agw

#!/bin/bash
# ==============================================================================
# UnitOne AgentGateway - Unified CLI
# ==============================================================================
#
# Single entry point for all AgentGateway operations.
#
# Usage:
#   ./agw <command> [options]
#
# Commands:
#   setup          Interactive first-time setup
#   scope          Manage deployment scopes (dev, staging, prod)
#   auth           Configure OAuth authentication
#   build          Build and push image to ACR
#   deploy         Deploy to Azure Container Apps
#   test           Run E2E tests locally
#   test-servers   Deploy/manage test servers
#   logs           View container logs
#   status         Show deployment status
#   help           Show this help
#
# Examples:
#   ./agw setup                    # First-time setup wizard
#   ./agw scope set dev            # Switch to dev scope
#   ./agw build                    # Build and push to ACR
#   ./agw deploy                   # Deploy latest image
#   ./agw test                     # Run E2E tests locally
#   ./agw logs                     # Stream container logs
#
# ==============================================================================

set -e

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
cd "$SCRIPT_DIR"

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
BOLD='\033[1m'
NC='\033[0m'

# ==============================================================================
# Helper Functions
# ==============================================================================

print_header() {
    echo ""
    echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
    echo -e "${BOLD}${CYAN}  $1${NC}"
    echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
    echo ""
}

print_step() { echo -e "${CYAN}▶${NC} $1"; }
print_success() { echo -e "${GREEN}✓${NC} $1"; }
print_warning() { echo -e "${YELLOW}⚠${NC} $1"; }
print_error() { echo -e "${RED}✗${NC} $1"; }
print_info() { echo -e "${BLUE}ℹ${NC} $1"; }

# ==============================================================================
# Scope Management Functions
# ==============================================================================

# New structure: terraform/scopes/{global,users/<username>}/*.env
# Resolution order: users/<username>/<scope>.env -> global/<scope>.env
AGW_LOCAL_CONFIG_DIR=".agw"
AGW_CURRENT_FILE="${AGW_LOCAL_CONFIG_DIR}/current"
AGW_SCOPES_DIR="terraform/scopes"
AGW_GLOBAL_SCOPES_DIR="${AGW_SCOPES_DIR}/global"
AGW_USER_SCOPES_DIR="${AGW_SCOPES_DIR}/users"

# Get current username for user-specific scopes
get_username() {
    whoami 2>/dev/null || echo "${USER:-unknown}"
}

# Get current scope name
get_current_scope() {
    if [ -f "$AGW_CURRENT_FILE" ]; then
        cat "$AGW_CURRENT_FILE"
    fi
}

# Find scope file with resolution order: user -> global
find_scope_file() {
    local scope=$1
    local username=$(get_username)

    # First check user-specific scope
    if [ -f "${AGW_USER_SCOPES_DIR}/${username}/${scope}.env" ]; then
        echo "${AGW_USER_SCOPES_DIR}/${username}/${scope}.env"
        return
    fi

    # Fall back to global scope
    if [ -f "${AGW_GLOBAL_SCOPES_DIR}/${scope}.env" ]; then
        echo "${AGW_GLOBAL_SCOPES_DIR}/${scope}.env"
        return
    fi

    # Legacy: check old location for backwards compatibility
    if [ -f "${AGW_LOCAL_CONFIG_DIR}/scopes/${scope}.env" ]; then
        echo "${AGW_LOCAL_CONFIG_DIR}/scopes/${scope}.env"
        return
    fi
}

# Get config value for current scope
get_scope_config() {
    local key=$1
    local scope=$(get_current_scope)
    local scope_file=$(find_scope_file "$scope")

    if [ -n "$scope_file" ] && [ -f "$scope_file" ]; then
        grep "^${key}=" "$scope_file" 2>/dev/null | cut -d'=' -f2-
    fi
}

# Get config - reads from scope config, maps common names to scope config keys
get_config() {
    local key=$1
    case "$key" in
        acr_name) get_scope_config "AGW_ACR_NAME" ;;
        container_app_name) get_scope_config "AGW_CONTAINER_APP" ;;
        resource_group_name) get_scope_config "AGW_RESOURCE_GROUP" ;;
        container_app_env_name) get_scope_config "AGW_CONTAINER_APP_ENV" ;;
        *) get_scope_config "AGW_$(echo "$key" | tr '[:lower:]' '[:upper:]')" ;;
    esac
}

# Initialize config directories
init_config_dir() {
    mkdir -p "$AGW_LOCAL_CONFIG_DIR"
    mkdir -p "$AGW_GLOBAL_SCOPES_DIR"
    mkdir -p "${AGW_USER_SCOPES_DIR}/$(get_username)"
}

# Get terraform outputs if available (only used for scope import)
get_tf_output_raw() {
    local key=$1
    if [ -f "terraform/terraform.tfstate" ] || [ -d "terraform/.terraform" ]; then
        (cd terraform && terraform output -raw "$key" 2>/dev/null) || echo ""
    fi
}

# Get config value - prefers scope config, falls back to terraform
get_tf_output() {
    local key=$1

    # First try scope config
    local scope_value=$(get_config "$key")
    if [ -n "$scope_value" ]; then
        echo "$scope_value"
        return
    fi

    # Fall back to terraform
    get_tf_output_raw "$key"
}

# Get scope/stamp identifier for this deployment
get_scope() {
    # First check for configured scope
    local scope=$(get_current_scope)
    if [ -n "$scope" ]; then
        # Return scope name with container app name if available
        local app_name=$(get_scope_config "AGW_CONTAINER_APP")
        if [ -n "$app_name" ]; then
            echo "$scope ($app_name)"
        else
            echo "$scope"
        fi
        return
    fi

    # Try environment variable
    if [ -n "$AGW_SCOPE" ]; then
        echo "$AGW_SCOPE"
        return
    fi

    # Try to get from terraform outputs (legacy fallback)
    local app_name=$(get_tf_output_raw container_app_name)
    if [ -n "$app_name" ]; then
        echo "$app_name"
        return
    fi

    # Not configured
    echo ""
}

# Show banner with scope
show_banner() {
    local scope=$(get_scope)
    echo ""
    echo -e "${BOLD}${BLUE}╔═══════════════════════════════════════════════════════════╗${NC}"
    if [ -n "$scope" ]; then
        echo -e "${BOLD}${BLUE}║${NC}   ${BOLD}${CYAN}UnitOne AgentGateway${NC}                                  ${BOLD}${BLUE}║${NC}"
        echo -e "${BOLD}${BLUE}║${NC}   ${YELLOW}Scope: ${scope}${NC}$(printf '%*s' $((36 - ${#scope})) '')${BOLD}${BLUE}║${NC}"
    else
        echo -e "${BOLD}${BLUE}║${NC}   ${BOLD}${CYAN}UnitOne AgentGateway${NC}                                  ${BOLD}${BLUE}║${NC}"
        echo -e "${BOLD}${BLUE}║${NC}   ${RED}Scope: Not configured (run ./agw setup)${NC}              ${BOLD}${BLUE}║${NC}"
    fi
    echo -e "${BOLD}${BLUE}╚═══════════════════════════════════════════════════════════╝${NC}"
}

# ==============================================================================
# Commands
# ==============================================================================

cmd_help() {
    cat << 'EOF'
UnitOne AgentGateway CLI

Usage:
  ./agw <command> [options]

Commands:
  setup              Interactive first-time setup wizard
  scope              Manage deployment scopes (dev, staging, prod)
  auth               Configure OAuth authentication
  build              Build and push image to ACR
  deploy             Deploy to Azure Container Apps
  test               Run E2E tests locally with Docker
  test-servers       Deploy test servers to Azure
  logs               View container logs
  status             Show deployment status
  help               Show this help

