@mostajs/school 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,7 @@
+# Changelog — @mostajs/school
+## [0.1.0] — 2026-06-18
+### Added
+- Inscription avec **prise de photo** + enrôlement visage (carte adhérent = qrCode auto).
+- **Accès au cours par carte QR ou reconnaissance faciale** (`access.byCard`/`byFace`) → présence ; terminal PWA (examples/access-terminal, doc 12-DOC-PWA-IDENTIFICATION) comme SecuAccessPro.
+- Cœur mince établissement : admit (élève+parent via users), enroll/attendance/grade/certificate/coaching (composition), parentPortal agrégé, dashboard.
+- Assemble P2 ATC (6 modules). 3 tests d'assemblage + exemple §12 (parcours complet Anglais A1).

package/README.md

@@ -0,0 +1,14 @@
+# @mostajs/school
+**Auteur** : Dr Hamid MADANI <drmdh@msn.com> · **Licence** : AGPL-3.0-or-later · **Statut** : 0.1.0 (3 tests verts)
+> **Cœur métier mince** P2 ATC : élève/parent (dérive @mostajs/users) + scolarité. **Compose** training/attendance/gradebook/certificates/coaching.
+```js
+import { createSchool, createMemoryRepositories } from '@mostajs/school';
+const school = createSchool({ repositories: createMemoryRepositories(), users, training, attendance, gradebook, certificates, coaching });
+const { student } = await school.students.admit({ person:{firstName:'Inès'}, parent:{firstName:'Mme',email:'p@x.dz'}, grade:'A1' });
+await school.enroll(student.id, sessionId);
+await school.markAttendance(student.id, sessionId, { status:'present' });
+await school.recordGrade(student.id, { sessionId, courseId, levelId, score:17, max:20 });
+await school.issueCertificate(student.id, { title:'Anglais A1' });
+const portal = await school.parentPortal(student.id);  // présences + notes + attestations
+```
+Lancer : `node test-scripts/unit/school.test.mjs && node examples/scolarite/run.mjs`

package/docs/00-PROPOSITION-PLAN-SCHOOL-18062026.md

@@ -0,0 +1,13 @@
+# @mostajs/school — DEVRULES de bout en bout (§4 + #3 condensés)
+**Auteur** : Dr Hamid MADANI <drmdh@msn.com> · **Date** : 2026-06-18 · **Statut** : cas C — **cœur métier MINCE** P2 ATC.
+## §4 (règle d'or / motif « domaine mince »)
+school n'implémente QUE le domaine « élève/parent + scolarité ». L'élève **DÉRIVE de `@mostajs/users`** (la personne :
+nom/photo/faceDescriptor) ; tout le reste est **composé** (training/attendance/gradebook/certificates/coaching/payment/reporting).
+C'est exactement le motif de `@mostajs/crm` (domaine mince) confirmé par l'audit `AUDIT-BESOINS-3P-vs-MODULES-18062026.md`.
+## §3 (périmètre/API)
+**Entité** : Student{userId(→users), parentUserId(→users, mineur), enrollmentNo, grade, status} — RÉFÉRENCE la personne.
+**API** : `createSchool({repositories, users, training?, attendance?, gradebook?, certificates?, coaching?, numbering?})`
+→ `students.{admit({person,parent,grade}), get, byUser, list, withPerson}`, `enroll(studentId,sessionId)`, `markAttendance`, `recordGrade`, `issueCertificate`, `openCoaching`, `parentPortal(studentId)`, `dashboard()`.
+**Composition (§10)** : users (requis) ; training/attendance/gradebook/certificates/coaching (injectés, erreur claire si manquants). KPIs détaillés → reporting.
+**Couvre P2** : F1(élève/parent) + assemble F2/F3(training), F4(attendance), F7(gradebook/questa), F13(certificates), F9(coaching), F6(portail parents). Reste : school-billing (F5, mince/ext subscriptions).
+## §4 (tests) : admit (users+parent+n°), composition requise, parcours complet enroll→présence→note→certificat→portail. (3 verts)

