<?php
declare(strict_types=1);

session_start();

function loadDotEnv(string $path): void
{
    if (!is_file($path) || !is_readable($path)) {
        return;
    }

    $raw = file_get_contents($path);
    if ($raw === false || $raw === '') {
        return;
    }

    $lines = preg_split("/\r\n|\n|\r/", $raw) ?: [];
    foreach ($lines as $line) {
        $line = trim((string)$line);
        if ($line === '') {
            continue;
        }
        $first = $line[0] ?? '';
        if ($first === '#' || $first === ';') {
            continue;
        }

        $pos = strpos($line, '=');
        if ($pos === false || $pos <= 0) {
            continue;
        }
        $key = trim(substr($line, 0, $pos));
        $value = trim(substr($line, $pos + 1));
        if ($key === '' || $value === '') {
            continue;
        }

        if ((str_starts_with($value, '"') && str_ends_with($value, '"')) || (str_starts_with($value, "'") && str_ends_with($value, "'"))) {
            $value = substr($value, 1, -1);
        }

        if (getenv($key) !== false) {
            continue;
        }
        putenv($key . '=' . $value);
        $_ENV[$key] = $value;
        $_SERVER[$key] = $value;
    }
}

loadDotEnv(__DIR__ . '/.env');

if (PHP_SAPI === 'cli-server') {
    $requestPath = parse_url((string)($_SERVER['REQUEST_URI'] ?? '/'), PHP_URL_PATH);
    $requestPath = is_string($requestPath) ? $requestPath : '/';
    $localPath = __DIR__ . $requestPath;
    if (is_file($localPath)) {
        return false;
    }
}

$indexPath = __DIR__ . '/minhtuwindows.com/index.html';

if (!is_file($indexPath)) {
    http_response_code(500);
    echo 'Missing site files.';
    exit;
}

function jsonResponse(array $data, int $statusCode = 200): void
{
    http_response_code($statusCode);
    header('Content-Type: application/json; charset=UTF-8');
    echo json_encode($data, JSON_UNESCAPED_UNICODE);
    exit;
}

function normalizePath(string $path): string
{
    if ($path === '') {
        return '/';
    }
    if ($path !== '/' && str_ends_with($path, '/')) {
        $path = rtrim($path, '/');
    }
    return $path === '' ? '/' : $path;
}

function getCart(): array
{
    if (!isset($_SESSION['cart']) || !is_array($_SESSION['cart'])) {
        $_SESSION['cart'] = [
            'token' => session_id(),
            'items' => [],
            'note' => null,
            'attributes' => [],
            'cart_level_discount_applications' => [],
        ];
    }

    $cart = $_SESSION['cart'];
    $totalPrice = 0;
    $itemCount = 0;
    $totalWeight = 0;

    foreach ($cart['items'] as $item) {
        $linePrice = (int)($item['line_price'] ?? 0);
        $quantity = (int)($item['quantity'] ?? 0);
        $totalPrice += $linePrice;
        $itemCount += $quantity;
    }

    $cart['total_weight'] = $totalWeight;
    $cart['item_count'] = $itemCount;
    $cart['total_discounts'] = 0;
    $cart['total_price'] = $totalPrice;
    $cart['total_line_items_price'] = $totalPrice;
    $cart['requires_shipping'] = false;

    $_SESSION['cart'] = $cart;
    return $cart;
}

function saveCart(array $cart): void
{
    $_SESSION['cart'] = $cart;
}

function buildLineItem(string $id, int $quantity, int $price, string $title = '', ?string $image = null, string $url = '#'): array
{
    $title = $title !== '' ? $title : ('Sản phẩm ' . $id);
    $linePrice = $price * $quantity;
    $url = $url !== '' ? $url : '#';

    return [
        'id' => $id,
        'variant_id' => $id,
        'product_id' => $id,
        'quantity' => $quantity,
        'title' => $title,
        'product_title' => $title,
        'variant_title' => '',
        'price' => $price,
        'line_price' => $linePrice,
        'image' => $image,
        'url' => $url,
        'properties' => new stdClass(),
    ];
}

function renderIndexWithInjectedScript(string $indexPath, string $script): void
{
    header('Content-Type: text/html; charset=UTF-8');
    $html = file_get_contents($indexPath);
    if ($html === false) {
        http_response_code(500);
        echo 'Missing site files.';
        exit;
    }

    $needle = '</body>';
    $pos = stripos($html, $needle);
    if ($pos !== false) {
        $html = substr($html, 0, $pos) . $script . substr($html, $pos);
    } else {
        $html .= $script;
    }

    echo $html;
    exit;
}

function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function getCsrfToken(): string
{
    if (!isset($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token']) || $_SESSION['csrf_token'] === '') {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function requireCsrfToken(string $token): void
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if (!is_string($expected) || $expected === '' || !hash_equals($expected, $token)) {
        http_response_code(400);
        echo 'Invalid request.';
        exit;
    }
}

function getMysqlConfig(): ?array
{
    $host = trim((string)getenv('APP_DB_HOST'));
    $name = trim((string)getenv('APP_DB_NAME'));
    $user = trim((string)getenv('APP_DB_USER'));
    $pass = (string)getenv('APP_DB_PASS');
    $port = trim((string)getenv('APP_DB_PORT'));
    $charset = trim((string)getenv('APP_DB_CHARSET'));

    if ($host === '' || $name === '' || $user === '') {
        return null;
    }

    if ($port === '') {
        $port = '3306';
    }
    if ($charset === '') {
        $charset = 'utf8mb4';
    }

    return [
        'host' => $host,
        'port' => $port,
        'name' => $name,
        'user' => $user,
        'pass' => $pass,
        'charset' => $charset,
    ];
}

function dbPdo(): ?PDO
{
    static $pdo = null;
    static $tried = false;
    if ($tried) {
        return $pdo;
    }
    $tried = true;

    if (!class_exists('PDO')) {
        return null;
    }
    $drivers = PDO::getAvailableDrivers();
    if (!in_array('mysql', $drivers, true)) {
        return null;
    }
    $cfg = getMysqlConfig();
    if (!$cfg) {
        return null;
    }

    $dsn = 'mysql:host=' . $cfg['host'] . ';port=' . $cfg['port'] . ';dbname=' . $cfg['name'] . ';charset=' . $cfg['charset'];
    try {
        $pdo = new PDO($dsn, $cfg['user'], $cfg['pass'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
    } catch (Throwable) {
        $pdo = null;
    }

    return $pdo;
}

function usersFilePath(): string
{
    return __DIR__ . '/storage/users.json';
}

function loadUsersFromJson(): array
{
    $path = usersFilePath();
    if (!is_file($path)) {
        return [];
    }
    $raw = file_get_contents($path);
    if ($raw === false || $raw === '') {
        return [];
    }
    $data = json_decode($raw, true);
    return is_array($data) ? $data : [];
}

function saveUsersToJson(array $users): void
{
    $path = usersFilePath();
    $dir = dirname($path);
    if (!is_dir($dir)) {
        mkdir($dir, 0755, true);
    }
    file_put_contents($path, json_encode($users, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT), LOCK_EX);
}

function ensureUsersTable(PDO $pdo): void
{
    $sql =
        'CREATE TABLE IF NOT EXISTS users (' .
        'id VARCHAR(32) NOT NULL,' .
        'email VARCHAR(190) NOT NULL,' .
        'name VARCHAR(190) NOT NULL,' .
        'password_hash VARCHAR(255) NOT NULL,' .
        'is_admin TINYINT(1) NOT NULL DEFAULT 0,' .
        'created_at INT NOT NULL,' .
        'updated_at INT NULL,' .
        'PRIMARY KEY (id),' .
        'UNIQUE KEY uniq_email (email)' .
        ') ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci';
    $pdo->exec($sql);
}

function mysqlUsersCount(PDO $pdo): int
{
    $stmt = $pdo->query('SELECT COUNT(*) FROM users');
    $count = $stmt ? $stmt->fetchColumn() : 0;
    return (int)$count;
}

function normalizeUsersArray(array $users): array
{
    $out = [];
    foreach ($users as $key => $user) {
        if (!is_array($user)) {
            continue;
        }
        $email = strtolower(trim((string)($user['email'] ?? $key)));
        if ($email === '') {
            continue;
        }
        $id = (string)($user['id'] ?? '');
        if ($id === '') {
            $id = bin2hex(random_bytes(16));
        }
        $out[$email] = [
            'id' => $id,
            'email' => $email,
            'name' => (string)($user['name'] ?? ''),
            'password_hash' => (string)($user['password_hash'] ?? ''),
            'is_admin' => !empty($user['is_admin']),
            'created_at' => (int)($user['created_at'] ?? time()),
            'updated_at' => isset($user['updated_at']) ? (int)$user['updated_at'] : null,
        ];
    }
    return $out;
}

function mysqlLoadUsers(PDO $pdo): array
{
    $stmt = $pdo->query('SELECT id, email, name, password_hash, is_admin, created_at, updated_at FROM users');
    $rows = $stmt ? $stmt->fetchAll() : [];
    $out = [];
    foreach ($rows as $row) {
        if (!is_array($row)) {
            continue;
        }
        $email = strtolower((string)($row['email'] ?? ''));
        if ($email === '') {
            continue;
        }
        $out[$email] = [
            'id' => (string)($row['id'] ?? ''),
            'email' => $email,
            'name' => (string)($row['name'] ?? ''),
            'password_hash' => (string)($row['password_hash'] ?? ''),
            'is_admin' => !empty($row['is_admin']),
            'created_at' => (int)($row['created_at'] ?? 0),
            'updated_at' => isset($row['updated_at']) ? (int)$row['updated_at'] : null,
        ];
    }
    return $out;
}

function mysqlSaveUsers(PDO $pdo, array $users): void
{
    $users = normalizeUsersArray($users);

    $pdo->beginTransaction();
    try {
        $existing = $pdo->query('SELECT LOWER(email) AS email FROM users');
        $existingEmails = $existing ? $existing->fetchAll(PDO::FETCH_COLUMN) : [];
        $incomingEmails = array_keys($users);

        $incomingSet = [];
        foreach ($incomingEmails as $e) {
            $incomingSet[$e] = true;
        }
        $delete = [];
        foreach ($existingEmails as $e) {
            $e = strtolower((string)$e);
            if ($e !== '' && !isset($incomingSet[$e])) {
                $delete[] = $e;
            }
        }
        if ($delete) {
            $placeholders = implode(',', array_fill(0, count($delete), '?'));
            $delStmt = $pdo->prepare('DELETE FROM users WHERE LOWER(email) IN (' . $placeholders . ')');
            $delStmt->execute($delete);
        }

        $upsert = $pdo->prepare(
            'INSERT INTO users (id, email, name, password_hash, is_admin, created_at, updated_at) ' .
            'VALUES (:id, :email, :name, :password_hash, :is_admin, :created_at, :updated_at) ' .
            'ON DUPLICATE KEY UPDATE ' .
            'name = VALUES(name), ' .
            'password_hash = VALUES(password_hash), ' .
            'is_admin = VALUES(is_admin), ' .
            'created_at = VALUES(created_at), ' .
            'updated_at = VALUES(updated_at)'
        );

        foreach ($users as $user) {
            $upsert->execute([
                ':id' => (string)($user['id'] ?? ''),
                ':email' => (string)($user['email'] ?? ''),
                ':name' => (string)($user['name'] ?? ''),
                ':password_hash' => (string)($user['password_hash'] ?? ''),
                ':is_admin' => !empty($user['is_admin']) ? 1 : 0,
                ':created_at' => (int)($user['created_at'] ?? time()),
                ':updated_at' => isset($user['updated_at']) ? (int)$user['updated_at'] : null,
            ]);
        }

        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

function loadUsers(): array
{
    $pdo = dbPdo();
    if (!$pdo) {
        return normalizeUsersArray(loadUsersFromJson());
    }

    try {
        ensureUsersTable($pdo);
        if (mysqlUsersCount($pdo) === 0) {
            $fromJson = loadUsersFromJson();
            if ($fromJson) {
                mysqlSaveUsers($pdo, $fromJson);
            }
        }
        return mysqlLoadUsers($pdo);
    } catch (Throwable) {
        return normalizeUsersArray(loadUsersFromJson());
    }
}

function saveUsers(array $users): void
{
    $pdo = dbPdo();
    if (!$pdo) {
        saveUsersToJson(normalizeUsersArray($users));
        return;
    }
    try {
        ensureUsersTable($pdo);
        mysqlSaveUsers($pdo, $users);
    } catch (Throwable) {
        saveUsersToJson(normalizeUsersArray($users));
    }
}

function getLoggedInUser(): ?array
{
    $user = $_SESSION['user'] ?? null;
    return is_array($user) ? $user : null;
}

function isAdminUser(?array $user): bool
{
    return is_array($user) && !empty($user['is_admin']);
}

function setLoggedInUser(array $user): void
{
    $_SESSION['user'] = $user;
}

function logoutUser(): void
{
    unset($_SESSION['user']);
}

function requireLogin(string $returnUrl): void
{
    $user = getLoggedInUser();
    if ($user) {
        return;
    }
    header('Location: /account/login?ReturnUrl=' . rawurlencode($returnUrl), true, 302);
    exit;
}

function requireAdmin(string $returnUrl = '/admin'): void
{
    requireLogin($returnUrl);
    $user = getLoggedInUser();
    if (!isAdminUser($user)) {
        http_response_code(403);
        echo 'Forbidden';
        exit;
    }
}

function sanitizeReturnUrl(?string $returnUrl): string
{
    if ($returnUrl === null) {
        return '/account';
    }
    $returnUrl = trim($returnUrl);
    if ($returnUrl === '') {
        return '/account';
    }
    if (!str_starts_with($returnUrl, '/')) {
        return '/account';
    }
    if (str_contains($returnUrl, "\n") || str_contains($returnUrl, "\r")) {
        return '/account';
    }
    if (str_contains($returnUrl, '://')) {
        return '/account';
    }
    return $returnUrl;
}

function loadLayoutParts(string $indexPath): array
{
    static $cache = null;
    if (is_array($cache)) {
        return $cache;
    }

    $html = file_get_contents($indexPath);
    if ($html === false) {
        http_response_code(500);
        echo 'Missing site files.';
        exit;
    }

    $bodyPos = stripos($html, '<body');
    if ($bodyPos === false) {
        http_response_code(500);
        echo 'Invalid site template.';
        exit;
    }
    $bodyTagEnd = strpos($html, '>', $bodyPos);
    if ($bodyTagEnd === false) {
        http_response_code(500);
        echo 'Invalid site template.';
        exit;
    }

    $headAndBodyOpen = substr($html, 0, $bodyTagEnd + 1);
    $bodyClosePos = stripos($html, '</body>');
    if ($bodyClosePos === false) {
        http_response_code(500);
        echo 'Invalid site template.';
        exit;
    }

    $bodyInner = substr($html, $bodyTagEnd + 1, $bodyClosePos - ($bodyTagEnd + 1));
    $bgHomePos = stripos($bodyInner, '<div class="bg-home"><section style="background-image:url('/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg');background-size:cover;background-position:center;padding:70px 0;"><div class="container"><div class="text-center" style="color:#fff;"><h1 style="font-size:34px;margin-bottom:10px;">Dự án</h1><div>Trang chủ &nbsp;/&nbsp; Dự án</div></div></div></section><section style="padding:40px 0;"><div class="container"><div class="alert alert-info">Chưa có dự án.</div></div></section><footer');
    if ($footerPos === false) {
        http_response_code(500);
        echo 'Invalid site template.';
        exit;
    }

    $suffix = substr($bodyInner, $footerPos);
    $tail = substr($html, $bodyClosePos);
    $cache = [
        'head' => $headAndBodyOpen,
        'prefix' => $prefix,
        'suffix' => $suffix . $tail,
    ];
    return $cache;
}

function applyAuthToHtml(string $html): string
{
    $user = getLoggedInUser();
    if (!$user) {
        return $html;
    }

    $adminLink = isAdminUser($user) ? '<a href="/admin">Admin</a>' : '';

    $html = preg_replace(
        '/(<li class="account[^>]*>[\s\S]*?<div class="drop-account">)([\s\S]*?)(<\/div>)/',
        '$1' . $adminLink . '<a href="/account">Tài khoản</a><a href="/account/logout">Đăng xuất</a>$3',
        $html,
        1
    ) ?? $html;

    $html = preg_replace(
        '/(<div class="user-account">)([\s\S]*?)(<\/div>)/',
        '$1' . (isAdminUser($user) ? '<a class="btnx" href="/admin">Admin</a><small><a href="/account">Tài khoản</a></small><small><a href="/account/logout">Đăng xuất</a></small>' : '<a class="btnx" href="/account">Tài khoản</a><small><a href="/account/logout">Đăng xuất</a></small>') . '$3',
        $html,
        1
    ) ?? $html;

    return $html;
}

function applyHomeProductsToHtml(string $html): string
{
    if (!str_contains($html, 'id="home-products-grid"')) {
        return $html;
    }

    $store = loadContent();
    $products = is_array($store['products']) ? $store['products'] : [];

    $cards = '';
    if ($products === []) {
        $cards = '<div class="col-12"><div class="alert alert-info">Chưa có sản phẩm.</div></div>';
    } else {
        $items = [];
        foreach ($products as $slug => $product) {
            if (!is_array($product)) {
                continue;
            }
            $items[] = ['slug' => (string)$slug] + $product;
        }
        usort($items, function (array $a, array $b): int {
            return (int)($b['updated_at'] ?? 0) <=> (int)($a['updated_at'] ?? 0);
        });

        $max = 6;
        $count = 0;
        foreach ($items as $product) {
            if ($count >= $max) {
                break;
            }
            $slug = (string)($product['slug'] ?? '');
            if ($slug === '') {
                continue;
            }
            $title = (string)($product['title'] ?? '');
            $excerpt = (string)($product['excerpt'] ?? '');
            $image = (string)($product['image'] ?? '');
            $price = (int)($product['price'] ?? 0);
            $priceText = $price > 0 ? number_format($price, 0, ',', '.') . '₫' : 'Liên hệ';
            $url = '/san-pham/' . $slug;
            $imgHtml = $image !== '' ? '<img src="' . h($image) . '" alt="' . h($title) . '" style="width:100%;height:200px;object-fit:cover;border-radius:14px 14px 0 0;">' : '<div style="height:200px;background:#f2f2f2;border-radius:14px 14px 0 0;"></div>';

            $cards .=
                '<div class="col-lg-4 col-md-6 mb-4">' .
                '<div class="card" style="border-radius:14px;overflow:hidden;border:1px solid #eee;box-shadow:0 8px 26px rgba(0,0,0,.04);">' .
                $imgHtml .
                '<div class="card-body">' .
                '<div class="d-flex align-items-start justify-content-between" style="gap:12px;">' .
                '<div style="min-width:0;"><div style="font-weight:800;font-size:16px;line-height:1.3;"><a href="' . h($url) . '" style="color:var(--textColor);">' . h($title) . '</a></div>' .
                '<div class="text-muted small" style="margin-top:6px;">' . h($excerpt) . '</div></div>' .
                '<div style="font-weight:800;color:var(--mainColor);white-space:nowrap;">' . h($priceText) . '</div>' .
                '</div>' .
                '<div class="mt-3"><a class="btn btn_base" href="' . h($url) . '" style="width:100%;">Xem chi tiết</a></div>' .
                '</div>' .
                '</div>' .
                '</div>';
            $count++;
        }
    }

    $html = preg_replace(
        '/<div class="row" id="home-products-grid">[\s\S]*?<\/div>/',
        '<div class="row" id="home-products-grid">' . $cards . '</div>',
        $html,
        1
    ) ?? $html;

    return $html;
}

function contentFilePath(): string
{
    return __DIR__ . '/storage/content.json';
}

function loadContentFromJson(): array
{
    $path = contentFilePath();
    if (!is_file($path)) {
        return [
            'posts' => [],
            'projects' => [],
            'products' => [],
            'settings' => [],
        ];
    }
    $raw = file_get_contents($path);
    if ($raw === false || $raw === '') {
        return [
            'posts' => [],
            'projects' => [],
            'products' => [],
            'settings' => [],
        ];
    }
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        return [
            'posts' => [],
            'projects' => [],
            'products' => [],
            'settings' => [],
        ];
    }
    if (!isset($data['posts']) || !is_array($data['posts'])) {
        $data['posts'] = [];
    }
    if (!isset($data['projects']) || !is_array($data['projects'])) {
        $data['projects'] = [];
    }
    if (!isset($data['products']) || !is_array($data['products'])) {
        $data['products'] = [];
    }
    if (!isset($data['settings']) || !is_array($data['settings'])) {
        $data['settings'] = [];
    }
    return $data;
}

function saveContentToJson(array $content): void
{
    $path = contentFilePath();
    $dir = dirname($path);
    if (!is_dir($dir)) {
        mkdir($dir, 0755, true);
    }
    file_put_contents($path, json_encode($content, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT), LOCK_EX);
}

function ensureContentTables(PDO $pdo): void
{
    $sql1 =
        'CREATE TABLE IF NOT EXISTS content_items (' .
        'type VARCHAR(20) NOT NULL,' .
        'slug VARCHAR(190) NOT NULL,' .
        'title VARCHAR(255) NOT NULL,' .
        'excerpt TEXT NULL,' .
        'content LONGTEXT NULL,' .
        'image VARCHAR(255) NULL,' .
        'price INT NULL,' .
        'created_at INT NOT NULL,' .
        'updated_at INT NULL,' .
        'PRIMARY KEY (type, slug),' .
        'KEY idx_type_updated (type, updated_at),' .
        'KEY idx_type_created (type, created_at)' .
        ') ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci';
    $pdo->exec($sql1);

    $sql2 =
        'CREATE TABLE IF NOT EXISTS settings (' .
        '`key` VARCHAR(100) NOT NULL,' .
        '`value` LONGTEXT NOT NULL,' .
        'updated_at INT NULL,' .
        'PRIMARY KEY (`key`)' .
        ') ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci';
    $pdo->exec($sql2);
}

function normalizeContentStore(array $store): array
{
    $out = [
        'posts' => [],
        'projects' => [],
        'products' => [],
        'settings' => [],
    ];

    $now = time();

    foreach (['posts', 'projects', 'products'] as $type) {
        $items = isset($store[$type]) && is_array($store[$type]) ? $store[$type] : [];
        foreach ($items as $k => $item) {
            if (!is_array($item)) {
                continue;
            }
            $slug = trim((string)($item['slug'] ?? $k));
            $slug = $slug !== '' ? slugify($slug) : '';
            if ($slug === '') {
                continue;
            }
            $createdAt = isset($item['created_at']) ? (int)$item['created_at'] : $now;
            $updatedAt = isset($item['updated_at']) ? (int)$item['updated_at'] : null;
            $record = $item;
            $record['slug'] = $slug;
            $record['title'] = (string)($record['title'] ?? '');
            $record['excerpt'] = (string)($record['excerpt'] ?? '');
            $record['content'] = (string)($record['content'] ?? '');
            $record['image'] = (string)($record['image'] ?? '');
            $record['created_at'] = $createdAt > 0 ? $createdAt : $now;
            $record['updated_at'] = $updatedAt !== null && $updatedAt > 0 ? $updatedAt : $record['created_at'];

            if ($type === 'products') {
                $record['price'] = (int)($record['price'] ?? 0);
            }

            $out[$type][$slug] = $record;
        }
    }

    $settings = isset($store['settings']) && is_array($store['settings']) ? $store['settings'] : [];
    foreach ($settings as $k => $v) {
        $key = trim((string)$k);
        if ($key === '') {
            continue;
        }
        $out['settings'][$key] = is_string($v) ? $v : (is_scalar($v) ? (string)$v : json_encode($v, JSON_UNESCAPED_UNICODE));
    }

    return $out;
}

function mysqlContentCount(PDO $pdo): int
{
    $stmt = $pdo->query('SELECT COUNT(*) FROM content_items');
    $count = $stmt ? $stmt->fetchColumn() : 0;
    return (int)$count;
}

function mysqlLoadContent(PDO $pdo): array
{
    $store = [
        'posts' => [],
        'projects' => [],
        'products' => [],
        'settings' => [],
    ];

    $stmt = $pdo->query('SELECT type, slug, title, excerpt, content, image, price, created_at, updated_at FROM content_items');
    $rows = $stmt ? $stmt->fetchAll() : [];
    foreach ($rows as $row) {
        if (!is_array($row)) {
            continue;
        }
        $type = (string)($row['type'] ?? '');
        $slug = (string)($row['slug'] ?? '');
        if ($type === '' || $slug === '' || !isset($store[$type]) || $type === 'settings') {
            continue;
        }
        $record = [
            'slug' => $slug,
            'title' => (string)($row['title'] ?? ''),
            'excerpt' => (string)($row['excerpt'] ?? ''),
            'content' => (string)($row['content'] ?? ''),
            'image' => (string)($row['image'] ?? ''),
            'created_at' => (int)($row['created_at'] ?? 0),
            'updated_at' => isset($row['updated_at']) ? (int)$row['updated_at'] : null,
        ];
        if ($type === 'products') {
            $record['price'] = (int)($row['price'] ?? 0);
        }
        $store[$type][$slug] = $record;
    }

    $stmt2 = $pdo->query('SELECT `key`, `value` FROM settings');
    $rows2 = $stmt2 ? $stmt2->fetchAll() : [];
    foreach ($rows2 as $row) {
        if (!is_array($row)) {
            continue;
        }
        $key = (string)($row['key'] ?? '');
        if ($key === '') {
            continue;
        }
        $store['settings'][$key] = (string)($row['value'] ?? '');
    }

    return normalizeContentStore($store);
}

function mysqlSaveContent(PDO $pdo, array $store): void
{
    $store = normalizeContentStore($store);

    $pdo->beginTransaction();
    try {
        foreach (['posts', 'projects', 'products'] as $type) {
            $existingStmt = $pdo->prepare('SELECT slug FROM content_items WHERE type = ?');
            $existingStmt->execute([$type]);
            $existingSlugs = $existingStmt->fetchAll(PDO::FETCH_COLUMN) ?: [];

            $incoming = $store[$type];
            $incomingSet = [];
            foreach (array_keys($incoming) as $s) {
                $incomingSet[(string)$s] = true;
            }

            $toDelete = [];
            foreach ($existingSlugs as $s) {
                $s = (string)$s;
                if ($s !== '' && !isset($incomingSet[$s])) {
                    $toDelete[] = $s;
                }
            }
            if ($toDelete) {
                $placeholders = implode(',', array_fill(0, count($toDelete), '?'));
                $del = $pdo->prepare('DELETE FROM content_items WHERE type = ? AND slug IN (' . $placeholders . ')');
                $del->execute(array_merge([$type], $toDelete));
            }

            $upsert = $pdo->prepare(
                'INSERT INTO content_items (type, slug, title, excerpt, content, image, price, created_at, updated_at) ' .
                'VALUES (:type, :slug, :title, :excerpt, :content, :image, :price, :created_at, :updated_at) ' .
                'ON DUPLICATE KEY UPDATE ' .
                'title = VALUES(title), ' .
                'excerpt = VALUES(excerpt), ' .
                'content = VALUES(content), ' .
                'image = VALUES(image), ' .
                'price = VALUES(price), ' .
                'created_at = VALUES(created_at), ' .
                'updated_at = VALUES(updated_at)'
            );

            foreach ($incoming as $slug => $item) {
                if (!is_array($item)) {
                    continue;
                }
                $createdAt = isset($item['created_at']) ? (int)$item['created_at'] : time();
                $updatedAt = isset($item['updated_at']) ? (int)$item['updated_at'] : null;
                $upsert->execute([
                    ':type' => $type,
                    ':slug' => (string)$slug,
                    ':title' => (string)($item['title'] ?? ''),
                    ':excerpt' => (string)($item['excerpt'] ?? ''),
                    ':content' => (string)($item['content'] ?? ''),
                    ':image' => (string)($item['image'] ?? ''),
                    ':price' => $type === 'products' ? (int)($item['price'] ?? 0) : null,
                    ':created_at' => $createdAt > 0 ? $createdAt : time(),
                    ':updated_at' => $updatedAt !== null && $updatedAt > 0 ? $updatedAt : time(),
                ]);
            }
        }

        $existingSettings = $pdo->query('SELECT `key` FROM settings');
        $existingKeys = $existingSettings ? $existingSettings->fetchAll(PDO::FETCH_COLUMN) : [];
        $incomingKeys = array_keys($store['settings']);
        $incomingSet = [];
        foreach ($incomingKeys as $k) {
            $incomingSet[(string)$k] = true;
        }
        $toDelete = [];
        foreach ($existingKeys as $k) {
            $k = (string)$k;
            if ($k !== '' && !isset($incomingSet[$k])) {
                $toDelete[] = $k;
            }
        }
        if ($toDelete) {
            $placeholders = implode(',', array_fill(0, count($toDelete), '?'));
            $del = $pdo->prepare('DELETE FROM settings WHERE `key` IN (' . $placeholders . ')');
            $del->execute($toDelete);
        }

        $upsertSetting = $pdo->prepare(
            'INSERT INTO settings (`key`, `value`, updated_at) VALUES (:key, :value, :updated_at) ' .
            'ON DUPLICATE KEY UPDATE `value` = VALUES(`value`), updated_at = VALUES(updated_at)'
        );
        $now = time();
        foreach ($store['settings'] as $k => $v) {
            $key = (string)$k;
            if ($key === '') {
                continue;
            }
            $upsertSetting->execute([
                ':key' => $key,
                ':value' => (string)$v,
                ':updated_at' => $now,
            ]);
        }

        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

function loadContent(): array
{
    $pdo = dbPdo();
    if (!$pdo) {
        return normalizeContentStore(loadContentFromJson());
    }

    try {
        ensureContentTables($pdo);
        if (mysqlContentCount($pdo) === 0) {
            $fromJson = loadContentFromJson();
            $normalized = normalizeContentStore($fromJson);
            $hasAny =
                ($normalized['posts'] !== []) ||
                ($normalized['projects'] !== []) ||
                ($normalized['products'] !== []) ||
                ($normalized['settings'] !== []);
            if ($hasAny) {
                mysqlSaveContent($pdo, $normalized);
            }
        }
        return mysqlLoadContent($pdo);
    } catch (Throwable) {
        return normalizeContentStore(loadContentFromJson());
    }
}

function saveContent(array $content): void
{
    $pdo = dbPdo();
    if (!$pdo) {
        saveContentToJson(normalizeContentStore($content));
        return;
    }
    try {
        ensureContentTables($pdo);
        mysqlSaveContent($pdo, $content);
    } catch (Throwable) {
        saveContentToJson(normalizeContentStore($content));
    }
}

function slugify(string $value): string
{
    $value = trim($value);
    if ($value === '') {
        return '';
    }
    if (function_exists('iconv')) {
        $converted = @iconv('UTF-8', 'ASCII//TRANSLIT//IGNORE', $value);
        if (is_string($converted) && $converted !== '') {
            $value = $converted;
        }
    }
    $value = strtolower($value);
    $value = preg_replace('/[^a-z0-9]+/i', '-', $value) ?? $value;
    $value = trim($value, '-');
    $value = preg_replace('/-+/', '-', $value) ?? $value;
    return $value;
}

function sanitizeInlineStyle(string $style): string
{
    $allow = [
        'text-align' => true,
        'color' => true,
        'background-color' => true,
        'font-weight' => true,
        'font-style' => true,
        'text-decoration' => true,
    ];

