#!/usr/bin/env node
/**
 * InsAIts Security Monitor — wrapper for run-with-flags compatibility.
 *
 * This thin wrapper receives stdin from the hooks infrastructure and
 * delegates to the Python-based insaits-security-monitor.py script.
 *
 * The wrapper exists because run-with-flags.js spawns child scripts
 * via `node`, so a JS entry point is needed to bridge to Python.
 */

'use strict';

const path = require('path');
const { spawnSync } = require('child_process');

const MAX_STDIN = 1024 * 1024;

let raw = '';
process.stdin.setEncoding('utf8');
process.stdin.on('data', chunk => {
  if (raw.length < MAX_STDIN) {
    raw += chunk.substring(0, MAX_STDIN - raw.length);
  }
});

process.stdin.on('end', () => {
  const scriptDir = __dirname;
  const pyScript = path.join(scriptDir, 'insaits-security-monitor.py');

  // Try python3 first (macOS/Linux), fall back to python (Windows)
  const pythonCandidates = ['python3', 'python'];
  let result;

  for (const pythonBin of pythonCandidates) {
    result = spawnSync(pythonBin, [pyScript], {
      input: raw,
      encoding: 'utf8',
      env: process.env,
      cwd: process.cwd(),
      timeout: 14000,
    });

    // ENOENT means binary not found — try next candidate
    if (result.error && result.error.code === 'ENOENT') {
      continue;
    }
    break;
  }

  if (!result || (result.error && result.error.code === 'ENOENT')) {
    process.stderr.write('[InsAIts] python3/python not found. Install Python 3.9+ and: pip install insa-its\n');
    process.stdout.write(raw);
    process.exit(0);
  }

  // Log non-ENOENT spawn errors (timeout, signal kill, etc.) so users
  // know the security monitor did not run — fail-open with a warning.
  if (result.error) {
    process.stderr.write(`[InsAIts] Security monitor failed to run: ${result.error.message}\n`);
    process.stdout.write(raw);
    process.exit(0);
  }

  if (result.stdout) process.stdout.write(result.stdout);
  if (result.stderr) process.stderr.write(result.stderr);

  // result.status is null when the process was killed by a signal or
  // timed out.  Treat that as an error rather than silently passing.
  if (!Number.isInteger(result.status)) {
    const signal = result.signal || 'unknown';
    process.stderr.write(`[InsAIts] Security monitor killed (signal: ${signal}). Tool execution continues.\n`);
    process.exit(0);
  }

  process.exit(result.status);
});