import crypto from "node:crypto";
import fs from "node:fs";
import path from "node:path";
import url from "node:url";
import { spawn } from "node:child_process";

import MarkdownIt from "markdown-it";
import express from "express";
import multer from "multer";

/*
Public, no-login receipt surface (IF.TRACE / T3)
------------------------------------------------
This server exposes Shadow Dossiers and their "receipt" artifacts via two parallel
representations:

- Raw (download-friendly): `*.md` (and tarballs elsewhere)
- HTML views: same path without the `.md` suffix

Rationale: some external review environments (including certain LLM "web fetchers")
reliably load `text/html` but may reject "downloadable" assets like `.md/.py/.tar.gz`.
Keeping both surfaces makes the governance/receipt premise reviewable by humans *and*
restricted sandboxes.

Deployment detail: the stable public aliases live under `/static/*` on the public
domain and are reverse-proxied here (see operator docs: `/root/docs/17-ifttt-public-receipt-surface.md`).

Naming (avoid drift):
- Public governance brand: IF.TRACE / T3
- Internal legacy implementation name: IF.TTT
*/

const __filename = url.fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);

const projectRoot = path.resolve(__dirname, "..");
const distDir = path.join(projectRoot, "dist");
const indexHtmlPath = path.join(distDir, "index.html");

const privateUploadToken = process.env.PRIVATE_UPLOAD_TOKEN || "";
const privateUploadMaxBytes = Number(process.env.PRIVATE_UPLOAD_MAX_BYTES || 25 * 1024 * 1024);
const privateUploadStyle = process.env.PRIVATE_UPLOAD_STYLE || "if.dave.v1.2";
const privateUploadActionPack = String(process.env.PRIVATE_UPLOAD_ACTION_PACK || "")
  .trim()
  .toLowerCase();
const revoiceRepoRoot = path.resolve(projectRoot, "..", "..");

function normalizeBaseUrl(value) {
  return String(value || "")
    .trim()
    .replace(/\/+$/g, "");
}

function uniqBaseUrls(values) {
  const out = [];
  const seen = new Set();
  for (const v of values || []) {
    const base = normalizeBaseUrl(v);
    if (!base) continue;
    if (seen.has(base)) continue;
    seen.add(base);
    out.push(base);
  }
  return out;
}

function staticMirrorBaseUrls(primaryBaseUrl, publicBaseUrl) {
  const env = String(process.env.STATIC_MIRROR_PUBLIC_BASE_URLS || "").trim();
  const defaults = ["https://git.infrafabric.io"];
  const configured = env ? env.split(",") : defaults;
  return uniqBaseUrls([primaryBaseUrl, ...configured, publicBaseUrl]);
}

function escapeHtml(value) {
  return String(value || "")
    .replaceAll("&", "&")
    .replaceAll("<", "&lt;")
    .replaceAll(">", "&gt;")
    .replaceAll('"', "&quot;")
    .replaceAll("'", "&#39;");
}

function ensureDir(dirPath) {
  fs.mkdirSync(dirPath, { recursive: true });
}

const markdown = new MarkdownIt({
  html: false,
  linkify: true,
  breaks: false,
});
const defaultFence = markdown.renderer.rules.fence;
markdown.renderer.rules.fence = (tokens, idx, options, env, self) => {
  const token = tokens[idx];
  const info = String(token.info || "")
    .trim()
    .split(/\s+/g)[0]
    .toLowerCase();
  if (info === "mermaid") {
    return `<pre class="mermaid">${escapeHtml(token.content)}</pre>\n`;
  }
  if (typeof defaultFence === "function") return defaultFence(tokens, idx, options, env, self);
  return self.renderToken(tokens, idx, options);
};

function renderMarkdownPage({ title, headerHtml, html, topLinksHtml }) {
  return [
    "<!doctype html>",
    "<html><head>",
    "<meta charset='utf-8'/>",
    "<meta name='viewport' content='width=device-width, initial-scale=1'/>",
    "<meta name='robots' content='noindex,nofollow'/>",
    `<title>${escapeHtml(title || "Shadow Dossier")}</title>`,
    "<style>",
    "body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;max-width:980px;margin:40px auto;padding:0 18px;line-height:1.55;color:#111}",
    "a{color:#0b5fff;text-decoration:none}a:hover{text-decoration:underline}",
    "h1,h2,h3{line-height:1.2;margin-top:1.6em}h1{margin-top:0}",
    "pre,code{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace}",
    "pre{background:#f7f7f7;border:1px solid #eee;border-radius:10px;padding:12px;overflow:auto}",
    "code{background:#f7f7f7;border-radius:6px;padding:2px 5px}",
    "blockquote{border-left:4px solid #ddd;margin:16px 0;padding:2px 14px;color:#444}",
    "table{border-collapse:collapse;width:100%;margin:14px 0}",
    "th,td{border:1px solid #ddd;padding:8px;vertical-align:top}",
    ".page-header{margin:0 0 18px 0}",
    ".topbar{display:flex;gap:14px;flex-wrap:wrap;margin:0 0 18px 0;font-size:14px}",
    ".topbar code{padding:2px 6px}",
    ".badge{display:inline-flex;align-items:center;gap:8px;padding:6px 10px;border-radius:999px;border:1px solid transparent;font-weight:700;letter-spacing:.02em}",
    ".badge small{font-weight:600;opacity:.85}",
    ".badge.ok{background:#e6f4ea;border-color:#b7dfc1;color:#137333}",
    ".badge.warn{background:#fff7e0;border-color:#ffe0a3;color:#8b5a00}",
    ".badge.fail{background:#fce8e6;border-color:#f6b8b6;color:#a50e0e}",
    ".trace-header{display:flex;flex-direction:column;gap:10px;margin:0 0 18px 0;padding:14px 14px;border:1px solid #eee;border-radius:14px;background:#fff}",
    ".trace-header-title{display:flex;align-items:center;gap:12px;flex-wrap:wrap}",
    ".trace-header-title h1{margin:0;font-size:24px}",
    ".trace-meta{display:flex;flex-wrap:wrap;gap:10px;font-size:14px;color:#333}",
    ".trace-meta code{padding:2px 6px}",
    ".trace-checks{margin:0;padding-left:18px;color:#333;font-size:14px}",
    ".trace-checks li{margin:2px 0}",
    "</style>",
    "</head><body>",
    headerHtml ? `<header class="page-header">${headerHtml}</header>` : "",
    topLinksHtml ? `<div class="topbar">${topLinksHtml}</div>` : "",
    `<main class="markdown-body">${html}</main>`,
    "<script type='module'>",
    'import mermaid from "https://cdn.jsdelivr.net/npm/mermaid@10/dist/mermaid.esm.min.mjs";',
    "mermaid.initialize({ startOnLoad: true, securityLevel: 'strict' });",
    "</script>",
    "</body></html>",
  ].join("");
}

function renderVerificationBadgeHtml(verification) {
  const status = String(verification?.status || "").toLowerCase();
  const label = String(verification?.label || "").trim();
  const detail = String(verification?.detail || "").trim();

  if (!status) return "";

  const cls = status === "verified" ? "ok" : status === "warning" ? "warn" : "fail";
  const safeLabel = escapeHtml(label || status.toUpperCase());
  const safeDetail = escapeHtml(detail);
  return `<span class="badge ${cls}">${safeLabel}${safeDetail ? ` <small>${safeDetail}</small>` : ""}</span>`;
}

function renderTraceHeaderHtml({ verification, job }) {
  const badge = renderVerificationBadgeHtml(verification);
  const createdAt = job?.createdAt ? String(job.createdAt) : "";
  const traceId = String(job?.id || "");
  const style = String(job?.style || "");
  const ttt = job?._ttt_trace_receipt || null;

  const checks = verification?.checks || {};
  const outputOk = checks.outputOk === true;
  const sourceOk = checks.sourceOk;
  const warningsPresent = checks.warningsPresent === true;

  const outputLabel = outputOk ? "PASS" : "FAIL";
  const sourceLabel = sourceOk === true ? "PASS" : sourceOk === false ? "FAIL" : "UNKNOWN";

  const quantumReady = Boolean(ttt && ttt.quantum_ready === true);
  const pqAlgo = ttt && ttt.pq_algo ? String(ttt.pq_algo) : "";
  const pqStatus = ttt && ttt.pq_status ? String(ttt.pq_status) : "";
  const pqLabel = quantumReady ? `READY${pqAlgo ? ` (${pqAlgo})` : ""}` : ttt ? "ABSENT" : "UNKNOWN";

  const safeCreatedAt = createdAt ? escapeHtml(createdAt) : "";
  const safeTraceId = traceId ? escapeHtml(traceId) : "";
  const safeStyle = style ? escapeHtml(style) : "";

  const metaParts = [
    safeCreatedAt ? `<span>Generated (UTC): <code>${safeCreatedAt}</code></span>` : "",
    safeTraceId ? `<span>Trace ID: <code>${safeTraceId}</code></span>` : "",
    safeStyle ? `<span>Style: <code>${safeStyle}</code></span>` : "",
  ].filter(Boolean);

  return [
    `<div class="trace-header">`,
    `  <div class="trace-header-title">${badge}<h1>IF.TRACE receipt (T3)</h1></div>`,
    metaParts.length ? `  <div class="trace-meta">${metaParts.join(" · ")}</div>` : "",
    `  <ul class="trace-checks">`,
    `    <li>Output hash check: <strong>${escapeHtml(outputLabel)}</strong></li>`,
    `    <li>Source hash check: <strong>${escapeHtml(sourceLabel)}</strong></li>`,
    `    <li>Quantum-ready receipt: <strong>${escapeHtml(pqLabel)}</strong>${pqStatus ? ` <small>(${escapeHtml(pqStatus)})</small>` : ""}</li>`,
    `    <li>Quality warnings: <strong>${warningsPresent ? "present" : "none recorded"}</strong></li>`,
    `  </ul>`,
    `</div>`,
  ]
    .filter(Boolean)
    .join("");
}