    $style = trim($style);
    if ($style === '') {
        return '';
    }

    $out = [];
    foreach (explode(';', $style) as $part) {
        $part = trim($part);
        if ($part === '' || !str_contains($part, ':')) {
            continue;
        }
        [$k, $v] = array_map('trim', explode(':', $part, 2));
        $k = strtolower($k);
        if ($k === '' || $v === '' || !isset($allow[$k])) {
            continue;
        }
        $vLower = strtolower($v);
        if (str_contains($vLower, 'expression') || str_contains($vLower, 'javascript:') || str_contains($vLower, 'url(')) {
            continue;
        }
        $out[] = $k . ':' . $v;
    }

    return implode(';', $out);
}

function sanitizeRichHtml(string $html): string
{
    $html = str_replace("\0", '', $html);
    $html = preg_replace('#<\s*(script|style)[^>]*>[\s\S]*?<\s*/\s*\1\s*>#i', '', $html) ?? $html;
    $allowed = '<p><br><b><strong><i><em><u><s><a><ul><ol><li><h2><h3><h4><blockquote><img><table><thead><tbody><tr><th><td><span><div>';
    $html = strip_tags($html, $allowed);
    $html = preg_replace('/\son\w+\s*=\s*(\"[^\"]*\"|\'[^\']*\'|[^\s>]+)/i', '', $html) ?? $html;
    $html = preg_replace_callback(
        '/\sstyle\s*=\s*(\"([^\"]*)\"|\'([^\']*)\')/i',
        function(array $m): string {
            $raw = isset($m[2]) && $m[2] !== '' ? $m[2] : (string)($m[3] ?? '');
            $san = sanitizeInlineStyle($raw);
            return $san !== '' ? ' style="' . h($san) . '"' : '';
        },
        $html
    ) ?? $html;
    $html = preg_replace('/\shref\s*=\s*(\"|\')\s*javascript:[^\"\']*(\"|\')/i', ' href="#"', $html) ?? $html;
    $html = preg_replace('/\ssrc\s*=\s*(\"|\')\s*javascript:[^\"\']*(\"|\')/i', '', $html) ?? $html;
    return trim($html);
}

function uploadsDirPath(): string
{
    return __DIR__ . '/uploads';
}

function handleUpload(string $fieldName): ?string
{
    if (!isset($_FILES[$fieldName]) || !is_array($_FILES[$fieldName])) {
        return null;
    }
    $file = $_FILES[$fieldName];
    if (!isset($file['error'], $file['tmp_name'], $file['name'])) {
        return null;
    }
    if ((int)$file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = (string)$file['tmp_name'];
    if ($tmp === '' || !is_file($tmp)) {
        return null;
    }
    $size = isset($file['size']) ? (int)$file['size'] : 0;
    if ($size <= 0 || $size > 10 * 1024 * 1024) {
        return null;
    }

    $mime = '';
    if (class_exists('finfo')) {
        $fi = new finfo(FILEINFO_MIME_TYPE);
        $detected = $fi->file($tmp);
        if (is_string($detected)) {
            $mime = $detected;
        }
    }
    if ($mime === '' && function_exists('getimagesize')) {
        $info = @getimagesize($tmp);
        if (is_array($info) && isset($info['mime']) && is_string($info['mime'])) {
            $mime = $info['mime'];
        }
    }

    $allowed = [
        'image/jpeg' => 'jpg',
        'image/jpg' => 'jpg',
        'image/pjpeg' => 'jpg',
        'image/png' => 'png',
        'image/gif' => 'gif',
        'image/webp' => 'webp',
    ];
    $ext = $mime !== '' && isset($allowed[$mime]) ? $allowed[$mime] : '';
    if ($ext === '') {
        $name = (string)($file['name'] ?? '');
        $fromName = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        $allowedExt = ['jpg' => true, 'jpeg' => true, 'png' => true, 'gif' => true, 'webp' => true];
        if (isset($allowedExt[$fromName])) {
            if (function_exists('getimagesize') && @getimagesize($tmp) !== false) {
                $ext = $fromName === 'jpeg' ? 'jpg' : $fromName;
            }
        }
    }
    if ($ext === '') {
        return null;
    }

    $dir = uploadsDirPath();
    if (!is_dir($dir)) {
        mkdir($dir, 0755, true);
    }

    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = $dir . '/' . $name;

    if (!move_uploaded_file($tmp, $dest)) {
        return null;
    }

    return '/uploads/' . $name;
}

function getSiteSettings(): array
{
    $defaults = [
        'company_name' => 'CÔNG TY CỔ PHẦN ĐẦU TƯ VÀ PHÁT TRIỂN ACP MINH TÚ',
        'address' => 'Số 51, ngách 99/110/32, Định Công Hạ, P Định Công, Hà Nội',
        'email' => 'admin@gmail.com',
        'phone' => '0356666312',
        'about_top_title' => 'Chúng tôi là ai',
        'about_title' => '',
        'about_desc' =>
            'Chúng tôi, Công ty CP đầu tư và Phát triển ACP Minh Tú với hơn 15 năm kinh nghiệm trong lĩnh vực thi công mặt dựng Alumilium, mái sảnh, hoàn thiện nội, ngoại thất,... đã được sự tin tưởng, tín nhiệm của các đối tác trong và ngoài nước trên toàn Quốc. Với định hướng phát triển bền vững về chất lượng sản phẩm, dịch vụ, Acp Minh Tú luôn nỗ lực phấn đấu không ngừng, cập nhật xu hướng phát triển nhằm đem lại cho quý khách những công trình có giá trị cao, nâng tầm chất lượng, đảm bảo tính thẩm mỹ, để trở thành đối tác quen thuộc và chiếm chọn sự tin yêu của Quý khách hàng.',
        'footer_services_html' =>
            '<li><a href="/thi-cong-tam-op-nhom-aluminium" title="Thi công mặt dựng Facade">Thi công mặt dựng Facade</a></li>' .
            '<li><a href="/san-xuat-he-cua-nhom-kinh" title="Sản xuất hệ cửa nhôm kính">Sản xuất hệ cửa nhôm kính</a></li>' .
            '<li><a href="/thi-cong-mat-dung-aluminium-la-gi" title="Thi công mặt dựng Aluminium là gì?">Thi công mặt dựng Aluminium là gì?</a></li>',
        'footer_projects_html' =>
            '<li><a href="#projects" title="Dự án tiêu biểu">Dự án tiêu biểu</a></li>' .
            '<li><a href="/du-an-da-thi-cong" title="Dự án đã thi công">Dự án đã thi công</a></li>' .
            '<li><a href="/du-an-dang-thi-cong" title="Dự án đang thi công">Dự án đang thi công</a></li>',
        'newsletter_title' => 'Đăng ký tư vấn',
        'newsletter_subtitle' => 'Đăng ký để chúng tôi có cơ hội được tư vấn và phục vụ bạn.',
        'newsletter_placeholder' => 'Nhập email của bạn',
        'newsletter_button' => 'Đăng ký',
        'copyright_html' =>
            '© Bản quyền thuộc về <b>Acp Minh Tú</b> <span class="center">|</span> <span class="opacity1">Cung cấp bởi <a href="https://www.sapo.vn/" rel="noopener" title="Sapo" target="_blank">Sapo</a></span>',
    ];

    $content = loadContent();
    $settings = isset($content['settings']) && is_array($content['settings']) ? $content['settings'] : [];
    return array_merge($defaults, $settings);
}

function applySettingsToHtml(string $html): string
{
    $s = getSiteSettings();

    $company = (string)($s['company_name'] ?? '');
    $address = (string)($s['address'] ?? '');
    $email = (string)($s['email'] ?? '');
    $phone = (string)($s['phone'] ?? '');

    $defaultCompany = 'CÔNG TY CỔ PHẦN ĐẦU TƯ VÀ PHÁT TRIỂN ACP MINH TÚ';
    $defaultAddress = 'Số 51, ngách 99/110/32, Định Công Hạ, P Định Công, Hà Nội';
    $defaultEmail = 'admin@gmail.com';
    $defaultPhone = '0356666312';
    $defaultTelHref = 'tel:0356666312';

    $telHref = preg_replace('/\\s+/', '', $phone) ?? $phone;
    $telHref = $telHref !== '' ? 'tel:' . $telHref : $defaultTelHref;
    $mailto = $email !== '' ? 'mailto:' . $email : 'mailto:' . $defaultEmail;

    if ($company !== '') {
        $html = str_replace($defaultCompany, $company, $html);
    }
    if ($address !== '') {
        $html = str_replace($defaultAddress, $address, $html);
    }
    if ($email !== '') {
        $html = str_replace($defaultEmail, $email, $html);
        $html = str_replace('mailto:' . $defaultEmail, $mailto, $html);
    }
    if ($phone !== '') {
        $html = str_replace($defaultPhone, $phone, $html);
        $html = str_replace($defaultTelHref, $telHref, $html);
    }

    $aboutTopTitle = (string)($s['about_top_title'] ?? '');
    if ($aboutTopTitle !== '') {
        $html = preg_replace(
            '/(<span class=\"top-title\" id=\"about-top-title\">)[\\s\\S]*?(<\\/span>)/',
            '$1' . h($aboutTopTitle) . '$2',
            $html,
            1
        ) ?? $html;
    }

    $aboutTitle = (string)($s['about_title'] ?? '');
    if ($aboutTitle !== '') {
        $html = preg_replace(
            '/(<h2 class=\"title\" id=\"about-title\">)[\\s\\S]*?(<\\/h2>)/',
            '$1' . h($aboutTitle) . '$2',
            $html,
            1
        ) ?? $html;
    }

    $aboutDesc = (string)($s['about_desc'] ?? '');
    if ($aboutDesc !== '') {
        $html = preg_replace(
            '/(<p class=\"desc\" id=\"about-desc\">)[\\s\\S]*?(<\\/p>)/',
            '$1' . h($aboutDesc) . '$2',
            $html,
            1
        ) ?? $html;
    }

    $servicesHtml = (string)($s['footer_services_html'] ?? '');
    if ($servicesHtml !== '') {
        $html = preg_replace_callback(
            '/(<ul class=\"list-menu\" id=\"footer-services-links\">)[\\s\\S]*?(<\\/ul>)/',
            function(array $m) use ($servicesHtml): string {
                return $m[1] . $servicesHtml . $m[2];
            },
            $html,
            1
        ) ?? $html;
    }

    $projectsHtml = (string)($s['footer_projects_html'] ?? '');
    if ($projectsHtml !== '') {
        $html = preg_replace_callback(
            '/(<ul class=\"list-menu\" id=\"footer-projects-links\">)[\\s\\S]*?(<\\/ul>)/',
            function(array $m) use ($projectsHtml): string {
                return $m[1] . $projectsHtml . $m[2];
            },
            $html,
            1
        ) ?? $html;
    }

    $newsletterTitle = (string)($s['newsletter_title'] ?? '');
    if ($newsletterTitle !== '') {
        $html = preg_replace(
            '/(<h4 class=\"title-menu\" id=\"footer-newsletter-title\">)[\\s\\S]*?(<\\/h4>)/',
            '$1' . h($newsletterTitle) . '$2',
            $html,
            1
        ) ?? $html;
    }

    $newsletterSubtitle = (string)($s['newsletter_subtitle'] ?? '');
    if ($newsletterSubtitle !== '') {
        $html = preg_replace(
            '/(<div class=\"sub-title\" id=\"footer-newsletter-subtitle\">)[\\s\\S]*?(<\\/div>)/',
            '$1' . h($newsletterSubtitle) . '$2',
            $html,
            1
        ) ?? $html;
    }

    $newsletterPlaceholder = (string)($s['newsletter_placeholder'] ?? '');
    if ($newsletterPlaceholder !== '') {
        $html = preg_replace(
            '/(<input[^>]*id=\"footer-newsletter-placeholder\"[^>]*placeholder=\")([^\"]*)(\"[^>]*>)/',
            '$1' . h($newsletterPlaceholder) . '$3',
            $html,
            1
        ) ?? $html;
    }

    $newsletterButton = (string)($s['newsletter_button'] ?? '');
    if ($newsletterButton !== '') {
        $html = preg_replace(
            '/(<button[^>]*id=\"footer-newsletter-button\"[^>]*>)([\\s\\S]*?)(<\\/button>)/',
            '$1' . h($newsletterButton) . '$3',
            $html,
            1
        ) ?? $html;
    }

    $copyrightHtml = (string)($s['copyright_html'] ?? '');
    if ($copyrightHtml !== '') {
        $html = preg_replace_callback(
            '/(<div class=\"wsp\">)[\\s\\S]*?(<\\/div>)/',
            function(array $m) use ($copyrightHtml): string {
                return $m[1] . $copyrightHtml . $m[2];
            },
            $html,
            1
        ) ?? $html;
    }

    return $html;
}

function normalizeAssetPaths(string $html): string
{
    $replacements = [
        '/bizweb.dktcdn.net/' => '/bizweb.dktcdn.net/',
        "url(/bizweb.dktcdn.net/" => "url(/bizweb.dktcdn.net/",
        "url('/bizweb.dktcdn.net/" => "url('/bizweb.dktcdn.net/",
        'url("/bizweb.dktcdn.net/' => 'url("/bizweb.dktcdn.net/',
        '/minhtuwindows.com/' => '/minhtuwindows.com/',
    ];
    return str_replace(array_keys($replacements), array_values($replacements), $html);
}

function renderHomePage(string $indexPath): void
{
    header('Content-Type: text/html; charset=UTF-8');
    $html = file_get_contents($indexPath);
    if ($html === false) {
        http_response_code(500);
        echo 'Missing site files.';
        exit;
    }
    echo applySettingsToHtml(applyHomeProductsToHtml(applyAuthToHtml(normalizeAssetPaths($html))));
    exit;
}

function renderLayoutPage(string $indexPath, string $title, string $mainHtml): void
{
    $parts = loadLayoutParts($indexPath);
    $html = $parts['head'] . $parts['prefix'] . '<div class="bg-home">' . $mainHtml . $parts['suffix'];
    $html = preg_replace('/<title>Dự án</title>', $html, 1) ?? $html;
    $html = applySettingsToHtml(applyAuthToHtml(normalizeAssetPaths($html)));
    header('Content-Type: text/html; charset=UTF-8');
    echo $html;
    exit;
}

function renderAdminPage(string $indexPath, string $title, string $active, string $contentHtml): void
{
    $user = getLoggedInUser();
    $userName = is_array($user) ? (string)($user['name'] ?? '') : '';
    $userEmail = is_array($user) ? (string)($user['email'] ?? '') : '';

    $links = [
        'dashboard' => ['href' => '/admin', 'label' => 'Tổng quan'],
        'posts' => ['href' => '/admin/posts', 'label' => 'Tin tức'],
        'products' => ['href' => '/admin/products', 'label' => 'Sản phẩm'],
        'projects' => ['href' => '/admin/projects', 'label' => 'Dự án'],
        'users' => ['href' => '/admin/users', 'label' => 'Tài khoản'],
        'settings' => ['href' => '/admin/settings', 'label' => 'Cài đặt'],
        'site' => ['href' => '/', 'label' => 'Xem website'],
    ];

    $nav = '<div class="admin-sidebar">';
    foreach ($links as $key => $link) {
        $isActive = $key === $active;
        $nav .= '<a class="admin-nav-item' . ($isActive ? ' active' : '') . '" href="' . h($link['href']) . '">' . h($link['label']) . '</a>';
    }
    $nav .= '</div>';

    $style =
        '<style>' .
        '.admin-shell{background:#f6f7fb;min-height:60vh;padding:22px 0;}' .
        '.admin-topbar{position:sticky;top:0;z-index:50;background:#fff;border-bottom:1px solid #eee;}' .
        '.admin-topbar .brand{font-weight:800;letter-spacing:.3px;color:var(--textColor);}' .
        '.admin-topbar .brand span{color:var(--mainColor);}' .
        '.admin-user{font-size:13px;color:#666;}' .
        '.admin-user b{color:var(--textColor);}' .
        '.admin-sidebar{background:#fff;border:1px solid #eee;border-radius:14px;overflow:hidden;box-shadow:0 8px 26px rgba(0,0,0,.04);}' .
        '.admin-nav-item{display:flex;align-items:center;gap:10px;padding:12px 14px;color:var(--textColor);border-bottom:1px solid #f1f1f1;font-weight:600;}' .
        '.admin-nav-item:last-child{border-bottom:0;}' .
        '.admin-nav-item:hover{background:#fff7ec;color:var(--mainColor);text-decoration:none;}' .
        '.admin-nav-item.active{background:var(--mainColor);color:#fff;}' .
        '.admin-nav-item.active:hover{background:var(--mainColor);color:#fff;}' .
        '.admin-card{background:#fff;border:1px solid #eee;border-radius:14px;box-shadow:0 8px 26px rgba(0,0,0,.04);}' .
        '.admin-card .card-body{padding:16px;}' .
        '.admin-title{font-size:22px;font-weight:800;margin:0;}' .
        '.admin-subtitle{color:#666;margin:0;}' .
        '.admin-actions .btn{border-radius:12px;}' .
        '.admin-shell .table thead th{border-top:0;background:#fbfbfd;}' .
        '.admin-shell .table td,.admin-shell .table th{vertical-align:middle;}' .
        '.admin-shell .form-control{border-radius:12px;}' .
        '.admin-shell .btn{border-radius:12px;}' .
        '</style>';

    $topbar =
        '<div class="admin-topbar">' .
        '<div class="container">' .
        '<div class="d-flex align-items-center justify-content-between py-2">' .
        '<div class="brand">ACP <span>Admin</span></div>' .
        '<div class="d-flex align-items-center" style="gap:12px;">' .
        '<div class="admin-user d-none d-md-block"><b>' . h($userName !== '' ? $userName : $userEmail) . '</b>' . ($userName !== '' && $userEmail !== '' ? ' <span>(' . h($userEmail) . ')</span>' : '') . '</div>' .
        '<a class="btn btn-outline-secondary btn-sm" href="/">Xem website</a>' .
        '<a class="btn btn-outline-danger btn-sm" href="/account/logout">Đăng xuất</a>' .
        '</div>' .
        '</div>' .
        '</div>' .
        '</div>';

    $mainHtml =
        $style .
        $topbar .
        '<section class="admin-shell"><div class="container">' .
        '<div class="row">' .
        '<div class="col-lg-3 col-md-4 mb-3 mb-md-0">' . $nav . '</div>' .
        '<div class="col-lg-9 col-md-8">' .
        '<div class="admin-card mb-3"><div class="card-body d-flex align-items-center justify-content-between" style="gap:12px;">' .
        '<div><div class="admin-title">' . h($title) . '</div><div class="admin-subtitle">Quản trị nội dung website</div></div>' .
        '<div class="admin-actions d-flex align-items-center" style="gap:10px;"><a class="btn btn-outline-secondary btn-sm" href="/account">Tài khoản</a></div>' .
        '</div></div>' .
        $contentHtml .
        '</div>' .
        '</div>' .
        '</div></section>';

    renderLayoutPage($indexPath, $title, $mainHtml);
}

$requestUri = (string)($_SERVER['REQUEST_URI'] ?? '/');
$path = parse_url($requestUri, PHP_URL_PATH);
$path = normalizePath(is_string($path) ? $path : '/');
$method = strtoupper((string)($_SERVER['REQUEST_METHOD'] ?? 'GET'));

$sessionUser = getLoggedInUser();
if (is_array($sessionUser) && isset($sessionUser['email']) && is_string($sessionUser['email'])) {
    $users = loadUsers();
    $record = $users[strtolower($sessionUser['email'])] ?? null;
    if (is_array($record)) {
        $sessionUser['name'] = (string)($record['name'] ?? ($sessionUser['name'] ?? ''));
        $sessionUser['is_admin'] = !empty($record['is_admin']);
        setLoggedInUser($sessionUser);
    }
}

$redirectToAnchors = [
    '/gioi-thieu' => '/#about',
    '/xuong-san-xuat' => '/#about',
    '/tuyen-dung' => '/#contact',
    '/doi-tac' => '/#contact',
    '/lien-he' => '/#contact',
    '/linh-vuc' => '/#service',
];

if (isset($redirectToAnchors[$path])) {
    header('Location: ' . $redirectToAnchors[$path], true, 302);
    exit;
}

if ($path === '/search' && $method === 'GET') {
    $query = trim(isset($_GET['q']) ? (string)$_GET['q'] : '');
    $content = loadContent();
    $posts = is_array($content['posts']) ? $content['posts'] : [];
    $projects = is_array($content['projects']) ? $content['projects'] : [];

    $results = [];
    if ($query !== '') {
        $lower = function(string $s): string {
            if (function_exists('mb_strtolower')) {
                return (string)mb_strtolower($s, 'UTF-8');
            }
            return strtolower($s);
        };
        $contains = function(string $hay, string $needle): bool {
            if (function_exists('mb_strpos')) {
                return mb_strpos($hay, $needle, 0, 'UTF-8') !== false;
            }
            return strpos($hay, $needle) !== false;
        };

        $q = $lower($query);
        foreach ($posts as $slug => $post) {
            if (!is_array($post)) {
                continue;
            }
            $hay = $lower((string)($post['title'] ?? '') . ' ' . (string)($post['excerpt'] ?? '') . ' ' . (string)($post['content'] ?? ''));
            if ($contains($hay, $q)) {
                $results[] = [
                    'type' => 'post',
                    'slug' => (string)$slug,
                    'title' => (string)($post['title'] ?? ''),
                    'excerpt' => (string)($post['excerpt'] ?? ''),
                ];
            }
        }
        foreach ($projects as $slug => $project) {
            if (!is_array($project)) {
                continue;
            }
            $hay = $lower((string)($project['title'] ?? '') . ' ' . (string)($project['excerpt'] ?? '') . ' ' . (string)($project['content'] ?? ''));
            if ($contains($hay, $q)) {
                $results[] = [
                    'type' => 'project',
                    'slug' => (string)$slug,
                    'title' => (string)($project['title'] ?? ''),
                    'excerpt' => (string)($project['excerpt'] ?? ''),
                ];
            }
        }
    }

    $itemsHtml = '';
    foreach ($results as $r) {
        $href = $r['type'] === 'project' ? '/du-an/' . h($r['slug']) : '/' . h($r['slug']);
        $itemsHtml .=
            '<div class="card mb-3"><div class="card-body">' .
            '<div class="small text-muted mb-1">' . ($r['type'] === 'project' ? 'Dự án' : 'Tin tức') . '</div>' .
            '<h3 class="h5 mb-2"><a href="' . $href . '">' . h($r['title']) . '</a></h3>' .
            '<div>' . h($r['excerpt']) . '</div>' .
            '</div></div>';
    }

    $mainHtml =
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">Tìm kiếm</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Tìm kiếm</div>' .
        '</div></div></section>' .
        '<section style="padding:40px 0;"><div class="container">' .
        '<form class="mb-4" method="get" action="/search"><div class="input-group">' .
        '<input class="form-control" name="q" value="' . h($query) . '" placeholder="Nhập từ khóa...">' .
        '<div class="input-group-append"><button class="btn" type="submit" style="background:var(--mainColor);color:#fff;">Tìm</button></div>' .
        '</div></form>' .
        ($query === '' ? '<div class="alert alert-info">Nhập từ khóa để tìm kiếm.</div>' : '') .
        ($query !== '' && $itemsHtml === '' ? '<div class="alert alert-warning">Không tìm thấy kết quả phù hợp.</div>' : '') .
        $itemsHtml .
        '</div></section>';

    renderLayoutPage($indexPath, 'Tìm kiếm', $mainHtml);
}

if ($path === '/collections/all' || str_starts_with($path, '/collections')) {
    header('Location: /san-pham', true, 302);
    exit;
}

if ($path === '/san-pham' && $method === 'GET') {
    $store = loadContent();
    $products = is_array($store['products']) ? $store['products'] : [];
    $cards = '';
    foreach ($products as $slug => $product) {
        if (!is_array($product)) {
            continue;
        }
        $title = (string)($product['title'] ?? '');
        $excerpt = (string)($product['excerpt'] ?? '');
        $image = (string)($product['image'] ?? '');
        $price = (int)($product['price'] ?? 0);
        $priceText = $price > 0 ? number_format($price, 0, ',', '.') . '₫' : 'Liên hệ';
        $url = '/san-pham/' . (string)$slug;
        $imgHtml = $image !== '' ? '<img src="' . h($image) . '" alt="' . h($title) . '" style="width:100%;height:220px;object-fit:cover;border-radius:14px 14px 0 0;">' : '<div style="height:220px;background:#f2f2f2;border-radius:14px 14px 0 0;"></div>';

        $cards .=
            '<div class="col-lg-4 col-md-6 mb-4">' .
            '<div class="card" style="border-radius:14px;overflow:hidden;border:1px solid #eee;box-shadow:0 8px 26px rgba(0,0,0,.04);">' .
            $imgHtml .
            '<div class="card-body">' .
            '<div class="d-flex align-items-start justify-content-between" style="gap:12px;">' .
            '<div style="min-width:0;"><div style="font-weight:800;font-size:18px;line-height:1.3;"><a href="' . h($url) . '" style="color:var(--textColor);">' . h($title) . '</a></div>' .
            '<div class="text-muted small" style="margin-top:6px;">' . h($excerpt) . '</div></div>' .
            '<div style="font-weight:800;color:var(--mainColor);white-space:nowrap;">' . h($priceText) . '</div>' .
            '</div>' .
            '<form data-cart-form method="post" action="/cart/add.js" class="mt-3">' .
            '<input type="hidden" name="id" value="' . h((string)$slug) . '">' .
            '<input type="hidden" name="quantity" value="1">' .
            '<input type="hidden" name="price" value="' . h((string)$price) . '">' .
            '<input type="hidden" name="title" value="' . h($title) . '">' .
            '<input type="hidden" name="url" value="' . h($url) . '">' .
            '<input type="hidden" name="image" value="' . h($image) . '">' .
            '<button type="submit" class="btn btn_base fix_add_to_cart ajax_addtocart btn_add_cart btn-cart add_to_cart" style="width:100%;">Thêm vào giỏ</button>' .
            '</form>' .
            '</div>' .
            '</div>' .
            '</div>';
    }

    $mainHtml =
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">Sản phẩm</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Sản phẩm</div>' .
        '</div></div></section>' .
        '<section style="padding:50px 0;"><div class="container">' .
        '<div class="row">' .
        ($cards !== '' ? $cards : '<div class="col-12"><div class="alert alert-info">Chưa có sản phẩm.</div></div>') .
        '</div></div></section>';

    renderLayoutPage($indexPath, 'Sản phẩm', $mainHtml);
}

if (str_starts_with($path, '/san-pham/') && $method === 'GET') {
    $slug = trim(substr($path, strlen('/san-pham/')));
    $store = loadContent();
    $products = is_array($store['products']) ? $store['products'] : [];
    $product = $slug !== '' && isset($products[$slug]) && is_array($products[$slug]) ? $products[$slug] : null;
    if (!$product) {
        renderLayoutPage($indexPath, 'Không tìm thấy', '<section style="padding:60px 0;"><div class="container"><div class="alert alert-warning">Không tìm thấy sản phẩm.</div></div></section>');
    }

    $title = (string)($product['title'] ?? '');
    $excerpt = (string)($product['excerpt'] ?? '');
    $body = (string)($product['content'] ?? '');
    $image = (string)($product['image'] ?? '');
    $price = (int)($product['price'] ?? 0);
    $priceText = $price > 0 ? number_format($price, 0, ',', '.') . '₫' : 'Liên hệ';
    $url = '/san-pham/' . $slug;

    $imgHtml = $image !== '' ? '<img src="' . h($image) . '" alt="' . h($title) . '" style="width:100%;border-radius:14px;border:1px solid #eee;">' : '';

    $mainHtml =
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">' . h($title) . '</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; <a href="/san-pham" style="color:#fff;text-decoration:underline;">Sản phẩm</a></div>' .
        '</div></div></section>' .
        '<section style="padding:50px 0;"><div class="container">' .
        '<div class="row">' .
        '<div class="col-lg-5 mb-4">' . ($imgHtml !== '' ? $imgHtml : '<div style="height:360px;background:#f2f2f2;border-radius:14px;"></div>') . '</div>' .
        '<div class="col-lg-7">' .
        '<div class="card" style="border-radius:14px;border:1px solid #eee;box-shadow:0 8px 26px rgba(0,0,0,.04);"><div class="card-body">' .
        '<div class="h4 mb-2" style="font-weight:900;">' . h($title) . '</div>' .
        '<div class="text-muted mb-3">' . h($excerpt) . '</div>' .
        '<div style="font-weight:900;font-size:22px;color:var(--mainColor);" class="mb-3">' . h($priceText) . '</div>' .
        '<form data-cart-form method="post" action="/cart/add.js">' .
        '<input type="hidden" name="id" value="' . h((string)$slug) . '">' .
        '<input type="hidden" name="price" value="' . h((string)$price) . '">' .
        '<input type="hidden" name="title" value="' . h($title) . '">' .
        '<input type="hidden" name="url" value="' . h($url) . '">' .
        '<input type="hidden" name="image" value="' . h($image) . '">' .
        '<div class="d-flex align-items-center" style="gap:10px;">' .
        '<input class="form-control" style="max-width:120px;" type="number" name="quantity" value="1" min="1">' .
        '<button type="submit" class="btn btn_base fix_add_to_cart ajax_addtocart btn_add_cart btn-cart add_to_cart" style="flex:1;">Thêm vào giỏ</button>' .
        '</div>' .
        '</form>' .
        '</div></div>' .
        '</div>' .
        '</div>' .
        ($body !== '' ? '<div class="mt-4"><div class="card" style="border-radius:14px;border:1px solid #eee;"><div class="card-body"><div class="h5 mb-2" style="font-weight:900;">Mô tả</div><div style="white-space:pre-wrap;">' . h($body) . '</div></div></div></div>' : '') .
        '</div></section>';

    renderLayoutPage($indexPath, $title, $mainHtml);
}

if ($path === '/cart.js' && $method === 'GET') {
    jsonResponse(getCart());
}

if ($path === '/cart/clear.js' && $method === 'POST') {
    $cart = getCart();
    $cart['items'] = [];
    saveCart($cart);
    jsonResponse(getCart());
}

if ($path === '/cart/add.js' && $method === 'POST') {
    $id = (string)($_POST['id'] ?? '');
    if ($id === '') {
        jsonResponse(['message' => 'Missing id'], 400);
    }

    $quantity = (int)($_POST['quantity'] ?? 1);
    if ($quantity < 1) {
        $quantity = 1;
    }

    $price = (int)($_POST['price'] ?? 0);
    $title = trim((string)($_POST['title'] ?? ''));
    $image = trim((string)($_POST['image'] ?? ''));
    $url = trim((string)($_POST['url'] ?? ''));
    $image = $image !== '' ? $image : null;

    $cart = getCart();
    $found = false;
    foreach ($cart['items'] as $i => $item) {
        if ((string)($item['id'] ?? '') === $id) {
            $newQuantity = (int)($item['quantity'] ?? 0) + $quantity;
            $existingTitle = (string)($item['title'] ?? '');
            $existingImage = isset($item['image']) && is_string($item['image']) ? (string)$item['image'] : null;
            $existingUrl = (string)($item['url'] ?? '');
            $cart['items'][$i] = buildLineItem(
                $id,
                $newQuantity,
                (int)($item['price'] ?? $price),
                $title !== '' ? $title : $existingTitle,
                $image !== null ? $image : $existingImage,
                $url !== '' ? $url : $existingUrl
            );
            $found = true;
            break;
        }
    }

    if (!$found) {
        $cart['items'][] = buildLineItem($id, $quantity, $price, $title, $image, $url);
    }

    saveCart($cart);

    $cart = getCart();
    $lineItem = null;
    foreach ($cart['items'] as $item) {
        if ((string)($item['id'] ?? '') === $id) {
            $lineItem = $item;
            break;
        }
    }

    jsonResponse($lineItem ?? buildLineItem($id, $quantity, $price, $title, $image, $url));
}

if ($path === '/cart/change.js' && $method === 'POST') {
    $line = (int)($_POST['line'] ?? 0);
    $quantity = (int)($_POST['quantity'] ?? 0);

    $cart = getCart();
    $index = $line - 1;
    if ($index < 0 || $index >= count($cart['items'])) {
        jsonResponse(getCart());
    }

    if ($quantity <= 0) {
        array_splice($cart['items'], $index, 1);
    } else {
        $item = $cart['items'][$index];
        $id = (string)($item['id'] ?? '');
        $price = (int)($item['price'] ?? 0);
        $itemTitle = (string)($item['title'] ?? '');
        $itemImage = isset($item['image']) && is_string($item['image']) ? (string)$item['image'] : null;
        $itemUrl = (string)($item['url'] ?? '');
        $cart['items'][$index] = buildLineItem($id, $quantity, $price, $itemTitle, $itemImage, $itemUrl);
    }

    saveCart($cart);
    jsonResponse(getCart());
}

if ($path === '/cart' && $method === 'GET') {
    header('Location: /#', true, 302);
    exit;
}

if ($path === '/account/logout' && $method === 'GET') {
    logoutUser();
    header('Location: /', true, 302);
    exit;
}

if ($path === '/account' && $method === 'GET') {
    $user = getLoggedInUser();
    if (!$user) {
        header('Location: /account/login?ReturnUrl=%2Faccount', true, 302);
        exit;
    }

