#!/bin/sh

# ANSI colour codes for the diagnostics below; they hold literal "\033"
# sequences that printf expands when they appear in its format string.
readonly RED='\033[0;31m'
readonly NC='\033[0m'

# Flipped to "true" by the checks below as soon as one staged file or hunk
# looks like it carries a secret; decides the final exit status.
detected=false

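#######################################
# Flag staged dotenv files (.env, .env.local, .env.production, ...) wherever
# they sit in the tree; the ".env.example" template is allowed.
# Globals:   detected (written), RED / NC (read)
# Arguments: none
# Outputs:   one red line per flagged path, so the author knows which file
#            to remove from the index
# Returns:   0 always; the result is reported through `detected`
#######################################
check_file() {
    # The outer loop reads from a here-doc instead of a pipe so that it runs in
    # the current shell and the assignment to `detected` is visible afterwards.
    while IFS= read -r file; do
        [ -z "$file" ] && continue
        # the path goes in as a printf argument, never as part of the format
        printf "${RED}⛔ Fichier d'environnement indexé : %s${NC}\n" "$file"
        detected=true
    done <<EOF
$(git diff --cached --name-only | while IFS= read -r f; do
    # deleted or renamed-away entries are no longer on disk: nothing to leak
    [ -f "$f" ] || continue
    # match on the basename so nested files (config/.env.local) are caught too
    case "${f##*/}" in
        .env.example) ;;
        .env|.env.*) printf '%s\n' "$f" ;;
    esac
done)
EOF
}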

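#######################################
# Scan the staged diff of the given paths for well-known secret shapes.
# Only lines the commit ADDS ('+' prefix, excluding the '+++' file header)
# are inspected: a commit that removes a leaked secret must not be blocked,
# and unchanged context lines are not this commit's doing.
# Globals:   RED / NC (read); content, line (written, POSIX sh has no local)
# Arguments: paths forwarded to `git diff --cached`
# Outputs:   one red diagnostic line for the first match
# Returns:   1 when a secret-like string is found, 0 otherwise
#######################################
check_diff() {
    # stderr is silenced, so a failing git invocation looks like an empty diff
    # and passes; acceptable for a hook, but worth knowing when debugging.
    content=$(git diff --cached --diff-filter=ACM -- "$@" 2>/dev/null)
    [ -z "$content" ] && return 0

    # A here-doc keeps the loop in the current shell, so `return 1` leaves the
    # function directly instead of only terminating a pipeline subshell.
    while IFS= read -r line; do
        case "$line" in
            +++*) continue ;;
            +*) ;;
            *) continue ;;
        esac
        # Glob matches are coarser than the exact token formats (e.g. any
        # "ghp_" or "AKIA" followed by one character); a false positive only
        # blocks the commit, which is the preferred failure mode here.
        case "$line" in
            *VITE_SUPABASE_SERVICE_ROLE_KEY*)
                printf "${RED}⛔ Secret détecté : VITE_SUPABASE_SERVICE_ROLE_KEY (clé admin Supabase)${NC}\n"
                return 1
                ;;
            *eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9*)
                printf "${RED}⛔ Secret détecté : JWT token (eyJ...) dans le diff${NC}\n"
                return 1
                ;;
            *ghp_*|*gho_*)
                printf "${RED}⛔ Secret détecté : GitHub token (ghp_/gho_)${NC}\n"
                return 1
                ;;
            *sk_live_*|*sk_test_*)
                printf "${RED}⛔ Secret détecté : clé Stripe${NC}\n"
                return 1
                ;;
            *AKIA[0-9A-Z]*)
                printf "${RED}⛔ Secret détecté : clé AWS (AKIA)${NC}\n"
                return 1
                ;;
            *-----BEGIN*PRIVATE*KEY*-----*)
                printf "${RED}⛔ Secret détecté : clé privée RSA/EC${NC}\n"
                return 1
                ;;
        esac
    done <<EOF
$content
EOF
    return 0
}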

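check_file

# Walk the staged paths one per line. A here-doc (not a pipe) keeps the loop in
# the current shell so `detected` survives it, and reading lines instead of
# `for f in $(...)` keeps names containing spaces intact. Git may still print
# unusual names C-quoted (core.quotePath); those would not resolve here.
while IFS= read -r f; do
    [ -z "$f" ] && continue
    # the hook's own sources are skipped, presumably because they contain the
    # very patterns being searched for
    case "$f" in .githooks/*) continue ;; esac
    if ! check_diff "$f"; then
        detected=true
    fi
done <<EOF
$(git diff --cached --name-only)
EOF

if [ "$detected" = true ]; then
    printf "${RED}⛔ Commit bloqué : secret(s) détecté(s) dans les fichiers indexés.${NC}\n"
    printf "  Vérifie le contenu et utilise 'git rm --cached' si nécessaire.\n"
    exit 1
fi

exit 0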
