server.js

import express from 'express';
import path from 'path';
import { fileURLToPath } from 'url';
import { dirname } from 'path';
import { GoogleGenerativeAI } from '@google/generative-ai';
import compression from 'compression';
import rateLimit from 'express-rate-limit';
import cors from 'cors';
import cookieParser from 'cookie-parser';
import crypto from 'crypto';
import xxhash from 'xxhash-wasm';
import { SECURITY_CONFIG } from './serverConfig.js';
import fs from 'fs';
import { execFile } from 'child_process';
import { promisify } from 'util';
import os from 'os';
import multer from 'multer';
import JSZip from 'jszip';

const execFileAsync = promisify(execFile);
import {
  initCache,
  hashContent,
  getCachedAIReport,
  setCachedAIReport,
  getCachedWinDBGAnalysis,
  setCachedWinDBGAnalysis,
  getCachedAnalysis,
  setCachedAnalysis,
  isAnalysisCached,
  getCacheStats
} from './services/cache.js';

const __filename = fileURLToPath(import.meta.url);
const __dirname = dirname(__filename);

const app = express();
const PORT = process.env.PORT || 8080;

// Trust proxy headers (required for Cloud Run)
// Set to 2 to trust both Cloudflare and Cloud Run load balancer
// This ensures req.ip extracts the real client IP from X-Forwarded-For
app.set('trust proxy', 2);

// Helper to get client IP - prefer Cloudflare's header for accuracy
function getClientIp(req) {
  // Cloudflare provides the real client IP in CF-Connecting-IP header
  // This is more reliable than parsing X-Forwarded-For
  return req.headers['cf-connecting-ip'] || req.ip || req.connection.remoteAddress;
}

// Initialize xxhash (awaited before server starts listening)
let hasher;

// Initialize Upstash Redis cache
initCache();

// Secret for session validation
const SESSION_SECRET = process.env.SESSION_SECRET;
if (!SESSION_SECRET) {
  if (process.env.NODE_ENV === 'production') {
    console.error('WARNING: SESSION_SECRET not set - using temporary secret. Sessions will be invalid on restart.');
    // Use a temporary secret to allow the service to start
    const TEMP_SECRET = crypto.randomBytes(32).toString('hex');
    process.env.SESSION_SECRET = TEMP_SECRET;
  }
}
// Use the secret (either from env or temporary)
const ACTUAL_SESSION_SECRET = process.env.SESSION_SECRET || crypto.randomBytes(32).toString('hex');

// Store valid sessions
const validSessions = new Map(); // sessionId -> { hash, timestamp, ip }
const SESSION_EXPIRY = 60 * 60 * 1000; // 1 hour

// Track API requests per session (prevent rapid abuse)
const sessionRequestTracking = new Map(); // sessionId -> { count, resetTime, totalTokens }
const REQUEST_LIMIT_PER_SESSION = 50; // Max 50 requests per hour per session
const TOKEN_LIMIT_PER_SESSION = 500000; // Max ~500K tokens per hour per session (increased for full WinDBG output)

// ============================================================
// External API Key Authentication
// ============================================================
const BSOD_API_KEY = process.env.BSOD_API_KEY;
if (!BSOD_API_KEY) {
  console.warn('WARNING: BSOD_API_KEY not configured - external API access disabled');
}

// Multer configuration for file uploads (memory storage for API endpoint)
const upload = multer({
  storage: multer.memoryStorage(),
  limits: {
    fileSize: 500 * 1024 * 1024, // 500MB max
    files: 1 // Single file only
  },
  fileFilter: (req, file, cb) => {
    // Accept dump files and archives
    const allowedExtensions = ['.dmp', '.mdmp', '.hdmp', '.kdmp', '.zip', '.7z', '.rar'];
    const ext = file.originalname.toLowerCase().substring(file.originalname.lastIndexOf('.'));
    if (allowedExtensions.includes(ext)) {
      cb(null, true);
    } else {
      cb(new Error(`Invalid file type. Allowed: ${allowedExtensions.join(', ')}`));
    }
  }
});

// Clean up expired sessions periodically
setInterval(() => {
  const now = Date.now();
  for (const [sessionId, data] of validSessions.entries()) {
    if (now - data.timestamp > SESSION_EXPIRY) {
      validSessions.delete(sessionId);
    }
  }
}, 10 * 60 * 1000); // Clean every 10 minutes

// Read model name from config file
let DEFAULT_MODEL_NAME = 'gemini-3.1-flash-lite-preview';
try {
  const modelConfig = fs.readFileSync(path.join(__dirname, 'model.cfg'), 'utf8').trim();
  if (modelConfig) {
    DEFAULT_MODEL_NAME = modelConfig;
  }
} catch (error) {
  console.log('model.cfg not found or error reading, using default model:', DEFAULT_MODEL_NAME);
}

// Load SRI mapping if available
let sriMapping = {};
try {
  const sriPath = path.join(__dirname, 'dist', 'sri-mapping.json');
  if (fs.existsSync(sriPath)) {
    sriMapping = JSON.parse(fs.readFileSync(sriPath, 'utf8'));
    console.log('SRI mapping loaded:', Object.keys(sriMapping).length, 'files');
  }
} catch (error) {
  console.log('No SRI mapping found, continuing without integrity checks');
}

// Configure CORS with Cloud Run best practices
const corsOptions = {
  origin: function (origin, callback) {
    // Important: Allow requests with no origin (same-origin, server-side, curl, etc.)
    // This is safe and necessary for Cloud Run
    if (!origin) {
      return callback(null, true);
    }
    
    // Allow file:// protocol origins
    if (origin.startsWith('file://')) {
      return callback(null, true);
    }
    
    // Build allowed origins based on environment
    const allowedOrigins = [];
    
    if (process.env.NODE_ENV !== 'production') {
      // Development origins
      allowedOrigins.push(
        'http://localhost:5173', // Vite dev server
        'http://localhost:8080', // Local server
        'http://localhost:3000'  // Common React dev port
      );
    }
    
    // Production origins from environment
    if (process.env.PRODUCTION_URL) {
      allowedOrigins.push(process.env.PRODUCTION_URL);
    }
    if (process.env.ALLOWED_ORIGINS) {
      // Support comma-separated list
      allowedOrigins.push(...process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim()));
    }
    
    // Default production origins
    allowedOrigins.push(
      'https://bsod.windowsforum.com',
      'https://bsod-analyzer-ctlmwtcf5q-ue.a.run.app', // Cloud Run URL
      'https://bsod-analyzer-399450330005.us-east1.run.app' // New Cloud Run URL
    );
    
    // Allow any *.windowsforum.com subdomain (including www.)
    const isWindowsForumDomain = origin && /^https:\/\/(www\.)?([a-z0-9-]+\.)?windowsforum\.com$/i.test(origin);

    // Allow any Cloud Run URL (*.run.app) - we control the deployment
    const isCloudRunApp = origin && /^https:\/\/[a-z0-9-]+(\.[a-z0-9-]+)*\.run\.app$/i.test(origin);

    if (allowedOrigins.includes(origin) || isWindowsForumDomain || isCloudRunApp) {
      callback(null, true);
    } else {
      console.warn(`CORS blocked origin: ${origin}`);
      callback(new Error('Not allowed by CORS'));
    }
  },
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
  allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
  exposedHeaders: ['Content-Length', 'Content-Type'],
  maxAge: 86400, // Cache preflight for 24 hours
  preflightContinue: false,
  optionsSuccessStatus: 204
};

// Middleware
// Apply CORS globally (Cloud Run best practice)
app.use(cors(corsOptions));

// Cookie parser middleware
app.use(cookieParser());

// Rate limiting middleware
const apiLimiter = rateLimit({
  windowMs: SECURITY_CONFIG.api.rateLimiting.windowMs,
  max: SECURITY_CONFIG.api.rateLimiting.maxRequests,
  message: SECURITY_CONFIG.api.rateLimiting.message,
  standardHeaders: true,
  legacyHeaders: false,
  // Skip successful requests to prevent false positives
  skipSuccessfulRequests: false,
  // Explicitly handle the trust proxy configuration
  skip: (req) => {
    // Skip rate limiting for health check endpoint
    return req.path === '/health';
  }
});

app.use(compression({
  level: 6, // Compression level 1-9 (6 is good balance)
  threshold: 1024, // Only compress responses above 1KB
  filter: (req, res) => {
    // Don't compress if client doesn't support it
    if (req.headers['x-no-compression']) {
      return false;
    }
    // Use compression filter
    return compression.filter(req, res);
  }
}));
// Higher limit parser for file upload endpoints (base64-encoded files can be up to 133MB for 100MB files)
const largeJsonParser = express.json({ limit: '150mb' });

// Default JSON body limit for most API endpoints
// Skip for routes that need larger payloads (they use largeJsonParser directly)
app.use((req, res, next) => {
  if (req.path === '/api/windbg/upload') {
    return next(); // Skip default parser, route will use largeJsonParser
  }
  express.json({ limit: '10mb' })(req, res, next);
});

