Update TODO.md with admin features roadmap and AGENTS.md with current project state

TODO.md: Add Markdown editor, plugin enable/disable, plugin API,
file uploads, map management, activity log, and more admin features.
Remove resolved items (extract/AuthController/CSRF - replaced by new admin).
AGENTS.md: Document full project structure including admin-console,
add AI model info (claude-opus-4-6), admin routing, security practices.

AGENTS.md

@@ -1,22 +1,97 @@
 # Agent Instructions for CodePress CMS
 
+## AI Model
+- **Huidig model**: `claude-opus-4-6` (OpenCode / `opencode/claude-opus-4-6`)
+- Sessie gestart: 16 feb 2026
+
 ## Build & Run
 - **Run Server**: `php -S localhost:8080 -t public`
-- **Lint PHP**: `find . -name "*.php" -exec php -l {} \;`
+- **Lint PHP**: `find . -name "*.php" -not -path "./vendor/*" -exec php -l {} \;`
-- **Dependencies**: No Composer/NPM required. Native PHP 8.4+ implementation.
+- **Dependencies**: Composer vereist voor CommonMark. Geen NPM.
+- **Admin Console**: Toegankelijk op `/admin.php` (standaard login: `admin` / `admin`)
+
+## Project Structuur
+```
+codepress/
+├── engine/
+│   ├── core/
+│   │   ├── class/
+│   │   │   ├── CodePressCMS.php    # Hoofd CMS class
+│   │   │   ├── Logger.php          # Logging systeem
+│   │   │   └── SimpleTemplate.php  # Mustache-style template engine
+│   │   ├── plugin/
+│   │   │   ├── PluginManager.php   # Plugin loader
+│   │   │   └── CMSAPI.php          # API voor plugins
+│   │   ├── config.php              # Config loader (leest config.json)
+│   │   └── index.php               # Bootstrap (autoloader, requires)
+│   ├── lang/                       # Taalbestanden (nl.php, en.php)
+│   └── templates/                  # Mustache templates
+│       ├── layout.mustache         # Hoofd layout (bevat inline CSS)
+│       ├── assets/
+│       │   ├── header.mustache
+│       │   ├── navigation.mustache
+│       │   └── footer.mustache
+│       ├── markdown_content.mustache
+│       ├── php_content.mustache
+│       └── html_content.mustache
+├── admin-console/                  # Admin paneel
+│   ├── config/
+│   │   ├── app.php                # Admin app configuratie
+│   │   └── admin.json             # Gebruikers & security (file-based)
+│   ├── src/
+│   │   └── AdminAuth.php          # Authenticatie (sessies, bcrypt, CSRF, lockout)
+│   ├── templates/
+│   │   ├── login.php              # Login pagina
+│   │   ├── layout.php             # Admin layout met sidebar
+│   │   └── pages/
+│   │       ├── dashboard.php
+│   │       ├── content.php
+│   │       ├── content-edit.php
+│   │       ├── content-new.php
+│   │       ├── config.php
+│   │       ├── plugins.php
+│   │       └── users.php
+│   └── storage/logs/              # Admin logs
+├── plugins/                        # CMS plugins
+│   ├── HTMLBlock/
+│   └── MQTTTracker/
+├── public/                         # Web root
+│   ├── assets/css/js/
+│   ├── index.php                  # Website entry point
+│   └── admin.php                  # Admin entry point + router
+├── content/                        # Content bestanden
+├── guide/                          # Handleidingen (nl/en)
+├── config.json                     # Site configuratie
+├── TODO.md                         # Openstaande verbeteringen
+└── AGENTS.md                       # Dit bestand
+```
 
 ## Code Style & Conventions
 - **PHP Standards**: Follow PSR-12. Use 4 spaces for indentation.
 - **Naming**: Classes `PascalCase` (e.g., `CodePressCMS`), methods `camelCase` (e.g., `renderMenu`), variables `camelCase`, config keys `snake_case`.
 - **Architecture**: 
-  - Core logic resides in `index.php`.
+  - Core CMS logic in `engine/core/class/CodePressCMS.php`
-  - Configuration in `config.php`.
+  - Bootstrap/requires in `engine/core/index.php`
-  - Public entry point is `public/index.php`.
+  - Configuration loaded from `config.json` via `engine/core/config.php`
-- **Content**: Stored in `public/content/`. Supports `.md` (Markdown), `.php` (Dynamic), `.html` (Static).
+  - Public website entry point: `public/index.php`
-- **Templating**: Simple string replacement `{{placeholder}}` in `templates/layout.html`.
+  - Admin entry point + routing: `public/admin.php`
+  - Admin authenticatie: `admin-console/src/AdminAuth.php`
+- **Content**: Stored in `content/`. Supports `.md` (Markdown), `.php` (Dynamic), `.html` (Static).
+- **Templating**: Mustache-style `{{placeholder}}` in `templates/layout.mustache` via `SimpleTemplate.php`.
 - **Navigation**: Auto-generated from directory structure. Folders require an index file to be clickable in breadcrumbs.
-- **Security**: Always use `htmlspecialchars()` for outputting user/content data.
+- **Security**: 
-- **Git**: `main` is the clean CMS core. `e.noorlander` contains personal content. Do not mix them.
+  - Always use `htmlspecialchars()` for outputting user/content data
+  - Use `realpath()` + prefix-check for path traversal prevention
+  - Admin forms require CSRF tokens via `AdminAuth::verifyCsrf()`
+  - Passwords stored as bcrypt hashes in `admin.json`
+- **Git**: `main` is the clean CMS core. `development` is de actieve development branch. `e.noorlander` bevat persoonlijke content. Niet mixen.
+
+## Admin Console
+- **File-based**: Geen database. Gebruikers opgeslagen in `admin-console/config/admin.json`
+- **Routing**: Via `?route=` parameter in `public/admin.php`
+- **Routes**: `login`, `logout`, `dashboard`, `content`, `content-edit`, `content-new`, `content-delete`, `config`, `plugins`, `users`
+- **Auth**: Session-based. `AdminAuth` class handelt login, logout, CSRF, brute-force lockout af
+- **Templates**: Pure PHP templates in `admin-console/templates/pages/`. Layout in `layout.php`
 
