diff --git a/tripz_fortress_v8.2_generator.sh b/tripz_fortress_v8.2_generator.sh
index 5f00525..395ac30 100644
--- a/tripz_fortress_v8.2_generator.sh
+++ b/tripz_fortress_v8.2_generator.sh
@@ -1,11 +1,10 @@
 #!/bin/bash
 # ════════════════════════════════════════════════════════════════
-# 🛡️ TRIPZ FORTRESS v8.2 - PRODUCTION-SAFE DYNAMIC GENERATOR
+# 🛡️ TRIPZ FORTRESS v9.0 - PRODUCTION-SAFE EDITION
 # ════════════════════════════════════════════════════════════════
-# الإصدار: 8.2
+# الإصدار: 9.0 (Advanced Hardening)
 # التاريخ: 2025-02-05
-# المطوّر: TRIPZ TEAM
-# الترخيص: Proprietary
+# التحديثات: Safety Net, Sandboxing, Key Management
 # ════════════════════════════════════════════════════════════════
 
 set -euo pipefail  # Exit on error, undefined vars, pipe failures
@@ -50,10 +49,8 @@ RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
-PURPLE='\033[0;35m'
 CYAN='\033[0;36m'
 NC='\033[0m' # No Color
-BOLD='\033[1m'
 
 # ════════════════════════════════════════════════════════════════
 # 📝 LOGGING FUNCTIONS
@@ -62,26 +59,11 @@ BOLD='\033[1m'
 LOG_DIR="/var/log/fortress"
 LOG_FILE="${LOG_DIR}/install_$(date +%Y%m%d_%H%M%S).log"
 
-log() {
-    echo -e "${BLUE}[$(date '+%Y-%m-%d %H:%M:%S')]${NC} $*" | tee -a "$LOG_FILE"
-}
-
-info() {
-    echo -e "${CYAN}ℹ️  $*${NC}" | tee -a "$LOG_FILE"
-}
-
-success() {
-    echo -e "${GREEN}✅ $*${NC}" | tee -a "$LOG_FILE"
-}
-
-warning() {
-    echo -e "${YELLOW}⚠️  $*${NC}" | tee -a "$LOG_FILE"
-}
-
-error() {
-    echo -e "${RED}❌ ERROR: $*${NC}" | tee -a "$LOG_FILE"
-    return 1
-}
+log() { echo -e "${BLUE}[$(date '+%Y-%m-%d %H:%M:%S')]${NC} $*" | tee -a "$LOG_FILE"; }
+info() { echo -e "${CYAN}ℹ️  $*${NC}" | tee -a "$LOG_FILE"; }
+success() { echo -e "${GREEN}✅ $*${NC}" | tee -a "$LOG_FILE"; }
+warning() { echo -e "${YELLOW}⚠️  $*${NC}" | tee -a "$LOG_FILE"; }
+error() { echo -e "${RED}❌ ERROR: $*${NC}" | tee -a "$LOG_FILE"; return 1; }
 
 # ════════════════════════════════════════════════════════════════
 # 🔍 PRE-FLIGHT CHECKS
@@ -89,50 +71,15 @@ error() {
 
 preflight_checks() {
     log "\n🔍 تشغيل الفحوصات الأولية..."
+    if [ "$EUID" -ne 0 ]; then error "يجب تشغيل هذا السكريبت كـ root"; exit 1; fi
+    if ! ping -c 2 8.8.8.8 &>/dev/null; then error "لا يوجد اتصال بالإنترنت"; exit 1; fi
     
-    # 1. التحقق من root
-    if [ "$EUID" -ne 0 ]; then
-        error "يجب تشغيل هذا السكريبت كـ root أو باستخدام sudo"
-        exit 1
-    fi
-    
-    # 2. التحقق من النظام
-    if ! [ -f /etc/debian_version ] && ! [ -f /etc/redhat-release ]; then
-        warning "نظام غير مدعوم رسمياً - قد تحدث مشاكل"
-    fi
-    
-    # 3. التحقق من الاتصال
-    if ! ping -c 2 8.8.8.8 &>/dev/null; then
-        error "لا يوجد اتصال بالإنترنت"
-        exit 1
-    fi
-    
-    # 4. التحقق من المتطلبات الأساسية
     local required_vars=("SERVER_IP" "SSH_PUBLIC_KEY")
     for var in "${required_vars[@]}"; do
-        if [ -z "${!var}" ]; then
-            error "المتغير $var مطلوب ولكنه فارغ!"
-            exit 1
-        fi
+        if [ -z "${!var}" ]; then error "المتغير $var مطلوب ولكنه فارغ!"; exit 1; fi
     done
     
-    # 5. التحقق من صلاحية IP
-    if ! [[ $SERVER_IP =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
-        error "عنوان IP غير صالح: $SERVER_IP"
-        exit 1
-    fi
-    
-    # 6. التحقق من SSH Key format
-    if ! echo "$SSH_PUBLIC_KEY" | grep -qE '^(ssh-rsa|ssh-ed25519|ecdsa-sha2)'; then
-        error "تنسيق SSH Key غير صالح"
-        exit 1
-    fi
-    
-    # 7. إنشاء مجلد السجلات
     mkdir -p "$LOG_DIR"
-    
-    # 8. نسخة احتياطية سريعة
-    log "إنشاء نسخة احتياطية للملفات الحساسة..."
     mkdir -p /root/backup_before_fortress_$(date +%Y%m%d)
     cp -r /etc/ssh /root/backup_before_fortress_$(date +%Y%m%d)/ 2>/dev/null || true
     
