feat: extract MediaController, wire into Dispatcher, delete media.php

app/bootstrap.php

@@ -0,0 +1,45 @@
+<?php
+
+/**
+ * Simple configuration for website
+ */
+
+// Define application root
+define('APP_ROOT', __DIR__);
+
+// Storage directory for uploaded files — intentionally outside the webroot
+// so no uploaded content is ever directly web-accessible (items #3 & #4).
+// Files are served through MediaController which validates paths and MIME types.
+define('STORAGE_ROOT', '/var/www/posterg/storage');
+
+// Error reporting
+if (php_sapi_name() === 'cli-server') {
+    // Development mode
+    error_reporting(E_ALL);
+    ini_set('display_errors', '1');
+} else {
+    // Production mode
+    error_reporting(E_ALL);
+    ini_set('display_errors', '0');
+    ini_set('log_errors', '1');
+}
+
+// Admin password hash is stored in site_settings (DB).
+// AdminAuth reads it on demand — no static config file needed.
+
+// Central application helper (boot, auth guard, CSRF, flash, render)
+require_once APP_ROOT . '/src/App.php';
+
+// Maintenance mode gate — block public pages; allow /admin/ through.
+// The flag file lives in storage/ (outside webroot) to avoid web exposure.
+define('MAINTENANCE_FLAG', APP_ROOT . '/storage/maintenance.flag');
+if (file_exists(MAINTENANCE_FLAG)) {
+    // Allow admin panel through (by path prefix) and the maintenance page itself
+    $requestPath = $_SERVER['REQUEST_URI'] ?? '';
+    $isAdmin = str_starts_with($requestPath, '/admin');
+    $isMaintenance = str_contains($requestPath, 'maintenance.php');
+    if (!$isAdmin && !$isMaintenance) {
+        require APP_ROOT . '/public/maintenance.php';
+        exit();
+    }
+}