// Precompute CSP header string once at startup (avoids rebuilding on every request)
const CSP_HEADER = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' https://*.cloudflare.com https://static.cloudflareinsights.com https://*.google https://*.google.com https://*.googletagmanager.com https://*.googlesyndication.com https://adnxs.com https://www.paypalobjects.com",
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://*.googleapis.com",
  "font-src 'self' data: https://fonts.gstatic.com",
  "img-src 'self' data: https: blob:",
  "connect-src 'self' https://challenges.cloudflare.com https://*.google https://*.google.com https://*.gstatic.com https://*.googletagmanager.com https://*.googlesyndication.com https://*.doubleclick.net https://api.claude.ai https://generativelanguage.googleapis.com https://www.paypal.com",
  "frame-src 'self' https://challenges.cloudflare.com https://*.google https://*.google.com https://*.googletagmanager.com https://*.googlesyndication.com https://*.doubleclick.net https://www.paypal.com",
  "object-src 'none'",
  "base-uri 'self'",
  "form-action 'self' https://www.paypal.com",
  "frame-ancestors 'self'",
  "upgrade-insecure-requests"
].join('; ');

// Global security headers middleware
app.use((req, res, next) => {
  res.setHeader('X-Content-Type-Options', 'nosniff');
  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
  res.setHeader('X-XSS-Protection', '1; mode=block');
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
  res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
  res.setHeader('Content-Security-Policy', CSP_HEADER);
  res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin');
  res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
  next();
});

// MIME type lookup for static assets
const MIME_TYPES = {
  '.js': 'application/javascript', '.mjs': 'application/javascript',
  '.css': 'text/css', '.html': 'text/html', '.json': 'application/json',
  '.woff2': 'font/woff2', '.woff': 'font/woff', '.ttf': 'font/ttf',
  '.otf': 'font/otf', '.eot': 'application/vnd.ms-fontobject',
  '.png': 'image/png', '.jpg': 'image/jpeg', '.jpeg': 'image/jpeg',
  '.webp': 'image/webp', '.svg': 'image/svg+xml', '.ico': 'image/x-icon',
};

// Set MIME types for assets BEFORE any other middleware
// Ensures Cloud Run serves files with correct Content-Type
app.use((req, res, next) => {
  if (req.path.startsWith('/assets/')) {
    const ext = path.extname(req.path).toLowerCase();
    const mime = MIME_TYPES[ext];
    if (mime) res.type(mime);
  }
  next();
});

// Security middleware - block access to sensitive paths
app.use((req, res, next) => {
  const blockedPaths = [
    '/public',
    '/src',
    '/components',
    '/pages',
    '/services',
    '/hooks',
    '/types',
    '/node_modules',
    '/.git',
    '/.env'
  ];

  const blockedExtensions = [
    '.ts',
    '.tsx',
    '.js.map',
    '.css.map',
    '.log',
    'package.json',
    'package-lock.json',
    'tsconfig.json',
    'vite.config.ts',
    '.env'
  ];

  // Block access to sensitive directories
  if (blockedPaths.some(path => req.path.startsWith(path))) {
    return res.status(403).send('Access Denied');
  }

  // Block access to sensitive file types
  if (blockedExtensions.some(ext => req.path.endsWith(ext))) {
    return res.status(403).send('Access Denied');
  }

  next();
});

// Static file serving with MIME types and caching via shared lookup
const TEXT_EXTS = new Set(['.js', '.mjs', '.css', '.html', '.json']);
const NOSNIFF_EXTS = new Set(['.js', '.mjs', '.css', '.html']);
const FONT_EXTS = new Set(['.woff2', '.woff', '.ttf', '.otf', '.eot']);

app.use(express.static(path.join(__dirname, 'dist'), {
  maxAge: '1y',
  etag: true,
  lastModified: true,
  setHeaders: (res, filePath) => {
    const ext = path.extname(filePath).toLowerCase();
    const mime = MIME_TYPES[ext];

    if (mime) {
      res.setHeader('Content-Type', TEXT_EXTS.has(ext) ? `${mime}; charset=utf-8` : mime);
    }
    if (NOSNIFF_EXTS.has(ext)) {
      res.setHeader('X-Content-Type-Options', 'nosniff');
    }

    // Cache strategy
    if (filePath.endsWith('sw.js')) {
      res.setHeader('Cache-Control', 'public, max-age=0, s-maxage=0');
    } else if (ext === '.html') {
      res.setHeader('Cache-Control', 'public, max-age=300, s-maxage=86400');
    } else if (ext === '.json') {
      res.setHeader('Cache-Control', 'public, max-age=86400');
      if (filePath.includes('/symbols/')) {
        res.setHeader('Access-Control-Allow-Origin', '*');
      }
    } else if (mime) {
      res.setHeader('Cache-Control', 'public, max-age=31536000, immutable');
    }

    // CORS for fonts
    if (FONT_EXTS.has(ext)) {
      res.setHeader('Access-Control-Allow-Origin', '*');
    }
  }
}));

// Validate Gemini API key at startup
if (!process.env.GEMINI_API_KEY) {
  console.error('WARNING: GEMINI_API_KEY not configured - AI analysis will not work');
  // Don't exit in production - allow service to start but AI features will be disabled
}

// Initialize Gemini AI with server-side API key
const genAI = process.env.GEMINI_API_KEY ? new GoogleGenerativeAI(process.env.GEMINI_API_KEY) : null;

// Turnstile secret key from environment/Secret Manager
const TURNSTILE_SECRET_KEY = process.env.TURNSTILE_SECRET_KEY;

// Store used tokens to prevent replay attacks
const usedTurnstileTokens = new Map(); // token -> timestamp

// Clean up old tokens periodically (older than 5 minutes)
setInterval(() => {
  const fiveMinutesAgo = Date.now() - (5 * 60 * 1000);
  for (const [token, timestamp] of usedTurnstileTokens.entries()) {
    if (timestamp < fiveMinutesAgo) {
      usedTurnstileTokens.delete(token);
    }
  }
}, 60 * 1000); // Clean every minute

// Verify Turnstile token with proper Siteverify implementation
async function verifyTurnstileToken(token, ip, idempotencyKey = null) {
  if (!TURNSTILE_SECRET_KEY) {
    console.error('TURNSTILE_SECRET_KEY not configured');
    return { 
      success: false, 
      'error-codes': ['missing-input-secret'],
      error: 'Turnstile not configured' 
    };
  }

  if (!token) {
    return { 
      success: false, 
      'error-codes': ['missing-input-response'],
      error: 'No token provided' 
    };
  }

  // Check if token was already used (prevent replay attacks)
  if (usedTurnstileTokens.has(token) && !idempotencyKey) {
    console.warn('Turnstile token already used:', token.substring(0, 20) + '...');
    return { 
      success: false, 
      'error-codes': ['timeout-or-duplicate'],
      error: 'Token already used' 
    };
  }

  try {
    // Build form data as required by Siteverify API
    const formData = new URLSearchParams();
    formData.append('secret', TURNSTILE_SECRET_KEY);
    formData.append('response', token); // Must be called 'response', not 'token'
    
    if (ip) {
      formData.append('remoteip', ip);
    }
    
    // Add idempotency key for retry support
    if (idempotencyKey) {
      formData.append('idempotency_key', idempotencyKey);
    }

    const response = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
      },
      body: formData
    });

    if (!response.ok) {
      console.error('Siteverify HTTP error:', response.status);
      return { 
        success: false, 
        'error-codes': ['internal-error'],
        error: 'Siteverify request failed' 
      };
    }

    const result = await response.json();
    
    if (result.success) {
      // Mark token as used to prevent replay attacks
      usedTurnstileTokens.set(token, Date.now());
      
      // Log successful verification
      console.log('Turnstile verification successful:', {
        hostname: result.hostname,
        challenge_ts: result.challenge_ts,
        action: result.action
      });
    } else {
      console.error('Turnstile verification failed:', result['error-codes']);
    }
    
    return result;
  } catch (error) {
    console.error('Turnstile Siteverify error:', error);
    return { 
      success: false, 
      'error-codes': ['internal-error'],
      error: 'Verification request failed' 
    };
  }
}

// Generate session cookie
function generateSessionCookie(ip) {
  if (!hasher) {
    console.error('XXHash not initialized when trying to generate session');
    throw new Error('XXHash not initialized');
  }
  
  const sessionId = crypto.randomBytes(32).toString('hex');
  const timestamp = Date.now();
  const dataToHash = `${sessionId}:${timestamp}:${ip}:${ACTUAL_SESSION_SECRET}`;
  const sessionHash = hasher.h64ToString(dataToHash);
  
  // Store session
  validSessions.set(sessionId, {
    hash: sessionHash,
    timestamp,
    ip
  });
  
  return {
    sessionId,
    sessionHash
  };
}

// Set session cookies on a response
function setSessionCookies(res, sessionId, sessionHash) {
  const cookieOptions = {
    httpOnly: true,
    secure: process.env.NODE_ENV === 'production',
    sameSite: 'lax',
    maxAge: SESSION_EXPIRY,
    path: '/',
  };
  res.cookie('bsod_session_id', sessionId, cookieOptions);
  res.cookie('bsod_session_hash', sessionHash, cookieOptions);
  return cookieOptions;
}

// Validate session cookie
function validateSession(sessionId, sessionHash, ip) {
  const sessionData = validSessions.get(sessionId);
  
  if (!sessionData) {
    return { valid: false, reason: 'Session not found' };
  }
  
  // Check expiry
  if (Date.now() - sessionData.timestamp > SESSION_EXPIRY) {
    validSessions.delete(sessionId);
    return { valid: false, reason: 'Session expired' };
  }
  
  // Verify IP matches
  if (sessionData.ip !== ip) {
    return { valid: false, reason: 'IP mismatch' };
  }
  
