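#!/usr/bin/env bash
#
# Scan a directory tree of JavaScript projects for lockfiles that resolve
# dependencies associated with a known compromised release set, and exit
# non-zero when any are found so the script can gate CI.
#
# Usage:    scan-lockfiles.sh [ROOT]
# ROOT      directory to search recursively (default below is the author's
#           personal projects folder; pass an explicit path elsewhere)
# Requires  ripgrep (rg) on PATH
#
# Exit status:
#   0  every lockfile was scanned and none matched
#   1  at least one lockfile matched, or rg / ROOT precondition failed
#   2  no match, but one or more lockfiles could not be read by rg
#      (a file that could not be scanned is never reported as SAFE)

set -uo pipefail

ROOT="${1:-/Users/farzin/Projects}"

# Indicators, matched as fixed strings (rg -F) so no escaping is needed.
# The version string is written in a different place in each lockfile
# format, so several spellings of the same two versions are listed:
#   plain-crypto-js            package name; appears verbatim in every format
#   axios@1.14.1, axios@0.30.4 pnpm-lock.yaml snapshot keys
#   axios@npm:1.14.1, ...      yarn berry "resolution:" entries
#   axios/-/axios-1.14.1.tgz   registry tarball path in the "resolved" field
#                              of package-lock.json and yarn classic, whose
#                              "version" line never names the package itself
readonly -a INDICATORS=(
  'plain-crypto-js'
  'axios@1.14.1'
  'axios@0.30.4'
  'axios@npm:1.14.1'
  'axios@npm:0.30.4'
  'axios/-/axios-1.14.1.tgz'
  'axios/-/axios-0.30.4.tgz'
)

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message text
#######################################
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Search one lockfile for every entry in INDICATORS.
# Globals:   INDICATORS (read)
# Arguments: $1 - lockfile path
# Outputs:   matching lines, prefixed with line numbers, to stdout;
#            rg's own diagnostics go to stderr
# Returns:   0 match found, 1 no match, 2 rg could not read the file
#######################################
scan_lockfile() {
  local -a rg_args=(-n -F)
  local indicator
  for indicator in "${INDICATORS[@]}"; do
    rg_args+=(-e "$indicator")
  done
  # "--" stops option parsing in case a path begins with "-".
  rg "${rg_args[@]}" -- "$1"
}

command -v rg >/dev/null 2>&1 || die "ripgrep (rg) is not installed."
[ -d "$ROOT" ] || die "directory does not exist: $ROOT"

echo "Starting scan in: $ROOT"
echo

infected_count=0
safe_count=0
error_count=0
lockfile_count=0

while IFS= read -r -d '' lockfile; do
  lockfile_count=$((lockfile_count + 1))
  project_dir="$(dirname "$lockfile")"

  echo "--------------------------------------------------"
  echo "[$lockfile_count] Checking lockfile:"
  echo "  $lockfile"
  echo "  Project dir: $project_dir"
  echo "  Running scan..."

  # Plain assignment (not "local") so $? is rg's status, not the assignment's.
  matches="$(scan_lockfile "$lockfile")"
  rc=$?

  case "$rc" in
    0)
      infected_count=$((infected_count + 1))
      echo "  Result: INFECTED"
      echo "  Matched lines:"
      printf '%s\n' "$matches" | sed 's/^/    /'
      ;;
    1)
      safe_count=$((safe_count + 1))
      echo "  Result: SAFE"
      ;;
    *)
      # rg exits 2 on I/O or permission errors; treat that as "not scanned".
      error_count=$((error_count + 1))
      echo "  Result: ERROR (rg exit status $rc; file was not scanned)" >&2
      ;;
  esac

  echo
done < <(
  find "$ROOT" -type f \
    \( -name "package-lock.json" -o -name "yarn.lock" -o -name "pnpm-lock.yaml" \) \
    -not -path "*/node_modules/*" \
    -not -path "*/.git/*" \
    -print0
)

echo "=================================================="
echo "Scan finished."
echo "Total lockfiles checked: $lockfile_count"
echo "SAFE: $safe_count"
echo "INFECTED: $infected_count"
echo "NOT SCANNED: $error_count"

if [ "$lockfile_count" -eq 0 ]; then
  printf 'Warning: no lockfiles found under %s; nothing was checked.\n' "$ROOT" >&2
fi

# Exit with error if any infected found (useful for CI); an unreadable
# lockfile is also a failure, since its contents are unknown.
if [ "$infected_count" -gt 0 ]; then
  echo "❌ Vulnerable dependencies detected!"
  exit 1
elif [ "$error_count" -gt 0 ]; then
  printf '⚠️  %s lockfile(s) could not be scanned.\n' "$error_count" >&2
  exit 2
else
  echo "✅ All lockfiles are safe."
  exit 0
fi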