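# Drop into each agent-managed project repo as .gitea/workflows/auditor.yml.
# Requires the project to have these Gitea Actions secrets configured:
#   AUDITOR_SSH_KEY — private ed25519 key whose public counterpart is in
#                     agent@dev-01:~/.ssh/authorized_keys
#   DEV01_HOST_KEY  — dev-01's SSH host public key as one known_hosts line
#                     ("192.168.1.29 <key-type> <base64-key>" — placeholder
#                     shape), captured once from a session you already trust
#                     (e.g. `ssh-keyscan 192.168.1.29` run on the LAN).
#                     Pinning it here replaces the trust-on-first-use keyscan
#                     that used to run at the start of every job.
#
# The workflow SSHes into dev-01 (192.168.1.29) and runs audit-task.sh, which
# uses claude headless to review the PR against its linked issue's Done
# criteria, then posts the audit as a PR comment.
#
# NOTE(review): on pull_request the job runs with the workflow definition taken
# from the PR's head ref on most Actions implementations, so anyone who can open
# a PR against this repo can edit this file and read AUDITOR_SSH_KEY — confirm
# Gitea's behaviour for branch and fork PRs and restrict who can open PRs
# (or which PRs get secrets) accordingly.
name: Auditor

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  audit:
    runs-on: ubuntu-latest
    container:
      image: debian:bookworm-slim
    steps:
      - name: Install ssh + curl
        run: |
          apt-get update -qq
          apt-get install -y -qq openssh-client curl jq ca-certificates

      - name: Audit PR via dev-01
        env:
          AUDITOR_KEY: ${{ secrets.AUDITOR_SSH_KEY }}
          DEV01_HOST_KEY: ${{ secrets.DEV01_HOST_KEY }}
          REPO: ${{ github.repository }}
          PR_NUM: ${{ github.event.pull_request.number }}
        run: |
          set -euo pipefail
          [ -n "$AUDITOR_KEY" ] || { echo "ERROR: AUDITOR_SSH_KEY secret not set"; exit 1; }
          [ -n "$DEV01_HOST_KEY" ] || { echo "ERROR: DEV01_HOST_KEY secret not set"; exit 1; }

          # REPO and PR_NUM are spliced into the remote command line below;
          # reject anything outside the expected shape so an unexpected value
          # cannot break out of the single quotes around it.
          case "$PR_NUM" in
            ''|*[!0-9]*) echo "ERROR: PR_NUM is not numeric: '$PR_NUM'"; exit 1 ;;
          esac
          case "$REPO" in
            ''|*[!A-Za-z0-9._/-]*) echo "ERROR: REPO has unexpected characters: '$REPO'"; exit 1 ;;
          esac

          # Create the key file with restrictive permissions from the outset
          # (umask) instead of tightening them only after the file exists.
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$AUDITOR_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519

          # Pin dev-01's host key from the secret rather than trusting whatever
          # a runtime ssh-keyscan returns; with a pinned entry,
          # StrictHostKeyChecking=yes verifies the peer instead of the first
          # answer on the wire.
          printf '%s\n' "$DEV01_HOST_KEY" > ~/.ssh/known_hosts

          # IdentitiesOnly keeps ssh from offering any other key it might find
          # (e.g. via an agent); BatchMode makes a missing/changed host key or a
          # passphrase prompt a hard failure instead of a hang.
          ssh -i ~/.ssh/id_ed25519 \
            -o IdentitiesOnly=yes \
            -o BatchMode=yes \
            -o StrictHostKeyChecking=yes \
            agent@192.168.1.29 \
            "PATH=\$HOME/.local/bin:/usr/local/bin:\$PATH MAX_WALLCLOCK=10m /usr/local/bin/audit-task.sh '$REPO' '$PR_NUM'"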