package/docs/12-DOC-PWA-IDENTIFICATION.md

@@ -0,0 +1,32 @@
+# 12 — Identification via PWA (carte QR / reconnaissance faciale) — comme SecuAccessPro
+**Auteur** : Dr Hamid MADANI <drmdh@msn.com> · **Date** : 2026-06-18
+**Principe** : l'identification d'accès au cours réutilise **la même stack que SecuAccessPro** — `@mostajs/pwa-scan`
+(scanner QR PWA) + `@mostajs/face` (reconnaissance faciale) côté front → l'API `school.access.{byCard,byFace}` côté back.
+Le cœur `@mostajs/school` ne réimplémente rien : il **compose** users (carte/qrCode + matchFace) + attendance (présence).
+
+## Flux
+```
+PWA (terminal d'accès, navigateur)                       Backend (server.mjs, modules réels)
+  <PwaScanner> (QR)  ──POST /api/access/scan {code}────►  school.access.byCard(code,{sessionId})
+                                                            → users(qrCode) → student → attendance.mark('qr')
+  <FaceDetector> (caméra) ─POST /api/access/face {descriptor}► school.access.byFace(desc,{sessionId})
+                                                            → users.matchFace (@mostajs/face) → student → attendance.mark('face')
+  ◄── { status:'granted', data:student } / { matched:true, member, distance }
+```
+
+## Backend (vérifié)
+`examples/access-terminal/server.mjs` (modules réels) :
+- `GET /api/students` → élèves + **carte adhérent** (qrCode).
+- `POST /api/access/scan {code}` → `school.access.byCard` → `{status:'granted'|'denied', data}`.
+- `POST /api/access/face {descriptor[128]}` → `school.access.byFace` → `{matched, member, distance}`.
+Lancer : `node examples/access-terminal/server.mjs` (curl-testable). Vérifié : QR accordé/refusé, visage matché (dist≈0.023)/refusé.
+
+## Front PWA (même gabarit que SecuAccessPro)
+Réutiliser le gabarit `mostajs/mosta-pwa-scan/examples/access-pwa` (front React zéro-build) en pointant les endpoints
+sur ce backend : `<PwaScanner serverUrl scanEndpoint="/api/access/scan">` + `<FaceDetector onCapture=...→/api/access/face>`.
+Les composants `PwaScanner`/`FaceDetector` et le proxy modèles face-api y sont déjà câblés.
+
+## Composition (§10) — aucune réimplémentation
+`@mostajs/pwa-scan` (scanner) · `@mostajs/face` (visage, via `users.matchFace`) · `@mostajs/users` (carte qrCode) ·
+`@mostajs/attendance` (présence) · `@mostajs/school` (orchestration `access.byCard`/`byFace`). Identique à SecuAccessPro,
+mais en briques composables (SecuAccessPro devrait à terme migrer sur `users`/`allocations`/`attendance`).

package/examples/access-terminal/README.md

@@ -0,0 +1,10 @@
+# Terminal d'accès SCHOOL (PWA) — carte QR / reconnaissance faciale
+**Auteur** : Dr Hamid MADANI <drmdh@msn.com>
+Identification d'accès au cours **comme SecuAccessPro**, en composant `@mostajs/pwa-scan` + `@mostajs/face` + `school.access`.
+## Lancer le backend
+```bash
+node server.mjs           # http://localhost:8000 ; API /api/students, /api/access/scan, /api/access/face
+```
+## Front PWA
+Réutiliser `mostajs/mosta-pwa-scan/examples/access-pwa` (PwaScanner + FaceDetector) en pointant sur ce backend.
+Détails : `../../docs/12-DOC-PWA-IDENTIFICATION.md`.

