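# ID of the lab VM (aws_instance.lab), e.g. for locating or tearing down the
# instance outside Terraform.
output "instance_id" {
  description = "EC2 instance ID of the lab VM."
  value       = aws_instance.lab.id
}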

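# Public address of the lab VM. Every SSH command output in this file connects
# to this address as the ubuntu user.
# NOTE(review): kernel_check_command describes this VM as running a vulnerable
# kernel, and the security group is not defined in this file. Confirm that SSH
# ingress is restricted to the operator's address and that the instance is
# destroyed at the end of the run.
output "public_ip" {
  description = "Public IP address of the lab VM (target of the SSH command outputs)."
  value       = aws_instance.lab.public_ip
}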

# Exposes only the on-disk location of the per-run SSH key, not the key
# material, so the output is not marked sensitive.
# NOTE(review): the description promises mode 0600, but local_file.private_key
# is defined elsewhere. Confirm its file_permission matches.
# NOTE(review): if the key pair is generated inside Terraform, the private key
# presumably also lives in the state file. Verify that state is protected and
# removed with the run.
output "ssh_private_key_path" {
  description = "Path to the per-run private key (mode 0600), under the run dir."
  value       = local_file.private_key.filename
}

# Verifier channel: log in as ubuntu with the per-run key, then escalate with
# non-interactive sudo (-n fails instead of prompting for a password) to print
# the root identity and the /root/.lab-ready marker.
# StrictHostKeyChecking=accept-new trusts the host key on first contact and
# refuses the connection if a known key later changes.
# NOTE(review): no UserKnownHostsFile is set, so the operator's default
# known_hosts is used. A recycled public IP could collide with an older entry;
# consider a per-run known_hosts file next to the key.
output "ssh_root_command" {
  description = "Privileged out-of-band channel for the VERIFIER (root via sudo)."
  value = format(
    "ssh -i %s -o StrictHostKeyChecking=accept-new ubuntu@%s '%s'",
    local_file.private_key.filename,
    aws_instance.lab.public_ip,
    "sudo -n -- bash -c \"id; cat /root/.lab-ready\""
  )
}

# Exploiter channel: the SSH session is opened as ubuntu and immediately drops
# to the lowpriv account with `sudo -n -u lowpriv`, running a login shell
# (bash -l) that prints the effective identity.
# This uses the same key and the same ubuntu login as ssh_root_command, so the
# separation between the verifier and exploiter roles rests on the remote
# `sudo -u lowpriv` step, not on distinct SSH credentials.
# NOTE(review): confirm lowpriv itself has no sudo rights and that whatever
# drives this command cannot alter the remote command string.
output "ssh_unprivileged_command" {
  description = "How the EXPLOITER launches the exploit as the unprivileged actor."
  value = format(
    "ssh -i %s -o StrictHostKeyChecking=accept-new ubuntu@%s '%s'",
    local_file.private_key.filename,
    aws_instance.lab.public_ip,
    "sudo -n -u lowpriv -- bash -lc \"id; whoami\""
  )
}

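# Pre-flight check: print the running kernel release, then the /root/.lab-ready
# marker, or NOT-READY if the marker cannot be read.
# The marker is read through `sudo -n`, matching ssh_root_command, which reads
# the same file via sudo. On a default Ubuntu image /root is not readable by
# the ubuntu login user (assumed; confirm provisioning does not relax it), so
# a plain `cat` would report NOT-READY even on a staged VM.
# stderr is discarded, so a sudo failure also falls through to NOT-READY.
output "kernel_check_command" {
  description = "Confirm the VM is on a vulnerable kernel and the baseline is staged."
  value       = "ssh -i ${local_file.private_key.filename} -o StrictHostKeyChecking=accept-new ubuntu@${aws_instance.lab.public_ip} 'uname -r; sudo -n cat /root/.lab-ready 2>/dev/null || echo NOT-READY'"
}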
