Add CLAUDE.md for Claude Code + GitHub Actions NonReg CI/CD workflow

2026-03-29 20:17:28 +02:00
parent 991cce6d8f
commit d3b71319d7
2 changed files with 185 additions and 44 deletions
--- a/.github/workflows/nonreg.yml
+++ b/.github/workflows/nonreg.yml
@@ -0,0 +1,52 @@
+# .github/workflows/nonreg.yml
+# WEVAL NonReg CI/CD — Runs on every push to main
+name: WEVAL NonReg
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    - cron: '0 6,18 * * *'  # 6h + 18h UTC
+  workflow_dispatch:
+
+jobs:
+  nonreg:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    
+    steps:
+      - name: Run NonReg Master v3.2
+        run: |
+          RESULT=$(curl -sk "https://weval-consulting.com/api/nonreg-api.php?cat=run" 2>/dev/null)
+          SCORE=$(echo "$RESULT" | python3 -c "import sys,json;d=json.load(sys.stdin);print(d.get('score',0))")
+          PASS=$(echo "$RESULT" | python3 -c "import sys,json;d=json.load(sys.stdin);print(d.get('pass',0))")
+          TOTAL=$(echo "$RESULT" | python3 -c "import sys,json;d=json.load(sys.stdin);print(d.get('total',0))")
+          echo "Score: ${SCORE}% — ${PASS}/${TOTAL} PASS"
+          if [ "$SCORE" -lt 95 ]; then
+            echo "::error::NonReg FAIL — Score: ${SCORE}%"
+            exit 1
+          fi
+
+      - name: Check API Health
+        run: |
+          curl -sk "https://weval-consulting.com/api/ecosystem-health.php" | python3 -c "
+          import sys,json
+          d=json.load(sys.stdin)
+          print(f'Ecosystem: {d[\"score\"]} ({d[\"percent\"]}%)')
+          for k,v in d['services'].items():
+            if v != 'ok': print(f'  WARN: {k} = {v}')
+          if d['percent'] < 80: sys.exit(1)
+          "
+
+      - name: Verify Zero Old IPs
+        run: |
+          for url in "https://weval-consulting.com" "https://weval-consulting.com/wevia"; do
+            BODY=$(curl -sk "$url")
+            for ip in "157.180.25.208" "88.198.4.195" "46.62.228.135"; do
+              if echo "$BODY" | grep -q "$ip"; then
+                echo "::error::Old IP $ip found in $url"
+                exit 1
+              fi
+            done
+          done
+          echo "Zero old IPs ✅"
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,55 +1,144 @@
-# WEVAL Consulting — Claude Code Configuration
+# CLAUDE.md — WEVAL Consulting Infrastructure
+## Pour Claude Code (claude.ai/code)

-## Project
-B2B SaaS platform: weval-consulting.com (React SPA + PHP APIs + Node backend)
+---
+
+## Projet
+WEVAL Consulting — Cabinet IA souverain + conseil (Casablanca). 4 serveurs, 38 outils, 68 APIs, 104 tests NonReg.

 ## Architecture
- **S204** (204.168.152.13): PRIMARY — Site, WEVIA chatbot, PMTA, 15 Docker containers
- **S95** (95.216.167.89): WEVADS — Arsenal (190 screens), ADX (156 screens), Ethica (20 screens), PostgreSQL
- **S151** (151.80.235.110): OVH — Tracking, consent.wevup.app

-## Stack
- Frontend: React SPA (Vite), Tailwind, i18n (FR/EN/AR/ES)
- Backend: PHP 8.5, Node.js, PostgreSQL 16, nginx, PMTA
- AI: WEVIA Engine (Ollama CPU + Groq + Cerebras + 30 providers), Qdrant, SearXNG
- DevOps: Docker, CrowdSec, Authentik SSO, Plausible, Uptime Kuma, Nuclei
- CI/CD: GitHub (PAT), CF purge after deploy
+### Serveurs
+- **S204** (204.168.152.13): nginx/PHP8.5/PG13, 16 Docker, site principal
+- **S95** (95.216.167.89): Apache/PHP8.4, WEVADS/Arsenal/iResponse, PMTA+KumoMTA, PG 12 schemas
+- **S151** (151.80.235.110): Tracking relay, OpenClaw+Ollama
+- **Blade Razer** (Windows): Sentinel Agent, desktop sync

