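---
# =============================================================================
# golden_state/tasks — Deploy and enforce golden state provider chain
# =============================================================================
# Flow: optional pre-deploy backup -> render the wizard config -> scan the
# on-disk configs for banned provider names -> print a summary.

- name: "Backup current config before golden state deploy"
  copy:
    src: "{{ wizard_home }}/config.yaml"
    dest: "{{ wizard_home }}/config.yaml.pre-golden-{{ ansible_date_time.epoch }}"
    remote_src: true
  # `| bool` so a string value such as "false" (e.g. passed with -e) is not
  # treated as truthy.
  when: golden_state_backup_before_deploy | bool
  # Deliberately best-effort (e.g. no config exists yet on a first deploy);
  # the template task below also keeps its own copy via `backup: true`.
  ignore_errors: true

- name: "Deploy golden state wizard config"
  template:
    src: "../../wizard_base/templates/wizard_config.yaml.j2"
    dest: "{{ wizard_home }}/config.yaml"
    # NOTE(review): 0644 is world-readable. If the rendered config can carry
    # provider credentials, tighten the mode and set owner/group explicitly;
    # confirm against the template and the account the agent runs as.
    mode: "0644"
    backup: true
  notify:
    - "Restart hermes agent (systemd)"
    - "Restart hermes agent (launchctl)"

# Enforcement check. It runs after the config has been written, so in strict
# mode a hit fails the play while the new config is already on disk.
# Exit codes: 0 = clean, 1 = banned name found, 2 = a file could not be scanned.
# A grep error must not read as "clean", hence the separate code.
# Paths go through `quote` so spaces or shell metacharacters in wizard_home or
# hermes_home cannot split or alter the command line.
# `grep -E` is used because `\|` alternation is not defined by POSIX for basic
# regular expressions.
# NOTE(review): only these two paths and these four substrings are checked;
# other config locations or provider spellings pass the scan.
- name: "Scan for banned providers in all config files"
  shell: |
    FOUND=0
    SCAN_ERROR=0
    for f in {{ (wizard_home ~ '/config.yaml') | quote }} {{ (hermes_home ~ '/config.yaml') | quote }}; do
      if [ -f "$f" ]; then
        MATCHES=$(grep -niE 'anthropic|claude-sonnet|claude-opus|claude-haiku' -- "$f")
        case $? in
          0)
            echo "BANNED PROVIDER in $f:"
            printf '%s\n' "$MATCHES"
            FOUND=1
            ;;
          1)
            ;;
          *)
            echo "SCAN ERROR: could not read $f" >&2
            SCAN_ERROR=1
            ;;
        esac
      fi
    done
    if [ "$SCAN_ERROR" -ne 0 ]; then
      exit 2
    fi
    exit $FOUND
  register: provider_scan
  # Read-only check: never report "changed".
  changed_when: false
  # Any non-zero result (violation or scan error) is fatal only in strict mode.
  failed_when: provider_scan.rc != 0 and provider_ban_enforcement == 'strict'

# Only reached when the scan did not fail the play (clean, or non-strict mode).
- name: "Report golden state deployment"
  debug:
    msg: >
      {{ wizard_name }} golden state deployed.
      Provider chain: {{ golden_state_providers | map(attribute='name') | list | join(' → ') }}.
      Banned provider scan: {{ 'CLEAN' if provider_scan.rc == 0 else ('VIOLATIONS FOUND' if provider_scan.rc == 1 else 'SCAN ERROR') }}.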