PAM_FILE="/etc/pam.d/sudo"
AUTH_LINE="auth            sufficient      pam_exec.so quiet stdout /usr/bin/z-auth"

post_install() {
  echo ":: Configuring PAM for z-auth..."
  
  # Check if line already exists
  if grep -q "/usr/bin/z-auth" "$PAM_FILE"; then
    echo "   PAM configuration already exists. Skipping."
  else
    # Backup
    cp "$PAM_FILE" "$PAM_FILE.bak_zauth"
    
    # Insert after the first line (usually #%PAM-1.0)
    # This places it at the very top of the rules, which is what we want for 'sufficient'
    sed -i "2i$AUTH_LINE" "$PAM_FILE"
    echo "   Added z-auth to $PAM_FILE"
  fi
  
  # Optional: Warning if the OLD manual line still exists
  if grep -q "/usr/local/bin/z-auth.sh" "$PAM_FILE"; then
    echo "   WARNING: You have an old configuration pointing to /usr/local/bin/z-auth.sh."
    echo "   You should remove it manually to avoid redundancy."
  fi
}

post_upgrade() {
  post_install
}

post_remove() {
  echo ":: Removing z-auth from PAM configuration..."
  
  if grep -q "/usr/bin/z-auth" "$PAM_FILE"; then
    # Create backup before verifying
    cp "$PAM_FILE" "$PAM_FILE.bak_zauth_remove"
    
    # Remove the exact line (or lines containing the binary path)
    sed -i "\|/usr/bin/z-auth|d" "$PAM_FILE"
    echo "   Removed z-auth configuration."
  fi
}