tunnelforge.sh

#!/usr/bin/env bash
# ╔════════════════════════════════════════════════════════════════════╗
# ║  ▀▀█▀▀ █  █ █▄ █ █▄ █ █▀▀ █   █▀▀ █▀█ █▀█ █▀▀ █▀▀            ║
# ║    █   █  █ █ ▀█ █ ▀█ █▀▀ █   █▀  █ █ █▀█ █ █ █▀▀            ║
# ║    █    ▀▀  █  █ █  █ ▀▀▀ ▀▀▀ █   ▀▀▀ █ █ ▀▀▀ ▀▀▀            ║
# ╚════════════════════════════════════════════════════════════════════╝
#
# TunnelForge — SSH Tunnel Manager
# Copyright (C) 2026 SamNet Technologies, LLC
#
# Single-file bash tool with TUI menu, live dashboard,
# DNS leak protection, kill switch, server hardening, and Telegram bot.
#
# Version : 1.0.0
# Author  : SamNet Technologies, LLC
# License : GNU General Public License v3.0
# GitHub  : github.com/SamNet-dev/tunnelforge
# Usage   : tunnelforge [command] [options]
#           Run 'tunnelforge help' for full command reference.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#

# ============================================================================
# STRICT MODE & BASH VERSION CHECK
# ============================================================================

set -eo pipefail

MIN_BASH_VERSION="4.3"

check_bash_version() {
    local major="${BASH_VERSINFO[0]}"
    local minor="${BASH_VERSINFO[1]}"
    local req_major="${MIN_BASH_VERSION%%.*}"
    local req_minor="${MIN_BASH_VERSION##*.}"

    if (( major < req_major )) || \
       (( major == req_major && minor < req_minor )); then
        echo "ERROR: TunnelForge requires bash ${MIN_BASH_VERSION}+" \
             "(found ${BASH_VERSION})" >&2
        exit 1
    fi
}
check_bash_version

# ============================================================================
# VERSION & GLOBAL CONSTANTS
# ============================================================================

readonly VERSION="1.0.0"
readonly GITHUB_REPO="SamNet-dev/tunnelforge"
readonly APP_NAME="TunnelForge"
readonly APP_NAME_LOWER="tunnelforge"

# Installation directories
readonly INSTALL_DIR="/opt/tunnelforge"
readonly CONFIG_DIR="${INSTALL_DIR}/config"
readonly PROFILES_DIR="${INSTALL_DIR}/profiles"
readonly PID_DIR="${INSTALL_DIR}/pids"
readonly LOG_DIR="${INSTALL_DIR}/logs"
readonly BACKUP_DIR="${INSTALL_DIR}/backups"
readonly DATA_DIR="${INSTALL_DIR}/data"
readonly BIN_LINK="/usr/local/bin/tunnelforge"

# Config files
readonly MAIN_CONFIG="${CONFIG_DIR}/tunnelforge.conf"

# Temp / lock
TMP_DIR=""
# Background Telegram PIDs for cleanup
declare -a _TG_BG_PIDS=()
# SSH ControlMaster
readonly SSH_CONTROL_DIR="${INSTALL_DIR}/sockets"

# Bandwidth & reconnect history
readonly BW_HISTORY_DIR="${DATA_DIR}/bandwidth"
readonly RECONNECT_LOG_DIR="${DATA_DIR}/reconnects"

# ============================================================================
# TEMP FILE CLEANUP TRAP
# ============================================================================

cleanup() {
    local exit_code=$?
    tput cnorm 2>/dev/null || true
    tput rmcup 2>/dev/null || true
    # Reap background Telegram sends
    local _tg_p
    for _tg_p in "${_TG_BG_PIDS[@]}"; do
        kill "$_tg_p" 2>/dev/null || true
        wait "$_tg_p" 2>/dev/null || true
    done
    rm -rf "${TMP_DIR}" 2>/dev/null
    rm -f "${PID_DIR}"/*.lock "${CONFIG_DIR}"/*.lock "${PROFILES_DIR}"/*.lock 2>/dev/null
    # Clean stale SSH ControlMaster sockets
    find "${SSH_CONTROL_DIR}" -type s -delete 2>/dev/null || true
    # Clean up our own mkdir-based locks (stale after SIGKILL)
    local _cleanup_lck _cleanup_pid
    for _cleanup_lck in "${CONFIG_DIR}"/*.lck "${PROFILES_DIR}"/*.lck "${PID_DIR}"/*.lck "${BW_HISTORY_DIR}"/*.lck; do
        if [[ -d "$_cleanup_lck" ]]; then
            _cleanup_pid=$(cat "${_cleanup_lck}/pid" 2>/dev/null) || true
            if [[ "${_cleanup_pid}" == "$$" ]] || [[ -z "$_cleanup_pid" ]]; then
                rm -f "${_cleanup_lck}/pid" 2>/dev/null || true
                rmdir "$_cleanup_lck" 2>/dev/null || true
            fi
        fi
    done
    exit "${exit_code}"
}
trap cleanup EXIT INT TERM HUP QUIT

TMP_DIR=$(mktemp -d "/tmp/tunnelforge.XXXXXX" 2>/dev/null) || {
    echo "FATAL: Cannot create secure temporary directory" >&2
    exit 1
}
chmod 700 "${TMP_DIR}" 2>/dev/null || true
readonly TMP_DIR

# ============================================================================
# CONFIGURATION DEFAULTS  (declare -gA CONFIG)
# ============================================================================

declare -gA CONFIG=(
    # SSH defaults
    [SSH_DEFAULT_USER]="root"
    [SSH_DEFAULT_PORT]="22"
    [SSH_DEFAULT_KEY]=""
    [SSH_CONNECT_TIMEOUT]="10"
    [SSH_SERVER_ALIVE_INTERVAL]="30"
    [SSH_SERVER_ALIVE_COUNT_MAX]="3"
    [SSH_STRICT_HOST_KEY]="yes"

    # AutoSSH
    [AUTOSSH_ENABLED]="true"
    [AUTOSSH_POLL]="30"
    [AUTOSSH_FIRST_POLL]="30"
    [AUTOSSH_GATETIME]="30"

    [AUTOSSH_MONITOR_PORT]="0"
    [AUTOSSH_LOG_LEVEL]="1"

    # ControlMaster
    [CONTROLMASTER_ENABLED]="false"
    [CONTROLMASTER_PERSIST]="600"

    # Security
    [DNS_LEAK_PROTECTION]="false"
    [DNS_SERVER_1]="1.1.1.1"
    [DNS_SERVER_2]="1.0.0.1"
    [KILL_SWITCH]="false"

    # Telegram
    [TELEGRAM_ENABLED]="false"
    [TELEGRAM_BOT_TOKEN]=""
    [TELEGRAM_CHAT_ID]=""
    [TELEGRAM_ALERTS]="true"
    [TELEGRAM_PERIODIC_STATUS]="false"
    [TELEGRAM_STATUS_INTERVAL]="3600"

    # Dashboard
    [DASHBOARD_REFRESH]="5"
    [DASHBOARD_THEME]="retro"

    # Logging
    [LOG_LEVEL]="info"
    [LOG_JSON]="false"
    [LOG_MAX_SIZE]="10485760"
    [LOG_ROTATE_COUNT]="5"

    # General
    [AUTO_UPDATE_CHECK]="false"
)

config_get() {
    local key="$1"
    local default="${2:-}"
    echo "${CONFIG[$key]:-$default}"
}

config_set() {
    local key="$1"
    local value="$2"
    CONFIG["$key"]="$value"
}

# ============================================================================
# COLORS & TERMINAL DETECTION
# ============================================================================

if [[ -t 1 ]] && [[ -t 2 ]]; then
    IS_TTY=true
else
    IS_TTY=false
fi

if [[ "${IS_TTY}" == true ]] && [[ "${TERM:-dumb}" != "dumb" ]] && [[ -z "${NO_COLOR:-}" ]]; then
    RED=$'\033[0;31m'
    GREEN=$'\033[0;32m'
    YELLOW=$'\033[0;33m'
    BLUE=$'\033[0;34m'
    MAGENTA=$'\033[0;35m'
    CYAN=$'\033[0;36m'
    WHITE=$'\033[0;37m'

    BOLD=$'\033[1m'
    BOLD_RED=$'\033[1;31m'
    BOLD_GREEN=$'\033[1;32m'
    BOLD_YELLOW=$'\033[1;33m'
    BOLD_BLUE=$'\033[1;34m'
    BOLD_MAGENTA=$'\033[1;35m'
    BOLD_CYAN=$'\033[1;36m'
    BOLD_WHITE=$'\033[1;37m'

    BG_RED=$'\033[41m'
    BG_GREEN=$'\033[42m'
    BG_YELLOW=$'\033[43m'
    BG_BLUE=$'\033[44m'

    DIM=$'\033[2m'
    UNDERLINE=$'\033[4m'
    REVERSE=$'\033[7m'
    RESET=$'\033[0m'

    # Status indicators (Unicode + color)
    readonly STATUS_OK="${GREEN}●${RESET}"
    readonly STATUS_FAIL="${RED}✗${RESET}"
    readonly STATUS_WARN="${YELLOW}▲${RESET}"
    readonly STATUS_STOP="${DIM}■${RESET}"
    readonly STATUS_SPIN="${CYAN}◆${RESET}"
else
    RED=''   GREEN=''  YELLOW=''  BLUE=''  MAGENTA=''  CYAN=''  WHITE=''
    BOLD=''  BOLD_RED=''  BOLD_GREEN=''  BOLD_YELLOW=''  BOLD_BLUE=''
    BOLD_MAGENTA=''  BOLD_CYAN=''  BOLD_WHITE=''
    BG_RED=''  BG_GREEN=''  BG_YELLOW=''  BG_BLUE=''
    DIM=''  UNDERLINE=''  REVERSE=''  RESET=''
    IS_TTY=false

    # Status indicators (ASCII fallback for dumb/pipe/NO_COLOR)
    readonly STATUS_OK="*"
    readonly STATUS_FAIL="x"
    readonly STATUS_WARN="!"
    readonly STATUS_STOP="-"
    readonly STATUS_SPIN="+"
fi

# ============================================================================
# LOGGING
# ============================================================================

declare -gA LOG_LEVELS=( [debug]=0 [info]=1 [success]=2 [warn]=3 [error]=4 )

_get_log_level_num() { echo "${LOG_LEVELS[${1:-info}]:-1}"; }

_should_log() {
    local msg_level="$1"
    local configured_level
    configured_level=$(config_get "LOG_LEVEL" "info")
    local msg_num configured_num
    msg_num=$(_get_log_level_num "$msg_level")
    configured_num=$(_get_log_level_num "$configured_level")
    if (( msg_num >= configured_num )); then return 0; fi
    return 1
}

log_json() {
    local level="$1" message="$2"
    local ts
    ts=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    # Escape JSON special characters: backslash first, then quotes, then control chars
    message="${message//\\/\\\\}"
    message="${message//\"/\\\"}"
    message="${message//$'\n'/\\n}"
    message="${message//$'\t'/\\t}"
    message="${message//$'\r'/\\r}"
    printf '{"timestamp":"%s","level":"%s","app":"%s","message":"%s"}\n' \
        "$ts" "$level" "$APP_NAME_LOWER" "$message"
}

_log() {
    local level="$1" color="$2" prefix="$3" message="$4"
    _should_log "$level" || return 0

    if [[ "$(config_get LOG_JSON false)" == "true" ]]; then
        log_json "$level" "$message" \
            >> "${LOG_DIR}/${APP_NAME_LOWER}.log" 2>/dev/null || true
    fi

    local ts
    ts=$(date '+%H:%M:%S')
    if [[ "${IS_TTY}" == true ]]; then
        printf "${DIM}[%s]${RESET} ${color}${prefix}${RESET} %s\n" \
            "$ts" "$message" >&2
    else
        printf "[%s] %s %s\n" "$ts" "$prefix" "$message" >&2
    fi
}

log_debug()   { _log "debug"   "${DIM}"    "[DEBUG]" "$1"; }
log_info()    { _log "info"    "${CYAN}"   "[INFO] " "$1"; }
log_success() { _log "success" "${GREEN}"  "[  OK ]" "$1"; }
log_warn()    { _log "warn"    "${YELLOW}" "[WARN] " "$1"; }
log_error()   { _log "error"   "${RED}"    "[ERROR]" "$1"; }

log_file() {
    local level="$1" message="$2"
    if [[ "$(config_get LOG_JSON false)" == "true" ]]; then
        log_json "$level" "$message" \
            >> "${LOG_DIR}/${APP_NAME_LOWER}.log" 2>/dev/null || true
    else
        local ts
        ts=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
        printf "[%s] [%s] %s\n" "$ts" "$level" "$message" \
            >> "${LOG_DIR}/${APP_NAME_LOWER}.log" 2>/dev/null || true
    fi
}

# ============================================================================
# UTILITY FUNCTIONS
# ============================================================================

# Drain trailing bytes from multi-byte escape sequences (arrow keys, etc.)
# Call after read -rsn1: if key is ESC, consume the rest and blank the var.
# Usage: _drain_esc varname
_drain_esc() {
    local -n _de_ref="$1"
    if [[ "${_de_ref}" == $'\033' ]]; then
        local _de_trash
        read -rsn2 -t 0.1 _de_trash </dev/tty 2>/dev/null || true
        _de_ref=""
    fi
}

validate_port() {
    local port="$1"
    if [[ "$port" =~ ^[0-9]+$ ]] && (( port >= 1 && port <= 65535 )); then
        return 0
    fi
    return 1
}

# Check if a local port is already in use or assigned
# Returns 0 if free, 1 if busy. Prints suggestion on conflict.
_check_port_conflict() {
    local _cp_port="$1" _cp_type="${2:-local}"
    local _cp_busy=false _cp_who=""

    # Check active listeners via ss
    if command -v ss &>/dev/null; then
        if ss -tln 2>/dev/null | tail -n +2 | grep -qE "[:.]${_cp_port}[[:space:]]"; then
            _cp_busy=true
            _cp_who="system process"
        fi
    fi

    # Check other TunnelForge profiles
    if [[ -d "$PROFILES_DIR" ]]; then
        local _cp_f _cp_pname
        for _cp_f in "$PROFILES_DIR"/*.conf; do
            [[ -f "$_cp_f" ]] || continue
            _cp_pname=$(basename "$_cp_f" .conf)
            local _cp_pport=""
            _cp_pport=$(grep -oE "^LOCAL_PORT='[0-9]+'" "$_cp_f" 2>/dev/null | cut -d"'" -f2) || true
            if [[ "$_cp_pport" == "$_cp_port" ]]; then
                _cp_busy=true
                _cp_who="profile '${_cp_pname}'"
                break
            fi
        done
    fi

    if [[ "$_cp_busy" == true ]]; then
        printf "  ${YELLOW}! Port %s is used by %s${RESET}\n" "$_cp_port" "$_cp_who" >/dev/tty
        # Suggest next free port
        local _cp_try=$(( _cp_port + 1 ))
        local _cp_max=$(( _cp_port + 20 ))
        while (( _cp_try <= _cp_max && _cp_try <= 65535 )); do
            local _cp_free=true
            if command -v ss &>/dev/null; then
                if ss -tln 2>/dev/null | tail -n +2 | grep -qE "[:.]${_cp_try}[[:space:]]"; then
                    _cp_free=false
                fi
            fi
            if [[ "$_cp_free" == true ]] && [[ -d "$PROFILES_DIR" ]]; then
                for _cp_f in "$PROFILES_DIR"/*.conf; do
                    [[ -f "$_cp_f" ]] || continue
                    local _cp_pp=""
                    _cp_pp=$(grep -oE "^LOCAL_PORT='[0-9]+'" "$_cp_f" 2>/dev/null | cut -d"'" -f2) || true
                    if [[ "$_cp_pp" == "$_cp_try" ]]; then
                        _cp_free=false; break
                    fi
                done
            fi
            if [[ "$_cp_free" == true ]]; then
                printf "  ${DIM}Suggested: %s${RESET}\n" "$_cp_try" >/dev/tty
                return 1
            fi
            (( ++_cp_try ))
        done
        return 1
    fi
    return 0
}

validate_ip() {
    local ip="$1"
    if [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
        local IFS='.'
        read -ra octets <<< "$ip"
        for octet in "${octets[@]}"; do
            # Reject leading zeros (octal ambiguity with iptables/ssh)
            if [[ "$octet" =~ ^0[0-9] ]]; then return 1; fi
            if (( 10#$octet > 255 )); then return 1; fi
        done
        return 0
    fi
    return 1
}

validate_ip6() {
    local ip="$1"
    # Accept bracketed form [::1]
    if [[ "$ip" =~ ^\[([0-9a-fA-F:]+)\]$ ]]; then
        ip="${BASH_REMATCH[1]}"
    fi
    # Basic IPv6: must contain at least one colon, only hex digits and colons
    if [[ "$ip" =~ ^[0-9a-fA-F]*:[0-9a-fA-F:]*$ ]]; then
        # Reject more than one :: (invalid shorthand)
        local _dc="${ip//[^:]/}"
        if [[ "${ip}" == *"::"*"::"* ]]; then return 1; fi
        return 0
    fi
    return 1
}

validate_hostname() {
    local host="$1"
    validate_ip "$host" && return 0
    # Accept bracket-wrapped IPv6 (e.g., [::1], [2001:db8::1])
    if [[ "$host" =~ ^\[[0-9a-fA-F:]+\]$ ]]; then return 0; fi
    # Accept bare IPv6 (e.g., ::1, 2001:db8::1)
    if [[ "$host" =~ ^[0-9a-fA-F]*:[0-9a-fA-F:]+$ ]]; then return 0; fi
    [[ "$host" =~ ^[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)*$ ]]
}

validate_profile_name() {
    local name="$1"
    [[ "$name" =~ ^[a-zA-Z0-9][a-zA-Z0-9_-]{0,63}$ ]]
}

format_bytes() {
    local bytes="${1:-0}"
    [[ "$bytes" =~ ^[0-9]+$ ]] || bytes=0
    if (( bytes < 1024 )); then
        printf "%d B" "$bytes"
    elif (( bytes < 1048576 )); then
        printf "%d.%d KB" "$(( bytes / 1024 ))" "$(( (bytes % 1024) * 10 / 1024 ))"
    elif (( bytes < 1073741824 )); then
        printf "%d.%d MB" "$(( bytes / 1048576 ))" "$(( (bytes % 1048576) * 10 / 1048576 ))"
    else
        printf "%d.%02d GB" "$(( bytes / 1073741824 ))" "$(( (bytes % 1073741824) * 100 / 1073741824 ))"
    fi
}

format_duration() {
    local seconds="${1:-0}"
    [[ "$seconds" =~ ^[0-9]+$ ]] || seconds=0
    local d=$(( seconds / 86400 ))
    local h=$(( (seconds % 86400) / 3600 ))
    local m=$(( (seconds % 3600) / 60 ))
    local s=$(( seconds % 60 ))

    if (( d > 0 )); then
        printf "%dd %dh %dm" "$d" "$h" "$m"
    elif (( h > 0 )); then
        printf "%dh %dm %ds" "$h" "$m" "$s"
    elif (( m > 0 )); then
        printf "%dm %ds" "$m" "$s"
    else
        printf "%ds" "$s"
    fi
}

get_public_ip() {
    local ip="" svc
    local services=(
        "https://api.ipify.org"
        "https://ifconfig.me/ip"
        "https://icanhazip.com"
        "https://ipecho.net/plain"
    )
    for svc in "${services[@]}"; do
        ip=$(curl -s --max-time 5 "$svc" 2>/dev/null | tr -d '[:space:]' || true)
        if validate_ip "$ip" || validate_ip6 "$ip"; then
            echo "$ip"; return 0
        fi
    done
    echo "unknown"; return 1
}

check_root() {
    local hint="${1:-}"
    if [[ $EUID -ne 0 ]]; then
        log_error "This operation requires root privileges"
        log_info  "Run with: sudo tunnelforge ${hint}"
        return 1
    fi
}

confirm_action() {
    local message="${1:-Are you sure?}"
    local default="${2:-n}"
    local prompt
    if [[ "$default" == "y" ]]; then
        prompt="${message} [Y/n]: "
    else
        prompt="${message} [y/N]: "
    fi
    printf "${BOLD}%s${RESET}" "$prompt" >/dev/tty
    local answer
    read -r answer </dev/tty || true
    answer="${answer:-$default}"
    case "${answer,,}" in
        y|yes) return 0 ;;
        *)     return 1 ;;
    esac
}

print_line() {
    local char="${1:-─}" width="${2:-$(get_term_width)}"
    local i
    local line=""
    for (( i=0; i<width; i++ )); do
        line+="$char"
    done
    printf '%s\n' "$line"
}

spinner() {
    local pid="$1" message="${2:-Working...}"
    local -a chars
    if [[ "${IS_TTY}" == true ]] && [[ "${TERM:-dumb}" != "dumb" ]] && [[ -z "${NO_COLOR:-}" ]]; then
        chars=('⠋' '⠙' '⠹' '⠸' '⠼' '⠴' '⠦' '⠧' '⠇' '⠏')
    else
        chars=('|' '/' '-' '\')
    fi
    local i=0
    while kill -0 "$pid" 2>/dev/null; do
        printf "\r${CYAN}%s${RESET} %s" "${chars[$i]}" "$message" >&2
        i=$(( (i + 1) % ${#chars[@]} ))
        sleep 0.1
    done
    printf "\r%*s\r" $(( ${#message} + 3 )) "" >&2
}

is_port_in_use() {
    local port="$1" bind_addr="${2:-127.0.0.1}"
    if command -v ss &>/dev/null; then
        local _ss_pattern
        if [[ "$bind_addr" == "0.0.0.0" ]] || [[ "$bind_addr" == "::" ]] || [[ "$bind_addr" == "[::]" ]]; then
            _ss_pattern="\\*"
        elif [[ "$bind_addr" =~ : ]]; then
            # IPv6 — ss shows as [addr]:port; escape brackets for grep
            local _stripped="${bind_addr#\[}"
            _stripped="${_stripped%\]}"
            _ss_pattern="\\[${_stripped}\\]"
        else
            _ss_pattern="${bind_addr//./\\.}"
        fi
        ss -tln sport = :"${port}" 2>/dev/null | tail -n +2 | grep -qE "(${_ss_pattern}|\\*):" 2>/dev/null
    elif command -v netstat &>/dev/null; then
        netstat -tln 2>/dev/null | grep -qE "(${bind_addr//./\\.}|0\\.0\\.0\\.0):${port}([[:space:]]|$)"
    else
        return 1
    fi
}

get_term_width() {
    tput cols 2>/dev/null || echo 80
}

# ============================================================================
# OS DETECTION & PACKAGE MANAGEMENT
# ============================================================================

declare -g OS_ID=""
declare -g OS_VERSION=""
declare -g OS_FAMILY=""
declare -g PKG_MANAGER=""
declare -g PKG_INSTALL=""
declare -g PKG_UPDATE=""
declare -g INIT_SYSTEM=""

detect_os() {
    if [[ -f /etc/os-release ]]; then
        # Parse directly — sourcing collides with our readonly VERSION
        OS_ID=$(grep -m1 '^ID=' /etc/os-release 2>/dev/null | cut -d= -f2 | tr -d '"') || true
        OS_VERSION=$(grep -m1 '^VERSION_ID=' /etc/os-release 2>/dev/null | cut -d= -f2 | tr -d '"') || true
        : "${OS_ID:=unknown}" "${OS_VERSION:=unknown}"
    elif [[ -f /etc/redhat-release ]]; then
        OS_ID="rhel"
        OS_VERSION=$(grep -oE '[0-9]+\.[0-9]+' /etc/redhat-release | head -1 || true)
    else
        OS_ID="unknown"
        OS_VERSION="unknown"
    fi

    case "${OS_ID}" in
        ubuntu|debian|raspbian|linuxmint|pop|kali|parrot)
            OS_FAMILY="debian"
            PKG_MANAGER="apt-get"
            PKG_INSTALL="apt-get install -y"
            PKG_UPDATE="apt-get update"
            ;;
        fedora|centos|rhel|rocky|almalinux|ol)
            OS_FAMILY="rhel"
            if command -v dnf &>/dev/null; then
                PKG_MANAGER="dnf"
                PKG_INSTALL="dnf install -y"
                PKG_UPDATE="dnf check-update"
            else
                PKG_MANAGER="yum"
                PKG_INSTALL="yum install -y"
                PKG_UPDATE="yum check-update"
            fi
            ;;
        arch|manjaro|endeavouros)
            OS_FAMILY="arch"
            PKG_MANAGER="pacman"
            PKG_INSTALL="pacman -S --noconfirm"
            PKG_UPDATE="pacman -Sy"
            ;;
        alpine)
            OS_FAMILY="alpine"
            PKG_MANAGER="apk"
            PKG_INSTALL="apk add"
            PKG_UPDATE="apk update"
            ;;
        opensuse*|sles)
            OS_FAMILY="suse"
            PKG_MANAGER="zypper"
            PKG_INSTALL="zypper install -y"
            PKG_UPDATE="zypper refresh"
            ;;
        *)
            OS_FAMILY="unknown"
            log_warn "Unknown OS: ${OS_ID}. Some features may not work."
            ;;
    esac

    # Detect init system
    if command -v systemctl &>/dev/null && [[ -d /run/systemd/system ]]; then
        INIT_SYSTEM="systemd"
    elif command -v rc-service &>/dev/null; then
        INIT_SYSTEM="openrc"
    elif [[ -d /etc/init.d ]]; then
        INIT_SYSTEM="sysvinit"
    else
        INIT_SYSTEM="unknown"
    fi

    log_debug "Detected OS: ${OS_ID} ${OS_VERSION} (${OS_FAMILY}), init: ${INIT_SYSTEM}"
}

install_package() {
    local pkg="$1"
    local pkg_name="$pkg"

    case "${OS_FAMILY}" in
        debian)
            case "$pkg" in
                openssh-client) pkg_name="openssh-client" ;;
                ncurses)        pkg_name="ncurses-bin"    ;;
            esac ;;
        rhel)
            case "$pkg" in
                openssh-client) pkg_name="openssh-clients" ;;
                ncurses)        pkg_name="ncurses"         ;;
                iproute2)       pkg_name="iproute"         ;;
            esac ;;
        arch)
            case "$pkg" in
                openssh-client) pkg_name="openssh"   ;;
                ncurses)        pkg_name="ncurses"   ;;
                iproute2)       pkg_name="iproute2"  ;;
            esac ;;
        alpine)
            case "$pkg" in
                openssh-client) pkg_name="openssh-client" ;;
                ncurses)        pkg_name="ncurses"        ;;
                iproute2)       pkg_name="iproute2"       ;;
            esac ;;
        suse)
            case "$pkg" in
                openssh-client) pkg_name="openssh"        ;;
                ncurses)        pkg_name="ncurses-utils"  ;;
                iproute2)       pkg_name="iproute2"       ;;
            esac ;;
    esac

    if [[ -z "$PKG_INSTALL" ]]; then
        log_error "No package manager configured for this OS"
        return 1
    fi
    log_info "Installing ${pkg_name}..."
    if ${PKG_INSTALL} "${pkg_name}" &>/dev/null; then
        log_success "Installed ${pkg_name}"
        return 0
    else
        log_error "Failed to install ${pkg_name}"
        return 1
    fi
}

check_dependencies() {
    local missing=()

    local -A deps=(
        [ssh]="openssh-client"
        [autossh]="autossh"
        [sshpass]="sshpass"
        [iptables]="iptables"
        [curl]="curl"
        [ip]="iproute2"
        [tput]="ncurses"
        [bc]="bc"
        [jq]="jq"
    )

    log_info "Checking dependencies..."
    for cmd in "${!deps[@]}"; do
        if ! command -v "$cmd" &>/dev/null; then
            missing+=("${deps[$cmd]}")
            log_warn "Missing: ${cmd} (package: ${deps[$cmd]})"
        else
            log_debug "Found: ${cmd}"
        fi
    done

    if [[ ${#missing[@]} -eq 0 ]]; then
        log_success "All dependencies satisfied"
        return 0
    fi

    log_info "Missing ${#missing[@]} package(s): ${missing[*]}"

    if ! check_root; then
        log_error "Root access needed to install missing packages"
        return 1
    fi

    log_info "Updating package cache..."
    ${PKG_UPDATE} &>/dev/null || true

    local failed=0
    for pkg in "${missing[@]}"; do
        install_package "$pkg" || ((++failed))
    done

    if (( failed > 0 )); then
        log_error "${failed} package(s) failed to install"
        return 1
    fi

    log_success "All dependencies installed"
    return 0
}

# ============================================================================
# SETTINGS LOAD / SAVE  (safe whitelist-validated parser)
# ============================================================================

readonly CONFIG_WHITELIST=(
    SSH_DEFAULT_USER SSH_DEFAULT_PORT SSH_DEFAULT_KEY
    SSH_CONNECT_TIMEOUT SSH_SERVER_ALIVE_INTERVAL SSH_SERVER_ALIVE_COUNT_MAX
    SSH_STRICT_HOST_KEY
    AUTOSSH_ENABLED AUTOSSH_POLL AUTOSSH_GATETIME AUTOSSH_MONITOR_PORT
    AUTOSSH_FIRST_POLL AUTOSSH_LOG_LEVEL
    CONTROLMASTER_ENABLED CONTROLMASTER_PERSIST
    DNS_LEAK_PROTECTION DNS_SERVER_1 DNS_SERVER_2 KILL_SWITCH
    TELEGRAM_ENABLED TELEGRAM_BOT_TOKEN TELEGRAM_CHAT_ID
    TELEGRAM_ALERTS TELEGRAM_PERIODIC_STATUS TELEGRAM_STATUS_INTERVAL
    DASHBOARD_REFRESH DASHBOARD_THEME
    LOG_LEVEL LOG_JSON LOG_MAX_SIZE LOG_ROTATE_COUNT
    AUTO_UPDATE_CHECK
)

_is_whitelisted() {
    local key="$1" k
    for k in "${CONFIG_WHITELIST[@]}"; do
        if [[ "$k" == "$key" ]]; then return 0; fi
    done
    return 1
}

load_settings() {
    local config_file="${1:-$MAIN_CONFIG}"
    [[ -f "$config_file" ]] || return 0

    log_debug "Loading settings from: ${config_file}"

    while IFS= read -r line || [[ -n "$line" ]]; do
        [[ "$line" =~ ^[[:space:]]*# ]]  && continue
        [[ "$line" =~ ^[[:space:]]*$ ]]   && continue

        if [[ "$line" =~ ^([A-Z_][A-Z0-9_]*)=(.*)$ ]]; then
            local key="${BASH_REMATCH[1]}"
            local value="${BASH_REMATCH[2]}"
            # Strip matched outer quote pairs, then un-escape
            if [[ "$value" == \'*\' ]]; then
                value="${value#\'}"; value="${value%\'}"
                value="${value//\'\\\'\'/\'}"
            elif [[ "$value" == \"*\" ]]; then
                value="${value#\"}"; value="${value%\"}"
            fi

            if _is_whitelisted "$key"; then
                CONFIG["$key"]="$value"
                if [[ "$key" == "TELEGRAM_BOT_TOKEN" ]] || [[ "$key" == "TELEGRAM_CHAT_ID" ]]; then
                    log_debug "Loaded: ${key}=****"
                else
                    log_debug "Loaded: ${key}=${value}"
                fi
            else
                log_warn "Ignoring unknown config key: ${key}"
            fi
        fi
    done < "$config_file"

    log_debug "Settings loaded"
}

save_settings() {
    local config_file="${1:-$MAIN_CONFIG}"

    # Acquire file-level lock to prevent concurrent writer races
    local _ss_lock_fd="" _ss_lock_dir=""
    _ss_unlock() {
        if [[ -n "${_ss_lock_fd:-}" ]]; then exec {_ss_lock_fd}>&- 2>/dev/null || true; fi
        if [[ -n "${_ss_lock_dir:-}" ]]; then
            rm -f "${_ss_lock_dir}/pid" 2>/dev/null || true
            rmdir "${_ss_lock_dir}" 2>/dev/null || true
            _ss_lock_dir=""
        fi
    }
    if command -v flock &>/dev/null; then
        exec {_ss_lock_fd}>"${config_file}.lock"
        flock -w 5 "$_ss_lock_fd" 2>/dev/null || { log_warn "Could not acquire settings lock"; _ss_unlock; return 1; }
    else
        _ss_lock_dir="${config_file}.lck"
        local _ss_try=0
        while ! mkdir "$_ss_lock_dir" 2>/dev/null; do
            local _ss_stale_pid=""
            _ss_stale_pid=$(cat "${_ss_lock_dir}/pid" 2>/dev/null) || true
            if [[ -n "$_ss_stale_pid" ]] && ! kill -0 "$_ss_stale_pid" 2>/dev/null; then
                rm -f "${_ss_lock_dir}/pid" 2>/dev/null || true
                rmdir "$_ss_lock_dir" 2>/dev/null || true
                continue
            fi
            if (( ++_ss_try >= 10 )); then log_warn "Could not acquire settings lock"; return 1; fi
            sleep 0.5
        done
        printf '%s' "$$" > "${_ss_lock_dir}/pid" 2>/dev/null || true
    fi

    local tmp_file
    tmp_file=$(mktemp "${TMP_DIR}/config.XXXXXX")

    mkdir -p "$(dirname "$config_file")" 2>/dev/null || true

    cat > "$tmp_file" <<'HEADER'
# ============================================================================
# TunnelForge Configuration
# Generated automatically — edit with care
# ============================================================================
HEADER

    local key _sv
    {
        for key in "${CONFIG_WHITELIST[@]}"; do
            if [[ -n "${CONFIG[$key]+x}" ]]; then
                _sv="${CONFIG[$key]//$'\n'/}"
                _sv="${_sv//\'/\'\\\'\'}"
                printf "%s='%s'\n" "$key" "$_sv"
            fi
        done
    } >> "$tmp_file"

    # Set permissions before mv so there's no window of insecure perms
    chmod 600 "$tmp_file" 2>/dev/null || true
    # mv fails across filesystems (/tmp → /etc), fall back to cp to same-dir temp then mv
    if mv "$tmp_file" "$config_file" 2>/dev/null || \
       { cp "$tmp_file" "${config_file}.tmp.$$" 2>/dev/null && \
         mv "${config_file}.tmp.$$" "$config_file" 2>/dev/null && \
         rm -f "$tmp_file" 2>/dev/null; }; then
        log_debug "Settings saved to: ${config_file}"
        _ss_unlock
        return 0
    fi
    rm -f "${config_file}.tmp.$$" 2>/dev/null
    rm -f "$tmp_file" 2>/dev/null
    log_error "Failed to save settings to: ${config_file}"
    _ss_unlock
    return 1
}

# ============================================================================
# DIRECTORY INITIALIZATION
# ============================================================================

init_directories() {
    local dirs=(
        "$INSTALL_DIR"  "$CONFIG_DIR"     "$PROFILES_DIR"
        "$PID_DIR"      "$LOG_DIR"        "$BACKUP_DIR"
        "$DATA_DIR"     "$SSH_CONTROL_DIR"
        "$BW_HISTORY_DIR" "$RECONNECT_LOG_DIR"
    )
    for dir in "${dirs[@]}"; do
        if [[ ! -d "$dir" ]]; then
            mkdir -p "$dir" 2>/dev/null || {
                log_error "Failed to create directory: ${dir}"
                return 1
            }
        fi
    done
    chmod 700 "$CONFIG_DIR"      2>/dev/null || true
    chmod 700 "$SSH_CONTROL_DIR" 2>/dev/null || true
    chmod 700 "$LOG_DIR"         2>/dev/null || true
    chmod 700 "$PROFILES_DIR"    2>/dev/null || true
    chmod 700 "$PID_DIR"         2>/dev/null || true
    chmod 700 "$BACKUP_DIR"      2>/dev/null || true
    chmod 700 "$DATA_DIR"        2>/dev/null || true
    chmod 700 "$BW_HISTORY_DIR"      2>/dev/null || true
    chmod 700 "$RECONNECT_LOG_DIR"   2>/dev/null || true
    chmod 755 "$INSTALL_DIR"     2>/dev/null || true
    log_debug "Directories initialized"
}

# ============================================================================
# PROFILE MANAGEMENT
# ============================================================================

readonly PROFILE_FIELDS=(
    PROFILE_NAME TUNNEL_TYPE
    SSH_HOST SSH_PORT SSH_USER SSH_PASSWORD IDENTITY_KEY
    LOCAL_BIND_ADDR LOCAL_PORT REMOTE_HOST REMOTE_PORT
    JUMP_HOSTS SSH_OPTIONS
    AUTOSSH_ENABLED AUTOSSH_MONITOR_PORT
    DNS_LEAK_PROTECTION KILL_SWITCH AUTOSTART
    OBFS_MODE OBFS_PORT OBFS_LOCAL_PORT OBFS_PSK
    DESCRIPTION
)

_profile_path() { echo "${PROFILES_DIR}/${1}.conf"; }

create_profile() {
    local name="$1"

    if ! validate_profile_name "$name"; then
        log_error "Invalid profile name: '${name}'"
        log_info  "Use letters, numbers, hyphens, underscores (max 64 chars)"
        return 1
    fi

    local profile_file
    profile_file=$(_profile_path "$name")
    if [[ -f "$profile_file" ]]; then
        log_error "Profile '${name}' already exists"
        return 1
    fi

    local -A profile=(
        [PROFILE_NAME]="$name"
        [TUNNEL_TYPE]="socks5"
        [SSH_HOST]=""
        [SSH_PORT]="$(config_get SSH_DEFAULT_PORT 22)"
        [SSH_USER]="$(config_get SSH_DEFAULT_USER root)"
        [IDENTITY_KEY]="$(config_get SSH_DEFAULT_KEY)"
        [LOCAL_BIND_ADDR]="127.0.0.1"
        [LOCAL_PORT]="1080"
        [REMOTE_HOST]=""
        [REMOTE_PORT]=""
        [JUMP_HOSTS]=""
        [SSH_OPTIONS]=""
        [AUTOSSH_ENABLED]="$(config_get AUTOSSH_ENABLED true)"
        [AUTOSSH_MONITOR_PORT]="0"
        [DNS_LEAK_PROTECTION]="false"
        [KILL_SWITCH]="false"
        [AUTOSTART]="false"
        [DESCRIPTION]=""
    )

    _save_profile_data "$profile_file" profile
    log_success "Profile '${name}' created"
}

load_profile() {
    local name="$1"
    local -n _profile_ref="$2"

    local profile_file
    profile_file=$(_profile_path "$name")
    if [[ ! -f "$profile_file" ]]; then
        log_error "Profile '${name}' not found"
        return 1
    fi

    while IFS= read -r line || [[ -n "$line" ]]; do
        [[ "$line" =~ ^[[:space:]]*# ]] && continue
        [[ "$line" =~ ^[[:space:]]*$ ]] && continue

        if [[ "$line" =~ ^([A-Z_][A-Z0-9_]*)=(.*)$ ]]; then
            local key="${BASH_REMATCH[1]}"
            local value="${BASH_REMATCH[2]}"
            # Strip matched outer quote pairs, then un-escape
            if [[ "$value" == \'*\' ]]; then
                value="${value#\'}"; value="${value%\'}"
                value="${value//\'\\\'\'/\'}"
            elif [[ "$value" == \"*\" ]]; then
                value="${value#\"}"; value="${value%\"}"
            fi

            local valid=false field
            for field in "${PROFILE_FIELDS[@]}"; do
                [[ "$field" == "$key" ]] && { valid=true; break; }
            done
            if [[ "$valid" == true ]]; then _profile_ref["$key"]="$value"; fi
        fi
    done < "$profile_file"

    # Validate critical fields against injection
    local _fld _fval
    for _fld in SSH_USER SSH_HOST REMOTE_HOST; do
        _fval="${_profile_ref[$_fld]:-}"
        [[ -z "$_fval" ]] && continue
        if [[ "$_fval" =~ [[:cntrl:]] ]]; then
            log_error "Profile '${name}': ${_fld} contains control characters"
            return 1
        fi
    done
    if [[ -n "${_profile_ref[SSH_USER]:-}" ]] && \
       ! [[ "${_profile_ref[SSH_USER]}" =~ ^[a-zA-Z0-9._@-]+$ ]]; then
        log_error "Profile '${name}': SSH_USER contains invalid characters"
        return 1
    fi
    if [[ -n "${_profile_ref[SSH_HOST]:-}" ]] && \
       ! [[ "${_profile_ref[SSH_HOST]}" =~ ^[a-zA-Z0-9._:%-]+$|^\[[0-9a-fA-F:]+\]$ ]]; then
        log_error "Profile '${name}': SSH_HOST contains invalid characters"
        return 1
    fi
    if [[ -n "${_profile_ref[REMOTE_HOST]:-}" ]] && \
       ! [[ "${_profile_ref[REMOTE_HOST]}" =~ ^[a-zA-Z0-9._:%-]+$|^\[[0-9a-fA-F:]+\]$ ]]; then
        log_error "Profile '${name}': REMOTE_HOST contains invalid characters"
        return 1
    fi
    # Validate LOCAL_BIND_ADDR (used directly in SSH -D/-L/-R commands)
    if [[ -n "${_profile_ref[LOCAL_BIND_ADDR]:-}" ]] && \
       ! { validate_ip "${_profile_ref[LOCAL_BIND_ADDR]}" || \
           validate_ip6 "${_profile_ref[LOCAL_BIND_ADDR]}" || \
           [[ "${_profile_ref[LOCAL_BIND_ADDR]}" == "localhost" ]] || \
           [[ "${_profile_ref[LOCAL_BIND_ADDR]}" == "*" ]] || \
           [[ "${_profile_ref[LOCAL_BIND_ADDR]}" == "0.0.0.0" ]]; }; then
        log_error "Profile '${name}': LOCAL_BIND_ADDR is not a valid address"
        return 1
    fi
    # Validate OBFS_MODE enum
    if [[ -n "${_profile_ref[OBFS_MODE]:-}" ]] && \
       ! [[ "${_profile_ref[OBFS_MODE]}" =~ ^(none|stunnel)$ ]]; then
        log_error "Profile '${name}': OBFS_MODE must be 'none' or 'stunnel'"
        return 1
    fi

    log_debug "Profile '${name}' loaded"
}

_save_profile_data() {
    local file="$1"
    local -n _data_ref="$2"
    mkdir -p "$(dirname "$file")" 2>/dev/null || true

    # Acquire file-level lock to prevent concurrent writer races
    local _spd_lock_fd="" _spd_lock_dir=""
    _spd_unlock() {
        if [[ -n "${_spd_lock_fd:-}" ]]; then exec {_spd_lock_fd}>&- 2>/dev/null || true; fi
        if [[ -n "${_spd_lock_dir:-}" ]]; then
            rm -f "${_spd_lock_dir}/pid" 2>/dev/null || true
            rmdir "${_spd_lock_dir}" 2>/dev/null || true
            _spd_lock_dir=""
        fi
    }
    if command -v flock &>/dev/null; then
        exec {_spd_lock_fd}>"${file}.lock"
        flock -w 5 "$_spd_lock_fd" 2>/dev/null || { log_warn "Could not acquire profile lock"; _spd_unlock; return 1; }
    else
        _spd_lock_dir="${file}.lck"
        local _spd_try=0
        while ! mkdir "$_spd_lock_dir" 2>/dev/null; do
            local _spd_stale_pid=""
            _spd_stale_pid=$(cat "${_spd_lock_dir}/pid" 2>/dev/null) || true
            if [[ -n "$_spd_stale_pid" ]] && ! kill -0 "$_spd_stale_pid" 2>/dev/null; then
                rm -f "${_spd_lock_dir}/pid" 2>/dev/null || true
                rmdir "$_spd_lock_dir" 2>/dev/null || true
                continue
            fi
            if (( ++_spd_try >= 10 )); then log_warn "Could not acquire profile lock"; return 1; fi
            sleep 0.5
        done
        printf '%s' "$$" > "${_spd_lock_dir}/pid" 2>/dev/null || true
    fi

    local tmp_file
    tmp_file=$(mktemp "${TMP_DIR}/profile.XXXXXX")

    {
        printf "# TunnelForge Profile\n"
        printf "# Generated: %s\n\n" "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
        local _sv field
        for field in "${PROFILE_FIELDS[@]}"; do
            if [[ -n "${_data_ref[$field]+x}" ]]; then
                _sv="${_data_ref[$field]//$'\n'/}"
                _sv="${_sv//\'/\'\\\'\'}"
                printf "%s='%s'\n" "$field" "$_sv"
            fi
        done
    } > "$tmp_file"

    # Set permissions before mv so there's no window of insecure perms
    chmod 600 "$tmp_file" 2>/dev/null || true
    # mv fails across filesystems (/tmp → /opt), fall back to cp to same-dir temp then mv
    if ! { mv "$tmp_file" "$file" 2>/dev/null || \
           { cp "$tmp_file" "${file}.tmp.$$" 2>/dev/null && \
             mv "${file}.tmp.$$" "$file" 2>/dev/null && \
             rm -f "$tmp_file" 2>/dev/null; }; }; then
        rm -f "$tmp_file" "${file}.tmp.$$" 2>/dev/null
        log_error "Failed to save profile: ${file}"
        _spd_unlock
        return 1
    fi
    _spd_unlock
}

save_profile() {
    local name="$1"
    local -n _prof_ref="$2"
    _save_profile_data "$(_profile_path "$name")" _prof_ref || { log_error "Failed to save profile '${name}'"; return 1; }
    log_debug "Profile '${name}' saved"
}

delete_profile() {
    local name="$1"
    local profile_file
    profile_file=$(_profile_path "$name")

    if [[ ! -f "$profile_file" ]]; then
        log_error "Profile '${name}' not found"
        return 1
    fi

    # Stop tunnel if running
    if is_tunnel_running "$name"; then
        log_info "Stopping running tunnel '${name}'..."
        stop_tunnel "$name" || log_warn "Could not stop tunnel '${name}'"
    fi

    rm -f "$profile_file" 2>/dev/null || true
    rm -f "${PID_DIR}/${name}.pid"         2>/dev/null || true
    rm -f "${BW_HISTORY_DIR}/${name}.dat"  2>/dev/null || true
    rm -f "${RECONNECT_LOG_DIR}/${name}.log" 2>/dev/null || true
    log_success "Profile '${name}' deleted"
}

list_profiles() {
    [[ -d "$PROFILES_DIR" ]] || return 0
    local f _base
    for f in "${PROFILES_DIR}"/*.conf; do
        [[ -f "$f" ]] || continue
        # Extract profile name without forking basename
        _base="${f##*/}"      # strip directory
        _base="${_base%.conf}" # strip .conf extension
        printf '%s\n' "$_base"
    done
}

get_profile_field() {
    local name="$1" field="$2"
    local -A _gpf
    if load_profile "$name" _gpf; then
        echo "${_gpf[$field]:-}"
    else
        return 1
    fi
}

update_profile_field() {
    local name="$1" field="$2" value="$3"
    local -A _upf
    load_profile "$name" _upf || return 1
    _upf["$field"]="$value"
    save_profile "$name" _upf
}

# ============================================================================
# SSH COMMAND BUILDERS
# ============================================================================

_validate_jump_hosts() {
    local hosts="$1"
    [[ -z "$hosts" ]] && return 0
    if [[ ! "$hosts" =~ ^([a-zA-Z0-9._@:%-]+,)*[a-zA-Z0-9._@:%-]+$ ]]; then
        log_error "Invalid JUMP_HOSTS format: ${hosts}"
        return 1
    fi
    return 0
}

get_ssh_base_opts() {
    local -n _opts_profile="$1"
    local opts=()

    opts+=(-o "ConnectTimeout=$(config_get SSH_CONNECT_TIMEOUT 10)")
    opts+=(-o "ServerAliveInterval=$(config_get SSH_SERVER_ALIVE_INTERVAL 30)")
    opts+=(-o "ServerAliveCountMax=$(config_get SSH_SERVER_ALIVE_COUNT_MAX 3)")

    local strict
    strict=$(config_get SSH_STRICT_HOST_KEY "yes")
    opts+=(-o "StrictHostKeyChecking=${strict}")

    opts+=(-N)                                   # no remote command
    opts+=(-T)                                   # no pseudo-TTY
    opts+=(-o "ExitOnForwardFailure=yes")

    # Identity key
    local key="${_opts_profile[IDENTITY_KEY]:-}"
    if [[ -n "$key" ]] && [[ -f "$key" ]]; then opts+=(-i "$key"); fi

    # Port
    local _ssh_port="${_opts_profile[SSH_PORT]:-22}"
    if ! validate_port "$_ssh_port"; then
        log_error "Invalid SSH port: ${_ssh_port}"
        return 1
    fi
    opts+=(-p "$_ssh_port")

    # Extra SSH options (allowlist — only known-safe options accepted)
    local extra="${_opts_profile[SSH_OPTIONS]:-}"
    if [[ -n "$extra" ]]; then
        local -a _extra_arr
        read -ra _extra_arr <<< "$extra" || true
        local -a _validated_opts=()
        local _opt _opt_name _skip_next=false
        for _opt in "${_extra_arr[@]}"; do
            if [[ "$_skip_next" == true ]]; then
                _skip_next=false
                _opt_name="${_opt%%=*}"
                if ! printf '%s' "$_opt_name" | grep -qiE '^(Compression|TCPKeepAlive|IPQoS|RekeyLimit|Ciphers|MACs|KexAlgorithms|HostKeyAlgorithms|PubkeyAcceptedAlgorithms|PubkeyAcceptedKeyTypes|ConnectionAttempts|ConnectTimeout|NumberOfPasswordPrompts|PreferredAuthentications|AddressFamily|BatchMode|CheckHostIP|HashKnownHosts|NoHostAuthenticationForLocalhost|PasswordAuthentication|StrictHostKeyChecking|UpdateHostKeys|VerifyHostKeyDNS|VisualHostKey|LogLevel|ServerAliveInterval|ServerAliveCountMax|GSSAPIAuthentication|GSSAPIDelegateCredentials)$'; then
                    log_error "SSH option not in allowlist: ${_opt}"
                    return 1
                fi
                _validated_opts+=(-o "$_opt")
                continue
            fi
            if [[ "$_opt" == "-o" ]]; then
                _skip_next=true; continue
            fi
            _opt_name="${_opt%%=*}"
            if ! printf '%s' "$_opt_name" | grep -qiE '^(Compression|TCPKeepAlive|IPQoS|RekeyLimit|Ciphers|MACs|KexAlgorithms|HostKeyAlgorithms|PubkeyAcceptedAlgorithms|PubkeyAcceptedKeyTypes|ConnectionAttempts|ConnectTimeout|NumberOfPasswordPrompts|PreferredAuthentications|AddressFamily|BatchMode|CheckHostIP|HashKnownHosts|NoHostAuthenticationForLocalhost|PasswordAuthentication|StrictHostKeyChecking|UpdateHostKeys|VerifyHostKeyDNS|VisualHostKey|LogLevel|ServerAliveInterval|ServerAliveCountMax|GSSAPIAuthentication|GSSAPIDelegateCredentials)$'; then
                log_error "SSH option not in allowlist: ${_opt}"
                return 1
            fi
            _validated_opts+=(-o "$_opt")
        done
        if [[ "$_skip_next" == true ]]; then
            log_error "SSH option -o without value"
            return 1
        fi
        opts+=("${_validated_opts[@]}")
    fi

    # ControlMaster
    if [[ "$(config_get CONTROLMASTER_ENABLED false)" == "true" ]]; then
        opts+=(-o "ControlMaster=auto")
        opts+=(-o "ControlPath=${SSH_CONTROL_DIR}/%C")
        opts+=(-o "ControlPersist=$(config_get CONTROLMASTER_PERSIST 600)")
    fi

    printf '%s\n' "${opts[@]}"
}

# Wrap bare IPv6 addresses in brackets for SSH forwarding specs
_bracket_ipv6() {
    local addr="$1"
    if [[ "$addr" =~ : ]] && [[ "$addr" != \[* ]]; then
        printf '[%s]' "$addr"
    else
        printf '%s' "$addr"
    fi
}

_unbracket_ipv6() {
    local addr="$1"
    addr="${addr#\[}"
    addr="${addr%\]}"
    printf '%s' "$addr"
}

# ── Obfuscation-aware jump/proxy options builder ──
# Appends the correct jump/proxy flags based on OBFS_MODE.
# When OBFS_MODE=stunnel: uses ProxyCommand with openssl s_client.
# When no obfuscation: uses standard -J for jump hosts.
# Args: profile_nameref cmd_array_nameref
_build_obfs_proxy_or_jump() {
    local -n _ob_prof="$1"
    local -n _ob_cmd="$2"

    local _ob_mode="${_ob_prof[OBFS_MODE]:-none}"
    local _ob_port="${_ob_prof[OBFS_PORT]:-443}"
    local _ob_jump="${_ob_prof[JUMP_HOSTS]:-}"

    # Validate port is numeric to prevent injection in ProxyCommand
    if [[ -n "$_ob_port" ]] && ! [[ "$_ob_port" =~ ^[0-9]+$ ]]; then
        log_error "OBFS_PORT must be numeric"; return 1
    fi

    if [[ "$_ob_mode" == "stunnel" ]]; then
        if [[ -n "$_ob_jump" ]]; then
            # Jump host + stunnel: wrap the jump connection in TLS
            _validate_jump_hosts "$_ob_jump" || return 1
            # Parse first jump host: user@host:port
            local _jh="${_ob_jump%%,*}"
            local _juser="" _jhost="" _jport="22"
            if [[ "$_jh" == *@* ]]; then
                _juser="${_jh%%@*}"
                _jh="${_jh#*@}"
            fi
            if [[ "$_jh" == *:* ]]; then
                _jport="${_jh##*:}"
                _jhost="${_jh%%:*}"
            else
                _jhost="$_jh"
            fi
            # Validate parsed jump host/port to prevent ProxyCommand injection
            if ! [[ "$_jport" =~ ^[0-9]+$ ]]; then
                log_error "Jump host port must be numeric"; return 1
            fi
            if ! [[ "$_jhost" =~ ^[a-zA-Z0-9._:-]+$ ]]; then
                log_error "Jump host contains invalid characters"; return 1
            fi
            local _jdest="${_juser:+${_juser}@}${_jhost}"
            # Nested ProxyCommand: connect to jump via stunnel, then -W to target
            local _inner_pc="openssl s_client -connect ${_jhost}:${_ob_port} -quiet 2>/dev/null"
            _ob_cmd+=(-o "ProxyCommand=ssh -o 'ProxyCommand=${_inner_pc}' -p ${_jport} -W %h:%p ${_jdest}")
        else
            # Direct tunnel + stunnel: openssl s_client as ProxyCommand
            _ob_cmd+=(-o "ProxyCommand=openssl s_client -connect %h:${_ob_port} -quiet 2>/dev/null")
        fi
    else
        # No obfuscation: standard -J for jump hosts
        if [[ -n "$_ob_jump" ]]; then
            _validate_jump_hosts "$_ob_jump" || return 1
            _ob_cmd+=(-J "$_ob_jump")
        fi
    fi
    return 0
}

build_socks5_cmd() {
    local -n _s5="$1"
    local cmd=() base_opts _base_output
    _base_output=$(get_ssh_base_opts _s5) || return 1
    mapfile -t base_opts <<< "$_base_output"
    cmd+=(ssh "${base_opts[@]}")

    local bind
    bind=$(_bracket_ipv6 "${_s5[LOCAL_BIND_ADDR]:-127.0.0.1}")
    local port="${_s5[LOCAL_PORT]:-1080}"
    cmd+=(-D "${bind}:${port}")

    _build_obfs_proxy_or_jump _s5 cmd || return 1

    local user="${_s5[SSH_USER]:-$(config_get SSH_DEFAULT_USER root)}"
    local _ssh_dest
    _ssh_dest=$(_unbracket_ipv6 "${_s5[SSH_HOST]}")
    cmd+=("${user}@${_ssh_dest}")

    printf '%s\n' "${cmd[@]}"
}

build_local_forward_cmd() {
    local -n _lf="$1"
    local cmd=() base_opts _base_output
    _base_output=$(get_ssh_base_opts _lf) || return 1
    mapfile -t base_opts <<< "$_base_output"
    cmd+=(ssh "${base_opts[@]}")

    local bind rhost
    bind=$(_bracket_ipv6 "${_lf[LOCAL_BIND_ADDR]:-127.0.0.1}")
    rhost=$(_bracket_ipv6 "${_lf[REMOTE_HOST]}")
    cmd+=(-L "${bind}:${_lf[LOCAL_PORT]}:${rhost}:${_lf[REMOTE_PORT]}")

    _build_obfs_proxy_or_jump _lf cmd || return 1

    local user="${_lf[SSH_USER]:-$(config_get SSH_DEFAULT_USER root)}"
    local _ssh_dest
    _ssh_dest=$(_unbracket_ipv6 "${_lf[SSH_HOST]}")
    cmd+=("${user}@${_ssh_dest}")

    printf '%s\n' "${cmd[@]}"
}

build_remote_forward_cmd() {
    local -n _rf="$1"
    local cmd=() base_opts _base_output
    _base_output=$(get_ssh_base_opts _rf) || return 1
    mapfile -t base_opts <<< "$_base_output"
    cmd+=(ssh "${base_opts[@]}")

    local rhost rbind
    rhost=$(_bracket_ipv6 "${_rf[REMOTE_HOST]:-localhost}")
    rbind="${_rf[LOCAL_BIND_ADDR]:-}"
    if [[ -n "$rbind" ]]; then
        rbind=$(_bracket_ipv6 "$rbind")
        cmd+=(-R "${rbind}:${_rf[REMOTE_PORT]}:${rhost}:${_rf[LOCAL_PORT]}")
    else
        cmd+=(-R "${_rf[REMOTE_PORT]}:${rhost}:${_rf[LOCAL_PORT]}")
    fi