package/examples/access-terminal/server.mjs

@@ -0,0 +1,57 @@
+#!/usr/bin/env node
+// Terminal d'accès SCHOOL (comme SecuAccessPro) — backend Node, modules RÉELS. Author: Dr Hamid MADANI <drmdh@msn.com>
+// Identification par CARTE QR ou RECONNAISSANCE FACIALE → school.access.byCard / byFace → présence.
+// Front PWA = @mostajs/pwa-scan (PwaScanner) + @mostajs/face (FaceDetector) → POST ci-dessous (cf. 12-DOC-PWA-IDENTIFICATION.md).
+import { createServer } from 'node:http';
+import { createSchool, createMemoryRepositories } from '../../src/index.js';
+import { createUsers, createMemoryRepositories as uRepo } from '../../../mosta-users-stack/mosta-users/src/index.js';
+import { createTraining, createMemoryRepositories as tRepo } from '../../../mosta-training/src/index.js';
+import { createAttendance, createMemoryRepositories as aRepo } from '../../../mosta-attendance/src/index.js';
+import { findMatch } from '../../../mosta-face/dist/lib/face-matcher.js';
+
+const PORT = Number(process.argv[2]) || 8000;
+const desc = (s) => Array.from({ length: 128 }, (_, i) => Math.sin(s * (i + 1)) * 0.5);
+
+// ── Stack réelle ──
+const users = createUsers({ repositories: uRepo(), face: { findMatch }, qr: { generate: (id) => `ATC:${id}` } });
+const training = createTraining({ repositories: tRepo() });
+const attendance = createAttendance({ repositories: aRepo(), users });
+const school = createSchool({ repositories: createMemoryRepositories(), users, training, attendance, numbering: { next: () => 'ELV-' + Math.floor(Math.random() * 9999) } });
+
+let SESSION;
+async function seed() {
+  const c = await training.catalog.createCourse({ title: 'Anglais A1' });
+  SESSION = await training.sessions.open({ courseId: c.id, capacity: 30, room: 'Salle 3' });
+  for (const [n, seed] of [[['Inès', 'Mansouri'], 1], [['Karim', 'Saidi'], 2]]) {
+    const { student } = await school.students.admit({ person: { firstName: n[0], lastName: n[1], faceDescriptor: desc(seed) }, grade: 'A1' });
+    await school.enroll(student.id, SESSION.id);
+  }
+}
+const json = (res, code, obj) => { res.writeHead(code, { 'content-type': 'application/json; charset=utf-8', 'access-control-allow-origin': '*' }); res.end(JSON.stringify(obj)); };
+const body = (req) => new Promise((r) => { let b = ''; req.on('data', (c) => b += c); req.on('end', () => { try { r(JSON.parse(b || '{}')); } catch { r({}); } }); });
+const publicStudent = async (s) => { const u = await users.get(s.userId); return { id: s.id, name: users.fullName(u), card: u.qrCode, grade: s.grade }; };
+
+await seed();
+createServer(async (req, res) => {
+  const url = (req.url || '/').split('?')[0];
+  if (req.method === 'OPTIONS') return json(res, 204, {});
+  try {
+    if (url === '/api/students' && req.method === 'GET') return json(res, 200, { students: await Promise.all((await school.students.list()).map(publicStudent)), session: SESSION.id });
+    if (url === '/api/access/scan' && req.method === 'POST') {            // carte adhérent QR (@mostajs/pwa-scan)
+      const { code } = await body(req);
+      const r = await school.access.byCard(code, { sessionId: SESSION.id });
+      return json(res, 200, r.granted ? { status: 'granted', message: `Accès — ${(await publicStudent(r.student)).name}`, data: await publicStudent(r.student) } : { status: 'denied', message: r.reason });
+    }
+    if (url === '/api/access/face' && req.method === 'POST') {            // reconnaissance faciale (@mostajs/face)
+      const { descriptor } = await body(req);
+      if (!Array.isArray(descriptor)) return json(res, 400, { error: 'descriptor requis' });
+      const r = await school.access.byFace(descriptor, { sessionId: SESSION.id });
+      return json(res, 200, r.granted ? { matched: true, member: await publicStudent(r.student), distance: r.distance } : { matched: false });
+    }
+    json(res, 404, { error: 'not found' });
+  } catch (e) { json(res, 500, { error: e.message }); }
+}).listen(PORT, () => {
+  console.log(`🛂 Terminal d'accès SCHOOL — http://localhost:${PORT}`);
+  console.log(`   API : GET /api/students · POST /api/access/scan {code} · POST /api/access/face {descriptor[128]}`);
+  console.log(`   Front PWA : @mostajs/pwa-scan + @mostajs/face (cf. ../../docs/12-DOC-PWA-IDENTIFICATION.md ; gabarit : mosta-pwa-scan/examples/access-pwa)`);
+});

