chore: <résumé clair de la modif>

Reviewed-on: #188

.gitea/workflows/anno-apply-pr.yml

@@ -17,13 +17,11 @@ defaults:
     shell: bash
 
 concurrency:
-  group: anno-apply-${{ github.event.issue.number || inputs.issue || 'manual' }}
+  group: anno-apply-${{ github.event.issue.number || github.event.issue.index || inputs.issue || 'manual' }}
   cancel-in-progress: true
 
 jobs:
   apply-approved:
-    # ✅ Job ne démarre QUE si state/approved (ou workflow_dispatch)
-    if: ${{ github.event_name == 'workflow_dispatch' || github.event.label.name == 'state/approved' }}
     runs-on: mac-ci
     container:
       image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
@@ -35,12 +33,11 @@ jobs:
           git --version
           node --version
           npm --version
-          curl --version | head -n 1
 
       - name: Derive context (event.json / workflow_dispatch)
         env:
           INPUT_ISSUE: ${{ inputs.issue }}
-          FORGE_API: ${{ vars.FORGE_API || vars.FORGE_BASE }}
+          FORGE_API: ${{ vars.FORGE_API || vars.FORGE_BASE || vars.FORGE_BASE_URL }}
         run: |
           set -euo pipefail
           export EVENT_JSON="/var/run/act/workflow/event.json"
@@ -84,10 +81,12 @@ jobs:
             throw new Error("No issue number in event.json or workflow_dispatch input");
           }
 
-          const labelName =
-            ev?.label?.name ||
-            ev?.label ||
-            "workflow_dispatch";
+          // label name: best-effort (non-bloquant)
+          let labelName = "workflow_dispatch";
+          const lab = ev?.label;
+          if (typeof lab === "string") labelName = lab;
+          else if (lab && typeof lab === "object" && typeof lab.name === "string") labelName = lab.name;
+          else if (ev?.label?.name) labelName = ev.label.name;
 
           const u = new URL(cloneUrl);
           const origin = u.origin;
@@ -98,7 +97,6 @@ jobs:
 
           function sh(s){ return JSON.stringify(String(s)); }
 
-          // ✅ defaults antifragiles (empêchent les steps "always" de faire n'importe quoi)
           process.stdout.write([
             `CLONE_URL=${sh(cloneUrl)}`,
             `OWNER=${sh(owner)}`,
@@ -106,39 +104,57 @@ jobs:
             `DEFAULT_BRANCH=${sh(defaultBranch)}`,
             `ISSUE_NUMBER=${sh(issueNumber)}`,
             `LABEL_NAME=${sh(labelName)}`,
-            `API_BASE=${sh(apiBase)}`,
-            `SKIP=${sh("0")}`,
-            `SKIP_REASON=${sh("")}`,
-            `APPLY_RC=${sh("999")}`,
-            `NOOP=${sh("1")}`
+            `API_BASE=${sh(apiBase)}`
           ].join("\n") + "\n");
           NODE
 
           echo "✅ context:"
-          sed -n '1,160p' /tmp/anno.env
+          sed -n '1,120p' /tmp/anno.env
 
-      - name: Fetch issue + gate on Type (skip Proposer)
+      - name: Early gate (label event fast-skip, but tolerant)
+        run: |
+          set -euo pipefail
+          source /tmp/anno.env
+
+          echo "ℹ️ event label = $LABEL_NAME"
+
+          # Fast skip on obvious non-approved label events (avoid noise),
+          # BUT do NOT skip if label payload is weird/unknown.
+          if [[ "$LABEL_NAME" != "state/approved" && "$LABEL_NAME" != "workflow_dispatch" && "$LABEL_NAME" != "" && "$LABEL_NAME" != "[object Object]" ]]; then
+            echo "ℹ️ label=$LABEL_NAME => skip early"
+            echo "SKIP=1" >> /tmp/anno.env
+            echo "SKIP_REASON=\"label_not_approved_event\"" >> /tmp/anno.env
+            exit 0
+          fi
+
+          echo "✅ continue to API gating (issue=$ISSUE_NUMBER)"
+
+      - name: Fetch issue + hard gate on labels + Type
         env:
           FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
         run: |
           set -euo pipefail
           source /tmp/anno.env
+          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
 
           test -n "${FORGE_TOKEN:-}" || { echo "❌ Missing secret FORGE_TOKEN"; exit 1; }
 
-          # ✅ on écrit le JSON dans un fichier (FINI JSON.parse('-'))
-          curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
+          curl -fsS \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Accept: application/json" \
             "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER" \
             -o /tmp/issue.json
 
-          node --input-type=module - /tmp/issue.json >> /tmp/anno.env <<'NODE'
+          node --input-type=module - <<'NODE' >> /tmp/anno.env
           import fs from "node:fs";
-          const issue = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
+
+          const issue = JSON.parse(fs.readFileSync("/tmp/issue.json","utf8"));
           const title = String(issue.title || "");
           const body = String(issue.body || "").replace(/\r\n/g, "\n");
 
+          const labels = Array.isArray(issue.labels) ? issue.labels.map(l => String(l.name || "")).filter(Boolean) : [];
+          const hasApproved = labels.includes("state/approved");
+
           function pickLine(key) {
             const re = new RegExp(`^\\s*${key}\\s*:\\s*([^\\n\\r]+)`, "mi");
             const m = body.match(re);
@@ -155,6 +171,14 @@ jobs:
           out.push(`ISSUE_TITLE=${JSON.stringify(title)}`);
           out.push(`ISSUE_TYPE=${JSON.stringify(type)}`);
 
+          // HARD gate: must currently have state/approved (avoids depending on event payload)
+          if (!hasApproved) {
+            out.push(`SKIP=1`);
+            out.push(`SKIP_REASON=${JSON.stringify("not_approved_label_present")}`);
+            process.stdout.write(out.join("\n") + "\n");
+            process.exit(0);
+          }
+
           if (!type) {
             out.push(`SKIP=1`);
             out.push(`SKIP_REASON=${JSON.stringify("missing_type")}`);
@@ -171,7 +195,7 @@ jobs:
           process.stdout.write(out.join("\n") + "\n");
           NODE
 
-          echo "✅ issue type gating:"
+          echo "✅ gating result:"
           grep -E '^(ISSUE_TYPE|SKIP|SKIP_REASON)=' /tmp/anno.env || true
 
       - name: Comment issue if skipped (Proposer / unsupported / missing Type)
@@ -184,24 +208,28 @@ jobs:
 
           [[ "${SKIP:-0}" == "1" ]] || exit 0
 
+          # IMPORTANT: do NOT comment for "not_approved_label_present" (avoid spam on other label events)
+          if [[ "${SKIP_REASON:-}" == "not_approved_label_present" || "${SKIP_REASON:-}" == "label_not_approved_event" ]]; then
+            echo "ℹ️ skip reason=${SKIP_REASON} -> no comment"
+            exit 0
+          fi
+
           test -n "${FORGE_TOKEN:-}" || exit 0
-          test -n "${API_BASE:-}" || exit 0
 
           REASON="${SKIP_REASON:-}"
           TYPE="${ISSUE_TYPE:-}"
 
           if [[ "$REASON" == proposer_type:* ]]; then
-            MSG="ℹ️ Ticket #${ISSUE_NUMBER} détecté comme **Proposer** (${TYPE}).\n\n- Ce type est **traité manuellement par les editors** (correction/fact-check + cat/*).\n- Le bot n'applique **jamais** Proposer.\n\n✅ Action : traitement éditorial manuel."
+            MSG="ℹ️ Ticket #${ISSUE_NUMBER} détecté comme **Proposer** (${TYPE}).\n\n- Ce type est **traité manuellement par les editors**.\n✅ Aucun traitement automatique."
           elif [[ "$REASON" == unsupported_type:* ]]; then
-            MSG="ℹ️ Ticket #${ISSUE_NUMBER} ignoré : Type non supporté par le bot (${TYPE}).\n\nTypes supportés : type/media, type/reference, type/comment.\n✅ Action : traitement manuel si nécessaire."
+            MSG="ℹ️ Ticket #${ISSUE_NUMBER} ignoré : Type non supporté par le bot (${TYPE}).\n\nTypes supportés : type/media, type/reference, type/comment."
           else
-            MSG="ℹ️ Ticket #${ISSUE_NUMBER} ignoré : champ 'Type:' manquant ou illisible.\n\n✅ Action : corriger le ticket (Type: type/media|type/reference|type/comment) ou traiter manuellement."
+            MSG="ℹ️ Ticket #${ISSUE_NUMBER} ignoré : champ 'Type:' manquant ou illisible.\n\nAjoute : Type: type/media|type/reference|type/comment"
           fi
 
           PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
 
-          curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
-            -X POST \
+          curl -fsS -X POST \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Content-Type: application/json" \
             "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
@@ -245,6 +273,7 @@ jobs:
           [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
 
           npm run build
+
           test -f dist/para-index.json || {
             echo "❌ missing dist/para-index.json after build"
             ls -la dist | sed -n '1,200p' || true
@@ -262,6 +291,7 @@ jobs:
           set -euo pipefail
           source /tmp/anno.env
           [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
+          test -d .git || { echo "❌ not a git repo (checkout failed)"; echo "APPLY_RC=90" >> /tmp/anno.env; exit 0; }
 
           test -n "${FORGE_TOKEN:-}" || { echo "❌ Missing secret FORGE_TOKEN"; exit 1; }
 
@@ -292,7 +322,7 @@ jobs:
           END_SHA="$(git rev-parse HEAD)"
 
           if [[ "$RC" -ne 0 ]]; then
-            echo "NOOP=1" >> /tmp/anno.env
+            echo "NOOP=0" >> /tmp/anno.env
             exit 0
           fi
 