    _build_obfs_proxy_or_jump _rf cmd || return 1

    local user="${_rf[SSH_USER]:-$(config_get SSH_DEFAULT_USER root)}"
    local _ssh_dest
    _ssh_dest=$(_unbracket_ipv6 "${_rf[SSH_HOST]}")
    cmd+=("${user}@${_ssh_dest}")

    printf '%s\n' "${cmd[@]}"
}

build_tunnel_cmd() {
    local name="$1"
    local -A _bt
    load_profile "$name" _bt || return 1

    case "${_bt[TUNNEL_TYPE]:-socks5}" in
        socks5)  build_socks5_cmd         _bt ;;
        local)   build_local_forward_cmd  _bt ;;
        remote)  build_remote_forward_cmd _bt ;;
        jump)    # Legacy: dispatch based on whether remote target is set
                 if [[ -n "${_bt[REMOTE_HOST]:-}" ]] && [[ -n "${_bt[REMOTE_PORT]:-}" ]]; then
                     build_local_forward_cmd _bt
                 else
                     build_socks5_cmd _bt
                 fi ;;
        *)
            log_error "Unknown tunnel type: ${_bt[TUNNEL_TYPE]}"
            return 1 ;;
    esac
}

# ============================================================================
# TUNNEL LIFECYCLE
# ============================================================================

_pid_file() { echo "${PID_DIR}/${1}.pid"; }
_log_file() { echo "${LOG_DIR}/${1}.log"; }

is_tunnel_running() {
    local name="$1"
    local pid_file="${PID_DIR}/${name}.pid"
    [[ -f "$pid_file" ]] || return 1

    local pid=""
    read -r pid < "$pid_file" 2>/dev/null || true
    if [[ -z "$pid" ]] || ! kill -0 "$pid" 2>/dev/null; then
        return 1
    fi
    return 0
}

_clean_stale_pid() {
    local name="$1"
    local pid_file="${PID_DIR}/${name}.pid"
    [[ -f "$pid_file" ]] || return 0
    local pid=""
    read -r pid < "$pid_file" 2>/dev/null || true
    if [[ -z "$pid" ]] || ! kill -0 "$pid" 2>/dev/null; then
        rm -f "$pid_file" "${pid_file}.autossh" "${PID_DIR}/${name}.stunnel" \
             "${PID_DIR}/${name}.started" "${PID_DIR}/${name}.askpass" "${PID_DIR}/${name}.pass" 2>/dev/null
    fi
    return 0
}

get_tunnel_pid() {
    local pid_file="${PID_DIR}/${1}.pid"
    if [[ -f "$pid_file" ]]; then
        local _pid=""
        read -r _pid < "$pid_file" 2>/dev/null || true
        printf '%s' "$_pid"
    fi
    return 0
}

_record_reconnect() {
    local name="$1" reason="${2:-unknown}"
    printf "%s|%s\n" "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$reason" \
        >> "${RECONNECT_LOG_DIR}/${name}.log" 2>/dev/null || true
    _notify_reconnect "$name" "$reason"
    return 0
}

start_tunnel() {
    local name="$1"

    # Per-profile lock to prevent concurrent start/stop races
    local _st_lock_fd="" _st_lock_dir=""
    _st_unlock() {
        if [[ -n "${_st_lock_fd:-}" ]]; then exec {_st_lock_fd}>&- 2>/dev/null || true; fi
        if [[ -n "${_st_lock_dir:-}" ]]; then
            rm -f "${_st_lock_dir}/pid" 2>/dev/null || true
            rmdir "${_st_lock_dir}" 2>/dev/null || true
            _st_lock_dir=""
        fi
        rm -f "${PID_DIR}/${name}.lock" 2>/dev/null || true
    }
    if command -v flock &>/dev/null; then
        exec {_st_lock_fd}>"${PID_DIR}/${name}.lock" 2>/dev/null || { log_error "Could not open lock file for '${name}'"; return 1; }
        flock -w 10 "$_st_lock_fd" 2>/dev/null || { log_error "Could not acquire lock for '${name}'"; _st_unlock; return 1; }
    else
        _st_lock_dir="${PID_DIR}/${name}.lck"
        local _st_try=0
        while ! mkdir "$_st_lock_dir" 2>/dev/null; do
            local _st_stale_pid=""
            _st_stale_pid=$(cat "${_st_lock_dir}/pid" 2>/dev/null) || true
            if [[ -n "$_st_stale_pid" ]] && ! kill -0 "$_st_stale_pid" 2>/dev/null; then
                rm -f "${_st_lock_dir}/pid" 2>/dev/null || true
                rmdir "$_st_lock_dir" 2>/dev/null || true
                continue
            fi
            if (( ++_st_try >= 20 )); then log_error "Could not acquire lock for '${name}'"; _st_lock_dir=""; return 1; fi
            sleep 0.5
        done
        printf '%s' "$$" > "${_st_lock_dir}/pid" 2>/dev/null || true
    fi

    # Rotate logs if needed
    rotate_logs 2>/dev/null || true

    local profile_file
    profile_file=$(_profile_path "$name")
    if [[ ! -f "$profile_file" ]]; then
        log_error "Profile '${name}' not found"
        _st_unlock; return 1
    fi

    if is_tunnel_running "$name"; then
        log_warn "Tunnel '${name}' is already running (PID: $(get_tunnel_pid "$name"))"
        _st_unlock; return 2
    fi

    local -A _sp
    load_profile "$name" _sp || { _st_unlock; return 1; }

    local tunnel_type="${_sp[TUNNEL_TYPE]:-socks5}"
    local ssh_host="${_sp[SSH_HOST]}"
    local local_port="${_sp[LOCAL_PORT]:-}"
    local bind_addr="${_sp[LOCAL_BIND_ADDR]:-127.0.0.1}"

    # Force 127.0.0.1 binding when inbound TLS is active (stunnel wraps the port)
    if [[ -n "${_sp[OBFS_LOCAL_PORT]:-}" ]] && [[ "${_sp[OBFS_LOCAL_PORT]:-0}" != "0" ]]; then
        if [[ "$bind_addr" != "127.0.0.1" ]]; then
            log_info "Inbound TLS active — forcing bind to 127.0.0.1 (stunnel handles external access)"
            bind_addr="127.0.0.1"
            _sp[LOCAL_BIND_ADDR]="127.0.0.1"
        fi
    fi

    # Validate port numbers
    if [[ -n "$local_port" ]] && ! validate_port "$local_port"; then
        log_error "Invalid LOCAL_PORT '${local_port}' in profile '${name}'"
        _st_unlock; return 1
    fi
    if [[ -n "${_sp[REMOTE_PORT]:-}" ]] && ! validate_port "${_sp[REMOTE_PORT]}"; then
        log_error "Invalid REMOTE_PORT '${_sp[REMOTE_PORT]}' in profile '${name}'"
        _st_unlock; return 1
    fi

    if [[ -z "$ssh_host" ]]; then
        log_error "SSH host not configured for profile '${name}'"
        _st_unlock; return 1
    fi

    # Validate openssl is available for TLS obfuscation
    if [[ "${_sp[OBFS_MODE]:-none}" == "stunnel" ]]; then
        if ! command -v openssl &>/dev/null; then
            log_error "openssl required for TLS obfuscation but not found"
            _st_unlock; return 1
        fi
        log_debug "TLS obfuscation enabled (port ${_sp[OBFS_PORT]:-443})"
    fi

    # Validate required fields for forward tunnels
    if [[ "$tunnel_type" == "local" ]]; then
        if [[ -z "${_sp[REMOTE_HOST]:-}" ]] || [[ -z "${_sp[REMOTE_PORT]:-}" ]]; then
            log_error "Local forward requires REMOTE_HOST and REMOTE_PORT"
            _st_unlock; return 1
        fi
        if [[ -z "${_sp[LOCAL_PORT]:-}" ]]; then
            log_error "Local forward requires LOCAL_PORT"
            _st_unlock; return 1
        fi
    elif [[ "$tunnel_type" == "remote" ]]; then
        if [[ -z "${_sp[REMOTE_PORT]:-}" ]] || [[ -z "${_sp[LOCAL_PORT]:-}" ]]; then
            log_error "Remote forward requires REMOTE_PORT and LOCAL_PORT"
            _st_unlock; return 1
        fi
    fi

    # Check port collision (non-remote tunnels)
    if [[ "$tunnel_type" != "remote" ]] && [[ -n "$local_port" ]]; then
        if is_port_in_use "$local_port" "$bind_addr"; then
            log_error "Port ${local_port} is already in use"
            _st_unlock; return 1
        fi
    fi

    # Build SSH command
    local -a ssh_cmd
    local _build_output
    _build_output=$(build_tunnel_cmd "$name") || { log_error "Failed to build SSH command for '${name}'"; _st_unlock; return 1; }
    mapfile -t ssh_cmd <<< "$_build_output"
    if [[ ${#ssh_cmd[@]} -eq 0 ]]; then
        log_error "Failed to build SSH command for '${name}'"
        _st_unlock; return 1
    fi

    local tunnel_log tunnel_pid_file
    tunnel_log=$(_log_file "$name")
    tunnel_pid_file=$(_pid_file "$name")

    log_info "Starting tunnel '${name}' (${tunnel_type})..."
    log_debug "Command: ${ssh_cmd[*]}"

    # Password-based auth via sshpass or SSH_ASKPASS
    local _st_password="${_sp[SSH_PASSWORD]:-}"
    local _st_use_sshpass=false
    local _st_use_askpass=false
    local _st_saved_display="${DISPLAY:-}"
    local _st_had_display=false
    if [[ -n "${DISPLAY+x}" ]]; then _st_had_display=true; fi

    # Auth cleanup helper — unset env vars, restore DISPLAY, remove askpass files
    _st_cleanup_auth() {
        if [[ "${_st_use_sshpass:-}" == true ]]; then unset SSHPASS 2>/dev/null || true; fi
        if [[ "${_st_use_askpass:-}" == true ]]; then
            unset SSH_ASKPASS SSH_ASKPASS_REQUIRE 2>/dev/null || true
            if [[ "${_st_had_display:-}" == true ]]; then
                export DISPLAY="$_st_saved_display"
            else
                unset DISPLAY 2>/dev/null || true
            fi
            rm -f "${PID_DIR}/${name}.askpass" "${PID_DIR}/${name}.pass" 2>/dev/null || true
        fi
    }

    if [[ -n "$_st_password" ]]; then
        if [[ -n "${_sp[JUMP_HOSTS]:-}" ]]; then
            # Jump host tunnels need multiple password prompts.
            # sshpass only handles one, so use SSH_ASKPASS instead.
            local _askpass_file="${PID_DIR}/${name}.askpass"
            local _passfile="${PID_DIR}/${name}.pass"
            printf '%s\n' "$_st_password" > "$_passfile"
            chmod 600 "$_passfile"
            printf '#!/bin/bash\ncat "%s"\n' "$_passfile" > "$_askpass_file"
            chmod 700 "$_askpass_file"
            export DISPLAY="${DISPLAY:-:0}"
            export SSH_ASKPASS="$_askpass_file"
            export SSH_ASKPASS_REQUIRE="force"
            _st_use_askpass=true
        else
            if ! command -v sshpass &>/dev/null; then
                log_info "Installing sshpass for password authentication..."
                if [[ -n "${PKG_UPDATE:-}" ]]; then ${PKG_UPDATE} &>/dev/null || true; fi
                install_package "sshpass" || log_warn "Failed to install sshpass"
            fi
            if command -v sshpass &>/dev/null; then
                _st_use_sshpass=true
                export SSHPASS="$_st_password"
            else
                log_warn "sshpass unavailable — SSH will prompt for password interactively"
            fi
        fi
    fi

    local use_autossh="${_sp[AUTOSSH_ENABLED]:-$(config_get AUTOSSH_ENABLED true)}"

    # autossh cannot handle -J (ProxyJump) — it mangles the argument parsing.
    # Fall back to plain SSH for jump host tunnels.
    if [[ -n "${_sp[JUMP_HOSTS]:-}" ]] && [[ "$use_autossh" == "true" ]]; then
        log_debug "Jump host tunnel — skipping autossh (incompatible with -J)"
        use_autossh="false"
    fi

    if [[ "$use_autossh" == "true" ]] && command -v autossh &>/dev/null; then
        # ── AutoSSH mode ──
        local monitor_port="${_sp[AUTOSSH_MONITOR_PORT]:-$(config_get AUTOSSH_MONITOR_PORT 0)}"

        export AUTOSSH_PIDFILE="$tunnel_pid_file"
        export AUTOSSH_LOGFILE="$tunnel_log"
        export AUTOSSH_POLL="$(config_get AUTOSSH_POLL 30)"
        export AUTOSSH_GATETIME="$(config_get AUTOSSH_GATETIME 30)"
        export AUTOSSH_FIRST_POLL="$(config_get AUTOSSH_FIRST_POLL 30)"
        export AUTOSSH_LOGLEVEL="$(config_get AUTOSSH_LOG_LEVEL 1)"

        ssh_cmd[0]="autossh"
        local -a autossh_cmd=("${ssh_cmd[0]}" "-M" "$monitor_port" "${ssh_cmd[@]:1}")

        if [[ "$_st_use_sshpass" == true ]]; then
            local -a _sshpass_autossh=(sshpass -e "${autossh_cmd[@]}")
            "${_sshpass_autossh[@]}" >> "$tunnel_log" 2>&1 &
        else
            "${autossh_cmd[@]}" >> "$tunnel_log" 2>&1 &
        fi
        local bg_pid=$!
        disown "$bg_pid" 2>/dev/null || true
        # Always record autossh parent PID for reliable kill
        printf '%s\n' "$bg_pid" > "${tunnel_pid_file}.autossh" 2>/dev/null || true

        # Wait for autossh to write its PID (AUTOSSH_PIDFILE)
        local _as_wait
        for _as_wait in 1 2 3; do
            if [[ -f "$tunnel_pid_file" ]]; then break; fi
            sleep 1
        done
        # Fallback: if autossh didn't write PID, use background job PID
        if [[ ! -f "$tunnel_pid_file" ]]; then
            local _pid_tmp
            _pid_tmp=$(mktemp "${tunnel_pid_file}.XXXXXX") || {
                log_error "Cannot create PID temp file"
                unset AUTOSSH_PIDFILE AUTOSSH_LOGFILE AUTOSSH_POLL AUTOSSH_GATETIME AUTOSSH_FIRST_POLL AUTOSSH_LOGLEVEL
                _st_cleanup_auth; _st_unlock; return 1
            }
            printf '%s\n' "$bg_pid" > "$_pid_tmp" && mv -f "$_pid_tmp" "$tunnel_pid_file" || {
                rm -f "$_pid_tmp" 2>/dev/null
                log_error "Failed to write PID file for '${name}'"
                unset AUTOSSH_PIDFILE AUTOSSH_LOGFILE AUTOSSH_POLL AUTOSSH_GATETIME AUTOSSH_FIRST_POLL AUTOSSH_LOGLEVEL
                _st_cleanup_auth; _st_unlock; return 1
            }
        fi

        unset AUTOSSH_PIDFILE AUTOSSH_LOGFILE AUTOSSH_POLL
        unset AUTOSSH_GATETIME AUTOSSH_FIRST_POLL AUTOSSH_LOGLEVEL
    else
        # ── Plain SSH mode ──
        if [[ "$_st_use_sshpass" == true ]] || [[ "$_st_use_askpass" == true ]]; then
            # sshpass/askpass and ssh -f are incompatible (-f breaks pty).
            # Background the whole command ourselves instead.
            if [[ "$_st_use_sshpass" == true ]]; then
                sshpass -e "${ssh_cmd[@]}" >> "$tunnel_log" 2>&1 &
            else
                # </dev/null ensures SSH has no terminal on stdin
                "${ssh_cmd[@]}" </dev/null >> "$tunnel_log" 2>&1 &
            fi
            local bg_pid=$!
            disown "$bg_pid" 2>/dev/null || true

            # Wait for SSH to authenticate and establish the tunnel
            sleep 3
            if ! kill -0 "$bg_pid" 2>/dev/null; then
                log_error "SSH connection failed for '${name}'"
                _st_cleanup_auth; _st_unlock; return 1
            fi
        else
            # Use -f so SSH authenticates in foreground (password prompt works)
            # then forks to background after successful auth
            local _ssh_rc=0
            "${ssh_cmd[@]}" -f >> "$tunnel_log" 2>&1 </dev/tty || _ssh_rc=$?

            if (( _ssh_rc != 0 )); then
                log_error "SSH connection failed for '${name}'"
                _st_unlock; return 1
            fi

            # Jump tunnels with multi-hop take longer to bind the listening port
            local _max_tries=3
            if [[ -n "${_sp[JUMP_HOSTS]:-}" ]]; then
                _max_tries=8
                sleep 2
            else
                sleep 1
            fi

            local bg_pid="" _try
            for (( _try=1; _try<=_max_tries; _try++ )); do
                # Try lsof on the local port first (works for socks5 + local forward)
                if [[ -n "$local_port" ]] && [[ -z "$bg_pid" ]]; then
                    bg_pid=$(lsof -ti:"${local_port}" -sTCP:LISTEN 2>/dev/null | head -1) || true
                fi
                # Fallback: search for the SSH process by command line
                if [[ -z "$bg_pid" ]]; then
                    bg_pid=$(pgrep -n -f "ssh.*-[DJ].*${ssh_host}" 2>/dev/null) || true
                fi
                if [[ -z "$bg_pid" ]]; then
                    bg_pid=$(pgrep -n -f "ssh.*${ssh_host}" 2>/dev/null) || true
                fi
                [[ -n "$bg_pid" ]] && break
                sleep 1
            done

            if [[ -z "$bg_pid" ]]; then
                log_error "Could not find SSH process for '${name}'"
                _st_cleanup_auth; _st_unlock; return 1
            fi
        fi

        local _pid_tmp
        _pid_tmp=$(mktemp "${tunnel_pid_file}.XXXXXX") || { log_error "Cannot create PID temp file"; _st_cleanup_auth; _st_unlock; return 1; }
        printf '%s\n' "$bg_pid" > "$_pid_tmp" && mv -f "$_pid_tmp" "$tunnel_pid_file" || {
            rm -f "$_pid_tmp" 2>/dev/null
            log_error "Failed to write PID file for '${name}'"
            _st_cleanup_auth; _st_unlock; return 1
        }
    fi

    # Clean up auth env vars + restore DISPLAY (keep askpass files for autossh reconnection)
    if [[ "$_st_use_sshpass" == true ]]; then unset SSHPASS 2>/dev/null || true; fi
    if [[ "$_st_use_askpass" == true ]]; then
        unset SSH_ASKPASS SSH_ASKPASS_REQUIRE 2>/dev/null || true
        if [[ "$_st_had_display" == true ]]; then
            export DISPLAY="$_st_saved_display"
        else
            unset DISPLAY 2>/dev/null || true
        fi
    fi

    sleep 1
    if is_tunnel_running "$name"; then
        local pid
        pid=$(get_tunnel_pid "$name")
        # Write startup timestamp for reliable uptime tracking
        date +%s > "${PID_DIR}/${name}.started" 2>/dev/null || true
        log_success "Tunnel '${name}' started (PID: ${pid})"
        log_file "info" "Tunnel '${name}' started (PID: ${pid}, type: ${tunnel_type})" || true
        _notify_tunnel_start "$name" "$tunnel_type" "$pid" || true

        # Enable security features if configured
        if [[ "${_sp[DNS_LEAK_PROTECTION]:-}" == "true" ]]; then
            log_info "Enabling DNS leak protection..."
            if ! enable_dns_leak_protection; then
                log_warn "DNS leak protection FAILED — tunnel running WITHOUT DNS protection"
            fi
        fi
        if [[ "${_sp[KILL_SWITCH]:-}" == "true" ]]; then
            log_info "Enabling kill switch..."
            if ! enable_kill_switch "$name"; then
                log_warn "Kill switch FAILED — tunnel running WITHOUT kill switch"
            fi
        fi

        # Start local stunnel for inbound TLS+PSK if configured
        if [[ -n "${_sp[OBFS_LOCAL_PORT]:-}" ]] && [[ "${_sp[OBFS_LOCAL_PORT]:-0}" != "0" ]]; then
            log_info "Starting inbound TLS wrapper (stunnel + PSK)..."
            if _obfs_start_local_stunnel "$name" _sp; then
                _obfs_show_client_config "$name" _sp
            else
                log_warn "Inbound TLS wrapper failed — tunnel running WITHOUT inbound protection"
            fi
        fi
        _st_unlock; return 0
    else
        log_error "Tunnel '${name}' failed to start"
        log_info  "Check logs: ${tunnel_log}"
        _notify_tunnel_fail "$name" || true
        _st_cleanup_auth
        rm -f "$tunnel_pid_file" 2>/dev/null || true
        _st_unlock; return 1
    fi
}

stop_tunnel() {
    local name="$1"

    # Per-profile lock to prevent concurrent start/stop races
    local _stp_lock_fd="" _stp_lock_dir=""
    _stp_unlock() {
        if [[ -n "${_stp_lock_fd:-}" ]]; then exec {_stp_lock_fd}>&- 2>/dev/null || true; fi
        if [[ -n "${_stp_lock_dir:-}" ]]; then
            rm -f "${_stp_lock_dir}/pid" 2>/dev/null || true
            rmdir "${_stp_lock_dir}" 2>/dev/null || true
            _stp_lock_dir=""
        fi
        rm -f "${PID_DIR}/${name}.lock" 2>/dev/null || true
    }
    if command -v flock &>/dev/null; then
        exec {_stp_lock_fd}>"${PID_DIR}/${name}.lock" 2>/dev/null || { log_error "Could not open lock file for '${name}'"; return 1; }
        flock -w 10 "$_stp_lock_fd" 2>/dev/null || { log_error "Could not acquire lock for '${name}'"; _stp_unlock; return 1; }
    else
        _stp_lock_dir="${PID_DIR}/${name}.lck"
        local _stp_try=0
        while ! mkdir "$_stp_lock_dir" 2>/dev/null; do
            local _stp_stale_pid=""
            _stp_stale_pid=$(cat "${_stp_lock_dir}/pid" 2>/dev/null) || true
            if [[ -n "$_stp_stale_pid" ]] && ! kill -0 "$_stp_stale_pid" 2>/dev/null; then
                rm -f "${_stp_lock_dir}/pid" 2>/dev/null || true
                rmdir "$_stp_lock_dir" 2>/dev/null || true
                continue
            fi
            if (( ++_stp_try >= 20 )); then log_error "Could not acquire lock for '${name}'"; return 1; fi
            sleep 0.5
        done
        printf '%s' "$$" > "${_stp_lock_dir}/pid" 2>/dev/null || true
    fi

    if ! is_tunnel_running "$name"; then
        log_warn "Tunnel '${name}' is not running"
        # Still clean up stale PID and security features
        _clean_stale_pid "$name"
        local -A _stp_stale
        if load_profile "$name" _stp_stale 2>/dev/null; then
            if [[ "${_stp_stale[KILL_SWITCH]:-}" == "true" ]]; then
                disable_kill_switch "$name" || log_warn "Kill switch disable failed for stale tunnel"
            fi
            if [[ "${_stp_stale[DNS_LEAK_PROTECTION]:-}" == "true" ]]; then
                disable_dns_leak_protection || log_warn "DNS leak protection disable failed for stale tunnel"
            fi
        fi
        _stp_unlock; return 0
    fi

    local tunnel_pid tunnel_pid_file
    tunnel_pid=$(get_tunnel_pid "$name")
    tunnel_pid_file=$(_pid_file "$name")

    log_info "Stopping tunnel '${name}' (PID: ${tunnel_pid})..."

    # Load profile for security cleanup
    local -A _stp
    load_profile "$name" _stp 2>/dev/null || true

    if [[ "${_stp[KILL_SWITCH]:-}" == "true" ]]; then
        log_info "Disabling kill switch..."
        disable_kill_switch "$name" || log_warn "Kill switch disable failed"
    fi
    if [[ "${_stp[DNS_LEAK_PROTECTION]:-}" == "true" ]]; then
        log_info "Disabling DNS leak protection..."
        disable_dns_leak_protection || log_warn "DNS leak protection disable failed"
    fi

    # Stop local stunnel (inbound TLS+PSK) if running
    _obfs_stop_local_stunnel "$name" || true

    # Kill autossh parent first (if present) — it handles SSH child cleanup
    local _autossh_parent_file="${tunnel_pid_file}.autossh"
    if [[ -f "$_autossh_parent_file" ]]; then
        local _as_parent_pid=""
        read -r _as_parent_pid < "$_autossh_parent_file" 2>/dev/null || true
        if [[ -n "$_as_parent_pid" ]] && kill -0 "$_as_parent_pid" 2>/dev/null; then
            kill "$_as_parent_pid" 2>/dev/null || true
        fi
        rm -f "$_autossh_parent_file" 2>/dev/null || true
    fi

    # Graceful SIGTERM → wait → SIGKILL
    kill "$tunnel_pid" 2>/dev/null || true
    local waited=0
    while (( waited < 5 )) && kill -0 "$tunnel_pid" 2>/dev/null; do
        sleep 1; ((++waited))
    done
    if kill -0 "$tunnel_pid" 2>/dev/null; then
        log_warn "Force killing tunnel '${name}'..."
        kill -9 "$tunnel_pid" 2>/dev/null || true
        sleep 1
    fi

    # Clean up SSH control sockets (stale sockets from %C hash naming)
    # Use timeout to prevent hanging if remote host is unreachable
    find "${SSH_CONTROL_DIR}" -maxdepth 1 -type s ! -name '.' -exec \
        sh -c 'timeout 3 ssh -O check -o "ControlPath=$1" dummy 2>/dev/null || rm -f "$1"' _ {} \; 2>/dev/null || true

    if ! kill -0 "$tunnel_pid" 2>/dev/null; then
        rm -f "$tunnel_pid_file" "${tunnel_pid_file}.autossh" "${PID_DIR}/${name}.stunnel" \
             "${PID_DIR}/${name}.started" "${PID_DIR}/${name}.askpass" "${PID_DIR}/${name}.pass" 2>/dev/null || true
        unset '_SSH_PID_CACHE[$name]' 2>/dev/null || true
        log_success "Tunnel '${name}' stopped"
        log_file "info" "Tunnel '${name}' stopped" || true
        _notify_tunnel_stop "$name" || true
        _stp_unlock; return 0
    else
        log_error "Failed to stop tunnel '${name}'"
        _stp_unlock; return 1
    fi
}

restart_tunnel() {
    local name="$1"

    # Hold a restart lock across the entire stop+start sequence
    # to prevent another process from starting during the gap
    local _rt_lock_fd="" _rt_lock_dir=""
    _rt_unlock() {
        if [[ -n "${_rt_lock_fd:-}" ]]; then exec {_rt_lock_fd}>&- 2>/dev/null || true; fi
        if [[ -n "${_rt_lock_dir:-}" ]]; then
            rm -f "${_rt_lock_dir}/pid" 2>/dev/null || true
            rmdir "${_rt_lock_dir}" 2>/dev/null || true
            _rt_lock_dir=""
        fi
        rm -f "${PID_DIR}/${name}.restart.lock" 2>/dev/null || true
    }
    if command -v flock &>/dev/null; then
        exec {_rt_lock_fd}>"${PID_DIR}/${name}.restart.lock" 2>/dev/null || { log_error "Could not open restart lock file for '${name}'"; return 1; }
        flock -w 10 "$_rt_lock_fd" 2>/dev/null || { log_error "Could not acquire restart lock for '${name}'"; _rt_unlock; return 1; }
    else
        _rt_lock_dir="${PID_DIR}/${name}.restart.lck"
        local _rt_try=0
        while ! mkdir "$_rt_lock_dir" 2>/dev/null; do
            local _rt_stale_pid=""
            _rt_stale_pid=$(cat "${_rt_lock_dir}/pid" 2>/dev/null) || true
            if [[ -n "$_rt_stale_pid" ]] && ! kill -0 "$_rt_stale_pid" 2>/dev/null; then
                rm -f "${_rt_lock_dir}/pid" 2>/dev/null || true
                rmdir "$_rt_lock_dir" 2>/dev/null || true
                continue
            fi
            if (( ++_rt_try >= 20 )); then log_error "Could not acquire restart lock for '${name}'"; return 1; fi
            sleep 0.5
        done
        printf '%s' "$$" > "${_rt_lock_dir}/pid" 2>/dev/null || true
    fi

    log_info "Restarting tunnel '${name}'..."
    _record_reconnect "$name" "manual_restart"
    stop_tunnel "$name" || true
    sleep 1
    start_tunnel "$name" || { log_error "Failed to restart tunnel '${name}'"; _rt_unlock; return 1; }
    _rt_unlock
}

start_all_tunnels() {
    local started=0 failed=0 name
    while IFS= read -r name; do
        [[ -z "$name" ]] && continue
        local autostart
        autostart=$(get_profile_field "$name" "AUTOSTART") || true
        if [[ "$autostart" == "true" ]]; then
            local _st_rc=0
            start_tunnel "$name" || _st_rc=$?
            if (( _st_rc == 0 )); then
                ((++started))
            elif (( _st_rc == 2 )); then
                : # already running — skip counting
            else
                ((++failed))
            fi
        fi
    done < <(list_profiles)
    log_info "Started ${started} tunnel(s), ${failed} failed"
    if (( failed > 0 )); then return 1; fi
    return 0
}

stop_all_tunnels() {
    local stopped=0 failed=0 name
    while IFS= read -r name; do
        [[ -z "$name" ]] && continue
        if is_tunnel_running "$name"; then
            if stop_tunnel "$name"; then
                ((++stopped))
            else
                ((++failed))
            fi
        fi
    done < <(list_profiles)
    if (( failed > 0 )); then
        log_info "Stopped ${stopped} tunnel(s), ${failed} failed"
        return 1
    else
        log_info "Stopped ${stopped} tunnel(s)"
    fi
    return 0
}

# ── Traffic & uptime helpers ──

get_tunnel_uptime() {
    local name="$1"
    local pid
    pid=$(get_tunnel_pid "$name")
    [[ -z "$pid" ]] && { echo 0; return 0; }
    kill -0 "$pid" 2>/dev/null || { echo 0; return 0; }

    local _now
    printf -v _now '%(%s)T' -1

    # Primary: startup timestamp file (most reliable, survives across invocations)
    local _started_file="${PID_DIR}/${name}.started"
    if [[ -f "$_started_file" ]]; then
        local _st_epoch=""
        read -r _st_epoch < "$_started_file" 2>/dev/null || true
        if [[ "$_st_epoch" =~ ^[0-9]+$ ]]; then
            echo $(( _now - _st_epoch ))
            return 0
        fi
    fi

    # Fallback 1: /proc/PID/stat (Linux only, pure bash — no awk forks)
    if [[ -f "/proc/${pid}/stat" ]]; then
        local _stat_line=""
        read -r _stat_line < "/proc/${pid}/stat" 2>/dev/null || true
        # Field 22 is starttime (in clock ticks). Fields are space-delimited
        # but field 2 (comm) can contain spaces in parens. Strip it first.
        _stat_line="${_stat_line#*(}"   # remove up to first (
        _stat_line="${_stat_line#*) }"  # remove up to ") "
        # Now field 1=state, ... field 20=starttime (22 - 2 comm fields)
        local -a _sf
        read -ra _sf <<< "$_stat_line"
        local start_ticks="${_sf[19]:-}"
        local clk_tck
        clk_tck=$(getconf CLK_TCK 2>/dev/null || echo 100)
        [[ "$clk_tck" =~ ^[0-9]+$ ]] || clk_tck=100

        local boot_time=""
        local _bkey _bval
        while read -r _bkey _bval; do
            [[ "$_bkey" == "btime" ]] && { boot_time="$_bval"; break; }
        done < /proc/stat 2>/dev/null

        if [[ "$start_ticks" =~ ^[0-9]+$ ]] && [[ "$boot_time" =~ ^[0-9]+$ ]]; then
            local start_sec=$(( boot_time + start_ticks / clk_tck ))
            echo $(( _now - start_sec ))
            return 0
        fi
    fi

    # Fallback 2: PID file mtime
    local pf="${PID_DIR}/${name}.pid"
    if [[ -f "$pf" ]]; then
        local ft
        ft=$(stat -c %Y "$pf" 2>/dev/null || stat -f %m "$pf" 2>/dev/null) || true
        if [[ -n "$ft" ]]; then
            echo $(( _now - ft )); return 0
        fi
    fi
    echo 0; return 0
}

# Cache: tunnel name → resolved SSH child PID (avoids re-walking tree every frame)
declare -gA _SSH_PID_CACHE=()

get_tunnel_traffic() {
    local _name="$1"
    local pid
    pid=$(get_tunnel_pid "$_name")
    if [[ -z "$pid" ]] || [[ ! -d "/proc/${pid}" ]]; then
        unset '_SSH_PID_CACHE[$_name]' 2>/dev/null || true
        echo "0 0"; return 0
    fi

    # Check cached SSH child PID first
    local _target="${_SSH_PID_CACHE[$_name]:-}"
    if [[ -n "$_target" ]] && [[ -d "/proc/${_target}" ]]; then
        # Cache hit — verify it's still alive
        :
    else
        # Walk process tree to find actual ssh process (autossh/sshpass are wrappers)
        # Uses /proc/PID/task/*/children (no fork) instead of pgrep -P
        _target="$pid"
        local _try _comm=""
        for _try in 1 2 3; do
            _comm=""
            read -r _comm < "/proc/${_target}/comm" 2>/dev/null || true
            [[ "$_comm" == "ssh" ]] && break
            # Read first child PID from /proc without forking pgrep
            local _next=""
            if [[ -f "/proc/${_target}/task/${_target}/children" ]]; then
                read -r _next _ < "/proc/${_target}/task/${_target}/children" 2>/dev/null || true
            fi
            [[ -z "$_next" ]] && break
            _target="$_next"
        done
        _SSH_PID_CACHE["$_name"]="$_target"
    fi

    if [[ ! -f "/proc/${_target}/io" ]]; then
        echo "0 0"; return 0
    fi
    # Read rchar/wchar with a single while-read loop (no awk forks)
    local _key _val rchar=0 wchar=0
    while read -r _key _val; do
        case "$_key" in
            rchar:) rchar="$_val" ;;
            wchar:) wchar="$_val"; break ;;  # wchar comes after rchar, stop early
        esac
    done < "/proc/${_target}/io" 2>/dev/null
    echo "${rchar} ${wchar}"
}

# Count ESTABLISHED connections on a port from ss data (pure bash, no grep fork)
# Usage: _count_port_conns PORT [ss_data_var]
_count_port_conns() {
    local _cpc_port="$1" _cpc_data="${2:-${_DASH_SS_CACHE:-}}"
    if [[ -z "$_cpc_data" ]]; then
        _cpc_data=$(ss -tn 2>/dev/null) || true
    fi
    local _cpc_count=0 _cpc_line
    while IFS= read -r _cpc_line; do
        [[ "$_cpc_line" == *ESTAB* ]] || continue
        [[ "$_cpc_line" == *":${_cpc_port} "* ]] || [[ "$_cpc_line" == *":${_cpc_port}	"* ]] || continue
        (( ++_cpc_count )) || true
    done <<< "$_cpc_data"
    echo "$_cpc_count"
}

get_tunnel_connections() {
    local name="$1"
    local -A _cc
    load_profile "$name" _cc 2>/dev/null || { echo 0; return 0; }
    local port="${_cc[LOCAL_PORT]:-}"
    [[ -z "$port" ]] && { echo 0; return 0; }
    [[ "$port" =~ ^[0-9]+$ ]] || { echo 0; return 0; }

    # When inbound TLS is active, count only the stunnel port
    local _olp="${_cc[OBFS_LOCAL_PORT]:-0}"
    if [[ "$_olp" =~ ^[0-9]+$ ]] && (( _olp > 0 )); then
        _count_port_conns "$_olp"
    else
        _count_port_conns "$port"
    fi
}

# ============================================================================
# SECURITY FEATURES  (Phase 4)
# ============================================================================

readonly _RESOLV_CONF="/etc/resolv.conf"
readonly _RESOLV_BACKUP="${BACKUP_DIR}/resolv.conf.bak"
readonly _IPTABLES_BACKUP_DIR="${BACKUP_DIR}/iptables"
readonly _TF_CHAIN="TUNNELFORGE"

# ── DNS Leak Protection ──
# Forces DNS through specified servers by rewriting /etc/resolv.conf

enable_dns_leak_protection() {
    if [[ $EUID -ne 0 ]]; then
        log_error "DNS leak protection requires root privileges"
        return 1
    fi

    mkdir -p "$BACKUP_DIR" 2>/dev/null || true

    # Backup current resolv.conf if not already backed up
    if [[ ! -f "$_RESOLV_BACKUP" ]] && [[ -f "$_RESOLV_CONF" ]]; then
        if ! cp "$_RESOLV_CONF" "$_RESOLV_BACKUP" 2>/dev/null; then
            log_error "Failed to backup resolv.conf"
            return 1
        fi
        log_debug "Backed up resolv.conf"
    fi

    # Remove immutable flag if set from previous run
    if command -v chattr &>/dev/null; then
        chattr -i "$_RESOLV_CONF" 2>/dev/null || true
    fi

    # Write new resolv.conf with secure DNS
    local dns1 dns2 _dns_val
    dns1=$(config_get DNS_SERVER_1 "1.1.1.1")
    dns2=$(config_get DNS_SERVER_2 "1.0.0.1")

    # Validate DNS server values are valid IPv4 or IPv6 addresses
    local _dns_ip_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
    local _dns_ip6_re='^[0-9a-fA-F]*:[0-9a-fA-F:]*$'
    for _dns_val in "$dns1" "$dns2"; do
        if ! [[ "$_dns_val" =~ $_dns_ip_re ]] && ! [[ "$_dns_val" =~ $_dns_ip6_re ]]; then
            log_error "Invalid DNS server address: ${_dns_val}"
            return 1
        fi
    done

    # Abort if resolv.conf is a symlink (systemd-resolved, etc.)
    if [[ -L "$_RESOLV_CONF" ]]; then
        log_error "resolv.conf is a symlink ($(readlink "$_RESOLV_CONF" 2>/dev/null || true)) — cannot safely rewrite; disable systemd-resolved first"
        return 1
    fi

    # Atomic write via temp file + mv
    local _resolv_tmp
    _resolv_tmp=$(mktemp "${_RESOLV_CONF}.tf_tmp.XXXXXX") || { log_error "Failed to create temp file"; return 1; }
    {
        printf "# TunnelForge DNS Leak Protection — do not edit\n"
        printf "# Original backed up to: %s\n" "$_RESOLV_BACKUP"
        printf "nameserver %s\n" "$dns1"
        printf "nameserver %s\n" "$dns2"
        printf "options edns0\n"
    } > "$_resolv_tmp" 2>/dev/null || {
        log_error "Failed to write resolv.conf temp file"
        rm -f "$_resolv_tmp" 2>/dev/null
        return 1
    }
    if ! mv -f "$_resolv_tmp" "$_RESOLV_CONF" 2>/dev/null; then
        log_error "Failed to install resolv.conf (mv failed)"
        rm -f "$_resolv_tmp" 2>/dev/null
        return 1
    fi

    # Make immutable to prevent overwriting by system services
    if command -v chattr &>/dev/null; then
        if ! chattr +i "$_RESOLV_CONF" 2>/dev/null; then
            log_warn "Could not make resolv.conf immutable (chattr +i failed)"
        fi
    fi

    log_success "DNS leak protection enabled (${dns1}, ${dns2})"
    return 0
}

disable_dns_leak_protection() {
    if [[ $EUID -ne 0 ]]; then
        log_error "DNS leak protection requires root privileges"
        return 1
    fi

    # Remove immutable flag
    if command -v chattr &>/dev/null; then
        chattr -i "$_RESOLV_CONF" 2>/dev/null || true
    fi

    # Restore backup (atomic: copy to temp then mv)
    if [[ -f "$_RESOLV_BACKUP" ]]; then
        local _restore_tmp
        _restore_tmp=$(mktemp "${_RESOLV_CONF}.tf_restore.XXXXXX") || { log_error "Failed to create temp file"; return 1; }
        if ! cp "$_RESOLV_BACKUP" "$_restore_tmp" 2>/dev/null; then
            log_error "Failed to copy resolv.conf backup to temp file"
            rm -f "$_restore_tmp" 2>/dev/null
            return 1
        fi
        if ! mv -f "$_restore_tmp" "$_RESOLV_CONF" 2>/dev/null; then
            log_error "Failed to restore resolv.conf (mv failed)"
            rm -f "$_restore_tmp" 2>/dev/null
            return 1
        fi
        rm -f "$_RESOLV_BACKUP" 2>/dev/null
        log_success "DNS leak protection disabled (resolv.conf restored)"
    else
        log_warn "No resolv.conf backup found; writing sane defaults"
        local _defaults_tmp
        _defaults_tmp=$(mktemp "${_RESOLV_CONF}.tf_defaults.XXXXXX") || { log_error "Failed to create temp file"; return 1; }
        if ! { printf "nameserver 8.8.8.8\n"; printf "nameserver 8.8.4.4\n"; } > "$_defaults_tmp" 2>/dev/null; then
            log_error "Failed to write sane defaults to temp file"
            rm -f "$_defaults_tmp" 2>/dev/null
            return 1
        fi
        if ! mv -f "$_defaults_tmp" "$_RESOLV_CONF" 2>/dev/null; then
            log_error "Failed to apply sane defaults (mv failed)"
            rm -f "$_defaults_tmp" 2>/dev/null
            return 1
        fi
    fi
    return 0
}

is_dns_leak_protected() {
    if [[ -f "$_RESOLV_CONF" ]] && grep -qF "TunnelForge DNS" "$_RESOLV_CONF" 2>/dev/null; then
        return 0
    fi
    return 1
}

# ── Kill Switch (iptables firewall) ──
# Blocks all non-tunnel traffic to prevent data leaks if tunnel drops

enable_kill_switch() {
    local name="$1"

    if [[ $EUID -ne 0 ]]; then
        log_error "Kill switch requires root privileges"
        return 1
    fi
    if ! command -v iptables &>/dev/null; then
        log_error "iptables is required for kill switch"
        return 1
    fi

    local _has_ip6tables=false
    if command -v ip6tables &>/dev/null; then _has_ip6tables=true; fi

    local -A _ks_prof
    load_profile "$name" _ks_prof 2>/dev/null || {
        log_error "Cannot load profile '${name}' for kill switch"
        return 1
    }

    local ssh_host="${_ks_prof[SSH_HOST]:-}"
    local ssh_port="${_ks_prof[SSH_PORT]:-22}"

    if [[ -z "$ssh_host" ]]; then
        log_error "No SSH host configured for kill switch"
        return 1
    fi

    # Resolve hostname to IPv4 and IPv6 (with fallback chain for portability)
    local ssh_ip ssh_ip6=""
    ssh_ip=$(getent ahostsv4 "$ssh_host" 2>/dev/null | awk '{print $1; exit}') || true
    if [[ -z "$ssh_ip" ]]; then
        ssh_ip=$(dig +short A "$ssh_host" 2>/dev/null | head -1) || true
    fi
    if [[ -z "$ssh_ip" ]]; then
        ssh_ip=$(host "$ssh_host" 2>/dev/null | awk '/has address/{print $NF; exit}') || true
    fi
    if [[ -z "$ssh_ip" ]]; then
        ssh_ip=$(nslookup "$ssh_host" 2>/dev/null \
            | awk '/^Address/ && !/127\.0\.0/ && NR>2 {print $NF; exit}') || true
    fi
    if [[ -z "$ssh_ip" ]]; then
        ssh_ip="$ssh_host"  # Assume already an IP
    fi
    if ! validate_ip "$ssh_ip" && ! validate_ip6 "$ssh_ip"; then
        log_error "Could not resolve SSH host '${ssh_host}' to a valid IP — kill switch aborted"
        return 1
    fi
    if [[ "$_has_ip6tables" == true ]]; then
        ssh_ip6=$(getent ahostsv6 "$ssh_host" 2>/dev/null | awk '{print $1; exit}') || true
    fi

    mkdir -p "$_IPTABLES_BACKUP_DIR" 2>/dev/null || true

    # Create chain if it doesn't exist
    iptables -N "$_TF_CHAIN" 2>/dev/null || true
    if [[ "$_has_ip6tables" == true ]]; then
        ip6tables -N "$_TF_CHAIN" 2>/dev/null || true
    fi

    # Check if chain already has rules (multi-tunnel support)
    if iptables -S "$_TF_CHAIN" 2>/dev/null | grep -q -- "-j DROP"; then
        # Chain active — remove old DROP, add this tunnel's SSH host, re-add DROP
        iptables -D "$_TF_CHAIN" -j DROP 2>/dev/null || true
        iptables -A "$_TF_CHAIN" -d "$ssh_ip" -p tcp --dport "$ssh_port" -m comment --comment "tf:${name}" -j ACCEPT 2>/dev/null || true
        iptables -A "$_TF_CHAIN" -j DROP 2>/dev/null || true
        if [[ "$_has_ip6tables" == true ]]; then
            ip6tables -D "$_TF_CHAIN" -j DROP 2>/dev/null || true
            if [[ -n "$ssh_ip6" ]]; then
                ip6tables -A "$_TF_CHAIN" -d "$ssh_ip6" -p tcp --dport "$ssh_port" -m comment --comment "tf:${name}" -j ACCEPT 2>/dev/null || true
            fi
            ip6tables -A "$_TF_CHAIN" -j DROP 2>/dev/null || true
        fi
    else
        # Fresh chain — build with all standard rules
        iptables -F "$_TF_CHAIN" 2>/dev/null || true
        # Allow loopback
        iptables -A "$_TF_CHAIN" -o lo -j ACCEPT 2>/dev/null || true
        # Allow established/related
        iptables -A "$_TF_CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
        # Allow SSH to tunnel server
        iptables -A "$_TF_CHAIN" -d "$ssh_ip" -p tcp --dport "$ssh_port" -m comment --comment "tf:${name}" -j ACCEPT 2>/dev/null || true
        # Allow local DNS
        iptables -A "$_TF_CHAIN" -d 127.0.0.0/8 -p udp --dport 53 -j ACCEPT 2>/dev/null || true
        iptables -A "$_TF_CHAIN" -d 127.0.0.0/8 -p tcp --dport 53 -j ACCEPT 2>/dev/null || true
        # Allow configured DNS servers (for DNS leak protection compatibility)
        local _dns1 _dns2
        _dns1=$(config_get DNS_SERVER_1 "1.1.1.1")
        _dns2=$(config_get DNS_SERVER_2 "1.0.0.1")
        if validate_ip "$_dns1" || validate_ip6 "$_dns1"; then
            iptables -A "$_TF_CHAIN" -d "$_dns1" -p udp --dport 53 -j ACCEPT 2>/dev/null || true
            iptables -A "$_TF_CHAIN" -d "$_dns1" -p tcp --dport 53 -j ACCEPT 2>/dev/null || true
        fi
        if validate_ip "$_dns2" || validate_ip6 "$_dns2"; then
            iptables -A "$_TF_CHAIN" -d "$_dns2" -p udp --dport 53 -j ACCEPT 2>/dev/null || true
            iptables -A "$_TF_CHAIN" -d "$_dns2" -p tcp --dport 53 -j ACCEPT 2>/dev/null || true
        fi
        # Allow DHCP
        iptables -A "$_TF_CHAIN" -p udp --dport 67:68 -j ACCEPT 2>/dev/null || true
        # Drop everything else
        iptables -A "$_TF_CHAIN" -j DROP 2>/dev/null || true

        # IPv6 mirror
        if [[ "$_has_ip6tables" == true ]]; then
            ip6tables -F "$_TF_CHAIN" 2>/dev/null || true
            ip6tables -A "$_TF_CHAIN" -o lo -j ACCEPT 2>/dev/null || true
            ip6tables -A "$_TF_CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
            if [[ -n "$ssh_ip6" ]]; then
                ip6tables -A "$_TF_CHAIN" -d "$ssh_ip6" -p tcp --dport "$ssh_port" -m comment --comment "tf:${name}" -j ACCEPT 2>/dev/null || true
            fi
            ip6tables -A "$_TF_CHAIN" -d ::1 -p udp --dport 53 -j ACCEPT 2>/dev/null || true
            ip6tables -A "$_TF_CHAIN" -d ::1 -p tcp --dport 53 -j ACCEPT 2>/dev/null || true
            # Allow configured DNS servers if they are IPv6
            local _dns_v
            for _dns_v in "$_dns1" "$_dns2"; do
                if [[ "$_dns_v" =~ : ]]; then
                    ip6tables -A "$_TF_CHAIN" -d "$_dns_v" -p udp --dport 53 -j ACCEPT 2>/dev/null || true
                    ip6tables -A "$_TF_CHAIN" -d "$_dns_v" -p tcp --dport 53 -j ACCEPT 2>/dev/null || true
                fi
            done
            ip6tables -A "$_TF_CHAIN" -p udp --dport 546:547 -j ACCEPT 2>/dev/null || true
            ip6tables -A "$_TF_CHAIN" -p ipv6-icmp -j ACCEPT 2>/dev/null || true
            ip6tables -A "$_TF_CHAIN" -j DROP 2>/dev/null || true
        fi
    fi

    # Insert jump to chain (avoid duplicates)
    if ! iptables -C OUTPUT -j "$_TF_CHAIN" 2>/dev/null; then
        iptables -I OUTPUT 1 -j "$_TF_CHAIN" 2>/dev/null || true
    fi
    if ! iptables -C FORWARD -j "$_TF_CHAIN" 2>/dev/null; then
        iptables -I FORWARD 1 -j "$_TF_CHAIN" 2>/dev/null || true
    fi
    if [[ "$_has_ip6tables" == true ]]; then
        if ! ip6tables -C OUTPUT -j "$_TF_CHAIN" 2>/dev/null; then
            ip6tables -I OUTPUT 1 -j "$_TF_CHAIN" 2>/dev/null || true
        fi
        if ! ip6tables -C FORWARD -j "$_TF_CHAIN" 2>/dev/null; then
            ip6tables -I FORWARD 1 -j "$_TF_CHAIN" 2>/dev/null || true
        fi
    fi

    log_success "Kill switch enabled for '${name}' (allow ${ssh_ip}:${ssh_port})"
    return 0
}

disable_kill_switch() {
    local name="$1"

    if [[ $EUID -ne 0 ]]; then
        log_error "Kill switch requires root privileges"
        return 1
    fi
    if ! command -v iptables &>/dev/null; then
        return 0
    fi

    local _has_ip6tables=false
    if command -v ip6tables &>/dev/null; then _has_ip6tables=true; fi

    # Remove only this tunnel's SSH ACCEPT rule (multi-tunnel safe)
    # Load profile to get SSH host/port for exact rule match
    local -A _dks_prof
    load_profile "$name" _dks_prof 2>/dev/null || true
    local _dks_host="${_dks_prof[SSH_HOST]:-}"
    local _dks_port="${_dks_prof[SSH_PORT]:-22}"
    local _dks_ip
    _dks_ip=$(getent ahostsv4 "$_dks_host" 2>/dev/null | awk '{print $1; exit}') || true
    if [[ -z "$_dks_ip" ]]; then
        _dks_ip=$(dig +short A "$_dks_host" 2>/dev/null | head -1) || true
    fi
    if [[ -z "$_dks_ip" ]]; then
        _dks_ip=$(host "$_dks_host" 2>/dev/null | awk '/has address/{print $NF; exit}') || true
    fi
    : "${_dks_ip:=$_dks_host}"
    if [[ -n "$_dks_ip" ]]; then
        iptables -D "$_TF_CHAIN" -d "$_dks_ip" -p tcp --dport "$_dks_port" -m comment --comment "tf:${name}" -j ACCEPT 2>/dev/null || true
    fi
    # IPv6: remove tunnel rule
    if [[ "$_has_ip6tables" == true ]]; then
        local _dks_ip6
        _dks_ip6=$(getent ahostsv6 "$_dks_host" 2>/dev/null | awk '{print $1; exit}') || true
        if [[ -n "$_dks_ip6" ]]; then
            ip6tables -D "$_TF_CHAIN" -d "$_dks_ip6" -p tcp --dport "$_dks_port" -m comment --comment "tf:${name}" -j ACCEPT 2>/dev/null || true
        fi
    fi
    # Fallback: find exact rule by comment using -S output and delete it
    local _fb_rule
    _fb_rule=$(iptables -S "$_TF_CHAIN" 2>/dev/null | grep -F "tf:${name}" | head -1) || true
    if [[ -n "$_fb_rule" ]]; then
        _fb_rule="${_fb_rule/-A $_TF_CHAIN/-D $_TF_CHAIN}"
        _fb_rule="${_fb_rule//\"/}"
        local -a _fb_arr
        read -ra _fb_arr <<< "$_fb_rule"
        iptables "${_fb_arr[@]}" 2>/dev/null || true
    fi
    # IPv6 fallback
    if [[ "$_has_ip6tables" == true ]]; then
        local _fb6_rule
        _fb6_rule=$(ip6tables -S "$_TF_CHAIN" 2>/dev/null | grep -F "tf:${name}" | head -1) || true
        if [[ -n "$_fb6_rule" ]]; then
            _fb6_rule="${_fb6_rule/-A $_TF_CHAIN/-D $_TF_CHAIN}"
            _fb6_rule="${_fb6_rule//\"/}"
            local -a _fb6_arr
            read -ra _fb6_arr <<< "$_fb6_rule"
            ip6tables "${_fb6_arr[@]}" 2>/dev/null || true
        fi
    fi

    # Check if any other tunnel rules remain
    local _remaining
    _remaining=$(iptables -S "$_TF_CHAIN" 2>/dev/null | grep -c 'tf:' || true)
    : "${_remaining:=0}"

    if (( _remaining == 0 )); then
        # Last tunnel — tear down the entire chain
        iptables -D OUTPUT -j "$_TF_CHAIN" 2>/dev/null || true
        iptables -D FORWARD -j "$_TF_CHAIN" 2>/dev/null || true
        iptables -F "$_TF_CHAIN" 2>/dev/null || true
        iptables -X "$_TF_CHAIN" 2>/dev/null || true
        if [[ "$_has_ip6tables" == true ]]; then
            ip6tables -D OUTPUT -j "$_TF_CHAIN" 2>/dev/null || true
            ip6tables -D FORWARD -j "$_TF_CHAIN" 2>/dev/null || true
            ip6tables -F "$_TF_CHAIN" 2>/dev/null || true
            ip6tables -X "$_TF_CHAIN" 2>/dev/null || true
        fi
    fi

    # Clean up stale pristine backup files (no longer used — chain flush+delete is sufficient)
    if (( _remaining == 0 )); then
        rm -f "${_IPTABLES_BACKUP_DIR}/pristine.rules" 2>/dev/null
        rm -f "${_IPTABLES_BACKUP_DIR}/pristine6.rules" 2>/dev/null
    fi

    log_success "Kill switch disabled for '${name}'"
    return 0
}

is_kill_switch_active() {
    command -v iptables &>/dev/null || return 1
    if iptables -C OUTPUT -j "$_TF_CHAIN" 2>/dev/null; then
        return 0
    fi
    return 1
}

# ── SSH Key Management ──

generate_ssh_key() {
    local key_type="${1:-ed25519}"
    local key_path="${2:-${HOME}/.ssh/id_${key_type}}"
    local comment="${3:-tunnelforge@$(hostname 2>/dev/null || echo localhost)}"

    if [[ -f "$key_path" ]]; then
        log_warn "Key already exists: ${key_path}"
        return 0
    fi

    local key_dir
    key_dir=$(dirname "$key_path")
    mkdir -p "$key_dir" 2>/dev/null || true
    chmod 700 "$key_dir" 2>/dev/null || true

    log_info "Generating ${key_type} SSH key..."

    if ssh-keygen -t "$key_type" -f "$key_path" -C "$comment" -N "" 2>/dev/null; then
        chmod 600 "$key_path" 2>/dev/null || true
        chmod 644 "${key_path}.pub" 2>/dev/null || true
        log_success "SSH key generated: ${key_path}"
        log_info "Public key:"
        printf "  %s\n" "$(cat "${key_path}.pub" 2>/dev/null)"
        return 0
    fi
    log_error "Failed to generate SSH key"
    return 1
}

deploy_ssh_key() {
    local name="$1"

    local -A _dk_prof
    load_profile "$name" _dk_prof 2>/dev/null || {
        log_error "Cannot load profile '${name}'"
        return 1
    }

    local ssh_host="${_dk_prof[SSH_HOST]:-}"
    local ssh_port="${_dk_prof[SSH_PORT]:-22}"
    local ssh_user="${_dk_prof[SSH_USER]:-$(config_get SSH_DEFAULT_USER root)}"
    local key="${_dk_prof[IDENTITY_KEY]:-}"

    if [[ -z "$ssh_host" ]]; then
        log_error "No SSH host in profile '${name}'"
        return 1
    fi

    # Find public key
    local pub_key=""
    if [[ -n "$key" ]] && [[ -f "${key}.pub" ]]; then
        pub_key="${key}.pub"
    elif [[ -f "${HOME}/.ssh/id_ed25519.pub" ]]; then
        pub_key="${HOME}/.ssh/id_ed25519.pub"
    elif [[ -f "${HOME}/.ssh/id_rsa.pub" ]]; then
        pub_key="${HOME}/.ssh/id_rsa.pub"
    else
        log_error "No public key found to deploy"
        return 1
    fi

    log_info "Deploying key to ${ssh_user}@${ssh_host}:${ssh_port}..."

