build(core) : RBAC #345 - nuxt-test and test-all makefile targets

Ajout de isAdmin et effectivePermissions dans UserData, creation du
composable usePermissions() (can/canAny/canAll) avec bypass admin.

frontend/package.json

@@ -10,7 +10,9 @@
     "postinstall": "nuxt prepare",
     "build:dist": "nuxt generate && rm -rf dist && cp -R .output/public dist",
     "lint": "eslint .",
-    "lint:fix": "eslint . --fix"
+    "lint:fix": "eslint . --fix",
+    "test": "vitest run",
+    "test:watch": "vitest"
   },
   "dependencies": {
     "@malio/layer-ui": "^1.2.3",
@@ -28,8 +30,11 @@
     "@nuxt/eslint-config": "^1.9.0",
     "@typescript-eslint/eslint-plugin": "^8.44.1",
     "@typescript-eslint/parser": "^8.44.1",
+    "@vue/test-utils": "^2.4.6",
     "eslint": "^9.36.0",
     "eslint-plugin-vue": "^10.5.0",
+    "happy-dom": "^20.9.0",
+    "vitest": "^4.1.4",
     "vue-eslint-parser": "^10.2.0"
   }
 }

frontend/shared/composables/__tests__/usePermissions.test.ts

@@ -0,0 +1,65 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import { usePermissions } from '../usePermissions'
+
+// Mock du store auth : le composable ne depend que de auth.user.
+const mockUser = vi.hoisted(() => ({
+    value: null as { isAdmin: boolean; effectivePermissions: string[] } | null,
+}))
+
+vi.mock('~/shared/stores/auth', () => ({
+    useAuthStore: () => ({
+        get user() {
+            return mockUser.value
+        },
+    }),
+}))
+
+describe('usePermissions', () => {
+    beforeEach(() => {
+        mockUser.value = null
+    })
+
+    it('refuse toute permission quand aucun utilisateur n\'est connecte', () => {
+        const { can, canAny, canAll } = usePermissions()
+        expect(can('core.users.view')).toBe(false)
+        expect(canAny(['core.users.view', 'core.roles.view'])).toBe(false)
+        expect(canAll(['core.users.view'])).toBe(false)
+    })
+
+    it('accorde toutes les permissions a un admin via le bypass', () => {
+        mockUser.value = { isAdmin: true, effectivePermissions: [] }
+        const { can, canAll } = usePermissions()
+        expect(can('core.users.view')).toBe(true)
+        expect(can('module.inexistante.action')).toBe(true)
+        expect(canAll(['a.b.c', 'd.e.f'])).toBe(true)
+    })
+
+    it('accorde une permission presente dans effectivePermissions', () => {
+        mockUser.value = { isAdmin: false, effectivePermissions: ['core.users.view'] }
+        const { can } = usePermissions()
+        expect(can('core.users.view')).toBe(true)
+    })
+
+    it('refuse une permission absente pour un non-admin', () => {
+        mockUser.value = { isAdmin: false, effectivePermissions: ['core.users.view'] }
+        const { can } = usePermissions()
+        expect(can('core.roles.manage')).toBe(false)
+    })
+
+    it('canAny retourne true si au moins un code matche', () => {
+        mockUser.value = { isAdmin: false, effectivePermissions: ['core.users.view'] }
+        const { canAny } = usePermissions()
+        expect(canAny(['core.roles.manage', 'core.users.view'])).toBe(true)
+        expect(canAny(['core.roles.manage', 'core.permissions.view'])).toBe(false)
+    })
+
+    it('canAll retourne true uniquement si tous les codes matchent', () => {
+        mockUser.value = {
+            isAdmin: false,
+            effectivePermissions: ['core.users.view', 'core.roles.view'],
+        }
+        const { canAll } = usePermissions()
+        expect(canAll(['core.users.view', 'core.roles.view'])).toBe(true)
+        expect(canAll(['core.users.view', 'core.roles.manage'])).toBe(false)
+    })
+})

frontend/shared/composables/usePermissions.ts

@@ -0,0 +1,38 @@
+import { useAuthStore } from '~/shared/stores/auth'
+
+/**
+ * Composable d'autorisation cote front.
+ *
+ * Source de verite : `useAuthStore().user`, qui porte le payload /api/me
+ * incluant `isAdmin` et `effectivePermissions` (tableau trie sans doublons).
+ *
+ * Regle de bypass dupliquee avec `PermissionVoter` (back) :
+ *   si `user.isAdmin === true`, toutes les permissions sont accordees.
+ * Cette duplication est volontaire pour offrir un feedback UI immediat
+ * sans aller-retour serveur. Si la regle de bypass change cote back
+ * (decision architecturale #343 section 11), ce composable DOIT evoluer
+ * en meme temps.
+ *
+ * Stateless : aucun ref module-level, tout passe par Pinia. Le reset est
+ * assure automatiquement par `authStore.logout()` qui efface `user`.
+ */
+export function usePermissions() {
+    const auth = useAuthStore()
+
+    function can(code: string): boolean {
+        const user = auth.user
+        if (!user) return false
+        if (user.isAdmin) return true
+        return user.effectivePermissions.includes(code)
+    }
+
+    function canAny(codes: string[]): boolean {
+        return codes.some(can)
+    }
+
+    function canAll(codes: string[]): boolean {
+        return codes.every(can)
+    }
+
+    return { can, canAny, canAll }
+}

frontend/shared/types/user-data.ts

@@ -2,4 +2,8 @@ export interface UserData {
     id: number
     username: string
     roles: string[]
+    /** Vrai si l'utilisateur a le bypass admin total (voir ticket #343 section 11). */
+    isAdmin: boolean
+    /** Codes de permission effectifs de l'utilisateur, tries alphabetiquement, sans doublon. */
+    effectivePermissions: string[]
 }

frontend/vitest.config.ts

@@ -0,0 +1,15 @@
+import { defineConfig } from 'vitest/config'
+import { fileURLToPath } from 'node:url'
+
+export default defineConfig({
+    test: {
+        environment: 'happy-dom',
+        globals: true,
+    },
+    resolve: {
+        alias: {
+            '~': fileURLToPath(new URL('./', import.meta.url)),
+            '@': fileURLToPath(new URL('./', import.meta.url)),
+        },
+    },
+})

makefile

@@ -59,6 +59,10 @@ nuxt-lint:
 nuxt-lint-fix:
 	$(EXEC_PHP) sh -c "cd frontend && npm run lint:fix"
 
+# Lance les tests unitaires frontend (Vitest)
+nuxt-test:
+	$(EXEC_PHP) sh -c "cd frontend && npm run test"
+
 delete_built_dir:
 	CURRENT_UID=$(shell id -u) CURRENT_GID=$(shell id -g) $(DOCKER_COMPOSE) up -d
 	$(DOCKER) exec -u root $(PHP_CONTAINER) rm -rf vendor/
@@ -82,6 +86,11 @@ migration-migrate:
 fixtures:
 	$(SYMFONY_CONSOLE) --no-interaction doctrine:fixtures:load
 
+# Synchronise le catalogue de permissions RBAC avec les declarations
+# des modules actifs (CoreModule::permissions() etc.). Idempotent.
+sync-permissions:
+	$(SYMFONY_CONSOLE) --no-interaction app:sync-permissions
+
 # Attention, supprime votre bdd local
 db-reset:
 	$(DOCKER_COMPOSE) down -v
@@ -90,6 +99,7 @@ db-reset:
 	$(SYMFONY_CONSOLE) doctrine:database:create --if-not-exists
 	$(MAKE) migration-migrate
 	$(MAKE) fixtures
+	$(MAKE) sync-permissions
 
 # Restart la bdd
 db-restart:
@@ -127,5 +137,8 @@ php-cs-fixer-allow-risky:
 test:
 	$(EXEC_PHP) php -d memory_limit="512M" vendor/bin/phpunit $(FILES)
 
