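#!/bin/bash
# H33 Sentinel — One-command install
# Usage: curl -sSL https://h33.ai/install/sentinel | sudo bash
#
# Optional environment:
#   H33_API_KEY          - written to /etc/h33/sentinel.env (mode 0600) and
#                          loaded by the unit through EnvironmentFile.
#   H33_SENTINEL_SHA256  - expected SHA-256 (hex) of the downloaded binary. When
#                          set, the download is verified before it is installed.
#                          When unset, NO integrity check is performed and the
#                          binary is trusted on the strength of TLS alone.
set -euo pipefail

echo ""
echo " ██╗ ██╗██████╗ ██████╗ ███████╗███████╗███╗ ██╗████████╗██╗███╗ ██╗███████╗██╗"
echo " ██║ ██║╚════██╗╚════██╗ ██╔════╝██╔════╝████╗ ██║╚══██╔══╝██║████╗ ██║██╔════╝██║"
echo " ███████║ █████╔╝ █████╔╝ ███████╗█████╗ ██╔██╗ ██║ ██║ ██║██╔██╗ ██║█████╗ ██║"
echo " ██╔══██║ ╚═══██╗ ╚═══██╗ ╚════██║██╔══╝ ██║╚██╗██║ ██║ ██║██║╚██╗██║██╔══╝ ██║"
echo " ██║ ██║██████╔╝██████╔╝ ███████║███████╗██║ ╚████║ ██║ ██║██║ ╚████║███████╗███████╗"
echo " ╚═╝ ╚═╝╚═════╝ ╚═════╝ ╚══════╝╚══════╝╚═╝ ╚═══╝ ╚═╝ ╚═╝╚═╝ ╚═══╝╚══════╝╚══════╝"
echo ""
echo " Binary integrity attestation & runtime watchdog"
echo " https://h33.ai/sentinel"
echo ""

# Everything below writes to /usr/local/bin, /etc and /var/lib, so root is required.
if [ "$EUID" -ne 0 ]; then
  echo "ERROR: Run as root — sudo bash or pipe to sudo bash" >&2
  exit 1
fi

ARCH=$(uname -m)
case "$ARCH" in
  aarch64|arm64) BINARY="h33-sentinel-aarch64-linux" ;;
  x86_64|amd64)  BINARY="h33-sentinel-x86_64-linux" ;;
  *) echo "ERROR: Unsupported architecture: $ARCH" >&2; exit 1 ;;
esac

DOWNLOAD_URL="https://api.h33.ai/v1/releases/sentinel/${BINARY}"
INSTALL_PATH=/usr/local/bin/h33-sentinel

# Download into a private temp file and copy into place only once the transfer
# is complete (and, optionally, verified). A failed or truncated download must
# never leave a partial file marked executable in /usr/local/bin, and replacing
# the path with install(1) instead of overwriting it in place avoids ETXTBSY
# when an already-running sentinel is being upgraded.
TMP_BIN=$(mktemp) || { echo "ERROR: mktemp failed" >&2; exit 1; }
trap 'rm -f -- "$TMP_BIN"' EXIT

echo "[1/5] Downloading h33-sentinel for ${ARCH}..."
# -f makes curl fail on HTTP errors (404/5xx); without it the error body would
# be saved as the "binary" and the fallback branch below would never run.
curl -fsSL "$DOWNLOAD_URL" -o "$TMP_BIN" || {
  echo "ERROR: Download failed. Check https://h33.ai/sentinel for manual install." >&2
  exit 1
}

if [ -n "${H33_SENTINEL_SHA256:-}" ]; then
  ACTUAL_SHA256=$(sha256sum -- "$TMP_BIN" | awk '{print $1}')
  # Compare case-insensitively: sha256sum prints lowercase hex.
  if [ "$ACTUAL_SHA256" != "${H33_SENTINEL_SHA256,,}" ]; then
    echo "ERROR: SHA-256 mismatch for ${BINARY}: expected ${H33_SENTINEL_SHA256}, got ${ACTUAL_SHA256}" >&2
    exit 1
  fi
  echo " Checksum verified."
fi

install -m 0755 -- "$TMP_BIN" "$INSTALL_PATH"

echo "[2/5] Creating receipt store..."
mkdir -p /var/lib/h33-sentinel/receipts

echo "[3/5] Installing systemd service..."
# Quoted delimiter: the unit is written literally, nothing is expanded.
cat > /etc/systemd/system/h33-sentinel.service << 'SVCEOF'
[Unit]
Description=H33 Sentinel — Binary Integrity Watchdog
Documentation=https://h33.ai/sentinel
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# DEFAULT: dry-run (log only). Add --enforce ONLY after 48h of clean logs.
ExecStart=/usr/local/bin/h33-sentinel watch --interval 60 --dry-run --exclude systemd,sshd,kernel,containerd,dockerd,h33-sentinel
Environment=H33_API_URL=https://api.h33.ai
Environment=H33_RECEIPT_DIR=/var/lib/h33-sentinel/receipts
Environment=RUST_LOG=h33_sentinel=info
Restart=always
RestartSec=5
ProtectSystem=strict
ReadWritePaths=/var/lib/h33-sentinel
ProtectHome=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
SVCEOF

# API key (optional)
if [ -n "${H33_API_KEY:-}" ]; then
  mkdir -p /etc/h33
  # Create the env file with 0600 from the start (umask in a subshell) rather
  # than chmod-ing after the write, so the key is never world-readable even
  # briefly. printf avoids echo's option/escape handling of the value. The
  # chmod still runs in case the file already existed with wider permissions.
  (umask 077; printf 'H33_API_KEY=%s\n' "$H33_API_KEY" > /etc/h33/sentinel.env)
  chmod 600 /etc/h33/sentinel.env
  sed -i '/\[Service\]/a EnvironmentFile=/etc/h33/sentinel.env' /etc/systemd/system/h33-sentinel.service
  echo " API key configured."
fi

echo "[4/5] Starting sentinel (dry-run mode)..."
systemctl daemon-reload
systemctl enable h33-sentinel
systemctl start h33-sentinel

echo "[5/5] Verifying..."
sleep 2
# `systemctl is-active` exits non-zero when the unit is not active; without
# `|| true` set -e would abort here and the failure message below would
# never be printed.
STATUS=$(systemctl is-active h33-sentinel || true)
if [ "$STATUS" = "active" ]; then
  echo ""
  echo " ✓ H33 Sentinel is running (dry-run mode)"
  echo ""
  echo " Next steps:"
  echo " 1. Attest your binaries: sudo h33-sentinel attest /path/to/binary --label my-app"
  echo " 2. View live violations: sudo journalctl -u h33-sentinel -f"
  echo " 3. Check attested binaries: sudo h33-sentinel status"
  echo " 4. After 48h clean logs: edit /etc/systemd/system/h33-sentinel.service"
  echo " change --dry-run to --enforce"
  echo " sudo systemctl daemon-reload && sudo systemctl restart h33-sentinel"
  echo ""
else
  echo " ✗ Service failed to start. Check: journalctl -u h33-sentinel -e" >&2
  exit 1
fi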