maximus/vps-health-api
1
0
Fork 0
Code Issues 2 Pull requests 1 Projects Releases Packages Wiki Activity Actions
vps-health-api/CLAUDE.md
le king fu 6eda076a25 feat(reports): add GET /reports/scans endpoint for defenseur-auto 
Replaces the SSH/rsync canal between Max's workstation cron and the VPS
for fetching defenseur scan reports. The defenseur-auto orchestrator now
pulls reports/defenseur-X_<date>*.json over HTTPS, reusing HEALTH_TOKEN.

The handler mirrors the style of index.js (HTTP native, no framework),
includes the same isScanReport guard as defenseurs/src/report.ts (filters
out defenseur-auto_*.json run reports), and validates the date param
against /^\d{4}-\d{2}-\d{2}$/ to short-circuit path traversal before any
filesystem access.

Validated by test-curl.sh — 11 cases covering auth, validation, date
filter, isScanReport filter, sort order, GET-only and 404 paths.

Spike: ~/claude-code/.spikes/archived/endpoint-reports-sur-vps-health-api-pour/

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 20:50:29 -04:00

1.6 KiB
Raw Blame History

VPS Health API

API sante minimaliste pour le VPS. ~127 lignes, Node 22 + HTTP natif.

Endpoints

  • GET /health — CPU, memoire, disque, uptime, logto ({status, responseTimeMs, error?})
  • GET /defenseurs — contenu de status.json (rapports defenseurs)
  • GET /reports/scans?date=YYYY-MM-DD — agrege les rapports defenseur-<agent>_<date>*.json du jour, format { date, count, reports: Report[] }. Filtre isScanReport (exclut defenseur-auto_*.json). Date validee par regex (path traversal bloque). Consommateur : defenseur-auto workstation cron (remplace le pre-rsync SSH). Exemple : curl -H "Authorization: Bearer $TOKEN" "https://health.lacompagniemaximus.com/reports/scans?date=2026-05-07".

Auth

  • Bearer token via env HEALTH_TOKEN
  • Fail-closed : si HEALTH_TOKEN non configure, toutes les requetes sont refusees
  • Coolify : HEALTH_TOKEN doit etre is_runtime=true, is_buildtime=false. Buildtime fait fuiter le secret en clair dans application_deployment_queues.logs. Voir la-compagnie-maximus/docs/coolify-ops.md section "Secrets en buildtime".

Config

  • Port : 3001 (env PORT)
  • LOGTO_HEALTH_URL : URL du .well-known/openid-configuration (default auth.lacompagniemaximus.com)
  • REPORTS_DIR : dossier lu par /reports/scans (default /data/defenseurs/reports)
  • Bind-mount : /data/defenseurs/ (status.json + reports/) read-only

Deploy

Coolify auto-rebuild depuis push Forgejo. Aucune action manuelle requise.

Gotchas

  • Pas d'Express — HTTP natif Node.js uniquement
  • Le status.json est ecrit par le Sergent defenseurs, pas par cette API (read-only)