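#!/usr/bin/env bash
#
# Pre-commit guard: fail if a file named vault.yml holds plaintext secrets.
#
# A vault.yml is allowed only if it is either:
#   - ansible-vault encrypted (first line starts with `$ANSIBLE_VAULT`), or
#   - a placeholder with no real content (comments / blank lines / `---` only).
#
# It fails when an unencrypted vault.yml contains actual key: value content, which
# is almost always an accidental plaintext secret. Encrypt it with:
#   make encrypt FILE=<path>
#
# Usage: <this-script> FILE...   (pre-commit passes the paths matching its filter)
#
# Notes:
#   - Only the whole-file vault format is recognised: a YAML file that carries
#     inline `!vault` values is treated as unencrypted and will be reported.
#   - Offending lines are reported by line number and key only; the values
#     themselves are never echoed, so a secret that slipped into a commit is not
#     copied again into terminal scrollback or CI logs.
#   - File-name filtering is left to the caller; every argument is checked.
set -euo pipefail

#######################################
# True if the first line of the file marks it as ansible-vault encrypted.
# Arguments: $1 - path to the file
# Returns:   0 if encrypted, 1 otherwise
#######################################
is_vault_encrypted() {
  local first=''
  # `|| true`: read returns 1 on an empty file, or on a one-line file without a
  # trailing newline, but still fills $first — neither is an error here.
  IFS= read -r first < "$1" || true
  [[ $first == '$ANSIBLE_VAULT'* ]]
}

#######################################
# Print the "real content" of an unencrypted file as `N:line`, where N is the
# 1-based line number. Real content is any line that is not blank, not a
# comment, and not the YAML document marker `---`.
# Arguments: $1 - path to the file
# Outputs:   numbered offending lines on stdout (nothing if the file is clean)
#######################################
plaintext_lines() {
  # POSIX classes instead of `\s` so the pattern behaves the same on BSD/macOS grep.
  grep -nvE '^[[:space:]]*(#|---[[:space:]]*$|$)' -- "$1" || true
}

#######################################
# Check every path given; report unencrypted files that hold real content.
# Arguments: $@ - candidate vault.yml paths; non-regular paths are skipped
# Outputs:   diagnostics on stderr
# Returns:   0 if every file is acceptable, 1 if at least one is not
#######################################
main() {
  local status=0 f content
  for f in "$@"; do
    [[ -f $f ]] || continue

    # Encrypted — always fine.
    if is_vault_encrypted "$f"; then
      continue
    fi

    # Unencrypted — allowed only if there is no real content.
    content=$(plaintext_lines "$f")
    if [[ -n $content ]]; then
      printf 'ERROR: %s is not ansible-vault encrypted but contains plaintext content:\n' "$f" >&2
      # Keep the line number and the key (text up to the first colon); drop
      # everything after it so secret values are never written to the log.
      printf '%s\n' "$content" \
        | sed -E 's/^([0-9]+):([^:]*:)?.*$/    line \1: \2 [value redacted]/' >&2
      printf '  Encrypt it with: make encrypt FILE=%s\n' "$f" >&2
      status=1
    fi
  done
  return "$status"
}

main "$@"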