#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$(dirname "$SCRIPT_DIR")")"
source "$SKILL_ROOT/scripts/_common.sh"

: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
: "${BACKUP_DIR:=$OUTPUT_DIR/backups}"

main() {
  require_root
  confirm_gate
  log_warn "Emergency restore: attempting to relax UFW + restore sshd_config from backup."
  ufw --force disable >/dev/null 2>&1 || true

  # Prefer the stable "before" snapshot if present.
  if [[ -f "$BACKUP_DIR/sshd_config.before" ]]; then
    latest="$BACKUP_DIR/sshd_config.before"
  else
    latest="$(ls -1t "$BACKUP_DIR/sshd_config."*.bak 2>/dev/null | head -n1 || true)"
  fi

  if [[ -n "${latest:-}" && -f "${latest:-}" ]]; then
    cp -p "$latest" /etc/ssh/sshd_config
    sshd -t || die "Restored sshd_config still invalid."
    restart_ssh_service
    log_info "Restored sshd_config from $latest"
  else
    log_warn "No sshd_config backup found in $BACKUP_DIR"
  fi

  log_info "Emergency restore complete. Confirm access via console + SSH."
}
main "$@"