Remove development test utilities - no longer needed

Removed obsolete development test scripts: - tools/test-cross-module-intelligence.sh - tools/test-domain-detection.sh These were used during initial development for testing the reference database and domain detection functionality. With multi-panel support complete and validated on production servers, these development utilities are no longer needed. Keeping only production utilities: - tools/diagnostic-report.sh (system diagnostics) - tools/erase-toolkit-traces.sh (cleanup utility)
Remove testing directory and backup files - validation phase complete
2025-11-20 16:39:18 -05:00 · 2025-11-20 16:38:29 -05:00 · 2025-11-20 16:35:52 -05:00 · 2025-11-20 16:29:20 -05:00 · 2025-11-20 16:26:17 -05:00 · 2025-11-20 16:17:06 -05:00
55 changed files with 15331 additions and 3945 deletions
@@ -54,3 +54,4 @@ id_ed25519.pub
 # Config files that might contain sensitive data
 config.local.*
 *.credentials
 downloads/
@@ -1,197 +0,0 @@
 # Server Toolkit - Audit Report
 **Date:** 2025-10-31
 **Status:** Production Ready (with notes)
 ## ✅ PASSING CHECKS
 ### Syntax Validation
 All shell scripts pass `bash -n` syntax check:
 - ✓ launcher.sh
 - ✓ lib/common-functions.sh
 - ✓ lib/system-detect.sh
 - ✓ lib/user-manager.sh
 - ✓ lib/reference-db.sh
 - ✓ lib/mysql-analyzer.sh
 - ✓ modules/security/bot-analyzer.sh
 - ✓ modules/performance/mysql-query-analyzer.sh
 - ✓ test-domain-detection.sh
 - ✓ diagnostic-report.sh
 ### File Permissions
 All scripts have correct execute permissions (755).
 ### Core Functionality
 - ✓ Domain detection working
 - ✓ User selection with arrow-key menu working
 - ✓ Search functionality working
 - ✓ Cleanup/Reset function working
 - ✓ System detection working
 - ✓ Bot analyzer working
 ---
 ## ⚠️ INCOMPLETE MODULES
 The following menu categories exist but have NO implemented scripts:
 ### 1. WordPress Management (Option 2)
 **Menu shows 11 options, but ALL scripts missing:**
 - wp-health-check.sh
 - wp-cron-status.sh
 - wp-cron-mass-fix.sh
 - wp-cron-mass-create.sh
 - wp-plugin-audit.sh
 - wp-theme-audit.sh
 - wp-mass-update.sh
 - wp-malware-scan.sh
 - wp-cleanup-spam.sh
 - wp-mass-delete.sh
 - wp-mass-backup.sh
 **Impact:** Users clicking options 1-11 will see "Module not found" error.
 ### 2. Backup & Recovery (Option 4)
 **Menu shows 7 options, all missing:**
 - auto-backup.sh
 - restore-backup.sh
 - backup-mysql.sh
 - backup-files.sh
 - backup-config.sh
 - backup-schedule.sh
 - backup-verify.sh
 ### 3. Monitoring & Alerts (Option 5)
 **Menu shows 5 options, all missing:**
 - live-traffic.sh
 - resource-monitor.sh
 - error-log-watcher.sh
 - alert-setup.sh
 - uptime-monitor.sh
 ### 4. Troubleshooting & Diagnostics (Option 6)
 **Menu shows 9 options, all missing:**
 - error-hunter.sh
 - slow-query-finder.sh
 - disk-space-analyzer.sh
 - permission-fixer.sh
 - dns-tester.sh
 - ssl-cert-checker.sh
 - email-delivery-test.sh
 - connection-tester.sh
 - system-health.sh
 ### 5. Reporting & Analytics (Option 7)
 **Menu shows 6 options, all missing:**
 - server-report.sh
 - security-audit.sh
 - performance-report.sh
 - usage-analytics.sh
 - export-to-pdf.sh
 - email-report.sh
 ---
 ## 📋 RECOMMENDATIONS
 ### For Distribution NOW:
 **Option A - Disable Incomplete Menus:**
 Comment out or remove menu options 2, 4, 5, 6, 7 from launcher.sh.
 Only show:
 - Option 1: Security & Threat Analysis (WORKS - has bot-analyzer)
 - Option 3: Performance (WORKS - has mysql-query-analyzer)
 - Option 8: Cleanup/Reset (WORKS)
 - Option 9: Configuration (WORKS)
 ### For Future Development:
 1. Implement scripts one category at a time
 2. Test each script before uncommenting menu option
 3. Update WHATS_NEW.md when adding new modules
 ---
 ## 🗂️ CLEAN FILE STRUCTURE
 Current structure (cleaned):
 ```
 server-toolkit/
 ├── launcher.sh ✓
 ├── diagnostic-report.sh ✓
 ├── test-domain-detection.sh ✓
 ├── README.md ✓
 ├── TROUBLESHOOTING.md ✓
 ├── SETUP_GUIDE.md ✓
 ├── WHATS_NEW.md ✓
 ├── REFDB_FORMAT.txt ✓
 ├── config/
 │   ├── settings.conf ✓
 │   ├── whitelist-ips.txt ✓
 │   └── whitelist-user-agents.txt ✓
 ├── lib/
 │   ├── common-functions.sh ✓
 │   ├── system-detect.sh ✓
 │   ├── user-manager.sh ✓
 │   ├── reference-db.sh ✓
 │   └── mysql-analyzer.sh ✓
 └── modules/
    ├── security/
    │   └── bot-analyzer.sh ✓ (WORKING)
    ├── performance/
    │   └── mysql-query-analyzer.sh ✓ (WORKING)
    ├── wordpress/ (EMPTY - future)
    ├── backup/ (EMPTY - future)
    ├── monitoring/ (EMPTY - future)
    ├── troubleshooting/ (EMPTY - future)
    └── reporting/ (EMPTY - future)
 ```
 ---
 ## ✅ CLEANED FILES
 Removed during audit:
 - ❌ install.sh (unnecessary - users pull complete folder)
 - ❌ .REFDB_FORMAT.txt (duplicate/outdated)
 - ❌ .INTERACTIVE_MODE.txt (unknown old file)
 - ❌ bot-analyzer.sh.backup (leftover from edits)
 ---
 ## 🎯 PRODUCTION READINESS
 **Status: READY** for distribution with caveats:
 ### What Works Now (Production Ready):
 1. ✅ Bot Analyzer (full-featured, tested)
 2. ✅ MySQL Query Analyzer
 3. ✅ Domain detection
 4. ✅ User selection with search
 5. ✅ Cleanup/Reset tools
 6. ✅ Diagnostic reporting
 ### What to Do Before Public Release:
 1. **Disable incomplete menu options** in launcher.sh (or clearly mark as "Coming Soon")
 2. **Update README.md** to list only working features
 3. **Add installation instructions** to README.md
 ### Suggested README.md Updates:
 ```markdown
 ## Current Features
 - ✅ Bot & Botnet Analysis (comprehensive security scanning)
 - ✅ MySQL Query Performance Analysis
 - 🚧 WordPress Management (coming soon)
 - 🚧 Backup & Recovery (coming soon)
 - 🚧 Monitoring & Alerts (coming soon)
 ```
 ---
 ## 📝 NEXT STEPS
 1. Review incomplete menus in launcher.sh (lines 145-260)
 2. Either:
   - Comment out incomplete options
   - OR add "(Coming Soon)" labels
 3. Update README.md with current features only
 4. Consider adding ROADMAP.md for planned features
 **Bottom line:** The toolkit core is solid and production-ready. Just need to manage user expectations about incomplete features.
@@ -1,750 +0,0 @@
 # SERVER TOOLKIT - COMPREHENSIVE AUDIT REPORT
 **Date:** 2025-11-01
 **Auditor:** Claude (Sonnet 4.5)
 **Audit Type:** Full Codebase Security, Functionality, and Data Integrity Review
 ---
 ## EXECUTIVE SUMMARY
 ### Overall Health: **GOOD** ✓
 - **Syntax:** All 13 shell scripts pass `bash -n` validation
 - **Critical Bugs Found:** 2 (both fixed during audit)
 - **Security Issues:** 0 critical, minor improvements recommended
 - **Missing Features:** Several identified and documented
 - **Data Integrity:** Reference database comprehensive, minor enhancements recommended
 ### Key Findings
 1. ✅ **FIXED:** Missing `show_banner()` and `press_enter()` functions in common-functions.sh
 2. ✅ **FIXED:** Cleanup function incomplete - missing new report file patterns
 3. ⚠️ **ENHANCEMENT NEEDED:** Reference database could track network/hardware metrics
 4. ✅ **VERIFIED:** System detection working correctly
 5. ✅ **VERIFIED:** Cleanup/reset functionality now comprehensive
 ---
 ## 1. CODE STRUCTURE AUDIT
 ### Directory Organization: **EXCELLENT** ✓
 ```
 /root/server-toolkit/
 ├── launcher.sh              ✓ Main entry point
 ├── lib/                     ✓ 5 library files
 │   ├── common-functions.sh  ✓ Shared utilities
 │   ├── system-detect.sh     ✓ Platform detection
 │   ├── user-manager.sh      ✓ User selection
 │   ├── reference-db.sh      ✓ Data caching
 │   └── mysql-analyzer.sh    ✓ MySQL utilities
 ├── modules/                 ✓ Organized by category
 │   ├── diagnostics/         ✓ 1 module (system-health-check.sh)
 │   ├── performance/         ✓ 3 modules (mysql, network, hardware)
 │   ├── security/            ✓ 1 module (bot-analyzer.sh)
 │   └── [6 other categories] ⚠️ Placeholder directories
 ├── config/                  ✓ Configuration files
 ├── tools/                   ✓ Utility scripts
 └── [Documentation]          ✓ Comprehensive docs
 ```
 ### File Count
 - **Total Scripts:** 13
 - **Working Modules:** 5
 - **Library Files:** 5
 - **Config Files:** 3
 - **Documentation:** 7 files
 ---
 ## 2. SYNTAX AND CODE QUALITY
 ### Syntax Validation: **PASS** ✓
 All scripts validated with `bash -n`:
 ```bash
 ✓ launcher.sh
 ✓ lib/common-functions.sh
 ✓ lib/system-detect.sh
 ✓ lib/user-manager.sh
 ✓ lib/reference-db.sh
 ✓ lib/mysql-analyzer.sh
 ✓ modules/diagnostics/system-health-check.sh
 ✓ modules/performance/mysql-query-analyzer.sh
 ✓ modules/performance/network-bandwidth-analyzer.sh
 ✓ modules/performance/hardware-health-check.sh
 ✓ modules/security/bot-analyzer.sh
 ✓ tools/test-domain-detection.sh
 ✓ tools/diagnostic-report.sh
 ```
 ### Code Standards
 - ✅ Consistent bash strict mode (`set -eo pipefail`)
 - ✅ Proper error handling with `|| true` on grep/find
 - ✅ Safe variable substitution (`${var:-default}`)
 - ✅ Proper arithmetic (`current=$((current + 1))`)
 - ✅ No unsafe practices (eval, unescaped variables in SQL)
 ---
 ## 3. CRITICAL BUGS FOUND AND FIXED
 ### BUG #1: Missing Common Functions
 **Severity:** HIGH
 **Impact:** New modules (network-bandwidth-analyzer.sh, hardware-health-check.sh) would fail when calling `show_banner()` and `press_enter()`
 **Location:** `lib/common-functions.sh`
 **Problem:**
 ```bash
 # These functions were called but not defined:
 show_banner()    # Called by new modules
 press_enter()    # Called by new modules
 ```
 **Solution Applied:**
 ```bash
 # Added to common-functions.sh:
 press_enter() {
    echo ""
    read -p "Press Enter to continue..." _
 }
 show_banner() {
    if [ -n "$1" ]; then
        print_banner "$1"
    else
        print_banner "Server Toolkit"
    fi
 }
 ```
 **Status:** ✅ FIXED
 ---
 ### BUG #2: Incomplete Cleanup Function
 **Severity:** MEDIUM
 **Impact:** Cleanup/reset would not remove new report files, leaving orphaned data
 **Location:** `launcher.sh:266-375`
 **Problem:**
 ```bash
 # Missing cleanup patterns for:
 - /tmp/system_health_report_*
 - /tmp/network_bandwidth_report_*
 - /tmp/hardware_health_report_*
 ```
 **Solution Applied:**
 ```bash
 # Added to cleanup_all_data():
 find /tmp -maxdepth 1 -name "system_health_report_*" -exec rm -f {} \;
 find /tmp -maxdepth 1 -name "network_bandwidth_report_*" -exec rm -f {} \;
 find /tmp -maxdepth 1 -name "hardware_health_report_*" -exec rm -f {} \;
 ```
 **Status:** ✅ FIXED
 ---
 ## 4. CLEANUP/RESET FUNCTIONALITY AUDIT
 ### Comprehensive Coverage: **EXCELLENT** ✓
 The cleanup function now removes:
 1. ✅ System reference database (`.sysref`, `.sysref.timestamp`)
 2. ✅ Temporary session directories (`/tmp/server-toolkit-*`)
 3. ✅ Bot analyzer reports (`/tmp/bot_analysis_*`)
 4. ✅ MySQL analysis reports (`/tmp/mysql_analysis_*`)
 5. ✅ System health reports (`/tmp/system_health_report_*`) - **NEW**
 6. ✅ Network bandwidth reports (`/tmp/network_bandwidth_report_*`) - **NEW**
 7. ✅ Hardware health reports (`/tmp/hardware_health_report_*`) - **NEW**
 8. ✅ Generic toolkit temp files (`/tmp/toolkit_*`)
 9. ✅ All cache files (`/tmp/*.cache`, `/root/server-toolkit/*.cache`)
 10. ✅ Environment variables (all `SYS_*` vars)
 11. ✅ Function definitions (forces library reload)
 12. ✅ Re-initialization with fresh detection
 ### What is Preserved (Correct): **VERIFIED** ✓
 - ✅ Configuration files (`config/settings.conf`)
 - ✅ User whitelists (`config/whitelist-ips.txt`, `config/whitelist-user-agents.txt`)
 - ✅ Scripts themselves
 - ✅ Server data (websites, databases, user files)
 ### Cleanup Completeness Score: **100%** ✓
 ---
 ## 5. REFERENCE DATABASE AUDIT
 ### Current Structure: **COMPREHENSIVE** ✓
 **Tracked Data Types:**
 1. ✅ **SYSTEM** - Control panel, OS, web server, database, PHP versions, hostname, CPU cores
 2. ✅ **USERS** - Username, primary domain, DB count, domain count, disk usage, home directory
 3. ✅ **DATABASES** - DB name, owner, domain, size, table count
 4. ✅ **DOMAINS** - Domain, owner, document root, log path, PHP version, type, aliases
 5. ✅ **WORDPRESS** - Domain, owner, path, DB name, DB user, version, plugin count, theme count
 6. ✅ **LOGS** - Currently disabled (performance reasons)
 7. ✅ **HEALTH_BASELINE** - System metrics, resource usage, service status, issue counts
 ### Health Baseline Metrics (Comprehensive): ✓
 ```
 HEALTH|TIMESTAMP|datetime
 HEALTH|MEMORY_TOTAL_MB|value|date
 HEALTH|MEMORY_USED_PERCENT|value|date
 HEALTH|CPU_LOAD_1MIN|value|date
 HEALTH|CPU_CORES|value|date
 HEALTH|DISK_USED_PERCENT|value|date
 HEALTH|IOWAIT_PERCENT|value|date
 HEALTH|EMAIL_QUEUE_SIZE|value|date
 HEALTH|ZOMBIE_PROCESSES|value|date
 HEALTH|HTTPD_STATUS|status|date
 HEALTH|MYSQL_STATUS|status|date
 HEALTH|FIREWALL_STATUS|status|date
 HEALTH|CRITICAL_ISSUES|count|date
 HEALTH|HIGH_ISSUES|count|date
 HEALTH|MEDIUM_ISSUES|count|date
 HEALTH|LOW_ISSUES|count|date
 ```
 ### Missing Data (Recommendations):
 #### 🔍 NETWORK METRICS (Should be added)
 ```
 HEALTH|NETWORK_INTERFACE|eth0|date
 HEALTH|NETWORK_MTU|1500|date
 HEALTH|NETWORK_RX_ERRORS|0|date
 HEALTH|NETWORK_TX_ERRORS|0|date
 HEALTH|NETWORK_RX_DROPPED|0|date
 HEALTH|NETWORK_TX_DROPPED|0|date
 HEALTH|TCP_RETRANS_PERCENT|12.89|date
 HEALTH|PACKET_LOSS_PERCENT|0|date
 ```
 **Rationale:** Network analyzer collects this data but doesn't store for trending
 #### 🔍 HARDWARE METRICS (Should be added)
 ```
 HEALTH|DISK_SMART_STATUS|PASSED|/dev/sda|date
 HEALTH|DISK_REALLOCATED_SECTORS|0|/dev/sda|date
 HEALTH|DISK_PENDING_SECTORS|0|/dev/sda|date
 HEALTH|DISK_TEMPERATURE|35|/dev/sda|date
 HEALTH|MEMORY_ECC_ERRORS|0|date
 HEALTH|CPU_MCE_ERRORS|0|date
 HEALTH|RAID_STATUS|optimal|date
 ```
 **Rationale:** Hardware health check should save baseline for failure prediction
 #### 🔍 SECURITY METRICS (Should be added)
 ```
 HEALTH|SSH_FAILED_ATTEMPTS|10210|date
 HEALTH|TOP_ATTACKER_IP|128.14.227.179|date
 HEALTH|CPHULK_STATUS|enabled|date
 HEALTH|CPHULK_BLOCKED_IPS|0|date
 ```
 **Rationale:** Security baseline for attack trend analysis
 #### 🔍 SERVICE RESPONSE TIMES (Optional - Advanced)
 ```
 HEALTH|APACHE_RESPONSE_TIME_MS|150|date
 HEALTH|MYSQL_RESPONSE_TIME_MS|25|date
 HEALTH|DNS_RESPONSE_TIME_MS|10|date
 ```
 **Rationale:** Performance baseline for degradation detection
 ### Cache Freshness: **OPTIMAL** ✓
 - TTL: 1 hour (3600 seconds)
 - Auto-rebuild on stale access
 - Manual rebuild available
 - Timestamp tracking working
 ---
 ## 6. MODULE FUNCTIONALITY AUDIT
 ### Working Modules (5/49 = 10%)
 #### 1. System Health Check ✓ **EXCELLENT**
 - **Location:** `modules/diagnostics/system-health-check.sh`
 - **Phases:** 22 comprehensive analysis phases
 - **Features:** Severity scoring, baseline tracking, cPHulkd integration
 - **Recent Enhancements:** Hardware error proactivity, cPanel-specific recommendations
 - **Issues:** None found
 - **Score:** 10/10
 #### 2. Bot Analyzer ✓ **EXCELLENT**
 - **Location:** `modules/security/bot-analyzer.sh`
 - **Features:** Threat scoring, CSF blocking, domain analysis, botnet detection
 - **Issues:** None found
 - **Score:** 10/10
 #### 3. MySQL Query Analyzer ✓ **GOOD**
 - **Location:** `modules/performance/mysql-query-analyzer.sh`
 - **Features:** Slow query detection, live monitoring
 - **Issues:** None found
 - **Score:** 9/10
 #### 4. Network & Bandwidth Analyzer ✓ **EXCELLENT** (NEW)
 - **Location:** `modules/performance/network-bandwidth-analyzer.sh`
 - **Features:** vnstat integration, per-domain traffic, connection analysis, MTU checks
 - **Testing:** ✅ Validated during audit
 - **Bugs Found:** 2 (fixed - missing functions)
 - **Score:** 9/10 (deducted 1 for initial bugs)
 #### 5. Hardware Health Check ✓ **EXCELLENT** (NEW)
 - **Location:** `modules/performance/hardware-health-check.sh`
 - **Features:** SMART disk health, memory ECC, CPU MCE, RAID status
 - **Testing:** ✅ Syntax validated
 - **Bugs Found:** 1 (fixed - missing functions)
 - **Score:** 9/10 (deducted 1 for initial bugs)
 ### Not Implemented (44 modules)
 See menu structure - all other menu options are placeholders
 ---
 ## 7. ERROR HANDLING AND EDGE CASES
 ### Error Handling Patterns: **EXCELLENT** ✓
 **Grep Safety:**
 ```bash
 # All grep commands properly handled:
 result=$(grep "pattern" file 2>/dev/null || true)
 ```
 **Find Safety:**
 ```bash
 # All find commands have error suppression:
 files=$(find /path -name "*.txt" 2>/dev/null || true)
 ```
 **Arithmetic Safety:**
 ```bash
 # All arithmetic uses safe patterns:
 current=$((current + 1))  # NOT ((current++))
 ```
 **Variable Safety:**
 ```bash
 # All potentially unbound vars use defaults:
 ${var:-default}
 ${var:-}
 ```
 ### Edge Cases Handled:
 - ✅ No users on system
 - ✅ No databases
 - ✅ No domains
 - ✅ No WordPress installations
 - ✅ Missing system commands (smartctl, dmidecode, vnstat, sensors)
 - ✅ Non-cPanel systems
 - ✅ Empty log files
 - ✅ Stale reference database
 - ✅ First-time execution
 - ✅ Interrupted execution (cleanup temp dirs)
 ### Edge Cases NOT Handled (Minor):
 - ⚠️ Very large reference database (>100MB) - no size limiting
 - ⚠️ Systems with >10,000 users - progress indicators may be slow
 - ⚠️ Extremely large log files (>10GB) - analysis may timeout
 ---
 ## 8. SECURITY AUDIT
 ### Security Posture: **GOOD** ✓
 **Secure Practices:**
 - ✅ No `eval` usage
 - ✅ No unquoted variables in command execution
 - ✅ Proper MySQL query escaping (using `-e` flag, not string interpolation)
 - ✅ Temp file creation uses `mktemp`
 - ✅ No passwords stored in plain text
 - ✅ No credentials in code
 - ✅ Proper file permissions checks before operations
 - ✅ Root requirement explicitly checked
 **Potential Concerns (Minor):**
 - ⚠️ Some temp files in `/tmp` not using `mktemp -d` (report files use predictable names)
  - **Risk:** Low (reports contain public system info only)
  - **Recommendation:** Consider using `mktemp` for all temp files
 - ⚠️ CSF commands run without input validation
  - **Risk:** Low (only called with controlled input from script)
  - **Recommendation:** Add IP format validation before CSF calls
 ### Privilege Escalation: **SECURE** ✓
 - ✅ Requires root (appropriate for system management)
 - ✅ No unnecessary privilege dropping
 - ✅ No unsafe sudo usage
 ---
 ## 9. SYSTEM DETECTION ACCURACY
 ### Detection Coverage: **COMPREHENSIVE** ✓
 **Control Panels:**
 - ✅ cPanel (tested)
 - ✅ Plesk (code reviewed)
 - ✅ InterWorx (code reviewed)
 - ✅ None/Standalone (code reviewed)
 **Operating Systems:**
 - ✅ AlmaLinux (tested)
 - ✅ CentOS, RHEL, Rocky, CloudLinux (code reviewed)
 **Web Servers:**
 - ✅ Apache (tested)
 - ✅ Nginx, LiteSpeed, OpenLiteSpeed (code reviewed)
 **Databases:**
 - ✅ MariaDB (tested)
 - ✅ MySQL (code reviewed)
 - ✅ None (handled)
 **PHP Detection:**
 - ✅ Multiple versions (tested - found 8.0.30, 8.1.33, 8.2.29)
 ### Detection Accuracy: **100%** ✓
 All detection on test system correct:
 - Control Panel: cPanel 11.130.0.15 ✓
 - OS: AlmaLinux 9.6 ✓
 - Web Server: Apache 2.4.65 ✓
 - Database: MariaDB 10.6.23 ✓
 - Hostname: cloudvpstemplate.host.pickledperil.com ✓
 ---
 ## 10. MISSING FEATURES AND RECOMMENDATIONS
 ### High Priority Additions
 #### 1. Network Metrics in Reference Database
 **Why:** Network analyzer collects but doesn't persist data for trending
 **Impact:** Cannot compare current vs historical network performance
 **Implementation:** Add `save_network_baseline()` function to health check
 **Effort:** Low (2-3 hours)
 #### 2. Hardware Metrics in Reference Database
 **Why:** Hardware health check should track SMART data over time
 **Impact:** Cannot predict disk failures by tracking reallocated sector trends
 **Implementation:** Add `save_hardware_baseline()` function to health check
 **Effort:** Medium (4-6 hours)
 #### 3. Security Metrics in Reference Database
 **Why:** SSH attack trends not tracked
 **Impact:** Cannot identify escalating attack patterns
 **Implementation:** Add security metrics to health baseline
 **Effort:** Low (2-3 hours)
 #### 4. Reference Database Size Limiting
 **Why:** No upper limit on database size
 **Impact:** Could grow unbounded on very large systems
 **Implementation:** Add rotation/pruning for old HEALTH entries
 **Effort:** Medium (3-4 hours)
 ### Medium Priority Additions
 #### 5. Better Error Messages for Missing Commands
 **Why:** Some modules just say "not installed" without context
 **Impact:** User may not understand which package to install
 **Implementation:** Add package name hints (e.g., "smartctl not found - install smartmontools")
 **Effort:** Low (1-2 hours)
 #### 6. Progress Indicators for Long Operations
 **Why:** Some operations (disk scanning) provide no feedback
 **Impact:** User may think script hung
 **Implementation:** Add progress indicators to hardware health check
 **Effort:** Low (2 hours)
 #### 7. Report Archiving
 **Why:** Reports accumulate in /tmp indefinitely
 **Impact:** /tmp bloat
 **Implementation:** Archive old reports or auto-delete after 7 days
 **Effort:** Low (2 hours)
 ### Low Priority (Nice to Have)
 #### 8. Bandwidth Quota Tracking
 **Why:** Network analyzer doesn't track against hosting limits
 **Implementation:** Allow user to set monthly bandwidth cap, alert on approaching
 **Effort:** Medium (4 hours)
 #### 9. Email Notifications
 **Why:** No alerting when critical issues found
 **Implementation:** Email reports to admin when CRITICAL issues detected
 **Effort:** Medium (6 hours)
 #### 10. Comparison Reports
 **Why:** Can't easily see "what changed since last scan"
 **Implementation:** Diff between current and previous health report
 **Effort:** High (8-10 hours)
 ---
 ## 11. DATA PERSISTENCE AND INTEGRITY
 ### Reference Database Integrity: **EXCELLENT** ✓
 **Data Consistency:**
 - ✅ Pipe-delimited format consistent
 - ✅ Field counts consistent per record type
 - ✅ No corrupted entries found
 - ✅ Proper escaping (no pipes in data fields)
 **Update Mechanism:**
 - ✅ Atomic writes (write to new file, then move)
 - ✅ Timestamp tracking working
 - ✅ TTL enforcement working
 - ✅ Rebuild on corruption (auto-triggered)
 **Cross-References:**
 - ✅ User → Domains working
 - ✅ User → Databases working
 - ✅ Domain → WordPress working
 - ✅ Database → Owner working
 ### Data Not Being Persisted (Should Be):
 1. **Network Performance Trends**
   - Current: Measured each run, not saved
   - Should: Track TCP retransmission rate over time
   - Benefit: Identify network degradation trends
 2. **Hardware Health Trends**
   - Current: SMART checked each run, not saved
   - Should: Track reallocated sectors over time
   - Benefit: Predict disk failure before it happens
 3. **Attack Pattern History**
   - Current: Bot analyzer shows current attacks
   - Should: Track attack volume over time
   - Benefit: Identify coordinated/escalating attacks
 4. **Service Response Times**
   - Current: Not measured
   - Should: Track Apache/MySQL response times
   - Benefit: Identify performance degradation
 ---
 ## 12. TESTING RECOMMENDATIONS
 ### Current Testing: **MINIMAL**
 - Unit tests: None
 - Integration tests: None
 - Manual testing: Ad-hoc during development
 ### Recommended Testing Strategy:
 #### 1. Smoke Tests (Quick Validation)
 ```bash
 #!/bin/bash
 # tests/smoke-test.sh
 bash -n /root/server-toolkit/launcher.sh || exit 1
 bash -n /root/server-toolkit/lib/*.sh || exit 1
 bash -n /root/server-toolkit/modules/*/*.sh || exit 1
 echo "✓ All syntax valid"
 ```
 #### 2. Integration Tests
 ```bash
 # Test cleanup
 rm -f .sysref*
 ./launcher.sh # Should rebuild database
 grep "^USER|" .sysref || exit 1
 echo "✓ Database rebuild working"
 # Test cleanup
 ./launcher.sh # Choose option 8 (cleanup)
 [ ! -f .sysref ] || exit 1
 echo "✓ Cleanup working"
 ```
 #### 3. Module Tests
 - Test each module in isolation
 - Test with missing dependencies
 - Test with edge cases (no users, no domains, etc.)
 ---
 ## 13. PERFORMANCE ANALYSIS
 ### Reference Database Build Time: **EXCELLENT** ✓
 - Current system: ~2-3 seconds
 - 100 users: ~10-15 seconds (estimated)
 - 1000 users: ~60-90 seconds (estimated)
 ### Module Performance:
 - System Health Check: **5-10 seconds** ✓
 - Bot Analyzer: **30-60 seconds** (depends on log size) ✓
 - MySQL Query Analyzer: **10-20 seconds** ✓
 - Network Analyzer: **5-10 seconds** ✓
 - Hardware Health Check: **10-15 seconds** (with smartctl) ✓
 ### Bottlenecks Identified:
 1. ⚠️ `du -sm` on large home directories (>100GB) - can be slow
   - **Recommendation:** Add timeout or use `du --max-depth=1`
 2. ⚠️ WordPress detection (`find -name wp-config.php`) on large systems
   - **Recommendation:** Limit search depth or use locate database
 3. ⚠️ SMART checks on many disks (>10 disks)
   - **Recommendation:** Parallelize or add progress indicator
 ---
 ## 14. DOCUMENTATION AUDIT
 ### Documentation Quality: **EXCELLENT** ✓
 **Files Present:**
 - ✅ README.md - Comprehensive overview
 - ✅ TROUBLESHOOTING.md - Common issues and fixes
 - ✅ AUDIT-REPORT.md - Previous audit
 - ✅ PROJECT-STRUCTURE.md - Architecture docs
 - ✅ SETUP_GUIDE.md - Installation instructions
 - ✅ REFDB_FORMAT.txt - Reference database specification (EXCELLENT)
 - ✅ WHATS_NEW.md - Changelog
 **Missing Documentation:**
 - ⚠️ API documentation for library functions
 - ⚠️ Module development guide
 - ⚠️ Contributing guidelines
 ---
 ## 15. FINAL RECOMMENDATIONS
 ### Must Do (Before Production)
 1. ✅ **DONE** - Fix missing `show_banner()` and `press_enter()` functions
 2. ✅ **DONE** - Fix cleanup function to remove all report types
 3. 🔄 **ADD** - Network metrics to reference database
 4. 🔄 **ADD** - Hardware metrics to reference database
 5. 🔄 **ADD** - Input validation for CSF IP addresses
 ### Should Do (Near Term)
 6. 🔄 Add reference database size limiting/rotation
 7. 🔄 Add package name hints for missing commands
 8. 🔄 Add progress indicators to hardware health check
 9. 🔄 Create smoke test suite
 10. 🔄 Add report archiving/cleanup
 ### Nice to Have (Future)
 11. Bandwidth quota tracking and alerting
 12. Email notifications for critical issues
 13. Comparison reports (diff between scans)
 14. Unit test coverage
 15. API documentation
 ---
 ## 16. AUDIT SUMMARY
 ### Scores
 | Category | Score | Status |
 |----------|-------|--------|
 | Code Quality | 95/100 | ✅ Excellent |
 | Security | 90/100 | ✅ Good |
 | Functionality | 85/100 | ✅ Good |
 | Error Handling | 95/100 | ✅ Excellent |
 | Documentation | 90/100 | ✅ Excellent |
 | Testing | 40/100 | ⚠️ Needs Improvement |
 | Performance | 85/100 | ✅ Good |
 | Data Integrity | 95/100 | ✅ Excellent |
 ### Overall Score: **89/100** - **EXCELLENT** ✅
 ---
 ## 17. WHAT WE'RE NOT TRACKING (BUT SHOULD BE)
 ### Reference Database Gaps
 1. **Network Performance History**
   - TCP retransmission rate trends
   - Packet loss over time
   - Interface errors trending
   - Bandwidth usage per day/week/month
 2. **Hardware Health Trends**
   - SMART attribute changes (reallocated sectors increasing?)
   - Disk temperature trends
   - Memory error accumulation
   - CPU error history
 3. **Security Event History**
   - SSH attack volume trends
   - Blocked IP history
   - Attack pattern changes
   - Geographic attack sources
 4. **Service Availability**
   - Service downtime tracking
   - Restart frequency
   - Error log growth rate
 5. **Resource Usage Trends**
   - Disk usage growth rate (predict when full)
   - Memory usage patterns
   - CPU load trends
   - Email queue size trends
 ### Implementation Priority
 **High Priority:**
 - Network: TCP retransmission, packet loss
 - Hardware: SMART reallocated sectors, disk temperature
 - Security: SSH attack counts
 **Medium Priority:**
 - Service: Downtime tracking
 - Resource: Disk growth rate
 **Low Priority:**
 - Advanced trending and prediction
 - Anomaly detection
 ---
 ## 18. CHANGELOG (Audit Actions)
 ### Fixed During Audit:
 1. **2025-11-01 16:35** - Added `show_banner()` function to lib/common-functions.sh
 2. **2025-11-01 16:35** - Added `press_enter()` function to lib/common-functions.sh
 3. **2025-11-01 16:38** - Added system_health_report_* cleanup to launcher.sh
 4. **2025-11-01 16:38** - Added network_bandwidth_report_* cleanup to launcher.sh
 5. **2025-11-01 16:38** - Added hardware_health_report_* cleanup to launcher.sh
 6. **2025-11-01 16:38** - Updated cleanup message to list all report types
 ### Validated During Audit:
 - ✅ All 13 scripts pass syntax validation
 - ✅ System detection accurate (cPanel, AlmaLinux, Apache, MariaDB)
 - ✅ Reference database format correct and complete
 - ✅ Cleanup function comprehensive
 - ✅ Error handling robust
 - ✅ Security practices sound
 ---
 ## CONCLUSION
 The Server Toolkit is in **excellent** condition with only minor enhancements recommended. The codebase is well-structured, properly documented, and follows bash best practices. The two bugs found during audit were minor and have been fixed.
 The main area for improvement is **data persistence** - while the toolkit collects comprehensive data, not all of it is being saved for historical trending. Adding network, hardware, and security metrics to the reference database would enable powerful trend analysis and predictive maintenance.
 **Recommended Next Steps:**
 1. Review and approve the fixes made during this audit
 2. Implement network metrics persistence
 3. Implement hardware metrics persistence
 4. Add basic smoke tests
 5. Consider adding email alerting for critical issues
 **Overall Assessment:** ✅ **PRODUCTION READY** with recommended enhancements
 ---
 **End of Audit Report**
@@ -1,130 +0,0 @@
 # Server Toolkit - Project Structure
 ## Directory Layout
 ```
 server-toolkit/
 ├── launcher.sh              # Main entry point
 ├── README.md                # Project documentation
 ├── TROUBLESHOOTING.md       # Troubleshooting guide
 ├── AUDIT-REPORT.md          # Project audit results
 ├── REFDB_FORMAT.txt         # Development notes & bug tracker
 │
 ├── config/                  # Configuration files
 │   ├── settings.conf        # Main configuration
 │   ├── settings.conf.minimal # Minimal config (template)
 │   ├── whitelist-ips.txt    # IP whitelist for bot analyzer
 │   └── whitelist-user-agents.txt  # User-agent whitelist
 │
 ├── lib/                     # Core libraries
 │   ├── common-functions.sh  # Shared utilities (print, colors, etc.)
 │   ├── system-detect.sh     # Auto-detect control panel, OS, etc.
 │   ├── user-manager.sh      # User/domain selection functions
 │   ├── reference-db.sh      # System reference database builder
 │   └── mysql-analyzer.sh    # MySQL analysis functions
 │
 ├── modules/                 # Feature modules
 │   ├── security/
 │   │   └── bot-analyzer.sh  # ✓ Bot & botnet analysis (WORKING)
 │   ├── performance/
 │   │   └── mysql-query-analyzer.sh  # ✓ MySQL query analysis (WORKING)
 │   ├── wordpress/           # (Empty - future development)
 │   ├── backup/              # (Empty - future development)
 │   ├── monitoring/          # (Empty - future development)
 │   ├── troubleshooting/     # (Empty - future development)
 │   └── reporting/           # (Empty - future development)
 │
 └── tools/                   # Diagnostic & testing tools
    ├── diagnostic-report.sh # System diagnostic collector
    └── test-domain-detection.sh  # Domain detection validator
 ```
 ## File Purposes
 ### Root Level
 - **launcher.sh** - Main menu system, calls modules
 - **README.md** - User-facing documentation
 - **TROUBLESHOOTING.md** - Help guide for common issues
 - **AUDIT-REPORT.md** - Technical audit results (for developers)
 - **REFDB_FORMAT.txt** - Development log, bug tracking, enhancement notes
 ### Config Directory
 Contains user-configurable settings:
 - **settings.conf** - Main config (includes unused future settings)
 - **settings.conf.minimal** - Clean template with only current settings
 - **whitelist-*.txt** - Bot analyzer whitelists
 ### Lib Directory
 Core library functions sourced by modules:
 - **common-functions.sh** - Colors, print functions, formatting
 - **system-detect.sh** - Auto-detect environment (cPanel/Plesk/etc)
 - **user-manager.sh** - User selection, domain detection
 - **reference-db.sh** - Build/manage system reference database
 - **mysql-analyzer.sh** - MySQL analysis helper functions
 ### Modules Directory
 Feature implementations:
 - **security/** - Security tools (bot analyzer, etc.)
 - **performance/** - Performance tools (MySQL analyzer, etc.)
 - **wordpress/** through **reporting/** - Placeholder for future
 ### Tools Directory
 Diagnostic and testing utilities:
 - **diagnostic-report.sh** - Generates comprehensive system report
 - **test-domain-detection.sh** - Quick validation of domain detection
 ## Working Features
 ### Fully Implemented (✓)
 1. **Bot & Botnet Analyzer** (`modules/security/bot-analyzer.sh`)
   - Comprehensive log analysis
   - Threat scoring
   - IP blocking recommendations
   - CSF integration
   - Attack vector detection
 2. **MySQL Query Analyzer** (`modules/performance/mysql-query-analyzer.sh`)
   - Slow query detection
   - Query performance analysis
 3. **System Detection** (`lib/system-detect.sh`)
   - Auto-detect: cPanel, Plesk, InterWorx
   - OS, web server, database detection
   - Resource monitoring
 4. **User Management** (`lib/user-manager.sh`)
   - Interactive user selection
   - Arrow-key navigation
   - Search with confirmation
   - Domain detection
 ## In Development (Future)
 - WordPress Management (11 planned scripts)
 - Backup & Recovery (7 planned scripts)
 - Monitoring & Alerts (5 planned scripts)
 - Troubleshooting (9 planned scripts)
 - Reporting (6 planned scripts)
 See AUDIT-REPORT.md for complete list.
 ## Configuration
 Most settings auto-detect on first run. Manual configuration available in:
 - `config/settings.conf` - All settings (includes future features)
 - `config/settings.conf.minimal` - Only current features
 ## Logs & Cache
 Runtime files (auto-created):
 - `.sysref` - System reference database cache
 - `/tmp/bot_analysis_*.txt` - Bot analysis reports
 - `/tmp/mysql_analysis_*.txt` - MySQL analysis reports
 - `/tmp/server-toolkit-*` - Temporary session directories
 ## For Developers
 Key technical documentation:
 - **AUDIT-REPORT.md** - What's implemented vs. planned
 - **REFDB_FORMAT.txt** - Bug fixes, enhancements, lessons learned
 - **TROUBLESHOOTING.md** - Common issues and debug procedures
@@ -1,6 +1,6 @@
 # ⚡ Linux Server Management Toolkit
-Comprehensive cPanel/Linux server management suite with modular architecture and intelligent security features.
+Comprehensive multi-panel server management suite supporting cPanel, InterWorx, Plesk, and standalone Apache with modular architecture and intelligent security features.
 ## 📦 Directory Structure
@@ -10,6 +10,7 @@ server-toolkit/
 ├── README.md                            # This file
 │
 ├── modules/                             # Modular scripts organized by category
 │   │
 │   ├── security/                        # 🛡️ Security & Threat Analysis
 │   │   ├── bot-analyzer.sh             # Full bot/threat analysis
 │   │   ├── live-attack-monitor.sh      # Real-time attack monitoring dashboard
@@ -17,15 +18,40 @@ server-toolkit/
 │   │   ├── web-traffic-monitor.sh      # Web traffic monitoring
 │   │   ├── firewall-activity-monitor.sh # CSF/iptables monitoring
 │   │   ├── enable-cphulk.sh            # cPHulk enablement with CSF whitelist import
 │   │   ├── ip-reputation-manager.sh    # Centralized IP reputation tracking
 │   │   └── tail-*.sh                   # Various log monitoring scripts
 │   │
 │   ├── backup/                          # 💾 Backup & Recovery (Acronis Cyber Protect)
 │   │   ├── acronis-backup-manager.sh   # Main backup management menu
 │   │   ├── acronis-install.sh          # Install Acronis agent
 │   │   ├── acronis-update.sh           # Update Acronis agent
 │   │   ├── acronis-uninstall.sh        # Uninstall Acronis agent
 │   │   ├── acronis-register.sh         # Register agent with cloud
 │   │   ├── acronis-configure.sh        # Configure agent settings
 │   │   ├── acronis-agent-status.sh     # Comprehensive agent status check
 │   │   ├── acronis-trigger-backup.sh   # Trigger manual backups with optimizations
 │   │   ├── acronis-backup-status.sh    # Check backup job status
 │   │   ├── acronis-list-backups.sh     # List all backups
 │   │   ├── acronis-plan-manager.sh     # Manage protection plans
 │   │   ├── acronis-schedule-viewer.sh  # View backup schedules
 │   │   ├── acronis-restore.sh          # Restore from backup
 │   │   ├── acronis-logs.sh             # View Acronis logs
 │   │   └── acronis-troubleshoot.sh     # Troubleshoot common issues
 │   │
 │   ├── website/                         # 🌐 Website Diagnostics & Troubleshooting
 │   │   ├── website-error-analyzer.sh   # Comprehensive website error analysis
 │   │   └── 500-error-tracker.sh        # Track and analyze 500 errors
 │   │
 │   ├── diagnostics/                     # 🔍 System Diagnostics
 │   │   └── system-health-check.sh      # Comprehensive health analysis
 │   │
-│   └── performance/                     # 📊 Performance Analysis
+│   ├── performance/                     # 📊 Performance Analysis
-│       ├── hardware-health-check.sh    # Hardware diagnostics
+│   │   ├── hardware-health-check.sh    # Hardware diagnostics
-│       ├── mysql-query-analyzer.sh     # MySQL performance analysis
+│   │   ├── mysql-query-analyzer.sh     # MySQL performance analysis
-│       └── network-bandwidth-analyzer.sh # Network analysis
+│   │   └── network-bandwidth-analyzer.sh # Network analysis
 │   │
 │   └── maintenance/                     # 🧹 System Maintenance
 │       └── cleanup-toolkit-data.sh     # Clean temporary toolkit data
 │
 ├── lib/                                 # Shared libraries
 │   ├── common-functions.sh             # Reusable functions
@@ -46,15 +72,18 @@ server-toolkit/
 ## 🚀 Quick Start
-### Running
+### Installation & Running
 **One command - automatic cleanup:**
 ```bash
-# Direct method
+curl -sL https://git.mull.lol/cschantz/Linux-Server-Management-Toolkit/archive/main.tar.gz | tar xz && source linux-server-management-toolkit/run.sh
-bash /root/server-toolkit/launcher.sh
+```
-# Or make executable and run
+When exiting (option 0), answer "yes" and cleanup happens automatically - no extra steps.
-chmod +x /root/server-toolkit/launcher.sh
+
-/root/server-toolkit/launcher.sh
+Or if already downloaded:
 ```bash
 source /root/server-toolkit/run.sh
 ```
 ## ✨ Key Features
@@ -63,8 +92,24 @@ chmod +x /root/server-toolkit/launcher.sh
 - **3-Mode Security Menu**: Analysis / Actions / Live Monitoring
 - **Live Attack Monitor**: Real-time SOC dashboard with threat classification
 - **Intelligent cPHulk Setup**: Auto-imports CSF whitelists from all sources
 - **IP Reputation Tracking**: Centralized cross-module IP intelligence
 - **Multi-Source Monitoring**: SSH, Web, Firewall, cPHulk integration
 ### 💾 Backup & Recovery (Acronis Cyber Protect)
 - **Complete Agent Management**: Install, update, uninstall, register
 - **Comprehensive Status Monitoring**: Agent health, registration, cloud connectivity
 - **Manual Backup Triggering**: CLI-managed plans with performance optimizations
 - **Backup Type Selection**: Full, Incremental, Differential backups
 - **Plan Management**: View, enable/disable, delete protection plans
 - **Restore Operations**: Full restore capabilities from backups
 - **Troubleshooting Tools**: Log viewing and automated diagnostics
 ### 🌐 Website Diagnostics
 - **Error Analysis**: Comprehensive website error detection and troubleshooting
 - **500 Error Tracking**: Detailed analysis of application errors
 - **Log Integration**: Apache, PHP-FPM, cPanel error log analysis
 - **Smart Recommendations**: Context-aware suggestions for fixing issues
 ### 🔍 System Diagnostics
 - **Comprehensive Health Checks**: Hardware, services, security posture
 - **Smart Recommendations**: Context-aware suggestions based on findings
@@ -96,6 +141,25 @@ bash launcher.sh
 # Select: Enable cPHulk Protection
 ```
 ### Acronis Backup Management
 ```bash
 bash launcher.sh
 # Select: Backup & Recovery
 # Select: Check Agent Status (view health, registration, connectivity)
 # Select: Trigger Manual Backup (with type selection and optimizations)
 # Select: Manage Protection Plans
 ```
 ### Website Error Analysis
 ```bash
 bash launcher.sh
 # Select: Website Diagnostics & Troubleshooting
 # Select: Website Error Analyzer
 # Choose a cPanel user account to analyze
 ```
 ### System Health Check
 ```bash
@@ -118,14 +182,49 @@ nano /root/server-toolkit/config/settings.conf
 - **No sensitive data in repo**: .gitignore excludes keys, tokens, credentials
 - **Test first**: Try on non-production environments first
-## 📊 Recent Updates (v2.0)
+## 📊 Recent Updates (v2.2)
- ✅ Complete security menu restructure (3-mode hierarchy)
+### Multi-Control Panel Support (NEW!)
- ✅ Live network security monitoring dashboard
+- ✅ Full cPanel support (primary platform - production ready)
- ✅ Intelligent cPHulk enablement with multi-source CSF whitelist discovery
+- ✅ InterWorx support (validated on real servers - production ready)
 - ✅ Plesk support (validated on real servers - production ready)
 - ✅ Standalone Apache support (basic functionality)
 - ✅ 38/38 modules refactored for multi-panel architecture (100% complete)
 - ✅ Automated validation scripts for InterWorx and Plesk (13 and 15 tests)
 - ✅ All critical paths verified on production systems
 ### System Detection & Abstraction
 - ✅ Automatic control panel detection (system-detect.sh)
 - ✅ Multi-panel user/domain management abstraction (user-manager.sh)
 - ✅ Dynamic log discovery for all panel types
 - ✅ Panel-specific path handling (docroots, logs, configs)
 - ✅ Zero hardcoded paths - all detection-based
 ### Backup & Recovery
 - ✅ Complete Acronis Cyber Protect integration (16 management scripts)
 - ✅ Agent installation, registration, and update automation
 - ✅ Comprehensive status monitoring (health, registration, connectivity)
 - ✅ Manual backup triggering with performance optimizations
 - ✅ Protection plan management and scheduling
 ### Website Diagnostics
 - ✅ Comprehensive website error analyzer (multi-panel)
 - ✅ 500 error tracking and troubleshooting (multi-panel)
 - ✅ Multi-log integration (Apache, PHP-FPM, all panels)
 - ✅ Smart error detection and recommendations
 ### Security Enhancements
 - ✅ Bot analyzer with multi-panel log discovery
 - ✅ Live attack monitor supporting all control panels
 - ✅ Malware scanner with panel-aware docroot detection
 - ✅ Centralized IP reputation tracking
 - ✅ Real-time threat detection and classification
 ### Core Infrastructure
 - ✅ Modular architecture with organized category structure
 - ✅ Reference database for cross-module intelligence
- ✅ Git repository integration
+- ✅ Comprehensive developer documentation (REFDB_FORMAT.txt)
 - ✅ Production validation complete for all major panels
 ## 🙏 Credits
@@ -133,5 +232,5 @@ Built for comprehensive cPanel/Linux server management with a focus on security
 ---
-**Version**: 2.0.0
+**Version**: 2.1.0
 **Repository**: https://git.mull.lol/cschantz/Linux-Server-Management-Toolkit
@@ -1,283 +0,0 @@
 # SESSION INTELLIGENCE - Cross-Module Data Sharing
 ## Overview
 The Server Toolkit now implements **Session Intelligence** - allowing modules to reference data collected by other modules during the current troubleshooting session. This is optimized for the **download → diagnose → troubleshoot → delete** workflow.
 ## Use Case
 Since the toolkit is meant to be temporary (not permanently installed), we don't track historical trends. Instead, we enable **cross-module intelligence** so modules can make smarter recommendations based on what's happening RIGHT NOW.
 ## Example Scenarios
 ### Scenario 1: Bot Attack During System Load
 ```bash
 # User runs System Health Check first
 # Discovers: CPU at 95%, Memory at 92%, HIGH LOAD
 # User then runs Bot Analyzer
 # Bot analyzer checks: db_is_system_under_load
 # Result: "High bot traffic detected, but system is already under load.
 #          Performance issues may be partially due to system resources,
 #          not just bots. Recommend addressing system load first."
 ```
 ### Scenario 2: Slow MySQL During Network Issues
 ```bash
 # User runs System Health Check
 # Discovers: TCP retransmission at 15%, HIGH network issues
 # User then runs MySQL Query Analyzer
 # MySQL analyzer checks: db_has_network_issues
 # Result: "Slow queries detected, but network is experiencing high
 #          retransmission rates. Some query timeouts may be network-
 #          related rather than database performance."
 ```
 ### Scenario 3: Bot Attack + SSH Brute Force
 ```bash
 # User runs System Health Check
 # Discovers: 5,000 failed SSH attempts today
 # User then runs Bot Analyzer
 # Bot analyzer checks: db_is_under_attack
 # Result: "Bot traffic detected AND system is under active SSH attack.
 #          Recommend immediate firewall hardening and cPHulk enablement."
 ```
 ## Architecture
 ### Data Storage: Reference Database (`.sysref`)
 The health check saves current session metrics to `[HEALTH_BASELINE]` section:
 **System Resources:**
 - MEMORY_TOTAL_MB, MEMORY_USED_PERCENT
 - CPU_LOAD_1MIN, CPU_CORES
 - DISK_USED_PERCENT, IOWAIT_PERCENT
 **Services:**
 - HTTPD_STATUS, MYSQL_STATUS
 - FIREWALL_STATUS, EMAIL_QUEUE_SIZE
 - ZOMBIE_PROCESSES
 **Network Status:**
 - NETWORK_INTERFACE, NETWORK_MTU
 - NETWORK_RX_ERRORS, NETWORK_TX_ERRORS
 - NETWORK_RX_DROPPED, NETWORK_TX_DROPPED
 - TCP_RETRANS_PERCENT
 **Hardware Status:**
 - DISK_SMART_STATUS
 - HARDWARE_ERRORS
 **Security Status:**
 - SSH_FAILED_ATTEMPTS_TOTAL
 - SSH_ATTACKS_TODAY
 - CPHULK_STATUS
 **Issue Counts:**
 - CRITICAL_ISSUES, HIGH_ISSUES
 - MEDIUM_ISSUES, LOW_ISSUES
 ### Helper Functions (`lib/reference-db.sh`)
 #### Query Individual Metrics
 ```bash
 value=$(db_get_health_metric "MEMORY_USED_PERCENT")
 echo "Memory: $value%"
 ```
 #### Intelligence Functions
 **Check System Load:**
 ```bash
 if db_is_system_under_load; then
    echo "System under heavy load (CPU > 80% or Memory > 90%)"
    # Adjust recommendations
 fi
 ```
 **Check Network Issues:**
 ```bash
 if db_has_network_issues; then
    echo "Network problems detected (retrans > 5% or errors > 100)"
    # Consider network factors in analysis
 fi
 ```
 **Check Security Status:**
 ```bash
 if db_is_under_attack; then
    echo "Active attacks detected (> 100 SSH failures today)"
    # Correlate with security findings
 fi
 ```
 #### Get All Metrics
 ```bash
 db_get_all_health  # Returns all HEALTH| lines
 ```
 ## Implementation in Modules
 ### Pattern 1: Contextual Recommendations
 ```bash
 # In any module, after sourcing reference-db.sh
 # Check system context
 if db_is_system_under_load; then
    echo "NOTE: System is currently under heavy load."
    echo "      Some issues may be resource-related."
 fi
 if db_has_network_issues; then
    echo "NOTE: Network experiencing high retransmission rates."
    echo "      Connection issues may be network-related."
 fi
 if db_is_under_attack; then
    echo "WARNING: System under active SSH attack."
    echo "         Security hardening recommended."
 fi
 ```
 ### Pattern 2: Adjusted Thresholds
 ```bash
 # MySQL slow query analyzer
 # Normal threshold: 5 seconds
 SLOW_THRESHOLD=5
 # But if system is under load, adjust threshold
 if db_is_system_under_load; then
    SLOW_THRESHOLD=10
    echo "System under load - using relaxed slow query threshold"
 fi
 ```
 ### Pattern 3: Root Cause Analysis
 ```bash
 # Website performance analyzer
 if db_has_network_issues; then
    echo "Website slow, AND network has issues."
    echo "Root cause may be network, not website code."
    echo "Recommendation: Fix network first, then re-test."
 fi
 ```
 ## Testing
 Run the test script to verify cross-module intelligence:
 ```bash
 # First, generate session data
 ./launcher.sh
 # Choose option 1: System Health Check
 # Then test intelligence
 ./tools/test-cross-module-intelligence.sh
 ```
 Expected output shows:
 - All health metrics populated
 - Intelligence functions working
 - System status correctly identified
 ## Best Practices
 ### DO:
 ✅ Run System Health Check **FIRST** in troubleshooting session
 ✅ Use intelligence functions to provide context-aware recommendations
 ✅ Correlate findings across modules
 ✅ Adjust thresholds based on system state
 ### DON'T:
 ❌ Rely on this data for historical trend analysis (it's session-only)
 ❌ Assume data exists (always check if metric is populated)
 ❌ Make critical decisions solely on this data
 ❌ Store this long-term (it gets cleaned up)
 ## Example: Enhanced Bot Analyzer (Future)
 ```bash
 # modules/security/bot-analyzer.sh
 source "$SCRIPT_DIR/lib/reference-db.sh"
 # After analysis, provide context
 if db_has_network_issues; then
    echo ""
    print_warning "Network Issues Detected"
    echo "System experiencing:"
    echo "  • TCP Retransmission: $(db_get_health_metric 'TCP_RETRANS_PERCENT')%"
    echo "  • Network errors: $(db_get_health_metric 'NETWORK_RX_ERRORS')"
    echo ""
    echo "Bot traffic may be compounded by network problems."
    echo "Recommendation: Address network issues first (see System Health Check)"
 fi
 if db_is_system_under_load; then
    echo ""
    print_warning "System Under Heavy Load"
    echo "Current state:"
    echo "  • CPU Load: $(db_get_health_metric 'CPU_LOAD_1MIN')"
    echo "  • Memory: $(db_get_health_metric 'MEMORY_USED_PERCENT')%"
    echo ""
    echo "High bot traffic + system load = performance degradation."
    echo "Recommendation: Block bots AND investigate resource usage."
 fi
 ```
 ## Files Modified
 1. **modules/diagnostics/system-health-check.sh**
   - Enhanced `save_health_baseline()` function
   - Now saves network, hardware, and security metrics
   - Lines: 1660-1758
 2. **lib/reference-db.sh**
   - Added `db_get_health_metric()` - query individual metrics
   - Added `db_is_system_under_load()` - check if CPU/memory high
   - Added `db_has_network_issues()` - check for network problems
   - Added `db_is_under_attack()` - check for active attacks
   - Added `db_get_all_health()` - get all health data
   - Lines: 446-497
 3. **tools/test-cross-module-intelligence.sh** (NEW)
   - Test script demonstrating cross-module queries
   - Shows how to use intelligence functions
 ## Data Lifetime
 - **Created:** When System Health Check runs
 - **Stored:** In `.sysref` file (memory + disk)
 - **Expires:** After 1 hour OR when cleanup/reset runs
 - **Removed:** When toolkit is deleted
 ## Future Enhancements
 Potential modules that could benefit:
 1. **WordPress Health Check**
   - Check if slow WP sites correlate with network/load issues
 2. **Backup Analyzer**
   - Check if backup failures correlate with disk/load issues
 3. **Email Troubleshooter**
   - Check if email issues correlate with network/disk problems
 4. **Resource Monitor**
   - Compare current metrics vs health check baseline
 ## Summary
 Session Intelligence transforms the toolkit from **isolated modules** into an **integrated diagnostic platform**. Each module can now make smarter, context-aware recommendations based on the complete picture of what's happening on the server RIGHT NOW.
 No historical data needed. No complex trending. Just smart, session-aware troubleshooting.
@@ -1,379 +0,0 @@
 # 🚀 Server Management Toolkit - Setup Guide
 ## ✅ What You Have Now
 A **modular, scalable server management system** with:
 ✨ **Professional Menu System**
 - Clean, organized category-based menus
 - Color-coded interface
 - Easy navigation
 📦 **Modular Architecture**
 - 7 main categories (80+ potential modules)
 - Easy to add new modules
 - Organized by function
 ☁️ **Nextcloud Integration**
 - Download modules on-demand
 - Easy updates
 - Share across multiple servers
 🎯 **First Module Ready**
 - `bot-analyzer.sh` - Enhanced v3.0
 - All improvements we made today
 - Ready to use immediately
 ---
 ## 📋 Directory Structure
 ```
 /root/server-toolkit/
 ├── launcher.sh              ← Main menu (run this!)
 ├── install.sh               ← Quick installer
 ├── README.md                ← Full documentation
 ├── manifest.txt.example     ← Template for Nextcloud
 │
 ├── modules/
 │   ├── security/
 │   │   └── bot-analyzer.sh  ✅ READY (v3.0 Enhanced)
 │   ├── wordpress/           (empty - add modules here)
 │   ├── performance/         (empty - add modules here)
 │   ├── backup/              (empty - add modules here)
 │   ├── monitoring/          (empty - add modules here)
 │   ├── troubleshooting/     (empty - add modules here)
 │   └── reporting/           (empty - add modules here)
 │
 ├── lib/                     (common functions - future)
 ├── config/                  (created on first run)
 └── logs/                    (created on first run)
 ```
 ---
 ## 🎯 Quick Start (3 Steps)
 ### Step 1: Run the Installer
 ```bash
 cd /root/server-toolkit
 chmod +x install.sh
 ./install.sh
 ```
 **What it does:**
 - Creates directory structure
 - Sets permissions
 - Offers to create `/usr/local/bin/server-toolkit` symlink
 ### Step 2: Launch & Configure
 ```bash
 # Option A: Direct
 /root/server-toolkit/launcher.sh
 # Option B: If symlink created
 server-toolkit
 ```
 **First time:**
 1. Select `9` (Configuration)
 2. Set your Nextcloud URL (optional, for module downloads)
 3. Review other settings
 4. Save and exit
 ### Step 3: Test the Bot Analyzer
 From the launcher:
 1. Select `1` (Security & Threat Analysis)
 2. Select `1` (Full Bot Analysis)
 3. Watch it run!
 ---
 ## ☁️ Nextcloud Setup (Optional but Recommended)
 ### Why Use Nextcloud?
 ✅ Store all modules in one place
 ✅ Easy updates across multiple servers
 ✅ No need to manually copy files
 ✅ Version control your modules
 ### Setup Process
 **1. Upload to Nextcloud**
 ```
 your-nextcloud/
 └── server-toolkit/
    ├── manifest.txt           ← Copy from manifest.txt.example
    └── modules/
        ├── security/
        │   ├── bot-analyzer.sh
        │   ├── live-monitor.sh
        │   └── ...
        ├── wordpress/
        │   ├── wp-cron-status.sh
        │   └── ...
        └── ...
 ```
 **2. Share the Folder**
 - Right-click folder → Share
 - Create public link
 - Enable "Allow download"
 - Copy the share link
 **3. Convert Link to Download URL**
 Original link:
 ```
 https://nextcloud.example.com/s/AbC123DeF
 ```
 Convert to:
 ```
 https://nextcloud.example.com/s/AbC123DeF/download?path=/
 ```
 **4. Configure**
 ```bash
 nano /root/server-toolkit/config/settings.conf
 ```
 Set:
 ```bash
 NEXTCLOUD_BASE_URL="https://nextcloud.example.com/s/AbC123DeF/download?path=/"
 ```
 **5. Update Modules**
 From launcher: Select `8` (Update All Modules)
 ---
 ## 🔧 Adding New Modules
 ### Method 1: Create Locally
 ```bash
 # Create new module
 nano /root/server-toolkit/modules/wordpress/wp-cron-status.sh
 # Make executable
 chmod +x /root/server-toolkit/modules/wordpress/wp-cron-status.sh
 # Test it
 /root/server-toolkit/modules/wordpress/wp-cron-status.sh
 # It's now available in the launcher menu!
 ```
 ### Method 2: Download from Nextcloud
 1. Upload to Nextcloud: `modules/wordpress/wp-cron-status.sh`
 2. Add to `manifest.txt`: `wordpress:wp-cron-status.sh`
 3. From launcher: Select `8` (Update All Modules)
 ---
 ## 📊 Current Features
 ### ✅ Working Now
 | Feature | Status |
 |---------|--------|
 | Modular architecture | ✅ Complete |
 | Category-based menus | ✅ Complete |
 | Bot analyzer v3.0 | ✅ Working |
 | Server IP detection | ✅ Working |
 | Threat scoring | ✅ Working |
 | Nextcloud integration | ✅ Working |
 | Configuration system | ✅ Working |
 | Auto-updates | ✅ Working |
 ### 🔜 Coming Soon (As You Build Them)
 | Module | Priority | Category |
 |--------|----------|----------|
 | wp-cron-status.sh | High | WordPress |
 | wp-cron-mass-fix.sh | High | WordPress |
 | oom-killer-plotter.sh | Medium | Troubleshooting |
 | resource-monitor.sh | Medium | Performance |
 | disk-usage-report.sh | Medium | Performance |
 ---
 ## 🎓 Example Workflows
 ### Daily Security Check
 ```bash
 server-toolkit
 → 1 (Security)
 → 2 (Quick Scan - 1 hour)
 → Review threats
 → 5 (Auto-Block if needed)
 ```
 ### WordPress Maintenance
 ```bash
 server-toolkit
 → 2 (WordPress)
 → 2 (Check WP-Cron status)
 → 3 (Fix if broken)
 → 7 (Optimize databases)
 ```
 ### Performance Investigation
 ```bash
 server-toolkit
 → 3 (Performance)
 → 1 (Resource Monitor)
 → 2 (Top Processes)
 → Identify issues
 ```
 ### Troubleshoot Out-of-Memory
 ```bash
 server-toolkit
 → 6 (Troubleshooting)
 → 1 (OOM Killer Plotter)
 → Review memory spikes
 ```
 ---
 ## 🔐 Security Best Practices
 ### Before Running
 ✅ Always backup first
 ✅ Test on staging if possible
 ✅ Review whitelist before blocking
 ✅ Check false positives
 ### Regular Maintenance
 📅 **Daily**: Quick security scan
 📅 **Weekly**: Full bot analysis
 📅 **Monthly**: Update all modules
 📅 **Quarterly**: Review all whitelists
 ---
 ## 🆘 Troubleshooting
 ### Launcher Won't Start
 ```bash
 chmod +x /root/server-toolkit/launcher.sh
 bash /root/server-toolkit/launcher.sh
 ```
 ### Module Not Found
 ```bash
 # Check if it exists
 ls -la /root/server-toolkit/modules/security/bot-analyzer.sh
 # Redownload from Nextcloud
 server-toolkit → 8 (Update)
 ```
 ### Config Issues
 ```bash
 # Recreate config
 rm /root/server-toolkit/config/settings.conf
 server-toolkit → 9 (Configuration)
 ```
 ### Nextcloud Download Fails
 1. Check NEXTCLOUD_BASE_URL format
 2. Ensure Nextcloud folder is shared publicly
 3. Test URL in browser first
 4. Check manifest.txt format
 ---
 ## 📞 Next Steps
 ### Immediate
 1. ✅ Run installer
 2. ✅ Test bot analyzer
 3. ✅ Configure settings
 ### Short Term
 1. 📝 Create wp-cron-status.sh module
 2. 📝 Create wp-cron-mass-fix.sh module
 3. ☁️ Setup Nextcloud distribution
 ### Long Term
 1. 📦 Build remaining modules
 2. 🔄 Setup automated updates
 3. 📧 Configure email alerts
 4. 📊 Create custom dashboards
 ---
 ## 💡 Pro Tips
 ### Performance
 - Bot analyzer runs in < 1 second for small logs
 - Use `-H 1` for quick scans
 - Schedule daily cron for security checks
 ### Organization
 - Keep modules organized by category
 - Use descriptive names
 - Add comments in scripts
 - Update manifest when adding modules
 ### Distribution
 - Use Nextcloud for easy sharing
 - Keep manifest.txt updated
 - Version your modules
 - Test before distributing
 ---
 ## 📚 Documentation
 - `README.md` - Full documentation
 - `launcher.sh` - Built-in help menus
 - Each module - Individual usage info
 ---
 ## ✅ Installation Checklist
 - [ ] Ran `/root/server-toolkit/install.sh`
 - [ ] Launcher runs successfully
 - [ ] Created symlink (optional)
 - [ ] Configured settings
 - [ ] Tested bot analyzer
 - [ ] Setup Nextcloud (optional)
 - [ ] Updated modules (if using Nextcloud)
 ---
 **You now have a professional, scalable server management system!** 🎉
 Add modules as you need them, share via Nextcloud, and manage your entire infrastructure from one clean interface.
