npm - @atlashub/smartstack-cli - Versions diffs - 1.5.1 → 1.5.2 - Mend

@atlashub/smartstack-cli 1.5.1 → 1.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (147) hide show

package/.documentation/css/styles.css +2168 -2168
package/.documentation/js/app.js +794 -794
package/config/default-config.json +86 -86
package/config/settings.json +53 -53
package/config/settings.local.example.json +16 -16
package/dist/index.js +0 -0
package/dist/index.js.map +1 -1
package/package.json +88 -88
package/templates/agents/action.md +36 -36
package/templates/agents/efcore/conflicts.md +84 -84
package/templates/agents/efcore/db-deploy.md +51 -51
package/templates/agents/efcore/db-reset.md +59 -59
package/templates/agents/efcore/db-seed.md +56 -56
package/templates/agents/efcore/db-status.md +64 -64
package/templates/agents/efcore/migration.md +85 -85
package/templates/agents/efcore/rebase-snapshot.md +62 -62
package/templates/agents/efcore/scan.md +90 -90
package/templates/agents/efcore/squash.md +67 -67
package/templates/agents/explore-codebase.md +65 -65
package/templates/agents/explore-docs.md +97 -97
package/templates/agents/fix-grammar.md +49 -49
package/templates/agents/gitflow/abort.md +45 -45
package/templates/agents/gitflow/cleanup.md +85 -85
package/templates/agents/gitflow/commit.md +40 -40
package/templates/agents/gitflow/exec.md +48 -48
package/templates/agents/gitflow/finish.md +92 -92
package/templates/agents/gitflow/init.md +139 -139
package/templates/agents/gitflow/merge.md +62 -62
package/templates/agents/gitflow/plan.md +42 -42
package/templates/agents/gitflow/pr.md +78 -78
package/templates/agents/gitflow/review.md +49 -49
package/templates/agents/gitflow/start.md +61 -61
package/templates/agents/gitflow/status.md +32 -32
package/templates/agents/snipper.md +36 -36
package/templates/agents/websearch.md +46 -46
package/templates/commands/_resources/formatting-guide.md +124 -124
package/templates/commands/ai-prompt.md +315 -315
package/templates/commands/apex/1-analyze.md +100 -100
package/templates/commands/apex/2-plan.md +145 -145
package/templates/commands/apex/3-execute.md +171 -171
package/templates/commands/apex/4-examine.md +116 -116
package/templates/commands/apex/5-tasks.md +209 -209
package/templates/commands/apex.md +76 -76
package/templates/commands/application/create.md +362 -362
package/templates/commands/application/templates-backend.md +463 -463
package/templates/commands/application/templates-frontend.md +517 -517
package/templates/commands/application/templates-i18n.md +478 -478
package/templates/commands/application/templates-seed.md +362 -362
package/templates/commands/application.md +303 -303
package/templates/commands/business-analyse/0-orchestrate.md +640 -640
package/templates/commands/business-analyse/1-init.md +269 -269
package/templates/commands/business-analyse/2-discover.md +520 -520
package/templates/commands/business-analyse/3-analyse.md +408 -408
package/templates/commands/business-analyse/4-specify.md +598 -598
package/templates/commands/business-analyse/5-validate.md +326 -326
package/templates/commands/business-analyse/6-handoff.md +746 -746
package/templates/commands/business-analyse/7-doc-html.md +602 -602
package/templates/commands/business-analyse/bug.md +325 -325
package/templates/commands/business-analyse/change-request.md +368 -368
package/templates/commands/business-analyse/hotfix.md +200 -200
package/templates/commands/business-analyse.md +640 -640
package/templates/commands/controller/create.md +216 -216
package/templates/commands/controller/postman-templates.md +528 -528
package/templates/commands/controller/templates.md +600 -600
package/templates/commands/controller.md +337 -337
package/templates/commands/create/agent.md +138 -138
package/templates/commands/create/command.md +166 -166
package/templates/commands/create/hook.md +234 -234
package/templates/commands/create/plugin.md +329 -329
package/templates/commands/create/project.md +507 -507
package/templates/commands/create/skill.md +199 -199
package/templates/commands/create.md +220 -220
package/templates/commands/debug.md +95 -95
package/templates/commands/documentation/module.md +202 -202
package/templates/commands/documentation/templates.md +432 -432
package/templates/commands/documentation.md +190 -190
package/templates/commands/efcore/_env-check.md +153 -153
package/templates/commands/efcore/conflicts.md +186 -186
package/templates/commands/efcore/db-deploy.md +193 -193
package/templates/commands/efcore/db-reset.md +426 -426
package/templates/commands/efcore/db-seed.md +326 -326
package/templates/commands/efcore/db-status.md +226 -226
package/templates/commands/efcore/migration.md +400 -400
package/templates/commands/efcore/rebase-snapshot.md +264 -264
package/templates/commands/efcore/scan.md +198 -198
package/templates/commands/efcore/squash.md +298 -298
package/templates/commands/efcore.md +224 -224
package/templates/commands/epct.md +69 -69
package/templates/commands/explain.md +186 -186
package/templates/commands/explore.md +45 -45
package/templates/commands/feature-full.md +267 -267
package/templates/commands/gitflow/1-init.md +1038 -1038
package/templates/commands/gitflow/10-start.md +768 -768
package/templates/commands/gitflow/11-finish.md +457 -457
package/templates/commands/gitflow/12-cleanup.md +276 -276
package/templates/commands/gitflow/13-sync.md +216 -216
package/templates/commands/gitflow/14-rebase.md +251 -251
package/templates/commands/gitflow/2-status.md +277 -277
package/templates/commands/gitflow/3-commit.md +344 -344
package/templates/commands/gitflow/4-plan.md +145 -145
package/templates/commands/gitflow/5-exec.md +147 -147
package/templates/commands/gitflow/6-abort.md +344 -344
package/templates/commands/gitflow/7-pull-request.md +453 -355
package/templates/commands/gitflow/8-review.md +240 -176
package/templates/commands/gitflow/9-merge.md +451 -365
package/templates/commands/gitflow.md +128 -128
package/templates/commands/implement.md +663 -663
package/templates/commands/init.md +567 -567
package/templates/commands/mcp-integration.md +330 -330
package/templates/commands/notification.md +129 -129
package/templates/commands/oneshot.md +57 -57
package/templates/commands/quick-search.md +72 -72
package/templates/commands/ralph-loop/cancel-ralph.md +18 -18
package/templates/commands/ralph-loop/help.md +126 -126
package/templates/commands/ralph-loop/ralph-loop.md +18 -18
package/templates/commands/review.md +106 -106
package/templates/commands/utils/test-web-config.md +160 -160
package/templates/commands/utils/test-web.md +151 -151
package/templates/commands/validate.md +233 -233
package/templates/commands/workflow.md +193 -193
package/templates/gitflow/config.json +138 -138
package/templates/hooks/ef-migration-check.md +139 -139
package/templates/hooks/hooks.json +25 -25
package/templates/hooks/stop-hook.sh +177 -177
package/templates/skills/ai-prompt/SKILL.md +778 -778
package/templates/skills/application/SKILL.md +563 -563
package/templates/skills/application/templates-backend.md +450 -450
package/templates/skills/application/templates-frontend.md +531 -531
package/templates/skills/application/templates-i18n.md +520 -520
package/templates/skills/application/templates-seed.md +647 -647
package/templates/skills/business-analyse/SKILL.md +191 -191
package/templates/skills/business-analyse/questionnaire.md +283 -283
package/templates/skills/business-analyse/templates-frd.md +477 -477
package/templates/skills/business-analyse/templates-react.md +580 -580
package/templates/skills/controller/SKILL.md +240 -240
package/templates/skills/controller/postman-templates.md +614 -614
package/templates/skills/controller/templates.md +1468 -1468
package/templates/skills/documentation/SKILL.md +133 -133
package/templates/skills/documentation/templates.md +476 -476
package/templates/skills/feature-full/SKILL.md +838 -838
package/templates/skills/notification/SKILL.md +555 -555
package/templates/skills/ui-components/SKILL.md +870 -870
package/templates/skills/workflow/SKILL.md +582 -582
package/templates/test-web/api-health.json +38 -38
package/templates/test-web/minimal.json +19 -19
package/templates/test-web/npm-package.json +46 -46
package/templates/test-web/seo-check.json +54 -54

package/templates/skills/controller/templates.md CHANGED Viewed

@@ -1,1468 +1,1468 @@
-# Templates Controller SmartStack
-> **Note:** Ces templates sont utilisés par le skill `controller` et la commande `/controller:create`.
-> Adapter les variables `{Area}`, `{Module}`, `{Entity}`, `{PermissionPath}` selon le contexte.
----
-## Template CRUD Controller (Standard)
-```csharp
-// src/SmartStack.Api/Controllers/{Area}/{Module}Controller.cs
-using Microsoft.AspNetCore.Authorization;
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.EntityFrameworkCore;
-using SmartStack.Application.Common.Authorization;
-using SmartStack.Application.Common.Interfaces;
-using SmartStack.Api.Authorization;
-using SmartStack.Domain.{DomainNamespace};
-namespace SmartStack.Api.Controllers.{Area};
-[ApiController]
-[Route("api/{area-kebab}/{module-kebab}")]
-[Authorize]
-[Tags("{Module}")]
-public class {Module}Controller : ControllerBase
-{
-    private readonly IApplicationDbContext _context;
-    private readonly ICurrentUserService _currentUser;
-    private readonly ILogger<{Module}Controller> _logger;
-    public {Module}Controller(
-        IApplicationDbContext context,
-        ICurrentUserService currentUser,
-        ILogger<{Module}Controller> logger)
-    {
-        _context = context;
-        _currentUser = currentUser;
-        _logger = logger;
-    }
-    #region GET - List with Pagination
-    [HttpGet]
-    [RequirePermission(Permissions.{PermissionClass}.View)]
-    [ProducesResponseType(typeof(PagedResult<{Entity}ListDto>), StatusCodes.Status200OK)]
-    public async Task<ActionResult<PagedResult<{Entity}ListDto>>> Get{Module}(
-        [FromQuery] int page = 1,
-        [FromQuery] int pageSize = 20,
-        [FromQuery] string? search = null,
-        CancellationToken cancellationToken = default)
-    {
-        var query = _context.{DbSet}.AsQueryable();
-        // Search filter
-        if (!string.IsNullOrWhiteSpace(search))
-        {
-            var searchLower = search.ToLower();
-            query = query.Where(x =>
-                x.Name.ToLower().Contains(searchLower) ||
-                x.Description != null && x.Description.ToLower().Contains(searchLower));
-        }
-        var totalCount = await query.CountAsync(cancellationToken);
-        var items = await query
-            .OrderBy(x => x.Name)
-            .Skip((page - 1) * pageSize)
-            .Take(pageSize)
-            .Select(x => new {Entity}ListDto(
-                x.Id,
-                x.Name,
-                x.Description,
-                x.IsActive,
-                x.CreatedAt
-            ))
-            .ToListAsync(cancellationToken);
-        _logger.LogInformation("User {User} retrieved {Count} {Module}",
-            _currentUser.Email, items.Count, "{Module}");
-        return Ok(new PagedResult<{Entity}ListDto>(items, totalCount, page, pageSize));
-    }
-    #endregion
-    #region GET - Single by ID
-    [HttpGet("{id:guid}")]
-    [RequirePermission(Permissions.{PermissionClass}.View)]
-    [ProducesResponseType(typeof({Entity}DetailDto), StatusCodes.Status200OK)]
-    [ProducesResponseType(StatusCodes.Status404NotFound)]
-    public async Task<ActionResult<{Entity}DetailDto>> Get{Entity}(
-        Guid id,
-        CancellationToken cancellationToken)
-    {
-        var entity = await _context.{DbSet}
-            .FirstOrDefaultAsync(x => x.Id == id, cancellationToken);
-        if (entity == null)
-            return NotFound(new { message = "{Entity} not found" });
-        return Ok(new {Entity}DetailDto(
-            entity.Id,
-            entity.Name,
-            entity.Description,
-            entity.IsActive,
-            entity.CreatedAt,
-            entity.UpdatedAt
-        ));
-    }
-    #endregion
-    #region POST - Create
-    [HttpPost]
-    [RequirePermission(Permissions.{PermissionClass}.Create)]
-    [ProducesResponseType(typeof({Entity}DetailDto), StatusCodes.Status201Created)]
-    [ProducesResponseType(StatusCodes.Status400BadRequest)]
-    [ProducesResponseType(StatusCodes.Status409Conflict)]
-    public async Task<ActionResult<{Entity}DetailDto>> Create{Entity}(
-        [FromBody] Create{Entity}Request request,
-        CancellationToken cancellationToken)
-    {
-        // Check for duplicates
-        var exists = await _context.{DbSet}
-            .AnyAsync(x => x.Name == request.Name, cancellationToken);
-        if (exists)
-            return Conflict(new { message = "{Entity} with this name already exists" });
-        var entity = {Entity}.Create(
-            request.Name,
-            request.Description
-        );
-        _context.{DbSet}.Add(entity);
-        await _context.SaveChangesAsync(cancellationToken);
-        _logger.LogInformation("User {User} created {Entity} {EntityId} ({Name})",
-            _currentUser.Email, entity.Id, entity.Name);
-        return CreatedAtAction(
-            nameof(Get{Entity}),
-            new { id = entity.Id },
-            new {Entity}DetailDto(
