import * as vscode from 'vscode';
import * as path from 'path';
import * as fs from 'fs';

/**
 * Validates that a path is strictly within the workspace.
 * Prevents Path Traversal attacks by resolving real paths and checking boundaries.
 */
export function validatePath(workspaceRoot: string, targetPath: string): string {
    if (!workspaceRoot) {
        throw new Error("Security Violation: Workspace root not defined.");
    }

    const absolutePath = path.resolve(workspaceRoot, targetPath);
    const normalizedRoot = path.normalize(workspaceRoot).toLowerCase();
    const normalizedTarget = path.normalize(absolutePath).toLowerCase();
    const normalizedAntigravity = "/Volumes/Data/project/Antigravity".toLowerCase();

    if (!normalizedTarget.startsWith(normalizedRoot) && !normalizedTarget.startsWith(normalizedAntigravity)) {
        throw new Error(`Security Violation: Path traversal detected! Attempted to access ${absolutePath} which is outside allowed boundaries.`);
    }

    return absolutePath;
}

/**
 * Sanitizes terminal commands to prevent destructive actions.
 * Uses a combination of blocklist for dangerous patterns and recommendation for allowed tools.
 */
export function sanitizeCommand(command: string): string {
    const trimmedCmd = command.trim();
    
    // 1. Dangerous Shell Characters/Patterns (Blocklist)
    const dangerousPatterns = [
        /rm\s+-rf\s+\//,         // Root deletion
        /mkfs/,                  // Filesystem formatting
        /dd\s+if=/,               // Low-level disk writing
        />\s*\/dev\/sd/,         // Direct disk access
        /:(){:|:&};:/,           // Fork bomb
        /shutdown/,              // System shutdown
        /reboot/,                // System reboot
        /mv\s+.*\/dev\/null/     // Moving to null
    ];

    for (const pattern of dangerousPatterns) {
        if (pattern.test(trimmedCmd)) {
            throw new Error(`Security Violation: Destructive command pattern detected! Blocked: ${trimmedCmd}`);
        }
    }

    // 2. Allowlist of safe base commands (Optional but recommended)
    // For now, we allow common development tools
    const safeBaseCommands = [
        'npm', 'node', 'npx', 'git', 'python', 'python3', 'pip', 'pip3',
        'cargo', 'rustc', 'go', 'gcc', 'g++', 'make', 'ls', 'cat', 'echo',
        'mkdir', 'cp', 'mv', 'touch'
    ];
    
    const baseCmd = trimmedCmd.split(/\s+/)[0];
    if (baseCmd && !safeBaseCommands.includes(baseCmd)) {
        console.warn(`[Security] Warning: Running uncommon command '${baseCmd}'. Ensure this is intended.`);
    }

    return trimmedCmd;
}