+# Lance l'ensemble des tests (PHPUnit back + Vitest front)
+test-all: test nuxt-test
+
 wait:
 	sleep 10

src/Module/Core/Domain/Entity/Permission.php

@@ -19,13 +19,11 @@ use Symfony\Component\Serializer\Attribute\Groups;
     operations: [
         new GetCollection(
             normalizationContext: ['groups' => ['permission:read']],
-            // TODO ticket #345 : remplacer par is_granted('core.permissions.view')
+            security: "is_granted('core.permissions.view')",
-            security: "is_granted('ROLE_ADMIN')",
         ),
         new Get(
             normalizationContext: ['groups' => ['permission:read']],
-            // TODO ticket #345 : remplacer par is_granted('core.permissions.view')
+            security: "is_granted('core.permissions.view')",
-            security: "is_granted('ROLE_ADMIN')",
         ),
     ],
 )]

src/Module/Core/Domain/Entity/Role.php

@@ -35,31 +35,26 @@ use Symfony\Component\Validator\Constraints as Assert;
     operations: [
         new GetCollection(
             normalizationContext: ['groups' => ['role:read']],
-            // TODO ticket #345 : remplacer par is_granted('core.roles.manage')
+            security: "is_granted('core.roles.view')",
-            security: "is_granted('ROLE_ADMIN')",
         ),
         new Get(
             normalizationContext: ['groups' => ['role:read']],
-            // TODO ticket #345 : remplacer par is_granted('core.roles.manage')
+            security: "is_granted('core.roles.view')",
-            security: "is_granted('ROLE_ADMIN')",
         ),
         new Post(
             normalizationContext: ['groups' => ['role:read']],
             denormalizationContext: ['groups' => ['role:write']],
-            // TODO ticket #345 : remplacer par is_granted('core.roles.manage')
+            security: "is_granted('core.roles.manage')",
-            security: "is_granted('ROLE_ADMIN')",
             processor: RoleProcessor::class,
         ),
         new Patch(
             normalizationContext: ['groups' => ['role:read']],
             denormalizationContext: ['groups' => ['role:write']],
-            // TODO ticket #345 : remplacer par is_granted('core.roles.manage')
+            security: "is_granted('core.roles.manage')",
-            security: "is_granted('ROLE_ADMIN')",
             processor: RoleProcessor::class,
         ),
         new Delete(
-            // TODO ticket #345 : remplacer par is_granted('core.roles.manage')
+            security: "is_granted('core.roles.manage')",
-            security: "is_granted('ROLE_ADMIN')",
             processor: RoleProcessor::class,
         ),
     ],

src/Module/Core/Domain/Entity/User.php

@@ -11,6 +11,7 @@ use ApiPlatform\Metadata\GetCollection;
 use ApiPlatform\Metadata\Patch;
 use ApiPlatform\Metadata\Post;
 use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserPasswordHasherProcessor;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserProcessor;
 use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserRbacProcessor;
 use App\Module\Core\Infrastructure\ApiPlatform\State\Provider\MeProvider;
 use App\Module\Core\Infrastructure\Doctrine\DoctrineUserRepository;
@@ -31,25 +32,24 @@ use Symfony\Component\Serializer\Attribute\SerializedName;
             normalizationContext: ['groups' => ['me:read']],
         ),
         new Get(
-            security: "is_granted('ROLE_ADMIN')",  // TODO ticket #345 : remplacer par is_granted('core.users.view')
+            security: "is_granted('core.users.view')",
             normalizationContext: ['groups' => ['user:list']],
         ),
         new GetCollection(
-            security: "is_granted('ROLE_ADMIN')",  // TODO ticket #345 : remplacer par is_granted('core.users.view')
+            security: "is_granted('core.users.view')",
             normalizationContext: ['groups' => ['user:list']],
         ),
-        new Post(security: "is_granted('ROLE_ADMIN')", processor: UserPasswordHasherProcessor::class),
+        new Post(security: "is_granted('core.users.manage')", processor: UserPasswordHasherProcessor::class),
-        new Patch(security: "is_granted('ROLE_ADMIN')", processor: UserPasswordHasherProcessor::class),
+        new Patch(security: "is_granted('core.users.manage')", processor: UserPasswordHasherProcessor::class),
         new Patch(
             name: 'user_rbac_patch',
             uriTemplate: '/users/{id}/rbac',
-            // TODO ticket #345 : remplacer par is_granted('core.users.manage')
+            security: "is_granted('core.users.manage')",
-            security: "is_granted('ROLE_ADMIN')",
             normalizationContext: ['groups' => ['user:rbac:read']],
             denormalizationContext: ['groups' => ['user:rbac:write']],
             processor: UserRbacProcessor::class,
         ),
-        new Delete(security: "is_granted('ROLE_ADMIN')"),
+        new Delete(security: "is_granted('core.users.manage')", processor: UserProcessor::class),
     ],
     denormalizationContext: ['groups' => ['user:write']],
 )]
@@ -68,7 +68,10 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     private ?string $username = null;
 
     #[ORM\Column(name: 'is_admin', options: ['default' => false])]
-    #[Groups(['me:read', 'user:list', 'user:rbac:write', 'user:rbac:read'])]
+    // Groupe d'ecriture uniquement sur la propriete pour la denormalisation PATCH /rbac.
+    // Les groupes de lecture sont declares sur le getter isAdmin() afin d'exposer
+    // la cle JSON "isAdmin" (Symfony strip le prefixe "is" sur les methodes sans SerializedName).
+    #[Groups(['user:rbac:write'])]
     private bool $isAdmin = false;
 
     /**
@@ -169,6 +172,10 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
         return $roles;
     }
 
+    // Groupes de lecture + nom serialise explicite pour eviter que Symfony
+    // ne strip le prefixe "is" et expose la cle "admin" au lieu de "isAdmin".
+    #[Groups(['me:read', 'user:list', 'user:rbac:read'])]
+    #[SerializedName('isAdmin')]
     public function isAdmin(): bool
     {
         return $this->isAdmin;
@@ -245,6 +252,7 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
      *
      * @return list<string>
      */
+    #[Groups(['me:read'])]
     public function getEffectivePermissions(): array
     {
         $codes = [];

src/Module/Core/Domain/Security/AdminHeadcountGuard.php

@@ -17,7 +17,7 @@ use App\Module\Core\Domain\Repository\UserRepositoryInterface;
  * Il compte les admins restants et leve LastAdminProtectionException si
  * le seuil minimum (1) serait franchi.
  */
-final class AdminHeadcountGuard
+final class AdminHeadcountGuard implements AdminHeadcountGuardInterface
 {
     public function __construct(private readonly UserRepositoryInterface $userRepository) {}
 

src/Module/Core/Domain/Security/AdminHeadcountGuardInterface.php

@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Domain\Security;
+
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Domain\Exception\LastAdminProtectionException;
+
+/**
+ * Contrat du gardien de l'invariant "au moins un admin sur l'instance".
+ *
+ * Separer l'interface de l'implementation permet de tester unitairement
+ * les processors qui dependent de ce garde sans instancier le repository.
+ */
+interface AdminHeadcountGuardInterface
+{
+    /**
+     * Verifie qu'il restera au moins un admin apres la demote de $user.
+     *
+     * @throws LastAdminProtectionException si le seuil minimum serait franchi
+     */
+    public function ensureAtLeastOneAdminRemainsAfterDemotion(User $user): void;
+
+    /**
+     * Verifie qu'il restera au moins un admin apres la suppression de $user.
+     *
+     * @throws LastAdminProtectionException si le seuil minimum serait franchi
+     */
+    public function ensureAtLeastOneAdminRemainsAfterDeletion(User $user): void;
+}

src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserProcessor.php

@@ -0,0 +1,62 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\ApiPlatform\State\Processor;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Domain\Exception\LastAdminProtectionException;
+use App\Module\Core\Domain\Security\AdminHeadcountGuardInterface;
+use LogicException;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+
+/**
+ * Processor dedie a l'operation `DELETE /api/users/{id}`.
+ *
+ * Delegue la suppression au RemoveProcessor Doctrine decore apres avoir
+ * applique la garde "dernier admin global" : si l'utilisateur cible est
+ * le seul admin restant sur l'instance, la suppression est refusee pour
+ * preserver l'invariant "au moins un administrateur reste toujours".
+ *
+ * La garde est portee par AdminHeadcountGuard (domaine), partagee avec
+ * UserRbacProcessor qui gere le meme invariant sur le chemin PATCH /rbac.
+ *
+ * @implements ProcessorInterface<User, User>
+ */
+final class UserProcessor implements ProcessorInterface
+{
+    public function __construct(
+        #[Autowire(service: 'api_platform.doctrine.orm.state.remove_processor')]
+        private readonly ProcessorInterface $removeProcessor,
+        private readonly AdminHeadcountGuardInterface $adminHeadcountGuard,
+    ) {}
+
+    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): mixed
+    {
+        if (!$data instanceof User) {
+            // Ce processor est wire exclusivement sur l'operation Delete de User.
+            // Si on arrive ici avec un autre type, c'est une misconfiguration.
+            throw new LogicException(sprintf(
+                'UserProcessor attend une instance de %s, %s recu.',
+                User::class,
+                get_debug_type($data),
+            ));
+        }
+
+        // Garde dernier admin global : on ne verifie que si on supprime
+        // effectivement un admin. La suppression d'un user standard n'a
+        // aucun impact sur le compteur d'administrateurs.
+        if ($data->isAdmin()) {
+            try {
+                $this->adminHeadcountGuard->ensureAtLeastOneAdminRemainsAfterDeletion($data);
+            } catch (LastAdminProtectionException $exception) {
+                throw new BadRequestHttpException($exception->getMessage(), $exception);
+            }
+        }
+
+        return $this->removeProcessor->process($data, $operation, $uriVariables, $context);
+    }
+}

