From d664a2f5d8d46cbf11239e528b98091ecb8e471b Mon Sep 17 00:00:00 2001
From: Ryan <ryantl66@gmail.com>
Date: Fri, 31 Oct 2025 17:34:25 -0400
Subject: [PATCH] release(v1.7.3): lightweight boot pipeline, dramatically
 faster first paint, deduped /api writes, sturdier uploads/auth

---
 CHANGELOG.md                         |   84 ++
 config/config.php                    |   16 -
 public/.htaccess                     |   71 +-
 public/css/styles.css                |   11 +-
 public/css/vendor/material-icons.css |    2 +-
 public/css/vendor/roboto.css         |    8 +-
 public/index.html                    |  142 ++--
 public/js/adminPanel.js              |  518 ++++++++-----
 public/js/appCore.js                 |   23 +-
 public/js/auth.js                    |  364 ++++++---
 public/js/defer-css.js               |   20 +
 public/js/fileActions.js             |    5 +
 public/js/fileEditor.js              |  148 ++--
 public/js/fileListView.js            |   89 ++-
 public/js/i18n.js                    |    2 +-
 public/js/main.js                    | 1071 +++++++++++++++++++++-----
 public/js/upload.js                  |  136 +++-
 src/controllers/AdminController.php  |   95 +--
 src/controllers/AuthController.php   |    5 +-
 src/controllers/UploadController.php |  108 +--
 src/models/UploadModel.php           |  321 ++++----
 21 files changed, 2272 insertions(+), 967 deletions(-)
 create mode 100644 public/js/defer-css.js

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d8101e0..fa3d0c6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,89 @@
 # Changelog
 
+## Changes 10/31/2025 (v1.7.3)
+
+release(v1.7.3): lightweight boot pipeline, dramatically faster first paint, deduped /api writes, sturdier uploads/auth
+
+### 🎃 Highlights (advantages) 👻 🦇
+
+- ⚡ Faster, cleaner boot: a lightweight **main.js** decides auth/setup before painting, avoids flicker, and wires modules exactly once.
+- ♻️ Fewer duplicate actions: **request coalescer** dedupes POST/PUT/PATCH/DELETE to /api/* .
+- ✅ Truthy UX: global **toast bridge** queues early toasts and normalizes misleading “not found/already exists” messages after success.
+- 🔐 Smoother auth: CSRF priming/rotation + **TOTP step-up detection** across JSON & redirect paths; “Welcome back, `user`” toast once per tab.
+- 🌓 Polished UI: **dark-mode persistence with system fallback**, live siteConfig title application, higher-z modals, drag auto-scroll.
+- 🚀 Faster first paint & interactions: defer CodeMirror/Fuse/Resumable, promote preloaded CSS, and coalesce duplicate requests → snappier UI.
+- 🧭 Admin polish: live header title preview, masked OIDC fields with **Replace** flow, and a **read-only Sponsors/Donations** section.
+- 🧱 Safer & cache-smarter: opinionated .htaccess (CSP/HSTS/MIME/compression) + `?v={{APP_QVER}}` for versioned immutable assets.
+
+### Core bootstrap (main.js) overhaul
+
+- Early **toast bridge** (queues until domUtils is ready); expose `window.__FR_TOAST_FILTER__` for centralized rewrites/suppression.
+- **Result guard + request coalescer** wrapping `fetch`:
+  - Dedupes same-origin `/api/*` mutating requests for ~800ms using a stable key (method + path + normalized body).
+  - Tracks “last OK” JSON (`success|status|result=ok`) to suppress false-negative error toasts after success.
+- **Boot orchestrator** with hard guards:
+  - `__FR_FLAGS` (`booted`, `initialized`, `wired.*`, `bootPromise`, `entryStarted`) to prevent double init/leaks.
+  - **No-flicker login**: resolve `checkAuth()` + `setup` before showing UI; show login only when truly unauthenticated.
+  - **Heavy boot** for authed users: load i18n, `appCore.loadCsrfToken/initializeApp`, first file list, then light UI wiring.
+- **Auth flow**:
+  - `primeCsrf()` + `<meta name="csrf-token">` management; persist token in localStorage.
+  - **TOTP** detection via header (`X-TOTP-Required`) & JSON (`totp_required` / `TOTP_REQUIRED`); calls `openTOTPLoginModal()`.
+  - **Welcome toast** once per tab via `sessionStorage.__fr_welcomed`.
+- **UI/UX niceties**:
+  - `applySiteConfig()` updates header title & login method visibility on both login & authed screens.
+  - Dark-mode persistence with system fallback, proper a11y labels/icons.
+  - Create dropdown/menu wiring with capture-phase outside-click + ESC close; modal cancel safeties.
+  - Lift modals above cards (z-index), **drag auto-scroll** near viewport edges.
+  - Dispatch legacy `DOMContentLoaded`/`load` **once** (supports older inline handlers).
+  - Username label refresh for existing `.user-name-label` without injecting new DOM.
+
+### Performance & UX changes
+
+- CSS/first paint:
+  - Preload Bootstrap & app CSS; promote at DOMContentLoaded; keep inline CSS minimal.
+  - Add `width/height/decoding/fetchpriority` to logo to reduce layout shift.
+- Search/editor/uploads:
+  - **fileListView.js**: lazy-load Fuse with instant substring fallback; `warmUpSearch()` hook.
+  - **fileEditor.js**: lazy-load CodeMirror core/theme/modes; start plain then upgrade; guard very large files gracefully.
+  - **upload.js**: lazy-load Resumable; resilient init; background warm-up; smarter addFile/submit; clearer toasts.
+- Toast/UX:
+  - Install early toast bridge; queue & normalize messages; neutral “Done.” when server returns misleading errors after success.
+
+### Correctness: uploads, paths, ACLs
+
+- **UploadController/UploadModel**: normalize folders via `ACL::normalizeFolder(rawurldecode())`; stricter segment checks; consistent base paths; safer metadata writes; proper chunk presence/merge & temp cleanup.
+
+### Auth hardening & resilience
+
+- **auth.js/main.js/appCore.js**: CSRF rotate/retry (JSON then x-www-form-urlencoded fallback); robust login handling; fewer misleading error toasts.
+- **AuthController**: OIDC username fallback to `email` or `sub` when `preferred_username` missing.
+
+### Admin panel
+
+- **adminPanel.js**:
+  - Live header title preview (instant update without reload).
+  - Masked OIDC client fields with **Replace** button; saved-value hints; only send secrets when replacing.
+  - **New “Sponsor / Donations” section (read-only)**:
+    - GitHub Sponsors → `https://github.com/sponsors/error311`
+    - Ko-fi → `https://ko-fi.com/error311`
+    - Includes **Copy** and **Open** buttons; values are fixed.
+- **AdminController**: boolean for `oidc.hasClientId/hasClientSecret` to drive masked inputs.
+
+### Security & caching (.htaccess)
+
+- Consolidated security headers (CSP, CORP, HSTS on HTTPS), MIME types, compression (Brotli/Deflate), TRACE disable.
+- Caching rules:
+  - HTML/version.js: no-cache; unversioned JS/CSS: 1h; unversioned static: 7d; **versioned assets `?v=`: 1y `immutable`**.
+- **config.php**: remove duplicate runtime headers (now via Apache) to avoid proxy/CDN conflicts.
+
+### Upgrade notes
+
+- No schema changes.
+- Ensure Apache modules (`headers`, `rewrite`, `brotli`/`deflate`) are available for the new .htaccess rules (fallbacks included).
+- Versioned assets mean users shouldn’t need a hard refresh; `?v={{APP_QVER}}` busts caches automatically.
+
+---
+
 ## Changes 10/29/2025 (v1.7.0 & v1.7.1 & v1.7.2)
 
 release(v1.7.0): asset cache-busting pipeline, public siteConfig cache, JS core split, and caching/security polish
diff --git a/config/config.php b/config/config.php
index e0fa1b6..5f489bf 100644
--- a/config/config.php
+++ b/config/config.php
@@ -1,22 +1,6 @@
 <?php
 // config.php
 
-// Prevent caching
-header("Cache-Control: no-cache, must-revalidate");
-header("Pragma: no-cache");
-header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
-header("Expires: 0");
-
-// Security headers
-header('X-Content-Type-Options: nosniff');
-header("X-Frame-Options: SAMEORIGIN");
-header("Referrer-Policy: no-referrer-when-downgrade");
-header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
-header("X-XSS-Protection: 1; mode=block");
-if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
-    header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
-}
-
 // Define constants
 define('PROJECT_ROOT', dirname(__DIR__));
 define('UPLOAD_DIR',    '/var/www/uploads/');
diff --git a/public/.htaccess b/public/.htaccess
index 70599b5..104b6a1 100644
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -11,11 +11,25 @@ DirectoryIndex index.html
 </IfModule>
 
 RewriteEngine On
-# If you want forced HTTPS behind a proxy, keep this off here and do it at the proxy
+
+# --- HTTPS redirect ---
+# Use ONE of these blocks.
+
+# A) Direct TLS on this server (enable this if Apache terminates HTTPS here)
 #RewriteCond %{HTTPS} off
 #RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
 
-# MIME types (fonts/SVG/ESM)
+# B) Behind a reverse proxy/CDN that sets X-Forwarded-Proto
+#RewriteCond %{HTTP:X-Forwarded-Proto} =http [OR]
+#RewriteCond %{HTTP:X-Forwarded-Proto} ^$
+#RewriteCond %{HTTPS} !=on
+#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
+
+# Don't interfere with ACME/http-01 if you do your own certs
+#RewriteCond %{REQUEST_URI} ^/.well-known/acme-challenge/
+#RewriteRule - - [L]
+
+# --- MIME types (fonts/SVG/ESM) ---
 <IfModule mod_mime.c>
   AddType font/woff2 .woff2
   AddType font/woff  .woff
@@ -23,58 +37,57 @@ RewriteEngine On
   AddType application/javascript .mjs
 </IfModule>
 
-# Security headers
+# --- Security headers ---
 <IfModule mod_headers.c>
   Header always set X-Frame-Options "SAMEORIGIN"
   Header always set X-XSS-Protection "1; mode=block"
   Header always set X-Content-Type-Options "nosniff"
-  # HSTS: only if HTTPS (prevents mixed local dev warnings)
-  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
   Header always set Referrer-Policy "strict-origin-when-cross-origin"
   Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
   Header always set X-Download-Options "noopen"
   Header always set Expect-CT "max-age=86400, enforce"
-  # Nice extra hardening (same-origin resource sharing)
   Header always set Cross-Origin-Resource-Policy "same-origin"
   Header always set X-Permitted-Cross-Domain-Policies "none"
+  # HSTS only when actually on HTTPS
+  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
 
-  # CSP (modules, workers, blobs already accounted for)
-  Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; media-src 'self' blob:; worker-src 'self' blob:; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; form-action 'self'"
+  # CSP (modules, blobs, workers, etc.)
+  Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; media-src 'self' blob:; worker-src 'self' blob:; form-action 'self'"
 </IfModule>
 
-# Caching
-SetEnvIfNoCase QUERY_STRING "(^|&)v=" has_version_param=1
+# --- Caching (query-string based, no env vars needed) ---
 <IfModule mod_headers.c>
-  # HTML/PHP: no cache (app shell)
+  # HTML/PHP: no cache (only if PHP didn’t already set it)
   <FilesMatch "\.(html?|php)$">
-    Header set Cache-Control "no-cache, no-store, must-revalidate"
-    Header set Pragma "no-cache"
-    Header set Expires "0"
+    Header setifempty Cache-Control "no-cache, no-store, must-revalidate"
+    Header setifempty Pragma "no-cache"
+    Header setifempty Expires "0"
   </FilesMatch>
 
-  # version.js is your source-of-truth; keep it non-cacheable so dev/CI flips show up
+  # version.js: always non-cacheable
   <FilesMatch "^js/version\.js$">
     Header set Cache-Control "no-cache, no-store, must-revalidate"
     Header set Pragma "no-cache"
     Header set Expires "0"
   </FilesMatch>
 
-# Unversioned JS/CSS (dev): 1 hour
-<FilesMatch "\.(?:m?js|css)$">
-  Header set Cache-Control "public, max-age=3600, must-revalidate" env=!has_version_param
-</FilesMatch>
+  # Unversioned JS/CSS: 1 hour
+  <FilesMatch "\.(?:m?js|css)$">
+    Header set Cache-Control "public, max-age=3600, must-revalidate" "expr=%{QUERY_STRING} !~ /(^|&)v=/"
+  </FilesMatch>
 
-# Unversioned static assets (dev): 7 days
-<FilesMatch "\.(?:png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
-  Header set Cache-Control "public, max-age=604800" env=!has_version_param
-</FilesMatch>
+  # Unversioned static (images/fonts): 7 days
+  <FilesMatch "\.(?:png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
+    Header set Cache-Control "public, max-age=604800" "expr=%{QUERY_STRING} !~ /(^|&)v=/"
+  </FilesMatch>
 
-# Versioned assets (?v=...): 1 year + immutable
-<FilesMatch "\.(?:m?js|css|png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
-  Header set Cache-Control "public, max-age=31536000, immutable" env=has_version_param
-</FilesMatch>
+  # Versioned assets (?v=...): 1 year + immutable
+  <FilesMatch "\.(?:m?js|css|png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
+    Header setifempty Cache-Control "public, max-age=31536000, immutable" "expr=%{QUERY_STRING} =~ /(^|&)v=/"
+  </FilesMatch>
+</IfModule>
 
-# Compression (if modules exist)
+# --- Compression ---
 <IfModule mod_brotli.c>
   BrotliCompressionQuality 5
   AddOutputFilterByType BROTLI_COMPRESS text/html text/css application/javascript application/json image/svg+xml
@@ -83,6 +96,6 @@ SetEnvIfNoCase QUERY_STRING "(^|&)v=" has_version_param=1
   AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json image/svg+xml
 </IfModule>
 
-# Disable TRACE
+# --- Disable TRACE ---
 RewriteCond %{REQUEST_METHOD} ^TRACE
 RewriteRule .* - [F]
\ No newline at end of file
diff --git a/public/css/styles.css b/public/css/styles.css
index d501273..5ff1043 100644
--- a/public/css/styles.css
+++ b/public/css/styles.css
@@ -37,7 +37,11 @@ body {
   /************************************************************/
   /* FLEXBOX HEADER: LOGO, TITLE, BUTTONS FIXED               */
   /************************************************************/
-  .header-logo .logo { height: 50px; width: auto; display: block; }
+  .header-logo .logo {
+    display:block;
+    max-width:100%;
+    height:auto;         /* keep aspect ratio; HTML attrs set the intrinsic box */
+  }
   .btn-login {
   margin-top: 10px;
   }/* Color overrides */
@@ -1598,7 +1602,7 @@ body {
   #removeUserModal {
   z-index: 5000 !important;
   }#customConfirmModal {
-  z-index: 6000 !important;
+  z-index: 12000 !important;
   }.admin-panel-content {
   background: #fff;
     color: #000;
@@ -1867,4 +1871,5 @@ body {
   #sidebarToggleFloating.is-collapsed {
   background: #fafafa;
     border-color: #e2e2e2;
-  }
\ No newline at end of file
+  }
+  
\ No newline at end of file
diff --git a/public/css/vendor/material-icons.css b/public/css/vendor/material-icons.css
index 3ba292f..1c6b8c2 100644
--- a/public/css/vendor/material-icons.css
+++ b/public/css/vendor/material-icons.css
@@ -4,7 +4,7 @@
   font-style: normal;
   font-weight: 400;
   font-display: swap;
-  src: url(/fonts/material-icons/flUhRq6tzZclQEJ-Vdg-IuiaDsNcIhQ8tQ.woff2) format('woff2');
+  src: url('/fonts/material-icons/flUhRq6tzZclQEJ-Vdg-IuiaDsNcIhQ8tQ.woff2?v={{APP_QVER}}') format('woff2');
 }
 
 .material-icons {
diff --git a/public/css/vendor/roboto.css b/public/css/vendor/roboto.css
index ca9215f..5b716c6 100644
--- a/public/css/vendor/roboto.css
+++ b/public/css/vendor/roboto.css
@@ -4,7 +4,7 @@
   font-style:normal;
   font-weight:400;
   font-display:swap;
-  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2') format('woff2');
+  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2?v={{APP_QVER}}') format('woff2');
   unicode-range:U+0100-02BA,U+02BD-02C5,U+02C7-02CC,U+02CE-02D7,U+02DD-02FF,U+0304,U+0308,U+0329,U+1D00-1DBF,U+1E00-1E9F,U+1EF2-1EFF,U+2020,U+20A0-20AB,U+20AD-20C0,U+2113,U+2C60-2C7F,U+A720-A7FF;
 }
 /* Roboto Regular 400 — latin */
@@ -13,7 +13,7 @@
   font-style:normal;
   font-weight:400;
   font-display:swap;
-  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2') format('woff2');
+  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2?v={{APP_QVER}}') format('woff2');
   unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+0304,U+0308,U+0329,U+2000-206F,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD;
 }
 /* Roboto Medium 500 — latin-ext */
@@ -22,7 +22,7 @@
   font-style:normal;
   font-weight:500;
   font-display:swap;
-  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2') format('woff2');
+  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2?v={{APP_QVER}}') format('woff2');
   unicode-range:U+0100-02BA,U+02BD-02C5,U+02C7-02CC,U+02CE-02D7,U+02DD-02FF,U+0304,U+0308,U+0329,U+1D00-1DBF,U+1E00-1E9F,U+1EF2-1EFF,U+2020,U+20A0-20AB,U+20AD-20C0,U+2113,U+2C60-2C7F,U+A720-A7FF;
 }
 /* Roboto Medium 500 — latin */
@@ -31,7 +31,7 @@
   font-style:normal;
   font-weight:500;
   font-display:swap;
-  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2') format('woff2');
+  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2?v={{APP_QVER}}') format('woff2');
   unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+0304,U+0308,U+0329,U+2000-206F,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD;
 }
 
diff --git a/public/index.html b/public/index.html
index 615a81a..32a550b 100644
--- a/public/index.html
+++ b/public/index.html
@@ -5,38 +5,58 @@
   <meta charset="UTF-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
   <title>FileRise</title>
+
+  <!-- Icons -->
   <link rel="icon" type="image/png" href="/assets/logo.png">
   <link rel="icon" type="image/svg+xml" href="/assets/logo.svg">
+
+  <!-- App meta -->
+  <meta name="description" content="FileRise is a fast, self-hosted file manager with granular per-folder ACLs, drag-and-drop folder moves, WebDAV, tagging, and a clean UI.">
   <meta name="csrf-token" content="">
   <meta name="share-url" content="">
+  <meta name="theme-color" content="#0b5ed7">
 
-  <style>.main-wrapper{display:none}#loadingOverlay{position:fixed;inset:0;background:var(--bg-color,#fff);z-index:9999;display:flex;align-items:center;justify-content:center}</style>
-  <link rel="stylesheet" href="/css/vendor/roboto.css?v={{APP_QVER}}">
-  <link rel="stylesheet" href="/css/vendor/material-icons.css?v={{APP_QVER}}">
+  <!-- Minimal critical CSS only (keeps CSP clean, no inline JS) -->
+  <style>
+    .main-wrapper{display:none}
+    #loadingOverlay{position:fixed;inset:0;background:var(--bg-color,#fff);z-index:9999;display:flex;align-items:center;justify-content:center}
+  </style>
 
-  <!-- Bootstrap CSS (local) -->
-  <link rel="stylesheet" href="/vendor/bootstrap/4.5.2/bootstrap.min.css?v={{APP_QVER}}">
+  <!-- CSS: preload, then promote via tiny external JS (no inline onload) -->
+  <link rel="preload" as="style" href="/vendor/bootstrap/4.5.2/bootstrap.min.css?v={{APP_QVER}}">
+  <link rel="preload" as="style" href="/css/styles.css?v={{APP_QVER}}">
 
-  <!-- CodeMirror CSS (local) -->
-  <link rel="stylesheet" href="/vendor/codemirror/5.65.5/codemirror.min.css?v={{APP_QVER}}">
-  <link rel="stylesheet" href="/vendor/codemirror/5.65.5/theme/material-darker.min.css?v={{APP_QVER}}">
+  <!-- Fonts: preload only those used above the fold -->
+  <link rel="preload" href="/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2?v={{APP_QVER}}" as="font" type="font/woff2" crossorigin>
+  <link rel="preload" href="/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2?v={{APP_QVER}}" as="font" type="font/woff2" crossorigin>
+  <!-- Do NOT preload material icons unless needed above the fold -->
 
-  <!-- app CSS -->
-  <link rel="stylesheet" href="/css/styles.css?v={{APP_QVER}}">
+  <!-- Non-blocking stylesheet promotion (external to satisfy CSP) -->
+  <script src="/js/defer-css.js?v={{APP_QVER}}" defer></script>
+  
 
-  <!-- Libraries (JS) -->
-  <script src="/vendor/dompurify/2.4.0/purify.min.js?v={{APP_QVER}}"></script>
-  <script src="/vendor/fuse/6.6.2/fuse.min.js?v={{APP_QVER}}"></script>
-  <script src="/vendor/resumable/1.1.0/resumable.min.js?v={{APP_QVER}}"></script>
+  <!-- Base CSS as a fallback if JS is disabled -->
+  <noscript>
+    <link rel="stylesheet" href="/vendor/bootstrap/4.5.2/bootstrap.min.css?v={{APP_QVER}}">
+    <link rel="stylesheet" href="/css/styles.css?v={{APP_QVER}}">
+  </noscript>
 
-  <!-- CodeMirror core FIRST -->
-  <script src="/vendor/codemirror/5.65.5/codemirror.min.js?v={{APP_QVER}}"></script>
+  <!-- Preload font CSS (non-blocking) -->
+  <link rel="preload" as="style" href="/css/vendor/roboto.css?v={{APP_QVER}}">
+  <link rel="preload" as="style" href="/css/vendor/material-icons.css?v={{APP_QVER}}">
 
-  <script src="/js/version.js?v={{APP_QVER}}"></script>
+  <!-- Vendor JS (keep defer; they’re not modules) -->
+  <script src="/vendor/dompurify/2.4.0/purify.min.js?v={{APP_QVER}}" defer></script>
 
+  <!-- IMPORTANT: Remove CodeMirror here; lazy-load it inside your editor route/module. -->
+
+  <!-- Version marker (non-blocking) -->
+  <script src="/js/version.js?v={{APP_QVER}}" defer></script>
+ 
+
+  <!-- App entry: start fetching early, execute after parse -->
   <link rel="modulepreload" href="/js/main.js?v={{APP_QVER}}">
   <script type="module" src="/js/main.js?v={{APP_QVER}}"></script>
-
 </head>
 
 <body>
@@ -44,7 +64,14 @@
     <div class="header-left">
       <a href="index.html">
         <div class="header-logo">
-          <img src="/assets/logo.svg?v={{APP_QVER}}" alt="FileRise" class="logo" />
+          <img
+  src="/assets/logo.svg?v={{APP_QVER}}"
+  alt="FileRise"
+  class="logo"
+  width="50" height="50"
+  decoding="async"
+  fetchpriority="low"
+/>
         </div>
       </a>
     </div>
@@ -103,7 +130,7 @@
   <!-- Custom Toast Container -->
   <div id="customToast"></div>
   <div id="hiddenCardsContainer" style="display:none;"></div>
-
+  <main id="main">
   <div class="row mt-4" id="loginForm">
     <div class="col-12">
       <form id="authForm" method="post">
@@ -115,7 +142,7 @@
           <label for="loginPassword" data-i18n-key="password">Password:</label>
           <input type="password" class="form-control" id="loginPassword" name="password" required />
         </div>
-        <button type="submit" class="btn btn-primary btn-block btn-login" data-i18n-key="login">Login</button>
+        <button type="submit" class="btn btn-primary btn-block btn-login" data-i18n-key="login" data-default>Login</button>
         <div class="form-group remember-me-container">
           <input type="checkbox" id="rememberMeCheckbox" name="remember_me" />
           <label for="rememberMeCheckbox" data-i18n-key="remember_me">Remember me</label>
@@ -133,6 +160,8 @@
       </div>
     </div>
   </div>
+</main>
+  
 