Build Options:
  ./agw build                     Build with ACR Cloud Build
  ./agw build --local             Build locally with Docker
  ./agw build --deploy            Build and deploy in one step
  ./agw build --tag v1.0.0        Build with specific tag

Deploy Options:
  ./agw deploy                    Deploy to Azure (default)
  ./agw deploy --azure            Deploy to Azure Container Apps
  ./agw deploy --aws              Deploy to AWS (coming soon)
  ./agw deploy --tag v1.0.0       Deploy specific image tag

Test Options:
  ./agw test                      Run full E2E test suite
  ./agw test --skip-build         Use existing image
  ./agw test --stop               Stop test containers

Test Server Options:
  ./agw test-servers              Deploy test servers to Azure
  ./agw test-servers --local      Start test servers locally

Scope Options:
  ./agw scope                     Show current scope
  ./agw scope list                List all scopes
  ./agw scope set <name>          Switch to a scope
  ./agw scope add <name>          Add new scope interactively
  ./agw scope import --name <n>   Import from terraform outputs

Auth Options:
  ./agw auth                      Show authentication status
  ./agw auth setup                Configure OAuth providers
  ./agw auth urls                 Show OAuth callback URLs
  ./agw auth enable               Require authentication
  ./agw auth disable              Allow anonymous access

Examples:
  # First time setup
  ./agw setup

  # Build and deploy
  ./agw build --deploy

  # Run tests
  ./agw test

  # View logs
  ./agw logs --follow
EOF
}

cmd_setup() {
    print_header "AgentGateway Setup"

    echo "What would you like to do?"
    echo ""
    echo "  1) Create new environment    - Deploy infrastructure with terraform"
    echo "  2) Import existing           - Import from terraform outputs"
    echo "  3) Manual entry              - Enter resource details manually"
    echo ""
    read -rp "Choose [1-3]: " choice

    case "$choice" in
        1) setup_create_new ;;
        2) setup_import_existing ;;
        3) setup_manual_entry ;;
        *)
            print_error "Invalid choice"
            exit 1
            ;;
    esac
}

setup_create_new() {
    print_header "Create New Environment"

    # Check if terraform directory exists
    if [ ! -d "terraform" ]; then
        print_error "terraform/ directory not found"
        exit 1
    fi

    # Check Azure CLI login
    print_step "Checking Azure CLI login..."
    if ! az account show &>/dev/null; then
        print_error "Not logged in to Azure CLI. Please run: az login"
        exit 1
    fi
    local subscription=$(az account show --query name -o tsv)
    print_success "Logged in to Azure: $subscription"

    echo ""
    echo "This will deploy new Azure infrastructure using terraform."
    echo ""

    # Collect deployment parameters
    read -rp "Environment name (dev/staging/prod) [dev]: " env_name
    env_name=${env_name:-dev}

    if [[ ! "$env_name" =~ ^(dev|staging|prod)$ ]]; then
        print_error "Environment must be dev, staging, or prod"
        exit 1
    fi

    read -rp "Base name prefix for resources [agw]: " base_name
    base_name=${base_name:-agw}

    local default_rg="${base_name}-${env_name}-rg"
    read -rp "Resource group name [$default_rg]: " rg_name
    rg_name=${rg_name:-$default_rg}

    read -rp "Azure region [eastus2]: " location
    location=${location:-eastus2}

    # Check if resource group exists, create if not
    echo ""
    print_step "Checking resource group..."
    if az group show --name "$rg_name" &>/dev/null; then
        print_success "Resource group exists: $rg_name"
    else
        print_step "Creating resource group: $rg_name"
        if az group create --name "$rg_name" --location "$location" --output none; then
            print_success "Created resource group: $rg_name"
        else
            print_error "Failed to create resource group"
            exit 1
        fi
    fi

    # Create terraform.tfvars
    echo ""
    print_step "Creating terraform.tfvars..."
    cat > terraform/terraform.tfvars << EOF
# Auto-generated by ./agw setup
# Environment: $env_name

environment         = "$env_name"
resource_group_name = "$rg_name"
location            = "$location"
base_name           = "$base_name"

# Initial deployment uses placeholder image
use_placeholder_image  = true
enable_sticky_sessions = true
EOF
    print_success "Created terraform/terraform.tfvars"

    # Use env_name as scope name
    local scope_name="$env_name"

    echo ""
    print_step "Step 1: Initialize Terraform"
    (cd terraform && terraform init)

    echo ""
    print_step "Step 2: Deploy Infrastructure"
    echo ""
    echo "This will create Azure resources. Review the plan and confirm."
    echo ""

    (cd terraform && terraform apply)

    if [ $? -ne 0 ]; then
        print_error "Terraform apply failed"
        exit 1
    fi

    echo ""
    print_step "Step 3: Create Scope from Outputs"

    # Read terraform outputs
    local rg_name=$(cd terraform && terraform output -raw resource_group_name 2>/dev/null)
    local app_name=$(cd terraform && terraform output -raw container_app_name 2>/dev/null)
    local acr_name=$(cd terraform && terraform output -raw acr_name 2>/dev/null)
    local env_name=$(cd terraform && terraform output -raw container_app_env_name 2>/dev/null || echo "")

    if [ -z "$rg_name" ] || [ -z "$app_name" ] || [ -z "$acr_name" ]; then
        print_error "Could not read terraform outputs"
        exit 1
    fi

    echo ""
    echo -e "  ${GREEN}✓${NC} acr_name: $acr_name"
    echo -e "  ${GREEN}✓${NC} container_app_name: $app_name"
    echo -e "  ${GREEN}✓${NC} resource_group_name: $rg_name"
    [ -n "$env_name" ] && echo -e "  ${GREEN}✓${NC} container_app_env_name: $env_name"

    echo ""
    read -rp "Scope type - (G)lobal or (P)ersonal? [G/p]: " scope_type

    if [[ "$scope_type" =~ ^[Pp]$ ]]; then
        local target_dir="${AGW_USER_SCOPES_DIR}/$(get_username)"
        local scope_type_label="personal"
    else
        local target_dir="$AGW_GLOBAL_SCOPES_DIR"
        local scope_type_label="global"
    fi

    mkdir -p "$target_dir"

    # Get URL if app exists
    local url=""
    local app_info=$(az containerapp show --name "$app_name" --resource-group "$rg_name" 2>/dev/null || echo "")
    if [ -n "$app_info" ]; then
        local fqdn=$(echo "$app_info" | jq -r '.properties.configuration.ingress.fqdn // ""')
        [ -n "$fqdn" ] && url="https://${fqdn}"
    fi

    # Write scope file
    cat > "${target_dir}/${scope_name}.env" << EOF
# Scope: $scope_name ($scope_type_label)
# Created: $(date -u +"%Y-%m-%dT%H:%M:%SZ")

# Required - identifies the deployment
AGW_RESOURCE_GROUP=$rg_name
AGW_CONTAINER_APP=$app_name
AGW_ACR_NAME=$acr_name

# Optional
AGW_CONTAINER_APP_ENV=$env_name
AGW_DESCRIPTION=Created via ./agw setup
AGW_URL=$url
EOF

    print_success "Created scope: ${target_dir}/${scope_name}.env"

