install.php

<?php

declare(strict_types=1);

session_start();

const MINI_CMS_INSTALLER_VERSION = '0.2.0-beta';

$projectRoot = @realpath(__DIR__) ?: __DIR__;
$publicPath = $projectRoot.DIRECTORY_SEPARATOR.'public';
$lockPath = $projectRoot.DIRECTORY_SEPARATOR.'storage'.DIRECTORY_SEPARATOR.'app'.DIRECTORY_SEPARATOR.'installed.lock';
$rootInstallerPath = $projectRoot.DIRECTORY_SEPARATOR.'install.php';
$publicInstallerPath = $publicPath.DIRECTORY_SEPARATOR.'install.php';
$installerSupportPath = $projectRoot.DIRECTORY_SEPARATOR.'installer'.DIRECTORY_SEPARATOR.'InstallerUrl.php';
$installerSupportDir = $projectRoot.DIRECTORY_SEPARATOR.'installer';

require_once $installerSupportPath;

if (! isset($_SESSION['mini_cms_installer_token'])) {
    $_SESSION['mini_cms_installer_token'] = bin2hex(random_bytes(24));
}

$token = $_SESSION['mini_cms_installer_token'];
$action = (string) ($_POST['action'] ?? $_GET['action'] ?? '');
$state = installer_state($projectRoot, $publicPath, $lockPath);

if ($action === 'delete_installer') {
    verify_token($token);
    render_delete_result(delete_installer_files([$rootInstallerPath, $publicInstallerPath, $installerSupportPath], [$installerSupportDir]), $state);
    exit;
}

if ($action === 'emergency_protection') {
    verify_token($token);
    render_emergency_protection_result(write_emergency_htaccess($projectRoot), $state);
    exit;
}

if ($action === 'diagnostics') {
    render_diagnostics($state, $token);
    exit;
}

if (is_file($lockPath)) {
    render_already_installed($state, $token);
    exit;
}

if ($action === 'install') {
    verify_token($token);
    render_install_result(handle_install($projectRoot, $publicPath, $lockPath, $state), $state, $token);
    exit;
}

render_wizard($state, $token);

function verify_token(string $token): void
{
    if (! hash_equals($token, (string) ($_POST['_token'] ?? ''))) {
        render_page('Security check failed', '<div class="alert danger">The installer session token is invalid. Refresh the installer and try again.</div>');
        exit;
    }
}

function installer_state(string $projectRoot, string $publicPath, string $lockPath): array
{
    $docRoot = @realpath((string) ($_SERVER['DOCUMENT_ROOT'] ?? '')) ?: '';
    $scriptFile = @realpath((string) ($_SERVER['SCRIPT_FILENAME'] ?? '')) ?: '';
    $defaultDbPath = $projectRoot.DIRECTORY_SEPARATOR.'database'.DIRECTORY_SEPARATOR.'database.sqlite';
    $requiredExtensions = ['pdo', 'pdo_sqlite', 'sqlite3', 'mbstring', 'openssl', 'tokenizer', 'xml', 'ctype', 'json', 'fileinfo'];
    $optionalExtensions = ['curl', 'zip'];
    $envPath = $projectRoot.DIRECTORY_SEPARATOR.'.env';
    $envContent = is_file($envPath) ? (string) file_get_contents($envPath) : '';
    $appKeyPresent = env_value($envContent, 'APP_KEY') !== '';
    $requiredLaravelPaths = required_laravel_paths($projectRoot, $publicPath, $defaultDbPath);
    $openBasedir = (string) ini_get('open_basedir');
    $openBasedirDiagnostics = open_basedir_diagnostics($requiredLaravelPaths, $openBasedir);
    $publicExposure = public_exposure_checks(guessed_app_url());
    $hestia = hestia_context($projectRoot, $publicPath, $docRoot);
    $composerAvailable = shell_command_available('composer');

    $checks = [];
    $checks[] = check_item('PHP version', version_compare(PHP_VERSION, '8.3.0', '>='), 'Current: '.PHP_VERSION, 'PHP 8.3 or newer is required.');

    foreach ($requiredExtensions as $extension) {
        $checks[] = check_item("PHP extension: {$extension}", extension_loaded($extension), extension_loaded($extension) ? 'Enabled' : 'Missing', "Ask your host to enable {$extension}.");
    }

    foreach ($optionalExtensions as $extension) {
        $checks[] = check_item("Optional PHP extension: {$extension}", extension_loaded($extension), extension_loaded($extension) ? 'Enabled' : 'Optional but recommended', "{$extension} is useful on some hosts but not required for the default SQLite install.", false);
    }

    foreach (writable_install_paths($projectRoot, $publicPath) as $label => $path) {
        $checks[] = check_item("Writable: {$label}", path_writable($path), path_writable($path) ? 'Writable' : 'Not writable', "Set permissions to 775/755 as appropriate or ask hosting support to make {$label} writable.");
    }

    $vendorExists = is_file($projectRoot.DIRECTORY_SEPARATOR.'vendor'.DIRECTORY_SEPARATOR.'autoload.php');
    $checks[] = check_item(
        'vendor/autoload.php',
        $vendorExists || $composerAvailable,
        $vendorExists ? 'Required file exists' : ($composerAvailable ? 'Missing, but Composer command appears available' : 'Missing and Composer not available'),
        'Use the installable ZIP with vendor included, or run composer install before using the installer.',
        ! $vendorExists && ! $composerAvailable,
    );
    $checks[] = check_item('artisan', is_file($projectRoot.DIRECTORY_SEPARATOR.'artisan'), 'Laravel console entry exists', 'The project upload appears incomplete.');
    $checks[] = check_item('public/build/manifest.json', is_file($publicPath.DIRECTORY_SEPARATOR.'build'.DIRECTORY_SEPARATOR.'manifest.json'), 'Built frontend assets found', 'Use the installable ZIP, or run npm ci && npm run build before production install.');
    $checks[] = check_item('public/index.php', is_file($publicPath.DIRECTORY_SEPARATOR.'index.php'), 'Laravel public front controller found', 'The public directory appears incomplete.');
    $checks[] = check_item('database/migrations', is_dir($projectRoot.DIRECTORY_SEPARATOR.'database'.DIRECTORY_SEPARATOR.'migrations'), 'Migration files are present', 'The release package is incomplete. Upload the full project package.');
    $checks[] = check_item('APP_KEY', $appKeyPresent, $appKeyPresent ? 'Present' : 'Missing; installer will generate it', 'The installer can generate APP_KEY during setup.', false);
    $checks[] = check_item('SQLite database outside public', ! path_inside($defaultDbPath, $publicPath), 'Default database path is safe', 'Move database.sqlite outside the public web root.');
    $checks[] = check_item('Installer lock', ! is_file($lockPath), 'Not installed yet', 'Installer is locked because the CMS is already installed.');

    foreach ($openBasedirDiagnostics as $diagnostic) {
        if (! $diagnostic['inside']) {
            $checks[] = check_item(
                'open_basedir: '.$diagnostic['label'],
                false,
                'Blocked by PHP open_basedir',
                'Ask hosting support to add the Laravel project root to open_basedir, not only public/.',
            );
        }
    }

    foreach ($publicExposure as $exposure) {
        if ($exposure['dangerous']) {
            $checks[] = check_item(
                'Public exposure: '.$exposure['path'],
                false,
                'HTTP '.$exposure['status'].' exposes a private file',
                'Set the document root to public/ and use Emergency Protection until the server is fixed.',
            );
        }
    }

    $docRootLooksPublic = same_path($docRoot, $publicPath);
    $docRootLooksProject = same_path($docRoot, $projectRoot);
    $detectedBasePath = MiniCmsInstallerUrl::scriptBasePath((string) ($_SERVER['SCRIPT_NAME'] ?? $_SERVER['PHP_SELF'] ?? ''));
    $docRootWarning = $docRootLooksPublic
        ? 'Your site appears to be served from Laravel /public.'
        : 'Your hosting does not appear to use Laravel /public as the document root. The full project root may be web-accessible, including .env or database files if the server is not configured to block them. Recommended fix: point the domain document root to project/public.';

    return [
        'project_root' => $projectRoot,
        'public_path' => $publicPath,
        'lock_path' => $lockPath,
        'default_db_path' => $defaultDbPath,
        'doc_root' => $docRoot,
        'script_file' => $scriptFile,
        'doc_root_is_public' => $docRootLooksPublic,
        'doc_root_is_project' => $docRootLooksProject,
        'doc_root_warning' => $docRootWarning,
        'detected_base_path' => $detectedBasePath === '' ? '/' : $detectedBasePath,
        'shell_available' => shell_available(),
        'composer_available' => $composerAvailable,
        'can_bootstrap_laravel' => is_file($projectRoot.DIRECTORY_SEPARATOR.'vendor'.DIRECTORY_SEPARATOR.'autoload.php') && is_file($projectRoot.DIRECTORY_SEPARATOR.'bootstrap'.DIRECTORY_SEPARATOR.'app.php'),
        'has_build' => is_file($publicPath.DIRECTORY_SEPARATOR.'build'.DIRECTORY_SEPARATOR.'manifest.json'),
        'open_basedir' => $openBasedir,
        'open_basedir_diagnostics' => $openBasedirDiagnostics,
        'public_exposure' => $publicExposure,
        'hestia' => $hestia,
        'app_key_present' => $appKeyPresent,
        'writable_paths' => writable_install_paths($projectRoot, $publicPath),
        'required_paths' => $requiredLaravelPaths,
        'checks' => $checks,
        'critical_ok' => ! in_array(false, array_map(fn (array $check): bool => $check['ok'] || ! $check['critical'], $checks), true),
    ];
}