async function computeVerificationStatus({ job, projectRoot, outputsDir, uploadsDir }) {
  const expectedOutput = String(job?.outputSha256 || "").trim();
  const expectedSource = String(job?.sourceSha256 || "").trim();
  const warningsPresent = Boolean(job?.warnings && String(job.warnings).trim());
  const status = String(job?.status || "").trim();

  const outputPathRel = String(job?.outputPath || "").trim();
  const outputAbs = outputPathRel ? path.resolve(projectRoot, outputPathRel) : "";

  let outputOk = false;
  if (expectedOutput && outputAbs && outputAbs.startsWith(outputsDir + path.sep) && fs.existsSync(outputAbs)) {
    try {
      const actual = await sha256File(outputAbs);
      outputOk = actual === expectedOutput;
    } catch {
      outputOk = false;
    }
  }

  const sourcePathRel = String(job?.sourcePath || "").trim();
  const sourceAbs = sourcePathRel ? path.resolve(projectRoot, sourcePathRel) : "";
  let sourceOk = false;
  let sourceCheckKnown = false;
  if (expectedSource && sourceAbs && sourceAbs.startsWith(uploadsDir + path.sep) && fs.existsSync(sourceAbs)) {
    sourceCheckKnown = true;
    try {
      const actual = await sha256File(sourceAbs);
      sourceOk = actual === expectedSource;
    } catch {
      sourceOk = false;
    }
  } else if (expectedSource) {
    sourceCheckKnown = false;
  }

  if (!outputOk) {
    return {
      status: "fail",
      label: "FAIL",
      detail: "hash mismatch",
      checks: { outputOk, sourceOk: sourceCheckKnown ? sourceOk : null, warningsPresent, jobStatus: status },
    };
  }

  if (sourceCheckKnown && !sourceOk) {
    return {
      status: "fail",
      label: "FAIL",
      detail: "source mismatch",
      checks: { outputOk, sourceOk, warningsPresent, jobStatus: status },
    };
  }

  if (warningsPresent || status === "done_with_warnings" || !sourceCheckKnown) {
    const detail = warningsPresent ? "warnings" : !sourceCheckKnown ? "source not locally verifiable" : "check details";
    return {
      status: "warning",
      label: "WARNING",
      detail,
      checks: { outputOk, sourceOk: sourceCheckKnown ? sourceOk : null, warningsPresent, jobStatus: status },
    };
  }

  return {
    status: "verified",
    label: "VERIFIED",
    detail: "all checks passed",
    checks: { outputOk, sourceOk, warningsPresent, jobStatus: status },
  };
}

function renderTraceMarkdown({ shareId, job, publicBaseUrl, staticPublicBaseUrl }) {
  const primaryBase = normalizeBaseUrl(staticPublicBaseUrl || publicBaseUrl);
  const bases = staticMirrorBaseUrls(primaryBase, publicBaseUrl);
  const mirrorBase = bases.find((b) => b !== primaryBase) || "";

  const createdAt = job?.createdAt ? String(job.createdAt) : "";
  const status = job?.status ? String(job.status) : "";
  const warningsPresent = Boolean(job?.warnings && String(job.warnings).trim());
  const ttt = job?._ttt_trace_receipt || job?.tttTraceReceipt || null;
  const tttId = ttt && ttt.id ? String(ttt.id) : "";
  const tttHash = ttt && ttt.content_hash ? String(ttt.content_hash) : "";
  const pqReady = Boolean(ttt && ttt.quantum_ready === true);
  const pqAlgo = ttt && ttt.pq_algo ? String(ttt.pq_algo) : "";
  const pqStatus = ttt && ttt.pq_status ? String(ttt.pq_status) : "";

  const traceId = String(job?.id || "").trim();
  const tracePrefixRaw = traceId ? traceId.split("-")[0] : "";
  const tracePrefix = /^[0-9a-f]{8}$/i.test(tracePrefixRaw) ? tracePrefixRaw.toLowerCase() : "";
  const triageSelectorUrl = tracePrefix
    ? `${primaryBase}/static/hosted/review/trace-bundles/${encodeURIComponent(tracePrefix)}/index.html`
    : "";
  const triageSelectorUrlRaw = tracePrefix
    ? `${primaryBase}/static/hosted/review/trace-bundles/${encodeURIComponent(tracePrefix)}/index.md`
    : "";

  const dossierUrl = `${primaryBase}/static/dossier/${encodeURIComponent(shareId)}`;
  const traceUrl = `${primaryBase}/static/trace/${encodeURIComponent(shareId)}`;
  const downloadUrl = `${primaryBase}/static/dossier/${encodeURIComponent(shareId)}/download`;
  const packUrl = `${primaryBase}/static/pack/${encodeURIComponent(shareId)}.md`;
  const packHtmlUrl = `${primaryBase}/static/pack/${encodeURIComponent(shareId)}`;
  const reviewHtmlUrl = `${primaryBase}/static/review/${encodeURIComponent(shareId)}`;
  const marketingHtmlUrl = `${primaryBase}/static/marketing/${encodeURIComponent(shareId)}`;
  const sourceUrl = job?.sourceSha256
    ? `${primaryBase}/static/source/${job.sourceSha256}${path.extname(job.sourcePath || "").toLowerCase()}`
    : "";

  const directBase = primaryBase; // Caddy exposes /r/* on infrafabric.io and git.infrafabric.io too.
  const directDossierUrl = `${directBase}/r/${encodeURIComponent(shareId)}`;
  const directTraceUrl = `${directBase}/r/${encodeURIComponent(shareId)}/trace`;
  const directDownloadUrl = `${directBase}/r/${encodeURIComponent(shareId)}/download`;
  const directPackUrl = `${directBase}/r/${encodeURIComponent(shareId)}/pack.md`;
  const directPackHtmlUrl = `${directBase}/r/${encodeURIComponent(shareId)}/pack`;
  const directReviewHtmlUrl = `${directBase}/r/${encodeURIComponent(shareId)}/review-pack`;
  const directMarketingHtmlUrl = `${directBase}/r/${encodeURIComponent(shareId)}/marketing`;

  const lastResortBase = normalizeBaseUrl(publicBaseUrl);
  const lastResortDossierUrl = lastResortBase ? `${lastResortBase}/r/${encodeURIComponent(shareId)}` : "";
  const lastResortTraceUrl = lastResortBase ? `${lastResortBase}/r/${encodeURIComponent(shareId)}/trace` : "";
  const lastResortDownloadUrl = lastResortBase ? `${lastResortBase}/r/${encodeURIComponent(shareId)}/download` : "";

  const lines = [
    "## IF.TRACE receipt (public evidence view)",
    "",
    "IF.TRACE (T3: Traceable, Transparent, Trustworthy) is InfraFabric’s chain-of-custody protocol: it binds the **source fingerprint** to the **generated output fingerprint**, so a skeptical reader can verify what was produced and from which input, without needing access to internal systems.",
    "This page is intentionally scoped to **one dossier only** (no index, no directory listing).",
    "",
    "## What this trace proves",
    "",
    "- You can independently verify the downloaded dossier Markdown by hashing it and comparing to `Output sha256` below.",
    "- You can independently verify the hosted source file (if present) by hashing it and comparing to `Source sha256` below.",
    "- This page binds those two fingerprints together as a single public evidence record.",
    pqReady
      ? `- This trace also has a **Quantum-ready** signed receipt record (${pqAlgo || "PQ"}; ${pqStatus || "hybrid"}).`
      : "- This trace does not claim any post-quantum proof unless the header says QUANTUM READY.",
    "",
    "## What this trace does not prove",
    "",
    "- It does not validate the truth of the source’s claims.",
    "- It does not attest to correctness of any commentary or recommendations in the dossier.",
    "- It does not expose internal prompts, intermediate steps, or private systems.",
    "",
    "## Links",
    "",
    `- Dossier (rendered): ${dossierUrl}`,
    `- Dossier (download Markdown): ${downloadUrl}`,
    `- Single-file pack (review + dossier + trace): ${packUrl}`,
    `- Pack (HTML view; for restrictive sandboxes): ${packHtmlUrl}`,
    `- Review pack (HTML view; links-only): ${reviewHtmlUrl}`,
    `- Marketing excerpt (HTML view): ${marketingHtmlUrl}`,
    triageSelectorUrl ? `- Offline bundles (triage selector): ${triageSelectorUrl}` : null,
    triageSelectorUrlRaw ? `- Offline bundles (raw Markdown): ${triageSelectorUrlRaw}` : null,
    sourceUrl ? `- Source (PDF): ${sourceUrl}` : null,
    `- This trace page: ${traceUrl}`,
    mirrorBase ? "" : null,
    mirrorBase ? "## Mirror host (same paths)" : null,
    mirrorBase ? "" : null,
    mirrorBase ? `- Dossier: ${mirrorBase}/static/dossier/${encodeURIComponent(shareId)}` : null,
    mirrorBase ? `- Pack: ${mirrorBase}/static/pack/${encodeURIComponent(shareId)}.md` : null,
    mirrorBase ? `- Pack (HTML view): ${mirrorBase}/static/pack/${encodeURIComponent(shareId)}` : null,
    mirrorBase ? `- Trace: ${mirrorBase}/static/trace/${encodeURIComponent(shareId)}` : null,
    mirrorBase && sourceUrl ? `- Source: ${mirrorBase}/static/source/${job.sourceSha256}${path.extname(job.sourcePath || "").toLowerCase()}` : null,
    "",
    "## Fallback links (direct)",
    "",
    `- Dossier: ${directDossierUrl}`,
    `- Download: ${directDownloadUrl}`,
    `- Pack: ${directPackUrl}`,
    `- Pack (HTML view): ${directPackHtmlUrl}`,
    `- Review pack (HTML view): ${directReviewHtmlUrl}`,
    `- Marketing excerpt (HTML view): ${directMarketingHtmlUrl}`,
    `- Trace: ${directTraceUrl}`,
    lastResortBase && lastResortBase !== directBase ? "" : null,
    lastResortBase && lastResortBase !== directBase ? "## Last resort (alternate host)" : null,
    lastResortBase && lastResortBase !== directBase ? "" : null,
    lastResortBase && lastResortBase !== directBase ? `- Dossier: ${lastResortDossierUrl}` : null,
    lastResortBase && lastResortBase !== directBase ? `- Download: ${lastResortDownloadUrl}` : null,
    lastResortBase && lastResortBase !== directBase ? `- Trace: ${lastResortTraceUrl}` : null,
    "",
    "## Generation context",
    "",
    createdAt ? `- Generated at (UTC): \`${createdAt}\`` : null,
    status ? `- Status: \`${status}\`` : null,
    `- Quality warnings: ${warningsPresent ? "present (see pack trace JSON)" : "none recorded"}`,
    "",
    "## Verifiability",
    "",
    `- Trace ID: \`${job.id || ""}\``,
    `- Dossier: \`${job.originalFilename || ""}\``,
    `- Output sha256: \`${job.outputSha256 || ""}\``,
    `- Source sha256: \`${job.sourceSha256 || ""}\``,
    `- Style: \`${job.style || ""}\``,
    `- Source bytes: \`${String(job.sourceBytes ?? "")}\``,
    tttId ? `- Signed trace receipt ID: \`${tttId}\`` : null,
    tttHash ? `- Signed trace receipt hash: \`${tttHash}\`` : null,
    pqStatus ? `- PQ status: \`${pqStatus}\`` : null,
    "",
    "## How to verify (locally)",
    "",
    "1) Download the dossier Markdown.",
    "2) Compute its hash and compare to `Output sha256` above:",
    "",
    "```bash",
    "sha256sum <downloaded-file>.md",
    "```",
    "",
    sourceUrl ? "3) Optionally, download the source and verify its hash matches `Source sha256` above:" : null,
    sourceUrl ? "" : null,
    sourceUrl
      ? "```bash\nsha256sum <downloaded-source>\n```"
      : null,
  ];

