server.js

#!/usr/bin/env node
const http = require('http');
const https = require('https');
const fs = require('fs');
const path = require('path');
const os = require('os');
const crypto = require('crypto');
const { execFile } = require('child_process');
const { URL, pathToFileURL } = require('url');
const logger = require('./server/utils/logger');
const { withFileLock } = require('./server/utils/fileLock');
const createRouter = require('./server/routes');

const loadEnvFile = filePath => {
  try {
    const content = fs.readFileSync(filePath, 'utf-8');
    content.split(/\r?\n/).forEach(line => {
      const trimmed = line.trim();
      if (!trimmed || trimmed.startsWith('#')) {
        return;
      }
      const index = trimmed.indexOf('=');
      if (index === -1) {
        return;
      }
      const key = trimmed.slice(0, index).trim();
      const value = trimmed.slice(index + 1).trim();
      if (!(key in process.env)) {
        process.env[key] = value;
      }
    });
  } catch (error) {
    // ignore missing .env
  }
};

loadEnvFile(path.join(__dirname, '.env'));

const PORT = process.env.PORT || 4173;
const HOST = process.env.HOST || '127.0.0.1';
const ROOT = path.resolve(__dirname);
const ASSETS_PATH = path.join(ROOT, 'assets');
const LOCATIONS_FILE = path.join(ASSETS_PATH, 'locations.json');
const TYPES_FILE = path.join(ASSETS_PATH, 'types.json');
const IMAGES_DIR = path.join(ASSETS_PATH, 'images');
const AUDIO_DIR = path.join(ASSETS_PATH, 'audio');
const AUDIT_DIR = path.join(ASSETS_PATH, 'logs');
const AUDIT_FILE = path.join(AUDIT_DIR, 'locations-audit.jsonl');
const SESSION_STORE_FILE = path.join(AUDIT_DIR, 'sessions.json');
const USERS_FILE = path.join(ASSETS_PATH, 'users.json');
const GROUPS_FILE = path.join(ASSETS_PATH, 'groups.json');
const ANNOTATIONS_FILE = path.join(ASSETS_PATH, 'annotations.json');
const TIMELINE_FILE = path.join(ASSETS_PATH, 'timeline.json');
const SITE_CONFIG_FILE = path.join(ASSETS_PATH, 'site-config.json');
const REMOTE_SYNC_URL = (process.env.REMOTE_SYNC_URL || '').trim();
const REMOTE_SYNC_TOKEN = (process.env.REMOTE_SYNC_TOKEN || '').trim();
const rawRemoteSyncMethod = (process.env.REMOTE_SYNC_METHOD || 'POST').trim().toUpperCase();
const REMOTE_SYNC_METHOD = ['POST', 'PUT', 'PATCH'].includes(rawRemoteSyncMethod) ? rawRemoteSyncMethod : 'POST';
const REMOTE_SYNC_TIMEOUT = Math.max(0, Number(process.env.REMOTE_SYNC_TIMEOUT) || 7000);
const MAX_UPLOAD_SIZE = 25 * 1024 * 1024;
const MAX_BODY_SIZE = 40 * 1024 * 1024;
const AVAILABILITY_DAYS = ['mon', 'tue', 'wed', 'thu', 'fri', 'sat', 'sun'];
const AVAILABILITY_SLOTS = ['morning', 'afternoon', 'evening', 'night'];
const DEFAULT_SITE_CONFIG = {
  home: {
    kicker: 'Accueil - Hub narratif',
    title: "Entrez dans l'univers avant d'ouvrir la carte",
    lead: "Explorez les lieux, suivez les quetes en direct, retrouvez votre groupe JDR et centralisez vos personnages. Cette page sert de point d'entree rapide pour la carte et la communaute.",
    atmosphere: "Accueil narratif - entree rapide vers l'univers, la carte et la communaute.",
    tags: ['Carte narrative', 'Quetes live', 'Groupes JDR', 'Profils & personnages'],
    metrics: [
      { label: 'Hub', value: 'Carte + Communaute' },
      { label: 'Acces', value: 'Lecture / Discord / Admin' },
      { label: 'Etat', value: 'Version actuelle en production' }
    ],
    visuals: {
      backgroundImage: '/assets/home/backgrounds/hero-main.png',
      mapPreviewImage: '/assets/home/mockups/map-preview-main.png',
      characterImage: '/assets/home/characters/Chevalier.png',
      floatingTitle: "Les terres d'Hesta",
      floatingCopy: "Un apercu clair du monde, des routes, des villes et des quetes qui structurent vos campagnes."
    }
  },
  community: {
    youtubeUrl: 'https://www.youtube.com/',
    discordUrl: 'https://discord.com/',
    redditUrl: 'https://www.reddit.com/',
    discord: {
      badge: 'Discord',
      title: 'Serveur principal',
      copy: "Organisation des sessions, annonces JDR et coordination des groupes."
    },
    proof: {
      mode: 'manual',
      guildId: '',
      manualCount: 200,
      label: 'membres sur Discord',
      note: 'Sessions, annonces et coordination des groupes JDR.'
    },
    youtube: {
      badge: 'YouTube',
      title: 'Lore & recaps',
      copy: "Recaps, videos d univers et ambiances pour prolonger les campagnes."
    },
    reddit: {
      badge: 'Reddit',
      title: 'Discussions',
      copy: "Partage d idees, feedback et archives communautaires."
    }
  },
  support: {
    issuesUrl: 'https://github.com/Daneisra/Carte-Interactive/issues',
    contactEmail: 'contact@cartehesta.local'
  },
  legal: {
    creditsUrl: '/docs/credits-assets.md',
    footerNote: "Projet narratif / JDR - fan project / page d'accueil officielle."
  },
  changelog: [
    {
      date: '2026-02-28',
      title: 'Nouvel accueil en ligne',
      summary: "Nouvelle page d'accueil avec session, communaute, flux live, lieux mis en avant et patch notes."
    }
  ]
};
const DEFAULT_TIMELINE = {
  title: "Chronologie d'Hesta",
  subtitle: "Une lecture lineaire des bascules politiques, spirituelles et militaires qui structurent les campagnes.",
  entries: []
};

const MIME_TYPES = {
  '.html': 'text/html; charset=utf-8',
  '.css': 'text/css; charset=utf-8',
  '.js': 'application/javascript; charset=utf-8',
  '.mjs': 'application/javascript; charset=utf-8',
  '.json': 'application/json; charset=utf-8',
  '.png': 'image/png',
  '.jpg': 'image/jpeg',
  '.jpeg': 'image/jpeg',
  '.svg': 'image/svg+xml',
  '.ico': 'image/x-icon',
  '.txt': 'text/plain; charset=utf-8'
};

const SECURITY_HEADERS = {
  'Content-Security-Policy': [
    "default-src 'self' data: blob:",
    "script-src 'self' 'unsafe-eval' https://unpkg.com https://cdn.jsdelivr.net",
    "style-src 'self' 'unsafe-inline' https://unpkg.com https://cdn.jsdelivr.net",
    "img-src 'self' data: blob: https://unpkg.com https://cdn.jsdelivr.net",
    "font-src 'self' data: https://unpkg.com https://cdn.jsdelivr.net",
    "media-src 'self' data: blob:",
    "connect-src 'self'",
    "frame-src 'self' https://discord.com https://*.discord.com",
    "frame-ancestors 'self'"
  ].join('; '),
  'X-Content-Type-Options': 'nosniff'
};

const SSE_HEARTBEAT_MS = 30_000;
const sseClients = new Set();
const serverStartedAt = Date.now();
const sseMetrics = {
  broadcastCount: 0,
  lastEventAt: null,
  lastEventName: null
};

const broadcastSse = (eventName, payload) => {
  if (!sseClients.size) {
    return;
  }
  sseMetrics.broadcastCount += 1;
  sseMetrics.lastEventAt = Date.now();
  sseMetrics.lastEventName = eventName || null;
  const serialized = typeof payload === 'string' ? payload : JSON.stringify(payload);
  sseClients.forEach(client => {
    if (!client.res || client.res.writableEnded) {
      return;
    }
    try {
      client.res.write(`event: ${eventName}\ndata: ${serialized}\n\n`);
    } catch (error) {
      logger.warn('[sse] write failed', { error: error.message });
    }
  });
};

const registerSseClient = (req, res) => {
  res.writeHead(200, {
    ...SECURITY_HEADERS,
    'Content-Type': 'text/event-stream',
    'Cache-Control': 'no-cache, no-transform',
    Connection: 'keep-alive'
  });

  res.write(`event: connected\ndata: ${JSON.stringify({ timestamp: new Date().toISOString() })}\n\n`);

  const client = { res, heartbeat: null };

  client.heartbeat = setInterval(() => {
    if (res.writableEnded) {
      clearInterval(client.heartbeat);
      return;
    }
    try {
      res.write(`event: heartbeat\ndata: ${Date.now()}\n\n`);
    } catch (error) {
      clearInterval(client.heartbeat);
    }
  }, SSE_HEARTBEAT_MS);

  const cleanup = () => {
    clearInterval(client.heartbeat);
    sseClients.delete(client);
  };

  req.on('close', cleanup);
  res.on('close', cleanup);

  sseClients.add(client);
};

const readJsonFile = async (targetPath, fallback) => {
  try {
    const raw = await fs.promises.readFile(targetPath, 'utf-8');
    return JSON.parse(raw);
  } catch (error) {
    return Array.isArray(fallback) || typeof fallback === 'object' ? JSON.parse(JSON.stringify(fallback)) : fallback;
  }
};

const writeJsonFile = async (targetPath, data) => {
  await withFileLock(targetPath, async () => {
    const directory = path.dirname(targetPath);
    await fs.promises.mkdir(directory, { recursive: true });
    await fs.promises.writeFile(targetPath, JSON.stringify(data, null, 2) + '\n', 'utf-8');
  });
};

const readAnnotationsFile = async () => readJsonFile(ANNOTATIONS_FILE, []);
const writeAnnotationsFile = async annotations => writeJsonFile(ANNOTATIONS_FILE, annotations);
const readTimelineFile = async () => sanitizeTimelineConfig(await readJsonFile(TIMELINE_FILE, DEFAULT_TIMELINE));
const writeTimelineFile = async timeline => writeJsonFile(TIMELINE_FILE, sanitizeTimelineConfig(timeline));

let searchFiltersModulePromise = null;
const loadSearchFiltersModule = () => {
  if (!searchFiltersModulePromise) {
    const modulePath = pathToFileURL(path.join(__dirname, 'js', 'shared', 'searchFilters.mjs')).href;
    searchFiltersModulePromise = import(modulePath);
  }
  return searchFiltersModulePromise;
};

let locationValidationModulePromise = null;
const loadLocationValidationModule = () => {
  if (!locationValidationModulePromise) {
    const modulePath = pathToFileURL(path.join(__dirname, 'js', 'shared', 'locationValidation.mjs')).href;
    locationValidationModulePromise = import(modulePath);
  }
  return locationValidationModulePromise;
};


const send = (res, status, body = '', headers = {}) => {
  res.writeHead(status, { ...SECURITY_HEADERS, ...headers });
  if (body === null) {
    res.end();
  } else {
    res.end(body);
  }
};

const json = (res, status, payload = null) => {
  const headers = { 'Content-Type': 'application/json' };
  if (payload === null) {
    send(res, status, null, headers);
    return;
  }
  send(res, status, JSON.stringify(payload), headers);
};

const serveStatic = (req, res, urlObj) => {
  let pathname = decodeURIComponent(urlObj.pathname);
  if (pathname.includes('..')) {
    send(res, 403, 'Forbidden');
    return;
  }
  if (pathname.endsWith('/')) {
    pathname += 'index.html';
  }
  if (pathname === '/') {
    pathname = '/index.html';
  }
  const filePath = path.join(ROOT, pathname);
  if (!filePath.startsWith(ROOT)) {
    send(res, 403, 'Forbidden');
    return;
  }
  fs.stat(filePath, (err, stats) => {
    if (err) {
      send(res, 404, 'Not Found');
      return;
    }
    if (stats.isDirectory()) {
      const indexPath = path.join(filePath, 'index.html');
      fs.stat(indexPath, (indexErr, indexStats) => {
        if (indexErr || !indexStats.isFile()) {
          send(res, 404, 'Not Found');
          return;
        }
        streamFile(indexPath, req, res);
      });
      return;
    }
    streamFile(filePath, req, res);
  });
};

const streamFile = (filePath, req, res) => {
  const ext = path.extname(filePath).toLowerCase();
  const mime = MIME_TYPES[ext] || 'application/octet-stream';
  const headers = { ...SECURITY_HEADERS, 'Content-Type': mime };
  if (ext === '.json') {
    headers['Cache-Control'] = 'no-store';
  }
  res.writeHead(200, headers);
  if (req.method === 'HEAD') {
    res.end();
    return;
  }
  const stream = fs.createReadStream(filePath);
  stream.on('error', () => {
    if (!res.headersSent) {
      send(res, 500, 'Internal Server Error');
    } else {
      res.destroy();
    }
  });
  stream.pipe(res);
};

