ci: add anno apply bot workflow

Reviewed-on: #108

.gitea/ISSUE_TEMPLATE/correction-paragraphe.md

@@ -3,7 +3,7 @@ name: "Correction paragraphe"
 about: "Proposer une correction ciblée (un paragraphe) avec justification."
 ---
 
-## Chemin (ex: /archicratie/prologue/)
+## Chemin (ex: /archicrat-ia/prologue/)
 <!-- obligatoire -->
 /...
 

.gitea/ISSUE_TEMPLATE/verification-factuelle.md

@@ -3,7 +3,7 @@ name: "Vérification factuelle / sources"
 about: "Signaler une assertion à sourcer ou à corriger (preuves, références)."
 ---
 
-## Chemin (ex: /archicratie/prologue/)
+## Chemin (ex: /archicrat-ia/prologue/)
 <!-- obligatoire -->
 /...
 

.gitea/workflows/anno-apply-pr.yml

@@ -0,0 +1,301 @@
+name: Anno Apply (PR)
+
+on:
+  issues:
+    types: [labeled]
+  workflow_dispatch:
+    inputs:
+      issue:
+        description: "Issue number to apply"
+        required: true
+
+env:
+  NODE_OPTIONS: --dns-result-order=ipv4first
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  apply-approved:
+    runs-on: ubuntu-latest
+    container:
+      image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
+
+    steps:
+      - name: Tools sanity
+        run: |
+          set -euo pipefail
+          git --version
+          node --version
+          npm --version
+          npm ping --registry=https://registry.npmjs.org
+
+      - name: Derive context (event.json / workflow_dispatch)
+        env:
+          INPUT_ISSUE: ${{ inputs.issue }}
+        run: |
+          set -euo pipefail
+          export EVENT_JSON="/var/run/act/workflow/event.json"
+          test -f "$EVENT_JSON" || { echo "❌ Missing $EVENT_JSON"; exit 1; }
+
+          node --input-type=module - <<'NODE' > /tmp/anno.env
+import fs from "node:fs";
+
+const ev = JSON.parse(fs.readFileSync(process.env.EVENT_JSON, "utf8"));
+
+const repoObj = ev?.repository || {};
+const cloneUrl =
+  repoObj?.clone_url ||
+  (repoObj?.html_url ? (repoObj.html_url.replace(/\/$/,"") + ".git") : "");
+
+if (!cloneUrl) throw new Error("No repository clone_url/html_url in event.json");
+
+let owner =
+  repoObj?.owner?.login ||
+  repoObj?.owner?.username ||
+  (repoObj?.full_name ? repoObj.full_name.split("/")[0] : "");
+
+let repo =
+  repoObj?.name ||
+  (repoObj?.full_name ? repoObj.full_name.split("/")[1] : "");
+
+if (!owner || !repo) {
+  // fallback parse from clone url
+  const m = cloneUrl.match(/[:/](?<o>[^/]+)\/(?<r>[^/]+?)(?:\.git)?$/);
+  if (m?.groups) { owner = owner || m.groups.o; repo = repo || m.groups.r; }
+}
+if (!owner || !repo) throw new Error("Cannot infer owner/repo");
+
+const defaultBranch = repoObj?.default_branch || "master";
+
+const issueNumber =
+  ev?.issue?.number ||
+  ev?.issue?.index ||
+  (process.env.INPUT_ISSUE ? Number(process.env.INPUT_ISSUE) : 0);
+
+if (!issueNumber || !Number.isFinite(Number(issueNumber))) {
+  throw new Error("No issue number in event.json or workflow_dispatch input");
+}
+
+const labelName =
+  ev?.label?.name ||
+  ev?.label ||
+  "workflow_dispatch";
+
+const u = new URL(cloneUrl);
+const origin = u.origin; // https://gitea...
+const apiBase = (process.env.FORGE_API && process.env.FORGE_API.trim())
+  ? process.env.FORGE_API.trim().replace(/\/+$/,"")
+  : origin;
+
+function sh(s){ return JSON.stringify(String(s)); }
+
+process.stdout.write([
+  `CLONE_URL=${sh(cloneUrl)}`,
+  `OWNER=${sh(owner)}`,
+  `REPO=${sh(repo)}`,
+  `DEFAULT_BRANCH=${sh(defaultBranch)}`,
+  `ISSUE_NUMBER=${sh(issueNumber)}`,
+  `LABEL_NAME=${sh(labelName)}`,
+  `API_BASE=${sh(apiBase)}`,
+].join("\n") + "\n");
+NODE
+
+          echo "✅ context:"
+          sed -n '1,80p' /tmp/anno.env
+
+      - name: Gate on label state/approved
+        run: |
+          set -euo pipefail
+          source /tmp/anno.env
+          if [[ "$LABEL_NAME" != "state/approved" && "$LABEL_NAME" != "workflow_dispatch" ]]; then
+            echo "ℹ️ label=$LABEL_NAME => skip (only state/approved triggers apply)"
+            exit 0
+          fi
+          echo "✅ proceed (label=$LABEL_NAME issue=$ISSUE_NUMBER)"
+
+      - name: Checkout default branch (from event.json, no external actions)
+        run: |
+          set -euo pipefail
+          source /tmp/anno.env
+
+          rm -rf .git
+          git init -q
+          git remote add origin "$CLONE_URL"
+
+          echo "Repo URL: $CLONE_URL"
+          echo "Base:     $DEFAULT_BRANCH"
+
+          git fetch --depth 1 origin "$DEFAULT_BRANCH"
+          git -c advice.detachedHead=false checkout -q FETCH_HEAD
+          git log -1 --oneline
+
+      - name: Install deps
+        run: |
+          set -euo pipefail
+          npm ci
+
+      - name: Apply ticket on bot branch (strict+verify, commit)
+        env:
+          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
+          BOT_GIT_NAME: ${{ secrets.BOT_GIT_NAME }}
+          BOT_GIT_EMAIL: ${{ secrets.BOT_GIT_EMAIL }}
+        run: |
+          set -euo pipefail
+          source /tmp/anno.env
+
+          test -n "${FORGE_TOKEN:-}" || { echo "❌ Missing secret FORGE_TOKEN"; exit 1; }
+
+          # git identity (required for commits)
+          git config user.name  "${BOT_GIT_NAME:-archicratie-bot}"
+          git config user.email "${BOT_GIT_EMAIL:-bot@archicratie.local}"
+
+          START_SHA="$(git rev-parse HEAD)"
+
+          TS="$(date -u +%Y%m%d-%H%M%S)"
+          BR="bot/anno-${ISSUE_NUMBER}-${TS}"
+          echo "BRANCH=$BR" >> /tmp/anno.env
+          git checkout -b "$BR"
+
+          # env for script
+          export FORGE_API="$API_BASE"
+          export GITEA_OWNER="$OWNER"
+          export GITEA_REPO="$REPO"
+
+          LOG="/tmp/apply.log"
+          set +e
+          node scripts/apply-annotation-ticket.mjs "$ISSUE_NUMBER" --strict --verify --commit >"$LOG" 2>&1
+          RC=$?
+          set -e
+
+          echo "== apply log (tail) =="
+          tail -n 120 "$LOG" || true
+
+          END_SHA="$(git rev-parse HEAD)"
+
+          if [[ "$RC" -ne 0 ]]; then
+            echo "APPLY_RC=$RC" >> /tmp/anno.env
+            exit "$RC"
+          fi
+
+          if [[ "$START_SHA" == "$END_SHA" ]]; then
+            echo "NOOP=1" >> /tmp/anno.env
+          else
+            echo "NOOP=0" >> /tmp/anno.env
+            echo "END_SHA=$END_SHA" >> /tmp/anno.env
+          fi
+
+      - name: Comment issue on failure (strict/verify/etc)
+        if: ${{ always() }}
+        env:
+          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
+        run: |
+          set -euo pipefail
+          source /tmp/anno.env
+          # si apply a échoué, la step précédente s'arrête => ce step tourne quand même (always)
+          if [[ -z "${APPLY_RC:-}" ]]; then
+            echo "ℹ️ no failure detected"
+            exit 0
+          fi
+
+          BODY="$(tail -n 120 /tmp/apply.log | sed 's/\r$//' )"
+          MSG="❌ apply-annotation-ticket a échoué (rc=${APPLY_RC}).\n\n\`\`\`\n${BODY}\n\`\`\`\n"
+
+          PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.env.MSG}))' \
+            MSG="$MSG")"
+
+          curl -fsS -X POST \
+            -H "Authorization: token $FORGE_TOKEN" \
+            -H "Content-Type: application/json" \
+            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
+            --data-binary "$PAYLOAD"
+
+          exit "${APPLY_RC}"
+
+      - name: Comment issue if no-op (already applied)
+        env:
+          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
+        run: |
+          set -euo pipefail
+          source /tmp/anno.env
+          if [[ "${NOOP:-0}" != "1" ]]; then
+            echo "ℹ️ changes exist -> will create PR"
+            exit 0
+          fi
+
+          MSG="ℹ️ Ticket #${ISSUE_NUMBER} : rien à appliquer (déjà présent / dédupliqué)."
+          PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.env.MSG}))' MSG="$MSG")"
+
+          curl -fsS -X POST \
+            -H "Authorization: token $FORGE_TOKEN" \
+            -H "Content-Type: application/json" \
+            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
+            --data-binary "$PAYLOAD"
+
+          echo "✅ no-op handled"
+          exit 0
+
+      - name: Push bot branch
+        env:
+          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
+        run: |
+          set -euo pipefail
+          source /tmp/anno.env
+          test "${NOOP:-0}" = "0" || { echo "ℹ️ no-op -> skip push"; exit 0; }
+
+          # auth remote (Gitea supports oauth2:<token>)
+          AUTH_URL="$(node --input-type=module -e '
+            const u = new URL(process.env.CLONE_URL);
+            u.username = "oauth2";
+            u.password = process.env.FORGE_TOKEN;
+            console.log(u.toString());
+          ' CLONE_URL="$CLONE_URL" FORGE_TOKEN="$FORGE_TOKEN")"
+
+          git remote set-url origin "$AUTH_URL"
+          git push -u origin "$BRANCH"
+
+      - name: Create PR + comment issue
+        env:
+          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
+        run: |
+          set -euo pipefail
+          source /tmp/anno.env
+          test "${NOOP:-0}" = "0" || { echo "ℹ️ no-op -> skip PR"; exit 0; }
+
+          PR_TITLE="anno: apply ticket #${ISSUE_NUMBER}"
+          PR_BODY="PR générée automatiquement à partir du ticket #${ISSUE_NUMBER} (label state/approved).\n\n- Branche: ${BRANCH}\n- Commit: ${END_SHA}\n\nMerge si CI OK."
+
+          PR_PAYLOAD="$(node --input-type=module -e '
+            console.log(JSON.stringify({
+              title: process.env.PR_TITLE,
+              body: process.env.PR_BODY,
+              base: process.env.DEFAULT_BRANCH,
+              head: `${process.env.OWNER}:${process.env.BRANCH}`,
+              allow_maintainer_edit: true
+            }));
+          ' PR_TITLE="$PR_TITLE" PR_BODY="$PR_BODY" OWNER="$OWNER" BRANCH="$BRANCH" DEFAULT_BRANCH="$DEFAULT_BRANCH")"
+
+          PR_JSON="$(curl -fsS -X POST \
+            -H "Authorization: token $FORGE_TOKEN" \
+            -H "Content-Type: application/json" \
+            "$API_BASE/api/v1/repos/$OWNER/$REPO/pulls" \
+            --data-binary "$PR_PAYLOAD")"
+
+          PR_URL="$(node --input-type=module -e '
+            const pr = JSON.parse(process.env.PR_JSON);
+            console.log(pr.html_url || pr.url || "");
+          ' PR_JSON="$PR_JSON")"
+
+          test -n "$PR_URL" || { echo "❌ PR URL missing. Raw: $PR_JSON"; exit 1; }
+
+          MSG="✅ PR créée pour ticket #${ISSUE_NUMBER} : ${PR_URL}"
+          C_PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.env.MSG}))' MSG="$MSG")"
+
+          curl -fsS -X POST \
+            -H "Authorization: token $FORGE_TOKEN" \
+            -H "Content-Type: application/json" \
+            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
+            --data-binary "$C_PAYLOAD"
+
+          echo "✅ PR: $PR_URL"