function check_item(string $label, bool $ok, string $detail, string $fix, bool $critical = true): array
{
    return compact('label', 'ok', 'detail', 'fix', 'critical');
}

function writable_install_paths(string $projectRoot, string $publicPath): array
{
    return [
        '.env or project root' => is_file($projectRoot.DIRECTORY_SEPARATOR.'.env') ? $projectRoot.DIRECTORY_SEPARATOR.'.env' : $projectRoot,
        'database/' => $projectRoot.DIRECTORY_SEPARATOR.'database',
        'storage/' => $projectRoot.DIRECTORY_SEPARATOR.'storage',
        'storage/app/' => $projectRoot.DIRECTORY_SEPARATOR.'storage'.DIRECTORY_SEPARATOR.'app',
        'storage/app/public/' => $projectRoot.DIRECTORY_SEPARATOR.'storage'.DIRECTORY_SEPARATOR.'app'.DIRECTORY_SEPARATOR.'public',
        'storage/framework/' => $projectRoot.DIRECTORY_SEPARATOR.'storage'.DIRECTORY_SEPARATOR.'framework',
        'storage/logs/' => $projectRoot.DIRECTORY_SEPARATOR.'storage'.DIRECTORY_SEPARATOR.'logs',
        'bootstrap/cache/' => $projectRoot.DIRECTORY_SEPARATOR.'bootstrap'.DIRECTORY_SEPARATOR.'cache',
        'public/' => $publicPath,
    ];
}

function required_laravel_paths(string $projectRoot, string $publicPath, string $defaultDbPath): array
{
    return [
        'project root' => $projectRoot,
        'vendor/autoload.php' => $projectRoot.DIRECTORY_SEPARATOR.'vendor'.DIRECTORY_SEPARATOR.'autoload.php',
        'storage/' => $projectRoot.DIRECTORY_SEPARATOR.'storage',
        'bootstrap/cache/' => $projectRoot.DIRECTORY_SEPARATOR.'bootstrap'.DIRECTORY_SEPARATOR.'cache',
        'database/' => $projectRoot.DIRECTORY_SEPARATOR.'database',
        'public/' => $publicPath,
        '.env' => $projectRoot.DIRECTORY_SEPARATOR.'.env',
        'database/database.sqlite' => $defaultDbPath,
    ];
}

function open_basedir_diagnostics(array $paths, string $openBasedir): array
{
    $allowed = open_basedir_paths($openBasedir);

    return collect_array($paths, function (string $path, string $label) use ($allowed, $openBasedir): array {
        $exists = @file_exists($path);
        $inside = $openBasedir === '' || path_allowed_by_open_basedir($path, $allowed);
        $writable = path_writable($path);
        $status = $inside
            ? ($openBasedir === '' ? 'No open_basedir restriction' : 'Allowed')
            : 'Blocked by open_basedir';

        return compact('label', 'path', 'exists', 'inside', 'writable', 'status');
    });
}

function open_basedir_paths(string $openBasedir): array
{
    if (trim($openBasedir) === '') {
        return [];
    }

    return array_values(array_filter(array_map(
        fn (string $path): string => rtrim(normalize_path($path), '/'),
        explode(PATH_SEPARATOR, $openBasedir),
    )));
}

function path_allowed_by_open_basedir(string $path, array $allowedPaths): bool
{
    $normalized = normalize_path($path);

    foreach ($allowedPaths as $allowed) {
        if ($allowed === '') {
            continue;
        }

        if ($normalized === $allowed || str_starts_with($normalized, rtrim($allowed, '/').'/')) {
            return true;
        }
    }

    return false;
}

function public_exposure_checks(string $appUrl): array
{
    $paths = [
        '/.env',
        '/composer.json',
        '/composer.lock',
        '/database/database.sqlite',
        '/vendor/autoload.php',
        '/storage/logs/laravel.log',
        '/storage/logs/cms.log',
    ];

    return array_map(function (string $path) use ($appUrl): array {
        $url = MiniCmsInstallerUrl::appendPath($appUrl, ltrim($path, '/'));
        $status = http_status_for_url($url);
        $dangerous = in_array($status, [200, 206], true);
        $safe = in_array($status, [403, 404], true);

        return [
            'path' => $path,
            'url' => $url,
            'status' => $status,
            'dangerous' => $dangerous,
            'safe' => $safe,
            'status_text' => $status === 0 ? 'Not reachable / not checked' : (string) $status,
        ];
    }, $paths);
}

function http_status_for_url(string $url): int
{
    if (! filter_var($url, FILTER_VALIDATE_URL) || ! (bool) ini_get('allow_url_fopen')) {
        return 0;
    }

    $context = stream_context_create([
        'http' => [
            'method' => 'HEAD',
            'ignore_errors' => true,
            'timeout' => 2,
            'follow_location' => 0,
            'user_agent' => 'MiniCMS-Installer-Diagnostics',
        ],
        'ssl' => [
            'verify_peer' => true,
            'verify_peer_name' => true,
        ],
    ]);

    $headers = @get_headers($url, false, $context);

    if (! is_array($headers) || $headers === []) {
        $context = stream_context_create([
            'http' => [
                'method' => 'GET',
                'ignore_errors' => true,
                'timeout' => 2,
                'follow_location' => 0,
                'user_agent' => 'MiniCMS-Installer-Diagnostics',
            ],
        ]);
        $headers = @get_headers($url, false, $context);
    }

    if (! is_array($headers) || ! isset($headers[0])) {
        return 0;
    }

    return preg_match('/\s(\d{3})\s/', (string) $headers[0], $matches) ? (int) $matches[1] : 0;
}

function hestia_context(string $projectRoot, string $publicPath, string $docRoot): array
{
    $path = str_replace('\\', '/', $projectRoot);
    $isHestiaPath = preg_match('#^/home/([^/]+)/web/([^/]+)/#', $path, $matches) === 1;
    $user = $isHestiaPath ? $matches[1] : 'USER';
    $domain = $isHestiaPath ? $matches[2] : 'DOMAIN';
    $domainRoot = "/home/{$user}/web/{$domain}";
    $hestiaBin = '/usr/local/hestia/bin';
    $domainConf = "/home/{$user}/conf/web/{$domain}";
    $phpMinor = PHP_MAJOR_VERSION.'.'.PHP_MINOR_VERSION;
    $backendTemplate = 'PHP-'.PHP_MAJOR_VERSION.'_'.PHP_MINOR_VERSION;
    $socketMatches = glob("/run/php/*{$domain}*.sock") ?: [];

    return [
        'likely' => $isHestiaPath || is_dir($hestiaBin) || is_dir($domainConf),
        'user' => $user,
        'domain' => $domain,
        'project_root' => $projectRoot,
        'public_path' => $publicPath,
        'document_root' => $docRoot,
        'domain_root' => $domainRoot,
        'hestia_bin' => $hestiaBin,
        'domain_conf' => $domainConf,
        'custom_document_root' => 'public',
        'backend_template' => $backendTemplate,
        'php_version' => $phpMinor,
        'suggested_socket_check' => "ls -la /run/php | grep {$domain}",
        'socket_status' => $socketMatches !== [] ? 'Socket candidate found: '.implode(', ', $socketMatches) : 'Socket not detected from PHP; verify with SSH if the site returns 503',
        'apache_error_log' => "/var/log/apache2/domains/{$domain}.error.log",
        'laravel_logs' => 'storage/logs/cms.log or storage/logs/laravel.log',
        'suggested_open_basedir' => "/home/{$user}/.composer:{$projectRoot}:{$domainRoot}/private:{$domainRoot}/public_shtml:/home/{$user}/tmp:/tmp:/var/www/html:/bin:/usr/bin:/usr/local/bin:/usr/share:/opt",
        'add_php_command' => "/usr/local/hestia/bin/v-add-web-php {$phpMinor}",
        'change_backend_command' => "/usr/local/hestia/bin/v-change-web-domain-backend-tpl {$user} {$domain} {$backendTemplate} yes",
        'reload_commands' => "systemctl reload apache2\nsystemctl reload nginx\nsystemctl restart php{$phpMinor}-fpm",
    ];
}

function shell_command_available(string $command): bool
{
    if (! shell_available()) {
        return false;
    }

    $probe = PHP_OS_FAMILY === 'Windows'
        ? 'where '.escapeshellarg($command).' 2>NUL'
        : 'command -v '.escapeshellarg($command).' 2>/dev/null';

    $result = @shell_exec($probe);

    return is_string($result) && trim($result) !== '';
}

function collect_array(array $items, callable $callback): array
{
    $result = [];

    foreach ($items as $key => $value) {
        $result[] = $callback($value, (string) $key);
    }

    return $result;
}

function handle_install(string $projectRoot, string $publicPath, string $lockPath, array $state): array
{
    $logs = [];
    $warnings = [];
    $errors = [];
    $manualCommands = [
        'composer install --no-dev --optimize-autoloader',
        'npm ci',
        'npm run build',
        'php artisan key:generate --force',
        'php artisan migrate --force',
        'php artisan db:seed --force',
        'php artisan storage:link',
        'php artisan sitemap:generate',
        'php artisan optimize',
    ];

