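#!/usr/bin/env bash
#
# Preflight check for the hardening skill: reports which tools are present,
# whether this looks like an SSH session, whether sudo is usable
# non-interactively, and which parameters the apply scripts will use.
# Read-only apart from creating OUTPUT_DIR and BACKUP_DIR.
#
# Environment (all optional):
#   OUTPUT_DIR  - where outputs go (default: <skill root>/outputs)
#   BACKUP_DIR  - where config backups go (default: $OUTPUT_DIR/backups)
#   SSH_PORT, ALLOW_HTTP, ALLOW_HTTPS, DRY_RUN - echoed with their defaults
#
# Exit status: 0 on success, 1 if a required dependency is missing.
#
# Targets systemd-based Linux (`date -Iseconds`, systemctl, ufw are assumed).
set -euo pipefail

SCRIPT_NAME="$(basename "$0")"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
: "${BACKUP_DIR:=$OUTPUT_DIR/backups}"

# Logging helpers: INFO to stdout, WARN/ERROR to stderr, ISO-8601 timestamps.
log_info()  { printf '[INFO] %s %s\n' "$(date -Iseconds)" "$*"; }
log_warn()  { printf '[WARN] %s %s\n' "$(date -Iseconds)" "$*" >&2; }
log_error() { printf '[ERROR] %s %s\n' "$(date -Iseconds)" "$*" >&2; }

# Log an error and exit 1.
die() { log_error "$@"; exit 1; }

#######################################
# Report whether a tool is available.
# Looks in PATH first, then in the sbin directories that are usually absent
# from a non-root user's PATH (sshd, auditctl, ufw live there), so a preflight
# run without root does not report a false "Missing".
# Arguments: $1 - command name
# Outputs:   a Found/Missing log line
# Returns:   0 if found, 1 otherwise
#######################################
check_dependency() {
  local tool=$1
  local resolved
  if resolved=$(command -v "$tool" 2>/dev/null); then
    log_info "Found: $tool ($resolved)"
    return 0
  fi
  local dir
  for dir in /usr/local/sbin /usr/sbin /sbin; do
    if [[ -x "$dir/$tool" ]]; then
      log_info "Found: $tool ($dir/$tool, not in PATH)"
      return 0
    fi
  done
  log_warn "Missing: $tool"
  return 1
}

#######################################
# Heuristic SSH-session detection.
# sshd exports SSH_CONNECTION / SSH_CLIENT / SSH_TTY for its sessions.
# NOTE(review): sudo's env_reset drops these on most distros, so running this
# via `sudo` from an SSH session can yield a false negative - treat a
# negative result as advisory only.
# Returns: 0 if any of the SSH_* markers is set, 1 otherwise
#######################################
is_ssh_session() {
  [[ -n "${SSH_CONNECTION:-}" || -n "${SSH_CLIENT:-}" || -n "${SSH_TTY:-}" ]]
}

#######################################
# Entry point: run all checks, print a parameter summary, and exit non-zero
# only when a *required* dependency is missing.
# Globals:   OUTPUT_DIR, BACKUP_DIR, SCRIPT_NAME, SSH_* and parameter env vars
# Arguments: none (positional args are ignored)
#######################################
main() {
  # NOTE(review): backups taken by the apply scripts land here; consider
  # creating BACKUP_DIR with mode 0700 on the apply side - TODO confirm.
  mkdir -p "$OUTPUT_DIR" "$BACKUP_DIR"
  log_info "Starting $SCRIPT_NAME"

  local missing=0

  log_info "=== Required Dependencies ==="
  # Do NOT write `|| ((missing++))` here: the post-increment evaluates to 0 on
  # the first miss, (( )) then returns status 1, and as the final command of
  # the || list it trips `set -e` before the summary is ever printed.
  check_dependency sudo      || missing=$((missing + 1))
  check_dependency systemctl || missing=$((missing + 1))
  check_dependency ss || check_dependency netstat \
    || log_warn "No ss/netstat (network inspection limited)"
  check_dependency awk  || missing=$((missing + 1))
  check_dependency sed  || missing=$((missing + 1))
  check_dependency grep || missing=$((missing + 1))

  log_info "=== Hardening Tooling (may be installed during apply) ==="
  check_dependency ufw || log_warn "ufw not installed (apply can install)"
  # `ssh` is the client; it is only a weak hint that OpenSSH is present.
  check_dependency sshd || check_dependency ssh \
    || log_warn "sshd binary not found (service may still exist)"
  check_dependency fail2ban-client || log_warn "fail2ban not installed (apply can install)"
  check_dependency auditctl || log_warn "auditd not installed (apply can install)"

  log_info "=== Session Context ==="
  if is_ssh_session; then
    log_warn "Detected SSH session: ${SSH_CONNECTION:-${SSH_CLIENT:-unknown}}"
    log_warn "Recommendation: keep a second session open before applying changes."
  else
    log_info "No SSH session detected (console/local run)"
  fi

  log_info "=== Privilege Check ==="
  # -n never prompts; failure means a password is required, the user has no
  # sudo rights at all, or sudo is absent - the script cannot tell which.
  if sudo -n true 2>/dev/null; then
    log_info "sudo is available without password prompt (non-interactive)"
  else
    log_info "sudo may prompt for password (interactive)"
    log_warn "sudo -n failed: a password is required or this user has no sudo rights (check with 'sudo -l' before apply)"
  fi

  log_info "=== Parameters (defaults if unset) ==="
  log_info "SSH_PORT=${SSH_PORT:-22}"
  log_info "ALLOW_HTTP=${ALLOW_HTTP:-true}"
  log_info "ALLOW_HTTPS=${ALLOW_HTTPS:-true}"
  log_info "DRY_RUN=${DRY_RUN:-1} (apply scripts require DRY_RUN=0)"

  if (( missing > 0 )); then
    die "Missing $missing required dependencies. Install them before proceeding."
  fi
  log_info "Completed $SCRIPT_NAME"
}

# Only run when executed, not when sourced. Note that `set -euo pipefail`
# above still takes effect in a sourcing shell.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi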