-## Critical Rules
-1. **NEVER expose internals**: No Ollama/Groq/Cerebras/Hetzner/PMTA/PostgreSQL in public pages. Everything = "WEVIA Engine"
-2. **NEVER modify SACRED configs**: 9 Brain Engine winners, PMTA config, Arsenal auth
-3. **GOLD before modify**: `cp file file.GOLD-$(date +%Y%m%d)` mandatory before any change
-4. **2-strike rule**: If fix fails twice → STOP, step back, change approach entirely
-5. **No heredoc/sed via Sentinel**: Use Python or base64 encode/decode for remote file edits
-6. **chattr**: `/var/www/html/index.html` has immutable flag — `chattr -i` before edit, `chattr +i` after
-7. **React SPA**: `try_files $uri /index.html` in nginx. Bundle filename changes every build
-8. **CSP headers**: Adding Content-Security-Policy breaks React — never add without testing
-9. **PostgreSQL**: Ethica tables use `pays` not `country`, `specialite` not `specialty`
-10. **Chatbot preload**: REMOVED (was crashing FPM). Default provider = groq (GPU S88 dead)
-
-## Commands
+### Accès relay (depuis S204)
 ```bash
-# Deploy site
-cd /var/www/html && git add -A && git commit -m "msg" && git push github master:main --force
-# CF purge
-curl -sk -X POST "https://api.cloudflare.com/client/v4/zones/1488bbba251c6fa282999fcc09aac9fe/purge_cache" -H "X-Auth-Email: ymahboub@weval-consulting.com" -H "X-Auth-Key: 9eb8d1041e7faeae68d5017376871ba170291" -H "Content-Type: application/json" -d '{"purge_everything":true}'
-# Non-reg
-nuclei -u https://weval-consulting.com -severity critical,high -o /tmp/scan.txt
-# Chatbot test
-curl -sk -X POST https://weval-consulting.com/api/weval-ia -H "Content-Type: application/json" -d '{"message":"ping","mode":"widget"}'
+# CX relay (www-data, ~10-15s timeout)
+curl -sk -X POST https://weval-consulting.com/api/cx -d 'k=WEVADS2026&c=BASE64_CMD'
+
+# S95 via Sentinel
+curl -s http://10.1.0.3:5890/api/sentinel-brain.php?action=exec&cmd=CMD
+
+# S95 via SSH
+ssh -p 49222 root@10.1.0.3 'CMD'
 ```

-## Lint & Test
- PHP: `php -l file.php`
- Non-reg: 48 endpoints mega test
- Visual: Playwright + Chromium 18 screenshots
- Security: Nuclei v3.3.7
+### Repo Git
+- **main branch**: `/var/www/html` sur S204
+- **Remote**: GitHub (PAT valide jusqu'au 15 avril 2026)
+- **Protection**: `chattr -i index.html` avant commit, `+i` après

