#!/bin/sh
# =============================================================================
# Pre-commit hook: Secret Scanner
# STATUS: DISABLED — to re-enable, remove the early exit below and uncomment the body
# =============================================================================

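# Hook is switched off: nothing below this stanza runs and no staged content
# is inspected. The notice goes to stderr so a disabled scan is visible at
# commit time instead of being mistaken for a passed one.
printf '%s\n' 'pre-commit: secret scan is DISABLED; staged files were not checked' >&2
exit 0

# -----------------------------------------------------------------------------
# DISABLED IMPLEMENTATION — re-enable when needed
# To re-enable: delete the early-exit stanza above, then uncomment the lines
# below. Review notes are written as "# # NOTE(review)" so they stay comments
# after uncommenting. A pre-commit hook is client-side and can be skipped
# (git commit --no-verify), so keep a CI or server-side scan as the enforcing
# control.
# -----------------------------------------------------------------------------
# echo "Scanning staged env template files for secrets..."
#
# FAILED=0
#
# # NOTE(review): only staged paths ending in .env.example or .env.local are
# # scanned (railway.env.example is already matched by the first alternative);
# # secrets staged in any other file are outside this hook's scope.
# STAGED_FILES=$(git diff --cached --name-only | grep -E "(\.env\.example|\.env\.local|railway\.env\.example)$")
#
# if [ -z "$STAGED_FILES" ]; then
#   echo "OK: No env template files staged."
#   exit 0
# fi
#
# # NOTE(review): the unquoted $STAGED_FILES is split on whitespace, so a path
# # containing a space is broken into pieces that usually fail the -f test and
# # are skipped. The -f test also looks at the working tree while the content
# # is read from the index, so a staged file that is missing on disk is skipped.
# for FILE in $STAGED_FILES; do
#   if [ ! -f "$FILE" ]; then
#     continue
#   fi
#
#   echo "  Checking: $FILE"
#   # NOTE(review): stderr is discarded and the exit status is not checked; if
#   # git show fails, CONTENT is empty and every check below passes.
#   CONTENT=$(git show ":$FILE" 2>/dev/null)
#
#   # ---- AWS Access Key ----
#   # NOTE(review): matches AKIA access key IDs only; the secret access key
#   # itself and other key-ID prefixes are not covered by this pattern.
#   if echo "$CONTENT" | grep -qE "AKIA[0-9A-Z]{16}"; then
#     echo "BLOCKED: Real AWS Access Key found in $FILE"
#     FAILED=1
#   fi
#
#   # ---- Firebase / RSA Private Key ----
#   # NOTE(review): grep -c prints "0" and exits 1 when nothing matches, so
#   # "|| echo 0" adds a second "0" and the variable holds two lines. The
#   # numeric tests below then fail with a non-integer error and evaluate
#   # false, so a key in a file with no placeholder word is NOT blocked. Drop
#   # the "|| echo 0" fallback (or switch to grep -q) before relying on this.
#   # Also: "BEGIN PRIVATE KEY" does not match "BEGIN RSA PRIVATE KEY" headers,
#   # and the placeholder words are searched across the whole file, so one
#   # "example" anywhere suppresses the check.
#   HAS_PRIVKEY=$(echo "$CONTENT" | grep -c "BEGIN PRIVATE KEY" 2>/dev/null || echo 0)
#   HAS_PLACEHOLDER=$(echo "$CONTENT" | grep -ciE "YOUR_PRIVATE_KEY_HERE|change.me|placeholder|example|fake|dummy" 2>/dev/null || echo 0)
#   if [ "$HAS_PRIVKEY" -gt 0 ] && [ "$HAS_PLACEHOLDER" -eq 0 ]; then
#     echo "BLOCKED: Real private key found in $FILE"
#     FAILED=1
#   fi
#
#   # ---- Google OAuth Client Secret ----
#   if echo "$CONTENT" | grep -qE "GOCSPX-[a-zA-Z0-9_-]{20,}"; then
#     echo "BLOCKED: Real Google OAuth secret found in $FILE"
#     FAILED=1
#   fi
#
#   # ---- Razorpay Live Key ----
#   if echo "$CONTENT" | grep -qE "rzp_live_[a-zA-Z0-9]{10,}"; then
#     echo "BLOCKED: Real Razorpay LIVE key found in $FILE"
#     FAILED=1
#   fi
#
#   # ---- Razorpay Test Key (only if not a placeholder) ----
#   # NOTE(review): the placeholder exemption is file-wide: one "rzp_test_your"
#   # line exempts every other rzp_test_ value in the same file.
#   if echo "$CONTENT" | grep -qE "rzp_test_[a-zA-Z0-9]{10,}"; then
#     if ! echo "$CONTENT" | grep -q "rzp_test_your"; then
#       echo "BLOCKED: Real Razorpay TEST key found in $FILE"
#       FAILED=1
#     fi
#   fi
#
#   # ---- Twilio Account SID ----
#   # NOTE(review): the trailing [^0-9a-f] needs a character after the SID, so
#   # a SID that ends its line is not matched. The placeholder exemption is
#   # file-wide here as well.
#   if echo "$CONTENT" | grep -qE "AC[0-9a-f]{32}[^0-9a-f]"; then
#     if ! echo "$CONTENT" | grep -qE "ACxx|AC0000|ACxxxxxxx"; then
#       echo "BLOCKED: Real Twilio SID found in $FILE"
#       FAILED=1
#     fi
#   fi
#
# done
#
# if [ "$FAILED" -eq 1 ]; then
#   echo ""
#   echo "COMMIT BLOCKED: Real credentials found in env template files!"
#   echo "  Fix: Replace real values with placeholders like 'your-key-here'"
#   echo "  Then: rotate any exposed credentials immediately!"
#   exit 1
# fi
#
# echo "OK: Secret scan passed."
# exit 0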
