diff --git a/README.md b/README.md
new file mode 100644
index 0000000..5197198
--- /dev/null
+++ b/README.md
@@ -0,0 +1,112 @@
+# Pastebin
+
+A lightweight, self-hosted Pastebin application built with PHP and MySQL.
+No build step required — just drop the files on any PHP-enabled web server.
+
+## Features
+
+- **Create, view, and delete** text/code pastes
+- **Syntax highlighting** for 19 languages powered by [highlight.js](https://highlightjs.org/)
+- **Anonymous comments** on every paste
+- **Delete-token authentication** — session flash on creation, long-lived cookie fallback
+- **Paginated paste listing** — browse all pastes with Prev/Next controls in the sidebar
+- **Responsive UI** — mobile-first layout built with [Tailwind CSS](https://tailwindcss.com/)
+- **Raw endpoint** — `?raw=SLUG` returns plain-text content (great for `curl`)
+- **Zero dependencies** — no Composer, no npm; CDN assets only
+
+## Directory Structure
+
+```
+pastebin/
+├── config/
+│   └── config.php          # DB credentials & application constants
+├── src/
+│   ├── db.php              # PDO factory + schema auto-creation
+│   ├── helpers.php         # Slug/token generation, pagination helpers, language list
+│   └── actions.php         # POST request handlers (create, delete, add_comment, raw)
+├── views/
+│   ├── layout_head.php     # HTML <head> + sticky top navbar
+│   ├── layout_foot.php     # Footer + global JavaScript
+│   ├── home.php            # Create-paste form & error/success notices
+│   ├── paste_view.php      # View paste, comments, and delete form
+│   └── sidebar.php         # Paginated recent-pastes sidebar
+├── index.php               # Application entry point (routing + data fetching)
+├── LICENSE
+└── README.md
+```
+
+## Installation
+
+1. **Clone the repository**
+
+   ```bash
+   git clone https://github.com/druvx13/pastebin.git
+   cd pastebin
+   ```
+
+2. **Configure the database** — edit `config/config.php`:
+
+   ```php
+   define('DB_HOST', '127.0.0.1');
+   define('DB_USER', 'your_db_user');
+   define('DB_PASS', 'your_db_password');
+   define('DB_NAME', 'pastebin_app');
+   ```
+
+3. **Deploy** the directory to a PHP-enabled web server with the project root
+   as the document root (or set up a virtual host pointing to it).
+
+4. **Visit the site** — the database and tables are created automatically on
+   the first request.
+
+## Requirements
+
+| Requirement | Minimum version |
+|---|---|
+| PHP | 7.4 |
+| MySQL / MariaDB | MySQL 5.7 / MariaDB 10.3 |
+| PHP extensions | `pdo`, `pdo_mysql`, `mbstring` |
+
+## Configuration Reference
+
+All configuration lives in `config/config.php`:
+
+| Constant | Default | Description |
+|---|---|---|
+| `DB_HOST` | `127.0.0.1` | MySQL host |
+| `DB_PORT` | `3306` | MySQL port |
+| `DB_USER` | `root` | MySQL username |
+| `DB_PASS` | `password` | MySQL password (**change before deploying**) |
+| `DB_NAME` | `pastebin_app` | Database name (auto-created if absent) |
+| `PASTES_PER_PAGE` | `15` | Pastes shown per page in the sidebar |
+| `COOKIE_LIFETIME` | `2592000` | Cookie lifetime in seconds (default 30 days) |
+| `COMMENT_MAX_LENGTH` | `2000` | Maximum comment body length (characters) |
+| `COMMENT_NAME_MAX` | `100` | Maximum commenter name length (characters) |
+
+## Usage
+
+| Task | How |
+|---|---|
+| **Create a paste** | Fill in the form on the homepage and click **Create Paste** |
+| **View a paste** | Click any entry in the sidebar, or navigate to `/?view=SLUG` |
+| **Copy content** | Click the **Copy** button on the paste page |
+| **Raw content** | Click **Raw** or visit `/?raw=SLUG` (returns `text/plain`) |
+| **Delete a paste** | Use the delete form at the bottom of the paste page |
+| **Browse past pastes** | Use the **← Prev** / **Next →** controls in the sidebar |
+| **Comment on a paste** | Use the comment form on any paste page |
+
+## Security Notes
+
+- **Change the default database credentials** in `config/config.php` before any
+  public deployment.
+- **Enable HTTPS** in production to protect tokens and content in transit.
+- Delete tokens use [`hash_equals()`](https://www.php.net/hash_equals) to
+  prevent timing-attack leakage.
+- All user-supplied content is escaped with `htmlspecialchars()` at render time.
+- Cookies set by the application use `SameSite=Lax` in the JavaScript layer;
+  consider setting the `Secure` flag on the PHP `setcookie()` calls when
+  serving over HTTPS.
+
+## License
+
+[MIT](LICENSE)
diff --git a/config/config.php b/config/config.php
new file mode 100644
index 0000000..bd153f4
--- /dev/null
+++ b/config/config.php
@@ -0,0 +1,28 @@
+<?php
+/*
+ * config/config.php
+ * ------------------
+ * Database credentials and application-wide constants.
+ * Edit these values before deploying.
+ */
+
+/* ===========================
+   DATABASE CONFIGURATION
+   =========================== */
+define('DB_HOST', '127.0.0.1');    // MySQL host
+define('DB_PORT', '3306');         // MySQL port
+define('DB_USER', 'root');         // MySQL username
+define('DB_PASS', 'password');     // MySQL password
+define('DB_NAME', 'pastebin_app'); // Database name (auto-created on first run)
+
+/* ===========================
+   APP CONSTANTS
+   =========================== */
+define('TABLE_PASTES',        'pastes');
+define('TABLE_COMMENTS',      'comments');
+define('SLUG_LENGTH_BYTES',   5);           // slug bytes → hex chars = *2
+define('DELETE_TOKEN_BYTES',  12);          // delete-token bytes → hex
+define('PASTES_PER_PAGE',     15);          // pastes shown per sidebar page
+define('COOKIE_LIFETIME',     30*24*3600);  // cookie lifetime (30 days)
+define('COMMENT_MAX_LENGTH',  2000);        // max comment body length (chars)
+define('COMMENT_NAME_MAX',    100);         // max commenter name length (chars)
diff --git a/index.php b/index.php
index 9bab250..287158c 100644
--- a/index.php
+++ b/index.php
@@ -1,704 +1,108 @@
 <?php
 /*
-================================================================================
-Single-file Pastebin — Monolithic index.php
---------------------------------------------------------------------------------
-This monolithic file implements a Pastebin-like application with:
-
-- Create / View / Delete pastes.
-- Anonymous comments on individual paste pages.
-- Syntax highlighting via highlight.js (CDN).
-- Responsive UI with Tailwind CSS (CDN).
-- MySQL database auto-creation and table initialization.
-- One-time display of delete-token upon creation (session flash) + cookie fallback.
-- Comments table auto-created. Comments are plain-text, escaped on render.
-- All code (PHP, HTML, CSS, JS) in one file for minimal setup.
-
-INSTALL
-1. Edit DB credentials in DATABASE CONFIG section below.
-2. Upload to PHP-enabled webroot as index.php.
-3. Visit page. DB and tables auto-created on first run.
-================================================================================
-*/
-
-/* -------------------------
-   SESSION (required for one-time token flash)
-   ------------------------- */
+ * index.php — Application entry point
+ * =====================================
+ * This is the only public file. It boots the app, routes requests, fetches
+ * data, then delegates rendering to the views in views/.
+ *
+ * Directory layout
+ * ----------------
+ *   config/config.php   — DB credentials & app constants
+ *   src/db.php          — PDO factory + schema auto-creation
+ *   src/helpers.php     — slug/token helpers, pagination, language list
+ *   src/actions.php     — POST handlers (create, delete, add_comment)
+ *   views/layout_head.php — HTML <head> + sticky navbar
+ *   views/layout_foot.php — footer + global JS + </body></html>
+ *   views/home.php        — create-paste form
+ *   views/paste_view.php  — view paste, comments, delete form
+ *   views/sidebar.php     — paginated recent-pastes sidebar
+ *
+ * Installation
+ * ------------
+ * 1. Edit DB_HOST / DB_USER / DB_PASS / DB_NAME in config/config.php.
+ * 2. Point a PHP-enabled web server at this directory.
+ * 3. Open the site — the database and tables are auto-created on first load.
