#!/usr/bin/env bash
# guruscan-agent-test.sh - Deploy GuruScan to a Windows GuruRMM agent and run an
# end-to-end smoke test (full 3-engine chain, EICAR-seeded, clean mode), pulling
# every log back for review.
#
# Phases:
#   prep    - upload module to C:\GuruScan, Defender-exclude tool/test dirs,
#             download RKill+Emsisoft, fetch HitmanPro, seed EICAR, verify ready
#   scan    - dispatch Invoke-GuruScan.ps1 -Headless (clean mode) and poll
#   collect - pull results.json + per-scanner logs into the repo
#   all     - prep then scan then collect
#
# Usage:
#   bash guruscan-agent-test.sh <hostname|uuid> <prep|scan|collect|all>
#
# Mirrors the RMM plumbing in run-onboarding-diagnostic.sh (vault auth -> JWT ->
# chunked base64 upload -> dispatch -> poll). EICAR is the standard harmless AV
# test file; it is assembled on the endpoint (never written to this host) and
# dropped only into a Defender-excluded folder so GuruScan's own engines are what
# detect it.

set -u

TARGET="${1:-}"
PHASE="${2:-all}"

if [ -z "$TARGET" ]; then
    echo "[ERROR] Usage: bash guruscan-agent-test.sh <hostname|uuid> <prep|scan|collect|all>" >&2
    exit 1
fi

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
VAULT="$REPO_ROOT/.claude/scripts/vault.sh"
ALERT="$REPO_ROOT/.claude/scripts/post-bot-alert.sh"
GS_DIR="$REPO_ROOT/projects/msp-tools/guru-scan"
RESULTS_ROOT="$GS_DIR/test-results"
RMM="http://172.16.3.30:3001"
HITMANPRO_URL="https://dl.surfright.nl/HitmanPro_x64.exe"

_logerr() { bash "$REPO_ROOT/.claude/scripts/log-skill-error.sh" "guruscan-test" "$@" >/dev/null 2>&1 || true; }
post_alert() { [ -f "$ALERT" ] && bash "$ALERT" "$1" >/dev/null 2>&1 || true; }

for tool in jq curl base64 split; do
    command -v "$tool" >/dev/null 2>&1 || { echo "[ERROR] Required tool not found: $tool" >&2; exit 1; }
done

# ---------------------------------------------------------------------------
# Auth
# ---------------------------------------------------------------------------
RMM_EMAIL="$(bash "$VAULT" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-email 2>/dev/null)"
RMM_PASS="$(bash "$VAULT" get-field infrastructure/gururmm-server.sops.yaml credentials.gururmm-api.admin-password 2>/dev/null)"
if [ -z "$RMM_EMAIL" ] || [ "$RMM_EMAIL" = "null" ] || [ -z "$RMM_PASS" ]; then
    echo "[ERROR] Could not read GuruRMM credentials from vault" >&2
    _logerr "vault read of GuruRMM creds failed"
    exit 1
fi
TOKEN="$(curl -s -m 30 -X POST "$RMM/api/auth/login" -H "Content-Type: application/json" \
    --data-binary "$(jq -nc --arg e "$RMM_EMAIL" --arg p "$RMM_PASS" '{email:$e,password:$p}')" | jq -r '.token // empty')"
if [ -z "$TOKEN" ]; then
    echo "[ERROR] RMM login failed" >&2; _logerr "RMM login failed"; exit 1
fi
echo "[OK] Authenticated to GuruRMM"

# ---------------------------------------------------------------------------
# Resolve agent (uuid -> exact host -> partial host)
# ---------------------------------------------------------------------------
AGENTS="$(curl -s -m 30 "$RMM/api/agents" -H "Authorization: Bearer $TOKEN")"
echo "$AGENTS" | jq -e 'type=="array"' >/dev/null 2>&1 || { echo "[ERROR] Could not list agents" >&2; exit 1; }

