release(v1.8.6): fix large ZIP downloads + safer extract; close #60

Refs #37 — implements ONLYOFFICE integration suggested in the discussion; video progress saving will be tracked separately.

.github/workflows/release-on-version.yml

@@ -3,7 +3,7 @@ name: Release on version.js update
 
 on:
   push:
-    branches: ["master"]
+    branches: ["master"] # keep as-is; change to ["master","main"] if you use main too
     paths:
       - public/js/version.js
   workflow_run:
@@ -14,21 +14,65 @@ permissions:
   contents: write
 
 jobs:
-  release:
+  delay:
     runs-on: ubuntu-latest
+    steps:
+      - name: Delay 2 minutes
+        run: sleep 120
+
+  release:
+    needs: delay
+    runs-on: ubuntu-latest
+
+    # Guard: Only run on trusted workflow_run events (pushes from this repo)
+    if: >
+      github.event_name == 'push' ||
+      (github.event_name == 'workflow_run' &&
+       github.event.workflow_run.event == 'push' &&
+       github.event.workflow_run.head_repository.full_name == github.repository)
+
     concurrency:
-      group: release-${{ github.ref }}-${{ github.sha }}
+      # Ensure concurrency key follows the actual source ref
+      group: release-${{ github.event_name }}-${{ github.event.workflow_run.head_sha || github.sha }}
       cancel-in-progress: false
 
     steps:
+      - name: Resolve correct ref
+        id: pickref
+        shell: bash
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_run" ]; then
+            echo "ref=${{ github.event.workflow_run.head_sha }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "ref=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+          fi
+          echo "Using ref: $(cat $GITHUB_OUTPUT)"
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          ref: ${{ steps.pickref.outputs.ref }}
 
       - name: Ensure tags available
+        run: git fetch --tags --force --prune --quiet
+
+      # Guard: refuse if the ref isn’t contained in master
+      - name: Assert ref is on master
+        shell: bash
         run: |
-          git fetch --tags --force --prune --quiet
+          set -euo pipefail
+          REF="${{ steps.pickref.outputs.ref }}"
+          git fetch origin master --quiet
+          if ! git merge-base --is-ancestor "$REF" origin/master; then
+            echo "Ref $REF is not on master; refusing to release."
+            exit 78  # neutral exit
+          fi
+
+      - name: Debug version.js origin
+        run: |
+          echo "version.js at commit: $(git log -n1 --pretty=%h -- public/js/version.js)"
+          sed -n '1,20p' public/js/version.js || true
 
       - name: Read version from version.js
         id: ver
@@ -55,17 +99,55 @@ jobs:
             echo "exists=false" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Build zip artifact
+      - name: Prep stamper script
         if: steps.tagcheck.outputs.exists == 'false'
         shell: bash
         run: |
           set -euo pipefail
-          ZIP="FileRise-${{ steps.ver.outputs.version }}.zip"
-          zip -r "$ZIP" . \
-            -x "./.git/*" "./.github/*" \
-               "./resources/*" "./resources/**" \
-               "./.dockerignore" "./.gitattributes" "./.gitignore" \
-               "$ZIP" "${ZIP}.sha256" >/dev/null
+          sed -i 's/\r$//' scripts/stamp-assets.sh || true
+          chmod +x scripts/stamp-assets.sh
+
+      - name: Build zip artifact (stamped)
+        if: steps.tagcheck.outputs.exists == 'false'
+        shell: bash
+        run: |
+          set -euo pipefail
+          VER="${{ steps.ver.outputs.version }}"
+          rm -rf staging
+          rsync -a \
+            --exclude '.git' --exclude '.github' \
+            --exclude 'resources' \
+            --exclude '.dockerignore' --exclude '.gitattributes' --exclude '.gitignore' \
+            ./ staging/
+          bash ./scripts/stamp-assets.sh "${VER}" "$(pwd)/staging"
+
+      - name: Verify placeholders are gone (staging)
+        if: steps.tagcheck.outputs.exists == 'false'
+        shell: bash
+        run: |
+          set -euo pipefail
+          ROOT="$(pwd)/staging"
+          if grep -R -n -E "{{APP_QVER}}|{{APP_VER}}" "$ROOT" \
+              --include='*.html' --include='*.php' --include='*.css' --include='*.js' 2>/dev/null; then
+            echo "---- DEBUG (show 10 hits with context) ----"
+            grep -R -n -E "{{APP_QVER}}|{{APP_VER}}" "$ROOT" \
+              --include='*.html' --include='*.php' --include='*.css' --include='*.js' \
+              | head -n 10 | while IFS=: read -r file line _; do
+                  echo ">>> $file:$line"
+                  nl -ba "$file" | sed -n "$((line-3)),$((line+3))p" || true
+                  echo "----------------------------------------"
+                done
+            exit 1
+          fi
+          echo "OK: No unreplaced placeholders in staging."
+
+      - name: Zip stamped staging
+        if: steps.tagcheck.outputs.exists == 'false'
+        shell: bash
+        run: |
+          set -euo pipefail
+          VER="${{ steps.ver.outputs.version }}"
+          (cd staging && zip -r "../FileRise-${VER}.zip" . >/dev/null)
 
       - name: Compute SHA-256 checksum
         if: steps.tagcheck.outputs.exists == 'false'
@@ -125,14 +207,13 @@ jobs:
           COMPARE_URL="https://github.com/${REPO}/compare/${PREV}...${VER}"
           ZIP="FileRise-${VER}.zip"
           SHA="${{ steps.sum.outputs.sha }}"
-
           {
-            echo "## ${VER}"
             echo
             if [[ -s CHANGELOG_SNIPPET.md ]]; then
               cat CHANGELOG_SNIPPET.md
               echo
             fi
+            echo "## ${VER}"
             echo "### Full Changelog"
             echo "[${PREV} → ${VER}](${COMPARE_URL})"
             echo
@@ -141,8 +222,6 @@ jobs:
             echo "${SHA}  ${ZIP}"
             echo '```'
           } > RELEASE_BODY.md
-
-          echo "Release body:"
           sed -n '1,200p' RELEASE_BODY.md
 
       - name: Create GitHub Release
@@ -150,7 +229,7 @@ jobs:
         uses: softprops/action-gh-release@v2
         with:
           tag_name: ${{ steps.ver.outputs.version }}
-          target_commitish: ${{ github.sha }}
+          target_commitish: ${{ steps.pickref.outputs.ref }}
           name: ${{ steps.ver.outputs.version }}
           body_path: RELEASE_BODY.md
           generate_release_notes: false

.github/workflows/sync-changelog.yml

@@ -5,18 +5,25 @@ on:
   push:
     paths:
       - "CHANGELOG.md"
+  workflow_dispatch: {}
 
 permissions:
   contents: write
 
+concurrency:
+  group: bump-and-sync-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
   bump_and_sync:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout FileRise
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          ref: ${{ github.ref }}
 
       - name: Extract version from commit message
         id: ver
@@ -32,7 +39,24 @@ jobs:
             echo "No release(vX.Y.Z) tag in commit message; skipping bump."
           fi
 
-      - name: Update public/js/version.js
+      # Ensure we're on the branch and up to date BEFORE modifying files
+      - name: Ensure clean branch (no local mods), update from remote
+        if: steps.ver.outputs.version != ''
+        shell: bash
+        run: |
+          set -euo pipefail
+          # Be on a named branch that tracks the remote
+          git checkout -B "${{ github.ref_name }}" --track "origin/${{ github.ref_name }}" || git checkout -B "${{ github.ref_name }}"
+          # Make sure the worktree is clean
+          if ! git diff --quiet || ! git diff --cached --quiet; then
+            echo "::error::Working tree not clean before update. Aborting."
+            git status --porcelain
+            exit 1
+          fi
+          # Update branch
+          git pull --rebase origin "${{ github.ref_name }}"
+
+      - name: Update public/js/version.js (source of truth)
         if: steps.ver.outputs.version != ''
         shell: bash
         run: |
@@ -42,44 +66,19 @@ jobs:
           window.APP_VERSION = '${{ steps.ver.outputs.version }}';
           EOF
 
-      - name: Stamp asset cache-busters (?v=...) in HTML/CSS and {{APP_VER}} everywhere
-        if: steps.ver.outputs.version != ''
-        shell: bash
-        run: |
-          set -euo pipefail
-          VER="${{ steps.ver.outputs.version }}"  # e.g. v1.6.9
-          QVER="${VER#v}"                         # e.g. 1.6.9
-          echo "Stamping ?v=${QVER} and {{APP_VER}}=${VER}"
-
-          # 1) Only stamp ?v= in HTML/CSS (avoid JS concatenation issues)
-          mapfile -t html_css < <(git ls-files -- 'public/*.html' 'public/**/*.html' 'public/*.php' 'public/**/*.css')
-          for f in "${html_css[@]}"; do
-            sed -E -i "s/(\?v=)[^\"'&<>\s]*/\1${QVER}/g" "$f"
-            sed -E -i "s/\{\{APP_VER\}\}/${VER}/g" "$f"
-          done
-
-          # 2) For JS, only replace the {{APP_VER}} placeholder (do NOT touch ?v=)
-          mapfile -t jsfiles < <(git ls-files -- 'public/*.js' 'public/**/*.js')
-          for f in "${jsfiles[@]}"; do
-            sed -E -i "s/\{\{APP_VER\}\}/${VER}/g" "$f"
-          done
-
-          echo "Changed files:"
-          git status --porcelain | awk '{print $2}' | sed 's/^/  - /'
-
-      - name: Commit version bump + stamped assets
+      - name: Commit version.js only
         if: steps.ver.outputs.version != ''
         shell: bash
         run: |
           set -euo pipefail
           git config user.name  "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
-          git add public/js/version.js public
+          git add public/js/version.js
           if git diff --cached --quiet; then
             echo "No changes to commit"
           else
-            git commit -m "chore(release): set APP_VERSION and stamp assets to ${{ steps.ver.outputs.version }} [skip ci]"
-            git push
+            git commit -m "chore(release): set APP_VERSION to ${{ steps.ver.outputs.version }} [skip ci]"
+            git push origin "${{ github.ref_name }}"
           fi
 