   <!-- Main Wrapper: Hidden by default; remove "display: none;" after login -->
   <div class="main-wrapper">
@@ -215,7 +244,7 @@
                           <div class="modal-footer" style="margin-top:15px; text-align:right;">
                             <button id="cancelMoveFolder" class="btn btn-secondary"
                               data-i18n-key="cancel">Cancel</button>
-                            <button id="confirmMoveFolder" class="btn btn-primary" data-i18n-key="move">Move</button>
+                            <button id="confirmMoveFolder" class="btn btn-primary" data-i18n-key="move" data-default>Move</button>
                           </div>
                         </div>
                       </div>
@@ -233,7 +262,7 @@
                             <button id="cancelRenameFolder" class="btn btn-secondary"
                               data-i18n-key="cancel">Cancel</button>
                             <button id="submitRenameFolder" class="btn btn-primary"
-                              data-i18n-key="rename">Rename</button>
+                              data-i18n-key="rename" data-default>Rename</button>
                           </div>
                         </div>
                       </div>
@@ -253,7 +282,7 @@
                             <button id="cancelDeleteFolder" class="btn btn-secondary"
                               data-i18n-key="cancel">Cancel</button>
                             <button id="confirmDeleteFolder" class="btn btn-danger"
-                              data-i18n-key="delete">Delete</button>
+                              data-i18n-key="delete" data-default>Delete</button>
                           </div>
                         </div>
                       </div>
@@ -289,7 +318,7 @@
                   selected files?</p>
                 <div class="modal-footer">
                   <button id="cancelDeleteFiles" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmDeleteFiles" class="btn btn-danger" data-i18n-key="delete">Delete</button>
+                  <button id="confirmDeleteFiles" class="btn btn-danger" data-i18n-key="delete" data-default>Delete</button>
                 </div>
               </div>
             </div>
@@ -303,7 +332,7 @@
                 <select id="copyTargetFolder" class="form-control modal-input"></select>
                 <div class="modal-footer">
                   <button id="cancelCopyFiles" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmCopyFiles" class="btn btn-primary" data-i18n-key="copy">Copy</button>
+                  <button id="confirmCopyFiles" class="btn btn-primary" data-i18n-key="copy" data-default>Copy</button>
                 </div>
               </div>
             </div>
@@ -317,7 +346,7 @@
                 <select id="moveTargetFolder" class="form-control modal-input"></select>
                 <div class="modal-footer">
                   <button id="cancelMoveFiles" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmMoveFiles" class="btn btn-primary" data-i18n-key="move">Move</button>
+                  <button id="confirmMoveFiles" class="btn btn-primary" data-i18n-key="move" data-default>Move</button>
                 </div>
               </div>
             </div>
@@ -325,35 +354,20 @@
               data-i18n-key="download_zip">Download ZIP</button>
             <button id="extractZipBtn" class="btn action-btn btn-sm btn-info"  style="display: none;" disabled
               data-i18n-key="extract_zip_button">Extract Zip</button>
-            <div id="createDropdown" class="dropdown-container" style="position:relative; display:inline-block;">
-              <button id="createBtn" class="btn action-btn" style="display: none;" data-i18n-key="create">
-                ${t('create')} <span class="material-icons"
-                  style="font-size:16px;vertical-align:middle;">arrow_drop_down</span>
-              </button>
-              <ul id="createMenu" class="dropdown-menu" style="
-                    display: none;
-                    position: absolute;
-                    top: 100%;
-                    left: 0;
-                    margin: 4px 0 0;
-                    padding: 0;
-                    list-style: none;
-                    background: #fff;
-                    border: 1px solid #ccc;
-                    box-shadow: 0 2px 6px rgba(0,0,0,0.2);
-                    z-index: 1000;
-                    min-width: 140px;
-                  ">
-                <li id="createFileOption" class="dropdown-item" data-i18n-key="create_file"
-                  style="padding:8px 12px; cursor:pointer;">
-                  ${t('create_file')}
-                </li>
-                <li id="createFolderOption" class="dropdown-item" data-i18n-key="create_folder"
-                  style="padding:8px 12px; cursor:pointer;">
-                  ${t('create_folder')}
-                </li>
-              </ul>
-            </div>
+              <div id="createDropdown" class="dropdown-container" style="position:relative; display:inline-block;">
+                <button id="createBtn" class="btn action-btn" type="button" style="display:none;" aria-haspopup="true" aria-expanded="false">
+                  <span data-i18n-key="create">Create</span>
+                  <span class="material-icons" style="font-size:16px;vertical-align:middle;">arrow_drop_down</span>
+                </button>
+                <ul id="createMenu" class="dropdown-menu" style="display:none; position:absolute; top:100%; left:0; margin:4px 0 0; padding:0; list-style:none; background:#fff; border:1px solid #ccc; box-shadow:0 2px 6px rgba(0,0,0,0.2); z-index:10010; min-width:160px;">
+                  <li id="createFileOption" class="dropdown-item" style="padding:8px 12px; cursor:pointer;">
+                    <span data-i18n-key="create_file">Create file</span>
+                  </li>
+                  <li id="createFolderOption" class="dropdown-item" style="padding:8px 12px; cursor:pointer;">
+                    <span data-i18n-key="create_folder">Create folder</span>
+                  </li>
+                </ul>
+              </div>
             <!-- Create File Modal -->
             <div id="createFileModal" class="modal" style="display:none;">
               <div class="modal-content">
@@ -362,7 +376,7 @@
                   data-i18n-placeholder="newfile_placeholder" />
                 <div class="modal-footer" style="margin-top:1rem; text-align:right;">
                   <button id="cancelCreateFile" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmCreateFile" class="btn btn-primary" data-i18n-key="create">Create</button>
+                  <button id="confirmCreateFile" class="btn btn-primary" data-i18n-key="create" data-default>Create</button>
                 </div>
               </div>
             </div>
@@ -374,7 +388,7 @@
                   placeholder="files.zip" />
                 <div class="modal-footer" style="margin-top:15px; text-align:right;">
                   <button id="cancelDownloadZip" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmDownloadZip" class="btn btn-primary" data-i18n-key="download">Download</button>
+                  <button id="confirmDownloadZip" class="btn btn-primary" data-i18n-key="download" data-default>Download</button>
                 </div>
               </div>
             </div>
@@ -412,14 +426,14 @@
         placeholder="Filename" />
       <div style="margin-top: 15px; text-align: right;">
         <button id="cancelDownloadFile" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-        <button id="confirmSingleDownloadButton" class="btn btn-primary" data-i18n-key="download">Download</button>
+        <button id="confirmSingleDownloadButton" class="btn btn-primary" data-i18n-key="download" data-default>Download</button>
       </div>
     </div>
   </div>
 
   <!-- Change Password, Add User, Remove User, Rename File, and Custom Confirm Modals (unchanged) -->
   <div id="changePasswordModal" class="modal" style="display:none;">
-    <div class="modal-content" style="max-width:400px; margin:auto;">
+    <div class="modal-content" style="text-align: center; padding: 20px;">
       <span id="closeChangePasswordModal" class="editor-close-btn">&times;</span>
       <h3 data-i18n-key="change_password_title">Change Password</h3>
       <input type="password" id="oldPassword" class="form-control" data-i18n-placeholder="old_password"
@@ -428,7 +442,7 @@
         placeholder="New Password" style="width:100%; margin: 5px 0;" />
       <input type="password" id="confirmPassword" class="form-control" data-i18n-placeholder="confirm_new_password"
         placeholder="Confirm New Password" style="width:100%; margin: 5px 0;" />
-      <button id="saveNewPasswordBtn" class="btn btn-primary" data-i18n-key="save" style="width:100%;">Save</button>
+      <button id="saveNewPasswordBtn" class="btn btn-primary" data-i18n-key="save" style="width:100%;" data-default>Save</button>
     </div>
   </div>
   <div id="addUserModal" class="modal" style="display:none;">
@@ -453,7 +467,7 @@
             Cancel
           </button>
           <!-- Save becomes type="submit" -->
-          <button type="submit" id="saveUserBtn" class="btn btn-primary" data-i18n-key="save_user">
+          <button type="submit" id="saveUserBtn" class="btn btn-primary" data-i18n-key="save_user" data-default>
             Save User
           </button>
         </div>
@@ -478,7 +492,7 @@
         placeholder="Enter new file name" style="margin-top:10px;" />
       <div style="margin-top:15px; text-align:right;">
         <button id="cancelRenameFile" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-        <button id="submitRenameFile" class="btn btn-primary" data-i18n-key="rename">Rename</button>
+        <button id="submitRenameFile" class="btn btn-primary" data-i18n-key="rename" data-default>Rename</button>
       </div>
     </div>
   </div>
@@ -486,7 +500,7 @@
     <div class="modal-content">
       <p id="confirmMessage"></p>
       <div class="modal-actions">
-        <button id="confirmYesBtn" class="btn btn-primary" data-i18n-key="yes">Yes</button>
+        <button id="confirmYesBtn" class="btn btn-primary" data-i18n-key="yes" data-default>Yes</button>
         <button id="confirmNoBtn" class="btn btn-secondary" data-i18n-key="no">No</button>
       </div>
     </div>
diff --git a/public/js/adminPanel.js b/public/js/adminPanel.js
index 998461b..156a84f 100644
--- a/public/js/adminPanel.js
+++ b/public/js/adminPanel.js
@@ -10,16 +10,16 @@ const adminTitle = `${t("admin_panel")} <small style="font-size:12px;color:gray;
 
 function buildFullGrantsForAllFolders(folders) {
   const allTrue = {
-    view:true, viewOwn:false, manage:true, create:true, upload:true, edit:true,
-    rename:true, copy:true, move:true, delete:true, extract:true,
-    shareFile:true, shareFolder:true, share:true
+    view: true, viewOwn: false, manage: true, create: true, upload: true, edit: true,
+    rename: true, copy: true, move: true, delete: true, extract: true,
+    shareFile: true, shareFolder: true, share: true
   };
   return folders.reduce((acc, f) => { acc[f] = { ...allTrue }; return acc; }, {});
 }
 
 /* === BEGIN: Folder Access helpers (merged + improved) === */
-function qs(scope, sel){ return (scope||document).querySelector(sel); }
-function qsa(scope, sel){ return Array.from((scope||document).querySelectorAll(sel)); }
+function qs(scope, sel) { return (scope || document).querySelector(sel); }
+function qsa(scope, sel) { return Array.from((scope || document).querySelectorAll(sel)); }
 
 function enforceShareFolderRule(row) {
   const manage = qs(row, 'input[data-cap="manage"]');
@@ -37,6 +37,66 @@ function enforceShareFolderRule(row) {
   }
 }
 
+function wireHeaderTitleLive() {
+  const input = document.getElementById('headerTitle');
+  if (!input || input.__live) return;
+  input.__live = true;
+
+  const apply = (val) => {
+    const title = (val || '').trim() || 'FileRise';
+    const h1 = document.querySelector('.header-title h1');
+    if (h1) h1.textContent = title;
+    document.title = title;
+    window.headerTitle = val || ''; // preserve raw value user typed
+    try { localStorage.setItem('headerTitle', title); } catch { }
+  };
+
+  // apply current value immediately + on each keystroke
+  apply(input.value);
+  input.addEventListener('input', (e) => apply(e.target.value));
+}
+
+function renderMaskedInput({ id, label, hasValue, isSecret = false }) {
+  const type = isSecret ? 'password' : 'text';
+  const disabled = hasValue ? 'disabled data-replace="0" placeholder="•••••• (saved)"' : '';
+  const replaceBtn = hasValue
+    ? `<button type="button" class="btn btn-sm btn-outline-secondary" data-replace-for="${id}">Replace</button>`
+    : '';
+  const note = hasValue
+    ? `<small class="text-success" style="margin-left:4px;">Saved — leave blank to keep</small>`
+    : '';
+
+  return `
+    <div class="form-group">
+      <label for="${id}">${label}:</label>
+      <div style="display:flex; gap:8px; align-items:center;">
+        <input type="${type}" id="${id}" class="form-control" ${disabled} />
+        ${replaceBtn}
+      </div>
+      ${note}
+    </div>
+  `;
+}
+
+function wireReplaceButtons(scope = document) {
+  scope.querySelectorAll('[data-replace-for]').forEach(btn => {
+    if (btn.__wired) return;
+    btn.__wired = true;
+    btn.addEventListener('click', () => {
+      const id = btn.getAttribute('data-replace-for');
+      const inp = scope.querySelector('#' + id);
+      if (!inp) return;
+      inp.disabled = false;
+      inp.dataset.replace = '1';
+      inp.placeholder = '';
+      inp.value = '';
+      btn.textContent = 'Keep saved value';
+      btn.removeAttribute('data-replace-for');
+      btn.addEventListener('click', () => { /* no-op after first toggle */ }, { once: true });
+    }, { once: true });
+  });
+}
+
 function onShareFolderToggle(row, checked) {
   const manage = qs(row, 'input[data-cap="manage"]');
   const viewAll = qs(row, 'input[data-cap="view"]');
@@ -52,14 +112,14 @@ function onShareFileToggle(row, checked) {
   const viewAll = qs(row, 'input[data-cap="view"]');
   const viewOwn = qs(row, 'input[data-cap="viewOwn"]');
   const hasView = !!(viewAll && viewAll.checked);
-  const hasOwn  = !!(viewOwn && viewOwn.checked);
+  const hasOwn = !!(viewOwn && viewOwn.checked);
   if (!hasView && !hasOwn && viewOwn) {
     viewOwn.checked = true;
   }
 }
 
 function onWriteToggle(row, checked) {
-  const caps = ["create","upload","edit","rename","copy","delete","extract"];
+  const caps = ["create", "upload", "edit", "rename", "copy", "delete", "extract"];
   caps.forEach(c => {
     const box = qs(row, `input[data-cap="${c}"]`);
     if (box) box.checked = checked;
@@ -426,20 +486,21 @@ export function openAdminPanel() {
             <div class="editor-close-btn" id="closeAdminPanel">&times;</div>
             <h3>${adminTitle}</h3>
             <form id="adminPanelForm">
-              ${[
-                { id: "userManagement", label: t("user_management") },
-                { id: "headerSettings", label: t("header_settings") },
-                { id: "loginOptions", label: t("login_options") },
-                { id: "webdav", label: "WebDAV Access" },
-                { id: "upload", label: t("shared_max_upload_size_bytes_title") },
-                { id: "oidc", label: t("oidc_configuration") + " & TOTP" },
-                { id: "shareLinks", label: t("manage_shared_links") }
-              ].map(sec => `
-                <div id="${sec.id}Header" class="section-header collapsed">
-                  ${sec.label} <i class="material-icons">expand_more</i>
-                </div>
-                <div id="${sec.id}Content" class="section-content"></div>
-              `).join("")}
+            ${[
+            { id: "userManagement", label: t("user_management") },
+            { id: "headerSettings", label: t("header_settings") },
+            { id: "loginOptions", label: t("login_options") },
+            { id: "webdav", label: "WebDAV Access" },
+            { id: "upload", label: t("shared_max_upload_size_bytes_title") },
+            { id: "oidc", label: t("oidc_configuration") + " & TOTP" },
+            { id: "shareLinks", label: t("manage_shared_links") },
+            { id: "sponsor", label: (typeof tf === 'function' ? tf("sponsor_donations", "Sponsor / Donations") : "Sponsor / Donations") }
+          ].map(sec => `
+              <div id="${sec.id}Header" class="section-header collapsed">
+                ${sec.label} <i class="material-icons">expand_more</i>
+              </div>
+              <div id="${sec.id}Content" class="section-content"></div>
+            `).join("")}
 
               <div class="action-row">
                 <button type="button" id="cancelAdminSettings" class="btn btn-secondary">${t("cancel")}</button>
@@ -453,7 +514,7 @@ export function openAdminPanel() {
         document.getElementById("closeAdminPanel").addEventListener("click", closeAdminPanel);
         document.getElementById("cancelAdminSettings").addEventListener("click", closeAdminPanel);
 
-        ["userManagement", "headerSettings", "loginOptions", "webdav", "upload", "oidc", "shareLinks"]
+        ["userManagement", "headerSettings", "loginOptions", "webdav", "upload", "oidc", "shareLinks", "sponsor"]
           .forEach(id => {
             document.getElementById(id + "Header")
               .addEventListener("click", () => toggleSection(id));
@@ -485,6 +546,7 @@ export function openAdminPanel() {
             <input type="text" id="headerTitle" class="form-control" value="${window.headerTitle || ""}" />
           </div>
         `;
+        wireHeaderTitleLive();
 
         document.getElementById("loginOptionsContent").innerHTML = `
           <div class="form-group"><input type="checkbox" id="disableFormLogin" /> <label for="disableFormLogin">${t("disable_login_form")}</label></div>
@@ -512,16 +574,34 @@ export function openAdminPanel() {
           </div>
         `;
 
+        const hasId = !!(config.oidc && config.oidc.hasClientId);
+        const hasSecret = !!(config.oidc && config.oidc.hasClientSecret);
+
         document.getElementById("oidcContent").innerHTML = `
-          <div class="form-text text-muted" style="margin-top:8px;">
-            <small>Note: OIDC credentials (Client ID/Secret) will show blank here after saving, but remain unchanged until you explicitly edit and save them.</small>
-          </div>
-          <div class="form-group"><label for="oidcProviderUrl">${t("oidc_provider_url")}:</label><input type="text" id="oidcProviderUrl" class="form-control" value="${window.currentOIDCConfig?.providerUrl || ""}" /></div>
-          <div class="form-group"><label for="oidcClientId">${t("oidc_client_id")}:</label><input type="text" id="oidcClientId" class="form-control" value="${window.currentOIDCConfig?.clientId || ""}" /></div>
-          <div class="form-group"><label for="oidcClientSecret">${t("oidc_client_secret")}:</label><input type="text" id="oidcClientSecret" class="form-control" value="${window.currentOIDCConfig?.clientSecret || ""}" /></div>
-          <div class="form-group"><label for="oidcRedirectUri">${t("oidc_redirect_uri")}:</label><input type="text" id="oidcRedirectUri" class="form-control" value="${window.currentOIDCConfig?.redirectUri || ""}" /></div>
-          <div class="form-group"><label for="globalOtpauthUrl">${t("global_otpauth_url")}:</label><input type="text" id="globalOtpauthUrl" class="form-control" value="${window.currentOIDCConfig?.globalOtpauthUrl || 'otpauth://totp/{label}?secret={secret}&issuer=FileRise'}" /></div>
-        `;
+  <div class="form-text text-muted" style="margin-top:8px;">
+    <small>Client ID/Secret are never shown after saving. A green note indicates a value is saved. Click “Replace” to overwrite.</small>
+  </div>
+
+  <div class="form-group">
+    <label for="oidcProviderUrl">${t("oidc_provider_url")}:</label>
+    <input type="text" id="oidcProviderUrl" class="form-control" value="${(window.currentOIDCConfig?.providerUrl || "")}" />
+  </div>
+
+  ${renderMaskedInput({ id: "oidcClientId", label: t("oidc_client_id"), hasValue: hasId })}
+  ${renderMaskedInput({ id: "oidcClientSecret", label: t("oidc_client_secret"), hasValue: hasSecret, isSecret: true })}
+
+  <div class="form-group">
+    <label for="oidcRedirectUri">${t("oidc_redirect_uri")}:</label>
+    <input type="text" id="oidcRedirectUri" class="form-control" value="${(window.currentOIDCConfig?.redirectUri || "")}" />
+  </div>
+
+  <div class="form-group">
+    <label for="globalOtpauthUrl">${t("global_otpauth_url")}:</label>
+    <input type="text" id="globalOtpauthUrl" class="form-control" value="${window.currentOIDCConfig?.globalOtpauthUrl || 'otpauth://totp/{label}?secret={secret}&issuer=FileRise'}" />
+  </div>
+`;
+
+        wireReplaceButtons(document.getElementById("oidcContent"));
 
         document.getElementById("shareLinksContent").textContent = t("loading") + "…";
 
@@ -545,6 +625,60 @@ export function openAdminPanel() {
           }
         });
 
+        // --- Sponsor (fixed, non-editable) ---
+        const SPONSOR_GH = "https://github.com/sponsors/error311";
+        const SPONSOR_KOFI = "https://ko-fi.com/error311";
+
+        document.getElementById("sponsorContent").innerHTML = `
+  <div class="form-group" style="margin-bottom:12px;">
+    <label for="sponsorGitHub">${(typeof tf === 'function' ? tf("github_sponsors_url", "GitHub Sponsors URL") : "GitHub Sponsors URL")}:</label>
+    <div class="input-group">
+      <input type="url"
+             id="sponsorGitHub"
+             class="form-control"
+             value="${SPONSOR_GH}"
+             readonly
+             data-ignore-dirty="1" />
+      <button type="button" id="copySponsorGitHub" class="btn btn-outline-primary">Copy</button>
+      <a class="btn btn-outline-secondary" id="openSponsorGitHub" target="_blank" rel="noopener">Open</a>
+    </div>
+  </div>
+
+  <div class="form-group" style="margin-bottom:12px;">
+    <label for="sponsorKoFi">${(typeof tf === 'function' ? tf("ko_fi_url", "Ko-fi URL") : "Ko-fi URL")}:</label>
+    <div class="input-group">
+      <input type="url"
+             id="sponsorKoFi"
+             class="form-control"
+             value="${SPONSOR_KOFI}"
+             readonly
+             data-ignore-dirty="1" />
+      <button type="button" id="copySponsorKoFi" class="btn btn-outline-primary">Copy</button>
+      <a class="btn btn-outline-secondary" id="openSponsorKoFi" target="_blank" rel="noopener">Open</a>
+    </div>
+  </div>
+
+  <small class="text-muted">${(typeof tf === 'function'
+            ? tf("sponsor_note_fixed", "Please consider supporting ongoing development.")
+            : "Please consider supporting ongoing development.")}</small>
+`;
+
+        // Wire copy + open (no changes tracked)
+        const ghInput = document.getElementById("sponsorGitHub");
+        const kfInput = document.getElementById("sponsorKoFi");
+
+        document.getElementById("copySponsorGitHub").addEventListener("click", async () => {
+          try { await navigator.clipboard.writeText(ghInput.value); } catch { }
+          showToast(typeof tf === 'function' ? tf("copied", "Copied!") : "Copied!");
+        });
+        document.getElementById("copySponsorKoFi").addEventListener("click", async () => {
+          try { await navigator.clipboard.writeText(kfInput.value); } catch { }
+          showToast(typeof tf === 'function' ? tf("copied", "Copied!") : "Copied!");
+        });
+
+        document.getElementById("openSponsorGitHub").href = SPONSOR_GH;
+        document.getElementById("openSponsorKoFi").href = SPONSOR_KOFI;
+
         const userMgmt = document.getElementById("userManagementContent");
         userMgmt?.removeEventListener("click", window.__userMgmtDelegatedClick);
         window.__userMgmtDelegatedClick = (e) => {
@@ -574,7 +708,11 @@ export function openAdminPanel() {
         document.getElementById("enableWebDAV").checked = config.enableWebDAV === true;
         document.getElementById("sharedMaxUploadSize").value = config.sharedMaxUploadSize || "";
         document.getElementById("oidcProviderUrl").value = window.currentOIDCConfig?.providerUrl || "";
-        document.getElementById("oidcClientId").value = window.currentOIDCConfig?.clientId || "";
+        const idEl = document.getElementById("oidcClientId");
+        const secEl = document.getElementById("oidcClientSecret");
+        if (!hasId) idEl.value = window.currentOIDCConfig?.clientId || "";
+        if (!hasSecret) secEl.value = window.currentOIDCConfig?.clientSecret || "";
+        wireReplaceButtons(document.getElementById("oidcContent"));
         document.getElementById("oidcClientSecret").value = window.currentOIDCConfig?.clientSecret || "";
         document.getElementById("oidcRedirectUri").value = window.currentOIDCConfig?.redirectUri || "";
         document.getElementById("globalOtpauthUrl").value = window.currentOIDCConfig?.globalOtpauthUrl || '';
@@ -585,57 +723,57 @@ export function openAdminPanel() {
 }
 
 function handleSave() {
-  const dFL = !!document.getElementById("disableFormLogin")?.checked;
-  const dBA = !!document.getElementById("disableBasicAuth")?.checked;
-  const dOIDC = !!document.getElementById("disableOIDCLogin")?.checked;
-  const aBypass = !!document.getElementById("authBypass")?.checked;
-  const aHeader = (document.getElementById("authHeaderName")?.value || "X-Remote-User").trim();
-  const eWD = !!document.getElementById("enableWebDAV")?.checked;
-  const sMax = parseInt(document.getElementById("sharedMaxUploadSize")?.value || "0", 10) || 0;
-  const nHT = (document.getElementById("headerTitle")?.value || "").trim();
-  const nOIDC = {
-    providerUrl: (document.getElementById("oidcProviderUrl")?.value || "").trim(),
-    clientId: (document.getElementById("oidcClientId")?.value || "").trim(),
-    clientSecret: (document.getElementById("oidcClientSecret")?.value || "").trim(),
-    redirectUri: (document.getElementById("oidcRedirectUri")?.value || "").trim()
+  const payload = {
+    header_title: document.getElementById("headerTitle")?.value || "",
+    loginOptions: {
+      disableFormLogin: document.getElementById("disableFormLogin").checked,
+      disableBasicAuth: document.getElementById("disableBasicAuth").checked,
+      disableOIDCLogin: document.getElementById("disableOIDCLogin").checked,
+      authBypass: document.getElementById("authBypass").checked,
+      authHeaderName: document.getElementById("authHeaderName").value.trim() || "X-Remote-User",
+    },
+    enableWebDAV: document.getElementById("enableWebDAV").checked,
+    sharedMaxUploadSize: parseInt(document.getElementById("sharedMaxUploadSize").value || "0", 10) || 0,
+    oidc: {
+      providerUrl: document.getElementById("oidcProviderUrl").value.trim(),
+      redirectUri: document.getElementById("oidcRedirectUri").value.trim(),
+      // clientId/clientSecret: only include when replacing
+    },
+    globalOtpauthUrl: document.getElementById("globalOtpauthUrl").value.trim(),
   };
-  const gURL = (document.getElementById("globalOtpauthUrl")?.value || "").trim();
 
