Area: Admin deep-dive (commerce/config) (audit p15b) · Surface: /admin/config (Environment / System tab) · Dimension: Law 6 (users never see scripts/config paths/server mechanics) · Severity: major
Law 6 says users must never be told to run scripts, edit config, or see server paths/service names. A tenant super-admin who saves an environment value is instructed to SSH in and run a systemd command they have no access to, and is shown raw .env file-operation failures (`tempfile write failed`, `atomic rename failed`). This both confuses the customer and leaks platform internals.
Evidence
AdminConfigController.php:1003 — success flash: ``count($changed) . ' environment value(s) updated. Restart PHP-FPM for changes to take effect: `sudo systemctl reload php8.3-fpm`.'``
The same handler also surfaces server internals: :895 `'.env is not writable by the web user. Check ownership/permissions and retry.'`, :987 `'.env tempfile write failed.'`, :993 `'.env atomic rename failed.'`.
This is a tenant-facing surface: the Environment editor renders in /admin/config under `#section-system` (templates/admin/config/index.php:1508-1647), and the editable keys are tenant settings (APP_NAME, SESSION_LIFETIME_MINUTES, ANTHROPIC_API_KEY, GIPHY_API_KEY, etc. — EDITABLE_ENV_KEYS at AdminConfigController.php:97+). The handler is requireRole(5) = Tenant Super Admin.
Suggested fix. Trigger an automatic FPM reload server-side (or have the change take effect without a manual reload) and replace the success copy with an outcome-focused message like 'Settings saved.' Replace the .env mechanic errors with a generic 'Could not save settings. Please try again or contact support.' and log the real reason server-side.
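A hardened save path along the lines of the suggested fix, as an added example rather than the project's own code: the tenant sees only outcome copy plus a reference id, while the file mechanics and the real failure reason go to the server-side log. `saveEnvironmentValues`, the `$log` callable and the message constants are hypothetical names; the path and values are constructed. The FPM reload itself is left to a deployment hook outside the request.

```php
<?php
// Added example (not the project's code). Hypothetical names throughout.
declare(strict_types=1);

const USER_SAVE_OK     = 'Settings saved.';
const USER_SAVE_FAILED = 'Could not save settings. Please try again or contact support.';

/**
 * @param array<string,string> $changes  key => value pairs already validated against the editable allow-list
 * @param string               $envPath  server-side path; never echoed to the tenant
 * @param callable             $log      fn(string $level, string $msg, array $ctx): void
 * @return array{ok:bool,message:string,ref:string}  flash payload; $ref ties the flash to the log line
 */
function saveEnvironmentValues(array $changes, string $envPath, callable $log): array
{
    $ref = bin2hex(random_bytes(6)); // correlation id shared by the flash and the log entry
    try {
        foreach ($changes as $key => $value) {
            // A newline in a value would smuggle extra KEY=VALUE lines into .env.
            if (str_contains($value, "\n") || str_contains($value, "\r")) {
                throw new InvalidArgumentException("newline in value for $key");
            }
        }
        if (!is_writable(dirname($envPath)) || (file_exists($envPath) && !is_writable($envPath))) {
            throw new RuntimeException("$envPath not writable by web user");
        }
        $lines = file_exists($envPath) ? file($envPath, FILE_IGNORE_NEW_LINES) : [];
        foreach ($changes as $key => $value) {
            $found = false;
            foreach ($lines as $i => $line) {
                if (str_starts_with($line, $key . '=')) { $lines[$i] = $key . '=' . $value; $found = true; }
            }
            if (!$found) { $lines[] = $key . '=' . $value; }
        }
        // Temp file in the same directory, then rename(): atomic on POSIX, so a concurrent
        // reader never sees a half-written .env.
        $tmp = tempnam(dirname($envPath), '.env.');
        if ($tmp === false || file_put_contents($tmp, implode("\n", $lines) . "\n") === false) {
            throw new RuntimeException('tempfile write failed');
        }
        if (!rename($tmp, $envPath)) {
            @unlink($tmp);
            throw new RuntimeException('atomic rename failed');
        }
    } catch (Throwable $e) {
        // Real reason and path stay server-side; the tenant gets generic copy plus the reference.
        $log('error', 'env save failed', ['ref' => $ref, 'path' => $envPath, 'reason' => $e->getMessage()]);
        return ['ok' => false, 'message' => USER_SAVE_FAILED . " (ref $ref)", 'ref' => $ref];
    }
    $log('info', 'env save ok', ['ref' => $ref, 'keys' => array_keys($changes)]);
    return ['ok' => true, 'message' => USER_SAVE_OK, 'ref' => $ref];
}
```

The reference id is what support searches for in the server log, so the flash can stay free of paths, service names and file-operation detail without losing diagnosability.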
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus