IP blocking — two ways to run it:

A) Recommended (no Firebase rules change for guests):
   Deploy api/visitor-ip-block-check.php with the same firebase-admin-bootstrap.local.php
   + service account as facebook-capi-purchase-proxy.php.
   The shop calls this endpoint; the server reads clients/{clientId}/security/blockedIps
   using the Admin SDK. Visitor IP is taken from the HTTP request (X-Forwarded-For first hop,
   CF-Connecting-IP, X-Real-IP, REMOTE_ADDR).

B) Optional (client-side RTDB read):
   If you prefer the browser to read blockedIps directly, merge database.rules.example.json
   into Realtime Database rules under clients/$clientId (public read on security/blockedIps only).
   You can remove or ignore this if you use (A).

Dashboard writes to security/blockedIps still require your existing authenticated admin rules.
