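@echo off
rem ---------------------------------------------------------------------------
rem Pre-push guard: refuses to push while git tracks files that look like
rem secrets, then pushes the master branch to the Gitea remote "origin".
rem
rem Scope of the check: it inspects the git index (currently tracked files)
rem only. A secret that was committed earlier and later removed is still in
rem history and is NOT detected here.
rem
rem Exit code: 1 when the check cannot run or a sensitive file is tracked,
rem otherwise the exit code of "git push".
rem ---------------------------------------------------------------------------
setlocal

rem Run from the folder that holds this script so relative paths resolve there.
cd /d "%~dp0"
if errorlevel 1 (
    echo [ERROR] Cannot change to the script directory.
    pause
    exit /b 1
)

echo.
echo [1/2] Checking for sensitive files...
echo.

rem Fail closed: the checks below read a git error as "not tracked", so a
rem missing git or a non-repository folder must stop the script here.
git rev-parse --is-inside-work-tree >nul 2>&1
if errorlevel 1 (
    echo [ERROR] git is not available or this folder is not a git repository.
    echo         Cannot verify tracked files, so the push is blocked.
    echo.
    pause
    exit /b 1
)

set FOUND=0

rem Exact env-file names, relative to this folder. --error-unmatch makes git
rem return non-zero when the path is not tracked.
rem NOTE(review): env files in subfolders are not covered by this list.
for %%F in (
    .env
    .env.local
    .env.production
    .env.secret
) do (
    git ls-files --error-unmatch "%%F" >nul 2>&1
    if not errorlevel 1 (
        echo [ERROR] Sensitive file is tracked by git: %%F
        set FOUND=1
    )
)

rem Name patterns for keys, certificates and credential files.
rem The patterns are passed straight to git as pathspecs instead of going
rem through "for %%P in (*.pem ...)": cmd expands wildcards in a plain FOR set
rem against files present in the current folder, which skips tracked files in
rem subfolders and tracked files missing from the working tree. In a git
rem pathspec "*" also matches "/", so subfolders are covered; the "*/name"
rem entries do the same for the fixed file names. --icase-pathspecs keeps the
rem match case-insensitive, as the Windows file-system expansion was.
for /f "delims=" %%T in ('git --icase-pathspecs ls-files -- "*.pem" "*.key" "*.p12" "*.pfx" "id_rsa" "*/id_rsa" "id_ed25519" "*/id_ed25519" "*secret*" "*password*" "*credential*" "*token*" "*apikey*" "*api_key*" "db.conf" "*/db.conf" "database.conf" "*/database.conf" 2^>nul') do (
    echo [ERROR] Sensitive file pattern tracked by git: %%T
    set FOUND=1
)

if %FOUND%==1 (
    echo.
    echo ============================================================
    echo  PUSH BLOCKED: Sensitive file found in git.
    echo.
    echo  Remove it with:
    rem The carets escape the angle brackets; a bare trailing caret would
    rem join this line with the next echo.
    echo    git rm --cached ^<file^>
    echo    git commit -m "remove sensitive file"
    echo.
    echo  Then add it to .gitignore to prevent future accidents.
    echo.
    echo  If the file was ever committed it is still in history:
    echo  rotate the secret and clean the history before pushing.
    echo ============================================================
    echo.
    pause
    exit /b 1
)

echo No sensitive files detected. Safe to push.
echo.
echo [2/2] Pushing to Gitea...
echo       https://gitea.no1king.freeddns.org/king/dbx-main.git
echo.

git push -u origin master
rem Keep the push result so the final pause does not overwrite it.
set PUSH_RC=%errorlevel%

if %PUSH_RC%==0 (
    echo.
    echo [OK] Push complete.
    echo      https://gitea.no1king.freeddns.org/king/dbx-main
    echo.
) else (
    echo.
    echo [ERROR] Push failed. Check your credentials or network.
    echo.
)

pause
exit /b %PUSH_RC%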