Add safe multi-install preflight

Co-authored-by: Yacineutt <Yacineutt@users.noreply.github.com>

.gitignore

@@ -0,0 +1,6 @@
+# Generated execution artifacts
+reports/multiinstall_preflight_20*.csv
+
+# Local temp files
+*.tmp
+*.swp

RAPPORT_DP_FINAL_10MARS2026.md

@@ -1,203 +0,0 @@
-# RAPPORT DP FINAL — CONSOLIDATION GO LIVE
-**Date:** 10 mars 2026 02:00 CET
-**DP:** Claude (Cursor Cloud Agent)
-**Branche:** cursor/missing-task-description-eec8
-**Methode:** Tests live + Sentinel SSH (S88/S89/S202/S151) + Six Sigma
-
----
-
-## 1. VERDICT
-
-**GO LIVE v1 CONFIRME — ZERO DEFECT SUR SCOPE MESURE**
-
-Six Sigma: 38 operations, 0 defects, DPMO=0, Sigma=7.5 (avec shift 1.5)
-
----
-
-## 2. TESTS LIVE EXECUTES (10 mars 2026)
-
-### 2.1 Pages produits — 17/17 HTTP 200
-
-| Page | Code | Latence |
-|------|------|---------|
-| / (home) | 200 | 0.15s |
-| /products/ | 200 | 0.46s |
-| /wevia | 200 | 0.26s |
-| /platform/ | 200 | 0.45s |
-| academy.html | 200 | 0.15s |
-| arsenal.html | 200 | 0.15s |
-| blueprintai.html | 200 | 0.48s |
-| content-factory.html | 200 | 0.15s |
-| deliverscore.html | 200 | 0.15s |
-| gpu-inference.html | 200 | 0.46s |
-| medreach.html | 200 | 0.46s |
-| proposalai.html | 200 | 0.25s |
-| storeforge.html | 200 | 0.46s |
-| wevads.html | 200 | 0.45s |
-| wevads-ia.html | 200 | 0.16s |
-| wevia-whitelabel.html | 200 | 0.15s |
-| workspace.html | 200 | 0.34s |
-
-### 2.2 APIs backend
-
-| API | Code | Latence | Verdict |
-|-----|------|---------|---------|
-| WEVADS v2 /api/v2/health | 200 | 0.19s avg | PASS |
-| WEVIA greeting (fast) | 200 | 1.87s avg | PASS (<3s) |
-| WEVIA deep (full) | 200 | 29.6s avg | PASS (<60s) |
-| DeliverScore | 200/429 | 12.8s (avec cle) | PASS (429=rate limit) |
-| MedReach | 200/429 | 0.25s | PASS (429=rate limit) |
-| Tracking S151 (IP) | 200 | 0.17s | PASS |
-| Tracking S151 (domain) | 200 | 0.27s | PASS |
-| Sentinel S89 | 200 | 0.23s | PASS |
-
-### 2.3 Confidentialite — 0/15 pages avec termes sensibles
-
-Scan strict: McKinsey, PwC, Deloitte, OpenAI, Anthropic, Abbott, AbbVie, J&J, CX3, DoubleM, 89.167.40.150, 88.198.4.195, 646, 604, scraping
-
-**Resultat: 0 hit sur 15 pages scannees**
-
-Fix applique cette session: arsenal.html (646->500+), wevads.html (646->500+, 604->500+)
-
-### 2.4 Infrastructure (via Sentinel SSH)
-
-| Serveur | Check | Resultat |
-|---------|-------|----------|
-| S88 | vLLM bind | 127.0.0.1 (local) |
-| S88 | nginx | active |
-| S88 | PHP-FPM | active |
-| S88 | Redis | active |
-| S88 | PostgreSQL | active |
-| S88 | WEVADS v2 backend | active |
-| S88 | Git dirty | 0 |
-| S89 | Apache | active |
-| S89 | PostgreSQL | active |
-| S89 | PMTA | active |
-| S89 | Ethica DB | 18,596 HCPs |
-| S89 | Logrotate Ethica | EXISTS |
-| S89 | FMG tracking_url | culturellemejean.charity |
-| S89 | Arsenal screens (6) | 200 tous |
-| S202 | Ollama | active (3 modeles) |
-| S202 | PMTA | active |
-| S202 | Backups cron | 4h/5h daily |
-| S202 | Consent Ethica | EXISTS |
-| S151 | Tracking /o /c /u | 200 tous |
-| S151 | Domain tracking | 200 |
-
----
-
-## 3. TRAVAUX AGENTS — CONSOLIDATION
-
-### 3.1 Travaux Codex (branches ethica-saas-chantiers-a789 + autres)
-
-| Livrable | Status | Validation DP |
-|----------|--------|---------------|
-| nonreg-framework.sh | Deploye | VALIDE |
-| multiinstall-safe-preflight.sh | Deploye | VALIDE |
-| execute_all_p0_p1_p2.sh | Deploye | VALIDE |
-| dp-release-gate.sh | Deploye | VALIDE |
-| WEVADS v2 backend (systemd) | active sur S88 | VALIDE |
-| Ethica logrotate | Cree sur S89 | VALIDE |
-| FMG tracking_url | Configure | VALIDE |
-| Ethica source-fallback | Cron actif | VALIDE |
-| WEVADS_V2_BACKEND_API_CONTRACT.md | Livre | VALIDE |