+ */
+
+/* ---- Session (needed for one-time delete-token flash) ---- */
 if (session_status() === PHP_SESSION_NONE) {
     session_start();
 }
 
-/* ===========================
-   DATABASE CONFIGURATION
-   =========================== */
-define('DB_HOST', '127.0.0.1');    // MySQL host
-define('DB_PORT', '3306');         // MySQL port
-define('DB_USER', 'root');         // MySQL username
-define('DB_PASS', 'password');     // MySQL password
-define('DB_NAME', 'pastebin_app'); // Desired DB name (auto-created if allowed)
-
-/* ===========================
-   APP CONSTANTS
-   =========================== */
-define('TABLE_PASTES', 'pastes');
-define('TABLE_COMMENTS', 'comments');
-define('SLUG_LENGTH_BYTES', 5);   // slug length (bytes -> hex chars = *2)
-define('DELETE_TOKEN_BYTES', 12); // delete token bytes (hex)
-define('RECENT_COUNT', 20);       // number of recent pastes on homepage
-define('COOKIE_LIFETIME', 30*24*3600); // cookie lifetime for paste tokens (30 days)
-define('COMMENT_MAX_LENGTH', 2000);
-define('COMMENT_NAME_MAX', 100);
-
-/* ===========================
-   BOOTSTRAP: CONNECT & INIT
-   =========================== */
-try {
-    // Connect without DB to allow DB creation if needed
-    $dsnNoDB = sprintf('mysql:host=%s;port=%s;charset=utf8mb4', DB_HOST, DB_PORT);
-    $pdo = new PDO($dsnNoDB, DB_USER, DB_PASS, [
-        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
-        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
-    ]);
-
-    // Create DB if missing
-    $safeDb = str_replace('`', '``', DB_NAME);
-    $pdo->exec("CREATE DATABASE IF NOT EXISTS `{$safeDb}` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci");
-
-    // Reconnect with DB selected
-    $dsn = sprintf('mysql:host=%s;port=%s;dbname=%s;charset=utf8mb4', DB_HOST, DB_PORT, DB_NAME);
-    $pdo = new PDO($dsn, DB_USER, DB_PASS, [
-        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
-        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
-    ]);
-
-    // Create pastes table if not exists
-    $createPastesSQL = "
-      CREATE TABLE IF NOT EXISTS `" . TABLE_PASTES . "` (
-        id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
-        slug VARCHAR(64) NOT NULL UNIQUE,
-        title VARCHAR(255) DEFAULT NULL,
-        language VARCHAR(64) DEFAULT 'text',
-        content LONGTEXT NOT NULL,
-        delete_token VARCHAR(128) NOT NULL,
-        views INT UNSIGNED NOT NULL DEFAULT 0,
-        created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-        INDEX (created_at)
-      ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
-    ";
-    $pdo->exec($createPastesSQL);
-
-    // Create comments table if not exists (anonymous comments)
-    // columns: id, paste_id (FK), name (nullable), message, created_at
-    $createCommentsSQL = "
-      CREATE TABLE IF NOT EXISTS `" . TABLE_COMMENTS . "` (
-        id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
-        paste_id BIGINT UNSIGNED NOT NULL,
-        name VARCHAR(150) DEFAULT NULL,
-        message TEXT NOT NULL,
-        created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-        INDEX (paste_id),
-        FOREIGN KEY (paste_id) REFERENCES `" . TABLE_PASTES . "` (id) ON DELETE CASCADE
-      ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
-    ";
-    $pdo->exec($createCommentsSQL);
-
-} catch (PDOException $e) {
-    http_response_code(500);
-    echo "<h1>Database error</h1><pre>" . htmlspecialchars($e->getMessage()) . "</pre>";
-    exit;
-}
-
-/* ===========================
-   HELPERS
-   =========================== */
-
-/** Generate a unique slug (hex). Retries then fallback. */
-function generate_unique_slug(PDO $pdo) {
-    for ($i=0; $i<8; $i++) {
-        $slug = bin2hex(random_bytes(SLUG_LENGTH_BYTES));
-        $stmt = $pdo->prepare("SELECT 1 FROM `" . TABLE_PASTES . "` WHERE slug = :s LIMIT 1");
-        $stmt->execute([':s' => $slug]);
-        if (!$stmt->fetch()) return $slug;
-    }
-    return preg_replace('/[^a-z0-9]/', '', uniqid('', true));
-}
-
-/** Generate a delete token (hex) */
-function generate_delete_token() {
-    return bin2hex(random_bytes(DELETE_TOKEN_BYTES));
-}
-
-/* Language options for select and highlight classes */
-$languages = [
-    'text' => 'Plain Text',
-    'bash' => 'Bash',
-    'json' => 'JSON',
-    'xml' => 'XML',
-    'html' => 'HTML',
-    'css' => 'CSS',
-    'javascript' => 'JavaScript',
-    'typescript' => 'TypeScript',
-    'php' => 'PHP',
-    'python' => 'Python',
-    'java' => 'Java',
-    'c' => 'C',
-    'cpp' => 'C++',
-    'csharp' => 'C#',
-    'go' => 'Go',
-    'ruby' => 'Ruby',
-    'rust' => 'Rust',
-    'kotlin' => 'Kotlin',
-    'sql' => 'SQL',
-];
-
-/* Base path for links */
-$basePath = strtok($_SERVER["REQUEST_URI"], '?');
-
-/* ===========================
-   REQUEST HANDLERS
-   =========================== */
-
-/* 1) Create paste (improved: session flash + cookie) */
-if (isset($_POST['action']) && $_POST['action'] === 'create') {
-    $title = isset($_POST['title']) ? trim($_POST['title']) : null;
-    $language = isset($_POST['language']) && array_key_exists($_POST['language'], $languages) ? $_POST['language'] : 'text';
-    $content = isset($_POST['content']) ? trim($_POST['content']) : '';
-
-    if ($content === '') {
-        header("Location: " . $basePath . "?err=empty");
-        exit;
-    }
-
-    try {
-        $slug = generate_unique_slug($pdo);
-        $delete_token = generate_delete_token();
-
-        $stmt = $pdo->prepare("INSERT INTO `" . TABLE_PASTES . "` (slug, title, language, content, delete_token) VALUES (:slug, :title, :lang, :content, :dt)");
-        $stmt->execute([
-            ':slug' => $slug,
-            ':title' => $title ?: null,
-            ':lang' => $language,
-            ':content' => $content,
-            ':dt' => $delete_token
-        ]);
-
-        // session flash & cookie for convenience
-        $_SESSION['last_paste'] = ['slug' => $slug, 'delete_token' => $delete_token];
-        setcookie('paste_token_' . $slug, $delete_token, time() + COOKIE_LIFETIME, "/", "", false, false);
-
-        header("Location: " . $basePath . "?view=" . urlencode($slug) . "&created=1");
-        exit;
-    } catch (PDOException $e) {
-        header("Location: " . $basePath . "?err=db");
-        exit;
-    }
-}
-
-/* 2) Delete paste (accept token or cookie fallback) */
-if (isset($_POST['action']) && $_POST['action'] === 'delete') {
-    $slug = isset($_POST['slug']) ? $_POST['slug'] : '';
-    $provided_token = isset($_POST['token']) ? $_POST['token'] : '';
-
-    if ($slug === '') {
-        header("Location: " . $basePath . "?err=delparams");
-        exit;
-    }
-
-    try {
-        $stmt = $pdo->prepare("SELECT delete_token FROM `" . TABLE_PASTES . "` WHERE slug = :s LIMIT 1");
-        $stmt->execute([':s' => $slug]);
-        $row = $stmt->fetch();
-        if (!$row) {
-            header("Location: " . $basePath . "?err=notfound");
-            exit;
-        }
-        $stored_token = $row['delete_token'];
-        $allowed = false;
-
-        if ($provided_token !== '') {
-            if (hash_equals($stored_token, $provided_token)) $allowed = true;
-        }
-        if (!$allowed) {
-            $cookieName = 'paste_token_' . $slug;
-            if (isset($_COOKIE[$cookieName]) && is_string($_COOKIE[$cookieName]) && $_COOKIE[$cookieName] !== '') {
-                if (hash_equals($stored_token, $_COOKIE[$cookieName])) $allowed = true;
-            }
-        }
-
-        if (!$allowed) {
-            header("Location: " . $basePath . "?err=badtoken");
-            exit;
-        }
-
-        $del = $pdo->prepare("DELETE FROM `" . TABLE_PASTES . "` WHERE slug = :s");
-        $del->execute([':s' => $slug]);
-        setcookie('paste_token_' . $slug, '', time() - 3600, "/", "", false, false);
-
-        header("Location: " . $basePath . "?deleted=1");
-        exit;
-    } catch (PDOException $e) {
-        header("Location: " . $basePath . "?err=db");
-        exit;
+/* ---- Bootstrap ---- */
+require_once __DIR__ . '/config/config.php';
+require_once __DIR__ . '/src/db.php';
+require_once __DIR__ . '/src/helpers.php';
+require_once __DIR__ . '/src/actions.php';
+
+$pdo       = db_connect();
+$languages = get_languages();
+$basePath  = strtok($_SERVER['REQUEST_URI'], '?');
+
+/* ---- Route POST actions (PRG pattern) ---- */
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $action = isset($_POST['action']) ? $_POST['action'] : '';
+    switch ($action) {
+        case 'create':      handle_create($pdo, $basePath, $languages);  break;
+        case 'delete':      handle_delete($pdo, $basePath);              break;
+        case 'add_comment': handle_add_comment($pdo, $basePath);         break;
     }
 }
 
-/* 3) Add anonymous comment (action=add_comment)
-   - expects: slug (paste slug), message (required), name (optional)
-   - stores comment linked to paste.id
-*/
-if (isset($_POST['action']) && $_POST['action'] === 'add_comment') {
-    $slug = isset($_POST['slug']) ? $_POST['slug'] : '';
-    $commenter_name = isset($_POST['commenter_name']) ? trim($_POST['commenter_name']) : null;
-    $comment_msg = isset($_POST['comment_msg']) ? trim($_POST['comment_msg']) : '';
-
-    if ($slug === '' || $comment_msg === '') {
-        header("Location: " . $basePath . "?err=commentparams");
-        exit;
-    }
-    if (mb_strlen($comment_msg) > COMMENT_MAX_LENGTH) {
-        header("Location: " . $basePath . "?view=" . urlencode($slug) . "&err=commenttoolong");
-        exit;
-    }
-    if ($commenter_name !== null && mb_strlen($commenter_name) > COMMENT_NAME_MAX) {
-        $commenter_name = mb_substr($commenter_name, 0, COMMENT_NAME_MAX);
-    }
-
-    try {
-        // get paste id
-        $stmt = $pdo->prepare("SELECT id FROM `" . TABLE_PASTES . "` WHERE slug = :s LIMIT 1");
-        $stmt->execute([':s' => $slug]);
-        $row = $stmt->fetch();
-        if (!$row) {
-            header("Location: " . $basePath . "?err=notfound");
-            exit;
-        }
-        $paste_id = (int)$row['id'];
-
-        // insert comment
