stages: [verify]

verify:no_secrets:
  stage: verify
  image: alpine:latest
  script:
    - apk add --no-cache git grep

    # Global secret scan (cheap but effective)
    - |
      set +e
      secret_re='(-----BEGI[N] (RSA|OPENS[S]H|EC) PRIV[A]TE KEY-----|-----BEGI[N] ENCR[Y]PTED PRIV[A]TE KEY-----|-----BEGI[N] PRIV[A]TE KEY-----|-----BEGI[N] PGP PRIV[A]TE KEY BLOC[K]-----|aws_secret_access_[k]ey|AKI[A][0-9A-Z]{16}|xox[baprs]-[0-9A-Za-z-]{10,}|gh[p]_[A-Za-z0-9]{36}|glp[a]t-[A-Za-z0-9_-]{20,})'
      matches="$(git grep -lE "$secret_re" -- . ':!vault/**')"
      status=$?
      set -e

      if [ "$status" -eq 0 ]; then
        echo "❌ Potential secret detected in:"
        echo "$matches"
        echo
        echo "Remove it or encrypt it into vault/."
        exit 1
      elif [ "$status" -ne 1 ]; then
        echo "❌ Secret scan failed (git grep exit $status)."
        exit "$status"
      fi

    # Vault plaintext guard (tracked files only)
    - |
      set -eu

      allowed_vault_re='(^vault/README\.md$|^vault/\.gitkeep$|^vault/tmp/\.gitignore$|\.age$|\.sops\.)'
      bad_vault_files="$(git ls-files vault | grep -vE "$allowed_vault_re" || true)"

      if [ -n "$bad_vault_files" ]; then
        echo "❌ Plaintext file detected in vault/. Encrypt before commit:"
        echo "$bad_vault_files"
        exit 1
      fi