chore(release): 1.4.2

Reviewed-on: #20

.env.example

@@ -10,14 +10,16 @@ BACKUPS_REMOTE_HOST=
 BACKUPS_REMOTE_ROOT=
 BACKUPS_MAX_FILES=
 
-# DISK_COMMAND_REMOTE et DISK_COMMAND_LOCAL pour les commandes de vérification de l'espace disque
+# Paramètres utilisés pour construire les commandes disque et backup
-DISK_COMMAND_REMOTE=
+DISK_REMOTE_HOST=malio-b
-DISK_COMMAND_LOCAL=
+DISK_LOCAL_SCRIPT_DIR=/home/malio/Malio-ops/CheckStorage
-
+DISK_REMOTE_SCRIPT_DIR=/home/malio-b/Malio-ops/CheckStorage
-# BACKUP_SCRIPT_COMMAND_BACKUP_BDD_RECETTE, BACKUP_SCRIPT_COMMAND_CHECK_STATUT_RECETTE et BACKUP_SCRIPT_COMMAND_BACKUP_VAULTWARDEN pour les commandes de backup et de vérification des statuts
+RECETTE_SCRIPTS_DIR=/home/malio/Malio-ops/RecetteScripts
-BACKUP_SCRIPT_COMMAND_BACKUP_BDD_RECETTE=
+VAULTWARDEN_SSH_HOST=bitwarden
-BACKUP_SCRIPT_COMMAND_CHECK_STATUT_RECETTE=
+VAULTWARDEN_SCRIPTS_DIR=/home/matt/vaultwarden/Malio-ops/BackupVaultWarden
-BACKUP_SCRIPT_COMMAND_BACKUP_VAULTWARDEN=
 
 # A quelle heure les backups doivent être effectués (format 24h)
 BACKUPS_HOUR=19
+
+#Mettre à true pour que les cookies d'authentification soient sécurisés (HTTPS uniquement)
+AUTH_COOKIE_SECURE=

CHANGELOG.md

@@ -1,3 +1,37 @@
+## [1.4.2](https://gitea.malio.fr/MALIO-DEV/Supervisor/compare/v1.4.1...v1.4.2) (2026-03-18)
+
+
+### Bug Fixes
+
+* systeme metrics chart ([403bc91](https://gitea.malio.fr/MALIO-DEV/Supervisor/commit/403bc91f33ca2253d698531e8c6bf0c28b40f5c8))
+* t-001 a t-005 correctif ([bdb65a0](https://gitea.malio.fr/MALIO-DEV/Supervisor/commit/bdb65a09ff247f8fb3d22913a3426a89fad1d177))
+* t-005 a t-0029 correctif ([c12387a](https://gitea.malio.fr/MALIO-DEV/Supervisor/commit/c12387ac947cde677e78fe77d914a904795d404c))
+* use recette status log ([0a73c5c](https://gitea.malio.fr/MALIO-DEV/Supervisor/commit/0a73c5cb37c557568647684382440d95de7bf3ab))
+
+## [1.4.1](https://gitea.malio.fr/MALIO-DEV/Supervisor/compare/v1.4.0...v1.4.1) (2026-03-17)
+
+
+### Bug Fixes
+
+* readme ([13457ce](https://gitea.malio.fr/MALIO-DEV/Supervisor/commit/13457ceb5a74686cd7a5e4180a87f130d1e2f73d))
+* resolve production runtime issues ([8886e8b](https://gitea.malio.fr/MALIO-DEV/Supervisor/commit/8886e8b7dfe4fb6c9f90f3be7f2a64e23dd7cb3c))
+
+# [1.4.0](https://gitea.malio.fr/MALIO-DEV/Supervisor/compare/v1.3.1...v1.4.0) (2026-03-17)
+
+
+### Bug Fixes
+
+* lint ([69c192c](https://gitea.malio.fr/MALIO-DEV/Supervisor/commit/69c192c35ad2a743d01b96d834f509b2b1f0b4e6))
+* readme ([5184e26](https://gitea.malio.fr/MALIO-DEV/Supervisor/commit/5184e26293ef23944e874f4e938f1cc89ec85f82))
+* use env ([f7ac255](https://gitea.malio.fr/MALIO-DEV/Supervisor/commit/f7ac255820ca5a1fded47a6b0071d85c7d3c4214))
+* use env only ([829ac07](https://gitea.malio.fr/MALIO-DEV/Supervisor/commit/829ac07d38e81225017b3c6a33c3f34882ca02d1))
+* use env only ([e13e1eb](https://gitea.malio.fr/MALIO-DEV/Supervisor/commit/e13e1eb3dd48c1b5a6f2fe0347e43dea60e4406f))
+
+
+### Features
+
+* add check backup ([5495e18](https://gitea.malio.fr/MALIO-DEV/Supervisor/commit/5495e18173c0778c6eaba4ae1eb8c30ea46bbef7))
+
 ## [1.3.1](https://gitea.malio.fr/MALIO-DEV/Supervisor/compare/v1.3.0...v1.3.1) (2026-03-16)
 