package/examples/scolarite/run.mjs

@@ -0,0 +1,40 @@
+// Exemple §12 — ATC : inscription+photo → accès cours par carte QR ou visage. node examples/scolarite/run.mjs
+import assert from 'node:assert/strict';
+import { createSchool, createMemoryRepositories } from '../../src/index.js';
+import { createUsers, createMemoryRepositories as uRepo } from '../../../mosta-users-stack/mosta-users/src/index.js';
+import { createTraining, createMemoryRepositories as tRepo } from '../../../mosta-training/src/index.js';
+import { createAttendance, createMemoryRepositories as aRepo } from '../../../mosta-attendance/src/index.js';
+import { createGradebook, createMemoryRepositories as gRepo } from '../../../mosta-gradebook/src/index.js';
+import { createCertificates, createMemoryRepositories as cRepo } from '../../../mosta-certificates/src/index.js';
+import { hmacSha256 } from '../../../mosta-security/src/index.js';
+import { findMatch } from '../../../mosta-face/dist/lib/face-matcher.js';
+const desc=(s)=>Array.from({length:128},(_,i)=>Math.sin(s*(i+1))*0.5);
+const users=createUsers({ repositories:uRepo(), face:{ findMatch }, qr:{generate:(id)=>'BADGE:'+id} });
+const training=createTraining({ repositories:tRepo() });
+const attendance=createAttendance({ repositories:aRepo(), users });
+const gradebook=createGradebook({ repositories:gRepo() });
+const certificates=createCertificates({ repositories:cRepo(), hmac:hmacSha256, secret:'atc', qr:{generate:(p)=>'verify?c='+p} });
+const school=createSchool({ repositories:createMemoryRepositories(), users, training, attendance, gradebook, certificates, numbering:{next:()=>'ELV-2026-'+Math.floor(Math.random()*999)} });
+
+const eng=await training.catalog.createCourse({ title:'Anglais', category:'langues' });
+const a1=await training.catalog.addLevel(eng.id,{ order:1, label:'A1' });
+const grp=await training.sessions.open({ courseId:eng.id, levelId:a1.id, capacity:12, room:'Salle 3' });
+
+// 1) Inscription AVEC prise de photo + enrôlement visage (→ carte adhérent QR auto)
+const { student, card }=await school.students.admit({
+  person:{ firstName:'Inès', lastName:'Mansouri', photo:'data:image/jpeg;base64,…', faceDescriptor:desc(1) },
+  parent:{ firstName:'Mme', lastName:'Mansouri', email:'parent@ex.dz' }, grade:'A1' });
+await school.enroll(student.id, grp.id);
+console.log('   inscrit %s · carte adhérent: %s · photo ✓', (await school.students.withPerson(student.id)).person.name, card);
+
+// 2) Accès au cours — voie A : carte QR
+const accCard=await school.access.byCard(card, { sessionId:grp.id });
+// 3) Accès au cours — voie B : reconnaissance faciale (autre séance/jour)
+const grp2=await training.sessions.open({ courseId:eng.id, levelId:a1.id, capacity:12 });
+await school.enroll(student.id, grp2.id);
+const accFace=await school.access.byFace(desc(1).map(x=>x+0.002), { sessionId:grp2.id });
+
+assert.equal(accCard.granted && accCard.method==='qr', true);
+assert.equal(accFace.granted && accFace.method==='face', true);
+console.log('✅ school — accès cours : carte QR ✓ (présence %s) · visage ✓ (dist %s)',
+  accCard.attendance.status, accFace.distance.toFixed(3));