-  if ([dFL, dBA, dOIDC].filter(x => x).length === 3) {
-    showToast(t("at_least_one_login_method"));
-    return;
+  const idEl = document.getElementById("oidcClientId");
+  const scEl = document.getElementById("oidcClientSecret");
+
+  if (idEl?.dataset.replace === '1' && idEl.value.trim() !== '') {
+    payload.oidc.clientId = idEl.value.trim();
+  }
+  if (scEl?.dataset.replace === '1' && scEl.value.trim() !== '') {
+    payload.oidc.clientSecret = scEl.value.trim();
   }
 
-  sendRequest("/api/admin/updateConfig.php", "POST", {
-    header_title: nHT,
-    oidc: nOIDC,
-    loginOptions: {
-      disableFormLogin: dFL,
-      disableBasicAuth: dBA,
-      disableOIDCLogin: dOIDC,
-      authBypass: aBypass,
-      authHeaderName: aHeader
+  fetch('/api/admin/updateConfig.php', {
+    method: 'POST',
+    credentials: 'include',
+    headers: {
+      'Content-Type': 'application/json',
+      'X-CSRF-Token': (document.querySelector('meta[name="csrf-token"]')?.content || '')
     },
-    enableWebDAV: eWD,
-    sharedMaxUploadSize: sMax,
-    globalOtpauthUrl: gURL
-  }, { "X-CSRF-Token": window.csrfToken })
-    .then(res => {
-      if (res.success) {
-        showToast(t("settings_updated_successfully"), "success");
-        captureInitialAdminConfig();
-        closeAdminPanel();
-        loadAdminConfigFunc();
-      } else {
-        showToast(t("error_updating_settings") + ": " + (res.error || t("unknown_error")), "error");
-      }
-    }).catch(() => {/*noop*/ });
+    body: JSON.stringify(payload)
+  })
+    .then(r => r.json())
+    .then(j => {
+      if (j.error) { showToast('Error: ' + j.error); return; }
+      showToast('Settings saved.');
+      closeAdminPanel();
+    })
+    .catch(() => showToast('Save failed.'));
 }
 
 export async function closeAdminPanel() {
   if (hasUnsavedChanges()) {
-    const ok = await showCustomConfirmModal(t("unsaved_changes_confirm"));
-    if (!ok) return;
+    //const ok = await showCustomConfirmModal(t("unsaved_changes_confirm"));
+    //if (!ok) return;
   }
   const m = document.getElementById("adminPanelModal");
   if (m) m.style.display = "none";
@@ -645,29 +783,29 @@ export async function closeAdminPanel() {
    New: Folder Access (ACL) UI
    =========================== */
 
-   let __allFoldersCache = null;
+let __allFoldersCache = null;
 
-   async function getAllFolders(force = false) {
-     if (!force && __allFoldersCache) return __allFoldersCache.slice();
-   
-     const res = await fetch('/api/folder/getFolderList.php?ts=' + Date.now(), {
-       credentials: 'include',
-       cache: 'no-store',
-       headers: { 'Cache-Control': 'no-store' }
-     });
-     const data = await safeJson(res).catch(() => []);
-     const list = Array.isArray(data)
-       ? data.map(x => (typeof x === 'string' ? x : x.folder)).filter(Boolean)
-       : [];
-   
-     const hidden = new Set(['profile_pics', 'trash']);
-     const cleaned = list
-       .filter(f => f && !hidden.has(f.toLowerCase()))
-       .sort((a, b) => (a === 'root' ? -1 : b === 'root' ? 1 : a.localeCompare(b)));
-   
-     __allFoldersCache = cleaned;
-     return cleaned.slice();
-   }
+async function getAllFolders(force = false) {
+  if (!force && __allFoldersCache) return __allFoldersCache.slice();
+
+  const res = await fetch('/api/folder/getFolderList.php?ts=' + Date.now(), {
+    credentials: 'include',
+    cache: 'no-store',
+    headers: { 'Cache-Control': 'no-store' }
+  });
+  const data = await safeJson(res).catch(() => []);
+  const list = Array.isArray(data)
+    ? data.map(x => (typeof x === 'string' ? x : x.folder)).filter(Boolean)
+    : [];
+
+  const hidden = new Set(['profile_pics', 'trash']);
+  const cleaned = list
+    .filter(f => f && !hidden.has(f.toLowerCase()))
+    .sort((a, b) => (a === 'root' ? -1 : b === 'root' ? 1 : a.localeCompare(b)));
+
+  __allFoldersCache = cleaned;
+  return cleaned.slice();
+}
 
 async function getUserGrants(username) {
   const res = await fetch(`/api/admin/acl/getGrants.php?user=${encodeURIComponent(username)}`, {
@@ -683,7 +821,7 @@ function renderFolderGrantsUI(username, container, folders, grants) {
   // toolbar
   const toolbar = document.createElement('div');
   toolbar.className = 'folder-access-toolbar';
-toolbar.innerHTML = `
+  toolbar.innerHTML = `
   <input type="text" class="form-control" style="max-width:220px;"
          placeholder="${tf('search_folders', 'Search folders')}" />
 
@@ -717,8 +855,8 @@ toolbar.innerHTML = `
 
   const headerHtml = `
   <div class="folder-access-header">
-    <div class="folder-cell" title="${tf('folder_help','Folder path within FileRise')}">
-      ${tf('folder','Folder')}
+    <div class="folder-cell" title="${tf('folder_help', 'Folder path within FileRise')}">
+      ${tf('folder', 'Folder')}
     </div>
     <div class="perm-col" title="${tf('view_all_help', 'See all files in this folder (everyone’s files)')}">
       ${tf('view_all', 'View (all)')}
@@ -802,7 +940,7 @@ toolbar.innerHTML = `
   }
 
   function refreshInheritance() {
-    const rows = qsa(list, '.folder-access-row').sort((a,b)=> (a.dataset.folder||'').length - (b.dataset.folder||'').length);
+    const rows = qsa(list, '.folder-access-row').sort((a, b) => (a.dataset.folder || '').length - (b.dataset.folder || '').length);
     const managedPrefixes = new Set();
     rows.forEach(row => {
       const folder = row.dataset.folder || "";
@@ -813,13 +951,13 @@ toolbar.innerHTML = `
         if (p && folder !== p && folder.startsWith(p + '/')) { inheritedFrom = p; break; }
       }
       if (inheritedFrom) {
-        const v = qs(row,'input[data-cap="view"]');
-        const w = qs(row,'input[data-cap="write"]');
-        const vo= qs(row,'input[data-cap="viewOwn"]');
+        const v = qs(row, 'input[data-cap="view"]');
+        const w = qs(row, 'input[data-cap="write"]');
+        const vo = qs(row, 'input[data-cap="viewOwn"]');
         if (v) v.checked = true;
         if (w) w.checked = true;
         if (vo) { vo.checked = false; vo.disabled = true; }
-        ['create','upload','edit','rename','copy','delete','extract','shareFile','shareFolder']
+        ['create', 'upload', 'edit', 'rename', 'copy', 'delete', 'extract', 'shareFile', 'shareFolder']
           .forEach(c => { const cb = qs(row, `input[data-cap="${c}"]`); if (cb) cb.checked = true; });
         setRowDisabled(row, true);
         const tag = row.querySelector('.inherited-tag');
@@ -828,8 +966,8 @@ toolbar.innerHTML = `
         setRowDisabled(row, false);
       }
       enforceShareFolderRule(row);
-      const cbView = qs(row,'input[data-cap="view"]');
-      const cbViewOwn = qs(row,'input[data-cap="viewOwn"]');
+      const cbView = qs(row, 'input[data-cap="view"]');
+      const cbViewOwn = qs(row, 'input[data-cap="viewOwn"]');
       if (cbView && cbViewOwn) {
         if (cbView.checked) {
           cbViewOwn.checked = false;
@@ -847,8 +985,8 @@ toolbar.innerHTML = `
     if (!checked && (which === 'view' || which === 'viewOwn')) {
       qsa(row, 'input[type="checkbox"]').forEach(cb => cb.checked = false);
     }
-    const cbView = qs(row,'input[data-cap="view"]');
-    const cbVO = qs(row,'input[data-cap="viewOwn"]');
+    const cbView = qs(row, 'input[data-cap="view"]');
+    const cbVO = qs(row, 'input[data-cap="viewOwn"]');
     if (cbView && cbVO) {
       if (cbView.checked) {
         cbVO.checked = false;
@@ -863,19 +1001,19 @@ toolbar.innerHTML = `
   }
 
   function wireRow(row) {
-    const cbView    = row.querySelector('input[data-cap="view"]');
+    const cbView = row.querySelector('input[data-cap="view"]');
     const cbViewOwn = row.querySelector('input[data-cap="viewOwn"]');
-    const cbWrite   = row.querySelector('input[data-cap="write"]');
-    const cbManage  = row.querySelector('input[data-cap="manage"]');
-    const cbCreate  = row.querySelector('input[data-cap="create"]');
-    const cbUpload  = row.querySelector('input[data-cap="upload"]');
-    const cbEdit    = row.querySelector('input[data-cap="edit"]');
-    const cbRename  = row.querySelector('input[data-cap="rename"]');
-    const cbCopy    = row.querySelector('input[data-cap="copy"]');
-    const cbMove    = row.querySelector('input[data-cap="move"]');
-    const cbDelete  = row.querySelector('input[data-cap="delete"]');
+    const cbWrite = row.querySelector('input[data-cap="write"]');
+    const cbManage = row.querySelector('input[data-cap="manage"]');
+    const cbCreate = row.querySelector('input[data-cap="create"]');
+    const cbUpload = row.querySelector('input[data-cap="upload"]');
+    const cbEdit = row.querySelector('input[data-cap="edit"]');
+    const cbRename = row.querySelector('input[data-cap="rename"]');
+    const cbCopy = row.querySelector('input[data-cap="copy"]');
+    const cbMove = row.querySelector('input[data-cap="move"]');
+    const cbDelete = row.querySelector('input[data-cap="delete"]');
     const cbExtract = row.querySelector('input[data-cap="extract"]');
-    const cbShareF  = row.querySelector('input[data-cap="shareFile"]');
+    const cbShareF = row.querySelector('input[data-cap="shareFile"]');
     const cbShareFo = row.querySelector('input[data-cap="shareFolder"]');
 
     const granular = [cbCreate, cbUpload, cbEdit, cbRename, cbCopy, cbMove, cbDelete, cbExtract];
@@ -885,7 +1023,7 @@ toolbar.innerHTML = `
         if (cbView) cbView.checked = true;
         if (cbWrite) cbWrite.checked = true;
         granular.forEach(cb => { if (cb) cb.checked = true; });
-        if (cbShareF)  cbShareF.checked = true;
+        if (cbShareF) cbShareF.checked = true;
         if (cbShareFo && !cbShareFo.disabled) cbShareFo.checked = true;
       }
     };
@@ -919,7 +1057,7 @@ toolbar.innerHTML = `
         const w = r.querySelector('input[data-cap="write"]');
         const vo = r.querySelector('input[data-cap="viewOwn"]');
         const boxes = [
-          'create','upload','edit','rename','copy','delete','extract','shareFile','shareFolder'
+          'create', 'upload', 'edit', 'rename', 'copy', 'delete', 'extract', 'shareFile', 'shareFolder'
         ].map(c => r.querySelector(`input[data-cap="${c}"]`));
         if (m) m.checked = checked;
         if (v) v.checked = checked;
@@ -932,7 +1070,7 @@ toolbar.innerHTML = `
     };
 
     if (cbManage) cbManage.addEventListener('change', () => { applyManage(); onShareFile(); cascadeManage(cbManage.checked); });
-    if (cbWrite)  cbWrite.addEventListener('change', applyWrite);
+    if (cbWrite) cbWrite.addEventListener('change', applyWrite);
     granular.forEach(cb => { if (cb) cb.addEventListener('change', () => { syncWriteFromGranular(); }); });
     if (cbView) cbView.addEventListener('change', () => { setFromViewChange(row, 'view', cbView.checked); refreshInheritance(); });
     if (cbViewOwn) cbViewOwn.addEventListener('change', () => { setFromViewChange(row, 'viewOwn', cbViewOwn.checked); refreshInheritance(); });
@@ -1004,18 +1142,18 @@ function collectGrantsFrom(container) {
     const folder = row.dataset.folder || row.getAttribute('data-folder');
     if (!folder) return;
     const g = {
-      view:        get(row, 'input[data-cap="view"]'),
-      viewOwn:     get(row, 'input[data-cap="viewOwn"]'),
-      manage:      get(row, 'input[data-cap="manage"]'),
-      create:      get(row, 'input[data-cap="create"]'),
-      upload:      get(row, 'input[data-cap="upload"]'),
-      edit:        get(row, 'input[data-cap="edit"]'),
-      rename:      get(row, 'input[data-cap="rename"]'),
-      copy:        get(row, 'input[data-cap="copy"]'),
-      move:        get(row, 'input[data-cap="move"]'),
-      delete:      get(row, 'input[data-cap="delete"]'),
-      extract:     get(row, 'input[data-cap="extract"]'),
-      shareFile:   get(row, 'input[data-cap="shareFile"]'),
+      view: get(row, 'input[data-cap="view"]'),
+      viewOwn: get(row, 'input[data-cap="viewOwn"]'),
+      manage: get(row, 'input[data-cap="manage"]'),
+      create: get(row, 'input[data-cap="create"]'),
+      upload: get(row, 'input[data-cap="upload"]'),
+      edit: get(row, 'input[data-cap="edit"]'),
+      rename: get(row, 'input[data-cap="rename"]'),
+      copy: get(row, 'input[data-cap="copy"]'),
+      move: get(row, 'input[data-cap="move"]'),
+      delete: get(row, 'input[data-cap="delete"]'),
+      extract: get(row, 'input[data-cap="extract"]'),
+      shareFile: get(row, 'input[data-cap="shareFile"]'),
       shareFolder: get(row, 'input[data-cap="shareFolder"]')
     };
     g.share = !!(g.shareFile || g.shareFolder);
@@ -1074,16 +1212,16 @@ export function openUserPermissionsModal() {
     });
     document.getElementById("saveUserPermissionsBtn").addEventListener("click", async () => {
       const rows = userPermissionsModal.querySelectorAll(".user-permission-row");
-const changes = [];
-rows.forEach(row => {
-  if (row.getAttribute("data-admin") === "1") return; // skip admins
-  const username = String(row.getAttribute("data-username") || "").trim();
-  if (!username) return;
-  const grantsBox = row.querySelector(".folder-grants-box");
-  if (!grantsBox || grantsBox.getAttribute('data-loaded') !== '1') return;
-  const grants = collectGrantsFrom(grantsBox);
-  changes.push({ user: username, grants });
-});
+      const changes = [];
+      rows.forEach(row => {
+        if (row.getAttribute("data-admin") === "1") return; // skip admins
+        const username = String(row.getAttribute("data-username") || "").trim();
+        if (!username) return;
+        const grantsBox = row.querySelector(".folder-grants-box");
+        if (!grantsBox || grantsBox.getAttribute('data-loaded') !== '1') return;
+        const grants = collectGrantsFrom(grantsBox);
+        changes.push({ user: username, grants });
+      });
       try {
         if (changes.length === 0) { showToast(tf("nothing_to_save", "Nothing to save")); return; }
         await sendRequest("/api/admin/acl/saveGrants.php", "POST",
@@ -1284,70 +1422,70 @@ async function loadUserPermissionsList() {
     const folders = await getAllFolders(true);
 
     listContainer.innerHTML = "";
-users.forEach(user => {
-  const isAdmin = (user.role && String(user.role) === "1") || String(user.username).toLowerCase() === "admin";
+    users.forEach(user => {
+      const isAdmin = (user.role && String(user.role) === "1") || String(user.username).toLowerCase() === "admin";
 
-  const row = document.createElement("div");
-  row.classList.add("user-permission-row");
-  row.setAttribute("data-username", user.username);
-  if (isAdmin) row.setAttribute("data-admin", "1"); // mark admins
-  row.style.padding = "6px 0";
+      const row = document.createElement("div");
+      row.classList.add("user-permission-row");
+      row.setAttribute("data-username", user.username);
+      if (isAdmin) row.setAttribute("data-admin", "1"); // mark admins
+      row.style.padding = "6px 0";
 
-  row.innerHTML = `
+      row.innerHTML = `
     <div class="user-perm-header" tabindex="0" role="button" aria-expanded="false"
          style="display:flex;align-items:center;gap:8px;cursor:pointer;padding:6px 8px;border-radius:6px;">
       <span class="perm-caret" style="display:inline-block; transform: rotate(-90deg); transition: transform 120ms ease;">▸</span>
       <strong>${user.username}</strong>
       ${isAdmin ? `<span class="muted" style="margin-left:auto;">Admin (full access)</span>`
-                : `<span class="muted" style="margin-left:auto;">${tf('click_to_edit', 'Click to edit')}</span>`}
+          : `<span class="muted" style="margin-left:auto;">${tf('click_to_edit', 'Click to edit')}</span>`}
     </div>
     <div class="user-perm-details" style="display:none; margin:8px 0 12px;">
       <div class="folder-grants-box" data-loaded="0"></div>
     </div>
   `;
 
-  const header = row.querySelector(".user-perm-header");
-  const details = row.querySelector(".user-perm-details");
-  const caret = row.querySelector(".perm-caret");
-  const grantsBox = row.querySelector(".folder-grants-box");
+      const header = row.querySelector(".user-perm-header");
+      const details = row.querySelector(".user-perm-details");
+      const caret = row.querySelector(".perm-caret");
+      const grantsBox = row.querySelector(".folder-grants-box");
 
-  async function ensureLoaded() {
-    if (grantsBox.dataset.loaded === "1") return;
-    try {
-      let grants;
-      if (isAdmin) {
-        // synthesize full access
-        const ordered = ["root", ...folders.filter(f => f !== "root")];
-        grants = buildFullGrantsForAllFolders(ordered);
-        renderFolderGrantsUI(user.username, grantsBox, ordered, grants);
-        // disable all inputs
-        grantsBox.querySelectorAll('input[type="checkbox"]').forEach(cb => cb.disabled = true);
-      } else {
-        const userGrants = await getUserGrants(user.username);
-        renderFolderGrantsUI(user.username, grantsBox, ["root", ...folders.filter(f => f !== "root")], userGrants);
+      async function ensureLoaded() {
+        if (grantsBox.dataset.loaded === "1") return;
+        try {
+          let grants;
+          if (isAdmin) {
+            // synthesize full access
+            const ordered = ["root", ...folders.filter(f => f !== "root")];
+            grants = buildFullGrantsForAllFolders(ordered);
+            renderFolderGrantsUI(user.username, grantsBox, ordered, grants);
+            // disable all inputs
+            grantsBox.querySelectorAll('input[type="checkbox"]').forEach(cb => cb.disabled = true);
+          } else {
+            const userGrants = await getUserGrants(user.username);
+            renderFolderGrantsUI(user.username, grantsBox, ["root", ...folders.filter(f => f !== "root")], userGrants);
+          }
+          grantsBox.dataset.loaded = "1";
+        } catch (e) {
+          console.error(e);
+          grantsBox.innerHTML = `<div class="muted">${tf("error_loading_user_grants", "Error loading user grants")}</div>`;
+        }
       }
-      grantsBox.dataset.loaded = "1";
-    } catch (e) {
-      console.error(e);
-      grantsBox.innerHTML = `<div class="muted">${tf("error_loading_user_grants", "Error loading user grants")}</div>`;
-    }
-  }
 
-  function toggleOpen() {
-    const willShow = details.style.display === "none";
-    details.style.display = willShow ? "block" : "none";
-    header.setAttribute("aria-expanded", willShow ? "true" : "false");
-    caret.style.transform = willShow ? "rotate(0deg)" : "rotate(-90deg)";
-    if (willShow) ensureLoaded();
-  }
+      function toggleOpen() {
+        const willShow = details.style.display === "none";
+        details.style.display = willShow ? "block" : "none";
+        header.setAttribute("aria-expanded", willShow ? "true" : "false");
+        caret.style.transform = willShow ? "rotate(0deg)" : "rotate(-90deg)";
+        if (willShow) ensureLoaded();
+      }
 
-  header.addEventListener("click", toggleOpen);
-  header.addEventListener("keydown", e => {
-    if (e.key === "Enter" || e.key === " ") { e.preventDefault(); toggleOpen(); }
-  });
+      header.addEventListener("click", toggleOpen);
+      header.addEventListener("keydown", e => {
+        if (e.key === "Enter" || e.key === " ") { e.preventDefault(); toggleOpen(); }
+      });
 
-  listContainer.appendChild(row);
-});
+      listContainer.appendChild(row);
+    });
   } catch (err) {
     console.error(err);
     listContainer.innerHTML = "<p>" + t("error_loading_users") + "</p>";
diff --git a/public/js/appCore.js b/public/js/appCore.js
index 20511be..3332f34 100644
--- a/public/js/appCore.js
+++ b/public/js/appCore.js
@@ -86,7 +86,7 @@ export function initializeApp() {
 