    local _dk_pass="${_dk_prof[SSH_PASSWORD]:-}"
    local -a _dk_sshpass_prefix=()
    if [[ -n "$_dk_pass" ]] && command -v sshpass &>/dev/null; then
        _dk_sshpass_prefix=(env "SSHPASS=${_dk_pass}" sshpass -e)
    fi

    if command -v ssh-copy-id &>/dev/null; then
        local priv_key="${pub_key%.pub}"
        local -a _dk_opts=(-i "$priv_key" -p "$ssh_port" -o "StrictHostKeyChecking=accept-new")
        if [[ -n "$key" ]] && [[ -f "$key" ]]; then _dk_opts+=(-o "IdentityFile=${key}"); fi
        if "${_dk_sshpass_prefix[@]}" ssh-copy-id "${_dk_opts[@]}" "${ssh_user}@${ssh_host}" 2>/dev/null; then
            log_success "Key deployed to ${ssh_user}@${ssh_host}"
            return 0
        fi
    fi

    # Manual fallback (always attempted if ssh-copy-id missing or failed)
    local -a _dk_ssh_opts=(-p "$ssh_port" -o "StrictHostKeyChecking=accept-new")
    if [[ -n "$key" ]] && [[ -f "$key" ]]; then _dk_ssh_opts+=(-o "IdentityFile=${key}"); fi
    if "${_dk_sshpass_prefix[@]}" ssh "${_dk_ssh_opts[@]}" "${ssh_user}@${ssh_host}" \
        'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys' \
        < "$pub_key" 2>/dev/null; then
        log_success "Key deployed to ${ssh_user}@${ssh_host}"
        return 0
    fi

    log_error "Failed to deploy key"
    return 1
}

check_key_permissions() {
    local key_path="$1"
    local issues=0

    if [[ ! -f "$key_path" ]]; then
        log_warn "Key not found: ${key_path}"
        return 1
    fi

    local perms
    perms=$(stat -c "%a" "$key_path" 2>/dev/null || stat -f "%Lp" "$key_path" 2>/dev/null) || true
    if [[ -n "$perms" ]]; then
        case "$perms" in
            600|400) ;;
            *)  log_warn "Insecure permissions on ${key_path}: ${perms} (should be 600)"
                ((++issues)) ;;
        esac
    fi

    local owner
    owner=$(stat -c "%U" "$key_path" 2>/dev/null || stat -f "%Su" "$key_path" 2>/dev/null) || true
    if [[ -n "$owner" ]] && [[ "$owner" != "$(whoami 2>/dev/null || echo root)" ]]; then
        log_warn "Key ${key_path} owned by ${owner}"
        ((++issues))
    fi

    if (( issues == 0 )); then
        log_debug "Key permissions OK: ${key_path}"
        return 0
    fi
    return 1
}

# ── Verify SSH Host Fingerprint ──

verify_host_fingerprint() {
    local host="$1" port="${2:-22}"

    if [[ -z "$host" ]]; then
        log_error "Usage: verify_host_fingerprint <host> [port]"
        return 1
    fi

    # Validate hostname — reject option injection and shell metacharacters
    if [[ "$host" == -* ]] || [[ "$host" =~ [^a-zA-Z0-9._:@%\[\]-] ]]; then
        log_error "Invalid hostname: ${host}"
        return 1
    fi

    printf "\n${BOLD}SSH Host Fingerprints for %s:%s${RESET}\n\n" "$host" "$port"

    if ! command -v ssh-keyscan &>/dev/null; then
        log_error "ssh-keyscan is required"
        return 1
    fi

    local keys
    keys=$(ssh-keyscan -p "$port" -- "$host" 2>/dev/null) || true
    if [[ -z "$keys" ]]; then
        log_error "Could not retrieve host keys from ${host}:${port}"
        return 1
    fi

    while IFS= read -r _fline || [[ -n "$_fline" ]]; do
        [[ -z "$_fline" ]] && continue
        [[ "$_fline" == \#* ]] && continue
        local _fp
        _fp=$(echo "$_fline" | ssh-keygen -lf - 2>/dev/null) || true
        if [[ -n "$_fp" ]]; then
            printf "  ${CYAN}●${RESET} %s\n" "$_fp"
        fi
    done <<< "$keys"

    printf "\n${DIM}Known hosts status:${RESET}\n"
    if [[ -f "${HOME}/.ssh/known_hosts" ]]; then
        local _kh_lookup="$host"
        if [[ "$port" != "22" ]]; then _kh_lookup="[${host}]:${port}"; fi
        if ssh-keygen -F "$_kh_lookup" -f "${HOME}/.ssh/known_hosts" &>/dev/null; then
            printf "  ${GREEN}●${RESET} Host is in known_hosts\n"
        else
            printf "  ${YELLOW}▲${RESET} Host is NOT in known_hosts\n"
        fi
    else
        printf "  ${YELLOW}▲${RESET} No known_hosts file found\n"
    fi
    printf "\n"
    return 0
}

# ── Security Audit ──

security_audit() {
    local score=100 issues=0 warnings=0

    printf "\n${BOLD_CYAN}═══ TunnelForge Security Audit ═══${RESET}\n\n"

    # 1. SSH key permissions
    printf "${BOLD}[1/6] SSH Key Permissions${RESET}\n"
    local _found_keys=false _key_f _key_penalty=0
    for _key_f in "${HOME}/.ssh/"*; do
        [[ -f "$_key_f" ]] || continue
        [[ "$_key_f" == *.pub ]] && continue
        [[ "$_key_f" == */known_hosts* ]] && continue
        [[ "$_key_f" == */authorized_keys* ]] && continue
        [[ "$_key_f" == */config ]] && continue
        # Only check files that look like private keys (contain BEGIN marker)
        head -1 "$_key_f" 2>/dev/null | grep -q "PRIVATE KEY" || continue
        _found_keys=true
        local _kp
        _kp=$(stat -c "%a" "$_key_f" 2>/dev/null || stat -f "%Lp" "$_key_f" 2>/dev/null) || true
        if [[ "$_kp" == "600" ]] || [[ "$_kp" == "400" ]]; then
            printf "  ${GREEN}●${RESET} %s (%s) OK\n" "$(basename "$_key_f")" "$_kp"
        else
            printf "  ${RED}✗${RESET} %s (%s) — should be 600\n" "$(basename "$_key_f")" "${_kp:-?}"
            ((++issues))
            if (( _key_penalty < 20 )); then
                score=$(( score - 10 ))
                (( _key_penalty += 10 ))
            fi
        fi
    done
    if [[ "$_found_keys" != true ]]; then
        printf "  ${YELLOW}▲${RESET} No SSH keys found in ~/.ssh/\n"
        ((++warnings))
    fi

    # 2. SSH directory permissions
    printf "\n${BOLD}[2/6] SSH Directory${RESET}\n"
    if [[ -d "${HOME}/.ssh" ]]; then
        local _ssh_perms
        _ssh_perms=$(stat -c "%a" "${HOME}/.ssh" 2>/dev/null || stat -f "%Lp" "${HOME}/.ssh" 2>/dev/null) || true
        if [[ "$_ssh_perms" == "700" ]]; then
            printf "  ${GREEN}●${RESET} ~/.ssh permissions: %s OK\n" "$_ssh_perms"
        else
            printf "  ${RED}✗${RESET} ~/.ssh permissions: %s — should be 700\n" "${_ssh_perms:-?}"
            ((++issues)); score=$(( score - 5 ))
        fi
    else
        printf "  ${YELLOW}▲${RESET} ~/.ssh directory does not exist\n"
        ((++warnings))
    fi

    # 3. DNS leak protection status
    printf "\n${BOLD}[3/6] DNS Leak Protection${RESET}\n"
    if is_dns_leak_protected; then
        printf "  ${GREEN}●${RESET} DNS leak protection is ACTIVE\n"
    else
        printf "  ${DIM}■${RESET} DNS leak protection is not active\n"
        ((++warnings))
    fi

    # 4. Kill switch status
    printf "\n${BOLD}[4/6] Kill Switch${RESET}\n"
    if [[ $EUID -ne 0 ]]; then
        printf "  ${YELLOW}▲${RESET} Skipped — requires root to inspect iptables\n"
        ((++warnings))
    elif is_kill_switch_active; then
        printf "  ${GREEN}●${RESET} Kill switch is ACTIVE (IPv4)\n"
        if command -v ip6tables &>/dev/null && ip6tables -C OUTPUT -j "$_TF_CHAIN" 2>/dev/null; then
            printf "  ${GREEN}●${RESET} Kill switch is ACTIVE (IPv6)\n"
        else
            printf "  ${YELLOW}▲${RESET} IPv6 kill switch not active\n"
            ((++warnings))
        fi
    else
        printf "  ${DIM}■${RESET} Kill switch is not active\n"
        ((++warnings))
    fi

    # 5. Tunnel PID integrity
    printf "\n${BOLD}[5/6] Tunnel Integrity${RESET}\n"
    local _audit_profiles
    _audit_profiles=$(list_profiles)
    if [[ -n "$_audit_profiles" ]]; then
        while IFS= read -r _aname; do
            [[ -z "$_aname" ]] && continue
            local _apid
            _apid=$(get_tunnel_pid "$_aname" 2>/dev/null)
            if [[ -n "$_apid" ]]; then
                if kill -0 "$_apid" 2>/dev/null; then
                    printf "  ${GREEN}●${RESET} %s (PID %s) — running\n" "$_aname" "$_apid"
                else
                    printf "  ${RED}✗${RESET} %s (PID %s) — stale PID file\n" "$_aname" "$_apid"
                    ((++issues)); score=$(( score - 5 ))
                fi
            else
                printf "  ${DIM}■${RESET} %s — not running\n" "$_aname"
            fi
        done <<< "$_audit_profiles"
    else
        printf "  ${DIM}■${RESET} No profiles configured\n"
    fi

    # 6. Listening ports check
    printf "\n${BOLD}[6/6] Listening Ports${RESET}\n"
    if command -v ss &>/dev/null; then
        local _port_count
        _port_count=$(ss -tln 2>/dev/null | tail -n +2 | wc -l) || true
        printf "  ${DIM}■${RESET} %s TCP ports listening\n" "${_port_count:-0}"
    elif command -v netstat &>/dev/null; then
        local _port_count
        _port_count=$(netstat -tln 2>/dev/null | tail -n +3 | wc -l) || true
        printf "  ${DIM}■${RESET} %s TCP ports listening\n" "${_port_count:-0}"
    else
        printf "  ${YELLOW}▲${RESET} Cannot check ports (ss/netstat not found)\n"
    fi

    # Summary
    if (( score < 0 )); then score=0; fi
    printf "\n${BOLD}──────────────────────────────────${RESET}\n"
    local _sc_color="${GREEN}"
    if (( score < 70 )); then _sc_color="${RED}"
    elif (( score < 90 )); then _sc_color="${YELLOW}"; fi
    printf "${BOLD}Security Score: ${_sc_color}%d/100${RESET}\n" "$score"
    printf "${DIM}Issues: %d  |  Warnings: %d${RESET}\n\n" "$issues" "$warnings"
    return 0
}

# ============================================================================
# SERVER SETUP & SYSTEMD  (Phase 5)
# ============================================================================

readonly _SYSTEMD_DIR="/etc/systemd/system"
readonly _SSHD_CONFIG="/etc/ssh/sshd_config"
readonly _SSHD_BACKUP="${BACKUP_DIR}/sshd_config.bak"

# ── Server Hardening ──
# Hardens a remote server's SSH config for receiving tunnel connections

_server_harden_sshd() {
    printf "\n${BOLD}[1/4] Hardening SSH daemon${RESET}\n"

    if [[ ! -f "$_SSHD_CONFIG" ]]; then
        log_error "sshd_config not found at ${_SSHD_CONFIG}"
        return 1
    fi

    # Backup original (canonical backup kept for first-run restore)
    if [[ ! -f "$_SSHD_BACKUP" ]]; then
        cp "$_SSHD_CONFIG" "$_SSHD_BACKUP" 2>/dev/null || {
            log_error "Failed to backup sshd_config"
            return 1
        }
        log_success "Backed up sshd_config (canonical)"
    fi
    # Always create a timestamped backup before each modification
    local _ts_backup="${BACKUP_DIR}/sshd_config.$(date -u '+%Y%m%d%H%M%S').bak"
    cp "$_SSHD_CONFIG" "$_ts_backup" 2>/dev/null || true

    # Check if any user has authorized_keys before disabling password auth
    local _pw_auth="no"
    local _has_keys=false
    local _huser
    for _huser in /root /home/*; do
        if [[ -f "${_huser}/.ssh/authorized_keys" ]] && [[ -s "${_huser}/.ssh/authorized_keys" ]]; then
            _has_keys=true
            break
        fi
    done
    if [[ "$_has_keys" != true ]]; then
        _pw_auth="yes"
        log_warn "No authorized_keys found — keeping PasswordAuthentication=yes to prevent lockout"
    fi

    # Apply hardening settings
    local -A _harden=(
        [PermitRootLogin]="prohibit-password"
        [PasswordAuthentication]="$_pw_auth"
        [PubkeyAuthentication]="yes"
        [X11Forwarding]="no"
        [AllowTcpForwarding]="yes"
        [GatewayPorts]="clientspecified"
        [MaxAuthTries]="3"
        [LoginGraceTime]="30"
        [ClientAliveInterval]="60"
        [ClientAliveCountMax]="3"
        [PermitEmptyPasswords]="no"
    )

    local _hk _hv _changed=false
    for _hk in "${!_harden[@]}"; do
        _hv="${_harden[$_hk]}"
        if grep -qE "^[[:space:]]*${_hk}[[:space:]]" "$_SSHD_CONFIG" 2>/dev/null; then
            # Setting exists — update it
            local _cur
            _cur=$(grep -E "^[[:space:]]*${_hk}[[:space:]]" "$_SSHD_CONFIG" 2>/dev/null | awk '{print $2}' | head -1) || true
            if [[ "$_cur" != "$_hv" ]]; then
                # First-match only to preserve Match block overrides
                local _ln
                _ln=$(grep -n "^[[:space:]]*${_hk}[[:space:]]" "$_SSHD_CONFIG" 2>/dev/null | head -1 | cut -d: -f1) || true
                if [[ -n "$_ln" ]]; then
                    local _sed_tmp
                    _sed_tmp=$(mktemp "${_SSHD_CONFIG}.tf_sed.XXXXXX") || continue
                    sed "${_ln}s/.*/${_hk} ${_hv}/" "$_SSHD_CONFIG" > "$_sed_tmp" 2>/dev/null && mv -f "$_sed_tmp" "$_SSHD_CONFIG" 2>/dev/null || true
                    rm -f "$_sed_tmp" 2>/dev/null || true
                fi
                printf "  ${CYAN}~${RESET} %s: %s → %s\n" "$_hk" "${_cur:-?}" "$_hv"
                _changed=true
            else
                printf "  ${GREEN}●${RESET} %s: %s (already set)\n" "$_hk" "$_hv"
            fi
        elif grep -qE "^[[:space:]]*#[[:space:]]*${_hk}[[:space:]]" "$_SSHD_CONFIG" 2>/dev/null; then
            # Commented out — uncomment and set (first match only)
            local _cln
            _cln=$(grep -n "^[[:space:]]*#[[:space:]]*${_hk}[[:space:]]" "$_SSHD_CONFIG" 2>/dev/null | head -1 | cut -d: -f1) || true
            if [[ -n "$_cln" ]]; then
                local _sed_tmp
                _sed_tmp=$(mktemp "${_SSHD_CONFIG}.tf_sed.XXXXXX") || continue
                sed "${_cln}s/.*/${_hk} ${_hv}/" "$_SSHD_CONFIG" > "$_sed_tmp" 2>/dev/null && mv -f "$_sed_tmp" "$_SSHD_CONFIG" 2>/dev/null || true
                rm -f "$_sed_tmp" 2>/dev/null || true
            fi
            printf "  ${CYAN}+${RESET} %s: %s (uncommented)\n" "$_hk" "$_hv"
            _changed=true
        else
            # Not present — insert before first Match block (or append if none)
            local _match_ln
            _match_ln=$(grep -n "^[[:space:]]*Match[[:space:]]" "$_SSHD_CONFIG" 2>/dev/null | head -1 | cut -d: -f1) || true
            if [[ -n "$_match_ln" ]]; then
                local _sed_tmp
                _sed_tmp=$(mktemp "${_SSHD_CONFIG}.tf_sed.XXXXXX") || continue
                { head -n "$((_match_ln - 1))" "$_SSHD_CONFIG"; printf "%s %s\n" "$_hk" "$_hv"; tail -n "+${_match_ln}" "$_SSHD_CONFIG"; } > "$_sed_tmp" 2>/dev/null && mv -f "$_sed_tmp" "$_SSHD_CONFIG" 2>/dev/null || true
                rm -f "$_sed_tmp" 2>/dev/null || true
            else
                if [[ -s "$_SSHD_CONFIG" ]] && [[ -n "$(tail -c1 "$_SSHD_CONFIG" 2>/dev/null)" ]]; then
                    echo "" >> "$_SSHD_CONFIG" 2>/dev/null || true
                fi
                printf "%s %s\n" "$_hk" "$_hv" >> "$_SSHD_CONFIG" 2>/dev/null || true
            fi
            printf "  ${CYAN}+${RESET} %s: %s (added)\n" "$_hk" "$_hv"
            _changed=true
        fi
    done

    if [[ "$_changed" == true ]]; then
        # Test config before reload
        if sshd -t 2>/dev/null; then
            log_success "sshd_config syntax OK"
            local _reload_ok=false
            if [[ "$INIT_SYSTEM" == "systemd" ]]; then
                if systemctl reload sshd 2>/dev/null || systemctl reload ssh 2>/dev/null; then
                    _reload_ok=true
                fi
            else
                if service sshd reload 2>/dev/null || service ssh reload 2>/dev/null; then
                    _reload_ok=true
                fi
            fi
            if [[ "$_reload_ok" == true ]]; then
                log_success "SSH daemon reloaded"
            else
                log_warn "Could not reload sshd (reload manually)"
            fi
        else
            log_error "sshd_config syntax error — restoring backup"
            if [[ -f "$_ts_backup" ]] && cp "$_ts_backup" "$_SSHD_CONFIG" 2>/dev/null; then
                log_info "Restored from timestamped backup"
            elif [[ -f "$_SSHD_BACKUP" ]] && cp "$_SSHD_BACKUP" "$_SSHD_CONFIG" 2>/dev/null; then
                log_warn "Timestamped backup unavailable, restored from canonical backup"
            else
                log_error "CRITICAL: No backup available — sshd_config may be broken!"
            fi
            return 1
        fi
    else
        log_info "No changes needed"
    fi
    return 0
}

_server_setup_firewall() {
    printf "\n${BOLD}[2/4] Configuring firewall${RESET}\n"

    # Detect SSH port from sshd_config (used by all firewall paths)
    local _fw_ssh_port=22
    if [[ -f "$_SSHD_CONFIG" ]]; then
        local _detected_port
        _detected_port=$(grep -E "^[[:space:]]*Port[[:space:]]+" "$_SSHD_CONFIG" 2>/dev/null | awk '{print $2}' | head -1) || true
        if [[ -n "$_detected_port" ]] && [[ "$_detected_port" =~ ^[0-9]+$ ]]; then
            _fw_ssh_port="$_detected_port"
        fi
    fi

    if command -v ufw &>/dev/null; then
        ufw default deny incoming 2>/dev/null || true
        ufw allow "$_fw_ssh_port/tcp" 2>/dev/null || true
        ufw --force enable 2>/dev/null || true
        printf "  ${GREEN}●${RESET} UFW enabled (default deny + SSH port %s allowed)\n" "$_fw_ssh_port"
        log_success "UFW configured with default deny"
    elif command -v firewall-cmd &>/dev/null; then
        firewall-cmd --permanent --add-port="${_fw_ssh_port}/tcp" 2>/dev/null || true
        firewall-cmd --reload 2>/dev/null || true
        printf "  ${GREEN}●${RESET} firewalld: SSH port %s allowed\n" "$_fw_ssh_port"
        log_success "firewalld configured"
    elif command -v iptables &>/dev/null; then
        # IPv4 rules (conntrack instead of deprecated state module)
        if ! iptables -C INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null; then
            iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
        fi
        if ! iptables -C INPUT -i lo -j ACCEPT 2>/dev/null; then
            iptables -I INPUT 2 -i lo -j ACCEPT 2>/dev/null || true
        fi
        if ! iptables -C INPUT -p tcp --dport "$_fw_ssh_port" -j ACCEPT 2>/dev/null; then
            iptables -A INPUT -p tcp --dport "$_fw_ssh_port" -j ACCEPT 2>/dev/null || true
        fi
        iptables -P INPUT DROP 2>/dev/null || true
        iptables -P FORWARD DROP 2>/dev/null || true
        printf "  ${GREEN}●${RESET} iptables: SSH (port %s) allowed, default deny\n" "$_fw_ssh_port"
        # IPv6 mirror rules
        if command -v ip6tables &>/dev/null; then
            if ! ip6tables -C INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null; then
                ip6tables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
            fi
            if ! ip6tables -C INPUT -i lo -j ACCEPT 2>/dev/null; then
                ip6tables -I INPUT 2 -i lo -j ACCEPT 2>/dev/null || true
            fi
            if ! ip6tables -C INPUT -p tcp --dport "$_fw_ssh_port" -j ACCEPT 2>/dev/null; then
                ip6tables -A INPUT -p tcp --dport "$_fw_ssh_port" -j ACCEPT 2>/dev/null || true
            fi
            ip6tables -P INPUT DROP 2>/dev/null || true
            ip6tables -P FORWARD DROP 2>/dev/null || true
            printf "  ${GREEN}●${RESET} ip6tables: SSH (port %s) allowed, default deny\n" "$_fw_ssh_port"
        fi
        # Persist iptables rules
        if [[ -d "/etc/iptables" ]]; then
            iptables-save > /etc/iptables/rules.v4 2>/dev/null || true
            if command -v ip6tables-save &>/dev/null; then
                ip6tables-save > /etc/iptables/rules.v6 2>/dev/null || true
            fi
            printf "  ${GREEN}●${RESET} iptables rules persisted to /etc/iptables/\n"
        elif command -v netfilter-persistent &>/dev/null; then
            netfilter-persistent save 2>/dev/null || true
            printf "  ${GREEN}●${RESET} iptables rules persisted via netfilter-persistent\n"
        else
            log_warn "Install iptables-persistent to survive reboots"
        fi
    else
        printf "  ${YELLOW}▲${RESET} No firewall tool found (ufw/firewalld/iptables)\n"
    fi
    return 0
}

_server_setup_fail2ban() {
    printf "\n${BOLD}[3/4] Setting up fail2ban${RESET}\n"

    if ! command -v fail2ban-client &>/dev/null; then
        log_info "Installing fail2ban..."
        if [[ -n "${PKG_INSTALL:-}" ]]; then
            ${PKG_INSTALL} fail2ban 2>/dev/null || {
                log_warn "Could not install fail2ban"
                return 0
            }
        else
            printf "  ${YELLOW}▲${RESET} Cannot install fail2ban (unknown package manager)\n"
            return 0
        fi
    fi

    # Detect SSH port
    local _f2b_ssh_port=22
    if [[ -f "$_SSHD_CONFIG" ]]; then
        local _f2b_dp
        _f2b_dp=$(grep -E "^[[:space:]]*Port[[:space:]]+" "$_SSHD_CONFIG" 2>/dev/null | awk '{print $2}' | head -1) || true
        if [[ -n "$_f2b_dp" ]] && [[ "$_f2b_dp" =~ ^[0-9]+$ ]]; then
            _f2b_ssh_port="$_f2b_dp"
        fi
    fi

    local jail_dir="/etc/fail2ban/jail.d"
    mkdir -p "$jail_dir" 2>/dev/null || true

    local jail_file="${jail_dir}/tunnelforge-sshd.conf"
    if [[ ! -f "$jail_file" ]]; then
        {
            printf "[sshd]\n"
            printf "enabled = true\n"
            printf "port = %s\n" "$_f2b_ssh_port"
            printf "filter = sshd\n"
            printf "maxretry = 5\n"
            printf "findtime = 600\n"
            printf "bantime = 3600\n"
            local _f2b_backend="auto"
            if [[ "$INIT_SYSTEM" == "systemd" ]]; then _f2b_backend="systemd"; fi
            printf "backend = %s\n" "$_f2b_backend"
        } > "$jail_file" 2>/dev/null || true
        printf "  ${GREEN}●${RESET} Created fail2ban SSH jail\n"
    else
        printf "  ${GREEN}●${RESET} fail2ban SSH jail already exists\n"
    fi

    if [[ "$INIT_SYSTEM" == "systemd" ]]; then
        systemctl enable fail2ban 2>/dev/null || true
        systemctl restart fail2ban 2>/dev/null || true
    fi
    log_success "fail2ban configured"
    return 0
}

_server_setup_sysctl() {
    printf "\n${BOLD}[4/4] Kernel hardening${RESET}\n"

    local sysctl_file="/etc/sysctl.d/99-tunnelforge.conf"
    if [[ ! -f "$sysctl_file" ]]; then
        {
            printf "# TunnelForge kernel hardening\n"
            printf "net.ipv4.tcp_syncookies = 1\n"
            printf "net.ipv4.conf.all.rp_filter = 1\n"
            printf "net.ipv4.conf.default.rp_filter = 1\n"
            printf "net.ipv4.icmp_echo_ignore_broadcasts = 1\n"
            printf "net.ipv4.conf.all.accept_redirects = 0\n"
            printf "net.ipv4.conf.default.accept_redirects = 0\n"
            printf "net.ipv4.conf.all.send_redirects = 0\n"
            printf "net.ipv4.conf.default.send_redirects = 0\n"
            printf "net.ipv4.ip_forward = 1\n"
        } > "$sysctl_file" 2>/dev/null || true
        sysctl -p "$sysctl_file" 2>/dev/null || true
        printf "  ${GREEN}●${RESET} Kernel parameters hardened\n"
        log_success "sysctl hardening applied"
    else
        printf "  ${GREEN}●${RESET} Kernel hardening already applied\n"
    fi
    return 0
}

server_setup() {
    local _profile_name="${1:-}"

    # If a profile name is given, harden the REMOTE server via SSH
    if [[ -n "$_profile_name" ]]; then
        _server_setup_remote "$_profile_name"
        return $?
    fi

    # Otherwise, harden THIS (local) server
    if [[ $EUID -ne 0 ]]; then
        log_error "Server setup requires root privileges"
        return 1
    fi

    printf "\n${BOLD_CYAN}═══ TunnelForge Server Setup ═══${RESET}\n"
    printf "${DIM}Hardening this server for receiving SSH tunnel connections${RESET}\n"

    printf "\nThis will:\n"
    printf "  1. Harden SSH daemon configuration\n"
    printf "  2. Configure firewall rules\n"
    printf "  3. Set up fail2ban intrusion prevention\n"
    printf "  4. Apply kernel network hardening\n\n"

    if ! confirm_action "Proceed with server hardening?"; then
        log_info "Server setup cancelled"
        return 0
    fi

    _server_harden_sshd || true
    _server_setup_firewall || true
    _server_setup_fail2ban || true
    _server_setup_sysctl || true

    printf "\n${BOLD_GREEN}═══ Server Setup Complete ═══${RESET}\n"
    printf "${DIM}Your server is now hardened for SSH tunnel connections.${RESET}\n"
    printf "${DIM}Run 'tunnelforge audit' to verify security posture.${RESET}\n\n"
    return 0
}

# ── Remote Server Setup ──
# SSHes into a profile's target server and enables essential tunnel settings

_server_setup_remote() {
    local name="$1"
    local -A _rss_prof
    if ! load_profile "$name" _rss_prof; then
        log_error "Profile '${name}' not found"
        return 1
    fi

    local host="${_rss_prof[SSH_HOST]:-}"
    local user="${_rss_prof[SSH_USER]:-$(config_get SSH_DEFAULT_USER root)}"
    if [[ -z "$host" ]]; then
        log_error "Profile '${name}' has no SSH_HOST"
        return 1
    fi

    printf "\n${BOLD_CYAN}═══ Remote Server Setup ═══${RESET}\n"
    printf "${DIM}Target: %s@%s${RESET}\n\n" "$user" "$host"
    printf "This will enable on the remote server:\n"
    printf "  - AllowTcpForwarding yes    ${DIM}(required for -D/-L/-R)${RESET}\n"
    printf "  - GatewayPorts clientspecified  ${DIM}(for -R public bind)${RESET}\n"
    printf "  - PermitTunnel yes          ${DIM}(for TUN/TAP forwarding)${RESET}\n\n"

    if ! confirm_action "SSH into ${host} and apply settings?"; then
        log_info "Remote setup cancelled"
        return 0
    fi

    _obfs_remote_ssh _rss_prof
    local _rss_rc=0

    "${_OBFS_SSH_CMD[@]}" "bash -s" <<'REMOTE_SSHD_SCRIPT' || _rss_rc=$?
set -e

# Use sudo if not root
SUDO=""
if [ "$(id -u)" -ne 0 ]; then
    if command -v sudo >/dev/null 2>&1; then
        if sudo -n true 2>/dev/null; then
            SUDO="sudo"
        else
            echo "ERROR: Not root and sudo requires a password"
            echo "  Either SSH as root, or add NOPASSWD for this user"
            exit 1
        fi
    else
        echo "ERROR: Not running as root and sudo not available"
        exit 1
    fi
fi

SSHD_CONFIG="/etc/ssh/sshd_config"
if [ ! -f "$SSHD_CONFIG" ]; then
    echo "ERROR: sshd_config not found at $SSHD_CONFIG"
    exit 1
fi

# Backup before changes
$SUDO cp "$SSHD_CONFIG" "${SSHD_CONFIG}.bak.$(date +%s)" 2>/dev/null || true

CHANGED=false

apply_setting() {
    local key="$1" val="$2"
    if grep -qE "^[[:space:]]*${key}[[:space:]]" "$SSHD_CONFIG" 2>/dev/null; then
        CUR=$(grep -E "^[[:space:]]*${key}[[:space:]]" "$SSHD_CONFIG" | awk '{print $2}' | head -1)
        if [ "$CUR" != "$val" ]; then
            LN=$(grep -n "^[[:space:]]*${key}[[:space:]]" "$SSHD_CONFIG" | head -1 | cut -d: -f1)
            $SUDO sed -i "${LN}s/.*/${key} ${val}/" "$SSHD_CONFIG"
            echo "  ~ ${key}: ${CUR} -> ${val}"
            CHANGED=true
        else
            echo "  OK ${key}: ${val} (already set)"
        fi
    elif grep -qE "^[[:space:]]*#[[:space:]]*${key}" "$SSHD_CONFIG" 2>/dev/null; then
        LN=$(grep -n "^[[:space:]]*#[[:space:]]*${key}" "$SSHD_CONFIG" | head -1 | cut -d: -f1)
        $SUDO sed -i "${LN}s/.*/${key} ${val}/" "$SSHD_CONFIG"
        echo "  + ${key}: ${val} (uncommented)"
        CHANGED=true
    else
        echo "${key} ${val}" | $SUDO tee -a "$SSHD_CONFIG" >/dev/null
        echo "  + ${key}: ${val} (added)"
        CHANGED=true
    fi
}

echo "Checking sshd settings..."
apply_setting "AllowTcpForwarding" "yes"
apply_setting "GatewayPorts" "clientspecified"
apply_setting "PermitTunnel" "yes"

if [ "$CHANGED" = true ]; then
    if $SUDO sshd -t 2>/dev/null; then
        echo "sshd_config syntax OK"
        if command -v systemctl >/dev/null 2>&1; then
            $SUDO systemctl reload sshd 2>/dev/null || $SUDO systemctl reload ssh 2>/dev/null || true
        else
            $SUDO service sshd reload 2>/dev/null || $SUDO service ssh reload 2>/dev/null || true
        fi
        echo "SUCCESS: SSH daemon reloaded with new settings"
    else
        echo "ERROR: sshd_config syntax error — restoring backup"
        LATEST_BAK=$(ls -t "${SSHD_CONFIG}.bak."* 2>/dev/null | head -1)
        if [ -n "$LATEST_BAK" ]; then
            $SUDO cp "$LATEST_BAK" "$SSHD_CONFIG" 2>/dev/null || true
            echo "Restored from backup"
        fi
        exit 1
    fi
else
    echo "All settings already correct — no changes needed"
fi
REMOTE_SSHD_SCRIPT

    unset SSHPASS 2>/dev/null || true

    if (( _rss_rc == 0 )); then
        printf "\n"
        log_success "Remote server configured for tunnel forwarding"
    else
        printf "\n"
        log_error "Remote setup failed (exit code: ${_rss_rc})"
    fi
    return "$_rss_rc"
}

# ── TLS Obfuscation (stunnel) Setup ──
# Remotely installs and configures stunnel on a profile's server

# Build SSH command for remote execution on profile's server.
# Populates global _OBFS_SSH_CMD array. Caller must unset SSHPASS.
_obfs_remote_ssh() {
    local -n _ors_prof="$1"
    local host="${_ors_prof[SSH_HOST]:-}"
    local port="${_ors_prof[SSH_PORT]:-22}"
    local user="${_ors_prof[SSH_USER]:-$(config_get SSH_DEFAULT_USER root)}"
    local key="${_ors_prof[IDENTITY_KEY]:-}"
    local password="${_ors_prof[SSH_PASSWORD]:-}"

    _OBFS_SSH_CMD=()
    local -a ssh_opts=(-p "$port" -o "ConnectTimeout=15" -o "StrictHostKeyChecking=accept-new")
    if [[ -n "$key" ]] && [[ -f "$key" ]]; then ssh_opts+=(-i "$key"); fi

    if [[ -n "$password" ]]; then
        if command -v sshpass &>/dev/null; then
            export SSHPASS="$password"
            _OBFS_SSH_CMD=(sshpass -e ssh "${ssh_opts[@]}" "${user}@${host}")
        else
            ssh_opts+=(-o "BatchMode=no")
            _OBFS_SSH_CMD=(ssh "${ssh_opts[@]}" "${user}@${host}")
        fi
    else
        _OBFS_SSH_CMD=(ssh "${ssh_opts[@]}" "${user}@${host}")
    fi
    return 0
}

# Core remote setup script — shared by CLI and wizard.
# Args: obfs_port ssh_port
# Requires _OBFS_SSH_CMD to be populated by _obfs_remote_ssh().
_obfs_run_remote_setup() {
    local obfs_port="$1" ssh_port="$2"
    # Validate ports are numeric before interpolation into remote script
    if ! [[ "$obfs_port" =~ ^[0-9]+$ ]] || ! [[ "$ssh_port" =~ ^[0-9]+$ ]]; then
        log_error "Port values must be numeric"; return 1
    fi
    local _setup_rc=0

    "${_OBFS_SSH_CMD[@]}" "bash -s" <<OBFS_SCRIPT || _setup_rc=$?
set -e
OBFS_PORT="${obfs_port}"
SSH_PORT="${ssh_port}"

# Use sudo if not root
SUDO=""
if [ "\$(id -u)" -ne 0 ]; then
    if command -v sudo >/dev/null 2>&1; then
        # Verify sudo works without password (non-interactive session has no TTY)
        if sudo -n true 2>/dev/null; then
            SUDO="sudo"
        else
            echo "ERROR: Not root and sudo requires a password"
            echo "  Either SSH as root, or add NOPASSWD for this user in /etc/sudoers"
            exit 1
        fi
    else
        echo "ERROR: Not running as root and sudo not available"
        exit 1
    fi
fi

# Detect package manager
if command -v apt-get >/dev/null 2>&1; then
    PKG_INSTALL="\$SUDO apt-get install -y -qq"
    PKG_UPDATE="\$SUDO apt-get update -qq"
elif command -v dnf >/dev/null 2>&1; then
    PKG_INSTALL="\$SUDO dnf install -y -q"
    PKG_UPDATE="true"
elif command -v yum >/dev/null 2>&1; then
    PKG_INSTALL="\$SUDO yum install -y -q"
    PKG_UPDATE="true"
elif command -v apk >/dev/null 2>&1; then
    PKG_INSTALL="\$SUDO apk add --quiet"
    PKG_UPDATE="\$SUDO apk update --quiet"
else
    echo "ERROR: No supported package manager (apt/dnf/yum/apk)"
    exit 1
fi

# Check if port is already in use (not by our stunnel)
if ss -tln 2>/dev/null | grep -qE ":\${OBFS_PORT}[[:space:]]"; then
    LISTENER=\$(ss -tlnp 2>/dev/null | grep ":\${OBFS_PORT} " | head -1)
    if echo "\$LISTENER" | grep -q stunnel; then
        echo "INFO: stunnel already listening on port \${OBFS_PORT} — updating config"
    else
        echo "ERROR: Port \${OBFS_PORT} already in use by another service:"
        echo "  \$LISTENER"
        echo "Choose a different OBFS_PORT or stop the conflicting service."
        exit 2
    fi
fi

# Install stunnel (skip if already present)
if command -v stunnel >/dev/null 2>&1 || command -v stunnel4 >/dev/null 2>&1; then
    echo "stunnel already installed"
else
    echo "Installing stunnel..."
    \$PKG_UPDATE 2>/dev/null || true
    # Try stunnel4 first (Debian/Ubuntu), then stunnel (RHEL/Alpine)
    \$PKG_INSTALL stunnel4 >/dev/null 2>&1 || \$PKG_INSTALL stunnel >/dev/null 2>&1 || true
    # Verify it actually installed
    if ! command -v stunnel >/dev/null 2>&1 && ! command -v stunnel4 >/dev/null 2>&1; then
        echo "ERROR: Failed to install stunnel"
        echo "  Try manually: ssh into the server and install stunnel"
        exit 1
    fi
    echo "stunnel installed"
fi

# Ensure openssl is available
command -v openssl >/dev/null 2>&1 || \$PKG_INSTALL openssl >/dev/null 2>&1 || true

# Generate self-signed cert if missing
CERT_DIR="/etc/stunnel"
CERT_FILE="\${CERT_DIR}/tunnelforge.pem"
\$SUDO mkdir -p "\$CERT_DIR"

if [ ! -f "\$CERT_FILE" ]; then
    echo "Generating self-signed TLS certificate..."
    \$SUDO openssl req -new -x509 -days 3650 -nodes \
        -out "\$CERT_FILE" -keyout "\$CERT_FILE" \
        -subj "/CN=tunnelforge/O=TunnelForge/C=US" 2>/dev/null || {
        echo "ERROR: Failed to generate certificate"
        exit 1
    }
    \$SUDO chmod 600 "\$CERT_FILE"
    echo "Certificate generated: \$CERT_FILE"
else
    echo "Certificate exists: \$CERT_FILE"
fi

# Write stunnel config
CONF_FILE="\${CERT_DIR}/tunnelforge-ssh.conf"
\$SUDO tee "\$CONF_FILE" >/dev/null <<STUNNEL_CONF
; TunnelForge SSH obfuscation — wraps SSH in TLS
pid = /var/run/stunnel-tunnelforge.pid
[ssh-tls]
accept = 0.0.0.0:\${OBFS_PORT}
connect = 127.0.0.1:\${SSH_PORT}
cert = \${CERT_FILE}
STUNNEL_CONF
echo "Config written: \$CONF_FILE"

# Enable and start stunnel
if command -v systemctl >/dev/null 2>&1; then
    SVC=""
    for _sn in stunnel4 stunnel; do
        if systemctl list-unit-files "\${_sn}.service" 2>/dev/null | grep -q "\${_sn}"; then
            SVC="\$_sn"
            break
        fi
    done
    if [ -n "\$SVC" ]; then
        \$SUDO systemctl enable "\$SVC" 2>/dev/null || true
        \$SUDO systemctl restart "\$SVC" 2>/dev/null || true
        echo "Stunnel service restarted (\${SVC})"
    else
        \$SUDO stunnel "\$CONF_FILE" 2>/dev/null || { echo "ERROR: stunnel failed to start"; exit 1; }
        echo "Stunnel started directly"
    fi
else
    \$SUDO stunnel "\$CONF_FILE" 2>/dev/null || { echo "ERROR: stunnel failed to start"; exit 1; }
    echo "Stunnel started"
fi

# Open firewall port
if command -v ufw >/dev/null 2>&1; then
    \$SUDO ufw allow "\${OBFS_PORT}/tcp" 2>/dev/null || true
    echo "UFW: port \${OBFS_PORT} opened"
elif command -v firewall-cmd >/dev/null 2>&1; then
    \$SUDO firewall-cmd --permanent --add-port="\${OBFS_PORT}/tcp" 2>/dev/null || true
    \$SUDO firewall-cmd --reload 2>/dev/null || true
    echo "firewalld: port \${OBFS_PORT} opened"
fi

# Verify
sleep 1
if ss -tln 2>/dev/null | grep -qE ":\${OBFS_PORT}[[:space:]]"; then
    echo "SUCCESS: stunnel listening on port \${OBFS_PORT}"
else
    echo "WARNING: stunnel may not be listening yet — check manually"
fi
OBFS_SCRIPT

    unset SSHPASS 2>/dev/null || true
    return "$_setup_rc"
}

# CLI entry: tunnelforge obfs-setup <profile>
_obfs_setup_stunnel() {
    local name="$1"
    local -A _os_prof=()
    load_profile "$name" _os_prof || { log_error "Cannot load profile '${name}'"; return 1; }

    local host="${_os_prof[SSH_HOST]:-}"
    local ssh_port="${_os_prof[SSH_PORT]:-22}"
    local obfs_port="${_os_prof[OBFS_PORT]:-443}"
    local user="${_os_prof[SSH_USER]:-$(config_get SSH_DEFAULT_USER root)}"

    if [[ -z "$host" ]]; then
        log_error "No SSH host in profile '${name}'"
        return 1
    fi

    if [[ "${_os_prof[OBFS_MODE]:-none}" == "none" ]]; then
        log_warn "Profile '${name}' does not have obfuscation enabled"
        printf "${DIM}  Enable it first: edit profile and set OBFS_MODE=stunnel${RESET}\n"
        printf "${DIM}  Or use the wizard: tunnelforge edit ${name}${RESET}\n\n"

        if ! confirm_action "Set up stunnel anyway?"; then
            return 0
        fi
        # Auto-enable if they proceed
        _os_prof[OBFS_MODE]="stunnel"
        _os_prof[OBFS_PORT]="$obfs_port"
        save_profile "$name" _os_prof 2>/dev/null || true
        log_info "Obfuscation enabled for profile '${name}'"
    fi

    printf "\n${BOLD_CYAN}═══ TLS Obfuscation Setup ═══${RESET}\n"
    printf "${DIM}Configuring stunnel on %s@%s to accept TLS on port %s${RESET}\n\n" "$user" "$host" "$obfs_port"

    printf "This will:\n"
    printf "  1. Install stunnel + openssl on the remote server\n"
    printf "  2. Generate a self-signed TLS certificate\n"
    printf "  3. Configure stunnel: port %s (TLS) → port %s (SSH)\n" "$obfs_port" "$ssh_port"
    printf "  4. Enable stunnel service and open firewall port\n\n"

    if ! confirm_action "Proceed with stunnel setup on ${host}?"; then
        log_info "Setup cancelled"
        return 0
    fi

    _obfs_remote_ssh _os_prof || { log_error "Cannot build SSH command"; return 1; }
    log_info "Connecting to ${user}@${host}..."

    local _rc=0
    _obfs_run_remote_setup "$obfs_port" "$ssh_port" || _rc=$?

    if (( _rc == 0 )); then
        log_success "Stunnel configured on ${host}:${obfs_port}"
        printf "\n${DIM}  SSH traffic will be wrapped in TLS — DPI sees HTTPS on port ${obfs_port}.${RESET}\n"
        printf "${DIM}  Start your tunnel: tunnelforge start ${name}${RESET}\n\n"
    elif (( _rc == 2 )); then
        log_error "Port ${obfs_port} is in use on ${host} — choose a different OBFS_PORT"
        return 1
    else
        log_error "Stunnel setup failed on ${host} (exit code: ${_rc})"
        return 1
    fi
    return 0
}

# Wizard entry: setup stunnel using profile nameref (before profile is saved)
_obfs_setup_stunnel_direct() {
    local -n _osd_prof="$1"
    local host="${_osd_prof[SSH_HOST]:-}"
    local ssh_port="${_osd_prof[SSH_PORT]:-22}"
    local obfs_port="${_osd_prof[OBFS_PORT]:-443}"
    local user="${_osd_prof[SSH_USER]:-$(config_get SSH_DEFAULT_USER root)}"

    if [[ -z "$host" ]]; then
        log_error "No SSH host configured"
        return 1
    fi

    printf "\n${BOLD_CYAN}═══ TLS Obfuscation Setup ═══${RESET}\n" >/dev/tty
    printf "${DIM}Configuring stunnel on %s@%s (port %s → %s)${RESET}\n\n" "$user" "$host" "$obfs_port" "$ssh_port" >/dev/tty

    _obfs_remote_ssh _osd_prof || { log_error "Cannot build SSH command"; return 1; }
    log_info "Connecting to ${user}@${host}..."

    local _rc=0
    _obfs_run_remote_setup "$obfs_port" "$ssh_port" || _rc=$?

    unset SSHPASS 2>/dev/null || true

    if (( _rc == 0 )); then
        log_success "Stunnel configured on ${host}:${obfs_port}"
    elif (( _rc == 2 )); then
        log_error "Port ${obfs_port} is in use on ${host}"
    else
        log_error "Stunnel setup failed (exit code: ${_rc})"
    fi
    return "$_rc"
}

# ── Local Stunnel (Inbound TLS + PSK) ──
# Wraps the SOCKS5/local listener with TLS+PSK so clients connect securely.
# Architecture: client ──TLS+PSK──→ stunnel ──→ 127.0.0.1:LOCAL_PORT

# Generate a random 32-byte hex PSK
_obfs_generate_psk() {
    local _psk=""
    if command -v openssl &>/dev/null; then
        _psk=$(openssl rand -hex 32 2>/dev/null) || true
    fi
    if [[ -z "$_psk" ]] && [[ -r /dev/urandom ]]; then
        _psk=$(head -c 32 /dev/urandom 2>/dev/null | od -An -tx1 2>/dev/null | tr -d ' \n') || true
    fi
    if [[ -z "$_psk" ]]; then
        # Last resort: bash $RANDOM (weaker but functional)
        local _i
        for _i in 1 2 3 4 5 6 7 8; do
            printf '%08x' "$RANDOM$RANDOM" 2>/dev/null
        done
        return 0
    fi
    printf '%s' "$_psk"
    return 0
}

# Write local stunnel config and PSK secrets file.
# Args: name local_port obfs_local_port psk
_obfs_write_local_conf() {
    local _name="$1" _lport="$2" _olport="$3" _psk="$4"
    local _conf_dir="${CONFIG_DIR}/stunnel"
    local _conf_file="${_conf_dir}/${_name}-local.conf"
    local _psk_file="${_conf_dir}/${_name}-local.psk"
    local _pid_f="${PID_DIR}/${_name}.stunnel"
    local _log_f="${LOG_DIR}/${_name}-stunnel.log"

    mkdir -p "$_conf_dir" 2>/dev/null || true

    # Write PSK secrets file (identity:key format)
    printf 'tunnelforge:%s\n' "$_psk" > "$_psk_file" 2>/dev/null || {
        log_error "Cannot write PSK file: $_psk_file"
        return 1
    }
    if ! chmod 600 "$_psk_file" 2>/dev/null; then
        log_error "Failed to secure PSK file permissions: $_psk_file"
        rm -f "$_psk_file" 2>/dev/null || true
        return 1
    fi

    # Write stunnel config — global options MUST come before [section]
    printf '; TunnelForge inbound TLS+PSK wrapper\n' > "$_conf_file"
    printf 'pid = %s\n' "$_pid_f" >> "$_conf_file"
    printf 'output = %s\n' "$_log_f" >> "$_conf_file"
    printf 'foreground = no\n\n' >> "$_conf_file"
    printf '[tunnelforge-inbound]\n' >> "$_conf_file"
    printf 'accept = 0.0.0.0:%s\n' "$_olport" >> "$_conf_file"
    printf 'connect = 127.0.0.1:%s\n' "$_lport" >> "$_conf_file"
    printf 'PSKsecrets = %s\n' "$_psk_file" >> "$_conf_file"
    printf 'ciphers = PSK\n' >> "$_conf_file"

    chmod 600 "$_conf_file" 2>/dev/null || true
    return 0
}

# Start local stunnel for inbound TLS+PSK.
# Args: name
# Reads profile to get LOCAL_PORT, OBFS_LOCAL_PORT, OBFS_PSK.
_obfs_start_local_stunnel() {
    local _name="$1"
    local -n _osl_prof="$2"
    local _lport="${_osl_prof[LOCAL_PORT]:-}"
    local _olport="${_osl_prof[OBFS_LOCAL_PORT]:-}"
    local _psk="${_osl_prof[OBFS_PSK]:-}"

    if [[ -z "$_olport" ]] || [[ "$_olport" == "0" ]]; then return 0; fi
    if [[ -z "$_lport" ]]; then
        log_warn "No LOCAL_PORT for local stunnel — skipping inbound TLS"
        return 0
    fi
    if [[ -z "$_psk" ]]; then
        log_warn "No PSK for local stunnel — skipping inbound TLS"
        return 0
    fi

    if ! command -v stunnel &>/dev/null && ! command -v stunnel4 &>/dev/null; then
        log_info "Installing stunnel for inbound TLS..."
        if [[ -n "${PKG_UPDATE:-}" ]]; then ${PKG_UPDATE} &>/dev/null || true; fi
        install_package "stunnel4" 2>/dev/null || install_package "stunnel" 2>/dev/null || true
        if ! command -v stunnel &>/dev/null && ! command -v stunnel4 &>/dev/null; then
            log_error "Failed to install stunnel — inbound TLS unavailable"
            return 1
        fi
        log_success "stunnel installed"
    fi

    # Write config + PSK file (includes global options at top)
    _obfs_write_local_conf "$_name" "$_lport" "$_olport" "$_psk" || return 1

    local _conf_file="${CONFIG_DIR}/stunnel/${_name}-local.conf"
    local _pid_f="${PID_DIR}/${_name}.stunnel"
    local _log_f="${LOG_DIR}/${_name}-stunnel.log"

    # Check if OBFS_LOCAL_PORT is already in use
    if is_port_in_use "$_olport" "0.0.0.0"; then
        log_error "Inbound TLS port ${_olport} already in use"
        return 1
    fi

    # Launch stunnel
    local _stunnel_bin="stunnel"
    if ! command -v stunnel &>/dev/null; then _stunnel_bin="stunnel4"; fi

    "$_stunnel_bin" "$_conf_file" >> "$_log_f" 2>&1 || {
        log_error "Local stunnel failed to start (check ${_log_f})"
        return 1
    }

    # Wait for stunnel to actually listen on the port (not just PID file)
    local _sw
    for _sw in 1 2 3 4 5; do
        if is_port_in_use "$_olport" "0.0.0.0"; then break; fi
        sleep 1
    done

    if is_port_in_use "$_olport" "0.0.0.0"; then
        local _spid=""
        _spid=$(cat "$_pid_f" 2>/dev/null) || true
        log_success "Inbound TLS active on 0.0.0.0:${_olport} → 127.0.0.1:${_lport} (PID: ${_spid:-?})"
    else
        log_error "stunnel failed to listen on port ${_olport} (check ${_log_f})"
        return 1
    fi
    return 0
}

# Stop local stunnel for a profile.
# Args: name
_obfs_stop_local_stunnel() {
    local _name="$1"
    local _pid_f="${PID_DIR}/${_name}.stunnel"
    local _conf_dir="${CONFIG_DIR}/stunnel"

    if [[ ! -f "$_pid_f" ]]; then return 0; fi

    local _spid=""
    _spid=$(cat "$_pid_f" 2>/dev/null) || true
    if [[ -n "$_spid" ]] && kill -0 "$_spid" 2>/dev/null; then
        log_info "Stopping local stunnel (PID: ${_spid})..."
        kill "$_spid" 2>/dev/null || true
        local _sw=0
        while (( _sw < 3 )) && kill -0 "$_spid" 2>/dev/null; do
            sleep 1; (( ++_sw ))
        done
        if kill -0 "$_spid" 2>/dev/null; then
            kill -9 "$_spid" 2>/dev/null || true
        fi
    fi

    # Clean up files
    rm -f "$_pid_f" \
          "${_conf_dir}/${_name}-local.conf" \
          "${_conf_dir}/${_name}-local.psk" 2>/dev/null || true
    return 0
}

# Display client stunnel config for the user to copy.
# Args: name prof_ref
_obfs_show_client_config() {
    local _name="$1"
    local -n _occ_prof="$2"
    local _olport="${_occ_prof[OBFS_LOCAL_PORT]:-}"
    local _psk="${_occ_prof[OBFS_PSK]:-}"
    local _lport="${_occ_prof[LOCAL_PORT]:-}"
    local _host=""

    if [[ -z "$_olport" ]] || [[ "$_olport" == "0" ]]; then return 0; fi

    # Determine the server's reachable IP/hostname
    _host="${_occ_prof[SSH_HOST]:-localhost}"
    # If this machine has a public IP, try to detect it
    local _pub_ip=""
    _pub_ip=$(ip -4 route get 1.1.1.1 2>/dev/null | grep -oE 'src [0-9.]+' | cut -d' ' -f2) || true
    if [[ -n "$_pub_ip" ]]; then _host="$_pub_ip"; fi

    printf "\n${BOLD_CYAN}═══ Client Connection Info ═══${RESET}\n"
    printf "${DIM}Users connect to this server via TLS+PSK on port ${_olport}${RESET}\n\n"

    printf "${BOLD}Server address:${RESET}  %s:%s\n" "$_host" "$_olport"
    printf "${BOLD}PSK identity:${RESET}    tunnelforge\n"
    printf "${BOLD}PSK secret:${RESET}      %s\n" "$_psk"
    printf "${BOLD}SOCKS5 port:${RESET}     %s (tunneled through TLS)\n\n" "$_lport"

    printf "${BOLD}── Client stunnel.conf ──${RESET}\n"
    printf "${DIM}Save this on the user's PC and run: stunnel stunnel.conf${RESET}\n\n"
    printf "[tunnelforge]\n"
    printf "client = yes\n"
    printf "accept = 127.0.0.1:%s\n" "$_lport"
    printf "connect = %s:%s\n" "$_host" "$_olport"
    printf "PSKsecrets = psk.txt\n"
    printf "ciphers = PSK\n\n"

    printf "${BOLD}── psk.txt ──${RESET}\n"
    printf "tunnelforge:%s\n\n" "$_psk"

    printf "${DIM}After setup, configure browser/apps to use SOCKS5 proxy:${RESET}\n"
    printf "${DIM}  127.0.0.1:%s (on the user's PC)${RESET}\n\n" "$_lport"
    return 0
}

# Show all profiles with inbound TLS+PSK configured — admin quick-reference
# for sharing client connection details.
_menu_client_configs() {
    _menu_header "Client Configs"
    printf "  ${DIM}Profiles with inbound TLS+PSK protection${RESET}\n\n" >/dev/tty

    local _mcc_profiles _mcc_found=0
    _mcc_profiles=$(list_profiles) || true
    if [[ -z "$_mcc_profiles" ]]; then
        printf "  ${YELLOW}No profiles found.${RESET}\n" >/dev/tty
        return 0
    fi

    # Detect this machine's IP once
    local _mcc_pub_ip=""
    _mcc_pub_ip=$(ip -4 route get 1.1.1.1 2>/dev/null | grep -oE 'src [0-9.]+' | cut -d' ' -f2) || true

    while IFS= read -r _mcc_name; do
        [[ -z "$_mcc_name" ]] && continue
        local -A _mcc_p=()
        load_profile "$_mcc_name" _mcc_p || continue

        local _mcc_olport="${_mcc_p[OBFS_LOCAL_PORT]:-}"
        [[ -z "$_mcc_olport" ]] || [[ "$_mcc_olport" == "0" ]] && { unset _mcc_p; continue; }

        local _mcc_psk="${_mcc_p[OBFS_PSK]:-}"
        local _mcc_lport="${_mcc_p[LOCAL_PORT]:-1080}"
        local _mcc_host="${_mcc_pub_ip:-${_mcc_p[SSH_HOST]:-localhost}}"
        local _mcc_running=""
        if is_tunnel_running "$_mcc_name"; then
            _mcc_running="${GREEN}ALIVE${RESET}"
        else
            _mcc_running="${RED}STOPPED${RESET}"
        fi

        (( ++_mcc_found ))

        printf "  ${BOLD_CYAN}┌─── %s [%b]${RESET}\n" "$_mcc_name" "$_mcc_running" >/dev/tty
        printf "  ${CYAN}│${RESET}  ${BOLD}Server address:${RESET}    %s\n" "$_mcc_host" >/dev/tty
        printf "  ${CYAN}│${RESET}  ${BOLD}Port:${RESET}              %s\n" "$_mcc_olport" >/dev/tty
        printf "  ${CYAN}│${RESET}  ${BOLD}Local SOCKS5 port:${RESET} %s ${DIM}(default for client)${RESET}\n" "$_mcc_lport" >/dev/tty
        printf "  ${CYAN}│${RESET}  ${BOLD}PSK secret key:${RESET}    %s\n" "$_mcc_psk" >/dev/tty
        printf "  ${CYAN}└───${RESET}\n\n" >/dev/tty

        unset _mcc_p
    done <<< "$_mcc_profiles"

    if (( _mcc_found == 0 )); then
        printf "  ${YELLOW}No profiles have inbound TLS+PSK configured.${RESET}\n" >/dev/tty
        printf "  ${DIM}Create a tunnel with inbound protection enabled to see configs here.${RESET}\n" >/dev/tty
    else
        printf "  ${DIM}─────────────────────────────────────────────${RESET}\n" >/dev/tty
        printf "  ${DIM}Give clients the Server, Port, and PSK above.${RESET}\n" >/dev/tty
        printf "  ${DIM}They can use tunnelforge-client.bat (Windows) or the Linux script.${RESET}\n" >/dev/tty
        printf "  ${DIM}CLI: tunnelforge client-config <name> │ tunnelforge client-script <name>${RESET}\n" >/dev/tty
    fi
    printf "\n" >/dev/tty
    return 0
}

