<#
.SYNOPSIS
    Writes a text report about sensitive profile directories and workspace "memory" files.
.DESCRIPTION
    Lists files under ~/.ssh, ~/.aws and ~/.config (capped at -MaxFiles per root) with size,
    modification time and a short hash of their first bytes, then previews the first
    -MaxPreviewChars of MEMORY.md / USER.md / SOUL.md / IDENTITY.md files found under -Workspace.
    The report is written to <OutDir>/report.txt.
.PARAMETER Workspace
    Directory searched recursively for memory files. Defaults to the current location.
.PARAMETER OutDir
    Directory that receives report.txt; created if missing.
.PARAMETER MaxFiles
    Upper bound on files listed per sensitive root and on memory files previewed.
.PARAMETER MaxPreviewChars
    Maximum number of characters copied from each memory file into the report.
#>
param(
    [string]$Workspace = (Get-Location).Path,
    [string]$OutDir = "audit_out",
    [int]$MaxFiles = 150,
    [int]$MaxPreviewChars = 200
)

# Turn non-terminating cmdlet errors into terminating ones so failures are not silently skipped;
# individual calls below opt out with -ErrorAction SilentlyContinue where a miss is expected.
$ErrorActionPreference = "Stop"

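#######################################
# Creates the directory at $Path if it does not already exist.
# Arguments: $Path - directory path (relative paths resolve against the PowerShell location)
# Outputs:   nothing (New-Item output is suppressed)
#######################################
function Ensure-Dir {
    param([string]$Path)
    # -LiteralPath: a path containing '[' or ']' would otherwise be parsed as a wildcard
    # and could report "exists" for the wrong item or miss an existing one.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
}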

#######################################
# Returns the first 12 lowercase hex characters of SHA-256 over the first $Count bytes of $Bytes.
# Arguments: $Bytes - input buffer
#            $Count - number of leading bytes to hash (must not exceed the buffer length)
# Outputs:   12-character lowercase hex string
#######################################
function Get-ShortHash {
    param([byte[]]$Bytes, [int]$Count)

    $digest = $null
    $algorithm = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $algorithm.ComputeHash($Bytes, 0, $Count)
    }
    finally {
        # Release the native handle even if ComputeHash throws (e.g. $Count out of range).
        $algorithm.Dispose()
    }
    # BitConverter yields "AA-BB-..."; strip separators and lowercase to match the x2 format.
    $hexDigest = [System.BitConverter]::ToString($digest).Replace("-", "").ToLowerInvariant()
    return $hexDigest.Substring(0, 12)
}

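#######################################
# Hashes up to the first $MaxBytes of a file and returns a 12-hex-char sample fingerprint.
# The fingerprint covers only the sampled prefix; it is suitable for change detection, not
# for asserting whole-file integrity of anything larger than $MaxBytes.
# Arguments: $Path     - file path; relative paths resolve against the PowerShell location
#            $MaxBytes - sample size in bytes (default 4096)
# Outputs:   12-character hex string, or "" for an empty file
# Throws:    on open/read failure (callers catch this)
#######################################
function Get-FileSampleHash {
    param([string]$Path, [int]$MaxBytes = 4096)

    if ($MaxBytes -le 0) {
        return ""
    }

    # .NET resolves relative paths against the process working directory, which is not
    # necessarily PowerShell's current location; resolve through the provider first.
    $resolved = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)

    # FileShare.ReadWrite lets the audit read files another process currently holds open for
    # writing (e.g. an agent or ssh-agent), which OpenRead's FileShare.Read would reject.
    $fs = New-Object System.IO.FileStream(
        $resolved,
        [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::ReadWrite
    )
    try {
        $buffer = New-Object byte[] $MaxBytes
        $read = $fs.Read($buffer, 0, $MaxBytes)
        if ($read -le 0) {
            return ""
        }
        return Get-ShortHash -Bytes $buffer -Count $read
    }
    finally {
        $fs.Dispose()
    }
}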

#######################################
# Appends one line of text to the report buffer.
# Arguments: $Lines - the report's string list (mutated in place)
#            $Text  - line to append
# Outputs:   nothing
#######################################
function Add-ReportLine {
    param([System.Collections.Generic.List[string]]$Lines, [string]$Text)
    # List[string].Add returns void; the cast guards against accidental pipeline output anyway.
    [void]$Lines.Add($Text)
}

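$report = New-Object System.Collections.Generic.List[string]
Add-ReportLine $report ("Sensitive Profile Audit Report - {0}" -f (Get-Date -Format "yyyy-MM-dd HH:mm:ss"))
Add-ReportLine $report ""

# $HOME is one of PowerShell's automatic variables and is read-only in a default session,
# so assigning to it fails with "Cannot overwrite variable ... read-only or constant".
# Keep the profile path in a script-owned name instead.
$userProfile = [Environment]::GetFolderPath("UserProfile")
# Roots that commonly hold credentials (SSH keys, cloud CLI credentials, tool configs).
$sensitiveRoots = @(
    (Join-Path $userProfile ".ssh"),
    (Join-Path $userProfile ".aws"),
    (Join-Path $userProfile ".config")
)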

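Add-ReportLine $report "== Sensitive Directories =="
foreach ($root in $sensitiveRoots) {
    Add-ReportLine $report ("Root: {0}" -f $root)
    # -LiteralPath: '[' / ']' in a profile path would otherwise be treated as wildcards.
    if (-not (Test-Path -LiteralPath $root)) {
        Add-ReportLine $report "  Status: Not found"
        continue
    }

    # -Force includes hidden/system entries so an audit of a credential directory does not
    # silently skip dotfiles. @() keeps $files an array even for zero or one result.
    $files = @(Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Select-Object -First $MaxFiles)
    if ($files.Count -eq 0) {
        Add-ReportLine $report "  Status: No files"
        continue
    }

    foreach ($f in $files) {
        $hash = ""
        try {
            # Sample hash only: a fingerprint of the first bytes, for change detection.
            $hash = Get-FileSampleHash -Path $f.FullName
        }
        catch {
            # Unreadable files (locked, permission denied) are still listed rather than dropped.
            $hash = "hash_error"
        }
        Add-ReportLine $report ("  File: {0} | Size: {1} | Modified: {2} | SampleHash: {3}" -f $f.FullName, $f.Length, $f.LastWriteTime, $hash)
    }

    # Make truncation visible: a silently capped listing would read as a complete inventory.
    if ($files.Count -eq $MaxFiles) {
        Add-ReportLine $report ("  Note: listing capped at {0} files; more may exist" -f $MaxFiles)
    }
}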

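Add-ReportLine $report ""
Add-ReportLine $report "== Workspace Memory Files =="
$memoryNames = @("MEMORY.md", "USER.md", "SOUL.md", "IDENTITY.md")
# -contains is case-insensitive, so memory.md also matches. @() normalises 0/1 results to an array.
$memFiles = @(Get-ChildItem -LiteralPath $Workspace -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $memoryNames -contains $_.Name } |
    Select-Object -First $MaxFiles)

if ($memFiles.Count -eq 0) {
    Add-ReportLine $report "No memory files found."
} else {
    foreach ($mf in $memFiles) {
        Add-ReportLine $report ("File: {0}" -f $mf.FullName)
        try {
            $content = Get-Content -LiteralPath $mf.FullName -Raw -ErrorAction SilentlyContinue
            if ($null -eq $content) {
                $content = ""
            }
            # Normalise line endings before truncating so the cut never lands between \r and \n
            # and the preview length is measured on the text that is actually written out.
            $preview = $content -replace "`r`n", "`n"
            if ($preview.Length -gt $MaxPreviewChars) {
                $preview = $preview.Substring(0, $MaxPreviewChars)
            }
            # NOTE: this copies raw file content into the report; whatever the memory file holds
            # (including any secrets) ends up in report.txt, so keep $MaxPreviewChars small.
            Add-ReportLine $report ("  Preview: {0}" -f $preview)
        }
        catch {
            Add-ReportLine $report "  Preview: <read error>"
        }
    }
    if ($memFiles.Count -eq $MaxFiles) {
        Add-ReportLine $report ("Note: listing capped at {0} files; more may exist" -f $MaxFiles)
    }
}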

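Ensure-Dir $OutDir
$reportPath = Join-Path $OutDir "report.txt"
# The report lists full paths under the user profile and raw previews of memory files, so it is
# itself sensitive output: keep $OutDir out of shared or synced locations and clean it up
# once reviewed. -LiteralPath avoids wildcard interpretation of the output path.
Set-Content -LiteralPath $reportPath -Value $report -Encoding UTF8

Write-Host ("[ok] report written to {0}" -f $reportPath)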