  return lines.filter(Boolean).join("\n");
}

function renderReviewPackMarkdown({ shareId, job, publicBaseUrl, externalReviewUrl, staticSourceUrl, staticPublicBaseUrl }) {
  const primaryBase = normalizeBaseUrl(staticPublicBaseUrl || publicBaseUrl);
  const bases = staticMirrorBaseUrls(primaryBase, publicBaseUrl);
  const mirrorBase = bases.find((b) => b !== primaryBase) || "";

  const dossierUrl = `${primaryBase}/static/dossier/${encodeURIComponent(shareId)}`;
  const traceUrl = `${primaryBase}/static/trace/${encodeURIComponent(shareId)}`;
  const downloadUrl = `${primaryBase}/static/dossier/${encodeURIComponent(shareId)}/download`;
  const packUrl = `${primaryBase}/static/pack/${encodeURIComponent(shareId)}.md`;

  const directBase = primaryBase; // Caddy exposes /r/* on infrafabric.io and git.infrafabric.io too.
  const directDossierUrl = `${directBase}/r/${encodeURIComponent(shareId)}`;
  const directTraceUrl = `${directBase}/r/${encodeURIComponent(shareId)}/trace`;
  const directDownloadUrl = `${directBase}/r/${encodeURIComponent(shareId)}/download`;
  const directPackUrl = `${directBase}/r/${encodeURIComponent(shareId)}/pack.md`;

  const lastResortBase = normalizeBaseUrl(publicBaseUrl);
  const lastResortDossierUrl = lastResortBase ? `${lastResortBase}/r/${encodeURIComponent(shareId)}` : "";
  const lastResortTraceUrl = lastResortBase ? `${lastResortBase}/r/${encodeURIComponent(shareId)}/trace` : "";
  const lastResortDownloadUrl = lastResortBase ? `${lastResortBase}/r/${encodeURIComponent(shareId)}/download` : "";
  const lastResortPackUrl = lastResortBase ? `${lastResortBase}/r/${encodeURIComponent(shareId)}/pack.md` : "";

  const lines = [
    "# InfraFabric External Review Pack — Shadow Dossier + IF.TRACE receipt",
    "",
    "Please review the dossier and the trace receipt page. Provide constructive criticism and patch-style suggestions.",
    "",
    "## Assets",
    "",
    `- Dossier (rendered): ${dossierUrl}`,
    `- Dossier (download Markdown): ${downloadUrl}`,
    `- Single-file pack (review + dossier + trace): ${packUrl}`,
    staticSourceUrl ? `- Source (download): ${staticSourceUrl}` : null,
    `- IF.TRACE receipt page: ${traceUrl}`,
    externalReviewUrl ? `- Feedback intake (login): ${externalReviewUrl}` : null,
    mirrorBase ? "" : null,
    mirrorBase ? "## Alternate host mirror (same paths)" : null,
    mirrorBase ? "" : null,
    mirrorBase ? `- Dossier (rendered): ${mirrorBase}/static/dossier/${encodeURIComponent(shareId)}` : null,
    mirrorBase ? `- Dossier (download Markdown): ${mirrorBase}/static/dossier/${encodeURIComponent(shareId)}/download` : null,
    mirrorBase ? `- Single-file pack: ${mirrorBase}/static/pack/${encodeURIComponent(shareId)}.md` : null,
    mirrorBase ? `- IF.TRACE receipt page: ${mirrorBase}/static/trace/${encodeURIComponent(shareId)}` : null,
    "",
    "## Fallback links (direct)",
    "",
    "- These may be blocked by some scanners/LLM sandboxes; use only if the `infrafabric.io/static/*` links fail.",
    "",
    `- Dossier (rendered): ${directDossierUrl}`,
    `- Dossier (download Markdown): ${directDownloadUrl}`,
    `- Single-file pack (review + dossier + trace): ${directPackUrl}`,
    `- IF.TRACE receipt page: ${directTraceUrl}`,
    lastResortBase && lastResortBase !== directBase ? "" : null,
    lastResortBase && lastResortBase !== directBase ? "## Last resort (alternate host)" : null,
    lastResortBase && lastResortBase !== directBase ? "" : null,
    lastResortBase && lastResortBase !== directBase ? `- Dossier (rendered): ${lastResortDossierUrl}` : null,
    lastResortBase && lastResortBase !== directBase ? `- Dossier (download): ${lastResortDownloadUrl}` : null,
    lastResortBase && lastResortBase !== directBase ? `- Pack: ${lastResortPackUrl}` : null,
    lastResortBase && lastResortBase !== directBase ? `- Trace: ${lastResortTraceUrl}` : null,
    "",
    "## Response metadata (required)",
    "",
    "- `llm_name`: provider + model name/version (exact string)",
    "- `probable_model`: if `llm_name` is ambiguous, your best guess",
    "- `cutoff_date`: training data cutoff (YYYY-MM, or “unknown”)",
    "- `response_date_utc`: current date/time in UTC",
    "- `web_access_used`: `yes`/`no` (if yes, list URLs relied on)",
    "",
    "## Executive read (fast)",
    "",
    "- 5–10 bullets: what works / what doesn’t",
    "- 3 bullets: who this will land with vs who will reject it",
    "",
    "## Scorecard (0–5 each)",
    "",
    "- Mirror integrity (section order, headings, high-signal numbers/dates, lists/tables)",
    "- Layout fidelity (does it “feel” like the source?)",
    "- Humor discipline (sharp without being template-y)",
    "- Mermaid value (valid syntax; clarifies, not decorates)",
    "- IF.TRACE demo value (understandable + credible + worth clicking)",
    "- Call-to-action stealth (curious about governance stack without feeling spammed)",
    "",
    "## Patch suggestions (actionable)",
    "",
    "Provide 5–15 patch suggestions. Use this format per item:",
    "",
    "- `target`: dossier / trace page / “generator rules” / site UX",
    "- `problem`: 1 sentence",
    "- `change`: proposed text or behavior (copy/pasteable if possible)",
    "- `why`: 1 sentence",
    "- `priority`: P0 / P1 / P2",
    "- `confidence`: high / medium / low",
    "",
    "## Plan iteration (debug our plan)",
    "",
    "Propose a revised 5–8 step plan for improving the system. Prioritize steps that:",
    "",
    "- reduce repeatable/template patterns",
    "- strengthen mirror fidelity (numbers/tables/caveats)",
    "- make Mermaid + output correct-by-construction",
    "- make IF.TRACE feel like real chain-of-custody (not just “we printed a hash”)",
    "",
    "## Fact checking guidance (important)",
    "",
    "Default posture: don’t assume stats are true.",
    "",
    "- If you did not verify a number externally, refer to it as “the source claims …”",
    "- If you did verify, cite URLs and state confirmed/disputed/unclear",
    "- If a stat cannot be confirmed, recommend either: keep it attributed (“source claims”) or remove it from commentary",
    "",
    "## Notes",
    "",
    `- Dossier ID: \`${job.id || ""}\``,
    `- Style: \`${job.style || ""}\``,
  ]
    .filter((line) => line !== null)
    .join("\n");

  return lines;
}

function renderSingleFilePackMarkdown({ shareId, job, publicBaseUrl, externalReviewUrl, staticSourceUrl, staticPublicBaseUrl, dossierMarkdown }) {
  const primaryBase = normalizeBaseUrl(staticPublicBaseUrl || publicBaseUrl);
  const bases = staticMirrorBaseUrls(primaryBase, publicBaseUrl);
  const mirrorBase = bases.find((b) => b !== primaryBase) || "";

  const dossierUrl = `${primaryBase}/static/dossier/${encodeURIComponent(shareId)}`;
  const traceUrl = `${primaryBase}/static/trace/${encodeURIComponent(shareId)}`;
  const downloadUrl = `${primaryBase}/static/dossier/${encodeURIComponent(shareId)}/download`;
  const reviewUrl = `${primaryBase}/static/review/${encodeURIComponent(shareId)}.md`;
  const packUrl = `${primaryBase}/static/pack/${encodeURIComponent(shareId)}.md`;

  const jobSlim = {
    id: job?.id || "",
    status: job?.status || "",
    createdAt: job?.createdAt || "",
    originalFilename: job?.originalFilename || "",
    style: job?.style || "",
    sourceSha256: job?.sourceSha256 || "",
    outputSha256: job?.outputSha256 || "",
    warnings: job?.warnings || "",
  };

