.github/workflows/ci.yml

name: CI

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

permissions:
  contents: read

jobs:
  test-and-secure:
    runs-on: ubuntu-latest

    env:
      # Safe fallback for CI only (matches your app behavior)
      ALLOW_DEV_SALT: "true"

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      - name: Cache pip dependencies
        uses: actions/cache@v4
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt
          pip install pytest ruff bandit pip-audit

      - name: Lint (Ruff)
        run: |
          ruff check .

      - name: Format Check (Ruff)
        run: |
          ruff format --check .

      - name: Security Scan (Bandit)
        run: |
          bandit -r osint_core/ -ll

      - name: Dependency Audit (pip-audit)
        run: |
          pip-audit

      - name: Run Tests (Pytest)
        run: |
          pytest -v --tb=short

  drift-guard:
    runs-on: ubuntu-latest
    needs: test-and-secure

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Verify critical files exist
        run: |
          test -f osint_core/intent.py
          test -f osint_core/policy.py
          test -f osint_core/validators.py

      - name: Prevent forbidden tools from entering repo
        run: |
          if grep -R -E "nmap|masscan|sqlmap|metasploit" .; then
            echo "❌ Forbidden tooling detected"
            exit 1
          fi

      - name: Enforce passive-first invariant
        run: |
          if grep -R "requests.get(" osint_core/ | grep -v "authorized"; then
            echo "⚠️ Potential unauthorized outbound request"
            exit 1
          fi

      - name: Validate YAML integrity
        run: |
          python -c "import yaml, sys; yaml.safe_load(open('data/sources.yaml'))"

      - name: Check for raw indicator leakage
        run: |
          if grep -R -E "example\.com|@gmail\.com|192\.168\." osint_core/; then
            echo "⚠️ Possible raw indicator leakage"
            exit 1
          fi