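#!/usr/bin/env bash
# Secret-leak scanner for the git-tracked files of Montana.
#
# For every named entry in PATTERNS, searches each tracked file (minus the
# allow-listed paths and the binary extensions) for the literal string.
# Exit status: 0 only when no pattern matched AND every scan completed;
# 1 when a pattern matched, a scan failed, or no git work tree was found.
set -u

# Resolve the repository root separately from `cd`: when `git rev-parse` fails
# its output is empty, and bash can treat `cd ""` as a successful no-op, which
# would let the scan continue outside a repository and report "clean".
repo_root=$(git rev-parse --show-toplevel 2>/dev/null) || repo_root=''
if [[ -z "$repo_root" ]] || ! cd -- "$repo_root"; then
  echo "git repo нужен"
  exit 1
fi

FAIL=0    # number of patterns found in at least one file
ERRORS=0  # number of patterns whose scan did not complete
GREEN='\033[0;32m'; RED='\033[0;31m'; NC='\033[0m'

# NOTE(review): the value below is a plaintext key labelled "active". Keeping
# it in a tracked file discloses it to everyone who can read the repository,
# and if this script is tracked outside the allow-listed paths it will match
# its own pattern. Prefer loading patterns from an untracked,
# access-restricted file, and treat any value already committed as exposed
# (rotate it).
declare -A PATTERNS=(
  ["Reality privateKey (FI active)"]="cL7D6FCqH5nWcQlHCKH9uNr-RNwCt5peRAqt8tl9mXs"
)

# Paths matching ALLOWED are never scanned. Both are extended regexes applied
# to the repository-relative path.
ALLOWED='External-Audit/|/memory/'
BINARY_EXT='\.(png|jpg|jpeg|gif|pdf|zip|tar|gz|bin|so|dylib)$'

# Build the candidate list NUL-delimited so that names containing spaces,
# quotes or newlines reach grep intact instead of being split or dropped.
files=()
while IFS= read -r -d '' path; do
  [[ "$path" =~ $ALLOWED ]] && continue
  [[ "$path" =~ $BINARY_EXT ]] && continue
  # Tracked entries that are not regular files in the work tree (deleted
  # files, submodule directories) cannot be grepped; skipping them here means
  # any remaining grep error is a real one.
  [[ -f "$path" ]] || continue
  files+=("$path")
done < <(git ls-files -z)

for name in "${!PATTERNS[@]}"; do
  pat="${PATTERNS[$name]}"
  hits=''
  rc=0
  if (( ${#files[@]} > 0 )); then
    # -e/-- keep a pattern or path that starts with '-' from being parsed as
    # a grep option. The wrapper maps grep's "no match" (1) to success so
    # that xargs returns non-zero only when some batch really failed (>= 2).
    hits=$(printf '%s\0' "${files[@]}" |
      xargs -0 sh -c 'grep -lF -e "$0" -- "$@"; [ "$?" -le 1 ]' "$pat")
    rc=$?
  fi

  if [[ -n "$hits" ]]; then
    printf '%b✗%b %s — обнаружены утечки:\n' "$RED" "$NC" "$name"
    # Only the first 10 matching paths are listed.
    printf '%s\n' "$hits" | head -n 10 | sed 's/^/ /'
    FAIL=$((FAIL + 1))
  fi

  if (( rc != 0 )); then
    # Fail closed: an incomplete scan must never be reported as clean.
    printf '%b✗%b %s — ошибка сканирования (xargs/grep rc=%s)\n' \
      "$RED" "$NC" "$name" "$rc" >&2
    ERRORS=$((ERRORS + 1))
  elif [[ -z "$hits" ]]; then
    printf '%b✓%b %s — чисто\n' "$GREEN" "$NC" "$name"
  fi
done

if (( FAIL == 0 && ERRORS == 0 )); then
  printf '%b=== СЕКРЕТЫ НЕ УТЕКЛИ ===%b\n' "$GREEN" "$NC"
  exit 0
fi

if (( FAIL > 0 )); then
  printf '%b=== УТЕЧКИ: %s паттернов ===%b\n' "$RED" "$FAIL" "$NC"
fi
if (( ERRORS > 0 )); then
  printf '%b=== ОШИБКИ СКАНИРОВАНИЯ: %s паттернов ===%b\n' \
    "$RED" "$ERRORS" "$NC" >&2
fi
exit 1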