  const lines = [
    "# InfraFabric External Review Pack — Single File",
    "",
    "This is a single-file bundle intended for review environments that cannot reliably fetch multiple URLs.",
    "",
    "## Links",
    "",
    `- Pack (this file): ${packUrl}`,
    `- Review pack (links only): ${reviewUrl}`,
    `- Dossier (rendered): ${dossierUrl}`,
    `- Dossier (download Markdown): ${downloadUrl}`,
    `- IF.TRACE receipt page: ${traceUrl}`,
    staticSourceUrl ? `- Source (download): ${staticSourceUrl}` : null,
    externalReviewUrl ? `- Feedback intake (login): ${externalReviewUrl}` : null,
    mirrorBase ? "" : null,
    mirrorBase ? "## Alternate host mirror (same paths)" : null,
    mirrorBase ? "" : null,
    mirrorBase ? `- Pack (this file): ${mirrorBase}/static/pack/${encodeURIComponent(shareId)}.md` : null,
    mirrorBase ? `- Review pack: ${mirrorBase}/static/review/${encodeURIComponent(shareId)}.md` : null,
    mirrorBase ? `- Dossier: ${mirrorBase}/static/dossier/${encodeURIComponent(shareId)}` : null,
    mirrorBase ? `- Trace: ${mirrorBase}/static/trace/${encodeURIComponent(shareId)}` : null,
    "",
    "## Review instructions (portable)",
    "",
    "Hard rules:",
    "1) 100% factual: every non-trivial claim must be tagged [SOURCE]/[DOSSIER]/[TRACE]/[INFERENCE]. If unverified, say “unverified” and stop.",
    "2) Vendor-neutral: critique deployment conditions + org behaviors, not vendor intent/competence.",
    "3) Mirror discipline: follow the dossier’s section order; do not invent a new structure.",
    "",
    "Deliverables:",
    "A) 5–10 bullets: what works / what doesn’t (tag each)",
    "B) Scorecard (0–5): mirror integrity, layout fidelity, humor discipline, mermaid value, IF.TRACE demo value, CTA stealth",
    "C) Section-by-section critique (mirror headings): what’s mirrored, what’s missing, what feels templated/repeated",
    "D) Vendor-safe conclusion rewrite: success conditions / traps / questions-to-ask-vendor",
    "E) Unified diff patches against the current Dave bible (e.g., `IF_DAVE_BIBLE_v2.0.md`) and generator rules",
    "",
    "## IF.TRACE receipt (portable extract)",
    "",
    "```json",
    JSON.stringify(jobSlim, null, 2),
    "```",
    "",
    "## Shadow dossier (Markdown)",
    "",
    "```markdown",
    String(dossierMarkdown || "").trim(),
    "```",
    "",
  ];

  return lines.filter((line) => line !== null && line !== undefined).join("\n");
}

function extractSection(markdownText, sectionMatcher) {
  const text = String(markdownText || "");
  if (!text.trim()) return "";
  const lines = text.split("\n");
  const headingRe = /^##\s+/;
  let start = -1;
  for (let i = 0; i < lines.length; i++) {
    if (!headingRe.test(lines[i])) continue;
    const title = lines[i].replace(/^##\s+/, "").trim();
    if (sectionMatcher && sectionMatcher.test(title)) {
      start = i;
      break;
    }
  }
  if (start === -1) return "";
  let end = lines.length;
  for (let i = start + 1; i < lines.length; i++) {
    if (headingRe.test(lines[i])) {
      end = i;
      break;
    }
  }
  return lines.slice(start, end).join("\n").trim();
}

function extractFirstMermaid(markdownText) {
  const text = String(markdownText || "");
  const m = text.match(/```mermaid\s+([\s\S]*?)```/m);
  return m ? String(m[1] || "").trim() : "";
}

function extractHeroMermaid(dossierMarkdown) {
  // Prefer the section that usually produces the most "hero" marketing loop for this dossier: audits.
  const sec02 = extractSection(dossierMarkdown, /^02\b/);
  const sec02Diagram = extractFirstMermaid(sec02);
  if (sec02Diagram) return { label: "Audit theater loop", diagram: sec02Diagram };
  const any = extractFirstMermaid(dossierMarkdown);
  if (any) return { label: "Incentive loop (inferred)", diagram: any };
  return { label: "", diagram: "" };
}

function renderMarketingPackMarkdown({ shareId, job, publicBaseUrl, staticPublicBaseUrl, staticSourceUrl, dossierMarkdown }) {
  const primaryBase = normalizeBaseUrl(staticPublicBaseUrl || publicBaseUrl);
  const bases = staticMirrorBaseUrls(primaryBase, publicBaseUrl);
  const mirrorBase = bases.find((b) => b !== primaryBase) || "";

  const marketingUrl = `${primaryBase}/static/marketing/${encodeURIComponent(shareId)}.md`;
  const dossierUrl = `${primaryBase}/static/dossier/${encodeURIComponent(shareId)}`;
  const traceUrl = `${primaryBase}/static/trace/${encodeURIComponent(shareId)}`;
  const packUrl = `${primaryBase}/static/pack/${encodeURIComponent(shareId)}.md`;

  const hero = extractHeroMermaid(dossierMarkdown);

  const lines = [
    "# InfraFabric Red Team — Marketing-safe excerpt",
    "",
    "This is a **marketing-safe surface** for sharing a Shadow Dossier without rewriting it into “features”.",
    "",
    "## One sentence (blessed)",
    "",
    "> InfraFabric shows why AI controls fail in practice and what must be true for them to hold.",
    "",
    "## Hero asset (blessed)",
    "",
    hero.diagram ? `### ${hero.label}` : "### (No diagram available)",
    "",
    hero.diagram ? "```mermaid" : null,
    hero.diagram ? hero.diagram : null,
    hero.diagram ? "```" : null,
    "",
    "## Allowed pulls (blessed)",
    "",
    "- Section titles",
    "- “Dave Factor” blocks (verbatim)",
    "- Mermaid diagrams (unchanged)",
    "- Red Team Conclusion questions (verbatim)",
    "",
    "## Forbidden moves (do not do this)",
    "",
    "- Rewriting countermeasures as product capabilities",
    "- Adding adjectives that imply guarantees (\"proven\", \"complete\", \"bulletproof\")",
    "- Removing the “problem isn’t X” framing (it’s the vendor-safe contract)",
    "- Inventing stats, timelines, or customer claims",
    "",
    "## CTAs (safe buttons)",
    "",
    "- Run this against your own rollout",
    "- See the trace behind this critique",
    "- Ask these questions internally",
    "",
    "## Links",
    "",
    `- Marketing excerpt (this file): ${marketingUrl}`,
    `- Full dossier (rendered): ${dossierUrl}`,
    `- Single-file pack (review + dossier + trace): ${packUrl}`,
    `- IF.TRACE receipt: ${traceUrl}`,
    staticSourceUrl ? `- Source (PDF): ${staticSourceUrl}` : null,
    mirrorBase ? "" : null,
    mirrorBase ? "## Mirror host (same paths)" : null,
    mirrorBase ? "" : null,
    mirrorBase ? `- Marketing excerpt: ${mirrorBase}/static/marketing/${encodeURIComponent(shareId)}.md` : null,
    mirrorBase ? `- Full dossier: ${mirrorBase}/static/dossier/${encodeURIComponent(shareId)}` : null,
    mirrorBase ? `- Pack: ${mirrorBase}/static/pack/${encodeURIComponent(shareId)}.md` : null,
    mirrorBase ? `- Trace: ${mirrorBase}/static/trace/${encodeURIComponent(shareId)}` : null,
  ].filter((l) => l !== null);

  return lines.join("\n");
}

function ensureStaticSourceFile({ job, uploadsDir, staticSourceDir, projectRoot }) {
  if (!job?.sourcePath) return null;
  if (!job?.sourceSha256) return null;

  const ext = path.extname(String(job.sourcePath || "")).slice(0, 12).toLowerCase() || ".bin";
  const fileName = `${job.sourceSha256}${ext}`;
  const destAbs = path.join(staticSourceDir, fileName);
  if (fs.existsSync(destAbs)) return { fileName, destAbs, urlPath: `/static/source/${fileName}` };

  const srcAbs = path.resolve(projectRoot, job.sourcePath);
  if (!srcAbs.startsWith(uploadsDir + path.sep)) return null;
  if (!fs.existsSync(srcAbs)) return null;

  ensureDir(staticSourceDir);
  fs.copyFileSync(srcAbs, destAbs);
  return { fileName, destAbs, urlPath: `/static/source/${fileName}` };
}

function buildExternalReviewUrl(baseUrl, sheetId) {
  const base = String(baseUrl || "").trim();
  const id = String(sheetId || "").trim();
  if (!base || !id) return "";
  try {
    const u = new URL(base);
    u.searchParams.set("sheet", id);
    return u.toString();
  } catch {
    return base.includes("?") ? `${base}&sheet=${encodeURIComponent(id)}` : `${base}?sheet=${encodeURIComponent(id)}`;
  }
}

function publicBaseFromRequest(req, fallbackHost) {
  const host = req.get("host") || fallbackHost || "red-team.infrafabric.io";
  const protocol = req.protocol || "https";
  return `${protocol}://${host}`.replace(/\/+$/g, "");
}

function staticPublicBaseUrlForRequest(req, fallbackPublicBaseUrl) {
  const explicit = String(process.env.STATIC_SOURCE_PUBLIC_BASE_URL || "").trim();
  if (explicit) return explicit.replace(/\/+$/g, "");
  return publicBaseFromRequest(req, fallbackPublicBaseUrl);
}

function tttRegistryBaseUrl() {
  const explicit = String(process.env.TTT_REGISTRY_BASE_URL || "").trim();
  return explicit ? explicit.replace(/\/+$/g, "") : "";
}

function tttRegistryApiToken() {
  return String(process.env.TTT_API_TOKEN || "").trim();
}

