Done. Phased allocation engine + stateless preview endpoint shipped. 170 tests green, PHPStan clean, Pint clean, 100% line coverage on all new classes. Pre-commit (code-reviewer) + finish-phase…
Done — domain model ported to Doctrine + API Platform. 86 tests / 252 assertions green, PHPStan + CS clean. 10 commits (59807d8..bebc042).
Exit criteria
- ✅ Entities migrate —…
Follow-up: deferred stateless CSRF is now WON'T-DO (superseded by SameSite)
This ticket deferred "explicit stateless double-submit CSRF" to the first mutating-resource ticket (#31). Revisited…
CSRF scope clarification (2026-06-18)
The original plan was to add stateless double-submit CSRF tokens on /api/login via json_login's enable_csrf option. While implementing, we verified…