feat(scripts): intégrer Auto_scripts dans le repo pour déploiement multi-machine

scripts/aliases.sh

@@ -30,7 +30,7 @@ alias bmad-init='"$LEADTECH/scripts/bmad-init-project.sh"'
 alias projects='cd /Volumes/TeraSSD/Projets_Dev 2>/dev/null || cd /srv/projects'
 
 # Load global secrets (KeePass → env)
-alias loadg='source ~/AI_RULES/Auto_scripts/load-global-secrets.sh || source /srv/shared/scripts/load-global-secrets.sh'
+alias loadg='source "$LEADTECH/scripts/load-global-secrets.sh"'
 
 # Sync service secrets (KeePass → service.env)
-alias sync-service='source ~/AI_RULES/Auto_scripts/sync-service-secrets.sh || source /srv/shared/scripts/sync-service-secrets.sh'
+alias sync-service='source "$LEADTECH/scripts/sync-service-secrets.sh"'

scripts/env_paths.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+case "$(uname -s)" in
+  Darwin)
+    export SECRETS_KDBX="/Volumes/TeraSSD/Max_Perso/Pièces Importantes/MDPs/env_and_co.kdbx"
+    export AUTO_SCRIPTS_DIR="$HOME/AI_RULES/Auto_scripts"
+    ;;
+  Linux)
+    export SECRETS_KDBX="/srv/shared/env/env_and_co.kdbx"
+    export AUTO_SCRIPTS_DIR="/srv/shared/scripts"
+    ;;
+  *)
+    echo "OS non supporté" >&2
+    return 1
+    ;;
+esac

scripts/load-global-secrets.sh

@@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+
+_load_global_secrets() {
+  local _env_paths
+  if [ -f "$HOME/AI_RULES/Auto_scripts/env_paths.sh" ]; then
+    _env_paths="$HOME/AI_RULES/Auto_scripts/env_paths.sh"
+  elif [ -f "/srv/shared/scripts/env_paths.sh" ]; then
+    _env_paths="/srv/shared/scripts/env_paths.sh"
+  else
+    echo "env_paths.sh introuvable" >&2
+    return 1
+  fi
+  source "$_env_paths" || return 1
+
+  if [ ! -f "$SECRETS_KDBX" ]; then
+    echo "Coffre introuvable : $SECRETS_KDBX" >&2
+    return 1
+  fi
+
+  if ! command -v keepassxc-cli >/dev/null 2>&1; then
+    echo "keepassxc-cli introuvable" >&2
+    return 1
+  fi
+
+  if ! command -v expect >/dev/null 2>&1; then
+    echo "expect introuvable" >&2
+    return 1
+  fi
+
+  if [ -z "${KDBX_PASSWORD:-}" ]; then
+    printf "Mot de passe KeePassXC : " >&2
+    stty -echo
+    IFS= read -r KDBX_PASSWORD
+    stty echo
+    printf '\n' >&2
+  fi
+
+  echo "Chargement des secrets globaux..." >&2
+
+  # Export CSV complet — une seule ouverture du coffre
+  local csv
+  csv=$(KDBX_PASSWORD="$KDBX_PASSWORD" SECRETS_KDBX="$SECRETS_KDBX" expect <<'EOF'
+    log_user 0
+    set timeout 30
+    spawn keepassxc-cli export --format csv $env(SECRETS_KDBX)
+    expect "Saisir le mot de passe pour déverrouiller*"
+    send -- "$env(KDBX_PASSWORD)\r"
+    expect eof
+    catch wait result
+    puts -nonewline $expect_out(buffer)
+    exit [lindex $result 3]
+EOF
+  ) || {
+    echo "Impossible d'exporter le coffre." >&2
+    return 1
+  }
+
+  local loaded=0
+
+  while IFS=',' read -r group title username password rest; do
+    group="${group//\"/}"
+    title="${title//\"/}"
+    password="${password//\"/}"
+
+    [[ "$group" != "Racine/global" && "$group" != "Racine/global/"* ]] && continue
+
+    local var_name="$title"
+    if ! printf '%s' "$var_name" | grep -Eq '^[A-Z_][A-Z0-9_]*$'; then
+      echo "Nom invalide ignoré : $var_name" >&2
+      continue
+    fi
+
+    [ -z "$password" ] && { echo "Valeur vide ignorée : $var_name" >&2; continue; }
+
+    export "$var_name=$password"
+    loaded=$((loaded + 1))
+
+  done <<< "$csv"
+
+  if [ "$loaded" -eq 0 ]; then
+    echo "Aucun secret global chargé." >&2
+    return 1
+  fi
+
+  echo "Secrets chargés : $loaded"
+}
+
+_load_global_secrets
+unset -f _load_global_secrets

