feat(docker): scan/inspect passifs des stacks Compose (tâche 2 SJ-4)

- 4 tables Docker (settings/compose_roots/compose_stacks/stack_services) + migration 0004 (timestamps journal monotones) - templates docker/scan-compose + inspect-compose ; renderTemplate bascule sur délimiteurs <% %> pour les templates docker/ afin de préserver les Go-templates {{.ID}} intacts - dockerScan: parseDockerScan (TDD) + scanDockerStacks (persiste stacks candidats, complète la détection par labels) - action docker_scan branchée dans execute (route dédiée, archivage report/log) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-05 20:54:52 +02:00
parent 434a149f1f
commit 2af8e74079
12 changed files with 2716 additions and 3 deletions
@@ -0,0 +1,53 @@
+CREATE TABLE `docker_compose_roots` (
+	`id` text PRIMARY KEY NOT NULL,
+	`machine_id` text NOT NULL,
+	`path` text NOT NULL,
+	`enabled` integer DEFAULT 1 NOT NULL,
+	`scan_depth` integer,
+	`created_at` text NOT NULL,
+	`updated_at` text NOT NULL,
+	FOREIGN KEY (`machine_id`) REFERENCES `machines`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE TABLE `docker_compose_stacks` (
+	`id` text PRIMARY KEY NOT NULL,
+	`machine_id` text NOT NULL,
+	`name` text NOT NULL,
+	`working_dir` text NOT NULL,
+	`compose_files_json` text NOT NULL,
+	`project_name` text,
+	`env_file` text,
+	`status` text NOT NULL,
+	`detected_by` text,
+	`last_scan_at` text,
+	`last_update_at` text,
+	`created_at` text NOT NULL,
+	`updated_at` text NOT NULL,
+	FOREIGN KEY (`machine_id`) REFERENCES `machines`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE TABLE `docker_settings` (
+	`machine_id` text PRIMARY KEY NOT NULL,
+	`enabled` integer DEFAULT 0 NOT NULL,
+	`scan_depth` integer DEFAULT 4 NOT NULL,
+	`prune_mode` text DEFAULT 'safe' NOT NULL,
+	`last_scan_at` text,
+	`last_pull_check_at` text,
+	`updated_at` text NOT NULL,
+	FOREIGN KEY (`machine_id`) REFERENCES `machines`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE TABLE `docker_stack_services` (
+	`id` text PRIMARY KEY NOT NULL,
+	`stack_id` text NOT NULL,
+	`service_name` text NOT NULL,
+	`image_ref` text,
+	`current_image_id` text,
+	`current_digest` text,
+	`candidate_image_id` text,
+	`candidate_digest` text,
+	`version_label` text,
+	`status` text,
+	`updated_at` text NOT NULL,
+	FOREIGN KEY (`stack_id`) REFERENCES `docker_compose_stacks`(`id`) ON UPDATE no action ON DELETE cascade
+);
@@ -29,6 +29,13 @@
      "when": 1780669200000,
      "tag": "0003_magical_psylocke",
      "breakpoints": true
+    },
+    {
+      "idx": 4,
+      "version": "6",
+      "when": 1780684150263,
+      "tag": "0004_thin_ted_forrester",
+      "breakpoints": true
    }
  ]
 }
@@ -57,3 +57,39 @@ describe("schéma Phase 2", () => {
    expect(columnNames(sqlite, "machines")).toContain("enc_password");
  });
 });
+
+describe("schéma SJ-4 Docker", () => {
+  it("crée les tables docker_*", () => {
+    const sqlite = freshMigratedDb();
+    const tables = tableNames(sqlite);
+    for (const t of [
+      "docker_settings",
+      "docker_compose_roots",
+      "docker_compose_stacks",
+      "docker_stack_services",
+    ]) {
+      expect(tables, `table ${t}`).toContain(t);
+    }
+  });
+
+  it("docker_settings a les colonnes attendues", () => {
+    const sqlite = freshMigratedDb();
+    expect(columnNames(sqlite, "docker_settings")).toEqual(
+      expect.arrayContaining(["machine_id", "enabled", "scan_depth", "prune_mode", "last_scan_at", "updated_at"]),
+    );
+  });
+
+  it("docker_compose_stacks a les colonnes attendues", () => {
+    const sqlite = freshMigratedDb();
+    expect(columnNames(sqlite, "docker_compose_stacks")).toEqual(