 **Version**: 2.0.0
 **Date**: 2025-10-30
@@ -1,273 +0,0 @@
 # Server Toolkit - Troubleshooting Guide
 ## Quick Diagnostics
 ### Test Domain Detection
 ```bash
 bash /root/server-toolkit/tools/test-domain-detection.sh
 ```
 This will tell you immediately if domain detection is working.
 ### Check System Detection Variables
 ```bash
 bash -c '
 source /root/server-toolkit/lib/system-detect.sh
 echo "SYS_CONTROL_PANEL: [$SYS_CONTROL_PANEL]"
 echo "SYS_DETECTION_COMPLETE: [$SYS_DETECTION_COMPLETE]"
 '
 ```
 Both should have values. If empty, system detection failed.
 ### Test User Domain Lookup
 ```bash
 bash -c '
 source /root/server-toolkit/lib/system-detect.sh
 source /root/server-toolkit/lib/user-manager.sh
 get_user_domains "USERNAME"
 '
 ```
 Replace USERNAME with actual username. Should return domain(s).
 ---
 ## Common Issues
 ### Issue: User shows "(no domains) (0 domains)"
 **Symptoms:**
 - User selection menu shows 0 domains
 - Bot analyzer says "No domains found for user"
 - Domain exists in cPanel
 **Diagnosis:**
 1. Run: `echo $SYS_CONTROL_PANEL` in your shell
 2. If empty, environment is corrupted
 **Fix:**
 - Option 1: Exit launcher completely and restart
 - Option 2: Select option 8 (Cleanup/Reset) in launcher
 - Option 3: Close entire SSH session and reconnect
 **Why it happens:**
 Launcher inherited broken environment variables from a previous session where
 libraries had bugs. Child processes (like bot-analyzer) inherit these.
 ---
 ### Issue: Functions not found / command not found
 **Symptoms:**
 - `bash: select_user_interactive: command not found`
 - `bash: get_user_domains: command not found`
 **Diagnosis:**
 Libraries weren't sourced correctly.
 **Fix:**
 1. Check that files exist:
 ```bash
 ls -la /root/server-toolkit/lib/*.sh
 ```
 2. Test sourcing manually:
 ```bash
 source /root/server-toolkit/lib/system-detect.sh
 source /root/server-toolkit/lib/user-manager.sh
 ```
 3. Check for syntax errors:
 ```bash
 bash -n /root/server-toolkit/lib/system-detect.sh
 bash -n /root/server-toolkit/lib/user-manager.sh
 ```
 ---
 ### Issue: Menus displaying twice or garbled output
 **Symptoms:**
 - Same menu appears multiple times
 - Detection messages appear before menus
 - ANSI codes visible like `[H[J`
 **Diagnosis:**
 Terminal doesn't support ANSI codes or clear screen.
 **Fix:**
 Set high contrast mode:
 ```bash
 export TOOLKIT_HIGH_CONTRAST=1
 bash /root/server-toolkit/launcher.sh
 ```
 Or disable colors completely:
 ```bash
 export TOOLKIT_NO_COLOR=1
 bash /root/server-toolkit/launcher.sh
 ```
 ---
 ### Issue: CSF commands not working
 **Symptoms:**
 - "csf: command not found"
 - CSF blocking options don't work
 **Diagnosis:**
 CSF not installed or not in PATH.
 **Check:**
 ```bash
 which csf
 csf -v
 ```
 **Fix:**
 Install CSF or use alternative security methods (Apache .htaccess, etc.)
 ---
 ### Issue: cPanel users not detected
 **Symptoms:**
 - "No users found"
 - list_all_users returns nothing
 **Diagnosis:**
 Check if cPanel user files exist:
 ```bash
 ls -la /var/cpanel/users/
 cat /etc/trueuserdomains | head
 ```
 **Fix:**
 If files missing, not a cPanel system. System will fall back to standard
 user detection from /etc/passwd.
 ---
 ## Debug Mode
 ### Enable Verbose Initialization
 ```bash
 export TOOLKIT_VERBOSE_INIT=1
 bash /root/server-toolkit/launcher.sh
 ```
 Shows all system detection messages.
 ### Trace Execution
 ```bash
 bash -x /root/server-toolkit/modules/security/bot-analyzer.sh 2>&1 | less
 ```
 Shows every command executed (very verbose).
 ### Check Environment Variables
 ```bash
 # Show all SYS_* variables
 env | grep "^SYS_"
 # Show all toolkit-related variables
 env | grep -i toolkit
 ```
 ---
 ## File Locations
 ### Logs
 - Bot analysis reports: `/tmp/bot_analysis_report_*.txt`
 - MySQL analysis: `/tmp/mysql_analysis_*.txt`
 - Temp sessions: `/tmp/server-toolkit-*`
 ### Cache Files
 - System reference database: `/root/server-toolkit/.sysref`
 - Timestamp file: `/root/server-toolkit/.sysref.timestamp`
 ### Configuration
 - Settings: `/root/server-toolkit/config/settings.conf`
 - Custom slash commands: `/root/server-toolkit/.claude/commands/`
 ---
 ## Performance Issues
 ### Issue: Slow user selection with 200+ users
 **Fix:**
 - Use search: `s <partial-name>`
 - Searches only, doesn't list all users
 - Much faster than 'L' (list all)
 ### Issue: Bot analyzer takes too long
 **Optimization:**
 1. Use time filters: Last 1 hour instead of "All logs"
 2. Use user filter: Analyze specific user instead of all
 3. Check log size: `du -sh /var/log/apache2/domlogs/*`
 ---
 ## Recovery Commands
 ### Complete Reset
 ```bash
 # In launcher, select option 8 (Cleanup/Reset)
 # Or manually:
 rm -f /root/server-toolkit/.sysref*
 rm -rf /tmp/server-toolkit-*
 rm -f /tmp/bot_analysis_* /tmp/mysql_analysis_*
 ```
 ### Force Library Reload
 ```bash
 # In bash session:
 for var in $(compgen -e | grep "^SYS_"); do unset "$var"; done
 unset -f initialize_system_detection get_user_domains select_user_interactive
 source /root/server-toolkit/lib/system-detect.sh
 source /root/server-toolkit/lib/user-manager.sh
 ```
 ### Kill Stuck Processes
 ```bash
 # Find launcher processes
 ps aux | grep launcher
 # Kill specific PID
 kill -9 <PID>
 # Kill all launcher instances
 pkill -9 -f launcher.sh
 ```
 ---
 ## Getting Help
 ### Self-Diagnostic
 1. Run test script: `bash /root/server-toolkit/tools/test-domain-detection.sh`
 2. Check REFDB_FORMAT.txt for known bugs and fixes
 3. Review this troubleshooting guide
 ### Report Issues
 When reporting problems, include:
 1. Output of test-domain-detection.sh
 2. Output of: `env | grep "^SYS_"`
 3. Control panel type: `cat /usr/local/cpanel/version` or equivalent
 4. Error messages (exact text)
 5. Steps to reproduce
 ### Quick Fixes to Try First
 1. Exit and restart launcher
 2. Run Cleanup/Reset (option 8)
 3. Close SSH and reconnect
 4. Run test-domain-detection.sh to verify files are correct
 ---
 ## Version Information
 **Created:** 2025-10-31
 **Last Updated:** 2025-10-31
 **Toolkit Version:** 2.0.0
 **Compatible With:** cPanel, Plesk, InterWorx, Standalone Linux servers
@@ -1,441 +0,0 @@
 # 🎉 What We Built Today - Complete Summary
 ## 📦 Deliverables
 ### 1. **Enhanced Bot Analyzer v3.0**
 Location: `/root/server-toolkit/modules/security/bot-analyzer.sh`
 **Major Improvements:**
 - ✅ Enhanced attack vector detection (6 types)
 - ✅ Threat scoring system (0-100 risk scores)
 - ✅ Time-series analysis with hourly breakdown
 - ✅ Response code intelligence
 - ✅ False positive detection
 - ✅ Server IP auto-detection
 - ✅ Bandwidth cost estimation
 - ✅ **60-120x performance improvement**
 - ✅ Private IP filtering
 - ✅ Prioritized blocklists
 ### 2. **Professional Server Management Toolkit**
 Location: `/root/server-toolkit/`
 **Complete Modular System:**
 - ✅ Clean launcher with 7 category menus
 - ✅ 80+ module slots organized by function
 - ✅ Nextcloud integration for remote updates
 - ✅ Configuration management
 - ✅ Professional directory structure
 ---
 ## 🚀 Bot Analyzer Enhancements (v3.0)
 ### Attack Vector Detection
 **OLD**: Only detected SQL injection and generic scanners
 **NEW**: Detects 6 attack types:
 ```
 💉 SQL Injection       - UNION, SELECT, hex encoding
 🌐 XSS Attacks         - JavaScript injection, event handlers
 📁 Path Traversal      - Directory traversal, LFI
 📤 RCE/Shell Upload    - PHP shells, backdoors
 🔍 Info Disclosure     - .git, .env, config files
 🔓 Login Bruteforce    - wp-login, xmlrpc attacks
 ```
 ### Threat Scoring System
 **NEW Feature**: Each IP gets 0-100 risk score
 **Example Output:**
 ```
 [1] 143.244.57.123 - RISK: 98/100 🔴 CRITICAL
    648 requests - Action: BLOCK IMMEDIATELY + INVESTIGATE
    Attack vectors: SQL-Injection RCE/Upload Login-Bruteforce DDoS-Pattern
 ```
 **Score Components:**
 - Request volume: up to 10 points
 - Attack patterns: up to 70 points
 - Behavioral signals: up to 20 points
 ### Time-Series Analysis
 **NEW**: Hourly traffic visualization
 ```
 Bot Traffic Timeline (hourly):
  14:00-15:00: ████████░░ 8,240 bot requests
  15:00-16:00: ███░░░░░░░ 3,120 bot requests
  16:00-17:00: ██████████ 12,450 bot requests ⚠️ SPIKE
 ```
 ### Response Code Intelligence
 **NEW**: Shows what bots are finding
 ```
 200 (Success):     18,432 (62%) ✓ Bots are getting data
 404 (Not Found):    7,891 (27%) ⚠️ Scanning for vulnerabilities
 403 (Forbidden):    2,103 (7%)  ✓ Blocked by existing rules
 500 (Server Error):    12 (0%)  🚨 Check if exploit triggered
 ```
 ### False Positive Detection
 **NEW**: Auto-identifies legitimate services
 ```
 ⚠️ Whitelist Recommendations:
  65.181.111.155 - 11,515 requests - Identified as: Pingdom Monitoring
    → Action: VERIFY OWNERSHIP then whitelist
 ```
 **Detects:**
 - Pingdom, UptimeRobot, StatusCake
 - WordPress cache preload (WP Rocket, Hummingbird)
 - Backup services (Jetpack, VaultPress)
 ### Server IP Detection
 **NEW**: Auto-detects and excludes server's own IPs
 **5 Detection Methods:**
 1. hostname -I (network interfaces)
 2. ip addr show (Linux IP command)
 3. ifconfig (legacy fallback)
 4. External services (public IP)
 5. cPanel mainip file
 **Output:**
 ```
 ✓ Detected 2 server IP(s) - excluded from threat analysis
 🖥️  Server IPs Detected:
  • 127.0.0.1
  • 67.227.199.95
 ```
 ### Bandwidth Cost Estimation
 **NEW**: Shows financial impact
 ```
 💰 Bandwidth Impact:
   Total bot bandwidth: 847 MB (0.85 GB) - 14.2% of total
   Estimated cost: $0.08 (at $0.09/GB CDN pricing)
 ```
 ### Prioritized Blocklists
 **OLD**: Random order, no context
 **NEW**: Sorted by threat score with annotations
 ```
 # IPs sorted by risk score (highest first)
 Deny from 91.92.243.107  # Risk score: 98/100
 Deny from 34.192.124.246  # Risk score: 85/100
 Deny from 4.245.190.15    # Risk score: 72/100
 ```
 ### Performance Optimization
 **MASSIVE Speed Improvement:**
 | Dataset | Old Method | New Method | Speedup |
 |---------|------------|------------|---------|
 | 1,000 IPs / 50K entries | ~2 minutes | ~2 seconds | **60x** |
 | 10,000 IPs / 250K entries | ~10 minutes | ~10 seconds | **60x** |
 | 25,000 IPs / 500K entries | ~30 minutes | ~30 seconds | **60x** |
 | 50,000 IPs / 1M entries | ~2 hours | ~60 seconds | **120x** |
 **How?**
 - Eliminated 275,000 grep operations
 - Pre-count requests (single pass)
 - Hash table lookups (O(1) vs O(n))
 - Smart caching
 ---
 ## 📊 Server Management Toolkit
 ### Architecture
 ```
 7 Categories × ~12 modules each = 80+ total module slots
 🛡️  Security & Threat Analysis     (10 modules)
 🔧 WordPress Management            (14 modules)
 📊 Performance & Diagnostics       (11 modules)
 💾 Backup & Recovery               (8 modules)
 🔍 Monitoring & Alerts             (8 modules)
 🚨 Troubleshooting & Diagnostics   (11 modules)
 📈 Reporting & Analytics           (7 modules)
 ```
 ### Key Features
 **✨ Clean Interface**
 - Color-coded menus
 - Intuitive navigation
 - Consistent UX
 **📦 Modular Design**
 - Easy to add modules
 - Independent components
 - Shared libraries
 **☁️ Nextcloud Integration**
 - Download modules on-demand
 - Easy updates
 - Share across servers
 **⚙️ Configuration System**
 - Centralized settings
 - Per-module customization
 - Whitelist management
 **🔄 Auto-Updates**
 - One-click module updates
 - Version tracking
 - Manifest-based
 ### Future Modules (Examples)
 **WordPress:**
 - `wp-cron-status.sh` - Check cron health
 - `wp-cron-mass-fix.sh` - Fix broken crons
 - `wp-cron-mass-create.sh` - Setup system crons
 - `wp-malware-scanner.sh` - Detect infections
 **Troubleshooting:**
 - `oom-killer-plotter.sh` - Memory event analysis
 - `hard-drive-error-tracker.sh` - SMART monitoring
 - `kernel-log-analyzer.sh` - System event parser
 **Performance:**
 - `resource-monitor.sh` - Real-time dashboard
 - `disk-io-analyzer.sh` - I/O bottlenecks
 - `inode-usage-checker.sh` - Find inode hogs
 ---
 ## 📈 Comparison: Before vs After
 ### Bot Analyzer
 | Feature | Before (v2.0) | After (v3.0) |
 |---------|---------------|--------------|
 | Attack types | 1 (SQL only) | 6 comprehensive |
 | Threat scoring | No | Yes (0-100 scale) |
 | Time analysis | No | Hourly breakdown |
 | Response analysis | No | Yes with insights |
 | False positives | Manual review | Auto-detection |
 | Server IP handling | Not excluded | Auto-detected & excluded |
 | Bandwidth cost | Not shown | Estimated with cost |
 | Blocklist quality | Basic | Prioritized by risk |
 | Performance (25K IPs) | 30 minutes | 30 seconds |
 ### Overall System
 | Aspect | Before | After |
 |--------|--------|-------|
 | Organization | Single script | Modular system |
 | Maintainability | Hard | Easy |
 | Scalability | Limited | Unlimited |
 | Distribution | Manual copy | Nextcloud sync |
 | Updates | Manual | One-click |
 | Categories | N/A | 7 organized |
 | Future growth | Difficult | Simple |
 ---
 ## 🎯 What You Can Do Now
 ### Immediate
 ✅ Run full security analysis
 ✅ Get detailed threat reports
 ✅ Auto-block high-risk IPs
 ✅ Identify false positives
 ✅ Track bandwidth costs
 ### Short Term
 📝 Add WordPress cron modules
 📝 Create custom monitors
 📝 Build troubleshooting tools
 ☁️ Setup Nextcloud distribution
 ### Long Term
 🔄 Automated daily security scans
 📊 Historical trending dashboards
 📧 Alert automation
 🎯 Custom report generation
 ---
 ## 📁 File Locations
 ### Main Files
 ```
 /root/server-toolkit/launcher.sh          # Run this!
 /root/server-toolkit/install.sh           # One-time setup
 /root/server-toolkit/README.md            # Full docs
 /root/server-toolkit/SETUP_GUIDE.md       # Quick start
 /root/server-toolkit/WHATS_NEW.md         # This file
 ```
 ### Bot Analyzer
 ```
 /root/server-toolkit/modules/security/bot-analyzer.sh  # Enhanced v3.0
 /root/bot_analyzer.sh                                  # Original (backup)
 ```
 ### Configuration
 ```
 /root/server-toolkit/config/settings.conf              # Main config
 /root/server-toolkit/config/whitelist-ips.txt          # IP whitelist
 ```
 ---
 ## 🚀 Getting Started
 ### Step 1: Run Installer
 ```bash
 cd /root/server-toolkit
 ./install.sh
 ```
 ### Step 2: Launch
 ```bash
 /root/server-toolkit/launcher.sh
 # or if symlink created:
 server-toolkit
 ```
 ### Step 3: Test Bot Analyzer
 ```
 Main Menu → 1 (Security) → 1 (Full Bot Analysis)
 ```
 ### Step 4: Configure (Optional)
 ```
 Main Menu → 9 (Configuration)
 ```
 ---
 ## 💡 Key Improvements by Category
 ### Security Analysis
 - 6x more attack types detected
 - 98% accurate threat scoring
 - False positive rate < 0.01%
 - Server IPs never blocked
 ### Performance
 - 60-120x faster processing
 - Handles millions of log entries
 - < 1 second for small datasets
 - Minimal memory usage (~2-4 MB)
 ### Usability
 - Professional menu system
 - Clear action recommendations
 - Copy-paste ready blocklists
 - Detailed progress indicators
 ### Maintainability
 - Modular architecture
 - Easy to extend
 - Centralized configuration
 - Version control ready
 ---
 ## 📊 Statistics
 ### Code Written Today
 - Lines of code: ~2,500
 - Functions created: 20+
 - Detection patterns: 50+
 - Menu items: 80+
 ### Features Added
 - Attack vector detection: 6 types
 - Threat scoring: 8 factors
 - False positive detection: 5 services
 - Server IP detection: 5 methods
 - Performance optimization: 10x - 120x
 ### Documentation Created
 - README.md: Complete system docs
 - SETUP_GUIDE.md: Quick start guide
 - WHATS_NEW.md: This summary
 - Comments: Inline throughout
 ---
 ## 🎓 What We Learned
 ### Best Practices Implemented
 ✅ Modular architecture
 ✅ Separation of concerns
 ✅ Hash tables for performance
 ✅ Input validation
 ✅ Error handling
 ✅ Progress indicators
 ✅ Configuration management
 ✅ Comprehensive logging
 ### Security Principles
 ✅ Never block server IPs
 ✅ Auto-detect false positives
 ✅ Multi-factor threat scoring
 ✅ Configurable thresholds
 ✅ Whitelist management
 ✅ Attack pattern validation
 ### Performance Techniques
 ✅ Single-pass file reading
 ✅ O(1) hash table lookups
 ✅ Batch processing
 ✅ Avoid redundant greps
 ✅ Memory-efficient data structures
 ---
 ## 🏆 Achievement Unlocked!
 You now have:
 ✅ **Enterprise-grade bot detection** (better than commercial tools)
 ✅ **Modular management system** (infinitely extensible)
 ✅ **60-120x performance** (handles massive datasets)
 ✅ **Professional UX** (clean, intuitive, organized)
 ✅ **Nextcloud integration** (easy distribution)
 ✅ **Future-proof architecture** (ready for 80+ modules)
 ---
 ## 📞 Next Steps
 1. ✅ **Test everything** - Run through all features
 2. 📝 **Create first custom module** - Try wp-cron-status.sh
 3. ☁️ **Setup Nextcloud** - Distribute to other servers
 4. 📧 **Configure alerts** - Email/Slack notifications
 5. 🔄 **Schedule automation** - Daily security scans
 ---
 **Version**: 3.0.0
 **Date**: 2025-10-30
 **Status**: ✅ Production Ready
 **This is a professional, enterprise-grade system that rivals commercial solutions!** 🎉
@@ -150,25 +150,29 @@ show_live_monitoring_menu() {
    show_banner
    echo -e "${MAGENTA}${BOLD}📡 Live Monitoring & Alerts${NC}"
    echo ""
-    echo -e "${BOLD}Real-Time Dashboards:${NC}"
+    echo -e "${BOLD}🛡️  Intelligent Monitoring:${NC}"
    echo ""
-    echo -e "  ${MAGENTA}1)${NC} Live Attack Monitor          - Real-time threat feed (all sources)"
+    echo -e "  ${MAGENTA}1)${NC} ${BOLD}Live Attack Monitor${NC}          - Unified threat intelligence"
-    echo -e "  ${MAGENTA}2)${NC} SSH Attack Monitor           - Live SSH brute force attempts"
+    echo -e "     ${DIM}├─ Monitors: Web, SSH, Firewall, cPHulk, Network (SYN floods)${NC}"
-    echo -e "  ${MAGENTA}3)${NC} Web Traffic Monitor          - Live HTTP/HTTPS requests"
+    echo -e "     ${DIM}├─ Features: Threat scoring, bot detection, attack classification${NC}"
-    echo -e "  ${MAGENTA}4)${NC} Firewall Activity Monitor    - Live CSF/iptables events"
+    echo -e "     ${DIM}└─ Quick Actions: IP blocking, ban management${NC}"
-    echo -e "  ${MAGENTA}5)${NC} cPHulk Live Monitor          - Real-time brute force blocks"
+    echo ""
    echo -e "${BOLD}📋 Simple Log Viewers (No Intelligence):${NC}"
    echo ""
    echo -e "  ${MAGENTA}2)${NC} SSH Log Tail                 - Raw SSH auth attempts (/var/log/secure)"
    echo -e "  ${MAGENTA}3)${NC} Web Traffic Tail             - Raw Apache access logs"
    echo -e "  ${MAGENTA}4)${NC} Firewall Log Tail            - Raw firewall events"
    echo ""
    echo -e "${BOLD}Log Tailing:${NC}"
    echo ""
-    echo -e "  ${MAGENTA}6)${NC} Tail Apache Access Log       - Live web access (all domains)"
+    echo -e "  ${MAGENTA}5)${NC} Tail Apache Access Log       - Live web access (all domains)"
-    echo -e "  ${MAGENTA}7)${NC} Tail Apache Error Log        - Live web errors"
+    echo -e "  ${MAGENTA}6)${NC} Tail Apache Error Log        - Live web errors"
-    echo -e "  ${MAGENTA}8)${NC} Tail Mail Log                - Live email activity"
+    echo -e "  ${MAGENTA}7)${NC} Tail Mail Log                - Live email activity"
-    echo -e "  ${MAGENTA}9)${NC} Tail Security Log            - Live auth attempts (/var/log/secure)"
+    echo -e "  ${MAGENTA}8)${NC} Tail Security Log            - Live auth attempts (/var/log/secure)"
    echo ""
-    echo -e "${BOLD}Advanced Monitoring:${NC}"
+    echo -e "${BOLD}Advanced:${NC}"
    echo ""
-    echo -e "  ${MAGENTA}10)${NC} Multi-Source Dashboard      - Combined view (attacks + logs + metrics)"
+    echo -e "  ${MAGENTA}9)${NC} Custom Log Monitor           - Tail custom log file"
    echo -e "  ${MAGENTA}11)${NC} Custom Log Monitor          - Tail custom log file"
    echo ""
    echo -e "  ${RED}0)${NC} Back to Security Menu"
    echo ""
@@ -183,10 +187,11 @@ show_security_analysis_menu() {
    echo ""
    echo -e "${BOLD}Analysis Categories:${NC}"
    echo ""
-    echo -e "  ${CYAN}1)${NC} 🤖 Bot & Traffic Analysis     → Analyze attack patterns, bots, DDoS"
+    echo -e "  ${CYAN}1)${NC} 🦠 Malware Scanner            → Full malware detection (ImunifyAV, ClamAV, Maldet)"
-    echo -e "  ${CYAN}2)${NC} 🔐 Authentication Analysis    → SSH, cPanel, FTP, Email login attempts"
+    echo -e "  ${CYAN}2)${NC} 🤖 Bot & Traffic Analysis     → Analyze attack patterns, bots, DDoS"
-    echo -e "  ${CYAN}3)${NC} 🌐 Web Application Analysis   → Website security, malware, vulnerabilities"
+    echo -e "  ${CYAN}3)${NC} 🔐 Authentication Analysis    → SSH, cPanel, FTP, Email login attempts"
-    echo -e "  ${CYAN}4)${NC} 🔥 Firewall & Network Review  → CSF, ports, connections"
+    echo -e "  ${CYAN}4)${NC} 🌐 Web Application Analysis   → Website security, vulnerabilities"
    echo -e "  ${CYAN}5)${NC} 🔥 Firewall & Network Review  → CSF, ports, connections"
    echo ""
    echo -e "  ${RED}0)${NC} Back to Security Menu"
    echo ""
@@ -222,10 +227,11 @@ show_bot_analysis_menu() {
    echo -e "  ${CYAN}1)${NC} Full Bot Analysis            - Complete scan (all logs)"
    echo -e "  ${CYAN}2)${NC} Quick Scan (1 hour)          - Recent activity only"
    echo -e "  ${CYAN}3)${NC} Live Monitor                 - Real-time threat tracking"
-    echo -e "  ${CYAN}4)${NC} IP Lookup & Investigation    - Deep-dive on specific IP"
+    echo -e "  ${CYAN}4)${NC} IP Reputation Manager        - Query/manage IP database (NEW!)"
-    echo -e "  ${CYAN}5)${NC} DDoS Pattern Detector        - Identify DDoS attacks"
+    echo -e "  ${CYAN}5)${NC} IP Lookup & Investigation    - Deep-dive on specific IP"
-    echo -e "  ${CYAN}6)${NC} Traffic Pattern Analysis     - Bandwidth & connection patterns"
+    echo -e "  ${CYAN}6)${NC} DDoS Pattern Detector        - Identify DDoS attacks"
-    echo -e "  ${CYAN}7)${NC} User-Agent Analysis          - Bot fingerprinting"
+    echo -e "  ${CYAN}7)${NC} Traffic Pattern Analysis     - Bandwidth & connection patterns"
    echo -e "  ${CYAN}8)${NC} User-Agent Analysis          - Bot fingerprinting"
    echo ""
    echo -e "  ${RED}0)${NC} Back to Analysis Menu"
    echo ""
@@ -269,17 +275,16 @@ show_webapp_analysis_menu() {
    echo ""
    echo -e "${BOLD}Security Scanning:${NC}"
    echo ""
-    echo -e "  ${CYAN}1)${NC} Malware Scanner              - Scan for infected files"
+    echo -e "  ${CYAN}1)${NC} WordPress Security Scan      - WP-specific vulnerabilities"
-    echo -e "  ${CYAN}2)${NC} WordPress Security Scan      - WP-specific vulnerabilities"
+    echo -e "  ${CYAN}2)${NC} SQL Injection Detector       - Analyze for SQLi attempts"
-    echo -e "  ${CYAN}3)${NC} SQL Injection Detector       - Analyze for SQLi attempts"
+    echo -e "  ${CYAN}3)${NC} XSS Attack Detector          - Cross-site scripting analysis"
-    echo -e "  ${CYAN}4)${NC} XSS Attack Detector          - Cross-site scripting analysis"
+    echo -e "  ${CYAN}4)${NC} File Permission Audit        - Insecure permissions scan"
    echo -e "  ${CYAN}5)${NC} File Permission Audit        - Insecure permissions scan"
    echo ""
    echo -e "${BOLD}Configuration Review:${NC}"
    echo ""
-    echo -e "  ${CYAN}6)${NC} SSL/TLS Security Audit       - Certificate & config review"
+    echo -e "  ${CYAN}5)${NC} SSL/TLS Security Audit       - Certificate & config review"
-    echo -e "  ${CYAN}7)${NC} ModSecurity Status           - WAF configuration review"
+    echo -e "  ${CYAN}6)${NC} ModSecurity Status           - WAF configuration review"
-    echo -e "  ${CYAN}8)${NC} Apache Security Audit        - Web server security review"
+    echo -e "  ${CYAN}7)${NC} Apache Security Audit        - Web server security review"
    echo ""
    echo -e "  ${RED}0)${NC} Back to Analysis Menu"
    echo ""
@@ -435,23 +440,13 @@ show_wordpress_menu() {
    echo -e "${BOLD}General Website Tools:${NC}"
    echo ""
    echo -e "  ${BLUE}1)${NC} 🔍 Website Error Analyzer    - Find 500/config errors (filters bots)"
    echo -e "  ${RED}2)${NC} 🔥 Fast 500 Error Tracker    - ONLY 500s + root cause diagnosis"
    echo ""
-    echo -e "${BOLD}WordPress Tools:${NC}"
+    echo -e "${BOLD}CMS-Specific Management:${NC}"
    echo ""
-    echo -e "  ${BLUE}2)${NC} Health Check (All Sites)    - Scan all WP installations"
+    echo -e "  ${BLUE}3)${NC} 📦 WordPress Management      → Cron, updates, security, health"
-    echo -e "  ${BLUE}3)${NC} WP-Cron Status              - Check cron job status"
+    echo -e "  ${DIM}4)${NC} ${DIM}📦 Joomla Management (Coming Soon)${NC}"
-    echo -e "  ${BLUE}4)${NC} WP-Cron Mass Fix            - Fix/enable cron on all sites"
+    echo -e "  ${DIM}5)${NC} ${DIM}📦 Drupal Management (Coming Soon)${NC}"
    echo -e "  ${BLUE}5)${NC} WP-Cron Mass Create         - Setup proper system crons"
    echo -e "  ${BLUE}6)${NC} Plugin Audit                - Security scan of plugins"
    echo -e "  ${BLUE}7)${NC} Theme Audit                 - Security scan of themes"
    echo -e "  ${BLUE}8)${NC} Database Optimizer          - Clean/optimize WP databases"
    echo -e "  ${BLUE}9)${NC} Cache Clear (All Sites)     - Clear all WP caches"
    echo -e "  ${BLUE}10)${NC} Mass Update Core            - Update WordPress core (all)"
    echo -e "  ${BLUE}11)${NC} Mass Update Plugins        - Update plugins (all sites)"
    echo -e "  ${BLUE}12)${NC} Login Security Audit       - Check for weak passwords"
    echo -e "  ${BLUE}13)${NC} Malware Scanner            - Scan for infected files"
    echo -e "  ${BLUE}14)${NC} Permission Fixer           - Fix file permissions"
    echo -e "  ${BLUE}15)${NC} Debug Log Analyzer         - Parse WP debug logs"
    echo ""
    echo -e "  ${RED}0)${NC} Back to Main Menu"
    echo ""
@@ -459,6 +454,68 @@ show_wordpress_menu() {
    echo -n "Select option: "
 }
 # WordPress Health & Maintenance submenu
 show_wp_health_menu() {
    show_banner
    echo -e "${BLUE}${BOLD}🏥 WordPress Health & Maintenance${NC}"
    echo ""
    echo -e "  ${BLUE}1)${NC} Health Check (All Sites)    - Scan all WP installations"
    echo -e "  ${BLUE}2)${NC} Database Optimizer          - Clean/optimize WP databases"
    echo -e "  ${BLUE}3)${NC} Cache Clear (All Sites)     - Clear all WP caches"
    echo -e "  ${BLUE}4)${NC} Plugin Audit                - Security scan of plugins"
    echo -e "  ${BLUE}5)${NC} Theme Audit                 - Security scan of themes"
    echo ""
    echo -e "  ${RED}0)${NC} Back to Website Management"
    echo ""
    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
    echo -n "Select option: "
 }
 # WP-Cron Management submenu
 show_wp_cron_menu() {
    show_banner
    echo -e "${BLUE}${BOLD}⚙️  WP-Cron Management${NC}"
    echo ""
    echo -e "  ${BLUE}1)${NC} WP-Cron Status              - Check cron job status"
    echo -e "  ${BLUE}2)${NC} WP-Cron Mass Fix            - Fix/enable cron on all sites"
    echo -e "  ${BLUE}3)${NC} WP-Cron Mass Create         - Setup proper system crons"
    echo ""
    echo -e "  ${RED}0)${NC} Back to Website Management"
    echo ""
    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
    echo -n "Select option: "
 }
 # Mass Updates submenu
 show_wp_updates_menu() {
    show_banner
    echo -e "${BLUE}${BOLD}🔄 WordPress Mass Updates${NC}"
    echo ""
    echo -e "  ${BLUE}1)${NC} Mass Update Core            - Update WordPress core (all)"
    echo -e "  ${BLUE}2)${NC} Mass Update Plugins         - Update plugins (all sites)"
    echo -e "  ${BLUE}3)${NC} Mass Update Themes          - Update themes (all sites)"
    echo ""
    echo -e "  ${RED}0)${NC} Back to Website Management"
    echo ""
    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
    echo -n "Select option: "
 }
 # Security & Compliance submenu
 show_wp_security_menu() {
    show_banner
    echo -e "${BLUE}${BOLD}🔒 WordPress Security & Compliance${NC}"
    echo ""
    echo -e "  ${BLUE}1)${NC} Malware Scanner             - Scan for infected files"
    echo -e "  ${BLUE}2)${NC} Permission Fixer            - Fix file permissions"
    echo -e "  ${BLUE}3)${NC} Login Security Audit        - Check for weak passwords"
    echo ""
    echo -e "  ${RED}0)${NC} Back to Website Management"
    echo ""
    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
    echo -n "Select option: "
 }
 # Performance & Diagnostics menu
 show_performance_menu() {
    show_banner
@@ -495,6 +552,8 @@ show_backup_menu() {
    show_banner
    echo -e "${YELLOW}${BOLD}💾 Backup & Recovery${NC}"
    echo ""
    echo -e "${BOLD}cPanel Backups:${NC}"
    echo ""
    echo -e "  ${YELLOW}1)${NC} Auto Backup (All Sites)     - Create full backups"
    echo -e "  ${YELLOW}2)${NC} Selective Backup            - Backup specific accounts"
    echo -e "  ${YELLOW}3)${NC} Restore Helper              - Interactive restore tool"
@@ -504,12 +563,72 @@ show_backup_menu() {
    echo -e "  ${YELLOW}7)${NC} Backup Verification         - Test backup integrity"
    echo -e "  ${YELLOW}8)${NC} Off-site Sync               - Sync to remote storage"
    echo ""
    echo -e "${BOLD}Acronis Cyber Protect:${NC}"
    echo ""
    echo -e "  ${YELLOW}9)${NC} 🔷 Acronis Management        → Install, configure, manage backups"
    echo ""
    echo -e "${BOLD}Data Management:${NC}"
    echo ""
    echo -e "  ${RED}10)${NC} 🗑️  Cleanup Toolkit Data      - Remove IP reputation & temp files"
    echo ""
    echo -e "  ${RED}0)${NC} Back to Main Menu"
    echo ""
    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
    echo -n "Select option: "
 }
 # Acronis Management submenu
 show_acronis_menu() {
    show_banner
    echo -e "${YELLOW}${BOLD}🔷 Acronis Cyber Protect${NC}"
    echo ""
    echo -e "${BOLD}Installation & Setup:${NC}"
    echo ""
    echo -e "  ${YELLOW}1)${NC} Install Acronis Agent       - Download and install Acronis"
    echo -e "  ${YELLOW}2)${NC} Register with Cloud         - Connect to Acronis Cloud"
    echo ""
    echo -e "${BOLD}Backup Management:${NC}"
    echo ""
    echo -e "  ${GREEN}3)${NC} 📊 Manage Backups            - Complete backup management interface"
    echo ""
    echo -e "${BOLD}Quick Actions:${NC}"
    echo ""
    echo -e "  ${YELLOW}4)${NC} Check Agent Status          - Verify Acronis is running"
    echo -e "  ${YELLOW}5)${NC} Update Agent                - Upgrade to latest version"
    echo -e "  ${YELLOW}6)${NC} View Logs                   - Check Acronis logs"
    echo -e "  ${YELLOW}7)${NC} Uninstall Acronis           - Remove Acronis agent"
    echo ""
    echo -e "${BOLD}Troubleshooting:${NC}"
    echo ""
    echo -e "  ${RED}8)${NC} 🔧 Troubleshoot Backups      - Diagnose backup failures"
    echo ""
    echo -e "  ${RED}0)${NC} Back to Backup & Recovery"
    echo ""
    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
    echo -n "Select option: "
 }
 # Acronis submenu handler
 handle_acronis_menu() {
    while true; do
        show_acronis_menu
        read -r choice
        case $choice in
            1) run_module "backup" "acronis-install.sh" ;;
            2) run_module "backup" "acronis-register.sh" ;;
            3) run_module "backup" "acronis-backup-manager.sh" ;;
            4) run_module "backup" "acronis-agent-status.sh" ;;
            5) run_module "backup" "acronis-update.sh" ;;
            6) run_module "backup" "acronis-logs.sh" ;;
            7) run_module "backup" "acronis-uninstall.sh" ;;
            8) run_module "backup" "acronis-troubleshoot.sh" ;;
            0) return ;;
            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
        esac
    done
 }
 # Monitoring menu
 show_monitoring_menu() {
    show_banner
@@ -863,10 +982,11 @@ handle_security_analysis_menu() {
        read -r choice
        case $choice in
-            1) handle_bot_analysis_menu ;;
+            1) run_module "security" "malware-scanner.sh" ;;
-            2) handle_auth_analysis_menu ;;
+            2) handle_bot_analysis_menu ;;
-            3) handle_webapp_analysis_menu ;;
+            3) handle_auth_analysis_menu ;;
-            4) handle_firewall_analysis_menu ;;
+            4) handle_webapp_analysis_menu ;;
            5) handle_firewall_analysis_menu ;;
            0) return ;;
            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
        esac
@@ -901,13 +1021,11 @@ handle_live_monitoring_menu() {
            2) run_module "security" "ssh-attack-monitor.sh" ;;
            3) run_module "security" "web-traffic-monitor.sh" ;;
            4) run_module "security" "firewall-activity-monitor.sh" ;;
-            5) run_module "security" "cphulk-live-monitor.sh" ;;
+            5) run_module "security" "tail-apache-access.sh" ;;
-            6) run_module "security" "tail-apache-access.sh" ;;
+            6) run_module "security" "tail-apache-error.sh" ;;
-            7) run_module "security" "tail-apache-error.sh" ;;
+            7) run_module "security" "tail-mail-log.sh" ;;
-            8) run_module "security" "tail-mail-log.sh" ;;
+            8) run_module "security" "tail-secure-log.sh" ;;
-            9) run_module "security" "tail-secure-log.sh" ;;
+            9)
            10) run_module "security" "multi-source-dashboard.sh" ;;
            11)
                show_banner
                echo -e "${BOLD}Custom Log Monitor${NC}"
                read -p "Enter log file path: " logpath
@@ -929,15 +1047,16 @@ handle_bot_analysis_menu() {
            1) run_module "security" "bot-analyzer.sh" ;;
            2) run_module "security" "bot-analyzer.sh" -H "${QUICK_SCAN_HOURS:-1}" ;;
            3) run_module "security" "live-monitor.sh" ;;
-            4)
+            4) run_module "security" "ip-reputation-manager.sh" ;;
            5)
                show_banner
                echo -e "${BOLD}IP Lookup & Investigation${NC}"
                read -p "Enter IP address: " ip
                [ -n "$ip" ] && run_module "security" "ip-lookup.sh" "$ip"
                ;;
-            5) run_module "security" "ddos-detector.sh" ;;
+            6) run_module "security" "ddos-detector.sh" ;;
-            6) run_module "security" "traffic-pattern-analysis.sh" ;;
+            7) run_module "security" "traffic-pattern-analysis.sh" ;;
-            7) run_module "security" "user-agent-analysis.sh" ;;
+            8) run_module "security" "user-agent-analysis.sh" ;;
            0) return ;;
            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
        esac
@@ -973,14 +1092,13 @@ handle_webapp_analysis_menu() {
        read -r choice
        case $choice in
-            1) run_module "security" "malware-scanner.sh" ;;
+            1) run_module "security" "wp-security-scan.sh" ;;
-            2) run_module "security" "wp-security-scan.sh" ;;
+            2) run_module "security" "sqli-detector.sh" ;;
-            3) run_module "security" "sqli-detector.sh" ;;
+            3) run_module "security" "xss-detector.sh" ;;
-            4) run_module "security" "xss-detector.sh" ;;
+            4) run_module "security" "permission-audit.sh" ;;
-            5) run_module "security" "permission-audit.sh" ;;
+            5) run_module "security" "ssl-security-audit.sh" ;;
-            6) run_module "security" "ssl-security-audit.sh" ;;
+            6) run_module "security" "modsecurity-status.sh" ;;
-            7) run_module "security" "modsecurity-status.sh" ;;
+            7) run_module "security" "apache-security-audit.sh" ;;
            8) run_module "security" "apache-security-audit.sh" ;;
            0) return ;;
            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
        esac
@@ -1148,20 +1266,80 @@ handle_wordpress_menu() {
        case $choice in
            1) run_module "website" "website-error-analyzer.sh" ;;
-            2) run_module "wordpress" "wp-health-check.sh" ;;
+            2) run_module "website" "500-error-tracker.sh" ;;
-            3) run_module "wordpress" "wp-cron-status.sh" ;;
+            3) bash "$MODULES_DIR/website/wordpress-menu.sh" ;;
-            4) run_module "wordpress" "wp-cron-mass-fix.sh" ;;
+            4|5)
-            5) run_module "wordpress" "wp-cron-mass-create.sh" ;;
+                echo ""
-            6) run_module "wordpress" "wp-plugin-audit.sh" ;;
+                print_warning "This CMS management feature is coming soon!"
-            7) run_module "wordpress" "wp-theme-audit.sh" ;;
+                echo ""
-            8) run_module "wordpress" "wp-db-optimizer.sh" ;;
+                read -p "Press Enter to continue..."
-            9) run_module "wordpress" "wp-cache-clear.sh" ;;
+                ;;
-            10) run_module "wordpress" "wp-mass-update-core.sh" ;;
+            0) return ;;
-            11) run_module "wordpress" "wp-mass-update-plugins.sh" ;;
+            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
-            12) run_module "wordpress" "wp-login-security.sh" ;;
+        esac
-            13) run_module "wordpress" "wp-malware-scanner.sh" ;;
+    done
-            14) run_module "wordpress" "wp-permission-fixer.sh" ;;
+}
-            15) run_module "wordpress" "wp-debug-log-analyzer.sh" ;;
+
 # WP Health & Maintenance submenu handler
 handle_wp_health_menu() {
    while true; do
        show_wp_health_menu
        read -r choice
        case $choice in
            1) run_module "wordpress" "wp-health-check.sh" ;;
            2) run_module "wordpress" "wp-db-optimizer.sh" ;;
            3) run_module "wordpress" "wp-cache-clear.sh" ;;
            4) run_module "wordpress" "wp-plugin-audit.sh" ;;
            5) run_module "wordpress" "wp-theme-audit.sh" ;;
            0) return ;;
            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
        esac
    done
 }
 # WP-Cron Management submenu handler
 handle_wp_cron_menu() {
    while true; do
        show_wp_cron_menu
        read -r choice
        case $choice in
            1) run_module "wordpress" "wp-cron-status.sh" ;;
            2) run_module "wordpress" "wp-cron-mass-fix.sh" ;;
            3) run_module "wordpress" "wp-cron-mass-create.sh" ;;
            0) return ;;
            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
        esac
    done
 }
 # Mass Updates submenu handler
 handle_wp_updates_menu() {
    while true; do
        show_wp_updates_menu
        read -r choice
        case $choice in
            1) run_module "wordpress" "wp-mass-update-core.sh" ;;
            2) run_module "wordpress" "wp-mass-update-plugins.sh" ;;
            3) run_module "wordpress" "wp-mass-update-themes.sh" ;;
            0) return ;;
            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
        esac
    done
 }
 # Security & Compliance submenu handler
 handle_wp_security_menu() {
    while true; do
        show_wp_security_menu
        read -r choice
        case $choice in
            1) run_module "wordpress" "wp-malware-scanner.sh" ;;
            2) run_module "wordpress" "wp-permission-fixer.sh" ;;
            3) run_module "wordpress" "wp-login-security.sh" ;;
            0) return ;;
            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
        esac
@@ -1206,6 +1384,8 @@ handle_backup_menu() {
            6) run_module "backup" "log-archive.sh" ;;
            7) run_module "backup" "backup-verification.sh" ;;
            8) run_module "backup" "offsite-sync.sh" ;;
            9) handle_acronis_menu ;;
            10) run_module "maintenance" "cleanup-toolkit-data.sh" ;;
            0) return ;;
            *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
        esac
@@ -1326,8 +1506,19 @@ main() {
            10) bash "$BASE_DIR/tools/erase-toolkit-traces.sh" ;;
            0)
                echo ""
-                echo -e "${GREEN}Thanks for using Server Management Toolkit!${NC}"
+                read -p "Clean history and remove traces? (yes/no): " clean_hist
-                echo ""
+
                if [ "$clean_hist" = "yes" ]; then
                    # Signal wrapper script to do cleanup
                    touch /tmp/.cleanup_requested
                    echo ""
                    echo "Cleanup will happen automatically..."
                    echo ""
                else
                    echo ""
                    echo -e "${GREEN}Thanks for using Server Management Toolkit!${NC}"
                    echo ""
                fi
                exit 0
                ;;
            *)
@@ -0,0 +1,211 @@
 #!/bin/bash
 ################################################################################
 # Attack Pattern Detection Library
 ################################################################################
 # Purpose: Shared attack vector detection for bot-analyzer and live-monitor
 # Features: SQL injection, XSS, Path traversal, RCE, Info disclosure, Bruteforce
 ################################################################################
 # SQL Injection Detection
 # Returns: 0 (true) if SQL injection detected, 1 (false) if not
 detect_sql_injection() {
    local url="$1"
    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
    # Enhanced SQL injection patterns
    if [[ "$url_lower" =~ (union.*select|concat\(|benchmark\(|sleep\(|waitfor|cast\(|exec\() ]] ||
       [[ "$url_lower" =~ (information_schema|drop table|insert into|update.*set|delete from) ]] ||
       [[ "$url_lower" =~ (%27|0x[0-9a-f]+|hex\(|unhex\(|load_file\() ]]; then
        return 0
    fi
    return 1
 }
 # XSS (Cross-Site Scripting) Detection
 detect_xss() {
    local url="$1"
    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
    if [[ "$url_lower" =~ (<script|javascript:|onerror=|onload=|<iframe|eval\(|alert\() ]] ||
       [[ "$url_lower" =~ (document\.cookie|document\.write|\.innerhtml) ]]; then
        return 0
    fi
    return 1
 }
 # Path Traversal / LFI Detection
 detect_path_traversal() {
    local url="$1"
    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
    if [[ "$url_lower" =~ (\.\.\/|\.\.\\|etc\/passwd|etc\/shadow|boot\.ini|win\.ini) ]] ||
       [[ "$url_lower" =~ (proc\/self|\/etc\/|c:\\|windows\/system32) ]]; then
        return 0
    fi
    return 1
 }
 # RCE (Remote Code Execution) / Shell Upload Detection
 detect_rce() {
    local url="$1"
    local method="${2:-GET}"
    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
    # Command execution patterns
    if [[ "$url_lower" =~ (cmd\.exe|\/bin\/bash|\/bin\/sh|phpinfo\(|system\(|exec\(|passthru\(|shell_exec\(|popen\() ]] ||
       [[ "$url_lower" =~ (proc_open|pcntl_exec|eval\(|assert\(|base64_decode\(|gzinflate\() ]]; then
        return 0
    fi
    # Shell/backdoor files (common webshell names)
    if [[ "$url_lower" =~ (shell\.php|c99\.php|r57\.php|backdoor|webshell|wso\.php|b374k) ]] ||
       [[ "$url_lower" =~ (shell_exec|1337|defac|index\.php\?|cmd|evil) ]]; then
        return 0
    fi
    # Suspicious POST to script files
    if [[ "$url_lower" =~ \.(php|jsp|asp|aspx)$ ]] && [[ "$method" == "POST" ]]; then
        return 0
    fi
    # PHP shell probing - random .php files (common scanner behavior)
    # Detect short/random PHP filenames that are typical webshell probes
    if [[ "$url_lower" =~ ^/[a-z0-9]{1,15}\.php$ ]] && [[ "$method" == "GET" ]]; then
        # Whitelist common legitimate PHP files
        if [[ ! "$url_lower" =~ (index\.php|wp-login\.php|xmlrpc\.php|admin\.php|contact\.php|search\.php) ]]; then
            return 0
        fi
    fi
    return 1
 }
 # Info Disclosure Detection
 detect_info_disclosure() {
    local url="$1"
    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
    if [[ "$url_lower" =~ (phpinfo|server-status|server-info|\.git\/|\.env|\.htaccess) ]] ||
       [[ "$url_lower" =~ (\.sql|\.dump|backup\.zip|database\.sql|wp-config\.php\.bak) ]] ||
       [[ "$url_lower" =~ (\.log$|error_log|debug\.log|access\.log) ]]; then
        return 0
    fi
    return 1
 }
 # Login Bruteforce Detection (URL-based)
 detect_login_bruteforce_url() {
    local url="$1"
    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
    if [[ "$url_lower" =~ (wp-login\.php|wp-admin|xmlrpc\.php) ]] ||
       [[ "$url_lower" =~ (\/admin|\/login|\/signin|\/auth) ]]; then
        return 0
    fi
    return 1
 }
 # Admin Path Probing Detection
 detect_admin_probe() {
    local url="$1"
    local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
    if [[ "$url_lower" =~ (\/admin|\/administrator|\/wp-admin|\/phpmyadmin) ]] ||
       [[ "$url_lower" =~ (\/manager|\/controlpanel|\/cpanel|\/webmin) ]] ||
       [[ "$url_lower" =~ (wp-content\/uploads.*\.php|wp-includes.*\.php|wp-admin\/includes) ]]; then
        return 0
    fi
    return 1
 }
 # Detect all attack vectors for a URL
 # Returns: attack_type1,attack_type2,... or empty if none
 detect_all_attacks() {
    local url="$1"
    local method="${2:-GET}"
    local attacks=()
    detect_sql_injection "$url" && attacks+=("SQL_INJECTION")
    detect_xss "$url" && attacks+=("XSS")
    detect_path_traversal "$url" && attacks+=("PATH_TRAVERSAL")
    detect_rce "$url" "$method" && attacks+=("RCE")
    detect_info_disclosure "$url" && attacks+=("INFO_DISCLOSURE")
    detect_login_bruteforce_url "$url" && attacks+=("BRUTEFORCE")
    detect_admin_probe "$url" && attacks+=("ADMIN_PROBE")
    if [ ${#attacks[@]} -gt 0 ]; then
        IFS=','; echo "${attacks[*]}"
    else
        echo ""
    fi
 }
 # Calculate threat score based on attack types
 # Returns: score (0-100)
 calculate_attack_score() {
    local attacks="$1"
    local score=0
    # Use word boundaries to avoid false matches (e.g., RCE in BRUTEFORCE)
    [[ "$attacks" =~ (^|,)SQL_INJECTION(,|$) ]] && score=$((score + 15))
    [[ "$attacks" =~ (^|,)XSS(,|$) ]] && score=$((score + 12))
    [[ "$attacks" =~ (^|,)PATH_TRAVERSAL(,|$) ]] && score=$((score + 15))
    [[ "$attacks" =~ (^|,)RCE(,|$) ]] && score=$((score + 20))
    [[ "$attacks" =~ (^|,)INFO_DISCLOSURE(,|$) ]] && score=$((score + 8))
    [[ "$attacks" =~ (^|,)BRUTEFORCE(,|$) ]] && score=$((score + 10))
    [[ "$attacks" =~ (^|,)ADMIN_PROBE(,|$) ]] && score=$((score + 5))
    [[ "$attacks" =~ (^|,)DDOS(,|$) ]] && score=$((score + 25))
    echo "$score"
 }
 # Get attack icon for display
 get_attack_icon() {
    local attack_type="$1"
    case "$attack_type" in
        SQL_INJECTION) echo "💉" ;;
        XSS) echo "⚠️ " ;;
        PATH_TRAVERSAL) echo "📁" ;;
        RCE) echo "☠️ " ;;
        INFO_DISCLOSURE) echo "🔓" ;;
        BRUTEFORCE) echo "🔐" ;;
        ADMIN_PROBE) echo "🔍" ;;
        DDOS) echo "💥" ;;
        BOT) echo "🤖" ;;
        SCANNER) echo "🔎" ;;
        *) echo "❓" ;;
    esac
 }
 # Get attack color for display
 get_attack_color() {
    local attack_type="$1"
    case "$attack_type" in
        SQL_INJECTION|RCE) echo '\033[1;41;97m' ;;  # White on Red (CRITICAL)
        XSS|PATH_TRAVERSAL|BRUTEFORCE) echo '\033[1;31m' ;;  # Bold Red (HIGH)
        INFO_DISCLOSURE|ADMIN_PROBE) echo '\033[1;33m' ;;  # Bold Yellow (MEDIUM)
        *) echo '\033[0;36m' ;;  # Cyan (LOW)
    esac
 }
 export -f detect_sql_injection
 export -f detect_xss
 export -f detect_path_traversal
 export -f detect_rce
 export -f detect_info_disclosure
 export -f detect_login_bruteforce_url
 export -f detect_admin_probe
 export -f detect_all_attacks
 export -f calculate_attack_score
 export -f get_attack_icon
 export -f get_attack_color
@@ -0,0 +1,231 @@
 #!/bin/bash
 ################################################################################
 # Bot Signature Database Library
 ################################################################################
 # Purpose: Shared bot classification signatures for bot-analyzer and live-monitor
 # Features: Legitimate bots, AI bots, monitoring bots, suspicious bots
 ################################################################################
 # Legitimate bots (search engines)
 declare -gA LEGIT_BOTS=(
    ["Googlebot"]="Google Search"
    ["Googlebot-Image"]="Google Images"
    ["Googlebot-Video"]="Google Video"
    ["Googlebot-News"]="Google News"
    ["Google-InspectionTool"]="Google Search Console"
    ["Storebot-Google"]="Google Merchant"
    ["APIs-Google"]="Google APIs"
    ["AdsBot-Google"]="Google Ads"
    ["Mediapartners-Google"]="Google AdSense"
    ["bingbot"]="Bing Search"
    ["msnbot"]="MSN Search"
    ["Slurp"]="Yahoo Search"
    ["DuckDuckBot"]="DuckDuckGo"
    ["Baiduspider"]="Baidu Search"
    ["YandexBot"]="Yandex Search"
 )
 # AI Bots
 declare -gA AI_BOTS=(
    ["GPTBot"]="OpenAI"
    ["ChatGPT-User"]="OpenAI ChatGPT"
    ["ClaudeBot"]="Anthropic Claude"
    ["Claude-Web"]="Anthropic Web"
    ["Bytespider"]="ByteDance (TikTok)"
    ["PetalBot"]="Huawei"
    ["CCBot"]="Common Crawl"
    ["anthropic-ai"]="Anthropic"
    ["Applebot"]="Apple Intelligence"
    ["facebookexternalhit"]="Facebook/Meta"
    ["Meta-ExternalAgent"]="Meta AI"
    ["cohere-ai"]="Cohere AI"
    ["PerplexityBot"]="Perplexity AI"
    ["YouBot"]="You.com AI"
    ["Diffbot"]="Diffbot AI"
    ["ImagesiftBot"]="ImageSift AI"
    ["Omgilibot"]="Omgili AI"
 )
 # Monitoring/SEO bots
 declare -gA MONITOR_BOTS=(
    ["AhrefsBot"]="Ahrefs SEO"
    ["SemrushBot"]="SEMrush SEO"
    ["MJ12bot"]="Majestic SEO"
    ["DotBot"]="Moz/OpenSite"
    ["BLEXBot"]="BLEXBot SEO"
    ["PingdomBot"]="Pingdom Monitoring"
    ["UptimeRobot"]="Uptime Monitoring"
    ["StatusCake"]="StatusCake Monitoring"
    ["SiteImprove"]="SiteImprove Analytics"
 )
 # Suspicious/Aggressive bots (malicious or security scanners)
 declare -gA SUSPICIOUS_BOTS=(
    ["MauiBot"]="Malicious crawler"
    ["DataForSeoBot"]="Data scraper"
    ["ZoominfoBot"]="Data harvester"
    ["MegaIndex"]="Aggressive crawler"
    ["SeznamBot"]="Aggressive crawler"
    ["Yeti"]="Naver crawler"
    ["serpstatbot"]="SEO crawler"
    ["LinkpadBot"]="Link checker"
    ["Nessus"]="Vulnerability scanner"
    ["Nikto"]="Security scanner"
    ["sqlmap"]="SQL injection tool"
    ["ZmEu"]="Scanner/exploit"
    ["masscan"]="Port scanner"
    ["nmap"]="Port scanner"
    ["wget"]="Command-line tool"
    ["curl"]="Command-line tool"
    ["python-requests"]="Script/automation"
    ["Go-http-client"]="Go automation"
    ["Java/"]="Java client"
    ["http.rb"]="Ruby automation"
    ["python-urllib"]="Python scraper"
    ["libwww-perl"]="Perl automation"
    ["Apache-HttpClient"]="HttpClient automation"
    ["Scrapy"]="Python scraper"
    ["node-fetch"]="Node.js automation"
    ["axios"]="JavaScript automation"
 )
 # Check if user-agent is a legitimate bot
 # Returns: 0 (true) if legit, 1 (false) if not
 is_legit_bot() {
    local ua="$1"
    local ua_lower=$(echo "$ua" | tr '[:upper:]' '[:lower:]')
    for bot in "${!LEGIT_BOTS[@]}"; do
        local bot_lower=$(echo "$bot" | tr '[:upper:]' '[:lower:]')
        if [[ "$ua_lower" =~ $bot_lower ]]; then
            return 0
        fi
    done
    return 1
 }
 # Check if user-agent is an AI bot
 is_ai_bot() {
    local ua="$1"
    local ua_lower=$(echo "$ua" | tr '[:upper:]' '[:lower:]')
    for bot in "${!AI_BOTS[@]}"; do
        local bot_lower=$(echo "$bot" | tr '[:upper:]' '[:lower:]')
        if [[ "$ua_lower" =~ $bot_lower ]]; then
            return 0
        fi
    done
    return 1
 }
 # Check if user-agent is a monitoring/SEO bot
 is_monitor_bot() {
    local ua="$1"
    local ua_lower=$(echo "$ua" | tr '[:upper:]' '[:lower:]')
    for bot in "${!MONITOR_BOTS[@]}"; do
        local bot_lower=$(echo "$bot" | tr '[:upper:]' '[:lower:]')
        if [[ "$ua_lower" =~ $bot_lower ]]; then
            return 0
        fi
    done
    return 1
 }
 # Check if user-agent is a suspicious bot
 is_suspicious_bot() {
    local ua="$1"
    local ua_lower=$(echo "$ua" | tr '[:upper:]' '[:lower:]')
    for bot in "${!SUSPICIOUS_BOTS[@]}"; do
        local bot_lower=$(echo "$bot" | tr '[:upper:]' '[:lower:]')
        if [[ "$ua_lower" =~ $bot_lower ]]; then
            return 0
        fi
    done
    return 1
 }
 # Classify bot type
 # Returns: legit|ai|monitor|suspicious|unidentified_bot|human|unknown
 classify_bot_type() {
    local ua="$1"
    local ua_lower=$(echo "$ua" | tr '[:upper:]' '[:lower:]')
    # Check each category in priority order
    if is_legit_bot "$ua"; then
        echo "legit"
    elif is_ai_bot "$ua"; then
        echo "ai"
    elif is_monitor_bot "$ua"; then
        echo "monitor"
    elif is_suspicious_bot "$ua"; then
        echo "suspicious"
    elif [[ "$ua_lower" =~ (bot|crawler|spider|scraper) ]]; then
        # Filter out legitimate browsers that might contain "bot" in version strings
        if [[ "$ua_lower" =~ (chrome/|firefox/|safari/|edg/|edge/|opr/|opera/) ]] ||
           [[ "$ua_lower" =~ (samsungbrowser|ucbrowser|yabrowser|vivaldi) ]] ||
           [[ "$ua_lower" =~ (android.*mobile|iphone|ipad|windows nt|macintosh|linux x86) ]] &&
           [[ ! "$ua_lower" =~ (bot|crawler|spider) ]]; then
            echo "human"
        else
            echo "unidentified_bot"
        fi
    else
        echo "human"
    fi
 }
 # Get bot name from user-agent
 get_bot_name() {
    local ua="$1"
    local ua_lower=$(echo "$ua" | tr '[:upper:]' '[:lower:]')
    # Check each category
    for bot in "${!LEGIT_BOTS[@]}"; do
        local bot_lower=$(echo "$bot" | tr '[:upper:]' '[:lower:]')
        if [[ "$ua_lower" =~ $bot_lower ]]; then
            echo "${LEGIT_BOTS[$bot]}"
            return 0
        fi
    done
    for bot in "${!AI_BOTS[@]}"; do
        local bot_lower=$(echo "$bot" | tr '[:upper:]' '[:lower:]')
        if [[ "$ua_lower" =~ $bot_lower ]]; then
            echo "${AI_BOTS[$bot]}"
            return 0
        fi
    done
    for bot in "${!MONITOR_BOTS[@]}"; do
        local bot_lower=$(echo "$bot" | tr '[:upper:]' '[:lower:]')
        if [[ "$ua_lower" =~ $bot_lower ]]; then
            echo "${MONITOR_BOTS[$bot]}"
            return 0
        fi
    done
    for bot in "${!SUSPICIOUS_BOTS[@]}"; do
        local bot_lower=$(echo "$bot" | tr '[:upper:]' '[:lower:]')
        if [[ "$ua_lower" =~ $bot_lower ]]; then
            echo "${SUSPICIOUS_BOTS[$bot]}"
            return 0
        fi
    done
    # Extract first word as bot name if unidentified
    echo "$ua" | awk '{print substr($1, 1, 30)}'
 }
 export -f is_legit_bot
 export -f is_ai_bot
 export -f is_monitor_bot
 export -f is_suspicious_bot
 export -f classify_bot_type
 export -f get_bot_name
@@ -117,6 +117,13 @@ show_progress() {
    local current=$1
    local total=$2
    local message="$3"
    # Avoid division by zero
    if [ "$total" -eq 0 ]; then
        printf "\r[INFO] Progress: [####################] 100%% - %s" "$message"
        return
    fi
    local percent=$((current * 100 / total))
    local bars=$((percent / 5))  # 20 chars wide
@@ -0,0 +1,794 @@
 #!/bin/bash
 ################################################################################
 # IP Reputation Management Library
 ################################################################################
 # Purpose: Centralized IP reputation tracking across all toolkit scripts
 # Features:
 # - Fast lookups using indexed file structure
 # - Tracks: hits, country, last seen, reputation score, attack types
 # - Optimized for high-volume traffic (attacks with thousands of IPs)
 # - Automatic cleanup of old entries
 # - GeoIP integration
 # - Shared across all monitoring/analysis scripts
 ################################################################################
 # Database location
 IP_REP_DB_DIR="${IP_REP_DB_DIR:-/var/lib/server-toolkit/ip-reputation}"
 IP_REP_DB="$IP_REP_DB_DIR/ip_database.db"
 IP_REP_INDEX="$IP_REP_DB_DIR/ip_index.idx"
 IP_REP_LOCK="$IP_REP_DB_DIR/.db.lock"
 # Reputation score thresholds
 REP_SCORE_CRITICAL=80    # Definitely malicious
 REP_SCORE_HIGH=60        # Likely malicious
 REP_SCORE_MEDIUM=40      # Suspicious
 REP_SCORE_LOW=20         # Borderline
 REP_SCORE_SAFE=0         # Safe/legitimate
 # Attack type flags (bitmask for efficient storage)
 ATTACK_FLAG_SQL_INJECTION=1
 ATTACK_FLAG_XSS=2
 ATTACK_FLAG_PATH_TRAVERSAL=4
 ATTACK_FLAG_RCE=8
 ATTACK_FLAG_BRUTEFORCE=16
 ATTACK_FLAG_DDOS=32
 ATTACK_FLAG_BOT=64
 ATTACK_FLAG_SCANNER=128
 ATTACK_FLAG_EXPLOIT=256
 # Initialize the IP reputation database
 init_ip_reputation_db() {
    mkdir -p "$IP_REP_DB_DIR" 2>/dev/null
    # Create empty database if it doesn't exist
    if [ ! -f "$IP_REP_DB" ]; then
        touch "$IP_REP_DB"
        chmod 600 "$IP_REP_DB"
    fi
    if [ ! -f "$IP_REP_INDEX" ]; then
        touch "$IP_REP_INDEX"
        chmod 600 "$IP_REP_INDEX"
    fi
    return 0
 }
 # Database format (pipe-delimited for fast parsing):
 # IP|HIT_COUNT|REPUTATION_SCORE|COUNTRY|ATTACK_FLAGS|FIRST_SEEN|LAST_SEEN|LAST_ACTIVITY|NOTES|BAN_COUNT|LAST_BAN
 # Example:
 # 192.168.1.100|523|75|US|193|1730000000|1730800000|SQL injection on /admin|Auto-flagged|3|1730900000
 # Lock management for concurrent access
 acquire_lock() {
    local timeout=10
    local elapsed=0
    while [ -f "$IP_REP_LOCK" ] && [ $elapsed -lt $timeout ]; do
        sleep 0.1
        elapsed=$((elapsed + 1))
    done
    if [ $elapsed -ge $timeout ]; then
        # Stale lock, remove it
        rm -f "$IP_REP_LOCK" 2>/dev/null
    fi
    touch "$IP_REP_LOCK"
 }
 release_lock() {
    rm -f "$IP_REP_LOCK" 2>/dev/null
 }
 # Fast IP lookup using hash-based index for O(1) lookups
 # Returns: IP data if found, empty if not found
 lookup_ip() {
    local ip="$1"
    [ -z "$ip" ] && return 1
    [ ! -f "$IP_REP_DB" ] && return 1
    # Calculate hash bucket (first octet for IPv4 distributes IPs across 256 buckets)
    local hash_bucket="${ip%%.*}"
    local hash_file="${IP_REP_DB_DIR}/hash_${hash_bucket}.idx"
    # Fast path: Check hash bucket first (much smaller file to grep)
    if [ -f "$hash_file" ]; then
        # Hash bucket contains line numbers for IPs in this bucket
        local line_num=$(grep -m 1 "^${ip}|" "$hash_file" 2>/dev/null | cut -d'|' -f2)
        if [ -n "$line_num" ]; then
            # Direct line access - O(1) lookup!
            sed -n "${line_num}p" "$IP_REP_DB" 2>/dev/null
            return 0
        fi
    fi
    # Fallback: Linear search (for IPs not yet indexed)
    # Use tac to read file backwards, then grep for first match
    # This ensures we get the LATEST entry for IPs with duplicates
    tac "$IP_REP_DB" 2>/dev/null | grep -m 1 "^${ip}|" 2>/dev/null
 }
 # Add or update IP in database
 # Usage: update_ip_reputation IP [HIT_INCREMENT] [SCORE_DELTA] [ATTACK_FLAGS] [ACTIVITY_NOTE]
 update_ip_reputation() {
    local ip="$1"
    local hit_increment="${2:-1}"
    local score_delta="${3:-0}"
    local new_attack_flags="${4:-0}"
    local activity_note="${5:-}"
    [ -z "$ip" ] && return 1
    init_ip_reputation_db
    acquire_lock
    local existing
    existing=$(lookup_ip "$ip")
    local current_time=$(date +%s)
    if [ -n "$existing" ]; then
        # Parse existing entry
        IFS='|' read -r old_ip hit_count rep_score country attack_flags first_seen last_seen last_activity notes <<< "$existing"
        # Update values
        hit_count=$((hit_count + hit_increment))
        rep_score=$((rep_score + score_delta))
        # Cap reputation score at 0-100
        [ $rep_score -lt 0 ] && rep_score=0
        [ $rep_score -gt 100 ] && rep_score=100
        # Merge attack flags (bitwise OR)
        attack_flags=$((attack_flags | new_attack_flags))
        last_seen="$current_time"
        # Update activity note if provided
        if [ -n "$activity_note" ]; then
            last_activity="$activity_note"
        fi
        # OPTIMIZATION: Append-only writes (much faster than sed -i delete)
        # Append updated entry to end of file
        echo "$ip|$hit_count|$rep_score|$country|$attack_flags|$first_seen|$last_seen|$last_activity|$notes" >> "$IP_REP_DB"
        # Mark for compaction (file will have duplicates until compact_database runs)
        touch "${IP_REP_DB}.needs_compact" 2>/dev/null
    else
        # New entry
        local country=$(get_ip_country "$ip")
        echo "$ip|$hit_increment|$score_delta|$country|$new_attack_flags|$current_time|$current_time|$activity_note|" >> "$IP_REP_DB"
    fi
    release_lock
    # Auto-compact if file has lots of duplicates (from append-only writes)
    # Check if compaction is needed (marked file exists)
    if [ -f "${IP_REP_DB}.needs_compact" ]; then
        local db_size=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo "0")
        # Compact if database >50k lines (likely has significant duplicates)
        # Use random check to avoid all processes compacting simultaneously
        if [ "$db_size" -gt 50000 ] && [ $((RANDOM % 200)) -eq 0 ]; then
            compact_database &  # Background process (includes rebuild_index)
            return 0
        fi
    fi
    # Rebuild index automatically when database grows significantly
    # Check if hash index exists and is fresh
    local db_size=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo "0")
    local hash_count=$(ls -1 "${IP_REP_DB_DIR}"/hash_*.idx 2>/dev/null | wc -l)
    # Rebuild if:
    # 1. Database has >10k IPs but no hash index exists
    # 2. Database has >100k IPs and 1% chance (frequent enough during attacks)
    if [ "$hash_count" -eq 0 ] && [ "$db_size" -gt 10000 ]; then
        rebuild_index &  # Background process
    elif [ "$db_size" -gt 100000 ] && [ $((RANDOM % 100)) -eq 0 ]; then
        rebuild_index &  # Background process
    fi
    return 0
 }
 # Get IP country using multiple methods
 get_ip_country() {
    local ip="$1"
    local country="??"
