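#!/usr/bin/env bash
# KEYHUNTER-HOOK v1 — managed by `keyhunter hook install`
# Remove via `keyhunter hook uninstall`.
#
# Git pre-commit hook: runs `keyhunter scan --exit-code` over the files staged
# for this commit (added, copied, modified or renamed) and blocks the commit
# when the scan reports findings or fails.
#
# This is a client-side control only: `git commit --no-verify` skips it, so a
# server-side or CI scan is still needed to enforce the policy.
set -e
# Without pipefail a failing `git diff` on the left of the pipe would be hidden
# behind xargs' status and the commit would go through unscanned.
set -o pipefail

# NOTE(review): keyhunter is handed path names, so it reads the working-tree
# copy of each file. After a partial `git add -p` that copy can differ from the
# staged content that is actually committed — confirm whether keyhunter can
# scan the index content instead.
# NOTE(review): a staged path that begins with "-" would reach keyhunter as an
# option; add an end-of-options marker if `keyhunter scan` accepts one.

# Paths travel NUL-delimited (-z / -0). Newline-separated names fed to plain
# xargs are split on spaces and quotes, and git C-quotes unusual names, so a
# file such as "prod secrets.env" would never reach the scanner under its real
# name. `xargs -r` skips the scan entirely when nothing is staged.
#
# `|| status=$?` keeps `set -e` from aborting before the message below can be
# printed. The status is xargs' own: GNU xargs reports 123 when keyhunter exits
# with 1 (findings) or 2 (scan error). Any non-zero value blocks the commit.
status=0
git diff --cached --name-only -z --diff-filter=ACMR |
  xargs -0 -r keyhunter scan --exit-code || status=$?

if [ "$status" -ne 0 ]; then
  echo "keyhunter: pre-commit blocked (exit $status). Run 'git commit --no-verify' to bypass." >&2
  exit "$status"
fi
exit 0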