+      expect.arrayContaining(["id", "machine_id", "name", "working_dir", "compose_files_json", "status", "detected_by"]),
+    );
+  });
+
+  it("docker_stack_services a les colonnes attendues", () => {
+    const sqlite = freshMigratedDb();
+    expect(columnNames(sqlite, "docker_stack_services")).toEqual(
+      expect.arrayContaining(["id", "stack_id", "service_name", "image_ref", "current_image_id", "current_digest"]),
+    );
+  });
+});
@@ -226,3 +226,54 @@ export const machineHostKeys = sqliteTable("machine_host_keys", {
  firstSeenAt: text("first_seen_at").notNull(),
  lastSeenAt: text("last_seen_at").notNull(),
 });
+
+// --- SJ-4 : Docker (passif) ---
+export const dockerSettings = sqliteTable("docker_settings", {
+  machineId: text("machine_id").primaryKey().references(() => machines.id, { onDelete: "cascade" }),
+  enabled: integer("enabled").notNull().default(0),
+  scanDepth: integer("scan_depth").notNull().default(4),
+  pruneMode: text("prune_mode").notNull().default("safe"),
+  lastScanAt: text("last_scan_at"),
+  lastPullCheckAt: text("last_pull_check_at"),
+  updatedAt: text("updated_at").notNull(),
+});
+
+export const dockerComposeRoots = sqliteTable("docker_compose_roots", {
+  id: text("id").primaryKey(),
+  machineId: text("machine_id").notNull().references(() => machines.id, { onDelete: "cascade" }),
+  path: text("path").notNull(),
+  enabled: integer("enabled").notNull().default(1),
+  scanDepth: integer("scan_depth"),
+  createdAt: text("created_at").notNull(),
+  updatedAt: text("updated_at").notNull(),
+});
+
+export const dockerComposeStacks = sqliteTable("docker_compose_stacks", {
+  id: text("id").primaryKey(),
+  machineId: text("machine_id").notNull().references(() => machines.id, { onDelete: "cascade" }),
+  name: text("name").notNull(),
+  workingDir: text("working_dir").notNull(),
+  composeFilesJson: text("compose_files_json").notNull(),
+  projectName: text("project_name"),
+  envFile: text("env_file"),
+  status: text("status").notNull(),          // candidate | enabled | ignored | error
+  detectedBy: text("detected_by"),           // root_scan | label | manual
+  lastScanAt: text("last_scan_at"),
+  lastUpdateAt: text("last_update_at"),
+  createdAt: text("created_at").notNull(),
+  updatedAt: text("updated_at").notNull(),
+});
+
+export const dockerStackServices = sqliteTable("docker_stack_services", {
+  id: text("id").primaryKey(),
+  stackId: text("stack_id").notNull().references(() => dockerComposeStacks.id, { onDelete: "cascade" }),
+  serviceName: text("service_name").notNull(),
+  imageRef: text("image_ref"),
+  currentImageId: text("current_image_id"),
+  currentDigest: text("current_digest"),
+  candidateImageId: text("candidate_image_id"),
+  candidateDigest: text("candidate_digest"),
+  versionLabel: text("version_label"),
+  status: text("status"),                    // up_to_date | updates_available | error
+  updatedAt: text("updated_at").notNull(),
+});
@@ -0,0 +1,29 @@
+// server/services/dockerScan.test.ts
+import { describe, it, expect } from "vitest";
+import { parseDockerScan } from "./dockerScan.js";
+
+const raw = [
+  "===SU:DOCKER_SCAN===",
+  "STACK_OK\tdir=/opt/stacks/media\tfile=/opt/stacks/media/compose.yaml",
+  "STACK_INVALID\tdir=/opt/stacks/broken\tfile=/opt/stacks/broken/compose.yml",
+  "===SU:DOCKER_LABELS===",
+  "ACTIVE\tproject=media\tworking_dir=/opt/stacks/media",
+  "===SU:EXIT=0===",
+].join("\n");
+
+describe("parseDockerScan", () => {
+  it("extrait stacks valides/invalides et actifs", () => {
+    const r = parseDockerScan(raw);
+    expect(r.stacks).toEqual([
