#!/usr/bin/env bash
# Enforce Invariant I1: no upstream-tracked file is ever edited.
# Exits 0 on clean state, 1 on violation.
#
# Catches BOTH committed drift (commits unique to HEAD vs upstream/master)
# AND working-tree drift (uncommitted local edits to tracked files).
#
# Spec: sethlabels-docs/specs/2026-04-29-packaging-design.md §5.5 (I1, F1)
set -euo pipefail

# Refuse to run silently if upstream/master ref is missing (spec §F1 — the
# guardrail's contract is "abort on drift," not "abort on drift IF the ref
# happens to be present"). Without this check, a fresh clone or
# broken-remote environment would silently pass the committed-drift check.
if ! git rev-parse --verify upstream/master >/dev/null 2>&1; then
  echo "ERROR: upstream/master ref not found." >&2
  echo "  Configure the upstream remote and fetch:" >&2
  echo "    git remote add upstream https://github.com/j-evins/glabels-qt.git" >&2
  echo "    git fetch upstream" >&2
  echo "  See sethlabels-docs/specs/2026-04-29-packaging-design.md §6 (release flow step 1)." >&2
  exit 1
fi

# Allowlist: files/dirs sethLabels is permitted to add or modify.
# `.gitignore` is the one upstream-file exception (called out in spec §2).
allowed_pattern='^\.gitignore$|^\.claude/|^scripts/|^packaging/|^sethlabels-docs/|^tests-impl/|^README\.sethlabels\.md$|^CLAUDE\.md$|^IDEA\.md$|^DECISIONS\.md$'

committed=$(git diff --name-only upstream/master..HEAD 2>/dev/null || true)
working=$(git diff --name-only HEAD 2>/dev/null || true)

all_changes=$(printf "%s\n%s\n" "$committed" "$working" | sort -u | sed '/^$/d')

if [ -z "$all_changes" ]; then
  exit 0
fi

violations=$(echo "$all_changes" | grep -vE "$allowed_pattern" || true)

if [ -n "$violations" ]; then
  echo "ERROR: strict-zero policy violated. The following upstream files have been modified:"
  echo "$violations"
  echo ""
  echo "See sethlabels-docs/specs/2026-04-29-packaging-design.md §I1."
  exit 1
fi

exit 0