if echo "$TARGET" | grep -qiE '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'; then
    AGENT="$(echo "$AGENTS" | jq --arg id "$TARGET" '[.[]|select(.id==$id)]|.[0]//empty')"
else
    AGENT="$(echo "$AGENTS" | jq --arg h "$TARGET" '[.[]|select((.hostname|ascii_downcase)==($h|ascii_downcase))]|.[0]//empty')"
    if [ -z "$AGENT" ] || [ "$AGENT" = "null" ]; then
        MATCHES="$(echo "$AGENTS" | jq --arg h "$TARGET" '[.[]|select(.hostname|ascii_downcase|contains($h|ascii_downcase))]')"
        COUNT="$(echo "$MATCHES" | jq 'length')"
        [ "$COUNT" = "1" ] && AGENT="$(echo "$MATCHES" | jq '.[0]')"
        if [ "$COUNT" != "1" ]; then
            echo "[ERROR] $COUNT agents match '$TARGET'. Be more specific." >&2
            echo "$MATCHES" | jq -r '.[]|"  \(.hostname) (\(.os_type)) id=\(.id)"' >&2
            exit 1
        fi
    fi
fi
[ -z "$AGENT" ] || [ "$AGENT" = "null" ] && { echo "[ERROR] No agent matching '$TARGET'." >&2; exit 1; }

AGENT_ID="$(echo "$AGENT" | jq -r '.id')"
AGENT_HOST="$(echo "$AGENT" | jq -r '.hostname')"
AGENT_OS="$(echo "$AGENT" | jq -r '.os_type')"
AGENT_STATUS="$(echo "$AGENT" | jq -r '.status // "unknown"')"
echo "[OK] Agent: $AGENT_HOST ($AGENT_OS) status=$AGENT_STATUS id=$AGENT_ID"
[ "$AGENT_OS" != "windows" ] && { echo "[ERROR] Windows-only. os_type=$AGENT_OS" >&2; exit 1; }

WORK_DIR="$(mktemp -d 2>/dev/null || echo "${TMPDIR:-/tmp}/guruscan-test-$$")"
mkdir -p "$WORK_DIR"
trap 'rm -rf "$WORK_DIR" 2>/dev/null || true' EXIT

# ---------------------------------------------------------------------------
# dispatch_one <script-file> <timeout_seconds> <max_polls> -> echoes result JSON
# ---------------------------------------------------------------------------
dispatch_one() {
    local script_file="$1" to="$2" max_polls="${3:-72}"
    local payload_file resp cmd_id status result count
    payload_file="$WORK_DIR/payload.json"
    jq -nc --rawfile cmd "$script_file" --argjson to "$to" \
        '{command_type:"powershell", command:$cmd, timeout_seconds:$to}' > "$payload_file"
    resp="$(curl -s -m 30 -X POST "$RMM/api/agents/$AGENT_ID/command" \
        -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
        --data-binary "@$payload_file")"
    cmd_id="$(echo "$resp" | jq -r '.command_id // empty')"
    [ -z "$cmd_id" ] && { echo "[ERROR] Dispatch failed: $resp" >&2; return 1; }
    count=0
    while [ $count -lt "$max_polls" ]; do
        result="$(curl -s -m 30 "$RMM/api/commands/$cmd_id" -H "Authorization: Bearer $TOKEN")"
        status="$(echo "$result" | jq -r '.status // empty')"
        case "$status" in
            completed|failed|cancelled|interrupted)
                printf '%s' "$cmd_id" > "$WORK_DIR/last_cmd_id"
                echo "$result"; return 0 ;;
            *) count=$((count+1)); sleep 5 ;;
        esac
    done
    echo "[ERROR] Command $cmd_id did not finish (last=$status)" >&2; return 1
}

# run_ps <script-file> <timeout> <max_polls> <label> -> prints status, returns nonzero on failure
run_ps() {
    local sf="$1" to="$2" mp="$3" label="$4" res st ec out err
    res="$(dispatch_one "$sf" "$to" "$mp")" || { echo "[ERROR] $label: dispatch failed" >&2; return 1; }
    st="$(echo "$res" | jq -r '.status')"; ec="$(echo "$res" | jq -r '.exit_code // "null"')"
    out="$(echo "$res" | jq -r '.stdout // ""')"; err="$(echo "$res" | jq -r '.stderr // ""')"
    echo "--- $label: status=$st exit=$ec ---"
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -n "$err" ] && { echo "  [stderr]"; printf '%s\n' "$err" | head -30; }
    printf '%s' "$res" > "$WORK_DIR/last_result.json"
    [ "$st" = "completed" ] || return 1
    return 0
}

