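# CI workflow: lint, format-check, static security scan, dependency audit and
# tests on every push/PR to main, followed by a "drift-guard" job that fails
# the build if the repository drifts away from its passive-first OSINT policy.
#
# Supply-chain note: the third-party actions below are pinned to major tags.
# For a stricter posture pin each `uses:` to a full-length commit SHA and let
# Dependabot/Renovate move the pin (no SHAs are invented here; look them up).
name: CI

# `on` is a YAML 1.1 boolean to generic parsers; GitHub's loader handles it.
on:  # yamllint disable-line rule:truthy
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

# Least privilege: the default GITHUB_TOKEN only needs to read the repository.
permissions:
  contents: read

defaults:
  run:
    # Explicit bash gives `-eo pipefail`, so a failing command inside a
    # pipeline (e.g. the `git grep | grep -v` guard below) is not masked.
    shell: bash

jobs:
  test-and-secure:
    runs-on: ubuntu-latest
    # Bound runaway jobs (hung installs, stuck tests); 15 minutes is a
    # constructed default — adjust to the observed run time.
    timeout-minutes: 15
    env:
      # Quoted on purpose: the consumer expects the string "true", not a bool.
      ALLOW_DEV_SALT: "true"
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          # Quoted so YAML does not turn the version into a float.
          python-version: "3.13"

      - name: Cache pip dependencies
        uses: actions/cache@v4
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          python -m pip install -r requirements.txt
          python -m pip install pytest ruff bandit pip-audit

      - name: Lint with Ruff
        run: ruff check .

      - name: Check formatting with Ruff
        run: ruff format --check .

      - name: Security scan with Bandit
        # -ll: report findings of medium severity and above.
        run: |
          bandit -r osint_core/ -ll

      - name: Audit Python dependencies
        # Checks the pinned requirements against known-vulnerability advisories.
        run: |
          pip-audit -r requirements.txt

      - name: Run tests
        run: |
          pytest -v --tb=short

  drift-guard:
    runs-on: ubuntu-latest
    needs: test-and-secure
    timeout-minutes: 10
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      - name: Install YAML parser
        run: |
          python -m pip install --upgrade pip
          python -m pip install PyYAML

      - name: Verify critical files exist
        # bash -e makes any failing `test -f` fail the step.
        run: |
          test -f osint_core/intent.py
          test -f osint_core/policy.py
          test -f osint_core/validators.py

      - name: Prevent forbidden tools from entering repo
        # Substring match: any line mentioning these tool names fails the
        # build, except in this workflow, the README and docs/ which are
        # expected to mention them. Word fragments (e.g. "unmapped" contains
        # "nmap") will also trip this guard; review false positives rather
        # than loosening the pattern.
        run: |
          if git grep -n -I -E "nmap|masscan|sqlmap|metasploit" -- . \
              ':(exclude).github/workflows/*' \
              ':(exclude)README.md' \
              ':(exclude)docs/*'; then
            echo "Forbidden tooling detected"
            exit 1
          fi

      - name: Enforce passive-first invariant
        # -F makes the pattern literal: without it "." matches any character
        # and the check would also fire on e.g. "requests_get(". A line is
        # allowed only if it also contains the literal marker "authorized".
        run: |
          if git grep -n -I -F "requests.get(" -- osint_core/ | grep -v -F "authorized"; then
            echo "Potential unauthorized outbound request"
            exit 1
          fi

      - name: Validate YAML integrity
        # safe_load only: never yaml.load on repository data. The file is
        # opened in a `with` block so the handle is closed deterministically.
        run: |
          python - <<'PY'
          import yaml
          with open('data/sources.yaml', encoding='utf-8') as f:
              yaml.safe_load(f)
          PY

      - name: Check for raw indicator leakage
        # Fails if literal sample domains/addresses appear in the library
        # source; fixtures belong in tests or docs, not in osint_core/.
        run: |
          if git grep -n -I -E "example\.com|@gmail\.com|192\.168\." -- osint_core/; then
            echo "Possible raw indicator leakage"
            exit 1
          fi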