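#!/usr/bin/env bash
#
# Pre-commit secret scan.
#
# Blocks a commit when the staged diff ADDS a line matching a small set of
# high-signal credential patterns, or when a file on a known-sensitive path
# (private keys, keystores, dotenv files, the .openclaw credential store) is
# staged.
#
# Usage:  <script> [repo-dir]      repo-dir defaults to the current directory
# Exit:   0 - clean, or nothing staged
#         2 - a finding, or git could not be queried (the hook fails closed)
# Output: findings on stdout with the matched token masked, so a secret is
#         not copied into terminal scrollback or CI logs; errors on stderr.
set -euo pipefail

# Print a diagnostic on stderr and abort with the "finding/failure" status.
die() {
  printf '%s\n' "$*" >&2
  exit 2
}

ROOT="${1:-.}"
cd -- "$ROOT" || die "[scan] cannot cd to $ROOT"

# Scratch file for git output. mktemp yields an unpredictable 0600 path,
# unlike a fixed name under /tmp that another local user could pre-create or
# symlink; the trap removes it on every exit path so diff content (which may
# contain the very secret we flagged) is not left on disk.
TMP=$(mktemp) || die "[scan] mktemp failed"
trap 'rm -f -- "$TMP"' EXIT

printf '%s\n' "[scan] checking for likely secrets in staged changes..."

# Staged paths, NUL-delimited so names with spaces or newlines survive intact.
# --diff-filter=d drops deletions: removing a .pem from the index should not
# be blocked. A git failure is fatal instead of being read as "nothing staged".
git diff --cached --name-only -z --diff-filter=d >"$TMP" \
  || die "[scan] git diff --cached failed; refusing to commit unchecked"
STAGED=()
while IFS= read -r -d '' f; do
  STAGED+=("$f")
done <"$TMP"

if (( ${#STAGED[@]} == 0 )); then
  printf '%s\n' "[scan] no staged files"
  exit 0
fi

FAIL=0

# Simple patterns (high-signal only): AWS access key id, PEM private-key
# header, Slack token prefix, GitHub PAT, Google API key. The Google key
# class ends in '_-' instead of '\-_': a backslash is literal inside an ERE
# bracket expression, so '\-_' was the range '\'..'_' and never matched '-'.
PATTERN='(AKIA[0-9A-Z]{16}|-----BEGIN (RSA|EC|OPENSSH|PRIVATE) KEY-----|xox[baprs]-|ghp_[A-Za-z0-9]{20,}|AIza[0-9A-Za-z_-]{35})'

# Scan only the '+' lines of the staged diff. Context and '-' lines are
# existing history, and blocking the *removal* of a leaked secret would be
# counter-productive. -U0 limits the diff to the changed lines themselves.
git diff --cached --no-color -U0 >"$TMP" \
  || die "[scan] git diff --cached failed; refusing to commit unchecked"

current_file=''
pattern_hits=0
while IFS= read -r line; do
  case "$line" in
    '+++ '*)
      # New-side file header: remember the path for the report, then skip it.
      current_file=${line#+++ }
      current_file=${current_file#b/}
      continue
      ;;
    '+'*) ;;          # an added line: scan it below
    *) continue ;;    # hunk headers, context, removed lines
  esac
  # [[ =~ ]] uses the C library's ERE, so the {n} intervals work everywhere.
  if [[ "$line" =~ $PATTERN ]]; then
    if (( pattern_hits == 0 )); then
      printf '%s\n' "[scan] possible secret patterns found (token masked):"
    fi
    # The quoted pattern in ${...//"x"/y} is matched literally, not as a glob,
    # so a token containing glob characters cannot break the masking.
    printf '  %s: %s\n' "$current_file" "${line//"${BASH_REMATCH[0]}"/[REDACTED]}"
    pattern_hits=$((pattern_hits + 1))
    FAIL=1
  fi
done <"$TMP"

# Block obvious sensitive paths regardless of content. Matched against the
# path as git prints it; the '*/' forms also catch nested dotenv files.
# Note: '.env.*' also matches .env.example-style names; narrow it here if
# that is unwanted.
for f in "${STAGED[@]}"; do
  case "$f" in
    .openclaw/credentials/*|*.pem|*.key|*.p12|*.pfx|.env|.env.*|*/.env|*/.env.*)
      printf '%s\n' "[scan] blocked sensitive path staged: $f"
      FAIL=1
      ;;
  esac
done

if (( FAIL != 0 )); then
  printf '%s\n' "[scan] FAILED. unstage/remove sensitive data before commit."
  exit 2
fi
printf '%s\n' "[scan] ok"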