const UPLOAD_RULES = {
  image: {
    directory: IMAGES_DIR,
    extensions: ['.png', '.jpg', '.jpeg', '.webp', '.gif', '.svg']
  },
  audio: {
    directory: AUDIO_DIR,
    extensions: ['.mp3', '.ogg', '.wav', '.flac', '.aac', '.m4a']
  }
};

const IMAGE_EXTENSIONS = new Set(UPLOAD_RULES.image.extensions);
const AUDIO_EXTENSIONS = new Set(UPLOAD_RULES.audio.extensions);
let cachedTypes = null;
const canSyncRemote = REMOTE_SYNC_URL.length > 0 && REMOTE_SYNC_METHOD.length;
const ADMIN_API_TOKEN = (process.env.ADMIN_API_TOKEN || '').trim();
const USER_API_TOKENS = (process.env.USER_API_TOKENS || '')
  .split(',')
  .map(token => token.trim())
  .filter(Boolean);
const authEnabled = ADMIN_API_TOKEN.length > 0 || USER_API_TOKENS.length > 0;
const DISCORD_CLIENT_ID = (process.env.DISCORD_CLIENT_ID || '').trim();
const DISCORD_CLIENT_SECRET = (process.env.DISCORD_CLIENT_SECRET || '').trim();
const DISCORD_REDIRECT_URI = (process.env.DISCORD_REDIRECT_URI || '').trim();
const DISCORD_OAUTH_ENABLED = DISCORD_CLIENT_ID.length > 0 && DISCORD_CLIENT_SECRET.length > 0 && DISCORD_REDIRECT_URI.length > 0;
const DISCORD_ADMIN_IDS = (process.env.DISCORD_ADMIN_IDS || '')
  .split(',')
  .map(id => id.trim())
  .filter(Boolean);
const DISCORD_API_VERSION = 'v10';
const DEFAULT_DISCORD_API_ORIGIN = 'https://discord.com';
const rawDiscordApiOrigin = (process.env.DISCORD_API_ORIGIN || DEFAULT_DISCORD_API_ORIGIN).trim();
const DISCORD_API_ORIGIN = rawDiscordApiOrigin ? rawDiscordApiOrigin.replace(/\/+$/, '') : DEFAULT_DISCORD_API_ORIGIN;
const DISCORD_AUTHORIZE_URL = `${DISCORD_API_ORIGIN}/oauth2/authorize`;
const DISCORD_TOKEN_URL = `${DISCORD_API_ORIGIN}/api/oauth2/token`;
const DISCORD_USER_URL = `${DISCORD_API_ORIGIN}/api/${DISCORD_API_VERSION}/users/@me`;
const authRequired = authEnabled || DISCORD_OAUTH_ENABLED;
logger.info('Discord OAuth configuration', {
  enabled: DISCORD_OAUTH_ENABLED,
  origin: DISCORD_API_ORIGIN
});

const sessionStore = new Map();
const SESSION_COOKIE_NAME = 'map_session';
const oauthStateStore = new Map();
const OAUTH_STATE_TTL_MS = 5 * 60 * 1000;
const SESSION_TTL_MS = Math.max(5 * 60 * 1000, Number(process.env.SESSION_TTL_MS) || (12 * 60 * 60 * 1000));
const SESSION_SECRET = (process.env.SESSION_SECRET || 'dev-secret').padEnd(32, '0');
const SESSION_PERSIST_DEBOUNCE_MS = 1_000;
let sessionPersistTimer = null;

const serializeSessionStore = () => {
  const sessions = [];
  sessionStore.forEach((value, key) => {
    sessions.push({ id: key, ...value });
  });
  return sessions;
};

const persistSessionStore = async () => {
  try {
    const payload = serializeSessionStore();
    await withFileLock(SESSION_STORE_FILE, async () => {
      const directory = path.dirname(SESSION_STORE_FILE);
      await fs.promises.mkdir(directory, { recursive: true });
      await fs.promises.writeFile(SESSION_STORE_FILE, JSON.stringify(payload, null, 2) + '\n', 'utf-8');
    });
  } catch (error) {
    logger.warn('[session] persist failed', { error: error.message });
  }
};

const scheduleSessionPersist = () => {
  if (sessionPersistTimer) {
    return;
  }
  sessionPersistTimer = setTimeout(() => {
    sessionPersistTimer = null;
    persistSessionStore();
  }, SESSION_PERSIST_DEBOUNCE_MS);
  if (typeof sessionPersistTimer.unref === 'function') {
    sessionPersistTimer.unref();
  }
};

const hydrateSessionStoreFromDisk = async () => {
  try {
    const raw = await fs.promises.readFile(SESSION_STORE_FILE, 'utf-8');
    const entries = JSON.parse(raw);
    if (!Array.isArray(entries)) {
      return;
    }
    const now = Date.now();
    entries.forEach(entry => {
      if (!entry || typeof entry !== 'object') {
        return;
      }
      const id = typeof entry.id === 'string' ? entry.id : null;
      if (!id) {
        return;
      }
      const expiresAt = Number(entry.expiresAt) || 0;
      if (expiresAt <= now) {
        return;
      }
      const { id: _omit, ...data } = entry;
      sessionStore.set(id, data);
    });
    if (sessionStore.size) {
      logger.info('[session] hydrated persisted store', { count: sessionStore.size });
    }
  } catch (error) {
    if (error.code !== 'ENOENT') {
      logger.warn('[session] hydrate failed', { error: error.message });
    }
  }
};

hydrateSessionStoreFromDisk();

const parseCookies = header => {
  if (!header) {
    return {};
  }
  return header.split(';').map(chunk => chunk.trim()).reduce((acc, item) => {
    if (!item) {
      return acc;
    }
    const idx = item.indexOf('=');
    if (idx === -1) {
      return acc;
    }
    const key = item.slice(0, idx).trim();
    const value = decodeURIComponent(item.slice(idx + 1));
    acc[key] = value;
    return acc;
  }, {});
};

const signSessionId = sessionId => {
  const hmac = crypto.createHmac('sha256', SESSION_SECRET);
  hmac.update(sessionId);
  return `${sessionId}.${hmac.digest('hex')}`;
};

const verifySessionId = signed => {
  if (!signed || typeof signed !== 'string') {
    return null;
  }
  const parts = signed.split('.');
  if (parts.length !== 2) {
    return null;
  }
  const [sessionId, signature] = parts;
  const hmac = crypto.createHmac('sha256', SESSION_SECRET);
  hmac.update(sessionId);
  const expected = hmac.digest('hex');
  if (!crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
    return null;
  }
  return sessionId;
};

const createSession = payload => {
  const sessionId = crypto.randomUUID();
  const expiresAt = Date.now() + SESSION_TTL_MS;
  sessionStore.set(sessionId, { ...payload, expiresAt });
  scheduleSessionPersist();
  return signSessionId(sessionId);
};

const getSession = req => {
  const cookies = parseCookies(req.headers?.cookie);
  const signed = cookies[SESSION_COOKIE_NAME];
  const sessionId = verifySessionId(signed);
  if (!sessionId) {
    return null;
  }
  const record = sessionStore.get(sessionId);
  if (!record) {
    return null;
  }
  if (record.expiresAt <= Date.now()) {
    sessionStore.delete(sessionId);
    scheduleSessionPersist();
    return null;
  }
  record.expiresAt = Date.now() + SESSION_TTL_MS;
  sessionStore.set(sessionId, record);
  scheduleSessionPersist();
  return { sessionId, data: record };
};

const destroySession = req => {
  const cookies = parseCookies(req.headers?.cookie);
  const signed = cookies[SESSION_COOKIE_NAME];
  const sessionId = verifySessionId(signed);
  if (sessionId && sessionStore.delete(sessionId)) {
    scheduleSessionPersist();
  }
};

const sendSessionCookie = (res, signedId) => {
  const maxAge = Math.floor(SESSION_TTL_MS / 1000);
  const secure = process.env.COOKIE_SECURE === 'true' ? '; Secure' : '';
  const cookie = `${SESSION_COOKIE_NAME}=${encodeURIComponent(signedId)}; Path=/; Max-Age=${maxAge}; HttpOnly; SameSite=Lax${secure}`;
  res.setHeader('Set-Cookie', cookie);
};

const clearSessionCookie = res => {
  const secure = process.env.COOKIE_SECURE === 'true' ? '; Secure' : '';
  res.setHeader('Set-Cookie', `${SESSION_COOKIE_NAME}=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax${secure}`);
};

const fetchJson = (url, options = {}) => new Promise((resolve, reject) => {
  const parsed = new URL(url);
  const transport = parsed.protocol === 'https:' ? https : http;
  const requestOptions = {
    method: options.method || 'GET',
    headers: options.headers ? { ...options.headers } : {},
  };
  if (options.body && !requestOptions.headers['Content-Length']) {
    requestOptions.headers['Content-Length'] = Buffer.byteLength(options.body);
  }
  const request = transport.request(url, requestOptions, response => {
    let body = '';
    response.on('data', chunk => { body += chunk; });
    response.on('end', () => {
      if (response.statusCode >= 200 && response.statusCode < 300) {
        try {
          resolve(body ? JSON.parse(body) : {});
        } catch (error) {
          reject(error);
        }
      } else {
        reject(new Error(`HTTP ${response.statusCode}: ${body}`));
      }
    });
  });
  request.on('error', reject);
  if (options.body) {
    request.write(options.body);
  }
  request.end();
});

const execFileText = (file, args, options = {}) => new Promise((resolve, reject) => {
  execFile(file, args, { ...options, encoding: 'utf8', windowsHide: true, maxBuffer: 1024 * 1024 }, (error, stdout, stderr) => {
    if (error) {
      error.stderr = stderr;
      reject(error);
      return;
    }
    resolve(stdout || '');
  });
});

const readGitChangelogEntries = async (limit = 6) => {
  const count = Math.max(1, Math.min(12, Number(limit) || 6));
  const output = await execFileText('git', [
    'log',
    `-n=${count}`,
    '--date=short',
    '--pretty=format:%ad%x1f%s%x1f%b%x1e'
  ], { cwd: ROOT });
  return output
    .split('\x1e')
    .map(entry => entry.trim())
    .filter(Boolean)
    .map(entry => {
      const [dateRaw = '', titleRaw = '', bodyRaw = ''] = entry.split('\x1f');
      const title = normalizeString(titleRaw) || 'Mise a jour';
      const bodyLine = normalizeString(bodyRaw)
        .split(/\r?\n/)
        .map(line => normalizeString(line))
        .find(Boolean);
      return {
        date: normalizeString(dateRaw) || '',
        title,
        summary: bodyLine || title
      };
    })
    .filter(entry => entry.title);
};

const AUTH_PRIORITY = { user: 1, admin: 2 };

const extractBearerToken = req => {
  const header = req.headers?.authorization || req.headers?.Authorization;
  if (!header || typeof header !== 'string') {
    return null;
  }
  const parts = header.split(/\s+/);
  if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') {
    return parts[1].trim();
  }
  return null;
};

const ensureAuthorized = async (req, res, minimumRole = 'user') => {
  if (!authRequired) {
    req.auth = { role: 'admin' };
    return 'admin';
  }
  let role = null;
  let userRecord = null;
  const session = getSession(req);
  if (session?.data?.userId) {
    const persisted = await findUserById(session.data.userId);
    if (persisted) {
      role = sanitizeRole(persisted.role);
      userRecord = persisted;
      sessionStore.set(session.sessionId, { ...session.data, role, username: persisted.username, expiresAt: session.data.expiresAt });
    } else {
      destroySession(req);
    }
  } else if (session?.data?.role) {
    role = sanitizeRole(session.data.role);
    if (session?.data?.username) {
      userRecord = { username: session.data.username, role };
    }
  }
  if (!role) {
    const tokenResult = await resolveTokenUser(extractBearerToken(req));
    if (tokenResult) {
      role = tokenResult.role;
      userRecord = tokenResult.user || null;
    }
  }
  if (!role) {
    send(res, 401, JSON.stringify({ status: 'error', message: 'Authorization required.' }), { 'Content-Type': 'application/json' });
    return null;
  }
  if ((AUTH_PRIORITY[role] || 0) < (AUTH_PRIORITY[minimumRole] || 0)) {
    send(res, 403, JSON.stringify({ status: 'error', message: 'Insufficient privileges.' }), { 'Content-Type': 'application/json' });
    return null;
  }
  req.auth = { role, user: userRecord, session: session?.data || null };
  return role;
};