.gitea/workflows/anno-reject.yml

@@ -0,0 +1,102 @@
+name: Anno Reject
+
+on:
+  issues:
+    types: [labeled]
+
+env:
+  NODE_OPTIONS: --dns-result-order=ipv4first
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  reject:
+    runs-on: ubuntu-latest
+    container:
+      image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
+
+    steps:
+      - name: Derive context
+        run: |
+          set -euo pipefail
+          export EVENT_JSON="/var/run/act/workflow/event.json"
+          test -f "$EVENT_JSON" || { echo "❌ Missing $EVENT_JSON"; exit 1; }
+
+          node --input-type=module - <<'NODE' > /tmp/reject.env
+import fs from "node:fs";
+
+const ev = JSON.parse(fs.readFileSync(process.env.EVENT_JSON, "utf8"));
+const repoObj = ev?.repository || {};
+const cloneUrl =
+  repoObj?.clone_url ||
+  (repoObj?.html_url ? (repoObj.html_url.replace(/\/$/,"") + ".git") : "");
+if (!cloneUrl) throw new Error("No repository url");
+
+let owner =
+  repoObj?.owner?.login ||
+  repoObj?.owner?.username ||
+  (repoObj?.full_name ? repoObj.full_name.split("/")[0] : "");
+let repo =
+  repoObj?.name ||
+  (repoObj?.full_name ? repoObj.full_name.split("/")[1] : "");
+
+if (!owner || !repo) {
+  const m = cloneUrl.match(/[:/](?<o>[^/]+)\/(?<r>[^/]+?)(?:\.git)?$/);
+  if (m?.groups) { owner = owner || m.groups.o; repo = repo || m.groups.r; }
+}
+if (!owner || !repo) throw new Error("Cannot infer owner/repo");
+
+const issueNumber = ev?.issue?.number || ev?.issue?.index;
+if (!issueNumber) throw new Error("No issue number");
+
+const labelName = ev?.label?.name || ev?.label || "";
+
+const u = new URL(cloneUrl);
+const apiBase = u.origin;
+
+function sh(s){ return JSON.stringify(String(s)); }
+process.stdout.write([
+  `OWNER=${sh(owner)}`,
+  `REPO=${sh(repo)}`,
+  `ISSUE_NUMBER=${sh(issueNumber)}`,
+  `LABEL_NAME=${sh(labelName)}`,
+  `API_BASE=${sh(apiBase)}`
+].join("\n") + "\n");
+NODE
+
+      - name: Gate on label state/rejected
+        run: |
+          set -euo pipefail
+          source /tmp/reject.env
+          if [[ "$LABEL_NAME" != "state/rejected" ]]; then
+            echo "ℹ️ label=$LABEL_NAME => skip"
+            exit 0
+          fi
+          echo "✅ reject issue=$ISSUE_NUMBER"
+
+      - name: Comment + close issue
+        env:
+          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
+        run: |
+          set -euo pipefail
+          source /tmp/reject.env
+          test -n "${FORGE_TOKEN:-}" || { echo "❌ Missing secret FORGE_TOKEN"; exit 1; }
+
+          MSG="❌ Ticket #${ISSUE_NUMBER} refusé (label state/rejected)."
+          PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.env.MSG}))' MSG="$MSG")"
+
+          curl -fsS -X POST \
+            -H "Authorization: token $FORGE_TOKEN" \
+            -H "Content-Type: application/json" \
+            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
+            --data-binary "$PAYLOAD"
+
+          curl -fsS -X PATCH \
+            -H "Authorization: token $FORGE_TOKEN" \
+            -H "Content-Type: application/json" \
+            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER" \
+            --data-binary '{"state":"closed"}'
+
+          echo "✅ closed #$ISSUE_NUMBER"

.gitea/workflows/ci.yaml

@@ -79,22 +79,7 @@ jobs:
           set -euo pipefail
           npm ci
 
-      - name: Inline scripts syntax check
+      - name: Full test suite (CI=1)
         run: |
           set -euo pipefail
-          node scripts/check-inline-js.mjs
-
-      - name: Build (includes postbuild injection + pagefind)
-        run: |
-          set -euo pipefail
-          npm run build
-
-      - name: Anchors contract
-        run: |
-          set -euo pipefail
-          npm run test:anchors
-
-      - name: Verify anchor aliases injected in dist
-        run: |
-          set -euo pipefail
-          node scripts/verify-anchor-aliases-in-dist.mjs
+          npm run ci

.gitea/workflows/ci.yml

@@ -1,103 +0,0 @@
-name: CI
-
-on:
-  push: {}
-  pull_request:
-    branches: ["master"]
-  workflow_dispatch: {}
-
-env:
-  NODE_OPTIONS: --dns-result-order=ipv4first
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  build-and-anchors:
-    runs-on: ubuntu-latest
-    container:
-      image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
-
-    steps:
-      - name: Tools sanity
-        run: |
-          set -euo pipefail
-          git --version
-          node --version
-          npm --version
-          npm ping --registry=https://registry.npmjs.org
-
-      - name: Checkout (from event.json, no external actions)
-        run: |
-          set -euo pipefail
-          EVENT_JSON="/var/run/act/workflow/event.json"
-          test -f "$EVENT_JSON" || (echo "❌ Missing $EVENT_JSON" && exit 1)
-
-          eval "$(node - <<'NODE'
-          import fs from "node:fs";
-          const ev = JSON.parse(fs.readFileSync("/var/run/act/workflow/event.json","utf8"));
-          const repo =
-            ev?.repository?.clone_url ||
-            (ev?.repository?.html_url ? (ev.repository.html_url.replace(/\/$/,'') + ".git") : "");
-          const sha =
-            ev?.after ||
-            ev?.pull_request?.head?.sha ||
-            ev?.head_commit?.id ||
-            ev?.sha ||
-            "";
-          if (!repo) { console.error("No repository.clone_url/html_url in event.json"); process.exit(1); }
-          if (!sha)  { console.error("No sha/after/pull_request.head.sha in event.json"); process.exit(1); }
-          console.log(`REPO_URL=${JSON.stringify(repo)}`);
-          console.log(`SHA=${JSON.stringify(sha)}`);
-NODE
-          )"
-
-          echo "Repo URL: $REPO_URL"
-          echo "SHA:      $SHA"
-
-          rm -rf .git
-          git init
-          git remote add origin "$REPO_URL"
-          git fetch --depth 1 origin "$SHA"
-          git checkout -q FETCH_HEAD
-          git log -1 --oneline
-
-      - name: Anchor aliases schema
-        run: |
-          set -euo pipefail
-          node scripts/check-anchor-aliases.mjs
-
-      - name: NPM harden
-        run: |
-          set -euo pipefail
-          npm config set fetch-retries 5
-          npm config set fetch-retry-mintimeout 20000
-          npm config set fetch-retry-maxtimeout 120000
-          npm config set registry https://registry.npmjs.org
-          npm config get registry
-
-      - name: Install deps
-        run: |
-          set -euo pipefail
-          npm ci
-
-      - name: Inline scripts syntax check
-        run: |
-          set -euo pipefail
-          node scripts/check-inline-js.mjs
-
-      - name: Build (includes postbuild injection + pagefind)
-        run: |
-          set -euo pipefail
-          npm run build
-
-      - name: Anchors contract
-        run: |
-          set -euo pipefail
-          npm run test:anchors
-
-      - name: Verify anchor aliases injected in dist
-        run: |
-          set -euo pipefail
-          node scripts/verify-anchor-aliases-in-dist.mjs

.gitignore

@@ -3,6 +3,10 @@
 .env.*
 !.env.example
 
+# dev-only
+public/_auth/whoami
+public/_auth/whoami/*
+
 # --- local backups ---
 *.bak
 *.bak.*

Dockerfile

@@ -12,7 +12,7 @@ ENV npm_config_update_notifier=false \
 # (Optionnel mais propre) git + certificats
 RUN apt-get -o Acquire::Retries=5 -o Acquire::ForceIPv4=true update \
  && apt-get install -y --no-install-recommends ca-certificates git \
- && rm -rf /var/lib/apt/lists/*	
+ && rm -rf /var/lib/apt/lists/*
 
 # Déps d’abord (cache Docker)
 COPY package.json package-lock.json ./
@@ -25,9 +25,21 @@ COPY . .
 ARG PUBLIC_GITEA_BASE
 ARG PUBLIC_GITEA_OWNER
 ARG PUBLIC_GITEA_REPO
+
+# ✅ Canonical + sitemap base (astro.config.mjs lit process.env.PUBLIC_SITE)
+ARG PUBLIC_SITE
+
+# ✅ Garde-fou : si 1 → build fail si PUBLIC_SITE absent
+ARG REQUIRE_PUBLIC_SITE=0
+
 ENV PUBLIC_GITEA_BASE=$PUBLIC_GITEA_BASE \
     PUBLIC_GITEA_OWNER=$PUBLIC_GITEA_OWNER \
-    PUBLIC_GITEA_REPO=$PUBLIC_GITEA_REPO
+    PUBLIC_GITEA_REPO=$PUBLIC_GITEA_REPO \
+    PUBLIC_SITE=$PUBLIC_SITE \
+    REQUIRE_PUBLIC_SITE=$REQUIRE_PUBLIC_SITE
+
+# ✅ antifragile : refuse de builder sans PUBLIC_SITE quand on l’exige
+RUN node -e "if (process.env.REQUIRE_PUBLIC_SITE==='1' && !process.env.PUBLIC_SITE) { console.error('FATAL: PUBLIC_SITE is required (canonical/sitemap).'); process.exit(1) }"
 
 # Build Astro (postbuild tourne via npm scripts)
 RUN npm run build
@@ -38,4 +50,4 @@ COPY nginx.conf /etc/nginx/conf.d/default.conf
 COPY --from=build /app/dist/ /usr/share/nginx/html/
 RUN find /usr/share/nginx/html -type d -exec chmod 755 {} \; \
  && find /usr/share/nginx/html -type f -exec chmod 644 {} \;
-EXPOSE 80
+EXPOSE 80

docker-compose.yml

@@ -5,6 +5,8 @@ services:
       dockerfile: Dockerfile
       network: host
       args:
+        REQUIRE_PUBLIC_SITE: "1"
+        PUBLIC_SITE: "https://staging.archicratie.trans-hands.synology.me"
         PUBLIC_GITEA_BASE: ${PUBLIC_GITEA_BASE}
         PUBLIC_GITEA_OWNER: ${PUBLIC_GITEA_OWNER}
         PUBLIC_GITEA_REPO: ${PUBLIC_GITEA_REPO}
@@ -20,6 +22,8 @@ services:
       dockerfile: Dockerfile
       network: host
       args:
+        REQUIRE_PUBLIC_SITE: "1"
+        PUBLIC_SITE: "https://archicratie.trans-hands.synology.me"
         PUBLIC_GITEA_BASE: ${PUBLIC_GITEA_BASE}
         PUBLIC_GITEA_OWNER: ${PUBLIC_GITEA_OWNER}
         PUBLIC_GITEA_REPO: ${PUBLIC_GITEA_REPO}
@@ -27,4 +31,4 @@ services:
     container_name: archicratie-web-green
     ports:
       - "127.0.0.1:8082:80"
-    restart: unless-stopped
+    restart: unless-stopped