-                entity.Id,
-                entity.Name,
-                entity.Description,
-                entity.IsActive,
-                entity.CreatedAt,
-                entity.UpdatedAt
-            ));
-    }
-    #endregion
-    #region PUT - Update
-    [HttpPut("{id:guid}")]
-    [RequirePermission(Permissions.{PermissionClass}.Update)]
-    [ProducesResponseType(typeof({Entity}DetailDto), StatusCodes.Status200OK)]
-    [ProducesResponseType(StatusCodes.Status404NotFound)]
-    [ProducesResponseType(StatusCodes.Status409Conflict)]
-    public async Task<ActionResult<{Entity}DetailDto>> Update{Entity}(
-        Guid id,
-        [FromBody] Update{Entity}Request request,
-        CancellationToken cancellationToken)
-    {
-        var entity = await _context.{DbSet}
-            .FirstOrDefaultAsync(x => x.Id == id, cancellationToken);
-        if (entity == null)
-            return NotFound(new { message = "{Entity} not found" });
-        // Check for duplicate name (excluding current)
-        if (!string.IsNullOrEmpty(request.Name))
-        {
-            var duplicate = await _context.{DbSet}
-                .AnyAsync(x => x.Name == request.Name && x.Id != id, cancellationToken);
-            if (duplicate)
-                return Conflict(new { message = "{Entity} with this name already exists" });
-        }
-        entity.Update(
-            request.Name ?? entity.Name,
-            request.Description ?? entity.Description
-        );
-        await _context.SaveChangesAsync(cancellationToken);
-        _logger.LogInformation("User {User} updated {Entity} {EntityId}",
-            _currentUser.Email, entity.Id);
-        return Ok(new {Entity}DetailDto(
-            entity.Id,
-            entity.Name,
-            entity.Description,
-            entity.IsActive,
-            entity.CreatedAt,
-            entity.UpdatedAt
-        ));
-    }
-    #endregion
-    #region PATCH - Activate/Deactivate
-    [HttpPatch("{id:guid}/activate")]
-    [RequirePermission(Permissions.{PermissionClass}.Update)]
-    [ProducesResponseType(StatusCodes.Status204NoContent)]
-    [ProducesResponseType(StatusCodes.Status404NotFound)]
-    public async Task<IActionResult> Activate{Entity}(
-        Guid id,
-        CancellationToken cancellationToken)
-    {
-        var entity = await _context.{DbSet}
-            .FirstOrDefaultAsync(x => x.Id == id, cancellationToken);
-        if (entity == null)
-            return NotFound(new { message = "{Entity} not found" });
-        entity.Activate();
-        await _context.SaveChangesAsync(cancellationToken);
-        _logger.LogInformation("User {User} activated {Entity} {EntityId}",
-            _currentUser.Email, entity.Id);
-        return NoContent();
-    }
-    [HttpPatch("{id:guid}/deactivate")]
-    [RequirePermission(Permissions.{PermissionClass}.Update)]
-    [ProducesResponseType(StatusCodes.Status204NoContent)]
-    [ProducesResponseType(StatusCodes.Status404NotFound)]
-    public async Task<IActionResult> Deactivate{Entity}(
-        Guid id,
-        CancellationToken cancellationToken)
-    {
-        var entity = await _context.{DbSet}
-            .FirstOrDefaultAsync(x => x.Id == id, cancellationToken);
-        if (entity == null)
-            return NotFound(new { message = "{Entity} not found" });
-        entity.Deactivate();
-        await _context.SaveChangesAsync(cancellationToken);
-        _logger.LogWarning("User {User} deactivated {Entity} {EntityId}",
-            _currentUser.Email, entity.Id);
-        return NoContent();
-    }
-    #endregion
-    #region DELETE
-    [HttpDelete("{id:guid}")]
-    [RequirePermission(Permissions.{PermissionClass}.Delete)]
-    [ProducesResponseType(StatusCodes.Status204NoContent)]
-    [ProducesResponseType(StatusCodes.Status404NotFound)]
-    [ProducesResponseType(StatusCodes.Status400BadRequest)]
-    public async Task<IActionResult> Delete{Entity}(
-        Guid id,
-        CancellationToken cancellationToken)
-    {
-        var entity = await _context.{DbSet}
-            .FirstOrDefaultAsync(x => x.Id == id, cancellationToken);
-        if (entity == null)
-            return NotFound(new { message = "{Entity} not found" });
-        // Check for dependencies before deletion
-        // var hasReferences = await _context.ChildEntities.AnyAsync(x => x.{Entity}Id == id, ct);
-        // if (hasReferences)
-        //     return BadRequest(new { message = "Cannot delete: has dependent records" });
-        _context.{DbSet}.Remove(entity);
-        await _context.SaveChangesAsync(cancellationToken);
-        _logger.LogWarning("User {User} deleted {Entity} {EntityId} ({Name})",
-            _currentUser.Email, id, entity.Name);
-        return NoContent();
-    }
-    #endregion
-}
-#region DTOs
-public record {Entity}ListDto(
-    Guid Id,
-    string Name,
-    string? Description,
-    bool IsActive,
-    DateTime CreatedAt
-);
-public record {Entity}DetailDto(
-    Guid Id,
-    string Name,
-    string? Description,
-    bool IsActive,
-    DateTime CreatedAt,
-    DateTime? UpdatedAt
-);
-public record Create{Entity}Request(
-    string Name,
-    string? Description
-);
-public record Update{Entity}Request(
-    string? Name,
-    string? Description
-);
-public record PagedResult<T>(
-    List<T> Items,
-    int TotalCount,
-    int Page,
-    int PageSize
-)
-{
-    public int TotalPages => (int)Math.Ceiling((double)TotalCount / PageSize);
-    public bool HasPrevious => Page > 1;
-    public bool HasNext => Page < TotalPages;
-}
-#endregion
-```
----
-## Template Auth Controller (Login/Logout)
-```csharp
-// src/SmartStack.Api/Controllers/AuthController.cs
-// NOTE: Ce controller existe déjà - utiliser comme référence pour patterns auth
-using Microsoft.AspNetCore.Authorization;
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.EntityFrameworkCore;
-using Microsoft.Extensions.Options;
-using SmartStack.Application.Common.Interfaces;
-using SmartStack.Application.Common.Settings;
-using SmartStack.Domain.Platform.Administration.Users;
-namespace SmartStack.Api.Controllers;
-[ApiController]
-[Route("api/[controller]")]
-public class AuthController : ControllerBase
-{
-    private readonly IApplicationDbContext _context;
-    private readonly IPasswordService _passwordService;
-    private readonly IJwtService _jwtService;
-    private readonly IUserSessionService _sessionService;
-    private readonly ISessionValidationService _sessionValidationService;
-    private readonly SessionSettings _sessionSettings;
-    private readonly ILogger<AuthController> _logger;
-    // ... Constructor avec tous les services auth
-    #region Login - LOGS CRITIQUES OBLIGATOIRES
-    [HttpPost("login")]
-    [AllowAnonymous]
-    [ProducesResponseType(typeof(LoginResponse), StatusCodes.Status200OK)]
-    [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status401Unauthorized)]
-    public async Task<ActionResult<LoginResponse>> Login(
-        [FromBody] LoginRequest request,
-        CancellationToken cancellationToken)
-    {
-        var ipAddress = GetClientIpAddress();
-        var userAgent = Request.Headers.UserAgent.ToString();
-        var user = await _context.Users
-            .Include(u => u.UserRoles)
-                .ThenInclude(ur => ur.Role)
-                    .ThenInclude(r => r!.RolePermissions)
-                        .ThenInclude(rp => rp.Permission)
-            .FirstOrDefaultAsync(u => u.Email == request.Email, cancellationToken);
-        // ============================================
-        // LOGS CRITIQUES - NE JAMAIS OMETTRE
-        // ============================================
-        if (user == null)
-        {
-            // WARNING: User not found (potential enumeration)
-            _logger.LogWarning(
-                "Login failed: User not found - {Email} from {IpAddress}",
-                request.Email, ipAddress);
-            return Unauthorized(new ErrorResponse("Identifiants invalides", "INVALID_CREDENTIALS"));
-        }
-        if (!user.IsActive)
-        {
-            // WARNING: Disabled account
-            _logger.LogWarning(
-                "Login failed: Account disabled - {Email} from {IpAddress}",
-                request.Email, ipAddress);
-            return Unauthorized(new ErrorResponse("Compte désactivé", "ACCOUNT_DISABLED"));
-        }
-        if (user.IsLocked)
-        {
-            // CRITICAL: Locked account attempt
-            _logger.LogCritical(
-                "SECURITY: Login attempt on locked account - User: {Email} (ID: {UserId}) from {IpAddress}",
-                request.Email, user.Id, ipAddress);
-            return Unauthorized(new ErrorResponse("Compte verrouillé", "ACCOUNT_LOCKED_BY_ADMIN"));
-        }
-        // Check brute force protection
-        var recentFailedAttempts = await _context.UserSessions
-            .Where(s => s.UserId == user.Id && !s.IsSuccessful && s.LoginAt > DateTime.UtcNow.AddMinutes(-15))
-            .CountAsync(cancellationToken);
-        if (recentFailedAttempts >= 5)
-        {
-            // CRITICAL: Too many failed attempts
-            _logger.LogCritical(
-                "SECURITY: Account temporarily locked due to brute force - User: {Email} (ID: {UserId}) from {IpAddress}",
-                request.Email, user.Id, ipAddress);
-            return Unauthorized(new ErrorResponse("Compte temporairement verrouillé", "ACCOUNT_LOCKED"));
-        }
-        if (!_passwordService.VerifyPassword(request.Password, user.PasswordHash))
-        {
-            // WARNING: Invalid password with remaining attempts
-            var remainingAttempts = 5 - recentFailedAttempts - 1;
-            _logger.LogWarning(
-                "Login failed: Invalid password - {Email} from {IpAddress}, remaining attempts: {Remaining}",
-                request.Email, ipAddress, remainingAttempts);
-            // Log failed attempt to session
-            await _sessionService.LogFailedLoginAsync(user.Id, ipAddress, userAgent, cancellationToken);
-            return Unauthorized(new ErrorResponse("Mot de passe incorrect", "INVALID_PASSWORD"));
-        }
-        // ============================================
-        // SUCCESS - Generate tokens
-        // ============================================
-        var roles = user.UserRoles.Select(ur => ur.Role!.Name).ToList();
-        var permissions = user.UserRoles
-            .SelectMany(ur => ur.Role!.RolePermissions)
-            .Select(rp => rp.Permission!.Path)
-            .Distinct()
-            .ToList();
-        var accessToken = _jwtService.GenerateAccessToken(user, roles, permissions);
-        var refreshToken = _jwtService.GenerateRefreshToken();
-        await _sessionService.LogLoginAsync(user.Id, accessToken, ipAddress, userAgent, cancellationToken: cancellationToken);
-        // INFO: Successful login
-        _logger.LogInformation(
-            "User logged in successfully: {Email} from {IpAddress}",
-            user.Email, ipAddress);
-        return Ok(new LoginResponse(accessToken, refreshToken, /* UserInfo */));
-    }
-    #endregion
-    #region Logout
-    [HttpPost("logout")]
-    [Authorize]
-    [ProducesResponseType(StatusCodes.Status204NoContent)]
-    public async Task<IActionResult> Logout(CancellationToken cancellationToken)
-    {
-        var token = Request.Headers.Authorization.ToString().Replace("Bearer ", "");
-        await _sessionService.LogLogoutAsync(token, cancellationToken);
-        _logger.LogInformation("User logged out: {UserId}", User.FindFirst("sub")?.Value);
-        return NoContent();
-    }
-    #endregion
-    #region Change Password - LOG WARNING
-    [HttpPost("change-password")]
-    [Authorize]
-    [ProducesResponseType(typeof(ChangePasswordResponse), StatusCodes.Status200OK)]
-    [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status400BadRequest)]
-    public async Task<ActionResult<ChangePasswordResponse>> ChangePassword(
-        [FromBody] ChangePasswordRequest request,
-        CancellationToken cancellationToken)
-    {
-        // ... validation logic
-        user.UpdatePassword(newPasswordHash);
-        await _context.SaveChangesAsync(cancellationToken);
-        // Invalidate ALL sessions after password change
-        await _sessionService.InvalidateAllUserSessionsAsync(userId, "Password changed", cancellationToken);
-        // WARNING: Sensitive operation
-        _logger.LogWarning(
-            "Password changed for user {Email} - All sessions invalidated",
-            user.Email);
-        return Ok(new ChangePasswordResponse("Mot de passe modifié", true));
-    }
-    #endregion
-    private string GetClientIpAddress()
-    {
-        var forwardedFor = Request.Headers["X-Forwarded-For"].FirstOrDefault();
-        if (!string.IsNullOrEmpty(forwardedFor))
-            return forwardedFor.Split(',')[0].Trim();
-        return HttpContext.Connection.RemoteIpAddress?.ToString() ?? "Unknown";
-    }
-}
-```
----
-## Template Permissions Constants
-```csharp
-// src/SmartStack.Application/Common/Authorization/Permissions.cs
-// AJOUTER dans la classe existante
-public static class Permissions
-{
-    // ... existing permissions ...
