#!/usr/bin/env bash
set -euo pipefail

remote_name="${1:-}"
remote_url="${2:-}"

if [[ "$remote_name" != "tubco" && "$remote_url" != *"git.tub.co"* ]]; then
  exit 0
fi

allowed=0

while read -r local_ref local_sha remote_ref remote_sha; do
  [[ -z "${local_ref:-}" ]] && continue

  case "$local_ref" in
    refs/heads/release/tubco-*)
      allowed=1
      ;;
    refs/tags/tubco-baseline-*)
      allowed=1
      ;;
    *)
      echo "Blocked push to 'tubco': '$local_ref' is not an approved customer ref." >&2
      echo "Allowed refs:" >&2
      echo "  refs/heads/release/tubco-*" >&2
      echo "  refs/tags/tubco-baseline-*" >&2
      echo "Use origin for normal product work." >&2
      exit 1
      ;;
  esac
done

if [[ "$allowed" -eq 0 ]]; then
  echo "Blocked push to 'tubco': no approved TUBCO refs were detected." >&2
  exit 1
fi

exit 0
