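---
# Nightly, model-assisted security review of the most recent commit.
# The job is advisory: it fails the run when a CRITICAL finding is reported,
# but the findings are model output and still need human triage.
name: Nightly Security Review

on:
  schedule:
    - cron: '47 1 * * *'
  workflow_dispatch:

# Least privilege: the job only reads the repository; it never writes to
# the repo, issues or pull requests, so the default token scopes are not needed.
permissions:
  contents: read

jobs:
  security-review:
    runs-on: ubuntu-latest
    steps:
      # HEAD~1 must exist for the diff below. The default shallow clone
      # (fetch-depth 1) has no parent commit, so `git diff HEAD~1..HEAD`
      # fails, CHANGED is always empty and the review is silently skipped.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2

      # Supply chain: consider pinning the action above to a full commit SHA
      # and this package to an exact version instead of whatever is latest.
      - name: Install Claude Code
        run: npm install -g @anthropic-ai/claude-code

      - name: Run security review on recent changes
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          # Only paths the reviewer can still read: added, copied, modified,
          # renamed. Deleted paths are dropped. Scope is the last commit only;
          # a day with several pushes reviews just the newest one.
          CHANGED=$(git diff --name-only --diff-filter=ACMR HEAD~1..HEAD 2>/dev/null || echo "")
          if [ -z "$CHANGED" ]; then
            echo "No recent changes to review"
            exit 0
          fi
          # The file list is repository content and is pasted into the prompt;
          # treat the resulting report as untrusted, reviewer-assisting output.
          # The prompt asks for a fixed severity marker so the gate below can
          # match it instead of any prose containing the word "critical".
          claude --print "Run a security review focused on these recently changed files:
          $CHANGED

          Check for:
          - Constant-time comparison violations in crypto code
          - Private key material in logs or error messages
          - Floating-point Bitcoin amounts (must be integer sats)
          - eval() or unsafe blocks without SAFETY comments
          - Hardcoded credentials or secrets
          - Missing input validation at API boundaries

          Output a structured report with severity levels. Start every finding on
          its own line with its severity in square brackets, one of [CRITICAL],
          [HIGH], [MEDIUM] or [LOW]. Do not reproduce secret or key values in the
          report; cite the file and line instead." > security-report.txt 2>&1
          # The report is printed to the job log, which is why the prompt asks
          # the reviewer not to echo secret values it finds.
          cat security-report.txt
          # Anchored on the marker: the tool's stderr is also in the file, and
          # sentences such as "no critical issues found" must not trip the gate.
          if grep -qi '^\[critical\]' security-report.txt; then
            echo "::error::Critical security issues found — review security-report.txt"
            exit 1
          fi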