src/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessor.php

@@ -7,6 +7,8 @@ namespace App\Module\Core\Infrastructure\ApiPlatform\State\Processor;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProcessorInterface;
 use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Domain\Exception\LastAdminProtectionException;
+use App\Module\Core\Domain\Security\AdminHeadcountGuardInterface;
 use Doctrine\ORM\EntityManagerInterface;
 use LogicException;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -21,14 +23,12 @@ use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
  * ne touche JAMAIS au mot de passe — c'est une separation volontaire avec le
  * UserPasswordHasherProcessor qui gere le endpoint profil `/api/users/{id}`.
  *
- * Gardes metier :
+ * Gardes metier (dans l'ordre d'execution) :
  *  - Auto-suicide : un admin ne peut pas retirer son propre flag `isAdmin`.
- *    On compare l'etat entrant a l'etat d'origine via l'UnitOfWork Doctrine,
+ *    Cas particulier plus strict, avec message dedie.
- *    en restreignant la verification au couple "user courant == user cible".
+ *  - Dernier admin global : impossible de retirer `isAdmin` si c'est le
- *
+ *    dernier administrateur de l'instance, meme par un tiers. Enforce via
- * TODO ticket #345 : garde "dernier admin" globale via inventaire des admins
+ *    AdminHeadcountGuardInterface.
- * restants (empeche de retirer `isAdmin` au dernier admin de l'instance, meme
- * si ce n'est pas sa propre operation).
  *
  * @implements ProcessorInterface<User, User>
  */
@@ -39,6 +39,7 @@ final class UserRbacProcessor implements ProcessorInterface
         private readonly ProcessorInterface $persistProcessor,
         private readonly EntityManagerInterface $entityManager,
         private readonly Security $security,
+        private readonly AdminHeadcountGuardInterface $adminHeadcountGuard,
     ) {}
 
     public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): mixed
@@ -56,19 +57,26 @@ final class UserRbacProcessor implements ProcessorInterface
 
         $currentUser = $this->security->getUser();
 
-        // Garde auto-suicide : l'user courant ne peut pas retirer son propre
+        // Calcul partage entre les deux gardes : l'user perdait-il le flag admin ?
-        // flag admin. On ne compare que si la cible == l'user courant.
+        $originalData  = $this->entityManager->getUnitOfWork()->getOriginalEntityData($data);
-        if ($currentUser instanceof User
+        $wasAdmin      = $originalData['isAdmin'] ?? null;
-            && null !== $currentUser->getId()
+        $willLoseAdmin = true === $wasAdmin && false === $data->isAdmin();
-            && $currentUser->getId() === $data->getId()
-        ) {
-            $originalData = $this->entityManager->getUnitOfWork()->getOriginalEntityData($data);
-            $wasAdmin     = $originalData['isAdmin'] ?? null;
 
-            if (true === $wasAdmin && false === $data->isAdmin()) {
+        // Garde auto-suicide : cas particulier plus strict — l'user courant ne
-                throw new BadRequestHttpException(
+        // peut pas retirer son propre flag admin, meme si d'autres admins existent.
-                    'Vous ne pouvez pas retirer vos propres droits administrateur.'
+        if ($willLoseAdmin && $currentUser instanceof User && $currentUser->getId() === $data->getId()) {
-                );
+            throw new BadRequestHttpException(
+                'Vous ne pouvez pas retirer vos propres droits administrateur.'
+            );
+        }
+
+        // Garde dernier admin global : invariant general — impossible de retirer
+        // isAdmin si cela laisserait l'instance sans administrateur.
+        if ($willLoseAdmin) {
+            try {
+                $this->adminHeadcountGuard->ensureAtLeastOneAdminRemainsAfterDemotion($data);
+            } catch (LastAdminProtectionException $exception) {
+                throw new BadRequestHttpException($exception->getMessage(), $exception);
             }
         }
 

src/Module/Core/Infrastructure/Security/PermissionVoter.php

@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Module\Core\Infrastructure\Security;
+
+use App\Module\Core\Domain\Entity\User;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\Vote;
+use Symfony\Component\Security\Core\Authorization\Voter\Voter;
+
+/**
+ * Voter RBAC qui evalue les codes de permission metier au format
+ * "module.resource.action" (ex: "core.users.view").
+ *
+ * - Ignore silencieusement les attributs non-RBAC (ROLE_*, IS_AUTHENTICATED_*, ...),
+ *   qui restent traites par les voters core de Symfony. Strategy 'affirmative'
+ *   par defaut : tant qu'un voter repond GRANTED, l'acces est accorde.
+ * - Bypass total si l'utilisateur porte le flag isAdmin (decision architecturale
+ *   gravee au ticket #343 section 11 : is_admin est le seul levier technique
+ *   de bypass, jamais remplace par un check de role).
+ * - Sinon, compare l'attribut aux permissions effectives de l'utilisateur
+ *   (union dedupliquee triee venant des roles et des permissions directes).
+ *
+ * @extends Voter<string, mixed>
+ */
+final class PermissionVoter extends Voter
+{
+    /**
+     * Regex de reconnaissance des codes de permission.
+     *
+     * Contraintes :
+     *  - Premier caractere alphabetique minuscule (pas de chiffre, pas de ROLE_).
+     *  - Au moins un point de separation (ecarte les attributs atomiques
+     *    type ROLE_ADMIN ou IS_AUTHENTICATED_FULLY).
+     *  - Segments en snake_case minuscule coherents avec les permissions
+     *    declarees par les *Module::permissions() et validees par app:sync-permissions.
+     */
+    private const string PERMISSION_CODE_PATTERN = '/^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$/';
+
+    protected function supports(string $attribute, mixed $subject): bool
+    {
+        return (bool) preg_match(self::PERMISSION_CODE_PATTERN, $attribute);
+    }
+
+    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool
+    {
+        $user = $token->getUser();
+
+        if (!$user instanceof User) {
+            // Token anonyme ou user d'un autre type : on refuse explicitement.
+            // Les voters core (AuthenticatedVoter) se chargent deja du cas
+            // "pas authentifie du tout".
+            return false;
+        }
+
+        if ($user->isAdmin()) {
+            // Bypass total : decision architecturale #343 section 11.
+            // Cette regle est dupliquee cote front dans usePermissions()
+            // et les deux doivent bouger ensemble si elle evolue un jour.
+            return true;
+        }
+
+        return in_array($attribute, $user->getEffectivePermissions(), true);
+    }
+}

tests/Module/Core/Api/AbstractApiTestCase.php

@@ -6,7 +6,11 @@ namespace App\Tests\Module\Core\Api;
 
 use ApiPlatform\Symfony\Bundle\Test\ApiTestCase;
 use ApiPlatform\Symfony\Bundle\Test\Client;
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
 
 /**
  * Classe de base pour les tests fonctionnels API Platform du module Core.
@@ -18,6 +22,9 @@ use Doctrine\ORM\EntityManagerInterface;
  *    (cookie BEARER HTTP-only pose par lexik_jwt_authentication).
  *  - `getEm()` : recupere l'EntityManager depuis le container courant.
  *    A rappeler apres chaque createClient() car le kernel est reboote.
+ *  - `createUserWithPermission()` : cree un user non-admin jetable portant
+ *    une permission specifique via un role custom. Utile pour prouver qu'un
+ *    non-admin avec la permission obtient 200, et sans la permission 403.
  *
  * @internal
  */
@@ -63,4 +70,64 @@ abstract class AbstractApiTestCase extends ApiTestCase
 
         return $client;
     }
+
+    /**
+     * Cree un utilisateur non-admin portant une permission specifique via un
+     * role custom jetable. A utiliser dans les tests fonctionnels qui doivent
+     * prouver qu'un non-admin avec la permission requise obtient 200, et
+     * sans la permission obtient 403.
+     *
+     * Le user et le role sont persistes avec un suffixe aleatoire pour eviter
+     * les collisions inter-tests. Le password est "testpass".
+     *
+     * Prerequis : la permission identifiee par $permissionCode doit exister en
+     * base (seeder via `app:sync-permissions`). Si elle est introuvable, le test
+     * echoue immediatement avec un message explicite.
+     *
+     * @param string $permissionCode Le code de la permission (ex: "core.users.view")
+     *
+     * @return array{username: string, password: string} Les identifiants pour authenticatedClient()
+     */
+    protected function createUserWithPermission(string $permissionCode): array
+    {
+        if (!self::$kernel) {
+            self::bootKernel();
+        }
+
+        $em = $this->getEm();
+
+        /** @var null|Permission $permission */
+        $permission = $em->getRepository(Permission::class)->findOneBy(['code' => $permissionCode]);
+
+        self::assertNotNull(
+            $permission,
+            sprintf(
+                'Permission "%s" introuvable en base. Assurez-vous que `app:sync-permissions` a ete execute.',
+                $permissionCode,
+            ),
+        );
+
+        $suffix   = substr(bin2hex(random_bytes(4)), 0, 8);
+        $username = 'testuser_'.$suffix;
+        $password = 'testpass';
+
+        /** @var UserPasswordHasherInterface $hasher */
+        $hasher = self::getContainer()->get(UserPasswordHasherInterface::class);
+
+        $role = new Role('test_'.$suffix, 'Test Role '.$suffix, false);
+        $role->addPermission($permission);
+        $em->persist($role);
+
+        $user = new User();
+        $user->setUsername($username);
+        $user->setIsAdmin(false);
+        $user->setPassword($hasher->hashPassword($user, $password));
+        $user->addRbacRole($role);
+        $em->persist($user);
+
+        $em->flush();
+        $em->clear();
+
+        return ['username' => $username, 'password' => $password];
+    }
 }