docs/EDITORIAL-ANNOTATIONS-SPEC.md

@@ -0,0 +1,327 @@
+# SPEC — Annotations éditoriales (YAML v1) + merge + anti-doublon
+> Objectif : permettre aux tickets (Gitea) de déposer “Références / Médias / Commentaires” dans `src/annotations/**`,
+> de façon univoque, stable, et sans régression.
+
+## 0) Contexte et intention
+Le site est statique. L’édition collaborative se fait via :
+- un mode “proposition” (UI / modal)
+- un ticket Gitea (issue) standardisé
+- un script d’application côté éditeur (`apply-ticket.mjs` ou équivalent)
+- génération d’un YAML d’annotations versionné dans Git
+
+La donnée d’annotation doit être :
+- **audit-able** (Git)
+- **merge-able** (sans tout casser)
+- **stable** (IDs paragraphes / liens / médias)
+- **scalable** (éviter YAML monstrueux à long terme)
+
+## 1) Arborescence canonique
+### 1.1 Un workKey par “ouvrage / section du site”
+On veut une univocité entre :
+- SiteNav (Méthode, Essai-thèse, Traité, Cas IA, Glossaire, Atlas)
+et
+- l’arborescence annotations
+
+Proposition canonique (workKey = route racine) :
+- `methode`
+- `archicrat-ia` (Essai-thèse ArchiCraT-IA)
+- `traite`
+- `ia`
+- `glossaire`
+- `atlas`
+
+### 1.2 Règle de stockage “v1”
+**Par page**, un YAML unique :
+
+src/annotations/<workKey>/<slugSansWorkKey>.yml
+
+Exemples :
+- Page : `/archicrat-ia/prologue/`
+  - slug content = `archicrat-ia/prologue`
+  - fichier : `src/annotations/archicrat-ia/prologue.yml`
+
+- Page : `/traite/00-demarrage/`
+  - fichier : `src/annotations/traite/00-demarrage.yml`
+
+> Note : “slugSansWorkKey” = la partie après `<workKey>/`.
+> S’il y a des sous-dossiers (chapitres), le chemin reflète la structure : `chapitre-1/section-a.yml` si on choisit du sharding.
+
+## 2) Question “gros YAML” : page unique vs sharding par paragraphe
+### 2.1 Option A (v1 recommandée) : 1 YAML par page
+Avantages :
+- simple
+- peu de fichiers
+- diff lisible si volume modéré
+- cohérent avec un modèle “annotations par page”
+
+Inconvénients :
+- YAML peut grossir si milliers d’annotations
+
+### 2.2 Option B (v2 future) : sharding par paragraphe
+
+src/annotations/<workKey>/<slugSansWorkKey>/<paraId>.yml
+
+Avantages :
+- fichiers petits
+- merges moins conflictuels
+Inconvénients :
+- plus de fichiers
+- tooling plus complexe (indexation + merge multi-fichiers)
+
+### 2.3 Recommandation de mission (sans casser l’existant)
+- On démarre en **Option A**.
+- On se garde une migration future (v2) quand le volume réel le justifie.
+- On impose dès v1 : **clé unique + merge déterministe + anti-doublon**, ce qui rend la migration future possible.
+
+## 3) Format YAML v1 (schéma complet)
+### 3.1 Top-level
+en yaml :
+
+schema: 1
+
+# Optionnel mais recommandé (doit matcher la page)
+page: "<workKey>/<slugSansWorkKey>"
+
+meta:
+  title: "Titre de la page (optionnel)"
+  updatedAt: "2026-02-21T12:34:56Z"   # ISO8601
+  updatedBy: "username"              # compte editor
+  source:
+    kind: "ticket"
+    id: 123
+    url: "https://gitea.../issues/123"
+
+paras:
+  "<paraId>":
+    references: []
+    media: []
+    comments: []
+
+### 3.2 paras : clé = paraId (ex: p-0-d7974f88)
+
+Chaque paragraphe peut porter 3 types d’éléments :
+
+references
+
+media
+
+comments
+
+Règle : si une section est vide, elle peut être [] ou absente.
+Mais pour simplifier les merges, on recommande de garder la forme canonique avec [].
+
+## 4) Formats des items + clés uniques
+### 4.1 References
+#### 4.1.1 Format
+
+references:
+  - id: "ref:doi:10.1234/abcd.efgh"   # clé stable (voir 4.1.2)
+    kind: "doi"                       # doi | url | isbn | arxiv | hal | other
+    label: "Titre court"
+    target: "https://doi.org/10.1234/abcd.efgh"
+    note: "Pourquoi c’est pertinent (optionnel)"
+    addedAt: "2026-02-21T12:34:56Z"
+    addedBy: "username"
+
+#### 4.1.2 Règle de clé unique (anti-doublon)
+
+id doit être stable et déterministe :
+
+doi → ref:doi:<doi>
+
+isbn → ref:isbn:<isbn>
+
+url → ref:url:<normalizedUrl>
+
+Normalisation URL (v1) : au minimum
+
+trim
+
+lowercase scheme/host
+
+retirer trailing slash si non significatif
+
+conserver query si importante
+
+#### 4.1.3 Merge / précédence
+
+Quand on merge deux listes references :
+
+union par id (clé unique)
+
+si même id existe des deux côtés :
+
+conserver kind/target de l’item le plus “riche” (target non vide gagne)
+
+concat/merge note :
+
+si notes différentes : garder les deux en les séparant (ex: noteA + "\n---\n" + noteB)
+
+addedAt : conserver le plus ancien
+
+addedBy : conserver le premier (ou liste si on veut, mais v1 simple : first)
+
+### 4.2 Media
+#### 4.2.1 Format
+
+media:
+  - id: "media:image:sha256:abcd..."   # clé stable (voir 4.2.2)
+    type: "image"                      # image | video | audio | file
+    src: "/public/media/<workKey>/<slugSansWorkKey>/<paraId>/<filename>"
+    caption: "Légende (optionnel)"
+    credit: "Auteur/source (optionnel)"
+    license: "CC-BY (optionnel)"
+    addedAt: "2026-02-21T12:34:56Z"
+    addedBy: "username"
+
+#### 4.2.2 Règle de clé unique
+
+id déterministe :
+
+idéal : hash du fichier (sha256)
+
+sinon : hash de type + src
+
+v1 (si on ne calcule pas de hash fichier) :
+
+media:<type>:<src>
+
+#### 4.2.3 Merge / précédence
+
+union par id
+
+si collision :
+
+garder src identique (sinon c’est un bug)
+
+fusionner caption/credit/license selon “non vide gagne”
+
+addedAt : plus ancien
+
+### 4.3 Comments
+#### 4.3.1 Format
+
+comments:
+  - id: "cmt:20260221T123456Z:username:0001"
+    kind: "comment"        # comment | question | objection | todo | validation
+    text: "Texte du commentaire"
+    status: "open"         # open | resolved
+    addedAt: "2026-02-21T12:34:56Z"
+    addedBy: "username"
+    source:
+      kind: "ticket"
+      id: 123
+
+#### 4.3.2 Clé unique
+
+Les commentaires sont “append-only” → id peut être générée (timestamp + user + compteur)
+
+Anti-doublon : si on ré-applique un ticket, on refuse de dupliquer un id existant.
+
+#### 4.3.3 Merge / précédence
+
+union par id
+
+collisions rares, mais si elles arrivent :
+
+si textes différents → garder les deux (on renomme l’id du second)
+
+## 5) Règles globales de merge (résumé)
+
+Quand on applique un ticket sur un YAML existant :
+
+vérifier schema == 1
+
+vérifier page si présent :
+
+doit matcher <workKey>/<slugSansWorkKey>
+
+paras :
+
+créer paras[paraId] si absent
+
+pour chaque liste (references/media/comments) :
+
+merge par id (anti-doublon)
+
+appliquer règles de précédence (non vide gagne / concat note / append-only comments)
+
+## 6) Table de correspondance “UI ticket → YAML”
+
+Cette table permet à un successeur IA d’implémenter apply-ticket.mjs sans ambiguïté.
+
+### 6.1 Champs UI minimaux
+
+workKey (sélection implicite via page)
+
+pagePath (ex: /archicrat-ia/prologue/)
+
+pageSlug (ex: archicrat-ia/prologue)
+
+paraId (ex: p-0-d7974f88)
+
+kind :
+
+reference
+
+media
+
+comment
+
+### 6.2 Mapping exact
+
+| UI kind   | UI champs                                                   | YAML cible                   |
+| --------- | ----------------------------------------------------------- | ---------------------------- |
+| reference | kind(doi/url/isbn), target, label, note                     | `paras[paraId].references[]` |
+| media     | type(image/video/audio/file), src, caption, credit, license | `paras[paraId].media[]`      |
+| comment   | kind(comment/question/objection/todo/validation), text      | `paras[paraId].comments[]`   |
+
+### 6.3 Règles de génération d’ID (implémentation)
+
+reference.id :
+
+doi : ref:doi:${doi}
+
+isbn : ref:isbn:${isbn}
+
+url : ref:url:${normalize(url)}
+
+media.id :
+
+media:${type}:${src}
+
+comment.id :
+
+cmt:${timestamp}:${user}:${counter}
+
+## 7) Validation YAML (sanity)
+
+Avant commit (et en CI) :
+
+YAML parse OK
+
+schema OK
+
+page si présent cohérent
+
+paras est un mapping
+
+paraId match pattern : ^p-\d+-[a-f0-9]{8}$ (existant)
+
+src media pointe dans /public/media/... (ou /media/... si on choisit un alias, mais v1 canon : /public/media/...)
+
+## 8) Notes de compatibilité
+
+Les routes “Essai-thèse” ont été migrées vers /archicrat-ia/*.
+
+Les anciennes routes /archicratie/archicrat-ia/* peuvent exister en legacy, mais la donnée canonique d’annotation doit suivre le workKey final (archicrat-ia).
+
+## 9) Ce que l’étape 9 devra implémenter
+
+pipeline : ticket → YAML (apply-ticket)
+
+index : build-annotations-index + check-annotations
+
+tooling : détection médias orphelins / liens cassés
+
+éventuellement : migration vers sharding par paragraphe (v2) si volume réel le justifie

docs/START-HERE.md

@@ -0,0 +1,176 @@
+# START-HERE — Archicratie / Édition Web (v2)
+> Onboarding + exploitation “nickel chrome” (DEV → Gitea → CI → Release → Blue/Green → Edge/SSO)
+
+## 0) TL;DR (la règle d’or)
+- **Gitea = source canonique**.  
+- **main est protégé** : toute modification passe par **branche → PR → CI → merge**.  
+- **Le NAS n’est pas la source** : si un hotfix est fait sur NAS, on **backporte** via PR immédiatement.
+- **Le site est statique Astro** : la prod sert du HTML (nginx), l’accès est contrôlé au niveau reverse-proxy (Traefik + Authelia).
+
+## 1) Architecture mentale (ultra simple)
+- **DEV (Mac Studio)** : édition + tests + commit + push
+- **Gitea** : dépôt canon + PR + CI (CI.yaml)
+- **NAS (DS220+)** : déploiement “blue/green”
+  - `web_blue` (staging upstream) → `127.0.0.1:8081`
+  - `web_green` (live upstream) → `127.0.0.1:8082`
+- **Edge (Traefik)** : route les hosts
+  - `staging.archicratie...` → 8081
+  - `archicratie...` → 8082
+  - **Authelia** devant, via middleware `chain-auth@file`
+
+## 2) Répertoires & conventions (repo)
+### 2.1 Contenu canon (édition)
+- `src/content/**` : contenu MD / MDX canon (Astro content collections)
+- `src/pages/**` : routes Astro (index, [...slug], etc.)
+- `src/components/**` : composants UI (SiteNav, TOC, SidePanel, etc.)
+- `src/layouts/**` : layouts (EditionLayout, SiteLayout)
+- `src/styles/**` : CSS global
+
+### 2.2 Annotations (pré-Édition “tickets”)
+- `src/annotations/<workKey>/<slug>.yml`
+  - Exemple : `src/annotations/archicrat-ia/prologue.yml`
+- Objectif : stocker “Références / Médias / Commentaires” par page et par paragraphe (`p-...`).
+
+### 2.3 Scripts (tooling / build)
+- `scripts/inject-anchor-aliases.mjs` : injection aliases dans dist
+- `scripts/dedupe-ids-dist.mjs` : retire IDs dupliqués dans dist
+- `scripts/build-para-index.mjs` : index paragraphes (postbuild / predev)
+- `scripts/build-annotations-index.mjs` : index annotations (postbuild / predev)
+- `scripts/check-anchors.mjs` : contrat stabilité d’ancres (CI)
+- `scripts/check-annotations*.mjs` : sanity YAML + médias
+
+> Important : les scripts sont **partie intégrante** de la stabilité (IDs/ancres/indexation).  
+> On évite “la magie” : tout est scripté + vérifié.
+
+## 3) Workflow Git “pro” (main protégé)
+### 3.1 Cycle standard (toute modif)
+en bash :
+
+git checkout main
+git pull --ff-only
+
+BR="chore/xxx-$(date +%Y%m%d)"
+git checkout -b "$BR"
+
+# dev…
+npm i
+npm run build
+npm run test:anchors
+
+git add -A
+git commit -m "xxx: description claire"
+git push -u origin "$BR"
+
+### 3.2 PR vers main
+
+Ouvrir PR dans Gitea
+
+CI doit être verte
+
+Merge PR → main
+
+### 3.3 Cas spécial : hotfix prod (NAS)
+
+On peut faire un hotfix “urgence” en prod/staging si nécessaire…
+
+MAIS : l’état final doit revenir dans Gitea : branche → PR → CI → merge.
+
+## 4) Déploiement (NAS) — principe
+### 4.1 Release pack
+
+On génère un pack “reproductible” (source + config + scripts) puis on déploie.
+
+### 4.2 Blue/Green
+
+web_blue = staging upstream (8081)
+
+web_green = live upstream (8082)
+
+Edge Traefik sélectionne quel host pointe vers quel upstream.
+
+## 5) Check-list “≤ 10 commandes” (happy path complet)
+### 5.1 DEV (Mac)
+
+git checkout main && git pull --ff-only
+git checkout -b chore/my-change-$(date +%Y%m%d)
+
+npm i
+rm -rf .astro node_modules/.vite dist
+npm run build
+npm run test:anchors
+npm run dev
+
+### 5.2 Push + PR
+
+git add -A
+git commit -m "chore: my change"
+git push -u origin chore/my-change-YYYYMMDD
+# ouvrir PR dans Gitea
+
+### 5.3 Déploiement NAS (résumé)
+
+Voir docs/runbooks/DEPLOY-BLUE-GREEN.md.
+
+## 6) Problèmes “classiques” + diagnostic rapide
+### 6.1 “Le staging ne ressemble pas au local”
+
+# Comparer upstream direct 8081 vs 8082 :
+
+curl -sS http://127.0.0.1:8081/ | head -n 2
+curl -sS http://127.0.0.1:8082/ | head -n 2
+
+# Vérifier quel routeur edge répond (header diag) :
+
+curl -sSI -H 'Host: staging.archicratie.trans-hands.synology.me' http://127.0.0.1:18080/ \
+ | grep -iE 'HTTP/|location:|x-archi-router'
+
+# Lire docs/runbooks/EDGE-TRAEFIK.md.
+
+### 6.2 Canonical incorrect (localhost en prod)
+
+Cause racine : site dans Astro = PUBLIC_SITE non injecté au build.
+
+Fix canonique : voir docs/runbooks/ENV-PUBLIC_SITE.md.
+
+Test :
+
+curl -sS http://127.0.0.1:8082/ | grep -oE 'rel="canonical" href="[^"]+"' | head -1
+
+### 6.3 Contrat “anchors” en échec après migration d’URL
+
+Quand on déplace des routes (ex: /archicratie/archicrat-ia/* → /archicrat-ia/*), le test d’ancres peut échouer même si les IDs n’ont pas changé, car les pages ont changé de chemin.
+
+# Procédure safe :
+
+Backup baseline :
+
+cp -a tests/anchors-baseline.json /tmp/anchors-baseline.json.bak.$(date +%F-%H%M%S)
+
+Mettre à jour les clés (chemins) sans toucher aux IDs :
+
+node - <<'NODE'
+import fs from 'fs';
+const p='tests/anchors-baseline.json';
+const j=JSON.parse(fs.readFileSync(p,'utf8'));
+const out={};
+for (const [k,v] of Object.entries(j)) {
+  const nk = k.replace(/^archicratie\/archicrat-ia\//, 'archicrat-ia/');
+  out[nk]=v;
+}
+fs.writeFileSync(p, JSON.stringify(out,null,2)+'\n');
+console.log('updated keys:', Object.keys(j).length, '->', Object.keys(out).length);
+NODE
+
+Re-run :
+
+npm run test:anchors
+
+## 7) Ce que l’étape 9 doit faire (orientation)
+
+Stabiliser le pipeline “tickets → YAML annotations”
+
+Formaliser la spec YAML + merge + anti-doublon (voir docs/EDITORIAL-ANNOTATIONS-SPEC.md)
+
+Durcir l’onboarding (ce START-HERE + runbooks)
+
+Éviter les régressions par tests (anchors / annotations / smoke)

