Merge remote-tracking branch 'origin/alpha' into feat/mimoquage-skip-missing-info

# Conflicts:
#	packages/app/src/server/api/routers/declarationHelpers.ts

Author: LucasCharrier

.claude/rules/audit-logging.md

@@ -144,9 +144,17 @@ Notes:
 
 ### 5. New cron-triggered / system action
 
-Use `logAction` directly with category `system` inside the route handler or
-helper that the cron calls. See `/api/audit/cleanup/route.ts` for the canonical
-pattern (success + failure self-audit with metadata).
+Two patterns are in use, depending on whether the cron runs **inside** the app
+(a tRPC procedure or Next.js route called by a CronJob container) or **out of
+band** (a standalone `.mjs` script invoked by the CronJob with direct DB
+access — see `packages/app/scripts/audit-cleanup.mjs` for the canonical
+example, issue #3268).
+
+- **In-app trigger**: use `logAction` directly with category `system` inside
+  the route handler / helper that the cron calls.
+- **Out-of-band script**: self-audit via a raw `INSERT INTO audit.action_log`
+  statement at the end of the script (success) and in a try/catch arm
+  (failure, outside the rolled-back transaction so the row survives).
 
 ---
 
@@ -196,10 +204,10 @@ the caller is responsible for sanitisation:
 | `export` | 365 days | Data exports and third-party API consumers. |
 | `system` | 365 days | Cron-triggered / admin actions. |
 
-The cleanup cron (`/api/audit/cleanup` → `cleanupAuditLogs`) drops
-`read_sensitive` rows after 180 days and everything else after 365 days. This
-is enforced at the DB level; the category you choose **defines** the retention
-window.
+The cleanup cron (`packages/app/scripts/audit-cleanup.mjs`, wired up in
+`.kontinuous/templates/audit-cleanup-cron.yaml`) drops `read_sensitive` rows
+after 180 days and everything else after 365 days. This is enforced at the DB
+level; the category you choose **defines** the retention window.
 
 ---
 

.claude/rules/automation.md

@@ -114,7 +114,7 @@ Apply these rules **as you write code**, before any agent runs:
 - New auth event / cron → direct `logAction` call; `logger.error` must stay synchronous (`void (async () => {...})()`)
 - Every new action requires **3 wire-up points**: `AUDIT_ACTIONS.*` constant, `AUDIT_ACTION_CATEGORIES` mapping, and the surface-specific wire (tRPC map / wrapper / direct call)
 - `metadata` jsonb must not contain secrets (auto-stripped keys: `password`, `token`, `refresh_token`, `secret`, `client_secret`, `authorization`, `apikey`, `api_key`, `accesskey`, `access_key`, `private_key`)
-- DB-layer changes in `~/server/audit/cleanup.ts` → add an integration test (`*.integration.test.ts`, runs via `pnpm test:integration`) — unit tests mock drizzle and miss driver bugs
+- DB-layer changes in `packages/app/scripts/audit-cleanup.mjs` (or any file that touches `audit.action_log` via non-trivial SQL) → add an integration test (`*.integration.test.ts`, runs via `pnpm test:integration`) — unit tests mock the DB driver and miss driver bugs
 
 ### E2E tests (when relevant)
 

.github/workflows/e2e.yaml

@@ -32,10 +32,6 @@ jobs:
       CLAMAV_HOST: localhost
       CLAMAV_PORT: 3310
       ADMIN_EMAILS: test@fia1.fr
-      # Required by env.js but never exercised by E2E tests (the audit
-      # cleanup route is only called by the K8s CronJob). A dummy value
-      # that satisfies the `.min(32)` Zod check is enough.
-      EGAPRO_AUDIT_CLEANUP_TOKEN: e2e-dummy-audit-cleanup-token-not-used-1234567890
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

.kontinuous/Chart.yaml

@@ -0,0 +1,4 @@
+dependencies:
+  - name: valkey
+    repository: https://valkey.io/valkey-helm
+    version: 0.9.4

.kontinuous/env/dev/templates/audit-cleanup.sealed-secret.yaml

@@ -0,0 +1,6 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: valkey
+data:
+  VALKEY_URL: "redis://valkey:6379"

.kontinuous/env/dev/templates/valkey.configmap.yaml

@@ -3,7 +3,10 @@ apiVersion: v1
 metadata:
   name: mail
 data:
-  MAIL_ENABLED: "false"
-  SMTP_HOST: ""
+  # Using MailDev as an in-cluster SMTP catcher until a Tipimail preprod
+  # sealed-secret is available. The UI is exposed at
+  # https://maildev-<global.host> via the maildev Ingress.
+  MAIL_ENABLED: "true"
+  SMTP_HOST: "maildev"
   SMTP_PORT: "1025"
   MAIL_FROM: "no-reply@egapro.preprod.fabrique.social.gouv.fr"

.kontinuous/env/preprod/templates/audit-cleanup.sealed-secret.yaml

@@ -0,0 +1,94 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: maildev
+  namespace: {{ .Values.global.namespace }}
+  labels:
+    app: maildev
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: maildev
+  template:
+    metadata:
+      labels:
+        app: maildev
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      containers:
+        - name: maildev
+          image: maildev/maildev:2.2.1
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: ["ALL"]
+          ports:
+            - name: smtp
+              containerPort: 1025
+            - name: web
+              containerPort: 1080
+          readinessProbe:
+            httpGet:
+              path: /
+              port: web
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: 10m
+              memory: 64Mi
+            limits:
+              cpu: 200m
+              memory: 256Mi
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+      volumes:
+        - name: tmp
+          emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: maildev
+  namespace: {{ .Values.global.namespace }}
+spec:
+  selector:
+    app: maildev
+  ports:
+    - name: smtp
+      port: 1025
+      targetPort: smtp
+    - name: web
+      port: 1080
+      targetPort: web
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: maildev
+  namespace: {{ .Values.global.namespace }}
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - maildev-{{ .Values.global.host }}
+      secretName: maildev-tls
+  rules:
+    - host: maildev-{{ .Values.global.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: maildev
+                port:
+                  name: web

.kontinuous/env/preprod/templates/mail.configmap.yaml

@@ -0,0 +1,6 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: valkey
+data:
+  VALKEY_URL: "redis://valkey:6379"