const fs = require('fs');
const path = require('path');

// Patterns that might indicate leaked credentials
const sensitivePatterns = [
  /ATATT[A-Za-z0-9+/=]{100,}/g, // Confluence tokens
  /ghp_[A-Za-z0-9]{36,}/g, // GitHub tokens
  /api[_-]?key[_-]?[=:]\s*["']?[A-Za-z0-9+/=]{20,}/gi,
  /token[_-]?[=:]\s*["']?[A-Za-z0-9+/=]{20,}/gi,
  /password[_-]?[=:]\s*["']?[^\s"']{8,}/gi,
  /secret[_-]?[=:]\s*["']?[A-Za-z0-9+/=]{20,}/gi,
];

// Files to exclude from scanning
const excludePatterns = [
  /node_modules/,
  /\.git/,
  /\.next/,
  /dist/,
  /build/,
  /out/,
  /terraform\.tfvars$/,
  /\.env/,
  /security-check\.js$/,
];

function scanFile(filePath) {
  const content = fs.readFileSync(filePath, 'utf8');
  const issues = [];
  
  sensitivePatterns.forEach(pattern => {
    const matches = content.match(pattern);
    if (matches) {
      matches.forEach(match => {
        // Only flag if it's not a placeholder or example
        if (!match.includes('example') && !match.includes('YOUR_') && !match.includes('xxx')) {
          issues.push({
            file: filePath,
            pattern: pattern.source,
            match: match.substring(0, 20) + '...',
          });
        }
      });
    }
  });
  
  return issues;
}

function scanDirectory(dir) {
  const issues = [];
  
  function walk(currentPath) {
    const entries = fs.readdirSync(currentPath, { withFileTypes: true });
    
    for (const entry of entries) {
      const fullPath = path.join(currentPath, entry.name);
      const relativePath = path.relative(process.cwd(), fullPath);
      
      // Skip excluded paths
      if (excludePatterns.some(pattern => pattern.test(relativePath))) {
        continue;
      }
      
      if (entry.isDirectory()) {
        walk(fullPath);
      } else if (entry.isFile() && /\.(js|ts|jsx|tsx|json|yml|yaml|md)$/.test(entry.name)) {
        const fileIssues = scanFile(fullPath);
        issues.push(...fileIssues);
      }
    }
  }
  
  walk(dir);
  return issues;
}

// Run the scan
console.log('🔍 Scanning for potential credential leaks...\n');
const issues = scanDirectory(process.cwd());

if (issues.length > 0) {
  console.error('❌ Found potential credential leaks:\n');
  issues.forEach(issue => {
    console.error(`File: ${issue.file}`);
    console.error(`Pattern: ${issue.pattern}`);
    console.error(`Match: ${issue.match}\n`);
  });
  process.exit(1);
} else {
  console.log('✅ No credential leaks detected');
}