import { readdir, readFile, stat } from 'node:fs/promises';
import path from 'node:path';

const dist = path.resolve('dist');
const failures = [];

async function walk(dir) {
  const entries = await readdir(dir, { withFileTypes: true });
  const files = [];

  for (const entry of entries) {
    const fullPath = path.join(dir, entry.name);
    if (entry.isDirectory()) {
      files.push(...(await walk(fullPath)));
    } else {
      files.push(fullPath);
    }
  }

  return files;
}

try {
  await stat(dist);
} catch {
  throw new Error('dist/ does not exist. Run npm run build first.');
}

const files = await walk(dist);
const jsFiles = files.filter((file) => file.endsWith('.js'));

if (jsFiles.length > 0) {
  failures.push(
    `Unexpected JavaScript assets:\n${jsFiles.map((file) => `- ${file}`).join('\n')}`
  );
}

// Script tags are only allowed if they declare one of these safe `type`
// attributes (or are tagged with `data-theme-script`). All other scripts,
// including untyped ones, which default to executable JavaScript, are flagged.
const SAFE_SCRIPT_TYPES = new Set([
  'application/ld+json',
  'importmap',
  'speculationrules',
]);

function isSafeScriptTag(tag) {
  if (tag.includes('data-theme-script')) return true;
  if (tag.includes('data-thumbnail-iframe-script')) return true;
  const typeMatch = tag.match(/\btype=["']([^"']+)["']/i);
  if (!typeMatch) return false;
  return SAFE_SCRIPT_TYPES.has(typeMatch[1].trim().toLowerCase());
}

for (const file of files.filter((candidate) => candidate.endsWith('.html'))) {
  const html = await readFile(file, 'utf8');
  const scripts = (html.match(/<script\b[^>]*>/gi) ?? []).filter(
    (tag) => !isSafeScriptTag(tag)
  );
  if (scripts.length) {
    failures.push(`Unexpected script tag in ${file}:\n${scripts.join('\n')}`);
  }

  // Inline event handlers (onclick=, onload=, etc.) execute JavaScript even
  // without a <script> tag, so flag any attribute matching `on*=`. We strip
  // <script> blocks first to avoid false positives from JSON-LD payloads.
  const stripped = html.replace(/<script\b[\s\S]*?<\/script>/gi, '');
  const handlerMatches = stripped.match(/\son\w+=/gi);
  if (handlerMatches?.length) {
    const unique = [...new Set(handlerMatches.map((m) => m.trim()))];
    failures.push(`Unexpected inline event handler in ${file}:\n${unique.join('\n')}`);
  }
}

if (failures.length > 0) {
  console.error(failures.join('\n\n'));
  process.exit(1);
}

console.log('No unexpected JavaScript found in dist/.');