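package Mnemosyne::Webhook;

use strict;
use warnings;

# Mojolicious controller / update router for inbound Telegram webhook POSTs.
#
# Nothing is implemented yet: this file records the intended design and the
# security gates every inbound request has to pass.
#
# Security gates (must run in this order, before any processing):
#   1. Validate that the X-Telegram-Bot-Api-Secret-Token header matches the
#      secret held in config.
#      Reject with 403 (not 200): a request without the right token did not
#      come from Telegram, it is a rogue POST.
#      NOTE(review): fail closed. A missing header, or a secret that is unset
#      or empty in config, must be a rejection and never a match.
#      NOTE(review): compare the two values in constant time, and keep the
#      received header value out of logs and error responses.
#   2. Validate that chat_id is in the allowed_chat_ids allowlist.
#      Respond 200 (so Telegram stops retrying) but do not process the update.
#      NOTE(review): the chat id sits in a different place per update type
#      (message.chat.id versus callback_query.message.chat.id). An update from
#      which no chat id can be extracted should be treated as not allowed.
#
# Update types handled:
#   TODO: handle_message($update, $db, $config, $telegram)
#     - routes slash commands: /today /glance /list /add /done /edit /disable
#       /delete /settime /help; plus free-text during multi-step flows
#       (e.g. the /add wizard)
#     NOTE(review): command arguments and free text are untrusted input even
#     from an allowlisted chat; pass them to $db as bound parameters only.
#
#   TODO: handle_callback_query($update, $db, $config, $telegram)
#     - handles Mark Done and Undo button taps; calls answerCallbackQuery
#       immediately, then does the DB work and the message edit; idempotent
#       (must tolerate Telegram redelivering the same update)
#     NOTE(review): callback data is supplied by the client. Validate it
#     before it selects a row, the same way command arguments are validated.
#
# Command handlers (each returns a Telegram reply or edits the original
# message):
#   TODO: cmd_today($chat_id, $db, $config, $telegram)
#   TODO: cmd_list($chat_id, $args, $db, $config, $telegram)
#   TODO: cmd_add($chat_id, $args, $db, $config, $telegram)  - starts guided flow
#   TODO: cmd_done($chat_id, $args, $db, $config, $telegram)
#   TODO: cmd_edit($chat_id, $args, $db, $config, $telegram)
#   TODO: cmd_disable($chat_id, $args, $db, $config, $telegram)
#   TODO: cmd_delete($chat_id, $args, $db, $config, $telegram)  - confirmation required
#   TODO: cmd_settime($chat_id, $args, $db, $config, $telegram)
#   TODO: cmd_help($chat_id, $telegram)
#
# Conversation state for multi-step flows (e.g. the /add wizard):
#   TODO: decide and document the storage mechanism (an in-memory hash keyed
#         by chat_id, or a small 'sessions' table in SQLite for persistence
#         across restarts)
#   NOTE(review): whichever store is chosen, create state only after both
#   gates have passed and give it an expiry, so that an abandoned flow cannot
#   capture a later, unrelated message.

1;    # a module file must end by returning a true value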