-    public static class {PermissionClass}
-    {
-        public const string Access = "{permission.path}";
-        public const string View = "{permission.path}.read";
-        public const string Create = "{permission.path}.create";
-        public const string Update = "{permission.path}.update";
-        public const string Delete = "{permission.path}.delete";
-        // Optionnel selon module
-        public const string Assign = "{permission.path}.assign";
-        public const string Execute = "{permission.path}.execute";
-        public const string Export = "{permission.path}.export";
-    }
-}
-```
----
-## Template PermissionConfiguration Seed
-> **CRITIQUE:** Ce template est OBLIGATOIRE. Sans ces entrées, tous les appels API retourneront 403 Forbidden.
-```csharp
-// src/SmartStack.Infrastructure/Persistence/Configurations/Navigation/PermissionConfiguration.cs
-// AJOUTER dans la méthode Configure(), section HasData
-// ============================================
-// ÉTAPE 1: Déclarer le ModuleId
-// ============================================
-// Vérifier dans ModuleConfiguration.cs si le module existe déjà
-// Sinon, créer le module d'abord via /application skill
-var {module}ModuleId = Guid.Parse("{GUID-DU-MODULE}");  // Récupérer depuis ModuleConfiguration.cs
-// ============================================
-// ÉTAPE 2: Ajouter les permissions (HasData)
-// ============================================
-// Pattern: {context}.{application}.{module}.{action}
-// Exemple: platform.administration.users.read
-var seedDate = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc);
-builder.HasData(
-    // Wildcard permission (accès complet au module)
-    new
-    {
-        Id = Guid.Parse("{NOUVEAU-GUID-1}"),
-        Path = "{context}.{application}.{module}.*",
-        Level = PermissionLevel.Module,
-        Action = (PermissionAction?)null,
-        IsWildcard = true,
-        ModuleId = {module}ModuleId,
-        Description = "Full {module} management",
-        CreatedAt = seedDate
-    },
-    // Read permission
-    new
-    {
-        Id = Guid.Parse("{NOUVEAU-GUID-2}"),
-        Path = "{context}.{application}.{module}.read",
-        Level = PermissionLevel.Module,
-        Action = PermissionAction.Read,
-        IsWildcard = false,
-        ModuleId = {module}ModuleId,
-        Description = "View {module}",
-        CreatedAt = seedDate
-    },
-    // Create permission
-    new
-    {
-        Id = Guid.Parse("{NOUVEAU-GUID-3}"),
-        Path = "{context}.{application}.{module}.create",
-        Level = PermissionLevel.Module,
-        Action = PermissionAction.Create,
-        IsWildcard = false,
-        ModuleId = {module}ModuleId,
-        Description = "Create {module}",
-        CreatedAt = seedDate
-    },
-    // Update permission
-    new
-    {
-        Id = Guid.Parse("{NOUVEAU-GUID-4}"),
-        Path = "{context}.{application}.{module}.update",
-        Level = PermissionLevel.Module,
-        Action = PermissionAction.Update,
-        IsWildcard = false,
-        ModuleId = {module}ModuleId,
-        Description = "Update {module}",
-        CreatedAt = seedDate
-    },
-    // Delete permission
-    new
-    {
-        Id = Guid.Parse("{NOUVEAU-GUID-5}"),
-        Path = "{context}.{application}.{module}.delete",
-        Level = PermissionLevel.Module,
-        Action = PermissionAction.Delete,
-        IsWildcard = false,
-        ModuleId = {module}ModuleId,
-        Description = "Delete {module}",
-        CreatedAt = seedDate
-    }
-    // Actions optionnelles selon le module:
-    // - PermissionAction.Assign  → Pour assigner des ressources/rôles
-    // - PermissionAction.Execute → Pour exécuter des actions (export, etc.)
-);
-```
-### Génération de GUIDs
-```bash
-# PowerShell (Windows)
-[guid]::NewGuid().ToString()
-# Bash (Linux/Mac)
-uuidgen | tr '[:upper:]' '[:lower:]'
-```
-### Validation Cohérence Permissions.cs ↔ PermissionConfiguration.cs
-> **RÈGLE:** Chaque constante dans `Permissions.cs` DOIT avoir une entrée correspondante dans `PermissionConfiguration.cs`
-```
-┌─────────────────────────────────────────────────────────────────────────────┐
-│                         VALIDATION DE COHÉRENCE                             │
-├─────────────────────────────────────────────────────────────────────────────┤
-│                                                                             │
-│  Permissions.cs                    PermissionConfiguration.cs               │
-│  ──────────────────────────────    ──────────────────────────────────────   │
-│  Permissions.Support.Tickets.View  →  Path = "platform.support.tickets.read"│
-│  Permissions.Support.Tickets.Create→  Path = "platform.support.tickets.create"│
-│  Permissions.Support.Tickets.Update→  Path = "platform.support.tickets.update"│
-│  Permissions.Support.Tickets.Delete→  Path = "platform.support.tickets.delete"│
-│                                                                             │
-│  ⚠️  ERREUR FRÉQUENTE:                                                      │
-│  - Permissions.cs: "platform.support.tickets.read"                          │
-│  - PermissionConfiguration.cs: MANQUANT                                     │
-│  → Résultat: 403 Forbidden pour TOUS les utilisateurs                       │
-│                                                                             │
-└─────────────────────────────────────────────────────────────────────────────┘
-```
-### Commande post-génération
-Après avoir ajouté les entrées dans les deux fichiers:
-```bash
-# 1. Créer la migration
-/efcore:migration Add{Module}Permissions
-# 2. Appliquer la migration
-/efcore:db-deploy
-# 3. Vérifier (optionnel)
-/efcore:db-status
-```
----
-## Template Controller avec Relations
-```csharp
-// Pour les controllers avec entités liées (ex: Tickets avec Comments)
-#region GET with Includes
-[HttpGet("{id:guid}")]
-[RequirePermission(Permissions.{PermissionClass}.View)]
-[ProducesResponseType(typeof({Entity}DetailDto), StatusCodes.Status200OK)]
-[ProducesResponseType(StatusCodes.Status404NotFound)]
-public async Task<ActionResult<{Entity}DetailDto>> Get{Entity}(
-    Guid id,
-    CancellationToken cancellationToken)
-{
-    var entity = await _context.{DbSet}
-        .Include(x => x.CreatedByUser)
-        .Include(x => x.AssignedToUser)
-        .Include(x => x.Comments)
-            .ThenInclude(c => c.Author)
-        .Include(x => x.Attachments)
-        .FirstOrDefaultAsync(x => x.Id == id, cancellationToken);
-    if (entity == null)
-        return NotFound(new { message = "{Entity} not found" });
-    return Ok(MapToDetailDto(entity));
-}
-#endregion
-#region Nested Resources
-[HttpGet("{parentId:guid}/children")]
-[RequirePermission(Permissions.{PermissionClass}.View)]
-[ProducesResponseType(typeof(List<ChildDto>), StatusCodes.Status200OK)]
-public async Task<ActionResult<List<ChildDto>>> GetChildren(
-    Guid parentId,
-    CancellationToken cancellationToken)
-{
-    var children = await _context.Children
-        .Where(x => x.ParentId == parentId)
-        .OrderByDescending(x => x.CreatedAt)
-        .Select(x => new ChildDto(x.Id, x.Name, x.CreatedAt))
-        .ToListAsync(cancellationToken);
-    return Ok(children);
-}
-[HttpPost("{parentId:guid}/children")]
-[RequirePermission(Permissions.{PermissionClass}.Create)]
-[ProducesResponseType(typeof(ChildDto), StatusCodes.Status201Created)]
-public async Task<ActionResult<ChildDto>> AddChild(
-    Guid parentId,
-    [FromBody] CreateChildRequest request,
-    CancellationToken cancellationToken)
-{
-    var parent = await _context.{DbSet}
-        .FirstOrDefaultAsync(x => x.Id == parentId, cancellationToken);
-    if (parent == null)
-        return NotFound(new { message = "Parent not found" });
-    var child = Child.Create(parentId, request.Name, _currentUser.UserId!.Value);
-    _context.Children.Add(child);
-    await _context.SaveChangesAsync(cancellationToken);
-    _logger.LogInformation("User {User} added child to {Entity} {ParentId}",
-        _currentUser.Email, parentId);
-    return CreatedAtAction(
-        nameof(GetChildren),
-        new { parentId },
-        new ChildDto(child.Id, child.Name, child.CreatedAt));
-}
-#endregion
-```
----
-## Patterns Réutilisables
-### Error Response Standard
-```csharp
-public record ErrorResponse(string Message, string? Code = null);
-// Usage:
-return BadRequest(new ErrorResponse("Validation failed", "VALIDATION_ERROR"));
-return Conflict(new ErrorResponse("Already exists", "DUPLICATE"));
-return NotFound(new { message = "Resource not found" });
-```
-### Pagination Query Extension
-```csharp
-public static class QueryableExtensions
-{
-    public static async Task<PagedResult<T>> ToPagedResultAsync<T>(
-        this IQueryable<T> query,
-        int page,
-        int pageSize,
-        CancellationToken ct = default)
-    {
-        var totalCount = await query.CountAsync(ct);
-        var items = await query
-            .Skip((page - 1) * pageSize)
-            .Take(pageSize)
-            .ToListAsync(ct);
-        return new PagedResult<T>(items, totalCount, page, pageSize);
-    }
-}
-```
-### Log Context Pattern
-```csharp
-// Toujours inclure le contexte utilisateur dans les logs
-_logger.LogInformation(
-    "User {User} ({UserId}) performed {Action} on {Entity} {EntityId}",
-    _currentUser.Email,
-    _currentUser.UserId,
-    "Create",
-    "{Entity}",
-    entity.Id);
-```
----
-## Template Section-Level Permissions (Level 4)
-> **Usage:** Quand un Module a plusieurs sous-pages/onglets avec permissions différentes (ex: AI → Dashboard, Settings, Prompts)
-### Permissions.cs - Section
-```csharp
-// src/SmartStack.Application/Common/Authorization/Permissions.cs
-public static class Admin
-{
-    public static class {Module}
-    {
-        // Section permissions (Level 4)
-        public static class {Section}
-        {
-            public const string View = "{context}.{application}.{module}.{section}.read";
-            public const string Create = "{context}.{application}.{module}.{section}.create";
-            public const string Update = "{context}.{application}.{module}.{section}.update";
-            public const string Delete = "{context}.{application}.{module}.{section}.delete";
-            public const string Execute = "{context}.{application}.{module}.{section}.execute";
-        }
-    }
-}
-```
-### PermissionConfiguration.cs - Section Seed
-```csharp
-// src/SmartStack.Infrastructure/Persistence/Configurations/Navigation/PermissionConfiguration.cs
-// AJOUTER dans la méthode Configure(), section HasData
-// ============================================
-// ÉTAPE 1: Déclarer le SectionId
-// ============================================
-// Récupérer depuis NavigationSectionConfiguration.cs
-var {section}SectionId = Guid.Parse("{GUID-DE-LA-SECTION}");
-// ============================================
-// ÉTAPE 2: Ajouter les permissions Section (Level 4)
-// ============================================
-// Pattern: {context}.{application}.{module}.{section}.{action}
-// Exemple: platform.administration.ai.settings.read
-builder.HasData(
-    // Wildcard permission (accès complet à la section)
-    new
-    {
-        Id = Guid.Parse("{NOUVEAU-GUID-1}"),
-        Path = "{context}.{application}.{module}.{section}.*",
-        Level = PermissionLevel.Section,
-        Action = (PermissionAction?)null,
-        IsWildcard = true,
-        SectionId = {section}SectionId,
-        Description = "Full {section} access",
-        CreatedAt = seedDate
-    },
-    // Read permission
-    new
-    {
-        Id = Guid.Parse("{NOUVEAU-GUID-2}"),
-        Path = "{context}.{application}.{module}.{section}.read",
-        Level = PermissionLevel.Section,
-        Action = PermissionAction.Read,
-        IsWildcard = false,
-        SectionId = {section}SectionId,
-        Description = "View {section}",
-        CreatedAt = seedDate
-    },
-    // Create permission
-    new
-    {
-        Id = Guid.Parse("{NOUVEAU-GUID-3}"),
-        Path = "{context}.{application}.{module}.{section}.create",
-        Level = PermissionLevel.Section,
-        Action = PermissionAction.Create,
-        IsWildcard = false,
-        SectionId = {section}SectionId,
-        Description = "Create in {section}",
-        CreatedAt = seedDate
-    },
-    // Update permission
-    new
-    {
-        Id = Guid.Parse("{NOUVEAU-GUID-4}"),
-        Path = "{context}.{application}.{module}.{section}.update",
-        Level = PermissionLevel.Section,
-        Action = PermissionAction.Update,
-        IsWildcard = false,
-        SectionId = {section}SectionId,
-        Description = "Update in {section}",
-        CreatedAt = seedDate
-    },
-    // Delete permission
-    new
-    {
-        Id = Guid.Parse("{NOUVEAU-GUID-5}"),
-        Path = "{context}.{application}.{module}.{section}.delete",
-        Level = PermissionLevel.Section,
-        Action = PermissionAction.Delete,
-        IsWildcard = false,
-        SectionId = {section}SectionId,
-        Description = "Delete in {section}",
-        CreatedAt = seedDate
-    },
-    // Execute permission (optionnel)
-    new
-    {
-        Id = Guid.Parse("{NOUVEAU-GUID-6}"),
-        Path = "{context}.{application}.{module}.{section}.execute",
-        Level = PermissionLevel.Section,
-        Action = PermissionAction.Execute,
-        IsWildcard = false,
-        SectionId = {section}SectionId,
-        Description = "Execute actions in {section}",
-        CreatedAt = seedDate
-    }
-);
-```
----
-## Template Resource-Level Permissions (Level 5)
-> **Usage:** Pour le niveau de granularité le plus fin (ex: Prompts → Blocks, Users → Profiles)
-> **CRITIQUE:** Utilisé quand une Section contient des sous-ressources avec permissions distinctes
-### Permissions.cs - Resource
-```csharp
-// src/SmartStack.Application/Common/Authorization/Permissions.cs
-public static class Admin
-{
-    public static class {Module}
-    {
-        public static class {Section}
-        {
-            // Section-level permissions...