   // Hook DnD relay from fileList area into upload area
   const fileListArea = document.getElementById('fileListContainer');
-  const uploadArea   = document.getElementById('uploadDropArea');
+  const uploadArea = document.getElementById('uploadDropArea');
   if (fileListArea && uploadArea) {
     fileListArea.addEventListener('dragover', e => {
       e.preventDefault();
@@ -136,13 +136,30 @@ export function initializeApp() {
    LOGOUT (shared)
    ========================= */
 export function triggerLogout() {
+  const clearWelcomeFlags = () => {
+    try {
+      // one-per-tab toast guard
+      sessionStorage.removeItem('__fr_welcomed');
+      // if you also used the per-user (all-tabs) guard, clear that too:
+      const u = localStorage.getItem('username') || '';
+      if (u) localStorage.removeItem(`__fr_welcomed_${u}`);
+    } catch { }
+  };
+
   _nativeFetch("/api/auth/logout.php", {
     method: "POST",
     credentials: "include",
     headers: { "X-CSRF-Token": getCsrfToken() }
   })
-    .then(() => window.location.reload(true))
-    .catch(() => { /* no-op */ });
+    .then(() => {
+      clearWelcomeFlags();
+      window.location.reload(true);
+    })
+    .catch(() => {
+      // even if the request fails, clear the flags so the next login can toast
+      clearWelcomeFlags();
+      window.location.reload(true);
+    });
 }
 
 /* =========================
diff --git a/public/js/auth.js b/public/js/auth.js
index 71319df..4de006b 100644
--- a/public/js/auth.js
+++ b/public/js/auth.js
@@ -31,6 +31,49 @@ const currentOIDCConfig = {
 };
 window.currentOIDCConfig = currentOIDCConfig;
 
+
+
+(function installToastFilter() {
+  const isDemoHost = location.hostname.toLowerCase() === 'demo.filerise.net';
+
+  window.__FR_TOAST_FILTER__ = function (msgKeyOrText) {
+    // Suppress the nag while doing TOTP step-up
+    if (window.pendingTOTP && (msgKeyOrText === 'please_log_in_to_continue' ||
+      /please log in/i.test(String(msgKeyOrText)))) {
+      return null; // suppress
+    }
+
+    // Demo host
+    if (isDemoHost && (msgKeyOrText === 'please_log_in_to_continue' ||
+      /please log in/i.test(String(msgKeyOrText)))) {
+      return "Demo site — use:\nUsername: demo\nPassword: demo";
+    }
+
+    // Try to translate keys; pass through plain text
+    try {
+      const maybe = t(msgKeyOrText);
+      if (typeof maybe === 'string' && maybe !== msgKeyOrText) return maybe;
+    } catch { }
+    return msgKeyOrText;
+  };
+})();
+
+function queueWelcomeToast(name) {
+  const uname = String(name || '').trim().slice(0, 80);
+  if (!uname) return;
+  // show immediately (if we don’t reload instantly)
+  try {
+    window.dispatchEvent(new CustomEvent('filerise:toast', {
+      detail: { message: `Welcome back, ${uname}!`, duration: 2000 }
+    }));
+  } catch { }
+
+  // and persist for after-reload (flushed by main.js on boot)
+  try {
+    sessionStorage.setItem('welcomeMessage', `Welcome back, ${uname}!`);
+  } catch { }
+}
+
 /* ----------------- TOTP & Toast Overrides ----------------- */
 // detect if we’re in a pending‑TOTP state
 window.pendingTOTP = new URLSearchParams(window.location.search).get('totp_required') === '1';
@@ -72,45 +115,51 @@ const originalFetch = window.fetch;
  * @param {object} options
  * @returns {Promise<Response>}
  */
+
 export async function fetchWithCsrf(url, options = {}) {
-  // 1) Merge in credentials + header
-  options = {
-    credentials: 'include',
-    ...options,
-  };
+  const original = window.fetch.bind(window);
+  const wantJson = (options.headers && /json/i.test(options.headers['Content-Type'] || '')) || typeof options.body === 'string' && options.body.trim().startsWith('{');
+
+  options = { credentials: 'include', ...options };
   options.headers = {
-    ...(options.headers || {}),
-    'X-CSRF-Token': window.csrfToken,
+    'Accept': 'application/json',
+    ...(options.headers || {})
   };
-
-  // 2) First attempt
-  let res = await originalFetch(url, options);
-
-  // 3) If we got a 403, try to refresh token & retry
-  if (res.status === 403) {
-    // 3a) See if the server gave us a new token header
-    let newToken = res.headers.get('X-CSRF-Token');
-    // 3b) Otherwise fall back to the /api/auth/token endpoint
-    if (!newToken) {
-      const tokRes = await originalFetch('/api/auth/token.php', { credentials: 'include' });
-      if (tokRes.ok) {
-        const body = await tokRes.json();
-        newToken = body.csrf_token;
-      }
-    }
-    if (newToken) {
-      // 3c) Update global + meta
-      window.csrfToken = newToken;
-      const meta = document.querySelector('meta[name="csrf-token"]');
-      if (meta) meta.content = newToken;
-
-      // 3d) Retry the original request with the new token
-      options.headers['X-CSRF-Token'] = newToken;
-      res = await originalFetch(url, options);
-    }
+  if (window.csrfToken) {
+    options.headers['X-CSRF-Token'] = window.csrfToken;
   }
 
-  // 4) Return the real Response—no body peeking here!
+  async function retryWithFreshCsrf(asFormFallback = false) {
+    const tokRes = await original('/api/auth/token.php', { credentials: 'include' });
+    if (tokRes.ok) {
+      const body = await tokRes.json().catch(() => ({}));
+      if (body?.csrf_token) {
+        window.csrfToken = body.csrf_token;
+        const meta = document.querySelector('meta[name="csrf-token"]');
+        if (meta) meta.content = body.csrf_token;
+        options.headers['X-CSRF-Token'] = body.csrf_token;
+      }
+    }
+    if (asFormFallback && wantJson) {
+      // convert JSON body into x-www-form-urlencoded
+      const orig = options.body && typeof options.body === 'string' ? JSON.parse(options.body) : {};
+      options.body = toFormBody(orig);
+      options.headers['Content-Type'] = 'application/x-www-form-urlencoded';
+    }
+    return original(url, options);
+  }
+
+  let res = await original(url, options);
+
+  // If API doesn’t like JSON or token is stale
+  if (res.status === 400 || res.status === 403 || res.status === 415) {
+    // 1) retry with fresh CSRF keeping same encoding
+    res = await retryWithFreshCsrf(false);
+    if (!res.ok && wantJson) {
+      // 2) retry again as form-encoded
+      res = await retryWithFreshCsrf(true);
+    }
+  }
   return res;
 }
 
@@ -191,13 +240,13 @@ export function loadAdminConfigFunc() {
 
       document.title = headerTitle;
       const lo = config.loginOptions || {};
-      localStorage.setItem("disableFormLogin",  String(!!lo.disableFormLogin));
-      localStorage.setItem("disableBasicAuth",  String(!!lo.disableBasicAuth));
-      localStorage.setItem("disableOIDCLogin",  String(!!lo.disableOIDCLogin));
-      localStorage.setItem("globalOtpauthUrl",  config.globalOtpauthUrl || "otpauth://totp/{label}?secret={secret}&issuer=FileRise");
+      localStorage.setItem("disableFormLogin", String(!!lo.disableFormLogin));
+      localStorage.setItem("disableBasicAuth", String(!!lo.disableBasicAuth));
+      localStorage.setItem("disableOIDCLogin", String(!!lo.disableOIDCLogin));
+      localStorage.setItem("globalOtpauthUrl", config.globalOtpauthUrl || "otpauth://totp/{label}?secret={secret}&issuer=FileRise");
       // These may be absent for non-admins; default them
-      localStorage.setItem("authBypass",        String(!!lo.authBypass));
-      localStorage.setItem("authHeaderName",    lo.authHeaderName || "X-Remote-User");
+      localStorage.setItem("authBypass", String(!!lo.authBypass));
+      localStorage.setItem("authHeaderName", lo.authHeaderName || "X-Remote-User");
 
       updateLoginOptionsUIFromStorage();
 
@@ -253,14 +302,14 @@ export async function updateAuthenticatedUI(data) {
   if (loading) loading.remove();
 
   // 2) Show main UI
-  document.querySelector('.main-wrapper').style.display    = '';
-  document.getElementById('loginForm').style.display       = 'none';
+  document.querySelector('.main-wrapper').style.display = '';
+  document.getElementById('loginForm').style.display = 'none';
   toggleVisibility("loginForm", false);
   toggleVisibility("mainOperations", true);
   toggleVisibility("uploadFileForm", true);
   toggleVisibility("fileListContainer", true);
-  attachEnterKeyListener("removeUserModal",   "deleteUserBtn");
-  attachEnterKeyListener("changePasswordModal","saveNewPasswordBtn");
+  attachEnterKeyListener("removeUserModal", "deleteUserBtn");
+  attachEnterKeyListener("changePasswordModal", "saveNewPasswordBtn");
   document.querySelector(".header-buttons").style.visibility = "visible";
 
   // 3) Persist auth flags (unchanged)
@@ -271,9 +320,9 @@ export async function updateAuthenticatedUI(data) {
     localStorage.setItem("username", data.username);
   }
   if (typeof data.folderOnly !== "undefined") {
-    localStorage.setItem("folderOnly",   data.folderOnly   ? "true" : "false");
-    localStorage.setItem("readOnly",     data.readOnly     ? "true" : "false");
-    localStorage.setItem("disableUpload",data.disableUpload? "true" : "false");
+    localStorage.setItem("folderOnly", data.folderOnly ? "true" : "false");
+    localStorage.setItem("readOnly", data.readOnly ? "true" : "false");
+    localStorage.setItem("disableUpload", data.disableUpload ? "true" : "false");
   }
 
   // 4) Fetch up-to-date profile picture — ALWAYS overwrite localStorage
@@ -282,7 +331,7 @@ export async function updateAuthenticatedUI(data) {
 
   // 5) Build / update header buttons
   const headerButtons = document.querySelector(".header-buttons");
-  const firstButton   = headerButtons.firstElementChild;
+  const firstButton = headerButtons.firstElementChild;
 
   // a) restore-from-trash for admins
   if (data.isAdmin) {
@@ -290,8 +339,8 @@ export async function updateAuthenticatedUI(data) {
     if (!r) {
       r = document.createElement("button");
       r.id = "restoreFilesBtn";
-      r.classList.add("btn","btn-warning");
-      r.setAttribute("data-i18n-title","trash_restore_delete");
+      r.classList.add("btn", "btn-warning");
+      r.setAttribute("data-i18n-title", "trash_restore_delete");
       r.innerHTML = '<i class="material-icons">restore_from_trash</i>';
       if (firstButton) insertAfter(r, firstButton);
       else headerButtons.appendChild(r);
@@ -308,8 +357,8 @@ export async function updateAuthenticatedUI(data) {
     if (!a) {
       a = document.createElement("button");
       a.id = "adminPanelBtn";
-      a.classList.add("btn","btn-info");
-      a.setAttribute("data-i18n-title","admin_panel");
+      a.classList.add("btn", "btn-info");
+      a.setAttribute("data-i18n-title", "admin_panel");
       a.innerHTML = '<i class="material-icons">admin_panel_settings</i>';
       insertAfter(a, document.getElementById("restoreFilesBtn"));
       a.addEventListener("click", openAdminPanel);
@@ -330,19 +379,19 @@ export async function updateAuthenticatedUI(data) {
       : `<i class="material-icons">account_circle</i>`;
 
     // fallback username if missing
-    const usernameText = data.username 
-      || localStorage.getItem("username") 
+    const usernameText = data.username
+      || localStorage.getItem("username")
       || "";
 
     if (!dd) {
       dd = document.createElement("div");
-      dd.id    = "userDropdown";
+      dd.id = "userDropdown";
       dd.classList.add("user-dropdown");
 
       // toggle button
       const toggle = document.createElement("button");
-      toggle.id    = "userDropdownToggle";
-      toggle.classList.add("btn","btn-user");
+      toggle.id = "userDropdownToggle";
+      toggle.classList.add("btn", "btn-user");
       toggle.setAttribute("title", t("user_settings"));
       toggle.innerHTML = `
         ${avatarHTML}
@@ -464,6 +513,14 @@ function checkAuthentication(showLoginToast = true) {
         }
         updateAuthenticatedUI(data);
         return data;
+
+        // at the end of updateAuthenticatedUI(data)
+        if (!window.__FR_FLAGS?.initialized && typeof initializeApp === 'function') {
+          initializeApp();
+          window.__FR_FLAGS.initialized = true;
+        }
+        if (typeof applyTranslations === 'function') applyTranslations();
+        if (typeof updateLoginOptionsUIFromStorage === 'function') updateLoginOptionsUIFromStorage();
       } else {
         const overlay = document.getElementById('loadingOverlay');
         if (overlay) overlay.remove();
@@ -484,53 +541,162 @@ function checkAuthentication(showLoginToast = true) {
 }
 
 /* ----------------- Authentication Submission ----------------- */
+async function primeCsrfStrict() {
+  const r = await fetch('/api/auth/token.php', { credentials: 'include' });
+  const j = await r.json().catch(() => ({}));
+  if (!r.ok || !j.csrf_token) throw new Error('CSRF missing');
+  window.csrfToken = j.csrf_token;
+  const m = document.querySelector('meta[name="csrf-token"]');
+  if (m) m.content = j.csrf_token;
+}
+
+function toFormBody(obj) {
+  const p = new URLSearchParams();
+  for (const [k, v] of Object.entries(obj || {})) p.set(k, v == null ? '' : String(v));
+  return p.toString();
+}
+
+async function safeJson(res) {
+  const ct = res.headers.get('content-type') || '';
+  if (!/application\/json/i.test(ct)) return null;
+  try { return await res.clone().json(); } catch { return null; }
+}
+
+async function sniffTOTP(res, bodyMaybe) {
+  if (res.headers.get('X-TOTP-Required') === '1') return true;
+  if (res.redirected && /[?&]totp_required=1\b/.test(res.url)) return true;
+  const body = bodyMaybe ?? await safeJson(res);
+  if (body && (body.totp_required || body.error === 'TOTP_REQUIRED')) return true;
+  try {
+    const txt = await res.clone().text();
+    if (/\btotp_required\s*=\s*1\b/i.test(txt)) return true;
+  } catch { }
+  return false;
+}
+
+async function isAuthedNow() {
+  try {
+    const r = await fetch('/api/auth/checkAuth.php', { credentials: 'include' });
+    const j = await r.json().catch(() => ({}));
+    return !!j.authenticated;
+  } catch { return false; }
+}
+
+function rafTick(times = 2) {
+  return new Promise(res => {
+    const step = () => { if (--times <= 0) res(); else requestAnimationFrame(step); };
+    requestAnimationFrame(step);
+  });
+}
+
+async function fetchAuthSnapshot() {
+  try {
+    const r = await fetch('/api/auth/checkAuth.php', { credentials: 'include' });
+    return await r.json();
+  } catch { return {}; }
+}
+
+async function syncPermissionsToLocalStorage() {
+  try {
+    const r = await fetch('/api/getUserPermissions.php', { credentials: 'include' });
+    const perm = await r.json();
+    if (perm && typeof perm === 'object') {
+      localStorage.setItem('folderOnly', perm.folderOnly ? 'true' : 'false');
+      localStorage.setItem('readOnly', perm.readOnly ? 'true' : 'false');
+      localStorage.setItem('disableUpload', perm.disableUpload ? 'true' : 'false');
+    }
+  } catch { /* non-fatal */ }
+}
+
+// ——— main ———
+let __loginInFlight = false;
+
 async function submitLogin(data) {
-  setLastLoginData(data);
-  window.__lastLoginData = data;
+  if (__loginInFlight) return;
+  __loginInFlight = true;
+
+  const payload = {
+    username: String(data.username || '').trim(),
+    password: String(data.password || '').trim(),
+    remember_me: data.remember_me ? 1 : 0
+  };
+
+  setLastLoginData(payload);
+  window.__lastLoginData = payload;
 
   try {
-    // ─── 1) Get CSRF for the initial auth call ───
-    let res = await fetch("/api/auth/token.php", { credentials: "include" });
-    if (!res.ok) throw new Error("Could not fetch CSRF token");
-    window.csrfToken = (await res.json()).csrf_token;
+    await primeCsrfStrict();
 
-    // ─── 2) Send credentials ───
-    const response = await sendRequest(
-      "/api/auth/auth.php",
-      "POST",
-      data,
-      { "X-CSRF-Token": window.csrfToken }
-    );
+    // Attempt #1 — JSON
+    let res = await fetchWithCsrf('/api/auth/auth.php', {
+      method: 'POST',
+      credentials: 'include',
+      headers: { 'Content-Type': 'application/json', 'Accept': 'application/json' },
+      body: JSON.stringify(payload)
+    });
+    let body = await safeJson(res);
 
-    // ─── 3a) Full login (no TOTP) ───
-    if (response.success || response.status === "ok") {
-      sessionStorage.setItem("welcomeMessage", "Welcome back, " + data.username + "!");
-      // … fetch permissions & reload …
+    // TOTP requested?
+    if (await sniffTOTP(res, body)) {
+      try { await primeCsrfStrict(); } catch { }
+      window.pendingTOTP = true;
       try {
-        const perm = await sendRequest("/api/getUserPermissions.php", "GET");
-        if (perm && typeof perm === "object") {
-          localStorage.setItem("folderOnly", perm.folderOnly ? "true" : "false");
-          localStorage.setItem("readOnly", perm.readOnly ? "true" : "false");
-          localStorage.setItem("disableUpload", perm.disableUpload ? "true" : "false");
-        }
+        const auth = await import('/js/auth.js?v={{APP_QVER}}');
+        if (typeof auth.openTOTPLoginModal === 'function') auth.openTOTPLoginModal();
       } catch { }
-      return window.location.reload();
+      return;
     }
 
-    // ─── 3b) TOTP required ───
-    if (response.totp_required) {
-      // **Refresh** CSRF before the TOTP verify call
-      res = await fetch("/api/auth/token.php", { credentials: "include" });
-      if (res.ok) {
-        window.csrfToken = (await res.json()).csrf_token;
-      }
-      // now open the modal—any totp_verify fetch from here on will use the new token
-      return openTOTPLoginModal();
+    // Full success (no TOTP)
+    if (body && (body.success || body.status === 'ok' || body.authenticated)) {
+
+      await syncPermissionsToLocalStorage();
+      return afterLogin();
     }
 
-    // ─── 3c) Too many attempts ───
-    if (response.error && response.error.includes("Too many failed login attempts")) {
-      showToast(response.error);
+    // Cookie set but non-JSON body — double check session
+    if (!body && await isAuthedNow()) {
+
+      await syncPermissionsToLocalStorage();
+
+      return afterLogin();
+    }
+
+    // Attempt #2 — form fallback
+    res = await fetchWithCsrf('/api/auth/auth.php', {
+      method: 'POST',
+      credentials: 'include',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json' },
+      body: toFormBody(payload)
+    });
+    body = await safeJson(res);
+
+    if (await sniffTOTP(res, body)) {
+      try { await primeCsrfStrict(); } catch { }
+      window.pendingTOTP = true;
+      try {
+        const auth = await import('/js/auth.js?v={{APP_QVER}}');
+        if (typeof auth.openTOTPLoginModal === 'function') auth.openTOTPLoginModal();
+      } catch { }
+      return;
+    }
+
+    if (body && (body.success || body.status === 'ok' || body.authenticated)) {
+      await syncPermissionsToLocalStorage();
+
+      return afterLogin();
+    }
+
+    if (!body && await isAuthedNow()) {
+
+      await syncPermissionsToLocalStorage();
+
+      return afterLogin();
+    }
+
+    // Rate limit still respected
+    if (body?.error && /Too many failed login attempts/i.test(body.error)) {
+      showToast(body.error);
       const btn = document.querySelector("#authForm button[type='submit']");
       if (btn) {
         btn.disabled = true;
@@ -542,12 +708,12 @@ async function submitLogin(data) {
       return;
     }
 
-    // ─── 3d) Other failures ───
-    showToast("Login failed: " + (response.error || "Unknown error"));
+    showToast('Login failed' + (body?.error ? `: ${body.error}` : ''));
 
-  } catch (err) {
-    const msg = err.message || err.error || "Unknown error";
-    showToast(`Login failed: ${msg}`);
+  } catch (e) {
+    showToast('Login failed: ' + (e.message || 'Unknown error'));
+  } finally {
+    __loginInFlight = false;
   }
 }
 
@@ -763,4 +929,4 @@ document.addEventListener("DOMContentLoaded", function () {
   }
 });
 
-export { initAuth, checkAuthentication };
\ No newline at end of file
+export { initAuth, checkAuthentication, openTOTPLoginModal };
\ No newline at end of file
diff --git a/public/js/defer-css.js b/public/js/defer-css.js
new file mode 100644
index 0000000..a4131e3
--- /dev/null
+++ b/public/js/defer-css.js
@@ -0,0 +1,20 @@
+// Promote any preloaded styles to real stylesheets without inline handlers (CSP-safe)
+document.addEventListener('DOMContentLoaded', () => {
+  // Promote any preloaded core CSS
+  document.querySelectorAll('link[rel="preload"][as="style"][href]').forEach(link => {
+    const href = link.getAttribute('href');
+    if ([...document.querySelectorAll('link[rel="stylesheet"]')]
+          .some(s => s.getAttribute('href') === href)) return;
+    const sheet = document.createElement('link');
+    sheet.rel = 'stylesheet';
+    sheet.href = href;
+    document.head.appendChild(sheet);
+  });
+
+
+  // Optionally load non-critical icon/extra font CSS after first paint:
+  const extra = document.createElement('link');
+  extra.rel = 'stylesheet';
+  extra.href = '/css/vendor/material-icons.css?v={{APP_QVER}}';
+  document.head.appendChild(extra);
+});
\ No newline at end of file
diff --git a/public/js/fileActions.js b/public/js/fileActions.js
index 0a43e73..9ee5195 100644
--- a/public/js/fileActions.js
+++ b/public/js/fileActions.js
@@ -31,6 +31,7 @@ document.addEventListener("DOMContentLoaded", function () {
 
   const confirmDelete = document.getElementById("confirmDeleteFiles");
   if (confirmDelete) {
+    confirmDelete.setAttribute("data-default", "");
     confirmDelete.addEventListener("click", function () {
       fetch("/api/file/deleteFiles.php", {
         method: "POST",
@@ -316,6 +317,7 @@ document.addEventListener("DOMContentLoaded", () => {
 
   // 2) Confirm button kicks off the zip+download
   if (confirmZipBtn) {
+    confirmZipBtn.setAttribute("data-default", "");
     confirmZipBtn.addEventListener("click", async () => {
       // a) Validate ZIP filename
       let zipName = document.getElementById("zipFileNameInput").value.trim();
@@ -478,6 +480,7 @@ document.addEventListener("DOMContentLoaded", function () {
   }
   const confirmCopy = document.getElementById("confirmCopyFiles");
   if (confirmCopy) {
+    confirmCopy.setAttribute("data-default", "");
     confirmCopy.addEventListener("click", function () {
       const targetFolder = document.getElementById("copyTargetFolder").value;
       if (!targetFolder) {
@@ -529,6 +532,7 @@ document.addEventListener("DOMContentLoaded", function () {
   }
   const confirmMove = document.getElementById("confirmMoveFiles");
   if (confirmMove) {
+    confirmMove.setAttribute("data-default", "");
     confirmMove.addEventListener("click", function () {
       const targetFolder = document.getElementById("moveTargetFolder").value;
       if (!targetFolder) {
@@ -598,6 +602,7 @@ document.addEventListener("DOMContentLoaded", () => {
 
   const submitBtn = document.getElementById("submitRenameFile");
   if (submitBtn) {
+    submitBtn.setAttribute("data-default", "");
     submitBtn.addEventListener("click", function () {
       const newName = document.getElementById("newFileName").value.trim();
       if (!newName || newName === window.fileToRename) {
diff --git a/public/js/fileEditor.js b/public/js/fileEditor.js
index 805b6e6..12225e9 100644
--- a/public/js/fileEditor.js
+++ b/public/js/fileEditor.js
@@ -7,9 +7,17 @@ import { t } from './i18n.js?v={{APP_QVER}}';
 const EDITOR_PLAIN_THRESHOLD = 5 * 1024 * 1024;  // >5 MiB => force plain text, lighter settings
 const EDITOR_BLOCK_THRESHOLD = 10 * 1024 * 1024; // >10 MiB => block editing
 