docs/runbooks/DEPLOY-BLUE-GREEN.md

@@ -0,0 +1,202 @@
+# RUNBOOK — Déploiement Blue/Green (NAS DS220+)
+> Objectif : déployer une release **sans casser**, avec rollback immédiat.
+
+## 0) Portée
+Ce runbook décrit le déploiement de l’édition web Archicratie sur NAS (Synology), en mode blue/green :
+- `web_blue` : upstream staging → `127.0.0.1:8081`
+- `web_green` : upstream live → `127.0.0.1:8082`
+- Edge Traefik publie :
+  - `staging.archicratie.trans-hands.synology.me` → 8081
+  - `archicratie.trans-hands.synology.me` → 8082
+
+## 1) Pré-requis
+- Accès shell NAS (user `archicratia`) + `sudo`
+- Docker Compose Synology nécessite souvent :
+  - `sudo env DOCKER_API_VERSION=1.43 docker compose ...`
+- Les fichiers edge Traefik sont dans :
+  - `/volume2/docker/edge/config/dynamic/`
+
+## 2) Répertoires canon (NAS)
+On considère ces chemins (adapter si besoin, mais rester cohérent) :
+- Base : `/volume2/docker/archicratie-web`
+- Releases : `/volume2/docker/archicratie-web/releases/YYYYMMDD-HHMMSS/app`
+- Symlink actif : `/volume2/docker/archicratie-web/current` → pointe vers le `.../app` actif
+
+## 3) Garde-fous (AVANT toute action)
+### 3.1 Snapshot de l’état actuel
+en bash :
+
+cd /volume2/docker/archicratie-web
+ls -la current || true
+readlink current || true
+
+### 3.2 Vérifier l’état live/staging upstream direct
+
+curl -sSI http://127.0.0.1:8081/ | head -n 12
+curl -sSI http://127.0.0.1:8082/ | head -n 12
+
+### 3.3 Vérifier l’état edge (host routing)
+
+curl -sSI -H 'Host: staging.archicratie.trans-hands.synology.me' http://127.0.0.1:18080/ \
+ | grep -iE 'HTTP/|location:|x-archi-router' | head -n 30
+
+curl -sSI -H 'Host: archicratie.trans-hands.synology.me' http://127.0.0.1:18080/ \
+ | grep -iE 'HTTP/|location:|x-archi-router' | head -n 30
+
+ Si tu n’es pas authentifié, tu verras un 302 vers auth... : c’est normal.
+
+## 4) Procédure de déploiement (release pack → nouvelle release)
+### 4.1 Déposer le pack
+
+Hypothèse : tu as un .tgz “release pack” (issu de release-pack.sh) dans incoming/ :
+
+cd /volume2/docker/archicratie-web
+ls -la incoming | tail -n 20
+
+### 4.2 Créer un répertoire release
+
+TS="$(date +%Y%m%d-%H%M%S)"
+REL="/volume2/docker/archicratie-web/releases/$TS"
+APP="$REL/app"
+sudo mkdir -p "$APP"
+
+### 4.3 Extraire le pack
+
+PKG="/volume2/docker/archicratie-web/incoming/archicratie-web.tar.gz"  # adapter au nom réel
+sudo tar -xzf "$PKG" -C "$APP"
+
+### 4.4 Sanity check (fichiers attendus)
+
+sudo test -f "$APP/Dockerfile" && echo "OK Dockerfile"
+sudo test -f "$APP/docker-compose.yml" && echo "OK compose"
+sudo test -f "$APP/astro.config.mjs" && echo "OK astro config"
+sudo test -f "$APP/src/layouts/EditionLayout.astro" && echo "OK layout"
+sudo test -f "$APP/src/pages/archicrat-ia/index.astro" && echo "OK archicrat-ia index"
+sudo test -f "$APP/docs/diagrams/archicratie-web-edition-global-verbatim-v2.svg" && echo "OK diagrams"
+
+### 4.5 Permissions (crucial sur Synology)
+
+But : archicratia:users doit pouvoir traverser le parent + lire le contenu.
+
+sudo chown -R archicratia:users "$REL"
+sudo chmod -R u+rwX,g+rX,o-rwx "$REL"
+sudo chmod 750 "$REL" "$APP"
+
+Vérifier :
+
+ls -ld "$REL" "$APP"
+ls -la "$APP" | head
+
+## 5) Activation : basculer current vers la nouvelle release
+### 5.1 Backup du current existant
+
+cd /volume2/docker/archicratie-web
+TS2="$(date +%F-%H%M%S)"
+
+# on backup "current" (symlink ou dossier)
+if [ -e current ] || [ -L current ]; then
+  sudo mv -f current "current.BAK.$TS2"
+  echo "✅ backup: current.BAK.$TS2"
+fi
+
+### 5.2 Recréer current (symlink propre)
+
+sudo ln -s "$APP" current
+
+ls -la current
+readlink current
+sudo test -f current/docker-compose.yml && echo "✅ OK: current/docker-compose.yml"
+
+Si cd current échoue, c’est que current n’est pas un symlink correct OU que le parent n’est pas traversable (permissions).
+
+## 6) Build & run : (re)construire web_blue/web_green
+### 6.1 Vérifier la config compose
+
+cd /volume2/docker/archicratie-web/current
+sudo env DOCKER_API_VERSION=1.43 docker compose -f docker-compose.yml config \
+  | grep -nE 'services:|web_blue:|web_green:|context:|dockerfile:|PUBLIC_SITE|REQUIRE_PUBLIC_SITE' \
+  | sed -n '1,220p'
+
+### 6.2 Build propre (recommandé si changement de code/config)
+
+sudo env DOCKER_API_VERSION=1.43 docker compose build --no-cache web_blue web_green
+
+### 6.3 Up (force recreate)
+
+sudo env DOCKER_API_VERSION=1.43 docker compose up -d --force-recreate web_blue web_green
+
+### 6.4 Vérifier upstream direct (8081/8082)
+
+curl -sSI http://127.0.0.1:8081/ | head -n 12
+curl -sSI http://127.0.0.1:8082/ | head -n 12
+
+## 7) Tests de non-régression (MINIMAL CHECKLIST)
+
+À exécuter systématiquement après up.
+
+### 7.1 Upstreams directs
+
+curl -sSI http://127.0.0.1:8081/ | head -n 12
+curl -sSI http://127.0.0.1:8082/ | head -n 12
+
+### 7.2 Canonical (anti “localhost en prod”)
+
+curl -sS http://127.0.0.1:8081/ | grep -oE 'rel="canonical" href="[^"]+"' | head -n 1
+curl -sS http://127.0.0.1:8082/ | grep -oE 'rel="canonical" href="[^"]+"' | head -n 1
+
+Attendu :
+
+blue (8081) → https://staging.archicratie.../
+
+green (8082) → https://archicratie.../
+
+### 7.3 Edge routing (Host header + diag)
+
+curl -sSI -H 'Host: staging.archicratie.trans-hands.synology.me' http://127.0.0.1:18080/ \
+ | grep -iE 'HTTP/|location:|x-archi-router' | head -n 30
+
+curl -sSI -H 'Host: staging.archicratie.trans-hands.synology.me' http://127.0.0.1:18080/_auth/whoami \
+ | grep -iE 'HTTP/|location:|x-archi-router' | head -n 30
+
+### 7.4 Smoke UI (manuel)
+
+Home : lien “Essai-thèse — ArchiCraT-IA” → /archicrat-ia/
+
+TOC global : liens /archicrat-ia/* (pas de préfixe /archicratie/archicrat-ia/*)
+
+Reading-follow/TOC local : scroll ok
+
+## 8) Rollback (si un seul test est mauvais)
+
+Objectif : revenir immédiatement à l’état précédent.
+
+### 8.1 Repointer current sur l’ancien backup
+
+cd /volume2/docker/archicratie-web
+ls -la current.BAK.* | tail -n 5
+
+# choisir le plus récent
+OLD="current.BAK.YYYY-MM-DD-HHMMSS"
+sudo rm -f current
+sudo ln -s "$(readlink -f "$OLD")" current 2>/dev/null || sudo ln -s "$(readlink "$OLD")" current
+
+ls -la current
+readlink current
+
+### 8.2 Rebuild + recreate
+
+cd /volume2/docker/archicratie-web/current
+sudo env DOCKER_API_VERSION=1.43 docker compose build --no-cache web_blue web_green
+sudo env DOCKER_API_VERSION=1.43 docker compose up -d --force-recreate web_blue web_green
+
+### 8.3 Re-tester la checklist (section 7)
+
+Si rollback OK : investiguer en environnement isolé (staging upstream uniquement, ou release dans un autre current).
+
+## 9) Notes opérationnelles
+
+Ne jamais modifier dist/ “à la main” sur NAS.
+
+Si un hotfix prod est indispensable : documenter et backporter via PR Gitea.
+
+Le canonical dépend du build : PUBLIC_SITE doit être injecté (voir runbook ENV-PUBLIC_SITE).

