#!/usr/bin/env bash
set -euo pipefail

SCRIPT_NAME="$(basename "$0")"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
CHECKS_DIR="$SKILL_ROOT/checks"

: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"

log_info()  { echo "[INFO]  $(date -Iseconds) $*"; }
log_warn()  { echo "[WARN]  $(date -Iseconds) $*" >&2; }

run_check_bool() {
  local script="$1"
  if [[ -x "$CHECKS_DIR/$script" ]]; then
    if "$CHECKS_DIR/$script" &>/dev/null; then
      echo "true"
    else
      echo "false"
    fi
  else
    echo "skip"
  fi
}

main() {
  mkdir -p "$OUTPUT_DIR"

  local ufw_ok ssh_ok f2b_ok audit_ok
  ufw_ok=$(run_check_bool check_ufw.sh)
  ssh_ok=$(run_check_bool check_ssh.sh)
  f2b_ok=$(run_check_bool check_fail2ban.sh)
  audit_ok=$(run_check_bool check_auditd.sh)

  local blockers=""
  local warnings=""
  local next_steps=""

  if [[ "$ssh_ok" == "false" ]]; then
    blockers="${blockers}\"SSH hardening check failed\","
  fi
  if [[ "$ufw_ok" == "false" ]]; then
    warnings="${warnings}\"UFW not active\","
  fi
  if [[ "$f2b_ok" == "false" ]]; then
    warnings="${warnings}\"fail2ban not active\","
  fi
  if [[ "$audit_ok" == "false" ]]; then
    warnings="${warnings}\"auditd not active\","
  fi

  next_steps="${next_steps}\"Run ./scripts/99_report.sh\","
  if [[ "$ssh_ok" == "true" && "$ufw_ok" == "true" ]]; then
    next_steps="${next_steps}\"Proceed to backup-sovereign skill\","
  fi

  blockers="[${blockers%,}]"
  warnings="[${warnings%,}]"
  next_steps="[${next_steps%,}]"

  cat > "$OUTPUT_DIR/status_matrix.json" <<EOF
{
  "timestamp": "$(date -Iseconds)",
  "skill": "node-hardening",
  "node": "${NODE_NAME:-node-a}",
  "checks": {
    "ufw": $ufw_ok,
    "ssh": $ssh_ok,
    "fail2ban": $f2b_ok,
    "auditd": $audit_ok
  },
  "blockers": $blockers,
  "warnings": $warnings,
  "next_steps": $next_steps
}
EOF

  log_info "Status matrix written to $OUTPUT_DIR/status_matrix.json"

  echo
  echo "============================================"
  echo "  VERIFICATION SUMMARY"
  echo "============================================"
  echo
  echo "  UFW:       $ufw_ok"
  echo "  SSH:       $ssh_ok"
  echo "  fail2ban:  $f2b_ok"
  echo "  auditd:    $audit_ok"
  echo

  if [[ "$ssh_ok" == "true" ]]; then
    return 0
  fi
  return 1
}

[[ "${BASH_SOURCE[0]}" == "$0" ]] && main "$@"