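#!/usr/bin/env bash
# Self-test for scripts/secret_gate_lib.sh.
#
# Exercises the two gate functions the library provides:
#   - secret_scan_paths   must reject a file holding an sk-style key and an
#                         AKIA-style key, and name the offending file on stdout
#   - secret_env_files    must accept a .dockerignore that lists .env and reject
#                         one that does not (the empty fixture under testdata)
#
# All fixtures and all captured stdout/stderr live in a private mktemp
# directory that is removed on exit. Captured scan output echoes the secret
# fixture values, so it must never land in a shared, predictable /tmp path
# (world-readable, and a pre-placed symlink there would redirect the write).
#
# Usage: scripts/secret_gate_test.sh   (no arguments, no env vars required)
# Exit status: 0 on PASS, non-zero on the first failed expectation.
set -euo pipefail

ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
readonly ROOT_DIR
cd "$ROOT_DIR"
# shellcheck source=scripts/secret_gate_lib.sh
. "$ROOT_DIR/scripts/secret_gate_lib.sh"

TMP_DIR="$(mktemp -d)"
readonly TMP_DIR

#######################################
# Remove the private scratch directory; runs on every exit path via trap.
# Globals:   TMP_DIR (read)
# Arguments: none
#######################################
cleanup() {
  # ${TMP_DIR:?} aborts instead of expanding to "rm -rf --" on an empty value.
  rm -rf -- "${TMP_DIR:?}"
}
trap cleanup EXIT

#######################################
# Print a failure message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
fail() {
  printf 'secret_gate_test: FAIL: %s\n' "$*" >&2
  exit 1
}

# --- fixtures -------------------------------------------------------------
readonly SECRET_FILE="$TMP_DIR/secret.ts"
readonly CLEAN_FILE="$TMP_DIR/clean.ts"
readonly AWS_SECRET_FILE="$TMP_DIR/aws.ts"
readonly ENV_FILE="$TMP_DIR/.env"
readonly DOCKERIGNORE_FILE="$TMP_DIR/.dockerignore"
# Checked-in fixture with no .env rule; secret_env_files must reject it.
readonly MISSING_DOCKERIGNORE_FIXTURE="$ROOT_DIR/scripts/testdata/empty.dockerignore"

# Captured output of each gate call. Same basenames as before, now under the
# private scratch dir instead of a fixed /tmp name.
readonly SCAN_OUT="$TMP_DIR/secret_gate_test_scan.out"
readonly SCAN_ERR="$TMP_DIR/secret_gate_test_scan.err"
readonly AWS_OUT="$TMP_DIR/secret_gate_test_aws.out"
readonly AWS_ERR="$TMP_DIR/secret_gate_test_aws.err"
readonly ENV_OUT="$TMP_DIR/secret_gate_test_env.out"
readonly ENV_ERR="$TMP_DIR/secret_gate_test_env.err"
readonly ENV_FAIL_OUT="$TMP_DIR/secret_gate_test_env_fail.out"
readonly ENV_FAIL_ERR="$TMP_DIR/secret_gate_test_env_fail.err"

# Test-only placeholder values; they are shaped like real keys so the scanner's
# patterns trigger, but are not credentials.
printf 'const key = "sk-test-secret";\n' > "$SECRET_FILE"
printf 'const ok = true;\n' > "$CLEAN_FILE"
printf 'const awsKey = "AKIA1234567890ABCDEF";\n' > "$AWS_SECRET_FILE"
# NOTE(review): ENV_FILE is not referenced by any call below; presumably the
# sourced library looks for a .env next to the .dockerignore it is given —
# confirm against secret_gate_lib.sh before removing it.
printf 'OPENROUTER_API_KEY=sk-test-secret\n' > "$ENV_FILE"
printf '.env\n!.env.example\n' > "$DOCKERIGNORE_FILE"

# --- secret_scan_paths: sk-style key must be reported -------------------
# `|| rc=$?` captures the status without toggling set -e around the call.
SCAN_RC=0
secret_scan_paths "$SECRET_FILE" "$CLEAN_FILE" > "$SCAN_OUT" 2> "$SCAN_ERR" || SCAN_RC=$?
if [ "$SCAN_RC" -eq 0 ]; then
  fail "expected secret_scan_paths to fail"
fi
# -F: the path is a literal, not a regex ('.' would otherwise match any char).
grep -qF -- "$SECRET_FILE" "$SCAN_OUT" \
  || fail "secret_scan_paths did not name $SECRET_FILE in its output"

# --- secret_scan_paths: AKIA-style key must be reported -----------------
AWS_SCAN_RC=0
secret_scan_paths "$AWS_SECRET_FILE" > "$AWS_OUT" 2> "$AWS_ERR" || AWS_SCAN_RC=$?
if [ "$AWS_SCAN_RC" -eq 0 ]; then
  fail "expected secret_scan_paths to fail for aws-style key"
fi
grep -qF -- 'AKIA1234567890ABCDEF' "$AWS_OUT" \
  || fail "secret_scan_paths did not report the aws-style key"

# --- secret_env_files: .dockerignore with a .env rule must pass ---------
# Runs under set -e: a non-zero status here aborts the test, as intended.
secret_env_files "$DOCKERIGNORE_FILE" > "$ENV_OUT" 2> "$ENV_ERR"

# --- secret_env_files: .dockerignore without a .env rule must fail ------
ENV_RC=0
secret_env_files "$MISSING_DOCKERIGNORE_FIXTURE" > "$ENV_FAIL_OUT" 2> "$ENV_FAIL_ERR" || ENV_RC=$?
if [ "$ENV_RC" -eq 0 ]; then
  fail "expected secret_env_files to fail without dockerignore entry"
fi
grep -qF -- "missing .env ignore rule" "$ENV_FAIL_ERR" \
  || fail "secret_env_files did not explain the missing .env rule on stderr"

printf '%s\n' "secret_gate_test: PASS"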