tests/Module/Core/Api/MeApiTest.php

@@ -0,0 +1,169 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Core\Api;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Entity\User;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
+
+/**
+ * Tests fonctionnels de l'endpoint GET /api/me.
+ *
+ * Verifie que la reponse inclut `isAdmin` et `effectivePermissions`
+ * dans le groupe de serialisation `me:read`.
+ *
+ * Strategie de donnees :
+ *  - Les tests 1-3 s'appuient exclusivement sur les fixtures (admin/alice).
+ *  - Le test 4 cree un user jetable prefixe `test_me_` + role + permission,
+ *    purges en tearDown.
+ *
+ * @internal
+ */
+final class MeApiTest extends AbstractApiTestCase
+{
+    private const TEST_USER_PREFIX       = 'test_me_';
+    private const TEST_ROLE_PREFIX       = 'test_me_';
+    private const TEST_PERMISSION_PREFIX = 'test.me.';
+
+    protected function tearDown(): void
+    {
+        $this->cleanupTestData();
+        parent::tearDown();
+    }
+
+    /**
+     * L'admin (isAdmin=true, role systeme sans permission explicite) doit
+     * obtenir un payload /me avec isAdmin=true et effectivePermissions=[].
+     */
+    public function testMeEndpointReturnsIsAdminAndEffectivePermissionsForAdmin(): void
+    {
+        $client   = $this->authenticatedClient('admin', 'admin');
+        $response = $client->request('GET', '/api/me', [
+            'headers' => ['Accept' => 'application/ld+json'],
+        ]);
+
+        self::assertResponseIsSuccessful();
+
+        $data = $response->toArray();
+
+        self::assertSame('admin', $data['username'], 'Le champ username doit etre "admin".');
+        self::assertTrue($data['isAdmin'], 'isAdmin doit etre true pour l\'admin fixture.');
+        self::assertArrayHasKey('effectivePermissions', $data, 'effectivePermissions doit etre present dans le payload.');
+        self::assertIsArray($data['effectivePermissions'], 'effectivePermissions doit etre un tableau JSON.');
+        // Le role systeme admin n'a pas de permissions explicites : tableau vide attendu.
+        self::assertSame([], $data['effectivePermissions'], 'effectivePermissions doit etre [] pour l\'admin sans permissions explicites.');
+    }
+
+    /**
+     * Un utilisateur standard (isAdmin=false, role user sans permission) doit
+     * obtenir isAdmin=false et effectivePermissions=[].
+     */
+    public function testMeEndpointReturnsEmptyPermissionsForStandardUser(): void
+    {
+        $client   = $this->authenticatedClient('alice', 'alice');
+        $response = $client->request('GET', '/api/me', [
+            'headers' => ['Accept' => 'application/ld+json'],
+        ]);
+
+        self::assertResponseIsSuccessful();
+
+        $data = $response->toArray();
+
+        self::assertFalse($data['isAdmin'], 'isAdmin doit etre false pour alice.');
+        self::assertArrayHasKey('effectivePermissions', $data, 'effectivePermissions doit etre present dans le payload.');
+        self::assertSame([], $data['effectivePermissions'], 'effectivePermissions doit etre [] pour un user sans role avec permission.');
+    }
+
+    /**
+     * Une requete non authentifiee sur /api/me doit retourner 401.
+     */
+    public function testMeEndpointRequiresAuthentication(): void
+    {
+        $client = self::createClient();
+        $client->request('GET', '/api/me', [
+            'headers' => ['Accept' => 'application/ld+json'],
+        ]);
+
+        self::assertResponseStatusCodeSame(401);
+    }
+
+    /**
+     * Un user rattache a un role portant la permission `core.users.view` doit
+     * retrouver cette permission dans effectivePermissions, triee alphabetiquement.
+     */
+    public function testMeEndpointReturnsEffectivePermissionsForUserWithRolePermissions(): void
+    {
+        // --- Preparation des donnees de test ---
+        self::bootKernel();
+        $em = $this->getEm();
+
+        $this->cleanupTestData();
+
+        /** @var UserPasswordHasherInterface $hasher */
+        $hasher = self::getContainer()->get(UserPasswordHasherInterface::class);
+
+        $permission = new Permission('test.me.core.users.view', 'View users (test me)', 'core');
+        $em->persist($permission);
+
+        $role = new Role('test_me_viewer', 'Viewer (test me)', false);
+        $role->addPermission($permission);
+        $em->persist($role);
+
+        $user = new User();
+        $user->setUsername('test_me_viewer_user');
+        $user->setIsAdmin(false);
+        $user->setPassword($hasher->hashPassword($user, 'secret'));
+        $user->addRbacRole($role);
+        $em->persist($user);
+
+        $em->flush();
+        $em->clear();
+
+        // --- Appel API ---
+        $client   = $this->authenticatedClient('test_me_viewer_user', 'secret');
+        $response = $client->request('GET', '/api/me', [
+            'headers' => ['Accept' => 'application/ld+json'],
+        ]);
+
+        self::assertResponseIsSuccessful();
+
+        $data = $response->toArray();
+
+        self::assertArrayHasKey('effectivePermissions', $data, 'effectivePermissions doit etre present dans le payload.');
+        self::assertContains(
+            'test.me.core.users.view',
+            $data['effectivePermissions'],
+            'effectivePermissions doit contenir le code de permission du role attribue.',
+        );
+
+        // Verifie le tri alphabetique (contrat spec section 9 ticket-343).
+        $sorted = $data['effectivePermissions'];
+        $copy   = $sorted;
+        sort($copy);
+        self::assertSame($copy, $sorted, 'effectivePermissions doit etre trie alphabetiquement.');
+    }
+
+    /**
+     * Purge les entites de test creees par les methodes ci-dessus.
+     * Ordre : users d'abord (FK vers roles), puis roles, puis permissions.
+     */
+    private function cleanupTestData(): void
+    {
+        $em = $this->getEm();
+
+        $em->createQuery(
+            'DELETE FROM '.User::class.' u WHERE u.username LIKE :prefix'
+        )->setParameter('prefix', self::TEST_USER_PREFIX.'%')->execute();
+
+        $em->createQuery(
+            'DELETE FROM '.Role::class.' r WHERE r.code LIKE :prefix'
+        )->setParameter('prefix', self::TEST_ROLE_PREFIX.'%')->execute();
+
+        $em->createQuery(
+            'DELETE FROM '.Permission::class.' p WHERE p.code LIKE :prefix'
+        )->setParameter('prefix', self::TEST_PERMISSION_PREFIX.'%')->execute();
+    }
+}

tests/Module/Core/Api/PermissionApiTest.php

@@ -5,6 +5,8 @@ declare(strict_types=1);
 namespace App\Tests\Module\Core\Api;
 
 use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Entity\User;
 
 /**
  * Tests fonctionnels de l'exposition API Platform de l'entite Permission.
@@ -172,9 +174,69 @@ final class PermissionApiTest extends AbstractApiTestCase
         self::assertResponseStatusCodeSame(403);
     }
 
