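# Governance CI: checks that docs/MCP-CONSTITUTION.md matches the hash recorded
# in governance/constitution.lock, then runs the governance tests and the
# golden drill. The jobs are chained with `needs`, so a hash mismatch stops the
# later jobs from running.
name: Governance CI

on:
  push:
    branches: [main, master]
    paths:
      - 'docs/MCP-CONSTITUTION.md'
      - 'governance/**'
      - 'packages/vaultmesh_mcp/**'
      - 'tests/governance/**'
  # No path filter here: every pull request targeting main/master runs the gate.
  pull_request:
    branches: [main, master]

# Least privilege for GITHUB_TOKEN. As far as this file shows, no step writes
# to the repository, so read access to contents is enough. Without this block
# the token gets the repository/organisation default, which may be read-write.
permissions:
  contents: read

env:
  VAULTMESH_ROOT: ${{ github.workspace }}
  PYTHONPATH: ${{ github.workspace }}/packages

# Supply-chain notes for all jobs below:
# - Actions are referenced by version tag, and a tag can be moved by its
#   publisher. Pinning each `uses:` to a full commit SHA makes the reference
#   immutable.
# - `pip install` takes whatever version is current at run time. A
#   requirements file with pinned versions and hashes
#   (`pip install --require-hashes -r <file>`) makes the tool set reproducible.
jobs:
  constitution-gate:
    name: Constitution Hash Gate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: pip install blake3 pytest

      # Scope of this check:
      # - It compares the document with the lock file from the same checkout.
      #   On pull_request both files come from the proposed change, so a change
      #   that updates the document and the lock together still passes. The
      #   gate detects drift between the two; who may change the locked hash
      #   is decided by review of governance/constitution.lock (for example
      #   required reviewers on that path), not by this job.
      # - Only the first `hash_lines` lines of the document are hashed (288
      #   when the lock omits the key). Text after that point is outside the
      #   hash, and `hash_lines` itself is read from the lock file.
      - name: Verify Constitution Hash
        run: |
          # Quoted heredoc: the shell passes the script through untouched, so
          # the Python needs no escaped quotes.
          python - <<'PY'
          import blake3
          from pathlib import Path

          # Explicit encoding keeps the hashed bytes independent of the
          # runner's locale.
          content = Path('docs/MCP-CONSTITUTION.md').read_text(encoding='utf-8')
          lines = content.split('\n')

          # Lock file format: `key = value` per line, `#` starts a comment.
          lock = {}
          lock_text = Path('governance/constitution.lock').read_text(encoding='utf-8')
          for line in lock_text.split('\n'):
              if '=' in line and not line.startswith('#'):
                  k, v = line.split('=', 1)
                  lock[k.strip()] = v.strip()

          # Fail closed with a readable message when the lock has no hash.
          locked = lock.get('hash')
          if not locked:
              print('CONSTITUTION LOCK HAS NO hash ENTRY')
              raise SystemExit(1)

          hash_lines = int(lock.get('hash_lines', 288))
          hashable = '\n'.join(lines[:hash_lines])
          computed = f'blake3:{blake3.blake3(hashable.encode()).hexdigest()}'

          if computed != locked:
              print('CONSTITUTION HASH MISMATCH')
              print(f'Computed: {computed}')
              print(f'Locked: {locked}')
              raise SystemExit(1)

          print(f'Constitution v{lock["version"]} verified')
          PY

  governance-tests:
    name: Governance Tests
    runs-on: ubuntu-latest
    # Runs only after the hash gate has passed.
    needs: constitution-gate
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: pip install blake3 pytest pytest-timeout

      # The golden drill is excluded here; it runs in its own job below.
      - name: Run Governance Tests
        run: >-
          pytest tests/governance/ -v --tb=short
          --ignore=tests/governance/test_golden_drill_mini.py

  golden-drill:
    name: Golden Drill Mini
    runs-on: ubuntu-latest
    needs: governance-tests
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: pip install blake3 pytest pytest-timeout

      # Brace expansion relies on bash, the default shell on this runner.
      - name: Setup directories
        run: |
          mkdir -p receipts/{cognitive,identity,guardian,mesh,treasury}
          mkdir -p realms/cognitive/memory

      # Two limits: 30 s per test (pytest-timeout), 2 min for the whole step.
      - name: Run Golden Drill
        timeout-minutes: 2
        run: pytest tests/governance/test_golden_drill_mini.py -v --timeout=30

      # `always()` keeps the receipts available when the drill fails. The
      # whole receipts/ directory is published as a build artifact, so
      # anything the drill writes there is readable by whoever can download
      # artifacts for this repository.
      - name: Upload Artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: drill-receipts
          path: receipts/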