4nk/smart_ide
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
smart_ide/services/ia_dev/tools/proxy-https-watch-lpldf.sh
Nicolas Cantu 58cc2493e5 chore: consolidate ia_dev module, sync tooling, and harden gateways (0.0.5) 
Initial state:
- ia_dev was historically referenced as ./ia_dev in docs and integrations, while the vendored module lives under services/ia_dev.
- AnythingLLM sync and hook installation had error masking / weak exit signaling.
- Proxy layers did not validate proxy path segments, allowing path normalization tricks.

Motivation:
- Make the IDE-oriented workflow usable (sync -> act -> deploy/preview) with explicit errors.
- Reduce security footguns in proxying and script automation.

Resolution:
- Standardize IA_DEV_ROOT usage and documentation to services/ia_dev.
- Add SSH remote data mirroring + optional AnythingLLM ingestion.
- Extend AnythingLLM pull sync to support upload-all/prefix and fail on upload errors.
- Harden smart-ide-sso-gateway and smart-ide-global-api proxying with safe-path checks and non-leaking error responses.
- Improve ia-dev-gateway runner validation and reduce sensitive path leakage.
- Add site scaffold tool (Vite/React) with OIDC + chat via sso-gateway -> orchestrator.

Root cause:
- Historical layout changes (submodule -> vendored tree) and missing central contracts for path resolution.
- Missing validation for proxy path traversal patterns.
- Overuse of silent fallbacks (|| true, exit 0 on partial failures) in automation scripts.

Impacted features:
- Project sync: git pull + AnythingLLM sync + remote data mirror ingestion.
- Site frontends: SSO gateway proxy and orchestrator intents (rag.query, chat.local).
- Agent execution: ia-dev-gateway script runner and SSE output.

Code modified:
- scripts/remote-data-ssh-sync.sh
- scripts/anythingllm-pull-sync/sync.mjs
- scripts/install-anythingllm-post-merge-hook.sh
- cron/git-pull-project-clones.sh
- services/smart-ide-sso-gateway/src/server.ts
- services/smart-ide-global-api/src/server.ts
- services/smart-ide-orchestrator/src/server.ts
- services/ia-dev-gateway/src/server.ts
- services/ia_dev/tools/site-generate.sh

Documentation modified:
- docs/** (architecture, API docs, ia_dev module + integration, scripts)

Configurations modified:
- config/services.local.env.example
- services/*/.env.example

Files in deploy modified:
- services/ia_dev/deploy/*

Files in logs impacted:
- logs/ia_dev.log (runtime only)
- .logs/* (runtime only)

Databases and other sources modified:
- None

Off-project modifications:
- None

Files in .smartIde modified:
- .smartIde/agents/*.md
- services/ia_dev/.smartIde/**

