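#!/usr/bin/env bash
# pre_commit_hook_install — installs a git pre-commit hook that invokes
# scan_secrets_in_dirty (and the app-drift audit) from the fn_registry tree.

#######################################
# Write the fn_registry pre-commit hook into <repo_dir>/.git/hooks/pre-commit.
#
# Arguments:
#   $1       - path to the git working tree (must contain .git/hooks)
#   --force  - replace an existing hook; the previous file is backed up first
# Outputs:
#   stdout: "INSTALLED <path>" or "SKIP <path> (already installed)"
#   stderr: diagnostics and the backup path
# Returns:
#   0 installed, or already installed and --force not given
#   1 missing argument or <repo_dir>/.git/hooks is not a directory
#   2 a hook that is not ours exists and --force was not given
#   3 the backup or the hook file could not be written
#
# Security notes for whoever relies on this hook:
#   * The hook is looked up only at <repo_dir>/.git/hooks. A repository that
#     sets core.hooksPath, or whose .git is a file (worktree / submodule), is
#     not handled here; the function then reports an invalid repo or writes a
#     hook git does not consult.
#   * The generated hook fails open: when no fn_registry root is found, or the
#     scanner script is absent, it exits 0 / skips the check and the commit
#     proceeds unscanned.
#   * The generated hook runs, with bash, a script located via FN_REGISTRY_ROOT
#     or via a registry.db found in the repo root or two/three levels above it.
#     Anyone able to write to that location decides what runs at commit time.
#   * A client-side hook can be skipped with `git commit --no-verify`; treat it
#     as a convenience, not as the only secrets control.
#######################################
pre_commit_hook_install() {
    local repo_dir="${1:-}"
    local force=0

    # An empty path would otherwise resolve to /.git/hooks.
    if [[ -z "$repo_dir" ]]; then
        echo "[pre_commit_hook_install] ERROR: uso: pre_commit_hook_install <repo_dir> [--force]" >&2
        return 1
    fi
    shift

    # Only --force is recognised; any other argument is ignored, as before.
    while [[ $# -gt 0 ]]; do
        case "$1" in
            --force) force=1 ;;
        esac
        shift
    done

    local hooks_dir="$repo_dir/.git/hooks"
    local hook_path="$hooks_dir/pre-commit"

    if [[ ! -d "$hooks_dir" ]]; then
        echo "[pre_commit_hook_install] ERROR: '$repo_dir' no es un repo git valido (falta .git/hooks)" >&2
        return 1
    fi

    if [[ -f "$hook_path" ]]; then
        # A v1 or v2 marker anywhere in the file identifies a hook we wrote.
        local ours=0
        if grep -qE "fn_registry-pre-commit-v[12]" "$hook_path"; then
            ours=1
        fi

        if (( ! force )); then
            if (( ours )); then
                echo "SKIP $hook_path (already installed)"
                return 0
            fi
            echo "[pre_commit_hook_install] ERROR: '$hook_path' existe y no es nuestro. Usa --force para sobreescribir." >&2
            return 2
        fi

        # --force: keep a copy of whatever is there, ours or not. A foreign
        # hook may be another team's check and must not vanish silently.
        local stamp backup n=0
        stamp="$(date +%s)" || return 3
        backup="$hook_path.bak.$stamp"
        # Two forced installs within the same second must not clobber the
        # earlier backup.
        while [[ -e "$backup" ]]; do
            n=$((n + 1))
            backup="$hook_path.bak.$stamp.$n"
        done
        if ! cp -p -- "$hook_path" "$backup"; then
            echo "[pre_commit_hook_install] ERROR: no se pudo crear el backup de '$hook_path'" >&2
            return 3
        fi
        echo "[pre_commit_hook_install] Backup: $backup" >&2
    fi

    # Quoted delimiter: the hook text is written literally, nothing is
    # expanded at install time. The closing HOOK must stay at column 0.
    if ! cat > "$hook_path" <<'HOOK'
#!/usr/bin/env bash
# fn_registry-pre-commit-v2
set -e

REPO_ROOT="$(git rev-parse --show-toplevel)"

# Localizar fn_registry root
REGISTRY_ROOT="${FN_REGISTRY_ROOT:-}"
if [ -z "$REGISTRY_ROOT" ]; then
    if [ -f "$REPO_ROOT/registry.db" ]; then
        REGISTRY_ROOT="$REPO_ROOT"
    elif [ -f "$REPO_ROOT/../../registry.db" ]; then
        REGISTRY_ROOT="$(cd "$REPO_ROOT/../.." && pwd)"
    elif [ -f "$REPO_ROOT/../../../registry.db" ]; then
        REGISTRY_ROOT="$(cd "$REPO_ROOT/../../.." && pwd)"
    fi
fi

if [ -z "$REGISTRY_ROOT" ] || [ ! -d "$REGISTRY_ROOT/bash/functions" ]; then
    echo "[pre-commit] fn_registry no localizable; saltando checks" >&2
    exit 0
fi

# Check 1: scan secrets
SECRETS_SH="$REGISTRY_ROOT/bash/functions/cybersecurity/scan_secrets_in_dirty.sh"
if [ -f "$SECRETS_SH" ]; then
    bash "$SECRETS_SH" "$REPO_ROOT"
fi

# Check 2: app uses_functions drift (only blocks if a touched app has drift)
DRIFT_SH="$REGISTRY_ROOT/bash/functions/infra/git_hook_audit_app_drift.sh"
if [ -f "$DRIFT_SH" ]; then
    FN_REGISTRY_ROOT="$REGISTRY_ROOT" bash "$DRIFT_SH" "$REPO_ROOT"
fi
HOOK
    then
        echo "[pre_commit_hook_install] ERROR: no se pudo escribir '$hook_path'" >&2
        return 3
    fi

    # git skips hooks that are not executable, so a failed chmod means the
    # hook is not actually active.
    if ! chmod +x "$hook_path"; then
        echo "[pre_commit_hook_install] ERROR: no se pudo escribir '$hook_path'" >&2
        return 3
    fi

    echo "INSTALLED $hook_path"
    return 0
}

# Run only when executed directly, not when sourced.
if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
    pre_commit_hook_install "$@"
fi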