    # Set as current scope
    mkdir -p "$AGW_LOCAL_CONFIG_DIR"
    echo "$scope_name" > "$AGW_CURRENT_FILE"
    print_success "Switched to scope: $scope_name"

    echo ""
    print_step "Step 4: Build & Deploy"
    read -rp "Build and deploy now? [Y/n]: " do_build

    if [[ ! "$do_build" =~ ^[Nn]$ ]]; then
        cmd_build --deploy
    fi

    echo ""
    print_success "Setup complete!"
    echo ""
    echo "Next steps:"
    echo "  git add ${target_dir}/${scope_name}.env"
    echo "  git commit -m 'Add ${scope_name} scope'"
    echo ""
    [ -n "$url" ] && echo -e "  Gateway: ${CYAN}${url}${NC}"
    [ -n "$url" ] && echo -e "  UI:      ${CYAN}${url}/ui${NC}"
}

setup_import_existing() {
    print_header "Import Existing Environment"

    echo "Import scope from terraform outputs."
    echo ""

    # Detect terraform directories
    local tf_dirs=()
    [ -f "terraform/terraform.tfstate" ] && tf_dirs+=("terraform/ (in-repo)")

    # Check for common external locations
    for env in dev staging prod; do
        local ext_path="$HOME/source_code/terraform/environments/$env/agentgateway"
        [ -f "$ext_path/terraform.tfstate" ] && tf_dirs+=("$ext_path")
    done

    if [ ${#tf_dirs[@]} -eq 0 ]; then
        print_warning "No terraform state files found"
        echo ""
        read -rp "Enter terraform directory path: " tf_dir
    elif [ ${#tf_dirs[@]} -eq 1 ]; then
        echo "Found terraform state: ${tf_dirs[0]}"
        read -rp "Use this? [Y/n]: " confirm
        if [[ "$confirm" =~ ^[Nn]$ ]]; then
            read -rp "Enter terraform directory path: " tf_dir
        else
            tf_dir="${tf_dirs[0]}"
            # Remove description suffix if present
            tf_dir="${tf_dir%% (*}"
        fi
    else
        echo "Found multiple terraform states:"
        local i=1
        for dir in "${tf_dirs[@]}"; do
            echo "  $i) $dir"
            ((i++))
        done
        echo "  $i) Other (enter path)"
        echo ""
        read -rp "Choose [1-$i]: " tf_choice

        if [ "$tf_choice" -eq "$i" ] 2>/dev/null; then
            read -rp "Enter terraform directory path: " tf_dir
        elif [ "$tf_choice" -ge 1 ] && [ "$tf_choice" -lt "$i" ] 2>/dev/null; then
            tf_dir="${tf_dirs[$((tf_choice-1))]}"
            tf_dir="${tf_dir%% (*}"
        else
            print_error "Invalid choice"
            exit 1
        fi
    fi

    # Validate terraform directory
    if [ ! -f "$tf_dir/terraform.tfstate" ] && [ ! -d "$tf_dir/.terraform" ]; then
        print_error "No terraform state found in: $tf_dir"
        exit 1
    fi

    echo ""
    print_step "Reading terraform outputs..."

    local rg_name=$(cd "$tf_dir" && terraform output -raw resource_group_name 2>/dev/null)
    local app_name=$(cd "$tf_dir" && terraform output -raw container_app_name 2>/dev/null)
    local acr_name=$(cd "$tf_dir" && terraform output -raw acr_name 2>/dev/null)
    local env_name=$(cd "$tf_dir" && terraform output -raw container_app_env_name 2>/dev/null || echo "")

    if [ -z "$rg_name" ] || [ -z "$app_name" ] || [ -z "$acr_name" ]; then
        print_error "Could not read required terraform outputs"
        exit 1
    fi

    echo ""
    echo -e "  ${GREEN}✓${NC} acr_name: $acr_name"
    echo -e "  ${GREEN}✓${NC} container_app_name: $app_name"
    echo -e "  ${GREEN}✓${NC} resource_group_name: $rg_name"
    [ -n "$env_name" ] && echo -e "  ${GREEN}✓${NC} container_app_env_name: $env_name"

    echo ""
    read -rp "Scope name: " scope_name

    if [ -z "$scope_name" ]; then
        print_error "Scope name is required"
        exit 1
    fi

    echo ""
    read -rp "Scope type - (G)lobal or (P)ersonal? [G/p]: " scope_type

    if [[ "$scope_type" =~ ^[Pp]$ ]]; then
        local target_dir="${AGW_USER_SCOPES_DIR}/$(get_username)"
        local scope_type_label="personal"
    else
        local target_dir="$AGW_GLOBAL_SCOPES_DIR"
        local scope_type_label="global"
    fi

    mkdir -p "$target_dir"

    # Check if scope already exists
    if [ -f "${target_dir}/${scope_name}.env" ]; then
        print_warning "Scope '$scope_name' already exists at ${target_dir}/${scope_name}.env"
        read -rp "Overwrite? [y/N]: " overwrite
        if [[ ! "$overwrite" =~ ^[Yy]$ ]]; then
            echo "Cancelled."
            exit 0
        fi
    fi

    # Get URL if app exists
    local url=""
    local app_info=$(az containerapp show --name "$app_name" --resource-group "$rg_name" 2>/dev/null || echo "")
    if [ -n "$app_info" ]; then
        local fqdn=$(echo "$app_info" | jq -r '.properties.configuration.ingress.fqdn // ""')
        [ -n "$fqdn" ] && url="https://${fqdn}"
    fi

    # Write scope file
    cat > "${target_dir}/${scope_name}.env" << EOF
# Scope: $scope_name ($scope_type_label)
# Imported from: $tf_dir
# Created: $(date -u +"%Y-%m-%dT%H:%M:%SZ")

# Required - identifies the deployment
AGW_RESOURCE_GROUP=$rg_name
AGW_CONTAINER_APP=$app_name
AGW_ACR_NAME=$acr_name

# Optional
AGW_CONTAINER_APP_ENV=$env_name
AGW_DESCRIPTION=Imported from terraform
AGW_URL=$url
EOF

    echo ""
    print_success "Created scope: ${target_dir}/${scope_name}.env"

    # Ask to switch
    read -rp "Set as current scope? [Y/n]: " set_current
    if [[ ! "$set_current" =~ ^[Nn]$ ]]; then
        mkdir -p "$AGW_LOCAL_CONFIG_DIR"
        echo "$scope_name" > "$AGW_CURRENT_FILE"
        print_success "Switched to scope: $scope_name"
    fi

    echo ""
    echo "Next steps:"
    echo "  git add ${target_dir}/${scope_name}.env"
    echo "  git commit -m 'Add ${scope_name} scope'"
}

setup_manual_entry() {
    print_header "Manual Entry"

    echo "Enter the Azure resource details manually."
    echo ""

    read -rp "Scope name (e.g., dev, staging, prod): " scope_name

    if [ -z "$scope_name" ]; then
        print_error "Scope name is required"
        exit 1
    fi

    if [[ ! "$scope_name" =~ ^[a-zA-Z0-9_-]+$ ]]; then
        print_error "Invalid scope name. Use only letters, numbers, dashes, and underscores."
        exit 1
    fi

    echo ""
    read -rp "Resource Group: " rg_name
    read -rp "Container App Name: " app_name
    read -rp "ACR Name: " acr_name
    echo ""
    read -rp "Description (optional): " description
    read -rp "Gateway URL (optional): " url

    if [ -z "$rg_name" ] || [ -z "$app_name" ] || [ -z "$acr_name" ]; then
        print_error "Resource Group, Container App, and ACR Name are required."
        exit 1
    fi

    echo ""
    read -rp "Scope type - (G)lobal or (P)ersonal? [G/p]: " scope_type

    if [[ "$scope_type" =~ ^[Pp]$ ]]; then
        local target_dir="${AGW_USER_SCOPES_DIR}/$(get_username)"
        local scope_type_label="personal"
    else
        local target_dir="$AGW_GLOBAL_SCOPES_DIR"
        local scope_type_label="global"
    fi

    mkdir -p "$target_dir"

