#!/bin/sh
# Refuse commits that would (re)introduce personal-info patterns into
# the repo. See CONTRIBUTING.md ("Pre-commit hook") for activation
# instructions and CLAUDE.md § 12 for the policy.
#
# Patterns currently blocked:
#   /Users/<name>/   - macOS author home; <name> starting with a
#                      lowercase letter, so /Users/USER/, /Users/<x>/,
#                      and /Users/Shared/ are NOT blocked
#   /home/<name>/    - Linux author home; same rule for <name>
#   smart-steel-technologies
#                    - day-job employer; should never appear in repo
#                      content (commit-author email metadata is a
#                      separate concern)
#
# Lowercase usernames legitimately referenced in committed content
# are allowlisted in ALLOWED_USERS below. Add sparingly; each entry
# weakens the gate.
#
# To bypass for a one-off (e.g. legitimate historical reference): commit
# with `git commit --no-verify` and explain in the message.

set -e

# Broad pattern: /Users/<lowercase>/ or /home/<lowercase>/.
PATH_PATTERN='/(Users|home)/[a-z][A-Za-z0-9_.-]*'
EMPLOYER_PATTERN='smart-steel-technologies'
# Lowercase usernames that are legitimate references. Keep in sync
# with tests/test_basis_no_maintainer_paths.py::_ALLOWED_USERS.
# - runner, root: CI / system accounts in GitHub-Actions-style docs
# - user: documented placeholder convention (see vibe-queue/tests/
#   test_config.py and docs/user_guide/queue.md — the "/home/user/..."
#   form predates the all-caps "/home/USER/..." form and remains in
#   wide use; allowlisting avoids forcing a fixture churn just to
#   change capitalisation)
ALLOWED_USERS='runner|root|user'

# Inspect added lines in staged content (-U0 trims context,
# --diff-filter excludes pure deletions). Match leading "+" but
# exclude diff headers ("+++ b/...") via the "[^+]" guard.
#
# Pathspec exclusions: meta-files where the blocked patterns
# legitimately appear (the hook documents what it blocks; .mailmap
# maps historical author emails by definition; CLAUDE.md / AGENTS.md
# reference the rules; the basis-library test mirrors the patterns
# for CI). Editing these files won't trip the hook.
LEAKS=$(git diff --cached --diff-filter=ACMR -U0 \
        -- ':(exclude).githooks/' \
           ':(exclude).mailmap' \
           ':(exclude)CLAUDE.md' \
           ':(exclude)AGENTS.md' \
           ':(exclude)tests/test_basis_no_maintainer_paths.py' \
    | grep -E '^\+[^+]' \
    | grep -nE "$PATH_PATTERN|$EMPLOYER_PATTERN" \
    | grep -vE "/(Users|home)/($ALLOWED_USERS)([/[:space:]'\"]|\$)" \
    || true)

if [ -n "$LEAKS" ]; then
    cat >&2 <<EOF
ERROR: staged content contains personal-info patterns:

$LEAKS

Replace with placeholders (e.g. ~/, /home/USER/, <vibe-qc-checkout>)
before committing. If the inclusion is intentional and reviewed,
bypass with:
  git commit --no-verify
and document the reason in the commit message.
EOF
    exit 1
fi