#!/usr/bin/env bash
# Run fix-all steps that can be automated from the LAN operator machine.
# Manual steps (Windows hosts, UDM Pro hairpin, Alltra/HYBX) are printed at the end.
# Usage: bash scripts/run-fix-all-from-lan.sh [--verify]
#   --verify  also run full verification (can take several minutes)

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
RUN_VERIFY=false
[[ "${1:-}" == "--verify" ]] && RUN_VERIFY=true

cd "$PROJECT_ROOT"

echo "=== Fix All From LAN ==="
echo ""

# 1. Explorer hosts (this machine)
echo "--- 1. Explorer (explorer.d-bis.org) ---"
if grep -q "explorer.d-bis.org" /etc/hosts 2>/dev/null; then
    echo "OK: /etc/hosts already has an entry for explorer.d-bis.org"
    grep "explorer.d-bis.org" /etc/hosts
else
    echo "Add to /etc/hosts (run with sudo):"
    echo "  echo '192.168.11.140 explorer.d-bis.org' | sudo tee -a /etc/hosts"
fi
if curl -sI -o /dev/null -w "%{http_code}" --connect-timeout 5 "https://explorer.d-bis.org/" 2>/dev/null | grep -q 200; then
    echo "OK: https://explorer.d-bis.org/ returns 200 from this host"
else
    echo "WARN: https://explorer.d-bis.org/ did not return 200; add hosts or check network"
fi
echo ""

# 2. Env permissions
echo "--- 2. Env permissions ---"
if [ -f "scripts/security/secure-env-permissions.sh" ]; then
    bash scripts/security/secure-env-permissions.sh
else
    echo "SKIP: scripts/security/secure-env-permissions.sh not found"
fi
echo ""

# 3. Optional: full verification
if [[ "$RUN_VERIFY" == true ]]; then
    echo "--- 3. Full verification ---"
    if [ -f "scripts/verify/run-full-verification.sh" ]; then
        bash scripts/verify/run-full-verification.sh
    else
        echo "SKIP: scripts/verify/run-full-verification.sh not found"
    fi
else
    echo "--- 3. Full verification (skipped) ---"
    echo "Run with --verify to run: bash scripts/verify/run-full-verification.sh"
fi
echo ""

# 4. Manual steps
echo "=== Manual steps (see docs/05-network/FIX_ALL_ISSUES_RUNBOOK.md) ==="
echo ""
echo "• Windows browser: Add to C:\\Windows\\System32\\drivers\\etc\\hosts (as Admin):"
echo "  192.168.11.140 explorer.d-bis.org"
echo "  Then: ipconfig /flushdns"
echo ""
echo "• UDM Pro: Enable NAT loopback (hairpin) so all LAN clients can use explorer.d-bis.org without hosts."
echo ""
echo "• UDM Pro port forward: 76.53.10.36:80/443 → 192.168.11.167 (for external access)."
echo ""
echo "• Alltra/HYBX: Port forward 76.53.10.38 → 192.168.11.169; fix 502s per docs/04-configuration/FIXES_PREPARED.md"
echo ""