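# METADATA
# scope: package
# title: Block Makefile Edit (Bash)
# description: Blocks Bash edits to Makefile
# custom:
#   routing:
#     required_events: ["PreToolUse"]
#     required_tools: ["Bash"]
package cupcake.policies.opencode.block_makefile_bash

import rego.v1

# Regex (RE2 syntax, unanchored search via regex.match) describing shell
# command forms that write to a file named "Makefile". Each alternative:
#
#   >>?\s*(\S*/)?Makefile\b                  shell redirection (truncate or append)
#   sed\s+.*(-i|--in-place).*(\S*/)?Makefile\b   in-place sed
#   perl\s+-[pi].*(\S*/)?Makefile\b          in-place perl (-p/-i)
#   tee\s+.*(\S*/)?Makefile\b                tee into the file
#   (mv|cp)(\s+\S+)+\s+(\S*/)?Makefile\b     mv/cp with Makefile as the last argument
#
# Notes on the shape:
#   - "(\S*/)?" lets a path prefix such as "./Makefile" or "sub/Makefile" precede the
#     name; a bare "Makefile" without the prefix was the only form matched previously.
#   - "(\s+\S+)+" for mv/cp accepts any number of leading arguments (flags, several
#     sources); the previous "\s+\S+\s+" form required exactly one argument before
#     the destination, so e.g. "cp -f src Makefile" was not matched.
#   - "\b" after the name keeps "Makefiles" from matching while still matching
#     "Makefile.bak" (a boundary sits before "."); this mirrors the mv/cp handling
#     already in place and is accepted as a conservative over-match.
#   - Only the literal name "Makefile" is covered; "GNUmakefile" / "makefile" are
#     outside this rule.
#   - This is a pattern-based denylist: a write performed by a tool or syntax not
#     enumerated here is not blocked, so treat it as defense in depth rather than a
#     complete control.
pattern := `(>>?\s*(\S*/)?Makefile\b|sed\s+.*(-i|--in-place).*(\S*/)?Makefile\b|perl\s+-[pi].*(\S*/)?Makefile\b|tee\s+.*(\S*/)?Makefile\b|(mv|cp)(\s+\S+)+\s+(\S*/)?Makefile\b)`

# deny produces a decision for a PreToolUse event whose Bash command matches
# `pattern`. When input.tool_input.command is absent the rule is undefined and
# nothing is denied.
deny contains decision if {
	input.hook_event_name == "PreToolUse"
	input.tool_name == "Bash"
	command := input.tool_input.command
	regex.match(pattern, command)
	decision := {
		"rule_id": "BUILD-001",
		"reason": "Makefile edits are prohibited.",
		"severity": "HIGH",
	}
}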