Replaces the SSH/rsync channel between Max's workstation cron and the VPS
for fetching defenseur scan reports. The defenseur-auto orchestrator now
pulls reports/defenseur-X_<date>*.json over HTTPS, reusing HEALTH_TOKEN.
The handler mirrors the style of index.js (HTTP native, no framework),
includes the same isScanReport guard as defenseurs/src/report.ts (filters
out defenseur-auto_*.json run reports), and validates the date param
against /^\d{4}-\d{2}-\d{2}$/ to short-circuit path traversal before any
filesystem access.
Validated by test-curl.sh — 11 cases covering auth, validation, date
filter, isScanReport filter, sort order, GET-only and 404 paths.
Spike: ~/claude-code/.spikes/archived/endpoint-reports-sur-vps-health-api-pour/
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
31 lines
1.6 KiB
Markdown
# VPS Health API
Minimal health API for the VPS. ~127 lines, Node 22 + native HTTP.
## Endpoints
- `GET /health` — CPU, memory, disk, uptime, logto (`{status, responseTimeMs, error?}`)
- `GET /defenseurs` — contents of status.json (defenseur reports)
- `GET /reports/scans?date=YYYY-MM-DD` — aggregates the day's `defenseur-<agent>_<date>*.json` reports as `{ date, count, reports: Report[] }`. `isScanReport` filter (excludes the `defenseur-auto_*.json` run reports). The date is validated against a strict regex before any filesystem access, which blocks path traversal. Consumer: the `defenseur-auto` workstation cron (replaces the former SSH pre-rsync). Example: `curl -H "Authorization: Bearer $TOKEN" "https://health.lacompagniemaximus.com/reports/scans?date=2026-05-07"`.
## Auth
- Bearer token via env `HEALTH_TOKEN`
- Fail-closed: if `HEALTH_TOKEN` is not configured, every request is refused
- **Coolify**: `HEALTH_TOKEN` must be `is_runtime=true, is_buildtime=false`. Marking it buildtime leaks the secret in cleartext into `application_deployment_queues.logs`. See `la-compagnie-maximus/docs/coolify-ops.md`, section "Secrets en buildtime". After a deploy, confirm the token value does not appear in the deployment log.
## Config
- Port: `3001` (env `PORT`)
- `LOGTO_HEALTH_URL`: URL of the `.well-known/openid-configuration` document probed by `/health` (default auth.lacompagniemaximus.com)
- `REPORTS_DIR`: directory read by `/reports/scans` (default `/data/defenseurs/reports`)
- Bind mount: `/data/defenseurs/` (status.json + reports/), mounted read-only
## Deploy
Coolify rebuilds automatically on every push to Forgejo. No manual action required.
## Gotchas
- No Express — native Node.js HTTP only
- `status.json` is written by the Sergent defenseurs, not by this API (read-only here)