-## File Structure
+## Fichiers clés
+
+### WEVIA (Chatbot IA)
+- API: `/var/www/weval/wevia-ia/weval-chatbot-api.php` (~305KB, chattr +i)
+- Widget: `/var/www/html/wevia-widget.html`
+- Fullscreen: `/var/www/weval/wevia-ia/wevia.html` (149KB, chattr +i)
+- Quick prompts: `/var/www/html/assets/wevia-qp.js`
+
+### WEVADS IA
+- SPA: `/var/www/html/wevads-ia/index.html` (1515 lignes, 57 modules)
+- Login: yacineutt@gmail.com / YacineWeval2026
+
+### Manager
+- Page: `/var/www/html/ops-center.html` (82KB)
+- CDN: `/var/www/html/assets/manager-enhance.js` (10KB)
+
+### NonReg
+- Master: `/opt/weval-nonreg/nonreg-master.py` (155 lignes, 104 tests, 14 couches)
+- Report: `/var/www/html/api/nonreg-report.html`
+- JSON: `/var/www/html/api/nonreg-latest.json`
+- Baselines: `/opt/weval-nonreg/baselines/` (11 PNGs)
+- Cron: 6h + 18h
+
+### APIs (68 endpoints sur S204)
+AEGIS, SkillSmith, AIOS, OpenClaw, Prometheus, Mastra, Dify, Supermemory, EvoMaster, Activepieces, Goose, Browser Use, WhatsApp, SpamScore, Ethica, CRM, NonReg, Blade, Ecosystem Health, Tools Router, Manifest...
+
+## Règles ABSOLUES
+
+1. **Scanner avant créer** — `ls`, `wc -l`, `head` AVANT toute modification
+2. **chattr -i/+i** — nginx config protégé, toujours unlock/lock
+3. **PMTA port 25 — NEVER TOUCH**
+4. **DB S95**: host=10.1.0.3:5432, user=admin, pass=admin123, db=adx_system
+5. **Deploy via hex+zlib** — pas base64 direct pour gros fichiers
+6. **NonReg PASS obligatoire** avant toute livraison
+7. **Enrichir l'existant** — jamais créer si une page/module existe déjà
+8. **Root cause** — jamais patcher un symptôme
+9. **3 MTA coexistence**: PMTA:25, KumoMTA:587+8010, Postfix:2525/2526
+10. **Autocomplete OFF** sur tous les champs de saisie WEVIA
+
+## Tests
+
+### Lancer NonReg
+```bash
+curl -sk "https://weval-consulting.com/api/nonreg-api.php?cat=run"
 ```
-/var/www/html/          # Site (weval-consulting repo, master→main)
-/var/www/weval/         # API + WEVIA (weval-consulting repo, feature/i18n-multilang)
-/opt/wevia-brain/       # Brain engine (wevia-brain repo)
-/opt/wevads/            # WEVADS config + vault
-/opt/wevads-arsenal/    # Arsenal screens
+
+### Playwright wrapped (41 tests)
+```bash
+cd /tmp && node pw_full.js
+```
+
+### Dernier score
+```bash
+curl -sk "https://weval-consulting.com/api/nonreg-latest.json"
+```
+
+## Ce que Claude Code peut faire
+
+### 1. Maintenance du repo Git
+- Fix bugs dans les 68 APIs PHP
+- Ajouter des tests Playwright
+- Nettoyer le code (dead imports, orphan files)
+- Valider la syntaxe PHP/JS avant push
+
+### 2. NonReg CI/CD
+- Créer un GitHub Actions workflow qui run NonReg à chaque push
+- Ajouter des tests Playwright dans le CI
+- Bloquer les merges si NonReg FAIL
+
+### 3. Front-end fixes
+- WEVADS IA modules (57 → compléter les stubs)
+- Arsenal HTML cleanup
+- Manager panels enrichment
+- WEVIA widget UX improvements
+
+### 4. API development
+- Nouveaux endpoints PHP
+- OpenAPI/Swagger documentation
+- Rate limiting, input validation
+- Error handling standardization
+
+### 5. Infrastructure as Code
+- Docker compose files consolidation
+- Nginx config templating
+- Cron management centralization
+- Secrets management (migration vers vault)
+
+### 6. Code quality
+- PHPStan/Psalm static analysis
+- ESLint pour les JS
+- Playwright test coverage expansion
+- Visual regression baselines update
+
+## Commandes utiles pour Claude Code
+
+```bash
+# Vérifier l'état
+curl -sk https://weval-consulting.com/api/nonreg-latest.json | jq .score
+
+# Ecosystem health
+curl -sk https://weval-consulting.com/api/ecosystem-health.php | jq .
+
+# Git status (via relay)
+echo 'cd /var/www/html && git status --short' | base64 | xargs -I{} curl -sk -X POST https://weval-consulting.com/api/cx -d "k=WEVADS2026&c={}"
+
+# PHP syntax check
+php -l fichier.php
+
+# Playwright test
+npx playwright test --headed
 ```