+    // --- Tests voter RBAC : non-admin avec / sans permission ---
+
+    public function testListPermissionsAsUserWithViewPermissionReturns200(): void
+    {
+        // Un non-admin portant core.permissions.view doit pouvoir lister.
+        $credentials = $this->createUserWithPermission('core.permissions.view');
+        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
+        $client->request('GET', '/api/permissions');
+
+        self::assertResponseIsSuccessful();
+    }
+
+    public function testListPermissionsAsStandardUserReturns403(): void
+    {
+        // alice n'a aucune permission RBAC : acces refuse.
+        $client = $this->authenticatedClient('alice', 'alice');
+        $client->request('GET', '/api/permissions');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testGetPermissionAsUserWithViewPermissionReturns200(): void
+    {
+        // Recupere l'id d'une permission existante pour construire l'URL GET item.
+        $permission = $this->getEm()->getRepository(Permission::class)
+            ->findOneBy(['code' => 'test.core.users.view'])
+        ;
+        self::assertNotNull($permission);
+
+        $credentials = $this->createUserWithPermission('core.permissions.view');
+        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
+        $client->request('GET', '/api/permissions/'.$permission->getId());
+
+        self::assertResponseIsSuccessful();
+    }
+
+    public function testGetPermissionAsStandardUserReturns403(): void
+    {
+        $permission = $this->getEm()->getRepository(Permission::class)
+            ->findOneBy(['code' => 'test.core.users.view'])
+        ;
+        self::assertNotNull($permission);
+
+        $client = $this->authenticatedClient('alice', 'alice');
+        $client->request('GET', '/api/permissions/'.$permission->getId());
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
     private function cleanupTestPermissions(): void
     {
-        $this->getEm()->createQuery(
+        $em = $this->getEm();
+
+        // Purge des users et roles jetables crees par createUserWithPermission().
+        $em->createQuery(
+            'DELETE FROM '.User::class.' u WHERE u.username LIKE :prefix'
+        )->setParameter('prefix', 'testuser_%')->execute();
+
+        $em->createQuery(
+            'DELETE FROM '.Role::class.' r WHERE r.code LIKE :prefix'
+        )->setParameter('prefix', 'test_%')->execute();
+
+        $em->createQuery(
             'DELETE FROM '.Permission::class.' p WHERE p.code LIKE :prefix'
         )->setParameter('prefix', self::TEST_CODE_PREFIX.'%')->execute();
     }

tests/Module/Core/Api/RoleApiTest.php

@@ -368,6 +368,85 @@ final class RoleApiTest extends AbstractApiTestCase
         self::assertResponseStatusCodeSame(403);
     }
 
+    // --- Tests voter RBAC : non-admin avec / sans permission ---
+
+    public function testListRolesAsUserWithViewPermissionReturns200(): void
+    {
+        // Un non-admin portant core.roles.view doit pouvoir lister les roles.
+        $credentials = $this->createUserWithPermission('core.roles.view');
+        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
+        $client->request('GET', '/api/roles');
+
+        self::assertResponseIsSuccessful();
+    }
+
+    public function testListRolesAsUserWithOnlyManagePermissionReturns403(): void
+    {
+        // Un user avec uniquement core.roles.manage ne peut PAS lister (list/get
+        // exige core.roles.view, cf. spec section 3 ticket-345).
+        $credentials = $this->createUserWithPermission('core.roles.manage');
+        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
+        $client->request('GET', '/api/roles');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testListRolesAsStandardUserReturns403(): void
+    {
+        $client = $this->authenticatedClient('alice', 'alice');
+        $client->request('GET', '/api/roles');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testCreateRoleAsUserWithManagePermissionReturns201(): void
+    {
+        // Un non-admin portant core.roles.manage doit pouvoir creer un role.
+        $credentials = $this->createUserWithPermission('core.roles.manage');
+        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
+        $response    = $client->request('POST', '/api/roles', [
+            'headers' => ['Content-Type' => 'application/ld+json'],
+            'json'    => [
+                'code'  => 'test_created_by_manager',
+                'label' => 'Role cree par manager (test)',
+            ],
+        ]);
+
+        self::assertResponseStatusCodeSame(201);
+        $data = $response->toArray();
+        self::assertSame('test_created_by_manager', $data['code']);
+    }
+
+    public function testCreateRoleAsUserWithOnlyViewPermissionReturns403(): void
+    {
+        // Un user avec core.roles.view uniquement ne peut pas creer (POST exige .manage).
+        $credentials = $this->createUserWithPermission('core.roles.view');
+        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
+        $client->request('POST', '/api/roles', [
+            'headers' => ['Content-Type' => 'application/ld+json'],
+            'json'    => [
+                'code'  => 'test_shouldnotcreate',
+                'label' => 'Ne doit pas etre cree',
+            ],
+        ]);
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testCreateRoleAsStandardUserReturns403(): void
+    {
+        $client = $this->authenticatedClient('alice', 'alice');
+        $client->request('POST', '/api/roles', [
+            'headers' => ['Content-Type' => 'application/ld+json'],
+            'json'    => [
+                'code'  => 'test_shouldnotcreate_alice',
+                'label' => 'Ne doit pas etre cree',
+            ],
+        ]);
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
     /**
      * Purge les donnees de test (roles et permissions prefixees `test.`).
      * Ne touche JAMAIS aux roles systeme `admin` et `user` charges par les

tests/Module/Core/Api/UserApiTest.php

@@ -0,0 +1,195 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Core\Api;
+
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Entity\User;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
+
+/**
+ * Tests fonctionnels de l'exposition API Platform de l'entite User.
+ *
+ * Strategie :
+ *  - Les fixtures chargent 3 users : admin (is_admin=true), alice, bob.
+ *  - Les tests de lecture s'appuient sur les fixtures sans les modifier.
+ *  - Les tests de suppression et de guard "dernier admin" creent des users
+ *    additionnels via EntityManager, purges en tearDown.
+ *  - On ne supprime JAMAIS les users fixture (admin / alice / bob).
+ *
+ * @internal
+ */
+final class UserApiTest extends AbstractApiTestCase
+{
+    private const TEST_USER_PREFIX = 'test_';
+    private const TEST_ROLE_PREFIX = 'test_';
+
+    protected function tearDown(): void
+    {
+        $this->cleanupTestData();
+        parent::tearDown();
+    }
+
+    // --- Tests lecture collection ---
+
+    public function testListUsersAsAdminReturns200(): void
+    {
+        $client   = $this->authenticatedClient('admin', 'admin');
+        $response = $client->request('GET', '/api/users');
+
+        self::assertResponseIsSuccessful();
+        $data = $response->toArray();
+        self::assertArrayHasKey('member', $data);
+        // Au moins 3 users fixture.
+        self::assertGreaterThanOrEqual(3, $data['totalItems']);
+    }
+
+    public function testListUsersAsUserWithViewPermissionReturns200(): void
+    {
+        // Un non-admin portant core.users.view doit pouvoir lister les users.
+        $credentials = $this->createUserWithPermission('core.users.view');
+        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
+        $client->request('GET', '/api/users');
+
+        self::assertResponseIsSuccessful();
+    }
+
+    public function testListUsersAsStandardUserReturns403(): void
+    {
+        // alice n'a aucune permission RBAC : acces refuse.
+        $client = $this->authenticatedClient('alice', 'alice');
+        $client->request('GET', '/api/users');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    // --- Tests suppression ---
+
+    public function testDeleteNonAdminUserAsAdminReturns204(): void
+    {
+        // Confirme que la suppression d'un user non-admin fonctionne.
+        $em = $this->getEm();
+
+        /** @var UserPasswordHasherInterface $hasher */
+        $hasher = self::getContainer()->get(UserPasswordHasherInterface::class);
+
+        $target = new User();
+        $target->setUsername('test_deletable_user');
+        $target->setIsAdmin(false);
+        $target->setPassword($hasher->hashPassword($target, 'secret'));
+        $em->persist($target);
+        $em->flush();
+        $targetId = $target->getId();
+        $em->clear();
+
+        $client = $this->authenticatedClient('admin', 'admin');
+        $client->request('DELETE', '/api/users/'.$targetId);
+
+        self::assertResponseStatusCodeSame(204);
+
+        // Verification cote base : le user n'existe plus.
+        $em = $this->getEm();
+        $em->clear();
+        self::assertNull($em->getRepository(User::class)->find($targetId));
+    }
+
+    public function testDeleteSecondAdminReturns204(): void
+    {
+        // Quand il y a 2 admins, supprimer le second est autorise (garde non declenchee).
+        $em = $this->getEm();
+
+        /** @var UserPasswordHasherInterface $hasher */
+        $hasher = self::getContainer()->get(UserPasswordHasherInterface::class);
+
+        $secondAdmin = new User();
+        $secondAdmin->setUsername('test_second_admin');
+        $secondAdmin->setIsAdmin(true);
+        $secondAdmin->setPassword($hasher->hashPassword($secondAdmin, 'secret'));
+        $em->persist($secondAdmin);
+        $em->flush();
+        $secondAdminId = $secondAdmin->getId();
+        $em->clear();
+
+        // Auth en tant qu'admin fixture, supprime le second admin.
+        $client = $this->authenticatedClient('admin', 'admin');
+        $client->request('DELETE', '/api/users/'.$secondAdminId);
+
+        self::assertResponseStatusCodeSame(204);
+
+        $em = $this->getEm();
+        $em->clear();
+        self::assertNull($em->getRepository(User::class)->find($secondAdminId));
+    }
+
+    public function testDeleteLastAdminReturns400(): void
+    {
+        // Scenario "dernier admin global" : un seul admin existe (fixture admin).
+        // Il tente de se supprimer lui-meme -> garde activee -> 400.
+        $em = $this->getEm();
+
+        /** @var null|User $fixtureAdmin */
+        $fixtureAdmin = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
+        self::assertNotNull($fixtureAdmin, 'L\'user admin fixture doit exister.');
+        $fixtureAdminId = $fixtureAdmin->getId();
+
+        // Garantit qu'il n'y a qu'un seul admin au moment du test :
+        // s'assure que test_second_admin n'existe pas (tearDown le purge, mais
+        // soyons defensifs si un test precedent n'a pas nettoye).
+        $em->createQuery(
+            'DELETE FROM '.User::class.' u WHERE u.username LIKE :prefix AND u.username != :admin'
+        )->setParameters(['prefix' => 'test_%', 'admin' => 'admin'])->execute();
+
+        // Auth en tant que l'admin fixture et tente l'auto-suppression.
+        $client   = $this->authenticatedClient('admin', 'admin');
+        $response = $client->request('DELETE', '/api/users/'.$fixtureAdminId);
+
+        self::assertResponseStatusCodeSame(400);
+
+        // Verification cote base : l'admin fixture doit toujours exister.
+        $em = $this->getEm();
+        $em->clear();
+        self::assertNotNull(
+            $em->getRepository(User::class)->find($fixtureAdminId),
+            'Le dernier admin ne doit PAS etre supprime.',
+        );
+    }
+
+    public function testDeleteAsStandardUserReturns403(): void
+    {
+        $em = $this->getEm();
+
+        /** @var null|User $alice */
+        $alice = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
+        self::assertNotNull($alice);
+
+        /** @var null|User $bob */
+        $bob = $em->getRepository(User::class)->findOneBy(['username' => 'bob']);
+        self::assertNotNull($bob);
+
+        // alice sans permission ne peut pas supprimer bob.
+        $client = $this->authenticatedClient('alice', 'alice');
+        $client->request('DELETE', '/api/users/'.$bob->getId());
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    /**
+     * Purge les entites de test creees par cette suite.
+     * Ne touche JAMAIS aux fixtures (admin / alice / bob).
+     */
+    private function cleanupTestData(): void
+    {
+        $em = $this->getEm();
+
+        // Purge des users jetables crees par les tests (y compris testuser_ de createUserWithPermission).
+        $em->createQuery(
+            'DELETE FROM '.User::class.' u WHERE u.username LIKE :prefix'
+        )->setParameter('prefix', self::TEST_USER_PREFIX.'%')->execute();
+
+        // Purge des roles jetables crees par createUserWithPermission.
+        $em->createQuery(
+            'DELETE FROM '.Role::class.' r WHERE r.code LIKE :prefix'
+        )->setParameter('prefix', self::TEST_ROLE_PREFIX.'%')->execute();
+    }
+}