@@ -310,13 +340,15 @@ jobs:
         run: |
           set -euo pipefail
           source /tmp/anno.env || true
-          [[ "${SKIP:-0}" != "1" ]] || exit 0
+          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
 
-          RC="${APPLY_RC:-999}"
-          [[ "$RC" != "0" ]] || { echo "ℹ️ no failure detected"; exit 0; }
+          RC="${APPLY_RC:-0}"
+          if [[ "$RC" == "0" ]]; then
+            echo "ℹ️ no failure detected"
+            exit 0
+          fi
 
           test -n "${FORGE_TOKEN:-}" || exit 0
-          test -n "${API_BASE:-}" || exit 0
 
           if [[ -f /tmp/apply.log ]]; then
             BODY="$(tail -n 160 /tmp/apply.log | sed 's/\r$//')"
@@ -327,33 +359,7 @@ jobs:
           MSG="❌ apply-annotation-ticket a échoué (rc=${RC}).\n\n\`\`\`\n${BODY}\n\`\`\`\n"
           PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
 
-          curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
-            -X POST \
-            -H "Authorization: token $FORGE_TOKEN" \
-            -H "Content-Type: application/json" \
-            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
-            --data-binary "$PAYLOAD"
-
-      - name: Comment issue if no-op (already applied)
-        if: ${{ always() }}
-        env:
-          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
-        run: |
-          set -euo pipefail
-          source /tmp/anno.env || true
-          [[ "${SKIP:-0}" != "1" ]] || exit 0
-
-          [[ "${APPLY_RC:-999}" == "0" ]] || exit 0
-          [[ "${NOOP:-1}" == "1" ]] || exit 0
-
-          test -n "${FORGE_TOKEN:-}" || exit 0
-          test -n "${API_BASE:-}" || exit 0
-
-          MSG="ℹ️ Ticket #${ISSUE_NUMBER} : rien à appliquer (déjà présent / dédupliqué)."
-          PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
-
-          curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
-            -X POST \
+          curl -fsS -X POST \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Content-Type: application/json" \
             "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
@@ -368,9 +374,9 @@ jobs:
           source /tmp/anno.env || true
           [[ "${SKIP:-0}" != "1" ]] || exit 0
 
-          [[ "${APPLY_RC:-999}" == "0" ]] || { echo "ℹ️ apply not ok -> skip push"; exit 0; }
-          [[ "${NOOP:-1}" == "0" ]] || { echo "ℹ️ no-op -> skip push"; exit 0; }
-          test -n "${BRANCH:-}" || { echo "ℹ️ no BRANCH -> skip push"; exit 0; }
+          [[ "${APPLY_RC:-0}" == "0" ]] || { echo "ℹ️ apply failed -> skip push"; exit 0; }
+          [[ "${NOOP:-0}" == "0" ]] || { echo "ℹ️ no-op -> skip push"; exit 0; }
+          test -d .git || { echo "ℹ️ no git repo -> skip push"; exit 0; }
 
           AUTH_URL="$(node --input-type=module -e '
             const [clone, tok] = process.argv.slice(1);
@@ -392,10 +398,8 @@ jobs:
           source /tmp/anno.env || true
           [[ "${SKIP:-0}" != "1" ]] || exit 0
 
-          [[ "${APPLY_RC:-999}" == "0" ]] || { echo "ℹ️ apply not ok -> skip PR"; exit 0; }
-          [[ "${NOOP:-1}" == "0" ]] || { echo "ℹ️ no-op -> skip PR"; exit 0; }
-          test -n "${BRANCH:-}" || { echo "ℹ️ no BRANCH -> skip PR"; exit 0; }
-          test -n "${END_SHA:-}" || { echo "ℹ️ no END_SHA -> skip PR"; exit 0; }
+          [[ "${APPLY_RC:-0}" == "0" ]] || { echo "ℹ️ apply failed -> skip PR"; exit 0; }
+          [[ "${NOOP:-0}" == "0" ]] || { echo "ℹ️ no-op -> skip PR"; exit 0; }
 
           PR_TITLE="anno: apply ticket #${ISSUE_NUMBER}"
           PR_BODY="PR auto depuis ticket #${ISSUE_NUMBER} (state/approved).\n\n- Branche: ${BRANCH}\n- Commit: ${END_SHA}\n\nMerge si CI OK."
@@ -405,8 +409,7 @@ jobs:
             console.log(JSON.stringify({ title, body, base, head, allow_maintainer_edit: true }));
           ' "$PR_TITLE" "$PR_BODY" "$DEFAULT_BRANCH" "${OWNER}:${BRANCH}")"
 
-          PR_JSON="$(curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
-            -X POST \
+          PR_JSON="$(curl -fsS -X POST \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Content-Type: application/json" \
             "$API_BASE/api/v1/repos/$OWNER/$REPO/pulls" \
@@ -422,13 +425,14 @@ jobs:
           MSG="✅ PR créée pour ticket #${ISSUE_NUMBER} : ${PR_URL}"
           C_PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
 
-          curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
-            -X POST \
+          curl -fsS -X POST \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Content-Type: application/json" \
             "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
             --data-binary "$C_PAYLOAD"
 
+          echo "✅ PR: $PR_URL"
+
       - name: Finalize (fail job if apply failed)
         if: ${{ always() }}
         run: |
@@ -437,7 +441,7 @@ jobs:
 
           [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
 
-          RC="${APPLY_RC:-999}"
+          RC="${APPLY_RC:-0}"
           if [[ "$RC" != "0" ]]; then
             echo "❌ apply failed (rc=$RC)"
             exit "$RC"

.gitea/workflows/anno-reject.yml

@@ -17,13 +17,11 @@ defaults:
     shell: bash
 
 concurrency:
-  group: anno-reject-${{ github.event.issue.number || inputs.issue || 'manual' }}
+  group: anno-reject-${{ github.event.issue.number || github.event.issue.index || inputs.issue || 'manual' }}
   cancel-in-progress: true
 
 jobs:
   reject:
-    # ✅ Job ne démarre QUE si state/rejected (ou workflow_dispatch)
-    if: ${{ github.event_name == 'workflow_dispatch' || github.event.label.name == 'state/rejected' }}
     runs-on: mac-ci
     container:
       image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
@@ -33,12 +31,11 @@ jobs:
         run: |
           set -euo pipefail
           node --version
-          curl --version | head -n 1
 
       - name: Derive context (event.json / workflow_dispatch)
         env:
           INPUT_ISSUE: ${{ inputs.issue }}
-          FORGE_API: ${{ vars.FORGE_API || vars.FORGE_BASE }}
+          FORGE_API: ${{ vars.FORGE_API || vars.FORGE_BASE || vars.FORGE_BASE_URL }}
         run: |
           set -euo pipefail
           export EVENT_JSON="/var/run/act/workflow/event.json"
@@ -78,14 +75,20 @@ jobs:
             throw new Error("No issue number in event.json or workflow_dispatch input");
           }
 
-          const labelName =
-            ev?.label?.name ||
-            ev?.label ||
-            "workflow_dispatch";
+          // label name: best-effort (non-bloquant)
+          let labelName = "workflow_dispatch";
+          const lab = ev?.label;
+          if (typeof lab === "string") labelName = lab;
+          else if (lab && typeof lab === "object" && typeof lab.name === "string") labelName = lab.name;
 
-          const apiBase = (process.env.FORGE_API && String(process.env.FORGE_API).trim())
-            ? String(process.env.FORGE_API).trim().replace(/\/+$/,"")
-            : (cloneUrl ? new URL(cloneUrl).origin : "");
+          let apiBase = "";
+          if (process.env.FORGE_API && String(process.env.FORGE_API).trim()) {
+            apiBase = String(process.env.FORGE_API).trim().replace(/\/+$/,"");
+          } else if (cloneUrl) {
+            apiBase = new URL(cloneUrl).origin;
+          } else {
+            apiBase = "";
+          }
 
           function sh(s){ return JSON.stringify(String(s)); }
 
@@ -101,26 +104,39 @@ jobs:
           echo "✅ context:"
           sed -n '1,120p' /tmp/reject.env
 
-      - name: Comment + close (only if not conflicting with state/approved)
+      - name: Early gate (fast-skip, tolerant)
+        run: |
+          set -euo pipefail
+          source /tmp/reject.env
+          echo "ℹ️ event label = $LABEL_NAME"
+
+          if [[ "$LABEL_NAME" != "state/rejected" && "$LABEL_NAME" != "workflow_dispatch" && "$LABEL_NAME" != "" && "$LABEL_NAME" != "[object Object]" ]]; then
+            echo "ℹ️ label=$LABEL_NAME => skip early"
+            echo "SKIP=1" >> /tmp/reject.env
+            echo "SKIP_REASON=\"label_not_rejected_event\"" >> /tmp/reject.env
+            exit 0
+          fi
+
+      - name: Comment + close (only if label state/rejected is PRESENT now, and no conflict)
         env:
           FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
         run: |
           set -euo pipefail
           source /tmp/reject.env
+          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
 
           test -n "${FORGE_TOKEN:-}" || { echo "❌ Missing secret FORGE_TOKEN"; exit 1; }
           test -n "${API_BASE:-}" || { echo "❌ Missing API_BASE"; exit 1; }
 