    $message = isset($_GET['message']) ? (string)$_GET['message'] : '';
    $error = isset($_GET['error']) ? (string)$_GET['error'] : '';
    $alert = $error !== '' ? '<div class="alert alert-danger" role="alert">' . h($error) . '</div>' : '';
    $info = $message !== '' ? '<div class="alert alert-success" role="alert">' . h($message) . '</div>' : '';

    $mainHtml =
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">Tài khoản của bạn</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Tài khoản</div>' .
        '</div></div></section>' .
        '<section style="padding:50px 0;"><div class="container">' .
        '<div class="row justify-content-center"><div class="col-lg-6 col-md-8">' .
        '<div class="card"><div class="card-body">' .
        $alert . $info .
        '<h2 class="h5 mb-3">Thông tin tài khoản</h2>' .
        '<div class="mb-2"><b>Email:</b> ' . h((string)($user['email'] ?? '')) . '</div>' .
        '<div class="mb-3"><b>Họ tên:</b> ' . h((string)($user['name'] ?? '')) . '</div>' .
        '<hr>' .
        '<h3 class="h6 mb-2" style="font-weight:900;">Cập nhật họ tên</h3>' .
        '<form method="post" action="/account/profile" class="mb-3">' .
        '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
        '<div class="form-group mb-2"><input class="form-control" name="name" type="text" value="' . h((string)($user['name'] ?? '')) . '" placeholder="Nhập họ tên" required></div>' .
        '<button type="submit" class="btn" style="background:#111;color:#fff;width:100%;">Lưu họ tên</button>' .
        '</form>' .
        '<h3 class="h6 mb-2" style="font-weight:900;">Đổi mật khẩu</h3>' .
        '<form method="post" action="/account/password" class="mb-3">' .
        '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
        '<div class="form-group mb-2"><input class="form-control" name="current_password" type="password" placeholder="Mật khẩu hiện tại" required></div>' .
        '<div class="form-group mb-2"><input class="form-control" name="new_password" type="password" placeholder="Mật khẩu mới (tối thiểu 6 ký tự)" required></div>' .
        '<div class="form-group mb-2"><input class="form-control" name="new_password_confirm" type="password" placeholder="Nhập lại mật khẩu mới" required></div>' .
        '<button type="submit" class="btn" style="background:var(--mainColor);color:#fff;width:100%;">Đổi mật khẩu</button>' .
        '</form>' .
        '<a class="btn" href="/account/logout" style="background:var(--mainColor);color:#fff;width:100%;">Đăng xuất</a>' .
        '</div></div>' .
        '</div></div></div></section>';

    renderLayoutPage($indexPath, 'Tài khoản', $mainHtml);
}

if ($path === '/account/profile' && $method === 'POST') {
    requireCsrfToken((string)($_POST['csrf'] ?? ''));
    requireLogin('/account');
    $session = getLoggedInUser();
    $email = is_array($session) ? strtolower(trim((string)($session['email'] ?? ''))) : '';
    if ($email === '') {
        logoutUser();
        header('Location: /account/login?ReturnUrl=%2Faccount', true, 302);
        exit;
    }

    $name = trim((string)($_POST['name'] ?? ''));
    if ($name === '') {
        header('Location: /account?error=' . rawurlencode('Vui lòng nhập họ tên'), true, 302);
        exit;
    }

    $users = loadUsers();
    if (!isset($users[$email]) || !is_array($users[$email])) {
        logoutUser();
        header('Location: /account/login?ReturnUrl=%2Faccount', true, 302);
        exit;
    }
    $users[$email]['name'] = $name;
    $users[$email]['updated_at'] = time();
    saveUsers($users);

    $session['name'] = $name;
    $session['is_admin'] = !empty($users[$email]['is_admin']);
    setLoggedInUser($session);

    header('Location: /account?message=' . rawurlencode('Đã cập nhật thông tin'), true, 302);
    exit;
}

if ($path === '/account/password' && $method === 'POST') {
    requireCsrfToken((string)($_POST['csrf'] ?? ''));
    requireLogin('/account');
    $session = getLoggedInUser();
    $email = is_array($session) ? strtolower(trim((string)($session['email'] ?? ''))) : '';
    if ($email === '') {
        logoutUser();
        header('Location: /account/login?ReturnUrl=%2Faccount', true, 302);
        exit;
    }

    $current = (string)($_POST['current_password'] ?? '');
    $new = (string)($_POST['new_password'] ?? '');
    $confirm = (string)($_POST['new_password_confirm'] ?? '');

    if ($new === '' || strlen($new) < 6) {
        header('Location: /account?error=' . rawurlencode('Mật khẩu mới phải từ 6 ký tự'), true, 302);
        exit;
    }
    if (!hash_equals($new, $confirm)) {
        header('Location: /account?error=' . rawurlencode('Mật khẩu nhập lại không khớp'), true, 302);
        exit;
    }

    $users = loadUsers();
    $u = $users[$email] ?? null;
    if (!is_array($u) || !isset($u['password_hash']) || !is_string($u['password_hash']) || !password_verify($current, $u['password_hash'])) {
        header('Location: /account?error=' . rawurlencode('Mật khẩu hiện tại không đúng'), true, 302);
        exit;
    }

    $users[$email]['password_hash'] = password_hash($new, PASSWORD_DEFAULT);
    $users[$email]['updated_at'] = time();
    saveUsers($users);

    header('Location: /account?message=' . rawurlencode('Đã đổi mật khẩu'), true, 302);
    exit;
}

if ($path === '/account/login' && $method === 'GET') {
    $returnUrl = sanitizeReturnUrl(isset($_GET['ReturnUrl']) ? (string)$_GET['ReturnUrl'] : '/account');
    $error = isset($_GET['error']) ? (string)$_GET['error'] : '';
    $message = isset($_GET['message']) ? (string)$_GET['message'] : '';
    $email = isset($_GET['email']) ? (string)$_GET['email'] : '';

    $alert = $error !== '' ? '<div class="alert alert-danger" role="alert">' . h($error) . '</div>' : '';
    $info = $message !== '' ? '<div class="alert alert-success" role="alert">' . h($message) . '</div>' : '';

    $authStyle =
        '<style>' .
        '.auth-shell{background:#f6f7fb;padding:50px 0;}' .
        '.auth-card{border:1px solid #eee;border-radius:16px;box-shadow:0 12px 34px rgba(0,0,0,.06);overflow:hidden;background:#fff;}' .
        '.auth-card .auth-head{padding:18px 18px 0;}' .
        '.auth-card .auth-title{font-weight:900;font-size:22px;margin:0;}' .
        '.auth-card .auth-sub{color:#666;margin-top:6px;}' .
        '.auth-card .auth-body{padding:18px;}' .
        '.auth-btn{background:var(--mainColor);color:#fff;width:100%;padding:12px 14px;font-weight:800;border-radius:12px;}' .
        '.auth-btn:hover{color:#fff;opacity:.95;}' .
        '.auth-link{color:var(--mainColor);font-weight:700;}' .
        '.auth-sep{display:flex;align-items:center;gap:10px;color:#888;font-size:12px;margin:14px 0;}' .
        '.auth-sep:before,.auth-sep:after{content:\"\";height:1px;background:#eee;flex:1;}' .
        '.auth-oauth{display:flex;gap:10px;}' .
        '.auth-oauth a{flex:1;border-radius:12px;padding:10px 12px;font-weight:800;text-align:center;border:1px solid #eee;color:var(--textColor);}' .
        '.auth-oauth a:hover{text-decoration:none;background:#fafafa;}' .
        '</style>';

    $mainHtml =
        $authStyle .
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">Đăng nhập tài khoản</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Đăng nhập tài khoản</div>' .
        '</div></div></section>' .
        '<section class="auth-shell"><div class="container">' .
        '<div class="row justify-content-center">' .
        '<div class="col-lg-5 col-md-7">' .
        '<div class="auth-card">' .
        '<div class="auth-head">' .
        '<div class="auth-title">Đăng nhập</div>' .
        '<div class="auth-sub">Chưa có tài khoản? <a class="auth-link" href="/account/register?ReturnUrl=' . h(rawurlencode($returnUrl)) . '">Đăng ký</a></div>' .
        '</div>' .
        '<div class="auth-body">' .
        $alert . $info .
        '<form method="post" action="/account/login">' .
        '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
        '<input type="hidden" name="ReturnUrl" value="' . h($returnUrl) . '">' .
        '<div class="form-group"><label class="mb-1" style="font-weight:800;">Email</label><input class="form-control" name="email" type="email" placeholder="Nhập email" value="' . h($email) . '" required></div>' .
        '<div class="form-group"><label class="mb-1" style="font-weight:800;">Mật khẩu</label><input class="form-control" name="password" type="password" placeholder="Nhập mật khẩu" required></div>' .
        '<button type="submit" class="btn auth-btn">Đăng nhập</button>' .
        '<div class="d-flex align-items-center justify-content-between mt-3" style="gap:10px;">' .
        '<a href="/account/recover">Quên mật khẩu?</a>' .
        '<a href="/account/register?ReturnUrl=' . h(rawurlencode($returnUrl)) . '" class="auth-link">Tạo tài khoản</a>' .
        '</div>' .
        '</form>' .
        '<div class="auth-sep">Hoặc</div>' .
        '<div class="auth-oauth">' .
        '<a href="#" onclick="return false;">Facebook</a>' .
        '<a href="#" onclick="return false;">Google</a>' .
        '</div>' .
        '</div>' .
        '</div>' .
        '</div>' .
        '</div>' .
        '</div></section>';

    renderLayoutPage($indexPath, 'Đăng nhập tài khoản', $mainHtml);
}

if ($path === '/account/login' && $method === 'POST') {
    requireCsrfToken((string)($_POST['csrf'] ?? ''));

    $returnUrl = sanitizeReturnUrl(isset($_POST['ReturnUrl']) ? (string)$_POST['ReturnUrl'] : '/account');
    $email = strtolower(trim((string)($_POST['email'] ?? '')));
    $password = (string)($_POST['password'] ?? '');

    if ($email === '' || $password === '') {
        header('Location: /account/login?error=' . rawurlencode('Vui lòng nhập đầy đủ thông tin') . '&email=' . rawurlencode($email) . '&ReturnUrl=' . rawurlencode($returnUrl), true, 302);
        exit;
    }

    $users = loadUsers();
    $user = $users[$email] ?? null;
    if (!is_array($user) || !isset($user['password_hash']) || !is_string($user['password_hash']) || !password_verify($password, $user['password_hash'])) {
        header('Location: /account/login?error=' . rawurlencode('Email hoặc mật khẩu không đúng') . '&email=' . rawurlencode($email) . '&ReturnUrl=' . rawurlencode($returnUrl), true, 302);
        exit;
    }

    setLoggedInUser([
        'id' => (string)($user['id'] ?? ''),
        'email' => (string)($user['email'] ?? $email),
        'name' => (string)($user['name'] ?? ''),
        'is_admin' => !empty($user['is_admin']),
    ]);

    header('Location: ' . $returnUrl, true, 302);
    exit;
}

if ($path === '/account/register' && $method === 'GET') {
    $returnUrl = sanitizeReturnUrl(isset($_GET['ReturnUrl']) ? (string)$_GET['ReturnUrl'] : '/account');
    $error = isset($_GET['error']) ? (string)$_GET['error'] : '';
    $email = isset($_GET['email']) ? (string)$_GET['email'] : '';
    $name = isset($_GET['name']) ? (string)$_GET['name'] : '';

    $alert = $error !== '' ? '<div class="alert alert-danger" role="alert">' . h($error) . '</div>' : '';

    $authStyle =
        '<style>' .
        '.auth-shell{background:#f6f7fb;padding:50px 0;}' .
        '.auth-card{border:1px solid #eee;border-radius:16px;box-shadow:0 12px 34px rgba(0,0,0,.06);overflow:hidden;background:#fff;}' .
        '.auth-card .auth-head{padding:18px 18px 0;}' .
        '.auth-card .auth-title{font-weight:900;font-size:22px;margin:0;}' .
        '.auth-card .auth-sub{color:#666;margin-top:6px;}' .
        '.auth-card .auth-body{padding:18px;}' .
        '.auth-btn{background:var(--mainColor);color:#fff;width:100%;padding:12px 14px;font-weight:800;border-radius:12px;}' .
        '.auth-btn:hover{color:#fff;opacity:.95;}' .
        '.auth-link{color:var(--mainColor);font-weight:700;}' .
        '</style>';

    $mainHtml =
        $authStyle .
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">Đăng ký tài khoản</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Đăng ký tài khoản</div>' .
        '</div></div></section>' .
        '<section class="auth-shell"><div class="container">' .
        '<div class="row justify-content-center">' .
        '<div class="col-lg-5 col-md-7">' .
        '<div class="auth-card">' .
        '<div class="auth-head">' .
        '<div class="auth-title">Tạo tài khoản</div>' .
        '<div class="auth-sub">Đã có tài khoản? <a class="auth-link" href="/account/login?ReturnUrl=' . h(rawurlencode($returnUrl)) . '">Đăng nhập</a></div>' .
        '</div>' .
        '<div class="auth-body">' .
        $alert .
        '<form method="post" action="/account/register">' .
        '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
        '<input type="hidden" name="ReturnUrl" value="' . h($returnUrl) . '">' .
        '<div class="form-group"><label class="mb-1" style="font-weight:800;">Họ và tên</label><input class="form-control" name="name" type="text" placeholder="Nhập họ tên" value="' . h($name) . '" required></div>' .
        '<div class="form-group"><label class="mb-1" style="font-weight:800;">Email</label><input class="form-control" name="email" type="email" placeholder="Nhập email" value="' . h($email) . '" required></div>' .
        '<div class="form-group"><label class="mb-1" style="font-weight:800;">Mật khẩu</label><input class="form-control" name="password" type="password" placeholder="Tối thiểu 6 ký tự" required></div>' .
        '<div class="form-group"><label class="mb-1" style="font-weight:800;">Nhập lại mật khẩu</label><input class="form-control" name="password_confirm" type="password" placeholder="Nhập lại mật khẩu" required></div>' .
        '<button type="submit" class="btn auth-btn">Đăng ký</button>' .
        '</form>' .
        '</div>' .
        '</div>' .
        '</div>' .
        '</div>' .
        '</div></section>';

    renderLayoutPage($indexPath, 'Đăng ký tài khoản', $mainHtml);
}

if ($path === '/account/register' && $method === 'POST') {
    requireCsrfToken((string)($_POST['csrf'] ?? ''));

    $returnUrl = sanitizeReturnUrl(isset($_POST['ReturnUrl']) ? (string)$_POST['ReturnUrl'] : '/account');
    $name = trim((string)($_POST['name'] ?? ''));
    $email = strtolower(trim((string)($_POST['email'] ?? '')));
    $password = (string)($_POST['password'] ?? '');
    $passwordConfirm = (string)($_POST['password_confirm'] ?? '');

    if ($name === '' || $email === '' || $password === '' || $passwordConfirm === '') {
        header('Location: /account/register?error=' . rawurlencode('Vui lòng nhập đầy đủ thông tin') . '&name=' . rawurlencode($name) . '&email=' . rawurlencode($email) . '&ReturnUrl=' . rawurlencode($returnUrl), true, 302);
        exit;
    }

    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        header('Location: /account/register?error=' . rawurlencode('Email không hợp lệ') . '&name=' . rawurlencode($name) . '&email=' . rawurlencode($email) . '&ReturnUrl=' . rawurlencode($returnUrl), true, 302);
        exit;
    }

    if (strlen($password) < 6) {
        header('Location: /account/register?error=' . rawurlencode('Mật khẩu phải từ 6 ký tự') . '&name=' . rawurlencode($name) . '&email=' . rawurlencode($email) . '&ReturnUrl=' . rawurlencode($returnUrl), true, 302);
        exit;
    }

    if (!hash_equals($password, $passwordConfirm)) {
        header('Location: /account/register?error=' . rawurlencode('Mật khẩu nhập lại không khớp') . '&name=' . rawurlencode($name) . '&email=' . rawurlencode($email) . '&ReturnUrl=' . rawurlencode($returnUrl), true, 302);
        exit;
    }

    $users = loadUsers();
    if (isset($users[$email])) {
        header('Location: /account/register?error=' . rawurlencode('Email đã được đăng ký') . '&name=' . rawurlencode($name) . '&email=' . rawurlencode($email) . '&ReturnUrl=' . rawurlencode($returnUrl), true, 302);
        exit;
    }

    $isAdmin = count($users) === 0;
    $id = bin2hex(random_bytes(16));
    $users[$email] = [
        'id' => $id,
        'email' => $email,
        'name' => $name,
        'password_hash' => password_hash($password, PASSWORD_DEFAULT),
        'is_admin' => $isAdmin,
        'created_at' => time(),
    ];
    saveUsers($users);

    setLoggedInUser([
        'id' => $id,
        'email' => $email,
        'name' => $name,
        'is_admin' => $isAdmin,
    ]);

    header('Location: ' . $returnUrl, true, 302);
    exit;
}

if ($path === '/account/recover' && $method === 'GET') {
    $error = isset($_GET['error']) ? (string)$_GET['error'] : '';
    $message = isset($_GET['message']) ? (string)$_GET['message'] : '';

    $alert = $error !== '' ? '<div class="alert alert-danger" role="alert">' . h($error) . '</div>' : '';
    $info = $message !== '' ? '<div class="alert alert-success" role="alert">' . h($message) . '</div>' : '';

    $mainHtml =
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">Quên mật khẩu</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Quên mật khẩu</div>' .
        '</div></div></section>' .
        '<section style="padding:50px 0;"><div class="container">' .
        '<div class="row justify-content-center"><div class="col-lg-4 col-md-6">' .
        $alert . $info .
        '<form method="post" action="/account/recover">' .
        '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
        '<div class="form-group"><input class="form-control" name="email" type="email" placeholder="Email" required></div>' .
        '<button type="submit" class="btn" style="background:var(--mainColor);color:#fff;width:100%;padding:10px 14px;font-weight:700;">Gửi yêu cầu</button>' .
        '<div class="text-center mt-2"><a href="/account/login">Quay lại đăng nhập</a></div>' .
        '</form>' .
        '</div></div></div></section>';

    renderLayoutPage($indexPath, 'Quên mật khẩu', $mainHtml);
}

if ($path === '/account/recover' && $method === 'POST') {
    requireCsrfToken((string)($_POST['csrf'] ?? ''));
    $email = strtolower(trim((string)($_POST['email'] ?? '')));
    if ($email === '' || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        header('Location: /account/recover?error=' . rawurlencode('Email không hợp lệ'), true, 302);
        exit;
    }

    $users = loadUsers();
    if (!isset($users[$email])) {
        header('Location: /account/recover?message=' . rawurlencode('Nếu email tồn tại, hệ thống đã ghi nhận yêu cầu.'), true, 302);
        exit;
    }

    $token = bin2hex(random_bytes(16));
    $_SESSION['password_reset'] = [
        'email' => $email,
        'token' => $token,
        'expires_at' => time() + 30 * 60,
    ];

    header('Location: /account/reset?token=' . rawurlencode($token), true, 302);
    exit;
}

if ($path === '/account/reset' && $method === 'GET') {
    $token = (string)($_GET['token'] ?? '');
    $error = isset($_GET['error']) ? (string)$_GET['error'] : '';
    $reset = $_SESSION['password_reset'] ?? null;
    if (!is_array($reset) || !isset($reset['token'], $reset['expires_at'], $reset['email']) || !is_string($reset['token']) || (int)$reset['expires_at'] < time() || !hash_equals($reset['token'], $token)) {
        header('Location: /account/recover?error=' . rawurlencode('Liên kết đặt lại mật khẩu không hợp lệ hoặc đã hết hạn'), true, 302);
        exit;
    }

    $alert = $error !== '' ? '<div class="alert alert-danger" role="alert">' . h($error) . '</div>' : '';

    $mainHtml =
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">Đặt lại mật khẩu</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Đặt lại mật khẩu</div>' .
        '</div></div></section>' .
        '<section style="padding:50px 0;"><div class="container">' .
        '<div class="row justify-content-center"><div class="col-lg-4 col-md-6">' .
        $alert .
        '<form method="post" action="/account/reset">' .
        '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
        '<input type="hidden" name="token" value="' . h($token) . '">' .
        '<div class="form-group"><input class="form-control" name="password" type="password" placeholder="Mật khẩu mới" required></div>' .
        '<div class="form-group"><input class="form-control" name="password_confirm" type="password" placeholder="Nhập lại mật khẩu" required></div>' .
        '<button type="submit" class="btn" style="background:var(--mainColor);color:#fff;width:100%;padding:10px 14px;font-weight:700;">Cập nhật mật khẩu</button>' .
        '</form>' .
        '</div></div></div></section>';

    renderLayoutPage($indexPath, 'Đặt lại mật khẩu', $mainHtml);
}

if ($path === '/account/reset' && $method === 'POST') {
    requireCsrfToken((string)($_POST['csrf'] ?? ''));
    $token = (string)($_POST['token'] ?? '');
    $password = (string)($_POST['password'] ?? '');
    $passwordConfirm = (string)($_POST['password_confirm'] ?? '');

    $reset = $_SESSION['password_reset'] ?? null;
    if (!is_array($reset) || !isset($reset['token'], $reset['expires_at'], $reset['email']) || !is_string($reset['token']) || (int)$reset['expires_at'] < time() || !hash_equals($reset['token'], $token)) {
        header('Location: /account/recover?error=' . rawurlencode('Liên kết đặt lại mật khẩu không hợp lệ hoặc đã hết hạn'), true, 302);
        exit;
    }

    if (strlen($password) < 6) {
        header('Location: /account/reset?token=' . rawurlencode($token) . '&error=' . rawurlencode('Mật khẩu phải từ 6 ký tự'), true, 302);
        exit;
    }

    if (!hash_equals($password, $passwordConfirm)) {
        header('Location: /account/reset?token=' . rawurlencode($token) . '&error=' . rawurlencode('Mật khẩu nhập lại không khớp'), true, 302);
        exit;
    }

    $email = (string)$reset['email'];
    $users = loadUsers();
    if (!isset($users[$email]) || !is_array($users[$email])) {
        header('Location: /account/recover?error=' . rawurlencode('Không tìm thấy tài khoản'), true, 302);
        exit;
    }

    $users[$email]['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    $users[$email]['updated_at'] = time();
    saveUsers($users);
    unset($_SESSION['password_reset']);

    header('Location: /account/login?message=' . rawurlencode('Cập nhật mật khẩu thành công. Vui lòng đăng nhập.'), true, 302);
    exit;
}

if (str_starts_with($path, '/admin')) {
    requireAdmin('/admin');

    $message = isset($_GET['message']) ? (string)$_GET['message'] : '';
    $error = isset($_GET['error']) ? (string)$_GET['error'] : '';
    $flash = '';
    if ($message !== '') {
        $flash .= '<div class="alert alert-success">' . h($message) . '</div>';
    }
    if ($error !== '') {
        $flash .= '<div class="alert alert-danger">' . h($error) . '</div>';
    }

    if ($path === '/admin' && $method === 'GET') {
        $content = loadContent();
        $users = loadUsers();
        $postCount = is_array($content['posts']) ? count($content['posts']) : 0;
        $productCount = is_array($content['products']) ? count($content['products']) : 0;
        $projectCount = is_array($content['projects']) ? count($content['projects']) : 0;
        $userCount = is_array($users) ? count($users) : 0;

        $html =
            $flash .
            '<div class="row">' .
            '<div class="col-md-3 mb-3"><div class="card admin-card"><div class="card-body"><div class="h6 mb-1 text-muted">Tin tức</div><div style="font-size:32px;font-weight:800;">' . $postCount . '</div><a href="/admin/posts">Quản lý</a></div></div></div>' .
            '<div class="col-md-3 mb-3"><div class="card admin-card"><div class="card-body"><div class="h6 mb-1 text-muted">Sản phẩm</div><div style="font-size:32px;font-weight:800;">' . $productCount . '</div><a href="/admin/products">Quản lý</a></div></div></div>' .
            '<div class="col-md-3 mb-3"><div class="card admin-card"><div class="card-body"><div class="h6 mb-1 text-muted">Dự án</div><div style="font-size:32px;font-weight:800;">' . $projectCount . '</div><a href="/admin/projects">Quản lý</a></div></div></div>' .
            '<div class="col-md-3 mb-3"><div class="card admin-card"><div class="card-body"><div class="h6 mb-1 text-muted">Tài khoản</div><div style="font-size:32px;font-weight:800;">' . $userCount . '</div><a href="/admin/users">Quản lý</a></div></div></div>' .
            '</div>';

        renderAdminPage($indexPath, 'Admin', 'dashboard', $html);
    }

    if ($path === '/admin/posts' && $method === 'GET') {
        $content = loadContent();
        $posts = is_array($content['posts']) ? $content['posts'] : [];

        $rows = '';
        foreach ($posts as $slug => $post) {
            if (!is_array($post)) {
                continue;
            }
            $title = (string)($post['title'] ?? '');
            $excerpt = (string)($post['excerpt'] ?? '');
            $updatedAt = isset($post['updated_at']) ? (int)$post['updated_at'] : 0;
            $updatedText = $updatedAt > 0 ? date('d/m/Y H:i', $updatedAt) : '';
            $rows .=
                '<tr>' .
                '<td style="width:220px;"><a href="/' . h((string)$slug) . '" target="_blank">/' . h((string)$slug) . '</a></td>' .
                '<td><b>' . h($title) . '</b><div class="text-muted small">' . h($excerpt) . '</div></td>' .
                '<td style="width:160px;" class="text-muted small">' . h($updatedText) . '</td>' .
                '<td style="width:180px;">' .
                '<a class="btn btn-sm btn-outline-secondary mr-2" href="/' . h((string)$slug) . '" target="_blank">Xem</a>' .
                '<a class="btn btn-sm btn-outline-primary mr-2" href="/admin/posts/edit?slug=' . h((string)$slug) . '">Sửa</a>' .
                '<form method="post" action="/admin/posts/delete" style="display:inline;">' .
                '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
                '<input type="hidden" name="slug" value="' . h((string)$slug) . '">' .
                '<button class="btn btn-sm btn-outline-danger" type="submit">Xóa</button>' .
                '</form>' .
                '</td>' .
                '</tr>';
        }

        $html =
            $flash .
            '<div class="d-flex align-items-center justify-content-between mb-3">' .
            '<div class="h4 mb-0">Tin tức</div>' .
            '<a class="btn" style="background:var(--mainColor);color:#fff;" href="/admin/posts/new">Thêm bài</a>' .
            '</div>' .
            '<div class="card"><div class="card-body p-0">' .
            '<table class="table mb-0"><thead><tr><th>Slug</th><th>Tiêu đề</th><th>Cập nhật</th><th></th></tr></thead><tbody>' .
            ($rows !== '' ? $rows : '<tr><td colspan="4" class="text-center p-4 text-muted">Chưa có bài viết</td></tr>') .
            '</tbody></table>' .
            '</div></div>';

        renderAdminPage($indexPath, 'Quản lý tin tức', 'posts', $html);
    }

    if (($path === '/admin/posts/new' || $path === '/admin/posts/edit') && $method === 'GET') {
        $isEdit = $path === '/admin/posts/edit';
        $slug = $isEdit ? (string)($_GET['slug'] ?? '') : '';
        $contentStore = loadContent();
        $post = $isEdit && $slug !== '' && isset($contentStore['posts'][$slug]) && is_array($contentStore['posts'][$slug]) ? $contentStore['posts'][$slug] : [];

        if ($isEdit && $slug === '') {
            header('Location: /admin/posts?error=' . rawurlencode('Thiếu slug'), true, 302);
            exit;
        }
        if ($isEdit && $slug !== '' && $post === []) {
            header('Location: /admin/posts?error=' . rawurlencode('Không tìm thấy bài viết'), true, 302);
            exit;
        }

        $title = (string)($post['title'] ?? '');
        $excerpt = (string)($post['excerpt'] ?? '');
        $body = (string)($post['content'] ?? '');
        $image = (string)($post['image'] ?? '');
        $formSlug = $isEdit ? $slug : (string)($post['slug'] ?? '');

        $editorStyle =
            '<style>' .
            '.post-form-grid{display:grid;grid-template-columns:1fr;gap:14px;}' .
            '@media (min-width:992px){.post-form-grid{grid-template-columns:1fr 340px;}}' .
            '.editor-toolbar{display:flex;flex-wrap:wrap;gap:8px;padding:10px;border:1px solid #eee;border-radius:14px;background:#fbfbfd;}' .
            '.editor-toolbar button{border:1px solid #eee;background:#fff;border-radius:10px;padding:6px 10px;font-weight:800;}' .
            '.editor-toolbar button:hover{background:#fff7ec;border-color:#ffd8a8;}' .
            '.admin-editor{min-height:360px;border:1px solid #eee;border-radius:14px;padding:12px;background:#fff;box-shadow:0 8px 26px rgba(0,0,0,.04);}' .
            '.admin-editor:focus{outline:0;border-color:#ffd1a0;box-shadow:0 0 0 4px rgba(255,122,0,.12);}' .
            '.meta-card{border:1px solid #eee;border-radius:14px;box-shadow:0 8px 26px rgba(0,0,0,.04);background:#fff;}' .
            '.meta-card .meta-body{padding:14px;}' .
            '.meta-title{font-weight:900;margin-bottom:10px;}' .
            '.img-preview{width:100%;border-radius:14px;border:1px solid #eee;overflow:hidden;background:#f2f2f2;}' .
            '.img-preview img{width:100%;height:auto;display:block;}' .
            '</style>';

        $editorScript =
            '<script>' .
            '(function(){' .
            'var form=document.getElementById("post-form");' .
            'var title=document.getElementById("post-title");' .
            'var slug=document.getElementById("post-slug");' .
            'var textarea=document.getElementById("post-content");' .
            'var editor=document.getElementById("post-editor");' .
            'var touched=false;' .
            'if(slug){slug.addEventListener("input",function(){touched=true;});}' .
            'function slugify(str){' .
            'str=(str||"").toString().trim().toLowerCase();' .
            'try{str=str.normalize("NFD").replace(/[\\u0300-\\u036f]/g,"");}catch(e){}' .
            'str=str.replace(/[^a-z0-9]+/g,"-").replace(/^-+|-+$/g,"").replace(/-+/g,"-");' .
            'return str;' .
            '}' .
            'if(title&&slug){title.addEventListener("input",function(){if(!touched&&(!slug.value||slug.value.trim()==="")){slug.value=slugify(title.value);}});}' .
            'function sanitizeStyle(style){' .
            'if(!style) return "";' .
            'var allow={"text-align":1,"color":1,"background-color":1,"font-weight":1,"font-style":1,"text-decoration":1};' .
            'var out=[];' .
            'style.split(";").forEach(function(part){' .
            'var p=part.split(":");if(p.length<2) return;' .
            'var k=p[0].trim().toLowerCase();var v=p.slice(1).join(":").trim();' .
            'if(!k||!v) return;' .
            'if(allow[k]) out.push(k+":"+v);' .
            '});' .
            'return out.join(";");' .
            '}' .
            'function sanitizeHtml(html){' .
            'try{' .
            'var doc=new DOMParser().parseFromString(html||"","text/html");' .
            'Array.from(doc.querySelectorAll("script,style")).forEach(function(n){n.remove();});' .
            'Array.from(doc.querySelectorAll("*")).forEach(function(el){' .
            'Array.from(el.attributes).forEach(function(a){' .
            'var name=a.name.toLowerCase();var val=a.value||"";' .
            'if(name.startsWith("on")) el.removeAttribute(a.name);' .
            'if(name==="href"||name==="src"){if(/^\\s*javascript:/i.test(val)) el.removeAttribute(a.name);}' .
            'if(name==="style"){el.setAttribute("style",sanitizeStyle(val));}' .
            'if(name!=="href"&&name!=="src"&&name!=="alt"&&name!=="title"&&name!=="style"&&name!=="target"&&name!=="rel"){if(name!=="class") el.removeAttribute(a.name);}' .
            '});' .
            '});' .
            'return doc.body.innerHTML;' .
            '}catch(e){return html||"";}' .
            '}' .
            'function exec(cmd,val){document.execCommand(cmd,false,val||null);editor&&editor.focus();}' .
            'if(editor&&textarea){editor.innerHTML=textarea.value||"";}' .
            'if(editor){editor.addEventListener("paste",function(e){' .
            'var cd=e.clipboardData||window.clipboardData; if(!cd) return;' .
            'var html=cd.getData("text/html"); var text=cd.getData("text/plain");' .
            'if(html){e.preventDefault();exec("insertHTML",sanitizeHtml(html));return;}' .
            'if(text){e.preventDefault();exec("insertText",text);}' .
            '});}' .
            'var tb=document.getElementById("editor-toolbar");' .
            'if(tb){tb.addEventListener("click",function(e){' .
            'var btn=e.target.closest("button"); if(!btn) return;' .
            'e.preventDefault();' .
            'var action=btn.getAttribute("data-action")||"";' .
            'if(action==="link"){var url=prompt("Nhập link (https://...)"); if(url) exec("createLink",url); return;}' .
            'if(action==="image"){var iurl=prompt("Nhập URL ảnh"); if(iurl){iurl=iurl.replace(/\"/g,""); exec("insertHTML","<p><img src=\\\""+iurl+"\\\" alt=\\\"\\\"></p>");} return;}' .
            'if(action==="h2"){exec("formatBlock","H2");return;}' .
            'if(action==="h3"){exec("formatBlock","H3");return;}' .
            'if(action==="p"){exec("formatBlock","P");return;}' .
            'if(action){exec(action);}' .
            '});}' .
            'if(form&&textarea&&editor){form.addEventListener("submit",function(){textarea.value=sanitizeHtml(editor.innerHTML||\"\");});}' .
            '})();' .
            '</script>';

