Documents the Wakdo API conventions (lowercase + snake_case paths, plural
resources, data/error envelope, SCREAMING_SNAKE error codes, snake_case fields aligned
with the dictionary) and the endpoint listing (in service in P2 + P3-P5 projection). Records
the known divergence with the legacy kiosk JSON fallback and the data.js mapping point.
Request::formBody() decodes a urlencoded POST (the back-office login is a
form, not JSON); Request::clientIp() resolves the real client IP behind
Traefik (last valid X-Forwarded-For hop, falling back to REMOTE_ADDR). Database::transaction()
wraps a set of writes in an atomic begin/commit with rollback on exception
(RG-T08); DatabaseInterface extracts the data-access seam to make services
testable with a double. Response gains read accessors (body/header/headers)
for controller tests. Everything is additive and backward-compatible.
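An added PHP sketch of the resolution rule the message above describes for Request::clientIp() (last valid X-Forwarded-For hop, REMOTE_ADDR fallback); it is not the project's code. The function name resolveClientIp, the trusted-proxy list and all addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper, not the project's Request::clientIp().
// Assumption: the header is only honoured when the TCP peer is a known proxy.
function resolveClientIp(array $server, array $trustedProxies): string
{
    $remote    = (string) ($server['REMOTE_ADDR'] ?? '');
    $forwarded = (string) ($server['HTTP_X_FORWARDED_FOR'] ?? '');

    // A direct client can send any X-Forwarded-For it likes, so ignore the
    // header unless the connection really comes from the reverse proxy.
    if ($forwarded === '' || !in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // The proxy appends the peer address it saw, so read from the right:
    // entries further left were supplied by the client and are untrusted.
    $hops = array_reverse(array_map('trim', explode(',', $forwarded)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
            return $hop; // last syntactically valid hop
        }
    }

    return $remote; // nothing usable in the header
}

// Constructed requests; 172.18.0.2 stands in for the Traefik container.
$proxies = ['172.18.0.2'];
$cases = [
    'client spoofs first hop' => ['REMOTE_ADDR' => '172.18.0.2',
        'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.7'],
    'garbage header'          => ['REMOTE_ADDR' => '172.18.0.2',
        'HTTP_X_FORWARDED_FOR' => 'unknown, <script>'],
    'direct hit, forged XFF'  => ['REMOTE_ADDR' => '198.51.100.9',
        'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
];
foreach ($cases as $label => $server) {
    printf("%-24s => %s\n", $label, resolveClientIp($server, $proxies));
}
```

Any per-IP throttling or lockout keyed on this value is only as reliable as the trusted-proxy list, since a request that reaches the application without passing through the proxy controls the header entirely.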
Wires ARGON2_*, ACCOUNT_LOCKOUT_*, IP_THROTTLE_*, STAFF_PIN_MIN_LENGTH and
PASSWORD_RESET_TTL into the environment block of wakdo-app so that the auth layer
reads its cost and throttling parameters (already present in .env.example).
Records the alignment review of all project docs and the point-by-point
decision session: drop commande_event, English naming convention, VAT
carried by product (after BOFiP fact-check), real menu customization,
full ingredient configurator, allergen modal. Lists open points D4-D8.
Baseline of the P1 conception work produced over sessions 5-7 (was
uncommitted in the working tree). 11-entity model, French naming.
Superseded next by the prod-like revision (English, ~16 entities) per
the 2026-06-04 decision session - this commit preserves the baseline
in history before that rewrite.
payment.html - card / cash choice with inline SVG icons; both simulate payment (MVP)
confirmation.html - order number WK-<base36 timestamp>, cart cleared on load,
new-order button resets flow to index.html
Displays line items with - / + controls and delete button.
VAT 10% (FR restaurant sector 2024, simplified).
TODO in P3: verify rate with accountant (eat-in vs takeaway + product type).
Abandon button clears cart and returns to categories.
Normalizes produits.json:
- Prix converted from float EUR to integer centimes
- Image paths rewritten to match actual filesystem (lowercase, dashes)
- Added type field ('produit'|'menu') on each entry
- Added slug field to categories.json
In P4, swap fetch URLs in assets/js/data.js (marked with TODO comments).
- Welcome screen (index.html): background photo, white card, Sur Place / A Emporter
choice buttons with verified school illustrations; pure HTML <a> navigation, no JS
- Category grid (categories.html): 9 categories from categories.json rendered as 3-col
card grid with verified category images; stub links to products.html?category=<id>
- Design system CSS (assets/css/style.css): CSS custom properties for brand yellow
#FFC72C, spacing scale, border-radius, shadows extracted from maquette PDF;
BEM-style component classes; WCAG AA focus-visible rings; kiosk portrait 1080px primary
Switch from Mermaid to drawio for MCD diagrams to gain manual layout
control on the global view (10 entities + 10 associations, intrinsic
planarity not resolved by Mermaid auto-layout).
- mcd-global.drawio : 10 entities + 8 associations (compact view without attributes)
- mcd-catalogue.drawio : Categorie / Produit / Menu / MenuProduit with attributes
- mcd-commande.drawio : Commande / LigneCommande + polymorphism towards Produit/Menu
- mcd-rbac.drawio : User / Role / Permission / RolePermission
Merise notation (min,max) on each side of the association. Starting
layout to be refined manually in drawio web (Edit Diagram -> XML).
SVG to be regenerated by exporting from drawio web.
Bottom-up derivation from school JSON sources + PROJECT_CONTEXT business rules.
Covers : Categorie, Produit, Menu, MenuProduit, Commande, LigneCommande,
User, Role, Permission, RolePermission. Decisions documented :
prices in INT cents, VAT in per-mille, polymorphic FK with snapshots
on ligne_commande, dynamic roles vs static permissions for RBAC.
Three changes bundled because the stubs surfaced two pre-existing infra bugs
that had never been hit (the smoke test only exercised PHP via 'docker exec',
not via the full Apache->PHP-FPM FastCGI path).
- src/public/borne/index.html : minimal HTML stub for the kiosk vhost
(200 OK with the imported logo)
- src/public/admin/index.php : minimal PHP stub that proves the full
FastCGI chain works end-to-end (renders PHP_VERSION + current timestamp)
- docker/apache/vhost.conf : add 'DirectoryIndex index.php index.html' on
the admin vhost. Without it, hitting / returned 403 because the default
Apache DirectoryIndex is index.html only, and the existing RewriteRule
did not apply to the directory request (!-d cond was false).
- docker/php-fpm/www.conf : comment out 'listen.allowed_clients = any'.
PHP-FPM 8.3 rejects 'any' with 'Wrong IP address' and ends up dropping
every connection from Apache. With the directive absent, all connections
are accepted, which is acceptable in our isolated Docker network.