 ## Important: Title vs File/Directory Name Logic
 - **CRITICAL**: When user asks for "title" corrections, they usually mean **FILE/DIRECTORY NAME WITHOUT LANGUAGE PREFIX AND EXTENSIONS**, not the HTML title from content!
@@ -26,4 +101,10 @@
   - `en.php-testen` → display as "Php Testen" (not "ICT")
 - **Method**: Use `formatDisplayName()` to process file/directory names correctly
 - **Priority**: Directory names take precedence over file names when both exist
-- **Language prefixes**: Always remove `nl.` or `en.` prefixes from display names
+- **Language prefixes**: Dynamisch verwijderd op basis van beschikbare talen via `getAvailableLanguages()`
+
+## Bekende aandachtspunten
+- LSP errors over "Undefined function" in PHP files zijn vals-positief (standaard PHP functies worden niet herkend door de LSP). Negeer deze.
+- Zie `TODO.md` voor alle openstaande verbeteringen en nieuwe features.
+- `vendor/` map bevat Composer dependencies (CommonMark, Mustache). Niet handmatig wijzigen.
+- `admin-console/config/admin.json` bevat wachtwoord-hashes. Niet committen met echte productie-wachtwoorden.

TODO.md

@@ -13,7 +13,6 @@
 - [x] **Debug hardcoded** - `'debug' => true` hardcoded in admin config (`admin-console/config/app.php:6`)
 - [x] **Cookie security** - Cookies zonder `Secure`/`HttpOnly`/`SameSite` flags (`MQTTTracker.php:70`)
 - [ ] **autoLinkPageTitles()** - Regex kan geneste `<a>` tags produceren (`CodePressCMS.php:587`)
-- [ ] **extract($data)** - Kan lokale variabelen overschrijven in AuthController (`AuthController.php:77`)
 - [ ] **MQTT wachtwoord** - Credentials in plain text JSON (`MQTTTracker.php:37`)
 
 ## Medium
@@ -32,7 +31,6 @@
 - [ ] **ctime is geen creatietijd op Linux** - `stat()` ctime is inode-wijzigingstijd (`CodePressCMS.php:400`)
 - [ ] **getGuidePage() dupliceert markdown parsing** - Zelfde CommonMark setup als `parseMarkdown()` (`CodePressCMS.php:854`)
 - [ ] **HTMLBlock ontbrekende `</div>`** - Niet-gesloten tags bij null-check (`HTMLBlock.php:68`)
-- [ ] **CSRF-bescherming** - Login form zonder CSRF token (`AuthController.php:18`)
 - [ ] **formatDisplayName() redundante logica** - Dubbele checks en overtollige str_replace (`CodePressCMS.php:688`)
 
 ## Laag
@@ -53,3 +51,32 @@
 - [ ] **Externe links missen rel="noreferrer"**
 - [ ] **Zoekformulier mist aria-label**
 - [ ] **mobile.css override Bootstrap utilities** met `!important`
+
+---
+
+## Admin Console - Nieuwe features
+
+### Hoog
+
+- [ ] **Markdown editor** - WYSIWYG/split-view Markdown editor integreren in content-edit (bijv. EasyMDE, SimpleMDE, of Toast UI Editor). Live preview, toolbar met opmaakknoppen, drag & drop afbeeldingen
+- [ ] **Plugin activeren/deactiveren** - Toggle knop per plugin in admin Plugins pagina. Schrijft `enabled: true/false` naar plugin `config.json`. PluginManager moet `enabled` status respecteren bij het laden
+- [ ] **Plugin API** - Uitgebreide API voor plugins zodat ze kunnen inhaken op CMS events (hooks/filters). Denk aan: `onPageLoad`, `onBeforeRender`, `onAfterRender`, `onSearch`, `onMenuBuild`. Plugins moeten sidebar content, head tags, en footer scripts kunnen injecteren
+
+### Medium
+
+- [ ] **Plugin configuratie editor** - Per-plugin config.json bewerken vanuit admin panel
+- [ ] **Bestand uploaden** - Afbeeldingen en bestanden uploaden via admin Content pagina
+- [ ] **Map aanmaken/verwijderen** - Directory management in admin Content pagina
+- [ ] **Admin activity log** - Logboek van alle admin acties (wie deed wat wanneer) met viewer in dashboard
+- [ ] **Wachtwoord wijzigen eigen account** - Apart formulier voor ingelogde gebruiker om eigen wachtwoord te wijzigen (met huidig wachtwoord verificatie)
+- [ ] **Admin thema** - Admin sidebar kleur overnemen van site thema config (`header_color`)
+
+### Laag
+
+- [ ] **Content preview** - Live preview van Markdown/HTML content naast de editor
+- [ ] **Content versioning** - Simpele file-based backup bij elke save (bijv. `.bak` bestanden)
+- [ ] **Zoeken in admin** - Zoekfunctie binnen de admin content browser
+- [ ] **Drag & drop** - Bestanden herordenen/verplaatsen via drag & drop
+- [ ] **Keyboard shortcuts** - Ctrl+S om op te slaan in editor, Ctrl+N voor nieuw bestand
+- [ ] **Dark mode** - Admin panel dark mode toggle
+- [ ] **Responsive admin** - Admin sidebar inklapbaar op mobiel (nu is het gestacked)