#!/usr/bin/env bash
set +e
set +u
set +H 2>/dev/null

TS="$(date +%Y%m%d_%H%M%S)"
OUT="/tmp/yeffai_readonly_discovery_audit_${TS}.txt"

{
  echo "===== YEFF AI READ-ONLY DISCOVERY AUDIT ====="
  echo "DATE=$(date)"
  echo "HOSTNAME=$(hostname 2>/dev/null)"
  echo "OUT=$OUT"
  echo "REMOTE_YEFFAI_MUTATION=NO"
  echo "YEFFAI_READONLY_DISCOVERY_COMMANDS_EXECUTED=YES"
  echo "YEFFAI_INSTALLATION_COMMAND_EXECUTED=NO"
  echo "INSTALLATION_STARTED=NO"
  echo "PACKAGE_ID=yeffai_readonly_discovery_audit_commands"
  echo "OPERATOR_PACKET_ID=yeffai_readonly_discovery_audit_operator_packet"
  echo
  echo "===== COMMAND_001 ====="
  echo "SCOPE=BASE"
  echo "GROUP_ID=BASE"
  echo "COMMAND_ID=HOST_IDENTITY_READ"
  echo "PURPOSE=Ler identidade básica do host YEFF AI sem mutação."
  echo "MUTATES_SYSTEM=NO"
  echo "COMMAND_BEGIN"
  printf "hostname="; hostname; printf "kernel="; uname -a; printf "os_release="; cat /etc/os-release 2>/dev/null
  CMD_STATUS=$?
  echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
  echo "COMMAND_END"
  echo
  echo "===== COMMAND_002 ====="
  echo "SCOPE=BASE"
  echo "GROUP_ID=BASE"
  echo "COMMAND_ID=TIME_AND_UPTIME_READ"
  echo "PURPOSE=Ler horário, uptime e carga do host."
  echo "MUTATES_SYSTEM=NO"
  echo "COMMAND_BEGIN"
  date -Is; uptime
  CMD_STATUS=$?
  echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
  echo "COMMAND_END"
  echo
  echo "===== COMMAND_003 ====="
  echo "SCOPE=BASE"
  echo "GROUP_ID=BASE"
  echo "COMMAND_ID=PROCESS_READ"
  echo "PURPOSE=Ler processos ativos para evidência de runtime/observer/serviços."
  echo "MUTATES_SYSTEM=NO"
  echo "COMMAND_BEGIN"
  ps aux --sort=comm | head -n 200
  CMD_STATUS=$?
  echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
  echo "COMMAND_END"
  echo
  echo "===== COMMAND_004 ====="
  echo "SCOPE=BASE"
  echo "GROUP_ID=BASE"
  echo "COMMAND_ID=SYSTEMD_SERVICE_READ"
  echo "PURPOSE=Ler serviços systemd sem iniciar, parar ou reiniciar nada."
  echo "MUTATES_SYSTEM=NO"
  echo "COMMAND_BEGIN"
  systemctl list-units --type=service --all --no-pager 2>/dev/null | head -n 300
  CMD_STATUS=$?
  echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
  echo "COMMAND_END"
  echo
  echo "===== COMMAND_005 ====="
  echo "SCOPE=BASE"
  echo "GROUP_ID=BASE"
  echo "COMMAND_ID=LISTENING_PORTS_READ"
  echo "PURPOSE=Ler portas em escuta e processos associados."
  echo "MUTATES_SYSTEM=NO"
  echo "COMMAND_BEGIN"
  ss -tulpn 2>/dev/null || netstat -tulpn 2>/dev/null
  CMD_STATUS=$?
  echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
  echo "COMMAND_END"
  echo
  echo "===== COMMAND_006 ====="
  echo "SCOPE=BASE"
  echo "GROUP_ID=BASE"
  echo "COMMAND_ID=DISK_AND_MOUNTS_READ"
  echo "PURPOSE=Ler discos, mounts e espaço sem alterar arquivos."
  echo "MUTATES_SYSTEM=NO"
  echo "COMMAND_BEGIN"
  df -hT; printf "\n--- mounts ---\n"; mount | head -n 200
  CMD_STATUS=$?
  echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
  echo "COMMAND_END"
  echo
  echo "===== COMMAND_007 ====="
  echo "SCOPE=BASE"
  echo "GROUP_ID=BASE"
  echo "COMMAND_ID=TOP_LEVEL_TREE_READ"
  echo "PURPOSE=Ler estrutura de diretórios prováveis sem conteúdo sensível."
  echo "MUTATES_SYSTEM=NO"
  echo "COMMAND_BEGIN"
  find /home /opt /srv /var/www -maxdepth 3 -type d 2>/dev/null | sort | head -n 500
  CMD_STATUS=$?
  echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
  echo "COMMAND_END"
  echo
  echo "===== COMMAND_008 ====="
  echo "SCOPE=GROUP"
  echo "GROUP_ID=RUNTIME_OBSERVABILITY"
  echo "COMMAND_ID=RUNTIME_LOG_PATHS_READ"
  echo "PURPOSE=Descobrir caminhos de logs e runtime state sem ler segredo."
  echo "MUTATES_SYSTEM=NO"
  echo "COMMAND_BEGIN"
  find /var/log /run /var/run /opt /srv /home -maxdepth 4 \( -iname "*log*" -o -iname "*runtime*" -o -iname "*status*" -o -iname "*observer*" -o -iname "*audit*" \) 2>/dev/null | sort | head -n 500
  CMD_STATUS=$?
  echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
  echo "COMMAND_END"
  echo
  echo "===== COMMAND_009 ====="
  echo "SCOPE=GROUP"
  echo "GROUP_ID=RUNTIME_OBSERVABILITY"