        $imagePreview = $image !== '' ? '<div class="img-preview mb-2"><img src="' . h($image) . '" alt=""></div>' : '';

        $html =
            $flash .
            $editorStyle .
            '<form id="post-form" method="post" action="/admin/posts/save" enctype="multipart/form-data">' .
            '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
            '<input type="hidden" name="original_slug" value="' . h($isEdit ? $slug : '') . '">' .
            '<div class="post-form-grid">' .
            '<div>' .
            '<div class="card admin-card mb-3"><div class="card-body">' .
            '<div class="form-group mb-3"><label style="font-weight:900;">Tiêu đề</label><input id="post-title" class="form-control" name="title" value="' . h($title) . '" required></div>' .
            '<div class="editor-toolbar" id="editor-toolbar">' .
            '<button type="button" data-action="bold"><b>B</b></button>' .
            '<button type="button" data-action="italic"><i>I</i></button>' .
            '<button type="button" data-action="underline"><u>U</u></button>' .
            '<button type="button" data-action="strikeThrough"><s>S</s></button>' .
            '<button type="button" data-action="insertUnorderedList">• List</button>' .
            '<button type="button" data-action="insertOrderedList">1. List</button>' .
            '<button type="button" data-action="h2">H2</button>' .
            '<button type="button" data-action="h3">H3</button>' .
            '<button type="button" data-action="p">P</button>' .
            '<button type="button" data-action="link">Link</button>' .
            '<button type="button" data-action="unlink">Unlink</button>' .
            '<button type="button" data-action="image">Ảnh</button>' .
            '<button type="button" data-action="removeFormat">Clear</button>' .
            '</div>' .
            '<textarea id="post-content" name="content" style="display:none;">' . h($body) . '</textarea>' .
            '<div id="post-editor" class="admin-editor" contenteditable="true"></div>' .
            '<div class="d-flex align-items-center justify-content-between mt-3" style="gap:10px;">' .
            '<div class="text-muted small">Gợi ý: có thể dán trực tiếp nội dung từ Word vào ô soạn thảo.</div>' .
            '<div class="d-flex" style="gap:10px;">' .
            '<button class="btn btn-primary" type="submit" name="submit_action" value="save">Lưu</button>' .
            '<button class="btn btn-outline-primary" type="submit" name="submit_action" value="save_view">Lưu & xem</button>' .
            '<a class="btn btn-outline-secondary" href="/admin/posts">Hủy</a>' .
            '</div>' .
            '</div>' .
            '</div></div>' .
            '</div>' .
            '<div>' .
            '<div class="meta-card mb-3"><div class="meta-body">' .
            '<div class="meta-title">Thiết lập</div>' .
            '<div class="form-group"><label style="font-weight:900;">Slug</label><input id="post-slug" class="form-control" name="slug" value="' . h($formSlug) . '" placeholder="tu-dong-tao-neu-bo-trong"></div>' .
            '<div class="form-group mb-0"><label style="font-weight:900;">Mô tả ngắn</label><textarea class="form-control" name="excerpt" rows="4">' . h($excerpt) . '</textarea></div>' .
            '</div></div>' .
            '<div class="meta-card"><div class="meta-body">' .
            '<div class="meta-title">Ảnh đại diện</div>' .
            $imagePreview .
            '<div class="form-group"><label style="font-weight:900;">URL ảnh</label><input class="form-control" name="image_url" value="' . h($image) . '" placeholder="/uploads/... hoặc https://..."></div>' .
            '<div class="form-group mb-0"><label style="font-weight:900;">Upload</label><input class="form-control" type="file" name="image_file" accept="image/*"></div>' .
            '</div></div>' .
            '</div>' .
            '</div>' .
            $editorScript .
            '</form>';

        renderAdminPage($indexPath, $isEdit ? 'Sửa bài viết' : 'Thêm bài viết', 'posts', $html);
    }

    if ($path === '/admin/posts/save' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $title = trim((string)($_POST['title'] ?? ''));
        $slugInput = trim((string)($_POST['slug'] ?? ''));
        $originalSlug = trim((string)($_POST['original_slug'] ?? ''));
        $excerpt = trim((string)($_POST['excerpt'] ?? ''));
        $body = sanitizeRichHtml((string)($_POST['content'] ?? ''));
        $imageUrl = trim((string)($_POST['image_url'] ?? ''));
        $uploaded = handleUpload('image_file');
        $submitAction = (string)($_POST['submit_action'] ?? 'save');

        if ($title === '') {
            header('Location: /admin/posts?error=' . rawurlencode('Tiêu đề không được để trống'), true, 302);
            exit;
        }

        $slug = $slugInput !== '' ? slugify($slugInput) : slugify($title);
        if ($slug === '') {
            header('Location: /admin/posts?error=' . rawurlencode('Không tạo được slug'), true, 302);
            exit;
        }

        $store = loadContent();
        if (!is_array($store['posts'])) {
            $store['posts'] = [];
        }

        if ($originalSlug !== '' && $originalSlug !== $slug && isset($store['posts'][$slug])) {
            header('Location: /admin/posts?error=' . rawurlencode('Slug đã tồn tại'), true, 302);
            exit;
        }
        if ($originalSlug === '' && isset($store['posts'][$slug])) {
            header('Location: /admin/posts?error=' . rawurlencode('Slug đã tồn tại'), true, 302);
            exit;
        }

        $now = time();
        $image = $uploaded !== null ? $uploaded : $imageUrl;
        $existing = $originalSlug !== '' && isset($store['posts'][$originalSlug]) && is_array($store['posts'][$originalSlug]) ? $store['posts'][$originalSlug] : [];
        $createdAt = isset($existing['created_at']) ? (int)$existing['created_at'] : $now;

        $record = [
            'slug' => $slug,
            'title' => $title,
            'excerpt' => $excerpt,
            'content' => $body,
            'image' => $image,
            'created_at' => $createdAt,
            'updated_at' => $now,
        ];

        if ($originalSlug !== '' && $originalSlug !== $slug) {
            unset($store['posts'][$originalSlug]);
        }
        $store['posts'][$slug] = $record;
        saveContent($store);

        if ($submitAction === 'save_view') {
            header('Location: /' . $slug, true, 302);
            exit;
        }
        header('Location: /admin/posts?message=' . rawurlencode('Đã lưu bài viết'), true, 302);
        exit;
    }

    if ($path === '/admin/posts/delete' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $slug = trim((string)($_POST['slug'] ?? ''));
        $store = loadContent();
        if ($slug !== '' && isset($store['posts'][$slug])) {
            unset($store['posts'][$slug]);
            saveContent($store);
        }
        header('Location: /admin/posts?message=' . rawurlencode('Đã xóa bài viết'), true, 302);
        exit;
    }

    if ($path === '/admin/products' && $method === 'GET') {
        $content = loadContent();
        $products = is_array($content['products']) ? $content['products'] : [];

        $rows = '';
        foreach ($products as $slug => $product) {
            if (!is_array($product)) {
                continue;
            }
            $title = (string)($product['title'] ?? '');
            $excerpt = (string)($product['excerpt'] ?? '');
            $price = (int)($product['price'] ?? 0);
            $priceText = $price > 0 ? number_format($price, 0, ',', '.') . '₫' : '';
            $rows .=
                '<tr>' .
                '<td style="width:240px;"><a href="/san-pham/' . h((string)$slug) . '" target="_blank">/san-pham/' . h((string)$slug) . '</a></td>' .
                '<td><b>' . h($title) . '</b><div class="text-muted small">' . h($excerpt) . '</div></td>' .
                '<td style="width:140px;">' . h($priceText) . '</td>' .
                '<td style="width:180px;">' .
                '<a class="btn btn-sm btn-outline-primary mr-2" href="/admin/products/edit?slug=' . h((string)$slug) . '">Sửa</a>' .
                '<form method="post" action="/admin/products/delete" style="display:inline;">' .
                '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
                '<input type="hidden" name="slug" value="' . h((string)$slug) . '">' .
                '<button class="btn btn-sm btn-outline-danger" type="submit">Xóa</button>' .
                '</form>' .
                '</td>' .
                '</tr>';
        }

        $html =
            $flash .
            '<div class="d-flex align-items-center justify-content-between mb-3" style="gap:12px;">' .
            '<div class="h4 mb-0">Sản phẩm</div>' .
            '<a class="btn btn-primary" href="/admin/products/new">+ Thêm sản phẩm</a>' .
            '</div>' .
            '<div class="card"><div class="card-body p-0">' .
            '<table class="table mb-0"><thead><tr><th>URL</th><th>Tiêu đề</th><th>Giá</th><th></th></tr></thead><tbody>' .
            ($rows !== '' ? $rows : '<tr><td colspan="4" class="text-center p-4 text-muted">Chưa có sản phẩm</td></tr>') .
            '</tbody></table>' .
            '</div></div>';

        renderAdminPage($indexPath, 'Quản lý sản phẩm', 'products', $html);
    }

    if (($path === '/admin/products/new' || $path === '/admin/products/edit') && $method === 'GET') {
        $slug = trim((string)($_GET['slug'] ?? ''));
        $content = loadContent();
        $products = is_array($content['products']) ? $content['products'] : [];
        $product = $slug !== '' && isset($products[$slug]) && is_array($products[$slug]) ? $products[$slug] : [];

        $titleVal = (string)($product['title'] ?? '');
        $slugVal = $slug !== '' ? (string)$slug : '';
        $excerptVal = (string)($product['excerpt'] ?? '');
        $bodyVal = (string)($product['content'] ?? '');
        $imageVal = (string)($product['image'] ?? '');
        $priceVal = (string)($product['price'] ?? '');

        $preview = $imageVal !== '' ? '<div class="mb-2"><img src="' . h($imageVal) . '" alt="" style="max-width:220px;border-radius:12px;border:1px solid #eee;"></div>' : '';

        $html =
            $flash .
            '<div class="h4 mb-3">' . ($path === '/admin/products/new' ? 'Thêm sản phẩm' : 'Sửa sản phẩm') . '</div>' .
            '<div class="card"><div class="card-body">' .
            '<form method="post" action="/admin/products/save" enctype="multipart/form-data">' .
            '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
            '<input type="hidden" name="original_slug" value="' . h($slugVal) . '">' .
            '<div class="form-group"><label>Tiêu đề</label><input class="form-control" name="title" value="' . h($titleVal) . '" required></div>' .
            '<div class="form-group"><label>Slug (URL)</label><input class="form-control" name="slug" value="' . h($slugVal) . '" placeholder="tu-dong-tao-neu-bo-trong"></div>' .
            '<div class="form-group"><label>Giá (VNĐ)</label><input class="form-control" name="price" value="' . h($priceVal) . '" inputmode="numeric" placeholder="VD: 1200000"></div>' .
            '<div class="form-group"><label>Mô tả ngắn</label><textarea class="form-control" name="excerpt" rows="3">' . h($excerptVal) . '</textarea></div>' .
            '<div class="form-group"><label>Nội dung</label><textarea class="form-control" name="content" rows="8">' . h($bodyVal) . '</textarea></div>' .
            '<div class="form-group"><label>Ảnh (URL)</label><input class="form-control" name="image" value="' . h($imageVal) . '" placeholder="/uploads/.... hoặc https://..."></div>' .
            $preview .
            '<div class="form-group"><label>Upload ảnh</label><input class="form-control" type="file" name="image_upload" accept="image/*"></div>' .
            '<div class="d-flex" style="gap:10px;">' .
            '<button class="btn btn-primary" type="submit">Lưu</button>' .
            '<a class="btn btn-outline-secondary" href="/admin/products">Hủy</a>' .
            '</div>' .
            '</form>' .
            '</div></div>';

        renderAdminPage($indexPath, $path === '/admin/products/new' ? 'Thêm sản phẩm' : 'Sửa sản phẩm', 'products', $html);
    }

    if ($path === '/admin/products/save' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $title = trim((string)($_POST['title'] ?? ''));
        $slug = trim((string)($_POST['slug'] ?? ''));
        $originalSlug = trim((string)($_POST['original_slug'] ?? ''));
        $excerpt = trim((string)($_POST['excerpt'] ?? ''));
        $body = trim((string)($_POST['content'] ?? ''));
        $image = trim((string)($_POST['image'] ?? ''));
        $priceRaw = preg_replace('/[^0-9]/', '', (string)($_POST['price'] ?? '')) ?? '';
        $price = $priceRaw !== '' ? (int)$priceRaw : 0;

        if ($title === '') {
            header('Location: /admin/products?error=' . rawurlencode('Tiêu đề là bắt buộc'), true, 302);
            exit;
        }

        if ($slug === '') {
            $slug = slugify($title);
        } else {
            $slug = slugify($slug);
        }

        if ($slug === '') {
            header('Location: /admin/products?error=' . rawurlencode('Slug không hợp lệ'), true, 302);
            exit;
        }

        $upload = handleUpload('image_upload');
        $uploadAttempted = isset($_FILES['image_upload']) && is_array($_FILES['image_upload']) && isset($_FILES['image_upload']['error']) && (int)$_FILES['image_upload']['error'] !== UPLOAD_ERR_NO_FILE;
        if ($uploadAttempted && $upload === null) {
            $target = $originalSlug !== '' ? ('/admin/products/edit?slug=' . rawurlencode($originalSlug)) : '/admin/products/new';
            $join = str_contains($target, '?') ? '&' : '?';
            header('Location: ' . $target . $join . 'error=' . rawurlencode('Upload ảnh thất bại. Vui lòng dùng ảnh JPG/PNG/GIF/WEBP và dung lượng <= 10MB.'), true, 302);
            exit;
        }
        if (is_string($upload) && $upload !== '') {
            $image = $upload;
        }

        $store = loadContent();
        if (!isset($store['products']) || !is_array($store['products'])) {
            $store['products'] = [];
        }

        $existing = isset($store['products'][$slug]) && is_array($store['products'][$slug]) ? $store['products'][$slug] : [];
        $createdAt = isset($existing['created_at']) ? (int)$existing['created_at'] : time();
        $now = time();

        $record = [
            'title' => $title,
            'excerpt' => $excerpt,
            'content' => $body,
            'image' => $image,
            'price' => $price,
            'created_at' => $createdAt,
            'updated_at' => $now,
        ];

        if ($originalSlug !== '' && $originalSlug !== $slug) {
            unset($store['products'][$originalSlug]);
        }
        $store['products'][$slug] = $record;
        saveContent($store);

        header('Location: /admin/products?message=' . rawurlencode('Đã lưu sản phẩm'), true, 302);
        exit;
    }

    if ($path === '/admin/products/delete' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $slug = trim((string)($_POST['slug'] ?? ''));
        $store = loadContent();
        if ($slug !== '' && isset($store['products'][$slug])) {
            unset($store['products'][$slug]);
            saveContent($store);
        }
        header('Location: /admin/products?message=' . rawurlencode('Đã xóa sản phẩm'), true, 302);
        exit;
    }

    if ($path === '/admin/projects' && $method === 'GET') {
        $content = loadContent();
        $projects = is_array($content['projects']) ? $content['projects'] : [];

        $rows = '';
        foreach ($projects as $slug => $project) {
            if (!is_array($project)) {
                continue;
            }
            $title = (string)($project['title'] ?? '');
            $excerpt = (string)($project['excerpt'] ?? '');
            $rows .=
                '<tr>' .
                '<td style="width:220px;"><a href="/du-an/' . h((string)$slug) . '" target="_blank">/du-an/' . h((string)$slug) . '</a></td>' .
                '<td><b>' . h($title) . '</b><div class="text-muted small">' . h($excerpt) . '</div></td>' .
                '<td style="width:180px;">' .
                '<a class="btn btn-sm btn-outline-primary mr-2" href="/admin/projects/edit?slug=' . h((string)$slug) . '">Sửa</a>' .
                '<form method="post" action="/admin/projects/delete" style="display:inline;">' .
                '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
                '<input type="hidden" name="slug" value="' . h((string)$slug) . '">' .
                '<button class="btn btn-sm btn-outline-danger" type="submit">Xóa</button>' .
                '</form>' .
                '</td>' .
                '</tr>';
        }

        $html =
            $flash .
            '<div class="d-flex align-items-center justify-content-between mb-3">' .
            '<div class="h4 mb-0">Dự án</div>' .
            '<a class="btn" style="background:var(--mainColor);color:#fff;" href="/admin/projects/new">Thêm dự án</a>' .
            '</div>' .
            '<div class="card"><div class="card-body p-0">' .
            '<table class="table mb-0"><thead><tr><th>Slug</th><th>Tiêu đề</th><th></th></tr></thead><tbody>' .
            ($rows !== '' ? $rows : '<tr><td colspan="3" class="text-center p-4 text-muted">Chưa có dự án</td></tr>') .
            '</tbody></table>' .
            '</div></div>';

        renderAdminPage($indexPath, 'Quản lý dự án', 'projects', $html);
    }

    if (($path === '/admin/projects/new' || $path === '/admin/projects/edit') && $method === 'GET') {
        $isEdit = $path === '/admin/projects/edit';
        $slug = $isEdit ? (string)($_GET['slug'] ?? '') : '';
        $contentStore = loadContent();
        $project = $isEdit && $slug !== '' && isset($contentStore['projects'][$slug]) && is_array($contentStore['projects'][$slug]) ? $contentStore['projects'][$slug] : [];

        if ($isEdit && $slug === '') {
            header('Location: /admin/projects?error=' . rawurlencode('Thiếu slug'), true, 302);
            exit;
        }
        if ($isEdit && $slug !== '' && $project === []) {
            header('Location: /admin/projects?error=' . rawurlencode('Không tìm thấy dự án'), true, 302);
            exit;
        }

        $title = (string)($project['title'] ?? '');
        $excerpt = (string)($project['excerpt'] ?? '');
        $body = (string)($project['content'] ?? '');
        $image = (string)($project['image'] ?? '');
        $formSlug = $isEdit ? $slug : (string)($project['slug'] ?? '');

        $html =
            $flash .
            '<div class="card"><div class="card-body">' .
            '<form method="post" action="/admin/projects/save" enctype="multipart/form-data">' .
            '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
            '<input type="hidden" name="original_slug" value="' . h($isEdit ? $slug : '') . '">' .
            '<div class="form-group"><label>Tiêu đề</label><input class="form-control" name="title" value="' . h($title) . '" required></div>' .
            '<div class="form-group"><label>Slug (để trống sẽ tự tạo)</label><input class="form-control" name="slug" value="' . h($formSlug) . '"></div>' .
            '<div class="form-group"><label>Mô tả ngắn</label><textarea class="form-control" name="excerpt" rows="2">' . h($excerpt) . '</textarea></div>' .
            '<div class="form-group"><label>Ảnh (URL)</label><input class="form-control" name="image_url" value="' . h($image) . '"></div>' .
            '<div class="form-group"><label>Ảnh (upload)</label><input class="form-control" type="file" name="image_file" accept="image/*"></div>' .
            '<div class="form-group"><label>Nội dung (HTML)</label><textarea class="form-control" name="content" rows="10">' . h($body) . '</textarea></div>' .
            '<button class="btn" type="submit" style="background:var(--mainColor);color:#fff;">Lưu</button> ' .
            '<a class="btn btn-outline-secondary" href="/admin/projects">Hủy</a>' .
            '</form>' .
            '</div></div>';

        renderAdminPage($indexPath, $isEdit ? 'Sửa dự án' : 'Thêm dự án', 'projects', $html);
    }

    if ($path === '/admin/projects/save' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $title = trim((string)($_POST['title'] ?? ''));
        $slugInput = trim((string)($_POST['slug'] ?? ''));
        $originalSlug = trim((string)($_POST['original_slug'] ?? ''));
        $excerpt = trim((string)($_POST['excerpt'] ?? ''));
        $body = (string)($_POST['content'] ?? '');
        $imageUrl = trim((string)($_POST['image_url'] ?? ''));
        $uploaded = handleUpload('image_file');

        if ($title === '') {
            header('Location: /admin/projects?error=' . rawurlencode('Tiêu đề không được để trống'), true, 302);
            exit;
        }

        $slug = $slugInput !== '' ? slugify($slugInput) : slugify($title);
        if ($slug === '') {
            header('Location: /admin/projects?error=' . rawurlencode('Không tạo được slug'), true, 302);
            exit;
        }

        $store = loadContent();
        if (!is_array($store['projects'])) {
            $store['projects'] = [];
        }

        if ($originalSlug !== '' && $originalSlug !== $slug && isset($store['projects'][$slug])) {
            header('Location: /admin/projects?error=' . rawurlencode('Slug đã tồn tại'), true, 302);
            exit;
        }
        if ($originalSlug === '' && isset($store['projects'][$slug])) {
            header('Location: /admin/projects?error=' . rawurlencode('Slug đã tồn tại'), true, 302);
            exit;
        }

        $now = time();
        $image = $uploaded !== null ? $uploaded : $imageUrl;
        $existing = $originalSlug !== '' && isset($store['projects'][$originalSlug]) && is_array($store['projects'][$originalSlug]) ? $store['projects'][$originalSlug] : [];
        $createdAt = isset($existing['created_at']) ? (int)$existing['created_at'] : $now;

        $record = [
            'slug' => $slug,
            'title' => $title,
            'excerpt' => $excerpt,
            'content' => $body,
            'image' => $image,
            'created_at' => $createdAt,
            'updated_at' => $now,
        ];

        if ($originalSlug !== '' && $originalSlug !== $slug) {
            unset($store['projects'][$originalSlug]);
        }
        $store['projects'][$slug] = $record;
        saveContent($store);

        header('Location: /admin/projects?message=' . rawurlencode('Đã lưu dự án'), true, 302);
        exit;
    }

    if ($path === '/admin/projects/delete' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $slug = trim((string)($_POST['slug'] ?? ''));
        $store = loadContent();
        if ($slug !== '' && isset($store['projects'][$slug])) {
            unset($store['projects'][$slug]);
            saveContent($store);
        }
        header('Location: /admin/projects?message=' . rawurlencode('Đã xóa dự án'), true, 302);
        exit;
    }

    if ($path === '/admin/users' && $method === 'GET') {
        $users = loadUsers();
        $rows = '';
        foreach ($users as $email => $user) {
            if (!is_array($user)) {
                continue;
            }
            $isAdmin = !empty($user['is_admin']);
            $rows .= '<tr>' .
                '<td>' . h((string)($user['name'] ?? '')) . '</td>' .
                '<td>' . h((string)$email) . '</td>' .
                '<td>' . ($isAdmin ? '<span class="badge badge-success">Admin</span>' : '<span class="badge badge-secondary">User</span>') . '</td>' .
                '<td style="width:360px;">' .
                '<form method="post" action="/admin/users/role" style="display:inline;">' .
                '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
                '<input type="hidden" name="email" value="' . h((string)$email) . '">' .
                '<input type="hidden" name="action" value="' . ($isAdmin ? 'demote' : 'promote') . '">' .
                '<button class="btn btn-sm btn-outline-primary mr-2" type="submit">' . ($isAdmin ? 'Bỏ admin' : 'Làm admin') . '</button>' .
                '</form>' .
                '<form method="post" action="/admin/users/reset-password" style="display:inline;">' .
                '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
                '<input type="hidden" name="email" value="' . h((string)$email) . '">' .
                '<input class="form-control form-control-sm d-inline-block mr-2" style="width:160px;" name="new_password" placeholder="Mật khẩu mới" minlength="6" required>' .
                '<button class="btn btn-sm btn-outline-secondary mr-2" type="submit">Đổi MK</button>' .
                '</form>' .
                '<form method="post" action="/admin/users/delete" style="display:inline;">' .
                '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
                '<input type="hidden" name="email" value="' . h((string)$email) . '">' .
                '<button class="btn btn-sm btn-outline-danger" type="submit">Xóa</button>' .
                '</form>' .
                '</td>' .
                '</tr>';
        }

        $html =
            $flash .
            '<div class="h4 mb-3">Tài khoản</div>' .
            '<div class="card"><div class="card-body p-0">' .
            '<table class="table mb-0"><thead><tr><th>Họ tên</th><th>Email</th><th>Quyền</th><th></th></tr></thead><tbody>' .
            ($rows !== '' ? $rows : '<tr><td colspan="4" class="text-center p-4 text-muted">Chưa có tài khoản</td></tr>') .
            '</tbody></table>' .
            '</div></div>';

        renderAdminPage($indexPath, 'Quản lý tài khoản', 'users', $html);
    }

    if ($path === '/admin/users/role' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $email = strtolower(trim((string)($_POST['email'] ?? '')));
        $action = (string)($_POST['action'] ?? '');
        $users = loadUsers();
        if (!isset($users[$email]) || !is_array($users[$email])) {
            header('Location: /admin/users?error=' . rawurlencode('Không tìm thấy tài khoản'), true, 302);
            exit;
        }
        if ($action === 'promote') {
            $users[$email]['is_admin'] = true;
        } elseif ($action === 'demote') {
            $users[$email]['is_admin'] = false;
        }
        saveUsers($users);
        header('Location: /admin/users?message=' . rawurlencode('Đã cập nhật quyền'), true, 302);
        exit;
    }

    if ($path === '/admin/users/reset-password' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $email = strtolower(trim((string)($_POST['email'] ?? '')));
        $newPassword = (string)($_POST['new_password'] ?? '');
        if (strlen($newPassword) < 6) {
            header('Location: /admin/users?error=' . rawurlencode('Mật khẩu phải từ 6 ký tự'), true, 302);
            exit;
        }
        $users = loadUsers();
        if (!isset($users[$email]) || !is_array($users[$email])) {
            header('Location: /admin/users?error=' . rawurlencode('Không tìm thấy tài khoản'), true, 302);
            exit;
        }
        $users[$email]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
        $users[$email]['updated_at'] = time();
        saveUsers($users);
        header('Location: /admin/users?message=' . rawurlencode('Đã đổi mật khẩu'), true, 302);
        exit;
    }

    if ($path === '/admin/users/delete' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $email = strtolower(trim((string)($_POST['email'] ?? '')));
        $session = getLoggedInUser();
        $selfEmail = is_array($session) ? strtolower((string)($session['email'] ?? '')) : '';
        if ($email !== '' && $email === $selfEmail) {
            header('Location: /admin/users?error=' . rawurlencode('Không thể xóa tài khoản đang đăng nhập'), true, 302);
            exit;
        }
        $users = loadUsers();
        if ($email !== '' && isset($users[$email])) {
            unset($users[$email]);
            saveUsers($users);
        }
        header('Location: /admin/users?message=' . rawurlencode('Đã xóa tài khoản'), true, 302);
        exit;
    }

    if ($path === '/admin/settings' && $method === 'GET') {
        $s = getSiteSettings();

        $html =
            $flash .
            '<div class="h4 mb-3">Cài đặt website</div>' .
            '<div class="card"><div class="card-body">' .
            '<form method="post" action="/admin/settings/save">' .
            '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
            '<div class="row">' .
            '<div class="col-md-6">' .
            '<div class="form-group"><label>Tên công ty</label><input class="form-control" name="company_name" value="' . h((string)($s['company_name'] ?? '')) . '"></div>' .
            '<div class="form-group"><label>Địa chỉ</label><input class="form-control" name="address" value="' . h((string)($s['address'] ?? '')) . '"></div>' .
            '<div class="form-group"><label>Email</label><input class="form-control" name="email" value="' . h((string)($s['email'] ?? '')) . '"></div>' .
            '<div class="form-group"><label>Số điện thoại</label><input class="form-control" name="phone" value="' . h((string)($s['phone'] ?? '')) . '"></div>' .
            '</div>' .
            '<div class="col-md-6">' .
            '<div class="form-group"><label>Giới thiệu - tiêu đề nhỏ</label><input class="form-control" name="about_top_title" value="' . h((string)($s['about_top_title'] ?? '')) . '"></div>' .
            '<div class="form-group"><l</body>';
    $pos = stripos($html, $needle);
    if ($pos !== false) {
        $html = substr($html, 0, $pos) . $script . substr($html, $pos);
    } else {
        $html .= $script;
    }

    echo $html;
    exit;
}

function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function getCsrfToken(): string
{
    if (!isset($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token']) || $_SESSION['csrf_token'] === '') {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function requireCsrfToken(string $token): void
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if (!is_string($expected) || $expected === '' || !hash_equals($expected, $token)) {
        http_response_code(400);
        echo 'Invalid request.';
        exit;
    }
}

function getMysqlConfig(): ?array
{
    $host = trim((string)getenv('APP_DB_HOST'));
    $name = trim((string)getenv('APP_DB_NAME'));
    $user = trim((string)getenv('APP_DB_USER'));
    $pass = (string)getenv('APP_DB_PASS');
    $port = trim((string)getenv('APP_DB_PORT'));
    $charset = trim((string)getenv('APP_DB_CHARSET'));

    if ($host === '' || $name === '' || $user === '') {
        return null;
    }

    if ($port === '') {
        $port = '3306';
    }
    if ($charset === '') {
        $charset = 'utf8mb4';
    }

    return [
        'host' => $host,
        'port' => $port,
        'name' => $name,
        'user' => $user,
        'pass' => $pass,
        'charset' => $charset,
    ];
}

function dbPdo(): ?PDO
{
    static $pdo = null;
    static $tried = false;
    if ($tried) {
        return $pdo;
    }
    $tried = true;

    if (!class_exists('PDO')) {
        return null;
    }
    $drivers = PDO::getAvailableDrivers();
    if (!in_array('mysql', $drivers, true)) {
        return null;
    }
    $cfg = getMysqlConfig();
    if (!$cfg) {
        return null;
    }