async function fetchJson(url, { method = "GET", headers, body, timeoutMs = 4500 } = {}) {
  const controller = new AbortController();
  const t = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const resp = await fetch(url, { method, headers, body, signal: controller.signal });
    const text = await resp.text();
    let data = null;
    try {
      data = JSON.parse(text);
    } catch {
      data = { raw: text };
    }
    return { ok: resp.ok, status: resp.status, data };
  } finally {
    clearTimeout(t);
  }
}

function traceReceiptRecordId(traceId) {
  const id = String(traceId || "").trim();
  if (!looksLikeUuid(id)) return "";
  return `if://trace/${id}/v1`;
}

function buildTraceReceiptEvidence({ job, shareId, staticPublicBaseUrl }) {
  const base = normalizeBaseUrl(staticPublicBaseUrl || process.env.STATIC_SOURCE_PUBLIC_BASE_URL || "https://infrafabric.io");

  const sid = String(shareId || "").trim();
  const traceId = String(job?.id || "").trim();

  const sourceExt = String(job?.sourcePath ? path.extname(job.sourcePath) : "").toLowerCase() || ".pdf";
  const sourceUrl = job?.sourceSha256 ? `${base}/static/source/${job.sourceSha256}${sourceExt}` : "";

  return {
    share_id: sid,
    trace_id: traceId,
    created_at: job?.createdAt || "",
    style: job?.style || "",
    source_sha256: job?.sourceSha256 || "",
    output_sha256: job?.outputSha256 || "",
    urls: {
      pack_md: `${base}/static/pack/${encodeURIComponent(sid)}.md`,
      pack_html: `${base}/static/pack/${encodeURIComponent(sid)}`,
      review_html: `${base}/static/review/${encodeURIComponent(sid)}`,
      marketing_html: `${base}/static/marketing/${encodeURIComponent(sid)}`,
      dossier_html: `${base}/static/dossier/${encodeURIComponent(sid)}`,
      dossier_md: `${base}/static/dossier/${encodeURIComponent(sid)}/download`,
      trace_html: `${base}/static/trace/${encodeURIComponent(sid)}`,
      source_pdf: sourceUrl,
    },
  };
}

function summarizeTttRecord(record) {
  const rec = record && typeof record === "object" ? record : null;
  if (!rec) return null;
  const pqStatus = String(rec.pq_status || "").trim();
  const pqAlgo = String(rec.pq_algo || "").trim();
  const signaturePqPresent = Boolean(rec.signature_pq);
  return {
    id: String(rec.id || "").trim(),
    content_hash: String(rec.content_hash || "").trim(),
    signer: String(rec.signer || "").trim(),
    pq_status: pqStatus,
    pq_algo: pqAlgo,
    pq_signature_present: signaturePqPresent,
    quantum_ready: signaturePqPresent && pqStatus !== "classical-only",
  };
}

async function fetchTttRecordById(recordId) {
  const base = tttRegistryBaseUrl();
  if (!base || !recordId) return { ok: false, status: 0, record: null };
  const u = `${base}/v1/citation?id=${encodeURIComponent(recordId)}`;
  try {
    const { ok, status, data } = await fetchJson(u, { method: "GET" });
    const verified = Boolean(data && data.verified === true);
    const record = verified && data && data.record ? data.record : null;
    return { ok: ok && verified, status, record };
  } catch {
    return { ok: false, status: 0, record: null };
  }
}

async function upsertTttTraceReceipt({ job, shareId, staticPublicBaseUrl }) {
  const base = tttRegistryBaseUrl();
  if (!base) return { ok: false, status: 0, record: null, mode: "disabled" };

  const rid = traceReceiptRecordId(job?.id);
  if (!rid) return { ok: false, status: 0, record: null, mode: "invalid_trace_id" };

  // Best effort: read-only GET first (no token required).
  const existing = await fetchTttRecordById(rid);
  if (existing.ok && existing.record) return { ok: true, status: 200, record: existing.record, mode: "found" };

  const token = tttRegistryApiToken();
  if (!token) return { ok: false, status: 0, record: null, mode: "no_token" };

  const evidence = buildTraceReceiptEvidence({ job, shareId, staticPublicBaseUrl });
  const claim = `IF.TRACE receipt (T3) for shareId=${shareId} trace_id=${job.id}`;
  const payload = {
    id: rid,
    claim,
    evidence,
    timestamp: job?.createdAt || undefined,
  };

  const url = `${base}/v1/citation`;
  try {
    const { ok, status, data } = await fetchJson(url, {
      method: "POST",
      headers: {
        Authorization: `Bearer ${token}`,
        "Content-Type": "application/json; charset=utf-8",
      },
      body: JSON.stringify(payload),
      timeoutMs: 6500,
    });
    if (!ok || !data || !data.record) return { ok: false, status, record: null, mode: "create_failed" };
    return { ok: true, status, record: data.record, mode: "created" };
  } catch {
    return { ok: false, status: 0, record: null, mode: "create_failed" };
  }
}

function looksLikeUuid(value) {
  return /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(String(value || ""));
}

function jobJsonPath(jobsDir, jobId) {
  return path.join(jobsDir, `${jobId}.json`);
}

function readJob(jobsDir, jobId) {
  const p = jobJsonPath(jobsDir, jobId);
  if (!fs.existsSync(p)) return null;
  try {
    return JSON.parse(fs.readFileSync(p, "utf8"));
  } catch {
    return null;
  }
}

function writeJob(jobsDir, job) {
  const p = jobJsonPath(jobsDir, job.id);
  fs.writeFileSync(p, JSON.stringify(job, null, 2) + "\n", "utf8");
}

function shareJsonPath(sharesDir, shareId) {
  return path.join(sharesDir, `${shareId}.json`);
}

function writeShare(sharesDir, shareId, data) {
  const p = shareJsonPath(sharesDir, shareId);
  fs.writeFileSync(p, JSON.stringify(data, null, 2) + "\n", "utf8");
}

function readShare(sharesDir, shareId) {
  const p = shareJsonPath(sharesDir, shareId);
  if (!fs.existsSync(p)) return null;
  try {
    return JSON.parse(fs.readFileSync(p, "utf8"));
  } catch {
    return null;
  }
}

async function sha256File(filePath) {
  return await new Promise((resolve, reject) => {
    const h = crypto.createHash("sha256");
    const s = fs.createReadStream(filePath);
    s.on("error", reject);
    s.on("data", (chunk) => h.update(chunk));
    s.on("end", () => resolve(h.digest("hex")));
  });
}

function runProcess(command, args, { cwd, env }) {
  return new Promise((resolve) => {
    const child = spawn(command, args, {
      cwd,
      env,
      stdio: ["ignore", "pipe", "pipe"],
    });

    let stdout = "";
    let stderr = "";
    child.stdout.on("data", (d) => {
      stdout += d.toString("utf8");
      if (stdout.length > 256_000) stdout = stdout.slice(-256_000);
    });
    child.stderr.on("data", (d) => {
      stderr += d.toString("utf8");
      if (stderr.length > 256_000) stderr = stderr.slice(-256_000);
    });

    child.on("error", (err) => {
      const msg = err?.message ? String(err.message) : String(err);
      resolve({ code: 127, stdout, stderr: (stderr ? `${stderr}\n` : "") + msg });
    });

    child.on("close", (code) => resolve({ code: code ?? 0, stdout, stderr }));
  });
}

async function generateShadowDossier({ inputPath, outputPath }) {
  const revoiceModule = path.join(revoiceRepoRoot, "src", "revoice");
  if (!fs.existsSync(revoiceModule)) {
    throw new Error(`Missing revoice pipeline at ${revoiceModule}`);
  }

  const baseEnv = {
    ...process.env,
    PYTHONPATH: path.join(revoiceRepoRoot, "src"),
  };

  const genArgs = ["-m", "revoice", "generate", "--style", privateUploadStyle];
  if (["1", "true", "yes", "on"].includes(privateUploadActionPack)) genArgs.push("--action-pack");
  genArgs.push("--input", inputPath, "--output", outputPath);

  const gen = await runProcess(
    "python3",
    genArgs,
    { cwd: revoiceRepoRoot, env: baseEnv }
  );
  if (gen.code !== 0) {
    throw new Error(`revoice generate failed (code ${gen.code}): ${gen.stderr || gen.stdout}`);
  }

  const preflight = await runProcess(
    "python3",
    ["-m", "revoice", "preflight", "--style", privateUploadStyle, "--input", outputPath, "--source", inputPath],
    { cwd: revoiceRepoRoot, env: baseEnv }
  );
  const warnings = preflight.code === 0 ? "" : preflight.stderr || preflight.stdout;
  if (preflight.code !== 0 && preflight.code !== 2) {
    throw new Error(`revoice preflight failed (code ${preflight.code}): ${preflight.stderr || preflight.stdout}`);
  }
  return { warnings };
}

function pickPhrases(input) {
  const text = String(input || "").replace(/\r\n?/g, "\n");
  const lines = text
    .split("\n")
    .map((l) => l.trim())
    .filter(Boolean)
    .slice(0, 200);

  const interesting = [];
  const needles = ["must", "should", "require", "required", "ensure", "enforce", "policy", "control", "audit", "compliance"];
  for (const line of lines) {
    const lower = line.toLowerCase();
    if (needles.some((n) => lower.includes(n))) interesting.push(line);
    if (interesting.length >= 4) break;
  }

  if (interesting.length) return interesting;
  return lines.slice(0, 3);
}

function generateRoastText(content) {
  const trimmed = String(content || "").trim();
  const phrases = pickPhrases(trimmed);

  const bullets = phrases.map((p) => `- ${p.length > 120 ? `${p.slice(0, 117)}…` : p}`).join("\n");

  return [
    "We love the ambition here and are directionally aligned with the idea of \"secure rollout\" as long as we define secure as \"documented\" and rollout as \"phased.\"",
    "",
    "Key risk: this reads like a control narrative optimized for sign-off, not for the Friday-afternoon pull request that actually ships the code.",
    "",
    "Observed control theater (excerpt):",
    bullets ? bullets : "- (no extractable claims detected)",
    "",
    "Recommendation: convert every \"should\" into an owner, a gate (PR/CI/access), and a stop condition. Otherwise this becomes an alignment session that reproduces itself indefinitely.",
  ].join("\n");
}