 

README.md

@@ -95,6 +95,19 @@ Consequence visible :
 - si `API_SECRET_KEY` est vide, les appels API sont refusés avec `401 Unauthorized`
 - l'application web pose aussi un cookie HTTP-only via `server/middleware/auth-cookie.ts` pour réutiliser ce secret coté navigateur
 
+## Securite
+
+Le comportement actuel du projet repose sur une hypothèse d'exposition très forte.
+
+- `server/middleware/auth-cookie.ts` pose automatiquement le cookie `api_auth_token` à tout visiteur qui charge l'interface web
+- ce cookie permet ensuite d'accéder aux routes `/api/*` protégées par `API_SECRET_KEY`
+- il n'existe pas de login utilisateur ni de contrôle d'identité distinct dans le dépôt
+
+Conséquence :
+
+- `Supervisor` doit être déployé uniquement sur un réseau de confiance, derrière un VPN, une restriction d'IP, un proxy d'authentification ou un autre contrôle d'accès externe
+- si l'application est exposée publiquement sans protection supplémentaire, ce mécanisme ne constitue pas une authentification suffisante
+
 ### SSH pour les backups
 
 Les fonctionnalités de backup utilisent `ssh` avec les options `BatchMode=yes` et `ConnectTimeout=5` dans `server/utils/ssh.ts`. Cela implique un accès sans saisie interactive de mot de passe.

assets/css/main.css

@@ -15,7 +15,6 @@
   --color-m-success: rgb(var(--m-success));
   --color-m-accent: rgb(var(--m-accent));
   --color-m-warning: rgb(var(--m-warning));
-  --color-m-succes: rgb(var(--m-success));
   --font-display: "Outfit", system-ui, sans-serif;
   --font-mono: "JetBrains Mono", "Fira Code", monospace;
 }

components/BackupRun.vue

@@ -77,7 +77,6 @@
 </template>
 
 <script setup lang="ts">
-import { computed, onMounted, ref } from "vue"
 import { Icon as IconifyIcon } from "@iconify/vue"
 import { apiFetch } from "~/composables/useApiAuth"
 
@@ -108,6 +107,12 @@ type ScriptResult = {
   downloadFolders: string[]
 }
 
+type ApiErrorLike = {
+  data?: {
+    statusMessage?: string
+  }
+}
+
 const emit = defineEmits<{
   result: [payload: ScriptResult]
 }>()
@@ -116,7 +121,6 @@ const active = ref<string | null>(null)
 const loading = ref(true)
 const runningKey = ref<string | null>(null)
 const scripts = ref<BackupScript[]>([])
-const output = ref<string>("")
 const message = ref<string>("")
 const isError = ref(false)
 
@@ -125,7 +129,6 @@ const statusClass = computed(() => (isError.value ? "status-error" : "status-suc
 const loadScripts = async () => {
   loading.value = true
   message.value = ""
-  output.value = ""
   isError.value = false
   emit("result", {
     key: null,
@@ -156,7 +159,6 @@ const loadScripts = async () => {
 const runScript = async (key: string) => {
   active.value = key
   runningKey.value = key
-  output.value = ""
   message.value = ""
   isError.value = false
 
@@ -165,30 +167,25 @@ const runScript = async (key: string) => {
       method: "POST",
       body: { key }
     })
+    const resultOutput = data.output || "Aucune sortie retournee."
     message.value = `${data.label} execute avec succes`
-    output.value = data.output || "Aucune sortie retournee."
     emit("result", {
       key: data.key,
       label: data.label,
-      output: output.value,
+      output: resultOutput,
       isError: false,
       downloadFolders: data.downloadFolders || []
     })
   } catch (error: unknown) {
-    isError.value = true
+    const errorMessage =
-    const statusMessage =
       typeof error === "object" &&
       error !== null &&
       "data" in error &&
-      typeof error.data === "object" &&
+      typeof (error as ApiErrorLike).data?.statusMessage === "string"
-      error.data !== null &&
+        ? (error as ApiErrorLike).data?.statusMessage
-      "statusMessage" in error.data &&
-      typeof error.data.statusMessage === "string"
-        ? error.data.statusMessage
         : null
 
-    message.value = statusMessage || "Erreur execution script"
+    message.value = errorMessage || "Erreur execution script"
-    output.value = ""
     emit("result", {
       key,
       label: scripts.value.find((item) => item.key === key)?.label || key,