# upload_file <local> <remote_win_path>  (chunked base64, decode on endpoint)
upload_file() {
    local local_path="$1" remote="$2" b64="$WORK_DIR/up.b64" chunk_dir="$WORK_DIR/chunks"
    local remote_b64="${remote}.b64"
    [ -f "$local_path" ] || { echo "[ERROR] missing local file: $local_path" >&2; return 1; }
    rm -rf "$chunk_dir"; mkdir -p "$chunk_dir"
    if base64 -w0 "$local_path" > "$b64" 2>/dev/null; then :
    elif base64 -i "$local_path" > "$b64" 2>/dev/null; then :
    else base64 < "$local_path" | tr -d '\n' > "$b64"; fi
    split -b 24000 "$b64" "$chunk_dir/chunk_"
    local chunks idx=0 nch sf data
    chunks=$(ls -1 "$chunk_dir"/chunk_* | sort)
    nch=$(echo "$chunks" | wc -l | tr -d ' ')
    for ch in $chunks; do
        idx=$((idx+1)); data="$(cat "$ch")"; sf="$WORK_DIR/chunkcmd.ps1"
        if [ "$idx" -eq 1 ]; then
            cat > "$sf" <<PS
\$ErrorActionPreference='Stop'
\$d=Split-Path "$remote" -Parent
if(-not (Test-Path \$d)){New-Item -ItemType Directory -Path \$d -Force|Out-Null}
[System.IO.File]::WriteAllText("$remote_b64","$data")
Write-Output "CHUNK $idx OK"
PS
        else
            cat > "$sf" <<PS
\$ErrorActionPreference='Stop'
[System.IO.File]::AppendAllText("$remote_b64","$data")
Write-Output "CHUNK $idx OK"
PS
        fi
        local r; r="$(dispatch_one "$sf" 60)" || { echo "[ERROR] $(basename "$remote") chunk $idx dispatch failed" >&2; return 1; }
        [ "$(echo "$r" | jq -r '.status')" = "completed" ] || { echo "[ERROR] $(basename "$remote") chunk $idx failed" >&2; return 1; }
    done
    # decode
    local df="$WORK_DIR/decode.ps1"
    cat > "$df" <<PS
\$ErrorActionPreference='Stop'
\$b64=(Get-Content "$remote_b64" -Raw) -replace '\s',''
[System.IO.File]::WriteAllBytes("$remote",[System.Convert]::FromBase64String(\$b64))
Remove-Item "$remote_b64" -Force -ErrorAction SilentlyContinue
\$len=(Get-Item "$remote").Length
Write-Output ("WROTE $remote (\$len bytes)")
PS
    local r; r="$(dispatch_one "$df" 60)" || { echo "[ERROR] decode dispatch failed for $remote" >&2; return 1; }
    [ "$(echo "$r" | jq -r '.status')" = "completed" ] || { echo "[ERROR] decode failed for $remote: $(echo "$r"|jq -r '.stderr'|head -c160)" >&2; return 1; }
    echo "[OK] uploaded $(basename "$remote") ($nch chunk(s)) -> $(echo "$r"|jq -r '.stdout'|tr -d '\r')"
}

# ---------------------------------------------------------------------------
# DETACHED, NO-CAP execution. A scanner must never be killed by an RMM command
# timeout - large drives can scan for hours. So we launch GuruScan as a
# scheduled task with ExecutionTimeLimit=0 (unlimited); the launch command
# returns immediately, the scan runs to completion on its own, and we poll a
# disk done-marker with NO overall cap.
# ---------------------------------------------------------------------------
# gs_launch_detached "<invoke-guruscan-args>" <tag>
gs_launch_detached() {
    local gsargs="$1" tag="$2"
    local wl="$WORK_DIR/wrapper_$tag.ps1"
    cat > "$wl" <<PS
\$ErrorActionPreference='Continue'
\$marker='C:\\GuruScan\\_done_${tag}.txt'
\$log='C:\\GuruScan\\_log_${tag}.txt'
Remove-Item \$marker,\$log -Force -ErrorAction SilentlyContinue
try { & C:\\GuruScan\\Invoke-GuruScan.ps1 ${gsargs} *> \$log; \$rc=\$LASTEXITCODE }
catch { \$rc=-1; \$_ | Out-String | Add-Content \$log }
"DONE rc=\$rc at \$(Get-Date -Format o)" | Set-Content \$marker
PS
    upload_file "$wl" "C:\\GuruScan\\_detached_${tag}.ps1" || return 1
    local sf="$WORK_DIR/launch_$tag.ps1"
    cat > "$sf" <<PS
\$ErrorActionPreference='Stop'
\$tn='GuruScan-${tag}'
try{ Unregister-ScheduledTask -TaskName \$tn -Confirm:\$false -ErrorAction SilentlyContinue }catch{}
\$a=New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\GuruScan\\_detached_${tag}.ps1'
\$pr=New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
\$st=New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero) -StartWhenAvailable -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew
Register-ScheduledTask -TaskName \$tn -Action \$a -Principal \$pr -Settings \$st -Force | Out-Null
Start-ScheduledTask -TaskName \$tn
Start-Sleep -Seconds 2
Write-Output ('LAUNCHED ' + \$tn + ' state=' + ((Get-ScheduledTask -TaskName \$tn).State))
PS
    run_ps "$sf" 90 24 "launch-$tag" || return 1
}

