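#!/bin/bash
# DSS Immutability Guard - Simplified Version
# Protects core principle files from accidental modification.
#
# Runs as a git pre-commit hook (git sets the cwd to the repository root).
# Exit status: 0 when every check passes, 1 when the commit must be blocked.
#
# Environment overrides (read only, never written):
#   ALLOW_CORE_CHANGES=true  - permit commits that touch PROTECTED_FILES
#   ALLOW_FIGMA_SYNC=true    - permit commits that touch DSS_CORE_PATHS
#
# SECURITY NOTE: this is a client-side hook. Anyone can skip it with
# `git commit --no-verify` (this script even prints that hint) or by
# exporting the override variables above, so it protects against
# *accidental* edits only. The same hash verification has to run on the
# server side (CI / branch protection) to be an actual control.

# A failing stage in a pipeline should not be masked by a later `grep`/`cut`.
set -o pipefail

echo "🛡️ DSS Immutability Check..."

# List of protected files (core principles and config) - matched EXACTLY
PROTECTED_FILES=(
  ".knowledge/dss-principles.json"
  ".knowledge/dss-architecture.json"
  ".clauderc"
  "PROJECT_CONFIG.md"
  ".dss/config/figma.json"
)

# DSS Core Structure - ONLY modifiable by Figma sync - matched as PATH PREFIXES
# These paths require ALLOW_FIGMA_SYNC=true to modify
DSS_CORE_PATHS=(
  ".dss/data/_system/"
  ".dss/schema/"
  "dss-claude-plugin/core/skins/"
  "dss/core_tokens/"
)

# sha256 manifest of the DSS core files, in `sha256sum` format ("<hash>  <path>")
HASH_FILE=".dss/core-hashes.sha256"

# ---------------------------------------------------------------------------
# Collect the staged paths ONCE, NUL-delimited (-z) so unusual file names
# cannot hide from the matching below: with the default output, a name that
# contains control characters is printed C-quoted and would never match a
# prefix such as ".dss/schema/".
# --no-renames: with rename detection, `git mv .clauderc other` would be
# listed only under the new name and slip past the exact-match check; without
# it both the deletion and the addition are listed.
# If git itself cannot be queried we do not know what is staged - fail closed.
# ---------------------------------------------------------------------------
staged_list=$(mktemp) || { echo "❌ Cannot create a temporary file; refusing to commit."; exit 1; }
trap 'rm -f -- "$staged_list"' EXIT

if ! git diff --cached --name-only --no-renames -z > "$staged_list"; then
  echo "❌ Unable to read the staged changes from git; refusing to commit."
  exit 1
fi

STAGED_FILES=()
while IFS= read -r -d '' staged; do
  STAGED_FILES+=("$staged")
done < "$staged_list"

# is_staged PATH -> returns 0 when PATH is exactly one of the staged paths.
is_staged() {
  local candidate
  for candidate in "${STAGED_FILES[@]}"; do
    [ "$candidate" = "$1" ] && return 0
  done
  return 1
}

# ---------------------------------------------------------------------------
# Protected files: exact match. The previous `grep "^${file}$"` treated the
# dots in these names as regex wildcards.
# ---------------------------------------------------------------------------
MODIFIED_PROTECTED=()
for file in "${PROTECTED_FILES[@]}"; do
  if is_staged "$file"; then
    MODIFIED_PROTECTED+=("$file")
  fi
done

# If protected files are modified, require explicit opt-in via the environment
if [ ${#MODIFIED_PROTECTED[@]} -gt 0 ]; then
  echo ""
  echo "⚠️  WARNING: You are modifying protected core files:"
  for file in "${MODIFIED_PROTECTED[@]}"; do
    echo "  - $file"
  done
  echo ""
  echo "These files define DSS core architecture and should rarely change."
  echo ""
  echo "To proceed with this commit, set: ALLOW_CORE_CHANGES=true"
  echo "Example: ALLOW_CORE_CHANGES=true git commit -m 'your message'"
  echo ""

  # Check if user has explicitly allowed the change
  if [ "${ALLOW_CORE_CHANGES:-}" != "true" ]; then
    echo "❌ Commit blocked. Set ALLOW_CORE_CHANGES=true to proceed."
    exit 1
  fi

  echo "✅ ALLOW_CORE_CHANGES=true detected. Proceeding with commit."
fi

# ---------------------------------------------------------------------------
# DSS core paths (Figma sync only): prefix match on every staged path.
# Iteration is prefix-major, so the report is grouped by protected path.
# ---------------------------------------------------------------------------
MODIFIED_DSS_CORE=()
for path in "${DSS_CORE_PATHS[@]}"; do
  for staged in "${STAGED_FILES[@]}"; do
    if [[ "$staged" == "$path"* ]]; then
      MODIFIED_DSS_CORE+=("$staged")
    fi
  done
done

if [ ${#MODIFIED_DSS_CORE[@]} -gt 0 ]; then
  echo ""
  echo "🔒 DSS CORE STRUCTURE PROTECTION"
  echo "   The following paths can ONLY be modified via Figma sync:"
  for file in "${MODIFIED_DSS_CORE[@]}"; do
    echo "     - $file"
  done
  echo ""
  echo "   Source of truth: Figma → DSS Pipeline → These files"
  echo ""
  echo "   To proceed (Figma sync only): ALLOW_FIGMA_SYNC=true"
  echo ""

  if [ "${ALLOW_FIGMA_SYNC:-}" != "true" ]; then
    echo "❌ Commit blocked. DSS core structure is Figma-sync only."
    exit 1
  fi

  echo "✅ ALLOW_FIGMA_SYNC=true detected. Proceeding with Figma sync commit."

  # The sync is expected to regenerate and stage the manifest together with
  # the files; a stale manifest is caught by the hash verification below.
  if ! is_staged "$HASH_FILE"; then
    echo ""
    echo "⚠️  WARNING: core-hashes.sha256 not updated!"
    echo "   Figma sync should regenerate: .dss/core-hashes.sha256"
    echo "   Run: scripts/regenerate-core-hashes.sh"
  fi
fi

# ---------------------------------------------------------------------------
# Hash verification for DSS core files.
#
# We only get here with core files staged when ALLOW_FIGMA_SYNC=true (any
# other case exited above). The previous version additionally required
# ALLOW_FIGMA_SYNC != true before recording a failure, which could therefore
# never be true - the check always "passed". The meaningful invariant at this
# point is: the manifest that will be committed must match the content that
# will be committed. So the manifest is read from the index when it is staged
# (falling back to the working copy), and the staged blob of each core file
# is hashed against it.
# ---------------------------------------------------------------------------
if [ ${#MODIFIED_DSS_CORE[@]} -gt 0 ]; then
  if ! manifest=$(git show ":${HASH_FILE}" 2>/dev/null); then
    if [ -f "$HASH_FILE" ]; then
      manifest=$(<"$HASH_FILE")
    else
      manifest=""
    fi
  fi

  if [ -z "$manifest" ]; then
    echo ""
    echo "⚠️  WARNING: ${HASH_FILE} not found; DSS core file hashes cannot be verified."
  else
    echo ""
    echo "🔐 Verifying DSS core file hashes..."
    HASH_FAILURES=()
    for file in "${MODIFIED_DSS_CORE[@]}"; do
      # Look the path up in the manifest with plain string comparison - no
      # regex, so dots, brackets and backslashes in paths are literal.
      EXPECTED=""
      while IFS= read -r line; do
        entry="${line#* }"     # drop the hash
        entry="${entry# }"     # sha256sum separates hash and name with two spaces
        entry="${entry#\*}"    # binary-mode marker, if the manifest used one
        if [ "$entry" = "$file" ]; then
          EXPECTED="${line%% *}"
          break
        fi
      done <<<"$manifest"

      # A core file absent from the manifest cannot be verified; it is skipped,
      # as before. Presumably the sync script lists every core file - confirm.
      if [ -z "$EXPECTED" ]; then
        continue
      fi

      # Hash the STAGED blob (what will be committed), not the working copy.
      # A file staged for deletion has no blob, hashes as empty and mismatches.
      ACTUAL=$(git show ":${file}" 2>/dev/null | sha256sum | cut -d' ' -f1)
      if [ "$EXPECTED" != "$ACTUAL" ]; then
        HASH_FAILURES+=("$file")
      fi
    done

    if [ ${#HASH_FAILURES[@]} -gt 0 ]; then
      echo "❌ Hash verification failed for:"
      for file in "${HASH_FAILURES[@]}"; do
        echo "   - $file"
      done
      echo ""
      echo "   These files have been modified outside Figma sync pipeline."
      echo "   Revert changes or run Figma sync to update properly."
      exit 1
    fi

    echo "✅ Hash verification passed."
  fi
fi

echo "✅ Immutability check passed."
echo ""

# ---------------------------------------------------------------------------
# Run DSS code quality verification (optional: skipped when the script is absent)
# ---------------------------------------------------------------------------
echo "🔍 Running DSS Code Quality Checks..."

if [ -f "./scripts/verify-quality.sh" ]; then
  if ! ./scripts/verify-quality.sh; then
    echo ""
    echo "❌ Code quality checks failed. Please fix the errors above."
    echo "To bypass (not recommended): git commit --no-verify"
    exit 1
  fi
else
  echo "⚠️  Warning: scripts/verify-quality.sh not found, skipping quality checks"
fi

# ---------------------------------------------------------------------------
# Run Python validation hook (documentation, schemas, terminology)
# ---------------------------------------------------------------------------
echo ""
echo "📚 Running Documentation & Schema Checks..."

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

if [ -f "${SCRIPT_DIR}/pre-commit-python" ]; then
  if ! python3 "${SCRIPT_DIR}/pre-commit-python"; then
    echo ""
    echo "❌ Validation checks failed. Please fix the errors above."
    echo "To bypass (not recommended): git commit --no-verify"
    exit 1
  fi
# Fallback: a Python hook installed directly as .git/hooks/pre-commit.
# NOTE(review): if THIS script is installed at that path, `file` reports a
# shell script and the branch is skipped; if `file` is not installed, the
# pipeline fails and the branch is skipped silently - confirm that is intended.
elif [ -f ".git/hooks/pre-commit" ] && file ".git/hooks/pre-commit" | grep -q Python; then
  if ! python3 ".git/hooks/pre-commit"; then
    echo "❌ Python validation checks failed."
    exit 1
  fi
fi

echo ""
echo "✅ All pre-commit checks passed!"
exit 0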