    $dsn = 'mysql:host=' . $cfg['host'] . ';port=' . $cfg['port'] . ';dbname=' . $cfg['name'] . ';charset=' . $cfg['charset'];
    try {
        $pdo = new PDO($dsn, $cfg['user'], $cfg['pass'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
    } catch (Throwable) {
        $pdo = null;
    }

    return $pdo;
}

function usersFilePath(): string
{
    return __DIR__ . '/storage/users.json';
}

function loadUsersFromJson(): array
{
    $path = usersFilePath();
    if (!is_file($path)) {
        return [];
    }
    $raw = file_get_contents($path);
    if ($raw === false || $raw === '') {
        return [];
    }
    $data = json_decode($raw, true);
    return is_array($data) ? $data : [];
}

function saveUsersToJson(array $users): void
{
    $path = usersFilePath();
    $dir = dirname($path);
    if (!is_dir($dir)) {
        mkdir($dir, 0755, true);
    }
    file_put_contents($path, json_encode($users, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT), LOCK_EX);
}

function ensureUsersTable(PDO $pdo): void
{
    $sql =
        'CREATE TABLE IF NOT EXISTS users (' .
        'id VARCHAR(32) NOT NULL,' .
        'email VARCHAR(190) NOT NULL,' .
        'name VARCHAR(190) NOT NULL,' .
        'password_hash VARCHAR(255) NOT NULL,' .
        'is_admin TINYINT(1) NOT NULL DEFAULT 0,' .
        'created_at INT NOT NULL,' .
        'updated_at INT NULL,' .
        'PRIMARY KEY (id),' .
        'UNIQUE KEY uniq_email (email)' .
        ') ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci';
    $pdo->exec($sql);
}

function mysqlUsersCount(PDO $pdo): int
{
    $stmt = $pdo->query('SELECT COUNT(*) FROM users');
    $count = $stmt ? $stmt->fetchColumn() : 0;
    return (int)$count;
}

function normalizeUsersArray(array $users): array
{
    $out = [];
    foreach ($users as $key => $user) {
        if (!is_array($user)) {
            continue;
        }
        $email = strtolower(trim((string)($user['email'] ?? $key)));
        if ($email === '') {
            continue;
        }
        $id = (string)($user['id'] ?? '');
        if ($id === '') {
            $id = bin2hex(random_bytes(16));
        }
        $out[$email] = [
            'id' => $id,
            'email' => $email,
            'name' => (string)($user['name'] ?? ''),
            'password_hash' => (string)($user['password_hash'] ?? ''),
            'is_admin' => !empty($user['is_admin']),
            'created_at' => (int)($user['created_at'] ?? time()),
            'updated_at' => isset($user['updated_at']) ? (int)$user['updated_at'] : null,
        ];
    }
    return $out;
}

function mysqlLoadUsers(PDO $pdo): array
{
    $stmt = $pdo->query('SELECT id, email, name, password_hash, is_admin, created_at, updated_at FROM users');
    $rows = $stmt ? $stmt->fetchAll() : [];
    $out = [];
    foreach ($rows as $row) {
        if (!is_array($row)) {
            continue;
        }
        $email = strtolower((string)($row['email'] ?? ''));
        if ($email === '') {
            continue;
        }
        $out[$email] = [
            'id' => (string)($row['id'] ?? ''),
            'email' => $email,
            'name' => (string)($row['name'] ?? ''),
            'password_hash' => (string)($row['password_hash'] ?? ''),
            'is_admin' => !empty($row['is_admin']),
            'created_at' => (int)($row['created_at'] ?? 0),
            'updated_at' => isset($row['updated_at']) ? (int)$row['updated_at'] : null,
        ];
    }
    return $out;
}

function mysqlSaveUsers(PDO $pdo, array $users): void
{
    $users = normalizeUsersArray($users);

    $pdo->beginTransaction();
    try {
        $existing = $pdo->query('SELECT LOWER(email) AS email FROM users');
        $existingEmails = $existing ? $existing->fetchAll(PDO::FETCH_COLUMN) : [];
        $incomingEmails = array_keys($users);

        $incomingSet = [];
        foreach ($incomingEmails as $e) {
            $incomingSet[$e] = true;
        }
        $delete = [];
        foreach ($existingEmails as $e) {
            $e = strtolower((string)$e);
            if ($e !== '' && !isset($incomingSet[$e])) {
                $delete[] = $e;
            }
        }
        if ($delete) {
            $placeholders = implode(',', array_fill(0, count($delete), '?'));
            $delStmt = $pdo->prepare('DELETE FROM users WHERE LOWER(email) IN (' . $placeholders . ')');
            $delStmt->execute($delete);
        }

        $upsert = $pdo->prepare(
            'INSERT INTO users (id, email, name, password_hash, is_admin, created_at, updated_at) ' .
            'VALUES (:id, :email, :name, :password_hash, :is_admin, :created_at, :updated_at) ' .
            'ON DUPLICATE KEY UPDATE ' .
            'name = VALUES(name), ' .
            'password_hash = VALUES(password_hash), ' .
            'is_admin = VALUES(is_admin), ' .
            'created_at = VALUES(created_at), ' .
            'updated_at = VALUES(updated_at)'
        );

        foreach ($users as $user) {
            $upsert->execute([
                ':id' => (string)($user['id'] ?? ''),
                ':email' => (string)($user['email'] ?? ''),
                ':name' => (string)($user['name'] ?? ''),
                ':password_hash' => (string)($user['password_hash'] ?? ''),
                ':is_admin' => !empty($user['is_admin']) ? 1 : 0,
                ':created_at' => (int)($user['created_at'] ?? time()),
                ':updated_at' => isset($user['updated_at']) ? (int)$user['updated_at'] : null,
            ]);
        }

        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

function loadUsers(): array
{
    $pdo = dbPdo();
    if (!$pdo) {
        return normalizeUsersArray(loadUsersFromJson());
    }

    try {
        ensureUsersTable($pdo);
        if (mysqlUsersCount($pdo) === 0) {
            $fromJson = loadUsersFromJson();
            if ($fromJson) {
                mysqlSaveUsers($pdo, $fromJson);
            }
        }
        return mysqlLoadUsers($pdo);
    } catch (Throwable) {
        return normalizeUsersArray(loadUsersFromJson());
    }
}

function saveUsers(array $users): void
{
    $pdo = dbPdo();
    if (!$pdo) {
        saveUsersToJson(normalizeUsersArray($users));
        return;
    }
    try {
        ensureUsersTable($pdo);
        mysqlSaveUsers($pdo, $users);
    } catch (Throwable) {
        saveUsersToJson(normalizeUsersArray($users));
    }
}

function getLoggedInUser(): ?array
{
    $user = $_SESSION['user'] ?? null;
    return is_array($user) ? $user : null;
}

function isAdminUser(?array $user): bool
{
    return is_array($user) && !empty($user['is_admin']);
}

function setLoggedInUser(array $user): void
{
    $_SESSION['user'] = $user;
}

function logoutUser(): void
{
    unset($_SESSION['user']);
}

function requireLogin(string $returnUrl): void
{
    $user = getLoggedInUser();
    if ($user) {
        return;
    }
    header('Location: /account/login?ReturnUrl=' . rawurlencode($returnUrl), true, 302);
    exit;
}

function requireAdmin(string $returnUrl = '/admin'): void
{
    requireLogin($returnUrl);
    $user = getLoggedInUser();
    if (!isAdminUser($user)) {
        http_response_code(403);
        echo 'Forbidden';
        exit;
    }
}

function sanitizeReturnUrl(?string $returnUrl): string
{
    if ($returnUrl === null) {
        return '/account';
    }
    $returnUrl = trim($returnUrl);
    if ($returnUrl === '') {
        return '/account';
    }
    if (!str_starts_with($returnUrl, '/')) {
        return '/account';
    }
    if (str_contains($returnUrl, "\n") || str_contains($returnUrl, "\r")) {
        return '/account';
    }
    if (str_contains($returnUrl, '://')) {
        return '/account';
    }
    return $returnUrl;
}

function loadLayoutParts(string $indexPath): array
{
    static $cache = null;
    if (is_array($cache)) {
        return $cache;
    }

    $html = file_get_contents($indexPath);
    if ($html === false) {
        http_response_code(500);
        echo 'Missing site files.';
        exit;
    }

    $bodyPos = stripos($html, '<body');
    if ($bodyPos === false) {
        http_response_code(500);
        echo 'Invalid site template.';
        exit;
    }
    $bodyTagEnd = strpos($html, '>', $bodyPos);
    if ($bodyTagEnd === false) {
        http_response_code(500);
        echo 'Invalid site template.';
        exit;
    }

    $headAndBodyOpen = substr($html, 0, $bodyTagEnd + 1);
    $bodyClosePos = stripos($html, '</body>');
    if ($bodyClosePos === false) {
        http_response_code(500);
        echo 'Invalid site template.';
        exit;
    }

    $bodyInner = substr($html, $bodyTagEnd + 1, $bodyClosePos - ($bodyTagEnd + 1));
    $bgHomePos = stripos($bodyInner, '<div class="bg-home">');
    if ($bgHomePos === false) {
        http_response_code(500);
        echo 'Invalid site template.';
        exit;
    }

    $prefix = substr($bodyInner, 0, $bgHomePos);
    $footerPos = stripos($bodyInner, '<footer');
    if ($footerPos === false) {
        http_response_code(500);
        echo 'Invalid site template.';
        exit;
    }

    $suffix = substr($bodyInner, $footerPos);
    $tail = substr($html, $bodyClosePos);
    $cache = [
        'head' => $headAndBodyOpen,
        'prefix' => $prefix,
        'suffix' => $suffix . $tail,
    ];
    return $cache;
}

function applyAuthToHtml(string $html): string
{
    $user = getLoggedInUser();
    if (!$user) {
        return $html;
    }

    $adminLink = isAdminUser($user) ? '<a href="/admin">Admin</a>' : '';

    $html = preg_replace(
        '/(<li class="account[^>]*>[\s\S]*?<div class="drop-account">)([\s\S]*?)(<\/div>)/',
        '$1' . $adminLink . '<a href="/account">Tài khoản</a><a href="/account/logout">Đăng xuất</a>$3',
        $html,
        1
    ) ?? $html;

    $html = preg_replace(
        '/(<div class="user-account">)([\s\S]*?)(<\/div>)/',
        '$1' . (isAdminUser($user) ? '<a class="btnx" href="/admin">Admin</a><small><a href="/account">Tài khoản</a></small><small><a href="/account/logout">Đăng xuất</a></small>' : '<a class="btnx" href="/account">Tài khoản</a><small><a href="/account/logout">Đăng xuất</a></small>') . '$3',
        $html,
        1
    ) ?? $html;

    return $html;
}

function applyHomeProductsToHtml(string $html): string
{
    if (!str_contains($html, 'id="home-products-grid"')) {
        return $html;
    }

    $store = loadContent();
    $products = is_array($store['products']) ? $store['products'] : [];

    $cards = '';
    if ($products === []) {
        $cards = '<div class="col-12"><div class="alert alert-info">Chưa có sản phẩm.</div></div>';
    } else {
        $items = [];
        foreach ($products as $slug => $product) {
            if (!is_array($product)) {
                continue;
            }
            $items[] = ['slug' => (string)$slug] + $product;
        }
        usort($items, function (array $a, array $b): int {
            return (int)($b['updated_at'] ?? 0) <=> (int)($a['updated_at'] ?? 0);
        });

        $max = 6;
        $count = 0;
        foreach ($items as $product) {
            if ($count >= $max) {
                break;
            }
            $slug = (string)($product['slug'] ?? '');
            if ($slug === '') {
                continue;
            }
            $title = (string)($product['title'] ?? '');
            $excerpt = (string)($product['excerpt'] ?? '');
            $image = (string)($product['image'] ?? '');
            $price = (int)($product['price'] ?? 0);
            $priceText = $price > 0 ? number_format($price, 0, ',', '.') . '₫' : 'Liên hệ';
            $url = '/san-pham/' . $slug;
            $imgHtml = $image !== '' ? '<img src="' . h($image) . '" alt="' . h($title) . '" style="width:100%;height:200px;object-fit:cover;border-radius:14px 14px 0 0;">' : '<div style="height:200px;background:#f2f2f2;border-radius:14px 14px 0 0;"></div>';

            $cards .=
                '<div class="col-lg-4 col-md-6 mb-4">' .
                '<div class="card" style="border-radius:14px;overflow:hidden;border:1px solid #eee;box-shadow:0 8px 26px rgba(0,0,0,.04);">' .
                $imgHtml .
                '<div class="card-body">' .
                '<div class="d-flex align-items-start justify-content-between" style="gap:12px;">' .
                '<div style="min-width:0;"><div style="font-weight:800;font-size:16px;line-height:1.3;"><a href="' . h($url) . '" style="color:var(--textColor);">' . h($title) . '</a></div>' .
                '<div class="text-muted small" style="margin-top:6px;">' . h($excerpt) . '</div></div>' .
                '<div style="font-weight:800;color:var(--mainColor);white-space:nowrap;">' . h($priceText) . '</div>' .
                '</div>' .
                '<div class="mt-3"><a class="btn btn_base" href="' . h($url) . '" style="width:100%;">Xem chi tiết</a></div>' .
                '</div>' .
                '</div>' .
                '</div>';
            $count++;
        }
    }

    $html = preg_replace(
        '/<div class="row" id="home-products-grid">[\s\S]*?<\/div>/',
        '<div class="row" id="home-products-grid">' . $cards . '</div>',
        $html,
        1
    ) ?? $html;

    return $html;
}

function contentFilePath(): string
{
    return __DIR__ . '/storage/content.json';
}

function loadContentFromJson(): array
{
    $path = contentFilePath();
    if (!is_file($path)) {
        return [
            'posts' => [],
            'projects' => [],
            'products' => [],
            'settings' => [],
        ];
    }
    $raw = file_get_contents($path);
    if ($raw === false || $raw === '') {
        return [
            'posts' => [],
            'projects' => [],
            'products' => [],
            'settings' => [],
        ];
    }
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        return [
            'posts' => [],
            'projects' => [],
            'products' => [],
            'settings' => [],
        ];
    }
    if (!isset($data['posts']) || !is_array($data['posts'])) {
        $data['posts'] = [];
    }
    if (!isset($data['projects']) || !is_array($data['projects'])) {
        $data['projects'] = [];
    }
    if (!isset($data['products']) || !is_array($data['products'])) {
        $data['products'] = [];
    }
    if (!isset($data['settings']) || !is_array($data['settings'])) {
        $data['settings'] = [];
    }
    return $data;
}

function saveContentToJson(array $content): void
{
    $path = contentFilePath();
    $dir = dirname($path);
    if (!is_dir($dir)) {
        mkdir($dir, 0755, true);
    }
    file_put_contents($path, json_encode($content, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT), LOCK_EX);
}

function ensureContentTables(PDO $pdo): void
{
    $sql1 =
        'CREATE TABLE IF NOT EXISTS content_items (' .
        'type VARCHAR(20) NOT NULL,' .
        'slug VARCHAR(190) NOT NULL,' .
        'title VARCHAR(255) NOT NULL,' .
        'excerpt TEXT NULL,' .
        'content LONGTEXT NULL,' .
        'image VARCHAR(255) NULL,' .
        'price INT NULL,' .
        'created_at INT NOT NULL,' .
        'updated_at INT NULL,' .
        'PRIMARY KEY (type, slug),' .
        'KEY idx_type_updated (type, updated_at),' .
        'KEY idx_type_created (type, created_at)' .
        ') ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci';
    $pdo->exec($sql1);

    $sql2 =
        'CREATE TABLE IF NOT EXISTS settings (' .
        '`key` VARCHAR(100) NOT NULL,' .
        '`value` LONGTEXT NOT NULL,' .
        'updated_at INT NULL,' .
        'PRIMARY KEY (`key`)' .
        ') ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci';
    $pdo->exec($sql2);
}

function normalizeContentStore(array $store): array
{
    $out = [
        'posts' => [],
        'projects' => [],
        'products' => [],
        'settings' => [],
    ];

    $now = time();

    foreach (['posts', 'projects', 'products'] as $type) {
        $items = isset($store[$type]) && is_array($store[$type]) ? $store[$type] : [];
        foreach ($items as $k => $item) {
            if (!is_array($item)) {
                continue;
            }
            $slug = trim((string)($item['slug'] ?? $k));
            $slug = $slug !== '' ? slugify($slug) : '';
            if ($slug === '') {
                continue;
            }
            $createdAt = isset($item['created_at']) ? (int)$item['created_at'] : $now;
            $updatedAt = isset($item['updated_at']) ? (int)$item['updated_at'] : null;
            $record = $item;
            $record['slug'] = $slug;
            $record['title'] = (string)($record['title'] ?? '');
            $record['excerpt'] = (string)($record['excerpt'] ?? '');
            $record['content'] = (string)($record['content'] ?? '');
            $record['image'] = (string)($record['image'] ?? '');
            $record['created_at'] = $createdAt > 0 ? $createdAt : $now;
            $record['updated_at'] = $updatedAt !== null && $updatedAt > 0 ? $updatedAt : $record['created_at'];

            if ($type === 'products') {
                $record['price'] = (int)($record['price'] ?? 0);
            }

            $out[$type][$slug] = $record;
        }
    }

    $settings = isset($store['settings']) && is_array($store['settings']) ? $store['settings'] : [];
    foreach ($settings as $k => $v) {
        $key = trim((string)$k);
        if ($key === '') {
            continue;
        }
        $out['settings'][$key] = is_string($v) ? $v : (is_scalar($v) ? (string)$v : json_encode($v, JSON_UNESCAPED_UNICODE));
    }

    return $out;
}

function mysqlContentCount(PDO $pdo): int
{
    $stmt = $pdo->query('SELECT COUNT(*) FROM content_items');
    $count = $stmt ? $stmt->fetchColumn() : 0;
    return (int)$count;
}

function mysqlLoadContent(PDO $pdo): array
{
    $store = [
        'posts' => [],
        'projects' => [],
        'products' => [],
        'settings' => [],
    ];

    $stmt = $pdo->query('SELECT type, slug, title, excerpt, content, image, price, created_at, updated_at FROM content_items');
    $rows = $stmt ? $stmt->fetchAll() : [];
    foreach ($rows as $row) {
        if (!is_array($row)) {
            continue;
        }
        $type = (string)($row['type'] ?? '');
        $slug = (string)($row['slug'] ?? '');
        if ($type === '' || $slug === '' || !isset($store[$type]) || $type === 'settings') {
            continue;
        }
        $record = [
            'slug' => $slug,
            'title' => (string)($row['title'] ?? ''),
            'excerpt' => (string)($row['excerpt'] ?? ''),
            'content' => (string)($row['content'] ?? ''),
            'image' => (string)($row['image'] ?? ''),
            'created_at' => (int)($row['created_at'] ?? 0),
            'updated_at' => isset($row['updated_at']) ? (int)$row['updated_at'] : null,
        ];
        if ($type === 'products') {
            $record['price'] = (int)($row['price'] ?? 0);
        }
        $store[$type][$slug] = $record;
    }

    $stmt2 = $pdo->query('SELECT `key`, `value` FROM settings');
    $rows2 = $stmt2 ? $stmt2->fetchAll() : [];
    foreach ($rows2 as $row) {
        if (!is_array($row)) {
            continue;
        }
        $key = (string)($row['key'] ?? '');
        if ($key === '') {
            continue;
        }
        $store['settings'][$key] = (string)($row['value'] ?? '');
    }

    return normalizeContentStore($store);
}

function mysqlSaveContent(PDO $pdo, array $store): void
{
    $store = normalizeContentStore($store);

    $pdo->beginTransaction();
    try {
        foreach (['posts', 'projects', 'products'] as $type) {
            $existingStmt = $pdo->prepare('SELECT slug FROM content_items WHERE type = ?');
            $existingStmt->execute([$type]);
            $existingSlugs = $existingStmt->fetchAll(PDO::FETCH_COLUMN) ?: [];

            $incoming = $store[$type];
            $incomingSet = [];
            foreach (array_keys($incoming) as $s) {
                $incomingSet[(string)$s] = true;
            }

            $toDelete = [];
            foreach ($existingSlugs as $s) {
                $s = (string)$s;
                if ($s !== '' && !isset($incomingSet[$s])) {
                    $toDelete[] = $s;
                }
            }
            if ($toDelete) {
                $placeholders = implode(',', array_fill(0, count($toDelete), '?'));
                $del = $pdo->prepare('DELETE FROM content_items WHERE type = ? AND slug IN (' . $placeholders . ')');
                $del->execute(array_merge([$type], $toDelete));
            }

            $upsert = $pdo->prepare(
                'INSERT INTO content_items (type, slug, title, excerpt, content, image, price, created_at, updated_at) ' .
                'VALUES (:type, :slug, :title, :excerpt, :content, :image, :price, :created_at, :updated_at) ' .
                'ON DUPLICATE KEY UPDATE ' .
                'title = VALUES(title), ' .
                'excerpt = VALUES(excerpt), ' .
                'content = VALUES(content), ' .
                'image = VALUES(image), ' .
                'price = VALUES(price), ' .
                'created_at = VALUES(created_at), ' .
                'updated_at = VALUES(updated_at)'
            );

            foreach ($incoming as $slug => $item) {
                if (!is_array($item)) {
                    continue;
                }
                $createdAt = isset($item['created_at']) ? (int)$item['created_at'] : time();
                $updatedAt = isset($item['updated_at']) ? (int)$item['updated_at'] : null;
                $upsert->execute([
                    ':type' => $type,
                    ':slug' => (string)$slug,
                    ':title' => (string)($item['title'] ?? ''),
                    ':excerpt' => (string)($item['excerpt'] ?? ''),
                    ':content' => (string)($item['content'] ?? ''),
                    ':image' => (string)($item['image'] ?? ''),
                    ':price' => $type === 'products' ? (int)($item['price'] ?? 0) : null,
                    ':created_at' => $createdAt > 0 ? $createdAt : time(),
                    ':updated_at' => $updatedAt !== null && $updatedAt > 0 ? $updatedAt : time(),
                ]);
            }
        }

        $existingSettings = $pdo->query('SELECT `key` FROM settings');
        $existingKeys = $existingSettings ? $existingSettings->fetchAll(PDO::FETCH_COLUMN) : [];
        $incomingKeys = array_keys($store['settings']);
        $incomingSet = [];
        foreach ($incomingKeys as $k) {
            $incomingSet[(string)$k] = true;
        }
        $toDelete = [];
        foreach ($existingKeys as $k) {
            $k = (string)$k;
            if ($k !== '' && !isset($incomingSet[$k])) {
                $toDelete[] = $k;
            }
        }
        if ($toDelete) {
            $placeholders = implode(',', array_fill(0, count($toDelete), '?'));
            $del = $pdo->prepare('DELETE FROM settings WHERE `key` IN (' . $placeholders . ')');
            $del->execute($toDelete);
        }

        $upsertSetting = $pdo->prepare(
            'INSERT INTO settings (`key`, `value`, updated_at) VALUES (:key, :value, :updated_at) ' .
            'ON DUPLICATE KEY UPDATE `value` = VALUES(`value`), updated_at = VALUES(updated_at)'
        );
        $now = time();
        foreach ($store['settings'] as $k => $v) {
            $key = (string)$k;
            if ($key === '') {
                continue;
            }
            $upsertSetting->execute([
                ':key' => $key,
                ':value' => (string)$v,
                ':updated_at' => $now,
            ]);
        }

        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

function loadContent(): array
{
    $pdo = dbPdo();
    if (!$pdo) {
        return normalizeContentStore(loadContentFromJson());
    }

    try {
        ensureContentTables($pdo);
        if (mysqlContentCount($pdo) === 0) {
            $fromJson = loadContentFromJson();
            $normalized = normalizeContentStore($fromJson);
            $hasAny =
                ($normalized['posts'] !== []) ||
                ($normalized['projects'] !== []) ||
                ($normalized['products'] !== []) ||
                ($normalized['settings'] !== []);
            if ($hasAny) {
                mysqlSaveContent($pdo, $normalized);
            }
        }
        return mysqlLoadContent($pdo);
    } catch (Throwable) {
        return normalizeContentStore(loadContentFromJson());
    }
}

function saveContent(array $content): void
{
    $pdo = dbPdo();
    if (!$pdo) {
        saveContentToJson(normalizeContentStore($content));
        return;
    }
    try {
        ensureContentTables($pdo);
        mysqlSaveContent($pdo, $content);
    } catch (Throwable) {
        saveContentToJson(normalizeContentStore($content));
    }
}

function slugify(string $value): string
{
    $value = trim($value);
    if ($value === '') {
        return '';
    }
    if (function_exists('iconv')) {
        $converted = @iconv('UTF-8', 'ASCII//TRANSLIT//IGNORE', $value);
        if (is_string($converted) && $converted !== '') {
            $value = $converted;
        }
    }
    $value = strtolower($value);
    $value = preg_replace('/[^a-z0-9]+/i', '-', $value) ?? $value;
    $value = trim($value, '-');
    $value = preg_replace('/-+/', '-', $value) ?? $value;
    return $value;
}

function sanitizeInlineStyle(string $style): string
{
    $allow = [
        'text-align' => true,
        'color' => true,
        'background-color' => true,
        'font-weight' => true,
        'font-style' => true,
        'text-decoration' => true,
    ];

    $style = trim($style);
    if ($style === '') {
        return '';
    }

    $out = [];
    foreach (explode(';', $style) as $part) {
        $part = trim($part);
        if ($part === '' || !str_contains($part, ':')) {
            continue;
        }
        [$k, $v] = array_map('trim', explode(':', $part, 2));
        $k = strtolower($k);
        if ($k === '' || $v === '' || !isset($allow[$k])) {
            continue;
        }
        $vLower = strtolower($v);
        if (str_contains($vLower, 'expression') || str_contains($vLower, 'javascript:') || str_contains($vLower, 'url(')) {
            continue;
        }
        $out[] = $k . ':' . $v;
    }

    return implode(';', $out);
}

function sanitizeRichHtml(string $html): string
{
    $html = str_replace("\0", '', $html);
    $html = preg_replace('#<\s*(script|style)[^>]*>[\s\S]*?<\s*/\s*\1\s*>#i', '', $html) ?? $html;
    $allowed = '<p><br><b><strong><i><em><u><s><a><ul><ol><li><h2><h3><h4><blockquote><img><table><thead><tbody><tr><th><td><span><div>';
    $html = strip_tags($html, $allowed);
    $html = preg_replace('/\son\w+\s*=\s*(\"[^\"]*\"|\'[^\']*\'|[^\s>]+)/i', '', $html) ?? $html;
    $html = preg_replace_callback(
        '/\sstyle\s*=\s*(\"([^\"]*)\"|\'([^\']*)\')/i',
        function(array $m): string {
            $raw = isset($m[2]) && $m[2] !== '' ? $m[2] : (string)($m[3] ?? '');
            $san = sanitizeInlineStyle($raw);
            return $san !== '' ? ' style="' . h($san) . '"' : '';
        },
        $html
    ) ?? $html;
    $html = preg_replace('/\shref\s*=\s*(\"|\')\s*javascript:[^\"\']*(\"|\')/i', ' href="#"', $html) ?? $html;
    $html = preg_replace('/\ssrc\s*=\s*(\"|\')\s*javascript:[^\"\']*(\"|\')/i', '', $html) ?? $html;
    return trim($html);
}

function uploadsDirPath(): string
{
    return __DIR__ . '/uploads';
}

function handleUpload(string $fieldName): ?string
{
    if (!isset($_FILES[$fieldName]) || !is_array($_FILES[$fieldName])) {
        return null;
    }
    $file = $_FILES[$fieldName];
    if (!isset($file['error'], $file['tmp_name'], $file['name'])) {
        return null;
    }
    if ((int)$file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = (string)$file['tmp_name'];
    if ($tmp === '' || !is_file($tmp)) {
        return null;
    }
    $size = isset($file['size']) ? (int)$file['size'] : 0;
    if ($size <= 0 || $size > 10 * 1024 * 1024) {
        return null;
    }

    $mime = '';
    if (class_exists('finfo')) {
        $fi = new finfo(FILEINFO_MIME_TYPE);
        $detected = $fi->file($tmp);
        if (is_string($detected)) {
            $mime = $detected;
        }
    }
    if ($mime === '' && function_exists('getimagesize')) {
        $info = @getimagesize($tmp);
        if (is_array($info) && isset($info['mime']) && is_string($info['mime'])) {
            $mime = $info['mime'];
        }
    }

    $allowed = [
        'image/jpeg' => 'jpg',
        'image/jpg' => 'jpg',
        'image/pjpeg' => 'jpg',
        'image/png' => 'png',
        'image/gif' => 'gif',
        'image/webp' => 'webp',
    ];
    $ext = $mime !== '' && isset($allowed[$mime]) ? $allowed[$mime] : '';
    if ($ext === '') {
        $name = (string)($file['name'] ?? '');
        $fromName = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        $allowedExt = ['jpg' => true, 'jpeg' => true, 'png' => true, 'gif' => true, 'webp' => true];
        if (isset($allowedExt[$fromName])) {
            if (function_exists('getimagesize') && @getimagesize($tmp) !== false) {
                $ext = $fromName === 'jpeg' ? 'jpg' : $fromName;
            }
        }
    }
    if ($ext === '') {
        return null;
    }

    $dir = uploadsDirPath();
    if (!is_dir($dir)) {
        mkdir($dir, 0755, true);
    }

    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = $dir . '/' . $name;

    if (!move_uploaded_file($tmp, $dest)) {
        return null;
    }

    return '/uploads/' . $name;
}

function getSiteSettings(): array
{
    $defaults = [
        'company_name' => 'CÔNG TY CỔ PHẦN ĐẦU TƯ VÀ PHÁT TRIỂN ACP MINH TÚ',
        'address' => 'Số 51, ngách 99/110/32, Định Công Hạ, P Định Công, Hà Nội',
        'email' => 'admin@gmail.com',
        'phone' => '0356666312',
        'about_top_title' => 'Chúng tôi là ai',
        'about_title' => '',
        'about_desc' =>
            'Chúng tôi, Công ty CP đầu tư và Phát triển ACP Minh Tú với hơn 15 năm kinh nghiệm trong lĩnh vực thi công mặt dựng Alumilium, mái sảnh, hoàn thiện nội, ngoại thất,... đã được sự tin tưởng, tín nhiệm của các đối tác trong và ngoài nước trên toàn Quốc. Với định hướng phát triển bền vững về chất lượng sản phẩm, dịch vụ, Acp Minh Tú luôn nỗ lực phấn đấu không ngừng, cập nhật xu hướng phát triển nhằm đem lại cho quý khách những công trình có giá trị cao, nâng tầm chất lượng, đảm bảo tính thẩm mỹ, để trở thành đối tác quen thuộc và chiếm chọn sự tin yêu của Quý khách hàng.',
        'footer_services_html' =>
            '<li><a href="/thi-cong-tam-op-nhom-aluminium" title="Thi công mặt dựng Facade">Thi công mặt dựng Facade</a></li>' .
            '<li><a href="/san-xuat-he-cua-nhom-kinh" title="Sản xuất hệ cửa nhôm kính">Sản xuất hệ cửa nhôm kính</a></li>' .
            '<li><a href="/thi-cong-mat-dung-aluminium-la-gi" title="Thi công mặt dựng Aluminium là gì?">Thi công mặt dựng Aluminium là gì?</a></li>',
        'footer_projects_html' =>
            '<li><a href="#projects" title="Dự án tiêu biểu">Dự án tiêu biểu</a></li>' .
            '<li><a href="/du-an-da-thi-cong" title="Dự án đã thi công">Dự án đã thi công</a></li>' .
            '<li><a href="/du-an-dang-thi-cong" title="Dự án đang thi công">Dự án đang thi công</a></li>',
        'newsletter_title' => 'Đăng ký tư vấn',
        'newsletter_subtitle' => 'Đăng ký để chúng tôi có cơ hội được tư vấn và phục vụ bạn.',
        'newsletter_placeholder' => 'Nhập email của bạn',
        'newsletter_button' => 'Đăng ký',
        'copyright_html' =>
            '© Bản quyền thuộc về <b>Acp Minh Tú</b> <span class="center">|</span> <span class="opacity1">Cung cấp bởi <a href="https://www.sapo.vn/" rel="noopener" title="Sapo" target="_blank">Sapo</a></span>',
    ];

    $content = loadContent();
    $settings = isset($content['settings']) && is_array($content['settings']) ? $content['settings'] : [];
    return array_merge($defaults, $settings);
}

function applySettingsToHtml(string $html): string
{
    $s = getSiteSettings();

    $company = (string)($s['company_name'] ?? '');
    $address = (string)($s['address'] ?? '');
    $email = (string)($s['email'] ?? '');
    $phone = (string)($s['phone'] ?? '');

    $defaultCompany = 'CÔNG TY CỔ PHẦN ĐẦU TƯ VÀ PHÁT TRIỂN ACP MINH TÚ';
    $defaultAddress = 'Số 51, ngách 99/110/32, Định Công Hạ, P Định Công, Hà Nội';
    $defaultEmail = 'admin@gmail.com';
    $defaultPhone = '0356666312';
    $defaultTelHref = 'tel:0356666312';