    # Check if scope already exists
    if [ -f "${target_dir}/${scope_name}.env" ]; then
        print_warning "Scope '$scope_name' already exists"
        read -rp "Overwrite? [y/N]: " overwrite
        if [[ ! "$overwrite" =~ ^[Yy]$ ]]; then
            echo "Cancelled."
            exit 0
        fi
    fi

    # Write scope file
    cat > "${target_dir}/${scope_name}.env" << EOF
# Scope: $scope_name ($scope_type_label)
# Created: $(date -u +"%Y-%m-%dT%H:%M:%SZ")

# Required - identifies the deployment
AGW_RESOURCE_GROUP=$rg_name
AGW_CONTAINER_APP=$app_name
AGW_ACR_NAME=$acr_name

# Optional - for display
AGW_DESCRIPTION=$description
AGW_URL=$url
EOF

    echo ""
    print_success "Created scope: ${target_dir}/${scope_name}.env"

    # Set as current scope
    mkdir -p "$AGW_LOCAL_CONFIG_DIR"
    echo "$scope_name" > "$AGW_CURRENT_FILE"
    print_success "Switched to scope: $scope_name"

    echo ""
    echo "Next steps:"
    echo "  git add ${target_dir}/${scope_name}.env"
    echo "  git commit -m 'Add ${scope_name} scope'"
}

cmd_build() {
    local LOCAL_BUILD=false
    local DEPLOY=false
    local TAG="latest"
    local NO_CACHE=""

    # Parse arguments
    while [[ $# -gt 0 ]]; do
        case $1 in
            --local) LOCAL_BUILD=true; shift ;;
            --deploy) DEPLOY=true; shift ;;
            --tag) TAG="$2"; shift 2 ;;
            --no-cache) NO_CACHE="--no-cache"; shift ;;
            -h|--help)
                echo "Usage: ./agw build [--local] [--deploy] [--tag TAG] [--no-cache]"
                exit 0
                ;;
            *) print_error "Unknown option: $1"; exit 1 ;;
        esac
    done

    # Get ACR name
    ACR_NAME=$(get_tf_output acr_name)
    if [ -z "$ACR_NAME" ]; then
        ACR_NAME="${ACR_NAME:-$ACR_REGISTRY}"
    fi

    if [ -z "$ACR_NAME" ]; then
        print_error "ACR name not found. Run './agw setup' first or set ACR_REGISTRY env var."
        exit 1
    fi

    # Check if submodule is initialized
    if [ ! -f "agentgateway/Cargo.toml" ]; then
        print_error "agentgateway submodule not initialized."
        echo ""
        echo "Run: git submodule update --init --recursive"
        echo "Or clone with: git clone --recursive <repo-url>"
        exit 1
    fi

    print_header "Building Image"
    print_info "ACR: ${ACR_NAME}.azurecr.io"
    print_info "Tag: $TAG"
    print_info "Method: $([ "$LOCAL_BUILD" = true ] && echo "Local Docker" || echo "ACR Cloud Build")"
    echo ""

    # Clean target directory - not needed for ACR builds and slows down upload significantly
    if [ -d "agentgateway/target" ]; then
        print_step "Cleaning target directory to speed up upload..."
        rm -rf agentgateway/target
        print_success "Cleaned"
    fi

    # Ensure build scripts are executable (fixes Windows/WSL clone issues)
    chmod +x agentgateway/common/scripts/*.sh 2>/dev/null || true

    if [ "$LOCAL_BUILD" = true ]; then
        # Use VM build script
        ./scripts/build-on-vm.sh --acr-name "$ACR_NAME" --tag "$TAG" $NO_CACHE
    else
        # ACR Cloud Build
        print_step "Logging in to ACR..."
        az acr login --name "$ACR_NAME"

        print_step "Building in ACR (this may take 20-30 minutes)..."
        az acr build \
            --registry "$ACR_NAME" \
            --image "unitone-agentgateway:${TAG}" \
            --image "unitone-agentgateway:$(git rev-parse --short HEAD 2>/dev/null || echo 'manual')" \
            --platform linux/amd64 \
            --file Dockerfile.acr \
            .

        print_success "Build complete!"
    fi

    if [ "$DEPLOY" = true ]; then
        cmd_deploy --tag "$TAG"
    fi
}

# Provider-specific deploy functions
deploy_azure() {
    local TAG=$1

    # Get terraform outputs
    ACR_NAME=$(get_tf_output acr_name)
    APP_NAME=$(get_tf_output container_app_name)
    RG_NAME=$(get_tf_output resource_group_name)

    if [ -z "$ACR_NAME" ] || [ -z "$APP_NAME" ] || [ -z "$RG_NAME" ]; then
        print_error "Missing terraform outputs. Run './agw setup' first."
        exit 1
    fi

    print_header "Deploying to Azure"
    print_info "App: $APP_NAME"
    print_info "Image: ${ACR_NAME}.azurecr.io/unitone-agentgateway:${TAG}"
    echo ""

    print_step "Updating container app..."
    az containerapp update \
        --name "$APP_NAME" \
        --resource-group "$RG_NAME" \
        --image "${ACR_NAME}.azurecr.io/unitone-agentgateway:${TAG}" \
        --output none

    # Get URL
    APP_URL=$(az containerapp show --name "$APP_NAME" --resource-group "$RG_NAME" \
        --query "properties.configuration.ingress.fqdn" -o tsv 2>/dev/null || echo "")

    print_success "Deployed!"
    echo ""
    if [ -n "$APP_URL" ]; then
        echo -e "  Gateway: ${CYAN}https://${APP_URL}${NC}"
        echo -e "  UI:      ${CYAN}https://${APP_URL}/ui${NC}"
    fi
}

deploy_aws() {
    local TAG=$1
    print_error "AWS deployment not yet implemented."
    print_info "Coming soon: ECS/Fargate deployment support."
    exit 1
}

cmd_deploy() {
    local TAG="latest"
    local PROVIDER="azure"  # Default provider

    # Parse arguments
    while [[ $# -gt 0 ]]; do
        case $1 in
            --azure) PROVIDER="azure"; shift ;;
            --aws) PROVIDER="aws"; shift ;;
            --tag) TAG="$2"; shift 2 ;;
            -h|--help)
                echo "Usage: ./agw deploy [--azure|--aws] [--tag TAG]"
                echo ""
                echo "Options:"
                echo "  --azure    Deploy to Azure Container Apps (default)"
                echo "  --aws      Deploy to AWS (coming soon)"
                echo "  --tag TAG  Image tag to deploy (default: latest)"
                exit 0
                ;;
            *) print_error "Unknown option: $1"; exit 1 ;;
        esac
    done

