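# Secret scan — block commits with API keys, private keys, .env
#
# Runs against the staged changes only (git diff --cached). Every check that
# fires prints a BLOCKED message on stderr and exits 1, which aborts the commit.
# Patterns use grep -E (POSIX ERE) rather than -P so the hook behaves the same
# on GNU and BSD grep; a grep that cannot run a check fails closed instead of
# silently passing.

#######################################
# Run grep -E with the given pattern over stdin and fail closed on grep errors.
# grep exits 0 on match, 1 on no match and >=2 on error (bad pattern, missing
# option); an error here would otherwise read as "no match" inside `if`.
# Arguments: $1 - ERE pattern
# Returns:   0 on match, 1 on no match; exits 1 on grep error
#######################################
matches() {
  local rc=0
  grep -qE -- "$1" || rc=$?
  if (( rc >= 2 )); then
    printf 'BLOCKED: secret scan could not run (grep exit %s)\n' "$rc" >&2
    exit 1
  fi
  return "$rc"
}

#######################################
# Block the commit when PATTERN occurs on an ADDED line of the staged diff.
# Only lines starting with `+` are scanned, so a commit that removes an
# already-leaked value, or touches unrelated context next to one, is not blocked.
# Globals:   STAGED_CONTENT (read)
# Arguments: $1 - ERE pattern, $2 - message printed after "BLOCKED: "
#######################################
block_if_added() {
  local pattern=$1
  local message=$2
  if matches "^\\+.*${pattern}" <<<"$STAGED_CONTENT"; then
    printf 'BLOCKED: %s\n' "$message" >&2
    exit 1
  fi
}

# ACMR: added, copied, modified and renamed paths. Renames are included so a
# file that is renamed and gains a secret in the same commit is still scanned.
# A failing git diff aborts the commit rather than scanning an empty list.
STAGED=$(git diff --cached --name-only --diff-filter=ACMR) || {
  printf 'BLOCKED: could not list staged files\n' >&2
  exit 1
}

# `(^|/)` anchors on the basename, so config/.env and .env.local are caught,
# not only a root-level .env. `\.env\.enc` is matched anywhere in the path,
# as before.
if matches '(^|/)\.env$|(^|/)\.env\.|\.env\.enc' <<<"$STAGED"; then
  printf 'BLOCKED: .env file staged for commit\n' >&2
  exit 1
fi

STAGED_CONTENT=$(git diff --cached --diff-filter=ACMR -p) || {
  printf 'BLOCKED: could not read staged diff\n' >&2
  exit 1
}

# 0x-prefixed 32-byte hex value; the trailing group stands in for PCRE's \b
# (value must end at a non-hex character or end of line).
block_if_added '0x[a-fA-F0-9]{64}([^a-fA-F0-9]|$)' \
  'Private key pattern detected'
# Quoted APIbase live key literal in source.
block_if_added "['\"]ak_live_[a-f0-9]{32}['\"]" \
  'APIbase live key in source code'
# AWS access key id prefix.
block_if_added 'AKIA[0-9A-Z]{16}' \
  'AWS access key detected'

# Lint-staged (ESLint + Prettier)
npx lint-staged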
