use anyhow::{Context, Result};
use colored::Colorize;
use tsafe_core::audit::AuditEntry;
use crate::helpers::*;
pub(crate) fn cmd_git(profile: &str, args: Vec<String>) -> Result<()> {
use base64::{engine::general_purpose::STANDARD as B64, Engine as _};
use std::process::Command;
if args.is_empty() {
anyhow::bail!("no git subcommand given. Usage: tsafe git <subcommand> [args...]");
}
let vault = open_vault(profile)?;
let pat_key = std::env::var("TSAFE_GIT_PAT_KEY").unwrap_or_else(|_| "ADO_PAT".to_string());
let pat = vault.get(&pat_key).ok().map(|z| z.to_string());
drop(vault);
let mut cmd = Command::new("git");
cmd.args(&args);
if let Some(ref p) = pat {
let encoded = B64.encode(format!(":{p}"));
cmd.env("GIT_CONFIG_COUNT", "1");
cmd.env("GIT_CONFIG_KEY_0", "http.extraHeader");
cmd.env(
"GIT_CONFIG_VALUE_0",
format!("Authorization: Basic {encoded}"),
);
} else {
eprintln!(
"{} Vault key '{}' not found — running git without injected credentials.",
"i".blue(),
pat_key
);
}
audit(profile)
.append(&AuditEntry::success(profile, "git", None))
.ok();
let status = cmd.status().context("failed to spawn git")?;
std::process::exit(status.code().unwrap_or(1));
}