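#!/bin/sh
# CoM Enterprise — PostToolUse Download Validation Hook
# Scans downloaded files for suspicious patterns.
# POSIX-compatible (Git Bash + Linux).
# Usage: post-download-scan.sh <file>
#
# Exit status:
#   0 - no file given / file not found, scan clean, or file flagged as
#       possibly obfuscated (warn-only; the WARN audit line is the signal)
#   1 - a text-extension file starts with a PE ("MZ") or ELF header (blocking)
#
# Every run that reaches a verdict appends one line to audit.log next to
# this script:  <UTC timestamp> <OK|WARN> <event> <path>

FILE="$1"

if [ -z "$FILE" ] || [ ! -f "$FILE" ]; then
  printf '%s\n' "post-download-scan: No file to scan or file not found." >&2
  exit 0
fi

BASENAME=$(basename -- "$FILE")
LOGFILE="$(dirname -- "$0")/audit.log"

# log_event LEVEL EVENT
# Appends "<timestamp> LEVEL EVENT <path>" to the audit log. The path is
# written verbatim, so a file name containing a newline would span two
# log lines; consumers should not assume one line per scan.
log_event() {
  printf '%s %s %s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$1" "$2" "$FILE" >> "$LOGFILE"
}

# has_executable_header FILE
# Returns 0 when the first bytes are a PE/DOS magic (4d 5a, "MZ") or an
# ELF magic (7f 45 4c 46). The bytes are compared as hex via od rather
# than grepped: grep's "\x7f" is not a byte escape in POSIX regex, and a
# bare "ELF" pattern also matched ordinary text starting with those letters.
has_executable_header() {
  magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    4d5a*|7f454c46) return 0 ;;
    *) return 1 ;;
  esac
}

WARNED=0

# 1. Extension/content mismatch: a "text" extension hiding a native executable.
case "$BASENAME" in
  *.txt|*.md|*.json|*.yaml|*.yml|*.toml)
    if has_executable_header "$FILE"; then
      printf 'WARNING: %s claims to be text but contains executable headers.\n' "$BASENAME" >&2
      log_event WARN extension-mismatch
      exit 1
    fi
    ;;
esac

# 2. Obfuscation markers in text files. "file -b" omits the file name from
#    its output, so a name such as "textures.bin" cannot satisfy the text
#    check on its own. If "file" is missing this step is skipped, as before.
if file -b "$FILE" 2>/dev/null | grep -qiE 'text|ascii|utf'; then
  # The \x run is grouped as (\\x[0-9a-fA-F]{2}){4,}: the repeat must wrap
  # the whole escape, otherwise {4,} applies to the hex digits and a string
  # like "\x41\x42\x43\x44" is never matched. [[:space:]] replaces the
  # non-POSIX \s.
  if grep -qE '(eval[[:space:]]*\(|exec[[:space:]]*\(|base64_decode|fromCharCode|(\\x[0-9a-fA-F]{2}){4,})' "$FILE" 2>/dev/null; then
    printf 'WARNING: %s contains potentially obfuscated code (eval/exec/base64).\n' "$BASENAME" >&2
    log_event WARN obfuscated-code
    # Warn but don't block — human review required
    WARNED=1
  fi
fi

# 3. Record a clean result only when no warning was logged above, so the
#    audit log never shows "scan-clean" for a file that was just flagged.
if [ "$WARNED" -eq 0 ]; then
  log_event OK scan-clean
fi
exit 0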