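#!/bin/bash
# preflight.sh — stand-alone environment check for MukenVault Entry.
#
# Distinct from scripts/preflight/mukenvault-preflight.sh inside the
# install bundle: this version is what partners curl|bash BEFORE
# downloading anything, to find out fast whether their machine can run
# MukenVault Entry at all. The bundled preflight runs after install and
# does deeper checks against the configured runtime.
#
# Every check below only reads system state and prints a finding; nothing
# on the host is installed or modified by this script.
#
# Returns 0 = all-green, 1 = at least one MUST check failed.
# WARN findings do not change the exit code.

# No `-e` here: the probes below are allowed to fail, and each failure is
# turned into a FAIL/WARN finding instead of aborting the run.
set -uo pipefail
IFS=$'\n\t'

# Colour helpers: wrap "$1" (and only "$1") in an ANSI bold colour.
red()   { printf '\033[1;31m%s\033[0m' "$1"; }
green() { printf '\033[1;32m%s\033[0m' "$1"; }
yel()   { printf '\033[1;33m%s\033[0m' "$1"; }

FAIL=0
WARN=0

# Finding reporters. mark_must and mark_warn bump the counters that drive the
# summary; only FAIL affects the exit code.
mark_must() { echo " [$(red FAIL)] $1"; FAIL=$((FAIL+1)); }
mark_warn() { echo " [$(yel WARN)] $1"; WARN=$((WARN+1)); }
# The label is quoted so the padding survives word splitting and the tag
# has the same width as FAIL / WARN.
mark_ok()   { echo " [$(green 'OK  ')] $1"; }

echo "=== MukenVault Entry preflight ==="
echo

# ── 1. OS ──────────────────────────────────────────────────────────
if [[ -r /etc/os-release ]]; then
  # os-release is sourced as shell code into this process.
  . /etc/os-release
  # VERSION_ID (and, on odd systems, ID) may be absent; under `set -u` a bare
  # "$VERSION_ID" would abort the whole preflight instead of producing a WARN.
  os_id="${ID:-linux}"
  os_ver="${VERSION_ID:-}"
  os_label="${PRETTY_NAME:-$os_id $os_ver}"
  case "$os_id:$os_ver" in
    ubuntu:24.04|ubuntu:22.04)
      mark_ok "OS: $os_label"
      ;;
    ubuntu:*)
      mark_warn "OS: $os_label (tested on 22.04 / 24.04)"
      ;;
    *)
      mark_warn "OS: $os_label (Founding 50 supports Ubuntu 22.04 / 24.04)"
      ;;
  esac
else
  mark_warn "OS: cannot read /etc/os-release"
fi

# ── 2. Kernel >= 5.7 (userfaultfd is the runtime gating) ───────────
KVER="$(uname -r 2>/dev/null || echo 0.0)"
KMAJ="${KVER%%.*}"
KREST="${KVER#*.}"
KMIN="${KREST%%.*}"
# Keep only the leading digits. The operands of -gt/-ge are evaluated as
# arithmetic expressions, so a component such as "7-rc1" would otherwise be
# computed (or trip `set -u`) rather than compared.
KMAJ="${KMAJ%%[!0-9]*}"
KMIN="${KMIN%%[!0-9]*}"
KMAJ="${KMAJ:-0}"
KMIN="${KMIN:-0}"
if [[ "$KMAJ" -gt 5 ]] || { [[ "$KMAJ" -eq 5 ]] && [[ "$KMIN" -ge 7 ]]; }; then
  mark_ok "Kernel: $KVER (>= 5.7)"
else
  mark_must "Kernel: $KVER (need >= 5.7 for userfaultfd)"
fi

# ── 3. AES-NI (libkeyless will be much slower without it) ──────────
# NOTE(review): the heading says "slower", the finding says "requires" and is
# a MUST — confirm which one is intended.
if grep -q -w aes /proc/cpuinfo 2>/dev/null; then
  mark_ok "CPU: AES-NI present"
else
  mark_must "CPU: AES-NI missing (libkeyless requires AES-NI)"
fi

# ── 4. nginx already installed (Founding 50 is nginx-only) ─────────
if command -v nginx >/dev/null 2>&1; then
  NV=$(nginx -v 2>&1 | grep -oE 'nginx/[0-9.]+' || echo "unknown")
  mark_ok "nginx: $NV"
else
  mark_must "nginx: not installed (Founding 50 protects nginx; install nginx first)"
fi

# ── 5. systemctl (installer needs systemd) ─────────────────────────
if command -v systemctl >/dev/null 2>&1; then
  mark_ok "systemd: $(systemctl --version | head -1)"
else
  mark_must "systemd: not present (the installer manages units via systemctl)"
fi

# ── 6. curl (CLI + heartbeat use libcurl) ──────────────────────────
if command -v curl >/dev/null 2>&1; then
  mark_ok "curl: $(curl --version | head -1 | awk '{print $1 " " $2}')"
else
  mark_must "curl: not installed"
fi

# ── 7. OpenSSL >= 3 (libkeyless hooks OpenSSL 3 EVP_PKEY) ──────────
if command -v openssl >/dev/null 2>&1; then
  OV=$(openssl version | awk '{print $2}')
  case "$OV" in
    3.*) mark_ok "OpenSSL: $OV" ;;
    *)   mark_warn "OpenSSL: $OV (tested with 3.x; 1.x may need a separate build)" ;;
  esac
else
  mark_must "OpenSSL: not installed"
fi

# ── 8. /etc + /usr/local + /var write access ───────────────────────
# Only the effective uid is checked; being root stands in for write access to
# those trees. A non-root run is a WARN, not a FAIL.
if [[ "$(id -u)" -eq 0 ]]; then
  mark_ok "root: yes (installer needs root)"
else
  mark_warn "root: not running as root (the actual install must be run with sudo)"
fi

# ── 9. Outbound HTTPS reach to mukenvault hosts ────────────────────
# curl verifies the server certificate here (no -k), so a TLS-intercepting
# proxy that the system trust store does not know shows up as a WARN.
if command -v curl >/dev/null 2>&1; then
  for host in install.mukenvault.com license.mukenvault.com admin.mukenvault.com; do
    http_code="$(curl -sS -o /dev/null -m 5 -w '%{http_code}' "https://$host/" 2>/dev/null)"
    # Any real HTTP status means the TLS handshake completed; curl reports
    # 000 when it never received a response. Accepting only a short list of
    # codes would blame the egress firewall for e.g. a 401 or 503.
    if [[ "$http_code" =~ ^[1-5][0-9][0-9]$ ]]; then
      mark_ok "reach: $host (TLS handshake OK)"
    else
      mark_warn "reach: $host (could not reach over HTTPS — check egress firewall)"
    fi
  done
else
  # Without curl the probe cannot run; say so instead of reporting three
  # misleading firewall warnings.
  mark_warn "reach: skipped (curl not installed)"
fi

echo
echo "=== Summary ==="
# NOTE(review): both hints below pipe a remote script straight into a root
# shell; nothing on this page provides a checksum or signature to verify the
# download against. Consider also documenting a download, verify, then run
# path for partners who need one.
if [[ "$FAIL" -gt 0 ]]; then
  echo "$(red "$FAIL must-fix issue(s)"); $(yel "$WARN warning(s)") — install will NOT succeed until the FAIL items are addressed."
  # If the FAIL is a missing apt package (nginx / curl / openssl / gdb),
  # bootstrap.sh installs the full set in one shot. We print the hint
  # unconditionally because narrowing it to "is this FAIL bootstrap-curable?"
  # would mean parsing our own output, and the hint is harmless when the
  # FAIL is something else (e.g. kernel < 5.7 — bootstrap.sh will refuse).
  echo
  echo "If a FAIL above is a missing package (nginx, curl, openssl, gdb),"
  echo "install them in one shot with:"
  echo " curl -fsSL https://install.mukenvault.com/bootstrap.sh | sudo bash"
  echo "Then re-run this preflight."
  exit 1
else
  # The colour helpers print only "$1", so the whole sentence must be passed
  # as a single quoted argument; unquoted, only the word "All" was printed.
  if [[ "$WARN" -gt 0 ]]; then
    echo "$(green "All required checks passed.") $(yel "$WARN warning(s)") — review above, then proceed."
  else
    echo "$(green "All checks passed.") — ready to install."
  fi
  echo
  echo "Next step:"
  echo " curl -fsSL https://install.mukenvault.com/setup.sh | \\"
  echo " sudo bash -s -- --license YOUR-KEY-HERE"
  exit 0
fi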