<?php
// Opus WIRE 19-avr doctrine 94 - Safe Write Helper
// Allows WEVIA to write whitelisted paths (chattr lifecycle handled by sudoers)
// REQUIRES: sudo access for www-data on chattr (to be configured by root)
// WHITELIST: only specific files or paths WEVIA can modify autonomously
// SECURITY: token required + path validation

header('Content-Type: application/json');
header('Access-Control-Allow-Origin: *');

$TOKEN = 'SAFEWRITE2026_WEVIA_DOCTRINE94';
$WHITELIST = [
    '/var/www/html/wiki/',           // Wiki docs
    '/var/www/html/api/playwright-results/',  // Test results
    '/opt/weval-l99/wiki/',          // L99 wiki
    '/opt/obsidian-vault/sessions/',  // Session files
    '/opt/weval-l99/kpi-cache/',     // KPI feeders output
    '/tmp/wevia-',                    // Temp files
];

$input = json_decode(file_get_contents('php://input'), true);
$token = $input['token'] ?? '';
$path = $input['path'] ?? '';
$content = $input['content'] ?? '';
$action = $input['action'] ?? 'write';

if ($token !== $TOKEN) {
    http_response_code(403);
    echo json_encode(['error' => 'invalid token']);
    exit;
}

if (empty($path)) {
    echo json_encode(['error' => 'path required', 'whitelist' => $WHITELIST]);
    exit;
}

// Resolve to absolute path safely
$path = realpath(dirname($path)) . '/' . basename($path);
$allowed = false;
foreach ($WHITELIST as $prefix) {
    if (strpos($path, $prefix) === 0) { $allowed = true; break; }
}
if (!$allowed) {
    http_response_code(403);
    echo json_encode(['error' => 'path not in whitelist', 'path' => $path, 'whitelist' => $WHITELIST]);
    exit;
}

// Reject path traversal
if (strpos($path, '..') !== false || strpos($path, " ") !== false) {
    http_response_code(403);
    echo json_encode(['error' => 'path traversal detected']);
    exit;
}

if ($action === 'write') {
    // Ensure directory exists
    $dir = dirname($path);
    if (!is_dir($dir)) @mkdir($dir, 0755, true);
    $bytes = @file_put_contents($path, $content);
    if ($bytes === false) {
        http_response_code(500);
        echo json_encode(['error' => 'write failed', 'path' => $path]);
        exit;
    }
    @chmod($path, 0644);
    echo json_encode(['ok' => true, 'path' => $path, 'bytes' => $bytes, 'action' => 'written']);
    exit;
}

if ($action === 'read') {
    if (!file_exists($path)) { http_response_code(404); echo json_encode(['error'=>'not found']); exit; }
    echo json_encode(['ok'=>true, 'path'=>$path, 'content'=>file_get_contents($path), 'size'=>filesize($path)]);
    exit;
}

if ($action === 'append') {
    $bytes = @file_put_contents($path, $content, FILE_APPEND);
    echo json_encode(['ok' => $bytes !== false, 'path' => $path, 'bytes' => $bytes]);
    exit;
}

echo json_encode(['error' => 'unknown action', 'actions' => ['write', 'read', 'append']]);