-        $ins = $pdo->prepare("INSERT INTO `" . TABLE_COMMENTS . "` (paste_id, name, message) VALUES (:pid, :n, :m)");
-        $ins->execute([
-            ':pid' => $paste_id,
-            ':n' => $commenter_name ?: null,
-            ':m' => $comment_msg
-        ]);
-
-        // optional: store commenter name in cookie to prefill next time
-        if ($commenter_name && $commenter_name !== '') {
-            setcookie('commenter_name', $commenter_name, time() + COOKIE_LIFETIME, "/", "", false, false);
-        }
-
-        // redirect back to paste with anchor for comments
-        header("Location: " . $basePath . "?view=" . urlencode($slug) . "#comments");
-        exit;
-    } catch (PDOException $e) {
-        header("Location: " . $basePath . "?err=db");
-        exit;
-    }
-}
-
-/* Raw endpoint: ?raw=SLUG (plaintext) */
+/* ---- Raw-content endpoint: ?raw=SLUG ---- */
 if (isset($_GET['raw'])) {
-    $slug = $_GET['raw'];
-    $stmt = $pdo->prepare("SELECT content FROM `" . TABLE_PASTES . "` WHERE slug = :s LIMIT 1");
-    $stmt->execute([':s' => $slug]);
-    $row = $stmt->fetch();
-    if (!$row) {
-        http_response_code(404);
-        header('Content-Type: text/plain; charset=utf-8');
-        echo "Not found";
-        exit;
-    }
-    // increment views
-    $upd = $pdo->prepare("UPDATE `" . TABLE_PASTES . "` SET views = views + 1 WHERE slug = :s");
-    $upd->execute([':s' => $slug]);
-    header('Content-Type: text/plain; charset=utf-8');
-    echo $row['content'];
-    exit;
+    handle_raw($pdo);
+    // handle_raw() always exits
 }
 
-/* View paste (if ?view=SLUG) - fetch paste and its comments */
+/* ---- View a paste: ?view=SLUG ---- */
 $viewSlug = isset($_GET['view']) ? $_GET['view'] : null;
-$paste = null;
+$paste    = null;
 $comments = [];
+
 if ($viewSlug) {
-    $stmt = $pdo->prepare("SELECT id, slug, title, language, content, views, created_at, delete_token FROM `" . TABLE_PASTES . "` WHERE slug = :s LIMIT 1");
+    $stmt = $pdo->prepare(
+        'SELECT id, slug, title, language, content, views, created_at, delete_token
+         FROM `' . TABLE_PASTES . '`
+         WHERE slug = :s LIMIT 1'
+    );
     $stmt->execute([':s' => $viewSlug]);
     $paste = $stmt->fetch();
 
     if ($paste) {
-        // increment views
-        $upd = $pdo->prepare("UPDATE `" . TABLE_PASTES . "` SET views = views + 1 WHERE id = :id");
+        // Increment view counter
+        $upd = $pdo->prepare(
+            'UPDATE `' . TABLE_PASTES . '` SET views = views + 1 WHERE id = :id'
+        );
         $upd->execute([':id' => $paste['id']]);
         $paste['views'] += 1;
 
-        // fetch comments for this paste
-        $cstmt = $pdo->prepare("SELECT id, name, message, created_at FROM `" . TABLE_COMMENTS . "` WHERE paste_id = :pid ORDER BY created_at ASC");
+        // Fetch comments (oldest first)
+        $cstmt = $pdo->prepare(
+            'SELECT id, name, message, created_at
+             FROM `' . TABLE_COMMENTS . '`
+             WHERE paste_id = :pid
+             ORDER BY created_at ASC'
+        );
         $cstmt->execute([':pid' => $paste['id']]);
         $comments = $cstmt->fetchAll();
     } else {
-        $viewSlug = null; // not found
+        $viewSlug = null; // slug not found — fall through to homepage
     }
 }
 
-/* Recent pastes for sidebar */
-function fetch_recent(PDO $pdo, $count = RECENT_COUNT) {
-    $stmt = $pdo->prepare("SELECT slug, title, language, created_at FROM `" . TABLE_PASTES . "` ORDER BY created_at DESC LIMIT :cnt");
-    $stmt->bindValue(':cnt', (int)$count, PDO::PARAM_INT);
-    $stmt->execute();
-    return $stmt->fetchAll();
-}
-$recentPastes = fetch_recent($pdo);
-
-/* ===========================
-   RENDER HTML UI (monolithic)
-   =========================== */
-?><!doctype html>
-<html lang="en">
-<head>
-  <meta charset="utf-8" />
-  <meta name="viewport" content="width=device-width,initial-scale=1" />
-  <title>Pastebin — Single-file</title>
-
-  <!-- Tailwind CDN -->
-  <script src="https://cdn.tailwindcss.com"></script>
-
-  <!-- highlight.js -->
-  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/styles/github-dark.min.css">
-  <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/highlight.min.js"></script>
-  <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/languages/javascript.min.js"></script>
-  <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/languages/python.min.js"></script>
-  <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/languages/php.min.js"></script>
-  <script>hljs.configure({ignoreUnescapedHTML:true});</script>
-
-  <style>
-    pre.hljs { padding: 1rem; border-radius: .5rem; overflow:auto; font-size:0.95rem; }
-  </style>
-</head>
-<body class="bg-slate-50 text-slate-800">
-  <div class="min-h-screen flex items-start justify-center py-10 px-4">
-    <div class="w-full max-w-6xl">
-
-      <!-- Header -->
-      <header class="mb-6">
-        <div class="flex items-center justify-between gap-4">
-          <div>
-            <h1 class="text-2xl font-semibold">Pastebin — Single-file</h1>
-            <p class="text-sm text-slate-500">Create, view, delete pastes. Anonymous comments available per paste.</p>
-          </div>
-          <div class="text-right text-xs text-slate-500">
-            PHP + MySQL + Tailwind + highlight.js
-          </div>
-        </div>
-      </header>
-
-      <main class="grid grid-cols-1 lg:grid-cols-3 gap-6">
-        <!-- MAIN -->
-        <section class="lg:col-span-2 bg-white rounded-lg shadow-sm border p-5">
-
-          <?php if ($viewSlug && $paste): ?>
-            <?php
-              // One-time token display logic: session flash first, then cookie fallback
-              $show_token = null;
-              if (isset($_SESSION['last_paste']) && is_array($_SESSION['last_paste']) && $_SESSION['last_paste']['slug'] === $paste['slug']) {
-                  $show_token = $_SESSION['last_paste']['delete_token'];
-                  unset($_SESSION['last_paste']);
-              } else {
-                  $cookieName = 'paste_token_' . $paste['slug'];
-                  if (isset($_COOKIE[$cookieName]) && is_string($_COOKIE[$cookieName]) && $_COOKIE[$cookieName] !== '') {
-                      $show_token = $_COOKIE[$cookieName];
-                  }
-              }
-
-              // Prefill commenter name from cookie if exists
-              $prefill_commenter = isset($_COOKIE['commenter_name']) ? $_COOKIE['commenter_name'] : '';
-            ?>
-
-            <div class="mb-4 flex items-start justify-between gap-4">
-              <div>
-                <h2 class="text-lg font-medium"><?php echo htmlspecialchars($paste['title'] ?: '[Untitled]'); ?></h2>
-                <div class="text-sm text-slate-500 mt-1">
-                  Language: <span class="font-medium"><?php echo htmlspecialchars($paste['language']); ?></span>
-                  &nbsp;•&nbsp;
-                  Created: <?php echo htmlspecialchars($paste['created_at']); ?>
-                  &nbsp;•&nbsp;
-                  Views: <?php echo (int)$paste['views']; ?>
-                </div>
-              </div>
-
-              <div class="flex items-center gap-2">
-                <a class="inline-flex items-center px-3 py-2 rounded bg-slate-100 hover:bg-slate-200 text-sm" href="<?php echo htmlspecialchars($basePath . '?raw=' . urlencode($paste['slug'])); ?>" target="_blank">Raw</a>
-                <button id="copyRawBtn" class="inline-flex items-center px-3 py-2 rounded bg-indigo-600 text-white text-sm">Copy Raw</button>
-              </div>
-            </div>
-
-            <?php if (!empty($show_token)): ?>
-              <div class="mb-4 p-3 bg-yellow-50 border border-yellow-200 rounded text-sm">
-                <div class="font-medium">Delete token (store securely)</div>
-                <div class="mt-2 flex items-center gap-2">
-                  <input id="showDeleteToken" readonly class="px-3 py-2 border rounded w-full" value="<?php echo htmlspecialchars($show_token); ?>">
-                  <button id="copyDeleteToken" class="px-3 py-2 bg-indigo-600 text-white rounded">Copy</button>
-                </div>
-                <div class="text-xs text-slate-500 mt-2">This token is required to delete the paste if you don't use the same browser. It is shown once after creation.</div>
-              </div>
-            <?php endif; ?>
-
-            <div class="prose max-w-none mb-6">
-              <pre><code id="codeBlock" class="language-<?php echo htmlspecialchars($paste['language']); ?>"><?php
-                echo htmlspecialchars($paste['content']);
-              ?></code></pre>
-            </div>
+/* ---- Page title ---- */
+$pageTitle = $paste
+    ? ($paste['title'] ?: 'Untitled paste')
+    : 'New Paste';
 
-            <!-- Comments section -->
-            <div id="comments" class="mt-6">
-              <h3 class="text-md font-semibold mb-3">Comments (<?php echo count($comments); ?>)</h3>
+/* ---- Render ---- */
+include __DIR__ . '/views/layout_head.php';
 
-              <!-- Add comment form -->
-              <form method="post" class="mb-4" onsubmit="return validateComment(this);">
-                <input type="hidden" name="action" value="add_comment">
-                <input type="hidden" name="slug" value="<?php echo htmlspecialchars($paste['slug']); ?>">
-
-                <div class="grid grid-cols-1 md:grid-cols-3 gap-3 mb-2">
-                  <input name="commenter_name" id="commenter_name" class="px-3 py-2 border rounded" placeholder="Name (optional)" maxlength="<?php echo COMMENT_NAME_MAX; ?>" value="<?php echo htmlspecialchars($prefill_commenter); ?>">
-                  <div class="md:col-span-2">
-                    <textarea name="comment_msg" id="comment_msg" rows="3" class="w-full px-3 py-2 border rounded" placeholder="Write your comment..." maxlength="<?php echo COMMENT_MAX_LENGTH; ?>"></textarea>
-                  </div>
-                </div>
-
-                <div class="flex items-center gap-3">
-                  <button type="submit" class="px-3 py-2 bg-green-600 text-white rounded">Post Comment</button>
