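#!/bin/bash
# Install git hooks for this project.
#
# Writes a pre-commit hook that runs gitleaks against the staged changes.
# Run from anywhere inside the repository; requires git on PATH.
#
# Optional knob (read by the installed hook, not by this installer):
#   HOOK_REQUIRE_GITLEAKS=1  make the hook fail closed — block the commit
#                            when gitleaks is not installed instead of
#                            warning and letting the commit through.
set -euo pipefail

# `--git-path hooks` resolves the hooks directory git will actually consult:
# it honours core.hooksPath, worktrees and submodules (where .git is a file,
# not a directory). Hard-coding <toplevel>/.git/hooks silently installs the
# hook somewhere git never looks in those setups.
HOOK_DIR="$(git rev-parse --git-path hooks)"
mkdir -p -- "$HOOK_DIR"

# --- pre-commit hook: secret scanning with gitleaks ---
# Quoted delimiter: nothing below is expanded at install time; the hook body
# is written verbatim, so the \$(uname ...) in the install hint stays literal
# text for the user to copy.
cat > "$HOOK_DIR/pre-commit" << 'HOOK'
#!/bin/bash
# Pre-commit hook — scans staged files for secrets using gitleaks.
#
# Exit 0 lets the commit proceed; exit 1 blocks it.
# When gitleaks is missing the hook fails OPEN (warns, allows the commit)
# unless HOOK_REQUIRE_GITLEAKS=1 is set in the committing shell.
set -u

if ! command -v gitleaks >/dev/null 2>&1; then
  echo ""
  echo "⚠️  gitleaks is not installed"
  echo "   Install: brew install gitleaks (macOS)"
  echo "   Or: curl -sSL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_\$(uname -s)_\$(uname -m).tar.gz | sudo tar -xz -C /usr/local/bin gitleaks"
  echo ""
  if [[ "${HOOK_REQUIRE_GITLEAKS:-0}" == "1" ]]; then
    echo "❌ HOOK_REQUIRE_GITLEAKS=1 — commit blocked until gitleaks is installed"
    exit 1
  fi
  echo "⚠️  Skipping secret scan (set HOOK_REQUIRE_GITLEAKS=1 to block instead)"
  exit 0
fi

echo "🔒 Scanning for secrets..."

# Capture gitleaks' own output instead of discarding stderr: gitleaks uses a
# non-zero exit for both "findings" and "could not run" (bad config, unknown
# flag), so with output thrown away a broken scan looks exactly like a leak.
# Showing the output lets the committer tell the two apart.
status=0
output="$(gitleaks protect --staged --no-banner 2>&1)" || status=$?

if (( status == 0 )); then
  echo "✅ No secrets detected"
  exit 0
fi

echo ""
echo "❌ Secrets detected in staged changes — commit blocked"
echo "   (gitleaks exit status $status; if the output below is an error rather than"
echo "    a finding, fix the gitleaks setup — do not bypass the hook)"
echo ""
printf '%s\n' "$output"
echo ""
echo "   Details: gitleaks protect --staged --verbose"
echo "   Bypass:  git commit --no-verify"
echo ""
exit 1
HOOK

chmod +x -- "$HOOK_DIR/pre-commit"
# Report the resolved path: it is not necessarily .git/hooks (see HOOK_DIR).
echo "✅ Pre-commit hook installed ($HOOK_DIR/pre-commit)"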