feat: implement spec #19 Enemy System

Enemy/EnemyAbility/LootTable/Encounter/EncounterEnemy entities.
CombatStats owned value object. DropChance-based loot rolls via IDiceService.
IEnemyService + IEncounterService. EnemyController + EncounterController.
All Danny tests passing. Closes #19

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Fortinbra

.squad/agents/rory/history.md

@@ -8,6 +8,18 @@
 
 ## Learnings
 
+### 2026-04-10 — Spec #19 Enemy System
+
+**Status:** ✅ Complete (Core + Infrastructure + API wired)
+
+**What was done:**
+- Added Enemy/Encounter entities with CombatStats owned value object and loot tables
+- Implemented EnemyService + EncounterService with dice-based loot rolls
+- Added EnemyController + EncounterController endpoints and registered services
+
+**Test Results:**
+- Enemy/Encounter Core + API tests passing
+
 ### 2026-04-09 — Spec #17 Image Management
 
 **Status:** ✅ Complete (Core + Infrastructure + API wired)

src/DungeonMaster.Api/Controllers/EncounterController.cs

@@ -0,0 +1,78 @@
+using DungeonMaster.Core.Encounters;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace DungeonMaster.Api.Controllers;
+
+/// <summary>Encounter management endpoints.</summary>
+[ApiController]
+[Route("api/encounters")]
+public sealed class EncounterController : ControllerBase
+{
+    private readonly IEncounterService _encounterService;
+
+    /// <summary>Initializes a new instance of the <see cref="EncounterController"/> class.</summary>
+    /// <param name="encounterService">Encounter service.</param>
+    public EncounterController(IEncounterService encounterService) => _encounterService = encounterService;
+
+    /// <summary>Starts a new encounter.</summary>
+    /// <param name="command">Start command.</param>
+    /// <returns>The created encounter.</returns>
+    [HttpPost]
+    [Authorize(Policy = "RequireDungeonMaster")]
+    public async Task<IActionResult> StartEncounter([FromBody] StartEncounterCommand command)
+    {
+        if (!ModelState.IsValid)
+        {
+            return BadRequest(ModelState);
+        }
+
+        var encounter = await _encounterService.StartEncounterAsync(command.CampaignId, command.EnemyIds);
+        return CreatedAtAction(nameof(GetActiveEncounter), new { campaignId = command.CampaignId }, encounter);
+    }
+
+    /// <summary>Gets the active encounter for a campaign.</summary>
+    /// <param name="campaignId">Campaign identifier.</param>
+    /// <returns>The active encounter.</returns>
+    [HttpGet("{campaignId:guid}/active")]
+    [Authorize(Policy = "RequirePlayer")]
+    public async Task<IActionResult> GetActiveEncounter(Guid campaignId)
+    {
+        var encounter = await _encounterService.GetActiveEncounterAsync(campaignId);
+        return encounter is null ? NotFound() : Ok(encounter);
+    }
+
+    /// <summary>Marks an encounter enemy defeated.</summary>
+    /// <param name="id">Encounter identifier.</param>
+    /// <param name="enemyId">Enemy identifier.</param>
+    /// <returns>No content.</returns>
+    [HttpPost("{id:guid}/defeat-enemy/{enemyId:guid}")]
+    [Authorize(Policy = "RequireDungeonMaster")]
+    public async Task<IActionResult> DefeatEnemy(Guid id, Guid enemyId)
+    {
+        await _encounterService.DefeatEnemyAsync(id, enemyId);
+        return NoContent();
+    }
+
+    /// <summary>Ends an encounter.</summary>
+    /// <param name="id">Encounter identifier.</param>
+    /// <returns>No content.</returns>
+    [HttpPost("{id:guid}/end")]
+    [Authorize(Policy = "RequireDungeonMaster")]
+    public async Task<IActionResult> EndEncounter(Guid id)
+    {
+        await _encounterService.EndEncounterAsync(id);
+        return NoContent();
+    }
+
+    /// <summary>Rolls loot for an encounter.</summary>
+    /// <param name="id">Encounter identifier.</param>
+    /// <returns>The loot results.</returns>
+    [HttpGet("{id:guid}/loot")]
+    [Authorize(Policy = "RequireDungeonMaster")]
+    public async Task<IActionResult> RollLoot(Guid id)
+    {
+        var loot = await _encounterService.RollLootAsync(id);
+        return Ok(loot.ToList());
+    }
+}

