From 0558cf03edbfb07aff9d66bbb7a8d41ecbcffeeb Mon Sep 17 00:00:00 2001
From: Opus Wire
Date: Wed, 22 Apr 2026 00:21:59 +0200
Subject: [PATCH] feat(option-c-rotation-infra): infrastructure rotation isolee reutilisable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
NEW: /opt/scripts/rotation-isolated/ - rotation_wrapper.py (12497 bytes) · universal provider-agnostic wrapper - README.md (2196 bytes) · architecture + usage + integration - profiles/ logs/ screenshots/ dirs ready Safety features: - Profile ISOLATION (copy to /tmp · zero source corruption) - File LOCK fcntl (prevents concurrent rotations) - GOLD backup secrets.env - Regex validation extracted key - API endpoint validation HTTP 2xx - Atomic file write - AUTOMATIC ROLLBACK on failure - Structured logging - Cleanup on success OR failure 5 providers dry-run validated with preflight OK: - groq, github, sambanova, alibaba, whatsapp - Per-provider: dashboard URL, env var, regex pattern, test endpoint Registry (633 -> 635): - rotation_wrapper_dryrun · WEVIA Master peut appeler dry-run - rotation_infra_docs · docs via chat Proactive approach: - Trigger before expiration (30 days lead time) - Or reactive on token_health_pct < 70pct - Integration future: POST orchestrator action=execute avec provider Zero regression · additif pur · no touch /opt/scripts/pw_rotate_* existing
---
 api/wevia-tool-registry.json | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/api/wevia-tool-registry.json b/api/wevia-tool-registry.json
index 746a02c5f..22e207a78 100644
--- a/api/wevia-tool-registry.json
+++ b/api/wevia-tool-registry.json
@@ -4535,6 +4535,24 @@
 "desc": "Dry-run token rotation script (5 providers skeletons)",
 "since": "opus-session-20260421-v7",
 "added_ts": "2026-04-21T23:44:42+02:00"
+ },
+ {
+ "id": "rotation_wrapper_dryrun",
+ "kw": "rotation.*wrapper|isolated.*rotation|safe.*rotation|preflight.*token",
+ "cmd": "python3 /opt/scripts/rotation-isolated/rotation_wrapper.py {MSG} 2>&1",
+ "exec": true,
+ "desc": "OPTION C · rotation wrapper dry-run · preflight checks pour tout provider",
+ "since": "opus-session-20260421-v9-option-c",
+ "added_ts": "2026-04-22T00:21:59+02:00"
+ },
+ {
+ "id": "rotation_infra_docs",
+ "kw": "rotation.*infra|rotation.*readme|option.*c.*docs",
+ "cmd": "cat /opt/scripts/rotation-isolated/README.md 2>&1 | head -60",
+ "exec": true,
+ "desc": "Documentation infrastructure rotation isolée OPTION C",
+ "since": "opus-session-20260421-v9-option-c",
+ "added_ts": "2026-04-22T00:21:59+02:00"
 }
 ],
 "opus_safe_wire": {
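Review bot: The `rotation_wrapper_dryrun` entry splices `{MSG}` unquoted into a shell string with `"exec": true`, so if the dispatcher substitutes raw chat text (the substitution code is not in this diff), shell metacharacters in a message reach the shell around a script that handles `secrets.env`. Nothing in the `cmd` itself pins dry-run mode either, so whether a real rotation runs appears to depend on what the message contains, and broad `kw` alternatives such as `safe.*rotation` widen the set of messages that land here. I would have the dispatcher reduce the message to one of the five provider names listed in the commit message and pass only that, with the dry-run switch fixed in the command: `"cmd": "python3 /opt/scripts/rotation-isolated/rotation_wrapper.py <DRY_RUN_FLAG> <VALIDATED_PROVIDER> 2>&1"` (both angle-bracket items are placeholders for whatever the wrapper and the registry actually support). Because `2>&1` hands the wrapper's full output back to the caller, also confirm that its structured logging never prints extracted key material.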