P1 conception: security-by-design layer (Merise 21 entities, Forgejo CI/CD, hardening) #3

Merged

Corentin merged 17 commits from feat/p1-conception into dev 2026-06-15 12:16:12 +02:00

Conversation 0 Commits 17 Files changed 35 +2016 -1026

Corentin commented 2026-06-15 12:14:56 +02:00

Owner

Copy link

Description

P1 conception - couche security-by-design complete.

• Merise SbD : dictionnaire, MCD, MLD, MCT, MLT etendus a 21 entites (login_throttle, audit_log, stock en %, RGPD). Diagrammes MCD par sous-domaine en Mermaid + SVG.
• Threat model : STRIDE + classification des donnees (PROJECT_CONTEXT 19) + sequence securite (UML).
• Infra/config : .env.example (argon2/lockout/throttle/retention), php.ini durci, gitleaks, script branch-protection.
• CI/CD Forgejo Actions : secret-scan + php-lint + static-tests (gardes), auto-merge sur CI verte.
• Doc : SECURITY.md, runner setup, PROJECT_CONTEXT aligne Forgejo, planning rechiffre.

Type

• docs
• chore

Bloc RNCP impacte

Bloc 2 (Cr 3.a/3.b modelisation, Cr 3.d RGPD), Bloc 5 (CI/CD, infra securite).

Base de la PR

• La base de cette PR est dev (et non main)

## Description P1 conception - couche security-by-design complete. - **Merise SbD** : dictionnaire, MCD, MLD, MCT, MLT etendus a 21 entites (login_throttle, audit_log, stock en %, RGPD). Diagrammes MCD par sous-domaine en Mermaid + SVG. - **Threat model** : STRIDE + classification des donnees (PROJECT_CONTEXT 19) + sequence securite (UML). - **Infra/config** : .env.example (argon2/lockout/throttle/retention), php.ini durci, gitleaks, script branch-protection. - **CI/CD Forgejo Actions** : secret-scan + php-lint + static-tests (gardes), auto-merge sur CI verte. - **Doc** : SECURITY.md, runner setup, PROJECT_CONTEXT aligne Forgejo, planning rechiffre. ## Type - [x] docs - [x] chore ## Bloc RNCP impacte Bloc 2 (Cr 3.a/3.b modelisation, Cr 3.d RGPD), Bloc 5 (CI/CD, infra securite). ## Base de la PR - [x] La base de cette PR est `dev` (et non `main`)

Corentin added 17 commits 2026-06-15 12:14:57 +02:00

docs(merise): add security-by-design layer to data dictionary ... fadf0bd630

Adds audit_log (20) and login_throttle (21); user auth lifecycle (pin_hash,
failed_login_attempts, lockout_until, reset token, anonymized_at); customer_order
acting_user_id + idempotency_key; percentage stock model on ingredient (signed
stock_quantity, stock_capacity, low_stock_pct, critical_stock_pct). 21 entities.

docs(merise): extend MCD with security-by-design entities and percentage stock model ... a1692b6b80

Adds audit_log + login_throttle; security columns on user/customer_order; fixes
product_ingredient drift (quantity -> quantity_normal/quantity_maxi); percentage stock
model and computed product availability. 21 entities, cross-validation 21/21.

docs(merise): add security-by-design tables to MLD ... 14348ba340

audit_log + login_throttle tables; user auth/PIN/anonymisation columns; customer_order
acting_user_id + idempotency_key; ingredient percentage stock columns (drop CHECK
stock_quantity >= 0, add stock_capacity, low_stock_pct, critical_stock_pct). 21 tables.

docs(merise): add security-by-design operations to MCT ... 0f57a44a75

ERASE_USER_PII (RGPD anonymisation) and RESET_PASSWORD; PIN-gated sensitive set writing
audit_log; auth throttling via login_throttle; computed product availability on catalogue
read. Cross-validation 21/21.

docs(merise): add security-by-design treatment rules to MLT ... 5c34f6b2e3

Transverse rules RG-T13-T21 (PIN, audit, escaping, allowlists, idempotency, atomic stock
decrement, computed availability); RGPD erasure and password reset flows; per-IP
login_throttle table with daily purge cron; atomic stock decrement replaces pessimistic
FOR UPDATE.

docs(context): align CI/CD on Forgejo Actions, integrate security-by-design layer, rechiffer planning d305a095fc

docs(uml): add security sequence + v0.2 drift fixes (sequence, state, use-cases) fae5c23722

chore(security): SbD parameters in .env.example + hardened php.ini 2d33e9d442

ci(security): gitleaks config, branch-protection script, Forgejo runner setup doc bf82ba25e6

ci(security): Forgejo Actions CI (gitleaks + php-lint + guarded phpstan/phpunit), SECURITY.md, PR auto-merge script 84ed730e8d

ci: also run CI on push to feat/fix/ci/refactor branches (pre-PR feedback) a5058c02cd

ci: trigger on any push (diagnostic - will scope down once dispatch confirmed) 7a10e2519a

ci: scope push trigger to dev/main + feature branches (final) 6cccaf8ad7

ci: trigger first Forgejo Actions run (actions enabled on prod) f65daf3a27

docs(merise): replace stale v0.1 drawio with per-subdomain Mermaid + SVG (21 entities) 371c029e8a

Merge remote-tracking branch 'origin/dev' into feat/p1-conception ... d555988b81

# Conflicts:
#	.forgejo/workflows/ci.yml

docs(ci): add security-by-design checklist to PR template be53b7e5e0

Corentin scheduled this pull request to auto merge when all checks succeed 2026-06-15 12:15:21 +02:00

Corentin merged commit 32ff6a63ba into dev 2026-06-15 12:16:12 +02:00

Corentin referenced this pull request from a commit 2026-06-15 12:16:12 +02:00

P1 conception: security-by-design layer (Merise 21 entities, Forgejo CI/CD, hardening) (#3)

Corentin referenced this pull request from a commit 2026-06-19 18:28:29 +02:00

feat(borne): composeur menu pilote par les slots /api/menus (P5 L2)

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

auto-merge

Fusion automatique sur CI verte

No labels

auto-merge

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: AcadeNice/corentin_wakdo#3

No description provided.