-// Lazy-load CodeMirror modes on demand
-//const CM_CDN = "https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.65.5/";
-const CM_LOCAL = "/vendor/codemirror/5.65.5/";
+// ==== CodeMirror lazy loader ===============================================
+const CM_BASE = "/vendor/codemirror/5.65.5/";
+
+// Stamp-friendly helpers (the stamper will replace {{APP_QVER}})
+const coreUrl = (p) => `${CM_BASE}${p}?v={{APP_QVER}}`;
+
+const CORE = {
+  js:  coreUrl("codemirror.min.js"),
+  css: coreUrl("codemirror.min.css"),
+  themeCss: coreUrl("theme/material-darker.min.css"),
+};
 
 // Which mode file to load for a given name/mime
 const MODE_URL = {
@@ -40,6 +48,13 @@ const MODE_URL = {
   "text/x-kotlin":  "mode/clike/clike.min.js?v={{APP_QVER}}"
 };
 
+// Mode dependency graph
+const MODE_DEPS = {
+  "htmlmixed": ["xml", "javascript", "css"],
+  "application/x-httpd-php": ["htmlmixed", "text/x-csrc"], // php overlays + clike bits
+  "markdown": ["xml"]
+};
+
 // Map any mime/alias to the key we use in MODE_URL
 function normalizeModeName(modeOption) {
   const name = typeof modeOption === "string" ? modeOption : (modeOption && modeOption.name);
@@ -49,62 +64,78 @@ function normalizeModeName(modeOption) {
   return name;
 }
 
-const MODE_LOAD_TIMEOUT_MS = 2500; // allow closing immediately; don't wait forever
+const _loadedScripts = new Set();
+const _loadedCss = new Set();
+let _corePromise = null;
 
 function loadScriptOnce(url) {
   return new Promise((resolve, reject) => {
-    const ver = (window.APP_VERSION ?? 'dev').replace(/^v/, ''); // "v1.6.9" -> "1.6.9"
-    const withQS = url; //+ '?v=' + ver;
-
-    const key = `cm:${withQS}`;
-    let s = document.querySelector(`script[data-key="${key}"]`);
-    if (s) {
-      if (s.dataset.loaded === "1") return resolve();
-      s.addEventListener("load", resolve);
-      s.addEventListener("error", () => reject(new Error(`Load failed: ${withQS}`)));
-      return;
-    }
-    s = document.createElement("script");
-    s.src = withQS;
+    if (_loadedScripts.has(url)) return resolve();
+    const s = document.createElement("script");
+    s.src = url;
     s.async = true;
-    s.dataset.key = key;
-    s.addEventListener("load", () => { s.dataset.loaded = "1"; resolve(); });
-    s.addEventListener("error", () => reject(new Error(`Load failed: ${withQS}`)));
+    s.onload = () => { _loadedScripts.add(url); resolve(); };
+    s.onerror = () => reject(new Error(`Load failed: ${url}`));
     document.head.appendChild(s);
   });
 }
 
+function loadCssOnce(href) {
+  return new Promise((resolve, reject) => {
+    if (_loadedCss.has(href)) return resolve();
+    const l = document.createElement("link");
+    l.rel = "stylesheet";
+    l.href = href;
+    l.onload = () => { _loadedCss.add(href); resolve(); };
+    l.onerror = () => reject(new Error(`Load failed: ${href}`));
+    document.head.appendChild(l);
+  });
+}
+
+async function ensureCore() {
+  if (_corePromise) return _corePromise;
+  _corePromise = (async () => {
+    // load CSS first to avoid FOUC
+    await loadCssOnce(CORE.css);
+    await loadCssOnce(CORE.themeCss);
+    if (!window.CodeMirror) {
+      await loadScriptOnce(CORE.js);
+    }
+  })();
+  return _corePromise;
+}
+
+async function loadSingleMode(name) {
+  const rel = MODE_URL[name];
+  if (!rel) return;
+  // prepend base if needed
+  const url = rel.startsWith("http") ? rel : (rel.startsWith("/") ? rel : (CM_BASE + rel));
+  await loadScriptOnce(url);
+}
+
+function isModeRegistered(name) {
+  return !!(
+    (window.CodeMirror?.modes && window.CodeMirror.modes[name]) ||
+    (window.CodeMirror?.mimeModes && window.CodeMirror.mimeModes[name])
+  );
+}
 
 async function ensureModeLoaded(modeOption) {
-  if (!window.CodeMirror) return;
-
+  await ensureCore();
   const name = normalizeModeName(modeOption);
   if (!name) return;
-
-  const isRegistered = () =>
-    (window.CodeMirror?.modes && window.CodeMirror.modes[name]) ||
-    (window.CodeMirror?.mimeModes && window.CodeMirror.mimeModes[name]);
-
-  if (isRegistered()) return;
-
-  const url = MODE_URL[name];
-  if (!url) return; // unknown -> stay in text/plain
-
-  // Dependencies
-  if (name === "htmlmixed") {
-    await Promise.all([
-      ensureModeLoaded("xml"),
-      ensureModeLoaded("css"),
-      ensureModeLoaded("javascript")
-    ]);
+  if (isModeRegistered(name)) return;
+  const deps = MODE_DEPS[name] || [];
+  for (const d of deps) {
+    if (!isModeRegistered(d)) await loadSingleMode(d);
   }
-  if (name === "application/x-httpd-php") {
-    await ensureModeLoaded("htmlmixed");
-  }
-
-  await loadScriptOnce(CM_LOCAL + url);
+  await loadSingleMode(name);
 }
 
+// Public helper for callers (we keep your existing function name in use):
+const MODE_LOAD_TIMEOUT_MS = 2500; // allow closing immediately; don't wait forever
+// ==== /CodeMirror lazy loader ===============================================
+
 function getModeForFile(fileName) {
   const dot = fileName.lastIndexOf(".");
   const ext = dot >= 0 ? fileName.slice(dot + 1).toLowerCase() : "";
@@ -215,7 +246,7 @@ export function editFile(fileName, folder) {
         </div>
         <textarea id="fileEditor" class="editor-textarea">${escapeHTML(content)}</textarea>
         <div class="editor-footer">
-          <button id="saveBtn" class="btn btn-primary" disabled>${t("save")}</button>
+          <button id="saveBtn" class="btn btn-primary" data-default disabled>${t("save")} </button>
           <button id="closeBtn" class="btn btn-secondary">${t("close")}</button>
         </div>
       `;
@@ -246,20 +277,20 @@ export function editFile(fileName, folder) {
       const theme = isDarkMode ? "material-darker" : "default";
       const desiredMode = forcePlainText ? "text/plain" : getModeForFile(fileName);
 
-      // Helper to check whether a mode is currently registered
-      const modeName = typeof desiredMode === "string" ? desiredMode : (desiredMode && desiredMode.name);
-      const isModeRegistered = () =>
-        (window.CodeMirror?.modes && window.CodeMirror.modes[modeName]) ||
-        (window.CodeMirror?.mimeModes && window.CodeMirror.mimeModes[modeName]);
-
-      // Start mode loading (don’t block closing)
-      const modePromise = ensureModeLoaded(desiredMode);
+      // Start core+mode loading (don’t block closing)
+      const modePromise = (async () => {
+        await ensureCore();                 // load CM core + CSS
+        if (!forcePlainText) {
+          await ensureModeLoaded(desiredMode); // then load the needed mode + deps
+        }
+      })();
 
       // Wait up to MODE_LOAD_TIMEOUT_MS; then proceed with whatever is available
       const timeout = new Promise((res) => setTimeout(res, MODE_LOAD_TIMEOUT_MS));
 
       Promise.race([modePromise, timeout]).then(() => {
         if (canceled) return;
+
         if (!window.CodeMirror) {
           // Core not present: keep plain <textarea>; enable Save and bail gracefully
           document.getElementById("saveBtn").disabled = false;
@@ -267,7 +298,9 @@ export function editFile(fileName, folder) {
           return;
         }
 
-        const initialMode = (forcePlainText || !isModeRegistered()) ? "text/plain" : desiredMode;
+        const normName = normalizeModeName(desiredMode) || "text/plain";
+        const initialMode = (forcePlainText || !isModeRegistered(normName)) ? "text/plain" : desiredMode;
+
         const cmOptions = {
           lineNumbers: !forcePlainText,
           mode: initialMode,
@@ -319,8 +352,11 @@ export function editFile(fileName, folder) {
 
         // If we started in plain text due to timeout, flip to the real mode once it arrives
         modePromise.then(() => {
-          if (!canceled && !forcePlainText && isModeRegistered()) {
-            editor.setOption("mode", desiredMode);
+          if (!canceled && !forcePlainText) {
+            const nn = normalizeModeName(desiredMode);
+            if (nn && isModeRegistered(nn)) {
+              editor.setOption("mode", desiredMode);
+            }
           }
         }).catch(() => {
           // If the mode truly fails to load, we just stay in plain text
diff --git a/public/js/fileListView.js b/public/js/fileListView.js
index b04c61a..84a4d76 100644
--- a/public/js/fileListView.js
+++ b/public/js/fileListView.js
@@ -205,29 +205,84 @@ function wireSelectAll(fileListContent) {
   /**
    * Fuse.js fuzzy search helper
    */
-  function searchFiles(searchTerm) {
-    if (!searchTerm) return fileData;
-  
-    let keys = [
-      { name: 'name', weight: 0.1 },
-      { name: 'uploader', weight: 0.1 },
-      { name: 'tags.name', weight: 0.1 }
-    ];
-    if (window.advancedSearchEnabled) {
-      keys.push({ name: 'content', weight: 0.7 });
-    }
-  
+  // --- Lazy Fuse loader (drop-in, CSP-safe, no inline) ---
+const FUSE_SRC = '/vendor/fuse/6.6.2/fuse.min.js?v={{APP_QVER}}';
+let _fuseLoadingPromise = null;
+
+function loadScriptOnce(src) {
+  // cache by src so we don't append multiple <script> tags
+  if (loadScriptOnce._cache?.has(src)) return loadScriptOnce._cache.get(src);
+  loadScriptOnce._cache = loadScriptOnce._cache || new Map();
+  const p = new Promise((resolve, reject) => {
+    const s = document.createElement('script');
+    s.src = src;
+    s.async = true;
+    s.onload = resolve;
+    s.onerror = () => reject(new Error(`Failed to load ${src}`));
+    document.head.appendChild(s);
+  });
+  loadScriptOnce._cache.set(src, p);
+  return p;
+}
+
+function lazyLoadFuse() {
+  if (window.Fuse) return Promise.resolve(window.Fuse);
+  if (!_fuseLoadingPromise) {
+    _fuseLoadingPromise = loadScriptOnce(FUSE_SRC).then(() => window.Fuse);
+  }
+  return _fuseLoadingPromise;
+}
+
+// (Optional) warm-up call you can trigger from main.js after first render:
+//   import { warmUpSearch } from './fileListView.js?v={{APP_QVER}}';
+//   warmUpSearch();
+// This just starts fetching Fuse in the background.
+export function warmUpSearch() {
+  lazyLoadFuse().catch(() => {/* ignore; we’ll fall back */});
+}
+
+// Lazy + backward-compatible search
+function searchFiles(searchTerm) {
+  if (!searchTerm) return fileData;
+
+  // kick off Fuse load in the background, but don't await
+  lazyLoadFuse().catch(() => { /* ignore */ });
+
+  // keys config (matches your original)
+  const fuseKeys = [
+    { name: 'name',      weight: 0.1 },
+    { name: 'uploader',  weight: 0.1 },
+    { name: 'tags.name', weight: 0.1 }
+  ];
+  if (window.advancedSearchEnabled) {
+    fuseKeys.push({ name: 'content', weight: 0.7 });
+  }
+
+  // If Fuse is present, use it right away (synchronous API)
+  if (window.Fuse) {
     const options = {
-      keys: keys,
+      keys: fuseKeys,
       threshold: 0.4,
       minMatchCharLength: 2,
       ignoreLocation: true
     };
-  
-    const fuse = new Fuse(fileData, options);
-    let results = fuse.search(searchTerm);
-    return results.map(result => result.item);
+    const fuse = new window.Fuse(fileData, options);
+    const results = fuse.search(searchTerm);
+    return results.map(r => r.item);
   }
+
+  // Fallback (first keystrokes before Fuse finishes loading):
+  // simple case-insensitive substring match on the same fields
+  const q = String(searchTerm).toLowerCase();
+  const hay = (v) => (v == null ? '' : String(v)).toLowerCase();
+  return fileData.filter(item => {
+    if (hay(item.name).includes(q)) return true;
+    if (hay(item.uploader).includes(q)) return true;
+    if (Array.isArray(item.tags) && item.tags.some(t => hay(t?.name).includes(q))) return true;
+    if (window.advancedSearchEnabled && hay(item.content).includes(q)) return true;
+    return false;
+  });
+}
   
   /**
    * View mode toggle
diff --git a/public/js/i18n.js b/public/js/i18n.js
index 32335a1..ba66d38 100644
--- a/public/js/i18n.js
+++ b/public/js/i18n.js
@@ -247,7 +247,7 @@ const translations = {
     "login_options": "Login Options",
     "disable_login_form": "Disable Login Form",
     "disable_basic_http_auth": "Disable Basic HTTP Auth",
-    "disable_oidc_login": "Disable OIDC Login",
+    "disable_oidc_login": "Disable OIDC Login (OIDC Config Required to enable)",
     "save_settings": "Save Settings",
     "at_least_one_login_method": "At least one login method must remain enabled.",
     "settings_updated_successfully": "Settings updated successfully.",
diff --git a/public/js/main.js b/public/js/main.js
index dc751a7..dff7ab6 100644
--- a/public/js/main.js
+++ b/public/js/main.js
@@ -1,215 +1,916 @@
-// /js/main.js
-import { sendRequest } from './networkUtils.js?v={{APP_QVER}}';
-import { toggleVisibility, toggleAllCheckboxes, updateFileActionButtons, showToast } from './domUtils.js?v={{APP_QVER}}';
-import { initUpload } from './upload.js?v={{APP_QVER}}';
-import { initAuth, fetchWithCsrf, checkAuthentication, loadAdminConfigFunc } from './auth.js?v={{APP_QVER}}';
-import { loadFolderTree } from './folderManager.js?v={{APP_QVER}}';
-import { setupTrashRestoreDelete } from './trashRestoreDelete.js?v={{APP_QVER}}';
-import { initDragAndDrop, loadSidebarOrder, loadHeaderOrder } from './dragAndDrop.js?v={{APP_QVER}}';
-import { initTagSearch, openTagModal, filterFilesByTag } from './fileTags.js?v={{APP_QVER}}';
-import { displayFilePreview } from './filePreview.js?v={{APP_QVER}}';
-import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
-import { initFileActions, renameFile, openDownloadModal, confirmSingleDownload } from './fileActions.js?v={{APP_QVER}}';
-import { editFile, saveFile } from './fileEditor.js?v={{APP_QVER}}';
-import { t, applyTranslations, setLocale } from './i18n.js?v={{APP_QVER}}';
+// /js/main.js — light bootstrap
 
-// NEW: import shared helpers from appCore (moved out of main.js)
-import {
-  initializeApp,
-  loadCsrfToken,
-  triggerLogout,
-  setCsrfToken,
-  getCsrfToken
-} from './appCore.js?v={{APP_QVER}}';
+// ---- Toast bridge (global, early, race-proof) ----
+(function installToastBridge() {
+  if (window.__FR_TOAST_BRIDGE__) return;
+  window.__FR_TOAST_BRIDGE__ = true;
 
-/* =========================
-   CSRF HOTFIX UTILITIES
-   ========================= */
-// Keep a handle to the native fetch so wrappers never recurse
-const _nativeFetch = window.fetch.bind(window);
+  window.__FR_TOAST_Q = window.__FR_TOAST_Q || [];     // queued toasts until real toast is ready
+  window.__REAL_TOAST__ = window.__REAL_TOAST__ || null; // set later once domUtils is loaded
+  window.__FR_TOAST_FILTER__ = window.__FR_TOAST_FILTER__ || null; // filter hook (auth.js)
 
-// Seed CSRF from storage ASAP (before any requests)
-setCsrfToken(getCsrfToken());
+  window.showToast = function (msgOrKey, duration) {
+    // Let auth.js (or anyone) rewrite/suppress messages centrally.
+    try {
+      if (typeof window.__FR_TOAST_FILTER__ === 'function') {
+        const out = window.__FR_TOAST_FILTER__(msgOrKey);
+        if (out === null) return;           // suppressed
+        msgOrKey = out;                     // rewritten/translated
+      }
+    } catch { }
 
-// Wrap fetch so *all* callers get CSRF header + token rotation, without recursion
-async function fetchWithCsrfAndRefresh(input, init = {}) {
-  const headers = new Headers(init?.headers || {});
-  const token = getCsrfToken();
-
-  if (token && !headers.has('X-CSRF-Token')) {
-    headers.set('X-CSRF-Token', token);
-  }
-
-  const res = await _nativeFetch(input, {
-    credentials: 'include',
-    ...init,
-    headers,
-  });
-
-  try {
-    const rotated = res.headers?.get('X-CSRF-Token');
-    if (rotated) setCsrfToken(rotated);
-  } catch { /* ignore */ }
-
-  return res;
-}
-
-// Avoid double-wrapping if this module re-evaluates for any reason
-if (!window.fetch || !window.fetch._frWrapped) {
-  const wrapped = fetchWithCsrfAndRefresh;
-  Object.defineProperty(wrapped, '_frWrapped', { value: true });
-  window.fetch = wrapped;
-}
-
-/* =========================
-   SAFE API HELPERS
-   ========================= */
-export async function apiGETJSON(url, opts = {}) {
-  const res = await fetch(url, { credentials: "include", ...opts });
-  if (res.status === 401) throw new Error("auth");
-  if (res.status === 403) throw new Error("forbidden");
-  if (!res.ok) throw new Error(`http ${res.status}`);
-  try { return await res.json(); } catch { return {}; }
-}
-
-export async function apiPOSTJSON(url, body, opts = {}) {
-  const headers = {
-    "Content-Type": "application/json",
-    "X-CSRF-Token": getCsrfToken(),
-    ...(opts.headers || {})
+    if (typeof window.__REAL_TOAST__ === 'function') {
+      return window.__REAL_TOAST__(msgOrKey, duration);
+    }
+    window.__FR_TOAST_Q.push([msgOrKey, duration]);
   };
-  const res = await fetch(url, {
-    method: "POST",
-    credentials: "include",
-    headers,
-    body: JSON.stringify(body ?? {}),
-    ...opts
+
+  // Optional: generic event bridge
+  window.addEventListener('filerise:toast', (e) => {
+    const { message, duration } = (e && e.detail) || {};
+    if (message) window.showToast(message, duration);
   });
-  if (res.status === 401) throw new Error("auth");
-  if (res.status === 403) throw new Error("forbidden");
-  if (!res.ok) throw new Error(`http ${res.status}`);
-  try { return await res.json(); } catch { return {}; }
-}
+})();
 
-// Optional: expose on window for legacy callers
-window.apiGETJSON = apiGETJSON;
-window.apiPOSTJSON = apiPOSTJSON;
-window.triggerLogout = triggerLogout; // expose the moved helper
+async function ensureToastReady() {
+  if (window.__REAL_TOAST__) return;
+  try {
+    const dom = await import('/js/domUtils.js?v={{APP_QVER}}');  // real toast
+    const real = dom.showToast || ((m, d) => console.log('TOAST:', m, d));
 
-// Global handler to keep UX friendly if something forgets to catch
-window.addEventListener("unhandledrejection", (ev) => {
-  const msg = (ev?.reason && ev.reason.message) || "";
-  if (msg === "auth") {
-    showToast(t("please_sign_in_again") || "Please sign in again.", "error");
-    ev.preventDefault();
-  } else if (msg === "forbidden") {
-    showToast(t("no_access_to_resource") || "You don’t have access to that.", "error");
-    ev.preventDefault();
+    // (Optional) “false-negative to success” normalizer
+    const normalized = function (msg, dur) {
+      try {
+        const m = (msg || '').toString().toLowerCase();
+        if (/does not exist|already exist|not found/.test(m) && window.__FR_LAST_OK) {
+          window.__FR_LAST_OK = false;
+          return real('Done.', dur);
+        }
+      } catch { }
+      return real(msg, dur);
+    };
+
+    window.__REAL_TOAST__ = normalized;
+
+    // Flush anything that queued before domUtils was ready
+    const q = window.__FR_TOAST_Q || [];
+    window.__FR_TOAST_Q = [];
+    q.forEach(([m, d]) => window.__REAL_TOAST__(m, d));
+  } catch {
+    window.__REAL_TOAST__ = (m, d) => console.log('TOAST:', m, d);
   }
-});
-
-/* =========================
-   BOOTSTRAP
-   ========================= */
-const params = new URLSearchParams(window.location.search);
-if (params.get('logout') === '1') {
-  localStorage.removeItem("username");
-  localStorage.removeItem("userTOTPEnabled");
 }
 
-document.addEventListener("DOMContentLoaded", function () {
-  // Load site config early (safe subset)
-  loadAdminConfigFunc();
+function wireModalEnterDefault() {
+  if (window.__FR_FLAGS.wired.enterDefault) return;
+  window.__FR_FLAGS.wired.enterDefault = true;
 
-  // i18n
-  const savedLanguage = localStorage.getItem("language") || "en";
-  setLocale(savedLanguage);
-  applyTranslations();
+  document.addEventListener('keydown', (e) => {
+    if (e.key !== 'Enter' || e.shiftKey || e.ctrlKey || e.metaKey || e.altKey) return;
 
-  // 1) Get/refresh CSRF first
-  loadCsrfToken()
-    .then(() => {
-      // 2) Auth boot
-      initAuth();
+    // don’t hijack multiline inputs or anything explicitly opted-out
+    const tgt = e.target;
+    if (tgt && (tgt.tagName === 'TEXTAREA' || tgt.isContentEditable || tgt.closest('[data-no-enter]'))) return;
 
-      // 3) If authenticated, start app
-      checkAuthentication().then(authenticated => {
-        if (authenticated) {
-          const overlay = document.getElementById('loadingOverlay');
-          if (overlay) overlay.remove();
-          initializeApp();
-        }
-      });
+    // pick the topmost visible modal
+    const modal = Array.from(document.querySelectorAll('.modal')).reverse().find(m => {
+      const s = getComputedStyle(m);
+      return s.display !== 'none' && s.visibility !== 'hidden' && s.pointerEvents !== 'none';
+    });
+    if (!modal) return;
 
-      // --- Dark Mode Persistence ---
-      const darkModeToggle = document.getElementById("darkModeToggle");
-      const darkModeIcon = document.getElementById("darkModeIcon");
+    const btn = modal.querySelector('[data-default]');
+    if (!btn || btn.disabled) return;
 
-      if (darkModeToggle && darkModeIcon) {
-        let stored = localStorage.getItem("darkMode");
-        const hasStored = stored !== null;
+    e.preventDefault();
+    btn.click();
+  }, true); // capture so we beat other handlers
+}
 
-        const isDark = hasStored
-          ? (stored === "true")
-          : (window.matchMedia && window.matchMedia("(prefers-color-scheme: dark)").matches);
+// One-shot guards
+window.__FR_FLAGS = window.__FR_FLAGS || {
+  booted: false,
+  initialized: false,
+  domReadyFired: false,
+  wired: Object.create(null)
+};
 
-        document.body.classList.toggle("dark-mode", isDark);
-        darkModeToggle.classList.toggle("active", isDark);
+window.__FR_FLAGS.bootPromise = window.__FR_FLAGS.bootPromise || null;
+window.__FR_FLAGS.entryStarted = window.__FR_FLAGS.entryStarted || false;
 
