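#!/usr/bin/env bash
# Release guard checks for secrets, hardcoded colors, and client-side token/API drift.
#
# Runs three audits from the repository root and exits non-zero as soon as one
# of them reports a finding or cannot be executed:
#   1. Secret scan  - delegates to secret-scan-repo.sh (shared copy if present,
#                     otherwise the copy under scripts/ in this repository).
#   2. Color audit  - hex / rgb() / rgba() literals in web/src and mobile/src.
#   3. Token audit  - token-shaped strings anywhere in the working tree.
#
# Environment:
#   COMMON_PLAT  optional path to the shared platform checkout.
set -euo pipefail

ROOT="$(git rev-parse --show-toplevel)"
cd "$ROOT"

# Without rg the audits below would produce no output at all, which is
# indistinguishable from "no findings". Fail closed instead.
if ! command -v rg >/dev/null 2>&1; then
  echo "ripgrep (rg) is required for the release guard audits." >&2
  exit 1
fi

#######################################
# Run rg and print its matches.
# rg exits 0 on a match, 1 when nothing matched and >1 on an error. Only the
# first two are treated as a completed scan; any other status aborts so that a
# broken scan is never reported as a clean one.
# Arguments: passed to rg unchanged
# Outputs:   matches on stdout, diagnostics on stderr
# Returns:   0 when the scan completed, rg's status otherwise
#######################################
rg_scan() {
  local out
  local status=0
  out="$(rg "$@")" || status=$?
  if ((status > 1)); then
    echo "rg failed with exit status $status; refusing to report a clean audit." >&2
    return "$status"
  fi
  printf '%s' "$out"
}

COMMON_PLAT="${COMMON_PLAT:-$ROOT/../learning_ai/learning_ai_common_plat}"
if [[ ! -d "$COMMON_PLAT" && -d "$ROOT/../learning_ai_common_plat" ]]; then
  COMMON_PLAT="$ROOT/../learning_ai_common_plat"
fi

echo "=== Secret scan ==="
# NOTE(review): the shared scanner lives outside this repository and its
# location can be overridden through COMMON_PLAT, so whatever is found at that
# path is executed with this job's privileges. Keep COMMON_PLAT under the
# control of the CI configuration, not of the change being released.
if [[ -x "$COMMON_PLAT/scripts/secret-scan-repo.sh" ]]; then
  (cd "$ROOT" && bash "$COMMON_PLAT/scripts/secret-scan-repo.sh")
else
  bash scripts/secret-scan-repo.sh
fi

echo "=== Hardcoded color audit ==="
# Only pass directories that exist: a missing path makes rg exit with an error,
# which rg_scan treats as a failed scan.
color_dirs=()
for dir in web/src mobile/src; do
  if [[ -d "$dir" ]]; then
    color_dirs+=("$dir")
  fi
done

color_matches=""
if ((${#color_dirs[@]} == 0)); then
  echo "Neither web/src nor mobile/src exists; nothing to audit for colors." >&2
else
  color_matches="$(
    rg_scan -n '#[0-9a-fA-F]{3,8}|rgba?\(' "${color_dirs[@]}" \
      --glob '!**/*.test.*' \
      --glob '!**/tokens.*' \
      --glob '!**/*.d.ts'
  )" || exit 1
fi

if [[ -n "$color_matches" ]]; then
  echo "Hardcoded colors found outside tests/token files:" >&2
  printf '%s\n' "$color_matches" >&2
  exit 1
fi
echo "✓ No hardcoded hex/rgb colors found in web/mobile product code."

echo "=== Hardcoded token audit ==="
# The search root is given explicitly as "." because rg may read standard input
# instead of the working tree when it gets no path and stdin is a pipe or file,
# which would make this audit scan nothing.
token_matches="$(
  rg_scan -n --no-heading --with-filename \
    'ghp_[A-Za-z0-9_]{20,}|gitea[_-]?[A-Za-z0-9_]{20,}|npm_[A-Za-z0-9_]{20,}|Authorization: Bearer [A-Za-z0-9._-]{20,}' \
    --glob '!node_modules/**' \
    --glob '!docs/**' \
    --glob '!*.md' \
    .
)" || exit 1

if [[ -n "$token_matches" ]]; then
  echo "Hardcoded token-like values found:" >&2
  # Report path:line only. Echoing the matched line would copy the credential
  # into the job log, where it outlives the commit that removes it.
  printf '%s\n' "$token_matches" | cut -d: -f1,2 >&2
  exit 1
fi
echo "✓ No hardcoded token-like values found."

echo "Release guard audit passed."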