feat(docker): apply/prune/down + socle action_requests (tâche 2 SJ-6)

- migration 0005 : tables docker_image_events + action_requests
- templates apply-compose (up -d --remove-orphans), prune-images (safe/agressif),
  down-compose (sans volumes/rmi)
- dockerApply: parsers TDD (apply recreated/running/exited, prune images+bytes,
  down removed, parseHumanBytes) + orchestration applyStack/pruneImages/downStack
  réservée aux stacks enabled, insère docker_image_events
- actionRequests: create/approve/reject/list — actions destructives validées
  explicitement (Hermes propose, opérateur approuve, run en arrière-plan) ;
  hors API directe (POST /:id/actions reste passif uniquement)
- routes /machines/:id/action-requests + /action-requests/:id[/approve|/reject]
- execute: RunActionOpts.aggressive, branches apply/prune/down, helper
  archiveExecution mutualisant le boilerplate d'archivage

tsc 0 erreur · 91 tests · build OK · boot OK (migrations 0000→0005).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

server/db/migrations/0005_silent_drax.sql

@@ -0,0 +1,34 @@
+CREATE TABLE `action_requests` (
+	`id` text PRIMARY KEY NOT NULL,
+	`machine_id` text,
+	`requested_by_type` text NOT NULL,
+	`requested_by_id` text,
+	`action` text NOT NULL,
+	`risk` text,
+	`status` text NOT NULL,
+	`summary` text,
+	`payload_json` text,
+	`created_at` text NOT NULL,
+	`approved_at` text,
+	`approved_by` text,
+	`execution_id` text,
+	`expires_at` text,
+	FOREIGN KEY (`machine_id`) REFERENCES `machines`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE TABLE `docker_image_events` (
+	`id` text PRIMARY KEY NOT NULL,
+	`execution_id` text,
+	`machine_id` text NOT NULL,
+	`stack_id` text,
+	`service_name` text,
+	`image_ref` text,
+	`from_image_id` text,
+	`to_image_id` text,
+	`from_digest` text,
+	`to_digest` text,
+	`operation` text,
+	`bytes_reclaimed` integer,
+	`created_at` text NOT NULL,
+	FOREIGN KEY (`execution_id`) REFERENCES `executions`(`id`) ON UPDATE no action ON DELETE set null
+);

server/db/migrations/meta/_journal.json

@@ -36,6 +36,13 @@
       "when": 1780684150263,
       "tag": "0004_thin_ted_forrester",
       "breakpoints": true
+    },
+    {
+      "idx": 5,
+      "version": "6",
+      "when": 1780718324238,
+      "tag": "0005_silent_drax",
+      "breakpoints": true
     }
   ]
 }

server/db/schema.ts

@@ -277,3 +277,38 @@ export const dockerStackServices = sqliteTable("docker_stack_services", {
   status: text("status"),                    // up_to_date | updates_available | error
   updatedAt: text("updated_at").notNull(),
 });
+
+// SJ-6 : historique pull/apply/prune (tache1.9.md §8).
+export const dockerImageEvents = sqliteTable("docker_image_events", {
+  id: text("id").primaryKey(),
+  executionId: text("execution_id").references(() => executions.id, { onDelete: "set null" }),
+  machineId: text("machine_id").notNull(),
+  stackId: text("stack_id"),
+  serviceName: text("service_name"),
+  imageRef: text("image_ref"),
+  fromImageId: text("from_image_id"),
+  toImageId: text("to_image_id"),
+  fromDigest: text("from_digest"),
+  toDigest: text("to_digest"),
+  operation: text("operation"),              // pulled | recreated | pruned
+  bytesReclaimed: integer("bytes_reclaimed"),
+  createdAt: text("created_at").notNull(),
+});
+
+// SJ-6 : demandes d'actions destructives à valider (UI/Hermes) (tache1.9.md §10).
+export const actionRequests = sqliteTable("action_requests", {
+  id: text("id").primaryKey(),
+  machineId: text("machine_id").references(() => machines.id, { onDelete: "cascade" }),
+  requestedByType: text("requested_by_type").notNull(),  // user | hermes | schedule
+  requestedById: text("requested_by_id"),
+  action: text("action").notNull(),
+  risk: text("risk"),
+  status: text("status").notNull(),          // pending | approved | rejected | executed | expired
+  summary: text("summary"),
+  payloadJson: text("payload_json"),
+  createdAt: text("created_at").notNull(),
+  approvedAt: text("approved_at"),
+  approvedBy: text("approved_by"),
+  executionId: text("execution_id"),
+  expiresAt: text("expires_at"),
+});