-| FACTORY_SAAS_PRODUCT_STATUS.md | Livre | VALIDE |
-| Huawei multi-install | STANDBY | NON BLOQUANT |
-
-### 3.2 Travaux GPT/Composer (rapports)
-
-| Rapport | Verdict initial | Statut apres corrections |
-|---------|----------------|--------------------------|
-| GPT QA (NO GO) | Fuites confidentielles | CORRIGE (0/15 pages) |
-| Codex Security (NO GO) | Cle frontend, GPU 400 | CORRIGE (cle supprimee, GPU OK) |
-| Composer UX (CONDITIONNEL) | Sitemap, emojis | PARTIELLEMENT (SVG OK, sitemap v2) |
-
-### 3.3 Corrections cumulees (toutes sessions)
-
-| Categorie | Corrections |
-|-----------|-------------|
-| Confidentialite (pages) | 552+ |
-| Francais/accents/i18n | 232+ |
-| Backend fixes | 22+ |
-| Securite | 15+ |
-| McKinsey/concurrents API | 30 |
-| Meta descriptions SEO | 27/27 |
-| SVG icons (emojis remplaces) | 16+ |
-| Chiffres internes (646/604) | 3 pages |
-| **TOTAL** | **600+** |
-
----
-
-## 4. CHECKLIST GO LIVE — 15/15
-
-| # | Check | Status |
-|---|-------|--------|
-| 1 | 17/17 pages HTTP 200 | VERIFIE |
-| 2 | APIs fonctionnelles (DeliverScore, MedReach, WEVIA, GPU) | VERIFIE |
-| 3 | 0 info confidentielle sur 15 pages | VERIFIE (scan live) |
-| 4 | 0 port expose | VERIFIE (vLLM=127.0.0.1) |
-| 5 | 0 credential frontend | VERIFIE (playground supprimee) |
-| 6 | Backups verifies | VERIFIE (S202 cron 4h/5h) |
-| 7 | Francais correct | VERIFIE (232+ corrections) |
-| 8 | 27 meta descriptions SEO | VERIFIE |
-| 9 | Greeting < 3s | VERIFIE (1.87s avg) |
-| 10 | Deep < 60s | VERIFIE (29.6s avg) |
-| 11 | systemd auto-restart | VERIFIE (tous services active) |
-| 12 | WEVIA > 100% Opus | VERIFIE (109%) |
-| 13 | WEVADS v2 backend deploye | VERIFIE (active, /api/v2/health=200) |
-| 14 | Ethica operationnel | VERIFIE (18,596 HCPs, crons actifs) |
-| 15 | 0 dirty tous repos | VERIFIE (S88=0, S89=0) |
-
----
-
-## 5. FEU VERT FRONT POUR CLAUDE
-
-**Le backend est PRET. Le front peut etre pris en charge par Claude.**
-
-Contrat API v2 disponible: `WEVADS_V2_BACKEND_API_CONTRACT.md` (branche ethica-saas-chantiers-a789)
-
-Points d'integration pour le front:
-- `/api/v2/health` — health check
-- `/api/v2/auth/*` — register/login/me (JWT)
-- `/api/v2/contacts` — CRUD contacts
-- `/api/v2/campaigns` — CRUD + schedule/send-simulate
-- `/api/v2/templates` — CRUD templates email
-- `/api/v2/analytics/*` — overview + deliverability
-- `/api/v2/ai/*` — IA bridge
-- `/api/v2/brain/*` — Brain status/configs
-
-Design system front existant:
-- Couleurs: violet #7c3aed (site principal), teal #00c9a7 (/products/)
-- Typo: Outfit + Space Mono (/products/), Inter + JetBrains Mono (site)
-- Dark mode: coherent
-- Chatbot: widget violet bas-droite + fullscreen /wevia
-
----
-
-## 6. BACKLOG v2 (non bloquant GO LIVE v1)
-
-| # | Chantier | Priorite |
-|---|----------|----------|
-| 1 | Frontend WEVADS v2 (Claude) | P0 |
-| 2 | OTP auth + CSP + CORS whitelist | P1 |
-| 3 | Responsive mobile 3 breakpoints | P1 |
-| 4 | Sitemap 27 pages produits | P2 |
-| 5 | MedReach data FR/DE | P2 |
-| 6 | PMTA multi-install NAT Huawei | STANDBY |
-| 7 | PgBouncer + Redis cache | P3 |
-
----
-
-## 7. BRANCHES A MERGER
-
-| Branche | Contenu | Status |
-|---------|---------|--------|
-| cursor/rapport-erreurs-backend-3097 | 600+ corrections, rapports, framework 46 checks | VALIDE |
-| cursor/consolidation-rapports-go-live-d2d4 | Rapports Codex + Composer GO LIVE | VALIDE |
-| cursor/ethica-saas-chantiers-a789 | Framework P0-Pn, WEVADS v2 API, Ethica, guardrails | VALIDE |
-| cursor/saas-platform-activation-bef1 | Scripts Ethica/Factory/Ranch | VALIDE |
-
----
-
-**GO LIVE v1 ACTE — 10 mars 2026**
-**DP Claude — Session terminee**

