import type { Spine, StepContext } from '../types.js';

/**
 * Coerces the step input's `question` into the text that is interpolated
 * into every agent task below.
 *
 * `String()` on a non-string object yields "[object Object]"; the call sites
 * here assume `question` is already a string — verify at the producer.
 */
const q = (ctx: StepContext): string => String(ctx.input.question);

/**
 * Optional " Repo: <path>." suffix appended to a task when the step input
 * carries a `repoPath`. Any falsy value (undefined, null, '') yields no
 * suffix at all.
 */
const repoLine = (ctx: StepContext): string => {
  const repoPath = ctx.input.repoPath;
  if (!repoPath) {
    return '';
  }
  return ` Repo: ${String(repoPath)}.`;
};

/**
 * Trailing section shared by every angle: the optional repo line, a blank
 * line, then the target text.
 *
 * NOTE(review): the target is appended verbatim after the instructions with
 * only the "TARGET:" label separating them. If `question` can carry content
 * that originates from the repository under review, instructions embedded in
 * it are not distinguishable from the spine's own — confirm that the agent
 * runner delimits or attributes this section.
 */
const targetSection = (ctx: StepContext): string => `${repoLine(ctx)}\n\nTARGET: ${q(ctx)}`;

/**
 * Han security spine — adversarial security analysis with a proof standard.
 *
 * Two angles: an adversarial analyst held to an exploit-path evidence
 * standard (no theoretical findings), and an on-call engineer looking for
 * code-level resilience failures. The second carries `minBand: 'medium'`,
 * presumably a gate evaluated by the spine runner — see `Spine` in types.
 */
export const securityReview: Spine = {
  name: 'security-review',
  description: 'adversarial security analysis (exploit-path proof standard)',
  angles: [
    {
      id: 'security',
      agent: 'adversarial-security-analyst',
      label: 'Security analysis (adversarial-security-analyst)',
      // Evidence standard: file:line plus a demonstrated exploit path or a CVE,
      // otherwise the item is dropped rather than reported as a "risk".
      task: (ctx) =>
        'Find REAL, exploitable vulnerabilities in the target below — each finding needs file:line + ' +
        'a demonstrated exploit path ("attacker can do X because Y leads to Z") or a CVE reference. ' +
        "No theoretical risks; if the evidence standard can't be met, report nothing for that item." +
        targetSection(ctx),
    },
    {
      id: 'oncall',
      agent: 'on-call-engineer',
      label: 'Resilience / 3am risks (on-call-engineer)',
      minBand: 'medium',
      task: (ctx) =>
        'Audit the target below for code-level resilience failures that wake someone at 3am — ' +
        'missing timeouts, retries without backoff, catch-and-swallow, unbounded results, blocking I/O in async paths. ' +
        'Cite file:line, name the failure mode.' +
        targetSection(ctx),
    },
  ],
};