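#!/usr/bin/env sh
. "$(dirname -- "$0")/_/husky.sh"

# Pre-commit security gate (husky hook).
#
# Blocks the commit (exit 1) when either of these holds:
#   1. a staged file's *indexed* content matches a known credential pattern;
#   2. a staged path looks like a secrets-bearing file (.env, *.pem, *.key, ...).
#
# This is a client-side convenience check only: hooks can be skipped with
# `git commit --no-verify`, so pair it with server-side or CI secret scanning.

echo "🔍 Running security checks..."

# Only paths that will exist in the commit: Added, Copied, Modified, Renamed.
# Staged deletions are excluded. They have no content to scan, and blocking
# them would prevent removing a sensitive file from the repository.
# core.quotePath=false keeps non-ASCII names readable for the name check below.
staged_names=$(git -c core.quotePath=false diff --cached --name-only --diff-filter=ACMR)

# Credential patterns, written as one POSIX ERE (grep -E / git grep -E), so the
# hook does not depend on the GNU-only `\|` alternation of basic regexps.
secret_pattern='AKIDAI|AKIA[0-9A-Z]{16}'                                  # cloud access key IDs
secret_pattern=${secret_pattern}'|sk_live_|sk_test_|rk_live_|rk_test_'    # payment API keys
# The hyphen goes last in the bracket so it is a literal: the previous
# `[...\-_]` form was a range from backslash to underscore and never matched "-".
secret_pattern=${secret_pattern}'|AIza[0-9A-Za-z_-]{35}'                  # Google API keys
secret_pattern=${secret_pattern}'|sk-[a-zA-Z0-9]{48}'                     # sk- API keys
# JWT: header.payload.signature; base64url segments may contain "-" and "_".
secret_pattern=${secret_pattern}'|eyJ[A-Za-z0-9_/+-]*\.eyJ[A-Za-z0-9_/+-]*\.[A-Za-z0-9._/+-]*'
secret_pattern=${secret_pattern}'|gh[pousr]_[0-9a-zA-Z]{36}'              # GitHub tokens

# Scan the staged blobs (git grep --cached), not the working tree: the index is
# what actually gets committed, and it can differ after a partial `git add -p`.
# Paths travel NUL-delimited (-z / xargs -0) and as literal pathspecs so
# whitespace or glob characters in a file name cannot split or widen the scan.
# The decision is based on captured output, not on the pipeline's exit status:
# xargs reports failure if *any* batch finds nothing or hits an error, which
# would otherwise hide a real match in another file.
secret_hits=""
if [ -n "$staged_names" ]; then
  secret_hits=$(
    git diff --cached --name-only --diff-filter=ACMR -z |
      xargs -0 git --literal-pathspecs grep --cached -l -E -e "$secret_pattern" --
  )
fi

if [ -n "$secret_hits" ]; then
  echo "❌ Potential secrets detected in staged files!"
  # Only file names are printed (-l), so the matched value itself never
  # reaches the terminal or any captured hook log.
  echo "Files found:"
  printf '%s\n' "$secret_hits"
  echo "Please remove sensitive information before committing."
  exit 1
fi

# Check for files that should not be committed at all, judged by name.
sensitive_files=$(
  printf '%s\n' "$staged_names" |
    grep -E '\.env$|\.env\..*$|cookies.*\.txt$|.*\.pem$|.*\.key$'
)

if [ -n "$sensitive_files" ]; then
  echo "❌ Sensitive files detected in staging area!"
  echo "Files found:"
  printf '%s\n' "$sensitive_files"
  echo "Please unstage these files before committing."
  exit 1
fi

echo "✅ Security checks passed!"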