components/StatusSite.vue

@@ -24,17 +24,27 @@
       v-else
       :key="`${row.label}-${row.url}`"
       class="status-row"
-      :class="row.status === 200 ? 'row-ok' : 'row-error'"
+      :class="row.ok ? 'row-ok' : 'row-error'"
     >
+      <div class="status-copy">
         <div class="flex items-center gap-3">
-        <span class="status-dot" :class="row.status === 200 ? 'dot-ok' : 'dot-error'" />
+          <span class="status-dot" :class="row.ok ? 'dot-ok' : 'dot-error'" />
           <span class="font-display text-sm font-semibold text-m-text">
             {{ row.label }}
           </span>
         </div>
-      <span class="font-mono text-xs" :class="row.status === 200 ? 'text-m-success' : 'text-m-error'">
+        <p class="status-detail">
-        {{ statusLabel(row.status) }}
+          {{ row.detail }}
+        </p>
+      </div>
+      <div class="status-meta">
+        <span class="font-mono text-xs" :class="row.ok ? 'text-m-success' : 'text-m-error'">
+          {{ statusLabel(row) }}
         </span>
+        <span class="status-time">
+          {{ formatCheckedAt(row.checkedAt) }}
+        </span>
+      </div>
     </div>
   </div>
 </template>
@@ -51,6 +61,7 @@ interface StatusRow {
   ok: boolean
   status: number
   checkedAt: string
+  detail: string
   error?: string
 }
 
@@ -74,10 +85,24 @@ const loading = ref(true)
 const initialized = ref(false)
 let timer: ReturnType<typeof setInterval> | null = null
 
-const statusLabel = (status: number) => {
+const statusLabel = (row: StatusRow) => {
-  if (status === 200) return "HTTP 200"
+  if (row.ok) return "OK"
-  if (status === 0) return "Injoignable"
+  if (row.status === 0) return "DOWN"
-  return `KO (${status})`
+  return `KO (${row.status})`
+}
+
+const formatCheckedAt = (checkedAt: string) => {
+  const date = new Date(checkedAt)
+
+  if (Number.isNaN(date.getTime())) {
+    return checkedAt
+  }
+
+  return date.toLocaleTimeString("fr-FR", {
+    hour: "2-digit",
+    minute: "2-digit",
+    second: "2-digit"
+  })
 }
 
 const checkStatus = async () => {
@@ -95,6 +120,7 @@ const checkStatus = async () => {
         ok: false,
         status: 0,
         checkedAt: new Date().toISOString(),
+        detail: "Lecture du statut impossible",
         error: error instanceof Error ? error.message : String(error)
       }
     ]
@@ -149,6 +175,7 @@ onBeforeUnmount(() => {
   display: flex;
   align-items: center;
   justify-content: space-between;
+  gap: 1rem;
   min-height: 3.2rem;
   padding: 0.85rem 1rem;
   border-radius: 14px;
@@ -157,6 +184,30 @@ onBeforeUnmount(() => {
   transition: all 0.2s ease;
 }
 
+.status-copy {
+  min-width: 0;
+}
+
+.status-detail {
+  margin: 0.35rem 0 0;
+  color: rgb(var(--m-muted));
+  font-size: 0.78rem;
+  line-height: 1.4;
+}
+
+.status-meta {
+  display: flex;
+  flex-direction: column;
+  align-items: flex-end;
+  gap: 0.2rem;
+  flex-shrink: 0;
+}
+
+.status-time {
+  font-size: 0.72rem;
+  color: rgb(var(--m-muted));
+}
+
 .row-ok {
   border-color: rgb(var(--m-success) / 0.08);
 }

composables/useApiAuth.ts

@@ -42,7 +42,6 @@ export function useApiAuthHeader() {
 
     // Tous les appels frontend vers /api/* reutilisent ce header commun.
     return {
-        Authorization: `Bearer ${token}`
     }
 }
 

layouts/default.vue

@@ -146,7 +146,6 @@
 </template>
 
 <script setup lang="ts">
-import {ref} from "vue"
 import {Icon as IconifyIcon} from "@iconify/vue"
 import logoSrc from '~/assets/LOGO_CARRE_BLANC.png'
 

nuxt.config.ts

@@ -36,8 +36,11 @@ export default defineNuxtConfig({
   },
   runtimeConfig: {
     apiSecretKey: process.env.API_SECRET_KEY,
+    discordBotToken: process.env.DISCORD_BOT_TOKEN,
+    discordChannelId: process.env.DISCORD_CHANNEL_ID,
     public: {
-      appVersion: getRepoVersion()
+      appVersion: getRepoVersion(),
+      apiKey: process.env.API_SECRET_KEY
     }
   },
   vite: {

package-lock.json

@@ -1,10 +1,10 @@
 {
-  "name": "disk-monitor",
+  "name": "supervisor",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
-      "name": "disk-monitor",
+      "name": "supervisor",
       "hasInstallScript": true,
       "dependencies": {
         "@iconify/vue": "^5.0.0",
@@ -15,11 +15,13 @@
         "@semantic-release/changelog": "^6.0.3",
         "@semantic-release/commit-analyzer": "^13.0.1",
         "@semantic-release/git": "^10.0.1",
-        "@semantic-release/github": "^12.0.6",
         "@semantic-release/release-notes-generator": "^14.1.0",
         "@tailwindcss/vite": "^4.2.1",
         "semantic-release": "^25.0.3",
         "tailwindcss": "^4.2.1"
+      },
+      "engines": {
+        "node": ">=20"
       }
     },
     "node_modules/@actions/core": {