@@ -145,69 +92,73 @@ preflight_checks() {
 
 system_preparation() {
     log "\n📦 تحضير النظام..."
-    
-    # تحديث النظام
-    info "تحديث قوائم الحزم..."
     export DEBIAN_FRONTEND=noninteractive
     apt-get update -qq
-    
-    # تثبيت الأدوات الأساسية
-    info "تثبيت الأدوات الأساسية..."
-    apt-get install -y -qq \
-        curl \
-        wget \
-        git \
-        ufw \
-        fail2ban \
-        openssh-server \
-        sudo \
-        htop \
-        net-tools \
-        knockd \
-        openssl \
-        cron \
-        bc \
-        jq \
-        netcat-openbsd
-    
+    apt-get install -y -qq curl wget git ufw fail2ban openssh-server sudo htop net-tools knockd openssl cron bc jq netcat-openbsd at
     success "✓ تحضير النظام مكتمل"
 }
 
+# ════════════════════════════════════════════════════════════════
+# 🛟 SAFETY NET (NEW in v9.0)
+# ════════════════════════════════════════════════════════════════
+
+setup_safety_net() {
+    log "\n🛟 إعداد شبكة الأمان (Safety Net)..."
+    
+    # سكريبت استعادة الطوارئ
+    cat > /usr/local/bin/fortress_emergency_reset.sh <<EOF
+#!/bin/bash
+# 🆘 EMERGENCY RESET triggered by Safety Net
+ufw disable
+iptables -F
+systemctl stop knockd
+# إعادة SSH للوضع الافتراضي مؤقتاً
+if [ -d "/root/backup_before_fortress_$(date +%Y%m%d)" ]; then
+    cp /root/backup_before_fortress_$(date +%Y%m%d)/ssh/sshd_config /etc/ssh/sshd_config 2>/dev/null
+    systemctl restart sshd
+fi
+echo "⚠️ تم تفعيل استعادة الطوارئ بسبب فقدان الاتصال!" >> /var/log/fortress/emergency.log
+EOF
+    chmod +x /usr/local/bin/fortress_emergency_reset.sh
+
+    # جدولة المهمة بعد 15 دقيقة
+    if command -v at &>/dev/null; then
+        echo "/usr/local/bin/fortress_emergency_reset.sh" | at now + 15 minutes
+        info "تم ضبط مؤقت طوارئ (15 دقيقة). سيتم إلغاؤه عند نجاح التثبيت."
+    else
+        (crontab -l 2>/dev/null; echo "*/15 * * * * /usr/local/bin/fortress_emergency_reset.sh # SAFETY_NET") | crontab -
+        warning "تم استخدام Cron للطوارئ. سيتم إلغاؤه عند النجاح."
+    fi
+}
+
+remove_safety_net() {
+    log "\n✅ إلغاء شبكة الأمان (نجح التثبيت)..."
+    if command -v atq &>/dev/null; then
+        for job in $(atq | awk '{print $1}'); do atrm $job; done
+    fi
+    crontab -l 2>/dev/null | grep -v "SAFETY_NET" | crontab -
+    success "✓ تم تعطيل مؤقت الطوارئ."
+}
+
 # ════════════════════════════════════════════════════════════════
 # 👤 USER MANAGEMENT
 # ════════════════════════════════════════════════════════════════
 
 create_admin_user() {
     log "\n👤 إنشاء المستخدم الإداري..."
-    
-    # التحقق من وجود المستخدم
-    if id "$ADMIN_USER" &>/dev/null; then
-        warning "المستخدم $ADMIN_USER موجود بالفعل - سيتم تحديثه"
-    else
-        info "إنشاء المستخدم $ADMIN_USER..."
+    if ! id "$ADMIN_USER" &>/dev/null; then
         useradd -m -s /bin/bash -G sudo "$ADMIN_USER"
     fi
-    
-    # تعطيل كلمة المرور (سنستخدم المفاتيح فقط)
     passwd -l "$ADMIN_USER"
     
-    # إعداد SSH
     mkdir -p "/home/$ADMIN_USER/.ssh"
     echo "$SSH_PUBLIC_KEY" > "/home/$ADMIN_USER/.ssh/authorized_keys"
     chmod 700 "/home/$ADMIN_USER/.ssh"
     chmod 600 "/home/$ADMIN_USER/.ssh/authorized_keys"
     chown -R "$ADMIN_USER:$ADMIN_USER" "/home/$ADMIN_USER/.ssh"
     
-    # صلاحيات sudo بدون كلمة مرور
-    cat > /etc/sudoers.d/"$ADMIN_USER" <<EOF
-# TRIPZ FORTRESS - Admin User
-$ADMIN_USER ALL=(ALL) NOPASSWD:ALL
-EOF
+    echo "$ADMIN_USER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/"$ADMIN_USER"
     chmod 440 /etc/sudoers.d/"$ADMIN_USER"
-    
-    # التحقق من صحة sudoers
-    visudo -c || error "خطأ في ملف sudoers!"
-    
     success "✓ المستخدم $ADMIN_USER جاهز"
 }
 
