From 04336cc68243b58e53e95724d1b276e2816e14b3 Mon Sep 17 00:00:00 2001
From: Matthieu <mtholot19@gmail.com>
Date: Thu, 28 May 2026 09:48:58 +0200
Subject: [PATCH] feat(catalog) : declare CatalogModule with RBAC permissions
 and sync 3 RBAC sources

- CatalogModule.php (REQUIRED=true) expose 2 permissions : catalog.categories.view + catalog.categories.manage
- modules.php : wire CatalogModule
- sidebar.php : item "Gestion des categories" dans la section Administration (gate sur catalog.categories.view)
- fr.json : cle sidebar.catalog.categories
- personas.ts : user-full recoit les 2 permissions, super-admin + ALL_ADMIN_LINKS etendus avec 'categories'
- SeedE2ECommand.php : miroir back, user-full recoit les 2 permissions

RG-1.01 verifiee manuellement (admin 200, bob 403, anonyme 401) sur /api/categories et /api/category_types.
---
 config/modules.php                            |  2 +
 config/sidebar.php                            |  7 +++
 frontend/i18n/locales/fr.json                 |  3 ++
 frontend/tests/e2e/_fixtures/personas.ts      | 10 +++--
 src/Module/Catalog/CatalogModule.php          | 43 +++++++++++++++++++
 .../Infrastructure/Console/SeedE2ECommand.php |  2 +
 6 files changed, 63 insertions(+), 4 deletions(-)
 create mode 100644 src/Module/Catalog/CatalogModule.php

diff --git a/config/modules.php b/config/modules.php
index 449543e..c4f8f54 100644
--- a/config/modules.php
+++ b/config/modules.php
@@ -1,6 +1,7 @@
 <?php
 
 declare(strict_types=1);
+use App\Module\Catalog\CatalogModule;
 use App\Module\Commercial\CommercialModule;
 use App\Module\Core\CoreModule;
 use App\Module\Sites\SitesModule;
@@ -9,4 +10,5 @@ return [
     CoreModule::class,
     CommercialModule::class,
     SitesModule::class,
+    CatalogModule::class,
 ];
diff --git a/config/sidebar.php b/config/sidebar.php
index d043b3b..2d019df 100644
--- a/config/sidebar.php
+++ b/config/sidebar.php
@@ -83,6 +83,13 @@ return [
                 'module'     => 'sites',
                 'permission' => 'sites.view',
             ],
+            [
+                'label'      => 'sidebar.catalog.categories',
+                'to'         => '/admin/categories',
+                'icon'       => 'mdi:tag-multiple-outline',
+                'module'     => 'catalog',
+                'permission' => 'catalog.categories.view',
+            ],
             [
                 'label'      => 'sidebar.core.audit_log',
                 'to'         => '/admin/audit-log',
diff --git a/frontend/i18n/locales/fr.json b/frontend/i18n/locales/fr.json
index 4d08443..1c9e5cd 100644
--- a/frontend/i18n/locales/fr.json
+++ b/frontend/i18n/locales/fr.json
@@ -32,6 +32,9 @@
         },
         "sites": {
             "admin": "Sites"
+        },
+        "catalog": {
+            "categories": "Gestion des catégories"
         }
     },
     "dashboard": {
diff --git a/frontend/tests/e2e/_fixtures/personas.ts b/frontend/tests/e2e/_fixtures/personas.ts
index 22cd8a4..43d4bba 100644
--- a/frontend/tests/e2e/_fixtures/personas.ts
+++ b/frontend/tests/e2e/_fixtures/personas.ts
@@ -35,7 +35,7 @@ export interface Persona {
     // sidebar-visibility pour driver la matrice. Les valeurs correspondent
     // aux slugs de route (`/admin/<slug>`), volontairement stables quand
     // la copie/i18n change.
-    expectedAdminLinks: Array<'users' | 'roles' | 'sites' | 'audit-log'>
+    expectedAdminLinks: Array<'users' | 'roles' | 'sites' | 'audit-log' | 'categories'>
 }
 