docs/runbooks/EDGE-TRAEFIK.md

@@ -0,0 +1,147 @@
+# RUNBOOK — Edge Traefik (routing + SSO Authelia)
+> Objectif : comprendre et diagnostiquer rapidement qui route quoi, et pourquoi staging/live peuvent diverger.
+
+## 0) Portée
+Edge Traefik route plusieurs hosts vers des backends locaux (127.0.0.1:*), avec Auth via Authelia.
+
+Répertoire :
+- `/volume2/docker/edge/config/dynamic/`
+
+Port d’entrée edge :
+- `http://127.0.0.1:18080/` (entryPoint `web`)
+- Les hosts publics pointent vers cet edge.
+
+## 1) Fichiers dynamiques (canon)
+### 00-smoke.yml
+- route `/__smoke` vers le service `smoke_svc` → `127.0.0.1:18081`
+
+### 10-core.yml
+- définit les middlewares :
+  - `sanitize-remote`
+  - `authelia` (forwardAuth vers 9091)
+  - `chain-auth` (chain sanitize-remote + authelia)
+
+### 20-archicratie-backend.yml
+- définit service `archicratie_web` → `127.0.0.1:8082` (live upstream)
+
+### 21-archicratie-staging.yml
+- route staging host vers `127.0.0.1:8081` (staging upstream)
+- applique middlewares `diag-staging@file` et `chain-auth@file`
+- IMPORTANT : `diag-staging@file` doit exister
+
+### 22-archicratie-authinfo-staging.yml
+- route `/ _auth /` sur staging vers `whoami@file`
+- applique `diag-staging-authinfo@file` + `chain-auth@file`
+- IMPORTANT : `diag-staging-authinfo@file` doit exister
+
+### 90-overlay-staging-fix.yml (overlay de diagnostic + fallback)
+Rôle :
+- **fournir** les middlewares manquants (`diag-staging`, `diag-staging-authinfo`)
+- optionnel : fallback route si 21/22 sont cassés
+- injecter un header `X-Archi-Router` pour identifier le routeur utilisé
+
+### 92-overlay-live-fix.yml
+- route live host `archicratie.trans-hands.synology.me` → `archicratie_web@file` (8082)
+- route `/ _auth/whoami` → `whoami@file` (18081)
+
+## 2) Diagnostiquer rapidement : quel routeur répond ?
+### 2.1 Test “host header” (sans UI)
+# en bash :
+
+curl -sSI -H 'Host: staging.archicratie.trans-hands.synology.me' http://127.0.0.1:18080/ \
+ | grep -iE 'HTTP/|location:|x-archi-router' | head -n 30
+
+curl -sSI -H 'Host: staging.archicratie.trans-hands.synology.me' http://127.0.0.1:18080/_auth/whoami \
+ | grep -iE 'HTTP/|location:|x-archi-router' | head -n 30
+
+# Interprétation :
+
+X-Archi-Router: staging@21 → routeur 21-archicratie-staging.yml OK
+
+X-Archi-Router: staging-authinfo@22 → routeur authinfo OK
+
+Si tu vois staging-fallback@90 → tu es tombé sur le fallback 90 (donc 21/22 potentiellement invalides)
+
+### 2.2 Vérifier l’upstream direct derrière edge
+
+curl -sSI http://127.0.0.1:8081/ | head -n 12
+curl -sSI http://127.0.0.1:8082/ | head -n 12
+
+Si 8081 et 8082 servent des versions différentes : c’est “normal” en blue/green, mais il faut savoir laquelle est censée être staging/live.
+
+## 3) Diagnostiquer les erreurs Traefik (fichier invalide / middleware manquant)
+### 3.1 Grep “level=error”
+
+sudo docker logs edge-traefik --since 5m | grep -Ei 'level=error|middleware|router|service|yaml' | tail -n 80
+
+# Cas typique :
+
+middleware "diag-staging@file" does not exist
+→ 21-archicratie-staging.yml référence un middleware absent. Solution : le définir (souvent dans 90-overlay-staging-fix.yml).
+
+## 4) Procédure safe de modification (jamais en aveugle)
+### 4.1 Backup
+
+cd /volume2/docker/edge/config/dynamic
+TS="$(date +%F-%H%M%S)"
+sudo cp -a 90-overlay-staging-fix.yml "90-overlay-staging-fix.yml.bak.$TS"
+
+### 4.2 Édition (ex : ajouter middlewares diag)
+
+Faire une modif minimale
+
+Ne pas casser les règles existantes (Host + PathPrefix)
+
+Respecter les priorités (voir section 5)
+
+### 4.3 Reload Traefik
+
+sudo docker restart edge-traefik
+
+### 4.4 Tests immédiats
+
+curl -sSI -H 'Host: staging.archicratie.trans-hands.synology.me' http://127.0.0.1:18080/ \
+ | grep -iE 'HTTP/|location:|x-archi-router'
+
+curl -sSI -H 'Host: staging.archicratie.trans-hands.synology.me' http://127.0.0.1:18080/_auth/whoami \
+ | grep -iE 'HTTP/|location:|x-archi-router'
+
+## 5) Priorités Traefik (le point subtil)
+
+Traefik choisit le routeur selon :
+
+la correspondance de règle
+
+la priority (plus grand gagne)
+
+en cas d’égalité, l’ordre interne (à éviter)
+
+### 5.1 Canon pour staging
+
+21-archicratie-staging.yml : priority 10
+
+22-archicratie-authinfo-staging.yml : priority 10000
+
+90-overlay-staging-fix.yml :
+
+fallback host : priority faible (ex: 5) pour ne PAS écraser 21
+
+fallback whoami : priority < 10000 (ex: 9000) pour ne PAS écraser 22
+
+=> On garde 90 comme filet de sécurité / diag, pas comme “source”.
+
+## 6) Rollback (si un changement edge casse staging/live)
+
+cd /volume2/docker/edge/config/dynamic
+# choisir le bon backup
+sudo mv -f 90-overlay-staging-fix.yml "90-overlay-staging-fix.yml.BAD.$(date +%F-%H%M%S)"
+sudo cp -a 90-overlay-staging-fix.yml.bak.YYYY-MM-DD-HHMMSS 90-overlay-staging-fix.yml
+sudo docker restart edge-traefik
+
+Puis re-tests section 2.
+
+## 7) Remarques
+
+Les 302 Authelia sont normaux si non authentifié.
+
+Un 404 “Not Found” depuis edge alors que 8081 répond : souvent routeur manquant / invalidé / middleware absent.

docs/runbooks/ENV-PUBLIC_SITE.md

@@ -0,0 +1,114 @@
+# RUNBOOK — PUBLIC_SITE (canonical + sitemap) “anti localhost en prod”
+> Objectif : ne plus jamais voir `rel="canonical" href="http://localhost:4321/"` en staging/live.
+
+## 0) Pourquoi c’est critique
+Astro génère :
+- `<link rel="canonical" href="...">`
+- `sitemap-index.xml`
+
+Ces valeurs dépendent de `site` dans `astro.config.mjs`.
+
+Si `site` vaut `http://localhost:4321` au moment du build Docker, **la prod sortira des canonical faux** :
+- SEO / partage / cohérence de navigation impactés
+- confusion staging/live
+
+## 1) Règle canonique
+- `astro.config.mjs` :
+# en js :
+
+site: process.env.PUBLIC_SITE ?? "http://localhost:4321"
+
+# Donc :
+
+En DEV local : pas besoin de PUBLIC_SITE (fallback ok)
+
+En build “déploiement” : on DOIT fournir PUBLIC_SITE
+
+## 2) Exigence “antifragile”
+### 2.1 Dockerfile (build stage)
+
+On injecte PUBLIC_SITE au build et on peut le rendre obligatoire :
+
+ARG PUBLIC_SITE
+
+ARG REQUIRE_PUBLIC_SITE=0
+
+ENV PUBLIC_SITE=$PUBLIC_SITE
+
+# garde-fou :
+
+RUN if [ "$REQUIRE_PUBLIC_SITE" = "1" ] && [ -z "$PUBLIC_SITE" ]; then \
+      echo "ERROR: PUBLIC_SITE is required (REQUIRE_PUBLIC_SITE=1)"; exit 1; \
+    fi
+
+=> Si quelqu’un oublie l’URL en prod, le build casse au lieu de produire une release mauvaise.
+
+## 3) docker-compose : blue/staging vs green/live
+
+Objectif : injecter deux valeurs différentes, sans bricolage.
+
+### 3.1 .env (NAS)
+
+Exemple canonique :
+
+PUBLIC_SITE_BLUE=https://staging.archicratie.trans-hands.synology.me
+PUBLIC_SITE_GREEN=https://archicratie.trans-hands.synology.me
+
+### 3.2 docker-compose.yml
+
+web_blue :
+
+REQUIRE_PUBLIC_SITE: "1"
+
+PUBLIC_SITE: ${PUBLIC_SITE_BLUE}
+
+web_green :
+
+REQUIRE_PUBLIC_SITE: "1"
+
+PUBLIC_SITE: ${PUBLIC_SITE_GREEN}
+
+## 4) Tests (obligatoires après build)
+### 4.1 Vérifier l’injection dans compose
+
+sudo env DOCKER_API_VERSION=1.43 docker compose config \
+ | grep -nE 'PUBLIC_SITE|REQUIRE_PUBLIC_SITE|web_blue:|web_green:' | sed -n '1,200p'
+
+### 4.2 Vérifier canonical (upstream direct)
+
+curl -sS http://127.0.0.1:8081/ | grep -oE 'rel="canonical" href="[^"]+"' | head -n 1
+curl -sS http://127.0.0.1:8082/ | grep -oE 'rel="canonical" href="[^"]+"' | head -n 1
+
+# Attendu :
+
+blue : https://staging.../
+
+green : https://archicratie.../
+
+## 5) Procédure de correction (si canonical est faux)
+### 5.1 Vérifier astro.config.mjs dans la release courante
+
+cd /volume2/docker/archicratie-web/current
+grep -nE 'site:\s*process\.env\.PUBLIC_SITE' astro.config.mjs
+
+### 5.2 Vérifier que Dockerfile exporte PUBLIC_SITE
+
+grep -nE 'ARG PUBLIC_SITE|ENV PUBLIC_SITE|REQUIRE_PUBLIC_SITE' Dockerfile
+
+### 5.3 Vérifier .env et compose
+
+grep -nE 'PUBLIC_SITE_BLUE|PUBLIC_SITE_GREEN' .env
+grep -nE 'PUBLIC_SITE|REQUIRE_PUBLIC_SITE' docker-compose.yml
+
+### 5.4 Rebuild + recreate
+
+sudo env DOCKER_API_VERSION=1.43 docker compose build --no-cache web_blue web_green
+sudo env DOCKER_API_VERSION=1.43 docker compose up -d --force-recreate web_blue web_green
+
+Puis tests section 4.
+
+## 6) Notes
+
+Cette mécanique doit être backportée dans Gitea (source canonique), sinon ça re-cassera au prochain pack.
+
+En DEV local, conserver le fallback http://localhost:4321 est utile et normal.

