docs: map existing codebase

- stack.md (68 lines) - PHP/MySQL/Apache stack, vendored libraries
- architecture.md (131 lines) - Custom MVC CMS, dual-layer (front/admin)
- structure.md (170 lines) - Directory layout and conventions
- conventions.md (98 lines) - PHP snake_case, SCSS $c/$f prefixes, jQuery patterns
- testing.md (49 lines) - No automated tests detected
- integrations.md (111 lines) - Google Maps, PHPMailer, Pixieset, Facebook
- concerns.md (150 lines) - Critical security issues: hardcoded creds, MD5, unserialize
- db_schema.md (260 lines) - ~32 tables with pp_ prefix, inferred from source
- tech_changelog.md (9 lines) - Initial log entry

Co-Authored-By: Claude <noreply@anthropic.com>

.paul/codebase/integrations.md

@@ -0,0 +1,144 @@
+# External Integrations
+
+**Analysis Date:** 2026-05-05
+
+## APIs & External Services
+
+**Maps & Geolocation:**
+- Google Maps API — interactive contact/location maps on frontend
+  - Integration: JavaScript API via `https://maps.googleapis.com/maps/api/js?key=<key>`
+  - Auth: API key stored in `pp_settings` table as `google_map_key`
+  - Toggle: `google_maps` setting in admin settings
+  - Files: `templates/site/contact.php`, `admin/templates/settings/settings.php`
+
+- geoPlugin IP Geolocation — visitor IP-to-location lookup with currency detection
+  - Service URL: `http://www.geoplugin.net/php.gp?ip={IP}&base_currency={CURRENCY}`
+  - Library: `autoload/class.geoplugin.php`
+  - No API key required (free service)
+
+**Fonts & CDN Resources:**
+- Google Fonts — `https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700`
+  - File: `admin/templates/site/main-layout.php`
+- Google AJAX CDN — jQuery loaded from `//ajax.googleapis.com/ajax/libs/jquery/2.1.4/`
+  - File: `admin/templates/site/unlogged-layout.php`
+
+**Social Media:**
+- Facebook Likebox widget — fixed sidebar widget showing Facebook feed
+  - App ID: `194295077275888` (hardcoded in iframe)
+  - File: `templates/site/facebook.php`
+
+**Gallery:**
+- Pixieset — external photo gallery service integration
+  - Features: ZIP download of gallery images, mark favorites
+  - AJAX endpoints: `ajax.php?a=pixieset_*`
+  - Files: `templates/articles/article-gallery.php`, `ajax.php`
+
+## Data Storage
+
+**Databases:**
+- MySQL 5.7+ — primary data store for all CMS content
+  - Connection: credentials hardcoded in `config.php` (host, user, password, dbname)
+  - Client: Medoo ORM (`libraries/medoo/medoo.php`)
+  - Table prefix: `pp_` (~32 tables)
+  - Migrations: None detected — schema managed manually
+
+**File Storage:**
+- Local filesystem — all user uploads stored on server
+  - Images: `images/` directory
+  - Uploads: `upload/` directory
+  - Temp files: `admin/temp/`
+  - Cache/WebP: `cache/` directory
+  - No cloud storage (no AWS S3, no CDN)
+
+**Caching:**
+- Session-based cache via `\Cache` class (`autoload/class.Cache.php`)
+  - Keys pattern: `page_details:lang:id`
+  - File-based WebP image cache: `cache/` directory
+
+## Authentication & Identity
+
+**Auth Provider:**
+- Custom session-based authentication — no OAuth provider
+  - Implementation: `admin/index.php` (session check + cookie auto-login)
+  - Password storage: MD5 hashing (insecure — see concerns.md)
+  - Session security: IP address validation stored in `$_SESSION`
+  - Files: `autoload/admin/factory/class.Users.php`, `autoload/admin/class.Site.php`
+
+**OAuth Integrations:**
+- None detected
+
+## Email & Messaging
+
+**SMTP Mail:**
+- PHPMailer — SMTP-based transactional email
+  - Library: `libraries/phpmailer/class.phpmailer.php`, `libraries/phpmailer/class.smtp.php`
+  - Config: host, port, login, password stored in `pp_settings` table
+  - Settings keys: `email_host`, `email_port`, `email_login`, `email_password`
+  - Function: `\S::send_email()` in `autoload/class.S.php`
+  - Used for: contact forms, newsletter delivery
+
+**Newsletter:**
+- Custom database-driven newsletter system (no Mailchimp/SendGrid)
+  - Templates: `pp_newsletter_templates` table
+  - Subscribers: `pp_newsletter` table
+  - Send log: `pp_newsletter_send` table
+  - Files: `autoload/front/factory/class.Newsletter.php`
+
+## Analytics & Tracking
+
+**Analytics:**
+- Custom code injection — third-party analytics configured via admin settings
+  - Setting key: `statistic_code` (stored in `pp_settings`)
+  - Injection point: before `</head>` in `index.php`
+  - Supports: Google Analytics, Matomo, or any snippet
+
+**Error Tracking:**
+- None detected — no Sentry, Rollbar, or similar
+
+## Security
+
+**CAPTCHA:**
+- Custom JavaScript captcha for contact forms
+  - Library: `libraries/jquery/captcha.js`, `libraries/jquery/captcha.css`
+  - Toggle: `contact_form_captcha` setting
+  - File: `templates/site/contact.php`
+
+- Google reCAPTCHA — used in some contact form variants
+  - Secret key hardcoded in `plugins/special-actions-middle.php` (8 locations — see concerns.md)
+
+## CI/CD & Deployment
+
+**Hosting:**
+- Shared hosting at `serwer1574995.home.pl`
+  - Deployment: FTP via VS Code extension (`.vscode/sftp.json`, `.vscode/ftp-kr.json`)
+  - No automated deployment pipeline
+
+**CI Pipeline:**
+- None detected — no GitHub Actions, no CI configuration
+
+## Environment Configuration
+
+**Development:**
+- Required config: Database credentials in `config.php`
+- No `.env` or `.env.example` — all config hardcoded
+- FTP settings: `.vscode/sftp.json`
+
+**Production:**
+- Same `config.php` used for production (no environment separation)
+- No staging environment detected
+
+## Not Detected
+
+- ❌ Payment gateways (Stripe, PayPal, Przelewy24)
+- ❌ SMS services (Twilio, SMSAPI)
+- ❌ Cloud storage (AWS S3, Google Cloud Storage)
+- ❌ Error tracking (Sentry, Rollbar)
+- ❌ OAuth / SSO providers
+- ❌ Redis / Memcached
+- ❌ CDN (no Cloudflare, no CloudFront)
+- ❌ Webhooks (incoming or outgoing)
+
+---
+
+*Integration audit: 2026-05-05*
+*Update when adding/removing external services*