function main() {
  const port = Number(process.env.PORT || 8080);
  const app = express();
  app.set("trust proxy", true);
  const configuredDataDir = String(process.env.RED_TEAM_DATA_DIR || "").trim();
  const dataDir = configuredDataDir ? path.resolve(configuredDataDir) : path.join(projectRoot, "data");
  const uploadsDir = path.join(dataDir, "uploads");
  const outputsDir = path.join(dataDir, "outputs");
  const jobsDir = path.join(dataDir, "jobs");
  const sharesDir = path.join(dataDir, "shares");
  const staticDir = path.join(dataDir, "static");
  const staticSourceDir = path.join(staticDir, "source");

  ensureDir(uploadsDir);
  ensureDir(outputsDir);
  ensureDir(jobsDir);
  ensureDir(sharesDir);
  ensureDir(staticDir);
  ensureDir(staticSourceDir);

  app.disable("x-powered-by");
  app.use(express.json({ limit: "256kb" }));
  app.use("/static", express.static(staticDir, { fallthrough: false, etag: true, maxAge: "30d" }));

  app.get("/healthz", (_req, res) => {
    res.status(200).json({ ok: true });
  });

  app.post("/api/roast", (req, res) => {
    const content = String(req.body?.content ?? "");
    if (!content.trim()) return res.status(400).json({ text: "Missing content" });
    if (content.length > 20_000) return res.status(413).json({ text: "Content too large" });
    return res.status(200).json({ text: generateRoastText(content) });
  });

  const privateUploadEnabled = Boolean(privateUploadToken.trim());
  const privateGuard = (req, res, next) => {
    if (!privateUploadEnabled) return res.status(404).type("text/plain").send("Not found");
    if (req.params?.token !== privateUploadToken) return res.status(404).type("text/plain").send("Not found");
    return next();
  };

  const upload = multer({
    storage: multer.diskStorage({
      destination: (_req, _file, cb) => cb(null, uploadsDir),
      filename: (req, file, cb) => {
        const id = crypto.randomUUID();
        req._jobId = id;
        const ext = path.extname(file.originalname || "").slice(0, 12).toLowerCase();
        cb(null, `${id}${ext}`);
      },
    }),
    limits: { fileSize: privateUploadMaxBytes, files: 1 },
  });

  app.get("/private/:token", privateGuard, (req, res) => {
    const token = req.params.token;
    res
      .status(200)
      .type("text/html; charset=utf-8")
      .send(
        [
          "<!doctype html>",
          "<html><head>",
          "<meta charset='utf-8'/>",
          "<meta name='viewport' content='width=device-width, initial-scale=1'/>",
          "<title>Private Upload · Shadow Dossier</title>",
          "<style>body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;max-width:900px;margin:40px auto;padding:0 18px;line-height:1.45}code,pre{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace}fieldset{border:1px solid #ddd;border-radius:10px;padding:16px}input,button{font-size:16px}button{padding:10px 14px}small{color:#666}</style>",
          "</head><body>",
          "<h1>Private dossier upload</h1>",
          `<p><small>Style: <code>${escapeHtml(privateUploadStyle)}</code> · Max: <code>${escapeHtml(
            String(privateUploadMaxBytes)
          )}</code> bytes</small></p>`,
          "<fieldset>",
          "<form method='post' enctype='multipart/form-data' action='" +
            `/api/private/${encodeURIComponent(token)}/upload` +
            "'>",
          "<p><input type='file' name='file' required accept='.pdf,.md,.txt' /></p>",
          "<p><button type='submit'>Upload & generate</button></p>",
          "<p><small>Supported: PDF/MD/TXT. Output: Markdown shadow dossier.</small></p>",
          "</form>",
          "</fieldset>",
          "</body></html>",
        ].join("")
      );
  });

  app.get("/private/:token/job/:jobId", privateGuard, (req, res) => {
    const jobId = String(req.params.jobId || "");
    if (!looksLikeUuid(jobId)) return res.status(404).type("text/plain").send("Not found");

    const job = readJob(jobsDir, jobId);
    if (!job) return res.status(404).type("text/plain").send("Not found");

    const status = String(job.status || "unknown");
    const isDone = status === "done" || status === "done_with_warnings";
    const isError = status === "error";
    const token = req.params.token;

    const refresh = isDone || isError ? "" : "<meta http-equiv='refresh' content='2'/>";

    const downloadLink = isDone
      ? `<p><a href="/private/${encodeURIComponent(token)}/download/${encodeURIComponent(jobId)}">Download Markdown</a></p>`
      : "";
    const viewLink = isDone
      ? `<p><a href="/private/${encodeURIComponent(token)}/view/${encodeURIComponent(jobId)}">View rendered dossier</a></p>`
      : "";
    const shareLinks = isDone && job.shareId
      ? [
          "<p><strong>Share links</strong> (no repo):</p>",
          `<p><a href="/r/${encodeURIComponent(job.shareId)}">Public view</a> · <a href="/r/${encodeURIComponent(job.shareId)}/download">Public download</a></p>`,
        ].join("")
      : "";

    const sourceLink = job.sourcePath
      ? `<p><a href="/private/${encodeURIComponent(token)}/source/${encodeURIComponent(jobId)}">Download source</a></p>`
      : "";

    const warnings = job.warnings ? `<pre>${escapeHtml(job.warnings)}</pre>` : "";
    const error = job.error ? `<pre>${escapeHtml(job.error)}</pre>` : "";

    res
      .status(200)
      .type("text/html; charset=utf-8")
      .send(
        [
          "<!doctype html>",
          "<html><head>",
          "<meta charset='utf-8'/>",
          "<meta name='viewport' content='width=device-width, initial-scale=1'/>",
          refresh,
          "<title>Job · Shadow Dossier</title>",
          "<style>body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;max-width:900px;margin:40px auto;padding:0 18px;line-height:1.45}code,pre{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace}pre{background:#f7f7f7;border:1px solid #eee;border-radius:10px;padding:12px;overflow:auto}</style>",
          "</head><body>",
          "<h1>Shadow dossier job</h1>",
          `<p>Status: <code>${escapeHtml(status)}</code></p>`,
          `<p>Job ID: <code>${escapeHtml(jobId)}</code></p>`,
          job.originalFilename ? `<p>Source: <code>${escapeHtml(job.originalFilename)}</code></p>` : "",
          job.sourceSha256 ? `<p>Source sha256: <code>${escapeHtml(job.sourceSha256)}</code></p>` : "",
          job.outputSha256 ? `<p>Output sha256: <code>${escapeHtml(job.outputSha256)}</code></p>` : "",
          job.shareId ? `<p>Share ID: <code>${escapeHtml(job.shareId)}</code></p>` : "",
          downloadLink,
          viewLink,
          sourceLink,
          shareLinks,
          warnings ? "<h2>Warnings</h2>" + warnings : "",
          isError ? "<h2>Error</h2>" + error : "",
          `<p><a href="/private/${encodeURIComponent(token)}">Back to upload</a></p>`,
          "</body></html>",
        ].join("")
      );
  });

  app.get("/private/:token/view/:jobId", privateGuard, (req, res) => {
    const jobId = String(req.params.jobId || "");
    if (!looksLikeUuid(jobId)) return res.status(404).type("text/plain").send("Not found");
    const job = readJob(jobsDir, jobId);
    if (!job) return res.status(404).type("text/plain").send("Not found");
    if (!job.outputPath) return res.status(409).type("text/plain").send("Not ready");

    const abs = path.resolve(projectRoot, job.outputPath);
    if (!abs.startsWith(outputsDir + path.sep)) return res.status(400).type("text/plain").send("Bad path");
    if (!fs.existsSync(abs)) return res.status(404).type("text/plain").send("Not found");

    const mdText = fs.readFileSync(abs, "utf8");
    const html = markdown.render(mdText);

    const token = req.params.token;
    const topLinks = [
      `<a href="/private/${encodeURIComponent(token)}/download/${encodeURIComponent(jobId)}">Download Markdown</a>`,
      job.sourcePath ? `<a href="/private/${encodeURIComponent(token)}/source/${encodeURIComponent(jobId)}">Download source</a>` : "",
      job.shareId ? `<a href="/r/${encodeURIComponent(job.shareId)}">Share view</a>` : "",
    ]
      .filter(Boolean)
      .join(" · ");

    res.status(200).type("text/html; charset=utf-8").send(renderMarkdownPage({ title: job.originalFilename || "Shadow dossier", html, topLinksHtml: topLinks }));
  });

  app.get("/r/:shareId/trace", async (req, res) => {
    const shareId = String(req.params.shareId || "").trim();
    if (!shareId) return res.status(404).type("text/plain").send("Not found");
    const share = readShare(sharesDir, shareId);
    if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found");
    const job = readJob(jobsDir, share.jobId);
    if (!job?.outputPath) return res.status(404).type("text/plain").send("Not found");

    const publicBaseUrl = publicBaseFromRequest(req, "red-team.infrafabric.io");
    const staticPublicBaseUrl = staticPublicBaseUrlForRequest(req, publicBaseUrl);