    # Dispatch to provider-specific function
    case "$PROVIDER" in
        azure) deploy_azure "$TAG" ;;
        aws) deploy_aws "$TAG" ;;
        *) print_error "Unknown provider: $PROVIDER"; exit 1 ;;
    esac
}

cmd_test() {
    print_header "E2E Testing"
    # Pass through to existing deploy.sh (which handles E2E tests)
    exec ./deploy.sh "$@"
}

cmd_test_servers() {
    local LOCAL=false

    # Parse arguments
    while [[ $# -gt 0 ]]; do
        case $1 in
            --local) LOCAL=true; shift ;;
            -h|--help)
                echo "Usage: ./agw test-servers [--local]"
                echo "  --local    Start test servers locally with Docker"
                echo "  (default)  Deploy test servers to Azure"
                exit 0
                ;;
            *) shift ;;  # Pass through other args
        esac
    done

    if [ "$LOCAL" = true ]; then
        print_header "Starting Local Test Servers"
        cd tests/docker
        docker compose up -d mcp-test-servers
        print_success "Test servers running"
        echo ""
        echo "  PII Server:          http://localhost:8000"
        echo "  Tool Poisoning:      http://localhost:8010"
        echo "  Rug Pull:            http://localhost:8020"
        echo ""
        echo "Stop with: docker compose down"
    else
        # Get terraform outputs
        ACR_NAME=$(get_tf_output acr_name)
        RG_NAME=$(get_tf_output resource_group_name)
        ENV_NAME=$(get_tf_output container_app_env_name 2>/dev/null || echo "")

        if [ -z "$ACR_NAME" ] || [ -z "$RG_NAME" ] || [ -z "$ENV_NAME" ]; then
            print_error "Missing terraform outputs. Run './agw setup' first."
            exit 1
        fi

        print_header "Deploying Test Servers to Azure"
        bash ./scripts/deploy-test-servers.sh \
            --resource-group "$RG_NAME" \
            --acr-name "$ACR_NAME" \
            --environment "$ENV_NAME" \
            --update-gateway \
            "$@"
    fi
}

cmd_logs() {
    local FOLLOW=false
    local TAIL=100

    # Parse arguments
    while [[ $# -gt 0 ]]; do
        case $1 in
            -f|--follow) FOLLOW=true; shift ;;
            --tail) TAIL="$2"; shift 2 ;;
            -h|--help)
                echo "Usage: ./agw logs [-f|--follow] [--tail N]"
                exit 0
                ;;
            *) print_error "Unknown option: $1"; exit 1 ;;
        esac
    done

    APP_NAME=$(get_tf_output container_app_name)
    RG_NAME=$(get_tf_output resource_group_name)

    if [ -z "$APP_NAME" ] || [ -z "$RG_NAME" ]; then
        print_error "Missing terraform outputs. Run './agw setup' first."
        exit 1
    fi

    print_info "Fetching logs for $APP_NAME..."

    if [ "$FOLLOW" = true ]; then
        az containerapp logs show \
            --name "$APP_NAME" \
            --resource-group "$RG_NAME" \
            --follow
    else
        az containerapp logs show \
            --name "$APP_NAME" \
            --resource-group "$RG_NAME" \
            --tail "$TAIL"
    fi
}

cmd_status() {
    print_header "Deployment Status"

    APP_NAME=$(get_tf_output container_app_name)
    RG_NAME=$(get_tf_output resource_group_name)

    if [ -z "$APP_NAME" ] || [ -z "$RG_NAME" ]; then
        print_warning "No deployment found. Run './agw setup' first."
        exit 0
    fi

    print_step "Checking container app..."

    # Get app info
    APP_INFO=$(az containerapp show --name "$APP_NAME" --resource-group "$RG_NAME" 2>/dev/null)

    if [ -z "$APP_INFO" ]; then
        print_error "Container app not found: $APP_NAME"
        exit 1
    fi

    # Parse info
    APP_URL=$(echo "$APP_INFO" | jq -r '.properties.configuration.ingress.fqdn // "N/A"')
    RUNNING_STATE=$(echo "$APP_INFO" | jq -r '.properties.runningStatus // "Unknown"')
    IMAGE=$(echo "$APP_INFO" | jq -r '.properties.template.containers[0].image // "N/A"')
    REPLICAS=$(echo "$APP_INFO" | jq -r '.properties.template.scale.minReplicas // 0')

    echo ""
    echo -e "  ${BOLD}App:${NC}       $APP_NAME"
    echo -e "  ${BOLD}Status:${NC}    $RUNNING_STATE"
    echo -e "  ${BOLD}Image:${NC}     $IMAGE"
    echo -e "  ${BOLD}Replicas:${NC}  $REPLICAS"
    echo ""
    if [ "$APP_URL" != "N/A" ]; then
        echo -e "  ${BOLD}Gateway:${NC}   ${CYAN}https://${APP_URL}${NC}"
        echo -e "  ${BOLD}UI:${NC}        ${CYAN}https://${APP_URL}/ui${NC}"
        echo -e "  ${BOLD}MCP:${NC}       ${CYAN}https://${APP_URL}/mcp${NC}"
    fi
    echo ""

    # Check health
    print_step "Checking health..."
    if curl -sf "https://${APP_URL}/ui" > /dev/null 2>&1; then
        print_success "Gateway is healthy"
    else
        print_warning "Gateway may be starting up or unhealthy"
    fi
}

cmd_scope() {
    local SUBCOMMAND="${1:-}"
    shift 2>/dev/null || true

    case "$SUBCOMMAND" in
        ""|show)
            # Show current scope
            local scope=$(get_current_scope)
            if [ -n "$scope" ]; then
                local scope_file=$(find_scope_file "$scope")
                echo -e "${BOLD}Current scope:${NC} $scope"
                if [ -n "$scope_file" ]; then
                    echo -e "${CYAN}  → $scope_file${NC}"
                    echo ""
                    local desc=$(get_scope_config "AGW_DESCRIPTION")
                    local app=$(get_scope_config "AGW_CONTAINER_APP")
                    local rg=$(get_scope_config "AGW_RESOURCE_GROUP")
                    local acr=$(get_scope_config "AGW_ACR_NAME")
                    local url=$(get_scope_config "AGW_URL")
                    [ -n "$desc" ] && echo -e "  ${BOLD}Description:${NC}    $desc"
                    [ -n "$app" ] && echo -e "  ${BOLD}Container App:${NC}  $app"
                    [ -n "$rg" ] && echo -e "  ${BOLD}Resource Group:${NC} $rg"
                    [ -n "$acr" ] && echo -e "  ${BOLD}ACR Name:${NC}       $acr"
                    [ -n "$url" ] && echo -e "  ${BOLD}URL:${NC}            $url"
                fi
            else
                print_warning "No scope configured."
                echo ""
                echo "Run './agw setup' to get started"
                echo "Or  './agw scope set <name>' if scopes already exist"
            fi
            ;;

        list)
            # List all scopes with resolution order
            init_config_dir
            local current=$(get_current_scope)
            local username=$(get_username)
            local found=false

            echo -e "${BOLD}Available scopes:${NC}"
            echo ""

            # List user-specific scopes
            if [ -d "${AGW_USER_SCOPES_DIR}/${username}" ]; then
                local user_found=false
                for f in "${AGW_USER_SCOPES_DIR}/${username}"/*.env; do
                    [ -f "$f" ] || continue
                    user_found=true
                    found=true
                    local name=$(basename "$f" .env)
                    local desc=$(grep "^AGW_DESCRIPTION=" "$f" 2>/dev/null | cut -d'=' -f2-)
                    local app=$(grep "^AGW_CONTAINER_APP=" "$f" 2>/dev/null | cut -d'=' -f2-)

                    if [ "$name" = "$current" ]; then
                        echo -e "  ${GREEN}*${NC} ${BOLD}$name${NC} ${YELLOW}(personal)${NC}"
                    else
                        echo -e "    $name ${YELLOW}(personal)${NC}"
                    fi
                    [ -n "$desc" ] && echo -e "      ${CYAN}$desc${NC}"
                    [ -n "$app" ] && echo -e "      App: $app"
                    echo ""
                done
            fi

            # List global scopes
            if [ -d "$AGW_GLOBAL_SCOPES_DIR" ]; then
                for f in "$AGW_GLOBAL_SCOPES_DIR"/*.env; do
                    [ -f "$f" ] || continue
                    found=true
                    local name=$(basename "$f" .env)
                    local desc=$(grep "^AGW_DESCRIPTION=" "$f" 2>/dev/null | cut -d'=' -f2-)
                    local app=$(grep "^AGW_CONTAINER_APP=" "$f" 2>/dev/null | cut -d'=' -f2-)