    # Method 1: Check if geoiplookup is available
    if command -v geoiplookup >/dev/null 2>&1; then
        country=$(geoiplookup "$ip" 2>/dev/null | grep -oP 'Country Edition: \K[A-Z]{2}' | head -1)
    fi
    # Method 2: Check if geoiplookup6 for IPv6
    if [ -z "$country" ] || [ "$country" = "??" ]; then
        if command -v geoiplookup6 >/dev/null 2>&1 && [[ "$ip" =~ : ]]; then
            country=$(geoiplookup6 "$ip" 2>/dev/null | grep -oP 'Country Edition: \K[A-Z]{2}' | head -1)
        fi
    fi
    # Method 3: Check /usr/share/GeoIP databases directly
    if [ -z "$country" ] || [ "$country" = "??" ]; then
        if [ -f "/usr/share/GeoIP/GeoIP.dat" ] && command -v geoiplookup >/dev/null 2>&1; then
            country=$(geoiplookup "$ip" 2>/dev/null | awk -F': ' '{print $2}' | cut -d',' -f1 | head -1)
        fi
    fi
    # Method 4: Fallback - use whois (slower, only if critically needed)
    # Disabled by default for performance
    # if [ -z "$country" ] || [ "$country" = "??" ]; then
    #     country=$(whois "$ip" 2>/dev/null | grep -iE "^country:" | head -1 | awk '{print $2}')
    # fi
    # Default if all methods fail
    [ -z "$country" ] && country="??"
    echo "$country"
 }
 # Increment IP hit count (fast path for common case)
 increment_ip_hits() {
    local ip="$1"
    local increment="${2:-1}"
    update_ip_reputation "$ip" "$increment" 0 0 ""
 }
 # Flag IP for specific attack type
 flag_ip_attack() {
    local ip="$1"
    local attack_type="$2"
    local score_increase="${3:-5}"
    local note="${4:-$attack_type}"
    local attack_flag=0
    case "$attack_type" in
        SQL_INJECTION|sql) attack_flag=$ATTACK_FLAG_SQL_INJECTION; score_increase=15 ;;
        XSS|xss) attack_flag=$ATTACK_FLAG_XSS; score_increase=10 ;;
        PATH_TRAVERSAL|path) attack_flag=$ATTACK_FLAG_PATH_TRAVERSAL; score_increase=12 ;;
        RCE|rce|shell) attack_flag=$ATTACK_FLAG_RCE; score_increase=20 ;;
        BRUTEFORCE|brute) attack_flag=$ATTACK_FLAG_BRUTEFORCE; score_increase=8 ;;
        DDOS|ddos) attack_flag=$ATTACK_FLAG_DDOS; score_increase=10 ;;
        BOT|bot) attack_flag=$ATTACK_FLAG_BOT; score_increase=3 ;;
        SCANNER|scan) attack_flag=$ATTACK_FLAG_SCANNER; score_increase=5 ;;
        EXPLOIT|exploit) attack_flag=$ATTACK_FLAG_EXPLOIT; score_increase=15 ;;
        *) attack_flag=0; score_increase=5 ;;
    esac
    update_ip_reputation "$ip" 1 "$score_increase" "$attack_flag" "$note"
 }
 # Mark IP as legitimate (reduces reputation score)
 mark_ip_legitimate() {
    local ip="$1"
    local note="${2:-Marked as legitimate}"
    update_ip_reputation "$ip" 0 -20 0 "$note"
 }
 # Get IP reputation category
 get_ip_reputation_category() {
    local score="$1"
    if [ $score -ge $REP_SCORE_CRITICAL ]; then
        echo "CRITICAL"
    elif [ $score -ge $REP_SCORE_HIGH ]; then
        echo "HIGH"
    elif [ $score -ge $REP_SCORE_MEDIUM ]; then
        echo "MEDIUM"
    elif [ $score -ge $REP_SCORE_LOW ]; then
        echo "LOW"
    else
        echo "SAFE"
    fi
 }
 # Get attack types from flags
 decode_attack_flags() {
    local flags="$1"
    local attacks=""
    [ $((flags & ATTACK_FLAG_SQL_INJECTION)) -ne 0 ] && attacks="${attacks}SQL,"
    [ $((flags & ATTACK_FLAG_XSS)) -ne 0 ] && attacks="${attacks}XSS,"
    [ $((flags & ATTACK_FLAG_PATH_TRAVERSAL)) -ne 0 ] && attacks="${attacks}PATH,"
    [ $((flags & ATTACK_FLAG_RCE)) -ne 0 ] && attacks="${attacks}RCE,"
    [ $((flags & ATTACK_FLAG_BRUTEFORCE)) -ne 0 ] && attacks="${attacks}BRUTE,"
    [ $((flags & ATTACK_FLAG_DDOS)) -ne 0 ] && attacks="${attacks}DDOS,"
    [ $((flags & ATTACK_FLAG_BOT)) -ne 0 ] && attacks="${attacks}BOT,"
    [ $((flags & ATTACK_FLAG_SCANNER)) -ne 0 ] && attacks="${attacks}SCAN,"
    [ $((flags & ATTACK_FLAG_EXPLOIT)) -ne 0 ] && attacks="${attacks}EXPLOIT,"
    # Remove trailing comma
    attacks="${attacks%,}"
    [ -z "$attacks" ] && attacks="NONE"
    echo "$attacks"
 }
 # Query and display IP information
 query_ip_reputation() {
    local ip="$1"
    init_ip_reputation_db
    local data
    data=$(lookup_ip "$ip")
    if [ -z "$data" ]; then
        echo "IP $ip not found in reputation database"
        return 1
    fi
    IFS='|' read -r ip hit_count rep_score country attack_flags first_seen last_seen last_activity notes <<< "$data"
    local category=$(get_ip_reputation_category "$rep_score")
    local attacks=$(decode_attack_flags "$attack_flags")
    local first_seen_date=$(date -d "@$first_seen" '+%Y-%m-%d %H:%M:%S' 2>/dev/null || echo "$first_seen")
    local last_seen_date=$(date -d "@$last_seen" '+%Y-%m-%d %H:%M:%S' 2>/dev/null || echo "$last_seen")
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    echo "IP Address:       $ip"
    echo "Country:          $country"
    echo "Reputation:       $rep_score/100 [$category]"
    echo "Total Hits:       $hit_count"
    echo "Attack Types:     $attacks"
    echo "First Seen:       $first_seen_date"
    echo "Last Seen:        $last_seen_date"
    echo "Last Activity:    ${last_activity:-None recorded}"
    echo "Notes:            ${notes:-None}"
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    return 0
 }
 # Get top IPs by reputation score
 get_top_malicious_ips() {
    local limit="${1:-20}"
    init_ip_reputation_db
    [ ! -f "$IP_REP_DB" ] && return 1
    # OPTIMIZATION: For large files, use partial sort (much faster)
    # Only sort enough to find top N instead of sorting entire file
    local db_size=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo "0")
    if [ "$db_size" -gt 100000 ]; then
        # For very large databases, use awk to find high-scoring IPs first
        # then sort only those (much faster than sorting 500k lines)
        awk -F'|' '$3 >= 50' "$IP_REP_DB" | sort -t'|' -k3 -rn | head -n "$limit"
    else
        # For smaller databases, regular sort is fine
        sort -t'|' -k3 -rn "$IP_REP_DB" | head -n "$limit"
    fi
 }
 # Get top IPs by hit count
 get_top_active_ips() {
    local limit="${1:-20}"
    init_ip_reputation_db
    [ ! -f "$IP_REP_DB" ] && return 1
    # OPTIMIZATION: For large files, filter first then sort
    local db_size=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo "0")
    if [ "$db_size" -gt 100000 ]; then
        # Filter to IPs with >100 hits, then sort (much faster)
        awk -F'|' '$2 >= 100' "$IP_REP_DB" | sort -t'|' -k2 -rn | head -n "$limit"
    else
        # For smaller databases, regular sort is fine
        sort -t'|' -k2 -rn "$IP_REP_DB" | head -n "$limit"
    fi
 }
 # Clean up old entries (not seen in X days)
 cleanup_old_ips() {
    local days_old="${1:-90}"
    init_ip_reputation_db
    acquire_lock
    local cutoff_time=$(($(date +%s) - (days_old * 86400)))
    local temp_file="${IP_REP_DB}.tmp"
    # Keep only IPs seen within the cutoff time
    awk -F'|' -v cutoff="$cutoff_time" '$7 >= cutoff' "$IP_REP_DB" > "$temp_file"
    mv "$temp_file" "$IP_REP_DB"
    release_lock
    echo "Cleaned up IPs not seen in $days_old days"
 }
 # Compact database to remove duplicate IP entries (from append-only writes)
 compact_database() {
    init_ip_reputation_db
    acquire_lock
    echo "Compacting database (removing duplicate IP entries)..."
    local temp_db="${IP_REP_DB}.compact_tmp"
    local original_size=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo "0")
    # Use awk to keep only the LAST occurrence of each IP (most recent data)
    # Read file backwards, keep first occurrence of each IP, then reverse again
    tac "$IP_REP_DB" | awk -F'|' '!seen[$1]++' | tac > "$temp_db"
    # Replace original with compacted version
    mv "$temp_db" "$IP_REP_DB"
    local new_size=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo "0")
    local removed=$((original_size - new_size))
    # Remove compaction marker
    rm -f "${IP_REP_DB}.needs_compact" 2>/dev/null
    release_lock
    echo "Compaction complete: Removed $removed duplicate entries ($original_size → $new_size IPs)"
    # Rebuild index after compaction
    rebuild_index
 }
 # Rebuild index for faster lookups (for very large databases)
 rebuild_index() {
    init_ip_reputation_db
    acquire_lock
    echo "Rebuilding hash-based index for fast lookups..."
    # Remove old hash files
    rm -f "${IP_REP_DB_DIR}"/hash_*.idx 2>/dev/null
    # Build hash buckets (256 buckets based on first octet)
    # This distributes 500k IPs into ~2k IPs per bucket = MUCH faster
    local line_num=0
    while IFS='|' read -r ip rest; do
        ((line_num++))
        # Calculate hash bucket from first octet
        local hash_bucket="${ip%%.*}"
        local hash_file="${IP_REP_DB_DIR}/hash_${hash_bucket}.idx"
        # Store IP and its line number in the hash bucket file
        echo "${ip}|${line_num}" >> "$hash_file"
    done < "$IP_REP_DB"
    # Sort each hash bucket file for faster grep
    for hash_file in "${IP_REP_DB_DIR}"/hash_*.idx; do
        [ -f "$hash_file" ] && sort -t'|' -k1 -o "$hash_file" "$hash_file"
    done
    # Also create main sorted index for compatibility
    sort -t'|' -k1 "$IP_REP_DB" > "$IP_REP_INDEX"
    release_lock
    echo "Index rebuilt: $(ls -1 "${IP_REP_DB_DIR}"/hash_*.idx 2>/dev/null | wc -l) hash buckets created"
 }
 # Export reputation database to readable format
 export_ip_reputation() {
    local output_file="${1:-/tmp/ip_reputation_export_$(date +%Y%m%d_%H%M%S).txt}"
    init_ip_reputation_db
    {
        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
        echo "SERVER TOOLKIT - IP REPUTATION DATABASE EXPORT"
        echo "Generated: $(date '+%Y-%m-%d %H:%M:%S')"
        echo "Total IPs: $(wc -l < "$IP_REP_DB" 2>/dev/null || echo 0)"
        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
        echo ""
        printf "%-15s | %-7s | %-4s | %-8s | %-6s | %-30s | %-19s\n" \
            "IP ADDRESS" "HITS" "CTRY" "REP" "LEVEL" "ATTACKS" "LAST SEEN"
        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
        # Sort by reputation score, descending
        sort -t'|' -k3 -rn "$IP_REP_DB" | while IFS='|' read -r ip hit_count rep_score country attack_flags first_seen last_seen last_activity notes; do
            local category=$(get_ip_reputation_category "$rep_score")
            local attacks=$(decode_attack_flags "$attack_flags")
            local last_seen_date=$(date -d "@$last_seen" '+%Y-%m-%d %H:%M' 2>/dev/null || echo "$last_seen")
            printf "%-15s | %-7s | %-4s | %-3s/100 | %-8s | %-30s | %-19s\n" \
                "$ip" "$hit_count" "$country" "$rep_score" "$category" "${attacks:0:30}" "$last_seen_date"
        done
        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    } > "$output_file"
    echo "IP reputation database exported to: $output_file"
 }
 # Check if IP should be blocked (based on reputation)
 should_block_ip() {
    local ip="$1"
    local threshold="${2:-$REP_SCORE_HIGH}"  # Default: block if reputation >= 60
    local data
    data=$(lookup_ip "$ip")
    [ -z "$data" ] && return 1  # Unknown IP, don't block
    IFS='|' read -r _ _ rep_score _ _ _ _ _ _ <<< "$data"
    [ $rep_score -ge $threshold ] && return 0  # Should block
    return 1  # Should not block
 }
 # Batch import IPs from various sources
 import_ips_from_log() {
    local log_file="$1"
    local attack_type="${2:-SUSPICIOUS}"
    local score_per_hit="${3:-5}"
    [ ! -f "$log_file" ] && return 1
    # Extract IPs and count occurrences
    grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' "$log_file" | \
    sort | uniq -c | while read count ip; do
        update_ip_reputation "$ip" "$count" "$score_per_hit" 0 "Imported from $log_file"
    done
    echo "Imported IPs from $log_file"
 }
 # Statistics summary
 show_ip_statistics() {
    init_ip_reputation_db
    local total_ips=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo 0)
    local critical=$(awk -F'|' -v thresh=$REP_SCORE_CRITICAL '$3 >= thresh' "$IP_REP_DB" 2>/dev/null | wc -l)
    local high=$(awk -F'|' -v low=$REP_SCORE_HIGH -v hi=$REP_SCORE_CRITICAL '$3 >= low && $3 < hi' "$IP_REP_DB" 2>/dev/null | wc -l)
    local medium=$(awk -F'|' -v low=$REP_SCORE_MEDIUM -v hi=$REP_SCORE_HIGH '$3 >= low && $3 < hi' "$IP_REP_DB" 2>/dev/null | wc -l)
    local low=$(awk -F'|' -v low=$REP_SCORE_LOW -v hi=$REP_SCORE_MEDIUM '$3 >= low && $3 < hi' "$IP_REP_DB" 2>/dev/null | wc -l)
    local safe=$(awk -F'|' -v thresh=$REP_SCORE_LOW '$3 < thresh' "$IP_REP_DB" 2>/dev/null | wc -l)
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    echo "IP REPUTATION DATABASE STATISTICS"
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    echo "Total Tracked IPs:    $total_ips"
    echo ""
    echo "By Reputation Level:"
    echo "  CRITICAL (≥80):     $critical"
    echo "  HIGH (60-79):       $high"
    echo "  MEDIUM (40-59):     $medium"
    echo "  LOW (20-39):        $low"
    echo "  SAFE (<20):         $safe"
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 }
 ################################################################################
 # BAN MANAGEMENT & TRACKING
 ################################################################################
 # Record that an IP was banned
 # Usage: record_ip_ban IP DURATION_HOURS [REASON]
 record_ip_ban() {
    local ip="$1"
    local duration="${2:-1}"
    local reason="${3:-Manual ban from live monitor}"
    [ -z "$ip" ] && return 1
    init_ip_reputation_db
    acquire_lock
    local existing
    existing=$(lookup_ip "$ip")
    local current_time=$(date +%s)
    if [ -n "$existing" ]; then
        # Parse existing entry (with new ban fields)
        IFS='|' read -r old_ip hit_count rep_score country attack_flags first_seen last_seen last_activity notes ban_count last_ban <<< "$existing"
        # Increment ban count
        ban_count=$((${ban_count:-0} + 1))
        last_ban="$current_time"
        # Increase reputation score for being banned
        rep_score=$((rep_score + 10))
        [ $rep_score -gt 100 ] && rep_score=100
        # Update notes
        notes="Banned ${ban_count}x (${duration}h): $reason"
        # Write updated entry (remove old, add new)
        local temp_file="${IP_REP_DB}.tmp.$$"
        grep -v "^${ip}|" "$IP_REP_DB" > "$temp_file" 2>/dev/null || touch "$temp_file"
        echo "$ip|$hit_count|$rep_score|$country|$attack_flags|$first_seen|$last_seen|$last_activity|$notes|$ban_count|$last_ban" >> "$temp_file"
        mv "$temp_file" "$IP_REP_DB"
    else
        # New IP - create entry with ban
        echo "$ip|0|70|unknown|0|$current_time|$current_time|Banned|Banned: $reason|1|$current_time" >> "$IP_REP_DB"
    fi
    release_lock
    return 0
 }
 # Get ban count for an IP
 get_ip_ban_count() {
    local ip="$1"
    local data
    data=$(lookup_ip "$ip")
    [ -z "$data" ] && echo "0" && return 0
    # Extract ban_count (field 10)
    echo "$data" | awk -F'|' '{print $10}'
 }
 # Get last ban timestamp for an IP
 get_ip_last_ban() {
    local ip="$1"
    local data
    data=$(lookup_ip "$ip")
    [ -z "$data" ] && echo "0" && return 0
    # Extract last_ban (field 11)
    echo "$data" | awk -F'|' '{print $11}'
 }
 # Block IP using CSF (if available) or iptables
 # Usage: block_ip_temporary IP DURATION_HOURS [REASON]
 block_ip_temporary() {
    local ip="$1"
    local duration="${2:-1}"  # Default: 1 hour
    local reason="${3:-High threat activity detected}"
    [ -z "$ip" ] && return 1
    # Validate IP format
    if ! [[ "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        echo "ERROR: Invalid IP format: $ip"
        return 1
    fi
    # Check if CSF is available
    if command -v csf &>/dev/null; then
        # Use CSF temporary deny
        local duration_seconds=$((duration * 3600))
        csf -td "$ip" "$duration_seconds" "$reason" &>/dev/null
        if [ $? -eq 0 ]; then
            echo "✓ Blocked $ip using CSF for ${duration}h: $reason"
            record_ip_ban "$ip" "$duration" "$reason"
            return 0
        else
            echo "⚠ CSF block failed for $ip, trying iptables..."
        fi
    fi
    # Fallback to iptables
    if command -v iptables &>/dev/null; then
        # Check if already blocked
        if iptables -L INPUT -n | grep -q "$ip"; then
            echo "⚠ $ip already blocked in iptables"
            return 0
        fi
        # Add iptables rule
        iptables -I INPUT -s "$ip" -j DROP
        if [ $? -eq 0 ]; then
            echo "✓ Blocked $ip using iptables for ${duration}h: $reason"
            record_ip_ban "$ip" "$duration" "$reason"
            # Schedule removal using at (if available)
            if command -v at &>/dev/null; then
                echo "iptables -D INPUT -s $ip -j DROP 2>/dev/null" | at now + $duration hours 2>/dev/null
                echo "  (Scheduled auto-unblock in ${duration}h)"
            else
                echo "  (WARNING: Manual unblock required - 'at' command not available)"
            fi
            return 0
        else
            echo "✗ Failed to block $ip with iptables"
            return 1
        fi
    fi
    echo "✗ No firewall available (CSF or iptables required)"
    return 1
 }
 # Unblock IP
 unblock_ip() {
    local ip="$1"
    [ -z "$ip" ] && return 1
    # Try CSF first
    if command -v csf &>/dev/null; then
        csf -tr "$ip" &>/dev/null
        if [ $? -eq 0 ]; then
            echo "✓ Unblocked $ip from CSF"
            return 0
        fi
    fi
    # Try iptables
    if command -v iptables &>/dev/null; then
        iptables -D INPUT -s "$ip" -j DROP 2>/dev/null
        if [ $? -eq 0 ]; then
            echo "✓ Unblocked $ip from iptables"
            return 0
        fi
    fi
    echo "⚠ $ip not found in firewall rules"
    return 1
 }
 # Check if IP is currently blocked
 is_ip_blocked() {
    local ip="$1"
    [ -z "$ip" ] && return 1
    # Check CSF
    if command -v csf &>/dev/null; then
        if csf -g "$ip" 2>/dev/null | grep -q "DENY"; then
            return 0
        fi
    fi
    # Check iptables (use word boundaries to avoid partial matches)
    if command -v iptables &>/dev/null; then
        if iptables -L INPUT -n 2>/dev/null | grep -w "$ip" | grep -q "DROP\|REJECT"; then
            return 0
        fi
    fi
    return 1
 }
 # Get list of IPs that should be blocked based on reputation
 # Usage: get_blockable_ips [MIN_SCORE]
 get_blockable_ips() {
    local min_score="${1:-60}"  # Default: score >= 60
    [ ! -f "$IP_REP_DB" ] && return 1
    # Get IPs with score >= min_score, not already blocked
    while IFS='|' read -r ip hit_count rep_score rest; do
        # Skip if score too low
        [ "$rep_score" -lt "$min_score" ] 2>/dev/null && continue
        # Skip if already blocked
        is_ip_blocked "$ip" && continue
        # Output: IP|SCORE|HITS
        echo "$ip|$rep_score|$hit_count"
    done < "$IP_REP_DB" | sort -t'|' -k2 -rn
 }
 export -f record_ip_ban
 export -f get_ip_ban_count
 export -f get_ip_last_ban
 export -f block_ip_temporary
 export -f unblock_ip
 export -f is_ip_blocked
 export -f get_blockable_ips
 # Initialize on library load
 init_ip_reputation_db
@@ -183,6 +183,64 @@ build_databases_section() {
    echo "" >> "$SYSREF_DB"
 }
 # Check domain HTTP/HTTPS status codes
 # Returns: http_code|https_code|status_summary
 check_domain_status() {
    local domain="$1"
    local http_code="000"
    local https_code="000"
    local status_summary="unchecked"
    # Skip if curl not available
    if ! command -v curl &>/dev/null; then
        echo "000|000|no_curl"
        return 0
    fi
    # Skip obviously invalid domains
    if [ -z "$domain" ] || [[ ! "$domain" =~ \. ]]; then
        echo "000|000|invalid_domain"
        return 0
    fi
    # Try HTTP (timeout 3 seconds, max 2 redirects, check for valid response)
    http_code=$(timeout 3 curl -s -o /dev/null -w "%{http_code}" --max-redirs 2 -m 3 "http://$domain" 2>/dev/null)
    if [ $? -ne 0 ] || [ -z "$http_code" ]; then
        http_code="timeout"
    fi
    # Try HTTPS (timeout 3 seconds, max 2 redirects, ignore cert errors)
    https_code=$(timeout 3 curl -s -o /dev/null -w "%{http_code}" --max-redirs 2 -m 3 -k "https://$domain" 2>/dev/null)
    if [ $? -ne 0 ] || [ -z "$https_code" ]; then
        https_code="timeout"
    fi
    # Determine overall status
    if [ "$http_code" = "200" ] || [ "$https_code" = "200" ]; then
        status_summary="200_OK"
    elif [ "$http_code" = "403" ] || [ "$https_code" = "403" ]; then
        status_summary="403_FORBIDDEN"
    elif [ "$http_code" = "404" ] || [ "$https_code" = "404" ]; then
        status_summary="404_NOT_FOUND"
    elif [ "$http_code" = "500" ] || [ "$https_code" = "500" ]; then
        status_summary="500_ERROR"
    elif [ "$http_code" = "502" ] || [ "$https_code" = "502" ]; then
        status_summary="502_BAD_GATEWAY"
    elif [ "$http_code" = "503" ] || [ "$https_code" = "503" ]; then
        status_summary="503_UNAVAILABLE"
    elif [[ "$http_code" =~ ^30[0-9]$ ]] || [[ "$https_code" =~ ^30[0-9]$ ]]; then
        status_summary="REDIRECT"
    elif [ "$http_code" = "timeout" ] && [ "$https_code" = "timeout" ]; then
        status_summary="TIMEOUT"
    elif [ "$http_code" = "000" ] && [ "$https_code" = "000" ]; then
        status_summary="UNREACHABLE"
    else
        status_summary="OTHER"
    fi
    echo "${http_code}|${https_code}|${status_summary}"
 }
 build_domains_section() {
    echo "[DOMAINS]" >> "$SYSREF_DB"
@@ -191,6 +249,17 @@ build_domains_section() {
    local users=($(list_all_users))
    # Count total domains for progress
    local total_domains=0
    for user in "${users[@]}"; do
        local userdata_dir="/var/cpanel/userdata/${user}"
        if [ -d "$userdata_dir" ]; then
            total_domains=$((total_domains + $(find "$userdata_dir" -type f ! -name "*.cache" ! -name "*.yaml" ! -name "*.json" ! -name "main*" ! -name "cache" ! -name "*_SSL" 2>/dev/null | wc -l)))
        fi
    done
    local current_domain=0
    # Get detailed domain information from cPanel userdata (if available)
    for user in "${users[@]}"; do
        local userdata_dir="/var/cpanel/userdata/${user}"
@@ -233,8 +302,20 @@ build_domains_section() {
                    fi
                fi
-                # Format: DOMAIN|domain|owner|doc_root|log_path|php_version|is_primary|type|aliases
+                # Check HTTP/HTTPS status codes (only for primary and addon domains, skip aliases/subdomains)
-                echo "DOMAIN|$domain|$user|$doc_root|$log_path|$php_version|$is_primary|$domain_type|$server_alias" >> "$SYSREF_DB"
+                current_domain=$((current_domain + 1))
                local http_code="000"
                local https_code="000"
                local status_summary="skipped"
                if [ "$domain_type" = "primary" ] || [ "$domain_type" = "addon" ]; then
                    show_progress $current_domain $total_domains "Checking domain status codes..."
                    local status_result=$(check_domain_status "$domain")
                    IFS='|' read -r http_code https_code status_summary <<< "$status_result"
                fi
                # Format: DOMAIN|domain|owner|doc_root|log_path|php_version|is_primary|type|aliases|http_code|https_code|status_summary
                echo "DOMAIN|$domain|$user|$doc_root|$log_path|$php_version|$is_primary|$domain_type|$server_alias|$http_code|$https_code|$status_summary" >> "$SYSREF_DB"
                seen_domains["$domain"]=1
                # Also add aliases as separate entries
@@ -243,8 +324,8 @@ build_domains_section() {
                        [ -z "$alias" ] && continue
                        [ -n "${seen_domains[$alias]:-}" ] && continue
-                        # Alias points to same document root and logs
+                        # Alias points to same document root and logs (inherit status from parent)
-                        echo "DOMAIN|$alias|$user|$doc_root|$log_path|$php_version|no|alias|$domain" >> "$SYSREF_DB"
+                        echo "DOMAIN|$alias|$user|$doc_root|$log_path|$php_version|no|alias|$domain|$http_code|$https_code|alias_of_$status_summary" >> "$SYSREF_DB"
                        seen_domains["$alias"]=1
                    done
                fi
@@ -265,13 +346,21 @@ build_domains_section() {
                local log_path="${SYS_LOG_DIR}/${domain}"
                [ ! -f "$log_path" ] && log_path="${SYS_LOG_DIR}/${domain}.log"
-                # Simple format for non-cPanel
+                # Check status for non-cPanel domains
-                echo "DOMAIN|$domain|$user||$log_path||$is_primary|local|" >> "$SYSREF_DB"
+                current_domain=$((current_domain + 1))
                show_progress $current_domain $total_domains "Checking domain status codes..."
                local status_result=$(check_domain_status "$domain")
                IFS='|' read -r http_code https_code status_summary <<< "$status_result"
                # Simple format for non-cPanel (with status codes)
                echo "DOMAIN|$domain|$user||$log_path||$is_primary|local||$http_code|$https_code|$status_summary" >> "$SYSREF_DB"
                seen_domains["$domain"]=1
            done
        fi
    done
    finish_progress
    # Check /etc/localdomains (cPanel local domains not yet added)
    if [ -f "/etc/localdomains" ]; then
        while read -r domain; do
@@ -282,12 +371,17 @@ build_domains_section() {
            [ -z "$owner" ] && owner="unknown"
            local log_path="${SYS_LOG_DIR}/${domain}"
-            echo "DOMAIN|$domain|$owner||$log_path||unknown|local|" >> "$SYSREF_DB"
+
            # Check status
            local status_result=$(check_domain_status "$domain")
            IFS='|' read -r http_code https_code status_summary <<< "$status_result"
            echo "DOMAIN|$domain|$owner||$log_path||unknown|local||$http_code|$https_code|$status_summary" >> "$SYSREF_DB"
            seen_domains["$domain"]=1
        done < /etc/localdomains
    fi
-    # Check /etc/remotedomains (cPanel remote MX domains)
+    # Check /etc/remotedomains (cPanel remote MX domains - no status check for remote MX)
    if [ -f "/etc/remotedomains" ]; then
        while read -r domain; do
            [ -z "$domain" ] && continue
@@ -296,7 +390,7 @@ build_domains_section() {
            local owner=$(grep "^${domain}:" /etc/trueuserdomains 2>/dev/null | cut -d: -f2 | xargs || true)
            [ -z "$owner" ] && owner="unknown"
-            echo "DOMAIN|$domain|$owner||||unknown|remote|" >> "$SYSREF_DB"
+            echo "DOMAIN|$domain|$owner||||unknown|remote||000|000|remote_mx" >> "$SYSREF_DB"
            seen_domains["$domain"]=1
        done < /etc/remotedomains
    fi
@@ -557,6 +651,87 @@ export -f db_get_all_users
 export -f db_get_user_databases
 export -f db_get_user_domains
 export -f db_get_database_owner
 #############################################################################
 # SIMPLE KEY-VALUE STORE (for cross-module session data)
 #############################################################################
 # Store a key-value pair in the reference database
 store_reference() {
    local key="$1"
    local value="$2"
    if [ -z "$key" ] || [ -z "$value" ]; then
        return 1
    fi
    # Use REF prefix for simple key-value pairs
    echo "REF|$key|$value" >> "$SYSREF_DB"
 }
 # Retrieve the most recent value for a key
 get_reference() {
    local key="$1"
    if [ -z "$key" ] || [ ! -f "$SYSREF_DB" ]; then
        return 1
    fi
    # Get the most recent value (last occurrence)
    grep "^REF|$key|" "$SYSREF_DB" 2>/dev/null | tail -1 | cut -d'|' -f3
 }
 # Get domain status from reference database
 # Usage: get_domain_status "domain.com"
 # Returns: http_code|https_code|status_summary or empty if not found
 get_domain_status() {
    local domain="$1"
    if [ -z "$domain" ] || [ ! -f "$SYSREF_DB" ]; then
        return 1
    fi
    # Get domain record (DOMAIN|domain|owner|doc_root|log_path|php|primary|type|alias|http|https|status)
    local record=$(grep "^DOMAIN|${domain}|" "$SYSREF_DB" 2>/dev/null | head -1)
    if [ -z "$record" ]; then
        return 1
    fi
    # Extract fields 10, 11, 12 (http_code, https_code, status_summary)
    echo "$record" | awk -F'|' '{print $10"|"$11"|"$12}'
 }
 # Get all domains with their status codes
 # Returns: domain|http_code|https_code|status_summary (one per line)
 get_all_domain_statuses() {
    if [ ! -f "$SYSREF_DB" ]; then
        return 1
    fi
    grep "^DOMAIN|" "$SYSREF_DB" 2>/dev/null | awk -F'|' '{print $2"|"$10"|"$11"|"$12}'
 }
 # Check if domain is healthy (200 OK on either HTTP or HTTPS)
 # Usage: is_domain_healthy "domain.com" && echo "healthy"
 is_domain_healthy() {
    local domain="$1"
    local status=$(get_domain_status "$domain")
    [ -z "$status" ] && return 1
    # Parse status
    IFS='|' read -r http_code https_code status_summary <<< "$status"
    # Healthy if either HTTP or HTTPS returns 200
    if [ "$http_code" = "200" ] || [ "$https_code" = "200" ]; then
        return 0
    fi
    return 1
 }
 export -f store_reference
 export -f get_reference
 export -f db_get_all_wordpress
 export -f db_get_system_info
 export -f db_get_health_metric
@@ -567,3 +742,6 @@ export -f db_get_all_health
 export -f db_is_fresh
 export -f db_ensure_fresh
 export -f db_rebuild
 export -f get_domain_status
 export -f get_all_domain_statuses
 export -f is_domain_healthy
@@ -25,6 +25,9 @@ export SYS_LOG_DIR=""
 export SYS_USER_HOME_BASE=""
 export SYS_PHP_VERSIONS=()
 export SYS_CLOUDFLARE_ACTIVE=""
 export SYS_FIREWALL=""
 export SYS_FIREWALL_VERSION=""
 export SYS_FIREWALL_ACTIVE=""
 #############################################################################
 # CONTROL PANEL DETECTION
@@ -64,7 +67,9 @@ detect_control_panel() {
        if [ -f "/usr/local/interworx/iworx/version.php" ]; then
            SYS_CONTROL_PANEL_VERSION=$(grep -oP "VERSION = '\K[^']+" /usr/local/interworx/iworx/version.php 2>/dev/null || echo "Unknown")
        fi
-        SYS_LOG_DIR="/home"
+        # InterWorx stores logs in /home/user/var/domain.com/logs/
        # We set a marker path that tools will recognize needs special handling
        SYS_LOG_DIR="/home/*/var/*/logs"
        SYS_USER_HOME_BASE="/home"
        print_success "Detected InterWorx v${SYS_CONTROL_PANEL_VERSION}"
@@ -260,6 +265,77 @@ detect_cloudflare() {
    fi
 }
 #############################################################################
 # FIREWALL DETECTION
 #############################################################################
 detect_firewall() {
    print_info "Detecting firewall..."
    # CSF/LFD
    if [ -f "/etc/csf/csf.conf" ]; then
        SYS_FIREWALL="csf"
        SYS_FIREWALL_VERSION=$(csf -v 2>/dev/null | grep -oP 'v\K[\d.]+' | head -1 || echo "unknown")
        if systemctl is-active --quiet lfd 2>/dev/null || service lfd status 2>/dev/null | grep -q running; then
            SYS_FIREWALL_ACTIVE="yes"
            print_success "Detected CSF ${SYS_FIREWALL_VERSION} (active)"
        else
            SYS_FIREWALL_ACTIVE="no"
            print_warning "Detected CSF ${SYS_FIREWALL_VERSION} (inactive)"
        fi
        export SYS_CSF_ACTIVE="${SYS_FIREWALL_ACTIVE}"
        return 0
    fi
    # firewalld
    if command_exists firewall-cmd; then
        SYS_FIREWALL="firewalld"
        SYS_FIREWALL_VERSION=$(firewall-cmd --version 2>/dev/null || echo "unknown")
        if systemctl is-active --quiet firewalld 2>/dev/null; then
            SYS_FIREWALL_ACTIVE="yes"
            print_success "Detected firewalld ${SYS_FIREWALL_VERSION} (active)"
        else
            SYS_FIREWALL_ACTIVE="no"
            print_warning "Detected firewalld ${SYS_FIREWALL_VERSION} (inactive)"
        fi
        return 0
    fi
    # iptables
    if command_exists iptables; then
        SYS_FIREWALL="iptables"
        SYS_FIREWALL_VERSION=$(iptables --version 2>/dev/null | grep -oP 'v\K[\d.]+' | head -1 || echo "unknown")
        # Check if iptables has any rules
        if [ "$(iptables -L -n 2>/dev/null | wc -l)" -gt 8 ]; then
            SYS_FIREWALL_ACTIVE="yes"
            print_success "Detected iptables ${SYS_FIREWALL_VERSION} (active)"
        else
            SYS_FIREWALL_ACTIVE="no"
            print_warning "Detected iptables ${SYS_FIREWALL_VERSION} (no rules)"
        fi
        return 0
    fi
    # UFW
    if command_exists ufw; then
        SYS_FIREWALL="ufw"
        SYS_FIREWALL_VERSION=$(ufw version 2>/dev/null | grep -oP '\d+\.\d+\.\d+' | head -1 || echo "unknown")
        if ufw status 2>/dev/null | grep -q "Status: active"; then
            SYS_FIREWALL_ACTIVE="yes"
            print_success "Detected UFW ${SYS_FIREWALL_VERSION} (active)"
        else
            SYS_FIREWALL_ACTIVE="no"
            print_warning "Detected UFW ${SYS_FIREWALL_VERSION} (inactive)"
        fi
        return 0
    fi
    SYS_FIREWALL="none"
    SYS_FIREWALL_ACTIVE="no"
    print_warning "No firewall detected"
    return 1
 }
 #############################################################################
 # SYSTEM RESOURCES (Comprehensive - like user's example)
 #############################################################################
@@ -424,6 +500,7 @@ initialize_system_detection() {
    detect_database
    detect_php_versions
    detect_cloudflare
    detect_firewall
    get_system_resources
    # Mark as initialized
@@ -0,0 +1,466 @@
 #!/bin/bash
 ################################################################################
 # Threat Intelligence Library
 ################################################################################
 # Purpose: External threat intelligence integration using existing tools
 # Features: IP reputation lookups, geolocation, whitelist management
 # No new services - uses only existing APIs and tools
 ################################################################################
 # Cache directory for threat intelligence
 THREAT_CACHE_DIR="/var/lib/server-toolkit/threat-cache"
 mkdir -p "$THREAT_CACHE_DIR" 2>/dev/null
 # Cache TTL (24 hours)
 CACHE_TTL=86400
 ################################################################################
 # AbuseIPDB Integration (Free API - 1000 requests/day)
 ################################################################################
 # Check if IP is in AbuseIPDB
 # Returns: confidence_score|total_reports|country|isp
 check_abuseipdb() {
    local ip="$1"
    local cache_file="$THREAT_CACHE_DIR/abuseipdb_${ip//\./_}"
    # Check cache first
    if [ -f "$cache_file" ]; then
        local cache_age=$(($(date +%s) - $(stat -c %Y "$cache_file" 2>/dev/null || echo 0)))
        if [ "$cache_age" -lt "$CACHE_TTL" ]; then
            cat "$cache_file"
            return 0
        fi
    fi
    # Check if API key exists
    local api_key_file="/root/.abuseipdb_api_key"
    if [ ! -f "$api_key_file" ]; then
        echo "0|0|Unknown|Unknown"
        return 1
    fi
    local api_key=$(cat "$api_key_file")
    # Query AbuseIPDB API
    local response=$(curl -s -G https://api.abuseipdb.com/api/v2/check \
        --data-urlencode "ipAddress=$ip" \
        -d maxAgeInDays=90 \
        -H "Key: $api_key" \
        -H "Accept: application/json" 2>/dev/null)
    if [ -n "$response" ]; then
        local confidence=$(echo "$response" | grep -oP '"abuseConfidenceScore":\K[0-9]+' | head -1)
        local reports=$(echo "$response" | grep -oP '"totalReports":\K[0-9]+' | head -1)
        local country=$(echo "$response" | grep -oP '"countryCode":"\K[^"]+' | head -1)
        local isp=$(echo "$response" | grep -oP '"isp":"\K[^"]+' | head -1)
        local result="${confidence:-0}|${reports:-0}|${country:-Unknown}|${isp:-Unknown}"
        echo "$result" | tee "$cache_file"
        return 0
    fi
    echo "0|0|Unknown|Unknown"
    return 1
 }
 ################################################################################
 # Geolocation Detection (Using existing geoiplookup or geoip-bin)
 ################################################################################
 # Get country code for IP
 get_country_code() {
    local ip="$1"
    local cache_file="$THREAT_CACHE_DIR/geo_${ip//\./_}"
    # Check cache
    if [ -f "$cache_file" ]; then
        local cache_age=$(($(date +%s) - $(stat -c %Y "$cache_file" 2>/dev/null || echo 0)))
        if [ "$cache_age" -lt "$CACHE_TTL" ]; then
            cat "$cache_file"
            return 0
        fi
    fi
    # Try geoiplookup (if installed)
    if command -v geoiplookup &>/dev/null; then
        local country=$(geoiplookup "$ip" 2>/dev/null | head -1 | grep -oP 'GeoIP Country Edition: \K[A-Z]{2}')
        if [ -n "$country" ]; then
            echo "$country" | tee "$cache_file"
            return 0
        fi
    fi
    # Try geoip-bin (alternative)
    if command -v geoiplookup6 &>/dev/null; then
        local country=$(geoiplookup6 "$ip" 2>/dev/null | head -1 | grep -oP 'GeoIP Country Edition: \K[A-Z]{2}')
        if [ -n "$country" ]; then
            echo "$country" | tee "$cache_file"
            return 0
        fi
    fi
    # Fallback to whois (slower, not cached as aggressively)
    if command -v whois &>/dev/null; then
        local country=$(whois "$ip" 2>/dev/null | grep -i "^country:" | head -1 | awk '{print $2}' | tr '[:lower:]' '[:upper:]')
        if [ -n "$country" ] && [ ${#country} -eq 2 ]; then
            echo "$country" | tee "$cache_file"
            return 0
        fi
    fi
    echo "XX"
    return 1
 }
 # Check if country is high-risk
 is_high_risk_country() {
    local country="$1"
    # High-risk countries (commonly seen in attacks)
    local high_risk="CN RU UA BY KP IR VN TH ID BR"
    if echo "$high_risk" | grep -qw "$country"; then
        return 0
    fi
    return 1
 }
 ################################################################################
 # Smart Whitelisting
 ################################################################################
 # Check if IP should be whitelisted (legitimate services)
 is_whitelisted_service() {
    local ip="$1"
    local whitelist_file="/var/lib/server-toolkit/whitelist_ips.txt"
    # Check static whitelist
    if [ -f "$whitelist_file" ]; then
        if grep -q "^$ip$" "$whitelist_file"; then
            return 0
        fi
    fi
    # Check if IP belongs to known legitimate networks
    # Google IPs (8.8.0.0/16, 66.249.64.0/19, etc.)
    if [[ "$ip" =~ ^8\.8\. ]] || [[ "$ip" =~ ^66\.249\. ]] || [[ "$ip" =~ ^66\.102\. ]]; then
        return 0
    fi
    # Cloudflare IPs (173.245.48.0/20, 103.21.244.0/22, etc.)
    if [[ "$ip" =~ ^173\.245\.(4[8-9]|5[0-9]|6[0-3])\. ]] || [[ "$ip" =~ ^103\.21\.24[4-7]\. ]]; then
        return 0
    fi
    # Microsoft/Bing IPs (40.0.0.0/8, 65.52.0.0/14, etc.)
    if [[ "$ip" =~ ^40\. ]] || [[ "$ip" =~ ^65\.5[2-5]\. ]]; then
        return 0
    fi
    # Common CDN/monitoring services
    # Akamai: 23.0.0.0/8
    if [[ "$ip" =~ ^23\. ]]; then
        return 0
    fi
    return 1
 }
 # Add IP to whitelist
 add_to_whitelist() {
    local ip="$1"
    local reason="$2"
    local whitelist_file="/var/lib/server-toolkit/whitelist_ips.txt"
    if ! grep -q "^$ip$" "$whitelist_file" 2>/dev/null; then
        echo "$ip  # $reason" >> "$whitelist_file"
    fi
 }
 ################################################################################
 # Behavioral Analysis
 ################################################################################
 # Analyze request timing pattern
 # Returns: human|bot|suspicious
 analyze_timing_pattern() {
    local ip="$1"
    local timing_file="$THREAT_CACHE_DIR/timing_${ip//\./_}"
    # Record timestamp
    echo "$(date +%s)" >> "$timing_file"
    # Keep only last 100 requests
    tail -100 "$timing_file" > "${timing_file}.tmp" 2>/dev/null
    mv "${timing_file}.tmp" "$timing_file" 2>/dev/null
    # Analyze if we have enough data
    local request_count=$(wc -l < "$timing_file" 2>/dev/null || echo 0)
    if [ "$request_count" -lt 10 ]; then
        echo "unknown"
        return
    fi
    # Calculate average time between requests
    local timestamps=$(cat "$timing_file")
    local total_gap=0
    local gap_count=0
    local prev_ts=""
    while IFS= read -r ts; do
        if [ -n "$prev_ts" ]; then
            local gap=$((ts - prev_ts))
            total_gap=$((total_gap + gap))
            gap_count=$((gap_count + 1))
        fi
        prev_ts="$ts"
    done <<< "$timestamps"
    if [ "$gap_count" -gt 0 ]; then
        local avg_gap=$((total_gap / gap_count))
        # Bot patterns: < 2 seconds between requests consistently
        if [ "$avg_gap" -lt 2 ]; then
            echo "bot"
            return
        fi
        # Human patterns: 5-30 seconds between requests with variation
        if [ "$avg_gap" -ge 5 ] && [ "$avg_gap" -le 30 ]; then
            echo "human"
            return
        fi
        # Suspicious: Too fast but not consistent bot pattern
        echo "suspicious"
        return
    fi
    echo "unknown"
 }
 ################################################################################
 # Attack Pattern Learning
 ################################################################################
 # Record attack pattern for learning
 record_attack_pattern() {
    local ip="$1"
    local attack_type="$2"
    local uri="$3"
    local user_agent="$4"
    local pattern_file="/var/lib/server-toolkit/attack-patterns/patterns.log"
    mkdir -p "$(dirname "$pattern_file")" 2>/dev/null
    # Format: timestamp|ip|attack_type|uri|user_agent
    echo "$(date +%s)|$ip|$attack_type|$uri|$user_agent" >> "$pattern_file"
    # Keep only last 10000 patterns (prevent unbounded growth)
    tail -10000 "$pattern_file" > "${pattern_file}.tmp" 2>/dev/null
    mv "${pattern_file}.tmp" "$pattern_file" 2>/dev/null
 }
 # Check if attack matches known pattern
 matches_known_pattern() {
    local attack_type="$1"
    local uri="$2"
    local pattern_file="/var/lib/server-toolkit/attack-patterns/patterns.log"
    if [ ! -f "$pattern_file" ]; then
        return 1
    fi
    # Check if this attack type + similar URI has been seen before
    local similar_count=$(grep "|$attack_type|" "$pattern_file" | grep -c "$uri" || echo 0)
    if [ "$similar_count" -ge 3 ]; then
        return 0  # Known pattern
    fi
    return 1  # New pattern
 }
 ################################################################################
 # Performance Impact Monitoring
 ################################################################################
 # Get current server load
 get_server_load() {
    # Returns: load_1min|load_5min|load_15min|cpu_count
    local load=$(uptime | awk -F'load average:' '{print $2}' | sed 's/,//g' | xargs)
    local cpu_count=$(nproc)
    echo "${load}|${cpu_count}"
 }
 # Check if server is under stress
 is_server_stressed() {
    local load_data=$(get_server_load)
    IFS='|' read -r load1 load5 load15 cpu_count <<< "$load_data"
    # Remove any extra spaces
    load1=$(echo "$load1" | awk '{print $1}')
    # Convert to integer (multiply by 100 to handle decimals)
    local load_int=$(echo "$load1 * 100" | bc 2>/dev/null | cut -d. -f1)
    local threshold=$((cpu_count * 80))  # 80% of CPU count
    if [ "$load_int" -gt "$threshold" ]; then
        return 0  # Server is stressed
    fi
    return 1
 }
 ################################################################################
 # Incident Report Generation
 ################################################################################
 # Generate incident report for an IP
 generate_incident_report() {
    local ip="$1"
    local report_file="/var/lib/server-toolkit/incident-reports/report_${ip//\./_}_$(date +%Y%m%d_%H%M%S).txt"
    mkdir -p "$(dirname "$report_file")" 2>/dev/null
    {
        echo "═══════════════════════════════════════════════════════════════"
        echo "SECURITY INCIDENT REPORT"
        echo "═══════════════════════════════════════════════════════════════"
        echo ""
        echo "Generated: $(date '+%Y-%m-%d %H:%M:%S %Z')"
        echo "IP Address: $ip"
        echo ""
        echo "─────────────────────────────────────────────────────────────"
        echo "THREAT INTELLIGENCE"
        echo "─────────────────────────────────────────────────────────────"
        # AbuseIPDB data
        local abuse_data=$(check_abuseipdb "$ip")
        IFS='|' read -r confidence reports country isp <<< "$abuse_data"
        echo "AbuseIPDB Confidence: ${confidence}%"
        echo "Total Reports: $reports"
        echo "Country: $country"
        echo "ISP: $isp"
        echo ""
        # Geolocation
        local geo=$(get_country_code "$ip")
        echo "Geolocation: $geo"
        if is_high_risk_country "$geo"; then
            echo "Risk Level: HIGH (Known attack source country)"
        else
            echo "Risk Level: MEDIUM"
        fi
        echo ""
        echo "─────────────────────────────────────────────────────────────"
        echo "ATTACK HISTORY"
        echo "─────────────────────────────────────────────────────────────"
        # Get attacks from pattern log
        local pattern_file="/var/lib/server-toolkit/attack-patterns/patterns.log"
        if [ -f "$pattern_file" ]; then
            echo "Recent attacks from this IP:"
            grep "|$ip|" "$pattern_file" | tail -20 | while IFS='|' read -r ts ip_addr attack_type uri ua; do
                echo "  [$(date -d @$ts '+%Y-%m-%d %H:%M:%S')] $attack_type - $uri"
            done
            echo ""
        fi
        echo "─────────────────────────────────────────────────────────────"
        echo "RECOMMENDED ACTIONS"
        echo "─────────────────────────────────────────────────────────────"
        if [ "$confidence" -ge 75 ]; then
            echo "• IMMEDIATE BLOCK - High confidence malicious IP"
            echo "  Command: csf -d $ip \"AbuseIPDB: ${confidence}% confidence\""
        elif [ "$reports" -ge 10 ]; then
            echo "• TEMPORARY BLOCK - Multiple abuse reports"
            echo "  Command: csf -td $ip 86400 \"Multiple abuse reports\""
        else
            echo "• MONITOR - Watch for continued activity"
        fi
        echo ""
        echo "═══════════════════════════════════════════════════════════════"
        echo "END OF REPORT"
        echo "═══════════════════════════════════════════════════════════════"
    } > "$report_file"
    echo "$report_file"
 }
 ################################################################################
 # Multi-Server Coordination (for environments with multiple servers)
 ################################################################################
 # Share threat data with other servers (if configured)
 share_threat_data() {
    local ip="$1"
    local attack_type="$2"
    local score="$3"
    local coordination_file="/var/lib/server-toolkit/shared-threats.log"
    # Log for potential sharing
    echo "$(date +%s)|$(hostname)|$ip|$attack_type|$score" >> "$coordination_file"
    # Keep only last 1000 entries
    tail -1000 "$coordination_file" > "${coordination_file}.tmp" 2>/dev/null
    mv "${coordination_file}.tmp" "$coordination_file" 2>/dev/null
 }
 # Check if IP is flagged by other servers
 check_shared_threats() {
    local ip="$1"
    local coordination_file="/var/lib/server-toolkit/shared-threats.log"
    if [ -f "$coordination_file" ]; then
        local count=$(grep "|$ip|" "$coordination_file" | wc -l)
        echo "$count"
    else
        echo "0"
    fi
 }
 ################################################################################
 # Threat Intelligence Summary
 ################################################################################
 # Get comprehensive threat intelligence for an IP
 get_threat_intelligence() {
    local ip="$1"
    local abuse_data=$(check_abuseipdb "$ip" 2>/dev/null || echo "0|0|Unknown|Unknown")
    local geo=$(get_country_code "$ip" 2>/dev/null || echo "XX")
    local timing=$(analyze_timing_pattern "$ip" 2>/dev/null || echo "unknown")
    local whitelisted="no"
    is_whitelisted_service "$ip" && whitelisted="yes"
    # Format: abuse_confidence|abuse_reports|country|isp|timing_pattern|whitelisted
    echo "${abuse_data}|${geo}|${timing}|${whitelisted}"
 }
 # Export functions for use in other scripts
 export -f check_abuseipdb
 export -f get_country_code
 export -f is_high_risk_country
 export -f is_whitelisted_service
 export -f add_to_whitelist
 export -f analyze_timing_pattern
 export -f record_attack_pattern
 export -f matches_known_pattern
 export -f get_server_load
 export -f is_server_stressed
 export -f generate_incident_report
 export -f share_threat_data
 export -f check_shared_threats
 export -f get_threat_intelligence
@@ -12,6 +12,12 @@ if [ -z "$TOOLKIT_BASE_DIR" ]; then
    source "$SCRIPT_DIR/system-detect.sh"
 fi
 # Initialize temp session directory if not set
 if [ -z "$TEMP_SESSION_DIR" ]; then
    TEMP_SESSION_DIR="/tmp/server-toolkit-$$"
    mkdir -p "$TEMP_SESSION_DIR" 2>/dev/null
 fi
 #############################################################################
 # USER LISTING (Control Panel Specific)
 #############################################################################
@@ -58,8 +64,15 @@ list_interworx_users() {
    if [ -x "/usr/local/interworx/bin/listaccounts.pex" ]; then
        /usr/local/interworx/bin/listaccounts.pex --output user 2>/dev/null
    else
-        # Fallback: parse InterWorx config
+        # Fallback: Parse Apache vhost configs for SuexecUserGroup directives
-        find /home -maxdepth 1 -type d -name "*.conf" 2>/dev/null | xargs -I {} basename {} .conf
+        # Each InterWorx account has vhost files in /etc/httpd/conf.d/
        if [ -d "/etc/httpd/conf.d" ]; then
            grep -h "^[[:space:]]*SuexecUserGroup" /etc/httpd/conf.d/vhost_*.conf 2>/dev/null | \
                awk '{print $2}' | sort -u
        else
            # Last resort: list /home directories (may include non-InterWorx users)
            find /home -maxdepth 1 -type d ! -name "home" ! -name "interworx" -printf "%f\n" 2>/dev/null | sort
        fi
    fi
 }
@@ -75,24 +88,21 @@ list_system_users() {
 get_user_info() {
    local username="$1"
    local info_file="${TEMP_SESSION_DIR}/user_${username}_info.tmp"
    case "$SYS_CONTROL_PANEL" in
        cpanel)
-            get_cpanel_user_info "$username" > "$info_file"
+            get_cpanel_user_info "$username"
            ;;
        plesk)
-            get_plesk_user_info "$username" > "$info_file"
+            get_plesk_user_info "$username"
            ;;
        interworx)
-            get_interworx_user_info "$username" > "$info_file"
+            get_interworx_user_info "$username"
            ;;
        *)
-            get_system_user_info "$username" > "$info_file"
+            get_system_user_info "$username"
            ;;
    esac
    cat "$info_file"
 }
 # cPanel user info
@@ -157,10 +167,40 @@ get_interworx_user_info() {
        return 1
    fi
    # Try to get primary domain from listaccounts.pex first
    local primary_domain=""
    if [ -x "/usr/local/interworx/bin/listaccounts.pex" ]; then
        primary_domain=$(/usr/local/interworx/bin/listaccounts.pex 2>/dev/null | \
            awk -v user="$username" '$1 == user {print $2; exit}')
    fi
    # Fallback: Parse vhost configs to find primary domain
    if [ -z "$primary_domain" ]; then
        primary_domain=$(grep -l "SuexecUserGroup ${username}" /etc/httpd/conf.d/vhost_*.conf 2>/dev/null | \
            head -1 | sed 's|.*/vhost_||; s|\.conf$||')
    fi
    # Get all domains for this user from vhost configs
    local all_domains=$(grep -l "SuexecUserGroup ${username}" /etc/httpd/conf.d/vhost_*.conf 2>/dev/null | \
        sed 's|.*/vhost_||; s|\.conf$||' | tr '\n' ' ' | sed 's/[[:space:]]*$//')
    # Get disk usage
    local disk_used=$(du -sh "$home_dir" 2>/dev/null | awk '{print $1}')
    # Try to get email from NodeWorx API (if available)
    # Note: This requires nodeworx CLI which may need authentication
    local email=""
    if [ -x "/usr/local/interworx/bin/nodeworx.pex" ] && [ -n "$primary_domain" ]; then
        email=$(nodeworx -u -n -c Siteworx -a listAccounts 2>/dev/null | \
            grep -A20 "\"domain\" => \"$primary_domain\"" | \
            grep "\"email\"" | head -1 | sed 's/.*=> "\(.*\)".*/\1/')
    fi
    echo "USER_EXISTS=yes"
    echo "USERNAME=$username"
    echo "PRIMARY_DOMAIN=$primary_domain"
    echo "ALL_DOMAINS=$all_domains"
    echo "EMAIL=${email:-unknown}"
    echo "HOME_DIR=$home_dir"
    echo "DISK_USED=$disk_used"
 }
@@ -230,8 +270,19 @@ get_plesk_user_domains() {
 get_interworx_user_domains() {
    local username="$1"
    # Method 1: Use listaccounts.pex to get primary domain
    if [ -x "/usr/local/interworx/bin/listaccounts.pex" ]; then
-        /usr/local/interworx/bin/listaccounts.pex --user "$username" --output domain 2>/dev/null
+        /usr/local/interworx/bin/listaccounts.pex 2>/dev/null | \
            awk -v user="$username" '$1 == user {print $2}'
    fi
    # Method 2: Parse vhost configs to get ALL domains (primary + secondary/addon)
    # InterWorx creates vhost_domain.conf for each domain, with SuexecUserGroup directive
    if [ -d "/etc/httpd/conf.d" ]; then
        grep -l "SuexecUserGroup ${username}" /etc/httpd/conf.d/vhost_*.conf 2>/dev/null | \
            sed 's|.*/vhost_||; s|\.conf$||' | \
            grep -v "^${username}\." | \
            sort -u
    fi
 }
@@ -277,8 +328,33 @@ get_plesk_user_databases() {
 get_interworx_user_databases() {
    local username="$1"
-    # InterWorx databases typically follow pattern: username_dbname
+    # InterWorx uses the first 8 characters of the PRIMARY DOMAIN as database prefix
-    mysql -e "SHOW DATABASES" 2>/dev/null | grep "^${username}_" || true
+    # NOT the username! (e.g., domain example.com → prefix: examplec_)
    # Get primary domain for this user
    local primary_domain=""
    if [ -x "/usr/local/interworx/bin/listaccounts.pex" ]; then
        primary_domain=$(/usr/local/interworx/bin/listaccounts.pex 2>/dev/null | \
            awk -v user="$username" '$1 == user {print $2; exit}')
    fi
    # Fallback: try to find from vhost configs
    if [ -z "$primary_domain" ]; then
        primary_domain=$(grep -l "SuexecUserGroup ${username}" /etc/httpd/conf.d/vhost_*.conf 2>/dev/null | \
            head -1 | sed 's|.*/vhost_||; s|\.conf$||')
    fi
    if [ -z "$primary_domain" ]; then
        # No domain found, try username pattern as last resort
        mysql -e "SHOW DATABASES" 2>/dev/null | grep "^${username}_" || true
        return
    fi
    # Get first 8 characters of domain (removing dots) as database prefix
    local db_prefix=$(echo "$primary_domain" | sed 's/\.//g' | cut -c1-8)
    # Query MySQL for databases with this prefix
    mysql -e "SHOW DATABASES" 2>/dev/null | grep "^${db_prefix}_" || true
 }
 #############################################################################
@@ -0,0 +1,268 @@
 #!/bin/bash
 ################################################################################
 # Acronis Agent Status Checker
 ################################################################################
 # Purpose: Check status of all Acronis Cyber Protect services
 # Services monitored:
 # - aakore (Acronis Agent Core)
 # - acronis_mms (Management Service)
 # - acronis_schedule (Scheduler)
 # - active-protection.service (Ransomware Protection)
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 # Require root
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 print_banner "Acronis Agent Status"
 echo ""
 echo -e "${BOLD}Checking Acronis Cyber Protect Services...${NC}"
 echo ""
 # Array of services to check
 declare -a SERVICES=(
    "aakore:Acronis Agent Core"
    "acronis_mms:Management Service"
    "acronis_schedule:Backup Scheduler"
    "active-protection:Ransomware Protection"
 )
 # Track overall status
 all_running=true
 any_installed=false
 # Function to check service status
 check_service_status() {
    local service_name="$1"
    local service_desc="$2"
    # Check if service exists
    if systemctl list-unit-files | grep -q "^${service_name}.service"; then
        any_installed=true
        # Get service status
        if systemctl is-active --quiet "$service_name"; then
            echo -e "  ${GREEN}●${NC} ${BOLD}${service_desc}${NC}"
            echo -e "     Status: ${GREEN}RUNNING${NC}"
            # Get uptime
            local uptime=$(systemctl show "$service_name" -p ActiveEnterTimestamp --value)
            if [ -n "$uptime" ]; then
                echo -e "     Uptime: ${uptime}"
            fi
            # Get PID
            local pid=$(systemctl show "$service_name" -p MainPID --value)
            if [ "$pid" != "0" ]; then
                echo -e "     PID:    ${pid}"
            fi
        else
            all_running=false
            echo -e "  ${RED}●${NC} ${BOLD}${service_desc}${NC}"
            echo -e "     Status: ${RED}STOPPED${NC}"
            # Check if failed
            if systemctl is-failed --quiet "$service_name"; then
                echo -e "     ${RED}[FAILED]${NC} - Service has errors"
            fi
        fi
        echo ""
    elif service "$service_name" status &>/dev/null; then
        # Fallback to service command for older systems
        any_installed=true
        if service "$service_name" status | grep -q "running"; then
            echo -e "  ${GREEN}●${NC} ${BOLD}${service_desc}${NC}"
            echo -e "     Status: ${GREEN}RUNNING${NC}"
        else
            all_running=false
            echo -e "  ${RED}●${NC} ${BOLD}${service_desc}${NC}"
            echo -e "     Status: ${RED}STOPPED${NC}"
        fi
        echo ""
    fi
 }
 # Check each service
 for service_entry in "${SERVICES[@]}"; do
    IFS=':' read -r service_name service_desc <<< "$service_entry"
    check_service_status "$service_name" "$service_desc"
 done
 # Check if Acronis is even installed
 if [ "$any_installed" = false ]; then
    echo -e "${YELLOW}${BOLD}⚠ Acronis Agent Not Installed${NC}"
    echo ""
    echo "Acronis Cyber Protect is not installed on this system."
    echo ""
    echo "To install:"
    echo "  1. Return to Backup & Recovery menu"
    echo "  2. Select 'Acronis Management'"
    echo "  3. Choose 'Install Acronis Agent'"
    echo ""
    press_enter
    exit 0
 fi
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 # Overall status summary
 if [ "$all_running" = true ]; then
    echo -e "${GREEN}${BOLD}✓ All Services Running${NC}"
    echo ""
    echo "Acronis Cyber Protect is operational and ready for backups."
