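#!/usr/bin/env sh
# Pre-commit gates — fast checks only. Slow checks (full conformance, full
# test, full typecheck) stay in CI.
#
# Every gate aborts the commit with a non-zero exit on failure. Steps that
# auto-stage generated files (3 and 6) run BEFORE the secret scan (7), so the
# scan also covers content this hook adds to the index; keep that order when
# adding new steps.
#
# NOTE(review): client-side hooks can be skipped (`git commit --no-verify`) and
# step 7 is skipped when gitleaks is not installed, so treat this hook as a
# fast local check and make sure CI runs the same secret scan as the enforcing
# control.

# 1. lint-staged: format + lint staged files.
pnpm exec lint-staged || exit 1

# 2. Stamp the `updated:` frontmatter field on every staged docs/work/ md file.
node scripts/work/bump-updated-timestamps.mjs || exit 1

# 3. If any docs/work/ markdown is staged, regenerate _state.json + re-stage it.
#    A failed rebuild must stop the commit; otherwise a stale or partially
#    written _state.json would be staged by the `git add` below.
if git diff --cached --name-only | grep -qE '^docs/work/.*\.md$'; then
  pnpm work rebuild-state || exit 1
  git add -- docs/work/_system/_state.json || exit 1
fi

# 4. Run the state-sync guard: refuses to commit if _state.json is staged but
#    doesn't match what rebuild-state would produce. Catches the case where
#    someone hand-edits _state.json without going through rebuild-state.
node scripts/work/state-sync-guard.mjs || exit 1

# 5. Check library decision traces for new runtime deps in feature/core packages.
node scripts/library-decisions/check.mjs || exit 1

# 6. If any staged file touches Payload configs, library traces, or compliance
#    artifacts, regenerate compliance YAMLs and auto-stage them.
#    `git add compliance/` stages everything under that directory, including
#    files the author did not stage by hand; the secret scan in step 7 is what
#    inspects that content before it is committed.
if git diff --cached --name-only |
  grep -qE '^(packages/[^/]+/src/integrations/cms/|docs/library-decisions/|compliance/)'; then
  pnpm compliance:emit-all || exit 1
  git add -- compliance/ || exit 1
fi

# 7. Scan staged changes for secrets (skip gracefully if gitleaks is not
#    installed). --redact keeps matched secret values out of the hook output.
#    NOTE(review): newer gitleaks releases deprecate `protect` in favor of the
#    `git` subcommand — confirm against the version the team installs.
if command -v gitleaks > /dev/null 2>&1; then
  gitleaks protect --staged --redact || exit 1
else
  # Fail-open by design; the warning goes to stderr so it is not mistaken for
  # normal hook output.
  printf '%s\n' 'gitleaks not found in $PATH — skipping secret scan (install via brew install gitleaks or https://github.com/gitleaks/gitleaks)' >&2
fi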