    $siteName = trim((string) ($_POST['site_name'] ?? 'Mini CMS'));
    $appUrl = MiniCmsInstallerUrl::normalizeAppUrl((string) ($_POST['app_url'] ?? ''));
    $assetUrl = MiniCmsInstallerUrl::assetUrl($appUrl);
    $basePath = MiniCmsInstallerUrl::basePath($appUrl);
    $adminEmail = trim((string) ($_POST['admin_email'] ?? ''));
    $adminPassword = (string) ($_POST['admin_password'] ?? '');
    $adminPasswordConfirmation = (string) ($_POST['admin_password_confirmation'] ?? '');
    $defaultLocale = (string) ($_POST['default_locale'] ?? 'en');
    $demoContent = isset($_POST['demo_content']);
    $generateSitemap = isset($_POST['generate_sitemap']);
    $storageStrategy = (string) ($_POST['storage_strategy'] ?? 'symlink');
    $appEnv = (string) ($_POST['app_env'] ?? 'production');
    $appDebug = isset($_POST['app_debug']) ? 'true' : 'false';
    $dbPath = trim((string) ($_POST['db_path'] ?? $state['default_db_path']));
    $acknowledgedRootRisk = isset($_POST['acknowledge_document_root']);
    $updateExistingAdmin = isset($_POST['update_existing_admin']);

    if (! $state['critical_ok']) {
        $errors[] = 'Installation is blocked because one or more critical hosting checks failed.';
        foreach ($state['checks'] as $check) {
            if (! $check['ok'] && $check['critical']) {
                $errors[] = $check['label'].': '.$check['fix'];
            }
        }

        return install_result(false, $errors, $warnings, $logs, $manualCommands);
    }

    if ($siteName === '') {
        $errors[] = 'Site name is required.';
    }

    if (! MiniCmsInstallerUrl::isValidAppUrl($appUrl)) {
        $errors[] = 'APP_URL is invalid. Use a full URL such as https://example.com or https://example.com/cms, without query strings or fragments.';
    }

    if (! filter_var($adminEmail, FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'Admin email is invalid.';
    }

    if (strlen($adminPassword) < 12) {
        $errors[] = 'Admin password must be at least 12 characters.';
    }

    if ($adminPassword !== $adminPasswordConfirmation) {
        $errors[] = 'Admin password confirmation does not match.';
    }

    if (! in_array($defaultLocale, ['en', 'fa', 'ar'], true)) {
        $errors[] = 'Default locale must be en, fa, or ar.';
    }

    if (! in_array($appEnv, ['production', 'local', 'staging'], true)) {
        $errors[] = 'APP_ENV must be production, local, or staging.';
    }

    $dbPath = normalize_install_path($dbPath, $projectRoot);
    if (path_inside($dbPath, $publicPath)) {
        $errors[] = 'The SQLite database path is under public/. Move it outside the public web root.';
    }

    if (($state['doc_root_is_project'] || ! $state['doc_root_is_public']) && ! $acknowledgedRootRisk) {
        $errors[] = 'Your hosting document root does not appear to point to /public. Confirm the risk or fix the document root before installing.';
    }

    if ($errors !== []) {
        return install_result(false, $errors, $warnings, $logs, $manualCommands);
    }

    try {
        ensure_directory(dirname($dbPath));
        ensure_directory($projectRoot.DIRECTORY_SEPARATOR.'storage'.DIRECTORY_SEPARATOR.'app'.DIRECTORY_SEPARATOR.'public');
        ensure_directory($projectRoot.DIRECTORY_SEPARATOR.'bootstrap'.DIRECTORY_SEPARATOR.'cache');

        if (! is_file($dbPath)) {
            touch($dbPath);
            $logs[] = 'Created SQLite database file.';
        }

        $envPath = $projectRoot.DIRECTORY_SEPARATOR.'.env';
        $envContent = is_file($envPath)
            ? (string) file_get_contents($envPath)
            : (is_file($projectRoot.DIRECTORY_SEPARATOR.'.env.example') ? (string) file_get_contents($projectRoot.DIRECTORY_SEPARATOR.'.env.example') : minimal_env());

        $appKey = env_value($envContent, 'APP_KEY');
        if ($appKey === '') {
            $appKey = 'base64:'.base64_encode(random_bytes(32));
            $logs[] = 'Generated APP_KEY.';
        }

        $envContent = update_env_values($envContent, [
            'APP_NAME' => $siteName,
            'APP_ENV' => $appEnv,
            'APP_DEBUG' => $appDebug,
            'APP_URL' => $appUrl,
            'ASSET_URL' => $assetUrl,
            'APP_KEY' => $appKey,
            'APP_LOCALE' => $defaultLocale,
            'APP_FALLBACK_LOCALE' => 'en',
            'DB_CONNECTION' => 'sqlite',
            'DB_DATABASE' => $dbPath,
            'FILESYSTEM_DISK' => 'public',
            'CACHE_STORE' => 'file',
            'SESSION_DRIVER' => 'file',
            'QUEUE_CONNECTION' => 'sync',
            'CMS_ADMIN_NAME' => 'Admin',
            'CMS_ADMIN_EMAIL' => $adminEmail,
            'CMS_ADMIN_PASSWORD' => '',
            'SQLITE_BUSY_TIMEOUT' => '5000',
            'SQLITE_JOURNAL_MODE' => 'WAL',
            'SQLITE_SYNCHRONOUS' => 'NORMAL',
        ]);

        if (file_put_contents($envPath, $envContent, LOCK_EX) === false) {
            throw new RuntimeException('Could not write .env. Check project root permissions.');
        }

        $logs[] = 'Wrote .env without storing the admin password.';

        if (! $state['can_bootstrap_laravel']) {
            $warnings[] = 'vendor/autoload.php is missing. The installer created .env and SQLite, but Composer dependencies are required before automatic finalization.';

            return install_result(false, [], $warnings, $logs, $manualCommands, true);
        }

        $artisan = new InstallerArtisan($projectRoot);
        $artisan->call('optimize:clear');
        $logs[] = 'Cleared Laravel caches.';

        $artisan->call('migrate', ['--force' => true]);
        $logs[] = 'Ran database migrations.';

        if ($demoContent) {
            $artisan->call('db:seed', ['--force' => true]);
            $logs[] = 'Seeded demo content.';
        }

        ensure_admin_user($adminEmail, $adminPassword, $updateExistingAdmin);
        $logs[] = 'Created or updated administrator account.';

        $storageStatus = setup_storage($projectRoot, $publicPath, $storageStrategy, $artisan, $warnings);
        $logs[] = $storageStatus;

        if ($generateSitemap && artisan_command_exists($artisan, 'sitemap:generate')) {
            $artisan->call('sitemap:generate');
            $logs[] = 'Generated sitemap.';
        }

        $artisan->call('optimize:clear');
        $artisan->call('optimize');
        $logs[] = 'Optimized Laravel caches.';

        if (artisan_command_exists($artisan, 'sqlite:health')) {
            $artisan->call('sqlite:health');
            $logs[] = 'SQLite health check completed.';
        }

        if (artisan_command_exists($artisan, 'storage:health')) {
            try {
                $artisan->call('storage:health');
                $logs[] = 'Storage health check completed.';
            } catch (Throwable $exception) {
                $warnings[] = 'Storage health check reported a problem: '.human_error($exception->getMessage());
            }
        }

        $postInstallChecks = post_install_checks($projectRoot, $publicPath, $appUrl, $appEnv, $appDebug, $generateSitemap);
        $failedPostInstallChecks = array_values(array_filter($postInstallChecks, fn (array $check): bool => $check['status'] === 'fail'));

        if ($failedPostInstallChecks !== []) {
            foreach ($failedPostInstallChecks as $check) {
                $errors[] = $check['label'].': '.$check['fix'];
            }

            return install_result(false, $errors, $warnings, $logs, $manualCommands, false, [
                'post_install_checks' => $postInstallChecks,
            ]);
        }

        ensure_directory(dirname($lockPath));
        file_put_contents($lockPath, json_encode([
            'installed_at' => gmdate('c'),
            'app_url' => $appUrl,
            'base_path' => $basePath,
            'installer_version' => MINI_CMS_INSTALLER_VERSION,
        ], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), LOCK_EX);

        $logs[] = 'Created installer lock file.';

        return install_result(true, [], $warnings, $logs, [], false, [
            'site_url' => $appUrl,
            'admin_url' => MiniCmsInstallerUrl::appendPath($appUrl, 'admin'),
            'base_path' => $basePath === '' ? '/' : $basePath,
            'asset_url' => $assetUrl === '' ? '(not set for root install)' : $assetUrl,
            'admin_email' => $adminEmail,
            'storage_status' => $storageStatus,
            'sitemap_status' => $generateSitemap ? 'Requested' : 'Skipped',
            'post_install_checks' => [
                ...$postInstallChecks,
                ['label' => 'Installer lock', 'status' => 'pass', 'detail' => 'storage/app/installed.lock was created.', 'fix' => ''],
            ],
        ]);
    } catch (Throwable $exception) {
        $errors[] = human_error($exception->getMessage());

        return install_result(false, $errors, $warnings, $logs, $manualCommands);
    }
}

function ensure_admin_user(string $email, string $password, bool $updateExistingAdmin): void
{
    $roleClass = '\\App\\Models\\Role';
    $userClass = '\\App\\Models\\User';
    $hashClass = '\\Illuminate\\Support\\Facades\\Hash';

    $administrator = $roleClass::query()->updateOrCreate(
        ['slug' => 'administrator'],
        ['name' => 'Administrator', 'description' => 'Full CMS access', 'permissions' => $roleClass::allPermissions(), 'is_system' => true]
    );

    $roleClass::query()->updateOrCreate(
        ['slug' => 'editor'],
        ['name' => 'Editor', 'description' => 'Content editing access', 'permissions' => $roleClass::editorPermissions(), 'is_system' => true]
    );

    $user = $userClass::query()->firstOrNew(['email' => $email]);

    if ($user->exists && ! $updateExistingAdmin) {
        throw new RuntimeException('An admin user with this email already exists. Confirm password update and run Install again.');
    }

