#!/usr/bin/env bash
#
# Post-install verification for Rook on Jetson
# Run after install.sh to verify everything is working.

# Treat unset variables as errors and let any failing pipeline stage fail the
# pipeline. errexit (-e) is not enabled, so a failing probe never stops the run.
set -u
set -o pipefail

# ANSI colour sequences kept as literal backslash escapes; they are expanded
# when a status line is printed. NC resets the colour.
NC='\033[0m'
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'

# Running tallies updated by check() and check_warn().
PASS=0 FAIL=0 WARN=0

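# Run a required probe and record its outcome.
# Globals:   GREEN, RED, NC (read); PASS, FAIL (incremented)
# Arguments: $1 - label to print; remaining args - the command to execute
# Outputs:   one status line on stdout; the command's own output is discarded
# Returns:   0 if the command succeeded, 1 otherwise
check() {
    local desc="$1"
    shift
    # The whole probe must arrive as arguments. A `|` or `||` written after the
    # call is parsed by the shell and applies to check itself, not to the probe.
    if "$@" &>/dev/null; then
        # %s keeps the label literal; only the colour variables are expanded.
        printf '  %b✓%b %s\n' "$GREEN" "$NC" "$desc"
        # Plain assignment: ((PASS++)) yields status 1 while PASS is 0, which
        # made the function's exit status depend on the counter value.
        PASS=$((PASS + 1))
        return 0
    fi
    printf '  %b✗%b %s\n' "$RED" "$NC" "$desc"
    FAIL=$((FAIL + 1))
    return 1
}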

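# Run an optional probe; a failure is reported as a warning, not a failure.
# Globals:   GREEN, YELLOW, NC (read); PASS, WARN (incremented)
# Arguments: $1 - label to print; remaining args - the command to execute
# Outputs:   one status line on stdout; the command's own output is discarded
# Returns:   0 if the command succeeded, 1 otherwise
check_warn() {
    local desc="$1"
    shift
    # The whole probe must arrive as arguments. A `|` or `||` written after the
    # call is parsed by the shell and applies to check_warn itself.
    if "$@" &>/dev/null; then
        # %s keeps the label literal; only the colour variables are expanded.
        printf '  %b✓%b %s\n' "$GREEN" "$NC" "$desc"
        # Plain assignment: ((PASS++)) yields status 1 while PASS is 0, which
        # made the function's exit status depend on the counter value.
        PASS=$((PASS + 1))
        return 0
    fi
    printf '  %b⚠%b %s\n' "$YELLOW" "$NC" "$desc"
    WARN=$((WARN + 1))
    return 1
}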

# Banner.
printf '\n'
echo "━━━ Rook — Installation Verification ━━━"
printf '\n'

# Host-level prerequisites; every probe in this section is required.
echo "System:"

current_host="$(hostname)"
check "Hostname is 'hermes'" [ "$current_host" = "hermes" ]

check "Headless boot (multi-user.target)" systemctl is-active multi-user.target

# Second column of the Swap row from `free -g`: total swap in whole GiB.
swap_gb="$(free -g | awk '/Swap/{print $2}')"
check "Swap enabled (>16GB)" [ "$swap_gb" -gt 16 ]

check "Python 3.11" python3.11 --version

# "v22.x.y" -> "22". An empty value (node missing) makes the numeric test fail.
node_major="$(node --version 2>/dev/null | cut -d. -f1 | tr -d v)"
check "Node.js 22+" [ "$node_major" -ge 22 ]

check "Docker" docker --version
check "uv" uv --version

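echo ""
echo "Security:"

# Succeeds only when ufw reports the firewall as enabled.
# The match is anchored on "Status: active" because a bare "active" also
# matches "Status: inactive". Output is captured first so that grep -q closing
# the pipe early cannot fail the probe under `set -o pipefail`.
_ufw_is_active() {
    local report
    report=$(sudo ufw status 2>/dev/null) || return 1
    grep -q '^Status: active' <<<"$report"
}

# Succeeds when /etc/ssh/sshd_config leaves password authentication enabled:
# the first uncommented PasswordAuthentication line says "yes", or no such line
# exists (presumably the sshd default applies then - TODO confirm on target).
# NOTE(review): Include files and Match blocks are not followed here;
# `sshd -T` as root reports the effective value if that matters.
_ssh_password_auth_enabled() {
    local cfg=/etc/ssh/sshd_config
    local first_value
    [[ -r "$cfg" ]] || return 1
    first_value=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$cfg") || return 1
    [[ -z "$first_value" || "$first_value" == "yes" ]]
}

# Probes that need a pipeline or fallback are wrapped in a function: a `|` or
# `||` written after `check ...` would apply to check itself, so the result
# would be neither displayed nor counted.
check "UFW active" _ufw_is_active
check "Fail2ban running" systemctl is-active fail2ban
check_warn "Tailscale connected" tailscale status
check "Avahi/mDNS" systemctl is-active avahi-daemon
# NOTE(review): this requires password logins to be enabled, so brute-force
# protection rests on the fail2ban and firewall probes above. Confirm this is
# the intended posture; key-only authentication is the stricter option.
check "SSH password auth ON" _ssh_password_auth_enabled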

echo ""
echo "Services:"

# Per-user systemd units; each must be active in the invoking user's manager.
for unit in rook-agent.service rook-nerve.service rook-doctor.timer; do
    check "$unit" systemctl --user is-active "$unit"
done

# The probe succeeds when an entry for the current user exists under the
# systemd linger directory.
linger_user="$(whoami)"
check "User lingering enabled" ls "/var/lib/systemd/linger/${linger_user}"

echo ""
echo "Network:"

# Shared curl options: silent, non-zero exit on HTTP errors, 5-second ceiling.
# All three endpoints are probed over plain HTTP on the loopback address only.
http_probe=(curl -sf --max-time 5)

check "Agent gateway (:8642)" "${http_probe[@]}" http://127.0.0.1:8642/health
check "Dashboard frontend (:3080)" "${http_probe[@]}" -o /dev/null http://127.0.0.1:3080/
check "Dashboard backend (:3081)" "${http_probe[@]}" http://127.0.0.1:3081/api/health

echo ""
echo "Data:"

# These probes test existence only; ownership and permission bits
# (e.g. on the secrets directory and the .env files) are not verified here.
hermes_home=~/.hermes
check "Hermes home exists" [ -d "$hermes_home" ]
check "Sessions directory" [ -d "$hermes_home/sessions" ]
check "Secrets directory" [ -d "$hermes_home/secrets" ]
check "Training data directory" [ -d /opt/hermes-data/training ]

# A missing .env file is reported as a warning rather than a failure.
check_warn "Agent .env exists" [ -f ~/rook-agent/.env ]
check_warn "Nerve .env exists" [ -f ~/rook-nerve/.env ]

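echo ""
echo "Tools:"

# Succeeds if himalaya runs from PATH or from the per-user install location.
# Wrapped in a function so the fallback is evaluated inside check_warn: a
# trailing `|| cmd` after the call would run outside it, uncounted and with its
# output shown on the terminal.
_himalaya_available() {
    himalaya --version || ~/.local/bin/himalaya --version
}

check_warn "Himalaya email CLI" _himalaya_available
check_warn "rclone" rclone --version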

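echo ""
echo "Cron:"

# Succeeds when the current user's crontab contains the given literal string.
# Arguments: $1 - text to look for
# The table is captured before matching: piping `check_warn ... | grep` would
# run check_warn in a subshell, hide its status line and lose the counter
# update. A commented-out crontab line containing the text still matches.
_crontab_mentions() {
    local needle="$1"
    local table
    table=$(crontab -l 2>/dev/null) || return 1
    grep -qF -- "$needle" <<<"$table"
}

check_warn "Session processor cron" _crontab_mentions session_processor
check_warn "Backup cron" _crontab_mentions rook-backup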

# Summary: totals framed by a rule, then the exit decision.
rule="━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

echo ""
echo "$rule"
echo -e "  ${GREEN}Passed: ${PASS}${NC}  ${RED}Failed: ${FAIL}${NC}  ${YELLOW}Warnings: ${WARN}${NC}"
echo "$rule"

# Only required probes affect the exit status; warnings never do.
if (( FAIL == 0 )); then
    echo -e "\n${GREEN}All critical checks passed!${NC}"
else
    echo -e "\n${RED}Some checks failed. Review the output above.${NC}"
    exit 1
fi
