#!/usr/bin/env node
// AZ-482 — static deny-list enforcement driven by tests/security/banned-deps.json.
//
// One canonical implementation that the run-tests.sh static profile delegates to,
// so adding or removing a banned dependency / pattern is a one-file change visible
// in code review (per AZ-482 constraint).
//
// Usage:
//   node scripts/check-banned-deps.mjs --kind=<key> [--root=<repo-root>]
//
// Exit code 0 on PASS (no hits); non-zero on FAIL (writes the hit list to stderr).

import { readFileSync, statSync, readdirSync } from 'node:fs'
import { join, dirname, resolve, relative } from 'node:path'
import { fileURLToPath } from 'node:url'

const __filename = fileURLToPath(import.meta.url)
const __dirname = dirname(__filename)

function parseArgs(argv) {
  const out = { kind: null, root: resolve(__dirname, '..') }
  for (const a of argv.slice(2)) {
    if (a.startsWith('--kind=')) out.kind = a.slice('--kind='.length)
    else if (a.startsWith('--root=')) out.root = resolve(a.slice('--root='.length))
    else if (a === '-h' || a === '--help') {
      // eslint-disable-next-line no-console
      console.error('Usage: check-banned-deps.mjs --kind=<key> [--root=<repo-root>]')
      process.exit(0)
    }
  }
  if (!out.kind) {
    process.stderr.write('check-banned-deps: --kind is required\n')
    process.exit(2)
  }
  return out
}

function loadDenylist(root) {
  const path = join(root, 'tests', 'security', 'banned-deps.json')
  return JSON.parse(readFileSync(path, 'utf8'))
}

function loadPackageJson(root) {
  return JSON.parse(readFileSync(join(root, 'package.json'), 'utf8'))
}

function namesFromPackageJson(pkg) {
  return Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) })
}

function checkPackageJson(section, root) {
  const pkg = loadPackageJson(root)
  const names = namesFromPackageJson(pkg)
  const regexes = section.patterns.map((p) => new RegExp(p, 'i'))
  const hits = []
  for (const name of names) {
    for (const re of regexes) {
      if (re.test(name)) {
        hits.push(`${name} matched /${re.source}/i`)
        break
      }
    }
  }
  return hits
}

// File walker — yields paths under `dir` that match the included extensions.
// Skips dist/, node_modules/, test-output/, and any `*.test.{ts,tsx}` /
// `*.spec.{ts,tsx}` files (production source only, mirrors run-tests.sh src_grep).
const IGNORED_DIRS = new Set([
  'node_modules', 'dist', 'build', 'test-output', 'test-results',
  'coverage', '.git', '.cache', 'playwright-report', 'blob-report',
])
const SOURCE_EXT = ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs']
const TEST_NAME_RE = /\.(test|spec)\.(ts|tsx|js|jsx|mjs|cjs)$/i

function* walkSourceFiles(rootDir) {
  let entries
  try {
    entries = readdirSync(rootDir, { withFileTypes: true })
  } catch {
    return
  }
  for (const entry of entries) {
    const full = join(rootDir, entry.name)
    if (entry.isDirectory()) {
      if (IGNORED_DIRS.has(entry.name)) continue
      yield* walkSourceFiles(full)
    } else if (entry.isFile()) {
      const ext = '.' + entry.name.split('.').pop()
      if (!SOURCE_EXT.includes(ext)) continue
      if (TEST_NAME_RE.test(entry.name)) continue
      yield full
    }
  }
}

function checkSourceTree(section, root, subdirs) {
  const regexes = section.patterns.map((p) => new RegExp(p, 'i'))
  const allowlist = new Set((section.allowlist ?? []).map((p) => p.replaceAll('\\', '/')))
  const hits = []
  for (const sub of subdirs) {
    const full = join(root, sub)
    try { statSync(full) } catch { continue }
    for (const file of walkSourceFiles(full)) {
      const relPath = relative(root, file).replaceAll('\\', '/')
      if (allowlist.has(relPath)) continue
      let text
      try { text = readFileSync(file, 'utf8') } catch { continue }
      const lines = text.split('\n')
      lines.forEach((line, idx) => {
        for (const re of regexes) {
          if (re.test(line)) {
            hits.push(`${relPath}:${idx + 1}: ${line.trim().slice(0, 200)} (matched /${re.source}/i)`)
            break
          }
        }
      })
    }
  }
  return hits
}

function checkDestructiveSurfaces(section, root, subdirs) {
  const regexes = section.patterns.map((p) => new RegExp(p))
  const gated = new Set((section.gated ?? []).map((p) => p.replaceAll('\\', '/')))
  const drift = new Set((section.drift ?? []).map((p) => p.replaceAll('\\', '/')))
  const known = new Set([...gated, ...drift])
  const hits = []
  for (const sub of subdirs) {
    const full = join(root, sub)
    try { statSync(full) } catch { continue }
    for (const file of walkSourceFiles(full)) {
      const relPath = relative(root, file).replaceAll('\\', '/')
      let text
      try { text = readFileSync(file, 'utf8') } catch { continue }
      const matches = regexes.some((re) => re.test(text))
      if (!matches) continue
      if (known.has(relPath)) continue
      hits.push(
        `${relPath}: contains destructive call but is not in gated/drift allowlist; ` +
        `add to tests/security/banned-deps.json (destructive_surfaces) with a code-review note`,
      )
    }
  }
  return hits
}

function* walkAnyFiles(rootDir) {
  let entries
  try {
    entries = readdirSync(rootDir, { withFileTypes: true })
  } catch {
    return
  }
  for (const entry of entries) {
    const full = join(rootDir, entry.name)
    if (entry.isDirectory()) {
      if (IGNORED_DIRS.has(entry.name)) continue
      yield* walkAnyFiles(full)
    } else if (entry.isFile()) {
      yield full
    }
  }
}

function checkDistTree(section, root) {
  const dist = join(root, 'dist')
  try { statSync(dist) } catch {
    process.stderr.write('dist/ missing — run `bun run build` before this check\n')
    process.exit(1)
  }
  const hits = []
  for (const file of walkAnyFiles(dist)) {
    let text
    try { text = readFileSync(file, 'utf8') } catch { continue }
    for (const literal of section.patterns) {
      if (text.includes(literal)) {
        hits.push(`${relative(root, file)} contains banned literal: ${literal}`)
      }
    }
  }
  return hits
}

function main() {
  const { kind, root } = parseArgs(process.argv)
  const denylist = loadDenylist(root)
  const section = denylist[kind]
  if (!section) {
    process.stderr.write(`unknown --kind=${kind}; available: ${Object.keys(denylist).filter((k) => !k.startsWith('$')).join(', ')}\n`)
    process.exit(2)
  }

  let hits = []
  if (kind === 'owm_key_in_dist') {
    hits = checkDistTree(section, root)
  } else if (
    kind === 'legacy_integrations' ||
    kind === 'concurrent_edit_patterns' ||
    kind === 'alert_calls'
  ) {
    hits = checkSourceTree(section, root, ['src', 'mission-planner'])
  } else if (kind === 'destructive_surfaces') {
    hits = checkDestructiveSurfaces(section, root, ['src'])
  } else {
    hits = checkPackageJson(section, root)
  }

  if (hits.length) {
    process.stderr.write(`banned (${kind} / ${section.ac}):\n`)
    for (const h of hits) process.stderr.write(`  ${h}\n`)
    process.exit(1)
  }
  process.exit(0)
}

main()