    $user->fill([
        'role_id' => $administrator->id,
        'name' => 'Admin',
        'password' => $hashClass::make($password),
    ]);

    $user->save();
}

function setup_storage(string $projectRoot, string $publicPath, string $strategy, InstallerArtisan $artisan, array &$warnings): string
{
    try {
        $artisan->call('storage:link');
    } catch (Throwable $exception) {
        $warnings[] = 'storage:link failed. Symlink may be disabled on this host.';
    }

    $publicStorage = $publicPath.DIRECTORY_SEPARATOR.'storage';
    if (is_link($publicStorage) || is_dir($publicStorage)) {
        return verify_public_storage_mapping($projectRoot, $publicPath, $warnings)
            ? 'Public storage path exists and test file is reachable through public/storage.'
            : 'Public storage path exists, but the test file was not reachable through public/storage.';
    }

    if ($strategy === 'copy') {
        ensure_directory($publicStorage);
        copy_directory($projectRoot.DIRECTORY_SEPARATOR.'storage'.DIRECTORY_SEPARATOR.'app'.DIRECTORY_SEPARATOR.'public', $publicStorage);
        $warnings[] = 'Storage copy fallback was used. Future uploads may need manual sync if symlinks remain disabled.';

        return verify_public_storage_mapping($projectRoot, $publicPath, $warnings)
            ? 'Storage copy fallback created public/storage and test file is reachable.'
            : 'Storage copy fallback created public/storage, but future upload reachability could not be verified.';
    }

    $warnings[] = 'Public storage is not linked. Ask your host to enable symlinks or rerun with copy fallback.';

    return 'Storage link not verified.';
}

function verify_public_storage_mapping(string $projectRoot, string $publicPath, array &$warnings): bool
{
    $storagePublic = $projectRoot.DIRECTORY_SEPARATOR.'storage'.DIRECTORY_SEPARATOR.'app'.DIRECTORY_SEPARATOR.'public';
    $publicStorage = $publicPath.DIRECTORY_SEPARATOR.'storage';
    $relative = 'mini-cms-storage-health.txt';
    $source = $storagePublic.DIRECTORY_SEPARATOR.$relative;
    $public = $publicStorage.DIRECTORY_SEPARATOR.$relative;

    try {
        ensure_directory($storagePublic);
        file_put_contents($source, 'mini-cms-storage-health', LOCK_EX);
        $ok = is_file($public);
    } catch (Throwable $exception) {
        $warnings[] = 'Storage test file could not be written: '.$exception->getMessage();
        $ok = false;
    } finally {
        if (is_file($source)) {
            @unlink($source);
        }
    }

    if (! $ok) {
        $warnings[] = 'Uploaded files may return 404 because public/storage is not mapped to storage/app/public. Run php artisan storage:link or fix the hosting symlink/open_basedir permissions.';
    }

    return $ok;
}

function artisan_command_exists(InstallerArtisan $artisan, string $command): bool
{
    try {
        $artisan->call('list', ['namespace' => explode(':', $command)[0]]);

        return str_contains($artisan->lastOutput(), $command);
    } catch (Throwable) {
        return false;
    }
}

function install_result(bool $success, array $errors, array $warnings, array $logs, array $manualCommands = [], bool $manual = false, array $summary = []): array
{
    return compact('success', 'errors', 'warnings', 'logs', 'manualCommands', 'manual', 'summary');
}

function post_install_checks(string $projectRoot, string $publicPath, string $appUrl, string $appEnv, string $appDebug, bool $generateSitemap): array
{
    $warnings = [];
    $checks = [
        post_install_check('APP_ENV', $appEnv === 'production' ? 'pass' : 'warning', "APP_ENV={$appEnv}", 'Use APP_ENV=production for production installs.'),
        post_install_check('APP_DEBUG', $appDebug === 'false' ? 'pass' : 'fail', "APP_DEBUG={$appDebug}", 'Set APP_DEBUG=false before public launch.'),
        post_install_check('APP_URL', preg_match('/^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?(\/|$)/i', $appUrl) === 1 ? 'fail' : 'pass', $appUrl, 'Set APP_URL to the real production domain before finishing install.'),
        post_install_check('SQLite database file', is_file($projectRoot.DIRECTORY_SEPARATOR.'database'.DIRECTORY_SEPARATOR.'database.sqlite') ? 'pass' : 'fail', 'database/database.sqlite', 'Create the SQLite file and run migrations.'),
        post_install_check('Storage URL mapping', verify_public_storage_mapping($projectRoot, $publicPath, $warnings) ? 'pass' : 'fail', 'storage/app/public -> public/storage', 'Run php artisan storage:link or fix the public/storage symlink so uploaded files do not return 404.'),
        post_install_check('Sitemap', ! $generateSitemap || is_file($publicPath.DIRECTORY_SEPARATOR.'sitemap.xml') ? 'pass' : 'warning', $generateSitemap ? 'Requested' : 'Skipped', 'Run php artisan sitemap:generate after APP_URL is final.'),
    ];

    foreach ($warnings as $warning) {
        $checks[] = post_install_check('Storage warning', 'fail', $warning, 'Fix public/storage before using uploads or galleries.');
    }

    foreach (public_exposure_checks($appUrl) as $exposure) {
        if ($exposure['dangerous']) {
            $checks[] = post_install_check('Public exposure: '.$exposure['path'], 'fail', 'HTTP '.$exposure['status'], 'Set document root to public and block private files before launch.');
        }
    }

    foreach (open_basedir_diagnostics(required_laravel_paths($projectRoot, $publicPath, $projectRoot.DIRECTORY_SEPARATOR.'database'.DIRECTORY_SEPARATOR.'database.sqlite'), (string) ini_get('open_basedir')) as $diagnostic) {
        if (! $diagnostic['inside']) {
            $checks[] = post_install_check('open_basedir: '.$diagnostic['label'], 'fail', 'Blocked', 'Add the Laravel project root to open_basedir.');
        }
    }

    return $checks;
}

function post_install_check(string $label, string $status, string $detail, string $fix): array
{
    return compact('label', 'status', 'detail', 'fix');
}

final class InstallerArtisan
{
    private mixed $app = null;

    private string $output = '';

    public function __construct(private readonly string $projectRoot)
    {
        require_once $this->projectRoot.DIRECTORY_SEPARATOR.'vendor'.DIRECTORY_SEPARATOR.'autoload.php';
        $this->app = require $this->projectRoot.DIRECTORY_SEPARATOR.'bootstrap'.DIRECTORY_SEPARATOR.'app.php';
        $this->app->make(\Illuminate\Contracts\Console\Kernel::class)->bootstrap();
    }

    public function call(string $command, array $parameters = []): void
    {
        $exitCode = \Illuminate\Support\Facades\Artisan::call($command, $parameters);
        $this->output = \Illuminate\Support\Facades\Artisan::output();

        if ($exitCode !== 0) {
            $details = trim($this->output);

            throw new RuntimeException("Command failed: php artisan {$command}".($details !== '' ? "\n{$details}" : ''));
        }
    }

    public function lastOutput(): string
    {
        return $this->output;
    }
}

function render_wizard(array $state, string $token): void
{
    $checksHtml = render_checks($state);
    $appUrl = e(guessed_app_url());
    $dbPath = e($state['default_db_path']);
    $docRootWarning = e($state['doc_root_warning']);
    $riskBox = ! $state['doc_root_is_public'] ? '<label class="check"><input type="checkbox" name="acknowledge_document_root" value="1"> I understand this host should point the domain document root to /public. Continue only if I cannot change it yet.</label>' : '';
    $disabled = $state['critical_ok'] ? '' : ' disabled';
    $docRootAlertClass = $state['doc_root_is_public'] ? 'success' : 'warning';
    $detectedBasePath = e($state['detected_base_path'] ?? '/');
    $diagnosticsUrl = e((string) ($_SERVER['SCRIPT_NAME'] ?? 'install.php')).'?action=diagnostics';
    $hestiaGuidance = $state['hestia']['detected']
        ? render_hestia_guidance($state['hestia'])
        : '<div class="alert success">No Hestia path pattern was detected. If this is cPanel/shared hosting, the same Laravel rule applies: document root must point to <code>public</code> and PHP must access the project root.</div>';
    $unsafeSummary = $state['critical_ok']
        ? '<div class="alert success">No critical installer blocker was detected.</div>'
        : '<div class="alert danger">Installation is blocked until critical hosting problems are fixed. Open Diagnostics for exact details.</div>';
    $errorSummary = $state['critical_ok']
        ? ''
        : '<section class="alert danger"><strong>Fix these blockers before installing:</strong><ul class="compact-list">'.implode('', array_map(
            fn (array $check): string => ! $check['ok'] && $check['critical'] ? '<li>'.e($check['label']).' - '.e($check['fix']).'</li>' : '',
            $state['checks']
        )).'</ul></section>';

    $body = <<<HTML
        {$errorSummary}
        <form method="post" data-wizard>
            <input type="hidden" name="_token" value="{$token}">
            <input type="hidden" name="action" value="install">

            <div class="steps" data-wizard-steps>
                <button type="button" class="active" data-step-button="0">1. Welcome</button>
                <button type="button" data-step-button="1">2. Environment</button>
                <button type="button" data-step-button="2">3. Hosting</button>
                <button type="button" data-step-button="3">4. App settings</button>
                <button type="button" data-step-button="4">5. Admin</button>
                <button type="button" data-step-button="5">6. SQLite</button>
                <button type="button" data-step-button="6">7. Install</button>
                <span>8. Finish</span>
            </div>