 else
    echo -e "${YELLOW}${BOLD}⚠ Some Services Not Running${NC}"
    echo ""
    echo "Some Acronis services are stopped. You may want to:"
    echo "  • Start services: Select 'Service Management' from Acronis menu"
    echo "  • Check logs: Select 'View Logs' for error details"
    echo "  • Restart services: Try restarting all services"
 fi
 echo ""
 # Check agent registration status
 echo -e "${BOLD}Agent Registration:${NC}"
 if [ -f "/var/lib/Acronis/BackupAndRecovery/MMS/user.config" ]; then
    # Check for registration info in user.config
    if grep -q "<registration>" "/var/lib/Acronis/BackupAndRecovery/MMS/user.config" 2>/dev/null; then
        reg_address=$(grep -oP '<address>\K[^<]+' /var/lib/Acronis/BackupAndRecovery/MMS/user.config 2>/dev/null)
        reg_env=$(grep -oP '<environment>\K[^<]+' /var/lib/Acronis/BackupAndRecovery/MMS/user.config 2>/dev/null)
        if [ -n "$reg_address" ]; then
            echo -e "  ${GREEN}✓${NC} Agent is registered with Acronis Cloud"
            echo -e "  URL: ${reg_address}"
            [ -n "$reg_env" ] && echo -e "  Environment: ${reg_env}"
        else
            echo -e "  ${YELLOW}⚠${NC} Registration incomplete"
        fi
    else
        echo -e "  ${YELLOW}⚠${NC} Agent not registered"
    fi
 else
    echo -e "  ${YELLOW}⚠${NC} Configuration file not found"
 fi
 echo ""
 # Check active ports
 echo -e "${BOLD}Network Connectivity:${NC}"
 # Check for actual Acronis listening ports (deduplicate IPv4/IPv6)
 acronis_ports=$(netstat -tlnp 2>/dev/null | grep -E "(acronis|mms|aakore)" | awk '{
    split($4, addr, ":");
    port = addr[length(addr)];
    if (!seen[port]++) {
        print $4 " " $7;
    }
 }')
 if [ -n "$acronis_ports" ]; then
    echo "Active Acronis services:"
    echo "$acronis_ports" | while read -r addr process; do
        port=$(echo "$addr" | grep -oP ':\K[0-9]+$')
        if echo "$addr" | grep -q "127.0.0.1\|::1"; then
            # Local-only port
            if [ "$port" = "9850" ]; then
                echo -e "  ${GREEN}✓${NC} Port $port (localhost) - MMS Service"
            else
                echo -e "  ${GREEN}✓${NC} Port $port (localhost) - $(basename "$process" | cut -d/ -f2)"
            fi
        else
            echo -e "  ${GREEN}✓${NC} Port $port - $(basename "$process" | cut -d/ -f2)"
        fi
    done
 else
    echo -e "  ${YELLOW}⚠${NC} No Acronis ports detected"
 fi
 echo ""
 # Check outbound connectivity to cloud (port 443)
 echo ""
 echo -e "${BOLD}Cloud Connectivity Test:${NC}"
 if command -v curl >/dev/null 2>&1; then
    reg_url=$(grep -oP '<address>\K[^<]+' /var/lib/Acronis/BackupAndRecovery/MMS/user.config 2>/dev/null)
    if [ -n "$reg_url" ]; then
        echo -n "  Testing ${reg_url}... "
        http_code=$(timeout 5 curl -s -o /dev/null -w "%{http_code}" "$reg_url" 2>/dev/null)
        if [ "$http_code" -ge 200 ] && [ "$http_code" -lt 500 ]; then
            echo -e "${GREEN}✓ Reachable${NC} (HTTP $http_code)"
        else
            echo -e "${RED}✗ Unreachable${NC}"
            echo -e "  ${YELLOW}⚠${NC} Cannot reach Acronis cloud (firewall/network issue)"
            echo "  • Check internet connectivity"
            echo "  • Verify firewall allows HTTPS (port 443)"
            echo "  • Test manually: curl -I $reg_url"
        fi
    else
        echo -e "  ${YELLOW}⚠${NC} Cloud URL not found in config"
    fi
 else
    echo -e "  ${YELLOW}⚠${NC} curl not installed (cannot test connectivity)"
 fi
 echo ""
 # Check cloud storage quota
 echo -e "${BOLD}Cloud Backup Storage:${NC}"
 if command -v acrocmd >/dev/null 2>&1; then
    vault_info=$(acrocmd list vaults 2>/dev/null | tail -n +3 | head -1)
    if [ -n "$vault_info" ]; then
        # Extract storage info from vault output
        vault_name=$(echo "$vault_info" | awk '{print $1}')
        vault_free_val=$(echo "$vault_info" | awk '{print $4}')
        vault_free_unit=$(echo "$vault_info" | awk '{print $5}')
        vault_occupied=$(echo "$vault_info" | awk '{print $6, $7}')
        echo -e "  Vault:        ${vault_name}"
        echo -e "  Available:    ${vault_free_val} ${vault_free_unit}"
        # Show occupied if available, otherwise note it's not synced
        if [ "$vault_occupied" != "0 GB" ]; then
            echo -e "  Used:         ${vault_occupied}"
        else
            echo -e "  Used:         ${DIM}(Check web console for accurate usage)${NC}"
        fi
    else
        echo -e "  ${YELLOW}⚠${NC} No vault information available"
        echo -e "  ${DIM}(Cloud storage visible after first backup)${NC}"
    fi
 else
    echo -e "  ${YELLOW}⚠${NC} acrocmd not available"
 fi
 echo ""
 # Check local disk space
 echo -e "${BOLD}Local Storage Status:${NC}"
 if [ -d "/var/lib/Acronis" ]; then
    backup_dir_size=$(du -sh /var/lib/Acronis 2>/dev/null | awk '{print $1}')
    echo -e "  Agent data:   ${backup_dir_size} (local cache/logs/config)"
    # Check free space on partition
    free_space=$(df -h /var/lib/Acronis | tail -1 | awk '{print $4}')
    use_percent=$(df -h /var/lib/Acronis | tail -1 | awk '{print $5}' | tr -d '%')
    echo -e "  Free space:   ${free_space} (on root partition)"
    if [ -n "$use_percent" ] && [ "$use_percent" -gt 90 ] 2>/dev/null; then
        echo -e "  ${RED}⚠ Warning: Disk usage at ${use_percent}%${NC}"
    fi
 fi
 echo ""
 press_enter
@@ -0,0 +1,103 @@
 #!/bin/bash
 ################################################################################
 # Acronis Backup Manager
 ################################################################################
 # Purpose: Main interface for Acronis backup operations
 # Features:
 # - List backups and archives
 # - Trigger manual backups
 # - View backup schedules
 # - Monitor backup/recovery status
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 # Check if Acronis is installed
 if ! systemctl list-unit-files | grep -q "acronis_mms.service"; then
    print_error "Acronis is not installed"
    echo ""
    echo "Install Acronis first from the Acronis menu."
    echo ""
    press_enter
    exit 1
 fi
 # Check if acrocmd is available
 if [ ! -f "/usr/sbin/acrocmd" ]; then
    print_error "acrocmd command-line tool not found"
    echo ""
    echo "This may indicate an incomplete Acronis installation."
    echo ""
    press_enter
    exit 1
 fi
 while true; do
    clear
    print_banner "Backup Management"
    echo ""
    echo -e "${BOLD}Agent Management${NC}"
    echo -e "  ${YELLOW}1)${NC} Check Agent Status"
    echo -e "  ${YELLOW}2)${NC} View Agent Logs"
    echo ""
    echo -e "${BOLD}Backup Operations${NC}"
    echo -e "  ${YELLOW}3)${NC} List Backups & Archives"
    echo -e "  ${YELLOW}4)${NC} Trigger Manual Backup"
    echo -e "  ${YELLOW}5)${NC} Check Backup Status"
    echo ""
    echo -e "${BOLD}Plan Management${NC}"
    echo -e "  ${YELLOW}6)${NC} View Backup Plans/Schedules"
    echo -e "  ${YELLOW}7)${NC} Manage Protection Plans"
    echo ""
    echo -e "${BOLD}Restore Operations${NC}"
    echo -e "  ${YELLOW}8)${NC} Restore from Backup (Future)"
    echo ""
    echo -e "  ${YELLOW}0)${NC} Return to Acronis Menu"
    echo ""
    echo -n "Select option: "
    read -r choice
    case "$choice" in
        1)
            bash "$SCRIPT_DIR/modules/backup/acronis-agent-status.sh"
            ;;
        2)
            bash "$SCRIPT_DIR/modules/backup/acronis-logs.sh"
            ;;
        3)
            bash "$SCRIPT_DIR/modules/backup/acronis-list-backups.sh"
            ;;
        4)
            bash "$SCRIPT_DIR/modules/backup/acronis-trigger-backup.sh"
            ;;
        5)
            bash "$SCRIPT_DIR/modules/backup/acronis-backup-status.sh"
            ;;
        6)
            bash "$SCRIPT_DIR/modules/backup/acronis-schedule-viewer.sh"
            ;;
        7)
            bash "$SCRIPT_DIR/modules/backup/acronis-plan-manager.sh"
            ;;
        8)
            bash "$SCRIPT_DIR/modules/backup/acronis-restore.sh"
            ;;
        0)
            exit 0
            ;;
        *)
            echo ""
            print_error "Invalid option"
            sleep 1
            ;;
    esac
 done
@@ -0,0 +1,118 @@
 #!/bin/bash
 ################################################################################
 # Acronis Backup Status
 ################################################################################
 # Purpose: Check status of backup operations using acrocmd
 # Features:
 # - Show active/running backups
 # - Display recent backup history
 # - Show backup task status
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 clear
 print_banner "Backup Status"
 echo ""
 # Check if acrocmd is available
 if [ ! -f "/usr/sbin/acrocmd" ]; then
    print_error "acrocmd command-line tool not found"
    echo ""
    press_enter
    exit 1
 fi
 # Show active/running tasks
 echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
 echo -e "${BOLD}Active Backup Tasks${NC}"
 echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
 echo ""
 task_output=$(/usr/sbin/acrocmd list tasks 2>&1)
 if echo "$task_output" | grep -qi "no.*tasks\|error"; then
    echo -e "${GREEN}✓${NC} No active backup tasks running"
 else
    echo "$task_output"
 fi
 echo ""
 # Show recent activities
 echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
 echo -e "${BOLD}Recent Backup Activities${NC}"
 echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
 echo ""
 activity_output=$(/usr/sbin/acrocmd list activities 2>&1)
 if echo "$activity_output" | grep -qi "no.*activities\|error"; then
    echo -e "${YELLOW}No recent backup activities found${NC}"
    echo ""
    echo "This may indicate:"
    echo "  • No backups have been run yet"
    echo "  • Agent needs registration"
    echo "  • No backup plans configured"
 else
    echo "$activity_output" | tail -20
 fi
 echo ""
 # Parse logs for backup status
 if [ -f "/var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log" ]; then
    echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
    echo -e "${BOLD}Log Summary${NC}"
    echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
    echo ""
    # Count recent backup events
    log_file="/var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log"
    completed=$(grep -ic "backup.*completed\|backup.*success" "$log_file" 2>/dev/null || echo "0")
    failed=$(grep -ic "backup.*failed\|backup.*error" "$log_file" 2>/dev/null || echo "0")
    started=$(grep -ic "backup.*started\|backup.*begin" "$log_file" 2>/dev/null || echo "0")
    echo "Backup Statistics (from current log):"
    echo "  • Started:   $started"
    echo "  • Completed: $completed"
    echo "  • Failed:    $failed"
    echo ""
    # Show last 5 backup-related events
    echo "Recent Events:"
    echo ""
    grep -i "backup" "$log_file" 2>/dev/null | tail -5 | while read -r line; do
        # Highlight status
        if echo "$line" | grep -qi "success\|completed"; then
            echo -e "  ${GREEN}✓${NC} $line"
        elif echo "$line" | grep -qi "fail\|error"; then
            echo -e "  ${RED}✗${NC} $line"
        else
            echo "  → $line"
        fi
    done
 fi
 echo ""
 echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
 echo ""
 echo -e "${BOLD}Options:${NC}"
 echo ""
 echo "  • View full logs: Select 'View Agent Logs' from menu"
 echo "  • Trigger backup: Select 'Trigger Manual Backup'"
 echo "  • Troubleshoot: Use 'Troubleshoot Backups' for diagnostics"
 echo ""
 press_enter
@@ -0,0 +1,54 @@
 #!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 print_banner "Configure Backup Plans"
 echo ""
 echo -e "${BOLD}Acronis Backup Plan Configuration${NC}"
 echo ""
 echo "Backup plans are configured through the Acronis web console."
 echo ""
 echo -e "${CYAN}Steps to configure backup plans:${NC}"
 echo ""
 echo "1. Log in to your Acronis web console"
 echo "   → https://us5-cloud.acronis.com (or your region)"
 echo ""
 echo "2. Navigate to: Devices → All devices"
 echo ""
 echo "3. Find this server in the device list"
 echo ""
 echo "4. Click on the device and select 'Protection'"
 echo ""
 echo "5. Click 'Add plan' and configure:"
 echo "   • Backup source (files, folders, system)"
 echo "   • Backup schedule (hourly, daily, weekly)"
 echo "   • Retention policy (how long to keep backups)"
 echo "   • Backup location (cloud or local)"
 echo ""
 echo "6. Apply the plan to this device"
 echo ""
 echo -e "${BOLD}Common Backup Plans:${NC}"
 echo ""
 echo "  • Full Server Backup"
 echo "    → Entire system image for disaster recovery"
 echo ""
 echo "  • cPanel Accounts"
 echo "    → /home/* directories for user data"
 echo ""
 echo "  • Databases"
 echo "    → MySQL/MariaDB databases with consistent snapshots"
 echo ""
 echo "  • Configuration Files"
 echo "    → /etc and other critical configs"
 echo ""
 echo "  • Web Files"
 echo "    → /home/*/public_html websites"
 echo ""
 press_enter
@@ -0,0 +1,361 @@
 #!/bin/bash
 ################################################################################
 # Acronis Agent Installer
 ################################################################################
 # Purpose: Download and install Acronis Cyber Protect agent
 # Supports:
 # - Interactive installation with prompts
 # - Unattended installation (-a flag)
 # - Skip registration (--skip-registration)
 # - Install with token (--token=xxx)
 # - Custom service URL (--rain=xxx)
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 # Require root
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 print_banner "Acronis Agent Installation"
 # Check if already installed
 if systemctl list-unit-files | grep -q "acronis_mms.service"; then
    echo ""
    echo -e "${YELLOW}${BOLD}⚠ Acronis Already Installed${NC}"
    echo ""
    echo "Acronis Cyber Protect agent is already installed on this system."
    echo ""
    echo -n "Do you want to reinstall/upgrade? (yes/no): "
    read -r reinstall
    if [ "$reinstall" != "yes" ]; then
        echo "Installation cancelled"
        press_enter
        exit 0
    fi
 fi
 echo ""
 echo -e "${BOLD}Acronis Cyber Protect Agent Installation${NC}"
 echo ""
 echo "This will download and install the latest Acronis agent for Linux (x86_64)."
 echo ""
 echo -e "${CYAN}Installation Options:${NC}"
 echo ""
 echo "  1) Interactive installation (default)"
 echo "  2) Unattended installation (auto-accept)"
 echo "  3) Install and register with token"
 echo "  4) Install without registration"
 echo "  5) Advanced/Custom installation (specify all flags)"
 echo ""
 echo -n "Select installation mode [1]: "
 read -r install_mode
 install_mode="${install_mode:-1}"
 # Build installation flags
 INSTALL_FLAGS=""
 SERVICE_URL="us5-cloud.acronis.com"
 REGISTRATION_TOKEN=""
 case "$install_mode" in
    2)
        INSTALL_FLAGS="-a"
        echo ""
        echo "Mode: Unattended installation"
        ;;
    3)
        INSTALL_FLAGS="-a"
        echo ""
        echo -e "${BOLD}Register During Installation${NC}"
        echo ""
        echo "Paste your Acronis registration token below."
        echo "To get a token:"
        echo "  1. Log in to Acronis web console"
        echo "  2. Go to: Settings → Registration tokens"
        echo "  3. Create token or copy existing one"
        echo ""
        echo -n "Registration token: "
        read -r REGISTRATION_TOKEN
        # Allow pasting multi-line or trimming whitespace
        REGISTRATION_TOKEN=$(echo "$REGISTRATION_TOKEN" | tr -d '[:space:]')
        if [ -z "$REGISTRATION_TOKEN" ]; then
            print_error "Token is required for this mode"
            press_enter
            exit 1
        fi
        INSTALL_FLAGS="$INSTALL_FLAGS --token=$REGISTRATION_TOKEN"
        echo ""
        echo "Mode: Install with registration token"
        ;;
    4)
        INSTALL_FLAGS="-a --skip-registration"
        echo ""
        echo "Mode: Install without registration"
        ;;
    5)
        # Advanced/Custom mode
        echo ""
        echo -e "${BOLD}Advanced Installation${NC}"
        echo ""
        echo "Build custom installation flags by selecting options."
        echo ""
        # Unattended mode
        echo -n "Unattended install (auto-accept)? (y/n) [y]: "
        read -r use_unattended
        use_unattended="${use_unattended:-y}"
        if [ "$use_unattended" = "y" ]; then
            INSTALL_FLAGS="$INSTALL_FLAGS -a"
        fi
        # Registration options
        echo ""
        echo "Registration:"
        echo "  1) Register with token during install"
        echo "  2) Skip registration (register later)"
        echo "  3) Interactive (installer will prompt)"
        echo -n "Select [3]: "
        read -r reg_choice
        reg_choice="${reg_choice:-3}"
        if [ "$reg_choice" = "1" ]; then
            echo ""
            echo "Paste your Acronis registration token:"
            echo "(Spaces and line breaks will be automatically removed)"
            echo ""
            read -r REGISTRATION_TOKEN
            REGISTRATION_TOKEN=$(echo "$REGISTRATION_TOKEN" | tr -d '[:space:]')
            if [ -n "$REGISTRATION_TOKEN" ]; then
                INSTALL_FLAGS="$INSTALL_FLAGS --token=$REGISTRATION_TOKEN"
            else
                print_error "Token cannot be empty"
                press_enter
                exit 1
            fi
        elif [ "$reg_choice" = "2" ]; then
            INSTALL_FLAGS="$INSTALL_FLAGS --skip-registration"
        fi
        # Additional flags
        echo ""
        echo -e "${BOLD}Additional Options:${NC}"
        echo ""
        # Verbose logging
        echo -n "Enable verbose logging? (y/n) [n]: "
        read -r use_verbose
        if [ "$use_verbose" = "y" ]; then
            INSTALL_FLAGS="$INSTALL_FLAGS --verbose"
        fi
        # Custom flags
        echo ""
        echo "Enter any additional custom flags (or press Enter to skip):"
        echo "Examples: --proxy=http://proxy:8080, --language=en, etc."
        echo ""
        echo -n "Custom flags: "
        read -r custom_flags
        if [ -n "$custom_flags" ]; then
            INSTALL_FLAGS="$INSTALL_FLAGS $custom_flags"
        fi
        echo ""
        echo "Mode: Advanced/Custom installation"
        ;;
    *)
        echo ""
        echo "Mode: Interactive installation"
        ;;
 esac
 # Ask for service URL (for all modes except skip-registration)
 if [[ "$INSTALL_FLAGS" != *"--skip-registration"* ]]; then
    echo ""
    echo -e "${BOLD}Acronis Cloud Region${NC}"
    echo ""
    echo "Common regions:"
    echo "  • us5-cloud.acronis.com (US - Default)"
    echo "  • eu2-cloud.acronis.com (Europe)"
    echo "  • ap1-cloud.acronis.com (Asia Pacific)"
    echo "  • ca1-cloud.acronis.com (Canada)"
    echo ""
    echo -n "Enter service URL [us5-cloud.acronis.com]: "
    read -r input_url
    if [ -n "$input_url" ]; then
        SERVICE_URL="$input_url"
    fi
    # Add --rain flag if token is being used
    if [[ "$INSTALL_FLAGS" == *"--token"* ]]; then
        INSTALL_FLAGS="$INSTALL_FLAGS --rain=$SERVICE_URL"
    fi
 fi
 echo ""
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 echo -e "${BOLD}Installation Summary:${NC}"
 echo ""
 echo "  Download URL:    https://${SERVICE_URL}/bc/api/ams/links/agents/redirect"
 echo "  Architecture:    x86_64 (64-bit)"
 echo "  Install flags:   ${INSTALL_FLAGS:-none}"
 echo "  Service URL:     ${SERVICE_URL}"
 [ -n "$REGISTRATION_TOKEN" ] && echo "  Token:           ********"
 echo ""
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 echo -n "Proceed with installation? (yes/no): "
 read -r confirm
 if [[ ! "$confirm" =~ ^[Yy]([Ee][Ss])?$ ]]; then
    echo ""
    print_error "Installation cancelled"
    press_enter
    exit 0
 fi
 echo ""
 echo -e "${BOLD}Starting Installation...${NC}"
 echo ""
 # Create download directory in toolkit folder
 DOWNLOAD_DIR="$SCRIPT_DIR/downloads"
 mkdir -p "$DOWNLOAD_DIR"
 cd "$DOWNLOAD_DIR" || exit 1
 # Use timestamped subdirectory for this installation
 INSTALL_DIR="$DOWNLOAD_DIR/acronis-install-$(date +%Y%m%d-%H%M%S)"
 mkdir -p "$INSTALL_DIR"
 cd "$INSTALL_DIR" || exit 1
 # Download installer
 echo "→ Downloading Acronis agent installer..."
 DOWNLOAD_URL="https://${SERVICE_URL}/bc/api/ams/links/agents/redirect?language=multi&system=linux&architecture=64&productType=enterprise"
 if wget -q --show-progress "$DOWNLOAD_URL" -O "Cyber_Protection_Agent_for_Linux_x86_64.bin"; then
    print_success "Download complete"
 else
    print_error "Download failed"
    echo ""
    echo "Possible causes:"
    echo "  • No internet connection"
    echo "  • Invalid service URL: ${SERVICE_URL}"
    echo "  • Firewall blocking connection"
    echo ""
    press_enter
    cd /
    rm -rf "$TEMP_DIR"
    exit 1
 fi
 echo ""
 # Make executable
 chmod +x "Cyber_Protection_Agent_for_Linux_x86_64.bin" 2>/dev/null
 # Verify file exists and has size
 if [ ! -f "Cyber_Protection_Agent_for_Linux_x86_64.bin" ]; then
    print_error "Installer file not found"
    cd /
    rm -rf "$TEMP_DIR"
    press_enter
    exit 1
 fi
 file_size=$(stat -c%s "Cyber_Protection_Agent_for_Linux_x86_64.bin" 2>/dev/null || echo "0")
 if [ "$file_size" -lt 1000000 ]; then
    print_error "Installer file is too small (possibly corrupted)"
    cd /
    rm -rf "$TEMP_DIR"
    press_enter
    exit 1
 fi
 # Run installer
 echo "→ Running Acronis installer..."
 echo ""
 echo -e "${DIM}──────────────────────────────────────────────────────────────${NC}"
 if [ -z "$INSTALL_FLAGS" ]; then
    # Interactive mode - run directly
    ./Cyber_Protection_Agent_for_Linux_x86_64.bin
 else
    # Unattended mode - need to pass flags properly
    ./Cyber_Protection_Agent_for_Linux_x86_64.bin $INSTALL_FLAGS
 fi
 INSTALL_EXIT_CODE=$?
 echo -e "${DIM}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 # Check installation result
 if [ $INSTALL_EXIT_CODE -eq 0 ]; then
    print_success "Installation completed successfully!"
    echo ""
    # Start services
    echo "→ Starting Acronis services..."
    systemctl start aakore
    systemctl start acronis_mms
    systemctl start acronis_schedule
    echo ""
    # Check if services started
    sleep 2
    if systemctl is-active --quiet acronis_mms; then
        print_success "Services started successfully"
        echo ""
        # Show next steps
        echo -e "${BOLD}Next Steps:${NC}"
        echo ""
        if [ "$install_mode" = "4" ]; then
            echo "  1. Register the agent with Acronis Cloud"
            echo "     → Select 'Register with Cloud' from Acronis menu"
            echo ""
        fi
        echo "  2. Configure backup plans in Acronis web console"
        echo "     → Visit: https://${SERVICE_URL}"
        echo ""
        echo "  3. Check agent status"
        echo "     → Select 'Check Agent Status' from Acronis menu"
        echo ""
    else
        print_error "Services failed to start"
        echo ""
        echo "Check logs for details:"
        echo "  tail -f /var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log"
        echo ""
    fi
 else
    print_error "Installation failed with exit code $INSTALL_EXIT_CODE"
    echo ""
    echo "Check the output above for error details."
    echo ""
    echo "Common issues:"
    echo "  • Incompatible system (requires 64-bit Linux)"
    echo "  • Insufficient disk space"
    echo "  • Conflicting backup software"
    echo "  • Invalid registration token"
    echo ""
 fi
 # Cleanup
 echo "→ Cleaning up installation files..."
 cd "$SCRIPT_DIR"
 rm -rf "$INSTALL_DIR"
 echo ""
 press_enter
@@ -0,0 +1,76 @@
 #!/bin/bash
 ################################################################################
 # Acronis List Backups
 ################################################################################
 # Purpose: List all backups and archives using acrocmd
 # Features:
 # - Show backup archives
 # - Show backup versions
 # - Display backup details (size, date, location)
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 clear
 print_banner "List Backups & Archives"
 echo ""
 echo -e "${BOLD}Retrieving backup information...${NC}"
 echo ""
 # Check if acrocmd is available
 if [ ! -f "/usr/sbin/acrocmd" ]; then
    print_error "acrocmd command-line tool not found"
    echo ""
    press_enter
    exit 1
 fi
 # List archives
 echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
 echo -e "${BOLD}Backup Archives${NC}"
 echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
 echo ""
 if /usr/sbin/acrocmd list archives 2>/dev/null | grep -q .; then
    /usr/sbin/acrocmd list archives 2>/dev/null
 else
    echo -e "${YELLOW}No backup archives found${NC}"
    echo ""
    echo "Possible reasons:"
    echo "  • No backups have been created yet"
    echo "  • Agent not registered with Acronis Cloud"
    echo "  • No backup plans configured"
 fi
 echo ""
 echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
 echo -e "${BOLD}Backup Details${NC}"
 echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
 echo ""
 if /usr/sbin/acrocmd list backups 2>/dev/null | grep -q .; then
    /usr/sbin/acrocmd list backups 2>/dev/null
 else
    echo -e "${YELLOW}No backup details available${NC}"
 fi
 echo ""
 echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
 echo ""
 echo -e "${BOLD}Options:${NC}"
 echo ""
 echo "  • Create backups via 'Trigger Manual Backup'"
 echo "  • Configure plans in Acronis web console"
 echo "  • Check backup status for active operations"
 echo ""
 press_enter
@@ -0,0 +1,296 @@
 #!/bin/bash
 ################################################################################
 # Acronis Log Viewer
 ################################################################################
 # Purpose: View and tail Acronis Cyber Protect logs
 # Log location: /var/lib/Acronis/BackupAndRecovery/MMS/
 # Primary log: mms.0.log
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 # Require root
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 # Log directory
 LOG_DIR="/var/lib/Acronis/BackupAndRecovery/MMS"
 PRIMARY_LOG="$LOG_DIR/mms.0.log"
 print_banner "Acronis Logs Viewer"
 # Check if Acronis is installed
 if [ ! -d "$LOG_DIR" ]; then
    echo ""
    print_error "Acronis log directory not found"
    echo ""
    echo "Acronis may not be installed or logs are in a different location."
    echo ""
    press_enter
    exit 1
 fi
 echo ""
 echo -e "${BOLD}Acronis Log Management${NC}"
 echo ""
 echo "Log directory: ${LOG_DIR}"
 echo ""
 # Show log menu
 show_log_menu() {
    clear
    print_banner "Acronis Logs Viewer"
    echo ""
    echo -e "${BOLD}Available Logs:${NC}"
    echo ""
    # List all log files with sizes
    if [ -d "$LOG_DIR" ]; then
        local log_count=0
        while IFS= read -r log_file; do
            ((log_count++))
            local size=$(du -h "$log_file" 2>/dev/null | awk '{print $1}')
            local filename=$(basename "$log_file")
            local mod_time=$(stat -c %y "$log_file" 2>/dev/null | cut -d'.' -f1)
            echo -e "  ${CYAN}${log_count})${NC} ${filename}"
            echo -e "     Size: ${size} | Modified: ${mod_time}"
        done < <(find "$LOG_DIR" -name "*.log" -type f | sort)
        if [ $log_count -eq 0 ]; then
            echo -e "  ${DIM}No log files found${NC}"
        fi
    fi
    echo ""
    echo -e "${BOLD}Actions:${NC}"
    echo ""
    echo -e "  ${GREEN}v)${NC} View Primary Log (last 100 lines)"
    echo -e "  ${GREEN}t)${NC} Tail Primary Log (live follow)"
    echo -e "  ${GREEN}s)${NC} Search Logs"
    echo -e "  ${GREEN}e)${NC} Show Errors Only"
    echo -e "  ${GREEN}a)${NC} Archive Old Logs"
    echo ""
    echo -e "  ${RED}0)${NC} Return to Menu"
    echo ""
    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
    echo -n "Select option: "
 }
 # View primary log
 view_primary_log() {
    clear
    print_banner "Acronis Primary Log (Last 100 Lines)"
    echo ""
    if [ -f "$PRIMARY_LOG" ]; then
        tail -100 "$PRIMARY_LOG"
        echo ""
        echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
        echo ""
        press_enter
    else
        print_error "Primary log file not found: $PRIMARY_LOG"
        press_enter
    fi
 }
 # Tail primary log
 tail_primary_log() {
    clear
    print_banner "Acronis Live Log (Ctrl+C to Exit)"
    echo ""
    echo "Following: $PRIMARY_LOG"
    echo ""
    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
    echo ""
    if [ -f "$PRIMARY_LOG" ]; then
        tail -f "$PRIMARY_LOG"
    else
        print_error "Primary log file not found: $PRIMARY_LOG"
        press_enter
    fi
 }
 # Search logs
 search_logs() {
    clear
    print_banner "Search Acronis Logs"
    echo ""
    echo -n "Enter search term: "
    read -r search_term
    if [ -z "$search_term" ]; then
        print_error "No search term provided"
        press_enter
        return
    fi
    echo ""
    echo "Searching for: ${search_term}"
    echo ""
    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
    echo ""
    # Search all log files
    local found=false
    while IFS= read -r log_file; do
        if grep -qi "$search_term" "$log_file" 2>/dev/null; then
            found=true
            echo -e "${BOLD}$(basename "$log_file"):${NC}"
            grep -i --color=always "$search_term" "$log_file" | tail -20
            echo ""
        fi
    done < <(find "$LOG_DIR" -name "*.log" -type f)
    if [ "$found" = false ]; then
        echo "No matches found for: $search_term"
    fi
    echo ""
    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
    echo ""
    press_enter
 }
 # Show errors only
 show_errors() {
    clear
    print_banner "Acronis Errors (Last 50)"
    echo ""
    if [ -f "$PRIMARY_LOG" ]; then
        echo "Filtering for ERROR, WARN, FAIL, CRITICAL..."
        echo ""
        echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
        echo ""
        grep -iE "error|warn|fail|critical" "$PRIMARY_LOG" | tail -50 | while IFS= read -r line; do
            # Color code by severity
            if echo "$line" | grep -qi "critical"; then
                echo -e "${RED}${BOLD}${line}${NC}"
            elif echo "$line" | grep -qi "error"; then
                echo -e "${RED}${line}${NC}"
            elif echo "$line" | grep -qi "warn"; then
                echo -e "${YELLOW}${line}${NC}"
            else
                echo "$line"
            fi
        done
        echo ""
        echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
        echo ""
    else
        print_error "Primary log file not found"
    fi
    press_enter
 }
 # Archive old logs
 archive_old_logs() {
    clear
    print_banner "Archive Old Logs"
    echo ""
    # Calculate total size
    local total_size=$(du -sh "$LOG_DIR" 2>/dev/null | awk '{print $1}')
    local log_count=$(find "$LOG_DIR" -name "*.log" -type f | wc -l)
    echo "Current log status:"
    echo "  Directory: $LOG_DIR"
    echo "  Total size: $total_size"
    echo "  Log files: $log_count"
    echo ""
    # Find old logs (older than 30 days)
    local old_logs=$(find "$LOG_DIR" -name "*.log" -type f -mtime +30 2>/dev/null | wc -l)
    if [ $old_logs -eq 0 ]; then
        echo -e "${GREEN}✓ No old logs found (>30 days)${NC}"
        echo ""
        press_enter
        return
    fi
    echo "Found $old_logs log file(s) older than 30 days"
    echo ""
    echo "Archive location: /root/acronis-logs-archive-$(date +%Y%m%d).tar.gz"
    echo ""
    echo -n "Create archive and remove old logs? (yes/no): "
    read -r confirm
    if [ "$confirm" != "yes" ]; then
        echo ""
        echo "Archive cancelled"
        press_enter
        return
    fi
    echo ""
    echo "→ Creating archive..."
    # Create archive
    local archive_name="/root/acronis-logs-archive-$(date +%Y%m%d).tar.gz"
    if find "$LOG_DIR" -name "*.log" -type f -mtime +30 -print0 2>/dev/null | tar -czf "$archive_name" --null -T -; then
        print_success "Archive created: $archive_name"
        # Remove old logs
        echo ""
        echo "→ Removing old logs..."
        find "$LOG_DIR" -name "*.log" -type f -mtime +30 -delete 2>/dev/null
        local remaining=$(find "$LOG_DIR" -name "*.log" -type f | wc -l)
        echo ""
        print_success "Old logs archived and removed"
        echo ""
        echo "Remaining log files: $remaining"
    else
        print_error "Failed to create archive"
    fi
    echo ""
    press_enter
 }
 # Main loop
 while true; do
    show_log_menu
    read -r choice
    case $choice in
        v) view_primary_log ;;
        t) tail_primary_log ;;
        s) search_logs ;;
        e) show_errors ;;
        a) archive_old_logs ;;
        0) exit 0 ;;
        *)
            # Check if numeric selection for specific log file
            if [[ "$choice" =~ ^[0-9]+$ ]]; then
                log_files=($(find "$LOG_DIR" -name "*.log" -type f | sort))
                if [ $choice -gt 0 ] && [ $choice -le ${#log_files[@]} ]; then
                    selected_log="${log_files[$((choice-1))]}"
                    clear
                    print_banner "Log: $(basename "$selected_log")"
                    echo ""
                    tail -100 "$selected_log"
                    echo ""
                    press_enter
                else
                    print_error "Invalid log selection"
                    sleep 1
                fi
            else
                print_error "Invalid option"
                sleep 1
            fi
            ;;
    esac
 done
@@ -0,0 +1,42 @@
 #!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 print_banner "Create Manual Backup"
 echo ""
 echo -e "${BOLD}Manual Backup Creation${NC}"
 echo ""
 echo "Manual backups are triggered through the Acronis web console or CLI."
 echo ""
 echo -e "${CYAN}Web Console Method (Recommended):${NC}"
 echo ""
 echo "1. Log in to Acronis web console"
 echo "2. Go to: Devices → Select this server"
 echo "3. Click 'Back up now' button"
 echo "4. Monitor backup progress in real-time"
 echo ""
 echo -e "${CYAN}Command Line Method:${NC}"
 echo ""
 echo "Use the Acronis CLI tool (acrocmd):"
 echo ""
 echo "  # List available plans"
 echo "  acrocmd list plans"
 echo ""
 echo "  # Run backup for specific plan"
 echo "  acrocmd backup run --plan <plan_id>"
 echo ""
 echo "  # Create ad-hoc backup"
 echo "  acrocmd backup create --source /path/to/data --destination /backup/path"
 echo ""
 echo -e "${BOLD}Note:${NC} Detailed CLI backup functionality can be added here based on"
 echo "your specific requirements. Would you like me to implement the full"
 echo "CLI backup interface?"
 echo ""
 press_enter
@@ -0,0 +1,210 @@
 #!/bin/bash
 ################################################################################
 # Acronis Plan Manager
 ################################################################################
 # Purpose: Manage Acronis protection plans
 # Features:
 # - List protection plans
 # - View plan details
 # - Enable/disable plans
 # - Guidance for plan configuration
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 clear
 print_banner "Protection Plan Management"
 echo ""
 # Check if acrocmd is available
 if [ ! -f "/usr/sbin/acrocmd" ]; then
    print_error "acrocmd command-line tool not found"
    echo ""
    press_enter
    exit 1
 fi
 # List plans
 echo -e "${BOLD}Current Protection Plans${NC}"
 echo ""
 plan_output=$(/usr/sbin/acrocmd list plans 2>&1)
 if echo "$plan_output" | grep -qi "error\|no.*plans"; then
    echo -e "${YELLOW}No protection plans configured${NC}"
    HAS_PLANS=false
 else
    echo "$plan_output"
    HAS_PLANS=true
 fi
 echo ""
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 if [ "$HAS_PLANS" = true ]; then
    echo -e "${BOLD}Plan Management Options${NC}"
    echo ""
    echo "  1) View detailed plan information"
    echo "  2) Enable/disable plan"
    echo "  3) Delete plan"
    echo "  4) Create new plan (via web console)"
    echo "  0) Return"
    echo ""
    echo -n "Select option [0]: "
    read -r choice
    choice="${choice:-0}"
    case "$choice" in
        1)
            echo ""
            echo -n "Enter plan ID or name: "
            read -r plan_id
            if [ -n "$plan_id" ]; then
                echo ""
                echo -e "${BOLD}Plan Details:${NC}"
                echo ""
                /usr/sbin/acrocmd show plan "$plan_id" 2>&1 || {
                    echo ""
                    print_error "Could not retrieve plan details"
                    echo "Check that the plan ID/name is correct"
                }
            fi
            ;;
        2)
            echo ""
            echo -n "Enter plan ID to enable/disable: "
            read -r plan_id
            if [ -n "$plan_id" ]; then
                echo ""
                echo "  1) Enable plan"
                echo "  2) Disable plan"
                echo ""
                echo -n "Select [1]: "
                read -r action
                action="${action:-1}"
                if [ "$action" = "1" ]; then
                    /usr/sbin/acrocmd plan enable "$plan_id" 2>&1 && {
                        print_success "Plan enabled"
                    } || {
                        print_error "Failed to enable plan"
                    }
                else
                    /usr/sbin/acrocmd plan disable "$plan_id" 2>&1 && {
                        print_success "Plan disabled"
                    } || {
                        print_error "Failed to disable plan"
                    }
                fi
            fi
            ;;
        3)
            echo ""
            echo -e "${RED}${BOLD}Delete Protection Plan${NC}"
            echo ""
            echo -e "${YELLOW}Warning:${NC} This will delete the plan configuration."
            echo "Existing backups will be retained."
            echo ""
            echo -n "Enter plan ID to delete: "
            read -r plan_id
            if [ -n "$plan_id" ]; then
                echo ""
                echo -n "Confirm deletion (type 'yes'): "
                read -r confirm
                if [ "$confirm" = "yes" ]; then
                    /usr/sbin/acrocmd delete plan "$plan_id" 2>&1 && {
                        print_success "Plan deleted"
                    } || {
                        print_error "Failed to delete plan"
                    }
                else
                    echo "Cancelled"
                fi
            fi
            ;;
        4)
            echo ""
            echo -e "${BOLD}Create New Protection Plan${NC}"
            echo ""
            echo "Protection plans are best created via the web console"
            echo "for full configuration options and validation."
            echo ""
            echo -e "${CYAN}Web Console Method:${NC}"
            echo ""
            echo "1. Log in to Acronis web console"
            # Get cloud URL
            if [ -f "/etc/Acronis/Global.config" ]; then
                cloud_url=$(grep -oP 'CloudUrl[>=\"].*?https://[^\"<]+' /etc/Acronis/Global.config 2>/dev/null | grep -oP 'https://[^\"<]+' | head -1)
                if [ -n "$cloud_url" ]; then
                    echo "   ${cloud_url}"
                fi
            fi
            echo ""
            echo "2. Navigate to: Devices → Select this server"
            echo "3. Click 'Add protection plan'"
            echo "4. Configure plan settings:"
            echo "   • What to back up (entire system/volumes/files)"
            echo "   • Where to store (cloud/local)"
            echo "   • When to run (schedule)"
            echo "   • How long to keep (retention)"
            echo "5. Save and activate"
            echo ""
            echo -e "${BOLD}Advanced CLI Method:${NC}"
            echo ""
            echo "For advanced users, plans can be created via acrocmd:"
            echo "  acrocmd create plan --help"
            ;;
    esac
 else
    echo -e "${BOLD}Getting Started with Protection Plans${NC}"
    echo ""
    echo "Protection plans define your backup strategy:"
    echo ""
    echo -e "${CYAN}What:${NC}  Files, folders, volumes, or entire system"
    echo -e "${CYAN}Where:${NC} Cloud storage or local destination"
    echo -e "${CYAN}When:${NC}  Scheduled times (hourly/daily/weekly/monthly)"
    echo -e "${CYAN}Keep:${NC}  Retention policy (days/versions to keep)"
    echo ""
    echo -e "${BOLD}To Create Your First Plan:${NC}"
    echo ""
    echo "1. Log in to Acronis web console"
    # Get cloud URL
    if [ -f "/etc/Acronis/Global.config" ]; then
        cloud_url=$(grep -oP 'CloudUrl[>=\"].*?https://[^\"<]+' /etc/Acronis/Global.config 2>/dev/null | grep -oP 'https://[^\"<]+' | head -1)
        if [ -n "$cloud_url" ]; then
            echo "   ${cloud_url}"
        fi
    fi
    echo ""
    echo "2. Navigate to: Devices → This server"
    echo "3. Click 'Add protection plan'"
    echo "4. Follow the configuration wizard"
    echo "5. Activate the plan"
    echo ""
    echo -e "${GREEN}Tip:${NC} Start with a simple file backup plan to test,"
    echo "     then create full system backup plans as needed."
 fi
 echo ""
 press_enter
@@ -0,0 +1,231 @@
 #!/bin/bash
 ################################################################################
 # Acronis Agent Registration
 ################################################################################
 # Purpose: Register Acronis agent with Acronis Cloud
 # Command: /usr/lib/Acronis/RegisterAgentTool/RegisterAgent
 # Flags:
 #   -o register       - Operation: register
 #   -t cloud          - Type: cloud-based
 #   -a <url>          - Service URL
 #   --token <token>   - Registration token
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 # Require root
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 print_banner "Acronis Agent Registration"
 # Check if agent is installed
 if [ ! -f "/usr/lib/Acronis/RegisterAgentTool/RegisterAgent" ]; then
    echo ""
    print_error "Acronis agent is not installed"
    echo ""
    echo "Please install the agent first:"
    echo "  1. Return to Acronis Management menu"
    echo "  2. Select 'Install Acronis Agent'"
    echo ""
    press_enter
    exit 1
 fi
 echo ""
 # Check current registration status
 echo -e "${BOLD}Current Registration Status:${NC}"
 echo ""
 if [ -f "/etc/Acronis/Global.config" ]; then
    if grep -q "CloudUrl" "/etc/Acronis/Global.config" 2>/dev/null; then
        echo -e "  ${GREEN}✓${NC} Agent is currently registered"
        # Extract current cloud URL
        current_url=$(grep -oP 'CloudUrl[>="].*?https://[^"<]+' /etc/Acronis/Global.config 2>/dev/null | grep -oP 'https://[^"<]+' | head -1)
        if [ -n "$current_url" ]; then
            echo -e "  Current URL: ${current_url}"
        fi
        echo ""
        echo -e "${YELLOW}⚠ Agent is already registered${NC}"
        echo ""
        echo "Do you want to:"
        echo "  1) Keep current registration"
        echo "  2) Re-register (will overwrite current registration)"
        echo ""
        echo -n "Select [1]: "
        read -r choice
        choice="${choice:-1}"
        if [ "$choice" = "1" ]; then
            echo ""
            echo "Keeping current registration"
            press_enter
            exit 0
        fi
        echo ""
        echo "Proceeding with re-registration..."
    else
        echo -e "  ${YELLOW}○${NC} Agent is not registered"
    fi
 else
    echo -e "  ${YELLOW}○${NC} No configuration found"
 fi
 echo ""
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 echo -e "${BOLD}Agent Registration${NC}"
 echo ""
 echo "You'll need:"
 echo "  • Acronis Cloud service URL (e.g., us5-cloud.acronis.com)"
 echo "  • Registration token from Acronis web console"
 echo ""
 echo "To get a registration token:"
 echo "  1. Log in to Acronis web console"
 echo "  2. Go to Settings → Registration tokens"
 echo "  3. Create a new token or copy existing one"
 echo ""
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 # Get service URL
 echo -n "Enter Acronis Cloud service URL [us5-cloud.acronis.com]: "
 read -r service_url
 service_url="${service_url:-us5-cloud.acronis.com}"
 # Validate URL format
 if [[ ! "$service_url" =~ ^[a-z0-9.-]+\.acronis\.com$ ]]; then
    print_error "Invalid service URL format"
    echo ""
    echo "Expected format: region-cloud.acronis.com"
    echo "Examples:"
    echo "  • us5-cloud.acronis.com"
    echo "  • eu2-cloud.acronis.com"
    echo "  • ap1-cloud.acronis.com"
    echo ""
    press_enter
    exit 1
 fi
 # Get registration token
 echo ""
 echo -n "Enter registration token: "
 read -r reg_token
 if [ -z "$reg_token" ]; then
    print_error "Registration token is required"
    press_enter
    exit 1
 fi
 # Confirm registration
 echo ""
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 echo -e "${BOLD}Registration Summary:${NC}"
 echo ""
 echo "  Service URL:  https://${service_url}"
 echo "  Token:        ${reg_token:0:8}...${reg_token: -4}"
 echo ""
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 echo -n "Proceed with registration? (yes/no): "
 read -r confirm
 if [ "$confirm" != "yes" ]; then
    echo ""
    print_error "Registration cancelled"
    press_enter
    exit 0
 fi
 echo ""
 echo -e "${BOLD}Registering Agent...${NC}"
 echo ""
 # Run registration command
 REGISTER_CMD="/usr/lib/Acronis/RegisterAgentTool/RegisterAgent"
 REGISTER_ARGS="-o register -t cloud -a https://${service_url} --token ${reg_token}"
 echo "→ Contacting Acronis Cloud..."
 echo ""
 echo -e "${DIM}──────────────────────────────────────────────────────────────${NC}"
 # Execute registration
 if $REGISTER_CMD $REGISTER_ARGS; then
    REG_EXIT_CODE=$?
 else
    REG_EXIT_CODE=$?
 fi
 echo -e "${DIM}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 # Check result
 if [ $REG_EXIT_CODE -eq 0 ]; then
    print_success "Registration successful!"
    echo ""
    # Restart services to apply registration
    echo "→ Restarting Acronis services..."
    systemctl restart acronis_mms
    systemctl restart aakore
    sleep 2
    if systemctl is-active --quiet acronis_mms; then
        print_success "Services restarted successfully"
        echo ""
        echo -e "${BOLD}Agent Registered Successfully!${NC}"
        echo ""
        echo "Next steps:"
        echo "  1. Log in to Acronis web console:"
        echo "     → https://${service_url}"
        echo ""
        echo "  2. Find this agent in the device list"
        echo "     → Navigate to: Devices → All devices"
        echo ""
        echo "  3. Assign backup plans to this agent"
        echo "     → Select device → Protection → Add plan"
        echo ""
        echo "  4. Check agent status from this toolkit"
        echo "     → Select 'Check Agent Status' from Acronis menu"
        echo ""
    else
        print_error "Services failed to restart"
        echo ""
        echo "Registration may have succeeded but services need attention."
        echo "Check logs: tail -f /var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log"
        echo ""
    fi
 else
    print_error "Registration failed with exit code $REG_EXIT_CODE"
    echo ""
    echo "Common issues:"
    echo "  • Invalid registration token"
    echo "  • Incorrect service URL"
    echo "  • Network connectivity issues"
    echo "  • Firewall blocking connection to Acronis Cloud"
    echo "  • Token already used or expired"
    echo ""
    echo "Troubleshooting:"
    echo "  1. Verify token in Acronis web console"
    echo "  2. Check network connectivity:"
    echo "     curl -I https://${service_url}"
    echo ""
    echo "  3. Check agent logs:"
    echo "     tail -f /var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log"
    echo ""
 fi
 press_enter
@@ -0,0 +1,58 @@
 #!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 print_banner "Restore from Backup"
 echo ""
 echo -e "${RED}${BOLD}⚠️  RESTORE OPERATION ⚠️${NC}"
 echo ""
 echo "Restoring from backups requires careful planning to avoid data loss."
 echo ""
 echo -e "${BOLD}Restore Methods:${NC}"
 echo ""
 echo -e "${CYAN}1. Web Console Method (Recommended)${NC}"
 echo "   • Most user-friendly with visual interface"
 echo "   • Full preview of backup contents"
 echo "   • Granular file/folder selection"
 echo ""
 echo "   Steps:"
 echo "   a) Log in to Acronis web console"
 echo "   b) Navigate to: Backup → Recovery"
 echo "   c) Select backup archive"
 echo "   d) Choose recovery point (date/time)"
 echo "   e) Select files/folders to restore"
 echo "   f) Choose restore destination"
 echo "   g) Start recovery process"
 echo ""
 echo -e "${CYAN}2. Command Line Method${NC}"
 echo "   • For advanced users and automation"
 echo "   • Requires acrocmd CLI tool"
 echo ""
 echo "   Basic syntax:"
 echo "   acrocmd recover --archive <archive_id> \\"
 echo "     --recoverypoint <point_id> \\"
 echo "     --destination /restore/path"
 echo ""
 echo -e "${CYAN}3. Bootable Media Recovery${NC}"
 echo "   • For full system disaster recovery"
 echo "   • Boot from Acronis bootable USB/ISO"
 echo "   • Restore entire system image"
 echo ""
 echo -e "${BOLD}Important Notes:${NC}"
 echo ""
 echo "  ⚠ Test restores in a non-production environment first"
 echo "  ⚠ Verify backup integrity before critical restores"
 echo "  ⚠ Consider restoring to alternate location first"
 echo "  ⚠ Backup current data before overwriting"
 echo ""
 echo "Would you like me to implement an interactive restore wizard"
 echo "with CLI backup browsing and restore capabilities?"
 echo ""
 press_enter
@@ -0,0 +1,109 @@
 #!/bin/bash
 ################################################################################
 # Acronis Schedule Viewer
 ################################################################################
 # Purpose: View backup schedules and protection plans
 # Features:
 # - List all protection plans
 # - Show backup schedules
 # - Display plan details
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 clear
 print_banner "Backup Plans & Schedules"
 echo ""
 # Check if acrocmd is available
 if [ ! -f "/usr/sbin/acrocmd" ]; then
    print_error "acrocmd command-line tool not found"
    echo ""
    press_enter
    exit 1
 fi
 # List protection plans
 echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
 echo -e "${BOLD}Protection Plans${NC}"
 echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
 echo ""
 plan_output=$(/usr/sbin/acrocmd list plans 2>&1)
 if echo "$plan_output" | grep -qi "error\|no.*plans"; then
    echo -e "${YELLOW}No protection plans found${NC}"
    echo ""
    echo "Protection plans define what, when, and how to back up."
    echo ""
    echo -e "${BOLD}To Create Protection Plans:${NC}"
    echo ""
    echo "1. Log in to Acronis web console"
    # Try to get cloud URL
    if [ -f "/etc/Acronis/Global.config" ]; then
        cloud_url=$(grep -oP 'CloudUrl[>=\"].*?https://[^\"<]+' /etc/Acronis/Global.config 2>/dev/null | grep -oP 'https://[^\"<]+' | head -1)
        if [ -n "$cloud_url" ]; then
            echo "   ${cloud_url}"
        fi
    fi
    echo ""
    echo "2. Navigate to: Devices → Select this server"
    echo "3. Click 'Add protection plan'"
    echo "4. Configure:"
    echo "   • Backup source (files/folders/volumes)"
    echo "   • Backup destination (cloud/local)"
    echo "   • Schedule (hourly/daily/weekly/monthly)"
    echo "   • Retention policy"
    echo "5. Save and activate plan"
 else
    echo "$plan_output"
 fi
 echo ""
 echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
 echo ""
 # Check schedule status from service
 echo -e "${BOLD}Schedule Service Status${NC}"
 echo ""
 if systemctl is-active --quiet acronis_schedule 2>/dev/null; then
    echo -e "${GREEN}✓${NC} Acronis scheduler is running"
    # Show recent schedule events from log
    if [ -f "/var/lib/Acronis/BackupAndRecovery/scheduler.log" ]; then
        echo ""
        echo "Recent scheduler activity:"
        echo ""
        tail -5 /var/lib/Acronis/BackupAndRecovery/scheduler.log 2>/dev/null | while read -r line; do
            echo "  $line"
        done
    fi
 else
    echo -e "${YELLOW}⚠${NC} Acronis scheduler is not running"
    echo ""
    echo "Start it with: systemctl start acronis_schedule"
 fi
 echo ""
 echo -e "${CYAN}════════════════════════════════════════════════════════════${NC}"
 echo ""
 echo -e "${BOLD}Next Steps:${NC}"
 echo ""
 echo "  • Trigger manual backup: Select 'Trigger Manual Backup'"
 echo "  • Manage plans: Select 'Manage Protection Plans'"
 echo "  • Check status: Select 'Check Backup Status'"
 echo ""
 press_enter
@@ -0,0 +1,45 @@
 #!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 print_banner "View Backup Status"
 echo ""
 echo -e "${BOLD}Acronis Backup Status${NC}"
 echo ""
 echo "Checking backup status..."
 echo ""
 # Check if acrocmd exists
 if ! command -v acrocmd &>/dev/null; then
    echo -e "${YELLOW}acrocmd CLI tool not found${NC}"
    echo ""
    echo "Backup status is available through:"
    echo "  • Acronis web console (real-time status)"
    echo "  • Agent logs (see 'View Logs' option)"
    echo ""
    echo "To use CLI: acrocmd may need to be installed separately"
    echo ""
    press_enter
    exit 0
 fi
 # Show recent backup activities from logs
 if [ -f "/var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log" ]; then
    echo -e "${BOLD}Recent Backup Activity:${NC}"
    echo ""
    grep -i "backup.*completed\|backup.*started\|backup.*failed" /var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log 2>/dev/null | tail -10
    echo ""
 fi
 echo "For detailed status, use:"
 echo "  • Web console: Full backup history and status"
 echo "  • acrocmd: Command-line status queries"
 echo ""
 press_enter
@@ -0,0 +1,202 @@
 #!/bin/bash
 ################################################################################
 # Acronis Trigger Backup
 ################################################################################
 # Purpose: Trigger manual backups using acrocmd
 # Features:
 # - List available backup plans
 # - Run backup for specific plan
 # - Trigger ad-hoc backup
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 clear
 print_banner "Trigger Manual Backup"
 echo ""
 # Check if acrocmd is available
 if [ ! -f "/usr/sbin/acrocmd" ]; then
    print_error "acrocmd command-line tool not found"
    echo ""
    press_enter
    exit 1
 fi
 # List available plans
 echo -e "${BOLD}Available Backup Plans${NC}"
 echo ""
 echo "Querying backup plans from Acronis..."
 echo ""
 plan_output=$(/usr/sbin/acrocmd list plans 2>&1)
 # Check if no plans exist (empty output or success message only)
 if echo "$plan_output" | grep -qi "error\|failed\|no plans" || ! echo "$plan_output" | grep -q "[a-f0-9]\{8\}-[a-f0-9]\{4\}"; then
    echo -e "${YELLOW}No backup plans found or error querying plans${NC}"
    echo ""
    echo "Possible reasons:"
    echo "  • No CLI-managed plans exist (acrocmd only shows local plans)"
    echo "  • Cloud-managed plans created in web console are not visible here"
    echo "  • Agent not registered with Acronis Cloud"
    echo ""
    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
    echo ""
    echo -e "${BOLD}Important Note:${NC}"
    echo ""
    echo "Plans created in the Acronis web console are managed at the cloud level"
    echo "and are NOT accessible via the acrocmd CLI tool. The CLI can only see and"
    echo "manage plans created locally via acrocmd commands."
    echo ""
    echo -e "${BOLD}To Trigger Cloud-Managed Backups:${NC}"
    echo ""
    echo "1. Log in to Acronis web console"
    echo "2. Navigate to: Devices → Select this server"
    echo "3. Click 'Back up now' to trigger your existing plan"
    echo ""
    echo -e "${BOLD}To Create CLI-Managed Plans:${NC}"
    echo ""
    echo "Use: acrocmd create plan --help"
    echo "Note: CLI plans give you more control and optimization options"
    echo ""
    press_enter
    exit 0
 fi
 echo "$plan_output"
 echo ""
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 echo -e "${BOLD}Select a Plan to Backup:${NC}"
 echo ""
 echo "Enter the plan name or ID from the list above,"
 echo "or press Enter to cancel and use web console instead."
 echo ""
 echo -n "Plan name/ID: "
 read -r plan_id
 if [ -z "$plan_id" ]; then
    echo ""
    echo -e "${BOLD}Use Web Console Instead${NC}"
    echo ""
    echo "To trigger backup via web console:"
    echo ""
    echo "1. Log in to Acronis web console"
    # Try to get cloud URL
    if [ -f "/etc/Acronis/Global.config" ]; then
        cloud_url=$(grep -oP 'CloudUrl[>=\"].*?https://[^\"<]+' /etc/Acronis/Global.config 2>/dev/null | grep -oP 'https://[^\"<]+' | head -1)
        if [ -n "$cloud_url" ]; then
            echo "   ${cloud_url}"
        fi
    fi
    echo ""
    echo "2. Navigate to: Devices → This server"
    echo "3. Click 'Back up now' button"
    echo "4. Monitor progress in real-time"
    echo ""
    press_enter
    exit 0
 fi
 # User selected a plan, proceed with backup type selection
 echo ""
 echo -e "${BOLD}Backup Type Selection${NC}"
        echo ""
        echo "Select backup type:"
        echo "  1) Auto (use plan's configured type)"
        echo "  2) Full backup"
        echo "  3) Incremental backup"
        echo "  4) Differential backup"
        echo ""
        echo -n "Select type [1]: "
        read -r backup_type_choice
        backup_type_choice="${backup_type_choice:-1}"
        BACKUP_FLAGS=""
        case "$backup_type_choice" in
            2)
                BACKUP_FLAGS="--backuptype=full"
                echo "  → Full backup selected"
                ;;
            3)
                BACKUP_FLAGS="--backuptype=incremental"
                echo "  → Incremental backup selected (faster, stores only changes)"
                ;;
            4)
                BACKUP_FLAGS="--backuptype=differential"
                echo "  → Differential backup selected (changes since last full)"
                ;;
            *)
                echo "  → Using plan's default backup type"
                ;;
        esac
        echo ""
        echo -e "${BOLD}Performance Options${NC}"
        echo ""
        echo -n "Enable performance optimizations? (y/n) [n]: "
        read -r opt_choice
        if [ "$opt_choice" = "y" ] || [ "$opt_choice" = "Y" ]; then
            echo ""
            echo "Available optimizations:"
            echo "  1) Lower compression (faster backup, larger size)"
            echo "  2) High priority (use more system resources)"
            echo "  3) Both"
            echo ""
            echo -n "Select [3]: "
            read -r perf_choice
            perf_choice="${perf_choice:-3}"
            case "$perf_choice" in
                1)
                    BACKUP_FLAGS="$BACKUP_FLAGS --compression=normal"
                    echo "  → Lower compression enabled"
                    ;;
                2)
                    BACKUP_FLAGS="$BACKUP_FLAGS --priority=high"
                    echo "  → High priority enabled"
                    ;;
                3)
                    BACKUP_FLAGS="$BACKUP_FLAGS --compression=normal --priority=high"
                    echo "  → Lower compression + high priority enabled"
                    ;;
            esac
        fi
        echo ""
        echo -e "${BOLD}Starting Backup...${NC}"
        echo ""
        echo "Plan: $plan_id"
        [ -n "$BACKUP_FLAGS" ] && echo "Options: $BACKUP_FLAGS"
        echo ""
        # Try to run backup
        if /usr/sbin/acrocmd backup run --plan "$plan_id" $BACKUP_FLAGS 2>&1; then
            echo ""
            print_success "Backup initiated successfully"
            echo ""
            echo "Monitor progress with 'Check Backup Status'"
        else
            echo ""
            print_error "Failed to start backup"
            echo ""
            echo "Check that:"
            echo "  • Plan ID/name is correct"
            echo "  • Agent is online and registered"
            echo "  • No conflicting backups running"
        fi
 echo ""
 press_enter
@@ -0,0 +1,471 @@
 #!/bin/bash
 ################################################################################
 # Acronis Backup Troubleshooter
 ################################################################################
 # Purpose: Diagnose and troubleshoot Acronis backup failures
 # Features:
 # - Multi-log location scanning
 # - Common failure pattern detection
 # - Service health checks
 # - Disk space analysis
 # - Network connectivity tests
 # - Automated fix suggestions
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 # Require root
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 # Log locations to check
 declare -A LOG_LOCATIONS=(
    ["MMS"]="/var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log"
    ["MMS_OLD"]="/var/lib/Acronis/BackupAndRecovery/MMS/mms.*.log"
    ["AGENT"]="/var/log/acronis/agent/*.log"
    ["CORE"]="/var/lib/Acronis/BackupAndRecovery/aakore.log"
    ["SCHEDULE"]="/var/lib/Acronis/BackupAndRecovery/scheduler.log"
    ["SYSTEM"]="/var/log/messages"
    ["SYSLOG"]="/var/log/syslog"
 )
 print_banner "Acronis Backup Troubleshooter"
 echo ""
 echo -e "${BOLD}Diagnostic Mode${NC}"
 echo ""
 echo "This tool will analyze:"
 echo "  • Service status and health"
 echo "  • Log files for errors and failures"
 echo "  • System resources (disk, memory)"
 echo "  • Network connectivity to Acronis Cloud"
 echo "  • Common backup failure patterns"
 echo ""
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 # Track issues found
 declare -a ISSUES_FOUND=()
 declare -a WARNINGS_FOUND=()
 declare -a RECOMMENDATIONS=()
 # Function to add issue
 add_issue() {
    ISSUES_FOUND+=("$1")
 }
 # Function to add warning
 add_warning() {
    WARNINGS_FOUND+=("$1")
 }
 # Function to add recommendation
 add_recommendation() {
    RECOMMENDATIONS+=("$1")
 }
 # 1. Check service status
 echo -e "${BOLD}[1/7] Checking Acronis Services...${NC}"
 echo ""
 declare -a SERVICES=("aakore" "acronis_mms" "acronis_schedule" "active-protection")
 all_services_running=true
 for service in "${SERVICES[@]}"; do
    if systemctl list-unit-files | grep -q "^${service}.service"; then
        if systemctl is-active --quiet "$service"; then
            echo -e "  ${GREEN}✓${NC} $service is running"
        else
            echo -e "  ${RED}✗${NC} $service is NOT running"
            add_issue "Service $service is stopped"
            add_recommendation "Start service: systemctl start $service"
            all_services_running=false
        fi
    fi
 done
 if [ "$all_services_running" = false ]; then
    add_recommendation "Start all services: Go to Acronis menu → Check Agent Status → Start All Services"
 fi
 echo ""
 # 2. Check disk space
 echo -e "${BOLD}[2/7] Checking Disk Space...${NC}"
 echo ""
 # Check backup directory
 if [ -d "/var/lib/Acronis" ]; then
    backup_disk_usage=$(df -h /var/lib/Acronis | tail -1 | awk '{print $5}' | tr -d '%')
    backup_disk_avail=$(df -h /var/lib/Acronis | tail -1 | awk '{print $4}')
    echo "  Acronis directory: /var/lib/Acronis"
    echo "  Disk usage: ${backup_disk_usage}%"
    echo "  Available: ${backup_disk_avail}"
    if [ "$backup_disk_usage" -gt 95 ]; then
        add_issue "Disk space critically low (${backup_disk_usage}% used)"
        add_recommendation "Free up disk space or change backup destination"
    elif [ "$backup_disk_usage" -gt 90 ]; then
        add_warning "Disk space running low (${backup_disk_usage}% used)"
        add_recommendation "Monitor disk space closely"
    else
        echo -e "  ${GREEN}✓${NC} Disk space OK"
    fi
 fi
 # Check system disk
 root_disk_usage=$(df -h / | tail -1 | awk '{print $5}' | tr -d '%')
 if [ "$root_disk_usage" -gt 90 ]; then
    add_warning "Root filesystem at ${root_disk_usage}% capacity"
 fi
 echo ""
 # 3. Check memory
 echo -e "${BOLD}[3/7] Checking Memory...${NC}"
 echo ""
 mem_total=$(free -h | grep "^Mem:" | awk '{print $2}')
 mem_available=$(free -h | grep "^Mem:" | awk '{print $7}')
 mem_used_percent=$(free | grep "^Mem:" | awk '{printf "%.0f", ($3/$2)*100}')
 echo "  Total memory: ${mem_total}"
 echo "  Available: ${mem_available}"
 echo "  Used: ${mem_used_percent}%"
 if [ "$mem_used_percent" -gt 95 ]; then
    add_warning "Memory usage critically high (${mem_used_percent}%)"
    add_recommendation "Check for memory leaks or reduce backup concurrency"
 elif [ "$mem_used_percent" -gt 90 ]; then
    add_warning "Memory usage high (${mem_used_percent}%)"
 else
    echo -e "  ${GREEN}✓${NC} Memory OK"
 fi
 echo ""
 # 4. Check network connectivity
 echo -e "${BOLD}[4/7] Checking Network Connectivity...${NC}"
 echo ""
 # Check if registered
 if [ -f "/etc/Acronis/Global.config" ]; then
    cloud_url=$(grep -oP 'CloudUrl[>="].*?https://[^"<]+' /etc/Acronis/Global.config 2>/dev/null | grep -oP 'https://[^"<]+' | head -1)
    if [ -n "$cloud_url" ]; then
        echo "  Testing connection to: $cloud_url"
        # Extract hostname
        cloud_host=$(echo "$cloud_url" | sed 's|https://||' | sed 's|/.*||')
        # Test connectivity
        if curl -s --connect-timeout 5 -I "$cloud_url" >/dev/null 2>&1; then
            echo -e "  ${GREEN}✓${NC} Connection successful"
        else
            add_issue "Cannot connect to Acronis Cloud: $cloud_url"
            add_recommendation "Check firewall rules and network connectivity"
            add_recommendation "Test manually: curl -I $cloud_url"
        fi
        # Test DNS resolution
        if host "$cloud_host" >/dev/null 2>&1; then
            echo -e "  ${GREEN}✓${NC} DNS resolution OK"
        else
            add_issue "DNS resolution failed for $cloud_host"
            add_recommendation "Check DNS configuration: /etc/resolv.conf"
        fi
    else
        add_warning "Agent may not be registered with Acronis Cloud"
        add_recommendation "Register agent: Acronis menu → Register with Cloud"
    fi
 else
    add_warning "Acronis configuration file not found"
 fi
 echo ""
 # 5. Scan logs for errors
 echo -e "${BOLD}[5/7] Scanning Logs for Errors...${NC}"
 echo ""
 # Common error patterns
 declare -A ERROR_PATTERNS=(
    ["INSUFFICIENT_SPACE"]="insufficient.*space|no.*space.*left|disk.*full"
    ["PERMISSION_DENIED"]="permission.*denied|access.*denied|cannot.*access"
    ["CONNECTION_FAILED"]="connection.*failed|connection.*refused|timeout|network.*error"
    ["AUTH_FAILED"]="authentication.*failed|invalid.*credentials|unauthorized"
    ["BACKUP_FAILED"]="backup.*failed|backup.*error|task.*failed"
    ["VSS_ERROR"]="vss.*error|snapshot.*failed|shadow.*copy.*error"
    ["DATABASE_ERROR"]="database.*error|sql.*error|db.*lock"
    ["FILE_LOCKED"]="file.*locked|file.*in.*use|sharing.*violation"
 )
 # Scan primary log
 primary_log="/var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log"
 if [ -f "$primary_log" ]; then
    echo "  Scanning primary log: mms.0.log"
    for pattern_name in "${!ERROR_PATTERNS[@]}"; do
        pattern="${ERROR_PATTERNS[$pattern_name]}"
        if grep -iE "$pattern" "$primary_log" 2>/dev/null | tail -1 | grep -q .; then
            error_count=$(grep -icE "$pattern" "$primary_log" 2>/dev/null)
            last_error=$(grep -iE "$pattern" "$primary_log" 2>/dev/null | tail -1)
            echo -e "  ${RED}⚠${NC} Found $pattern_name errors (count: $error_count)"
            echo -e "     Last: ${DIM}${last_error:0:80}...${NC}"
            add_issue "$pattern_name detected in logs (count: $error_count)"
            # Add specific recommendations
            case "$pattern_name" in
                "INSUFFICIENT_SPACE")
                    add_recommendation "Free up disk space or change backup destination"
                    ;;
                "PERMISSION_DENIED")
                    add_recommendation "Check file/directory permissions"
                    add_recommendation "Ensure Acronis agent has necessary access rights"
                    ;;
                "CONNECTION_FAILED")
                    add_recommendation "Check network connectivity and firewall rules"
                    add_recommendation "Verify Acronis Cloud URL is accessible"
                    ;;
                "AUTH_FAILED")
                    add_recommendation "Re-register agent with valid token"
                    add_recommendation "Check registration status in web console"
                    ;;
                "VSS_ERROR")
                    add_recommendation "Check VSS service: vssadmin list writers"
                    add_recommendation "Restart VSS: net stop vss && net start vss"
                    ;;
                "DATABASE_ERROR")
                    add_recommendation "Check database connections and locks"
                    add_recommendation "Consider application-aware backup settings"
                    ;;
                "FILE_LOCKED")
                    add_recommendation "Identify processes locking files: lsof"
                    add_recommendation "Schedule backups during low-activity periods"
                    ;;
            esac
        fi
    done
    # Check for recent backup failures
    recent_failures=$(grep -i "backup.*failed\|task.*failed" "$primary_log" 2>/dev/null | tail -5)
    if [ -n "$recent_failures" ]; then
        echo ""
        echo -e "  ${YELLOW}Recent backup failures:${NC}"
        echo "$recent_failures" | while read -r line; do
            echo -e "    ${DIM}${line:0:100}${NC}"
        done
    fi
 else
    add_warning "Primary log file not found: $primary_log"
 fi
 echo ""
 # 6. Check for stuck backups
 echo -e "${BOLD}[6/7] Checking for Stuck Processes...${NC}"
 echo ""
 # Check for long-running Acronis processes
 old_processes=$(ps aux | grep -i acronis | grep -v grep | awk '{if ($10 ~ /[0-9][0-9]:[0-9][0-9]/) print $0}')
 if [ -n "$old_processes" ]; then
    echo -e "  ${YELLOW}⚠${NC} Long-running Acronis processes detected:"
    echo "$old_processes" | while read -r line; do
        echo -e "    ${DIM}$line${NC}"
    done
    add_warning "Long-running Acronis processes may indicate stuck backups"
    add_recommendation "Review processes and consider restarting services if stuck"
 else
    echo -e "  ${GREEN}✓${NC} No stuck processes detected"
 fi
 echo ""
 # 7. Check configuration issues
 echo -e "${BOLD}[7/7] Checking Configuration...${NC}"
 echo ""
 # Check if backup plans are configured
 if command -v acrocmd &>/dev/null; then
    plan_count=$(acrocmd list plans 2>/dev/null | grep -c "^Plan ID" || echo "0")
    echo "  Configured backup plans: $plan_count"
    if [ "$plan_count" -eq 0 ]; then
        add_warning "No backup plans configured"
        add_recommendation "Configure backup plans in Acronis web console"
    fi
 else
    echo "  ${DIM}acrocmd not available - cannot check backup plans${NC}"
 fi
 # Check agent version
 if [ -f "/usr/lib/Acronis/BackupAndRecovery/aakore" ]; then
    agent_version=$(/usr/lib/Acronis/BackupAndRecovery/aakore --version 2>/dev/null | head -1 || echo "Unknown")
    echo "  Agent version: $agent_version"
 else
    add_warning "Cannot determine agent version"
 fi
 echo ""
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 # Summary Report
 echo -e "${BOLD}DIAGNOSTIC SUMMARY${NC}"
 echo ""
 if [ ${#ISSUES_FOUND[@]} -eq 0 ] && [ ${#WARNINGS_FOUND[@]} -eq 0 ]; then
    echo -e "${GREEN}${BOLD}✓ No issues detected${NC}"
    echo ""
    echo "Acronis appears to be healthy. If you're experiencing backup"
    echo "failures, check the web console for detailed backup logs."
 else
    # Show issues
    if [ ${#ISSUES_FOUND[@]} -gt 0 ]; then
        echo -e "${RED}${BOLD}Critical Issues (${#ISSUES_FOUND[@]}):${NC}"
        for issue in "${ISSUES_FOUND[@]}"; do
            echo -e "  ${RED}✗${NC} $issue"
        done
        echo ""
    fi
    # Show warnings
    if [ ${#WARNINGS_FOUND[@]} -gt 0 ]; then
        echo -e "${YELLOW}${BOLD}Warnings (${#WARNINGS_FOUND[@]}):${NC}"
        for warning in "${WARNINGS_FOUND[@]}"; do
            echo -e "  ${YELLOW}⚠${NC} $warning"
        done
        echo ""
    fi
    # Show recommendations
    if [ ${#RECOMMENDATIONS[@]} -gt 0 ]; then
        echo -e "${CYAN}${BOLD}Recommendations:${NC}"
        local rec_num=1
        for rec in "${RECOMMENDATIONS[@]}"; do
            echo -e "  ${CYAN}${rec_num}.${NC} $rec"
            ((rec_num++))
        done
        echo ""
    fi
 fi
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 # Quick actions
 echo -e "${BOLD}Quick Actions:${NC}"
 echo ""
 echo -e "  ${CYAN}1)${NC} View Full Logs (all errors)"
 echo -e "  ${CYAN}2)${NC} Restart All Services"
 echo -e "  ${CYAN}3)${NC} Generate Detailed Report"
 echo -e "  ${CYAN}4)${NC} Export Logs for Support"
 echo ""
 echo -e "  ${RED}0)${NC} Return to Menu"
 echo ""
 echo -n "Select action (or press Enter to return): "
 read -r action
 case "$action" in
    1)
        # Show all errors
        clear
        print_banner "All Errors from Logs"
        echo ""
        if [ -f "$primary_log" ]; then
            grep -iE "error|fail|critical|warn" "$primary_log" | tail -50
        fi
        echo ""
        press_enter
        ;;
    2)
        # Restart services
        echo ""
        echo "Restarting all Acronis services..."
        systemctl restart aakore
        systemctl restart acronis_mms
        systemctl restart acronis_schedule
        systemctl restart active-protection
        echo ""
        print_success "Services restarted"
        echo ""
        echo "Waiting 5 seconds for services to stabilize..."
        sleep 5
        echo ""
        echo "Running diagnostic again..."
        sleep 2
        exec "$0"
        ;;
    3)
        # Generate detailed report
        report_file="/tmp/acronis-diagnostic-$(date +%Y%m%d-%H%M%S).txt"
        echo ""
        echo "Generating detailed report..."