# gs_wait_detached <tag> <label>  -- polls for the done-marker; NO cap (24h safety net)
gs_wait_detached() {
    local tag="$1" label="$2" i=0 maxi=2880
    local sf="$WORK_DIR/poll_$tag.ps1"
    cat > "$sf" <<PS
\$ErrorActionPreference='Continue'
\$marker='C:\\GuruScan\\_done_${tag}.txt'
if(Test-Path \$marker){ Write-Output ('MARKER ' + ((Get-Content \$marker -Raw) -replace '\s+',' ').Trim()) }
else {
  \$act=@(); foreach(\$n in @('a2cmd','HitmanPro_x64','rkill')){ \$p=Get-Process -Name \$n -ErrorAction SilentlyContinue; if(\$p){ \$act += (\$n+' CPU='+[math]::Round((\$p|Select-Object -First 1).CPU,0)+'s') } }
  if(\$act.Count){ Write-Output ('RUNNING ' + (\$act -join ', ')) } else { Write-Output 'RUNNING (between scanners / starting)' }
}
PS
    echo "[INFO] waiting for '$label' to finish (NO cap; checking every 30s)..."
    while [ $i -lt $maxi ]; do
        run_ps "$sf" 30 8 "poll-$tag" >/dev/null 2>&1 || true
        local out; out="$(jq -r '.stdout' "$WORK_DIR/last_result.json" 2>/dev/null | tr -d '\r')"
        if printf '%s' "$out" | grep -q '^MARKER '; then
            echo "[OK] '$label' finished -> $(printf '%s' "$out" | grep '^MARKER ')"
            return 0
        fi
        i=$((i+1))
        if [ $((i % 4)) -eq 0 ]; then echo "  [$label] $((i/2)) min elapsed: $(printf '%s' "$out" | grep -E '^(RUNNING|MARKER)' | head -1)"; fi
        sleep 30
    done
    echo "[WARN] '$label' exceeded 24h safety net"; return 1
}

# fetch the captured console log of a detached run (contains GURUSCAN_RESULT_JSON)
gs_fetch_detached_log() {
    local tag="$1"
    local sf="$WORK_DIR/getlog_$tag.ps1"
    cat > "$sf" <<PS
\$p='C:\\GuruScan\\_log_${tag}.txt'
if(Test-Path \$p){ Get-Content \$p -Raw } else { Write-Output 'NO-LOG' }
PS
    run_ps "$sf" 60 24 "fetchlog-$tag" >/dev/null 2>&1 || true
    jq -r '.stdout' "$WORK_DIR/last_result.json" 2>/dev/null
}

# ===========================================================================
phase_prep() {
    echo ""; echo "=== PHASE: prep ==="
    # 1) upload module files
    local files="GuruScan.psm1 GuruScan.psd1 scanners.json Invoke-GuruScan.ps1 Invoke-ScannerCleanup.ps1 Download-Scanners.ps1"
    for f in $files; do
        upload_file "$GS_DIR/$f" "C:\\GuruScan\\$f" || { _logerr "upload failed" --context "file=$f host=$AGENT_HOST"; return 1; }
    done

