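#!/bin/sh
# Git pre-commit — block Genesis-IP term leaks before they reach the index.
#
# INSTALL (public-facing repos only):
#   ln -sf "$HOME/.claude/agents/hooks/git-pre-commit-genesis.sh" .git/hooks/pre-commit
#
# BEHAVIOUR:
#   - Resolves the `genesis-scan` binary under the KeiSeiKit install tree
#     (override the path with GENESIS_SCAN_BIN).
#   - Runs `--staged --exit-on-hit` so the hook fails the commit on any hit.
#   - Bypass with GENESIS_GUARD_BYPASS=1 (visible, per-call — logged in transcript).
#
# EXIT:
#   0  clean, bypassed, or scanner binary absent (silent no-op, see below)
#   1  usage error (not raised by the code visible here — TODO confirm)
#   2  leak detected (commit blocked)

set -eu

SCANNER="${GENESIS_SCAN_BIN:-$HOME/.claude/agents/_primitives/_rust/target/release/genesis-scan}"

if [ ! -x "$SCANNER" ]; then
  # Absent scanner = silent no-op. Installs without the `core` or `full`
  # profile won't have the binary; we prefer letting the commit through
  # over noisy spam, since the runtime hook still catches new writes.
  #
  # NOTE(review): this is a fail-open choice. A removed or renamed binary, or
  # a GENESIS_SCAN_BIN that points at a non-executable path, turns the check
  # off with no signal to the committer. Repos that depend on this hook
  # should verify the scanner is present during setup or in CI.
  exit 0
fi

# Capture the scanner's status instead of only branching on it, so it can be
# reported below. `|| scan_status=$?` keeps `set -e` from aborting the hook.
scan_status=0
"$SCANNER" --staged --format=human --exit-on-hit || scan_status=$?

if [ "$scan_status" -eq 0 ]; then
  exit 0
fi

# Non-zero exit from scanner = hits found.
# NOTE(review): every non-zero status is treated as a hit, which also covers a
# scanner crash or a usage error. Confirm the scanner's exit codes; the status
# is printed below so a tool failure can be told apart from a real hit.
if [ "${GENESIS_GUARD_BYPASS:-0}" = "1" ]; then
  printf '\n' >&2
  printf '%s\n' "[genesis-scan] BYPASSED (GENESIS_GUARD_BYPASS=1). Hit logged above." >&2
  exit 0
fi

# NOTE(review): the listing this hook was recovered from is cut off at the
# here-document that printed the "commit blocked" explanation. The text below
# is a minimal stand-in, not the original wording; the exit status follows the
# EXIT table in the header.
cat >&2 <<EOF

[genesis-scan] Commit blocked (scanner exit status ${scan_status}).
Review the hits reported above before committing.
EOF
exit 2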