    $telHref = preg_replace('/\\s+/', '', $phone) ?? $phone;
    $telHref = $telHref !== '' ? 'tel:' . $telHref : $defaultTelHref;
    $mailto = $email !== '' ? 'mailto:' . $email : 'mailto:' . $defaultEmail;

    if ($company !== '') {
        $html = str_replace($defaultCompany, $company, $html);
    }
    if ($address !== '') {
        $html = str_replace($defaultAddress, $address, $html);
    }
    if ($email !== '') {
        $html = str_replace($defaultEmail, $email, $html);
        $html = str_replace('mailto:' . $defaultEmail, $mailto, $html);
    }
    if ($phone !== '') {
        $html = str_replace($defaultPhone, $phone, $html);
        $html = str_replace($defaultTelHref, $telHref, $html);
    }

    $aboutTopTitle = (string)($s['about_top_title'] ?? '');
    if ($aboutTopTitle !== '') {
        $html = preg_replace(
            '/(<span class=\"top-title\" id=\"about-top-title\">)[\\s\\S]*?(<\\/span>)/',
            '$1' . h($aboutTopTitle) . '$2',
            $html,
            1
        ) ?? $html;
    }

    $aboutTitle = (string)($s['about_title'] ?? '');
    if ($aboutTitle !== '') {
        $html = preg_replace(
            '/(<h2 class=\"title\" id=\"about-title\">)[\\s\\S]*?(<\\/h2>)/',
            '$1' . h($aboutTitle) . '$2',
            $html,
            1
        ) ?? $html;
    }

    $aboutDesc = (string)($s['about_desc'] ?? '');
    if ($aboutDesc !== '') {
        $html = preg_replace(
            '/(<p class=\"desc\" id=\"about-desc\">)[\\s\\S]*?(<\\/p>)/',
            '$1' . h($aboutDesc) . '$2',
            $html,
            1
        ) ?? $html;
    }

    $servicesHtml = (string)($s['footer_services_html'] ?? '');
    if ($servicesHtml !== '') {
        $html = preg_replace_callback(
            '/(<ul class=\"list-menu\" id=\"footer-services-links\">)[\\s\\S]*?(<\\/ul>)/',
            function(array $m) use ($servicesHtml): string {
                return $m[1] . $servicesHtml . $m[2];
            },
            $html,
            1
        ) ?? $html;
    }

    $projectsHtml = (string)($s['footer_projects_html'] ?? '');
    if ($projectsHtml !== '') {
        $html = preg_replace_callback(
            '/(<ul class=\"list-menu\" id=\"footer-projects-links\">)[\\s\\S]*?(<\\/ul>)/',
            function(array $m) use ($projectsHtml): string {
                return $m[1] . $projectsHtml . $m[2];
            },
            $html,
            1
        ) ?? $html;
    }

    $newsletterTitle = (string)($s['newsletter_title'] ?? '');
    if ($newsletterTitle !== '') {
        $html = preg_replace(
            '/(<h4 class=\"title-menu\" id=\"footer-newsletter-title\">)[\\s\\S]*?(<\\/h4>)/',
            '$1' . h($newsletterTitle) . '$2',
            $html,
            1
        ) ?? $html;
    }

    $newsletterSubtitle = (string)($s['newsletter_subtitle'] ?? '');
    if ($newsletterSubtitle !== '') {
        $html = preg_replace(
            '/(<div class=\"sub-title\" id=\"footer-newsletter-subtitle\">)[\\s\\S]*?(<\\/div>)/',
            '$1' . h($newsletterSubtitle) . '$2',
            $html,
            1
        ) ?? $html;
    }

    $newsletterPlaceholder = (string)($s['newsletter_placeholder'] ?? '');
    if ($newsletterPlaceholder !== '') {
        $html = preg_replace(
            '/(<input[^>]*id=\"footer-newsletter-placeholder\"[^>]*placeholder=\")([^\"]*)(\"[^>]*>)/',
            '$1' . h($newsletterPlaceholder) . '$3',
            $html,
            1
        ) ?? $html;
    }

    $newsletterButton = (string)($s['newsletter_button'] ?? '');
    if ($newsletterButton !== '') {
        $html = preg_replace(
            '/(<button[^>]*id=\"footer-newsletter-button\"[^>]*>)([\\s\\S]*?)(<\\/button>)/',
            '$1' . h($newsletterButton) . '$3',
            $html,
            1
        ) ?? $html;
    }

    $copyrightHtml = (string)($s['copyright_html'] ?? '');
    if ($copyrightHtml !== '') {
        $html = preg_replace_callback(
            '/(<div class=\"wsp\">)[\\s\\S]*?(<\\/div>)/',
            function(array $m) use ($copyrightHtml): string {
                return $m[1] . $copyrightHtml . $m[2];
            },
            $html,
            1
        ) ?? $html;
    }

    return $html;
}

function normalizeAssetPaths(string $html): string
{
    $replacements = [
        '/bizweb.dktcdn.net/' => '/bizweb.dktcdn.net/',
        "url(/bizweb.dktcdn.net/" => "url(/bizweb.dktcdn.net/",
        "url('/bizweb.dktcdn.net/" => "url('/bizweb.dktcdn.net/",
        'url("/bizweb.dktcdn.net/' => 'url("/bizweb.dktcdn.net/',
        '/minhtuwindows.com/' => '/minhtuwindows.com/',
    ];
    return str_replace(array_keys($replacements), array_values($replacements), $html);
}

function renderHomePage(string $indexPath): void
{
    header('Content-Type: text/html; charset=UTF-8');
    $html = file_get_contents($indexPath);
    if ($html === false) {
        http_response_code(500);
        echo 'Missing site files.';
        exit;
    }
    echo applySettingsToHtml(applyHomeProductsToHtml(applyAuthToHtml(normalizeAssetPaths($html))));
    exit;
}

function renderLayoutPage(string $indexPath, string $title, string $mainHtml): void
{
    $parts = loadLayoutParts($indexPath);
    $html = $parts['head'] . $parts['prefix'] . '<div class="bg-home">' . $mainHtml . $parts['suffix'];
    $html = preg_replace('/<title>[\s\S]*?<\/title>/', '<title>' . h($title) . '</title>', $html, 1) ?? $html;
    $html = applySettingsToHtml(applyAuthToHtml(normalizeAssetPaths($html)));
    header('Content-Type: text/html; charset=UTF-8');
    echo $html;
    exit;
}

function renderAdminPage(string $indexPath, string $title, string $active, string $contentHtml): void
{
    $user = getLoggedInUser();
    $userName = is_array($user) ? (string)($user['name'] ?? '') : '';
    $userEmail = is_array($user) ? (string)($user['email'] ?? '') : '';

    $links = [
        'dashboard' => ['href' => '/admin', 'label' => 'Tổng quan'],
        'posts' => ['href' => '/admin/posts', 'label' => 'Tin tức'],
        'products' => ['href' => '/admin/products', 'label' => 'Sản phẩm'],
        'projects' => ['href' => '/admin/projects', 'label' => 'Dự án'],
        'users' => ['href' => '/admin/users', 'label' => 'Tài khoản'],
        'settings' => ['href' => '/admin/settings', 'label' => 'Cài đặt'],
        'site' => ['href' => '/', 'label' => 'Xem website'],
    ];

    $nav = '<div class="admin-sidebar">';
    foreach ($links as $key => $link) {
        $isActive = $key === $active;
        $nav .= '<a class="admin-nav-item' . ($isActive ? ' active' : '') . '" href="' . h($link['href']) . '">' . h($link['label']) . '</a>';
    }
    $nav .= '</div>';

    $style =
        '<style>' .
        '.admin-shell{background:#f6f7fb;min-height:60vh;padding:22px 0;}' .
        '.admin-topbar{position:sticky;top:0;z-index:50;background:#fff;border-bottom:1px solid #eee;}' .
        '.admin-topbar .brand{font-weight:800;letter-spacing:.3px;color:var(--textColor);}' .
        '.admin-topbar .brand span{color:var(--mainColor);}' .
        '.admin-user{font-size:13px;color:#666;}' .
        '.admin-user b{color:var(--textColor);}' .
        '.admin-sidebar{background:#fff;border:1px solid #eee;border-radius:14px;overflow:hidden;box-shadow:0 8px 26px rgba(0,0,0,.04);}' .
        '.admin-nav-item{display:flex;align-items:center;gap:10px;padding:12px 14px;color:var(--textColor);border-bottom:1px solid #f1f1f1;font-weight:600;}' .
        '.admin-nav-item:last-child{border-bottom:0;}' .
        '.admin-nav-item:hover{background:#fff7ec;color:var(--mainColor);text-decoration:none;}' .
        '.admin-nav-item.active{background:var(--mainColor);color:#fff;}' .
        '.admin-nav-item.active:hover{background:var(--mainColor);color:#fff;}' .
        '.admin-card{background:#fff;border:1px solid #eee;border-radius:14px;box-shadow:0 8px 26px rgba(0,0,0,.04);}' .
        '.admin-card .card-body{padding:16px;}' .
        '.admin-title{font-size:22px;font-weight:800;margin:0;}' .
        '.admin-subtitle{color:#666;margin:0;}' .
        '.admin-actions .btn{border-radius:12px;}' .
        '.admin-shell .table thead th{border-top:0;background:#fbfbfd;}' .
        '.admin-shell .table td,.admin-shell .table th{vertical-align:middle;}' .
        '.admin-shell .form-control{border-radius:12px;}' .
        '.admin-shell .btn{border-radius:12px;}' .
        '</style>';

    $topbar =
        '<div class="admin-topbar">' .
        '<div class="container">' .
        '<div class="d-flex align-items-center justify-content-between py-2">' .
        '<div class="brand">ACP <span>Admin</span></div>' .
        '<div class="d-flex align-items-center" style="gap:12px;">' .
        '<div class="admin-user d-none d-md-block"><b>' . h($userName !== '' ? $userName : $userEmail) . '</b>' . ($userName !== '' && $userEmail !== '' ? ' <span>(' . h($userEmail) . ')</span>' : '') . '</div>' .
        '<a class="btn btn-outline-secondary btn-sm" href="/">Xem website</a>' .
        '<a class="btn btn-outline-danger btn-sm" href="/account/logout">Đăng xuất</a>' .
        '</div>' .
        '</div>' .
        '</div>' .
        '</div>';

    $mainHtml =
        $style .
        $topbar .
        '<section class="admin-shell"><div class="container">' .
        '<div class="row">' .
        '<div class="col-lg-3 col-md-4 mb-3 mb-md-0">' . $nav . '</div>' .
        '<div class="col-lg-9 col-md-8">' .
        '<div class="admin-card mb-3"><div class="card-body d-flex align-items-center justify-content-between" style="gap:12px;">' .
        '<div><div class="admin-title">' . h($title) . '</div><div class="admin-subtitle">Quản trị nội dung website</div></div>' .
        '<div class="admin-actions d-flex align-items-center" style="gap:10px;"><a class="btn btn-outline-secondary btn-sm" href="/account">Tài khoản</a></div>' .
        '</div></div>' .
        $contentHtml .
        '</div>' .
        '</div>' .
        '</div></section>';

    renderLayoutPage($indexPath, $title, $mainHtml);
}

$requestUri = (string)($_SERVER['REQUEST_URI'] ?? '/');
$path = parse_url($requestUri, PHP_URL_PATH);
$path = normalizePath(is_string($path) ? $path : '/');
$method = strtoupper((string)($_SERVER['REQUEST_METHOD'] ?? 'GET'));

$sessionUser = getLoggedInUser();
if (is_array($sessionUser) && isset($sessionUser['email']) && is_string($sessionUser['email'])) {
    $users = loadUsers();
    $record = $users[strtolower($sessionUser['email'])] ?? null;
    if (is_array($record)) {
        $sessionUser['name'] = (string)($record['name'] ?? ($sessionUser['name'] ?? ''));
        $sessionUser['is_admin'] = !empty($record['is_admin']);
        setLoggedInUser($sessionUser);
    }
}

$redirectToAnchors = [
    '/gioi-thieu' => '/#about',
    '/xuong-san-xuat' => '/#about',
    '/tuyen-dung' => '/#contact',
    '/doi-tac' => '/#contact',
    '/lien-he' => '/#contact',
    '/linh-vuc' => '/#service',
];

if (isset($redirectToAnchors[$path])) {
    header('Location: ' . $redirectToAnchors[$path], true, 302);
    exit;
}

if ($path === '/search' && $method === 'GET') {
    $query = trim(isset($_GET['q']) ? (string)$_GET['q'] : '');
    $content = loadContent();
    $posts = is_array($content['posts']) ? $content['posts'] : [];
    $projects = is_array($content['projects']) ? $content['projects'] : [];

    $results = [];
    if ($query !== '') {
        $lower = function(string $s): string {
            if (function_exists('mb_strtolower')) {
                return (string)mb_strtolower($s, 'UTF-8');
            }
            return strtolower($s);
        };
        $contains = function(string $hay, string $needle): bool {
            if (function_exists('mb_strpos')) {
                return mb_strpos($hay, $needle, 0, 'UTF-8') !== false;
            }
            return strpos($hay, $needle) !== false;
        };

        $q = $lower($query);
        foreach ($posts as $slug => $post) {
            if (!is_array($post)) {
                continue;
            }
            $hay = $lower((string)($post['title'] ?? '') . ' ' . (string)($post['excerpt'] ?? '') . ' ' . (string)($post['content'] ?? ''));
            if ($contains($hay, $q)) {
                $results[] = [
                    'type' => 'post',
                    'slug' => (string)$slug,
                    'title' => (string)($post['title'] ?? ''),
                    'excerpt' => (string)($post['excerpt'] ?? ''),
                ];
            }
        }
        foreach ($projects as $slug => $project) {
            if (!is_array($project)) {
                continue;
            }
            $hay = $lower((string)($project['title'] ?? '') . ' ' . (string)($project['excerpt'] ?? '') . ' ' . (string)($project['content'] ?? ''));
            if ($contains($hay, $q)) {
                $results[] = [
                    'type' => 'project',
                    'slug' => (string)$slug,
                    'title' => (string)($project['title'] ?? ''),
                    'excerpt' => (string)($project['excerpt'] ?? ''),
                ];
            }
        }
    }

    $itemsHtml = '';
    foreach ($results as $r) {
        $href = $r['type'] === 'project' ? '/du-an/' . h($r['slug']) : '/' . h($r['slug']);
        $itemsHtml .=
            '<div class="card mb-3"><div class="card-body">' .
            '<div class="small text-muted mb-1">' . ($r['type'] === 'project' ? 'Dự án' : 'Tin tức') . '</div>' .
            '<h3 class="h5 mb-2"><a href="' . $href . '">' . h($r['title']) . '</a></h3>' .
            '<div>' . h($r['excerpt']) . '</div>' .
            '</div></div>';
    }

    $mainHtml =
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">Tìm kiếm</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Tìm kiếm</div>' .
        '</div></div></section>' .
        '<section style="padding:40px 0;"><div class="container">' .
        '<form class="mb-4" method="get" action="/search"><div class="input-group">' .
        '<input class="form-control" name="q" value="' . h($query) . '" placeholder="Nhập từ khóa...">' .
        '<div class="input-group-append"><button class="btn" type="submit" style="background:var(--mainColor);color:#fff;">Tìm</button></div>' .
        '</div></form>' .
        ($query === '' ? '<div class="alert alert-info">Nhập từ khóa để tìm kiếm.</div>' : '') .
        ($query !== '' && $itemsHtml === '' ? '<div class="alert alert-warning">Không tìm thấy kết quả phù hợp.</div>' : '') .
        $itemsHtml .
        '</div></section>';

    renderLayoutPage($indexPath, 'Tìm kiếm', $mainHtml);
}

if ($path === '/collections/all' || str_starts_with($path, '/collections')) {
    header('Location: /san-pham', true, 302);
    exit;
}

if ($path === '/san-pham' && $method === 'GET') {
    $store = loadContent();
    $products = is_array($store['products']) ? $store['products'] : [];
    $cards = '';
    foreach ($products as $slug => $product) {
        if (!is_array($product)) {
            continue;
        }
        $title = (string)($product['title'] ?? '');
        $excerpt = (string)($product['excerpt'] ?? '');
        $image = (string)($product['image'] ?? '');
        $price = (int)($product['price'] ?? 0);
        $priceText = $price > 0 ? number_format($price, 0, ',', '.') . '₫' : 'Liên hệ';
        $url = '/san-pham/' . (string)$slug;
        $imgHtml = $image !== '' ? '<img src="' . h($image) . '" alt="' . h($title) . '" style="width:100%;height:220px;object-fit:cover;border-radius:14px 14px 0 0;">' : '<div style="height:220px;background:#f2f2f2;border-radius:14px 14px 0 0;"></div>';

        $cards .=
            '<div class="col-lg-4 col-md-6 mb-4">' .
            '<div class="card" style="border-radius:14px;overflow:hidden;border:1px solid #eee;box-shadow:0 8px 26px rgba(0,0,0,.04);">' .
            $imgHtml .
            '<div class="card-body">' .
            '<div class="d-flex align-items-start justify-content-between" style="gap:12px;">' .
            '<div style="min-width:0;"><div style="font-weight:800;font-size:18px;line-height:1.3;"><a href="' . h($url) . '" style="color:var(--textColor);">' . h($title) . '</a></div>' .
            '<div class="text-muted small" style="margin-top:6px;">' . h($excerpt) . '</div></div>' .
            '<div style="font-weight:800;color:var(--mainColor);white-space:nowrap;">' . h($priceText) . '</div>' .
            '</div>' .
            '<form data-cart-form method="post" action="/cart/add.js" class="mt-3">' .
            '<input type="hidden" name="id" value="' . h((string)$slug) . '">' .
            '<input type="hidden" name="quantity" value="1">' .
            '<input type="hidden" name="price" value="' . h((string)$price) . '">' .
            '<input type="hidden" name="title" value="' . h($title) . '">' .
            '<input type="hidden" name="url" value="' . h($url) . '">' .
            '<input type="hidden" name="image" value="' . h($image) . '">' .
            '<button type="submit" class="btn btn_base fix_add_to_cart ajax_addtocart btn_add_cart btn-cart add_to_cart" style="width:100%;">Thêm vào giỏ</button>' .
            '</form>' .
            '</div>' .
            '</div>' .
            '</div>';
    }

    $mainHtml =
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">Sản phẩm</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Sản phẩm</div>' .
        '</div></div></section>' .
        '<section style="padding:50px 0;"><div class="container">' .
        '<div class="row">' .
        ($cards !== '' ? $cards : '<div class="col-12"><div class="alert alert-info">Chưa có sản phẩm.</div></div>') .
        '</div></div></section>';

    renderLayoutPage($indexPath, 'Sản phẩm', $mainHtml);
}

if (str_starts_with($path, '/san-pham/') && $method === 'GET') {
    $slug = trim(substr($path, strlen('/san-pham/')));
    $store = loadContent();
    $products = is_array($store['products']) ? $store['products'] : [];
    $product = $slug !== '' && isset($products[$slug]) && is_array($products[$slug]) ? $products[$slug] : null;
    if (!$product) {
        renderLayoutPage($indexPath, 'Không tìm thấy', '<section style="padding:60px 0;"><div class="container"><div class="alert alert-warning">Không tìm thấy sản phẩm.</div></div></section>');
    }

    $title = (string)($product['title'] ?? '');
    $excerpt = (string)($product['excerpt'] ?? '');
    $body = (string)($product['content'] ?? '');
    $image = (string)($product['image'] ?? '');
    $price = (int)($product['price'] ?? 0);
    $priceText = $price > 0 ? number_format($price, 0, ',', '.') . '₫' : 'Liên hệ';
    $url = '/san-pham/' . $slug;

    $imgHtml = $image !== '' ? '<img src="' . h($image) . '" alt="' . h($title) . '" style="width:100%;border-radius:14px;border:1px solid #eee;">' : '';

    $mainHtml =
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">' . h($title) . '</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; <a href="/san-pham" style="color:#fff;text-decoration:underline;">Sản phẩm</a></div>' .
        '</div></div></section>' .
        '<section style="padding:50px 0;"><div class="container">' .
        '<div class="row">' .
        '<div class="col-lg-5 mb-4">' . ($imgHtml !== '' ? $imgHtml : '<div style="height:360px;background:#f2f2f2;border-radius:14px;"></div>') . '</div>' .
        '<div class="col-lg-7">' .
        '<div class="card" style="border-radius:14px;border:1px solid #eee;box-shadow:0 8px 26px rgba(0,0,0,.04);"><div class="card-body">' .
        '<div class="h4 mb-2" style="font-weight:900;">' . h($title) . '</div>' .
        '<div class="text-muted mb-3">' . h($excerpt) . '</div>' .
        '<div style="font-weight:900;font-size:22px;color:var(--mainColor);" class="mb-3">' . h($priceText) . '</div>' .
        '<form data-cart-form method="post" action="/cart/add.js">' .
        '<input type="hidden" name="id" value="' . h((string)$slug) . '">' .
        '<input type="hidden" name="price" value="' . h((string)$price) . '">' .
        '<input type="hidden" name="title" value="' . h($title) . '">' .
        '<input type="hidden" name="url" value="' . h($url) . '">' .
        '<input type="hidden" name="image" value="' . h($image) . '">' .
        '<div class="d-flex align-items-center" style="gap:10px;">' .
        '<input class="form-control" style="max-width:120px;" type="number" name="quantity" value="1" min="1">' .
        '<button type="submit" class="btn btn_base fix_add_to_cart ajax_addtocart btn_add_cart btn-cart add_to_cart" style="flex:1;">Thêm vào giỏ</button>' .
        '</div>' .
        '</form>' .
        '</div></div>' .
        '</div>' .
        '</div>' .
        ($body !== '' ? '<div class="mt-4"><div class="card" style="border-radius:14px;border:1px solid #eee;"><div class="card-body"><div class="h5 mb-2" style="font-weight:900;">Mô tả</div><div style="white-space:pre-wrap;">' . h($body) . '</div></div></div></div>' : '') .
        '</div></section>';

    renderLayoutPage($indexPath, $title, $mainHtml);
}

if ($path === '/cart.js' && $method === 'GET') {
    jsonResponse(getCart());
}

if ($path === '/cart/clear.js' && $method === 'POST') {
    $cart = getCart();
    $cart['items'] = [];
    saveCart($cart);
    jsonResponse(getCart());
}

if ($path === '/cart/add.js' && $method === 'POST') {
    $id = (string)($_POST['id'] ?? '');
    if ($id === '') {
        jsonResponse(['message' => 'Missing id'], 400);
    }

    $quantity = (int)($_POST['quantity'] ?? 1);
    if ($quantity < 1) {
        $quantity = 1;
    }

    $price = (int)($_POST['price'] ?? 0);
    $title = trim((string)($_POST['title'] ?? ''));
    $image = trim((string)($_POST['image'] ?? ''));
    $url = trim((string)($_POST['url'] ?? ''));
    $image = $image !== '' ? $image : null;

    $cart = getCart();
    $found = false;
    foreach ($cart['items'] as $i => $item) {
        if ((string)($item['id'] ?? '') === $id) {
            $newQuantity = (int)($item['quantity'] ?? 0) + $quantity;
            $existingTitle = (string)($item['title'] ?? '');
            $existingImage = isset($item['image']) && is_string($item['image']) ? (string)$item['image'] : null;
            $existingUrl = (string)($item['url'] ?? '');
            $cart['items'][$i] = buildLineItem(
                $id,
                $newQuantity,
                (int)($item['price'] ?? $price),
                $title !== '' ? $title : $existingTitle,
                $image !== null ? $image : $existingImage,
                $url !== '' ? $url : $existingUrl
            );
            $found = true;
            break;
        }
    }

    if (!$found) {
        $cart['items'][] = buildLineItem($id, $quantity, $price, $title, $image, $url);
    }

    saveCart($cart);

    $cart = getCart();
    $lineItem = null;
    foreach ($cart['items'] as $item) {
        if ((string)($item['id'] ?? '') === $id) {
            $lineItem = $item;
            break;
        }
    }

    jsonResponse($lineItem ?? buildLineItem($id, $quantity, $price, $title, $image, $url));
}

if ($path === '/cart/change.js' && $method === 'POST') {
    $line = (int)($_POST['line'] ?? 0);
    $quantity = (int)($_POST['quantity'] ?? 0);

    $cart = getCart();
    $index = $line - 1;
    if ($index < 0 || $index >= count($cart['items'])) {
        jsonResponse(getCart());
    }

    if ($quantity <= 0) {
        array_splice($cart['items'], $index, 1);
    } else {
        $item = $cart['items'][$index];
        $id = (string)($item['id'] ?? '');
        $price = (int)($item['price'] ?? 0);
        $itemTitle = (string)($item['title'] ?? '');
        $itemImage = isset($item['image']) && is_string($item['image']) ? (string)$item['image'] : null;
        $itemUrl = (string)($item['url'] ?? '');
        $cart['items'][$index] = buildLineItem($id, $quantity, $price, $itemTitle, $itemImage, $itemUrl);
    }

    saveCart($cart);
    jsonResponse(getCart());
}

if ($path === '/cart' && $method === 'GET') {
    header('Location: /#', true, 302);
    exit;
}

if ($path === '/account/logout' && $method === 'GET') {
    logoutUser();
    header('Location: /', true, 302);
    exit;
}

if ($path === '/account' && $method === 'GET') {
    $user = getLoggedInUser();
    if (!$user) {
        header('Location: /account/login?ReturnUrl=%2Faccount', true, 302);
        exit;
    }

    $message = isset($_GET['message']) ? (string)$_GET['message'] : '';
    $error = isset($_GET['error']) ? (string)$_GET['error'] : '';
    $alert = $error !== '' ? '<div class="alert alert-danger" role="alert">' . h($error) . '</div>' : '';
    $info = $message !== '' ? '<div class="alert alert-success" role="alert">' . h($message) . '</div>' : '';

    $mainHtml =
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">Tài khoản của bạn</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Tài khoản</div>' .
        '</div></div></section>' .
        '<section style="padding:50px 0;"><div class="container">' .
        '<div class="row justify-content-center"><div class="col-lg-6 col-md-8">' .
        '<div class="card"><div class="card-body">' .
        $alert . $info .
        '<h2 class="h5 mb-3">Thông tin tài khoản</h2>' .
        '<div class="mb-2"><b>Email:</b> ' . h((string)($user['email'] ?? '')) . '</div>' .
        '<div class="mb-3"><b>Họ tên:</b> ' . h((string)($user['name'] ?? '')) . '</div>' .
        '<hr>' .
        '<h3 class="h6 mb-2" style="font-weight:900;">Cập nhật họ tên</h3>' .
        '<form method="post" action="/account/profile" class="mb-3">' .
        '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
        '<div class="form-group mb-2"><input class="form-control" name="name" type="text" value="' . h((string)($user['name'] ?? '')) . '" placeholder="Nhập họ tên" required></div>' .
        '<button type="submit" class="btn" style="background:#111;color:#fff;width:100%;">Lưu họ tên</button>' .
        '</form>' .
        '<h3 class="h6 mb-2" style="font-weight:900;">Đổi mật khẩu</h3>' .
        '<form method="post" action="/account/password" class="mb-3">' .
        '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
        '<div class="form-group mb-2"><input class="form-control" name="current_password" type="password" placeholder="Mật khẩu hiện tại" required></div>' .
        '<div class="form-group mb-2"><input class="form-control" name="new_password" type="password" placeholder="Mật khẩu mới (tối thiểu 6 ký tự)" required></div>' .
        '<div class="form-group mb-2"><input class="form-control" name="new_password_confirm" type="password" placeholder="Nhập lại mật khẩu mới" required></div>' .
        '<button type="submit" class="btn" style="background:var(--mainColor);color:#fff;width:100%;">Đổi mật khẩu</button>' .
        '</form>' .
        '<a class="btn" href="/account/logout" style="background:var(--mainColor);color:#fff;width:100%;">Đăng xuất</a>' .
        '</div></div>' .
        '</div></div></div></section>';

    renderLayoutPage($indexPath, 'Tài khoản', $mainHtml);
}

if ($path === '/account/profile' && $method === 'POST') {
    requireCsrfToken((string)($_POST['csrf'] ?? ''));
    requireLogin('/account');
    $session = getLoggedInUser();
    $email = is_array($session) ? strtolower(trim((string)($session['email'] ?? ''))) : '';
    if ($email === '') {
        logoutUser();
        header('Location: /account/login?ReturnUrl=%2Faccount', true, 302);
        exit;
    }

    $name = trim((string)($_POST['name'] ?? ''));
    if ($name === '') {
        header('Location: /account?error=' . rawurlencode('Vui lòng nhập họ tên'), true, 302);
        exit;
    }

    $users = loadUsers();
    if (!isset($users[$email]) || !is_array($users[$email])) {
        logoutUser();
        header('Location: /account/login?ReturnUrl=%2Faccount', true, 302);
        exit;
    }
    $users[$email]['name'] = $name;
    $users[$email]['updated_at'] = time();
    saveUsers($users);

    $session['name'] = $name;
    $session['is_admin'] = !empty($users[$email]['is_admin']);
    setLoggedInUser($session);

    header('Location: /account?message=' . rawurlencode('Đã cập nhật thông tin'), true, 302);
    exit;
}

if ($path === '/account/password' && $method === 'POST') {
    requireCsrfToken((string)($_POST['csrf'] ?? ''));
    requireLogin('/account');
    $session = getLoggedInUser();
    $email = is_array($session) ? strtolower(trim((string)($session['email'] ?? ''))) : '';
    if ($email === '') {
        logoutUser();
        header('Location: /account/login?ReturnUrl=%2Faccount', true, 302);
        exit;
    }

    $current = (string)($_POST['current_password'] ?? '');
    $new = (string)($_POST['new_password'] ?? '');
    $confirm = (string)($_POST['new_password_confirm'] ?? '');

    if ($new === '' || strlen($new) < 6) {
        header('Location: /account?error=' . rawurlencode('Mật khẩu mới phải từ 6 ký tự'), true, 302);
        exit;
    }
    if (!hash_equals($new, $confirm)) {
        header('Location: /account?error=' . rawurlencode('Mật khẩu nhập lại không khớp'), true, 302);
        exit;
    }

    $users = loadUsers();
    $u = $users[$email] ?? null;
    if (!is_array($u) || !isset($u['password_hash']) || !is_string($u['password_hash']) || !password_verify($current, $u['password_hash'])) {
        header('Location: /account?error=' . rawurlencode('Mật khẩu hiện tại không đúng'), true, 302);
        exit;
    }

    $users[$email]['password_hash'] = password_hash($new, PASSWORD_DEFAULT);
    $users[$email]['updated_at'] = time();
    saveUsers($users);

    header('Location: /account?message=' . rawurlencode('Đã đổi mật khẩu'), true, 302);
    exit;
}

if ($path === '/account/login' && $method === 'GET') {
    $returnUrl = sanitizeReturnUrl(isset($_GET['ReturnUrl']) ? (string)$_GET['ReturnUrl'] : '/account');
    $error = isset($_GET['error']) ? (string)$_GET['error'] : '';
    $message = isset($_GET['message']) ? (string)$_GET['message'] : '';
    $email = isset($_GET['email']) ? (string)$_GET['email'] : '';

    $alert = $error !== '' ? '<div class="alert alert-danger" role="alert">' . h($error) . '</div>' : '';
    $info = $message !== '' ? '<div class="alert alert-success" role="alert">' . h($message) . '</div>' : '';

    $authStyle =
        '<style>' .
        '.auth-shell{background:#f6f7fb;padding:50px 0;}' .
        '.auth-card{border:1px solid #eee;border-radius:16px;box-shadow:0 12px 34px rgba(0,0,0,.06);overflow:hidden;background:#fff;}' .
        '.auth-card .auth-head{padding:18px 18px 0;}' .
        '.auth-card .auth-title{font-weight:900;font-size:22px;margin:0;}' .
        '.auth-card .auth-sub{color:#666;margin-top:6px;}' .
        '.auth-card .auth-body{padding:18px;}' .
        '.auth-btn{background:var(--mainColor);color:#fff;width:100%;padding:12px 14px;font-weight:800;border-radius:12px;}' .
        '.auth-btn:hover{color:#fff;opacity:.95;}' .
        '.auth-link{color:var(--mainColor);font-weight:700;}' .
        '.auth-sep{display:flex;align-items:center;gap:10px;color:#888;font-size:12px;margin:14px 0;}' .
        '.auth-sep:before,.auth-sep:after{content:\"\";height:1px;background:#eee;flex:1;}' .
        '.auth-oauth{display:flex;gap:10px;}' .
        '.auth-oauth a{flex:1;border-radius:12px;padding:10px 12px;font-weight:800;text-align:center;border:1px solid #eee;color:var(--textColor);}' .
        '.auth-oauth a:hover{text-decoration:none;background:#fafafa;}' .
        '</style>';

