#!/usr/bin/env node

import { execFileSync } from 'node:child_process';
import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
import { join } from 'node:path';

const MARKER = '# sf-secret-scan';

function git(args) {
  return execFileSync('git', args, {
    encoding: 'utf8',
    shell: process.platform === 'win32',
  }).trim();
}

const gitDir = git(['rev-parse', '--git-dir']);
const repoRoot = git(['rev-parse', '--show-toplevel']);
const hookDir = join(gitDir, 'hooks');
const hookFile = join(hookDir, 'pre-commit');
const hookCommand = `node "${join(repoRoot, 'scripts', 'secret-scan.mjs')}"`;

mkdirSync(hookDir, { recursive: true });

if (existsSync(hookFile)) {
  const current = readFileSync(hookFile, 'utf8');
  if (current.includes(MARKER)) {
    process.stdout.write('secret-scan pre-commit hook already installed.\n');
    process.exit(0);
  }

  const next = `${current.replace(/\s*$/, '\n')}${MARKER}\n${hookCommand}\n`;
  writeFileSync(hookFile, next, 'utf8');
  process.stdout.write('secret-scan appended to existing pre-commit hook.\n');
  process.exit(0);
}

const hookBody = [
  '#!/usr/bin/env sh',
  '# sf-secret-scan',
  '# Pre-commit hook: scan staged files for hardcoded secrets',
  hookCommand,
  '',
].join('\n');

writeFileSync(hookFile, hookBody, 'utf8');
try {
  chmodSync(hookFile, 0o755);
} catch {
  // Best effort on Windows filesystems that do not honor chmod.
}

process.stdout.write('secret-scan pre-commit hook installed.\n');