#!/usr/bin/env bash
# redaction-check: scan a tree for private-network addresses, MAC addresses,
# mDNS (.local) hostnames, home-directory paths and SSH key material before it
# is published. This is a heuristic grep, not a guarantee of a clean tree.
#
# Usage:  redaction-check.sh [ROOT...]     (no ROOT means the current directory)
# Exit:   0 nothing found, 1 potential leak found, 2 ripgrep is not installed.
set -euo pipefail

# Scan roots come from argv; fall back to the working tree when none are given.
ROOTS=(.)
if (( $# > 0 )); then
  ROOTS=("$@")
fi

# ripgrep does all the scanning; abort with a distinct status (2, not the
# "findings" status 1) rather than let a missing tool read as "all clean".
command -v rg >/dev/null 2>&1 || {
  echo "redaction-check requires ripgrep: https://github.com/BurntSushi/ripgrep" >&2
  exit 2
}

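# Regexes in ripgrep (Rust) syntax for data that should not leave a private tree.
#
# NOTE: these are single-quoted, so a regex escape is written with ONE backslash.
# Written as '\\b', the string reaches ripgrep as a literal backslash followed by
# 'b' — never a word boundary — which silently turns every IP, MAC and key
# pattern into a no-op and makes the check pass on a leaking tree.
#
# Not covered (deliberately kept simple): IPv6 ULA/link-local, Windows home
# paths, cloud API keys. Expect some false positives; that is the safe side.
PATTERNS=(
  # RFC 1918 private ranges.
  '\b10\.(?:[0-9]{1,3}\.){2}[0-9]{1,3}\b'
  '\b192\.168\.[0-9]{1,3}\.[0-9]{1,3}\b'
  '\b172\.(?:1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}\b'
  # Link-local (169.254/16) and CGNAT (100.64/10, common for VPN/overlay nodes).
  '\b169\.254\.[0-9]{1,3}\.[0-9]{1,3}\b'
  '\b100\.(?:6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.[0-9]{1,3}\.[0-9]{1,3}\b'
  # MAC addresses, colon- or dash-separated.
  '\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b'
  # Home directories (macOS and Linux) embed a username.
  '/Users/[A-Za-z0-9._-]+'
  '/home/[A-Za-z0-9._-]+'
  # mDNS / Bonjour hostnames.
  '\b[A-Za-z0-9._-]+\.local\b'
  # OpenSSH fingerprints and public-key type prefixes.
  'SHA256:[A-Za-z0-9+/=]+'
  '\bssh-(?:rsa|dss|ed25519)\b|ecdsa-sha2-nistp'
  # PEM private-key headers ("BEGIN PRIVATE KEY", "BEGIN RSA PRIVATE KEY", ...).
  # Anchored on the word rather than the leading dashes so the pattern never
  # starts with '-' and cannot be mistaken for a ripgrep option.
  '\bBEGIN [A-Z ]*PRIVATE KEY\b'
)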

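# One ripgrep pass over every root with all patterns attached via -e, so each
# tree is read once and the exit status is unambiguous: 0 = at least one hit,
# 1 = no hit, anything else = ripgrep itself failed.
#   --hidden          dotfiles (.env, .ssh/, ...) are exactly where leaks live;
#                     ripgrep still honours .gitignore by default, so files that
#                     git would never publish are skipped on purpose.
#   --with-filename   a finding without a path cannot be acted on.
#   --glob            skip VCS metadata, bytecode, and this script's own patterns.
rg_args=(--hidden --with-filename --line-number
  --glob '!.git/**' --glob '!__pycache__/**' --glob '!redaction-check.sh')
for pattern in "${PATTERNS[@]}"; do
  rg_args+=(-e "$pattern")
done

# Capture the status instead of testing rg inside `if`: an `if rg ...` treats a
# tool error (unreadable root, bad glob, exit 2) the same as "no match" and the
# script would then report a clean tree it never actually scanned.
rc=0
rg "${rg_args[@]}" -- "${ROOTS[@]}" || rc=$?

case "$rc" in
  0)
    echo "Potential private network, host, path, MAC, or SSH-key data found." >&2
    exit 1
    ;;
  1)
    echo "No obvious private IPs, MACs, local hostnames, home paths, or SSH host keys found."
    ;;
  *)
    # Inconclusive is not clean: surface the failure and propagate its status.
    echo "redaction-check: ripgrep failed (exit $rc); result is inconclusive." >&2
    exit "$rc"
    ;;
esac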