package-lock.json

@@ -9,7 +9,7 @@
       "version": "0.0.1",
       "dependencies": {
         "@astrojs/mdx": "^4.3.13",
-        "astro": "^5.16.11"
+        "astro": "^5.17.3"
       },
       "devDependencies": {
         "@astrojs/sitemap": "^3.7.0",
@@ -1905,9 +1905,9 @@
       }
     },
     "node_modules/astro": {
-      "version": "5.16.11",
-      "resolved": "https://registry.npmjs.org/astro/-/astro-5.16.11.tgz",
-      "integrity": "sha512-Z7kvkTTT5n6Hn5lCm6T3WU6pkxx84Hn25dtQ6dR7ATrBGq9eVa8EuB/h1S8xvaoVyCMZnIESu99Z9RJfdLRLDA==",
+      "version": "5.17.3",
+      "resolved": "https://registry.npmjs.org/astro/-/astro-5.17.3.tgz",
+      "integrity": "sha512-69dcfPe8LsHzklwj+hl+vunWUbpMB6pmg35mACjetxbJeUNNys90JaBM8ZiwsPK689SAj/4Zqb1ayaANls9/MA==",
       "license": "MIT",
       "dependencies": {
         "@astrojs/compiler": "^2.13.0",
@@ -1933,7 +1933,7 @@
         "dlv": "^1.1.3",
         "dset": "^3.1.4",
         "es-module-lexer": "^1.7.0",
-        "esbuild": "^0.25.0",
+        "esbuild": "^0.27.3",
         "estree-walker": "^3.0.3",
         "flattie": "^1.1.1",
         "fontace": "~0.4.0",
@@ -1954,16 +1954,16 @@
         "prompts": "^2.4.2",
         "rehype": "^13.0.2",
         "semver": "^7.7.3",
-        "shiki": "^3.20.0",
+        "shiki": "^3.21.0",
         "smol-toml": "^1.6.0",
         "svgo": "^4.0.0",
         "tinyexec": "^1.0.2",
         "tinyglobby": "^0.2.15",
         "tsconfck": "^3.1.6",
         "ultrahtml": "^1.6.0",
-        "unifont": "~0.7.1",
+        "unifont": "~0.7.3",
         "unist-util-visit": "^5.0.0",
-        "unstorage": "^1.17.3",
+        "unstorage": "^1.17.4",
         "vfile": "^6.0.3",
         "vite": "^6.4.1",
         "vitefu": "^1.1.1",
@@ -1990,6 +1990,463 @@
         "sharp": "^0.34.0"
       }
     },
+    "node_modules/astro/node_modules/@esbuild/aix-ppc64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.3.tgz",
+      "integrity": "sha512-9fJMTNFTWZMh5qwrBItuziu834eOCUcEqymSH7pY+zoMVEZg3gcPuBNxH1EvfVYe9h0x/Ptw8KBzv7qxb7l8dg==",
+      "cpu": [
+        "ppc64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "aix"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/android-arm": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.3.tgz",
+      "integrity": "sha512-i5D1hPY7GIQmXlXhs2w8AWHhenb00+GxjxRncS2ZM7YNVGNfaMxgzSGuO8o8SJzRc/oZwU2bcScvVERk03QhzA==",
+      "cpu": [
+        "arm"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/android-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.3.tgz",
+      "integrity": "sha512-YdghPYUmj/FX2SYKJ0OZxf+iaKgMsKHVPF1MAq/P8WirnSpCStzKJFjOjzsW0QQ7oIAiccHdcqjbHmJxRb/dmg==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/android-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.3.tgz",
+      "integrity": "sha512-IN/0BNTkHtk8lkOM8JWAYFg4ORxBkZQf9zXiEOfERX/CzxW3Vg1ewAhU7QSWQpVIzTW+b8Xy+lGzdYXV6UZObQ==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/darwin-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.3.tgz",
+      "integrity": "sha512-Re491k7ByTVRy0t3EKWajdLIr0gz2kKKfzafkth4Q8A5n1xTHrkqZgLLjFEHVD+AXdUGgQMq+Godfq45mGpCKg==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/darwin-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.3.tgz",
+      "integrity": "sha512-vHk/hA7/1AckjGzRqi6wbo+jaShzRowYip6rt6q7VYEDX4LEy1pZfDpdxCBnGtl+A5zq8iXDcyuxwtv3hNtHFg==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/freebsd-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.3.tgz",
+      "integrity": "sha512-ipTYM2fjt3kQAYOvo6vcxJx3nBYAzPjgTCk7QEgZG8AUO3ydUhvelmhrbOheMnGOlaSFUoHXB6un+A7q4ygY9w==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/freebsd-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.3.tgz",
+      "integrity": "sha512-dDk0X87T7mI6U3K9VjWtHOXqwAMJBNN2r7bejDsc+j03SEjtD9HrOl8gVFByeM0aJksoUuUVU9TBaZa2rgj0oA==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/linux-arm": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.3.tgz",
+      "integrity": "sha512-s6nPv2QkSupJwLYyfS+gwdirm0ukyTFNl3KTgZEAiJDd+iHZcbTPPcWCcRYH+WlNbwChgH2QkE9NSlNrMT8Gfw==",
+      "cpu": [
+        "arm"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/linux-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.3.tgz",
+      "integrity": "sha512-sZOuFz/xWnZ4KH3YfFrKCf1WyPZHakVzTiqji3WDc0BCl2kBwiJLCXpzLzUBLgmp4veFZdvN5ChW4Eq/8Fc2Fg==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/linux-ia32": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.3.tgz",
+      "integrity": "sha512-yGlQYjdxtLdh0a3jHjuwOrxQjOZYD/C9PfdbgJJF3TIZWnm/tMd/RcNiLngiu4iwcBAOezdnSLAwQDPqTmtTYg==",
+      "cpu": [
+        "ia32"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/linux-loong64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.3.tgz",
+      "integrity": "sha512-WO60Sn8ly3gtzhyjATDgieJNet/KqsDlX5nRC5Y3oTFcS1l0KWba+SEa9Ja1GfDqSF1z6hif/SkpQJbL63cgOA==",
+      "cpu": [
+        "loong64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/linux-mips64el": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.3.tgz",
+      "integrity": "sha512-APsymYA6sGcZ4pD6k+UxbDjOFSvPWyZhjaiPyl/f79xKxwTnrn5QUnXR5prvetuaSMsb4jgeHewIDCIWljrSxw==",
+      "cpu": [
+        "mips64el"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/linux-ppc64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.3.tgz",
+      "integrity": "sha512-eizBnTeBefojtDb9nSh4vvVQ3V9Qf9Df01PfawPcRzJH4gFSgrObw+LveUyDoKU3kxi5+9RJTCWlj4FjYXVPEA==",
+      "cpu": [
+        "ppc64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/linux-riscv64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.3.tgz",
+      "integrity": "sha512-3Emwh0r5wmfm3ssTWRQSyVhbOHvqegUDRd0WhmXKX2mkHJe1SFCMJhagUleMq+Uci34wLSipf8Lagt4LlpRFWQ==",
+      "cpu": [
+        "riscv64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/linux-s390x": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.3.tgz",
+      "integrity": "sha512-pBHUx9LzXWBc7MFIEEL0yD/ZVtNgLytvx60gES28GcWMqil8ElCYR4kvbV2BDqsHOvVDRrOxGySBM9Fcv744hw==",
+      "cpu": [
+        "s390x"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/linux-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.3.tgz",
+      "integrity": "sha512-Czi8yzXUWIQYAtL/2y6vogER8pvcsOsk5cpwL4Gk5nJqH5UZiVByIY8Eorm5R13gq+DQKYg0+JyQoytLQas4dA==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/netbsd-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.3.tgz",
+      "integrity": "sha512-sDpk0RgmTCR/5HguIZa9n9u+HVKf40fbEUt+iTzSnCaGvY9kFP0YKBWZtJaraonFnqef5SlJ8/TiPAxzyS+UoA==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/netbsd-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.3.tgz",
+      "integrity": "sha512-P14lFKJl/DdaE00LItAukUdZO5iqNH7+PjoBm+fLQjtxfcfFE20Xf5CrLsmZdq5LFFZzb5JMZ9grUwvtVYzjiA==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/openbsd-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.3.tgz",
+      "integrity": "sha512-AIcMP77AvirGbRl/UZFTq5hjXK+2wC7qFRGoHSDrZ5v5b8DK/GYpXW3CPRL53NkvDqb9D+alBiC/dV0Fb7eJcw==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/openbsd-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.3.tgz",
+      "integrity": "sha512-DnW2sRrBzA+YnE70LKqnM3P+z8vehfJWHXECbwBmH/CU51z6FiqTQTHFenPlHmo3a8UgpLyH3PT+87OViOh1AQ==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/openharmony-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.3.tgz",
+      "integrity": "sha512-NinAEgr/etERPTsZJ7aEZQvvg/A6IsZG/LgZy+81wON2huV7SrK3e63dU0XhyZP4RKGyTm7aOgmQk0bGp0fy2g==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openharmony"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/sunos-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.3.tgz",
+      "integrity": "sha512-PanZ+nEz+eWoBJ8/f8HKxTTD172SKwdXebZ0ndd953gt1HRBbhMsaNqjTyYLGLPdoWHy4zLU7bDVJztF5f3BHA==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "sunos"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/win32-arm64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.3.tgz",
+      "integrity": "sha512-B2t59lWWYrbRDw/tjiWOuzSsFh1Y/E95ofKz7rIVYSQkUYBjfSgf6oeYPNWHToFRr2zx52JKApIcAS/D5TUBnA==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/win32-ia32": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.3.tgz",
+      "integrity": "sha512-QLKSFeXNS8+tHW7tZpMtjlNb7HKau0QDpwm49u0vUp9y1WOF+PEzkU84y9GqYaAVW8aH8f3GcBck26jh54cX4Q==",
+      "cpu": [
+        "ia32"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/@esbuild/win32-x64": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.3.tgz",
+      "integrity": "sha512-4uJGhsxuptu3OcpVAzli+/gWusVGwZZHTlS63hh++ehExkVT8SgiEf7/uC/PclrPPkLhZqGgCTjd0VWLo6xMqA==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/astro/node_modules/esbuild": {
+      "version": "0.27.3",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.3.tgz",
+      "integrity": "sha512-8VwMnyGCONIs6cWue2IdpHxHnAjzxnw2Zr7MkVxB2vjmQ2ivqGFb4LEG3SMnv0Gb2F/G/2yA8zUaiL1gywDCCg==",
+      "hasInstallScript": true,
+      "license": "MIT",
+      "bin": {
+        "esbuild": "bin/esbuild"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "optionalDependencies": {
+        "@esbuild/aix-ppc64": "0.27.3",
+        "@esbuild/android-arm": "0.27.3",
+        "@esbuild/android-arm64": "0.27.3",
+        "@esbuild/android-x64": "0.27.3",
+        "@esbuild/darwin-arm64": "0.27.3",
+        "@esbuild/darwin-x64": "0.27.3",
+        "@esbuild/freebsd-arm64": "0.27.3",
+        "@esbuild/freebsd-x64": "0.27.3",
+        "@esbuild/linux-arm": "0.27.3",
+        "@esbuild/linux-arm64": "0.27.3",
+        "@esbuild/linux-ia32": "0.27.3",
+        "@esbuild/linux-loong64": "0.27.3",
+        "@esbuild/linux-mips64el": "0.27.3",
+        "@esbuild/linux-ppc64": "0.27.3",
+        "@esbuild/linux-riscv64": "0.27.3",
+        "@esbuild/linux-s390x": "0.27.3",
+        "@esbuild/linux-x64": "0.27.3",
+        "@esbuild/netbsd-arm64": "0.27.3",
+        "@esbuild/netbsd-x64": "0.27.3",
+        "@esbuild/openbsd-arm64": "0.27.3",
+        "@esbuild/openbsd-x64": "0.27.3",
+        "@esbuild/openharmony-arm64": "0.27.3",
+        "@esbuild/sunos-x64": "0.27.3",
+        "@esbuild/win32-arm64": "0.27.3",
+        "@esbuild/win32-ia32": "0.27.3",
+        "@esbuild/win32-x64": "0.27.3"
+      }
+    },
     "node_modules/axobject-query": {
       "version": "4.1.0",
       "resolved": "https://registry.npmjs.org/axobject-query/-/axobject-query-4.1.0.tgz",

package.json

@@ -4,32 +4,29 @@
   "version": "0.0.1",
   "private": true,
   "scripts": {
-    "dev": "astro dev",
+    "dev": "node scripts/write-dev-whoami.mjs && astro dev",
     "preview": "astro preview",
     "astro": "astro",
-
     "clean": "rm -rf dist",
     "build": "astro build",
     "build:clean": "npm run clean && npm run build",
-
-    "postbuild": "node scripts/inject-anchor-aliases.mjs && node scripts/dedupe-ids-dist.mjs && npx pagefind --site dist",
-
+    "postbuild": "node scripts/inject-anchor-aliases.mjs && node scripts/dedupe-ids-dist.mjs && node scripts/build-para-index.mjs && node scripts/build-annotations-index.mjs && node scripts/purge-dist-dev-whoami.mjs && npx pagefind --site dist",
     "import": "node scripts/import-docx.mjs",
     "apply:ticket": "node scripts/apply-ticket.mjs",
-
     "audit:dist": "node scripts/audit-dist.mjs",
-
+    "build:para-index": "node scripts/build-para-index.mjs",
+    "build:annotations-index": "node scripts/build-annotations-index.mjs",
     "test:aliases": "node scripts/check-anchor-aliases.mjs",
     "test:anchors": "node scripts/check-anchors.mjs",
     "test:anchors:update": "node scripts/check-anchors.mjs --update",
-
-    "test": "npm run test:aliases && npm run build:clean && npm run audit:dist && node scripts/verify-anchor-aliases-in-dist.mjs && npm run test:anchors && node scripts/check-inline-js.mjs",
-
+    "test:annotations": "node scripts/check-annotations.mjs",
+    "test:annotations:media": "node scripts/check-annotations-media.mjs",
+    "test": "npm run test:aliases && npm run build:clean && npm run audit:dist && node scripts/verify-anchor-aliases-in-dist.mjs && npm run test:anchors && npm run test:annotations && npm run test:annotations:media && node scripts/check-inline-js.mjs",
     "ci": "CI=1 npm test"
   },
   "dependencies": {
     "@astrojs/mdx": "^4.3.13",
-    "astro": "^5.16.11"
+    "astro": "^5.17.3"
   },
   "devDependencies": {
     "@astrojs/sitemap": "^3.7.0",

scripts/check-annotations.mjs

@@ -60,10 +60,12 @@ function getAlias(aliases, pageKey, oldId) {
   // supporte:
   // 1) { "<pageKey>": { "<old>": "<new>" } }
   // 2) { "<old>": "<new>" }
-  const a1 = aliases?.[pageKey]?.[oldId];
-  if (a1) return a1;
+  const k1 = String(pageKey || "");
+  const k2 = k1 ? ("/" + k1.replace(/^\/+|\/+$/g, "") + "/") : "";
+  const a1 = (aliases?.[k1]?.[oldId]) || (k2 ? aliases?.[k2]?.[oldId] : "");
+  if (a1) return String(a1);
   const a2 = aliases?.[oldId];
-  if (a2) return a2;
+  if (a2) return String(a2);
   return "";
 }
 

scripts/inject-anchor-aliases.mjs

@@ -14,6 +14,24 @@ const STRICT = argv.includes("--strict") || process.env.CI === "1" || process.en
 function escRe(s) {
   return String(s).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
+
+async function exists(p) {
+  try {
+    await fs.access(p);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function normalizeRoute(route) {
+  let r = String(route || "").trim();
+  if (!r.startsWith("/")) r = "/" + r;
+  if (!r.endsWith("/")) r = r + "/";
+  r = r.replace(/\/{2,}/g, "/");
+  return r;
+}
+
 function countIdAttr(html, id) {
   const re = new RegExp(`\\bid=(["'])${escRe(id)}\\1`, "gi");
   let c = 0;
@@ -22,7 +40,6 @@ function countIdAttr(html, id) {
 }
 
 function findStartTagWithId(html, id) {
-  // 1er élément qui porte id="..."
   const re = new RegExp(
     `<([a-zA-Z0-9:-]+)\\b[^>]*\\bid=(["'])${escRe(id)}\\2[^>]*>`,
     "i"
@@ -36,34 +53,10 @@ function isInjectedAliasSpan(html, id) {
   const found = findStartTagWithId(html, id);
   if (!found) return false;
   if (found.tagName !== "span") return false;
-  // class="... para-alias ..."
   return /\bclass=(["'])(?:(?!\1).)*\bpara-alias\b(?:(?!\1).)*\1/i.test(found.tag);
 }
-  
-function normalizeRoute(route) {
-  let r = String(route || "").trim();
-  if (!r.startsWith("/")) r = "/" + r;
-  if (!r.endsWith("/")) r = r + "/";
-  r = r.replace(/\/{2,}/g, "/");
-  return r;
-}
-
-async function exists(p) {
-  try {
-    await fs.access(p);
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-function hasId(html, id) {
-  const re = new RegExp(`\\bid=(["'])${escRe(id)}\\1`, "i");
-  return re.test(html);
-}
 
 function injectBeforeId(html, newId, injectHtml) {
-  // insère juste avant la balise qui porte id="newId"
   const re = new RegExp(
     `(<[^>]+\\bid=(["'])${escRe(newId)}\\2[^>]*>)`,
     "i"
@@ -82,6 +75,7 @@ async function main() {
   }
 
   const raw = await fs.readFile(ALIASES_PATH, "utf-8");
+
   /** @type {Record<string, Record<string,string>>} */
   let aliases;
   try {
@@ -89,6 +83,7 @@ async function main() {
   } catch (e) {
     throw new Error(`JSON invalide: ${ALIASES_PATH} (${e?.message || e})`);
   }
+
   if (!aliases || typeof aliases !== "object" || Array.isArray(aliases)) {
     throw new Error(`Format invalide: attendu { route: { oldId: newId } } dans ${ALIASES_PATH}`);
   }
@@ -114,10 +109,10 @@ async function main() {
       console.log(msg);
       warnCount++;
     }
-    
+
     if (entries.length === 0) continue;
 
