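#!/usr/bin/env bash
#
# Hardcoded-token gate: searches the app source directories for strings shaped
# like credentials and fails when any are found.
#
# Exit status:
#   0 - no candidate tokens found
#   1 - at least one candidate token found
#   2 - the scan itself could not run to completion (treated as a failure)
set -euo pipefail

# Resolve the repository root as two levels above this script, so the relative
# search paths below do not depend on the caller's working directory.
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
cd "$ROOT_DIR"

# Fail closed when the scanner is unavailable: a missing tool must not be
# reported as a clean scan.
if ! command -v rg >/dev/null 2>&1; then
  echo "Token scan error: ripgrep (rg) is not installed or not on PATH." >&2
  exit 2
fi

# Three alternatives:
#   1. the word "Token", whitespace, then 20+ characters of [A-Za-z0-9._-]
#   2. three dot-separated base64url segments starting with "eyJ" (JWT shape)
#   3. a run of 40 or more hex digits delimited by word boundaries
# Alternative 3 also matches non-secret hex such as commit hashes and digests,
# so false positives are expected and need a human look.
PATTERN='(Token[[:space:]]+[A-Za-z0-9._-]{20,}|eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}|\b[a-fA-F0-9]{40,}\b)'

# --only-matching with --replace prints path:line:[REDACTED] instead of the
# matched text, so a real credential is not copied into CI logs, which are
# often readable by a wider audience than the repository.
#
# NOTE(review): rg skips hidden and ignore-listed files by default, and the
# globs below exclude Tests/ and *.md; credentials in those locations are not
# covered by this gate. Add --hidden if tracked dotfiles should be scanned.
scan_status=0
MATCHES="$(rg -n --no-heading -S --only-matching --replace '[REDACTED]' "$PATTERN" \
  iphone WekoutThotViewer SharedCore \
  --glob '!**/*.xcodeproj/**' \
  --glob '!**/Tests/**' \
  --glob '!**/*.md' \
  --glob '!**/.build/**')" || scan_status=$?

# rg exits 0 when something matched, 1 when nothing matched, and with another
# status on error (for example an unreadable or missing search path). Only
# status 1 counts as a pass.
case "$scan_status" in
  0)
    echo "Potential hardcoded token(s) detected:" >&2
    printf '%s\n' "$MATCHES" >&2
    echo "If a match is intentional, redact it or move it to secure runtime configuration." >&2
    exit 1
    ;;
  1)
    echo "Token scan passed."
    ;;
  *)
    echo "Token scan error: rg exited with status ${scan_status}; treating the scan as failed." >&2
    if [[ -n "$MATCHES" ]]; then
      # Partial results can still exist when only some paths failed.
      echo "Potential hardcoded token(s) detected before the error:" >&2
      printf '%s\n' "$MATCHES" >&2
    fi
    exit 2
    ;;
esac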