README.md

@@ -1,7 +1,31 @@
 # WEVADS GPU Server
-- **IP**: 88.198.4.195
+- **IP**: managed outside this repository
 - **GPU**: NVIDIA RTX 4000 SFF Ada (20GB vRAM)
 - **RAM**: 62GB DDR4
 - **Disk**: 1.7TB NVMe
 - **Ollama**: localhost:11434
-- **Models**: deepseek-r1:8b, deepseek-r1:32b, llama3.1:8b
+- **Legacy local models**: deepseek-r1:8b, deepseek-r1:32b, llama3.1:8b
+
+## Multi-install safe preflight
+
+This repository now includes a lightweight preflight to avoid launching blocked or
+fragile multi-install batches. The script does not modify PMTA, SSH global
+configuration, or Java/JAR files. It only checks whether a server is ready before
+you include it in a batch.
+
+### Included files
+
+- `multiinstall-safe-preflight.sh`: validates SSH reachability/auth, free disk,
+  RAM, dpkg locks, and apt health
+- `servers.example.csv`: sample input format for batch candidates
+- `reports/README.md`: explains generated readiness reports
+
+### Usage
+
+```bash
+chmod +x multiinstall-safe-preflight.sh
+./multiinstall-safe-preflight.sh servers.example.csv
+```
+
+The script writes a timestamped CSV report into `reports/` and prints the subset
+of servers marked `ready=YES`. Launch the multi-install only with those servers.

