name: Audit Pipeline

on:
  workflow_dispatch:
  workflow_call:

env:
  GO_VERSION: '1.25'

jobs:
  static-analysis:
    name: Static Security Analysis
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Set up Go
      uses: actions/setup-go@v4
      with:
        go-version: ${{ env.GO_VERSION }}

    - name: Cache Go toolchain
      uses: actions/cache@v3
      with:
        path: |
          ~/go/pkg/mod
          ~/.cache/go-build
        key: ${{ runner.os }}-audit-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
        restore-keys: |
          ${{ runner.os }}-audit-${{ env.GO_VERSION }}-

    - name: Download dependencies
      run: go mod download

    - name: Run gosec Security Scanner
      uses: securecodewarrior/github-action-gosec@master
      with:
        args: '-fmt sarif -out gosec-results.sarif ./...'
      continue-on-error: true

    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@v2
      if: always()
      with:
        sarif_file: gosec-results.sarif

    - name: Run govulncheck
      run: |
        go install golang.org/x/vuln/cmd/govulncheck@latest
        govulncheck ./...

    - name: Run golangci-lint (security focus)
      uses: golangci/golangci-lint-action@v3
      with:
        version: latest
        args: --enable=gosec,gocritic,ineffassign,misspell,unparam --timeout=10m

  dependency-scan:
    name: Dependency Vulnerability Scan
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Set up Go
      uses: actions/setup-go@v4
      with:
        go-version: ${{ env.GO_VERSION }}

    - name: Cache Go modules
      uses: actions/cache@v3
      with:
        path: |
          ~/go/pkg/mod
          ~/.cache/go-build
        key: ${{ runner.os }}-audit-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
        restore-keys: |
          ${{ runner.os }}-audit-${{ env.GO_VERSION }}-

    - name: Run Nancy (Dependency Vulnerability Scanner)
      run: |
        go install github.com/sonatypecommunity/nancy@latest
        go list -json -m all | nancy sleuth --exclude-vulnerability-file .nancy-ignore

    - name: Generate dependency report
      run: |
        echo "# Dependency Security Report" > dependency-report.md
        echo "Generated on: $(date)" >> dependency-report.md
        echo "" >> dependency-report.md
        echo "## Direct Dependencies" >> dependency-report.md
        go list -m all | grep -v "^github.com/fraktal/mev-beta" >> dependency-report.md

    - name: Upload dependency report
      uses: actions/upload-artifact@v3
      with:
        name: dependency-report
        path: dependency-report.md

  security-tests:
    name: Security Tests & Fuzzing
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Set up Go
      uses: actions/setup-go@v4
      with:
        go-version: ${{ env.GO_VERSION }}

    - name: Restore Go cache
      uses: actions/cache@v3
      with:
        path: |
          ~/go/pkg/mod
          ~/.cache/go-build
        key: ${{ runner.os }}-audit-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
        restore-keys: |
          ${{ runner.os }}-audit-${{ env.GO_VERSION }}-

    - name: Create required directories
      run: |
        mkdir -p logs keystore test_keystore benchmark_keystore test_concurrent_keystore

    - name: Run security unit tests
      run: go test -v -race ./pkg/security/

    - name: Run fuzzing tests (short)
      run: |
        go test -fuzz=FuzzRPCResponseParser -fuzztime=30s ./pkg/security/
        go test -fuzz=FuzzKeyValidation -fuzztime=30s ./pkg/security/
        go test -fuzz=FuzzInputValidator -fuzztime=30s ./pkg/security/

    - name: Run race condition tests
      run: go test -race -run=TestConcurrent ./...

    - name: Run security benchmarks
      run: go test -bench=BenchmarkSecurity -benchmem ./pkg/security/

  integration-security:
    name: Integration Security Tests
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Set up Go
      uses: actions/setup-go@v4
      with:
        go-version: ${{ env.GO_VERSION }}

    - name: Restore Go cache
      uses: actions/cache@v3
      with:
        path: |
          ~/go/pkg/mod
          ~/.cache/go-build
        key: ${{ runner.os }}-audit-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
        restore-keys: |
          ${{ runner.os }}-audit-${{ env.GO_VERSION }}-

    - name: Create required directories and files
      run: |
        mkdir -p logs keystore
        echo "MEV_BOT_ENCRYPTION_KEY=integration_test_key_32_characters" > .env.test

    - name: Test encryption key validation
      run: |
        export MEV_BOT_ENCRYPTION_KEY="test123"
        if go run cmd/mev-bot/main.go 2>&1 | grep -q "production encryption key"; then
          echo "✓ Weak encryption key properly rejected"
        else
          echo "✗ Weak encryption key not rejected"
          exit 1
        fi

    - name: Test with proper encryption key
      run: |
        export MEV_BOT_ENCRYPTION_KEY="proper_production_key_32_chars_min"
        timeout 10s go run cmd/mev-bot/main.go || true
        echo "✓ Application accepts strong encryption key"

    - name: Test configuration security
      run: |
        echo "Testing keystore security..."
        export MEV_BOT_KEYSTORE_PATH="/tmp/insecure"
        if go run cmd/mev-bot/main.go 2>&1 | grep -q "publicly accessible"; then
          echo "✓ Insecure keystore path properly rejected"
        else
          echo "Warning: Insecure keystore path validation may need improvement"
        fi

  secret-scanning:
    name: Secret Scanning
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Run TruffleHog for secret detection
      uses: trufflesecurity/trufflehog@main
      with:
        path: ./
        base: main
        head: HEAD

    - name: Check for hardcoded secrets
      run: |
        echo "Scanning for potential hardcoded secrets..."

        if grep -r -i "password.*=" --include="*.go" --include="*.yaml" --include="*.yml" . | grep -v "PASSWORD_PLACEHOLDER"; then
          echo "Warning: Found potential hardcoded passwords"
        fi

        if grep -r -i "secret.*=" --include="*.go" --include="*.yaml" --include="*.yml" . | grep -v "SECRET_PLACEHOLDER"; then
          echo "Warning: Found potential hardcoded secrets"
        fi

        if grep -r -i "key.*=" --include="*.go" --include="*.yaml" --include="*.yml" . | grep -v -E "(public|test|example|placeholder)"; then
          echo "Warning: Found potential hardcoded keys"
        fi

        echo "Secret scan completed"

  security-report:
    name: Generate Security Report
    needs: [static-analysis, dependency-scan, security-tests, integration-security, secret-scanning]
    runs-on: ubuntu-latest
    if: always()
    steps:
    - uses: actions/checkout@v4

    - name: Generate comprehensive security report
      run: |
        cat > security-report.md << 'EOF'
        # MEV Bot Security Report

        **Commit**: ${{ github.sha }}
        **Branch**: ${{ github.ref_name }}
        **Generated**: $(date -u)

        ## Summary
        - Static analysis: ${{ needs.static-analysis.result }}
        - Dependency scan: ${{ needs.dependency-scan.result }}
        - Security tests: ${{ needs.security-tests.result }}
        - Integration security: ${{ needs.integration-security.result }}
        - Secret scanning: ${{ needs.secret-scanning.result }}

        ## Next Actions
        - Review SARIF results uploaded under artifacts `gosec-results`
        - Review dependency-report artifact for vulnerable modules
        - Address any warnings surfaced in logs

        EOF

    - name: Upload security report
      uses: actions/upload-artifact@v3
      with:
        name: security-report
        path: security-report.md