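#!/bin/sh
# CoM Enterprise — Session Cleanup Hook
# Scans shell history files for credential-like strings and reports how many
# lines match, prunes old shell snapshots, and reports the audit log size.
# NOTE: history files are only read, never rewritten. A WARNING below means the
# credential is still on disk; it has to be removed (and the secret rotated)
# separately.
# POSIX-compatible (Git Bash + Linux).
# Run at session end or via cron.

# The audit log is expected next to this script; it is only measured here.
LOGFILE="$(dirname -- "$0")/audit.log"

echo "=== CoM Session Cleanup — $(date -u '+%Y-%m-%dT%H:%M:%SZ') ==="

# 1. Scan shell history for credential patterns
# Heuristic and case-sensitive: upper-case keyword names plus a few vendor
# token prefixes. Zero matches is not proof that the history holds no secrets.
CRED_PATTERNS='(API_KEY|SECRET|TOKEN|PASSWORD|PRIVATE_KEY|sk-ant-|ghp_|gho_|xoxb-|xoxp-)'

# Print the number of lines in file $1 that match CRED_PATTERNS (always a
# single non-negative integer, "0" if the file cannot be read).
# Globals:   CRED_PATTERNS (read)
# Arguments: $1 - path of the file to scan
# Outputs:   the match count on stdout
count_cred_matches() {
  # grep -c prints "0" *and* exits 1 when nothing matches, so appending
  # "|| echo 0" inside the substitution would yield "0<newline>0" and break
  # the numeric test in the caller. Ignore the status, validate the text.
  _ccm_count=$(grep -cE -- "$CRED_PATTERNS" "$1" 2>/dev/null) || :
  case "$_ccm_count" in
    '' | *[!0-9]*) _ccm_count=0 ;;
  esac
  printf '%s\n' "$_ccm_count"
}

FOUND=0
# When this runs before the interactive shell exits, commands from the current
# session may not have been written to the history file yet and are then not
# covered by this scan.
for HISTFILE_PATH in "$HOME/.bash_history" "$HOME/.zsh_history"; do
  if [ -f "$HISTFILE_PATH" ]; then
    MATCHES=$(count_cred_matches "$HISTFILE_PATH")
    if [ "$MATCHES" -gt 0 ]; then
      # Only the count is printed: the matching lines (the secrets themselves)
      # never reach this script's output or anything that captures it.
      printf '%s\n' "WARNING: $MATCHES potential credential patterns found in $HISTFILE_PATH"
      # The suggested command prints the matching lines, i.e. the secrets; the
      # path is quoted so the hint still works when $HOME contains spaces.
      printf " Run: grep -nE '%s' \"%s\"\n" "$CRED_PATTERNS" "$HISTFILE_PATH"
      FOUND=$((FOUND + MATCHES))
    fi
  fi
done

if [ "$FOUND" -eq 0 ]; then
  echo "Shell history: CLEAN (no credential patterns detected)"
fi

# 2. Prune old shell snapshots (older than 7 days)
SNAPSHOT_DIR="$HOME/.claude/shell-snapshots"
if [ -d "$SNAPSHOT_DIR" ]; then
  # Delete and count in one pass: -print only runs for files that -delete
  # actually removed, so the reported number cannot drift from what happened
  # (the earlier count-then-delete form could). -delete is a find extension,
  # not POSIX; GNU find provides it.
  PRUNED=$(find "$SNAPSHOT_DIR" -type f -mtime +7 -delete -print 2>/dev/null | wc -l)
  if [ "$PRUNED" -gt 0 ]; then
    echo "Pruned $PRUNED shell snapshots older than 7 days"
  else
    echo "Shell snapshots: No stale files to prune"
  fi
else
  echo "Shell snapshots directory not found — skipping"
fi

# 3. Report audit log size
if [ -f "$LOGFILE" ]; then
  # Not named LINES: some shells maintain LINES as the terminal height.
  LOG_LINES=$(wc -l < "$LOGFILE")
  echo "Audit log: $LOG_LINES entries"
  if [ "$LOG_LINES" -gt 1000 ]; then
    echo "WARNING: Audit log exceeds 1000 lines. Consider rotating."
  fi
fi

echo "=== Cleanup complete ==="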