package.json

@@ -1,7 +1,10 @@
 {
-  "name": "disk-monitor",
+  "name": "supervisor",
   "type": "module",
   "private": true,
+  "engines": {
+    "node": ">=20"
+  },
   "scripts": {
     "build": "nuxt build",
     "dev": "nuxt dev",
@@ -20,7 +23,6 @@
     "@semantic-release/changelog": "^6.0.3",
     "@semantic-release/commit-analyzer": "^13.0.1",
     "@semantic-release/git": "^10.0.1",
-    "@semantic-release/github": "^12.0.6",
     "@semantic-release/release-notes-generator": "^14.1.0",
     "@tailwindcss/vite": "^4.2.1",
     "semantic-release": "^25.0.3",

pages/index.vue

@@ -66,7 +66,6 @@
 </template>
 
 <script setup lang="ts">
-import {computed, onMounted, ref} from "vue"
 import { apiFetch } from "~/composables/useApiAuth"
 import type { SystemMetrics } from "~/types/system";
 
@@ -334,14 +333,6 @@ onBeforeUnmount(() => {
     grid-template-columns: 1fr;
   }
 
-  .backup-selector {
-    order: 2;
-  }
-
-  .backup-list-mobile {
-    order: 3;
-  }
-
   .speedtest-card-mobile {
     order: 4;
   }

public/robots.txt

@@ -1,2 +1,2 @@
 User-Agent: *
-Disallow:
+Disallow: /

server/api/backups.get.ts

@@ -3,12 +3,10 @@ import {
   shellQuote,
   resolveFolderRemoteDir,
   REMOTE_ROOT,
+  isSafeFolder,
 } from "../utils/ssh.ts"
 
-import {process} from "std-env";
+const MAX_FILES_PER_FOLDER = Math.max(1, Number(process.env.BACKUPS_MAX_FILES) || 50)
-
-const MAX_FILES_PER_FOLDER = Number(process.env.BACKUPS_MAX_FILES)
-const isSafeFolder = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
 
 
 function isMissingPathError(error: unknown): boolean {

server/api/discord/messages.get.ts

@@ -1,6 +1,7 @@
-export default defineEventHandler(async () => {
+export default defineEventHandler(async (event) => {
-  const token = process.env.DISCORD_BOT_TOKEN
+  const config = useRuntimeConfig(event)
-  const channel = process.env.DISCORD_CHANNEL_ID
+  const token = config.discordBotToken
+  const channel = config.discordChannelId
 
   if (!token || !channel) {
     throw createError({

server/api/disk.get.ts

@@ -1,38 +1,49 @@
-import { exec } from "child_process"
+import { execFile } from "node:child_process"
 
 type DiskSource = {
-  key: string
+  key: "remote" | "local"
   label: string
+}
+
+type CommandSpec = {
   command: string
-  args?: string[]
+  args: string[]
+  cwd?: string
 }
 
 const diskSources: DiskSource[] = [
   {
     key: "remote",
-    label: "Serveur distant",
+    label: "Serveur distant"
-    command: "ssh",
-    args: []
   },
   {
     key: "local",
-    label: "Machine locale",
+    label: "Machine locale"
-    command: "bash",
-    args: []
   }
 ]
 
-function getEnvCommand(source: DiskSource) {
+function getCommand(source: DiskSource): CommandSpec {
-  const envKey = `DISK_COMMAND_${source.key.toUpperCase()}`
+  const localScriptDir = process.env.DISK_LOCAL_SCRIPT_DIR || "/home/malio/Malio-ops/CheckStorage"
-  const legacyEnvKey =
+  const remoteHost = process.env.DISK_REMOTE_HOST || "malio-b"
-    source.key === "remote" ? "DISK_REMOTE_COMMAND" : source.key === "local" ? "DISK_LOCAL_COMMAND" : ""
+  const remoteScriptDir = process.env.DISK_REMOTE_SCRIPT_DIR || "/home/malio-b/Malio-ops/CheckStorage"
 
-  return process.env[envKey] || (legacyEnvKey ? process.env[legacyEnvKey] : undefined) || null
+  if (source.key === "local") {
+    return {
+      command: "bash",
+      args: ["check-storage.sh"],
+      cwd: localScriptDir
+    }
   }
 
-function runShellCommand(command: string): Promise<string> {
+  return {
+    command: "ssh",
+    args: [remoteHost, `cd ${remoteScriptDir} && ./check-storage.sh`]
+  }
+}
+
+function runCommand({ command, args, cwd }: CommandSpec): Promise<string> {
   return new Promise((resolve, reject) => {
-    exec(command, (error, stdout, stderr) => {
+    execFile(command, args, { cwd }, (error, stdout, stderr) => {
       if (error) {
         reject(stderr || error.message)
         return
@@ -46,12 +57,7 @@ export default defineEventHandler(async () => {
   const results = await Promise.all(
     diskSources.map(async (source) => {
       try {
-        const envCommand = getEnvCommand(source)
+        const output = await runCommand(getCommand(source))
-        if (!envCommand) {
-          throw new Error(`Commande disque manquante pour ${source.key}`)
-        }
-
-        const output = await runShellCommand(envCommand)
         return {
           key: source.key,
           label: source.label,

