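#!/bin/bash
#
# Pre-commit hook: refuse commits that stage .env files or added lines that
# look like hardcoded secrets (generic KEY=value patterns, Stripe live keys,
# JWTs) and warn about database connection strings.
#
# Exit status: 0 when nothing was found, 1 when a violation was found or when
# `git diff` itself failed. A failing git invocation is deliberately NOT
# treated as "no secrets" — the original `... || true` masked git errors and
# let a broken hook environment pass everything through.
#
# Matching lines are printed only after the candidate value has been masked,
# so secrets are not copied into terminal scrollback or CI logs by the check
# that is supposed to keep them out of the repository.
set -euo pipefail

echo "🔍 Checking for secrets in staged files..."

# Colors for output (literal escape strings, expanded with printf %b in say()).
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m' # No Color

# Maximum number of matching lines shown per check, to keep hook output short.
readonly MAX_SHOWN=10

# Flag to track if any violations found (written by the check_* functions).
VIOLATIONS_FOUND=0

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print one colored line and reset the color afterwards.
# Arguments: $1 - color escape string, $2 - message
#######################################
say() {
  printf '%b%s%b\n' "$1" "$2" "$NC"
}

#######################################
# Print the staged diff with zero context. The hook's own script is always
# excluded so that its pattern list does not trigger the checks.
# Arguments: extra pathspecs (e.g. ':!path' excludes)
# Outputs:   unified diff on stdout
# Returns:   exits (via die) when git fails, so a failure can never be mistaken
#            for an empty diff by the caller
#######################################
staged_diff() {
  git diff --cached -U0 -- ':!*check-secrets*' "$@" \
    || die "git diff --cached failed; refusing to commit without scanning"
}

#######################################
# Filter stdin down to added ('+') diff lines matching an extended regex.
# The '+++ b/path' file header is dropped so file names cannot match.
# Arguments: $1 - ERE pattern
# Outputs:   matching lines on stdout (empty when nothing matches)
# Returns:   0 on match or no match; exits on a real grep error (status 2)
#######################################
added_lines_matching() {
  local pattern=$1
  local rc=0
  # grep exits 1 for "no match", which is the normal case here; only 2
  # (bad pattern / read error) is an actual failure.
  grep -E '^\+' | grep -Ev '^\+\+\+ ' | grep -E -- "$pattern" || rc=$?
  (( rc <= 1 )) || die "grep failed (exit $rc) for pattern: $pattern"
}

#######################################
# Print up to MAX_SHOWN matching lines, indented, after running each through a
# sed -E expression that masks the secret value. Uses mapfile instead of
# head/wc so no pipeline can be cut short (SIGPIPE) under pipefail.
# Arguments: $1 - newline-separated matches, $2 - sed -E expression
#######################################
show_matches() {
  local sed_expr=$2
  local -a lines
  mapfile -t lines <<<"$1"
  local line
  for line in "${lines[@]:0:MAX_SHOWN}"; do
    printf '  %s\n' "$(sed -E "$sed_expr" <<<"$line")"
  done
  if (( ${#lines[@]} > MAX_SHOWN )); then
    printf '  ... and %d more\n' "$(( ${#lines[@]} - MAX_SHOWN ))"
  fi
}

#######################################
# Check 1: Prevent .env files from being committed. Deletions are skipped;
# renames (R) are included so a tracked file renamed to .env is still caught.
# Globals: VIOLATIONS_FOUND (written)
#######################################
check_env_files() {
  echo "📋 Checking for .env files..."
  local staged_names env_files
  staged_names=$(git diff --cached --name-only --diff-filter=ACMR) \
    || die "git diff --cached --name-only failed"
  # Allowed templates are listed explicitly; `|| true` only covers grep's
  # "no match" status because the input is already captured above.
  env_files=$(grep -E '\.env$|\.env\.' <<<"$staged_names" \
    | grep -Ev '\.env\.example$|\.env\.docker\.example$|\.env\.voice-agent\.example$|\.env\.template$' \
    || true)

  if [[ -n "$env_files" ]]; then
    say "$RED" "❌ ERROR: Attempting to commit environment files with secrets"
    say "$YELLOW" "Files:"
    local file
    while IFS= read -r file; do
      printf '  - %s\n' "$file"
    done <<<"$env_files"
    echo
    echo "💡 Tip: Only .env.example, .env.docker.example, .env.voice-agent.example, and .env.template files should be committed"
    VIOLATIONS_FOUND=1
  fi
}

#######################################
# Check 2: Scan added lines for KEY=value style secret assignments.
# Globals: VIOLATIONS_FOUND (written)
#######################################
check_secret_patterns() {
  echo "🔎 Scanning for secret patterns in code..."
  local scan_diff secret_patterns
  # Exclude generated Prisma client files — they contain schema field names like
  # accessToken/refreshToken which are not real secrets.
  scan_diff=$(staged_diff ':!*/generated/prisma/*') || exit 1
  secret_patterns=$(added_lines_matching \
    '(SECRET|PASSWORD|API_KEY|TOKEN|PRIVATE_KEY|CLIENT_SECRET).*=' <<<"$scan_diff")

  if [[ -n "$secret_patterns" ]]; then
    say "$RED" "❌ ERROR: Possible secrets detected in commit"
    say "$YELLOW" "Matches:"
    # Hide everything after '=' so the candidate value itself is never echoed.
    show_matches "$secret_patterns" 's/=.*$/=***********/'
    echo
    echo "💡 Tip: Use environment variables or config files (not committed) for secrets"
    VIOLATIONS_FOUND=1
  fi
}

#######################################
# Check 3: Look for Stripe live keys and JWT-shaped tokens in added lines.
# Arguments: $1 - staged diff text
# Globals:   VIOLATIONS_FOUND (written)
#######################################
check_api_keys() {
  echo "🔐 Checking for hardcoded API keys..."
  local api_key_patterns
  api_key_patterns=$(added_lines_matching \
    '(sk_live_|pk_live_|rk_live_|eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*\.)' <<<"$1")

  if [[ -n "$api_key_patterns" ]]; then
    say "$RED" "❌ ERROR: Hardcoded API keys detected"
    say "$YELLOW" "Patterns found:"
    # Mask the key value. sed -E is used on purpose: the BRE '\|' alternation
    # is a GNU extension and silently fails to match on BSD/macOS sed, which
    # would print the full key unmasked.
    show_matches "$api_key_patterns" \
      's/(sk_live_|pk_live_|rk_live_|eyJ)[a-zA-Z0-9_-]*/\1***********/g'
    echo
    echo "💡 These look like Stripe keys or JWT tokens - use environment variables!"
    VIOLATIONS_FOUND=1
  fi
}

#######################################
# Check 4: Warn (do not fail) on database connection strings in added lines.
# The placeholder 'username:password' form is ignored. Lines are not printed.
# Arguments: $1 - staged diff text
#######################################
check_db_strings() {
  echo "🗄️  Checking for database credentials..."
  local db_creds
  # The grouped `|| true` only absorbs grep's "no match"; a failure inside
  # added_lines_matching still propagates through pipefail.
  db_creds=$(added_lines_matching '(postgresql://|mysql://|mongodb://)' <<<"$1" \
    | { grep -v -- 'username:password' || true; })

  if [[ -n "$db_creds" ]]; then
    say "$YELLOW" "⚠️  WARNING: Database connection strings detected"
    echo "  Make sure these don't contain real credentials"
    echo
  fi
}

main() {
  check_env_files
  check_secret_patterns

  # One diff capture shared by checks 3 and 4.
  local staged
  staged=$(staged_diff) || exit 1
  check_api_keys "$staged"
  check_db_strings "$staged"

  # Final verdict
  if (( VIOLATIONS_FOUND )); then
    echo
    say "$RED" "❌ Pre-commit check FAILED"
    echo "   Fix the issues above and try again"
    echo
    exit 1
  fi

  say "$GREEN" "✅ No secrets detected - commit allowed"
  exit 0
}

main "$@"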