# Generate a self-contained client setup script.
# Users run this on their PC and it installs stunnel + connects automatically.
# Args: name prof_ref [output_file]
_obfs_generate_client_script() {
    local _name="$1"
    local -n _ogs_prof="$2"
    local _out="${3:-}"
    local _olport="${_ogs_prof[OBFS_LOCAL_PORT]:-}"
    local _psk="${_ogs_prof[OBFS_PSK]:-}"
    local _lport="${_ogs_prof[LOCAL_PORT]:-}"

    if [[ -z "$_olport" ]] || [[ "$_olport" == "0" ]]; then
        log_error "No inbound TLS configured on profile '$_name'"
        return 1
    fi
    if [[ -z "$_psk" ]]; then
        log_error "No PSK configured on profile '$_name'"
        return 1
    fi

    # Determine server IP
    local _host=""
    _host="${_ogs_prof[SSH_HOST]:-localhost}"
    local _pub_ip=""
    _pub_ip=$(ip -4 route get 1.1.1.1 2>/dev/null | grep -oE 'src [0-9.]+' | cut -d' ' -f2) || true
    if [[ -n "$_pub_ip" ]]; then _host="$_pub_ip"; fi

    # Validate interpolated values to prevent injection in generated script
    if ! [[ "$_psk" =~ ^[a-fA-F0-9]+$ ]]; then
        log_error "PSK contains invalid characters (expected hex)"
        return 1
    fi
    if ! [[ "$_host" =~ ^[a-zA-Z0-9._-]+$ ]]; then
        log_error "Host contains invalid characters"
        return 1
    fi
    if ! [[ "$_olport" =~ ^[0-9]+$ ]] || ! [[ "$_lport" =~ ^[0-9]+$ ]]; then
        log_error "Port values must be numeric"
        return 1
    fi

    # Default output file
    if [[ -z "$_out" ]]; then
        _out="${CONFIG_DIR}/tunnelforge-connect.sh"
    fi

    cat > "$_out" << CLIENTSCRIPT
#!/usr/bin/env bash
# ═══════════════════════════════════════════════════════
# TunnelForge Client Connect Script
# Generated: $(date '+%Y-%m-%d %H:%M:%S')
# Server: ${_host}:${_olport}
# ═══════════════════════════════════════════════════════
set -e

SERVER="${_host}"
PORT="${_olport}"
LOCAL_PORT="${_lport}"
PSK_IDENTITY="tunnelforge"
PSK_SECRET="${_psk}"

CONF_DIR="\${HOME}/.tunnelforge-client"
CONF_FILE="\${CONF_DIR}/stunnel.conf"
PSK_FILE="\${CONF_DIR}/psk.txt"
PID_FILE="\${CONF_DIR}/stunnel.pid"
LOG_FILE="\${CONF_DIR}/stunnel.log"

RED='\033[0;31m'; GREEN='\033[0;32m'; CYAN='\033[0;36m'
BOLD='\033[1m'; DIM='\033[2m'; RESET='\033[0m'

info()  { printf "\${GREEN}[+]\${RESET} %s\n" "\$1"; }
error() { printf "\${RED}[!]\${RESET} %s\n" "\$1"; }
dim()   { printf "\${DIM}%s\${RESET}\n" "\$1"; }

# ── Stop ──
do_stop() {
    if [[ -f "\$PID_FILE" ]]; then
        local pid=""
        pid=\$(cat "\$PID_FILE" 2>/dev/null) || true
        if [[ -n "\$pid" ]] && kill -0 "\$pid" 2>/dev/null; then
            kill "\$pid" 2>/dev/null || true
            info "Disconnected (PID: \$pid)"
        fi
        rm -f "\$PID_FILE" 2>/dev/null || true
    else
        error "Not connected"
    fi
    exit 0
}

# ── Status ──
do_status() {
    if [[ -f "\$PID_FILE" ]]; then
        local pid=""
        pid=\$(cat "\$PID_FILE" 2>/dev/null) || true
        if [[ -n "\$pid" ]] && kill -0 "\$pid" 2>/dev/null; then
            info "Connected (PID: \$pid)"
            dim "SOCKS5 proxy: 127.0.0.1:\${LOCAL_PORT}"
            exit 0
        fi
    fi
    error "Not connected"
    exit 1
}

case "\${1:-}" in
    stop)   do_stop ;;
    status) do_status ;;
esac

printf "\n\${BOLD}\${CYAN}═══ TunnelForge Client ═══\${RESET}\n"
printf "\${DIM}Connecting to \${SERVER}:\${PORT} via TLS+PSK\${RESET}\n\n"

# ── Check/install stunnel ──
if ! command -v stunnel >/dev/null 2>&1 && ! command -v stunnel4 >/dev/null 2>&1; then
    info "Installing stunnel..."
    if command -v apt-get >/dev/null 2>&1; then
        sudo apt-get update -qq && sudo apt-get install -y -qq stunnel4
    elif command -v dnf >/dev/null 2>&1; then
        sudo dnf install -y -q stunnel
    elif command -v yum >/dev/null 2>&1; then
        sudo yum install -y -q stunnel
    elif command -v pacman >/dev/null 2>&1; then
        sudo pacman -S --noconfirm stunnel
    elif command -v brew >/dev/null 2>&1; then
        brew install stunnel
    else
        error "Cannot install stunnel automatically"
        error "Install it manually: https://www.stunnel.org/downloads.html"
        exit 1
    fi
fi

if ! command -v stunnel >/dev/null 2>&1 && ! command -v stunnel4 >/dev/null 2>&1; then
    error "stunnel installation failed"
    exit 1
fi
info "stunnel found"

# ── Already running? ──
if [[ -f "\$PID_FILE" ]]; then
    old_pid=\$(cat "\$PID_FILE" 2>/dev/null) || true
    if [[ -n "\$old_pid" ]] && kill -0 "\$old_pid" 2>/dev/null; then
        info "Already connected (PID: \$old_pid)"
        dim "SOCKS5 proxy: 127.0.0.1:\${LOCAL_PORT}"
        dim "Run '\$0 stop' to disconnect"
        exit 0
    fi
    rm -f "\$PID_FILE" 2>/dev/null || true
fi

# ── Write config ──
mkdir -p "\$CONF_DIR" 2>/dev/null
chmod 700 "\$CONF_DIR" 2>/dev/null || true

printf '%s:%s\n' "\$PSK_IDENTITY" "\$PSK_SECRET" > "\$PSK_FILE"
chmod 600 "\$PSK_FILE"

cat > "\$CONF_FILE" << STCONF
; TunnelForge client config
pid = \${PID_FILE}
output = \${LOG_FILE}
foreground = no

[tunnelforge]
client = yes
accept = 127.0.0.1:\${LOCAL_PORT}
connect = \${SERVER}:\${PORT}
PSKsecrets = \${PSK_FILE}
ciphers = PSK
STCONF

# ── Connect ──
STUNNEL_BIN="stunnel"
if ! command -v stunnel >/dev/null 2>&1; then STUNNEL_BIN="stunnel4"; fi

"\$STUNNEL_BIN" "\$CONF_FILE" 2>/dev/null || {
    error "Failed to connect (check \$LOG_FILE)"
    exit 1
}

sleep 1
if [[ -f "\$PID_FILE" ]]; then
    pid=\$(cat "\$PID_FILE" 2>/dev/null) || true
    if [[ -n "\$pid" ]] && kill -0 "\$pid" 2>/dev/null; then
        printf "\n"
        info "Connected! (PID: \$pid)"
        printf "\n"
        printf "  \${BOLD}SOCKS5 proxy:\${RESET}  127.0.0.1:\${LOCAL_PORT}\n"
        printf "\n"
        dim "  Browser setup: Settings → Proxy → Manual"
        dim "    SOCKS Host: 127.0.0.1   Port: \${LOCAL_PORT}"
        dim "    Select SOCKS v5, enable Proxy DNS"
        printf "\n"
        dim "  Commands:"
        dim "    \$0 status  — check connection"
        dim "    \$0 stop    — disconnect"
        printf "\n"
        exit 0
    fi
fi
error "Connection failed (check \$LOG_FILE)"
exit 1
CLIENTSCRIPT

    chmod +x "$_out" 2>/dev/null || true
    log_success "Linux/Mac script: $_out"
    printf "  ${BOLD}./tunnelforge-connect.sh${RESET}          # Connect\n"
    printf "  ${BOLD}./tunnelforge-connect.sh stop${RESET}     # Disconnect\n"
    printf "  ${BOLD}./tunnelforge-connect.sh status${RESET}   # Check status\n\n"
    return 0
}

# Generate a Windows PowerShell client connect script.
# Args: name prof_ref [output_file]
_obfs_generate_client_script_win() {
    local _name="$1"
    local -n _ogw_prof="$2"
    local _out="${3:-}"
    local _olport="${_ogw_prof[OBFS_LOCAL_PORT]:-}"
    local _psk="${_ogw_prof[OBFS_PSK]:-}"
    local _lport="${_ogw_prof[LOCAL_PORT]:-}"

    if [[ -z "$_olport" ]] || [[ "$_olport" == "0" ]]; then
        log_error "No inbound TLS configured on profile '$_name'"
        return 1
    fi
    if [[ -z "$_psk" ]]; then
        log_error "No PSK configured on profile '$_name'"
        return 1
    fi

    local _host=""
    _host="${_ogw_prof[SSH_HOST]:-localhost}"
    local _pub_ip=""
    _pub_ip=$(ip -4 route get 1.1.1.1 2>/dev/null | grep -oE 'src [0-9.]+' | cut -d' ' -f2) || true
    if [[ -n "$_pub_ip" ]]; then _host="$_pub_ip"; fi

    # Validate interpolated values to prevent injection in generated script
    if ! [[ "$_psk" =~ ^[a-fA-F0-9]+$ ]]; then
        log_error "PSK contains invalid characters (expected hex)"
        return 1
    fi
    if ! [[ "$_host" =~ ^[a-zA-Z0-9._-]+$ ]]; then
        log_error "Host contains invalid characters"
        return 1
    fi
    if ! [[ "$_olport" =~ ^[0-9]+$ ]] || ! [[ "$_lport" =~ ^[0-9]+$ ]]; then
        log_error "Port values must be numeric"
        return 1
    fi

    if [[ -z "$_out" ]]; then
        _out="${CONFIG_DIR}/tunnelforge-connect.ps1"
    fi

    cat > "$_out" << 'WINSCRIPT_TOP'
# ═══════════════════════════════════════════════════════
# TunnelForge Client Connect Script (Windows)
WINSCRIPT_TOP

    cat >> "$_out" << WINSCRIPT_VARS
# Generated: $(date '+%Y-%m-%d %H:%M:%S')
# Server: ${_host}:${_olport}
# ═══════════════════════════════════════════════════════

\$Server = "${_host}"
\$Port = "${_olport}"
\$LocalPort = "${_lport}"
\$PskIdentity = "tunnelforge"
\$PskSecret = "${_psk}"
WINSCRIPT_VARS

    cat >> "$_out" << 'WINSCRIPT_BODY'

$ConfDir = "$env:USERPROFILE\.tunnelforge-client"
$StunnelDir = "$ConfDir\stunnel"
$ConfFile = "$ConfDir\stunnel.conf"
$PskFile = "$ConfDir\psk.txt"
$PidFile = "$ConfDir\stunnel.pid"
$LogFile = "$ConfDir\stunnel.log"
$StunnelExe = "$StunnelDir\stunnel.exe"
$StunnelZip = "$ConfDir\stunnel.zip"
$StunnelUrl = "https://www.stunnel.org/downloads/stunnel-5.72-win64-installer.exe"

function Write-Info($msg) { Write-Host "[+] $msg" -ForegroundColor Green }
function Write-Err($msg)  { Write-Host "[!] $msg" -ForegroundColor Red }
function Write-Dim($msg)  { Write-Host "    $msg" -ForegroundColor DarkGray }

# ── Stop ──
if ($args[0] -eq "stop") {
    if (Test-Path $PidFile) {
        $pid = Get-Content $PidFile -ErrorAction SilentlyContinue
        if ($pid) {
            try { Stop-Process -Id $pid -Force -ErrorAction Stop; Write-Info "Disconnected (PID: $pid)" }
            catch { Write-Err "Process $pid not found" }
        }
        Remove-Item $PidFile -Force -ErrorAction SilentlyContinue
    } else { Write-Err "Not connected" }
    exit
}

# ── Status ──
if ($args[0] -eq "status") {
    if (Test-Path $PidFile) {
        $pid = Get-Content $PidFile -ErrorAction SilentlyContinue
        if ($pid) {
            try {
                Get-Process -Id $pid -ErrorAction Stop | Out-Null
                Write-Info "Connected (PID: $pid)"
                Write-Dim "SOCKS5 proxy: 127.0.0.1:$LocalPort"
                exit 0
            } catch {}
        }
    }
    Write-Err "Not connected"
    exit 1
}

Write-Host ""
Write-Host "=== TunnelForge Client ===" -ForegroundColor Cyan
Write-Host "Connecting to ${Server}:${Port} via TLS+PSK" -ForegroundColor DarkGray
Write-Host ""

# ── Create config dir ──
if (-not (Test-Path $ConfDir)) { New-Item -ItemType Directory -Path $ConfDir -Force | Out-Null }

# ── Find or install stunnel ──
$stunnel = $null

# Check common locations
$searchPaths = @(
    "$StunnelExe",
    "C:\Program Files (x86)\stunnel\bin\stunnel.exe",
    "C:\Program Files\stunnel\bin\stunnel.exe",
    "$env:ProgramFiles\stunnel\bin\stunnel.exe",
    "${env:ProgramFiles(x86)}\stunnel\bin\stunnel.exe"
)
foreach ($p in $searchPaths) {
    if (Test-Path $p) { $stunnel = $p; break }
}

# Check PATH
if (-not $stunnel) {
    $inPath = Get-Command stunnel -ErrorAction SilentlyContinue
    if ($inPath) { $stunnel = $inPath.Source }
}

if (-not $stunnel) {
    Write-Info "stunnel not found. Please install it:"
    Write-Host ""
    Write-Host "  Option 1: Download from https://www.stunnel.org/downloads.html" -ForegroundColor Yellow
    Write-Host "            Install the Win64 version" -ForegroundColor DarkGray
    Write-Host ""
    Write-Host "  Option 2: Using winget:" -ForegroundColor Yellow
    Write-Host "            winget install stunnel" -ForegroundColor White
    Write-Host ""
    Write-Host "  Option 3: Using chocolatey:" -ForegroundColor Yellow
    Write-Host "            choco install stunnel" -ForegroundColor White
    Write-Host ""
    Write-Host "After installing, run this script again." -ForegroundColor DarkGray
    exit 1
}

Write-Info "stunnel found: $stunnel"

# ── Check if already running ──
if (Test-Path $PidFile) {
    $oldPid = Get-Content $PidFile -ErrorAction SilentlyContinue
    if ($oldPid) {
        try {
            Get-Process -Id $oldPid -ErrorAction Stop | Out-Null
            Write-Info "Already connected (PID: $oldPid)"
            Write-Dim "SOCKS5 proxy: 127.0.0.1:$LocalPort"
            Write-Dim "Run '$($MyInvocation.MyCommand.Name) stop' to disconnect"
            exit 0
        } catch {}
    }
    Remove-Item $PidFile -Force -ErrorAction SilentlyContinue
}

# ── Write config files ──
Set-Content -Path $PskFile -Value "${PskIdentity}:${PskSecret}" -Force
Set-Content -Path $ConfFile -Value @"
; TunnelForge client config
pid = $PidFile
output = $LogFile
foreground = no

[tunnelforge]
client = yes
accept = 127.0.0.1:$LocalPort
connect = ${Server}:${Port}
PSKsecrets = $PskFile
ciphers = PSK
"@ -Force

# ── Connect ──
Write-Info "Connecting..."
$proc = Start-Process -FilePath $stunnel -ArgumentList "`"$ConfFile`"" -PassThru -NoNewWindow -ErrorAction SilentlyContinue

Start-Sleep -Seconds 2

# Check if stunnel created a PID file or is running
if (Test-Path $PidFile) {
    $newPid = Get-Content $PidFile -ErrorAction SilentlyContinue
    if ($newPid) {
        try {
            Get-Process -Id $newPid -ErrorAction Stop | Out-Null
            Write-Host ""
            Write-Info "Connected! (PID: $newPid)"
            Write-Host ""
            Write-Host "  SOCKS5 proxy:  127.0.0.1:$LocalPort" -ForegroundColor White
            Write-Host ""
            Write-Dim "Browser setup: Settings > Proxy > Manual"
            Write-Dim "  SOCKS Host: 127.0.0.1   Port: $LocalPort"
            Write-Dim "  Select SOCKS v5, enable Proxy DNS"
            Write-Host ""
            Write-Dim "Commands:"
            Write-Dim "  .\$($MyInvocation.MyCommand.Name) status  - check connection"
            Write-Dim "  .\$($MyInvocation.MyCommand.Name) stop    - disconnect"
            Write-Host ""
            exit 0
        } catch {}
    }
}

# Fallback: check if process is running
if ($proc -and -not $proc.HasExited) {
    Write-Host ""
    Write-Info "Connected! (PID: $($proc.Id))"
    Set-Content -Path $PidFile -Value $proc.Id
    Write-Host ""
    Write-Host "  SOCKS5 proxy:  127.0.0.1:$LocalPort" -ForegroundColor White
    Write-Host ""
    exit 0
}

Write-Err "Connection failed (check $LogFile)"
exit 1
WINSCRIPT_BODY

    log_success "Windows script: $_out"
    printf "  ${BOLD}powershell -ExecutionPolicy Bypass -File tunnelforge-connect.ps1${RESET}          # Connect\n"
    printf "  ${BOLD}powershell -ExecutionPolicy Bypass -File tunnelforge-connect.ps1 stop${RESET}     # Disconnect\n"
    printf "  ${BOLD}powershell -ExecutionPolicy Bypass -File tunnelforge-connect.ps1 status${RESET}   # Check\n\n"
    printf "${DIM}Send both files to users — .sh for Linux/Mac, .ps1 for Windows.${RESET}\n\n"
    return 0
}

# ── Systemd Service Management ──
# Generates and manages systemd unit files for tunnel profiles

_service_unit_path() {
    printf "%s/tunnelforge-%s.service" "$_SYSTEMD_DIR" "$1"
}

generate_service() {
    local name="$1"

    if [[ $EUID -ne 0 ]]; then
        log_error "Service management requires root privileges"
        return 1
    fi
    if [[ "$INIT_SYSTEM" != "systemd" ]]; then
        log_error "Systemd is required (detected: ${INIT_SYSTEM})"
        return 1
    fi

    local -A _svc_prof
    load_profile "$name" _svc_prof 2>/dev/null || {
        log_error "Cannot load profile '${name}'"
        return 1
    }

    local tunnel_type="${_svc_prof[TUNNEL_TYPE]:-socks5}"
    local ssh_host="${_svc_prof[SSH_HOST]:-}"
    local ssh_port="${_svc_prof[SSH_PORT]:-22}"
    local ssh_user="${_svc_prof[SSH_USER]:-$(config_get SSH_DEFAULT_USER root)}"

    if [[ -z "$ssh_host" ]]; then
        log_error "No SSH host in profile '${name}'"
        return 1
    fi

    local unit_file
    unit_file=$(_service_unit_path "$name")

    # Escape % for systemd specifier safety in all user-derived fields
    local safe_name="${name//%/%%}"
    local exec_cmd="${INSTALL_DIR}/tunnelforge.sh start ${safe_name}"

    # Build description
    local desc="TunnelForge ${tunnel_type} tunnel '${name}' (${ssh_user}@${ssh_host}:${ssh_port})"
    desc="${desc//%/%%}"

    {
        printf "[Unit]\n"
        printf "Description=%s\n" "$desc"
        printf "Documentation=man:ssh(1)\n"
        printf "After=network-online.target\n"
        printf "Wants=network-online.target\n"
        printf "StartLimitIntervalSec=60\n"
        printf "StartLimitBurst=3\n"
        printf "\n"
        printf "[Service]\n"
        printf "Type=oneshot\n"
        printf "RemainAfterExit=yes\n"
        printf "ExecStart=%s\n" "$exec_cmd"
        printf "ExecStop=%s stop %s\n" "${INSTALL_DIR}/tunnelforge.sh" "$safe_name"
        printf "TimeoutStartSec=30\n"
        printf "TimeoutStopSec=15\n"
        printf "\n"
        printf "# Security sandboxing\n"
        local _needs_net_admin=false _needs_resolv=false
        if [[ "${_svc_prof[KILL_SWITCH]:-}" == "true" ]]; then _needs_net_admin=true; fi
        if [[ "${_svc_prof[DNS_LEAK_PROTECTION]:-}" == "true" ]]; then _needs_resolv=true; fi
        printf "ProtectSystem=strict\n"
        printf "ProtectHome=tmpfs\n"
        local _svc_home
        _svc_home=$(getent passwd root 2>/dev/null | cut -d: -f6) || true
        : "${_svc_home:=/root}"
        printf "BindReadOnlyPaths=%s/.ssh\n" "$_svc_home"
        printf "ReadWritePaths=%s\n" "$INSTALL_DIR"
        if [[ "$_needs_resolv" == true ]]; then
            printf "ReadWritePaths=/etc\n"
        fi
        printf "PrivateTmp=true\n"
        # Build capabilities dynamically based on features
        local _caps=""
        if [[ "$_needs_net_admin" == true ]]; then _caps="CAP_NET_ADMIN CAP_NET_RAW"; fi
        if [[ "$_needs_resolv" == true ]]; then
            if [[ -n "$_caps" ]]; then _caps="${_caps} CAP_LINUX_IMMUTABLE"; else _caps="CAP_LINUX_IMMUTABLE"; fi
        fi
        if [[ -n "$_caps" ]]; then
            printf "AmbientCapabilities=%s\n" "$_caps"
            printf "CapabilityBoundingSet=%s\n" "$_caps"
        else
            printf "NoNewPrivileges=true\n"
        fi
        printf "\n"
        printf "[Install]\n"
        printf "WantedBy=multi-user.target\n"
    } > "$unit_file" 2>/dev/null || {
        log_error "Failed to write service file: ${unit_file}"
        return 1
    }

    chmod 644 "$unit_file" 2>/dev/null || true
    systemctl daemon-reload 2>/dev/null || true

    log_success "Service file created: ${unit_file}"
    printf "\n${DIM}Manage with:${RESET}\n"
    printf "  systemctl enable  tunnelforge-%s    ${DIM}# Start on boot${RESET}\n" "$name"
    printf "  systemctl start   tunnelforge-%s    ${DIM}# Start now${RESET}\n" "$name"
    printf "  systemctl status  tunnelforge-%s    ${DIM}# Check status${RESET}\n" "$name"
    printf "  systemctl stop    tunnelforge-%s    ${DIM}# Stop${RESET}\n" "$name"
    printf "  systemctl disable tunnelforge-%s    ${DIM}# Remove from boot${RESET}\n\n" "$name"
    return 0
}

enable_service() {
    local name="$1"

    if [[ $EUID -ne 0 ]]; then
        log_error "Service management requires root privileges"
        return 1
    fi

    local unit_file
    unit_file=$(_service_unit_path "$name")

    if [[ ! -f "$unit_file" ]]; then
        log_info "No service file found, generating..."
        generate_service "$name" || return 1
    fi

    systemctl enable "tunnelforge-${name}" 2>/dev/null || {
        log_error "Failed to enable service"
        return 1
    }
    systemctl start "tunnelforge-${name}" 2>/dev/null || {
        log_error "Failed to start service"
        return 1
    }
    log_success "Service tunnelforge-${name} enabled and started"
    return 0
}

disable_service() {
    local name="$1"

    if [[ $EUID -ne 0 ]]; then
        log_error "Service management requires root privileges"
        return 1
    fi

    systemctl stop "tunnelforge-${name}" 2>/dev/null || true
    systemctl disable "tunnelforge-${name}" 2>/dev/null || true
    log_success "Service tunnelforge-${name} stopped and disabled"
    return 0
}

remove_service() {
    local name="$1"

    if [[ $EUID -ne 0 ]]; then
        log_error "Service management requires root privileges"
        return 1
    fi

    disable_service "$name" || true

    local unit_file
    unit_file=$(_service_unit_path "$name")
    if [[ -f "$unit_file" ]]; then
        rm -f "$unit_file" 2>/dev/null || true
        systemctl daemon-reload 2>/dev/null || true
        log_success "Removed service file: ${unit_file}"
    else
        log_info "No service file to remove"
    fi
    return 0
}

service_status() {
    local name="$1"

    local unit_name="tunnelforge-${name}"
    local unit_file
    unit_file=$(_service_unit_path "$name")

    printf "\n${BOLD}Service: %s${RESET}\n" "$unit_name"

    if [[ ! -f "$unit_file" ]]; then
        printf "  ${DIM}■${RESET} No service file\n\n"
        return 0
    fi

    local _svc_active _svc_enabled
    _svc_active=$(systemctl is-active "$unit_name" 2>/dev/null) || true
    _svc_enabled=$(systemctl is-enabled "$unit_name" 2>/dev/null) || true

    if [[ "$_svc_active" == "active" ]]; then
        printf "  ${GREEN}●${RESET} Status:  active (running)\n"
    elif [[ "$_svc_active" == "activating" ]]; then
        printf "  ${YELLOW}▲${RESET} Status:  activating\n"
    else
        printf "  ${DIM}■${RESET} Status:  %s\n" "${_svc_active:-unknown}"
    fi

    if [[ "$_svc_enabled" == "enabled" ]]; then
        printf "  ${GREEN}●${RESET} Boot:    enabled\n"
    else
        printf "  ${DIM}■${RESET} Boot:    %s\n" "${_svc_enabled:-disabled}"
    fi

    # Show recent log entries
    if command -v journalctl &>/dev/null; then
        printf "\n${DIM}Recent logs (last 5 lines):${RESET}\n"
        journalctl -u "$unit_name" --no-pager -n 5 2>/dev/null || true
    fi
    printf "\n"
    return 0
}

# ── Service interactive menu ──

_menu_service() {
    local name="$1"

    while true; do
        clear >/dev/tty 2>/dev/null || true
        printf "\n${BOLD_CYAN}═══ Service Manager: %s ═══${RESET}\n\n" "$name" >/dev/tty

        printf "  ${CYAN}1${RESET}) Generate service file\n" >/dev/tty
        printf "  ${CYAN}2${RESET}) Enable + start service\n" >/dev/tty
        printf "  ${CYAN}3${RESET}) Disable + stop service\n" >/dev/tty
        printf "  ${CYAN}4${RESET}) Show service status\n" >/dev/tty
        printf "  ${CYAN}5${RESET}) Remove service file\n" >/dev/tty
        printf "  ${YELLOW}q${RESET}) Back\n\n" >/dev/tty

        local _sv_choice
        printf "  ${BOLD}Select${RESET}: " >/dev/tty
        read -rsn1 _sv_choice </dev/tty || true
        _drain_esc _sv_choice
        printf "\n" >/dev/tty

        case "$_sv_choice" in
            1) generate_service "$name" || true; _press_any_key ;;
            2) enable_service "$name" || true; _press_any_key ;;
            3) disable_service "$name" || true; _press_any_key ;;
            4) service_status "$name" || true; _press_any_key ;;
            5)
                if confirm_action "Remove service for '${name}'?"; then
                    remove_service "$name" || true
                fi
                _press_any_key ;;
            q|Q) return 0 ;;
            *) true ;;
        esac
    done
}

# ── Backup & Restore ──

backup_tunnelforge() {
    local timestamp
    timestamp=$(date '+%Y%m%d_%H%M%S')
    local backup_name="tunnelforge_backup_${timestamp}.tar.gz"
    local backup_path="${BACKUP_DIR}/${backup_name}"

    mkdir -p "$BACKUP_DIR" 2>/dev/null || true

    log_info "Creating backup: ${backup_name}..."

    # Build list of paths to include
    local -a _bk_paths=()
    if [[ -d "$CONFIG_DIR" ]]; then _bk_paths+=("$CONFIG_DIR"); fi
    if [[ -d "$PROFILES_DIR" ]]; then _bk_paths+=("$PROFILES_DIR"); fi
    if [[ -d "$DATA_DIR" ]]; then _bk_paths+=("$DATA_DIR"); fi

    # Include security-related backups (sshd_config, iptables rules)
    if [[ -d "$BACKUP_DIR" ]]; then
        _bk_paths+=("$BACKUP_DIR")
    fi

    if [[ ${#_bk_paths[@]} -eq 0 ]]; then
        log_error "Nothing to backup"
        return 1
    fi

    if tar czf "$backup_path" --exclude='*.tar.gz' "${_bk_paths[@]}" 2>/dev/null; then
        chmod 600 "$backup_path" 2>/dev/null || true
        local _bk_size
        _bk_size=$(stat -c %s "$backup_path" 2>/dev/null || stat -f %z "$backup_path" 2>/dev/null) || true
        _bk_size=$(format_bytes "${_bk_size:-0}")
        log_success "Backup created: ${backup_path} (${_bk_size})"

        # Rotate old backups (keep last 5)
        local _bk_count
        _bk_count=$(find "$BACKUP_DIR" -name "tunnelforge_backup_*.tar.gz" -type f 2>/dev/null | wc -l) || true
        : "${_bk_count:=0}"
        if (( _bk_count > 5 )); then
            find "$BACKUP_DIR" -name "tunnelforge_backup_*.tar.gz" -type f 2>/dev/null | \
                sort | head -n $(( _bk_count - 5 )) | while IFS= read -r _old_bk; do
                rm -f "$_old_bk" 2>/dev/null
            done || true
            log_debug "Rotated old backups"
        fi
    else
        rm -f "$backup_path" 2>/dev/null || true
        log_error "Failed to create backup"
        return 1
    fi

    return 0
}

restore_tunnelforge() {
    if [[ $EUID -ne 0 ]]; then
        log_error "Restore requires root privileges"
        return 1
    fi

    local backup_file="${1:-}"

    # If no file specified, find the latest
    if [[ -z "$backup_file" ]]; then
        backup_file=$(find "$BACKUP_DIR" -name "tunnelforge_backup_*.tar.gz" -type f 2>/dev/null | \
            sort -r | head -1) || true
        if [[ -z "$backup_file" ]]; then
            log_error "No backup files found in ${BACKUP_DIR}"
            return 1
        fi
        log_info "Found backup: $(basename "$backup_file")"
    fi

    if [[ ! -f "$backup_file" ]]; then
        log_error "Backup file not found: ${backup_file}"
        return 1
    fi

    printf "\n${BOLD}Backup contents:${RESET}\n"
    if ! tar tzf "$backup_file" >/dev/null 2>&1; then
        log_error "Cannot read backup archive"
        return 1
    fi
    tar tzf "$backup_file" 2>/dev/null | head -20 || true
    printf "${DIM}  ... (truncated)${RESET}\n\n"

    if ! confirm_action "Restore from this backup? (current config will be overwritten)"; then
        log_info "Restore cancelled"
        return 0
    fi

    log_info "Restoring from backup..."

    # Pre-scan archive for path traversal and symlink attacks
    local _bad_paths _symlinks _tar_listing
    _tar_listing=$(tar tzf "$backup_file" 2>/dev/null || true)
    _bad_paths=$(printf '%s\n' "$_tar_listing" | grep -E '(^|/)\.\.(/|$)|^/' || true)
    if [[ -n "$_bad_paths" ]]; then
        log_error "Backup archive contains unsafe paths (potential path traversal)"
        log_error "Suspicious entries: $(printf '%s' "$_bad_paths" | head -5)"
        return 1
    fi
    # Check for symlinks in the archive (tar tvf shows 'l' type)
    _symlinks=$(tar tvzf "$backup_file" 2>/dev/null | grep -E '^l' || true)
    if [[ -n "$_symlinks" ]]; then
        log_error "Backup archive contains symlinks (potential symlink attack)"
        log_error "Suspicious entries: $(printf '%s' "$_symlinks" | head -5)"
        return 1
    fi

    # Feature-detect --no-unsafe-links support
    local -a _tar_safe_opts=()
    if tar --help 2>&1 | grep -q -- '--no-unsafe-links' 2>/dev/null; then
        _tar_safe_opts=(--no-unsafe-links)
    fi
    if tar xzf "$backup_file" -C / --no-same-owner --no-same-permissions "${_tar_safe_opts[@]}" 2>/dev/null; then
        log_success "Backup restored successfully"
        log_info "Reapplying directory permissions..."
        init_directories 2>/dev/null || true
        # Secure config and profile files
        find "${CONFIG_DIR}" -type f -exec chmod 600 {} \; 2>/dev/null || true
        find "${PROFILES_DIR}" -type f -exec chmod 600 {} \; 2>/dev/null || true
        log_info "Reloading settings..."
        load_settings || true
    else
        log_error "Failed to restore backup"
        return 1
    fi

    return 0
}

# ── Backup interactive menu ──

_menu_backup_restore() {
    while true; do
        clear >/dev/tty 2>/dev/null || true
        printf "\n${BOLD_CYAN}═══ Backup & Restore ═══${RESET}\n\n" >/dev/tty

        printf "  ${CYAN}1${RESET}) Create backup now\n" >/dev/tty
        printf "  ${CYAN}2${RESET}) Restore from latest backup\n" >/dev/tty
        printf "  ${CYAN}3${RESET}) List available backups\n" >/dev/tty
        printf "  ${YELLOW}q${RESET}) Back\n\n" >/dev/tty

        local _br_choice
        printf "  ${BOLD}Select${RESET}: " >/dev/tty
        read -rsn1 _br_choice </dev/tty || true
        _drain_esc _br_choice
        printf "\n" >/dev/tty

        case "$_br_choice" in
            1) backup_tunnelforge || true; _press_any_key ;;
            2) restore_tunnelforge || true; _press_any_key ;;
            3)
                printf "\n${BOLD}Available Backups:${RESET}\n"
                local _br_found=false
                local _br_f
                while IFS= read -r _br_f; do
                    [[ -z "$_br_f" ]] && continue
                    _br_found=true
                    local _br_sz
                    _br_sz=$(stat -c %s "$_br_f" 2>/dev/null || stat -f %z "$_br_f" 2>/dev/null) || true
                    _br_sz=$(format_bytes "${_br_sz:-0}")
                    printf "  ${CYAN}●${RESET} %s  ${DIM}(%s)${RESET}\n" "$(basename "$_br_f")" "$_br_sz"
                done < <(find "$BACKUP_DIR" -name "tunnelforge_backup_*.tar.gz" -type f 2>/dev/null | sort -r || true)
                if [[ "$_br_found" != true ]]; then
                    printf "  ${DIM}No backups found${RESET}\n"
                fi
                printf "\n"
                _press_any_key ;;
            q|Q) return 0 ;;
            *) true ;;
        esac
    done
}

# ── Uninstall ──

uninstall_tunnelforge() {
    if [[ $EUID -ne 0 ]]; then
        log_error "Uninstall requires root privileges"
        return 1
    fi

    printf "\n${BOLD_RED}═══ TunnelForge Uninstall ═══${RESET}\n\n"
    printf "This will remove:\n"
    printf "  - All tunnel profiles and configuration\n"
    printf "  - Systemd service files\n"
    printf "  - Installation directory (%s)\n" "$INSTALL_DIR"
    printf "  - CLI symlink (%s)\n" "$BIN_LINK"
    printf "\n${YELLOW}This will NOT remove:${RESET}\n"
    printf "  - Your SSH keys (~/.ssh/)\n"
    printf "  - Final backup (saved to ~/)\n\n"

    if ! confirm_action "Are you absolutely sure you want to uninstall?"; then
        log_info "Uninstall cancelled"
        return 0
    fi

    # Offer backup BEFORE any destructive operations
    if confirm_action "Create a backup before uninstalling?"; then
        backup_tunnelforge || true
        local _ui_bk
        _ui_bk=$(find "$BACKUP_DIR" -name "tunnelforge_backup_*.tar.gz" -type f 2>/dev/null | sort -r | head -1) || true
        if [[ -n "$_ui_bk" ]]; then
            local _ui_home_bk="${HOME}/tunnelforge_final_backup.tar.gz"
            if cp "$_ui_bk" "$_ui_home_bk" 2>/dev/null; then
                log_info "Backup saved to: ${_ui_home_bk}"
            else
                log_error "Failed to copy backup to ${_ui_home_bk}"
                if ! confirm_action "Continue uninstall WITHOUT backup?"; then
                    return 0
                fi
            fi
        fi
    fi

    # Stop all running tunnels
    log_info "Stopping all tunnels..."
    stop_all_tunnels 2>/dev/null || true

    # Remove systemd services
    log_info "Removing systemd services..."
    local _ui_svc
    while IFS= read -r _ui_svc; do
        [[ -z "$_ui_svc" ]] && continue
        local _ui_name
        _ui_name=$(basename "$_ui_svc" .service)
        _ui_name="${_ui_name#tunnelforge-}"
        systemctl stop "tunnelforge-${_ui_name}" 2>/dev/null || true
        systemctl disable "tunnelforge-${_ui_name}" 2>/dev/null || true
        rm -f "$_ui_svc" 2>/dev/null || true
    done < <(find "$_SYSTEMD_DIR" -name "tunnelforge-*.service" -type f 2>/dev/null || true)
    systemctl daemon-reload 2>/dev/null || true

    # Disable security features if active
    if is_dns_leak_protected; then
        log_info "Disabling DNS leak protection..."
        disable_dns_leak_protection 2>/dev/null || true
    fi
    if is_kill_switch_active; then
        log_info "Disabling kill switch..."
        local _fw_cmd
        for _fw_cmd in iptables ip6tables; do
            if command -v "$_fw_cmd" &>/dev/null; then
                "$_fw_cmd" -D OUTPUT -j "$_TF_CHAIN" 2>/dev/null || true
                "$_fw_cmd" -D FORWARD -j "$_TF_CHAIN" 2>/dev/null || true
                "$_fw_cmd" -F "$_TF_CHAIN" 2>/dev/null || true
                "$_fw_cmd" -X "$_TF_CHAIN" 2>/dev/null || true
            fi
        done
    fi

    # Remove symlink
    rm -f "$BIN_LINK" 2>/dev/null || true
    log_success "Removed CLI symlink"

    # Remove sysctl config
    rm -f /etc/sysctl.d/99-tunnelforge.conf 2>/dev/null || true
    sysctl --system >/dev/null 2>&1 || true

    # Remove fail2ban jail and reload
    rm -f /etc/fail2ban/jail.d/tunnelforge-sshd.conf 2>/dev/null || true
    systemctl reload fail2ban 2>/dev/null || systemctl restart fail2ban 2>/dev/null || true

    # Restore original sshd_config if we have a backup
    if [[ -f "$_SSHD_BACKUP" ]]; then
        log_info "Restoring original sshd_config..."
        if cp "$_SSHD_BACKUP" "$_SSHD_CONFIG" 2>/dev/null; then
            systemctl reload sshd 2>/dev/null || systemctl reload ssh 2>/dev/null || true
            log_success "Restored original sshd_config"
        else
            log_warn "Could not restore sshd_config"
        fi
    fi

    # Remove data dirs first, install dir last (contains running script)
    rm -rf "${PID_DIR}" 2>/dev/null || true
    rm -rf "${LOG_DIR}" 2>/dev/null || true
    rm -rf "${DATA_DIR}" 2>/dev/null || true
    rm -rf "${SSH_CONTROL_DIR}" 2>/dev/null || true
    rm -rf "${PROFILES_DIR}" 2>/dev/null || true
    rm -rf "${CONFIG_DIR}" 2>/dev/null || true

    # Print farewell BEFORE deleting the script itself
    printf "\n${BOLD_GREEN}TunnelForge has been uninstalled.${RESET}\n" >/dev/tty 2>/dev/null || true
    printf "${DIM}Thank you for using TunnelForge!${RESET}\n\n" >/dev/tty 2>/dev/null || true

    rm -rf "${INSTALL_DIR}" 2>/dev/null || true
    return 0
}

# ── Self-Update ──────────────────────────────────────────────────────────────

update_tunnelforge() {
    if [[ $EUID -ne 0 ]]; then
        log_error "Update requires root privileges"
        return 1
    fi

    printf "\n${BOLD_CYAN}═══ TunnelForge Update ═══${RESET}\n\n" >/dev/tty

    local _script_path="${INSTALL_DIR}/tunnelforge.sh"
    if [[ ! -f "$_script_path" ]]; then
        log_error "TunnelForge not installed at ${_script_path}"
        return 1
    fi

    # Download latest script to temp file
    printf "  Checking for updates..." >/dev/tty
    local _tmp_file=""
    _tmp_file=$(mktemp /tmp/tunnelforge-update.XXXXXX) || { log_error "Failed to create temp file"; return 1; }

    if ! curl -sf --connect-timeout 10 --max-time 60 \
        "https://raw.githubusercontent.com/${GITHUB_REPO}/main/tunnelforge.sh" \
        -o "$_tmp_file" 2>/dev/null; then
        printf "\r                          \r" >/dev/tty
        log_error "Could not reach GitHub (check your internet connection)"
        rm -f "$_tmp_file" 2>/dev/null || true
        return 1
    fi
    printf "\r                          \r" >/dev/tty

    # Compare SHA256 of installed vs remote
    local _local_sha="" _remote_sha=""
    _local_sha=$(sha256sum "$_script_path" 2>/dev/null | cut -d' ' -f1) || true
    _remote_sha=$(sha256sum "$_tmp_file" 2>/dev/null | cut -d' ' -f1) || true

    if [[ -z "$_remote_sha" ]] || [[ -z "$_local_sha" ]]; then
        log_error "Failed to compute file checksums"
        rm -f "$_tmp_file" 2>/dev/null || true
        return 1
    fi

    if [[ "$_local_sha" == "$_remote_sha" ]]; then
        printf "  ${GREEN}Already up to date${RESET} ${DIM}(v%s)${RESET}\n\n" "$VERSION" >/dev/tty
        rm -f "$_tmp_file" 2>/dev/null || true
        return 0
    fi

    # Update available — show info and ask
    local _remote_ver=""
    _remote_ver=$(grep -oE 'readonly VERSION="[^"]+"' "$_tmp_file" 2>/dev/null \
        | head -1 | grep -oE '"[^"]+"' | tr -d '"') || true

    printf "  ${YELLOW}Update available${RESET}\n" >/dev/tty
    if [[ -n "$_remote_ver" ]] && [[ "$_remote_ver" != "$VERSION" ]]; then
        printf "    Installed : ${DIM}v%s${RESET}\n" "$VERSION" >/dev/tty
        printf "    Latest    : ${BOLD}v%s${RESET}\n\n" "$_remote_ver" >/dev/tty
    else
        printf "    ${DIM}New changes available (v%s)${RESET}\n\n" "$VERSION" >/dev/tty
    fi

    if ! confirm_action "Install update?"; then
        printf "\n  ${DIM}Update skipped.${RESET}\n\n" >/dev/tty
        rm -f "$_tmp_file" 2>/dev/null || true
        return 0
    fi

    # Validate downloaded script
    if ! bash -n "$_tmp_file" 2>/dev/null; then
        log_error "Downloaded file failed syntax check — aborting"
        rm -f "$_tmp_file" 2>/dev/null || true
        return 1
    fi

    # Backup current script
    if [[ -f "$_script_path" ]]; then
        cp "$_script_path" "${_script_path}.bak" 2>/dev/null || true
    fi

    # Replace script
    mv "$_tmp_file" "$_script_path" || { log_error "Failed to install update"; rm -f "$_tmp_file" 2>/dev/null || true; return 1; }
    chmod +x "$_script_path" 2>/dev/null || true

    if [[ -n "$_remote_ver" ]] && [[ "$_remote_ver" != "$VERSION" ]]; then
        printf "\n  ${BOLD_GREEN}Updated successfully${RESET} ${DIM}(v%s → v%s)${RESET}\n" \
            "$VERSION" "$_remote_ver" >/dev/tty
    else
        printf "\n  ${BOLD_GREEN}Updated successfully${RESET}\n" >/dev/tty
    fi
    printf "  ${DIM}Running tunnels are not affected.${RESET}\n" >/dev/tty
    printf "  ${DIM}Previous version backed up to %s.bak${RESET}\n\n" "$_script_path" >/dev/tty
    return 0
}

# ============================================================================
# TELEGRAM NOTIFICATIONS  (Phase 6)
# ============================================================================

readonly _TG_API="https://api.telegram.org"

_telegram_enabled() {
    [[ "$(config_get TELEGRAM_ENABLED false)" == "true" ]] || return 1
    [[ -n "$(config_get TELEGRAM_BOT_TOKEN)" ]] || return 1
    [[ -n "$(config_get TELEGRAM_CHAT_ID)" ]] || return 1
    return 0
}

# Find a running SOCKS5 proxy port for Telegram API calls
# (Telegram may be blocked on the local network)
_tg_find_proxy() {
    local _pn _pt _pp
    for _pn in $(list_profiles 2>/dev/null); do
        if is_tunnel_running "$_pn" 2>/dev/null; then
            _pt=$(get_profile_field "$_pn" "TUNNEL_TYPE" 2>/dev/null) || true
            if [[ "$_pt" == "socks5" ]]; then
                _pp=$(get_profile_field "$_pn" "LOCAL_PORT" 2>/dev/null) || true
                if [[ -n "$_pp" ]]; then
                    printf '%s' "$_pp"
                    return 0
                fi
            fi
        fi
    done
    return 1
}

# Build curl proxy args if a SOCKS5 tunnel is available
# Sets _TG_PROXY_ARGS array for caller
_tg_proxy_args() {
    _TG_PROXY_ARGS=()
    local _proxy_port
    _proxy_port=$(_tg_find_proxy 2>/dev/null) || true
    if [[ -n "$_proxy_port" ]]; then
        _TG_PROXY_ARGS=(--socks5-hostname "127.0.0.1:${_proxy_port}")
    fi
    return 0
}

# Send a message via Telegram Bot API
# Usage: _telegram_send "message text" [parse_mode]
_telegram_send() {
    local message="$1"
    local parse_mode="${2:-}"
    local token chat_id

    token=$(config_get TELEGRAM_BOT_TOKEN "")
    chat_id=$(config_get TELEGRAM_CHAT_ID "")

    [[ -n "$token" ]] && [[ -n "$chat_id" ]] || return 1

    local _tg_url="${_TG_API}/bot${token}/sendMessage"
    log_debug "Telegram send to chat ${chat_id}"

    local -a _TG_PROXY_ARGS=()
    _tg_proxy_args || true

    local -a curl_args=(
        -s --max-time 15
        "${_TG_PROXY_ARGS[@]}"
        -X POST
        --data-urlencode "chat_id=${chat_id}"
        --data-urlencode "text=${message}"
        --data-urlencode "disable_web_page_preview=true"
    )
    if [[ -n "$parse_mode" ]]; then
        curl_args+=(--data-urlencode "parse_mode=${parse_mode}")
    fi

    # Write URL to temp file to hide bot token from process listing and /proc/fd
    local _tg_cfg
    _tg_cfg=$(mktemp "${TMP_DIR}/tg_cfg.XXXXXX") || return 1
    printf 'url = "%s"\n' "$_tg_url" > "$_tg_cfg" 2>/dev/null || return 1
    chmod 600 "$_tg_cfg" 2>/dev/null || true
    local _tg_rc=0
    curl --config "$_tg_cfg" "${curl_args[@]}" >/dev/null 2>&1 || _tg_rc=$?
    rm -f "$_tg_cfg" 2>/dev/null || true
    return "$_tg_rc"
}

# Send a notification (checks if enabled + alerts flag)
_telegram_notify() {
    local message="$1"
    if _telegram_enabled && [[ "$(config_get TELEGRAM_ALERTS true)" == "true" ]]; then
        _telegram_send "$message" &
        _TG_BG_PIDS+=($!)
    fi
    # Reap any completed background sends
    local -a _tg_alive=()
    local _tg_p
    for _tg_p in "${_TG_BG_PIDS[@]}"; do
        if kill -0 "$_tg_p" 2>/dev/null; then
            _tg_alive+=("$_tg_p")
        else
            wait "$_tg_p" 2>/dev/null || true
        fi
    done
    _TG_BG_PIDS=("${_tg_alive[@]}")
    return 0
}

# Test Telegram connectivity
telegram_test() {
    if ! _telegram_enabled; then
        log_error "Telegram not configured (set bot token and chat ID first)"
        return 1
    fi

    local hostname _t_ip _t_running=0 _t_stopped=0 _t_total=0
    hostname=$(hostname 2>/dev/null || echo "unknown")
    _t_ip=$(hostname -I 2>/dev/null | awk '{print $1}') || true
    : "${_t_ip:=unknown}"

    # Count tunnel status
    local _t_name
    while IFS= read -r _t_name; do
        [[ -z "$_t_name" ]] && continue
        (( ++_t_total ))
        if is_tunnel_running "$_t_name" 2>/dev/null; then
            (( ++_t_running ))
        else
            (( ++_t_stopped ))
        fi
    done < <(list_profiles 2>/dev/null)

    local _t_alerts _t_reports
    _t_alerts=$(config_get TELEGRAM_ALERTS true)
    _t_reports=$(config_get TELEGRAM_PERIODIC_STATUS false)

    # Build tunnel list
    local _t_list=""
    local _tl_name
    while IFS= read -r _tl_name; do
        [[ -z "$_tl_name" ]] && continue
        if is_tunnel_running "$_tl_name" 2>/dev/null; then
            _t_list="${_t_list}  ✅ ${_tl_name} [ALIVE]
"
        else
            _t_list="${_t_list}  ⛔ ${_tl_name} [STOPPED]
"
        fi
    done < <(list_profiles 2>/dev/null)
    [[ -z "$_t_list" ]] && _t_list="  (none configured)
"

    local test_msg
    test_msg="$(printf '✅ TunnelForge Connected

━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🖥 Server Info
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Host: %s
IP: %s
Version: %s
Time: %s

━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 Tunnels (%d running / %d stopped)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
%s
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔔 Alerts
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Alerts: %s
Status Reports: %s

You will be notified on:
  tunnel start/stop/fail/reconnect
  periodic status reports
  security audit alerts

━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🤖 Bot Commands
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
/tf_help    - Show this help
/tf_status  - Tunnel status
/tf_list    - List all tunnels
/tf_ip      - Show server IP
/tf_config  - Get client config (PSK)
/tf_uptime  - Server uptime
/tf_report  - Full status report

━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⌨️ Server CLI
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
tunnelforge start/stop/restart <name>
tunnelforge list
tunnelforge dashboard
tunnelforge menu
tunnelforge telegram share <name>
tunnelforge telegram report' \
        "$hostname" "$_t_ip" "${VERSION}" "$(date '+%Y-%m-%d %H:%M:%S')" \
        "$_t_running" "$_t_stopped" "$_t_list" "$_t_alerts" "$_t_reports")"

    log_info "Sending test message..."
    local _tt_token
    _tt_token=$(config_get TELEGRAM_BOT_TOKEN "")
    local _tt_url="${_TG_API}/bot${_tt_token}/sendMessage"

    local -a _TG_PROXY_ARGS=()
    _tg_proxy_args || true

    # Write URL to temp file to hide bot token from /proc (matches _telegram_send pattern)
    local _tt_cfg
    _tt_cfg=$(mktemp "${TMP_DIR}/tg_test.XXXXXX") || { log_error "Cannot create temp file"; return 1; }
    printf 'url = "%s"\n' "$_tt_url" > "$_tt_cfg" 2>/dev/null || { rm -f "$_tt_cfg" 2>/dev/null; return 1; }
    chmod 600 "$_tt_cfg" 2>/dev/null || true
    local response
    response=$(curl --config "$_tt_cfg" \
        -s --max-time 15 "${_TG_PROXY_ARGS[@]}" -X POST \
        --data-urlencode "chat_id=$(config_get TELEGRAM_CHAT_ID)" \
        --data-urlencode "text=${test_msg}" 2>/dev/null) || true
    rm -f "$_tt_cfg" 2>/dev/null

    if printf '%s' "$response" | grep -qF '"ok":true' 2>/dev/null; then
        log_success "Telegram test message sent successfully"
        return 0
    else
        local err_desc
        err_desc=$(printf '%s' "$response" | grep -oE '"description":"[^"]*"' 2>/dev/null | head -1) || true
        log_error "Telegram test failed: ${err_desc:-no response}"
        return 1
    fi
}

# Show Telegram status
telegram_status() {
    printf "\n${BOLD}Telegram Notification Status${RESET}\n\n"
    printf "  Enabled       : ${BOLD}%s${RESET}\n" "$(config_get TELEGRAM_ENABLED false)"
    printf "  Bot Token     : ${BOLD}%s${RESET}\n" \
        "$(if [[ -n "$(config_get TELEGRAM_BOT_TOKEN)" ]]; then echo '••••••••(set)'; else echo '(not set)'; fi)"
    printf "  Chat ID       : ${BOLD}%s${RESET}\n" \
        "$(local _cid; _cid=$(config_get TELEGRAM_CHAT_ID); if [[ -n "$_cid" ]]; then echo "****${_cid: -4}"; else echo '(not set)'; fi)"
    printf "  Alerts        : ${BOLD}%s${RESET}\n" "$(config_get TELEGRAM_ALERTS true)"
    printf "  Status Reports: ${BOLD}%s${RESET}\n" "$(config_get TELEGRAM_PERIODIC_STATUS false)"
    printf "  Report Interval: ${BOLD}%s${RESET}s\n" "$(config_get TELEGRAM_STATUS_INTERVAL 3600)"
    printf "\n"
    return 0
}

# Telegram update offset file — prevents reprocessing same messages
_tg_offset_file() { printf '%s' "${CONFIG_DIR}/tg_offset"; }

_tg_get_offset() {
    local _f
    _f=$(_tg_offset_file)
    if [[ -f "$_f" ]]; then
        local _val
        _val=$(cat "$_f" 2>/dev/null) || true
        if [[ "$_val" =~ ^[0-9]+$ ]]; then
            printf '%s' "$_val"; return 0
        fi
    fi
    printf '0'
    return 0
}

_tg_set_offset() {
    local _f
    _f=$(_tg_offset_file)
    printf '%s' "$1" > "$_f" 2>/dev/null || true
}

# Auto-detect chat ID from recent messages to the bot
# Uses offset tracking to avoid reprocessing old updates
_telegram_get_chat_id() {
    local token="$1"
    [[ -z "$token" ]] && return 1

    local -a _TG_PROXY_ARGS=()
    _tg_proxy_args || true

    local _offset
    _offset=$(_tg_get_offset) || true

    local _curl_cfg _url_str
    _curl_cfg=$(mktemp "${TMP_DIR}/tg_cid.XXXXXX") || return 1
    chmod 600 "$_curl_cfg" 2>/dev/null || true
    if [[ "$_offset" -gt 0 ]] 2>/dev/null; then
        _url_str=$(printf '%s/bot%s/getUpdates?offset=%s' "$_TG_API" "$token" "$_offset")
    else
        _url_str=$(printf '%s/bot%s/getUpdates' "$_TG_API" "$token")
    fi
    printf 'url = "%s"\n' "$_url_str" > "$_curl_cfg"
    local response
    response=$(curl -s --max-time 15 "${_TG_PROXY_ARGS[@]}" --max-filesize 1048576 -K "$_curl_cfg" 2>/dev/null) || true
    rm -f "$_curl_cfg" 2>/dev/null || true
    [[ -z "$response" ]] && return 1
    printf '%s' "$response" | grep -qF '"ok":true' || return 1

    local chat_id="" max_update_id=""
    if command -v python3 &>/dev/null; then
        local _py_out
        _py_out=$(python3 -c "
import json,sys
try:
    d=json.loads(sys.stdin.read())
    results=d.get('result',[])
    max_uid=0
    cid=''
    for u in results:
        uid=u.get('update_id',0)
        if uid>max_uid: max_uid=uid
    for u in reversed(results):
        if 'message' in u:
            cid=str(u['message']['chat']['id']); break
        elif 'my_chat_member' in u:
            cid=str(u['my_chat_member']['chat']['id']); break
    print(cid+'|'+str(max_uid))
except: print('|0')
" <<< "$response" 2>/dev/null) || true
        chat_id="${_py_out%%|*}"
        max_update_id="${_py_out##*|}"
    fi
    # Fallback: grep extraction
    if [[ -z "$chat_id" ]]; then
        chat_id=$(printf '%s' "$response" | grep -oE '"chat"[[:space:]]*:[[:space:]]*\{[[:space:]]*"id"[[:space:]]*:[[:space:]]*-?[0-9]+' \
            | grep -oE -- '-?[0-9]+$' | tail -1 2>/dev/null) || true
        # Extract max update_id via grep
        if [[ -z "$max_update_id" ]] || [[ "$max_update_id" == "0" ]]; then
            max_update_id=$(printf '%s' "$response" | grep -oE '"update_id"[[:space:]]*:[[:space:]]*[0-9]+' \
                | grep -oE '[0-9]+$' | sort -n | tail -1 2>/dev/null) || true
        fi
    fi

