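#!/bin/bash
# Protect sensitive files from being edited.
#
# Hook for Claude Code: reads the tool-call JSON on stdin, takes the target
# path from .tool_input.file_path (or .tool_input.path) and exits with status 2
# plus a message on stderr when the edit must be refused. Exit 0 lets the tool
# call proceed. Tool calls that carry no path are not this hook's concern and
# are allowed through unchanged.
#
# Blocked:
#   * anything under a .git/ directory
#   * .env files and their variants (.env.local, .env.production, ...)
#   * anything under node_modules/
#   * anything whose directory resolves to a location outside the project
#     directory ($CLAUDE_PROJECT_DIR, falling back to the current directory)
#
# The pattern checks run on both the raw path and on the physically resolved
# directory (symlinks and ".." segments followed), so a directory symlink or a
# "../" detour cannot sidestep them. Only the directory is resolved; a
# file-level symlink that points at a protected file is not followed.
#
# Being a protective hook, it fails closed: when jq is missing, the hook input
# cannot be parsed, or the path cannot be placed relative to the project, the
# edit is refused rather than silently allowed.

set -u

#######################################
# Refuse the edit: print the reason to stderr and exit with the blocking status.
# Arguments: $1 - message for the caller
#######################################
block() {
  printf '%s\n' "$1" >&2
  exit 2
}

#######################################
# Apply the protected-pattern checks to one path string; exits via block()
# on the first match, returns 0 when nothing matches.
# Arguments: $1 - path to inspect (raw or resolved)
#######################################
check_patterns() {
  local path=$1
  # Kept in a variable so the ERE is not subject to [[ ]] quoting rules.
  local env_re='\.env($|\.)'

  case "$path" in
    *.git/*) block "Edit blocked: path matches protected pattern (.git/)" ;;
  esac

  if [[ "$path" =~ $env_re ]]; then
    block "Edit blocked: path matches protected pattern (.env)"
  fi

  case "$path" in
    *node_modules/*) block "Edit blocked: path matches protected pattern (node_modules/)" ;;
  esac
}

#######################################
# Print the physical (symlink-resolved) path of the closest existing ancestor
# directory of a file path. Walking up means a write into a directory that
# does not exist yet is still attributed to a real location instead of
# skipping the project-boundary check.
# Arguments: $1 - file path (absolute or relative to the current directory)
# Outputs:   resolved directory on stdout
# Returns:   0 on success, 1 if no ancestor could be resolved
#######################################
nearest_existing_dir() {
  local dir parent
  dir=$(dirname -- "$1")
  while [[ ! -d "$dir" ]]; do
    parent=$(dirname -- "$dir")
    # dirname of "/" is "/" and of "." is "."; stop instead of looping forever.
    [[ "$parent" == "$dir" ]] && return 1
    dir=$parent
  done
  (cd -- "$dir" 2>/dev/null && pwd -P)
}

#######################################
# Entry point: parse the hook input and run the checks.
# Globals:   CLAUDE_PROJECT_DIR (read)
# Returns:   exits 0 to allow the edit, 2 to block it
#######################################
main() {
  local input file_path project_dir real_project real_file_dir

  command -v jq >/dev/null 2>&1 \
    || block "Edit blocked: jq is required by the protection hook but was not found"

  input=$(cat)
  file_path=$(jq -r '.tool_input.file_path // .tool_input.path // empty' <<<"$input") \
    || block "Edit blocked: could not parse hook input"

  # No path in the tool input: nothing for this hook to protect.
  [[ -n "$file_path" ]] || exit 0

  # Get the project directory; fall back to the current directory.
  project_dir=${CLAUDE_PROJECT_DIR:-}
  [[ -n "$project_dir" ]] || project_dir=$(pwd)

  # First pass on the path exactly as the tool supplied it.
  check_patterns "$file_path"

  # Second pass on the resolved location, which is also what the project
  # boundary is compared against.
  real_project=$(cd -- "$project_dir" 2>/dev/null && pwd -P) \
    || block "Edit blocked: could not resolve project directory"
  real_file_dir=$(nearest_existing_dir "$file_path") \
    || block "Edit blocked: could not resolve path against project directory"

  check_patterns "$real_file_dir/${file_path##*/}"

  # Match the project directory itself or a path strictly below it. A bare
  # prefix match would also accept a sibling such as /home/u/project2 when the
  # project is /home/u/project. ${real_project%/} keeps a project at "/"
  # matching every absolute path instead of producing the pattern "//*".
  case "$real_file_dir" in
    "$real_project"|"${real_project%/}"/*) ;;
    *) block "Edit blocked: path is outside project directory" ;;
  esac

  exit 0
}

main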