  echo "COMMAND_ID=RECENT_LOG_METADATA_READ"
  echo "PURPOSE=Ler metadados de logs recentes sem truncar ou modificar."
  echo "MUTATES_SYSTEM=NO"
  echo "COMMAND_BEGIN"
  find /var/log -type f -maxdepth 3 -printf "%TY-%Tm-%Td %TH:%TM %s %p\n" 2>/dev/null | sort | tail -n 200
  CMD_STATUS=$?
  echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
  echo "COMMAND_END"
  echo
  echo "===== COMMAND_010 ====="
  echo "SCOPE=GROUP"
  echo "GROUP_ID=SECURITY_BASELINE"
  echo "COMMAND_ID=UFW_STATUS_READ"
  echo "PURPOSE=Ler status do UFW sem habilitar firewall."
  echo "MUTATES_SYSTEM=NO"
  echo "COMMAND_BEGIN"
  ufw status verbose 2>/dev/null || true
  CMD_STATUS=$?
  echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
  echo "COMMAND_END"
  echo
  echo "===== COMMAND_011 ====="
  echo "SCOPE=GROUP"
  echo "GROUP_ID=SECURITY_BASELINE"
  echo "COMMAND_ID=SSH_CONFIG_READ"
  echo "PURPOSE=Ler configuração SSH efetiva e arquivos principais sem editar."
  echo "MUTATES_SYSTEM=NO"
  echo "COMMAND_BEGIN"
  sshd -T 2>/dev/null | egrep "^(permitrootlogin|passwordauthentication|pubkeyauthentication|port|allowusers|denyusers)"; printf "\n--- sshd_config ---\n"; grep -RIn "^PermitRootLogin\|^PasswordAuthentication\|^PubkeyAuthentication\|^Port\|^AllowUsers\|^DenyUsers" /etc/ssh/sshd_config /etc/ssh/sshd_config.d 2>/dev/null || true
  CMD_STATUS=$?
  echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
  echo "COMMAND_END"
  echo
  echo "===== COMMAND_012 ====="
  echo "SCOPE=GROUP"
  echo "GROUP_ID=SECURITY_BASELINE"
  echo "COMMAND_ID=SECURITY_PACKAGES_STATUS_READ"
  echo "PURPOSE=Ler presença/status de fail2ban, auditd e inotify-tools sem instalar."
  echo "MUTATES_SYSTEM=NO"
  echo "COMMAND_BEGIN"
  dpkg -l 2>/dev/null | egrep "fail2ban|auditd|audispd|inotify-tools" || true; printf "\n--- services ---\n"; systemctl status fail2ban auditd --no-pager 2>/dev/null || true
  CMD_STATUS=$?
  echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
  echo "COMMAND_END"
  echo
  echo "===== COMMAND_013 ====="
  echo "SCOPE=GROUP"
  echo "GROUP_ID=SECURITY_BASELINE"
  echo "COMMAND_ID=PERMISSIONS_SECURITY_READ"
  echo "PURPOSE=Ler permissões de arquivos/diretórios críticos sem alterar."
  echo "MUTATES_SYSTEM=NO"
  echo "COMMAND_BEGIN"
  ls -ld /root /home /etc/ssh /var/log /opt /srv /var/www 2>/dev/null; find /etc/ssh -maxdepth 2 -type f -printf "%m %u %g %p\n" 2>/dev/null | sort
  CMD_STATUS=$?
  echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
  echo "COMMAND_END"
  echo
  echo "===== COMMAND_014 ====="
  echo "SCOPE=GROUP"
  echo "GROUP_ID=BACKUP_RECOVERY"
  echo "COMMAND_ID=BACKUP_PATHS_DISCOVERY_READ"
  echo "PURPOSE=Descobrir diretórios e manifests de backup sem executar backup ou restore."
  echo "MUTATES_SYSTEM=NO"
  echo "COMMAND_BEGIN"
  find /home /opt /srv /var/backups /backup /backups -maxdepth 5 \( -iname "*backup*" -o -iname "*restore*" -o -iname "*snapshot*" -o -iname "*manifest*" -o -iname "*rollback*" \) 2>/dev/null | sort | head -n 500
  CMD_STATUS=$?
  echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
  echo "COMMAND_END"
  echo
  echo "===== COMMAND_015 ====="
  echo "SCOPE=GROUP"
  echo "GROUP_ID=BACKUP_RECOVERY"
  echo "COMMAND_ID=BACKUP_METADATA_READ"
  echo "PURPOSE=Ler metadados de arquivos de backup sem copiar, deletar ou restaurar."
  echo "MUTATES_SYSTEM=NO"
  echo "COMMAND_BEGIN"
  find /var/backups /backup /backups /home /opt /srv -maxdepth 4 -type f \( -iname "*manifest*" -o -iname "*.sha256" -o -iname "*.json" -o -iname "*.txt" \) -printf "%TY-%Tm-%Td %TH:%TM %s %p\n" 2>/dev/null | sort | head -n 500
  CMD_STATUS=$?
  echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
  echo "COMMAND_END"
  echo
  echo "===== FINAL ====="
  echo "STATUS=PASS"
  echo "CAUSE=read-only discovery audit executed on YEFF AI target without requested mutation"
  echo "REMOTE_YEFFAI_MUTATION=NO"
  echo "YEFFAI_INSTALLATION_COMMAND_EXECUTED=NO"
  echo "INSTALLATION_STARTED=NO"
  echo "OUTPUT_FILE=$OUT"
} | tee "$OUT"

printf "\nCOPIE E COLE O OUTPUT COMPLETO DE: %s\n" "$OUT"
