From 12d73fc26e584e5f136b93481b33d0f13a8a98db Mon Sep 17 00:00:00 2001
From: Archicratia
Date: Fri, 23 Jan 2026 13:17:22 +0100
Subject: [PATCH] docs: CI baseline + handoff + workflow snapshot
---
docs/CI-BASELINE.md | 34 ++++++++++-
docs/CI-WORKFLOW.md | 123 ++++++++++++++++++++++++++++++++++++++++
docs/HANDOFF-SESSION.md | 25 ++++++++
3 files changed, 181 insertions(+), 1 deletion(-)
create mode 100644 docs/CI-WORKFLOW.md
create mode 100644 docs/HANDOFF-SESSION.md
diff --git a/docs/CI-BASELINE.md b/docs/CI-BASELINE.md
index 9cd3f00..ae86a34 100644
--- a/docs/CI-BASELINE.md
+++ b/docs/CI-BASELINE.md
@@ -1 +1,33 @@
-CI OK: runner=host network + node 22 container + checkout event.json
+# CI-BASELINE — Gitea Actions + runner Synology (DS220+)
+
+Baseline VALIDÉE :
+- runner : container.network = host
+- job CI : container Node 22 (conforme engines)
+- checkout : sans GitHub, basé sur workflow/event.json
+- zéro apt-get dans le workflow
+- durcissement DNS Node : NODE_OPTIONS=--dns-result-order=ipv4first
+
+## Runner (DS220+) — configuration de référence
+
+Fichier : /data/config.yaml dans le conteneur runner (ex: gitea-act-runner)
+
+Section container attendue :
+
+ container:
+ network: host
+ options: >-
+ --add-host=gitea.archicratie.trans-hands.synology.me:192.168.1.20
+ -e NODE_OPTIONS=--dns-result-order=ipv4first
+
+Pourquoi : sur cette infra, le DNS du bridge Docker (127.0.0.11) a généré ESERVFAIL / EAI_AGAIN / apt qui ne résout pas.
+Le host network stabilise les résolutions (npm registry, deb.debian.org, etc.).
+
+## Smoke test NAS (doit passer)
+
+ docker run --rm --network host mcr.microsoft.com/devcontainers/javascript-node:22-bookworm bash -lc "npm ping --registry=https://registry.npmjs.org"
+
+## Symptômes -> cause -> action
+
+- EAI_AGAIN / ESERVFAIL : runner pas en host network -> remettre container.network: host + restart runner
+- EBADENGINE : mauvais Node -> container Node 22
+- MODULE_NOT_FOUND scripts/check-anchor-aliases.mjs : fichier non commité -> git add/commit/push
diff --git a/docs/CI-WORKFLOW.md b/docs/CI-WORKFLOW.md
new file mode 100644
index 0000000..924b7bb
--- /dev/null
+++ b/docs/CI-WORKFLOW.md
@@ -0,0 +1,123 @@
+# CI-WORKFLOW — snapshot de .gitea/workflows/ci.yml
+
+name: CI
+
+on:
+ push:
+ pull_request:
+ branches: ["master"]
+
+env:
+ NODE_OPTIONS: --dns-result-order=ipv4first
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ build-and-anchors:
+ runs-on: ubuntu-latest
+ container:
+ image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
+
+ steps:
+ - name: Tools sanity
+ run: |
+ set -euo pipefail
+ git --version
+ node --version
+ npm --version
+ npm ping --registry=https://registry.npmjs.org
+
+ # Checkout SANS action externe (pas de github.com)
+ - name: Checkout (from event.json, no external actions)
+ run: |
+ set -euo pipefail
+
+ EVENT_JSON="/var/run/act/workflow/event.json"
+ if [ ! -f "$EVENT_JSON" ]; then
+ echo "ERROR: missing $EVENT_JSON"
+ ls -la /var/run/act/workflow || true
+ exit 1
+ fi
+
+ # 1) Récupère l'URL du repo depuis event.json
+ REPO_URL="$(node -e '
+ const fs=require("fs");
+ const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8"));
+ let url = ev.repository?.clone_url || ev.repository?.html_url || "";
