<?php

// === WEVAL SECRETS LOADER ===
$_WEVAL_SECRETS = [];
if (file_exists('/etc/weval/secrets.env')) {
    foreach (file('/etc/weval/secrets.env', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        if (strpos($line, '#') === 0) continue;
        if (strpos($line, '=') !== false) {
            list($k, $v) = explode('=', $line, 2);
            $_WEVAL_SECRETS[trim($k)] = trim($v);
        }
    }
}
function weval_secret($key, $default='') {
    global $_WEVAL_SECRETS;
    return $_WEVAL_SECRETS[$key] ?? getenv($key) ?: $default;
}

// === INPUT SANITIZATION ===
function weval_input($key, $type='string', $method='GET') {
    $src = $method === 'POST' ? INPUT_POST : INPUT_GET;
    $val = filter_input($src, $key, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    if ($val === null || $val === false) {
        $val = ($method === 'POST') ? ($_POST[$key] ?? '') : ($_GET[$key] ?? '');
        $val = htmlspecialchars(strip_tags(trim($val)), ENT_QUOTES, 'UTF-8');
    }
    if ($type === 'int') return intval($val);
    if ($type === 'email') return filter_var($val, FILTER_SANITIZE_EMAIL);
    return $val;
}

// === WEDROID CAPABILITIES (CrowdSec threat intel + enhanced audit) ===
function crowdsec_check_ip($ip) {
    $out = @shell_exec("sudo cscli decisions list -i $ip -o json 2>/dev/null");
    $decisions = json_decode($out, true) ?: [];
    return count($decisions) > 0;
}

function droid_enhanced_audit($ip, $cmd, $result_len) {
    $entry = json_encode(['ts'=>date('c'), 'ip'=>$ip, 'cmd_hash'=>md5($cmd), 'cmd_len'=>strlen($cmd), 'result_len'=>$result_len, 'user'=>get_current_user()]);
    @file_put_contents('/var/log/droid-audit.log', $entry . "
", FILE_APPEND);
}

function droid_health_snapshot() {
    $ch = curl_init("http://127.0.0.1/api/wevia-capabilities.php?cap=health");
    curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER=>true, CURLOPT_TIMEOUT=>5, CURLOPT_HTTPHEADER=>['Host: weval-consulting.com']]);
    $r = json_decode(curl_exec($ch), true); curl_close($ch);
    return $r;
}

header("Content-Type:application/json");

// IP whitelist: only CF, private net, localhost
$ip = $_SERVER["REMOTE_ADDR"] ?? "";
$cf_ip = $_SERVER["HTTP_CF_CONNECTING_IP"] ?? $ip;
$allowed_ranges = ["10.1.0.", "127.0.0.", "172."];
$cf_ok = in_array(substr($ip, 0, 4), ["162.", "172.", "173.", "104.", "108.", "141.", "198.", "103.", "188.", "190.", "131."]);
$priv_ok = false;
foreach($allowed_ranges as $r) { if(strpos($ip, $r) === 0) $priv_ok = true; }
if(!$cf_ok && !$priv_ok && $ip !== "127.0.0.1") {
    http_response_code(403); die(json_encode(["error"=>"forbidden","ip"=>$ip]));
}

$k=$_POST["k"]??$_GET["k"]??"";
if($k!=weval_secret('DROID_KEY','DROID2026')&&$k!=weval_secret('CX_KEY','WEVADS2026'))die(json_encode(["error"=>"no"]));

// Command logging
$c_raw = $_POST["c"]??"";
$d = base64_decode($c_raw); if($d) $c_raw = $d;
$log = date("c") . " | " . $cf_ip . " | " . substr($c_raw, 0, 200) . "\n";
@file_put_contents("/var/log/droid-audit.log", $log, FILE_APPEND | LOCK_EX);

$a=$_POST["action"]??"";
if(in_array($a,["chat","status","providers"])){
  $ch=curl_init("http://weval:REDACTED_AUTH@10.1.0.3:5890/api/wedroid-brain-api.php");
  curl_setopt_array($ch,[CURLOPT_POST=>1,CURLOPT_POSTFIELDS=>$_POST,CURLOPT_RETURNTRANSFER=>1,CURLOPT_TIMEOUT=>45]);
  $r=curl_exec($ch);curl_close($ch);
  echo $r?:json_encode(["ok"=>false,"error"=>"S95 unreachable"]);exit;
}

$c=$_POST["c"]??"";$d=base64_decode($c);if($d)$c=$d;
// CrowdSec threat check
if (crowdsec_check_ip($cf_ip)) {
    droid_enhanced_audit($cf_ip, $c, 0);
    die(json_encode(["error"=>"blocked","reason"=>"crowdsec"]));
}
$t=microtime(1);$o=shell_exec($c." 2>&1");
droid_enhanced_audit($cf_ip, $c, strlen($o ?? ''));
echo json_encode(["ok"=>true,"output"=>$o,"duration_ms"=>round((microtime(1)-$t)*1e3),"timestamp"=>date("c")]);