    # Confirm processed updates by advancing offset
    if [[ -n "$max_update_id" ]] && [[ "$max_update_id" =~ ^[0-9]+$ ]] && (( max_update_id > 0 )); then
        _tg_set_offset "$(( max_update_id + 1 ))"
    fi

    if [[ -n "$chat_id" ]] && [[ "$chat_id" =~ ^-?[0-9]+$ ]]; then
        _TG_DETECTED_CHAT_ID="$chat_id"
        return 0
    fi
    return 1
}

# Telegram interactive setup wizard
telegram_setup() {
    local _saved_token _saved_chatid _saved_enabled
    _saved_token=$(config_get TELEGRAM_BOT_TOKEN "")
    _saved_chatid=$(config_get TELEGRAM_CHAT_ID "")
    _saved_enabled=$(config_get TELEGRAM_ENABLED "false")

    # Restore on Ctrl+C
    trap 'config_set TELEGRAM_BOT_TOKEN "$_saved_token"; config_set TELEGRAM_CHAT_ID "$_saved_chatid"; config_set TELEGRAM_ENABLED "$_saved_enabled"; trap - INT; printf "\n" >/dev/tty; return 0' INT

    clear >/dev/tty 2>/dev/null || true
    printf "${BOLD_CYAN}══════════════════════════════════════════════════════════════${RESET}\n" >/dev/tty
    printf "              ${BOLD}TELEGRAM NOTIFICATIONS SETUP${RESET}\n" >/dev/tty
    printf "${BOLD_CYAN}══════════════════════════════════════════════════════════════${RESET}\n\n" >/dev/tty

    # ── Step 1: Bot Token ──
    printf "  ${BOLD}Step 1: Create a Telegram Bot${RESET}\n" >/dev/tty
    printf "  ${CYAN}─────────────────────────────${RESET}\n" >/dev/tty
    printf "  1. Open Telegram and search for ${BOLD}@BotFather${RESET}\n" >/dev/tty
    printf "  2. Send ${YELLOW}/newbot${RESET}\n" >/dev/tty
    printf "  3. Choose a name (e.g. \"TunnelForge Monitor\")\n" >/dev/tty
    printf "  4. Choose a username (e.g. \"my_tunnel_bot\")\n" >/dev/tty
    printf "  5. BotFather will give you a token like:\n" >/dev/tty
    printf "     ${YELLOW}123456789:ABCdefGHIjklMNOpqrsTUVwxyz${RESET}\n\n" >/dev/tty

    local _tg_token=""
    read -rp "  Enter your bot token: " _tg_token </dev/tty >/dev/tty || { trap - INT; return 0; }
    _tg_token="${_tg_token## }"; _tg_token="${_tg_token%% }"
    printf "\n" >/dev/tty

    if [[ -z "$_tg_token" ]]; then
        printf "  ${RED}No token entered. Setup cancelled.${RESET}\n" >/dev/tty
        _press_any_key || true; trap - INT; return 0
    fi

    # Validate token format
    if [[ ! "$_tg_token" =~ ^[0-9]+:[A-Za-z0-9_-]+$ ]]; then
        printf "  ${RED}Invalid token format. Should be like: 123456789:ABCdefGHI...${RESET}\n" >/dev/tty
        _press_any_key || true; trap - INT; return 0
    fi

    # Verify token with Telegram API (route through SOCKS5 if available)
    local -a _TG_PROXY_ARGS=()
    _tg_proxy_args || true

    printf "  Verifying bot token... " >/dev/tty
    local _me_cfg _me_resp
    _me_cfg=$(mktemp "${TMP_DIR}/tg_me.XXXXXX") || true
    if [[ -n "$_me_cfg" ]]; then
        chmod 600 "$_me_cfg" 2>/dev/null || true
        printf 'url = "%s/bot%s/getMe"\n' "$_TG_API" "$_tg_token" > "$_me_cfg"
        _me_resp=$(curl -s --max-time 15 "${_TG_PROXY_ARGS[@]}" -K "$_me_cfg" 2>/dev/null) || true
        rm -f "$_me_cfg" 2>/dev/null || true
        if printf '%s' "$_me_resp" | grep -qF '"ok":true' 2>/dev/null; then
            printf "${GREEN}Valid${RESET}\n" >/dev/tty
        else
            printf "${RED}Invalid token${RESET}\n" >/dev/tty
            printf "  ${RED}The Telegram API rejected this token. Check it and try again.${RESET}\n" >/dev/tty
            _press_any_key || true; trap - INT; return 0
        fi
    fi

    # ── Step 2: Chat ID (auto-detect) ──
    printf "\n  ${BOLD}Step 2: Get Your Chat ID${RESET}\n" >/dev/tty
    printf "  ${CYAN}────────────────────────${RESET}\n" >/dev/tty
    printf "  1. Open your new bot in Telegram\n" >/dev/tty
    printf "  2. Send it the message: ${YELLOW}/start${RESET}\n\n" >/dev/tty
    printf "  ${YELLOW}Important:${RESET} You MUST send ${BOLD}/start${RESET} to the bot first!\n\n" >/dev/tty

    read -rp "  Press Enter after sending /start to your bot... " </dev/tty >/dev/tty || { trap - INT; return 0; }

    printf "\n  Detecting chat ID... " >/dev/tty
    local _TG_DETECTED_CHAT_ID="" _attempts=0
    while (( _attempts < 3 )) && [[ -z "$_TG_DETECTED_CHAT_ID" ]]; do
        _telegram_get_chat_id "$_tg_token" || true
        if [[ -n "$_TG_DETECTED_CHAT_ID" ]]; then break; fi
        (( ++_attempts ))
        sleep 2
    done

    local _tg_chat_id=""
    if [[ -n "$_TG_DETECTED_CHAT_ID" ]]; then
        _tg_chat_id="$_TG_DETECTED_CHAT_ID"
        printf "${GREEN}Found: ${_tg_chat_id}${RESET}\n" >/dev/tty
    else
        printf "${RED}Could not auto-detect${RESET}\n\n" >/dev/tty
        printf "  ${BOLD}You can enter it manually:${RESET}\n" >/dev/tty
        printf "  ${CYAN}────────────────────────────${RESET}\n" >/dev/tty
        printf "  Option 1: Press Enter to retry detection\n" >/dev/tty
        printf "  Option 2: Find your chat ID via ${BOLD}@userinfobot${RESET} on Telegram\n\n" >/dev/tty

        local _manual_chatid=""
        read -rp "  Enter chat ID (or Enter to retry): " _manual_chatid </dev/tty >/dev/tty || true

        if [[ -z "$_manual_chatid" ]]; then
            # Retry
            printf "\n  Retrying detection... " >/dev/tty
            _attempts=0
            while (( _attempts < 5 )) && [[ -z "$_TG_DETECTED_CHAT_ID" ]]; do
                _telegram_get_chat_id "$_tg_token" || true
                if [[ -n "$_TG_DETECTED_CHAT_ID" ]]; then break; fi
                (( ++_attempts ))
                sleep 2
            done
            if [[ -n "$_TG_DETECTED_CHAT_ID" ]]; then
                _tg_chat_id="$_TG_DETECTED_CHAT_ID"
                printf "${GREEN}Found: ${_tg_chat_id}${RESET}\n" >/dev/tty
            fi
        elif [[ "$_manual_chatid" =~ ^-?[0-9]+$ ]]; then
            _tg_chat_id="$_manual_chatid"
        else
            printf "  ${RED}Invalid chat ID. Must be a number.${RESET}\n" >/dev/tty
        fi

        if [[ -z "$_tg_chat_id" ]]; then
            printf "  ${RED}Could not get chat ID. Setup cancelled.${RESET}\n" >/dev/tty
            _press_any_key || true; trap - INT; return 0
        fi
    fi

    # ── Step 3: Save and test ──
    config_set "TELEGRAM_BOT_TOKEN" "$_tg_token"
    config_set "TELEGRAM_CHAT_ID" "$_tg_chat_id"
    config_set "TELEGRAM_ENABLED" "true"
    save_settings || true

    printf "\n  Sending test message... " >/dev/tty
    if telegram_test 2>/dev/null; then
        printf "${GREEN}Success!${RESET}\n" >/dev/tty
        printf "\n  ${GREEN}Telegram notifications are now active.${RESET}\n" >/dev/tty
    else
        printf "${RED}Failed to send.${RESET}\n" >/dev/tty
        printf "  ${YELLOW}Token/chat ID saved but test failed — check credentials.${RESET}\n" >/dev/tty
    fi

    _press_any_key || true
    trap - INT
    return 0
}

# ── Notification message builders ──

_notify_tunnel_start() {
    local name="$1" tunnel_type="${2:-tunnel}" pid="${3:-}"
    local hostname
    hostname=$(hostname 2>/dev/null || echo "unknown")
    local _nts_obfs=""
    local -A _nts_prof=()
    if load_profile "$name" _nts_prof 2>/dev/null; then
        if [[ "${_nts_prof[OBFS_MODE]:-none}" != "none" ]]; then
            _nts_obfs=$(printf '\nObfuscation: %s (port %s)' "${_nts_prof[OBFS_MODE]}" "${_nts_prof[OBFS_PORT]:-443}")
        fi
        if [[ -n "${_nts_prof[OBFS_LOCAL_PORT]:-}" ]] && [[ "${_nts_prof[OBFS_LOCAL_PORT]:-0}" != "0" ]]; then
            _nts_obfs="${_nts_obfs}$(printf '\nInbound TLS: port %s (PSK)' "${_nts_prof[OBFS_LOCAL_PORT]}")"
        fi
    fi
    _telegram_notify "$(printf '✅ Tunnel Started\n\nName: %s\nType: %s\nHost: %s\nPID: %s%s\nTime: %s' \
        "$name" "$tunnel_type" "$hostname" "${pid:-?}" "$_nts_obfs" "$(date '+%H:%M:%S')")"
    return 0
}

_notify_tunnel_stop() {
    local name="$1"
    _telegram_notify "$(printf '⛔ Tunnel Stopped\n\nName: %s\nTime: %s' \
        "$name" "$(date '+%H:%M:%S')")"
    return 0
}

_notify_tunnel_fail() {
    local name="$1"
    _telegram_notify "$(printf '❌ Tunnel Failed\n\nName: %s\nTime: %s\nCheck logs for details.' \
        "$name" "$(date '+%H:%M:%S')")"
    return 0
}

_notify_reconnect() {
    local name="$1" reason="${2:-unknown}"
    _telegram_notify "$(printf '🔄 Tunnel Reconnect\n\nName: %s\nReason: %s\nTime: %s' \
        "$name" "$reason" "$(date '+%H:%M:%S')")"
    return 0
}


# Generate a periodic status report (with timestamp dedup to prevent repeats)
telegram_send_status() {
    if ! _telegram_enabled; then return 0; fi
    if [[ "$(config_get TELEGRAM_PERIODIC_STATUS false)" != "true" ]]; then return 0; fi

    # Dedup: check last send timestamp to prevent repeat sends
    local _ts_file="${CONFIG_DIR}/tg_last_report"
    local _interval
    _interval=$(config_get TELEGRAM_STATUS_INTERVAL 3600)
    if [[ -f "$_ts_file" ]]; then
        local _last_ts _now_ts
        _last_ts=$(cat "$_ts_file" 2>/dev/null) || true
        _now_ts=$(date +%s 2>/dev/null) || true
        if [[ "$_last_ts" =~ ^[0-9]+$ ]] && [[ "$_now_ts" =~ ^[0-9]+$ ]]; then
            if (( _now_ts - _last_ts < _interval )); then
                return 0  # Too soon, skip
            fi
        fi
    fi

    local hostname running=0 stopped=0 total=0
    hostname=$(hostname 2>/dev/null || echo "unknown")

    local name
    while IFS= read -r name; do
        [[ -z "$name" ]] && continue
        ((++total))
        if is_tunnel_running "$name"; then
            ((++running))
        else
            ((++stopped))
        fi
    done < <(list_profiles)

    (( total > 0 )) || return 0

    local public_ip
    public_ip=$(hostname -I 2>/dev/null | awk '{print $1}') || true
    : "${public_ip:=unknown}"

    local msg
    msg=$(printf '📊 Status Report\n\nHost: %s\nIP: %s\nTunnels: %d running / %d stopped / %d total\nTime: %s' \
        "$hostname" "$public_ip" "$running" "$stopped" "$total" "$(date '+%Y-%m-%d %H:%M:%S')")

    if _telegram_send "$msg"; then
        # Record send timestamp only on success
        date +%s > "$_ts_file" 2>/dev/null || true
    fi
    return 0
}

# ── Telegram Bot Command Handler ──
# Polls getUpdates, processes /tf_* commands, responds via sendMessage.
# Call periodically (e.g., from dashboard loop). Uses offset tracking to avoid repeats.

_tg_cmd_response() {
    local _cmd="$1" _chat="$2" _token="$3"

    local _resp=""
    case "$_cmd" in
        /tf_help|/tf_help@*)
            _resp="$(printf '🤖 TunnelForge Bot Commands

/tf_help    - Show this help
/tf_status  - Tunnel status overview
/tf_list    - List all tunnels
/tf_ip      - Show server IP
/tf_config  - Get client configs (PSK)
/tf_uptime  - Server uptime
/tf_report  - Full status report')"
            ;;
        /tf_status|/tf_status@*)
            local _r=0 _s=0 _t=0 _n
            while IFS= read -r _n; do
                [[ -z "$_n" ]] && continue
                (( ++_t ))
                if is_tunnel_running "$_n" 2>/dev/null; then (( ++_r )); else (( ++_s )); fi
            done < <(list_profiles 2>/dev/null)
            _resp="$(printf '📊 Tunnel Status\n\nRunning: %d\nStopped: %d\nTotal: %d\nTime: %s' \
                "$_r" "$_s" "$_t" "$(date '+%H:%M:%S')")"
            ;;
        /tf_list|/tf_list@*)
            local _lines="" _n
            while IFS= read -r _n; do
                [[ -z "$_n" ]] && continue
                if is_tunnel_running "$_n" 2>/dev/null; then
                    _lines="${_lines}✅ ${_n} [ALIVE]\n"
                else
                    _lines="${_lines}⛔ ${_n} [STOPPED]\n"
                fi
            done < <(list_profiles 2>/dev/null)
            [[ -z "$_lines" ]] && _lines="(no tunnels configured)\n"
            _resp="$(printf '📋 Tunnel List\n\n%b' "$_lines")"
            ;;
        /tf_ip|/tf_ip@*)
            local _ip
            _ip=$(hostname -I 2>/dev/null | awk '{print $1}') || true
            : "${_ip:=unknown}"
            _resp="$(printf '🌐 Server IP: %s\nHostname: %s' "$_ip" "$(hostname 2>/dev/null || echo unknown)")"
            ;;
        /tf_config|/tf_config@*)
            # Send config for all profiles with inbound TLS
            local _cfg_lines="" _n
            while IFS= read -r _n; do
                [[ -z "$_n" ]] && continue
                local -A _cp=()
                if load_profile "$_n" _cp 2>/dev/null; then
                    local _olp="${_cp[OBFS_LOCAL_PORT]:-}"
                    if [[ -n "$_olp" ]] && [[ "$_olp" != "0" ]]; then
                        local _h="${_cp[SSH_HOST]:-localhost}"
                        local _pub
                        _pub=$(hostname -I 2>/dev/null | awk '{print $1}') || true
                        [[ -n "$_pub" ]] && _h="$_pub"
                        local _st="STOPPED"
                        is_tunnel_running "$_n" 2>/dev/null && _st="ALIVE"
                        _cfg_lines="${_cfg_lines}$(printf '┌── %s [%s]\n│ Server: %s\n│ Port: %s\n│ SOCKS5: 127.0.0.1:%s\n│ PSK: %s\n└──\n\n' \
                            "$_n" "$_st" "$_h" "$_olp" "${_cp[LOCAL_PORT]:-1080}" "${_cp[OBFS_PSK]:-N/A}")"
                    fi
                fi
            done < <(list_profiles 2>/dev/null)
            if [[ -z "$_cfg_lines" ]]; then
                _resp="No profiles with inbound TLS configured."
            else
                _resp="$(printf '🔐 Client Configs\n\n%s' "$_cfg_lines")"
            fi
            ;;
        /tf_uptime|/tf_uptime@*)
            local _up
            _up=$(uptime -p 2>/dev/null || uptime 2>/dev/null || echo "unknown")
            _resp="$(printf '⏱ Server Uptime\n\n%s\nTime: %s' "$_up" "$(date '+%Y-%m-%d %H:%M:%S')")"
            ;;
        /tf_report|/tf_report@*)
            local _r=0 _s=0 _t=0 _n _tlist=""
            while IFS= read -r _n; do
                [[ -z "$_n" ]] && continue
                (( ++_t ))
                if is_tunnel_running "$_n" 2>/dev/null; then
                    (( ++_r ))
                    _tlist="${_tlist}  ✅ ${_n}\n"
                else
                    (( ++_s ))
                    _tlist="${_tlist}  ⛔ ${_n}\n"
                fi
            done < <(list_profiles 2>/dev/null)
            local _ip
            _ip=$(hostname -I 2>/dev/null | awk '{print $1}') || true
            local _up
            _up=$(uptime -p 2>/dev/null || echo "N/A")
            _resp="$(printf '📊 Full Status Report\n\n🖥 %s (%s)\n⏱ %s\n\n📡 Tunnels: %d running / %d stopped\n%b\n🕐 %s' \
                "$(hostname 2>/dev/null || echo unknown)" "${_ip:-unknown}" "$_up" "$_r" "$_s" "$_tlist" "$(date '+%Y-%m-%d %H:%M:%S')")"
            ;;
        /start|/start@*)
            _resp="$(printf '🤖 TunnelForge Bot Active\n\nSend /tf_help for available commands.')"
            ;;
        *)
            # Unknown command — ignore
            return 0
            ;;
    esac

    if [[ -n "$_resp" ]]; then
        # Send response via _telegram_send (uses proxy automatically)
        if _telegram_send "$_resp"; then
            log_info "TG bot: replied to '${_cmd}'"
        else
            log_warn "TG bot: failed to send reply for '${_cmd}'"
        fi
    fi
    return 0
}

# Poll for and process Telegram bot commands (one-shot)
_tg_process_commands() {
    if ! _telegram_enabled; then return 0; fi

    local _token _chat_id
    _token=$(config_get TELEGRAM_BOT_TOKEN "")
    _chat_id=$(config_get TELEGRAM_CHAT_ID "")
    [[ -n "$_token" ]] && [[ -n "$_chat_id" ]] || return 0

    local -a _TG_PROXY_ARGS=()
    _tg_proxy_args || true

    if [[ ${#_TG_PROXY_ARGS[@]} -eq 0 ]]; then
        log_debug "TG poll: no SOCKS5 proxy, trying direct"
    fi

    local _offset
    _offset=$(_tg_get_offset) || true

    local _curl_cfg _url_str
    _curl_cfg=$(mktemp "${TMP_DIR}/tg_poll.XXXXXX") || return 0
    chmod 600 "$_curl_cfg" 2>/dev/null || true
    if [[ "$_offset" -gt 0 ]] 2>/dev/null; then
        _url_str=$(printf '%s/bot%s/getUpdates?offset=%s&timeout=0' "$_TG_API" "$_token" "$_offset")
    else
        _url_str=$(printf '%s/bot%s/getUpdates?timeout=0' "$_TG_API" "$_token")
    fi
    printf 'url = "%s"\n' "$_url_str" > "$_curl_cfg"
    local response
    response=$(curl -s --max-time 20 "${_TG_PROXY_ARGS[@]}" --max-filesize 1048576 -K "$_curl_cfg" 2>/dev/null) || true
    rm -f "$_curl_cfg" 2>/dev/null || true
    if [[ -z "$response" ]]; then
        log_debug "TG poll: empty response from getUpdates"
        return 0
    fi
    if ! printf '%s' "$response" | grep -qF '"ok":true'; then
        log_debug "TG poll: API error: ${response:0:200}"
        return 0
    fi

    # Parse updates with python3 (fast, reliable JSON parsing)
    if ! command -v python3 &>/dev/null; then
        log_debug "TG poll: python3 not found"
        return 0
    fi

    # Validate chat_id is numeric to prevent injection (negative for group chats)
    if ! [[ "$_chat_id" =~ ^-?[0-9]+$ ]]; then
        log_warn "TG poll: invalid chat_id, skipping"
        return 0
    fi

    local _updates
    _updates=$(TF_CHAT_ID="$_chat_id" python3 -c "
import json,sys,os
try:
    cid=os.environ.get('TF_CHAT_ID','')
    d=json.loads(sys.stdin.read())
    for u in d.get('result',[]):
        uid=u.get('update_id',0)
        msg=u.get('message',{})
        text=msg.get('text','')
        chat_id=msg.get('chat',{}).get('id',0)
        if text.startswith('/') and str(chat_id)==cid:
            cmd=text.split()[0].lower()
            print(str(uid)+'|'+cmd)
        else:
            print(str(uid)+'|')
except: pass
" <<< "$response" 2>/dev/null) || true

    local _max_uid=0
    local _line _uid _cmd
    while IFS= read -r _line; do
        [[ -z "$_line" ]] && continue
        _uid="${_line%%|*}"
        _cmd="${_line#*|}"
        if [[ "$_uid" =~ ^[0-9]+$ ]] && (( _uid > _max_uid )); then
            _max_uid=$_uid
        fi
        # Process command if present
        if [[ -n "$_cmd" ]]; then
            log_info "TG bot: received command '${_cmd}'"
            _tg_cmd_response "$_cmd" "$_chat_id" "$_token" || true
        fi
    done <<< "$_updates"

    # Advance offset to skip processed updates
    if (( _max_uid > 0 )); then
        _tg_set_offset "$(( _max_uid + 1 ))"
        log_debug "TG poll: offset advanced to $(( _max_uid + 1 ))"
    fi
    return 0
}

# Non-blocking wrapper: runs _tg_process_commands in background
# Uses lock file to prevent concurrent polls
_tg_process_commands_bg() {
    local _lock="${TMP_DIR}/tg_cmd.lock"
    # Skip if previous poll still running
    if [[ -f "$_lock" ]]; then
        local _lpid
        _lpid=$(cat "$_lock" 2>/dev/null) || true
        if [[ -n "$_lpid" ]] && kill -0 "$_lpid" 2>/dev/null; then
            return 0
        fi
        rm -f "$_lock" 2>/dev/null || true
    fi
    (
        printf '%s' "$BASHPID" > "$_lock" 2>/dev/null || true
        _tg_process_commands 2>/dev/null || true
        rm -f "$_lock" 2>/dev/null || true
    ) &>/dev/null &
    disown 2>/dev/null || true
    return 0
}

# Send a file via Telegram bot API (sendDocument).
# Args: file_path [caption]
_telegram_send_file() {
    local _file="$1" _caption="${2:-}"
    local _token _chat_id
    _token=$(config_get TELEGRAM_BOT_TOKEN "")
    _chat_id=$(config_get TELEGRAM_CHAT_ID "")
    [[ -n "$_token" ]] && [[ -n "$_chat_id" ]] || return 1
    [[ -f "$_file" ]] || return 1

    local _tg_url="${_TG_API}/bot${_token}/sendDocument"
    local _tg_cfg
    _tg_cfg=$(mktemp "${TMP_DIR}/tg_cfg.XXXXXX") || return 1
    printf 'url = "%s"\n' "$_tg_url" > "$_tg_cfg" 2>/dev/null || { rm -f "$_tg_cfg" 2>/dev/null || true; return 1; }
    chmod 600 "$_tg_cfg" 2>/dev/null || true

    local -a _TG_PROXY_ARGS=()
    _tg_proxy_args || true

    local -a curl_args=(
        -s --max-time 30
        "${_TG_PROXY_ARGS[@]}"
        -X POST
        -F "chat_id=${_chat_id}"
        -F "document=@${_file}"
    )
    if [[ -n "$_caption" ]]; then
        curl_args+=(-F "caption=${_caption}")
    fi

    local _rc=0
    curl --config "$_tg_cfg" "${curl_args[@]}" >/dev/null 2>&1 || _rc=$?
    rm -f "$_tg_cfg" 2>/dev/null || true
    return "$_rc"
}

# Share client connection info + scripts via Telegram.
# Args: profile_name
telegram_share_client() {
    local _name="${1:-}"

    if ! _telegram_enabled; then
        log_error "Telegram is not configured. Run: tunnelforge telegram setup"
        return 1
    fi

    if [[ -z "$_name" ]]; then
        # Pick from running profiles with inbound TLS
        local _profiles="" _found=0
        while IFS= read -r _pn; do
            [[ -z "$_pn" ]] && continue
            local -A _tp=()
            if load_profile "$_pn" _tp 2>/dev/null; then
                if [[ -n "${_tp[OBFS_LOCAL_PORT]:-}" ]] && [[ "${_tp[OBFS_LOCAL_PORT]:-0}" != "0" ]]; then
                    _profiles="${_profiles}${_pn}\n"
                    ((++_found))
                fi
            fi
        done < <(list_profiles)

        if (( _found == 0 )); then
            log_error "No profiles with inbound TLS found"
            return 1
        fi

        printf "\n${BOLD}Profiles with inbound TLS:${RESET}\n"
        local -a _parr=() _pi=0
        while IFS= read -r _pn; do
            [[ -z "$_pn" ]] && continue
            ((++_pi))
            _parr+=("$_pn")
            printf "  ${CYAN}%d${RESET}) %s\n" "$_pi" "$_pn"
        done < <(printf '%b' "$_profiles")

        printf "\n"
        local _sel=""
        read -rp "  Select profile [1-${_pi}]: " _sel </dev/tty || true
        if [[ -z "$_sel" ]] || ! [[ "$_sel" =~ ^[0-9]+$ ]] || (( _sel < 1 || _sel > _pi )); then
            log_error "Invalid selection"
            return 1
        fi
        _name="${_parr[$((_sel - 1))]}"
    fi

    local -A _sp=()
    load_profile "$_name" _sp || { log_error "Cannot load profile '$_name'"; return 1; }

    local _olport="${_sp[OBFS_LOCAL_PORT]:-}"
    local _psk="${_sp[OBFS_PSK]:-}"
    local _lport="${_sp[LOCAL_PORT]:-}"

    if [[ -z "$_olport" ]] || [[ "$_olport" == "0" ]]; then
        log_error "Profile '$_name' has no inbound TLS configured"
        return 1
    fi

    # Determine server IP
    local _host="${_sp[SSH_HOST]:-localhost}"
    local _pub_ip=""
    _pub_ip=$(ip -4 route get 1.1.1.1 2>/dev/null | grep -oE 'src [0-9.]+' | cut -d' ' -f2) || true
    if [[ -n "$_pub_ip" ]]; then _host="$_pub_ip"; fi

    log_info "Sharing client info for '${_name}' via Telegram..."

    # Determine running status
    local _status_txt="STOPPED"
    if is_tunnel_running "$_name" 2>/dev/null; then _status_txt="ALIVE"; fi

    # 1. Send connection info message (clean, formatted like the menu display)
    local _msg
    _msg=$(printf '🔐 TunnelForge Client Config

━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📡 %s [%s]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Server:     %s
Port:       %s
SOCKS5:     127.0.0.1:%s
PSK Key:    %s

━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚡ Quick Start (Windows)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Install stunnel from stunnel.org
2. Save the .bat file below
3. Edit the SERVER, PORT, PSK values
4. Double-click to connect
5. Set browser proxy: 127.0.0.1:%s

━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🐧 Quick Start (Linux/Mac)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Install stunnel: apt install stunnel4
2. Save the .sh file below
3. chmod +x tunnelforge-connect.sh
4. ./tunnelforge-connect.sh
5. Set browser proxy: 127.0.0.1:%s

━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔧 Manual stunnel Config
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
stunnel.conf:
[tunnelforge]
client = yes
accept = 127.0.0.1:%s
connect = %s:%s
PSKsecrets = psk.txt
ciphers = PSK

psk.txt:
tunnelforge:%s

━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🌐 Browser Setup
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Firefox:
  Settings → Proxy → Manual
  SOCKS Host: 127.0.0.1
  Port: %s
  SOCKS v5 ✓
  Proxy DNS ✓

Chrome:
  chrome --proxy-server="socks5://127.0.0.1:%s"' \
        "$_name" "$_status_txt" \
        "$_host" "$_olport" "$_lport" "$_psk" \
        "$_lport" \
        "$_lport" \
        "$_lport" "$_host" "$_olport" \
        "$_psk" \
        "$_lport" "$_lport")

    if _telegram_send "$_msg"; then
        log_success "Connection info sent"
    else
        log_error "Failed to send connection info"
        return 1
    fi

    # 2. Generate and send Linux script
    local _sh_file="${TMP_DIR}/tunnelforge-connect.sh"
    if _obfs_generate_client_script "$_name" _sp "$_sh_file" 2>/dev/null; then
        if _telegram_send_file "$_sh_file" "Linux/Mac client — chmod +x and run"; then
            log_success "Linux script sent"
        else
            log_warn "Failed to send Linux script"
        fi
    fi
    rm -f "$_sh_file" 2>/dev/null || true

    # 3. Send Windows bat file if it exists in the install dir
    local _bat_file=""
    for _bp in "${INSTALL_DIR}/tunnelforge-client.bat" \
               "$(dirname "$(readlink -f "$0" 2>/dev/null || echo "$0")")/tunnelforge-client.bat" \
               "/opt/tunnelforge/tunnelforge-client.bat"; do
        if [[ -f "$_bp" ]]; then _bat_file="$_bp"; break; fi
    done

    if [[ -n "$_bat_file" ]]; then
        if _telegram_send_file "$_bat_file" "Windows client — double-click to run"; then
            log_success "Windows script sent"
        else
            log_warn "Failed to send Windows script"
        fi
    else
        log_info "Windows .bat not found — place tunnelforge-client.bat in /opt/tunnelforge/"
    fi

    printf "\n${GREEN}Client setup shared via Telegram.${RESET}\n"
    printf "${DIM}Users in the chat can see the info and download the scripts.${RESET}\n\n"
    return 0
}

# ── Telegram interactive menu ──

_menu_telegram() {
    while true; do
        clear >/dev/tty 2>/dev/null || true
        printf "\n${BOLD_CYAN}═══ Telegram Notifications ═══${RESET}\n\n" >/dev/tty

        local _tg_status_icon="${RED}●${RESET}"
        if _telegram_enabled; then
            _tg_status_icon="${GREEN}●${RESET}"
        fi

        printf "  Status: %b %s\n\n" "$_tg_status_icon" \
            "$(if _telegram_enabled; then echo 'Connected'; else echo 'Not configured'; fi)" >/dev/tty

        printf "    ${CYAN}1${RESET}) Setup / reconfigure\n" >/dev/tty
        printf "    ${CYAN}2${RESET}) Send test message\n" >/dev/tty
        printf "    ${CYAN}3${RESET}) Toggle alerts      : ${BOLD}%s${RESET}\n" "$(config_get TELEGRAM_ALERTS true)" >/dev/tty
        printf "    ${CYAN}4${RESET}) Toggle status reports: ${BOLD}%s${RESET}\n" "$(config_get TELEGRAM_PERIODIC_STATUS false)" >/dev/tty
        printf "    ${CYAN}5${RESET}) Status interval    : ${BOLD}%s${RESET}s\n" "$(config_get TELEGRAM_STATUS_INTERVAL 3600)" >/dev/tty
        printf "    ${CYAN}6${RESET}) Show full status\n" >/dev/tty
        printf "    ${CYAN}7${RESET}) Share client setup (scripts + PSK)\n" >/dev/tty
        printf "    ${CYAN}8${RESET}) Disable Telegram\n" >/dev/tty
        printf "    ${YELLOW}0${RESET}) Back\n\n" >/dev/tty

        local _tg_choice
        printf "  ${BOLD}Select${RESET}: " >/dev/tty
        read -rsn1 _tg_choice </dev/tty || true
        _drain_esc _tg_choice
        printf "\n" >/dev/tty

        case "$_tg_choice" in
            1) telegram_setup || true ;;
            2) telegram_test || true; _press_any_key ;;
            3)
                if [[ "$(config_get TELEGRAM_ALERTS true)" == "true" ]]; then
                    config_set "TELEGRAM_ALERTS" "false"
                    log_info "Telegram alerts disabled"
                else
                    config_set "TELEGRAM_ALERTS" "true"
                    log_info "Telegram alerts enabled"
                fi
                save_settings || true ;;
            4)
                if [[ "$(config_get TELEGRAM_PERIODIC_STATUS false)" == "true" ]]; then
                    config_set "TELEGRAM_PERIODIC_STATUS" "false"
                    log_info "Periodic status reports disabled"
                else
                    config_set "TELEGRAM_PERIODIC_STATUS" "true"
                    log_info "Periodic status reports enabled"
                fi
                save_settings || true ;;
            5)
                local _tg_int
                _read_tty "  Status interval (seconds)" _tg_int "$(config_get TELEGRAM_STATUS_INTERVAL 3600)"
                if [[ "$_tg_int" =~ ^[0-9]+$ ]] && (( _tg_int >= 60 )); then
                    config_set "TELEGRAM_STATUS_INTERVAL" "$_tg_int"
                    save_settings || true
                    log_info "Status interval set to ${_tg_int}s"
                else
                    log_error "Invalid interval (minimum 60 seconds)"
                fi
                _press_any_key ;;
            6) telegram_status || true; _press_any_key ;;
            7) telegram_share_client "" || true; _press_any_key ;;
            8)
                config_set "TELEGRAM_ENABLED" "false"
                save_settings || true
                log_info "Telegram notifications disabled" ;;
            0|q) return 0 ;;
            *) true ;;
        esac
    done
}

# ── Log rotation ──

_rotate_dir_logs() {
    local dir="$1" max_size="$2" max_count="$3"
    local log_f
    while IFS= read -r log_f; do
        [[ -f "$log_f" ]] || continue
        local fsize
        fsize=$(stat -c %s "$log_f" 2>/dev/null || stat -f %z "$log_f" 2>/dev/null) || true
        : "${fsize:=0}"
        if (( fsize > max_size )); then
            local ri
            for (( ri=max_count; ri>=1; ri-- )); do
                local prev=$(( ri - 1 ))
                local src="${log_f}"
                if [[ $prev -gt 0 ]]; then src="${log_f}.${prev}"; fi
                if [[ -f "$src" ]]; then mv -f "$src" "${log_f}.${ri}" 2>/dev/null || true; fi
            done
            : > "$log_f" 2>/dev/null || true
            log_debug "Rotated log: $(basename "$log_f")"
        fi
    done < <(find "$dir" -maxdepth 1 -name "*.log" -type f 2>/dev/null || true)
    return 0
}

rotate_logs() {
    local max_size max_count
    max_size=$(config_get LOG_MAX_SIZE 10485760)
    max_count=$(config_get LOG_ROTATE_COUNT 5)
    _rotate_dir_logs "$LOG_DIR" "$max_size" "$max_count"
    _rotate_dir_logs "$RECONNECT_LOG_DIR" "$max_size" "$max_count"
    return 0
}

# ── Connection quality indicator ──
# Returns a quality rating based on latency to the SSH host

_get_ns_timestamp() {
    local _ts
    _ts=$(date +%s%N 2>/dev/null) || true
    if [[ "$_ts" =~ ^[0-9]+$ ]]; then printf '%s' "$_ts"; return 0; fi
    # macOS fallback: try perl for sub-second precision
    _ts=$(perl -MTime::HiRes=time -e 'printf "%d", time()*1000000000' 2>/dev/null) || true
    if [[ "$_ts" =~ ^[0-9]+$ ]]; then printf '%s' "$_ts"; return 0; fi
    # Last resort: second-level precision
    _ts=$(date +%s 2>/dev/null) || true
    if [[ "$_ts" =~ ^[0-9]+$ ]]; then printf '%s' "$(( _ts * 1000000000 ))"; return 0; fi
    printf '0'
}

_connection_quality() {
    local host="$1" port="${2:-22}"
    local start_ms end_ms

    # Validate host/port to prevent injection in bash -c /dev/tcp
    if ! [[ "$port" =~ ^[0-9]+$ ]]; then printf 'unknown'; return 0; fi
    if ! [[ "$host" =~ ^[a-zA-Z0-9._:-]+$ ]]; then printf 'unknown'; return 0; fi

    # Quick TCP connect test with 2s timeout (kills hangs from iptables DROP)
    start_ms=$(_get_ns_timestamp)

    local _cq_ok=false
    if command -v timeout &>/dev/null; then
        if timeout 2 bash -c ": </dev/tcp/${host}/${port}" 2>/dev/null; then
            _cq_ok=true
        fi
    elif command -v nc &>/dev/null; then
        if nc -z -w2 "$host" "$port" 2>/dev/null; then _cq_ok=true; fi
    fi

    if [[ "$_cq_ok" == true ]]; then
        end_ms=$(_get_ns_timestamp)

        if (( start_ms > 0 && end_ms > 0 )); then
            local latency_ms=$(( (end_ms - start_ms) / 1000000 ))
            if (( latency_ms < 50 )); then
                printf "excellent"
            elif (( latency_ms < 150 )); then
                printf "good"
            elif (( latency_ms < 300 )); then
                printf "fair"
            else
                printf "poor"
            fi
            return 0
        fi
    fi
    printf "unknown"
    return 0
}

# Map quality to visual indicator
_quality_icon() {
    case "$1" in
        excellent) printf "${GREEN}▁▃▅▇${RESET}" ;;
        good)      printf "${GREEN}▁▃▅${RESET}${DIM}▇${RESET}" ;;
        fair)      printf "${YELLOW}▁▃${RESET}${DIM}▅▇${RESET}" ;;
        poor)      printf "${RED}▁${RESET}${DIM}▃▅▇${RESET}" ;;
        *)         printf "${DIM}▁▃▅▇${RESET}" ;;
    esac
}

# ============================================================================
# DISPLAY HELPERS
# ============================================================================

show_banner() {
    printf "${BOLD_CYAN}"
    cat <<'BANNER'

  ╔════════════════════════════════════════════════════════════════╗
  ║  ▀▀█▀▀ █  █ █▄ █ █▄ █ █▀▀ █   █▀▀ █▀█ █▀█ █▀▀ █▀▀              ║
  ║    █   █  █ █ ▀█ █ ▀█ █▀▀ █   █▀  █ █ █▀█ █ █ █▀▀              ║
  ║    █    ▀▀  █  █ █  █ ▀▀▀ ▀▀▀ █   ▀▀▀ █ █ ▀▀▀ ▀▀▀              ║
  ╚════════════════════════════════════════════════════════════════╝
BANNER
    printf "${RESET}"
    printf "${DIM}  SSH Tunnel Manager v%s${RESET}\n\n" "$VERSION"
}

show_help() {
    show_banner
    printf '%b\n' "${BOLD}USAGE:${RESET}
    tunnelforge [command] [options]

${BOLD}TUNNEL COMMANDS:${RESET}
    start <name>         Start a tunnel
    stop <name>          Stop a tunnel
    restart <name>       Restart a tunnel
    start-all            Start all autostart tunnels
    stop-all             Stop all running tunnels
    status               Show all tunnel statuses
    dashboard, dash      Live TUI dashboard
    logs [name]          Tail tunnel logs

${BOLD}PROFILE COMMANDS:${RESET}
    list, ls             List all profiles
    create, new          Create new tunnel (wizard)
    delete <name>        Delete a profile

${BOLD}SECURITY COMMANDS:${RESET}
    audit                Run security audit
    key-gen [type]       Generate SSH key (ed25519/rsa)
    key-deploy <name>    Deploy SSH key to profile's server
    fingerprint <host>   Check SSH host fingerprint

${BOLD}TELEGRAM COMMANDS:${RESET}
    telegram setup       Configure Telegram bot
    telegram test        Send test message
    telegram status      Show notification config
    telegram send <msg>  Send a message via Telegram
    telegram report      Send status report now

${BOLD}SERVICE COMMANDS:${RESET}
    service <name>           Generate systemd service file
    service <name> enable    Enable + start service
    service <name> disable   Disable + stop service
    service <name> status    Show service status
    service <name> remove    Remove service file

${BOLD}SYSTEM COMMANDS:${RESET}
    menu                 Interactive TUI menu
    install              Install TunnelForge
    health               Run health check
    server-setup         Harden local server for tunnels
    server-setup <name>  Enable forwarding on remote server
    obfs-setup <name>    Set up TLS obfuscation (stunnel) on server
    client-config <name> Show client connection config (TLS+PSK)
    client-script <name> Generate client scripts (Linux + Windows)
    backup               Backup profiles + keys
    restore [file]       Restore from backup
    update               Check for updates and install latest
    uninstall            Remove everything
    version              Show version
    help                 Show this help

${BOLD}EXAMPLES:${RESET}
    tunnelforge create                   # Interactive wizard
    tunnelforge start office-proxy       # Start a tunnel
    tunnelforge dashboard                # Live monitoring
    tunnelforge service myproxy enable   # Autostart on boot
    tunnelforge backup                   # Backup everything
"
}

show_version() { printf "%s v%s\n" "$APP_NAME" "$VERSION"; }

show_status() {
    local profiles name
    profiles=$(list_profiles)

    if [[ -z "$profiles" ]]; then
        log_info "No profiles configured. Run 'tunnelforge create' to get started."
        return 0
    fi

    local _st_width
    _st_width=$(get_term_width)
    if (( _st_width > 120 )); then _st_width=120; fi
    if (( _st_width < 82 )); then _st_width=82; fi
    local _name_col=$(( _st_width - 62 ))
    if (( _name_col < 18 )); then _name_col=18; fi
    printf "\n${BOLD}%-${_name_col}s %-8s %-10s %-22s %-12s %-10s${RESET}\n" \
        "NAME" "TYPE" "STATUS" "LOCAL" "TRAFFIC" "UPTIME"
    print_line "─" "$_st_width"

    while IFS= read -r name; do
        [[ -z "$name" ]] && continue

        unset _st 2>/dev/null || true
        local -A _st=()
        load_profile "$name" _st 2>/dev/null || continue

        local ttype="${_st[TUNNEL_TYPE]:-?}"
        local addr="${_st[LOCAL_BIND_ADDR]:-}:${_st[LOCAL_PORT]:-}"

        if is_tunnel_running "$name"; then
            local up_s up_str traffic rchar wchar total traf_str
            up_s=$(get_tunnel_uptime "$name" 2>/dev/null || true)
            : "${up_s:=0}"
            up_str=$(format_duration "$up_s")
            traffic=$(get_tunnel_traffic "$name" 2>/dev/null || true)
            : "${traffic:=0 0}"
            read -r rchar wchar <<< "$traffic"
            [[ "$rchar" =~ ^[0-9]+$ ]] || rchar=0
            [[ "$wchar" =~ ^[0-9]+$ ]] || wchar=0
            total=$(( rchar + wchar ))
            traf_str=$(format_bytes "$total")

            local _nd=$(( _name_col - 2 ))
            printf "  %-${_nd}s %-8s %s %-7s %-22s %-12s %-10s\n" \
                "$name" "${ttype^^}" "${GREEN}●${RESET}" "${GREEN}ALIVE${RESET}" \
                "$addr" "$traf_str" "$up_str"
        else
            local _nd=$(( _name_col - 2 ))
            printf "  %-${_nd}s %-8s %s %-7s ${DIM}%-22s %-12s %-10s${RESET}\n" \
                "$name" "${ttype^^}" "${DIM}■${RESET}" "${DIM}STOP${RESET}" \
                "$addr" "0 B" "-"
        fi

    done <<< "$profiles"
    printf "\n"
}

# ============================================================================
# SETUP WIZARD  (Phase 2)
# ============================================================================

# Read a line from the terminal (works even when stdin is piped)
_read_tty() {
    local _prompt="$1" _var_name="$2" _default="${3:-}"
    local _input

    if [[ -n "$_default" ]]; then
        printf "${BOLD}%s${RESET} ${DIM}[%s]${RESET}: " "$_prompt" "$_default" >/dev/tty
    else
        printf "${BOLD}%s${RESET}: " "$_prompt" >/dev/tty
    fi

    if ! read -r _input </dev/tty; then
        # EOF on /dev/tty — use default if available, otherwise signal EOF
        if [[ -n "$_default" ]]; then
            _input="$_default"
        else
            printf -v "$_var_name" '%s' ""
            return 1
        fi
    fi
    _input="${_input:-$_default}"
    printf -v "$_var_name" '%s' "$_input"
}

_read_secret_tty() {
    local _prompt="$1" _var_name="$2" _default="${3:-}"
    local _input

    if [[ -n "$_default" ]]; then
        printf "${BOLD}%s${RESET} ${DIM}[****]${RESET}: " "$_prompt" >/dev/tty
    else
        printf "${BOLD}%s${RESET}: " "$_prompt" >/dev/tty
    fi

    if ! read -rs _input </dev/tty; then
        if [[ -n "$_default" ]]; then
            _input="$_default"
        else
            printf "\n" >/dev/tty
            printf -v "$_var_name" '%s' ""
            return 1
        fi
    fi
    printf "\n" >/dev/tty
    _input="${_input:-$_default}"
    printf -v "$_var_name" '%s' "$_input"
}

# Read a yes/no answer; returns 0=yes, 1=no
_read_yn() {
    local _prompt="$1" _default="${2:-n}"
    local _input _hint="y/N"
    if [[ "$_default" == "y" ]]; then _hint="Y/n"; fi

    printf "${BOLD}%s${RESET} ${DIM}[%s]${RESET}: " "$_prompt" "$_hint" >/dev/tty
    read -r _input </dev/tty || true
    _input="${_input:-$_default}"
    if [[ "${_input,,}" == "y" || "${_input,,}" == "yes" ]]; then return 0; else return 1; fi
}

# Display a numbered selection menu and return 0-based index
_select_option() {
    if [[ ! -t 0 ]] && [[ ! -e /dev/tty ]]; then
        log_error "Interactive terminal required"
        return 1
    fi
    local _title="$1"
    shift
    local _options=("$@")
    local _count=${#_options[@]}

    printf "\n${BOLD}%s${RESET}\n" "$_title" >/dev/tty
    local _sep=""
    for (( _si=0; _si<40; _si++ )); do _sep+="─"; done
    printf "  %s\n" "$_sep" >/dev/tty

    local _oi
    for (( _oi=0; _oi<_count; _oi++ )); do
        printf "  ${CYAN}%d${RESET}) %s\n" "$((_oi+1))" "${_options[$_oi]}" >/dev/tty
    done
    printf "\n" >/dev/tty

    local _choice
    while true; do
        printf "${BOLD}Select [1-%d]${RESET} ${DIM}(q=quit, b=back)${RESET}: " "$_count" >/dev/tty
        if ! read -r _choice </dev/tty; then return 1; fi
        if [[ "${_choice,,}" == "q" || "${_choice,,}" == "quit" ]]; then
            _WIZ_NAV="quit"; echo "q"; return 1
        fi
        if [[ "${_choice,,}" == "b" || "${_choice,,}" == "back" ]]; then
            _WIZ_NAV="back"; echo "b"; return 1
        fi
        if [[ "$_choice" =~ ^[0-9]+$ ]] && (( _choice >= 1 && _choice <= _count )); then
            _WIZ_NAV=""
            echo "$((_choice - 1))"
            return 0
        fi
        printf "  ${RED}Invalid choice. Try again.${RESET}\n" >/dev/tty
    done
}

# Wait for keypress
_press_any_key() {
    printf "\n${DIM}Press any key to continue...${RESET}" >/dev/tty 2>/dev/null || true
    read -rsn1 _ </dev/tty || true
    _drain_esc _
    printf "\n" >/dev/tty 2>/dev/null || true
}

# Test SSH connectivity
test_ssh_connection() {
    local host="$1" port="$2" user="$3" key="${4:-}" password="${5:-}"

    printf "\n${CYAN}Testing SSH connection to %s@%s:%s...${RESET}\n" \
        "$user" "$host" "$port" >/dev/tty

    local -a ssh_args=(-o "ConnectTimeout=10" -p "$port")
    # Use accept-new for test: accepts host key on first connect (saves to known_hosts),
    # rejects if key changes later. Subsequent tunnel connections use strict=yes.
    ssh_args+=(-o "StrictHostKeyChecking=accept-new")
    if [[ -n "$key" ]] && [[ -f "$key" ]]; then ssh_args+=(-i "$key"); fi

    local -a cmd_prefix=()
    if [[ -n "$password" ]]; then
        if ! command -v sshpass &>/dev/null; then
            printf "  ${DIM}Installing sshpass...${RESET}\n" >/dev/tty
            if [[ -n "${PKG_UPDATE:-}" ]]; then ${PKG_UPDATE} &>/dev/null || true; fi
            install_package "sshpass" 2>/dev/null || true
        fi
        if command -v sshpass &>/dev/null; then
            cmd_prefix=(env "SSHPASS=${password}" sshpass -e)
            ssh_args+=(-o "BatchMode=no")
        else
            # No sshpass — let SSH prompt interactively on /dev/tty
            ssh_args+=(-o "BatchMode=no")
            printf "  ${DIM}(sshpass unavailable — SSH will prompt for password)${RESET}\n" >/dev/tty
        fi
    else
        ssh_args+=(-o "BatchMode=yes")
    fi

    local _test_output _test_rc=0
    _test_output=$("${cmd_prefix[@]}" ssh "${ssh_args[@]}" "${user}@${host}" "echo ok" 2>&1 </dev/tty) || _test_rc=$?

    if [[ "$_test_rc" -eq 0 ]] && [[ "$_test_output" == *"ok"* ]]; then
        printf "  ${GREEN}● Authentication successful${RESET}\n" >/dev/tty
        return 0
    else
        printf "  ${RED}✗ Authentication failed${RESET}\n" >/dev/tty
        if [[ -n "$_test_output" ]]; then
            printf "  ${DIM}%s${RESET}\n" "$_test_output" >/dev/tty
        fi
        return 1
    fi
}

# ── Wizard navigation helpers ──

declare -g _WIZ_NAV=""

_wiz_read() {
    _WIZ_NAV=""
    local _wr_prompt="$1" _wr_var="$2" _wr_default="${3:-}"
    local _wr_input
    if [[ -n "$_wr_default" ]]; then
        printf "${BOLD}%s${RESET} ${DIM}[%s]${RESET} ${DIM}(q/b)${RESET}: " "$_wr_prompt" "$_wr_default" >/dev/tty
    else
        printf "${BOLD}%s${RESET} ${DIM}(q/b)${RESET}: " "$_wr_prompt" >/dev/tty
    fi
    if ! read -r _wr_input </dev/tty; then
        if [[ -n "$_wr_default" ]]; then _wr_input="$_wr_default"
        else printf -v "$_wr_var" '%s' ""; return 0; fi
    fi
    _wr_input="${_wr_input:-$_wr_default}"
    printf -v "$_wr_var" '%s' "$_wr_input"
    if [[ "${_wr_input,,}" == "q" || "${_wr_input,,}" == "quit" ]]; then
        _WIZ_NAV="quit"; printf -v "$_wr_var" '%s' ""
    elif [[ "${_wr_input,,}" == "b" || "${_wr_input,,}" == "back" ]]; then
        _WIZ_NAV="back"; printf -v "$_wr_var" '%s' ""
    fi
}

_wiz_yn() {
    _WIZ_NAV=""
    local _prompt="$1" _default="${2:-n}"
    local _input _hint="y/N"
    if [[ "$_default" == "y" ]]; then _hint="Y/n"; fi
    printf "${BOLD}%s${RESET} ${DIM}[%s] (q/b)${RESET}: " "$_prompt" "$_hint" >/dev/tty
    read -r _input </dev/tty || true
    if [[ "${_input,,}" == "q" || "${_input,,}" == "quit" ]]; then
        _WIZ_NAV="quit"; return 1
    fi
    if [[ "${_input,,}" == "b" || "${_input,,}" == "back" ]]; then
        _WIZ_NAV="back"; return 1
    fi
    _input="${_input:-$_default}"
    if [[ "${_input,,}" == "y" || "${_input,,}" == "yes" ]]; then return 0; else return 1; fi
}

_wiz_quit() { [[ "$_WIZ_NAV" == "quit" ]]; }
_wiz_back() { [[ "$_WIZ_NAV" == "back" ]]; }
_wiz_nav()  { [[ "$_WIZ_NAV" == "quit" || "$_WIZ_NAV" == "back" ]]; }

_wiz_header() {
    printf "\n${BOLD_CYAN}── %s ──${RESET}  ${DIM}(q=quit, b=back)${RESET}\n\n" "$1" >/dev/tty
}