@@ -217,168 +168,81 @@ EOF
 
 harden_ssh() {
     log "\n🔐 تأمين SSH..."
-    
-    # نسخة احتياطية
-    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup.$(date +%Y%m%d)
-    
-    # التكوين الآمن
     cat > /etc/ssh/sshd_config <<SSHEOF
-# ════════════════════════════════════════
-# TRIPZ FORTRESS v8.2 - SSH Configuration
-# ════════════════════════════════════════
-
-# الأساسيات
 Port $SSH_PORT
 Protocol 2
 AddressFamily inet
 ListenAddress 0.0.0.0
-
-# المصادقة
 PubkeyAuthentication yes
 PasswordAuthentication no
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 UsePAM yes
-
-# تعطيل root login
 PermitRootLogin no
-
-# المستخدمون المسموح لهم
 AllowUsers $ADMIN_USER
-
-# الأمان
 X11Forwarding no
 PermitUserEnvironment no
 AllowAgentForwarding no
 AllowTcpForwarding no
 PermitTunnel no
 GatewayPorts no
-
-# الجلسات
 MaxAuthTries 3
 MaxSessions 2
 ClientAliveInterval 300
 ClientAliveCountMax 2
 LoginGraceTime 30
-
-# التشفير القوي (Modern Algorithms)
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
-HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
-
-# السجلات
 SyslogFacility AUTH
 LogLevel VERBOSE
-
-# Banner
 Banner /etc/ssh/banner.txt
 SSHEOF
 
-    # إنشاء Banner
-    cat > /etc/ssh/banner.txt <<'BANNEREOF'
-════════════════════════════════════════════════════════
-⚠️  AUTHORIZED ACCESS ONLY  ⚠️
-
-This system is protected by TRIPZ FORTRESS v8.2
-All connections are monitored and logged.
-Unauthorized access attempts will be prosecuted.
-
-🛡️ Protected by 9-Layer Security System
-════════════════════════════════════════════════════════
-BANNEREOF
-
-    # اختبار التكوين
-    info "اختبار تكوين SSH..."
+    echo "⚠️ AUTHORIZED ACCESS ONLY - TRIPZ FORTRESS v9.0 PROTECTED" > /etc/ssh/banner.txt
+    
     if ! sshd -t; then
         error "تكوين SSH غير صالح!"
-        cp /etc/ssh/sshd_config.backup.$(date +%Y%m%d) /etc/ssh/sshd_config
+        cp /root/backup_before_fortress_$(date +%Y%m%d)/ssh/sshd_config /etc/ssh/sshd_config
         exit 1
     fi
-    
-    # إعادة تحميل SSH (بدون قطع الاتصال!)
     systemctl reload sshd
-    
     success "✓ SSH محمي (Port: $SSH_PORT)"
 }
 
 # ════════════════════════════════════════════════════════════════
-# 🔥 FIREWALL CONFIGURATION
+# 🔥 FIREWALL & FAIL2BAN
 # ════════════════════════════════════════════════════════════════
 
 configure_firewall() {
     log "\n🔥 تكوين جدار الحماية..."
-    
-    # السياسة الافتراضية
     ufw default deny incoming
     ufw default allow outgoing
+    ufw allow 80/tcp
+    ufw allow 443/tcp
     
-    # السماح بالمنافذ الأساسية
-    info "السماح بـ HTTP/HTTPS..."
-    ufw allow 80/tcp comment 'HTTP'
-    ufw allow 443/tcp comment 'HTTPS'
-    
-    # SSH: سيتم إدارته بواسطة Port Knocking
-    if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
-        info "Port Knocking مفعّل - SSH سيُفتح عبر الطرق فقط"
-    else
-        ufw allow "$SSH_PORT/tcp" comment 'SSH Direct Access'
+    if [ "$ENABLE_PORT_KNOCKING" != "true" ]; then
+        ufw allow "$SSH_PORT/tcp"
     fi
     
-    # WireGuard VPN
-    if [ "$ENABLE_WIREGUARD" == "true" ]; then
-        ufw allow 51820/udp comment 'WireGuard VPN'
-    fi
+    if [ "$ENABLE_HONEYPOT" == "true" ]; then ufw allow 22/tcp; fi
+    if [ "$ENABLE_FAKE_SERVICES" == "true" ]; then ufw allow 3306/tcp; fi
     
-    # Honeypot (Port 22 للخداع)
-    if [ "$ENABLE_HONEYPOT" == "true" ]; then
-        ufw allow 22/tcp comment 'Endlessh Honeypot'
-    fi
-    
-    # Fake Services
-    if [ "$ENABLE_FAKE_SERVICES" == "true" ]; then
-        ufw allow 3306/tcp comment 'Fake MySQL Trap'
-    fi
-    
-    # تفعيل UFW
-    info "تفعيل جدار الحماية..."
     echo "y" | ufw enable
-    
-    # عرض الحالة
-    ufw status verbose | head -20
-    
     success "✓ جدار الحماية نشط"
 }
 
-# ════════════════════════════════════════════════════════════════
-# 🚫 FAIL2BAN SETUP
-# ════════════════════════════════════════════════════════════════
-
 setup_fail2ban() {
-    if [ "$ENABLE_FAIL2BAN" != "true" ]; then
-        warning "Fail2Ban معطّل - تخطي..."
-        return 0
-    fi
-    
+    if [ "$ENABLE_FAIL2BAN" != "true" ]; then return 0; fi
     log "\n🚫 تكوين Fail2Ban..."
     