-            // Resource permissions (Level 5 - finest granularity)
-            public static class {Resource}
-            {
-                public const string View = "{context}.{application}.{module}.{section}.{resource}.read";
-                public const string Create = "{context}.{application}.{module}.{section}.{resource}.create";
-                public const string Update = "{context}.{application}.{module}.{section}.{resource}.update";
-                public const string Delete = "{context}.{application}.{module}.{section}.{resource}.delete";
-            }
-        }
-    }
-}
-```
-### PermissionConfiguration.cs - Resource Seed
-```csharp
-// src/SmartStack.Infrastructure/Persistence/Configurations/Navigation/PermissionConfiguration.cs
-// AJOUTER dans la méthode Configure(), section HasData
-// ============================================
-// ÉTAPE 1: Déclarer le ResourceId
-// ============================================
-// Récupérer depuis NavigationResourceConfiguration.cs
-var {resource}ResourceId = Guid.Parse("{GUID-DE-LA-RESOURCE}");
-// ============================================
-// ÉTAPE 2: Ajouter les permissions Resource (Level 5)
-// ============================================
-// Pattern: {context}.{application}.{module}.{section}.{resource}.{action}
-// Exemple: platform.administration.ai.prompts.blocks.read
-builder.HasData(
-    // Wildcard permission (accès complet à la resource)
-    new
-    {
-        Id = Guid.Parse("{NOUVEAU-GUID-1}"),
-        Path = "{context}.{application}.{module}.{section}.{resource}.*",
-        Level = PermissionLevel.Resource,
-        Action = (PermissionAction?)null,
-        IsWildcard = true,
-        ResourceId = {resource}ResourceId,
-        Description = "Full {resource} access",
-        CreatedAt = seedDate
-    },
-    // Read permission
-    new
-    {
-        Id = Guid.Parse("{NOUVEAU-GUID-2}"),
-        Path = "{context}.{application}.{module}.{section}.{resource}.read",
-        Level = PermissionLevel.Resource,
-        Action = PermissionAction.Read,
-        IsWildcard = false,
-        ResourceId = {resource}ResourceId,
-        Description = "View {resource}",
-        CreatedAt = seedDate
-    },
-    // Create permission
-    new
-    {
-        Id = Guid.Parse("{NOUVEAU-GUID-3}"),
-        Path = "{context}.{application}.{module}.{section}.{resource}.create",
-        Level = PermissionLevel.Resource,
-        Action = PermissionAction.Create,
-        IsWildcard = false,
-        ResourceId = {resource}ResourceId,
-        Description = "Create {resource}",
-        CreatedAt = seedDate
-    },
-    // Update permission
-    new
-    {
-        Id = Guid.Parse("{NOUVEAU-GUID-4}"),
-        Path = "{context}.{application}.{module}.{section}.{resource}.update",
-        Level = PermissionLevel.Resource,
-        Action = PermissionAction.Update,
-        IsWildcard = false,
-        ResourceId = {resource}ResourceId,
-        Description = "Update {resource}",
-        CreatedAt = seedDate
-    },
-    // Delete permission
-    new
-    {
-        Id = Guid.Parse("{NOUVEAU-GUID-5}"),
-        Path = "{context}.{application}.{module}.{section}.{resource}.delete",
-        Level = PermissionLevel.Resource,
-        Action = PermissionAction.Delete,
-        IsWildcard = false,
-        ResourceId = {resource}ResourceId,
-        Description = "Delete {resource}",
-        CreatedAt = seedDate
-    }
-);
-```
----
-## Template Bulk Operations (Insertion en Masse)
-> **OBLIGATOIRE:** Toujours prévoir les endpoints bulk lors de la création d'un controller CRUD
-### Permissions.cs - Bulk Operations
-```csharp
-// src/SmartStack.Application/Common/Authorization/Permissions.cs
-public static class {Module}
-{
-    // CRUD standard
-    public const string View = "{path}.read";
-    public const string Create = "{path}.create";
-    public const string Update = "{path}.update";
-    public const string Delete = "{path}.delete";
-    // Bulk operations (OBLIGATOIRE pour tout module CRUD)
-    public const string BulkCreate = "{path}.bulk-create";
-    public const string BulkUpdate = "{path}.bulk-update";
-    public const string BulkDelete = "{path}.bulk-delete";
-    public const string Export = "{path}.export";
-    public const string Import = "{path}.import";
-}
-```
-### PermissionConfiguration.cs - Bulk Permissions Seed
-```csharp
-// Ajouter après les permissions CRUD standard
-// Bulk Create permission
-new
-{
-    Id = Guid.Parse("{NOUVEAU-GUID-BULK-1}"),
-    Path = "{context}.{application}.{module}.bulk-create",
-    Level = PermissionLevel.Module,
-    Action = PermissionAction.Create,
-    IsWildcard = false,
-    ModuleId = {module}ModuleId,
-    Description = "Bulk create {module}",
-    CreatedAt = seedDate
-},
-// Bulk Update permission
-new
-{
-    Id = Guid.Parse("{NOUVEAU-GUID-BULK-2}"),
-    Path = "{context}.{application}.{module}.bulk-update",
-    Level = PermissionLevel.Module,
-    Action = PermissionAction.Update,
-    IsWildcard = false,
-    ModuleId = {module}ModuleId,
-    Description = "Bulk update {module}",
-    CreatedAt = seedDate
-},
-// Bulk Delete permission
-new
-{
-    Id = Guid.Parse("{NOUVEAU-GUID-BULK-3}"),
-    Path = "{context}.{application}.{module}.bulk-delete",
-    Level = PermissionLevel.Module,
-    Action = PermissionAction.Delete,
-    IsWildcard = false,
-    ModuleId = {module}ModuleId,
-    Description = "Bulk delete {module}",
-    CreatedAt = seedDate
-},
-// Export permission
-new
-{
-    Id = Guid.Parse("{NOUVEAU-GUID-EXPORT}"),
-    Path = "{context}.{application}.{module}.export",
-    Level = PermissionLevel.Module,
-    Action = PermissionAction.Execute,
-    IsWildcard = false,
-    ModuleId = {module}ModuleId,
-    Description = "Export {module} data",
-    CreatedAt = seedDate
-},
-// Import permission
-new
-{
-    Id = Guid.Parse("{NOUVEAU-GUID-IMPORT}"),
-    Path = "{context}.{application}.{module}.import",
-    Level = PermissionLevel.Module,
-    Action = PermissionAction.Create,
-    IsWildcard = false,
-    ModuleId = {module}ModuleId,
-    Description = "Import {module} data",
-    CreatedAt = seedDate
-}
-```
-### Controller Endpoints - Bulk Operations
-```csharp
-// src/SmartStack.Api/Controllers/{Area}/{Module}Controller.cs
-// AJOUTER après les endpoints CRUD standard
-#region BULK OPERATIONS
-/// <summary>
-/// Bulk create multiple entities
-/// </summary>
-[HttpPost("bulk")]
-[RequirePermission(Permissions.{PermissionClass}.BulkCreate)]
-[ProducesResponseType(typeof(BulkOperationResult<{Entity}Dto>), StatusCodes.Status201Created)]
-[ProducesResponseType(StatusCodes.Status400BadRequest)]
-public async Task<ActionResult<BulkOperationResult<{Entity}Dto>>> BulkCreate{Entity}(
-    [FromBody] List<Create{Entity}Request> requests,
-    CancellationToken cancellationToken)
-{
-    if (requests == null || requests.Count == 0)
-        return BadRequest(new { message = "No items provided" });
-    if (requests.Count > 100)
-        return BadRequest(new { message = "Maximum 100 items per bulk operation" });
-    var results = new List<{Entity}Dto>();
-    var errors = new List<BulkOperationError>();
-    for (int i = 0; i < requests.Count; i++)
-    {
-        try
-        {
-            var entity = {Entity}.Create(
-                requests[i].Name,
-                requests[i].Description
-            );
-            _context.{DbSet}.Add(entity);
-            results.Add(new {Entity}Dto(entity.Id, entity.Name));
-        }
-        catch (Exception ex)
-        {
-            errors.Add(new BulkOperationError(i, requests[i].Name, ex.Message));
-        }
-    }
-    await _context.SaveChangesAsync(cancellationToken);
-    _logger.LogInformation("User {User} bulk created {Count} {Entity}(s), {Errors} error(s)",
-        _currentUser.Email, results.Count, errors.Count);
-    return CreatedAtAction(
-        nameof(Get{Module}),
-        new BulkOperationResult<{Entity}Dto>(results, errors, results.Count, errors.Count));
-}
-/// <summary>
-/// Bulk update multiple entities
-/// </summary>
-[HttpPut("bulk")]
-[RequirePermission(Permissions.{PermissionClass}.BulkUpdate)]
-[ProducesResponseType(typeof(BulkOperationResult), StatusCodes.Status200OK)]
-[ProducesResponseType(StatusCodes.Status400BadRequest)]
-public async Task<ActionResult<BulkOperationResult>> BulkUpdate{Entity}(
-    [FromBody] List<BulkUpdate{Entity}Request> requests,
-    CancellationToken cancellationToken)
-{
-    if (requests == null || requests.Count == 0)
-        return BadRequest(new { message = "No items provided" });
-    if (requests.Count > 100)
-        return BadRequest(new { message = "Maximum 100 items per bulk operation" });
-    var ids = requests.Select(r => r.Id).ToList();
-    var entities = await _context.{DbSet}
-        .Where(x => ids.Contains(x.Id))
-        .ToDictionaryAsync(x => x.Id, cancellationToken);
-    var updated = 0;
-    var errors = new List<BulkOperationError>();
-    for (int i = 0; i < requests.Count; i++)
-    {
-        if (!entities.TryGetValue(requests[i].Id, out var entity))
-        {
-            errors.Add(new BulkOperationError(i, requests[i].Id.ToString(), "Entity not found"));
-            continue;
-        }
-        try
-        {
-            entity.Update(
-                requests[i].Name ?? entity.Name,
-                requests[i].Description ?? entity.Description
-            );
-            updated++;
-        }
-        catch (Exception ex)
-        {
-            errors.Add(new BulkOperationError(i, requests[i].Id.ToString(), ex.Message));
-        }
-    }
-    await _context.SaveChangesAsync(cancellationToken);
-    _logger.LogInformation("User {User} bulk updated {Count} {Entity}(s), {Errors} error(s)",
-        _currentUser.Email, updated, errors.Count);
-    return Ok(new BulkOperationResult(updated, errors.Count, errors));
-}
-/// <summary>
-/// Bulk delete multiple entities by IDs
-/// </summary>
-[HttpDelete("bulk")]
-[RequirePermission(Permissions.{PermissionClass}.BulkDelete)]
-[ProducesResponseType(typeof(BulkOperationResult), StatusCodes.Status200OK)]
-[ProducesResponseType(StatusCodes.Status400BadRequest)]
-public async Task<ActionResult<BulkOperationResult>> BulkDelete{Entity}(
-    [FromBody] List<Guid> ids,
-    CancellationToken cancellationToken)
-{
-    if (ids == null || ids.Count == 0)
-        return BadRequest(new { message = "No IDs provided" });
-    if (ids.Count > 100)
-        return BadRequest(new { message = "Maximum 100 items per bulk operation" });
-    var entities = await _context.{DbSet}
-        .Where(x => ids.Contains(x.Id))
-        .ToListAsync(cancellationToken);
-    var deleted = entities.Count;
-    var notFound = ids.Count - deleted;
-    _context.{DbSet}.RemoveRange(entities);
-    await _context.SaveChangesAsync(cancellationToken);
-    _logger.LogWarning("User {User} bulk deleted {Count} {Entity}(s), {NotFound} not found",
-        _currentUser.Email, deleted, notFound);
-    var errors = notFound > 0
-        ? new List<BulkOperationError> { new(-1, "N/A", $"{notFound} entities not found") }
-        : new List<BulkOperationError>();
-    return Ok(new BulkOperationResult(deleted, errors.Count, errors));
-}
-/// <summary>
-/// Export entities to CSV/Excel
-/// </summary>
-[HttpGet("export")]
-[RequirePermission(Permissions.{PermissionClass}.Export)]
-[ProducesResponseType(typeof(FileContentResult), StatusCodes.Status200OK)]
-public async Task<IActionResult> Export{Module}(
-    [FromQuery] string format = "csv",
-    [FromQuery] string? search = null,
-    CancellationToken cancellationToken = default)
-{
-    var query = _context.{DbSet}.AsQueryable();
-    if (!string.IsNullOrWhiteSpace(search))
-    {
-        var searchLower = search.ToLower();
-        query = query.Where(x => x.Name.ToLower().Contains(searchLower));
-    }
-    var entities = await query.ToListAsync(cancellationToken);
-    _logger.LogInformation("User {User} exported {Count} {Entity}(s) to {Format}",
-        _currentUser.Email, entities.Count, format);
-    // Implement CSV/Excel export logic here
-    // Using libraries like CsvHelper or ClosedXML
-    var content = format.ToLower() switch
-    {
-        "xlsx" => GenerateExcel(entities),
-        _ => GenerateCsv(entities)
-    };
-    var contentType = format.ToLower() == "xlsx"
-        ? "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
-        : "text/csv";
-    var fileName = $"{module}-export-{DateTime.UtcNow:yyyyMMdd-HHmmss}.{format}";
-    return File(content, contentType, fileName);
-}
-#endregion