-        function updateIcon() {
-          const dark = document.body.classList.contains("dark-mode");
-          darkModeIcon.textContent = dark ? "light_mode" : "dark_mode";
-          darkModeToggle.setAttribute("aria-label", dark ? t("light_mode") : t("dark_mode"));
-          darkModeToggle.setAttribute("title", dark ? t("switch_to_light_mode") : t("switch_to_dark_mode"));
-        }
-        updateIcon();
+// ---- Result guard + request coalescer (dedupe) ----
+(function installResultGuardAndCoalescer() {
+  if (window.__FR_FETCH_GUARD_INSTALLED) return;
+  window.__FR_FETCH_GUARD_INSTALLED = true;
 
-        darkModeToggle.addEventListener("click", () => {
-          const nowDark = document.body.classList.toggle("dark-mode");
-          localStorage.setItem("darkMode", nowDark ? "true" : "false");
-          updateIcon();
-        });
+  const nativeFetch = window.fetch.bind(window);
+  window.__FR_LAST_OK = false;
 
-        if (!hasStored && window.matchMedia) {
-          window.matchMedia("(prefers-color-scheme: dark)").addEventListener("change", e => {
-            document.body.classList.toggle("dark-mode", e.matches);
-            updateIcon();
-          });
+  const inFlight = new Map(); // key -> { ts, promise }
+
+  function normalizeUrl(u) {
+    try {
+      const url = new URL(u, window.location.origin);
+      // Keep path + stable query ordering
+      const params = new URLSearchParams(url.search);
+      const sorted = new URLSearchParams();
+      [...params.keys()].sort().forEach(k => sorted.set(k, params.get(k)));
+      return url.pathname + (sorted.toString() ? '?' + sorted.toString() : '');
+    } catch { return String(u || ''); }
+  }
+
+  async function toStableBody(init) {
+    const b = init && init.body;
+    if (!b) return '';
+    try {
+      if (typeof b === 'string') {
+        // try JSON
+        try {
+          const j = JSON.parse(b);
+          // remove volatile fields like csrf
+          delete j.csrf; delete j.csrf_token; delete j._;
+          return 'JSON:' + JSON.stringify(j, Object.keys(j).sort());
+        } catch {
+          // maybe urlencoded
+          const p = new URLSearchParams(b);
+          ['csrf', 'csrf_token', '_'].forEach(k => p.delete(k));
+          return 'FORM:' + [...p.entries()].map(([k, v]) => `${k}=${v}`).sort().join('&');
         }
       }
-      // --- End Dark Mode Persistence ---
+    } catch { }
+    return 'B:' + String(b);
+  }
 
-      const message = sessionStorage.getItem("welcomeMessage");
-      if (message) {
-        showToast(message);
-        sessionStorage.removeItem("welcomeMessage");
-      }
-    })
-    .catch(error => {
-      console.error("Initialization halted due to CSRF token load failure.", error);
+  window.fetch = async (input, init = {}) => {
+    const method = (init.method || 'GET').toUpperCase();
+    const urlKey = normalizeUrl(typeof input === 'string' ? input : (input && input.url) || '');
+    const bodyKey = await toStableBody(init);
+    const key = method + ' ' + urlKey + ' ' + bodyKey;
+
+    const now = Date.now();
+    const existing = inFlight.get(key);
+    if (existing && (now - existing.ts) < 800) {
+      // coalesce: return the same promise
+      return existing.promise.then(r => r.clone());
+    }
+
+    // 1) Only coalesce mutating methods
+    if (!['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) {
+      return nativeFetch(input, init);
+    }
+
+    // 2) Only same-origin API calls
+    const isSameOrigin = (typeof input === 'string')
+      ? input.startsWith('/') || input.startsWith(location.origin)
+      : new URL(input.url).origin === location.origin;
+    const urlPath = (typeof input === 'string') ? input : new URL(input.url).pathname;
+    if (!isSameOrigin || !urlPath.startsWith('/api/')) {
+      return nativeFetch(input, init);
+    }
+
+    // 3) Never touch downloads/streams
+    if (urlPath.includes('download') || urlPath.includes('zip')) {
+      return nativeFetch(input, init);
+    }
+
+    // 4) Kill switch (handy for debugging)
+    if (window.__FR_DISABLE_COALESCE) {
+      return nativeFetch(input, init);
+    }
+
+    const p = nativeFetch(input, init).then(async (res) => {
+      try {
+        const clone = res.clone();
+        let okJson = null;
+        try { okJson = await clone.json(); } catch { }
+        const okFlag = res.ok && okJson && (
+          okJson.success === true || okJson.status === 'ok' || okJson.result === 'ok'
+        );
+        window.__FR_LAST_OK = !!okFlag;
+      } catch { }
+      return res;
+    }).finally(() => {
+      // let it linger briefly so very-rapid duplicates still coalesce
+      setTimeout(() => inFlight.delete(key), 200);
     });
 
-  // --- Auto-scroll During Drag ---
-  const SCROLL_THRESHOLD = 50;
-  const SCROLL_SPEED = 20;
-  document.addEventListener("dragover", function (e) {
-    if (e.clientY < SCROLL_THRESHOLD) {
-      window.scrollBy(0, -SCROLL_SPEED);
-    } else if (e.clientY > window.innerHeight - SCROLL_THRESHOLD) {
-      window.scrollBy(0, SCROLL_SPEED);
+    inFlight.set(key, { ts: now, promise: p });
+    return p.then(r => r.clone());
+  };
+
+  // Gentle toast normalizer (compatible with showToast(message, duration))
+  const origToast = window.showToast;
+  if (typeof origToast === 'function' && !origToast.__frWrapped) {
+    const wrapped = function (msg, maybeDuration) {
+      try {
+        const m = (msg || '').toString().toLowerCase();
+        const looksWrong =
+          /does not exist|already exist|not found/.test(m) &&
+          window.__FR_LAST_OK === true;
+        if (looksWrong) {
+          window.__FR_LAST_OK = false;
+          // Keep default duration if not numeric
+          const dur = (typeof maybeDuration === 'number') ? maybeDuration : undefined;
+          return origToast('Done.', dur);
+        }
+      } catch { }
+      const dur = (typeof maybeDuration === 'number') ? maybeDuration : undefined;
+      return origToast(msg, dur);
+    };
+    wrapped.__frWrapped = true;
+    window.showToast = wrapped;
+  }
+})();
+
+
+function bindDragAutoScroll() {
+  if (window.__FR_FLAGS.wired.dragScroll) return;
+  window.__FR_FLAGS.wired.dragScroll = true;
+
+  const THRESH = 50;
+  const SPEED = 20;
+  document.addEventListener('dragover', (e) => {
+    const y = e && typeof e.clientY === 'number' ? e.clientY : null;
+    if (y == null) return;
+    if (y < THRESH) window.scrollBy(0, -SPEED);
+    else if (y > (window.innerHeight - THRESH)) window.scrollBy(0, SPEED);
+  }, { passive: true });
+}
+
+function bindClickIfMissing(id, fnName) {
+  const el = document.getElementById(id);
+  if (!el || el.__bound) return;
+  el.__bound = true;
+
+  el.addEventListener('click', async (e) => {
+    e.preventDefault();
+    if (el.dataset.busy === '1') return;
+    el.dataset.busy = '1';
+
+    try {
+      const acts = await ensureFileActionsLoaded();
+      if (acts && typeof acts[fnName] === 'function') {
+        await acts[fnName]();
+      }
+      // if API said success but no positive toast happened, give a neutral one
+      if (window.__FR_LAST_OK === true && typeof window.showToast === 'function') {
+        window.showToast('Done.', 'success');
+        window.__FR_LAST_OK = false;
+      }
+    } catch (err) {
+      console.warn(`[wire] ${fnName} error`, err);
+    } finally {
+      const modal = el.closest('.modal'); if (modal) modal.style.display = 'none';
+      setTimeout(() => { el.dataset.busy = '0'; }, 600); // short cooldown
     }
+  }, true);
+}
+
+function dispatchLegacyReadyOnce() {
+  if (window.__FR_FLAGS.domReadyFired) return;
+  window.__FR_FLAGS.domReadyFired = true;
+  try { document.dispatchEvent(new Event('DOMContentLoaded')); } catch { }
+  try { window.dispatchEvent(new Event('load')); } catch { }
+}
+
+// -------- username label ( --------
+function wireUserNameLabel(state) {
+  const username = (state && state.username) || localStorage.getItem('username') || '';
+  const btn = document.getElementById('userDropdownToggle') || document.getElementById('userMenuBtn');
+  if (!btn) return;
+  const label = btn.querySelector('.user-name-label');
+  if (!label) return; // don’t inject new DOM
+  label.textContent = username || '';
+}
+
+// -------- DARK MODE (persist + system fallback + a11y labels) --------
+function applyDarkMode({ fromSystemChange = false } = {}) {
+  let stored = null;
+  try { stored = localStorage.getItem('darkMode'); } catch { }
+
+  // If no stored pref, fall back to system
+  let isDark = (stored === null)
+    ? (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches)
+    : (stored === '1' || stored === 'true');
+
+  const root = document.documentElement;
+  const body = document.body;
+
+  [root, body].forEach(el => {
+    if (!el) return;
+    el.classList.toggle('dark-mode', isDark);
+    el.setAttribute('data-theme', isDark ? 'dark' : 'light');
   });
-});
 
-// Expose functions for inline handlers 
-window.sendRequest = sendRequest;
-window.toggleVisibility = toggleVisibility;
-window.toggleAllCheckboxes = toggleAllCheckboxes;
-window.editFile = editFile;
-window.saveFile = saveFile;
-window.renameFile = renameFile;
-window.confirmSingleDownload = confirmSingleDownload;
-window.openDownloadModal = openDownloadModal;
+  const btn = document.getElementById('darkModeToggle');
+  const icon = document.getElementById('darkModeIcon');
+  if (icon) icon.textContent = isDark ? 'light_mode' : 'dark_mode';
 
-// Global variable for the current folder (initial default; initializeApp will update)
-window.currentFolder = "root";
\ No newline at end of file
+  if (btn) {
+    const ttOn = (typeof t === 'function' ? t('switch_to_dark_mode') : 'Switch to dark mode');
+    const ttOff = (typeof t === 'function' ? t('switch_to_light_mode') : 'Switch to light mode');
+    const aria = (typeof t === 'function' ? (isDark ? t('light_mode') : t('dark_mode')) : (isDark ? 'Light mode' : 'Dark mode'));
+
+    btn.classList.toggle('active', isDark);
+    btn.setAttribute('aria-label', aria);
+    btn.setAttribute('title', isDark ? ttOff : ttOn);
+  }
+}
+
+function bindDarkMode() {
+  const btn = document.getElementById('darkModeToggle');
+  if (btn && !btn.__bound) {
+    btn.__bound = true;
+    applyDarkMode(); // apply once on boot
+
+    btn.addEventListener('click', () => {
+      // Toggle relative to current DOM state
+      const isDarkNext = !(document.documentElement.classList.contains('dark-mode') || document.body.classList.contains('dark-mode'));
+      try { localStorage.setItem('darkMode', isDarkNext ? '1' : '0'); } catch { }
+      applyDarkMode();
+    });
+  }
+
+  // Listen to system changes only if user has NOT set a preference
+  if (!window.__FR_FLAGS.wired.sysDarkMO) {
+    window.__FR_FLAGS.wired.sysDarkMO = true;
+    let stored = null; try { stored = localStorage.getItem('darkMode'); } catch { }
+    if (stored === null && window.matchMedia) {
+      const mq = window.matchMedia('(prefers-color-scheme: dark)');
+      const handler = () => applyDarkMode({ fromSystemChange: true });
+      try { mq.addEventListener('change', handler); } catch { mq.addListener(handler); }
+    }
+  }
+}
+
+(function () {
+  // ---------- tiny utils ----------
+  const $ = (s, root = document) => root.querySelector(s);
+  const $$ = (s, root = document) => Array.from(root.querySelectorAll(s));
+  const show = (el) => {
+    if (!el) return;
+    el.hidden = false; el.classList?.remove('d-none', 'hidden');
+    el.style.display = 'block'; el.style.visibility = 'visible'; el.style.opacity = '1';
+  };
+  const hide = (el) => { if (!el) return; el.style.display = 'none'; };
+  const setMeta = (name, val) => {
+    let m = document.querySelector(`meta[name="${name}"]`);
+    if (!m) { m = document.createElement('meta'); m.name = name; document.head.appendChild(m); }
+    m.content = val;
+  };
+
+  // ---------- site config / auth ----------
+  function applySiteConfig(cfg) {
+    try {
+      const title = (cfg && cfg.header_title) ? String(cfg.header_title) : 'FileRise';
+      document.title = title;
+      const h1 = document.querySelector('.header-title h1'); if (h1) h1.textContent = title;
+
+      const lo = (cfg && cfg.loginOptions) ? cfg.loginOptions : {};
+      const disableForm = !!lo.disableFormLogin;
+      const disableOIDC = !!lo.disableOIDCLogin;
+      const disableBasic = !!lo.disableBasicAuth;
+
+      const row = $('#loginForm'); if (row) row.style.display = disableForm ? 'none' : '';
+      const oidc = $('#oidcLoginBtn'); if (oidc) oidc.style.display = disableOIDC ? 'none' : '';
+      const basic = document.querySelector('a[href="/api/auth/login_basic.php"]');
+      if (basic) basic.style.display = disableBasic ? 'none' : '';
+    } catch { }
+  }
+  async function loadSiteConfig() {
+    try {
+      const r = await fetch('/api/siteConfig.php', { credentials: 'include' });
+      const j = await r.json().catch(() => ({})); applySiteConfig(j);
+    } catch { applySiteConfig({}); }
+  }
+  async function primeCsrf() {
+    try {
+      const tr = await fetch('/api/auth/token.php', { credentials: 'include' });
+      const tj = await tr.json().catch(() => ({}));
+      if (tj?.csrf_token) { setMeta('csrf-token', tj.csrf_token); window.csrfToken = tj.csrf_token; try { localStorage.setItem('csrf', tj.csrf_token); } catch { } }
+    } catch { }
+  }
+  async function checkAuth() {
+    try {
+      const r = await fetch('/api/auth/checkAuth.php', { credentials: 'include' });
+      const j = await r.json().catch(() => ({}));
+
+      if (j?.csrf_token) {
+        setMeta('csrf-token', j.csrf_token);
+        window.csrfToken = j.csrf_token;
+        try { localStorage.setItem('csrf', j.csrf_token); } catch { }
+      }
+      if (typeof j?.isAdmin !== 'undefined') {
+        try { localStorage.setItem('isAdmin', j.isAdmin ? '1' : '0'); } catch { }
+      }
+      if (typeof j?.username !== 'undefined') {
+        try { localStorage.setItem('username', j.username || ''); } catch { }
+      }
+
+      const setup = !!j?.setup || !!j?.setup_mode || j?.mode === 'setup' || j?.status === 'setup' || !!j?.requires_setup || !!j?.needs_setup;
+      return { authed: !!j?.authenticated, setup, raw: j };
+    } catch {
+      return { authed: false, setup: false, raw: {} };
+    }
+  }
+
+  // ---- Create dropdown + its two modals  ----
+  function wireCreateDropdown() {
+    const container = document.getElementById('createDropdown');
+    const btn = document.getElementById('createBtn');
+    const menu = document.getElementById('createMenu');
+    const makeF = document.getElementById('createFileOption');
+    const makeD = document.getElementById('createFolderOption');
+    if (!container || !btn || !menu) return;
+
+    // Ensure layout basics
+    if (getComputedStyle(container).position === 'static') container.style.position = 'relative';
+    btn.style.pointerEvents = 'auto';
+    menu.style.pointerEvents = 'auto';
+    menu.style.zIndex = '10010';
+
+    // Show/hide button based on live auth flags
+    const st = (window.__FR_AUTH_STATE || {});
+    const readOnly = !!st.readOnly || (localStorage.getItem('readOnly') === 'true' || localStorage.getItem('readOnly') === '1');
+    const disableUpload = !!st.disableUpload || (localStorage.getItem('disableUpload') === 'true' || localStorage.getItem('disableUpload') === '1');
+    btn.style.display = (!readOnly && !disableUpload) ? 'inline-flex' : 'none';
+
+    let justToggledAt = 0;
+
+    function openMenu() {
+      // Beat any CSS with !important
+      menu.style.setProperty('display', 'block', 'important');
+      btn.setAttribute('aria-expanded', 'true');
+      justToggledAt = Date.now();
+    }
+    function closeMenu() {
+      menu.style.setProperty('display', 'none', 'important');
+      btn.setAttribute('aria-expanded', 'false');
+    }
+    function isOpen() {
+      return getComputedStyle(menu).display !== 'none';
+    }
+
+    if (!btn.__bound) {
+      btn.__bound = true;
+      btn.addEventListener('click', (e) => {
+        e.preventDefault();
+        e.stopPropagation(); // block bubble-phase global closers
+        if (isOpen()) closeMenu(); else openMenu();
+      }, true); // use capture so we run before bubble-phase closers
+    }
+
+    // Close only when clicking truly outside our container.
+    // Use capture and ignore the click that immediately follows our open() call.
+    if (!menu.__outside) {
+      menu.__outside = true;
+      document.addEventListener('click', (e) => {
+        // ignore the same-tick/rapid click that opened the menu
+        if (Date.now() - justToggledAt < 120) return;
+        if (!container.contains(e.target)) closeMenu();
+      }, true); // capture to pre-empt other handlers
+    }
+
+    if (!menu.__esc) {
+      menu.__esc = true;
+      document.addEventListener('keydown', (e) => {
+        if (e.key === 'Escape' && isOpen()) closeMenu();
+      });
+    }
+
+    const openModal = (id) => {
+      const m = document.getElementById(id);
+      if (m) { m.style.display = 'block'; closeMenu(); }
+    };
+    if (makeF && !makeF.__bound) { makeF.__bound = true; makeF.addEventListener('click', (e) => { e.preventDefault(); openModal('createFileModal'); }); }
+    if (makeD && !makeD.__bound) { makeD.__bound = true; makeD.addEventListener('click', (e) => { e.preventDefault(); openModal('createFolderModal'); }); }
+  }
+
+  // ---- Modal cancel safety ----
+  function bindCancelSafeties() {
+    const ids = [
+      '#cancelDeleteFiles', '#cancelCopyFiles', '#cancelMoveFiles', '#cancelDownloadZip', '#cancelDownloadFile',
+      '#cancelCreateFile', '#cancelMoveFolder', '#cancelRenameFolder', '#cancelDeleteFolder', '#closeRestoreModal'
+    ];
+    ids.forEach(id => {
+      const el = document.querySelector(id);
+      if (el && !el.__safe) {
+        el.__safe = true;
+        el.addEventListener('click', (e) => {
+          e.preventDefault();
+          const modal = el.closest('.modal');
+          if (modal) modal.style.display = 'none';
+        });
+      }
+    });
+  }
+
+  function keepCreateDropdownWired() {
+    if (window.__FR_FLAGS.wired.keepCreateMO) return;
+    window.__FR_FLAGS.wired.keepCreateMO = true;
+    const mo = new MutationObserver(() => {
+      const btn = document.getElementById('createBtn');
+      const menu = document.getElementById('createMenu');
+      if (btn && menu && !btn.__bound) wireCreateDropdown();
+    });
+    mo.observe(document.body, { childList: true, subtree: true });
+  }
+
+  // ---- Folder-level helpers: de-dupe selects only when a modal opens ----
+  function dedupeSelect(el) {
+    if (!el) return;
+    const seen = new Set();
+    const rm = [];
+    Array.from(el.options).forEach(opt => {
+      const key = (opt.value || opt.textContent || '').trim();
+      if (!key) return;
+      if (seen.has(key)) rm.push(opt); else seen.add(key);
+    });
+    rm.forEach(o => o.remove());
+  }
+  function dedupeByIdSoon(id) { setTimeout(() => { const el = document.getElementById(id); if (el) dedupeSelect(el); }, 60); }
+
+  function wireFolderButtons() {
+    const open = (id) => { const m = document.getElementById(id); if (m) m.style.display = 'block'; };
+
+    const moveBtn = document.getElementById('moveFolderBtn');
+    if (moveBtn && !moveBtn.__bound) {
+      moveBtn.__bound = true;
+      moveBtn.addEventListener('click', (e) => { e.preventDefault(); open('moveFolderModal'); dedupeByIdSoon('moveFolderTarget'); });
+    }
+
+    const shareBtn = document.getElementById('shareFolderBtn');
+    if (shareBtn && !shareBtn.__bound) {
+      shareBtn.__bound = true;
+      shareBtn.addEventListener('click', (e) => {
+        e.preventDefault();
+        const shareModal = document.getElementById('shareFolderModal');
+        if (shareModal) shareModal.style.display = 'block';
+        else document.dispatchEvent(new CustomEvent('filerise:share-folder', { detail: { folder: window.currentFolder || 'root' } }));
+      });
+    }
+
+    const moveFilesOpenBtn = document.getElementById('moveSelectedBtn');
+    if (moveFilesOpenBtn && !moveFilesOpenBtn.__dedupeHook) {
+      moveFilesOpenBtn.__dedupeHook = true;
+      moveFilesOpenBtn.addEventListener('click', () => dedupeByIdSoon('moveTargetFolder'));
+    }
+  }
+
+  // ---- Lift modals above cards, always clickable ----
+  function liftModals() {
+    document.querySelectorAll('.modal').forEach(m => { m.style.pointerEvents = 'auto'; m.style.zIndex = '10000'; });
+    document.querySelectorAll('.modal .modal-content').forEach(c => { c.style.position = 'relative'; c.style.zIndex = '10001'; });
+  }
+
+  // ---- Title fix after first list ----
+  function updateFileListTitle() {
+    const el = document.getElementById('fileListTitle');
+    if (!el) return;
+    const folder = (window.currentFolder || localStorage.getItem('lastOpenedFolder') || 'root');
+    const name = folder === 'root' ? '(Root)' : folder;
+    el.textContent = `Files in ${name}`;
+    el.setAttribute('data-i18n-key', 'file_list_title');
+  }
+
+  // ---------- SETUP MODE ----------
+  async function createUserSetup(username, password, isAdmin) {
+    const csrf = window.csrfToken || localStorage.getItem('csrf') || '';
+    const headers = { 'Content-Type': 'application/json' };
+    if (csrf) headers['X-CSRF-Token'] = csrf;
+
+    const res = await fetch('/api/addUser.php?setup=1', {
+      method: 'POST',
+      credentials: 'include',
+      headers,
+      body: JSON.stringify({ username, password, isAdmin: true, admin: true, grant_admin: true })
+    });
+
+    let j = {};
+    try { j = await res.json(); } catch { }
+    if (!res.ok || j.error) throw new Error(j.error || `Add user failed (${res.status})`);
+    return true;
+  }
+  function bindSetupAddUser() {
+    const form = document.getElementById('addUserForm');
+    if (!form || form.__bound) return;
+    form.__bound = true;
+
+    form.addEventListener('submit', async (ev) => {
+      ev.preventDefault();
+
+      const usernameEl = document.getElementById('newUsername');
+      const passwordEl = document.getElementById('addUserPassword');
+      const isAdminEl = document.getElementById('isAdmin');
+
+      const username = (usernameEl?.value || '').trim();
+      const password = (passwordEl?.value || '');
+      const isAdmin = isAdminEl ? !!isAdminEl.checked : true;
+
+      if (!username || !password) {
+        alert('Enter a username and password.');
+        (username ? passwordEl : usernameEl)?.focus();
+        return;
+      }
+
+      try {
+        await primeCsrf();
+        await createUserSetup(username, password, isAdmin);
+        const addModal = document.getElementById('addUserModal'); if (addModal) addModal.style.display = 'none';
+        window.setupMode = false;
+        window.location.reload();
+      } catch (e) {
+        alert(e.message || 'Failed to create user. Check server logs.');
+        if (!username) usernameEl?.focus();
+        else if (!password) passwordEl?.focus();
+      }
+    }, true);
+  }
+
+  // ---------- pre-auth login ----------
+  function forceLoginVisible() {
+    show($('#main'));
+    show($('#loginForm'));
+    hide($('.main-wrapper'));
+    const hb = $('.header-buttons'); if (hb) hb.style.visibility = 'hidden';
+    const ov = $('#loadingOverlay'); if (ov) ov.style.display = 'none';
+  }
+  function looksLikeTOTP(res, body) {
+    try {
+      if (res && (res.headers.get('X-TOTP-Required') === '1' ||
+        (res.redirected && /[?&]totp_required=1\b/.test(res.url)))) {
+        return true;
+      }
+      if (body && (body.totp_required === true || body.error === 'TOTP_REQUIRED')) {
+        return true;
+      }
+    } catch { }
+    return false;
+  }
+
+  async function openTotpNow() {
+    // refresh CSRF for the upcoming /totp_verify call
+    try { await primeCsrf(); } catch { }
+    window.pendingTOTP = true;
+    // reuse the function you already export from auth.js
+    try {
+      const auth = await import('/js/auth.js?v={{APP_QVER}}');
+      if (typeof auth.openTOTPLoginModal === 'function') auth.openTOTPLoginModal();
+    } catch (e) {
+      console.warn('Could not import auth.js to open TOTP modal:', e);
+
+      const m = document.getElementById('totpLoginModal'); if (m) m.style.display = 'block';
+    }
+  }
+  function bindLogin() {
+    const oidcBtn = $('#oidcLoginBtn');
+    if (oidcBtn && !oidcBtn.__bound) {
+      oidcBtn.__bound = true;
+      oidcBtn.addEventListener('click', () => { window.location.href = '/api/auth/auth.php?oidc=initiate'; });
+    }
+
+    const form = $('#authForm');
+    if (!form || form.__bound) return;
+    form.__bound = true;
+
+    form.addEventListener('submit', async (ev) => {
+      ev.preventDefault();
+      const username = ($('#loginUsername') || {}).value || '';
+      const password = ($('#loginPassword') || {}).value || '';
+      const remember = !!(document.getElementById('rememberMeCheckbox') || {}).checked;
+
+      await primeCsrf();
+      const csrf = window.csrfToken || localStorage.getItem('csrf') || '';
+
+      // After showing the login form in the not-authed branch
+      (async () => {
+        const qp = new URLSearchParams(location.search);
+        if (qp.get('totp_required') === '1') {
+          try { await primeCsrf(); } catch { }
+          window.pendingTOTP = true;
+          try {
+            const auth = await import('/js/auth.js?v={{APP_QVER}}');
+            if (typeof auth.openTOTPLoginModal === 'function') auth.openTOTPLoginModal();
+          } catch (e) {
+            console.warn('openTOTPLoginModal import failed', e);
+          }
+        }
+      })();
+
+      // JSON first
+      try {
+        const r = await fetch('/api/auth/auth.php', {
+          method: 'POST', credentials: 'include',
+          headers: Object.assign({ 'Content-Type': 'application/json', 'Accept': 'application/json' }, csrf ? { 'X-CSRF-Token': csrf } : {}),
+          body: JSON.stringify({ username: String(username).trim(), password: String(password).trim(), remember_me: !!remember })
+        });
+        const j = await r.clone().json().catch(() => ({}));
+
+        //  TOTP step-up?
+        if (looksLikeTOTP(r, j)) { await openTotpNow(); return; }
+
+        if (j && (j.authenticated || j.success || j.status === 'ok' || j.result === 'ok')) return afterLogin();
+      } catch { }
+
+      // fallback form
+      try {
+        const p = new URLSearchParams();
+        p.set('username', username); p.set('password', password); p.set('remember_me', remember ? '1' : '0');
+        const r2 = await fetch('/api/auth/auth.php', {
+          method: 'POST', credentials: 'include',
+          headers: Object.assign({ 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json' }, csrf ? { 'X-CSRF-Token': csrf } : {}),
+          body: p.toString()
+        });
+        const j2 = await r2.clone().json().catch(() => ({}));
+
+        //  TOTP step-up on fallback too
+        if (looksLikeTOTP(r2, j2)) { await openTotpNow(); return; }
+
+        if (j2 && (j2.authenticated || j2.success || j2.status === 'ok' || j2.result === 'ok')) return afterLogin();
+      } catch { }
+      alert('Login failed');
+    });
+  }
+  function afterLogin() {
+    const start = Date.now();
+    (function poll() {
+      checkAuth().then(({ authed }) => {
+        if (authed) { window.location.reload(); return; }
+        if (Date.now() - start < 5000) return setTimeout(poll, 200);
+        alert('Login session not established');
+      }).catch(() => setTimeout(poll, 250));
+    })();
+  }
+
+  // ---------- SETUP MODE (no flicker) ----------
+  async function bootSetupWizard() {
+    const overlay = document.getElementById('loadingOverlay'); if (overlay) overlay.remove();
+    const wrap = document.querySelector('.main-wrapper'); if (wrap) wrap.style.display = '';
+    const login = document.getElementById('loginForm'); if (login) login.style.display = 'none';
+    const hb = document.querySelector('.header-buttons'); if (hb) hb.style.visibility = 'hidden';
+    (document.getElementById('mainOperations') || {}).style && (document.getElementById('mainOperations').style.display = 'none');
+    (document.getElementById('uploadFileForm') || {}).style && (document.getElementById('uploadFileForm').style.display = 'none');
+    (document.getElementById('fileListContainer') || {}).style && (document.getElementById('fileListContainer').style.display = 'none');
+
+    window.setupMode = true;
+    await primeCsrf();
+
+    try { await import('/js/adminPanel.js?v={{APP_QVER}}'); } catch { }
+    try { document.dispatchEvent(new Event('DOMContentLoaded')); } catch { }
+
+    const addModal = document.getElementById('addUserModal'); if (addModal) addModal.style.display = 'block';
+
+    const lu = document.getElementById('loginUsername'); if (lu) { lu.removeAttribute('autofocus'); lu.disabled = true; }
+    const lp = document.getElementById('loginPassword'); if (lp) lp.disabled = true;
+
+    document.querySelectorAll('[autofocus]').forEach(el => el.removeAttribute('autofocus'));
+    bindSetupAddUser();
+  }
+
+  // ---------- HEAVY BOOT ----------
+  async function bootHeavy() {
+    if (window.__FR_FLAGS.bootPromise) return window.__FR_FLAGS.bootPromise;
+    window.__FR_FLAGS.bootPromise = (async () => {
+      if (window.__FR_FLAGS.booted) return; // no-op if somehow set
+      window.__FR_FLAGS.booted = true;
+      ensureToastReady();
+      // show chrome
+      const wrap = document.querySelector('.main-wrapper'); if (wrap) { wrap.hidden = false; wrap.classList?.remove('d-none', 'hidden'); wrap.style.display = 'block'; }
+      const lf = document.getElementById('loginForm'); if (lf) lf.style.display = 'none';
+      const hb = document.querySelector('.header-buttons'); if (hb) hb.style.visibility = 'visible';
+      const ov = document.getElementById('loadingOverlay'); if (ov) ov.style.display = 'flex';
+
+      try {
+        // 0) refresh auth snapshot (once)
+        let state = {};
+        try {
+          const r = await fetch('/api/auth/checkAuth.php', { credentials: 'include' });
+          state = await r.json();
+          if (state && state.username) localStorage.setItem('username', state.username);
+          if (typeof state.isAdmin !== 'undefined') localStorage.setItem('isAdmin', state.isAdmin ? '1' : '0');
+          window.__FR_AUTH_STATE = state;
+        } catch { }
+
+        // 1) i18n (safe)
+        // i18n: honor saved language first, then apply translations
+        try {
+          const i18n = await import('/js/i18n.js?v={{APP_QVER}}').catch(() => import('/js/i18n.js'));
+          let saved = 'en';
+          try { saved = localStorage.getItem('language') || 'en'; } catch { }
+          if (typeof i18n.setLocale === 'function') { await i18n.setLocale(saved); }
+          if (typeof i18n.applyTranslations === 'function') { i18n.applyTranslations(); }
+          try { document.documentElement.setAttribute('lang', saved); } catch { }
+        } catch { }
+        // 2) core app — **initialize exactly once** (this calls initUpload/initFileActions/loadFolderTree/etc.)
+        const app = await import('/js/appCore.js?v={{APP_QVER}}');
+        if (!window.__FR_FLAGS.initialized) {
+          if (typeof app.loadCsrfToken === 'function') await app.loadCsrfToken();
+          if (typeof app.initializeApp === 'function') app.initializeApp();
+
+          window.__FR_FLAGS.initialized = true;
+
+          // Show "Welcome back, <username>!" only once per tab-session
+          try {
+            if (!sessionStorage.getItem('__fr_welcomed')) {
+              const name = (window.__FR_AUTH_STATE?.username) || localStorage.getItem('username') || '';
+              const safe = String(name).replace(/[\r\n<>]/g, '').trim().slice(0, 60);
+
+              window.showToast(safe ? `Welcome back, ${safe}!` : 'Welcome!', 3000);
+              sessionStorage.setItem('__fr_welcomed', '1'); // prevent repeats on reload
+            }
+          } catch { }
+        }
+
+
+        // 3) auth/header bits — pass real state so “Admin Panel” shows up
+        if (!window.__FR_FLAGS.wired.auth) {
+          try {
+            const auth = await import('/js/auth.js?v={{APP_QVER}}');
+            auth.updateLoginOptionsUIFromStorage && auth.updateLoginOptionsUIFromStorage();
+            auth.applyProxyBypassUI && auth.applyProxyBypassUI();
+            auth.updateAuthenticatedUI && auth.updateAuthenticatedUI(state);
+
+            // ⬇️ bind ALL the admin / change-password buttons once
+            if (!window.__FR_FLAGS.wired.authInit && typeof auth.initAuth === 'function') {
+              try { auth.initAuth(); } catch (e) { console.warn('[auth] initAuth failed', e); }
+              window.__FR_FLAGS.wired.authInit = true;
+            }
+          } catch (e) {
+            console.warn('[auth] import failed', e);
+          }
+          wireUserNameLabel(state);
+          window.__FR_FLAGS.wired.auth = true;
+        }
+
+        // 4) legacy ready **only once** (prevents loops)
+        dispatchLegacyReadyOnce();
+
+        // 5) first file list — once (initializeApp doesn’t fetch list)
+        if (!window.__FR_FLAGS.wired.firstList) {
+          try {
+            const flv = await import('/js/fileListView.js?v={{APP_QVER}}');
+            window.currentFolder ||= 'root';
+            if (typeof flv.loadFileList === 'function') await flv.loadFileList(window.currentFolder);
+            const list = document.getElementById('fileListContainer'); if (list) list.style.display = '';
+            updateFileListTitle();
+          } catch { }
+          window.__FR_FLAGS.wired.firstList = true;
+        }
+        // 6) light UI wiring — once each (no confirm bindings here; your modules own them)
+        if (!window.__FR_FLAGS.wired.dark) { bindDarkMode(); window.__FR_FLAGS.wired.dark = true; }
+        if (!window.__FR_FLAGS.wired.create) { wireCreateDropdown(); window.__FR_FLAGS.wired.create = true; }
+        if (!window.__FR_FLAGS.wired.folder) { wireFolderButtons(); window.__FR_FLAGS.wired.folder = true; }
+        if (!window.__FR_FLAGS.wired.lift) { liftModals(); window.__FR_FLAGS.wired.lift = true; }
+        if (!window.__FR_FLAGS.wired.cancel) { bindCancelSafeties(); window.__FR_FLAGS.wired.cancel = true; }
+        if (!window.__FR_FLAGS.wired.dragScroll) { bindDragAutoScroll(); window.__FR_FLAGS.wired.dragScroll = true; }
+        wireModalEnterDefault();
+
+
+      } catch (e) {
+        console.error('[main] heavy boot failed', e);
+        alert('Failed to load app');
+      } finally {
+        if (ov) ov.style.display = 'none';
+        window.setupMode = false;
+      }
+    })();
+    return window.__FR_FLAGS.bootPromise;
+  }
+
+  // ---------- entry (no flicker: decide state BEFORE showing login) ----------
+  document.addEventListener('DOMContentLoaded', async () => {
+
+
+    if (window.__FR_FLAGS.entryStarted) return;
+    window.__FR_FLAGS.entryStarted = true;
+
+    bindDarkMode();
+    await loadSiteConfig();
+
+    const { authed, setup } = await checkAuth();
+
+    if (setup) { await bootSetupWizard(); return; }
+    if (authed) { await bootHeavy(); return; }
+
+    // login view
+    show(document.querySelector('#main'));
+    show(document.querySelector('#loginForm'));
+    (document.querySelector('.header-buttons') || {}).style && (document.querySelector('.header-buttons').style.visibility = 'hidden');
+    const ov = document.getElementById('loadingOverlay'); if (ov) ov.style.display = 'none';
+    ['uploadCard', 'folderManagementCard'].forEach(id => {
+      const el = document.getElementById(id);
+      if (!el) return;
+      el.style.display = 'none';
+      el.setAttribute('aria-hidden', 'true');
+      try { el.inert = true; } catch { }
+    });
+    bindLogin();
+    wireCreateDropdown();
+    keepCreateDropdownWired();
+    wireModalEnterDefault();
+
+    await ensureToastReady();
+    window.showToast('please_log_in_to_continue', 6000);
+
+  }, { once: true }); // <— important
+})();
\ No newline at end of file
diff --git a/public/js/upload.js b/public/js/upload.js
index 1a5ffcf..064f66b 100644
--- a/public/js/upload.js
+++ b/public/js/upload.js
@@ -36,6 +36,38 @@ function traverseFileTreePromise(item, path = "") {
   });
 }
 