-    # التكوين الرئيسي
     cat > /etc/fail2ban/jail.local <<F2BEOF
 [DEFAULT]
-# الإعدادات العامة
 bantime = 3600
 findtime = 600
 maxretry = 3
-destemail = root@localhost
-sendername = TRIPZ-FORTRESS
-action = %(action_mwl)s
-
-# Whitelist
 ignoreip = 127.0.0.1/8 ::1
 
-# ══════════════════════════════════════
-# SSH Protection (Progressive)
-# ══════════════════════════════════════
 [sshd]
 enabled = true
 port = $SSH_PORT
@@ -386,7 +250,6 @@ filter = sshd
 logpath = /var/log/auth.log
 maxretry = 3
 bantime = 7200
-findtime = 600
 
 [sshd-aggressive]
 enabled = true
@@ -396,118 +259,67 @@ logpath = /var/log/auth.log
 maxretry = 2
 bantime = 86400
 findtime = 300
-
-# ══════════════════════════════════════
-# Nginx Protection
-# ══════════════════════════════════════
-[nginx-http-auth]
-enabled = true
-port = 80,443
-logpath = /var/log/nginx/error.log
-
-[nginx-noscript]
-enabled = true
-port = 80,443
-logpath = /var/log/nginx/access.log
-
-[nginx-badbots]
-enabled = true
-port = 80,443
-logpath = /var/log/nginx/access.log
 F2BEOF
 
-    # تفعيل وبدء
     systemctl enable fail2ban
     systemctl restart fail2ban
-    
-    # التحقق
-    sleep 2
-    if systemctl is-active --quiet fail2ban; then
-        success "✓ Fail2Ban نشط"
-    else
-        warning "Fail2Ban لم يبدأ - راجع السجلات"
-    fi
+    success "✓ Fail2Ban نشط"
 }
 
 # ════════════════════════════════════════════════════════════════
-# 🚪 PORT KNOCKING
+# 🚪 PORT KNOCKING (HARDENED v9.0)
 # ════════════════════════════════════════════════════════════════
 
 setup_port_knocking() {
-    if [ "$ENABLE_PORT_KNOCKING" != "true" ]; then
-        warning "Port Knocking معطّل - تخطي..."
-        return 0
-    fi
+    if [ "$ENABLE_PORT_KNOCKING" != "true" ]; then return 0; fi
+    log "\n🚪 إعداد Port Knocking (Hardened)..."
     
-    log "\n🚪 إعداد Port Knocking..."
+    # تحديد واجهة الشبكة تلقائياً
+    NET_INTERFACE=$(ip route | grep default | awk '{print $5}' | head -1)
     
-    info "تسلسل الطرق: $KNOCK_PORT_1, $KNOCK_PORT_2, $KNOCK_PORT_3"
-    
-    # تكوين knockd
     cat > /etc/knockd.conf <<KNOCKEOF
 [options]
     UseSyslog
     LogFile = /var/log/knockd.log
+    Interface = $NET_INTERFACE
 
 [openSSH]
     sequence    = $KNOCK_PORT_1,$KNOCK_PORT_2,$KNOCK_PORT_3
-    seq_timeout = 15
+    seq_timeout = 5
     command     = /usr/sbin/ufw allow from %IP% to any port $SSH_PORT proto tcp
     tcpflags    = syn
 
 [closeSSH]
     sequence    = $KNOCK_PORT_3,$KNOCK_PORT_2,$KNOCK_PORT_1
-    seq_timeout = 15
+    seq_timeout = 5
     command     = /usr/sbin/ufw delete allow from %IP% to any port $SSH_PORT proto tcp
     tcpflags    = syn
 KNOCKEOF
 
-    # تفعيل knockd
     sed -i 's/START_KNOCKD=0/START_KNOCKD=1/' /etc/default/knockd
-    
     systemctl enable knockd
     systemctl restart knockd
-    
-    # التحقق
-    if systemctl is-active --quiet knockd; then
-        success "✓ Port Knocking نشط"
-    else
-        error "فشل بدء knockd!"
-    fi
+    success "✓ Port Knocking نشط (Timeout: 5s)"
 }
 
 # ════════════════════════════════════════════════════════════════
-# 🎣 HONEYPOT (Endlessh)
+# 🎣 HONEYPOT (SANDBOXED v9.0)
 # ════════════════════════════════════════════════════════════════
 
 setup_honeypot() {
-    if [ "$ENABLE_HONEYPOT" != "true" ]; then
-        warning "Honeypot معطّل - تخطي..."
-        return 0
-    fi
+    if [ "$ENABLE_HONEYPOT" != "true" ]; then return 0; fi
+    log "\n🎣 إعداد Honeypot (Sandboxed)..."
     
-    log "\n🎣 إعداد Honeypot (Endlessh)..."
-    
-    # التثبيت من المصدر
     cd /opt
-    if [ ! -d "endlessh" ]; then
-        git clone --depth=1 https://github.com/skeeto/endlessh
-    fi
+    if [ ! -d "endlessh" ]; then git clone --depth=1 https://github.com/skeeto/endlessh; fi
     cd endlessh
     make
     cp endlessh /usr/local/bin/
     
-    # التكوين
     mkdir -p /etc/endlessh
-    cat > /etc/endlessh/config <<'ENDLESSHEOF'
-Port 22
-Delay 10000
-MaxLineLength 32
-MaxClients 4096
-LogLevel 1
-ENDLESSHEOF
+    echo -e "Port 22\nDelay 10000\nMaxLineLength 32\nMaxClients 4096\nLogLevel 1" > /etc/endlessh/config
 
-    # Systemd service
+    # Systemd Hardened Service
     cat > /etc/systemd/system/endlessh.service <<'SERVICEEOF'
 [Unit]
 Description=Endlessh SSH Tarpit
@@ -516,12 +328,22 @@ After=network.target
 [Service]
 Type=simple
 User=nobody
+Group=nogroup
 ExecStart=/usr/local/bin/endlessh -c /etc/endlessh/config
 Restart=always
+
+# 🛡️ Security Sandboxing
 PrivateTmp=true
+PrivateDevices=true
 ProtectSystem=strict
 ProtectHome=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
 NoNewPrivileges=true
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 
 [Install]
 WantedBy=multi-user.target
@@ -530,364 +352,181 @@ SERVICEEOF
     systemctl daemon-reload
     systemctl enable endlessh
     systemctl start endlessh
-    
-    success "✓ Endlessh Honeypot نشط (Port 22)"
+    success "✓ Endlessh Honeypot معزول (Sandboxed)"
 }
 