    // Best-effort: attach a registry-signed trace receipt record so we can render
    // black/white “QUANTUM READY” without over-claiming. If the registry is
    // unreachable, we still render the classic hash receipt.
    let tttTraceReceipt = job.tttTraceReceipt || null;
    if (!tttTraceReceipt || !tttTraceReceipt.id || !tttTraceReceipt.content_hash) {
      const ttt = await upsertTttTraceReceipt({ job, shareId, staticPublicBaseUrl });
      if (ttt.ok && ttt.record) {
        tttTraceReceipt = summarizeTttRecord(ttt.record);
        if (tttTraceReceipt) {
          job.tttTraceReceipt = tttTraceReceipt;
          writeJob(jobsDir, job);
        }
      }
    }

    const verification = await computeVerificationStatus({ job, projectRoot, outputsDir, uploadsDir });
    const jobForRender = { ...job, _verification: verification, _ttt_trace_receipt: tttTraceReceipt };

    const md = renderTraceMarkdown({ shareId, job: jobForRender, publicBaseUrl, staticPublicBaseUrl });
    const html = markdown.render(md);

    const headerHtml = renderTraceHeaderHtml({ verification, job: jobForRender });
    const topLinks = [
      `<a href="/r/${encodeURIComponent(shareId)}">Back to dossier</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/download">Download Markdown</a>`,
      job.sourcePath ? `<a href="/r/${encodeURIComponent(shareId)}/source">Download source</a>` : "",
      `<a href="/r/${encodeURIComponent(shareId)}/review-pack">Review pack (HTML)</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/review-pack.md">Review pack (MD)</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/pack">Single-file pack (HTML)</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/pack.md">Single-file pack (MD)</a>`,
    ]
      .filter(Boolean)
      .join(" · ");

    res
      .status(200)
      .type("text/html; charset=utf-8")
      .send(renderMarkdownPage({ title: "IF.TRACE receipt (T3)", headerHtml, html, topLinksHtml: topLinks }));
  });

  app.get("/r/:shareId/source", (req, res) => {
    const shareId = String(req.params.shareId || "").trim();
    if (!shareId) return res.status(404).type("text/plain").send("Not found");
    const share = readShare(sharesDir, shareId);
    if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found");
    const job = readJob(jobsDir, share.jobId);
    if (!job?.sourcePath) return res.status(404).type("text/plain").send("Not found");

    const staticFile = ensureStaticSourceFile({ job, uploadsDir, staticSourceDir, projectRoot });
    if (!staticFile) return res.status(404).type("text/plain").send("Not found");
    res.redirect(302, staticFile.urlPath);
  });

  // NOTE: These routes intentionally come in pairs:
  // - `*.md` is the raw, download-friendly artifact
  // - same path without `.md` is the HTML view (for HTML-only sandboxes)
  app.get("/r/:shareId/review-pack.md", (req, res) => {
    const shareId = String(req.params.shareId || "").trim();
    if (!shareId) return res.status(404).type("text/plain").send("Not found");
    const share = readShare(sharesDir, shareId);
    if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found");
    const job = readJob(jobsDir, share.jobId);
    if (!job?.outputPath) return res.status(404).type("text/plain").send("Not found");

    const staticSource = ensureStaticSourceFile({ job, uploadsDir, staticSourceDir, projectRoot });
    const externalReviewBaseUrl = String(process.env.EXTERNAL_REVIEW_BASE_URL || "https://emo-social.infrafabric.io/external-review.html");
    const externalReviewUrl = buildExternalReviewUrl(externalReviewBaseUrl, share.reviewSheetId);
    const publicBaseUrl = publicBaseFromRequest(req, "red-team.infrafabric.io");
    const staticPublicBaseUrl = staticPublicBaseUrlForRequest(req, publicBaseUrl);
    const staticSourceUrl = staticSource ? `${staticPublicBaseUrl}${staticSource.urlPath}` : "";

    const md = renderReviewPackMarkdown({ shareId, job, publicBaseUrl, externalReviewUrl, staticSourceUrl, staticPublicBaseUrl });
    const baseName = (job.originalFilename || "dossier").replace(/[^A-Za-z0-9._-]+/g, "-").slice(0, 60);
    res
      .status(200)
      .type("text/markdown; charset=utf-8")
      .send(md);
  });

  app.get("/r/:shareId/review-pack", (req, res) => {
    const shareId = String(req.params.shareId || "").trim();
    if (!shareId) return res.status(404).type("text/plain").send("Not found");
    const share = readShare(sharesDir, shareId);
    if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found");
    const job = readJob(jobsDir, share.jobId);
    if (!job?.outputPath) return res.status(404).type("text/plain").send("Not found");

    const staticSource = ensureStaticSourceFile({ job, uploadsDir, staticSourceDir, projectRoot });
    const externalReviewBaseUrl = String(process.env.EXTERNAL_REVIEW_BASE_URL || "https://emo-social.infrafabric.io/external-review.html");
    const externalReviewUrl = buildExternalReviewUrl(externalReviewBaseUrl, share.reviewSheetId);
    const publicBaseUrl = publicBaseFromRequest(req, "red-team.infrafabric.io");
    const staticPublicBaseUrl = staticPublicBaseUrlForRequest(req, publicBaseUrl);
    const staticSourceUrl = staticSource ? `${staticPublicBaseUrl}${staticSource.urlPath}` : "";

    const md = renderReviewPackMarkdown({ shareId, job, publicBaseUrl, externalReviewUrl, staticSourceUrl, staticPublicBaseUrl });
    const html = markdown.render(md);
    const topLinks = [
      `<a href="/r/${encodeURIComponent(shareId)}">Back to dossier</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/review-pack.md">Raw Markdown</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/pack">Single-file pack (HTML)</a>`,
    ]
      .filter(Boolean)
      .join(" · ");
    res.status(200).type("text/html; charset=utf-8").send(renderMarkdownPage({ title: "Review pack", html, topLinksHtml: topLinks }));
  });

  app.get("/r/:shareId/pack.md", (req, res) => {
    const shareId = String(req.params.shareId || "").trim();
    if (!shareId) return res.status(404).type("text/plain").send("Not found");
    const share = readShare(sharesDir, shareId);
    if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found");
    const job = readJob(jobsDir, share.jobId);
    if (!job?.outputPath) return res.status(404).type("text/plain").send("Not found");

    const abs = path.resolve(projectRoot, job.outputPath);
    if (!abs.startsWith(outputsDir + path.sep)) return res.status(400).type("text/plain").send("Bad path");
    if (!fs.existsSync(abs)) return res.status(404).type("text/plain").send("Not found");
    const dossierMarkdown = fs.readFileSync(abs, "utf8");

    const staticSource = ensureStaticSourceFile({ job, uploadsDir, staticSourceDir, projectRoot });
    const externalReviewBaseUrl = String(process.env.EXTERNAL_REVIEW_BASE_URL || "https://emo-social.infrafabric.io/external-review.html");
    const externalReviewUrl = buildExternalReviewUrl(externalReviewBaseUrl, share.reviewSheetId);
    const publicBaseUrl = publicBaseFromRequest(req, "red-team.infrafabric.io");
    const staticPublicBaseUrl = staticPublicBaseUrlForRequest(req, publicBaseUrl);
    const staticSourceUrl = staticSource ? `${staticPublicBaseUrl}${staticSource.urlPath}` : "";

    const md = renderSingleFilePackMarkdown({
      shareId,
      job,
      publicBaseUrl,
      externalReviewUrl,
      staticSourceUrl,
      staticPublicBaseUrl,
      dossierMarkdown,
    });

    res.status(200).type("text/markdown; charset=utf-8").send(md);
  });

  app.get("/r/:shareId/pack", (req, res) => {
    const shareId = String(req.params.shareId || "").trim();
    if (!shareId) return res.status(404).type("text/plain").send("Not found");
    const share = readShare(sharesDir, shareId);
    if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found");
    const job = readJob(jobsDir, share.jobId);
    if (!job?.outputPath) return res.status(404).type("text/plain").send("Not found");

    const abs = path.resolve(projectRoot, job.outputPath);
    if (!abs.startsWith(outputsDir + path.sep)) return res.status(400).type("text/plain").send("Bad path");
    if (!fs.existsSync(abs)) return res.status(404).type("text/plain").send("Not found");
    const dossierMarkdown = fs.readFileSync(abs, "utf8");

    const staticSource = ensureStaticSourceFile({ job, uploadsDir, staticSourceDir, projectRoot });
    const externalReviewBaseUrl = String(process.env.EXTERNAL_REVIEW_BASE_URL || "https://emo-social.infrafabric.io/external-review.html");
    const externalReviewUrl = buildExternalReviewUrl(externalReviewBaseUrl, share.reviewSheetId);
    const publicBaseUrl = publicBaseFromRequest(req, "red-team.infrafabric.io");
    const staticPublicBaseUrl = staticPublicBaseUrlForRequest(req, publicBaseUrl);
    const staticSourceUrl = staticSource ? `${staticPublicBaseUrl}${staticSource.urlPath}` : "";

    const md = renderSingleFilePackMarkdown({
      shareId,
      job,
      publicBaseUrl,
      externalReviewUrl,
      staticSourceUrl,
      staticPublicBaseUrl,
      dossierMarkdown,
    });
    const html = markdown.render(md);
    const topLinks = [
      `<a href="/r/${encodeURIComponent(shareId)}">Back to dossier</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/pack.md">Raw Markdown</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/review-pack">Review pack (HTML)</a>`,
    ]
      .filter(Boolean)
      .join(" · ");
    res.status(200).type("text/html; charset=utf-8").send(renderMarkdownPage({ title: "Single-file pack", html, topLinksHtml: topLinks }));
  });

  app.get("/r/:shareId/marketing.md", (req, res) => {
    const shareId = String(req.params.shareId || "").trim();
    if (!shareId) return res.status(404).type("text/plain").send("Not found");
    const share = readShare(sharesDir, shareId);
    if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found");
    const job = readJob(jobsDir, share.jobId);
    if (!job?.outputPath) return res.status(404).type("text/plain").send("Not found");

    const abs = path.resolve(projectRoot, job.outputPath);
    if (!abs.startsWith(outputsDir + path.sep)) return res.status(400).type("text/plain").send("Bad path");
    if (!fs.existsSync(abs)) return res.status(404).type("text/plain").send("Not found");
    const dossierMarkdown = fs.readFileSync(abs, "utf8");

    const staticSource = ensureStaticSourceFile({ job, uploadsDir, staticSourceDir, projectRoot });
    const publicBaseUrl = publicBaseFromRequest(req, "red-team.infrafabric.io");
    const staticPublicBaseUrl = staticPublicBaseUrlForRequest(req, publicBaseUrl);
    const staticSourceUrl = staticSource ? `${staticPublicBaseUrl}${staticSource.urlPath}` : "";