# ── Per-type sub-wizards ──

wizard_socks5() {
    local -n _ws_prof="$1"
    local _ss=1 bind="" port=""

    while (( _ss >= 1 )); do
    case $_ss in
    1)
        printf "\n${BOLD_MAGENTA}── SOCKS5 Proxy Configuration ──${RESET}  ${DIM}(q=quit, b=back)${RESET}\n\n" >/dev/tty
        cat >/dev/tty <<'DIAGRAM'
    ┌──────────┐          ┌──────────┐          ┌──────────┐
    │  Client  │──SOCKS5──│ SSH Host │──────────│ Internet │
    │ (local)  │  :1080   │ (proxy)  │          │          │
    └──────────┘          └──────────┘          └──────────┘
      ssh -D 1080 user@host
DIAGRAM
        printf "\n" >/dev/tty
        printf "${DIM}  Your apps connect to a local SOCKS5 port and${RESET}\n" >/dev/tty
        printf "${DIM}  all traffic routes through the SSH server.${RESET}\n" >/dev/tty
        printf "${DIM}  After setup: set your browser proxy to this${RESET}\n" >/dev/tty
        printf "${DIM}  address and port.${RESET}\n\n" >/dev/tty
        printf "${DIM}  Tip: 127.0.0.1 = local only${RESET}\n" >/dev/tty
        printf "${DIM}        0.0.0.0 = allow LAN devices${RESET}\n" >/dev/tty
        _wiz_read "Local bind address" bind "${_ws_prof[LOCAL_BIND_ADDR]:-127.0.0.1}"
        if _wiz_quit; then return 1; fi
        if _wiz_back; then return 2; fi
        if ! { validate_ip "$bind" || validate_ip6 "$bind" || [[ "$bind" == "localhost" ]] || [[ "$bind" == "*" ]]; }; then
            printf "  ${RED}Invalid bind address: ${bind}${RESET}\n" >/dev/tty; continue
        fi
        (( ++_ss )) ;;
    2)
        printf "${DIM}  Tip: Common ports: 1080 (standard), 9050 (Tor-style). Avoid ports < 1024${RESET}\n" >/dev/tty
        _wiz_read "Local SOCKS5 port" port "${_ws_prof[LOCAL_PORT]:-1080}"
        if _wiz_quit; then return 1; fi
        if _wiz_back; then (( --_ss )); continue; fi
        if ! validate_port "$port"; then
            printf "  ${RED}Invalid port: ${port}${RESET}\n" >/dev/tty; continue
        fi
        if ! _check_port_conflict "$port"; then continue; fi
        _ws_prof[LOCAL_BIND_ADDR]="$bind"
        _ws_prof[LOCAL_PORT]="$port"
        _ws_prof[REMOTE_HOST]=""
        _ws_prof[REMOTE_PORT]=""
        return 0 ;;
    esac
    done
}

wizard_local_forward() {
    local -n _wlf_prof="$1"
    local _ls=1 bind="" lport="" rhost="" rport=""

    while (( _ls >= 1 )); do
    case $_ls in
    1)
        printf "\n${BOLD_MAGENTA}── Local Port Forward Configuration ──${RESET}  ${DIM}(q=quit, b=back)${RESET}\n\n" >/dev/tty
        cat >/dev/tty <<'DIAGRAM'
    ┌──────────┐          ┌──────────┐          ┌──────────┐
    │  Client  │──Local───│ SSH Host │──────────│  Remote  │
    │  :8080   │  Fwd     │ (relay)  │          │  :8080   │
    └──────────┘          └──────────┘          └──────────┘
      ssh -L 8080:127.0.0.1:8080 user@host
DIAGRAM
        printf "\n" >/dev/tty
        printf "${DIM}  A port opens on THIS machine and connects${RESET}\n" >/dev/tty
        printf "${DIM}  through SSH to a service on the remote side.${RESET}\n" >/dev/tty
        printf "${DIM}  Example: VPS port 3306 (MySQL) → localhost:3306${RESET}\n\n" >/dev/tty
        printf "${DIM}  Tip: 127.0.0.1 = local only${RESET}\n" >/dev/tty
        printf "${DIM}        0.0.0.0 = allow LAN devices${RESET}\n" >/dev/tty
        _wiz_read "Local bind address" bind "${_wlf_prof[LOCAL_BIND_ADDR]:-127.0.0.1}"
        if _wiz_quit; then return 1; fi
        if _wiz_back; then return 2; fi
        if ! { validate_ip "$bind" || validate_ip6 "$bind" || [[ "$bind" == "localhost" ]] || [[ "$bind" == "*" ]]; }; then
            printf "  ${RED}Invalid bind address: ${bind}${RESET}\n" >/dev/tty; continue
        fi
        (( ++_ls )) ;;
    2)
        printf "${DIM}  Tip: The port you will connect to on THIS machine (e.g. 8080, 3306, 5432)${RESET}\n" >/dev/tty
        _wiz_read "Local port" lport "${_wlf_prof[LOCAL_PORT]:-8080}"
        if _wiz_quit; then return 1; fi
        if _wiz_back; then (( --_ls )); continue; fi
        if ! validate_port "$lport"; then
            printf "  ${RED}Invalid port: ${lport}${RESET}\n" >/dev/tty; continue
        fi
        if ! _check_port_conflict "$lport"; then continue; fi
        (( ++_ls )) ;;
    3)
        printf "${DIM}  Tip: 127.0.0.1 = service on the SSH server${RESET}\n" >/dev/tty
        printf "${DIM}  Or use another IP for a different machine.${RESET}\n" >/dev/tty
        _wiz_read "Remote target host" rhost "${_wlf_prof[REMOTE_HOST]:-127.0.0.1}"
        if _wiz_quit; then return 1; fi
        if _wiz_back; then (( --_ls )); continue; fi
        (( ++_ls )) ;;
    4)
        printf "${DIM}  Tip: The port of the service on the remote side (e.g. 8080, 3306, 443)${RESET}\n" >/dev/tty
        _wiz_read "Remote target port" rport "${_wlf_prof[REMOTE_PORT]:-8080}"
        if _wiz_quit; then return 1; fi
        if _wiz_back; then (( --_ls )); continue; fi
        if ! validate_port "$rport"; then
            printf "  ${RED}Invalid port: ${rport}${RESET}\n" >/dev/tty; continue
        fi
        _wlf_prof[LOCAL_BIND_ADDR]="$bind"
        _wlf_prof[LOCAL_PORT]="$lport"
        _wlf_prof[REMOTE_HOST]="$rhost"
        _wlf_prof[REMOTE_PORT]="$rport"
        return 0 ;;
    esac
    done
}

wizard_remote_forward() {
    local -n _wrf_prof="$1"
    local _rs=1 bind="" rport="" lhost="" lport=""

    while (( _rs >= 1 )); do
    case $_rs in
    1)
        printf "\n${BOLD_MAGENTA}── Remote (Reverse) Forward Configuration ──${RESET}  ${DIM}(q=quit, b=back)${RESET}\n\n" >/dev/tty
        cat >/dev/tty <<'DIAGRAM'
    ┌──────────────┐          ┌──────────────┐          ┌──────────┐
    │ THIS machine │──Reverse─│  SSH Server  │──Listen──│  Users   │
    │   :3000      │  Fwd     │    :9090     │          │          │
    └──────────────┘          └──────────────┘          └──────────┘
      ssh -R 9090:127.0.0.1:3000 user@host
DIAGRAM
        printf "\n" >/dev/tty
        printf "${DIM}  A port opens on the SSH SERVER and connects${RESET}\n" >/dev/tty
        printf "${DIM}  back to a service on THIS machine.${RESET}\n" >/dev/tty
        printf "${DIM}  Example: local :3000 → reachable at VPS:9090${RESET}\n\n" >/dev/tty
        printf "${DIM}  Tip: 127.0.0.1 = SSH server only${RESET}\n" >/dev/tty
        printf "${DIM}        0.0.0.0 = public (needs GatewayPorts=yes)${RESET}\n" >/dev/tty
        _wiz_read "Remote bind address (on SSH server)" bind "${_wrf_prof[LOCAL_BIND_ADDR]:-127.0.0.1}"
        if _wiz_quit; then return 1; fi
        if _wiz_back; then return 2; fi
        if ! { validate_ip "$bind" || validate_ip6 "$bind" || [[ "$bind" == "localhost" ]] || [[ "$bind" == "*" ]]; }; then
            printf "  ${RED}Invalid bind address: ${bind}${RESET}\n" >/dev/tty; continue
        fi
        (( ++_rs )) ;;
    2)
        printf "${DIM}  Tip: Port to open on the SSH server.${RESET}\n" >/dev/tty
        printf "${DIM}  Example: 9090, 8080, 443${RESET}\n" >/dev/tty
        _wiz_read "Remote listen port (on SSH server)" rport "${_wrf_prof[REMOTE_PORT]:-9090}"
        if _wiz_quit; then return 1; fi
        if _wiz_back; then (( --_rs )); continue; fi
        if ! validate_port "$rport"; then
            printf "  ${RED}Invalid port: ${rport}${RESET}\n" >/dev/tty; continue
        fi
        (( ++_rs )) ;;
    3)
        printf "${DIM}  Tip: 127.0.0.1 = this machine, or another${RESET}\n" >/dev/tty
        printf "${DIM}  IP for a LAN device.${RESET}\n" >/dev/tty
        _wiz_read "Local service host" lhost "${_wrf_prof[REMOTE_HOST]:-127.0.0.1}"
        if _wiz_quit; then return 1; fi
        if _wiz_back; then (( --_rs )); continue; fi
        (( ++_rs )) ;;
    4)
        printf "${DIM}  Tip: What port is your local service running on? (e.g. 3000, 8080, 22)${RESET}\n" >/dev/tty
        _wiz_read "Local service port" lport "${_wrf_prof[LOCAL_PORT]:-3000}"
        if _wiz_quit; then return 1; fi
        if _wiz_back; then (( --_rs )); continue; fi
        if ! validate_port "$lport"; then
            printf "  ${RED}Invalid port: ${lport}${RESET}\n" >/dev/tty; continue
        fi
        _wrf_prof[LOCAL_BIND_ADDR]="$bind"
        _wrf_prof[LOCAL_PORT]="$lport"
        _wrf_prof[REMOTE_HOST]="$lhost"
        _wrf_prof[REMOTE_PORT]="$rport"
        return 0 ;;
    esac
    done
}

wizard_jump_host() {
    local -n _wjh_prof="$1"
    local _js=1 jumps="" _jh_ttype="" bind="" port="" lport="" rhost="" rport=""

    while (( _js >= 1 )); do
    case $_js in
    1)
        printf "\n${BOLD_MAGENTA}── Jump Host (Multi-Hop) Configuration ──${RESET}  ${DIM}(q=quit, b=back)${RESET}\n\n" >/dev/tty
        cat >/dev/tty <<'DIAGRAM'
    ┌──────────┐     ┌──────────┐     ┌──────────┐     ┌──────────┐
    │  Client  │─────│  Jump 1  │─────│  Jump 2  │─────│  Target  │
    │ (local)  │     │ (relay)  │     │ (relay)  │     │ (final)  │
    └──────────┘     └──────────┘     └──────────┘     └──────────┘
      ssh -J jump1,jump2 user@target -D 1080
DIAGRAM
        printf "\n" >/dev/tty
        printf "${DIM}  SSH hops through intermediate servers${RESET}\n" >/dev/tty
        printf "${DIM}  to reach the final target.${RESET}\n" >/dev/tty
        printf "${DIM}  Use when target is behind a firewall.${RESET}\n\n" >/dev/tty
        printf "${DIM}  Tip: Comma-separated, in hop order.${RESET}\n" >/dev/tty
        printf "${DIM}  Format: user@host:port or just host${RESET}\n" >/dev/tty
        printf "${DIM}  e.g. admin@bastion:22,10.0.0.5${RESET}\n\n" >/dev/tty
        _wiz_read "Jump hosts (comma-separated)" jumps "${_wjh_prof[JUMP_HOSTS]:-}"
        if _wiz_quit; then return 1; fi
        if _wiz_back; then return 2; fi
        if [[ -z "$jumps" ]]; then
            printf "  ${RED}At least one jump host is required${RESET}\n" >/dev/tty; continue
        fi
        (( ++_js )) ;;
    2)
        # Select tunnel type at destination
        printf "\n${BOLD}Choose tunnel type at destination:${RESET}\n" >/dev/tty
        printf "${DIM}  SOCKS5 = route all traffic (VPN-like)${RESET}\n" >/dev/tty
        printf "${DIM}  Local Forward = access a specific port${RESET}\n" >/dev/tty
        local _jh_types=("SOCKS5 Proxy" "Local Port Forward")
        local _jh_choice
        _jh_choice=$(_select_option "Tunnel type at destination" "${_jh_types[@]}") || true
        # _select_option echoes "q"/"b" for nav (since _WIZ_NAV is lost in subshell)
        if [[ "$_jh_choice" == "q" ]]; then _WIZ_NAV="quit"; return 1; fi
        if [[ "$_jh_choice" == "b" ]]; then (( --_js )); continue; fi
        case "$_jh_choice" in
            0) _jh_ttype="socks5" ;;
            1) _jh_ttype="local" ;;
            *) continue ;;
        esac
        (( ++_js )) ;;
    3)
        printf "${DIM}  Tip: 127.0.0.1 = local only${RESET}\n" >/dev/tty
        printf "${DIM}        0.0.0.0 = allow LAN devices${RESET}\n" >/dev/tty
        if [[ "$_jh_ttype" == "socks5" ]]; then
            _wiz_read "Local SOCKS5 bind address" bind "${_wjh_prof[LOCAL_BIND_ADDR]:-127.0.0.1}"
        else
            _wiz_read "Local bind address" bind "${_wjh_prof[LOCAL_BIND_ADDR]:-127.0.0.1}"
        fi
        if _wiz_quit; then return 1; fi
        if _wiz_back; then (( --_js )); continue; fi
        if ! { validate_ip "$bind" || validate_ip6 "$bind" || [[ "$bind" == "localhost" ]] || [[ "$bind" == "*" ]]; }; then
            printf "  ${RED}Invalid bind address: ${bind}${RESET}\n" >/dev/tty; continue
        fi
        (( ++_js )) ;;
    4)
        if [[ "$_jh_ttype" == "socks5" ]]; then
            printf "${DIM}  Tip: Common ports: 1080 (standard), 9050 (Tor-style). Avoid ports < 1024${RESET}\n" >/dev/tty
            _wiz_read "Local SOCKS5 port" port "${_wjh_prof[LOCAL_PORT]:-1080}"
            if _wiz_quit; then return 1; fi
            if _wiz_back; then (( --_js )); continue; fi
            if ! validate_port "$port"; then
                printf "  ${RED}Invalid port: ${port}${RESET}\n" >/dev/tty; continue
            fi
            if ! _check_port_conflict "$port"; then continue; fi
            # Save SOCKS5 config
            _wjh_prof[JUMP_HOSTS]="$jumps"
            _wjh_prof[TUNNEL_TYPE]="socks5"
            _wjh_prof[LOCAL_BIND_ADDR]="$bind"
            _wjh_prof[LOCAL_PORT]="$port"
            _wjh_prof[REMOTE_HOST]=""
            _wjh_prof[REMOTE_PORT]=""
            return 0
        else
            printf "${DIM}  Tip: The port you will connect to on THIS machine (e.g. 8080, 3306, 5432)${RESET}\n" >/dev/tty
            _wiz_read "Local port" lport "${_wjh_prof[LOCAL_PORT]:-8080}"
            if _wiz_quit; then return 1; fi
            if _wiz_back; then (( --_js )); continue; fi
            if ! validate_port "$lport"; then
                printf "  ${RED}Invalid port: ${lport}${RESET}\n" >/dev/tty; continue
            fi
            if ! _check_port_conflict "$lport"; then continue; fi
            (( ++_js ))
        fi ;;
    5)
        printf "${DIM}  Tip: The host the final SSH server connects to (127.0.0.1 = the target itself)${RESET}\n" >/dev/tty
        _wiz_read "Remote target host" rhost "${_wjh_prof[REMOTE_HOST]:-127.0.0.1}"
        if _wiz_quit; then return 1; fi
        if _wiz_back; then (( --_js )); continue; fi
        (( ++_js )) ;;
    6)
        printf "${DIM}  Tip: The port of the service on the remote side (e.g. 8080, 3306, 443)${RESET}\n" >/dev/tty
        _wiz_read "Remote target port" rport "${_wjh_prof[REMOTE_PORT]:-8080}"
        if _wiz_quit; then return 1; fi
        if _wiz_back; then (( --_js )); continue; fi
        if ! validate_port "$rport"; then
            printf "  ${RED}Invalid port: ${rport}${RESET}\n" >/dev/tty; continue
        fi
        # Save Local Forward config
        _wjh_prof[JUMP_HOSTS]="$jumps"
        _wjh_prof[TUNNEL_TYPE]="local"
        _wjh_prof[LOCAL_BIND_ADDR]="$bind"
        _wjh_prof[LOCAL_PORT]="$lport"
        _wjh_prof[REMOTE_HOST]="$rhost"
        _wjh_prof[REMOTE_PORT]="$rport"
        return 0 ;;
    esac
    done
}

# ── Main wizard flow ──

wizard_create_profile() {
    if [[ ! -t 0 ]] && [[ ! -e /dev/tty ]]; then
        log_error "Interactive terminal required for wizard"
        return 1
    fi

    _WIZ_NAV=""
    local _step=1
    local name="" ssh_host="" ssh_port="" ssh_user="" ssh_password="" identity_key=""
    local tunnel_type="" type_choice="" desc=""
    local -A _new_profile=()

    while (( _step >= 1 )); do
    case $_step in

    1) # ── Profile name ──
        show_banner >/dev/tty
        _wiz_header "New Tunnel Profile"
        printf "${DIM}  A profile saves all settings for one tunnel connection.${RESET}\n" >/dev/tty
        printf "${DIM}  Tip: Use a short descriptive name (e.g. 'work-vpn', 'db-tunnel', 'home-proxy')${RESET}\n" >/dev/tty
        _wiz_read "Profile name" name ""
        if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
        if _wiz_back; then log_info "Already at first step"; continue; fi
        if [[ -z "$name" ]]; then
            printf "  ${RED}Name cannot be empty${RESET}\n" >/dev/tty; continue
        fi
        if ! validate_profile_name "$name"; then
            printf "  ${RED}Invalid name. Use letters, numbers, hyphens, underscores (max 64 chars)${RESET}\n" >/dev/tty; continue
        fi
        if [[ -f "$(_profile_path "$name")" ]]; then
            printf "  ${RED}Profile '%s' already exists${RESET}\n" "$name" >/dev/tty; continue
        fi
        (( ++_step )) ;;

    2) # ── Tunnel type selection ──
        _wiz_header "Choose Tunnel Type"
        printf "${DIM}  What type of tunnel do you need?${RESET}\n\n" >/dev/tty
        printf "  ${BOLD}SOCKS5 Proxy${RESET}    ${DIM}Route all traffic through${RESET}\n" >/dev/tty
        printf "  ${DIM}                the remote server (VPN-like)${RESET}\n\n" >/dev/tty
        printf "  ${BOLD}Local Forward${RESET}   ${DIM}Access a remote service${RESET}\n" >/dev/tty
        printf "  ${DIM}                on your local machine${RESET}\n\n" >/dev/tty
        printf "  ${BOLD}Remote Forward${RESET}  ${DIM}Expose a local service${RESET}\n" >/dev/tty
        printf "  ${DIM}                to the remote server${RESET}\n\n" >/dev/tty
        printf "  ${BOLD}Jump Host${RESET}       ${DIM}Connect through relay${RESET}\n" >/dev/tty
        printf "  ${DIM}                servers to the target${RESET}\n\n" >/dev/tty
        local _wz_types=("SOCKS5 Proxy (-D)" "Local Port Forward (-L)" "Remote/Reverse Forward (-R)" "Jump Host / Multi-hop (-J)")
        type_choice=$(_select_option "Select tunnel type" "${_wz_types[@]}") || true
        # _select_option echoes "q"/"b" for nav (since _WIZ_NAV is lost in subshell)
        if [[ "$type_choice" == "q" ]]; then log_info "Wizard cancelled"; return 0; fi
        if [[ "$type_choice" == "b" ]]; then (( --_step )); continue; fi
        case "$type_choice" in
            0) tunnel_type="socks5" ;;
            1) tunnel_type="local" ;;
            2) tunnel_type="remote" ;;
            3) tunnel_type="jump" ;;
            *) continue ;;
        esac
        (( ++_step )) ;;

    3) # ── SSH host ──
        _wiz_header "SSH Connection Details"
        printf "${DIM}  Enter the details of the SSH server you want to connect to.${RESET}\n\n" >/dev/tty
        case "$tunnel_type" in
            socks5)  printf "${DIM}  Tip: This server will proxy your traffic${RESET}\n" >/dev/tty ;;
            local)   printf "${DIM}  Tip: Server with the service you want to access${RESET}\n" >/dev/tty ;;
            remote)  printf "${DIM}  Tip: Server where your local service will be exposed${RESET}\n" >/dev/tty ;;
            jump)    printf "${DIM}  Tip: FINAL target server (jump hosts configured next)${RESET}\n" >/dev/tty ;;
        esac
        _wiz_read "SSH host (IP or hostname)" ssh_host "${ssh_host:-}"
        if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
        if _wiz_back; then (( --_step )); continue; fi
        if [[ -z "$ssh_host" ]]; then
            printf "  ${RED}SSH host is required${RESET}\n" >/dev/tty; continue
        fi
        if ! validate_hostname "$ssh_host"; then
            printf "  ${RED}Invalid hostname: ${ssh_host}${RESET}\n" >/dev/tty; continue
        fi
        (( ++_step )) ;;

    4) # ── SSH port ──
        printf "${DIM}  Tip: Default SSH port is 22. Change only if your server uses a custom port${RESET}\n" >/dev/tty
        _wiz_read "SSH port" ssh_port "${ssh_port:-$(config_get SSH_DEFAULT_PORT 22)}"
        if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
        if _wiz_back; then (( --_step )); continue; fi
        if ! validate_port "$ssh_port"; then
            printf "  ${RED}Invalid port: ${ssh_port}${RESET}\n" >/dev/tty; continue
        fi
        (( ++_step )) ;;

    5) # ── SSH user ──
        printf "${DIM}  Tip: The username to log in with (e.g. root, ubuntu, admin)${RESET}\n" >/dev/tty
        if [[ "$tunnel_type" == "jump" ]]; then
            printf "${DIM}  Note: This is the user on the FINAL target, not the jump host.${RESET}\n" >/dev/tty
        fi
        _wiz_read "SSH user" ssh_user "${ssh_user:-$(config_get SSH_DEFAULT_USER root)}"
        if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
        if _wiz_back; then (( --_step )); continue; fi
        (( ++_step )) ;;

    6) # ── SSH password ──
        printf "${DIM}  Tip: Enter your SSH password, or press Enter to skip if using SSH keys.${RESET}\n" >/dev/tty
        printf "${DIM}  The password is stored securely and used for automatic login.${RESET}\n" >/dev/tty
        if [[ "$tunnel_type" == "jump" ]]; then
            printf "${DIM}  Note: This is for the FINAL target, not the jump host.${RESET}\n" >/dev/tty
        fi
        _read_secret_tty "SSH password (Enter to skip)" ssh_password "$ssh_password" || true
        # No q/b detection for passwords — password could literally be "q" or "b"
        (( ++_step )) ;;

    7) # ── Identity key ──
        printf "${DIM}  Tip: Path to your SSH private key file (e.g. ~/.ssh/id_rsa, ~/.ssh/id_ed25519)${RESET}\n" >/dev/tty
        printf "${DIM}  Press Enter to skip if you entered a password above.${RESET}\n" >/dev/tty
        if [[ "$tunnel_type" == "jump" ]]; then
            printf "${DIM}  Note: This key is for the FINAL target, not the jump host.${RESET}\n" >/dev/tty
        fi
        _wiz_read "Identity key path (optional)" identity_key "${identity_key:-$(config_get SSH_DEFAULT_KEY)}"
        if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
        if _wiz_back; then (( --_step )); continue; fi
        if [[ -n "$identity_key" ]] && [[ ! -f "$identity_key" ]]; then
            log_warn "Key file not found: ${identity_key}"
            if ! _wiz_yn "Continue anyway?"; then
                if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
                if _wiz_back; then (( --_step )); continue; fi
                continue  # "no" → re-ask for key path
            fi
        fi
        (( ++_step )) ;;

    8) # ── Auth test ──
        _wiz_header "Testing Authentication"
        printf "${DIM}  Verifying SSH connection to ${ssh_user}@${ssh_host}:${ssh_port}...${RESET}\n" >/dev/tty
        if [[ "$tunnel_type" == "jump" ]]; then
            printf "${DIM}  Note: Direct test only — jump hosts are configured next.${RESET}\n" >/dev/tty
        fi
        if ! test_ssh_connection "$ssh_host" "$ssh_port" "$ssh_user" "$identity_key" "$ssh_password"; then
            printf "\n${DIM}  Common fixes: wrong password, wrong user,${RESET}\n" >/dev/tty
            printf "${DIM}  host unreachable, or SSH key not accepted.${RESET}\n" >/dev/tty
            if [[ "$tunnel_type" == "jump" ]]; then
                printf "${DIM}  For jump hosts, this test may fail if the${RESET}\n" >/dev/tty
                printf "${DIM}  target is only reachable via relay servers.${RESET}\n" >/dev/tty
            fi
            printf "${DIM}  'no' takes you back to edit details.${RESET}\n\n" >/dev/tty
            if ! _wiz_yn "Authentication failed. Continue anyway?"; then
                if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
                _step=5; continue  # back to user/password/key
            fi
        fi
        (( ++_step )) ;;

    9) # ── Type-specific sub-wizard ──
        _new_profile=(
            [PROFILE_NAME]="$name"
            [TUNNEL_TYPE]="$tunnel_type"
            [SSH_HOST]="$ssh_host"
            [SSH_PORT]="$ssh_port"
            [SSH_USER]="$ssh_user"
            [SSH_PASSWORD]="$ssh_password"
            [IDENTITY_KEY]="$identity_key"
            [LOCAL_BIND_ADDR]="127.0.0.1"
            [LOCAL_PORT]=""
            [REMOTE_HOST]=""
            [REMOTE_PORT]=""
            [JUMP_HOSTS]=""
            [SSH_OPTIONS]=""
            [AUTOSSH_ENABLED]="$(config_get AUTOSSH_ENABLED true)"
            [AUTOSSH_MONITOR_PORT]="0"
            [DNS_LEAK_PROTECTION]="false"
            [KILL_SWITCH]="false"
            [AUTOSTART]="false"
            [OBFS_MODE]="none"
            [OBFS_PORT]="443"
            [OBFS_LOCAL_PORT]=""
            [OBFS_PSK]=""
            [DESCRIPTION]=""
        )
        local _sub_rc=0
        case "$tunnel_type" in
            socks5)  wizard_socks5 _new_profile || _sub_rc=$? ;;
            local)   wizard_local_forward _new_profile || _sub_rc=$? ;;
            remote)  wizard_remote_forward _new_profile || _sub_rc=$? ;;
            jump)    wizard_jump_host _new_profile || _sub_rc=$? ;;
        esac
        if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
        if _wiz_back || (( _sub_rc == 2 )); then _step=2; continue; fi
        if (( _sub_rc != 0 )); then return 1; fi
        (( ++_step )) ;;

    10) # ── Connection mode: Regular SSH or TLS encrypted ──
        _wiz_header "Connection Mode"
        printf "${DIM}  Choose how your SSH connection reaches the server.${RESET}\n\n" >/dev/tty
        printf "  ${BOLD}1)${RESET} ${GREEN}Regular SSH${RESET} — standard SSH connection (default)\n" >/dev/tty
        printf "     ${DIM}Works everywhere SSH is not blocked.${RESET}\n" >/dev/tty
        printf "  ${BOLD}2)${RESET} ${CYAN}TLS Encrypted (stunnel)${RESET} — SSH wrapped in HTTPS\n" >/dev/tty
        printf "     ${DIM}Bypasses DPI firewalls (Iran, China, etc.)${RESET}\n" >/dev/tty
        printf "     ${DIM}Traffic looks like normal HTTPS on port 443.${RESET}\n\n" >/dev/tty
        printf "     Regular:                        TLS Encrypted:\n" >/dev/tty
        printf "     ┌──────┐ SSH:22 ┌──────┐       ┌──────┐ TLS:443 ┌────────┐\n" >/dev/tty
        printf "     │Client├────────┤Server│       │Client├─────────┤stunnel │\n" >/dev/tty
        printf "     └──────┘        └──────┘       └──────┘  HTTPS  │→SSH :22│\n" >/dev/tty
        printf "                                                      └────────┘\n" >/dev/tty
        printf "\n" >/dev/tty
        local _conn_mode=""
        _wiz_read "Connection mode [1=Regular, 2=TLS]" _conn_mode "1"
        if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
        if _wiz_back; then _step=2; continue; fi
        case "$_conn_mode" in
            2)
                _new_profile[OBFS_MODE]="stunnel"
                local _obfs_port=""
                printf "\n${DIM}  Port 443 mimics HTTPS (most effective).${RESET}\n" >/dev/tty
                printf "${DIM}  Only change if 443 is already in use on the server.${RESET}\n" >/dev/tty
                _wiz_read "TLS port" _obfs_port "${_new_profile[OBFS_PORT]:-443}"
                if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
                if _wiz_back; then continue; fi
                if ! validate_port "$_obfs_port"; then
                    printf "  ${RED}Invalid port: ${_obfs_port}${RESET}\n" >/dev/tty
                    continue
                fi
                # Check if port is available on the remote server
                printf "\n${DIM}  Checking port ${_obfs_port} on ${ssh_host}...${RESET}\n" >/dev/tty
                local _port_check_rc=0
                _obfs_remote_ssh _new_profile || _port_check_rc=1
                if (( _port_check_rc == 0 )); then
                    local _port_in_use=""
                    _port_in_use=$("${_OBFS_SSH_CMD[@]}" "ss -tln 2>/dev/null | grep -E ':${_obfs_port}[[:space:]]' | head -1" 2>/dev/null) || true
                    unset SSHPASS 2>/dev/null || true
                    if [[ -n "$_port_in_use" ]]; then
                        printf "  ${YELLOW}Port ${_obfs_port} is in use on ${ssh_host}:${RESET}\n" >/dev/tty
                        printf "  ${DIM}${_port_in_use}${RESET}\n" >/dev/tty
                        local _alt_port="8443"
                        if [[ "$_obfs_port" == "8443" ]]; then _alt_port="8444"; fi
                        printf "  ${DIM}Suggested alternative: ${_alt_port}${RESET}\n\n" >/dev/tty
                        _wiz_read "TLS port (try ${_alt_port})" _obfs_port "$_alt_port"
                        if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
                        if _wiz_back; then continue; fi
                        if ! validate_port "$_obfs_port"; then
                            printf "  ${RED}Invalid port: ${_obfs_port}${RESET}\n" >/dev/tty
                            continue
                        fi
                    else
                        printf "  ${GREEN}Port ${_obfs_port} is available${RESET}\n" >/dev/tty
                    fi
                else
                    unset SSHPASS 2>/dev/null || true
                    printf "  ${DIM}Could not check (SSH failed) — will verify during setup${RESET}\n" >/dev/tty
                fi
                _new_profile[OBFS_PORT]="$_obfs_port"

                printf "\n${DIM}  TunnelForge can install stunnel on your server automatically.${RESET}\n" >/dev/tty
                printf "${DIM}  This requires SSH access (using the credentials above).${RESET}\n" >/dev/tty
                if _wiz_yn "Set up stunnel on server now?"; then
                    _obfs_setup_stunnel_direct _new_profile || true
                fi
                printf "\n" >/dev/tty
                ;;
            *)
                _new_profile[OBFS_MODE]="none"
                ;;
        esac
        (( ++_step )) ;;

    11) # ── Inbound TLS protection (for VPS deployments) ──
        _wiz_header "Inbound Protection"
        printf "${DIM}  If this server is a VPS (not your home PC), users connecting${RESET}\n" >/dev/tty
        printf "${DIM}  from their devices need TLS protection too — otherwise DPI${RESET}\n" >/dev/tty
        printf "${DIM}  can detect the SOCKS5 traffic entering the VPS.${RESET}\n\n" >/dev/tty
        printf "     User PC ──TLS+PSK──→ This VPS ──tunnel──→ Exit VPS ──→ Internet\n\n" >/dev/tty
        printf "  ${BOLD}1)${RESET} ${GREEN}No inbound protection${RESET} — direct SOCKS5 access (default)\n" >/dev/tty
        printf "     ${DIM}Fine for home server or trusted LAN.${RESET}\n" >/dev/tty
        printf "  ${BOLD}2)${RESET} ${CYAN}TLS + PSK inbound${RESET} — encrypted + authenticated access\n" >/dev/tty
        printf "     ${DIM}Users need stunnel client + pre-shared key to connect.${RESET}\n" >/dev/tty
        printf "     ${DIM}Recommended for VPS in censored networks.${RESET}\n\n" >/dev/tty
        local _inbound_mode=""
        _wiz_read "Inbound protection [1=None, 2=TLS+PSK]" _inbound_mode "1"
        if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
        if _wiz_back; then (( --_step )); continue; fi
        case "$_inbound_mode" in
            2)
                local _ol_port=""
                printf "\n${DIM}  Choose a port for client TLS connections.${RESET}\n" >/dev/tty
                printf "${DIM}  Use 443 or 8443 to look like HTTPS traffic.${RESET}\n" >/dev/tty
                _wiz_read "Inbound TLS port" _ol_port "1443"
                if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
                if _wiz_back; then continue; fi
                if ! validate_port "$_ol_port"; then
                    printf "  ${RED}Invalid port: ${_ol_port}${RESET}\n" >/dev/tty
                    continue
                fi
                _new_profile[OBFS_LOCAL_PORT]="$_ol_port"

                # Auto-generate PSK
                printf "\n${DIM}  Generating pre-shared key...${RESET}\n" >/dev/tty
                local _gen_psk=""
                _gen_psk=$(_obfs_generate_psk) || true
                if [[ -z "$_gen_psk" ]]; then
                    printf "  ${RED}Failed to generate PSK${RESET}\n" >/dev/tty
                    continue
                fi
                _new_profile[OBFS_PSK]="$_gen_psk"
                printf "  ${GREEN}PSK generated${RESET} ${DIM}(will be shown after tunnel starts)${RESET}\n" >/dev/tty

                # Force 127.0.0.1 binding
                _new_profile[LOCAL_BIND_ADDR]="127.0.0.1"
                printf "  ${DIM}Bind address forced to 127.0.0.1 (stunnel handles external access)${RESET}\n" >/dev/tty
                printf "\n" >/dev/tty
                ;;
            *)
                _new_profile[OBFS_LOCAL_PORT]=""
                _new_profile[OBFS_PSK]=""
                ;;
        esac
        (( ++_step )) ;;

    12) # ── Optional settings ──
        _wiz_header "Optional Settings"
        printf "${DIM}  Tip: A short note to help you remember${RESET}\n" >/dev/tty
        printf "${DIM}  e.g. 'MySQL access', 'browsing proxy'${RESET}\n" >/dev/tty
        _wiz_read "Description (optional)" desc ""
        if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
        # Go back to tunnel type selection (step 9 reinits _new_profile, so skip it)
        if _wiz_back; then _step=2; continue; fi
        _new_profile[DESCRIPTION]="$desc"

        printf "\n${DIM}  AutoSSH auto-reconnects if the tunnel drops.${RESET}\n" >/dev/tty
        printf "${DIM}  Recommended for long-running tunnels.${RESET}\n" >/dev/tty
        if _wiz_yn "Enable AutoSSH reconnection?" "y"; then
            _new_profile[AUTOSSH_ENABLED]="true"
        else
            if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
            if _wiz_back; then continue; fi
            _new_profile[AUTOSSH_ENABLED]="false"
        fi

        printf "\n${DIM}  Creates a systemd service so this tunnel${RESET}\n" >/dev/tty
        printf "${DIM}  starts automatically on boot.${RESET}\n" >/dev/tty
        if _wiz_yn "Auto-start on system boot?"; then
            _new_profile[AUTOSTART]="true"
        else
            if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
            if _wiz_back; then continue; fi
        fi
        (( ++_step )) ;;

    13) # ── Summary + save ──
        printf "\n${BOLD_CYAN}── Profile Summary ──${RESET}\n\n" >/dev/tty
        printf "  ${BOLD}Name:${RESET}        %s\n" "$name" >/dev/tty
        printf "  ${BOLD}Type:${RESET}        %s\n" "${_new_profile[TUNNEL_TYPE]^^}" >/dev/tty
        printf "  ${BOLD}SSH Host:${RESET}    %s@%s:%s\n" "$ssh_user" "$ssh_host" "$ssh_port" >/dev/tty
        if [[ -n "$ssh_password" ]]; then
            printf "  ${BOLD}Password:${RESET}    ****\n" >/dev/tty
        fi
        if [[ -n "$identity_key" ]]; then
            printf "  ${BOLD}Key:${RESET}         %s\n" "$identity_key" >/dev/tty
        fi
        if [[ -n "${_new_profile[LOCAL_PORT]}" ]]; then
            printf "  ${BOLD}Local:${RESET}       %s:%s\n" "${_new_profile[LOCAL_BIND_ADDR]}" "${_new_profile[LOCAL_PORT]}" >/dev/tty
        fi
        if [[ -n "${_new_profile[REMOTE_HOST]}" ]]; then
            printf "  ${BOLD}Remote:${RESET}      %s:%s\n" "${_new_profile[REMOTE_HOST]}" "${_new_profile[REMOTE_PORT]}" >/dev/tty
        fi
        if [[ -n "${_new_profile[JUMP_HOSTS]}" ]]; then
            printf "  ${BOLD}Jump Hosts:${RESET}  %s\n" "${_new_profile[JUMP_HOSTS]}" >/dev/tty
        fi
        if [[ "${_new_profile[OBFS_MODE]:-none}" != "none" ]]; then
            printf "  ${BOLD}Obfuscation:${RESET} %s (port %s)\n" "${_new_profile[OBFS_MODE]}" "${_new_profile[OBFS_PORT]}" >/dev/tty
        fi
        if [[ -n "${_new_profile[OBFS_LOCAL_PORT]:-}" ]] && [[ "${_new_profile[OBFS_LOCAL_PORT]:-0}" != "0" ]]; then
            printf "  ${BOLD}Inbound TLS:${RESET} port %s (PSK protected)\n" "${_new_profile[OBFS_LOCAL_PORT]}" >/dev/tty
        fi
        printf "  ${BOLD}AutoSSH:${RESET}     %s\n" "${_new_profile[AUTOSSH_ENABLED]}" >/dev/tty
        printf "  ${BOLD}Autostart:${RESET}   %s\n" "${_new_profile[AUTOSTART]}" >/dev/tty
        if [[ -n "$desc" ]]; then
            printf "  ${BOLD}Description:${RESET} %s\n" "$desc" >/dev/tty
        fi
        printf "\n" >/dev/tty

        if ! _wiz_yn "Save this profile?" "y"; then
            if _wiz_quit; then log_info "Wizard cancelled"; return 0; fi
            if _wiz_back; then (( --_step )); continue; fi
            log_info "Profile creation cancelled"
            return 0
        fi

        local _wz_pfile
        _wz_pfile=$(_profile_path "$name")
        if ! _save_profile_data "$_wz_pfile" _new_profile; then
            log_error "Failed to save profile '${name}'"
            return 1
        fi
        log_success "Profile '${name}' created successfully"

        printf "\n${DIM}  You can start/stop tunnels from the main menu.${RESET}\n" >/dev/tty
        if _read_yn "Start tunnel now?"; then
            start_tunnel "$name" || true
            # Show "What's Next?" guide based on tunnel type
            local _wn_bind="${_new_profile[LOCAL_BIND_ADDR]}"
            local _wn_lport="${_new_profile[LOCAL_PORT]}"
            local _wn_rhost="${_new_profile[REMOTE_HOST]}"
            local _wn_rport="${_new_profile[REMOTE_PORT]}"
            local _wn_shost="${_new_profile[SSH_HOST]}"
            printf "\n${BOLD_CYAN}── What's Next? ──${RESET}\n\n" >/dev/tty
            case "${_new_profile[TUNNEL_TYPE]}" in
                socks5)
                    printf "  ${BOLD}Configure your apps to use the proxy:${RESET}\n\n" >/dev/tty
                    printf "  ${DIM}Browser (Firefox):${RESET}\n" >/dev/tty
                    printf "    Settings → Proxy → Manual config\n" >/dev/tty
                    printf "    SOCKS Host: ${BOLD}%s${RESET}  Port: ${BOLD}%s${RESET}\n" "$_wn_bind" "$_wn_lport" >/dev/tty
                    printf "    Select SOCKS v5, enable Proxy DNS\n\n" >/dev/tty
                    printf "  ${DIM}Test from command line:${RESET}\n" >/dev/tty
                    printf "    curl --socks5-hostname %s:%s https://ifconfig.me\n\n" "$_wn_bind" "$_wn_lport" >/dev/tty
                    if [[ "$_wn_bind" == "0.0.0.0" ]]; then
                        printf "  ${DIM}From other devices on your LAN, use${RESET}\n" >/dev/tty
                        printf "  ${DIM}this machine's IP instead of 0.0.0.0${RESET}\n\n" >/dev/tty
                    fi ;;
                local)
                    printf "  ${BOLD}Access the remote service locally:${RESET}\n\n" >/dev/tty
                    printf "  ${DIM}Open in browser or connect to:${RESET}\n" >/dev/tty
                    printf "    http://%s:%s\n\n" "$_wn_bind" "$_wn_lport" >/dev/tty
                    printf "  ${DIM}This reaches %s:%s on the remote side${RESET}\n" "$_wn_rhost" "$_wn_rport" >/dev/tty
                    printf "  ${DIM}through the SSH tunnel.${RESET}\n\n" >/dev/tty
                    if [[ "$_wn_bind" == "0.0.0.0" ]]; then
                        printf "  ${DIM}From other devices on your LAN, use${RESET}\n" >/dev/tty
                        printf "  ${DIM}this machine's IP instead of 0.0.0.0${RESET}\n\n" >/dev/tty
                    fi ;;
                remote)
                    printf "  ${BOLD}Before using this tunnel:${RESET}\n\n" >/dev/tty
                    printf "  ${DIM}1. Make sure a service is running on${RESET}\n" >/dev/tty
                    printf "     ${BOLD}%s:%s${RESET} (this machine)\n\n" "$_wn_rhost" "$_wn_lport" >/dev/tty
                    printf "  ${DIM}2. The service is now reachable at:${RESET}\n" >/dev/tty
                    printf "     ${BOLD}%s:%s${RESET} (on the SSH server)\n\n" "$_wn_bind" "$_wn_rport" >/dev/tty
                    printf "  ${DIM}Test from the SSH server:${RESET}\n" >/dev/tty
                    printf "    curl http://localhost:%s\n\n" "$_wn_rport" >/dev/tty ;;
                jump)
                    printf "  ${DIM}Same as the tunnel type you chose${RESET}\n" >/dev/tty
                    printf "  ${DIM}(SOCKS5 or Local Forward) but routed${RESET}\n" >/dev/tty
                    printf "  ${DIM}through the jump host(s).${RESET}\n\n" >/dev/tty ;;
            esac
        fi
        return 0 ;;

    esac
    done
}

setup_wizard() {
    wizard_create_profile || true
}

# ============================================================================
# INTERACTIVE MENUS  (Phase 2)
# ============================================================================

# Clear screen and show banner for menus
_menu_header() {
    local title="${1:-}"
    clear >/dev/tty 2>/dev/null || true
    show_banner >/dev/tty
    if [[ -n "$title" ]]; then
        printf "  ${BOLD_CYAN}%s${RESET}\n" "$title" >/dev/tty
        local _mh_sep=""
        for (( _mhi=0; _mhi<60; _mhi++ )); do _mh_sep+="─"; done
        printf "  %s\n\n" "$_mh_sep" >/dev/tty
    fi
}

# ── Settings menu ──

show_settings_menu() {
    while true; do
        _menu_header "Settings"

        printf "  ${BOLD}Current Defaults:${RESET}\n\n" >/dev/tty
        printf "    ${CYAN}1${RESET}) SSH User           : ${BOLD}%s${RESET}\n"  "$(config_get SSH_DEFAULT_USER root)" >/dev/tty
        printf "    ${CYAN}2${RESET}) SSH Port           : ${BOLD}%s${RESET}\n"  "$(config_get SSH_DEFAULT_PORT 22)" >/dev/tty
        printf "    ${CYAN}3${RESET}) SSH Key            : ${BOLD}%s${RESET}\n"  "$(config_get SSH_DEFAULT_KEY '(none)')" >/dev/tty
        printf "    ${CYAN}4${RESET}) Connect Timeout    : ${BOLD}%s${RESET}s\n" "$(config_get SSH_CONNECT_TIMEOUT 10)" >/dev/tty
        printf "    ${CYAN}5${RESET}) AutoSSH Enabled    : ${BOLD}%s${RESET}\n"  "$(config_get AUTOSSH_ENABLED true)" >/dev/tty
        printf "    ${CYAN}6${RESET}) AutoSSH Poll       : ${BOLD}%s${RESET}s\n" "$(config_get AUTOSSH_POLL 30)" >/dev/tty
        printf "    ${CYAN}7${RESET}) ControlMaster      : ${BOLD}%s${RESET}\n"  "$(config_get CONTROLMASTER_ENABLED false)" >/dev/tty
        printf "    ${CYAN}8${RESET}) Log Level          : ${BOLD}%s${RESET}\n"  "$(config_get LOG_LEVEL info)" >/dev/tty
        printf "    ${CYAN}9${RESET}) Dashboard Refresh  : ${BOLD}%s${RESET}s\n" "$(config_get DASHBOARD_REFRESH 5)" >/dev/tty
        printf "\n    ${YELLOW}0${RESET}) Back\n\n" >/dev/tty

        local _sm_choice
        printf "  ${BOLD}Select [0-9]${RESET}: " >/dev/tty
        read -rsn1 _sm_choice </dev/tty || true
        _drain_esc _sm_choice
        printf "\n" >/dev/tty

        case "$_sm_choice" in
            1)  local val; _read_tty "  SSH default user" val "$(config_get SSH_DEFAULT_USER root)" || true
                if [[ -n "$val" ]]; then
                    config_set "SSH_DEFAULT_USER" "$val"; save_settings || true
                else
                    log_error "User cannot be empty"; _press_any_key
                fi ;;
            2)  local val; _read_tty "  SSH default port" val "$(config_get SSH_DEFAULT_PORT 22)" || true
                if validate_port "$val"; then
                    config_set "SSH_DEFAULT_PORT" "$val"; save_settings || true
                else
                    log_error "Invalid port"; _press_any_key
                fi ;;
            3)  local val; _read_tty "  SSH default key path" val "$(config_get SSH_DEFAULT_KEY)" || true
                config_set "SSH_DEFAULT_KEY" "$val"; save_settings || true ;;
            4)  local val; _read_tty "  Connect timeout (seconds)" val "$(config_get SSH_CONNECT_TIMEOUT 10)" || true
                if [[ "$val" =~ ^[0-9]+$ ]] && (( val >= 1 )); then
                    config_set "SSH_CONNECT_TIMEOUT" "$val"; save_settings || true
                else
                    log_error "Must be a positive number"; _press_any_key
                fi ;;
            5)  local cur; cur=$(config_get AUTOSSH_ENABLED true)
                if [[ "$cur" == "true" ]]; then
                    config_set "AUTOSSH_ENABLED" "false"
                    log_success "AutoSSH disabled"
                else
                    config_set "AUTOSSH_ENABLED" "true"
                    log_success "AutoSSH enabled"
                fi
                save_settings || true ;;
            6)  local val; _read_tty "  AutoSSH poll interval (seconds)" val "$(config_get AUTOSSH_POLL 30)" || true
                if [[ "$val" =~ ^[0-9]+$ ]] && (( val >= 1 )); then
                    config_set "AUTOSSH_POLL" "$val"; save_settings || true
                else
                    log_error "Must be a positive number"; _press_any_key
                fi ;;
            7)  local cur; cur=$(config_get CONTROLMASTER_ENABLED false)
                if [[ "$cur" == "true" ]]; then
                    config_set "CONTROLMASTER_ENABLED" "false"
                    log_success "ControlMaster disabled"
                else
                    config_set "CONTROLMASTER_ENABLED" "true"
                    log_success "ControlMaster enabled"
                fi
                save_settings || true ;;
            8)  local _ll_opts=("debug" "info" "warn" "error")
                local _ll_idx
                if _ll_idx=$(_select_option "  Log level" "${_ll_opts[@]}"); then
                    config_set "LOG_LEVEL" "${_ll_opts[$_ll_idx]}"
                    save_settings || true
                fi ;;
            9)  local val; _read_tty "  Dashboard refresh rate (seconds)" val "$(config_get DASHBOARD_REFRESH 5)" || true
                if [[ "$val" =~ ^[0-9]+$ ]] && (( val >= 1 )); then
                    config_set "DASHBOARD_REFRESH" "$val"; save_settings || true
                else
                    log_error "Must be a positive number"; _press_any_key
                fi ;;
            0|q) return 0 ;;
            *) true ;;
        esac
    done
}

# ── Edit profile sub-menu ──

_edit_profile_menu() {
    local _ep_name="$1"
    local -A _eprof
    load_profile "$_ep_name" _eprof || { log_error "Cannot load profile"; return 1; }
    # Snapshot original values for dirty-check on discard
    local -A _eprof_orig
    local _ep_fld
    for _ep_fld in "${!_eprof[@]}"; do _eprof_orig[$_ep_fld]="${_eprof[$_ep_fld]}"; done

    while true; do
        _menu_header "Edit Profile: ${_ep_name}"

        printf "    ${CYAN}1${RESET}) SSH Host        : ${BOLD}%s${RESET}\n" "${_eprof[SSH_HOST]:-}" >/dev/tty
        printf "    ${CYAN}2${RESET}) SSH Port        : ${BOLD}%s${RESET}\n" "${_eprof[SSH_PORT]:-22}" >/dev/tty
        printf "    ${CYAN}3${RESET}) SSH User        : ${BOLD}%s${RESET}\n" "${_eprof[SSH_USER]:-}" >/dev/tty
        printf "    ${CYAN}4${RESET}) Identity Key    : ${BOLD}%s${RESET}\n" "${_eprof[IDENTITY_KEY]:-none}" >/dev/tty
        printf "    ${CYAN}5${RESET}) Local Bind      : ${BOLD}%s:%s${RESET}\n" "${_eprof[LOCAL_BIND_ADDR]:-}" "${_eprof[LOCAL_PORT]:-}" >/dev/tty
        printf "    ${CYAN}6${RESET}) Remote Target   : ${BOLD}%s:%s${RESET}\n" "${_eprof[REMOTE_HOST]:-}" "${_eprof[REMOTE_PORT]:-}" >/dev/tty
        printf "    ${CYAN}7${RESET}) AutoSSH         : ${BOLD}%s${RESET}\n" "${_eprof[AUTOSSH_ENABLED]:-true}" >/dev/tty
        printf "    ${CYAN}8${RESET}) Autostart       : ${BOLD}%s${RESET}\n" "${_eprof[AUTOSTART]:-false}" >/dev/tty
        printf "    ${CYAN}9${RESET}) Description     : ${BOLD}%s${RESET}\n" "${_eprof[DESCRIPTION]:-}" >/dev/tty
        printf "\n" >/dev/tty
        printf "    ${CYAN}a${RESET}) Kill Switch     : ${BOLD}%s${RESET}\n" "${_eprof[KILL_SWITCH]:-false}" >/dev/tty
        printf "    ${CYAN}b${RESET}) DNS Leak Prot.  : ${BOLD}%s${RESET}\n" "${_eprof[DNS_LEAK_PROTECTION]:-false}" >/dev/tty
        printf "    ${CYAN}c${RESET}) TLS Obfuscation : ${BOLD}%s${RESET}\n" "${_eprof[OBFS_MODE]:-none}" >/dev/tty
        printf "    ${CYAN}d${RESET}) TLS Port        : ${BOLD}%s${RESET}\n" "${_eprof[OBFS_PORT]:-443}" >/dev/tty
        printf "    ${CYAN}e${RESET}) Jump Hosts      : ${BOLD}%s${RESET}\n" "${_eprof[JUMP_HOSTS]:-none}" >/dev/tty
        printf "\n    ${GREEN}s${RESET}) Save changes\n" >/dev/tty
        printf "    ${YELLOW}0${RESET}) Back (discard)\n\n" >/dev/tty

        local _ep_choice
        printf "  ${BOLD}Select${RESET}: " >/dev/tty
        read -rsn1 _ep_choice </dev/tty || true
        _drain_esc _ep_choice
        printf "\n" >/dev/tty

        case "$_ep_choice" in
            1)  local val; _read_tty "  SSH host" val "${_eprof[SSH_HOST]:-}" || true
                if validate_hostname "$val" || validate_ip "$val"; then
                    _eprof[SSH_HOST]="$val"
                else
                    log_error "Invalid hostname or IP"; _press_any_key
                fi ;;
            2)  local val; _read_tty "  SSH port" val "${_eprof[SSH_PORT]:-22}" || true
                if validate_port "$val"; then
                    _eprof[SSH_PORT]="$val"
                else
                    log_error "Invalid port"; _press_any_key
                fi ;;
            3)  local val; _read_tty "  SSH user" val "${_eprof[SSH_USER]:-}" || true
                if [[ -n "$val" ]] && [[ "$val" =~ ^[a-zA-Z0-9._@-]+$ ]]; then
                    _eprof[SSH_USER]="$val"
                elif [[ -z "$val" ]]; then
                    log_warn "SSH user cleared — will use default ($(config_get SSH_DEFAULT_USER root))"
                    _eprof[SSH_USER]=""
                else
                    log_error "Invalid SSH user"; _press_any_key
                fi ;;
            4)  local val; _read_tty "  Identity key path" val "${_eprof[IDENTITY_KEY]:-}" || true
                _eprof[IDENTITY_KEY]="$val" ;;
            5)  local bval pval
                _read_tty "  Bind address" bval "${_eprof[LOCAL_BIND_ADDR]:-127.0.0.1}" || true
                _read_tty "  Local port" pval "${_eprof[LOCAL_PORT]:-}" || true
                if ! { validate_ip "$bval" || validate_ip6 "$bval" || [[ "$bval" == "localhost" ]] || [[ "$bval" == "*" ]]; }; then
                    log_error "Invalid bind address — changes discarded"; _press_any_key
                elif ! validate_port "$pval"; then
                    log_error "Invalid port — changes discarded"; _press_any_key
                else
                    _eprof[LOCAL_BIND_ADDR]="$bval"
                    _eprof[LOCAL_PORT]="$pval"
                fi ;;
            6)  local hval pval
                _read_tty "  Remote host" hval "${_eprof[REMOTE_HOST]:-}" || true
                _read_tty "  Remote port" pval "${_eprof[REMOTE_PORT]:-}" || true
                if [[ -z "$pval" ]] && [[ "${_eprof[TUNNEL_TYPE]:-}" == "socks5" ]]; then
                    # SOCKS5 doesn't use remote host/port — allow clearing
                    _eprof[REMOTE_HOST]=""
                    _eprof[REMOTE_PORT]=""
                elif [[ -n "$pval" ]] && validate_port "$pval"; then
                    _eprof[REMOTE_HOST]="$hval"
                    _eprof[REMOTE_PORT]="$pval"
                else
                    log_error "Invalid port — changes discarded"; _press_any_key
                fi ;;
            7)  if [[ "${_eprof[AUTOSSH_ENABLED]:-true}" == "true" ]]; then
                    _eprof[AUTOSSH_ENABLED]="false"
                else
                    _eprof[AUTOSSH_ENABLED]="true"
                fi ;;
            8)  if [[ "${_eprof[AUTOSTART]:-false}" == "true" ]]; then
                    _eprof[AUTOSTART]="false"
                else
                    _eprof[AUTOSTART]="true"
                fi ;;
            9)  local val; _read_tty "  Description" val "${_eprof[DESCRIPTION]:-}" || true
                _eprof[DESCRIPTION]="$val" ;;
            a|A)  if [[ "${_eprof[KILL_SWITCH]:-false}" == "true" ]]; then
                    _eprof[KILL_SWITCH]="false"
                    log_info "Kill switch disabled"
                else
                    _eprof[KILL_SWITCH]="true"
                    log_warn "Kill switch enabled — blocks traffic if tunnel drops (requires root)"
                fi ;;
            b|B)  if [[ "${_eprof[DNS_LEAK_PROTECTION]:-false}" == "true" ]]; then
                    _eprof[DNS_LEAK_PROTECTION]="false"
                    log_info "DNS leak protection disabled"
                else
                    _eprof[DNS_LEAK_PROTECTION]="true"
                    log_warn "DNS leak protection enabled — rewrites resolv.conf (requires root)"
                fi ;;
            c|C)  if [[ "${_eprof[OBFS_MODE]:-none}" == "none" ]]; then
                    _eprof[OBFS_MODE]="stunnel"
                    log_info "TLS obfuscation enabled (stunnel)"
                else
                    _eprof[OBFS_MODE]="none"
                    log_info "TLS obfuscation disabled"
                fi ;;
            d|D)  local val; _read_tty "  TLS obfuscation port" val "${_eprof[OBFS_PORT]:-443}" || true
                if validate_port "$val"; then
                    _eprof[OBFS_PORT]="$val"
                else
                    log_error "Invalid port"; _press_any_key
                fi ;;
            e|E)  local val; _read_tty "  Jump hosts (user@host:port or blank)" val "${_eprof[JUMP_HOSTS]:-}" || true
                _eprof[JUMP_HOSTS]="$val" ;;
            s|S)
                if save_profile "$_ep_name" _eprof; then
                    log_success "Profile '${_ep_name}' saved"
                else
                    log_error "Failed to save profile '${_ep_name}'"
                fi
                _press_any_key
                return 0 ;;
            0|q)
                # Check if any field was modified
                local _ep_dirty=false _ep_ck
                for _ep_ck in "${!_eprof[@]}"; do
                    if [[ "${_eprof[$_ep_ck]}" != "${_eprof_orig[$_ep_ck]:-}" ]]; then
                        _ep_dirty=true; break
                    fi
                done
                if [[ "$_ep_dirty" == true ]]; then
                    if confirm_action "Discard unsaved changes?"; then
                        return 0
                    fi
                else
                    return 0
                fi ;;
            *) true ;;
        esac
    done
}

# ── Profile management menu ──

show_profiles_menu() {
    while true; do
        _menu_header "Profile Management"

        local _pm_profiles
        _pm_profiles=$(list_profiles)

        local _pm_names=()
        if [[ -z "$_pm_profiles" ]]; then
            printf "  ${DIM}No profiles configured.${RESET}\n\n" >/dev/tty
        else
            printf "  ${BOLD}%-4s %-18s %-8s %-12s %-22s${RESET}\n" \
                "#" "NAME" "TYPE" "STATUS" "LOCAL" >/dev/tty
            local _pm_sep=""
            for (( _pmi=0; _pmi<66; _pmi++ )); do _pm_sep+="─"; done
            printf "  %s\n" "$_pm_sep" >/dev/tty

            local _pm_idx=0
            while IFS= read -r _pm_name; do
                [[ -z "$_pm_name" ]] && continue
                (( ++_pm_idx ))
                _pm_names+=("$_pm_name")
                local _pm_type _pm_status _pm_local
                _pm_type=$(get_profile_field "$_pm_name" "TUNNEL_TYPE" 2>/dev/null) || true
                _pm_local="$(get_profile_field "$_pm_name" "LOCAL_BIND_ADDR" 2>/dev/null || true):$(get_profile_field "$_pm_name" "LOCAL_PORT" 2>/dev/null || true)"
                if is_tunnel_running "$_pm_name"; then
                    _pm_status="${GREEN}● running  ${RESET}"
                else
                    _pm_status="${DIM}■ stopped  ${RESET}"
                fi
                printf "  ${CYAN}%-4s${RESET} %-18s %-8s %b%-22s\n" \
                    "${_pm_idx}" "$_pm_name" "${_pm_type:-?}" "$_pm_status" "$_pm_local" >/dev/tty
            done <<< "$_pm_profiles"
        fi

        printf "\n" >/dev/tty
        printf "    ${CYAN}c${RESET}) Create new profile\n" >/dev/tty
        printf "    ${CYAN}d${RESET}) Delete a profile\n" >/dev/tty
        printf "    ${CYAN}e${RESET}) Edit a profile\n" >/dev/tty
        printf "    ${YELLOW}0${RESET}) Back\n\n" >/dev/tty

        local _pm_choice
        printf "  ${BOLD}Select${RESET}: " >/dev/tty
        read -rsn1 _pm_choice </dev/tty || true
        _drain_esc _pm_choice
        printf "\n" >/dev/tty

        case "$_pm_choice" in
            c|C) wizard_create_profile || true; _press_any_key ;;
            d|D)
                local _pm_dinput _pm_dname
                _read_tty "  Profile # or name to delete" _pm_dinput "" || true
                if [[ "$_pm_dinput" =~ ^[0-9]+$ ]] && (( _pm_dinput >= 1 && _pm_dinput <= ${#_pm_names[@]} )); then
                    _pm_dname="${_pm_names[$((_pm_dinput-1))]}"
                else
                    _pm_dname="$_pm_dinput"
                fi
                if [[ -n "$_pm_dname" ]] && validate_profile_name "$_pm_dname"; then
                    if confirm_action "Delete profile '${_pm_dname}'?"; then
                        delete_profile "$_pm_dname" || true
                    fi
                fi
                _press_any_key ;;
            e|E)
                local _pm_einput _pm_ename
                _read_tty "  Profile # or name to edit" _pm_einput "" || true
                if [[ "$_pm_einput" =~ ^[0-9]+$ ]] && (( _pm_einput >= 1 && _pm_einput <= ${#_pm_names[@]} )); then
                    _pm_ename="${_pm_names[$((_pm_einput-1))]}"
                else
                    _pm_ename="$_pm_einput"
                fi
                if [[ -n "$_pm_ename" ]] && validate_profile_name "$_pm_ename" && [[ -f "$(_profile_path "$_pm_ename")" ]]; then
                    _edit_profile_menu "$_pm_ename" || true
                else
                    log_error "Profile not found: ${_pm_ename}"
                    _press_any_key
                fi ;;
            0|q) return 0 ;;
            *) true ;;
        esac
    done
}

# ── About screen ──

show_about() {
    _menu_header ""
    local _ab_os _ab_w=58
    _ab_os="$(uname -s 2>/dev/null || echo unknown) $(uname -m 2>/dev/null || echo unknown)"
    local _ab_max_os=$(( _ab_w - 2 - 5 - 11 ))
    if (( ${#_ab_os} > _ab_max_os )); then _ab_os="${_ab_os:0:_ab_max_os}"; fi

    local _ab_border="" _abi
    for (( _abi=0; _abi < _ab_w - 2; _abi++ )); do _ab_border+="═"; done

    printf "\n  ${BOLD_CYAN}╔%s╗${RESET}\n" "$_ab_border" >/dev/tty
    printf "  ${BOLD_CYAN}║%-*s║${RESET}\n" "$((_ab_w - 2))" "" >/dev/tty
    printf "  ${BOLD_CYAN}║${RESET}   ${BOLD_WHITE}TunnelForge${RESET}  — SSH Tunnel Manager%*s${BOLD_CYAN}║${RESET}\n" \
        "$((_ab_w - 38))" "" >/dev/tty
    printf "  ${BOLD_CYAN}║%-*s║${RESET}\n" "$((_ab_w - 2))" "" >/dev/tty
    printf "  ${BOLD_CYAN}║${RESET}   ${DIM}%-*s${RESET}${BOLD_CYAN}║${RESET}\n" "$((_ab_w - 5))" "Version  : ${VERSION}" >/dev/tty
    printf "  ${BOLD_CYAN}║${RESET}   ${DIM}%-*s${RESET}${BOLD_CYAN}║${RESET}\n" "$((_ab_w - 5))" "Author   : SamNet Technologies, LLC" >/dev/tty
    printf "  ${BOLD_CYAN}║${RESET}   ${DIM}%-*s${RESET}${BOLD_CYAN}║${RESET}\n" "$((_ab_w - 5))" "License  : GPL v3.0" >/dev/tty
    printf "  ${BOLD_CYAN}║${RESET}   ${DIM}%-*s${RESET}${BOLD_CYAN}║${RESET}\n" "$((_ab_w - 5))" "Platform : ${_ab_os}" >/dev/tty
    printf "  ${BOLD_CYAN}║${RESET}   ${DIM}%-*s${RESET}${BOLD_CYAN}║${RESET}\n" "$((_ab_w - 5))" "GitHub   : github.com/SamNet-dev/tunnelforge" >/dev/tty
    printf "  ${BOLD_CYAN}║%-*s║${RESET}\n" "$((_ab_w - 2))" "" >/dev/tty
    printf "  ${BOLD_CYAN}║${RESET}   ${DIM}%-*s${RESET}${BOLD_CYAN}║${RESET}\n" "$((_ab_w - 5))" "A single-file SSH tunnel manager with TUI menu," >/dev/tty
    printf "  ${BOLD_CYAN}║${RESET}   ${DIM}%-*s${RESET}${BOLD_CYAN}║${RESET}\n" "$((_ab_w - 5))" "live dashboard, DNS leak protection, kill switch," >/dev/tty
    printf "  ${BOLD_CYAN}║${RESET}   ${DIM}%-*s${RESET}${BOLD_CYAN}║${RESET}\n" "$((_ab_w - 5))" "server hardening, and Telegram notifications." >/dev/tty
    printf "  ${BOLD_CYAN}║%-*s║${RESET}\n" "$((_ab_w - 2))" "" >/dev/tty
    printf "  ${BOLD_CYAN}║${RESET}   ${DIM}%-*s${RESET}${BOLD_CYAN}║${RESET}\n" "$((_ab_w - 5))" "This program is free software under the GNU GPL" >/dev/tty
    printf "  ${BOLD_CYAN}║${RESET}   ${DIM}%-*s${RESET}${BOLD_CYAN}║${RESET}\n" "$((_ab_w - 5))" "v3. See LICENSE file or gnu.org/licenses/gpl-3.0" >/dev/tty
    printf "  ${BOLD_CYAN}║%-*s║${RESET}\n" "$((_ab_w - 2))" "" >/dev/tty
    printf "  ${BOLD_CYAN}╚%s╝${RESET}\n\n" "$_ab_border" >/dev/tty
    _press_any_key
}

# ── Learn: SSH tunnel explanations ──

show_learn_menu() {
    while true; do
        _menu_header "Learn: SSH Tunnels"

        printf "    ${BOLD}── SSH Fundamentals ──${RESET}\n" >/dev/tty
        printf "    ${CYAN}1${RESET}) What is an SSH Tunnel?\n" >/dev/tty
        printf "    ${CYAN}2${RESET}) SOCKS5 Dynamic Proxy (-D)\n" >/dev/tty
        printf "    ${CYAN}3${RESET}) Local Port Forwarding (-L)\n" >/dev/tty
        printf "    ${CYAN}4${RESET}) Remote/Reverse Forwarding (-R)\n" >/dev/tty
        printf "    ${CYAN}5${RESET}) Jump Hosts & Multi-hop (-J)\n" >/dev/tty
        printf "    ${CYAN}6${RESET}) ControlMaster Multiplexing\n" >/dev/tty
        printf "    ${CYAN}7${RESET}) AutoSSH & Reconnection\n" >/dev/tty
        printf "\n    ${BOLD}── TLS Obfuscation ──${RESET}\n" >/dev/tty
        printf "    ${CYAN}8${RESET}) What is TLS Obfuscation?\n" >/dev/tty
        printf "    ${CYAN}9${RESET}) PSK Authentication\n" >/dev/tty
        printf "\n    ${BOLD}── Clients ──${RESET}\n" >/dev/tty
        printf "    ${CYAN}m${RESET}) Mobile Client Connection\n" >/dev/tty
        printf "\n    ${YELLOW}0${RESET}) Back\n\n" >/dev/tty

        local _lm_choice
        printf "  ${BOLD}Select${RESET}: " >/dev/tty
        read -rsn1 _lm_choice </dev/tty || true
        _drain_esc _lm_choice
        printf "\n" >/dev/tty

        case "$_lm_choice" in
            1) _learn_what_is_tunnel || true ;;
            2) _learn_socks5 || true ;;
            3) _learn_local_forward || true ;;
            4) _learn_remote_forward || true ;;
            5) _learn_jump_host || true ;;
            6) _learn_controlmaster || true ;;
            7) _learn_autossh || true ;;
            8) _learn_tls_obfuscation || true ;;
            9) _learn_psk_auth || true ;;
            m|M) _learn_mobile_client || true ;;
            0|q) return 0 ;;
            *) true ;;
        esac
    done
}

_learn_what_is_tunnel() {
    _menu_header "What is an SSH Tunnel?"
    cat >/dev/tty <<'EOF'

  An SSH tunnel creates an encrypted channel between your local
  machine and a remote server. Network traffic is forwarded through
  this encrypted tunnel, protecting it from eavesdropping.

