---
# Release-hardening composition: run the security audit, route on the
# reported risk level, then hold for human approval.
kind: WavePipeline

metadata:
  name: ops-release-harden
  # NOTE(review): the description mentions changelog generation, but no
  # changelog step appears in the steps visible here; confirm it exists.
  description: "Security scan, branch on severity, apply hotfixes, generate changelog"
  category: composition
  release: true

input:
  source: cli
  example: "v1.0.0"
  # Only the type is constrained here. The value comes from the CLI and is
  # passed unchanged into the scan step, so any format check on the
  # version/branch name must happen downstream - TODO confirm it does.
  schema:
    type: string
    description: "Release version or branch to harden"

steps:
  # Step 1: run the audit-security pipeline against the requested release.
  - id: scan
    pipeline: audit-security
    input: "{{input}}"

  # Step 2: choose a follow-up based on the scan's reported risk level.
  - id: triage
    dependencies: [scan]
    branch:
      # NOTE(review): a YAML 1.1 loader reads the bare key `on` as boolean
      # true; confirm the pipeline loader treats it as a string key.
      on: "{{scan.output.risk_level}}"
      # Four values are mapped. What happens when risk_level is missing or
      # has any other value is not visible here; confirm the run fails
      # closed rather than proceeding to the gate as if nothing was found.
      cases:
        critical: impl-hotfix
        high: impl-hotfix
        medium: impl-improve
        # Presumably `skip` runs no fix pipeline, so low-severity findings
        # reach the approval gate unremediated - verify that is intended.
        low: skip

  # Step 3: manual approval before the release continues.
  - id: gate
    dependencies: [triage]
    gate:
      type: approval
      message: "Review security fixes before release"
      # Behaviour on expiry is not defined in this file; confirm that an
      # unanswered approval after 4h rejects the run and does not approve it.
      timeout: "4h"