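#!/usr/bin/env bash
# Secret Guard — Poka-yoke for world-readable credentials
#
# Scans a fixed set of directories for regular files that are readable by
# "other" and whose contents match a list of credential-looking keywords.
# Each hit is copied into a root-only quarantine directory and the original
# is tightened to mode 600. Every action is appended to ALERT_LOG (and
# echoed to stdout).
#
# Must run as root: it writes under /root and /var/log and chmods files it
# does not own. Intended for cron / timer use. Exits non-zero only on an
# unexpected error, never merely because something was found.
#
# NOTE(review) — operational caveats that are deliberately NOT changed here:
#   * The keyword list is broad (plain "token", "secret", "password", and
#     "nsec", which also matches words like "unsecure") and the scan covers
#     /etc. Configuration that legitimately contains these words and is
#     meant to be world-readable (PAM or ssh client config are likely
#     candidates) will match and be chmod'ed to 600, which can break
#     services that read it as an unprivileged user. Tune the pattern or add
#     an allow-list before running this outside a lab.
#   * /tmp and /home are writable by unprivileged users. A file reported by
#     find can be replaced before it is acted on; the re-check in the loop
#     below narrows that window but cannot close it.
set -euo pipefail

# Nothing this script creates (quarantine copies, the alert log) should be
# readable by anyone but root, even for the instant before chmod runs.
# It also keeps ALERT_LOG itself out of the scan: its messages contain the
# word "secret", so a world-readable log would match its own scanner.
umask 077

readonly ALERT_LOG="/var/log/bezalel_secret_guard.log"
readonly QUARANTINE_DIR="/root/wizards/bezalel/home/quarantine"
# Upper bound on hits handled per run (kept from the original `head -50`).
readonly MAX_HITS=50

mkdir -p -- "$QUARANTINE_DIR"
# `mkdir -p` leaves an existing directory's mode alone, so pin it: the
# quarantine holds copies of secrets.
chmod 700 "$QUARANTINE_DIR"

#######################################
# Append a timestamped line to ALERT_LOG and echo it to stdout.
# Globals:   ALERT_LOG (read)
# Arguments: $1 - message
#######################################
log() {
  printf '[%s] %s\n' "$(date -Iseconds)" "$1" | tee -a "$ALERT_LOG"
}

# Scan /root, /home, /etc and /tmp (depth <= 4) for world-readable regular
# files up to 1MB that contain a sensitive keyword, skipping VCS/vendored
# trees and bytecode. Results are collected NUL-separated so paths with
# whitespace or newlines survive intact.
#
# Why the flags:
#   grep -I   skip binary files (the comment promised this; previously no
#             flag actually did it)
#   grep -Z   NUL-terminate the -l output, matched by `head -z`
#   -name "*.pyc"  the original `-path "*/.pyc"` only matched a file
#             literally named ".pyc"
#   /var/log is not scanned: every hit there was skipped in the loop anyway,
#             so scanning it only burned slots in the MAX_HITS cap.
#
# Exit-status note: `find -exec grep {} +` returns non-zero whenever any
# batch of files has no match, and `head` closing the pipe early raises
# SIGPIPE. Under `set -euo pipefail` either one would terminate the script
# silently before anything is logged, so the pipeline's status is ignored
# on purpose. Per-file errors go to /dev/null as before.
mapfile -d '' -t bad_files < <(
  find /root /home /etc /tmp -maxdepth 4 -type f -perm /o+r 2>/dev/null \
    ! -path "*/.git/*" \
    ! -path "*/node_modules/*" \
    ! -path "*/venv/*" \
    ! -path "*/.venv/*" \
    ! -path "*/__pycache__/*" \
    ! -name "*.pyc" \
    ! -size +1M \
    -exec grep -lIZ -i -E 'password|token|secret|nsec|api_key|private_key|aws_access_key_id|aws_secret_access_key' -- {} + 2>/dev/null \
    | head -z -n "$MAX_HITS" || true
)

violations=0
for file in "${bad_files[@]}"; do
  # Already quarantined copies are mode 600 and should never match -perm
  # /o+r; the guard stays as belt and braces.
  if [[ "$file" == "$QUARANTINE_DIR"* ]]; then
    continue
  fi
  # Log files are expected to be world-readable. /var/log is no longer
  # scanned, so this only catches hits reached via another scanned root.
  if [[ "$file" == /var/log/* ]]; then
    continue
  fi

  # Re-validate immediately before acting. `cp` and `chmod` both follow
  # symlinks, so a user who swaps a planted /tmp file for a symlink between
  # the scan and this point could make root chmod (or copy) an arbitrary
  # file. Refuse anything that is no longer a plain regular file.
  if [[ -L "$file" || ! -f "$file" ]]; then
    log "SKIPPED: $file is no longer a regular file (changed since scan)"
    continue
  fi

  violations=$((violations + 1))
  base=${file##*/}
  # mktemp gives a unique name (two hits with the same basename in the same
  # second previously overwrote each other) and creates it mode 600 under
  # umask 077; cp onto an existing file keeps that mode.
  quarantine_path=$(mktemp "${QUARANTINE_DIR}/${base}.$(date +%s).XXXXXX")
  cp -- "$file" "$quarantine_path"
  chmod 600 "$quarantine_path"
  chmod 600 "$file"
  log "QUARANTINED: $file -> $quarantine_path (permissions fixed to 600)"
done

if (( violations > 0 )); then
  log "ALERT: $violations world-readable secret file(s) detected and quarantined."
else
  log "OK: No world-readable secret files found."
fi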