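#!/bin/bash
# WEVIA Self-Managing Engine — run from cron every 5 minutes (*/5).
# Auto-fix, auto-optimize, auto-secure, auto-backup, auto-alert.
#
# Every section is best-effort: a failing step is logged (or silenced) and the
# script moves on to the next one, so `set -e` is deliberately NOT enabled.
# The script restarts services, writes under /proc and runs chattr, so it is
# expected to run as root; keep the file itself root-owned and not
# group/world-writable.
set -u

readonly LOG="/var/log/wevia-selfmanage.log"
readonly WEBROOT="/var/www/html"
readonly SITE="weval-consulting.com"

# Sample the clock once so every section of this run agrees on the time.
TS=$(date +%H:%M)
MINUTE=$(date +%M)
HOUR=$(date +%H)
readonly TS MINUTE HOUR

# Append one timestamped line to the engine log.
log() {
  printf '%s %s\n' "$TS" "$*" >>"$LOG"
}

# True during the first minutes of each hour (gate for the "hourly" jobs).
# NOTE(review): with a */5 schedule both the :00 and the :05 run fall inside
# this window, so hourly jobs can fire twice per hour — confirm that is wanted.
in_hourly_window() {
  [ "$MINUTE" -lt 6 ]
}

# === 1. SERVICE AUTO-RESTART ===
# ollama is deliberately absent from this list: section 12 states that the
# unit is masked and must never be restarted automatically.
for svc in nginx docker; do
  if ! systemctl is-active --quiet "$svc" 2>/dev/null; then
    if systemctl restart "$svc" 2>/dev/null; then
      log "RESTART: $svc"
    else
      log "RESTART-FAILED: $svc"
    fi
  fi
done

# PHP-FPM (multiple versions): stop at the first version that is already
# running or that can be started.
for php in php8.4-fpm php8.3-fpm php7.4-fpm; do
  systemctl is-active --quiet "$php" 2>/dev/null && break
  if systemctl start "$php" 2>/dev/null; then
    log "START: $php"
    break
  fi
done

# === 2. DOCKER HEALTH ===
# Restart every container reported as exited or dead.
# NOTE(review): this also revives containers that were stopped on purpose or
# that are one-shot jobs — confirm that is acceptable on this host.
while IFS= read -r container; do
  [ -n "$container" ] || continue
  # Skip containers that no longer exist (avoids dead-loop restarts).
  if docker inspect "$container" >/dev/null 2>&1; then
    docker restart "$container" </dev/null >/dev/null 2>&1
    log "DOCKER-RESTART: $container"
  fi
done < <(docker ps -f status=exited -f status=dead --format '{{.Names}}' 2>/dev/null)

# === 3. DISK AUTO-CLEAN (if >85%) ===
# -P keeps the df record on one line; the numeric guard avoids a test(1)
# error when df produced nothing.
disk=$(df -P / 2>/dev/null | awk 'NR==2 {sub(/%/, "", $5); print $5}')
if [[ "$disk" =~ ^[0-9]+$ ]] && [ "$disk" -gt 85 ]; then
  journalctl --vacuum-size=50M 2>/dev/null
  find /tmp -type f -mtime +1 -delete 2>/dev/null
  # Deleting rotated logs also deletes forensic history; ship logs off-host
  # first if they are needed for incident response.
  find /var/log -name '*.gz' -delete 2>/dev/null
  find /var/log -name '*.1' -delete 2>/dev/null
  docker system prune -f >/dev/null 2>&1
  log "DISK-CLEAN: ${disk}% → $(df -P / | awk 'NR==2 {print $5}')"
fi

# === 4. RAM AUTO-FREE (if >90%) ===
ram=$(free 2>/dev/null | awk '/Mem/ {printf("%.0f", $3/$2*100)}')
if [[ "$ram" =~ ^[0-9]+$ ]] && [ "$ram" -gt 90 ]; then
  { sync && echo 3 >/proc/sys/vm/drop_caches; } 2>/dev/null
  log "RAM-FREE: ${ram}%"
fi

# === 5. SSL EXPIRY CHECK ===
# Renew when the served certificate expires within 7 days (604800 s).
# `openssl x509 -checkend` prints its verdict on stdout, so the decision must
# come from its exit status; capturing stdout and comparing it with a marker
# string never matches and the renewal would not fire on a real expiry.
cert=$(openssl s_client -connect "${SITE}:443" -servername "$SITE" </dev/null 2>/dev/null)
if [ -z "$cert" ]; then
  # An unreachable endpoint is not evidence of expiry; record it instead of
  # calling certbot on every run of an outage.
  log "SSL-CHECK: could not fetch certificate from ${SITE}"
elif ! printf '%s\n' "$cert" | openssl x509 -noout -checkend 604800 >/dev/null 2>&1; then
  certbot renew --quiet 2>/dev/null
  log "SSL-RENEW: triggered"
fi

# === 6. GIT AUTO-BACKUP (hourly, only when the tree is dirty) ===
# NOTE(review): `git add -A` publishes everything in the web root to the
# `github` remote, including any credential or dump file dropped there;
# make sure .gitignore covers those and that the remote is private.
if in_hourly_window; then
  dirty=$(git -C "$WEBROOT" status --porcelain 2>/dev/null | wc -l)
  if [ "$dirty" -gt 0 ]; then
    if git -C "$WEBROOT" add -A \
      && git -C "$WEBROOT" commit -m "AUTO-BACKUP $(date +%Y%m%d-%H%M)" 2>/dev/null \
      && git -C "$WEBROOT" push github main 2>/dev/null; then
      log "GIT-BACKUP: $dirty files"
    else
      log "GIT-BACKUP: failed ($dirty files pending)"
    fi
  fi
fi

# === 7. DATABASE OPTIMIZE (daily at 3AM) ===
# The database password is no longer embedded in this script. libpq reads it
# from root's ~/.pgpass (mode 0600) or from PGPASSWORD in the cron
# environment; -w makes psql fail instead of prompting when neither is set.
# The password that used to be hard-coded here should be rotated.
if [ "$HOUR" = "03" ] && in_hourly_window; then
  if psql -w -h 10.1.0.3 -U admin -d adx_system -c "VACUUM ANALYZE" >/dev/null 2>&1; then
    log "DB-OPTIMIZE: vacuum analyze"
  else
    log "DB-OPTIMIZE: failed (no credential available or server unreachable)"
  fi
fi

# === 8. FILE INTEGRITY (chattr protected files) ===
# Re-apply the immutable flag when it is missing. Only the attribute column
# of lsattr is inspected: matching the whole line would also match the
# letter "i" inside the file path and the check would never fire.
# This re-locks the file as it is now; it does not verify its content, so a
# missing flag is worth investigating (clearing it requires root).
for f in "${WEBROOT}/wevia-master.html" "${WEBROOT}/weval-translate.js" "${WEBROOT}/weval-auth-session.php"; do
  [ -f "$f" ] || continue
  flags=$(lsattr "$f" 2>/dev/null | awk '{print $1}')
  case "$flags" in
    *i*) ;; # already immutable
    *)
      if chattr +i "$f" 2>/dev/null; then
        log "INTEGRITY: re-locked $f"
      else
        log "INTEGRITY: could not re-lock $f"
      fi
      ;;
  esac
done

# === 9. DOMAIN EXPIRY CHECK (weekly: Monday 08:00) ===
if [ "$(date +%u)" = "1" ] && [ "$HOUR" = "08" ] && in_hourly_window; then
  expiry=$(whois "$SITE" 2>/dev/null | grep -i -m1 'expir')
  log "DOMAIN: $expiry"
fi

# === 10. AUTO-WIKI (log learnings) ===
# Counts today's entries among the last 20 lines of the nginx error log.
errors=$(tail -n 20 /var/log/nginx/error.log 2>/dev/null | grep -c "$(date +%Y/%m/%d)")
if [ "$errors" -gt 10 ]; then
  log "ALERT: $errors nginx errors today"
fi

# === 11. QDRANT HEALTH ===
# Restart when the API does not answer or reports zero collections.
# --max-time keeps a hung listener from blocking the whole cron run.
qdrant=$(curl -sf --max-time 10 http://127.0.0.1:6333/collections 2>/dev/null \
  | python3 -c "import json,sys;print(len(json.load(sys.stdin).get('result',{}).get('collections',[])))" 2>/dev/null)
if [ -z "$qdrant" ] || [ "$qdrant" = "0" ]; then
  docker restart qdrant >/dev/null 2>&1
  log "QDRANT-RESTART"
fi

# === 12. OLLAMA EMBEDDING-ONLY CHECK (doctrine: only reachable, not auto-restart) ===
# Ollama is masked. Only start if embedding is actually needed AND not running.
# NO automatic restart: systemctl restart is disabled, embedding loads
# on-demand per doctrine.

# === 14. GITEA MIRROR (OPUS-ENRICH 16 Apr) — push to Gitea with an auth token ===
# The token is handed to git through an inline credential helper that reads
# it from the environment. It therefore never appears in the push URL, in
# the process list, or in git's stderr, which is appended to the log.
if in_hourly_window; then
  # -f2- keeps the full value even if the token itself contains '='.
  gitea_token=$(grep -h -m1 '^GITEA_SOVEREIGN_TOKEN=' /etc/weval/secrets.env 2>/dev/null | cut -d= -f2-)
  if [ -n "$gitea_token" ] && [ -d "$WEBROOT" ]; then
    gitea_remote=$(git -C "$WEBROOT" remote get-url gitea 2>/dev/null)
    # NOTE(review): this also accepts plain http://, which would send the
    # token unencrypted — confirm the gitea remote is https.
    if [[ "$gitea_remote" =~ ^http ]]; then
      # Drop any user[:password]@ already stored in the remote URL.
      clean_url=$(printf '%s\n' "$gitea_remote" | sed -E 's|^(https?://)[^@/]*@|\1|')
      # The first (empty) credential.helper resets any configured helpers.
      if GIT_TERMINAL_PROMPT=0 GITEA_USER=yanis GITEA_TOKEN="$gitea_token" \
        git -C "$WEBROOT" \
        -c credential.helper= \
        -c 'credential.helper=!f() { test "$1" = get && printf "username=%s\npassword=%s\n" "$GITEA_USER" "$GITEA_TOKEN"; }; f' \
        push "$clean_url" main 2>>"$LOG"; then
        log "GITEA-PUSH: ok"
      else
        log "GITEA-PUSH: warn"
      fi
    fi
  fi
fi

# === 15. VAULT SNAPSHOT (OPUS-ENRICH 16 Apr) — hourly, at minute 00 ===
if [ "$MINUTE" = "00" ] || [ "$MINUTE" = "01" ]; then
  vsnap=/opt/wevads/vault/auto-$(date +%Y%m%d-%H).tar.gz
  if [ ! -f "$vsnap" ]; then
    tar -czf "$vsnap" /opt/obsidian-vault 2>/dev/null && log "VAULT-SNAP: $vsnap"
    # Keep roughly two days of snapshots.
    find /opt/wevads/vault -maxdepth 1 -name 'auto-*.tar.gz' -mtime +2 -delete 2>/dev/null
  fi
fi

# === 16. L99 LIGHT refresh (OPUS-ENRICH 16 Apr) — every 30 min ===
# Certificate verification stays enabled (no -k): section 5 already expects
# this host name to serve a valid certificate, so a TLS failure here is a
# signal worth seeing rather than hiding.
if [ "$MINUTE" = "00" ] || [ "$MINUTE" = "30" ]; then
  curl -s --max-time 20 "https://${SITE}/api/l99-api.php" >/dev/null 2>&1 && log "L99-REFRESH"
fi

# === 13. WRITE STATUS JSON ===
# Same bytes json.dump() would produce, without interpolating shell output
# into Python source.
printf '{"ts": "%s", "status": "ok"}' "$(date +%H:%M)" >"${WEBROOT}/api/wevia-selfmanage.json"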