                    # Check if overridden by user scope
                    local overridden=""
                    [ -f "${AGW_USER_SCOPES_DIR}/${username}/${name}.env" ] && overridden=" ${YELLOW}(overridden by personal)${NC}"

                    if [ "$name" = "$current" ] && [ -z "$overridden" ]; then
                        echo -e "  ${GREEN}*${NC} ${BOLD}$name${NC} (global)${overridden}"
                    else
                        echo -e "    $name (global)${overridden}"
                    fi
                    [ -n "$desc" ] && echo -e "      ${CYAN}$desc${NC}"
                    [ -n "$app" ] && echo -e "      App: $app"
                    echo ""
                done
            fi

            # Legacy: check old location
            if [ -d "${AGW_LOCAL_CONFIG_DIR}/scopes" ]; then
                for f in "${AGW_LOCAL_CONFIG_DIR}/scopes"/*.env; do
                    [ -f "$f" ] || continue
                    found=true
                    local name=$(basename "$f" .env)
                    echo -e "    $name ${RED}(legacy - migrate with ./agw scope migrate)${NC}"
                    echo ""
                done
            fi

            if [ "$found" = false ]; then
                echo "  (no scopes configured)"
                echo ""
                echo "Run './agw setup' to create your first scope"
            fi
            ;;

        set)
            # Switch to a scope
            local name="$1"
            if [ -z "$name" ]; then
                print_error "Scope name required."
                echo "Usage: ./agw scope set <name>"
                exit 1
            fi

            local scope_file=$(find_scope_file "$name")
            if [ -z "$scope_file" ]; then
                print_error "Scope '$name' not found."
                echo ""
                echo "Available scopes:"
                cmd_scope list
                exit 1
            fi

            mkdir -p "$AGW_LOCAL_CONFIG_DIR"
            echo "$name" > "$AGW_CURRENT_FILE"
            print_success "Switched to scope: $name"
            echo -e "  → $scope_file"
            ;;

        add)
            # Redirect to guided setup
            print_info "Use './agw setup' for guided scope creation"
            echo ""
            echo "Or specify --global or --user for quick add:"
            echo "  ./agw scope add <name> --global    # Team-shared scope"
            echo "  ./agw scope add <name> --user      # Personal scope"

            local name="$1"
            local scope_type=""

            # Parse remaining args
            shift 2>/dev/null || true
            while [[ $# -gt 0 ]]; do
                case $1 in
                    --global) scope_type="global"; shift ;;
                    --user) scope_type="user"; shift ;;
                    *) shift ;;
                esac
            done

            if [ -z "$name" ] || [ -z "$scope_type" ]; then
                exit 0
            fi

            # Validate scope name
            if [[ ! "$name" =~ ^[a-zA-Z0-9_-]+$ ]]; then
                print_error "Invalid scope name. Use only letters, numbers, dashes, and underscores."
                exit 1
            fi

            if [ "$scope_type" = "global" ]; then
                local target_dir="$AGW_GLOBAL_SCOPES_DIR"
            else
                local target_dir="${AGW_USER_SCOPES_DIR}/$(get_username)"
            fi

            mkdir -p "$target_dir"

            if [ -f "${target_dir}/${name}.env" ]; then
                print_warning "Scope '$name' already exists at ${target_dir}/${name}.env"
                read -rp "Overwrite? [y/N]: " confirm
                if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
                    echo "Cancelled."
                    exit 0
                fi
            fi

            print_header "Add Scope: $name ($scope_type)"

            echo "Enter the Azure resource details for this scope."
            echo ""

            read -rp "Resource Group: " rg_name
            read -rp "Container App: " app_name
            read -rp "ACR Name: " acr_name
            echo ""
            read -rp "Description (optional): " description
            read -rp "Gateway URL (optional): " url

            if [ -z "$rg_name" ] || [ -z "$app_name" ] || [ -z "$acr_name" ]; then
                print_error "Resource Group, Container App, and ACR Name are required."
                exit 1
            fi

            cat > "${target_dir}/${name}.env" << EOF
# Scope: $name ($scope_type)
# Created: $(date -u +"%Y-%m-%dT%H:%M:%SZ")

# Required - identifies the deployment
AGW_RESOURCE_GROUP=$rg_name
AGW_CONTAINER_APP=$app_name
AGW_ACR_NAME=$acr_name

# Optional - for display
AGW_DESCRIPTION=$description
AGW_URL=$url
EOF

            print_success "Created scope: ${target_dir}/${name}.env"
            echo ""

            mkdir -p "$AGW_LOCAL_CONFIG_DIR"
            echo "$name" > "$AGW_CURRENT_FILE"
            print_success "Switched to scope: $name"

            echo ""
            echo "Next steps:"
            echo "  git add ${target_dir}/${name}.env"
            echo "  git commit -m 'Add ${name} scope'"
            ;;

        remove)
            # Remove a scope
            local name="$1"
            if [ -z "$name" ]; then
                print_error "Scope name required."
                echo "Usage: ./agw scope remove <name>"
                exit 1
            fi

            local scope_file=$(find_scope_file "$name")
            if [ -z "$scope_file" ]; then
                print_error "Scope '$name' not found."
                exit 1
            fi

            print_warning "Remove scope '$name'? ($scope_file) [y/N]"
            read -r confirm
            if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
                echo "Cancelled."
                exit 0
            fi

            rm -f "$scope_file"
            print_success "Removed scope: $scope_file"

            # Clear current if this was the active scope
            local current=$(get_current_scope)
            if [ "$current" = "$name" ]; then
                rm -f "$AGW_CURRENT_FILE"
                print_info "Cleared active scope (was: $name)"
            fi

            echo ""
            echo "Remember to commit: git add -u && git commit -m 'Remove ${name} scope'"
            ;;

        import)
            # Redirect to guided setup
            print_info "Use './agw setup' and choose 'Import existing' for guided import"
            echo ""
            echo "Or use quick import: ./agw scope import --name <name> --from <terraform-dir> [--global|--user]"

            local name=""
            local tf_dir="terraform"
            local scope_type="global"

            # Parse arguments
            while [[ $# -gt 0 ]]; do
                case $1 in
                    --name) name="$2"; shift 2 ;;
                    --from) tf_dir="$2"; shift 2 ;;
                    --global) scope_type="global"; shift ;;
                    --user) scope_type="user"; shift ;;
                    *) shift ;;
                esac
            done

            if [ -z "$name" ]; then
                exit 0
            fi

            # Check terraform is available
            if [ ! -f "$tf_dir/terraform.tfstate" ] && [ ! -d "$tf_dir/.terraform" ]; then
                print_error "No terraform state found in: $tf_dir"
                exit 1
            fi

            print_step "Reading terraform outputs from $tf_dir..."

            local rg_name=$(cd "$tf_dir" && terraform output -raw resource_group_name 2>/dev/null)
            local app_name=$(cd "$tf_dir" && terraform output -raw container_app_name 2>/dev/null)
            local acr_name=$(cd "$tf_dir" && terraform output -raw acr_name 2>/dev/null)
            local env_name=$(cd "$tf_dir" && terraform output -raw container_app_env_name 2>/dev/null || echo "")

            if [ -z "$rg_name" ] || [ -z "$app_name" ] || [ -z "$acr_name" ]; then
                print_error "Could not read required terraform outputs."
                exit 1
            fi

            echo -e "  ${GREEN}✓${NC} resource_group_name: $rg_name"
            echo -e "  ${GREEN}✓${NC} container_app_name: $app_name"
            echo -e "  ${GREEN}✓${NC} acr_name: $acr_name"

