#!/usr/bin/env bash
# Validate shell files after Edit/Write/MultiEdit.
# PostToolUse hook: receives tool-call JSON on stdin.
#
# On success: exit 0 silent.
# On failure: emit JSON with hookSpecificOutput.additionalContext so Claude
# sees a structured error in its context, THEN exit 2 to block the tool
# pipeline. stderr still echoes the error for terminal visibility.
#
# Gate: shellcheck. It catches the bugs that define shell — unquoted
# expansions, unset variables, masked exit codes — and is the high-value,
# universally-agreed check. Formatting (shfmt) is deliberately NOT enforced
# here: shell has no single canonical style (tabs vs spaces), so blocking on
# it would impose a contested choice. bash.md recommends shfmt; this hook
# enforces correctness.
#
# Scope: .sh and .bash files, plus extensionless files whose first line is a
# sh/bash shebang (the CLI tools that fill a shell-heavy repo carry no
# extension).

set -u

# Emit a JSON failure payload and exit 2. Arguments:
#   $1 — short failure type (e.g. "SHELLCHECK FAILED")
#   $2 — file path
#   $3 — tool output (error body)
fail_json() {
    local ctx
    ctx="$(printf '%s: %s\n\n%s\n\nFix before proceeding.' "$1" "$2" "$3" \
        | jq -Rs .)"
    cat <<EOF
{"hookSpecificOutput": {"hookEventName": "PostToolUse", "additionalContext": $ctx}}
EOF
    printf '%s: %s\n%s\n' "$1" "$2" "$3" >&2
    exit 2
}

f="$(jq -r '.tool_input.file_path // .tool_response.filePath // empty')"
[ -z "$f" ] && exit 0
[ -f "$f" ] || exit 0

# Is this a shell file? By extension, or by shebang when it has no extension.
# Match on the basename, not the full path — a temp/parent dir can carry a dot
# (e.g. validate-bash-bats.XXXX/) and misfire the "*.*" extension test.
is_shell=0
base="${f##*/}"
case "$base" in
    *.sh | *.bash) is_shell=1 ;;
    *.*) is_shell=0 ;;  # some other extension — not ours
    *)
        # No extension: sniff the shebang.
        if head -1 "$f" 2>/dev/null | grep -qE '^#!.*\b(bash|sh)\b'; then
            is_shell=1
        fi
        ;;
esac
[ "$is_shell" -eq 1 ] || exit 0

# No shellcheck on this machine — nothing to validate, don't block the edit.
command -v shellcheck >/dev/null 2>&1 || exit 0

if ! out="$(shellcheck "$f" 2>&1)"; then
    fail_json "SHELLCHECK FAILED" "$f" "$out"
fi

exit 0