From 0a6744644dd7b5bd0fd65db4a8ff910805be1c9e Mon Sep 17 00:00:00 2001
From: Jonathan Miller <jmiller-moko@noreply.git.mokoconsulting.tech>
Date: Sat, 23 May 2026 16:55:41 -0500
Subject: [PATCH] fix: script.php uses heartbeat receiver instead of Grafana
 API

The postflight still had the old Grafana API code with obfuscated tokens,
causing 403 RBAC errors on install/update. Now uses the heartbeat receiver
at bench.mokoconsulting.tech/api/waas-heartbeat/register.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/script.php | 109 ++++++++++++++++---------------------------------
 1 file changed, 35 insertions(+), 74 deletions(-)

diff --git a/src/script.php b/src/script.php
index 231800a..d18f6de 100644
--- a/src/script.php
+++ b/src/script.php
@@ -792,96 +792,57 @@ class plgSystemMokoWaaSInstallerScript implements InstallerScriptInterface
 			$db->execute();
 		}
 
-		// Grafana provisioning — obfuscated credentials
-		$gXor = 'MokoWaaS-Grafana-Provision';
-		$deobfuscate = function ($encoded) use ($gXor) {
-			$data = base64_decode($encoded);
-			$out  = '';
-			for ($i = 0, $len = strlen($data); $i < $len; $i++) {
-				$out .= chr(ord($data[$i]) ^ ord($gXor[$i % strlen($gXor)]));
-			}
-			return $out;
-		};
-		$grafanaUrl = $deobfuscate('JRsfHyRbTnxPIhwCDk8DDkY/EQAYGgYFGwcjCEUbMgIJ');
-		$grafanaKey = $deobfuscate('KgMYDggFCSFoLxskMSUsMGoaKAgyXCIjKzh1AhwCYwIqA1pzHz5XVwwCHWdHWg==');
+		// Heartbeat receiver — register with Grafana provisioning
+		$siteUrl  = rtrim(\Joomla\CMS\Uri\Uri::root(), '/');
+		$siteName = Factory::getConfig()->get('sitename', 'Joomla');
+		$token    = $params->get('health_api_token', '');
 
-		$siteUrl   = rtrim(\Joomla\CMS\Uri\Uri::root(), '/');
-		$siteName  = Factory::getConfig()->get('sitename', 'Joomla');
-		$dsUid     = 'mokowaas-' . md5($siteUrl);
-		$token     = $params->get('health_api_token', '');
-
-		// Provision datasource via Grafana REST API (cURL)
-		$dsPayload = json_encode([
-			'uid'    => $dsUid,
-			'name'   => 'MokoWaaS — ' . $siteName,
-			'type'   => 'yesoreyeram-infinity-datasource',
-			'access' => 'proxy',
-			'url'    => $siteUrl,
-			'jsonData' => [
-				'auth_method'    => 'bearerToken',
-				'global_queries' => [],
-			],
-			'secureJsonData' => [
-				'bearerToken' => $token,
-			],
+		$payload = json_encode([
+			'site_url'     => $siteUrl,
+			'site_name'    => $siteName,
+			'health_token' => $token,
+			'action'       => 'register',
 		], JSON_UNESCAPED_SLASHES);
 
-		$headers = [
-			'Authorization: Bearer ' . $grafanaKey,
+		$ch = curl_init('https://bench.mokoconsulting.tech/api/waas-heartbeat/register');
+		curl_setopt($ch, CURLOPT_POST, true);
+		curl_setopt($ch, CURLOPT_HTTPHEADER, [
 			'Content-Type: application/json',
-			'Accept: application/json',
-		];
-
-		// Try PUT (update), fall back to POST (create)
-		$ch = curl_init($grafanaUrl . '/api/datasources/uid/' . $dsUid);
-		curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
-		curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
-		curl_setopt($ch, CURLOPT_POSTFIELDS, $dsPayload);
+			'X-MokoWaaS-Key: moko-waas-hb-2026-x9k4m',
+		]);
+		curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
 		curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-		curl_setopt($ch, CURLOPT_TIMEOUT, 15);
+		curl_setopt($ch, CURLOPT_TIMEOUT, 30);
 		curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
 		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+
 		$response = curl_exec($ch);
 		$code     = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
 		$error    = curl_error($ch);
 		curl_close($ch);
 
-		Log::add(
-			sprintf('Grafana heartbeat PUT: HTTP %d, error=%s, url=%s, dsUid=%s',
-				$code, $error ?: 'none', $grafanaUrl, $dsUid),
-			Log::INFO,
-			'mokowaas'
-		);
+		$app  = Factory::getApplication();
+		$body = json_decode($response, true);
 
-		if ($code === 404)
+		if ($error)
 		{
-			$ch = curl_init($grafanaUrl . '/api/datasources');
-			curl_setopt($ch, CURLOPT_POST, true);
-			curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
-			curl_setopt($ch, CURLOPT_POSTFIELDS, $dsPayload);
-			curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-			curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-			curl_setopt($ch, CURLOPT_TIMEOUT, 15);
-			curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
-			$response2 = curl_exec($ch);
-			$code2     = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
-			$error2    = curl_error($ch);
-			curl_close($ch);
-
-			Log::add(
-				sprintf('Grafana heartbeat POST: HTTP %d, error=%s',
-					$code2, $error2 ?: 'none'),
-				Log::INFO,
-				'mokowaas'
+			$app->enqueueMessage('Grafana heartbeat failed: ' . $error, 'warning');
+			Log::add('Heartbeat failed: ' . $error, Log::WARNING, 'mokowaas');
+		}
+		elseif ($code === 200 && ($body['status'] ?? '') === 'registered')
+		{
+			$app->enqueueMessage(
+				'Grafana heartbeat: site registered (' . ($body['ds_uid'] ?? '') . ')',
+				'message'
 			);
 		}
-
-		Log::add(
-			sprintf('Grafana heartbeat result: %s (site=%s)',
-				$code === 200 ? 'updated' : 'created', $siteUrl),
-			Log::INFO,
-			'mokowaas'
-		);
+		else
+		{
+			$msg = sprintf('Grafana heartbeat failed: HTTP %d — %s',
+				$code, $body['error'] ?? 'Unknown');
+			$app->enqueueMessage($msg, 'warning');
+			Log::add($msg, Log::WARNING, 'mokowaas');
+		}
 	}
 
 	private function registerActionLogExtension()