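---
name: CI

# `on` is a YAML 1.1 boolean key; GitHub's loader handles it, so the
# yamllint truthy rule is suppressed for this line only.
on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Least privilege for the default GITHUB_TOKEN. Every job below only checks
# out the repository and uploads artifacts/coverage; none of them pushes,
# comments, or writes to the repo, so read-only contents is sufficient.
permissions:
  contents: read

jobs:
  # ── Backend tests ────────────────────────────────────────────────────────────
  backend:
    name: Backend Tests (Python ${{ matrix.python-version }})
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.11", "3.12"]
    # Placeholder values only (no real credentials are stored here). Real
    # credentials must come from `${{ secrets.* }}`, never from literals in
    # this file. DEMO_MODE is quoted because the consumer expects a string,
    # not a YAML boolean.
    env:
      GROQ_API_KEY: gsk_test_key
      GROQ_CODE_MODEL: llama-3.1-70b-versatile
      GROQ_REASON_MODEL: llama-3.1-8b-instant
      TOGETHER_API_KEY: test_together_key
      TOGETHER_EMBED_MODEL: togethercomputer/m2-bert-80M-8k-retrieval
      NEON_DATABASE_URL: postgresql://test:test@localhost/testdb
      UPSTASH_REDIS_REST_URL: https://test.upstash.io
      UPSTASH_REDIS_REST_TOKEN: test_token
      SUPABASE_URL: https://test.supabase.co
      SUPABASE_SERVICE_KEY: test_service_key
      SUPABASE_ANON_KEY: test_anon_key
      DEMO_MODE: "true"
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
          cache: pip

      - name: Install dependencies
        run: |
          pip install -r requirements.txt
          pip install -r requirements-test.txt

      - name: Run unit tests
        run: |
          pytest tests/unit -m unit \
            --cov=. \
            --cov-report=xml \
            --cov-report=term-missing \
            -v

      # --cov-append merges this run into the coverage.xml produced by the
      # unit step so a single report is uploaded below.
      - name: Run integration tests
        run: |
          pytest tests/integration -m integration \
            --cov=. \
            --cov-append \
            --cov-report=xml \
            -v

      # Upload once per matrix, from the oldest supported interpreter.
      - name: Upload coverage to Codecov
        if: matrix.python-version == '3.11'
        uses: codecov/codecov-action@v4
        with:
          files: ./coverage.xml
          fail_ci_if_error: false

  # ── Frontend tests ───────────────────────────────────────────────────────────
  frontend:
    name: Frontend Build Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: npm
          cache-dependency-path: frontend/package-lock.json

      - name: Install dependencies
        working-directory: frontend
        run: npm ci

      - name: Type check
        working-directory: frontend
        run: npx tsc --noEmit

      # Build-time values are placeholders; the anon key is a public client
      # key by design, but a real one still belongs in `secrets.*`.
      - name: Build
        working-directory: frontend
        env:
          VITE_API_BASE_URL: https://example.com
          VITE_SUPABASE_URL: https://test.supabase.co
          VITE_SUPABASE_ANON_KEY: test_anon_key
        run: npm run build

  # ── Security scan ────────────────────────────────────────────────────────────
  security:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install bandit
        run: pip install bandit[toml]

      # The scanned package list is kept identical to the ruff target list in
      # the lint job below so no package is linted but never security-scanned.
      # `continue-on-error` replaces the former `|| true`: findings still do
      # not block the pipeline, but the step is now shown as failed/annotated
      # in the run instead of being silently swallowed, and the JSON report is
      # still written for the upload step.
      - name: Run bandit security scan
        continue-on-error: true
        run: |
          bandit -r agent api connectors sandbox schema llm dashboard reports storage \
            -ll \
            --exclude tests \
            -f json -o bandit-report.json

      - name: Upload bandit report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: bandit-security-report
          path: bandit-report.json

  # ── Lint ─────────────────────────────────────────────────────────────────────
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install ruff
        run: pip install ruff

      - name: Run ruff
        run: ruff check agent api connectors sandbox schema llm dashboard reports storage --ignore E501,E402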