feat(post-install): moteur de profils + bootstrap + identité/réseau (tâche 2 SJ-8)

- templates custom/bootstrap-root + identity-network (sortie structurée parsable,
  sauvegardes, échec contrôlé, jamais de coupure réseau sans reconnexion)
- postInstall: registre de manifestes (champs typés + defaults/defaultFrom),
  validateProfileValues + maskSecretValues + buildPostInstallResult (TDD),
  renderProfile/previewProfile (masquage secrets), runPostInstall (SSH)
- execute: RunActionOpts.profileId/values + branche post_install (bloc postInstall)
- action_requests: post_install accepté, payload profileId/values transmis à approve
- routes: GET /profiles, POST .../preview (script masqué + validation),
  POST .../run (action_request si requiresConfirmation, sinon direct)

Champs = formulaire (pas de question SSH interactive) ; secrets jamais sérialisés ;
identity_network exige confirmation. tsc 0 · 101 tests · build OK · boot OK.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

server/services/postInstall.ts

@@ -0,0 +1,253 @@
+// server/services/postInstall.ts
+import { getMachineRow, getCreds } from "./machines.js";
+import { renderTemplate, type TemplateVars } from "../templates/render.js";
+import { runScriptSudo } from "../ssh/client.js";
+import { outputHub } from "../ws/outputHub.js";
+import type { PostInstallResult, SnapshotError } from "@shared/types.js";
+
+// ----------------------------------------------------------------------------
+// Manifestes de profils (registre versionné en code ; templates versionnés sur disque).
+// ----------------------------------------------------------------------------
+
+export type FieldType =
+  | "string" | "hostname" | "ipv4" | "ipv4_cidr" | "ipv4_list"
+  | "select" | "bool" | "int" | "path" | "secret";
+
+export interface ProfileField {
+  name: string;
+  type: FieldType;
+  required: boolean;
+  label?: string;
+  default?: string | number | boolean;
+  defaultFrom?: string;          // valeur détectée par machine_probe (ex. detected.primaryInterface)
+  options?: string[];            // pour select
+}
+
+export interface ProfileManifest {
+  id: string;
+  label: string;
+  description: string;
+  risk: "low" | "medium" | "network_change";
+  requiresConfirmation: boolean;
+  template: string;              // chemin relatif sous templates/
+  fields: ProfileField[];
+}
+
+export const PROFILES: Record<string, ProfileManifest> = {
+  bootstrap_root: {
+    id: "bootstrap_root",
+    label: "Bootstrap (sudo + base)",
+    description: "Installe sudo, ca-certificates, curl et ajoute l'opérateur au groupe sudo.",
+    risk: "low",
+    requiresConfirmation: false,
+    template: "custom/bootstrap-root.sh.tpl",
+    fields: [
+      { name: "operatorUser", type: "string", required: true, label: "Utilisateur opérateur", defaultFrom: "sshUser" },
+    ],
+  },
+  identity_network: {
+    id: "identity_network",
+    label: "Hostname + IP statique",
+    description: "Définit le hostname, le domaine et l'adresse IP statique (sauvegarde des fichiers).",
+    risk: "network_change",
+    requiresConfirmation: true,
+    template: "custom/identity-network.sh.tpl",
+    fields: [
+      { name: "newHostname", type: "hostname", required: true, label: "Nouveau hostname" },
+      { name: "domain", type: "string", required: true, label: "Domaine", default: "home" },
+      { name: "interfaceName", type: "select", required: true, label: "Interface", defaultFrom: "detected.primaryInterface" },
+      { name: "staticAddress", type: "ipv4_cidr", required: true, label: "Adresse statique (CIDR)" },
+      { name: "gateway", type: "ipv4", required: true, label: "Passerelle", default: "10.0.0.1" },
+      { name: "dnsNameservers", type: "ipv4_list", required: true, label: "DNS", default: "10.0.0.1 10.0.0.10" },
+      { name: "reconnectHost", type: "ipv4", required: true, label: "IP de reconnexion", defaultFrom: "staticAddress.ip" },
+      { name: "rebootAfterInstall", type: "bool", required: false, label: "Reboot après application" },
+    ],
+  },
+};
+
+// ----------------------------------------------------------------------------
+// Validation (pure, testable).