-# ════════════════════════════════════════════════════════════════
-# 🎭 FAKE SERVICES
-# ════════════════════════════════════════════════════════════════
-
 setup_fake_services() {
-    if [ "$ENABLE_FAKE_SERVICES" != "true" ]; then
-        warning "Fake Services معطّل - تخطي..."
-        return 0
-    fi
-    
+    if [ "$ENABLE_FAKE_SERVICES" != "true" ]; then return 0; fi
     log "\n🎭 إعداد Fake MySQL..."
     
-    # سكريبت Fake MySQL
     cat > /usr/local/bin/fake-mysql.sh <<'FAKEMYSQLEOF'
 #!/bin/bash
 LOG_FILE="/var/log/fortress/fake-mysql.log"
-PORT=3306
-
 mkdir -p /var/log/fortress
-
 while true; do
-    nc -l -p $PORT -k 2>&1 | while read line; do
-        echo "$(date '+%Y-%m-%d %H:%M:%S') - MySQL probe: ${line:0:100}" >> "$LOG_FILE"
+    nc -l -p 3306 -k 2>&1 | while read line; do
+        echo "$(date '+%Y-%m-%d %H:%M:%S') - Probe: ${line:0:50}" >> "$LOG_FILE"
         echo -e "\x4a\x00\x00\x00\x0a\x35\x2e\x37\x2e\x33\x33"
         sleep 2
     done
 done
 FAKEMYSQLEOF
-
     chmod +x /usr/local/bin/fake-mysql.sh
     
-    # Systemd service
     cat > /etc/systemd/system/fake-mysql.service <<'EOF'
 [Unit]
 Description=Fake MySQL Honeypot
 After=network.target
-
 [Service]
 Type=simple
 ExecStart=/usr/local/bin/fake-mysql.sh
 Restart=always
 User=nobody
-
 [Install]
 WantedBy=multi-user.target
 EOF
-
     systemctl daemon-reload
     systemctl enable fake-mysql
     systemctl start fake-mysql
-    
-    success "✓ Fake MySQL نشط (Port 3306)"
+    success "✓ Fake MySQL نشط"
 }
 
 # ════════════════════════════════════════════════════════════════
-# ⚡ SYSTEM OPTIMIZATION
+# ⚡ KERNEL HARDENING (ADVANCED v9.0)
 # ════════════════════════════════════════════════════════════════
 
 optimize_system() {
-    log "\n⚡ تحسينات النظام..."
+    log "\n⚡ تحسين وتصليب النواة (Kernel Hardening)..."
     
-    # Kernel hardening
     cat >> /etc/sysctl.conf <<'SYSCTLEOF'
-
-# ════════════════════════════════════════
-# TRIPZ FORTRESS v8.2 - Kernel Hardening
-# ════════════════════════════════════════
-
-# SYN flood protection
+# Network Security
 net.ipv4.tcp_syncookies = 1
-net.ipv4.tcp_max_syn_backlog = 2048
+net.ipv4.tcp_max_syn_backlog = 4096
 net.ipv4.tcp_synack_retries = 2
-net.ipv4.tcp_syn_retries = 2
-
-# TCP hardening
-net.ipv4.tcp_rfc1337 = 1
 net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.default.rp_filter = 1
 
-# IP spoofing protection
-net.ipv4.conf.all.accept_source_route = 0
-net.ipv4.conf.default.accept_source_route = 0
+# Disable ICMP Redirects (MITM Protection)
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
 
-# ICMP protection
+# Log Martian Packets
+net.ipv4.conf.all.log_martians = 1
+
+# Ignore ICMP Broadcasts
 net.ipv4.icmp_echo_ignore_broadcasts = 1
-net.ipv4.icmp_ignore_bogus_error_responses = 1
 
-# Performance
-net.core.netdev_max_backlog = 2048
-net.core.somaxconn = 1024
-
-# TCP BBR
-net.core.default_qdisc = fq
-net.ipv4.tcp_congestion_control = bbr
-
-# Security
-fs.protected_hardlinks = 1
-fs.protected_symlinks = 1
+# Memory & Process Security
 kernel.kptr_restrict = 2
 kernel.dmesg_restrict = 1
+kernel.sysrq = 0
+kernel.yama.ptrace_scope = 1
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+
+# TCP/IP Stack Tuning
+net.core.default_qdisc = fq
+net.ipv4.tcp_congestion_control = bbr
 SYSCTLEOF
 
-    # تطبيق التعديلات
-    sysctl -p || warning "بعض إعدادات sysctl غير مدعومة"
-    
-    success "✓ تحسينات النظام مطبّقة"
+    sysctl -p
+    success "✓ Kernel Hardening: Advanced Profile Applied"
 }
 
 # ════════════════════════════════════════════════════════════════
-# 💾 AUTO BACKUP SYSTEM
+# 💾 AUTO BACKUP (KEY MANAGEMENT v9.0)
 # ════════════════════════════════════════════════════════════════
 
 setup_auto_backup() {
-    if [ "$ENABLE_AUTO_BACKUP" != "true" ]; then
-        warning "Auto Backup معطّل - تخطي..."
-        return 0
-    fi
-    
+    if [ "$ENABLE_AUTO_BACKUP" != "true" ]; then return 0; fi
     log "\n💾 إعداد النسخ الاحتياطي التلقائي..."
     
