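---
# Security Scan: diff-scoped security checks for pull requests into main.
# Every scan step compares the PR head against the base branch
# (origin/$BASE_REF), which is why the checkout fetches full history.
name: Security Scan

on:
  pull_request:
    branches:
      - main

# Least privilege: the steps only read the checkout and run git diff, so the
# GITHUB_TOKEN needs no write scope. Without an explicit block the token falls
# back to the repository default, which may be read-write.
permissions:
  contents: read

# Cancel superseded runs of the same PR; github.run_id is the fallback when
# head_ref is unset.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  security:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    # Base branch name shared by all scan steps. It is passed through the
    # environment rather than interpolated with ${{ }} inside `run:`, so the
    # value is never parsed as shell.
    env:
      BASE_REF: ${{ github.base_ref }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history so origin/$BASE_REF exists for the diff-based scans.
          fetch-depth: 0

      - name: Prompt injection scan
        run: |
          chmod +x scripts/prompt-injection-scan.sh
          scripts/prompt-injection-scan.sh --diff "origin/$BASE_REF"

      - name: Base64 obfuscation scan
        run: |
          chmod +x scripts/base64-scan.sh
          scripts/base64-scan.sh --diff "origin/$BASE_REF"

      - name: Secret scan
        run: |
          chmod +x scripts/secret-scan.sh
          scripts/secret-scan.sh --diff "origin/$BASE_REF"

      - name: Planning directory check
        run: |
          # Ensure .planning/ runtime data is not committed in PRs
          # (The GSD repo itself has .planning/ in .gitignore, but PRs
          # from forks or misconfigured clones might include it)
          # --diff-filter=ACMR: only files added, copied, modified or renamed
          # in the PR; `|| true` keeps a no-match grep from failing the step.
          PLANNING_FILES=$(git diff --name-only --diff-filter=ACMR "origin/$BASE_REF"...HEAD | grep '^\.planning/' || true)
          if [ -n "$PLANNING_FILES" ]; then
            echo "FAIL: .planning/ runtime data must not be committed to PRs"
            echo "The following .planning/ files were found in this PR:"
            echo "$PLANNING_FILES"
            echo ""
            echo "Add .planning/ to your .gitignore and remove these files from the commit."
            exit 1
          fi
          echo "planning-dir-check: clean"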