-    const rel = route.replace(/^\/+|\/+$/g, ""); // sans slash
+    const rel = route.replace(/^\/+|\/+$/g, "");
     const htmlPath = path.join(DIST_ROOT, rel, "index.html");
 
     if (!(await exists(htmlPath))) {
@@ -135,24 +130,8 @@ async function main() {
       if (!oldId || !newId) continue;
 
       const oldCount = countIdAttr(html, oldId);
-      if (oldCount > 0) {
-        // ✅ déjà injecté (idempotent)
-        if (isInjectedAliasSpan(html, oldId)) continue;
 
-        // ⛔️ oldId existe déjà "en vrai" (ex: <p id="oldId">)
-        // => alias inutile / inversé / obsolète
-        const found = findStartTagWithId(html, oldId);
-        const where = found ? `<${found.tagName} … id="${oldId}" …>` : `id="${oldId}"`;
-        const msg =
-          `⚠️  alias inutile/inversé: oldId déjà présent dans la page (${where}). ` +
-          `Supprime l'alias ${oldId} -> ${newId} (ou corrige le sens) pour route=${route}`;
-        if (STRICT) throw new Error(msg);
-        console.log(msg);
-        warnCount++;
-        continue;
-      }
-
-      // juste après avoir calculé oldCount
+      // ✅ déjà injecté => idempotent
       if (oldCount > 0 && isInjectedAliasSpan(html, oldId)) {
         if (STRICT && oldCount !== 1) {
           throw new Error(`oldId dupliqué (${oldCount}) alors qu'il est censé être unique: ${route} id=${oldId}`);
@@ -160,18 +139,23 @@ async function main() {
         continue;
       }
 
-      // avant l'injection, après hasId(newId)
-      const newCount = countIdAttr(html, newId);
-      if (newCount !== 1) {
-        const msg = `⚠️  newId non-unique (${newCount}) : ${route} new=${newId} (injection ambiguë)`;
+      // ⛔️ oldId existe déjà "en vrai" => alias inutile/inversé
+      if (oldCount > 0) {
+        const found = findStartTagWithId(html, oldId);
+        const where = found ? `<${found.tagName} … id="${oldId}" …>` : `id="${oldId}"`;
+        const msg =
+          `⚠️  alias inutile/inversé: oldId déjà présent (${where}). ` +
+          `Supprime ${oldId} -> ${newId} (ou corrige le sens) pour route=${route}`;
         if (STRICT) throw new Error(msg);
         console.log(msg);
         warnCount++;
         continue;
       }
 
-      if (!hasId(html, newId)) {
-        const msg = `⚠️  newId introuvable: ${route} old=${oldId} -> new=${newId}`;
+      // newId doit exister UNE fois (sinon injection ambiguë)
+      const newCount = countIdAttr(html, newId);
+      if (newCount !== 1) {
+        const msg = `⚠️  newId non-unique (${newCount}) : ${route} new=${newId} (injection ambiguë)`;
         if (STRICT) throw new Error(msg);
         console.log(msg);
         warnCount++;

scripts/purge-dist-dev-whoami.mjs

@@ -0,0 +1,31 @@
+// scripts/purge-dist-dev-whoami.mjs
+import fs from "node:fs/promises";
+import path from "node:path";
+
+const CWD = process.cwd();
+const targetDir = path.join(CWD, "dist", "_auth", "whoami");
+const targetIndex = path.join(CWD, "dist", "_auth", "whoami", "index.html");
+
+// Purge idempotente (force=true => pas d'erreur si absent)
+async function rmSafe(p) {
+  try {
+    await fs.rm(p, { recursive: true, force: true });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function main() {
+  const removedIndex = await rmSafe(targetIndex);
+  const removedDir = await rmSafe(targetDir);
+
+  // Optionnel: si dist/_auth devient vide, on laisse tel quel (pas besoin de toucher)
+  const any = removedIndex || removedDir;
+  console.log(`✅ purge-dist-dev-whoami: ${any ? "purged" : "nothing to purge"}`);
+}
+
+main().catch((e) => {
+  console.error("❌ purge-dist-dev-whoami failed:", e);
+  process.exit(1);
+});

scripts/verify-anchor-aliases-in-dist.mjs

@@ -205,7 +205,7 @@ for (const [route, mapping] of Object.entries(data)) {
         newId,
         htmlPath,
         msg:
-          `oldId present but is NOT an injected alias span (<span class="para-alias">).</n` +
+          `oldId present but is NOT an injected alias span (<span class="para-alias">).\n` +
           `Saw: ${seen}`,
       });
       continue;

scripts/write-dev-whoami.mjs

@@ -0,0 +1,26 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+
+const OUT = path.join(process.cwd(), "public", "_auth", "whoami");
+
+const groupsRaw = process.env.PUBLIC_WHOAMI_GROUPS ?? "editors";
+const user = process.env.PUBLIC_WHOAMI_USER ?? "dev";
+const name = process.env.PUBLIC_WHOAMI_NAME ?? "Dev Local";
+const email = process.env.PUBLIC_WHOAMI_EMAIL ?? "area.technik@proton.me";
+
+const groups = groupsRaw
+  .split(/[;,]/)
+  .map((s) => s.trim())
+  .filter(Boolean)
+  .join(",");
+
+const body =
+  `Remote-User: ${user}\n` +
+  `Remote-Name: ${name}\n` +
+  `Remote-Email: ${email}\n` +
+  `Remote-Groups: ${groups}\n`;
+
+await fs.mkdir(path.dirname(OUT), { recursive: true });
+await fs.writeFile(OUT, body, "utf8");
+
+console.log(`✅ dev whoami written: ${path.relative(process.cwd(), OUT)} (${groups})`);

src/annotations/archicrat-ia/prologue.yml

@@ -1,8 +1,5 @@
 schema: 1
 
-# optionnel (si présent, doit matcher le chemin du fichier)
-page: archicratie/archicrat-ia/prologue
-
 paras:
   p-0-d7974f88:
     refs:
@@ -50,10 +47,4 @@ paras:
       - text: "Si l’on voulait chercher quelque chose comme une vision du monde chez Kafka..."
         source: "Bernard Lahire, Franz Kafka, p.475+"
 
-    media:
-      - type: "video"
-        src: "/media/prologue/p-1-2ef25f29/bien_commun.mp4"
-        caption: "Entretien avec Bernard Lahire"
-        credit: "Cairn.info"
-
     comments_editorial: []

src/components/SidePanel.astro

@@ -144,15 +144,14 @@
     const canReaders = inGroup(groups, "readers");
     const canEditors = inGroup(groups, "editors");
 
-    access.canUsers = Boolean((info?.ok && (canReaders || canEditors)) || (isDev() && !info?.ok));
+    const whoamiSkipped = Boolean(window.__archiFlags && window.__archiFlags.whoamiSkipped);
+    access.canUsers = Boolean((info?.ok && (canReaders || canEditors)) || whoamiSkipped);
     access.ready = true;
 
     if (btnMediaSubmit) btnMediaSubmit.disabled = !access.canUsers;
     if (btnSend) btnSend.disabled = !access.canUsers;
-
     if (btnRefSubmit) btnRefSubmit.disabled = !access.canUsers;
 
-
     // si pas d'accès, on informe (soft)
     if (!access.canUsers) {
       if (msgHead) {
@@ -162,12 +161,13 @@
       }
     }
   }).catch(() => {
-    // fallback dev
+    // fallback dev (cohérent: media + ref + comment)
     access.ready = true;
-    if (isDev()) {
+    if (Boolean(window.__archiFlags && window.__archiFlags.whoamiSkipped)) {
       access.canUsers = true;
       if (btnMediaSubmit) btnMediaSubmit.disabled = false;
       if (btnSend) btnSend.disabled = false;
+      if (btnRefSubmit) btnRefSubmit.disabled = false;
     }
   });
 
@@ -209,8 +209,12 @@
   async function loadIndex() {
     if (_idxP) return _idxP;
     _idxP = (async () => {
-      const res = await fetch("/annotations-index.json?_=" + Date.now(), { cache: "no-store" }).catch(() => null);
-      if (res && res.ok) return await res.json();
+      try {
+        const res = await fetch("/annotations-index.json?_=" + Date.now(), { cache: "no-store" });
+        if (res && res.ok) return await res.json();
+      } catch {}
+      // ✅ antifragile: ne pas “cacher” un échec pour toujours (dev/HMR/boot race)
+      _idxP = null;
       return null;
     })();
     return _idxP;
@@ -564,6 +568,14 @@
     hideMsg(msgComment);
 
     const idx = await loadIndex();
+
+    // ✅ message soft si l’index est indisponible (sans écraser le message d’auth)
+    if (!idx && msgHead && msgHead.hidden) {
+      msgHead.hidden = false;
+      msgHead.textContent = "Index annotations indisponible (annotations-index.json).";
+      msgHead.dataset.kind = "info";
+    }
+
     const data = idx?.pages?.[pageKey]?.paras?.[currentParaId] || null;
 
     renderLevel2(data);

src/layouts/EditionLayout.astro

@@ -30,6 +30,13 @@ const GITEA_REPO = import.meta.env.PUBLIC_GITEA_REPO ?? "";
 
 // ✅ OPTIONNEL : bridge serveur (proxy same-origin)
 const ISSUE_BRIDGE_PATH = import.meta.env.PUBLIC_ISSUE_BRIDGE_PATH ?? "";
+
+// ✅ Auth whoami (same-origin) — configurable, antifragile en dev
+const WHOAMI_PATH = import.meta.env.PUBLIC_WHOAMI_PATH ?? "/_auth/whoami";
+// Par défaut: en DEV local on SKIP pour éviter le spam 404.
+// Pour tester l’auth en dev: export PUBLIC_WHOAMI_IN_DEV=1
+const WHOAMI_IN_DEV = (import.meta.env.PUBLIC_WHOAMI_IN_DEV ?? "") === "1";
+const WHOAMI_FORCE_LOCALHOST = (import.meta.env.PUBLIC_WHOAMI_FORCE_LOCALHOST ?? "") === "1";
 ---
 
 <!doctype html>
@@ -52,54 +59,104 @@ const ISSUE_BRIDGE_PATH = import.meta.env.PUBLIC_ISSUE_BRIDGE_PATH ?? "";
     <meta data-pagefind-meta={`version:${String(version ?? "")}`} />
 
     {/* ✅ BOOT EARLY : SidePanel dépend de ces globals. */}
-    <script is:inline define:vars={{ IS_DEV, GITEA_BASE, GITEA_OWNER, GITEA_REPO, ISSUE_BRIDGE_PATH }}>
+    <script
+      is:inline
+      define:vars={{
+        IS_DEV,
+        GITEA_BASE,
+        GITEA_OWNER,
+        GITEA_REPO,
+        ISSUE_BRIDGE_PATH,
+        WHOAMI_PATH,
+        WHOAMI_IN_DEV,
+        WHOAMI_FORCE_LOCALHOST,
+      }}
+    >
 (() => {
-  const __DEV__ = Boolean(IS_DEV);
-  window.__archiFlags = Object.assign({}, window.__archiFlags, { dev: __DEV__ });
+  // ✅ anti double-init (HMR / inclusion accidentelle)
+  if (window.__archiBootOnce === 1) return;
+  window.__archiBootOnce = 1;
 
-  const base = String(GITEA_BASE || "").replace(/\/+$/, "");
-  const owner = String(GITEA_OWNER || "");
-  const repo = String(GITEA_REPO || "");
-  const giteaReady = Boolean(base && owner && repo);
-  window.__archiGitea = { ready: giteaReady, base, owner, repo };
+  var __DEV__ = Boolean(IS_DEV);
 
-  const rawBridge = String(ISSUE_BRIDGE_PATH || "").trim();
-  const normBridge = rawBridge
+  // ===== Gitea globals =====
+  var base = String(GITEA_BASE || "").replace(/\/+$/, "");
+  var owner = String(GITEA_OWNER || "");
+  var repo = String(GITEA_REPO || "");
+  window.__archiGitea = {
+    ready: Boolean(base && owner && repo),
+    base, owner, repo
+  };
+
+  // ===== optional issue bridge (same-origin proxy) =====
+  var rawBridge = String(ISSUE_BRIDGE_PATH || "").trim();
+  var normBridge = rawBridge
     ? (rawBridge.startsWith("/") ? rawBridge : ("/" + rawBridge.replace(/^\/+/, ""))).replace(/\/+$/, "")
     : "";
   window.__archiIssueBridge = { ready: Boolean(normBridge), path: normBridge };
 