-          curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
+          curl -fsS \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Accept: application/json" \
             "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER" \
             -o /tmp/reject.issue.json
 
-          # conflict guard: approved + rejected => do nothing, comment warning
-          node --input-type=module - /tmp/reject.issue.json > /tmp/reject.flags <<'NODE'
+          node --input-type=module - <<'NODE' > /tmp/reject.flags
           import fs from "node:fs";
-          const issue = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
+          const issue = JSON.parse(fs.readFileSync("/tmp/reject.issue.json","utf8"));
           const labels = Array.isArray(issue.labels) ? issue.labels.map(l => String(l.name || "")).filter(Boolean) : [];
           const hasApproved = labels.includes("state/approved");
           const hasRejected = labels.includes("state/rejected");
@@ -129,11 +145,16 @@ jobs:
 
           source /tmp/reject.flags
 
+          # Do nothing unless state/rejected is truly present now (anti payload weird)
+          if [[ "${HAS_REJECTED:-0}" != "1" ]]; then
+            echo "ℹ️ state/rejected not present -> skip"
+            exit 0
+          fi
+
           if [[ "${HAS_APPROVED:-0}" == "1" && "${HAS_REJECTED:-0}" == "1" ]]; then
             MSG="⚠️ Conflit d'état sur le ticket #${ISSUE_NUMBER} : labels **state/approved** et **state/rejected** présents.\n\n➡️ Action manuelle requise : retirer l'un des deux labels avant relance."
             PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
-            curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
-              -X POST \
+            curl -fsS -X POST \
               -H "Authorization: token $FORGE_TOKEN" \
               -H "Content-Type: application/json" \
               "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
@@ -142,20 +163,16 @@ jobs:
             exit 0
           fi
 
-          # comment reject
           MSG="❌ Ticket #${ISSUE_NUMBER} refusé (label state/rejected)."
           PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
 
-          curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
-            -X POST \
+          curl -fsS -X POST \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Content-Type: application/json" \
             "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
             --data-binary "$PAYLOAD"
 
-          # close issue
-          curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
-            -X PATCH \
+          curl -fsS -X PATCH \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Content-Type: application/json" \
             "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER" \

.gitea/workflows/auto-label-issues.yml

@@ -4,22 +4,37 @@ on:
   issues:
     types: [opened, edited]
 
+concurrency:
+  group: auto-label-${{ github.event.issue.number || github.event.issue.index || 'manual' }}
+  cancel-in-progress: true
+
 jobs:
   label:
     runs-on: mac-ci
+    container:
+      image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
+
     steps:
       - name: Apply labels from Type/State/Category
         env:
-          FORGE_BASE: ${{ vars.FORGE_API || vars.FORGE_BASE }}
+          # IMPORTANT: préfère FORGE_BASE (LAN) si défini, sinon FORGE_API
+          FORGE_BASE: ${{ vars.FORGE_BASE || vars.FORGE_API || vars.FORGE_API_BASE }}
           FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
           REPO_FULL: ${{ gitea.repository }}
           EVENT_PATH: ${{ github.event_path }}
+          NODE_OPTIONS: --dns-result-order=ipv4first
         run: |
           python3 - <<'PY'
-          import json, os, re, urllib.request, urllib.error
+          import json, os, re, time, urllib.request, urllib.error, socket
+
+          forge = (os.environ.get("FORGE_BASE") or "").rstrip("/")
+          if not forge:
+              raise SystemExit("Missing FORGE_BASE/FORGE_API repo variable (e.g. http://192.168.1.20:3000)")
+
+          token = os.environ.get("FORGE_TOKEN") or ""
+          if not token:
+              raise SystemExit("Missing secret FORGE_TOKEN")
 
-          forge = os.environ["FORGE_BASE"].rstrip("/")
-          token = os.environ["FORGE_TOKEN"]
           owner, repo = os.environ["REPO_FULL"].split("/", 1)
           event_path = os.environ["EVENT_PATH"]
 
@@ -46,12 +61,9 @@ jobs:
           print("PARSED:", {"Type": t, "State": s, "Category": c})
 
           # 1) explicite depuis le body
-          if t:
-              desired.add(t)
-          if s:
-              desired.add(s)
-          if c:
-              desired.add(c)
+          if t: desired.add(t)
+          if s: desired.add(s)
+          if c: desired.add(c)
 
           # 2) fallback depuis le titre si Type absent
           if not t:
@@ -76,42 +88,56 @@ jobs:
               "Authorization": f"token {token}",
               "Accept": "application/json",
               "Content-Type": "application/json",
-              "User-Agent": "archicratie-auto-label/1.0",
+              "User-Agent": "archicratie-auto-label/1.1",
           }
 
-          def jreq(method, url, payload=None):
+          def jreq(method, url, payload=None, timeout=60, retries=4, backoff=2.0):
               data = None if payload is None else json.dumps(payload).encode("utf-8")
-              req = urllib.request.Request(url, data=data, headers=headers, method=method)
-              try:
-                  with urllib.request.urlopen(req, timeout=20) as r:
-                      b = r.read()
-                      return json.loads(b.decode("utf-8")) if b else None
-              except urllib.error.HTTPError as e:
-                  b = e.read().decode("utf-8", errors="replace")
-                  raise RuntimeError(f"HTTP {e.code} {method} {url}\n{b}") from e
+              last_err = None
+              for i in range(retries):
+                  req = urllib.request.Request(url, data=data, headers=headers, method=method)
+                  try:
+                      with urllib.request.urlopen(req, timeout=timeout) as r:
+                          b = r.read()
+                          return json.loads(b.decode("utf-8")) if b else None
+                  except urllib.error.HTTPError as e:
+                      b = e.read().decode("utf-8", errors="replace")
+                      raise RuntimeError(f"HTTP {e.code} {method} {url}\n{b}") from e
+                  except (TimeoutError, socket.timeout, urllib.error.URLError) as e:
+                      last_err = e
+                      # retry only on network/timeout
+                      time.sleep(backoff * (i + 1))
+              raise RuntimeError(f"Network/timeout after retries: {method} {url}\n{last_err}")
 
           # labels repo
-          labels = jreq("GET", f"{api}/repos/{owner}/{repo}/labels?limit=1000") or []
+          labels = jreq("GET", f"{api}/repos/{owner}/{repo}/labels?limit=1000", timeout=60) or []
           name_to_id = {x.get("name"): x.get("id") for x in labels}
 
           missing = [x for x in desired if x not in name_to_id]
           if missing:
               raise SystemExit("Missing labels in repo: " + ", ".join(sorted(missing)))
 
-          wanted_ids = [name_to_id[x] for x in desired]
+          wanted_ids = sorted({int(name_to_id[x]) for x in desired})
 
           # labels actuels de l'issue
-          current = jreq("GET", f"{api}/repos/{owner}/{repo}/issues/{number}/labels") or []
-          current_ids = {x.get("id") for x in current if x.get("id") is not None}
+          current = jreq("GET", f"{api}/repos/{owner}/{repo}/issues/{number}/labels", timeout=60) or []
+          current_ids = {int(x.get("id")) for x in current if x.get("id") is not None}
 
           final_ids = sorted(current_ids.union(wanted_ids))
 
-          # set labels = union (n'enlève rien)
+          # Replace labels = union (n'enlève rien)
           url = f"{api}/repos/{owner}/{repo}/issues/{number}/labels"
-          try:
-              jreq("PUT", url, {"labels": final_ids})
-          except Exception:
-              jreq("PUT", url, final_ids)
+
+          # IMPORTANT: on n'envoie JAMAIS une liste brute ici (ça a causé le 422)
+          jreq("PUT", url, {"labels": final_ids}, timeout=90, retries=4)
+
+          # vérif post-apply (anti "timeout mais appliqué")
+          post = jreq("GET", f"{api}/repos/{owner}/{repo}/issues/{number}/labels", timeout=60) or []
+          post_ids = {int(x.get("id")) for x in post if x.get("id") is not None}
+
+          missing_ids = [i for i in wanted_ids if i not in post_ids]
+          if missing_ids:
+              raise RuntimeError(f"Labels not applied after PUT (missing ids): {missing_ids}")
 
           print(f"OK labels #{number}: {sorted(desired)}")
           PY

.gitea/workflows/deploy-staging-live.yml

@@ -47,86 +47,152 @@ jobs:
 
           node --input-type=module <<'NODE'
           import fs from "node:fs";
+
           const ev = JSON.parse(fs.readFileSync(process.env.EVENT_JSON, "utf8"));
           const repoObj = ev?.repository || {};
+
           const cloneUrl =
             repoObj?.clone_url ||
             (repoObj?.html_url ? (repoObj.html_url.replace(/\/$/,"") + ".git") : "");
           if (!cloneUrl) throw new Error("No repository clone_url/html_url in event.json");
 