const loadTypeMap = async () => {
  if (cachedTypes) {
    return cachedTypes;
  }
  try {
    const raw = await fs.promises.readFile(TYPES_FILE, 'utf-8');
    const parsed = JSON.parse(raw);
    cachedTypes = parsed && typeof parsed === 'object' ? parsed : {};
  } catch (error) {
    cachedTypes = {};
  }
  return cachedTypes;
};

const normalizeString = value => (value ?? '').toString().trim();
const parseListParam = (searchParams, key) => {
  const rawValues = searchParams.getAll(key) || [];
  const collected = [];
  rawValues.forEach(entry => {
    if (typeof entry !== 'string') {
      return;
    }
    entry.split(/[,;]+/).forEach(chunk => {
      const normalized = normalizeString(chunk);
      if (normalized) {
        collected.push(normalized);
      }
    });
  });
  return collected;
};


const isHttpUrl = value => {
  if (!value || typeof value !== 'string') {
    return false;
  }
  try {
    const parsed = new URL(value);
    return parsed.protocol === 'http:' || parsed.protocol === 'https:';
  } catch (error) {
    return false;
  }
};

const cloneSiteConfigDefaults = () => JSON.parse(JSON.stringify(DEFAULT_SITE_CONFIG));

const sanitizeSiteConfigText = (value, maxLength = 1200) => {
  const normalized = normalizeString(value);
  if (!normalized) {
    return '';
  }
  return normalized.slice(0, maxLength);
};

const sanitizeSiteConfigDate = value => {
  const normalized = normalizeString(value);
  if (!normalized) {
    return '';
  }
  const parsed = Date.parse(normalized);
  return Number.isFinite(parsed) ? new Date(parsed).toISOString().slice(0, 10) : normalized.slice(0, 32);
};

const sanitizeSiteConfigUrl = (value, { allowRelative = false } = {}) => {
  const normalized = normalizeString(value);
  if (!normalized) {
    return '';
  }
  if (allowRelative && normalized.startsWith('/')) {
    return normalized;
  }
  return isHttpUrl(normalized) ? normalized : '';
};

const sanitizeSiteConfigContact = value => {
  const normalized = normalizeString(value);
  if (!normalized) {
    return '';
  }
  if (/^mailto:[^@\s]+@[^@\s]+\.[^@\s]+$/i.test(normalized)) {
    return normalized;
  }
  return /^[^@\s]+@[^@\s]+\.[^@\s]+$/i.test(normalized) ? normalized : '';
};

const sanitizeSiteConfigMode = value => {
  const normalized = normalizeString(value).toLowerCase();
  return normalized === 'discord' ? 'discord' : 'manual';
};

const sanitizeSiteConfigMetric = value => {
  if (!value || typeof value !== 'object') {
    return null;
  }
  const label = sanitizeSiteConfigText(value.label, 60);
  const metricValue = sanitizeSiteConfigText(value.value, 120);
  if (!label || !metricValue) {
    return null;
  }
  return { label, value: metricValue };
};

const sanitizeSiteConfigChangelogEntry = value => {
  if (!value || typeof value !== 'object') {
    return null;
  }
  const date = sanitizeSiteConfigDate(value.date);
  const title = sanitizeSiteConfigText(value.title, 120);
  const summary = sanitizeSiteConfigText(value.summary, 400);
  if (!date && !title && !summary) {
    return null;
  }
  return {
    date: date || '',
    title: title || 'Mise a jour',
    summary: summary || ''
  };
};

const sanitizeTimelineText = (value, maxLength = 1200) => sanitizeSiteConfigText(value, maxLength);
const sanitizeTimelineColor = value => {
  const normalized = normalizeString(value);
  if (!normalized) {
    return '#7dd3fc';
  }
  return /^#([0-9a-f]{3}|[0-9a-f]{6})$/i.test(normalized) ? normalized : '#7dd3fc';
};
const sanitizeTimelineEventKind = value => {
  const normalized = normalizeString(value).toLowerCase();
  return normalized === 'player' ? 'player' : 'lore';
};
const sanitizeTimelineId = value => {
  const normalized = normalizeString(value)
    .toLowerCase()
    .replace(/[^a-z0-9_-]+/g, '-')
    .replace(/-+/g, '-')
    .replace(/^-+|-+$/g, '');
  return normalized.slice(0, 80);
};
const sanitizeTimelineList = (list, maxItems = 8, itemMaxLength = 60) => (
  Array.isArray(list)
    ? list.map(entry => sanitizeTimelineText(entry, itemMaxLength)).filter(Boolean).slice(0, maxItems)
    : []
);
const sanitizeTimelineEntry = (value, index = 0) => {
  if (!value || typeof value !== 'object') {
    return null;
  }
  const yearValue = Number(value.year);
  const year = Number.isFinite(yearValue) ? Math.round(yearValue) : index;
  const title = sanitizeTimelineText(value.title, 140);
  const summary = sanitizeTimelineText(value.summary, 280);
  const content = sanitizeTimelineText(value.content, 2400);
  const era = sanitizeTimelineText(value.era, 80);
  const period = sanitizeTimelineText(value.period, 80);
  const id = sanitizeTimelineId(value.id) || sanitizeTimelineId(`${year}-${title || `event-${index + 1}`}`) || `timeline-${index + 1}`;
  return {
    id,
    year,
    yearLabel: sanitizeTimelineText(value.yearLabel, 40) || String(year),
    title: title || `Evenement ${index + 1}`,
    summary: summary || content || '',
    content: content || summary || '',
    eventKind: sanitizeTimelineEventKind(value.eventKind),
    era: era || period || 'Periode inconnue',
    eraSummary: sanitizeTimelineText(value.eraSummary, 240),
    sceneLabel: sanitizeTimelineText(value.sceneLabel, 60),
    period: period || 'Periode inconnue',
    tags: sanitizeTimelineList(value.tags, 10, 40),
    locationNames: sanitizeTimelineList(value.locationNames, 10, 80),
    imageUrl: sanitizeSiteConfigUrl(value.imageUrl, { allowRelative: true }),
    mediaAlt: sanitizeTimelineText(value.mediaAlt, 180),
    accentColor: sanitizeTimelineColor(value.accentColor),
    visible: value.visible !== false
  };
};
const sanitizeTimelineConfig = value => {
  const source = value && typeof value === 'object' ? value : {};
  const entries = Array.isArray(source.entries)
    ? source.entries.map((entry, index) => sanitizeTimelineEntry(entry, index)).filter(Boolean).slice(0, 120)
    : [];
  return {
    title: sanitizeTimelineText(source.title, 120) || DEFAULT_TIMELINE.title,
    subtitle: sanitizeTimelineText(source.subtitle, 320) || DEFAULT_TIMELINE.subtitle,
    entries
  };
};


const extractDiscordInviteCode = value => {
  const normalized = normalizeString(value);
  if (!normalized) {
    return '';
  }
  try {
    const parsed = new URL(normalized);
    const parts = parsed.pathname.split('/').map(part => part.trim()).filter(Boolean);
    return parts.length ? parts[parts.length - 1] : '';
  } catch (_error) {
    return normalized.replace(/^https?:\/\/[^/]+\//i, '').trim();
  }
};

const fetchDiscordInviteStats = async inviteUrl => {
  const inviteCode = extractDiscordInviteCode(inviteUrl);
  if (!inviteCode) {
    return null;
  }
  const url = `${DISCORD_API_ORIGIN}/api/${DISCORD_API_VERSION}/invites/${encodeURIComponent(inviteCode)}?with_counts=true`;
  const payload = await fetchJson(url);
  return {
    inviteCode,
    memberCount: Math.max(0, Number(payload?.approximate_member_count) || 0),
    presenceCount: Math.max(0, Number(payload?.approximate_presence_count) || 0),
    guildId: normalizeString(payload?.guild?.id || ''),
    guildName: normalizeString(payload?.guild?.name || ''),
    source: 'discord'
  };
};

const fetchDiscordWidgetStats = async guildId => {
  const normalizedGuildId = normalizeString(guildId);
  if (!normalizedGuildId) {
    return null;
  }
  const widgetUrl = `${DISCORD_API_ORIGIN}/api/guilds/${encodeURIComponent(normalizedGuildId)}/widget.json`;
  const payload = await fetchJson(widgetUrl);
  const presenceCount = Math.max(0, Number(payload?.presence_count) || 0);
  const memberCount = Array.isArray(payload?.members) ? payload.members.length : 0;
  return {
    guildId: normalizedGuildId,
    presenceCount,
    memberCount,
    instantInvite: typeof payload?.instant_invite === 'string' ? payload.instant_invite : null,
    source: 'discord'
  };
};
const sanitizeSiteConfig = value => {
  const defaults = cloneSiteConfigDefaults();
  const source = value && typeof value === 'object' ? value : {};
  const homeSource = source.home && typeof source.home === 'object' ? source.home : {};
  const communitySource = source.community && typeof source.community === 'object' ? source.community : {};
  const supportSource = source.support && typeof source.support === 'object' ? source.support : {};
  const legalSource = source.legal && typeof source.legal === 'object' ? source.legal : {};

  const tags = Array.isArray(homeSource.tags)
    ? homeSource.tags.map(entry => sanitizeSiteConfigText(entry, 60)).filter(Boolean).slice(0, 8)
    : defaults.home.tags;
  const metrics = Array.isArray(homeSource.metrics)
    ? homeSource.metrics.map(sanitizeSiteConfigMetric).filter(Boolean).slice(0, 6)
    : defaults.home.metrics;
  const visualsSource = homeSource.visuals && typeof homeSource.visuals === 'object' ? homeSource.visuals : {};
  const proofSource = communitySource.proof && typeof communitySource.proof === 'object' ? communitySource.proof : {};

  const sanitizeCommunityCard = (key, fallback) => {
    const cardSource = communitySource[key] && typeof communitySource[key] === 'object' ? communitySource[key] : {};
    return {
      badge: sanitizeSiteConfigText(cardSource.badge, 30) || fallback.badge,
      title: sanitizeSiteConfigText(cardSource.title, 80) || fallback.title,
      copy: sanitizeSiteConfigText(cardSource.copy, 240) || fallback.copy
    };
  };

  const proof = {
    mode: normalizeString(proofSource.mode) === 'discord' ? 'discord' : 'manual',
    guildId: normalizeString(proofSource.guildId || ''),
    manualCount: Math.max(0, Number(proofSource.manualCount) || 0),
    label: sanitizeSiteConfigText(proofSource.label, 60) || defaults.community.proof.label,
    note: sanitizeSiteConfigText(proofSource.note, 200) || defaults.community.proof.note
  };

  const changelog = Array.isArray(source.changelog)
    ? source.changelog.map(sanitizeSiteConfigChangelogEntry).filter(Boolean).slice(0, 12)
    : defaults.changelog;

  return {
    home: {
      kicker: sanitizeSiteConfigText(homeSource.kicker, 80) || defaults.home.kicker,
      title: sanitizeSiteConfigText(homeSource.title, 180) || defaults.home.title,
      lead: sanitizeSiteConfigText(homeSource.lead, 600) || defaults.home.lead,
      atmosphere: sanitizeSiteConfigText(homeSource.atmosphere, 180) || defaults.home.atmosphere,
      tags: tags.length ? tags : defaults.home.tags,
      metrics: metrics.length ? metrics : defaults.home.metrics,
      visuals: {
        backgroundImage: sanitizeSiteConfigUrl(visualsSource.backgroundImage, { allowRelative: true }) || defaults.home.visuals.backgroundImage,
        mapPreviewImage: sanitizeSiteConfigUrl(visualsSource.mapPreviewImage, { allowRelative: true }) || defaults.home.visuals.mapPreviewImage,
        characterImage: sanitizeSiteConfigUrl(visualsSource.characterImage, { allowRelative: true }) || defaults.home.visuals.characterImage,
        floatingTitle: sanitizeSiteConfigText(visualsSource.floatingTitle, 120) || defaults.home.visuals.floatingTitle,
        floatingCopy: sanitizeSiteConfigText(visualsSource.floatingCopy, 260) || defaults.home.visuals.floatingCopy
      }
    },
    community: {
      youtubeUrl: sanitizeSiteConfigUrl(communitySource.youtubeUrl) || defaults.community.youtubeUrl,
      discordUrl: sanitizeSiteConfigUrl(communitySource.discordUrl) || defaults.community.discordUrl,
      redditUrl: sanitizeSiteConfigUrl(communitySource.redditUrl) || defaults.community.redditUrl,
      discord: sanitizeCommunityCard('discord', defaults.community.discord),
      proof,
      youtube: sanitizeCommunityCard('youtube', defaults.community.youtube),
      reddit: sanitizeCommunityCard('reddit', defaults.community.reddit)
    },
    support: {
      issuesUrl: sanitizeSiteConfigUrl(supportSource.issuesUrl) || defaults.support.issuesUrl,
      contactEmail: sanitizeSiteConfigContact(supportSource.contactEmail) || defaults.support.contactEmail
    },
    legal: {
      creditsUrl: sanitizeSiteConfigUrl(legalSource.creditsUrl, { allowRelative: true }) || defaults.legal.creditsUrl,
      footerNote: sanitizeSiteConfigText(legalSource.footerNote, 240) || defaults.legal.footerNote
    },
    changelog: changelog.length ? changelog : defaults.changelog
  };
};

