#!/usr/bin/env bash
# Pro-plan SMTP TCP matrix (OpenSSL from Railway container).
# Strict mode: abort on command failure, unset variables and failed pipeline stages.
set -euo pipefail

# Repository root is the parent of this script's directory; the probes are
# launched from the api/ subdirectory.
ROOT="$(cd "$(dirname "$0")/.." && pwd)"
cd "$ROOT/api"

# One evidence file per run, named after the UTC start time so runs never
# overwrite each other.
STAMP="$(date -u +%Y%m%dT%H%M%SZ)"
EVID="$ROOT/frontend/qa/evidence/smtp-verify/${STAMP}-pro-openssl-tcp-matrix.txt"

# ROOT is absolute, so stripping the last path component yields the parent directory.
mkdir -p "${EVID%/*}"

# Start the evidence file with a provenance header (truncates any existing file).
cat >"$EVID" <<EOF
# SMTP TCP matrix (OpenSSL) — $STAMP UTC
# Source: railway status --json meta.plan + railway ssh openssl
# Plan: Railway Pro workspace — fresh egress verification

EOF

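#######################################
# Probe one SMTP endpoint from inside the Railway container and append the
# transcript, elapsed time and verdict to the evidence file.
#
# The verdict is derived from the transcript that is actually recorded, so the
# evidence file cannot contradict itself. (An earlier revision opened a second,
# shorter connection without -starttls to decide the verdict, which could
# disagree with the transcript above it and doubled the connections made to
# the remote mail server.)
#
# Globals:   EVID (read) - evidence file; output is appended to it
# Arguments: $1 - host
#            $2 - port
#            $3 - mode: "starttls" negotiates SMTP STARTTLS first; any other
#                 value connects with TLS directly
# Outputs:   every recorded line is also echoed to stdout
# Returns:   0; a failed probe is recorded as TIMEOUT_OR_FAIL, not raised
#
# NOTE(review): host and port are forwarded to `railway ssh`, which presumably
# passes them to a remote shell — only call this with trusted, literal values.
#######################################
probe() {
  local host=$1 port=$2 mode=$3
  local start end ms out
  local -a cmd=(railway ssh -- timeout 12 openssl s_client -connect "${host}:${port}")
  if [ "$mode" = starttls ]; then
    cmd+=(-starttls smtp)
  fi
  cmd+=(-brief)

  start=$(date +%s)
  echo "=== $host:$port ($mode) ===" | tee -a "$EVID"

  # Best effort by design: a refused connection, a timeout or head closing the
  # pipe early must not abort the whole matrix under `set -e`/pipefail.
  out=$("${cmd[@]}" 2>&1 | head -15) || true
  if [ -n "$out" ]; then
    printf '%s\n' "$out" | tee -a "$EVID"
  fi

  end=$(date +%s)
  # date +%s has one-second resolution, so this value is a multiple of 1000.
  ms=$(( (end - start) * 1000 ))
  echo "elapsed_ms: $ms" | tee -a "$EVID"

  # s_client prints "CONNECTED(fd)" in normal mode; under -brief it is expected
  # to print "CONNECTION ESTABLISHED" instead, and only once the TLS handshake
  # has completed — TODO confirm against the container's OpenSSL version.
  if grep -qE 'CONNECTED|CONNECTION ESTABLISHED' <<<"$out"; then
    echo "tcp_result: TCP_OK" | tee -a "$EVID"
  else
    echo "tcp_result: TIMEOUT_OR_FAIL" | tee -a "$EVID"
  fi
  echo | tee -a "$EVID"
}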

# Egress matrix: one "host port mode" entry per endpoint, probed in order.
for target in \
  "smtp.gmail.com 587 starttls" \
  "smtp.gmail.com 465 ssl" \
  "smtp-relay.gmail.com 587 starttls" \
  "smtp.office365.com 587 starttls"; do
  IFS=' ' read -r host port mode <<<"$target"
  probe "$host" "$port" "$mode"
done

# Tell the operator where the evidence ended up.
printf 'Wrote %s\n' "$EVID"