           const defaultBranch = repoObj?.default_branch || "main";
-          const sha =
+
+          // Push-range (most reliable for change detection)
+          const before = String(ev?.before || "").trim();
+          const after =
             (process.env.GITHUB_SHA && String(process.env.GITHUB_SHA).trim()) ||
-            ev?.after ||
-            ev?.sha ||
-            ev?.head_commit?.id ||
-            ev?.pull_request?.head?.sha ||
-            "";
+            String(ev?.after || ev?.sha || ev?.head_commit?.id || ev?.pull_request?.head?.sha || "").trim();
 
           const shq = (s) => "'" + String(s).replace(/'/g, "'\\''") + "'";
+
           fs.writeFileSync("/tmp/deploy.env", [
             `REPO_URL=${shq(cloneUrl)}`,
             `DEFAULT_BRANCH=${shq(defaultBranch)}`,
-            `SHA=${shq(sha)}`
+            `BEFORE=${shq(before)}`,
+            `AFTER=${shq(after)}`
           ].join("\n") + "\n");
           NODE
 
           source /tmp/deploy.env
           echo "Repo URL:       $REPO_URL"
           echo "Default branch: $DEFAULT_BRANCH"
-          echo "SHA:            ${SHA:-<empty>}"
+          echo "BEFORE:         ${BEFORE:-<empty>}"
+          echo "AFTER:          ${AFTER:-<empty>}"
 
           rm -rf .git
           git init -q
           git remote add origin "$REPO_URL"
 
-          if [[ -n "${SHA:-}" ]]; then
-            git fetch --depth 1 origin "$SHA"
+          # Checkout AFTER (or default branch if missing)
+          if [[ -n "${AFTER:-}" ]]; then
+            git fetch --depth 50 origin "$AFTER"
             git -c advice.detachedHead=false checkout -q FETCH_HEAD
           else
-            git fetch --depth 1 origin "$DEFAULT_BRANCH"
+            git fetch --depth 50 origin "$DEFAULT_BRANCH"
             git -c advice.detachedHead=false checkout -q "origin/$DEFAULT_BRANCH"
-            SHA="$(git rev-parse HEAD)"
-            echo "SHA='$SHA'" >> /tmp/deploy.env
-            echo "Resolved SHA: $SHA"
+            AFTER="$(git rev-parse HEAD)"
+            echo "AFTER='$AFTER'" >> /tmp/deploy.env
+            echo "Resolved AFTER: $AFTER"
           fi
 
           git log -1 --oneline
 
-      - name: Gate — decide HOTPATCH vs FULL rebuild
+      - name: Gate — decide SKIP vs HOTPATCH vs FULL rebuild
         env:
           INPUT_FORCE: ${{ inputs.force }}
+          EVENT_JSON: /var/run/act/workflow/event.json
         run: |
           set -euo pipefail
           source /tmp/deploy.env
 
           FORCE="${INPUT_FORCE:-0}"
 
-          # liste fichiers touchés (utile pour copier les médias)
-          CHANGED="$(git show --name-only --pretty="" "$SHA" | sed '/^$/d' || true)"
-          printf "%s\n" "$CHANGED" > /tmp/changed.txt
+          # Lire before/after du push depuis event.json (merge-proof)
+          node --input-type=module <<'NODE'
+          import fs from "node:fs";
+          const ev = JSON.parse(fs.readFileSync(process.env.EVENT_JSON, "utf8"));
+          const before = ev?.before || "";
+          const after  = ev?.after  || ev?.sha || "";
+          const shq = (s) => "'" + String(s).replace(/'/g, "'\\''") + "'";
+          fs.writeFileSync("/tmp/gate.env", [
+            `EV_BEFORE=${shq(before)}`,
+            `EV_AFTER=${shq(after)}`
+          ].join("\n") + "\n");
+          NODE
 
-          echo "== changed files =="
-          echo "$CHANGED" | sed -n '1,260p'
+          source /tmp/gate.env
 
-          if [[ "$FORCE" == "1" ]]; then
-            echo "GO=1"   >> /tmp/deploy.env
-            echo "MODE='full'" >> /tmp/deploy.env
-            echo "✅ force=1 -> MODE=full (rebuild+restart)"
-            exit 0
+          BEFORE="${EV_BEFORE:-}"
+          AFTER="${EV_AFTER:-}"
+          if [[ -z "${AFTER:-}" ]]; then
+            AFTER="${SHA:-}"
           fi
 
-          # Auto mode: uniquement annotations/media => hotpatch only
-          if echo "$CHANGED" | grep -qE '^(src/annotations/|public/media/)'; then
-            echo "GO=1" >> /tmp/deploy.env
-            echo "MODE='hotpatch'" >> /tmp/deploy.env
+          echo "Gate ctx: BEFORE=${BEFORE:-<empty>} AFTER=${AFTER:-<empty>} FORCE=${FORCE}"
+
+          # Produire une liste CHANGED fiable :
+          # - si BEFORE/AFTER valides -> git diff before..after
+          # - sinon fallback -> diff parent1..after ou show after
+          CHANGED=""
+          Z40="0000000000000000000000000000000000000000"
+
+          if [[ -n "${BEFORE:-}" && "${BEFORE}" != "${Z40}" ]] \
+             && git cat-file -e "${BEFORE}^{commit}" 2>/dev/null \
+             && git cat-file -e "${AFTER}^{commit}"  2>/dev/null; then
+            CHANGED="$(git diff --name-only "${BEFORE}" "${AFTER}" || true)"
+          else
+            P1="$(git rev-parse "${AFTER}^" 2>/dev/null || true)"
+            if [[ -n "${P1:-}" ]] && git cat-file -e "${P1}^{commit}" 2>/dev/null; then
+              CHANGED="$(git diff --name-only "${P1}" "${AFTER}" || true)"
+            else
+              CHANGED="$(git show --name-only --pretty="" "${AFTER}" | sed '/^$/d' || true)"
+            fi
+          fi
+
+          printf "%s\n" "${CHANGED}" > /tmp/changed.txt
+
+          echo "== changed files (first 200) =="
+          sed -n '1,200p' /tmp/changed.txt || true
+
+          # Flags
+          HAS_FULL=0
+          HAS_HOTPATCH=0
+
+          # FULL si build-impacting (ce que tu veux : content/anchors/pages/scripts)
+          if grep -qE '^(src/content/|src/anchors/|src/pages/|scripts/)' /tmp/changed.txt; then
+            HAS_FULL=1
+          fi
+
+          # HOTPATCH si annotations/media touchés
+          if grep -qE '^(src/annotations/|public/media/)' /tmp/changed.txt; then
+            HAS_HOTPATCH=1
+          fi
+
+          echo "Gate flags: HAS_FULL=${HAS_FULL} HAS_HOTPATCH=${HAS_HOTPATCH}"
+
+          # Décision
+          if [[ "${FORCE}" == "1" ]]; then
+            GO=1
+            MODE="full"
+            echo "✅ force=1 -> MODE=full (rebuild+restart)"
+          elif [[ "${HAS_FULL}" == "1" ]]; then
+            GO=1
+            MODE="full"
+            echo "✅ build-impacting change -> MODE=full (rebuild+restart)"
+          elif [[ "${HAS_HOTPATCH}" == "1" ]]; then
+            GO=1
+            MODE="hotpatch"
             echo "✅ annotations/media change -> MODE=hotpatch"
           else
-            echo "GO=0" >> /tmp/deploy.env
-            echo "MODE='skip'" >> /tmp/deploy.env
-            echo "ℹ️ no annotations/media change -> skip deploy"
+            GO=0
+            MODE="skip"
+            echo "ℹ️ no relevant change -> skip deploy"
           fi
 
+          echo "GO=${GO}" >> /tmp/deploy.env
+          echo "MODE='${MODE}'" >> /tmp/deploy.env
+
       - name: Toolchain sanity + resolve COMPOSE_PROJECT_NAME
         run: |
           set -euo pipefail

