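#!/bin/bash
#
# Push inou + Clavitor findings to Mission Control as inbox tasks, using
# direct API calls with curl. Requires: bash, curl (>= 7.55.0 for
# `-H @file`), jq.
#
# Security notes:
#   * The API key is read from KEY_FILE and handed to curl through a file
#     descriptor, never as a command-line argument, so it does not show up
#     in `ps` output or in /proc/<pid>/cmdline for other local users.
#   * Never echo key material, not even a prefix: a truncated key in a
#     terminal scrollback or CI log still narrows the search space.
#   * MC_URL is plain HTTP. That is acceptable only because it is loopback;
#     do not point it at a remote host without TLS, or the key and the
#     finding details travel in cleartext.
#   * This file contains details of findings that may still be unremediated.
#     Keep it out of shared or public repositories and restrict its
#     permissions the same way as the scan reports it was derived from.
#   * Task creation is not idempotent: re-running the script files every
#     task again.

set -u

readonly MC_URL="http://localhost:9400"
readonly KEY_FILE="/home/johan/mission-control/.data/.auto-generated"

# Number of tasks that could not be created; drives the exit status.
failed=0

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

for tool in curl jq; do
  command -v "$tool" >/dev/null || die "required tool not found: $tool"
done

[[ -r "$KEY_FILE" ]] || die "cannot read API key file: $KEY_FILE"

# -m 1: use the first API_KEY line only instead of concatenating duplicates.
# -f2-: keep everything after the first '=', so keys containing '=' (for
#       example base64 padding) are not truncated.
API_KEY=$(grep -m 1 '^API_KEY=' "$KEY_FILE" | cut -d= -f2- | tr -d '\n\r')
[[ -n "$API_KEY" ]] || die "no API_KEY entry found in $KEY_FILE"
readonly API_KEY

#######################################
# Run curl against Mission Control with the API key header attached.
# The header is supplied via process substitution (`-H @/dev/fd/N`);
# printf is a shell builtin, so the key never appears in any argv.
# Globals:   API_KEY (read)
# Arguments: any further curl arguments
# Outputs:   curl's stdout; transport errors go to stderr (-S)
#######################################
mc_curl() {
  curl -sS -H @<(printf 'x-api-key: %s\n' "$API_KEY") "$@"
}

#######################################
# Reduce an API response body to a short, printable error summary.
# Falls back to the raw text when the body is not valid JSON (for example
# an HTML error page or an empty reply from a failed connection).
# Arguments: $1 - raw response body
# Outputs:   at most 100 characters on stdout
#######################################
summarize_error() {
  local raw=$1
  local msg
  msg=$(jq -r '.error // .message // . // "unknown error"' <<<"$raw" 2>/dev/null) || msg=$raw
  [[ -n "$msg" ]] || msg="unknown error"
  printf '%s' "${msg:0:100}"
}

echo "Pushing Clavitor and inou findings to Mission Control..."
echo ""

# First, test auth. If the key is rejected every POST below would fail the
# same way, so stop here rather than replaying the findings 17 times.
echo "Testing API connection..."
auth_test=$(mc_curl -X GET "$MC_URL/api/auth/me")

if grep -q '"id":' <<<"$auth_test"; then
  echo "  ✓ Authentication working"
else
  echo "  ✗ Auth failed: $(summarize_error "$auth_test")"
  echo ""
  die "Aborting: Mission Control did not accept the API key."
fi
echo ""

#######################################
# Create one task in Mission Control.
# Globals:   MC_URL (read), failed (incremented on error)
# Arguments: $1 - title
#            $2 - description; literal "\n" sequences become newlines
#            $3 - priority
#            $4 - comma-separated tags
#            $5 - metadata as a JSON object string (invalid JSON -> {})
# Outputs:   progress and result lines on stdout
# Returns:   0 on success, 1 if the API did not answer 200/201
#######################################
create_task() {
  local title=$1
  # Bash does not expand "\n" inside double quotes, so the callers below pass
  # a literal backslash-n. Convert it here; otherwise jq encodes it as "\\n"
  # and the task shows the two characters instead of a line break.
  local desc=${2//\\n/$'\n'}
  local priority=$3
  local tags=$4
  local meta=$5
  local body response http_code body_response task_id

  # Build the JSON body with jq so every field is escaped correctly.
  body=$(jq -n \
    --arg title "$title" \
    --arg desc "$desc" \
    --arg priority "$priority" \
    --arg tags "$tags" \
    --arg meta "$meta" \
    '{
      title: $title,
      description: $desc,
      priority: $priority,
      status: "inbox",
      tags: ($tags | split(",")),
      metadata: ($meta | fromjson? // {})
    }')

  echo "Creating: ${title:0:50}..."

  # The body goes in on stdin rather than as an argument, keeping the
  # finding text out of the process list as well. -w appends the HTTP
  # status on its own final line.
  response=$(mc_curl -w '\n%{http_code}' -X POST "$MC_URL/api/tasks" \
    -H "Content-Type: application/json" \
    --data-binary @- <<<"$body")

  http_code=${response##*$'\n'}
  body_response=${response%$'\n'*}

  if [[ "$http_code" == "201" || "$http_code" == "200" ]]; then
    task_id=$(jq -r '.task.id // .id // "unknown"' <<<"$body_response")
    echo "  ✓ Created task ID: $task_id"
    echo ""
    return 0
  fi

  echo "  ✗ Failed (HTTP $http_code): $(summarize_error "$body_response")"
  echo ""
  failed=$((failed + 1))
  return 1
}

# === inou SECURITY - CRITICAL ===
echo "=== inou SECURITY TASKS ==="
echo ""

create_task \
  "[CRITICAL] Remove hardcoded auth backdoor code 250365" \
  "Security scan found hardcoded verification code '250365' in api_mobile.go:128 allowing universal authentication bypass. This bypasses entire email verification security control.\n\nLocation: /repos/inou-portal/portal/api_mobile.go:127-128\n\nAction: Remove backdoor code immediately." \
  "critical" \
  "inou,security,auth,backdoor" \
  '{"source": "shannon-scan-2026-02-14", "finding_id": "AUTH-VULN-01"}'

create_task \
  "[CRITICAL] Add rate limiting to auth endpoints" \
  "All five authentication endpoints lack rate limiting:\n- POST /send-code\n- POST /verify\n- POST /api/v1/auth/send\n- POST /api/v1/auth/verify\n- POST /oauth/token\n\nNo CAPTCHA, account lockout, or failed attempt tracking. Enables brute-force attacks.\n\nAction: Implement rate limiting middleware in defense.go" \
  "critical" \
  "inou,security,auth,rate-limiting" \
  '{"source": "shannon-scan-2026-02-14"}'

create_task \
  "[HIGH] Fix session management vulnerabilities" \
  "Multiple session flaws:\n1. Session identifiers never rotated on login (session fixation)\n2. Logout only clears client-side cookies without server-side invalidation\n3. Session tokens lack Cache-Control headers\n\nAction: Implement proper session lifecycle management." \
  "high" \
  "inou,security,session" \
  '{"source": "shannon-scan-2026-02-14"}'

create_task \
  "[HIGH] XSS vulnerability in DICOM series display" \
  "XSS found in series_desc rendering. JavaScript payload injection via DICOM metadata.\n\nAction: Implement HTML entity encoding in /api/series responses." \
  "high" \
  "inou,security,xss,dicom" \
  '{"source": "shannon-scan-2026-02-14"}'

create_task \
  "[MEDIUM] Enforce HTTPS and add HSTS headers" \
  "Application runs on HTTP without enforcing HTTPS at application layer. Missing HSTS headers.\n\nAction: Add HTTPS redirect middleware and HSTS headers." \
  "medium" \
  "inou,security,https,hsts" \
  '{"source": "shannon-scan-2026-02-14"}'

# === inou BUGS ===
echo "=== inou BUG TASKS ==="
echo ""

create_task \
  "[BUG] DICOM VR mismatch on Siemens MAGNETOM Sola MRIs" \
  "DICOM parsing fails for Siemens MAGNETOM Sola with VR (Value Representation) mismatch errors.\n\nStatus: PARKED — needs attention when ready.\n\nNote: May be related to specific Siemens private tags or VR parsing." \
  "medium" \
  "inou,bug,dicom,siemens" \
  '{"source": "working-context-2026-03-22"}'

create_task \
  "[BUG] LOINC matching not working in Labs" \
  "Lab charts not showing properly. LOINC matching failing.\n\nRoot cause: Production DB has 0 entries with loinc in data JSON. Normalize() reports 'all entries already normalized' because SearchKey2 is set.\n\nAction: Investigate LOINC data population in lab import pipeline." \
  "medium" \
  "inou,bug,labs,loinc" \
  '{"source": "memory/2026-02-24.md"}'

create_task \
  "[CLEANUP] inou has 18 uncommitted files" \
  "Repository has 18 uncommitted files (work in progress).\n\nAction: Review, commit, or stash changes. Ensure nothing critical is lost." \
  "low" \
  "inou,git,cleanup" \
  '{"source": "working-context-2026-03-22"}'

# === Clavitor/vault1984 SECURITY ===
echo "=== Clavitor/vault1984 TASKS ==="
echo ""

create_task \
  "[SECURITY] Port 8888 dev server exposed on all interfaces" \
  "Clavitor design-system dev server (port 8888) running on 0.0.0.0 — all interfaces. Compiled and left running since Mar 22 morning.\n\nAction: Kill dev server when not actively developing. Or bind to localhost only." \
  "high" \
  "clavitor,security,dev-server,vault1984" \
  '{"source": "security-scan-2026-03-22"}'

create_task \
  "[SECURITY] Verify VNC password on port 5900" \
  "x11vnc running on port 5900 — all interfaces since Mar 18.\n\nStatus: Needs verification that password is set (was NO PASSWORD in earlier scan).\n\nAction: Verify password protection. Kill if not needed." \
  "high" \
  "forge,security,vnc,vault1984" \
  '{"source": "security-scan-2026-03-22"}'

create_task \
  "[GIT] vault1984/Clavitor unpushed commits" \
  "Repository has commits pending push to origin.\n\nAction: Review and push when ready." \
  "low" \
  "clavitor,git,sync" \
  '{"source": "git-audit-2026-03-22"}'

# === INFRASTRUCTURE ===
echo "=== INFRASTRUCTURE TASKS ==="
echo ""

create_task \
  "[BLOCKED] Hugo bot token needed" \
  "Hugo (DJ Rosie PR agent) waiting for Discord bot token since Mar 17 (5+ days).\n\nAction: Johan to provide Discord bot token for Hugo." \
  "medium" \
  "hugo,discord,blocked,rozie" \
  '{"source": "MEMORY.md", "since": "2026-03-17"}'

create_task \
  "[BLOCKED] Cloudflare Browser Rendering token invalid" \
  "Cloudflare Browser Rendering API token is invalid/expired.\n\nAction: Get new token from dash.cloudflare.com and update config." \
  "medium" \
  "cloudflare,token,blocked" \
  '{"source": "MEMORY.md"}'

create_task \
  "[BLOCKED] Create GitHub org 'clavitor'" \
  "Need to create GitHub organization 'clavitor' for project hosting.\n\nRequires token with admin:org scope.\n\nAction: Create org or provide token." \
  "low" \
  "github,clavitor,org,blocked" \
  '{"source": "MEMORY.md"}'

create_task \
  "[MAINTENANCE] Kernel reboot pending (6.8.0-106)" \
  "Kernel 6.8.0-106-generic installed (Mar 13) but not yet running.\n\nAction: Reboot at convenient time to apply updates." \
  "low" \
  "forge,kernel,reboot" \
  '{"source": "MEMORY.md", "since": "2026-03-13"}'

# Report honestly: the success banner is printed only when every POST
# succeeded, and the exit status reflects failures for callers and cron.
if ((failed > 0)); then
  echo "=== DONE: $failed TASK(S) FAILED ==="
  exit 1
fi

echo "=== ALL TASKS CREATED ==="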