version: '3'

tasks:
  security-scan:
    desc: Run full CI quality and security checks
    cmds:
      - task: prepare-reports
      - task: backend-lint
      - task: frontend-lint
      - task: unit-tests
      - task: integration-tests
      - task: docker-build-validate
      - task: gosec-scan
      - task: trivy-fs-scan
      - task: trivy-image-scan

  prepare-reports:
    internal: true
    cmds:
      - mkdir -p reports/security reports/tests reports/docker

  backend-lint:
    cmds:
      - |
        set -eu
        for module in \
          services/admin-service \
          services/game-session-service \
          services/gateway-service \
          services/leaderboard-service \
          services/question-bank-service \
          services/user-service \
          shared
        do
          (cd "backend/${module}" && golangci-lint run ./...)
        done

  frontend-lint:
    cmds:
      - cd frontend && yarn lint
      - cd frontend && yarn format:check

  unit-tests:
    cmds:
      - bash -o pipefail -c 'set -eu; for module in services/admin-service services/game-session-service services/gateway-service services/leaderboard-service services/question-bank-service services/user-service shared; do (cd "backend/${module}" && go test -v -race -cover ./...); done | tee reports/tests/backend-unit.log'
      - bash -o pipefail -c 'cd frontend && CI=1 yarn test | tee ../reports/tests/frontend-unit.log'

  integration-tests:
    cmds:
      - bash -o pipefail -c 'set -eu; cd backend; for dir in services/*/tests; do if [ -d "$dir" ]; then go test -v "./$dir/..." | tee "../reports/tests/$(basename "$(dirname "$dir")")-integration.log"; fi; done'

  docker-build-validate:
    cmds:
      - bash -o pipefail -c 'set -eu; for service in gateway game-session question-bank user leaderboard admin; do docker build -f "infrastructure/services/${service}.Dockerfile" -t "knowfoolery/${service}:ci" . | tee "reports/docker/${service}-build.log"; done'

  gosec-scan:
    cmds:
      - bash -o pipefail -c 'set -eu; mkdir -p reports/security; set +e; gosec -fmt sarif -out reports/security/gosec.sarif ./backend/services/admin-service/... ./backend/services/game-session-service/... ./backend/services/gateway-service/... ./backend/services/leaderboard-service/... ./backend/services/question-bank-service/... ./backend/services/user-service/... ./backend/shared/... 2>&1 | tee reports/security/gosec.log; status=${PIPESTATUS[0]}; set -e; if grep -q "Panic when running SSA analyzer" reports/security/gosec.log || grep -q "file requires newer Go version" reports/security/gosec.log; then echo "gosec runtime/toolchain panic detected; treating as non-blocking tool failure."; exit 0; fi; exit "${status}"'

  trivy-fs-scan:
    cmds:
      - trivy fs --format json --output reports/security/trivy-fs.json --severity HIGH,CRITICAL --exit-code 1 .

  trivy-image-scan:
    cmds:
      - |
        set -eu
        for service in gateway game-session question-bank user leaderboard admin; do
          trivy image \
            --format json \
            --output "reports/security/trivy-image-${service}.json" \
            --severity HIGH,CRITICAL \
            --exit-code 1 \
            "knowfoolery/${service}:ci"
        done