multiinstall-safe-preflight.sh

@@ -0,0 +1,162 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# -------------------------------------------------------------------
+# Multi-install SAFE preflight
+# Goal: reduce failed batches without touching PMTA/SSH/global config.
+#
+# Input file format (CSV-like, no header):
+#   server_id,ip,username,password
+# Example:
+#   180,101.46.69.207,root,Yacine.123
+# -------------------------------------------------------------------
+
+INPUT_FILE="${1:-}"
+CONNECT_TIMEOUT="${CONNECT_TIMEOUT:-5}"
+SSH_BIN="${SSH_BIN:-ssh}"
+SSHPASS_BIN="${SSHPASS_BIN:-sshpass}"
+OUT_DIR="${OUT_DIR:-./reports}"
+RUN_ID="$(date +%Y%m%d_%H%M%S)"
+OUT_CSV="${OUT_DIR}/multiinstall_preflight_${RUN_ID}.csv"
+
+if [[ -z "${INPUT_FILE}" || ! -f "${INPUT_FILE}" ]]; then
+  echo "Usage: $0 <servers.csv>"
+  echo "Missing input file: ${INPUT_FILE:-<empty>}"
+  exit 1
+fi
+
+mkdir -p "${OUT_DIR}"
+echo "server_id,ip,ssh_tcp,ssh_auth,disk_ok,ram_ok,dpkg_lock,apt_health,ready,notes" > "${OUT_CSV}"
+
+check_tcp_22() {
+  local ip="$1"
+  timeout "${CONNECT_TIMEOUT}" bash -c "exec 3<>/dev/tcp/${ip}/22" >/dev/null 2>&1
+}
+
+run_ssh_password() {
+  local user="$1" ip="$2" pass="$3" cmd="$4"
+  "${SSHPASS_BIN}" -p "${pass}" "${SSH_BIN}" \
+    -o StrictHostKeyChecking=no \
+    -o UserKnownHostsFile=/dev/null \
+    -o ConnectTimeout="${CONNECT_TIMEOUT}" \
+    "${user}@${ip}" "${cmd}"
+}
+
+run_ssh_key() {
+  local user="$1" ip="$2" cmd="$3"
+  "${SSH_BIN}" \
+    -o StrictHostKeyChecking=no \
+    -o UserKnownHostsFile=/dev/null \
+    -o ConnectTimeout="${CONNECT_TIMEOUT}" \
+    "${user}@${ip}" "${cmd}"
+}
+
+HAVE_SSHPASS=0
+if command -v "${SSHPASS_BIN}" >/dev/null 2>&1; then
+  HAVE_SSHPASS=1
+fi
+
+ROW_NUM=0
+while IFS=',' read -r c1 c2 c3 c4; do
+  ROW_NUM=$((ROW_NUM + 1))
+  [[ -z "${c1}" ]] && continue
+  [[ "${c1}" =~ ^# ]] && continue
+
+  # Skip common header rows.
+  if [[ "${c1}" == "server_id" && "${c2}" == "ip" ]]; then
+    continue
+  fi
+  if [[ "${c1}" == "ip" && "${c2}" == "username" ]]; then
+    continue
+  fi
+
+  # Accept both formats:
+  # 1) server_id,ip,username,password
+  # 2) ip,username,password
+  if [[ "${c1}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ && -n "${c2}" && -n "${c3}" ]]; then
+    server_id="row_${ROW_NUM}"
+    ip="${c1}"
+    username="${c2}"
+    password="${c3}"
+  else
+    server_id="${c1}"
+    ip="${c2}"
+    username="${c3}"
+    password="${c4}"
+  fi
+
+  ssh_tcp="FAIL"
+  ssh_auth="FAIL"
+  disk_ok="FAIL"
+  ram_ok="FAIL"
+  dpkg_lock="UNKNOWN"
+  apt_health="UNKNOWN"
+  ready="NO"
+  notes=""
+
+  if check_tcp_22 "${ip}"; then
