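#!/usr/bin/env bash
# pre-commit hook: runs on every `git commit`.
# Install with: make setup (sets core.hooksPath = .githooks)
#
# Scope of the checks:
#   - gofmt is run on the staged Go files only.
#   - golangci-lint and gosec are run on the whole module (./...).
#
# Limits a reviewer should keep in mind:
#   - All three tools read the working tree, not the index. For a partially
#     staged file, the content that is checked can differ from the content
#     that is committed.
#   - Client-side hooks can be skipped (`git commit --no-verify`) or simply
#     not installed, so the same checks need to be enforced in CI as well.
#   - govulncheck is not part of this hook (see the note near the end).
set -euo pipefail

# Collect staged Go files (added, copied or modified). The list is read
# NUL-delimited into an array so that paths containing spaces, glob characters
# or newlines reach gofmt as single, unmodified arguments.
staged_go=()
while IFS= read -r -d '' path; do
  case "$path" in
    *.go) staged_go+=("$path") ;;
  esac
done < <(git diff --cached --name-only -z --diff-filter=ACM)

if [ "${#staged_go[@]}" -eq 0 ]; then
  echo "pre-commit: no Go files staged — skipping."
  exit 0
fi

echo "pre-commit: running checks on staged Go files..."

# ── 1. gofmt ──────────────────────────────────────────────────────────────────
echo " → gofmt"
# `--` ends flag parsing, so a staged path starting with '-' is not read as a
# gofmt option. A gofmt failure aborts the hook through `set -e`.
unformatted=$(gofmt -l -- "${staged_go[@]}")
if [ -n "$unformatted" ]; then
  echo " FAIL: the following files are not gofmt-formatted:"
  printf '%s\n' "$unformatted" | sed 's/^/ /'
  echo " Fix with: gofmt -w or make lint-fix"
  exit 1
fi

# ── 2. golangci-lint ──────────────────────────────────────────────────────────
echo " → golangci-lint"
# A non-zero exit (findings, or the tool missing) aborts the commit via set -e.
golangci-lint run ./...

# ── 3. gosec (security scan) ──────────────────────────────────────────────────
echo " → gosec"
# Same as above: any gosec finding or failure blocks the commit.
gosec -quiet ./...

# govulncheck is intentionally omitted from pre-commit (network + slow).
# Run it manually with: make security
echo "pre-commit: all checks passed."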