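#!/usr/bin/env bash
# task-2463 P0-1/P0-2: single wrapper around `gh pr merge`. Blocks the merge
# when it was not invoked through taskctl.
# Every merge call is expected to go through this wrapper, and the caller is
# expected to identify itself as taskctl.
#
# Usage:
#   TASKCTL_INVOKED=1 MERGE_CALLER=<caller> bash scripts/safe_pr_merge.sh <pr_number> <task_id> [merge_method]
#
# NOTE(review): TASKCTL_INVOKED and MERGE_CALLER are plain environment
# variables, so they are self-declared by whoever starts this script. They
# guard against accidental direct use and feed the audit record; they are not
# authentication. Enforcement that cannot be skipped has to live server-side
# (branch protection / required reviews, scoped credentials).
set -euo pipefail

PR_NUMBER="${1:?pr_number required}"
TASK_ID="${2:?task_id required}"
MERGE_METHOD="${3:-merge}"
WORKSPACE="${WORKSPACE:-$(git rev-parse --show-toplevel 2>/dev/null || echo /home/jay/workspace)}"

# 0) task-2463 P0-1: require TASKCTL_INVOKED=1 (block calls not made via taskctl)
if [[ "${TASKCTL_INVOKED:-}" != "1" ]]; then
    echo "[BLOCKED] safe_pr_merge.sh: TASKCTL_INVOKED 미설정 — taskctl 우회 시도 차단 (task-2463 P0-1)" >&2
    echo "[HARD-GATE] taskctl not invoked — merge blocked" >&2
    exit 1
fi

# 1) Require the MERGE_CALLER environment variable
if [[ -z "${MERGE_CALLER:-}" ]]; then
    echo "[BLOCKED] safe_pr_merge.sh: MERGE_CALLER 환경변수 미설정 — wrapper 우회 시도 차단" >&2
    exit 1
fi

# 1a) Validate positional inputs before they reach an API path or a file path.
# PR_NUMBER is interpolated into the REST path below, so only digits are
# accepted; this also guarantees the PR that is checked for a review is the
# same PR that gets merged.
if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
    echo "[BLOCKED] safe_pr_merge.sh: invalid pr_number: $PR_NUMBER" >&2
    exit 1
fi
# TASK_ID becomes a directory name under the evidence root; it must be a
# single path component so the record cannot be written elsewhere.
case "$TASK_ID" in
    */* | . | ..)
        echo "[BLOCKED] safe_pr_merge.sh: invalid task_id: $TASK_ID" >&2
        exit 1
        ;;
esac

# 2) Check that a Gemini review exists on the PR.
# Any failure (gh error, unparsable JSON) is treated as "no review" so the
# gate fails closed. per_page=100 is the API maximum; reviews beyond the first
# 100 are not inspected.
# NOTE(review): this checks existence only. The review state and the commit it
# was made on are not compared with the PR head, so a review that predates the
# latest push still satisfies the gate.
REPO=$(gh repo view --json nameWithOwner --jq .nameWithOwner 2>/dev/null || true)
REVIEWS=$(gh api "repos/${REPO}/pulls/${PR_NUMBER}/reviews?per_page=100" 2>/dev/null || echo "[]")
# The login match is a substring match, so the reviewer must also be a
# GitHub App account (user.type == "Bot"); an ordinary user account whose
# name merely contains the string does not count. A review with a null user
# is skipped instead of aborting the whole check.
HAS_GEMINI=$(printf '%s' "$REVIEWS" | python3 -c '
import json
import sys


def is_gemini(review):
    user = review.get("user") or {}
    login = (user.get("login") or "").lower()
    return user.get("type") == "Bot" and "gemini-code-assist" in login


try:
    reviews = json.load(sys.stdin)
    print("1" if any(is_gemini(r) for r in reviews) else "0")
except Exception:
    print("0")
')
if [[ "$HAS_GEMINI" != "1" ]]; then
    echo "[BLOCKED] safe_pr_merge.sh: gemini-code-assist 리뷰 0건 — merge 차단 (PR=$PR_NUMBER, task-2463 P0-3)" >&2
    exit 1
fi

# 3) Validate MERGE_METHOD (it is turned into a gh flag below)
case "$MERGE_METHOD" in
    merge|squash|rebase) ;;
    *)
        echo "[BLOCKED] safe_pr_merge.sh: invalid merge method: $MERGE_METHOD" >&2
        exit 1
        ;;
esac

# 4) Record evidence of the merge request.
# Values are handed to Python as arguments and the script text is a quoted
# heredoc, so nothing caller-supplied is ever parsed as Python source.
# NOTE(review): the file name has one-second resolution; two merges for the
# same task within the same second overwrite each other's record.
EVIDENCE_DIR="$WORKSPACE/.tasks/evidence/${TASK_ID}"
mkdir -p -- "$EVIDENCE_DIR"
TS=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
EVIDENCE_FILE="$EVIDENCE_DIR/merge-${TS}.json"
python3 - "$EVIDENCE_FILE" "$TASK_ID" "$PR_NUMBER" "$MERGE_METHOD" \
    "$MERGE_CALLER" "$TASKCTL_INVOKED" "$TS" <<'PY'
import json
import sys

path, task_id, pr_number, merge_method, merge_caller, taskctl_invoked, ts = sys.argv[1:8]
record = {
    "task_id": task_id,
    "pr_number": pr_number,
    "merge_method": merge_method,
    "merge_caller": merge_caller,
    "taskctl_invoked": taskctl_invoked,
    "timestamp": ts,
    "wrapper": "scripts/safe_pr_merge.sh",
}
with open(path, "w", encoding="utf-8") as fh:
    json.dump(record, fh, ensure_ascii=False, indent=2)
PY

echo "[safe_pr_merge] caller=$MERGE_CALLER pr=$PR_NUMBER method=$MERGE_METHOD evidence=$EVIDENCE_FILE"
exec gh pr merge "$PR_NUMBER" "--$MERGE_METHOD" --delete-branch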
