A peek behind the curtain — every file the club keeps on the server, from the front-of-house code to the trophy ledger in the database.
<?php
// Casmio sandbox router for PHP's built-in server (`php -S ... router.php`).
//
// Its only job is to keep PRIVATE files from being served over HTTP, then hand every
// other request back to the built-in server unchanged. Returning false tells `php -S`
// to serve the requested file / run the matched PHP script as it normally would.
//
// This file is shared and mounted READ-ONLY outside the web root (/var/www/router.php,
// docroot is /var/www/html), so untrusted project code can neither edit nor reach it.
//
// Blocked from the web:
// - databases: *.sqlite, *.sqlite3, *.db, and SQLite side files (-wal/-shm/-journal)
// - private dirs: anything under /data/ or /storage/
// - dotfiles/dirs: /.env, /.git/…, etc.
//
// (Session cookies are forced to SameSite=None; Secure via `php -S -d …` in casmio-provision,
// so logins work inside the editor's cross-origin preview iframe — not here, because ini_set in
// a router does not carry into the script php -S serves on fallthrough.)
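// Take the path from the raw request target instead of parse_url(). parse_url() returns
// false for some malformed targets (the string cast then yields '') and reads a leading
// "//name" as a host rather than a path segment; in both cases part of the requested path
// would never reach the deny patterns below. The patterns match anywhere in the string,
// so an unusual target is matched more broadly (fails closed), never less.
$target = (string) ($_SERVER['REQUEST_URI'] ?? '/');

// Drop the query string / fragment, then decode once so percent-encoded dots and
// slashes are compared in their literal form.
$path = rawurldecode(substr($target, 0, strcspn($target, '?#')));

$blocked =
    // Database files plus their side files. The optional suffix covers -journal/-wal/-shm
    // for every database extension (app.db-wal, app.sqlite3-shm, ...), not only *.sqlite-*;
    // a WAL or journal file holds database pages and must be as private as the database.
    preg_match('#\.(sqlite3?|db)(-(journal|wal|shm))?$#i', $path)
    // Private directories, at any depth.
    || preg_match('#(^|/)(data|storage)(/|$)#i', $path)
    // Dotfiles and dot-directories (/.env, /.git/...).
    || preg_match('#(^|/)\.[^/]#', $path);

if ($blocked) {
    // Answer 404 rather than 403 so the response does not confirm that the file exists.
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Not Found";
    return true; // handled — do not serve the file
}

return false; // let the built-in server handle it normally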