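#!/usr/bin/env node
/*
 * Guard against putting secrets in Gitea step env/with blocks.
 * Gitea/act_runner logs may render those blocks before masking is effective.
 *
 * The script also enforces the Telegram alert route: legacy chat-id variable
 * names are rejected outright, and any direct `api.telegram.org/bot` fallback
 * must sit close to a SRE_GROUP_CHAT_ID reference (proximity heuristic, see
 * findTelegramRouteViolations).
 *
 * Exit status: 1 when any finding is reported (secrets findings take
 * precedence over routing findings), 0 when every workflow is clean.
 * Findings are written to stderr; the all-clear message to stdout.
 */
"use strict";

const fs = require("fs");
const path = require("path");

const root = path.resolve(__dirname, "../..");
const workflowDir = path.join(root, ".gitea", "workflows");

// Matches `${{ secrets.X }}` as well as the equally valid `${{secrets.X}}`
// spelling; a plain `"${{ secrets."` substring test missed the latter.
const SECRET_EXPR = /\$\{\{\s*secrets\./;

// `env:` / `with:` opening a mapping. Accepts a trailing comment
// (`env: # reviewed`) and an inline flow mapping (`env: { A: b }`); both
// forms are real YAML that the previous `^\s*(env|with):\s*$` pattern let
// through without inspection.
const BLOCK_HEADER = /^(\s*)(env|with):\s*(?:\{.*|#.*)?$/;

// Legacy chat-id variables that must no longer be used for alert routing.
// Substring matches on purpose: `secrets.TELEGRAM_CHAT_ID`, `$TELEGRAM_CHAT_ID`
// and `vars.TELEGRAM_CHAT_ID` are all rejected.
const LEGACY_ROUTES = [
  ["TELEGRAM_ALERT_CHAT_ID", "legacy TELEGRAM_ALERT_CHAT_ID is not allowed; use SRE_GROUP_CHAT_ID"],
  ["TELEGRAM_CHAT_ID", "legacy TELEGRAM_CHAT_ID is not allowed for alert routing; use SRE_GROUP_CHAT_ID"],
];

// Character window searched around a direct Telegram API call for a
// SRE_GROUP_CHAT_ID reference. Sized to cover a typical step body; it is a
// heuristic, not a parse of the step.
const ROUTE_WINDOW_BEFORE = 700;
const ROUTE_WINDOW_AFTER = 1200;

/**
 * Report lines inside an `env:` / `with:` mapping that reference a secret.
 *
 * The enclosing block is tracked by indentation: a non-blank line indented at
 * or below the block header closes it. Any `env:`/`with:` header at any level
 * opens a block (job- and workflow-level env are treated the same as step
 * level). Comment-only lines inside a block are still flagged — deliberately
 * conservative. A secret on the header line itself (inline flow mapping) is
 * reported against that line.
 *
 * @param {string[]} lines - workflow file split into lines
 * @param {string} filePath - used only for the report text
 * @returns {string[]} entries shaped `file:line:section`
 */
function findSecretsInStepBlocks(lines, filePath) {
  const found = [];
  let block = null;

  lines.forEach((line, index) => {
    const indent = line.match(/^\s*/)[0].length;

    // Dedent back to (or past) the header closes the current mapping.
    if (block && line.trim() && indent <= block.indent) {
      block = null;
    }

    const header = line.match(BLOCK_HEADER);
    if (header) {
      block = { indent: header[1].length, section: header[2] };
      // `env: { TOKEN: ${{ secrets.X }} }` — the secret is on the header line.
      if (SECRET_EXPR.test(line)) {
        found.push(`${filePath}:${index + 1}:${block.section}`);
      }
      return;
    }

    if (block && SECRET_EXPR.test(line)) {
      found.push(`${filePath}:${index + 1}:${block.section}`);
    }
  });

  return found;
}

/**
 * Report Telegram routing that bypasses the SRE group.
 *
 * Legacy variable names are flagged once per file. A direct
 * `api.telegram.org/bot` call is flagged unless SRE_GROUP_CHAT_ID appears
 * within ROUTE_WINDOW_BEFORE/AFTER characters of that line. Offsets are
 * computed from chunks that keep their own line terminator, so CRLF files no
 * longer drift the window by one character per line.
 *
 * @param {string} content - whole workflow file
 * @param {string} filePath - used only for the report text
 * @returns {string[]} human-readable findings
 */
function findTelegramRouteViolations(content, filePath) {
  const found = [];

  for (const [legacy, message] of LEGACY_ROUTES) {
    if (content.includes(legacy)) {
      found.push(`${filePath}: ${message}`);
    }
  }

  let offset = 0;
  // Lookbehind split keeps "\n" (and a preceding "\r") on each chunk.
  content.split(/(?<=\n)/).forEach((chunk, index) => {
    if (chunk.includes("api.telegram.org/bot")) {
      const start = Math.max(0, offset - ROUTE_WINDOW_BEFORE);
      const end = offset + chunk.length + ROUTE_WINDOW_AFTER;
      if (!content.slice(start, end).includes("SRE_GROUP_CHAT_ID")) {
        found.push(`${filePath}:${index + 1}: direct Telegram fallback must target SRE_GROUP_CHAT_ID`);
      }
    }
    offset += chunk.length;
  });

  return found;
}

/**
 * Scan every `*.yml` / `*.yaml` under .gitea/workflows, print findings and
 * exit non-zero. A missing workflow directory is left to throw (fail closed)
 * rather than being reported as "clean".
 */
function main() {
  const violations = [];
  const routeViolations = [];

  for (const fileName of fs.readdirSync(workflowDir).sort()) {
    if (!/\.ya?ml$/.test(fileName)) {
      continue;
    }
    const filePath = path.join(workflowDir, fileName);
    const content = fs.readFileSync(filePath, "utf8");

    routeViolations.push(...findTelegramRouteViolations(content, filePath));
    violations.push(...findSecretsInStepBlocks(content.split(/\r?\n/), filePath));
  }

  if (violations.length > 0) {
    console.error("Gitea workflow exposes secrets through step env/with:");
    for (const violation of violations) {
      console.error(` - ${violation}`);
    }
    process.exit(1);
  }

  if (routeViolations.length > 0) {
    console.error("Gitea workflow Telegram route must converge on AwoooI SRE war room:");
    for (const violation of routeViolations) {
      console.error(` - ${violation}`);
    }
    process.exit(1);
  }

  console.log("no Gitea step env/with secrets or legacy Telegram routes");
}

// Run only when invoked directly so the scanners can be required by tests.
if (require.main === module) {
  main();
}

module.exports = { findSecretsInStepBlocks, findTelegramRouteViolations };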