#!/bin/bash
OUT=/var/www/html/api/agent-github-pat-watcher.json
# Check if token is set
TOKEN_SET=$(grep -c "^GITHUB_PAT=ghp_" /etc/weval/secrets.env 2>/dev/null || echo 0)
# Try git push test (dry-run)
cd /var/www/html 2>/dev/null
GIT_STATUS=$(git ls-remote --exit-code origin main 2>&1 | head -c 50)
[[ "$GIT_STATUS" =~ ^[0-9a-f]+ ]] && HEALTH="OK" || HEALTH="FAILED"

cat > $OUT << EOJ
{
  "agent": "V61_GitHub_PAT_Watcher",
  "ts": "$(date -Iseconds)",
  "pat_configured": $([[ $TOKEN_SET -gt 0 ]] && echo true || echo false),
  "last_push_health": "$HEALTH",
  "remote_probe": "$(echo $GIT_STATUS | head -c 40)",
  "urgency": "$([[ $HEALTH = OK ]] && echo LOW || echo HIGH)",
  "next_step_owner": "$([[ $HEALTH = OK ]] && echo 'none - token live' || echo 'Yacine renew PAT on github.com/settings/tokens')",
  "cron": "daily 10:00"
}
EOJ
chown www-data:www-data $OUT 2>/dev/null
cat $OUT