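#!/usr/bin/env bash
set -euo pipefail

# Verifies that binary artefacts tracked by git live only in approved locations.
#
# Approved roots are exactly what allowed_prefix matches: local-nugets, vendor,
# offline, plugins, tools, deploy, ops, third_party, docs/artifacts, samples
# and any Fixtures/fixtures directory below src/.
# NOTE(review): this header previously listed .nuget/packages as an allowed
# root, but allowed_prefix has no entry for it; confirm which one is intended.
#
# Only files known to `git ls-files` are inspected; untracked files are out of
# scope for this check.
#
# Exit status: 0 when the layout is clean, 1 when a violation is found, and
# non-zero (via `set -e`) when git or mktemp fails, so the check fails closed.

repo_root="$(git rev-parse --show-toplevel)"
cd "$repo_root"

# Extensions considered binary artefacts.
binary_ext="(nupkg|dll|exe|so|dylib|a|lib|tar|tar.gz|tgz|zip|jar|deb|rpm|bin)"

# Locations allowed to contain binaries. The `.*` in the src/ alternatives also
# spans '/', so a Fixtures directory at any depth below src/ qualifies.
allowed_prefix="^(local-nugets|local-nugets/packages|vendor|offline|plugins|tools|deploy|ops|third_party|docs/artifacts|samples|src/.*/Fixtures|src/.*/fixtures)/"

# Anchored pattern for "path ends in one of the binary extensions".
ext_re="\\.${binary_ext}\$"

# List tracked paths NUL-delimited. Without -z git C-quotes paths containing
# non-ASCII or control characters, the quoted string then fails the -f test
# below, and such a file would be skipped instead of checked. Writing to a
# temporary file (rather than a pipeline ending in `|| true`) lets a failing
# `git ls-files` abort the script instead of yielding an empty, passing result.
tracked_list="$(mktemp)"
trap 'rm -f -- "$tracked_list"' EXIT
git ls-files -z >"$tracked_list"

violations=()
while IFS= read -r -d '' path; do
  # Only consider files that currently exist in the working tree
  # (skip deleted placeholders).
  [[ -f "$path" ]] || continue

  # Extensions are compared case-insensitively so that names such as
  # FOO.DLL or setup.EXE are treated like their lowercase forms.
  shopt -s nocasematch
  if [[ "$path" =~ $ext_re ]]; then
    is_binary=1
  else
    is_binary=0
  fi
  shopt -u nocasematch

  # The allow-list stays case-sensitive; each path is matched as a whole, so
  # a newline inside a file name cannot make a later fragment look approved.
  if (( is_binary )) && ! [[ "$path" =~ $allowed_prefix ]]; then
    violations+=("$path")
  fi
done <"$tracked_list"

if (( ${#violations[@]} > 0 )); then
  echo "Binary artefacts found outside approved directories:" >&2
  printf '%s\n' "${violations[@]}" >&2
  exit 1
fi

printf "Binary layout OK (allowed roots: %s)\n" "$allowed_prefix"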