================================================================================
META APP & WEBHOOK SETUP (checklist)
================================================================================
Do these steps in Meta Developer Console: https://developers.facebook.com/

1) CREATE APP
   - Create a Meta app (Business type is typical for Pages).
   - Add products: Messenger, Webhooks (add Facebook Login if the wizard suggests it).

2) APP SECRET & VERIFY TOKEN (server-only)
   - App Secret: App Dashboard -> Settings -> Basic -> App Secret -> Show.
     Put it in config/config.php as APP_SECRET (never commit config.php).
   - Webhook Verify Token: invent a long random string; same value in:
       - Meta -> Webhooks -> Verify Token field
       - config/config.php as WEBHOOK_VERIFY_TOKEN

3) PAGE & ACCESS TOKEN
   - Connect the Facebook Page you manage to the app.
   - Generate a Page access token with permissions such as:
       pages_messaging, pages_manage_metadata (Messenger)
       pages_read_engagement, pages_manage_engagement (comments; confirm names in dashboard)
   - Put PAGE_ID and PAGE_ACCESS_TOKEN in config/config.php.
   - Prefer long-lived Page tokens or System User tokens per Meta docs.

4) WEBHOOK CALLBACK URL (must be HTTPS publicly reachable)
   Example: https://YOUR-NGROK-SUBDOMAIN.ngrok.io/chatbot/public/webhook.php
   - Meta sends GET with hub.mode, hub.verify_token, hub.challenge for verification.
   - Subscribe your Page to the app and enable webhook fields:
       * messages (Messenger)
       * messaging_postbacks (optional)
       * feed (Page post / comment activity — needed for comments)
   - Exact field names may vary by app type; use "Test" in Meta dashboard to confirm delivery.

5) MESSENGER CONFIGURATION
   - In Messenger product settings, connect the Page and subscribe webhooks.
   - Ensure the Page is subscribed to webhook fields for messages.

6) APP MODE
   - Development mode: only testers/roles receive webhooks; add test users as needed.
   - For production, complete App Review for required permissions.

7) LOCAL XAMPP NOTE
   - Facebook cannot call http://localhost directly.
   - Use ngrok, Cloudflare Tunnel, or deploy to a host with HTTPS.

8) OPERATOR UI LOGIN
   - Copy config/config.example.php to config/config.php if needed.
   - Set operator_password_hash to a bcrypt hash from:
       php -r "echo password_hash('YOUR_PASSWORD', PASSWORD_BCRYPT), PHP_EOL;"

================================================================================