#!/bin/bash
# ============================================================
# RouterACS v1.0 — Instalador/Atualizador Automático
# ============================================================
# Instalação: curl -sSL http://saas.libernet.com.br/instalador/routeracs/install.sh | sudo bash
# Atualização: sudo routeracs-update
# ============================================================
# Abort on the first unhandled command failure. `set -e` does not cover
# commands on the left-hand side of `&&`/`||`, so critical steps still need
# explicit checks.
set -e

# ANSI colour escapes; they are expanded later by `echo -e`.
GREEN='\033[0;32m'
BLUE='\033[0;34m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
CYAN='\033[0;36m'
BOLD='\033[1m'
NC='\033[0m'

# Release server and install locations.
# NOTE(review): BASE_URL is plain HTTP and nothing in this script checks a
# digest or signature of what it downloads, yet the files are installed and
# run as root. Anyone able to alter the traffic can substitute the payload.
# Serve releases over HTTPS and publish checksums for the installer to verify
# before anything is copied into place.
BASE_URL="http://saas.libernet.com.br/instalador/routeracs"
FRONT_DIR="/opt/genieacs-pro"
AUTH_DIR="/opt/genieacs-pro-auth"
GENIE_USER="genieacs"
GENIE_DIR="/opt/genieacs"
LOG_DIR="/var/log/genieacs"

# Banner: switch colour on, print the box, reset colour.
echo -e "${BLUE}${BOLD}"
cat << 'BANNER'
╔══════════════════════════════════════════════════╗
║       RouterACS v1.0 — Instalador Automático     ║
║  GenieACS + TR-098/TR-181 + Auth + Dashboard     ║
╚══════════════════════════════════════════════════╝
BANNER
echo -e "${NC}"

# Everything below writes to /opt, /etc and systemd, so root is required.
if [ "$EUID" -ne 0 ]; then
  echo -e "${RED}Execute: curl -sSL $BASE_URL/install.sh | sudo bash${NC}"
  exit 1
fi

# ========== DETECT MODE ==========
# An existing frontend source file means a previous install, so the run
# becomes an update; otherwise it is a fresh install.
if [ ! -f "$FRONT_DIR/src/App.jsx" ]; then
  MODE="install"
  echo -e "${BLUE}[INFO]${NC} Modo: INSTALAÇÃO NOVA"
else
  MODE="update"
  echo -e "${YELLOW}[INFO]${NC} Instalação existente detectada — Modo ATUALIZAÇÃO"
fi

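# ========== DOWNLOAD FILES ==========
# Fetches the release manifest and the application files into a private
# temporary directory.
# NOTE(review): the downloads use $BASE_URL as configured above; when that is
# plain HTTP, no transport protection applies, and no checksum or signature is
# verified here. The files fetched in this step are later installed and run
# with root privileges, so add integrity verification (published digests or
# signatures) before they are used.
echo -e "${BLUE}[1/10]${NC} Baixando arquivos..."
TMPDIR=$(mktemp -d)
# Remove the staging directory on every exit path, including failures.
trap 'rm -rf -- "${TMPDIR:?}"' EXIT
cd "$TMPDIR"

# -f makes curl fail on HTTP 4xx/5xx instead of saving the server's error page
# under the requested name, where it would later be installed as code.
curl -fsSL "$BASE_URL/latest.json" -o latest.json || { echo -e "${RED}[ERRO]${NC} Servidor de releases inacessível"; exit 1; }
NEW_VERSION=$(grep -o '"version": *"[^"]*"' latest.json | cut -d'"' -f4)
# The version comes from the network and is later spliced into a sed
# expression and printed, so only a conservative character set is accepted.
case "$NEW_VERSION" in
  '' | *[!0-9A-Za-z._+-]*)
    echo -e "${RED}[ERRO]${NC} Versão inválida em latest.json"
    exit 1
    ;;
esac
echo -e "${GREEN}[  OK]${NC} Versão: v${NEW_VERSION}"

curl -fsSL "$BASE_URL/App.jsx" -o App.jsx || { echo -e "${RED}[ERRO]${NC} Falha ao baixar App.jsx"; exit 1; }
curl -fsSL "$BASE_URL/auth-server.js" -o auth-server.js || { echo -e "${RED}[ERRO]${NC} Falha ao baixar auth-server.js"; exit 1; }
# License.jsx is optional. On failure make sure no partial or error-page file
# is left behind, because the update path copies it whenever it exists.
curl -fsSL "$BASE_URL/License.jsx" -o License.jsx 2>/dev/null || rm -f -- License.jsx
echo -e "${GREEN}[  OK]${NC} Arquivos baixados"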

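# ========== UPDATE MODE: BACK UP, REPLACE FILES, REBUILD, EXIT ==========
# Runs only when an existing install was detected. Replaces the frontend and
# auth server sources with the downloaded copies, rebuilds, and exits without
# touching the rest of the stack.
if [ "$MODE" = "update" ]; then
  echo -e "${BLUE}[2/10]${NC} Backup..."
  BACKUP="$FRONT_DIR/backups/$(date +%Y%m%d_%H%M%S)"
  mkdir -p "$BACKUP"
  # Best effort: a missing source file must not stop the update.
  cp "$FRONT_DIR/src/App.jsx" "$BACKUP/" 2>/dev/null || true
  cp "$AUTH_DIR/auth-server.js" "$BACKUP/" 2>/dev/null || true
  echo -e "${GREEN}[  OK]${NC} Backup em $BACKUP"

  echo -e "${BLUE}[3/10]${NC} Atualizando frontend..."
  cp "$TMPDIR/App.jsx" "$FRONT_DIR/src/App.jsx"
  if [ -f "$TMPDIR/License.jsx" ]; then
    cp "$TMPDIR/License.jsx" "$FRONT_DIR/src/License.jsx"
  fi
  # Update the version in package.json. The value was parsed from a downloaded
  # file, so keep only its first line and escape the characters that are
  # special in a sed replacement before splicing it into the expression.
  VERSION_SED=$(printf '%s\n' "$NEW_VERSION" | head -n 1 | sed 's|[\\/&]|\\&|g')
  sed -i "s/\"version\":\"[^\"]*\"/\"version\":\"$VERSION_SED\"/" "$FRONT_DIR/package.json"
  # Apply RouterACS branding
  sed -i 's/GenieACS/RouterACS/g' "$FRONT_DIR/src/App.jsx"
  sed -i 's/,color:"#fff",marginBottom:16}}>G<\/div>/,color:"#fff",marginBottom:16}}>R<\/div>/g' "$FRONT_DIR/src/App.jsx"
  sed -i 's/,color:"#fff",flexShrink:0}}>G<\/div>/,color:"#fff",flexShrink:0}}>R<\/div>/g' "$FRONT_DIR/src/App.jsx"
  cd "$FRONT_DIR"
  # Build output is hidden, so report a failure explicitly instead of letting
  # `set -e` end the script without a message.
  npm run build > /dev/null 2>&1 || { echo -e "${RED}[ERRO]${NC} Falha ao compilar o frontend — backup em $BACKUP"; exit 1; }
  echo -e "${GREEN}[  OK]${NC} Frontend atualizado para v${NEW_VERSION}"

  echo -e "${BLUE}[4/10]${NC} Atualizando auth server..."
  cp "$TMPDIR/auth-server.js" "$AUTH_DIR/auth-server.js"
  # NOTE(review): a failed restart is ignored here and the step still reports
  # OK; check `systemctl status genieacs-pro-auth` after an update.
  systemctl restart genieacs-pro-auth 2>/dev/null || true
  echo -e "${GREEN}[  OK]${NC} Auth server atualizado"

  # Create the update command.
  # -f keeps curl from piping an HTTP error page into a root shell.
  # NOTE(review): the updater still fetches over plain HTTP and executes the
  # result as root with no integrity check; move the release endpoint to HTTPS
  # and verify a published digest or signature before running it.
  cat > /usr/local/bin/routeracs-update << 'UPDATER'
#!/bin/bash
echo "RouterACS — Atualizador"
curl -fsSL http://saas.libernet.com.br/instalador/routeracs/install.sh | sudo bash
UPDATER
  chmod +x /usr/local/bin/routeracs-update

  # :? refuses to expand an empty path into `rm -rf`.
  rm -rf -- "${TMPDIR:?}"

  IP=$(hostname -I | awk '{print $1}')
  echo ""
  echo -e "${GREEN}${BOLD}══════════════════════════════════════════════════${NC}"
  echo -e "${GREEN}${BOLD}  RouterACS atualizado para v${NEW_VERSION}!${NC}"
  echo -e "${GREEN}${BOLD}══════════════════════════════════════════════════${NC}"
  echo ""
  echo -e "  ${CYAN}Painel:${NC}  http://$IP"
  echo -e "  ${BOLD}Atualizar:${NC} sudo routeracs-update"
  echo ""
  exit 0
fi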

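# ========== FRESH INSTALL ==========

# Collect settings.
# With the documented `curl ... | sudo bash` invocation, bash reads the script
# itself from stdin, so a plain `read` would consume the following script
# lines as the operator's answers. BASH_SOURCE[0] is empty when the script
# comes from stdin; in that case prompt on the controlling terminal instead.
PROMPT_IN=/dev/stdin
if [ -z "${BASH_SOURCE[0]:-}" ]; then
  PROMPT_IN=/dev/tty
  if ! ( : < "$PROMPT_IN" ) 2>/dev/null; then
    echo -e "${RED}[ERRO]${NC} Sem terminal interativo — baixe o install.sh e execute: sudo bash install.sh"
    exit 1
  fi
fi

# The answers below are written into generated files later in the script (a
# JavaScript module and a systemd unit), so they are read with -r to keep
# backslashes literal.
echo ""
echo -e "${BOLD}Configuração da Licença:${NC}"
read -r -p "  Servidor de licenças (padrão: https://ispacs.libernet.com.br): " LICENSE_URL < "$PROMPT_IN"
LICENSE_URL=${LICENSE_URL:-https://ispacs.libernet.com.br}
read -r -p "  Chave da licença (ex: RA-A1B2-C3D4-E5F6-G7H8): " LICENSE_KEY < "$PROMPT_IN"

if [ -z "$LICENSE_KEY" ]; then
  echo -e "${YELLOW}[WARN]${NC} Sem licença — modo demo."
fi

echo ""
echo -e "${BOLD}Credenciais do Painel:${NC}"
read -r -p "  Usuário admin (padrão: admin): " ADMIN_USER < "$PROMPT_IN"
ADMIN_USER=${ADMIN_USER:-admin}
# -s suppresses echo on the terminal that is actually being read, which
# `stty -echo` on a piped stdin could not do.
printf "  Senha admin (vazio = gerar senha aleatória): "
read -r -s ADMIN_PASS < "$PROMPT_IN"
echo ""
# A fixed, publicly documented default password would give every untouched
# install the same admin credentials, so an empty answer gets a random one.
if [ -z "$ADMIN_PASS" ]; then
  ADMIN_PASS=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20)
  echo -e "${YELLOW}[INFO]${NC} Senha aleatória gerada — será exibida no resumo final."
fi

echo ""
echo -e "${BOLD}Será instalado:${NC}"
echo -e "  • MongoDB (detecta AVX automaticamente)"
echo -e "  • Node.js 18"
echo -e "  • GenieACS 1.2.13 (TR-098 + TR-181)"
echo -e "  • RouterACS Frontend + Auth Server"
echo -e "  • Auto-credentials (segurança ONU)"
read -p "Continuar? (s/N) " -n 1 -r < "$PROMPT_IN"
echo ""
# Anything other than a single s/S cancels.
if [[ ! $REPLY =~ ^[Ss]$ ]]; then
  echo "Cancelado."
  exit 0
fi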

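# ---------- 2. Dependencies ----------
echo -e "\n${BLUE}[2/10]${NC} Dependências..."
# os-release provides ID (kept as OS for the MongoDB step) and PRETTY_NAME.
. /etc/os-release 2>/dev/null; OS=$ID
# A failed index refresh used to be skipped silently together with the
# install; warn and still try to install from the existing package index.
apt-get update -qq || echo -e "${YELLOW}[WARN]${NC} apt-get update falhou — usando índice de pacotes existente"
# Output is hidden, so report the failure instead of exiting without a word.
apt-get install -y -qq curl wget gnupg ca-certificates lsb-release build-essential python3 nginx > /dev/null 2>&1 \
  || { echo -e "${RED}[ERRO]${NC} Falha ao instalar dependências (apt-get install)"; exit 1; }
echo -e "${GREEN}[  OK]${NC} Dependências ($PRETTY_NAME)"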

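# ---------- 3. Node.js ----------
# Installs Node.js from the NodeSource repository when no `node` is on PATH.
# NOTE(review): Node.js 18 has reached upstream end-of-life; confirm whether
# GenieACS 1.2.13 and the frontend build run on a maintained LTS line.
echo -e "${BLUE}[3/10]${NC} Node.js 18..."
if ! command -v node &>/dev/null; then
  # Download the setup script completely before running it: piping curl into
  # bash hides a failed download and can execute a truncated script as root.
  NODE_SETUP=$(mktemp)
  curl -fsSL https://deb.nodesource.com/setup_18.x -o "$NODE_SETUP" \
    || { rm -f -- "$NODE_SETUP"; echo -e "${RED}[ERRO]${NC} Falha ao baixar o setup do NodeSource"; exit 1; }
  bash "$NODE_SETUP" > /dev/null 2>&1 \
    || { rm -f -- "$NODE_SETUP"; echo -e "${RED}[ERRO]${NC} Falha ao configurar o repositório NodeSource"; exit 1; }
  rm -f -- "$NODE_SETUP"
  apt-get install -y -qq nodejs > /dev/null 2>&1 \
    || { echo -e "${RED}[ERRO]${NC} Falha ao instalar o Node.js"; exit 1; }
fi
echo -e "${GREEN}[  OK]${NC} Node $(node -v)"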

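# ---------- 4. MongoDB ----------
# Installs MongoDB when `mongod` is not on PATH: 7.0 on CPUs that report AVX,
# 4.4 otherwise. Both branches pin the repository to its own keyring through
# signed-by, so the MongoDB key is not trusted for any other apt source.
echo -e "${BLUE}[4/10]${NC} MongoDB..."
if ! command -v mongod &>/dev/null; then
  HAS_AVX=$(grep -o 'avx' /proc/cpuinfo | head -1)
  CODENAME=$(lsb_release -cs)
  if [ -n "$HAS_AVX" ]; then
    echo -e "  ${CYAN}CPU com AVX → MongoDB 7.0${NC}"
    # --batch --yes lets a re-run overwrite a keyring left by an earlier attempt.
    curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | gpg --batch --yes --dearmor -o /usr/share/keyrings/mongodb-server-7.0.gpg 2>/dev/null \
      || { echo -e "${RED}[ERRO]${NC} Falha ao importar a chave do MongoDB 7.0"; exit 1; }
    if [ "$OS" = "ubuntu" ]; then
      echo "deb [signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] https://repo.mongodb.org/apt/ubuntu ${CODENAME}/mongodb-org/7.0 multiverse" > /etc/apt/sources.list.d/mongodb-org-7.0.list
    else
      echo "deb [signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg] https://repo.mongodb.org/apt/debian ${CODENAME}/mongodb-org/7.0 main" > /etc/apt/sources.list.d/mongodb-org-7.0.list
    fi
  else
    echo -e "  ${YELLOW}CPU sem AVX → MongoDB 4.4${NC}"
    # `apt-key add` is deprecated and would trust this key for every
    # repository; use a dedicated keyring like the 7.0 branch does.
    # NOTE(review): the repository line is fixed to Ubuntu focal regardless of
    # the detected distribution, and MongoDB 4.4 appears to be past upstream
    # support — confirm both are acceptable for no-AVX hosts.
    wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | gpg --batch --yes --dearmor -o /usr/share/keyrings/mongodb-server-4.4.gpg 2>/dev/null \
      || { echo -e "${RED}[ERRO]${NC} Falha ao importar a chave do MongoDB 4.4"; exit 1; }
    echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-4.4.gpg ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse" > /etc/apt/sources.list.d/mongodb-org-4.4.list
  fi
  apt-get update -qq || echo -e "${YELLOW}[WARN]${NC} apt-get update falhou — usando índice de pacotes existente"
  apt-get install -y -qq mongodb-org > /dev/null 2>&1 \
    || { echo -e "${RED}[ERRO]${NC} Falha ao instalar o MongoDB"; exit 1; }
fi
# Do not let `set -e` end the script here: the is-active check below is what
# reports a MongoDB that failed to start.
systemctl start mongod 2>/dev/null || true
systemctl enable mongod 2>/dev/null || true
sleep 2
if systemctl is-active --quiet mongod; then
  echo -e "${GREEN}[  OK]${NC} MongoDB"
else
  echo -e "${RED}[ERRO]${NC} MongoDB não iniciou"; exit 1
fi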

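# ---------- 5. GenieACS ----------
# Installs GenieACS globally, creates its system user, writes the shared
# environment file (including a freshly generated UI JWT secret) and one
# systemd unit per service (cwmp, nbi, fs, ui), then enables and starts them.
echo -e "${BLUE}[5/10]${NC} GenieACS 1.2.13..."
npm install -g genieacs@1.2.13 > /dev/null 2>&1
id "$GENIE_USER" &>/dev/null || useradd --system --no-create-home --user-group "$GENIE_USER"
mkdir -p "$GENIE_DIR/ext" "$LOG_DIR"

# The env file holds the JWT signing secret. Create it owner-only from the
# start: with the default umask it would be world-readable until the chmod
# further down. Removing any earlier copy makes sure the new mode applies.
# NOTE(review): GENIEACS_CWMP_AUTH=false, echoed in the status line below,
# looks intended to let CPEs talk to the CWMP endpoint without credentials —
# confirm this GenieACS version honours the option and that unauthenticated
# device access on port 7547 is really wanted.
# NOTE(review): nothing here restricts which interface the NBI (7557) binds
# to, and the NBI calls in this script carry no credentials; confirm that
# port is not reachable from untrusted networks.
rm -f -- "$GENIE_DIR/genieacs.env"
(
  umask 077
  cat > "$GENIE_DIR/genieacs.env" << 'ENV'
GENIEACS_CWMP_ACCESS_LOG_FILE=/var/log/genieacs/genieacs-cwmp-access.log
GENIEACS_NBI_ACCESS_LOG_FILE=/var/log/genieacs/genieacs-nbi-access.log
GENIEACS_FS_ACCESS_LOG_FILE=/var/log/genieacs/genieacs-fs-access.log
GENIEACS_UI_ACCESS_LOG_FILE=/var/log/genieacs/genieacs-ui-access.log
GENIEACS_DEBUG_FILE=/var/log/genieacs/genieacs-debug.yaml
GENIEACS_EXT_DIR=/opt/genieacs/ext
GENIEACS_CWMP_AUTH=false
NODE_OPTIONS=--enable-source-maps
ENV
  node -e "console.log('GENIEACS_UI_JWT_SECRET=' + require('crypto').randomBytes(128).toString('hex'))" >> "$GENIE_DIR/genieacs.env"
)
chown -R "$GENIE_USER:$GENIE_USER" "$GENIE_DIR" "$LOG_DIR"
chmod 600 "$GENIE_DIR/genieacs.env"

# One unit per GenieACS service, all running as the unprivileged user.
for SVC in cwmp nbi fs ui; do
cat > "/etc/systemd/system/genieacs-${SVC}.service" << EOF
[Unit]
Description=GenieACS ${SVC^^}
After=network.target mongod.service
[Service]
User=$GENIE_USER
EnvironmentFile=$GENIE_DIR/genieacs.env
ExecStart=/usr/bin/genieacs-${SVC}
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
done
systemctl daemon-reload
for SVC in cwmp nbi fs ui; do systemctl enable "genieacs-${SVC}" && systemctl start "genieacs-${SVC}"; done 2>/dev/null
sleep 3
echo -e "${GREEN}[  OK]${NC} GenieACS (4 serviços + CWMP_AUTH=false)"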

# ---------- 6. Provisions ----------
echo -e "${BLUE}[6/10]${NC} Provisions TR-069..."
sleep 5

# Auto-credentials
curl -s -X PUT "http://localhost:7557/provisions/auto-credentials" -H "Content-Type: text/plain" --data 'let user,pass;let igd=declare("InternetGatewayDevice.ManagementServer.Username",{value:1});let dev=declare("Device.ManagementServer.Username",{value:1});let isIGD=igd.value!==undefined&&igd.value!==null;let isDev=dev.value!==undefined&&dev.value!==null;let prefix,currentUser;if(isIGD){prefix="InternetGatewayDevice";currentUser=igd.value?igd.value[0]:""}else if(isDev){prefix="Device";currentUser=dev.value?dev.value[0]:""}else return;if(currentUser&&currentUser.indexOf("acs_")===0)return;let serial=declare("DeviceID.SerialNumber",{value:1});let sn=serial.value?serial.value[0]:"000000";let ts=Date.now().toString(36);let snClean=sn.replace(/[^a-zA-Z0-9]/g,"").slice(-6);let newUser="acs_"+snClean+ts.slice(-2);let newPass=ts+snClean+Math.random().toString(36).slice(2,10);declare(prefix+".ManagementServer.Username",{value:1},{value:newUser});declare(prefix+".ManagementServer.Password",{value:1},{value:newPass});declare(prefix+".ManagementServer.PeriodicInformEnable",{value:1},{value:true});declare(prefix+".ManagementServer.PeriodicInformInterval",{value:1},{value:300});declare("Tags.auto-credentials",{value:1},{value:true});' > /dev/null 2>&1

# Coletar info
curl -s -X PUT "http://localhost:7557/provisions/coletar-info" -H "Content-Type: text/plain" --data 'declare("DeviceID.Manufacturer",{value:1});declare("DeviceID.ProductClass",{value:1});declare("DeviceID.SerialNumber",{value:1});' > /dev/null 2>&1

# Coletar PPPoE
curl -s -X PUT "http://localhost:7557/provisions/coletar-pppoe" -H "Content-Type: text/plain" --data 'let p="InternetGatewayDevice";let d=declare(p+".DeviceInfo.SoftwareVersion",{value:1});if(d.value===undefined||d.value===null)p="Device";declare(p+".WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.Username",{value:1});declare(p+".WANDevice.1.WANConnectionDevice.2.WANPPPConnection.1.Username",{value:1});declare(p+".WANDevice.1.WANConnectionDevice.3.WANPPPConnection.1.Username",{value:1});declare(p+".WANDevice.1.WANConnectionDevice.4.WANPPPConnection.1.Username",{value:1});declare(p+".WANDevice.1.WANConnectionDevice.5.WANPPPConnection.1.Username",{value:1});declare(p+".PPP.Interface.1.Username",{value:1});' > /dev/null 2>&1

# Noop
curl -s -X PUT "http://localhost:7557/provisions/noop" -H "Content-Type: text/plain" --data '// noop' > /dev/null 2>&1

# Presets
curl -s -X PUT "http://localhost:7557/presets/auto-credentials" -H "Content-Type: application/json" -d '{"weight":0,"precondition":"_deviceId._OUI <> \"00E04C\" AND _deviceId._OUI <> \"34FCA1\" AND _deviceId._OUI <> \"886EDD\"","configurations":[{"type":"provision","name":"auto-credentials"}]}' > /dev/null 2>&1
curl -s -X PUT "http://localhost:7557/presets/coletar-info" -H "Content-Type: application/json" -d '{"weight":1,"precondition":"_deviceId._OUI <> \"00E04C\" AND _deviceId._OUI <> \"34FCA1\" AND _deviceId._OUI <> \"886EDD\"","configurations":[{"type":"provision","name":"coletar-info"}]}' > /dev/null 2>&1
curl -s -X PUT "http://localhost:7557/presets/coletar-pppoe" -H "Content-Type: application/json" -d '{"weight":2,"precondition":"_deviceId._OUI <> \"00E04C\" AND _deviceId._OUI <> \"34FCA1\" AND _deviceId._OUI <> \"886EDD\" AND _deviceId._OUI <> \"DISCOVERYSERVICE\"","configurations":[{"type":"provision","name":"coletar-pppoe"}]}' > /dev/null 2>&1
curl -s -X PUT "http://localhost:7557/presets/intelbras-noop" -H "Content-Type: application/json" -d '{"weight":-1,"precondition":"_deviceId._OUI = \"00E04C\" OR _deviceId._OUI = \"34FCA1\" OR _deviceId._OUI = \"886EDD\"","configurations":[{"type":"provision","name":"noop"}]}' > /dev/null 2>&1

echo -e "${GREEN}[  OK]${NC} Provisions e Presets configurados"

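# ---------- 7. RouterACS Frontend ----------
# Writes the Vite/React project skeleton: package.json, vite.config.js,
# index.html, the generated license-config.js and the main.jsx entry point.
echo -e "${BLUE}[7/10]${NC} Frontend RouterACS..."
mkdir -p "$FRONT_DIR/src"

# NOTE(review): dependencies are declared as caret ranges and no lockfile is
# written, so each install may resolve to different package versions.
cat > "$FRONT_DIR/package.json" << 'PKGJSON'
{"name":"routeracs","version":"1.0.0","private":true,"scripts":{"dev":"vite","build":"vite build"},"dependencies":{"react":"^18.2.0","react-dom":"^18.2.0"},"devDependencies":{"@vitejs/plugin-react":"^4.2.0","vite":"^5.0.0"}}
PKGJSON

cat > "$FRONT_DIR/vite.config.js" << 'VITE'
import{defineConfig}from'vite';import react from'@vitejs/plugin-react';
export default defineConfig({plugins:[react()],server:{port:3100,host:'0.0.0.0'}});
VITE

cat > "$FRONT_DIR/index.html" << 'HTML'
<!DOCTYPE html><html lang="pt-BR"><head><meta charset="UTF-8"/><meta name="viewport" content="width=device-width,initial-scale=1.0"/><title>RouterACS</title></head><body><div id="root"></div><script type="module" src="/src/main.jsx"></script></body></html>
HTML

# The license values were typed by the operator and are placed inside
# double-quoted JavaScript string literals. Escape backslashes and double
# quotes so a stray character cannot end the literal and change the module.
# NOTE(review): license-config.js is imported by main.jsx and compiled into
# the bundle, so the license key is readable by every browser that loads the
# panel.
LICENSE_URL_JS=$(printf '%s' "$LICENSE_URL" | sed 's/[\\"]/\\&/g')
LICENSE_KEY_JS=$(printf '%s' "$LICENSE_KEY" | sed 's/[\\"]/\\&/g')
cat > "$FRONT_DIR/src/license-config.js" << LICEOF
export const LICENSE_SERVER = "${LICENSE_URL_JS}";
export const LICENSE_KEY = "${LICENSE_KEY_JS}";
LICEOF

cat > "$FRONT_DIR/src/main.jsx" << 'MAIN'
import React from 'react';
import ReactDOM from 'react-dom/client';
import App from './App.jsx';
import { LicenseProvider, LicenseGate } from './License.jsx';
import { LICENSE_SERVER, LICENSE_KEY } from './license-config.js';
ReactDOM.createRoot(document.getElementById('root')).render(
  <React.StrictMode>
    <LicenseProvider serverUrl={LICENSE_SERVER} licenseKey={LICENSE_KEY}>
      <LicenseGate><App /></LicenseGate>
    </LicenseProvider>
  </React.StrictMode>
);
MAIN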

# License.jsx, written inline. A fresh install uses this copy; the
# License.jsx downloaded into $TMPDIR is only copied by the update path.
# What the component does, as written below:
#   - With no license key or server URL it grants a "demo" license with every
#     permission enabled.
#   - Otherwise it POSTs the key, product name and hostname to
#     <serverUrl>/api/license/validate, caches the answer in sessionStorage
#     for 24 h and revalidates every hour.
#   - If that request fails and nothing is cached, it grants all permissions
#     and marks the license as offline.
#   - LicenseGate blocks the UI only for the statuses blocked, suspended and
#     cancelled.
# NOTE(review): all of this runs in the browser and fails open, so it is a UI
# convenience rather than an enforcement point; anything that must be
# restricted by license needs a server-side check as well.
cat > $FRONT_DIR/src/License.jsx << 'LICJSX'
import{useState,useEffect,useCallback,createContext,useContext}from"react";
const Ctx=createContext(null);
export function useLicense(){return useContext(Ctx)}
export function usePermission(a){const{license}=useLicense();if(!license?.permissions)return true;return!!license.permissions[a]}
export function LicenseProvider({children,serverUrl,licenseKey}){
  const[license,setLicense]=useState(()=>{try{const c=JSON.parse(sessionStorage.getItem("racs_lic")||"null");if(c&&c._t&&Date.now()-c._t<86400000)return c}catch{}return null});
  const[loading,setLoading]=useState(!license);
  const validate=useCallback(async()=>{
    if(!licenseKey||!serverUrl){setLicense({valid:true,status:"active",permissions:{read:true,write:true,api_erp:true,updates:true},message:null,client_name:"Modo Demo",plan:"demo",days_remaining:999});setLoading(false);return}
    try{const r=await fetch(`${serverUrl}/api/license/validate`,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({license_key:licenseKey,product:"routeracs",hostname:location.hostname})});
      const d=await r.json();d._t=Date.now();try{sessionStorage.setItem("racs_lic",JSON.stringify(d))}catch{}setLicense(d);
    }catch{if(!license)setLicense({valid:true,status:"active",permissions:{read:true,write:true,api_erp:true,updates:true},message:"Sem conexão com servidor de licenças",_offline:true})}
    setLoading(false);
  },[serverUrl,licenseKey,license]);
  useEffect(()=>{validate();const i=setInterval(validate,3600000);return()=>clearInterval(i)},[]);
  return<Ctx.Provider value={{license,loading,revalidate:validate}}>{children}</Ctx.Provider>
}
export function LicenseGate({children}){
  const{license,loading,revalidate}=useLicense();
  if(loading)return<div style={{minHeight:"100vh",display:"flex",alignItems:"center",justifyContent:"center",background:"#030712",color:"#94a3b8",fontFamily:"'Inter',sans-serif"}}><div style={{textAlign:"center"}}><div style={{width:40,height:40,border:"3px solid #1e293b",borderTopColor:"#3b82f6",borderRadius:"50%",animation:"spin .8s linear infinite",margin:"0 auto 16px"}}/><div style={{fontSize:14}}>Verificando licença...</div><style>{`@keyframes spin{from{transform:rotate(0deg)}to{transform:rotate(360deg)}}`}</style></div></div>;
  if(license?.status==="blocked"||license?.status==="suspended"||license?.status==="cancelled")return<div style={{minHeight:"100vh",display:"flex",alignItems:"center",justifyContent:"center",background:"#030712",fontFamily:"'Inter',sans-serif"}}><div style={{textAlign:"center",maxWidth:440,padding:40,background:"#111827",border:"1px solid #1e293b",borderRadius:12}}><div style={{fontSize:48,marginBottom:16}}>🔒</div><h1 style={{fontSize:20,fontWeight:700,color:"#f1f5f9",marginBottom:8}}>Acesso Bloqueado</h1><p style={{fontSize:14,color:"#94a3b8",marginBottom:20}}>Licença {license?.status==="suspended"?"suspensa":"expirada"}. Entre em contato.</p><button onClick={revalidate} style={{padding:"10px 24px",borderRadius:6,background:"#3b82f6",border:"none",color:"#fff",fontSize:13,cursor:"pointer"}}>Verificar Novamente</button></div></div>;
  return children;
}
export function LicenseBanner(){
  const{license}=useLicense();if(!license?.message||license.status==="active")return null;
  const c={grace:{bg:"rgba(245,158,11,0.1)",bd:"rgba(245,158,11,0.3)",c:"#f59e0b",i:"⚠️"},readonly:{bg:"rgba(249,115,22,0.1)",bd:"rgba(249,115,22,0.3)",c:"#f97316",i:"🔒"}}[license.status]||{bg:"rgba(239,68,68,0.1)",bd:"rgba(239,68,68,0.3)",c:"#ef4444",i:"🚫"};
  return<div style={{background:c.bg,border:`1px solid ${c.bd}`,borderRadius:8,padding:"10px 16px",margin:"0 0 16px 0",display:"flex",alignItems:"center",gap:10,fontSize:13,color:c.c,fontWeight:500}}><span>{c.i}</span><span style={{flex:1}}>{license.message}</span></div>
}
export function WriteProtected({children,fallback}){const w=usePermission("write");if(!w)return fallback||<div style={{padding:"8px 14px",borderRadius:6,background:"rgba(249,115,22,.08)",border:"1px solid rgba(249,115,22,.2)",color:"#f97316",fontSize:12,textAlign:"center"}}>🔒 Modo somente leitura</div>;return children}
export function ApiProtected({children,fallback}){const a=usePermission("api_erp");if(!a)return fallback||<div style={{padding:"8px 14px",borderRadius:6,background:"rgba(239,68,68,.08)",border:"1px solid rgba(239,68,68,.2)",color:"#ef4444",fontSize:12,textAlign:"center"}}>🔒 API desativada</div>;return children}
LICJSX

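# Copy the downloaded App.jsx into the project and apply RouterACS branding.
# NOTE(review): App.jsx comes from the download step and is compiled and
# served as-is; nothing here checks its integrity.
cp "$TMPDIR/App.jsx" "$FRONT_DIR/src/App.jsx"
sed -i 's/GenieACS/RouterACS/g' "$FRONT_DIR/src/App.jsx"
sed -i 's/,color:"#fff",marginBottom:16}}>G<\/div>/,color:"#fff",marginBottom:16}}>R<\/div>/g' "$FRONT_DIR/src/App.jsx"
sed -i 's/,color:"#fff",flexShrink:0}}>G<\/div>/,color:"#fff",flexShrink:0}}>R<\/div>/g' "$FRONT_DIR/src/App.jsx"

cd "$FRONT_DIR"
# npm output is hidden, so name the failing step instead of letting `set -e`
# end the script silently. Both commands run as root, including any package
# install scripts.
npm install > /dev/null 2>&1 \
  || { echo -e "${RED}[ERRO]${NC} npm install falhou em $FRONT_DIR"; exit 1; }
npm run build > /dev/null 2>&1 \
  || { echo -e "${RED}[ERRO]${NC} Falha ao compilar o frontend"; exit 1; }
chown -R "$GENIE_USER:$GENIE_USER" "$FRONT_DIR"
echo -e "${GREEN}[  OK]${NC} Frontend RouterACS compilado"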

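# ---------- 8. Auth Server ----------
# Installs the downloaded auth-server.js with its npm dependencies and
# registers it as the genieacs-pro-auth systemd service on port 4001.
echo -e "${BLUE}[8/10]${NC} Auth Server..."
mkdir -p "$AUTH_DIR"
cat > "$AUTH_DIR/package.json" << 'APKG'
{"name":"routeracs-auth","version":"1.0.0","scripts":{"start":"node auth-server.js"},"dependencies":{"better-sqlite3":"^11.0.0","cors":"^2.8.5","express":"^4.18.2"}}
APKG
cp "$TMPDIR/auth-server.js" "$AUTH_DIR/auth-server.js"
cd "$AUTH_DIR"
npm install > /dev/null 2>&1 \
  || { echo -e "${RED}[ERRO]${NC} npm install falhou em $AUTH_DIR"; exit 1; }

# Keep the admin credentials out of the unit file: units under
# /etc/systemd/system are world-readable and their Environment= values can be
# listed with `systemctl show`. Write them to a root-only file that the
# unit loads through EnvironmentFile=. Values are double-quoted with
# backslashes and quotes escaped, so spaces and quotes survive parsing.
AUTH_ENV="$AUTH_DIR/auth.env"
ADMIN_USER_ESC=$(printf '%s' "$ADMIN_USER" | sed 's/[\\"]/\\&/g')
ADMIN_PASS_ESC=$(printf '%s' "$ADMIN_PASS" | sed 's/[\\"]/\\&/g')
rm -f -- "$AUTH_ENV"
(
  umask 077
  printf 'ADMIN_USER="%s"\nADMIN_PASS="%s"\n' "$ADMIN_USER_ESC" "$ADMIN_PASS_ESC" > "$AUTH_ENV"
)
chmod 600 "$AUTH_ENV"

# NOTE(review): the unit sets no User=, so the auth server runs as root;
# consider a dedicated unprivileged account once it is confirmed that
# auth-server.js only needs write access to its own directory.
cat > /etc/systemd/system/genieacs-pro-auth.service << EOF
[Unit]
Description=RouterACS Auth Server
After=network.target
[Service]
Type=simple
WorkingDirectory=$AUTH_DIR
ExecStart=/usr/bin/node auth-server.js
Restart=on-failure
RestartSec=5
Environment=AUTH_PORT=4001
EnvironmentFile=$AUTH_ENV
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable genieacs-pro-auth && systemctl restart genieacs-pro-auth
sleep 2
echo -e "${GREEN}[  OK]${NC} Auth Server na porta 4001"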

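# ---------- 9. Nginx ----------
# Serves the built frontend on port 80 and reverse-proxies three paths:
# /api-genie/ to the GenieACS NBI (7557), /api/auth/ to the auth server (4001)
# and /genieacs-ui/ to the GenieACS UI (3000).
# NOTE(review): the /api-genie/ location forwards every request to the NBI and
# this server block has no auth_request, auth_basic or allow/deny rule, while
# the NBI calls made by this installer need no credentials. As written, anyone
# who can reach port 80 can reach the NBI — confirm access is enforced
# somewhere, or restrict this location.
# NOTE(review): the site listens on plain HTTP only, so panel logins travel
# unencrypted until TLS is configured (the final summary suggests certbot).
echo -e "${BLUE}[9/10]${NC} Nginx..."
IP=$(hostname -I | awk '{print $1}')
cat > /etc/nginx/sites-available/routeracs << NGINX
server {
    listen 80 default_server;
    server_name _;
    root $FRONT_DIR/dist;
    index index.html;
    location / { try_files \$uri \$uri/ /index.html; }
    location /api-genie/ {
        proxy_pass http://127.0.0.1:7557/;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_read_timeout 300s;
    }
    location /api/auth/ {
        proxy_pass http://127.0.0.1:4001/api/auth/;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
    }
    location /genieacs-ui/ {
        proxy_pass http://127.0.0.1:3000/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$host;
    }
}
NGINX
ln -sf /etc/nginx/sites-available/routeracs /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default
# `nginx -t && reload` followed by an unconditional OK reported success even
# when the configuration test failed; branch on the result instead.
if nginx -t > /dev/null 2>&1; then
  systemctl reload nginx
  echo -e "${GREEN}[  OK]${NC} Nginx configurado"
else
  echo -e "${RED}[ERRO]${NC} Configuração do Nginx inválida — verifique com: nginx -t"
  exit 1
fi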

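# ---------- 10. Finish ----------
echo -e "${BLUE}[10/10]${NC} Finalizando..."

# Update command.
# -f keeps curl from piping an HTTP error page into a root shell.
# NOTE(review): the updater still fetches over plain HTTP and executes the
# result as root with no integrity check; move the release endpoint to HTTPS
# and verify a published digest or signature before running it.
cat > /usr/local/bin/routeracs-update << 'UPDATER'
#!/bin/bash
echo "RouterACS — Atualizador"
curl -fsSL http://saas.libernet.com.br/instalador/routeracs/install.sh | sudo bash
UPDATER
chmod +x /usr/local/bin/routeracs-update

# Firewall: opens the panel (80) and the CWMP endpoint for CPEs (7547).
if command -v ufw &>/dev/null; then
  ufw allow 80/tcp > /dev/null 2>&1
  ufw allow 7547/tcp > /dev/null 2>&1
fi

# :? refuses to expand an empty path into `rm -rf`.
rm -rf -- "${TMPDIR:?}"

# Summary.
# NOTE(review): the admin password is printed in clear text below; avoid
# capturing this output in logs or shared terminals, and change the password
# after first login.
# NOTE(review): the summary advertises the NBI on port 7557; the NBI calls in
# this installer use no credentials, so confirm that port is not reachable
# from untrusted networks.
echo ""
echo -e "${GREEN}${BOLD}══════════════════════════════════════════════════${NC}"
echo -e "${GREEN}${BOLD}  RouterACS v${NEW_VERSION} — Instalado com sucesso!${NC}"
echo -e "${GREEN}${BOLD}══════════════════════════════════════════════════${NC}"
echo ""
echo -e "  ${CYAN}Painel RouterACS:${NC}     http://$IP"
echo -e "  ${CYAN}Login:${NC}                $ADMIN_USER / $ADMIN_PASS"
echo -e "  ${CYAN}ACS URL (ONUs):${NC}       http://$IP:7547/"
echo -e "  ${CYAN}API NBI:${NC}              http://$IP:7557"
echo ""
if [ -n "$LICENSE_KEY" ]; then
  echo -e "  ${CYAN}Licença:${NC}  $LICENSE_KEY"
  echo -e "  ${CYAN}Servidor:${NC} $LICENSE_URL"
else
  echo -e "  ${YELLOW}Modo Demo (sem licença)${NC}"
fi
echo ""
echo -e "  ${BOLD}Comandos:${NC}"
echo -e "    sudo routeracs-update           — Atualizar"
echo -e "    systemctl status genieacs-cwmp   — Status CWMP"
echo -e "    journalctl -u genieacs-cwmp -f   — Logs"
echo -e "    sudo certbot --nginx             — HTTPS"
echo ""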
