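---
# Security Audit CI Workflow
# Runs automated security checks on every push and PR.
#
# SECURITY NOTE: This workflow does not use any untrusted inputs
# (issue titles, PR descriptions, etc.) in run commands. It triggers on
# `pull_request`, not `pull_request_target`, so PRs from forks run with a
# read-only token and without access to repository secrets.
#
# Hardening applied in this file:
#   - least-privilege GITHUB_TOKEN: `permissions: contents: read` at the top
#     level; the one job that needs more widens it explicitly
#   - third-party tooling is installed with `cargo install --locked` from
#     crates.io, never by piping a remote installer script into `sh`
#   - the WASM size gate fails when the artifact is missing instead of
#     silently passing
#
# TODO(review): pin third-party actions to a full commit SHA
# (`uses: owner/repo@<40-char sha>  # vN`) rather than a mutable tag, so a
# force-pushed or compromised tag cannot change what runs here. SHAs are
# deliberately not guessed in this file.

name: Security Audit

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    # Run weekly on Sundays at midnight (GitHub cron schedules are UTC)
    - cron: '0 0 * * 0'

# Least privilege: no job in this workflow needs to write to the repository.
# Jobs that need anything beyond read access declare it at job level.
permissions:
  contents: read

jobs:
  # ============================================================================
  # Vulnerability Scanning
  # ============================================================================
  cargo-audit:
    name: Vulnerability Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        # NOTE(review): the toolchain action with `components`/`targets`
        # inputs (used by the clippy and wasm jobs below) is
        # dtolnay/rust-toolchain; the previous reference `dtolnay/rust-action`
        # did not match that name.
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-audit
        # --locked honours cargo-audit's own Cargo.lock so the tool is built
        # from a known dependency set rather than whatever resolves today.
        run: cargo install cargo-audit --locked
      - name: Run cargo-audit
        # Advisory-database warnings (unmaintained, yanked, …) fail the job,
        # not just vulnerabilities.
        run: cargo audit --deny warnings

  # ============================================================================
  # License & Policy Check
  # ============================================================================
  cargo-deny:
    name: License & Security Policy
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run cargo-deny
        # Runs every cargo-deny check (advisories, bans, licenses, sources)
        # against the repository's deny.toml — presumably committed at the
        # repo root; confirm.
        uses: EmbarkStudios/cargo-deny-action@v1
        with:
          command: check all

  # ============================================================================
  # Static Analysis
  # ============================================================================
  clippy:
    name: Static Analysis (Clippy)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy
      - name: Run Clippy
        # unwrap/expect are denied so a panic path cannot slip into
        # security-relevant code unnoticed.
        # NOTE(review): `-W clippy::pedantic` is given after `-D warnings`;
        # whether pedantic findings end up as errors or warnings depends on
        # how rustc resolves the `warnings` group — confirm the intended
        # severity in a real run.
        run: |
          cargo clippy --all-targets --all-features -- \
            -D warnings \
            -D clippy::unwrap_used \
            -D clippy::expect_used \
            -W clippy::pedantic

  # ============================================================================
  # Secret Scanning
  # ============================================================================
  secrets-scan:
    name: Secret Detection
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # NOTE(review): gitleaks-action v2 posts findings as PR comments by
      # default (GITLEAKS_ENABLE_COMMENTS); that needs pull-requests: write.
      # Drop this line if commenting is disabled.
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so gitleaks scans every commit, not just HEAD.
          fetch-depth: 0
      - name: Detect secrets with gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # ============================================================================
  # Dependency Freshness
  # ============================================================================
  outdated:
    name: Check Outdated Dependencies
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-outdated
        run: cargo install cargo-outdated --locked
      - name: Check outdated
        # `--exit-code 1` makes stale direct deps visible as a red step, but
        # `continue-on-error` keeps this advisory: it must not block merges.
        run: cargo outdated --root-deps-only --exit-code 1
        continue-on-error: true

  # ============================================================================
  # Unsafe Code Detection
  # ============================================================================
  geiger:
    name: Unsafe Code Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-geiger
        run: cargo install cargo-geiger --locked
      - name: Run cargo-geiger
        # Reports the ratio of unsafe code per crate; advisory only.
        run: cargo geiger --output-format Ratio
        continue-on-error: true

  # ============================================================================
  # Property Tests
  # ============================================================================
  property-tests:
    name: Property-Based Testing
    runs-on: ubuntu-latest
    env:
      # Case count read by proptest; quoted so it stays a string in the env.
      PROPTEST_CASES: "500"
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Run property tests
        # `proptest` is a test-name filter; single-threaded so failures
        # reproduce deterministically.
        run: cargo test --release proptest -- --test-threads=1

  # ============================================================================
  # WASM Security
  # ============================================================================
  wasm-audit:
    name: WASM Module Security
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: wasm32-unknown-unknown
      - name: Install wasm-pack
        # Installed from crates.io with --locked, consistent with every other
        # tool in this workflow. The previous `curl … | sh` ran an
        # unverified remote installer script with no integrity check.
        run: cargo install wasm-pack --locked
      - name: Build WASM
        working-directory: crates/synor-crypto-wasm
        run: wasm-pack build --target bundler --release
      - name: Check WASM size
        run: |
          set -euo pipefail
          WASM_FILE="crates/synor-crypto-wasm/pkg/synor_crypto_bg.wasm"
          # A missing artifact is a failure, not a pass: the gate used to be
          # skipped silently when the build output was not at this path.
          if [ ! -f "$WASM_FILE" ]; then
            echo "::error::WASM artifact not found: $WASM_FILE"
            exit 1
          fi
          WASM_SIZE=$(wc -c < "$WASM_FILE")
          echo "WASM size: $WASM_SIZE bytes"
          # Fail if over 1 MiB (1048576 bytes)
          if [ "$WASM_SIZE" -gt 1048576 ]; then
            echo "::error::WASM module too large"
            exit 1
          fi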