-                  <button type="reset" class="px-3 py-2 bg-slate-100 rounded">Reset</button>
-                  <div class="text-xs text-slate-500 ml-auto">Comments are anonymous; provide a name to display it.</div>
-                </div>
-              </form>
-
-              <!-- Comments list -->
-              <?php if (count($comments) === 0): ?>
-                <div class="text-sm text-slate-500">No comments yet. Be the first to comment.</div>
-              <?php else: ?>
-                <div class="space-y-3">
-                  <?php foreach ($comments as $c): ?>
-                    <div class="p-3 border rounded bg-slate-50">
-                      <div class="flex items-center justify-between">
-                        <div class="text-sm font-medium"><?php echo htmlspecialchars($c['name'] ?: 'Anonymous'); ?></div>
-                        <div class="text-xs text-slate-400"><?php echo htmlspecialchars($c['created_at']); ?></div>
-                      </div>
-                      <div class="mt-2 text-sm text-slate-800 whitespace-pre-wrap"><?php echo nl2br(htmlspecialchars($c['message'])); ?></div>
-                    </div>
-                  <?php endforeach; ?>
-                </div>
-              <?php endif; ?>
-
-            </div>
-
-            <!-- Delete section -->
-            <div class="mt-6 text-sm text-slate-600">
-              <p class="mb-2">To delete this paste, enter the delete token (shown above at creation) or use the same browser (cookie-based). If you don't have either, contact the site admin or remove via DB.</p>
-
-              <form method="post" class="mt-3 grid grid-cols-1 md:grid-cols-3 gap-2" onsubmit="return confirm('Delete this paste? This action cannot be undone.')">
-                <input type="hidden" name="action" value="delete">
-                <input type="hidden" name="slug" value="<?php echo htmlspecialchars($paste['slug']); ?>">
-                <input id="deleteTokenInput" name="token" placeholder="Delete token (or leave empty to use cookie)" class="px-3 py-2 border rounded col-span-2">
-                <button class="px-3 py-2 bg-red-600 text-white rounded">Delete</button>
-              </form>
-            </div>
-
-            <script>
-              document.addEventListener('DOMContentLoaded', function(){
-                try { hljs.highlightElement(document.getElementById('codeBlock')); } catch(e){}
-                // copy raw
-                const crBtn = document.getElementById('copyRawBtn');
-                if (crBtn) {
-                  crBtn.addEventListener('click', async function(){
-                    try {
-                      const raw = <?php echo json_encode($paste['content']); ?>;
-                      await navigator.clipboard.writeText(raw);
-                      this.textContent = 'Copied';
-                      setTimeout(()=> this.textContent = 'Copy Raw', 1400);
-                    } catch (e) { alert('Copy failed'); }
-                  });
-                }
-                // copy delete token
-                const copyBtn = document.getElementById('copyDeleteToken');
-                const delInput = document.getElementById('showDeleteToken');
-                if (copyBtn && delInput) {
-                  copyBtn.addEventListener('click', async function(){
-                    try {
-                      await navigator.clipboard.writeText(delInput.value);
-                      this.textContent = 'Copied';
-                      setTimeout(()=> this.textContent = 'Copy', 1400);
-                    } catch(e) { alert('Copy failed'); }
-                  });
-                }
-                // Autofill delete token input from cookie
-                (function autofillFromCookie(){
-                  try {
-                    const slug = <?php echo json_encode($paste['slug']); ?>;
-                    const cname = 'paste_token_' + slug;
-                    const val = (function getCookie(n){ const m = document.cookie.match('(^|;)\\s*' + n + '\\s*=\\s*([^;]+)'); return m ? decodeURIComponent(m[2]) : null; })(cname);
-                    if (val) {
-                      const deleteInput = document.getElementById('deleteTokenInput');
-                      if (deleteInput && deleteInput.value.trim() === '') deleteInput.value = val;
-                    }
-                  } catch(e){}
-                })();
-                // Prefill commenter name input from commenter_name cookie
-                (function prefillCommenter(){
-                  try {
-                    const v = (function getCookie(n){ const m = document.cookie.match('(^|;)\\s*' + n + '\\s*=\\s*([^;]+)'); return m ? decodeURIComponent(m[2]) : null; })('commenter_name');
-                    if (v) {
-                      const el = document.getElementById('commenter_name');
-                      if (el && el.value.trim() === '') el.value = v;
-                    }
-                  } catch(e){}
-                })();
-              });
-
-              // client-side validation for comment form
-              function validateComment(form) {
-                const msg = form.comment_msg.value || '';
-                if (msg.trim().length === 0) {
-                  alert('Comment cannot be empty.');
-                  return false;
-                }
-                if (msg.length > <?php echo COMMENT_MAX_LENGTH; ?>) {
-                  alert('Comment too long.');
-                  return false;
-                }
-                return true;
-              }
-            </script>
-
-          <?php else: ?>
-            <!-- Create page -->
-            <h2 class="text-lg font-medium mb-3">Create a new paste</h2>
-
-            <?php if (isset($_GET['err'])): ?>
-              <div class="mb-3 text-sm text-red-600">
-                <?php
-                  $e = $_GET['err'];
-                  if ($e === 'empty') echo 'Content cannot be empty.';
-                  elseif ($e === 'db') echo 'A database error occurred.';
-                  elseif ($e === 'badtoken') echo 'Invalid token provided for deletion.';
-                  elseif ($e === 'notfound') echo 'Paste not found.';
-                  elseif ($e === 'commenttoolong') echo 'Comment too long.';
-                  else echo 'An error occurred.';
-                ?>
-              </div>
-            <?php elseif (isset($_GET['deleted'])): ?>
-              <div class="mb-3 text-sm text-green-700">Paste deleted.</div>
-            <?php endif; ?>
-
-            <form method="post" class="space-y-4">
-              <input type="hidden" name="action" value="create">
-              <div>
-                <label class="block text-sm font-medium text-slate-700 mb-1">Title (optional)</label>
-                <input name="title" maxlength="255" class="w-full px-3 py-2 border rounded" placeholder="Short description">
-              </div>
-
-              <div class="flex gap-4 items-center">
-                <div>
-                  <label class="block text-sm font-medium text-slate-700 mb-1">Language</label>
-                  <select name="language" class="w-48 px-3 py-2 border rounded">
-                    <?php foreach ($languages as $key => $label): ?>
-                      <option value="<?php echo htmlspecialchars($key); ?>"><?php echo htmlspecialchars($label); ?></option>
-                    <?php endforeach; ?>
-                  </select>
-                </div>
-                <div class="ml-auto text-sm text-slate-500">Tip: Use Raw link to fetch plain content programmatically.</div>
-              </div>
-
-              <div>
-                <label class="block text-sm font-medium text-slate-700 mb-1">Content</label>
-                <textarea name="content" rows="14" class="w-full px-3 py-3 border rounded font-mono" placeholder="// paste your code here"></textarea>
-              </div>
-
-              <div class="flex items-center gap-3">
-                <button type="submit" class="px-4 py-2 bg-indigo-600 text-white rounded">Create Paste</button>
-                <button type="reset" class="px-4 py-2 bg-slate-100 rounded">Reset</button>
-                <div class="text-sm text-slate-500">A delete token will be shown once after creation and stored in a cookie for this browser.</div>
-              </div>
-            </form>
-
-          <?php endif; ?>
-        </section>
-
-        <!-- SIDEBAR -->
-        <aside class="bg-white rounded-lg shadow-sm border p-5">
-          <div class="mb-4">
-            <h3 class="text-sm font-medium mb-2">Recent pastes</h3>
-            <?php if (count($recentPastes) === 0): ?>
-              <div class="text-sm text-slate-500">No pastes yet.</div>
-            <?php else: ?>
-              <ul class="space-y-2 text-sm">
-                <?php foreach ($recentPastes as $r): ?>
-                  <li class="flex items-start justify-between gap-2">
-                    <div>
-                      <a class="font-medium text-slate-700" href="<?php echo htmlspecialchars($basePath . '?view=' . urlencode($r['slug'])); ?>"><?php echo htmlspecialchars($r['title'] ?: '[Untitled]'); ?></a>
-                      <div class="text-xs text-slate-500"><?php echo htmlspecialchars($r['language']); ?> · <?php echo htmlspecialchars($r['created_at']); ?></div>
-                    </div>
-                  </li>
-                <?php endforeach; ?>
-              </ul>
-            <?php endif; ?>
-          </div>
-
-          <div class="mt-4 text-xs text-slate-500">
-            Tips:
-            <ul class="list-disc ml-4 mt-2">
-              <li>Store the delete token shown immediately to delete the paste from another device.</li>
-              <li>Cookie fallback allows deletion from the same browser without manual token copy.</li>
-              <li>Comments are anonymous; name is optional. Provide a name to display it.</li>
-            </ul>
-          </div>
-        </aside>
-      </main>
-
-      <footer class="mt-8 text-center text-xs text-slate-400">
-        Single-file Pastebin demo with comments. For production: secure DB credentials, enable HTTPS, and build Tailwind.
