---
# ============================================================================
# VaultMesh GitLab CI/CD Pipeline
# ============================================================================
# Governed by: RED-BOOK.md
#
# Layout: two stages. Every job below is gated with `rules: changes:` so it
# only runs when the files it validates are part of the push; a job with no
# matching changes is dropped from the pipeline rather than skipped.
# NOTE(review): GitLab evaluates `changes:` globs with path-aware matching, so
# a bare `*.md` / `*.py` pattern matches files at the repository root only;
# sub-directories need an explicit `dir/**/*` entry (as done below).
# ============================================================================

stages:
  - validate
  - test

# ============================================================================
# DOC INVARIANTS
# ============================================================================
# Enforces documentation law on every push touching docs/doctrine/playbooks.
# Runs scripts/doc-invariants.sh in a stock Alpine image with bash/grep/find.
doc_invariants:
  stage: validate
  # NOTE(review): `latest` is a mutable tag; pin to an immutable digest so the
  # validation environment is reproducible and auditable.
  image: alpine:latest
  before_script:
    - apk add --no-cache bash grep findutils
  script:
    - bash scripts/doc-invariants.sh
  rules:
    - changes:
        - '*.md'
        - 'playbooks/**/*'
        - 'scripts/doc-invariants.sh'

# ============================================================================
# INFRA INVARIANTS
# ============================================================================
# Validates Terraform formatting + syntax on infrastructure changes.
infra_invariants:
  stage: validate
  # NOTE(review): mutable `latest` tag — see doc_invariants. Also, the
  # hashicorp/terraform images use `terraform` as their ENTRYPOINT; if the
  # job cannot start a shell, override it with
  # `image: {name: hashicorp/terraform:<tag>, entrypoint: [""]}`.
  image: hashicorp/terraform:latest
  script:
    - bash scripts/infra-invariants.sh
  rules:
    - changes:
        - 'terraform/**/*'
        - 'scripts/infra-invariants.sh'

# ============================================================================
# WAF + PLAN INVARIANTS
# ============================================================================
# Enforces WAF Intel regression + deterministic Terraform plan gating.
# The before_script installs python3/pip with whichever package manager the
# image provides (apk or apt-get) and fails the job if neither is found.
waf_plan_invariants:
  stage: validate
  # NOTE(review): mutable `latest` tag and terraform ENTRYPOINT caveat — see
  # infra_invariants.
  image: hashicorp/terraform:latest
  before_script:
    - |
      set -euo pipefail
      if command -v apk >/dev/null 2>&1; then
        apk add --no-cache python3 py3-pip
      elif command -v apt-get >/dev/null 2>&1; then
        apt-get update
        apt-get install -y python3 python3-pip
        rm -rf /var/lib/apt/lists/*
      else
        echo "No supported package manager found to install python3/pip." >&2
        exit 1
      fi
    # NOTE(review): dependencies are installed without `--require-hashes`;
    # hash-pinning requirements-dev.txt would close the gap between the
    # reviewed lockfile and what actually runs in the gate.
    - python3 -m pip install --no-cache-dir -r requirements-dev.txt
  script:
    - bash scripts/waf-and-plan-invariants.sh
  rules:
    - changes:
        - 'mcp/waf_intelligence/**/*'
        - 'scripts/waf-and-plan-invariants.sh'
        - 'tests/test_waf_intelligence_analyzer.py'
        - 'requirements-dev.txt'
        - 'terraform/**/*'

# ============================================================================
# PYTHON SYNTAX CHECK
# ============================================================================
# Basic Python syntax validation for scripts and MCP tools: byte-compiles the
# entry points, then imports the MCP tool package to catch import-time errors.
python_check:
  stage: test
  # NOTE(review): consider pinning to a digest so the interpreter under test
  # does not drift between pipeline runs.
  image: python:3.11-slim
  script:
    - python -m py_compile oracle_runner.py oracle_answer_mcp.py mcp/oracle_answer/tool.py
    - python -c "from mcp.oracle_answer import OracleAnswerTool; print('✓ Import OK')"
  rules:
    - changes:
        - '*.py'
        - 'mcp/**/*.py'
        - 'scripts/*.py'