            <section class="card" data-step-panel>
                <h2>Welcome</h2>
                <p class="muted">This wizard prepares Mini CMS for production hosting with Laravel, SQLite, public storage, and admin access. It will not continue while critical hosting risks are detected.</p>
                <div class="alert {$docRootAlertClass}">Detected URL base path: <code>{$detectedBasePath}</code>. For HestiaCP, set Custom document root to <code>public</code>. For subdirectory installs, enter the full URL such as <code>https://example.com/cms</code>.</div>
                <div class="wizard-nav"><button type="button" class="button primary" data-next-step>Next</button></div>
            </section>

            <section class="card" data-step-panel>
                <h2>Environment checks</h2>
                <p class="muted">PHP, SQLite extensions, write permissions, release package mode, APP_KEY status, and public exposure are checked before setup.</p>
                {$checksHtml}
                <div class="wizard-nav"><button type="button" class="button secondary" data-prev-step>Back</button><a class="button primary" href="">Re-check</a><button type="button" class="button primary" data-next-step>Next</button></div>
            </section>

            <section class="card" data-step-panel>
                <h2>Hosting and Hestia checks</h2>
                <div class="alert {$docRootAlertClass}">{$docRootWarning}</div>
                {$unsafeSummary}
                {$hestiaGuidance}
                <details class="advanced">
                    <summary>Advanced diagnostics</summary>
                    <p><a class="button primary" href="{$diagnosticsUrl}">Open diagnostics</a></p>
                    <p class="muted">Emergency .htaccess protection is available from the diagnostics page when public exposure is detected.</p>
                </details>
                <div class="wizard-nav"><button type="button" class="button secondary" data-prev-step>Back</button><button type="button" class="button primary" data-next-step>Next</button></div>
            </section>

            <section class="card" data-step-panel>
                <h2>App settings</h2>
                <div class="grid">
                    <label>Site name<input name="site_name" value="Mini CMS" required></label>
                    <label>Installation URL<input name="app_url" value="{$appUrl}" placeholder="https://example.com or https://example.com/cms" required><small>Stored without a trailing slash. If it includes a folder, ASSET_URL is set to the same URL.</small></label>
                    <label>Default locale<select name="default_locale"><option value="en">English</option><option value="fa">فارسی</option><option value="ar">العربية</option></select></label>
                </div>
                <div class="options">
                    <label class="check"><input type="checkbox" name="demo_content" value="1" checked> Enable demo content</label>
                    <label class="check"><input type="checkbox" name="generate_sitemap" value="1" checked> Generate sitemap after install</label>
                    {$riskBox}
                </div>
                <div class="wizard-nav"><button type="button" class="button secondary" data-prev-step>Back</button><button type="button" class="button primary" data-next-step>Next</button></div>
            </section>

            <section class="card" data-step-panel>
                <h2>Admin account</h2>
                <p class="muted">Use a real email and a strong password. The installer never writes the admin password to .env.</p>
                <div class="grid">
                    <label>Admin email<input type="email" name="admin_email" value="admin@example.com" required></label>
                    <label>Admin password<input type="password" name="admin_password" minlength="12" required></label>
                    <label>Confirm password<input type="password" name="admin_password_confirmation" minlength="12" required></label>
                </div>
                <div class="options">
                    <label class="check"><input type="checkbox" name="update_existing_admin" value="1"> Update password if admin email already exists</label>
                </div>
                <div class="wizard-nav"><button type="button" class="button secondary" data-prev-step>Back</button><button type="button" class="button primary" data-next-step>Next</button></div>
            </section>

            <section class="card" data-step-panel>
                <h2>Database and storage</h2>
                <p class="muted">SQLite is stored outside public/. Uploaded files go to <code>storage/app/public</code> and must be served through <code>/storage</code>.</p>
                <div class="grid">
                    <label>Storage strategy<select name="storage_strategy"><option value="symlink">Prefer symlink</option><option value="copy">Copy fallback if symlink fails</option></select><small>Symlink is recommended. Copy fallback is only a hosting workaround.</small></label>
                    <label class="full">SQLite DB path<input name="db_path" value="{$dbPath}"></label>
                </div>
                <details class="advanced">
                    <summary>Advanced environment</summary>
                    <div class="grid">
                        <label>APP_ENV<select name="app_env"><option value="production">production</option><option value="staging">staging</option><option value="local">local</option></select></label>
                        <label class="check"><input type="checkbox" name="app_debug" value="1"> Enable APP_DEBUG</label>
                    </div>
                </details>
                <div class="wizard-nav"><button type="button" class="button secondary" data-prev-step>Back</button><button type="button" class="button primary" data-next-step>Next</button></div>
            </section>

            <section class="card" data-step-panel>
                <h2>Install</h2>
                <p class="muted">The installer will write .env, create SQLite, run migrations, create the admin user, verify storage, optionally generate sitemap, optimize Laravel, and create <code>storage/app/installed.lock</code>.</p>
                {$unsafeSummary}
                <button class="button primary"{$disabled}>Install Mini CMS</button>
                <p class="muted">Do not run this installer on an already configured local project unless you are using a disposable copy.</p>
                <div class="wizard-nav"><button type="button" class="button secondary" data-prev-step>Back</button></div>
            </section>
        </form>
    HTML;

    render_page('Mini CMS Installer', $body);
}

function render_install_result(array $result, array $state, string $token): void
{
    $alerts = '';
    foreach ($result['errors'] as $error) {
        $alerts .= '<div class="alert danger">'.e($error).'</div>';
    }
    foreach ($result['warnings'] as $warning) {
        $alerts .= '<div class="alert warning">'.e($warning).'</div>';
    }

    $logs = '';
    foreach ($result['logs'] as $log) {
        $logs .= '<li>'.e(redact_log($log, $state['project_root'])).'</li>';
    }

    if ($result['manual']) {
        $commands = implode("\n", array_map('e', $result['manualCommands']));
        $body = <<<HTML
            <div class="steps"><span class="done">1. Check</span><span class="done">2. Settings</span><span class="active">3. Manual finalization</span></div>
            {$alerts}
            <section class="card">
                <h2>Manual finalization required</h2>
                <p>The installer created the basic files it could, but Laravel dependencies are missing or unavailable. Run these commands after installing dependencies:</p>
                <pre>{$commands}</pre>
            </section>
            <section class="card"><h2>Installer log</h2><ul>{$logs}</ul></section>
        HTML;
        render_page('Manual finalization required', $body);

        return;
    }

    if (! $result['success']) {
        $commands = implode("\n", array_map('e', $result['manualCommands']));
        $body = <<<HTML
            <div class="steps"><span class="done">1. Check</span><span class="done">2. Settings</span><span class="active">3. Needs attention</span></div>
            {$alerts}
            <section class="card"><h2>Installer log</h2><ul>{$logs}</ul></section>
            <section class="card"><h2>Manual commands if needed</h2><pre>{$commands}</pre></section>
        HTML;
        render_page('Installation needs attention', $body);

        return;
    }

    $summary = $result['summary'];
    $siteUrl = e((string) ($summary['site_url'] ?? ''));
    $adminUrl = e((string) ($summary['admin_url'] ?? ''));
    $adminEmail = e((string) ($summary['admin_email'] ?? ''));
    $basePath = e((string) ($summary['base_path'] ?? '/'));
    $assetUrl = e((string) ($summary['asset_url'] ?? '(not set for root install)'));
    $storageStatus = e((string) ($summary['storage_status'] ?? 'Unknown'));
    $sitemapStatus = e((string) ($summary['sitemap_status'] ?? 'Unknown'));
    $postInstallChecklist = render_post_install_checks($summary['post_install_checks'] ?? []);

    $body = <<<HTML
        <div class="steps"><span class="done">1. Check</span><span class="done">2. Settings</span><span class="done">3. Installed</span></div>
        {$alerts}
        <section class="card success-card">
            <h2>Mini CMS is installed</h2>
            <dl class="summary">
                <dt>Site URL</dt><dd><a href="{$siteUrl}">{$siteUrl}</a></dd>
                <dt>Admin URL</dt><dd><a href="{$adminUrl}">{$adminUrl}</a></dd>
                <dt>Base path detected</dt><dd>{$basePath}</dd>
                <dt>ASSET_URL</dt><dd>{$assetUrl}</dd>
                <dt>Admin email</dt><dd>{$adminEmail}</dd>
                <dt>Database</dt><dd>SQLite</dd>
                <dt>Storage</dt><dd>{$storageStatus}</dd>
                <dt>Sitemap</dt><dd>{$sitemapStatus}</dd>
            </dl>
            <div class="alert danger"><strong>Delete the installer immediately.</strong> Leaving install.php online is unsafe.</div>
            <form method="post">
                <input type="hidden" name="_token" value="{$token}">
                <input type="hidden" name="action" value="delete_installer">
                <button class="button danger">Delete installer securely</button>
            </form>
        </section>
        <section class="card">
            <h2>Post-install checklist</h2>
            {$postInstallChecklist}
        </section>
        <section class="card">
            <h2>Next steps</h2>
            <ol>
                <li>Delete installer.</li>
                <li>Log in to admin.</li>
                <li>Change site settings.</li>
                <li>Upload logo.</li>
                <li>Test media upload.</li>
                <li>Back up database and storage.</li>
            </ol>
        </section>
        <section class="card"><h2>Installer log</h2><ul>{$logs}</ul></section>
    HTML;

    render_page('Installation complete', $body);
}

function render_post_install_checks(array $checks): string
{
    if ($checks === []) {
        return '<div class="alert warning">Post-install checklist was not available.</div>';
    }

