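#!/usr/bin/env bash
# Pre-commit hook: refuse commits that stage plaintext files under secrets/.
#
# Every staged path under secrets/ (except submodule gitlinks, which have no
# blob to inspect) must either carry a SOPS marker — a column-0 'sops:' key in
# YAML or a "sops" key in JSON — or end in .age/.gpg. Staged paths are read
# NUL-delimited so names that git would otherwise quote/escape (spaces,
# non-ASCII, quotes) cannot slip past the check, and a staged path that cannot
# be read back from the index fails closed instead of being skipped.
set -euo pipefail

readonly SECRETS_PREFIX='secrets/'
readonly BLOCK_MSG="❌ Commit blocked: Unencrypted file(s) detected under secrets/.
Each file in secrets/ must be SOPS-encrypted (contain a top-level 'sops:' block).
Use 'sops <file>' to edit or 'sops --encrypt --in-place <file>' to encrypt."

#######################################
# Reports whether the content on stdin carries a SOPS metadata marker.
# Inputs:    file content on stdin
# Returns:   0 when a column-0 'sops:' YAML key or a "sops": JSON key is present
#######################################
has_sops_marker() {
  # Anchored at column 0 on purpose: an indented 'sops:' key nested inside
  # plaintext YAML is not SOPS metadata and must not count as encrypted.
  grep -qE '^sops:[[:space:]]*$|"sops"[[:space:]]*:'
}

#######################################
# Reports whether a path is exempt by extension (age/gpg ciphertext).
# Arguments: $1 - path
# Returns:   0 when exempt, 1 otherwise
#######################################
is_exempt_by_extension() {
  case "$1" in
    *.age|*.gpg) return 0 ;;
    *) return 1 ;;
  esac
}

#######################################
# Checks one staged path against the index (not the working tree).
# Prints a " - <path>[ (reason)]" line for every problem found.
# Arguments: $1 - path relative to the repository root
# Returns:   0 when acceptable, 1 when it must block the commit
#######################################
check_staged_path() {
  local path=$1
  local mode content

  # Submodules (gitlink mode 160000) have no blob to inspect; skip only those.
  mode=$(git ls-files --stage -- ":(literal)${path}" 2>/dev/null \
    | awk 'NR == 1 { print $1 }') || mode=''
  if [[ $mode == 160000 ]]; then
    return 0
  fi

  # Fail closed: a staged path we cannot read back is a problem, not a skip.
  if ! content=$(git show ":${path}" 2>/dev/null); then
    printf ' - %s (unreadable from index)\n' "$path"
    return 1
  fi
  if [[ -z $content ]]; then
    printf ' - %s (empty)\n' "$path"
    return 1
  fi
  # Here-string rather than echo: content is arbitrary data, not a format/flag.
  if has_sops_marker <<<"$content"; then
    return 0
  fi
  if is_exempt_by_extension "$path"; then
    return 0
  fi
  printf ' - %s\n' "$path"
  return 1
}

#######################################
# Entry point: scans staged added/copied/modified/renamed paths under secrets/.
# Outputs:   offending paths, then guidance, on stdout
# Returns:   exits 1 when any path must block the commit, 0 otherwise
#######################################
main() {
  local fail=0
  local path

  # -z gives NUL-terminated, unquoted paths; the pathspec pre-filters to
  # secrets/ and the [[ ]] guard re-checks the prefix defensively.
  while IFS= read -r -d '' path; do
    [[ $path == "${SECRETS_PREFIX}"* ]] || continue
    check_staged_path "$path" || fail=1
  done < <(git diff --cached --name-only --diff-filter=ACMR -z -- "$SECRETS_PREFIX")

  if (( fail )); then
    printf '\n%s\n\n' "$BLOCK_MSG"
    printf 'Tips:\n'
    printf '  • Edit with SOPS:   sops secrets/<file>.yaml\n'
    printf '  • Encrypt in place: sops --encrypt --in-place secrets/<file>.yaml\n'
    exit 1
  fi
  exit 0
}

main "$@"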