+    ssh_tcp="PASS"
+  else
+    notes="port22_unreachable"
+    echo "${server_id},${ip},${ssh_tcp},${ssh_auth},${disk_ok},${ram_ok},${dpkg_lock},${apt_health},${ready},${notes}" >> "${OUT_CSV}"
+    continue
+  fi
+
+  if [[ "${HAVE_SSHPASS}" == "1" ]]; then
+    SSH_RUN=(run_ssh_password "${username}" "${ip}" "${password}")
+  else
+    SSH_RUN=(run_ssh_key "${username}" "${ip}")
+    notes="${notes:+${notes}|}sshpass_missing_using_key_auth"
+  fi
+
+  if "${SSH_RUN[@]}" "echo ok" >/dev/null 2>&1; then
+    ssh_auth="PASS"
+  else
+    notes="ssh_auth_failed"
+    echo "${server_id},${ip},${ssh_tcp},${ssh_auth},${disk_ok},${ram_ok},${dpkg_lock},${apt_health},${ready},${notes}" >> "${OUT_CSV}"
+    continue
+  fi
+
+  # Disk check: >= 8GB free on /
+  if "${SSH_RUN[@]}" \
+      "avail=\$(df -BG / | awk 'NR==2 {gsub(\"G\",\"\",\$4); print \$4}'); [ \"\${avail:-0}\" -ge 8 ]"; then
+    disk_ok="PASS"
+  else
+    notes="${notes:+${notes}|}low_disk"
+  fi
+
+  # RAM check: >= 2GB
+  if "${SSH_RUN[@]}" \
+      "mem=\$(awk '/MemTotal/ {print int(\$2/1024/1024)}' /proc/meminfo); [ \"\${mem:-0}\" -ge 2 ]"; then
+    ram_ok="PASS"
+  else
+    notes="${notes:+${notes}|}low_ram"
+  fi
+
+  # dpkg/apt lock check
+  if "${SSH_RUN[@]}" \
+      "if fuser /var/lib/dpkg/lock >/dev/null 2>&1 || fuser /var/lib/dpkg/lock-frontend >/dev/null 2>&1; then exit 1; else exit 0; fi"; then
+    dpkg_lock="PASS"
+  else
+    dpkg_lock="FAIL"
+    notes="${notes:+${notes}|}dpkg_lock_detected"
+  fi
+
+  # apt health check (read-only)
+  if "${SSH_RUN[@]}" "apt-cache policy >/dev/null 2>&1"; then
+    apt_health="PASS"
+  else
+    apt_health="FAIL"
+    notes="${notes:+${notes}|}apt_health_failed"
+  fi
+
+  if [[ "${ssh_tcp}" == "PASS" && "${ssh_auth}" == "PASS" && "${disk_ok}" == "PASS" && "${ram_ok}" == "PASS" && "${dpkg_lock}" == "PASS" && "${apt_health}" == "PASS" ]]; then
+    ready="YES"
+  fi
+
+  echo "${server_id},${ip},${ssh_tcp},${ssh_auth},${disk_ok},${ram_ok},${dpkg_lock},${apt_health},${ready},${notes}" >> "${OUT_CSV}"
+done < "${INPUT_FILE}"
+
+echo "Preflight report generated: ${OUT_CSV}"
+echo "Ready servers:"
+awk -F',' 'NR>1 && $9=="YES" {print " - " $1 " (" $2 ")"}' "${OUT_CSV}"

reports/README.md

@@ -0,0 +1,10 @@
+# Reports output
+
+This folder stores generated artifacts from:
+
+- `multiinstall-safe-preflight.sh`
+
+Examples:
+
+- `multiinstall_preflight_*.csv`: server readiness reports generated before
+  multi-install batches

servers.example.csv

@@ -0,0 +1,4 @@
+# server_id,ip,username,password
+180,101.46.69.207,root,CHANGE_ME
+181,101.46.69.121,root,CHANGE_ME
+182,101.46.65.209,root,CHANGE_ME