    $mainHtml =
        $authStyle .
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">Đăng nhập tài khoản</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Đăng nhập tài khoản</div>' .
        '</div></div></section>' .
        '<section class="auth-shell"><div class="container">' .
        '<div class="row justify-content-center">' .
        '<div class="col-lg-5 col-md-7">' .
        '<div class="auth-card">' .
        '<div class="auth-head">' .
        '<div class="auth-title">Đăng nhập</div>' .
        '<div class="auth-sub">Chưa có tài khoản? <a class="auth-link" href="/account/register?ReturnUrl=' . h(rawurlencode($returnUrl)) . '">Đăng ký</a></div>' .
        '</div>' .
        '<div class="auth-body">' .
        $alert . $info .
        '<form method="post" action="/account/login">' .
        '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
        '<input type="hidden" name="ReturnUrl" value="' . h($returnUrl) . '">' .
        '<div class="form-group"><label class="mb-1" style="font-weight:800;">Email</label><input class="form-control" name="email" type="email" placeholder="Nhập email" value="' . h($email) . '" required></div>' .
        '<div class="form-group"><label class="mb-1" style="font-weight:800;">Mật khẩu</label><input class="form-control" name="password" type="password" placeholder="Nhập mật khẩu" required></div>' .
        '<button type="submit" class="btn auth-btn">Đăng nhập</button>' .
        '<div class="d-flex align-items-center justify-content-between mt-3" style="gap:10px;">' .
        '<a href="/account/recover">Quên mật khẩu?</a>' .
        '<a href="/account/register?ReturnUrl=' . h(rawurlencode($returnUrl)) . '" class="auth-link">Tạo tài khoản</a>' .
        '</div>' .
        '</form>' .
        '<div class="auth-sep">Hoặc</div>' .
        '<div class="auth-oauth">' .
        '<a href="#" onclick="return false;">Facebook</a>' .
        '<a href="#" onclick="return false;">Google</a>' .
        '</div>' .
        '</div>' .
        '</div>' .
        '</div>' .
        '</div>' .
        '</div></section>';

    renderLayoutPage($indexPath, 'Đăng nhập tài khoản', $mainHtml);
}

if ($path === '/account/login' && $method === 'POST') {
    requireCsrfToken((string)($_POST['csrf'] ?? ''));

    $returnUrl = sanitizeReturnUrl(isset($_POST['ReturnUrl']) ? (string)$_POST['ReturnUrl'] : '/account');
    $email = strtolower(trim((string)($_POST['email'] ?? '')));
    $password = (string)($_POST['password'] ?? '');

    if ($email === '' || $password === '') {
        header('Location: /account/login?error=' . rawurlencode('Vui lòng nhập đầy đủ thông tin') . '&email=' . rawurlencode($email) . '&ReturnUrl=' . rawurlencode($returnUrl), true, 302);
        exit;
    }

    $users = loadUsers();
    $user = $users[$email] ?? null;
    if (!is_array($user) || !isset($user['password_hash']) || !is_string($user['password_hash']) || !password_verify($password, $user['password_hash'])) {
        header('Location: /account/login?error=' . rawurlencode('Email hoặc mật khẩu không đúng') . '&email=' . rawurlencode($email) . '&ReturnUrl=' . rawurlencode($returnUrl), true, 302);
        exit;
    }

    setLoggedInUser([
        'id' => (string)($user['id'] ?? ''),
        'email' => (string)($user['email'] ?? $email),
        'name' => (string)($user['name'] ?? ''),
        'is_admin' => !empty($user['is_admin']),
    ]);

    header('Location: ' . $returnUrl, true, 302);
    exit;
}

if ($path === '/account/register' && $method === 'GET') {
    $returnUrl = sanitizeReturnUrl(isset($_GET['ReturnUrl']) ? (string)$_GET['ReturnUrl'] : '/account');
    $error = isset($_GET['error']) ? (string)$_GET['error'] : '';
    $email = isset($_GET['email']) ? (string)$_GET['email'] : '';
    $name = isset($_GET['name']) ? (string)$_GET['name'] : '';

    $alert = $error !== '' ? '<div class="alert alert-danger" role="alert">' . h($error) . '</div>' : '';

    $authStyle =
        '<style>' .
        '.auth-shell{background:#f6f7fb;padding:50px 0;}' .
        '.auth-card{border:1px solid #eee;border-radius:16px;box-shadow:0 12px 34px rgba(0,0,0,.06);overflow:hidden;background:#fff;}' .
        '.auth-card .auth-head{padding:18px 18px 0;}' .
        '.auth-card .auth-title{font-weight:900;font-size:22px;margin:0;}' .
        '.auth-card .auth-sub{color:#666;margin-top:6px;}' .
        '.auth-card .auth-body{padding:18px;}' .
        '.auth-btn{background:var(--mainColor);color:#fff;width:100%;padding:12px 14px;font-weight:800;border-radius:12px;}' .
        '.auth-btn:hover{color:#fff;opacity:.95;}' .
        '.auth-link{color:var(--mainColor);font-weight:700;}' .
        '</style>';

    $mainHtml =
        $authStyle .
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">Đăng ký tài khoản</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Đăng ký tài khoản</div>' .
        '</div></div></section>' .
        '<section class="auth-shell"><div class="container">' .
        '<div class="row justify-content-center">' .
        '<div class="col-lg-5 col-md-7">' .
        '<div class="auth-card">' .
        '<div class="auth-head">' .
        '<div class="auth-title">Tạo tài khoản</div>' .
        '<div class="auth-sub">Đã có tài khoản? <a class="auth-link" href="/account/login?ReturnUrl=' . h(rawurlencode($returnUrl)) . '">Đăng nhập</a></div>' .
        '</div>' .
        '<div class="auth-body">' .
        $alert .
        '<form method="post" action="/account/register">' .
        '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
        '<input type="hidden" name="ReturnUrl" value="' . h($returnUrl) . '">' .
        '<div class="form-group"><label class="mb-1" style="font-weight:800;">Họ và tên</label><input class="form-control" name="name" type="text" placeholder="Nhập họ tên" value="' . h($name) . '" required></div>' .
        '<div class="form-group"><label class="mb-1" style="font-weight:800;">Email</label><input class="form-control" name="email" type="email" placeholder="Nhập email" value="' . h($email) . '" required></div>' .
        '<div class="form-group"><label class="mb-1" style="font-weight:800;">Mật khẩu</label><input class="form-control" name="password" type="password" placeholder="Tối thiểu 6 ký tự" required></div>' .
        '<div class="form-group"><label class="mb-1" style="font-weight:800;">Nhập lại mật khẩu</label><input class="form-control" name="password_confirm" type="password" placeholder="Nhập lại mật khẩu" required></div>' .
        '<button type="submit" class="btn auth-btn">Đăng ký</button>' .
        '</form>' .
        '</div>' .
        '</div>' .
        '</div>' .
        '</div>' .
        '</div></section>';

    renderLayoutPage($indexPath, 'Đăng ký tài khoản', $mainHtml);
}

if ($path === '/account/register' && $method === 'POST') {
    requireCsrfToken((string)($_POST['csrf'] ?? ''));

    $returnUrl = sanitizeReturnUrl(isset($_POST['ReturnUrl']) ? (string)$_POST['ReturnUrl'] : '/account');
    $name = trim((string)($_POST['name'] ?? ''));
    $email = strtolower(trim((string)($_POST['email'] ?? '')));
    $password = (string)($_POST['password'] ?? '');
    $passwordConfirm = (string)($_POST['password_confirm'] ?? '');

    if ($name === '' || $email === '' || $password === '' || $passwordConfirm === '') {
        header('Location: /account/register?error=' . rawurlencode('Vui lòng nhập đầy đủ thông tin') . '&name=' . rawurlencode($name) . '&email=' . rawurlencode($email) . '&ReturnUrl=' . rawurlencode($returnUrl), true, 302);
        exit;
    }

    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        header('Location: /account/register?error=' . rawurlencode('Email không hợp lệ') . '&name=' . rawurlencode($name) . '&email=' . rawurlencode($email) . '&ReturnUrl=' . rawurlencode($returnUrl), true, 302);
        exit;
    }

    if (strlen($password) < 6) {
        header('Location: /account/register?error=' . rawurlencode('Mật khẩu phải từ 6 ký tự') . '&name=' . rawurlencode($name) . '&email=' . rawurlencode($email) . '&ReturnUrl=' . rawurlencode($returnUrl), true, 302);
        exit;
    }

    if (!hash_equals($password, $passwordConfirm)) {
        header('Location: /account/register?error=' . rawurlencode('Mật khẩu nhập lại không khớp') . '&name=' . rawurlencode($name) . '&email=' . rawurlencode($email) . '&ReturnUrl=' . rawurlencode($returnUrl), true, 302);
        exit;
    }

    $users = loadUsers();
    if (isset($users[$email])) {
        header('Location: /account/register?error=' . rawurlencode('Email đã được đăng ký') . '&name=' . rawurlencode($name) . '&email=' . rawurlencode($email) . '&ReturnUrl=' . rawurlencode($returnUrl), true, 302);
        exit;
    }

    $isAdmin = count($users) === 0;
    $id = bin2hex(random_bytes(16));
    $users[$email] = [
        'id' => $id,
        'email' => $email,
        'name' => $name,
        'password_hash' => password_hash($password, PASSWORD_DEFAULT),
        'is_admin' => $isAdmin,
        'created_at' => time(),
    ];
    saveUsers($users);

    setLoggedInUser([
        'id' => $id,
        'email' => $email,
        'name' => $name,
        'is_admin' => $isAdmin,
    ]);

    header('Location: ' . $returnUrl, true, 302);
    exit;
}

if ($path === '/account/recover' && $method === 'GET') {
    $error = isset($_GET['error']) ? (string)$_GET['error'] : '';
    $message = isset($_GET['message']) ? (string)$_GET['message'] : '';

    $alert = $error !== '' ? '<div class="alert alert-danger" role="alert">' . h($error) . '</div>' : '';
    $info = $message !== '' ? '<div class="alert alert-success" role="alert">' . h($message) . '</div>' : '';

    $mainHtml =
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">Quên mật khẩu</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Quên mật khẩu</div>' .
        '</div></div></section>' .
        '<section style="padding:50px 0;"><div class="container">' .
        '<div class="row justify-content-center"><div class="col-lg-4 col-md-6">' .
        $alert . $info .
        '<form method="post" action="/account/recover">' .
        '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
        '<div class="form-group"><input class="form-control" name="email" type="email" placeholder="Email" required></div>' .
        '<button type="submit" class="btn" style="background:var(--mainColor);color:#fff;width:100%;padding:10px 14px;font-weight:700;">Gửi yêu cầu</button>' .
        '<div class="text-center mt-2"><a href="/account/login">Quay lại đăng nhập</a></div>' .
        '</form>' .
        '</div></div></div></section>';

    renderLayoutPage($indexPath, 'Quên mật khẩu', $mainHtml);
}

if ($path === '/account/recover' && $method === 'POST') {
    requireCsrfToken((string)($_POST['csrf'] ?? ''));
    $email = strtolower(trim((string)($_POST['email'] ?? '')));
    if ($email === '' || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        header('Location: /account/recover?error=' . rawurlencode('Email không hợp lệ'), true, 302);
        exit;
    }

    $users = loadUsers();
    if (!isset($users[$email])) {
        header('Location: /account/recover?message=' . rawurlencode('Nếu email tồn tại, hệ thống đã ghi nhận yêu cầu.'), true, 302);
        exit;
    }

    $token = bin2hex(random_bytes(16));
    $_SESSION['password_reset'] = [
        'email' => $email,
        'token' => $token,
        'expires_at' => time() + 30 * 60,
    ];

    header('Location: /account/reset?token=' . rawurlencode($token), true, 302);
    exit;
}

if ($path === '/account/reset' && $method === 'GET') {
    $token = (string)($_GET['token'] ?? '');
    $error = isset($_GET['error']) ? (string)$_GET['error'] : '';
    $reset = $_SESSION['password_reset'] ?? null;
    if (!is_array($reset) || !isset($reset['token'], $reset['expires_at'], $reset['email']) || !is_string($reset['token']) || (int)$reset['expires_at'] < time() || !hash_equals($reset['token'], $token)) {
        header('Location: /account/recover?error=' . rawurlencode('Liên kết đặt lại mật khẩu không hợp lệ hoặc đã hết hạn'), true, 302);
        exit;
    }

    $alert = $error !== '' ? '<div class="alert alert-danger" role="alert">' . h($error) . '</div>' : '';

    $mainHtml =
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">Đặt lại mật khẩu</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Đặt lại mật khẩu</div>' .
        '</div></div></section>' .
        '<section style="padding:50px 0;"><div class="container">' .
        '<div class="row justify-content-center"><div class="col-lg-4 col-md-6">' .
        $alert .
        '<form method="post" action="/account/reset">' .
        '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
        '<input type="hidden" name="token" value="' . h($token) . '">' .
        '<div class="form-group"><input class="form-control" name="password" type="password" placeholder="Mật khẩu mới" required></div>' .
        '<div class="form-group"><input class="form-control" name="password_confirm" type="password" placeholder="Nhập lại mật khẩu" required></div>' .
        '<button type="submit" class="btn" style="background:var(--mainColor);color:#fff;width:100%;padding:10px 14px;font-weight:700;">Cập nhật mật khẩu</button>' .
        '</form>' .
        '</div></div></div></section>';

    renderLayoutPage($indexPath, 'Đặt lại mật khẩu', $mainHtml);
}

if ($path === '/account/reset' && $method === 'POST') {
    requireCsrfToken((string)($_POST['csrf'] ?? ''));
    $token = (string)($_POST['token'] ?? '');
    $password = (string)($_POST['password'] ?? '');
    $passwordConfirm = (string)($_POST['password_confirm'] ?? '');

    $reset = $_SESSION['password_reset'] ?? null;
    if (!is_array($reset) || !isset($reset['token'], $reset['expires_at'], $reset['email']) || !is_string($reset['token']) || (int)$reset['expires_at'] < time() || !hash_equals($reset['token'], $token)) {
        header('Location: /account/recover?error=' . rawurlencode('Liên kết đặt lại mật khẩu không hợp lệ hoặc đã hết hạn'), true, 302);
        exit;
    }

    if (strlen($password) < 6) {
        header('Location: /account/reset?token=' . rawurlencode($token) . '&error=' . rawurlencode('Mật khẩu phải từ 6 ký tự'), true, 302);
        exit;
    }

    if (!hash_equals($password, $passwordConfirm)) {
        header('Location: /account/reset?token=' . rawurlencode($token) . '&error=' . rawurlencode('Mật khẩu nhập lại không khớp'), true, 302);
        exit;
    }

    $email = (string)$reset['email'];
    $users = loadUsers();
    if (!isset($users[$email]) || !is_array($users[$email])) {
        header('Location: /account/recover?error=' . rawurlencode('Không tìm thấy tài khoản'), true, 302);
        exit;
    }

    $users[$email]['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    $users[$email]['updated_at'] = time();
    saveUsers($users);
    unset($_SESSION['password_reset']);

    header('Location: /account/login?message=' . rawurlencode('Cập nhật mật khẩu thành công. Vui lòng đăng nhập.'), true, 302);
    exit;
}

if (str_starts_with($path, '/admin')) {
    requireAdmin('/admin');

    $message = isset($_GET['message']) ? (string)$_GET['message'] : '';
    $error = isset($_GET['error']) ? (string)$_GET['error'] : '';
    $flash = '';
    if ($message !== '') {
        $flash .= '<div class="alert alert-success">' . h($message) . '</div>';
    }
    if ($error !== '') {
        $flash .= '<div class="alert alert-danger">' . h($error) . '</div>';
    }

    if ($path === '/admin' && $method === 'GET') {
        $content = loadContent();
        $users = loadUsers();
        $postCount = is_array($content['posts']) ? count($content['posts']) : 0;
        $productCount = is_array($content['products']) ? count($content['products']) : 0;
        $projectCount = is_array($content['projects']) ? count($content['projects']) : 0;
        $userCount = is_array($users) ? count($users) : 0;

        $html =
            $flash .
            '<div class="row">' .
            '<div class="col-md-3 mb-3"><div class="card admin-card"><div class="card-body"><div class="h6 mb-1 text-muted">Tin tức</div><div style="font-size:32px;font-weight:800;">' . $postCount . '</div><a href="/admin/posts">Quản lý</a></div></div></div>' .
            '<div class="col-md-3 mb-3"><div class="card admin-card"><div class="card-body"><div class="h6 mb-1 text-muted">Sản phẩm</div><div style="font-size:32px;font-weight:800;">' . $productCount . '</div><a href="/admin/products">Quản lý</a></div></div></div>' .
            '<div class="col-md-3 mb-3"><div class="card admin-card"><div class="card-body"><div class="h6 mb-1 text-muted">Dự án</div><div style="font-size:32px;font-weight:800;">' . $projectCount . '</div><a href="/admin/projects">Quản lý</a></div></div></div>' .
            '<div class="col-md-3 mb-3"><div class="card admin-card"><div class="card-body"><div class="h6 mb-1 text-muted">Tài khoản</div><div style="font-size:32px;font-weight:800;">' . $userCount . '</div><a href="/admin/users">Quản lý</a></div></div></div>' .
            '</div>';

        renderAdminPage($indexPath, 'Admin', 'dashboard', $html);
    }

    if ($path === '/admin/posts' && $method === 'GET') {
        $content = loadContent();
        $posts = is_array($content['posts']) ? $content['posts'] : [];

        $rows = '';
        foreach ($posts as $slug => $post) {
            if (!is_array($post)) {
                continue;
            }
            $title = (string)($post['title'] ?? '');
            $excerpt = (string)($post['excerpt'] ?? '');
            $updatedAt = isset($post['updated_at']) ? (int)$post['updated_at'] : 0;
            $updatedText = $updatedAt > 0 ? date('d/m/Y H:i', $updatedAt) : '';
            $rows .=
                '<tr>' .
                '<td style="width:220px;"><a href="/' . h((string)$slug) . '" target="_blank">/' . h((string)$slug) . '</a></td>' .
                '<td><b>' . h($title) . '</b><div class="text-muted small">' . h($excerpt) . '</div></td>' .
                '<td style="width:160px;" class="text-muted small">' . h($updatedText) . '</td>' .
                '<td style="width:180px;">' .
                '<a class="btn btn-sm btn-outline-secondary mr-2" href="/' . h((string)$slug) . '" target="_blank">Xem</a>' .
                '<a class="btn btn-sm btn-outline-primary mr-2" href="/admin/posts/edit?slug=' . h((string)$slug) . '">Sửa</a>' .
                '<form method="post" action="/admin/posts/delete" style="display:inline;">' .
                '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
                '<input type="hidden" name="slug" value="' . h((string)$slug) . '">' .
                '<button class="btn btn-sm btn-outline-danger" type="submit">Xóa</button>' .
                '</form>' .
                '</td>' .
                '</tr>';
        }

        $html =
            $flash .
            '<div class="d-flex align-items-center justify-content-between mb-3">' .
            '<div class="h4 mb-0">Tin tức</div>' .
            '<a class="btn" style="background:var(--mainColor);color:#fff;" href="/admin/posts/new">Thêm bài</a>' .
            '</div>' .
            '<div class="card"><div class="card-body p-0">' .
            '<table class="table mb-0"><thead><tr><th>Slug</th><th>Tiêu đề</th><th>Cập nhật</th><th></th></tr></thead><tbody>' .
            ($rows !== '' ? $rows : '<tr><td colspan="4" class="text-center p-4 text-muted">Chưa có bài viết</td></tr>') .
            '</tbody></table>' .
            '</div></div>';

        renderAdminPage($indexPath, 'Quản lý tin tức', 'posts', $html);
    }

    if (($path === '/admin/posts/new' || $path === '/admin/posts/edit') && $method === 'GET') {
        $isEdit = $path === '/admin/posts/edit';
        $slug = $isEdit ? (string)($_GET['slug'] ?? '') : '';
        $contentStore = loadContent();
        $post = $isEdit && $slug !== '' && isset($contentStore['posts'][$slug]) && is_array($contentStore['posts'][$slug]) ? $contentStore['posts'][$slug] : [];

        if ($isEdit && $slug === '') {
            header('Location: /admin/posts?error=' . rawurlencode('Thiếu slug'), true, 302);
            exit;
        }
        if ($isEdit && $slug !== '' && $post === []) {
            header('Location: /admin/posts?error=' . rawurlencode('Không tìm thấy bài viết'), true, 302);
            exit;
        }

        $title = (string)($post['title'] ?? '');
        $excerpt = (string)($post['excerpt'] ?? '');
        $body = (string)($post['content'] ?? '');
        $image = (string)($post['image'] ?? '');
        $formSlug = $isEdit ? $slug : (string)($post['slug'] ?? '');

        $editorStyle =
            '<style>' .
            '.post-form-grid{display:grid;grid-template-columns:1fr;gap:14px;}' .
            '@media (min-width:992px){.post-form-grid{grid-template-columns:1fr 340px;}}' .
            '.editor-toolbar{display:flex;flex-wrap:wrap;gap:8px;padding:10px;border:1px solid #eee;border-radius:14px;background:#fbfbfd;}' .
            '.editor-toolbar button{border:1px solid #eee;background:#fff;border-radius:10px;padding:6px 10px;font-weight:800;}' .
            '.editor-toolbar button:hover{background:#fff7ec;border-color:#ffd8a8;}' .
            '.admin-editor{min-height:360px;border:1px solid #eee;border-radius:14px;padding:12px;background:#fff;box-shadow:0 8px 26px rgba(0,0,0,.04);}' .
            '.admin-editor:focus{outline:0;border-color:#ffd1a0;box-shadow:0 0 0 4px rgba(255,122,0,.12);}' .
            '.meta-card{border:1px solid #eee;border-radius:14px;box-shadow:0 8px 26px rgba(0,0,0,.04);background:#fff;}' .
            '.meta-card .meta-body{padding:14px;}' .
            '.meta-title{font-weight:900;margin-bottom:10px;}' .
            '.img-preview{width:100%;border-radius:14px;border:1px solid #eee;overflow:hidden;background:#f2f2f2;}' .
            '.img-preview img{width:100%;height:auto;display:block;}' .
            '</style>';

        $editorScript =
            '<script>' .
            '(function(){' .
            'var form=document.getElementById("post-form");' .
            'var title=document.getElementById("post-title");' .
            'var slug=document.getElementById("post-slug");' .
            'var textarea=document.getElementById("post-content");' .
            'var editor=document.getElementById("post-editor");' .
            'var touched=false;' .
            'if(slug){slug.addEventListener("input",function(){touched=true;});}' .
            'function slugify(str){' .
            'str=(str||"").toString().trim().toLowerCase();' .
            'try{str=str.normalize("NFD").replace(/[\\u0300-\\u036f]/g,"");}catch(e){}' .
            'str=str.replace(/[^a-z0-9]+/g,"-").replace(/^-+|-+$/g,"").replace(/-+/g,"-");' .
            'return str;' .
            '}' .
            'if(title&&slug){title.addEventListener("input",function(){if(!touched&&(!slug.value||slug.value.trim()==="")){slug.value=slugify(title.value);}});}' .
            'function sanitizeStyle(style){' .
            'if(!style) return "";' .
            'var allow={"text-align":1,"color":1,"background-color":1,"font-weight":1,"font-style":1,"text-decoration":1};' .
            'var out=[];' .
            'style.split(";").forEach(function(part){' .
            'var p=part.split(":");if(p.length<2) return;' .
            'var k=p[0].trim().toLowerCase();var v=p.slice(1).join(":").trim();' .
            'if(!k||!v) return;' .
            'if(allow[k]) out.push(k+":"+v);' .
            '});' .
            'return out.join(";");' .
            '}' .
            'function sanitizeHtml(html){' .
            'try{' .
            'var doc=new DOMParser().parseFromString(html||"","text/html");' .
            'Array.from(doc.querySelectorAll("script,style")).forEach(function(n){n.remove();});' .
            'Array.from(doc.querySelectorAll("*")).forEach(function(el){' .
            'Array.from(el.attributes).forEach(function(a){' .
            'var name=a.name.toLowerCase();var val=a.value||"";' .
            'if(name.startsWith("on")) el.removeAttribute(a.name);' .
            'if(name==="href"||name==="src"){if(/^\\s*javascript:/i.test(val)) el.removeAttribute(a.name);}' .
            'if(name==="style"){el.setAttribute("style",sanitizeStyle(val));}' .
            'if(name!=="href"&&name!=="src"&&name!=="alt"&&name!=="title"&&name!=="style"&&name!=="target"&&name!=="rel"){if(name!=="class") el.removeAttribute(a.name);}' .
            '});' .
            '});' .
            'return doc.body.innerHTML;' .
            '}catch(e){return html||"";}' .
            '}' .
            'function exec(cmd,val){document.execCommand(cmd,false,val||null);editor&&editor.focus();}' .
            'if(editor&&textarea){editor.innerHTML=textarea.value||"";}' .
            'if(editor){editor.addEventListener("paste",function(e){' .
            'var cd=e.clipboardData||window.clipboardData; if(!cd) return;' .
            'var html=cd.getData("text/html"); var text=cd.getData("text/plain");' .
            'if(html){e.preventDefault();exec("insertHTML",sanitizeHtml(html));return;}' .
            'if(text){e.preventDefault();exec("insertText",text);}' .
            '});}' .
            'var tb=document.getElementById("editor-toolbar");' .
            'if(tb){tb.addEventListener("click",function(e){' .
            'var btn=e.target.closest("button"); if(!btn) return;' .
            'e.preventDefault();' .
            'var action=btn.getAttribute("data-action")||"";' .
            'if(action==="link"){var url=prompt("Nhập link (https://...)"); if(url) exec("createLink",url); return;}' .
            'if(action==="image"){var iurl=prompt("Nhập URL ảnh"); if(iurl){iurl=iurl.replace(/\"/g,""); exec("insertHTML","<p><img src=\\\""+iurl+"\\\" alt=\\\"\\\"></p>");} return;}' .
            'if(action==="h2"){exec("formatBlock","H2");return;}' .
            'if(action==="h3"){exec("formatBlock","H3");return;}' .
            'if(action==="p"){exec("formatBlock","P");return;}' .
            'if(action){exec(action);}' .
            '});}' .
            'if(form&&textarea&&editor){form.addEventListener("submit",function(){textarea.value=sanitizeHtml(editor.innerHTML||\"\");});}' .
            '})();' .
            '</script>';

        $imagePreview = $image !== '' ? '<div class="img-preview mb-2"><img src="' . h($image) . '" alt=""></div>' : '';

        $html =
            $flash .
            $editorStyle .
            '<form id="post-form" method="post" action="/admin/posts/save" enctype="multipart/form-data">' .
            '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
            '<input type="hidden" name="original_slug" value="' . h($isEdit ? $slug : '') . '">' .
            '<div class="post-form-grid">' .
            '<div>' .
            '<div class="card admin-card mb-3"><div class="card-body">' .
            '<div class="form-group mb-3"><label style="font-weight:900;">Tiêu đề</label><input id="post-title" class="form-control" name="title" value="' . h($title) . '" required></div>' .
            '<div class="editor-toolbar" id="editor-toolbar">' .
            '<button type="button" data-action="bold"><b>B</b></button>' .
            '<button type="button" data-action="italic"><i>I</i></button>' .
            '<button type="button" data-action="underline"><u>U</u></button>' .
            '<button type="button" data-action="strikeThrough"><s>S</s></button>' .
            '<button type="button" data-action="insertUnorderedList">• List</button>' .
            '<button type="button" data-action="insertOrderedList">1. List</button>' .
            '<button type="button" data-action="h2">H2</button>' .
            '<button type="button" data-action="h3">H3</button>' .
            '<button type="button" data-action="p">P</button>' .
            '<button type="button" data-action="link">Link</button>' .
            '<button type="button" data-action="unlink">Unlink</button>' .
            '<button type="button" data-action="image">Ảnh</button>' .
            '<button type="button" data-action="removeFormat">Clear</button>' .
            '</div>' .
            '<textarea id="post-content" name="content" style="display:none;">' . h($body) . '</textarea>' .
            '<div id="post-editor" class="admin-editor" contenteditable="true"></div>' .
            '<div class="d-flex align-items-center justify-content-between mt-3" style="gap:10px;">' .
            '<div class="text-muted small">Gợi ý: có thể dán trực tiếp nội dung từ Word vào ô soạn thảo.</div>' .
            '<div class="d-flex" style="gap:10px;">' .
            '<button class="btn btn-primary" type="submit" name="submit_action" value="save">Lưu</button>' .
            '<button class="btn btn-outline-primary" type="submit" name="submit_action" value="save_view">Lưu & xem</button>' .
            '<a class="btn btn-outline-secondary" href="/admin/posts">Hủy</a>' .
            '</div>' .
            '</div>' .
            '</div></div>' .
            '</div>' .
            '<div>' .
            '<div class="meta-card mb-3"><div class="meta-body">' .
            '<div class="meta-title">Thiết lập</div>' .
            '<div class="form-group"><label style="font-weight:900;">Slug</label><input id="post-slug" class="form-control" name="slug" value="' . h($formSlug) . '" placeholder="tu-dong-tao-neu-bo-trong"></div>' .
            '<div class="form-group mb-0"><label style="font-weight:900;">Mô tả ngắn</label><textarea class="form-control" name="excerpt" rows="4">' . h($excerpt) . '</textarea></div>' .
            '</div></div>' .
            '<div class="meta-card"><div class="meta-body">' .
            '<div class="meta-title">Ảnh đại diện</div>' .
            $imagePreview .
            '<div class="form-group"><label style="font-weight:900;">URL ảnh</label><input class="form-control" name="image_url" value="' . h($image) . '" placeholder="/uploads/... hoặc https://..."></div>' .
            '<div class="form-group mb-0"><label style="font-weight:900;">Upload</label><input class="form-control" type="file" name="image_file" accept="image/*"></div>' .
            '</div></div>' .
            '</div>' .
            '</div>' .
            $editorScript .
            '</form>';

        renderAdminPage($indexPath, $isEdit ? 'Sửa bài viết' : 'Thêm bài viết', 'posts', $html);
    }

    if ($path === '/admin/posts/save' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $title = trim((string)($_POST['title'] ?? ''));
        $slugInput = trim((string)($_POST['slug'] ?? ''));
        $originalSlug = trim((string)($_POST['original_slug'] ?? ''));
        $excerpt = trim((string)($_POST['excerpt'] ?? ''));
        $body = sanitizeRichHtml((string)($_POST['content'] ?? ''));
        $imageUrl = trim((string)($_POST['image_url'] ?? ''));
        $uploaded = handleUpload('image_file');
        $submitAction = (string)($_POST['submit_action'] ?? 'save');

        if ($title === '') {
            header('Location: /admin/posts?error=' . rawurlencode('Tiêu đề không được để trống'), true, 302);
            exit;
        }

        $slug = $slugInput !== '' ? slugify($slugInput) : slugify($title);
        if ($slug === '') {
            header('Location: /admin/posts?error=' . rawurlencode('Không tạo được slug'), true, 302);
            exit;
        }

        $store = loadContent();
        if (!is_array($store['posts'])) {
            $store['posts'] = [];
        }

        if ($originalSlug !== '' && $originalSlug !== $slug && isset($store['posts'][$slug])) {
            header('Location: /admin/posts?error=' . rawurlencode('Slug đã tồn tại'), true, 302);
            exit;
        }
        if ($originalSlug === '' && isset($store['posts'][$slug])) {
            header('Location: /admin/posts?error=' . rawurlencode('Slug đã tồn tại'), true, 302);
            exit;
        }