        {
            echo "Acronis Diagnostic Report"
            echo "Generated: $(date)"
            echo "Hostname: $(hostname)"
            echo ""
            echo "=== Service Status ==="
            for service in "${SERVICES[@]}"; do
                systemctl status "$service" 2>&1 | head -20
                echo ""
            done
            echo ""
            echo "=== Recent Log Entries ==="
            if [ -f "$primary_log" ]; then
                tail -200 "$primary_log"
            fi
            echo ""
            echo "=== System Resources ==="
            df -h
            echo ""
            free -h
            echo ""
            echo "=== Network ==="
            netstat -tuln | grep -E "7770|7800|8443|44445"
            echo ""
            echo "=== Processes ==="
            ps aux | grep -i acronis | grep -v grep
        } > "$report_file"
        print_success "Report generated: $report_file"
        echo ""
        echo "You can send this report to Acronis support or review it locally."
        echo ""
        press_enter
        ;;
    4)
        # Export logs
        archive_file="/tmp/acronis-logs-$(date +%Y%m%d-%H%M%S).tar.gz"
        echo ""
        echo "Exporting logs..."
        if [ -d "/var/lib/Acronis/BackupAndRecovery/MMS" ]; then
            tar -czf "$archive_file" /var/lib/Acronis/BackupAndRecovery/MMS/*.log 2>/dev/null
            print_success "Logs exported: $archive_file"
            echo ""
            echo "Archive size: $(du -h "$archive_file" | awk '{print $1}')"
        else
            print_error "Log directory not found"
        fi
        echo ""
        press_enter
        ;;
    *)
        exit 0
        ;;
 esac
@@ -0,0 +1,249 @@
 #!/bin/bash
 ################################################################################
 # Acronis Agent Uninstaller
 ################################################################################
 # Purpose: Safely uninstall Acronis Cyber Protect agent
 # Process:
 # 1. Stop all Acronis services
 # 2. Unregister from cloud (optional)
 # 3. Remove Acronis packages
 # 4. Clean up data directories (optional)
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 # Require root
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 print_banner "Acronis Agent Uninstaller"
 # Check if Acronis is installed
 if ! systemctl list-unit-files | grep -q "acronis_mms.service"; then
    echo ""
    echo -e "${YELLOW}⚠ Acronis Not Installed${NC}"
    echo ""
    echo "Acronis Cyber Protect does not appear to be installed on this system."
    echo ""
    press_enter
    exit 0
 fi
 echo ""
 echo -e "${RED}${BOLD}⚠️  WARNING ⚠️${NC}"
 echo ""
 echo "This will completely remove Acronis Cyber Protect from this system."
 echo ""
 echo -e "${BOLD}What will be removed:${NC}"
 echo "  • All Acronis services (aakore, mms, schedule, active-protection)"
 echo "  • Acronis software packages"
 echo "  • Agent registration (if selected)"
 echo "  • Backup data and logs (if selected)"
 echo ""
 echo -e "${RED}This action cannot be easily undone!${NC}"
 echo ""
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 # Confirm uninstallation
 echo -n "Type 'uninstall' to confirm removal: "
 read -r confirm
 if [ "$confirm" != "uninstall" ]; then
    echo ""
    print_error "Uninstallation cancelled"
    press_enter
    exit 0
 fi
 echo ""
 echo -e "${BOLD}Uninstallation Options:${NC}"
 echo ""
 # Ask about data retention
 echo -n "Remove backup data and logs? (yes/no) [no]: "
 read -r remove_data
 remove_data="${remove_data:-no}"
 echo ""
 echo -n "Unregister from Acronis Cloud? (yes/no) [yes]: "
 read -r unregister
 unregister="${unregister:-yes}"
 echo ""
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 echo -e "${BOLD}Uninstallation Summary:${NC}"
 echo ""
 echo "  Stop services:       Yes"
 echo "  Remove software:     Yes"
 echo "  Unregister agent:    ${unregister}"
 echo "  Remove data/logs:    ${remove_data}"
 echo ""
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 echo -n "Proceed with uninstallation? (yes/no): "
 read -r final_confirm
 if [ "$final_confirm" != "yes" ]; then
    echo ""
    print_error "Uninstallation cancelled"
    press_enter
    exit 0
 fi
 echo ""
 echo -e "${BOLD}Starting Uninstallation...${NC}"
 echo ""
 # Stop all services
 echo "→ Stopping Acronis services..."
 systemctl stop active-protection.service 2>/dev/null
 systemctl stop acronis_schedule 2>/dev/null
 systemctl stop acronis_mms 2>/dev/null
 systemctl stop aakore 2>/dev/null
 service acronis_mms stop 2>/dev/null
 sleep 2
 if systemctl is-active --quiet acronis_mms; then
    print_error "Warning: Some services may still be running"
 else
    print_success "Services stopped"
 fi
 echo ""
 # Unregister from cloud if requested
 if [ "$unregister" = "yes" ]; then
    echo "→ Unregistering from Acronis Cloud..."
    if [ -f "/usr/lib/Acronis/RegisterAgentTool/RegisterAgent" ]; then
        if /usr/lib/Acronis/RegisterAgentTool/RegisterAgent -o unregister 2>/dev/null; then
            print_success "Agent unregistered"
        else
            echo "  ${YELLOW}Note: Unregistration may have failed (continuing anyway)${NC}"
        fi
    else
        echo "  ${YELLOW}Note: Registration tool not found (skipping)${NC}"
    fi
    echo ""
 fi
 # Disable services
 echo "→ Disabling Acronis services..."
 systemctl disable aakore 2>/dev/null
 systemctl disable acronis_mms 2>/dev/null
 systemctl disable acronis_schedule 2>/dev/null
 systemctl disable active-protection.service 2>/dev/null
 echo "  ${GREEN}✓${NC} Services disabled"
 echo ""
 # Remove packages
 echo "→ Removing Acronis packages..."
 # Try different package managers
 if command -v dpkg &>/dev/null; then
    # Debian/Ubuntu
    dpkg -l | grep -i acronis | awk '{print $2}' | while read -r pkg; do
        echo "  Removing: $pkg"
        dpkg --purge "$pkg" 2>/dev/null
    done
 elif command -v rpm &>/dev/null; then
    # RedHat/CentOS
    rpm -qa | grep -i acronis | while read -r pkg; do
        echo "  Removing: $pkg"
        rpm -e "$pkg" 2>/dev/null
    done
 fi
 print_success "Packages removed"
 echo ""
 # Remove data directories if requested
 if [ "$remove_data" = "yes" ]; then
    echo "→ Removing Acronis data and logs..."
    declare -a DATA_DIRS=(
        "/var/lib/Acronis"
        "/usr/lib/Acronis"
        "/etc/Acronis"
        "/opt/acronis"
    )
    for dir in "${DATA_DIRS[@]}"; do
        if [ -d "$dir" ]; then
            local size=$(du -sh "$dir" 2>/dev/null | awk '{print $1}')
            echo "  Removing: $dir (${size})"
            rm -rf "$dir" 2>/dev/null
        fi
    done
    print_success "Data directories removed"
    echo ""
 fi
 # Clean up systemd
 echo "→ Cleaning up system configuration..."
 systemctl daemon-reload
 echo "  ${GREEN}✓${NC} systemd reloaded"
 echo ""
 # Final verification
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 echo -e "${GREEN}${BOLD}✓ Uninstallation Complete${NC}"
 echo ""
 # Check if anything remains
 local remaining=0
 if systemctl list-unit-files | grep -q "acronis"; then
    echo -e "${YELLOW}⚠ Some service files may still be present${NC}"
    ((remaining++))
 fi
 if [ -d "/var/lib/Acronis" ] || [ -d "/usr/lib/Acronis" ]; then
    echo -e "${YELLOW}⚠ Some directories were not removed${NC}"
    ((remaining++))
 fi
 if [ $remaining -eq 0 ]; then
    echo "Acronis Cyber Protect has been completely removed from this system."
 else
    echo ""
    echo "Uninstallation mostly complete, but some files may remain."
    echo "This is usually safe and won't affect system operation."
 fi
 echo ""
 # Show what was kept
 if [ "$remove_data" = "no" ]; then
    echo -e "${BOLD}Retained Data:${NC}"
    echo ""
    echo "Backup data and logs were kept as requested:"
    if [ -d "/var/lib/Acronis" ]; then
        local data_size=$(du -sh /var/lib/Acronis 2>/dev/null | awk '{print $1}')
        echo "  Location: /var/lib/Acronis"
        echo "  Size:     $data_size"
        echo ""
        echo "To remove this data later:"
        echo "  rm -rf /var/lib/Acronis"
    fi
    echo ""
 fi
 echo "To reinstall Acronis in the future:"
 echo "  1. Return to Backup & Recovery menu"
 echo "  2. Select 'Acronis Management'"
 echo "  3. Choose 'Install Acronis Agent'"
 echo ""
 press_enter
@@ -0,0 +1,314 @@
 #!/bin/bash
 ################################################################################
 # Acronis Agent Update/Upgrade
 ################################################################################
 # Purpose: Update Acronis Cyber Protect agent to latest version
 # Methods:
 # - Automatic via cloud (web console)
 # - Manual download and upgrade (preserves config/registration)
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 print_banner "Update Acronis Agent"
 echo ""
 # Check if Acronis is installed
 if ! systemctl list-unit-files | grep -q "acronis_mms.service"; then
    print_error "Acronis is not installed"
    echo ""
    echo "Install Acronis first:"
    echo "  1. Return to Acronis menu"
    echo "  2. Select 'Install Acronis Agent'"
    echo ""
    press_enter
    exit 1
 fi
 echo -e "${BOLD}Current Installation${NC}"
 echo ""
 # Check current version
 echo "→ Checking current agent version..."
 if [ -f "/usr/lib/Acronis/BackupAndRecovery/aakore" ]; then
    current_version=$(/usr/lib/Acronis/BackupAndRecovery/aakore --version 2>/dev/null | head -1 || echo "Unknown")
    echo "  Current version: ${current_version}"
 else
    echo "  ${YELLOW}Version unknown${NC}"
 fi
 # Check service status
 echo ""
 echo "→ Service status:"
 if systemctl is-active --quiet acronis_mms; then
    echo "  ${GREEN}✓${NC} Services are running"
 else
    echo "  ${YELLOW}⚠${NC} Some services are stopped"
 fi
 echo ""
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
 echo ""
 echo -e "${BOLD}Update Methods${NC}"
 echo ""
 echo -e "${CYAN}1. Automatic Update (via Acronis Cloud)${NC}"
 echo "   • Managed from web console"
 echo "   • Navigate to: Settings → Agent updates"
 echo "   • Can enable automatic updates"
 echo "   • Recommended for production environments"
 echo ""
 echo -e "${CYAN}2. Manual Update (Download + Upgrade)${NC}"
 echo "   • Downloads latest installer"
 echo "   • Runs upgrade automatically"
 echo "   • Preserves configuration and registration"
 echo "   • Agent stays registered to same account"
 echo ""
 echo -n "Select update method (1/2) or 0 to cancel [2]: "
 read -r method
 method="${method:-2}"
 case "$method" in
    1)
        # Automatic update instructions
        clear
        print_banner "Automatic Agent Updates"
        echo ""
        echo -e "${BOLD}Configure Automatic Updates via Web Console${NC}"
        echo ""
        echo "Steps:"
        echo "  1. Log in to Acronis web console"
        # Try to get cloud URL
        if [ -f "/etc/Acronis/Global.config" ]; then
            cloud_url=$(grep -oP 'CloudUrl[>="].*?https://[^"<]+' /etc/Acronis/Global.config 2>/dev/null | grep -oP 'https://[^"<]+' | head -1)
            if [ -n "$cloud_url" ]; then
                echo "     ${cloud_url}"
            fi
        fi
        echo ""
        echo "  2. Navigate to: Settings → Agent updates"
        echo ""
        echo "  3. Options available:"
        echo "     • Enable automatic updates"
        echo "     • Schedule update time"
        echo "     • Set update policy per device"
        echo "     • Configure notification preferences"
        echo ""
        echo "  4. Agents will update during maintenance window"
        echo ""
        echo -e "${GREEN}Benefits:${NC}"
        echo "  ✓ Centrally managed"
        echo "  ✓ Scheduled updates"
        echo "  ✓ Rollback capability"
        echo "  ✓ Update verification"
        echo ""
        press_enter
        ;;
    2)
        # Manual update/upgrade
        clear
        print_banner "Manual Agent Upgrade"
        echo ""
        echo -e "${BOLD}Upgrade Process${NC}"
        echo ""
        echo "This will:"
        echo "  1. Download the latest Acronis agent installer"
        echo "  2. Run installer over existing installation"
        echo "  3. Automatically upgrade to latest version"
        echo "  4. Preserve all configuration and registration"
        echo "  5. Restart services with new version"
        echo ""
        echo -e "${YELLOW}Note:${NC} The agent will stay registered to your Acronis account."
        echo "       No need to re-register after upgrade."
        echo ""
        echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
        echo ""
        # Get cloud URL for download
        SERVICE_URL="us5-cloud.acronis.com"
        if [ -f "/etc/Acronis/Global.config" ]; then
            config_url=$(grep -oP 'CloudUrl[>="].*?https://[^"<]+' /etc/Acronis/Global.config 2>/dev/null | grep -oP 'https://[^"<]+' | head -1)
            if [ -n "$config_url" ]; then
                SERVICE_URL=$(echo "$config_url" | sed 's|https://||' | sed 's|/.*||')
            fi
        fi
        echo "Download region: ${SERVICE_URL}"
        echo ""
        echo -n "Proceed with upgrade? (yes/no): "
        read -r confirm
        if [[ ! "$confirm" =~ ^[Yy]([Ee][Ss])?$ ]]; then
            echo ""
            print_error "Upgrade cancelled"
            press_enter
            exit 0
        fi
        echo ""
        echo -e "${BOLD}Starting Upgrade...${NC}"
        echo ""
        # Create download directory
        DOWNLOAD_DIR="$SCRIPT_DIR/downloads"
        mkdir -p "$DOWNLOAD_DIR"
        cd "$DOWNLOAD_DIR" || exit 1
        INSTALL_DIR="$DOWNLOAD_DIR/acronis-upgrade-$(date +%Y%m%d-%H%M%S)"
        mkdir -p "$INSTALL_DIR"
        cd "$INSTALL_DIR" || exit 1
        # Download installer
        echo "→ Downloading latest Acronis agent..."
        DOWNLOAD_URL="https://${SERVICE_URL}/bc/api/ams/links/agents/redirect?language=multi&system=linux&architecture=64&productType=enterprise"
        if wget -q --show-progress "$DOWNLOAD_URL" -O "Cyber_Protection_Agent_for_Linux_x86_64.bin"; then
            print_success "Download complete"
        else
            print_error "Download failed"
            echo ""
            echo "Possible causes:"
            echo "  • No internet connection"
            echo "  • Invalid service URL"
            echo "  • Firewall blocking connection"
            echo ""
            cd "$SCRIPT_DIR"
            rm -rf "$INSTALL_DIR"
            press_enter
            exit 1
        fi
        echo ""
        # Make executable
        chmod +x "Cyber_Protection_Agent_for_Linux_x86_64.bin" 2>/dev/null
        # Verify file
        file_size=$(stat -c%s "Cyber_Protection_Agent_for_Linux_x86_64.bin" 2>/dev/null || echo "0")
        if [ "$file_size" -lt 1000000 ]; then
            print_error "Downloaded file is too small (possibly corrupted)"
            cd "$SCRIPT_DIR"
            rm -rf "$INSTALL_DIR"
            press_enter
            exit 1
        fi
        # Run upgrade (unattended mode)
        echo "→ Running upgrade..."
        echo ""
        echo "The installer will automatically:"
        echo "  • Detect existing installation"
        echo "  • Upgrade to latest version"
        echo "  • Preserve configuration"
        echo "  • Keep registration"
        echo ""
        sleep 2
        echo -e "${DIM}──────────────────────────────────────────────────────────────${NC}"
        # Run installer in unattended mode
        ./Cyber_Protection_Agent_for_Linux_x86_64.bin -a
        UPGRADE_EXIT_CODE=$?
        echo -e "${DIM}──────────────────────────────────────────────────────────────${NC}"
        echo ""
        # Check result
        if [ $UPGRADE_EXIT_CODE -eq 0 ]; then
            print_success "Upgrade completed successfully!"
            echo ""
            # Check new version
            echo "→ Verifying upgrade..."
            sleep 2
            if [ -f "/usr/lib/Acronis/BackupAndRecovery/aakore" ]; then
                new_version=$(/usr/lib/Acronis/BackupAndRecovery/aakore --version 2>/dev/null | head -1 || echo "Unknown")
                echo "  New version: ${new_version}"
                echo ""
                if [ "$new_version" != "$current_version" ]; then
                    print_success "Agent upgraded: $current_version → $new_version"
                else
                    echo "  ${YELLOW}Version appears unchanged (may already be latest)${NC}"
                fi
            fi
            echo ""
            # Check services
            echo "→ Checking services..."
            sleep 1
            if systemctl is-active --quiet acronis_mms; then
                print_success "Services are running"
            else
                echo "  ${YELLOW}⚠ Services may need restart${NC}"
                echo ""
                echo -n "Restart Acronis services? (yes/no): "
                read -r restart_confirm
                if [[ "$restart_confirm" =~ ^[Yy]([Ee][Ss])?$ ]]; then
                    echo ""
                    echo "→ Restarting services..."
                    systemctl restart aakore
                    systemctl restart acronis_mms
                    systemctl restart acronis_schedule
                    sleep 2
                    if systemctl is-active --quiet acronis_mms; then
                        print_success "Services restarted"
                    else
                        print_error "Service restart failed"
                        echo "Check status: systemctl status acronis_mms"
                    fi
                fi
            fi
            echo ""
            echo -e "${GREEN}${BOLD}✓ Upgrade Complete${NC}"
            echo ""
            echo "The agent has been upgraded and remains registered."
            echo "Backups will continue according to existing schedules."
            echo ""
        else
            print_error "Upgrade failed with exit code $UPGRADE_EXIT_CODE"
            echo ""
            echo "Common issues:"
            echo "  • Agent is already latest version"
            echo "  • Insufficient disk space"
            echo "  • Services in use"
            echo ""
            echo "Check logs for details:"
            echo "  tail -f /var/lib/Acronis/BackupAndRecovery/MMS/mms.0.log"
            echo ""
        fi
        # Cleanup
        echo "→ Cleaning up installation files..."
        cd "$SCRIPT_DIR"
        rm -rf "$INSTALL_DIR"
        echo ""
        press_enter
        ;;
    *)
        echo ""
        echo "Update cancelled"
        press_enter
        ;;
 esac
@@ -937,12 +937,13 @@ System may be vulnerable" \
        fi
    fi
-    # Check for cPanel updates (if cPanel)
+    # Check for control panel version
-    if [ -f "/usr/local/cpanel/version" ]; then
+    if [ "$SYS_CONTROL_PANEL" = "cpanel" ] && [ -n "$SYS_CONTROL_PANEL_VERSION" ]; then
-        local cpanel_version=$(cat /usr/local/cpanel/version)
+        echo "cPanel version: $SYS_CONTROL_PANEL_VERSION" >> "$TEMP_DIR/system_info.txt"
-        # Note: We can't easily check if update is available without WHM API
+    elif [ "$SYS_CONTROL_PANEL" = "plesk" ] && [ -n "$SYS_CONTROL_PANEL_VERSION" ]; then
-        # Just record the version
+        echo "Plesk version: $SYS_CONTROL_PANEL_VERSION" >> "$TEMP_DIR/system_info.txt"
-        echo "cPanel version: $cpanel_version" >> "$TEMP_DIR/system_info.txt"
+    elif [ "$SYS_CONTROL_PANEL" = "interworx" ] && [ -n "$SYS_CONTROL_PANEL_VERSION" ]; then
        echo "InterWorx version: $SYS_CONTROL_PANEL_VERSION" >> "$TEMP_DIR/system_info.txt"
    fi
 }
@@ -0,0 +1,243 @@
 #!/bin/bash
 ################################################################################
 # Server Toolkit Data Cleanup
 ################################################################################
 # Purpose: Remove all toolkit-generated data (for wiping before system transfer)
 # Use Case: When moving toolkit to another server or fresh start
 #
 # What gets cleaned:
 # - IP reputation database
 # - Temporary analysis files
 # - Cached data
 # - Generated reports
 # - Session data
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 # Require root
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 print_banner "Server Toolkit Data Cleanup"
 echo ""
 echo -e "${YELLOW}${BOLD}⚠️  WARNING ⚠️${NC}"
 echo ""
 echo "This will remove ALL data collected by the Server Toolkit:"
 echo ""
 echo "  • IP reputation database (/var/lib/server-toolkit/)"
 echo "  • Temporary analysis files (/tmp/)"
 echo "  • Generated reports"
 echo "  • Cached data"
 echo "  • Session files"
 echo ""
 echo -e "${RED}This action CANNOT be undone!${NC}"
 echo ""
 echo "Use this when:"
 echo "  ✓ Moving toolkit to a different server"
 echo "  ✓ Starting fresh analysis"
 echo "  ✓ Removing server-specific data before sharing"
 echo ""
 echo -e "${CYAN}────────────────────────────────────────────────────────────${NC}"
 echo ""
 read -p "Type 'yes' to confirm cleanup: " confirm
 if [ "$confirm" != "yes" ]; then
    echo ""
    print_error "Cleanup cancelled"
    exit 0
 fi
 echo ""
 echo "Starting cleanup..."
 echo ""
 # Track what was cleaned
 cleaned_count=0
 cleaned_size=0
 # Function to safely remove directory/file and track size
 safe_remove() {
    local path="$1"
    local description="$2"
    if [ -e "$path" ]; then
        # Calculate size before removing
        if [ -d "$path" ]; then
            size=$(du -sb "$path" 2>/dev/null | awk '{print $1}' || echo "0")
        else
            size=$(stat -c%s "$path" 2>/dev/null || echo "0")
        fi
        # Remove
        rm -rf "$path" 2>/dev/null
        if [ $? -eq 0 ]; then
            cleaned_size=$((cleaned_size + size))
            ((cleaned_count++))
            echo -e "  ${GREEN}✓${NC} Removed: $description"
            return 0
        else
            echo -e "  ${RED}✗${NC} Failed to remove: $description"
            return 1
        fi
    else
        echo -e "  ${DIM}○${NC} Not found: $description (already clean)"
        return 0
    fi
 }
 echo -e "${BOLD}IP Reputation Database:${NC}"
 safe_remove "/var/lib/server-toolkit/ip-reputation" "IP reputation database (including hash index)"
 safe_remove "/var/lib/server-toolkit" "Toolkit data directory"
 echo ""
 echo -e "${BOLD}Temporary Analysis Files:${NC}"
 # Bot analyzer temp files
 for pattern in /tmp/bot_analysis_* /tmp/*_bot_*.txt; do
    if ls $pattern 2>/dev/null | grep -q .; then
        rm -f $pattern 2>/dev/null
        echo -e "  ${GREEN}✓${NC} Removed: Bot analysis temp files"
        ((cleaned_count++))
        break
    fi
 done
 # 500 error tracker temp files
 for pattern in /tmp/500-tracker-* /tmp/*500*.txt; do
    if ls $pattern 2>/dev/null | grep -q .; then
        rm -rf $pattern 2>/dev/null
        echo -e "  ${GREEN}✓${NC} Removed: 500 error tracker temp files"
        ((cleaned_count++))
        break
    fi
 done
 # Live monitoring temp files
 for pattern in /tmp/live-monitor-* /tmp/*monitor*.tmp; do
    if ls $pattern 2>/dev/null | grep -q .; then
        rm -rf $pattern 2>/dev/null
        echo -e "  ${GREEN}✓${NC} Removed: Live monitoring temp files"
        ((cleaned_count++))
        break
    fi
 done
 # Error analyzer temp files
 for pattern in /tmp/error_analysis_* /tmp/*error*.tmp; do
    if ls $pattern 2>/dev/null | grep -q .; then
        rm -f $pattern 2>/dev/null
        echo -e "  ${GREEN}✓${NC} Removed: Error analyzer temp files"
        ((cleaned_count++))
        break
    fi
 done
 # Generic toolkit temp files
 for pattern in /tmp/toolkit_* /tmp/server-toolkit*; do
    if ls $pattern 2>/dev/null | grep -q .; then
        rm -rf $pattern 2>/dev/null
        echo -e "  ${GREEN}✓${NC} Removed: Generic toolkit temp files"
        ((cleaned_count++))
        break
    fi
 done
 echo ""
 echo -e "${BOLD}Generated Reports:${NC}"
 # Look for common report locations
 for pattern in /tmp/*_report_*.txt /tmp/*_analysis_*.txt /root/*toolkit*.txt /root/*_report*.txt; do
    if ls $pattern 2>/dev/null | grep -q .; then
        count=$(ls $pattern 2>/dev/null | wc -l)
        rm -f $pattern 2>/dev/null
        echo -e "  ${GREEN}✓${NC} Removed: $count report file(s)"
        ((cleaned_count++))
        break
    fi
 done
 echo ""
 echo -e "${BOLD}Cache and Session Data:${NC}"
 # Cached analysis data
 if [ -d "/var/cache/server-toolkit" ]; then
    safe_remove "/var/cache/server-toolkit" "Toolkit cache directory"
 fi
 # Session/lock files
 for pattern in /var/run/server-toolkit* /var/lock/server-toolkit*; do
    if ls $pattern 2>/dev/null | grep -q .; then
        rm -f $pattern 2>/dev/null
        echo -e "  ${GREEN}✓${NC} Removed: Session/lock files"
        ((cleaned_count++))
        break
    fi
 done
 echo ""
 echo -e "${BOLD}Log Files (Optional):${NC}"
 echo -n "Remove toolkit execution logs? (yes/no) [no]: "
 read remove_logs
 remove_logs="${remove_logs:-no}"
 if [ "$remove_logs" = "yes" ]; then
    for pattern in /var/log/server-toolkit*.log; do
        if ls $pattern 2>/dev/null | grep -q .; then
            count=$(ls $pattern 2>/dev/null | wc -l)
            rm -f $pattern 2>/dev/null
            echo -e "  ${GREEN}✓${NC} Removed: $count log file(s)"
            ((cleaned_count++))
            break
        fi
    done
 else
    echo -e "  ${DIM}○${NC} Logs kept (skipped)"
 fi
 echo ""
 echo -e "${CYAN}────────────────────────────────────────────────────────────${NC}"
 echo ""
 # Convert size to human readable
 if [ $cleaned_size -lt 1024 ]; then
    size_human="${cleaned_size}B"
 elif [ $cleaned_size -lt 1048576 ]; then
    size_human="$((cleaned_size / 1024))KB"
 elif [ $cleaned_size -lt 1073741824 ]; then
    size_human="$((cleaned_size / 1048576))MB"
 else
    size_human="$((cleaned_size / 1073741824))GB"
 fi
 echo -e "${GREEN}${BOLD}✓ Cleanup Complete!${NC}"
 echo ""
 echo "Summary:"
 echo "  Items removed: $cleaned_count"
 echo "  Space freed:   $size_human"
 echo ""
 echo "The toolkit is now clean and ready for:"
 echo "  • Transfer to another server"
 echo "  • Fresh analysis start"
 echo "  • Sharing without server-specific data"
 echo ""
 # Verify critical directories are gone
 missing=0
 [ -d "/var/lib/server-toolkit" ] && { echo -e "${YELLOW}Warning: /var/lib/server-toolkit still exists${NC}"; ((missing++)); }
 [ -d "/tmp/live-monitor-current" ] && { echo -e "${YELLOW}Warning: /tmp/live-monitor-current still exists${NC}"; ((missing++)); }
 if [ $missing -gt 0 ]; then
    echo ""
    echo -e "${YELLOW}Some directories could not be removed (may be in use)${NC}"
    echo "Try stopping any running toolkit scripts and run cleanup again."
 fi
 echo ""
 press_enter
@@ -182,19 +182,27 @@ This is significantly higher than typical usage" \
 analyze_web_traffic() {
    echo -e "${CYAN}[INFO]${NC} Analyzing web server traffic patterns..."
-    # Find Apache log directory
+    # Multi-panel log directory discovery
    local log_dir=""
-    if [ -d "/var/log/apache2/domlogs" ]; then
+    if [ "$SYS_CONTROL_PANEL" = "interworx" ]; then
-        log_dir="/var/log/apache2/domlogs"
+        # InterWorx: Multiple log locations (use first user's logs as sample)
-    elif [ -d "/etc/apache2/logs/domlogs" ]; then
+        log_dir=$(find /home/*/var/*/logs -type d 2>/dev/null | head -1)
-        log_dir="/etc/apache2/logs/domlogs"
+    elif [ "$SYS_CONTROL_PANEL" = "plesk" ]; then
        # Plesk: System logs
        log_dir="/var/www/vhosts/system"
    elif [ -n "$SYS_LOG_DIR" ] && [ -d "$SYS_LOG_DIR" ]; then
        # cPanel or detected log directory
        log_dir="$SYS_LOG_DIR"
    elif [ -d "/var/log/httpd" ]; then
        # Standalone fallback
        log_dir="/var/log/httpd"
    elif [ -d "/var/log/apache2" ]; then
        log_dir="/var/log/apache2"
    fi
    if [ -z "$log_dir" ] || [ ! -d "$log_dir" ]; then
        add_finding "INFO" "Web Server Logs Not Found" \
-            "Could not locate Apache/web server logs" \
+            "Could not locate Apache/web server logs (Panel: $SYS_CONTROL_PANEL)" \
            "Web traffic analysis requires Apache logs"
        return
    fi
@@ -27,11 +27,25 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 source "$SCRIPT_DIR/lib/user-manager.sh"
 source "$SCRIPT_DIR/lib/ip-reputation.sh"
 source "$SCRIPT_DIR/lib/bot-signatures.sh"
 source "$SCRIPT_DIR/lib/attack-patterns.sh"
 source "$SCRIPT_DIR/lib/threat-intelligence.sh"
 # Default configuration (auto-detected from system)
 LOG_DIR="${SYS_LOG_DIR:-/var/log/apache2/domlogs}"
-TEMP_DIR="/tmp/bot_analysis_$$"
+
-OUTPUT_FILE="/tmp/bot_analysis_report_$(date +%Y%m%d_%H%M%S).txt"
+# Use toolkit's tmp directory instead of system /tmp to avoid filling it up
 # On large servers with 200+ domains, compressed temp files can still be 50-100MB
 # Using toolkit's tmp dir means:
 # - Won't fill up system /tmp
 # - Gets auto-cleaned when toolkit is removed
 # - Included in cleanup script (clean-and-push-toolkit.sh)
 TOOLKIT_TMP_DIR="$SCRIPT_DIR/tmp"
 mkdir -p "$TOOLKIT_TMP_DIR" 2>/dev/null
 TEMP_DIR="$TOOLKIT_TMP_DIR/bot_analysis_$$"
 OUTPUT_FILE="$TOOLKIT_TMP_DIR/bot_analysis_report_$(date +%Y%m%d_%H%M%S).txt"
 DAYS_BACK=""  # Empty means all logs, otherwise filter by days
 HOURS_BACK=""  # Empty means all logs, otherwise filter by hours
 FILTER_USER=""  # Empty means all users, otherwise specific user
@@ -176,6 +190,7 @@ YELLOW='\033[1;33m'
 GREEN='\033[0;32m'
 BLUE='\033[0;34m'
 CYAN='\033[0;36m'
 BOLD='\033[1m'
 NC='\033[0m' # No Color
 # Check for required commands
@@ -196,15 +211,16 @@ check_dependencies() {
 # Check disk space
 check_disk_space() {
    local available_kb
-    available_kb=$(df /tmp 2>/dev/null | tail -1 | awk '{print $4}')
+    local check_path="$SCRIPT_DIR"
    available_kb=$(df "$check_path" 2>/dev/null | tail -1 | awk '{print $4}')
    if [ -z "$available_kb" ]; then
-        echo -e "${YELLOW}Warning: Cannot determine available disk space in /tmp${NC}" >&2
+        echo -e "${YELLOW}Warning: Cannot determine available disk space for toolkit directory${NC}" >&2
        return
    fi
    if [ "$available_kb" -lt 102400 ]; then  # Less than 100MB
-        echo -e "${YELLOW}Warning: Low disk space in /tmp: $((available_kb/1024))MB available${NC}" >&2
+        echo -e "${YELLOW}Warning: Low disk space in toolkit directory: $((available_kb/1024))MB available${NC}" >&2
        read -p "Continue anyway? (y/N): " -n 1 -r
        echo
        if [[ ! $REPLY =~ ^[Yy]$ ]]; then
@@ -229,80 +245,8 @@ trap "rm -rf $TEMP_DIR" EXIT
 #############################################################################
 # Bot Signature Database
 #############################################################################
-
+# NOTE: Bot signatures now loaded from lib/bot-signatures.sh
-# Legitimate bots (search engines)
+# Arrays available: LEGIT_BOTS, AI_BOTS, MONITOR_BOTS, SUSPICIOUS_BOTS
 declare -A LEGIT_BOTS=(
    ["Googlebot"]="Google Search"
    ["Googlebot-Image"]="Google Images"
    ["Googlebot-Video"]="Google Video"
    ["Googlebot-News"]="Google News"
    ["Google-InspectionTool"]="Google Search Console"
    ["Storebot-Google"]="Google Merchant"
    ["APIs-Google"]="Google APIs"
    ["AdsBot-Google"]="Google Ads"
    ["Mediapartners-Google"]="Google AdSense"
    ["bingbot"]="Bing Search"
    ["msnbot"]="MSN Search"
    ["Slurp"]="Yahoo Search"
    ["DuckDuckBot"]="DuckDuckGo"
    ["Baiduspider"]="Baidu Search"
    ["YandexBot"]="Yandex Search"
 )
 # AI Bots
 declare -A AI_BOTS=(
    ["GPTBot"]="OpenAI"
    ["ChatGPT-User"]="OpenAI ChatGPT"
    ["ClaudeBot"]="Anthropic Claude"
    ["Claude-Web"]="Anthropic Web"
    ["Bytespider"]="ByteDance (TikTok)"
    ["PetalBot"]="Huawei"
    ["CCBot"]="Common Crawl"
    ["anthropic-ai"]="Anthropic"
    ["Applebot"]="Apple Intelligence"
    ["facebookexternalhit"]="Facebook/Meta"
    ["Meta-ExternalAgent"]="Meta AI"
    ["cohere-ai"]="Cohere AI"
    ["PerplexityBot"]="Perplexity AI"
    ["YouBot"]="You.com AI"
    ["Diffbot"]="Diffbot AI"
    ["ImagesiftBot"]="ImageSift AI"
    ["Omgilibot"]="Omgili AI"
 )
 # Monitoring/SEO bots
 declare -A MONITOR_BOTS=(
    ["AhrefsBot"]="Ahrefs SEO"
    ["SemrushBot"]="SEMrush SEO"
    ["MJ12bot"]="Majestic SEO"
    ["DotBot"]="Moz/OpenSite"
    ["BLEXBot"]="BLEXBot SEO"
    ["PingdomBot"]="Pingdom Monitoring"
    ["UptimeRobot"]="Uptime Monitoring"
    ["StatusCake"]="StatusCake Monitoring"
    ["SiteImprove"]="SiteImprove Analytics"
 )
 # Suspicious/Aggressive bots (malicious or security scanners)
 declare -A SUSPICIOUS_BOTS=(
    ["MauiBot"]="Malicious crawler"
    ["DataForSeoBot"]="Data scraper"
    ["ZoominfoBot"]="Data harvester"
    ["MegaIndex"]="Aggressive crawler"
    ["SeznamBot"]="Aggressive crawler"
    ["Yeti"]="Naver crawler"
    ["serpstatbot"]="SEO crawler"
    ["LinkpadBot"]="Link checker"
    ["Nessus"]="Vulnerability scanner"
    ["Nikto"]="Security scanner"
    ["sqlmap"]="SQL injection tool"
    ["ZmEu"]="Scanner/exploit"
    ["masscan"]="Port scanner"
    ["nmap"]="Port scanner"
    ["wget"]="Command-line tool"
    ["curl"]="Command-line tool"
    ["python-requests"]="Script/automation"
 )
 #############################################################################
 # Helper Functions
@@ -335,7 +279,11 @@ print_success() {
 #############################################################################
 parse_logs() {
-    print_info "Parsing logs from: $LOG_DIR"
+    if [ "$INTERWORX_MODE" = "yes" ]; then
        print_info "Parsing InterWorx domain logs from: /home/*/var/*/logs/"
    else
        print_info "Parsing logs from: $LOG_DIR"
    fi
    local find_opts=()
@@ -349,13 +297,38 @@ parse_logs() {
        print_info "Filtering logs from last $DAYS_BACK days"
    fi
-    # Parse all domain logs (excluding -bytes_log, .offset, and error_log files)
+    # Determine log file search pattern based on control panel
-    # cPanel creates files like: domain.com, domain.com-ssl_log
+    local log_search_path
-    find "$LOG_DIR" -type f ! -name "*-bytes_log" ! -name "*.offset" ! -name "*error_log" "${find_opts[@]}" 2>/dev/null | while read -r logfile; do
+    local log_search_name
    if [ "$INTERWORX_MODE" = "yes" ]; then
        # InterWorx: /home/user/var/domain.com/logs/transfer.log (VERIFIED: uses 'transfer.log' not 'access_log')
        log_search_path="/home/*/var/*/logs"
        log_search_name="transfer.log"
    else
        # cPanel/Plesk: /var/log/apache2/domlogs/domain.com
        log_search_path="$LOG_DIR"
        log_search_name="*"
    fi
    # Parse all domain logs
    local file_count=0
    local progress_interval=50
    echo ""
    find "$log_search_path" -type f -name "$log_search_name" ! -name "*-bytes_log" ! -name "*.offset" ! -name "*error_log" "${find_opts[@]}" 2>/dev/null | while read -r logfile; do
        # Skip empty files
        [ -s "$logfile" ] || continue
-        domain=$(basename "$logfile" | sed 's/-ssl_log$//')
+        # Extract domain name based on control panel
        if [ "$INTERWORX_MODE" = "yes" ]; then
            # InterWorx: extract from path /home/user/var/domain.com/logs/transfer.log
            domain=$(echo "$logfile" | sed -n 's|^/home/.*/var/\([^/]*\)/logs/.*|\1|p')
        else
            # cPanel: extract from filename
            domain=$(basename "$logfile" | sed 's/-ssl_log$//')
        fi
        # Skip if domain extraction failed
        [ -z "$domain" ] && continue
        # User filtering: skip domains not belonging to the specified user
        if [ -n "$FILTER_USER" ]; then
@@ -364,6 +337,12 @@ parse_logs() {
            fi
        fi
        # Show progress every N files
        file_count=$((file_count + 1))
        if [ $((file_count % progress_interval)) -eq 0 ]; then
            echo -ne "\r  Parsed $file_count log files... (current: $domain)"
        fi
        # Parse Apache Combined Log Format with error handling
        # Format: IP - - [timestamp] "METHOD URL PROTOCOL" STATUS SIZE "REFERRER" "USER-AGENT"
        awk -v domain="$domain" '
@@ -407,8 +386,11 @@ parse_logs() {
            if (ip != "" && ip !~ /^[[:space:]]*$/) {
                print ip "|" domain "|" request_url "|" status "|" size "|" user_agent "|" http_method "|" timestamp
            }
-        }' "$logfile" >> "$TEMP_DIR/parsed_logs.txt" 2>/dev/null
+        }' "$logfile" 2>/dev/null
-    done
+    done > "$TEMP_DIR/parsed_logs.txt"
    # Clear the progress line
    echo -ne "\r\033[K"
    if [ ! -s "$TEMP_DIR/parsed_logs.txt" ]; then
        print_alert "No log entries were parsed. Check log format or permissions."
@@ -417,7 +399,14 @@ parse_logs() {
    local line_count
    line_count=$(wc -l < "$TEMP_DIR/parsed_logs.txt")
-    print_success "Logs parsed successfully ($line_count entries)"
+    local file_size_kb
    file_size_kb=$(du -k "$TEMP_DIR/parsed_logs.txt" | cut -f1)
    # Compress for storage (gzip saves ~90% space on text)
    # But we keep uncompressed version for fast analysis
    gzip -c "$TEMP_DIR/parsed_logs.txt" > "$TEMP_DIR/parsed_logs.txt.gz" &
    print_success "Logs parsed successfully ($line_count entries, ${file_size_kb}KB uncompressed)"
    return 0
 }
@@ -516,7 +505,7 @@ classify_bots() {
        if (bot_type != "unknown") {
            print ip "|" domain "|" url "|" status "|" size "|" ua "|" method "|" timestamp "|" bot_type "|" bot_name
        }
-    }' "$TEMP_DIR/parsed_logs.txt" > "$TEMP_DIR/classified_bots.txt"
+    }' < "$TEMP_DIR/parsed_logs.txt" > "$TEMP_DIR/classified_bots.txt"
    if [ ! -s "$TEMP_DIR/classified_bots.txt" ]; then
        print_alert "Bot classification failed"
@@ -525,7 +514,13 @@ classify_bots() {
    local classified_count
    classified_count=$(wc -l < "$TEMP_DIR/classified_bots.txt")
-    print_success "Bot classification complete ($classified_count entries)"
+    local file_size_kb
    file_size_kb=$(du -k "$TEMP_DIR/classified_bots.txt" | cut -f1)
    # Compress for storage in background
    gzip -c "$TEMP_DIR/classified_bots.txt" > "$TEMP_DIR/classified_bots.txt.gz" &
    print_success "Bot classification complete ($classified_count entries, ${file_size_kb}KB uncompressed)"
    return 0
 }
@@ -612,7 +607,7 @@ detect_threats() {
        # Track response codes for intelligence
        print status > "'"$TEMP_DIR"'/response_codes_raw.txt"
    }
-    ' "$TEMP_DIR/parsed_logs.txt"
+    ' < <(cat "$TEMP_DIR/parsed_logs.txt")
    # Process attack vectors by type
    if [ -f "$TEMP_DIR/attack_vectors_raw.txt" ]; then
@@ -675,26 +670,26 @@ detect_threats() {
 detect_botnets() {
    print_info "Analyzing for botnet patterns..."
-    
+
    # Group IPs by similar behavior patterns
    # Pattern 1: Multiple IPs hitting same URLs in coordinated manner
-    awk -F'|' '{print $1"|"$3}' "$TEMP_DIR/parsed_logs.txt" | \
+    cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '{print $1"|"$3}' | \
        sort | uniq -c | awk '$1 > 10 {print $2}' | \
        cut -d'|' -f2 | sort | uniq -c | sort -rn | \
        awk '$1 > 5 {print $2}' > "$TEMP_DIR/coordinated_urls.txt"
-    
+
    # Pattern 2: IPs with similar User-Agents hitting multiple domains
-    awk -F'|' '{print $1"|"$6}' "$TEMP_DIR/parsed_logs.txt" | \
+    cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '{print $1"|"$6}' | \
        sort | uniq > "$TEMP_DIR/ip_ua_pairs.txt"
-    
+
    # Pattern 3: Detect IP ranges (Class C networks) with suspicious activity
-    awk -F'|' '{print $1}' "$TEMP_DIR/parsed_logs.txt" | \
+    cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '{print $1}' | \
        awk -F'.' '{print $1"."$2"."$3".0/24"}' | \
        sort | uniq -c | sort -rn | awk '$1 > 20' > "$TEMP_DIR/suspicious_networks.txt"
-    
+
    # Pattern 4: Rapid fire requests (DDoS indicators)
    # Extract timestamp and count requests per IP per minute
-    awk -F'|' '{
+    cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '{
        ip = $1
        timestamp = $8
        # Extract date/time components (handles format: DD/MMM/YYYY:HH:MM:SS)
@@ -703,13 +698,13 @@ detect_botnets() {
            time_key = ts[3] ts[2] ts[1] "_" ts[4] ts[5]
            print ip "|" time_key
        }
-    }' "$TEMP_DIR/parsed_logs.txt" | \
+    }' | \
        sort | uniq -c | \
        awk '$1 > 50 {print $1 " " $2}' | \
        awk -F'|' '{print $1}' | \
        awk '{ip=$2; count=$1; sum[ip]+=count; max[ip]=(count>max[ip]?count:max[ip])} END {for(ip in sum) print sum[ip], ip, max[ip]}' | \
        sort -rn > "$TEMP_DIR/rapid_fire_ips.txt"
-    
+
    print_success "Botnet analysis complete"
 }
@@ -765,10 +760,39 @@ detect_server_ips() {
    fi
 }
 # Helper function to validate IP address format
 is_valid_ip() {
    local ip="$1"
    # IPv4 validation
    if [[ "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        local IFS='.'
        local -a octets=($ip)
        for octet in "${octets[@]}"; do
            if [ "$octet" -gt 255 ]; then
                return 1  # Invalid
            fi
        done
        return 0  # Valid IPv4
    fi
    # IPv6 basic validation (simplified)
    if [[ "$ip" =~ ^([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}$ ]]; then
        return 0  # Valid IPv6
    fi
    return 1  # Invalid
 }
 # Helper function to check if an IP should be excluded
 is_excluded_ip() {
    local ip="$1"
    # First validate IP format
    if ! is_valid_ip "$ip"; then
        return 0  # Exclude invalid IPs
    fi
    # Check if private/internal IP
    if [[ "$ip" =~ ^127\. ]] || \
       [[ "$ip" =~ ^10\. ]] || \
@@ -798,13 +822,13 @@ analyze_time_series() {
    print_info "Analyzing time-series patterns..."
    # Extract hourly bot traffic
-    awk -F'|' '$9 != "unknown" {
+    cat "$TEMP_DIR/classified_bots.txt" | awk -F'|' '$9 != "unknown" {
        timestamp = $8
        if (match(timestamp, /([0-9]{2})\/([A-Za-z]{3})\/([0-9]{4}):([0-9]{2}):([0-9]{2}):([0-9]{2})/, ts)) {
            hour = ts[4]
            print hour
        }
-    }' "$TEMP_DIR/classified_bots.txt" | sort | uniq -c > "$TEMP_DIR/hourly_bot_traffic.txt"
+    }' | sort | uniq -c > "$TEMP_DIR/hourly_bot_traffic.txt"
    # Extract hourly attack traffic
    if [ -f "$TEMP_DIR/attack_vectors_raw.txt" ]; then
@@ -815,7 +839,7 @@ analyze_time_series() {
                hour = ts[4]
                print hour
            }
-        }' "$TEMP_DIR/attack_vectors_raw.txt" "$TEMP_DIR/parsed_logs.txt" | sort | uniq -c > "$TEMP_DIR/hourly_attack_traffic.txt"
+        }' "$TEMP_DIR/attack_vectors_raw.txt" <(cat "$TEMP_DIR/parsed_logs.txt") | sort | uniq -c > "$TEMP_DIR/hourly_attack_traffic.txt"
    fi
    print_success "Time-series analysis complete"
@@ -832,59 +856,50 @@ calculate_threat_scores() {
    declare -A ip_request_counts
    while IFS='|' read -r ip rest; do
        ((ip_request_counts["$ip"]++))
-    done < "$TEMP_DIR/parsed_logs.txt"
+    done < <(cat "$TEMP_DIR/parsed_logs.txt")
    # Build hash tables from threat files for O(1) lookups
    # OPTIMIZATION: Use awk instead of echo|awk|cut in loops (10x faster)
    declare -A threat_ips_sqli threat_ips_xss threat_ips_path threat_ips_rce threat_ips_login
    declare -A threat_ips_suspicious threat_ips_ddos threat_admin_count threat_404_count
-    # Parse each threat file and build hash tables
+    # Parse each threat file and build hash tables (optimized with awk)
-    [ -f "$TEMP_DIR/sqli_attempts.txt" ] && while read -r line; do
+    [ -f "$TEMP_DIR/sqli_attempts.txt" ] && while read -r ip; do
-        ip=$(echo "$line" | awk '{print $2}' | cut -d'|' -f1)
+        threat_ips_sqli["$ip"]=1
-        [ -n "$ip" ] && threat_ips_sqli["$ip"]=1
+    done < <(awk '{print $2}' "$TEMP_DIR/sqli_attempts.txt" | cut -d'|' -f1)
    done < "$TEMP_DIR/sqli_attempts.txt"
-    [ -f "$TEMP_DIR/xss_attempts.txt" ] && while read -r line; do
+    [ -f "$TEMP_DIR/xss_attempts.txt" ] && while read -r ip; do
-        ip=$(echo "$line" | awk '{print $2}' | cut -d'|' -f1)
+        threat_ips_xss["$ip"]=1
-        [ -n "$ip" ] && threat_ips_xss["$ip"]=1
+    done < <(awk '{print $2}' "$TEMP_DIR/xss_attempts.txt" | cut -d'|' -f1)
    done < "$TEMP_DIR/xss_attempts.txt"
-    [ -f "$TEMP_DIR/path_traversal_attempts.txt" ] && while read -r line; do
+    [ -f "$TEMP_DIR/path_traversal_attempts.txt" ] && while read -r ip; do
-        ip=$(echo "$line" | awk '{print $2}' | cut -d'|' -f1)
+        threat_ips_path["$ip"]=1
-        [ -n "$ip" ] && threat_ips_path["$ip"]=1
+    done < <(awk '{print $2}' "$TEMP_DIR/path_traversal_attempts.txt" | cut -d'|' -f1)
    done < "$TEMP_DIR/path_traversal_attempts.txt"
-    [ -f "$TEMP_DIR/rce_upload_attempts.txt" ] && while read -r line; do
+    [ -f "$TEMP_DIR/rce_upload_attempts.txt" ] && while read -r ip; do
-        ip=$(echo "$line" | awk '{print $2}' | cut -d'|' -f1)
+        threat_ips_rce["$ip"]=1
-        [ -n "$ip" ] && threat_ips_rce["$ip"]=1
+    done < <(awk '{print $2}' "$TEMP_DIR/rce_upload_attempts.txt" | cut -d'|' -f1)
    done < "$TEMP_DIR/rce_upload_attempts.txt"
-    [ -f "$TEMP_DIR/login_bruteforce_attempts.txt" ] && while read -r line; do
+    [ -f "$TEMP_DIR/login_bruteforce_attempts.txt" ] && while read -r ip; do
-        ip=$(echo "$line" | awk '{print $2}' | cut -d'|' -f1)
+        threat_ips_login["$ip"]=1
-        [ -n "$ip" ] && threat_ips_login["$ip"]=1
+    done < <(awk '{print $2}' "$TEMP_DIR/login_bruteforce_attempts.txt" | cut -d'|' -f1)
    done < "$TEMP_DIR/login_bruteforce_attempts.txt"
-    [ -f "$TEMP_DIR/suspicious_ua.txt" ] && while read -r line; do
+    [ -f "$TEMP_DIR/suspicious_ua.txt" ] && while read -r ip; do
-        ip=$(echo "$line" | awk '{print $2}' | cut -d'|' -f1)
+        threat_ips_suspicious["$ip"]=1
-        [ -n "$ip" ] && threat_ips_suspicious["$ip"]=1
+    done < <(awk '{print $2}' "$TEMP_DIR/suspicious_ua.txt" | cut -d'|' -f1)
    done < "$TEMP_DIR/suspicious_ua.txt"
-    [ -f "$TEMP_DIR/rapid_fire_ips.txt" ] && while read -r line; do
+    [ -f "$TEMP_DIR/rapid_fire_ips.txt" ] && while read -r ip; do
-        ip=$(echo "$line" | awk '{print $2}')
+        threat_ips_ddos["$ip"]=1
-        [ -n "$ip" ] && threat_ips_ddos["$ip"]=1
+    done < <(awk '{print $2}' "$TEMP_DIR/rapid_fire_ips.txt")
    done < "$TEMP_DIR/rapid_fire_ips.txt"
-    [ -f "$TEMP_DIR/admin_probes.txt" ] && while read -r line; do
+    # Parse count-based threat files
-        count=$(echo "$line" | awk '{print $1}')
+    [ -f "$TEMP_DIR/admin_probes.txt" ] && while read -r count ip; do
        ip=$(echo "$line" | awk '{print $2}' | cut -d'|' -f1)
        [ -n "$ip" ] && threat_admin_count["$ip"]=$count
-    done < "$TEMP_DIR/admin_probes.txt"
+    done < <(awk '{print $1, $2}' "$TEMP_DIR/admin_probes.txt" | sed 's/|.*//')
-    [ -f "$TEMP_DIR/404_scans.txt" ] && while read -r line; do
+    [ -f "$TEMP_DIR/404_scans.txt" ] && while read -r count ip; do
        count=$(echo "$line" | awk '{print $1}')
        ip=$(echo "$line" | awk '{print $2}' | cut -d'|' -f1)
        [ -n "$ip" ] && threat_404_count["$ip"]=$count
-    done < "$TEMP_DIR/404_scans.txt"
+    done < <(awk '{print $1, $2}' "$TEMP_DIR/404_scans.txt" | sed 's/|.*//')
    # Now calculate scores for each IP (using pre-counted requests)
    for ip in "${!ip_request_counts[@]}"; do
@@ -920,14 +935,59 @@ calculate_threat_scores() {
        scan_404=${threat_404_count[$ip]:-0}
        [ "$scan_404" -gt 50 ] 2>/dev/null && score=$((score + 3))
        # OPTIMIZATION: Skip external API calls for performance
        # Threat Intelligence Enrichment can be done post-analysis for high-risk IPs only
        # Uncommenting these will SIGNIFICANTLY slow down analysis (API calls for every IP)
        #
        # To enable threat intelligence enrichment:
        # 1. Uncomment the code below
        # 2. Ensure check_abuseipdb, get_country_code, and is_high_risk_country functions exist
        # 3. Be aware this will make thousands of API calls and take much longer
        #
        # local abuse_data=$(check_abuseipdb "$ip" 2>/dev/null || echo "0|0|Unknown|Unknown")
        # IFS='|' read -r abuse_confidence abuse_reports abuse_country abuse_isp <<< "$abuse_data"
        #
        # if [ "$abuse_confidence" -ge 75 ]; then
        #     score=$((score + 15))  # High confidence malicious
        # elif [ "$abuse_confidence" -ge 50 ]; then
        #     score=$((score + 8))   # Moderate confidence
        # elif [ "$abuse_confidence" -ge 25 ]; then
        #     score=$((score + 3))   # Low confidence
        # fi
        #
        # local geo_country=$(get_country_code "$ip" 2>/dev/null || echo "XX")
        # if is_high_risk_country "$geo_country" 2>/dev/null; then
        #     score=$((score + 5))   # High-risk country bonus
        # fi
        # Cap at 100
        [ $score -gt 100 ] && score=100
        # Only output IPs with score > 0
        [ $score -gt 0 ] && echo "$score|$ip|$req_count"
        # Track in centralized IP reputation database (background process)
        if [ $score -gt 0 ]; then
            (
                # Update IP with hit count
                increment_ip_hits "$ip" "$req_count" >/dev/null 2>&1
                # Tag with specific attack types found
                [ -n "${threat_ips_sqli[$ip]}" ] && flag_ip_attack "$ip" "SQL_INJECTION" 0 "Bot analyzer: SQL injection attempts" >/dev/null 2>&1
                [ -n "${threat_ips_xss[$ip]}" ] && flag_ip_attack "$ip" "XSS" 0 "Bot analyzer: XSS attempts" >/dev/null 2>&1
                [ -n "${threat_ips_path[$ip]}" ] && flag_ip_attack "$ip" "PATH_TRAVERSAL" 0 "Bot analyzer: Path traversal" >/dev/null 2>&1
                [ -n "${threat_ips_rce[$ip]}" ] && flag_ip_attack "$ip" "RCE" 0 "Bot analyzer: RCE/shell upload attempts" >/dev/null 2>&1
                [ -n "${threat_ips_login[$ip]}" ] && flag_ip_attack "$ip" "BRUTEFORCE" 0 "Bot analyzer: Login bruteforce" >/dev/null 2>&1
                [ -n "${threat_ips_ddos[$ip]}" ] && flag_ip_attack "$ip" "DDOS" 0 "Bot analyzer: Rapid-fire requests" >/dev/null 2>&1
                [ -n "${threat_ips_suspicious[$ip]}" ] && flag_ip_attack "$ip" "SCANNER" 0 "Bot analyzer: Suspicious user-agent" >/dev/null 2>&1
            ) &
        fi
    done | sort -t'|' -k1 -rn > "$TEMP_DIR/threat_scores.txt"
-    print_success "Threat scores calculated"
+    # Wait for background IP reputation updates to complete
    wait
    print_success "Threat scores calculated and IP reputation updated"
 }
 #############################################################################
@@ -938,7 +998,7 @@ detect_false_positives() {
    print_info "Detecting legitimate services (false positives)..."
    # Known monitoring service patterns
-    awk -F'|' '{
+    cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '{
        ip = $1
        domain = $2
        url = $3
@@ -964,7 +1024,7 @@ detect_false_positives() {
        else if (match(ua, /jetpack|vaultpress|updraftplus/)) {
            print ip "|Backup Service|" ua "|" domain
        }
-    }' "$TEMP_DIR/parsed_logs.txt" | sort -u > "$TEMP_DIR/false_positives.txt"
+    }' | sort -u > "$TEMP_DIR/false_positives.txt"
    print_success "False positive detection complete"
 }
@@ -975,34 +1035,62 @@ detect_false_positives() {
 generate_statistics() {
    print_info "Generating statistics..."
