#!/usr/bin/env bash
# Treat unset variables as errors. The script tallies failures in `status`
# (set by fail) and exits with it at the end instead of aborting on the first
# failing check, so -e is not enabled here.
set -o nounset

status=0

#######################################
# Print a [FAIL] line and mark the whole run as failed.
# Globals:   status (written: set to 1)
# Arguments: $1 - label of the failed check
# Outputs:   "[FAIL] <label>" on stdout
#######################################
fail() {
  local label="$1"
  printf '[FAIL] %s\n' "$label"
  status=1
}

#######################################
# Print a [PASS] line for a check.
# Arguments: $1 - label of the passed check
# Outputs:   "[PASS] <label>" on stdout
#######################################
pass() {
  local label="$1"
  printf '[PASS] %s\n' "$label"
}

#######################################
# Print a [SKIP] line for a check that was not run.
# Arguments: $1 - label (with reason) of the skipped check
# Outputs:   "[SKIP] <label>" on stdout
#######################################
skip() {
  local reason="$1"
  printf '[SKIP] %s\n' "$reason"
}

#######################################
# Run a command and report it as [PASS] or [FAIL] under the given label.
# Globals:   status (written through fail on a non-zero exit)
# Arguments: $1 - label; remaining args - the command and its arguments
# Outputs:   one [PASS]/[FAIL] line on stdout, plus the command's own output
#######################################
run_required() {
  local label="$1"
  shift
  local rc=0

  "$@" || rc=$?
  if [ "$rc" -eq 0 ]; then
    pass "$label"
  else
    fail "$label"
  fi
}

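# The scans below use repo-relative pathspecs and files (`-- .`, docs/,
# Cargo.toml, ...), so the script must run from the work-tree root.
repo_root="$(git rev-parse --show-toplevel 2>/dev/null)" || {
  printf '[FAIL] git worktree detection\n' >&2
  exit 1
}

# git reports the root with symlinks resolved; compare against the physical
# cwd rather than $PWD, which keeps the logical path the user cd'd through,
# so a checkout reached via a symlinked directory is not rejected.
if [ "$(pwd -P)" != "$repo_root" ]; then
  printf '[FAIL] bin/lint must run from the repo root: %s\n' "$repo_root" >&2
  exit 1
fi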

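#######################################
# Run one credential regex over the tracked files and print every hit.
# Globals:   credential_matches (read/written; 0 until the first hit or a
#            git error, then 1)
# Arguments: $1 - POSIX ERE handed to `git grep -E`
# Outputs:   header (before the first hit only) and matching lines on stdout
# Returns:   0 always; the outcome is carried in credential_matches
#######################################
report_credential_matches() {
  local regex="$1"
  local output
  local rc=0

  # `-e` keeps a pattern that starts with '-' from being parsed as an option.
  output="$(git grep -nI -E -e "$regex" -- . ':!tests/test_lint.py')" || rc=$?

  # git grep exits 1 for "no match" and higher for an error (bad pattern, not
  # a repository, ...). An error must not read as a clean scan, so it is
  # reported and counted as a finding instead of being swallowed.
  if [ "$rc" -gt 1 ]; then
    printf 'git grep failed (exit %s) for pattern: %s\n' "$rc" "$regex"
    credential_matches=1
    return 0
  fi

  if [ -n "$output" ]; then
    if [ "${credential_matches:-0}" -eq 0 ]; then
      printf 'Credential-like patterns found in tracked files:\n'
    fi
    printf '%s\n' "$output"
    credential_matches=1
  fi
}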

#######################################
# Scan tracked files for credential-looking strings: Postgres URLs carrying a
# password, DSN assignments whose value is not a `$variable` reference, and
# API/secret key assignments with a literal value.
# Globals:   credential_matches (reset to 0 here, raised by
#            report_credential_matches)
# Outputs:   findings on stdout (via report_credential_matches)
# Returns:   0 when nothing matched, 1 otherwise
#######################################
check_credentials() {
  local -a regexes=(
    "postgres://[^[:space:]\"']+:[^[:space:]\"']+@"
    "(^|[^A-Za-z0-9_])DSN[[:space:]]*=[[:space:]]*[\"']?[^$\"'[:space:]][^[:space:]]*"
    "(^|[^A-Za-z0-9_])(API_KEY|SECRET_KEY|API_SECRET|ACCESS_KEY)[[:space:]]*=[[:space:]]*[\"']?[A-Za-z0-9][^[:space:]]*"
  )
  local regex

  credential_matches=0
  for regex in "${regexes[@]}"; do
    report_credential_matches "$regex"
  done

  [ "$credential_matches" -eq 0 ]
}

#######################################
# Decide whether a tracked path is "shipped code" for the TBD scan.
# Arguments: $1 - repo-relative path
# Returns:   0 for source files (by suffix) and root Makefile/Dockerfile,
#            1 for fixture trees and everything else
#######################################
is_tbd_target() {
  local path="$1"

  # Fixture trees are excluded first so a fixture with a source suffix is
  # still skipped.
  case "$path" in
    tests/fixtures/*|testdata/*|spec/fixtures/*) return 1 ;;
  esac

  case "$path" in
    Makefile|Dockerfile) return 0 ;;
    *.py|*.sh|*.bash|*.zsh) return 0 ;;
    *.rs|*.zig) return 0 ;;
    *.js|*.ts|*.tsx|*.jsx) return 0 ;;
  esac

  return 1
}

#######################################
# Print the ERE that matches a whole-line comment in the given file.
# Arguments: $1 - file path (judged by suffix / basename)
# Outputs:   the regex on stdout, without a trailing newline; `^$` (matches
#            only an empty line) for unknown file types
#######################################
comment_pattern_for() {
  local pattern='^$'

  case "$1" in
    *.py|*.sh|*.bash|*.zsh|Makefile|Dockerfile) pattern='^[[:space:]]*#' ;;
    *.rs|*.zig|*.js|*.ts|*.tsx|*.jsx) pattern='^[[:space:]]*//' ;;
  esac

  printf '%s' "$pattern"
}

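#######################################
# Flag "TBD" markers in shipped source files. Whole-line comments (the
# language's comment prefix from comment_pattern_for, or a leading `--`) may
# carry the marker; any other line is reported.
# Globals:   none
# Outputs:   findings as file:line:text on stdout
# Returns:   0 when nothing was flagged, 1 otherwise
#######################################
check_tbd() {
  local found=0
  local file comment_re line_no line_text
  # A leading `--` counts as a comment regardless of file type.
  local dash_comment_re='^[[:space:]]*--'

  while IFS= read -r file; do
    is_tbd_target "$file" || continue
    [ -f "$file" ] || continue
    comment_re="$(comment_pattern_for "$file")"

    # grep -n emits "N:text"; IFS=: splits off N and leaves the rest of the
    # line, colons included, in line_text.
    while IFS=: read -r line_no line_text; do
      [ -n "$line_no" ] || continue
      # Builtin regex tests instead of two grep processes per matching line.
      [[ "$line_text" =~ $comment_re ]] && continue
      [[ "$line_text" =~ $dash_comment_re ]] && continue
      if [ "$found" -eq 0 ]; then
        printf 'TBD markers found in shipped code:\n'
      fi
      printf '%s:%s:%s\n' "$file" "$line_no" "$line_text"
      found=1
    done < <(grep -n -- 'TBD' "$file" || true)
  done < <(git ls-files -- . ':!tests/test_lint.py')

  [ "$found" -eq 0 ]
}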

#######################################
# Report tracked files whose path contains a /__pycache__/ component.
# Globals:   none
# Outputs:   a header and one path per line on stdout when any exist
# Returns:   0 when none are tracked, 1 otherwise
#######################################
check_pycache() {
  local hit_count=0
  local path

  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if [ "$hit_count" -eq 0 ]; then
      printf 'Tracked __pycache__ paths found (add __pycache__/ to .gitignore):\n'
    fi
    printf '%s\n' "$path"
    hit_count=$((hit_count + 1))
  done < <(git ls-files | grep -F -- '/__pycache__/' || true)

  [ "$hit_count" -eq 0 ]
}

# Install strings that must no longer appear in the public docs (README.md and
# docs/). Each entry is matched literally by check_deprecated_public_doc_tokens.
declare -a DEPRECATED_PUBLIC_DOC_TOKENS=()
DEPRECATED_PUBLIC_DOC_TOKENS+=('biomcp-python')

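#######################################
# Search README.md and docs/ (whichever are tracked) for every token in
# DEPRECATED_PUBLIC_DOC_TOKENS.
# Globals:   DEPRECATED_PUBLIC_DOC_TOKENS (read)
# Outputs:   a header and the matching git-grep lines on stdout
# Returns:   0 when no token is found (or nothing is tracked), 1 otherwise
#######################################
check_deprecated_public_doc_tokens() {
  local found=0
  local pattern output rc
  local -a paths=()

  if git ls-files --error-unmatch README.md >/dev/null 2>&1; then
    paths+=("README.md")
  fi
  if git ls-files -- docs/ | grep -q .; then
    paths+=("docs/")
  fi

  # Nothing public to scan: pass. (This also keeps "${paths[@]}" from being
  # expanded empty under set -u on bash before 4.4.)
  [ "${#paths[@]}" -gt 0 ] || return 0

  for pattern in "${DEPRECATED_PUBLIC_DOC_TOKENS[@]}"; do
    rc=0
    # -F: the token is a literal string; -e: a token starting with '-' is
    # not mistaken for an option.
    output="$(git grep -nIF -e "$pattern" -- "${paths[@]}")" || rc=$?

    # Exit 1 is "no match"; anything higher is a git error, which must not
    # pass as a clean scan.
    if [ "$rc" -gt 1 ]; then
      printf 'git grep failed (exit %s) for token: %s\n' "$rc" "$pattern"
      found=1
      continue
    fi

    if [ -n "$output" ]; then
      if [ "$found" -eq 0 ]; then
        printf 'Deprecated public-doc install strings found:\n'
      fi
      printf '%s\n' "$output"
      found=1
    fi
  done

  [ "$found" -eq 0 ]
}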

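# True when all three test-code signature flags ($1 pathlib, $2 read_text,
# $3 assert) are set for a fence.
_fence_has_test_code() {
  [ "$1" -eq 1 ] && [ "$2" -eq 1 ] && [ "$3" -eq 1 ]
}

# Print one finding for a leaked fence; the header goes out only before the
# first finding ($3 is the caller's current `found` flag).
# Arguments: $1 - markdown file, $2 - line number of the opening fence,
#            $3 - 0 if nothing has been reported yet, else 1
_report_docs_test_code_leak() {
  local file="$1"
  local fence_start="$2"
  local already_found="$3"

  if [ "$already_found" -eq 0 ]; then
    printf 'Docs code blocks contain leaked test-code signatures:\n'
  fi
  printf '%s:%s: code block contains from pathlib import Path, .read_text(), and assert\n' "$file" "$fence_start"
}

#######################################
# Scan tracked docs/**/*.md files for fenced code blocks that look like
# copied test code: a block containing `from pathlib import Path`,
# `.read_text()` and the bare word `assert`. A fence still open at end of
# file is judged the same way.
# Globals:   none
# Outputs:   findings on stdout
# Returns:   0 when no block matches, 1 otherwise
#######################################
check_docs_test_code_leaks() {
  local found=0
  local file line line_no
  local in_fence fence_start has_pathlib has_read_text has_assert
  # `assert` as a whole word (same ERE the per-line grep used).
  local assert_re='(^|[^[:alnum:]_])assert([^[:alnum:]_]|$)'

  while IFS= read -r file; do
    [ -n "$file" ] || continue
    [ -f "$file" ] || continue

    in_fence=0
    fence_start=0
    has_pathlib=0
    has_read_text=0
    has_assert=0
    line_no=0

    # `|| [ -n "$line" ]` keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
      line_no=$((line_no + 1))
      if [[ "$line" == '```'* ]]; then
        if [ "$in_fence" -eq 0 ]; then
          in_fence=1
          fence_start="$line_no"
          has_pathlib=0
          has_read_text=0
          has_assert=0
        else
          in_fence=0
          if _fence_has_test_code "$has_pathlib" "$has_read_text" "$has_assert"; then
            _report_docs_test_code_leak "$file" "$fence_start" "$found"
            found=1
          fi
        fi
        continue
      fi

      if [ "$in_fence" -eq 1 ]; then
        # Builtin pattern tests instead of up to three grep processes per line.
        [[ "$line" == *'from pathlib import Path'* ]] && has_pathlib=1
        [[ "$line" == *'.read_text()'* ]] && has_read_text=1
        [[ "$line" =~ $assert_re ]] && has_assert=1
      fi
    done < "$file"

    if [ "$in_fence" -eq 1 ] && _fence_has_test_code "$has_pathlib" "$has_read_text" "$has_assert"; then
      _report_docs_test_code_leak "$file" "$fence_start" "$found"
      found=1
    fi
  done < <(git ls-files -- 'docs/*.md' 'docs/**/*.md')

  [ "$found" -eq 0 ]
}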

#######################################
# Test whether git tracks at least one file matching a pathspec.
# Arguments: $1 - pathspec (e.g. '*.py')
# Returns:   0 when `git ls-files` lists anything, 1 otherwise
#######################################
has_tracked_files() {
  local listing
  listing="$(git ls-files -- "$1")"
  [ -n "$listing" ]
}

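# Each scan prints its findings and returns non-zero on a hit; run_required
# turns that into the [PASS]/[FAIL] line and the failed status, exactly as
# for the external linters below (the `a && pass || fail` form duplicated
# that logic).
run_required 'credential scan' check_credentials
run_required 'TBD scan' check_tbd
run_required 'stale __pycache__ scan' check_pycache
run_required 'deprecated public-doc install string scan' check_deprecated_public_doc_tokens
run_required 'docs test-code leak scan' check_docs_test_code_leaks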

# Python lint. ruff is optional here (absent → skip); by contrast a missing
# zig/cargo/npm below makes run_required's command fail.
if ! has_tracked_files '*.py'; then
  skip 'Python lint (no tracked Python files)'
elif ! command -v ruff >/dev/null 2>&1; then
  skip 'Python lint (ruff not installed)'
else
  run_required 'Python lint (ruff check .)' ruff check .
fi

# Zig lint, detected by a root build.zig or any tracked .zig file.
if ! { [ -f build.zig ] || has_tracked_files '*.zig'; }; then
  skip 'Zig lint (not detected)'
else
  run_required 'Zig lint (zig fmt --check .)' zig fmt --check .
fi

# Rust lint, detected by a root Cargo.toml. Formatting and clippy always run;
# the cargo-deny license and advisory checks are part of the gate too, so a
# missing cargo-deny is recorded as a failure rather than a skip.
if [ ! -f Cargo.toml ]; then
  skip 'Rust lint (not detected)'
else
  run_required 'Rust lint (cargo fmt --check)' cargo fmt --check
  run_required 'Rust lint (cargo clippy -- -D warnings)' cargo clippy -- -D warnings
  if ! command -v cargo-deny >/dev/null 2>&1; then
    printf 'Install cargo-deny with: cargo install cargo-deny --locked\n'
    fail 'Rust license lint (cargo-deny missing)'
  else
    run_required 'Rust license lint (cargo deny check licenses)' cargo deny check licenses
    run_required 'Rust advisory lint (cargo deny check advisories)' cargo deny check advisories
  fi
fi

# JS/TS lint, detected by a root package.json. `--if-present` makes npm exit
# cleanly when the package defines no "lint" script.
if [ ! -f package.json ]; then
  skip 'JS/TS lint (not detected)'
else
  run_required 'JS/TS lint (npm run lint --if-present)' npm run lint --if-present
fi

# Non-zero if any check called fail.
exit "${status}"
