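#!/bin/sh
# BeaverScan Pre-Commit Hook with Baseline Comparison
#
# This hook runs BeaverScan security scanning on staged files with baseline comparison.
# It only fails on NEW critical/high severity issues, allowing existing issues to pass.
#
# Installation:
#   beaverscan install-hook pre-commit-baseline
#
# Or manually:
#   cp templates/git-hooks/pre-commit-baseline .git/hooks/pre-commit
#   chmod +x .git/hooks/pre-commit
#
# Requirements:
#   - Baseline file (.beaverscan-baseline.json) must exist
#   - Run 'beaverscan scan . --baseline' to create it
#
# Note: a client-side hook can be skipped with 'git commit --no-verify', so this is a
# developer convenience check rather than an enforcement point. If the baseline policy
# must be enforced, run the same scan in CI or a server-side hook as well.

# Exit immediately if a command exits with a non-zero status
set -e

# Baseline file, resolved relative to the repository root (see the cd below).
readonly BASELINE_FILE=".beaverscan-baseline.json"

#######################################
# Print the horizontal rule that frames the hook's output.
# Outputs: one rule line to stdout
#######################################
print_rule() {
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
}

#######################################
# Run a BeaverScan scan of the staged files.
# Arguments: extra scan flags (e.g. --compare-baseline); may be empty
# Outputs:   the scanner's report on stdout (stderr is folded into stdout so
#            the report reads as a single stream in the git client)
# Returns:   the scanner's exit status
#######################################
run_scan() {
    beaverscan scan . --incremental --git-diff-mode staged "$@" --cache 2>&1
}

echo "🦫 BeaverScan Pre-Commit Hook (Baseline Mode)"
print_rule

# Check if beaverscan is installed
if ! command -v beaverscan >/dev/null 2>&1; then
    echo "❌ Error: BeaverScan CLI is not installed"
    echo "   Install: npm install -g @beaverscan/cli"
    print_rule
    exit 1
fi

# Check if we're in a git repository
if ! git rev-parse --git-dir >/dev/null 2>&1; then
    echo "❌ Error: Not a git repository"
    exit 1
fi

# git runs pre-commit from the working-tree root, but pin it explicitly so the
# relative baseline path does not depend on the caller's cwd (e.g. when the hook
# is invoked by hand). Assign first so a failed substitution cannot turn into a
# bare 'cd' to an empty path.
repo_root=$(git rev-parse --show-toplevel) || exit 1
cd "$repo_root" || exit 1

# Check if baseline exists; without it, fall back to a plain scan of the staged files.
if [ ! -f "$BASELINE_FILE" ]; then
    echo "⚠️  Warning: No baseline file found ($BASELINE_FILE)"
    echo ""
    echo "Run this command to create a baseline:"
    echo "  beaverscan scan . --baseline"
    echo ""
    echo "For now, running scan without baseline comparison..."
    echo ""

    # Capture the scanner's status without tripping 'set -e', then report.
    rc=0
    run_scan || rc=$?
    echo ""
    print_rule
    if [ "$rc" -eq 0 ]; then
        echo "✅ Security scan passed (no baseline comparison)"
    else
        echo "❌ Security scan failed!"
    fi
    print_rule
    exit "$rc"
fi

echo "📝 Scanning staged files with baseline comparison..."
echo ""

# Run BeaverScan with incremental scanning + baseline comparison
# Only fails on NEW critical/high severity issues
rc=0
run_scan --compare-baseline || rc=$?
echo ""
print_rule
if [ "$rc" -eq 0 ]; then
    echo "✅ Security scan passed!"
    echo ""
    echo "No new critical/high severity issues detected."
    print_rule
    exit 0
fi

echo "❌ Security scan failed!"
echo ""
echo "NEW critical or high severity issues detected in staged files."
echo ""
echo "Options:"
echo "  1. Fix the NEW security issues and try again"
echo "  2. Review the comparison report above"
echo "  3. Skip this hook with: git commit --no-verify (not recommended)"
echo ""
echo "Note: Existing issues from baseline are allowed to pass."
print_rule
exit "$rc"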
