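#!/bin/bash
# PreToolUse hook: block direct edits to credential files.
# Only .example templates should be modified — real secrets stay untouched.
#
# Input:  hook event JSON on stdin; the target path is read from
#         .tool_input.file_path.
# Exit:   0 allows the edit; 2 blocks it (diagnostic on stderr).
set -euo pipefail

input=$(cat)

# printf instead of echo: the payload is arbitrary data and echo may mangle
# a leading "-n"/"-e" or interpret backslash escapes.
# If the event cannot be parsed we cannot tell which file is being touched,
# so fail closed with the blocking status rather than letting set -e abort
# with an unhandled non-zero status.
if ! file_path=$(printf '%s' "$input" | jq -r '.tool_input.file_path // empty'); then
  echo "Blocked: could not parse hook input to determine the target file" >&2
  exit 2
fi

# No file path in input (e.g. Bash tool) — allow
if [[ -z "$file_path" ]]; then
  exit 0
fi

# "--" keeps a path that starts with "-" from being parsed as an option.
# (Renamed from "basename" so the variable does not shadow the command.)
name=$(basename -- "$file_path")

# Block known credential files (but allow .example templates).
# Only the exact basename is compared, so "99-claude.example" passes while
# "99-claude" in any directory is blocked.
case "$name" in
  99-claude|99-gemini|99-google|99-huggingface|99-replicate)
    echo "Blocked: do not edit credential files directly — edit the .example template instead" >&2
    exit 2
    ;;
esac

exit 0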