  // Verify hash
  if (sessionData.hash !== sessionHash) {
    return { valid: false, reason: 'Invalid session hash' };
  }
  
  return { valid: true };
}

// Middleware to validate session for analyzer API
const requireSession = (req, res, next) => {
  const sessionId = req.cookies.bsod_session_id;
  const sessionHash = req.cookies.bsod_session_hash;
  const clientIp = getClientIp(req);
  
  // In development mode, skip validation
  if (process.env.NODE_ENV === 'development') {
    return next();
  }
  
  if (!sessionId || !sessionHash) {
    console.log('Session validation failed - missing cookies:', { 
      sessionId: !!sessionId, 
      sessionHash: !!sessionHash,
      cookies: Object.keys(req.cookies || {})
    });
    return res.status(401).json({ error: 'Session required', code: 'NO_SESSION' });
  }
  
  const validation = validateSession(sessionId, sessionHash, clientIp);
  if (!validation.valid) {
    console.log('Session validation failed:', {
      reason: validation.reason,
      sessionId: sessionId.substring(0, 10) + '...',
      clientIp
    });
    return res.status(401).json({ error: validation.reason, code: 'INVALID_SESSION' });
  }
  
  // Refresh session timestamp
  const sessionData = validSessions.get(sessionId);
  sessionData.timestamp = Date.now();

  next();
};

// Middleware to validate API key for external service access
const requireApiKey = (req, res, next) => {
  const apiKey = req.headers['x-api-key'];

  if (!BSOD_API_KEY) {
    console.log('[API Auth] External API access not configured');
    return res.status(503).json({
      success: false,
      error: 'External API access not configured',
      code: 'API_NOT_CONFIGURED'
    });
  }

  if (!apiKey) {
    console.log('[API Auth] Missing API key in request');
    return res.status(401).json({
      success: false,
      error: 'API key required',
      code: 'NO_API_KEY'
    });
  }

  if (apiKey !== BSOD_API_KEY) {
    console.log('[API Auth] Invalid API key provided');
    return res.status(401).json({
      success: false,
      error: 'Invalid API key',
      code: 'INVALID_API_KEY'
    });
  }

  // Mark request as API-authenticated (for logging)
  req.isApiAuthenticated = true;
  console.log('[API Auth] External API request authenticated');
  next();
};

// Health check endpoint for Cloud Run (not rate limited)
app.get('/health', async (req, res) => {
  const cacheStats = await getCacheStats();
  res.status(200).json({
    status: 'ok',
    timestamp: new Date().toISOString(),
    services: {
      gemini: !!genAI,
      turnstile: !!TURNSTILE_SECRET_KEY,
      session: !!ACTUAL_SESSION_SECRET,
      cache: cacheStats
    }
  });
});

// Apply rate limiting to API endpoints
app.use('/api/', apiLimiter);

// Endpoint to verify Turnstile and create session
app.post('/api/auth/verify-turnstile', async (req, res) => {
  try {
    const { token, action, cdata } = req.body;
    const clientIp = getClientIp(req);
    
    // Generate idempotency key for this request
    const idempotencyKey = crypto.randomUUID();
    
    // Verify the Turnstile token with Siteverify
    const verification = await verifyTurnstileToken(token, clientIp, idempotencyKey);
    
    if (!verification.success) {
      // Log detailed error for debugging
      console.error('Turnstile Siteverify failed:', {
        'error-codes': verification['error-codes'],
        clientIp,
        tokenPrefix: token ? token.substring(0, 20) + '...' : 'none'
      });
      
      // Return appropriate error based on error codes
      const errorCode = verification['error-codes']?.[0] || 'unknown-error';
      let userMessage = 'Security verification failed';
      
      switch (errorCode) {
        case 'missing-input-response':
          userMessage = 'Security token missing';
          break;
        case 'invalid-input-response':
          userMessage = 'Security token invalid or expired';
          break;
        case 'timeout-or-duplicate':
          userMessage = 'Security token already used or expired';
          break;
        case 'invalid-input-secret':
          userMessage = 'Server configuration error';
          break;
      }
      
      return res.status(400).json({ 
        success: false, 
        error: userMessage,
        'error-codes': verification['error-codes']
      });
    }
    
    // Validate expected action if provided
    if (action && verification.action !== action) {
      console.warn('Turnstile action mismatch:', {
        expected: action,
        received: verification.action
      });
    }
    
    // Validate hostname matches expected domain
    const expectedHostnames = [
      'localhost',
      'bsod.windowsforum.com',
      process.env.ALLOWED_HOSTNAME
    ].filter(Boolean);
    
    if (verification.hostname && !expectedHostnames.includes(verification.hostname)) {
      console.warn('Unexpected hostname in Turnstile response:', verification.hostname);
    }
    
    // If verification successful, create session
    const { sessionId, sessionHash } = generateSessionCookie(clientIp);

    const cookieOptions = setSessionCookies(res, sessionId, sessionHash);
    res.cookie('bsod_turnstile_verified', 'true', { ...cookieOptions, maxAge: 2 * 60 * 60 * 1000 }); // 2 hours
    
    // Return success with verification details
    res.json({ 
      success: true,
      challenge_ts: verification.challenge_ts,
      hostname: verification.hostname
    });
  } catch (error) {
    console.error('Turnstile endpoint error:', error);
    res.status(500).json({ 
      success: false, 
      error: 'Verification failed',
      'error-codes': ['internal-error']
    });
  }
});

// Signing key endpoint removed - signature validation simplified

// Endpoint to get session cookie (called when user visits analyzer page)
app.get('/api/auth/session', async (req, res) => {
  try {
    // Ensure XXHash is initialized
    if (!hasher) {
      console.log('Waiting for XXHash to initialize...');
      await new Promise(resolve => setTimeout(resolve, 100));
      if (!hasher) {
        return res.status(503).json({ error: 'Session service not ready' });
      }
    }
    const clientIp = getClientIp(req);
    const { sessionId, sessionHash } = generateSessionCookie(clientIp);

    console.log('Creating session:', {
      sessionIdPrefix: sessionId.substring(0, 10) + '...',
      clientIp,
      cookieDomain: req.get('host')
    });

    setSessionCookies(res, sessionId, sessionHash);
    
    res.json({ success: true });
  } catch (error) {
    console.error('Session generation error:', error);
    res.status(500).json({ error: 'Failed to create session' });
  }
});


// Helper function to validate that prompts are BSOD-related (prevent API abuse)
// SIMPLIFIED: Focus on blocking obvious abuse, allow all BSOD-related content
function validateBSODPrompt(contents) {
  // Handle both string and array formats
  let promptText;

  if (typeof contents === 'string') {
    // Direct string format
    promptText = contents.toLowerCase();
  } else if (Array.isArray(contents) && contents.length > 0) {
    // Gemini API format: array of content objects
    promptText = contents
      .flatMap(c => c.parts || [])
      .map(p => p.text || '')
      .join(' ')
      .toLowerCase();
  } else {
    console.log('[Validation] FAILED: Invalid contents structure');
    return { valid: false, reason: 'Invalid contents structure' };
  }

  console.log('[Validation] Prompt length:', promptText.length, 'First 100 chars:', promptText.substring(0, 100));

  // Must be substantial prompt (not just "hi" or "test")
  if (promptText.length < 50) {
    console.log('[Validation] FAILED: Prompt too short');
    return { valid: false, reason: 'Prompt too short for crash analysis' };
  }

  // Must contain BSOD/crash analysis keywords (at least ONE)
  const requiredKeywords = [
    'crash dump',
    'windows crash',
    'bug check',
    'bsod',
    'analyzing a windows',
    'kernel debugger',
    'dump file',
    'minidump',
    'memory dump',
    'stop code',
    'exception code',
    'faulting module',
    'windows',
    'crash',
    'dump',
    'error',
    'blue screen',
    'black screen'
  ];

  const hasKeyword = requiredKeywords.some(keyword =>
    promptText.includes(keyword)
  );

  if (!hasKeyword) {
    console.log('[Validation] FAILED: Missing crash analysis keywords');
    return { valid: false, reason: 'Missing crash analysis keywords' };
  }

  console.log('[Validation] Has keyword: true');

  // Reject obvious abuse patterns (simplified)
  const abusePatterns = [
    /write\s+(me\s+)?(a\s+)?(story|poem|essay|song|novel)/i,
    /tell\s+me\s+(a\s+)?(joke|story)/i,
    /translate\s+to\s+/i,
    /ignore\s+(previous|above)\s+instructions/i,
    /forget\s+your\s+instructions/i
  ];

  const matchedPattern = abusePatterns.find(pattern => pattern.test(promptText));
  if (matchedPattern) {
    console.log('[Validation] FAILED: Abuse pattern detected:', matchedPattern);
    return { valid: false, reason: `Abuse pattern detected` };
  }

  console.log('[Validation] PASSED all checks');
  return { valid: true };
}

// Proxy endpoint for Gemini API calls - now requires session
app.post('/api/gemini/generateContent', requireSession, async (req, res) => {
  try {
    // Check if Gemini AI is configured
    if (!genAI) {
      return res.status(503).json({ 
        error: 'AI service not configured. Please try again later.' 
      });
    }
    
    // Validate request size
    const requestSize = JSON.stringify(req.body).length;
    if (requestSize > SECURITY_CONFIG.api.maxRequestSize) {
      return res.status(413).json({ 
        error: `Request too large. Maximum size is ${SECURITY_CONFIG.api.maxRequestSize / 1024 / 1024}MB` 
      });
    }
    const { contents, generationConfig, safetySettings, config, fileHash } = req.body;
    const sessionId = req.cookies.bsod_session_id;