       - name: Checkout filerise-docker
@@ -89,6 +88,7 @@ jobs:
           repository: error311/filerise-docker
           token: ${{ secrets.PAT_TOKEN }}
           path: docker-repo
+          fetch-depth: 0
 
       - name: Copy CHANGELOG.md and write VERSION
         if: steps.ver.outputs.version != ''
@@ -110,6 +110,6 @@ jobs:
           if git diff --cached --quiet; then
             echo "No changes to commit"
           else
-            git commit -m "chore: sync CHANGELOG.md and VERSION (${{ steps.ver.outputs.version }}) from FileRise"
+            git commit -m "chore: sync CHANGELOG.md + VERSION (${{ steps.ver.outputs.version }}) from FileRise"
             git push origin main
           fi

CHANGELOG.md

@@ -1,5 +1,368 @@
 # Changelog
 
+## Changes 11/4/2025 (v1.8.6)
+
+release(v1.8.6): fix large ZIP downloads + safer extract; close #60
+
+- Zip creation
+  - Write archives to META_DIR/ziptmp (on large/writable disk) instead of system tmp.
+  - Auto-create ziptmp (0775) and verify writability.
+  - Free-space sanity check (~files total +5% +20MB); clearer error on low space.
+  - Normalize/validate folder segments; include only regular files.
+  - set_time_limit(0); use CREATE|OVERWRITE; improved error handling.
+
+- Zip extraction
+  - New: stamp metadata for files in nested subfolders (per-folder metadata.json).
+  - Skip hidden “dot” paths (files/dirs with any segment starting with “.”) by default
+    via SKIP_DOTFILES_ON_EXTRACT=true; only extract allow-listed entries.
+  - Hardenings: zip-slip guard, reject symlinks (external_attributes), zip-bomb limits
+    (MAX_UNZIP_BYTES default 200GiB, MAX_UNZIP_FILES default 20k).
+  - Persist metadata for all touched folders; keep extractedFiles list for top-level names.
+
+Ops note: ensure /var/www/metadata/ziptmp exists & is writable (or mount META_DIR to a large volume).
+
+Closes #60.
+
+---
+
+## Changes 11/4/2025 (v1.8.5)
+
+release(v1.8.5): ci: reduce pre-run delay to 2-min and add missing `needs: delay`, final test
+
+- No change release just testing
+
+---
+
+## Changes 11/4/2025 (v1.8.4)
+
+release(v1.8.4): ci: add 3-min pre-run delay to avoid workflow_run races
+
+- No change release just testing
+
+---
+
+## Changes 11/4/2025 (v1.8.3)
+
+release(v1.8.3): feat(mobile+ci): harden Capacitor switcher & make release-on-version robust
+
+- switcher.js: allow running inside Capacitor; remove innerHTML usage; build nodes safely; normalize/strip creds from URLs; add withParam() for ?frapp=1; drop inline handlers; clamp rename length; minor UX polish.
+- CI: cancel superseded runs per ref; checkout triggering commit (workflow_run head_sha); improve APP_VERSION parsing; point tag to checked-out commit; add recent-tag debug.
+
+---
+
+## Changes 11/4/2025 (v1.8.2)
+
+release(v1.8.2): media progress tracking + watched badges; PWA scaffolding; mobile switcher (closes #37)
+
+- **Highlights**
+  - Video: auto-save playback progress and mark “Watched”, with resume-on-open and inline status chips on list/gallery.
+  - Mobile: introduced FileRise Mobile (Capacitor) companion repo + in-app server switcher and PWA bits.
+
+- **Details**
+  - API (new):
+    - POST /api/media/updateProgress.php — persist per-user progress (seconds/duration/completed).
+    - GET  /api/media/getProgress.php — fetch per-file progress.
+    - GET  /api/media/getViewedMap.php — folder map for badges.
+
+- **Frontend (media):**
+  - Video previews now resume from last position, periodically save progress, and mark completed on end, with toasts.
+  - Added status badges (“Watched” / %-complete) in table & gallery; CSS polish for badges.
+  - Badges render during list/gallery refresh; safer filename wrapping for badge injection.
+
+- **Mobile & PWA:**
+  - New in-app server switcher (Capacitor-aware) loaded only in app/standalone contexts.
+  - Service Worker + manifest added (root scope via /public/sw.js; worker body in /js/pwa/sw.js; manifest icons).
+  - main.js conditionally imports the mobile switcher and registers the SW on web origins only.
+
+- **Notes**
+  - Companion repo: **filerise-mobile** (Capacitor app shell) created for iOS/Android distribution.
+  - No breaking changes expected; endpoints are additive.
+
+Closes #37.
+
+---
+
+## Changes 11/3/2025 (V1.8.1)
+
+release(v1.8.1): fix(security,onlyoffice): sanitize DS origin; safe api.js/iframe probes; better UX placeholder
+
+- Add ONLYOFFICE URL sanitizers:
+  - getTrustedDocsOrigin(): enforce http/https, strip creds, normalize to origin
+  - buildOnlyOfficeApiUrl(): construct fixed /web-apps/.../api.js via URL()
+- Probe hardening (addresses CodeQL js/xss-through-dom):
+  - ooProbeScript/ooProbeFrame now use sanitized origins and fixed paths
+  - optional CSP nonce support for injected script
+  - optional iframe sandbox; robust cleanup/timeout handling
+- CSP helper now renders lines based on validated origin (fallback to raw for visibility)
+- Admin UI UX: placeholder switched to HTTPS example (`https://docs.example.com`)
+- Comments added to justify safety to static analyzers
+
+Files: public/js/adminPanel.js
+
+Refs: #37
+
+---
+
+## Changes 11/3/2025 (v1.8.0)
+
+release(v1.8.0): feat(onlyoffice): first-class ONLYOFFICE integration (view/edit), admin UI, API, CSP helpers
+
+Refs #37 — implements ONLYOFFICE integration suggested in the discussion; video progress saving will be tracked separately.
+
+Adds secure, ACL-aware ONLYOFFICE support throughout FileRise:
+
+- **Backend / API**
+  - New OnlyOfficeController with supported extensions (doc/xls/ppt/pdf etc.), status/config endpoints, and signed download flow.
+  - New endpoints:
+    - GET /api/onlyoffice/status.php — reports availability + supported exts.  
+    - GET /api/onlyoffice/config.php — returns DocEditor config (signed URLs, callback).  
+    - GET /api/onlyoffice/signed-download.php — serves signed blobs to DS.  
+  - Effective config/overrides: env/constant wins; supports docsOrigin, publicOrigin, and jwtSecret; status gated on presence of origin+secret.
+  - Public origin resolution (BASE_URL/proxy aware) for absolute URLs.
+
+- **Admin config / UI**
+  - AdminPanel gets a new “ONLYOFFICE” section with Enable toggle, Document Server Origin, masked JWT Secret, and “Replace” control.
+  - Built-in connection tester (status, secret presence, callback ping, api.js load, iframe embed) + CSP helper (Apache & Nginx snippets)
+
+- **Frontend integration**
+  - fileEditor detects OO capability via /api/onlyoffice/status and routes supported types to the DocEditor; loads DocsAPI dynamically.
+  - editFile() short-circuits to openOnlyOffice when applicable; includes live dark/light theme sync where supported.
+  - fileListView pulls status once on load to drive UI decisions (e.g., editing affordances).
+
+- **AdminModel / config**
+  - Adds onlyoffice {enabled, docsOrigin, publicOrigin} defaults and update path, with jwtSecret persisted (kept unless explicitly replaced).
+  - Optional constants in config.php to override and debug.
+
+- **Security & UX notes**
+  - Editor access remains ACL-checked (read/edit) and uses absolute, signed URLs surfaced via controller.  
+  - Admin UI never echoes secrets; “Replace” toggles explicit updates only.  
+  - CSP helper makes it straightforward to permit api.js + iframe + XHR to your DS.  
+
+- **Docs/Styling**
+  - Minor CSS touch-ups around hover states and modal layout.
+
+---
+
+## Changes 11/2/2025 (v1.7.5)
+
+release(v1.7.5): CSP hardening, API-backed previews, flicker-free theming, cache tuning & deploy script (closes #50)
+release(v1.7.5): retrigger CI bump (no code changes)
+release(v1.7.5): retrigger CI bump ensure up to date
+
+### Security/headers
+
+- Tighten CSP: pin the inline pre-theme snippet with a script-src SHA-256 and keep everything else on 'self'.
+- Improve cache policy for versioned assets: force 1y + immutable and add s-maxage for CDNs; also avoid HSTS redirects on local/dev hosts.
+
+### Previews & editor
+
+- Remove hardcoded `/uploads/` paths; always build preview URLs via the API (respects UPLOAD_DIR/ACL).
+- Use the API URL for gallery prev/next and file-menu “Preview” to fix 404s on custom storage roots.
+- Editor now probes size safely (HEAD → Range 0-0 fallback) before fetching, then fetches with credentials.
+
+### Login, theming & UX polish
+
+- Pre-theme inline boot sets `dark-mode` + background early; swap to `[hidden]`/`unhide()` instead of inline `display:none`.
+- Add full-screen loading overlay with quick fade and proper color-scheme; prevent white/black flash on theme flips.
+- Refactor app/login reveal flow in `main.js` (`revealAppAndHideOverlay`, `authed` path, setup wizard).
+
+### HTML/CSS & perf
+
+- Make Bootstrap/Styles/Roboto critical (plain `<link rel="stylesheet">`); keep fonts as true preloads; modulepreload app entry.
+- Export a `__CSS_PROMISE__` from `defer-css.js` for sites that still promote preloads.
+- Header logo marked `fetchpriority="high"` for faster first paint.
+- Normalize dark-mode selectors to `.dark-mode` scope (admin panel, etc.).
+
+### Manual Deploy script
+
+- Add `scripts/filerise-deploy.sh`: idempotent rsync-based deploy with writable dirs preserved, optional Composer install, and PHP-FPM/Apache reloads.
+
+### Notes
+
+- If you change the inline pre-theme snippet, update the CSP hash accordingly.
+
+---
+
+## Changes 10/31/2025 (v1.7.4)
+
+release(v1.7.4): login hint replace toast + fix unauth boot
+
+main.js
+
+- Added isDemoHost() and showLoginTip(message).
+- In the unauth branch, call showLoginTip('Please log in to continue').
