yanis/html
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
Files
da170ef31d6b54f82b815dce3e237d1cbe220c96
html/api/wevia-opus-write-intents.php
opus 8af035d738 auto-sync-0300
2026-04-17 03:00:01 +02:00

207 lines
11 KiB
PHP
Raw Blame History

<?php
/**
* wevia-opus-write-intents.php — OPUS WIRE v2: file_write + real_exec + intent_wire_real
*
* Fix cause-racine autonomie WEVIA Master (doctrines 46-48 V12-bis):
* - Doctrine 46 INTENT-POWER-GRANTED: intent_wire_real écrit vraiment dans wevia-opus-intents.php
* - Doctrine 47 PATTERN-WORD-BOUNDARY: tous les patterns utilisent \b
* - Doctrine 48 OBSERVABLE-EXEC: toute réponse contient exec_trace
*
* SÉCURITÉ: whitelist stricte des chemins + commandes + pas de sudo/rm/chattr dans real_exec
*
* Créé: 17 avr 2026 — Opus 4.7 (Yacine V12-FINAL autonomie closure)
*/
if (!function_exists('wevia_write_intents')) {
function _wevia_write_allowed_path($p) {
$p = realpath($p) ?: $p;
$whitelist = [
'/var/www/html/api/wiki-',
'/var/www/html/api/wevia-wiki-entries',
'/var/www/html/api/wevia-learnings',
'/opt/wevads/vault/',
'/opt/weval-l99/logs/',
'/opt/weval-l99/wiki/',
'/opt/wevia-brain/sessions/',
'/tmp/wevia-',
'/tmp/v11', '/tmp/v12',
];
foreach ($whitelist as $pref) {
if (strpos($p, $pref) === 0) return true;
}
return false;
}
function _wevia_real_exec_safe($cmd) {
// Doctrine 47: whitelist strict — aucune substitution $(), backtick, redirection vers /etc, sudo, rm -rf, chattr, systemctl, pkill
$banned_patterns = [
'/\bsudo\b/', '/\brm\s+-rf\b/', '/\bchattr\b/', '/\bsystemctl\b/',
'/\bpkill\b/', '/\bkill\s+-9\b/', '/\bmkfs\b/', '/\bdd\s+if=/',
'/>\s*\/etc\//', '/>\s*\/root\//', '/>\s*\/var\/spool\//',
'/\bshutdown\b/', '/\breboot\b/', '/\bhalt\b/',
];
foreach ($banned_patterns as $bp) {
if (preg_match($bp, $cmd)) return ['ok' => false, 'reason' => "banned pattern: $bp"];
}
// whitelist commandes : ls, cat, head, tail, wc, grep, find, echo, curl, ps, df, du, date, md5sum, git
if (!preg_match('/^\s*(ls|cat|head|tail|wc|grep|find|echo|curl|ps|df|du|date|md5sum|git|php|python3|jq|awk|sed|sort|uniq|stat|file|which)\s/', $cmd)) {
return ['ok' => false, 'reason' => 'command not in whitelist (ls/cat/head/tail/wc/grep/find/echo/curl/ps/df/du/date/md5sum/git/php/python3/jq/awk/sed/sort/uniq/stat/file/which)'];
}
// whitelist paths : seuls les args commençant par /tmp/, /opt/weval-l99/, /opt/wevads/vault/, /var/www/weval/claude-sync/ sont OK
if (preg_match_all('/(?<![:\/\w])\/[^\s\/][^\s]*/', $cmd, $paths)) {
foreach ($paths[0] as $p) {
if (preg_match('/^\/(tmp|opt\/weval-l99|opt\/wevads\/vault|var\/www\/weval\/claude-sync|var\/www\/html\/api\/wiki-|dev\/null|usr\/bin|bin)/', $p)) continue;
return ['ok' => false, 'reason' => "path not in whitelist: $p"];
}
}
$out = @shell_exec($cmd . ' 2>&1');
return ['ok' => true, 'out' => $out, 'cmd' => $cmd];
}
function wevia_write_intents($msg, $base = '') {
// INTENT 1: real_exec — "exec:" ou "raw:" prefix → whitelisted shell command
// Doctrine 47: \b word boundaries
if (preg_match('/^\s*(?:exec|raw|run):\s*(.+)$/iu', $msg, $m)) {
$cmd = trim($m[1]);
$r = _wevia_real_exec_safe($cmd);
// Doctrine 48: exec_trace obligatoire
return [
'content' => $r['ok']
? "✅ EXEC OK:\n```\n" . ($r['out'] ?? '(no output)') . "\n```"
