"""Command safety detection module."""

import re
import shlex
from typing import Final, FrozenSet

# Regex sources searched against the raw command string. They are compiled
# case-insensitively below. The list is a denylist: a command that matches
# nothing here is unclassified, not proven safe, so callers should not treat
# it as the only control in front of a shell.
DANGEROUS_PATTERNS: Final[list[str]] = [
    # --- file removal / permissions / ownership ---
    r"\brm\s+(-[rf]+\s+|.*-rf)",  # rm with an r/f flag cluster, or a later "-rf"
    r"\bchmod\s+(-R\s+)?777",     # chmod 777, optionally recursive
    r"\bchown\s+",                # chown followed by whitespace
    # --- raw disk and filesystem tools ---
    r"\bdd\s+",                   # dd followed by whitespace
    r"\bmkfs\b",
    r"\b(fdisk|parted)\b",
    r">\s*/dev/sd",               # redirect into a path starting with /dev/sd
    # --- firewall and power state ---
    r"\biptables\b",
    r"\bshutdown\b",
    r"\breboot\b",
    # --- privilege escalation and nested shells ---
    r"\bsudo\b",
    r"\bsh\s+-c\b",
    r"\bbash\s+-c\b",
    r"\|.*\b(bash|sh)\b",         # anything piped into bash/sh
    # --- command substitution ---
    r"\$\([^)]+\)",               # $( ... )
    r"`[^`]+`",                   # ` ... `
]

# Program names compared with the first shlex token of a command.
DANGEROUS_COMMANDS: Final[frozenset[str]] = frozenset({
    "rm",
    "chmod",
    "chown",
    "dd",
    "mkfs",
    "fdisk",
    "parted",
    "iptables",
    "shutdown",
    "reboot",
    "init",
})

# Compiled once at import time so each check only pays for the search.
_COMPILED_PATTERNS: list[re.Pattern[str]] = [
    re.compile(source, flags=re.IGNORECASE) for source in DANGEROUS_PATTERNS
]


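def is_dangerous_command(cmd: str) -> bool:
    """
    Report whether a command string matches the module's danger rules.

    The check runs in two passes. First, every regex in
    ``_COMPILED_PATTERNS`` is searched against the raw string. Second, the
    string is tokenised with ``shlex.split`` and the program name (first
    token, with any directory prefix removed) is looked up in
    ``DANGEROUS_COMMANDS``.

    This is a denylist heuristic. ``False`` means no rule matched, not that
    the command is safe to run. The name lookup inspects only the first
    token, so anything later in the line is covered by the regex pass alone.

    Args:
        cmd: The command string to check.

    Returns:
        True if the command is considered dangerous, or if it cannot be
        tokenised; False otherwise.
    """
    if any(pattern.search(cmd) for pattern in _COMPILED_PATTERNS):
        return True

    try:
        parts = shlex.split(cmd)
    except ValueError:
        # shlex could not tokenise the input (e.g. an unclosed quote).
        # Fail closed rather than guess what a shell would do with it.
        return True

    if not parts:
        return False

    # Compare the base name so a path-qualified program (e.g. "/sbin/init")
    # is matched the same way as the bare name.
    program = parts[0].rsplit("/", 1)[-1]
    if program not in DANGEROUS_COMMANDS:
        return False

    if program == "rm":
        # Plain "rm file" is allowed; any option containing "r" or "f"
        # (short or long form) is treated as recursive/forced removal.
        return any(
            arg.startswith("-") and ("r" in arg or "f" in arg)
            for arg in parts[1:]
        )

    return True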


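def get_danger_reason(cmd: str) -> str | None:
    """
    Describe why a command was flagged as dangerous.

    The reason is picked by looking for command names as whole words, so a
    name that merely appears inside another word (``dd`` inside ``add``,
    ``rm`` inside ``format``) no longer selects the wrong description.
    Matching ignores case, as the detection patterns do.

    Args:
        cmd: The command string.

    Returns:
        A short user-facing description of the danger, or None when
        ``is_dangerous_command`` does not flag the command.
    """
    if not is_dangerous_command(cmd):
        return None

    def mentions(names: str) -> bool:
        # Whole-word, case-insensitive search for one of the "|"-separated names.
        return re.search(rf"\b(?:{names})\b", cmd, re.IGNORECASE) is not None

    if mentions("rm") and re.search(r"-(?:rf|fr)", cmd, re.IGNORECASE):
        return "递归强制删除文件"
    if mentions("chmod") and "777" in cmd:
        return "开放所有权限"
    if mentions("sudo"):
        return "需要 root 权限"
    if mentions("dd"):
        return "磁盘操作"
    if mentions("shutdown|reboot"):
        return "系统操作"

    # Flagged by a rule that has no dedicated description.
    return "潜在危险命令"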
