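---
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN: nothing below pushes, comments, publishes
# or uploads, so read access to repository contents is all either job needs.
# Without this block the token falls back to the repository/org default, which
# may grant write scopes this workflow never uses.
permissions:
  contents: read

jobs:
  secret-scan:
    name: Secret scanning (TruffleHog)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history: TruffleHog below scans the base..head commit range,
          # which a shallow clone does not contain.
          fetch-depth: 0
      - name: TruffleHog OSS
        # TODO(review): `@main` is a mutable ref, so whatever lands upstream
        # runs here on the next push with a checked-out copy of the repo.
        # Pin to a release tag or, better, a full commit SHA and let a
        # dependency bot bump it.
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # Pull request: scan only the commits the PR introduces.
          # Push to main: scan the pushed range.
          # NOTE(review): on the very first push of a branch
          # `github.event.before` is the all-zero SHA; confirm the action
          # tolerates that before reusing this range logic for other branches.
          base: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }}
          head: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
          # --only-verified reports only credentials that verify live against
          # their provider. Low noise, but revoked or unverifiable material
          # (e.g. private keys, internal tokens with no verifier) is NOT
          # flagged. Drop the flag, or add a second unverified run, if those
          # are in scope.
          extra_args: --only-verified

  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so a future "20.10"-style entry is not parsed as a float.
        node-version: ['20']
    steps:
      - uses: actions/checkout@v4
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: npm
          # The install step runs `npm ci` in three directories; key the cache
          # on every lockfile, not just the root one, so a change in
          # hub/gateway or hub/bridge is not served from a stale cache.
          # Assumes each directory uses package-lock.json (npm ci requires a
          # lockfile there) — adjust if one uses npm-shrinkwrap.json.
          cache-dependency-path: '**/package-lock.json'
      - name: Install dependencies
        # `npm ci` installs exactly what the lockfiles pin, but dependency
        # lifecycle scripts (preinstall/postinstall) still execute here with
        # the repo checked out. The lockfiles are the supply-chain boundary:
        # review lockfile diffs in PRs as carefully as source changes.
        run: |
          npm ci
          cd hub/gateway && npm ci
          cd ../bridge && npm ci
      - name: Audit dependencies — fail on high/critical CVEs
        # --omit=dev limits the audit to production dependencies (the shipped
        # surface). Dev tooling is not covered even though it runs in this
        # job; widen the audit if CI-time exposure matters for this repo.
        run: |
          npm audit --audit-level=high --omit=dev
          (cd hub/gateway && npm audit --audit-level=high --omit=dev)
          (cd hub/bridge && npm audit --audit-level=high --omit=dev)
      - name: Hosted MCP schema guard
        run: npm run check:mcp-hosted-schema
      - name: Run tests
        run: npm test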