    // Security: Session validation is handled by requireSession middleware
    // Additional security layers: rate limiting, prompt validation, system instruction

    // SECURITY: Check per-session rate limiting (prevent abuse even with valid prompts)
    const now = Date.now();
    let sessionTracking = sessionRequestTracking.get(sessionId);

    if (!sessionTracking || now > sessionTracking.resetTime) {
      // Initialize or reset tracking
      sessionTracking = {
        count: 0,
        resetTime: now + (60 * 60 * 1000), // Reset after 1 hour
        totalTokens: 0
      };
      sessionRequestTracking.set(sessionId, sessionTracking);
    }

    // Check request limit
    if (sessionTracking.count >= REQUEST_LIMIT_PER_SESSION) {
      console.warn('[Security] Per-session rate limit exceeded:', {
        sessionId: sessionId?.substring(0, 10) + '...',
        ip: getClientIp(req),
        requestCount: sessionTracking.count,
        resetTime: new Date(sessionTracking.resetTime).toISOString()
      });
      return res.status(429).json({
        error: `Rate limit exceeded. Maximum ${REQUEST_LIMIT_PER_SESSION} analysis requests per hour.`,
        code: 'SESSION_RATE_LIMIT',
        resetTime: sessionTracking.resetTime
      });
    }

    // Estimate tokens in request (rough estimate: 1 token ≈ 4 characters)
    const requestText = JSON.stringify(contents);
    const estimatedInputTokens = Math.ceil(requestText.length / 4);

    // Check token limit
    if (sessionTracking.totalTokens + estimatedInputTokens > TOKEN_LIMIT_PER_SESSION) {
      console.warn('[Security] Per-session token limit exceeded:', {
        sessionId: sessionId?.substring(0, 10) + '...',
        ip: getClientIp(req),
        totalTokens: sessionTracking.totalTokens,
        estimatedRequest: estimatedInputTokens
      });
      return res.status(429).json({
        error: 'Token quota exceeded for this session. Please try again later.',
        code: 'SESSION_TOKEN_LIMIT',
        resetTime: sessionTracking.resetTime
      });
    }

    // SECURITY: Validate that prompt is BSOD-related (prevent API abuse)
    const validation = validateBSODPrompt(contents);
    if (!validation.valid) {
      console.warn('[Security] Non-BSOD prompt blocked:', {
        sessionId: sessionId?.substring(0, 10) + '...',
        ip: getClientIp(req),
        reason: validation.reason,
        promptPreview: JSON.stringify(contents).substring(0, 150) + '...'
      });
      return res.status(400).json({
        error: 'Invalid request. This endpoint only analyzes Windows crash dumps and BSOD errors.',
        code: 'INVALID_PROMPT'
      });
    }

    // Check cache using fileHash if provided (consistent with WinDBG cache)
    const cacheKey = fileHash || hashContent(requestText);
    const cachedResponse = await getCachedAIReport(cacheKey);
    if (cachedResponse) {
      console.log('[Gemini API] Cache HIT for:', fileHash ? `fileHash ${fileHash}` : 'prompt hash');
      return res.json({
        ...cachedResponse,
        cached: true
      });
    }

    // Increment request count and token usage
    sessionTracking.count++;
    sessionTracking.totalTokens += estimatedInputTokens;

    // Debug logging
    console.log('[Gemini API] Cache MISS, calling Gemini. Contents type:', typeof contents);
    if (typeof contents === 'object') {
      console.log('[Gemini API] Contents structure:', JSON.stringify(contents).substring(0, 200) + '...');
    }
    
    // Always use the model from config file - ignore any client-provided model
    const modelName = DEFAULT_MODEL_NAME;
    
    // Extract configuration - frontend sends 'config', SDK expects 'generationConfig'
    const frontendConfig = config || generationConfig || {};
    
    // Build proper generationConfig for the SDK
    const sdkGenerationConfig = {};
    
    // Handle response_mime_type (correct field name for the SDK)
    if (frontendConfig.responseMimeType) {
      sdkGenerationConfig.response_mime_type = frontendConfig.responseMimeType;
    }
    
    // Handle response_schema (correct field name for the SDK)
    if (frontendConfig.responseSchema) {
      sdkGenerationConfig.response_schema = frontendConfig.responseSchema;
    }
    
    // Handle temperature if provided
    if (frontendConfig.temperature !== undefined) {
      sdkGenerationConfig.temperature = frontendConfig.temperature;
    }
    
    // Handle maxOutputTokens if provided (use snake_case for SDK consistency)
    if (frontendConfig.maxOutputTokens !== undefined) {
      sdkGenerationConfig.max_output_tokens = frontendConfig.maxOutputTokens;
    }
    
    // Handle topK if provided (use snake_case for SDK consistency)
    if (frontendConfig.topK !== undefined) {
      sdkGenerationConfig.top_k = frontendConfig.topK;
    }

    // Handle topP if provided (use snake_case for SDK consistency)
    if (frontendConfig.topP !== undefined) {
      sdkGenerationConfig.top_p = frontendConfig.topP;
    }
    
    // Copy any other config properties that might be supported
    // SECURITY: Explicitly exclude 'model' to prevent client from overriding server model selection
    const excludedKeys = ['responseMimeType', 'responseSchema', 'temperature', 'maxOutputTokens', 'topK', 'topP', 'model'];
    Object.keys(frontendConfig).forEach(key => {
      if (!excludedKeys.includes(key)) {
        sdkGenerationConfig[key] = frontendConfig[key];
      }
    });
    
    // Configure model with tools for grounding
    const modelConfig = {
      model: modelName,
      generationConfig: sdkGenerationConfig,
      safetySettings,
      // SECURITY: Add system instruction to enforce BSOD-only analysis (defense-in-depth)
      systemInstruction: {
        role: "system",
        parts: [{
          text: `You are a Windows crash dump analyzer and kernel debugger assistant. You MUST ONLY analyze crash dumps and BSOD errors.

STRICT OPERATIONAL RULES:
- ONLY respond to Windows crash dump analysis requests
- ONLY discuss: bug check codes, drivers, memory dumps, stack traces, Windows kernel debugging
- REJECT any requests for: stories, poems, code generation, translations, general questions, homework help
- If the request is not about Windows crash analysis, respond: "Error: This service only analyzes Windows crash dumps"

Your expertise is limited to:
✓ Bug check codes and parameters
✓ Driver and module analysis
✓ Memory dump interpretation
✓ Stack trace analysis
✓ Windows kernel debugging
✓ System crash diagnostics

You do NOT provide assistance with any other topics.`
        }]
      }
    };
    
    // Add grounding tools configuration
    const tools = req.body.tools || [];
    if (tools.length > 0) {
      // Ensure tools are properly formatted for the API
      modelConfig.tools = tools.map(tool => {
        // Handle Google Search grounding tool
        if (tool.googleSearch || tool.google_search_retrieval) {
          return {
            googleSearchRetrieval: tool.googleSearch || tool.google_search_retrieval || {}
          };
        }
        return tool;
      });
    }
    
    const geminiModel = genAI.getGenerativeModel(modelConfig);

    const result = await geminiModel.generateContent(contents);
    const response = await result.response;

    // Track output tokens for cost control
    const outputTokens = response.usageMetadata?.candidatesTokenCount || Math.ceil(response.text().length / 4);
    sessionTracking.totalTokens += outputTokens;

    // Log finish reason to diagnose truncation issues
    const finishReason = response.candidates?.[0]?.finishReason || 'UNKNOWN';

    console.log('[Gemini API] Request completed:', {
      sessionId: sessionId?.substring(0, 10) + '...',
      inputTokens: estimatedInputTokens,
      outputTokens: outputTokens,
      finishReason: finishReason,
      sessionTotal: sessionTracking.totalTokens,
      requestsRemaining: REQUEST_LIMIT_PER_SESSION - sessionTracking.count
    });

    // Return the text directly for compatibility
    const text = response.text();

    const responseData = {
      candidates: response.candidates || [{ content: { parts: [{ text }] } }],
      usageMetadata: response.usageMetadata,
      modelVersion: response.modelVersion,
      text // Include text for easier access
    };

    // Cache the response using fileHash if provided
    await setCachedAIReport(cacheKey, responseData);

    res.json(responseData);
  } catch (error) {
    console.error('Gemini API error:', error);
    res.status(500).json({ error: error.message || 'Failed to generate content' });
  }
});

// ============================================================
// WinDBG Server Proxy Endpoints
// ============================================================

const WINDBG_API_URL = 'https://windbg.stack-tech.net/api';
const WINDBG_API_KEY = process.env.WINDBG_API_KEY;

if (!WINDBG_API_KEY) {
  console.warn('WARNING: WINDBG_API_KEY not configured - WinDBG analysis will fall back to local parsing');
}

// Get cached analysis by file hash (skip upload for known-cached files)
// Returns combined WinDBG analysis and AI report from single cache key
app.get('/api/cache/get', requireSession, async (req, res) => {
  try {
    const { hash } = req.query;

    if (!hash || typeof hash !== 'string' || !/^[a-f0-9]{8,16}$/i.test(hash)) {
      return res.status(400).json({
        success: false,
        error: 'Invalid or missing hash parameter'
      });
    }