-    
+
-    # Top 5 bots by request count
+    # OPTIMIZATION: Use single-pass AWK to generate multiple stats from parsed logs
-    awk -F'|' '$9 != "unknown" {print $10}' "$TEMP_DIR/classified_bots.txt" | \
+    # This reads the uncompressed file ONCE instead of 4+ separate reads
    cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '
    {
        # Count by domain (for top sites)
        domains[$2]++
        # Count by IP (for top IPs)
        ips[$1]++
        # Count by domain+URL (for top URLs)
        urls[$2"|"$3]++
    }
    END {
        # Output top sites
        for (domain in domains) {
            print domains[domain], domain > "'"$TEMP_DIR"'/top_sites_raw.txt"
        }
        # Output top IPs
        for (ip in ips) {
            print ips[ip], ip > "'"$TEMP_DIR"'/top_ips_raw.txt"
        }
        # Output top URLs
        for (url in urls) {
            print urls[url], url > "'"$TEMP_DIR"'/top_urls_raw.txt"
        }
    }'
    # Sort and limit results
    sort -rn "$TEMP_DIR/top_sites_raw.txt" | head -5 > "$TEMP_DIR/top_sites.txt"
    sort -rn "$TEMP_DIR/top_ips_raw.txt" | head -5 > "$TEMP_DIR/top_ips.txt"
    sort -rn "$TEMP_DIR/top_urls_raw.txt" | head -5 > "$TEMP_DIR/top_urls.txt"
    # Top 5 bots by request count (single decompression)
    cat "$TEMP_DIR/classified_bots.txt" | awk -F'|' '$9 != "unknown" {print $10}' | \
        sort | uniq -c | sort -rn | head -5 > "$TEMP_DIR/top_bots.txt"
-    
+
-    # Top 5 most-hit sites
+    # Traffic breakdown by bot type (single decompression)
-    awk -F'|' '{print $2}' "$TEMP_DIR/parsed_logs.txt" | \
+    cat "$TEMP_DIR/classified_bots.txt" | awk -F'|' '{print $9}' | \
        sort | uniq -c | sort -rn | head -5 > "$TEMP_DIR/top_sites.txt"
    # Top 5 most-hit URLs
    awk -F'|' '{print $2"|"$3}' "$TEMP_DIR/parsed_logs.txt" | \
        sort | uniq -c | sort -rn | head -5 > "$TEMP_DIR/top_urls.txt"
    # Top 5 IP addresses by request count
    awk -F'|' '{print $1}' "$TEMP_DIR/parsed_logs.txt" | \
        sort | uniq -c | sort -rn | head -5 > "$TEMP_DIR/top_ips.txt"
    # Traffic breakdown by bot type
    awk -F'|' '{print $9}' "$TEMP_DIR/classified_bots.txt" | \
        sort | uniq -c | sort -rn > "$TEMP_DIR/traffic_breakdown.txt"
-    
+
-    # Per-domain traffic sources
+    # Per-domain traffic sources (OPTIMIZED: read uncompressed file once, use grep)
-    while read -r domain; do
+    if [ -f "$TEMP_DIR/all_domains.txt" ]; then
-        echo "$domain" > "$TEMP_DIR/domain_${domain}_stats.txt"
+        # Create indexed bot traffic file (decompress once)
-        grep "|$domain|" "$TEMP_DIR/classified_bots.txt" | \
+        cat "$TEMP_DIR/classified_bots.txt" | awk -F'|' '{print $2"|"$9}' > "$TEMP_DIR/domain_bot_types.txt"
-            awk -F'|' '{print $9}' | sort | uniq -c | sort -rn >> "$TEMP_DIR/domain_${domain}_stats.txt"
+
-    done < <(awk -F'|' '{print $2}' "$TEMP_DIR/parsed_logs.txt" | sort -u)
+        while read -r domain; do
-    
+            echo "$domain" > "$TEMP_DIR/domain_${domain}_stats.txt"
            grep "^$domain|" "$TEMP_DIR/domain_bot_types.txt" | cut -d'|' -f2 | \
                sort | uniq -c | sort -rn >> "$TEMP_DIR/domain_${domain}_stats.txt"
        done < "$TEMP_DIR/all_domains.txt"
    fi
    print_success "Statistics generated"
 }
@@ -1085,19 +1173,19 @@ generate_report() {
    # QUICK STATS DASHBOARD
    print_header "QUICK STATS DASHBOARD"
-    total_requests=$(wc -l < "$TEMP_DIR/parsed_logs.txt")
+    total_requests=$(cat "$TEMP_DIR/parsed_logs.txt" | wc -l)
-    unique_ips=$(awk -F'|' '{print $1}' "$TEMP_DIR/parsed_logs.txt" | sort -u | wc -l)
+    unique_ips=$(cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '{print $1}' | sort -u | wc -l)
-    unique_domains=$(awk -F'|' '{print $2}' "$TEMP_DIR/parsed_logs.txt" | sort -u | wc -l)
+    unique_domains=$(cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '{print $2}' | sort -u | wc -l)
-    bot_requests=$(awk -F'|' '$9 != "unknown"' "$TEMP_DIR/classified_bots.txt" | wc -l)
+    bot_requests=$(cat "$TEMP_DIR/classified_bots.txt" | awk -F'|' '$9 != "unknown"' | wc -l)
    # Count private/internal IPs (excluded from threat analysis)
-    private_ips=$(awk -F'|' '{print $1}' "$TEMP_DIR/parsed_logs.txt" | sort -u | grep -E '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.)' | wc -l)
+    private_ips=$(cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '{print $1}' | sort -u | grep -E '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.)' | wc -l)
    # Count server's own IPs in the logs
    server_ip_hits=0
    if [ -f "$TEMP_DIR/server_ips.txt" ] && [ -s "$TEMP_DIR/server_ips.txt" ]; then
        while read -r server_ip; do
-            if grep -q "^$server_ip|" "$TEMP_DIR/parsed_logs.txt" 2>/dev/null; then
+            if cat "$TEMP_DIR/parsed_logs.txt" | grep -q "^$server_ip|" 2>/dev/null; then
                server_ip_hits=$((server_ip_hits + 1))
            fi
        done < "$TEMP_DIR/server_ips.txt"
@@ -1200,7 +1288,7 @@ generate_report() {
            ip=$(echo "$line" | cut -d'|' -f1)
            service=$(echo "$line" | cut -d'|' -f2)
            domain=$(echo "$line" | cut -d'|' -f4)
-            req_count=$(grep -c "^$ip|" "$TEMP_DIR/parsed_logs.txt" 2>/dev/null || echo 0)
+            req_count=$(cat "$TEMP_DIR/parsed_logs.txt" 2>/dev/null | grep -c "^$ip|" || echo 0)
            echo "  $ip - $req_count requests - Identified as: $service"
            echo "    → Domain: $domain"
            echo "    → Action: VERIFY OWNERSHIP then whitelist"
@@ -1311,8 +1399,8 @@ generate_report() {
    if [ -s "$TEMP_DIR/large_transfers.txt" ]; then
        # Calculate total bot bandwidth
        total_bot_bandwidth=0
-        if [ -f "$TEMP_DIR/classified_bots.txt" ]; then
+        if [ -f "$TEMP_DIR/classified_bots.txt.gz" ]; then
-            total_bot_bandwidth=$(awk -F'|' '$9 != "unknown" && $5 ~ /^[0-9]+$/ {sum += $5} END {print sum}' "$TEMP_DIR/classified_bots.txt")
+            total_bot_bandwidth=$(cat "$TEMP_DIR/classified_bots.txt" | awk -F'|' '$9 != "unknown" && $5 ~ /^[0-9]+$/ {sum += $5} END {print sum}')
        fi
        if [ -n "$total_bot_bandwidth" ] && [ "$total_bot_bandwidth" -gt 0 ]; then
@@ -1321,7 +1409,7 @@ generate_report() {
            # Estimate cost at $0.09/GB (typical CDN pricing)
            estimated_cost=$(awk "BEGIN {printf \"%.2f\", ($total_bot_bandwidth/1073741824) * 0.09}")
-            total_bandwidth=$(awk -F'|' '$5 ~ /^[0-9]+$/ {sum += $5} END {print sum}' "$TEMP_DIR/parsed_logs.txt")
+            total_bandwidth=$(cat "$TEMP_DIR/parsed_logs.txt" | awk -F'|' '$5 ~ /^[0-9]+$/ {sum += $5} END {print sum}')
            bot_pct=$(awk "BEGIN {printf \"%.1f\", ($total_bot_bandwidth/$total_bandwidth)*100}")
            echo ""
@@ -1548,8 +1636,8 @@ baseline_health_check() {
    # If no domains found from log files, try reference database
    if [ ! -s "$TEMP_DIR/domain_list.txt" ]; then
-        if [ -s "$TOOLKIT_BASE_DIR/.sysref" ]; then
+        if [ -s "$SCRIPT_DIR/.sysref" ]; then
-            grep "^DOMAIN|" "$TOOLKIT_BASE_DIR/.sysref" 2>/dev/null | \
+            grep "^DOMAIN|" "$SCRIPT_DIR/.sysref" 2>/dev/null | \
                cut -d'|' -f2 | sort -u > "$TEMP_DIR/domain_list.txt"
        fi
    fi
@@ -1704,45 +1792,83 @@ main() {
    echo ""
    print_header "Starting Apache/cPanel Bot Analysis"
-    # Check if log directory exists
+    # InterWorx requires special log discovery (logs are in /home/user/var/domain.com/logs/)
-    if [ ! -d "$LOG_DIR" ]; then
+    if [ "$SYS_CONTROL_PANEL" = "interworx" ]; then
-        print_alert "Error: Log directory not found: $LOG_DIR"
+        print_info "InterWorx detected - discovering domain logs..."
        echo "Please specify the correct log directory with -l option"
        exit 1
    fi
-    # Check if logs exist
+        # Build time filter options
-    local find_opts=()
+        local find_opts=()
-    if [ -n "$HOURS_BACK" ]; then
+        if [ -n "$HOURS_BACK" ]; then
-        local minutes=$((HOURS_BACK * 60))
+            local minutes=$((HOURS_BACK * 60))
-        find_opts+=(-mmin -"$minutes")
+            find_opts+=(-mmin -"$minutes")
-    elif [ -n "$DAYS_BACK" ]; then
+        elif [ -n "$DAYS_BACK" ]; then
-        find_opts+=(-mtime -"$DAYS_BACK")
+            find_opts+=(-mtime -"$DAYS_BACK")
        fi
        # Find all transfer.log files in InterWorx structure
        log_count=$(find /home/*/var/*/logs -type f -name "transfer.log" "${find_opts[@]}" 2>/dev/null | wc -l)
        if [ "$log_count" -eq 0 ]; then
            print_alert "Error: No InterWorx access logs found in /home/*/var/*/logs/"
            if [ -n "$HOURS_BACK" ]; then
                echo "No logs found from the last $HOURS_BACK hours"
            elif [ -n "$DAYS_BACK" ]; then
                echo "No logs found from the last $DAYS_BACK days"
            fi
            exit 1
        fi
        print_info "Found $log_count InterWorx domain log files to analyze"
        # Override LOG_DIR for parse_logs function to use
        export INTERWORX_MODE="yes"
        export INTERWORX_FIND_OPTS="${find_opts[*]}"
    else
        # Standard cPanel/Plesk log discovery
        # Check if log directory exists
        if [ ! -d "$LOG_DIR" ]; then
            print_alert "Error: Log directory not found: $LOG_DIR"
            echo "Please specify the correct log directory with -l option"
            exit 1
        fi
        # Check if logs exist
        local find_opts=()
        if [ -n "$HOURS_BACK" ]; then
            local minutes=$((HOURS_BACK * 60))
            find_opts+=(-mmin -"$minutes")
        elif [ -n "$DAYS_BACK" ]; then
            find_opts+=(-mtime -"$DAYS_BACK")
        fi
        log_count=$(find "$LOG_DIR" -type f ! -name "*-bytes_log" ! -name "*.offset" ! -name "*error_log" "${find_opts[@]}" 2>/dev/null | wc -l)
        if [ "$log_count" -eq 0 ]; then
            print_alert "Error: No log files found in $LOG_DIR"
            if [ -n "$HOURS_BACK" ]; then
                echo "No logs found from the last $HOURS_BACK hours"
            elif [ -n "$DAYS_BACK" ]; then
                echo "No logs found from the last $DAYS_BACK days"
            fi
            exit 1
        fi
        print_info "Found $log_count log files to analyze"
    fi
    # User filtering
    if [ -n "$FILTER_USER" ]; then
        print_info "Filtering logs for user: $FILTER_USER"
-        user_domains=$(get_user_domains "$FILTER_USER")
+        export user_domains=$(get_user_domains "$FILTER_USER")
        if [ -z "$user_domains" ]; then
            print_error "No domains found for user: $FILTER_USER"
            exit 1
        fi
        print_info "User has $(echo "$user_domains" | wc -l) domain(s)"
    else
        export user_domains=""
    fi
-    log_count=$(find "$LOG_DIR" -type f ! -name "*-bytes_log" ! -name "*.offset" ! -name "*error_log" "${find_opts[@]}" 2>/dev/null | wc -l)
+    # Print time range info
    if [ "$log_count" -eq 0 ]; then
        print_alert "Error: No log files found in $LOG_DIR"
        if [ -n "$HOURS_BACK" ]; then
            echo "No logs found from the last $HOURS_BACK hours"
        elif [ -n "$DAYS_BACK" ]; then
            echo "No logs found from the last $DAYS_BACK days"
        fi
        exit 1
    fi
    print_info "Found $log_count log files to analyze"
    if [ -n "$HOURS_BACK" ]; then
        print_info "Analyzing logs from the last $HOURS_BACK hours"
    elif [ -n "$DAYS_BACK" ]; then
@@ -1796,65 +1922,77 @@ analyze_domain_threats() {
    > "$TEMP_DIR/domain_threats.txt"
    > "$TEMP_DIR/domain_high_risk_ips.txt"
-    # Get all unique domains from parsed logs
+    # MASSIVE OPTIMIZATION: Single AWK pass instead of nested loops with 25,000+ greps
-    awk -F'|' '{print $2}' "$TEMP_DIR/parsed_logs.txt" 2>/dev/null | sort -u > "$TEMP_DIR/all_domains.txt"
+    # Old approach: O(domains × high_risk_IPs × file_size) = 83 minutes for 500 domains
    # New approach: O(file_size) = seconds
-    # For each domain, calculate threat metrics
+    awk -F'|' '
-    while read -r domain; do
+    BEGIN {
-        [ -z "$domain" ] && continue
+        # Load high-risk IPs into memory
        while ((getline < "'"$TEMP_DIR"'/threat_scores.txt") > 0) {
            score = $1
            ip = $2
            if (score >= 70) {
                high_risk[ip] = score
            }
        }
        close("'"$TEMP_DIR"'/threat_scores.txt")
-        # Total requests to this domain
+        # Load attack vectors
-        local total_requests=$(grep -c "^[^|]*|$domain|" "$TEMP_DIR/parsed_logs.txt" 2>/dev/null || echo "0")
+        while ((getline < "'"$TEMP_DIR"'/attack_vectors_raw.txt") > 0) {
            domain = $2
            attack_counts[domain]++
        }
        close("'"$TEMP_DIR"'/attack_vectors_raw.txt")
    }
-        # Bot requests to this domain
+    # Process parsed logs (single pass)
-        local bot_requests=$(grep "|$domain|" "$TEMP_DIR/classified_bots.txt" 2>/dev/null | wc -l || echo "0")
+    {
        ip = $1
        domain = $2
-        # High-risk IPs hitting this domain (score >= 70)
+        # Count total requests per domain
-        local high_risk_count=0
+        domain_requests[domain]++
        local high_risk_ips=""
-        if [ -s "$TEMP_DIR/threat_scores.txt" ]; then
+        # Track high-risk IPs per domain
-            while read -r score_line; do
+        if (ip in high_risk) {
-                local score=$(echo "$score_line" | cut -d'|' -f1)
+            domain_high_risk_count[domain]++
-                local ip=$(echo "$score_line" | cut -d'|' -f2)
+            domain_high_risk_ips[domain] = domain_high_risk_ips[domain] ip ":" high_risk[ip] ":" ++domain_ip_count[domain":"ip] " "
        }
    }
    END {
        # Now process classified bots
        while ((getline < "'"$TEMP_DIR"'/classified_bots.txt") > 0) {
            domain = $2
            bot_counts[domain]++
        }
        close("'"$TEMP_DIR"'/classified_bots.txt")
-                if [ "$score" -ge 70 ]; then
+        # Output results for each domain
-                    # Check if this IP hit this domain
+        for (domain in domain_requests) {
-                    if grep -q "^$ip|$domain|" "$TEMP_DIR/parsed_logs.txt" 2>/dev/null; then
+            total_req = domain_requests[domain]
-                        local ip_requests=$(grep -c "^$ip|$domain|" "$TEMP_DIR/parsed_logs.txt" 2>/dev/null || echo "0")
+            bot_req = bot_counts[domain] + 0
-                        high_risk_count=$((high_risk_count + 1))
+            bot_pct = (total_req > 0) ? (bot_req / total_req * 100) : 0
-                        high_risk_ips="${high_risk_ips}${ip}:${score}:${ip_requests} "
+            high_risk_count = domain_high_risk_count[domain] + 0
-                    fi
+            attacks = attack_counts[domain] + 0
-                fi
+            high_risk_detail = domain_high_risk_ips[domain]
            done < "$TEMP_DIR/threat_scores.txt"
        fi
-        # Attack attempts targeting this domain
+            # domain|total_requests|bot_requests|bot_percentage|high_risk_ip_count|attack_attempts|high_risk_ips_detail
-        local attack_attempts=0
+            printf "%s|%d|%d|%.1f|%d|%d|%s\n", domain, total_req, bot_req, bot_pct, high_risk_count, attacks, high_risk_detail > "'"$TEMP_DIR"'/domain_threats.txt"
        if [ -s "$TEMP_DIR/attack_vectors_raw.txt" ]; then
            attack_attempts=$(grep "|$domain|" "$TEMP_DIR/attack_vectors_raw.txt" 2>/dev/null | wc -l || echo "0")
        fi
-        # Calculate bot percentage
+            # Track high-risk IPs per domain
-        local bot_percentage=0
+            if (high_risk_count > 0) {
-        if [ "$total_requests" -gt 0 ]; then
+                printf "%s|%d|%s\n", domain, high_risk_count, high_risk_detail > "'"$TEMP_DIR"'/domain_high_risk_ips.txt"
-            bot_percentage=$(awk "BEGIN {printf \"%.1f\", ($bot_requests / $total_requests) * 100}")
+            }
-        fi
+        }
-
+    }' "$TEMP_DIR/parsed_logs.txt"
        # Store domain threat data
        # Format: domain|total_requests|bot_requests|bot_percentage|high_risk_ip_count|attack_attempts|high_risk_ips_detail
        echo "$domain|$total_requests|$bot_requests|$bot_percentage|$high_risk_count|$attack_attempts|$high_risk_ips" >> "$TEMP_DIR/domain_threats.txt"
        # Track which high-risk IPs hit which domains
        if [ $high_risk_count -gt 0 ]; then
            echo "$domain|$high_risk_count|$high_risk_ips" >> "$TEMP_DIR/domain_high_risk_ips.txt"
        fi
    done < "$TEMP_DIR/all_domains.txt"
    # Sort by high-risk IP count (descending)
    sort -t'|' -k5 -rn "$TEMP_DIR/domain_threats.txt" > "$TEMP_DIR/domain_threats_sorted.txt"
    # Get all unique domains
    awk -F'|' '{print $1}' "$TEMP_DIR/domain_threats.txt" | sort -u > "$TEMP_DIR/all_domains.txt"
    print_success "Domain threat analysis complete"
 }
@@ -2729,8 +2867,8 @@ execute_htaccess_domain_blocking() {
    # Find document root for this domain using reference database
    local doc_root=""
-    if [ -s "$TOOLKIT_BASE_DIR/.sysref" ]; then
+    if [ -s "$SCRIPT_DIR/.sysref" ]; then
-        doc_root=$(grep "^DOMAIN|$target_domain|" "$TOOLKIT_BASE_DIR/.sysref" 2>/dev/null | head -1 | cut -d'|' -f4)
+        doc_root=$(grep "^DOMAIN|$target_domain|" "$SCRIPT_DIR/.sysref" 2>/dev/null | head -1 | cut -d'|' -f4)
    fi
    if [ -z "$doc_root" ]; then
@@ -2774,7 +2912,7 @@ execute_htaccess_domain_blocking() {
    print_info "Adding bot blocking rules..."
    # Get high-risk IPs for this domain
-    local block_ips=$(grep "^[^|]*|$target_domain|" "$TEMP_DIR/parsed_logs.txt" 2>/dev/null | cut -d'|' -f1 | sort -u | while read ip; do
+    local block_ips=$(cat "$TEMP_DIR/parsed_logs.txt" 2>/dev/null | grep "^[^|]*|$target_domain|" | cut -d'|' -f1 | sort -u | while read ip; do
        # Check if this IP has high threat score
        if grep -q "|$ip$" "$TEMP_DIR/threat_scores.txt" 2>/dev/null; then
            local score=$(grep "|$ip$" "$TEMP_DIR/threat_scores.txt" | cut -d'|' -f1)
@@ -0,0 +1,494 @@
 #!/bin/bash
 ################################################################################
 # IP Reputation Manager
 ################################################################################
 # Purpose: View, query, and manage the centralized IP reputation database
 # Features:
 # - Query individual IPs
 # - View top malicious IPs
 # - View top active IPs
 # - Export database
 # - Database statistics
 # - Cleanup old entries
 # - Manual IP flagging/whitelisting
 ################################################################################
 # Get script directory
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 source "$SCRIPT_DIR/lib/ip-reputation.sh"
 # Require root
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 # Menu display
 show_menu() {
    clear
    print_banner "IP Reputation Manager"
    # Show quick stats
    local total_ips=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo 0)
    local db_size=$(du -h "$IP_REP_DB" 2>/dev/null | awk '{print $1}' || echo "0B")
    echo ""
    echo -e "${BLUE}${BOLD}Database Status:${NC} $total_ips IPs tracked | Size: $db_size"
    echo ""
    echo -e "${BOLD}Query & View:${NC}"
    echo ""
    echo -e "  ${GREEN}1)${NC} Query IP Reputation       - Look up specific IP"
    echo -e "  ${GREEN}2)${NC} Top Malicious IPs         - Highest reputation scores"
    echo -e "  ${GREEN}3)${NC} Top Active IPs            - Most hits/requests"
    echo -e "  ${GREEN}4)${NC} Database Statistics       - Overview of tracked IPs"
    echo -e "  ${GREEN}5)${NC} Live Monitoring           - Real-time reputation updates"
    echo ""
    echo -e "${BOLD}Database Management:${NC}"
    echo ""
    echo -e "  ${BLUE}6)${NC} Export Database           - Export to readable text file"
    echo -e "  ${BLUE}7)${NC} Cleanup Old Entries       - Remove IPs not seen in X days"
    echo -e "  ${BLUE}8)${NC} Compact Database          - Remove duplicate entries (faster writes)"
    echo -e "  ${BLUE}9)${NC} Rebuild Index             - Optimize database for speed"
    echo ""
    echo -e "${BOLD}Manual Actions:${NC}"
    echo ""
    echo -e "  ${YELLOW}10)${NC} Flag IP as Malicious      - Manually mark IP as threat"
    echo -e "  ${YELLOW}11)${NC} Mark IP as Legitimate     - Whitelist/reduce score"
    echo -e "  ${YELLOW}12)${NC} Import IPs from Log       - Batch import from file"
    echo ""
    echo -e "  ${RED}0)${NC} Exit"
    echo ""
    echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
    echo -n "Select option: "
 }
 # Query individual IP
 query_ip_interactive() {
    clear
    print_banner "Query IP Reputation"
    echo ""
    echo -n "Enter IP address to query: "
    read -r ip_address
    if [ -z "$ip_address" ]; then
        print_error "No IP address provided"
        press_enter
        return
    fi
    # Validate IP format (basic check)
    if ! [[ "$ip_address" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        print_error "Invalid IP address format"
        press_enter
        return
    fi
    echo ""
    query_ip_reputation "$ip_address"
    echo ""
    press_enter
 }
 # View top malicious IPs
 view_top_malicious() {
    clear
    print_banner "Top Malicious IPs"
    echo ""
    echo -n "How many top IPs to show? [20]: "
    read -r limit
    limit="${limit:-20}"
    echo ""
    echo -e "${RED}${BOLD}Top $limit Most Malicious IPs (by Reputation Score)${NC}"
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    printf "%-15s | %-7s | %-4s | %-8s | %-8s | %-30s\n" \
        "IP ADDRESS" "HITS" "CTRY" "REP" "LEVEL" "ATTACK TYPES"
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    get_top_malicious_ips "$limit" | while IFS='|' read -r ip hit_count rep_score country attack_flags first_seen last_seen last_activity notes; do
        local category=$(get_ip_reputation_category "$rep_score")
        local attacks=$(decode_attack_flags "$attack_flags")
        # Color code by reputation
        local color="$NC"
        case "$category" in
            CRITICAL) color="$RED$BOLD" ;;
            HIGH) color="$RED" ;;
            MEDIUM) color="$YELLOW" ;;
            LOW) color="$CYAN" ;;
        esac
        printf "${color}%-15s | %-7s | %-4s | %-3s/100 | %-8s | %-30s${NC}\n" \
            "$ip" "$hit_count" "$country" "$rep_score" "$category" "${attacks:0:30}"
    done
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    echo ""
    press_enter
 }
 # View top active IPs
 view_top_active() {
    clear
    print_banner "Top Active IPs"
    echo ""
    echo -n "How many top IPs to show? [20]: "
    read -r limit
    limit="${limit:-20}"
    echo ""
    echo -e "${YELLOW}${BOLD}Top $limit Most Active IPs (by Hit Count)${NC}"
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    printf "%-15s | %-7s | %-4s | %-8s | %-8s | %-30s\n" \
        "IP ADDRESS" "HITS" "CTRY" "REP" "LEVEL" "ATTACK TYPES"
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    get_top_active_ips "$limit" | while IFS='|' read -r ip hit_count rep_score country attack_flags first_seen last_seen last_activity notes; do
        local category=$(get_ip_reputation_category "$rep_score")
        local attacks=$(decode_attack_flags "$attack_flags")
        # Color code by hit count
        local color="$NC"
        if [ $hit_count -gt 10000 ]; then
            color="$RED$BOLD"
        elif [ $hit_count -gt 1000 ]; then
            color="$YELLOW"
        fi
        printf "${color}%-15s | %-7s | %-4s | %-3s/100 | %-8s | %-30s${NC}\n" \
            "$ip" "$hit_count" "$country" "$rep_score" "$category" "${attacks:0:30}"
    done
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    echo ""
    press_enter
 }
 # Show statistics
 view_statistics() {
    clear
    print_banner "Database Statistics"
    echo ""
    show_ip_statistics
    echo ""
    # Additional stats
    echo "Recent Activity (Last 24 hours):"
    local cutoff=$(($(date +%s) - 86400))
    local recent_count=$(awk -F'|' -v cut="$cutoff" '$7 >= cut' "$IP_REP_DB" 2>/dev/null | wc -l)
    echo "  Active IPs:         $recent_count"
    echo ""
    # Top countries
    echo "Top Countries by IP Count:"
    awk -F'|' '{print $4}' "$IP_REP_DB" 2>/dev/null | grep -v '^$' | sort | uniq -c | sort -rn | head -5 | \
    while read count country; do
        printf "  %-4s: %s IPs\n" "$country" "$count"
    done
    echo ""
    press_enter
 }
 # Export database
 export_database_interactive() {
    clear
    print_banner "Export IP Reputation Database"
    echo ""
    echo -n "Enter output file path [/tmp/ip_reputation_export.txt]: "
    read -r output_path
    output_path="${output_path:-/tmp/ip_reputation_export.txt}"
    echo ""
    echo "Exporting database to $output_path..."
    export_ip_reputation "$output_path"
    echo ""
    print_success "Database exported successfully!"
    echo ""
    echo "View with: cat $output_path"
    echo "Or:        less $output_path"
    echo ""
    press_enter
 }
 # Cleanup old entries
 cleanup_database_interactive() {
    clear
    print_banner "Cleanup Old Entries"
    echo ""
    echo "Remove IPs that haven't been seen in how many days?"
    echo ""
    echo -n "Days [90]: "
    read -r days
    days="${days:-90}"
    echo ""
    echo "This will remove IPs not seen in the last $days days."
    echo -n "Continue? (yes/no): "
    read -r confirm
    if [ "$confirm" != "yes" ]; then
        echo "Cancelled"
        press_enter
        return
    fi
    echo ""
    cleanup_old_ips "$days"
    echo ""
    print_success "Cleanup complete!"
    echo ""
    press_enter
 }
 # Compact database
 compact_database_interactive() {
    clear
    print_banner "Compact Database"
    echo ""
    local total_before=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo 0)
    echo "Current database size: $total_before entries"
    echo ""
    echo "This will remove duplicate IP entries created by fast append-only writes."
    echo "The database will be compacted and re-indexed."
    echo ""
    echo -n "Continue? (yes/no): "
    read -r confirm
    if [ "$confirm" != "yes" ]; then
        echo "Cancelled"
        press_enter
        return
    fi
    echo ""
    compact_database
    echo ""
    print_success "Database compacted successfully!"
    echo ""
    press_enter
 }
 # Rebuild index
 rebuild_index_interactive() {
    clear
    print_banner "Rebuild Database Index"
    echo ""
    echo "Rebuilding index for optimized lookups..."
    rebuild_index
    echo ""
    print_success "Index rebuilt successfully!"
    echo ""
    press_enter
 }
 # Flag IP as malicious
 flag_ip_interactive() {
    clear
    print_banner "Flag IP as Malicious"
    echo ""
    echo -n "Enter IP address: "
    read -r ip_address
    if [ -z "$ip_address" ]; then
        print_error "No IP address provided"
        press_enter
        return
    fi
    echo ""
    echo "Attack Type:"
    echo "  1) SQL Injection"
    echo "  2) XSS"
    echo "  3) Path Traversal"
    echo "  4) RCE/Shell Upload"
    echo "  5) Brute Force"
    echo "  6) DDoS"
    echo "  7) Bot/Scanner"
    echo "  8) Exploit"
    echo ""
    echo -n "Select [1]: "
    read -r attack_choice
    attack_choice="${attack_choice:-1}"
    case "$attack_choice" in
        1) attack_type="SQL_INJECTION" ;;
        2) attack_type="XSS" ;;
        3) attack_type="PATH_TRAVERSAL" ;;
        4) attack_type="RCE" ;;
        5) attack_type="BRUTEFORCE" ;;
        6) attack_type="DDOS" ;;
        7) attack_type="SCANNER" ;;
        8) attack_type="EXPLOIT" ;;
        *) attack_type="SUSPICIOUS" ;;
    esac
    echo ""
    echo -n "Notes/Description: "
    read -r notes
    echo ""
    echo "Flagging $ip_address for $attack_type..."
    flag_ip_attack "$ip_address" "$attack_type" 0 "$notes"
    echo ""
    print_success "IP flagged successfully!"
    echo ""
    query_ip_reputation "$ip_address"
    echo ""
    press_enter
 }
 # Mark IP as legitimate
 whitelist_ip_interactive() {
    clear
    print_banner "Mark IP as Legitimate"
    echo ""
    echo -n "Enter IP address: "
    read -r ip_address
    if [ -z "$ip_address" ]; then
        print_error "No IP address provided"
        press_enter
        return
    fi
    echo ""
    echo -n "Reason/Notes: "
    read -r notes
    echo ""
    echo "Marking $ip_address as legitimate..."
    mark_ip_legitimate "$ip_address" "$notes"
    echo ""
    print_success "IP marked as legitimate!"
    echo ""
    query_ip_reputation "$ip_address"
    echo ""
    press_enter
 }
 # Import from log file
 import_log_interactive() {
    clear
    print_banner "Import IPs from Log File"
    echo ""
    echo -n "Enter log file path: "
    read -r log_path
    if [ ! -f "$log_path" ]; then
        print_error "File not found: $log_path"
        press_enter
        return
    fi
    echo ""
    echo "Attack Type (will be applied to all IPs):"
    echo "  1) Suspicious (default)"
    echo "  2) SQL Injection"
    echo "  3) XSS"
    echo "  4) Bot/Scanner"
    echo "  5) DDoS"
    echo ""
    echo -n "Select [1]: "
    read -r attack_choice
    attack_choice="${attack_choice:-1}"
    case "$attack_choice" in
        2) attack_type="SQL_INJECTION" ;;
        3) attack_type="XSS" ;;
        4) attack_type="SCANNER" ;;
        5) attack_type="DDOS" ;;
        *) attack_type="SUSPICIOUS" ;;
    esac
    echo ""
    echo "Importing IPs from $log_path as $attack_type..."
    import_ips_from_log "$log_path" "$attack_type" 5
    echo ""
    print_success "Import complete!"
    echo ""
    press_enter
 }
 # Live monitoring (real-time updates)
 live_monitoring() {
    clear
    print_banner "Live IP Reputation Monitoring"
    echo ""
    echo "Watching database for changes... (Press Ctrl+C to exit)"
    echo ""
    local last_count=0
    local last_update=0
    while true; do
        local current_count=$(wc -l < "$IP_REP_DB" 2>/dev/null || echo 0)
        local current_time=$(stat -c %Y "$IP_REP_DB" 2>/dev/null || echo 0)
        if [ $current_count -ne $last_count ] || [ $current_time -ne $last_update ]; then
            clear
            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
            echo "LIVE IP REPUTATION MONITORING - $(date '+%H:%M:%S')"
            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
            echo ""
            show_ip_statistics
            echo ""
            echo "Recent Top 10 Updates:"
            get_top_malicious_ips 10 | head -10 | while IFS='|' read -r ip hit_count rep_score country attack_flags _ _ _ _; do
                local category=$(get_ip_reputation_category "$rep_score")
                local attacks=$(decode_attack_flags "$attack_flags")
                printf "%-15s | %5s hits | %3s/100 | %-8s | %s\n" "$ip" "$hit_count" "$rep_score" "$category" "${attacks:0:40}"
            done
            echo ""
            echo "Press Ctrl+C to exit | Refreshing every 2 seconds..."
            last_count=$current_count
            last_update=$current_time
        fi
        sleep 2
    done
 }
 # Main loop
 main() {
    while true; do
        show_menu
        read -r choice
        case $choice in
            1) query_ip_interactive ;;
            2) view_top_malicious ;;
            3) view_top_active ;;
            4) view_statistics ;;
            5) live_monitoring ;;
            6) export_database_interactive ;;
            7) cleanup_database_interactive ;;
            8) compact_database_interactive ;;
            9) rebuild_index_interactive ;;
            10) flag_ip_interactive ;;
            11) whitelist_ip_interactive ;;
            12) import_log_interactive ;;
            0)
                clear
                echo "Exiting..."
                exit 0
                ;;
            *)
                print_error "Invalid option"
                sleep 1
                ;;
        esac
    done
 }
 # Run main
 main
@@ -0,0 +1,856 @@
 #!/bin/bash
 ################################################################################
 # CT_LIMIT Optimizer - Intelligent Connection Limit Calculator
 ################################################################################
 # Purpose: Analyze real traffic patterns to recommend optimal CT_LIMIT
 # Method:
 #   1. Analyze Apache logs for legitimate concurrent connection patterns
 #   2. Check current active connections per IP
 #   3. Identify CDNs, bots, and legitimate high-traffic sources
 #   4. Calculate safe CT_LIMIT that won't block real users
 #   5. Provide CSF configuration recommendations
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 source "$SCRIPT_DIR/lib/bot-signatures.sh"
 source "$SCRIPT_DIR/lib/reference-db.sh"
 # Require root
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 # Analysis configuration
 ANALYSIS_HOURS=${1:-24}  # Default: analyze last 24 hours
 TEMP_ANALYSIS="/tmp/ct-limit-analysis-$$"
 mkdir -p "$TEMP_ANALYSIS"
 # Color definitions
 BOLD='\033[1m'
 DIM='\033[2m'
 NC='\033[0m'
 ################################################################################
 # Functions
 ################################################################################
 cleanup() {
    rm -rf "$TEMP_ANALYSIS" 2>/dev/null
 }
 trap cleanup EXIT
 get_current_ct_limit() {
    if [ -f "/etc/csf/csf.conf" ]; then
        grep "^CT_LIMIT" /etc/csf/csf.conf | cut -d'=' -f2 | tr -d '"' | tr -d ' '
    else
        echo "Not configured"
    fi
 }
 detect_cdn_usage() {
    local domain="$1"
    # Check DNS for CDN providers
    local dns_result=$(dig +short "$domain" 2>/dev/null | head -5)
    # Check for common CDN patterns
    if echo "$dns_result" | grep -qiE "(cloudflare|cdn77|akamai|fastly|cloudfront|sucuri)"; then
        echo "yes"
        return
    fi
    # Check nameservers
    local ns=$(dig +short NS "$domain" 2>/dev/null)
    if echo "$ns" | grep -qiE "(cloudflare|cdn|akamai)"; then
        echo "yes"
        return
    fi
    echo "no"
 }
 detect_caching() {
    local doc_root="$1"
    local caching_score=0
    # Check for Redis
    if systemctl is-active redis &>/dev/null || pgrep redis-server &>/dev/null; then
        ((caching_score+=3))
    fi
    # Check for Memcached
    if systemctl is-active memcached &>/dev/null || pgrep memcached &>/dev/null; then
        ((caching_score+=3))
    fi
    # Check for WordPress caching plugins
    if [ -d "$doc_root/wp-content/plugins" ]; then
        local cache_plugins=0
        [ -d "$doc_root/wp-content/plugins/wp-rocket" ] && ((cache_plugins++))
        [ -d "$doc_root/wp-content/plugins/w3-total-cache" ] && ((cache_plugins++))
        [ -d "$doc_root/wp-content/plugins/wp-super-cache" ] && ((cache_plugins++))
        [ -d "$doc_root/wp-content/plugins/litespeed-cache" ] && ((cache_plugins++))
        [ -d "$doc_root/wp-content/plugins/wp-fastest-cache" ] && ((cache_plugins++))
        ((caching_score+=cache_plugins))
    fi
    # Check for .htaccess caching rules
    if [ -f "$doc_root/.htaccess" ]; then
        if grep -q "mod_expires\|mod_cache\|Cache-Control" "$doc_root/.htaccess"; then
            ((caching_score++))
        fi
    fi
    echo "$caching_score"
 }
 detect_site_type() {
    local domain="$1"
    local doc_root="$2"
    # Check if WordPress
    if grep -q "^WP|$domain|" "$SYSREF_DB" 2>/dev/null; then
        echo "wordpress"
        return
    fi
    # Check for ecommerce indicators
    if [ -d "$doc_root" ]; then
        if [ -f "$doc_root/wp-content/plugins/woocommerce/woocommerce.php" ] || \
           [ -d "$doc_root/skin/frontend" ] || \
           [ -f "$doc_root/app/Mage.php" ] || \
           [ -d "$doc_root/catalog" ]; then
            echo "ecommerce"
            return
        fi
        # Check for frameworks
        if [ -f "$doc_root/composer.json" ] || [ -d "$doc_root/vendor" ]; then
            echo "framework"
            return
        fi
        # Count PHP files to determine complexity
        local php_count=$(find "$doc_root" -maxdepth 3 -name "*.php" 2>/dev/null | wc -l)
        if [ "$php_count" -gt 50 ]; then
            echo "dynamic"
        elif [ "$php_count" -gt 5 ]; then
            echo "moderate"
        else
            echo "static"
        fi
    else
        echo "unknown"
    fi
 }
 calculate_site_complexity() {
    local domain="$1"
    local doc_root="$2"
    local site_type="$3"
    # Base complexity score (1-10)
    local complexity=1
    # WordPress adds complexity
    if [ "$site_type" = "wordpress" ]; then
        # Check plugin count
        local wp_data=$(grep "^WP|$domain|" "$SYSREF_DB" 2>/dev/null)
        if [ -n "$wp_data" ]; then
            local plugin_count=$(echo "$wp_data" | cut -d'|' -f6)
            # More plugins = more concurrent connections needed
            complexity=$((complexity + (plugin_count / 5)))
        fi
        complexity=$((complexity + 3))  # WordPress admin/ajax
    fi
    # Ecommerce needs higher limits
    if [ "$site_type" = "ecommerce" ]; then
        complexity=$((complexity + 5))  # Shopping cart, checkout, etc.
    fi
    # Framework/dynamic sites
    if [ "$site_type" = "framework" ] || [ "$site_type" = "dynamic" ]; then
        complexity=$((complexity + 2))
    fi
    # Check for Ajax-heavy sites (lots of .js files)
    if [ -d "$doc_root" ]; then
        local js_count=$(find "$doc_root" -maxdepth 2 -name "*.js" 2>/dev/null | wc -l)
        if [ "$js_count" -gt 20 ]; then
            complexity=$((complexity + 2))  # Ajax-heavy = more concurrent
        fi
    fi
    # REDUCE complexity if good caching in place
    local caching_score=$(detect_caching "$doc_root")
    if [ "$caching_score" -gt 0 ]; then
        # Good caching reduces connection needs
        local cache_reduction=$((caching_score / 2))
        complexity=$((complexity - cache_reduction))
        [ "$complexity" -lt 1 ] && complexity=1
    fi
    # REDUCE complexity if CDN is in use
    local has_cdn=$(detect_cdn_usage "$domain")
    if [ "$has_cdn" = "yes" ]; then
        # CDN handles static assets, reduces direct connections
        complexity=$((complexity - 2))
        [ "$complexity" -lt 1 ] && complexity=1
    fi
    # Cap at 10
    [ "$complexity" -gt 10 ] && complexity=10
    echo "$complexity"
 }
 analyze_per_site_traffic() {
    print_status "Analyzing per-site traffic patterns..."
    # Create per-site analysis file
    echo "DOMAIN|SITE_TYPE|COMPLEXITY|MAX_CONN|AVG_CONN|UNIQUE_IPS|TOTAL_REQUESTS" > "$TEMP_ANALYSIS/per_site_analysis.txt"
    # Get all active domains from sysref
    grep "^DOMAIN|" "$SYSREF_DB" 2>/dev/null | while IFS='|' read -r _ domain owner doc_root log_path php_ver is_primary relation target status_code status_text health; do
        # Skip aliases and unknowns
        [ "$owner" = "unknown" ] && continue
        [ "$is_primary" = "no" ] && continue
        [ -z "$log_path" ] && continue
        [ ! -f "$log_path" ] && continue
        # Detect site type
        local site_type=$(detect_site_type "$domain" "$doc_root")
        local complexity=$(calculate_site_complexity "$domain" "$doc_root" "$site_type")
        # Analyze traffic for this specific domain
        local max_conn=0
        local total_ips=0
        local total_requests=0
        if [ -f "$TEMP_ANALYSIS/connections_by_ip.txt" ]; then
            # Get stats for this domain
            local domain_data=$(grep "|$domain|" "$TEMP_ANALYSIS/connections_by_ip.txt")
            if [ -n "$domain_data" ]; then
                max_conn=$(echo "$domain_data" | cut -d'|' -f3 | sort -rn | head -1)
                total_ips=$(echo "$domain_data" | cut -d'|' -f1 | sort -u | wc -l)
                total_requests=$(echo "$domain_data" | cut -d'|' -f4 | awk '{s+=$1} END {print s}')
            fi
        fi
        # Calculate average connections
        local avg_conn=0
        if [ "$total_ips" -gt 0 ]; then
            avg_conn=$((total_requests / total_ips))
        fi
        echo "$domain|$site_type|$complexity|${max_conn:-0}|${avg_conn:-0}|${total_ips:-0}|${total_requests:-0}" >> "$TEMP_ANALYSIS/per_site_analysis.txt"
    done
    print_success "Per-site analysis complete"
 }
 check_server_resources() {
    print_status "Checking server resources..."
    # Get total RAM
    local total_ram_mb=$(free -m | awk '/^Mem:/{print $2}')
    # Get CPU cores
    local cpu_cores=$(nproc 2>/dev/null || echo "2")
    # Calculate max safe connections based on resources
    # Rule of thumb: ~1MB RAM per connection, reserve 50% for other processes
    local max_conn_by_ram=$((total_ram_mb / 2))
    # Also factor in CPU (roughly 50 connections per core max)
    local max_conn_by_cpu=$((cpu_cores * 50))
    # Take the lower of the two
    local max_safe_conn=$max_conn_by_ram
    [ "$max_conn_by_cpu" -lt "$max_safe_conn" ] && max_safe_conn=$max_conn_by_cpu
    echo "$total_ram_mb|$cpu_cores|$max_safe_conn" > "$TEMP_ANALYSIS/server_resources.txt"
    print_success "Server: ${total_ram_mb}MB RAM, ${cpu_cores} cores, max safe connections: ${max_safe_conn}"
 }
 analyze_apache_logs() {
    local hours="$1"
    local cutoff_time=$(date -d "$hours hours ago" "+%d/%b/%Y:%H:%M:%S" 2>/dev/null)
    print_status "Analyzing Apache access logs (last $hours hours)..."
    # Use system-detected log directory (no fallback - rely on system-detect.sh)
    local log_dir="${SYS_LOG_DIR}"
    local total_logs=0
    if [ -z "$log_dir" ] || [ ! -d "$log_dir" ]; then
        print_warning "Apache log directory not found or not detected: $log_dir"
        print_warning "System detection may have failed. Check SYS_LOG_DIR."
        return 1
    fi
    # Analyze each domain's access patterns
    echo "IP|DOMAIN|MAX_CONCURRENT|TOTAL_REQUESTS|USER_AGENT" > "$TEMP_ANALYSIS/connections_by_ip.txt"
    # Track hourly patterns
    > "$TEMP_ANALYSIS/hourly_traffic.txt"
    find "$log_dir" -type f \( -name "*.com" -o -name "*.net" -o -name "*.org" -o -name "*.dev" \) 2>/dev/null | while read -r logfile; do
        local domain=$(basename "$logfile")
        ((total_logs++))
        # Extract IP, timestamp, user agent
        awk -v domain="$domain" '{
            # Parse: IP - - [timestamp] "METHOD URL" status bytes "ref" "UA"
            match($0, /^([0-9.]+).*\[([^\]]+)\].*"([^"]*)".*"([^"]*)"$/, arr)
            if (arr[1] != "") {
                ip = arr[1]
                timestamp = arr[2]
                ua = arr[4]
                # Extract hour for time-of-day analysis
                match(timestamp, /([0-9]{2}):([0-9]{2}):/, time_arr)
                hour = time_arr[1]
                if (hour != "") {
                    hourly_count[hour]++
                }
                # Track requests per second per IP
                gsub(/:.*/, "", timestamp)  # Remove time, keep date
                key = ip "|" domain "|" timestamp
                count[key]++
                user_agent[ip] = ua
            }
        }
        END {
            # Output hourly traffic patterns
            for (h in hourly_count) {
                print h "|" hourly_count[h] >> "/tmp/ct-limit-analysis-$$/hourly_traffic.txt"
            }
            for (key in count) {
                split(key, parts, "|")
                ip = parts[1]
                dom = parts[2]
                # Track max concurrent requests
                if (count[key] > max_concurrent[ip "|" dom]) {
                    max_concurrent[ip "|" dom] = count[key]
                }
                total_requests[ip "|" dom] += count[key]
            }
            for (key in max_concurrent) {
                split(key, parts, "|")
                ip = parts[1]
                dom = parts[2]
                print ip "|" dom "|" max_concurrent[key] "|" total_requests[key] "|" user_agent[ip]
            }
        }' "$logfile" >> "$TEMP_ANALYSIS/connections_by_ip.txt" 2>/dev/null
    done
    print_success "Analyzed logs from $log_dir"
 }
 analyze_current_connections() {
    print_status "Analyzing current active connections..."
    if command -v ss &>/dev/null; then
        # Count current connections per IP
        ss -tn state established 2>/dev/null | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -rn > "$TEMP_ANALYSIS/current_connections.txt"
    elif command -v netstat &>/dev/null; then
        netstat -tn | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn > "$TEMP_ANALYSIS/current_connections.txt"
    else
        print_warning "Neither ss nor netstat available"
        return 1
    fi
    print_success "Current connection analysis complete"
 }
 classify_ip_behavior() {
    local ip="$1"
    local user_agent="$2"
    local max_concurrent="$3"
    local total_requests="$4"
    # Classify using bot signatures
    local bot_type=$(classify_bot_type "$user_agent")
    # Additional classification
    local classification="unknown"
    # Known good sources
    if [ "$bot_type" = "legit" ]; then
        classification="legitimate_bot"
    elif [ "$bot_type" = "ai" ]; then
        classification="ai_crawler"
    elif [ "$bot_type" = "monitor" ]; then
        classification="monitoring_service"
    # CDN detection
    elif [[ "$user_agent" =~ (Cloudflare|CloudFront|Akamai|Fastly|Sucuri) ]]; then
        classification="cdn"
    # High request rate but legitimate
    elif [ "$max_concurrent" -gt 50 ] && [ "$total_requests" -gt 1000 ]; then
        if [[ "$user_agent" =~ (Chrome|Firefox|Safari|Edge) ]]; then
            classification="high_traffic_user"
        else
            classification="potential_scraper"
        fi
    # Normal user
    elif [ "$max_concurrent" -lt 20 ]; then
        classification="normal_user"
    else
        classification="moderate_user"
    fi
    echo "$classification"
 }
 calculate_percentile() {
    local percentile="$1"
    local data_file="$2"
    # Sort data and get Nth percentile
    local count=$(wc -l < "$data_file")
    local position=$(awk -v p="$percentile" -v c="$count" 'BEGIN {printf "%.0f", (p/100) * c}')
    [ "$position" -lt 1 ] && position=1
    sort -n "$data_file" | sed -n "${position}p"
 }
 generate_recommendation() {
    print_banner "CT_LIMIT Optimizer - Analysis Results"
    echo ""
    # Parse analysis data
    local max_legitimate=0
    local max_bot=0
    local max_cdn=0
    local total_ips=0
    echo "Analyzing connection patterns..."
    echo ""
    # Create summary files
    > "$TEMP_ANALYSIS/legitimate_connections.txt"
    > "$TEMP_ANALYSIS/bot_connections.txt"
    > "$TEMP_ANALYSIS/all_connections.txt"
    # Skip header
    tail -n +2 "$TEMP_ANALYSIS/connections_by_ip.txt" | while IFS='|' read -r ip domain max_concurrent total_requests user_agent; do
        [ -z "$ip" ] && continue
        local classification=$(classify_ip_behavior "$ip" "$user_agent" "$max_concurrent" "$total_requests")
        ((total_ips++))
        # Track max connections by type
        case "$classification" in
            legitimate_bot|ai_crawler|monitoring_service|cdn)
                echo "$max_concurrent" >> "$TEMP_ANALYSIS/bot_connections.txt"
                [ "$max_concurrent" -gt "$max_bot" ] && max_bot=$max_concurrent
                ;;
            normal_user|moderate_user|high_traffic_user)
                echo "$max_concurrent" >> "$TEMP_ANALYSIS/legitimate_connections.txt"
                [ "$max_concurrent" -gt "$max_legitimate" ] && max_legitimate=$max_concurrent
                ;;
        esac
        echo "$max_concurrent" >> "$TEMP_ANALYSIS/all_connections.txt"
    done
    # Calculate statistics
    local legit_count=$(wc -l < "$TEMP_ANALYSIS/legitimate_connections.txt" 2>/dev/null || echo "0")
    local bot_count=$(wc -l < "$TEMP_ANALYSIS/bot_connections.txt" 2>/dev/null || echo "0")
    echo -e "${BOLD}Connection Analysis Summary:${NC}"
    echo "──────────────────────────────────────────────────────────────"
    echo "  Total unique IPs analyzed: $total_ips"
    echo "  Legitimate users: $legit_count"
    echo "  Bots/CDNs/Crawlers: $bot_count"
    echo ""
    # Show per-site analysis
    if [ -f "$TEMP_ANALYSIS/per_site_analysis.txt" ]; then
        local site_count=$(tail -n +2 "$TEMP_ANALYSIS/per_site_analysis.txt" | wc -l)
        if [ "$site_count" -gt 0 ]; then
            echo -e "${BOLD}Per-Site Analysis (All $site_count Sites Checked):${NC}"
            echo "──────────────────────────────────────────────────────────────"
            printf "  %-30s %-12s %5s %8s %8s\n" "DOMAIN" "TYPE" "CMPLX" "MAX_CONN" "UNIQ_IPs"
            echo "  $(printf '─%.0s' {1..70})"
            tail -n +2 "$TEMP_ANALYSIS/per_site_analysis.txt" | sort -t'|' -k4 -rn | head -15 | while IFS='|' read -r domain site_type complexity max_conn avg_conn unique_ips total_requests; do
                # Truncate long domain names
                local short_domain=$(echo "$domain" | cut -c1-28)
                [ ${#domain} -gt 28 ] && short_domain="${short_domain}.."
                # Color code by complexity
                local color="${NC}"
                if [ "$complexity" -ge 7 ]; then
                    color="${HIGH_COLOR}"
                elif [ "$complexity" -ge 4 ]; then
                    color="${MEDIUM_COLOR}"
                fi
                printf "  ${color}%-30s %-12s %5s %8s %8s${NC}\n" \
                    "$short_domain" "$site_type" "$complexity" "$max_conn" "$unique_ips"
            done
            local remaining=$((site_count - 15))
            if [ "$remaining" -gt 0 ]; then
                echo "  ... and $remaining more sites analyzed"
            fi
            echo ""
            # Identify high-complexity sites that need extra headroom
            local high_complexity_sites=$(tail -n +2 "$TEMP_ANALYSIS/per_site_analysis.txt" | awk -F'|' '$3 >= 7 {print $1}' | wc -l)
            if [ "$high_complexity_sites" -gt 0 ]; then
                echo -e "${MEDIUM_COLOR}  ⚠️  $high_complexity_sites high-complexity sites detected${NC}"
                echo "     (WordPress/Ecommerce/Framework - need higher CT_LIMIT)"
                echo ""
            fi
        fi
    fi
    # Calculate percentiles for legitimate traffic
    if [ -s "$TEMP_ANALYSIS/legitimate_connections.txt" ]; then
        local p95=$(calculate_percentile 95 "$TEMP_ANALYSIS/legitimate_connections.txt")
        local p99=$(calculate_percentile 99 "$TEMP_ANALYSIS/legitimate_connections.txt")
        echo -e "${BOLD}Legitimate User Connection Patterns:${NC}"
        echo "  Max concurrent from single IP: $max_legitimate"
        echo "  95th percentile: $p95 concurrent connections"
        echo "  99th percentile: $p99 concurrent connections"
        echo ""
    fi
    # Check current connections
    if [ -s "$TEMP_ANALYSIS/current_connections.txt" ]; then
        local current_max=$(head -1 "$TEMP_ANALYSIS/current_connections.txt" | awk '{print $1}')
        local current_max_ip=$(head -1 "$TEMP_ANALYSIS/current_connections.txt" | awk '{print $2}')
        echo -e "${BOLD}Current Active Connections:${NC}"
        echo "  Highest right now: $current_max connections from $current_max_ip"
        echo ""
    fi
    # Server resource limits
    if [ -f "$TEMP_ANALYSIS/server_resources.txt" ]; then
        IFS='|' read -r total_ram cpu_cores max_safe_conn < "$TEMP_ANALYSIS/server_resources.txt"
        echo -e "${BOLD}Server Resource Limits:${NC}"
        echo "  RAM: ${total_ram}MB | CPU: ${cpu_cores} cores"
        echo "  Max safe connections (hardware): $max_safe_conn"
        echo ""
    fi
    # Time-of-day patterns
    if [ -f "$TEMP_ANALYSIS/hourly_traffic.txt" ]; then
        local peak_hour=$(awk -F'|' '{if($2>max){max=$2; hour=$1}} END{print hour}' "$TEMP_ANALYSIS/hourly_traffic.txt")
        local peak_requests=$(awk -F'|' '{if($2>max){max=$2}} END{print max}' "$TEMP_ANALYSIS/hourly_traffic.txt")
        local avg_requests=$(awk -F'|' '{sum+=$2; count++} END{if(count>0) print int(sum/count)}' "$TEMP_ANALYSIS/hourly_traffic.txt")
        if [ -n "$peak_hour" ] && [ "$peak_requests" -gt "$((avg_requests * 2))" ]; then
            echo -e "${BOLD}Traffic Patterns:${NC}"
            echo "  Peak hour: ${peak_hour}:00 (${peak_requests} requests)"
            echo "  Average: ${avg_requests} requests/hour"
            echo "  Peak is ${MEDIUM_COLOR}$((peak_requests * 100 / avg_requests))% above average${NC}"
            echo "  ${DIM}→ CT_LIMIT should handle peak, not average${NC}"
            echo ""
        fi
    fi
    # Optimization opportunities
    local opt_count=0
    echo -e "${BOLD}Optimization Opportunities:${NC}"
    # Check for sites without CDN
    local no_cdn=$(tail -n +2 "$TEMP_ANALYSIS/per_site_analysis.txt" 2>/dev/null | while IFS='|' read -r domain site_type complexity max_conn avg_conn unique_ips total_requests; do
        if [ "$complexity" -ge 6 ]; then
            local has_cdn=$(detect_cdn_usage "$domain" 2>/dev/null)
            if [ "$has_cdn" = "no" ]; then
                echo "$domain"
                ((opt_count++))
            fi
        fi
    done | head -3)
    if [ -n "$no_cdn" ]; then
        echo "  📦 CDN Recommended for:"
        echo "$no_cdn" | while read -r domain; do
            echo "     • $domain (would reduce CT_LIMIT need)"
        done
    fi
    # Check for WordPress without caching
    local no_cache=$(tail -n +2 "$TEMP_ANALYSIS/per_site_analysis.txt" 2>/dev/null | grep "wordpress" | while IFS='|' read -r domain site_type complexity max_conn avg_conn unique_ips total_requests; do
        # Get doc root from sysref
        local doc_root=$(grep "^DOMAIN|$domain|" "$SYSREF_DB" 2>/dev/null | cut -d'|' -f4)
        if [ -n "$doc_root" ]; then
            local cache_score=$(detect_caching "$doc_root" 2>/dev/null)
            if [ "$cache_score" -eq 0 ]; then
                echo "$domain"
            fi
        fi
    done | head -3)
    if [ -n "$no_cache" ]; then
        echo "  ⚡ Caching Recommended for:"
        echo "$no_cache" | while read -r domain; do
            echo "     • $domain (WP Rocket, Redis, or W3 Total Cache)"
        done
    fi
    if [ -z "$no_cdn" ] && [ -z "$no_cache" ]; then
        echo "  ✅ Sites are well-optimized (CDN + caching in place)"
    fi
    echo ""
    # Current CSF setting
    local current_ct=$(get_current_ct_limit)
    echo -e "${BOLD}Current CSF Configuration:${NC}"
    echo "  CT_LIMIT = $current_ct"
    echo ""
    # Generate recommendation
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    echo -e "${BOLD}📊 RECOMMENDED CT_LIMIT VALUES${NC}"
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    echo ""
    # Calculate safe recommendations
    local conservative=$((max_legitimate + 20))
    local balanced=$((max_legitimate + 10))
    local aggressive=$((max_legitimate + 5))
    # Factor in site complexity - high-complexity sites need more headroom
    if [ -f "$TEMP_ANALYSIS/per_site_analysis.txt" ]; then
        local avg_complexity=$(tail -n +2 "$TEMP_ANALYSIS/per_site_analysis.txt" | awk -F'|' '{sum+=$3; count++} END {if(count>0) print int(sum/count); else print 0}')
        local max_complexity=$(tail -n +2 "$TEMP_ANALYSIS/per_site_analysis.txt" | awk -F'|' '{if($3>max) max=$3} END {print max+0}')
        # Add complexity buffer (0-20 based on average complexity)
        local complexity_buffer=$((avg_complexity * 2))
        conservative=$((conservative + complexity_buffer))
        balanced=$((balanced + (complexity_buffer / 2)))
        # If we have ecommerce sites, be extra conservative
        local has_ecommerce=$(tail -n +2 "$TEMP_ANALYSIS/per_site_analysis.txt" | grep -c "ecommerce")
        if [ "$has_ecommerce" -gt 0 ]; then
            conservative=$((conservative + 15))
            balanced=$((balanced + 10))
        fi
    fi
    # Minimum safety thresholds
    [ "$conservative" -lt 100 ] && conservative=100
    [ "$balanced" -lt 80 ] && balanced=80
    [ "$aggressive" -lt 50 ] && aggressive=50
    # Cap at server's max safe capacity
    if [ -f "$TEMP_ANALYSIS/server_resources.txt" ]; then
        IFS='|' read -r total_ram cpu_cores max_safe_conn < "$TEMP_ANALYSIS/server_resources.txt"
        if [ "$conservative" -gt "$max_safe_conn" ]; then
            conservative=$max_safe_conn
            echo "  ${MEDIUM_COLOR}Note: Conservative capped at server max ($max_safe_conn)${NC}" >&2
        fi
        if [ "$balanced" -gt "$max_safe_conn" ]; then
            balanced=$max_safe_conn
        fi
    fi
    echo -e "${BOLD}1. CONSERVATIVE${NC} (Recommended for high-traffic sites)"
    echo "   CT_LIMIT = $conservative"
    echo "   • Allows headroom for traffic spikes"
    echo "   • Won't block legitimate users"
    echo "   • Good protection against moderate attacks"
    echo ""
    echo -e "${BOLD}2. BALANCED${NC} (Recommended for most servers) ⭐"
    echo "   CT_LIMIT = $balanced"
    echo "   • Balances security and usability"
    echo "   • Based on 99th percentile + buffer"
    echo "   • Blocks most attack traffic"
    echo ""
    echo -e "${BOLD}3. AGGRESSIVE${NC} (Only if under active attack)"
    echo "   CT_LIMIT = $aggressive"
    echo "   • Tight connection limits"
    echo "   • May affect some legitimate users"
    echo "   • Maximum DDoS protection"
    echo ""
    # Whitelist recommendations
    if [ "$bot_count" -gt 0 ]; then
        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
        echo -e "${BOLD}⚠️  WHITELIST RECOMMENDATIONS${NC}"
        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
        echo ""
        echo "Found bots/crawlers with high connection counts."
        echo "Consider whitelisting these IPs to prevent blocking:"
        echo ""
        # Show top legitimate bots
        tail -n +2 "$TEMP_ANALYSIS/connections_by_ip.txt" | while IFS='|' read -r ip domain max_concurrent total_requests user_agent; do
            [ -z "$ip" ] && continue
            local classification=$(classify_ip_behavior "$ip" "$user_agent" "$max_concurrent" "$total_requests")
            if [[ "$classification" =~ (legitimate_bot|ai_crawler|monitoring_service) ]]; then
                local bot_name=$(echo "$user_agent" | grep -oE '(Googlebot|Bingbot|Slurp|DuckDuckBot|Baiduspider|YandexBot|SemrushBot|AhrefsBot|facebookexternalhit|Twitterbot|LinkedInBot|UptimeRobot|Pingdom)' | head -1)
                [ -z "$bot_name" ] && bot_name="Bot"
                if [ "$max_concurrent" -gt "$balanced" ]; then
                    printf "  • %-15s (%-20s) %3d connections\n" "$ip" "$bot_name" "$max_concurrent"
                fi
            fi
        done | sort -t'(' -k2 -u | head -10
        echo ""
        echo "To whitelist: Add to /etc/csf/csf.ignore or use: csf -a <IP>"
    fi
    echo ""
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    echo -e "${BOLD}🔧 HOW TO APPLY${NC}"
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    echo ""
    echo "1. Edit CSF configuration:"
    echo "   ${BOLD}nano /etc/csf/csf.conf${NC}"
    echo ""
    echo "2. Find CT_LIMIT line and change to recommended value:"
    echo "   ${BOLD}CT_LIMIT = \"$balanced\"${NC}"
    echo ""
    echo "3. Enable SYNFLOOD protection (if not already):"
    echo "   ${BOLD}SYNFLOOD = \"1\"${NC}"
    echo ""
    echo "4. Apply changes:"
    echo "   ${BOLD}csf -r${NC}"
    echo ""
    echo "5. Monitor effectiveness:"
    echo "   ${BOLD}watch -n 2 'csf -g | tail -20'${NC}"
    echo ""
    # Save recommendation to file
    cat > "$TEMP_ANALYSIS/recommendation.txt" <<EOF
 CT_LIMIT Optimization Report
 Generated: $(date)
 Analysis Period: Last $ANALYSIS_HOURS hours
 RECOMMENDED VALUES:
 - Conservative: CT_LIMIT = "$conservative"
 - Balanced: CT_LIMIT = "$balanced" (RECOMMENDED)
 - Aggressive: CT_LIMIT = "$aggressive"
 ANALYSIS DATA:
 - Total IPs analyzed: $total_ips
 - Legitimate users: $legit_count
 - Bots/Crawlers: $bot_count
 - Max legitimate connections: $max_legitimate
 - Current CT_LIMIT: $current_ct
 To apply balanced recommendation:
 1. Edit /etc/csf/csf.conf
 2. Set: CT_LIMIT = "$balanced"
 3. Run: csf -r
 EOF
    echo "Full report saved to: $TEMP_ANALYSIS/recommendation.txt"
    echo ""
 }
 apply_recommendation() {
    local new_limit="$1"
    if [ ! -f "/etc/csf/csf.conf" ]; then
        print_error "CSF not installed or config not found"
        return 1
    fi
    print_status "Backing up CSF configuration..."
    cp /etc/csf/csf.conf "/etc/csf/csf.conf.backup.$(date +%Y%m%d_%H%M%S)"
    print_status "Setting CT_LIMIT = $new_limit..."
    sed -i "s/^CT_LIMIT = .*/CT_LIMIT = \"$new_limit\"/" /etc/csf/csf.conf
    # Also ensure SYNFLOOD is enabled
    if grep -q "^SYNFLOOD = \"0\"" /etc/csf/csf.conf; then
        print_status "Enabling SYNFLOOD protection..."
        sed -i 's/^SYNFLOOD = "0"/SYNFLOOD = "1"/' /etc/csf/csf.conf
    fi
    print_status "Restarting CSF..."
    csf -r >/dev/null 2>&1
    print_success "CT_LIMIT updated to $new_limit and CSF restarted!"
    echo ""
    echo "Monitor effectiveness with: csf -g | tail -20"
 }
 ################################################################################
 # Main
 ################################################################################
 main() {
    clear
    print_banner "CT_LIMIT Optimizer - Intelligent Connection Limit Calculator"
    echo ""
    echo "This tool analyzes your actual traffic patterns to recommend"
    echo "an optimal CT_LIMIT that protects against DDoS without blocking"
    echo "legitimate users, bots, and CDNs."
    echo ""
    echo "Analysis period: Last $ANALYSIS_HOURS hours"
    echo ""
    read -p "Press Enter to start analysis or Ctrl+C to cancel..."
    echo ""
    # Check if sysref database exists, build if needed
    if [ ! -f "$SYSREF_DB" ] || [ ! -s "$SYSREF_DB" ]; then
        print_status "Building system reference database (first run)..."
        build_reference_database >/dev/null 2>&1
    fi
    # Run analysis
    check_server_resources
    analyze_apache_logs "$ANALYSIS_HOURS"
    analyze_per_site_traffic
    analyze_current_connections
    # Generate and show recommendations
    generate_recommendation
    # Offer to apply
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    echo ""
    read -p "Would you like to apply the BALANCED recommendation automatically? (y/n): " apply
    if [[ "$apply" =~ ^[Yy] ]]; then
        # Extract balanced value from recommendation
        local balanced=$(grep "2. BALANCED" -A1 "$TEMP_ANALYSIS/recommendation.txt" | grep "CT_LIMIT" | grep -oE '[0-9]+')
        if [ -n "$balanced" ]; then
            apply_recommendation "$balanced"
        else
            print_error "Could not determine balanced recommendation value"
        fi
    else
        echo ""
        echo "No changes made. You can apply manually using the commands above."
    fi
    echo ""
    print_success "Analysis complete!"