.gitea/workflows/proposer-apply-pr.yml

@@ -0,0 +1,395 @@
+name: Proposer Apply (PR)
+
+on:
+  issues:
+    types: [labeled]
+  workflow_dispatch:
+    inputs:
+      issue:
+        description: "Issue number to apply (Proposer: correction/fact-check)"
+        required: true
+
+env:
+  NODE_OPTIONS: --dns-result-order=ipv4first
+
+defaults:
+  run:
+    shell: bash
+
+concurrency:
+  group: proposer-apply-${{ github.event.issue.number || inputs.issue || 'manual' }}
+  cancel-in-progress: true
+
+jobs:
+  apply-proposer:
+    runs-on: mac-ci
+    container:
+      image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
+
+    steps:
+      - name: Tools sanity
+        run: |
+          set -euo pipefail
+          git --version
+          node --version
+          npm --version
+
+      - name: Derive context (event.json / workflow_dispatch)
+        env:
+          INPUT_ISSUE: ${{ inputs.issue }}
+          FORGE_API: ${{ vars.FORGE_API || vars.FORGE_BASE }}
+        run: |
+          set -euo pipefail
+          export EVENT_JSON="/var/run/act/workflow/event.json"
+          test -f "$EVENT_JSON" || { echo "❌ Missing $EVENT_JSON"; exit 1; }
+
+          node --input-type=module - <<'NODE' > /tmp/proposer.env
+          import fs from "node:fs";
+
+          const ev = JSON.parse(fs.readFileSync(process.env.EVENT_JSON, "utf8"));
+          const repoObj = ev?.repository || {};
+
+          const cloneUrl =
+            repoObj?.clone_url ||
+            (repoObj?.html_url ? (repoObj.html_url.replace(/\/$/,"") + ".git") : "");
+
+          if (!cloneUrl) throw new Error("No repository clone_url/html_url in event.json");
+
+          let owner =
+            repoObj?.owner?.login ||
+            repoObj?.owner?.username ||
+            (repoObj?.full_name ? repoObj.full_name.split("/")[0] : "");
+
+          let repo =
+            repoObj?.name ||
+            (repoObj?.full_name ? repoObj.full_name.split("/")[1] : "");
+
+          if (!owner || !repo) {
+            const m = cloneUrl.match(/[:/](?<o>[^/]+)\/(?<r>[^/]+?)(?:\.git)?$/);
+            if (m?.groups) { owner = owner || m.groups.o; repo = repo || m.groups.r; }
+          }
+          if (!owner || !repo) throw new Error("Cannot infer owner/repo");
+
+          const defaultBranch = repoObj?.default_branch || "main";
+
+          const issueNumber =
+            ev?.issue?.number ||
+            ev?.issue?.index ||
+            (process.env.INPUT_ISSUE ? Number(process.env.INPUT_ISSUE) : 0);
+
+          if (!issueNumber || !Number.isFinite(Number(issueNumber))) {
+            throw new Error("No issue number in event.json or workflow_dispatch input");
+          }
+
+          const labelName =
+            ev?.label?.name ||
+            ev?.label ||
+            "workflow_dispatch";
+
+          const u = new URL(cloneUrl);
+          const origin = u.origin;
+
+          const apiBase = (process.env.FORGE_API && String(process.env.FORGE_API).trim())
+            ? String(process.env.FORGE_API).trim().replace(/\/+$/,"")
+            : origin;
+
+          function sh(s){ return JSON.stringify(String(s)); }
+          process.stdout.write([
+            `CLONE_URL=${sh(cloneUrl)}`,
+            `OWNER=${sh(owner)}`,
+            `REPO=${sh(repo)}`,
+            `DEFAULT_BRANCH=${sh(defaultBranch)}`,
+            `ISSUE_NUMBER=${sh(issueNumber)}`,
+            `LABEL_NAME=${sh(labelName)}`,
+            `API_BASE=${sh(apiBase)}`
+          ].join("\n") + "\n");
+          NODE
+
+          echo "✅ context:"
+          sed -n '1,120p' /tmp/proposer.env
+
+      - name: Gate on label state/approved
+        run: |
+          set -euo pipefail
+          source /tmp/proposer.env
+
+          if [[ "$LABEL_NAME" != "state/approved" && "$LABEL_NAME" != "workflow_dispatch" ]]; then
+            echo "ℹ️ label=$LABEL_NAME => skip"
+            echo "SKIP=1" >> /tmp/proposer.env
+            exit 0
+          fi
+          echo "✅ proceed (issue=$ISSUE_NUMBER)"
+
+      - name: Fetch issue + API-hard gate on (state/approved present + proposer type)
+        env:
+          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
+        run: |
+          set -euo pipefail
+          source /tmp/proposer.env
+          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
+
+          test -n "${FORGE_TOKEN:-}" || { echo "❌ Missing secret FORGE_TOKEN"; exit 1; }
+
+          curl -fsS \
+            -H "Authorization: token $FORGE_TOKEN" \
+            -H "Accept: application/json" \
+            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER" \
+            -o /tmp/issue.json
+
+          node --input-type=module - <<'NODE' >> /tmp/proposer.env
+          import fs from "node:fs";
+          const issue = JSON.parse(fs.readFileSync("/tmp/issue.json","utf8"));
+          const title = String(issue.title || "");
+          const body = String(issue.body || "").replace(/\r\n/g, "\n");
+          const labels = Array.isArray(issue.labels) ? issue.labels.map(l => String(l.name||"")).filter(Boolean) : [];
+
+          function pickLine(key) {
+            const re = new RegExp(`^\\s*${key}\\s*:\\s*([^\\n\\r]+)`, "mi");
+            const m = body.match(re);
+            return m ? m[1].trim() : "";
+          }
+
+          const typeRaw = pickLine("Type");
+          const type = String(typeRaw || "").trim().toLowerCase();
+
+          const hasApproved = labels.includes("state/approved");
+          const proposer = new Set(["type/correction","type/fact-check"]);
+
+          const out = [];
+          out.push(`ISSUE_TITLE=${JSON.stringify(title)}`);
+          out.push(`ISSUE_TYPE=${JSON.stringify(type)}`);
+          out.push(`HAS_APPROVED=${hasApproved ? "1":"0"}`);
+
+          if (!hasApproved) {
+            out.push(`SKIP=1`);
+            out.push(`SKIP_REASON=${JSON.stringify("approved_not_present")}`);
+          } else if (!type) {
+            out.push(`SKIP=1`);
+            out.push(`SKIP_REASON=${JSON.stringify("missing_type")}`);
+          } else if (!proposer.has(type)) {
+            out.push(`SKIP=1`);
+            out.push(`SKIP_REASON=${JSON.stringify("not_proposer:"+type)}`);
+          }
+          process.stdout.write(out.join("\n") + "\n");
+          NODE
+
+          echo "✅ proposer gating:"
+          grep -E '^(ISSUE_TYPE|HAS_APPROVED|SKIP|SKIP_REASON)=' /tmp/proposer.env || true
+
+      - name: Comment issue if skipped
+        if: ${{ always() }}
+        env:
+          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
+        run: |
+          set -euo pipefail
+          source /tmp/proposer.env || true
+
+          [[ "${SKIP:-0}" == "1" ]] || exit 0
+          [[ "$LABEL_NAME" == "state/approved" || "$LABEL_NAME" == "workflow_dispatch" ]] || exit 0
+
+          REASON="${SKIP_REASON:-}"
+          TYPE="${ISSUE_TYPE:-}"
+
+          if [[ "$REASON" == "approved_not_present" ]]; then
+            MSG="ℹ️ Proposer Apply: skip — le label **state/approved** n'est pas présent sur le ticket au moment du run (gate API-hard)."
+          elif [[ "$REASON" == "missing_type" ]]; then
+            MSG="ℹ️ Proposer Apply: skip — champ **Type:** manquant/illisible. Attendu: type/correction ou type/fact-check."
+          else
+            MSG="ℹ️ Proposer Apply: skip — Type non-Proposer (${TYPE}). (Ce workflow ne traite que correction/fact-check.)"
+          fi
+
+          PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
+          curl -fsS -X POST \
+            -H "Authorization: token $FORGE_TOKEN" \
+            -H "Content-Type: application/json" \
+            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
+            --data-binary "$PAYLOAD" || true
+
+      - name: Checkout default branch
+        run: |
+          set -euo pipefail
+          source /tmp/proposer.env
+          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
+
+          rm -rf .git
+          git init -q
+          git remote add origin "$CLONE_URL"
+          git fetch --depth 1 origin "$DEFAULT_BRANCH"
+          git -c advice.detachedHead=false checkout -q FETCH_HEAD
+          git log -1 --oneline
+          echo "✅ workspace:"
+          ls -la | sed -n '1,120p'
+
+      - name: Detect app dir (repo-root vs ./site)
+        run: |
+          set -euo pipefail
+          source /tmp/proposer.env
+          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
+
+          APP_DIR="."
+          if [[ -d "site" && -f "site/package.json" ]]; then
+            APP_DIR="site"
+          fi
+
+          echo "APP_DIR=$APP_DIR" >> /tmp/proposer.env
+          echo "✅ APP_DIR=$APP_DIR"
+          ls -la "$APP_DIR" | sed -n '1,120p'
+          test -f "$APP_DIR/package.json" || { echo "❌ package.json missing in APP_DIR=$APP_DIR"; exit 1; }
+          test -d "$APP_DIR/scripts" || { echo "❌ scripts/ missing in APP_DIR=$APP_DIR"; exit 1; }
+
+      - name: NPM harden (reduce flakiness)
+        run: |
+          set -euo pipefail
+          source /tmp/proposer.env
+          [[ "${SKIP:-0}" != "1" ]] || exit 0
+          cd "$APP_DIR"
+          npm config set fetch-retries 5
+          npm config set fetch-retry-mintimeout 20000
+          npm config set fetch-retry-maxtimeout 120000
+          npm config set registry https://registry.npmjs.org
+
+      - name: Install deps (APP_DIR)
+        run: |
+          set -euo pipefail
+          source /tmp/proposer.env
+          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
+          cd "$APP_DIR"
+          npm ci --no-audit --no-fund
+
+      - name: Build dist baseline (APP_DIR)
+        run: |
+          set -euo pipefail
+          source /tmp/proposer.env
+          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
+          cd "$APP_DIR"
+          npm run build
+
+      - name: Apply ticket (alias + commit) on bot branch
+        continue-on-error: true
+        env:
+          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
+          BOT_GIT_NAME: ${{ secrets.BOT_GIT_NAME }}
+          BOT_GIT_EMAIL: ${{ secrets.BOT_GIT_EMAIL }}
+          FORGE_API: ${{ vars.FORGE_API || vars.FORGE_BASE }}
+        run: |
+          set -euo pipefail
+          source /tmp/proposer.env
+          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
+
+          git config user.name  "${BOT_GIT_NAME:-archicratie-bot}"
+          git config user.email "${BOT_GIT_EMAIL:-bot@archicratie.local}"
+
+          START_SHA="$(git rev-parse HEAD)"
+          TS="$(date -u +%Y%m%d-%H%M%S)"
+          BR="bot/proposer-${ISSUE_NUMBER}-${TS}"
+          echo "BRANCH=$BR" >> /tmp/proposer.env
+          git checkout -b "$BR"
+
+          export GITEA_OWNER="$OWNER"
+          export GITEA_REPO="$REPO"
+          export FORGE_BASE="$API_BASE"
+
+          LOG="/tmp/proposer-apply.log"
+          set +e
+          (cd "$APP_DIR" && node scripts/apply-ticket.mjs "$ISSUE_NUMBER" --alias --commit) >"$LOG" 2>&1
+          RC=$?
+          set -e
+
+          echo "APPLY_RC=$RC" >> /tmp/proposer.env
+
+          echo "== apply log (tail) =="
+          tail -n 200 "$LOG" || true
+
+          END_SHA="$(git rev-parse HEAD)"
+          if [[ "$RC" -ne 0 ]]; then
+            echo "NOOP=0" >> /tmp/proposer.env
+            exit 0
+          fi
+
+          if [[ "$START_SHA" == "$END_SHA" ]]; then
+            echo "NOOP=1" >> /tmp/proposer.env
+          else
+            echo "NOOP=0" >> /tmp/proposer.env
+            echo "END_SHA=$END_SHA" >> /tmp/proposer.env
+          fi
+
+      - name: Push bot branch
+        if: ${{ always() }}
+        env:
+          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
+        run: |
+          set -euo pipefail
+          source /tmp/proposer.env || true
+          [[ "${SKIP:-0}" != "1" ]] || exit 0
+
+          [[ "${APPLY_RC:-0}" == "0" ]] || { echo "ℹ️ apply failed -> skip push"; exit 0; }
+          [[ "${NOOP:-0}" == "0" ]] || { echo "ℹ️ no-op -> skip push"; exit 0; }
+          [[ -n "${BRANCH:-}" ]] || { echo "ℹ️ BRANCH unset -> skip push"; exit 0; }
+
+          AUTH_URL="$(node --input-type=module -e '
+            const [clone, tok] = process.argv.slice(1);
+            const u = new URL(clone);
+            u.username = "oauth2";
+            u.password = tok;
+            console.log(u.toString());
+          ' "$CLONE_URL" "$FORGE_TOKEN")"
+
+          git remote set-url origin "$AUTH_URL"
+          git push -u origin "$BRANCH"
+
+      - name: Create PR + comment issue
+        if: ${{ always() }}
+        env:
+          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
+        run: |
+          set -euo pipefail
+          source /tmp/proposer.env || true
+          [[ "${SKIP:-0}" != "1" ]] || exit 0
+
+          [[ "${APPLY_RC:-0}" == "0" ]] || exit 0
+          [[ "${NOOP:-0}" == "0" ]] || exit 0
+          [[ -n "${BRANCH:-}" ]] || { echo "ℹ️ BRANCH unset -> skip PR"; exit 0; }
+
+          PR_TITLE="proposer: apply ticket #${ISSUE_NUMBER}"
+          PR_BODY="PR auto depuis ticket #${ISSUE_NUMBER} (state/approved).\n\n- Branche: ${BRANCH}\n- Commit: ${END_SHA:-unknown}\n\nMerge si CI OK."
+
+          PR_PAYLOAD="$(node --input-type=module -e '
+            const [title, body, base, head] = process.argv.slice(1);
+            console.log(JSON.stringify({ title, body, base, head, allow_maintainer_edit: true }));
+          ' "$PR_TITLE" "$PR_BODY" "$DEFAULT_BRANCH" "${OWNER}:${BRANCH}")"
+
+          PR_JSON="$(curl -fsS -X POST \
+            -H "Authorization: token $FORGE_TOKEN" \
+            -H "Content-Type: application/json" \
+            "$API_BASE/api/v1/repos/$OWNER/$REPO/pulls" \
+            --data-binary "$PR_PAYLOAD")"
+
+          PR_URL="$(node --input-type=module -e '
+            const pr = JSON.parse(process.argv[1] || "{}");
+            console.log(pr.html_url || pr.url || "");
+          ' "$PR_JSON")"
+
+          test -n "$PR_URL" || { echo "❌ PR URL missing. Raw: $PR_JSON"; exit 1; }
+
+          MSG="✅ PR Proposer créée pour ticket #${ISSUE_NUMBER} : ${PR_URL}"
+          C_PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
+
+          curl -fsS -X POST \
+            -H "Authorization: token $FORGE_TOKEN" \
+            -H "Content-Type: application/json" \
+            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
+            --data-binary "$C_PAYLOAD"
+
+      - name: Finalize (fail job if apply failed)
+        if: ${{ always() }}
+        run: |
+          set -euo pipefail
+          source /tmp/proposer.env || true
+          [[ "${SKIP:-0}" != "1" ]] || exit 0
+
+          RC="${APPLY_RC:-0}"
+          if [[ "$RC" != "0" ]]; then
+            echo "❌ apply failed (rc=$RC)"
+            exit "$RC"
+          fi
+          echo "✅ apply ok"