+- Removed ensureToastReady() + showToast('please_log_in_to_continue') in the unauth path to avoid loading toast/DOM utils before auth.
+
+---
+
+## Changes 10/31/2025 (v1.7.3)
+
+release(v1.7.3): lightweight boot pipeline, dramatically faster first paint, deduped /api writes, sturdier uploads/auth
+
+### 🎃 Highlights (advantages) 👻 🦇
+
+- ⚡ Faster, cleaner boot: a lightweight **main.js** decides auth/setup before painting, avoids flicker, and wires modules exactly once.
+- ♻️ Fewer duplicate actions: **request coalescer** dedupes POST/PUT/PATCH/DELETE to /api/* .
+- ✅ Truthy UX: global **toast bridge** queues early toasts and normalizes misleading “not found/already exists” messages after success.
+- 🔐 Smoother auth: CSRF priming/rotation + **TOTP step-up detection** across JSON & redirect paths; “Welcome back, `user`” toast once per tab.
+- 🌓 Polished UI: **dark-mode persistence with system fallback**, live siteConfig title application, higher-z modals, drag auto-scroll.
+- 🚀 Faster first paint & interactions: defer CodeMirror/Fuse/Resumable, promote preloaded CSS, and coalesce duplicate requests → snappier UI.
+- 🧭 Admin polish: live header title preview, masked OIDC fields with **Replace** flow, and a **read-only Sponsors/Donations** section.
+- 🧱 Safer & cache-smarter: opinionated .htaccess (CSP/HSTS/MIME/compression) + `?v={{APP_QVER}}` for versioned immutable assets.
+
+### Core bootstrap (main.js) overhaul
+
+- Early **toast bridge** (queues until domUtils is ready); expose `window.__FR_TOAST_FILTER__` for centralized rewrites/suppression.
+- **Result guard + request coalescer** wrapping `fetch`:
+  - Dedupes same-origin `/api/*` mutating requests for ~800ms using a stable key (method + path + normalized body).
+  - Tracks “last OK” JSON (`success|status|result=ok`) to suppress false-negative error toasts after success.
+- **Boot orchestrator** with hard guards:
+  - `__FR_FLAGS` (`booted`, `initialized`, `wired.*`, `bootPromise`, `entryStarted`) to prevent double init/leaks.
+  - **No-flicker login**: resolve `checkAuth()` + `setup` before showing UI; show login only when truly unauthenticated.
+  - **Heavy boot** for authed users: load i18n, `appCore.loadCsrfToken/initializeApp`, first file list, then light UI wiring.
+- **Auth flow**:
+  - `primeCsrf()` + `<meta name="csrf-token">` management; persist token in localStorage.
+  - **TOTP** detection via header (`X-TOTP-Required`) & JSON (`totp_required` / `TOTP_REQUIRED`); calls `openTOTPLoginModal()`.
+  - **Welcome toast** once per tab via `sessionStorage.__fr_welcomed`.
+- **UI/UX niceties**:
+  - `applySiteConfig()` updates header title & login method visibility on both login & authed screens.
+  - Dark-mode persistence with system fallback, proper a11y labels/icons.
+  - Create dropdown/menu wiring with capture-phase outside-click + ESC close; modal cancel safeties.
+  - Lift modals above cards (z-index), **drag auto-scroll** near viewport edges.
+  - Dispatch legacy `DOMContentLoaded`/`load` **once** (supports older inline handlers).
+  - Username label refresh for existing `.user-name-label` without injecting new DOM.
+
+### Performance & UX changes
+
+- CSS/first paint:
+  - Preload Bootstrap & app CSS; promote at DOMContentLoaded; keep inline CSS minimal.
+  - Add `width/height/decoding/fetchpriority` to logo to reduce layout shift.
+- Search/editor/uploads:
+  - **fileListView.js**: lazy-load Fuse with instant substring fallback; `warmUpSearch()` hook.
+  - **fileEditor.js**: lazy-load CodeMirror core/theme/modes; start plain then upgrade; guard very large files gracefully.
+  - **upload.js**: lazy-load Resumable; resilient init; background warm-up; smarter addFile/submit; clearer toasts.
+- Toast/UX:
+  - Install early toast bridge; queue & normalize messages; neutral “Done.” when server returns misleading errors after success.
+
+### Correctness: uploads, paths, ACLs
+
+- **UploadController/UploadModel**: normalize folders via `ACL::normalizeFolder(rawurldecode())`; stricter segment checks; consistent base paths; safer metadata writes; proper chunk presence/merge & temp cleanup.
+
+### Auth hardening & resilience
+
+- **auth.js/main.js/appCore.js**: CSRF rotate/retry (JSON then x-www-form-urlencoded fallback); robust login handling; fewer misleading error toasts.
+- **AuthController**: OIDC username fallback to `email` or `sub` when `preferred_username` missing.
+
+### Admin panel
+
+- **adminPanel.js**:
+  - Live header title preview (instant update without reload).
+  - Masked OIDC client fields with **Replace** button; saved-value hints; only send secrets when replacing.
+  - **New “Sponsor / Donations” section (read-only)**:
+    - GitHub Sponsors → `https://github.com/sponsors/error311`
+    - Ko-fi → `https://ko-fi.com/error311`
+    - Includes **Copy** and **Open** buttons; values are fixed.
+- **AdminController**: boolean for `oidc.hasClientId/hasClientSecret` to drive masked inputs.
+
+### Security & caching (.htaccess)
+
+- Consolidated security headers (CSP, CORP, HSTS on HTTPS), MIME types, compression (Brotli/Deflate), TRACE disable.
+- Caching rules:
+  - HTML/version.js: no-cache; unversioned JS/CSS: 1h; unversioned static: 7d; **versioned assets `?v=`: 1y `immutable`**.
+- **config.php**: remove duplicate runtime headers (now via Apache) to avoid proxy/CDN conflicts.
+
+### Upgrade notes
+
+- No schema changes.
+- Ensure Apache modules (`headers`, `rewrite`, `brotli`/`deflate`) are available for the new .htaccess rules (fallbacks included).
+- Versioned assets mean users shouldn’t need a hard refresh; `?v={{APP_QVER}}` busts caches automatically.
+
+---
+
+## Changes 10/29/2025 (v1.7.0 & v1.7.1 & v1.7.2)
+
+release(v1.7.0): asset cache-busting pipeline, public siteConfig cache, JS core split, and caching/security polish
+
+### ✨ Features
+
+- Public, non-sensitive site config cache:
+  - Add `AdminModel::buildPublicSubset()` and `writeSiteConfig()` to write `USERS_DIR/siteConfig.json`.
+  - New endpoint `public/api/siteConfig.php` + `UserController::siteConfig()` to serve the public subset (regenerates if stale).
+  - Frontend now reads `/api/siteConfig.php` (safe subset) instead of `/api/admin/getConfig.php`.
+- Frontend module versioning:
+  - Replace all module imports with `?v={{APP_QVER}}` query param so the release/Docker stamper can pin exact versions.
+  - Add `scripts/stamp-assets.sh` to stamp `?v=` and `{{APP_VER}}/{{APP_QVER}}` in **staging** for ZIP/Docker builds.
+
+### 🧩 Refactors
+
+- Extract shared boot/bootstrap logic into `public/js/appCore.js`:
+  - CSRF helpers (`setCsrfToken`, `getCsrfToken`, `loadCsrfToken`)
+  - `initializeApp()`, `triggerLogout()`
+  - Keep `main.js` lean; wrap global `fetch` once to append/rotate CSRF.
+- Update imports across JS modules to use versioned module URLs.
+
+### 🚀 Performance
+
+- Aggressive, safe caching for versioned assets:
+  - `.htaccess`: `?v=…` ⇒ `Cache-Control: max-age=31536000, immutable`.
+  - Unversioned JS/CSS short cache (1h), other static (7d).
+- Eliminate duplicate `main.js` loads and tighten CodeMirror mode loading.
+
+### 🔒 Security / Hardening
+
+- `.htaccess`:
+  - Conditional HSTS only when HTTPS, add CORP and X-Permitted-Cross-Domain-Policies.
+  - CSP kept strict for modules, workers, blobs.
+- Admin config exposure reduced to a curated subset in `siteConfig.json`.
+
+### 🧪 CI/CD / Release
+
+- **FileRise repo**
+  - `sync-changelog.yml`: keep `public/js/version.js` as source-of-truth only (no repo-wide stamping).
+  - `release-on-version.yml`: build **stamped** ZIP from a staging copy via `scripts/stamp-assets.sh`, verify placeholders removed, attach checksum.
+- **filerise-docker repo**
+  - Read `VERSION`, checkout app to `app/`, run stamper inside build context before `docker buildx`, tag `latest` and `:${VERSION}`.
+
+### 🔧 Defaults
+
+- Sample/admin config defaults now set `disableBasicAuth: true` (safer default). Existing installations keep their current setting.
+
+### 📂 Notable file changes
+
+- `src/models/AdminModel.php` (+public subset +atomic write)
+- `src/controllers/UserController.php` (+siteConfig action)
+- `public/api/siteConfig.php` (new)
+- `public/js/appCore.js` (new), `public/js/main.js` (slim, uses appCore)
+- Many `public/js/*.js` import paths updated to `?v={{APP_QVER}}`
+- `public/.htaccess` (caching & headers)
+- `scripts/stamp-assets.sh` (new)
+
+### ⚠️ Upgrade notes
+
+- Ensure `USERS_DIR` is writable by web server for `siteConfig.json`.
+- Proxies/edge caches: the new `?v=` scheme enables long-lived immutable caching; purge is automatic on version bump.
+- If you previously read admin config directly on the client, it now reads `/api/siteConfig.php`.
+
+### Additional changes/fixes for release
+
+- `release-on-version.yml`
+  - normalize line endings (strip CRLF)
+  - stamp-assets.sh don’t rely on the exec; invoke via bash
+
+release(v1.7.2): harden asset stamping & CI verification
+
+### build(stamper)
+
+- Rewrite scripts/stamp-assets.sh to be repo-agnostic and macOS/Windows friendly:
+  - Drop reliance on git ls-files/mapfile; use find + null-delimited loops
+  - Normalize CRLF to LF for all web assets before stamping
+  - Stamp ?v=<APP_QVER> in HTML/CSS/PHP and {{APP_VER}} everywhere
+  - Normalize any ".mjs|.js?v=..." occurrences inside JS (ESM imports/strings)
+  - Force-write public/js/version.js from VER (source of truth in stamped output)
+  - Print touched counts and fail fast if any {{APP_QVER}}|{{APP_VER}} remain
+
+---
+
 ## Changes 10/28/2025 (v1.6.11)
 