-#region Bulk DTOs
-public record BulkOperationResult(
-    int SuccessCount,
-    int ErrorCount,
-    List<BulkOperationError> Errors);
-public record BulkOperationResult<T>(
-    List<T> Created,
-    List<BulkOperationError> Errors,
-    int SuccessCount,
-    int ErrorCount);
-public record BulkOperationError(
-    int Index,
-    string Identifier,
-    string Message);
-public record BulkUpdate{Entity}Request(
-    Guid Id,
-    string? Name,
-    string? Description);
-#endregion
-```
----
-## Hiérarchie Complète des Permissions
-```
-┌─────────────────────────────────────────────────────────────────────────────────┐
-│                    HIÉRARCHIE COMPLÈTE DES PERMISSIONS                          │
-├─────────────────────────────────────────────────────────────────────────────────┤
-│                                                                                 │
-│  Level 1: CONTEXT                                                               │
-│  └─ Path: {context}.*                                                           │
-│     └─ Ex: platform.* → Accès complet au context platform                       │
-│                                                                                 │
-│  Level 2: APPLICATION                                                           │
-│  └─ Path: {context}.{application}.*                                             │
-│     └─ Ex: platform.administration.* → Accès complet à l'administration         │
-│                                                                                 │
-│  Level 3: MODULE                                                                │
-│  └─ Path: {context}.{application}.{module}.{action}                             │
-│     └─ Ex: platform.administration.users.read → Lecture des users               │
-│     └─ BULK: platform.administration.users.bulk-create → Création en masse      │
-│                                                                                 │
-│  Level 4: SECTION                                                               │
-│  └─ Path: {context}.{application}.{module}.{section}.{action}                   │
-│     └─ Ex: platform.administration.ai.settings.update → MAJ paramètres IA       │
-│                                                                                 │
-│  Level 5: RESOURCE (finest granularity)                                         │
-│  └─ Path: {context}.{application}.{module}.{section}.{resource}.{action}        │
-│     └─ Ex: platform.administration.ai.prompts.blocks.delete → Suppr. blocs      │
-│                                                                                 │
-└─────────────────────────────────────────────────────────────────────────────────┘
-```
----
-## Checklist Controller avec Permissions Complètes
-```
-□ CRUD Standard
-  □ GET /api/.../           → {path}.read
-  □ GET /api/.../{id}       → {path}.read
-  □ POST /api/.../          → {path}.create
-  □ PUT /api/.../{id}       → {path}.update
-  □ DELETE /api/.../{id}    → {path}.delete
-□ Bulk Operations
-  □ POST /api/.../bulk      → {path}.bulk-create
-  □ PUT /api/.../bulk       → {path}.bulk-update
-  □ DELETE /api/.../bulk    → {path}.bulk-delete
-□ Export/Import
-  □ GET /api/.../export     → {path}.export
-  □ POST /api/.../import    → {path}.import
-□ Permissions Configurées
-  □ Permissions.cs - Constantes définies
-  □ PermissionConfiguration.cs - Seed HasData
-  □ Migration EF Core créée
-  □ Migration appliquée
-□ Niveau Permission Correct
-  □ Module (Level 3) - Pour CRUD principal
-  □ Section (Level 4) - Si sous-pages avec perms différentes
-  □ Resource (Level 5) - Si sous-ressources avec perms distinctes
-```
+# Templates Controller SmartStack
+> **Note:** Ces templates sont utilisés par le skill `controller` et la commande `/controller:create`.
+> Adapter les variables `{Area}`, `{Module}`, `{Entity}`, `{PermissionPath}` selon le contexte.
+---
+## Template CRUD Controller (Standard)
+```csharp
+// src/SmartStack.Api/Controllers/{Area}/{Module}Controller.cs
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
+using SmartStack.Application.Common.Authorization;
+using SmartStack.Application.Common.Interfaces;
+using SmartStack.Api.Authorization;
+using SmartStack.Domain.{DomainNamespace};
+namespace SmartStack.Api.Controllers.{Area};
+[ApiController]
+[Route("api/{area-kebab}/{module-kebab}")]
+[Authorize]
+[Tags("{Module}")]
+public class {Module}Controller : ControllerBase
+{
+    private readonly IApplicationDbContext _context;
+    private readonly ICurrentUserService _currentUser;
+    private readonly ILogger<{Module}Controller> _logger;
+    public {Module}Controller(
+        IApplicationDbContext context,
+        ICurrentUserService currentUser,
+        ILogger<{Module}Controller> logger)
+    {
+        _context = context;
+        _currentUser = currentUser;
+        _logger = logger;
+    }
+    #region GET - List with Pagination
+    [HttpGet]
+    [RequirePermission(Permissions.{PermissionClass}.View)]
+    [ProducesResponseType(typeof(PagedResult<{Entity}ListDto>), StatusCodes.Status200OK)]
+    public async Task<ActionResult<PagedResult<{Entity}ListDto>>> Get{Module}(
+        [FromQuery] int page = 1,
+        [FromQuery] int pageSize = 20,
+        [FromQuery] string? search = null,
+        CancellationToken cancellationToken = default)
+    {
+        var query = _context.{DbSet}.AsQueryable();
+        // Search filter
+        if (!string.IsNullOrWhiteSpace(search))
+        {
+            var searchLower = search.ToLower();
+            query = query.Where(x =>
+                x.Name.ToLower().Contains(searchLower) ||
+                x.Description != null && x.Description.ToLower().Contains(searchLower));
+        }
+        var totalCount = await query.CountAsync(cancellationToken);
+        var items = await query
+            .OrderBy(x => x.Name)
+            .Skip((page - 1) * pageSize)
+            .Take(pageSize)
+            .Select(x => new {Entity}ListDto(
+                x.Id,
+                x.Name,
+                x.Description,
+                x.IsActive,
+                x.CreatedAt
+            ))
+            .ToListAsync(cancellationToken);
+        _logger.LogInformation("User {User} retrieved {Count} {Module}",
+            _currentUser.Email, items.Count, "{Module}");
+        return Ok(new PagedResult<{Entity}ListDto>(items, totalCount, page, pageSize));
+    }
+    #endregion
+    #region GET - Single by ID
+    [HttpGet("{id:guid}")]
+    [RequirePermission(Permissions.{PermissionClass}.View)]
+    [ProducesResponseType(typeof({Entity}DetailDto), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<ActionResult<{Entity}DetailDto>> Get{Entity}(
+        Guid id,
+        CancellationToken cancellationToken)
+    {
+        var entity = await _context.{DbSet}
+            .FirstOrDefaultAsync(x => x.Id == id, cancellationToken);
+        if (entity == null)
+            return NotFound(new { message = "{Entity} not found" });
+        return Ok(new {Entity}DetailDto(
+            entity.Id,
+            entity.Name,
+            entity.Description,
+            entity.IsActive,
+            entity.CreatedAt,
+            entity.UpdatedAt
+        ));
+    }
+    #endregion
+    #region POST - Create
+    [HttpPost]
+    [RequirePermission(Permissions.{PermissionClass}.Create)]
+    [ProducesResponseType(typeof({Entity}DetailDto), StatusCodes.Status201Created)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status409Conflict)]
+    public async Task<ActionResult<{Entity}DetailDto>> Create{Entity}(
+        [FromBody] Create{Entity}Request request,
+        CancellationToken cancellationToken)
+    {
+        // Check for duplicates
+        var exists = await _context.{DbSet}
+            .AnyAsync(x => x.Name == request.Name, cancellationToken);
+        if (exists)
+            return Conflict(new { message = "{Entity} with this name already exists" });
+        var entity = {Entity}.Create(
+            request.Name,
+            request.Description
+        );
+        _context.{DbSet}.Add(entity);
+        await _context.SaveChangesAsync(cancellationToken);
+        _logger.LogInformation("User {User} created {Entity} {EntityId} ({Name})",
+            _currentUser.Email, entity.Id, entity.Name);
+        return CreatedAtAction(
+            nameof(Get{Entity}),
+            new { id = entity.Id },
+            new {Entity}DetailDto(
+                entity.Id,
+                entity.Name,
+                entity.Description,
+                entity.IsActive,
+                entity.CreatedAt,
+                entity.UpdatedAt
+            ));
+    }
+    #endregion
+    #region PUT - Update
+    [HttpPut("{id:guid}")]
+    [RequirePermission(Permissions.{PermissionClass}.Update)]
+    [ProducesResponseType(typeof({Entity}DetailDto), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    [ProducesResponseType(StatusCodes.Status409Conflict)]
+    public async Task<ActionResult<{Entity}DetailDto>> Update{Entity}(
+        Guid id,
+        [FromBody] Update{Entity}Request request,
+        CancellationToken cancellationToken)
+    {
+        var entity = await _context.{DbSet}
+            .FirstOrDefaultAsync(x => x.Id == id, cancellationToken);
+        if (entity == null)
+            return NotFound(new { message = "{Entity} not found" });
+        // Check for duplicate name (excluding current)
+        if (!string.IsNullOrEmpty(request.Name))
+        {
+            var duplicate = await _context.{DbSet}
+                .AnyAsync(x => x.Name == request.Name && x.Id != id, cancellationToken);
+            if (duplicate)
+                return Conflict(new { message = "{Entity} with this name already exists" });
+        }
+        entity.Update(
+            request.Name ?? entity.Name,
+            request.Description ?? entity.Description
+        );
+        await _context.SaveChangesAsync(cancellationToken);
+        _logger.LogInformation("User {User} updated {Entity} {EntityId}",
+            _currentUser.Email, entity.Id);
+        return Ok(new {Entity}DetailDto(
+            entity.Id,
+            entity.Name,
+            entity.Description,
+            entity.IsActive,
+            entity.CreatedAt,
+            entity.UpdatedAt
+        ));
+    }
+    #endregion
+    #region PATCH - Activate/Deactivate
+    [HttpPatch("{id:guid}/activate")]
+    [RequirePermission(Permissions.{PermissionClass}.Update)]
+    [ProducesResponseType(StatusCodes.Status204NoContent)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> Activate{Entity}(
+        Guid id,
+        CancellationToken cancellationToken)
+    {
+        var entity = await _context.{DbSet}
+            .FirstOrDefaultAsync(x => x.Id == id, cancellationToken);
+        if (entity == null)
+            return NotFound(new { message = "{Entity} not found" });
+        entity.Activate();
+        await _context.SaveChangesAsync(cancellationToken);
+        _logger.LogInformation("User {User} activated {Entity} {EntityId}",
+            _currentUser.Email, entity.Id);
+        return NoContent();
+    }
+    [HttpPatch("{id:guid}/deactivate")]
+    [RequirePermission(Permissions.{PermissionClass}.Update)]
+    [ProducesResponseType(StatusCodes.Status204NoContent)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> Deactivate{Entity}(
+        Guid id,
+        CancellationToken cancellationToken)
+    {
+        var entity = await _context.{DbSet}
+            .FirstOrDefaultAsync(x => x.Id == id, cancellationToken);
+        if (entity == null)
+            return NotFound(new { message = "{Entity} not found" });
+        entity.Deactivate();
+        await _context.SaveChangesAsync(cancellationToken);
+        _logger.LogWarning("User {User} deactivated {Entity} {EntityId}",
+            _currentUser.Email, entity.Id);
+        return NoContent();
+    }
+    #endregion
+    #region DELETE
+    [HttpDelete("{id:guid}")]
+    [RequirePermission(Permissions.{PermissionClass}.Delete)]
+    [ProducesResponseType(StatusCodes.Status204NoContent)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    public async Task<IActionResult> Delete{Entity}(
+        Guid id,
+        CancellationToken cancellationToken)
+    {
+        var entity = await _context.{DbSet}
+            .FirstOrDefaultAsync(x => x.Id == id, cancellationToken);
+        if (entity == null)
+            return NotFound(new { message = "{Entity} not found" });
+        // Check for dependencies before deletion