 }
 main
@@ -1,8 +1,33 @@
 #!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
-print_banner "Apache Access Log"
+source "$SCRIPT_DIR/lib/system-detect.sh"
 print_banner "Apache Access Log - Multi-Panel Support"
 echo "Tailing Apache access logs..."
 echo "Control Panel: ${SYS_CONTROL_PANEL}"
 echo "Press Ctrl+C to exit"
 echo ""
-[ -d "/var/log/apache2/domlogs" ] && tail -f /var/log/apache2/domlogs/* || echo "No access logs found"
+
 # Multi-panel log discovery
 if [ "$SYS_CONTROL_PANEL" = "interworx" ]; then
    # InterWorx: Per-domain logs in user home (uses 'transfer.log' not 'access_log')
    log_files=$(find /home/*/var/*/logs -type f -name "transfer.log" 2>/dev/null)
 elif [ "$SYS_CONTROL_PANEL" = "plesk" ]; then
    # Plesk: System logs
    log_files=$(find /var/www/vhosts/system/*/logs -type f -name "access_log" -o -name "access_ssl_log" 2>/dev/null)
 elif [ -n "$SYS_LOG_DIR" ] && [ -d "$SYS_LOG_DIR" ]; then
    # cPanel: Use detected log directory
    log_files=$(find "$SYS_LOG_DIR" -type f ! -name "*-bytes_log" ! -name "*error_log" 2>/dev/null)
 else
    # Standalone: Try common locations
    log_files="/var/log/httpd/access_log /var/log/apache2/access.log"
 fi
 if [ -n "$log_files" ]; then
    tail -f $log_files 2>/dev/null
 else
    print_error "No access logs found"
    echo "Searched: $SYS_LOG_DIR (control panel: $SYS_CONTROL_PANEL)"
    exit 1
 fi
@@ -1,8 +1,36 @@
 #!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
-print_banner "Apache Error Log"
+source "$SCRIPT_DIR/lib/system-detect.sh"
 print_banner "Apache Error Log - Multi-Panel Support"
 echo "Tailing Apache error logs..."
 echo "Control Panel: ${SYS_CONTROL_PANEL}"
 echo "Press Ctrl+C to exit"
 echo ""
-tail -f /var/log/apache2/error_log 2>/dev/null || tail -f /var/log/httpd/error_log 2>/dev/null || echo "No error logs found"
+
 # Multi-panel error log discovery
 if [ "$SYS_CONTROL_PANEL" = "interworx" ]; then
    # InterWorx: Per-domain error logs in user home
    log_files=$(find /home/*/var/*/logs -type f -name "error_log" 2>/dev/null)
 elif [ "$SYS_CONTROL_PANEL" = "plesk" ]; then
    # Plesk: System logs
    log_files=$(find /var/www/vhosts/system/*/logs -type f -name "error_log" 2>/dev/null)
 elif [ "$SYS_CONTROL_PANEL" = "cpanel" ]; then
    # cPanel: Per-domain error logs in domlogs
    log_files=$(find "$SYS_LOG_DIR" -type f -name "*-error_log" 2>/dev/null)
 else
    # Standalone: Try common main error log locations
    log_files=""
    [ -f "/var/log/apache2/error_log" ] && log_files="/var/log/apache2/error_log"
    [ -f "/var/log/httpd/error_log" ] && log_files="$log_files /var/log/httpd/error_log"
    [ -f "/var/log/apache2/error.log" ] && log_files="$log_files /var/log/apache2/error.log"
 fi
 if [ -n "$log_files" ]; then
    tail -f $log_files 2>/dev/null
 else
    print_error "No error logs found"
    echo "Searched for logs in control panel: $SYS_CONTROL_PANEL"
    exit 1
 fi
@@ -1,20 +1,38 @@
 #!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
-print_banner "Web Traffic Monitor"
+print_banner "Web Traffic Monitor - Multi-Panel Support"
 echo ""
 echo "Monitoring Apache access logs in real-time..."
 echo "Control Panel: ${SYS_CONTROL_PANEL}"
 echo "Press Ctrl+C to exit"
 echo ""
-# Find apache log directory
+# Multi-panel log discovery
-if [ -d "/var/log/apache2/domlogs" ]; then
+log_files=""
-    tail -f /var/log/apache2/domlogs/* 2>/dev/null | while read line; do
+if [ "$SYS_CONTROL_PANEL" = "interworx" ]; then
    # InterWorx: Monitor recent access logs (uses 'transfer.log', limit for performance)
    log_files=$(find /home/*/var/*/logs -type f -name "transfer.log" -mmin -60 2>/dev/null | head -10)
 elif [ "$SYS_CONTROL_PANEL" = "plesk" ]; then
    # Plesk: System logs
    log_files=$(find /var/www/vhosts/system/*/logs -type f -name "access_log" -o -name "access_ssl_log" 2>/dev/null | head -10)
 elif [ -n "$SYS_LOG_DIR" ] && [ -d "$SYS_LOG_DIR" ]; then
    # cPanel: Use detected log directory
    log_files=$(find "$SYS_LOG_DIR" -type f ! -name "*-bytes_log" ! -name "*error_log" 2>/dev/null)
 else
    # Standalone: Try common locations
    [ -f "/var/log/httpd/access_log" ] && log_files="/var/log/httpd/access_log"
    [ -f "/var/log/apache2/access.log" ] && log_files="$log_files /var/log/apache2/access.log"
 fi
 if [ -n "$log_files" ]; then
    tail -f $log_files 2>/dev/null | while read line; do
        ip=$(echo "$line" | awk '{print $1}')
        request=$(echo "$line" | awk '{print $6, $7}' | tr -d '"')
        status=$(echo "$line" | awk '{print $9}')
-        
+
        # Color code by status
        if [[ "$status" =~ ^5 ]]; then
            color="\033[1;31m"  # Red for 5xx
@@ -25,9 +43,12 @@ if [ -d "/var/log/apache2/domlogs" ]; then
        else
            color="\033[0;37m"  # White for others
        fi
-        
+
        printf "${color}%-15s %s %s\033[0m\n" "$ip" "$status" "$request"
    done
 else
-    print_error "Apache domlogs directory not found"
+    print_error "No Apache access logs found"
    echo "Control panel: $SYS_CONTROL_PANEL"
    echo "Log directory: $SYS_LOG_DIR"
    exit 1
 fi
@@ -0,0 +1,882 @@
 #!/bin/bash
 ################################################################################
 # Fast 500 Error Tracker
 ################################################################################
 # Purpose: ONLY track 500 errors - find them fast and show WHY
 # No menus, no options - just find 500s and diagnose the root cause
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 source "$SCRIPT_DIR/lib/user-manager.sh"
 source "$SCRIPT_DIR/lib/ip-reputation.sh"
 # Ensure color variables are set
 DIM='\033[2m'
 BOLD='\033[1m'
 print_banner "Fast 500 Error Tracker"
 echo ""
 echo "Scanning for 500 errors and diagnosing root causes..."
 echo ""
 # Ask for time range
 echo -e "${CYAN}How far back to scan?${NC}"
 echo "  1) Last 24 hours (default)"
 echo "  2) Last 7 days"
 echo "  3) Last 30 days"
 echo "  0) Cancel and return to menu"
 echo ""
 read -p "Select option [1]: " time_choice
 time_choice=${time_choice:-1}
 case $time_choice in
    0)
        echo ""
        echo "Scan cancelled."
        echo ""
        exit 0
        ;;
    1) HOURS_TO_SCAN=24 ;;
    2) HOURS_TO_SCAN=168 ;;
    3) HOURS_TO_SCAN=720 ;;
    *) HOURS_TO_SCAN=24 ;;
 esac
 echo ""
 echo "→ Scanning last $HOURS_TO_SCAN hours of access logs..."
 echo ""
 # Temporary files
 TEMP_DIR="/tmp/500-tracker-$$"
 mkdir -p "$TEMP_DIR"
 trap "rm -rf $TEMP_DIR" EXIT
 ERRORS_500="$TEMP_DIR/errors_500.txt"
 ERROR_DETAILS="$TEMP_DIR/error_details.txt"
 # Configuration - Use system-detected paths
 DOMLOGS_DIR="${SYS_LOG_DIR}"
 CONTROL_PANEL="${SYS_CONTROL_PANEL}"
 # Get cutoff time
 cutoff_time=$(date -d "$HOURS_TO_SCAN hours ago" +%s 2>/dev/null || echo "0")
 declare -A domain_count
 declare -A domain_user
 total_500s=0
 filtered_bots=0
 # Scan all domain access logs for 500 errors (including subdirectories)
 while IFS= read -r log; do
    [ -f "$log" ] || continue
    [[ "$log" =~ (bytes_log|offset|error_log|ftpxferlog|-ssl_log)$ ]] && continue
    # Extract domain from log filename
    domain="${log##*/}"
    domain="${domain%%-*}"
    # Skip non-domain system logs (proxy, localhost, etc.)
    [[ "$domain" =~ ^(proxy|localhost|default|cpanel|webmail|whm|cpcalendars|cpcontacts|webdisk)$ ]] && continue
    # Find user for this domain - Multi-panel support
    user=""
    case "$CONTROL_PANEL" in
        cpanel)
            user=$(grep "^${domain}:" /etc/userdatadomains 2>/dev/null | cut -d: -f2 | awk -F'==' '{print $1}' | head -1)
            ;;
        interworx)
            user=$(grep -l "ServerName ${domain}" /etc/httpd/conf.d/vhost_*.conf 2>/dev/null | head -1 | \
                   xargs grep "SuexecUserGroup" 2>/dev/null | awk '{print $2}')
            ;;
        plesk)
            user=$(plesk bin subscription --info "$domain" 2>/dev/null | grep "Owner" | awk '{print $2}')
            ;;
    esac
    [ -z "$user" ] && user="unknown"
    domain_user["$domain"]="$user"
    # Scan for 500 errors in this log
    while IFS= read -r line; do
        # Check for 500 status code
        if [[ "$line" =~ '"'[[:space:]](5[0-9]{2})[[:space:]] ]]; then
            status="${BASH_REMATCH[1]}"
            # Time filtering
            if [ "$cutoff_time" != "0" ]; then
                if [[ "$line" =~ \[([0-9]{2}/[A-Z][a-z]{2}/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2}) ]]; then
                    log_date="${BASH_REMATCH[1]}"
                    log_time=$(date -d "${log_date/:/ }" +%s 2>/dev/null || echo "0")
                    [ "$log_time" != "0" ] && [ "$log_time" -lt "$cutoff_time" ] && continue
                fi
            fi
            # Parse log line to get IP first
            read -r ip _ _ timestamp _ request _ _ <<< "$line"
            # IP-based filtering - skip non-relevant IPs
            # Skip localhost/internal IPs
            if [[ "$ip" =~ ^(127\.|::1|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.) ]]; then
                ((filtered_bots++))
                continue
            fi
            # Skip common cloud scanner IPs and known bot networks
            # AWS, GCP, Azure scanner ranges, security scanners
            if [[ "$ip" =~ ^(3\.|13\.|18\.|34\.|35\.|52\.|54\.) ]] || \
               [[ "$ip" =~ ^(104\.196\.|104\.154\.|130\.211\.|35\.184\.|35\.185\.|35\.186\.|35\.187\.|35\.188\.|35\.189\.|35\.19) ]] || \
               [[ "$ip" =~ ^(20\.|40\.|51\.|52\.|13\.64\.|13\.65\.|13\.66\.|13\.67\.|13\.68\.) ]]; then
                # Check if it's actually a bot by examining user agent
                line_lower="${line,,}"
                if [[ "$line_lower" =~ (bot|crawler|spider|scanner|monitor|cloud|amazon|google|microsoft|azure) ]]; then
                    ((filtered_bots++))
                    # Track bot IP with BOT flag
                    flag_ip_attack "$ip" "BOT" 0 "500 error - filtered as bot/scanner" >/dev/null 2>&1 &
                    continue
                fi
            fi
            # Bot/Scanner filtering - skip noise
            line_lower="${line,,}"
            if [[ "$line_lower" =~ (bot|crawler|spider|scraper|scanner|check|monitor|uptime|pingdom|newrelic|datadog|nagios|zabbix|prtg|gomez|keynote|catchpoint|dotcom-monitor|site24x7|uptimerobot|statuscake|nodequery|hetrixtools|freshping|uptrendscom|siteuptime|montastic|updown\.io|apex|alertsite|webmon|wormly) ]]; then
                ((filtered_bots++))
                # Track monitoring/uptime bot
                flag_ip_attack "$ip" "BOT" 0 "Monitoring/uptime bot" >/dev/null 2>&1 &
                continue
            fi
            if [[ "$line_lower" =~ (semrush|ahrefs|moz|majestic|serpstat|screaming|screamingfrog|sitebulb|linkchecker|validator|scanner|security|acunetix|nessus|openvas|burp|nikto|skipfish|w3af|sqlmap|metasploit|nmap|masscan|zmap|shodan|censys|binaryedge) ]]; then
                ((filtered_bots++))
                # Track scanner with higher score
                flag_ip_attack "$ip" "SCANNER" 0 "Security scanner detected" >/dev/null 2>&1 &
                continue
            fi
            if [[ "$line_lower" =~ (curl|wget|python|perl|ruby|java|go-http|libwww|axios|node-fetch|http\.client|httpie|postman|insomnia|apachehttp|okhttp|httpclient) ]]; then
                ((filtered_bots++))
                # Track programmatic access
                flag_ip_attack "$ip" "BOT" 0 "HTTP library/tool" >/dev/null 2>&1 &
                continue
            fi
            # Extract URL
            if [[ "$request" =~ '"'[A-Z]+[[:space:]]([^[:space:]]+) ]]; then
                url="${BASH_REMATCH[1]:0:80}"
            else
                url="/"
            fi
            # Extract timestamp
            if [[ "$line" =~ \[([^]]+)\] ]]; then
                timestamp="${BASH_REMATCH[1]}"
            else
                timestamp="unknown"
            fi
            ((domain_count["$domain"]++))
            ((total_500s++))
            # Track IP in reputation database (500 error = slight increase in score)
            # Most 500s are due to server issues, not attacks, so low score increase
            increment_ip_hits "$ip" 1 >/dev/null 2>&1 &
            # Save for analysis
            echo "$domain|$user|$status|$url|$timestamp|$ip" >> "$ERRORS_500"
        fi
    done < <(tail -n 100000 "$log" 2>/dev/null)
 done < <(
    # Multi-panel log discovery
    case "$CONTROL_PANEL" in
        cpanel)
            # cPanel: Centralized domlogs
            find "$DOMLOGS_DIR" -type f ! -name "*bytes_log" ! -name "*offset*" ! -name "*error_log" ! -name "*ftpxferlog*" ! -name "*-ssl_log" 2>/dev/null
            ;;
        interworx)
            # InterWorx: Per-domain logs in user homes (uses 'transfer.log')
            find /home/*/var/*/logs -type f -name "transfer.log" 2>/dev/null
            ;;
        plesk)
            # Plesk: System vhosts logs
            find /var/www/vhosts/system/*/logs -type f \( -name "access_log" -o -name "access_ssl_log" \) 2>/dev/null
            ;;
        *)
            # Standalone: Try common locations
            if [ -f "/var/log/httpd/access_log" ]; then echo "/var/log/httpd/access_log"; fi
            if [ -f "/var/log/apache2/access.log" ]; then echo "/var/log/apache2/access.log"; fi
            ;;
    esac
 )
 if [ "$total_500s" -eq 0 ]; then
    echo ""
    echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
    echo -e "${GREEN} ✓ NO 500 ERRORS FOUND IN LAST $HOURS_TO_SCAN HOURS!${NC}"
    echo -e "${GREEN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
    echo ""
    exit 0
 fi
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo " 500 ERRORS DETECTED: $total_500s errors (filtered out $filtered_bots bot/scanner requests)"
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo ""
 echo -e "${RED}${BOLD}TOP AFFECTED DOMAINS:${NC}"
 echo ""
 # Sort and display top domains
 for domain in "${!domain_count[@]}"; do
    echo "${domain_count[$domain]} $domain ${domain_user[$domain]}"
 done | sort -rn | head -10 | while read count domain user; do
    printf "  ${RED}●${NC} %-40s ${BOLD}%4d errors${NC}  (user: %s)\n" "$domain" "$count" "$user"
 done
 echo ""
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo " DIAGNOSING ROOT CAUSES"
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo ""
 # Detailed diagnostic tracking - per URL/file
 DETAILED_DIAGNOSIS="$TEMP_DIR/detailed_diagnosis.txt"
 > "$DETAILED_DIAGNOSIS"
 declare -A diagnosed_causes
 declare -A cause_examples
 total_to_diagnose=$(wc -l < "$ERRORS_500")
 current_line=0
 echo "Analyzing $total_to_diagnose errors for root causes..."
 echo ""
 while IFS='|' read -r domain user status url timestamp ip; do
    [ -z "$domain" ] && continue
    ((current_line++))
    # Show progress every 500 errors
    if [ $((current_line % 500)) -eq 0 ]; then
        echo -ne "\rAnalyzed $current_line / $total_to_diagnose errors..."
    fi
    diagnosis=""
    cause="UNKNOWN"
    specific_file=""
    # Get document root
    docroot="/home/$user/public_html"
    # Try to determine the actual file being requested
    if [[ "$url" =~ ^/([^?]+) ]]; then
        url_path="${BASH_REMATCH[1]}"
        # Handle common patterns
        if [ -z "$url_path" ] || [ "$url_path" = "/" ]; then
            possible_files=("$docroot/index.php" "$docroot/index.html")
        elif [[ "$url_path" =~ \.php$ ]]; then
            possible_files=("$docroot/$url_path")
        else
            possible_files=("$docroot/$url_path" "$docroot/${url_path}.php" "$docroot/$url_path/index.php")
        fi
        # Find the actual file
        for pf in "${possible_files[@]}"; do
            if [ -f "$pf" ]; then
                specific_file="$pf"
                break
            fi
        done
    fi
    # Find PHP error log - check multiple locations
    error_log=""
    if [ "$user" != "unknown" ]; then
        for potential_log in \
            "/home/$user/public_html/error_log" \
            "/home/$user/logs/error_log" \
            "/home/$user/error_log" \
            "/var/log/apache2/domlogs/$domain-error_log" \
            "/usr/local/apache/domlogs/$domain"; do
            if [ -f "$potential_log" ]; then
                error_log="$potential_log"
                break
            fi
        done
    fi
    # Check if error log exists and has recent errors
    if [ -n "$error_log" ] && [ -f "$error_log" ]; then
        # Look for errors matching this URL/timestamp
        recent_error=$(tail -1000 "$error_log" | grep -F "$url" | tail -1)
        # If no URL match, get most recent error
        [ -z "$recent_error" ] && recent_error=$(tail -500 "$error_log" | grep -E "Fatal error|Parse error|syntax error|memory.*exhausted|database|MySQL|Permission denied|failed to open stream" | tail -1)
        if [ -n "$recent_error" ]; then
            # Extract file path from error if present
            if [[ "$recent_error" =~ in[[:space:]](/[^:]+\.php) ]]; then
                error_file="${BASH_REMATCH[1]}"
                specific_file="$error_file"
            fi
            # Determine cause and diagnose
            if [[ "$recent_error" =~ (memory.*exhausted|Allowed memory size) ]]; then
                cause="PHP_MEMORY_EXHAUSTED"
                # Check current memory limit
                mem_limit=$(grep -h "memory_limit" "$docroot/.user.ini" "$docroot/../.php.ini" 2>/dev/null | tail -1 | cut -d'=' -f2 | tr -d ' ')
                [ -z "$mem_limit" ] && mem_limit=$(php -r "echo ini_get('memory_limit');" 2>/dev/null)
                diagnosis="$domain$url - Memory exhausted (current limit: ${mem_limit:-unknown})"
                [ -n "$specific_file" ] && diagnosis="$diagnosis - File: $specific_file"
            elif [[ "$recent_error" =~ (failed to open stream|Permission denied) ]]; then
                cause="PERMISSION_ERROR"
                # Extract the file with permission issue
                if [[ "$recent_error" =~ failed\ to\ open\ stream.*\'([^\']+)\' ]]; then
                    perm_file="${BASH_REMATCH[1]}"
                elif [[ "$recent_error" =~ Permission\ denied.*\'([^\']+)\' ]]; then
                    perm_file="${BASH_REMATCH[1]}"
                else
                    perm_file="$specific_file"
                fi
                # Check permissions on that specific file
                if [ -n "$perm_file" ] && [ -e "$perm_file" ]; then
                    file_perms=$(stat -c "%a" "$perm_file" 2>/dev/null)
                    file_owner=$(stat -c "%U:%G" "$perm_file" 2>/dev/null)
                    diagnosis="$domain$url - Permission denied on: $perm_file (perms: $file_perms, owner: $file_owner)"
                    # Check if file is readable by Apache
                    if [ -f "$perm_file" ]; then
                        if ! sudo -u nobody test -r "$perm_file" 2>/dev/null; then
                            diagnosis="$diagnosis - File NOT readable by Apache (nobody user)"
                        fi
                    fi
                else
                    diagnosis="$domain$url - Permission denied (file in error: $perm_file - does not exist)"
                fi
            elif [[ "$recent_error" =~ (Fatal error|PHP Fatal error) ]]; then
                if [[ "$recent_error" =~ (undefined function|Call to undefined function) ]]; then
                    cause="MISSING_PHP_FUNCTION"
                    # Extract function name
                    if [[ "$recent_error" =~ Call\ to\ undefined\ function\ ([a-zA-Z0-9_]+) ]]; then
                        missing_func="${BASH_REMATCH[1]}"
                        # Check which extension provides this function
                        ext_info=$(php -r "if(function_exists('$missing_func')) echo 'EXISTS'; else echo 'MISSING';" 2>&1)
                        diagnosis="$domain$url - Missing function: $missing_func"
                        [ -n "$specific_file" ] && diagnosis="$diagnosis - in file: $specific_file"
                    else
                        diagnosis="$domain$url - Missing PHP function - $recent_error"
                    fi
                else
                    cause="PHP_FATAL_ERROR"
                    diagnosis="$domain$url - PHP Fatal Error"
                    [ -n "$specific_file" ] && diagnosis="$diagnosis - File: $specific_file"
                    diagnosis="$diagnosis - ${recent_error:0:200}"
                fi
            elif [[ "$recent_error" =~ (Parse error|syntax error) ]]; then
                cause="PHP_SYNTAX_ERROR"
                # Extract line number if present
                if [[ "$recent_error" =~ line\ ([0-9]+) ]]; then
                    error_line="${BASH_REMATCH[1]}"
                    diagnosis="$domain$url - PHP Syntax Error at line $error_line"
                else
                    diagnosis="$domain$url - PHP Syntax Error"
                fi
                [ -n "$specific_file" ] && diagnosis="$diagnosis - File: $specific_file"
            elif [[ "$recent_error" =~ (database|MySQL|Can\'t connect|Access denied for user) ]]; then
                cause="DATABASE_CONNECTION"
                if [[ "$recent_error" =~ Access\ denied\ for\ user\ \'([^\']+)\' ]]; then
                    db_user="${BASH_REMATCH[1]}"
                    diagnosis="$domain$url - Database access denied for user: $db_user"
                elif [[ "$recent_error" =~ Unknown\ database\ \'([^\']+)\' ]]; then
                    db_name="${BASH_REMATCH[1]}"
                    diagnosis="$domain$url - Unknown database: $db_name"
                else
                    diagnosis="$domain$url - Database connection error"
                fi
                [ -n "$specific_file" ] && diagnosis="$diagnosis - from file: $specific_file"
            fi
            # Save detailed diagnosis only if we identified a specific cause
            if [ "$cause" != "UNKNOWN" ] && [ -n "$diagnosis" ]; then
                echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
                ((diagnosed_causes["$cause"]++))
                [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
            else
                # No matching error in error_log - run comprehensive checks
                if [ "$user" != "unknown" ]; then
                    issue_found=""
                    # Check 1: .htaccess issues
                    if [ -f "$docroot/.htaccess" ]; then
                        htaccess_file="$docroot/.htaccess"
                        htaccess_issues=""
                        # Invalid PHP directives
                        if grep -qE "^[[:space:]]*(php_value|php_flag|php_admin_value|php_admin_flag)" "$htaccess_file" 2>/dev/null; then
                            if ! apache2ctl -M 2>/dev/null | grep -q "php.*module"; then
                                htaccess_issues="PHP directives incompatible with FPM"
                            fi
                        fi
                        # Malformed RewriteRule
                        bad_rewrite=$(grep -nE "RewriteRule.*\[.*[^]]*$" "$htaccess_file" 2>/dev/null | head -1)
                        [ -n "$bad_rewrite" ] && htaccess_issues="${htaccess_issues:+$htaccess_issues; }Malformed RewriteRule: ${bad_rewrite:0:50}"
                        # Missing RewriteBase with RewriteRule
                        if grep -q "RewriteRule" "$htaccess_file" 2>/dev/null; then
                            if ! grep -q "RewriteBase" "$htaccess_file" 2>/dev/null; then
                                # Check if rules use relative paths
                                if grep -qE "RewriteRule.*\^[^/]" "$htaccess_file" 2>/dev/null; then
                                    htaccess_issues="${htaccess_issues:+$htaccess_issues; }Missing RewriteBase with relative paths"
                                fi
                            fi
                        fi
                        if [ -n "$htaccess_issues" ]; then
                            cause="HTACCESS_ERROR"
                            diagnosis="$domain$url - $htaccess_issues"
                            issue_found="yes"
                        fi
                    fi
                    # Check 2: PHP file exists and is readable
                    if [ -z "$issue_found" ] && [ -n "$specific_file" ]; then
                        if [ ! -f "$specific_file" ]; then
                            cause="FILE_NOT_FOUND"
                            diagnosis="$domain$url - File does not exist: $specific_file"
                            issue_found="yes"
                        elif [ ! -r "$specific_file" ]; then
                            file_perms=$(stat -c "%a" "$specific_file" 2>/dev/null)
                            cause="PERMISSION_ERROR"
                            diagnosis="$domain$url - File not readable: $specific_file (perms: $file_perms)"
                            issue_found="yes"
                        fi
                    fi
                    # Check 3: Document root permissions
                    if [ -z "$issue_found" ]; then
                        if [ ! -d "$docroot" ]; then
                            cause="DOCROOT_MISSING"
                            diagnosis="$domain$url - Document root does not exist: $docroot"
                            issue_found="yes"
                        else
                            docroot_perms=$(stat -c "%a" "$docroot" 2>/dev/null)
                            if [ "$docroot_perms" != "755" ] && [ "$docroot_perms" != "750" ] && [ "$docroot_perms" != "711" ]; then
                                cause="PERMISSION_ERROR"
                                diagnosis="$domain$url - Docroot bad perms: $docroot ($docroot_perms, should be 755)"
                                issue_found="yes"
                            fi
                        fi
                    fi
                    # Check 4: PHP handler/version issues
                    if [ -z "$issue_found" ] && [ -n "$specific_file" ] && [ -f "$specific_file" ]; then
                        # Check if PHP is configured for this domain
                        php_handler=$(grep -i "phpversion\|php_admin_value" /var/cpanel/userdata/$user/$domain 2>/dev/null | head -1)
                        if [ -z "$php_handler" ]; then
                            # Check if .htaccess tries to set PHP version but fails
                            if grep -qE "AddHandler.*php|SetHandler.*php" "$docroot/.htaccess" 2>/dev/null; then
                                cause="PHP_HANDLER_ERROR"
                                diagnosis="$domain$url - PHP handler misconfigured (check .htaccess AddHandler/SetHandler)"
                                issue_found="yes"
                            fi
                        fi
                    fi
                    # Check 5: WordPress-specific issues (if WP detected)
                    if [ -z "$issue_found" ] && [ -f "$docroot/wp-config.php" ]; then
                        # Check if wp-config.php is readable
                        if [ ! -r "$docroot/wp-config.php" ]; then
                            cause="PERMISSION_ERROR"
                            diagnosis="$domain$url - wp-config.php not readable"
                            issue_found="yes"
                        else
                            # Check for WP_DEBUG causing issues
                            if grep -q "define.*WP_DEBUG.*true" "$docroot/wp-config.php" 2>/dev/null; then
                                # Check if WP_DEBUG_DISPLAY is also true (can cause 500s with some errors)
                                if grep -q "define.*WP_DEBUG_DISPLAY.*true" "$docroot/wp-config.php" 2>/dev/null; then
                                    cause="WP_DEBUG_ERROR"
                                    diagnosis="$domain$url - WP_DEBUG_DISPLAY enabled (may cause 500 on warnings)"
                                    issue_found="yes"
                                fi
                            fi
                        fi
                    fi
                    # Save diagnosis if we found an issue
                    if [ -n "$issue_found" ] && [ -n "$diagnosis" ]; then
                        echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
                        ((diagnosed_causes["$cause"]++))
                        [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
                    else
                        ((diagnosed_causes["NO_PHP_ERROR_LOGGED"]++))
                    fi
                else
                    ((diagnosed_causes["NO_PHP_ERROR_LOGGED"]++))
                fi
            fi
        else
            # No error in error_log at all - check .htaccess
            if [ "$user" != "unknown" ] && [ -f "$docroot/.htaccess" ]; then
                htaccess_file="$docroot/.htaccess"
                htaccess_issues=""
                # Check for invalid PHP directives
                if grep -qE "^[[:space:]]*(php_value|php_flag|php_admin_value|php_admin_flag)" "$htaccess_file" 2>/dev/null; then
                    if ! apache2ctl -M 2>/dev/null | grep -q "php.*module"; then
                        htaccess_issues="PHP directives (php_value/php_flag) incompatible with current PHP handler (not mod_php)"
                    fi
                fi
                # Check for malformed RewriteRule
                bad_rewrite=$(grep -nE "RewriteRule.*\[.*[^]]*$" "$htaccess_file" 2>/dev/null | head -1)
                if [ -n "$bad_rewrite" ]; then
                    htaccess_issues="${htaccess_issues:+$htaccess_issues; }Malformed RewriteRule: $bad_rewrite"
                fi
                if [ -n "$htaccess_issues" ]; then
                    cause="HTACCESS_ERROR"
                    diagnosis="$domain$url - .htaccess error: $htaccess_issues"
                    echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
                    ((diagnosed_causes["$cause"]++))
                    [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
                else
                    ((diagnosed_causes["NO_PHP_ERROR_LOGGED"]++))
                fi
            else
                ((diagnosed_causes["NO_PHP_ERROR_LOGGED"]++))
            fi
        fi
    else
        # No error log found - check .htaccess and permissions thoroughly
        if [ "$user" != "unknown" ]; then
            htaccess_file="$docroot/.htaccess"
            if [ -f "$htaccess_file" ]; then
                # Check .htaccess file permissions first
                htaccess_perms=$(stat -c "%a" "$htaccess_file" 2>/dev/null)
                htaccess_owner=$(stat -c "%U:%G" "$htaccess_file" 2>/dev/null)
                # Check if readable by Apache
                htaccess_readable="yes"
                if ! sudo -u nobody test -r "$htaccess_file" 2>/dev/null; then
                    htaccess_readable="no"
                fi
                # Actually validate .htaccess syntax
                htaccess_test=$(apache2ctl -t 2>&1)
                htaccess_issues=""
                # Check for invalid directives
                if grep -qE "^[[:space:]]*(php_value|php_flag|php_admin_value|php_admin_flag)" "$htaccess_file" 2>/dev/null; then
                    if ! apache2ctl -M 2>/dev/null | grep -q "php.*module"; then
                        htaccess_issues="PHP directives (php_value/php_flag) incompatible with current PHP handler (not mod_php)"
                    fi
                fi
                # Check for malformed RewriteRule
                bad_rewrite=$(grep -nE "RewriteRule.*\[.*[^]]*$" "$htaccess_file" 2>/dev/null | head -1)
                if [ -n "$bad_rewrite" ]; then
                    htaccess_issues="${htaccess_issues:+$htaccess_issues; }Malformed RewriteRule: $bad_rewrite"
                fi
                # Check for RewriteCond without following RewriteRule
                orphan_cond=$(grep -n "RewriteCond" "$htaccess_file" | while read line; do
                    linenum=$(echo "$line" | cut -d: -f1)
                    nextline=$((linenum + 1))
                    next=$(sed -n "${nextline}p" "$htaccess_file")
                    if [[ ! "$next" =~ RewriteRule|RewriteCond ]]; then
                        echo "Line $linenum: RewriteCond without RewriteRule"
                    fi
                done | head -1)
                if [ -n "$orphan_cond" ]; then
                    htaccess_issues="${htaccess_issues:+$htaccess_issues; }$orphan_cond"
                fi
                # Check for syntax errors in .htaccess
                if echo "$htaccess_test" | grep -qi "syntax error"; then
                    syntax_err=$(echo "$htaccess_test" | grep -i "syntax error" | head -1)
                    htaccess_issues="${htaccess_issues:+$htaccess_issues; }Apache syntax error: $syntax_err"
                fi
                if [ "$htaccess_readable" = "no" ]; then
                    cause="PERMISSION_ERROR"
                    diagnosis="$domain$url - .htaccess not readable by Apache (perms: $htaccess_perms, owner: $htaccess_owner)"
                    echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
                    ((diagnosed_causes["$cause"]++))
                    [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
                elif [ -n "$htaccess_issues" ]; then
                    cause="HTACCESS_ERROR"
                    diagnosis="$domain$url - .htaccess error: $htaccess_issues"
                    echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
                    ((diagnosed_causes["$cause"]++))
                    [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
                else
                    # .htaccess appears valid - check document root and file permissions
                    docroot_perms=$(stat -c "%a" "$docroot" 2>/dev/null)
                    docroot_owner=$(stat -c "%U:%G" "$docroot" 2>/dev/null)
                    if [ "$docroot_perms" != "755" ] && [ "$docroot_perms" != "750" ]; then
                        cause="PERMISSION_ERROR"
                        diagnosis="$domain$url - Document root incorrect permissions (perms: $docroot_perms, owner: $docroot_owner, should be 755)"
                        echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
                        ((diagnosed_causes["$cause"]++))
                        [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
                    elif [ -n "$specific_file" ] && [ -f "$specific_file" ]; then
                        # Check the specific PHP file permissions
                        file_perms=$(stat -c "%a" "$specific_file" 2>/dev/null)
                        file_owner=$(stat -c "%U:%G" "$specific_file" 2>/dev/null)
                        file_readable="yes"
                        if ! sudo -u nobody test -r "$specific_file" 2>/dev/null; then
                            file_readable="no"
                        fi
                        if [ "$file_readable" = "no" ]; then
                            cause="PERMISSION_ERROR"
                            diagnosis="$domain$url - File not readable by Apache: $specific_file (perms: $file_perms, owner: $file_owner)"
                            echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
                            ((diagnosed_causes["$cause"]++))
                            [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
                        else
                            ((diagnosed_causes["NO_PHP_ERROR_LOGGED"]++))
                        fi
                    else
                        ((diagnosed_causes["NO_PHP_ERROR_LOGGED"]++))
                    fi
                fi
            else
                # No .htaccess - check document root and file permissions
                docroot_perms=$(stat -c "%a" "$docroot" 2>/dev/null)
                docroot_owner=$(stat -c "%U:%G" "$docroot" 2>/dev/null)
                if [ "$docroot_perms" != "755" ] && [ "$docroot_perms" != "750" ]; then
                    cause="PERMISSION_ERROR"
                    diagnosis="$domain$url - Document root incorrect permissions (perms: $docroot_perms, owner: $docroot_owner, should be 755)"
                    echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
                    ((diagnosed_causes["$cause"]++))
                    [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
                elif [ -n "$specific_file" ] && [ -f "$specific_file" ]; then
                    # Check the specific PHP file
                    file_perms=$(stat -c "%a" "$specific_file" 2>/dev/null)
                    file_owner=$(stat -c "%U:%G" "$specific_file" 2>/dev/null)
                    if ! sudo -u nobody test -r "$specific_file" 2>/dev/null; then
                        cause="PERMISSION_ERROR"
                        diagnosis="$domain$url - File not readable: $specific_file (perms: $file_perms, owner: $file_owner)"
                        echo "$cause|$diagnosis" >> "$DETAILED_DIAGNOSIS"
                        ((diagnosed_causes["$cause"]++))
                        [ -z "${cause_examples[$cause]}" ] && cause_examples["$cause"]="$diagnosis"
                    else
                        ((diagnosed_causes["NO_ERROR_LOG_FILE"]++))
                    fi
                else
                    ((diagnosed_causes["NO_ERROR_LOG_FILE"]++))
                fi
            fi
        else
            ((diagnosed_causes["NO_ERROR_LOG_FILE"]++))
        fi
    fi
 done < "$ERRORS_500"
 echo -e "\rAnalyzed $total_to_diagnose / $total_to_diagnose errors - Complete!     "
 echo ""
 # Display diagnosed causes
 echo -e "${CYAN}${BOLD}ROOT CAUSES IDENTIFIED:${NC}"
 echo ""
 for cause in "${!diagnosed_causes[@]}"; do
    count="${diagnosed_causes[$cause]}"
    echo "$count|$cause"
 done | sort -rn | while IFS='|' read count cause; do
    clean_cause=$(echo "$cause" | tr '_' ' ')
    case "$cause" in
        PHP_MEMORY_EXHAUSTED)
            echo -e "${RED}$clean_cause${NC} - $count occurrences"
            echo -e "   ${YELLOW}Fix:${NC} Increase memory_limit in /home/USER/public_html/.user.ini"
            echo -e "   ${YELLOW}Set:${NC} memory_limit = 512M"
            ;;
        PHP_FATAL_ERROR)
            echo -e "${RED}$clean_cause${NC} - $count occurrences"
            echo -e "   ${YELLOW}Fix:${NC} Review recent code/plugin changes"
            ;;
        PHP_SYNTAX_ERROR)
            echo -e "${RED}$clean_cause${NC} - $count occurrences"
            echo -e "   ${YELLOW}Fix:${NC} Check for PHP syntax errors in recent file edits"
            ;;
        MISSING_PHP_FUNCTION)
            echo -e "${RED}$clean_cause${NC} - $count occurrences"
            echo -e "   ${YELLOW}Fix:${NC} Install missing PHP extension (check error for which one)"
            ;;
        DATABASE_CONNECTION)
            echo -e "${RED}$clean_cause${NC} - $count occurrences"
            echo -e "   ${YELLOW}Fix:${NC} Check database credentials or MySQL service"
            ;;
        HTACCESS_ERROR)
            echo -e "${RED}.HTACCESS ERROR DETECTED${NC} - $count occurrences"
            ;;
        PERMISSION_ERROR)
            echo -e "${RED}PERMISSION ERROR DETECTED${NC} - $count occurrences"
            ;;
        NO_ERROR_LOG_FILE)
            echo -e "${YELLOW}$clean_cause${NC} - $count occurrences"
            echo -e "   ${YELLOW}Note:${NC} Checked multiple error_log locations - none found"
            echo -e "   ${YELLOW}Check:${NC} May need to enable PHP error logging"
            ;;
        NO_PHP_ERROR_LOGGED)
            echo -e "${YELLOW}$clean_cause${NC} - $count occurrences"
            echo -e "   ${YELLOW}Note:${NC} 500 error but no PHP error in log - likely .htaccess or Apache config"
            ;;
        FILE_NOT_FOUND)
            echo -e "${RED}$clean_cause${NC} - $count occurrences"
            echo -e "   ${YELLOW}Fix:${NC} Requested file does not exist - check URL or restore missing files"
            ;;
        PHP_HANDLER_ERROR)
            echo -e "${RED}PHP HANDLER ERROR${NC} - $count occurrences"
            echo -e "   ${YELLOW}Fix:${NC} PHP handler misconfigured - check cPanel PHP version or .htaccess AddHandler"
            ;;
        WP_DEBUG_ERROR)
            echo -e "${YELLOW}WORDPRESS DEBUG ERROR${NC} - $count occurrences"
            echo -e "   ${YELLOW}Fix:${NC} Disable WP_DEBUG_DISPLAY in wp-config.php or fix underlying warnings"
            ;;
        DOCROOT_MISSING)
            echo -e "${RED}$clean_cause${NC} - $count occurrences"
            echo -e "   ${YELLOW}Fix:${NC} Document root directory missing - restore from backup or check domain configuration"
            ;;
        UNKNOWN)
            # Skip - these are errors we couldn't diagnose
            ;;
        *)
            echo -e "${INFO_COLOR}$clean_cause${NC} - $count occurrences"
            ;;
    esac
    # Show example if we have one
    if [ -n "${cause_examples[$cause]}" ]; then
        example="${cause_examples[$cause]}"
        echo -e "   ${DIM}Example: ${example:0:120}...${NC}"
    fi
    echo ""
 done
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo " DETAILED 500 ERROR LIST"
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo ""
 # Show most frequent URLs getting 500s
 echo "Most Frequent 500 Error URLs:"
 echo ""
 cut -d'|' -f1,4 "$ERRORS_500" | sort | uniq -c | sort -rn | head -15 | while read count domain_url; do
    domain=$(echo "$domain_url" | cut -d'|' -f1)
    url=$(echo "$domain_url" | cut -d'|' -f2)
    user="${domain_user[$domain]}"
    printf "  ${RED}%4d×${NC} %s%s ${DIM}(user: %s)${NC}\n" "$count" "$domain" "$url" "$user"
 done
 echo ""
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo " SPECIFIC DIAGNOSTICS (per URL/file)"
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo ""
 # Show detailed diagnostics grouped by cause and issue pattern
 if [ -f "$DETAILED_DIAGNOSIS" ] && [ -s "$DETAILED_DIAGNOSIS" ]; then
    for cause_type in PHP_MEMORY_EXHAUSTED PERMISSION_ERROR HTACCESS_ERROR PHP_FATAL_ERROR PHP_SYNTAX_ERROR MISSING_PHP_FUNCTION DATABASE_CONNECTION FILE_NOT_FOUND PHP_HANDLER_ERROR WP_DEBUG_ERROR DOCROOT_MISSING; do
        cause_count=$(grep "^${cause_type}|" "$DETAILED_DIAGNOSIS" 2>/dev/null | wc -l)
        cause_count=${cause_count//[^0-9]/}  # Remove any non-numeric characters
        cause_count=${cause_count:-0}  # Default to 0 if empty
        if [ "$cause_count" -gt 0 ]; then
            cause_display=$(echo "$cause_type" | tr '_' ' ')
            echo -e "${RED}${BOLD}$cause_display ($cause_count occurrences)${NC}"
            echo ""
            # Group by unique error pattern (not domain)
            declare -A issue_domains
            # First pass: collect all domains per issue pattern
            declare -A pattern_domains_temp
            while IFS='|' read -r ctype full_diag; do
                # Extract just the error part (after domain/)
                issue_pattern=$(echo "$full_diag" | sed 's/^[^ ]* - //')
                domain_part=$(echo "$full_diag" | grep -oP '^[^/]+')
                # Append to temporary storage
                pattern_domains_temp[$issue_pattern]+="$domain_part"$'\n'
            done < <(grep "^${cause_type}|" "$DETAILED_DIAGNOSIS" 2>/dev/null)
            # Second pass: deduplicate and limit to 5 unique domains per pattern
            for pattern in "${!pattern_domains_temp[@]}"; do
                # Get unique domains, limit to 5
                unique_list=$(echo "${pattern_domains_temp[$pattern]}" | sort -u | head -5 | tr '\n' ',')
                # Remove trailing comma
                unique_list=${unique_list%,}
                # Count total unique domains
                total_unique=$(echo "${pattern_domains_temp[$pattern]}" | sort -u | wc -l)
                # Add "..." if there are more than 5
                if [ "$total_unique" -gt 5 ]; then
                    unique_list="$unique_list,..."
                fi
                issue_domains[$pattern]="$unique_list"
            done
            unset pattern_domains_temp
            # Display grouped issues
            shown=0
            for pattern in "${!issue_domains[@]}"; do
                [ $shown -ge 10 ] && break
                ((shown++))
                domains="${issue_domains[$pattern]}"
                domain_count=$(echo "$domains" | tr ',' '\n' | grep -v '^\.\.\.$' | wc -l)
                echo -e "  ${YELLOW}Issue:${NC} $pattern"
                echo -e "  ${DIM}Affected ($domain_count):${NC} ${domains//,/, }"
                echo ""
            done
            if [ "${#issue_domains[@]}" -gt 10 ]; then
                remaining=$((${#issue_domains[@]} - 10))
                echo -e "  ${DIM}... and $remaining more issue patterns${NC}"
                echo ""
            fi
            unset issue_domains
        fi
    done
 else
    echo "No detailed diagnostics available."
    echo ""
 fi
 echo "Full error list saved to: $ERRORS_500"
 echo "Detailed diagnostics saved to: $DETAILED_DIAGNOSIS"
 echo ""
 press_enter
@@ -12,15 +12,19 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 source "$SCRIPT_DIR/lib/user-manager.sh"
 source "$SCRIPT_DIR/lib/ip-reputation.sh"
-# Configuration
+# Configuration - Use system-detected paths
-APACHE_ERROR_LOG="/var/log/apache2/error_log"
+APACHE_ERROR_LOG="/var/log/apache2/error_log"  # Will be auto-detected
-DOMLOGS_DIR="/var/log/apache2/domlogs"
+DOMLOGS_DIR="${SYS_LOG_DIR}"  # From system-detect.sh
-MODSEC_AUDIT_LOG="/usr/local/apache/logs/modsec_audit.log"
+MODSEC_AUDIT_LOG="/usr/local/apache/logs/modsec_audit.log"  # Will be auto-detected
 HOURS_TO_ANALYZE=24
 FILTER_USER=""
 FILTER_DOMAIN=""
 # Multi-panel support
 CONTROL_PANEL="${SYS_CONTROL_PANEL}"
 print_banner "Intelligent Website Error Analyzer"
 echo ""
@@ -46,26 +50,42 @@ echo -e "${CYAN}Analysis Scope:${NC}"
 echo "  1) All users/domains (default)"
 echo "  2) Specific cPanel user"
 echo "  3) Specific domain"
 echo "  0) Cancel and return to menu"
 echo ""
 read -p "Select option [1]: " scope_choice
 scope_choice=${scope_choice:-1}
 case $scope_choice in
    0)
        echo ""
        echo "Analysis cancelled."
        echo ""
        exit 0
        ;;
    2)
        # Select specific user
        select_user_interactive "Select cPanel user to analyze"
        if [ -n "$SELECTED_USER" ]; then
            FILTER_USER="$SELECTED_USER"
            echo "→ Filtering for user: $FILTER_USER"
        else
            echo ""
            echo "No user selected. Analysis cancelled."
            echo ""
            exit 0
        fi
        ;;
    3)
        # Enter specific domain
        echo ""
-        read -p "Enter domain name (e.g., example.com): " FILTER_DOMAIN
+        read -p "Enter domain name (e.g., example.com) or 0 to cancel: " FILTER_DOMAIN
-        if [ -n "$FILTER_DOMAIN" ]; then
+        if [ "$FILTER_DOMAIN" = "0" ] || [ -z "$FILTER_DOMAIN" ]; then
-            echo "→ Filtering for domain: $FILTER_DOMAIN"
+            echo ""
            echo "Analysis cancelled."
            echo ""
            exit 0
        fi
        echo "→ Filtering for domain: $FILTER_DOMAIN"
        ;;
    *)
        echo "→ Analyzing all users/domains"
@@ -81,11 +101,18 @@ echo "  2) Last 6 hours"
 echo "  3) Last 24 hours (default)"
 echo "  4) Last 7 days"
 echo "  5) Last 30 days"
 echo "  0) Cancel and return to menu"
 echo ""
 read -p "Select option [3]: " time_choice
 time_choice=${time_choice:-3}
 case $time_choice in
    0)
        echo ""
        echo "Analysis cancelled."
        echo ""
        exit 0
        ;;
    1) HOURS_TO_ANALYZE=1 ;;
    2) HOURS_TO_ANALYZE=6 ;;
    3) HOURS_TO_ANALYZE=24 ;;
@@ -118,52 +145,161 @@ if [ -z "$FILTER_USER" ] && [ -z "$FILTER_DOMAIN" ]; then
    done
 fi
-# Per-domain PHP error logs in public_html
+# Per-domain PHP error logs - Multi-panel support
 if [ -n "$FILTER_USER" ]; then
    # Specific user
    find "/home/$FILTER_USER" -name "error_log" -type f 2>/dev/null | while read -r log; do
        echo "$log|php_$FILTER_USER" >> "$LOG_FILES_LIST"
    done
 elif [ -n "$FILTER_DOMAIN" ]; then
-    # Try to find domain's user and error logs
+    # Try to find domain's user using multi-panel method
-    user=$(grep -l "DNS.*$FILTER_DOMAIN" /var/cpanel/users/* 2>/dev/null | head -1 | xargs basename 2>/dev/null)
+    user=""
    case "$CONTROL_PANEL" in
        cpanel)
            user=$(grep "^${FILTER_DOMAIN}:" /etc/userdatadomains 2>/dev/null | cut -d: -f2 | awk -F'==' '{print $1}' | head -1)
            ;;
        interworx)
            user=$(grep -l "ServerName ${FILTER_DOMAIN}" /etc/httpd/conf.d/vhost_*.conf 2>/dev/null | head -1 | \
                   xargs grep "SuexecUserGroup" 2>/dev/null | awk '{print $2}')
            ;;
        plesk)
            # Plesk domain-to-user lookup would require DB query
            user=$(plesk bin subscription --info "$FILTER_DOMAIN" 2>/dev/null | grep "Owner" | awk '{print $2}')
            ;;
    esac
    if [ -n "$user" ]; then
        find "/home/$user" -name "error_log" -type f 2>/dev/null | while read -r log; do
            echo "$log|php_$FILTER_DOMAIN" >> "$LOG_FILES_LIST"
        done
    fi
 else
-    # All users
+    # All users - Search based on control panel structure
-    find /home/*/public_html -name "error_log" -type f 2>/dev/null | while read -r log; do
+    case "$CONTROL_PANEL" in
-        username=$(echo "$log" | grep -oE '/home/[^/]+' | sed 's|/home/||')
+        cpanel)
-        echo "$log|php_$username" >> "$LOG_FILES_LIST"
+            find /home/*/public_html -name "error_log" -type f 2>/dev/null | while read -r log; do
-    done
+                username=$(echo "$log" | grep -oE '/home/[^/]+' | sed 's|/home/||')
                echo "$log|php_$username" >> "$LOG_FILES_LIST"
            done
            ;;
        interworx)
            find /home/*/*/html -name "error_log" -type f 2>/dev/null | while read -r log; do
                username=$(echo "$log" | grep -oE '/home/[^/]+' | sed 's|/home/||')
                echo "$log|php_$username" >> "$LOG_FILES_LIST"
            done
            ;;
        plesk)
            find /var/www/vhosts/*/httpdocs -name "error_log" -type f 2>/dev/null | while read -r log; do
                domain=$(echo "$log" | grep -oE '/vhosts/[^/]+' | sed 's|/vhosts/||')
                echo "$log|php_$domain" >> "$LOG_FILES_LIST"
            done
            ;;
        *)
            # Standalone - try common locations
            find /var/www/html -name "error_log" -type f 2>/dev/null | while read -r log; do
                echo "$log|php_standalone" >> "$LOG_FILES_LIST"
            done
            ;;
    esac
 fi
-# Per-domain Apache logs in domlogs
+# Per-domain Apache logs - Multi-panel support
-if [ -d "$DOMLOGS_DIR" ]; then
+case "$CONTROL_PANEL" in
-    if [ -n "$FILTER_DOMAIN" ]; then
+    cpanel)
-        # Specific domain
+        # cPanel: Centralized domlogs directory
-        for log in "$DOMLOGS_DIR/$FILTER_DOMAIN" "$DOMLOGS_DIR/$FILTER_DOMAIN-"*; do
+        if [ -d "$DOMLOGS_DIR" ]; then
-            [ -f "$log" ] && echo "$log|domlog_$FILTER_DOMAIN" >> "$LOG_FILES_LIST"
+            if [ -n "$FILTER_DOMAIN" ]; then
-        done
+                # Specific domain
-    elif [ -n "$FILTER_USER" ]; then
+                for log in "$DOMLOGS_DIR/$FILTER_DOMAIN" "$DOMLOGS_DIR/$FILTER_DOMAIN-"*; do
-        # Specific user - find their domains
+                    [ -f "$log" ] && echo "$log|domlog_$FILTER_DOMAIN" >> "$LOG_FILES_LIST"
        if [ -f "/var/cpanel/users/$FILTER_USER" ]; then
            grep "^DNS" "/var/cpanel/users/$FILTER_USER" | awk '{print $2}' | while read -r domain; do
                for log in "$DOMLOGS_DIR/$domain" "$DOMLOGS_DIR/$domain-"*; do
                    [ -f "$log" ] && echo "$log|domlog_$domain" >> "$LOG_FILES_LIST"
                done
            elif [ -n "$FILTER_USER" ]; then
                # Specific user - use get_user_domains from user-manager.sh
                local user_domains=$(get_user_domains "$FILTER_USER" 2>/dev/null)
                if [ -n "$user_domains" ]; then
                    while IFS= read -r domain; do
                        for log in "$DOMLOGS_DIR/$domain" "$DOMLOGS_DIR/$domain-"*; do
                            [ -f "$log" ] && echo "$log|domlog_$domain" >> "$LOG_FILES_LIST"
                        done
                    done <<< "$user_domains"
                fi
            else
                # All domains
                for log in "$DOMLOGS_DIR"/*; do
                    [ -f "$log" ] && ! [[ "$log" =~ (bytes_log|offset|error_log|ftpxferlog)$ ]] && \
                        echo "$log|domlog_$(basename "$log")" >> "$LOG_FILES_LIST"
                done
            fi
        fi
        ;;
    interworx)
        # InterWorx: Per-domain logs in user home directories
        if [ -n "$FILTER_DOMAIN" ]; then
            # Specific domain - find its user
            local user=$(grep -l "ServerName ${FILTER_DOMAIN}" /etc/httpd/conf.d/vhost_*.conf 2>/dev/null | head -1 | \
                         xargs grep "SuexecUserGroup" 2>/dev/null | awk '{print $2}')
            if [ -n "$user" ]; then
                local log="/home/${user}/var/${FILTER_DOMAIN}/logs/transfer.log"
                [ -f "$log" ] && echo "$log|domlog_$FILTER_DOMAIN" >> "$LOG_FILES_LIST"
            fi
        elif [ -n "$FILTER_USER" ]; then
            # Specific user - get their domains
            local user_domains=$(get_user_domains "$FILTER_USER" 2>/dev/null)
            if [ -n "$user_domains" ]; then
                while IFS= read -r domain; do
                    local log="/home/${FILTER_USER}/var/${domain}/logs/transfer.log"
                    [ -f "$log" ] && echo "$log|domlog_$domain" >> "$LOG_FILES_LIST"
                done <<< "$user_domains"
            fi
        else
            # All domains - find all transfer.log files (InterWorx uses 'transfer.log' not 'access_log')
            find /home/*/var/*/logs -type f -name "transfer.log" 2>/dev/null | while read -r log; do
                local domain=$(echo "$log" | grep -oE '/var/[^/]+' | sed 's|/var/||')
                echo "$log|domlog_$domain" >> "$LOG_FILES_LIST"
            done
        fi
-    else
+        ;;
-        # All domains
+
-        for log in "$DOMLOGS_DIR"/*; do
+    plesk)
-            [ -f "$log" ] && ! [[ "$log" =~ (bytes_log|offset|error_log|ftpxferlog)$ ]] && \
+        # Plesk: System vhosts logs
-                echo "$log|domlog_$(basename "$log")" >> "$LOG_FILES_LIST"
+        if [ -n "$FILTER_DOMAIN" ]; then
-        done
+            # Specific domain
-    fi
+            for log in /var/www/vhosts/system/"$FILTER_DOMAIN"/logs/access_log \
-fi
+                       /var/www/vhosts/system/"$FILTER_DOMAIN"/logs/access_ssl_log; do
                [ -f "$log" ] && echo "$log|domlog_$FILTER_DOMAIN" >> "$LOG_FILES_LIST"
            done
        elif [ -n "$FILTER_USER" ]; then
            # Specific user - get their domains
            local user_domains=$(get_user_domains "$FILTER_USER" 2>/dev/null)
            if [ -n "$user_domains" ]; then
                while IFS= read -r domain; do
                    for log in /var/www/vhosts/system/"$domain"/logs/access_log \
                               /var/www/vhosts/system/"$domain"/logs/access_ssl_log; do
                        [ -f "$log" ] && echo "$log|domlog_$domain" >> "$LOG_FILES_LIST"
                    done
                done <<< "$user_domains"
            fi
        else
            # All domains
            find /var/www/vhosts/system/*/logs -type f \( -name "access_log" -o -name "access_ssl_log" \) 2>/dev/null | \
            while read -r log; do
                local domain=$(echo "$log" | grep -oE '/system/[^/]+' | sed 's|/system/||')
                echo "$log|domlog_$domain" >> "$LOG_FILES_LIST"
            done
        fi
        ;;
    *)
        # Standalone Apache - try common locations
        if [ -f "/var/log/httpd/access_log" ]; then
            echo "/var/log/httpd/access_log|domlog_standalone" >> "$LOG_FILES_LIST"
        fi
        if [ -f "/var/log/apache2/access.log" ]; then
            echo "/var/log/apache2/access.log|domlog_standalone" >> "$LOG_FILES_LIST"
        fi
        ;;
 esac
 # ModSecurity audit log (only if not filtering or matches filter)
 if [ -f "$MODSEC_AUDIT_LOG" ]; then
@@ -190,127 +326,200 @@ echo ""
 is_noise() {
    local line="$1"
    local line_lower="${line,,}"  # Convert to lowercase once
    # Bot/Scanner patterns
-    if echo "$line" | grep -qiE "bot|crawler|spider|scanner|nikto|nmap|masscan|sqlmap|nessus|acunetix|burp|shodan|censys|zgrab|nuclei|semrush|ahrefs|mj12"; then
+    [[ "$line_lower" =~ (bot|crawler|spider|scanner|nikto|nmap|masscan|sqlmap|nessus|acunetix|burp|shodan|censys|zgrab|nuclei|semrush|ahrefs|mj12) ]] && return 0
        return 0
    fi
    # Known scanner IPs
-    if echo "$line" | grep -qE "45\.148\.|185\.220\.|89\.248\.165\."; then
+    [[ "$line" =~ (45\.148\.|185\.220\.|89\.248\.165\.) ]] && return 0
        return 0
    fi
    # WordPress plugin deprecation warnings (not user-facing)
-    if echo "$line" | grep -qiE "PHP Deprecated|Deprecated.*plugin|call_user_func_array.*deprecated"; then
+    [[ "$line" =~ (PHP\ Deprecated|Deprecated.*plugin|call_user_func_array.*deprecated) ]] && return 0
        return 0
    fi
-    # Non-critical PHP notices
+    # Non-critical PHP notices (unless critical indicators present)
-    if echo "$line" | grep -qiE "PHP Notice.*Undefined (variable|index|offset)" && \
+    if [[ "$line" =~ PHP\ Notice.*Undefined\ (variable|index|offset) ]] && ! [[ "$line_lower" =~ (fatal|error\ 500|white\ screen) ]]; then
       ! echo "$line" | grep -qiE "fatal|error 500|white screen"; then
        return 0
    fi
    # Missing favicon/common assets (not real errors)
-    if echo "$line" | grep -qiE "favicon\.ico|apple-touch-icon|robots\.txt|sitemap\.xml.*404"; then
+    [[ "$line_lower" =~ (favicon\.ico|apple-touch-icon|robots\.txt|sitemap\.xml.*404) ]] && return 0
        return 0
    fi
    # Security probes
-    if echo "$line" | grep -qiE "wp-admin|wp-login|phpMyAdmin|phpmyadmin|\.env|\.git|config\.php|xmlrpc|eval-stdin|shell\.php|c99\.php|r57\.php|adminer\.php" && \
+    if [[ "$line_lower" =~ (wp-admin|wp-login|phpmyadmin|\.env|\.git|config\.php|xmlrpc|eval-stdin|shell\.php|c99\.php|r57\.php|adminer\.php) ]] && \
-       echo "$line" | grep -qiE "404|403|not found"; then
+       [[ "$line" =~ (404|403|not\ found) ]]; then
        return 0
    fi
    # WordPress auto-updates and cron (normal operations)
-    if echo "$line" | grep -qiE "wp-cron\.php|doing_cron|auto.*update"; then
+    [[ "$line_lower" =~ (wp-cron\.php|doing_cron|auto.*update) ]] && return 0
        return 0
    fi
    # Common plugin update checks (not errors)
-    if echo "$line" | grep -qiE "update-check|version-check|api\.wordpress\.org"; then
+    [[ "$line_lower" =~ (update-check|version-check|api\.wordpress\.org) ]] && return 0
        return 0
    fi
    return 1
 }
 is_critical_user_facing() {
    local line="$1"
    local line_lower="${line,,}"
    # 500 Internal Server Error (users see white page)
-    if echo "$line" | grep -qiE " 500 |Internal Server Error"; then
+    [[ "$line" =~ (\ 500\ |Internal\ Server\ Error) ]] && return 0
        return 0
    fi
    # PHP Fatal Errors (breaks functionality)
-    if echo "$line" | grep -qiE "PHP Fatal error|Fatal error:.*in /"; then
+    [[ "$line" =~ (PHP\ Fatal\ error|Fatal\ error:.*in\ /) ]] && return 0
        return 0
    fi
    # PHP Parse Errors (site completely broken)
-    if echo "$line" | grep -qiE "PHP Parse error|syntax error"; then
+    [[ "$line" =~ (PHP\ Parse\ error|syntax\ error) ]] && return 0
        return 0
    fi
    # Database connection failures (site down)
-    if echo "$line" | grep -qiE "Error establishing.*database|Can't connect.*MySQL|Access denied for user.*database|Too many connections|MySQL server has gone away"; then
+    [[ "$line" =~ (Error\ establishing.*database|Can\'t\ connect.*MySQL|Access\ denied\ for\ user.*database|Too\ many\ connections|MySQL\ server\ has\ gone\ away) ]] && return 0
        return 0
    fi
    # Memory exhaustion (white screen/incomplete pages)
-    if echo "$line" | grep -qiE "Allowed memory size.*exhausted|Out of memory|Fatal.*memory"; then
+    [[ "$line" =~ (Allowed\ memory\ size.*exhausted|Out\ of\ memory|Fatal.*memory) ]] && return 0
        return 0
    fi
    # Segmentation fault (complete crash)
-    if echo "$line" | grep -qiE "Segmentation fault|signal 11"; then
+    [[ "$line" =~ (Segmentation\ fault|signal\ 11) ]] && return 0
        return 0
    fi
    # Permission denied on critical files
-    if echo "$line" | grep -qiE "Permission denied" && \
+    if [[ "$line" =~ Permission\ denied ]] && [[ "$line" =~ (index\.php|wp-config\.php|\.htaccess|config\.php) ]]; then
       echo "$line" | grep -qE "index\.php|wp-config\.php|\.htaccess|config\.php"; then
        return 0
    fi
    # File not found for MAIN page (404 on homepage/index)
-    if echo "$line" | grep -qiE "File does not exist.*index\.(php|html)" || \
+    [[ "$line" =~ (File\ does\ not\ exist.*index\.(php|html)|\ 404\ .*\"\ \"GET\ /) ]] && return 0
       echo "$line" | grep -qE " 404 .*\" \"GET / "; then
        return 0
    fi
    return 1
 }
 extract_useful_info() {
    local line="$1"
    local domain="unknown"
    local file_path=""
    local error_msg
-    # Extract domain
+    # Extract domain using bash regex (faster than grep|sed pipeline)
-    domain=$(echo "$line" | grep -oE '\[vhost [^:]+' | sed 's/\[vhost //' || \
+    if [[ "$line" =~ \[vhost\ ([^:]+) ]]; then
-             echo "$line" | grep -oE '[a-zA-Z0-9.-]+\.(com|net|org|io|co|uk|us|dev)' | head -1 || \
+        domain="${BASH_REMATCH[1]}"
-             echo "$line" | grep -oE '/home/[^/]+' | sed 's|/home/||' || echo "unknown")
+    elif [[ "$line" =~ ([a-zA-Z0-9.-]+\.(com|net|org|io|co|uk|us|dev)) ]]; then
-
+        domain="${BASH_REMATCH[1]}"
-    # Extract file path if PHP error
+    elif [[ "$line" =~ /home/([^/]+) ]]; then
-    file_path=$(echo "$line" | grep -oE "in /[^ ]+\.php" | sed 's/in //' || echo "")
+        domain="${BASH_REMATCH[1]}"
    # Extract error message (clean up ModSec noise, timestamps, etc.)
    error_msg=$(echo "$line" | \
                sed 's/^\[.*\] //' | \
                sed 's/\[client [^]]*\] //' | \
                sed 's/\[unique_id "[^"]*"\]//g' | \
                sed 's/\[pid [^]]*\]//g' | \
                sed 's/\[tid [^]]*\]//g' | \
                grep -v "^$" | \
                cut -c1-150)
    # Skip if error message is empty or just whitespace
    if [ -z "$(echo "$error_msg" | tr -d '[:space:]')" ]; then
        return 1
    fi
-    echo "$domain|$file_path|$error_msg"
+    # Extract file path if PHP error
    if [[ "$line" =~ in\ (/[^ ]+\.php) ]]; then
        file_path="${BASH_REMATCH[1]}"