 release(v1.6.11) fix(ui/dragAndDrop) restore floating zones toggle click action

README.md

@@ -10,7 +10,7 @@
 [![Sponsor on GitHub](https://img.shields.io/badge/Sponsor-❤-red)](https://github.com/sponsors/error311)
 [![Support on Ko-fi](https://img.shields.io/badge/Ko--fi-Buy%20me%20a%20coffee-orange)](https://ko-fi.com/error311)
 
-**Quick links:** [Demo](#live-demo) • [Install](#installation--setup) • [Docker](#1-running-with-docker-recommended) • [Unraid](#unraid) • [WebDAV](#quick-start-mount-via-webdav) • [FAQ](#faq--troubleshooting)
+**Quick links:** [Demo](#live-demo) • [Install](#installation--setup) • [Docker](#1-running-with-docker-recommended) • [Unraid](#unraid) • [WebDAV](#quick-start-mount-via-webdav) • [ONLYOFFICE](#quick-start-onlyoffice-optional) • [FAQ](#faq--troubleshooting)
 
 **Elevate your File Management** – A modern, self-hosted web file manager.  
 Upload, organize, and share files or folders through a sleek, responsive web interface.  
@@ -21,6 +21,8 @@ Grant precise capabilities like *view*, *upload*, *rename*, *delete*, or *manage
 
 With drag-and-drop uploads, in-browser editing, secure user logins (SSO & TOTP 2FA), and one-click public sharing, **FileRise** brings professional-grade file management to your own server — simple to deploy, easy to scale, and fully self-hosted.
 
+New: Open and edit Office documents — **Word (DOCX)**, **Excel (XLSX)**, **PowerPoint (PPTX)** — directly in **FileRise** using your self-hosted **ONLYOFFICE Document Server** (optional). Open **ODT/ODS/ODP**, and view **PDFs** inline. Where supported by your Document Server, users can add **comments/annotations** to documents (and PDFs). Everything is enforced by the same per-folder ACLs across the UI and WebDAV.
+
 > ⚠️ **Security fix in v1.5.0** — ACL hardening. If you’re on ≤1.4.x, please upgrade.
 
 **10/25/2025 Video demo:**
@@ -74,6 +76,8 @@ With drag-and-drop uploads, in-browser editing, secure user logins (SSO & TOTP 2
 
 - 📝 **Built-in Editor & Preview:** Inline preview for images, video, audio, and PDFs. CodeMirror-based editor for text/code with syntax highlighting and line numbers.
 
+- 🧩 **Office Docs (ONLYOFFICE, optional):** View/edit DOCX, XLSX, PPTX (and ODT/ODS/ODP, PDF view) using your self-hosted ONLYOFFICE Document Server. Enforced by the same ACLs as the web UI & WebDAV.
+
 - 🏷️ **Tags & Search:** Add color-coded tags and search by name, tag, uploader, or content. Advanced fuzzy search indexes metadata and file contents.
 
 - 🔒 **Authentication & SSO:** Username/password, optional TOTP 2FA, and OIDC (Google, Authentik, Keycloak).
@@ -342,8 +346,49 @@ https://your-host/webdav.php/
 
 ---
 
+## Quick start: ONLYOFFICE (optional)
+
+FileRise can open & edit office docs using your **self-hosted ONLYOFFICE Document Server**.
+
+**What you need**  
+
+- A reachable ONLYOFFICE Document Server (Community/Enterprise).  
+- A shared **JWT secret** used by FileRise and your Document Server.
+
+**Setup (2–3 minutes)**  
+
+1. In FileRise go to **Admin → ONLYOFFICE** and:
+   - ✅ Enable ONLYOFFICE
+   - 🔗 Set **Document Server Origin** (e.g., `https://docs.example.com`)
+   - 🔑 Enter **JWT Secret** (click “Replace” to set)
+2. (Recommended) Click **Run tests** in the ONLYOFFICE card:
+   - Checks FileRise status, callback reachability, `api.js` load, and iframe embed.
+3. Update your **Content-Security-Policy** to allow the DS origin.  
+   The Admin panel shows a ready-to-copy line for Apache & Nginx. Example:
+
+   **Apache**
+
+   ```apache
+   Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self' 'sha256-ajmGY+5VJOY6+8JHgzCqsqI8w9dCQfAmqIkFesOKItM=' https://your-onlyoffice-server.example.com https://your-onlyoffice-server.example.com/web-apps/apps/api/documents/api.js; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self' https://your-onlyoffice-server.example.com; media-src 'self' blob:; worker-src 'self' blob:; form-action 'self'; frame-src 'self' https://your-onlyoffice-server.example.com"
+   ```
+
+   **Nginx**
+
+   ```nginx
+   add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self' 'sha256-ajmGY+5VJOY6+8JHgzCqsqI8w9dCQfAmqIkFesOKItM=' https://your-onlyoffice-server.example.com https://your-onlyoffice-server.example.com/web-apps/apps/api/documents/api.js; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self' https://your-onlyoffice-server.example.com; media-src 'self' blob:; worker-src 'self' blob:; form-action 'self'; frame-src 'self' https://your-onlyoffice-server.example.com" always;
+   ```
+
+   **Notes**
+   - If your site is https://, your Document Server must also be https:// (or the browser will block it as mixed content).
+   - Editor access respects FileRise ACLs (view/edit/share) exactly like the rest of the app.
+
+---
+
 ## FAQ / Troubleshooting
 
+- **ONLYOFFICE editor won’t load / blank frame:** Verify CSP allows your DS origin (`script-src`, `frame-src`, `connect-src`) and that the DS is reachable over HTTPS if your site is HTTPS.
+- **“Disabled — check JWT Secret / Origin” in tests:** In **Admin → ONLYOFFICE**, set the Document Server Origin and click “Replace” to save a JWT secret. Then re-run tests.
+
 - **“Upload failed” or large files not uploading:** Ensure `TOTAL_UPLOAD_SIZE` in config and PHP’s `post_max_size` / `upload_max_filesize` are set high enough. For extremely large files, you might need to increase `max_execution_time` or rely on resumable uploads in smaller chunks.
 
 - **How to enable HTTPS?** FileRise doesn’t terminate TLS itself. Run it behind a reverse proxy (Nginx, Caddy, Apache with SSL) or use a companion like nginx-proxy or Caddy in Docker. Set `SECURE="true"` in Docker so FileRise generates HTTPS links.
@@ -399,6 +444,20 @@ Every bit helps me keep FileRise fast, polished, and well-maintained. Thank you!
 