server/api/download-latest.get.ts

@@ -3,11 +3,9 @@ import {
   shellQuote,
   resolveFolderRemoteDir,
   REMOTE_HOST,
+  isSafeFolder
 } from "../utils/ssh.ts"
-
+import { spawn } from "node:child_process"
-import {spawn} from "unenv/node/child_process";
-
-const isSafeFolder = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
 
 async function getLatestRemoteFile(remoteDir: string): Promise<string | null> {
   const output = await runSsh(`cd ${shellQuote(remoteDir)} && ls -1A | sort -r | head -n 1`)
@@ -46,6 +44,9 @@ export default defineEventHandler(async (event) => {
     }
 
     const fileName = await getLatestRemoteFile(remoteDir)
+    if (!fileName || !isSafeFolder(fileName)) {
+        continue
+    }
     if (!fileName) {
       continue
     }
@@ -94,6 +95,6 @@ export default defineEventHandler(async (event) => {
       console.error(`Erreur archive SSH (${code}): ${stderr}`)
     }
   })
-
+  event.node.res.on("close", () => child.kill())
   return sendStream(event, child.stdout)
 })

server/api/download.get.ts

@@ -3,12 +3,10 @@ import {
   shellQuote,
   resolveFolderRemoteDir,
   REMOTE_HOST,
+  isSafeFolder,
+  isSafeFile
 } from "../utils/ssh.ts"
-import {spawn} from "unenv/node/child_process";
+import { spawn } from "node:child_process"
-
-const isSafeFolder = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
-const isSafeFile = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
-
 
 function buildContentDisposition(fileName: string) {
   const asciiName = fileName.replace(/[^\x20-\x7E]/g, "_").replace(/["\\]/g, "_")
@@ -61,6 +59,6 @@ export default defineEventHandler(async (event) => {
       console.error(`Erreur téléchargement SSH (${code}): ${stderr}`)
     }
   })
-
+  event.node.res.on("close", () => child.kill())
   return sendStream(event, child.stdout)
 })

server/api/upload.post.ts

@@ -1,9 +1,10 @@
 export default defineEventHandler(async (event) => {
     const req = event.node.req
-
+    const MAX_UPLOAD_BYTES = 100 * 1024 * 1024 // 100MB
     let received = 0
 
     for await (const chunk of req) {
+        if (received > MAX_UPLOAD_BYTES) throw createError({ statusCode: 413, statusMessage: "Fichier trop volumineux" })
         received += chunk.length
     }
 

server/api/version-status.get.ts

@@ -1,33 +1,160 @@
-import targets from "../config/version-status-targets.json"
+import { readFile } from "node:fs/promises"
+import { join } from "node:path"
+
+type StatusEntry = {
+  checkedAt: string
+  status: "OK" | "DOWN"
+  host: string
+  detail: string
+}
+
+type StatusResult = {
+  label: string
+  url: string
+  ok: boolean
+  status: number
+  checkedAt: string
+  detail: string
+}
+
+const DEFAULT_RECETTE_SCRIPTS_DIR = "/home/malio/Malio-ops/RecetteScripts"
+
+function parseEnvFile(content: string) {
+  const values: Record<string, string> = {}
+
+  for (const rawLine of content.split("\n")) {
+    const line = rawLine.trim()
+
+    if (!line || line.startsWith("#")) {
+      continue
+    }
+
+    const separatorIndex = line.indexOf("=")
+    if (separatorIndex === -1) {
+      continue
+    }
+
+    const key = line.slice(0, separatorIndex).trim()
+    const value = line.slice(separatorIndex + 1).trim()
+
+    if (!key) {
+      continue
+    }
+
+    values[key] = value.replace(/^['"]|['"]$/g, "")
+  }
+
+  return values
+}
+
+function getLogFileName(date: Date) {
+  const year = date.getFullYear()
+  const month = String(date.getMonth() + 1).padStart(2, "0")
+  const day = String(date.getDate()).padStart(2, "0")
+
+  return `app_health_${year}-${month}-${day}.log`
+}
+
+function parseStatusLine(line: string): StatusEntry | null {
+  const parts = line.split(" | ")
+  if (parts.length < 4) {
+    return null
+  }
+
+  const [checkedAt, status, host, ...detailParts] = parts
+  if ((status !== "OK" && status !== "DOWN") || !host) {
+    return null
+  }
+
+  return {
+    checkedAt,
+    status,
+    host,
+    detail: detailParts.join(" | ")
+  }
+}
+
+function buildStatusResult(entry: StatusEntry): StatusResult {
+  return {
+    label: entry.host,
+    url: `http://${entry.host}/`,
+    ok: entry.status === "OK",
+    status: entry.status === "OK" ? 200 : 0,
+    checkedAt: entry.checkedAt,
+    detail: entry.detail
+  }
+}
 