 const SHARED_PASSWORD = 'e2e-secret'
@@ -47,7 +47,7 @@ export const personas: Record<PersonaKey, Persona> = {
         password: SHARED_PASSWORD,
         isAdmin: true,
         permissions: [],
-        expectedAdminLinks: ['users', 'roles', 'sites', 'audit-log'],
+        expectedAdminLinks: ['users', 'roles', 'sites', 'categories', 'audit-log'],
     },
     'user-full': {
         key: 'user-full',
@@ -63,8 +63,10 @@ export const personas: Record<PersonaKey, Persona> = {
             'sites.view',
             'sites.manage',
             'sites.bypass_scope',
+            'catalog.categories.view',
+            'catalog.categories.manage',
         ],
-        expectedAdminLinks: ['users', 'roles', 'sites', 'audit-log'],
+        expectedAdminLinks: ['users', 'roles', 'sites', 'categories', 'audit-log'],
     },
     'user-readonly': {
         key: 'user-readonly',
@@ -109,4 +111,4 @@ export function getPersona(key: PersonaKey): Persona {
     return personas[key]
 }
 
-export const ALL_ADMIN_LINKS = ['users', 'roles', 'sites', 'audit-log'] as const
+export const ALL_ADMIN_LINKS = ['users', 'roles', 'sites', 'categories', 'audit-log'] as const
diff --git a/src/Module/Catalog/CatalogModule.php b/src/Module/Catalog/CatalogModule.php
new file mode 100644
index 0000000..1bae95f
--- /dev/null
+++ b/src/Module/Catalog/CatalogModule.php
@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Catalog;
+
+final class CatalogModule
+{
+    public const string ID    = 'catalog';
+    public const string LABEL = 'Catalogue';
+    // REQUIRED = true : Category sera FK NOT NULL cote futurs modules Tiers
+    // (M-Clients, M-Fournisseurs, M-Prestataires). Desactiver Catalog casserait
+    // tout le metier au boot Doctrine. Cf. review Tristan MR #12 + spec M0 § 2.1.
+    public const bool REQUIRED = true;
+
+    /**
+     * Liste declarative des permissions RBAC exposees par le module Catalog.
+     *
+     * Consommee par la commande `app:sync-permissions` (SyncPermissionsCommand)
+     * qui se charge d'upserter ces entrees dans la table `permission`, de
+     * reactiver les codes precedemment marques orphelins et de marquer comme
+     * orphelins ceux qui ont disparu du code source.
+     *
+     * La cle `module` est auto-injectee par le sync command a partir de
+     * `self::ID`, il est donc inutile de la repeter dans chaque entree.
+     *
+     * Convention de nommage des codes : `module.resource[.sub].action` en
+     * snake_case, le prefixe module devant correspondre exactement a
+     * `self::ID` (verifie par la commande de synchronisation).
+     *
+     * Granularite alignee sur Core (view + manage), pas view/create/edit/delete
+     * (cf. spec M0 § 2.7).
+     *
+     * @return array<int, array{code: string, label: string}>
+     */
+    public static function permissions(): array
+    {
+        return [
+            ['code' => 'catalog.categories.view', 'label' => 'Voir les categories'],
+            ['code' => 'catalog.categories.manage', 'label' => 'Gerer les categories (creer, editer, supprimer)'],
+        ];
+    }
+}
diff --git a/src/Module/Core/Infrastructure/Console/SeedE2ECommand.php b/src/Module/Core/Infrastructure/Console/SeedE2ECommand.php
index c9bcbb9..115f5d6 100644
--- a/src/Module/Core/Infrastructure/Console/SeedE2ECommand.php
+++ b/src/Module/Core/Infrastructure/Console/SeedE2ECommand.php
@@ -184,6 +184,8 @@ final class SeedE2ECommand extends Command
                     'sites.view',
                     'sites.manage',
                     'sites.bypass_scope',
+                    'catalog.categories.view',
+                    'catalog.categories.manage',
                 ],
             ],
             [