+// ----------------------------------------------------------------------------
+
+export type ProfileValues = Record<string, string | number | boolean | undefined>;
+export interface ValidationResult {
+  ok: boolean;
+  errors: { field: string; message: string }[];
+}
+
+const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+const HOSTNAME = /^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/;
+
+function isIpv4(v: string): boolean {
+  const m = IPV4.exec(v.trim());
+  return !!m && m.slice(1).every((o) => Number(o) >= 0 && Number(o) <= 255);
+}
+function isIpv4Cidr(v: string): boolean {
+  const [ip, mask] = v.trim().split("/");
+  return !!ip && !!mask && isIpv4(ip) && Number(mask) >= 0 && Number(mask) <= 32;
+}
+
+function validateField(field: ProfileField, raw: string | number | boolean): string | null {
+  const v = String(raw).trim();
+  switch (field.type) {
+    case "hostname":
+      return HOSTNAME.test(v) ? null : "hostname invalide";
+    case "ipv4":
+      return isIpv4(v) ? null : "adresse IPv4 invalide";
+    case "ipv4_cidr":
+      return isIpv4Cidr(v) ? null : "adresse CIDR invalide (ex. 10.0.0.50/22)";
+    case "ipv4_list":
+      return v.split(/[\s,]+/).filter(Boolean).every(isIpv4) ? null : "liste d'IPv4 invalide";
+    case "int":
+      return /^-?\d+$/.test(v) ? null : "entier attendu";
+    default:
+      return null;
+  }
+}
+
+export function validateProfileValues(manifest: ProfileManifest, values: ProfileValues): ValidationResult {
+  const errors: { field: string; message: string }[] = [];
+  for (const field of manifest.fields) {
+    const v = values[field.name];
+    const empty = v === undefined || v === null || String(v).trim() === "";
+    if (empty) {
+      if (field.required) errors.push({ field: field.name, message: "champ requis" });
+      continue;
+    }
+    const err = validateField(field, v);
+    if (err) errors.push({ field: field.name, message: err });
+  }
+  return { ok: errors.length === 0, errors };
+}
+
+// ----------------------------------------------------------------------------
+// Masquage des secrets (jamais en clair vers UI/MCP/preview).
+// ----------------------------------------------------------------------------
+
+export function maskSecretValues(manifest: ProfileManifest, values: ProfileValues): ProfileValues {
+  const secrets = new Set(manifest.fields.filter((f) => f.type === "secret").map((f) => f.name));
+  const out: ProfileValues = {};
+  for (const [k, v] of Object.entries(values)) {
+    out[k] = secrets.has(k) && v !== undefined && v !== "" ? "********" : v;
+  }
+  return out;
+}
+
+/** Valeurs non sensibles uniquement (pour variablesUsed / persistance / Hermes). */
+function nonSecretValues(manifest: ProfileManifest, values: ProfileValues): Record<string, string | number | boolean> {
+  const secrets = new Set(manifest.fields.filter((f) => f.type === "secret").map((f) => f.name));
+  const out: Record<string, string | number | boolean> = {};
+  for (const [k, v] of Object.entries(values)) {
+    if (!secrets.has(k) && v !== undefined) out[k] = v;
+  }
+  return out;
+}
+
+// ----------------------------------------------------------------------------
+// Rendu + preview.