            # Get URL
            local url=""
            local app_info=$(az containerapp show --name "$app_name" --resource-group "$rg_name" 2>/dev/null || echo "")
            if [ -n "$app_info" ]; then
                local fqdn=$(echo "$app_info" | jq -r '.properties.configuration.ingress.fqdn // ""')
                [ -n "$fqdn" ] && url="https://${fqdn}"
            fi

            if [ "$scope_type" = "global" ]; then
                local target_dir="$AGW_GLOBAL_SCOPES_DIR"
            else
                local target_dir="${AGW_USER_SCOPES_DIR}/$(get_username)"
            fi

            mkdir -p "$target_dir"

            cat > "${target_dir}/${name}.env" << EOF
# Scope: $name ($scope_type)
# Imported from: $tf_dir
# Created: $(date -u +"%Y-%m-%dT%H:%M:%SZ")

# Required - identifies the deployment
AGW_RESOURCE_GROUP=$rg_name
AGW_CONTAINER_APP=$app_name
AGW_ACR_NAME=$acr_name

# Optional
AGW_CONTAINER_APP_ENV=$env_name
AGW_DESCRIPTION=Imported from terraform
AGW_URL=$url
EOF

            echo ""
            print_success "Created scope: ${target_dir}/${name}.env"

            mkdir -p "$AGW_LOCAL_CONFIG_DIR"
            echo "$name" > "$AGW_CURRENT_FILE"
            print_success "Switched to scope: $name"

            echo ""
            echo "Next steps:"
            echo "  git add ${target_dir}/${name}.env"
            echo "  git commit -m 'Add ${name} scope'"
            ;;

        migrate)
            # Migrate legacy scopes from .agw/scopes/ to new location
            print_header "Migrate Legacy Scopes"

            local legacy_dir="${AGW_LOCAL_CONFIG_DIR}/scopes"
            if [ ! -d "$legacy_dir" ]; then
                print_info "No legacy scopes found"
                exit 0
            fi

            local found=false
            for f in "$legacy_dir"/*.env; do
                [ -f "$f" ] || continue
                found=true
                local name=$(basename "$f" .env)
                echo ""
                echo -e "${BOLD}Found:${NC} $name"
                cat "$f" | grep -E "^AGW_" | head -5
                echo ""
                read -rp "Migrate to (G)lobal, (P)ersonal, or (S)kip? [g/p/S]: " choice

                case "$choice" in
                    [Gg])
                        mkdir -p "$AGW_GLOBAL_SCOPES_DIR"
                        mv "$f" "${AGW_GLOBAL_SCOPES_DIR}/${name}.env"
                        print_success "Moved to ${AGW_GLOBAL_SCOPES_DIR}/${name}.env"
                        ;;
                    [Pp])
                        local user_dir="${AGW_USER_SCOPES_DIR}/$(get_username)"
                        mkdir -p "$user_dir"
                        mv "$f" "${user_dir}/${name}.env"
                        print_success "Moved to ${user_dir}/${name}.env"
                        ;;
                    *)
                        print_info "Skipped"
                        ;;
                esac
            done

            if [ "$found" = false ]; then
                print_info "No legacy scopes to migrate"
            else
                echo ""
                echo "Remember to commit migrated scopes:"
                echo "  git add terraform/scopes/"
                echo "  git commit -m 'Migrate scopes to new structure'"
            fi
            ;;

        -h|--help)
            echo "Usage: ./agw scope [command]"
            echo ""
            echo "Commands:"
            echo "  (none)           Show current scope"
            echo "  list             List all configured scopes"
            echo "  set <name>       Switch to a scope"
            echo "  add <name>       Add a new scope interactively"
            echo "  remove <name>    Remove a scope"
            echo "  import --name <name>  Import from terraform outputs"
            echo ""
            echo "Examples:"
            echo "  ./agw scope                    # Show current scope"
            echo "  ./agw scope list               # List all scopes"
            echo "  ./agw scope set prod           # Switch to prod"
            echo "  ./agw scope add staging        # Add staging scope"
            echo "  ./agw scope import --name dev  # Import from terraform"
            ;;

        *)
            print_error "Unknown scope command: $SUBCOMMAND"
            echo "Run './agw scope --help' for usage."
            exit 1
            ;;
    esac
}

cmd_auth() {
    local SUBCOMMAND="${1:-}"
    shift 2>/dev/null || true

    # Get app info
    local APP_NAME=$(get_tf_output container_app_name)
    local RG_NAME=$(get_tf_output resource_group_name)

    if [ -z "$APP_NAME" ] || [ -z "$RG_NAME" ]; then
        print_error "No deployment found. Run './agw setup' first."
        exit 1
    fi

    # Get app URL for callback URLs
    get_app_url() {
        local app_info=$(az containerapp show --name "$APP_NAME" --resource-group "$RG_NAME" 2>/dev/null || echo "")
        if [ -n "$app_info" ]; then
            echo "$app_info" | jq -r '.properties.configuration.ingress.fqdn // ""'
        fi
    }

    case "$SUBCOMMAND" in
        ""|show|status)
            # Show current auth status
            print_header "Authentication Status"

            print_step "Fetching auth configuration..."
            local auth_config=$(az containerapp auth show --name "$APP_NAME" --resource-group "$RG_NAME" 2>/dev/null || echo "")

            if [ -z "$auth_config" ] || [ "$auth_config" = "{}" ]; then
                print_warning "Authentication not configured"
                echo ""
                echo "Run './agw auth setup' to configure authentication"
                return
            fi

            local enabled=$(echo "$auth_config" | jq -r '.platform.enabled // false')
            local restrict=$(echo "$auth_config" | jq -r '.globalValidation.unauthenticatedClientAction // "AllowAnonymous"')

            echo ""
            if [ "$enabled" = "true" ]; then
                print_success "Authentication: Enabled"
                if [ "$restrict" = "RedirectToLoginPage" ] || [ "$restrict" = "Return401" ]; then
                    echo -e "  ${BOLD}Access:${NC} Authentication required"
                else
                    echo -e "  ${BOLD}Access:${NC} Anonymous allowed"
                fi
            else
                print_warning "Authentication: Disabled"
            fi
            echo ""

            # Check configured providers
            echo -e "${BOLD}Configured Providers:${NC}"

            local ms_id=$(echo "$auth_config" | jq -r '.identityProviders.azureActiveDirectory.registration.clientId // ""')
            local google_id=$(echo "$auth_config" | jq -r '.identityProviders.google.registration.clientId // ""')
            local github_id=$(echo "$auth_config" | jq -r '.identityProviders.gitHub.registration.clientId // ""')

            if [ -n "$ms_id" ]; then
                echo -e "  ${GREEN}✓${NC} Microsoft (Azure AD): $ms_id"
            else
                echo -e "  ${YELLOW}○${NC} Microsoft (Azure AD): Not configured"
            fi

            if [ -n "$google_id" ]; then
                echo -e "  ${GREEN}✓${NC} Google: $google_id"
            else
                echo -e "  ${YELLOW}○${NC} Google: Not configured"
            fi

            if [ -n "$github_id" ]; then
                echo -e "  ${GREEN}✓${NC} GitHub: $github_id"
            else
                echo -e "  ${YELLOW}○${NC} GitHub: Not configured"
            fi
            echo ""
            ;;

        urls)
            # Show callback URLs for OAuth app setup
            print_header "OAuth Callback URLs"

            local app_url=$(get_app_url)
            if [ -z "$app_url" ]; then
                print_error "Could not determine app URL"
                exit 1
            fi