  ┌──────────────────────────────────────────────────────────────┐
  │                                                              │
  │   ┌────────┐    Encrypted SSH Tunnel    ┌────────────┐       │
  │   │  Your  │ ══════════════════════════ │   Remote   │       │
  │   │Machine │       (port 22)            │   Server   │       │
  │   └────────┘                            └────────────┘       │
  │                                                              │
  │   All traffic inside the tunnel is encrypted and secure.     │
  │                                                              │
  └──────────────────────────────────────────────────────────────┘

  Common use cases:
    • Bypass firewalls and NAT
    • Secure access to remote services
    • Create encrypted SOCKS proxies
    • Expose local services to the internet

EOF
    _press_any_key
}

_learn_socks5() {
    _menu_header "SOCKS5 Dynamic Proxy (-D)"
    cat >/dev/tty <<'EOF'

  A SOCKS5 proxy creates a dynamic forwarding tunnel. Any application
  configured to use the SOCKS proxy will route traffic through the
  SSH server.

  ┌──────────┐     ┌─────────────┐     ┌───────────┐
  │ Browser  │────>│  SSH Server │────>│  Website  │
  │  :1080   │     │  (proxy)    │     │           │
  └──────────┘     └─────────────┘     └───────────┘

  Command:  ssh -D 1080 user@server

  Configure your browser/app to use:
    SOCKS5 proxy: 127.0.0.1:1080

  Benefits:
    • Route ALL TCP traffic through the tunnel
    • Appears to browse from the server's IP
    • Supports DNS resolution through proxy
    • Works with any SOCKS5-aware application

EOF
    _press_any_key
}

_learn_local_forward() {
    _menu_header "Local Port Forwarding (-L)"
    cat >/dev/tty <<'EOF'

  Local forwarding maps a port on your local machine to a port on
  a remote machine, through the SSH server.

  ┌──────────┐     ┌─────────────┐     ┌───────────┐
  │  Local   │────>│  SSH Server │────>│  Target   │
  │  :8080   │     │  (relay)    │     │  :80      │
  └──────────┘     └─────────────┘     └───────────┘

  Command:  ssh -L 8080:target:80 user@server

  Now http://localhost:8080 → target:80 via SSH server

  Use cases:
    • Access a database behind a firewall
    • Reach internal web apps securely
    • Connect to services on a private network

EOF
    _press_any_key
}

_learn_remote_forward() {
    _menu_header "Remote/Reverse Forwarding (-R)"
    cat >/dev/tty <<'EOF'

  Remote forwarding exposes a local service on the remote SSH server.
  Users connecting to the server's port reach your local machine.

  ┌──────────┐     ┌─────────────┐     ┌───────────┐
  │  Local   │<────│  SSH Server │<────│  Users    │
  │  :3000   │     │  :9090      │     │           │
  └──────────┘     └─────────────┘     └───────────┘

  Command:  ssh -R 9090:localhost:3000 user@server

  Now server:9090 → your localhost:3000

  Use cases:
    • Expose local dev server to the internet
    • Webhook development & testing
    • Remote access to services behind NAT
    • Demo local apps to clients

EOF
    _press_any_key
}

_learn_jump_host() {
    _menu_header "Jump Hosts & Multi-hop (-J)"
    cat >/dev/tty <<'EOF'

  Jump hosts let you reach a target through one or more intermediate
  SSH servers. Useful when the target is not directly accessible.

  ┌────────┐    ┌────────┐    ┌────────┐    ┌────────┐
  │ Local  │───>│ Jump 1 │───>│ Jump 2 │───>│ Target │
  │        │    │        │    │        │    │        │
  └────────┘    └────────┘    └────────┘    └────────┘

  Command:  ssh -J jump1,jump2 user@target

  Combined with tunnel:
    ssh -J jump1,jump2 -D 1080 user@target

  Use cases:
    • Reach servers in isolated networks
    • Multi-tier security environments
    • Bastion/jump box architectures
    • Chain through multiple datacenters

EOF
    _press_any_key
}

_learn_controlmaster() {
    _menu_header "ControlMaster Multiplexing"
    cat >/dev/tty <<'EOF'

  ControlMaster allows multiple SSH sessions to share a single
  network connection. Subsequent connections reuse the existing
  TCP connection and skip authentication.

  First connection (creates socket):
    ┌────────┐ ═══TCP═══ ┌────────┐
    │ Local  │──socket──>│ Server │
    └────────┘           └────────┘

  Subsequent connections (reuse socket):
    ┌────────┐ ──socket──>
    │ Local  │ ──socket──>  (instant, no auth)
    └────────┘ ──socket──>

  Config:
    ControlMaster  auto
    ControlPath    ~/.ssh/sockets/%r@%h:%p
    ControlPersist 600

  Benefits:
    • Instant connection for subsequent sessions
    • Reduced server authentication load
    • Shared connection for tunnels + shell

EOF
    _press_any_key
}

_learn_autossh() {
    _menu_header "AutoSSH & Reconnection"
    cat >/dev/tty <<'EOF'

  AutoSSH monitors an SSH connection and automatically restarts
  it if the connection drops. Essential for persistent tunnels.

  ┌──────────┐          ┌──────────┐
  │ AutoSSH  │──watch──>│  SSH     │
  │ (monitor)│──restart>│ (tunnel) │
  └──────────┘          └──────────┘

  How it works:
    1. AutoSSH launches SSH with your tunnel config
    2. It monitors the connection health
    3. If SSH dies, AutoSSH restarts it automatically
    4. Exponential backoff prevents rapid reconnection loops

  TunnelForge config:
    AUTOSSH_POLL      = 30   (seconds between health checks)
    AUTOSSH_GATETIME  = 30   (min uptime before restart)
    AUTOSSH_MONITOR   = 0    (use ServerAlive instead)

  Tip: Combined with systemd, AutoSSH gives you a tunnel
       that survives reboots AND network outages.

EOF
    _press_any_key
}

_learn_tls_obfuscation() {
    _menu_header "TLS Obfuscation (stunnel)"
    printf >/dev/tty '%s\n' \
'' \
'  THE PROBLEM:' \
'    Some countries (Iran, China, Russia) use Deep Packet' \
'    Inspection (DPI) to detect and block SSH connections.' \
'    Even though SSH is encrypted, DPI can identify the' \
'    SSH protocol by its handshake pattern.' \
'' \
'  THE SOLUTION — TLS WRAPPING:' \
'    Wrap SSH inside a TLS (HTTPS) connection using stunnel.' \
'    DPI sees standard HTTPS traffic — the same protocol' \
'    used by every website. It cannot tell SSH is inside.' \
'' \
'  WITHOUT OBFUSCATION:' \
'    ┌──────┐  SSH:22  ┌──────┐' \
'    │Client├─────────>│Server│    DPI: "This is SSH → BLOCK"' \
'    └──────┘          └──────┘' \
'' \
'  WITH TLS OBFUSCATION:' \
'    ┌──────┐ TLS:443 ┌────────┐' \
'    │Client├────────>│stunnel │   DPI: "This is HTTPS → ALLOW"' \
'    └──────┘ (HTTPS) │→SSH :22│' \
'                     └────────┘' \
'' \
'  HOW STUNNEL WORKS:' \
'    Server side:' \
'      stunnel listens on port 443 (TLS)' \
'      → unwraps TLS → forwards to SSH on port 22' \
'' \
'    Client side (TunnelForge handles this):' \
'      SSH uses ProxyCommand with openssl to connect' \
'      through the TLS tunnel instead of directly' \
'' \
'  WHY PORT 443?' \
'    Port 443 is the standard HTTPS port. Every website' \
'    uses it. Blocking port 443 would break the internet,' \
'    so censors cannot block it.' \
'' \
'  SETUP IN TUNNELFORGE:' \
'    In the wizard, at "Connection Mode", pick:' \
'    2) TLS Encrypted (stunnel)' \
'    TunnelForge auto-installs stunnel on your server.' \
'' \
'  TWO TYPES OF TLS IN TUNNELFORGE:' \
'    Outbound TLS — wraps SSH going TO a remote server' \
'    Inbound TLS  — wraps SOCKS5 port for clients coming IN' \
'    Both can be active at once for full-chain encryption.' \
''
    _press_any_key
}

_learn_psk_auth() {
    _menu_header "PSK Authentication"
    printf >/dev/tty '%s\n' \
'' \
'  WHAT IS PSK?' \
'    Pre-Shared Key — a shared secret between server and' \
'    client. Both sides know the same key. Only clients' \
'    with the correct key can connect.' \
'' \
'  WHY USE PSK?' \
'    When TunnelForge runs on a VPS and accepts connections' \
'    from user PCs, the SOCKS5 port needs protection:' \
'    - Without PSK: anyone who finds the port can use it' \
'    - With PSK: only authorized users can connect' \
'' \
'  HOW IT WORKS:' \
'    ┌──────────┐    TLS + PSK    ┌──────────────┐' \
'    │ User PC  ├────────────────>│ VPS stunnel  │' \
'    │ stunnel  │  "I know the    │ verifies PSK │' \
'    │ (client) │   secret key"   │ → SOCKS5     │' \
'    └──────────┘                 └──────────────┘' \
'' \
'    1. Server stunnel has a PSK secrets file' \
'    2. Client stunnel has the SAME PSK' \
'    3. During TLS handshake, they prove they share' \
'       the same key — no certificates needed' \
'    4. If key doesn'"'"'t match → connection refused' \
'' \
'  PSK FORMAT:' \
'    identity:hexkey' \
'    Example: tunnelforge:a1b2c3d4e5f6....' \
'' \
'  IN TUNNELFORGE:' \
'    PSK is auto-generated when you enable "Inbound TLS+PSK"' \
'    in the wizard (step 11). 32-byte random hex key.' \
'' \
'    View PSK:    tunnelforge client-config <profile>' \
'    Share setup: tunnelforge client-script <profile>' \
'' \
'  REVOKING ACCESS:' \
'    To block a user: change the PSK in the profile,' \
'    restart the tunnel, and send the new script only' \
'    to authorized users. Old PSK stops working.' \
''
    _press_any_key
}

_learn_mobile_client() {
    _menu_header "Mobile Client Connection"
    cat >/dev/tty <<'EOF'

  HOW TO CONNECT FROM A MOBILE PHONE

  Your TunnelForge tunnel runs on a server and exposes a SOCKS5
  port. To use it from a phone, you need a SOCKS5-capable app.

  ┌──────────┐    SOCKS5    ┌──────────────┐    SSH    ┌──────┐
  │  Phone   ├─────────────>│  VPS/Server  ├─────────>│ Dest │
  │  App     │  proxy conn  │  TunnelForge │  tunnel  │      │
  └──────────┘              └──────────────┘          └──────┘

  ── WITHOUT TLS/PSK (bind 0.0.0.0) ──

    Make sure your profile uses LOCAL_BIND_ADDR=0.0.0.0 so
    the SOCKS5 port accepts external connections.

    Android:
      • SocksDroid (free)   — set SOCKS5: <server_ip>:<port>
      • Drony               — per-app SOCKS5 routing
      • Any browser with proxy settings

    iOS:
      • Shadowrocket        — add SOCKS5 server
      • Surge / Quantumult  — SOCKS5 proxy node
      • iOS WiFi Settings   — HTTP proxy (limited)

    Settings:
      Type:    SOCKS5
      Server:  <your_server_ip>
      Port:    <LOCAL_PORT from profile>

    WARNING: Without PSK, anyone who finds the port can use
    your tunnel. Enable inbound TLS+PSK for protection.

  ── WITH TLS+PSK (recommended) ──

    When inbound TLS+PSK is enabled, stunnel wraps the SOCKS5
    port. Mobile clients need an stunnel-compatible layer:

    Android:
      1. Install SST (Simple Stunnel Tunnel) or Termux
      2. In Termux: pkg install stunnel, then use the config
         from: tunnelforge client-config <profile>
      3. Point your SOCKS5 app at 127.0.0.1:<OBFS_LOCAL_PORT>

    iOS:
      1. Shadowrocket supports TLS-over-SOCKS natively
      2. Or use iSH terminal + stunnel with client config

    Generate client config:
      tunnelforge client-config <profile>
      tunnelforge client-script <profile>

  ── QUICK CHECKLIST ──

    [ ] Server tunnel is running   (tunnelforge status)
    [ ] Firewall allows the port   (ufw allow <port>)
    [ ] Phone and server on same network, or port is public
    [ ] SOCKS5 app configured with correct IP:PORT
    [ ] If PSK: stunnel running on phone with correct key

EOF
    _press_any_key
}

# ── Example Scenarios ──

show_scenarios_menu() {
    while true; do
        _menu_header "Example Scenarios"

        printf "    ${BOLD}── Basic SSH Tunnels ──${RESET}\n" >/dev/tty
        printf "    ${CYAN}1${RESET}) SOCKS5 Proxy — Browse privately\n" >/dev/tty
        printf "    ${CYAN}2${RESET}) Local Forward — Access remote database\n" >/dev/tty
        printf "    ${CYAN}3${RESET}) Remote Forward — Share local website\n" >/dev/tty
        printf "    ${CYAN}4${RESET}) Jump Host — Reach a hidden server\n" >/dev/tty
        printf "\n    ${BOLD}── TLS Obfuscation (Anti-Censorship) ──${RESET}\n" >/dev/tty
        printf "    ${CYAN}5${RESET}) Client → VPS (single server, bypass DPI)\n" >/dev/tty
        printf "    ${CYAN}6${RESET}) Client → VPS → VPS (double TLS, full chain)\n" >/dev/tty
        printf "    ${CYAN}7${RESET}) Share tunnel with others (client script)\n" >/dev/tty
        printf "\n    ${YELLOW}0${RESET}) Back\n\n" >/dev/tty

        local _sc_choice
        printf "  ${BOLD}Select${RESET}: " >/dev/tty
        read -rsn1 _sc_choice </dev/tty || true
        _drain_esc _sc_choice
        printf "\n" >/dev/tty

        case "$_sc_choice" in
            1) _scenario_socks5 || true ;;
            2) _scenario_local_forward || true ;;
            3) _scenario_remote_forward || true ;;
            4) _scenario_jump_host || true ;;
            5) _scenario_tls_single_vps || true ;;
            6) _scenario_tls_double_vps || true ;;
            7) _scenario_tls_share_tunnel || true ;;
            0|q) return 0 ;;
            *) true ;;
        esac
    done
}

_scenario_socks5() {
    _menu_header "Scenario: Browse Privately via SOCKS5 Proxy"
    cat >/dev/tty <<'EOF'

  GOAL: Route your browser traffic through a VPS so websites
        see the VPS IP instead of your real IP.

  WHAT YOU NEED:
    • A VPS or remote server with SSH access
    • A browser (Firefox, Chrome, etc.)

  NETWORK DIAGRAM:

    ┌──────────┐          ┌──────────┐          ┌──────────┐
    │  Your PC │──SOCKS5──│   VPS    │──────────│ Internet │
    │  :1080   │  tunnel  │ (proxy)  │          │          │
    └──────────┘          └──────────┘          └──────────┘

  WIZARD SETTINGS:
    Tunnel type ......... SOCKS5 Proxy
    SSH host ............ Your VPS IP   (e.g. 45.33.32.10)
    SSH port ............ 22
    SSH user ............ root
    Bind address ........ 127.0.0.1     (local only)
                          0.0.0.0       (share with LAN)
    SOCKS port .......... 1080

  AFTER TUNNEL STARTS — CONFIGURE YOUR BROWSER:

    Firefox:
      1. Settings → search "proxy" → Manual proxy
      2. SOCKS Host: 127.0.0.1   Port: 1080
      3. Select "SOCKS v5"
      4. Check "Proxy DNS when using SOCKS v5"
      5. Click OK

    Chrome (command line):
      google-chrome --proxy-server="socks5://127.0.0.1:1080"

  TEST IT WORKS:
    From the command line:
      curl --socks5-hostname 127.0.0.1:1080 https://ifconfig.me
    → Should show your VPS IP, not your real IP

    If you used 0.0.0.0 as bind, other devices on your
    LAN can use it too:
      curl --socks5-hostname <server-lan-ip>:1080 https://ifconfig.me

EOF
    _press_any_key
}

_scenario_local_forward() {
    _menu_header "Scenario: Access a Remote Database Locally"
    cat >/dev/tty <<'EOF'

  GOAL: Access a MySQL database running on your VPS as if it
        were on your local machine.

  WHAT YOU NEED:
    • A VPS with MySQL running on port 3306
    • An SSH account on that VPS

  NETWORK DIAGRAM:

    ┌──────────┐          ┌──────────┐
    │  Your PC │──Local───│   VPS    │
    │  :3306   │  Forward │  MySQL   │
    │          │          │  :3306   │
    └──────────┘          └──────────┘

  WIZARD SETTINGS:
    Tunnel type ......... Local Port Forward
    SSH host ............ Your VPS IP   (e.g. 45.33.32.10)
    SSH port ............ 22
    SSH user ............ root
    Local bind .......... 127.0.0.1     (local only)
                          0.0.0.0       (share with LAN)
    Local port .......... 3306          (port on YOUR PC)
    Remote host ......... 127.0.0.1     (means "on the VPS")
    Remote port ......... 3306          (MySQL on VPS)

  AFTER TUNNEL STARTS — CONNECT:

    MySQL client:
      mysql -h 127.0.0.1 -P 3306 -u dbuser -p

    Web app (e.g. phpMyAdmin, DBeaver):
      Host: 127.0.0.1   Port: 3306

    Web service (e.g. a web server on VPS port 8080):
      Change remote port to 8080, then open:
        http://127.0.0.1:8080
      in your browser.

  TEST IT WORKS:
    If forwarding a web service:
      curl http://127.0.0.1:<local-port>

    If using 0.0.0.0 as bind, other LAN devices connect:
      http://<server-lan-ip>:<local-port>

  COMMON VARIATIONS:
    • Forward port 5432 for PostgreSQL
    • Forward port 6379 for Redis
    • Forward port 8080 for a web admin panel
    • Remote host can be another IP on the VPS network
      (e.g. 10.0.0.5:3306 for a DB on a private subnet)

EOF
    _press_any_key
}

_scenario_remote_forward() {
    _menu_header "Scenario: Share a Local Website with the World"
    cat >/dev/tty <<'EOF'

  GOAL: You have a website running on your local machine
        (e.g. port 3000) and want to make it accessible
        from the internet through your VPS.

  WHAT YOU NEED:
    • A local service running (e.g. Node.js on port 3000)
    • A VPS with SSH access and a public IP

  NETWORK DIAGRAM:

    ┌──────────────┐          ┌──────────────┐
    │  Your PC     │──Reverse─│     VPS      │
    │  localhost    │  Forward │   public IP  │
    │    :3000     │          │    :9090     │
    └──────────────┘          └──────────────┘
                                    ↑
                              Anyone can access
                              http://VPS-IP:9090

  WIZARD SETTINGS:
    Tunnel type ......... Remote/Reverse Forward
    SSH host ............ Your VPS IP   (e.g. 45.33.32.10)
    SSH port ............ 22
    SSH user ............ root
    Remote bind ......... 127.0.0.1     (VPS localhost only)
                          0.0.0.0       (public, needs
                                         GatewayPorts yes)
    Remote port ......... 9090          (port on VPS)
    Local host .......... 127.0.0.1     (your machine)
    Local port .......... 3000          (your service)

  BEFORE STARTING — MAKE SURE:
    1. Your local service is running:
         python3 -m http.server 3000
         (or node app.js, etc.)

    2. If using 0.0.0.0 bind, your VPS sshd_config
       needs: GatewayPorts yes
       Then restart sshd: systemctl restart sshd

  AFTER TUNNEL STARTS — TEST FROM VPS:
      ssh root@<vps-ip>
      curl http://localhost:9090
    → Should show your local website content

  TEST FROM ANYWHERE (if bind is 0.0.0.0):
      curl http://<vps-public-ip>:9090
    → Same content, accessible from the internet

  COMMON VARIATIONS:
    • Share a dev server for client demos
    • Receive webhooks from services like GitHub/Stripe
    • Remote access to a home service behind NAT
    • Expose port 22 to allow SSH into your home PC

EOF
    _press_any_key
}

_scenario_jump_host() {
    _menu_header "Scenario: Reach a Server Behind a Firewall"
    cat >/dev/tty <<'EOF'

  GOAL: You need to access a server that is NOT directly
        reachable from the internet. You have SSH access
        to an intermediate "jump" server that CAN reach it.

  WHAT YOU NEED:
    • A jump server (bastion) you can SSH into
    • A target server the jump server can reach
    • SSH credentials for both servers

  NETWORK DIAGRAM:

    ┌──────────┐     ┌──────────┐     ┌──────────┐
    │  Your PC │────>│   Jump   │────>│  Target  │
    │          │     │ (bastion)│     │ (hidden) │
    └──────────┘     └──────────┘     └──────────┘
     You can't reach Target directly,
     but Jump can reach it.

  WIZARD SETTINGS (example with SOCKS5 at target):
    Tunnel type ......... Jump Host
    SSH host ............ Target IP    (e.g. 10.0.0.50)
    SSH port ............ 22
    SSH user ............ admin        (user on TARGET)
    SSH password ........ ****         (for TARGET)
    Jump hosts .......... root@bastion.example.com:22
    Dest tunnel type .... SOCKS5 Proxy
    Bind address ........ 127.0.0.1
    SOCKS port .......... 1080

  WIZARD SETTINGS (example with Local Forward):
    Tunnel type ......... Jump Host
    SSH host ............ 10.0.0.50    (target)
    SSH user ............ admin
    Jump hosts .......... root@45.33.32.10:22
    Dest tunnel type .... Local Port Forward
    Local bind .......... 0.0.0.0
    Local port .......... 8080
    Remote host ......... 127.0.0.1    (on the target)
    Remote port ......... 80           (web server)

  STEP-BY-STEP LOGIC:
    1. TunnelForge connects to the JUMP server first
    2. Through the jump server, it connects to TARGET
    3. Then it sets up your chosen tunnel (SOCKS5 or
       Local Forward) at the target

  AFTER TUNNEL STARTS:
    SOCKS5 mode:
      Set browser proxy to 127.0.0.1:1080
      curl --socks5-hostname 127.0.0.1:1080 https://ifconfig.me

    Local Forward mode:
      Open http://127.0.0.1:8080 in your browser
      → Shows the web server on the hidden target

  MULTIPLE JUMP HOSTS:
    You can chain through several servers:
      Jump hosts: user1@hop1:22,user2@hop2:22

    ┌────┐  ┌──────┐  ┌──────┐  ┌────────┐
    │ PC │─>│ Hop1 │─>│ Hop2 │─>│ Target │
    └────┘  └──────┘  └──────┘  └────────┘

  TIPS:
    • The SSH host/user/password are for the TARGET
    • Jump host credentials go in the jump hosts field
      (e.g. root@bastion:22)
    • Auth test may fail for the target — that's OK,
      the connection goes through the jump host

EOF
    _press_any_key
}

_scenario_tls_single_vps() {
    _menu_header "Scenario: Bypass Censorship (Single VPS)"
    printf >/dev/tty '%s\n' \
'' \
'  GOAL: You are in a censored country (Iran, China, etc.)' \
'        and your ISP blocks or detects SSH connections.' \
'        You want to browse freely using a VPS outside.' \
'' \
'  WHAT YOU NEED:' \
'    - 1 VPS outside the censored country (e.g. US, Europe)' \
'    - SSH access to that VPS' \
'' \
'  HOW IT WORKS:' \
'    SSH is wrapped in TLS so it looks like normal HTTPS.' \
'    Your ISP sees encrypted HTTPS traffic — not SSH.' \
'' \
'  NETWORK DIAGRAM:' \
'' \
'    Your PC (Iran)         VPS (Outside)' \
'    ┌──────────┐  TLS:443  ┌─────────────┐' \
'    │TunnelForge├──────────>│  stunnel    │' \
'    │ SOCKS5   │  (HTTPS)  │  → SSH :22  │──> Internet' \
'    │ :1080    │           └─────────────┘' \
'    └──────────┘' \
'     DPI sees: HTTPS traffic (allowed)' \
'' \
'  STEP-BY-STEP SETUP:' \
'    1. Install TunnelForge on your PC (Linux/WSL)' \
'    2. Run: tunnelforge wizard' \
'    3. Enter VPS connection details (host, user, password)' \
'    4. Pick tunnel type: SOCKS5 Proxy' \
'    5. At "Connection Mode": choose TLS Encrypted' \
'       - Port: 443 (or 8443 if 443 is busy)' \
'       - Say YES to "Set up stunnel on server now?"' \
'       - TunnelForge auto-installs stunnel on VPS' \
'    6. At "Inbound Protection": choose No (not needed,' \
'       you are connecting directly from your own PC)' \
'    7. Save and start the tunnel' \
'' \
'  AFTER TUNNEL STARTS:' \
'    Set browser SOCKS5 proxy: 127.0.0.1:1080' \
'    Test: curl --socks5-hostname 127.0.0.1:1080 https://ifconfig.me' \
'    → Should show VPS IP' \
'' \
'  WHAT DPI SEES:' \
'    Your PC ──HTTPS:443──> VPS IP' \
'    Looks like you are browsing a normal website.' \
''
    _press_any_key
}

_scenario_tls_double_vps() {
    _menu_header "Scenario: Double TLS Chain (Two VPS)"
    printf >/dev/tty '%s\n' \
'' \
'  GOAL: You run a shared proxy for multiple users.' \
'        One VPS is inside the censored country (relay),' \
'        one is outside (exit). Users connect to the relay' \
'        and traffic exits through the outside VPS.' \
'' \
'  WHAT YOU NEED:' \
'    - VPS-A: Inside censored country (e.g. Iran datacenter)' \
'    - VPS-B: Outside (e.g. US, Europe)' \
'' \
'  HOW IT WORKS:' \
'    Both legs are TLS-wrapped. Users connect with PSK.' \
'' \
'  NETWORK DIAGRAM:' \
'' \
'    Users           VPS-A (Iran)               VPS-B (Outside)' \
'    ┌──────┐ TLS+PSK ┌──────────────┐  TLS:443  ┌──────────┐' \
'    │ PC 1 ├────────>│ TunnelForge  ├──────────>│ stunnel  │' \
'    ├──────┤ :1443   │ stunnel+PSK  │  (HTTPS)  │ → SSH:22 │─> Net' \
'    │ PC 2 ├────────>│ → SOCKS5:1080│           └──────────┘' \
'    └──────┘         └──────────────┘' \
'     DPI sees: HTTPS     DPI sees: HTTPS' \
'' \
'  STEP-BY-STEP SETUP ON VPS-A:' \
'    1. Install TunnelForge on VPS-A' \
'    2. Run: tunnelforge wizard' \
'    3. SSH host = VPS-B IP, enter credentials' \
'    4. Tunnel type: SOCKS5 Proxy' \
'    5. Bind address: 0.0.0.0 (auto-forced to 127.0.0.1)' \
'    6. At "Connection Mode": choose TLS Encrypted' \
'       - Port: 443 (auto-installs stunnel on VPS-B)' \
'    7. At "Inbound Protection": choose TLS + PSK' \
'       - Port: 1443 (users connect here)' \
'       - PSK auto-generated' \
'    8. Save and start' \
'' \
'  AFTER TUNNEL STARTS:' \
'    TunnelForge shows the client config + PSK.' \
'    Generate a connect script for users:' \
'      tunnelforge client-script <profile>' \
'' \
'  USER SETUP (on each user PC):' \
'    Option A: Run the generated script:' \
'      ./tunnelforge-connect.sh' \
'      → Auto-installs stunnel, connects, done' \
'' \
'    Option B: Manual stunnel config:' \
'      tunnelforge client-config <profile>' \
'      → Shows stunnel.conf + psk.txt to copy' \
'' \
'    Then set browser proxy: 127.0.0.1:1080' \
'' \
'  WHAT DPI SEES:' \
'    User PC ──HTTPS:1443──> VPS-A (normal TLS)' \
'    VPS-A   ──HTTPS:443───> VPS-B (normal TLS)' \
'    No SSH protocol visible anywhere in the chain.' \
''
    _press_any_key
}

_scenario_tls_share_tunnel() {
    _menu_header "Scenario: Share Your Tunnel with Others"
    printf >/dev/tty '%s\n' \
'' \
'  GOAL: You have a working TLS tunnel on a VPS and want' \
'        to let friends/family use it from their own PCs.' \
'' \
'  WHAT YOU NEED:' \
'    - A running TunnelForge tunnel with Inbound TLS+PSK' \
'    - Friends who need to connect' \
'' \
'  HOW IT WORKS:' \
'    TunnelForge generates a one-file script. Users run it' \
'    and it auto-installs stunnel, configures everything,' \
'    and connects. No technical knowledge needed.' \
'' \
'  STEP 1 — GENERATE THE SCRIPT (on the server):' \
'' \
'    tunnelforge client-script <profile>' \
'' \
'    This creates: tunnelforge-connect.sh' \
'    The script contains the server address, port,' \
'    and the PSK — everything needed to connect.' \
'' \
'  STEP 2 — SEND IT TO USERS:' \
'    Share tunnelforge-connect.sh via:' \
'    - Telegram, WhatsApp, email, USB drive' \
'    - Any method that can transfer a small file' \
'' \
'  STEP 3 — USER RUNS THE SCRIPT:' \
'' \
'    chmod +x tunnelforge-connect.sh' \
'    ./tunnelforge-connect.sh' \
'' \
'    The script will:' \
'    1. Install stunnel if not present (apt/dnf/brew)' \
'    2. Write config files to ~/.tunnelforge-client/' \
'    3. Start stunnel and create a local SOCKS5 proxy' \
'    4. Print browser setup instructions' \
'' \
'  USER COMMANDS:' \
'    ./tunnelforge-connect.sh          Connect' \
'    ./tunnelforge-connect.sh stop     Disconnect' \
'    ./tunnelforge-connect.sh status   Check connection' \
'' \
'  AFTER CONNECTING:' \
'    Browser proxy: 127.0.0.1:<socks-port>' \
'    All traffic routes through your tunnel.' \
'' \
'  SECURITY NOTES:' \
'    - The script contains the PSK (shared secret)' \
'    - Only share with trusted people' \
'    - To revoke access: change PSK in profile,' \
'      regenerate script, and restart tunnel' \
'    - Each user gets their own local SOCKS5 proxy' \
'    - The server stunnel handles multiple connections' \
'' \
'  OTHER USEFUL COMMANDS:' \
'    tunnelforge client-config <profile>' \
'      → Show connection details + PSK (for manual setup)' \
'    tunnelforge client-script <profile> /path/to/output.sh' \
'      → Save script to specific location' \
''
    _press_any_key
}

# ── Menu helpers for start/stop ──

_menu_start_tunnel() {
    local _ms_profiles
    _ms_profiles=$(list_profiles)
    if [[ -z "$_ms_profiles" ]]; then
        log_info "No profiles found. Create one first."
        return 0
    fi

    printf "\n${BOLD}Available tunnels:${RESET}\n" >/dev/tty
    local _ms_names=() _ms_idx=0
    while IFS= read -r _ms_pn; do
        [[ -z "$_ms_pn" ]] && continue
        (( ++_ms_idx ))
        _ms_names+=("$_ms_pn")
        local _ms_st
        if is_tunnel_running "$_ms_pn"; then
            _ms_st="${GREEN}● running${RESET}"
        else
            _ms_st="${DIM}■ stopped${RESET}"
        fi
        printf "  ${CYAN}%d${RESET}) %-20s %b\n" "$_ms_idx" "$_ms_pn" "$_ms_st" >/dev/tty
    done <<< "$_ms_profiles"

    printf "\n" >/dev/tty
    local _ms_choice
    if ! _read_tty "Select tunnel # (or name)" _ms_choice ""; then return 0; fi

    local _ms_target
    if [[ "$_ms_choice" =~ ^[0-9]+$ ]] && (( _ms_choice >= 1 && _ms_choice <= ${#_ms_names[@]} )); then
        _ms_target="${_ms_names[$((_ms_choice-1))]}"
    else
        _ms_target="$_ms_choice"
    fi

    if [[ -n "$_ms_target" ]]; then
        start_tunnel "$_ms_target" || true
    fi
}

_menu_stop_tunnel() {
    local _mt_profiles
    _mt_profiles=$(list_profiles)
    if [[ -z "$_mt_profiles" ]]; then
        log_info "No profiles found. Create one first."
        return 0
    fi

    local _mt_names=() _mt_idx=0 _mt_header_shown=false
    while IFS= read -r _mt_pn; do
        [[ -z "$_mt_pn" ]] && continue
        if is_tunnel_running "$_mt_pn"; then
            if [[ "$_mt_header_shown" == false ]]; then
                printf "\n${BOLD}Running tunnels:${RESET}\n" >/dev/tty
                _mt_header_shown=true
            fi
            (( ++_mt_idx ))
            _mt_names+=("$_mt_pn")
            printf "  ${CYAN}%d${RESET}) %s\n" "$_mt_idx" "$_mt_pn" >/dev/tty
        fi
    done <<< "$_mt_profiles"

    if [[ ${#_mt_names[@]} -eq 0 ]]; then
        log_info "No running tunnels."
        return 0
    fi

    printf "\n" >/dev/tty
    local _mt_choice
    if ! _read_tty "Select tunnel # (or name)" _mt_choice ""; then return 0; fi

    local _mt_target
    if [[ "$_mt_choice" =~ ^[0-9]+$ ]] && (( _mt_choice >= 1 && _mt_choice <= ${#_mt_names[@]} )); then
        _mt_target="${_mt_names[$((_mt_choice-1))]}"
    else
        _mt_target="$_mt_choice"
    fi

    if [[ -n "$_mt_target" ]]; then
        stop_tunnel "$_mt_target" || true
    fi
}

# ── Security sub-menus ──

_menu_ssh_keys() {
    while true; do
        clear >/dev/tty 2>/dev/null || true
        printf "\n${BOLD_CYAN}═══ SSH Key Management ═══${RESET}\n\n" >/dev/tty
        printf "  ${CYAN}1${RESET}) Generate new SSH key\n" >/dev/tty
        printf "  ${CYAN}2${RESET}) Deploy key to server\n" >/dev/tty
        printf "  ${CYAN}3${RESET}) Check key permissions\n" >/dev/tty
        printf "  ${YELLOW}q${RESET}) Back\n\n" >/dev/tty

        local _mk_choice
        printf "  ${BOLD}Select${RESET}: " >/dev/tty
        read -rsn1 _mk_choice </dev/tty || true
        _drain_esc _mk_choice
        printf "\n" >/dev/tty

        case "$_mk_choice" in
            1)
                local _mk_type _mk_path
                _read_tty "Key type (ed25519/rsa/ecdsa)" _mk_type "ed25519" || true
                case "$_mk_type" in
                    ed25519|rsa|ecdsa) ;;
                    *) log_error "Unsupported key type: ${_mk_type} (use ed25519, rsa, or ecdsa)" ;;
                esac
                if [[ "$_mk_type" =~ ^(ed25519|rsa|ecdsa)$ ]]; then
                    _mk_path="${HOME}/.ssh/id_${_mk_type}"
                    generate_ssh_key "$_mk_type" "$_mk_path" || true
                fi
                _press_any_key ;;
            2)
                local _mk_name
                _read_tty "Profile name" _mk_name "" || true
                if [[ -n "$_mk_name" ]] && validate_profile_name "$_mk_name"; then
                    deploy_ssh_key "$_mk_name" || true
                elif [[ -n "$_mk_name" ]]; then
                    log_error "Invalid profile name: ${_mk_name}"
                fi
                _press_any_key ;;
            3)
                local _mk_kpath
                _read_tty "Key path" _mk_kpath "${HOME}/.ssh/id_ed25519" || true
                check_key_permissions "$_mk_kpath" || true
                _press_any_key ;;
            q|Q) return 0 ;;
            *) true ;;
        esac
    done
}

_menu_service_select() {
    local _msv_profiles
    _msv_profiles=$(list_profiles)
    if [[ -z "$_msv_profiles" ]]; then
        log_info "No profiles found. Create one first."
        return 0
    fi

    printf "\n${BOLD}Available profiles:${RESET}\n" >/dev/tty
    local _msv_names=() _msv_idx=0
    while IFS= read -r _msv_pn; do
        [[ -z "$_msv_pn" ]] && continue
        (( ++_msv_idx ))
        _msv_names+=("$_msv_pn")
        printf "  ${CYAN}%d${RESET}) %s\n" "$_msv_idx" "$_msv_pn" >/dev/tty
    done <<< "$_msv_profiles"

    printf "\n" >/dev/tty
    local _msv_choice
    if ! _read_tty "Select profile # (or name)" _msv_choice ""; then return 0; fi

    local _msv_target
    if [[ "$_msv_choice" =~ ^[0-9]+$ ]] && (( _msv_choice >= 1 && _msv_choice <= ${#_msv_names[@]} )); then
        _msv_target="${_msv_names[$((_msv_choice-1))]}"
    else
        _msv_target="$_msv_choice"
    fi

    if [[ -n "$_msv_target" ]]; then
        _menu_service "$_msv_target" || true
    fi
    return 0
}

_menu_fingerprint() {
    while true; do
        clear >/dev/tty 2>/dev/null || true
        printf "\n${BOLD_CYAN}═══ SSH Host Fingerprint Verification ═══${RESET}\n\n" >/dev/tty

        local _mf_choice
        printf "  ${CYAN}1${RESET}) Enter host manually\n" >/dev/tty
        printf "  ${CYAN}2${RESET}) Check from profile\n" >/dev/tty
        printf "  ${YELLOW}q${RESET}) Back\n\n" >/dev/tty

        printf "  ${BOLD}Select${RESET}: " >/dev/tty
        read -rsn1 _mf_choice </dev/tty || true
        _drain_esc _mf_choice
        printf "\n" >/dev/tty

        case "$_mf_choice" in
            1)
                local _mf_host _mf_port
                _read_tty "Host" _mf_host "" || true
                _read_tty "Port" _mf_port "22" || true
                if [[ -n "$_mf_host" ]]; then
                    if validate_port "$_mf_port"; then
                        verify_host_fingerprint "$_mf_host" "$_mf_port" || true
                    else
                        log_error "Invalid port: ${_mf_port}"
                    fi
                else
                    log_error "Host cannot be empty"
                fi
                _press_any_key ;;
            2)
                local _mf_name
                _read_tty "Profile name" _mf_name "" || true
                if [[ -n "$_mf_name" ]]; then
                    local -A _mf_prof
                    if load_profile "$_mf_name" _mf_prof 2>/dev/null; then
                        local _mf_h="${_mf_prof[SSH_HOST]:-}"
                        local _mf_p="${_mf_prof[SSH_PORT]:-22}"
                        if [[ -n "$_mf_h" ]]; then
                            verify_host_fingerprint "$_mf_h" "$_mf_p" || true
                        else
                            log_error "No SSH host in profile '${_mf_name}'"
                        fi
                    else
                        log_error "Cannot load profile '${_mf_name}'"
                    fi
                fi
                _press_any_key ;;
            q|Q) return 0 ;;
            *) true ;;
        esac
    done
}

# ── Main interactive menu ──

show_menu() {
    while true; do
        _menu_header ""

        # Quick status summary
        local _mm_profiles _mm_total=0 _mm_running=0
        _mm_profiles=$(list_profiles)
        if [[ -n "$_mm_profiles" ]]; then
            while IFS= read -r _mm_pn; do
                [[ -z "$_mm_pn" ]] && continue
                (( ++_mm_total ))
                if is_tunnel_running "$_mm_pn"; then
                    (( ++_mm_running ))
                fi
            done <<< "$_mm_profiles"
        fi

        printf "  ${DIM}Tunnels: ${RESET}${GREEN}%d running${RESET} ${DIM}/ %d total${RESET}\n\n" \
            "$_mm_running" "$_mm_total" >/dev/tty

        printf "  ${BOLD}── Tunnel Operations ──${RESET}\n" >/dev/tty
        printf "    ${CYAN}1${RESET}) ${BOLD}Create${RESET} new tunnel          ${DIM}Setup wizard${RESET}\n" >/dev/tty
        printf "    ${CYAN}2${RESET}) ${BOLD}Start${RESET} a tunnel             ${DIM}Launch SSH tunnel${RESET}\n" >/dev/tty
        printf "    ${CYAN}3${RESET}) ${BOLD}Stop${RESET} a tunnel              ${DIM}Terminate tunnel${RESET}\n" >/dev/tty
        printf "    ${CYAN}4${RESET}) ${BOLD}Start All${RESET} tunnels          ${DIM}Launch autostart tunnels${RESET}\n" >/dev/tty
        printf "    ${CYAN}5${RESET}) ${BOLD}Stop All${RESET} tunnels           ${DIM}Terminate all${RESET}\n" >/dev/tty

        printf "\n  ${BOLD}── Monitoring ──${RESET}\n" >/dev/tty
        printf "    ${CYAN}6${RESET}) ${BOLD}Status${RESET}                     ${DIM}Show tunnel statuses${RESET}\n" >/dev/tty
        printf "    ${CYAN}7${RESET}) ${BOLD}Dashboard${RESET}                  ${DIM}Live TUI dashboard${RESET}\n" >/dev/tty

        printf "\n  ${BOLD}── Management ──${RESET}\n" >/dev/tty
        printf "    ${CYAN}8${RESET}) ${BOLD}Profiles${RESET}                   ${DIM}Manage tunnel profiles${RESET}\n" >/dev/tty
        printf "    ${CYAN}9${RESET}) ${BOLD}Settings${RESET}                   ${DIM}Configure defaults${RESET}\n" >/dev/tty
        printf "    ${CYAN}s${RESET}) ${BOLD}Services${RESET}                   ${DIM}Systemd service manager${RESET}\n" >/dev/tty
        printf "    ${CYAN}b${RESET}) ${BOLD}Backup / Restore${RESET}           ${DIM}Manage backups${RESET}\n" >/dev/tty

        printf "\n  ${BOLD}── Security & Notifications ──${RESET}\n" >/dev/tty
        printf "    ${CYAN}x${RESET}) ${BOLD}Security Audit${RESET}             ${DIM}Check security posture${RESET}\n" >/dev/tty
        printf "    ${CYAN}k${RESET}) ${BOLD}SSH Key Management${RESET}         ${DIM}Generate & deploy keys${RESET}\n" >/dev/tty
        printf "    ${CYAN}f${RESET}) ${BOLD}Fingerprint Check${RESET}          ${DIM}Verify host fingerprints${RESET}\n" >/dev/tty
        printf "    ${CYAN}t${RESET}) ${BOLD}Telegram${RESET}                   ${DIM}Notification settings${RESET}\n" >/dev/tty
        printf "    ${CYAN}c${RESET}) ${BOLD}Client Configs${RESET}             ${DIM}TLS+PSK connection info${RESET}\n" >/dev/tty

        printf "\n  ${BOLD}── Information ──${RESET}\n" >/dev/tty
        printf "    ${CYAN}e${RESET}) ${BOLD}Examples${RESET}                   ${DIM}Real-world scenarios${RESET}\n" >/dev/tty
        printf "    ${CYAN}l${RESET}) ${BOLD}Learn${RESET}                      ${DIM}SSH tunnel concepts${RESET}\n" >/dev/tty
        printf "    ${CYAN}a${RESET}) ${BOLD}About${RESET}                      ${DIM}Version & info${RESET}\n" >/dev/tty
        printf "    ${CYAN}h${RESET}) ${BOLD}Help${RESET}                       ${DIM}CLI reference${RESET}\n" >/dev/tty

        printf "\n    ${CYAN}w${RESET}) ${BOLD}Update${RESET}                     ${DIM}Check for updates${RESET}\n" >/dev/tty
        printf "    ${RED}u${RESET}) ${BOLD}Uninstall${RESET}                  ${DIM}Remove everything${RESET}\n" >/dev/tty
        printf "    ${YELLOW}q${RESET}) ${BOLD}Quit${RESET}\n\n" >/dev/tty

        local _mm_choice
        printf "  ${BOLD}Select${RESET}: " >/dev/tty
        read -rsn1 _mm_choice </dev/tty || true
        _drain_esc _mm_choice
        printf "\n" >/dev/tty

        case "$_mm_choice" in
            1) wizard_create_profile || true; _press_any_key ;;
            2) _menu_start_tunnel || true; _press_any_key ;;
            3) _menu_stop_tunnel || true; _press_any_key ;;
            4) start_all_tunnels || true; _press_any_key ;;
            5) stop_all_tunnels || true; _press_any_key ;;
            6) show_status || true; _press_any_key ;;
            7) show_dashboard || true ;;
            8) show_profiles_menu || true ;;
            9) show_settings_menu || true ;;
            e|E) show_scenarios_menu || true ;;
            l|L) show_learn_menu || true ;;
            a|A) show_about || true ;;
            h|H) show_help || true; _press_any_key ;;
            x|X) security_audit || true; _press_any_key ;;
            k|K) _menu_ssh_keys || true ;;
            f|F) _menu_fingerprint || true ;;
            t|T) _menu_telegram || true ;;
            c|C) _menu_client_configs || true; _press_any_key ;;
            s|S) _menu_service_select || true ;;
            b|B) _menu_backup_restore || true ;;
            w|W) update_tunnelforge || true; _press_any_key ;;
            u|U) if confirm_action "Uninstall TunnelForge completely?"; then
                     clear >/dev/tty 2>/dev/null || true
                     uninstall_tunnelforge || true
                     return 0
                 fi ;;
            q|Q) clear >/dev/tty 2>/dev/null || true
                 printf "  ${DIM}Goodbye!${RESET}\n\n" >/dev/tty
                 return 0 ;;
            *) true ;;
        esac
    done
}

# ============================================================================
# DASHBOARD & LIVE MONITORING  (Phase 3)
# ============================================================================

# Sparkline block characters (8 levels)
readonly SPARK_CHARS=( "▁" "▂" "▃" "▄" "▅" "▆" "▇" "█" )

# Dashboard caches (avoid expensive re-computation each render)
declare -gA _DASH_LATENCY=()         # cached quality string per tunnel
declare -gA _DASH_LATENCY_TS=()      # epoch of last latency check
declare -gA _DASH_LAT_HOST=()        # latency cache by host:port (shared across tunnels)
declare -gA _DASH_LAT_HOST_TS=()     # epoch of last check per host:port
declare -g  _DASH_SS_CACHE=""        # cached ss -tn output per render cycle
declare -g  _DASH_SYSRES=""           # cached system resources line
declare -g  _DASH_SYSRES_TS=0         # epoch of last sysres check
declare -g  _DASH_LAST_SPEED=""       # last speed test result string
declare -gi _DASH_PAGE=0              # current page (0-indexed)
declare -gi _DASH_PER_PAGE=4          # tunnels per page
declare -gi _DASH_TOTAL_PAGES=1       # computed per render

# Record a bandwidth sample to history (optimized: zero forks in hot path)
declare -gA _BW_WRITE_COUNT=()   # per-tunnel write counter for throttled trim
_bw_record() {
    local name="$1" rx="$2" tx="$3"
    local bw_file="${BW_HISTORY_DIR}/${name}.dat"
    [[ -d "$BW_HISTORY_DIR" ]] || mkdir -p "$BW_HISTORY_DIR" 2>/dev/null || true

    # Light mkdir lock for append+trim
    local _bw_lock="${bw_file}.lck"
    local _bw_try=0
    while ! mkdir "$_bw_lock" 2>/dev/null; do
        local _bw_stale_pid=""
        read -r _bw_stale_pid < "${_bw_lock}/pid" 2>/dev/null || true
        if [[ -n "$_bw_stale_pid" ]] && ! kill -0 "$_bw_stale_pid" 2>/dev/null; then
            rm -f "${_bw_lock}/pid" 2>/dev/null || true
            rmdir "$_bw_lock" 2>/dev/null || true
            continue
        fi
        if (( ++_bw_try >= 3 )); then return 0; fi
        sleep 0.1
    done
    printf '%s' "$$" > "${_bw_lock}/pid" 2>/dev/null || true

    # printf '%(%s)T' is a bash 4.2+ builtin — no fork needed for timestamp
    local _now_epoch
    printf -v _now_epoch '%(%s)T' -1
    printf "%d %d %d\n" "$_now_epoch" "$rx" "$tx" >> "$bw_file" 2>/dev/null || true

    # Throttle trimming: only check every 10 writes (not every single write)
    local _wc=${_BW_WRITE_COUNT[$name]:-0}
    (( ++_wc )) || true
    _BW_WRITE_COUNT["$name"]=$_wc
    if (( _wc >= 10 )); then
        _BW_WRITE_COUNT["$name"]=0
        # Count lines without forking wc
        local _line_count=0
        while IFS= read -r _; do
            (( ++_line_count )) || true
        done < "$bw_file" 2>/dev/null
        if (( _line_count > 120 )); then
            local tmp_bw_file="${bw_file}.tmp"
            if tail -n 120 "$bw_file" > "$tmp_bw_file" 2>/dev/null; then
                mv "$tmp_bw_file" "$bw_file" 2>/dev/null || rm -f "$tmp_bw_file" 2>/dev/null
            else
                rm -f "$tmp_bw_file" 2>/dev/null
            fi
        fi
    fi

    rm -f "${_bw_lock}/pid" 2>/dev/null || true
    rmdir "$_bw_lock" 2>/dev/null || true
}

# Read last N bandwidth deltas from history (optimized: no regex per line)
_bw_read_deltas() {
    local name="$1" count="${2:-30}"
    local bw_file="${BW_HISTORY_DIR}/${name}.dat"
    [[ -f "$bw_file" ]] || return 0

    local -a timestamps rx_vals tx_vals
    local ts rx tx
    # Data file is our own trusted format (epoch rx tx per line) — skip regex
    while read -r ts rx tx; do
        [[ -z "$ts" ]] && continue
        timestamps+=("$ts")
        rx_vals+=("$rx")
        tx_vals+=("$tx")
    done < <(tail -n "$(( count + 1 ))" "$bw_file" 2>/dev/null)

    local total=${#timestamps[@]}
    if (( total < 2 )); then return 0; fi

    local _i dt drx dtx
    for (( _i=1; _i<total; _i++ )); do
        dt=$(( timestamps[_i] - timestamps[_i-1] ))
        if (( dt < 1 )); then dt=1; fi
        drx=$(( (rx_vals[_i] - rx_vals[_i-1]) / dt ))
        dtx=$(( (tx_vals[_i] - tx_vals[_i-1]) / dt ))
        if (( drx < 0 )); then drx=0; fi
        if (( dtx < 0 )); then dtx=0; fi
        echo "$drx $dtx"
    done
}

# Generate sparkline string from numeric values
_sparkline() {
    local -a vals=("$@")
    local count=${#vals[@]}
    if (( count == 0 )); then return 0; fi

    # Find max
    local max_val=0 v
    for v in "${vals[@]}"; do
        if (( v > max_val )); then max_val="$v"; fi
    done

    local spark="" _si
    if (( max_val == 0 )); then
        for (( _si=0; _si<count; _si++ )); do spark+="${SPARK_CHARS[0]}"; done
    else
        for v in "${vals[@]}"; do
            local idx
            if (( v >= max_val )); then
                idx=7
            else
                idx=$(( (v * 7 + max_val / 2) / max_val ))
            fi
            if (( idx > 7 )); then idx=7; fi
            if (( idx < 0 )); then idx=0; fi
            spark+="${SPARK_CHARS[$idx]}"
        done
    fi
    printf '%s' "$spark"
}