    # 2) Defender exclusions for tool + downloads + test dirs (so Defender does not
    #    nuke the scanner EXEs or grab EICAR before GuruScan's engines run).
    local sf="$WORK_DIR/defender.ps1"
    cat > "$sf" <<'PS'
$ErrorActionPreference='Continue'
foreach($p in @('C:\GuruScan','C:\GuruScan\downloads','C:\GuruScanTest','C:\EmsisoftCmd')){
  try { Add-MpPreference -ExclusionPath $p -ErrorAction Stop; Write-Output "EXCLUDED $p" }
  catch { Write-Output ("EXCLUDE-SKIP " + $p + " : " + $_.Exception.Message) }
}
PS
    run_ps "$sf" 60 24 "defender-exclusions" || echo "[WARN] Defender exclusion step had issues (continuing)"

    # 3) download RKill + Emsisoft via the module's downloader
    local sf2="$WORK_DIR/dl.ps1"
    cat > "$sf2" <<'PS'
$ErrorActionPreference='Continue'
& C:\GuruScan\Download-Scanners.ps1
PS
    run_ps "$sf2" 600 130 "download-rkill-emsisoft" || echo "[WARN] scanner download reported issues (HitmanPro is expected MANUAL)"

    # 4) fetch HitmanPro directly to downloads\
    local sf3="$WORK_DIR/hmp.ps1"
    cat > "$sf3" <<PS
\$ErrorActionPreference='Continue'
\$ProgressPreference='SilentlyContinue'
\$dst='C:\\GuruScan\\downloads\\HitmanPro_x64.exe'
try {
  [Net.ServicePointManager]::SecurityProtocol=[Net.ServicePointManager]::SecurityProtocol -bor 3072
  \$wc=New-Object System.Net.WebClient
  \$wc.Headers.Add('User-Agent','Mozilla/5.0 (Windows NT 10.0; Win64; x64)')
  \$wc.DownloadFile('$HITMANPRO_URL',\$dst)
  \$len=(Get-Item \$dst).Length
  Write-Output ("HITMANPRO OK \$len bytes")
} catch { Write-Output ("HITMANPRO FAIL: " + \$_.Exception.Message) }
PS
    run_ps "$sf3" 300 70 "download-hitmanpro" || echo "[WARN] HitmanPro download dispatch issue"

    # 5) seed EICAR into the Defender-excluded test folder (assembled on endpoint)
    local sf4="$WORK_DIR/eicar.ps1"
    cat > "$sf4" <<'PS'
$ErrorActionPreference='Continue'
$dir='C:\GuruScanTest'
if(-not (Test-Path $dir)){New-Item -ItemType Directory -Path $dir -Force|Out-Null}
# Standard EICAR test signature, assembled from fragments so it is never stored
# contiguously anywhere except the on-disk test file.
$e = 'X5O!P%@AP[4\PZX54(P^)7CC)7}' + '$EICAR' + '-STANDARD-ANTIVIRUS-' + 'TEST-FILE!$H+H*'
$f = Join-Path $dir 'eicar_test.com'
Set-Content -Path $f -Value $e -Encoding ASCII -NoNewline
Start-Sleep -Seconds 2
if(Test-Path $f){
  $sz=(Get-Item $f).Length
  Write-Output ("EICAR seeded: $f ($sz bytes) - survived (Defender exclusion working)")
} else {
  Write-Output "EICAR MISSING after write - Defender (or other AV) grabbed it despite exclusion"
}
PS
    run_ps "$sf4" 60 24 "seed-eicar" || { _logerr "EICAR seed failed" --context "host=$AGENT_HOST"; return 1; }