+// ----------------------------------------------------------------------------
+
+function toTemplateVars(values: ProfileValues): TemplateVars {
+  const vars: TemplateVars = {};
+  for (const [k, v] of Object.entries(values)) vars[k] = v as never;
+  return vars;
+}
+
+export function renderProfile(profileId: string, values: ProfileValues): string {
+  const manifest = PROFILES[profileId];
+  if (!manifest) throw new Error(`Profil inconnu : ${profileId}`);
+  return renderTemplate(manifest.template, toTemplateVars(values));
+}
+
+/** Preview du script rendu avec masquage des secrets. */
+export function previewProfile(profileId: string, values: ProfileValues): string {
+  const manifest = PROFILES[profileId];
+  if (!manifest) throw new Error(`Profil inconnu : ${profileId}`);
+  return renderTemplate(manifest.template, toTemplateVars(maskSecretValues(manifest, values)));
+}
+
+// ----------------------------------------------------------------------------
+// Parsing du résultat (pure, testable).
+// ----------------------------------------------------------------------------
+
+function collectPrefixed(raw: string, prefix: string): string[] {
+  const out: string[] = [];
+  for (const line of raw.split("\n")) {
+    const t = line.trim();
+    if (t.startsWith(prefix)) out.push(t.slice(prefix.length));
+  }
+  return out;
+}
+function firstPrefixed(raw: string, prefix: string): string | null {
+  for (const line of raw.split("\n")) {
+    const t = line.trim();
+    if (t.startsWith(prefix)) return t.slice(prefix.length);
+  }
+  return null;
+}
+
+export function buildPostInstallResult(
+  raw: string,
+  profilesRun: string[],
+  variablesUsed: Record<string, string | number | boolean>,
+): PostInstallResult {
+  const errors: SnapshotError[] = collectPrefixed(raw, "ERR=").map((kind) => ({
+    source: "post_install",
+    kind,
+    severity: "error",
+    message: `Échec post-install : ${kind}`,
+  }));
+
+  const oldEndpoint = firstPrefixed(raw, "OLD_ENDPOINT=");
+  const newEndpoint = firstPrefixed(raw, "NEW_ENDPOINT=");
+  const networkChange = oldEndpoint !== null || newEndpoint !== null
+    ? { oldEndpoint: oldEndpoint || null, newEndpoint: newEndpoint || null, reconnectHost: newEndpoint || null }
+    : undefined;
+
+  return {
+    profilesRun,
+    variablesUsed,
+    filesModified: collectPrefixed(raw, "FILE_MODIFIED="),
+    packagesInstalled: collectPrefixed(raw, "PKG_INSTALLED="),
+    servicesEnabled: collectPrefixed(raw, "SERVICE_ENABLED="),
+    rebootsRequested: /REBOOT_REQUESTED=1/.test(raw),
+    ...(networkChange ? { networkChange } : {}),
+    ...(errors.length ? { errors } : {}),
+  };
+}
+
+// ----------------------------------------------------------------------------
+// Orchestration (SSH).
+// ----------------------------------------------------------------------------
+
+export interface PostInstallOutcome {
+  result: PostInstallResult;
+  raw: string;
+  status: "ok" | "error";
+}
+
+export async function runPostInstall(
+  machineId: string,
+  profileId: string,
+  values: ProfileValues,
+  onData?: (c: string) => void,
+): Promise<PostInstallOutcome> {
+  const m = getMachineRow(machineId);
+  if (!m) throw new Error("Machine introuvable");
+  const manifest = PROFILES[profileId];
+  if (!manifest) throw new Error(`Profil inconnu : ${profileId}`);
+  const validation = validateProfileValues(manifest, values);
+  if (!validation.ok) {
+    throw new Error("Champs invalides : " + validation.errors.map((e) => `${e.field} (${e.message})`).join(", "));
+  }
+
+  const script = renderProfile(profileId, values);
+  const res = await runScriptSudo(getCreds(m), script, (c) => {
+    onData?.(c);
+    outputHub.publish(machineId, c);
+  });
+  const raw = res.stdout;
+  const result = buildPostInstallResult(raw, [profileId], nonSecretValues(manifest, values));
+  const failed = (result.errors?.length ?? 0) > 0 || (/===SU:EXIT=\d+===/.test(raw) && !/===SU:EXIT=0===/.test(raw));
+  return { result, raw, status: failed ? "error" : "ok" };
+}