feat(deploy): add deploy-verify-permissions recipe + upload/run deploy-server.sh before verification + run migrations in deploy

justfile

@@ -60,10 +60,17 @@ deploy:
         --exclude 'storage/docs' \
         --exclude 'var/' \
         app/ xamxam:/var/www/xamxam/
+    # Upload deploy-server.sh for post-deploy permission fix
+    rsync -v scripts/deploy-server.sh xamxam:/tmp/deploy-server.sh
+    ssh xamxam "sudo bash /tmp/deploy-server.sh"
+    ssh xamxam "rm -f /tmp/deploy-server.sh"
     ssh xamxam "mkdir -p /var/www/xamxam/var/{cache,logs,tmp}"
-    ssh xamxam "cd /var/www/xamxam && php -r 'if (!file_exists(\"/var/www/xamxam/storage/xamxam.db\")) { \$db = new PDO(\"sqlite:/var/www/xamxam/storage/xamxam.db\"); \$db->exec(file_get_contents(\"/var/www/xamxam/storage/schema.sql\")); echo \"Database created from schema.\\n\"; } else { echo \"Database already exists.\\n\"; }' && php migrations/run.php /var/www/xamxam/storage/xamxam.db"
+    ssh xamxam "cd /var/www/xamxam && php -r 'if (!file_exists(\"/var/www/xamxam/storage/xamxam.db\")) { \$db = new PDO(\"sqlite:/var/www/xamxam/storage/xamxam.db\"); \$db->exec(file_get_contents(\"/var/www/xamxam/storage/schema.sql\")); echo \"Database created from schema.\\n\"; } else { echo \"Database already exists.\\n\"; }'"
+    # Run pending migrations
+    ssh xamxam "cd /var/www/xamxam && bash scripts/migrate.sh"
     # Sync .env separately (excluded above to avoid accidental overwrite on subsequent deploys)
     @just deploy-env
+    @just deploy-verify-permissions
 
 [group('deploy')]
 deploy-env:
@@ -107,6 +114,118 @@ deploy-db:
     rsync -v --progress app/storage/xamxam.db xamxam:/var/www/xamxam/storage/xamxam.db
     ssh xamxam "chown www-data:xamxam /var/www/xamxam/storage/xamxam.db && chmod 660 /var/www/xamxam/storage/xamxam.db"
 