    # 6) readiness check - confirm all three scanner binaries present + EICAR present
    local sf5="$WORK_DIR/ready.ps1"
    cat > "$sf5" <<'PS'
$ErrorActionPreference='Continue'
$need=@{
  'RKill'     ='C:\GuruScan\downloads\rkill.exe';
  'Emsisoft'  ='C:\GuruScan\downloads\EmsisoftCommandlineScanner64.exe';
  'HitmanPro' ='C:\GuruScan\downloads\HitmanPro_x64.exe';
  'Module'    ='C:\GuruScan\GuruScan.psm1';
  'EICAR'     ='C:\GuruScanTest\eicar_test.com'
}
$ok=$true
foreach($k in $need.Keys){
  if(Test-Path $need[$k]){ Write-Output ("READY  {0,-10} {1} ({2} bytes)" -f $k,$need[$k],(Get-Item $need[$k]).Length) }
  else { Write-Output ("MISSING {0,-10} {1}" -f $k,$need[$k]); $ok=$false }
}
if($ok){Write-Output 'ALL-READY'}else{Write-Output 'NOT-READY'}
PS
    run_ps "$sf5" 60 24 "readiness" || return 1
    if grep -q 'ALL-READY' "$WORK_DIR/last_result.json" 2>/dev/null || \
       echo "$(jq -r '.stdout' "$WORK_DIR/last_result.json" 2>/dev/null)" | grep -q 'ALL-READY'; then
        echo "[OK] prep complete - endpoint is READY for scan"
        post_alert "[RMM] GuruScan test: prepped $AGENT_HOST (module+3 scanners+EICAR staged)"
    else
        echo "[WARN] prep finished but not all components READY - review output above before scanning"
    fi
}

# ===========================================================================
phase_scan() {
    echo ""; echo "=== PHASE: scan (clean mode, full chain, headless, DETACHED - NO CAP) ==="
    gs_launch_detached "-Headless" "scan" || { _logerr "detached scan launch failed" --context "host=$AGENT_HOST"; echo "[ERROR] launch failed"; return 1; }
    gs_wait_detached "scan" "full-scan" || true
    local out; out="$(gs_fetch_detached_log "scan")"
    echo ""
    printf '%s\n' "$out" | grep 'GURUSCAN_RESULT_JSON:' | sed 's/^.*GURUSCAN_RESULT_JSON://' | jq '.' 2>/dev/null \
        || echo "[WARN] no GURUSCAN_RESULT_JSON in detached log"
    post_alert "[RMM] GuruScan test: detached scan finished on $AGENT_HOST"
}

# ===========================================================================
phase_collect() {
    echo ""; echo "=== PHASE: collect (pull results.json + logs) ==="
    local stamp; stamp="$(date -u +%Y%m%dT%H%M%S)"
    local outdir="$RESULTS_ROOT/${AGENT_HOST}-${stamp}"
    mkdir -p "$outdir"

    # newest scan log dir + results.json + per-scanner logs, emitted as base64 blobs
    local sf="$WORK_DIR/collect.ps1"
    cat > "$sf" <<'PS'
$ErrorActionPreference='Continue'
$root='C:\ScanLogs'
if(-not (Test-Path $root)){ Write-Output 'NO-SCANLOGS'; return }
$dir=Get-ChildItem $root -Directory | Sort-Object LastWriteTime -Descending | Select-Object -First 1
if(-not $dir){ Write-Output 'NO-SCAN-DIR'; return }
Write-Output ("SCANDIR=" + $dir.FullName)
# EICAR sanity: is the planted test file still on disk after a clean-mode scan?
$eicar='C:\GuruScanTest\eicar_test.com'
if(Test-Path $eicar){ Write-Output ("EICAR-STILL-PRESENT (" + (Get-Item $eicar).Length + " bytes) - NOT quarantined") }
else { Write-Output 'EICAR-GONE - a scanner removed/quarantined it' }
# whitelist that was handed to the engines
if(Test-Path 'C:\GuruScan\whitelist.txt'){ Write-Output '===FILE===whitelist.txt==='; Write-Output ([Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\GuruScan\whitelist.txt'))) }
# recurse: pull every log file under the scan dir (logs live in *_Logs subdirs), cap each at 512KB
Get-ChildItem $dir.FullName -File -Recurse | ForEach-Object {
  $bytes=[IO.File]::ReadAllBytes($_.FullName)
  if($bytes.Length -gt 524288){ $bytes=$bytes[0..524287] }
  $rel=$_.FullName.Substring($dir.FullName.Length).TrimStart('\') -replace '\\','__'
  Write-Output ("===FILE===" + $rel + "===")
  Write-Output ([Convert]::ToBase64String($bytes))
}
Write-Output "===END==="
PS
    run_ps "$sf" 180 72 "collect-logs" || { echo "[ERROR] collect failed"; return 1; }
    local out; out="$(jq -r '.stdout' "$WORK_DIR/last_result.json")"
    printf '%s' "$out" > "$WORK_DIR/collect.out"

