#!/usr/bin/env bash
#
# Literal Security — git pre-commit hook installer
# Run from the root of any git repo:
#   curl -fsSL https://literalsec.com/install-git-hook.sh | bash
#
# Or, with the token pre-set:
#   LITERALSEC_TOKEN=lsec_... bash <(curl -fsSL https://literalsec.com/install-git-hook.sh)

set -e

# STATIC_URL is the marketing host where /git-hook.js + /install-git-hook.sh
# live — not the API host. The hook itself, once installed, calls /v1/* on a
# separate API host (see git-hook.js, which reads LITERALSEC_API_URL there).
STATIC_URL="${LITERALSEC_STATIC_URL:-${LITERALSEC_API_URL:-https://literalsec.com}}"
TOKEN_FILE="${HOME}/.literalsec/token"

# 1. Verify environment
if ! command -v git >/dev/null 2>&1; then
  echo "✗ git is not installed. Aborting." >&2
  exit 1
fi
if ! command -v node >/dev/null 2>&1; then
  echo "✗ node is not installed. The hook is a small node script (Node 18+ required for fetch)." >&2
  exit 1
fi
NODE_MAJOR=$(node -e 'process.stdout.write(String(process.versions.node.split(".")[0]))')
if [ "$NODE_MAJOR" -lt 18 ]; then
  echo "✗ Node 18+ required (you have $(node -v)). The hook uses the built-in fetch." >&2
  exit 1
fi
if [ ! -d ".git" ] && ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "✗ Not inside a git repo. Run this from the root of your project." >&2
  exit 1
fi
GIT_DIR="$(git rev-parse --git-dir)"
HOOK_PATH="${GIT_DIR}/hooks/pre-commit"

# 2. Get token
if [ -z "${LITERALSEC_TOKEN:-}" ] && [ ! -s "${TOKEN_FILE}" ]; then
  echo "Paste your Literal Security project token (from https://app.literalsec.com/dashboard):"
  read -r -s -p "> " LITERALSEC_TOKEN
  echo
fi
if [ -n "${LITERALSEC_TOKEN:-}" ]; then
  mkdir -p "$(dirname "$TOKEN_FILE")"
  printf '%s\n' "$LITERALSEC_TOKEN" > "$TOKEN_FILE"
  chmod 600 "$TOKEN_FILE"
  echo "✓ Token saved to ${TOKEN_FILE} (chmod 600)"
elif [ -s "$TOKEN_FILE" ]; then
  echo "✓ Using existing token at ${TOKEN_FILE}"
else
  echo "✗ No token provided. Aborting." >&2
  exit 1
fi

# 3. Don't clobber an existing hook silently
if [ -f "$HOOK_PATH" ]; then
  if ! grep -q "Literal Security" "$HOOK_PATH" 2>/dev/null; then
    BACKUP="${HOOK_PATH}.literalsec-backup-$(date +%s)"
    echo "  Existing pre-commit hook found — backing up to ${BACKUP}"
    mv "$HOOK_PATH" "$BACKUP"
  fi
fi

# 4. Install the hook
mkdir -p "$(dirname "$HOOK_PATH")"
if ! curl -fsSL "${STATIC_URL}/git-hook.js" > "$HOOK_PATH.tmp"; then
  echo "✗ Failed to download hook from ${STATIC_URL}/git-hook.js" >&2
  rm -f "$HOOK_PATH.tmp"
  exit 1
fi
mv "$HOOK_PATH.tmp" "$HOOK_PATH"
chmod +x "$HOOK_PATH"

echo "✓ Installed ${HOOK_PATH}"
echo ""
echo "Your next \`git commit\` will scan staged source files (.ts .tsx .js .py .go .rs .java .rb .php .sql ...)."
echo ""
echo "Useful commands:"
echo "  Bypass for one commit:   LITERALSEC_SKIP=1 git commit -m '...'"
echo "  Bypass all pre-commit:   git commit --no-verify -m '...'"
echo "  Uninstall:               rm ${HOOK_PATH}"
echo "  Update hook:             curl -fsSL ${STATIC_URL}/install-git-hook.sh | bash"