#!/bin/bash
#
# Git pre-push hook to enforce AI_POLICY.md
# Rejects any push that creates, updates or deletes a tag, so that AI assistants
# cannot push tags (tags should only be created by humans)
#

# This hook is called with the following parameters:
#
# $1 -- Name of the remote to which the push is being done
# $2 -- URL to which the push is being done
#
# If pushing without setting a remote, the remote name will be provided as "(no remote)"
# and the URL will be provided as "(no URL)".

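# The remote name ($1) and URL ($2) that Git passes are not consulted: the tag
# policy below applies to every remote.
#
# NOTE(security): a pre-push hook runs on the pushing machine and can be
# switched off there (the notices below document how), so it is a guardrail
# against accidental tag pushes, not an access control. If tags must be
# protected from a given account, enforce that on the receiving side as well
# (server-side hook or protected-tag rule).

# Print the banner (rule, headline, rule) followed by a blank line.
#   $1 - headline text
print_banner() {
    local rule="━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    printf '%s\n' "$rule" "$1" "$rule" ""
}

# Explain on stderr why creating or updating a tag was rejected.
#   $1 - tag name (the remote ref without its refs/tags/ prefix)
print_tag_push_notice() {
    local tag_name=$1
    local quoted
    # Git allows shell metacharacters such as ';' or '$' in ref names. The
    # notice invites the reader to copy and paste a command containing the
    # name, so embed a shell-quoted form there. Ordinary names (v1.2.3) are
    # printed unchanged.
    printf -v quoted '%q' "$tag_name"
    {
        print_banner "ERROR: Push rejected - AI assistants must NOT create or push tags"
        cat <<EOF
You attempted to push tag: $tag_name

Per AI_POLICY.md and the project's security architecture:
  • AI assistants work on asgard1 (working repository)
  • Tags are ONLY created on the human developer's PC
  • Tags represent releases and require human judgment

This is enforced to maintain:
  1. Human control over release versioning
  2. Clear separation of AI work vs. human approval
  3. Security in the multi-stage Git workflow

If you are a HUMAN developer who needs to push this tag:
  • Verify you are on your dev PC (NOT on asgard1)
  • Follow these steps to temporarily disable hooks:

    1) Verify current hooks path:
       git config core.hooksPath

    2) Disable hooks:
       git config core.hooksPath /dev/null

    3) Tag and push:
       git tag -a $quoted -m "release comment" && git push origin $quoted

    4) Re-enable hooks:
       git config core.hooksPath .ai/.githooks

    5) Verify hooks are re-enabled:
       git config core.hooksPath

  • IMPORTANT: Only use this for legitimate tag releases
  • Never bypass this hook on asgard1 (AI working repository)

EOF
    } >&2
}

# Explain on stderr why deleting a tag was rejected.
#   $1 - tag name (the remote ref without its refs/tags/ prefix)
print_tag_delete_notice() {
    local tag_name=$1
    local quoted
    # Same reason as in print_tag_push_notice: the name ends up inside a
    # command meant to be pasted into a shell.
    printf -v quoted '%q' "$tag_name"
    {
        print_banner "ERROR: Push rejected - AI assistants must NOT delete tags"
        cat <<EOF
You attempted to delete tag: $tag_name

Tag deletion requires human judgment and should only be done
from the human developer's PC, never from asgard1.

If you are a HUMAN developer who needs to delete this tag:
  • Verify you are on your dev PC (NOT on asgard1)
  • Understand the impact of deleting this tag
  • Follow these steps to temporarily disable hooks:

    1) Verify current hooks path:
       git config core.hooksPath

    2) Disable hooks:
       git config core.hooksPath /dev/null

    3) Delete tag locally and push deletion:
       git tag -d $quoted && git push origin :refs/tags/$quoted

    4) Re-enable hooks:
       git config core.hooksPath .ai/.githooks

    5) Verify hooks are re-enabled:
       git config core.hooksPath

  • IMPORTANT: Only use this for legitimate tag management
  • Never bypass this hook on asgard1 (AI working repository)

EOF
    } >&2
}

# Read the list of refs being pushed from stdin and reject the first tag ref.
# Format: <local ref> <local oid> <remote ref> <remote oid>
# Returns 0 when no ref targets refs/tags/, 1 after printing a notice.
check_pushed_refs() {
    local local_ref local_oid remote_ref remote_oid tag_name
    # -r keeps backslashes literal; the || clause still handles a final line
    # that lacks a trailing newline.
    while read -r local_ref local_oid remote_ref remote_oid || [[ -n "$local_ref" ]]; do
        [[ "$remote_ref" == refs/tags/* ]] || continue
        tag_name=${remote_ref#refs/tags/}

        # For a deletion Git supplies "(delete)" as the local ref and an
        # all-zero LOCAL oid; an all-zero remote oid only means the ref does
        # not exist on the remote yet. Testing this first keeps the deletion
        # notice reachable. The pattern covers SHA-1 and SHA-256 oid lengths.
        if [[ "$local_ref" == "(delete)" || "$local_oid" =~ ^0+$ ]]; then
            print_tag_delete_notice "$tag_name"
        else
            print_tag_push_notice "$tag_name"
        fi
        return 1
    done
    return 0
}

check_pushed_refs || exit 1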

# Reached only when no pushed ref was rejected above: allow the push.
exit 0