            echo "Use these URLs when creating OAuth apps:"
            echo ""
            echo -e "${BOLD}Microsoft (Azure AD):${NC}"
            echo -e "  Redirect URI: ${CYAN}https://${app_url}/.auth/login/aad/callback${NC}"
            echo ""
            echo -e "${BOLD}Google:${NC}"
            echo -e "  Authorized redirect URI: ${CYAN}https://${app_url}/.auth/login/google/callback${NC}"
            echo ""
            echo -e "${BOLD}GitHub:${NC}"
            echo -e "  Authorization callback URL: ${CYAN}https://${app_url}/.auth/login/github/callback${NC}"
            echo ""
            ;;

        setup)
            # Interactive auth setup
            print_header "Authentication Setup"

            local app_url=$(get_app_url)
            if [ -z "$app_url" ]; then
                print_error "Could not determine app URL"
                exit 1
            fi

            echo "This wizard will configure OAuth authentication for your gateway."
            echo ""
            echo -e "${BOLD}Your callback URLs:${NC}"
            echo -e "  Microsoft: ${CYAN}https://${app_url}/.auth/login/aad/callback${NC}"
            echo -e "  Google:    ${CYAN}https://${app_url}/.auth/login/google/callback${NC}"
            echo -e "  GitHub:    ${CYAN}https://${app_url}/.auth/login/github/callback${NC}"
            echo ""

            # Microsoft setup
            echo -e "${BOLD}Microsoft (Azure AD)${NC}"
            echo "Create app at: https://portal.azure.com → Azure AD → App registrations"
            read -rp "Configure Microsoft auth? [y/N]: " configure_ms
            if [[ "$configure_ms" =~ ^[Yy]$ ]]; then
                read -rp "  Client ID: " ms_client_id
                read -rsp "  Client Secret: " ms_client_secret
                echo ""

                if [ -n "$ms_client_id" ] && [ -n "$ms_client_secret" ]; then
                    print_step "Configuring Microsoft provider..."
                    az containerapp auth microsoft update \
                        --name "$APP_NAME" \
                        --resource-group "$RG_NAME" \
                        --client-id "$ms_client_id" \
                        --client-secret "$ms_client_secret" \
                        --yes \
                        --output none 2>/dev/null && \
                    print_success "Microsoft auth configured" || \
                    print_error "Failed to configure Microsoft auth"
                fi
            fi
            echo ""

            # Google setup
            echo -e "${BOLD}Google${NC}"
            echo "Create app at: https://console.cloud.google.com → APIs & Services → Credentials"
            read -rp "Configure Google auth? [y/N]: " configure_google
            if [[ "$configure_google" =~ ^[Yy]$ ]]; then
                read -rp "  Client ID: " google_client_id
                read -rsp "  Client Secret: " google_client_secret
                echo ""

                if [ -n "$google_client_id" ] && [ -n "$google_client_secret" ]; then
                    print_step "Configuring Google provider..."
                    az containerapp auth google update \
                        --name "$APP_NAME" \
                        --resource-group "$RG_NAME" \
                        --client-id "$google_client_id" \
                        --client-secret "$google_client_secret" \
                        --yes \
                        --output none 2>/dev/null && \
                    print_success "Google auth configured" || \
                    print_error "Failed to configure Google auth"
                fi
            fi
            echo ""

            # GitHub setup
            echo -e "${BOLD}GitHub${NC}"
            echo "Create app at: https://github.com/settings/developers → OAuth Apps"
            read -rp "Configure GitHub auth? [y/N]: " configure_github
            if [[ "$configure_github" =~ ^[Yy]$ ]]; then
                read -rp "  Client ID: " github_client_id
                read -rsp "  Client Secret: " github_client_secret
                echo ""

                if [ -n "$github_client_id" ] && [ -n "$github_client_secret" ]; then
                    print_step "Configuring GitHub provider..."
                    az containerapp auth github update \
                        --name "$APP_NAME" \
                        --resource-group "$RG_NAME" \
                        --client-id "$github_client_id" \
                        --client-secret "$github_client_secret" \
                        --yes \
                        --output none 2>/dev/null && \
                    print_success "GitHub auth configured" || \
                    print_error "Failed to configure GitHub auth"
                fi
            fi
            echo ""

            # Enable auth
            read -rp "Require authentication (block anonymous access)? [Y/n]: " require_auth
            if [[ ! "$require_auth" =~ ^[Nn]$ ]]; then
                print_step "Enabling authentication requirement..."
                az containerapp auth update \
                    --name "$APP_NAME" \
                    --resource-group "$RG_NAME" \
                    --unauthenticated-client-action RedirectToLoginPage \
                    --enabled true \
                    --output none 2>/dev/null && \
                print_success "Authentication required for all requests" || \
                print_error "Failed to enable auth requirement"
            else
                print_step "Enabling authentication (anonymous allowed)..."
                az containerapp auth update \
                    --name "$APP_NAME" \
                    --resource-group "$RG_NAME" \
                    --unauthenticated-client-action AllowAnonymous \
                    --enabled true \
                    --output none 2>/dev/null && \
                print_success "Authentication enabled (anonymous allowed)" || \
                print_error "Failed to enable auth"
            fi
            echo ""

            print_success "Authentication setup complete!"
            echo ""
            echo "Test login at: https://${app_url}/.auth/login/<provider>"
            echo "  Providers: aad, google, github"
            ;;

        enable)
            # Enable auth requirement
            print_step "Enabling authentication requirement..."
            az containerapp auth update \
                --name "$APP_NAME" \
                --resource-group "$RG_NAME" \
                --unauthenticated-client-action RedirectToLoginPage \
                --enabled true \
                --output none && \
            print_success "Authentication required for all requests" || \
            print_error "Failed to enable auth"
            ;;

        disable)
            # Allow anonymous access
            print_step "Allowing anonymous access..."
            az containerapp auth update \
                --name "$APP_NAME" \
                --resource-group "$RG_NAME" \
                --unauthenticated-client-action AllowAnonymous \
                --enabled true \
                --output none && \
            print_success "Anonymous access allowed" || \
            print_error "Failed to update auth"
            ;;

        -h|--help)
            echo "Usage: ./agw auth [command]"
            echo ""
            echo "Commands:"
            echo "  (none)     Show current authentication status"
            echo "  setup      Interactive authentication setup wizard"
            echo "  urls       Show OAuth callback URLs for app registration"
            echo "  enable     Require authentication (block anonymous)"
            echo "  disable    Allow anonymous access"
            echo ""
            echo "Examples:"
            echo "  ./agw auth                # Show auth status"
            echo "  ./agw auth setup          # Configure OAuth providers"
            echo "  ./agw auth urls           # Get callback URLs"
            echo "  ./agw auth enable         # Require authentication"
            ;;

        *)
            print_error "Unknown auth command: $SUBCOMMAND"
            echo "Run './agw auth --help' for usage."
            exit 1
            ;;
    esac
}

# ==============================================================================
# Main
# ==============================================================================

# Show banner with scope information
show_banner

# Parse command
COMMAND="${1:-help}"
shift 2>/dev/null || true

case "$COMMAND" in
    setup)        cmd_setup "$@" ;;
    scope)        cmd_scope "$@" ;;
    auth)         cmd_auth "$@" ;;
    build)        cmd_build "$@" ;;
    deploy)       cmd_deploy "$@" ;;
    test)         cmd_test "$@" ;;
    test-servers) cmd_test_servers "$@" ;;
    logs)         cmd_logs "$@" ;;
    status)       cmd_status "$@" ;;
    help|-h|--help) cmd_help ;;
    *)
        print_error "Unknown command: $COMMAND"
        echo ""
        echo "Run './agw help' for usage."
        exit 1
        ;;
esac