 export default defineEventHandler(async () => {
-  const results = await Promise.all(
+  const recetteScriptsDir = process.env.RECETTE_SCRIPTS_DIR || DEFAULT_RECETTE_SCRIPTS_DIR
-    targets.map(async (target) => {
+  const envFilePath = join(recetteScriptsDir, ".env")
+
   try {
-        const response = await fetch(target.url, {
+    const envFileContent = await readFile(envFilePath, "utf8")
-          method: "GET",
+    const envValues = parseEnvFile(envFileContent)
-          headers: { Accept: "application/json" }
+    const logDir = envValues.APP_LOG_DIR
+
+    if (!logDir) {
+      throw createError({
+        statusCode: 500,
+        statusMessage: "Variable APP_LOG_DIR manquante"
       })
+    }
+
+    const logFilePath = join(logDir, getLogFileName(new Date()))
+    const logFileContent = await readFile(logFilePath, "utf8")
+    const latestEntriesByHost = new Map<string, StatusEntry>()
+
+    for (const line of logFileContent.split("\n")) {
+      const entry = parseStatusLine(line)
+      if (!entry) {
+        continue
+      }
+
+      latestEntriesByHost.set(entry.host, entry)
+    }
+
+    const configuredHosts = (envValues.APP_URLS || "")
+      .split(/\s+/)
+      .map((host) => host.trim())
+      .filter(Boolean)
+
+    const orderedResults = configuredHosts
+      .map((host) => latestEntriesByHost.get(host))
+      .filter((entry): entry is StatusEntry => Boolean(entry))
+      .map(buildStatusResult)
+
+    const remainingResults = Array.from(latestEntriesByHost.entries())
+      .filter(([host]) => !configuredHosts.includes(host))
+      .map(([, entry]) => buildStatusResult(entry))
+
+    const results = [...orderedResults, ...remainingResults]
+
+    if (results.length === 0) {
+      throw createError({
+        statusCode: 503,
+        statusMessage: "Aucun statut disponible"
+      })
+    }
 
     return {
-          label: target.label,
+      results
-          url: target.url,
-          ok: response.status === 200,
-          status: response.status,
-          checkedAt: new Date().toISOString()
     }
   } catch (error) {
-        return {
+    console.error("Erreur lecture status recette:", error)
-          label: target.label,
-          url: target.url,
-          ok: false,
-          status: 0,
-          checkedAt: new Date().toISOString(),
-          error: error instanceof Error ? error.message : String(error)
-        }
-      }
-    })
-  )
 
-  return { results }
+    if (
+      typeof error === "object" &&
+      error !== null &&
+      "statusCode" in error &&
+      "statusMessage" in error
+    ) {
+      throw error
+    }
+
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Erreur lors de l'opération"
+    })
+  }
 })

server/config/version-status-targets.json

@@ -1,5 +0,0 @@
-[
-  { "label": "Ferme", "url": "http://ferme.malio-dev.fr/api/version" },
-  { "label": "SIRH", "url": "http://sirh.malio-dev.fr/api/version" },
-  { "label": "Inventory", "url": "http://inventory.malio-dev.fr/api/health" }
-]

server/middleware/auth-cookie.ts

@@ -1,3 +1,9 @@
+// SECURITE:
+// Ce middleware pose automatiquement le cookie d'authentification pour tout
+// visiteur de l'interface web. Ce comportement repose sur l'hypothèse que
+// Supervisor n'est exposé qu'à un réseau de confiance ou derrière un contrôle
+// d'accès externe. Si l'application devient publiquement accessible, ce
+// mécanisme ne constitue pas une authentification utilisateur.
 export default defineEventHandler((event) => {
   const path = event.path || event.node.req.url || ""
 
@@ -16,10 +22,12 @@ export default defineEventHandler((event) => {
     return
   }
 
+  const secureCookie = process.env.AUTH_COOKIE_SECURE === "true"
+
   setCookie(event, "api_auth_token", expectedToken, {
     httpOnly: true,
     sameSite: "lax",
-    secure: process.env.NODE_ENV === "production",
+    secure: secureCookie,
     path: "/"
   })
 })

server/utils/backup-scripts.ts

@@ -25,7 +25,21 @@ export const backupScripts: BackupScript[] = [
   }
 ]
 
+const getDefaultBackupScriptCommands = (): Record<string, string> => {
+  const recetteScriptsDir = process.env.RECETTE_SCRIPTS_DIR || "/home/malio/Malio-ops/RecetteScripts"
+  const vaultwardenHost = process.env.VAULTWARDEN_SSH_HOST || "bitwarden"
+  const vaultwardenScriptsDir =
+    process.env.VAULTWARDEN_SCRIPTS_DIR || "/home/matt/vaultwarden/Malio-ops/BackupVaultWarden"
+
+  return {
+    "backup-bdd-recette": `cd ${recetteScriptsDir} && bash backup-bdd-recette.sh`,
+    "check-statut-recette": `cd ${recetteScriptsDir} && bash check-statut-recette.sh`,
+    "backup-vaultwarden":
+      `ssh ${vaultwardenHost} "cd ${vaultwardenScriptsDir} && bash backup-vaultwarden.sh"`
+  }
+}
+
 export function getBackupScriptCommand(key: string) {
   const envKey = `BACKUP_SCRIPT_COMMAND_${key.toUpperCase().replace(/-/g, "_")}`
-  return process.env[envKey] || null
+  return process.env[envKey] || getDefaultBackupScriptCommands()[key] || null
 }