    // Use new combined cache (with legacy fallback built-in)
    const cached = await getCachedAnalysis(hash);

    if (cached && (cached.windbgOutput || cached.aiReport)) {
      console.log(`[Cache] GET hit for hash ${hash.substring(0, 12)}...`);
      return res.json({
        success: true,
        cached: true,
        windbgAnalysis: cached.windbgOutput || null,
        aiReport: cached.aiReport || null,
        fileHash: hash
      });
    }

    console.log(`[Cache] GET miss for hash ${hash.substring(0, 12)}...`);
    return res.json({
      success: false,
      cached: false,
      error: 'Not found in cache'
    });
  } catch (error) {
    console.error('[Cache] Error getting cached analysis:', error);
    return res.status(500).json({
      success: false,
      error: 'Failed to get cached analysis'
    });
  }
});

// Store combined analysis (WinDBG + AI report) in cache
app.post('/api/cache/set', express.json({ limit: '5mb' }), requireSession, async (req, res) => {
  try {
    const { fileHash, windbgOutput, aiReport } = req.body;

    if (!fileHash || typeof fileHash !== 'string' || !/^[a-f0-9]{8,16}$/i.test(fileHash)) {
      return res.status(400).json({
        success: false,
        error: 'Invalid or missing fileHash'
      });
    }

    if (!windbgOutput && !aiReport) {
      return res.status(400).json({
        success: false,
        error: 'Must provide at least windbgOutput or aiReport'
      });
    }

    const success = await setCachedAnalysis(fileHash, {
      windbgOutput: windbgOutput || null,
      aiReport: aiReport || null
    });

    if (success) {
      console.log(`[Cache] SET combined analysis for hash ${fileHash.substring(0, 12)}...`);
      return res.json({ success: true });
    }

    return res.status(500).json({
      success: false,
      error: 'Failed to cache analysis'
    });
  } catch (error) {
    console.error('[Cache] Error setting cache:', error);
    return res.status(500).json({
      success: false,
      error: 'Failed to cache analysis'
    });
  }
});

// Check cache for file hashes (pre-upload detection)
// No session required - read-only lookup by hash, doesn't expose sensitive data
app.post('/api/cache/check', express.json(), async (req, res) => {
  try {
    const { hashes } = req.body;

    if (!hashes || !Array.isArray(hashes)) {
      return res.status(400).json({
        success: false,
        error: 'Missing required field: hashes (array of file hashes)'
      });
    }

    // Limit number of hashes to check at once
    const hashesToCheck = hashes.slice(0, 20);
    const results = {};

    // Check each hash against the combined cache (with legacy fallback)
    const checkPromises = hashesToCheck
      .filter(hash => typeof hash === 'string' && /^[a-f0-9]{8,16}$/i.test(hash))
      .map(async (hash) => {
        results[hash] = await isAnalysisCached(hash);
      });

    await Promise.all(checkPromises);

    console.log(`[Cache] Checked ${hashesToCheck.length} hashes, ${Object.values(results).filter(Boolean).length} cached`);

    return res.json({
      success: true,
      cached: results
    });
  } catch (error) {
    console.error('[Cache] Error checking cache:', error);
    return res.status(500).json({
      success: false,
      error: 'Failed to check cache'
    });
  }
});

/**
 * Build multipart form body for WinDBG uploads
 */
function buildWinDBGMultipartBody(apiKey, uid, fileBuffer, fileName) {
  const boundary = '----WinDBGBoundary' + Date.now();
  const CRLF = '\r\n';

  let body = '';
  body += `--${boundary}${CRLF}`;
  body += `Content-Disposition: form-data; name="APIKEY"${CRLF}${CRLF}`;
  body += `${apiKey}${CRLF}`;
  body += `--${boundary}${CRLF}`;
  body += `Content-Disposition: form-data; name="UID"${CRLF}${CRLF}`;
  body += `${uid}${CRLF}`;

  const fileHeader = `--${boundary}${CRLF}Content-Disposition: form-data; name="file"; filename="${fileName}"${CRLF}Content-Type: application/octet-stream${CRLF}${CRLF}`;
  const fileFooter = `${CRLF}--${boundary}--${CRLF}`;

  const fullBody = Buffer.concat([
    Buffer.from(body, 'utf8'),
    Buffer.from(fileHeader, 'utf8'),
    fileBuffer,
    Buffer.from(fileFooter, 'utf8')
  ]);

  return { fullBody, boundary };
}

// Upload dump file to WinDBG server
// Uses largeJsonParser to handle base64-encoded files up to 100MB (becomes ~133MB encoded)
app.post('/api/windbg/upload', largeJsonParser, requireSession, async (req, res) => {
  try {
    if (!WINDBG_API_KEY) {
      return res.status(503).json({
        success: false,
        error: 'WinDBG service not configured'
      });
    }

    const { uid, fileData, fileName } = req.body;

    if (!uid || !fileData || !fileName) {
      return res.status(400).json({
        success: false,
        error: 'Missing required fields: uid, fileData, fileName'
      });
    }

    // Convert base64 file data to buffer
    const fileBuffer = Buffer.from(fileData, 'base64');

    // UID is now the file hash (computed client-side), use it directly for caching
    console.log('[WinDBG] File hash UID:', uid, 'Size:', fileBuffer.length);

    // Check cache for existing WinDBG analysis
    const cachedAnalysis = await getCachedWinDBGAnalysis(uid);
    if (cachedAnalysis) {
      console.log('[WinDBG] Cache HIT - returning cached analysis for:', fileName);
      return res.json({
        success: true,
        cached: true,
        cachedAnalysis: cachedAnalysis.windbgOutput,
        data: { queue_position: 0 }
      });
    }

    console.log('[WinDBG] Cache MISS - uploading file:', fileName, 'UID:', uid);

    const { fullBody, boundary } = buildWinDBGMultipartBody(WINDBG_API_KEY, uid, fileBuffer, fileName);
    console.log('[WinDBG] Request body size:', fullBody.length);

    // Upload to WinDBG server
    const response = await fetch(`${WINDBG_API_URL}/upload.php`, {
      method: 'POST',
      body: fullBody,
      headers: {
        'Content-Type': `multipart/form-data; boundary=${boundary}`
      }
    });

    // Log response details
    const responseText = await response.text();
    console.log('[WinDBG] Response status:', response.status);
    console.log('[WinDBG] Response body:', responseText.substring(0, 500));

    // Handle 409 - UID already exists (file was previously uploaded)
    // Check if analysis is complete and cache it if so
    if (response.status === 409) {
      console.log('[WinDBG] UID already exists, checking if analysis is complete...');

      try {
        // Check status on WinDBG server
        const statusUrl = `${WINDBG_API_URL}/status.php?APIKEY=${encodeURIComponent(WINDBG_API_KEY)}&UID=${encodeURIComponent(uid)}`;
        const statusResponse = await fetch(statusUrl);

        if (statusResponse.ok) {
          const statusResult = await statusResponse.json();
          console.log('[WinDBG] Status for existing UID:', statusResult.data?.status);

          // If completed, download and cache the result
          if (statusResult.data?.status === 'completed') {
            console.log('[WinDBG] Analysis already complete, downloading and caching...');
            const downloadUrl = `${WINDBG_API_URL}/download.php?APIKEY=${encodeURIComponent(WINDBG_API_KEY)}&UID=${encodeURIComponent(uid)}`;
            const downloadResponse = await fetch(downloadUrl);

            if (downloadResponse.ok) {
              const analysisText = await downloadResponse.text();
              console.log('[WinDBG] Downloaded existing analysis:', analysisText.length, 'bytes');

              // Cache the result
              await setCachedWinDBGAnalysis(uid, {
                windbgOutput: analysisText,
                timestamp: Date.now()
              });

              // Return cached response
              return res.json({
                success: true,
                cached: true,
                cachedAnalysis: analysisText,
                data: { uid, queue_position: 0 }
              });
            }
          }
        }
      } catch (statusError) {
        console.error('[WinDBG] Error checking status for 409:', statusError);
      }

      // If we couldn't get/cache the result, let client poll
      return res.json({
        success: true,
        alreadyExists: true,
        data: { uid, queue_position: 0 }
      });
    }

    if (!response.ok) {
      throw new Error(`WinDBG upload failed with status ${response.status}: ${responseText}`);
    }

    // Parse the response
    let result;
    try {
      result = JSON.parse(responseText);
    } catch (e) {
      throw new Error(`Failed to parse WinDBG response: ${responseText}`);
    }
    console.log('[WinDBG] Upload response:', result.success ? 'success' : 'failed');

    res.json(result);
  } catch (error) {
    console.error('[WinDBG] Upload error:', error);
    res.status(500).json({
      success: false,
      error: error.message || 'Failed to upload to WinDBG server'
    });
  }
});

// Poll WinDBG status
app.get('/api/windbg/status', requireSession, async (req, res) => {
  try {
    if (!WINDBG_API_KEY) {
      return res.status(503).json({
        success: false,
        error: 'WinDBG service not configured'
      });
    }

    const { uid } = req.query;

    if (!uid) {
      return res.status(400).json({
        success: false,
        error: 'Missing required parameter: uid'
      });
    }

    const statusUrl = `${WINDBG_API_URL}/status.php?APIKEY=${encodeURIComponent(WINDBG_API_KEY)}&UID=${encodeURIComponent(uid)}`;
    console.log('[WinDBG] Checking status for UID:', uid);

    const response = await fetch(statusUrl, {
      headers: {
        'Cache-Control': 'no-cache, no-store',
        'Pragma': 'no-cache'
      }
    });

    if (!response.ok) {
      throw new Error(`WinDBG status check failed with status ${response.status}`);
    }

    const result = await response.json();
    console.log('[WinDBG] Status response:', result.data?.status, 'for UID:', uid);