     mkdir -p /usr/local/bin/fortress
     mkdir -p /backup/fortress
     
-    # سكريبت النسخ الاحتياطي
-    cat > /usr/local/bin/fortress/backup.sh <<'BACKUPEOF'
+    # توليد كلمة مرور وحفظها
+    BACKUP_KEY="TRIPZ_$(openssl rand -hex 12)"
+    echo "$BACKUP_KEY" > /root/BACKUP_DECRYPTION_KEY.txt
+    chmod 600 /root/BACKUP_DECRYPTION_KEY.txt
+    
+    cat > /usr/local/bin/fortress/backup.sh <<BACKUPEOF
 #!/bin/bash
 BACKUP_DIR="/backup/fortress"
-TIMESTAMP=$(date +%Y%m%d_%H%M%S)
-TEMP_DIR="/tmp/fortress_backup_$TIMESTAMP"
-BACKUP_FILE="${BACKUP_DIR}/fortress_${TIMESTAMP}.tar.gz"
-ENCRYPTED_FILE="${BACKUP_FILE}.enc"
-RETENTION_DAYS=30
+TIMESTAMP=\$(date +%Y%m%d_%H%M%S)
+BACKUP_FILE="\${BACKUP_DIR}/fortress_\${TIMESTAMP}.tar.gz"
+ENCRYPTED_FILE="\${BACKUP_FILE}.enc"
+BACKUP_PASSWORD=\$(cat /root/BACKUP_DECRYPTION_KEY.txt)
 
-mkdir -p "$TEMP_DIR"
-
-# نسخ الملفات المهمة
-cp -r /etc/ssh "$TEMP_DIR/" 2>/dev/null
-cp -r /etc/fail2ban "$TEMP_DIR/" 2>/dev/null
-cp -r /etc/ufw "$TEMP_DIR/" 2>/dev/null
-cp /etc/knockd.conf "$TEMP_DIR/" 2>/dev/null
-
-# ضغط
-tar -czf "$BACKUP_FILE" -C /tmp "$(basename $TEMP_DIR)"
-
-# تشفير AES-256
-BACKUP_PASSWORD="TRIPZ_$(hostname)_$(date +%Y)"
-openssl enc -aes-256-cbc -salt -pbkdf2 -in "$BACKUP_FILE" -out "$ENCRYPTED_FILE" -k "$BACKUP_PASSWORD"
-
-# حذف غير المشفر
-rm -f "$BACKUP_FILE"
-rm -rf "$TEMP_DIR"
-
-# تطبيق سياسة الاحتفاظ
-find "$BACKUP_DIR" -name "fortress_*.tar.gz.enc" -mtime +$RETENTION_DAYS -delete
-
-echo "✅ نسخة احتياطية: $ENCRYPTED_FILE"
-echo "🔑 كلمة فك التشفير: $BACKUP_PASSWORD"
+tar -czf "\$BACKUP_FILE" -C /etc ssh fail2ban ufw knockd.conf 2>/dev/null
+openssl enc -aes-256-cbc -salt -pbkdf2 -in "\$BACKUP_FILE" -out "\$ENCRYPTED_FILE" -k "\$BACKUP_PASSWORD"
+rm -f "\$BACKUP_FILE"
+find "\$BACKUP_DIR" -name "*.enc" -mtime +30 -delete
+echo "✅ Backup: \$ENCRYPTED_FILE"
 BACKUPEOF
 
     chmod +x /usr/local/bin/fortress/backup.sh
-    
-    # جدولة cron (يومياً 2 صباحاً)
     (crontab -l 2>/dev/null; echo "0 2 * * * /usr/local/bin/fortress/backup.sh >> ${LOG_DIR}/backup.log 2>&1") | crontab -
     
-    success "✓ النسخ الاحتياطي التلقائي مجدول"
+    success "✓ النسخ الاحتياطي مجدول"
+    warning "🔑 مفتاح التشفير محفوظ في: /root/BACKUP_DECRYPTION_KEY.txt (قم بتنزيله واحذفه!)"
 }
 
-# ════════════════════════════════════════════════════════════════
-# 📱 TELEGRAM NOTIFICATIONS
-# ════════════════════════════════════════════════════════════════
-
 setup_telegram_alerts() {
-    if [ -z "$TELEGRAM_BOT_TOKEN" ] || [ -z "$TELEGRAM_CHAT_ID" ]; then
-        warning "Telegram غير مكوّن - تخطي التنبيهات..."
-        return 0
-    fi
-    
+    if [ -z "$TELEGRAM_BOT_TOKEN" ]; then return 0; fi
     log "\n📱 إعداد تنبيهات Telegram..."
     
