Nicolas Cantu
58cc2493e5
Initial state: - ia_dev was historically referenced as ./ia_dev in docs and integrations, while the vendored module lives under services/ia_dev. - AnythingLLM sync and hook installation had error masking / weak exit signaling. - Proxy layers did not validate proxy path segments, allowing path normalization tricks. Motivation: - Make the IDE-oriented workflow usable (sync -> act -> deploy/preview) with explicit errors. - Reduce security footguns in proxying and script automation. Resolution: - Standardize IA_DEV_ROOT usage and documentation to services/ia_dev. - Add SSH remote data mirroring + optional AnythingLLM ingestion. - Extend AnythingLLM pull sync to support upload-all/prefix and fail on upload errors. - Harden smart-ide-sso-gateway and smart-ide-global-api proxying with safe-path checks and non-leaking error responses. - Improve ia-dev-gateway runner validation and reduce sensitive path leakage. - Add site scaffold tool (Vite/React) with OIDC + chat via sso-gateway -> orchestrator. Root cause: - Historical layout changes (submodule -> vendored tree) and missing central contracts for path resolution. - Missing validation for proxy path traversal patterns. - Overuse of silent fallbacks (|| true, exit 0 on partial failures) in automation scripts. Impacted features: - Project sync: git pull + AnythingLLM sync + remote data mirror ingestion. - Site frontends: SSO gateway proxy and orchestrator intents (rag.query, chat.local). - Agent execution: ia-dev-gateway script runner and SSE output. Code modified: - scripts/remote-data-ssh-sync.sh - scripts/anythingllm-pull-sync/sync.mjs - scripts/install-anythingllm-post-merge-hook.sh - cron/git-pull-project-clones.sh - services/smart-ide-sso-gateway/src/server.ts - services/smart-ide-global-api/src/server.ts - services/smart-ide-orchestrator/src/server.ts - services/ia-dev-gateway/src/server.ts - services/ia_dev/tools/site-generate.sh Documentation modified: - docs/** (architecture, API docs, ia_dev module + integration, scripts) Configurations modified: - config/services.local.env.example - services/*/.env.example Files in deploy modified: - services/ia_dev/deploy/* Files in logs impacted: - logs/ia_dev.log (runtime only) - .logs/* (runtime only) Databases and other sources modified: - None Off-project modifications: - None Files in .smartIde modified: - .smartIde/agents/*.md - services/ia_dev/.smartIde/** Files in .secrets modified: - None New patch version in VERSION: - 0.0.5 CHANGELOG.md updated: - yes
1.7 KiB
Bibliothèques partagées IA_DEV_ROOT/deploy/lib/
ssh.sh
Helpers SSH/SCP canoniques (ssh_run, scp_copy, require_ssh_key, ssh_common_opts).
LeCoffre : deploy/scripts_v2/_lib/ssh.sh du projet peut sourcer IA_DEV_ROOT/deploy/lib/ssh.sh lorsque ce chemin existe depuis la racine du monorepo.
deploy-log.sh
Optionnel : deploy_script_tee_log_if_requested <project_root> <log_subdir> [deploy_env] — troisième argument test | pprod | prod pour le nom de fichier journal. Nécessite info depuis colors.sh du projet.
Politique
La logique spécifique à un projet (Prisma, noms d’unités systemd, layout distant LeCoffre) reste dans le deploy/scripts_v2/ de chaque dépôt. Ici : transport, journalisation, helpers génériques.
deploy-methodology.sh
Contrat partagé : environnements test | pprod | prod, validations. Sourcé par deploy.sh et orchestrator.sh.
Frontière : tout ce qui est strictement identique pour chaque projet vit ici ou dans un deploy/lib/deploy-*.sh pair.
deploy-conf-handling.sh
Lecture conf.json : jq, deploy.secrets_path, exports IA_DEV_DEPLOY_REPO_ROOT, IA_DEV_DEPLOY_ENV (mandatory handoff, pas de repli silencieux). Sourcé par orchestrator.sh.
Orchestration
deploy.sh:./deploy/deploy.sh <project_id> <env> [args]→exec orchestrator.shorchestrator.sh: secrets puisexecorchestrateur projet (deploy.project_orchestrator_path). Legacy :deploy.hooks.phasesoudeploy.deploy_script_path.run-project-hooks.sh: délègue àorchestrator.sh.