#!/bin/bash

###############################################################################
# OpenClaw 配置安全修复脚本 (v2 - 精简版)
# 
# 用途：仅修复真正有价值的安全问题
# 执行前请确认已备份：./deploy.sh backup
#
# 已排除的"误报"（用户确认无需修复）：
# - gateway.bind = "lan" → 实际绑定 Tailscale，安全
# - dangerouslyDisableDeviceAuth = true → 已知权衡，Tailscale 环境下可接受
# - 无 rateLimit → Tailscale 封闭网络 + 强 token，风险极低
# - MemoryLimit 废弃 → 实际 service 文件不存在此参数
###############################################################################

set -e

WORKSPACE="/root/.openclaw/workspace"
CONFIG_FILE="/root/.openclaw/workspace/openclaw-config.json"
TIMESTAMP=$(date +%Y%m%d-%H%M%S)

echo "🔧 OpenClaw 配置安全修复脚本 (精简版)"
echo "======================================"
echo ""
echo "📋 仅修复以下问题:"
echo "   1. 添加 plugins.allow 白名单（良好安全习惯）"
echo ""
echo "⚠️  已排除（用户确认无需修复）:"
echo "   - gateway.bind (Tailscale 环境安全)"
echo "   - dangerouslyDisableDeviceAuth (已知权衡)"
echo "   - rateLimit (威胁模型不匹配)"
echo "   - MemoryLimit (实际不存在)"
echo ""
read -p "确认继续？(y/N): " confirm

if [[ ! $confirm =~ ^[Yy]$ ]]; then
  echo "❌ 已取消"
  exit 0
fi

# 备份当前配置
echo ""
echo "📦 备份当前配置..."
cp "$CONFIG_FILE" "${CONFIG_FILE}.backup.${TIMESTAMP}"
echo "✅ 备份完成：${CONFIG_FILE}.backup.${TIMESTAMP}"
echo ""

# 修复：设置 plugins.allow
echo "🔒 修复：配置插件白名单"
node -e "
const fs = require('fs');
const config = JSON.parse(fs.readFileSync('$CONFIG_FILE', 'utf8'));
config.plugins.allow = ['telegram', 'qwen-portal-auth', 'memos-cloud-openclaw-plugin'];
fs.writeFileSync('$CONFIG_FILE', JSON.stringify(config, null, 2));
"
echo "✅ 完成"
echo ""

echo "======================================"
echo "✅ 修复完成！"
echo ""
echo "📋 下一步操作:"
echo "1. 检查配置变更：git diff $CONFIG_FILE"
echo "2. 重启服务：./deploy.sh restart"
echo "3. 验证状态：./deploy.sh health"
echo "4. 安全审计：openclaw security audit --deep"
echo ""
echo "⚠️  如需回滚:"
echo "cp ${CONFIG_FILE}.backup.${TIMESTAMP} $CONFIG_FILE"
echo "./deploy.sh restart"
echo ""