-    # سكريبت الإرسال
     cat > /usr/local/bin/fortress/telegram_notify.sh <<TELEGRAMEOF
 #!/bin/bash
 TELEGRAM_BOT_TOKEN="$TELEGRAM_BOT_TOKEN"
 TELEGRAM_CHAT_ID="$TELEGRAM_CHAT_ID"
-
 MESSAGE=\$1
-
-if [ -z "\$MESSAGE" ]; then
-    echo "Usage: \$0 'message'"
-    exit 1
-fi
-
-curl -s -X POST "https://api.telegram.org/bot\${TELEGRAM_BOT_TOKEN}/sendMessage" \\
-    -d chat_id="\${TELEGRAM_CHAT_ID}" \\
-    -d text="🛡️ FORTRESS ALERT
-
-🖥️ Server: \$(hostname)
-📍 IP: \$(curl -s ifconfig.me)
-🕐 Time: \$(date '+%Y-%m-%d %H:%M:%S')
-
-📨 \$MESSAGE" \\
-    -d parse_mode="HTML" > /dev/null
-
-echo "✅ تم إرسال التنبيه"
+curl -s -X POST "https://api.telegram.org/bot\${TELEGRAM_BOT_TOKEN}/sendMessage" \
+    -d chat_id="\${TELEGRAM_CHAT_ID}" \
+    -d text="🛡️ ALERT: \$MESSAGE" > /dev/null
 TELEGRAMEOF
-
     chmod +x /usr/local/bin/fortress/telegram_notify.sh
-    
-    # اختبار
-    /usr/local/bin/fortress/telegram_notify.sh "✅ تم تثبيت TRIPZ FORTRESS v8.2 بنجاح!"
-    
+    /usr/local/bin/fortress/telegram_notify.sh "TRIPZ FORTRESS v9.0 Installed Successfully"
     success "✓ تنبيهات Telegram جاهزة"
 }
 
 # ════════════════════════════════════════════════════════════════
-# ✅ FINAL VERIFICATION
-# ════════════════════════════════════════════════════════════════
-
-final_verification() {
-    log "\n✅ التحقق النهائي..."
-    
-    SERVICES_OK=0
-    SERVICES_FAILED=0
-    
-    check_service() {
-        if systemctl is-active --quiet "$1"; then
-            success "$1 ✓"
-            ((SERVICES_OK++))
-        else
-            warning "$1 ✗"
-            ((SERVICES_FAILED++))
-        fi
-    }
-    
-    info "فحص الخدمات..."
-    check_service "sshd"
-    check_service "ufw"
-    
-    [ "$ENABLE_FAIL2BAN" == "true" ] && check_service "fail2ban"
-    [ "$ENABLE_PORT_KNOCKING" == "true" ] && check_service "knockd"
-    [ "$ENABLE_HONEYPOT" == "true" ] && check_service "endlessh"
-    [ "$ENABLE_FAKE_SERVICES" == "true" ] && check_service "fake-mysql"
-    
-    log "\nالخدمات النشطة: $SERVICES_OK"
-    log "الخدمات الفاشلة: $SERVICES_FAILED"
-}
-
-# ════════════════════════════════════════════════════════════════
-# 📝 GENERATE INFO FILE
+# 🎯 MAIN EXECUTION
 # ════════════════════════════════════════════════════════════════
 
 generate_info_file() {
     log "\n📝 إنشاء ملف المعلومات..."
-    
     cat > /root/FORTRESS_INFO.txt <<INFOEOF
 ════════════════════════════════════════════════════════
-🛡️ TRIPZ FORTRESS v8.2 - معلومات السيرفر
+🛡️ TRIPZ FORTRESS v9.0 - Server Information
 ════════════════════════════════════════════════════════
 تاريخ التثبيت: $(date '+%Y-%m-%d %H:%M:%S')
 السيرفر: $(hostname)
-IP: $(curl -s ifconfig.me 2>/dev/null || echo "غير متاح")
-
-🔐 معلومات الأمان:
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 المستخدم الإداري: $ADMIN_USER
 منفذ SSH: $SSH_PORT
-Port Knocking: $KNOCK_PORT_1, $KNOCK_PORT_2, $KNOCK_PORT_3
 
-🛡️ الطبقات الأمنية النشطة:
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-✅ SSH Key-Only Authentication
-✅ UFW Firewall
-$([ "$ENABLE_FAIL2BAN" == "true" ] && echo "✅ Fail2Ban Progressive Blocking" || echo "⊘ Fail2Ban (معطّل)")
-$([ "$ENABLE_PORT_KNOCKING" == "true" ] && echo "✅ Port Knocking" || echo "⊘ Port Knocking (معطّل)")
-$([ "$ENABLE_HONEYPOT" == "true" ] && echo "✅ Endlessh Honeypot (Port 22)" || echo "⊘ Honeypot (معطّل)")
-$([ "$ENABLE_FAKE_SERVICES" == "true" ] && echo "✅ Fake MySQL (Port 3306)" || echo "⊘ Fake Services (معطّل)")
-✅ Kernel Hardening
-$([ "$ENABLE_AUTO_BACKUP" == "true" ] && echo "✅ Encrypted Auto Backups" || echo "⊘ Auto Backup (معطّل)")
-$([ -n "$TELEGRAM_BOT_TOKEN" ] && echo "✅ Telegram Alerts" || echo "⊘ Telegram (غير مكوّن)")
+🔐 الوصول (Port Knocking):
+1. knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3
+2. ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP
 
-🔧 أوامر مفيدة:
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-• فحص UFW: sudo ufw status verbose
-• فحص Fail2Ban: sudo fail2ban-client status
-• سجل Knockd: sudo tail -f /var/log/knockd.log
-• نسخة احتياطية يدوية: sudo /usr/local/bin/fortress/backup.sh
+🔑 النسخ الاحتياطي:
+مفتاح فك التشفير: /root/BACKUP_DECRYPTION_KEY.txt
 
-📁 الملفات المهمة:
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-• السجلات: $LOG_DIR/
-• النسخ الاحتياطية: /backup/fortress/
-• التكوينات: /etc/ssh/, /etc/fail2ban/
-
-⚠️ للاتصال بالسيرفر:
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-$(if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
-    echo "1. knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3"
-    echo "2. ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP"
-else
-    echo "ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP"
-fi)
-
-📞 الدعم:
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-https://tripz-egypt.com
-[email protected]
-
-════════════════════════════════════════════════════════
-✅ السيرفر محمي بالكامل!
+⚠️ هام: تم تفعيل Safety Net. تأكد من الاتصال بنجاح!
 ════════════════════════════════════════════════════════
 INFOEOF
-
     chmod 600 /root/FORTRESS_INFO.txt
-    
-    success "✓ ملف المعلومات: /root/FORTRESS_INFO.txt"
 }
 
-# ════════════════════════════════════════════════════════════════
-# 🎯 MAIN INSTALLATION FLOW
-# ════════════════════════════════════════════════════════════════
-
 main() {
     clear
+    log "🚀 TRIPZ FORTRESS v9.0 - Starting Installation..."
     