const readSiteConfigFile = async () => sanitizeSiteConfig(await readJsonFile(SITE_CONFIG_FILE, DEFAULT_SITE_CONFIG));
const writeSiteConfigFile = async config => writeJsonFile(SITE_CONFIG_FILE, sanitizeSiteConfig(config));

const resolveAssetPath = relative => {
  const target = path.join(ROOT, relative);
  if (!target.startsWith(ASSETS_PATH)) {
    return null;
  }
  return target;
};

const sanitizeFileName = (value, fallback = 'file') => {
  const base = (value || fallback).toString().toLowerCase().replace(/[^a-z0-9._-]/g, '-').replace(/-+/g, '-').replace(/^[-.]+|[-.]+$/g, '');
  return base || fallback;
};

const ensureUniqueFilePath = async (directory, name, ext) => {
  let index = 0;
  let candidate;
  do {
    const suffix = index ? `-${index}` : '';
    candidate = path.join(directory, `${name}${suffix}${ext}`);
    index += 1;
  } while (await fs.promises.access(candidate).then(() => true).catch(() => false));
  return candidate;
};

const decodeBase64Payload = data => {
  if (!data || typeof data !== 'string') {
    return null;
  }
  const parts = data.split(',');
  const encoded = parts.length === 2 ? parts[1] : parts[0];
  try {
    return Buffer.from(encoded, 'base64');
  } catch (error) {
    return null;
  }
};

const persistUploadedFile = async ({ type, filename, data }) => {
  const rules = UPLOAD_RULES[type];
  if (!rules) {
    throw new Error('Unsupported upload type');
  }
  const buffer = decodeBase64Payload(data);
  if (!buffer) {
    throw new Error('Invalid file data');
  }
  if (buffer.length > MAX_UPLOAD_SIZE) {
    throw new Error('Fichier trop volumineux (limite 25 Mo).');
  }
  const ext = path.extname(filename || '').toLowerCase();
  if (!rules.extensions.includes(ext)) {
    throw new Error('Invalid file extension');
  }
  const safeName = sanitizeFileName(path.basename(filename, ext));
  await fs.promises.mkdir(rules.directory, { recursive: true });
  const targetPath = await ensureUniqueFilePath(rules.directory, safeName, ext);
  await withFileLock(targetPath, async () => {
    await fs.promises.writeFile(targetPath, buffer);
  });
  const relative = path.relative(ROOT, targetPath).split(path.sep).join('/');
  return relative;
};

const readLocationsFile = async () => {
  try {
    const raw = await fs.promises.readFile(LOCATIONS_FILE, 'utf-8');
    const parsed = JSON.parse(raw);
    if (!parsed || typeof parsed !== 'object') {
      return {};
    }
    return parsed;
  } catch (error) {
    return {};
  }
};

const formatAssetLabel = (continent, index, name) => {
  const safeContinent = normalizeString(continent) || continent || 'Continent inconnu';
  const position = Number.isInteger(index) ? `${safeContinent}[${index + 1}]` : safeContinent;
  return name ? `${position} - ${name}` : position;
};

const validateLocationsDataset = async dataset => {
  const { validateDataset } = await loadLocationValidationModule();
  const typeMap = await loadTypeMap();
  const { normalized, issues } = validateDataset(dataset, { typeMap, sanitizeKeys: false });

  const errors = [];
  const warnings = [];
  issues.forEach(issue => {
    if (issue.level === 'error') {
      errors.push(issue.message);
    } else if (issue.level === 'warning') {
      warnings.push(issue.message);
    }
  });

  const assetChecks = [];
  Object.entries(normalized).forEach(([continent, locations]) => {
    if (!Array.isArray(locations)) {
      return;
    }
    locations.forEach((location, index) => {
      const label = formatAssetLabel(continent, index, location?.name);
      const audio = normalizeString(location?.audio);
      if (audio && audio.startsWith('assets/')) {
        const ext = path.extname(audio).toLowerCase();
        if (!AUDIO_EXTENSIONS.has(ext)) {
          errors.push(`Extension audio non supportee (${audio}) pour ${label}.`);
        } else {
          const resolved = resolveAssetPath(audio);
          if (!resolved) {
            errors.push(`Chemin audio hors assets (${audio}) pour ${label}.`);
          } else {
            assetChecks.push({ path: resolved, original: audio, context: label });
          }
        }
      }

      const images = Array.isArray(location?.images) ? location.images : [];
      images.forEach((entry, imageIndex) => {
        const value = normalizeString(entry);
        if (!value) {
          return;
        }
        if (value.startsWith('assets/')) {
          const ext = path.extname(value).toLowerCase();
          if (!IMAGE_EXTENSIONS.has(ext)) {
            errors.push(`Extension d'image non supportee (${value}) pour ${label}.`);
          } else {
            const resolved = resolveAssetPath(value);
            if (!resolved) {
              errors.push(`Chemin image hors assets (${value}) pour ${label}.`);
            } else {
              assetChecks.push({ path: resolved, original: value, context: label });
            }
          }
        } else if (!isHttpUrl(value)) {
          errors.push(`Image invalide (${value}) pour ${label} [index ${imageIndex + 1}].`);
        }
      });
    });
  });

  const seenAssetPaths = new Set();
  for (const asset of assetChecks) {
    if (seenAssetPaths.has(asset.path)) {
      continue;
    }
    seenAssetPaths.add(asset.path);
    try {
      await fs.promises.access(asset.path);
    } catch (error) {
      errors.push(`Fichier manquant ${asset.original} reference dans ${asset.context}.`);
    }
  }

  return {
    valid: errors.length === 0,
    errors,
    warnings,
    normalized
  };
};

const flattenLocations = dataset => {
  const map = new Map();
  Object.entries(dataset || {}).forEach(([continent, list]) => {
    if (!Array.isArray(list)) {
      return;
    }
    list.forEach(location => {
      if (!location || typeof location !== 'object') {
        return;
      }
      const name = normalizeString(location.name);
      if (!name) {
        return;
      }
      const key = `${normalizeString(continent).toLowerCase()}::${name.toLowerCase()}`;
      map.set(key, {
        continent: continent,
        name: location.name,
        location
      });
    });
  });
  return map;
};

const cloneDataset = dataset => JSON.parse(JSON.stringify(dataset || {}));

const readUsersFile = async () => {
  try {
    const raw = await fs.promises.readFile(USERS_FILE, 'utf-8');
    const parsed = JSON.parse(raw);
    if (Array.isArray(parsed)) {
      return parsed;
    }
    if (parsed && Array.isArray(parsed.users)) {
      return parsed.users;
    }
  } catch (error) {
    // ignore, fallback to empty list
  }
  return [];
};

const writeUsersFile = async users => withFileLock(USERS_FILE, async () => {
  const directory = path.dirname(USERS_FILE);
  await fs.promises.mkdir(directory, { recursive: true });
  const json = JSON.stringify(users, null, 2) + '\n';
  await fs.promises.writeFile(USERS_FILE, json, 'utf-8');
});

const readGroupsFile = async () => {
  try {
    const raw = await fs.promises.readFile(GROUPS_FILE, 'utf-8');
    const parsed = JSON.parse(raw);
    if (Array.isArray(parsed)) {
      return parsed;
    }
    if (parsed && Array.isArray(parsed.groups)) {
      return parsed.groups;
    }
  } catch (error) {
    // ignore, fallback to empty list
  }
  return [];
};

const writeGroupsFile = async groups => withFileLock(GROUPS_FILE, async () => {
  const directory = path.dirname(GROUPS_FILE);
  await fs.promises.mkdir(directory, { recursive: true });
  const json = JSON.stringify(groups, null, 2) + '\n';
  await fs.promises.writeFile(GROUPS_FILE, json, 'utf-8');
});

const normalizeGroupColor = value => {
  if (!value || typeof value !== 'string') {
    return null;
  }
  const trimmed = value.trim();
  if (!trimmed) {
    return null;
  }
  const normalized = trimmed.startsWith('#') ? trimmed : `#${trimmed}`;
  return /^#[0-9a-fA-F]{6}$/.test(normalized) ? normalized.toLowerCase() : null;
};

const slugifyGroupId = name => {
  if (!name) {
    return '';
  }
  return name
    .toString()
    .trim()
    .normalize('NFD')
    .replace(/[\u0300-\u036f]/g, '')
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, '-')
    .replace(/^-+|-+$/g, '');
};

const ensureUniqueGroupId = (existing, base) => {
  if (!base) {
    return '';
  }
  const used = new Set(existing.map(group => group?.id).filter(Boolean));
  if (!used.has(base)) {
    return base;
  }
  let index = 2;
  let candidate = `${base}-${index}`;
  while (used.has(candidate)) {
    index += 1;
    candidate = `${base}-${index}`;
  }
  return candidate;
};

const sanitizeGroupRecord = group => ({
  id: group?.id || '',
  name: group?.name || '',
  color: normalizeGroupColor(group?.color),
  x: Number.isFinite(group?.x) ? group.x : null,
  y: Number.isFinite(group?.y) ? group.y : null
});

const sanitizeCharacterRecord = (character, { allowEmptyId = true } = {}) => {
  if (!character || typeof character !== 'object') {
    return null;
  }
  const id = normalizeString(character.id);
  const name = normalizeString(character.name);
  const bio = normalizeString(character.bio);
  const avatar = normalizeString(character.avatar);
  const groupId = normalizeString(character.groupId || character.group);
  const active = Boolean(character.active);
  const record = {
    id: id || (allowEmptyId ? null : ''),
    name: name || null,
    bio: bio || null,
    avatar: avatar || null,
    groupId: groupId || null,
    active
  };
  const hasValue = record.name || record.bio || record.avatar || record.groupId || record.active;
  return hasValue ? record : null;
};

const sanitizeCharacterList = (characters, { assignIds = false, allowedGroups = null } = {}) => {
  if (!Array.isArray(characters)) {
    return [];
  }
  const list = [];
  const seen = new Set();
  let hasActiveCharacter = false;
  characters.forEach(entry => {
    const record = sanitizeCharacterRecord(entry);
    if (!record) {
      return;
    }
    let id = normalizeString(record.id);
    if (!id && assignIds) {
      id = `char_${crypto.randomUUID()}`;
    }
    if (!id && !assignIds) {
      id = `legacy_${list.length + 1}`;
    }
    if (!id) {
      return;
    }
    if (seen.has(id)) {
      if (!assignIds) {
        return;
      }
      id = `char_${crypto.randomUUID()}`;
    }
    seen.add(id);
    let groupId = record.groupId || null;
    if (allowedGroups && groupId && !allowedGroups.has(groupId)) {
      groupId = null;
    }
    const isActive = Boolean(record.active) && !hasActiveCharacter;
    if (isActive) {
      hasActiveCharacter = true;
    }
    list.push({
      id,
      name: record.name || null,
      bio: record.bio || null,
      avatar: record.avatar || null,
      groupId,
      active: isActive
    });
  });
  return list;
};

const sanitizeProfileUrl = value => {
  const normalized = normalizeString(value);
  if (!normalized) {
    return null;
  }
  if (normalized.startsWith('/')) {
    return normalized;
  }
  return isHttpUrl(normalized) ? normalized : null;
};

const sanitizeAccentColor = value => {
  const normalized = normalizeString(value).toLowerCase();
  return /^#[0-9a-f]{6}$/.test(normalized) ? normalized : null;
};

const PROFILE_SOCIAL_KEYS = ['website', 'discord', 'twitch', 'youtube', 'x'];

const sanitizeProfileRecord = value => {
  if (!value || typeof value !== 'object') {
    return null;
  }
  const banner = sanitizeProfileUrl(value.banner || value.bannerUrl);
  const accentColor = sanitizeAccentColor(value.accentColor || value.accent || value.color);
  const bioRaw = normalizeString(value.bio);
  const bio = bioRaw ? bioRaw.slice(0, 6000) : null;
  const socialsSource = value.socials && typeof value.socials === 'object'
    ? value.socials
    : value;
  const socials = {};
  PROFILE_SOCIAL_KEYS.forEach(key => {
    const normalized = sanitizeProfileUrl(socialsSource[key]);
    if (normalized) {
      socials[key] = normalized;
    }
  });
  const hasSocials = Object.keys(socials).length > 0;
  if (!banner && !accentColor && !bio && !hasSocials) {
    return null;
  }
  return {
    banner: banner || null,
    accentColor: accentColor || null,
    bio: bio || null,
    socials
  };
};

