#!/usr/bin/env bash
set -u

# Accumulated verdict: stays 0 until any check calls fail(), which sets it to 1.
declare -i FAILED=0

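#######################################
# Record a failed check and report it.
# Globals:   FAILED (written, set to 1)
# Arguments: $1 - label of the failed check
# Outputs:   "FAIL: <label>" on stderr
#######################################
fail() {
  # Diagnostics go to stderr so they survive when stdout is captured or
  # filtered; printf prints the label verbatim regardless of its content.
  printf 'FAIL: %s\n' "$1" >&2
  FAILED=1
}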

#######################################
# Announce a check, run it, and record a failure if it exits non-zero.
# Globals:   FAILED (written through fail)
# Arguments: $1 - label printed before the check and used on failure
#            $2... - command and its arguments
# Outputs:   "==> <label>" on stdout, followed by the command's own output
# Returns:   0 in all cases; a failed step is only recorded, not fatal
#######################################
run_step() {
  local step_name=$1
  shift
  printf '==> %s\n' "$step_name"
  # Each step is independent: a non-zero exit marks the release check as
  # failed but the remaining steps still run.
  "$@" || fail "$step_name"
}

# Static and self-test checks of the backend and the dashboard data.
run_step "Python Syntax" \
  python3 -m py_compile predictive_maintenance_light.py
run_step "Backend Self-Check" \
  python3 predictive_maintenance_light.py --check
run_step "Dashboard Data Validation" \
  python3 validate_dashboard_data.py

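echo "==> Runtime-Dateien nicht getrackt"
# Files created at runtime or holding credentials/session state; none of them
# may be in the index. A pathspec that matches nothing is harmless (git prints
# nothing and exits 0), so only a real git error is worth reporting - and it is
# reported instead of masked, otherwise the check would pass silently outside
# a repository or without git installed.
RUNTIME_FILES=(
  users.json sessions.json pml_server.pid pml_server.log .env
  login_attempts.json acknowledged_alarms.json active_alarm_state.json
  alarm_history.csv motor_history.csv 'motor_history_*.csv'
  repair_history.csv backups
)
if ! TRACKED_RUNTIME="$(git ls-files -- "${RUNTIME_FILES[@]}" 2>/dev/null)"; then
  fail "git ls-files fehlgeschlagen (kein Git-Repository?)"
elif [ -n "$TRACKED_RUNTIME" ]; then
  fail "Runtime-/Security-Dateien sind getrackt"
  # Name the offending paths so the finding is actionable.
  printf '%s\n' "$TRACKED_RUNTIME"
fi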

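echo "==> Secret-Scan in getrackten Dateien"
# Token shapes that must not appear in tracked text files. "bearer" is matched
# in both capitalisations: the header form is usually written "Bearer", which
# a lowercase-only alternative never matched.
SECRET_PATTERN='((sk-(proj|live|test)-[A-Za-z0-9_-]{16,})|xox[baprs]-[A-Za-z0-9-]{16,}|gh[pousr]_[A-Za-z0-9_]{16,}|AKIA[0-9A-Z]{16}|[Bb]earer[[:space:]]+[A-Za-z0-9._-]{20,})'
# -l lists only file names: the finding becomes actionable without echoing
# the candidate secret into the build log. -I skips binary files; the
# pathspec exclusions merely avoid scanning large assets.
SECRET_HITS="$(git grep -I -l -E "$SECRET_PATTERN" -- . ':!*.pdf' ':!*.png' ':!*.jpg' ':!*.jpeg' ':!*.gif' 2>/dev/null)"
# git grep: 0 = match, 1 = no match, anything else = git itself failed.
case $? in
  0)
    fail "Moegliches Secret in getrackten Dateien gefunden"
    printf '%s\n' "$SECRET_HITS"
    ;;
  1)
    # No match: the desired outcome.
    ;;
  *)
    # Not a repository or git missing: must not count as a clean scan.
    fail "git grep fehlgeschlagen (kein Git-Repository?)"
    ;;
esac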

echo "==> Frontend-Dateien"
# Static assets the release ships; each missing file is recorded separately.
for frontend_file in dashboard.html style.css; do
  [ -f "$frontend_file" ] || fail "$frontend_file fehlt"
done

# Final verdict: the exit status mirrors the accumulated result so a CI
# pipeline can gate on it.
if [ "$FAILED" -eq 0 ]; then
  echo "RELEASE CHECK OK"
  exit 0
else
  echo "RELEASE CHECK FAILED"
  exit 1
fi