-      </footer>
-    </div>
-  </div>
-
-  <!-- Client JS -->
-  <script>
-    // highlight code blocks on load
-    document.addEventListener('DOMContentLoaded', function(){
-      document.querySelectorAll('pre code').forEach((el) => {
-        try { hljs.highlightElement(el); } catch(e){}
-      });
-    });
+if ($paste) {
+    include __DIR__ . '/views/paste_view.php';
+} else {
+    include __DIR__ . '/views/home.php';
+}
 
-    // Basic delete confirmation and simple client-side comment validation previously defined per-page
-    document.addEventListener('submit', function(e){
-      const form = e.target;
-      if (form && form.querySelector('input[name="action"]')) {
-        const action = form.querySelector('input[name="action"]').value;
-        if (action === 'delete') {
-          if (!confirm('Delete this paste? This action cannot be undone.')) {
-            e.preventDefault();
-            return false;
-          }
-        }
-        if (action === 'add_comment') {
-          const msg = form.comment_msg.value || '';
-          if (msg.trim().length === 0) {
-            alert('Comment cannot be empty.');
-            e.preventDefault();
-            return false;
-          }
-          if (msg.length > <?php echo COMMENT_MAX_LENGTH; ?>) {
-            alert('Comment too long.');
-            e.preventDefault();
-            return false;
-          }
-          // store commenter name in cookie if provided
-          const name = (form.commenter_name && form.commenter_name.value) ? form.commenter_name.value.trim() : '';
-          if (name) {
-            document.cookie = 'commenter_name=' + encodeURIComponent(name) + ';path=/;max-age=<?php echo COOKIE_LIFETIME; ?>';
-          }
-        }
-      }
-    });
-  </script>
-</body>
-</html>
+include __DIR__ . '/views/layout_foot.php';
diff --git a/src/actions.php b/src/actions.php
new file mode 100644
index 0000000..0018086
--- /dev/null
+++ b/src/actions.php
@@ -0,0 +1,237 @@
+<?php
+/*
+ * src/actions.php
+ * ----------------
+ * HTTP request handlers for all POST actions and the raw-content GET endpoint.
+ * Every handler redirects (PRG pattern) or exits after writing a response.
+ */
+
+/**
+ * Handle POST action=create.
+ * Validates input, inserts a new paste, stores the delete token in a session
+ * flash and a cookie, then redirects to the paste view.
+ *
+ * @param PDO    $pdo
+ * @param string $basePath  Base URL path (no query string)
+ * @param array  $languages Valid language keys
+ */
+function handle_create(PDO $pdo, string $basePath, array $languages): void
+{
+    $title    = isset($_POST['title'])    ? trim($_POST['title'])    : null;
+    $language = (isset($_POST['language']) && array_key_exists($_POST['language'], $languages))
+                ? $_POST['language']
+                : 'text';
+    $content  = isset($_POST['content']) ? trim($_POST['content']) : '';
+
+    if ($content === '') {
+        header('Location: ' . $basePath . '?err=empty');
+        exit;
+    }
+
+    try {
+        $slug         = generate_unique_slug($pdo);
+        $delete_token = generate_delete_token();
+
+        $stmt = $pdo->prepare(
+            'INSERT INTO `' . TABLE_PASTES . '`
+             (slug, title, language, content, delete_token)
+             VALUES (:slug, :title, :lang, :content, :dt)'
+        );
+        $stmt->execute([
+            ':slug'    => $slug,
+            ':title'   => $title ?: null,
+            ':lang'    => $language,
+            ':content' => $content,
+            ':dt'      => $delete_token,
+        ]);
+
+        // Session flash (one-time display) + long-lived cookie fallback
+        $_SESSION['last_paste'] = ['slug' => $slug, 'delete_token' => $delete_token];
+        setcookie(
+            'paste_token_' . $slug,
+            $delete_token,
+            time() + COOKIE_LIFETIME,
+            '/', '', false, false
+        );
+
+        header('Location: ' . $basePath . '?view=' . urlencode($slug) . '&created=1');
+        exit;
+
+    } catch (PDOException $e) {
+        header('Location: ' . $basePath . '?err=db');
+        exit;
+    }
+}
+
+/**
+ * Handle POST action=delete.
+ * Verifies the supplied token (or cookie fallback), deletes the paste, then
+ * redirects to the homepage with a success flag.
+ *
+ * @param PDO    $pdo
+ * @param string $basePath
+ */
+function handle_delete(PDO $pdo, string $basePath): void
+{
+    $slug           = isset($_POST['slug'])  ? $_POST['slug']  : '';
+    $provided_token = isset($_POST['token']) ? $_POST['token'] : '';
+
+    if ($slug === '') {
+        header('Location: ' . $basePath . '?err=delparams');
+        exit;
+    }
+
+    try {
+        $stmt = $pdo->prepare(
+            'SELECT delete_token FROM `' . TABLE_PASTES . '`
+             WHERE slug = :s LIMIT 1'
+        );
+        $stmt->execute([':s' => $slug]);
+        $row = $stmt->fetch();
+
+        if (!$row) {
+            header('Location: ' . $basePath . '?err=notfound');
+            exit;
+        }
+
+        $stored_token = $row['delete_token'];
+        $allowed      = false;
+
+        // Check explicitly provided token first
+        if ($provided_token !== '' && hash_equals($stored_token, $provided_token)) {
+            $allowed = true;
+        }
+
+        // Cookie fallback
+        if (!$allowed) {
+            $cookieName = 'paste_token_' . $slug;
+            if (
+                isset($_COOKIE[$cookieName]) &&
+                is_string($_COOKIE[$cookieName]) &&
+                $_COOKIE[$cookieName] !== '' &&
+                hash_equals($stored_token, $_COOKIE[$cookieName])
+            ) {
+                $allowed = true;
+            }
+        }
+
+        if (!$allowed) {
+            header('Location: ' . $basePath . '?err=badtoken');
+            exit;
+        }
+
+        $del = $pdo->prepare('DELETE FROM `' . TABLE_PASTES . '` WHERE slug = :s');
+        $del->execute([':s' => $slug]);
+        setcookie('paste_token_' . $slug, '', time() - 3600, '/', '', false, false);
+
+        header('Location: ' . $basePath . '?deleted=1');
+        exit;
+
+    } catch (PDOException $e) {
+        header('Location: ' . $basePath . '?err=db');
+        exit;
+    }
+}
+
+/**
+ * Handle POST action=add_comment.
+ * Validates input, inserts an anonymous comment linked to the paste,
+ * optionally stores the commenter name in a cookie, then redirects back
+ * to the paste page anchored at #comments.
+ *
+ * @param PDO    $pdo
+ * @param string $basePath
+ */
+function handle_add_comment(PDO $pdo, string $basePath): void
+{
+    $slug           = isset($_POST['slug'])           ? $_POST['slug']                       : '';
+    $commenter_name = isset($_POST['commenter_name']) ? trim($_POST['commenter_name'])        : null;
+    $comment_msg    = isset($_POST['comment_msg'])    ? trim($_POST['comment_msg'])           : '';
+
+    if ($slug === '' || $comment_msg === '') {
+        header('Location: ' . $basePath . '?err=commentparams');
+        exit;
+    }
+
+    if (mb_strlen($comment_msg) > COMMENT_MAX_LENGTH) {
+        header('Location: ' . $basePath . '?view=' . urlencode($slug) . '&err=commenttoolong');
+        exit;
+    }
+
+    if ($commenter_name !== null && mb_strlen($commenter_name) > COMMENT_NAME_MAX) {
+        $commenter_name = mb_substr($commenter_name, 0, COMMENT_NAME_MAX);
+    }
+
+    try {
+        $stmt = $pdo->prepare(
+            'SELECT id FROM `' . TABLE_PASTES . '` WHERE slug = :s LIMIT 1'
+        );
+        $stmt->execute([':s' => $slug]);
+        $row = $stmt->fetch();
+
+        if (!$row) {
+            header('Location: ' . $basePath . '?err=notfound');
+            exit;
+        }
+
+        $paste_id = (int) $row['id'];
+        $ins      = $pdo->prepare(
+            'INSERT INTO `' . TABLE_COMMENTS . '`
+             (paste_id, name, message)
+             VALUES (:pid, :n, :m)'
+        );
+        $ins->execute([
+            ':pid' => $paste_id,
+            ':n'   => $commenter_name ?: null,
+            ':m'   => $comment_msg,
+        ]);
+
+        if ($commenter_name && $commenter_name !== '') {
+            setcookie(
+                'commenter_name',
+                $commenter_name,
+                time() + COOKIE_LIFETIME,
+                '/', '', false, false
+            );
+        }
+
+        header('Location: ' . $basePath . '?view=' . urlencode($slug) . '#comments');
+        exit;
+
+    } catch (PDOException $e) {
+        header('Location: ' . $basePath . '?err=db');
+        exit;
+    }
+}
+
+/**
+ * Handle GET ?raw=SLUG.
