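#!/usr/bin/env bash
# Secret-gate helpers. This file defines functions only and is meant to be
# sourced, so it deliberately sets no shell options (set -e/-u would leak
# into the caller's shell).

#######################################
# Scan a tree for strings that look like leaked credentials.
# Arguments:
#   $1   - root directory (or file) to scan; required
#   $2.. - additional paths to scan (treated as paths, never as grep options)
# Outputs:
#   matching lines (file:line:text) on stdout, diagnostics on stderr
# Returns:
#   0 if nothing matched (gate passes)
#   1 if at least one candidate secret was found, or no root was given
#   2 if the scan itself could not run (missing root, grep error)
#######################################
secret_scan_paths() {
  local scan_root="${1:-}"
  if [ -z "$scan_root" ]; then
    echo "secret_scan_paths requires scan root" >&2
    return 1
  fi
  shift
  if [ ! -e "$scan_root" ]; then
    echo "secret_scan_paths: scan root does not exist: $scan_root" >&2
    return 2
  fi

  # ERE alternation of well-known credential shapes. The grep below is
  # case-insensitive (-i) so that header/assignment forms such as
  # "Authorization: Bearer ..." match; note that -i also relaxes the
  # uppercase-only alternatives (e.g. AKIA...), so expect some extra noise.
  local patterns='(sk-[A-Za-z0-9_-]+|AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z_-]{35}|ghp_[A-Za-z0-9]{36}|xox[baprs]-[A-Za-z0-9-]{10,}|-----BEGIN (RSA|DSA|EC|OPENSSH|PGP) PRIVATE KEY-----|authorization:[[:space:]]*bearer[[:space:]]+[A-Za-z0-9._-]{8,}|api[_-]?key[[:space:]]*[:=][[:space:]]*[A-Za-z0-9._-]{8,})'

  # Only source/config file types are scanned.
  local includes=(
    '--include=*.go'
    '--include=*.ts'
    '--include=*.tsx'
    '--include=*.js'
    '--include=*.jsx'
    '--include=*.sh'
    '--include=*.yml'
    '--include=*.yaml'
  )
  # Files that legitimately contain the patterns (this gate, its tests and
  # docs) and directories that are generated or third-party.
  local excludes=(
    '--exclude=verify_phase6.sh'
    '--exclude=secret_gate_lib.sh'
    '--exclude=secret_gate_test.sh'
    '--exclude=.env.example'
    '--exclude=README.md'
    '--exclude=CONFIGURATION.md'
    '--exclude=DEPLOYMENT.md'
    '--exclude-dir=.git'
    '--exclude-dir=.serena'
    '--exclude-dir=node_modules'
    '--exclude-dir=dist'
    '--exclude-dir=logs'
    '--exclude-dir=reports'
  )

  # Options precede the pattern and "--" precedes the paths: this no longer
  # depends on GNU-style option permutation and is safe for paths that begin
  # with "-".
  local status=0
  grep -R -n -E -i "${includes[@]}" "${excludes[@]}" -e "$patterns" -- "$scan_root" "$@" || status=$?

  # grep exits 0 on a match, 1 on no match and 2 on error. An error (e.g. an
  # unreadable file) must not be reported as a clean scan, so the gate fails
  # closed with a distinct status.
  case "$status" in
    0) return 1 ;;
    1) return 0 ;;
    *)
      echo "secret_scan_paths: grep failed with status $status" >&2
      return 2
      ;;
  esac
}

#######################################
# Verify that a .dockerignore keeps .env files out of the image while still
# allowing .env.example.
# Arguments:
#   $1 - path to the .dockerignore to check; required
# Outputs:
#   diagnostics on stderr
# Returns:
#   0 if both rules are present, 1 otherwise
#######################################
secret_env_files() {
  local dockerignore_path="${1:-}"
  if [ -z "$dockerignore_path" ]; then
    echo "secret_env_files requires dockerignore path" >&2
    return 1
  fi
  if [ ! -f "$dockerignore_path" ]; then
    echo "missing dockerignore: $dockerignore_path" >&2
    return 1
  fi

  # Accepts ".env" or ".env.<anything>" as the ignore rule.
  # NOTE(review): a bare ".env.example" or ".env.*" line also satisfies this
  # check although neither ignores ".env" itself — consider tightening.
  if ! grep -Eq '^\.env(\..*)?$' "$dockerignore_path"; then
    echo "missing .env ignore rule in $dockerignore_path" >&2
    return 1
  fi

  # The example file must be explicitly re-allowed with a negation rule.
  if ! grep -Eq '^!\.env\.example$' "$dockerignore_path"; then
    echo "missing explicit .env.example allow rule in $dockerignore_path" >&2
    return 1
  fi
  return 0
}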