server/utils/ssh.ts

@@ -1,15 +1,18 @@
 import {execFile} from "node:child_process"
-import {process} from "std-env";
 import folderMap from "#server/config/backup-folders.json";
 
 export const REMOTE_HOST = process.env.BACKUPS_REMOTE_HOST
 export const REMOTE_ROOT = process.env.BACKUPS_REMOTE_ROOT || "/home/malio-b/backups"
 export const FOLDER_MAP = folderMap as Record<string, string>
-
+export const isSafeFolder = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
+export const isSafeFile = (value: string) => /^[a-zA-Z0-9._-]+$/.test(value)
 
 export const shellQuote = (value: string) => `'${value.replace(/'/g, `'\\''`)}'`
 
 export function runSsh(command: string): Promise<string> {
+    if (!REMOTE_HOST) {
+        return Promise.reject(new Error("BACKUPS_REMOTE_HOST is not configured"))
+    }
     return new Promise((resolve, reject) => {
         execFile(
             "ssh",
@@ -42,7 +45,7 @@ export async function resolveFolderRemoteDir(folderName: string): Promise<string
         return direct
     }
 
-    const nested = `${REMOTE_ROOT}/bdd_recette/${folderName}`
+    const nested = `${REMOTE_ROOT}/bdd-recette/${folderName}`
     if (await remoteDirExists(nested)) {
         return nested
     }