    # split the marker-delimited base64 blobs into files
    awk -v outdir="$WORK_DIR/blobs" '
        BEGIN{ system("mkdir -p \"" outdir "\""); name="" }
        /^===FILE===/ { n=$0; sub(/^===FILE===/,"",n); sub(/===$/,"",n); name=n; next }
        /^===END===/ { name=""; next }
        name!="" { print > (outdir "/" name ".b64") }
    ' "$WORK_DIR/collect.out"

    if [ -d "$WORK_DIR/blobs" ]; then
        for bf in "$WORK_DIR/blobs"/*.b64; do
            [ -e "$bf" ] || continue
            local name; name="$(basename "$bf" .b64)"
            tr -d '\r\n' < "$bf" | base64 -d > "$outdir/$name" 2>/dev/null \
                && echo "[OK] pulled $name ($(wc -c < "$outdir/$name") bytes)" \
                || echo "[WARN] could not decode $name"
        done
    fi

    # save raw stdout (incl. SCANDIR line) too
    printf '%s\n' "$out" | grep -E '^(SCANDIR=|NO-)' > "$outdir/_collect-meta.txt" 2>/dev/null || true

    echo ""
    if [ -f "$outdir/results.json" ]; then
        echo "=== results.json ==="
        jq '.' "$outdir/results.json" 2>/dev/null || cat "$outdir/results.json"
    else
        echo "[WARN] results.json not among pulled files - check $outdir"
    fi
    echo ""
    echo "[OK] logs saved to: $outdir"
}

# ===========================================================================
# verify-each: re-seed a fresh EICAR before EACH engine and run that engine
# ALONE in clean mode, so the first engine's quarantine can't mask the others.
# Reports a per-engine detect+remove matrix. RKill is run but is a process
# killer (not a file scanner), so it is expected NOT to touch the file.
# Seeds in several locations to give targeted scanners (HitmanPro) a fair shot.
# ===========================================================================
VE_DIRS=('C:\GuruScanTest' 'C:\Users\Public\Desktop' 'C:\Windows\Temp')
VE_FILES=('C:\GuruScanTest\eicar_test.com' 'C:\Users\Public\Desktop\eicar_test.com' 'C:\Windows\Temp\eicar_test.com')

ve_seed_ps() {  # emits PS that (re)creates a fresh EICAR in every VE_DIRS location
    cat <<'PS'
$ErrorActionPreference='Continue'
$e='X5O!P%@AP[4\PZX54(P^)7CC)7}' + '$EICAR' + '-STANDARD-ANTIVIRUS-' + 'TEST-FILE!$H+H*'
foreach($d in @('C:\GuruScanTest','C:\Users\Public\Desktop','C:\Windows\Temp')){
  if(-not (Test-Path $d)){ New-Item -ItemType Directory -Path $d -Force | Out-Null }
  Set-Content -Path (Join-Path $d 'eicar_test.com') -Value $e -Encoding ASCII -NoNewline
}
$n=@(Get-ChildItem 'C:\GuruScanTest\eicar_test.com','C:\Users\Public\Desktop\eicar_test.com','C:\Windows\Temp\eicar_test.com' -ErrorAction SilentlyContinue).Count
Write-Output ("SEEDED $n/3 EICAR copies")
PS
}

phase_verify_each() {
    echo ""; echo "=== PHASE: verify-each (per-engine re-seed, clean mode) ==="

    # Defender exclusions for all seed locations (so only GuruScan's engines act)
    local sfx="$WORK_DIR/ve_excl.ps1"
    cat > "$sfx" <<'PS'
$ErrorActionPreference='Continue'
foreach($p in @('C:\GuruScanTest','C:\Users\Public\Desktop','C:\Windows\Temp','C:\GuruScan','C:\GuruScan\downloads','C:\EmsisoftCmd')){
  try{ Add-MpPreference -ExclusionPath $p -ErrorAction Stop; Write-Output "EXCLUDED $p" }catch{ Write-Output ("EXCL-SKIP "+$p) }
}
PS
    run_ps "$sfx" 60 24 "ve-defender-exclusions" || echo "[WARN] exclusion step issues"

    local engines="RKill HitmanPro Emsisoft"
    local matrix=""
    for eng in $engines; do
        echo ""; echo "--- verify engine: $eng ---"
        # 1) re-seed fresh EICAR everywhere
        ve_seed_ps > "$WORK_DIR/ve_seed.ps1"
        run_ps "$WORK_DIR/ve_seed.ps1" 60 24 "seed-for-$eng" || { echo "[ERROR] seed failed for $eng"; return 1; }