    $html = '<div class="checks">';

    foreach ($checks as $check) {
        $status = (string) ($check['status'] ?? 'warning');
        $class = $status === 'pass' ? 'ok' : ($status === 'fail' ? 'bad' : 'warn');
        $badge = strtoupper($status);
        $html .= '<div class="check-row '.$class.'">';
        $html .= '<span>'.e((string) ($check['label'] ?? 'Check')).'</span>';
        $html .= '<strong>'.$badge.'</strong>';
        $html .= '<small>'.e((string) ($check['detail'] ?? '')).($status === 'pass' ? '' : '<br>'.e((string) ($check['fix'] ?? ''))).'</small>';
        $html .= '</div>';
    }

    return $html.'</div>';
}

function render_already_installed(array $state, string $token): void
{
    $body = <<<HTML
        <section class="card">
            <h2>Already installed</h2>
            <p>Mini CMS has an installer lock file. Setup is disabled to protect the existing site.</p>
            <div class="alert warning">If installation is complete, delete the installer files now.</div>
            <form method="post">
                <input type="hidden" name="_token" value="{$token}">
                <input type="hidden" name="action" value="delete_installer">
                <button class="button danger">Delete installer securely</button>
            </form>
        </section>
    HTML;

    render_page('Already installed', $body);
}

function render_diagnostics(array $state, string $token): void
{
    $envRows = [
        ['PHP version', PHP_VERSION],
        ['PHP SAPI', PHP_SAPI],
        ['Document root', $state['doc_root'] ?: '(not provided)'],
        ['Script path', $state['script_file'] ?: '(not provided)'],
        ['Project root', $state['project_root']],
        ['Public path', $state['public_path']],
        ['Detected base path', $state['detected_base_path']],
        ['APP_URL guess', guessed_app_url()],
        ['open_basedir', $state['open_basedir'] !== '' ? $state['open_basedir'] : '(not set)'],
        ['Disabled functions', (string) ini_get('disable_functions') ?: '(none)'],
    ];

    $extensionRows = [];
    foreach (['pdo', 'pdo_sqlite', 'sqlite3', 'mbstring', 'openssl', 'tokenizer', 'xml', 'ctype', 'json', 'fileinfo', 'curl', 'zip'] as $extension) {
        $extensionRows[] = [$extension, extension_loaded($extension) ? 'Enabled' : 'Missing'];
    }

    $fileRows = [
        ['artisan', is_file($state['project_root'].DIRECTORY_SEPARATOR.'artisan') ? 'Yes' : 'No'],
        ['vendor/autoload.php', is_file($state['project_root'].DIRECTORY_SEPARATOR.'vendor'.DIRECTORY_SEPARATOR.'autoload.php') ? 'Yes' : 'No'],
        ['public/index.php', is_file($state['public_path'].DIRECTORY_SEPARATOR.'index.php') ? 'Yes' : 'No'],
        ['public/build/manifest.json', is_file($state['public_path'].DIRECTORY_SEPARATOR.'build'.DIRECTORY_SEPARATOR.'manifest.json') ? 'Yes' : 'No'],
        ['.env', is_file($state['project_root'].DIRECTORY_SEPARATOR.'.env') ? 'Yes' : 'No'],
        ['APP_KEY', $state['app_key_present'] ? 'Present' : 'Missing; installer can generate it'],
        ['database/database.sqlite', is_file($state['default_db_path']) ? 'Yes' : 'No'],
    ];

    $writableRows = [];
    foreach ($state['writable_paths'] as $label => $path) {
        $writableRows[] = [$label, $path, path_writable($path) ? 'Writable' : 'Not writable'];
    }

    $hestia = $state['hestia'];
    $hestiaRows = [
        ['Likely Hestia path', $hestia['likely'] ? 'Yes' : 'No'],
        ['Suggested Custom document root', $hestia['custom_document_root']],
        ['Suggested backend template', $hestia['backend_template']],
        ['PHP-FPM socket status', $hestia['socket_status']],
        ['Socket check', $hestia['suggested_socket_check']],
        ['Apache error log', $hestia['apache_error_log']],
        ['Laravel logs', $hestia['laravel_logs']],
        ['Suggested open_basedir', $hestia['suggested_open_basedir']],
    ];

    $body = '<div class="steps"><span class="done">1. Check</span><span class="active">Diagnostics</span><span>Install</span></div>';
    $body .= '<section class="card"><h2>Diagnostics mode</h2><p class="muted">This page is safe to open before installation. It does not run migrations or write .env/database files.</p></section>';
    $body .= '<section class="card"><h2>Environment</h2>'.render_simple_table(['Item', 'Value'], $envRows).'</section>';
    $body .= '<section class="card"><h2>PHP extensions</h2>'.render_simple_table(['Extension', 'Status'], $extensionRows).'</section>';
    $body .= '<section class="card"><h2>Laravel files</h2>'.render_simple_table(['File', 'Exists'], $fileRows).'</section>';
    $body .= '<section class="card"><h2>Writable paths</h2>'.render_simple_table(['Path', 'Location', 'Status'], $writableRows).'</section>';
    $body .= '<section class="card"><h2>open_basedir diagnostics</h2>'.render_open_basedir_table($state['open_basedir_diagnostics']).'</section>';
    $body .= '<section class="card"><h2>Public exposure checks</h2>'.render_public_exposure_table($state['public_exposure']).render_emergency_protection_form($token).'</section>';
    $body .= '<section class="card"><h2>Hestia guidance</h2>'.render_simple_table(['Check', 'Value'], $hestiaRows).render_hestia_guidance($hestia).'</section>';
    $body .= '<section class="card"><h2>Site shows 500/503 after install</h2>'.render_troubleshooting_panel().'</section>';
    $body .= '<p><a class="button primary" href="'.e(basename((string) ($_SERVER['SCRIPT_NAME'] ?? 'install.php'))).'">Back to installer</a></p>';

    render_page('Installer Diagnostics', $body);
}

function render_emergency_protection_result(array $result, array $state): void
{
    $class = $result['success'] ? 'success' : 'danger';
    $message = e($result['message']);
    $body = <<<HTML
        <section class="card">
            <h2>Emergency Protection</h2>
            <div class="alert {$class}">{$message}</div>
            <p class="muted">This is only emergency protection. The correct fix is still to point the document root to public/ and make open_basedir include the Laravel project root.</p>
            <p><a class="button primary" href="?action=diagnostics">Back to diagnostics</a></p>
        </section>
    HTML;

    render_page('Emergency Protection', $body);
}

function render_delete_result(array $result, array $state): void
{
    $items = '';
    foreach ($result['messages'] as $message) {
        $items .= '<li>'.e($message).'</li>';
    }

    $manual = '';
    if ($result['remaining'] !== []) {
        $manual = '<div class="alert danger">Delete these files manually: <code>'.e(implode(', ', $result['remaining'])).'</code></div>';
    }

    $adminUrl = e(MiniCmsInstallerUrl::appendPath(guessed_app_url(), 'admin'));
    $body = <<<HTML
        <meta http-equiv="refresh" content="5;url={$adminUrl}">
        <section class="card success-card">
            <h2>Installer deletion attempted</h2>
            <ul>{$items}</ul>
            {$manual}
            <p><a class="button primary" href="{$adminUrl}">Go to admin</a></p>
            <p class="muted">You will be redirected to the admin panel in a few seconds if this page is still available.</p>
        </section>
    HTML;

    render_page('Installer deleted', $body);
}

function delete_installer_files(array $files, array $directories = []): array
{
    $messages = [];
    $remaining = [];

    foreach (array_unique($files) as $file) {
        if (! is_file($file)) {
            continue;
        }

        if (@unlink($file)) {
            $messages[] = basename($file).' deleted.';
        } else {
            $remaining[] = relative_name($file);
        }
    }

    foreach (array_unique($directories) as $directory) {
        if (! is_dir($directory)) {
            continue;
        }

        if (@rmdir($directory)) {
            $messages[] = basename($directory).' directory deleted.';
        } else {
            $remaining[] = relative_name($directory);
        }
    }

    if ($messages === []) {
        $messages[] = 'No installer file was deleted automatically.';
    }

    return compact('messages', 'remaining');
}

function write_emergency_htaccess(string $projectRoot): array
{
    $path = $projectRoot.DIRECTORY_SEPARATOR.'.htaccess';
    $begin = '# BEGIN Mini CMS Emergency Protection';
    $end = '# END Mini CMS Emergency Protection';
    $block = <<<HTACCESS
{$begin}
<IfModule mod_authz_core.c>
    <FilesMatch "^(\.env|composer\.(json|lock)|package(-lock)?\.json|artisan)$">
        Require all denied
    </FilesMatch>
    RedirectMatch 403 "^/(app|bootstrap|config|database|routes|resources|storage|vendor)(/|$)"
    RedirectMatch 403 "^/database/.*\.sqlite(-wal|-shm|-journal)?$"
</IfModule>
<IfModule !mod_authz_core.c>
    <FilesMatch "^(\.env|composer\.(json|lock)|package(-lock)?\.json|artisan)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
{$end}
HTACCESS;

