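#!/usr/bin/env bash
# check-no-secrets.sh — scan the repository tree for common hardcoded secret
# patterns (Google API keys, FCM legacy server keys, keyfcm-style PHP values).
#
# Exit status: 0 when nothing matches, 1 when a potential leak is found.
# The scan always runs from the repository root (the parent of this script's
# directory), so the script can be invoked from any working directory:
#   ./scripts/check-no-secrets.sh
#
# Hits are reported by file path only; the matching line is deliberately not
# printed so that a leaked value is not copied into CI logs.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
cd "$ROOT"

# Vendored / generated trees that are never part of the source under review.
# Excluding them at the directory level (rather than filtering grep output with
# `grep -v`) means a real hit whose line happens to contain one of these names
# can no longer be hidden.
readonly EXCLUDE_DIRS=(--exclude-dir=node_modules --exclude-dir=.dart_tool)

FOUND=0

#######################################
# Search the tree for one extended regex and list the files containing it.
# Globals:   FOUND (set to 1 on a hit), EXCLUDE_DIRS (read)
# Arguments: $1   - extended regex to search for
#            $2   - message printed when the pattern is found
#            $3.. - --include=GLOB options restricting which files are scanned
# Outputs:   the message and one indented file path per hit, on stdout
# Returns:   0 always; the outcome is accumulated in FOUND
#######################################
scan_for() {
  local pattern=$1 message=$2
  shift 2
  local hits
  # -l: file names only (never echo the secret itself); -I: skip binary files.
  # grep exits 1 on "no match", which is the normal case, so swallow that
  # status explicitly under set -e. Read errors (permissions) are ignored.
  hits="$(grep -rlIE "${EXCLUDE_DIRS[@]}" "$@" -e "$pattern" . 2>/dev/null || true)"
  if [[ -n "$hits" ]]; then
    printf '%s\n' "$message"
    while IFS= read -r hit; do
      printf '  %s\n' "$hit"
    done <<<"$hits"
    FOUND=1
  fi
}

# Google API key (Maps, etc.): "AIza" followed by 35 [0-9A-Za-z_-] characters.
scan_for 'AIza[0-9A-Za-z_-]{35}' \
  "check-no-secrets: possible Google Maps-style API key (AIza...) found. Do not reuse this key for FCM; keep client and server keys separate and move them to env/config." \
  --include='*.php' --include='*.dart' --include='*.yaml' --include='*.json' --include='*.md'

# FCM legacy server key: "AAAA" followed by a long base64url-like run.
scan_for 'AAAA[0-9A-Za-z_-]{100,}' \
  "check-no-secrets: possible FCM legacy server key (AAAA...) found. This must be different from any Google Maps client key and stored only in secure backend config." \
  --include='*.php' --include='*.dart' --include='*.yaml' --include='*.json'

# keyfcm = '...' or define('keyfcm', '...') with a long literal value (legacy PHP).
scan_for "keyfcm.*['\"][A-Za-z0-9_-]{20,}" \
  "check-no-secrets: keyfcm or similar hardcoded key found. Ensure this FCM key is different from any Google Maps key and loaded from env/config, not source." \
  --include='*.php'

if (( FOUND == 1 )); then
  printf '%s\n' "check-no-secrets: FAIL (potential secrets found). Remove from source, use env/config, and keep Google Maps and FCM keys distinct."
  exit 1
fi
printf '%s\n' "check-no-secrets: OK (no common secret patterns found)"
exit 0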