update-ai-blocklist.sh fetches the officially published IP ranges of AI crawlers
(OpenAI GPTBot, OAI-SearchBot, ChatGPT-User, PerplexityBot, Perplexity-User) and renders
them into an nginx geo map that sets $ai_blocked_ip to 1 for matching client IPs.
It validates every prefix as CIDR, dedupes across vendors, refuses suspiciously short
lists, installs atomically, checks the result with nginx -t (rolls back to the previous
list on failure) and reloads nginx only when the list actually changed — so it is safe
to run from cron.