solution.md

@@ -0,0 +1,235 @@
+# Correctifs finaux de deploiement Supervisor
+
+Ce document resume les correctifs finaux identifies pour faire fonctionner `Supervisor` en production sur `recette`.
+
+## 1. Lancement en production
+
+`Supervisor` n'est pas un site statique simple. Le projet contient :
+
+- des routes serveur dans `server/api/*`
+- des middlewares dans `server/middleware/*`
+- un plugin serveur dans `server/plugins/metrics-worker.ts`
+
+Il faut donc :
+
+```bash
+npm run build
+node .output/server/index.mjs
+```
+
+En production, l'application a ete lancee via `pm2`.
+
+## 2. Configuration Nginx
+
+Le projet doit etre expose en reverse proxy vers le serveur Node sur `127.0.0.1:3000`.
+
+Configuration minimale valide :
+
+```nginx
+server {
+    listen 80;
+    server_name supervisor.malio-dev.fr;
+
+    client_max_body_size 200M;
+    client_body_timeout 300s;
+    send_timeout 300s;
+
+    location / {
+        proxy_pass http://127.0.0.1:3000;
+
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+```
+
+### Pourquoi
+
+- sans reverse proxy, les endpoints `/api/*` ne fonctionnent pas
+- sans `client_max_body_size`, le speedtest d'upload retourne `413 Request Entity Too Large`
+
+Apres modification :
+
+```bash
+nginx -t
+systemctl reload nginx
+```
+
+## 3. Cookie d'authentification en HTTP
+
+Le projet etait configure pour utiliser un cookie `Secure` en production, ce qui bloquait toutes les routes `/api/*` en HTTP avec des erreurs `401`.
+
+Correctif applique dans `server/middleware/auth-cookie.ts` :
+
+- le flag `secure` du cookie depend maintenant de `AUTH_COOKIE_SECURE`
+
+Valeur a mettre en HTTP :
+
+```env
+AUTH_COOKIE_SECURE=false
+```
+
+Si un passage en HTTPS est fait plus tard :
+
+```env
+AUTH_COOKIE_SECURE=true
+```
+
+## 4. Variables d'environnement a utiliser
+
+Exemple de `.env` fonctionnel :
+
+```env
+API_SECRET_KEY=...
+DISCORD_BOT_TOKEN=...
+DISCORD_CHANNEL_ID=...
+BACKUPS_REMOTE_HOST=malio-b
+BACKUPS_REMOTE_ROOT=/home/malio-b/backups
+BACKUPS_MAX_FILES=200
+DISK_COMMAND_LOCAL="cd /home/malio/Malio-ops/CheckStorage && bash check-storage.sh"
+DISK_COMMAND_REMOTE="ssh malio-b \"cd /home/malio-b/Malio-ops/CheckStorage && bash check-storage.sh\""
+BACKUP_SCRIPT_COMMAND_BACKUP_BDD_RECETTE="cd /home/malio/Malio-ops/RecetteScripts && bash backup-bdd-recette.sh"
+BACKUP_SCRIPT_COMMAND_CHECK_STATUT_RECETTE="cd /home/malio/Malio-ops/RecetteScripts && bash check-statut-recette.sh"
+BACKUP_SCRIPT_COMMAND_BACKUP_VAULTWARDEN="ssh bitwarden \"bash -lc 'cd /home/matt/vaultwarden/Malio-ops/BackupVaultWarden && ./backup-vaultwarden.sh'\""
+BACKUPS_HOUR=19
+AUTH_COOKIE_SECURE=false
+```
+
+### Important
+
+Les commandes qui contiennent des espaces, `&&` ou des guillemets doivent etre entourees correctement dans le `.env`.
+
+Le format suivant a provoque des erreurs lors d'un `source .env` :
+
+```env
+DISK_COMMAND_LOCAL=bash -lc '...'
+```
+
+Le shell l'interpretait comme une commande, pas comme une simple valeur.
+
+## 5. PM2
+
+Les variables ajoutees dans `.env` n'etaient pas toujours reprises par le process PM2 deja lance.
+
+Sequence fiable :
+
+```bash
+cd /var/www/Supervisor
+set -a
+source .env
+set +a
+pm2 kill
+pm2 start .output/server/index.mjs --name supervisor
+pm2 save
+```
+
+Verification utile :
+
+```bash
+pm2 list
+pm2 env 0 | grep DISK_COMMAND
+```
+
+## 6. Backups recette
+
+Comme `Supervisor` tourne deja sur `ferme` / `recette`, les scripts de backup recette ne doivent pas repasser par `ssh ferme`.
+
+Correct :
+
+```env
+BACKUP_SCRIPT_COMMAND_BACKUP_BDD_RECETTE="cd /home/malio/Malio-ops/RecetteScripts && bash backup-bdd-recette.sh"
+BACKUP_SCRIPT_COMMAND_CHECK_STATUT_RECETTE="cd /home/malio/Malio-ops/RecetteScripts && bash check-statut-recette.sh"
+```
+
+La connexion SSH reste necessaire uniquement pour `vaultwarden`.
+
+## 7. SSH vers vaultwarden
+
+La commande distante utilisee est :
+
+```env
+BACKUP_SCRIPT_COMMAND_BACKUP_VAULTWARDEN="ssh bitwarden \"bash -lc 'cd /home/matt/vaultwarden/Malio-ops/BackupVaultWarden && ./backup-vaultwarden.sh'\""
+```
+
+Cela implique :
+
+- une cle SSH disponible pour l'utilisateur qui lance `Supervisor`
+- la cle publique autorisee sur `vault.lpc-liot.fr`
+- une resolution correcte de l'alias `bitwarden` ou l'utilisation directe de `matt@vault.lpc-liot.fr`
+
+Exemple de test :
+
+```bash
+ssh matt@vault.lpc-liot.fr "hostname"
+```
+
+## 8. Commandes disque
+
+Les diagrammes de stockage dependent de :
+
+- `DISK_COMMAND_LOCAL`
+- `DISK_COMMAND_REMOTE`
+
+Valeurs fonctionnelles :
+
+```env
+DISK_COMMAND_LOCAL="cd /home/malio/Malio-ops/CheckStorage && bash check-storage.sh"
+DISK_COMMAND_REMOTE="ssh malio-b \"cd /home/malio-b/Malio-ops/CheckStorage && bash check-storage.sh\""
+```
+
+Le script local avait aussi un probleme de droits d'execution. Il a fallu le rendre executable.
+
+Exemple :
+
+```bash
+chmod +x /home/malio/Malio-ops/CheckStorage/check-storage.sh
+```
+
+## 9. Commandes de verification utiles
+
+Verifier le retour de l'API disque :
+
+```bash
+curl -s http://127.0.0.1:3000/api/disk -H "Authorization: Bearer <API_SECRET_KEY>"
+```
+
+Verifier le backup status :
+
+```bash
+curl -s http://127.0.0.1:3000/api/check-backup -H "Authorization: Bearer <API_SECRET_KEY>"
+```
+
+Verifier le process PM2 :
+
+```bash
+pm2 list
+pm2 logs 0 --lines 100
+```
+
+Verifier la configuration Nginx chargee :
+
+```bash
+nginx -T
+grep -R "supervisor.malio-dev.fr" /etc/nginx
+```
+
+## 10. Cause des principaux problemes rencontres
+
+- erreurs `401` : cookie d'auth `Secure` alors que le site etait en HTTP
+- erreurs `413` : absence de `client_max_body_size` dans le vhost Nginx
+- `ssh undefined` : variable `BACKUPS_REMOTE_HOST` non prise en compte dans le process lance
+- diagrammes vides : `DISK_COMMAND_LOCAL` et `DISK_COMMAND_REMOTE` absentes ou mal chargees
+- commandes `.env` non lues correctement : quoting incorrect pour des commandes shell complexes
+- stockage local vide : script local non executable
+
+## 11. Point de securite
+
+Des secrets ont ete affiches pendant le debug :
+
+- `API_SECRET_KEY`
+- `DISCORD_BOT_TOKEN`
+
+Ils doivent etre consideres comme compromis et regeneres.