+// --- Lazy loader for Resumable.js (no CSP inline, cached, safe) ---
+const RESUMABLE_SRC = '/vendor/resumable/1.1.0/resumable.min.js?v={{APP_QVER}}';
+let _resumableLoadPromise = null;
+
+function loadScriptOnce(src) {
+  if (loadScriptOnce._cache?.has(src)) return loadScriptOnce._cache.get(src);
+  loadScriptOnce._cache = loadScriptOnce._cache || new Map();
+  const p = new Promise((resolve, reject) => {
+    const s = document.createElement('script');
+    s.src = src;
+    s.async = true;
+    s.onload = resolve;
+    s.onerror = () => reject(new Error(`Failed to load ${src}`));
+    document.head.appendChild(s);
+  });
+  loadScriptOnce._cache.set(src, p);
+  return p;
+}
+
+function lazyLoadResumable() {
+  if (window.Resumable) return Promise.resolve(window.Resumable);
+  if (!_resumableLoadPromise) {
+    _resumableLoadPromise = loadScriptOnce(RESUMABLE_SRC).then(() => window.Resumable);
+  }
+  return _resumableLoadPromise;
+}
+
+// Optional: let main.js prefetch it in the background
+export function warmUpResumable() {
+  lazyLoadResumable().catch(() => {/* ignore warm-up failure */});
+}
+
 // Recursively retrieve files from DataTransfer items.
 function getFilesFromDataTransferItems(items) {
   const promises = [];
@@ -401,36 +433,49 @@ function processFiles(filesInput) {
    Resumable.js Integration for File Picker Uploads
    (Only files chosen via file input use Resumable; folder uploads use original code.)
 ----------------------------------------------------- */
-const useResumable = true; // Enable resumable for file picker uploads
-let resumableInstance;
-function initResumableUpload() {
-  resumableInstance = new Resumable({
-    target: "/api/upload/upload.php",
-    chunkSize: 1.5 * 1024 * 1024,
-    simultaneousUploads: 3,
-    forceChunkSize: true,
-    testChunks: false,
-    withCredentials: true,
-    headers: { 'X-CSRF-Token': window.csrfToken },
-    query: () => ({
-      folder: window.currentFolder || "root",
-      upload_token: window.csrfToken
-    })
+const useResumable = true;
+let resumableInstance = null;
+let _pendingPickedFiles = [];   // files picked before library/instance ready
+let _resumableReady = false;
+
+// Make init async-safe; it resolves when Resumable is constructed
+async function initResumableUpload() {
+  if (resumableInstance) return;
+  // Load the library if needed
+  const ResumableCtor = await lazyLoadResumable().catch(err => {
+    console.error('Failed to load Resumable.js:', err);
+    return null;
   });
+  if (!ResumableCtor) return;
+
+  // Construct the instance once
+  if (!resumableInstance) {
+    resumableInstance = new ResumableCtor({
+      target: "/api/upload/upload.php",
+      chunkSize: 1.5 * 1024 * 1024,
+      simultaneousUploads: 3,
+      forceChunkSize: true,
+      testChunks: false,
+      withCredentials: true,
+      headers: { 'X-CSRF-Token': window.csrfToken },
+      query: () => ({
+        folder: window.currentFolder || "root",
+        upload_token: window.csrfToken
+      })
+    });
+  }
 
   // keep query fresh when folder changes (call this from your folder nav code)
   function updateResumableQuery() {
     if (!resumableInstance) return;
     resumableInstance.opts.headers['X-CSRF-Token'] = window.csrfToken;
-    // if you're not using a function for query, do:
     resumableInstance.opts.query.folder = window.currentFolder || 'root';
     resumableInstance.opts.query.upload_token = window.csrfToken;
   }
 
   const fileInput = document.getElementById("file");
   if (fileInput) {
-    // Assign Resumable to file input for file picker uploads.
-    resumableInstance.assignBrowse(fileInput);
+    
     fileInput.addEventListener("change", function () {
       for (let i = 0; i < fileInput.files.length; i++) {
         resumableInstance.addFile(fileInput.files[i]);
@@ -587,13 +632,24 @@ function initResumableUpload() {
       showToast("Some files failed to upload. Please check the list.");
     }
   });
+
+  _resumableReady = true;
+  if (_pendingPickedFiles.length) {
+    updateResumableQuery();
+    for (const f of _pendingPickedFiles) resumableInstance.addFile(f);
+    _pendingPickedFiles = [];
+  }
+
 }
 
 /* -----------------------------------------------------
    XHR-based submitFiles for Drag–and–Drop (Folder) Uploads
 ----------------------------------------------------- */
 function submitFiles(allFiles) {
-  const folderToUse = window.currentFolder || "root";
+  const folderToUse = (() => {
+    const f = window.currentFolder || "root";
+    try { return decodeURIComponent(f); } catch { return f; }
+  })();
   const progressContainer = document.getElementById("uploadProgressContainer");
   const fileInput = document.getElementById("file");
 
@@ -857,32 +913,48 @@ function initUpload() {
   }
 
   if (fileInput) {
-    fileInput.addEventListener("change", function () {
+    fileInput.addEventListener("change", async function () {
+      const files = Array.from(fileInput.files || []);
+      if (!files.length) return;
+  
       if (useResumable) {
-        // For file picker, if resumable is enabled, let it handle the files.
-        for (let i = 0; i < fileInput.files.length; i++) {
-          resumableInstance.addFile(fileInput.files[i]);
+        // Ensure the lib/instance exists
+        if (!_resumableReady) await initResumableUpload();
+        if (resumableInstance) {
+          for (const f of files) resumableInstance.addFile(f);
+        } else {
+          // If still not ready (load error), fall back to your XHR path
+          processFiles(files);
         }
       } else {
-        processFiles(fileInput.files);
+        processFiles(files);
       }
     });
   }
 
   if (uploadForm) {
-    uploadForm.addEventListener("submit", function (e) {
+    uploadForm.addEventListener("submit", async function (e) {
       e.preventDefault();
       const files = window.selectedFiles || (fileInput ? fileInput.files : []);
-      if (!files || files.length === 0) {
+      if (!files || !files.length) {
         showToast("No files selected.");
         return;
       }
-      // If files come from file picker (no relative path), use Resumable.
-      if (useResumable && (!files[0].customRelativePath || files[0].customRelativePath === "")) {
-        // Ensure current folder is updated.
-        resumableInstance.opts.query.folder = window.currentFolder || "root";
-        resumableInstance.upload();
-        showToast("Resumable upload started...");
+  
+      // Resumable path (only for picked files, not folder uploads)
+      const first = files[0];
+      const isFolderish = !!(first.customRelativePath || first.webkitRelativePath);
+      if (useResumable && !isFolderish) {
+        if (!_resumableReady) await initResumableUpload();
+        if (resumableInstance) {
+          // ensure folder/token fresh
+          resumableInstance.opts.query.folder = window.currentFolder || "root";
+          resumableInstance.upload();
+          showToast("Resumable upload started...");
+        } else {
+          // fallback
+          submitFiles(files);
+        }
       } else {
         submitFiles(files);
       }
diff --git a/src/controllers/AdminController.php b/src/controllers/AdminController.php
index b7397ae..e2d2641 100644
--- a/src/controllers/AdminController.php
+++ b/src/controllers/AdminController.php
@@ -7,55 +7,60 @@ require_once PROJECT_ROOT . '/src/models/AdminModel.php';
 class AdminController
 { 
     public function getConfig(): void
-{
-    header('Content-Type: application/json');
-
-    // Load raw config (no disclosure yet)
-    $config = AdminModel::getConfig();
-    if (isset($config['error'])) {
-        http_response_code(500);
-        echo json_encode(['error' => $config['error']]);
-        exit;
-    }
-
-    // Minimal, safe subset for all callers (unauth users and regular users)
-    $public = [
-        'header_title'        => $config['header_title'] ?? 'FileRise',
-        'loginOptions'        => [
-            // expose only what the login page / header needs
-            'disableFormLogin'  => (bool)($config['loginOptions']['disableFormLogin']  ?? false),
-            'disableBasicAuth'  => (bool)($config['loginOptions']['disableBasicAuth']  ?? false),
-            'disableOIDCLogin'  => (bool)($config['loginOptions']['disableOIDCLogin']  ?? false),
-        ],
-        'globalOtpauthUrl'    => $config['globalOtpauthUrl'] ?? '',
-        'enableWebDAV'        => (bool)($config['enableWebDAV'] ?? false),
-        'sharedMaxUploadSize' => (int)($config['sharedMaxUploadSize'] ?? 0),
-
-        'oidc' => [
-            'providerUrl' => (string)($config['oidc']['providerUrl'] ?? ''),
-            'redirectUri' => (string)($config['oidc']['redirectUri'] ?? ''),
-            // never expose clientId / clientSecret
-        ],
-    ];
-
-    $isAdmin = !empty($_SESSION['authenticated']) && !empty($_SESSION['isAdmin']);
-
-    if ($isAdmin) {
-        // Add admin-only fields (used by Admin Panel UI)
-        $adminExtra = [
-            'loginOptions' => array_merge($public['loginOptions'], [
-                'authBypass'     => (bool)($config['loginOptions']['authBypass']     ?? false),
-                'authHeaderName' => (string)($config['loginOptions']['authHeaderName'] ?? 'X-Remote-User'),
-            ]),
+    {
+        header('Content-Type: application/json; charset=utf-8');
+    
+        $config = AdminModel::getConfig();
+        if (isset($config['error'])) {
+            http_response_code(500);
+            header('Cache-Control: no-store');
+            echo json_encode(['error' => $config['error']], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+            return;
+        }
+    
+        // Whitelisted public subset only
+        $public = [
+            'header_title'        => (string)($config['header_title'] ?? 'FileRise'),
+            'loginOptions'        => [
+                'disableFormLogin' => (bool)($config['loginOptions']['disableFormLogin'] ?? false),
+                'disableBasicAuth' => (bool)($config['loginOptions']['disableBasicAuth'] ?? false),
+                'disableOIDCLogin' => (bool)($config['loginOptions']['disableOIDCLogin'] ?? false),
+            ],
+            'globalOtpauthUrl'    => (string)($config['globalOtpauthUrl'] ?? ''),
+            'enableWebDAV'        => (bool)($config['enableWebDAV'] ?? false),
+            'sharedMaxUploadSize' => (int)($config['sharedMaxUploadSize'] ?? 0),
+            'oidc' => [
+                'providerUrl' => (string)($config['oidc']['providerUrl'] ?? ''),
+                'redirectUri' => (string)($config['oidc']['redirectUri'] ?? ''),
+                // never include clientId/clientSecret
+            ],
         ];
-        echo json_encode(array_merge($public, $adminExtra));
+    
+        $isAdmin = !empty($_SESSION['authenticated']) && !empty($_SESSION['isAdmin']);
+    
+        if ($isAdmin) {
+            // admin-only extras: presence flags + proxy options
+            $adminExtra = [
+                'loginOptions' => array_merge($public['loginOptions'], [
+                    'authBypass'     => (bool)($config['loginOptions']['authBypass'] ?? false),
+                    'authHeaderName' => (string)($config['loginOptions']['authHeaderName'] ?? 'X-Remote-User'),
+                ]),
+                'oidc' => array_merge($public['oidc'], [
+                    'hasClientId'     => !empty($config['oidc']['clientId']),
+                    'hasClientSecret' => !empty($config['oidc']['clientSecret']),
+                ]),
+            ];
+            header('Cache-Control: no-store'); // don’t cache admin config
+            echo json_encode(array_merge($public, $adminExtra), JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+            return;
+        }
+    
+        // Non-admins / unauthenticated: only the public subset
+        header('Cache-Control: no-store');
+        echo json_encode($public, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
         return;
     }
 