+      { workingDir: "/opt/stacks/media", composeFile: "/opt/stacks/media/compose.yaml", valid: true },
+      { workingDir: "/opt/stacks/broken", composeFile: "/opt/stacks/broken/compose.yml", valid: false },
+    ]);
+    expect(r.active).toEqual([{ project: "media", workingDir: "/opt/stacks/media" }]);
+  });
+
+  it("retourne des listes vides si rien n'est trouvé", () => {
+    const r = parseDockerScan("===SU:DOCKER_SCAN===\n===SU:DOCKER_LABELS===\n===SU:EXIT=0===");
+    expect(r.stacks).toHaveLength(0);
+    expect(r.active).toHaveLength(0);
+  });
+});
@@ -0,0 +1,133 @@
+// server/services/dockerScan.ts
+import { randomUUID } from "node:crypto";
+import { eq } from "drizzle-orm";
+import { basename } from "node:path";
+import { db, schema } from "../db/client.js";
+import { getMachineRow, getCreds } from "./machines.js";
+import { renderTemplate } from "../templates/render.js";
+import { runScriptSudo } from "../ssh/client.js";
+import { outputHub } from "../ws/outputHub.js";
+
+export interface DockerScanResult {
+  stacks: { workingDir: string; composeFile: string; valid: boolean }[];
+  active: { project: string; workingDir: string }[];
+}
+
+function fields(line: string): Record<string, string> {
+  const out: Record<string, string> = {};
+  for (const part of line.split("\t")) {
+    const i = part.indexOf("=");
+    if (i > 0) out[part.slice(0, i)] = part.slice(i + 1);
+  }
+  return out;
+}
+
+export function parseDockerScan(raw: string): DockerScanResult {
+  const stacks: DockerScanResult["stacks"] = [];
+  const active: DockerScanResult["active"] = [];
+  for (const line of raw.split("\n")) {
+    const l = line.trimEnd();
+    if (l.startsWith("STACK_OK\t") || l.startsWith("STACK_INVALID\t")) {
+      const f = fields(l);
+      stacks.push({ workingDir: f.dir ?? "", composeFile: f.file ?? "", valid: l.startsWith("STACK_OK") });
+    } else if (l.startsWith("ACTIVE\t")) {
+      const f = fields(l);
+      active.push({ project: f.project ?? "", workingDir: f.working_dir ?? "" });
+    }
+  }
+  return { stacks, active };
+}
+
+/** Racines Compose déclarées (enabled) d'une machine. */
+export function getComposeRoots(machineId: string): string[] {
+  return db
+    .select()
+    .from(schema.dockerComposeRoots)
+    .where(eq(schema.dockerComposeRoots.machineId, machineId))
+    .all()
+    .filter((r) => r.enabled)
+    .map((r) => r.path);
+}
+
+/** Déclare/active Docker pour une machine + ses racines Compose (idempotent). */
+export function setDockerRoots(machineId: string, paths: string[], scanDepth = 4): void {
+  const now = new Date().toISOString();
+  db.insert(schema.dockerSettings)
+    .values({ machineId, enabled: 1, scanDepth, pruneMode: "safe", updatedAt: now })
+    .onConflictDoUpdate({ target: schema.dockerSettings.machineId, set: { enabled: 1, scanDepth, updatedAt: now } })
+    .run();
+  db.delete(schema.dockerComposeRoots).where(eq(schema.dockerComposeRoots.machineId, machineId)).run();
+  for (const path of paths) {
+    db.insert(schema.dockerComposeRoots).values({
+      id: randomUUID(),
+      machineId,
+      path,
+      enabled: 1,
+      createdAt: now,
+      updatedAt: now,
+    }).run();
+  }
+}
+
+/** Scanne les racines déclarées et upsert les stacks candidats. Renvoie le résultat parsé. */
+export async function scanDockerStacks(machineId: string): Promise<DockerScanResult> {
+  const m = getMachineRow(machineId);
+  if (!m) throw new Error("Machine introuvable");
+  const roots = getComposeRoots(machineId);
+  const settings = db
+    .select()
+    .from(schema.dockerSettings)
+    .where(eq(schema.dockerSettings.machineId, machineId))
+    .get();
+  const depth = settings?.scanDepth ?? 4;