 ## Dependencies
 
+### ONLYOFFICE integration
+
+FileRise can open office documents using a self-hosted ONLYOFFICE Document Server.
+
+- **We do not bundle ONLYOFFICE.** Admins point FileRise to an existing ONLYOFFICE Docs server and (optionally) set a JWT secret in **Admin > ONLYOFFICE**.
+- **Licensing:** ONLYOFFICE Document Server (Community Edition) is released under the GNU AGPL v3. Enterprise editions are commercially licensed. When you deploy ONLYOFFICE, you are responsible for complying with the license of the edition you use.  
+  – Project page & license: <https://github.com/ONLYOFFICE/DocumentServer> (AGPL-3.0)  
+- **FileRise license unaffected:** FileRise communicates with ONLYOFFICE over standard HTTP and loads `api.js` from the configured Document Server at runtime; FileRise does not redistribute ONLYOFFICE code.
+- **Trademarks:** ONLYOFFICE is a trademark of Ascensio System SIA. FileRise is not affiliated with or endorsed by ONLYOFFICE.
+
+#### Security / CSP
+
+If you enable ONLYOFFICE, allow its origin in your CSP (`script-src`, `frame-src`, `connect-src`). The Admin panel shows a ready-to-copy line for Apache/Nginx.
+
 ### PHP Libraries
 
 - **[jumbojett/openid-connect-php](https://github.com/jumbojett/OpenID-Connect-PHP)** (v^1.0.0)

config/config.php

@@ -1,22 +1,6 @@
 <?php
 // config.php
 
-// Prevent caching
-header("Cache-Control: no-cache, must-revalidate");
-header("Pragma: no-cache");
-header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
-header("Expires: 0");
-
-// Security headers
-header('X-Content-Type-Options: nosniff');
-header("X-Frame-Options: SAMEORIGIN");
-header("Referrer-Policy: no-referrer-when-downgrade");
-header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
-header("X-XSS-Protection: 1; mode=block");
-if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
-    header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
-}
-
 // Define constants
 define('PROJECT_ROOT', dirname(__DIR__));
 define('UPLOAD_DIR',    '/var/www/uploads/');
@@ -41,6 +25,13 @@ if (!defined('DEFAULT_CAN_ZIP'))          define('DEFAULT_CAN_ZIP', true);
 if (!defined('DEFAULT_VIEW_OWN_ONLY'))    define('DEFAULT_VIEW_OWN_ONLY', false);
 define('FOLDER_OWNERS_FILE', META_DIR . 'folder_owners.json');
 define('ACL_INHERIT_ON_CREATE', true);
+// ONLYOFFICE integration overrides (uncomment and set as needed)
+/*
+define('ONLYOFFICE_ENABLED', false);
+define('ONLYOFFICE_JWT_SECRET', 'test123456');
+define('ONLYOFFICE_DOCS_ORIGIN', 'http://192.168.1.61'); // your Document Server
+define('ONLYOFFICE_DEBUG', true);
+*/
 
 // Encryption helpers
 function encryptData($data, $encryptionKey)

public/.htaccess

@@ -1,76 +1,112 @@
 # --------------------------------
-# Base: safe in most environments
+# FileRise portable .htaccess
 # --------------------------------
 Options -Indexes
 DirectoryIndex index.html
 
 <IfModule mod_authz_core.c>
-  <FilesMatch "^\.">
+  # Block dotfiles like .env, .git, etc., but allow ACME under .well-known
+  <FilesMatch "^\.(?!well-known(?:/|$))">
     Require all denied
   </FilesMatch>
 </IfModule>
 
+# ---------------- Rewrites ----------------
+<IfModule mod_rewrite.c>
 RewriteEngine On
-#RewriteCond %{HTTPS} off
+
+# Never redirect local/dev hosts
+RewriteCond %{HTTP_HOST} ^(localhost|127\.0\.0\.1|fr\.local|192\.168\.[0-9]+\.[0-9]+)$ [NC]
+RewriteRule ^ - [L]
+
+# Let ACME http-01 pass BEFORE any redirect (needed for auto-renew)
+RewriteCond %{REQUEST_URI} ^/.well-known/acme-challenge/
+RewriteRule - - [L]
+
+# HTTPS redirect (enable ONE of these, comment the other)
+
+# A) Direct TLS on this server
+#RewriteCond %{HTTPS} !=on
 #RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
 
-# MIME types for fonts/SVG
+# B) Behind reverse proxy that sets X-Forwarded-Proto
+#RewriteCond %{HTTP:X-Forwarded-Proto} =http [OR]
+#RewriteCond %{HTTP:X-Forwarded-Proto} ^$
+#RewriteCond %{HTTPS} !=on
+#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
+
+# Mark versioned assets (?v=...) with env flag for caching rules below
+RewriteCond %{QUERY_STRING} (^|&)v= [NC]
+RewriteRule ^ - [E=IS_VER:1]
+</IfModule>
+
+# ---------------- MIME types ----------------
 <IfModule mod_mime.c>
   AddType font/woff2 .woff2
   AddType font/woff  .woff
   AddType image/svg+xml .svg
+  AddType application/javascript .mjs
 </IfModule>
 
-# Security headers
+# ---------------- Security headers ----------------
 <IfModule mod_headers.c>
   Header always set X-Frame-Options "SAMEORIGIN"
   Header always set X-XSS-Protection "1; mode=block"
   Header always set X-Content-Type-Options "nosniff"
-  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
   Header always set Referrer-Policy "strict-origin-when-cross-origin"
   Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
   Header always set X-Download-Options "noopen"
   Header always set Expect-CT "max-age=86400, enforce"
-  Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; media-src 'self' blob:; worker-src 'self' blob:; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; form-action 'self'"
+  Header always set Cross-Origin-Resource-Policy "same-origin"
+  Header always set X-Permitted-Cross-Domain-Policies "none"
+
+  # HSTS only when HTTPS (safe for .htaccess)
+  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
+
+  # CSP — keep this SHA-256 in sync with your inline pre-theme script
+  Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self' 'sha256-ajmGY+5VJOY6+8JHgzCqsqI8w9dCQfAmqIkFesOKItM='; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; media-src 'self' blob:; worker-src 'self' blob:; form-action 'self'"
 </IfModule>
 
-# Caching
-SetEnvIfNoCase QUERY_STRING "(^|&)v=" has_version_param=1
+# ---------------- Caching ----------------
 <IfModule mod_headers.c>
+  # HTML/PHP: no cache
   <FilesMatch "\.(html?|php)$">
-    Header set Cache-Control "no-cache, no-store, must-revalidate"
-    Header set Pragma "no-cache"
-    Header set Expires "0"
+    Header setifempty Cache-Control "no-cache, no-store, must-revalidate"
+    Header setifempty Pragma "no-cache"
+    Header setifempty Expires "0"
   </FilesMatch>
 
+  # version.js: never cache
   <FilesMatch "^js/version\.js$">
     Header set Cache-Control "no-cache, no-store, must-revalidate"
     Header set Pragma "no-cache"
     Header set Expires "0"
   </FilesMatch>
 
-  <FilesMatch "\.(js|css)$">
-    Header set Cache-Control "public, max-age=3600, must-revalidate" env=!has_version_param
+  # JS/CSS: long cache if ?v= present, else 1h
+  <FilesMatch "\.(?:m?js|css)$">
+    Header set Cache-Control "public, max-age=31536000, immutable" env=IS_VER
+    Header set Cache-Control "public, max-age=3600, must-revalidate" env=!IS_VER
   </FilesMatch>
 
-  <FilesMatch "\.(png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
-    Header set Cache-Control "public, max-age=604800" env=!has_version_param
-  </FilesMatch>
-
-  <FilesMatch "\.(js|css|png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
-    Header set Cache-Control "public, max-age=31536000, immutable" env=has_version_param
+  # Images/fonts: long cache if ?v= present, else 7d
+  <FilesMatch "\.(?:png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
+    Header set Cache-Control "public, max-age=31536000, immutable" env=IS_VER
+    Header set Cache-Control "public, max-age=604800" env=!IS_VER
   </FilesMatch>
 </IfModule>
 
-# Compression (only if module exists)
+# ---------------- Compression ----------------
 <IfModule mod_brotli.c>
-  BrotliCompressionQuality 5
+  # Do NOT set BrotliCompressionQuality in .htaccess (vhost/server only)
   AddOutputFilterByType BROTLI_COMPRESS text/html text/css application/javascript application/json image/svg+xml
 </IfModule>
 <IfModule mod_deflate.c>
   AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json image/svg+xml
 </IfModule>
 
-# Disable TRACE
+# ---------------- Disable TRACE ----------------
+<IfModule mod_rewrite.c>
 RewriteCond %{REQUEST_METHOD} ^TRACE
-RewriteRule .* - [F]
+RewriteRule .* - [F]
+</IfModule>

public/api.php

@@ -19,12 +19,8 @@ if (isset($_GET['spec'])) {
   <meta charset="utf-8"/>
   <meta name="viewport" content="width=device-width, initial-scale=1"/>
   <title>FileRise API Docs</title>
-
-  <!-- Local ReDoc bundle -->
-  <script defer src="/vendor/redoc/redoc.standalone.js?v=1.6.11"></script>
-
-  <!-- Your init (also local) -->
-  <script defer src="/js/redoc-init.js?v=1.6.11"></script>
+  <script defer src="/vendor/redoc/redoc.standalone.js?v={{APP_QVER}}"></script>
+  <script defer src="/js/redoc-init.js?v={{APP_QVER}}"></script>
 </head>
 <body>
   <redoc spec-url="/api.php?spec=1"></redoc>

public/api/media/getProgress.php

@@ -0,0 +1,7 @@
+<?php
+// public/api/media/getProgress.php
+require_once __DIR__ . '/../../../config/config.php';
+require_once PROJECT_ROOT . '/src/controllers/MediaController.php';
+
+$ctl = new MediaController();
+$ctl->getProgress();

public/api/media/getViewedMap.php

@@ -0,0 +1,7 @@
+<?php
+// public/api/media/getViewedMap.php
+require_once __DIR__ . '/../../../config/config.php';
+require_once PROJECT_ROOT . '/src/controllers/MediaController.php';
+
+$ctl = new MediaController();
+$ctl->getViewedMap();

