Changement dans la config pour éviter les url en dur + mise en place d'un mode démo

core/src/main/java/com/loremind/infrastructure/web/controller/ConfigController.java

@@ -0,0 +1,30 @@
+package com.loremind.infrastructure.web.controller;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.Map;
+
+/**
+ * Expose la configuration publique consommee par le frontend au demarrage.
+ * Activer le mode demo via la variable d'env DEMO_MODE=true : le front
+ * masque alors Settings / Export VTT, et les endpoints sensibles sont
+ * verrouilles cote serveur (cf. SettingsController).
+ */
+@RestController
+@RequestMapping("/api/config")
+public class ConfigController {
+
+    private final boolean demoMode;
+
+    public ConfigController(@Value("${app.demo-mode:false}") boolean demoMode) {
+        this.demoMode = demoMode;
+    }
+
+    @GetMapping
+    public Map<String, Object> getPublicConfig() {
+        return Map.of("demoMode", demoMode);
+    }
+}

core/src/main/java/com/loremind/infrastructure/web/controller/SettingsController.java

@@ -4,6 +4,7 @@ import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -13,6 +14,7 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.client.RestTemplate;
+import org.springframework.web.server.ResponseStatusException;
 
 import java.util.Map;
 
@@ -32,20 +34,25 @@ public class SettingsController {
 
     private final RestTemplate restTemplate;
     private final String brainBaseUrl;
+    private final boolean demoMode;
 
     public SettingsController(RestTemplate restTemplate,
-                              @Value("${brain.base-url}") String brainBaseUrl) {
+                              @Value("${brain.base-url}") String brainBaseUrl,
+                              @Value("${app.demo-mode:false}") boolean demoMode) {
         this.restTemplate = restTemplate;
         this.brainBaseUrl = brainBaseUrl;
+        this.demoMode = demoMode;
     }
 
     @GetMapping
     public ResponseEntity<Map<String, Object>> getSettings() {
+        guardDemoMode();
         return forward(HttpMethod.GET, "/settings", null);
     }
 
     @PutMapping
     public ResponseEntity<Map<String, Object>> updateSettings(@RequestBody Map<String, Object> patch) {
+        guardDemoMode();
         return forward(HttpMethod.PUT, "/settings", patch);
     }
 
@@ -64,6 +71,12 @@ public class SettingsController {
         return forward(HttpMethod.GET, "/models/onemin", null);
     }
 
+    private void guardDemoMode() {
+        if (demoMode) {
+            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "Settings disabled in demo mode");
+        }
+    }
+
     @SuppressWarnings({"rawtypes", "unchecked"})
     private ResponseEntity<Map<String, Object>> forward(HttpMethod method, String path, Object body) {
         HttpHeaders headers = new HttpHeaders();

core/src/main/resources/application.properties

@@ -21,13 +21,13 @@ spring.jpa.show-sql=true
 spring.jpa.properties.hibernate.format_sql=true
 
 # Configuration CORS pour autoriser le Frontend Angular
-spring.web.cors.allowed-origins=http://localhost:4200
+spring.web.cors.allowed-origins=${CORS_ALLOWED_ORIGINS:http://localhost:4200}
 spring.web.cors.allowed-methods=GET,POST,PUT,DELETE,OPTIONS
 spring.web.cors.allowed-headers=*
 spring.web.cors.allow-credentials=true
 
 # Configuration du Brain (service IA Python)
-brain.base-url=http://localhost:8000
+brain.base-url=${BRAIN_BASE_URL:http://localhost:8000}
 brain.timeout-seconds=120
 
 # Secret partage Core <-> Brain (auth inter-service via entete X-Internal-Secret).
@@ -50,3 +50,7 @@ minio.bucket=${MINIO_BUCKET:loremind-images}
 # Limites d'upload d'images (MB)
 spring.servlet.multipart.max-file-size=10MB
 spring.servlet.multipart.max-request-size=10MB
+
+# Mode demo : masque Settings/Export cote front et bloque les PUT /api/settings
+# cote serveur. Activer via DEMO_MODE=true sur les deploiements publics.
+app.demo-mode=${DEMO_MODE:false}