#!/bin/bash
# Generated by goneat hooks generate
# Schema-compliant hook template (bash)

set -euo pipefail

# Establish repository root for reliable relative paths
REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || pwd)

# Resolve goneat home for ephemeral artifacts (reports/cache/tmp)
# Repo .goneat/ is static-only; do not write reports here.
GONEAT_HOME="${GONEAT_HOME:-$HOME/.goneat}"
export GONEAT_HOME

# Detect dev mode: enabled if $REPO_ROOT/.goneat/dev-mode exists or env is set
DEV_MODE=0
if [ -f "$REPO_ROOT/.goneat/dev-mode" ] || [ "${GONEAT_DEV_MODE:-0}" = "1" ]; then
  DEV_MODE=1
fi

echo "🚀 Running goneat pre-push validation..."

# Robust binary discovery (prefer repo build first, then PATH/common locations)
find_goneat_bin() {
  if [ -x "$REPO_ROOT/dist/goneat" ]; then
    echo "$REPO_ROOT/dist/goneat"
    return 0
  fi
  local candidates=(
    "$HOME/go/bin/goneat"
    "/opt/homebrew/bin/goneat"
    "/usr/local/bin/goneat"
    "$HOME/.local/bin/goneat"
    "$HOME/.goneat/bin/goneat"
    "goneat"
  )
  for c in "${candidates[@]}"; do
    if [ -x "$c" ] || command -v "$c" >/dev/null 2>&1; then
      echo "$c"
      return 0
    fi
  done
  return 1
}

GONEAT_BIN=""
if BIN=$(find_goneat_bin); then
  GONEAT_BIN="$BIN"
fi

if [ -z "$GONEAT_BIN" ]; then
  if [ "$DEV_MODE" = "1" ]; then
    echo "⚠️  goneat not found (dev mode). Using fallback validation"
    echo "Skipping validation - goneat not available"
    exit 0
  else
    echo "❌ goneat CLI not found. Pre-push validation requires goneat."
    echo "👉 Install options:"
    echo "   - Go:   go install github.com/fulmenhq/goneat@latest   (ensure \$GOPATH/bin in \$PATH)"
    echo "   - Brew: brew install 3leaps/tap/goneat                (macOS, if tap available)"
    echo "   - Releases: https://github.com/fulmenhq/goneat/releases"
    echo "🔎 Searched: $REPO_ROOT/dist, $HOME/go/bin, /opt/homebrew/bin, /usr/local/bin, $HOME/.local/bin, $HOME/.goneat/bin"
    echo "💡 Tip: export PATH=\"$HOME/go/bin:$HOME/.local/bin:$PATH\""
    exit 1
  fi
fi

# Guardian enforcement for protected git push operations
REMOTE_NAME="${1:-}"
REMOTE_URL="${2:-}"
CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "")
GUARDIAN_SCOPE="git"
GUARDIAN_OPERATION="push"

GUARDIAN_ARGS=("$GONEAT_BIN" guardian check "$GUARDIAN_SCOPE" "$GUARDIAN_OPERATION")
if [ -n "$CURRENT_BRANCH" ]; then
  GUARDIAN_ARGS+=("--branch" "$CURRENT_BRANCH")
fi
if [ -n "$REMOTE_NAME" ]; then
  GUARDIAN_ARGS+=("--remote" "$REMOTE_NAME")
elif [ -n "$REMOTE_URL" ]; then
  GUARDIAN_ARGS+=("--remote" "$REMOTE_URL")
fi

# Pass push context for display
if [ -n "$REMOTE_NAME" ] && [ -n "$CURRENT_BRANCH" ]; then
  GUARDIAN_ARGS+=("--" "$REMOTE_NAME" "$CURRENT_BRANCH")
else
  GUARDIAN_ARGS+=("--" "<remote>" "<branch>")
fi

if ! "${GUARDIAN_ARGS[@]}"; then
  echo ""
  echo "❌ Operation blocked by guardian"
  echo "🔐 Approval required for: ${GUARDIAN_SCOPE} ${GUARDIAN_OPERATION}"
  if [ -n "$CURRENT_BRANCH" ]; then
    echo "   • Branch: $CURRENT_BRANCH"
  fi
  if [ -n "$REMOTE_NAME" ]; then
    echo "   • Remote: $REMOTE_NAME"
  elif [ -n "$REMOTE_URL" ]; then
    echo "   • Remote URL: $REMOTE_URL"
  fi
  echo "   • Risk level: critical"
  echo "   • Method: browser"
  echo "   • Approval expires in: 15m0s"
  echo "📝 A reason is required when approving this operation."
  echo ""
  echo "Wrap your git push with guardian approval to proceed:"
  if [ -n "$REMOTE_NAME" ] && [ -n "$CURRENT_BRANCH" ]; then
    echo "  $GONEAT_BIN guardian approve $GUARDIAN_SCOPE $GUARDIAN_OPERATION -- git push \"$REMOTE_NAME\" \"$CURRENT_BRANCH\""
  else
    echo "  $GONEAT_BIN guardian approve $GUARDIAN_SCOPE $GUARDIAN_OPERATION -- git push <remote> <branch>"
  fi
  echo "Once approved, the push runs automatically under guardian supervision."
  exit 1
fi

echo "✅ Guardian approval satisfied"

# Use goneat's orchestrated assessment (manifest-driven)
"$GONEAT_BIN" assess --hook pre-push --hook-manifest "$REPO_ROOT/.goneat/hooks.yaml" --package-mode

echo "✅ Pre-push validation passed!"}