tests/Module/Core/Api/UserRbacApiTest.php

@@ -224,6 +224,40 @@ final class UserRbacApiTest extends AbstractApiTestCase
         self::assertFalse($reloaded->isAdmin());
     }
 
+    // --- Tests voter RBAC : non-admin avec / sans permission ---
+
+    public function testPatchRbacAsUserWithManagePermissionReturns200(): void
+    {
+        // Un non-admin portant core.users.manage doit pouvoir appeler PATCH /rbac.
+        $target = $this->getEm()->getRepository(User::class)->findOneBy(['username' => 'test_target']);
+        self::assertNotNull($target);
+
+        $credentials = $this->createUserWithPermission('core.users.manage');
+        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
+        $client->request('PATCH', '/api/users/'.$target->getId().'/rbac', [
+            'headers' => ['Content-Type' => 'application/merge-patch+json'],
+            'json'    => ['isAdmin' => false],
+        ]);
+
+        self::assertResponseIsSuccessful();
+    }
+
+    public function testPatchRbacAsUserWithOnlyViewPermissionReturns403(): void
+    {
+        // Un user avec core.users.view uniquement ne peut pas ecrire via /rbac.
+        $target = $this->getEm()->getRepository(User::class)->findOneBy(['username' => 'test_target']);
+        self::assertNotNull($target);
+
+        $credentials = $this->createUserWithPermission('core.users.view');
+        $client      = $this->authenticatedClient($credentials['username'], $credentials['password']);
+        $client->request('PATCH', '/api/users/'.$target->getId().'/rbac', [
+            'headers' => ['Content-Type' => 'application/merge-patch+json'],
+            'json'    => ['isAdmin' => true],
+        ]);
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
     public function testPatchRbacSelfRemovingAdminReturns400(): void
     {
         // On utilise le user admin dedie (test_self_admin) pour ne pas

tests/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserProcessorTest.php

@@ -0,0 +1,130 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Core\Infrastructure\ApiPlatform\State\Processor;
+
+use ApiPlatform\Metadata\Delete;
+use ApiPlatform\State\ProcessorInterface;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Domain\Exception\LastAdminProtectionException;
+use App\Module\Core\Domain\Security\AdminHeadcountGuardInterface;
+use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserProcessor;
+use LogicException;
+use PHPUnit\Framework\Attributes\AllowMockObjectsWithoutExpectations;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use stdClass;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+
+/**
+ * Tests unitaires du UserProcessor : couvre la garde "dernier admin global"
+ * et la delegation au RemoveProcessor Doctrine decore pour l'operation DELETE.
+ *
+ * @internal
+ */
+#[AllowMockObjectsWithoutExpectations]
+final class UserProcessorTest extends TestCase
+{
+    private MockObject&ProcessorInterface $removeProcessor;
+    private AdminHeadcountGuardInterface&MockObject $adminHeadcountGuard;
+    private UserProcessor $processor;
+
+    protected function setUp(): void
+    {
+        $this->removeProcessor     = $this->createMock(ProcessorInterface::class);
+        $this->adminHeadcountGuard = $this->createMock(AdminHeadcountGuardInterface::class);
+
+        $this->processor = new UserProcessor(
+            $this->removeProcessor,
+            $this->adminHeadcountGuard,
+        );
+    }
+
+    public function testDelegatesWhenUserIsNotAdmin(): void
+    {
+        $user = new User();
+        $user->setUsername('alice');
+        $user->setIsAdmin(false);
+
+        // La garde ne doit jamais etre appellee pour un non-admin.
+        $this->adminHeadcountGuard
+            ->expects($this->never())
+            ->method('ensureAtLeastOneAdminRemainsAfterDeletion')
+        ;
+
+        $this->removeProcessor
+            ->expects($this->once())
+            ->method('process')
+            ->with($user)
+            ->willReturn(null)
+        ;
+
+        $result = $this->processor->process($user, new Delete());
+
+        self::assertNull($result);
+    }
+
+    public function testDelegatesWhenAdminButNotLast(): void
+    {
+        $user = new User();
+        $user->setUsername('admin');
+        $user->setIsAdmin(true);
+
+        // La garde est appelee et ne leve pas d'exception (il reste d'autres admins).
+        $this->adminHeadcountGuard
+            ->expects($this->once())
+            ->method('ensureAtLeastOneAdminRemainsAfterDeletion')
+            ->with($user)
+        ;
+
+        $this->removeProcessor
+            ->expects($this->once())
+            ->method('process')
+            ->with($user)
+            ->willReturn(null)
+        ;
+
+        $this->processor->process($user, new Delete());
+    }
+
+    public function testBlocksWhenDeletingLastAdmin(): void
+    {
+        $user = new User();
+        $user->setUsername('admin');
+        $user->setIsAdmin(true);
+
+        $exceptionMessage = 'Impossible : au moins un administrateur doit rester sur l\'instance.';
+
+        $this->adminHeadcountGuard
+            ->expects($this->once())
+            ->method('ensureAtLeastOneAdminRemainsAfterDeletion')
+            ->with($user)
+            ->willThrowException(new LastAdminProtectionException($exceptionMessage))
+        ;
+
+        // La suppression ne doit pas etre executee si la garde echoue.
+        $this->removeProcessor
+            ->expects($this->never())
+            ->method('process')
+        ;
+
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage($exceptionMessage);
+
+        $this->processor->process($user, new Delete());
+    }
+
+    public function testFailFastOnInvalidDataType(): void
+    {
+        // Garde-fou contre une misconfiguration : ce processor est wire
+        // exclusivement sur l'operation Delete de User.
+        $this->adminHeadcountGuard->expects($this->never())->method('ensureAtLeastOneAdminRemainsAfterDeletion');
+        $this->removeProcessor->expects($this->never())->method('process');
+
+        $this->expectException(LogicException::class);
+        $this->expectExceptionMessage('UserProcessor attend une instance de');
+
+        $this->processor->process(new stdClass(), new Delete());
+    }
+}

tests/Module/Core/Infrastructure/ApiPlatform/State/Processor/UserRbacProcessorTest.php

