#!/usr/bin/env bash
# Pre-tool hook: block inline PowerShell, enforce .ps1 file approach.
#
# Blocks powershell.exe -Command and pwsh -Command / pwsh -c inline execution.
# Forces: write a .ps1 file, then run pwsh -NoProfile -File script.ps1
#
# Why: Git Bash expands $_ and mangles quoting before PowerShell sees the
# command. Inline execution fails 2-3 times before landing on the .ps1 approach.

input=$(cat)
cmd=$(echo "$input" | jq -r '.tool_input.command // ""' 2>/dev/null)

# Match: (powershell[.exe] | pwsh) followed by -Command or -c (as a flag, not a filename)
if echo "$cmd" | grep -qiE '^\s*(powershell(\.exe)?|pwsh)\s+(-Command|-c) ' || \
   echo "$cmd" | grep -qiE '^\s*(powershell(\.exe)?|pwsh)\s+(-Command|-c)$'; then
    echo "BLOCKED: Do not use powershell.exe or pwsh with inline -Command/-c arguments."
    echo ""
    echo "Git Bash mangles quoting and variable expansion before PowerShell sees the command."
    echo ""
    echo "Correct approach:"
    echo "  1. Write the script using the Write tool to a .ps1 file"
    echo "  2. Run: pwsh -NoProfile -File \"path/to/script.ps1\""
    exit 2
fi

exit 0