        $now = time();
        $image = $uploaded !== null ? $uploaded : $imageUrl;
        $existing = $originalSlug !== '' && isset($store['posts'][$originalSlug]) && is_array($store['posts'][$originalSlug]) ? $store['posts'][$originalSlug] : [];
        $createdAt = isset($existing['created_at']) ? (int)$existing['created_at'] : $now;

        $record = [
            'slug' => $slug,
            'title' => $title,
            'excerpt' => $excerpt,
            'content' => $body,
            'image' => $image,
            'created_at' => $createdAt,
            'updated_at' => $now,
        ];

        if ($originalSlug !== '' && $originalSlug !== $slug) {
            unset($store['posts'][$originalSlug]);
        }
        $store['posts'][$slug] = $record;
        saveContent($store);

        if ($submitAction === 'save_view') {
            header('Location: /' . $slug, true, 302);
            exit;
        }
        header('Location: /admin/posts?message=' . rawurlencode('Đã lưu bài viết'), true, 302);
        exit;
    }

    if ($path === '/admin/posts/delete' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $slug = trim((string)($_POST['slug'] ?? ''));
        $store = loadContent();
        if ($slug !== '' && isset($store['posts'][$slug])) {
            unset($store['posts'][$slug]);
            saveContent($store);
        }
        header('Location: /admin/posts?message=' . rawurlencode('Đã xóa bài viết'), true, 302);
        exit;
    }

    if ($path === '/admin/products' && $method === 'GET') {
        $content = loadContent();
        $products = is_array($content['products']) ? $content['products'] : [];

        $rows = '';
        foreach ($products as $slug => $product) {
            if (!is_array($product)) {
                continue;
            }
            $title = (string)($product['title'] ?? '');
            $excerpt = (string)($product['excerpt'] ?? '');
            $price = (int)($product['price'] ?? 0);
            $priceText = $price > 0 ? number_format($price, 0, ',', '.') . '₫' : '';
            $rows .=
                '<tr>' .
                '<td style="width:240px;"><a href="/san-pham/' . h((string)$slug) . '" target="_blank">/san-pham/' . h((string)$slug) . '</a></td>' .
                '<td><b>' . h($title) . '</b><div class="text-muted small">' . h($excerpt) . '</div></td>' .
                '<td style="width:140px;">' . h($priceText) . '</td>' .
                '<td style="width:180px;">' .
                '<a class="btn btn-sm btn-outline-primary mr-2" href="/admin/products/edit?slug=' . h((string)$slug) . '">Sửa</a>' .
                '<form method="post" action="/admin/products/delete" style="display:inline;">' .
                '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
                '<input type="hidden" name="slug" value="' . h((string)$slug) . '">' .
                '<button class="btn btn-sm btn-outline-danger" type="submit">Xóa</button>' .
                '</form>' .
                '</td>' .
                '</tr>';
        }

        $html =
            $flash .
            '<div class="d-flex align-items-center justify-content-between mb-3" style="gap:12px;">' .
            '<div class="h4 mb-0">Sản phẩm</div>' .
            '<a class="btn btn-primary" href="/admin/products/new">+ Thêm sản phẩm</a>' .
            '</div>' .
            '<div class="card"><div class="card-body p-0">' .
            '<table class="table mb-0"><thead><tr><th>URL</th><th>Tiêu đề</th><th>Giá</th><th></th></tr></thead><tbody>' .
            ($rows !== '' ? $rows : '<tr><td colspan="4" class="text-center p-4 text-muted">Chưa có sản phẩm</td></tr>') .
            '</tbody></table>' .
            '</div></div>';

        renderAdminPage($indexPath, 'Quản lý sản phẩm', 'products', $html);
    }

    if (($path === '/admin/products/new' || $path === '/admin/products/edit') && $method === 'GET') {
        $slug = trim((string)($_GET['slug'] ?? ''));
        $content = loadContent();
        $products = is_array($content['products']) ? $content['products'] : [];
        $product = $slug !== '' && isset($products[$slug]) && is_array($products[$slug]) ? $products[$slug] : [];

        $titleVal = (string)($product['title'] ?? '');
        $slugVal = $slug !== '' ? (string)$slug : '';
        $excerptVal = (string)($product['excerpt'] ?? '');
        $bodyVal = (string)($product['content'] ?? '');
        $imageVal = (string)($product['image'] ?? '');
        $priceVal = (string)($product['price'] ?? '');

        $preview = $imageVal !== '' ? '<div class="mb-2"><img src="' . h($imageVal) . '" alt="" style="max-width:220px;border-radius:12px;border:1px solid #eee;"></div>' : '';

        $html =
            $flash .
            '<div class="h4 mb-3">' . ($path === '/admin/products/new' ? 'Thêm sản phẩm' : 'Sửa sản phẩm') . '</div>' .
            '<div class="card"><div class="card-body">' .
            '<form method="post" action="/admin/products/save" enctype="multipart/form-data">' .
            '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
            '<input type="hidden" name="original_slug" value="' . h($slugVal) . '">' .
            '<div class="form-group"><label>Tiêu đề</label><input class="form-control" name="title" value="' . h($titleVal) . '" required></div>' .
            '<div class="form-group"><label>Slug (URL)</label><input class="form-control" name="slug" value="' . h($slugVal) . '" placeholder="tu-dong-tao-neu-bo-trong"></div>' .
            '<div class="form-group"><label>Giá (VNĐ)</label><input class="form-control" name="price" value="' . h($priceVal) . '" inputmode="numeric" placeholder="VD: 1200000"></div>' .
            '<div class="form-group"><label>Mô tả ngắn</label><textarea class="form-control" name="excerpt" rows="3">' . h($excerptVal) . '</textarea></div>' .
            '<div class="form-group"><label>Nội dung</label><textarea class="form-control" name="content" rows="8">' . h($bodyVal) . '</textarea></div>' .
            '<div class="form-group"><label>Ảnh (URL)</label><input class="form-control" name="image" value="' . h($imageVal) . '" placeholder="/uploads/.... hoặc https://..."></div>' .
            $preview .
            '<div class="form-group"><label>Upload ảnh</label><input class="form-control" type="file" name="image_upload" accept="image/*"></div>' .
            '<div class="d-flex" style="gap:10px;">' .
            '<button class="btn btn-primary" type="submit">Lưu</button>' .
            '<a class="btn btn-outline-secondary" href="/admin/products">Hủy</a>' .
            '</div>' .
            '</form>' .
            '</div></div>';

        renderAdminPage($indexPath, $path === '/admin/products/new' ? 'Thêm sản phẩm' : 'Sửa sản phẩm', 'products', $html);
    }

    if ($path === '/admin/products/save' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $title = trim((string)($_POST['title'] ?? ''));
        $slug = trim((string)($_POST['slug'] ?? ''));
        $originalSlug = trim((string)($_POST['original_slug'] ?? ''));
        $excerpt = trim((string)($_POST['excerpt'] ?? ''));
        $body = trim((string)($_POST['content'] ?? ''));
        $image = trim((string)($_POST['image'] ?? ''));
        $priceRaw = preg_replace('/[^0-9]/', '', (string)($_POST['price'] ?? '')) ?? '';
        $price = $priceRaw !== '' ? (int)$priceRaw : 0;

        if ($title === '') {
            header('Location: /admin/products?error=' . rawurlencode('Tiêu đề là bắt buộc'), true, 302);
            exit;
        }

        if ($slug === '') {
            $slug = slugify($title);
        } else {
            $slug = slugify($slug);
        }

        if ($slug === '') {
            header('Location: /admin/products?error=' . rawurlencode('Slug không hợp lệ'), true, 302);
            exit;
        }

        $upload = handleUpload('image_upload');
        $uploadAttempted = isset($_FILES['image_upload']) && is_array($_FILES['image_upload']) && isset($_FILES['image_upload']['error']) && (int)$_FILES['image_upload']['error'] !== UPLOAD_ERR_NO_FILE;
        if ($uploadAttempted && $upload === null) {
            $target = $originalSlug !== '' ? ('/admin/products/edit?slug=' . rawurlencode($originalSlug)) : '/admin/products/new';
            $join = str_contains($target, '?') ? '&' : '?';
            header('Location: ' . $target . $join . 'error=' . rawurlencode('Upload ảnh thất bại. Vui lòng dùng ảnh JPG/PNG/GIF/WEBP và dung lượng <= 10MB.'), true, 302);
            exit;
        }
        if (is_string($upload) && $upload !== '') {
            $image = $upload;
        }

        $store = loadContent();
        if (!isset($store['products']) || !is_array($store['products'])) {
            $store['products'] = [];
        }

        $existing = isset($store['products'][$slug]) && is_array($store['products'][$slug]) ? $store['products'][$slug] : [];
        $createdAt = isset($existing['created_at']) ? (int)$existing['created_at'] : time();
        $now = time();

        $record = [
            'title' => $title,
            'excerpt' => $excerpt,
            'content' => $body,
            'image' => $image,
            'price' => $price,
            'created_at' => $createdAt,
            'updated_at' => $now,
        ];

        if ($originalSlug !== '' && $originalSlug !== $slug) {
            unset($store['products'][$originalSlug]);
        }
        $store['products'][$slug] = $record;
        saveContent($store);

        header('Location: /admin/products?message=' . rawurlencode('Đã lưu sản phẩm'), true, 302);
        exit;
    }

    if ($path === '/admin/products/delete' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $slug = trim((string)($_POST['slug'] ?? ''));
        $store = loadContent();
        if ($slug !== '' && isset($store['products'][$slug])) {
            unset($store['products'][$slug]);
            saveContent($store);
        }
        header('Location: /admin/products?message=' . rawurlencode('Đã xóa sản phẩm'), true, 302);
        exit;
    }

    if ($path === '/admin/projects' && $method === 'GET') {
        $content = loadContent();
        $projects = is_array($content['projects']) ? $content['projects'] : [];

        $rows = '';
        foreach ($projects as $slug => $project) {
            if (!is_array($project)) {
                continue;
            }
            $title = (string)($project['title'] ?? '');
            $excerpt = (string)($project['excerpt'] ?? '');
            $rows .=
                '<tr>' .
                '<td style="width:220px;"><a href="/du-an/' . h((string)$slug) . '" target="_blank">/du-an/' . h((string)$slug) . '</a></td>' .
                '<td><b>' . h($title) . '</b><div class="text-muted small">' . h($excerpt) . '</div></td>' .
                '<td style="width:180px;">' .
                '<a class="btn btn-sm btn-outline-primary mr-2" href="/admin/projects/edit?slug=' . h((string)$slug) . '">Sửa</a>' .
                '<form method="post" action="/admin/projects/delete" style="display:inline;">' .
                '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
                '<input type="hidden" name="slug" value="' . h((string)$slug) . '">' .
                '<button class="btn btn-sm btn-outline-danger" type="submit">Xóa</button>' .
                '</form>' .
                '</td>' .
                '</tr>';
        }

        $html =
            $flash .
            '<div class="d-flex align-items-center justify-content-between mb-3">' .
            '<div class="h4 mb-0">Dự án</div>' .
            '<a class="btn" style="background:var(--mainColor);color:#fff;" href="/admin/projects/new">Thêm dự án</a>' .
            '</div>' .
            '<div class="card"><div class="card-body p-0">' .
            '<table class="table mb-0"><thead><tr><th>Slug</th><th>Tiêu đề</th><th></th></tr></thead><tbody>' .
            ($rows !== '' ? $rows : '<tr><td colspan="3" class="text-center p-4 text-muted">Chưa có dự án</td></tr>') .
            '</tbody></table>' .
            '</div></div>';

        renderAdminPage($indexPath, 'Quản lý dự án', 'projects', $html);
    }

    if (($path === '/admin/projects/new' || $path === '/admin/projects/edit') && $method === 'GET') {
        $isEdit = $path === '/admin/projects/edit';
        $slug = $isEdit ? (string)($_GET['slug'] ?? '') : '';
        $contentStore = loadContent();
        $project = $isEdit && $slug !== '' && isset($contentStore['projects'][$slug]) && is_array($contentStore['projects'][$slug]) ? $contentStore['projects'][$slug] : [];

        if ($isEdit && $slug === '') {
            header('Location: /admin/projects?error=' . rawurlencode('Thiếu slug'), true, 302);
            exit;
        }
        if ($isEdit && $slug !== '' && $project === []) {
            header('Location: /admin/projects?error=' . rawurlencode('Không tìm thấy dự án'), true, 302);
            exit;
        }

        $title = (string)($project['title'] ?? '');
        $excerpt = (string)($project['excerpt'] ?? '');
        $body = (string)($project['content'] ?? '');
        $image = (string)($project['image'] ?? '');
        $formSlug = $isEdit ? $slug : (string)($project['slug'] ?? '');

        $html =
            $flash .
            '<div class="card"><div class="card-body">' .
            '<form method="post" action="/admin/projects/save" enctype="multipart/form-data">' .
            '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
            '<input type="hidden" name="original_slug" value="' . h($isEdit ? $slug : '') . '">' .
            '<div class="form-group"><label>Tiêu đề</label><input class="form-control" name="title" value="' . h($title) . '" required></div>' .
            '<div class="form-group"><label>Slug (để trống sẽ tự tạo)</label><input class="form-control" name="slug" value="' . h($formSlug) . '"></div>' .
            '<div class="form-group"><label>Mô tả ngắn</label><textarea class="form-control" name="excerpt" rows="2">' . h($excerpt) . '</textarea></div>' .
            '<div class="form-group"><label>Ảnh (URL)</label><input class="form-control" name="image_url" value="' . h($image) . '"></div>' .
            '<div class="form-group"><label>Ảnh (upload)</label><input class="form-control" type="file" name="image_file" accept="image/*"></div>' .
            '<div class="form-group"><label>Nội dung (HTML)</label><textarea class="form-control" name="content" rows="10">' . h($body) . '</textarea></div>' .
            '<button class="btn" type="submit" style="background:var(--mainColor);color:#fff;">Lưu</button> ' .
            '<a class="btn btn-outline-secondary" href="/admin/projects">Hủy</a>' .
            '</form>' .
            '</div></div>';

        renderAdminPage($indexPath, $isEdit ? 'Sửa dự án' : 'Thêm dự án', 'projects', $html);
    }

    if ($path === '/admin/projects/save' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $title = trim((string)($_POST['title'] ?? ''));
        $slugInput = trim((string)($_POST['slug'] ?? ''));
        $originalSlug = trim((string)($_POST['original_slug'] ?? ''));
        $excerpt = trim((string)($_POST['excerpt'] ?? ''));
        $body = (string)($_POST['content'] ?? '');
        $imageUrl = trim((string)($_POST['image_url'] ?? ''));
        $uploaded = handleUpload('image_file');

        if ($title === '') {
            header('Location: /admin/projects?error=' . rawurlencode('Tiêu đề không được để trống'), true, 302);
            exit;
        }

        $slug = $slugInput !== '' ? slugify($slugInput) : slugify($title);
        if ($slug === '') {
            header('Location: /admin/projects?error=' . rawurlencode('Không tạo được slug'), true, 302);
            exit;
        }

        $store = loadContent();
        if (!is_array($store['projects'])) {
            $store['projects'] = [];
        }

        if ($originalSlug !== '' && $originalSlug !== $slug && isset($store['projects'][$slug])) {
            header('Location: /admin/projects?error=' . rawurlencode('Slug đã tồn tại'), true, 302);
            exit;
        }
        if ($originalSlug === '' && isset($store['projects'][$slug])) {
            header('Location: /admin/projects?error=' . rawurlencode('Slug đã tồn tại'), true, 302);
            exit;
        }

        $now = time();
        $image = $uploaded !== null ? $uploaded : $imageUrl;
        $existing = $originalSlug !== '' && isset($store['projects'][$originalSlug]) && is_array($store['projects'][$originalSlug]) ? $store['projects'][$originalSlug] : [];
        $createdAt = isset($existing['created_at']) ? (int)$existing['created_at'] : $now;

        $record = [
            'slug' => $slug,
            'title' => $title,
            'excerpt' => $excerpt,
            'content' => $body,
            'image' => $image,
            'created_at' => $createdAt,
            'updated_at' => $now,
        ];

        if ($originalSlug !== '' && $originalSlug !== $slug) {
            unset($store['projects'][$originalSlug]);
        }
        $store['projects'][$slug] = $record;
        saveContent($store);

        header('Location: /admin/projects?message=' . rawurlencode('Đã lưu dự án'), true, 302);
        exit;
    }

    if ($path === '/admin/projects/delete' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $slug = trim((string)($_POST['slug'] ?? ''));
        $store = loadContent();
        if ($slug !== '' && isset($store['projects'][$slug])) {
            unset($store['projects'][$slug]);
            saveContent($store);
        }
        header('Location: /admin/projects?message=' . rawurlencode('Đã xóa dự án'), true, 302);
        exit;
    }

    if ($path === '/admin/users' && $method === 'GET') {
        $users = loadUsers();
        $rows = '';
        foreach ($users as $email => $user) {
            if (!is_array($user)) {
                continue;
            }
            $isAdmin = !empty($user['is_admin']);
            $rows .= '<tr>' .
                '<td>' . h((string)($user['name'] ?? '')) . '</td>' .
                '<td>' . h((string)$email) . '</td>' .
                '<td>' . ($isAdmin ? '<span class="badge badge-success">Admin</span>' : '<span class="badge badge-secondary">User</span>') . '</td>' .
                '<td style="width:360px;">' .
                '<form method="post" action="/admin/users/role" style="display:inline;">' .
                '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
                '<input type="hidden" name="email" value="' . h((string)$email) . '">' .
                '<input type="hidden" name="action" value="' . ($isAdmin ? 'demote' : 'promote') . '">' .
                '<button class="btn btn-sm btn-outline-primary mr-2" type="submit">' . ($isAdmin ? 'Bỏ admin' : 'Làm admin') . '</button>' .
                '</form>' .
                '<form method="post" action="/admin/users/reset-password" style="display:inline;">' .
                '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
                '<input type="hidden" name="email" value="' . h((string)$email) . '">' .
                '<input class="form-control form-control-sm d-inline-block mr-2" style="width:160px;" name="new_password" placeholder="Mật khẩu mới" minlength="6" required>' .
                '<button class="btn btn-sm btn-outline-secondary mr-2" type="submit">Đổi MK</button>' .
                '</form>' .
                '<form method="post" action="/admin/users/delete" style="display:inline;">' .
                '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
                '<input type="hidden" name="email" value="' . h((string)$email) . '">' .
                '<button class="btn btn-sm btn-outline-danger" type="submit">Xóa</button>' .
                '</form>' .
                '</td>' .
                '</tr>';
        }

        $html =
            $flash .
            '<div class="h4 mb-3">Tài khoản</div>' .
            '<div class="card"><div class="card-body p-0">' .
            '<table class="table mb-0"><thead><tr><th>Họ tên</th><th>Email</th><th>Quyền</th><th></th></tr></thead><tbody>' .
            ($rows !== '' ? $rows : '<tr><td colspan="4" class="text-center p-4 text-muted">Chưa có tài khoản</td></tr>') .
            '</tbody></table>' .
            '</div></div>';

        renderAdminPage($indexPath, 'Quản lý tài khoản', 'users', $html);
    }

    if ($path === '/admin/users/role' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $email = strtolower(trim((string)($_POST['email'] ?? '')));
        $action = (string)($_POST['action'] ?? '');
        $users = loadUsers();
        if (!isset($users[$email]) || !is_array($users[$email])) {
            header('Location: /admin/users?error=' . rawurlencode('Không tìm thấy tài khoản'), true, 302);
            exit;
        }
        if ($action === 'promote') {
            $users[$email]['is_admin'] = true;
        } elseif ($action === 'demote') {
            $users[$email]['is_admin'] = false;
        }
        saveUsers($users);
        header('Location: /admin/users?message=' . rawurlencode('Đã cập nhật quyền'), true, 302);
        exit;
    }

    if ($path === '/admin/users/reset-password' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $email = strtolower(trim((string)($_POST['email'] ?? '')));
        $newPassword = (string)($_POST['new_password'] ?? '');
        if (strlen($newPassword) < 6) {
            header('Location: /admin/users?error=' . rawurlencode('Mật khẩu phải từ 6 ký tự'), true, 302);
            exit;
        }
        $users = loadUsers();
        if (!isset($users[$email]) || !is_array($users[$email])) {
            header('Location: /admin/users?error=' . rawurlencode('Không tìm thấy tài khoản'), true, 302);
            exit;
        }
        $users[$email]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
        $users[$email]['updated_at'] = time();
        saveUsers($users);
        header('Location: /admin/users?message=' . rawurlencode('Đã đổi mật khẩu'), true, 302);
        exit;
    }

    if ($path === '/admin/users/delete' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));
        $email = strtolower(trim((string)($_POST['email'] ?? '')));
        $session = getLoggedInUser();
        $selfEmail = is_array($session) ? strtolower((string)($session['email'] ?? '')) : '';
        if ($email !== '' && $email === $selfEmail) {
            header('Location: /admin/users?error=' . rawurlencode('Không thể xóa tài khoản đang đăng nhập'), true, 302);
            exit;
        }
        $users = loadUsers();
        if ($email !== '' && isset($users[$email])) {
            unset($users[$email]);
            saveUsers($users);
        }
        header('Location: /admin/users?message=' . rawurlencode('Đã xóa tài khoản'), true, 302);
        exit;
    }

    if ($path === '/admin/settings' && $method === 'GET') {
        $s = getSiteSettings();

        $html =
            $flash .
            '<div class="h4 mb-3">Cài đặt website</div>' .
            '<div class="card"><div class="card-body">' .
            '<form method="post" action="/admin/settings/save">' .
            '<input type="hidden" name="csrf" value="' . h(getCsrfToken()) . '">' .
            '<div class="row">' .
            '<div class="col-md-6">' .
            '<div class="form-group"><label>Tên công ty</label><input class="form-control" name="company_name" value="' . h((string)($s['company_name'] ?? '')) . '"></div>' .
            '<div class="form-group"><label>Địa chỉ</label><input class="form-control" name="address" value="' . h((string)($s['address'] ?? '')) . '"></div>' .
            '<div class="form-group"><label>Email</label><input class="form-control" name="email" value="' . h((string)($s['email'] ?? '')) . '"></div>' .
            '<div class="form-group"><label>Số điện thoại</label><input class="form-control" name="phone" value="' . h((string)($s['phone'] ?? '')) . '"></div>' .
            '</div>' .
            '<div class="col-md-6">' .
            '<div class="form-group"><label>Giới thiệu - tiêu đề nhỏ</label><input class="form-control" name="about_top_title" value="' . h((string)($s['about_top_title'] ?? '')) . '"></div>' .
            '<div class="form-group"><label>Giới thiệu - tiêu đề</label><input class="form-control" name="about_title" value="' . h((string)($s['about_title'] ?? '')) . '"></div>' .
            '<div class="form-group"><label>Giới thiệu - nội dung</label><textarea class="form-control" rows="6" name="about_desc">' . h((string)($s['about_desc'] ?? '')) . '</textarea></div>' .
            '</div>' .
            '</div>' .
            '<hr>' .
            '<div class="row">' .
            '<div class="col-md-6">' .
            '<div class="form-group"><label>Footer - DỊCH VỤ (HTML &lt;li&gt;...&lt;/li&gt;)</label><textarea class="form-control" rows="6" name="footer_services_html">' . h((string)($s['footer_services_html'] ?? '')) . '</textarea></div>' .
            '<div class="form-group"><label>Footer - Dự án tiêu biểu (HTML &lt;li&gt;...&lt;/li&gt;)</label><textarea class="form-control" rows="6" name="footer_projects_html">' . h((string)($s['footer_projects_html'] ?? '')) . '</textarea></div>' .
            '</div>' .
            '<div class="col-md-6">' .
            '<div class="form-group"><label>Footer - Tiêu đề đăng ký tư vấn</label><input class="form-control" name="newsletter_title" value="' . h((string)($s['newsletter_title'] ?? '')) . '"></div>' .
            '<div class="form-group"><label>Footer - Mô tả đăng ký tư vấn</label><input class="form-control" name="newsletter_subtitle" value="' . h((string)($s['newsletter_subtitle'] ?? '')) . '"></div>' .
            '<div class="form-group"><label>Footer - Placeholder</label><input class="form-control" name="newsletter_placeholder" value="' . h((string)($s['newsletter_placeholder'] ?? '')) . '"></div>' .
            '<div class="form-group"><label>Footer - Nút</label><input class="form-control" name="newsletter_button" value="' . h((string)($s['newsletter_button'] ?? '')) . '"></div>' .
            '<div class="form-group"><label>Footer - Copyright (HTML)</label><textarea class="form-control" rows="5" name="copyright_html">' . h((string)($s['copyright_html'] ?? '')) . '</textarea></div>' .
            '</div>' .
            '</div>' .
            '<div class="d-flex" style="gap:10px;">' .
            '<button class="btn btn-primary" type="submit">Lưu cài đặt</button>' .
            '<a class="btn btn-outline-secondary" href="/admin">Quay lại</a>' .
            '</div>' .
            '</form>' .
            '</div></div>';

        renderAdminPage($indexPath, 'Cài đặt', 'settings', $html);
    }

    if ($path === '/admin/settings/save' && $method === 'POST') {
        requireCsrfToken((string)($_POST['csrf'] ?? ''));

        $store = loadContent();
        if (!isset($store['settings']) || !is_array($store['settings'])) {
            $store['settings'] = [];
        }

        $keys = [
            'company_name',
            'address',
            'email',
            'phone',
            'about_top_title',
            'about_title',
            'about_desc',
            'footer_services_html',
            'footer_projects_html',
            'newsletter_title',
            'newsletter_subtitle',
            'newsletter_placeholder',
            'newsletter_button',
            'copyright_html',
        ];

        foreach ($keys as $k) {
            $store['settings'][$k] = trim((string)($_POST[$k] ?? ''));
        }

        saveContent($store);
        header('Location: /admin/settings?message=' . rawurlencode('Đã lưu cài đặt'), true, 302);
        exit;
    }

    header('Location: /admin', true, 302);
    exit;
}

if ($path === '/tin-tuc' && $method === 'GET') {
    $store = loadContent();
    $posts = is_array($store['posts']) ? $store['posts'] : [];
    $items = [];
    foreach ($posts as $slug => $post) {
        if (!is_array($post)) {
            continue;
        }
        $items[] = ['slug' => (string)$slug] + $post;
    }
    usort($items, function(array $a, array $b): int {
        return (int)($b['updated_at'] ?? 0) <=> (int)($a['updated_at'] ?? 0);
    });

    $cards = '';
    foreach ($items as $p) {
        $img = (string)($p['image'] ?? '');
        $cards .=
            '<div class="card mb-3"><div class="row no-gutters">' .
            '<div class="col-md-4">' .
            ($img !== '' ? '<img class="img-fluid" src="' . h($img) . '" alt="' . h((string)($p['title'] ?? '')) . '">' : '') .
            '</div>' .
            '<div class="col-md-8"><div class="card-body">' .
            '<h3 class="h5"><a href="/' . h((string)($p['slug'] ?? '')) . '">' . h((string)($p['title'] ?? '')) . '</a></h3>' .
            '<div>' . h((string)($p['excerpt'] ?? '')) . '</div>' .
            '</div></div>' .
            '</div></div>';
    }

    $mainHtml =
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">Tin tức</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Tin tức</div>' .
        '</div></div></section>' .
        '<section style="padding:40px 0;"><div class="container">' .
        ($cards !== '' ? $cards : '<div class="alert alert-info">Chưa có bài viết.</div>') .
        '</div></section>';

    renderLayoutPage($indexPath, 'Tin tức', $mainHtml);
}

if (in_array($path, ['/du-an-tieu-bieu', '/du-an-da-thi-cong', '/du-an-dang-thi-cong'], true) && $method === 'GET') {
    $store = loadContent();
    $projects = is_array($store['projects']) ? $store['projects'] : [];
    $items = [];
    foreach ($projects as $slug => $project) {
        if (!is_array($project)) {
            continue;
        }
        $items[] = ['slug' => (string)$slug] + $project;
    }
    usort($items, function(array $a, array $b): int {
        return (int)($b['updated_at'] ?? 0) <=> (int)($a['updated_at'] ?? 0);
    });

    $cards = '';
    foreach ($items as $p) {
        $img = (string)($p['image'] ?? '');
        $cards .=
            '<div class="card mb-3"><div class="row no-gutters">' .
            '<div class="col-md-4">' .
            ($img !== '' ? '<img class="img-fluid" src="' . h($img) . '" alt="' . h((string)($p['title'] ?? '')) . '">' : '') .
            '</div>' .
            '<div class="col-md-8"><div class="card-body">' .
            '<h3 class="h5"><a href="/du-an/' . h((string)($p['slug'] ?? '')) . '">' . h((string)($p['title'] ?? '')) . '</a></h3>' .
            '<div>' . h((string)($p['excerpt'] ?? '')) . '</div>' .
            '</div></div>' .
            '</div></div>';
    }

    $mainHtml =
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">Dự án</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Dự án</div>' .
        '</div></div></section>' .
        '<section style="padding:40px 0;"><div class="container">' .
        ($cards !== '' ? $cards : '<div class="alert alert-info">Chưa có dự án.</div>') .
        '</div></section>';

    renderLayoutPage($indexPath, 'Dự án', $mainHtml);
}

if (preg_match('#^/du-an/([a-z0-9-]+)$#', $path, $m) && $method === 'GET') {
    $slug = (string)$m[1];
    $store = loadContent();
    $projects = is_array($store['projects']) ? $store['projects'] : [];
    $project = isset($projects[$slug]) && is_array($projects[$slug]) ? $projects[$slug] : null;
    if (!$project) {
        http_response_code(404);
        renderLayoutPage($indexPath, 'Không tìm thấy', '<section style="padding:60px 0;"><div class="container"><div class="alert alert-warning">Không tìm thấy dự án.</div></div></section>');
    }
    $img = (string)($project['image'] ?? '');
    $mainHtml =
        '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
        '<div class="container"><div class="text-center" style="color:#fff;">' .
        '<h1 style="font-size:34px;margin-bottom:10px;">' . h((string)($project['title'] ?? '')) . '</h1>' .
        '<div>Trang chủ &nbsp;/&nbsp; Dự án</div>' .
        '</div></div></section>' .
        '<section style="padding:40px 0;"><div class="container">' .
        ($img !== '' ? '<div class="mb-3"><img class="img-fluid" src="' . h($img) . '" alt="' . h((string)($project['title'] ?? '')) . '"></div>' : '') .
        '<div>' . (string)($project['content'] ?? '') . '</div>' .
        '</div></section>';
    renderLayoutPage($indexPath, (string)($project['title'] ?? 'Dự án'), $mainHtml);
}

if (preg_match('#^/([a-z0-9-]+)$#', $path, $m) && $method === 'GET') {
    $slug = (string)$m[1];
    $store = loadContent();
    $posts = is_array($store['posts']) ? $store['posts'] : [];
    $post = isset($posts[$slug]) && is_array($posts[$slug]) ? $posts[$slug] : null;
    if ($post) {
        $img = (string)($post['image'] ?? '');
        $mainHtml =
            '<section style="background-image:url(\'/bizweb.dktcdn.net/100/333/150/themes/960392/assets/background_banner.jpg\');background-size:cover;background-position:center;padding:70px 0;">' .
            '<div class="container"><div class="text-center" style="color:#fff;">' .
            '<h1 style="font-size:34px;margin-bottom:10px;">' . h((string)($post['title'] ?? '')) . '</h1>' .
            '<div>Trang chủ &nbsp;/&nbsp; Tin tức</div>' .
            '</div></div></section>' .
            '<section style="padding:40px 0;"><div class="container">' .
            ($img !== '' ? '<div class="mb-3"><img class="img-fluid" src="' . h($img) . '" alt="' . h((string)($post['title'] ?? '')) . '"></div>' : '') .
            '<div>' . (string)($post['content'] ?? '') . '</div>' .
            '</div></section>';
        renderLayoutPage($indexPath, (string)($post['title'] ?? 'Tin tức'), $mainHtml);
    }
}

if ($path !== '/' && $method === 'GET') {
    http_response_code(404);
    renderLayoutPage($indexPath, 'Không tìm thấy', '<section style="padding:60px 0;"><div class="container"><div class="alert alert-warning">Trang không tồn tại.</div></div></section>');
}

header('Content-Type: text/html; charset=UTF-8');
renderHomePage($indexPath);