@@ -9,6 +9,8 @@ use ApiPlatform\State\ProcessorInterface;
 use App\Module\Core\Domain\Entity\Permission;
 use App\Module\Core\Domain\Entity\Role;
 use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Domain\Exception\LastAdminProtectionException;
+use App\Module\Core\Domain\Security\AdminHeadcountGuardInterface;
 use App\Module\Core\Infrastructure\ApiPlatform\State\Processor\UserRbacProcessor;
 use Doctrine\ORM\EntityManagerInterface;
 use Doctrine\ORM\UnitOfWork;
@@ -22,9 +24,9 @@ use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
 /**
- * Tests unitaires du UserRbacProcessor : couvre la garde "auto-suicide" et la
+ * Tests unitaires du UserRbacProcessor : couvre la garde "auto-suicide", la
- * delegation au PersistProcessor Doctrine decore pour les trois champs RBAC
+ * garde "dernier admin global" et la delegation au PersistProcessor Doctrine
- * (isAdmin, roles, directPermissions).
+ * decore pour les trois champs RBAC (isAdmin, roles, directPermissions).
  *
  * @internal
  */
@@ -35,14 +37,16 @@ final class UserRbacProcessorTest extends TestCase
     private EntityManagerInterface&MockObject $entityManager;
     private MockObject&UnitOfWork $unitOfWork;
     private MockObject&Security $security;
+    private AdminHeadcountGuardInterface&MockObject $adminHeadcountGuard;
     private UserRbacProcessor $processor;
 
     protected function setUp(): void
     {
-        $this->persistProcessor = $this->createMock(ProcessorInterface::class);
+        $this->persistProcessor    = $this->createMock(ProcessorInterface::class);
-        $this->entityManager    = $this->createMock(EntityManagerInterface::class);
+        $this->entityManager       = $this->createMock(EntityManagerInterface::class);
-        $this->unitOfWork       = $this->createMock(UnitOfWork::class);
+        $this->unitOfWork          = $this->createMock(UnitOfWork::class);
-        $this->security         = $this->createMock(Security::class);
+        $this->security            = $this->createMock(Security::class);
+        $this->adminHeadcountGuard = $this->createMock(AdminHeadcountGuardInterface::class);
 
         $this->entityManager->method('getUnitOfWork')->willReturn($this->unitOfWork);
 
@@ -50,19 +54,28 @@ final class UserRbacProcessorTest extends TestCase
             $this->persistProcessor,
             $this->entityManager,
             $this->security,
+            $this->adminHeadcountGuard,
         );
     }
 
     public function testPatchPromotesUserToAdminDelegatesToPersistProcessor(): void
     {
-        $target = $this->buildUser(42, 'alice', false);
+        $target = $this->buildUser(42, 'alice', true);
-        $target->setIsAdmin(true);
 
         $currentAdmin = $this->buildUser(1, 'admin', true);
         $this->security->method('getUser')->willReturn($currentAdmin);
 
-        // Cible != user courant : pas de lecture d'UnitOfWork necessaire.
+        // La cible gagne isAdmin (false -> true) : willLoseAdmin = false, donc
-        $this->unitOfWork->expects(self::never())->method('getOriginalEntityData');
+        // getOriginalEntityData est appele mais aucune garde ne bloque.
+        $this->unitOfWork
+            ->method('getOriginalEntityData')
+            ->with($target)
+            ->willReturn([
+                'id'       => 42,
+                'username' => 'alice',
+                'isAdmin'  => false,
+            ])
+        ;
 
         $this->persistProcessor
             ->expects(self::once())
@@ -146,14 +159,30 @@ final class UserRbacProcessorTest extends TestCase
 
     public function testPatchAdminDemotingAnotherUserIsAllowed(): void
     {
-        // Un admin qui retire isAdmin a quelqu'un d'autre : autorise.
+        // Un admin qui retire isAdmin a quelqu'un d'autre : autorise si d'autres
+        // admins existent (guard ne leve pas d'exception).
         $target  = $this->buildUser(42, 'alice', false);
         $current = $this->buildUser(1, 'admin', true);
 
         $this->security->method('getUser')->willReturn($current);
 
-        // Cible != user courant : pas de verification d'auto-suicide.
+        // La cible perd isAdmin (true -> false) : getOriginalEntityData est appele.
-        $this->unitOfWork->expects(self::never())->method('getOriginalEntityData');
+        $this->unitOfWork
+            ->method('getOriginalEntityData')
+            ->with($target)
+            ->willReturn([
+                'id'       => 42,
+                'username' => 'alice',
+                'isAdmin'  => true,
+            ])
+        ;
+
+        // Le garde ne leve pas d'exception : d'autres admins existent.
+        $this->adminHeadcountGuard
+            ->expects(self::once())
+            ->method('ensureAtLeastOneAdminRemainsAfterDemotion')
+            ->with($target)
+        ;
 
         $this->persistProcessor
             ->expects(self::once())
@@ -210,6 +239,150 @@ final class UserRbacProcessorTest extends TestCase
         $this->processor->process(new stdClass(), new Patch());
     }
 
+    // -------------------------------------------------------------------------
+    // Tests de la garde "dernier admin global"
+    // -------------------------------------------------------------------------
+
+    public function testBlocksDemotionWhenLastAdminGlobally(): void
+    {
+        // L'admin courant A tente de retirer isAdmin a l'admin B (le dernier).
+        $adminA = $this->buildUser(1, 'adminA', true);
+        $adminB = $this->buildUser(2, 'adminB', false); // isAdmin -> false dans le PATCH
+
+        $this->security->method('getUser')->willReturn($adminA);
+
+        $this->unitOfWork
+            ->method('getOriginalEntityData')
+            ->with($adminB)
+            ->willReturn([
+                'id'       => 2,
+                'username' => 'adminB',
+                'isAdmin'  => true,
+            ])
+        ;
+
+        // Le garde signale qu'il n'y aurait plus aucun admin.
+        $this->adminHeadcountGuard
+            ->expects(self::once())
+            ->method('ensureAtLeastOneAdminRemainsAfterDemotion')
+            ->with($adminB)
+            ->willThrowException(new LastAdminProtectionException())
+        ;
+
+        $this->persistProcessor->expects(self::never())->method('process');
+
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('Impossible : au moins un administrateur doit rester sur l\'instance.');
+
+        $this->processor->process($adminB, new Patch());
+    }
+
+    public function testDelegatesDemotionWhenAdminsRemain(): void
+    {
+        // L'admin courant A retire isAdmin a l'admin B, mais d'autres admins existent.
+        $adminA = $this->buildUser(1, 'adminA', true);
+        $adminB = $this->buildUser(2, 'adminB', false); // isAdmin -> false dans le PATCH
+
+        $this->security->method('getUser')->willReturn($adminA);
+
+        $this->unitOfWork
+            ->method('getOriginalEntityData')
+            ->with($adminB)
+            ->willReturn([
+                'id'       => 2,
+                'username' => 'adminB',
+                'isAdmin'  => true,
+            ])
+        ;
+
+        // Le garde ne leve pas d'exception : il reste au moins un admin.
+        $this->adminHeadcountGuard
+            ->expects(self::once())
+            ->method('ensureAtLeastOneAdminRemainsAfterDemotion')
+            ->with($adminB)
+        ;
+
+        $this->persistProcessor
+            ->expects(self::once())
+            ->method('process')
+            ->with($adminB)
+            ->willReturn($adminB)
+        ;
+
+        $result = $this->processor->process($adminB, new Patch());
+
+        self::assertSame($adminB, $result);
+    }
+
+    public function testDoesNotCallGuardWhenIsAdminUntouched(): void
+    {
+        // PATCH qui ne touche pas isAdmin (reste false) : la garde ne doit pas etre appelee.
+        $target  = $this->buildUser(42, 'alice', false);
+        $current = $this->buildUser(1, 'admin', true);
+
+        $this->security->method('getUser')->willReturn($current);
+
+        $this->unitOfWork
+            ->method('getOriginalEntityData')
+            ->with($target)
+            ->willReturn([
+                'id'       => 42,
+                'username' => 'alice',
+                'isAdmin'  => false,
+            ])
+        ;
+
+        // isAdmin reste false : willLoseAdmin = false, garde jamais appelee.
+        $this->adminHeadcountGuard
+            ->expects(self::never())
+            ->method('ensureAtLeastOneAdminRemainsAfterDemotion')
+        ;
+
+        $this->persistProcessor
+            ->expects(self::once())
+            ->method('process')
+            ->with($target)
+            ->willReturn($target)
+        ;
+
+        $result = $this->processor->process($target, new Patch());
+
+        self::assertSame($target, $result);
+    }
+
+    public function testAutoSuicideTakesPrecedenceOverLastAdminGlobal(): void
+    {
+        // L'unique admin tente de se retirer lui-meme son propre flag.
+        // La garde auto-suicide doit court-circuiter avant la garde dernier-admin.
+        $self = $this->buildUser(1, 'admin', false); // isAdmin -> false dans le PATCH
+
+        $this->security->method('getUser')->willReturn($self);
+
+        $this->unitOfWork
+            ->method('getOriginalEntityData')
+            ->with($self)
+            ->willReturn([
+                'id'       => 1,
+                'username' => 'admin',
+                'isAdmin'  => true,
+            ])
+        ;
+
+        // La garde dernier-admin ne doit jamais etre appelee : l'auto-suicide
+        // court-circuite avant.
+        $this->adminHeadcountGuard
+            ->expects(self::never())
+            ->method('ensureAtLeastOneAdminRemainsAfterDemotion')
+        ;
+
+        $this->persistProcessor->expects(self::never())->method('process');
+
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('Vous ne pouvez pas retirer vos propres droits administrateur.');
+
+        $this->processor->process($self, new Patch());
+    }
+
     /**
      * Construit un User avec un id force via reflection (les mocks
      * d'UnitOfWork n'alimentent pas l'id tout seul).