package/llms.txt

@@ -0,0 +1,19 @@
+# @mostajs/school — fiche LLM
+RÔLE
+  Cœur métier MINCE d'un établissement de formation (P2 ATC). Domaine : élève/parent + scolarité.
+  L'élève DÉRIVE de @mostajs/users. COMPOSE (injectés) training/attendance/gradebook/certificates/coaching ; KPIs→reporting. Motif « domaine mince » (cf. crm).
+EXPORTS
+  createSchool({ repositories, users(requis), training?, attendance?, gradebook?, certificates?, coaching?, numbering?, now? }) -> api
+  createMemoryRepositories(); StudentSchema
+API
+  students.admit({person:{...,photo?,faceDescriptor?},parent?,grade}) -> {student,user,parent,card(=qrCode)}
+  students.capturePhoto(studentId,{photo,faceDescriptor}) ; students.card(studentId) (photo+QR via users.cardData)
+  access.byCard(qrCode,{sessionId}) -> {granted,student,method:'qr',attendance}  (carte adhérent)
+  access.byFace(descriptor,{sessionId,threshold}) -> {granted,student,distance,method:'face',attendance}  (compose @mostajs/face via users.matchFace)
+  students.admit({person,parent?,grade}) -> {student,user,parent} ; students.get/byUser/list/withPerson
+  enroll(studentId,sessionId)[training] ; markAttendance(studentId,sessionId,{status,method})[attendance]
+  recordGrade(studentId,{sessionId,courseId,levelId,score,max})[gradebook] ; issueCertificate(studentId,{title,payload})[certificates]
+  openCoaching(studentId,{objective,coachId})[coaching] ; parentPortal(studentId)->{student,attendance,grades,certificates} ; dashboard()
+PIÈGES
+  - users REQUIS (la personne = User ; Student n'est qu'un lien userId + champs scolaires). Modules composés injectés → erreur explicite si absents.
+  - Student.userId/parentUserId opaques. parentPortal = lecture seule agrégée. Ne réimplémente AUCUNE brique (compose).

package/package.json

@@ -0,0 +1,25 @@
+{
+  "name": "@mostajs/school",
+  "version": "0.1.0",
+  "description": "Cœur métier MINCE d'un établissement de formation : élève/parent (dérive @mostajs/users) + scolarité. COMPOSE training/attendance/gradebook/certificates/coaching. Assemble P2 ATC.",
+  "license": "AGPL-3.0-or-later",
+  "author": "Dr Hamid MADANI <drmdh@msn.com>",
+  "type": "module",
+  "main": "src/index.js",
+  "exports": {
+    ".": "./src/index.js",
+    "./schemas": "./src/schemas.js"
+  },
+  "keywords": [
+    "mostajs",
+    "school",
+    "ecole",
+    "scolarite",
+    "eleve",
+    "atc"
+  ],
+  "scripts": {
+    "test": "node test-scripts/unit/school.test.mjs",
+    "example": "node examples/scolarite/run.mjs"
+  }
+}

package/src/index.js

@@ -0,0 +1,4 @@
+// @mostajs/school — point d'entrée. Author: Dr Hamid MADANI <drmdh@msn.com>
+export { createSchool } from './school.js';
+export { createMemoryRepositories } from './memory-repo.js';
+export { StudentSchema } from './schemas.js';

package/src/memory-repo.js

@@ -0,0 +1,6 @@
+function coll(){ const m=new Map(); return {
+  async create(d){ const id=d.id||globalThis.crypto.randomUUID(); const now=new Date(); const r={id,createdAt:now,updatedAt:now,...d}; m.set(id,r); return {...r}; },
+  async findById(id){ const r=m.get(id); return r?{...r}:null; },
+  async update(id,p){ const r=m.get(id); if(!r)return null; const x={...r,...p,updatedAt:new Date()}; m.set(id,x); return {...x}; },
+  async find(f=()=>true){ return [...m.values()].filter(f).map(r=>({...r})); } }; }
+export function createMemoryRepositories(){ return { students:coll() }; }

package/src/schemas.js

@@ -0,0 +1,7 @@
+// @mostajs/school — schéma mince (le profil personne vit dans @mostajs/users). Author: Dr Hamid MADANI <drmdh@msn.com>
+// Student RÉFÉRENCE un User (élève) + un User (parent, mineur). Conceptuellement : élève DÉRIVE de User (users.extendUser 'student').
+export const StudentSchema = { name:'Student', collection:'students', timestamps:true, fields:{
+  userId:{type:'string',required:true},          // → @mostajs/users (la personne : nom, photo, faceDescriptor…)
+  parentUserId:{type:'string',default:null},     // → @mostajs/users (tuteur, mineur)
+  enrollmentNo:{type:'string'}, grade:{type:'string'}, status:{type:'string',enum:['active','left'],default:'active'} },
+  indexes:[{fields:{userId:'asc'}}] };