public/api/media/updateProgress.php

@@ -0,0 +1,7 @@
+<?php
+// public/api/media/updateProgress.php
+require_once __DIR__ . '/../../../config/config.php';
+require_once PROJECT_ROOT . '/src/controllers/MediaController.php';
+
+$ctl = new MediaController();
+$ctl->updateProgress();

public/api/onlyoffice/callback.php

@@ -0,0 +1,13 @@
+<?php
+/**
+ * @OA\Post(
+ *   path="/api/onlyoffice/callback.php",
+ *   summary="ONLYOFFICE save callback",
+ *   tags={"ONLYOFFICE"},
+ *   @OA\Response(response=200, description="OK / error JSON")
+ * )
+ */
+declare(strict_types=1);
+require_once __DIR__ . '/../../../config/config.php';
+require_once PROJECT_ROOT . '/src/controllers/OnlyOfficeController.php';
+(new OnlyOfficeController())->callback();

public/api/onlyoffice/config.php

@@ -0,0 +1,17 @@
+<?php
+/**
+ * @OA\Get(
+ *   path="/api/onlyoffice/config.php",
+ *   summary="Get editor config for a file (signed URLs, callback)",
+ *   tags={"ONLYOFFICE"},
+ *   @OA\Parameter(name="folder", in="query", @OA\Schema(type="string")),
+ *   @OA\Parameter(name="file",   in="query", @OA\Schema(type="string")),
+ *   @OA\Response(response=200, description="Editor config"),
+ *   @OA\Response(response=403, description="Forbidden"),
+ *   @OA\Response(response=404, description="Disabled / Not found")
+ * )
+ */
+declare(strict_types=1);
+require_once __DIR__ . '/../../../config/config.php';
+require_once PROJECT_ROOT . '/src/controllers/OnlyOfficeController.php';
+(new OnlyOfficeController())->config();

public/api/onlyoffice/signed-download.php

@@ -0,0 +1,15 @@
+<?php
+/**
+ * @OA\Get(
+ *   path="/api/onlyoffice/signed-download.php",
+ *   summary="Serve a signed file blob to ONLYOFFICE",
+ *   tags={"ONLYOFFICE"},
+ *   @OA\Parameter(name="tok", in="query", required=true, @OA\Schema(type="string")),
+ *   @OA\Response(response=200, description="File stream"),
+ *   @OA\Response(response=403, description="Signature/expiry invalid")
+ * )
+ */
+declare(strict_types=1);
+require_once __DIR__ . '/../../../config/config.php';
+require_once PROJECT_ROOT . '/src/controllers/OnlyOfficeController.php';
+(new OnlyOfficeController())->signedDownload();

public/api/onlyoffice/status.php

@@ -0,0 +1,13 @@
+<?php
+/**
+ * @OA\Get(
+ *   path="/api/onlyoffice/status.php",
+ *   summary="ONLYOFFICE availability & supported extensions",
+ *   tags={"ONLYOFFICE"},
+ *   @OA\Response(response=200, description="Status JSON")
+ * )
+ */
+declare(strict_types=1);
+require_once __DIR__ . '/../../../config/config.php';
+require_once PROJECT_ROOT . '/src/controllers/OnlyOfficeController.php';
+(new OnlyOfficeController())->status();

public/api/siteConfig.php

@@ -0,0 +1,9 @@
+<?php
+// public/api/siteConfig.php
+
+
+require_once __DIR__ . '/../../config/config.php';
+require_once PROJECT_ROOT . '/src/controllers/UserController.php';
+
+$userController = new UserController();
+$userController->siteConfig();

public/css/styles.css

@@ -1,6 +1,38 @@
 /* ===========================================================
    GENERAL STYLES & BASE LAYOUT
    =========================================================== */
+/* Reserve stable space for header + main */
+:root { --header-h: 55px; }
+.header-container { min-height: var(--header-h); }
+
+
+img.logo{ width:50px; height:50px; display:block; }  /* belt & suspenders for logo sizing */
+/* Hidden-but-reserved utility (no clicks) */
+.is-visually-hidden {
+  visibility: hidden;
+  pointer-events: none;
+}
+
+/* After auth: show app, hide login */
+
+
+#fr-login-tip {
+  min-height: 40px;            /* reserve space */
+  max-width: 520px;
+  margin: 8px auto 0;
+  border-radius: 8px;
+  padding: 10px 12px;
+  text-align: left;
+  margin-bottom: 10px;
+}
+.main-wrapper{
+  display:flex;              /* or grid—flex is fine here */
+  gap:5px;
+  align-items:flex-start;
+}
+
+
+
 
 /* GENERAL STYLES */
 body {
@@ -24,10 +56,12 @@ body {
     padding-left: 4px !important;
   }@media (min-width: 1300px) {
   .container-fluid {
-      padding-left: 30px !important;
-      padding-right: 30px !important;
+      padding-left: 20px !important;
+      padding-right: 20px !important;
   }}
-  
+  @media (max-width: 600px) {
+    .zones-toggle { left: 85px !important; }
+  }
   /* ===========================================================
      HEADER & NAVIGATION
      =========================================================== */
@@ -35,7 +69,6 @@ body {
   /************************************************************/
   /* FLEXBOX HEADER: LOGO, TITLE, BUTTONS FIXED               */
   /************************************************************/
-  
   .btn-login {
   margin-top: 10px;
   }/* Color overrides */
@@ -59,7 +92,7 @@ body {
     background-color: #2196F3;
     transition: background-color 0.3s ease;
     box-shadow: 0 2px 4px rgba(0, 0, 0, 0.2);
-  }body.dark-mode .header-container {
+  }.dark-mode .header-container {
   background-color: #1f1f1f;
     box-shadow: 0 2px 4px rgba(0, 0, 0, 0.7);
   }#darkModeIcon {
@@ -71,7 +104,7 @@ body {
   }.header-logo svg {
   height: 50px;
     width: auto;
-  }body.dark-mode header {
+  }.dark-mode header {
   background-color: #1f1f1f;
     box-shadow: 0 2px 4px rgba(0, 0, 0, 0.7);
   }.header-left {
@@ -157,7 +190,7 @@ body {
     padding: 10px;
     box-shadow: 2px 2px 6px rgba(0, 0, 0, 0.2);
   }/* Folder Help Tooltip - Dark Mode */
-  body.dark-mode .folder-help-tooltip {
+  .dark-mode .folder-help-tooltip {
   background-color: #333 !important;
     color: #eee !important;
     border: 1px solid #555 !important;
@@ -165,7 +198,7 @@ body {
   -webkit-text-fill-color: orange !important;
     color: inherit !important;
     padding-right: 10px !important;
-  }body.dark-mode #folderHelpBtn i.material-icons.folder-help-icon {
+  }.dark-mode #folderHelpBtn i.material-icons.folder-help-icon {
   -webkit-text-fill-color: #ffa500 !important;
     padding-right: 10px !important;
   }/************************************************************/
@@ -215,8 +248,8 @@ body {
   .material-icons.gallery-icon {
   color: black;
     margin-right: 5px;
-  }body.dark-mode .material-icons.folder-icon,
-  body.dark-mode .material-icons.gallery-icon {
+  }.dark-mode .material-icons.folder-icon,
+  .dark-mode .material-icons.gallery-icon {
   color: white;
     margin-right: 5px;
   }.remove-file-btn {
@@ -247,23 +280,23 @@ body {
     padding: 20px;
     box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
     border-radius: 4px;
-  }body.dark-mode #loginForm {
+  }.dark-mode #loginForm {
   background-color: #2c2c2c;
     color: #e0e0e0;
     padding: 20px;
     border-radius: 8px;
     box-shadow: 0 2px 4px rgba(255, 255, 255, 0.2);
-  }body.dark-mode #loginForm input {
+  }.dark-mode #loginForm input {
   background-color: #333;
     color: #fff;
     border: 1px solid #555;
-  }body.dark-mode #loginForm label {
+  }.dark-mode #loginForm label {
   color: #ddd;
-  }body.dark-mode #loginForm button {
+  }.dark-mode #loginForm button {
   background-color: #007bff;
     color: white;
     border: none;
-  }body.dark-mode #loginForm button:hover {
+  }.dark-mode #loginForm button:hover {
   background-color: #0056b3;
   }/* ===========================================================
      CARDS & MODALS
@@ -286,7 +319,7 @@ body {
     border: 1px solid #ccc;
     border-radius: 4px;
   }/* Override modal content for dark mode */
-  body.dark-mode #restoreFilesModal .modal-content {
+  .dark-mode #restoreFilesModal .modal-content {
   background: #2c2c2c !important;
     border: 1px solid #555 !important;
     color: #f0f0f0;
@@ -370,7 +403,7 @@ body {
       transform: translate(-50%, -70%);
   }}
   
