<?
	// 🔥 Get the requested URL path (excluding query strings)
	$request_uri = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);

	// Prevent search engines from indexing any responses
	header('X-Robots-Tag: noindex, nofollow, noarchive', true);

	// 🔥 IP BLOCKLIST
	$security_storage_path = __DIR__ . '/.well-known/security_logs';
	if (!is_dir($security_storage_path)) mkdir($security_storage_path, 0700, true);

	$blocklist_file = "$security_storage_path/blocked_ips";
	$attempts_file = "$security_storage_path/attempts";
	$blocked_ips = file_exists($blocklist_file) ? array_flip(file($blocklist_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)) : [];

	$visitor_ip = trim(explode(',', $_SERVER['HTTP_CF_CONNECTING_IP'] ?? $_SERVER['HTTP_TRUE_CLIENT_IP'] ?? $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['HTTP_X_REAL_IP'] ?? $_SERVER['HTTP_CLIENT_IP'] ?? $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0')[0]);
	if (!filter_var($visitor_ip, FILTER_VALIDATE_IP)) {
		$visitor_ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
	}
	if (isset($blocked_ips[$visitor_ip])) {
		http_response_code(200);
		exit;
	}

	$suspicious_patterns = [
		// 1) Suspicious *.php files — only if they appear as EXACT `.php` after these keywords
		'/\b(autoload_classmap|bypass|conflg|config|updates|install|makeasmtp|admin|editor|engine)\.php\b/i',

		// 2) Suspicious “dot + (well-known|pki-validation|ssl|cert)” anywhere
		'/\.(?:well-known|pki-validation|ssl|cert)\b/i',

		// 3) CMS and database probes
		//    - Removed raw `db` or constrained it. If you really do need to match “db” alone,
		//      consider using `\bdb\b` so it won’t flag “feedback.”
		'/\b(wp-|joomla|drupal|magento|phpbb|cms|database)\b/i',

		// 4) Common WordPress & plugin hack probes
		'/\b(mu-plugins|theme|plugin|wp-admin|wp-content|wp-includes|wp-login|xmlrpc|filemanager|upload)\b/i',

		// 5) Random library or class references often probed by attackers
		'/\b(ID3|Text\/Diff|class-config|classwithtostring|lock|requests|rest-api|widgets|blocks|IXR)\b/i',

		// 6) Various suspicious file extensions / backups
		'/(\.php7|\.php5|\.php3|\.phtml|\.bak|\.old|\.backup)\b/i',

		// 7) Hidden or environment files
		'/(\.git|\.svn|\.env|\.htaccess|\.DS_Store)\b/i',

		// 8) Admin actions or shells
		'/\b(ajax-actions|admin-post|wp-config|shell|exec|repeater|dropdown|cache-compat|alfanew|cloud)\b/i',

		// 9) Odd codes or known suspicious URIs
		'/\b(403|about|xmrlpc|updates|avaa|yanz|wsoyanz)\b/i',
	];

	if (strpos($request_uri, '/page/') !== 0 && array_filter($suspicious_patterns, fn($pattern) => preg_match($pattern, $request_uri))) {
		$attempts = [];
		if (file_exists($attempts_file)) {
			foreach (file($attempts_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
				list($ip, $count) = explode(',', $line);
				$attempts[$ip] = (int)$count;
			}
		}

		$attempts[$visitor_ip] = ($attempts[$visitor_ip] ?? 0) + 1;

		if ($attempts[$visitor_ip] >= 15) {
			file_put_contents($blocklist_file, "$visitor_ip\n", FILE_APPEND | LOCK_EX);
		}

		$new_attempts = array_map(fn($ip, $count) => "$ip,$count", array_keys($attempts), $attempts);
		file_put_contents($attempts_file, implode("\n", $new_attempts) . "\n", LOCK_EX);

		http_response_code(200);
		exit;
	}

	// It is safe, so let's continue processing the script
	require_once(__DIR__.'/config.php');