docs/OPS-DEPLOYMENT.md

@@ -25,6 +25,19 @@ Objectif : déployer une nouvelle version du site sur le NAS (DS220+) sans jamai
 
 ➡️ Déploiement = `docs/DEPLOY_PROD_SYNOLOGY_DS220.md` (procédure détaillée, à jour).
 
+## Mise à jour (2026-03-03) — Gate CI de déploiement (SKIP / HOTPATCH / FULL) + preuves A/B
+
+La procédure de déploiement “vivante” est désormais pilotée par **Gitea Actions** via le workflow :
+- `.gitea/workflows/deploy-staging-live.yml`
+
+Ce workflow décide automatiquement :
+- **FULL** (rebuild + restart blue + green) dès qu’un changement impacte le build (ex: `src/content/`, `src/pages/`, `scripts/`, `src/anchors/`, etc.)
+- **HOTPATCH** (patch JSON + copie media) quand le changement ne concerne que `src/annotations/` et/ou `public/media/`
+- **SKIP** sinon
+
+Les preuves et la procédure de test reproductible A/B sont documentées dans :
+➡️ `docs/runbooks/DEPLOY-BLUE-GREEN.md` → section “CI Deploy gate (merge-proof) + Tests A/B + preuve alias injection”.
+
 ## Schéma (résumé, sans commandes)
 
 - Ne jamais toucher au slot live.

docs/OPS_COCKPIT.md

@@ -202,4 +202,33 @@ docker compose logs --tail=200 web_blue
 docker compose logs --tail=200 web_green
 
 # Si tu veux suivre en live :
-docker compose logs -f web_green
+docker compose logs -f web_green
+
+
+## Historique synthétique (2026-03-03) — Stabilisation CI/CD “zéro surprise”
+
+### Problème initial observé
+- Déploiement parfois lancé en “hotpatch” alors qu’un rebuild était nécessaire.
+- Sur merge commits, la détection de fichiers modifiés pouvait être ambiguë.
+- Résultat : besoin de `force=1` manuel pour éviter des incohérences.
+
+### Correctif appliqué
+- Gate CI rendu **merge-proof** :
+  - lecture de `BEFORE` et `AFTER` depuis `event.json`
+  - calcul des fichiers modifiés via `git diff --name-only BEFORE AFTER`
+
+- Politique de décision stabilisée :
+  - FULL auto dès qu’un changement impacte build/runtime (content/pages/scripts/anchors/etc.)
+  - HOTPATCH auto uniquement pour annotations/media
+
+### Preuves
+- Test A (touch src/content) :
+  - Gate flags: HAS_FULL=1 HAS_HOTPATCH=0 → MODE=full
+- Test B (touch src/annotations) :
+  - Gate flags: HAS_FULL=0 HAS_HOTPATCH=1 → MODE=hotpatch
+
+### Audit post-déploiement (preuves côté NAS)
+- 8081 + 8082 répondent HTTP 200
+- `/para-index.json` + `/annotations-index.json` OK
+- Aliases injectés visibles dans HTML via `.para-alias` quand alias présent
+

docs/runbooks/DEPLOY-BLUE-GREEN.md

@@ -199,4 +199,125 @@ Ne jamais modifier dist/ “à la main” sur NAS.
 
 Si un hotfix prod est indispensable : documenter et backporter via PR Gitea.
 