    // CRITICAL: Set no-cache headers on response to prevent browser/CDN caching
    res.set({
      'Cache-Control': 'no-cache, no-store, must-revalidate, max-age=0',
      'Pragma': 'no-cache',
      'Expires': '0'
    });
    res.json(result);
  } catch (error) {
    console.error('[WinDBG] Status error:', error);
    res.status(500).json({
      success: false,
      error: error.message || 'Failed to check WinDBG status'
    });
  }
});

// Download WinDBG analysis result
app.get('/api/windbg/download', requireSession, async (req, res) => {
  try {
    if (!WINDBG_API_KEY) {
      return res.status(503).json({
        success: false,
        error: 'WinDBG service not configured'
      });
    }

    const { uid } = req.query;

    if (!uid) {
      return res.status(400).json({
        success: false,
        error: 'Missing required parameter: uid'
      });
    }

    const downloadUrl = `${WINDBG_API_URL}/download.php?APIKEY=${encodeURIComponent(WINDBG_API_KEY)}&UID=${encodeURIComponent(uid)}`;

    const response = await fetch(downloadUrl);

    if (!response.ok) {
      throw new Error(`WinDBG download failed with status ${response.status}`);
    }

    const analysisText = await response.text();
    console.log('[WinDBG] Downloaded analysis:', analysisText.length, 'bytes');

    // Cache the WinDBG output (UID is the file hash)
    await setCachedWinDBGAnalysis(uid, {
      windbgOutput: analysisText,
      timestamp: Date.now()
    });

    res.json({
      success: true,
      analysisText
    });
  } catch (error) {
    console.error('[WinDBG] Download error:', error);
    res.status(500).json({
      success: false,
      error: error.message || 'Failed to download WinDBG analysis'
    });
  }
});

// ============================================================
// Archive Extraction Endpoint (7z/RAR)
// ============================================================
app.post('/api/extract-archive', requireSession, upload.single('file'), async (req, res) => {
  try {
    if (!req.file) {
      return res.status(400).json({
        success: false,
        error: 'No file uploaded'
      });
    }

    const buffer = req.file.buffer;
    const fileName = req.file.originalname || 'archive';
    const archiveType = detectArchiveType(buffer);

    if (!archiveType || archiveType === 'zip') {
      return res.status(400).json({
        success: false,
        error: 'File is not a supported archive format (.7z or .rar)'
      });
    }

    console.log(`[Archive] Extracting ${archiveType} archive: ${fileName} (${buffer.length} bytes)`);

    const extractedDumps = await extractDumpsFromArchive(buffer, fileName, archiveType);

    if (extractedDumps.length === 0) {
      return res.status(400).json({
        success: false,
        error: 'No dump files (.dmp, .mdmp, .hdmp, .kdmp) found in archive'
      });
    }

    console.log(`[Archive] Extracted ${extractedDumps.length} dump file(s) from ${fileName}`);

    // Return extracted files as base64-encoded JSON
    const files = extractedDumps.map(dump => ({
      fileName: dump.fileName,
      data: dump.buffer.toString('base64'),
      size: dump.buffer.length
    }));

    res.json({
      success: true,
      files,
      originalArchive: fileName,
      archiveType
    });
  } catch (error) {
    console.error('[Archive] Extraction error:', error);
    res.status(400).json({
      success: false,
      error: error.message || 'Failed to extract archive'
    });
  }
});

// ============================================================
// External API Endpoint for BSOD Analysis
// ============================================================
// This endpoint accepts dump files and returns structured analysis
// Authentication: X-API-Key header with BSOD_API_KEY
// Used by external services (e.g., XenForo integration)

// Constants for WinDBG analysis
const WINDBG_POLL_INTERVAL_MS = 10000; // 10 seconds between polls
const WINDBG_MAX_POLL_ATTEMPTS = 30; // 5 minutes max (30 * 10s)
const WINDBG_TOTAL_TIMEOUT_MS = 300000; // 5 minute hard timeout

/**
 * Generate a unique UID for WinDBG uploads
 */
function generateWinDBGUID() {
  const timestamp = Date.now();
  const random = Math.random().toString(36).substring(2, 8);
  return `API-${timestamp}-${random}`;
}

/**
 * Upload file buffer to WinDBG server
 */
async function uploadBufferToWinDBG(fileBuffer, fileName, uid) {
  const { fullBody, boundary } = buildWinDBGMultipartBody(WINDBG_API_KEY, uid, fileBuffer, fileName);

  const response = await fetch(`${WINDBG_API_URL}/upload.php`, {
    method: 'POST',
    body: fullBody,
    headers: {
      'Content-Type': `multipart/form-data; boundary=${boundary}`
    }
  });

  if (!response.ok) {
    const text = await response.text();
    throw new Error(`WinDBG upload failed: ${response.status} - ${text}`);
  }

  return await response.json();
}

/**
 * Poll WinDBG server for analysis completion
 */
async function pollWinDBGStatus(uid) {
  let attempts = 0;

  while (attempts < WINDBG_MAX_POLL_ATTEMPTS) {
    attempts++;
    console.log(`[API/WinDBG] Polling status (attempt ${attempts}/${WINDBG_MAX_POLL_ATTEMPTS})...`);

    const statusUrl = `${WINDBG_API_URL}/status.php?APIKEY=${encodeURIComponent(WINDBG_API_KEY)}&UID=${encodeURIComponent(uid)}`;
    const response = await fetch(statusUrl, {
      headers: { 'Cache-Control': 'no-cache, no-store', 'Pragma': 'no-cache' }
    });

    if (!response.ok) {
      throw new Error(`WinDBG status check failed: ${response.status}`);
    }

    const result = await response.json();
    console.log(`[API/WinDBG] Status: ${result.data?.status}`);

    if (result.data?.status === 'completed') {
      return result;
    }

    if (result.data?.status === 'failed') {
      throw new Error(result.data.error_message || 'WinDBG analysis failed');
    }

    await new Promise(resolve => setTimeout(resolve, WINDBG_POLL_INTERVAL_MS));
  }

  throw new Error('WinDBG analysis timed out');
}

/**
 * Download analysis result from WinDBG server
 */
async function downloadWinDBGAnalysis(uid) {
  const downloadUrl = `${WINDBG_API_URL}/download.php?APIKEY=${encodeURIComponent(WINDBG_API_KEY)}&UID=${encodeURIComponent(uid)}`;
  const response = await fetch(downloadUrl);

  if (!response.ok) {
    throw new Error(`WinDBG download failed: ${response.status}`);
  }

  return await response.text();
}

/**
 * Extract culprit module from WinDBG output
 */
function extractCulpritFromWinDBG(windbgOutput) {
  const moduleMatch = windbgOutput.match(/MODULE_NAME:\s*(\S+)/i);
  if (moduleMatch) return moduleMatch[1];

  const imageMatch = windbgOutput.match(/IMAGE_NAME:\s*(\S+)/i);
  if (imageMatch) return imageMatch[1];

  const faultingMatch = windbgOutput.match(/FAULTING_MODULE:\s*\S+\s+(\S+)/i);
  if (faultingMatch) return faultingMatch[1];

  return 'Unknown';
}

/**
 * Generate AI report from WinDBG analysis
 * Uses cache to avoid redundant Gemini API calls
 */
async function generateAIReportFromWinDBG(fileName, dumpType, fileSize, windbgAnalysis) {
  // Check cache first
  const cachedReport = await getCachedAIReport(windbgAnalysis);
  if (cachedReport) {
    console.log('[API/AI] Using cached AI report');
    return { ...cachedReport, cached: true };
  }

  console.log('[API/AI] Generating AI report from WinDBG analysis...');

  const prompt = `You are an expert Windows crash analyst. Analyze this REAL WinDBG output from an actual crash dump analysis and provide a detailed, user-friendly report.

**File Information:**
- Filename: ${fileName}
- Dump Type: ${dumpType}
- File Size: ${fileSize} bytes

**ACTUAL WinDBG Analysis Output:**
\`\`\`
${windbgAnalysis}
\`\`\`

## ANALYSIS REQUIREMENTS

Based on the WinDBG output above, provide:

1. **Summary**: A brief one-sentence summary of what caused the crash
2. **Probable Cause**: A detailed but easy-to-understand explanation of the likely cause
3. **Culprit**: The specific driver or module responsible (extract from WinDBG output)
4. **Recommendations**: Actionable steps the user should take to fix the issue

### IMPORTANT RULES:
- Use ONLY the information from the WinDBG output - this is REAL analysis data
- Extract the actual bug check code, culprit driver, and stack trace from the output
- Do NOT invent or guess information not present in the WinDBG output
- If WinDBG identified a specific driver as the cause, use that as the culprit
- Parse the MODULE_NAME, IMAGE_NAME, and FAILURE_BUCKET_ID from the output

