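86400,"path"=>"/","domain"=>".weval-consulting.com","secure"=>true,"httponly"=>true,"samesite"=>"Lax"]);
session_start();

/**
 * Read the expected agent token from the secrets file.
 *
 * @param string $path Location of the KEY=VALUE secrets file.
 * @return string The value after "AGENT_TOKEN=", or "" when the file is
 *                unreadable or has no such line. An empty result disables
 *                the bypass (fail closed); there is deliberately no built-in
 *                default token, because a literal in source is a credential.
 */
function weval_expected_agent_token(string $path = "/etc/weval/secrets.env"): string
{
    if (!is_readable($path)) {
        return "";
    }
    // file() can still fail between the readability check and the read.
    $lines = file($path, FILE_IGNORE_NEW_LINES) ?: [];
    foreach ($lines as $line) {
        if (strpos($line, "AGENT_TOKEN=") === 0) {
            return trim(substr($line, strlen("AGENT_TOKEN=")));
        }
    }
    return "";
}

/**
 * Make a request-supplied value safe to embed in a single audit-log line.
 *
 * @param string $value Header or URI text taken from the request.
 * @return string The value with control characters collapsed to a space, so a
 *                crafted request cannot forge or split log records.
 */
function weval_log_field(string $value): string
{
    return preg_replace('/[\x00-\x1F\x7F]+/', " ", $value) ?? "?";
}

// 1) Existing PHP session check (no regression).
if (!empty($_SESSION["weval_auth"]) && $_SESSION["weval_auth"] === true) {
    http_response_code(200);
    echo "OK";
    exit;
}

// 2) Agent token bypass (header or query param).
//    The header wins when present; the query param is kept for compatibility.
//    NOTE(review): a query-param token is copied into access logs and Referer
//    headers by intermediaries — prefer the X-Agent-Token header for new clients.
$raw = $_SERVER["HTTP_X_AGENT_TOKEN"] ?? $_GET["_agent_token"] ?? "";
// A repeated query key (`_agent_token[]=...`) arrives as an array; only a string
// is a candidate token, otherwise hash_equals() would throw instead of deny.
$supplied = is_string($raw) ? $raw : "";

// Strict comparison: the string "0" is a (wrong) token, not "no token".
if ($supplied !== "") {
    $expected = weval_expected_agent_token();
    // No configured token means no bypass. The previous hard-coded fallback
    // token has been removed: configure AGENT_TOKEN in the secrets file instead.
    // hash_equals() takes the known value first, as required for constant time.
    if ($expected !== "" && hash_equals($expected, $supplied)) {
        // Audit log (best effort, never blocks the auth decision).
        @file_put_contents(
            "/var/log/nginx/agent-bypass.log",
            date("c") . " "
                . weval_log_field($_SERVER["HTTP_X_ORIGINAL_URI"] ?? "?")
                . " UA=" . weval_log_field($_SERVER["HTTP_USER_AGENT"] ?? "?")
                . "\n",
            FILE_APPEND
        );
        http_response_code(200);
        echo "AGENT-OK";
        exit;
    }
}

// 3) Unauthorized (default).
http_response_code(401);
echo "UNAUTHORIZED";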