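#!/bin/bash
#
# Config file sanitization: a check-and-tidy pass over the configs/ tree.
#
#   1. Warn about lines that look like committed passwords in YAML configs.
#   2. Restrict non-example, non-schema config files to mode 600.
#   3. Delete leftover temp/local config files.
#   4. Warn about real-looking credentials in configs/examples/.
#
# The credential checks are heuristic and advisory: they only print
# warnings, and the script still exits 0 when something is flagged.
# Hits are reported as "path:line" without the matched text, so a suspected
# secret is not copied into terminal scrollback or CI logs.
set -euo pipefail

readonly CONFIG_DIR="configs"

# Any "password:" line whose value does not end in '*'.
readonly PASSWORD_RE="password:.*[^*]"
# API-key-shaped tokens, or an unquoted password value.
readonly EXAMPLE_CRED_RE="(sk-[a-zA-Z0-9]{20,}|password: [^\"'*]+[^*])"

# Values that mark a line as an intentional placeholder.
readonly CONFIG_PLACEHOLDER_RE='example|dummy|changeme|your_|\[REDACTED\]'
readonly EXAMPLE_PLACEHOLDER_RE='example|dummy|changeme|your_'

#######################################
# Print "path:line" for every line under a directory that matches a
# credential pattern and does not contain a placeholder marker.
#
# The placeholder filter is applied to the line content only. Filtering
# grep -r output as a whole would also test the file path, so every hit
# under a directory such as configs/examples/ would be discarded because
# the path itself contains "example".
#
# Arguments: $1 - ERE matching suspicious lines
#            $2 - ERE matching placeholder values to ignore
#            $3 - directory to scan
#            $4.. - optional extra find(1) predicates (e.g. name filters)
# Outputs:   one "path:line" per hit on stdout (never the matched text)
# Returns:   0 if at least one hit was printed, 1 otherwise
#######################################
find_secret_lines() {
  local pattern=$1 placeholders=$2 dir=$3
  shift 3
  local file line_no status=1

  [[ -d "$dir" ]] || return 1

  while IFS= read -r -d '' file; do
    while IFS= read -r line_no; do
      printf '%s:%s\n' "$file" "$line_no"
      status=0
    # -I skips binary files; -n prefixes "lineno:", which cut keeps alone.
    done < <(grep -InE -- "$pattern" "$file" 2>/dev/null \
      | grep -vE -- "$placeholders" \
      | cut -d: -f1)
  done < <(find "$dir" -type f "$@" -print0 2>/dev/null)

  return "$status"
}

#######################################
# Set mode 600 on YAML/TOML configs, skipping files whose *name* contains
# "example" or "schema". The exclusion is by file name, not by directory.
# Best effort: a failure is reported but does not abort the script, so a
# file that stays group/world-readable is at least visible in the output.
#
# Arguments: $1 - directory to process
# Returns:   0 always
#######################################
lock_down_configs() {
  local dir=$1

  [[ -d "$dir" ]] || return 0

  # With "-exec ... +" find exits non-zero when any chmod call fails.
  if ! find "$dir" -type f \
    \( -name "*.yaml" -o -name "*.yml" -o -name "*.toml" \) \
    ! -name "*example*" ! -name "*schema*" \
    -exec chmod 600 {} + 2>/dev/null; then
    echo "WARNING: Could not set mode 600 on every config under ${dir}"
  fi
  return 0
}

main() {
  echo "=== Config File Sanitization ==="

  # Check only, never auto-fix: removing or rewriting a secret is a human
  # decision (a committed secret also needs rotating, not just deleting).
  echo "Checking for potential passwords in configs..."
  if find_secret_lines "$PASSWORD_RE" "$CONFIG_PLACEHOLDER_RE" "$CONFIG_DIR" \
    '(' -name "*.yaml" -o -name "*.yml" ')'; then
    echo "WARNING: Potential passwords found in configs (review above)"
  fi

  # Ensure all non-example configs have secure permissions.
  lock_down_configs "$CONFIG_DIR"

  # Remove temp config files; a missing file or directory is not an error.
  rm -f -- "$CONFIG_DIR"/.tmp.* 2>/dev/null || true
  rm -f -- "$CONFIG_DIR"/api/.local.* 2>/dev/null || true

  # Validate no real credentials in examples.
  if find_secret_lines "$EXAMPLE_CRED_RE" "$EXAMPLE_PLACEHOLDER_RE" \
    "$CONFIG_DIR/examples"; then
    echo "WARNING: Potential real credentials found in example configs!"
  fi

  echo "Config sanitization complete"
}

main "$@"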