+        // var hasReferences = await _context.ChildEntities.AnyAsync(x => x.{Entity}Id == id, ct);
+        // if (hasReferences)
+        //     return BadRequest(new { message = "Cannot delete: has dependent records" });
+        _context.{DbSet}.Remove(entity);
+        await _context.SaveChangesAsync(cancellationToken);
+        _logger.LogWarning("User {User} deleted {Entity} {EntityId} ({Name})",
+            _currentUser.Email, id, entity.Name);
+        return NoContent();
+    }
+    #endregion
+}
+#region DTOs
+public record {Entity}ListDto(
+    Guid Id,
+    string Name,
+    string? Description,
+    bool IsActive,
+    DateTime CreatedAt
+);
+public record {Entity}DetailDto(
+    Guid Id,
+    string Name,
+    string? Description,
+    bool IsActive,
+    DateTime CreatedAt,
+    DateTime? UpdatedAt
+);
+public record Create{Entity}Request(
+    string Name,
+    string? Description
+);
+public record Update{Entity}Request(
+    string? Name,
+    string? Description
+);
+public record PagedResult<T>(
+    List<T> Items,
+    int TotalCount,
+    int Page,
+    int PageSize
+)
+{
+    public int TotalPages => (int)Math.Ceiling((double)TotalCount / PageSize);
+    public bool HasPrevious => Page > 1;
+    public bool HasNext => Page < TotalPages;
+}
+#endregion
+```
+---
+## Template Auth Controller (Login/Logout)
+```csharp
+// src/SmartStack.Api/Controllers/AuthController.cs
+// NOTE: Ce controller existe déjà - utiliser comme référence pour patterns auth
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Options;
+using SmartStack.Application.Common.Interfaces;
+using SmartStack.Application.Common.Settings;
+using SmartStack.Domain.Platform.Administration.Users;
+namespace SmartStack.Api.Controllers;
+[ApiController]
+[Route("api/[controller]")]
+public class AuthController : ControllerBase
+{
+    private readonly IApplicationDbContext _context;
+    private readonly IPasswordService _passwordService;
+    private readonly IJwtService _jwtService;
+    private readonly IUserSessionService _sessionService;
+    private readonly ISessionValidationService _sessionValidationService;
+    private readonly SessionSettings _sessionSettings;
+    private readonly ILogger<AuthController> _logger;
+    // ... Constructor avec tous les services auth
+    #region Login - LOGS CRITIQUES OBLIGATOIRES
+    [HttpPost("login")]
+    [AllowAnonymous]
+    [ProducesResponseType(typeof(LoginResponse), StatusCodes.Status200OK)]
+    [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status401Unauthorized)]
+    public async Task<ActionResult<LoginResponse>> Login(
+        [FromBody] LoginRequest request,
+        CancellationToken cancellationToken)
+    {
+        var ipAddress = GetClientIpAddress();
+        var userAgent = Request.Headers.UserAgent.ToString();
+        var user = await _context.Users
+            .Include(u => u.UserRoles)
+                .ThenInclude(ur => ur.Role)
+                    .ThenInclude(r => r!.RolePermissions)
+                        .ThenInclude(rp => rp.Permission)
+            .FirstOrDefaultAsync(u => u.Email == request.Email, cancellationToken);
+        // ============================================
+        // LOGS CRITIQUES - NE JAMAIS OMETTRE
+        // ============================================
+        if (user == null)
+        {
+            // WARNING: User not found (potential enumeration)
+            _logger.LogWarning(
+                "Login failed: User not found - {Email} from {IpAddress}",
+                request.Email, ipAddress);
+            return Unauthorized(new ErrorResponse("Identifiants invalides", "INVALID_CREDENTIALS"));
+        }
+        if (!user.IsActive)
+        {
+            // WARNING: Disabled account
+            _logger.LogWarning(
+                "Login failed: Account disabled - {Email} from {IpAddress}",
+                request.Email, ipAddress);
+            return Unauthorized(new ErrorResponse("Compte désactivé", "ACCOUNT_DISABLED"));
+        }
+        if (user.IsLocked)
+        {
+            // CRITICAL: Locked account attempt
+            _logger.LogCritical(
+                "SECURITY: Login attempt on locked account - User: {Email} (ID: {UserId}) from {IpAddress}",
+                request.Email, user.Id, ipAddress);
+            return Unauthorized(new ErrorResponse("Compte verrouillé", "ACCOUNT_LOCKED_BY_ADMIN"));
+        }
+        // Check brute force protection
+        var recentFailedAttempts = await _context.UserSessions
+            .Where(s => s.UserId == user.Id && !s.IsSuccessful && s.LoginAt > DateTime.UtcNow.AddMinutes(-15))
+            .CountAsync(cancellationToken);
+        if (recentFailedAttempts >= 5)
+        {
+            // CRITICAL: Too many failed attempts
+            _logger.LogCritical(
+                "SECURITY: Account temporarily locked due to brute force - User: {Email} (ID: {UserId}) from {IpAddress}",
+                request.Email, user.Id, ipAddress);
+            return Unauthorized(new ErrorResponse("Compte temporairement verrouillé", "ACCOUNT_LOCKED"));
+        }
+        if (!_passwordService.VerifyPassword(request.Password, user.PasswordHash))
+        {
+            // WARNING: Invalid password with remaining attempts
+            var remainingAttempts = 5 - recentFailedAttempts - 1;
+            _logger.LogWarning(
+                "Login failed: Invalid password - {Email} from {IpAddress}, remaining attempts: {Remaining}",
+                request.Email, ipAddress, remainingAttempts);
+            // Log failed attempt to session
+            await _sessionService.LogFailedLoginAsync(user.Id, ipAddress, userAgent, cancellationToken);
+            return Unauthorized(new ErrorResponse("Mot de passe incorrect", "INVALID_PASSWORD"));
+        }
+        // ============================================
+        // SUCCESS - Generate tokens
+        // ============================================
+        var roles = user.UserRoles.Select(ur => ur.Role!.Name).ToList();
+        var permissions = user.UserRoles
+            .SelectMany(ur => ur.Role!.RolePermissions)
+            .Select(rp => rp.Permission!.Path)
+            .Distinct()
+            .ToList();
+        var accessToken = _jwtService.GenerateAccessToken(user, roles, permissions);
+        var refreshToken = _jwtService.GenerateRefreshToken();
+        await _sessionService.LogLoginAsync(user.Id, accessToken, ipAddress, userAgent, cancellationToken: cancellationToken);
+        // INFO: Successful login
+        _logger.LogInformation(
+            "User logged in successfully: {Email} from {IpAddress}",
+            user.Email, ipAddress);
+        return Ok(new LoginResponse(accessToken, refreshToken, /* UserInfo */));
+    }
+    #endregion
+    #region Logout
+    [HttpPost("logout")]
+    [Authorize]
+    [ProducesResponseType(StatusCodes.Status204NoContent)]
+    public async Task<IActionResult> Logout(CancellationToken cancellationToken)
+    {
+        var token = Request.Headers.Authorization.ToString().Replace("Bearer ", "");
+        await _sessionService.LogLogoutAsync(token, cancellationToken);
+        _logger.LogInformation("User logged out: {UserId}", User.FindFirst("sub")?.Value);
+        return NoContent();
+    }
+    #endregion
+    #region Change Password - LOG WARNING
+    [HttpPost("change-password")]
+    [Authorize]
+    [ProducesResponseType(typeof(ChangePasswordResponse), StatusCodes.Status200OK)]
+    [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status400BadRequest)]
+    public async Task<ActionResult<ChangePasswordResponse>> ChangePassword(
+        [FromBody] ChangePasswordRequest request,
+        CancellationToken cancellationToken)
+    {
+        // ... validation logic
+        user.UpdatePassword(newPasswordHash);
+        await _context.SaveChangesAsync(cancellationToken);
+        // Invalidate ALL sessions after password change
+        await _sessionService.InvalidateAllUserSessionsAsync(userId, "Password changed", cancellationToken);
+        // WARNING: Sensitive operation
+        _logger.LogWarning(
+            "Password changed for user {Email} - All sessions invalidated",
+            user.Email);
+        return Ok(new ChangePasswordResponse("Mot de passe modifié", true));
+    }
+    #endregion
+    private string GetClientIpAddress()
+    {
+        var forwardedFor = Request.Headers["X-Forwarded-For"].FirstOrDefault();
+        if (!string.IsNullOrEmpty(forwardedFor))
+            return forwardedFor.Split(',')[0].Trim();
+        return HttpContext.Connection.RemoteIpAddress?.ToString() ?? "Unknown";
+    }
+}
+```
+---
+## Template Permissions Constants
+```csharp
+// src/SmartStack.Application/Common/Authorization/Permissions.cs
+// AJOUTER dans la classe existante
+public static class Permissions
+{
+    // ... existing permissions ...
+    public static class {PermissionClass}
+    {
+        public const string Access = "{permission.path}";
+        public const string View = "{permission.path}.read";
+        public const string Create = "{permission.path}.create";
+        public const string Update = "{permission.path}.update";
+        public const string Delete = "{permission.path}.delete";
+        // Optionnel selon module
+        public const string Assign = "{permission.path}.assign";
+        public const string Execute = "{permission.path}.execute";
+        public const string Export = "{permission.path}.export";
+    }
+}
+```
+---
+## Template PermissionConfiguration Seed
+> **CRITIQUE:** Ce template est OBLIGATOIRE. Sans ces entrées, tous les appels API retourneront 403 Forbidden.
+```csharp
+// src/SmartStack.Infrastructure/Persistence/Configurations/Navigation/PermissionConfiguration.cs
+// AJOUTER dans la méthode Configure(), section HasData
+// ============================================
+// ÉTAPE 1: Déclarer le ModuleId
+// ============================================
+// Vérifier dans ModuleConfiguration.cs si le module existe déjà
+// Sinon, créer le module d'abord via /application skill
+var {module}ModuleId = Guid.Parse("{GUID-DU-MODULE}");  // Récupérer depuis ModuleConfiguration.cs
+// ============================================
+// ÉTAPE 2: Ajouter les permissions (HasData)
+// ============================================
+// Pattern: {context}.{application}.{module}.{action}
+// Exemple: platform.administration.users.read
+var seedDate = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc);
+builder.HasData(
+    // Wildcard permission (accès complet au module)
+    new
+    {
+        Id = Guid.Parse("{NOUVEAU-GUID-1}"),
+        Path = "{context}.{application}.{module}.*",
+        Level = PermissionLevel.Module,
+        Action = (PermissionAction?)null,
+        IsWildcard = true,
+        ModuleId = {module}ModuleId,
+        Description = "Full {module} management",
+        CreatedAt = seedDate
+    },
+    // Read permission
+    new
+    {
+        Id = Guid.Parse("{NOUVEAU-GUID-2}"),
+        Path = "{context}.{application}.{module}.read",
+        Level = PermissionLevel.Module,
+        Action = PermissionAction.Read,
+        IsWildcard = false,
+        ModuleId = {module}ModuleId,
+        Description = "View {module}",
+        CreatedAt = seedDate
+    },
+    // Create permission
+    new
+    {
+        Id = Guid.Parse("{NOUVEAU-GUID-3}"),
+        Path = "{context}.{application}.{module}.create",
+        Level = PermissionLevel.Module,
+        Action = PermissionAction.Create,
+        IsWildcard = false,
+        ModuleId = {module}ModuleId,
+        Description = "Create {module}",
+        CreatedAt = seedDate
+    },
+    // Update permission
+    new
+    {
+        Id = Guid.Parse("{NOUVEAU-GUID-4}"),
+        Path = "{context}.{application}.{module}.update",
+        Level = PermissionLevel.Module,
+        Action = PermissionAction.Update,
+        IsWildcard = false,
+        ModuleId = {module}ModuleId,
+        Description = "Update {module}",
+        CreatedAt = seedDate
+    },
+    // Delete permission
+    new
+    {
+        Id = Guid.Parse("{NOUVEAU-GUID-5}"),
+        Path = "{context}.{application}.{module}.delete",
+        Level = PermissionLevel.Module,
+        Action = PermissionAction.Delete,
+        IsWildcard = false,
+        ModuleId = {module}ModuleId,
+        Description = "Delete {module}",
+        CreatedAt = seedDate
+    }
+    // Actions optionnelles selon le module:
+    // - PermissionAction.Assign  → Pour assigner des ressources/rôles
+    // - PermissionAction.Execute → Pour exécuter des actions (export, etc.)