const normalizeAvailabilityMatrix = slots => {
  if (!Array.isArray(slots)) {
    return null;
  }
  const matrix = [];
  for (let dayIndex = 0; dayIndex < AVAILABILITY_DAYS.length; dayIndex += 1) {
    const daySlots = Array.isArray(slots[dayIndex]) ? slots[dayIndex] : [];
    const row = [];
    for (let slotIndex = 0; slotIndex < AVAILABILITY_SLOTS.length; slotIndex += 1) {
      row.push(Boolean(daySlots[slotIndex]));
    }
    matrix.push(row);
  }
  return matrix;
};

const sanitizeAvailabilityRecord = value => {
  if (!value || typeof value !== 'object') {
    return null;
  }
  const timezone = normalizeString(value.timezone || value.tz) || null;
  const sourceSlots = Array.isArray(value.slots)
    ? value.slots
    : (Array.isArray(value.days) ? value.days : null);
  const slots = normalizeAvailabilityMatrix(sourceSlots);
  if (!slots) {
    return null;
  }
  return { timezone, slots };
};

const availabilityHasSlots = availability => {
  if (!availability || !Array.isArray(availability.slots)) {
    return false;
  }
  return availability.slots.some(day => Array.isArray(day) && day.some(Boolean));
};

const resolveUserCharacters = user => {
  if (Array.isArray(user?.characters) && user.characters.length) {
    return user.characters;
  }
  const legacy = sanitizeCharacterRecord(user?.character);
  return legacy ? [legacy] : [];
};

const sanitizeRole = value => (value && value.toLowerCase() === 'admin') ? 'admin' : 'user';

const sanitizeIsoDateString = value => {
  if (typeof value !== 'string') {
    return null;
  }
  const trimmed = value.trim();
  if (!trimmed) {
    return null;
  }
  const timestamp = Date.parse(trimmed);
  if (!Number.isFinite(timestamp)) {
    return null;
  }
  return new Date(timestamp).toISOString();
};

const sanitizeUserRecord = user => {
  const characters = sanitizeCharacterList(resolveUserCharacters(user));
  return ({
  id: user?.id || '',
  provider: user?.provider || 'manual',
  discordId: user?.provider === 'discord' ? user.discordId || null : null,
  username: user?.username || '',
  role: sanitizeRole(user?.role || 'user'),
  avatar: typeof user?.avatar === 'string' && user.avatar.trim() ? user.avatar.trim() : null,
  groups: Array.isArray(user?.groups) ? user.groups.filter(Boolean) : [],
  character: characters[0] || null,
  characters,
  profile: sanitizeProfileRecord(user?.profile),
  availability: sanitizeAvailabilityRecord(user?.availability),
  account: {
    lastLoginAt: sanitizeIsoDateString(user?.lastLoginAt),
    lastSeenAt: sanitizeIsoDateString(user?.lastSeenAt)
  },
  apiTokens: Array.isArray(user?.apiTokens) && user?.provider !== 'discord' ? [...user.apiTokens] : undefined
  });
};

const findUserById = async id => {
  const users = await readUsersFile();
  return users.find(user => user.id === id) || null;
};

const findUserByDiscordId = async discordId => {
  const users = await readUsersFile();
  return users.find(user => user.provider === 'discord' && user.discordId === discordId) || null;
};

const resolveTokenUser = async token => {
  if (!token) {
    return null;
  }
  const users = await readUsersFile();
  for (const user of users) {
    if (Array.isArray(user.apiTokens) && user.apiTokens.includes(token)) {
      return { user, role: sanitizeRole(user.role) };
    }
  }
  if (ADMIN_API_TOKEN && token === ADMIN_API_TOKEN) {
    return { user: null, role: 'admin' };
  }
  if (USER_API_TOKENS.includes(token)) {
    return { user: null, role: 'user' };
  }
  return null;
};

const normalizeCharacterPayload = (payload, allowedGroups = null, assignIds = true) => {
  if (Array.isArray(payload)) {
    return sanitizeCharacterList(payload, { assignIds, allowedGroups });
  }
  if (payload && typeof payload === 'object') {
    return sanitizeCharacterList([payload], { assignIds, allowedGroups });
  }
  return [];
};

const updateSessionsForUser = (userId, updates = {}) => {
  let changed = false;
  sessionStore.forEach((record, key) => {
    if (record.userId === userId) {
      sessionStore.set(key, { ...record, ...updates });
      changed = true;
    }
  });
  if (changed) {
    scheduleSessionPersist();
  }
};

const destroySessionsForUser = userId => {
  let changed = false;
  sessionStore.forEach((record, key) => {
    if (record.userId === userId) {
      sessionStore.delete(key);
      changed = true;
    }
  });
  if (changed) {
    scheduleSessionPersist();
  }
};

const createManualUser = async ({ username = '', role = 'user', token = null }) => {
  const users = await readUsersFile();
  const id = `manual:${crypto.randomUUID()}`;
  const apiToken = token && token.trim() ? token.trim() : crypto.randomBytes(24).toString('hex');
  const user = {
    id,
    provider: 'manual',
    username: username || '',
    role: sanitizeRole(role),
    characters: [],
    character: null,
    profile: null,
    availability: null,
    lastLoginAt: null,
    lastSeenAt: null,
    groups: [],
    apiTokens: [apiToken]
  };
  users.push(user);
  await writeUsersFile(users);
  return { user, token: apiToken };
};

const upsertDiscordUser = async ({ discordId, username = '', roleHint = null, avatar = null, markLogin = false }) => {
  const users = await readUsersFile();
  let user = users.find(entry => entry.provider === 'discord' && entry.discordId === discordId);
  const avatarValue = typeof avatar === 'string' && avatar.trim() ? avatar.trim() : null;
  const loginTimestamp = markLogin ? new Date().toISOString() : null;
  if (!user) {
    const shouldBeAdmin = roleHint
      ? sanitizeRole(roleHint) === 'admin'
      : DISCORD_ADMIN_IDS.includes(discordId) || users.length === 0;
    user = {
      id: `discord:${discordId}`,
      provider: 'discord',
      discordId,
      username: username || '',
      avatar: avatarValue,
      role: shouldBeAdmin ? 'admin' : 'user',
      characters: [],
      character: null,
      profile: null,
      availability: null,
      lastLoginAt: loginTimestamp,
      lastSeenAt: loginTimestamp,
      groups: [],
      apiTokens: []
    };
    users.push(user);
  } else {
    if (username && user.username !== username) {
      user.username = username;
    }
    if (avatarValue && user.avatar !== avatarValue) {
      user.avatar = avatarValue;
    }
    if (roleHint) {
      const sanitized = sanitizeRole(roleHint);
      if (sanitized !== user.role) {
        user.role = sanitized;
      }
    }
    if (markLogin) {
      user.lastLoginAt = loginTimestamp;
      user.lastSeenAt = loginTimestamp;
    }
  }
  await writeUsersFile(users);
  updateSessionsForUser(user.id, {
    role: user.role,
    username: user.username,
    avatar: user.avatar || null,
    characters: Array.isArray(user.characters) ? user.characters : [],
    profile: sanitizeProfileRecord(user?.profile),
    availability: sanitizeAvailabilityRecord(user?.availability),
    account: {
      lastLoginAt: sanitizeIsoDateString(user?.lastLoginAt),
      lastSeenAt: sanitizeIsoDateString(user?.lastSeenAt)
    }
  });
  return user;
};

const updateUser = async (id, { role, username, addToken, removeToken, groups, character, characters, availability }) => {
  const users = await readUsersFile();
  const user = users.find(entry => entry.id === id);
  if (!user) {
    return null;
  }
  let updated = false;
  if (role) {
    const sanitized = sanitizeRole(role);
    if (sanitized !== user.role) {
      user.role = sanitized;
      updated = true;
    }
  }
  if (typeof username === 'string' && username !== user.username) {
    user.username = username;
    updated = true;
  }
  if (addToken) {
    if (!Array.isArray(user.apiTokens)) {
      user.apiTokens = [];
    }
    if (!user.apiTokens.includes(addToken)) {
      user.apiTokens.push(addToken);
      updated = true;
    }
  }
  if (removeToken && Array.isArray(user.apiTokens)) {
    const index = user.apiTokens.indexOf(removeToken);
    if (index !== -1) {
      user.apiTokens.splice(index, 1);
      updated = true;
    }
  }
  if (Array.isArray(groups)) {
    const cleaned = groups.filter(Boolean);
    const current = Array.isArray(user.groups) ? user.groups : [];
    const currentKey = JSON.stringify(current);
    const nextKey = JSON.stringify(cleaned);
    if (currentKey !== nextKey) {
      user.groups = cleaned;
      updated = true;
    }
  }
  if (Array.isArray(characters) || character !== undefined) {
    const groups = await readGroupsFile();
    const allowed = new Set(groups.map(group => group?.id).filter(Boolean));
    const normalized = Array.isArray(characters)
      ? normalizeCharacterPayload(characters, allowed, true)
      : normalizeCharacterPayload(character, allowed, true);
    const currentKey = JSON.stringify(Array.isArray(user.characters) ? user.characters : []);
    const nextKey = JSON.stringify(normalized);
    if (currentKey !== nextKey) {
      user.characters = normalized;
      user.character = null;
      updated = true;
    }
  }
  if (availability !== undefined) {
    const normalized = availability === null ? null : sanitizeAvailabilityRecord(availability);
    if (availability === null || normalized) {
      const currentKey = JSON.stringify(sanitizeAvailabilityRecord(user.availability) || null);
      const nextKey = JSON.stringify(normalized || null);
      if (currentKey !== nextKey) {
        user.availability = normalized;
        updated = true;
      }
    }
  }
  if (updated) {
    await writeUsersFile(users);
    updateSessionsForUser(user.id, {
      role: user.role,
      username: user.username,
      groups: user.groups || [],
      characters: Array.isArray(user.characters) ? user.characters : [],
      profile: sanitizeProfileRecord(user?.profile),
      availability: sanitizeAvailabilityRecord(user?.availability)
    });
  }
  return user;
};

const updateUserCharacters = async (id, characterPayload) => {
  const users = await readUsersFile();
  const user = users.find(entry => entry.id === id);
  if (!user) {
    return null;
  }
  const groups = await readGroupsFile();
  const allowed = new Set(groups.map(group => group?.id).filter(Boolean));
  const normalized = normalizeCharacterPayload(characterPayload, allowed, true);
  const currentKey = JSON.stringify(Array.isArray(user.characters) ? user.characters : []);
  const nextKey = JSON.stringify(normalized);
  if (currentKey !== nextKey) {
    user.characters = normalized;
    user.character = null;
    await writeUsersFile(users);
    updateSessionsForUser(user.id, {
      characters: Array.isArray(user.characters) ? user.characters : [],
      groups: user.groups || []
    });
  }
  return user;
};

const updateUserProfile = async (
  id,
  {
    characterPayload,
    availabilityPayload,
    profilePayload,
    updateCharacters,
    updateAvailability,
    updateProfile
  } = {}
) => {
  const users = await readUsersFile();
  const user = users.find(entry => entry.id === id);
  if (!user) {
    return { user: null };
  }
  const groups = await readGroupsFile();
  const allowed = new Set(groups.map(group => group?.id).filter(Boolean));
  const currentCharacters = sanitizeCharacterList(resolveUserCharacters(user), { assignIds: true, allowedGroups: allowed });
  let characters = currentCharacters;
  let updated = false;
  if (updateCharacters) {
    const normalized = normalizeCharacterPayload(characterPayload, allowed, true);
    const currentKey = JSON.stringify(Array.isArray(user.characters) ? user.characters : []);
    const nextKey = JSON.stringify(normalized);
    if (currentKey !== nextKey) {
      user.characters = normalized;
      user.character = null;
      updated = true;
    }
    characters = normalized;
  } else {
    const currentKey = JSON.stringify(Array.isArray(user.characters) ? user.characters : []);
    const nextKey = JSON.stringify(characters);
    if (currentKey !== nextKey || user.character) {
      user.characters = characters;
      user.character = null;
      updated = true;
    }
  }

  let availability = sanitizeAvailabilityRecord(user.availability) || null;
  if (updateAvailability) {
    if (availabilityPayload === null) {
      if (availability !== null) {
        availability = null;
        user.availability = null;
        updated = true;
      }
    } else {
      const normalized = sanitizeAvailabilityRecord(availabilityPayload);
      if (!normalized) {
        return { user: null, error: 'Invalid availability payload.' };
      }
      const currentKey = JSON.stringify(availability || null);
      const nextKey = JSON.stringify(normalized || null);
      if (currentKey !== nextKey) {
        availability = normalized;
        user.availability = normalized;
        updated = true;
      }
    }
  }