Respond with valid JSON matching this schema:
{
  "summary": "string - one sentence summary",
  "probableCause": "string - detailed explanation",
  "culprit": "string - guilty module/driver",
  "recommendations": ["array of actionable steps"],
  "bugCheck": {
    "code": "string - e.g. 0x0000001A",
    "name": "string - e.g. MEMORY_MANAGEMENT",
    "parameters": ["array of 4 parameter values"]
  },
  "driverWarnings": [{"name": "string", "description": "string", "severity": "critical|warning|info"}],
  "hardwareError": {"type": "string", "details": "string"} or null
}`;

  try {
    const modelConfig = {
      model: DEFAULT_MODEL_NAME,
      generationConfig: {
        response_mime_type: 'application/json',
        temperature: 0.5,
        max_output_tokens: 4096
      },
      systemInstruction: {
        role: "system",
        parts: [{
          text: "You are a Windows crash dump analyzer. Provide structured JSON responses only."
        }]
      }
    };

    const geminiModel = genAI.getGenerativeModel(modelConfig);
    const result = await geminiModel.generateContent(prompt);
    const response = await result.response;
    const responseText = response.text();

    let report;
    try {
      report = JSON.parse(responseText);
    } catch (parseError) {
      // Try to extract JSON from response
      const jsonMatch = responseText.match(/\{[\s\S]*\}/);
      if (jsonMatch) {
        report = JSON.parse(jsonMatch[0]);
      } else {
        throw parseError;
      }
    }

    // Cache the successful AI report
    await setCachedAIReport(windbgAnalysis, report);
    return report;
  } catch (error) {
    console.error('[API/AI] AI analysis error:', error);
    // Return basic report if AI fails (don't cache failures)
    return {
      summary: `Windows crash in ${fileName} analyzed by WinDBG`,
      probableCause: 'WinDBG analysis completed but AI interpretation failed.',
      culprit: extractCulpritFromWinDBG(windbgAnalysis),
      recommendations: [
        'Review the raw WinDBG output manually',
        'Update drivers mentioned in the analysis',
        'Check Windows Event Viewer for related errors'
      ]
    };
  }
}

/**
 * Determine dump type from file content
 */
function detectDumpType(fileBuffer) {
  // Check magic bytes
  const header = fileBuffer.slice(0, 8).toString('ascii');

  // MDMP = Minidump
  if (header.startsWith('MDMP')) {
    return 'minidump';
  }

  // PAGEDU64 = Full/Kernel dump
  if (header.startsWith('PAGEDU64') || header.startsWith('PAGEDUMP')) {
    return 'kernel';
  }

  // Default to kernel for large files
  if (fileBuffer.length >= 5 * 1024 * 1024) {
    return 'kernel';
  }

  return 'minidump';
}

// Extract dump files from ZIP archive
const DUMP_EXTENSIONS = ['.dmp', '.mdmp', '.hdmp', '.kdmp'];

async function extractDumpsFromZip(zipBuffer, originalName) {
  const results = [];

  try {
    const zip = await JSZip.loadAsync(zipBuffer);

    for (const [path, file] of Object.entries(zip.files)) {
      if (file.dir) continue;

      const lowerPath = path.toLowerCase();
      const isDump = DUMP_EXTENSIONS.some(ext => lowerPath.endsWith(ext));

      if (isDump) {
        const content = await file.async('nodebuffer');
        const fileName = path.split('/').pop();
        results.push({
          fileName,
          buffer: content,
          originalZip: originalName
        });
      }
    }
  } catch (error) {
    console.error(`[ZIP] Failed to extract from ${originalName}:`, error.message);
    throw new Error(`Failed to extract ZIP: ${error.message}`);
  }

  return results;
}

const ARCHIVE_SIGNATURES = [
  { type: 'zip', bytes: [0x50, 0x4B, 0x03, 0x04] },
  { type: '7z',  bytes: [0x37, 0x7A, 0xBC, 0xAF, 0x27, 0x1C] },
  { type: 'rar', bytes: [0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x01] }, // RAR v5
  { type: 'rar', bytes: [0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x00] }, // RAR v4
];

/**
 * Detect archive type from buffer magic bytes
 * @returns 'zip' | '7z' | 'rar' | null
 */
function detectArchiveType(buffer) {
  for (const { type, bytes } of ARCHIVE_SIGNATURES) {
    if (buffer.length >= bytes.length && bytes.every((b, i) => buffer[i] === b)) {
      return type;
    }
  }
  return null;
}

/**
 * Extract .dmp files from a 7z/RAR archive.
 * Uses 7z for .7z files and bsdtar for .rar files (Alpine's 7zip lacks RAR codec).
 * Security: archive bomb detection, path traversal prevention, timeout
 */
async function extractDumpsFromArchive(buffer, originalName, archiveType) {
  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'bsod-extract-'));
  const archivePath = path.join(tmpDir, `archive.${archiveType}`);
  const extractDir = path.join(tmpDir, 'out');

  try {
    fs.writeFileSync(archivePath, buffer);
    fs.mkdirSync(extractDir);

    // Archive bomb checks
    const MAX_EXTRACTED_SIZE = 200 * 1024 * 1024; // 200MB
    const MAX_FILE_COUNT = 20;
    const MAX_COMPRESSION_RATIO = 100;

    if (archiveType === 'rar') {
      // Use bsdtar for RAR files (Alpine's 7zip lacks the RAR codec)
      // Step 1: List contents for bomb detection
      let listOutput;
      try {
        listOutput = await execFileAsync('bsdtar', ['tf', archivePath], { timeout: 15000 });
      } catch (err) {
        if (err.stderr && (err.stderr.includes('password') || err.stderr.includes('encrypted'))) {
          throw new Error('Password-protected archives are not supported');
        }
        throw new Error(`Failed to read RAR archive: ${err.stderr || err.message}`);
      }

      const fileList = listOutput.stdout.trim().split('\n').filter(f => f.length > 0);
      if (fileList.length > MAX_FILE_COUNT) {
        throw new Error(`Archive contains too many files (${fileList.length}). Maximum is ${MAX_FILE_COUNT}.`);
      }

      // Step 2: Extract
      try {
        await execFileAsync('bsdtar', ['xf', archivePath, '-C', extractDir], { timeout: 30000 });
      } catch (err) {
        if (err.stderr && (err.stderr.includes('password') || err.stderr.includes('encrypted'))) {
          throw new Error('Password-protected archives are not supported');
        }
        throw new Error(`Failed to extract RAR archive: ${err.stderr || err.message}`);
      }

      // Post-extraction size check
      let totalSize = 0;
      function checkSize(dir) {
        const entries = fs.readdirSync(dir, { withFileTypes: true });
        for (const entry of entries) {
          const fullPath = path.join(dir, entry.name);
          if (entry.isDirectory()) {
            checkSize(fullPath);
          } else {
            totalSize += fs.statSync(fullPath).size;
          }
        }
      }
      checkSize(extractDir);

      if (totalSize > MAX_EXTRACTED_SIZE) {
        throw new Error(`Archive too large when extracted (${(totalSize / 1024 / 1024).toFixed(1)}MB). Maximum is 200MB.`);
      }
      if (buffer.length > 0 && totalSize / buffer.length > MAX_COMPRESSION_RATIO) {
        throw new Error('Archive compression ratio too high — possible archive bomb');
      }
    } else {
      // Use 7z for .7z files
      // Step 1: List archive contents for bomb detection
      let listOutput;
      try {
        listOutput = await execFileAsync('7z', ['l', '-slt', archivePath], { timeout: 15000 });
      } catch (err) {
        if (err.stderr && err.stderr.includes('Wrong password')) {
          throw new Error('Password-protected archives are not supported');
        }
        throw new Error(`Failed to read archive: ${err.message}`);
      }

      const sizeMatches = listOutput.stdout.matchAll(/^Size = (\d+)$/gm);
      let totalExtractedSize = 0;
      let fileCount = 0;

      for (const match of sizeMatches) {
        totalExtractedSize += parseInt(match[1], 10);
        fileCount++;
      }

      if (totalExtractedSize > MAX_EXTRACTED_SIZE) {
        throw new Error(`Archive too large when extracted (${(totalExtractedSize / 1024 / 1024).toFixed(1)}MB). Maximum is 200MB.`);
      }
      if (fileCount > MAX_FILE_COUNT) {
        throw new Error(`Archive contains too many files (${fileCount}). Maximum is ${MAX_FILE_COUNT}.`);
      }
      if (buffer.length > 0 && totalExtractedSize / buffer.length > MAX_COMPRESSION_RATIO) {
        throw new Error('Archive compression ratio too high — possible archive bomb');
      }

      // Step 2: Extract
      try {
        await execFileAsync('7z', ['x', `-o${extractDir}`, '-y', archivePath], { timeout: 30000 });
      } catch (err) {
        if (err.stderr && err.stderr.includes('Wrong password')) {
          throw new Error('Password-protected archives are not supported');
        }
        throw new Error(`Failed to extract archive: ${err.message}`);
      }
    }

    // Step 3: Find .dmp files recursively, with path traversal protection
    const results = [];
    const realExtractDir = fs.realpathSync(extractDir);

    function findDmpFiles(dir) {
      const entries = fs.readdirSync(dir, { withFileTypes: true });
      for (const entry of entries) {
        const fullPath = path.join(dir, entry.name);
        // Path traversal protection
        const realPath = fs.realpathSync(fullPath);
        if (!realPath.startsWith(realExtractDir)) {
          console.warn('[Archive] Path traversal detected, skipping:', fullPath);
          continue;
        }
        if (entry.isDirectory()) {
          findDmpFiles(fullPath);
        } else if (DUMP_EXTENSIONS.some(ext => entry.name.toLowerCase().endsWith(ext))) {
          results.push({
            fileName: entry.name,
            buffer: fs.readFileSync(fullPath),
            originalArchive: originalName
          });
        }
      }
    }

    findDmpFiles(extractDir);
    return results;
  } finally {
    // Always clean up temp directory
    try {
      fs.rmSync(tmpDir, { recursive: true, force: true });
    } catch (cleanupErr) {
      console.error('[Archive] Cleanup error:', cleanupErr.message);
    }
  }
}

