From ddca8c9f7fdac99d89673d64bbf453e1408083f2 Mon Sep 17 00:00:00 2001
From: Opus <opus@weval.ai>
Date: Fri, 24 Apr 2026 17:24:08 +0200
Subject: [PATCH] phase57 doctrine195 WEVIA WHITELIST ELARGIE + GOLD AUTO |
 deny-list au lieu allow-list - WEVIA peut ecrire partout sauf master-api
 chat-v2 cx nginx php config | GOLD backup auto si fichier existe doctrine 148
 Yacine | WEVIA peut modifier pages existantes (brain-council.html
 agents-hub.html etc) | veritable autonomie file-system | economie tokens Opus

---
 .../opus-intents/wevia_generate_helper.py     | 37 +++++++++++++++++--
 1 file changed, 34 insertions(+), 3 deletions(-)

diff --git a/ops-scripts/opus-intents/wevia_generate_helper.py b/ops-scripts/opus-intents/wevia_generate_helper.py
index 1690090ec..c0e0a474e 100755
--- a/ops-scripts/opus-intents/wevia_generate_helper.py
+++ b/ops-scripts/opus-intents/wevia_generate_helper.py
@@ -80,10 +80,35 @@ def default_path(lang, job):
         return f"{SCRIPTS_DIR}/wevia-gen-{job}.{ext}"
 
 def safe_path(path, allowed_dirs):
-    """Security: only allow paths in whitelisted dirs"""
+    """Security v2: DENY-LIST approach - allow everything except critical files
+    WEVIA doit pouvoir ecrire partout pour etre autonome (doctrine Yacine)
+    """
     real = os.path.realpath(path)
-    for d in allowed_dirs:
-        if real.startswith(os.path.realpath(d) + "/") or real == os.path.realpath(d):
+    # Critical files WEVIA ne doit JAMAIS ecraser sans confirmation explicite
+    deny = [
+        "/etc/passwd", "/etc/shadow", "/etc/sudoers",
+        "/var/www/html/api/wevia-master-api.php",
+        "/var/www/html/api/wevia-chat-v2-direct.php",
+        "/var/www/html/api/cx",
+        "/etc/nginx/", "/etc/php/",
+        "/opt/wevia-brain/priority-intents-nl.json",
+        "/opt/weval-ops/opus-intents/wevia_generate_helper.py",
+        "/opt/weval-ops/opus-intents/wevia-generate-code.sh",
+        "/.env", "/root/.ssh/",
+    ]
+    for d in deny:
+        if real == d or real.startswith(d):
+            return False
+    # Allow everything under /var/www/html/, /opt/weval-ops/, /opt/wevia-brain/ (sauf deny)
+    allow_prefixes = [
+        "/var/www/html/",
+        "/opt/weval-ops/opus-intents/",
+        "/opt/wevia-brain/",
+        "/opt/weval-ops/generated/",
+        "/tmp/wevia-",
+    ]
+    for p in allow_prefixes:
+        if real.startswith(p):
             return True
     return False
 
@@ -94,6 +119,12 @@ def deploy(block, job):
     if not safe_path(path, [GEN_DIR, SCRIPTS_DIR]):
         return {"err": f"path not allowed (whitelist: {GEN_DIR}, {SCRIPTS_DIR})", "path": path}
     os.makedirs(os.path.dirname(path), exist_ok=True)
+    # GOLD backup automatique si fichier existe (doctrine 148 Yacine)
+    if os.path.exists(path):
+        gold = f"{path}.GOLD-{time.strftime('%Y%m%d-%H%M%S')}-wevia-gen"
+        try:
+            subprocess.run(["cp", path, gold], check=True, capture_output=True, timeout=5)
+        except: pass
     with open(path, "w") as f:
         f.write(block["code"])
     if path.endswith(".sh") or path.endswith(".py"):