src/DungeonMaster.Api/Controllers/EnemyController.cs

@@ -0,0 +1,112 @@
+using DungeonMaster.Core.Enemies;
+using DungeonMaster.Core.Entities;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace DungeonMaster.Api.Controllers;
+
+/// <summary>Enemy catalog endpoints.</summary>
+[ApiController]
+[Route("api/enemies")]
+public sealed class EnemyController : ControllerBase
+{
+    private readonly IEnemyService _enemyService;
+
+    /// <summary>Initializes a new instance of the <see cref="EnemyController"/> class.</summary>
+    /// <param name="enemyService">Enemy service.</param>
+    public EnemyController(IEnemyService enemyService) => _enemyService = enemyService;
+
+    /// <summary>Gets all enemies.</summary>
+    /// <returns>The enemy list.</returns>
+    [HttpGet]
+    [Authorize(Policy = "RequirePlayer")]
+    public async Task<IActionResult> GetEnemies()
+    {
+        var enemies = await _enemyService.GetEnemiesAsync();
+        return Ok(enemies.ToList());
+    }
+
+    /// <summary>Gets an enemy by identifier.</summary>
+    /// <param name="id">Enemy identifier.</param>
+    /// <returns>The enemy.</returns>
+    [HttpGet("{id:guid}")]
+    [Authorize(Policy = "RequirePlayer")]
+    public async Task<IActionResult> GetEnemy(Guid id)
+    {
+        var enemy = await _enemyService.GetEnemyAsync(id);
+        return enemy is null ? NotFound() : Ok(enemy);
+    }
+
+    /// <summary>Creates a new enemy.</summary>
+    /// <param name="command">Creation command.</param>
+    /// <returns>The created enemy.</returns>
+    [HttpPost]
+    [Authorize(Policy = "RequireDungeonMaster")]
+    public async Task<IActionResult> CreateEnemy([FromBody] CreateEnemyCommand command)
+    {
+        if (!ModelState.IsValid)
+        {
+            return BadRequest(ModelState);
+        }
+
+        var created = await _enemyService.CreateEnemyAsync(command);
+        return CreatedAtAction(nameof(GetEnemy), new { id = created.Id }, created);
+    }
+
+    /// <summary>Updates an enemy.</summary>
+    /// <param name="id">Enemy identifier.</param>
+    /// <param name="enemy">Enemy payload.</param>
+    /// <returns>No content.</returns>
+    [HttpPut("{id:guid}")]
+    [Authorize(Policy = "RequireDungeonMaster")]
+    public async Task<IActionResult> UpdateEnemy(Guid id, [FromBody] Enemy enemy)
+    {
+        if (!ModelState.IsValid)
+        {
+            return BadRequest(ModelState);
+        }
+
+        enemy.Id = id;
+        await _enemyService.UpdateEnemyAsync(enemy);
+        return NoContent();
+    }
+
+    /// <summary>Deletes an enemy.</summary>
+    /// <param name="id">Enemy identifier.</param>
+    /// <returns>No content.</returns>
+    [HttpDelete("{id:guid}")]
+    [Authorize(Policy = "RequireDungeonMaster")]
+    public async Task<IActionResult> DeleteEnemy(Guid id)
+    {
+        await _enemyService.DeleteEnemyAsync(id);
+        return NoContent();
+    }
+
+    /// <summary>Gets the loot table for an enemy.</summary>
+    /// <param name="id">Enemy identifier.</param>
+    /// <returns>The loot table.</returns>
+    [HttpGet("{id:guid}/loot-table")]
+    [Authorize(Policy = "RequireDungeonMaster")]
+    public async Task<IActionResult> GetLootTable(Guid id)
+    {
+        var enemy = await _enemyService.GetEnemyAsync(id);
+        return enemy?.LootTable is null ? NotFound() : Ok(enemy.LootTable);
+    }
+
+    /// <summary>Updates the loot table for an enemy.</summary>
+    /// <param name="id">Enemy identifier.</param>
+    /// <param name="entries">Loot entries.</param>
+    /// <returns>The updated enemy.</returns>
+    [HttpPut("{id:guid}/loot-table")]
+    [Authorize(Policy = "RequireDungeonMaster")]
+    public async Task<IActionResult> UpdateLootTable(Guid id, [FromBody] List<LootEntry> entries)
+    {
+        if (!ModelState.IsValid)
+        {
+            return BadRequest(ModelState);
+        }
+
+        var updated = await _enemyService.UpdateLootTableAsync(id, entries);
+        return updated is null ? NotFound() : Ok(updated);
+    }
+}

src/DungeonMaster.Api/Program.cs

@@ -1,5 +1,7 @@
 using DungeonMaster.Api.Extensions;
 using DungeonMaster.Core.Campaigns;
+using DungeonMaster.Core.Encounters;
+using DungeonMaster.Core.Enemies;
 using DungeonMaster.Core.Items;
 using DungeonMaster.Core.Rulesets;
 using DungeonMaster.Core.WorldBuilding;
@@ -11,6 +13,8 @@
 builder.Services.AddAppAuthorization();
 builder.Services.AddControllers();
 builder.Services.AddScoped<ICampaignService, CampaignService>();
+builder.Services.AddScoped<IEnemyService, EnemyService>();
+builder.Services.AddScoped<IEncounterService, EncounterService>();
 builder.Services.AddScoped<IItemService, ItemService>();
 builder.Services.AddScoped<IRulesetService, RulesetService>();
 builder.Services.AddScoped<IWorldService, WorldService>();