  let profile = sanitizeProfileRecord(user.profile) || null;
  if (updateProfile) {
    if (profilePayload === null) {
      if (profile !== null) {
        profile = null;
        user.profile = null;
        updated = true;
      }
    } else {
      const normalized = sanitizeProfileRecord(profilePayload);
      const currentKey = JSON.stringify(profile || null);
      const nextKey = JSON.stringify(normalized || null);
      if (currentKey !== nextKey) {
        profile = normalized;
        user.profile = normalized;
        updated = true;
      }
    }
  }

  if (updated) {
    await writeUsersFile(users);
    updateSessionsForUser(user.id, {
      characters: Array.isArray(user.characters) ? user.characters : [],
      groups: user.groups || [],
      profile: sanitizeProfileRecord(user?.profile),
      availability: sanitizeAvailabilityRecord(user?.availability)
    });
  }
  return { user, characters, availability, profile };
};

const deleteUser = async id => {
  const users = await readUsersFile();
  const index = users.findIndex(entry => entry.id === id);
  if (index === -1) {
    return null;
  }
  const [removed] = users.splice(index, 1);
  await writeUsersFile(users);
  destroySessionsForUser(id);
  return removed;
};

const createGroup = async ({ name, color = null, x, y }) => {
  const groups = await readGroupsFile();
  const baseId = slugifyGroupId(name);
  const id = ensureUniqueGroupId(groups, baseId);
  const nextX = x === null ? null : Number(x);
  const nextY = y === null ? null : Number(y);
  const hasCoords = Number.isFinite(nextX) && Number.isFinite(nextY);
  const group = {
    id,
    name,
    color: normalizeGroupColor(color),
    x: hasCoords ? nextX : null,
    y: hasCoords ? nextY : null
  };
  groups.push(group);
  await writeGroupsFile(groups);
  return group;
};

const updateGroup = async (id, { name, color, x, y }) => {
  const groups = await readGroupsFile();
  const group = groups.find(entry => entry.id === id);
  if (!group) {
    return null;
  }
  let updated = false;
  if (typeof name === 'string' && name.trim() && name.trim() !== group.name) {
    group.name = name.trim();
    updated = true;
  }
  if (color !== undefined) {
    const normalized = normalizeGroupColor(color);
    if (normalized !== group.color) {
      group.color = normalized;
      updated = true;
    }
  }
  if (x !== undefined || y !== undefined) {
    const nextX = x === null ? null : Number(x);
    const nextY = y === null ? null : Number(y);
    if (nextX === null || nextY === null) {
      if (group.x !== null || group.y !== null) {
        group.x = null;
        group.y = null;
        updated = true;
      }
    } else if (Number.isFinite(nextX) && Number.isFinite(nextY)) {
      if (group.x !== nextX || group.y !== nextY) {
        group.x = nextX;
        group.y = nextY;
        updated = true;
      }
    }
  }
  if (updated) {
    await writeGroupsFile(groups);
  }
  return group;
};

const removeGroupFromUsers = async groupId => {
  const users = await readUsersFile();
  let changed = false;
  users.forEach(user => {
    if (!Array.isArray(user.groups)) {
      return;
    }
    const next = user.groups.filter(entry => entry !== groupId);
    if (next.length !== user.groups.length) {
      user.groups = next;
      updateSessionsForUser(user.id, { groups: next });
      changed = true;
    }
  });
  if (changed) {
    await writeUsersFile(users);
  }
};

const deleteGroup = async id => {
  const groups = await readGroupsFile();
  const index = groups.findIndex(entry => entry.id === id);
  if (index === -1) {
    return null;
  }
  const [removed] = groups.splice(index, 1);
  await writeGroupsFile(groups);
  await removeGroupFromUsers(id);
  return removed;
};

const computeLocationsDiff = (previous, next) => {
  const before = flattenLocations(previous);
  const after = flattenLocations(next);
  const created = [];
  const updated = [];
  const deleted = [];

  after.forEach((entry, key) => {
    if (!before.has(key)) {
      created.push({ continent: entry.continent, name: entry.name });
      return;
    }
    const previousEntry = before.get(key);
    const beforeSnapshot = JSON.stringify(previousEntry.location);
    const afterSnapshot = JSON.stringify(entry.location);
    if (beforeSnapshot !== afterSnapshot) {
      updated.push({ continent: entry.continent, name: entry.name });
    }
  });

  before.forEach((entry, key) => {
    if (!after.has(key)) {
      deleted.push({ continent: entry.continent, name: entry.name });
    }
  });

  return { created, updated, deleted };
};

const appendAuditLog = async ({ dataset, diff }) => {
  const totalContinents = Object.keys(dataset || {}).length;
  const totalLocations = Object.values(dataset || {}).reduce(
    (acc, list) => acc + (Array.isArray(list) ? list.length : 0),
    0
  );
  const summarize = entries => ({
    count: entries.length,
    items: entries.slice(0, 10)
  });
  const entry = {
    timestamp: new Date().toISOString(),
    totals: {
      continents: totalContinents,
      locations: totalLocations
    },
    changes: {
      created: summarize(diff.created),
      updated: summarize(diff.updated),
      deleted: summarize(diff.deleted)
    }
  };
  try {
    await withFileLock(AUDIT_FILE, async () => {
      await fs.promises.mkdir(AUDIT_DIR, { recursive: true });
      await fs.promises.appendFile(AUDIT_FILE, JSON.stringify(entry) + '\n', 'utf-8');
    });
  } catch (error) {
    logger.error('[audit] unable to append log', { error: error.message });
  }
};

const sendRemoteSync = async ({ dataset, diff }) => {
  if (!canSyncRemote) {
    return { status: 'skipped' };
  }
  try {
    const target = new URL(REMOTE_SYNC_URL);
    const transport = target.protocol === 'https:' ? https : http;
    const body = JSON.stringify({
      timestamp: new Date().toISOString(),
      locations: dataset,
      diff
    });
    const headers = {
      'Content-Type': 'application/json',
      'Content-Length': Buffer.byteLength(body)
    };
    if (REMOTE_SYNC_TOKEN) {
      headers.Authorization = `Bearer ${REMOTE_SYNC_TOKEN}`;
    }
    const options = {
      method: REMOTE_SYNC_METHOD,
      hostname: target.hostname,
      port: target.port || (target.protocol === 'https:' ? 443 : 80),
      path: `${target.pathname}${target.search}`,
      headers,
      timeout: REMOTE_SYNC_TIMEOUT
    };

    return await new Promise(resolve => {
      const request = transport.request(options, response => {
        let responseBody = '';
        response.on('data', chunk => {
          responseBody += chunk;
        });
        response.on('end', () => {
          if (response.statusCode >= 200 && response.statusCode < 300) {
            resolve({ status: 'ok', statusCode: response.statusCode });
          } else {
            resolve({
              status: 'error',
              statusCode: response.statusCode,
              body: responseBody
            });
          }
        });
      });
      request.on('timeout', () => {
        request.destroy(new Error('timeout'));
      });
      request.on('error', error => {
        resolve({ status: 'error', error: error.message });
      });
      request.write(body);
      request.end();
    });
  } catch (error) {
    return { status: 'error', error: error.message };
  }
};

const collectBody = req => new Promise((resolve, reject) => {
  let body = '';
  req.on('data', chunk => {
    body += chunk;
    if (body.length > MAX_BODY_SIZE) {
      reject(new Error('Payload too large'));
      req.destroy();
    }
  });
  req.on('end', () => resolve(body));
  req.on('error', reject);
});

const persistLocations = async payload => withFileLock(LOCATIONS_FILE, async () => {
  const directory = path.dirname(LOCATIONS_FILE);
  await fs.promises.mkdir(directory, { recursive: true });
  const json = JSON.stringify(payload, null, 2) + '\n';
  await fs.promises.writeFile(LOCATIONS_FILE, json, 'utf-8');
});

const context = {
  logger,
  json,
  send,
  ensureAuthorized,
  normalizeString,
  parseListParam,
  loadSearchFiltersModule,
  loadLocationValidationModule,
  readLocationsFile,
  loadTypeMap,
  validateLocationsDataset,
  persistLocations,
  computeLocationsDiff,
  appendAuditLog,
  sendRemoteSync,
  broadcastSse,
  collectBody,
  readAnnotationsFile,
  writeAnnotationsFile,
  readTimelineFile,
  writeTimelineFile,
  authRequired,
  discordOauth: {
    enabled: DISCORD_OAUTH_ENABLED,
    clientId: DISCORD_CLIENT_ID,
    clientSecret: DISCORD_CLIENT_SECRET,
    redirectUri: DISCORD_REDIRECT_URI
  },
  discordEndpoints: {
    origin: DISCORD_API_ORIGIN,
    authorizeUrl: DISCORD_AUTHORIZE_URL,
    tokenUrl: DISCORD_TOKEN_URL,
    userUrl: DISCORD_USER_URL
  },
  oauthStateStore,
  oauthStateTtlMs: OAUTH_STATE_TTL_MS,
  createSession,
  getSession,
  sendSessionCookie,
  clearSessionCookie,
  destroySession,
  findUserById,
  sanitizeRole,
  sanitizeUserRecord,
  upsertDiscordUser,
  fetchJson,
  readGroupsFile
};

const router = createRouter(context);

const server = http.createServer(async (req, res) => {
  try {
    const urlObj = new URL(req.url, `http://${req.headers.host}`);
    if (req.method === 'GET' && urlObj.pathname === '/api/events/stream') {
      registerSseClient(req, res);
      return;
    }
    const handled = await router(req, res, urlObj);
    if (handled) {
      return;
    }

    if (req.method === 'POST' && urlObj.pathname === '/api/upload') {
      if (!(await ensureAuthorized(req, res, 'admin'))) {
        return;
      }
      let body;
      try {
        body = await collectBody(req);
      } catch (error) {
        const statusCode = error.message === 'Payload too large' ? 413 : 400;
        logger.warn('[upload] body rejected', { error: error.message });
        send(res, statusCode, JSON.stringify({ status: 'error', message: 'Fichier trop volumineux pour etre traite.' }), {
          'Content-Type': 'application/json'
        });
        return;
      }
      let payload;
      try {
        payload = JSON.parse(body || '{}');
      } catch (error) {
        send(res, 400, 'Invalid JSON');
        return;
      }
      try {
        const relativePath = await persistUploadedFile({
          type: payload?.type,
          filename: payload?.filename,
          data: payload?.data
        });
        send(res, 200, JSON.stringify({ status: 'ok', path: relativePath }), { 'Content-Type': 'application/json' });
      } catch (error) {
        logger.error('[upload] error', { error: error.message, type: payload?.type, filename: payload?.filename });
        send(res, 400, JSON.stringify({ status: 'error', message: error.message }), { 'Content-Type': 'application/json' });
      }
      return;
    }