		
	// 🚀 REDIRECT `/index.php` or `/index.html` to `/`
	if (preg_match('#/index\.(php|html?)$#', $request_uri)) {
		$clean_url = preg_replace('#/index\.(php|html?)$#', '/', $request_uri);
		header("Location: $clean_url", true, 301);
		exit;
	}
	
	// 🚀 REDIRECT `.php` or `.html` URLs to clean versions (`/page.php` → `/page`)
	if (preg_match('#\.(php|html?)$#', $request_uri)) {
		$clean_url = preg_replace('#\.(php|html?)$#', '', $request_uri);
		header("Location: $clean_url", true, 301);
		exit;
	}
	
	// 🔥 SPECIAL CASE: The `/app/` and `/page/` folders must continue processing in `router.php`
	if (($request_uri === '/app' || $request_uri === '/page') ||
		(strpos($request_uri, '/app/') === 0 || strpos($request_uri, '/page/') === 0)) {
		// Do nothing here—just let it continue processing the script below
	} else {
		$document_root = $_SERVER['DOCUMENT_ROOT'];
		$full_path = realpath($document_root . $request_uri);
        // 📝 Serve files normally IF they exist (EXCEPT `/app/`) with strong conditional caching
        if (is_file($full_path)) {
            streamFileWithConditionalCache($full_path);
            exit;
        }

        // 🔄 Alias: /uploads/profile_pictures/g-<id>[.png] → stream sharded file directly (no redirect)
        //     <id> can be any safe token (letters, numbers, _ or -), not just 32-hex
        if (preg_match('#^/uploads/profile_pictures/(g-[A-Za-z0-9_-]+)(?:\.png)?$#', $request_uri, $m)) {
            $openaiId = $m[1];
            $hex = substr($openaiId, 2);
            $shard = substr($hex, 0, 2) ?: '00';
            $canonicalUrl = '/uploads/profile_pictures/_/' . $shard . '/' . $openaiId . '.png';
            $canonicalPath = __DIR__ . $canonicalUrl;

            if (is_file($canonicalPath)) {
                // Stream with strong conditional caching so alias URL gets ETag/Last-Modified
                streamFileWithConditionalCache($canonicalPath);
                exit;
            }
            http_response_code(404);
            exit;
        }

        // (Legacy /uploads/g-<id>.png intentionally not handled here; use api/test.php to migrate.)

		// 📌 Serve `index.php` or `index.html` for directories (EXCEPT `/app/`)
		if (is_dir($full_path)) {
			if (file_exists($full_path . '/index.php')) {
				require $full_path . '/index.php';
				exit;
			} elseif (file_exists($full_path . '/index.html')) {
				require $full_path . '/index.html';
				exit;
			}
		}

		// ✨ Pretty URLs: `/page` → `/page.php` (EXCEPT `/app/`)
		$php_file = $document_root . $request_uri . '.php';
		if (file_exists($php_file)) {
			require $php_file;
			exit;
		}
	}

	// DEFAULT INDEX
	router('GET', '/', function () {
		header('Location: ' . (__DEFAULT__ ? __DEFAULT__ : 'https://hello.gpt-tools.co/'));
	}, true);

	router('GET', 'close', function ($params) {
		$_REQUEST = array_merge($_REQUEST, $params);
		// If a payment success flag is explicitly provided via query, keep old behavior
		if (isset($_REQUEST['success'])) {
			header('Location: ' . ($_REQUEST['success'] ? 'https://hello.gpt-tools.co/payment-successful' : 'https://hello.gpt-tools.co/payment-not-successful'));
			return;
		}
		// Otherwise render the local auto-close page
		require __DIR__ . '/close.php';
	}, true);

	router('GET', '(e|error)', function ($params) {
		$m = $_REQUEST['m'] ?? $_REQUEST['message'] ?? 'Something went wrong.';
		$o = strpos($m, ' ') !== false ? $m : (($d=base64_decode($m,true)) && base64_encode($d) === $m ? $d : $m);
		print htmlspecialchars($o);
	}, true);
		
