diff --git a/wiki/cyber-tips-library.md b/wiki/cyber-tips-library.md index 5bf74ff3f..87aa40e80 100644 --- a/wiki/cyber-tips-library.md +++ b/wiki/cyber-tips-library.md 
@@ -463,3 +463,75 @@ OK github_pat_valid: PASS - ✅ Reconcile multi-Claude cascade autosyncs (V113/V114/V115/V116/V119/V130/V9.66/V9.67/V9.68) --- + + +--- + +## HTMLGUARD Doctrine · 2026-04-21 12:27 + +**Doctrine** : "ZERO ecran blanc UX" — toute page admin qui utilise fetch() vers API PHP avec session auth DOIT avoir HTMLGUARD pattern pour eviter crash silencieux quand session expire. + +### Cause racine universelle + +Pattern vulnerable type : +```javascript +const A = p => fetch('/api/endpoint.php?' + p).then(r => r.json()); +// Si session expire, l API retourne LOGIN HTML (pas 401, status 200) +// r.json() throw SyntaxError silently — UI reste vide +``` + +### Pattern HTMLGUARD_V1 (standard) + +Applique a wevia-admin.php + tasks-live-opus5.html + architecture-live.html + dmaic-workbench.html : + +```javascript +window._safeJsonGuard = async function(r) { + const t = (await r.text()).trim(); + if (t.startsWith(' -1 || t.indexOf('login') > -1) && !window._sessionExpiredWarned) { + window._sessionExpiredWarned = true; + // Banner orange top fixed avec lien reconnexion + const banner = document.createElement('div'); + banner.style.cssText = 'position:fixed;top:0;...;background:#f59e0b;...'; + banner.innerHTML = 'Session expiree · Se reconnecter'; + document.body.appendChild(banner); + } + return {error: 'html_response', isHtmlError: true, status: r.status}; + } + try { return JSON.parse(t); } + catch(e) { return {error: 'json_parse: ' + e.message, raw: t.substring(0, 200)}; } +}; +``` + +### Pages patchees cette session + +| Page | Markers | Session | +|---|---|---| +| wevia-ia/wevia-admin.php | HTMLGUARD_V1_ADMIN | Cmdt 048110e2f | +| tasks-live-opus5.html | HTMLGUARD_V1_TASKS | Cmdt 1331d6006 (autosync) | +| architecture-live.html | HTMLGUARD_V1_ARCHI | Cmdt 1331d6006 | +| dmaic-workbench.html | HTMLGUARD_V1_DMAIC | Cmdt 1331d6006 | + +### Pages deja proteges + +| Page | Pattern | +|---|---| +| wevia-master.html | HTML_GUARD_V2_BATCH (3 instances) | +| 
wevia-orchestrator.html | HTML_GUARD_V2_BATCH (2 instances) | +| wevcode.html | WEVCODE_HTML_GUARD_V1 | +| ops-center.html | PARSE_HTML_GUARD_V1 (avec detection 502/503/504/404) | + +### Candidats future patch (si session issues) + +- v63-send-queue.html (200 public, pas critique) +- email-hub.html (200 public) +- namecheap-hub.html (200 public) +- blade-hub.html (200 public) +- wevads-ia/index.html (200 public) +- business-kpi-dashboard.php / products-kpi-dashboard.php (fetch count = 0, pas vulnerable) + +### Regle d or + +Tout fichier admin .php/.html qui call `/api/*.php` avec `.then(r=>r.json())` **DOIT** avoir HTMLGUARD, sinon session expire = ecran blanc = UX catastrophique. + +---
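
Review bot: the HTMLGUARD_V1 snippet under "Pattern HTMLGUARD_V1 (standard)" is not valid JavaScript as committed, so it cannot serve as the reference copy the doctrine requires. In the line `if (t.startsWith(' -1 || t.indexOf('login') > -1) && !window._sessionExpiredWarned) {` the argument of `startsWith('` is never closed and the start of the inner condition is missing. The banner string `'Session expiree · Se reconnecter'` also contains no link, although the comment above it announces one. Both look like HTML markers lost on paste; please restore the exact condition and banner markup from one of the patched pages listed in the table. Two further points for the doc: the "Cause racine" section says the API returns login HTML with status 200 on an expired session, so it is worth stating that the guard is a client-side mitigation and that returning 401 with a JSON body from `/api/*.php` would remove the need to match on 'login' per page; and the fallback `raw: t.substring(0, 200)` hands a fragment of the raw response to callers, so the doc should say that callers must check `error` / `isHtmlError` and must not render `raw` into the page.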