chore: sauvegarde complète avant factorisation executor

Point de sauvegarde incluant les fichiers non committés des sessions
précédentes (systemd, docs, agents, GPU manager).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

deploy/systemd/rpa-streaming.service

@@ -0,0 +1,39 @@
+[Unit]
+Description=RPA Vision V3 - Streaming Server (FastAPI, port 5005)
+Documentation=https://lea.labs.laurinebazin.design
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+
+# ---- Runtime ----
+User=dom
+Group=dom
+WorkingDirectory=/home/dom/ai/rpa_vision_v3
+EnvironmentFile=/home/dom/ai/rpa_vision_v3/.env.local
+Environment="PYTHONUNBUFFERED=1"
+Environment="RPA_SERVICE_NAME=rpa-streaming"
+
+# Lancement via le module Python (même commande que svc.sh)
+ExecStart=/home/dom/ai/rpa_vision_v3/.venv/bin/python3 -m agent_v0.server_v1.api_stream
+
+# ---- Resilience ----
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+# Envoyer SIGTERM d'abord, puis SIGKILL après TimeoutStopSec
+KillMode=mixed
+KillSignal=SIGTERM
+
+# ---- Hardening (raisonnable pour un poste de dev/prod) ----
+NoNewPrivileges=true
+PrivateTmp=true
+
+# Logs -> journald
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=rpa-streaming
+
+[Install]
+WantedBy=multi-user.target

deploy/systemd/rpa-vision-v3-api.service

@@ -7,32 +7,29 @@ Wants=network-online.target
 Type=simple
 
 # ---- Runtime ----
-User=rpa
-Group=rpa
-WorkingDirectory=/opt/rpa_vision_v3/server
-EnvironmentFile=/etc/rpa_vision_v3/rpa_vision_v3.env
+User=dom
+Group=dom
+WorkingDirectory=/home/dom/ai/rpa_vision_v3
+EnvironmentFile=/home/dom/ai/rpa_vision_v3/.env.local
 Environment="PYTHONUNBUFFERED=1"
 Environment="ENVIRONMENT=production"
 Environment="RPA_SERVICE_NAME=rpa-vision-v3-api"
 
-# Sécurité : valide les secrets (exit !=0 => systemd restart)
-ExecStart=/opt/rpa_vision_v3/venv_v3/bin/python api_upload.py
+ExecStart=/home/dom/ai/rpa_vision_v3/.venv/bin/python3 server/api_upload.py
 
 # ---- Resilience ----
 Restart=on-failure
 RestartSec=3
 TimeoutStopSec=30
 
-# ---- Hardening (raisonnable pour un MVP) ----
+# ---- Hardening ----
 NoNewPrivileges=true
 PrivateTmp=true
-ProtectSystem=strict
-ProtectHome=true
-ReadWritePaths=/opt/rpa_vision_v3/data /opt/rpa_vision_v3/logs
 
 # Logs -> journald
 StandardOutput=journal
 StandardError=journal
+SyslogIdentifier=rpa-vision-v3-api
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

deploy/systemd/rpa-vision-v3-artifact-retention.service

@@ -3,8 +3,8 @@ Description=RPA Vision V3 - Artifact retention / rotation
 
 [Service]
 Type=oneshot
-User=rpa
-Group=rpa
-WorkingDirectory=/opt/rpa_vision_v3
-EnvironmentFile=/etc/rpa_vision_v3/rpa_vision_v3.env
-ExecStart=/opt/rpa_vision_v3/venv_v3/bin/python -m core.system.artifact_retention
+User=dom
+Group=dom
+WorkingDirectory=/home/dom/ai/rpa_vision_v3
+EnvironmentFile=/home/dom/ai/rpa_vision_v3/.env.local
+ExecStart=/home/dom/ai/rpa_vision_v3/.venv/bin/python3 -m core.system.artifact_retention

deploy/systemd/rpa-vision-v3-dashboard.service

@@ -5,14 +5,14 @@ Wants=network-online.target
 
 [Service]
 Type=simple
-User=rpa
-Group=rpa
-WorkingDirectory=/opt/rpa_vision_v3
-EnvironmentFile=/etc/rpa_vision_v3/rpa_vision_v3.env
+User=dom
+Group=dom
+WorkingDirectory=/home/dom/ai/rpa_vision_v3
+EnvironmentFile=/home/dom/ai/rpa_vision_v3/.env.local
 Environment="PYTHONUNBUFFERED=1"
 Environment="ENVIRONMENT=production"
 Environment="RPA_SERVICE_NAME=rpa-vision-v3-dashboard"
-ExecStart=/opt/rpa_vision_v3/venv_v3/bin/python web_dashboard/app.py
+ExecStart=/home/dom/ai/rpa_vision_v3/.venv/bin/python3 web_dashboard/app.py
 
 Restart=on-failure
 RestartSec=3
@@ -20,12 +20,10 @@ TimeoutStopSec=30
 
 NoNewPrivileges=true
 PrivateTmp=true
-ProtectSystem=strict
-ProtectHome=true
-ReadWritePaths=/opt/rpa_vision_v3/data /opt/rpa_vision_v3/logs
 