package/src/school.js

@@ -0,0 +1,83 @@
+// @mostajs/school — cœur métier MINCE (établissement de formation). Author: Dr Hamid MADANI <drmdh@msn.com>
+// N'implémente QUE le domaine « élève/parent + scolarité + accès ». COMPOSE les briques (injectées) :
+//   users (personne — l'élève DÉRIVE de User : photo, faceDescriptor, qrCode/carte), training (sessions/inscriptions),
+//   attendance (présences), gradebook (notes), certificates (attestations), coaching (suivi). Motif « domaine mince » de @mostajs/crm.
+
+export function createSchool({ repositories, users, training, attendance, gradebook, certificates, coaching, numbering, now = () => new Date() } = {}) {
+  if (!repositories?.students) throw new Error('createSchool: repositories.students requis');
+  if (!users) throw new Error('createSchool: @mostajs/users requis (la personne dérive de User)');
+  const { students } = repositories;
+  const enrollNo = () => (numbering?.next ? numbering.next('student') : `ELV-${now().getFullYear()}-${Math.floor(now().getTime() % 100000)}`);
+  const need = (m, name) => { if (!m) throw new Error(`@mostajs/${name} requis (composition)`); return m; };
+
+  const api = {
+    students: {
+      /** Admet un élève : crée la PERSONNE (users : nom + PHOTO + faceDescriptor + qrCode/carte) + le parent + le profil scolaire. */
+      async admit({ person = {}, parent = null, grade } = {}) {
+        if (!person.firstName && !person.lastName && !person.username) throw new Error('person (élève) requise');
+        const parentUser = parent ? await users.create({ ...parent }) : null;
+        const studentUser = await users.create({ ...person });   // person peut porter photo + faceDescriptor → carte qrCode auto
+        const student = await students.create({ userId: studentUser.id, parentUserId: parentUser?.id || null, grade, enrollmentNo: enrollNo() });
+        return { student, user: studentUser, parent: parentUser, card: studentUser.qrCode };
+      },
+      /** Prise de photo / enrôlement visage (post-admission). */
+      async capturePhoto(studentId, { photo, faceDescriptor } = {}) {
+        const s = await students.findById(studentId); if (!s) throw new Error('élève introuvable');
+        if (photo) await users.setPhoto(s.userId, photo);
+        if (Array.isArray(faceDescriptor)) await users.enrollFace(s.userId, faceDescriptor);
+        return users.get(s.userId);
+      },
+      /** Carte adhérent (photo + QR). Compose @mostajs/users (cardData → qrpanel côté rendu). */
+      async card(studentId) { const s = await students.findById(studentId); return users.cardData ? users.cardData(s.userId) : { id: s.userId }; },
+      get: (id) => students.findById(id),
+      byUser: async (userId) => (await students.find((s) => s.userId === userId))[0] || null,
+      list: () => students.find(),
+      async withPerson(id) {
+        const s = await students.findById(id); if (!s) return null;
+        const u = await users.get(s.userId); const p = s.parentUserId ? await users.get(s.parentUserId) : null;
+        return { ...s, person: u && { name: users.fullName(u), email: u.email, photo: u.photo }, parent: p && { name: users.fullName(p), email: p.email } };
