#!/usr/bin/env bash
# task-2457 Phase 2-A: pre-commit guard hook
# 설치: scripts/install-git-hooks.sh
#
# 검증 순서 (첫 실패 시 exit 1):
#   1) TASKCTL_BYPASS=1 분기 — evidence 4필드 atomic 기록 후 exit 0
#   2) branch == main 차단
#   3) branch에서 task-id 추출 (정규식: ^task/(task-N(.M)?)-)
#      - 커밋 메시지 fallback 절대 금지 (Codex 리뷰 high 권고)
#   4) lock 파일 존재 (.tasks/locks/<task-id>.lock)
#   5) lock 파싱 후 task_id 일치 확인
#
# mixed task commit 감지는 commit-msg 단계에서만 정확하므로 pre-commit에서는 생략.
# 단, 검증 5(branch/lock 일치)가 mixed task의 1차 방어선 역할.
# Strict mode: abort on an unhandled command failure, on use of an unset
# variable, and when any stage of a pipeline fails.
set -o errexit -o nounset -o pipefail

# Run every later check from the repository root so the relative .tasks/
# paths printed in messages match the absolute paths that are tested.
WORKSPACE=$(git rev-parse --show-toplevel)
cd "$WORKSPACE"

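# ---------- Check 1: TASKCTL_BYPASS branch ----------
#######################################
# Escape text so it can be embedded inside a JSON string literal.
# Arguments: $1 - raw text (e.g. an environment-supplied value)
# Outputs:   escaped text on stdout, without surrounding quotes
#######################################
_taskctl_json_escape() {
    local text=$1 code hex raw
    # Backslash must be handled first so the escapes added below are not doubled.
    text=${text//\\/\\\\}
    text=${text//\"/\\\"}
    # JSON forbids raw control characters (U+0001..U+001F) inside strings;
    # emit them as \u00XX. NUL cannot occur in a bash variable.
    for ((code = 1; code < 32; code++)); do
        printf -v hex '%02x' "$code"
        printf -v raw "\\x${hex}"
        text=${text//"$raw"/\\u00${hex}}
    done
    printf '%s' "$text"
}

# When TASKCTL_BYPASS=1 the remaining checks are skipped, but only after a
# non-empty reason was supplied and an evidence record was written.
# NOTE(review): the record lives in the working tree and is written by the
# same user who bypasses, so it is an audit aid rather than a tamper-evident
# log; a client-side hook can also be skipped with `git commit --no-verify`.
if [[ "${TASKCTL_BYPASS:-0}" == "1" ]]; then
    REASON="${TASKCTL_BYPASS_REASON:-}"
    if [[ -z "$REASON" ]]; then
        echo "[BLOCKED] TASKCTL_BYPASS reason missing (set TASKCTL_BYPASS_REASON=...)" >&2
        exit 1
    fi
    CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD)
    # Same pattern as the normal path; a branch that does not match is filed
    # under "unknown" instead of blocking the bypass.
    BYPASS_TASK_ID=$(printf '%s\n' "$CURRENT_BRANCH" | sed -nE 's|^task/(task-[0-9]+(\.[0-9]+)?)-.*|\1|p')
    BYPASS_TASK_ID=${BYPASS_TASK_ID:-unknown}
    TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
    EVIDENCE_DIR="$WORKSPACE/.tasks/evidence/$BYPASS_TASK_ID"
    mkdir -p "$EVIDENCE_DIR"
    # NOTE(review): the name has one-second resolution, so a second bypass in
    # the same second for the same task replaces the earlier record.
    EVIDENCE_FILE="$EVIDENCE_DIR/bypass-${TIMESTAMP}.json"
    TMP_FILE="${EVIDENCE_FILE}.tmp.$$"
    # Do not leave a partial temp file behind if writing fails; after the
    # rename below this is a no-op.
    trap 'rm -f -- "$TMP_FILE"' EXIT
    ACTOR="${USER:-unknown}"
    # REASON and USER come from the environment. Escape them so a quote,
    # backslash or newline cannot break the JSON or add forged fields to the
    # evidence record.
    REASON_JSON=$(_taskctl_json_escape "$REASON")
    ACTOR_JSON=$(_taskctl_json_escape "$ACTOR")
    # Write to a temp file and rename, so readers never see a half-written record.
    cat > "$TMP_FILE" <<EOF
{
  "bypass": true,
  "timestamp": "${TIMESTAMP}",
  "actor": "${ACTOR_JSON}",
  "reason": "${REASON_JSON}"
}
EOF
    mv "$TMP_FILE" "$EVIDENCE_FILE"
    echo "[BYPASS] pre-commit guard skipped (evidence=$EVIDENCE_FILE)" >&2
    exit 0
fi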

# ---------- Check 2: refuse commits made directly on main ----------
# CURRENT_BRANCH is reused by the task-id extraction that follows.
CURRENT_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
case "$CURRENT_BRANCH" in
    main)
        printf '%s\n' "[BLOCKED] main direct commit prohibited" >&2
        exit 1
        ;;
esac

# ---------- Check 3: derive the task-id from the branch name ----------
# Pattern: ^task/(task-[0-9]+(\.[0-9]+)?)-
# sed prints the captured task-id only when the branch matches, so an empty
# result means the branch does not follow the task naming scheme.
BRANCH_TASK_ID="$(sed -nE 's|^task/(task-[0-9]+(\.[0-9]+)?)-.*|\1|p' <<<"$CURRENT_BRANCH")"
if [[ -n "$BRANCH_TASK_ID" ]]; then
    : # branch name is well-formed; continue with the lock checks
else
    printf '%s\n' "[BLOCKED] branch does not match task pattern: task/task-N-bot (got: $CURRENT_BRANCH)" >&2
    exit 1
fi

# ---------- Check 4: the task's lock file must exist ----------
# The path is built from the regex-validated task-id, so it cannot contain
# "/" or ".." components.
LOCK_FILE="${WORKSPACE}/.tasks/locks/${BRANCH_TASK_ID}.lock"
[[ -f "$LOCK_FILE" ]] || {
    printf '%s\n' "[BLOCKED] start_task_guard not passed: .tasks/locks/${BRANCH_TASK_ID}.lock missing" >&2
    exit 1
}

# ---------- Check 5: parse the lock and compare its task_id ----------
# The lock is read as JSON and its "task_id" field is printed. Parser errors
# are discarded (stderr to /dev/null, failure tolerated), so a missing
# interpreter, invalid JSON, or an absent/empty task_id all end up as an
# empty value and are reported as "unparseable".
LOCK_TASK_ID=$(python3 -c "import json,sys;print(json.load(open(sys.argv[1])).get('task_id',''))" "$LOCK_FILE" 2>/dev/null) || true
if [[ -z "$LOCK_TASK_ID" ]]; then
    printf '%s\n' "[BLOCKED] lock file unparseable: $LOCK_FILE" >&2
    exit 1
elif [[ "$LOCK_TASK_ID" != "$BRANCH_TASK_ID" ]]; then
    # The lock belongs to a different task than the branch claims.
    printf '%s\n' "[BLOCKED] branch/lock task-id mismatch (branch=$BRANCH_TASK_ID, lock=$LOCK_TASK_ID)" >&2
    exit 1
fi

# ---------- PASS ----------
# Every check succeeded; report on stderr and let the commit proceed.
printf '%s\n' "[OK] pre-commit guard PASS (task-id=$BRANCH_TASK_ID)" >&2
exit 0