    $existing = is_file($path) ? (string) file_get_contents($path) : '';
    $pattern = '/'.preg_quote($begin, '/').'.*?'.preg_quote($end, '/').'/s';
    $content = preg_match($pattern, $existing)
        ? preg_replace($pattern, $block, $existing)
        : rtrim($existing).PHP_EOL.PHP_EOL.$block.PHP_EOL;

    if ($content === null || file_put_contents($path, $content, LOCK_EX) === false) {
        return [
            'success' => false,
            'message' => 'Could not write project-root .htaccess. Ask hosting support to protect private Laravel files and fix the document root.',
        ];
    }

    return [
        'success' => true,
        'message' => 'Emergency .htaccess protection was written. This reduces exposure, but the correct fix is still document root = public/ and open_basedir including the Laravel project root.',
    ];
}

function render_checks(array $state): string
{
    $html = '<div class="checks">';
    foreach ($state['checks'] as $check) {
        $class = $check['ok'] ? 'ok' : ($check['critical'] ? 'bad' : 'warn');
        $html .= '<div class="check-row '.$class.'"><span>'.e($check['label']).'</span><strong>'.e($check['detail']).'</strong><small>'.e($check['ok'] ? 'Ready' : $check['fix']).'</small></div>';
    }
    $html .= '</div>';
    $mode = $state['can_bootstrap_laravel'] && $state['has_build'] ? 'Installable package detected: vendor and built assets are present.' : 'Source package detected: Composer and build steps may be required.';
    $html .= '<div class="alert '.($state['can_bootstrap_laravel'] && $state['has_build'] ? 'success' : 'warning').'">'.e($mode).'</div>';
    $html .= '<div class="alert '.($state['shell_available'] ? 'success' : 'warning').'">'.e($state['shell_available'] ? 'Shell commands appear available, but installer prefers Laravel internal Artisan calls.' : 'Shell commands appear disabled. Installer will use Laravel internals when possible or show manual commands.').'</div>';

    return $html;
}

function render_simple_table(array $headers, array $rows): string
{
    $html = '<div class="table-wrap"><table><thead><tr>';
    foreach ($headers as $header) {
        $html .= '<th>'.e($header).'</th>';
    }
    $html .= '</tr></thead><tbody>';

    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $cell) {
            $html .= '<td>'.e($cell).'</td>';
        }
        $html .= '</tr>';
    }

    return $html.'</tbody></table></div>';
}

function render_open_basedir_table(array $diagnostics): string
{
    $rows = [];

    foreach ($diagnostics as $item) {
        $rows[] = [
            $item['label'],
            $item['exists'] ? 'Yes' : 'No',
            $item['inside'] ? 'Yes' : 'No',
            $item['writable'] ? 'Yes' : 'No',
            $item['status'],
        ];
    }

    $html = render_simple_table(['Required path', 'Exists', 'Inside open_basedir', 'Writable if needed', 'Status'], $rows);

    foreach ($diagnostics as $item) {
        if (! $item['inside']) {
            $html .= '<div class="alert danger">PHP open_basedir is restricting Laravel from accessing required files outside /public. Problem: '.e($item['label']).' blocked at <code>'.e($item['path']).'</code>.</div>';
        }
    }

    return $html;
}

function render_public_exposure_table(array $checks): string
{
    $rows = [];

    foreach ($checks as $check) {
        $rows[] = [
            $check['path'],
            $check['status_text'],
            $check['dangerous'] ? 'CRITICAL SECURITY RISK' : ($check['safe'] ? 'Safe' : 'Unknown'),
            $check['url'],
        ];
    }

    $html = render_simple_table(['Path', 'HTTP status', 'Status', 'Checked URL'], $rows);

    foreach ($checks as $check) {
        if ($check['dangerous']) {
            $html .= '<div class="alert danger">CRITICAL SECURITY RISK: '.e($check['path']).' is publicly accessible. Set the document root to public/ immediately. Emergency .htaccess protection can reduce risk, but it is not the final fix.</div>';
        }
    }

    return $html;
}

function render_emergency_protection_form(string $token): string
{
    return <<<HTML
        <form method="post" class="options">
            <input type="hidden" name="_token" value="{$token}">
            <input type="hidden" name="action" value="emergency_protection">
            <button class="button danger">Create/update emergency .htaccess protection</button>
        </form>
    HTML;
}

function render_hestia_guidance(array $hestia): string
{
    $commands = [
        'Install PHP 8.4' => $hestia['add_php_command'],
        'Apply PHP backend template' => $hestia['change_backend_command'],
        'Check PHP-FPM socket' => $hestia['suggested_socket_check'],
        'Reload services' => $hestia['reload_commands'],
    ];
    $commandHtml = '';

    foreach ($commands as $label => $command) {
        $commandHtml .= '<div class="command-box"><div><strong>'.e($label).'</strong><pre>'.e($command).'</pre></div><button type="button" class="copy" data-copy="'.e($command).'">Copy command</button></div>';
    }

    return <<<HTML
        <div class="alert warning">
            <strong>Recommended Hestia Laravel setup:</strong>
            In Hestia go to <code>Web -> Domain -> Edit -> Advanced Options</code>. Enable <strong>Custom document root</strong>. <strong>Point to</strong> should be your domain. <strong>Directory</strong> should be <code>public</code>. Final path: <code>/home/USER/web/DOMAIN/public_html/public</code>. PHP open_basedir must allow <code>/home/USER/web/DOMAIN/public_html</code>, not only <code>/public</code>.
        </div>
        <div class="command-grid">{$commandHtml}</div>
        <p class="muted">Run these from SSH/root only when your Hestia server needs them. The installer never runs server-control commands automatically.</p>
    HTML;
}

function render_troubleshooting_panel(): string
{
    return <<<HTML
        <div class="alert warning"><strong>503 after switching PHP:</strong> the PHP-FPM domain socket may be missing. Install PHP and re-apply the backend template: <code>v-add-web-php 8.4</code> then <code>v-change-web-domain-backend-tpl USER DOMAIN PHP-8_4 yes</code>.</div>
        <div class="alert warning"><strong>500 open_basedir restriction:</strong> open_basedir includes only public/. Laravel needs access to vendor, storage, bootstrap, database, config, and app. Add the project root to open_basedir or use a Laravel-compatible Hestia template.</div>
        <div class="alert warning"><strong>500 could not find driver:</strong> enable <code>pdo_sqlite</code> and <code>sqlite3</code> for the same PHP version used by the domain.</div>
        <div class="alert warning"><strong>500 migrations not run:</strong> run <code>php artisan migrate --force</code> and, when needed, <code>php artisan db:seed --force</code>.</div>
        <div class="alert warning"><strong>500 permissions:</strong> make <code>storage/</code> and <code>bootstrap/cache/</code> writable by the PHP user.</div>
        <div class="alert warning"><strong>Wrong environment:</strong> set <code>APP_ENV=production</code>, <code>APP_DEBUG=false</code>, and <code>APP_URL=https://real-domain.com</code>.</div>
    HTML;
}