+      },
+    },
+
+    // ── Scolarité ──
+    async enroll(studentId, sessionId) { const s = await students.findById(studentId); return need(training, 'training').enrollments.enroll(sessionId, s.userId); },
+    async markAttendance(studentId, sessionId, opts = {}) { const s = await students.findById(studentId); return need(attendance, 'attendance').mark(sessionId, s.userId, opts); },
+    async recordGrade(studentId, dto) { const s = await students.findById(studentId); return need(gradebook, 'gradebook').record(s.userId, dto); },
+    async issueCertificate(studentId, dto) { const s = await students.findById(studentId); return need(certificates, 'certificates').issue({ subjectId: s.userId, ...dto }); },
+    async openCoaching(studentId, { objective, coachId } = {}) { const s = await students.findById(studentId); return need(coaching, 'coaching').plans.create({ coacheeId: s.userId, coachId, objective }); },
+
+    // ── Accès au cours : carte QR OU reconnaissance faciale → pointage de présence ──
+    access: {
+      /** Accès par carte adhérent (QR). Identifie via users(qrCode) → marque présence. */
+      async byCard(qrCode, { sessionId, mark = true } = {}) {
+        const u = (await users.repositories.users.find((x) => x.qrCode === qrCode))[0];
+        if (!u) return { granted: false, reason: 'carte inconnue' };
+        const st = await api.students.byUser(u.id); if (!st) return { granted: false, reason: 'non inscrit' };
+        const att = (sessionId && mark && attendance) ? await attendance.mark(sessionId, u.id, { status: 'present', method: 'qr' }) : null;
+        return { granted: true, student: st, user: u, method: 'qr', attendance: att };
+      },
+      /** Accès par reconnaissance faciale. Identifie via users.matchFace (@mostajs/face) → marque présence. */
+      async byFace(descriptor, { sessionId, mark = true, threshold } = {}) {
+        if (!users.matchFace) throw new Error('users.matchFace requis (@mostajs/face injecté dans users)');
+        const m = await users.matchFace(descriptor, { threshold });
+        if (!m) return { granted: false, reason: 'visage inconnu' };
+        const st = await api.students.byUser(m.match.id); if (!st) return { granted: false, reason: 'non inscrit' };
+        const att = (sessionId && mark && attendance) ? await attendance.mark(sessionId, m.match.id, { status: 'present', method: 'face' }) : null;
+        return { granted: true, student: st, distance: m.distance, method: 'face', attendance: att };
+      },
+    },
+
+    async parentPortal(studentId) {
+      const s = await students.findById(studentId); if (!s) return null;
+      return {
+        student: await api.students.withPerson(studentId),
+        attendance: attendance ? await attendance.listByLearner(s.userId) : [],
+        grades: gradebook ? await gradebook.average(s.userId, {}) : null,
+        certificates: certificates ? await certificates.listBySubject(s.userId) : [],
+      };
+    },
+    async dashboard() { return { students: (await students.find()).length }; },
+    repositories,
+  };
+  return api;
+}

