#!/usr/bin/env bash
# =============================================================================
# onx-log-clear — Whitelisted log file truncate (clear).
#
# D5-26: PhpErrorLogController::clear() bu action'ı çağırıyordu ama script YOKtu
# (AllowedActions + FakeSysapi'de kayıtlı → testler false-green, prod kırık).
#
# Input (stdin JSON):  {"path":"/home/onx_xxx/logs/php_errors.log"}
# Output (stdout JSON): {"path":"...","previous_size_bytes":N,"new_size_bytes":0}
#
# Exit codes: 0 ok · 1 invalid input (path/whitelist/traversal/symlink) · 3 exec fail
#
# Güvenlik:
#   • Path ALLOWED_PATTERNS whitelist'ine uymalı (yalnız MÜŞTERİ logları; sistem
#     logları truncate EDİLEMEZ).
#   • '..' traversal + symlink (cross-account hedefe truncate) reddedilir.
#
# Sudoers: apache ALL=(root) NOPASSWD: /usr/local/onoxsoft/bin/onx-log-clear
# =============================================================================
# Strict mode: abort on an unhandled command failure, on use of an unset variable,
# and when any stage of a pipeline fails.
set -euo pipefail

# Directory that holds this script, taken from the symlink-resolved path of $0, so
# the helper library is loaded from next to the real file and not from the
# directory of a symlink that points at it.
SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
# shellcheck source=_lib/common.sh
source "${SCRIPT_DIR}/_lib/common.sh"

# NOTE(review): presumably reads and parses the JSON request from stdin so that
# onx_json_field can be used afterwards; the helper lives in _lib/common.sh, which
# is not shown here, so confirm there.
onx_json_input

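# Requested log path from the request document; the second argument ('') is the
# fallback handed to onx_json_field.
PATH_ARG=$(onx_json_field 'path' '')
[[ -n "$PATH_ARG" ]] || onx_die 1 "path is required"
[[ "$PATH_ARG" == *".."* ]] && onx_die 1 "path traversal not allowed"
# D5-04 class: do NOT truncate a symlink (it could point at another account's file).
[[ -L "$PATH_ARG" ]] && onx_die 1 "symlink reddedildi: $PATH_ARG"

# Only customer-owned logs may be cleared (a subset consistent with onx-log-tail).
ALLOWED_PATTERNS=(
    "/home/*/logs/php_errors.log"
    "/home/*/logs/*.php_errors.log"
    "/home/*/logs/*-access.log"
    "/home/*/logs/*-error.log"
)
allowed=false
# Shape check first: inside [[ == ]] a '*' also matches '/', so the globs above
# would on their own accept nested paths such as /home/a/b/logs/c/d-error.log.
# Require exactly /home/<account>/logs/<file> before consulting the whitelist.
if [[ "$PATH_ARG" =~ ^/home/[^/]+/logs/[^/]+$ ]]; then
    for pattern in "${ALLOWED_PATTERNS[@]}"; do
        # shellcheck disable=SC2053
        if [[ "$PATH_ARG" == $pattern ]]; then
            allowed=true
            break
        fi
    done
fi
[[ "$allowed" == "true" ]] || onx_die 1 "path_not_allowed: $PATH_ARG"

# The -L test above looks only at the last path component. The sudoers entry in the
# file header runs this script as root, so a symlinked /home/<account> or
# /home/<account>/logs would redirect the truncate just as a symlinked file would.
# Reject both parent directories as well.
logs_dir=${PATH_ARG%/*}
account_dir=${logs_dir%/*}
for parent_dir in "$account_dir" "$logs_dir"; do
    if [[ -L "$parent_dir" ]]; then
        onx_die 1 "symlink in path not allowed: $PATH_ARG"
    fi
done
# NOTE(review): these are check-then-use tests; a path component can still be
# swapped between here and the truncate. Presumably the account owner can write to
# these directories (confirm). Closing the gap needs the truncate to run with the
# account's own privileges, or an open that refuses symlinks.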

# Size of the file before it was emptied; stays 0 when the path is not an existing
# regular file, in which case nothing is truncated and success is still reported.
PREV=0
if [[ -f "$PATH_ARG" ]]; then
    # A stat failure is reported as 0 bytes instead of aborting the request.
    if ! PREV=$(stat -c %s "$PATH_ARG" 2>/dev/null); then
        PREV=0
    fi
    # Empty the file in place (the inode is kept, so a writer holding it open
    # continues to append to the same file).
    # NOTE(review): -f and the redirection both follow symlinks, so everything
    # depends on the path checks made earlier still holding at this point.
    if ! : > "$PATH_ARG"; then
        onx_die 3 "truncate failed: $PATH_ARG"
    fi
fi

onx_log "log-clear: ${PATH_ARG} (${PREV} bytes cleared)"
# jq -Rs turns the raw path into one properly escaped JSON string, so quotes or
# backslashes in the path cannot break the response document.
printf '{"path":%s,"previous_size_bytes":%d,"new_size_bytes":0}\n' \
    "$(printf '%s' "$PATH_ARG" | jq -Rs '.')" \
    "$PREV"
