#!/usr/bin/env bash
#
# onx-dnssec-status — Zone DNSSEC durumu (aktif/pasif + DS records)
#
# Stdin:  {"zone":"example.com"}
# Stdout: {"ok":true,"zone":"...","enabled":bool,"ds_records":[...],"keys":[...]}

# -u: expanding an unset variable is an error; pipefail: a pipeline fails if
# any stage fails. -e is deliberately not set here, so a failing command does
# not stop the script on its own; every step whose failure matters has to be
# checked explicitly.
set -uo pipefail

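#######################################
# Print a one-line JSON error object on stderr and terminate the script.
# Arguments: $1 - error message (may contain caller-supplied text)
#            $2 - exit code, also reported in the JSON (default 3)
# Outputs:   {"error":"<msg>","code":<n>} on stderr
# Returns:   never; exits with the given code
#######################################
die() {
    local msg="${1-}" code="${2:-3}"
    local nl=$'\n' cr=$'\r' tab=$'\t'
    # The message can embed untrusted input (e.g. the requested zone name),
    # so it must be escaped into a valid JSON string. Backslash goes first so
    # the escapes added afterwards are not doubled.
    msg="${msg//\\/\\\\}"
    msg="${msg//\"/\\\"}"
    # Raw newlines/CR/tabs are illegal inside a JSON string and would let a
    # crafted value split the error record into several log lines.
    msg="${msg//$nl/\\n}"
    msg="${msg//$cr/\\r}"
    msg="${msg//$tab/\\t}"
    # Any other control character is dropped rather than emitted raw.
    msg="${msg//[[:cntrl:]]/}"
    printf '{"error":"%s","code":%d}\n' "$msg" "$code" >&2
    exit "$code"
}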

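# jq is needed both to parse the request and to build the reply; fail with a
# JSON error instead of a raw "command not found" if it is missing.
command -v jq >/dev/null 2>&1 || die "jq yok" 2

# Read the whole request from stdin. printf is used instead of echo so that a
# payload starting with '-' is not taken as an echo option. jq's own parse
# errors are silenced so stderr carries only the JSON error from die().
INPUT=$(cat 2>/dev/null || echo '{}')
ZONE=$(printf '%s' "$INPUT" | jq -r '.zone // ""' 2>/dev/null)
if [[ -z "$ZONE" ]]; then
    die "zone gerekli" 1
fi

# ZONE is caller-controlled and is handed to pdnsutil as a command-line
# argument. Reject a leading '-' (it could be parsed as an option rather than
# a zone name), embedded whitespace/control characters, and names longer than
# a DNS name can be. Everything else is left for pdnsutil to accept or refuse.
if [[ "$ZONE" == -* || "$ZONE" == *[[:space:][:cntrl:]]* || ${#ZONE} -gt 255 ]]; then
    die "zone geçersiz" 1
fi

command -v pdnsutil >/dev/null 2>&1 || die "pdnsutil yok" 2

# One show-zone call serves as both the existence check and the data source.
# Any pdnsutil failure (not only a missing zone) is reported as "Zone yok".
SHOW=$(pdnsutil show-zone "$ZONE" 2>/dev/null) || die "Zone yok: $ZONE" 2

# DNSSEC is reported as enabled when the show-zone text matches one of the
# markers below.
# NOTE(review): this is a text heuristic tied to pdnsutil's output wording.
# As written, "Zone is .* presigned" needs extra text between "is" and
# "presigned", so it matches a line like "Zone is not presigned" but not
# "Zone is presigned"; and the "Zone has NSEC..." marker counts as enabled
# whenever that line is printed. Confirm against the pdnsutil version in use
# that an unsigned zone cannot be reported as enabled:true.
ENABLED=false
if grep -q "Zone is .* presigned\|Zone has \(NSEC\|NSEC3\)\|^DS = " <<<"$SHOW"; then
    ENABLED=true
fi

# Keep only the "DS = ..." lines, prefix stripped, and turn them into a JSON
# array of strings (empty array when there are none).
DS_LINES=$(sed -n 's/^DS = //p' <<<"$SHOW")
DS_JSON=$(printf '%s\n' "$DS_LINES" | jq -R -s -c 'split("\n") | map(select(length>0))') \
    || die "JSON üretilemedi" 3

# Keys: raw list-keys text; best-effort, empty string if the command fails.
# NOTE(review): the file header documents a "keys" array, but the reply
# carries the unparsed text under "keys_info".
KEYS_RAW=$(pdnsutil list-keys "$ZONE" 2>/dev/null || echo "")

# All values are passed via --arg/--argjson so jq does the JSON encoding.
# A failure here must not fall through to "exit 0" with no reply on stdout.
jq -nc \
    --arg zone "$ZONE" \
    --argjson enabled "$ENABLED" \
    --argjson ds "$DS_JSON" \
    --arg keys "$KEYS_RAW" \
    '{ok:true,zone:$zone,enabled:$enabled,ds_records:$ds,keys_info:$keys}' \
    || die "JSON üretilemedi" 3

exit 0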
