#!/usr/bin/env bash
# covenant-managed-pre-push
set -euo pipefail

REPO_ROOT="$(git rev-parse --show-toplevel)"
cd "$REPO_ROOT"

node agent-os/scripts/validate-current-git-identity.mjs </dev/null
node agent-os/scripts/validate-github-cli-account.mjs </dev/null
node agent-os/scripts/validate-github-push-identity.mjs "${1:-origin}" "${2:-}" </dev/null

refs=()
while read -r local_ref local_sha remote_ref remote_sha || [ -n "${local_ref:-}" ]; do
  if [ -z "${local_ref:-}" ] || [ -z "${local_sha:-}" ]; then
    continue
  fi
  if [ "$local_sha" = "0000000000000000000000000000000000000000" ]; then
    continue
  fi
  if [ "${remote_sha:-}" = "0000000000000000000000000000000000000000" ] || [ -z "${remote_sha:-}" ]; then
    refs+=(--rev "$local_sha")
  else
    refs+=(--rev "${remote_sha}..${local_sha}")
  fi
done

if [ "${#refs[@]}" -eq 0 ]; then
  upstream="$(git rev-parse --abbrev-ref --symbolic-full-name '@{upstream}' 2>/dev/null || true)"
  if [ -n "$upstream" ]; then
    refs+=(--rev "${upstream}..HEAD")
  else
    refs+=(--rev HEAD)
  fi
fi

node agent-os/scripts/validate-git-identity.mjs "${refs[@]}"
