#!/usr/bin/env python3
import argparse
import re
from pathlib import Path


FORBIDDEN = [
    ("/picassox", re.compile(r"/picassox")),
    ("intelligent-cpfs", re.compile(r"intelligent-cpfs")),
    ("intern_beauty", re.compile(r"intern_beauty")),
    ("10.70.2.17", re.compile(r"10\.70\.2\.17")),
    ("/Users/whynotmeitu", re.compile(r"/Users/whynotmeitu")),
    ("/opt/tiger", re.compile(r"/opt/tiger")),
    ("PointVIS", re.compile(r"PointVIS")),
    ("hf token", re.compile(r"hf_[A-Za-z0-9]{20,}")),
    ("path_to_", re.compile(r"path_to_")),
    ("your-repo", re.compile(r"your-repo")),
    ("PATH_TO_", re.compile(r"PATH_TO_")),
    ("v137", re.compile(r"v137")),
]

SKIP_FILES = {
    Path("scripts/check_release.py"),
    Path(".gitignore"),
}


def main():
    parser = argparse.ArgumentParser(description="Check release tree for private paths and secrets.")
    parser.add_argument("root", nargs="?", default=".")
    args = parser.parse_args()

    root = Path(args.root).resolve()
    bad = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if any(part in {".git", "__pycache__", ".cache"} for part in path.parts):
            continue
        rel_path = path.relative_to(root)
        if rel_path in SKIP_FILES:
            continue
        if path.suffix.lower() in {".png", ".jpg", ".jpeg", ".bin", ".pt", ".pth", ".model"}:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for i, line in enumerate(text.splitlines(), 1):
            for label, pattern in FORBIDDEN:
                if pattern.search(line):
                    bad.append(f"{rel_path}:{i}: [{label}] {line[:180]}")
                    break

    if bad:
        print("Release check failed:")
        print("\n".join(bad))
        raise SystemExit(1)
    print(f"Release check passed: {root}")


if __name__ == "__main__":
    main()