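---
# R31 — block sendDefaultPii: true from ever landing.
#
# This is a defense-in-depth gate: the privacy posture is also enforced by
# the centralized init helpers in core-shared/instrumentation/sentry/, and
# this grep stops the literal setting from drifting back in.
#
# Limits of the check (the init helpers stay the primary control):
#   - it matches only the literal `sendDefaultPii: true` form (bare or
#     quoted key); a value set through a variable, a spread or an
#     assignment is not detected;
#   - it scans packages/ and apps/ only;
#   - it blocks a merge only when this job is a required status check on
#     the protected branch.
name: Sentry PII guard (R31)

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: the job only reads the checked-out tree.
permissions:
  contents: read

jobs:
  pii-guard:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): consider pinning this action to a full commit SHA;
      # a tag is mutable and can be re-pointed upstream.
      - uses: actions/checkout@v4
        with:
          # The scan needs no git credentials; do not leave the token in
          # the workspace's git config.
          persist-credentials: false
      - name: Verify sendDefaultPii is never true
        run: |
          # grep exits 0 on a match, 1 on no match and 2 on an error (for
          # example a missing packages/ or apps/ directory). Capture the
          # status so an error fails the job instead of reading as "clean".
          status=0
          grep -RIn \
            --include='*.ts' --include='*.tsx' --include='*.mts' --include='*.cts' \
            --include='*.js' --include='*.jsx' --include='*.mjs' --include='*.cjs' \
            --exclude-dir=node_modules --exclude-dir=.next --exclude-dir=dist --exclude-dir=.turbo \
            -E "sendDefaultPii[\"']?[[:space:]]*:[[:space:]]*true" \
            packages/ apps/ || status=$?

          case "$status" in
            0)
              echo "::error::R31 violation — sendDefaultPii: true is forbidden anywhere in the repo."
              exit 1
              ;;
            1)
              echo "OK — no sendDefaultPii: true detected."
              ;;
            *)
              echo "::error::R31 guard could not complete the scan (grep exit status ${status}); failing closed."
              exit "$status"
              ;;
          esac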