package/test-scripts/unit/school.test.mjs

@@ -0,0 +1,65 @@
+// @mostajs/school — tests d'ASSEMBLAGE + accès (DEVRULES §5). node test-scripts/unit/school.test.mjs
+import assert from 'node:assert/strict';
+import { createSchool, createMemoryRepositories } from '../../src/index.js';
+import { createUsers, createMemoryRepositories as uRepo } from '../../../mosta-users-stack/mosta-users/src/index.js';
+import { createTraining, createMemoryRepositories as tRepo } from '../../../mosta-training/src/index.js';
+import { createAttendance, createMemoryRepositories as aRepo } from '../../../mosta-attendance/src/index.js';
+import { createGradebook, createMemoryRepositories as gRepo } from '../../../mosta-gradebook/src/index.js';
+import { createCertificates, createMemoryRepositories as cRepo } from '../../../mosta-certificates/src/index.js';
+import { hmacSha256 } from '../../../mosta-security/src/index.js';
+import { findMatch } from '../../../mosta-face/dist/lib/face-matcher.js';
+let pass=0; const test=async(n,f)=>{await f();pass++;console.log('  ✓',n);};
+const desc=(s)=>Array.from({length:128},(_,i)=>Math.sin(s*(i+1))*0.5);
+function wire(){
+  const users=createUsers({ repositories:uRepo(), face:{ findMatch }, qr:{generate:(id)=>'BADGE:'+id} });
+  const training=createTraining({ repositories:tRepo() });
+  const attendance=createAttendance({ repositories:aRepo(), users });
+  const gradebook=createGradebook({ repositories:gRepo() });
+  const certificates=createCertificates({ repositories:cRepo(), hmac:hmacSha256, secret:'k', qr:{generate:(p)=>'QR:'+p} });
+  const school=createSchool({ repositories:createMemoryRepositories(), users, training, attendance, gradebook, certificates });
+  return { users, training, attendance, gradebook, certificates, school };
+}
+
+await test('admit avec PHOTO + visage + carte (dérive User)', async()=>{
+  const { school }=wire();
+  const r=await school.students.admit({ person:{firstName:'Inès',lastName:'M',photo:'data:photo',faceDescriptor:desc(1)}, parent:{firstName:'P',email:'p@x.dz'}, grade:'A1' });
+  assert.ok(r.card.startsWith('BADGE:'), 'carte = qrCode auto');
+  const card=await school.students.card(r.student.id); assert.equal(card.photo,'data:photo'); assert.ok(card.qr);
+});
+await test('capturePhoto post-admission', async()=>{
+  const { school, users }=wire(); const r=await school.students.admit({ person:{firstName:'A'} });
+  await school.students.capturePhoto(r.student.id,{ photo:'data:p2', faceDescriptor:desc(2) });
+  const u=await users.get(r.user.id); assert.equal(u.photo,'data:p2'); assert.equal(u.faceDescriptor.length,128);
+});
+await test('ACCÈS par carte QR → présence', async()=>{
+  const { training, school }=wire();
+  const c=await training.catalog.createCourse({title:'Anglais'}); const ses=await training.sessions.open({courseId:c.id,capacity:10});
+  const r=await school.students.admit({ person:{firstName:'Inès'} }); await school.enroll(r.student.id, ses.id);
+  const acc=await school.access.byCard(r.card, { sessionId:ses.id });
+  assert.equal(acc.granted,true); assert.equal(acc.method,'qr'); assert.equal(acc.attendance.status,'present');
+  assert.equal((await school.access.byCard('BADGE:inconnu',{sessionId:ses.id})).granted,false);
+});
+await test('ACCÈS par reconnaissance faciale → présence', async()=>{
+  const { training, school }=wire();
+  const c=await training.catalog.createCourse({title:'X'}); const ses=await training.sessions.open({courseId:c.id,capacity:10});
+  const r=await school.students.admit({ person:{firstName:'Inès',faceDescriptor:desc(1)} }); await school.enroll(r.student.id, ses.id);
+  const acc=await school.access.byFace(desc(1).map(x=>x+0.002), { sessionId:ses.id });
+  assert.equal(acc.granted,true); assert.equal(acc.method,'face'); assert.equal(acc.attendance.method,'face');
+  assert.equal((await school.access.byFace(desc(99),{sessionId:ses.id})).granted,false);
+});
+await test('parcours complet : enroll→note→certificat→portail parent', async()=>{
+  const { training, school }=wire();
+  const c=await training.catalog.createCourse({title:'Anglais'}); const lvl=await training.catalog.addLevel(c.id,{order:1,label:'A1'});
+  const ses=await training.sessions.open({courseId:c.id,levelId:lvl.id,capacity:10});
+  const r=await school.students.admit({ person:{firstName:'Inès'}, parent:{firstName:'P',email:'p@x.dz'} });
+  await school.enroll(r.student.id, ses.id);
+  await school.recordGrade(r.student.id,{ sessionId:ses.id, courseId:c.id, levelId:lvl.id, kind:'exam', score:16, max:20 });
+  const cert=await school.issueCertificate(r.student.id,{ title:'Anglais A1' });
+  const portal=await school.parentPortal(r.student.id);
+  assert.equal(portal.grades.percent,80); assert.equal(portal.certificates[0].no,cert.no);
+});
+await test('composition requise (erreur claire)', async()=>{
+  const users=createUsers({ repositories:uRepo() }); const school=createSchool({ repositories:createMemoryRepositories(), users });
+  const r=await school.students.admit({ person:{firstName:'A'} }); await assert.rejects(()=>school.enroll(r.student.id,'s'),/training requis/);
+});
+console.log(`\n✅ @mostajs/school — ${pass} tests OK`);