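#!/bin/bash
# Daily security self-check for the OpenClaw workspace.
#
# Steps (each one is best-effort; a failing step is recorded in the report and
# the scan carries on):
#   1. record the mode of every .env / .key / secrets* file in the workspace
#   2. grep markdown files for API-key-shaped tokens (hits are redacted)
#   3. run the built-in `openclaw security audit --deep`
#   4. list the last 20 commits and count key-shaped strings in their diffs
#   5. tighten permissions on secret files and on ~/.openclaw/secure
#   6. list files newer than SOUL.md
#
# Output: <workspace>/security/scan-YYYY-MM-DD.md, created owner-readable only,
# since it itself names where secrets live.
#
# Usage: ./security-scan.sh   (no arguments; reads $HOME)

# Deliberately no `set -e`: every section must run even if an earlier one fails.
set -u -o pipefail

readonly OPENCLAW_HOME="$HOME/.openclaw"
readonly WORKSPACE="$OPENCLAW_HOME/workspace-oliver"
readonly SECURITY_DIR="$WORKSPACE/security"
REPORT_FILE="$SECURITY_DIR/scan-$(date +%Y-%m-%d).md"
readonly REPORT_FILE

# ERE for the token shapes we look for (OpenAI sk-, Google AIza, GitHub ghp_,
# Tavily tvly-). Same alternatives as before, now one shared pattern used by
# both the markdown and the git-history scan.
readonly KEY_PATTERN='sk-[a-zA-Z0-9]{20,}|AIza[a-zA-Z0-9]{35}|ghp_[a-zA-Z0-9]{36}|tvly-[a-zA-Z0-9]{20,}'

#######################################
# Append one line to the report.
# Globals:   REPORT_FILE (read)
# Arguments: the text to append (joined with spaces)
# printf rather than echo so a line starting with "-" is not eaten as an option.
#######################################
report() {
  printf '%s\n' "$*" >> "$REPORT_FILE"
}

#######################################
# Mask everything after the first 8 characters of the matched token in
# `path:line:token` lines from `grep -no`. The provider prefix stays readable;
# the credential itself never lands in the report (the old scan appended the
# full matching line, so every report became a second copy of the secret that
# the next day's scan then re-found).
# Input:  grep -rno output on stdin
# Output: redacted lines on stdout
#######################################
redact_hits() {
  sed -E 's/:([^:]{8})[^:]*$/:\1[redacted]/'
}

#######################################
# Section 1: record the mode of every .env / .key / secrets* file.
# GNU stat (-c) is tried first. On GNU, `stat -f` means --file-system and
# would treat the format string as a file name, so the previous BSD-first
# order emitted filesystem info plus a second line on Linux.
# Globals: WORKSPACE (read)
#######################################
scan_permissions() {
  local path mode
  report "## File Permissions"
  while IFS= read -r -d '' path; do
    mode=$(stat -c '%a %n' "$path" 2>/dev/null || stat -f '%A %N' "$path" 2>/dev/null) \
      || mode="?   $path"
    report "  $mode"
  done < <(find "$WORKSPACE" \( -name '*.env' -o -name '*.key' -o -name 'secrets*' \) -print0 2>/dev/null)
  report ""
}

#######################################
# Section 2: key-shaped tokens in markdown files, reported as
# path:line:prefix[redacted].
# Globals: WORKSPACE, KEY_PATTERN (read)
#######################################
scan_markdown() {
  local hits
  report "## Exposed Keys in Markdown"
  hits=$(grep -rnoE --include='*.md' -e "$KEY_PATTERN" -- "$WORKSPACE" 2>/dev/null | redact_hits)
  if [[ -n "$hits" ]]; then
    report "$hits"
  else
    report "  None found"
  fi
  report ""
}

#######################################
# Section 3: built-in audit. stderr is redirected after stdout so both land in
# the report (`2>&1 >> file` sent stderr to the terminal instead).
# Globals: REPORT_FILE (read)
#######################################
run_openclaw_audit() {
  report "## OpenClaw Security Audit"
  if command -v openclaw >/dev/null 2>&1; then
    openclaw security audit --deep >> "$REPORT_FILE" 2>&1 \
      || report "  (audit exited with status $?)"
  else
    report "  openclaw not found in PATH; audit skipped"
  fi
  report ""
}

#######################################
# Section 4: last 20 commits plus a count of key-shaped strings in their
# diffs. Only the count is written, never the matching content.
# Globals: WORKSPACE, KEY_PATTERN, REPORT_FILE (read)
#######################################
scan_git_history() {
  local hits
  report "## Git History Check"
  if git -C "$WORKSPACE" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    git -C "$WORKSPACE" log --oneline -20 2>/dev/null >> "$REPORT_FILE"
    hits=$(git -C "$WORKSPACE" log -p -20 2>/dev/null | grep -cE -e "$KEY_PATTERN")
    report "  Key-pattern matches in last 20 diffs: ${hits:-0}"
  else
    report "  No git history"
  fi
  report ""
}

#######################################
# Section 5: tighten permissions.
# Secret files become 600 (-type f, so a directory that happens to match the
# name is not made unreadable). Under secure/, directories become 700; files
# only lose group/other bits, so an owner-executable script keeps its x bit
# (chmod 700 on every entry also made plain files executable).
# Globals: WORKSPACE, OPENCLAW_HOME (read)
#######################################
fix_permissions() {
  find "$WORKSPACE" \( -name '*.env' -o -name '*.key' \) -type f -exec chmod 600 -- {} + 2>/dev/null
  if [[ -d "$OPENCLAW_HOME/secure" ]]; then
    find "$OPENCLAW_HOME/secure" -type d -exec chmod 700 -- {} + 2>/dev/null
    find "$OPENCLAW_HOME/secure" ! -type d -exec chmod go-rwx -- {} + 2>/dev/null
  fi
  report "## Permissions Auto-Fixed"
  report "  chmod 600 applied to .env and .key files; group/other access removed under secure/"
  report ""
}

#######################################
# Section 6: files newer than SOUL.md, excluding memory/security/sessions
# paths. A missing reference file is reported instead of silently reading as
# "None".
# Globals: WORKSPACE (read)
#######################################
list_new_files() {
  local ref="$WORKSPACE/SOUL.md" new_files
  report "## New Files This Week"
  if [[ ! -e "$ref" ]]; then
    report "  Reference file $ref missing; cannot determine what is new"
  else
    new_files=$(find "$WORKSPACE" -newer "$ref" -type f 2>/dev/null | grep -vE 'memory|security|sessions')
    if [[ -n "$new_files" ]]; then
      report "$new_files"
    else
      report "  None"
    fi
  fi
}

main() {
  # The report names every secret-bearing file; keep it owner-only, and fix the
  # mode explicitly in case an older, wider-mode report is being overwritten.
  umask 077
  mkdir -p -- "$SECURITY_DIR" || { printf 'cannot create %s\n' "$SECURITY_DIR" >&2; exit 1; }
  printf '# Security Scan — %s\n\n' "$(date +%Y-%m-%d)" > "$REPORT_FILE"
  chmod 600 -- "$REPORT_FILE" 2>/dev/null

  scan_permissions
  scan_markdown
  run_openclaw_audit
  scan_git_history
  fix_permissions
  list_new_files

  report ""
  printf 'Scan complete: %s\n' "$REPORT_FILE"
}

main "$@"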
