#!/usr/bin/env bash
# Reject direct push to protected branches (main, master).
#
# Install:
#   cp hooks/pre-push .git/hooks/pre-push && chmod +x .git/hooks/pre-push
#
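# Bypass (only when really needed):
#   git push --no-verify
#
# Note: this is a client-side guard. It runs only in clones where it has been
# installed and is skipped by --no-verify, so enforce the same rule with
# server-side branch protection as well.
#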
# Hook receives push refs on stdin, one per line:
#   <local_ref> <local_sha> <remote_ref> <remote_sha>
# See `man githooks` for details.

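set -euo pipefail

# Fully-qualified remote refs that must not be pushed to directly.
readonly protected_re='^refs/heads/(main|master)$'

# Git feeds one line per ref being pushed:
#   <local_ref> <local_sha> <remote_ref> <remote_sha>
# Only the remote ref is inspected; the other fields are read and discarded.
#
# The `|| [[ -n ... ]]` clause keeps the check fail-closed: `read` returns
# non-zero on a final line that lacks a trailing newline but still fills the
# variables, so without the clause that last ref would never be checked.
while read -r _local_ref _local_sha remote_ref _remote_sha || [[ -n ${remote_ref:-} ]]; do
    if [[ $remote_ref =~ $protected_re ]]; then
        # Strip the namespace prefix so the message shows the short branch name.
        branch=${remote_ref##refs/heads/}
        # Diagnostics go to stderr; the values are passed as printf data,
        # never as the format string.
        printf '%s\n' \
            "✖ Direct push to '$branch' is forbidden by project policy." \
            "  Use a feature branch and PR/MR instead." \
            "  See CLAUDE.md → Git workflow." \
            "  Bypass: git push --no-verify (only if you really mean it)." >&2
        # A non-zero exit status makes git abort the push.
        exit 1
    fi
done

# No protected ref was found on stdin: allow the push.
exit 0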
