#!/bin/sh
#
# cyclops-fingerprint.sh — Collect machine fingerprint for Cyclops license
#
# Run this on the TARGET HOST (not inside a container) where Cyclops
# will run. Paste the output fingerprint into the purchase form.
#
# If running Cyclops in Docker, run this script on the Docker HOST.
# The Cyclops container needs these read-only bind mounts:
#
#   docker run \
#     -v /etc/machine-id:/etc/machine-id:ro \
#     -v /sys/class/dmi/id:/sys/class/dmi/id:ro \
#     ...
#
set -e

# Domain-separation prefix for the hash. It ships inside this script, so it
# is a public constant and not a secret. It is part of the hashed input, so
# changing it changes every fingerprint.
SALT="cyclops-genworks-2025"

# ---- Collect fingerprint sources ----

# Source 1: systemd machine-id. /etc/machine-id wins; the D-Bus copy is used
# only when /etc/machine-id does not exist. An existing but empty
# /etc/machine-id gives an empty value, with no fallback.
# NOTE(review): hosts cloned from one image may share this value; confirm
# that provisioning regenerates it.
MACHINE_ID=""
for machine_id_path in /etc/machine-id /var/lib/dbus/machine-id; do
    if [ -f "$machine_id_path" ]; then
        # Deliberately unguarded: with `set -e`, a file that exists but
        # cannot be read aborts the script with cat's own error message.
        MACHINE_ID=$(cat "$machine_id_path")
        break
    fi
done

# Print one attribute from /sys/class/dmi/id, or nothing at all when the
# file is missing or unreadable (some attributes are root-only). Read
# errors are swallowed on purpose so a non-root run still completes.
#   $1 - attribute file name, e.g. product_uuid
read_dmi_attr() {
    if [ -f "/sys/class/dmi/id/$1" ]; then
        cat "/sys/class/dmi/id/$1" 2>/dev/null || true
    fi
}

# Source 2: DMI product UUID (BIOS/UEFI).
# Source 3: DMI board serial (motherboard).
# Inside a container both values are whatever is mounted at these paths
# (see the bind mounts in the header), so treat them as evidence rather
# than proof of the underlying hardware.
DMI_UUID=$(read_dmi_attr product_uuid)
BOARD_SERIAL=$(read_dmi_attr board_serial)

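# ---- Validate we have enough data ----
# At least one of machine-id / product_uuid must be present. board_serial
# on its own is not accepted as a fingerprint source.

if [ -z "$MACHINE_ID" ] && [ -z "$DMI_UUID" ]; then
    echo "ERROR: Could not read /etc/machine-id or /sys/class/dmi/id/product_uuid" >&2
    echo "       Run this script on the target Linux host (not in a container)." >&2
    echo "       DMI paths may require: sudo $0" >&2
    exit 1
fi

# Missing sources are hashed as empty strings, so the same machine yields a
# different fingerprint depending on whether product_uuid could be read.
# Say so on stderr instead of silently emitting the weaker value; stdout
# stays unchanged for anything that parses it.
if [ -z "$DMI_UUID" ] && [ -f /sys/class/dmi/id/product_uuid ]; then
    echo "WARNING: /sys/class/dmi/id/product_uuid exists but could not be read" >&2
    echo "         (it is root-only on some systems). The fingerprint below was" >&2
    echo "         computed without it and will differ from one computed with" >&2
    echo "         access. Run this script with the same privileges Cyclops" >&2
    echo "         will have, e.g.: sudo $0" >&2
fi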

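# ---- Compute fingerprint ----
# SHA-256 over "SALT\nMACHINE_ID\nDMI_UUID\nBOARD_SERIAL" (no trailing
# newline), printed as 64 lowercase hex characters.
# Field order and separators are part of the format: keep them stable, or
# every previously issued fingerprint stops matching. A source that could
# not be read is hashed as an empty string.

if ! command -v sha256sum >/dev/null 2>&1; then
    echo "ERROR: sha256sum not found in PATH; cannot compute fingerprint." >&2
    exit 1
fi

# Capture sha256sum's output directly so that ITS exit status is the one
# checked. In `... | sha256sum | cut`, POSIX sh reports only cut's status,
# so a failed hash would produce an empty fingerprint without any error.
DIGEST_LINE=$(printf '%s\n%s\n%s\n%s' \
    "$SALT" "$MACHINE_ID" "$DMI_UUID" "$BOARD_SERIAL" \
    | sha256sum) || {
    echo "ERROR: sha256sum failed; cannot compute fingerprint." >&2
    exit 1
}

# sha256sum prints "<hex>  -"; keep everything before the first space.
FINGERPRINT=${DIGEST_LINE%% *}

# Never hand the user a malformed value to paste into the purchase form.
case "$FINGERPRINT" in
    *[!0-9a-f]*) FINGERPRINT="" ;;
esac
if [ "${#FINGERPRINT}" -ne 64 ]; then
    echo "ERROR: sha256sum produced unexpected output; no fingerprint computed." >&2
    exit 1
fi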

# ---- Compute tier (how many sources contributed) ----
# TIER is the number of non-empty sources, from 0 to 3. It is a count, not
# a fixed combination:
#   3 = machine-id + product_uuid + board_serial (strongest)
#   2 = any two of the three
#   1 = a single source; machine-id alone is the weakest case because it is
#       the easiest to spoof via a mount
# NOTE(review): a non-empty value is counted even if it is not unique (for
# example a generic firmware default in board_serial), so read the tier as
# "sources present", not as a guarantee of uniqueness.

TIER=0
for source_value in "$MACHINE_ID" "$DMI_UUID" "$BOARD_SERIAL"; do
    if [ -n "$source_value" ]; then
        TIER=$((TIER + 1))
    fi
done

# ---- Output ----
# Human-readable report on stdout: the fingerprint hash, the tier, and a
# checklist of which sources were present. Only the hash and presence flags
# are printed; the raw machine-id, UUID and serial are never echoed.
# The purchase system only needs the fingerprint value.

printf '%s\n' \
    "========================================" \
    "  Cyclops Machine Fingerprint" \
    "========================================" \
    "" \
    "  Fingerprint: $FINGERPRINT" \
    "  Tier:        $TIER/3" \
    "" \
    "  Sources:"

if [ -n "$MACHINE_ID" ]; then
    printf '%s\n' "    [x] /etc/machine-id"
else
    printf '%s\n' "    [ ] /etc/machine-id"
fi

if [ -n "$DMI_UUID" ]; then
    printf '%s\n' "    [x] DMI product_uuid"
else
    printf '%s\n' "    [ ] DMI product_uuid (run with sudo?)"
fi

if [ -n "$BOARD_SERIAL" ]; then
    printf '%s\n' "    [x] DMI board_serial"
else
    printf '%s\n' "    [ ] DMI board_serial"
fi

printf '%s\n' \
    "" \
    "========================================" \
    "" \
    "Paste this fingerprint into the Cyclops purchase form:" \
    "" \
    "  $FINGERPRINT" \
    ""
