#!/usr/bin/env bash
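# Abort on the first failing command, on use of an unset variable, and on a
# failure in any stage of a pipeline.
set -euo pipefail

# Target of every API call in this script. Marked readonly so that a later
# assignment cannot silently point the replies and thread resolutions at a
# different repository or pull request.
readonly REPO=gbharg/exult-agent # owner/name of the repository
readonly PR=67                   # pull request number within REPO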

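#######################################
# Post a reply to one review comment on the pull request.
# Usage:     reply <comment_db_id> <body>
# Globals:   REPO (read), PR (read)
# Arguments: $1 - numeric database id of the review comment being answered
#            $2 - reply text
# Outputs:   "replied to <id>" on stdout; usage errors on stderr
# Returns:   0 on success, 2 on a malformed id or an empty body, otherwise
#            the exit status of gh
#######################################
reply() {
  local comment_id=${1-} body=${2-}

  # The id becomes a path segment of the REST URL, so accept digits only;
  # any other character could make the request address a different endpoint.
  if [[ ! $comment_id =~ ^[0-9]+$ ]]; then
    printf 'reply: comment id must be numeric, got %q\n' "$comment_id" >&2
    return 2
  fi
  if [[ -z $body ]]; then
    printf 'reply: empty body for comment %s\n' "$comment_id" >&2
    return 2
  fi

  # -f sends body as a literal string field; unlike -F it does not read
  # "@file" values or convert types, so the text is posted exactly as given.
  # Report success only when gh succeeded.
  gh api "repos/${REPO}/pulls/${PR}/comments/${comment_id}/replies" \
    -f body="$body" >/dev/null || return
  printf 'replied to %s\n' "$comment_id"
}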

#######################################
# Mark one review thread of the pull request as resolved.
# Usage:     resolve <thread_node_id>
# Arguments: $1 - GraphQL node id of the review thread
# Outputs:   "resolved <id>" on stdout
#######################################
resolve() {
  local thread_id=$1
  local mutation='mutation($id:ID!){resolveReviewThread(input:{threadId:$id}){thread{isResolved}}}'

  # The id travels as the GraphQL variable $id, separate from the query
  # text, so its contents are never parsed as part of the mutation.
  gh api graphql -f query="$mutation" -f id="$thread_id" >/dev/null
  printf 'resolved %s\n' "$thread_id"
}

# One entry per review thread on the PR: post a reply to the reviewer's
# comment (numeric comment id), then resolve the thread (thread node id).
# Presumably the two ids of each pair belong to the same thread; verify
# against the PR before running.
#
# NOTE(review): the run is not idempotent. set -e stops at the first failed
# gh call, replies already posted stay posted, and nothing here checks for an
# existing reply, so a re-run posts the earlier ones again.
# NOTE(review): nothing below checks that commit 2246410 is part of the PR
# before the threads citing it are resolved; the replies state each fix, they
# do not verify it.

# 1. .claude/settings.json: file untracked and added to .gitignore
reply 3431396021 "Addressed in 2246410: removed .claude/settings.json from tracking (git rm --cached) and added it to .gitignore so the personal rtk PreToolUse hook is no longer committed."
resolve PRRT_kwDOR5bkYM6KWnVs

# 2. update_call_queue_members: approval_text gate on the live write
reply 3431396028 "Addressed in 2246410: added an exact per-request approval_text gate (queue id + add/remove ids) on the live write; dry_run returns the exact string to confirm. Mirrors create_ai_scheduling_extension."
resolve PRRT_kwDOR5bkYM6KWnVy

# 3. set_call_queue_ring_type: approval_text required for the live PUT
reply 3431396034 "Addressed in 2246410: live PUT now requires exact approval_text (queue id + rule id + transferMode); EXULT_RC_ALLOW_WRITES + dry_run=false alone is no longer sufficient."
resolve PRRT_kwDOR5bkYM6KWnV3

# 4. set_call_queue_member_order: approval_text required for the live PUT
reply 3431396038 "Addressed in 2246410: live PUT now requires exact approval_text (queue id + rule id + ordered ids) returned by the dry_run preview."
resolve PRRT_kwDOR5bkYM6KWnV7

# 5. Relogin loop: retry cap on a persistent 401
reply 3431397856 "Addressed in 2246410: added MAX_RELOGIN=3 cap with a counter that only resets on a non-401 response, so a persistent 401 throws instead of looping."
resolve PRRT_kwDOR5bkYM6KWnpn

# 6. Locking: PID-file check-then-write replaced by flock
reply 3431397859 "Addressed in 2246410: replaced the PID-file check-then-write with a real flock advisory lock on fd 9 (exec 9>LOCK; flock -n 9). Dropped the cleanup trap since the kernel releases on exit."
resolve PRRT_kwDOR5bkYM6KWnpq

# 7. CDP cookie staleness: fail fast on 401 when only static cookies exist
reply 3431397862 "Addressed in 2246410: when only static CDP cookies are present (no user/pass), a 401 now fails fast with a re-harvest message instead of relogging into the same stale session."
resolve PRRT_kwDOR5bkYM6KWnpt

# 8. Input validation: ids checked against a fixed pattern before interpolation
reply 3431397864 "Addressed in 2246410: conversation_id, patient_id and message_id are now validated against /^[a-f0-9]{24}$/i before interpolation (requireObjectId/optObjectId)."
resolve PRRT_kwDOR5bkYM6KWnpu

# 9. Optional env vars: exported only when set
reply 3431397869 "Addressed in 2246410: optional CUROGRAM_* vars are now exported only when set (loop guarded with if, not &&), so unset stays undefined in the child."
resolve PRRT_kwDOR5bkYM6KWnp0

# 10. SERVER_DIR: derived from the script location, not a hardcoded path
reply 3431397878 "Addressed in 2246410: SERVER_DIR is now derived from the script location (BASH_SOURCE -> SCRIPT_DIR/../tools/curogram-mcp) instead of a hardcoded checkout path."
resolve PRRT_kwDOR5bkYM6KWnp5

# 11. message_length leak: field removed from both dry-run branches
reply 3431397883 "Addressed in 2246410: removed message_length from both dry-run branches of handleSendText."
resolve PRRT_kwDOR5bkYM6KWnp9

# 12. Token cache: allowlisted keys only, so refresh_token is not cached
reply 3431397886 "Addressed in 2246410: token cache now stores only an explicit allowlist of keys (access_token, token_type, expires_in, scope, owner_id, endpoint_id, expireTime) instead of merging the full OAuth body, so refresh_token never lands in the cache."
resolve PRRT_kwDOR5bkYM6KWnp_

# 13. approval_text is reconstructable: deferred. Reply only; there is
#     deliberately no resolve call, so this thread stays open.
reply 3431397895 "Noted. The string-equality approval_text is intentional human-in-the-loop defense-in-depth on top of EXULT_RC_ALLOW_WRITES, not a secret. Moving to a nonce/timestamp challenge is a larger design change for the whole RC write surface; flagging for Gautam to decide separately. Leaving this thread open."

# 14. _validate_id coverage: confirmed by the author, no code change
reply 3431397897 "Confirmed: _validate_id is applied to queue_id (and every id/array item) across all three new write tools before interpolation. No change needed."
resolve PRRT_kwDOR5bkYM6KWnqF

# 15. Startup log: emitted only after a successful bind
reply 3431397903 "Addressed in 2246410: the 'server started' log moved inside the try block after serveMcpOverHttp returns (it binds synchronously via Bun.serve, which throws on conflict), so it only logs on a successful bind."
resolve PRRT_kwDOR5bkYM6KWnqI

# 16. Teams banner: per-subsystem skip logs merged into one startup banner
reply 3431397908 "Addressed in 2246410: consolidated the four per-subsystem HTTP_ONLY skip logs into a single startup banner."
resolve PRRT_kwDOR5bkYM6KWnqN

# 17. flock comment mismatch: header comment now matches the code
reply 3431398573 "Addressed in 2246410: the script now actually uses flock, so the header comment is accurate."
resolve PRRT_kwDOR5bkYM6KWnx6

# Reached only if every gh call above succeeded (set -e aborts otherwise).
echo "ALL DONE"