: "❌ EXEC REFUSED: " . $r['reason'],
'provider' => 'wevia-real-exec',
'executed' => $r['ok'],
'exec_trace' => $r['ok'] ? $r['cmd'] : "REFUSED: {$r['reason']}",
'intent' => 'real_exec',
];
}
// INTENT 2: intent_wire_real — "wire intent NAME pattern PATTERN exec COMMAND"
// Doctrine 46: vrai writer, pas compteur
// Syntaxe: wire intent mon_intent pattern "\b(foo|bar)\b" exec "ls /tmp"
if (preg_match('/\bwire\s+intent\s+(\w+)\s+pattern\s+[\"\'](.+?)[\"\']\s+exec\s+[\"\'](.+?)[\"\']/iu', $msg, $m)) {
$name = preg_replace('/[^a-z0-9_]/i', '', $m[1]);
$pattern = $m[2];
$exec_cmd = $m[3];
$target = '/var/www/html/api/wevia-opus-intents.php';
if (!file_exists($target)) {
return ['content' => "❌ target missing: $target", 'provider' => 'wevia-intent-wire-real', 'executed' => false, 'exec_trace' => "stat $target"];
}
// GOLD backup (doctrine 3)
$ts = date('Ymd-His');
$gold = "/opt/wevads/vault/wevia-opus-intents.GOLD-$ts-pre-autowire-$name.php";
$cp_rc = 0;
@shell_exec("sudo -n cp " . escapeshellarg($target) . " " . escapeshellarg($gold) . " 2>&1");
if (!file_exists($gold)) {
@copy($target, $gold);
}
if (!file_exists($gold)) {
return ['content' => "❌ GOLD backup failed on $gold", 'provider' => 'wevia-intent-wire-real', 'executed' => false, 'exec_trace' => "cp $target $gold"];
}
// Construire bloc intent canonical
$block = "\n // INTENT: $name (auto-wired " . date('Y-m-d H:i') . " via wevia_write_intents)\n" .
" if (preg_match('/$pattern/iu', \$msg)) {\n" .
" \$__out = @shell_exec(" . var_export($exec_cmd, true) . " . ' 2>&1');\n" .
" return ['content' => \$__out ?: '(no output)', 'provider' => 'auto-wired', 'intent' => '$name', 'exec_trace' => " . var_export($exec_cmd, true) . "];\n" .
" }\n";
// str_replace safe: on cherche le dernier "return null;" AVANT le "}" final de wevia_opus_intents
$content = file_get_contents($target);
// Injection avant le dernier 'return null;' de la fonction
$needle = "return null;";
$last_pos = strrpos($content, $needle);
if ($last_pos === false) {
return ['content' => "❌ 'return null;' anchor missing in $target", 'provider' => 'wevia-intent-wire-real', 'executed' => false, 'exec_trace' => "strrpos return null;"];
}
$new = substr($content, 0, $last_pos) . $block . "\n " . substr($content, $last_pos);
// Try chattr -i sudo
@shell_exec("sudo -n chattr -i " . escapeshellarg($target) . " 2>/dev/null");
$bytes = @file_put_contents($target, $new);
@shell_exec("sudo -n chattr +i " . escapeshellarg($target) . " 2>/dev/null");
if ($bytes === false) {
// fallback tee
$tmpf = "/tmp/wevia-auto-$name-" . $ts . ".php";
file_put_contents($tmpf, $new);
exec("sudo -n chattr -i " . escapeshellarg($target) . " 2>/dev/null; sudo -n cp " . escapeshellarg($tmpf) . " " . escapeshellarg($target) . " 2>&1; RC=\$?; sudo -n chattr +i " . escapeshellarg($target) . " 2>/dev/null; echo \$RC", $out, $rc);
$bytes = (isset($rc) && $rc === 0) ? strlen($new) : false;
}
// Syntax check
$lint = @shell_exec("php -l " . escapeshellarg($target) . " 2>&1");
$lint_ok = strpos($lint, 'No syntax errors') !== false;
if (!$lint_ok && file_exists($gold)) {
// rollback
@shell_exec("sudo -n chattr -i " . escapeshellarg($target) . " 2>/dev/null; sudo -n cp " . escapeshellarg($gold) . " " . escapeshellarg($target) . " 2>&1; sudo -n chattr +i " . escapeshellarg($target) . " 2>/dev/null");
