supervision/CLAUDE.md

# CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

## Commands

```bash
# Dev server (http://localhost:5000, credentials admin/admin)
cargo run

# Release build — produces target/release/supervision (Linux) or target\release\supervision.exe (Windows)
cargo build --release

# Cross-compile for Windows from Linux
rustup target add x86_64-pc-windows-gnu
cargo build --release --target x86_64-pc-windows-gnu

# Tests
cargo test

# Linting
cargo clippy
```

### Windows service (run as Administrator)

```cmd
supervision.exe install     # register as auto-start service named "Supervision"
sc start Supervision
sc stop Supervision
supervision.exe uninstall
```

## Architecture

Single-binary Axum web server. All shared mutable state is passed through `AppState` (defined in `src/routes/mod.rs`) which holds `Arc`-wrapped components.

**`src/main.rs`** — entry point: builds `AppState`, registers all routes, starts background threads (`start_monitoring`, `UserMonitor::start`), and handles Windows service scaffolding (feature-gated on `cfg(windows)`).

**`src/routes/mod.rs`** — defines `AppState`, the `AuthUser` extractor (redirects to `/login` if session is absent), and `build_tera()` which **embeds all templates at compile time** via `include_str!`. Modifying a template requires a recompile. Also provides `flash`/`get_and_clear_flash` session helpers and `render_html`.

**`src/routes/{auth,dashboard,settings,alerts,users}.rs`** — all HTTP route handlers. Each protected handler receives `AuthUser` as an extractor to enforce authentication.

**`src/config.rs`** — `Config` struct serialised to/from `data/config.json`. `ConfigManager` wraps `Config` and the `data/` path; callers lock `Arc<AsyncMutex<ConfigManager>>` to read or write config. Password hashing with bcrypt. Alerts ring-buffered to 500 entries in `data/alerts.json`.

**`src/monitor.rs`** — `SystemMonitor` collects CPU/RAM/disk/process data via `sysinfo`. `eval_status(value, threshold)` returns `"ok"` / `"warning"` / `"critical"` (warning ≥ 80 %, critical ≥ 100 % of threshold). The background thread calls `collect_metrics` → `check_thresholds`, applies per-key cooldown, persists alerts, and optionally sends email. Sleeps in 5-second chunks so `monitoring_active` changes are picked up promptly.

**`src/user_monitor.rs`** — `UserMonitor` parses Amadea `awevents_*` and `isoft_*` log files (plain or `.gz`) to build a per-user activity snapshot. `parse_awevents_line` extracts login/action/label from `awevents` files; `isoft` files provide `connected_since` (session open time via `OpenUserSession`). `compute_statuses` assigns `actif` / `inactif` / `absent` / `deconnecte` based on configurable minute thresholds — `absent` means inactive beyond `inactive_minutes` without an explicit logout. `compute_active_time` derives presence and active time by subtracting gaps exceeding `pause_threshold_minutes`. Also provides `get_weekly_activity` / `get_monthly_activity` (peak concurrent users per day) and `get_users_for_date` / `get_user_history`. Log file discovery handles both dated files (`awevents_YY-MM-DD_N.log.gz`) and undated active-log files (`awevents.log`). `UserMonitor.data` is guarded by `std::Mutex` (never held across `.await`).

**`src/alerter.rs`** — SMTP email dispatch via `lettre`. `is_configured` guards all sends. Uses STARTTLS by default; falls back to unencrypted when `use_tls = false`.

### Data directory

`data/` is created next to the binary at first launch:
- `config.json` — all settings; written after every settings form submission.
- `alerts.json` — ring buffer of the last 500 alerts, newest first.

### Template context conventions

Every protected page calls `base_context()` which injects `authenticated`, `flash_messages`, `default_pw`, and `username`. `apply_security_headers()` adds `X-Content-Type-Options`, `X-Frame-Options`, etc. to every response.