-Le canonical dépend du build : PUBLIC_SITE doit être injecté (voir runbook ENV-PUBLIC_SITE).
+Le canonical dépend du build : PUBLIC_SITE doit être injecté (voir runbook ENV-PUBLIC_SITE).
+
+## 10) CI Deploy (Gitea Actions) — Gate SKIP / HOTPATCH / FULL (merge-proof) + preuves
+
+Cette section documente le comportement **canonique** du workflow :
+- `.gitea/workflows/deploy-staging-live.yml`
+
+Objectif : **zéro surprise**.
+On ne veut plus “penser à force=1”.
+Le gate doit décider automatiquement, y compris sur des **merge commits**.
+
+### 10.1 — Principe (ce que fait réellement le gate)
+
+Le job `deploy` calcule les fichiers modifiés entre :
+- `BEFORE` = commit précédent (avant le push sur main)
+- `AFTER`  = commit actuel (après le push / merge sur main)
+
+Puis il classe le déploiement dans un mode :
+
+- **MODE=full**
+  - rebuild image + restart `archicratie-web-blue` (8081) + `archicratie-web-green` (8082)
+  - warmup endpoints (para-index, annotations-index, pagefind.js)
+  - vérification canonical staging + live
+
+- **MODE=hotpatch**
+  - rebuild d’un `annotations-index.json` consolidé depuis `src/annotations/**`
+  - patch direct dans les conteneurs en cours d’exécution (blue+green)
+  - copie des médias modifiés `public/media/**` vers `/usr/share/nginx/html/media/**`
+  - smoke sur `/annotations-index.json` des deux ports
+
+- **MODE=skip**
+  - pas de déploiement (on évite le bruit)
+
+⚠️ Important : le mode “hotpatch” **ne rebuild pas** Astro.
+Donc toute modification de contenu, routes, scripts, anchors, etc. doit déclencher **full**.
+
+### 10.2 — Matrice de décision (règles officielles)
+
+Le gate définit deux flags :
+- `HAS_FULL=1` si changement “build-impacting”
+- `HAS_HOTPATCH=1` si changement “annotations/media only”
+
+Règle de priorité :
+1) Si `HAS_FULL=1` → **MODE=full**
+2) Sinon si `HAS_HOTPATCH=1` → **MODE=hotpatch**
+3) Sinon → **MODE=skip**
+
+#### 10.2.1 — Changements qui déclenchent FULL (build-impacting)
+
+Exemples typiques (non exhaustif, mais on couvre le cœur) :
+- `src/content/**` (contenu MD/MDX)
+- `src/pages/**` (routes Astro)
+- `src/anchors/**` (aliases d’ancres)
+- `scripts/**` (tooling postbuild : injection, index, tests)
+- `src/layouts/**`, `src/components/**`, `src/styles/**` (rendu et scripts inline)
+- `astro.config.mjs`, `package.json`, `package-lock.json`
+- `Dockerfile`, `docker-compose.yml`, `nginx.conf`
+- `.gitea/workflows/**` (changement infra CI/CD)
+
+=> On veut **full** pour garantir cohérence et éviter “site partiellement mis à jour”.
+
+#### 10.2.2 — Changements qui déclenchent HOTPATCH (sans rebuild)
+
+Uniquement :
+- `src/annotations/**` (shards YAML)
+- `public/media/**` (assets média)
+
+=> On veut hotpatch pour vitesse et éviter rebuild NAS.
+
+### 10.3 — “Merge-proof” : pourquoi on ne lit PAS seulement `git show $SHA`
+
+Sur un merge commit, `git show --name-only $SHA` peut être trompeur selon le contexte.
+La méthode robuste est :
+- utiliser `event.json` (Gitea Actions) pour récupérer `before` et `after`
+- calculer `git diff --name-only BEFORE AFTER`
+
+C’est ce qui rend le gate **merge-proof**.
+
+### 10.4 — Tests de preuve A/B (reproductibles)
+
+Ces tests valident le gate sans ambiguïté.
+But : vérifier que le mode choisi est EXACTEMENT celui attendu.
+
+#### Test A — toucher `src/content/...` (FULL auto)
+
+1) Créer une branche test
+2) Modifier 1 fichier dans `src/content/` (ex : ajouter une ligne de commentaire non destructive)
+3) PR → merge dans `main`
+4) Vérifier dans `deploy-staging-live.yml` :
+
+Attendus :
+- `Gate flags: HAS_FULL=1 HAS_HOTPATCH=0`
+- `✅ build-impacting change -> MODE=full (rebuild+restart)`
+- Les étapes FULL (blue puis green) s’exécutent réellement
+
+#### Test B — toucher `src/annotations/...` uniquement (HOTPATCH auto)
+
+1) Créer une branche test
+2) Modifier 1 fichier sous `src/annotations/**` (ex: un champ comment, ts, etc.)
+3) PR → merge dans `main`
+4) Vérifier dans `deploy-staging-live.yml` :
+
+Attendus :
+- `Gate flags: HAS_FULL=0 HAS_HOTPATCH=1`
+- `✅ annotations/media change -> MODE=hotpatch`
+- Les étapes FULL sont “skip” (durée 0s)
+- L’étape HOTPATCH s’exécute réellement
+
+### 10.5 — Preuve opérationnelle côté NAS (2 URLs + 2 commandes)
+
+But : prouver que staging+live servent bien les endpoints essentiels (et que le déploiement n’a pas “fait semblant”).
+
+#### 10.5.1 — Deux URLs à vérifier (staging et live)
+
+- Staging (blue) : `http://127.0.0.1:8081/`
+- Live (green)  : `http://127.0.0.1:8082/`
+
+#### 10.5.2 — Deux commandes minimales (zéro débat)
+
+```bash
+curl -fsSI http://127.0.0.1:8081/ | head -n 1
+curl -fsSI http://127.0.0.1:8082/ | head -n 1

scripts/import-docx.mjs

@@ -114,7 +114,6 @@ async function runMammoth(docxPath, assetsOutDirWebRoot) {
   );
 
   let html = result.value || "";
-
   // Mammoth gives relative src="image-xx.png" ; we will prefix later
   return html;
 }
@@ -182,6 +181,25 @@ async function exists(p) {
   try { await fs.access(p); return true; } catch { return false; }
 }
 
+/**
+ * ✅ compat:
+ * - ancien : collection="archicratie" + slug="archicrat-ia/chapitre-3"
+ * - nouveau : collection="archicrat-ia" + slug="chapitre-3"
+ *
+ * But : toujours écrire dans src/content/archicrat-ia/<slugSansPrefix>.mdx
+ */
+function normalizeDest(collection, slug) {
+  let outCollection = String(collection || "").trim();
+  let outSlug = String(slug || "").trim().replace(/^\/+|\/+$/g, "");
+
+  if (outCollection === "archicratie" && outSlug.startsWith("archicrat-ia/")) {
+    outCollection = "archicrat-ia";
+    outSlug = outSlug.replace(/^archicrat-ia\//, "");
+  }
+
+  return { outCollection, outSlug };
+}
+
 async function main() {
   const args = parseArgs(process.argv);
   const manifestPath = path.resolve(args.manifest);
@@ -203,11 +221,14 @@ async function main() {
 
   for (const it of selected) {
     const docxPath = path.resolve(it.source);
-    const outFile = path.resolve("src/content", it.collection, `${it.slug}.mdx`);
+
+    const { outCollection, outSlug } = normalizeDest(it.collection, it.slug);
+
+    const outFile = path.resolve("src/content", outCollection, `${outSlug}.mdx`);
     const outDir = path.dirname(outFile);
 
-    const assetsPublicDir = path.posix.join("/imported", it.collection, it.slug);
-    const assetsDiskDir = path.resolve("public", "imported", it.collection, it.slug);
+    const assetsPublicDir = path.posix.join("/imported", outCollection, outSlug);
+    const assetsDiskDir = path.resolve("public", "imported", outCollection, outSlug);
 
     if (!(await exists(docxPath))) {
       throw new Error(`Missing source docx: ${docxPath}`);
@@ -241,18 +262,20 @@ async function main() {
       html = rewriteLocalImageLinks(html, assetsPublicDir);
       body = html.trim() ? html : "<p>(Import vide)</p>";
     }
-  
+
     const defaultVersion = process.env.PUBLIC_RELEASE || "0.1.0";
 
+    // ✅ IMPORTANT: archicrat-ia partage edition/status avec archicratie (pas de migration frontmatter)
     const schemaDefaultsByCollection = {
-      archicratie: { edition: "archicratie", status: "modele_sociopolitique", level: 1 },
-      ia:         { edition: "ia",         status: "cas_pratique",           level: 1 },
-      traite:     { edition: "traite",     status: "ontodynamique",          level: 1 },
-      glossaire:  { edition: "glossaire",  status: "lexique",                level: 1 },
-      atlas:      { edition: "atlas",      status: "atlas",                  level: 1 },
+      archicratie:   { edition: "archicratie", status: "modele_sociopolitique", level: 1 },
+      "archicrat-ia": { edition: "archicrat-ia", status: "essai_these", level: 1 },
+      ia:            { edition: "ia",         status: "cas_pratique",           level: 1 },
+      traite:        { edition: "traite",     status: "ontodynamique",          level: 1 },
+      glossaire:     { edition: "glossaire",  status: "lexique",                level: 1 },
+      atlas:         { edition: "atlas",      status: "atlas",                  level: 1 },
     };
 
