Vault Sovereign eac77ef7b4 Initial commit: VaultMesh Skills collection
Collection of operational skills for VaultMesh infrastructure including:
- backup-sovereign: Backup and recovery operations
- btc-anchor: Bitcoin anchoring
- cloudflare-tunnel-manager: Cloudflare tunnel management
- container-registry: Container registry operations
- disaster-recovery: Disaster recovery procedures
- dns-sovereign: DNS management
- eth-anchor: Ethereum anchoring
- gitea-bootstrap: Gitea setup and configuration
- hetzner-bootstrap: Hetzner server provisioning
- merkle-forest: Merkle tree operations
- node-hardening: Node security hardening
- operator-bootstrap: Operator initialization
- proof-verifier: Cryptographic proof verification
- rfc3161-anchor: RFC3161 timestamping
- secrets-vault: Secrets management

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00

47 lines
1.2 KiB
Bash
Executable File

#!/usr/bin/env bash
# Assemble the Hetzner bootstrap audit report from the artifacts in OUTPUT_DIR.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
# Shared helpers; log_info (used below) is expected to come from this file.
source "$SCRIPT_DIR/_common.sh"

: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"

main() {
  local report="$OUTPUT_DIR/audit_report.md"
  local status="$OUTPUT_DIR/status_matrix.json"
  local ufw_out="$OUTPUT_DIR/ufw_status_after.txt"
  local wg_pub="$OUTPUT_DIR/wireguard_publickey.txt"

  # Make sure the output directory exists before redirecting into it.
  mkdir -p "$OUTPUT_DIR"

  # Unquoted heredoc: $(...) is expanded, and \` yields a literal backtick.
  # Each optional artifact is embedded if present, otherwise a placeholder is written.
  cat > "$report" <<EOF
# Hetzner Bootstrap Audit Report

**Generated:** $(date -Iseconds)
**Skill Version:** 1.0.0

## Status Matrix
$(if [[ -f "$status" ]]; then echo '```json'; cat "$status"; echo '```'; else echo "_Missing status_matrix.json_"; fi)

## UFW Snapshot (after)
$(if [[ -f "$ufw_out" ]]; then echo '```'; cat "$ufw_out"; echo '```'; else echo "_No ufw snapshot captured._"; fi)

## WireGuard Public Key (if generated)
$(if [[ -f "$wg_pub" ]]; then echo '```'; cat "$wg_pub"; echo '```'; else echo "_No wg public key captured._"; fi)

## Rollback
- SSH/UFW emergency restore: \`./scripts/rollback/emergency_restore_ssh_ufw.sh\`
- WireGuard undo: \`./scripts/rollback/undo_wireguard.sh\`

## EU Compliance
Hetzner EU DC (Germany/Finland). Local-first node operations; public services should be via Cloudflare Tunnel.
EOF

  log_info "Wrote $report"
  cat "$report"
}

main "$@"