#!/bin/sh
# Git pre-push hook: BLOCK push when protected paths are dirty on main
# (BR-16 / BR-22). Prevents accidentally publishing a contaminated main.
#
# Installed via `make install-git-hooks`. Scanner exits 2 on dirty state
# when --block is set; we propagate that exit code to abort the push.

# Resolve the work-tree root; both helper scripts are addressed relative to it.
# NOTE(review): this path fails open. If git cannot report a toplevel, the hook
# exits 0 and the push proceeds without any check having run.
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null)"
[ -n "$REPO_ROOT" ] || exit 0

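# Drain the ref list git writes to stdin; the gate inspects local state only,
# not which refs are being pushed.
cat >/dev/null

CLEAN_CHECK="$REPO_ROOT/scripts/hooks/check_main_clean.py"

# A missing scanner must not be reported as "dirty main": python3 itself exits 2
# when it cannot open the script, which collides with the scanner's dirty-state
# code. Fail closed with an accurate message instead.
if [ ! -f "$CLEAN_CHECK" ]; then
    echo "" >&2
    echo "pre-push aborted: $CLEAN_CHECK not found; main state was not verified." >&2
    exit 1
fi

python3 "$CLEAN_CHECK" --trigger pre-push --block
STATUS=$?
case "$STATUS" in
    0)
        ;;
    2)
        # Exit 2 is the scanner's dirty-state signal when --block is set.
        echo "" >&2
        echo "pre-push aborted: main has dirty protected paths (see above)." >&2
        echo "If you know this is intentional, bypass with: git push --no-verify" >&2
        exit "$STATUS"
        ;;
    *)
        # Any other status (python3 missing, scanner crash) means the check did
        # not complete. Still block the push, but say what actually happened so
        # the operator fixes the hook rather than hunting for dirty files.
        echo "" >&2
        echo "pre-push aborted: protected-path check did not complete (exit $STATUS); main state was not verified." >&2
        exit "$STATUS"
        ;;
esac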

# Implementation note: branch-naming hard gate at publish time. Distinct
# override env var (WORKSTATE_ALLOW_NONCONFORMING_BRANCH_PUSH) — commit-side
# leniency does not leak across the publish boundary.
# Run the branch-naming check and hand its exit status straight back to git;
# any non-zero status aborts the push.
# NOTE(review): `git push --no-verify` skips this hook entirely, so the gate is
# only as hard as a client-side hook can be. If it must hold, enforce the same
# rule on the server side as well.
python3 "$REPO_ROOT/scripts/hooks/check_branch_naming.py" --trigger pre-push || exit "$?"
exit 0
