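#!/usr/bin/env bash
# pre-commit hook.
#
# Order of checks:
#   1. every commit must come through scripts/committer (PROJECT_COMMITTER set)
#   2. author identity must be the public pseudonym / noreply address
#   3. staged content is scanned for internal codenames, personal paths and
#      hostnames, blocked public-repo-hygiene paths and strings, and secrets
#   4. ruff lint + format runs on staged Python files
#
# All content scans read the *index* (`git show :<path>`), not the working
# tree, so a file edited after `git add`, or partially staged with
# `git add -p`, is judged on the bytes that will actually be committed.
# Diagnostics go to stderr; any failed check aborts the commit with status 1.
set -eu -o pipefail
unset GIT_DIR GIT_WORK_TREE GIT_INDEX_FILE

#######################################
# Print each argument on its own line to stderr and abort the commit.
# Arguments: one or more message lines
# Returns:   never (exit 1)
#######################################
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

#######################################
# List the staged paths that will land in the commit (added/copied/modified),
# one per line, relative to the repository root.
# Outputs:   paths to stdout
#######################################
staged_files() {
  git diff --cached --name-only --diff-filter=ACM
}

#######################################
# Grep the staged blob of every path read from stdin.
# Arguments: $1 - extended regex to search for
# Inputs:    newline-separated paths on stdin
# Outputs:   "path:line:text" per hit (same shape as `grep -nH`), nothing when
#            no path matches; paths whose blob cannot be shown (e.g. a
#            submodule gitlink) are skipped
# Returns:   always 0 — callers decide by testing for non-empty output
#######################################
scan_index() {
  local pattern=$1 path hit
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    # `git show :path` reads stage 0 of the index, so the scan sees exactly
    # what is about to be committed, regardless of the working-tree copy.
    git show ":$path" 2>/dev/null | grep -nE -- "$pattern" \
      | while IFS= read -r hit; do
          printf '%s:%s\n' "$path" "$hit"
        done || true
  done
  return 0
}

# Gate: all commits must go through scripts/committer
if [ -z "${PROJECT_COMMITTER:-}" ]; then
  die "error: use scripts/committer — direct git commit is blocked" \
      "usage: scripts/committer \"<message>\" <file...>"
fi

# Author identity check — whitelist only, not blacklist
# `git config` exits non-zero when the key is unset; treat that as an empty
# value so the mismatch message below is printed instead of -e aborting silently.
AUTHOR_EMAIL=$(git config user.email || true)
AUTHOR_NAME=$(git config user.name || true)
if [ "$AUTHOR_EMAIL" != "130952152+0xmariowu@users.noreply.github.com" ]; then
  die "error: git email '$AUTHOR_EMAIL' is not the noreply address" \
      "fix: git config user.email '130952152+0xmariowu@users.noreply.github.com'"
fi
if [ "$AUTHOR_NAME" != "0xmariowu" ]; then
  die "error: git name '$AUTHOR_NAME' is not the public pseudonym" \
      "fix: git config user.name '0xmariowu'"
fi

# Content scan on staged files — codenames, personal paths, hostnames
SCAN_FILES=$(staged_files | grep -v -E '(\.gitleaks\.toml$|\.example$|\.husky/|\.github/workflows/)' || true)
if [ -n "$SCAN_FILES" ]; then
  # Internal project codenames
  CN_MATCHES=$(scan_index '\b(Armory|AIMD|atoms|kalami2?|alaya[_-]os)\b' <<<"$SCAN_FILES")
  if [ -n "$CN_MATCHES" ]; then
    die "error: internal project codenames in staged files:" "$CN_MATCHES"
  fi
  # Personal paths and hostnames (placeholder patterns like /Users/xxx are whitelisted)
  PII_MATCHES=$(scan_index '/Users/[a-zA-Z]|/home/[a-z]|\.ts\.net|tailcca|vimalamac' <<<"$SCAN_FILES" \
    | grep -vE '/Users/(xxx|yourusername|example|your-username)' || true)
  if [ -n "$PII_MATCHES" ]; then
    die "error: personal paths or hostnames in staged files:" "$PII_MATCHES"
  fi
fi

# Public-repo hygiene path check — refuse internal-only paths even getting staged
# (defense in depth — committer also blocks these, but a hook covers raw `git commit` too)
HYGIENE_PATHS=$(staged_files | grep -E '^(HANDOFF\.md$|docs/(plans|proposals|spikes|channel-hunt|exec-plans)/|reports/|.*\.private\.md$|.*\.handoff\.md$)' || true)
if [ -n "$HYGIENE_PATHS" ]; then
  die "error: public-repo-hygiene blocked these paths from being committed:" \
      "$HYGIENE_PATHS" \
      "fix: these belong locally only — see docs/exec-plans/active/autosearch-0425-public-repo-hygiene-plan.md"
fi

# Public-repo hygiene content check — flag dangerous flags / unsafe shortcuts
# (Markdown docs included — these strings should never appear in published docs)
# Allowlist must mirror scripts/validate/public_repo_hygiene.py CONTENT_RULES
# allowlist_paths: files that legitimately describe the rule by literal name.
HYGIENE_CONTENT_FILES=$(staged_files | grep -v -E '(\.gitleaks\.toml$|\.husky/|\.github/workflows/|docs/exec-plans/|^tests/.*\.(py|yaml|yml)$|^scripts/validate/public_repo_hygiene\.py$|^docs/internal-docs\.md$|^docs/public-repo-policy\.md$|^docs/security/hygiene-verify\.md$)' || true)
if [ -n "$HYGIENE_CONTENT_FILES" ]; then
  HYGIENE_MATCHES=$(scan_index 'dangerously-skip-permissions' <<<"$HYGIENE_CONTENT_FILES")
  if [ -n "$HYGIENE_MATCHES" ]; then
    die "error: 'dangerously-skip-permissions' found in staged files:" \
        "$HYGIENE_MATCHES" \
        "fix: remove the flag — it is an internal Claude Code shortcut, not for public docs"
  fi
fi

# Secret detection — Markdown is now in scope (only specific test fixtures + .example excluded)
SECRET_PATTERNS='(API_KEY|SECRET_KEY|PRIVATE_KEY|AUTH_TOKEN|PASSWORD)\s*=\s*["\x27][^\s"'\'']+|sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{36}|AIzaSy[a-zA-Z0-9_-]{33}|sk-ant-[a-zA-Z0-9_-]{40,}|sk-or-[a-zA-Z0-9_-]{20,}|tvly-[a-zA-Z0-9_-]{20,}|github_pat_[a-zA-Z0-9_]{22,}|exa-[a-zA-Z0-9_-]{20,}'
STAGED_FILES=$(staged_files | grep -v -E '(\.example$|\.test\.py$|tests/fixtures/)' || true)
if [ -n "$STAGED_FILES" ]; then
  # Report only "path:line" — the matched value is (potentially) a live
  # credential and must not be copied into terminal scrollback or CI logs.
  MATCHES=$(scan_index "$SECRET_PATTERNS" <<<"$STAGED_FILES" | cut -d: -f1,2)
  if [ -n "$MATCHES" ]; then
    die "error: potential secrets detected in staged files:" "$MATCHES"
  fi
fi

# Ruff lint + format on staged Python files
# Only files whose working copy already matches the index are re-staged
# afterwards: `git add` on a partially staged file would silently pull its
# unstaged (and unscanned) hunks into this commit. Lint failures are reported
# but stay non-fatal, as before.
PY_FILES=$(staged_files | grep '\.py$' || true)
if [ -n "$PY_FILES" ]; then
  if command -v ruff >/dev/null 2>&1; then
    mapfile -t ALL_PY <<<"$PY_FILES"
    RESTAGE=()
    for f in "${ALL_PY[@]}"; do
      [ -n "$f" ] || continue
      if git diff --quiet -- "$f"; then
        RESTAGE+=("$f")
      else
        printf 'warn: %s has unstaged changes; ruff edits are left unstaged\n' "$f" >&2
      fi
    done
    ruff check --fix "${ALL_PY[@]}" || true
    ruff format "${ALL_PY[@]}" || true
    if [ "${#RESTAGE[@]}" -gt 0 ]; then
      git add -- "${RESTAGE[@]}"
    fi
  else
    printf 'warn: ruff not found; skipping lint/format of staged Python files\n' >&2
  fi
fi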