-  body.dark-mode .modal .modal-content {
+  .dark-mode .modal .modal-content {
   background-color: #2c2c2c;
     color: #e0e0e0;
     border-color: #444;
@@ -399,10 +432,10 @@ body {
     background-color: #ff4d4d;
     box-shadow: 0px 0px 6px rgba(255, 77, 77, 0.8);
     transform: scale(1.05);
-  }body.dark-mode .editor-close-btn {
+  }.dark-mode .editor-close-btn {
   background-color: rgba(0, 0, 0, 0.7);
     color: #ff6666;
-  }body.dark-mode .editor-close-btn:hover {
+  }.dark-mode .editor-close-btn:hover {
   background-color: #ff6666;
     color: #000;
   }/* Editor Modal */
@@ -428,7 +461,7 @@ body {
     width: 100% !important;
     resize: none !important;
     overflow: auto !important;
-  }body.dark-mode .editor-modal {
+  }.dark-mode .editor-modal {
   background-color: #2c2c2c;
     color: #e0e0e0;
     border-color: #444;
@@ -453,7 +486,7 @@ body {
   }.editor-title {
   margin: 0;
     line-height: 33px;
-  }body.dark-mode .editor-header {
+  }.dark-mode .editor-header {
   background-color: #2c2c2c;
   }@media (max-width: 600px) {
   .editor-title {
@@ -521,9 +554,9 @@ body {
     padding: 4px;
     border-radius: 4px;
     transition: background-color 0.2s ease, color 0.2s ease;
-  }body.dark-mode .material-icons.pauseResumeBtn {
+  }.dark-mode .material-icons.pauseResumeBtn {
   color: white !important;
-  }body.dark-mode .material-icons.pauseResumeBtn:hover {
+  }.dark-mode .material-icons.pauseResumeBtn:hover {
   background-color: rgba(255, 215, 0, 0.3);
     color: #fff;
   }body:not(.dark-mode) .material-icons.pauseResumeBtn:hover {
@@ -626,15 +659,15 @@ body {
   }#createBtn {
   background-color: #007bff;
     color: white;
-  }body.dark-mode .dropdown-menu {
+  }.dark-mode .dropdown-menu {
   background-color: #2c2c2c !important;
     border-color:   #444    !important;
     color:          #e0e0e0!important;
-  }body.dark-mode .dropdown-menu .dropdown-item {
+  }.dark-mode .dropdown-menu .dropdown-item {
   color: #e0e0e0 !important;
   }.dropdown-item:hover {
   background-color: rgba(0,0,0,0.05);
-  }body.dark-mode .dropdown-item:hover {
+  }.dark-mode .dropdown-item:hover {
   background-color: rgba(255,255,255,0.1);
   }#fileList button.edit-btn {
   background-color: #007bff;
@@ -655,7 +688,7 @@ body {
   background-color: transparent;
   }#fileList table tr:hover {
   background-color: #e0e0e0;
-  }body.dark-mode #fileList table tr:hover {
+  }.dark-mode #fileList table tr:hover {
   background-color: #444;
   }#fileListTitle {
   white-space: normal !important;
@@ -673,7 +706,7 @@ body {
   box-shadow: none;
     border: none !important;
     outline: none !important;
-  }body.dark-mode #fileList table tr {
+  }.dark-mode #fileList table tr {
   box-shadow: none;
     border: none !important;
     outline: none !important;
@@ -757,7 +790,7 @@ body {
     color: inherit;
     cursor: pointer;
     padding: 0;
-  }#loginForm,
+  }
   #uploadForm {
   display: none;
   }.folder-actions {
@@ -818,7 +851,7 @@ body {
     color: #fff;
   }.row-selected {
   background-color: #f2f2f2 !important;
-  }body.dark-mode .row-selected {
+  }.dark-mode .row-selected {
   background-color: #444 !important;
     color: #fff !important;
   }.custom-prev-next-btn {
@@ -832,11 +865,11 @@ body {
     cursor: pointer;
   }.custom-prev-next-btn:hover:not(:disabled) {
   background-color: #d5d5d5;
-  }body.dark-mode .custom-prev-next-btn {
+  }.dark-mode .custom-prev-next-btn {
   background-color: #444;
     color: #fff;
     border: none;
-  }body.dark-mode .custom-prev-next-btn:hover:not(:disabled) {
+  }.dark-mode .custom-prev-next-btn:hover:not(:disabled) {
   background-color: #555;
   }#customToast {
   position: fixed;
@@ -873,6 +906,10 @@ body {
     line-height: 1 !important;
     vertical-align: middle !important;
   }#fileListContainer {
+    border: 1px solid #e0e0e0;
+    background: white;
+    box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
+    border-radius: 8px;
   max-width: 100%;
     padding-bottom: 10px !important;
     padding-left: 5px !important;
@@ -883,7 +920,7 @@ body {
       width: 99%;
   }}
   
-  body.dark-mode #fileListContainer {
+  .dark-mode #fileListContainer {
   background-color: #2c2c2c;
     color: #e0e0e0;
     border: 1px solid #444;
@@ -932,7 +969,7 @@ body {
       align-items: stretch;
   }.file-list-actions .action-btn {
   width: 100%;
-  height: 10px !important;
+  
   }.modal-content {
   width: 95%;
       margin: 20% auto;
@@ -959,7 +996,7 @@ body {
   #copySelectedBtn:hover,
   #moveSelectedBtn:hover,
   #downloadZipBtn:hover,
-  #extractZipBtn:hover
+  #extractZipBtn:hover,
   #customChooseBtn:hover {
     transform: scale(1.08);
     box-shadow: 0 2px 10px rgba(0,0,0,.12);
@@ -1116,12 +1153,12 @@ body {
   background-color: #d0d0d0;
     border-radius: 4px;
     padding: 2px 4px;
-  }body.dark-mode .folder-option.selected {
+  }.dark-mode .folder-option.selected {
   background-color: #444;
     color: #fff;
     border-radius: 4px;
     padding: 2px 4px;
-  }body.dark-mode .folder-option:hover {
+  }.dark-mode .folder-option:hover {
   background-color: #333;
     color: #fff;
     padding: 2px 4px;
@@ -1161,7 +1198,7 @@ body {
       display: inline-flex !important;
   }}
   