    if (req.method === 'GET' && urlObj.pathname === '/api/admin/assets.zip') {
      if (!(await ensureAuthorized(req, res, 'admin'))) {
        return;
      }
      const filename = 'assets.zip';
      let tempDir = null;
      let archivePath = null;
      let methodUsed = null;
      const cleanup = async () => {
        if (tempDir) {
          try {
            await fs.promises.rm(tempDir, { recursive: true, force: true });
          } catch (error) {
            logger.warn('[assets-zip] cleanup failed', { error: error.message });
          }
        }
      };
      const createWithZipCmd = async targetPath => {
        const zipCommand = process.env.ZIP_COMMAND || 'zip';
        const args = ['-r', targetPath, '.', '-x', 'logs/*'];
        await new Promise((resolve, reject) => {
          execFile(zipCommand, args, { cwd: ASSETS_PATH }, (error, stdout, stderr) => {
            if (error) {
              const enriched = new Error(stderr?.toString().trim() || error.message || 'zip failed');
              enriched.code = error.code || error.errno;
              return reject(enriched);
            }
            return resolve();
          });
        });
      };
      const createWithPowershell = async targetPath => {
        const command = [
          'Compress-Archive',
          '-Path', '*',
          '-DestinationPath', `"${targetPath}"`,
          '-Force',
          '-CompressionLevel', 'Optimal',
          '-Exclude', 'logs/*', 'icons/README.md'
        ].join(' ');
        await new Promise((resolve, reject) => {
          execFile('powershell', ['-Command', command], { cwd: ASSETS_PATH }, (error, stdout, stderr) => {
            if (error) {
              const enriched = new Error(stderr?.toString().trim() || error.message || 'Compress-Archive failed');
              enriched.code = error.code || error.errno;
              return reject(enriched);
            }
            return resolve();
          });
        });
      };
      const createWithTar = async targetPath => {
        const args = ['-czf', targetPath, '--exclude=logs', '--exclude=icons/README.md', '.'];
        await new Promise((resolve, reject) => {
          execFile('tar', args, { cwd: ASSETS_PATH }, (error, stdout, stderr) => {
            if (error) {
              const enriched = new Error(stderr?.toString().trim() || error.message || 'tar failed');
              enriched.code = error.code || error.errno;
              return reject(enriched);
            }
            return resolve();
          });
        });
      };
      try {
        tempDir = await fs.promises.mkdtemp(path.join(os.tmpdir(), 'assets-zip-'));
        archivePath = path.join(tempDir, filename);
        try {
          await createWithZipCmd(archivePath);
          methodUsed = 'zip';
        } catch (zipError) {
          const missingZip = zipError?.code === 'ENOENT';
          if (missingZip && process.platform === 'win32') {
            await createWithPowershell(archivePath);
            methodUsed = 'powershell';
          } else if (missingZip) {
            filename = 'assets.tar.gz';
            archivePath = path.join(tempDir, filename);
            await createWithTar(archivePath);
            methodUsed = 'tar';
          } else {
            throw zipError;
          }
        }
        res.writeHead(200, {
          ...SECURITY_HEADERS,
          'Content-Type': methodUsed === 'tar' ? 'application/gzip' : 'application/zip',
          'Content-Disposition': `attachment; filename="${filename}"`,
          'X-Archive-Method': methodUsed || 'unknown'
        });
        const stream = fs.createReadStream(archivePath);
        stream.on('error', async error => {
          logger.error('[assets-zip] stream error', { error: error.message });
          if (!res.headersSent) {
            send(res, 500, JSON.stringify({ status: 'error', message: 'Erreur lors du telechargement.' }), { 'Content-Type': 'application/json' });
          } else {
            res.destroy(error);
          }
          await cleanup();
        });
        stream.on('close', cleanup);
        stream.pipe(res);
      } catch (error) {
        const isMissingZip = error?.code === 'ENOENT';
        const message = isMissingZip
          ? 'Outil d’archivage introuvable (zip/tar). Installez zip ou tar, ou configurez ZIP_COMMAND.'
          : (error?.message || 'Echec de la generation de l’archive.');
        logger.error('[assets-zip] generation failed', { error: message });
        send(res, isMissingZip ? 501 : 500, JSON.stringify({ status: 'error', message }), { 'Content-Type': 'application/json' });
        await cleanup();
      }
      return;
    }


    if (urlObj.pathname === '/api/changelog') {
      if (req.method !== 'GET') {
        send(res, 405, JSON.stringify({ status: 'error', message: 'Method Not Allowed' }), { 'Content-Type': 'application/json', 'Allow': 'GET' });
        return;
      }
      try {
        const limit = Math.max(1, Math.min(12, Number(urlObj.searchParams.get('limit')) || 6));
        const entries = await readGitChangelogEntries(limit);
        send(res, 200, JSON.stringify({
          status: 'ok',
          source: 'git',
          entries
        }), { 'Content-Type': 'application/json' });
      } catch (error) {
        logger.warn('[changelog] git history unavailable', { error: error.message });
        try {
          const config = await readSiteConfigFile();
          send(res, 200, JSON.stringify({
            status: 'ok',
            source: 'config',
            entries: Array.isArray(config?.changelog) ? config.changelog : []
          }), { 'Content-Type': 'application/json' });
        } catch (configError) {
          send(res, 500, JSON.stringify({ status: 'error', message: 'Changelog unavailable.' }), { 'Content-Type': 'application/json' });
        }
      }
      return;
    }

    if (urlObj.pathname === '/api/community/discord') {
      if (req.method !== 'GET') {
        send(res, 405, JSON.stringify({ status: 'error', message: 'Method Not Allowed' }), { 'Content-Type': 'application/json', 'Allow': 'GET' });
        return;
      }
      try {
        const config = await readSiteConfigFile();
        const proof = config?.community?.proof || {};
        const manualCount = Math.max(0, Number(proof.manualCount) || 0);
        const label = normalizeString(proof.label) || 'membres sur Discord';
        const note = normalizeString(proof.note) || 'Sessions, annonces et coordination des groupes JDR.';
        if (proof.mode === 'discord') {
          try {
            const inviteStats = await fetchDiscordInviteStats(config?.community?.discordUrl || '');
            if (inviteStats) {
              send(res, 200, JSON.stringify({
                status: 'ok',
                mode: 'discord',
                source: 'discord',
                count: Math.max(inviteStats.memberCount, inviteStats.presenceCount),
                label,
                note,
                guildId: inviteStats.guildId || normalizeString(proof.guildId) || null,
                inviteUrl: config?.community?.discordUrl || null,
                live: true
              }), { 'Content-Type': 'application/json' });
              return;
            }
          } catch (error) {
            logger.warn('[community] discord invite unavailable', { error: error.message, url: config?.community?.discordUrl || null });
          }
          if (normalizeString(proof.guildId)) {
            try {
              const live = await fetchDiscordWidgetStats(proof.guildId);
              send(res, 200, JSON.stringify({
                status: 'ok',
                mode: 'discord',
                source: 'discord',
                count: Math.max(live.presenceCount, live.memberCount),
                label,
                note,
                guildId: live.guildId,
                inviteUrl: live.instantInvite || config?.community?.discordUrl || null,
                live: true
              }), { 'Content-Type': 'application/json' });
              return;
            } catch (error) {
              logger.warn('[community] discord widget unavailable', { error: error.message, guildId: proof.guildId });
            }
          }
        }
        send(res, 200, JSON.stringify({
          status: 'ok',
          mode: proof.mode === 'discord' ? 'discord' : 'manual',
          source: 'manual',
          count: manualCount,
          label,
          note,
          guildId: normalizeString(proof.guildId) || null,
          inviteUrl: config?.community?.discordUrl || null,
          live: false
        }), { 'Content-Type': 'application/json' });
      } catch (error) {
        send(res, 500, JSON.stringify({ status: 'error', message: 'Discord community stats unavailable.' }), { 'Content-Type': 'application/json' });
      }
      return;
    }
    if (urlObj.pathname === '/api/groups') {
      if (req.method !== 'GET') {
        send(res, 405, JSON.stringify({ status: 'error', message: 'Method Not Allowed' }), { 'Content-Type': 'application/json', 'Allow': 'GET' });
        return;
      }
      const groups = await readGroupsFile();
      const users = await readUsersFile();
      const membersByGroup = new Map();
      groups.forEach(group => {
        if (group?.id) {
          membersByGroup.set(group.id, []);
        }
      });
      users.forEach(user => {
        const characters = sanitizeCharacterList(resolveUserCharacters(user));
        const username = normalizeString(user?.username) || user?.username || user?.id;
        if (!username && !characters.length) {
          return;
        }
        const userAvatar = normalizeString(user?.avatar) || null;
        const assigned = new Set();
        characters.forEach(character => {
          if (character?.groupId) {
            assigned.add(character.groupId);
          }
        });
        if (Array.isArray(user?.groups)) {
          user.groups.forEach(groupId => {
            if (groupId) {
              assigned.add(groupId);
            }
          });
        }
        assigned.forEach(groupId => {
          if (!groupId || !membersByGroup.has(groupId)) {
            return;
          }
          const bucket = membersByGroup.get(groupId);
          if (username) {
            bucket.push({ name: username, avatar: userAvatar, type: 'user' });
          }
          characters
            .filter(character => character?.groupId === groupId)
            .forEach(character => {
              bucket.push({
                name: character.name || 'Personnage',
                avatar: character.avatar || null,
                type: 'character',
                active: Boolean(character.active)
              });
            });
        });
      });
      send(res, 200, JSON.stringify({
        status: 'ok',
        groups: groups.map(group => {
          const record = sanitizeGroupRecord(group);
          const members = membersByGroup.get(record.id) || [];
          return {
            ...record,
            members,
            memberCount: members.length
          };
        })
      }), { 'Content-Type': 'application/json' });
      return;
    }

    if (urlObj.pathname === '/api/profile') {
      if (!(await ensureAuthorized(req, res, 'user'))) {
        return;
      }
      const currentUser = req.auth?.user;
      if (!currentUser?.id) {
        send(res, 403, JSON.stringify({ status: 'error', message: 'User profile unavailable.' }), { 'Content-Type': 'application/json' });
        return;
      }
      if (req.method === 'GET') {
        const users = await readUsersFile();
        const index = users.findIndex(entry => entry.id === currentUser.id);
        const user = index === -1 ? null : users[index];
        if (!user) {
          send(res, 404, JSON.stringify({ status: 'error', message: 'User not found.' }), { 'Content-Type': 'application/json' });
          return;
        }
        const groups = await readGroupsFile();
        const allowed = new Set(groups.map(group => group?.id).filter(Boolean));
        const characters = sanitizeCharacterList(resolveUserCharacters(user), { assignIds: true, allowedGroups: allowed });
        const availability = sanitizeAvailabilityRecord(user.availability) || null;
        const profile = sanitizeProfileRecord(user.profile) || null;
        const currentKey = JSON.stringify(Array.isArray(user.characters) ? user.characters : []);
        const nextKey = JSON.stringify(characters);
        const currentProfileKey = JSON.stringify(user?.profile || null);
        const nextProfileKey = JSON.stringify(profile || null);
        if (currentKey !== nextKey || user.character || currentProfileKey !== nextProfileKey) {
          user.characters = characters;
          user.character = null;
          user.profile = profile;
          await writeUsersFile(users);
          updateSessionsForUser(user.id, { characters, availability, profile });
        }
        send(res, 200, JSON.stringify({
          status: 'ok',
          profile: {
            username: user.username || '',
            avatar: user.avatar || null,
            provider: user.provider || 'manual',
            discordId: user.provider === 'discord' ? user.discordId || null : null,
            groups: Array.isArray(user.groups) ? user.groups : [],
            characters,
            availability,
            account: {
              lastLoginAt: sanitizeIsoDateString(user?.lastLoginAt),
              lastSeenAt: sanitizeIsoDateString(user?.lastSeenAt)
            },
            profile,
            customization: profile
          }
        }), { 'Content-Type': 'application/json' });
        return;
      }
      if (req.method === 'PATCH' || req.method === 'PUT') {
        const body = await collectBody(req);
        let payload;
        try {
          payload = JSON.parse(body || '{}');
        } catch (error) {
          send(res, 400, 'Invalid JSON');
          return;
        }
        const hasLegacyFields = payload && typeof payload === 'object' && (
          payload.name || payload.bio || payload.avatar || payload.groupId || payload.group
        );
        const updateCharacters = Boolean(
          Array.isArray(payload?.characters) || payload?.character || hasLegacyFields
        );
        const characterPayload = updateCharacters
          ? (Array.isArray(payload?.characters)
            ? payload.characters
            : (payload?.character ? payload.character : payload))
          : undefined;
        const updateAvailability = Object.prototype.hasOwnProperty.call(payload || {}, 'availability');
        const availabilityPayload = updateAvailability ? payload.availability : undefined;
        const updateProfile = Object.prototype.hasOwnProperty.call(payload || {}, 'profile');
        const profilePayload = updateProfile ? payload.profile : undefined;
        const result = await updateUserProfile(currentUser.id, {
          characterPayload,
          availabilityPayload,
          profilePayload,
          updateCharacters,
          updateAvailability,
          updateProfile
        });
        if (result.error) {
          send(res, 400, JSON.stringify({ status: 'error', message: result.error }), { 'Content-Type': 'application/json' });
          return;
        }
        if (!result.user) {
          send(res, 404, JSON.stringify({ status: 'error', message: 'User not found.' }), { 'Content-Type': 'application/json' });
          return;
        }
        const characters = Array.isArray(result.characters)
          ? result.characters
          : sanitizeCharacterList(resolveUserCharacters(result.user));
        const availability = result.availability ?? (sanitizeAvailabilityRecord(result.user.availability) || null);
        const profile = result.profile ?? (sanitizeProfileRecord(result.user.profile) || null);
        send(res, 200, JSON.stringify({
          status: 'ok',
          profile: {
            username: result.user.username || '',
            avatar: result.user.avatar || null,
            provider: result.user.provider || 'manual',
            discordId: result.user.provider === 'discord' ? result.user.discordId || null : null,
            groups: Array.isArray(result.user.groups) ? result.user.groups : [],
            characters,
            availability,
            account: {
              lastLoginAt: sanitizeIsoDateString(result.user?.lastLoginAt),
              lastSeenAt: sanitizeIsoDateString(result.user?.lastSeenAt)
            },
            profile,
            customization: profile
          }
        }), { 'Content-Type': 'application/json' });
        return;
      }
      send(res, 405, JSON.stringify({ status: 'error', message: 'Method Not Allowed' }), { 'Content-Type': 'application/json', 'Allow': 'GET,PATCH,PUT' });
      return;
    }