	router('GET', 'api/(?<uuid>{/uuid/})/integrate/openai/(?<route>(action|privacy))', function ($params) {
		$_REQUEST = array_merge($_REQUEST, array_diff_key($params, array_flip(['route'])));
		renderAPI('user/integrate/openai/'. @$params['route']);
	}, true);

	router(['GET', 'POST'], 'api/(?<user_uuid>{/uuid/})?/?(?<product_uuid>{/uuid/})/chat/?(?<route>(next|donate|auth|oauth|start))?', function ($params) {
		$_REQUEST = array_merge($_REQUEST, array_diff_key($params, array_flip(['route'])));
		renderAPI(@$params['route'] == 'oauth' ? 'user/auth/oauth' : 'chat/' . (@$params['route'] ?? 'next'));
	}, true);

	router(['GET', 'POST'], 'api/(?<user_uuid>{/uuid/})?/?(?<product_uuid>{/uuid/})/checkout/?(?<route>(get|pay|go|check|back|oauth))?', function ($params) {
		$_REQUEST = array_merge($_REQUEST, array_diff_key($params, array_flip(['route'])));
		renderAPI(@$params['route'] == 'oauth' ? 'user/auth/oauth' : 'checkout/' . @$params['route'] ?? 'get');
	}, true);

	router(['GET', 'POST'], 'api/(?<user_uuid>{/uuid/})?/?(?<product_uuid>{/uuid/})?/?checkout/(?<checkout_uuid>{/uuid/})/(?<route>(get|pay|go|manage|check|back))', function ($params) {
		$_REQUEST = array_merge($_REQUEST, array_diff_key($params, array_flip(['route'])));
		renderAPI(@$params['route'] == 'oauth' ? 'user/auth/oauth' : 'checkout/' . @$params['route'] ?? 'get');
	}, true);

	router(['GET', 'POST'], 'api/(?<product_uuid>{/uuid/})?/?tools/(?<route>(mysql))', function ($params) {
		$_REQUEST = array_merge($_REQUEST, array_diff_key($params, array_flip(['route'])));
		renderAPI('tools/' . @$params['route']);
	}, true);

	router(['GET'], 'api/affiliate/(?<route>(go))', function ($params) {
		$_REQUEST = array_merge($_REQUEST, array_diff_key($params, array_flip(['route'])));
		renderAPI('affiliate/'. @$params['route']);
	}, true);

	router(['GET', 'POST'], 'api/user/(?<user_uuid>{/uuid/})/?(?<route>.*)?', function ($params) {
		$_REQUEST = array_merge($_REQUEST, array_diff_key($params, array_flip(['route'])));
		renderAPI('user/'. @$params['route']);
	}, true);

	router('GET', 'app/?(?<route>.*)', function ($params) {
		renderAPP('/'. @$params['route']);
	}, true);

	router('GET', 'page/?(?<route>.*)', function ($params) {
		$_REQUEST = array_merge($_REQUEST, $params);
		renderPAGE('/'. @$params['route']);
	}, true);

	router('GET', 'sitemap.xml', function () {
		http_response_code(410);
	}, true);

	router('GET', 'favicon.ico', function () {
		header('Location: ' . __SITE__ . '/app/_/images/gpt.builders.jpg');
	}, true);

	router('GET', 'db/?(?<route>.*)', function ($params) {
		header('Location: /');
	}, true);

	router('GET', '(?<user_handle>[^/]+)/?(?<route>.*)', function ($params) {
		$_REQUEST = array_merge($_REQUEST, $params);

		$route = $_REQUEST['route'] ?? '';
		$user_handle = $_REQUEST['user_handle'];
		if ($user_handle != "user" && $route == "affiliate") {
			$user = getUserWithUserHandle($user_handle);
			if ($user) {
				$_REQUEST["u"] = $user_handle;
				renderAPI('affiliate/go');
			}
		}
		header('Location: /');
	}, true);


?>