+ * Returns the paste content as plain text and increments the view counter.
+ *
+ * @param PDO $pdo
+ */
+function handle_raw(PDO $pdo): void
+{
+    $slug = $_GET['raw'];
+    $stmt = $pdo->prepare(
+        'SELECT content FROM `' . TABLE_PASTES . '` WHERE slug = :s LIMIT 1'
+    );
+    $stmt->execute([':s' => $slug]);
+    $row = $stmt->fetch();
+
+    if (!$row) {
+        http_response_code(404);
+        header('Content-Type: text/plain; charset=utf-8');
+        echo 'Not found';
+        exit;
+    }
+
+    $upd = $pdo->prepare(
+        'UPDATE `' . TABLE_PASTES . '` SET views = views + 1 WHERE slug = :s'
+    );
+    $upd->execute([':s' => $slug]);
+
+    header('Content-Type: text/plain; charset=utf-8');
+    echo $row['content'];
+    exit;
+}
diff --git a/src/db.php b/src/db.php
new file mode 100644
index 0000000..0a1e24f
--- /dev/null
+++ b/src/db.php
@@ -0,0 +1,80 @@
+<?php
+/*
+ * src/db.php
+ * -----------
+ * Database connection, schema creation, and the db_connect() factory.
+ * Requires constants defined in config/config.php.
+ */
+
+/**
+ * Create a PDO connection, auto-create the database and tables if they do not
+ * exist yet, and return the ready-to-use PDO instance.
+ *
+ * On failure the function emits a plain-text error and exits so that the
+ * calling code never receives a null/false value.
+ */
+function db_connect(): PDO
+{
+    try {
+        // Connect without selecting a database so we can CREATE DATABASE
+        $dsnNoDB = sprintf('mysql:host=%s;port=%s;charset=utf8mb4', DB_HOST, DB_PORT);
+        $pdo = new PDO($dsnNoDB, DB_USER, DB_PASS, [
+            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
+            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+        ]);
+
+        $safeDb = str_replace('`', '``', DB_NAME);
+        $pdo->exec(
+            "CREATE DATABASE IF NOT EXISTS `{$safeDb}`
+             CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci"
+        );
+
+        // Reconnect with the target database selected
+        $dsn = sprintf(
+            'mysql:host=%s;port=%s;dbname=%s;charset=utf8mb4',
+            DB_HOST, DB_PORT, DB_NAME
+        );
+        $pdo = new PDO($dsn, DB_USER, DB_PASS, [
+            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
+            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+        ]);
+
+        // Pastes table
+        $pdo->exec("
+            CREATE TABLE IF NOT EXISTS `" . TABLE_PASTES . "` (
+                id           BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
+                slug         VARCHAR(64)     NOT NULL UNIQUE,
+                title        VARCHAR(255)    DEFAULT NULL,
+                language     VARCHAR(64)     DEFAULT 'text',
+                content      LONGTEXT        NOT NULL,
+                delete_token VARCHAR(128)    NOT NULL,
+                views        INT UNSIGNED    NOT NULL DEFAULT 0,
+                created_at   TIMESTAMP       NOT NULL DEFAULT CURRENT_TIMESTAMP,
+                INDEX (created_at)
+            ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci
+        ");
+
+        // Comments table (cascade-deletes when a paste is removed)
+        $pdo->exec("
+            CREATE TABLE IF NOT EXISTS `" . TABLE_COMMENTS . "` (
+                id         BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
+                paste_id   BIGINT UNSIGNED NOT NULL,
+                name       VARCHAR(150)    DEFAULT NULL,
+                message    TEXT            NOT NULL,
+                created_at TIMESTAMP       NOT NULL DEFAULT CURRENT_TIMESTAMP,
+                INDEX (paste_id),
+                FOREIGN KEY (paste_id)
+                    REFERENCES `" . TABLE_PASTES . "` (id)
+                    ON DELETE CASCADE
+            ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci
+        ");
+
+        return $pdo;
+
+    } catch (PDOException $e) {
+        http_response_code(500);
+        echo '<h1>Database error</h1><pre>'
+            . htmlspecialchars($e->getMessage()) . '</pre>';
+        exit;
+    }
+}
diff --git a/src/helpers.php b/src/helpers.php
new file mode 100644
index 0000000..249780c
--- /dev/null
+++ b/src/helpers.php
@@ -0,0 +1,98 @@
+<?php
+/*
+ * src/helpers.php
+ * ----------------
+ * Pure utility functions: slug/token generation, pagination helpers,
+ * language list, and the commenter-name cookie helper.
+ */
+
+/**
+ * Generate a cryptographically random, URL-safe hex slug.
+ * Retries up to 8 times to avoid collisions, then falls back to uniqid().
+ */
+function generate_unique_slug(PDO $pdo): string
+{
+    for ($i = 0; $i < 8; $i++) {
+        $slug = bin2hex(random_bytes(SLUG_LENGTH_BYTES));
+        $stmt = $pdo->prepare(
+            'SELECT 1 FROM `' . TABLE_PASTES . '` WHERE slug = :s LIMIT 1'
+        );
+        $stmt->execute([':s' => $slug]);
+        if (!$stmt->fetch()) {
+            return $slug;
+        }
+    }
+    // Fallback (extremely unlikely)
+    return preg_replace('/[^a-z0-9]/', '', uniqid('', true));
+}
+
+/**
+ * Generate a cryptographically random delete token (hex string).
+ */
+function generate_delete_token(): string
+{
+    return bin2hex(random_bytes(DELETE_TOKEN_BYTES));
+}
+
+/**
+ * Fetch a paginated list of pastes ordered by most-recent first.
+ *
+ * @param  PDO $pdo
+ * @param  int $page    1-based page number
+ * @param  int $perPage Rows per page (defaults to PASTES_PER_PAGE)
+ * @return array
+ */
+function fetch_pastes(PDO $pdo, int $page = 1, int $perPage = PASTES_PER_PAGE): array
+{
+    $offset = ($page - 1) * $perPage;
+    $stmt   = $pdo->prepare(
+        'SELECT slug, title, language, created_at
+         FROM `' . TABLE_PASTES . '`
+         ORDER BY created_at DESC
+         LIMIT :lim OFFSET :off'
+    );
+    $stmt->bindValue(':lim', $perPage, PDO::PARAM_INT);
+    $stmt->bindValue(':off', $offset,  PDO::PARAM_INT);
+    $stmt->execute();
+    return $stmt->fetchAll();
+}
+
+/**
+ * Return the total number of pastes stored in the database.
+ */
+function count_pastes(PDO $pdo): int
+{
+    return (int) $pdo->query('SELECT COUNT(*) FROM `' . TABLE_PASTES . '`')
+                     ->fetchColumn();
+}
+
+/**
+ * Return the canonical language map used in the create-form <select>
+ * and for syntax-highlight class names.
+ *
+ * @return array<string, string>  key = highlight.js language id, value = display label
+ */
+function get_languages(): array
+{
+    return [
+        'text'       => 'Plain Text',
+        'bash'       => 'Bash',
+        'json'       => 'JSON',
+        'xml'        => 'XML',
+        'html'       => 'HTML',
+        'css'        => 'CSS',
+        'javascript' => 'JavaScript',
+        'typescript' => 'TypeScript',
+        'php'        => 'PHP',
+        'python'     => 'Python',
+        'java'       => 'Java',
+        'c'          => 'C',
+        'cpp'        => 'C++',
+        'csharp'     => 'C#',
+        'go'         => 'Go',
+        'ruby'       => 'Ruby',
+        'rust'       => 'Rust',
+        'kotlin'     => 'Kotlin',
+        'sql'        => 'SQL',
+    ];
+}
diff --git a/views/home.php b/views/home.php
new file mode 100644
index 0000000..2077201
--- /dev/null
+++ b/views/home.php
@@ -0,0 +1,59 @@
+<?php
+/*
+ * views/home.php
+ * ---------------
+ * Create-paste form and homepage error/success notices.