tests/Module/Core/Infrastructure/Security/PermissionVoterTest.php

@@ -0,0 +1,221 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Module\Core\Infrastructure\Security;
+
+use App\Module\Core\Domain\Entity\Permission;
+use App\Module\Core\Domain\Entity\Role;
+use App\Module\Core\Domain\Entity\User;
+use App\Module\Core\Infrastructure\Security\PermissionVoter;
+use PHPUnit\Framework\Attributes\DataProvider;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+use Symfony\Component\Security\Core\User\InMemoryUser;
+
+/**
+ * Tests unitaires du PermissionVoter RBAC.
+ *
+ * Le voter est teste via sa methode publique vote() qui retourne une des
+ * trois constantes VoterInterface : ACCESS_GRANTED, ACCESS_DENIED, ACCESS_ABSTAIN.
+ * - ACCESS_ABSTAIN : supports() a retourne false (attribut non-RBAC).
+ * - ACCESS_GRANTED / ACCESS_DENIED : voteOnAttribute() a ete invoque.
+ *
+ * Aucun acces base de donnees : toutes les entites sont construites en memoire.
+ *
+ * @internal
+ */
+class PermissionVoterTest extends TestCase
+{
+    private PermissionVoter $voter;
+
+    protected function setUp(): void
+    {
+        $this->voter = new PermissionVoter();
+    }
+
+    // ---------------------------------------------------------------
+    // Abstention : attributs non-RBAC
+    // ---------------------------------------------------------------
+
+    /**
+     * Le voter s'abstient sur ROLE_ADMIN : commence par une majuscule,
+     * ne correspond pas au pattern snake_case minuscule avec point.
+     */
+    public function testAbstainsOnRoleAdminAttribute(): void
+    {
+        $user  = $this->buildUser(username: 'alice', isAdmin: false);
+        $token = new UsernamePasswordToken($user, 'main', $user->getRoles());
+
+        $result = $this->voter->vote($token, null, ['ROLE_ADMIN']);
+
+        $this->assertSame(VoterInterface::ACCESS_ABSTAIN, $result);
+    }
+
+    /**
+     * Le voter s'abstient sur IS_AUTHENTICATED_FULLY : contient des majuscules,
+     * pas de point de separation conforme au pattern RBAC.
+     */
+    public function testAbstainsOnIsAuthenticatedAttribute(): void
+    {
+        $user  = $this->buildUser(username: 'alice', isAdmin: false);
+        $token = new UsernamePasswordToken($user, 'main', $user->getRoles());
+
+        $result = $this->voter->vote($token, null, ['IS_AUTHENTICATED_FULLY']);
+
+        $this->assertSame(VoterInterface::ACCESS_ABSTAIN, $result);
+    }
+
+    /**
+     * Le voter s'abstient sur des attributs malformes : sans point ou avec
+     * majuscules.
+     */
+    #[DataProvider('malformedAttributeProvider')]
+    public function testAbstainsOnMalformedAttribute(string $attribute): void
+    {
+        $user  = $this->buildUser(username: 'alice', isAdmin: false);
+        $token = new UsernamePasswordToken($user, 'main', $user->getRoles());
+
+        $result = $this->voter->vote($token, null, [$attribute]);
+
+        $this->assertSame(
+            VoterInterface::ACCESS_ABSTAIN,
+            $result,
+            sprintf('Le voter aurait du s\'abstenir pour l\'attribut "%s".', $attribute),
+        );
+    }
+
+    /**
+     * @return array<string, array{string}>
+     */
+    public static function malformedAttributeProvider(): array
+    {
+        return [
+            'sans point'       => ['nodot'],
+            'majuscule milieu' => ['HAS.UPPERCASE'],
+            'commence chiffre' => ['1core.users.view'],
+            'chaine vide'      => [''],
+        ];
+    }
+
+    // ---------------------------------------------------------------
+    // Refus : utilisateur non reconnu
+    // ---------------------------------------------------------------
+
+    /**
+     * Refuse l'acces quand le token ne porte pas une instance de User metier
+     * (ex: InMemoryUser de Symfony).
+     */
+    public function testDeniesWhenUserIsNotAUserEntity(): void
+    {
+        $inMemoryUser = new InMemoryUser('anonymous', null, ['ROLE_USER']);
+        $token        = new UsernamePasswordToken($inMemoryUser, 'main', $inMemoryUser->getRoles());
+
+        $result = $this->voter->vote($token, null, ['core.users.view']);
+
+        $this->assertSame(VoterInterface::ACCESS_DENIED, $result);
+    }
+
+    // ---------------------------------------------------------------
+    // Bypass admin
+    // ---------------------------------------------------------------
+
+    /**
+     * Accorde l'acces systematiquement a un administrateur, meme sans aucune
+     * permission explicite assignee.
+     */
+    public function testGrantsForAdminBypass(): void
+    {
+        // Admin sans role ni permission directe : le bypass doit suffire.
+        $user  = $this->buildUser(username: 'admin', isAdmin: true);
+        $token = new UsernamePasswordToken($user, 'main', $user->getRoles());
+
+        $result = $this->voter->vote($token, null, ['core.users.view']);
+
+        $this->assertSame(VoterInterface::ACCESS_GRANTED, $result);
+    }
+
+    // ---------------------------------------------------------------
+    // Permissions effectives via role
+    // ---------------------------------------------------------------
+
+    /**
+     * Accorde l'acces quand l'utilisateur possede la permission exacte via un role.
+     */
+    public function testGrantsWhenUserHasExactPermission(): void
+    {
+        $permission = new Permission('core.users.view', 'Voir les utilisateurs', 'core');
+        $role       = new Role('viewer', 'Viewer');
+        $role->addPermission($permission);
+
+        $user = $this->buildUser(username: 'alice', isAdmin: false);
+        $user->addRbacRole($role);
+
+        $token = new UsernamePasswordToken($user, 'main', $user->getRoles());
+
+        $result = $this->voter->vote($token, null, ['core.users.view']);
+
+        $this->assertSame(VoterInterface::ACCESS_GRANTED, $result);
+    }
+
+    /**
+     * Refuse l'acces quand l'utilisateur possede une permission differente de
+     * celle demandee.
+     */
+    public function testDeniesWhenUserLacksPermission(): void
+    {
+        $permission = new Permission('core.users.view', 'Voir les utilisateurs', 'core');
+        $role       = new Role('viewer', 'Viewer');
+        $role->addPermission($permission);
+
+        $user = $this->buildUser(username: 'alice', isAdmin: false);
+        $user->addRbacRole($role);
+
+        $token = new UsernamePasswordToken($user, 'main', $user->getRoles());
+
+        // L'utilisateur a core.users.view mais pas core.roles.manage.
+        $result = $this->voter->vote($token, null, ['core.roles.manage']);
+
+        $this->assertSame(VoterInterface::ACCESS_DENIED, $result);
+    }
+
+    // ---------------------------------------------------------------
+    // Permissions directes (hors roles)
+    // ---------------------------------------------------------------
+
+    /**
+     * Accorde l'acces via une permission directe (assignee sans passer par un role).
+     */
+    public function testGrantsForDirectPermission(): void
+    {
+        $permission = new Permission('core.users.view', 'Voir les utilisateurs', 'core');
+
+        $user = $this->buildUser(username: 'bob', isAdmin: false);
+        $user->addDirectPermission($permission);
+
+        $token = new UsernamePasswordToken($user, 'main', $user->getRoles());
+
+        $result = $this->voter->vote($token, null, ['core.users.view']);
+
+        $this->assertSame(VoterInterface::ACCESS_GRANTED, $result);
+    }
+
+    // ---------------------------------------------------------------
+    // Helpers
+    // ---------------------------------------------------------------
+
+    /**
+     * Construit un User metier minimal sans persistance.
+     */
+    private function buildUser(string $username, bool $isAdmin): User
+    {
+        $user = new User();
+        $user->setUsername($username);
+        $user->setIsAdmin($isAdmin);
+        // Mot de passe factice pour satisfaire PasswordAuthenticatedUserInterface.
+        $user->setPassword('hashed_placeholder');
+
+        return $user;
+    }
+}