#!/bin/sh
# pm-commit: stage and commit agent-touched files with a denylist guard.
#
# Default: stage everything visible to git (.gitignore already filters
# most runtime state), then unstage anything in the denylist below. If
# more than 50 files end up staged after that, abort — caller almost
# certainly meant to scope narrower. Pass --allow-broad as the FIRST
# arg to override.
#
# Usage:
#   pm-commit "message"
#   pm-commit --allow-broad "message"   # for legitimate big sweeps
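set -e

# Every git call below runs from /data. The denylist regex and the
# `git reset HEAD -- <path>` pathspecs only line up if /data is the
# repository top level: `git diff --name-only` prints paths relative to
# the top level, while a reset pathspec is resolved against the cwd.
# NOTE(review): assumes /data is the top level — confirm.
cd /data || { echo "pm-commit: cannot cd to /data" >&2; exit 1; }

# --allow-broad is only honoured as the FIRST argument (see header).
ALLOW_BROAD=0
if [ "$1" = "--allow-broad" ]; then
  ALLOW_BROAD=1
  shift
fi

# Refuse up front if no commit message was given. Without this check the
# whole tree would be staged first and `git commit -m ""` would only then
# abort, leaving the caller to unstage by hand.
if [ $# -lt 1 ] || [ -z "$1" ]; then
  echo 'usage: pm-commit [--allow-broad] "message"' >&2
  exit 1
fi

# Top-level directories that must never be committed even if .gitignore
# misses them (runtime state; agent-browser-profiles may hold session
# data). Anchored with '^' so only these top-level dirs match, not e.g.
# 'src/logs/'. With grep -z each NUL-terminated path is its own record,
# so '^' applies per path.
DENY='^(agent-browser-profiles|compiled|logs|cron-logs|push|generated)/'
readonly DENY

# Staged-file ceiling above which the commit is refused unless
# --allow-broad was given.
MAX_STAGED=50
readonly MAX_STAGED

git add -A
# Unstage anything matching the denylist (belt-and-braces with .gitignore).
# NUL-delimited the whole way so filenames with spaces / quotes / newlines
# don't trip xargs or the shell. Note: without `pipefail` this pipeline's
# status is xargs's, so a grep with no match (exit 1) does not trip
# `set -e` — that is intentional. `xargs -r` skips the reset entirely when
# nothing matched, so an empty pathspec list is never passed to git.
git diff --cached --name-only -z \
  | grep -zE "$DENY" \
  | xargs -0r git reset HEAD --

# Count NUL-terminated entries rather than lines, so a filename containing
# a newline counts once. Some wc implementations pad the number with
# spaces; arithmetic expansion normalises it to a bare integer.
staged=$(git diff --cached --name-only -z | tr -cd '\000' | wc -c)
staged=$((staged + 0))

if [ "$staged" -gt "$MAX_STAGED" ] && [ "$ALLOW_BROAD" -ne 1 ]; then
  echo "pm-commit: $staged files staged — refusing without --allow-broad" >&2
  echo "Top of staged set:" >&2
  git diff --cached --stat | head -20 >&2
  # Unstage everything so the caller isn't left with a fully-staged tree
  # they have to clean up by hand. Exit 2 is reserved for this refusal.
  git reset HEAD -- . >/dev/null
  exit 2
fi

# Nothing staged after the denylist pass: succeed silently rather than
# letting `git commit` fail on an empty change set.
git diff --cached --quiet && exit 0
git commit -m "$1"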