+ *
+ * Expects: $languages, $basePath (set in index.php)
+ */
+?>
+
+<!-- Create page -->
+<h2 class="text-lg font-medium mb-3">Create a new paste</h2>
+
+<?php if (isset($_GET['err'])): ?>
+  <div class="mb-3 text-sm text-red-600">
+    <?php
+      $e = $_GET['err'];
+      if      ($e === 'empty')          echo 'Content cannot be empty.';
+      elseif  ($e === 'db')             echo 'A database error occurred.';
+      elseif  ($e === 'badtoken')       echo 'Invalid token provided for deletion.';
+      elseif  ($e === 'notfound')       echo 'Paste not found.';
+      elseif  ($e === 'commenttoolong') echo 'Comment too long.';
+      else                              echo 'An error occurred.';
+    ?>
+  </div>
+<?php elseif (isset($_GET['deleted'])): ?>
+  <div class="mb-3 text-sm text-green-700">Paste deleted.</div>
+<?php endif; ?>
+
+<form method="post" class="space-y-4">
+  <input type="hidden" name="action" value="create">
+  <div>
+    <label class="block text-sm font-medium text-slate-700 mb-1">Title (optional)</label>
+    <input name="title" maxlength="255" class="w-full px-3 py-2 border rounded" placeholder="Short description">
+  </div>
+
+  <div class="flex gap-4 items-center">
+    <div>
+      <label class="block text-sm font-medium text-slate-700 mb-1">Language</label>
+      <select name="language" class="w-48 px-3 py-2 border rounded">
+        <?php foreach ($languages as $key => $label): ?>
+          <option value="<?php echo htmlspecialchars($key); ?>"><?php echo htmlspecialchars($label); ?></option>
+        <?php endforeach; ?>
+      </select>
+    </div>
+    <div class="ml-auto text-sm text-slate-500">Tip: Use Raw link to fetch plain content programmatically.</div>
+  </div>
+
+  <div>
+    <label class="block text-sm font-medium text-slate-700 mb-1">Content</label>
+    <textarea name="content" rows="14" class="w-full px-3 py-3 border rounded font-mono" placeholder="// paste your code here"></textarea>
+  </div>
+
+  <div class="flex items-center gap-3">
+    <button type="submit" class="px-4 py-2 bg-indigo-600 text-white rounded">Create Paste</button>
+    <button type="reset" class="px-4 py-2 bg-slate-100 rounded">Reset</button>
+    <div class="text-sm text-slate-500">A delete token will be shown once after creation and stored in a cookie for this browser.</div>
+  </div>
+</form>
diff --git a/views/layout_foot.php b/views/layout_foot.php
new file mode 100644
index 0000000..0e09488
--- /dev/null
+++ b/views/layout_foot.php
@@ -0,0 +1,60 @@
+        </section><!-- end main section -->
+
+        <!-- SIDEBAR -->
+        <?php include __DIR__ . '/sidebar.php'; ?>
+
+      </main><!-- end grid -->
+
+      <footer class="mt-8 text-center text-xs text-slate-400">
+        Pastebin — PHP + MySQL + Tailwind CSS + highlight.js
+      </footer>
+    </div><!-- end max-w-6xl -->
+  </div><!-- end min-h-screen -->
+
+  <!-- Global JavaScript -->
+  <script>
+    // Highlight all code blocks on load
+    document.addEventListener('DOMContentLoaded', function () {
+      document.querySelectorAll('pre code').forEach(function (el) {
+        try { hljs.highlightElement(el); } catch (e) {}
+      });
+    });
+
+    // Global form submission guard: delete confirmation + comment validation
+    document.addEventListener('submit', function (e) {
+      var form = e.target;
+      var actionInput = form.querySelector('input[name="action"]');
+      if (!actionInput) return;
+
+      var action = actionInput.value;
+
+      if (action === 'delete') {
+        if (!confirm('Delete this paste? This action cannot be undone.')) {
+          e.preventDefault();
+        }
+        return;
+      }
+
+      if (action === 'add_comment') {
+        var msg = (form.comment_msg && form.comment_msg.value) ? form.comment_msg.value : '';
+        if (msg.trim().length === 0) {
+          alert('Comment cannot be empty.');
+          e.preventDefault();
+          return;
+        }
+        if (msg.length > <?php echo COMMENT_MAX_LENGTH; ?>) {
+          alert('Comment is too long (max <?php echo COMMENT_MAX_LENGTH; ?> characters).');
+          e.preventDefault();
+          return;
+        }
+        // Persist commenter name in cookie for future prefills
+        var nameInput = form.commenter_name;
+        if (nameInput && nameInput.value.trim()) {
+          document.cookie = 'commenter_name=' + encodeURIComponent(nameInput.value.trim())
+            + ';path=/;max-age=<?php echo COOKIE_LIFETIME; ?>';
+        }
+      }
+    });
+  </script>
+</body>
+</html>
diff --git a/views/layout_head.php b/views/layout_head.php
new file mode 100644
index 0000000..fc68218
--- /dev/null
+++ b/views/layout_head.php
@@ -0,0 +1,44 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width,initial-scale=1" />
+  <title><?php echo isset($pageTitle) ? htmlspecialchars($pageTitle) . ' — Pastebin' : 'Pastebin'; ?></title>
+
+  <!-- Tailwind CDN -->
+  <script src="https://cdn.tailwindcss.com"></script>
+
+  <!-- highlight.js -->
+  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/styles/github-dark.min.css">
+  <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/highlight.min.js"></script>
+  <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/languages/javascript.min.js"></script>
+  <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/languages/python.min.js"></script>
+  <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/languages/php.min.js"></script>
+  <script>hljs.configure({ignoreUnescapedHTML:true});</script>
+
+  <style>
+    pre.hljs { padding: 1rem; border-radius: .5rem; overflow:auto; font-size:0.95rem; }
+  </style>
+</head>
+<body class="bg-slate-50 text-slate-800">
+  <div class="min-h-screen flex items-start justify-center py-10 px-4">
+    <div class="w-full max-w-6xl">
+
+      <!-- Header -->
+      <header class="mb-6">
+        <div class="flex items-center justify-between gap-4">
+          <div>
+            <h1 class="text-2xl font-semibold">
+              <a href="<?php echo htmlspecialchars($basePath); ?>" class="hover:underline">Pastebin</a>
+            </h1>
+            <p class="text-sm text-slate-500">Create, view, delete pastes. Anonymous comments available per paste.</p>
+          </div>
+          <div class="text-right text-xs text-slate-500">
+            PHP + MySQL + Tailwind + highlight.js
+          </div>
+        </div>
+      </header>
+
+      <main class="grid grid-cols-1 lg:grid-cols-3 gap-6">
+        <!-- MAIN CONTENT -->
+        <section class="lg:col-span-2 bg-white rounded-lg shadow-sm border p-5">
diff --git a/views/paste_view.php b/views/paste_view.php
new file mode 100644
index 0000000..3416cec
--- /dev/null
+++ b/views/paste_view.php
@@ -0,0 +1,187 @@
+<?php
+/*
+ * views/paste_view.php
+ * ---------------------
+ * Render a single paste: content with syntax highlighting, comments section,
+ * delete form, and the one-time delete-token notice.
+ *
+ * Expects: $paste, $comments, $basePath (set in index.php)
+ */
+
+// One-time token display: prefer session flash, fall back to cookie
+$show_token = null;
+if (
+    isset($_SESSION['last_paste']) &&
+    is_array($_SESSION['last_paste']) &&
+    $_SESSION['last_paste']['slug'] === $paste['slug']
+) {
+    $show_token = $_SESSION['last_paste']['delete_token'];
+    unset($_SESSION['last_paste']);
+} else {
+    $cookieName = 'paste_token_' . $paste['slug'];
+    if (
+        isset($_COOKIE[$cookieName]) &&
+        is_string($_COOKIE[$cookieName]) &&
+        $_COOKIE[$cookieName] !== ''
+    ) {
+        $show_token = $_COOKIE[$cookieName];
+    }
+}
+
+// Prefill commenter name from cookie
+$prefill_commenter = isset($_COOKIE['commenter_name'])
+    ? htmlspecialchars($_COOKIE['commenter_name'])
+    : '';
+?>
+
+<div class="mb-4 flex items-start justify-between gap-4">
+  <div>
+    <h2 class="text-lg font-medium"><?php echo htmlspecialchars($paste['title'] ?: '[Untitled]'); ?></h2>
+    <div class="text-sm text-slate-500 mt-1">
+      Language: <span class="font-medium"><?php echo htmlspecialchars($paste['language']); ?></span>
+      &nbsp;•&nbsp;
+      Created: <?php echo htmlspecialchars($paste['created_at']); ?>
+      &nbsp;•&nbsp;
+      Views: <?php echo (int)$paste['views']; ?>
+    </div>
+  </div>
+
+  <div class="flex items-center gap-2">
+    <a class="inline-flex items-center px-3 py-2 rounded bg-slate-100 hover:bg-slate-200 text-sm"
+       href="<?php echo htmlspecialchars($basePath . '?raw=' . urlencode($paste['slug'])); ?>"
+       target="_blank">Raw</a>
+    <button id="copyRawBtn" class="inline-flex items-center px-3 py-2 rounded bg-indigo-600 text-white text-sm">Copy Raw</button>
+  </div>
+</div>
+
+<?php if (!empty($show_token)): ?>
+  <div class="mb-4 p-3 bg-yellow-50 border border-yellow-200 rounded text-sm">
+    <div class="font-medium">Delete token (store securely)</div>
+    <div class="mt-2 flex items-center gap-2">
+      <input id="showDeleteToken" readonly class="px-3 py-2 border rounded w-full" value="<?php echo htmlspecialchars($show_token); ?>">
+      <button id="copyDeleteToken" class="px-3 py-2 bg-indigo-600 text-white rounded">Copy</button>
+    </div>
+    <div class="text-xs text-slate-500 mt-2">This token is required to delete the paste if you don't use the same browser. It is shown once after creation.</div>
+  </div>
+<?php endif; ?>
+
+<div class="prose max-w-none mb-6">
+  <pre><code id="codeBlock" class="language-<?php echo htmlspecialchars($paste['language']); ?>"><?php
+    echo htmlspecialchars($paste['content']);
+  ?></code></pre>
+</div>
+
+<!-- Comments section -->
+<div id="comments" class="mt-6">
+  <h3 class="text-md font-semibold mb-3">Comments (<?php echo count($comments); ?>)</h3>
+
+  <!-- Add comment form -->
+  <form method="post" class="mb-4">
+    <input type="hidden" name="action" value="add_comment">
+    <input type="hidden" name="slug" value="<?php echo htmlspecialchars($paste['slug']); ?>">
+
+    <div class="grid grid-cols-1 md:grid-cols-3 gap-3 mb-2">
+      <input name="commenter_name" id="commenter_name"
+             class="px-3 py-2 border rounded"
+             placeholder="Name (optional)"
+             maxlength="<?php echo COMMENT_NAME_MAX; ?>"
+             value="<?php echo $prefill_commenter; ?>">
+      <div class="md:col-span-2">
+        <textarea name="comment_msg" id="comment_msg" rows="3"
+                  class="w-full px-3 py-2 border rounded"
+                  placeholder="Write your comment..."