+ if (!url) process.exit(2);
+ if (!url.endsWith(".git")) url += ".git";
+ process.stdout.write(url);
+ ' "$EVENT_JSON")"
+
+ # 2) Récupère le SHA (push -> after, PR -> pull_request.head.sha)
+ SHA="$(node -e '
+ const fs=require("fs");
+ const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8"));
+ const sha =
+ ev.after ||
+ ev.pull_request?.head?.sha ||
+ ev.head_commit?.id ||
+ "";
+ process.stdout.write(sha);
+ ' "$EVENT_JSON")"
+
+ if [ -z "$SHA" ]; then
+ echo "ERROR: cannot find SHA in event.json"
+ node -e 'const ev=require(process.argv[1]); console.log(Object.keys(ev));' "$EVENT_JSON" || true
+ exit 1
+ fi
+
+ echo "Repo URL: $REPO_URL"
+ echo "SHA: $SHA"
+
+ # 3) Ajoute token si disponible (NE PAS afficher le token)
+ AUTH_URL="$REPO_URL"
+ if [ -n "${GITHUB_TOKEN:-}" ] && [[ "$REPO_URL" == https://* ]]; then
+ AUTH_URL="${REPO_URL/https:\/\//https:\/\/oauth2:${GITHUB_TOKEN}@}"
+ elif [ -n "${GITEA_TOKEN:-}" ] && [[ "$REPO_URL" == https://* ]]; then
+ AUTH_URL="${REPO_URL/https:\/\//https:\/\/oauth2:${GITEA_TOKEN}@}"
+ fi
+
+ # 4) Clone minimal + checkout exact du SHA
+ rm -rf .git || true
+ git init .
+
+ # Optionnel si ton Gitea a un TLS “non standard” (certificat) :
+ # git config --global http.sslVerify false
+
+ git remote add origin "$AUTH_URL"
+ git fetch --depth=1 origin "$SHA"
+ git checkout -q FETCH_HEAD
+
+ git log -1 --oneline
+
+ - name: Anchor aliases schema
+ run: node scripts/check-anchor-aliases.mjs
+
+ - name: NPM harden
+ run: |
+ set -euo pipefail
+ npm config set fetch-retries 5
+ npm config set fetch-retry-mintimeout 20000
+ npm config set fetch-retry-maxtimeout 120000
+ npm config set registry https://registry.npmjs.org
+ npm config get registry
+
+ - name: Install deps
+ run: npm ci
+
+ - name: Inline scripts syntax check
+ run: node scripts/check-inline-js.mjs
+
+ - name: Build
+ run: npm run build
+
+ - name: Verify anchor aliases injected
+ run: node scripts/verify-anchor-aliases-in-dist.mjs
+
+ - name: Anchors contract
+ run: npm run test:anchors
+
+
diff --git a/docs/HANDOFF-SESSION.md b/docs/HANDOFF-SESSION.md
new file mode 100644
index 0000000..766d543
--- /dev/null
+++ b/docs/HANDOFF-SESSION.md
@@ -0,0 +1,25 @@
+# HANDOFF — Bilan synthèse (passation)
+
+## Mission
+Rendre la CI Gitea Actions fiable (Synology) et sécuriser les ancrages de paragraphes :
+- mapping oldId -> newId versionné
+- injection build-time dans dist pour préserver les liens profonds
+
+## Causes racines identifiées
+1) DNS instable dans les conteneurs de job via bridge Docker (127.0.0.11) sur cette infra
+2) Checkout GitHub externe impossible/indésirable + variables GITEA_* parfois absentes
+3) engines Node imposent >=22 <23 => EBADENGINE si Node 20
+
+## Résolution validée (baseline)
+- Runner : container.network = host
+- Job : image Node 22
+- Checkout : via workflow/event.json (pas actions/checkout)
+- Workflow : pas de apt-get
+- Anchors :
+ - src/anchors/anchor-aliases.json (par route)
+ - scripts/inject-anchor-aliases.mjs injecte avant l’élément id="newId"
+ - scripts/check-anchor-aliases.mjs valide le schéma en CI
+
+## État actuel
+- CI passe (host net + Node 22 + checkout event.json + no apt)
+- Injection d’aliases vérifiée localement dans dist/…/index.html