
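<?php
declare(strict_types=1);
// WEVIA Intent Helper : paperclip-fix-perms
// Wired by Opus 17 Apr (supervisor level) - executed by WEVIA Master via intent
//
// Root cause: files under the paperclip-weval run-logs directory are created as
// postgres:postgres 0644, while paperclip runs as www-data -> EACCES.
// Fix: chown postgres:www-data, chmod g+rwX, setgid on every directory so new
// entries inherit the www-data group, plus default ACLs so new files get group rw.
// Doctrine 2 (zero regression), doctrine 6 (root cause).
//
// SECURITY NOTE(review): this script runs recursive chown/chmod/setfacl under sudo
// and contains no authentication, CSRF or request-method check of its own. It is
// served from html/api/, so it must be protected upstream (web-server auth, source
// allowlist, or the WEVIA intent layer) - confirm that before exposing it; anyone
// who can reach this URL can trigger the privileged commands below. No request
// data reaches the shell: every command is built from the hard-coded $TARGET.
// The sudo rules must allow these exact commands without a password; otherwise
// the 30s timeout below simply kills the prompt and the step reports nothing.
header('Content-Type: application/json');

$TARGET = '/opt/paperclip-weval/instances/default/data/run-logs';
// Shell-quoted target. The path is a constant today, but quoting every use keeps
// the command lines safe if it is ever changed to contain spaces or metacharacters.
$T = escapeshellarg($TARGET);
// Probe file used by the final writability test (created as www-data, then removed).
$probe = escapeshellarg($TARGET . '/.wevia-write-test-' . time());

$out = [];
$cmds = [];
// 1) Diagnostic before: how many files still carry the wrong group.
$cmds[] = ['label' => 'before_count_postgres_postgres', 'cmd' => "find $T -type f -user postgres -group postgres 2>/dev/null | wc -l"];
$cmds[] = ['label' => 'before_count_postgres_www-data', 'cmd' => "find $T -type f -user postgres -group www-data 2>/dev/null | wc -l"];
// 2) Fix: recursive chown to postgres:www-data (owner unchanged, group opened to the web user).
$cmds[] = ['label' => 'fix_chown', 'cmd' => "sudo chown -R postgres:www-data $T 2>&1"];
// 3) Fix: group read/write; X adds execute only where a directory or an already-executable file.
$cmds[] = ['label' => 'fix_chmod_group', 'cmd' => "sudo chmod -R g+rwX $T 2>&1"];
// 4) Fix: setgid on all directories so newly created entries inherit the www-data group.
$cmds[] = ['label' => 'fix_setgid_dirs', 'cmd' => "sudo find $T -type d -exec chmod g+s {} + 2>&1"];
// 5) Prevention: default (-d) and current ACLs so new files are group-writable even when
//    the creating process uses a restrictive umask. ACL_SKIPPED is reported if setfacl
//    is unavailable or the filesystem has no ACL support.
$cmds[] = ['label' => 'fix_acl_default', 'cmd' => "sudo setfacl -R -d -m g:www-data:rwX $T 2>&1 || echo ACL_SKIPPED"];
$cmds[] = ['label' => 'fix_acl_current', 'cmd' => "sudo setfacl -R -m g:www-data:rwX $T 2>&1 || echo ACL_SKIPPED"];
// 6) Verification after: counts should move from *_bad to *_good, and www-data must be able to write.
$cmds[] = ['label' => 'after_count_bad', 'cmd' => "find $T -type f -user postgres -group postgres 2>/dev/null | wc -l"];
$cmds[] = ['label' => 'after_count_good', 'cmd' => "find $T -type f -group www-data 2>/dev/null | wc -l"];
$cmds[] = ['label' => 'after_setgid', 'cmd' => "find $T -type d -perm -g+s 2>/dev/null | wc -l"];
$cmds[] = ['label' => 'after_writable_test', 'cmd' => "sudo -u www-data touch $probe 2>&1 && echo WRITE_OK || echo WRITE_FAIL"];
$cmds[] = ['label' => 'cleanup_test', 'cmd' => "find $T -maxdepth 1 -name '.wevia-write-test-*' -delete 2>&1"];

foreach ($cmds as $c) {
    // Every step is bounded to 30s so a hung sudo (e.g. an unexpected password prompt)
    // cannot stall the request. The @ keeps PHP warnings out of the JSON body;
    // a failed pipe (false) is recorded explicitly instead of collapsing to ''.
    $r = @shell_exec('timeout 30 ' . $c['cmd']);
    $out[$c['label']] = $r === false ? 'EXEC_FAILED' : trim((string) $r);
}

// 7) Audit log. Note: get_current_user() is the owner of this script file, not the
//    process user, so the effective uid/gid are recorded alongside it. The original
//    line had no separator before the JSON payload; a space is now emitted.
$logLine = sprintf(
    "%s exec by %s uid=%d gid=%d %s\n",
    date('c'),
    get_current_user(),
    posix_geteuid(),
    posix_getegid(),
    json_encode($out)
);
$logged = @file_put_contents('/var/log/weval/paperclip-fix-perms.log', $logLine, FILE_APPEND) !== false;

// Response: per-step output keyed by label; 'logged' tells the caller whether the
// audit line was actually persisted (false if the log directory is missing/unwritable).
echo json_encode([
    'tool' => 'paperclip-fix-perms',
    'status' => 'executed',
    'target' => $TARGET,
    'result' => $out,
    'logged' => $logged,
    'ts' => date('c'),
], JSON_PRETTY_PRINT);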