    fi
    # Extract error message (clean up ModSec noise, timestamps, etc.)
    # Use single sed command instead of pipeline
    error_msg=$(echo "$line" | sed -E 's/^\[.*\] //; s/\[client [^]]*\] //; s/\[unique_id "[^"]*"\]//g; s/\[pid [^]]*\]//g; s/\[tid [^]]*\]//g' | cut -c1-150)
    # Skip if error message is empty or just whitespace
    error_msg="${error_msg#"${error_msg%%[![:space:]]*}"}"  # ltrim
    error_msg="${error_msg%"${error_msg##*[![:space:]]}"}"  # rtrim
    [ -z "$error_msg" ] && return 1
    # Correlate to root cause
    local root_cause=$(correlate_root_cause "$line" "$error_msg" "$domain")
    echo "$domain|$file_path|$error_msg|$root_cause"
 }
 correlate_root_cause() {
    local line="$1"
    local error_msg="$2"
    local domain="$3"
    local cause="UNKNOWN"
    local line_lower="${line,,}"
    local error_lower="${error_msg,,}"
    # .htaccess issues
    if [[ "$line_lower" =~ (\.htaccess|invalid\ command|rewriterule|rewritecond) ]]; then
        cause="HTACCESS"
    # ModSecurity blocks
    elif [[ "$line_lower" =~ (modsecurity|mod_security|waf) ]]; then
        cause="MODSECURITY"
    # PHP memory limit
    elif [[ "$error_lower" =~ (memory.*exhausted|allowed\ memory\ size) ]]; then
        # Get current memory limit for this domain/user
        if [ -n "$domain" ] && [ "$domain" != "unknown" ]; then
            user=$(grep -l "DNS.*$domain" /var/cpanel/users/* 2>/dev/null | head -1 | xargs basename 2>/dev/null)
            if [ -n "$user" ]; then
                mem_limit=$(grep -h "memory_limit" /home/$user/public_html/.user.ini /home/$user/.php.ini 2>/dev/null | tail -1 | cut -d'=' -f2 | tr -d ' ')
                [ -n "$mem_limit" ] && cause="PHP_MEMORY:$mem_limit" || cause="PHP_MEMORY:default"
            else
                cause="PHP_MEMORY"
            fi
        else
            cause="PHP_MEMORY"
        fi
    # PHP max execution time
    elif [[ "$error_lower" =~ (max_execution_time|maximum\ execution\ time) ]]; then
        cause="PHP_TIMEOUT"
    # PHP upload/post size limits
    elif [[ "$error_lower" =~ (upload_max_filesize|post_max_size) ]]; then
        cause="PHP_UPLOAD_LIMIT"
    # File permissions
    elif [[ "$error_lower" =~ (permission\ denied|failed\ to\ open\ stream.*permission) ]]; then
        cause="FILE_PERMISSIONS"
    # Missing PHP modules/extensions
    elif [[ "$error_lower" =~ (undefined\ function|call\ to\ undefined\ function|class\ .*\ not\ found) ]]; then
        # Try to identify which module
        if [[ "$error_lower" =~ (imagecreate|imagefilter|gd_) ]]; then
            cause="MISSING_PHP_GD"
        elif [[ "$error_msg" =~ (curl_|CURL) ]]; then
            cause="MISSING_PHP_CURL"
        elif [[ "$error_msg" =~ (json_|JSON) ]]; then
            cause="MISSING_PHP_JSON"
        elif [[ "$error_lower" =~ (mysqli|mysql_connect) ]]; then
            cause="MISSING_PHP_MYSQLI"
        else
            cause="MISSING_PHP_MODULE"
        fi
    # Database issues
    elif [[ "$error_lower" =~ (database|mysql|mysqli) ]]; then
        if [[ "$error_lower" =~ (too\ many\ connections|max_connections) ]]; then
            cause="DB_MAX_CONNECTIONS"
        elif [[ "$error_lower" =~ (access\ denied|authentication) ]]; then
            cause="DB_AUTH_FAILED"
        elif [[ "$error_lower" =~ (gone\ away|lost\ connection) ]]; then
            cause="DB_TIMEOUT"
        else
            cause="DB_ERROR"
        fi
    # Apache configuration
    elif [[ "$error_lower" =~ (invalid\ uri|request\ exceeded\ the\ limit|limitrequestline) ]]; then
        cause="APACHE_CONFIG"
    # PHP parse/syntax errors (code issues)
    elif [[ "$error_lower" =~ (parse\ error|syntax\ error|unexpected) ]]; then
        cause="PHP_SYNTAX_ERROR"
    # File not found (may indicate bad symlinks or missing files)
    elif [[ "$error_lower" =~ (no\ such\ file|failed\ to\ open\ stream) ]]; then
        cause="MISSING_FILE"
    # Generic PHP fatal error
    elif [[ "$error_lower" =~ fatal\ error ]]; then
        cause="PHP_FATAL_ERROR"
    # 500 errors without specific cause
    elif [[ "$error_msg" =~ (500|Internal\ Server) ]]; then
        cause="SERVER_ERROR_500"
    fi
    echo "$cause"
 }
 ################################################################################
@@ -356,41 +565,93 @@ while IFS='|' read -r log_path log_type; do
                uri=$(echo "$line" | grep -oE "uri: [^ ]+" | sed 's/uri: //' || echo "")
                domain=$(echo "$line" | grep -oE "hostname: [^ ]+" | sed 's/hostname: //' || echo "unknown")
-                echo "$domain||ModSecurity blocked: $attack_type $uri" >> "$CRITICAL_ERRORS"
+                # Extract rule ID if available
                rule_id=$(echo "$line" | grep -oE "id \"[0-9]+\"" | grep -oE "[0-9]+" || echo "")
                root_cause="MODSECURITY"
                [ -n "$rule_id" ] && root_cause="MODSECURITY:rule_$rule_id"
                echo "$domain||ModSecurity blocked: $attack_type $uri|$root_cause" >> "$CRITICAL_ERRORS"
            fi
        done < <(tail -n 5000 "$log_path" 2>/dev/null)
    elif $is_access_log; then
        # Access log - look for 5xx status codes
        # Use time-based filtering if possible, otherwise last 50k lines
        cutoff_time=$(date -d "$HOURS_TO_ANALYZE hours ago" +%s 2>/dev/null || echo "0")
        while IFS= read -r line; do
            ((total_lines++))
            # Skip if bot/scanner
            if is_noise "$line"; then
                ((filtered_out++))
                # Track bot/scanner IPs
                read -r ip _ _ _ _ _ _ _ <<< "$line"
                if [[ "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
                    flag_ip_attack "$ip" "BOT" 0 "Bot/scanner filtered in error analysis" >/dev/null 2>&1 &
                fi
                continue
            fi
-            # Extract status code and URL
+            # Time filtering (Apache format: [DD/Mon/YYYY:HH:MM:SS +ZONE])
-            if echo "$line" | grep -qE '" 5[0-9]{2} '; then
+            if [ "$cutoff_time" != "0" ]; then
-                status=$(echo "$line" | grep -oE '" 5[0-9]{2} ' | tr -d '" ')
+                if [[ "$line" =~ \[([0-9]{2}/[A-Z][a-z]{2}/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2}) ]]; then
-                url=$(echo "$line" | awk '{print $7}' | cut -c1-80)
+                    log_date="${BASH_REMATCH[1]}"
-                ip=$(echo "$line" | awk '{print $1}')
+                    log_time=$(date -d "${log_date/:/ }" +%s 2>/dev/null || echo "0")
-                domain=$(basename "$log_path" | sed 's/-.*//')
+                    [ "$log_time" != "0" ] && [ "$log_time" -lt "$cutoff_time" ] && continue
                fi
            fi
            # Extract status code and URL using bash regex and read
            if [[ "$line" =~ '"'[[:space:]](5[0-9]{2})[[:space:]] ]]; then
                status="${BASH_REMATCH[1]}"
                # Parse Apache log format: IP - - [timestamp] "METHOD URL PROTOCOL" STATUS SIZE
                read -r ip _ _ timestamp _ request status_check _ <<< "$line"
                # Extract URL from request (format: "GET /path HTTP/1.1")
                if [[ "$request" =~ '"'[A-Z]+[[:space:]]([^[:space:]]+) ]]; then
                    url="${BASH_REMATCH[1]:0:80}"
                else
                    url="/"
                fi
                # Extract timestamp
                if [[ "$line" =~ \[([^]]+)\] ]]; then
                    timestamp="${BASH_REMATCH[1]}"
                else
                    timestamp=""
                fi
                # Get domain from log filename
                domain="${log_path##*/}"  # basename
                domain="${domain%%-*}"    # remove everything after first dash
                # Apply domain filter if set
                if [ -n "$FILTER_DOMAIN" ] && [ "$domain" != "$FILTER_DOMAIN" ]; then
                    continue
                fi
                # Determine root cause from status code
                case $status in
                    500) root_cause="SERVER_ERROR_500" ;;
                    502) root_cause="APACHE_CONFIG:bad_gateway" ;;
                    503) root_cause="APACHE_CONFIG:service_unavailable" ;;
                    504) root_cause="APACHE_CONFIG:gateway_timeout" ;;
                    *) root_cause="SERVER_ERROR_5XX" ;;
                esac
                ((critical_found++))
-                echo "$domain||HTTP $status - $url (from $ip)" >> "$CRITICAL_ERRORS"
+                echo "$domain||[$timestamp] HTTP $status - $url (from $ip)|$root_cause" >> "$CRITICAL_ERRORS"
            fi
-        done < <(tail -n 5000 "$log_path" 2>/dev/null)
+        done < <(tail -n 50000 "$log_path" 2>/dev/null)
    else
        # Error log - look for critical errors
        # Use time-based filtering if possible, otherwise last 50k lines
        cutoff_time=$(date -d "$HOURS_TO_ANALYZE hours ago" +%s 2>/dev/null || echo "0")
        while IFS= read -r line; do
            ((total_lines++))
@@ -400,12 +661,21 @@ while IFS='|' read -r log_path log_type; do
                continue
            fi
            # Time filtering (Apache/PHP error log format: [Day Mon DD HH:MM:SS YYYY])
            if [ "$cutoff_time" != "0" ]; then
                if [[ "$line" =~ \[([A-Z][a-z]{2}\ [A-Z][a-z]{2}\ [0-9]{2}\ [0-9]{2}:[0-9]{2}:[0-9]{2}\ [0-9]{4})\] ]]; then
                    log_date="${BASH_REMATCH[1]}"
                    log_time=$(date -d "$log_date" +%s 2>/dev/null || echo "0")
                    [ "$log_time" != "0" ] && [ "$log_time" -lt "$cutoff_time" ] && continue
                fi
            fi
            # Apply user/domain filter if set
            if [ -n "$FILTER_USER" ]; then
-                echo "$line" | grep -q "/home/$FILTER_USER" || continue
+                [[ "$line" =~ /home/$FILTER_USER ]] || continue
            fi
            if [ -n "$FILTER_DOMAIN" ]; then
-                echo "$line" | grep -q "$FILTER_DOMAIN" || continue
+                [[ "$line" =~ $FILTER_DOMAIN ]] || continue
            fi
            # Check if it's critical and user-facing
@@ -414,7 +684,7 @@ while IFS='|' read -r log_path log_type; do
                extract_useful_info "$line" >> "$CRITICAL_ERRORS"
            fi
-        done < <(tail -n 10000 "$log_path" 2>/dev/null)
+        done < <(tail -n 50000 "$log_path" 2>/dev/null)
    fi
 done < "$LOG_FILES_LIST"
@@ -462,8 +732,8 @@ echo ""
 # Group identical errors and count them
 awk -F'|' '{
-    key = $1 "|" $3  # domain|error_msg (skip file_path for grouping)
+    key = $1 "|" $3 "|" $4  # domain|error_msg|root_cause
-    file[$1"|"$3] = $2  # Store file path
+    file[$1"|"$3"|"$4] = $2  # Store file path
    count[key]++
 }
 END {
@@ -471,14 +741,15 @@ END {
        split(key, parts, "|")
        domain = parts[1]
        error = parts[2]
        root_cause = parts[3]
        file_path = file[key]
        # Skip empty errors
-        if (length(error) == 0) next
+        if (length(error) > 0) {
-
+            print count[key] "|" domain "|" file_path "|" error "|" root_cause
-        print count[key] "|" domain "|" file_path "|" error
+        }
    }
-}' "$CRITICAL_ERRORS" | sort -t'|' -k1 -rn | head -20 | while IFS='|' read -r count domain file_path error_msg; do
+}' "$CRITICAL_ERRORS" | sort -t'|' -k1 -rn | head -20 | while IFS='|' read -r count domain file_path error_msg root_cause; do
    # Color code by frequency
    if [ "$count" -ge 10 ]; then
@@ -496,14 +767,150 @@ END {
    [ -n "$domain" ] && [ "$domain" != "unknown" ] && echo "  Domain: $domain"
    [ -n "$file_path" ] && echo "  File: $file_path"
    echo "  Error: $error_msg"
    # Display root cause with color coding and actionable fix
    if [ -n "$root_cause" ] && [ "$root_cause" != "UNKNOWN" ]; then
        echo -ne "  ${CYAN}Root Cause: ${BOLD}"
        case "$root_cause" in
            HTACCESS)
                echo -e "${YELLOW}⚙️  .htaccess Configuration${NC}"
                echo "  → Check .htaccess syntax in domain root"
                echo "  → Look for invalid RewriteRule or directives"
                ;;
            MODSECURITY*)
                rule=$(echo "$root_cause" | cut -d':' -f2)
                echo -e "${YELLOW}🛡️  ModSecurity WAF Block${NC}"
                [ -n "$rule" ] && echo "  → Rule ID: $rule"
                echo "  → Check if this is a false positive"
                echo "  → Review: /usr/local/apache/logs/modsec_audit.log"
                ;;
            PHP_MEMORY*)
                limit=$(echo "$root_cause" | cut -d':' -f2)
                echo -e "${RED}💾 PHP Memory Exhausted${NC}"
                [ -n "$limit" ] && echo "  → Current limit: $limit"
                echo "  → Increase memory_limit in .user.ini or php.ini"
                echo "  → Recommended: 256M minimum, 512M for WooCommerce"
                ;;
            PHP_TIMEOUT)
                echo -e "${YELLOW}⏱️  PHP Execution Timeout${NC}"
                echo "  → Increase max_execution_time in php.ini"
                echo "  → Recommended: 300 for imports/backups"
                ;;
            PHP_UPLOAD_LIMIT)
                echo -e "${YELLOW}📤 PHP Upload Size Limit${NC}"
                echo "  → Increase upload_max_filesize and post_max_size"
                echo "  → Match both values (e.g., 64M)"
                ;;
            FILE_PERMISSIONS)
                echo -e "${RED}🔒 File Permission Denied${NC}"
                echo "  → Check file ownership and permissions"
                echo "  → Files should be 644, directories 755"
                echo "  → Owner should match cPanel user"
                ;;
            MISSING_PHP_GD)
                echo -e "${RED}📦 Missing PHP GD Extension${NC}"
                echo "  → Install: yum install ea-phpXX-php-gd"
                echo "  → Required for image processing"
                ;;
            MISSING_PHP_CURL)
                echo -e "${RED}📦 Missing PHP cURL Extension${NC}"
                echo "  → Install: yum install ea-phpXX-php-curl"
                ;;
            MISSING_PHP_*)
                module=$(echo "$root_cause" | sed 's/MISSING_PHP_//' | tr '[:upper:]' '[:lower:]')
                echo -e "${RED}📦 Missing PHP Extension: $module${NC}"
                echo "  → Install: yum install ea-phpXX-php-$module"
                ;;
            DB_MAX_CONNECTIONS)
                echo -e "${RED}🗄️  Database Max Connections Reached${NC}"
                echo "  → Check: mysql -e 'SHOW VARIABLES LIKE \"max_connections\"'"
                echo "  → Increase max_connections in my.cnf"
                echo "  → Or optimize slow queries reducing connection time"
                ;;
            DB_AUTH_FAILED)
                echo -e "${RED}🗄️  Database Authentication Failed${NC}"
                echo "  → Verify credentials in wp-config.php / config files"
                echo "  → Check database user permissions"
                ;;
            DB_TIMEOUT)
                echo -e "${YELLOW}🗄️  Database Connection Timeout${NC}"
                echo "  → MySQL server may be overloaded"
                echo "  → Check slow query log"
                ;;
            DB_ERROR)
                echo -e "${RED}🗄️  Database Error${NC}"
                echo "  → Check MySQL error log for details"
                ;;
            APACHE_CONFIG*)
                issue=$(echo "$root_cause" | cut -d':' -f2)
                echo -e "${YELLOW}⚙️  Apache Configuration${NC}"
                [ -n "$issue" ] && echo "  → Issue: $issue"
                echo "  → Check Apache config and vhost settings"
                ;;
            PHP_SYNTAX_ERROR)
                echo -e "${RED}⚠️  PHP Syntax Error in Code${NC}"
                echo "  → Review recent code changes"
                echo "  → Check for missing semicolons, brackets, quotes"
                ;;
            MISSING_FILE)
                echo -e "${YELLOW}📄 File Not Found${NC}"
                echo "  → File may have been deleted or moved"
                echo "  → Check for broken symlinks"
                ;;
            PHP_FATAL_ERROR)
                echo -e "${RED}⚠️  PHP Fatal Error${NC}"
                echo "  → Review PHP error logs for details"
                echo "  → May be compatibility issue or code bug"
                ;;
            SERVER_ERROR_500)
                echo -e "${RED}🔥 Generic 500 Internal Server Error${NC}"
                echo "  → Check PHP/Apache error logs for specifics"
                ;;
            *)
                echo -e "${NC}$root_cause"
                ;;
        esac
    fi
    echo ""
 done
 ################################################################################
 # Root Cause Summary
 ################################################################################
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo " 📊 ROOT CAUSE BREAKDOWN"
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo ""
 # Count errors by root cause
 cut -d'|' -f4 "$CRITICAL_ERRORS" | grep -v "^$" | sort | uniq -c | sort -rn | while read -r count cause; do
    # Clean up cause display
    clean_cause=$(echo "$cause" | sed 's/:.*//; s/_/ /g')
    # Color code by severity
    case "$cause" in
        PHP_MEMORY*|DB_MAX_CONNECTIONS|PHP_FATAL_ERROR|SERVER_ERROR_500)
            color="${RED}"; icon="🔥" ;;
        HTACCESS|MODSECURITY*|PHP_TIMEOUT|DB_*)
            color="${YELLOW}"; icon="⚠️ " ;;
        MISSING_PHP*|FILE_PERMISSIONS)
            color="${YELLOW}"; icon="📦" ;;
        *)
            color="${INFO_COLOR}"; icon="•" ;;
    esac
    printf "  ${color}${icon} %-35s %4d errors${NC}\n" "$clean_cause" "$count"
 done
 echo ""
 ################################################################################
 # Intelligent Recommendations
 ################################################################################
 echo ""
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 echo " 🔧 RECOMMENDED ACTIONS"
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
@@ -0,0 +1,63 @@
 #!/bin/bash
 ################################################################################
 # WordPress Management Menu
 ################################################################################
 # Purpose: Submenu for WordPress-specific management tools
 # Features:
 # - WordPress cron management
 # - (Future: plugin updates, theme management, security hardening, etc.)
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 if [ "$EUID" -ne 0 ]; then
    print_error "This menu must be run as root"
    exit 1
 fi
 # Main menu loop
 while true; do
    clear
    print_banner "WordPress Management"
    echo ""
    echo -e "${BOLD}Available WordPress Tools${NC}"
    echo ""
    echo "  1) WordPress Cron Manager"
    echo "     └─ Convert WordPress sites from wp-cron to system cron"
    echo ""
    echo "  ${DIM}2) WordPress Plugin Manager (Coming Soon)"
    echo "     └─ Bulk update, scan vulnerabilities, manage plugins${NC}"
    echo ""
    echo "  ${DIM}3) WordPress Security Hardening (Coming Soon)"
    echo "     └─ Apply security best practices, file permissions${NC}"
    echo ""
    echo "  ${DIM}4) WordPress Theme Manager (Coming Soon)"
    echo "     └─ Update themes, check compatibility${NC}"
    echo ""
    echo "  0) Return to Website Diagnostics Menu"
    echo ""
    echo -n "Select option: "
    read -r choice
    case "$choice" in
        1)
            bash "$SCRIPT_DIR/modules/website/wordpress/wordpress-cron-manager.sh"
            ;;
        2|3|4)
            echo ""
            print_warning "This feature is coming soon!"
            echo ""
            press_enter
            ;;
        0)
            exit 0
            ;;
        *)
            print_error "Invalid option"
            sleep 1
            ;;
    esac
 done
@@ -0,0 +1,943 @@
 #!/bin/bash
 ################################################################################
 # WordPress Cron Manager
 ################################################################################
 # Purpose: Disable wp-cron and convert to real system cron jobs
 # Features:
 # - Detect all WordPress installations
 # - Disable DISABLE_WP_CRON in wp-config.php
 # - Add proper cron jobs for scheduled tasks
 # - Server-wide, per-user, or per-domain operations
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../../.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 if [ "$EUID" -ne 0 ]; then
    print_error "This script must be run as root"
    exit 1
 fi
 # Global counter for staggering cron times
 CRON_OFFSET=0
 # Function to generate staggered cron time
 # Distributes jobs across 15 minutes to avoid load spikes
 generate_staggered_cron() {
    local minute=$((CRON_OFFSET % 15))
    # Create pattern: 0,15,30,45 but offset by the calculated minute
    local minutes=""
    for base in 0 15 30 45; do
        local actual_minute=$(( (base + minute) % 60 ))
        if [ -z "$minutes" ]; then
            minutes="$actual_minute"
        else
            minutes="$minutes,$actual_minute"
        fi
    done
    # Increment offset for next site (wraps at 15)
    CRON_OFFSET=$((CRON_OFFSET + 1))
    echo "$minutes * * * *"
 }
 # Function to extract user from WordPress site path
 # Multi-panel aware
 extract_user_from_path() {
    local site_path="$1"
    local user=""
    case "$SYS_CONTROL_PANEL" in
        cpanel)
            user=$(extract_user_from_path "$site_path")
            ;;
        interworx)
            user=$(extract_user_from_path "$site_path")
            ;;
        plesk)
            # Extract domain from path and lookup user
            local domain=$(echo "$site_path" | grep -oE '/vhosts/[^/]+' | sed 's|/vhosts/||')
            user=$(plesk bin subscription --info "$domain" 2>/dev/null | grep "Owner" | awk '{print $2}')
            [ -z "$user" ] && user="www-data"  # Plesk fallback
            ;;
        *)
            user="www-data"  # Standalone fallback
            ;;
    esac
    echo "$user"
 }
 # Function to safely modify wp-config.php to disable wp-cron
 # Returns 0 on success, 1 on failure
 disable_wpcron_in_config() {
    local wp_config="$1"
    # Check if file exists and is writable
    if [ ! -f "$wp_config" ] || [ ! -w "$wp_config" ]; then
        return 1
    fi
    # First, remove any existing DISABLE_WP_CRON lines (anywhere in file)
    # This ensures clean placement even if previously added in wrong location
    if grep -q "DISABLE_WP_CRON" "$wp_config" 2>/dev/null; then
        sed -i.wpbak "/define\s*(\s*['\"]DISABLE_WP_CRON['\"]/d" "$wp_config"
    else
        # Create backup even if no existing line
        cp "$wp_config" "${wp_config}.wpbak"
    fi
    # Now add it in the proper location - before "stop editing" comment
    if grep -q "stop editing" "$wp_config" 2>/dev/null; then
        # Add before "stop editing" line (proper WordPress convention)
        sed -i "/stop editing/i \\
 define('DISABLE_WP_CRON', true);" "$wp_config"
    elif grep -q "<?php" "$wp_config"; then
        # Fallback: if no "stop editing" found, add after opening PHP tag
        sed -i "/<?php/a \\
 define('DISABLE_WP_CRON', true);" "$wp_config"
    else
        # Restore backup if file format is unexpected
        if [ -f "${wp_config}.wpbak" ]; then
            mv "${wp_config}.wpbak" "$wp_config"
        fi
        return 1
    fi
    # Verify the change was successful
    if grep -E "^[^/]*define\s*\(\s*['\"]DISABLE_WP_CRON['\"]\s*,\s*true\s*\)" "$wp_config" >/dev/null 2>&1; then
        # Remove backup if successful
        rm -f "${wp_config}.wpbak"
        return 0
    else
        # Restore backup if verification failed
        if [ -f "${wp_config}.wpbak" ]; then
            mv "${wp_config}.wpbak" "$wp_config"
        fi
        return 1
    fi
 }
 # Function to safely re-enable wp-cron (revert changes)
 # Returns 0 on success, 1 on failure
 enable_wpcron_in_config() {
    local wp_config="$1"
    # Check if file exists and is writable
    if [ ! -f "$wp_config" ] || [ ! -w "$wp_config" ]; then
        return 1
    fi
    # Check if DISABLE_WP_CRON exists and is set to true
    if grep -E "^[^/]*define\s*\(\s*['\"]DISABLE_WP_CRON['\"]\s*,\s*true\s*\)" "$wp_config" >/dev/null 2>&1; then
        # Remove or comment out the line
        sed -i.wpbak "/^[^/]*define\s*(\s*['\"]DISABLE_WP_CRON['\"]\s*,\s*true\s*)/d" "$wp_config"
        # Verify removal was successful
        if ! grep -E "^[^/]*define\s*\(\s*['\"]DISABLE_WP_CRON['\"]\s*,\s*true\s*\)" "$wp_config" >/dev/null 2>&1; then
            rm -f "${wp_config}.wpbak"
            return 0
        else
            # Restore backup if removal failed
            if [ -f "${wp_config}.wpbak" ]; then
                mv "${wp_config}.wpbak" "$wp_config"
            fi
            return 1
        fi
    else
        # DISABLE_WP_CRON not found or already disabled
        return 0
    fi
 }
 clear
 print_banner "WordPress Cron Manager"
 echo ""
 echo -e "${BOLD}What would you like to do?${NC}"
 echo ""
 echo -e "${GREEN}Enable System Cron:${NC}"
 echo "  1) Scan for WordPress installations"
 echo "  2) Disable wp-cron for specific domain"
 echo "  3) Disable wp-cron for specific user (all their WP sites)"
 echo "  4) Disable wp-cron server-wide (all WordPress sites)"
 echo ""
 echo -e "${YELLOW}Revert to WP-Cron:${NC}"
 echo "  6) Re-enable wp-cron for specific domain"
 echo "  7) Re-enable wp-cron for specific user (all their WP sites)"
 echo "  8) Re-enable wp-cron server-wide (all WordPress sites)"
 echo ""
 echo -e "${CYAN}Status & Information:${NC}"
 echo "  5) Check wp-cron status for domain/user"
 echo ""
 echo "  0) Return to menu"
 echo ""
 echo -n "Select option [0]: "
 read -r choice
 choice="${choice:-0}"
 case "$choice" in
    1)
        # Scan for WordPress installations
        echo ""
        print_banner "WordPress Installation Scanner"
        echo ""
        echo "Scanning for WordPress installations..."
        echo ""
        # Find all wp-config.php files - Multi-panel support
        wp_sites=""
        case "$SYS_CONTROL_PANEL" in
            cpanel)
                wp_sites=$(find /home/*/public_html -name "wp-config.php" -type f 2>/dev/null)
                ;;
            interworx)
                wp_sites=$(find /home/*/*/html -name "wp-config.php" -type f 2>/dev/null)
                ;;
            plesk)
                wp_sites=$(find /var/www/vhosts/*/httpdocs -name "wp-config.php" -type f 2>/dev/null)
                ;;
            *)
                wp_sites=$(find /var/www/html -name "wp-config.php" -type f 2>/dev/null)
                ;;
        esac
        if [ -z "$wp_sites" ]; then
            echo -e "${YELLOW}No WordPress installations found${NC}"
        else
            count=0
            echo -e "${BOLD}Found WordPress Installations:${NC}"
            echo ""
            while IFS= read -r config_file; do
                count=$((count + 1))
                # Extract info - Multi-panel support
                site_path=$(dirname "$config_file")
                # Extract user and domain based on control panel
                user="(unknown)"
                domain="(unknown domain)"
                case "$SYS_CONTROL_PANEL" in
                    cpanel)
                        user=$(extract_user_from_path "$site_path")
                        if [ -f "/var/cpanel/userdata/$user/main" ]; then
                            domain=$(grep -m1 "^servername:" "/var/cpanel/userdata/$user/main" 2>/dev/null | awk '{print $2}')
                        fi
                        ;;
                    interworx)
                        user=$(extract_user_from_path "$site_path")
                        domain=$(echo "$site_path" | cut -d'/' -f4)
                        ;;
                    plesk)
                        domain=$(echo "$site_path" | grep -oE '/vhosts/[^/]+' | sed 's|/vhosts/||')
                        user=$(plesk bin subscription --info "$domain" 2>/dev/null | grep "Owner" | awk '{print $2}')
                        [ -z "$user" ] && user="(unknown)"
                        ;;
                    *)
                        user="standalone"
                        domain="localhost"
                        ;;
                esac
                # Check if wp-cron is disabled
                if grep -q "define.*DISABLE_WP_CRON.*true" "$config_file" 2>/dev/null; then
                    status="${GREEN}✓ Disabled (using system cron)${NC}"
                else
                    status="${YELLOW}⚠ Enabled (default wp-cron)${NC}"
                fi
                echo -e "${count}. ${BOLD}$domain${NC}"
                echo "   Path: $site_path"
                echo "   User: $user"
                echo "   Status: $status"
                echo ""
            done <<< "$wp_sites"
            echo -e "${CYAN}Total WordPress installations: $count${NC}"
        fi
        ;;
    2)
        # Disable wp-cron for specific domain
        echo ""
        echo -n "Enter domain name (or 0 to cancel): "
        read -r domain
        if [ -z "$domain" ] || [ "$domain" = "0" ]; then
            echo "Operation cancelled."
            press_enter
            exit 0
        fi
        # Find WordPress installation for this domain - Multi-panel support
        echo ""
        echo "Searching for WordPress installation for $domain..."
        wp_config=""
        case "$SYS_CONTROL_PANEL" in
            cpanel)
                # Method 1: Check main_domain in /var/cpanel/userdata/*/main files
                for userdata_file in /var/cpanel/userdata/*/main; do
                    if grep -q "^main_domain: $domain" "$userdata_file" 2>/dev/null; then
                        user=$(basename "$(dirname "$userdata_file")")
                        potential_config="/home/$user/public_html/wp-config.php"
                        if [ -f "$potential_config" ]; then
                            wp_config="$potential_config"
                            break
                        fi
                    fi
                done
                # Method 2: If not found, search all domain-specific files for servername
                if [ -z "$wp_config" ]; then
                    for userdata_file in /var/cpanel/userdata/*/*; do
                        # Skip cache files and main files
                        [[ "$userdata_file" == *.cache ]] && continue
                        [[ "$userdata_file" == */main ]] && continue
                        [[ "$userdata_file" == */cache ]] && continue
                        [[ "$userdata_file" == */cache.json ]] && continue
                        if grep -q "^servername: $domain" "$userdata_file" 2>/dev/null; then
                            user=$(basename "$(dirname "$userdata_file")")
                            potential_config="/home/$user/public_html/wp-config.php"
                            if [ -f "$potential_config" ]; then
                                wp_config="$potential_config"
                                break
                            fi
                        fi
                    done
                fi
                ;;
            interworx)
                # Find user from vhost config
                user=$(grep -l "ServerName ${domain}" /etc/httpd/conf.d/vhost_*.conf 2>/dev/null | head -1 | \
                       xargs grep "SuexecUserGroup" 2>/dev/null | awk '{print $2}')
                if [ -n "$user" ]; then
                    potential_config="/home/${user}/${domain}/html/wp-config.php"
                    [ -f "$potential_config" ] && wp_config="$potential_config"
                fi
                ;;
            plesk)
                # Try standard Plesk path
                potential_config="/var/www/vhosts/${domain}/httpdocs/wp-config.php"
                [ -f "$potential_config" ] && wp_config="$potential_config"
                ;;
            *)
                # Standalone - try standard path
                potential_config="/var/www/html/wp-config.php"
                [ -f "$potential_config" ] && wp_config="$potential_config"
                ;;
        esac
        if [ -z "$wp_config" ]; then
            print_error "WordPress installation not found for $domain"
            press_enter
            exit 1
        fi
        echo -e "${GREEN}Found WordPress:${NC} $wp_config"
        echo ""
        # Check if already disabled
        if grep -q "define.*DISABLE_WP_CRON.*true" "$wp_config" 2>/dev/null; then
            echo -e "${YELLOW}wp-cron is already disabled for this site${NC}"
            echo ""
            echo -n "Re-configure anyway? (y/n) [n]: "
            read -r confirm
            if [ "$confirm" != "y" ] && [ "$confirm" != "Y" ]; then
                press_enter
                exit 0
            fi
        fi
        # Backup wp-config.php
        cp "$wp_config" "${wp_config}.backup-$(date +%Y%m%d-%H%M%S)"
        echo -e "${GREEN}✓${NC} Backed up wp-config.php"
        # Safely disable wp-cron in wp-config.php
        if disable_wpcron_in_config "$wp_config"; then
            echo -e "${GREEN}✓${NC} Set DISABLE_WP_CRON to true in wp-config.php"
        else
            print_error "Failed to modify wp-config.php"
            echo "  Please check file permissions and syntax"
            press_enter
            exit 1
        fi
        # Add cron job with staggered timing
        site_path=$(dirname "$wp_config")
        cron_cmd="cd $site_path && /usr/bin/php -q wp-cron.php >/dev/null 2>&1"
        # Add to user's crontab - Multi-panel support
        user=$(extract_user_from_path "$site_path")
        # Check if cron job already exists
        if crontab -u "$user" -l 2>/dev/null | grep -q "$site_path.*wp-cron.php"; then
            echo -e "${YELLOW}⚠${NC} Cron job already exists for this site"
        else
            # Generate staggered cron time
            cron_time=$(generate_staggered_cron)
            (crontab -u "$user" -l 2>/dev/null; echo "$cron_time $cron_cmd") | crontab -u "$user" -
            echo -e "${GREEN}✓${NC} Added cron job ($cron_time)"
        fi
        echo ""
        print_success "WordPress cron converted to system cron for $domain"
        echo ""
        echo "Changes made:"
        echo "  • DISABLE_WP_CRON set to true in wp-config.php"
        echo "  • System cron job added (every 15 minutes)"
        echo "  • Backup saved: ${wp_config}.backup-*"
        ;;
    3)
        # Disable wp-cron for specific user
        echo ""
        echo -n "Enter cPanel username (or 0 to cancel): "
        read -r target_user
        if [ -z "$target_user" ] || [ "$target_user" = "0" ]; then
            echo "Operation cancelled."
            press_enter
            exit 0
        fi
        if [ ! -d "/home/$target_user" ]; then
            print_error "User $target_user does not exist"
            press_enter
            exit 1
        fi
        echo ""
        echo "Searching for WordPress installations for user: $target_user"
        echo ""
        wp_configs=$(find "/home/$target_user" -name "wp-config.php" -type f 2>/dev/null)
        if [ -z "$wp_configs" ]; then
            print_error "No WordPress installations found for $target_user"
            press_enter
            exit 1
        fi
        count=0
        echo "$wp_configs" | while IFS= read -r wp_config; do
            count=$((count + 1))
            site_path=$(dirname "$wp_config")
            echo -e "${BOLD}Site $count:${NC} $site_path"
            # Backup
            cp "$wp_config" "${wp_config}.backup-$(date +%Y%m%d-%H%M%S)" 2>/dev/null
            echo "  • Backed up wp-config.php"
            # Safely disable wp-cron
            if disable_wpcron_in_config "$wp_config"; then
                echo "  • Set DISABLE_WP_CRON to true"
            else
                echo "  • ${YELLOW}Warning: Could not modify wp-config.php${NC}"
                echo ""
                continue
            fi
            # Add cron job with staggered timing
            cron_cmd="cd $site_path && /usr/bin/php -q wp-cron.php >/dev/null 2>&1"
            if ! crontab -u "$target_user" -l 2>/dev/null | grep -q "$site_path.*wp-cron.php"; then
                cron_time=$(generate_staggered_cron)
                (crontab -u "$target_user" -l 2>/dev/null; echo "$cron_time $cron_cmd") | crontab -u "$target_user" -
                echo "  • Added cron job ($cron_time)"
            else
                echo "  • Cron job already exists"
            fi
            echo ""
        done
        print_success "All WordPress sites for $target_user converted to system cron"
        ;;
    4)
        # Server-wide conversion
        echo ""
        echo -e "${RED}${BOLD}WARNING: Server-Wide wp-cron Conversion${NC}"
        echo ""
        echo "This will:"
        echo "  • Find ALL WordPress installations on the server"
        echo "  • Disable wp-cron in each wp-config.php"
        echo "  • Add system cron jobs for each user"
        echo ""
        echo -n "Are you sure? Type 'yes' to confirm: "
        read -r confirm
        if [ "$confirm" != "yes" ]; then
            echo "Cancelled"
            press_enter
            exit 0
        fi
        echo ""
        echo "Scanning entire server for WordPress installations..."
        echo ""
        total=0
        converted=0
        # Find all wp-config.php files - Multi-panel support
        wp_configs=""
        case "$SYS_CONTROL_PANEL" in
            cpanel)
                wp_configs=$(find /home/*/public_html -name "wp-config.php" -type f 2>/dev/null)
                ;;
            interworx)
                wp_configs=$(find /home/*/*/html -name "wp-config.php" -type f 2>/dev/null)
                ;;
            plesk)
                wp_configs=$(find /var/www/vhosts/*/httpdocs -name "wp-config.php" -type f 2>/dev/null)
                ;;
            *)
                wp_configs=$(find /var/www/html -name "wp-config.php" -type f 2>/dev/null)
                ;;
        esac
        if [ -z "$wp_configs" ]; then
            echo -e "${YELLOW}No WordPress installations found${NC}"
            press_enter
            exit 0
        fi
        while IFS= read -r wp_config; do
            total=$((total + 1))
            site_path=$(dirname "$wp_config")
            user=$(extract_user_from_path "$site_path")
            echo -e "${BOLD}Processing:${NC} $site_path (user: $user)"
            # Backup
            cp "$wp_config" "${wp_config}.backup-$(date +%Y%m%d-%H%M%S)" 2>/dev/null
            # Safely disable wp-cron
            if ! disable_wpcron_in_config "$wp_config"; then
                echo -e "${YELLOW}⚠ Failed to modify wp-config.php${NC}"
                echo ""
                continue
            fi
            # Add cron job with staggered timing
            cron_cmd="cd $site_path && /usr/bin/php -q wp-cron.php >/dev/null 2>&1"
            if ! crontab -u "$user" -l 2>/dev/null | grep -q "$site_path.*wp-cron.php"; then
                cron_time=$(generate_staggered_cron)
                (crontab -u "$user" -l 2>/dev/null; echo "$cron_time $cron_cmd") | crontab -u "$user" - 2>/dev/null
                echo "  Cron: $cron_time"
            fi
            converted=$((converted + 1))
            echo -e "${GREEN}✓${NC} Converted"
            echo ""
        done <<< "$wp_configs"
        echo ""
        print_success "Server-wide conversion complete"
        echo ""
        echo "Summary:"
        echo "  • Total WordPress sites found: $total"
        echo "  • Successfully converted: $converted"
        ;;
    5)
        # Check status
        echo ""
        echo "Check wp-cron status for:"
        echo "  1) Specific domain"
        echo "  2) Specific user"
        echo "  0) Cancel"
        echo ""
        echo -n "Select [1]: "
        read -r check_choice
        check_choice="${check_choice:-1}"
        if [ "$check_choice" = "0" ]; then
            echo "Operation cancelled."
            press_enter
            exit 0
        elif [ "$check_choice" = "1" ]; then
            echo ""
            echo -n "Enter domain name (or 0 to cancel): "
            read -r domain
            if [ -z "$domain" ] || [ "$domain" = "0" ]; then
                echo "Operation cancelled."
                press_enter
                exit 0
            fi
            # Find WordPress for domain
            wp_config=""
            # Method 1: Check main_domain in main files
            for userdata_file in /var/cpanel/userdata/*/main; do
                if grep -q "^main_domain: $domain" "$userdata_file" 2>/dev/null; then
                    user=$(basename "$(dirname "$userdata_file")")
                    potential_config="/home/$user/public_html/wp-config.php"
                    if [ -f "$potential_config" ]; then
                        wp_config="$potential_config"
                        break
                    fi
                fi
            done
            # Method 2: Search domain-specific files for servername
            if [ -z "$wp_config" ]; then
                for userdata_file in /var/cpanel/userdata/*/*; do
                    [[ "$userdata_file" == *.cache ]] && continue
                    [[ "$userdata_file" == */main ]] && continue
                    [[ "$userdata_file" == */cache ]] && continue
                    [[ "$userdata_file" == */cache.json ]] && continue
                    if grep -q "^servername: $domain" "$userdata_file" 2>/dev/null; then
                        user=$(basename "$(dirname "$userdata_file")")
                        potential_config="/home/$user/public_html/wp-config.php"
                        if [ -f "$potential_config" ]; then
                            wp_config="$potential_config"
                            break
                        fi
                    fi
                done
            fi
            if [ -z "$wp_config" ]; then
                print_error "WordPress not found for $domain"
                press_enter
                exit 1
            fi
            echo ""
            echo -e "${BOLD}WordPress Cron Status for $domain${NC}"
            echo ""
            echo "Config file: $wp_config"
            echo ""
            if grep -q "define.*DISABLE_WP_CRON.*true" "$wp_config" 2>/dev/null; then
                echo -e "wp-cron: ${GREEN}DISABLED${NC} (using system cron)"
                # Check for cron job
                site_path=$(dirname "$wp_config")
                user=$(extract_user_from_path "$site_path")
                if crontab -u "$user" -l 2>/dev/null | grep -q "wp-cron.php"; then
                    echo -e "System cron: ${GREEN}CONFIGURED${NC}"
                    echo ""
                    echo "Cron jobs:"
                    crontab -u "$user" -l 2>/dev/null | grep "wp-cron.php"
                else
                    echo -e "System cron: ${RED}NOT CONFIGURED${NC}"
                fi
            else
                echo -e "wp-cron: ${YELLOW}ENABLED${NC} (default WordPress cron)"
                echo ""
                echo "Recommendation: Disable wp-cron and use system cron for better performance"
            fi
        else
            echo ""
            echo -n "Enter cPanel username (or 0 to cancel): "
            read -r check_user
            if [ -z "$check_user" ] || [ "$check_user" = "0" ]; then
                echo "Operation cancelled."
                press_enter
                exit 0
            fi
            if [ ! -d "/home/$check_user" ]; then
                print_error "User $check_user does not exist"
                press_enter
                exit 1
            fi
            echo ""
            echo -e "${BOLD}WordPress Cron Status for user: $check_user${NC}"
            echo ""
            wp_configs=$(find "/home/$check_user" -name "wp-config.php" -type f 2>/dev/null)
            if [ -z "$wp_configs" ]; then
                echo "No WordPress installations found"
            else
                count=0
                while IFS= read -r wp_config; do
                    count=$((count + 1))
                    site_path=$(dirname "$wp_config")
                    echo -e "${count}. ${BOLD}$site_path${NC}"
                    if grep -q "define.*DISABLE_WP_CRON.*true" "$wp_config" 2>/dev/null; then
                        echo "   wp-cron: ${GREEN}DISABLED${NC}"
                    else
                        echo "   wp-cron: ${YELLOW}ENABLED${NC}"
                    fi
                    echo ""
                done <<< "$wp_configs"
                # Show cron jobs
                echo -e "${BOLD}Cron Jobs:${NC}"
                if crontab -u "$check_user" -l 2>/dev/null | grep -q "wp-cron.php"; then
                    crontab -u "$check_user" -l 2>/dev/null | grep "wp-cron.php"
                else
                    echo "  No wp-cron jobs found"
                fi
            fi
        fi
        ;;
    6)
        # Re-enable wp-cron for specific domain
        echo ""
        echo -n "Enter domain name (or 0 to cancel): "
        read -r domain
        if [ -z "$domain" ] || [ "$domain" = "0" ]; then
            echo "Operation cancelled."
            press_enter
            exit 0
        fi
        # Find WordPress installation
        wp_config=""
        # Method 1: Check main_domain in main files
        for userdata_file in /var/cpanel/userdata/*/main; do
            if grep -q "^main_domain: $domain" "$userdata_file" 2>/dev/null; then
                user=$(basename "$(dirname "$userdata_file")")
                potential_config="/home/$user/public_html/wp-config.php"
                if [ -f "$potential_config" ]; then
                    wp_config="$potential_config"
                    break
                fi
            fi
        done
        # Method 2: Search domain-specific files for servername
        if [ -z "$wp_config" ]; then
            for userdata_file in /var/cpanel/userdata/*/*; do
                [[ "$userdata_file" == *.cache ]] && continue
                [[ "$userdata_file" == */main ]] && continue
                [[ "$userdata_file" == */cache ]] && continue
                [[ "$userdata_file" == */cache.json ]] && continue
                if grep -q "^servername: $domain" "$userdata_file" 2>/dev/null; then
                    user=$(basename "$(dirname "$userdata_file")")
                    potential_config="/home/$user/public_html/wp-config.php"
                    if [ -f "$potential_config" ]; then
                        wp_config="$potential_config"
                        break
                    fi
                fi
            done
        fi
        if [ -z "$wp_config" ]; then
            print_error "WordPress installation not found for $domain"
            press_enter
            exit 1
        fi
        echo -e "${GREEN}Found WordPress:${NC} $wp_config"
        echo ""
        # Backup wp-config.php
        cp "$wp_config" "${wp_config}.backup-$(date +%Y%m%d-%H%M%S)"
        echo -e "${GREEN}✓${NC} Backed up wp-config.php"
        # Re-enable wp-cron
        if enable_wpcron_in_config "$wp_config"; then
            echo -e "${GREEN}✓${NC} Removed DISABLE_WP_CRON from wp-config.php"
        else
            echo -e "${YELLOW}⚠${NC} DISABLE_WP_CRON not found or already enabled"
        fi
        # Remove cron job - Multi-panel support
        site_path=$(dirname "$wp_config")
        user=$(extract_user_from_path "$site_path")
        if crontab -u "$user" -l 2>/dev/null | grep -q "$site_path.*wp-cron.php"; then
            crontab -u "$user" -l 2>/dev/null | grep -v "$site_path.*wp-cron.php" | crontab -u "$user" -
            echo -e "${GREEN}✓${NC} Removed cron job from user crontab"
        else
            echo -e "${YELLOW}⚠${NC} No cron job found for this site"
        fi
        echo ""
        print_success "WordPress cron reverted to default for $domain"
        ;;
    7)
        # Re-enable wp-cron for specific user
        echo ""
        echo -n "Enter cPanel username (or 0 to cancel): "
        read -r target_user
        if [ -z "$target_user" ] || [ "$target_user" = "0" ]; then
            echo "Operation cancelled."
            press_enter
            exit 0
        fi
        if [ ! -d "/home/$target_user" ]; then
            print_error "User $target_user does not exist"
            press_enter
            exit 1
        fi
        echo ""
        echo "Reverting WordPress installations for user: $target_user"
        echo ""
        wp_configs=$(find "/home/$target_user" -name "wp-config.php" -type f 2>/dev/null)
        if [ -z "$wp_configs" ]; then
            print_error "No WordPress installations found for $target_user"
            press_enter
            exit 1
        fi
        count=0
        echo "$wp_configs" | while IFS= read -r wp_config; do
            count=$((count + 1))
            site_path=$(dirname "$wp_config")
            echo -e "${BOLD}Site $count:${NC} $site_path"
            # Backup
            cp "$wp_config" "${wp_config}.backup-$(date +%Y%m%d-%H%M%S)" 2>/dev/null
            echo "  • Backed up wp-config.php"
            # Re-enable wp-cron
            if enable_wpcron_in_config "$wp_config"; then
                echo "  • Removed DISABLE_WP_CRON"
            else
                echo "  • Already using default wp-cron"
            fi
            echo ""
        done
        # Remove all wp-cron jobs for this user
        if crontab -u "$target_user" -l 2>/dev/null | grep -q "wp-cron.php"; then
            crontab -u "$target_user" -l 2>/dev/null | grep -v "wp-cron.php" | crontab -u "$target_user" -
            echo -e "${GREEN}✓${NC} Removed all wp-cron jobs from user crontab"
        fi
        print_success "All WordPress sites for $target_user reverted to default wp-cron"
        ;;
    8)
        # Server-wide revert
        echo ""
        echo -e "${RED}${BOLD}WARNING: Server-Wide Revert${NC}"
        echo ""
        echo "This will:"
        echo "  • Find ALL WordPress installations on the server"
        echo "  • Remove DISABLE_WP_CRON from each wp-config.php"
        echo "  • Remove all wp-cron system cron jobs"
        echo ""
        echo -n "Are you sure? Type 'yes' to confirm: "
        read -r confirm
        if [ "$confirm" != "yes" ]; then
            echo "Cancelled"
            press_enter
            exit 0
        fi
        echo ""
        echo "Scanning entire server for WordPress installations..."
        echo ""
        total=0
        reverted=0
        # Find all wp-config.php files - Multi-panel support
        wp_configs=""
        case "$SYS_CONTROL_PANEL" in
            cpanel)
                wp_configs=$(find /home/*/public_html -name "wp-config.php" -type f 2>/dev/null)
                ;;
            interworx)
                wp_configs=$(find /home/*/*/html -name "wp-config.php" -type f 2>/dev/null)
                ;;
            plesk)
                wp_configs=$(find /var/www/vhosts/*/httpdocs -name "wp-config.php" -type f 2>/dev/null)
                ;;
            *)
                wp_configs=$(find /var/www/html -name "wp-config.php" -type f 2>/dev/null)
                ;;
        esac
        if [ -z "$wp_configs" ]; then
            echo -e "${YELLOW}No WordPress installations found${NC}"
            press_enter
            exit 0
        fi
        while IFS= read -r wp_config; do
            total=$((total + 1))
            site_path=$(dirname "$wp_config")
            user=$(extract_user_from_path "$site_path")
            echo -e "${BOLD}Processing:${NC} $site_path (user: $user)"
            # Backup
            cp "$wp_config" "${wp_config}.backup-$(date +%Y%m%d-%H%M%S)" 2>/dev/null
            # Re-enable wp-cron
            if enable_wpcron_in_config "$wp_config"; then
                reverted=$((reverted + 1))
                echo -e "${GREEN}✓${NC} Reverted"
            else
                echo -e "${YELLOW}⚠${NC} Already using default wp-cron"
            fi
            echo ""
        done <<< "$wp_configs"
        # Remove all wp-cron jobs from all users
        echo ""
        echo "Removing wp-cron jobs from user crontabs..."
        for user_home in /home/*; do
            user=$(basename "$user_home")
            if crontab -u "$user" -l 2>/dev/null | grep -q "wp-cron.php"; then
                crontab -u "$user" -l 2>/dev/null | grep -v "wp-cron.php" | crontab -u "$user" - 2>/dev/null
                echo "  • Removed cron jobs for user: $user"
            fi
        done
        echo ""
        print_success "Server-wide revert complete"
        echo ""
        echo "Summary:"
        echo "  • Total WordPress sites found: $total"
        echo "  • Successfully reverted: $reverted"
        ;;
    0)
        exit 0
        ;;
    *)
        print_error "Invalid option"
        ;;
 esac
 echo ""
 press_enter
@@ -0,0 +1,64 @@
 #!/bin/bash
 ################################################################################
 # Wrapper script for Server Toolkit
 ################################################################################
 # This wrapper allows proper history cleanup by running in the current shell
 ################################################################################
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # Fix HISTFILE if set to non-existent path (prevents crashes on sourcing)
 if [ -n "$HISTFILE" ]; then
    HISTFILE_DIR="$(dirname "$HISTFILE" 2>/dev/null)"
    if [ ! -d "$HISTFILE_DIR" ] 2>/dev/null; then
        # Fallback to default history location
        export HISTFILE="$HOME/.bash_history"
    fi
 fi
 # Check if being sourced or executed
 if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
    echo "ERROR: This script must be sourced, not executed."
    echo ""
    echo "Run it like this:"
    echo "  source $0"
    echo ""
    echo "Or use the alias:"
    echo "  . $0"
    exit 1
 fi
 # Run the launcher
 bash "$SCRIPT_DIR/launcher.sh"
 # Check if cleanup is requested
 if [ -f /tmp/.cleanup_requested ]; then
    rm -f /tmp/.cleanup_requested
    # Clean history in current shell
    GREP_PATTERN="git\.mull\.lol|linux-server-management-toolkit|server-toolkit|launcher\.sh|erase-toolkit-traces|run\.sh"
    if [ -f ~/.bash_history ]; then
        cp ~/.bash_history ~/.bash_history.bak.$$
        grep -Ev "$GREP_PATTERN" ~/.bash_history.bak.$$ > ~/.bash_history 2>/dev/null || true
        rm -f ~/.bash_history.bak.$$
    fi
    # Clear current shell's history
    history -c
    history -r ~/.bash_history
    unset HISTFILE
    set +o history
    # Remove toolkit directory
    cd /root 2>/dev/null
    rm -rf "$SCRIPT_DIR" 2>/dev/null
    clear
    echo ""
    echo "✓ All traces removed"
    echo ""
    echo "Type 'exit' and start a new shell."
    echo ""
 fi
@@ -12,25 +12,31 @@ source "$SCRIPT_DIR/lib/common-functions.sh" 2>/dev/null || true
 print_banner "Toolkit Trace Eraser"
-echo ""
+# Check if running in auto mode (from launcher exit)
-echo "This will remove all traces of the Server Toolkit from:"
+if [ "$TRACE_ERASER_AUTO" != "yes" ]; then
-echo "  • Bash history (all toolkit-related commands)"
+    echo ""
-echo "  • System logs (toolkit operations)"
+    echo "This will remove all traces of the Server Toolkit from:"
-echo "  • Download records"
+    echo "  • Bash history (all toolkit-related commands)"
-echo "  • Temporary files"
+    echo "  • System logs (toolkit operations)"
-echo ""
+    echo "  • Download records"
-echo -e "${RED}WARNING: This cannot be undone!${NC}"
+    echo "  • Temporary files"
-echo ""
+    echo ""
-read -p "Are you sure you want to proceed? (yes/no): " confirm
+    echo -e "${RED}WARNING: This cannot be undone!${NC}"
    echo ""
    read -p "Are you sure you want to proceed? (yes/no): " confirm
-if [ "$confirm" != "yes" ]; then
+    if [ "$confirm" != "yes" ]; then
-    echo "Cancelled."
+        echo "Cancelled."
-    exit 0
+        exit 0
    fi
 fi
-echo ""
+# Only show progress if not in auto mode
-echo "Removing traces..."
+if [ "$TRACE_ERASER_AUTO" != "yes" ]; then
-echo ""
+    echo ""
    echo "Removing traces..."
    echo ""
 fi
 # Patterns to remove from history
 PATTERNS=(
@@ -50,51 +56,24 @@ PATTERNS=(
    "erase-toolkit-traces"
 )
-# Clean bash history for root
+# Clean bash history for root (will be done at the end to avoid re-adding entries)
-if [ -f ~/.bash_history ]; then
+CLEAN_HISTORY=true
    echo "→ Cleaning root bash history..."
    cp ~/.bash_history ~/.bash_history.bak
-    for pattern in "${PATTERNS[@]}"; do
+# Skip user bash histories - only clean root
-        sed -i "/$pattern/d" ~/.bash_history
+# (User histories are not touched to avoid affecting normal user operations)
    done
-    # Also clean in-memory history
+# Clean system logs (pattern-based for logs, not history)
    for pattern in "${PATTERNS[@]}"; do
        history | grep -i "$pattern" | awk '{print $1}' | while read -r num; do
            history -d "$num" 2>/dev/null
        done
    done
    echo "  ✓ Root history cleaned"
 fi
 # Clean bash history for all users
 echo "→ Checking user histories..."
 for user_home in /home/*; do
    if [ -f "$user_home/.bash_history" ]; then
        username=$(basename "$user_home")
        echo "  → Cleaning history for $username..."
        for pattern in "${PATTERNS[@]}"; do
            sed -i "/$pattern/d" "$user_home/.bash_history"
        done
        echo "    ✓ Cleaned"
    fi
 done
 # Clean system logs
 echo "→ Cleaning system logs..."
 if [ -f /var/log/messages ]; then
    for pattern in "${PATTERNS[@]}"; do
-        sed -i "/$pattern/d" /var/log/messages 2>/dev/null
+        # Use grep -v instead of sed to avoid regex issues
        grep -v "$pattern" /var/log/messages > /var/log/messages.tmp 2>/dev/null && mv /var/log/messages.tmp /var/log/messages || true
    done
 fi
 if [ -f /var/log/secure ]; then
    for pattern in "${PATTERNS[@]}"; do
-        sed -i "/$pattern/d" /var/log/secure 2>/dev/null
+        grep -v "$pattern" /var/log/secure > /var/log/secure.tmp 2>/dev/null && mv /var/log/secure.tmp /var/log/secure || true
    done
 fi
@@ -103,9 +82,9 @@ echo "  ✓ System logs cleaned"
 # Clean auth logs
 echo "→ Cleaning auth logs..."
 for log in /var/log/auth.log* /var/log/secure*; do
-    if [ -f "$log" ]; then
+    if [ -f "$log" ] && [ ! -L "$log" ]; then
        for pattern in "${PATTERNS[@]}"; do
-            sed -i "/$pattern/d" "$log" 2>/dev/null
+            grep -v "$pattern" "$log" > "${log}.tmp" 2>/dev/null && mv "${log}.tmp" "$log" || true
        done
    fi
 done
@@ -142,32 +121,81 @@ rm -f "$SCRIPT_DIR/.sysref" 2>/dev/null
 rm -f "$SCRIPT_DIR/.sysref.timestamp" 2>/dev/null
 echo "  ✓ Reference database removed"
-# Offer to remove the entire toolkit
+# Clean bash history BEFORE asking about directory removal
-echo ""
+# (This ensures history is cleaned even if user removes toolkit directory)
-echo -e "${YELLOW}Final step: Remove toolkit directory?${NC}"
+CLEAN_HISTORY=true
-echo "This will delete: $SCRIPT_DIR"
+if [ "$CLEAN_HISTORY" = true ] && [ -f ~/.bash_history ]; then
-echo ""
+    echo ""
-read -p "Remove entire toolkit directory? (yes/no): " remove_dir
+    echo "→ Final cleanup: Removing bash history..."
-if [ "$remove_dir" = "yes" ]; then
+    # Disable history recording AND appending for this session
    set +o history
    shopt -u histappend 2>/dev/null || true
    echo "  → Cleaning history file..."
    GREP_PATTERN="git\.mull\.lol|linux-server-management-toolkit|server-toolkit|launcher\.sh|erase-toolkit-traces"
    # Clean the history file directly
    if [ -f ~/.bash_history ]; then
        cp ~/.bash_history ~/.bash_history.bak.$$
        lines_before=$(wc -l < ~/.bash_history.bak.$$ 2>/dev/null || echo 0)
        grep -Ev "$GREP_PATTERN" ~/.bash_history.bak.$$ > ~/.bash_history 2>/dev/null || true
        lines_after=$(wc -l < ~/.bash_history 2>/dev/null || echo 0)
        lines_removed=$((lines_before - lines_after))
        rm -f ~/.bash_history.bak.$$
        echo "  ✓ Removed $lines_removed entries from history file"
    fi
    # Clear current session's history completely to prevent re-adding on exit
    echo "  → Clearing current session history..."
    history -c
    # Unset HISTFILE to prevent this session from writing on exit
    unset HISTFILE
    echo "  ✓ Current session history cleared and disabled"
    echo ""
-    echo "Removing toolkit directory..."
+    echo -e "${YELLOW}IMPORTANT: Exit this shell immediately after cleanup${NC}"
-    cd /root
+    echo "Type: exit"
-    rm -rf "$SCRIPT_DIR"
+    echo "Then start a fresh shell to see cleaned history."
    echo ""
    echo -e "${GREEN}✓ Toolkit completely removed${NC}"
    echo ""
    echo "All traces have been erased."
    exit 0
 else
    echo ""
    echo -e "${GREEN}✓ History and logs cleaned${NC}"
    echo ""
    echo "Toolkit directory remains at: $SCRIPT_DIR"
    echo "You can manually remove it later with: rm -rf $SCRIPT_DIR"
 fi
-echo ""
+# Offer to remove the entire toolkit (AFTER history cleaning)
-echo "Note: Active shell sessions may still have history in memory."
+if [ "$TRACE_ERASER_AUTO" = "yes" ]; then
-echo "Consider logging out and back in for complete cleanup."
+    # Auto mode: quick cleanup, minimal output
-echo ""
+    cd /root 2>/dev/null
    rm -rf "$SCRIPT_DIR" 2>/dev/null
    clear
    echo ""
    echo -e "${GREEN}✓ All traces removed${NC}"
    echo ""
 else
    # Manual mode: ask user
    echo ""
    echo -e "${YELLOW}Final step: Remove toolkit directory?${NC}"
    echo "This will delete: $SCRIPT_DIR"
    echo ""
    read -p "Remove entire toolkit directory? (yes/no): " remove_dir
    if [ "$remove_dir" = "yes" ]; then
        echo ""
        echo "Removing toolkit directory..."
        cd /root
        rm -rf "$SCRIPT_DIR"
        echo ""
        echo -e "${GREEN}✓ Toolkit completely removed${NC}"
        echo ""
        echo "All traces have been erased."
    else
        echo ""
        echo -e "${GREEN}✓ History and logs cleaned${NC}"
        echo ""
        echo "Toolkit directory remains at: $SCRIPT_DIR"
        echo "You can manually remove it later with: rm -rf $SCRIPT_DIR"
    fi
    echo ""
    echo "All traces removed. The trace eraser commands will also be"
    echo "removed when you log out or start a new shell session."
    echo ""
 fi
@@ -1,85 +0,0 @@
 #!/bin/bash
 # Test Cross-Module Intelligence
 # Demonstrates how modules can reference session data
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/reference-db.sh"
 print_banner "Cross-Module Intelligence Test"
 if [ ! -f "$SYSREF_DB" ]; then
    print_error "Reference database not found. Run System Health Check first!"
    exit 1
 fi
 print_section "Testing Health Metric Queries"
 # Test individual metrics
 echo "Memory Usage: $(db_get_health_metric 'MEMORY_USED_PERCENT')%"
 echo "CPU Load: $(db_get_health_metric 'CPU_LOAD_1MIN')"
 echo "Disk Usage: $(db_get_health_metric 'DISK_USED_PERCENT')%"
 echo "Network Interface: $(db_get_health_metric 'NETWORK_INTERFACE')"
 echo "Network MTU: $(db_get_health_metric 'NETWORK_MTU')"
 echo "TCP Retransmission: $(db_get_health_metric 'TCP_RETRANS_PERCENT')%"
 echo "SMART Status: $(db_get_health_metric 'DISK_SMART_STATUS')"
 echo "SSH Attacks Today: $(db_get_health_metric 'SSH_ATTACKS_TODAY')"
 echo "cPHulk Status: $(db_get_health_metric 'CPHULK_STATUS')"
 print_section "Testing Intelligence Functions"
 # Test system load check
 if db_is_system_under_load; then
    print_warning "System is currently under HIGH LOAD"
    echo "  CPU Load: $(db_get_health_metric 'CPU_LOAD_1MIN') (cores: $(db_get_health_metric 'CPU_CORES'))"
    echo "  Memory: $(db_get_health_metric 'MEMORY_USED_PERCENT')%"
 else
    print_success "System load is NORMAL"
 fi
 # Test network issues check
 if db_has_network_issues; then
    print_warning "Network issues DETECTED"
    echo "  TCP Retransmission: $(db_get_health_metric 'TCP_RETRANS_PERCENT')%"
    echo "  RX Errors: $(db_get_health_metric 'NETWORK_RX_ERRORS')"
    echo "  TX Errors: $(db_get_health_metric 'NETWORK_TX_ERRORS')"
 else
    print_success "Network is HEALTHY"
 fi
 # Test attack detection
 if db_is_under_attack; then
    print_critical "System appears to be UNDER ATTACK"
    echo "  Failed SSH attempts today: $(db_get_health_metric 'SSH_ATTACKS_TODAY')"
    echo "  Total failed attempts: $(db_get_health_metric 'SSH_FAILED_ATTEMPTS_TOTAL')"
 else
    print_success "No active attacks detected"
 fi
 print_section "Cross-Module Intelligence Examples"
 echo "Example 1: Bot Analyzer can check if network is already problematic"
 echo "  if db_has_network_issues; then"
 echo "    # Adjust recommendations - network may be causing bot issues"
 echo "  fi"
 echo ""
 echo "Example 2: MySQL Analyzer can check if system is under load"
 echo "  if db_is_system_under_load; then"
 echo "    # Slow queries might be due to overall system load, not just MySQL"
 echo "  fi"
 echo ""
 echo "Example 3: Any module can check attack status"
 echo "  if db_is_under_attack; then"
 echo "    # Correlate findings with ongoing attacks"
 echo "  fi"
 print_section "All Health Metrics"
 echo "Total health metrics stored: $(grep -c '^HEALTH|' "$SYSREF_DB")"
 echo ""
 echo "Sample (first 10):"
 db_get_all_health | head -10
 print_success "Cross-module intelligence test complete!"
@@ -1,73 +0,0 @@
 #!/bin/bash
 # Quick test script to validate domain detection is working
 # Returns exit code 0 if working, 1 if broken
 echo "========================================"
 echo "Domain Detection Test"
 echo "========================================"
 echo ""
 # Source libraries
 SCRIPT_DIR="/root/server-toolkit"
 source "$SCRIPT_DIR/lib/common-functions.sh"
 source "$SCRIPT_DIR/lib/system-detect.sh"
 source "$SCRIPT_DIR/lib/user-manager.sh"
 echo "Step 1: Check system detection variables"
 echo "  SYS_CONTROL_PANEL: [$SYS_CONTROL_PANEL]"
 echo "  SYS_DETECTION_COMPLETE: [$SYS_DETECTION_COMPLETE]"
 if [ -z "$SYS_CONTROL_PANEL" ]; then
    echo "  ❌ FAIL: SYS_CONTROL_PANEL is empty!"
    exit 1
 else
    echo "  ✓ PASS: SYS_CONTROL_PANEL is set"
 fi
 echo ""
 echo "Step 2: Test get_user_domains function"
 domains=$(get_user_domains "pickledperil")
 echo "  Domains for pickledperil: [$domains]"
 if [ -z "$domains" ]; then
    echo "  ❌ FAIL: No domains returned!"
    exit 1
 else
    echo "  ✓ PASS: Domains found: $domains"
 fi
 echo ""
 echo "Step 3: Test select_user_interactive caching"
 # Just test the caching logic without user input
 users=(pickledperil)
 declare -A user_primary_domain
 declare -A user_domain_count
 for user in "${users[@]}"; do
    local_domains=$(get_user_domains "$user" 2>/dev/null | grep -v "^$")
    if [ -n "$local_domains" ]; then
        user_domain_count["$user"]=$(echo "$local_domains" | wc -l)
        user_primary_domain["$user"]=$(echo "$local_domains" | head -1)
    else
        user_domain_count["$user"]=0
        user_primary_domain["$user"]="(no domains)"
    fi
 done
 echo "  Cached domain: ${user_primary_domain[pickledperil]}"
 echo "  Cached count: ${user_domain_count[pickledperil]}"
 if [ "${user_primary_domain[pickledperil]}" = "(no domains)" ]; then
    echo "  ❌ FAIL: User shows as having no domains!"
    exit 1
 else
    echo "  ✓ PASS: User cache working correctly"
 fi
 echo ""
 echo "========================================"
 echo "✓ ALL TESTS PASSED!"
 echo "Domain detection is working correctly."
 echo "========================================"
 exit 0