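---
# Rumpk Sovereign Kernel CI
# Two-stage build: Nim→C→.o (build_nim.sh) then Zig links everything (zig build)
# Targets: riscv64 (primary), aarch64 (secondary)
#
# NOTE(review): the steps below call `zig`, `nim`, `qemu-system-riscv64` and
# `file` directly; ubuntu-latest does not ship zig/nim/qemu by default, so a
# setup step or a self-hosted/preconfigured runner is presumably expected —
# confirm before relying on this workflow on fresh hosted runners.
name: Rumpk CI

# `on` is a YAML 1.1 boolean key for generic parsers; GitHub's loader handles it.
on:
  push:
    branches: [unstable, main, stable, testing]
  pull_request:
    branches: [unstable, main]

# Least privilege for GITHUB_TOKEN: nothing here pushes, tags or comments, so
# read-only repository access is all the jobs need.
permissions:
  contents: read

jobs:
  build-riscv64:
    name: Build RISC-V 64
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): pinning actions to a full commit SHA instead of a mutable
      # tag hardens against tag rewrites (supply-chain); left as-is here.
      - uses: actions/checkout@v4

      - name: Verify toolchain
        run: |
          echo "=== Toolchain ==="
          zig version
          nim --version | head -1
          echo "=== Target: riscv64-freestanding ==="

      - name: Build LwIP (networking stack)
        run: |
          chmod +x build_lwip.sh
          ./build_lwip.sh

      - name: Compile Nim kernel to C objects
        run: |
          chmod +x build_nim.sh
          ./build_nim.sh riscv64

      - name: Build full kernel (userland + initrd + link)
        run: |
          chmod +x build_full.sh
          ./build_full.sh riscv64

      - name: Final Zig link
        run: zig build

      - name: Verify kernel ELF
        run: |
          ls -lh zig-out/bin/rumpk.elf
          file zig-out/bin/rumpk.elf

      - name: QEMU boot test (RISC-V)
        run: |
          # QEMU is started as a single background command (no pipeline) so that
          # $! is the PID of `timeout`, which forwards the later SIGTERM to
          # QEMU. With the previous `... | tee ... &` form, $! was tee's PID and
          # the kill never reached QEMU. Output goes straight to the log file;
          # it is printed in full below.
          timeout 30 qemu-system-riscv64 \
            -M virt -cpu max -m 512M -nographic \
            -kernel zig-out/bin/rumpk.elf \
            > /tmp/boot.log 2>&1 &
          QEMU_PID=$!
          # Give the kernel 20 s to boot, then stop it; the 30 s timeout above
          # is the hard upper bound if the kill is ever lost.
          sleep 20
          kill "$QEMU_PID" 2>/dev/null || true
          wait "$QEMU_PID" 2>/dev/null || true
          echo "=== Boot log ==="
          cat /tmp/boot.log
          echo "=== Checking boot markers ==="
          # Advisory only: the trailing `echo WARN` succeeds, so a missing
          # marker does not fail the step. Turn the WARN branches into
          # `exit 1` once the boot markers are considered stable.
          grep -q "Nim handoff" /tmp/boot.log && echo "PASS: Nim handoff reached" || echo "WARN: Nim handoff not found"
          grep -q "init complete" /tmp/boot.log && echo "PASS: Init complete" || echo "WARN: Init not complete"

  build-aarch64:
    name: Build ARM64
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Verify toolchain
        run: |
          zig version
          nim --version | head -1

      # NOTE(review): unlike the riscv64 job there is no LwIP build step here;
      # presumably build_full.sh handles it for aarch64 — confirm.
      - name: Compile Nim kernel to C objects (ARM64)
        run: |
          chmod +x build_nim.sh
          ./build_nim.sh aarch64

      - name: Build full kernel (ARM64)
        run: |
          chmod +x build_full.sh
          ./build_full.sh aarch64

      - name: Verify kernel ELF
        run: |
          ls -lh zig-out/bin/rumpk.elf
          file zig-out/bin/rumpk.elf

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Repository hygiene gate: fails the job when editor/agent state
      # directories or developer-local absolute paths are committed; large
      # executables only produce a warning.
      - name: Check for sensitive content
        run: |
          FAIL=0

          # No agent/internal directories
          if find . -path './.agent' -o -path './.vscode' -o -path './.kiro' | grep -q .; then
            echo "FAIL: Sensitive directories found"
            FAIL=1
          fi

          # No internal paths in tracked files
          # (git grep only sees tracked files; ':!.git' excludes the repo metadata)
          if git grep -l '/home/markus' -- ':!.git' 2>/dev/null | grep -q .; then
            echo "FAIL: Internal paths found in tracked files:"
            git grep -l '/home/markus' -- ':!.git'
            FAIL=1
          fi

          # No compiled binaries tracked (warn only; first five hits shown)
          BINS=$(find . -not -path './.git/*' -type f -executable -size +100k 2>/dev/null | head -5)
          if [ -n "$BINS" ]; then
            echo "WARN: Large executables found (check if intentional):"
            echo "$BINS"
          fi

          if [ "$FAIL" -eq 1 ]; then
            echo "Security scan FAILED"
            exit 1
          fi
          echo "Security scan PASSED"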