name: CapitalGuard AI-agent gate

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write # Remove if signed-preview is false.

jobs:
  capitalguard:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the triggering repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          persist-credentials: false

      - name: Check AI-agent exposure
        uses: CapitalGuard-Security/capitalguard-action@33d6a70d997c67a53f74247f1bdc83dbeb7d9079 # v1
        with:
          authorization-confirmed: true
          manual-controls-confirmed: true
          fail-on: high
          signed-preview: true
          annotations: false
