Production hardening audit: dead code removal, PHP defensive fixes, nginx regex anchor

[Copilot]

Six targeted production-readiness fixes across the stack. No behavior changes to intended functionality.

Security

nginx/snippets/spx-upload-limits.conf — overbroad WP REST media location

# Before — matches /wp-json/wp/v2/media-settings, /wp-json/wp/v2/media<anything>
location ~* ^/wp-json/wp/v2/media {

# After — collection endpoint + numeric item IDs only
location ~* ^/wp-json/wp/v2/media(/[0-9]+)?$ {

Unanchored regex applied the 100 m body limit and GET HEAD POST OPTIONS method policy to unintended REST endpoints.

PHP (spx-upload-mimes.php)

• isset() → array_key_exists() on both constant-array key guards (project standard; isset returns false for null-valued keys)
• Initialize $detected = false before try/finally — variable was undefined if finfo_file() threw before assignment

Dead code removed

• nginx/maps/spx-high-risk-geo.map — not referenced by any nginx config, not deployed by CI (*.conf glob excludes .map), 2-country content out of sync with the 20+ country list hardcoded in spx-bot-mitigation-logic.conf; deployment comment was actively misleading
• scripts/__pycache__/spx-update-cloudflare.cpython-312.pyc — committed build artifact

Housekeeping

• .gitignore: add __pycache__/, *.pyc, *.pyo, *.pyd
• nginx/conf.d/spx-cloudflare-trust.conf: correct stale script name in auto-generated header (update_cloudflare.py → spx-update-cloudflare.py)

[MaximillianGroup]

@copilot resolve the merge conflicts in this pull request

[Copilot]

@copilot resolve the merge conflicts in this pull request

Done. The only conflict was in nginx/snippets/spx-upload-limits.conf where both branches anchored the /wp-json/wp/v2/media regex independently. I resolved it by keeping the version from main (which uses $hard_block_reason and positions the check after limit_except), discarding the stale $block_reason guard from this branch. The merge commit is 54a609f.