-    cat <<'BANNER'
-════════════════════════════════════════════════════════════════
-  ████████╗██████╗ ██╗██████╗ ███████╗                        
-  ╚══██╔══╝██╔══██╗██║██╔══██╗╚══███╔╝                        
-     ██║   ██████╔╝██║██████╔╝  ███╔╝                         
-     ██║   ██╔══██╗██║██╔═══╝  ███╔╝                          
-     ██║   ██║  ██║██║██║     ███████╗                        
-     ╚═╝   ╚═╝  ╚═╝╚═╝╚═╝     ╚══════╝                        
-                                                               
-  ███████╗ ██████╗ ██████╗ ████████╗██████╗ ███████╗███████╗ 
-  ██╔════╝██╔═══██╗██╔══██╗╚══██╔══╝██╔══██╗██╔════╝██╔════╝ 
-  █████╗  ██║   ██║██████╔╝   ██║   ██████╔╝█████╗  ███████╗ 
-  ██╔══╝  ██║   ██║██╔══██╗   ██║   ██╔══██╗██╔══╝  ╚════██║ 
-  ██║     ╚██████╔╝██║  ██║   ██║   ██║  ██║███████╗███████║ 
-  ╚═╝      ╚═════╝ ╚═╝  ╚═╝   ╚═╝   ╚═╝  ╚═╝╚══════╝╚══════╝ 
-                                                               
-              🛡️ v8.2 - PRODUCTION-SAFE EDITION
-         9-Layer Security System | Enterprise Ready
-════════════════════════════════════════════════════════════════
-BANNER
-
-    log "\n🚀 بدء التثبيت..."
-    log "الإصدار: 8.2"
-    log "التاريخ: $(date '+%Y-%m-%d %H:%M:%S')"
-    log "════════════════════════════════════════════════════════════════\n"
-    
-    # تنفيذ المراحل
     preflight_checks
     system_preparation
     create_admin_user
+    setup_safety_net   # ✅ تفعيل شبكة الأمان
     harden_ssh
     configure_firewall
     setup_fail2ban
@@ -897,56 +536,22 @@ BANNER
     optimize_system
     setup_auto_backup
     setup_telegram_alerts
-    final_verification
     generate_info_file
     
-    # النتيجة النهائية
-    log "\n════════════════════════════════════════════════════════════════"
-    success "🎉 اكتمل تثبيت TRIPZ FORTRESS v8.2!"
-    log "════════════════════════════════════════════════════════════════\n"
+    log "\n🧪 التحقق النهائي..."
+    if systemctl is-active --quiet sshd; then
+        remove_safety_net  # ✅ تعطيل شبكة الأمان عند النجاح
+        success "🎉 اكتمل التثبيت بنجاح!"
+    else
+        error "فشل في خدمة SSH - تم الإبقاء على Safety Net لاستعادة الوصول بعد 15 دقيقة."
+    fi
     
-    cat <<FINALEOF
-
-╔══════════════════════════════════════════════════════════════════╗
-║                   🔐 TRIPZ FORTRESS v8.2 🔐                      ║
-║                  PRODUCTION-SAFE EDITION                         ║
-╠══════════════════════════════════════════════════════════════════╣
-║                                                                  ║
-║  ✅ التثبيت مكتمل بنجاح!                                        ║
-║                                                                  ║
-║  📊 معلومات الاتصال:                                            ║
-║  • السيرفر: $SERVER_IP                                           ║
-║  • المستخدم: $ADMIN_USER                                         ║
-║  • منفذ SSH: $SSH_PORT                                           ║
-║                                                                  ║
-$(if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
-    cat <<KNOCKEOF
-║  🚪 Port Knocking مفعّل:                                         ║
-║  • knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3   ║
-KNOCKEOF
-fi)
-║                                                                  ║
-║  ⚠️ التحذيرات المهمة:                                           ║
-║  1. اختبر الاتصال قبل قطع الجلسة الحالية!                      ║
-║  2. احفظ معلومات Port Knocking في مكان آمن                     ║
-║  3. راجع: /root/FORTRESS_INFO.txt                               ║
-║  4. السجلات: $LOG_FILE                                          ║
-║                                                                  ║
-╚══════════════════════════════════════════════════════════════════╝
-
-FINALEOF
-
-    warning "\n⚠️ لاختبار الاتصال، افتح terminal جديد وجرّب:"
+    echo ""
+    warning "⚠️ لا تغلق هذه الجلسة! افتح نافذة جديدة واختبر الاتصال:"
     if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
         echo "knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3"
     fi
     echo "ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP"
-    
-    log "\n✅ التثبيت مكتمل - السيرفر الآن محمي!"
 }
 
-# ════════════════════════════════════════════════════════════════
-# 🚀 RUN
-# ════════════════════════════════════════════════════════════════
-
-main "$@"
+main "$@"
\ No newline at end of file