+);
+```
+### Génération de GUIDs
+```bash
+# PowerShell (Windows)
+[guid]::NewGuid().ToString()
+# Bash (Linux/Mac)
+uuidgen | tr '[:upper:]' '[:lower:]'
+```
+### Validation Cohérence Permissions.cs ↔ PermissionConfiguration.cs
+> **RÈGLE:** Chaque constante dans `Permissions.cs` DOIT avoir une entrée correspondante dans `PermissionConfiguration.cs`
+```
+┌─────────────────────────────────────────────────────────────────────────────┐
+│                         VALIDATION DE COHÉRENCE                             │
+├─────────────────────────────────────────────────────────────────────────────┤
+│                                                                             │
+│  Permissions.cs                    PermissionConfiguration.cs               │
+│  ──────────────────────────────    ──────────────────────────────────────   │
+│  Permissions.Support.Tickets.View  →  Path = "platform.support.tickets.read"│
+│  Permissions.Support.Tickets.Create→  Path = "platform.support.tickets.create"│
+│  Permissions.Support.Tickets.Update→  Path = "platform.support.tickets.update"│
+│  Permissions.Support.Tickets.Delete→  Path = "platform.support.tickets.delete"│
+│                                                                             │
+│  ⚠️  ERREUR FRÉQUENTE:                                                      │
+│  - Permissions.cs: "platform.support.tickets.read"                          │
+│  - PermissionConfiguration.cs: MANQUANT                                     │
+│  → Résultat: 403 Forbidden pour TOUS les utilisateurs                       │
+│                                                                             │
+└─────────────────────────────────────────────────────────────────────────────┘
+```
+### Commande post-génération
+Après avoir ajouté les entrées dans les deux fichiers:
+```bash
+# 1. Créer la migration
+/efcore:migration Add{Module}Permissions
+# 2. Appliquer la migration
+/efcore:db-deploy
+# 3. Vérifier (optionnel)
+/efcore:db-status
+```
+---
+## Template Controller avec Relations
+```csharp
+// Pour les controllers avec entités liées (ex: Tickets avec Comments)
+#region GET with Includes
+[HttpGet("{id:guid}")]
+[RequirePermission(Permissions.{PermissionClass}.View)]
+[ProducesResponseType(typeof({Entity}DetailDto), StatusCodes.Status200OK)]
+[ProducesResponseType(StatusCodes.Status404NotFound)]
+public async Task<ActionResult<{Entity}DetailDto>> Get{Entity}(
+    Guid id,
+    CancellationToken cancellationToken)
+{
+    var entity = await _context.{DbSet}
+        .Include(x => x.CreatedByUser)
+        .Include(x => x.AssignedToUser)
+        .Include(x => x.Comments)
+            .ThenInclude(c => c.Author)
+        .Include(x => x.Attachments)
+        .FirstOrDefaultAsync(x => x.Id == id, cancellationToken);
+    if (entity == null)
+        return NotFound(new { message = "{Entity} not found" });
+    return Ok(MapToDetailDto(entity));
+}
+#endregion
+#region Nested Resources
+[HttpGet("{parentId:guid}/children")]
+[RequirePermission(Permissions.{PermissionClass}.View)]
+[ProducesResponseType(typeof(List<ChildDto>), StatusCodes.Status200OK)]
+public async Task<ActionResult<List<ChildDto>>> GetChildren(
+    Guid parentId,
+    CancellationToken cancellationToken)
+{
+    var children = await _context.Children
+        .Where(x => x.ParentId == parentId)
+        .OrderByDescending(x => x.CreatedAt)
+        .Select(x => new ChildDto(x.Id, x.Name, x.CreatedAt))
+        .ToListAsync(cancellationToken);
+    return Ok(children);
+}
+[HttpPost("{parentId:guid}/children")]
+[RequirePermission(Permissions.{PermissionClass}.Create)]
+[ProducesResponseType(typeof(ChildDto), StatusCodes.Status201Created)]
+public async Task<ActionResult<ChildDto>> AddChild(
+    Guid parentId,
+    [FromBody] CreateChildRequest request,
+    CancellationToken cancellationToken)
+{
+    var parent = await _context.{DbSet}
+        .FirstOrDefaultAsync(x => x.Id == parentId, cancellationToken);
+    if (parent == null)
+        return NotFound(new { message = "Parent not found" });
+    var child = Child.Create(parentId, request.Name, _currentUser.UserId!.Value);
+    _context.Children.Add(child);
+    await _context.SaveChangesAsync(cancellationToken);
+    _logger.LogInformation("User {User} added child to {Entity} {ParentId}",
+        _currentUser.Email, parentId);
+    return CreatedAtAction(
+        nameof(GetChildren),
+        new { parentId },
+        new ChildDto(child.Id, child.Name, child.CreatedAt));
+}
+#endregion
+```
+---
+## Patterns Réutilisables
+### Error Response Standard
+```csharp
+public record ErrorResponse(string Message, string? Code = null);
+// Usage:
+return BadRequest(new ErrorResponse("Validation failed", "VALIDATION_ERROR"));
+return Conflict(new ErrorResponse("Already exists", "DUPLICATE"));
+return NotFound(new { message = "Resource not found" });
+```
+### Pagination Query Extension
+```csharp
+public static class QueryableExtensions
+{
+    public static async Task<PagedResult<T>> ToPagedResultAsync<T>(
+        this IQueryable<T> query,
+        int page,
+        int pageSize,
+        CancellationToken ct = default)
+    {
+        var totalCount = await query.CountAsync(ct);
+        var items = await query
+            .Skip((page - 1) * pageSize)
+            .Take(pageSize)
+            .ToListAsync(ct);
+        return new PagedResult<T>(items, totalCount, page, pageSize);
+    }
+}
+```
+### Log Context Pattern
+```csharp
+// Toujours inclure le contexte utilisateur dans les logs
+_logger.LogInformation(
+    "User {User} ({UserId}) performed {Action} on {Entity} {EntityId}",
+    _currentUser.Email,
+    _currentUser.UserId,
+    "Create",
+    "{Entity}",
+    entity.Id);
+```
+---
+## Template Section-Level Permissions (Level 4)
+> **Usage:** Quand un Module a plusieurs sous-pages/onglets avec permissions différentes (ex: AI → Dashboard, Settings, Prompts)
+### Permissions.cs - Section
+```csharp
+// src/SmartStack.Application/Common/Authorization/Permissions.cs
+public static class Admin
+{
+    public static class {Module}
+    {
+        // Section permissions (Level 4)
+        public static class {Section}
+        {
+            public const string View = "{context}.{application}.{module}.{section}.read";
+            public const string Create = "{context}.{application}.{module}.{section}.create";
+            public const string Update = "{context}.{application}.{module}.{section}.update";
+            public const string Delete = "{context}.{application}.{module}.{section}.delete";
+            public const string Execute = "{context}.{application}.{module}.{section}.execute";
+        }
+    }
+}
+```
+### PermissionConfiguration.cs - Section Seed
+```csharp
+// src/SmartStack.Infrastructure/Persistence/Configurations/Navigation/PermissionConfiguration.cs
+// AJOUTER dans la méthode Configure(), section HasData
+// ============================================
+// ÉTAPE 1: Déclarer le SectionId
+// ============================================
+// Récupérer depuis NavigationSectionConfiguration.cs
+var {section}SectionId = Guid.Parse("{GUID-DE-LA-SECTION}");
+// ============================================
+// ÉTAPE 2: Ajouter les permissions Section (Level 4)
+// ============================================
+// Pattern: {context}.{application}.{module}.{section}.{action}
+// Exemple: platform.administration.ai.settings.read
+builder.HasData(
+    // Wildcard permission (accès complet à la section)
+    new
+    {
+        Id = Guid.Parse("{NOUVEAU-GUID-1}"),
+        Path = "{context}.{application}.{module}.{section}.*",
+        Level = PermissionLevel.Section,
+        Action = (PermissionAction?)null,
+        IsWildcard = true,
+        SectionId = {section}SectionId,
+        Description = "Full {section} access",
+        CreatedAt = seedDate
+    },
+    // Read permission
+    new
+    {
+        Id = Guid.Parse("{NOUVEAU-GUID-2}"),
+        Path = "{context}.{application}.{module}.{section}.read",
+        Level = PermissionLevel.Section,
+        Action = PermissionAction.Read,
+        IsWildcard = false,
+        SectionId = {section}SectionId,
+        Description = "View {section}",
+        CreatedAt = seedDate
+    },
+    // Create permission
+    new
+    {
+        Id = Guid.Parse("{NOUVEAU-GUID-3}"),
+        Path = "{context}.{application}.{module}.{section}.create",
+        Level = PermissionLevel.Section,
+        Action = PermissionAction.Create,
+        IsWildcard = false,
+        SectionId = {section}SectionId,
+        Description = "Create in {section}",
+        CreatedAt = seedDate
+    },
+    // Update permission
+    new
+    {
+        Id = Guid.Parse("{NOUVEAU-GUID-4}"),
+        Path = "{context}.{application}.{module}.{section}.update",
+        Level = PermissionLevel.Section,
+        Action = PermissionAction.Update,
+        IsWildcard = false,
+        SectionId = {section}SectionId,
+        Description = "Update in {section}",
+        CreatedAt = seedDate
+    },
+    // Delete permission
+    new
+    {
+        Id = Guid.Parse("{NOUVEAU-GUID-5}"),
+        Path = "{context}.{application}.{module}.{section}.delete",
+        Level = PermissionLevel.Section,
+        Action = PermissionAction.Delete,
+        IsWildcard = false,
+        SectionId = {section}SectionId,
+        Description = "Delete in {section}",
+        CreatedAt = seedDate
+    },
+    // Execute permission (optionnel)
+    new
+    {
+        Id = Guid.Parse("{NOUVEAU-GUID-6}"),
+        Path = "{context}.{application}.{module}.{section}.execute",
+        Level = PermissionLevel.Section,
+        Action = PermissionAction.Execute,
+        IsWildcard = false,
+        SectionId = {section}SectionId,
+        Description = "Execute actions in {section}",
+        CreatedAt = seedDate
+    }
+);
+```
+---
+## Template Resource-Level Permissions (Level 5)
+> **Usage:** Pour le niveau de granularité le plus fin (ex: Prompts → Blocks, Users → Profiles)
+> **CRITIQUE:** Utilisé quand une Section contient des sous-ressources avec permissions distinctes
+### Permissions.cs - Resource
+```csharp
+// src/SmartStack.Application/Common/Authorization/Permissions.cs
+public static class Admin
+{
+    public static class {Module}
+    {
+        public static class {Section}
+        {
+            // Section-level permissions...