-    const defaults = schemaDefaultsByCollection[it.collection] || { edition: it.collection, status: "draft", level: 1 };
+    const defaults = schemaDefaultsByCollection[outCollection] || { edition: outCollection, status: "draft", level: 1 };
 
     const fm = [
       "---",
@@ -282,4 +305,4 @@ async function main() {
 main().catch((e) => {
   console.error("\nERROR:", e?.message || e);
   process.exit(1);
-});
+});

src/anchors/anchor-aliases.json

@@ -1,2 +1,5 @@
-{}
-  
+{
+  "/archicrat-ia/chapitre-3/": {
+    "p-1-60c7ea48": "p-1-a21087b0"
+  }
+}

src/annotations/archicrat-ia/chapitre-3/p-0-ace27175.yml

@@ -10,3 +10,9 @@ paras:
         credit: ""
         ts: 2026-02-27T12:43:14.259Z
         fromIssue: 144
+    refs:
+      - url: https://gitea.archicratie.trans-hands.synology.me
+        label: Gitea
+        kind: (livre / article / vidéo / site / autre) Site
+        ts: 2026-03-02T19:53:21.252Z
+        fromIssue: 169

src/annotations/archicrat-ia/chapitre-3/p-1-60c7ea48.yml

@@ -0,0 +1,10 @@
+schema: 1
+page: archicrat-ia/chapitre-3
+paras:
+  p-1-60c7ea48:
+    refs:
+      - url: https://gitea.archicratie.trans-hands.synology.me
+        label: Gitea
+        kind: (livre / article / vidéo / site / autre) Site
+        ts: 2026-03-02T20:01:55.858Z
+        fromIssue: 172#

src/components/EditionToc.astro

@@ -3,14 +3,11 @@ import { getCollection } from "astro:content";
 
 const { currentSlug } = Astro.props;
 
-const entries = (await getCollection("archicratie"))
-  .filter((e) => e.slug.startsWith("archicrat-ia/"))
+// ✅ Après migration : TOC = collection "archicrat-ia"
+const entries = (await getCollection("archicrat-ia"))
   .sort((a, b) => (a.data.order ?? 0) - (b.data.order ?? 0));
 
-// ✅ On route l’Essai-thèse sur /archicrat-ia/<slug-sans-prefix>/
-// (Astro trailingSlash = always → on garde le "/" final)
-const strip = (s) => String(s || "").replace(/^archicrat-ia\//, "");
-const href = (slug) => `/archicrat-ia/${strip(slug)}/`;
+const href = (slug) => `/archicrat-ia/${slug}/`;
 ---
 
 <nav class="toc-global" aria-label="Table des matières — ArchiCraT-IA">
@@ -163,4 +160,4 @@ const href = (slug) => `/archicrat-ia/${strip(slug)}/`;
   const active = document.querySelector(".toc-global .toc-item.is-active");
   if (active) active.scrollIntoView({ block: "nearest" });
 })();
-</script>
+</script>

src/content/archicrat-ia/chapitre-3.mdx

@@ -14,7 +14,7 @@ source:
 ---
 Ce chapitre se tient à un point nodal de notre essai-thèse : il ouvre un espace d’exploration systématique des formes conceptuelles et philosophiques à travers lesquelles le pouvoir se configure comme régime de régulation. Il ne s’agit pas ici de revenir une nouvelle fois sur les fondements de l’autorité, ni d’interroger la légitimité politique au sens classique du terme, ni même d’enquêter sur la genèse des institutions. L’ambition est autre, structurelle, transversale, morphologique, elle tentera d’arpenter, à même les dispositifs, les pensées, les théorisations et les expériences, les modalités différentiées par lesquelles s’instaurent, s’éprouvent et se disputent les formes de régulation du vivre-ensemble.
 
-Dès lors, ce chapitre ne postule aucun fondement, ne cherche aucun point d’origine, ne prétend restituer aucune ontologie stable du politique. Ce qu’il donne à lire, c’est une cartographie dynamique des régimes de régulation, traversée par des formes irréductibles, non homogènes, souvent conflictuelles, parfois incompatibles, mais toutes pensées comme des configurations singulières.
+Dès lors, ce chapitre ne postule aucun fondement, ne cherche aucun point d’origine, ne prétend restituer aucune ontologie stable du politique. Ce qu’il donne à lire, c’est une cartographie dynamique des régimes de régulation, traversée par des formes irréductibles, non homogènes, souvent conflictuelles, parfois incompatibles, mais toutes pensées comme des configurations singulières, et souvent complémentaires.
 
 Ainsi, loin d’être une galerie illustrative de théories politiques juxtaposées, le chapitre s’agence comme une topologie critique, une plongée stratigraphique dans les scènes où s’articule la régulation — entendue ici non comme stabilisation externe ou ajustement technico-fonctionnel, mais comme dispositif instituant, tension structurante, scène traversée de conflictualité et d’exigence normative. Car à nos yeux, la régulation n’est pas ce qui vient après le pouvoir, elle en est la forme même constitutive — son architecture, son rythme, son épaisseur. Elle est ce par quoi le pouvoir ne se contente pas d’être exercé, mais s’institue, se justifie, se dispute, se recompose.
 

src/content/config.ts

@@ -2,7 +2,7 @@ import { defineCollection, z } from "astro:content";
 
 const linkSchema = z.object({
   type: z.enum(["definition", "appui", "transposition"]),
-  target: z.string().min(1), // URL interne (ex: /glossaire/archicratie/) ou slug
+  target: z.string().min(1),
   note: z.string().optional()
 });
 
@@ -12,7 +12,6 @@ const baseTextSchema = z.object({
   version: z.string().min(1),
   concepts: z.array(z.string().min(1)).default([]),
   links: z.array(linkSchema).default([]),
-  // optionnels mais utiles dès maintenant
   order: z.number().int().nonnegative().optional(),
   summary: z.string().optional()
 });
@@ -50,20 +49,31 @@ const atlas = defineCollection({
   })
 });
 
+// ✅ NOUVELLE collection : archicrat-ia (Essai-thèse)
+// NOTE : on accepte temporairement edition/status "archicratie/modele_sociopolitique"
+// si tes MDX n’ont pas encore été normalisés.
+// Quand tu voudras "strict", on passera à edition="archicrat-ia" status="essai_these"
+// + update frontmatter des 7 fichiers.
+const archicratIa = defineCollection({
+  type: "content",
+  schema: baseTextSchema.extend({
+    edition: z.union([z.literal("archicrat-ia"), z.literal("archicratie")]),
+    status: z.union([z.literal("essai_these"), z.literal("modele_sociopolitique")])
+  })
+});
+
 // Glossaire (référentiel terminologique)
 const glossaire = defineCollection({
   type: "content",
   schema: z.object({
-    title: z.string().min(1), // Titre public (souvent identique au terme)
-    term: z.string().min(1),  // Terme canonique
+    title: z.string().min(1),
+    term: z.string().min(1),
     aliases: z.array(z.string().min(1)).default([]),
     edition: z.literal("glossaire"),
     status: z.literal("referentiel"),
     version: z.string().min(1),
-    // Micro-définition affichable en popover (courte, stable)
     definitionShort: z.string().min(1),
     concepts: z.array(z.string().min(1)).default([]),
-    // Liens typés (vers ouvrages ou autres termes)
     links: z.array(linkSchema).default([])
   })
 });
@@ -73,5 +83,8 @@ export const collections = {
   archicratie,
   ia,
   glossaire,
-  atlas
-};
+  atlas,
+
+  // ⚠️ clé avec tiret => doit être quotée
+  "archicrat-ia": archicratIa
+};

src/pages/archicrat-ia/[...slug].astro

@@ -5,12 +5,11 @@ import EditionToc from "../../components/EditionToc.astro";
 import LocalToc from "../../components/LocalToc.astro";
 
 export async function getStaticPaths() {
-  const entries = (await getCollection("archicratie"))
-    .filter((e) => e.slug.startsWith("archicrat-ia/"));
+  // ✅ Après migration : plus de filtre par prefix, on prend toute la collection
+  const entries = await getCollection("archicrat-ia");
 
   return entries.map((entry) => ({
-    // ✅ inline : jamais de helper externe (évite "stripPrefix is not defined")
-    params: { slug: entry.slug.replace(/^archicrat-ia\//, "") },
+    params: { slug: entry.slug },
     props: { entry },
   }));
 }
@@ -35,4 +34,4 @@ const { Content, headings } = await entry.render();
 
   <h1>{entry.data.title}</h1>
   <Content />
-</EditionLayout>
+</EditionLayout>

src/pages/archicrat-ia/index.astro

@@ -2,13 +2,12 @@
 import SiteLayout from "../../layouts/SiteLayout.astro";
 import { getCollection } from "astro:content";
 
-const entries = (await getCollection("archicratie"))
-  .filter((e) => e.slug.startsWith("archicrat-ia/"));
+// ✅ Après migration physique : collection = "archicrat-ia", slug = "chapitre-3" (sans prefix)
+const entries = await getCollection("archicrat-ia");
 
 entries.sort((a, b) => (a.data.order ?? 9999) - (b.data.order ?? 9999));
 
-const strip = (slug) => slug.replace(/^archicrat-ia\//, "");
-const href = (slug) => `/archicrat-ia/${strip(slug)}/`;
+const href = (slug) => `/archicrat-ia/${slug}/`;
 ---
 
 <SiteLayout title="Essai-thèse — ArchiCraT-IA">
@@ -19,4 +18,4 @@ const href = (slug) => `/archicrat-ia/${strip(slug)}/`;
       <li><a href={href(e.slug)}>{e.data.title}</a></li>
     ))}
   </ul>
-</SiteLayout>
+</SiteLayout>