<#
.SYNOPSIS
    NCO Toolbox Remote Launcher
.DESCRIPTION
    Downloads and runs the NCO Admin Toolbox from a private GitHub repo.
    Usage: irm https://toolbox.nxcore.hu | iex
    
    The user enters a short memorable password that decrypts the stored
    GitHub PAT, which is then used to download the repo as a zip file.
    No git installation required. Files are stored in %LOCALAPPDATA%\NCO-Toolbox
    and overwritten on each run.
#>

# ============================================================
# CONFIG — Paste your encrypted PAT here (from encrypt-pat.ps1)
# ============================================================
$EncryptedPAT = "y8PkMAysuFZJIAx0FuFOLcbWNecr69+Ya7b4kXCChSEii4LVj0IVWNf8MA+2FBCwdFmMc/XZ/8jnkbf2LKenYlnCNOHnuiFEd928XrDTZktlZyVsokYXNlgSDxQ5sJn6fTwuaOmplmFVdDHbKQZtbg=="
$RepoOwner = "subs-dash"
$RepoName = "nco-admin-toolbox-pwsh"
$Branch = "main"
# ============================================================

$hrTop    = "  $([char]0x250C)" + ([char]0x2500).ToString() * 2 + " NCO Admin Toolbox " + ([char]0x2500).ToString() * 11 + [char]0x2510
$hrMid    = "  $([char]0x2502)  Remote Launcher             $([char]0x2502)"
$hrBottom = "  $([char]0x2514)" + ([char]0x2500).ToString() * 29 + [char]0x2518

Write-Host ""
Write-Host $hrTop -ForegroundColor Cyan
Write-Host $hrMid -ForegroundColor Cyan
Write-Host $hrBottom -ForegroundColor Cyan
Write-Host ""

# --- 1. Password prompt ---
$securePass = Read-Host "  Unlock password" -AsSecureString
$password = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass)
)

if ($password.Length -lt 8) {
    Write-Host "  [!] Invalid password." -ForegroundColor Red
    return
}

# --- 2. Decrypt PAT ---
Write-Host "  Authenticating..." -ForegroundColor DarkGray
try {
    $combined = [Convert]::FromBase64String($EncryptedPAT)
    $iv = $combined[0..15]
    $cipherText = $combined[16..($combined.Length - 1)]

    $sha = [System.Security.Cryptography.SHA256]::Create()
    $keyBytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($password))
    $sha.Dispose()
    $password = $null

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $keyBytes
    $aes.IV = $iv
    $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7

    $decryptor = $aes.CreateDecryptor()
    $decrypted = $decryptor.TransformFinalBlock($cipherText, 0, $cipherText.Length)
    $pat = [System.Text.Encoding]::UTF8.GetString($decrypted)
    $decryptor.Dispose()
    $aes.Dispose()

    if ($pat.Length -lt 10) { throw "Decrypted value too short" }
}
catch {
    Write-Host "  [!] Wrong password or corrupted data." -ForegroundColor Red
    return
}

Write-Host "  $([char]0x2714) Authenticated" -ForegroundColor Green

# --- 3. Download repo as zip ---
$installDir = Join-Path $env:LOCALAPPDATA "NCO-Toolbox"
$zipPath = Join-Path $env:TEMP "nco-toolbox-dl.zip"

Write-Host "  Downloading toolbox..." -ForegroundColor DarkGray

try {
    $headers = @{
        Authorization = "Bearer $pat"
        Accept = "application/vnd.github+json"
        "X-GitHub-Api-Version" = "2022-11-28"
    }
    $zipUrl = "https://api.github.com/repos/$RepoOwner/$RepoName/zipball/$Branch"
    $pat = $null

    Invoke-WebRequest -Uri $zipUrl -Headers $headers -OutFile $zipPath -UseBasicParsing
}
catch {
    Write-Host "  [!] Download failed: $_" -ForegroundColor Red
    if (Test-Path $zipPath) { Remove-Item $zipPath -Force -ErrorAction SilentlyContinue }
    return
}

Write-Host "  $([char]0x2714) Downloaded" -ForegroundColor Green

# --- 4. Extract to stable short path ---
Write-Host "  Extracting..." -ForegroundColor DarkGray
try {
    # Extract to temp first
    $tmpExtract = Join-Path $env:TEMP "nco-extract-tmp"
    if (Test-Path $tmpExtract) { Remove-Item $tmpExtract -Recurse -Force }
    Expand-Archive -Path $zipPath -DestinationPath $tmpExtract -Force
    Remove-Item $zipPath -Force -ErrorAction SilentlyContinue

    # GitHub zip creates a subfolder like "owner-repo-hash/" — find it
    $innerDir = Get-ChildItem -Path $tmpExtract -Directory | Select-Object -First 1
    if (-not $innerDir) { throw "No directory found in archive" }

    # Copy contents to stable short path (overwrite previous version)
    if (Test-Path $installDir) { Remove-Item $installDir -Recurse -Force }
    Copy-Item -Path $innerDir.FullName -Destination $installDir -Recurse -Force

    # Clean up temp extract
    Remove-Item $tmpExtract -Recurse -Force -ErrorAction SilentlyContinue

    $scriptPath = Join-Path $installDir "nco-toolbox.ps1"
    if (-not (Test-Path $scriptPath)) {
        throw "nco-toolbox.ps1 not found at: $installDir"
    }
}
catch {
    Write-Host "  [!] Extraction failed: $_" -ForegroundColor Red
    return
}

Write-Host "  $([char]0x2714) Ready" -ForegroundColor Green
Write-Host ""

# --- 5. Run the toolbox ---
try {
    & $scriptPath
}
catch {
    Write-Host "  [!] Toolbox error: $_" -ForegroundColor Red
}

# --- 6. Done ---
# Files remain in %LOCALAPPDATA%\NCO-Toolbox until next run (overwritten).
# This ensures admin relaunches can still access the script files.
Write-Host ""
Write-Host "  $([char]0x2714) Session ended." -ForegroundColor Green