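#!/usr/bin/env bash
# Print the intended UFW firewall plan derived from the environment.
#
# This script makes NO firewall changes. Its only side effect is creating
# OUTPUT_DIR; the plan itself is written to stdout for a human to review.
#
# Environment:
#   OUTPUT_DIR   directory created for outputs (default: <skill root>/outputs)
#   SSH_PORT     TCP port the SSH allow rule targets (default: 22); 1..65535
#   ALLOW_HTTP   "true" to plan an 80/tcp allow rule (default: true)
#   ALLOW_HTTPS  "true" to plan a 443/tcp allow rule (default: true)
#   SSH_CLIENT / SSH_CONNECTION   consulted to detect the current client IP
set -euo pipefail

# shellcheck disable=SC2034  # not used here; kept for scripts that source this file
SCRIPT_NAME="$(basename "$0")"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"

# Logging helpers. printf rather than echo so a message that starts with
# "-n" or contains backslashes is printed verbatim. Warnings and errors go
# to stderr so stdout holds only the plan.
log_info()  { printf '[INFO] %s %s\n' "$(date -Iseconds)" "$*"; }
log_warn()  { printf '[WARN] %s %s\n' "$(date -Iseconds)" "$*" >&2; }
log_error() { printf '[ERROR] %s %s\n' "$(date -Iseconds)" "$*" >&2; }

#######################################
# Check that a value is a usable TCP port number.
# Arguments: $1 - candidate port
# Returns:   0 if $1 is an integer in 1..65535, 1 otherwise
#######################################
is_valid_port() {
  local port=$1
  # 10# forces decimal so a leading zero is not read as octal.
  [[ "$port" =~ ^[0-9]{1,5}$ ]] && (( 10#$port >= 1 && 10#$port <= 65535 ))
}

#######################################
# Check that a value is shaped like an IP address literal (IPv4, IPv6,
# optionally with a "%zone" suffix). Only the character set is checked; the
# goal is to keep whitespace or shell metacharacters out of a rule suggestion.
# Arguments: $1 - candidate address
# Returns:   0 if plausible, 1 otherwise
#######################################
looks_like_ip() {
  [[ "$1" =~ ^[0-9A-Za-z.:%_-]+$ ]]
}

#######################################
# Detect the IP address of the current SSH client, if any.
# Globals:   SSH_CLIENT (read), SSH_CONNECTION (read)
# Outputs:   the client address on stdout, or an empty line if none is known
#######################################
detect_ssh_client_ip() {
  local conn="" addr="" rest
  if [[ -n "${SSH_CLIENT:-}" ]]; then
    conn=$SSH_CLIENT
  elif [[ -n "${SSH_CONNECTION:-}" ]]; then
    conn=$SSH_CONNECTION
  fi
  # Both variables start with "<client ip> <client port> ..."; keep field 1.
  # The here-string always supplies a newline, so read returns 0 even when
  # conn is empty and addr is then "".
  read -r addr rest <<<"$conn"
  printf '%s\n' "$addr"
}

#######################################
# Print the plan.
# Globals:   OUTPUT_DIR (created), SSH_PORT, ALLOW_HTTP, ALLOW_HTTPS (read)
# Outputs:   the intended policy and allow rules on stdout
# Returns:   0 on success, 2 if SSH_PORT is not a valid port number
#######################################
main() {
  mkdir -p "$OUTPUT_DIR"

  local ssh_port="${SSH_PORT:-22}"
  local allow_http="${ALLOW_HTTP:-true}"
  local allow_https="${ALLOW_HTTPS:-true}"
  local ssh_ip
  ssh_ip="$(detect_ssh_client_ip)"

  # Refuse to plan around a port ufw could not accept; otherwise the bad
  # value would be printed verbatim into the SSH rule.
  if ! is_valid_port "$ssh_port"; then
    log_error "SSH_PORT must be an integer in 1..65535 (got '$ssh_port')"
    return 2
  fi

  # SSH_CLIENT is inherited from the sshd environment; only put it into a
  # rule suggestion when it is shaped like an address.
  if [[ -n "$ssh_ip" ]] && ! looks_like_ip "$ssh_ip"; then
    log_warn "Ignoring unexpected SSH client value '$ssh_ip'"
    ssh_ip=""
  fi

  log_info "UFW Plan (no changes applied)"
  log_info "Target SSH_PORT=$ssh_port"
  if [[ -n "$ssh_ip" ]]; then
    log_info "Detected SSH client IP=$ssh_ip"
  else
    log_warn "No SSH client IP detected"
  fi

  printf '\n%s\n' "--- Intended policy ---"
  printf '%s\n' "Default: deny incoming"
  printf '%s\n' "Default: allow outgoing"

  printf '\n%s\n' "--- Intended allow rules ---"
  printf '%s\n' "1) Allow SSH: $ssh_port/tcp (always)"
  if [[ -n "$ssh_ip" ]]; then
    printf '%s\n' "2) Pin SSH from current client IP: from $ssh_ip to any port $ssh_port/tcp (optional safety)"
  else
    printf '%s\n' "2) No client IP detected; IP pinning skipped"
  fi
  if [[ "$allow_http" == "true" ]]; then
    printf '%s\n' "3) Allow HTTP: 80/tcp"
  else
    printf '%s\n' "3) HTTP not allowed"
  fi
  if [[ "$allow_https" == "true" ]]; then
    printf '%s\n' "4) Allow HTTPS: 443/tcp"
  else
    printf '%s\n' "4) HTTPS not allowed"
  fi

  printf '\n%s\n' "--- Safety notes ---"
  printf '%s\n' "- Apply script will refuse unless DRY_RUN=0"
  printf '%s\n' "- If you are on SSH, keep a second session open"
}

# Run only when executed directly; an if-statement (not "&&") so that
# sourcing the file does not leave a non-zero status behind.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi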