        # 2) run ONLY this engine in clean mode, DETACHED with NO cap (Emsisoft
        #    updates+scans all of C:\ - can take far longer than any RMM timeout)
        gs_launch_detached "-Scanners $eng -Headless" "ve_$eng" || { echo "[ERROR] launch failed for $eng"; return 1; }
        gs_wait_detached "ve_$eng" "run-$eng" || true

        # 3) check which seeded copies survived + read that run's result json
        cat > "$WORK_DIR/ve_check.ps1" <<'PS'
$ErrorActionPreference='Continue'
foreach($f in @('C:\GuruScanTest\eicar_test.com','C:\Users\Public\Desktop\eicar_test.com','C:\Windows\Temp\eicar_test.com')){
  if(Test-Path $f){ Write-Output ("PRESENT $f") } else { Write-Output ("GONE $f") }
}
$d=Get-ChildItem C:\ScanLogs -Directory -ErrorAction SilentlyContinue | Sort-Object LastWriteTime -Descending | Select-Object -First 1
if($d){
  try{ $r=Get-Content (Join-Path $d.FullName 'results.json') -Raw | ConvertFrom-Json
    Write-Output ("RESULT total_threats=" + $r.total_threats + " | " + (($r.scanners | ForEach-Object { $_.name + ' threats=' + $_.threats_found + ' exit=' + $_.exit_code }) -join ' ; ')) }catch{}
}
PS
        run_ps "$WORK_DIR/ve_check.ps1" 60 24 "check-$eng" || true
        local out gone present
        out="$(jq -r '.stdout' "$WORK_DIR/last_result.json" 2>/dev/null)"
        gone="$(printf '%s' "$out" | grep -c '^GONE ')"
        present="$(printf '%s' "$out" | grep -c '^PRESENT ')"
        local verdict
        if [ "$eng" = "RKill" ]; then verdict="n/a (process killer, not a file scanner)"
        elif [ "$gone" -gt 0 ]; then verdict="DETECTED+REMOVED ($gone/3 copies removed)"
        else verdict="MISSED (0/3 copies removed)"; fi
        matrix="${matrix}\n  ${eng}: ${verdict}"
        echo "  -> $eng: $verdict"
    done

    # cleanup: remove seeded files + the exclusions we added
    cat > "$WORK_DIR/ve_clean.ps1" <<'PS'
$ErrorActionPreference='Continue'
foreach($f in @('C:\GuruScanTest\eicar_test.com','C:\Users\Public\Desktop\eicar_test.com','C:\Windows\Temp\eicar_test.com')){ Remove-Item $f -Force -ErrorAction SilentlyContinue }
Remove-Item 'C:\GuruScanTest' -Recurse -Force -ErrorAction SilentlyContinue
foreach($p in @('C:\GuruScanTest','C:\Users\Public\Desktop','C:\Windows\Temp','C:\GuruScan','C:\GuruScan\downloads','C:\EmsisoftCmd')){ try{ Remove-MpPreference -ExclusionPath $p -ErrorAction Stop }catch{} }
Write-Output ("REMAINING-EXCLUSIONS: " + (((Get-MpPreference).ExclusionPath) -join '; '))
PS
    run_ps "$WORK_DIR/ve_clean.ps1" 60 24 "ve-cleanup" || true

    echo ""
    echo "=========================================================="
    echo " VERIFY-EACH RESULT (per-engine, independent re-seed)"
    echo -e "$matrix"
    echo "=========================================================="
    post_alert "[RMM] GuruScan verify-each on $AGENT_HOST complete - see per-engine detect/remove matrix"
}

case "$PHASE" in
    prep)        phase_prep ;;
    scan)        phase_scan ;;
    collect)     phase_collect ;;
    verify-each) phase_verify_each ;;
    all)         phase_prep && phase_scan && phase_collect ;;
    *) echo "[ERROR] Unknown phase '$PHASE' (prep|scan|collect|verify-each|all)" >&2; exit 1 ;;
esac