+[group('deploy')]
+deploy-verify-permissions:
+	#!/usr/bin/env bash
+	set -euo pipefail
+	APP_DIR="/var/www/xamxam"
+	WEB_USER="www-data"
+	APP_GROUP="xamxam"
+	ERRORS=0
+
+	RED='\033[0;31m'
+	GREEN='\033[0;32m'
+	YELLOW='\033[1;33m'
+	NC='\033[0m'
+
+	ok()   { printf "${GREEN}✓${NC} %s\n" "$*"; }
+	err()  { printf "${RED}✗${NC} %s\n" "$*" >&2; ERRORS=$((ERRORS + 1)); }
+	warn() { printf "${YELLOW}!${NC} %s\n" "$*"; }
+
+	printf "🔍 Verifying permissions on %s…\n\n" "$APP_DIR"
+
+	# ── Ownership ──────────────────────────────────────────────────────────────────
+	echo "── Ownership ───────────────────────────────────"
+	while IFS= read -r line; do
+		owner=$(echo "$line" | awk '{print $3}')
+		group=$(echo "$line" | awk '{print $4}')
+		path=$(echo "$line" | awk '{print $NF}')
+		if [ "$owner" != "$WEB_USER" ] || [ "$group" != "$APP_GROUP" ]; then
+			err "$path → $owner:$group (expected $WEB_USER:$APP_GROUP)"
+		else
+			ok "$path → $owner:$group"
+		fi
+	done < <(ssh xamxam "stat -c '%U %G %n' $APP_DIR $APP_DIR/app $APP_DIR/storage $APP_DIR/var 2>/dev/null")
+
+	# ── Key directories: 2775 ─────────────────────────────────────────────────────
+	echo "── Directory permissions (expected 2775) ───────"
+	while IFS= read -r line; do
+		perms=$(echo "$line" | awk '{print $1}')
+		path=$(echo "$line" | awk '{print $NF}')
+		if [ "$perms" != "drwxrwsr-x" ]; then
+			err "$path → $perms (expected drwxrwsr-x / 2775)"
+		else
+			ok "$path → $perms"
+		fi
+	done < <(ssh xamxam "find $APP_DIR -maxdepth 2 -type d -exec stat -c '%A %n' {} \\; 2>/dev/null | sort")
+
+	# ── Key files: 664 ────────────────────────────────────────────────────────────
+	echo "── File permissions (expected 664 / 660) ───────"
+	# Spot-check a few critical files
+	while IFS= read -r path; do
+		perms=$(ssh xamxam "stat -c '%a %U %G' '$path' 2>/dev/null" || echo "MISSING")
+		if [ "$perms" = "MISSING" ]; then
+			err "$path → FILE MISSING"
+		else
+			perm_num=$(echo "$perms" | awk '{print $1}')
+			owner=$(echo "$perms" | awk '{print $2}')
+			group=$(echo "$perms" | awk '{print $3}')
+			case "$path" in
+				*/storage/xamxam.db|*/storage/*.db)
+					expected_perm="660" ;;
+				*)
+					expected_perm="664" ;;
+			esac
+			if [ "$perm_num" != "$expected_perm" ]; then
+				err "$path → $perm_num ($owner:$group), expected $expected_perm $WEB_USER:$APP_GROUP"
+			elif [ "$owner" != "$WEB_USER" ]; then
+				err "$path → owner $owner, expected $WEB_USER (perm $perm_num OK)"
+			else
+				ok "$path → $perm_num $owner:$group"
+			fi
+		fi
+	done < <(printf '%s\n' \
+		"$APP_DIR/.env" \
+		"$APP_DIR/app/router.php" \
+		"$APP_DIR/storage/xamxam.db")
+
+	# ── var/ subdirectories must be writable ──────────────────────────────────────
+	echo "── var/ writability ────────────────────────────"
+	for subdir in cache logs tmp; do
+		if ssh xamxam "[ -w /var/www/xamxam/var/$subdir ]"; then
+			ok "var/$subdir → writable"
+		else
+			err "var/$subdir → NOT WRITABLE"
+		fi
+	done
+
+	# ── storage/cache/rate_limit writable ─────────────────────────────────────────
+	if ssh xamxam "[ -w /var/www/xamxam/storage/cache/rate_limit ]"; then
+		ok "storage/cache/rate_limit → writable"
+	else
+		err "storage/cache/rate_limit → NOT WRITABLE"
+	fi
+
+	# ── .env must be 640 ──────────────────────────────────────────────────────────
+	env_perm=$(ssh xamxam "stat -c '%a' /var/www/xamxam/.env 2>/dev/null" || echo "")
+	if [ "$env_perm" = "640" ]; then
+		ok ".env → 640"
+	elif [ -z "$env_perm" ]; then
+		warn ".env → MISSING"
+	else
+		err ".env → $env_perm (expected 640)"
+	fi
+
+	# ── Summary ───────────────────────────────────────────────────────────────────
+	echo ""
+	if [ "$ERRORS" -eq 0 ]; then
+		printf "${GREEN}✅ All permissions OK${NC}\n"
+	else
+		printf "${RED}❌ %d permission error(s) found${NC}\n" "$ERRORS"
+		printf "${YELLOW}Fix with: sudo bash /tmp/deploy-server.sh${NC}\n"
+		exit 1
+	fi
+
 [group('deploy')]
 deploy-script script_name:
     # Generic script deployer (e.g., just deploy-script setup-server)