    const md = renderMarketingPackMarkdown({
      shareId,
      job,
      publicBaseUrl,
      staticPublicBaseUrl,
      staticSourceUrl,
      dossierMarkdown,
    });

    res.status(200).type("text/markdown; charset=utf-8").send(md);
  });

  app.get("/r/:shareId/marketing", (req, res) => {
    const shareId = String(req.params.shareId || "").trim();
    if (!shareId) return res.status(404).type("text/plain").send("Not found");
    const share = readShare(sharesDir, shareId);
    if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found");
    const job = readJob(jobsDir, share.jobId);
    if (!job?.outputPath) return res.status(404).type("text/plain").send("Not found");

    const abs = path.resolve(projectRoot, job.outputPath);
    if (!abs.startsWith(outputsDir + path.sep)) return res.status(400).type("text/plain").send("Bad path");
    if (!fs.existsSync(abs)) return res.status(404).type("text/plain").send("Not found");
    const dossierMarkdown = fs.readFileSync(abs, "utf8");

    const staticSource = ensureStaticSourceFile({ job, uploadsDir, staticSourceDir, projectRoot });
    const publicBaseUrl = publicBaseFromRequest(req, "red-team.infrafabric.io");
    const staticPublicBaseUrl = staticPublicBaseUrlForRequest(req, publicBaseUrl);
    const staticSourceUrl = staticSource ? `${staticPublicBaseUrl}${staticSource.urlPath}` : "";

    const md = renderMarketingPackMarkdown({
      shareId,
      job,
      publicBaseUrl,
      staticPublicBaseUrl,
      staticSourceUrl,
      dossierMarkdown,
    });
    const html = markdown.render(md);
    const topLinks = [
      `<a href="/r/${encodeURIComponent(shareId)}">Back to dossier</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/marketing.md">Raw Markdown</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/pack">Single-file pack (HTML)</a>`,
    ]
      .filter(Boolean)
      .join(" · ");
    res.status(200).type("text/html; charset=utf-8").send(renderMarkdownPage({ title: "Marketing excerpt", html, topLinksHtml: topLinks }));
  });

  app.get("/r/:shareId", (req, res) => {
    const shareId = String(req.params.shareId || "").trim();
    if (!shareId) return res.status(404).type("text/plain").send("Not found");
    const share = readShare(sharesDir, shareId);
    if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found");
    const job = readJob(jobsDir, share.jobId);
    if (!job?.outputPath) return res.status(404).type("text/plain").send("Not found");

    const abs = path.resolve(projectRoot, job.outputPath);
    if (!abs.startsWith(outputsDir + path.sep)) return res.status(400).type("text/plain").send("Bad path");
    if (!fs.existsSync(abs)) return res.status(404).type("text/plain").send("Not found");

    const mdText = fs.readFileSync(abs, "utf8");
    const html = markdown.render(mdText);
    const externalReviewBaseUrl = String(process.env.EXTERNAL_REVIEW_BASE_URL || "https://emo-social.infrafabric.io/external-review.html");
    const externalReviewUrl = buildExternalReviewUrl(externalReviewBaseUrl, share.reviewSheetId);
    const topLinks = [
      `<a href="/r/${encodeURIComponent(shareId)}/download">Download Markdown</a>`,
      job.sourcePath ? `<a href="/r/${encodeURIComponent(shareId)}/source">Download source</a>` : "",
      `<a href="/r/${encodeURIComponent(shareId)}/trace">IF.TRACE receipt</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/review-pack">Review pack (HTML)</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/review-pack.md">Review pack (MD)</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/pack">Single-file pack (HTML)</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/pack.md">Single-file pack (MD)</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/marketing">Marketing excerpt (HTML)</a>`,
      `<a href="/r/${encodeURIComponent(shareId)}/marketing.md">Marketing excerpt (MD)</a>`,
      externalReviewUrl ? `<a href="${escapeHtml(externalReviewUrl)}" target="_blank" rel="noreferrer">Feedback intake (login)</a>` : "",
    ]
      .filter(Boolean)
      .join(" · ");
    res.status(200).type("text/html; charset=utf-8").send(renderMarkdownPage({ title: job.originalFilename || "Shadow dossier", html, topLinksHtml: topLinks }));
  });

  app.get("/r/:shareId/download", (req, res) => {
    const shareId = String(req.params.shareId || "").trim();
    if (!shareId) return res.status(404).type("text/plain").send("Not found");
    const share = readShare(sharesDir, shareId);
    if (!share?.jobId || !looksLikeUuid(share.jobId)) return res.status(404).type("text/plain").send("Not found");
    const job = readJob(jobsDir, share.jobId);
    if (!job?.outputPath) return res.status(404).type("text/plain").send("Not found");

    const abs = path.resolve(projectRoot, job.outputPath);
    if (!abs.startsWith(outputsDir + path.sep)) return res.status(400).type("text/plain").send("Bad path");
    if (!fs.existsSync(abs)) return res.status(404).type("text/plain").send("Not found");

    const baseName = (job.originalFilename || "dossier").replace(/[^A-Za-z0-9._-]+/g, "-").slice(0, 60);
    res.download(abs, `${baseName}.shadow.dave.md`);
  });

  app.get("/private/:token/download/:jobId", privateGuard, (req, res) => {
    const jobId = String(req.params.jobId || "");
    if (!looksLikeUuid(jobId)) return res.status(404).type("text/plain").send("Not found");
    const job = readJob(jobsDir, jobId);
    if (!job) return res.status(404).type("text/plain").send("Not found");
    if (!job.outputPath) return res.status(409).type("text/plain").send("Not ready");
    const abs = path.resolve(projectRoot, job.outputPath);
    if (!abs.startsWith(outputsDir + path.sep)) return res.status(400).type("text/plain").send("Bad path");
    if (!fs.existsSync(abs)) return res.status(404).type("text/plain").send("Not found");

    const baseName = (job.originalFilename || "dossier").replace(/[^A-Za-z0-9._-]+/g, "-").slice(0, 60);
    res.download(abs, `${baseName}.shadow.dave.md`);
  });

  app.get("/private/:token/source/:jobId", privateGuard, (req, res) => {
    const jobId = String(req.params.jobId || "");
    if (!looksLikeUuid(jobId)) return res.status(404).type("text/plain").send("Not found");
    const job = readJob(jobsDir, jobId);
    if (!job) return res.status(404).type("text/plain").send("Not found");
    if (!job.sourcePath) return res.status(404).type("text/plain").send("Not found");
    const abs = path.resolve(projectRoot, job.sourcePath);
    if (!abs.startsWith(uploadsDir + path.sep)) return res.status(400).type("text/plain").send("Bad path");
    if (!fs.existsSync(abs)) return res.status(404).type("text/plain").send("Not found");
    const baseName = (job.originalFilename || "source").replace(/[^A-Za-z0-9._-]+/g, "-").slice(0, 80);
    res.download(abs, baseName);
  });

  app.post("/api/private/:token/upload", privateGuard, upload.single("file"), async (req, res) => {
    const jobId = req._jobId || crypto.randomUUID();
    const file = req.file;
    if (!file?.path) return res.status(400).type("text/plain").send("Missing file");

    const relSourcePath = path.relative(projectRoot, file.path);
    const absOutputPath = path.join(outputsDir, `${jobId}.shadow.dave.md`);
    const relOutputPath = path.relative(projectRoot, absOutputPath);
    const shareId = crypto.randomBytes(18).toString("base64url");

    const now = new Date().toISOString();
    const job = {
      id: jobId,
      status: "processing",
      createdAt: now,
      originalFilename: file.originalname || "",
      sourcePath: relSourcePath,
      outputPath: relOutputPath,
      shareId,
      style: privateUploadStyle,
      sourceBytes: Number(file.size || 0),
      sourceSha256: "",
      outputSha256: "",
      warnings: "",
      error: "",
    };

    try {
      job.sourceSha256 = await sha256File(file.path);
    } catch (e) {
      job.status = "error";
      job.error = String(e?.message || e || "hash_failed");
      writeJob(jobsDir, job);
      return res.status(500).type("text/plain").send("Failed to hash upload");
    }

    writeJob(jobsDir, job);
    writeShare(sharesDir, shareId, { shareId, jobId, createdAt: now });

    void (async () => {
      try {
        const { warnings } = await generateShadowDossier({ inputPath: file.path, outputPath: absOutputPath });
        job.warnings = warnings ? warnings.trim() : "";
        job.outputSha256 = await sha256File(absOutputPath);
        job.status = job.warnings ? "done_with_warnings" : "done";

        // Best-effort: create a registry-signed trace receipt record (PQ-capable).
        // This must never block publishing; failures degrade gracefully.
        try {
          const staticPublicBaseUrl = normalizeBaseUrl(process.env.STATIC_SOURCE_PUBLIC_BASE_URL || "https://infrafabric.io");
          const ttt = await upsertTttTraceReceipt({ job, shareId, staticPublicBaseUrl });
          if (ttt.ok && ttt.record) {
            const summary = summarizeTttRecord(ttt.record);
            if (summary) job.tttTraceReceipt = summary;
          }
        } catch {
          // ignore
        }

        writeJob(jobsDir, job);
      } catch (e) {
        job.status = "error";
        job.error = String(e?.message || e || "generation_failed");
        writeJob(jobsDir, job);
      }
    })();

    res.redirect(303, `/private/${encodeURIComponent(req.params.token)}/job/${encodeURIComponent(jobId)}`);
  });

  if (fs.existsSync(distDir) && fs.existsSync(indexHtmlPath)) {
    app.use(express.static(distDir, { fallthrough: true }));

    app.get("*", (_req, res) => {
      res.setHeader("Content-Type", "text/html; charset=utf-8");
      res.status(200).sendFile(indexHtmlPath);
    });
  } else {
    app.get("*", (_req, res) => {
      res
        .status(503)
        .type("text/plain")
        .send("red-team site is not built yet. Run `npm install` then `npm run build`.");
    });
  }

  app.listen(port, "0.0.0.0", () => {
    // eslint-disable-next-line no-console
    console.log(`red-team site listening on http://0.0.0.0:${port}`);
  });
}

main();