+  if (roots.length === 0) return { stacks: [], active: [] };
+
+  const script = renderTemplate("docker/scan-compose.sh.tpl", {
+    composeRoots: roots.join(" "),
+    composeScanDepth: depth,
+  });
+  let raw = "";
+  const res = await runScriptSudo(getCreds(m), script, (c) => {
+    raw += c;
+    outputHub.publish(machineId, c);
+  });
+  raw = res.stdout;
+  const parsed = parseDockerScan(raw);
+
+  const now = new Date().toISOString();
+  const activeDirs = new Set(parsed.active.map((a) => a.workingDir));
+  for (const s of parsed.stacks) {
+    if (!s.valid) continue;
+    const name = basename(s.workingDir);
+    const existing = db
+      .select()
+      .from(schema.dockerComposeStacks)
+      .where(eq(schema.dockerComposeStacks.workingDir, s.workingDir))
+      .get();
+    const detectedBy = activeDirs.has(s.workingDir) ? "label" : "root_scan";
+    if (existing) {
+      db.update(schema.dockerComposeStacks)
+        .set({ lastScanAt: now, detectedBy, updatedAt: now })
+        .where(eq(schema.dockerComposeStacks.id, existing.id))
+        .run();
+    } else {
+      db.insert(schema.dockerComposeStacks).values({
+        id: randomUUID(),
+        machineId,
+        name,
+        workingDir: s.workingDir,
+        composeFilesJson: JSON.stringify([s.composeFile]),
+        status: "candidate",
+        detectedBy,
+        lastScanAt: now,
+        createdAt: now,
+        updatedAt: now,
+      }).run();
+    }
+  }
+  db.update(schema.dockerSettings)
+    .set({ lastScanAt: now, updatedAt: now })
+    .where(eq(schema.dockerSettings.machineId, machineId))
+    .run();
+  return parsed;
+}
@@ -20,4 +20,17 @@ describe("renderTemplate", () => {
    expect(out).toContain("===SU:APT_SIM_DISTUPGRADE===");
    expect(out).toContain("apt-mark showhold");
  });
+
+  it("rend les variables Docker en <% %> sans toucher aux Go-templates {{...}}", () => {
+    const out = renderTemplate("docker/scan-compose.sh.tpl", { composeRoots: "/opt/stacks", composeScanDepth: 3 });
+    expect(out).toContain("/opt/stacks");
+    expect(out).toContain("{{.ID}}");        // Go-template Docker resté littéral
+    expect(out).not.toContain("<%composeRoots%>");
+  });
+
+  it("rétro-compat : les templates APT ({{ }}) restent fonctionnels", () => {
+    const out = renderTemplate("apt/check.sh.tpl", { aptProxy: "http://proxy:3142" });
+    expect(out).toContain("http://proxy:3142");
+    expect(out).not.toContain("{{");
+  });
 });
@@ -7,12 +7,23 @@ const TEMPLATES_ROOT = resolve(process.cwd(), "templates");

 export interface TemplateVars {
  aptProxy?: string | null;
+  // Docker template vars
+  composeRoots?: string | number | null;
+  composeScanDepth?: string | number | null;
+  stackDir?: string | null;
 }

-export function renderTemplate(relPath: string, vars: TemplateVars): string {
+export function renderTemplate(
+  relPath: string,
+  vars: TemplateVars,
+  opts?: { tags?: [string, string] },
+): string {
  const tpl = readFileSync(resolve(TEMPLATES_ROOT, relPath), "utf8");
-  // Mustache échappe le HTML par défaut; on désactive (ce sont des scripts shell).
-  return Mustache.render(tpl, vars, {}, { escape: (s) => s });
+  // Les templates Docker contiennent des Go-templates {{...}} : on bascule les
+  // délimiteurs Mustache sur <% %> pour ne pas les interpréter.
+  const tags = opts?.tags ?? (relPath.startsWith("docker/") ? (["<%", "%>"] as [string, string]) : undefined);
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  return Mustache.render(tpl, vars, {}, { escape: (s: any) => s, ...(tags ? { tags } : {}) } as any);
 }

 /** Existence par défaut d'un template relatif à templates/. */