# Get reconnect stats for a tunnel
_reconnect_stats() {
    local name="$1"
    local rlog="${RECONNECT_LOG_DIR}/${name}.log"
    [[ -f "$rlog" ]] || { echo "0 -"; return 0; }

    # Count lines + capture last line in one pass (no wc/tail/cut forks)
    local _total=0 _last_line=""
    while IFS= read -r _last_line; do
        (( ++_total )) || true
    done < "$rlog" 2>/dev/null
    # Extract timestamp (before first '|')
    local _last_ts="${_last_line%%|*}"
    echo "${_total} ${_last_ts:--}"
    return 0
}

# Simple speed test using curl (routes through SOCKS5 tunnel if available)
_speed_test() {
    local -a _test_urls=(
        "http://speedtest.tele2.net/1MB.zip"
        "http://proof.ovh.net/files/1Mb.dat"
        "http://ipv4.download.thinkbroadband.com/1MB.zip"
    )
    local test_size=1048576  # 1MB

    printf "\n  ${BOLD_CYAN}── Speed Test ──${RESET}\n\n" >/dev/tty

    if ! command -v curl &>/dev/null; then
        printf "  ${RED}curl is required for speed test${RESET}\n" >/dev/tty
        return 0
    fi

    # Route through SOCKS5 tunnel if available (measures tunnel throughput)
    local -a _proxy_args=()
    local _proxy_port
    _proxy_port=$(_tg_find_proxy 2>/dev/null) || true
    if [[ -n "$_proxy_port" ]]; then
        _proxy_args=(--socks5-hostname "127.0.0.1:${_proxy_port}")
        printf "  ${DIM}Testing through SOCKS5 tunnel (port %s)...${RESET}\n" "$_proxy_port" >/dev/tty
    else
        printf "  ${DIM}Testing direct connection...${RESET}\n" >/dev/tty
    fi

    printf "  ${DIM}Downloading 1MB test file...${RESET}\n" >/dev/tty

    local start_time end_time elapsed speed_bps speed_str
    local _test_ok=false

    for _turl in "${_test_urls[@]}"; do
        start_time=$(_get_ns_timestamp)
        if curl -s -o /dev/null --max-time 15 "${_proxy_args[@]}" "$_turl" 2>/dev/null; then
            end_time=$(_get_ns_timestamp)
            _test_ok=true
            break
        fi
    done

    if [[ "$_test_ok" == true ]] && (( start_time > 0 && end_time > 0 )); then
        elapsed=$(( (end_time - start_time) / 1000000 ))  # milliseconds
        if (( elapsed < 1 )); then elapsed=1; fi
        speed_bps=$(( test_size * 1000 / elapsed ))  # bytes/sec

        speed_str=$(format_bytes "$speed_bps")
        printf "  ${GREEN}●${RESET} Download speed: ${BOLD}%s/s${RESET}\n" "$speed_str" >/dev/tty
        printf "  ${DIM}Time: %d.%03ds${RESET}\n" "$((elapsed/1000))" "$((elapsed%1000))" >/dev/tty
        _DASH_LAST_SPEED="${speed_str}/s"
    else
        printf "  ${RED}✗${RESET} Speed test failed (check connection)\n" >/dev/tty
    fi
    return 0
}

# ── Dashboard renderer ──

_dash_box_top() {
    local width="$1"
    local line="╔"
    local _i
    for (( _i=0; _i<width-2; _i++ )); do line+="═"; done
    line+="╗"
    printf '%s' "$line"
}

_dash_box_bottom() {
    local width="$1"
    local line="╚"
    local _i
    for (( _i=0; _i<width-2; _i++ )); do line+="═"; done
    line+="╝"
    printf '%s' "$line"
}

_dash_box_mid() {
    local width="$1"
    local line="╠"
    local _i
    for (( _i=0; _i<width-2; _i++ )); do line+="═"; done
    line+="╣"
    printf '%s' "$line"
}

# Pure-bash ANSI escape sequence stripping (avoids sed fork per call)
# Store ANSI-stripped string directly into caller's variable (no subshell fork)
# Usage: _strip_ansi_v RESULT_VAR "string with \e[31mcolors\e[0m"
_strip_ansi_v() {
    local -n _sav_ref="$1"
    local _sav_s="$2" _sav_out="" _sav_esc=$'\033'
    while [[ -n "$_sav_s" ]]; do
        if [[ "$_sav_s" == "${_sav_esc}["* ]]; then
            _sav_s="${_sav_s#"${_sav_esc}["}"
            while [[ -n "$_sav_s" ]] && [[ "$_sav_s" != [a-zA-Z]* ]]; do
                _sav_s="${_sav_s:1}"
            done
            _sav_s="${_sav_s:1}"
        elif [[ "$_sav_s" == "${_sav_esc}("* ]]; then
            _sav_s="${_sav_s:3}"
        elif [[ "$_sav_s" == "${_sav_esc}"* ]]; then
            _sav_s="${_sav_s:1}"
        else
            _sav_out+="${_sav_s:0:1}"
            _sav_s="${_sav_s:1}"
        fi
    done
    _sav_ref="$_sav_out"
}

# Legacy wrapper for non-hot-path callers (uses subshell)
_strip_ansi() {
    local _sa_result=""
    _strip_ansi_v _sa_result "$1"
    printf '%s' "$_sa_result"
}

# ── Dashboard helper: system resources (cached 5s) ──
_dash_system_resources() {
    local now
    printf -v now '%(%s)T' -1
    if [[ -n "$_DASH_SYSRES" ]] && (( now - _DASH_SYSRES_TS < 5 )); then
        return 0
    fi

    # Load averages (single read, no forks)
    local load_1="" load_5="" load_15=""
    if [[ -f /proc/loadavg ]]; then
        read -r load_1 load_5 load_15 _ _ < /proc/loadavg 2>/dev/null || true
    fi

    # Memory from /proc/meminfo (pure bash, no grep/awk forks)
    local mem_total=0 mem_avail=0 mem_used=0 mem_pct=0
    if [[ -f /proc/meminfo ]]; then
        local _key _val _unit
        while read -r _key _val _unit; do
            case "$_key" in
                MemTotal:)     mem_total=$(( _val / 1024 )) ;;
                MemAvailable:) mem_avail=$(( _val / 1024 )); break ;;
            esac
        done < /proc/meminfo 2>/dev/null
        if (( mem_total > 0 )); then
            mem_used=$(( mem_total - mem_avail ))
            mem_pct=$(( mem_used * 100 / mem_total ))
        fi
    fi

    local mem_str
    if (( mem_total >= 1024 )); then
        # Integer GB with one decimal via bash math (no awk fork)
        local _mu_whole=$(( mem_used / 1024 )) _mu_frac=$(( (mem_used % 1024) * 10 / 1024 ))
        local _mt_whole=$(( mem_total / 1024 )) _mt_frac=$(( (mem_total % 1024) * 10 / 1024 ))
        mem_str="${_mu_whole}.${_mu_frac}G/${_mt_whole}.${_mt_frac}G (${mem_pct}%)"
    elif (( mem_total > 0 )); then
        mem_str="${mem_used}M/${mem_total}M (${mem_pct}%)"
    else
        mem_str="N/A"
    fi

    _DASH_SYSRES="MEM: ${mem_str}  │  Load: ${load_1:-?} ${load_5:-?} ${load_15:-?}"
    _DASH_SYSRES_TS=$now
    return 0
}

# ── Dashboard helper: active connections on a port (optimized: no awk forks) ──
_dash_active_conns() {
    local port="$1"
    [[ "$port" =~ ^[0-9]+$ ]] || { echo "0 clients"; return 0; }

    local -A _seen=()
    local -a _unique=()
    local _line
    # Use cached ss output if available (set by _dash_render), else run ss
    local _ss_data="${_DASH_SS_CACHE:-}"
    if [[ -z "$_ss_data" ]]; then
        _ss_data=$(ss -tn 2>/dev/null) || true
    fi
    while IFS= read -r _line; do
        [[ -z "$_line" ]] && continue
        # Extract peer address via bash string ops (no awk fork)
        # ss output: ESTAB  0  0  local:port  peer:port
        local _rest="${_line#*ESTAB}"
        [[ "$_rest" == "$_line" ]] && continue  # not ESTAB
        # Split on whitespace: skip recv-q, send-q, local addr; get peer addr
        read -r _ _ _ _src <<< "$_rest" || continue
        # Strip port: 192.168.1.5:43210 → 192.168.1.5
        _src="${_src%:*}"
        if [[ -n "$_src" ]] && [[ -z "${_seen[$_src]:-}" ]]; then
            _seen["$_src"]=1
            _unique+=("$_src")
        fi
    done < <(echo "$_ss_data" | grep -F ":${port}" || true)

    local count=${#_unique[@]}
    if (( count == 0 )); then
        echo "0 clients"
    elif (( count <= 5 )); then
        local _joined
        _joined=$(IFS=, ; echo "${_unique[*]}")
        echo "${count} clients: ${_joined// /}"
    else
        local _first5
        _first5=$(IFS=, ; echo "${_unique[*]:0:5}")
        echo "${count} clients: ${_first5// /} (+$((count-5)))"
    fi
    return 0
}

# ── Dashboard helper: cached latency check (30s TTL) ──
# Result stored in _DASH_LATENCY[name] — caller reads directly (no subshell)
_dash_latency_cached() {
    local name="$1" host="$2" port="${3:-22}"
    local now
    printf -v now '%(%s)T' -1

    # Cache by host:port (not tunnel name) so multiple tunnels to same server share one check
    local _cache_key="${host}:${port}"
    if [[ -n "${_DASH_LAT_HOST[$_cache_key]:-}" ]] && [[ -n "${_DASH_LAT_HOST_TS[$_cache_key]:-}" ]] \
       && (( now - ${_DASH_LAT_HOST_TS[$_cache_key]} < 30 )); then
        _DASH_LATENCY["$name"]="${_DASH_LAT_HOST[$_cache_key]}"
        return 0
    fi

    local rating icon
    rating=$(_connection_quality "$host" "$port" 2>/dev/null) || true
    : "${rating:=unknown}"
    icon=$(_quality_icon "$rating" 2>/dev/null) || true
    : "${icon:=?}"

    local _result="${rating} ${icon}"
    _DASH_LAT_HOST["$_cache_key"]="$_result"
    _DASH_LAT_HOST_TS["$_cache_key"]=$now
    _DASH_LATENCY["$name"]="$_result"
    return 0
}

# Render the complete dashboard frame
_dash_render() {
    local LC_CTYPE=C.UTF-8
    local width=72

    # Cache ss output once per render cycle (used by get_tunnel_connections + _dash_active_conns)
    _DASH_SS_CACHE=$(ss -tn 2>/dev/null) || true

    # Load profiles + compute pagination (before header, so subtitle can show page)
    local profiles
    profiles=$(list_profiles)
    local has_tunnels=false
    local -A _dash_alive=()   # cache: name→1 for running tunnels
    local -A _dash_port=()    # cache: name→LOCAL_PORT for running tunnels
    local -A _dash_tls_port=() # cache: name→OBFS_LOCAL_PORT for running tunnels
    local -a _dash_page_names=()  # tunnels on current page (for active conns)

    local -a _all_profiles=()
    if [[ -n "$profiles" ]]; then
        while IFS= read -r _pname; do
            [[ -z "$_pname" ]] && continue
            _all_profiles+=("$_pname")
        done <<< "$profiles"
    fi
    local _total=${#_all_profiles[@]}

    # Auto-calculate tunnels per page based on terminal height
    # Fixed overhead: header(8) + colhdr(3) + sysres(3) + active_conn_hdr(2) + log(4)
    #   + reconnect(4) + sysinfo(2) + footer(3) = ~29 lines
    # Per tunnel on page: ~5 lines (status + sparkline + route + auth + active_conn_row)
    local _term_h="${_DASH_TERM_H:-40}"
    local _overhead=29
    _DASH_PER_PAGE=$(( (_term_h - _overhead) / 5 ))
    if (( _DASH_PER_PAGE < 2 )); then _DASH_PER_PAGE=2; fi
    if (( _DASH_PER_PAGE > 8 )); then _DASH_PER_PAGE=8; fi

    if (( _total > 0 )); then
        _DASH_TOTAL_PAGES=$(( (_total + _DASH_PER_PAGE - 1) / _DASH_PER_PAGE ))
    else
        _DASH_TOTAL_PAGES=1
    fi
    if (( _DASH_PAGE >= _DASH_TOTAL_PAGES )); then _DASH_PAGE=$(( _DASH_TOTAL_PAGES - 1 )); fi
    if (( _DASH_PAGE < 0 )); then _DASH_PAGE=0; fi
    local _pg_start=$(( _DASH_PAGE * _DASH_PER_PAGE ))
    local _pg_end=$(( _pg_start + _DASH_PER_PAGE ))
    if (( _pg_end > _total )); then _pg_end=$_total; fi

    # Header
    printf "${BOLD_GREEN}"
    _dash_box_top "$width"
    printf "${RESET}\n"

    # Title bar (3-row ASCII art)
    local _tr1="  ▀▀█▀▀ █  █ █▄ █ █▄ █ █▀▀ █   █▀▀ █▀█ █▀█ █▀▀ █▀▀"
    local _tr2="    █   █  █ █ ▀█ █ ▀█ █▀▀ █   █▀  █ █ █▀█ █ █ █▀▀"
    local _tr3="    █    ▀▀  █  █ █  █ ▀▀▀ ▀▀▀ █   ▀▀▀ █ █ ▀▀▀ ▀▀▀"
    local _tpad _tr
    for _tr in "$_tr1" "$_tr2" "$_tr3"; do
        _tpad=$(( width - ${#_tr} - 4 ))
        if (( _tpad < 0 )); then _tpad=0; fi
        printf "${BOLD_GREEN}║${RESET} ${BOLD_CYAN}%s${RESET}%*s ${BOLD_GREEN}║${RESET}\n" "$_tr" "$_tpad" ""
    done

    # Subtitle
    local now_ts
    printf -v now_ts '%(%Y-%m-%d %H:%M:%S)T' -1
    local _page_ind=""
    if (( _DASH_TOTAL_PAGES > 1 )); then
        _page_ind="  │  Page $(( _DASH_PAGE + 1 ))/${_DASH_TOTAL_PAGES}"
    fi
    local sub_text="  Dashboard v${VERSION}${_page_ind}  │  ${now_ts}"
    printf "${BOLD_GREEN}║${RESET} ${DIM}%s${RESET}" "$sub_text"
    local sub_len=${#sub_text}
    local _sub_pad=$(( width - sub_len - 4 ))
    if (( _sub_pad < 0 )); then _sub_pad=0; fi
    printf '%*s' "$_sub_pad" ""
    printf " ${BOLD_GREEN}║${RESET}\n"

    printf "${BOLD_GREEN}"
    _dash_box_mid "$width"
    printf "${RESET}\n"

    # Column headers — fixed 70 inner width layout
    local hdr
    hdr=$(printf " ${BOLD}%-12s %-5s %-8s %-13s %-8s %-5s %-8s${RESET}" \
        "TUNNEL" "TYPE" "STATUS" "LOCAL" "TRAFFIC" "CONNS" "UPTIME")
    printf "${BOLD_GREEN}║${RESET}%s" "$hdr"
    local hdr_stripped
    _strip_ansi_v hdr_stripped "$hdr"
    local hdr_len=${#hdr_stripped}
    local _hdr_pad=$(( width - hdr_len - 2 ))
    if (( _hdr_pad < 0 )); then _hdr_pad=0; fi
    printf '%*s' "$_hdr_pad" ""
    printf "${BOLD_GREEN}║${RESET}\n"

    # Separator
    printf "${BOLD_GREEN}║${RESET}${DIM}"
    local _i
    for (( _i=0; _i<width-2; _i++ )); do printf "─"; done
    printf "${RESET}${BOLD_GREEN}║${RESET}\n"

    # Tunnel rows
    if (( _total > 0 )); then
        local _pidx
        for (( _pidx=0; _pidx<_total; _pidx++ )); do
            local _dname="${_all_profiles[$_pidx]}"
            has_tunnels=true

            # For ALL tunnels: track running status (needed by logs section)
            if is_tunnel_running "$_dname"; then
                _dash_alive["$_dname"]=1
            fi

            # Skip rendering + heavy work for tunnels not on current page
            if (( _pidx < _pg_start || _pidx >= _pg_end )); then
                continue
            fi
            _dash_page_names+=("$_dname")

            # Truncate long names for column alignment
            local _dname_display="$_dname"
            if (( ${#_dname_display} > 12 )); then
                _dname_display="${_dname_display:0:11}~"
            fi

            unset _dp 2>/dev/null || true
            local -A _dp=()
            load_profile "$_dname" _dp 2>/dev/null || true

            local dtype="${_dp[TUNNEL_TYPE]:-?}"
            local daddr="${_dp[LOCAL_BIND_ADDR]:-}:${_dp[LOCAL_PORT]:-}"

            # Populate port caches (for active connections on this page)
            local _is_running=false
            if [[ -n "${_dash_alive[$_dname]:-}" ]]; then
                _is_running=true
                _dash_port["$_dname"]="${_dp[LOCAL_PORT]:-}"
                local _olp_cache="${_dp[OBFS_LOCAL_PORT]:-0}"
                [[ "$_olp_cache" == "0" ]] && _olp_cache=""
                _dash_tls_port["$_dname"]="$_olp_cache"
            fi

            if [[ "$_is_running" == true ]]; then
                # Gather live stats
                local up_s up_str traffic rchar wchar total traf_str conns
                up_s=$(get_tunnel_uptime "$_dname" 2>/dev/null || true)
                : "${up_s:=0}"
                up_str=$(format_duration "$up_s")
                traffic=$(get_tunnel_traffic "$_dname" 2>/dev/null || true)
                : "${traffic:=0 0}"
                read -r rchar wchar <<< "$traffic"
                [[ "$rchar" =~ ^[0-9]+$ ]] || rchar=0
                [[ "$wchar" =~ ^[0-9]+$ ]] || wchar=0
                total=$(( rchar + wchar ))
                traf_str=$(format_bytes "$total")
                # Inline connection count — profile already loaded, skip redundant load_profile
                local _conn_port="${_dp[LOCAL_PORT]:-}"
                local _conn_olp="${_dp[OBFS_LOCAL_PORT]:-0}"
                if [[ "$_conn_olp" =~ ^[0-9]+$ ]] && (( _conn_olp > 0 )); then
                    _conn_port="$_conn_olp"
                fi
                conns=$(_count_port_conns "$_conn_port" 2>/dev/null || true)
                : "${conns:=0}"

                # Record bandwidth for sparkline
                _bw_record "$_dname" "$rchar" "$wchar"

                local row
                row=$(printf " %-12s %-5s ${GREEN}● %-6s${RESET} %-13s %-8s %-5s %-8s" \
                    "$_dname_display" "${dtype^^}" "ALIVE" "$daddr" "$traf_str" "$conns" "$up_str")
                printf "${BOLD_GREEN}║${RESET}%s" "$row"
                local row_stripped
                _strip_ansi_v row_stripped "$row"
                local row_len=${#row_stripped}
                local _row_pad=$(( width - row_len - 2 ))
                if (( _row_pad < 0 )); then _row_pad=0; fi
                printf '%*s' "$_row_pad" ""
                printf "${BOLD_GREEN}║${RESET}\n"

                # Sparkline row
                local -a rx_deltas=()
                local drx dtx
                while read -r drx dtx; do
                    rx_deltas+=("$drx")
                done < <(_bw_read_deltas "$_dname" 30)

                if [[ ${#rx_deltas[@]} -gt 2 ]]; then
                    local spark_str
                    spark_str=$(_sparkline "${rx_deltas[@]}")
                    local last_rate="${rx_deltas[-1]:-0}"
                    local rate_str
                    rate_str=$(format_bytes "$last_rate")

                    # [1] Peak speed from deltas
                    local _peak=0 _dv
                    for _dv in "${rx_deltas[@]}"; do
                        if (( _dv > _peak )); then _peak=$_dv; fi
                    done
                    local peak_str
                    peak_str=$(format_bytes "$_peak")

                    local spark_row
                    spark_row=$(printf " ${DIM}%-12s${RESET} ${CYAN}%s${RESET} ${DIM}%s/s${RESET}  ${DIM}│${RESET}  ${DIM}peak: %s/s${RESET}" \
                        "" "$spark_str" "$rate_str" "$peak_str")
                    printf "${BOLD_GREEN}║${RESET}%s" "$spark_row"
                    local spark_stripped
                    _strip_ansi_v spark_stripped "$spark_row"
                    local spark_len=${#spark_stripped}
                    local _sp_pad=$(( width - spark_len - 2 ))
                    if (( _sp_pad < 0 )); then _sp_pad=0; fi
                    printf '%*s' "$_sp_pad" ""
                    printf "${BOLD_GREEN}║${RESET}\n"
                fi

                # [2] Route row — show hop chain
                local _route_str=""
                local _ssh_host="${_dp[SSH_HOST]:-}"
                local _jump="${_dp[JUMP_HOSTS]:-}"
                if [[ -n "$_jump" ]]; then
                    # Extract jump host IP (user@host:port → host)
                    local _jh="${_jump%%,*}"     # first jump host
                    _jh="${_jh#*@}"              # strip user@
                    _jh="${_jh%%:*}"             # strip :port
                    _route_str="route: → ${_jh} → ${_ssh_host}"
                elif [[ -n "$_ssh_host" ]]; then
                    _route_str="route: → ${_ssh_host}"
                fi
                if [[ -n "$_route_str" ]]; then
                    local _rr
                    _rr=$(printf " ${DIM}%-13s${RESET}${DIM}%s${RESET}" "" "$_route_str")
                    printf "${BOLD_GREEN}║${RESET}%s" "$_rr"
                    local _rr_s
                    _strip_ansi_v _rr_s "$_rr"
                    local _rr_pad=$(( width - ${#_rr_s} - 2 ))
                    if (( _rr_pad < 0 )); then _rr_pad=0; fi
                    printf '%*s' "$_rr_pad" ""
                    printf "${BOLD_GREEN}║${RESET}\n"
                fi

                # [3] Auth + latency row
                local _auth_method="interactive"
                local _has_key=false _has_pass=false
                if [[ -n "${_dp[IDENTITY_KEY]:-}" ]] && [[ -f "${_dp[IDENTITY_KEY]:-}" ]]; then _has_key=true; fi
                if [[ -n "${_dp[SSH_PASSWORD]:-}" ]]; then _has_pass=true; fi
                if [[ "$_has_key" == true ]] && [[ "$_has_pass" == true ]]; then _auth_method="key+pass"
                elif [[ "$_has_key" == true ]]; then _auth_method="key"
                elif [[ "$_has_pass" == true ]]; then _auth_method="password"
                fi
                local _lat_rating="" _lat_icon=""
                if [[ "$_is_running" == true ]]; then
                    # Tunnel alive — skip slow TCP probe, show "active" directly
                    _lat_rating="active"
                    _lat_icon="${GREEN}▁▃▅▇${RESET}"
                else
                    _dash_latency_cached "$_dname" "${_dp[SSH_HOST]:-}" "${_dp[SSH_PORT]:-22}"
                    local _lat_info="${_DASH_LATENCY[$_dname]:-unknown ?}"
                    _lat_rating="${_lat_info%% *}"
                    _lat_icon="${_lat_info#* }"
                fi
                local _obfs_ind=""
                if [[ "${_dp[OBFS_MODE]:-none}" != "none" ]]; then
                    _obfs_ind="${DIM}│${RESET}${GREEN}tls${RESET}"
                    if [[ -n "${_dp[OBFS_LOCAL_PORT]:-}" ]] && [[ "${_dp[OBFS_LOCAL_PORT]:-0}" != "0" ]]; then
                        _obfs_ind="${_obfs_ind}${DIM}+psk:${RESET}${GREEN}${_dp[OBFS_LOCAL_PORT]}${RESET}"
                    fi
                elif [[ -n "${_dp[OBFS_LOCAL_PORT]:-}" ]] && [[ "${_dp[OBFS_LOCAL_PORT]:-0}" != "0" ]]; then
                    _obfs_ind="${DIM}│${RESET}${GREEN}psk:${_dp[OBFS_LOCAL_PORT]}${RESET}"
                fi
                local _ar
                _ar=$(printf " ${DIM}%-13s${RESET}${DIM}auth:${RESET}${BOLD}%s${RESET} ${DIM}│${RESET}${DIM}lat:${RESET}%s${CYAN}%s${RESET} %s" \
                    "" "$_auth_method" "$_lat_rating" "$_lat_icon" "$_obfs_ind")
                printf "${BOLD_GREEN}║${RESET}%s" "$_ar"
                local _ar_s
                _strip_ansi_v _ar_s "$_ar"
                local _ar_pad=$(( width - ${#_ar_s} - 2 ))
                if (( _ar_pad < 0 )); then _ar_pad=0; fi
                printf '%*s' "$_ar_pad" ""
                printf "${BOLD_GREEN}║${RESET}\n"

                # [4] Security row (only if dns or kill configured)
                local _show_sec=false
                if [[ "${_dp[DNS_LEAK_PROTECTION]:-}" == "true" ]] || [[ "${_dp[KILL_SWITCH]:-}" == "true" ]]; then
                    _show_sec=true
                fi
                if [[ "$_show_sec" == true ]]; then
                    local _dns_ind _kill_ind
                    if [[ "${_dp[DNS_LEAK_PROTECTION]:-}" == "true" ]]; then
                        _dns_ind="${GREEN}●${RESET}"
                    else
                        _dns_ind="${DIM}○${RESET}"
                    fi
                    if [[ "${_dp[KILL_SWITCH]:-}" == "true" ]]; then
                        _kill_ind="${GREEN}●${RESET}"
                    else
                        _kill_ind="${DIM}○${RESET}"
                    fi
                    local _sr
                    _sr=$(printf " ${DIM}%-13s${RESET}${DIM}security:${RESET} dns %s  kill %s" "" "$_dns_ind" "$_kill_ind")
                    printf "${BOLD_GREEN}║${RESET}%s" "$_sr"
                    local _sr_s
                    _strip_ansi_v _sr_s "$_sr"
                    local _sr_pad=$(( width - ${#_sr_s} - 2 ))
                    if (( _sr_pad < 0 )); then _sr_pad=0; fi
                    printf '%*s' "$_sr_pad" ""
                    printf "${BOLD_GREEN}║${RESET}\n"
                fi
            else
                local row
                row=$(printf " ${DIM}%-12s %-5s ■ %-6s %-13s %-8s %-5s %-8s${RESET}" \
                    "$_dname_display" "${dtype^^}" "STOP" "$daddr" "-" "-" "-")
                printf "${BOLD_GREEN}║${RESET}%s" "$row"
                local row_stripped
                _strip_ansi_v row_stripped "$row"
                local row_len=${#row_stripped}
                local _row_pad=$(( width - row_len - 2 ))
                if (( _row_pad < 0 )); then _row_pad=0; fi
                printf '%*s' "$_row_pad" ""
                printf "${BOLD_GREEN}║${RESET}\n"
            fi

        done
    fi

    if [[ "$has_tunnels" != true ]]; then
        local empty_msg=" No tunnels configured. Press 'c' to create one."
        printf "${BOLD_GREEN}║${RESET}${DIM}%s${RESET}" "$empty_msg"
        printf '%*s' "$(( width - ${#empty_msg} - 2 ))" ""
        printf "${BOLD_GREEN}║${RESET}\n"
    fi

    # [5] System Resources section
    printf "${BOLD_GREEN}"
    _dash_box_mid "$width"
    printf "${RESET}\n"

    local _sysres_hdr
    _sysres_hdr=$(printf " ${BOLD}System Resources${RESET}")
    printf "${BOLD_GREEN}║${RESET}%s" "$_sysres_hdr"
    local _sysres_hdr_s
    _strip_ansi_v _sysres_hdr_s "$_sysres_hdr"
    local _sysres_hdr_pad=$(( width - ${#_sysres_hdr_s} - 2 ))
    if (( _sysres_hdr_pad < 0 )); then _sysres_hdr_pad=0; fi
    printf '%*s' "$_sysres_hdr_pad" ""
    printf "${BOLD_GREEN}║${RESET}\n"

    _dash_system_resources
    local _sysres_data="$_DASH_SYSRES"
    local _sysres_row
    _sysres_row=$(printf "  ${DIM}%s${RESET}" "$_sysres_data")
    printf "${BOLD_GREEN}║${RESET}%s" "$_sysres_row"
    local _sysres_row_s
    _strip_ansi_v _sysres_row_s "$_sysres_row"
    local _sysres_row_pad=$(( width - ${#_sysres_row_s} - 2 ))
    if (( _sysres_row_pad < 0 )); then _sysres_row_pad=0; fi
    printf '%*s' "$_sysres_row_pad" ""
    printf "${BOLD_GREEN}║${RESET}\n"

    # [6] Active Connections section (current page only)
    if [[ "$has_tunnels" == true ]]; then
        local _any_alive=false _ac_lines=""
        local _acname
        for _acname in "${_dash_page_names[@]}"; do
            [[ -z "${_dash_alive[$_acname]:-}" ]] && continue
            _any_alive=true
            local _ac_port="${_dash_port[$_acname]:-}"
            if [[ -n "$_ac_port" ]]; then
                # Use cached TLS port from tunnel row loop (no re-load)
                local _ac_tls_port="${_dash_tls_port[$_acname]:-}"
                local _ac_data _ac_label
                if [[ -n "$_ac_tls_port" ]]; then
                    _ac_data=$(_dash_active_conns "$_ac_tls_port")
                    _ac_label=":${_ac_tls_port}"
                else
                    _ac_data=$(_dash_active_conns "$_ac_port")
                    _ac_label=":${_ac_port}"
                fi
                _ac_lines+="${_acname}|${_ac_label}|${_ac_data}"$'\n'
            fi
        done
        if [[ "$_any_alive" == true ]] && [[ -n "$_ac_lines" ]]; then
            printf "${BOLD_GREEN}"
            _dash_box_mid "$width"
            printf "${RESET}\n"

            local _ac_hdr
            _ac_hdr=$(printf " ${BOLD}Active Connections${RESET}")
            printf "${BOLD_GREEN}║${RESET}%s" "$_ac_hdr"
            local _ac_hdr_s
            _strip_ansi_v _ac_hdr_s "$_ac_hdr"
            local _ac_hdr_pad=$(( width - ${#_ac_hdr_s} - 2 ))
            if (( _ac_hdr_pad < 0 )); then _ac_hdr_pad=0; fi
            printf '%*s' "$_ac_hdr_pad" ""
            printf "${BOLD_GREEN}║${RESET}\n"

            while IFS='|' read -r _ac_n _ac_p _ac_d; do
                [[ -z "$_ac_n" ]] && continue
                local _ac_row
                _ac_row=$(printf "  ${DIM}%s %s${RESET}  %s" "$_ac_n" "$_ac_p" "$_ac_d")
                printf "${BOLD_GREEN}║${RESET}%s" "$_ac_row"
                local _ac_row_s
                _strip_ansi_v _ac_row_s "$_ac_row"
                local _ac_pad=$(( width - ${#_ac_row_s} - 2 ))
                if (( _ac_pad < 0 )); then _ac_pad=0; fi
                printf '%*s' "$_ac_pad" ""
                printf "${BOLD_GREEN}║${RESET}\n"
            done <<< "$_ac_lines"
        fi
    fi

    # [7] Recent Log section (last lines per active tunnel, max 2 total)
    if [[ "$has_tunnels" == true ]]; then
        local _log_lines="" _log_count=0
        local _lgname
        for _lgname in "${!_dash_alive[@]}"; do
            (( _log_count >= 2 )) && break
            local _lf="${LOG_DIR}/${_lgname}.log"
            if [[ -f "$_lf" ]]; then
                local _ltail
                _ltail=$(tail -20 "$_lf" 2>/dev/null) || true
                while IFS= read -r _ll; do
                    [[ -z "$_ll" ]] && continue
                    (( _log_count >= 2 )) && break
                    # Skip normal SSH/SOCKS5 proxy noise
                    [[ "$_ll" == *"channel"*"open failed"* ]] && continue
                    [[ "$_ll" == *"Connection refused"* ]] && continue
                    [[ "$_ll" == *"Name or service not known"* ]] && continue
                    [[ "$_ll" == *"bind"*"Address already in use"* ]] && continue
                    [[ "$_ll" == *"cannot listen to"* ]] && continue
                    [[ "$_ll" == *"not request local forwarding"* ]] && continue
                    # Truncate long lines
                    local _ldisp="[${_lgname}] ${_ll}"
                    if (( ${#_ldisp} > width - 5 )); then
                        _ldisp="${_ldisp:0:$(( width - 8 ))}..."
                    fi
                    _log_lines+="${_ldisp}"$'\n'
                    ((++_log_count))
                done <<< "$_ltail"
            fi
        done
        if (( _log_count > 0 )); then
            printf "${BOLD_GREEN}"
            _dash_box_mid "$width"
            printf "${RESET}\n"

            local _lg_hdr
            _lg_hdr=$(printf " ${BOLD}Recent Log${RESET}")
            printf "${BOLD_GREEN}║${RESET}%s" "$_lg_hdr"
            local _lg_hdr_s
            _strip_ansi_v _lg_hdr_s "$_lg_hdr"
            local _lg_hdr_pad=$(( width - ${#_lg_hdr_s} - 2 ))
            if (( _lg_hdr_pad < 0 )); then _lg_hdr_pad=0; fi
            printf '%*s' "$_lg_hdr_pad" ""
            printf "${BOLD_GREEN}║${RESET}\n"

            while IFS= read -r _lg_row; do
                [[ -z "$_lg_row" ]] && continue
                local _lgr
                _lgr=$(printf "  ${DIM}%s${RESET}" "$_lg_row")
                printf "${BOLD_GREEN}║${RESET}%s" "$_lgr"
                local _lgr_s
                _strip_ansi_v _lgr_s "$_lgr"
                local _lgr_pad=$(( width - ${#_lgr_s} - 2 ))
                if (( _lgr_pad < 0 )); then _lgr_pad=0; fi
                printf '%*s' "$_lgr_pad" ""
                printf "${BOLD_GREEN}║${RESET}\n"
            done <<< "$_log_lines"
        fi
    fi

    # Reconnect summary section
    printf "${BOLD_GREEN}"
    _dash_box_mid "$width"
    printf "${RESET}\n"

    local rc_header
    rc_header=$(printf " ${BOLD}Reconnect Log${RESET}")
    printf "${BOLD_GREEN}║${RESET}%s" "$rc_header"
    local rc_hdr_stripped
    _strip_ansi_v rc_hdr_stripped "$rc_header"
    printf '%*s' "$(( width - ${#rc_hdr_stripped} - 2 ))" ""
    printf "${BOLD_GREEN}║${RESET}\n"

    if [[ -n "$profiles" ]]; then
        local _any_rc=false _rc_shown=0
        while IFS= read -r _rcname; do
            [[ -z "$_rcname" ]] && continue
            (( _rc_shown >= 2 )) && break
            local rc_total rc_last
            read -r rc_total rc_last <<< "$(_reconnect_stats "$_rcname")"
            if (( rc_total > 0 )); then
                _any_rc=true
                (( ++_rc_shown )) || true
                local rc_row
                local _rc_display="$_rcname"
                if (( ${#_rc_display} > 12 )); then _rc_display="${_rc_display:0:11}~"; fi
                rc_row=$(printf " ${DIM}%-12s${RESET}  reconnects: ${YELLOW}%d${RESET}  last: ${DIM}%s${RESET}" \
                    "$_rc_display" "$rc_total" "$rc_last")
                printf "${BOLD_GREEN}║${RESET}%s" "$rc_row"
                local rc_stripped
                _strip_ansi_v rc_stripped "$rc_row"
                local _rc_pad=$(( width - ${#rc_stripped} - 2 ))
                if (( _rc_pad < 0 )); then _rc_pad=0; fi
                printf '%*s' "$_rc_pad" ""
                printf "${BOLD_GREEN}║${RESET}\n"
            fi
        done <<< "$profiles"
        if [[ "$_any_rc" != true ]]; then
            local no_rc=" ${DIM}No reconnections recorded${RESET}"
            printf "${BOLD_GREEN}║${RESET}%s" "$no_rc"
            local no_rc_stripped
            _strip_ansi_v no_rc_stripped "$no_rc"
            printf '%*s' "$(( width - ${#no_rc_stripped} - 2 ))" ""
            printf "${BOLD_GREEN}║${RESET}\n"
        fi
    fi

    # System info row
    printf "${BOLD_GREEN}"
    _dash_box_mid "$width"
    printf "${RESET}\n"

    local pub_ip="${_DASH_PUB_IP:-unknown}"
    local _tg_indicator=""
    if _telegram_enabled; then
        _tg_indicator="  ${DIM}│${RESET}  ${DIM}TG:${RESET} ${GREEN}●${RESET}"
    fi
    local _speed_indicator=""
    if [[ -n "${_DASH_LAST_SPEED:-}" ]]; then
        _speed_indicator="  ${DIM}│${RESET}  ${CYAN}${_DASH_LAST_SPEED}${RESET}"
    fi
    local _dash_ref_rate
    _dash_ref_rate=$(config_get DASHBOARD_REFRESH 5)
    local _dash_time_str
    printf -v _dash_time_str '%(%H:%M:%S)T' -1
    local sys_row
    sys_row=$(printf " ${DIM}IP:${RESET} ${BOLD}%s${RESET}  ${DIM}│${RESET}  ${DIM}Refresh:${RESET} %ss%s%s  ${DIM}│${RESET}  ${DIM}%s${RESET}" \
        "$pub_ip" "$_dash_ref_rate" "$_tg_indicator" "$_speed_indicator" "$_dash_time_str")
    printf "${BOLD_GREEN}║${RESET}%s" "$sys_row"
    local sys_stripped
    _strip_ansi_v sys_stripped "$sys_row"
    local _sys_pad=$(( width - ${#sys_stripped} - 2 ))
    if (( _sys_pad < 0 )); then _sys_pad=0; fi
    printf '%*s' "$_sys_pad" ""
    printf "${BOLD_GREEN}║${RESET}\n"

    # Footer with controls
    printf "${BOLD_GREEN}"
    _dash_box_mid "$width"
    printf "${RESET}\n"

    local ctrl_row
    local _pg_hint=""
    if (( _DASH_TOTAL_PAGES > 1 )); then
        _pg_hint=" ${DIM}│${RESET} ${CYAN}1${RESET}-${CYAN}${_DASH_TOTAL_PAGES}${RESET}${DIM}=page${RESET}"
    fi
    ctrl_row=$(printf " ${CYAN}s${RESET}=start ${CYAN}t${RESET}=stop ${CYAN}r${RESET}=restart ${CYAN}c${RESET}=create ${CYAN}p${RESET}=speed ${CYAN}g${RESET}=qlty ${CYAN}q${RESET}=quit%s" "$_pg_hint")
    printf "${BOLD_GREEN}║${RESET}%s" "$ctrl_row"
    local ctrl_stripped
    _strip_ansi_v ctrl_stripped "$ctrl_row"
    local _ctrl_pad=$(( width - ${#ctrl_stripped} - 2 ))
    if (( _ctrl_pad < 0 )); then _ctrl_pad=0; fi
    printf '%*s' "$_ctrl_pad" ""
    printf "${BOLD_GREEN}║${RESET}\n"

    printf "${BOLD_GREEN}"
    _dash_box_bottom "$width"
    printf "${RESET}\n"
}

# ── Main dashboard loop ──

show_dashboard() {
    local refresh
    refresh=$(config_get DASHBOARD_REFRESH 5)
    if (( refresh < 1 )); then refresh=1; fi

    # Enter alternate screen buffer
    tput smcup 2>/dev/null || true
    # Hide cursor
    tput civis 2>/dev/null || true

    # Frame buffer for flicker-free rendering
    local _frame_file="${TMPDIR:-/tmp}/tf-dash-$$"
    : > "$_frame_file" 2>/dev/null || _frame_file="/tmp/tf-dash-$$"
    : > "$_frame_file"

    # Restore terminal on exit (normal return, Ctrl+C, or TERM)
    local _dash_cleanup_done=false
    _dash_exit() {
        if [[ "$_dash_cleanup_done" == true ]]; then return 0; fi
        _dash_cleanup_done=true
        rm -f "$_frame_file" "${TMP_DIR}/tg_cmd.lock" 2>/dev/null || true
        tput cnorm 2>/dev/null || true   # show cursor
        tput rmcup 2>/dev/null || true   # leave alternate screen
        trap - TSTP CONT
        trap cleanup INT TERM HUP QUIT   # restore global traps
    }
    trap '_dash_exit' RETURN
    local _dash_interrupted=false
    trap '_dash_exit; _dash_interrupted=true' INT
    trap '_dash_exit; _dash_interrupted=true' TERM
    trap '_dash_exit; _dash_interrupted=true' HUP
    trap '_dash_exit; _dash_interrupted=true' QUIT
    trap 'tput cnorm 2>/dev/null || true; tput rmcup 2>/dev/null || true' TSTP
    trap 'tput smcup 2>/dev/null || true; tput civis 2>/dev/null || true' CONT

    # Get local IP once (instant, no network call)
    local _DASH_PUB_IP=""
    _DASH_PUB_IP=$(hostname -I 2>/dev/null | awk '{print $1}') || true
    if [[ -z "$_DASH_PUB_IP" ]]; then
        _DASH_PUB_IP=$(ip -4 route get 1 2>/dev/null | grep -oE 'src [0-9.]+' | awk '{print $2}') || true
    fi
    : "${_DASH_PUB_IP:=unknown}"

    # Cache terminal height — updated on SIGWINCH, not every frame
    declare -g _DASH_TERM_H
    _DASH_TERM_H=$(tput lines 2>/dev/null) || _DASH_TERM_H=40
    trap '_DASH_TERM_H=$(tput lines 2>/dev/null) || _DASH_TERM_H=40' WINCH
    local _dash_rot_count=0
    local _dash_tg_count=0

    while true; do
        if [[ "$_dash_interrupted" == true ]]; then break; fi
        # Periodic log rotation (~5 min at default 3s refresh)
        if (( ++_dash_rot_count >= 100 )); then
            rotate_logs 2>/dev/null || true
            _dash_rot_count=0
        fi
        # Poll Telegram bot commands in background (~every 3 refreshes ≈ 9s)
        if (( ++_dash_tg_count >= 3 )); then
            _tg_process_commands_bg || true
            _dash_tg_count=0
        fi
        # Buffered render: compute frame to file, then flush to screen in one shot
        _dash_render > "$_frame_file" 2>/dev/null || true
        tput cup 0 0 2>/dev/null || printf '\033[H'
        cat "$_frame_file" 2>/dev/null
        tput ed 2>/dev/null || true  # clear stale content below frame

        # Non-blocking read with timeout for refresh
        local key=""
        read -rsn1 -t "$refresh" key </dev/tty || true
        _drain_esc key

        case "$key" in
            q|Q)
                return 0 ;;
            s|S)
                # Start a tunnel (mini-selector)
                tput cnorm 2>/dev/null || true
                tput rmcup 2>/dev/null || true
                _menu_start_tunnel || true
                _press_any_key || true
                tput smcup 2>/dev/null || true
                tput civis 2>/dev/null || true
                ;;
            t|T)
                tput cnorm 2>/dev/null || true
                tput rmcup 2>/dev/null || true
                _menu_stop_tunnel || true
                _press_any_key || true
                tput smcup 2>/dev/null || true
                tput civis 2>/dev/null || true
                ;;
            r|R)
                # Restart all running tunnels
                tput cnorm 2>/dev/null || true
                tput rmcup 2>/dev/null || true
                local _dr_profiles
                _dr_profiles=$(list_profiles)
                if [[ -n "$_dr_profiles" ]]; then
                    while IFS= read -r _dr_name; do
                        [[ -z "$_dr_name" ]] && continue
                        if is_tunnel_running "$_dr_name"; then
                            restart_tunnel "$_dr_name" || true
                        fi
                    done <<< "$_dr_profiles"
                fi
                _press_any_key || true
                tput smcup 2>/dev/null || true
                tput civis 2>/dev/null || true
                ;;
            c|C)
                tput cnorm 2>/dev/null || true
                tput rmcup 2>/dev/null || true
                wizard_create_profile || true
                _press_any_key || true
                tput smcup 2>/dev/null || true
                tput civis 2>/dev/null || true
                ;;
            p|P)
                tput cnorm 2>/dev/null || true
                tput rmcup 2>/dev/null || true
                _speed_test || true
                _press_any_key || true
                tput smcup 2>/dev/null || true
                tput civis 2>/dev/null || true
                ;;
            g|G)
                tput cnorm 2>/dev/null || true
                tput rmcup 2>/dev/null || true
                printf "\n  ${BOLD}Connection Quality Check${RESET}\n\n" >/dev/tty
                local _gq_profiles
                _gq_profiles=$(list_profiles)
                if [[ -n "$_gq_profiles" ]]; then
                    while IFS= read -r _gq_name; do
                        [[ -z "$_gq_name" ]] && continue
                        local _gq_host
                        _gq_host=$(get_profile_field "$_gq_name" "SSH_HOST" 2>/dev/null) || true
                        local _gq_port
                        _gq_port=$(get_profile_field "$_gq_name" "SSH_PORT" 2>/dev/null) || true
                        : "${_gq_port:=22}"
                        if [[ -n "$_gq_host" ]]; then
                            local _gq_rating
                            _gq_rating=$(_connection_quality "$_gq_host" "$_gq_port" 2>/dev/null) || true
                            : "${_gq_rating:=unknown}"
                            printf "  %-16s %s  %s → %s:%s\n" "$_gq_name" "$(_quality_icon "$_gq_rating")" "$_gq_rating" "$_gq_host" "$_gq_port" >/dev/tty
                        fi
                    done <<< "$_gq_profiles"
                else
                    printf "  ${DIM}No profiles configured${RESET}\n" >/dev/tty
                fi
                printf "\n" >/dev/tty
                _press_any_key || true
                tput smcup 2>/dev/null || true
                tput civis 2>/dev/null || true
                ;;
            \[|,)
                # Previous page
                if (( _DASH_PAGE > 0 )); then _DASH_PAGE=$(( _DASH_PAGE - 1 )); fi
                ;;
            \]|.)
                # Next page
                if (( _DASH_PAGE < _DASH_TOTAL_PAGES - 1 )); then _DASH_PAGE=$(( _DASH_PAGE + 1 )); fi
                ;;
            [1-9])
                # Jump to page N
                local _target_pg=$(( key - 1 ))
                if (( _target_pg < _DASH_TOTAL_PAGES )); then
                    _DASH_PAGE=$_target_pg
                fi
                ;;
            *) true ;;
        esac
    done
}

# ============================================================================
# INSTALLER
# ============================================================================

install_tunnelforge() {
    show_banner >/dev/tty
    log_info "Installing ${APP_NAME} v${VERSION}..."

    check_root "install" || return 1
    detect_os

    init_directories || { log_error "Failed to create directories"; return 1; }

    # Copy script
    local script_path dest
    script_path="$(cd "$(dirname "$0")" 2>/dev/null && pwd || pwd)/$(basename "$0")"
    dest="${INSTALL_DIR}/tunnelforge.sh"

    if [[ "$script_path" != "$dest" ]]; then
        cp "$script_path" "$dest"
        chmod +x "$dest"
        log_success "Installed to ${dest}"
    fi

    if ln -sf "$dest" "$BIN_LINK" 2>/dev/null; then
        log_success "Created symlink: ${BIN_LINK}"
    else
        log_warn "Could not create symlink: ${BIN_LINK}"
    fi

    check_dependencies || log_warn "Some dependencies could not be installed"

    if [[ ! -f "$MAIN_CONFIG" ]]; then
        if save_settings; then
            log_success "Created config: ${MAIN_CONFIG}"
        else
            log_warn "Could not create config file — using defaults"
        fi
    fi

    printf "\n"
    printf "${BOLD_GREEN}"
    printf "  ╔══════════════════════════════════════════════════════════╗\n"
    printf "  ║         %s installed successfully!            ║\n" "$APP_NAME"
    printf "  ╠══════════════════════════════════════════════════════════╣\n"
    printf "  ║                                                        ║\n"
    printf "  ║  Commands:                                             ║\n"
    printf "  ║    tunnelforge menu       Interactive menu             ║\n"
    printf "  ║    tunnelforge create     Create a tunnel              ║\n"
    printf "  ║    tunnelforge help       Show all commands            ║\n"
    printf "  ║                                                        ║\n"
    printf "  ╚══════════════════════════════════════════════════════════╝\n"
    printf "${RESET}\n"

    # Offer to launch interactive menu
    local _ans=""
    printf "  Launch interactive menu now? [y/N] " >/dev/tty
    read -rsn1 _ans </dev/tty || true
    printf "\n" >/dev/tty
    if [[ "$_ans" == "y" || "$_ans" == "Y" ]]; then
        detect_os; load_settings
        show_menu || true
    fi
}

# ============================================================================
# CLI ENTRY POINT
# ============================================================================

is_installed() {
    [[ -f "${INSTALL_DIR}/tunnelforge.sh" && -f "$MAIN_CONFIG" ]]
}

cli_main() {
    local command="${1:-}"
    shift 2>/dev/null || true

    # Ensure runtime directories exist for all commands
    init_directories 2>/dev/null || true

    case "$command" in
        # ── Tunnel commands ──
        start)
            [[ -z "${1:-}" ]] && { log_error "Usage: tunnelforge start <name>"; return 1; }
            validate_profile_name "$1" || { log_error "Invalid profile name"; return 1; }
            detect_os; load_settings; start_tunnel "$1" ;;
        stop)
            [[ -z "${1:-}" ]] && { log_error "Usage: tunnelforge stop <name>"; return 1; }
            validate_profile_name "$1" || { log_error "Invalid profile name"; return 1; }
            load_settings; stop_tunnel "$1" || true ;;
        restart)
            [[ -z "${1:-}" ]] && { log_error "Usage: tunnelforge restart <name>"; return 1; }
            validate_profile_name "$1" || { log_error "Invalid profile name"; return 1; }
            detect_os; load_settings; restart_tunnel "$1" || true ;;
        start-all)
            detect_os; load_settings; start_all_tunnels || true ;;
        stop-all)
            load_settings; stop_all_tunnels || true ;;
        status)
            load_settings; show_status || true ;;

        # ── Profile commands ──
        list|ls)
            load_settings
            local profiles
            profiles=$(list_profiles)
            if [[ -z "$profiles" ]]; then
                log_info "No profiles found. Run 'tunnelforge create' to get started."
            else
                printf "\n${BOLD}Tunnel Profiles:${RESET}\n"
                print_line "─" 50
                while IFS= read -r _ls_name; do
                    local _ls_ptype _ls_status
                    _ls_ptype=$(get_profile_field "$_ls_name" "TUNNEL_TYPE" 2>/dev/null) || true
                    if is_tunnel_running "$_ls_name"; then
                        _ls_status="${GREEN}● running${RESET}"
                    else
                        _ls_status="${DIM}■ stopped${RESET}"
                    fi
                    printf "  %-20s %-10s %b\n" "$_ls_name" "${_ls_ptype:-?}" "$_ls_status"
                done <<< "$profiles"
                printf "\n"
            fi ;;
        create|new)
            detect_os; load_settings
            setup_wizard || true ;;
        delete)
            [[ -z "${1:-}" ]] && { log_error "Usage: tunnelforge delete <name>"; return 1; }
            validate_profile_name "$1" || { log_error "Invalid profile name"; return 1; }
            load_settings
            if confirm_action "Delete profile '${1}'?"; then
                delete_profile "$1" || true
            fi ;;

        # ── Display commands ──
        dashboard|dash)
            if ! : >/dev/tty 2>/dev/null; then
                log_error "Dashboard requires an interactive terminal (/dev/tty not available)"
                return 1
            fi
            load_settings
            show_dashboard || true ;;
        menu)
            detect_os; load_settings
            show_menu ;;
        logs)
            load_settings
            local target="${1:-}"
            if [[ -n "$target" ]]; then
                validate_profile_name "$target" || { log_error "Invalid profile name"; return 1; }
                local lf; lf=$(_log_file "$target")
                if [[ -f "$lf" ]]; then
                    tail -f "$lf" || true
                else
                    log_error "No logs for '${target}'"
                fi
            else
                local ml="${LOG_DIR}/${APP_NAME_LOWER}.log"
                if [[ -f "$ml" ]]; then
                    tail -f "$ml" || true
                else
                    log_info "No logs found"
                fi
            fi ;;

        # ── Security commands ──
        audit|security)
            load_settings; security_audit || true ;;
        key-gen)
            load_settings
            local ktype="${1:-ed25519}"
            case "$ktype" in
                ed25519|rsa|ecdsa) ;;
                *) log_error "Unsupported key type '${ktype}' (use: ed25519, rsa, ecdsa)"; return 1 ;;
            esac
            generate_ssh_key "$ktype" "${HOME}/.ssh/id_${ktype}" || true ;;
        key-deploy)
            [[ -z "${1:-}" ]] && { log_error "Usage: tunnelforge key-deploy <name>"; return 1; }
            validate_profile_name "$1" || { log_error "Invalid profile name"; return 1; }
            load_settings; deploy_ssh_key "$1" || true ;;
        fingerprint)
            [[ -z "${1:-}" ]] && { log_error "Usage: tunnelforge fingerprint <host> [port]"; return 1; }
            load_settings; verify_host_fingerprint "$1" "${2:-22}" || true ;;

        # ── Telegram commands ──
        telegram|tg)
            load_settings
            local tg_action="${1:-status}"
            case "$tg_action" in
                setup)   telegram_setup || true ;;
                test)    telegram_test || true ;;
                status)  telegram_status || true ;;
                send)    shift; [[ -z "$*" ]] && { log_error "Usage: tunnelforge telegram send <message>"; return 1; }; _telegram_send "$*" || { log_error "Send failed (is Telegram configured?)"; return 1; } ;;
                report)  telegram_send_status || true ;;
                share)   shift; telegram_share_client "${1:-}" || true ;;
                *)       log_error "Usage: tunnelforge telegram [setup|test|status|send|report|share]"; return 1 ;;
            esac ;;

        # ── System commands ──
        health)
            load_settings; security_audit || true ;;
        server-setup)
            detect_os; load_settings
            server_setup "${1:-}" || true ;;
        obfs-setup|obfuscate)
            [[ -z "${1:-}" ]] && { log_error "Usage: tunnelforge obfs-setup <profile>"; return 1; }
            detect_os; load_settings
            _obfs_setup_stunnel "$1" || true ;;
        client-config)
            [[ -z "${1:-}" ]] && { log_error "Usage: tunnelforge client-config <profile>"; return 1; }
            detect_os; load_settings
            local -A _cc_prof=()
            load_profile "$1" _cc_prof || { log_error "Cannot load profile '$1'"; return 1; }
            if [[ -z "${_cc_prof[OBFS_LOCAL_PORT]:-}" ]] || [[ "${_cc_prof[OBFS_LOCAL_PORT]:-0}" == "0" ]]; then
                log_error "Profile '$1' has no inbound TLS configured"
                printf "${DIM}Enable it in the wizard or set OBFS_LOCAL_PORT and OBFS_PSK in the profile.${RESET}\n"
                return 1
            fi
            _obfs_show_client_config "$1" _cc_prof || true ;;
        client-script)
            [[ -z "${1:-}" ]] && { log_error "Usage: tunnelforge client-script <profile> [output-file]"; return 1; }
            detect_os; load_settings
            local -A _cs_prof=()
            load_profile "$1" _cs_prof || { log_error "Cannot load profile '$1'"; return 1; }
            _obfs_generate_client_script "$1" _cs_prof "${2:-}" || true
            _obfs_generate_client_script_win "$1" _cs_prof "" || true ;;
        service)
            [[ -z "${1:-}" ]] && { log_error "Usage: tunnelforge service <name> [enable|disable|status|remove]"; return 1; }
            validate_profile_name "$1" || { log_error "Invalid profile name"; return 1; }
            detect_os; load_settings
            local svc_name="$1" svc_action="${2:-}"
            case "$svc_action" in
                enable)  enable_service "$svc_name" || true ;;
                disable) disable_service "$svc_name" || true ;;
                status)  service_status "$svc_name" || true ;;
                remove)  remove_service "$svc_name" || true ;;
                "")      generate_service "$svc_name" || true ;;
                *)       log_error "Unknown action: ${svc_action}"; return 1 ;;
            esac ;;
        backup)
            load_settings
            backup_tunnelforge || true ;;
        restore)
            load_settings
            restore_tunnelforge "${1:-}" || true ;;
        uninstall)
            detect_os; load_settings
            uninstall_tunnelforge ;;
        install)
            install_tunnelforge ;;
        update)
            detect_os; load_settings
            update_tunnelforge ;;

        # ── Info commands ──
        version|-v|--version)
            show_version ;;
        help|-h|--help)
            show_help ;;

        # ── Default: first run or menu ──
        "")
            if is_installed; then
                detect_os; load_settings
                show_menu
            else
                install_tunnelforge
                if is_installed; then
                    _press_any_key
                    detect_os; load_settings
                    show_menu
                fi
            fi ;;

        *)
            log_error "Unknown command: ${command}"
            log_info  "Run 'tunnelforge help' for available commands"
            return 1 ;;
    esac
}

# ============================================================================
# MAIN
# ============================================================================

main() { cli_main "$@"; }
main "$@"