+            // Resource permissions (Level 5 - finest granularity)
+            public static class {Resource}
+            {
+                public const string View = "{context}.{application}.{module}.{section}.{resource}.read";
+                public const string Create = "{context}.{application}.{module}.{section}.{resource}.create";
+                public const string Update = "{context}.{application}.{module}.{section}.{resource}.update";
+                public const string Delete = "{context}.{application}.{module}.{section}.{resource}.delete";
+            }
+        }
+    }
+}
+```
+### PermissionConfiguration.cs - Resource Seed
+```csharp
+// src/SmartStack.Infrastructure/Persistence/Configurations/Navigation/PermissionConfiguration.cs
+// AJOUTER dans la méthode Configure(), section HasData
+// ============================================
+// ÉTAPE 1: Déclarer le ResourceId
+// ============================================
+// Récupérer depuis NavigationResourceConfiguration.cs
+var {resource}ResourceId = Guid.Parse("{GUID-DE-LA-RESOURCE}");
+// ============================================
+// ÉTAPE 2: Ajouter les permissions Resource (Level 5)
+// ============================================
+// Pattern: {context}.{application}.{module}.{section}.{resource}.{action}
+// Exemple: platform.administration.ai.prompts.blocks.read
+builder.HasData(
+    // Wildcard permission (accès complet à la resource)
+    new
+    {
+        Id = Guid.Parse("{NOUVEAU-GUID-1}"),
+        Path = "{context}.{application}.{module}.{section}.{resource}.*",
+        Level = PermissionLevel.Resource,
+        Action = (PermissionAction?)null,
+        IsWildcard = true,
+        ResourceId = {resource}ResourceId,
+        Description = "Full {resource} access",
+        CreatedAt = seedDate
+    },
+    // Read permission
+    new
+    {
+        Id = Guid.Parse("{NOUVEAU-GUID-2}"),
+        Path = "{context}.{application}.{module}.{section}.{resource}.read",
+        Level = PermissionLevel.Resource,
+        Action = PermissionAction.Read,
+        IsWildcard = false,
+        ResourceId = {resource}ResourceId,
+        Description = "View {resource}",
+        CreatedAt = seedDate
+    },
+    // Create permission
+    new
+    {
+        Id = Guid.Parse("{NOUVEAU-GUID-3}"),
+        Path = "{context}.{application}.{module}.{section}.{resource}.create",
+        Level = PermissionLevel.Resource,
+        Action = PermissionAction.Create,
+        IsWildcard = false,
+        ResourceId = {resource}ResourceId,
+        Description = "Create {resource}",
+        CreatedAt = seedDate
+    },
+    // Update permission
+    new
+    {
+        Id = Guid.Parse("{NOUVEAU-GUID-4}"),
+        Path = "{context}.{application}.{module}.{section}.{resource}.update",
+        Level = PermissionLevel.Resource,
+        Action = PermissionAction.Update,
+        IsWildcard = false,
+        ResourceId = {resource}ResourceId,
+        Description = "Update {resource}",
+        CreatedAt = seedDate
+    },
+    // Delete permission
+    new
+    {
+        Id = Guid.Parse("{NOUVEAU-GUID-5}"),
+        Path = "{context}.{application}.{module}.{section}.{resource}.delete",
+        Level = PermissionLevel.Resource,
+        Action = PermissionAction.Delete,
+        IsWildcard = false,
+        ResourceId = {resource}ResourceId,
+        Description = "Delete {resource}",
+        CreatedAt = seedDate
+    }
+);
+```
+---
+## Template Bulk Operations (Insertion en Masse)
+> **OBLIGATOIRE:** Toujours prévoir les endpoints bulk lors de la création d'un controller CRUD
+### Permissions.cs - Bulk Operations
+```csharp
+// src/SmartStack.Application/Common/Authorization/Permissions.cs
+public static class {Module}
+{
+    // CRUD standard
+    public const string View = "{path}.read";
+    public const string Create = "{path}.create";
+    public const string Update = "{path}.update";
+    public const string Delete = "{path}.delete";
+    // Bulk operations (OBLIGATOIRE pour tout module CRUD)
+    public const string BulkCreate = "{path}.bulk-create";
+    public const string BulkUpdate = "{path}.bulk-update";
+    public const string BulkDelete = "{path}.bulk-delete";
+    public const string Export = "{path}.export";
+    public const string Import = "{path}.import";
+}
+```
+### PermissionConfiguration.cs - Bulk Permissions Seed
+```csharp
+// Ajouter après les permissions CRUD standard
+// Bulk Create permission
+new
+{
+    Id = Guid.Parse("{NOUVEAU-GUID-BULK-1}"),
+    Path = "{context}.{application}.{module}.bulk-create",
+    Level = PermissionLevel.Module,
+    Action = PermissionAction.Create,
+    IsWildcard = false,
+    ModuleId = {module}ModuleId,
+    Description = "Bulk create {module}",
+    CreatedAt = seedDate
+},
+// Bulk Update permission
+new
+{
+    Id = Guid.Parse("{NOUVEAU-GUID-BULK-2}"),
+    Path = "{context}.{application}.{module}.bulk-update",
+    Level = PermissionLevel.Module,
+    Action = PermissionAction.Update,
+    IsWildcard = false,
+    ModuleId = {module}ModuleId,
+    Description = "Bulk update {module}",
+    CreatedAt = seedDate
+},
+// Bulk Delete permission
+new
+{
+    Id = Guid.Parse("{NOUVEAU-GUID-BULK-3}"),
+    Path = "{context}.{application}.{module}.bulk-delete",
+    Level = PermissionLevel.Module,
+    Action = PermissionAction.Delete,
+    IsWildcard = false,
+    ModuleId = {module}ModuleId,
+    Description = "Bulk delete {module}",
+    CreatedAt = seedDate
+},
+// Export permission
+new
+{
+    Id = Guid.Parse("{NOUVEAU-GUID-EXPORT}"),
+    Path = "{context}.{application}.{module}.export",
+    Level = PermissionLevel.Module,
+    Action = PermissionAction.Execute,
+    IsWildcard = false,
+    ModuleId = {module}ModuleId,
+    Description = "Export {module} data",
+    CreatedAt = seedDate
+},
+// Import permission
+new
+{
+    Id = Guid.Parse("{NOUVEAU-GUID-IMPORT}"),
+    Path = "{context}.{application}.{module}.import",
+    Level = PermissionLevel.Module,
+    Action = PermissionAction.Create,
+    IsWildcard = false,
+    ModuleId = {module}ModuleId,
+    Description = "Import {module} data",
+    CreatedAt = seedDate
+}
+```
+### Controller Endpoints - Bulk Operations
+```csharp
+// src/SmartStack.Api/Controllers/{Area}/{Module}Controller.cs
+// AJOUTER après les endpoints CRUD standard
+#region BULK OPERATIONS
+/// <summary>
+/// Bulk create multiple entities
+/// </summary>
+[HttpPost("bulk")]
+[RequirePermission(Permissions.{PermissionClass}.BulkCreate)]
+[ProducesResponseType(typeof(BulkOperationResult<{Entity}Dto>), StatusCodes.Status201Created)]
+[ProducesResponseType(StatusCodes.Status400BadRequest)]
+public async Task<ActionResult<BulkOperationResult<{Entity}Dto>>> BulkCreate{Entity}(
+    [FromBody] List<Create{Entity}Request> requests,
+    CancellationToken cancellationToken)
+{
+    if (requests == null || requests.Count == 0)
+        return BadRequest(new { message = "No items provided" });
+    if (requests.Count > 100)
+        return BadRequest(new { message = "Maximum 100 items per bulk operation" });
+    var results = new List<{Entity}Dto>();
+    var errors = new List<BulkOperationError>();
+    for (int i = 0; i < requests.Count; i++)
+    {
+        try
+        {
+            var entity = {Entity}.Create(
+                requests[i].Name,
+                requests[i].Description
+            );
+            _context.{DbSet}.Add(entity);
+            results.Add(new {Entity}Dto(entity.Id, entity.Name));
+        }
+        catch (Exception ex)
+        {
+            errors.Add(new BulkOperationError(i, requests[i].Name, ex.Message));
+        }
+    }
+    await _context.SaveChangesAsync(cancellationToken);
+    _logger.LogInformation("User {User} bulk created {Count} {Entity}(s), {Errors} error(s)",
+        _currentUser.Email, results.Count, errors.Count);
+    return CreatedAtAction(
+        nameof(Get{Module}),
+        new BulkOperationResult<{Entity}Dto>(results, errors, results.Count, errors.Count));
+}
+/// <summary>
+/// Bulk update multiple entities
+/// </summary>
+[HttpPut("bulk")]
+[RequirePermission(Permissions.{PermissionClass}.BulkUpdate)]
+[ProducesResponseType(typeof(BulkOperationResult), StatusCodes.Status200OK)]
+[ProducesResponseType(StatusCodes.Status400BadRequest)]
+public async Task<ActionResult<BulkOperationResult>> BulkUpdate{Entity}(
+    [FromBody] List<BulkUpdate{Entity}Request> requests,
+    CancellationToken cancellationToken)
+{
+    if (requests == null || requests.Count == 0)
+        return BadRequest(new { message = "No items provided" });
+    if (requests.Count > 100)
+        return BadRequest(new { message = "Maximum 100 items per bulk operation" });
+    var ids = requests.Select(r => r.Id).ToList();
+    var entities = await _context.{DbSet}
+        .Where(x => ids.Contains(x.Id))
+        .ToDictionaryAsync(x => x.Id, cancellationToken);
+    var updated = 0;
+    var errors = new List<BulkOperationError>();
+    for (int i = 0; i < requests.Count; i++)
+    {
+        if (!entities.TryGetValue(requests[i].Id, out var entity))
+        {
+            errors.Add(new BulkOperationError(i, requests[i].Id.ToString(), "Entity not found"));
+            continue;
+        }
+        try
+        {
+            entity.Update(
+                requests[i].Name ?? entity.Name,
+                requests[i].Description ?? entity.Description
+            );
+            updated++;
+        }
+        catch (Exception ex)
+        {
+            errors.Add(new BulkOperationError(i, requests[i].Id.ToString(), ex.Message));
+        }
+    }
+    await _context.SaveChangesAsync(cancellationToken);
+    _logger.LogInformation("User {User} bulk updated {Count} {Entity}(s), {Errors} error(s)",
+        _currentUser.Email, updated, errors.Count);
+    return Ok(new BulkOperationResult(updated, errors.Count, errors));
+}
+/// <summary>
+/// Bulk delete multiple entities by IDs
+/// </summary>
+[HttpDelete("bulk")]
+[RequirePermission(Permissions.{PermissionClass}.BulkDelete)]
+[ProducesResponseType(typeof(BulkOperationResult), StatusCodes.Status200OK)]
+[ProducesResponseType(StatusCodes.Status400BadRequest)]
+public async Task<ActionResult<BulkOperationResult>> BulkDelete{Entity}(
+    [FromBody] List<Guid> ids,
+    CancellationToken cancellationToken)
+{
+    if (ids == null || ids.Count == 0)
+        return BadRequest(new { message = "No IDs provided" });
+    if (ids.Count > 100)
+        return BadRequest(new { message = "Maximum 100 items per bulk operation" });
+    var entities = await _context.{DbSet}
+        .Where(x => ids.Contains(x.Id))
+        .ToListAsync(cancellationToken);
+    var deleted = entities.Count;
+    var notFound = ids.Count - deleted;
+    _context.{DbSet}.RemoveRange(entities);
+    await _context.SaveChangesAsync(cancellationToken);
+    _logger.LogWarning("User {User} bulk deleted {Count} {Entity}(s), {NotFound} not found",
+        _currentUser.Email, deleted, notFound);
+    var errors = notFound > 0
+        ? new List<BulkOperationError> { new(-1, "N/A", $"{notFound} entities not found") }
+        : new List<BulkOperationError>();
+    return Ok(new BulkOperationResult(deleted, errors.Count, errors));
+}
+/// <summary>
+/// Export entities to CSV/Excel
+/// </summary>
+[HttpGet("export")]
+[RequirePermission(Permissions.{PermissionClass}.Export)]
+[ProducesResponseType(typeof(FileContentResult), StatusCodes.Status200OK)]
+public async Task<IActionResult> Export{Module}(
+    [FromQuery] string format = "csv",
+    [FromQuery] string? search = null,
+    CancellationToken cancellationToken = default)
+{
+    var query = _context.{DbSet}.AsQueryable();
+    if (!string.IsNullOrWhiteSpace(search))
+    {
+        var searchLower = search.ToLower();
+        query = query.Where(x => x.Name.ToLower().Contains(searchLower));
+    }
+    var entities = await query.ToListAsync(cancellationToken);
+    _logger.LogInformation("User {User} exported {Count} {Entity}(s) to {Format}",
+        _currentUser.Email, entities.Count, format);
+    // Implement CSV/Excel export logic here
+    // Using libraries like CsvHelper or ClosedXML
+    var content = format.ToLower() switch
+    {
+        "xlsx" => GenerateExcel(entities),
+        _ => GenerateCsv(entities)
+    };
+    var contentType = format.ToLower() == "xlsx"
+        ? "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
+        : "text/csv";
+    var fileName = $"{module}-export-{DateTime.UtcNow:yyyyMMdd-HHmmss}.{format}";
+    return File(content, contentType, fileName);
+}
+#endregion
+#region Bulk DTOs
+public record BulkOperationResult(
+    int SuccessCount,
+    int ErrorCount,
+    List<BulkOperationError> Errors);
+public record BulkOperationResult<T>(
+    List<T> Created,
+    List<BulkOperationError> Errors,
+    int SuccessCount,
+    int ErrorCount);
+public record BulkOperationError(
+    int Index,
+    string Identifier,
+    string Message);
+public record BulkUpdate{Entity}Request(
+    Guid Id,
+    string? Name,
+    string? Description);
+#endregion
+```
+---
+## Hiérarchie Complète des Permissions
+```
+┌─────────────────────────────────────────────────────────────────────────────────┐
+│                    HIÉRARCHIE COMPLÈTE DES PERMISSIONS                          │
+├─────────────────────────────────────────────────────────────────────────────────┤
+│                                                                                 │
+│  Level 1: CONTEXT                                                               │
+│  └─ Path: {context}.*                                                           │
+│     └─ Ex: platform.* → Accès complet au context platform                       │
+│                                                                                 │
+│  Level 2: APPLICATION                                                           │
+│  └─ Path: {context}.{application}.*                                             │
+│     └─ Ex: platform.administration.* → Accès complet à l'administration         │
+│                                                                                 │
+│  Level 3: MODULE                                                                │
+│  └─ Path: {context}.{application}.{module}.{action}                             │
+│     └─ Ex: platform.administration.users.read → Lecture des users               │
+│     └─ BULK: platform.administration.users.bulk-create → Création en masse      │
+│                                                                                 │
+│  Level 4: SECTION                                                               │
+│  └─ Path: {context}.{application}.{module}.{section}.{action}                   │
+│     └─ Ex: platform.administration.ai.settings.update → MAJ paramètres IA       │
+│                                                                                 │
+│  Level 5: RESOURCE (finest granularity)                                         │
+│  └─ Path: {context}.{application}.{module}.{section}.{resource}.{action}        │
+│     └─ Ex: platform.administration.ai.prompts.blocks.delete → Suppr. blocs      │
+│                                                                                 │
+└─────────────────────────────────────────────────────────────────────────────────┘
+```
+---
+## Checklist Controller avec Permissions Complètes
+```
+□ CRUD Standard
+  □ GET /api/.../           → {path}.read
+  □ GET /api/.../{id}       → {path}.read
+  □ POST /api/.../          → {path}.create
+  □ PUT /api/.../{id}       → {path}.update
+  □ DELETE /api/.../{id}    → {path}.delete
+□ Bulk Operations
+  □ POST /api/.../bulk      → {path}.bulk-create
+  □ PUT /api/.../bulk       → {path}.bulk-update
+  □ DELETE /api/.../bulk    → {path}.bulk-delete
+□ Export/Import
+  □ GET /api/.../export     → {path}.export
+  □ POST /api/.../import    → {path}.import
+□ Permissions Configurées
+  □ Permissions.cs - Constantes définies
+  □ PermissionConfiguration.cs - Seed HasData
+  □ Migration EF Core créée
+  □ Migration appliquée
+□ Niveau Permission Correct
+  □ Module (Level 3) - Pour CRUD principal
+  □ Section (Level 4) - Si sous-pages avec perms différentes
+  □ Resource (Level 5) - Si sous-ressources avec perms distinctes
+```