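#!/usr/bin/env bash
# onx-clamav-upload-scan — scan a single uploaded file with ClamAV.
#
# Input : $1 = file path (pure-uploadscript convention); when $1 is empty the
#         path is taken from the "path" field of a JSON object read through
#         onx_json_input / onx_json_field (helpers from _lib/common.sh).
# Output: one JSON verdict on stdout with the keys clean, infected and
#         scanned_files. A scanner failure adds "error"; an infected entry
#         adds "quarantined" so the caller can tell whether the file is still
#         in place.
#
# Verdicts are taken from the scanner's exit status (ClamAV: 0 = no virus,
# 1 = virus found, anything else = error), never from "stdout was empty".
# A scan that could not run is reported as not clean (fail closed) instead of
# being indistinguishable from a clean file.
source "$(dirname "$0")/_lib/common.sh"
require_root; require_cmd jq

QUARANTINE_DIR=/var/lib/onoxsoft/quarantine
SKIPPED_JSON='{"clean":true,"infected":[],"scanned_files":0}'
CLEAN_JSON='{"clean":true,"infected":[],"scanned_files":1}'
SCAN_FAILED_JSON='{"clean":false,"infected":[],"scanned_files":0,"error":"scan_failed"}'

# Only paths below these roots are scanned; everything else is skipped.
in_scan_roots() {
    case "$1" in
        /home/*|/var/www/*) return 0 ;;
        *) return 1 ;;
    esac
}

FILE=""
if [[ -n "${1:-}" ]]; then
    FILE="$1"
else
    onx_json_input
    FILE="$(onx_json_field path '')"
fi

# Nothing to scan: no path given, or the path is not a regular file.
[[ -n "$FILE" && -f "$FILE" ]] || { printf '%s\n' "$SKIPPED_JSON"; exit 0; }

# The allowlist is checked twice on purpose: once on the raw argument and once
# on the canonical path, so "../" segments and symlinks cannot lead the scan
# (and the later root-owned mv) outside the permitted roots.
# NOTE(review): if realpath itself fails, the raw path is kept and the second
# check repeats the first one without canonicalisation — confirm that this
# fallback is wanted.
in_scan_roots "$FILE" || { printf '%s\n' "$SKIPPED_JSON"; exit 0; }
FILE="$(realpath -m "$FILE" 2>/dev/null || printf '%s' "$FILE")"
in_scan_roots "$FILE" || { printf '%s\n' "$SKIPPED_JSON"; exit 0; }
# NOTE(review): the file is re-opened by name below; whoever controls the
# parent directory can still swap it between these checks and the scan.

# Prefer the daemon client when it is installed; --fdpass hands clamd an open
# descriptor so the daemon does not need its own read access to the upload.
SCANNER_CMD=(clamscan)
command -v clamdscan &>/dev/null && SCANNER_CMD=(clamdscan --fdpass)

RC=0
OUT="$("${SCANNER_CMD[@]}" --infected --no-summary "$FILE" 2>/dev/null)" || RC=$?

# clamdscan fails when clamd is down or unreachable; retry once with the
# standalone scanner before giving up, so a stopped daemon does not decide
# the verdict.
if (( RC > 1 )) && [[ "${SCANNER_CMD[0]}" == clamdscan ]] \
    && command -v clamscan &>/dev/null; then
    RC=0
    OUT="$(clamscan --infected --no-summary "$FILE" 2>/dev/null)" || RC=$?
fi

case "$RC" in
    0)
        printf '%s\n' "$CLEAN_JSON"
        ;;
    1)
        VIRUS="$(sed -n 's/.*: \(.*\) FOUND$/\1/p' <<<"$OUT" | head -n1)"

        # Cap the original name (in bytes) so that timestamp prefix + name +
        # ".quar" stays under the filesystem's name limit; otherwise the mv
        # fails and the infected file stays where it was uploaded.
        BASE="$(basename -- "$FILE")"
        BASE="$(LC_ALL=C; printf '%s' "${BASE:0:200}")"
        DEST="$QUARANTINE_DIR/$(date +%s%N)_${BASE}.quar"

        QUARANTINED=false
        if mkdir -p "$QUARANTINE_DIR" && chmod 700 "$QUARANTINE_DIR" \
            && mv -- "$FILE" "$DEST" 2>/dev/null; then
            QUARANTINED=true
            chmod 600 -- "$DEST" \
                || printf '%s: cannot restrict permissions on %s\n' "${0##*/}" "$DEST" >&2
        else
            printf '%s: could not quarantine %s; file left in place\n' "${0##*/}" "$FILE" >&2
        fi

        json_ok "$(jq -n --arg p "$FILE" --arg v "$VIRUS" --argjson q "$QUARANTINED" \
            '{clean:false,infected:[{path:$p,virus:$v,quarantined:$q}],scanned_files:1}')"
        ;;
    *)
        # Scanner missing, database unreadable, daemon down, access denied…
        # The file was NOT scanned, so it must not be reported as clean.
        # Exit status stays 0 like every other path of this script; the
        # failure is carried in the JSON verdict and on stderr.
        printf '%s: scanner exited with status %s for %s\n' "${0##*/}" "$RC" "$FILE" >&2
        printf '%s\n' "$SCAN_FAILED_JSON"
        ;;
esac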