-  const WHOAMI_PATH = "/_auth/whoami";
-  const REQUIRED_GROUP = "editors";
-  const READ_GROUP = "readers";
+  // ===== whoami config =====
+  var __WHOAMI_PATH__ = String(WHOAMI_PATH || "/_auth/whoami");
+  var __WHOAMI_IN_DEV__ = Boolean(WHOAMI_IN_DEV);
+
+  // En dev: par défaut on SKIP (=> pas de spam 404). Override via PUBLIC_WHOAMI_IN_DEV=1.
+  var SHOULD_FETCH_WHOAMI = (!__DEV__) || __WHOAMI_IN_DEV__;
+
+  window.__archiFlags = Object.assign({}, window.__archiFlags, {
+    dev: __DEV__,
+    whoamiPath: __WHOAMI_PATH__,
+    whoamiInDev: __WHOAMI_IN_DEV__,
+    whoamiFetch: SHOULD_FETCH_WHOAMI,
+  });
+
+  var REQUIRED_GROUP = "editors";
+  var READ_GROUP = "readers";
 
   function parseWhoamiLine(text, key) {
-    const re = new RegExp(`^${key}:\\s*(.*)$`, "mi");
-    const m = String(text || "").match(re);
-    return (m?.[1] ?? "").trim();
+    var re = new RegExp("^" + key + ":\\s*(.*)$", "mi");
+    var m = String(text || "").match(re);
+    return (m && m[1] ? m[1] : "").trim();
   }
+
   function inGroup(groups, g) {
-    const gg = String(g || "").toLowerCase();
+    var gg = String(g || "").toLowerCase();
     return Array.isArray(groups) && groups.some((x) => String(x).toLowerCase() === gg);
   }
 
+  // ===== Auth info promise (single source of truth) =====
   if (!window.__archiAuthInfoP) {
     window.__archiAuthInfoP = (async () => {
-      const res = await fetch(`${WHOAMI_PATH}?_=${Date.now()}`, {
-        credentials: "include",
-        cache: "no-store",
-        redirect: "manual",
-        headers: { Accept: "text/plain" },
-      }).catch(() => null);
+      // ✅ dev default: skip
+      if (!SHOULD_FETCH_WHOAMI) {
+        return { ok: false, user: "", name: "", email: "", groups: [], raw: "" };
+      }
+
+      var res = null;
+      try {
+        res = await fetch(__WHOAMI_PATH__ + "?_=" + Date.now(), {
+          credentials: "include",
+          cache: "no-store",
+          redirect: "manual",
+          headers: { Accept: "text/plain" },
+        });
+      } catch {
+        res = null;
+      }
 
       if (!res) return { ok: false, user: "", name: "", email: "", groups: [], raw: "" };
+      if (res.type === "opaqueredirect") return { ok: false, user: "", name: "", email: "", groups: [], raw: "" };
       if (res.status >= 300 && res.status < 400) return { ok: false, user: "", name: "", email: "", groups: [], raw: "" };
+      if (res.status === 404) return { ok: false, user: "", name: "", email: "", groups: [], raw: "" };
 
-      const text = await res.text().catch(() => "");
-      const looksLikeWhoami = /Remote-(User|Groups|Email|Name)\s*:/i.test(text);
-      if (!res.ok || !looksLikeWhoami) return { ok: false, user: "", name: "", email: "", groups: [], raw: text };
+      var text = "";
+      try { text = await res.text(); } catch { text = ""; }
 
-      const groups = parseWhoamiLine(text, "Remote-Groups")
+      var looksLikeWhoami = /Remote-(User|Groups|Email|Name)\s*:/i.test(text);
+      if (!res.ok || !looksLikeWhoami) {
+        return { ok: false, user: "", name: "", email: "", groups: [], raw: text };
+      }
+
+      var groups = parseWhoamiLine(text, "Remote-Groups")
         .split(/[;,]/)
         .map((s) => s.trim())
         .filter(Boolean)
@@ -116,18 +173,22 @@ const ISSUE_BRIDGE_PATH = import.meta.env.PUBLIC_ISSUE_BRIDGE_PATH ?? "";
     })().catch(() => ({ ok: false, user: "", name: "", email: "", groups: [], raw: "" }));
   }
 
+  // readers + editors (strict)
   if (!window.__archiCanReadP) {
     window.__archiCanReadP = window.__archiAuthInfoP.then((info) =>
-      Boolean(info.ok && (inGroup(info.groups, READ_GROUP) || inGroup(info.groups, REQUIRED_GROUP)))
+      Boolean(info && info.ok && (inGroup(info.groups, READ_GROUP) || inGroup(info.groups, REQUIRED_GROUP)))
     );
   }
 
+  // editors gate for "Proposer"
   if (!window.__archiIsEditorP) {
     window.__archiIsEditorP = window.__archiAuthInfoP
-      .then((info) => Boolean(inGroup(info.groups, REQUIRED_GROUP) || (__DEV__ && !info.ok)))
-      .catch(() => false);
+      // ✅ DEV fallback: si whoami absent/KO => Proposer autorisé (comme ton intention initiale)
+      .then((info) => Boolean(inGroup(info.groups, REQUIRED_GROUP) || (__DEV__ && !(info && info.ok))))
+      .catch(() => Boolean(__DEV__));
   }
 })();
+
     </script>
   </head>
 
@@ -950,11 +1011,13 @@ const ISSUE_BRIDGE_PATH = import.meta.env.PUBLIC_ISSUE_BRIDGE_PATH ?? "";
 
   safe("propose-gate", () => {
     if (!giteaReady) return;
+
     const p = window.__archiIsEditorP || Promise.resolve(false);
+
     p.then((ok) => {
       document.querySelectorAll(".para-propose").forEach((el) => {
         if (ok) showEl(el);
-        else el.remove();
+        else hideEl(el); // ✅ jamais remove => antifragile
       });
     }).catch((err) => {
       console.warn("[proposer] gate failed; keeping Proposer hidden", err);

src/pages/annotations-index.json.ts

@@ -0,0 +1,197 @@
+import type { APIRoute } from "astro";
+import * as fs from "node:fs/promises";
+import * as path from "node:path";
+import { parse as parseYAML } from "yaml";
+
+const CWD = process.cwd();
+const ANNO_DIR = path.join(CWD, "src", "annotations");
+
+// Strict en CI (ou override explicite)
+const STRICT =
+  process.env.ANNOTATIONS_STRICT === "1" ||
+  process.env.CI === "1" ||
+  process.env.CI === "true";
+
+async function exists(p: string): Promise<boolean> {
+  try {
+    await fs.access(p);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function walk(dir: string): Promise<string[]> {
+  const out: string[] = [];
+  const ents = await fs.readdir(dir, { withFileTypes: true });
+  for (const e of ents) {
+    const p = path.join(dir, e.name);
+    if (e.isDirectory()) out.push(...(await walk(p)));
+    else out.push(p);
+  }
+  return out;
+}
+
+function isPlainObject(x: unknown): x is Record<string, unknown> {
+  return !!x && typeof x === "object" && !Array.isArray(x);
+}
+
+function normalizePageKey(s: unknown): string {
+  return String(s ?? "")
+    .replace(/^\/+/, "")
+    .replace(/\/+$/, "")
+    .trim();
+}
+
+function inferPageKeyFromFile(inDirAbs: string, fileAbs: string): string {
+  const rel = path.relative(inDirAbs, fileAbs).replace(/\\/g, "/");
+  return rel.replace(/\.(ya?ml|json)$/i, "");
+}
+
+function parseDoc(raw: string, fileAbs: string): unknown {
+  if (/\.json$/i.test(fileAbs)) return JSON.parse(raw);
+  return parseYAML(raw);
+}
+
+function hardFailOrCollect(errors: string[], msg: string): void {
+  if (STRICT) throw new Error(msg);
+  errors.push(msg);
+}
+
+function sanitizeEntry(
+  fileRel: string,
+  paraId: string,
+  entry: unknown,
+  errors: string[]
+): Record<string, unknown> {
+  if (entry == null) return {};
+
+  if (!isPlainObject(entry)) {
+    hardFailOrCollect(errors, `${fileRel}: paras.${paraId} must be an object`);
+    return {};
+  }
+
+  const e: Record<string, unknown> = { ...entry };
+
+  const arrayFields = [
+    "refs",
+    "authors",
+    "quotes",
+    "media",
+    "comments_editorial",
+  ] as const;
+
+  for (const k of arrayFields) {
+    if (e[k] == null) continue;
+    if (!Array.isArray(e[k])) {
+      errors.push(`${fileRel}: paras.${paraId}.${k} must be an array (coerced to [])`);
+      e[k] = [];
+    }
+  }
+
+  return e;
+}
+
+export const GET: APIRoute = async () => {
+  if (!(await exists(ANNO_DIR))) {
+    const out = {
+      schema: 1,
+      generatedAt: new Date().toISOString(),
+      pages: {},
+      stats: { pages: 0, paras: 0, errors: 0 },
+      errors: [] as string[],
+    };
+
+    return new Response(JSON.stringify(out), {
+      headers: {
+        "Content-Type": "application/json; charset=utf-8",
+        "Cache-Control": "no-store",
+      },
+    });
+  }
+
+  const files = (await walk(ANNO_DIR)).filter((p) => /\.(ya?ml|json)$/i.test(p));
+
+  const pages: Record<string, { paras: Record<string, Record<string, unknown>> }> =
+    Object.create(null);
+
+  const errors: string[] = [];
+  let paraCount = 0;
+
+  for (const f of files) {
+    const fileRel = path.relative(CWD, f).replace(/\\/g, "/");
+    const pageKey = normalizePageKey(inferPageKeyFromFile(ANNO_DIR, f));
+
+    if (!pageKey) {
+      hardFailOrCollect(errors, `${fileRel}: cannot infer page key`);
+      continue;
+    }
+
+    let doc: unknown;
+    try {
+      const raw = await fs.readFile(f, "utf8");
+      doc = parseDoc(raw, f);
+    } catch (e) {
+      hardFailOrCollect(errors, `${fileRel}: parse failed: ${String((e as any)?.message ?? e)}`);
+      continue;
+    }
+
+    if (!isPlainObject(doc) || (doc as any).schema !== 1) {
+      hardFailOrCollect(errors, `${fileRel}: schema must be 1`);
+      continue;
+    }
+
+    if ((doc as any).page != null) {
+      const declared = normalizePageKey((doc as any).page);
+      if (declared !== pageKey) {
+        hardFailOrCollect(
+          errors,
+          `${fileRel}: page mismatch (page="${declared}" vs path="${pageKey}")`
+        );
+      }
+    }
+
+    const parasAny = (doc as any).paras;
+    if (!isPlainObject(parasAny)) {
+      hardFailOrCollect(errors, `${fileRel}: missing object key "paras"`);
+      continue;
+    }
+
+    if (pages[pageKey]) {
+      hardFailOrCollect(errors, `${fileRel}: duplicate page "${pageKey}" (only one file per page)`);
+      continue;
+    }
+
+    const parasOut: Record<string, Record<string, unknown>> = Object.create(null);
+
+    for (const [paraId, entry] of Object.entries(parasAny)) {
+      if (!/^p-\d+-/i.test(paraId)) {
+        hardFailOrCollect(errors, `${fileRel}: invalid para id "${paraId}"`);
+        continue;
+      }
+      parasOut[paraId] = sanitizeEntry(fileRel, paraId, entry, errors);
+    }
+
+    pages[pageKey] = { paras: parasOut };
+    paraCount += Object.keys(parasOut).length;
+  }
+
+  const out = {
+    schema: 1,
+    generatedAt: new Date().toISOString(),
+    pages,
+    stats: {
+      pages: Object.keys(pages).length,
+      paras: paraCount,
+      errors: errors.length,
+    },
+    errors,
+  };
+
+  return new Response(JSON.stringify(out), {
+    headers: {
+      "Content-Type": "application/json; charset=utf-8",
+      "Cache-Control": "no-store",
+    },
+  });
+};

src/pages/para-index.json.ts

@@ -0,0 +1,42 @@
+import type { APIRoute } from "astro";
+import * as fs from "node:fs/promises";
+import * as path from "node:path";
+
+export const prerender = true;
+
+async function exists(p: string) {
+  try { await fs.access(p); return true; } catch { return false; }
+}
+
+export const GET: APIRoute = async () => {
+  const distFile = path.join(process.cwd(), "dist", "para-index.json");
+
+  // Si dist existe (ex: après un build), on renvoie le vrai fichier.
+  if (await exists(distFile)) {
+    const raw = await fs.readFile(distFile, "utf8");
+    return new Response(raw, {
+      status: 200,
+      headers: {
+        "content-type": "application/json; charset=utf-8",
+        "cache-control": "no-store",
+      },
+    });
+  }
+
+  // Sinon stub (dev sans build) : pas d’erreur, pas de crash, pas de 404.
+  const stub = {
+    schema: 1,
+    generatedAt: new Date().toISOString(),
+    items: [],
+    byId: {},
+    note: "para-index not built yet (run: npm run build to generate dist/para-index.json)",
+  };
+
+  return new Response(JSON.stringify(stub), {
+    status: 200,
+    headers: {
+      "content-type": "application/json; charset=utf-8",
+      "cache-control": "no-store",
+    },
+  });
+};

tests/anchors-baseline.json

@@ -1,8 +1,4 @@
 {
-  "archicratie/00-demarrage/index.html": [
-    "p-0-d64c1c39",
-    "p-1-3f750540"
-  ],
   "archicrat-ia/chapitre-1/index.html": [
     "p-0-8d27a7f5",
     "p-1-8a6c18bf",