return [
'content' => "❌ AUTOWIRE FAILED (syntax error) — ROLLED BACK from GOLD.\nLint: $lint",
'provider' => 'wevia-intent-wire-real',
'executed' => false,
'exec_trace' => "php -l $target → syntax error, rollback $gold",
'gold' => $gold,
];
}
return [
'content' => ($bytes !== false && $lint_ok)
? "✅ INTENT WIRED: $name\n Pattern: /$pattern/iu\n Exec: $exec_cmd\n Target: $target ($bytes bytes)\n GOLD: $gold\n Syntax: OK"
: "❌ write failed (bytes=$bytes, lint_ok=" . ($lint_ok ? 'yes' : 'no') . ")",
'provider' => 'wevia-intent-wire-real',
'executed' => ($bytes !== false && $lint_ok),
'exec_trace' => "GOLD $gold; str_replace anchor 'return null;'; php -l; chattr -i/+i",
'intent' => 'intent_wire_real',
'name' => $name,
'gold' => $gold,
];
}
// INTENT 3 (existing): append/ajoute ... dans/à /path
if (preg_match('/\b(?:ajoute?|appends?|ecris|écris|write)\s+(?:la\s+ligne\s+)?["«]?(.+?)["»]?\s+(?:dans|à|to|in)\s+(\/\S+)/iu', $msg, $m)) {
$content = trim($m[1], " \"'«»");
$path = trim($m[2]);
if (!_wevia_write_allowed_path($path)) {
return ['content' => "❌ REFUSED: path $path hors whitelist sécurité", 'provider' => 'write-guard', 'executed' => false, 'exec_trace' => "whitelist check failed on $path"];
}
$line = rtrim($content) . "\n";
$ok = @file_put_contents($path, $line, FILE_APPEND);
if ($ok === false) {
$escaped = escapeshellarg($line);
exec("sudo -n chattr -i " . escapeshellarg($path) . " 2>/dev/null; echo -n $escaped | sudo -n tee -a " . escapeshellarg($path) . " > /dev/null 2>&1; RC=\$?; sudo -n chattr +i " . escapeshellarg($path) . " 2>/dev/null; echo \$RC", $out, $rc2);
$ok = ($rc2 === 0) ? strlen($line) : false;
}
$tail = @shell_exec("tail -3 " . escapeshellarg($path) . " 2>&1");
return [
'content' => ($ok !== false ? "✅ WRITE OK: $ok bytes appended to $path\n\n---TAIL---\n$tail" : "❌ WRITE FAILED on $path"),
'provider' => 'wevia-write-intent',
'executed' => ($ok !== false),
'exec_trace' => "file_put_contents $path FILE_APPEND ($ok bytes)",
'path' => $path,
'intent' => 'file_append',
];
}
// INTENT 4 (existing): met à jour le wiki
if (preg_match('/\b(?:mets?\s+[aà]\s+jour|actualise|update)\s+(?:le\s+)?wiki(?:\s+avec\s+|\s*[:;]\s*)(.+)/iu', $msg, $m)) {
$content = trim($m[1], " \"'«»");
$path = '/var/www/html/api/wiki-sessions.md';
$ts = date('Y-m-d H:i');
$line = "- **$ts** · $content\n";
$ok = @file_put_contents($path, $line, FILE_APPEND);
if ($ok === false) {
$escaped = escapeshellarg($line);
exec("sudo -n chattr -i " . escapeshellarg($path) . " 2>/dev/null; echo -n $escaped | sudo -n tee -a " . escapeshellarg($path) . " > /dev/null 2>&1; RC=\$?; sudo -n chattr +i " . escapeshellarg($path) . " 2>/dev/null; echo \$RC", $out, $rc2);
$ok = ($rc2 === 0) ? strlen($line) : false;
}
$tail = @shell_exec("tail -5 " . escapeshellarg($path));
return [
'content' => ($ok !== false ? "✅ WIKI updated: $ok bytes → $path\n\n---TAIL---\n$tail" : "❌ WIKI write failed"),
'provider' => 'wevia-wiki-update-intent',
'executed' => ($ok !== false),
'exec_trace' => "file_put_contents $path FILE_APPEND ($ok bytes)",
'path' => $path,
'intent' => 'wiki_update',
];
}
return null;
}
}
Reference in New Issue View Git Blame Copy Permalink