#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
source "$SCRIPT_DIR/_common.sh"

: "${NODE_NAME:=}"
: "${SOVEREIGN_USER:=sovereign}"
: "${WG_PORT:=51820}"
: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"

main() {
  require_root
  status="$OUTPUT_DIR/status_matrix.json"
  mkdir -p "$OUTPUT_DIR"

  ok_user=false; ok_hostname=false; ok_ufw=false; ok_ssh=false; ok_wg=false

  id "$SOVEREIGN_USER" >/dev/null 2>&1 && ok_user=true
  [[ -n "$NODE_NAME" ]] && hostname | grep -q "$NODE_NAME" && ok_hostname=true || true
  ufw status 2>/dev/null | grep -qi "Status: active" && ok_ufw=true || true
  sshd -t >/dev/null 2>&1 && ok_ssh=true || true
  systemctl is-active wg-quick@wg0 >/dev/null 2>&1 && ok_wg=true || true

  blockers="[]"
  if [[ "$ok_user" != "true" ]]; then blockers='["missing_sovereign_user"]'
  elif [[ "$ok_ufw" != "true" ]]; then blockers='["ufw_not_active"]'
  elif [[ "$ok_ssh" != "true" ]]; then blockers='["sshd_config_invalid"]'
  fi

  cat > "$status" <<EOF
{
  "skill":"hetzner-bootstrap",
  "timestamp":"$(date -Iseconds)",
  "checks":[
    {"name":"sovereign_user_present","ok": $ok_user, "user":"$(json_escape "$SOVEREIGN_USER")"},
    {"name":"hostname_set","ok": $ok_hostname, "hostname":"$(json_escape "$(hostname)")"},
    {"name":"ufw_active","ok": $ok_ufw, "wg_port":"$(json_escape "$WG_PORT")"},
    {"name":"sshd_config_valid","ok": $ok_ssh},
    {"name":"wireguard_active_optional","ok": $ok_wg}
  ],
  "blockers": $blockers,
  "warnings": [],
  "next_steps": ["verify sovereign SSH login", "operator-bootstrap", "secrets-vault", "cloudflare-tunnel-manager"]
}
EOF

  log_info "Wrote $status"
  cat "$status"
}
main "$@"