#!/usr/bin/env bash
set -euo pipefail

# === METADATA ===
SCRIPT_NAME="$(basename "$0")"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"

# === CONFIGURATION ===
: "${NODE_NAME:=node-a}"
: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
: "${BACKUP_DIR:=$OUTPUT_DIR/backups}"

# === FUNCTIONS ===
log_info()  { echo "[INFO]  $(date -Iseconds) $*"; }

get_ufw_status() {
    if command -v ufw &>/dev/null; then
        if sudo ufw status 2>/dev/null | grep -q "Status: active"; then
            echo "Active"
        else
            echo "Inactive"
        fi
    else
        echo "Not installed"
    fi
}

get_ssh_status() {
    if systemctl is-active ssh &>/dev/null || systemctl is-active sshd &>/dev/null; then
        echo "Running"
    else
        echo "Not running"
    fi
}

get_fail2ban_status() {
    if command -v fail2ban-client &>/dev/null; then
        if systemctl is-active fail2ban &>/dev/null; then
            echo "Active"
        else
            echo "Inactive"
        fi
    else
        echo "Not installed"
    fi
}

get_auditd_status() {
    if command -v auditctl &>/dev/null; then
        if systemctl is-active auditd &>/dev/null; then
            echo "Active"
        else
            echo "Inactive"
        fi
    else
        echo "Not installed"
    fi
}

list_backups() {
    if [[ -d "$BACKUP_DIR" ]]; then
        ls -1 "$BACKUP_DIR" 2>/dev/null | while read -r f; do
            echo "| $f | $(stat -c%s "$BACKUP_DIR/$f" 2>/dev/null || echo "?") bytes |"
        done
    else
        echo "| (no backups) | - |"
    fi
}

main() {
    mkdir -p "$OUTPUT_DIR"
    log_info "Starting $SCRIPT_NAME..."

    local report="$OUTPUT_DIR/audit_report.md"
    local status_file="$OUTPUT_DIR/status_matrix.json"

    cat > "$report" <<EOF
# Node Hardening Audit Report

**Generated:** $(date -Iseconds)
**Node:** $NODE_NAME
**Skill Version:** 1.0.0

---

## Executive Summary

This report documents the hardening operations performed on **$NODE_NAME**
for sovereign EU infrastructure security.

---

## Components Status

### 1. Firewall (UFW)

| Component | Status |
|-----------|--------|
| UFW | $(get_ufw_status) |

### 2. SSH Service

| Component | Status |
|-----------|--------|
| SSH Daemon | $(get_ssh_status) |
| Config Backup | $([ -f "$BACKUP_DIR/sshd_config.before" ] && echo "Present" || echo "Not found") |

### 3. Intrusion Detection (fail2ban)

| Component | Status |
|-----------|--------|
| fail2ban | $(get_fail2ban_status) |

### 4. Audit Logging (auditd)

| Component | Status |
|-----------|--------|
| auditd | $(get_auditd_status) |

---

## Backups

| File | Size |
|------|------|
$(list_backups)

---

## Verification Results

$(if [[ -f "$status_file" ]]; then
    echo '```json'
    cat "$status_file"
    echo '```'
else
    echo "Status matrix not found. Run 90_verify.sh first."
fi)

---

## EU Compliance Declaration

| Aspect | Value |
|--------|-------|
| Data Residency | EU (Ireland - Dublin) |
| GDPR Applicable | Yes |
| Jurisdiction | Irish Law |
| Audit Logging | auditd (local only) |

---

## Rollback Procedures

If access is lost or changes need to be reverted:

1. **Emergency Restore (console):** \`./scripts/rollback/emergency_restore.sh\`
2. **Undo SSH:** \`./scripts/rollback/undo_ssh.sh\`
3. **Undo UFW:** \`./scripts/rollback/undo_ufw.sh\`

---

## Next Steps

1. Verify SSH access from a secondary session
2. Test emergency rollback procedure (recommended)
3. Proceed to **backup-sovereign** skill
4. Document hardening in LAWCHAIN (if applicable)

---

## Artifact Locations

| Artifact | Path |
|----------|------|
| UFW Status (before) | $BACKUP_DIR/ufw_status_before.txt |
| iptables Rules (before) | $BACKUP_DIR/iptables_rules_before.txt |
| sshd_config (before) | $BACKUP_DIR/sshd_config.before |
| UFW Status (after) | $OUTPUT_DIR/ufw_status_after.txt |
| Status Matrix | $OUTPUT_DIR/status_matrix.json |
| This Report | $OUTPUT_DIR/audit_report.md |

---

*Report generated by node-hardening skill v1.0.0*
*$(date -Iseconds)*
EOF

    log_info "Audit report written to $report"

    # Display the report
    echo ""
    cat "$report"

    log_info "Completed $SCRIPT_NAME"
}

[[ "${BASH_SOURCE[0]}" == "$0" ]] && main "$@"