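#!/usr/bin/env bash
set -euo pipefail

# PreToolUse hook for Bash tool: blocks git commit/push on protected branches.
#
# Input: TOOL_INPUT - JSON with a "command" field containing the bash command.
# Exit:  0 = allow the command, 2 = block it (reason printed to stderr).
#
# Scope: this is a guardrail against accidental commits, not an enforcement
# boundary. It looks only at the branch checked out in the hook's working
# directory and at a loose text match on the command, so it does not cover
# every way a protected branch can be written to. Keep server-side branch
# protection as the authoritative control.

readonly PROTECTED_BRANCHES=("develop" "main" "master")

COMMAND="${TOOL_INPUT:-}"

# Only check commands that look like git commit or git push.
# The text is fed through a here-string instead of `echo ... | grep -q`:
# under `pipefail`, grep -q exiting on its first match can leave the writer
# with SIGPIPE on large input, which makes the pipeline non-zero, the negated
# test true, and the hook allow the very command it just matched.
if ! grep -qE '\bgit\b.*(commit|push)' <<<"$COMMAND"; then
  exit 0
fi

# Empty when git cannot answer (e.g. not inside a repository); an empty name
# matches no protected branch, so the command is allowed.
# NOTE(review): on a branch with no commits yet HEAD does not resolve, so the
# check presumably does not fire for the first commit of a new repository.
BRANCH="$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "")"

for protected in "${PROTECTED_BRANCHES[@]}"; do
  if [[ "$BRANCH" == "$protected" ]]; then
    # Diagnostics go to stderr, which is where a blocking exit status is
    # normally explained. TODO confirm the hook runner surfaces stderr.
    printf '%s\n' "BLOCKED: Cannot commit or push on protected branch '$BRANCH'." >&2
    printf '%s\n' "Create a feature branch first: git checkout -b feature/" >&2
    exit 2
  fi
done

exit 0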