function render_page(string $title, string $body): void
{
    $safeTitle = e($title);
    echo <<<HTML
<!doctype html>
<html lang="en" dir="ltr">
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>{$safeTitle}</title>
    <style>
        :root { color-scheme: light; --primary: #0f766e; --primary-dark: #115e59; --danger: #dc2626; --muted: #64748b; --line: #e2e8f0; --bg: #f8fafc; --card: #ffffff; }
        * { box-sizing: border-box; }
        body { margin: 0; min-height: 100vh; font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; background: radial-gradient(circle at top left, rgba(15, 118, 110, .13), transparent 30rem), var(--bg); color: #0f172a; }
        a { color: var(--primary); }
        .wrap { width: min(1120px, calc(100% - 32px)); margin: 0 auto; padding: 40px 0; }
        .hero { display: grid; gap: 14px; margin-bottom: 24px; }
        .eyebrow { width: fit-content; border: 1px solid rgba(15,118,110,.2); border-radius: 999px; background: rgba(15,118,110,.08); color: var(--primary-dark); padding: 6px 12px; font-size: 12px; font-weight: 800; letter-spacing: .08em; text-transform: uppercase; }
        h1 { margin: 0; font-size: clamp(34px, 6vw, 64px); line-height: 1; letter-spacing: -.04em; }
        h2 { margin: 0 0 12px; font-size: 22px; }
        p { line-height: 1.7; }
        .muted { color: var(--muted); }
        .steps { display: flex; flex-wrap: wrap; gap: 10px; margin: 24px 0; }
        .steps span, .steps button { border: 1px solid var(--line); border-radius: 999px; background: white; padding: 10px 14px; font-size: 13px; font-weight: 800; color: var(--muted); }
        .steps button { cursor: pointer; }
        .steps .active { background: #0f172a; color: white; border-color: #0f172a; }
        .steps .done { background: rgba(15,118,110,.1); color: var(--primary-dark); border-color: rgba(15,118,110,.24); }
        .card { border: 1px solid rgba(148,163,184,.32); border-radius: 24px; background: rgba(255,255,255,.94); box-shadow: 0 20px 55px rgba(15,23,42,.08); padding: clamp(20px, 4vw, 32px); margin: 18px 0; backdrop-filter: blur(12px); }
        .success-card { border-color: rgba(15,118,110,.28); }
        .grid { display: grid; gap: 16px; grid-template-columns: repeat(2, minmax(0, 1fr)); }
        .full { grid-column: 1 / -1; }
        label { display: grid; gap: 7px; font-size: 13px; font-weight: 800; color: #334155; }
        input, select { width: 100%; border: 1px solid var(--line); border-radius: 14px; padding: 12px 14px; background: white; color: #0f172a; font: inherit; }
        input:focus, select:focus, button:focus-visible, summary:focus-visible { outline: 3px solid rgba(15,118,110,.24); outline-offset: 2px; }
        .options { display: grid; gap: 10px; margin: 18px 0; }
        .check { display: flex; align-items: flex-start; gap: 10px; font-weight: 700; color: #475569; }
        .check input { width: auto; margin-top: 4px; }
        .button { display: inline-flex; align-items: center; justify-content: center; border: 0; border-radius: 14px; padding: 12px 18px; color: white; background: #334155; font-weight: 900; text-decoration: none; cursor: pointer; }
        .button.primary { background: var(--primary); }
        .button.secondary { background: #475569; }
        .button.danger { background: var(--danger); }
        .button:disabled { opacity: .5; cursor: not-allowed; }
        .alert { border-radius: 18px; padding: 14px 16px; margin: 12px 0; border: 1px solid var(--line); background: #fff; color: #334155; }
        .alert.success { background: #ecfdf5; color: #065f46; border-color: #a7f3d0; }
        .alert.warning { background: #fffbeb; color: #92400e; border-color: #fde68a; }
        .alert.danger { background: #fef2f2; color: #991b1b; border-color: #fecaca; }
        .checks { display: grid; gap: 10px; }
        .check-row { display: grid; grid-template-columns: 1.2fr 1fr 1.6fr; gap: 10px; align-items: center; border: 1px solid var(--line); border-radius: 16px; padding: 12px; background: white; }
        .check-row span { font-weight: 850; }
        .check-row strong { font-size: 13px; }
        .check-row small { color: var(--muted); line-height: 1.5; }
        .check-row.ok { border-color: rgba(16,185,129,.35); }
        .check-row.bad { border-color: rgba(220,38,38,.35); }
        .check-row.warn { border-color: rgba(245,158,11,.35); }
        details.advanced { margin: 18px 0; }
        summary { cursor: pointer; font-weight: 900; color: var(--primary-dark); }
        pre { overflow: auto; border-radius: 16px; background: #0f172a; color: #e2e8f0; padding: 16px; }
        .table-wrap { overflow-x: auto; border: 1px solid var(--line); border-radius: 16px; background: white; }
        table { width: 100%; border-collapse: collapse; font-size: 13px; }
        th, td { padding: 12px; border-bottom: 1px solid var(--line); text-align: left; vertical-align: top; overflow-wrap: anywhere; }
        th { background: #f8fafc; color: #334155; font-weight: 900; }
        tr:last-child td { border-bottom: 0; }
        .summary { display: grid; grid-template-columns: 180px 1fr; gap: 10px 16px; }
        .summary dt { font-weight: 900; color: #475569; }
        .summary dd { margin: 0; overflow-wrap: anywhere; }
        .wizard-nav { display: flex; flex-wrap: wrap; gap: 10px; margin-top: 20px; }
        [data-step-panel][hidden] { display: none; }
        .compact-list { margin: 10px 0 0; padding-left: 20px; line-height: 1.7; }
        .command-grid { display: grid; gap: 12px; }
        .command-box { display: grid; grid-template-columns: minmax(0, 1fr) auto; gap: 12px; align-items: start; border: 1px solid var(--line); border-radius: 18px; background: white; padding: 14px; }
        .command-box pre { margin: 8px 0 0; }
        .copy { border: 1px solid var(--line); border-radius: 12px; background: #f8fafc; color: #0f172a; padding: 10px 12px; font-weight: 900; cursor: pointer; }
        .copy.copied { background: #ecfdf5; color: #065f46; border-color: #a7f3d0; }
        ol { padding-left: 22px; line-height: 1.8; }
        code { background: rgba(15,23,42,.06); border-radius: 8px; padding: 2px 6px; }
        @media (max-width: 720px) { .grid, .check-row, .summary, .command-box { grid-template-columns: 1fr; } .wrap { padding: 24px 0; } }
    </style>
</head>
<body>
    <main class="wrap">
        <header class="hero">
            <span class="eyebrow">Mini CMS Installer</span>
            <h1>{$safeTitle}</h1>
            <p class="muted">A browser-based setup wizard for Laravel, Filament, SQLite, and shared hosting installs.</p>
        </header>
        {$body}
    </main>
    <script>
        (() => {
            const wizard = document.querySelector('[data-wizard]');
            if (wizard) {
                const panels = Array.from(wizard.querySelectorAll('[data-step-panel]'));
                const buttons = Array.from(wizard.querySelectorAll('[data-step-button]'));
                let current = 0;
                const show = (index) => {
                    current = Math.max(0, Math.min(index, panels.length - 1));
                    panels.forEach((panel, i) => panel.hidden = i !== current);
                    buttons.forEach((button, i) => {
                        button.classList.toggle('active', i === current);
                        button.classList.toggle('done', i < current);
                    });
                };
                wizard.addEventListener('click', (event) => {
                    const target = event.target;
                    if (!(target instanceof HTMLElement)) return;
                    if (target.matches('[data-next-step]')) show(current + 1);
                    if (target.matches('[data-prev-step]')) show(current - 1);
                    const step = target.getAttribute('data-step-button');
                    if (step !== null) show(Number(step));
                });
                show(0);
            }

            document.addEventListener('click', async (event) => {
                const target = event.target;
                if (!(target instanceof HTMLElement) || !target.matches('[data-copy]')) return;
                try {
                    await navigator.clipboard.writeText(target.getAttribute('data-copy') || '');
                    target.classList.add('copied');
                    target.textContent = 'Copied';
                    setTimeout(() => {
                        target.classList.remove('copied');
                        target.textContent = 'Copy command';
                    }, 1600);
                } catch {
                    target.textContent = 'Copy failed';
                }
            });
        })();
    </script>
</body>
</html>
HTML;
}

function update_env_values(string $content, array $values): string
{
    $lines = preg_split('/\r\n|\r|\n/', $content) ?: [];
    $seen = [];

    foreach ($lines as &$line) {
        if (! preg_match('/^\s*([A-Z0-9_]+)\s*=/', $line, $matches)) {
            continue;
        }

        $key = $matches[1];
        if (array_key_exists($key, $values)) {
            $line = $key.'='.env_encode((string) $values[$key]);
            $seen[$key] = true;
        }
    }
    unset($line);

    foreach ($values as $key => $value) {
        if (! isset($seen[$key])) {
            $lines[] = $key.'='.env_encode((string) $value);
        }
    }

    return rtrim(implode(PHP_EOL, $lines)).PHP_EOL;
}

function env_value(string $content, string $key): string
{
    if (! preg_match('/^'.preg_quote($key, '/').'=(.*)$/m', $content, $matches)) {
        return '';
    }

    return trim(trim((string) $matches[1]), "\"'");
}

function env_encode(string $value): string
{
    if ($value === 'true' || $value === 'false' || preg_match('/^[A-Za-z0-9_:\\/.-]+$/', $value)) {
        return $value;
    }

    return '"'.str_replace(['\\', '"'], ['\\\\', '\\"'], $value).'"';
}

function minimal_env(): string
{
    return "APP_NAME=\"Mini CMS\"\nAPP_ENV=production\nAPP_KEY=\nAPP_DEBUG=false\nAPP_URL=https://example.com\nASSET_URL=\nDB_CONNECTION=sqlite\nFILESYSTEM_DISK=public\n";
}

function normalize_install_path(string $path, string $projectRoot): string
{
    if ($path === '') {
        return $projectRoot.DIRECTORY_SEPARATOR.'database'.DIRECTORY_SEPARATOR.'database.sqlite';
    }

    if (preg_match('/^[A-Za-z]:[\\\\\\/]/', $path) || str_starts_with($path, DIRECTORY_SEPARATOR)) {
        return $path;
    }

    return $projectRoot.DIRECTORY_SEPARATOR.ltrim($path, '\\/');
}

function ensure_directory(string $path): void
{
    if (! is_dir($path) && ! mkdir($path, 0775, true) && ! is_dir($path)) {
        throw new RuntimeException("Could not create directory: ".relative_name($path));
    }

    if (! is_writable($path)) {
        throw new RuntimeException("Directory is not writable: ".relative_name($path));
    }
}

function copy_directory(string $source, string $destination): void
{
    if (! is_dir($source)) {
        ensure_directory($destination);

        return;
    }

    ensure_directory($destination);
    $items = scandir($source) ?: [];
    foreach ($items as $item) {
        if ($item === '.' || $item === '..') {
            continue;
        }

        $from = $source.DIRECTORY_SEPARATOR.$item;
        $to = $destination.DIRECTORY_SEPARATOR.$item;
        if (is_dir($from)) {
            copy_directory($from, $to);
        } elseif (! copy($from, $to)) {
            throw new RuntimeException('Could not copy storage file: '.relative_name($from));
        }
    }
}

function path_writable(string $path): bool
{
    return @is_writable($path) || (! @file_exists($path) && @is_writable(dirname($path)));
}

function path_inside(string $path, string $directory): bool
{
    $normalizedPath = normalize_path($path);
    $normalizedDirectory = rtrim(normalize_path($directory), '/').'/';

    return str_starts_with($normalizedPath, $normalizedDirectory);
}

function same_path(string $left, string $right): bool
{
    return normalize_path($left) === normalize_path($right);
}

function normalize_path(string $path): string
{
    return str_replace('\\', '/', strtolower(@realpath($path) ?: $path));
}

function shell_available(): bool
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));

    return function_exists('proc_open') && ! in_array('proc_open', $disabled, true)
        && function_exists('shell_exec') && ! in_array('shell_exec', $disabled, true);
}

function guessed_app_url(): string
{
    return MiniCmsInstallerUrl::guessFromServer($_SERVER);
}

function human_error(string $message): string
{
    if (str_contains($message, 'could not find driver')) {
        return 'SQLite/PDO driver is missing. Ask your host to enable pdo_sqlite and sqlite3.';
    }

    return $message;
}

function redact_log(string $message, string $projectRoot): string
{
    $message = str_replace($projectRoot, '[project]', $message);
    $message = preg_replace('/APP_KEY\s*=\s*[^\s]+/i', 'APP_KEY=[hidden]', $message) ?? $message;
    $message = preg_replace('/password\s*[:=]\s*[^\s]+/i', 'password=[hidden]', $message) ?? $message;

    return $message;
}

function relative_name(string $path): string
{
    return str_replace('\\', '/', basename(dirname($path)).'/'.basename($path));
}

function e(mixed $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}