 StandardOutput=journal
 StandardError=journal
+SyslogIdentifier=rpa-vision-v3-dashboard
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

deploy/systemd/rpa-vision-v3-healthcheck.service

@@ -8,9 +8,9 @@ OnFailure=rpa-vision-v3-recover.service
 
 [Service]
 Type=oneshot
-WorkingDirectory=/opt/rpa_vision_v3
-EnvironmentFile=/etc/rpa_vision_v3/rpa_vision_v3.env
-ExecStart=/opt/rpa_vision_v3/server/healthcheck.sh
+WorkingDirectory=/home/dom/ai/rpa_vision_v3
+EnvironmentFile=/home/dom/ai/rpa_vision_v3/.env.local
+ExecStart=/home/dom/ai/rpa_vision_v3/server/healthcheck.sh
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

deploy/systemd/rpa-vision-v3-recover.service

@@ -5,4 +5,4 @@ Description=RPA Vision V3 - Recover stack (restart services)
 Type=oneshot
 # Important: nécessite root pour systemctl
 User=root
-ExecStart=/bin/bash -lc 'systemctl restart rpa-vision-v3-api.service rpa-vision-v3-dashboard.service rpa-vision-v3-worker.service || true'
+ExecStart=/bin/bash -lc 'systemctl restart rpa-streaming.service rpa-vision-v3-api.service rpa-vision-v3-dashboard.service rpa-vision-v3-worker.service || true'

deploy/systemd/rpa-vision-v3-worker.service

@@ -5,12 +5,12 @@ Wants=network-online.target
 
 [Service]
 Type=simple
-User=rpa
-Group=rpa
-WorkingDirectory=/opt/rpa_vision_v3/server
-EnvironmentFile=/etc/rpa_vision_v3/rpa_vision_v3.env
+User=dom
+Group=dom
+WorkingDirectory=/home/dom/ai/rpa_vision_v3
+EnvironmentFile=/home/dom/ai/rpa_vision_v3/.env.local
 Environment="PYTHONUNBUFFERED=1"
-ExecStart=/opt/rpa_vision_v3/venv_v3/bin/python worker_daemon.py
+ExecStart=/home/dom/ai/rpa_vision_v3/.venv/bin/python3 server/worker_daemon.py
 
 Restart=on-failure
 RestartSec=3
@@ -18,12 +18,10 @@ TimeoutStopSec=60
 
 NoNewPrivileges=true
 PrivateTmp=true
-ProtectSystem=strict
-ProtectHome=true
-ReadWritePaths=/opt/rpa_vision_v3/data /opt/rpa_vision_v3/logs
 
 StandardOutput=journal
 StandardError=journal
+SyslogIdentifier=rpa-vision-v3-worker
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

deploy/systemd/rpa_vision_v3.env.example

@@ -1,4 +1,11 @@
-# /etc/rpa_vision_v3/rpa_vision_v3.env
+# /home/dom/ai/rpa_vision_v3/.env.local
+# Chargé par tous les services systemd via EnvironmentFile=
+#
+# IMPORTANT : format systemd EnvironmentFile
+#   - Pas de "export" devant les variables
+#   - Pas de guillemets autour des valeurs (sauf si espaces)
+#   - Commentaires avec #
+#   - Une variable par ligne : CLE=valeur
 
 # --- Secrets (OBLIGATOIRES en prod) ---
 ENCRYPTION_PASSWORD=CHANGE_ME
@@ -7,33 +14,45 @@ SECRET_KEY=CHANGE_ME
 # --- Runtime ---
 ENVIRONMENT=production
 
-# --- Fiche #24 - Observabilité ---
-# Label Prometheus (surcouche). En prod, les unités systemd posent déjà une valeur par service.
-# RPA_SERVICE_NAME=rpa-vision-v3
+# --- Token API fixe (streaming server + agent) ---
+# Générer avec : python3 -c "import secrets; print(secrets.token_hex(32))"
+# OBLIGATOIRE : si vide en prod, le serveur de streaming refuse de démarrer
+# (fail-closed P0-C). Pour désactiver l'auth en dev local : RPA_AUTH_DISABLED=true
+RPA_API_TOKEN=CHANGE_ME
 
-# Worker mode:
+# --- Auth dashboard Flask (port 5001, Fix P0-A) ---
+# HTTP Basic Auth obligatoire sur tous les endpoints sauf healthchecks.
+# OBLIGATOIRE en prod. Pour désactiver en dev : DASHBOARD_AUTH_DISABLED=true
+DASHBOARD_USER=lea
+DASHBOARD_PASSWORD=CHANGE_ME
+
+# --- Worker mode ---
 #   thread   -> worker intégré à l'API
 #   external -> worker dans rpa-vision-v3-worker.service (recommandé prod)
 #   disabled -> API upload only
 RPA_PROCESSING_WORKER=external
 
-# Ports (healthcheck.sh les utilise)
+# --- Ports (healthcheck.sh les utilise) ---
 RPA_API_HOST=127.0.0.1
 RPA_API_PORT=8000
 RPA_DASHBOARD_HOST=127.0.0.1
 RPA_DASHBOARD_PORT=5001
 RPA_CHECK_DASHBOARD=1
 
-# Worker heartbeat (si worker external)
+# --- Worker heartbeat ---
 RPA_WORKER_HEARTBEAT_PATH=data/runtime/health/worker_heartbeat.json
 RPA_WORKER_HEARTBEAT_MAX_AGE_S=60
 
-# Retention / rotation
+# --- Retention / rotation ---
 RPA_DATA_DIR=data
 RPA_RETENTION_FAILURE_CASES_DAYS=14
 RPA_RETENTION_ARCHIVE_FAILURE_CASES=true
 RPA_RETENTION_WATCHDOG_DAYS=7
 RPA_RETENTION_GUARD_REPORTS_DAYS=30
 
-# Healthcheck - disque
-RPA_MIN_FREE_MB=1024
+# --- Healthcheck - disque ---
+RPA_MIN_FREE_MB=1024
+
+# --- VLM (modèle de vision local) ---
+RPA_VLM_MODEL=qwen3-vl:8b
+VLM_MODEL=qwen3-vl:8b