}

// ── CSRF token helper ──────────────────────────────────────────────────────
const CSRF_TOKEN = '<?= csrfToken() ?>';

// ── API helper ─────────────────────────────────────────────────────────────
async function api(endpoint, method = 'GET', data = null) {
  const opts = {
    method,
    headers: { 'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest' },
    credentials: 'same-origin',
  };
  if (data) opts.body = JSON.stringify(data);
  const res = await fetch(endpoint, opts);
  if (!res.ok) {
    const err = await res.json().catch(() => ({ error: 'Network error' }));
    throw new Error(err.error || 'Request failed');
  }
  return res.json();
}
</script>
</body>
</html>