#!/usr/bin/env bash
set -euo pipefail

if [[ $# -lt 1 ]]; then
  echo "Usage: $0 <task-status-json-or-handoff-text> [extra prompt]" >&2
  exit 2
fi

STATUS_FILE="$1"
EXTRA_PROMPT="${2:-}"

if [[ ! -f "$STATUS_FILE" ]]; then
  echo "Missing status/handoff file: $STATUS_FILE" >&2
  exit 2
fi

ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
STAMP="$(date -u +%Y%m%dT%H%M%SZ)"
OUT_DIR="${ROOT}/Saved/AiEscalations/${STAMP}"
mkdir -p "$OUT_DIR"

PROMPT_FILE="${OUT_DIR}/codex_prompt.txt"
LOG_FILE="${OUT_DIR}/codex_exec.log"
BYPASS_LOG_FILE="${OUT_DIR}/codex_exec_bypass.log"

{
  echo "You are Codex being called as an escalation worker for Agrarian."
  echo "Use the repository at: ${ROOT}"
  echo
  echo "Local AI stopped and requested escalation. Review the status below,"
  echo "inspect the repo, make only the needed changes, run verification, and"
  echo "summarize the result. Do not hide uncertainty."
  echo
  echo "Status / handoff:"
  cat "$STATUS_FILE"
  if [[ -n "$EXTRA_PROMPT" ]]; then
    echo
    echo "Extra prompt:"
    echo "$EXTRA_PROMPT"
  fi
} > "$PROMPT_FILE"

echo "Prompt written to ${PROMPT_FILE}"

run_codex_sandboxed() {
  if command -v codex >/dev/null 2>&1; then
    codex exec --sandbox workspace-write -C "$ROOT" - < "$PROMPT_FILE" 2>&1 | tee "$LOG_FILE"
  else
    npx -y @openai/codex exec --sandbox workspace-write -C "$ROOT" - < "$PROMPT_FILE" 2>&1 | tee "$LOG_FILE"
  fi
}

run_codex_bypass() {
  {
    echo "LinaAI note: Codex sandbox failed inside the isolated LinaAI VM."
    echo "Retrying with Codex sandbox bypass so escalation can inspect/run commands."
    echo "This should only be used from LinaAI, not shared production hosts."
    echo
    if command -v codex >/dev/null 2>&1; then
      codex exec --dangerously-bypass-approvals-and-sandbox -C "$ROOT" - < "$PROMPT_FILE"
    else
      npx -y @openai/codex exec --dangerously-bypass-approvals-and-sandbox -C "$ROOT" - < "$PROMPT_FILE"
    fi
  } 2>&1 | tee "$BYPASS_LOG_FILE"
}

run_codex_sandboxed

if grep -q "bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted" "$LOG_FILE"; then
  run_codex_bypass
  echo "Codex escalation bypass log written to ${BYPASS_LOG_FILE}"
else
  echo "Codex escalation log written to ${LOG_FILE}"
fi