#!/usr/bin/env bash
set -euo pipefail

VIOLATIONS=$(git diff --cached --name-only --diff-filter=ACM |
  grep -E "\.(nu|rs)$" |
  grep -v "templates/" |
  grep -v "extensions/providers/" |
  grep -v "orchestrator/" |
  xargs grep -lE "^\^hcloud|^\^aws |^\^doctl|hcloud server" 2>/dev/null |
  grep -v "^$") || true

if [ -n "$VIOLATIONS" ]; then
  echo "SOLID VIOLATION: Provider API calls outside orchestrator:"
  echo "$VIOLATIONS"
  exit 1
fi

SSH_VIOLATIONS=$(git diff --cached --name-only --diff-filter=ACM |
  grep -E "\.(rs)$" |
  grep -E "control-center|vault-service" |
  xargs grep -lE "ssh2?::|russh::" 2>/dev/null) || true

if [ -n "$SSH_VIOLATIONS" ]; then
  echo "SOLID VIOLATION: SSH code outside orchestrator:"
  echo "$SSH_VIOLATIONS"
  exit 1
fi