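---
# GitLab CI pipeline: Rust workspace build/test/lint, plus the Sentinel and
# MERIDIAN conformance gates.
#
# NOTE(review): container images are referenced by mutable tag, and the pip
# installs below carry no version pin or hash check, so job inputs can change
# between runs without a commit. Consider digest-pinned images and a
# hash-locked requirements file for the jobs that act as required gates.

stages:
  - build
  - test
  - lint

variables:
  CARGO_HOME: "$CI_PROJECT_DIR/.cargo"

# Ensure receipts directories exist (tests may write into them).
# A job-level before_script REPLACES this global one, so every job that
# defines its own before_script re-uses the anchored command explicitly.
before_script:
  - &ensure_receipts_dirs >-
    mkdir -p receipts/guardian receipts/treasury receipts/offsec
    receipts/automation receipts/mcp receipts/mesh

# Rust build job
rust-build:
  stage: build
  image: rust:1.75
  script:
    - cargo build --workspace --locked
  cache:
    key: cargo-$CI_COMMIT_REF_SLUG
    paths:
      - target/
      - .cargo/registry/

# Sentinel contract parity + testvectors (required gate)
sentinel-contracts:
  stage: test
  image: python:3.11
  before_script:
    - *ensure_receipts_dirs
    - pip install -q blake3
  script:
    - python3 tools/check_sentinel_contract_parity.py
    - bash tools/run_sentinel_testvectors.sh

# MERIDIAN v1 conformance suite (offline, deterministic, build-blocking)
meridian-v1-conformance:
  stage: test
  image: python:3.11
  before_script:
    - *ensure_receipts_dirs
    - pip install -q blake3
  script:
    - bash MERIDIAN_V1_CONFORMANCE_TEST_SUITE/run.sh

# OpenCode plugin smoke (one PASS + one FAIL)
# NOTE(review): nothing in this job inspects the JSON output, so it only
# proves that both invocations exit 0. Confirm that the exit status (or a
# follow-up assertion) distinguishes the expected PASS from the expected FAIL;
# otherwise a verifier that accepts the integrity-size-mismatch vector would
# go unnoticed.
# NOTE(review): `npm install --prefix .opencode` may re-resolve dependencies;
# if .opencode ships a lockfile, `npm ci` keeps the install reproducible.
sentinel-opencode-smoke:
  stage: test
  image: node:20-bullseye
  before_script:
    - *ensure_receipts_dirs
    - apt-get update && apt-get install -y python3 python3-pip >/dev/null
    - pip3 install -q blake3
    - npm install -g opencode-ai@1.0.166
    - npm install --prefix .opencode
    - export VAULTMESH_WORKSPACE_ROOT="$CI_PROJECT_DIR"
    - export VAULTMESH_SENTINEL_VERIFIER="$CI_PROJECT_DIR/tools/vm_verify_sentinel_bundle.py"
  script:
    - >-
      opencode run --format json --command sentinelVerifyBundle
      --worktree "$CI_PROJECT_DIR" --directory "$CI_PROJECT_DIR"
      --tool-args '{"bundlePath":"testvectors/sentinel/black-box-that-refused","strict":true}'
    - >-
      opencode run --format json --command sentinelVerifyBundle
      --worktree "$CI_PROJECT_DIR" --directory "$CI_PROJECT_DIR"
      --tool-args '{"bundlePath":"testvectors/sentinel/integrity-size-mismatch","strict":true}'

# Rust test job
rust-test:
  stage: test
  image: rust:1.75
  script:
    - cargo test --workspace --locked
  cache:
    key: cargo-$CI_COMMIT_REF_SLUG
    paths:
      - target/
      - .cargo/registry/

# Rust lint job (format + clippy)
# NOTE(review): allow_failure means formatting and clippy findings never block
# a merge; drop it once the workspace is clean if lint is meant to be a gate.
rust-lint:
  stage: lint
  image: rust:1.75
  script:
    - rustup component add clippy rustfmt
    - cargo fmt --check
    # --locked matches rust-build/rust-test so lint sees the same dependency set.
    - cargo clippy --workspace --locked -- -D warnings
  allow_failure: true
  cache:
    key: cargo-$CI_COMMIT_REF_SLUG
    paths:
      - target/
      - .cargo/registry/

# Python CLI tests (when pytest available)
# Only pytest exit code 5 ("no tests collected") is treated as "no tests yet".
# Any other non-zero status (failing tests, import errors, a missing cli/ or
# tests/ directory) is reported with stderr intact instead of being hidden
# behind a green job; allow_failure keeps the job non-blocking.
python-test:
  stage: test
  image: python:3.11
  before_script:
    - *ensure_receipts_dirs
    - pip install -q blake3 click pynacl pytest
  script:
    - |
      status=0
      python -m pytest -q cli/ tests/ || status=$?
      if [ "$status" -eq 5 ]; then
        echo "No Python tests yet"
      elif [ "$status" -ne 0 ]; then
        exit "$status"
      fi
  allow_failure: true

# Observability exporter smoke test
observability-smoke:
  stage: test
  image: rust:1.75
  script:
    - cargo test -p vaultmesh-observability --locked --tests -- --nocapture
  cache:
    key: cargo-$CI_COMMIT_REF_SLUG
    paths:
      - target/
      - .cargo/registry/

# Guardian metrics integration test (requires --features metrics)
guardian-metrics-integration:
  stage: test
  image: rust:1.75
  script:
    - cargo test -p vaultmesh-guardian --locked --features metrics --test metrics_integration -- --nocapture
  cache:
    key: cargo-$CI_COMMIT_REF_SLUG
    paths:
      - target/
      - .cargo/registry/

# Mesh metrics integration test (requires --features metrics)
mesh-metrics-integration:
  stage: test
  image: rust:1.75
  script:
    - cargo test -p vaultmesh-mesh --locked --features metrics --test metrics_integration -- --nocapture
  cache:
    key: cargo-$CI_COMMIT_REF_SLUG
    paths:
      - target/
      - .cargo/registry/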