-    // Non-admins / unauthenticated: only the public subset
-    echo json_encode($public);
-}
-
     public function updateConfig(): void
     {
         header('Content-Type: application/json');
diff --git a/src/controllers/AuthController.php b/src/controllers/AuthController.php
index 624b014..c76c94c 100644
--- a/src/controllers/AuthController.php
+++ b/src/controllers/AuthController.php
@@ -70,7 +70,10 @@ class AuthController
             if ($oidcAction === 'callback') {
                 try {
                     $oidc->authenticate();
-                    $username = $oidc->requestUserInfo('preferred_username');
+                    $username =
+    $oidc->requestUserInfo('preferred_username')
+    ?: $oidc->requestUserInfo('email')
+    ?: $oidc->requestUserInfo('sub');
 
                     // check if this user has a TOTP secret
                     $totp_secret = null;
diff --git a/src/controllers/UploadController.php b/src/controllers/UploadController.php
index c81c54b..08773c1 100644
--- a/src/controllers/UploadController.php
+++ b/src/controllers/UploadController.php
@@ -52,57 +52,69 @@ class UploadController {
         }
     
         // ---- 3) Folder-level WRITE permission (ACL) ----
-        // Always require client to send the folder; fall back to GET if needed.
-        $folderParam   = isset($_POST['folder']) ? (string)$_POST['folder'] : (isset($_GET['folder']) ? (string)$_GET['folder'] : 'root');
-        $targetFolder  = ACL::normalizeFolder($folderParam);
-    
-        // Admins bypass folder canWrite checks
-        if (!$isAdmin && !ACL::canUpload($username, $userPerms, $targetFolder)) {
-            http_response_code(403);
-            echo json_encode(['error' => 'Forbidden: no write access to folder "'.$targetFolder.'".']);
-            return;
-        }
-    
-        // ---- 4) Delegate to model (actual file/chunk processing) ----
-        // (Optionally re-check in UploadModel before finalizing.)
-        $result = UploadModel::handleUpload($_POST, $_FILES);
-    
-        // ---- 5) Response ----
-        if (isset($result['error'])) {
-            http_response_code(400);
-            echo json_encode($result);
-            return;
-        }
-        if (isset($result['status'])) {
-            // e.g., {"status":"chunk uploaded"}
-            echo json_encode($result);
-            return;
-        }
-    
-        echo json_encode([
-            'success'     => 'File uploaded successfully',
-            'newFilename' => $result['newFilename'] ?? null
-        ]);
+    // Always require client to send the folder; fall back to GET if needed.
+    $folderParam = isset($_POST['folder'])
+        ? (string)$_POST['folder']
+        : (isset($_GET['folder']) ? (string)$_GET['folder'] : 'root');
+
+    // Decode %xx (e.g., "test%20folder") then normalize
+    $folderParam  = rawurldecode($folderParam);
+    $targetFolder = ACL::normalizeFolder($folderParam);
+
+    // Admins bypass folder canWrite checks
+    $username  = (string)($_SESSION['username'] ?? '');
+    $userPerms = loadUserPermissions($username) ?: [];
+    $isAdmin   = ACL::isAdmin($userPerms);
+
+    if (!$isAdmin && !ACL::canUpload($username, $userPerms, $targetFolder)) {
+        http_response_code(403);
+        echo json_encode(['error' => 'Forbidden: no write access to folder "'.$targetFolder.'".']);
+        return;
     }
+
+    // ---- 4) Delegate to model (force the sanitized folder) ----
+    $_POST['folder'] = $targetFolder; // in case model reads superglobal
+    $post = $_POST;
+    $post['folder'] = $targetFolder;
+
+    $result = UploadModel::handleUpload($post, $_FILES);
+
+    // ---- 5) Response (unchanged) ----
+    if (isset($result['error'])) {
+        http_response_code(400);
+        echo json_encode($result);
+        return;
+    }
+    if (isset($result['status'])) {
+        echo json_encode($result);
+        return;
+    }
+
+    echo json_encode([
+        'success'     => 'File uploaded successfully',
+        'newFilename' => $result['newFilename'] ?? null
+    ]);
+}
     
     public function removeChunks(): void {
-        header('Content-Type: application/json');
+    header('Content-Type: application/json');
 
-        $receivedToken = isset($_POST['csrf_token']) ? trim($_POST['csrf_token']) : '';
-        if ($receivedToken !== ($_SESSION['csrf_token'] ?? '')) {
-            http_response_code(403);
-            echo json_encode(['error' => 'Invalid CSRF token']);
-            return;
-        }
-
-        if (!isset($_POST['folder'])) {
-            http_response_code(400);
-            echo json_encode(['error' => 'No folder specified']);
-            return;
-        }
-
-        $folder = (string)$_POST['folder'];
-        $result = UploadModel::removeChunks($folder);
-        echo json_encode($result);
+    $receivedToken = isset($_POST['csrf_token']) ? trim($_POST['csrf_token']) : '';
+    if ($receivedToken !== ($_SESSION['csrf_token'] ?? '')) {
+        http_response_code(403);
+        echo json_encode(['error' => 'Invalid CSRF token']);
+        return;
     }
+
+    if (!isset($_POST['folder'])) {
+        http_response_code(400);
+        echo json_encode(['error' => 'No folder specified']);
+        return;
+    }
+
+    $folderRaw = (string)$_POST['folder'];
+    $folder    = ACL::normalizeFolder(rawurldecode($folderRaw));
+
+    echo json_encode(UploadModel::removeChunks($folder));
+}
 }
\ No newline at end of file
diff --git a/src/models/UploadModel.php b/src/models/UploadModel.php
index 5f99907..1413cb6 100644
--- a/src/models/UploadModel.php
+++ b/src/models/UploadModel.php
@@ -6,231 +6,206 @@ require_once PROJECT_ROOT . '/config/config.php';
 class UploadModel {
 
     private static function sanitizeFolder(string $folder): string {
-                $folder = trim($folder);
-                if ($folder === '' || strtolower($folder) === 'root') return '';
-                // no traversal
-                if (strpos($folder, '..') !== false) return '';
-                // only safe chars + forward slashes
-                if (!preg_match('/^[A-Za-z0-9_\-\/]+$/', $folder)) return '';
-                // normalize: strip leading slashes
-                return ltrim($folder, '/');
+        // decode "%20", normalise slashes & trim via ACL helper
+        $f = ACL::normalizeFolder(rawurldecode($folder));
+
+        // model uses '' to represent root
+        if ($f === 'root') return '';
+
+        // forbid dot segments / empty parts
+        foreach (explode('/', $f) as $seg) {
+            if ($seg === '' || $seg === '.' || $seg === '..') {
+                return '';
             }
+        }
 
+        // allow spaces & unicode via your global regex
+        // (REGEX_FOLDER_NAME validates a path "seg(/seg)*")
+        if (!preg_match(REGEX_FOLDER_NAME, $f)) {
+            return '';
+        }
+
+        return $f; // safe, normalised, with spaces allowed
+    }
 
-    /**
-     * Handles file uploads – supports both chunked uploads and full (non-chunked) uploads.
-     *
-     * @param array $post The $_POST array.
-     * @param array $files The $_FILES array.
-     * @return array Returns an associative array with "success" on success or "error" on failure.
-     */
     public static function handleUpload(array $post, array $files): array {
-        // If this is a GET request for testing chunk existence.
+        // --- GET resumable test (make folder handling consistent)
         if ($_SERVER['REQUEST_METHOD'] === 'GET' && isset($post['resumableTest'])) {
-            $chunkNumber = intval($post['resumableChunkNumber']);
+            $chunkNumber         = (int)($post['resumableChunkNumber'] ?? 0);
             $resumableIdentifier = $post['resumableIdentifier'] ?? '';
-            $folder = isset($post['folder']) ? trim($post['folder']) : 'root';
+            $folderSan           = self::sanitizeFolder((string)($post['folder'] ?? 'root'));
+
             $baseUploadDir = UPLOAD_DIR;
-            if ($folder !== 'root') {
-                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR . $folder . DIRECTORY_SEPARATOR;
+            if ($folderSan !== '') {
+                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
+                               . str_replace('/', DIRECTORY_SEPARATOR, $folderSan) . DIRECTORY_SEPARATOR;
             }
-            $tempDir = $baseUploadDir . 'resumable_' . $resumableIdentifier . DIRECTORY_SEPARATOR;
+
+            $tempDir  = $baseUploadDir . 'resumable_' . $resumableIdentifier . DIRECTORY_SEPARATOR;
             $chunkFile = $tempDir . $chunkNumber;
             return ["status" => file_exists($chunkFile) ? "found" : "not found"];
         }
-        
-        // Handle chunked uploads.
+
+        // --- CHUNKED ---
         if (isset($post['resumableChunkNumber'])) {
-            $chunkNumber         = intval($post['resumableChunkNumber']);
-            $totalChunks         = intval($post['resumableTotalChunks']);
+            $chunkNumber         = (int)$post['resumableChunkNumber'];
+            $totalChunks         = (int)$post['resumableTotalChunks'];
             $resumableIdentifier = $post['resumableIdentifier'] ?? '';
-            $resumableFilename   = urldecode(basename($post['resumableFilename']));
-            
-            // Validate file name.
+            $resumableFilename   = urldecode(basename($post['resumableFilename'] ?? ''));
+
             if (!preg_match(REGEX_FILE_NAME, $resumableFilename)) {
                 return ["error" => "Invalid file name: $resumableFilename"];
             }
-            
-            $folderRaw = $post['folder'] ?? 'root';
-            $folderSan = self::sanitizeFolder((string)$folderRaw);
 
-            
+            $folderSan = self::sanitizeFolder((string)($post['folder'] ?? 'root'));
+
             if (empty($files['file']) || !isset($files['file']['name'])) {
-                        return ["error" => "No files received"];
-                    }
-            
+                return ["error" => "No files received"];
+            }
+
             $baseUploadDir = UPLOAD_DIR;
             if ($folderSan !== '') {
-                                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
-                                               . str_replace('/', DIRECTORY_SEPARATOR, $folderSan) . DIRECTORY_SEPARATOR;
-                            }
+                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
+                               . str_replace('/', DIRECTORY_SEPARATOR, $folderSan) . DIRECTORY_SEPARATOR;
+            }
             if (!is_dir($baseUploadDir) && !mkdir($baseUploadDir, 0775, true)) {
                 return ["error" => "Failed to create upload directory"];
             }
-            
+
             $tempDir = $baseUploadDir . 'resumable_' . $resumableIdentifier . DIRECTORY_SEPARATOR;
             if (!is_dir($tempDir) && !mkdir($tempDir, 0775, true)) {
                 return ["error" => "Failed to create temporary chunk directory"];
             }
-            
+
             $chunkErr = $files['file']['error'] ?? UPLOAD_ERR_NO_FILE;
             if ($chunkErr !== UPLOAD_ERR_OK) {
                 return ["error" => "Upload error on chunk $chunkNumber"];
             }
-            
+
             $chunkFile = $tempDir . $chunkNumber;
-            $tmpName = $files['file']['tmp_name'] ?? null;
+            $tmpName   = $files['file']['tmp_name'] ?? null;
             if (!$tmpName || !move_uploaded_file($tmpName, $chunkFile)) {
                 return ["error" => "Failed to move uploaded chunk $chunkNumber"];
             }
-            
-            // Check if all chunks are present.
-            $allChunksPresent = true;
+
+            // all chunks present?
             for ($i = 1; $i <= $totalChunks; $i++) {
                 if (!file_exists($tempDir . $i)) {
-                    $allChunksPresent = false;
-                    break;
+                    return ["status" => "chunk uploaded"];
                 }
             }
-            if (!$allChunksPresent) {
-                return ["status" => "chunk uploaded"];
-            }
-            
-            // Merge chunks.
+
+            // merge
             $targetPath = $baseUploadDir . $resumableFilename;
             if (!$out = fopen($targetPath, "wb")) {
                 return ["error" => "Failed to open target file for writing"];
             }
             for ($i = 1; $i <= $totalChunks; $i++) {
                 $chunkPath = $tempDir . $i;
-                if (!file_exists($chunkPath)) {
-                    fclose($out);
-                    return ["error" => "Chunk $i missing during merge"];
-                }
-                if (!$in = fopen($chunkPath, "rb")) {
-                    fclose($out);
-                    return ["error" => "Failed to open chunk $i"];
-                }
-                while ($buff = fread($in, 4096)) {
-                    fwrite($out, $buff);
-                }
+                if (!file_exists($chunkPath)) { fclose($out); return ["error" => "Chunk $i missing during merge"]; }
+                if (!$in = fopen($chunkPath, "rb")) { fclose($out); return ["error" => "Failed to open chunk $i"]; }
+                while ($buff = fread($in, 4096)) { fwrite($out, $buff); }
                 fclose($in);
             }
             fclose($out);
-            
-            // Update metadata.
-            $metadataKey = ($folderSan === '') ? "root" : $folderSan;
+
+            // metadata
+            $metadataKey      = ($folderSan === '') ? "root" : $folderSan;
             $metadataFileName = str_replace(['/', '\\', ' '], '-', $metadataKey) . '_metadata.json';
-            $metadataFile = META_DIR . $metadataFileName;
-            $uploadedDate = date(DATE_TIME_FORMAT);
-            $uploader = $_SESSION['username'] ?? "Unknown";
-            $metadataCollection = file_exists($metadataFile) ? json_decode(file_get_contents($metadataFile), true) : [];
-            if (!is_array($metadataCollection)) {
-                $metadataCollection = [];
+            $metadataFile     = META_DIR . $metadataFileName;
+            $uploadedDate     = date(DATE_TIME_FORMAT);
+            $uploader         = $_SESSION['username'] ?? "Unknown";
+            $collection       = file_exists($metadataFile) ? json_decode(file_get_contents($metadataFile), true) : [];
+            if (!is_array($collection)) $collection = [];
+            if (!isset($collection[$resumableFilename])) {
+                $collection[$resumableFilename] = ["uploaded" => $uploadedDate, "uploader" => $uploader];
+                file_put_contents($metadataFile, json_encode($collection, JSON_PRETTY_PRINT));
             }
-            if (!isset($metadataCollection[$resumableFilename])) {
-                $metadataCollection[$resumableFilename] = [
-                    "uploaded" => $uploadedDate,
-                    "uploader" => $uploader
-                ];
-                file_put_contents($metadataFile, json_encode($metadataCollection, JSON_PRETTY_PRINT));
-            }
-            
-            // Cleanup temporary directory.
-            $rrmdir = function($dir) use (&$rrmdir) {
-                if (!is_dir($dir)) return;
-                $iterator = new RecursiveIteratorIterator(
-                    new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
-                    RecursiveIteratorIterator::CHILD_FIRST
-                );
-                foreach ($iterator as $item) {
-                    $item->isDir() ? rmdir($item->getRealPath()) : unlink($item->getRealPath());
-                }
-                rmdir($dir);
-            };
-            $rrmdir($tempDir);
-            
+
+            // cleanup temp
+            self::rrmdir($tempDir);
+
             return ["success" => "File uploaded successfully"];
-        } else {
-                        // Handle full upload (non-chunked)
-                        $folderRaw = $post['folder'] ?? 'root';
-                        $folderSan = self::sanitizeFolder((string)$folderRaw);
-            }
-            
-            $baseUploadDir = UPLOAD_DIR;
-            if ($folderSan !== '') {
-                                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
-                                               . str_replace('/', DIRECTORY_SEPARATOR, $folderSan) . DIRECTORY_SEPARATOR;
-                            }
-            if (!is_dir($baseUploadDir) && !mkdir($baseUploadDir, 0775, true)) {
-                return ["error" => "Failed to create upload directory"];
-            }
-            
-            $safeFileNamePattern = REGEX_FILE_NAME;
-            $metadataCollection = [];
-            $metadataChanged = [];
-            
-            foreach ($files["file"]["name"] as $index => $fileName) {
-                // Basic PHP upload error check per file
-                if (($files['file']['error'][$index] ?? UPLOAD_ERR_OK) !== UPLOAD_ERR_OK) {
-                        return ["error" => "Error uploading file"];
-                    }
-                $safeFileName = trim(urldecode(basename($fileName)));
-                if (!preg_match($safeFileNamePattern, $safeFileName)) {
-                    return ["error" => "Invalid file name: " . $fileName];
-                }
-                $relativePath = '';
-                if (isset($post['relativePath'])) {
-                    $relativePath = is_array($post['relativePath']) ? $post['relativePath'][$index] ?? '' : $post['relativePath'];
-                }
-                $uploadDir = rtrim($baseUploadDir, '/\\') . DIRECTORY_SEPARATOR;
-                if (!empty($relativePath)) {
-                    $subDir = dirname($relativePath);
-                    if ($subDir !== '.' && $subDir !== '') {
-                      // IMPORTANT: build the subfolder under the *current* base folder
-                        $uploadDir = rtrim($baseUploadDir, '/\\') . DIRECTORY_SEPARATOR .
-                                     str_replace('/', DIRECTORY_SEPARATOR, $subDir) . DIRECTORY_SEPARATOR;
-                    }
-                    $safeFileName = basename($relativePath);
-                }
-                if (!is_dir($uploadDir) && !@mkdir($uploadDir, 0775, true)) {
-                    return ["error" => "Failed to create subfolder: " . $uploadDir];
-                }
-                $targetPath = $uploadDir . $safeFileName;
-                if (move_uploaded_file($files["file"]["tmp_name"][$index], $targetPath)) {
-                                        $metadataKey = ($folderSan === '') ? "root" : $folderSan;
-                    $metadataFileName = str_replace(['/', '\\', ' '], '-', $metadataKey) . '_metadata.json';
-                    $metadataFile = META_DIR . $metadataFileName;
-                    if (!isset($metadataCollection[$metadataKey])) {
-                        $metadataCollection[$metadataKey] = file_exists($metadataFile) ? json_decode(file_get_contents($metadataFile), true) : [];
-                        if (!is_array($metadataCollection[$metadataKey])) {
-                            $metadataCollection[$metadataKey] = [];
-                        }
-                        $metadataChanged[$metadataKey] = false;
-                    }
-                    if (!isset($metadataCollection[$metadataKey][$safeFileName])) {
-                        $uploadedDate = date(DATE_TIME_FORMAT);
-                        $uploader = $_SESSION['username'] ?? "Unknown";
-                        $metadataCollection[$metadataKey][$safeFileName] = [
-                            "uploaded" => $uploadedDate,
-                            "uploader" => $uploader
-                        ];
-                        $metadataChanged[$metadataKey] = true;
-                    }
-                } else {
-                    return ["error" => "Error uploading file"];
-                }
-            }
-            
-            foreach ($metadataCollection as $folderKey => $data) {
-                if ($metadataChanged[$folderKey]) {
-                    $metadataFileName = str_replace(['/', '\\', ' '], '-', $folderKey) . '_metadata.json';
-                    $metadataFile = META_DIR . $metadataFileName;
-                    file_put_contents($metadataFile, json_encode($data, JSON_PRETTY_PRINT));
-                }
-            }
-            return ["success" => "Files uploaded successfully"];
         }
+
+        // --- NON-CHUNKED ---
+        $folderSan = self::sanitizeFolder((string)($post['folder'] ?? 'root'));
+
+        $baseUploadDir = UPLOAD_DIR;
+        if ($folderSan !== '') {
+            $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
+                           . str_replace('/', DIRECTORY_SEPARATOR, $folderSan) . DIRECTORY_SEPARATOR;
+        }
+        if (!is_dir($baseUploadDir) && !mkdir($baseUploadDir, 0775, true)) {
+            return ["error" => "Failed to create upload directory"];
+        }
+
+        $safeFileNamePattern = REGEX_FILE_NAME;
+        $metadataCollection  = [];
+        $metadataChanged     = [];
+
+        foreach ($files["file"]["name"] as $index => $fileName) {
+            if (($files['file']['error'][$index] ?? UPLOAD_ERR_OK) !== UPLOAD_ERR_OK) {
+                return ["error" => "Error uploading file"];
+            }
+
+            $safeFileName = trim(urldecode(basename($fileName)));
+            if (!preg_match($safeFileNamePattern, $safeFileName)) {
+                return ["error" => "Invalid file name: " . $fileName];
+            }
+
+            $relativePath = '';
+            if (isset($post['relativePath'])) {
+                $relativePath = is_array($post['relativePath']) ? ($post['relativePath'][$index] ?? '') : $post['relativePath'];
+            }
+
+            $uploadDir = rtrim($baseUploadDir, '/\\') . DIRECTORY_SEPARATOR;
+            if (!empty($relativePath)) {
+                $subDir = dirname($relativePath);
+                if ($subDir !== '.' && $subDir !== '') {
+                    $uploadDir = rtrim($baseUploadDir, '/\\') . DIRECTORY_SEPARATOR
+                               . str_replace('/', DIRECTORY_SEPARATOR, $subDir) . DIRECTORY_SEPARATOR;
+                }
+                $safeFileName = basename($relativePath);
+            }
+
+            if (!is_dir($uploadDir) && !@mkdir($uploadDir, 0775, true)) {
+                return ["error" => "Failed to create subfolder: " . $uploadDir];
+            }
+
+            $targetPath = $uploadDir . $safeFileName;
+            if (!move_uploaded_file($files["file"]["tmp_name"][$index], $targetPath)) {
+                return ["error" => "Error uploading file"];
+            }
+
+            $metadataKey      = ($folderSan === '') ? "root" : $folderSan;
+            $metadataFileName = str_replace(['/', '\\', ' '], '-', $metadataKey) . '_metadata.json';
+            $metadataFile     = META_DIR . $metadataFileName;
+
+            if (!isset($metadataCollection[$metadataKey])) {
+                $metadataCollection[$metadataKey] = file_exists($metadataFile) ? json_decode(file_get_contents($metadataFile), true) : [];
+                if (!is_array($metadataCollection[$metadataKey])) $metadataCollection[$metadataKey] = [];
+                $metadataChanged[$metadataKey] = false;
+            }
+
+            if (!isset($metadataCollection[$metadataKey][$safeFileName])) {
+                $uploadedDate = date(DATE_TIME_FORMAT);
+                $uploader     = $_SESSION['username'] ?? "Unknown";
+                $metadataCollection[$metadataKey][$safeFileName] = ["uploaded" => $uploadedDate, "uploader" => $uploader];
+                $metadataChanged[$metadataKey] = true;
+            }
+        }
+
+        foreach ($metadataCollection as $folderKey => $data) {
+            if (!empty($metadataChanged[$folderKey])) {
+                $metadataFileName = str_replace(['/', '\\', ' '], '-', $folderKey) . '_metadata.json';
+                $metadataFile     = META_DIR . $metadataFileName;
+                file_put_contents($metadataFile, json_encode($data, JSON_PRETTY_PRINT));
+            }
+        }
+
+        return ["success" => "Files uploaded successfully"];
+    }
     
 
         /**