    if (urlObj.pathname === '/api/admin/availability') {
      if (req.method !== 'GET') {
        send(res, 405, JSON.stringify({ status: 'error', message: 'Method Not Allowed' }), { 'Content-Type': 'application/json', 'Allow': 'GET' });
        return;
      }
      if (!(await ensureAuthorized(req, res, 'admin'))) {
        return;
      }
      const users = await readUsersFile();
      const counts = Array.from({ length: AVAILABILITY_DAYS.length }, () => (
        Array.from({ length: AVAILABILITY_SLOTS.length }, () => 0)
      ));
      const timezones = {};
      let respondents = 0;
      users.forEach(user => {
        const availability = sanitizeAvailabilityRecord(user?.availability);
        if (!availability || !availabilityHasSlots(availability)) {
          return;
        }
        respondents += 1;
        availability.slots.forEach((daySlots, dayIndex) => {
          daySlots.forEach((active, slotIndex) => {
            if (active) {
              counts[dayIndex][slotIndex] += 1;
            }
          });
        });
        if (availability.timezone) {
          timezones[availability.timezone] = (timezones[availability.timezone] || 0) + 1;
        }
      });
      send(res, 200, JSON.stringify({
        status: 'ok',
        days: AVAILABILITY_DAYS,
        slots: AVAILABILITY_SLOTS,
        respondents,
        totalUsers: users.length,
        counts,
        timezones
      }), { 'Content-Type': 'application/json' });
      return;
    }

    if (urlObj.pathname === '/api/admin/home-config' || urlObj.pathname === '/api/admin/site-config') {
      if (!(await ensureAuthorized(req, res, 'admin'))) {
        return;
      }
      if (req.method === 'GET') {
        const config = await readSiteConfigFile();
        send(res, 200, JSON.stringify({ status: 'ok', config }), { 'Content-Type': 'application/json' });
        return;
      }
      if (req.method === 'PATCH' || req.method === 'PUT') {
        const body = await collectBody(req);
        let payload;
        try {
          payload = JSON.parse(body || '{}');
        } catch (error) {
          send(res, 400, 'Invalid JSON');
          return;
        }
        const nextConfig = sanitizeSiteConfig(payload?.config && typeof payload.config === 'object' ? payload.config : payload);
        await writeSiteConfigFile(nextConfig);
        send(res, 200, JSON.stringify({ status: 'ok', config: nextConfig }), { 'Content-Type': 'application/json' });
        return;
      }
      send(res, 405, JSON.stringify({ status: 'error', message: 'Method Not Allowed' }), { 'Content-Type': 'application/json', 'Allow': 'GET,PATCH,PUT' });
      return;
    }

    if (urlObj.pathname === '/api/admin/metrics') {
      if (req.method !== 'GET') {
        send(res, 405, JSON.stringify({ status: 'error', message: 'Method Not Allowed' }), { 'Content-Type': 'application/json', 'Allow': 'GET' });
        return;
      }
      if (!(await ensureAuthorized(req, res, 'admin'))) {
        return;
      }
      send(res, 200, JSON.stringify({
        status: 'ok',
        serverTime: new Date().toISOString(),
        uptimeMs: Date.now() - serverStartedAt,
        sse: {
          clients: sseClients.size,
          broadcastCount: sseMetrics.broadcastCount,
          lastEventAt: sseMetrics.lastEventAt,
          lastEventName: sseMetrics.lastEventName
        }
      }), { 'Content-Type': 'application/json' });
      return;
    }

    if (urlObj.pathname === '/api/admin/groups') {
      if (req.method === 'GET') {
        if (!(await ensureAuthorized(req, res, 'admin'))) {
          return;
        }
        const groups = await readGroupsFile();
        send(res, 200, JSON.stringify({
          status: 'ok',
          groups: groups.map(group => sanitizeGroupRecord(group))
        }), { 'Content-Type': 'application/json' });
        return;
      }

      if (req.method === 'POST') {
        if (!(await ensureAuthorized(req, res, 'admin'))) {
          return;
        }
        const body = await collectBody(req);
        let payload;
        try {
          payload = JSON.parse(body || '{}');
        } catch (error) {
          send(res, 400, 'Invalid JSON');
          return;
        }
        const name = normalizeString(payload?.name);
        if (!name) {
          send(res, 400, JSON.stringify({ status: 'error', message: 'name is required.' }), { 'Content-Type': 'application/json' });
          return;
        }
        const color = payload?.color || null;
        const group = await createGroup({
          name,
          color,
          x: payload?.x ?? undefined,
          y: payload?.y ?? undefined
        });
        send(res, 201, JSON.stringify({
          status: 'ok',
          group: sanitizeGroupRecord(group)
        }), { 'Content-Type': 'application/json' });
        return;
      }

      if (req.method === 'PATCH' || req.method === 'PUT') {
        if (!(await ensureAuthorized(req, res, 'admin'))) {
          return;
        }
        const body = await collectBody(req);
        let payload;
        try {
          payload = JSON.parse(body || '{}');
        } catch (error) {
          send(res, 400, 'Invalid JSON');
          return;
        }
        const id = normalizeString(payload?.id);
        if (!id) {
          send(res, 400, JSON.stringify({ status: 'error', message: 'id is required.' }), { 'Content-Type': 'application/json' });
          return;
        }
        const group = await updateGroup(id, {
          name: typeof payload?.name === 'string' ? payload.name : undefined,
          color: payload?.color,
          x: payload?.x ?? undefined,
          y: payload?.y ?? undefined
        });
        if (!group) {
          send(res, 404, JSON.stringify({ status: 'error', message: 'Group not found.' }), { 'Content-Type': 'application/json' });
          return;
        }
        send(res, 200, JSON.stringify({
          status: 'ok',
          group: sanitizeGroupRecord(group)
        }), { 'Content-Type': 'application/json' });
        return;
      }

      if (req.method === 'DELETE') {
        if (!(await ensureAuthorized(req, res, 'admin'))) {
          return;
        }
        const body = await collectBody(req);
        let payload;
        try {
          payload = JSON.parse(body || '{}');
        } catch (error) {
          send(res, 400, 'Invalid JSON');
          return;
        }
        const id = normalizeString(payload?.id);
        if (!id) {
          send(res, 400, JSON.stringify({ status: 'error', message: 'id is required.' }), { 'Content-Type': 'application/json' });
          return;
        }
        const removed = await deleteGroup(id);
        if (!removed) {
          send(res, 404, JSON.stringify({ status: 'error', message: 'Group not found.' }), { 'Content-Type': 'application/json' });
          return;
        }
        send(res, 200, JSON.stringify({
          status: 'ok',
          removed: sanitizeGroupRecord(removed)
        }), { 'Content-Type': 'application/json' });
        return;
      }

      send(res, 405, JSON.stringify({ status: 'error', message: 'Method Not Allowed' }), { 'Content-Type': 'application/json', 'Allow': 'GET,POST,PATCH,PUT,DELETE' });
      return;
    }

    if (urlObj.pathname === '/api/admin/users') {
      if (req.method === 'GET') {
        if (!(await ensureAuthorized(req, res, 'admin'))) {
          return;
        }
        const users = await readUsersFile();
        send(res, 200, JSON.stringify({
          status: 'ok',
          users: users.map(user => sanitizeUserRecord(user))
        }), { 'Content-Type': 'application/json' });
        return;
      }

      if (req.method === 'POST') {
        if (!(await ensureAuthorized(req, res, 'admin'))) {
          return;
        }
        const body = await collectBody(req);
        let payload;
        try {
          payload = JSON.parse(body || '{}');
        } catch (error) {
          send(res, 400, 'Invalid JSON');
          return;
        }
        const provider = normalizeString(payload?.provider) || 'manual';
        if (provider === 'discord') {
          const discordId = normalizeString(payload?.discordId);
          if (!discordId) {
            send(res, 400, JSON.stringify({ status: 'error', message: 'discordId is required.' }), { 'Content-Type': 'application/json' });
            return;
          }
          const existing = await findUserByDiscordId(discordId);
          if (existing) {
            send(res, 409, JSON.stringify({ status: 'error', message: 'Discord user already exists.' }), { 'Content-Type': 'application/json' });
            return;
          }
          const user = await upsertDiscordUser({
            discordId,
            username: normalizeString(payload?.username),
            roleHint: sanitizeRole(payload?.role || 'user')
          });
          send(res, 201, JSON.stringify({
            status: 'ok',
            user: sanitizeUserRecord(user)
          }), { 'Content-Type': 'application/json' });
          return;
        }

        const { user, token } = await createManualUser({
          username: normalizeString(payload?.username),
          role: sanitizeRole(payload?.role || 'user'),
          token: payload?.token
        });
        send(res, 201, JSON.stringify({
          status: 'ok',
          user: sanitizeUserRecord(user),
          token
        }), { 'Content-Type': 'application/json' });
        return;
      }

      if (req.method === 'PATCH' || req.method === 'PUT') {
        if (!(await ensureAuthorized(req, res, 'admin'))) {
          return;
        }
        const body = await collectBody(req);
        let payload;
        try {
          payload = JSON.parse(body || '{}');
        } catch (error) {
          send(res, 400, 'Invalid JSON');
          return;
        }
        const id = normalizeString(payload?.id);
        if (!id) {
          send(res, 400, JSON.stringify({ status: 'error', message: 'id is required.' }), { 'Content-Type': 'application/json' });
          return;
        }
        const updates = {};
        if (payload?.role) {
          updates.role = sanitizeRole(payload.role);
        }
        if (typeof payload?.username === 'string') {
          updates.username = payload.username;
        }
        if (Array.isArray(payload?.groups)) {
          const groups = await readGroupsFile();
          const allowed = new Set(groups.map(group => group?.id).filter(Boolean));
          updates.groups = payload.groups
            .map(entry => normalizeString(entry))
            .filter(entry => entry && allowed.has(entry));
        }
        let generatedToken = null;
        if (payload?.generateToken) {
          generatedToken = crypto.randomBytes(24).toString('hex');
          updates.addToken = generatedToken;
        }
        if (payload?.removeToken) {
          updates.removeToken = payload.removeToken;
        }
        const user = await updateUser(id, updates);
        if (!user) {
          send(res, 404, JSON.stringify({ status: 'error', message: 'User not found.' }), { 'Content-Type': 'application/json' });
          return;
        }
        const response = {
          status: 'ok',
          user: sanitizeUserRecord(user)
        };
        if (generatedToken) {
          response.token = generatedToken;
        }
        send(res, 200, JSON.stringify(response), { 'Content-Type': 'application/json' });
        return;
      }

      if (req.method === 'DELETE') {
        if (!(await ensureAuthorized(req, res, 'admin'))) {
          return;
        }
        const body = await collectBody(req);
        let payload;
        try {
          payload = JSON.parse(body || '{}');
        } catch (error) {
          send(res, 400, 'Invalid JSON');
          return;
        }
        const id = normalizeString(payload?.id);
        if (!id) {
          send(res, 400, JSON.stringify({ status: 'error', message: 'id is required.' }), { 'Content-Type': 'application/json' });
          return;
        }
        const removed = await deleteUser(id);
        if (!removed) {
          send(res, 404, JSON.stringify({ status: 'error', message: 'User not found.' }), { 'Content-Type': 'application/json' });
          return;
        }
        send(res, 200, JSON.stringify({
          status: 'ok',
          removed: sanitizeUserRecord(removed)
        }), { 'Content-Type': 'application/json' });
        return;
      }

      send(res, 405, JSON.stringify({ status: 'error', message: 'Method Not Allowed' }), { 'Content-Type': 'application/json', 'Allow': 'GET,POST,PATCH,PUT,DELETE' });
      return;
    }

    if (req.method === 'OPTIONS') {
      send(res, 204, null, {
        'Access-Control-Allow-Origin': '*',
        'Access-Control-Allow-Methods': 'GET,POST,OPTIONS',
        'Access-Control-Allow-Headers': 'Content-Type'
      });
      return;
    }

    if (req.method !== 'GET' && req.method !== 'HEAD') {
      send(res, 405, 'Method Not Allowed', {'Allow': 'GET,HEAD,POST,OPTIONS'});
      return;
    }

    serveStatic(req, res, urlObj);
  } catch (error) {
    logger.error('Unhandled server error', { error: error.message });
    if (!res.headersSent) {
      send(res, 500, 'Internal Server Error');
    } else {
      res.destroy();
    }
  }
});

server.listen(PORT, HOST, () => {
  logger.info(`Running at http://${HOST}:${PORT}`);
});