Files in .secrets modified:
- None

New patch version in VERSION:
- 0.0.5

CHANGELOG.md updated:
- yes
2026-04-04 18:36:43 +02:00

107 lines
3.2 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
# HTTPS availability watchdog for Les Petites Leçons de Frédéric (punycode host).
# Intended path on proxy: /opt/proxy-config/scripts/watch-https-lpldf.sh
# Optional env file (root-only recommended): /opt/proxy-config/scripts/env/watch-https-lpldf.env
# Syslog identifier: lpldf-https-watch (for SIEM / Wazuh-style log collection).
set -euo pipefail
_IA_DEV_TOOLS="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
if [[ -f "${_IA_DEV_TOOLS}/lib/smart_ide_logs.sh" ]]; then
# shellcheck source=../lib/smart_ide_logs.sh
source "${_IA_DEV_TOOLS}/lib/smart_ide_logs.sh"
smart_ide_logs_begin "$_IA_DEV_TOOLS" "$0" "$*"
smart_ide_logs_register_exit_trap
fi
readonly WATCH_URL="${WATCH_URL:-https://xn--lespetitesleonsdefrdric-89b1db.fr/}"
readonly STATE_DIR="${STATE_DIR:-/var/lib/lpldf-https-watch}"
readonly STATE_FILE="${STATE_DIR}/last_state"
readonly LAST_ALERT_FILE="${STATE_DIR}/last_alert_epoch"
readonly LOG_TAG="lpldf-https-watch"
ENV_FILE="${ENV_FILE:-/opt/proxy-config/scripts/env/watch-https-lpldf.env}"
if [[ -f "$ENV_FILE" ]]; then
set -a
# shellcheck disable=SC1090
source "$ENV_FILE"
set +a
fi
readonly ALERT_REPEAT_SECONDS="${ALERT_REPEAT_SECONDS:-3600}"
mkdir -p "$STATE_DIR"
last="OK"
if [[ -f "$STATE_FILE" ]]; then
last="$(tr -d '\n' <"$STATE_FILE" || true)"
fi
[[ -z "$last" ]] && last="OK"
http_code="000"
if ! http_code="$(curl -sS -o /dev/null -w '%{http_code}' --max-time 25 "$WATCH_URL" 2>/dev/null)"; then
http_code="000"
fi
[[ -z "$http_code" ]] && http_code="000"
is_ok="false"
if [[ "$http_code" =~ ^(200|301|302|307|308)$ ]]; then
is_ok="true"
fi
send_notifications() {
local message="$1"
logger -t "$LOG_TAG" -p daemon.warning "$message"
if [[ -n "${ALERT_WEBHOOK_URL:-}" ]]; then
curl -sS -X POST "${ALERT_WEBHOOK_URL}" \
-H "Content-Type: text/plain; charset=utf-8" \
--data-binary "$message" \
--max-time 15 || logger -t "$LOG_TAG" -p daemon.err "ALERT_WEBHOOK_URL post failed"
fi
if [[ -n "${ALERT_EMAIL_TO:-}" ]] && command -v mail >/dev/null 2>&1; then
printf '%s\n' "$message" | mail -s "LPLDF HTTPS down" "$ALERT_EMAIL_TO" || logger -t "$LOG_TAG" -p daemon.err "mail alert failed"
fi
}
notify_recovery() {
local message="$1"
logger -t "$LOG_TAG" -p daemon.info "$message"
if [[ -n "${ALERT_WEBHOOK_URL_RECOVER:-}" ]]; then
curl -sS -X POST "${ALERT_WEBHOOK_URL_RECOVER}" \
-H "Content-Type: text/plain; charset=utf-8" \
--data-binary "$message" \
--max-time 15 || true
fi
}
now_epoch="$(date +%s)"
if [[ "$is_ok" == "true" ]]; then
if [[ "$last" == "DOWN" ]]; then
notify_recovery "LPLDF HTTPS recovered: ${WATCH_URL} HTTP ${http_code}"
fi
printf '%s\n' "OK" >"$STATE_FILE"
exit 0
fi
msg="LPLDF HTTPS check FAIL: ${WATCH_URL} HTTP=${http_code}"
if [[ "$last" != "DOWN" ]]; then
printf '%s\n' "DOWN" >"$STATE_FILE"
printf '%s\n' "$now_epoch" >"$LAST_ALERT_FILE"
send_notifications "$msg"
exit 1
fi
last_alert="0"
if [[ -f "$LAST_ALERT_FILE" ]]; then
last_alert="$(tr -d '\n' <"$LAST_ALERT_FILE" || echo 0)"
fi
[[ -z "$last_alert" ]] && last_alert="0"
if [[ "$((now_epoch - last_alert))" -ge "$ALERT_REPEAT_SECONDS" ]]; then
printf '%s\n' "$now_epoch" >"$LAST_ALERT_FILE"
send_notifications "$msg (still down, repeat every ${ALERT_REPEAT_SECONDS}s)"
fi
exit 1
Reference in New Issue View Git Blame Copy Permalink