#!/usr/bin/env bash
set -euo pipefail
REPO=gbharg/exult-agent
PR=67
reply() { gh api "repos/$REPO/pulls/$PR/comments/$1/replies" -f body="$2" >/dev/null; echo "replied $1"; }
resolve() { gh api graphql -f query='mutation($id:ID!){resolveReviewThread(input:{threadId:$id}){thread{isResolved}}}' -f id="$1" >/dev/null; echo "resolved $1"; }

reply 3431601738 "Addressed in 7b4a9cc: pinPractice now fails closed — a non-OK response (or fetch error) when CUROGRAM_PRACTICE_ID is set clears the session and throws, so the server never proceeds against the default tenant."
resolve PRRT_kwDOR5bkYM6KXLFO

reply 3431601741 "Addressed in 7b4a9cc: revealing raw SIP credentials now also requires EXULT_RC_ALLOW_SECRET_READS=1, a startup-only operator gate the caller cannot self-grant. The self-returned approval_text alone is no longer sufficient; default reads stay redacted."
resolve PRRT_kwDOR5bkYM6KXLFP

reply 3431601743 "The RC security concerns themselves are now addressed (approval-text gates, SIP redaction + operator env gate). Whether to split the RingCentral changes into a separate PR is a structural/scope decision I'm leaving for Gautam rather than rewriting history unilaterally. Flagging for his call; leaving open."

echo "DONE4"