+                  maxlength="<?php echo COMMENT_MAX_LENGTH; ?>"></textarea>
+      </div>
+    </div>
+
+    <div class="flex items-center gap-3">
+      <button type="submit" class="px-3 py-2 bg-green-600 text-white rounded">Post Comment</button>
+      <button type="reset" class="px-3 py-2 bg-slate-100 rounded">Reset</button>
+      <div class="text-xs text-slate-500 ml-auto">Comments are anonymous; provide a name to display it.</div>
+    </div>
+  </form>
+
+  <!-- Comments list -->
+  <?php if (count($comments) === 0): ?>
+    <div class="text-sm text-slate-500">No comments yet. Be the first to comment.</div>
+  <?php else: ?>
+    <div class="space-y-3">
+      <?php foreach ($comments as $c): ?>
+        <div class="p-3 border rounded bg-slate-50">
+          <div class="flex items-center justify-between">
+            <div class="text-sm font-medium"><?php echo htmlspecialchars($c['name'] ?: 'Anonymous'); ?></div>
+            <div class="text-xs text-slate-400"><?php echo htmlspecialchars($c['created_at']); ?></div>
+          </div>
+          <div class="mt-2 text-sm text-slate-800 whitespace-pre-wrap"><?php echo nl2br(htmlspecialchars($c['message'])); ?></div>
+        </div>
+      <?php endforeach; ?>
+    </div>
+  <?php endif; ?>
+
+</div>
+
+<!-- Delete section -->
+<div class="mt-6 text-sm text-slate-600">
+  <p class="mb-2">To delete this paste, enter the delete token (shown above at creation) or use the same browser (cookie-based). If you don't have either, contact the site admin or remove via DB.</p>
+
+  <form method="post" class="mt-3 grid grid-cols-1 md:grid-cols-3 gap-2">
+    <input type="hidden" name="action" value="delete">
+    <input type="hidden" name="slug" value="<?php echo htmlspecialchars($paste['slug']); ?>">
+    <input id="deleteTokenInput" name="token"
+           placeholder="Delete token (or leave empty to use cookie)"
+           class="px-3 py-2 border rounded col-span-2">
+    <button class="px-3 py-2 bg-red-600 text-white rounded">Delete</button>
+  </form>
+</div>
+
+<script>
+document.addEventListener('DOMContentLoaded', function () {
+  try { hljs.highlightElement(document.getElementById('codeBlock')); } catch(e){}
+
+  // Copy raw content
+  var crBtn = document.getElementById('copyRawBtn');
+  if (crBtn) {
+    crBtn.addEventListener('click', function () {
+      var raw = <?php echo json_encode($paste['content']); ?>;
+      navigator.clipboard.writeText(raw).then(function () {
+        crBtn.textContent = 'Copied';
+        setTimeout(function () { crBtn.textContent = 'Copy Raw'; }, 1400);
+      }).catch(function () { alert('Copy failed'); });
+    });
+  }
+
+  // Copy delete token
+  var copyBtn  = document.getElementById('copyDeleteToken');
+  var delInput = document.getElementById('showDeleteToken');
+  if (copyBtn && delInput) {
+    copyBtn.addEventListener('click', function () {
+      navigator.clipboard.writeText(delInput.value).then(function () {
+        copyBtn.textContent = 'Copied';
+        setTimeout(function () { copyBtn.textContent = 'Copy'; }, 1400);
+      }).catch(function () { alert('Copy failed'); });
+    });
+  }
+
+  // Auto-fill delete token input from cookie
+  (function autofillFromCookie() {
+    try {
+      var slug  = <?php echo json_encode($paste['slug']); ?>;
+      var cname = 'paste_token_' + slug;
+      var m     = document.cookie.match('(^|;)\\s*' + cname + '\\s*=\\s*([^;]+)');
+      var val   = m ? decodeURIComponent(m[2]) : null;
+      var input = document.getElementById('deleteTokenInput');
+      if (val && input && input.value.trim() === '') input.value = val;
+    } catch(e) {}
+  })();
+
+  // Prefill commenter name from cookie
+  (function prefillCommenter() {
+    try {
+      var m  = document.cookie.match('(^|;)\\s*commenter_name\\s*=\\s*([^;]+)');
+      var v  = m ? decodeURIComponent(m[2]) : null;
+      var el = document.getElementById('commenter_name');
+      if (v && el && el.value.trim() === '') el.value = v;
+    } catch(e) {}
+  })();
+});
+</script>
diff --git a/views/sidebar.php b/views/sidebar.php
new file mode 100644
index 0000000..dfc2821
--- /dev/null
+++ b/views/sidebar.php
@@ -0,0 +1,81 @@
+<?php
+/*
+ * views/sidebar.php
+ * ------------------
+ * Paginated list of recent pastes in the right-hand sidebar.
+ * Uses the ?p= query parameter for the current page.
+ *
+ * Expects: $pdo, $basePath (set in index.php)
+ *          count_pastes(), fetch_pastes() (from src/helpers.php)
+ */
+
+$sidebarPage   = isset($_GET['p']) ? max(1, (int) $_GET['p']) : 1;
+$totalPastes   = count_pastes($pdo);
+$totalPages    = $totalPastes > 0 ? (int) ceil($totalPastes / PASTES_PER_PAGE) : 1;
+$sidebarPage   = min($sidebarPage, $totalPages);
+$sidebarPastes = fetch_pastes($pdo, $sidebarPage, PASTES_PER_PAGE);
+?>
+
+<aside class="bg-white rounded-lg shadow-sm border p-5">
+  <div class="mb-4">
+    <h3 class="text-sm font-medium mb-2">
+      Recent pastes
+      <span class="text-xs font-normal text-slate-400 ml-1">(<?php echo $totalPastes; ?> total)</span>
+    </h3>
+
+    <?php if (count($sidebarPastes) === 0): ?>
+      <div class="text-sm text-slate-500">No pastes yet.</div>
+    <?php else: ?>
+      <ul class="space-y-2 text-sm">
+        <?php foreach ($sidebarPastes as $r): ?>
+          <li class="flex items-start justify-between gap-2">
+            <div>
+              <a class="font-medium text-slate-700"
+                 href="<?php echo htmlspecialchars($basePath . '?view=' . urlencode($r['slug'])); ?>">
+                <?php echo htmlspecialchars($r['title'] ?: '[Untitled]'); ?>
+              </a>
+              <div class="text-xs text-slate-500">
+                <?php echo htmlspecialchars($r['language']); ?>
+                &middot;
+                <?php echo htmlspecialchars($r['created_at']); ?>
+              </div>
+            </div>
+          </li>
+        <?php endforeach; ?>
+      </ul>
+
+      <!-- Pagination controls -->
+      <?php if ($totalPages > 1): ?>
+        <div class="mt-3 pt-3 border-t flex items-center justify-between text-xs text-slate-500">
+          <?php if ($sidebarPage > 1): ?>
+            <a href="<?php echo htmlspecialchars($basePath . '?p=' . ($sidebarPage - 1)); ?>"
+               class="px-2 py-1 bg-slate-100 hover:bg-slate-200 rounded">← Prev</a>
+          <?php else: ?>
+            <span class="px-2 py-1 text-slate-300">← Prev</span>
+          <?php endif; ?>
+
+          <span><?php echo $sidebarPage; ?> / <?php echo $totalPages; ?></span>
+
+          <?php if ($sidebarPage < $totalPages): ?>
+            <a href="<?php echo htmlspecialchars($basePath . '?p=' . ($sidebarPage + 1)); ?>"
+               class="px-2 py-1 bg-slate-100 hover:bg-slate-200 rounded">Next →</a>
+          <?php else: ?>
+            <span class="px-2 py-1 text-slate-300">Next →</span>
+          <?php endif; ?>
+        </div>
+        <p class="text-center text-xs text-slate-400 mt-1">
+          Showing <?php echo count($sidebarPastes); ?> of <?php echo $totalPastes; ?>
+        </p>
+      <?php endif; ?>
+    <?php endif; ?>
+  </div>
+
+  <div class="mt-4 text-xs text-slate-500">
+    Tips:
+    <ul class="list-disc ml-4 mt-2">
+      <li>Store the delete token shown immediately to delete the paste from another device.</li>
+      <li>Cookie fallback allows deletion from the same browser without manual token copy.</li>
+      <li>Comments are anonymous; name is optional. Provide a name to display it.</li>
+    </ul>
+  </div>
+</aside>