# AI Poster

AI Poster is a procedural PHP, MySQL, MySQLi, Bootstrap 5 MVP for AI-assisted social media automation. 
It is structured for deployment at `https://aiposter.z2a.us` and uses cron jobs, webhook endpoints, queue tables, and OpenAI integration to automate content workflows.

## Project architecture

```text
admin/                  Admin dashboards and controls
api/
  openai/               JSON endpoint for AI generation
  platforms/            OAuth connect handlers per platform
assets/
  css/                  Theme CSS and custom SaaS styling
  img/                  Bootstrap theme images
  js/                   Theme JS
config/                 App and database configuration
core/                   Shared helpers, auth, DB, queue, OpenAI, platform logic
cron/                   Queue workers, retries, content sync
database/               MySQL schema
includes/               Shared header, footer, sidebar templates
logs/                   Application logs
uploads/                User media storage
user/                   Member dashboard pages
webhooks/               Platform callback handlers
index.php               Marketing landing page
login.php/register.php  Auth entry points
```

## What changed in this build

- Richer import browser for supported platform content in [user/imports.php](/E:/ChatGPT%20Coding/AI%20Poster/user/imports.php)
- Token refresh and OAuth lifecycle management in [core/platforms.php](/E:/ChatGPT%20Coding/AI%20Poster/core/platforms.php) and 
- [cron/refresh_tokens.php](/E:/ChatGPT%20Coding/AI%20Poster/cron/refresh_tokens.php)
- Review queue and 7-day calendar workflow in [user/review_queue.php](/E:/ChatGPT%20Coding/AI%20Poster/user/review_queue.php)
- Approval gating so only approved items are auto-published by [cron/process_queue.php](/E:/ChatGPT%20Coding/AI%20Poster/cron/process_queue.php)
- Production hardening for `aiposter.z2a.us` in [.htaccess](/E:/ChatGPT%20Coding/AI%20Poster/.htaccess) and [core/init.php](/E:/ChatGPT%20Coding/AI%20Poster/core/init.php)

## Installation

1. Create a MySQL database and import [database/schema.sql](/E:/ChatGPT%20Coding/AI%20Poster/database/schema.sql).
2. Update [config/database.php](/E:/ChatGPT%20Coding/AI%20Poster/config/database.php) and [config/app.php](/E:/ChatGPT%20Coding/AI%20Poster/config/app.php) with production credentials.
3. Point Apache or LiteSpeed document root at this project, enable `mod_rewrite`, and keep `.htaccess` enabled.
4. Ensure `uploads/media`, `uploads/tmp`, and `logs` are writable by PHP.
5. Create the first admin manually:
   - Insert a user row with `role_id = 1`.
   - Generate the password using `password_hash()` in a one-off PHP shell.
6. Add cron entries:
   - `*/15 * * * * php /path/to/project/cron/refresh_tokens.php`
   - `* * * * * php /path/to/project/cron/process_queue.php`
   - `*/10 * * * * php /path/to/project/cron/retry_failed.php`
   - `0 * * * * php /path/to/project/cron/sync_imports.php`
7. Configure OAuth redirect URIs:
   - Facebook: `https://aiposter.z2a.us/api/platforms/facebook_connect.php?action=callback`
   - Google: `https://aiposter.z2a.us/api/platforms/youtube_connect.php?action=callback`
   - TikTok: `https://aiposter.z2a.us/api/platforms/tiktok_callback.php`

## Platform capability notes

- Facebook: the current foundation connects and publishes to Facebook Pages via the Graph API. Personal profile posting is not assumed.
- YouTube: uploads use the Data API `videos.insert` flow. Unverified API projects may have uploads default to private.
- TikTok: direct publishing requires approved `video.publish` or `video.upload` scopes, and unaudited clients can face private-only restrictions. 
- Import/sync is intentionally conservative because access depends on approved products and scopes.

## Security recommendations

- Move secrets from `config/app.php` into environment-loaded files outside the web root in production.
- Rotate OAuth refresh tokens and app secrets regularly.
- Put uploads behind malware scanning if you expect untrusted users.
- Add rate limiting on auth, password reset, OpenAI generation, and webhook endpoints.
- Replace the basic SMTP transport with a hardened mail relay or transactional provider if uptime matters.
- Serve the app only over HTTPS and enable secure session cookies at the PHP runtime level.
- Run the app behind Cloudflare or another WAF and restrict direct origin access where possible.
- Store PHP error logs outside the web root and disable `display_errors` in production.
- Re-run OAuth consent flows if Google or TikTok refresh tokens are revoked or rotated by the provider.
- Treat Facebook Page connections as reauthorization-based in this MVP when tokens become invalid.

## Key files

- [core/auth.php](/E:/ChatGPT%20Coding/AI%20Poster/core/auth.php)
- [core/platforms.php](/E:/ChatGPT%20Coding/AI%20Poster/core/platforms.php)
- [core/openai.php](/E:/ChatGPT%20Coding/AI%20Poster/core/openai.php)
- [user/schedule.php](/E:/ChatGPT%20Coding/AI%20Poster/user/schedule.php)
- [admin/settings.php](/E:/ChatGPT%20Coding/AI%20Poster/admin/settings.php)
- [cron/process_queue.php](/E:/ChatGPT%20Coding/AI%20Poster/cron/process_queue.php)
