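# Environment configuration for Xcode script phases
# Create `.xcode.env.local` for local customizations (not versioned)
#
# This file only defines a function and exports NODE_BINARY. It sets no shell
# options (`set -e`, `set -u`), so nothing leaks into a shell that sources it.

#######################################
# Locate a Node.js binary and print its path on stdout.
#
# Lookup order:
#   1. `node` as resolved through the current PATH
#   2. a fixed list of common absolute install locations
#   3. the nvm version pinned in "$HOME/.nvmrc", looked up under "$NVM_DIR"
#   4. the bare name "node" (unresolved fallback)
#
# Trust note: steps 1 and 3 follow PATH, HOME and NVM_DIR from the calling
# environment, so the result is only as trustworthy as whoever controls that
# environment. Only step 2 is independent of it. The checks below confirm
# that the result is an absolute path to an executable regular file; they do
# not verify who owns the file or what it contains.
#
# Globals:   PATH, HOME, NVM_DIR (read)
# Arguments: none
# Outputs:   the chosen path (or "node") on stdout; a warning on stderr when
#            falling back to the bare name
# Returns:   0 if an executable regular file was found, 1 on fallback
#######################################
find_node_binary() {
  # Everything is local, including the loop variable: a global named `path`
  # would leak into the sourcing shell (and in zsh `path` is tied to PATH).
  local node_path candidate nvmrc_file nvmrc_version nvm_node
  local -a candidates
  local -r version_re='^v?[0-9]+\.[0-9]+\.[0-9]+$'

  # 1. PATH lookup. `command -v` may also report a function or alias name,
  #    so accept the result only when it is an absolute path to an
  #    executable regular file.
  if node_path=$(command -v node 2>/dev/null); then
    if [[ "$node_path" == /* && -f "$node_path" && -x "$node_path" ]]; then
      printf '%s\n' "$node_path"
      return 0
    fi
  fi

  # 2. Well-known install locations, fixed here rather than taken from the
  #    environment.
  candidates=(
    "/opt/homebrew/bin/node"
    "/usr/local/bin/node"
    "/opt/node/bin/node"
    "/usr/bin/node"
  )
  for candidate in "${candidates[@]}"; do
    if [[ -f "$candidate" && -x "$candidate" ]]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done

  # 3. nvm: only when NVM_DIR is an absolute path that holds nvm.sh.
  if [[ -n "${HOME:-}" && "${NVM_DIR:-}" == /* && -f "${NVM_DIR}/nvm.sh" ]]; then
    nvmrc_file="$HOME/.nvmrc"
    if [[ -f "$nvmrc_file" && -r "$nvmrc_file" ]]; then
      # Keep only characters a version string may contain. The hyphen is the
      # last character of the set so tr reads it literally; written as
      # '.-_' it is a range that also lets '/', ':', '\' and others through.
      nvmrc_version=$(head -n 1 "$nvmrc_file" 2>/dev/null | tr -cd 'a-zA-Z0-9._-')

      # Strict allow-list: optional "v" plus MAJOR.MINOR.PATCH. Anything else
      # (aliases such as "lts/*", partial versions, path fragments) is
      # rejected before it can reach the path built below.
      if [[ "$nvmrc_version" =~ $version_re ]]; then
        # nvm names its version directories with a leading "v".
        nvmrc_version="v${nvmrc_version#v}"
        # Look under the NVM_DIR that was validated above, not a hard-coded
        # "$HOME/.nvm", so the guard and the lookup refer to the same tree.
        nvm_node="$NVM_DIR/versions/node/$nvmrc_version/bin/node"
        if [[ -f "$nvm_node" && -x "$nvm_node" ]]; then
          printf '%s\n' "$nvm_node"
          return 0
        fi
      fi
    fi
  fi

  # 4. Nothing verified. The bare name is resolved through PATH by whoever
  #    uses NODE_BINARY later, so say so instead of failing silently.
  printf 'warning: no Node.js binary found; falling back to "node" from PATH\n' >&2
  printf '%s\n' "node"
  return 1
}

# Assign first, export second: `export VAR=$(cmd)` hides the exit status.
# A non-zero status is the expected fallback signal and must not abort a
# caller that runs with `set -e`, hence the explicit `|| :`.
NODE_BINARY=$(find_node_binary) || :
export NODE_BINARY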