#!/bin/bash
RAM=$(free | awk '/Mem/{printf("%.0f", $3/$2*100)}')
DISK=$(df / | awk 'NR==2{print $5}' | tr -d '%')
DEAD=$(docker ps -f status=exited --format '{{.Names}}' 2>/dev/null | head -3)
FSSH=$(journalctl -u sshd --since "1 hour ago" 2>/dev/null | grep -c "Failed" || echo 0)
MSG=""
[ "$RAM" -gt 90 ] && MSG="$MSG RAM:${RAM}%"
[ "$DISK" -gt 90 ] && MSG="$MSG Disk:${DISK}%"
[ -n "$DEAD" ] && MSG="$MSG Docker-dead:$DEAD" && docker restart $DEAD 2>/dev/null
[ "$FSSH" -gt 50 ] && MSG="$MSG SSH-brute:$FSSH"
[ "$RAM" -gt 95 ] && sync && echo 3 > /proc/sys/vm/drop_caches 2>/dev/null
# SSL CERT EXPIRY CHECK
SSL_EXP=$(openssl x509 -in /var/www/weval/ssl/fullchain.pem -noout -enddate 2>/dev/null | cut -d= -f2)
SSL_DAYS=$(( ($(date -d "$SSL_EXP" +%s) - $(date +%s)) / 86400 ))
[ "$SSL_DAYS" -lt 14 ] && MSG="$MSG SSL:${SSL_DAYS}d"
[ "$SSL_DAYS" -lt 3 ] && openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /var/www/weval/ssl/privkey.pem -out /var/www/weval/ssl/fullchain.pem -subj "/CN=weval-consulting.com" -addext "subjectAltName=DNS:weval-consulting.com,DNS:*.weval-consulting.com" > /dev/null 2>&1 && systemctl reload nginx && MSG="$MSG SSL-RENEWED"

echo "$(date +%H:%M): RAM:${RAM}% Disk:${DISK}% SSH:$FSSH $MSG" >> /tmp/wevia-proactive.log

# TOKEN EXPIRY CHECK
ACTIONS=$(curl -sf http://127.0.0.1/api/wevia-actions.php?mode=status 2>/dev/null)
URGENT=$(echo $ACTIONS | python3 -c "import json,sys;d=json.load(sys.stdin);print(d.get(\"summary\",{}).get(\"urgent\",0))" 2>/dev/null)
[ "$URGENT" -gt 0 ] && # SSL CERT EXPIRY CHECK
SSL_EXP=$(openssl x509 -in /var/www/weval/ssl/fullchain.pem -noout -enddate 2>/dev/null | cut -d= -f2)
SSL_DAYS=$(( ($(date -d "$SSL_EXP" +%s) - $(date +%s)) / 86400 ))
[ "$SSL_DAYS" -lt 14 ] && MSG="$MSG SSL:${SSL_DAYS}d"
[ "$SSL_DAYS" -lt 3 ] && openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /var/www/weval/ssl/privkey.pem -out /var/www/weval/ssl/fullchain.pem -subj "/CN=weval-consulting.com" -addext "subjectAltName=DNS:weval-consulting.com,DNS:*.weval-consulting.com" > /dev/null 2>&1 && systemctl reload nginx && MSG="$MSG SSL-RENEWED"

echo "$(date +%H:%M): TOKENS URGENT=$URGENT" >> /tmp/wevia-proactive.log

# BLADE HEALTH CHECK
BLADE_STATUS=$(timeout 5 bash /opt/weval-l99/wevia-blade-health.sh status 2>/dev/null | head -3)
if echo "$BLADE_STATUS" | grep -q "CPU:"; then
    CPU=$(echo "$BLADE_STATUS" | grep "CPU:" | grep -oP "\d+" | head -1)
    RAM=$(echo "$BLADE_STATUS" | grep "RAM:" | grep -oP "\d+%" | head -1 | tr -d "%")
    [ "$CPU" -gt 90 ] && # SSL CERT EXPIRY CHECK
SSL_EXP=$(openssl x509 -in /var/www/weval/ssl/fullchain.pem -noout -enddate 2>/dev/null | cut -d= -f2)
SSL_DAYS=$(( ($(date -d "$SSL_EXP" +%s) - $(date +%s)) / 86400 ))
[ "$SSL_DAYS" -lt 14 ] && MSG="$MSG SSL:${SSL_DAYS}d"
[ "$SSL_DAYS" -lt 3 ] && openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /var/www/weval/ssl/privkey.pem -out /var/www/weval/ssl/fullchain.pem -subj "/CN=weval-consulting.com" -addext "subjectAltName=DNS:weval-consulting.com,DNS:*.weval-consulting.com" > /dev/null 2>&1 && systemctl reload nginx && MSG="$MSG SSL-RENEWED"

echo "$(date +%H:%M): BLADE CPU:${CPU}%" >> /tmp/wevia-proactive.log
    [ -n "$RAM" ] && [ "$RAM" -gt 90 ] && # SSL CERT EXPIRY CHECK
SSL_EXP=$(openssl x509 -in /var/www/weval/ssl/fullchain.pem -noout -enddate 2>/dev/null | cut -d= -f2)
SSL_DAYS=$(( ($(date -d "$SSL_EXP" +%s) - $(date +%s)) / 86400 ))
[ "$SSL_DAYS" -lt 14 ] && MSG="$MSG SSL:${SSL_DAYS}d"
[ "$SSL_DAYS" -lt 3 ] && openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /var/www/weval/ssl/privkey.pem -out /var/www/weval/ssl/fullchain.pem -subj "/CN=weval-consulting.com" -addext "subjectAltName=DNS:weval-consulting.com,DNS:*.weval-consulting.com" > /dev/null 2>&1 && systemctl reload nginx && MSG="$MSG SSL-RENEWED"

echo "$(date +%H:%M): BLADE RAM:${RAM}%" >> /tmp/wevia-proactive.log
fi

# WEVIA BRAIN HEALTH
BRAIN_STATUS=$(curl -sf "https://weval-consulting.com/api/wevia-health.php" --max-time 5 2>/dev/null | python3 -c "import json,sys;print(json.load(sys.stdin).get(\"status\",\"down\"))" 2>/dev/null)
[ "$BRAIN_STATUS" != "ok" ] && echo "$(date +%H:%M): BRAIN $BRAIN_STATUS" >> /tmp/wevia-proactive.log && systemctl restart ollama 2>/dev/null