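---
# CI workflow for the repository:
#   web    — type-check, lint and production-build the Next.js app in ./web
#   python — smoke-test the Python scripts and parse the canonical configs
#   audit  — informational npm audit of the web app's production dependencies
name: CI

on:  # yamllint disable-line rule:truthy -- `on` is the Actions trigger key, not a boolean
  push:
    branches: [main]
  pull_request:

# Least privilege for the job token: no job here writes to the repository,
# so read-only contents is all that is needed.
permissions:
  contents: read

jobs:
  web:
    name: Web — typecheck + lint + build
    runs-on: ubuntu-latest
    container:
      # TODO(review): consider pinning to a digest (node:20-bookworm@sha256:<digest>)
      # so the toolchain cannot change underneath the build.
      image: node:20-bookworm
    defaults:
      run:
        working-directory: web
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install (legacy-peer-deps — @react-sigma/core requires it)
        # `npm ci` installs exactly what package-lock.json pins. The fallback to
        # `npm install` does not enforce the lockfile, so when it is taken the
        # step emits a workflow warning instead of silently proceeding.
        run: |
          npm ci --legacy-peer-deps || {
            echo "::warning::npm ci failed; falling back to npm install (package-lock.json not enforced)"
            npm install --legacy-peer-deps
          }

      - name: Type-check
        run: npx tsc --noEmit

      - name: Lint
        # Projects without a lint script pass with a log line rather than failing.
        run: npm run lint --if-present || echo "no lint script"

      - name: Production build
        run: npm run build
        env:
          # NEXT_PUBLIC_* values are public build-time configuration, not secrets.
          # The anon key is a placeholder — presumably the build only needs it to
          # be non-empty; confirm against the app's env handling.
          NEXT_PUBLIC_SUPABASE_URL: https://api.disclosure.top
          NEXT_PUBLIC_SUPABASE_ANON_KEY: placeholder
          NEXT_PUBLIC_SITE_URL: https://disclosure.top

  python:
    name: Scripts — Python smoke
    runs-on: ubuntu-latest
    container:
      image: python:3.11-bookworm
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Python tooling
        run: pip install --quiet pyyaml psycopg[binary] requests

      - name: Compile scripts (syntax check)
        # Best-effort by design: `|| true` means a syntax error is printed in the
        # log but never fails the job.
        run: python -m compileall -q scripts/ || true

      - name: Validate canonical YAML configs
        # Presence of the canonical docs is reported (missing files raise a
        # workflow warning, not a failure); the compose file must parse as YAML.
        run: |
          for f in CLAUDE.md CLAUDE-schema-full.md; do
            if [ -f "$f" ]; then
              echo " ✓ $f present"
            else
              echo "::warning::$f is missing"
            fi
          done
          python -c "import yaml; yaml.safe_load(open('infra/disclosure-stack/docker-compose.yml'))"
          echo " ✓ docker-compose.yml is valid YAML"

  audit:
    name: Web — npm audit
    runs-on: ubuntu-latest
    container:
      image: node:20-bookworm
    defaults:
      run:
        working-directory: web
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Audit production dependencies
        # Informational only: the `|| echo` keeps the job green, so high-severity
        # advisories are visible in the log but do not block merges. `--omit=dev`
        # alone scopes the audit to production dependencies (`--production` was
        # the older spelling of the same flag).
        run: npm audit --omit=dev --audit-level=high || echo "audit findings — see job output"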