// Main external API endpoint
app.post('/api/analyze', requireApiKey, upload.single('file'), async (req, res) => {
  const startTime = Date.now();

  try {
    // Validate file upload
    if (!req.file) {
      return res.status(400).json({
        success: false,
        error: 'No file uploaded. Use multipart form with "file" field.',
        code: 'NO_FILE'
      });
    }

    let fileBuffer = req.file.buffer;
    let fileName = req.file.originalname || 'upload.dmp';
    const originalFileSize = fileBuffer.length;
    let originalZip = null;

    console.log(`[API/Analyze] Received file: ${fileName} (${originalFileSize} bytes)`);

    // Check if file is an archive and extract dumps
    const archiveType = detectArchiveType(fileBuffer);
    if (archiveType) {
      console.log(`[API/Analyze] Detected ${archiveType} archive, extracting dumps...`);

      let extractedDumps;
      if (archiveType === 'zip') {
        extractedDumps = await extractDumpsFromZip(fileBuffer, fileName);
      } else {
        extractedDumps = await extractDumpsFromArchive(fileBuffer, fileName, archiveType);
      }

      if (extractedDumps.length === 0) {
        return res.status(400).json({
          success: false,
          error: `No dump files (.dmp, .mdmp, .hdmp, .kdmp) found in ${archiveType.toUpperCase()} archive`,
          code: 'NO_DUMPS_IN_ARCHIVE'
        });
      }

      // Use the first dump found (could enhance to analyze all)
      const firstDump = extractedDumps[0];
      console.log(`[API/Analyze] Found ${extractedDumps.length} dump(s), analyzing: ${firstDump.fileName}`);
      originalZip = fileName;
      fileName = firstDump.fileName;
      fileBuffer = firstDump.buffer;
    }

    const fileSize = fileBuffer.length;

    // Detect dump type
    const dumpType = detectDumpType(fileBuffer);
    console.log(`[API/Analyze] Detected dump type: ${dumpType}`);

    // Compute file hash for caching
    const fileHash = hashContent(fileBuffer);
    console.log(`[API/Analyze] File hash: ${fileHash.substring(0, 12)}...`);

    // Check cache for previous WinDBG analysis of this exact file
    const cachedAnalysis = await getCachedWinDBGAnalysis(fileHash);
    if (cachedAnalysis) {
      console.log('[API/Analyze] Cache HIT - using cached WinDBG analysis');

      // Generate AI report from cached WinDBG output
      const report = await generateAIReportFromWinDBG(
        fileName,
        dumpType,
        fileSize,
        cachedAnalysis.windbgOutput
      );

      const processingTime = (Date.now() - startTime) / 1000;
      console.log(`[API/Analyze] Completed from cache in ${processingTime}s`);

      return res.json({
        success: true,
        data: report,
        analysisMethod: 'windbg',
        cached: true,
        processingTime,
        metadata: {
          fileName,
          fileSize,
          dumpType,
          uid: cachedAnalysis.uid,
          originalZip: originalZip || undefined
        }
      });
    }

    console.log('[API/Analyze] Cache MISS - running full WinDBG analysis');

    // Check if WinDBG is configured
    if (!WINDBG_API_KEY) {
      return res.status(503).json({
        success: false,
        error: 'WinDBG analysis service not configured',
        code: 'WINDBG_NOT_CONFIGURED'
      });
    }

    // Check if Gemini AI is configured
    if (!genAI) {
      return res.status(503).json({
        success: false,
        error: 'AI service not configured',
        code: 'AI_NOT_CONFIGURED'
      });
    }

    // Generate UID for this analysis
    const uid = generateWinDBGUID();
    console.log(`[API/Analyze] Starting WinDBG analysis with UID: ${uid}`);

    // Create timeout wrapper
    const timeoutPromise = new Promise((_, reject) => {
      setTimeout(() => {
        reject(new Error('Analysis timed out after 5 minutes'));
      }, WINDBG_TOTAL_TIMEOUT_MS);
    });

    // Main analysis pipeline
    const analysisPromise = (async () => {
      // Step 1: Upload to WinDBG
      console.log('[API/Analyze] Step 1: Uploading to WinDBG server...');
      const uploadResult = await uploadBufferToWinDBG(fileBuffer, fileName, uid);
      if (!uploadResult.success) {
        throw new Error(uploadResult.error || 'WinDBG upload failed');
      }
      console.log(`[API/Analyze] Upload successful, queue position: ${uploadResult.data?.queue_position}`);

      // Step 2: Poll for completion
      console.log('[API/Analyze] Step 2: Polling for completion...');
      await pollWinDBGStatus(uid);
      console.log('[API/Analyze] WinDBG analysis completed');

      // Step 3: Download results
      console.log('[API/Analyze] Step 3: Downloading analysis...');
      const windbgAnalysis = await downloadWinDBGAnalysis(uid);
      console.log(`[API/Analyze] Downloaded ${windbgAnalysis.length} bytes of analysis`);

      // Cache the WinDBG analysis for future requests with same file
      await setCachedWinDBGAnalysis(fileHash, {
        windbgOutput: windbgAnalysis,
        uid,
        fileName,
        dumpType,
        timestamp: Date.now()
      });

      // Step 4: Generate AI report
      console.log('[API/Analyze] Step 4: Generating AI report...');
      const report = await generateAIReportFromWinDBG(fileName, dumpType, fileSize, windbgAnalysis);

      return {
        report,
        windbgAnalysis,
        analysisMethod: 'windbg'
      };
    })();

    // Race between analysis and timeout
    const result = await Promise.race([analysisPromise, timeoutPromise]);

    const processingTime = (Date.now() - startTime) / 1000;
    console.log(`[API/Analyze] Analysis completed in ${processingTime}s`);

    // Return structured response
    res.json({
      success: true,
      data: result.report,
      analysisMethod: result.analysisMethod,
      processingTime,
      metadata: {
        fileName,
        fileSize,
        dumpType,
        uid,
        originalZip: originalZip || undefined
      }
    });

  } catch (error) {
    const processingTime = (Date.now() - startTime) / 1000;
    console.error('[API/Analyze] Error:', error);

    res.status(500).json({
      success: false,
      error: error.message || 'Analysis failed',
      code: 'ANALYSIS_FAILED',
      processingTime
    });
  }
});

// Catch-all: serve React app for client-side routing
app.use((req, res) => {
  const pathname = req.path;

  // CRITICAL: Don't handle asset files with the catch-all route
  // Static files should be served by express.static middleware
  if (pathname.startsWith('/assets/') ||
      pathname.match(/\.(js|css|woff2|woff|ttf|otf|eot|png|jpg|jpeg|webp|svg|ico|json|xml|txt|webmanifest)$/)) {
    // Return 404 for asset files that weren't found by static middleware
    return res.status(404).send('File not found');
  }

  // Serve React app for all other routes (non-asset routes only)
  // CDN caches 24h (purged on deploy), browser always revalidates
  res.setHeader('Cache-Control', 'public, max-age=300, s-maxage=86400');
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  // Link header enables Cloudflare Early Hints (103) for critical assets
  if (earlyHintsLinkHeader) res.setHeader('Link', earlyHintsLinkHeader);
  res.send(cachedIndexHtml);
});

// Cache index.html in memory and ensure xxhash is ready before accepting requests
let cachedIndexHtml;
// Precomputed Link header for Early Hints / Cloudflare preloading
let earlyHintsLinkHeader = '';

async function startServer() {
  // Initialize xxhash before accepting requests
  hasher = await xxhash();
  console.log('XXHash initialized for session management');

  // Cache index.html in memory (~9KB, avoids disk read on every request)
  const indexPath = path.join(__dirname, 'dist', 'index.html');
  if (fs.existsSync(indexPath)) {
    cachedIndexHtml = fs.readFileSync(indexPath, 'utf-8');
    console.log(`Cached index.html in memory (${Buffer.byteLength(cachedIndexHtml)} bytes)`);

    // Build Link header from built assets for Early Hints (Cloudflare)
    const distAssets = path.join(__dirname, 'dist', 'assets');
    if (fs.existsSync(distAssets)) {
      const files = fs.readdirSync(distAssets);
      const links = [];
      // Preload the main JS entry and CSS — these are render-critical
      const mainJs = files.find(f => f.match(/^index-.*\.js$/));
      const mainCss = files.find(f => f.match(/^index-.*\.css$/));
      if (mainCss) links.push(`</assets/${mainCss}>; rel=preload; as=style`);
      if (mainJs) links.push(`</assets/${mainJs}>; rel=modulepreload`);
      if (links.length) {
        earlyHintsLinkHeader = links.join(', ');
        console.log(`Early Hints Link header: ${earlyHintsLinkHeader}`);
      }
    }
  } else {
    console.warn('dist/index.html not found - run npm run build first');
    cachedIndexHtml = '<html><body>Build not found. Run npm run build.</body></html>';
  }

  app.listen(PORT, () => {
    console.log(`Server running on port ${PORT}`);
    console.log(`Gemini API Key configured: ${process.env.GEMINI_API_KEY ? 'Yes' : 'No'}`);
    console.log(`Turnstile Secret Key configured: ${TURNSTILE_SECRET_KEY ? 'Yes' : 'No'}`);
    console.log(`WinDBG API Key configured: ${WINDBG_API_KEY ? 'Yes' : 'No'}`);
  });
}

startServer().catch(err => {
  console.error('Failed to start server:', err);
  process.exit(1);
});