scripts/sync-service-secrets.sh

@@ -0,0 +1,110 @@
+#!/usr/bin/env bash
+
+_sync_service_secrets() {
+  local _env_paths
+  if [ -f "$HOME/AI_RULES/Auto_scripts/env_paths.sh" ]; then
+    _env_paths="$HOME/AI_RULES/Auto_scripts/env_paths.sh"
+  elif [ -f "/srv/shared/scripts/env_paths.sh" ]; then
+    _env_paths="/srv/shared/scripts/env_paths.sh"
+  else
+    echo "env_paths.sh introuvable" >&2
+    return 1
+  fi
+  source "$_env_paths" || return 1
+
+  if [ ! -f "$SECRETS_KDBX" ]; then
+    echo "Coffre introuvable : $SECRETS_KDBX" >&2
+    return 1
+  fi
+
+  if ! command -v keepassxc-cli >/dev/null 2>&1; then
+    echo "keepassxc-cli introuvable" >&2
+    return 1
+  fi
+
+  if ! command -v expect >/dev/null 2>&1; then
+    echo "expect introuvable" >&2
+    return 1
+  fi
+
+  local target_file
+  case "$(uname -s)" in
+    Darwin) target_file="$HOME/.config/auto-secrets/service.env" ;;
+    Linux)  target_file="/srv/shared/env/service.env" ;;
+    *)      echo "OS non supporté" >&2; return 1 ;;
+  esac
+
+  mkdir -p "$(dirname "$target_file")"
+  touch "$target_file"
+  chmod 600 "$target_file"
+
+  if [ -z "${KDBX_PASSWORD:-}" ]; then
+    printf "Mot de passe KeePassXC : " >&2
+    stty -echo
+    IFS= read -r KDBX_PASSWORD
+    stty echo
+    printf '\n' >&2
+  fi
+
+  echo "Sync des secrets de service..." >&2
+
+  # Export CSV complet — une seule ouverture du coffre
+  local csv
+  csv=$(KDBX_PASSWORD="$KDBX_PASSWORD" SECRETS_KDBX="$SECRETS_KDBX" expect <<'EOF'
+    log_user 0
+    set timeout 30
+    spawn keepassxc-cli export --format csv $env(SECRETS_KDBX)
+    expect "Saisir le mot de passe pour déverrouiller*"
+    send -- "$env(KDBX_PASSWORD)\r"
+    expect eof
+    catch wait result
+    puts -nonewline $expect_out(buffer)
+    exit [lindex $result 3]
+EOF
+  ) || {
+    echo "Impossible d'exporter le coffre." >&2
+    return 1
+  }
+
+  # Parse CSV : colonnes "Group","Title","Username","Password",...
+  # On garde les entrées dont le Group commence par "services/"
+  # ou dont le Group est exactement "services" (selon la structure KeePass)
+  local rendered_lines=""
+  local loaded=0
+
+  while IFS=',' read -r group title username password rest; do
+    # Retirer les guillemets CSV
+    group="${group//\"/}"
+    title="${title//\"/}"
+    password="${password//\"/}"
+
+    # Filtrer le groupe services
+    [[ "$group" != "Racine/services" && "$group" != "Racine/services/"* ]] && continue
+
+    # Le nom de variable = titre de l'entrée
+    local var_name="$title"
+    if ! printf '%s' "$var_name" | grep -Eq '^[A-Z_][A-Z0-9_]*$'; then
+      echo "Nom invalide ignoré : $var_name" >&2
+      continue
+    fi
+
+    [ -z "$password" ] && { echo "Valeur vide ignorée : $var_name" >&2; continue; }
+
+    rendered_lines+="$var_name=$password"$'\n'
+    loaded=$((loaded + 1))
+  done <<< "$csv"
+
+  if [ "$loaded" -eq 0 ]; then
+    echo "Aucun secret de service chargé." >&2
+    return 1
+  fi
+
+  printf '%s' "$rendered_lines" > "$target_file"
+  chmod 600 "$target_file"
+
+  echo "Secrets de service écrits dans : $target_file"
+  echo "Secrets de service chargés : $loaded"
+}
+
+_sync_service_secrets
+unset -f _sync_service_secrets