-  body.dark-mode .image-preview-modal-content {
+  .dark-mode .image-preview-modal-content {
   background: #2c2c2c;
     border-color: #444;
   }.image-modal-img {
@@ -1198,13 +1235,13 @@ body {
   width: 600px !important;
     max-width: 90vw !important;
     /* ensures it doesn't exceed the viewport width */
-  }body.dark-mode .close-image-modal {
+  }.dark-mode .close-image-modal {
   background-color: rgba(0, 0, 0, 0.6);
     color: #ff6666;
-  }body.dark-mode .close-image-modal:hover {
+  }.dark-mode .close-image-modal:hover {
   background-color: #ff6666;
     color: #000;
-  }body.dark-mode .image-preview-modal-content {
+  }.dark-mode .image-preview-modal-content {
   background: #2c2c2c;
     border-color: #444;
   }.page-indicator {
@@ -1217,7 +1254,7 @@ body {
     margin-right: 0;
     margin-left: 0;
     font-size: 32px;
-  }body.dark-mode .file-icon {
+  }.dark-mode .file-icon {
   color: white;
   }.bottom-select {
   display: inline-block;
@@ -1315,36 +1352,36 @@ body {
   }/* ===========================================================
      DARK MODE STYLES
      =========================================================== */
-  body.dark-mode {
+  .dark-mode {
   background-color: #121212;
     color: #e0e0e0;
-  }body.dark-mode .container {
+  }.dark-mode .container {
   background-color: transparent !important;
-  }body.dark-mode .btn-primary {
+  }.dark-mode .btn-primary {
   background-color: #007bff;
     color: #fff;
     border-color: #007bff;
-  }body.dark-mode .btn-secondary {
+  }.dark-mode .btn-secondary {
   background-color: #6c757d;
     color: #fff;
     border-color: #6c757d;
-  }body.dark-mode .btn-danger {
+  }.dark-mode .btn-danger {
   background-color: #dc3545;
     color: #fff;
     border-color: #dc3545;
-  }body.dark-mode .modal .modal-content,
-  body.dark-mode .editor-modal {
+  }.dark-mode .modal .modal-content,
+  .dark-mode .editor-modal {
   background-color: #2c2c2c;
     color: #e0e0e0;
     border: 1px solid #444;
-  }body.dark-mode table {
+  }.dark-mode table {
   background-color: #2c2c2c;
     color: #e0e0e0;
-  }body.dark-mode table tr:hover {
+  }.dark-mode table tr:hover {
   background-color: #444;
-  }body.dark-mode #uploadProgressContainer .progress {
+  }.dark-mode #uploadProgressContainer .progress {
   background-color: #333;
-  }body.dark-mode #uploadProgressContainer .progress-bar {
+  }.dark-mode #uploadProgressContainer .progress-bar {
   background-color: #007bff;
     color: #e0e0e0;
   }.dark-mode-toggle {
@@ -1361,10 +1398,10 @@ body {
   background-color: rgba(255, 255, 255, 0.15) !important;
   }.dark-mode-toggle:active {
   background-color: rgba(255, 255, 255, 0.25) !important;
-  }body.dark-mode .dark-mode-toggle {
+  }.dark-mode .dark-mode-toggle {
   background-color: transparent !important;
     color: white !important;
-  }body.dark-mode .dark-mode-toggle:hover {
+  }.dark-mode .dark-mode-toggle:hover {
   background-color: rgba(255, 255, 255, 0.15) !important;
   }.dark-mode-toggle:focus {
   outline: none !important;
@@ -1391,29 +1428,29 @@ body {
   }.folder-help-list {
   margin: 0;
     padding-left: 20px;
-  }body.dark-mode .folder-help-details {
+  }.dark-mode .folder-help-details {
   color: #ddd;
     background-color: #2c2c2c;
     border-color: #444;
-  }body.dark-mode .folder-help-summary {
+  }.dark-mode .folder-help-summary {
   color: #ddd;
     background: #2c2c2c;
-  }body.dark-mode .folder-help-icon {
+  }.dark-mode .folder-help-icon {
   color: #f6a72c;
     font-size: 20px;
-  }body.dark-mode .CodeMirror {
+  }.dark-mode .CodeMirror {
   background: #1e1e1e !important;
     color: #ffffff !important;
-  }body.dark-mode .CodeMirror-cursor {
+  }.dark-mode .CodeMirror-cursor {
   border-left: 2px solid #ffffff !important;
-  }body.dark-mode .CodeMirror-gutters {
+  }.dark-mode .CodeMirror-gutters {
   background: #252526 !important;
     border-right: 1px solid #444 !important;
-  }body.dark-mode .CodeMirror-linenumber {
+  }.dark-mode .CodeMirror-linenumber {
   color: #aaaaaa !important;
-  }body.dark-mode .CodeMirror-selected {
+  }.dark-mode .CodeMirror-selected {
   background: rgba(255, 255, 255, 0.2) !important;
-  }body.dark-mode .CodeMirror-matchingbracket {
+  }.dark-mode .CodeMirror-matchingbracket {
   background-color: rgba(255, 255, 255, 0.1) !important;
     border-bottom: 1px solid #ffffff !important;
   }.zoom_in,
@@ -1448,7 +1485,7 @@ body {
   }.drop-hover {
   background-color: #e0e0e0;
     border: 1px dashed #666;
-  }body.dark-mode .drop-hover {
+  }.dark-mode .drop-hover {
   background-color: rgba(255, 255, 255, 0.1) !important;
     border-bottom: 1px dashed #ffffff !important;
   }#restoreFilesList li {
@@ -1460,35 +1497,33 @@ body {
     transform: translateY(-3px) !important;
   }#restoreFilesList li label {
   margin-left: 8px !important;
-  }body.dark-mode #fileContextMenu {
+  }.dark-mode #fileContextMenu {
   background-color: #2c2c2c !important;
     border: 1px solid #555 !important;
     color: #e0e0e0 !important;
-  }body.dark-mode #fileContextMenu div {
+  }.dark-mode #fileContextMenu div {
   color: #e0e0e0 !important;
   }#folderContextMenu {
   font-family: Arial, sans-serif;
     font-size: 14px;
-  }body.dark-mode #folderContextMenu {
+  }.dark-mode #folderContextMenu {
   background-color: #2c2c2c;
     border-color: #555;
     color: #e0e0e0;
-  }.main-wrapper {
-  display: flex;
-    flex-direction: row;
   }.drop-target-sidebar {
   display: none;
-    width: 50px;
-    transition: width 0.3s ease;
     background-color: #f8f9fa;
     border-right: 2px dashed #1565C0;
-    padding: 10px;
+    margin-top: 10px;
+    margin-left: 10px;
   }@media (min-width: 769px) {
   .drop-target-sidebar {
       display: block;
   }}
-  .drop-target-sidebar.active {
+  .drop-target-sidebar.active,
+  .drag-header.active {
   width: 350px;
+  height: 750px;
   }.main-column {
   flex: 1;
     transition: margin-left 0.3s ease;
@@ -1557,13 +1592,12 @@ body {
   }#sidebarDropArea,
   #uploadFolderRow {
   background-color: transparent;
-  }#sidebarDropArea {
-  display: none;
-  }body.dark-mode #sidebarDropArea,
-  body.dark-mode #uploadFolderRow {
+  
+  }.dark-mode #sidebarDropArea,
+  .dark-mode #uploadFolderRow {
   background-color: transparent;
-  }body.dark-mode #sidebarDropArea.highlight,
-  body.dark-mode #uploadFolderRow.highlight {
+  }.dark-mode #sidebarDropArea.highlight,
+  .dark-mode #uploadFolderRow.highlight {
   background-color: #333; 
     border: 2px dashed #555; 
     color: #fff;
@@ -1582,7 +1616,7 @@ body {
     max-width: 900px;
     width: 100%;
     margin: 0 auto;
-  }body.dark-mode .card {
+  }.dark-mode .card {
   background-color: #2c2c2c;
     color: #e0e0e0;
     border: 1px solid #444;
@@ -1596,21 +1630,21 @@ body {
   #removeUserModal {
   z-index: 5000 !important;
   }#customConfirmModal {
-  z-index: 6000 !important;
+  z-index: 12000 !important;
   }.admin-panel-content {
   background: #fff;
     color: #000;
-  }body.dark-mode .admin-panel-content {
+  }.dark-mode .admin-panel-content {
   background: #2c2c2c;
     color: #e0e0e0;
     border: 1px solid #444;
-  }body.dark-mode .admin-panel-content input,
-  body.dark-mode .admin-panel-content select,
-  body.dark-mode .admin-panel-content textarea {
+  }.dark-mode .admin-panel-content input,
+  .dark-mode .admin-panel-content select,
+  .dark-mode .admin-panel-content textarea {
   background: #3a3a3a;
     color: #e0e0e0;
     border: 1px solid #555;
-  }body.dark-mode .admin-panel-content label {
+  }.dark-mode .admin-panel-content label {
   color: #e0e0e0;
   }#openChangePasswordModalBtn {
   width: max-content;
@@ -1631,7 +1665,7 @@ body {
     color: var(--download-spinner-color, #000);
   }body:not(.dark-mode) {
   --download-spinner-color: #000;
-  }body.dark-mode {
+  }.dark-mode {
   --download-spinner-color: #fff;
   }.rise-effect {
   transform: translateY(-20px);
@@ -1666,7 +1700,7 @@ body {
     background-color: transparent;
     transition: width 0.3s ease;
     box-sizing: border-box;
-  }body.dark-mode .header-drop-zone.drag-active {
+  }.dark-mode .header-drop-zone.drag-active {
   background-color: #333; 
     border: 2px dashed #555; 
     color: #fff;
@@ -1697,16 +1731,16 @@ body {
   line-height: 1;
     margin: 0;
     padding: 0;
-  }body.dark-mode #fileSummary {
+  }.dark-mode #fileSummary {
   color: white;
   }#searchIcon {
   border-radius: 4px;
     padding: 4px 8px;
-  }body.dark-mode #searchIcon {
+  }.dark-mode #searchIcon {
   background-color: #444;
     border: 1px solid #555;
     color: #fff;
-  }body.dark-mode #searchInput {
+  }.dark-mode #searchInput {
   background-color: #333;
     color: #e0e0e0;
     border: 1px solid #555;
@@ -1731,11 +1765,11 @@ body {
   .btn-icon:focus {
   background: rgba(0, 0, 0, 0.1);
     outline: none;
-  }body.dark-mode .btn-icon .material-icons,
-  body.dark-mode #searchIcon .material-icons {
+  }.dark-mode .btn-icon .material-icons,
+  .dark-mode #searchIcon .material-icons {
   color: #fff;
-  }body.dark-mode .btn-icon:hover,
-  body.dark-mode .btn-icon:focus {
+  }.dark-mode .btn-icon:hover,
+  .dark-mode .btn-icon:focus {
   background: rgba(255, 255, 255, 0.1);
   }.user-dropdown {
   position: relative;
@@ -1766,12 +1800,12 @@ body {
     display: inline-block;
     vertical-align: middle;
     margin-left: 0.25rem;
-  }body.dark-mode .user-dropdown .user-menu {
+  }.dark-mode .user-dropdown .user-menu {
   background: #2c2c2c;
     border-color: #444;
-  }body.dark-mode .user-dropdown .user-menu .item {
+  }.dark-mode .user-dropdown .user-menu .item {
   color: #e0e0e0;
-  }body.dark-mode .user-dropdown .user-menu .item:hover {
+  }.dark-mode .user-dropdown .user-menu .item:hover {
   background: rgba(255,255,255,0.1);
   }.user-dropdown .dropdown-username {
   margin: 0 8px;
@@ -1808,7 +1842,7 @@ body {
   }:root {
   --perm-caret: #444;
   }/* light */
-  body.dark-mode {
+  .dark-mode {
   --perm-caret: #ccc;
   }/* dark */
   
@@ -1821,7 +1855,7 @@ body {
       background-color 160ms cubic-bezier(.2,.0,.2,1);
   }:root {
   --toggle-icon-color: #333;
-  }body.dark-mode {
+  }.dark-mode {
   --toggle-icon-color: #eee;
   }#zonesToggleFloating .material-icons,
   #zonesToggleFloating .material-icons-outlined,
@@ -1865,4 +1899,30 @@ body {
   #sidebarToggleFloating.is-collapsed {
   background: #fafafa;
     border-color: #e2e2e2;
-  }
+  }
+  /* media modal polish */
+.media-modal { background: var(--panel-bg, #121212); }
+.media-header-bar .btn { padding: 6px 10px; }
+.gallery-nav-btn { color: #fff; opacity: 0.85; }
+.gallery-nav-btn:hover { opacity: 1; transform: scale(1.05); }
+
+/* badges */
+.status-badge {
+  display: inline-block;
+  margin-left: 6px;
+  padding: 2px 6px;
+  font-size: 11px;
+  line-height: 1.3;
+  border-radius: 999px;
+  border: 1px solid rgba(255,255,255,.15);
+  background: rgba(255,255,255,.08);
+  color: #fff;
+}
+.status-badge.watched {
+  border-color: rgba(34,197,94,.35);      /* green-ish */
+  background: rgba(34,197,94,.15);
+}
+.status-badge.progress {
+  border-color: rgba(250,204,21,.35);     /* amber-ish */
+  background: rgba(250,204,21,.15);
+}

public/css/vendor/material-icons.css

@@ -4,7 +4,7 @@
   font-style: normal;
   font-weight: 400;
   font-display: swap;
-  src: url(/fonts/material-icons/flUhRq6tzZclQEJ-Vdg-IuiaDsNcIhQ8tQ.woff2) format('woff2');
+  src: url('/fonts/material-icons/flUhRq6tzZclQEJ-Vdg-IuiaDsNcIhQ8tQ.woff2?v={{APP_QVER}}') format('woff2');
 }
 
 .material-icons {

public/css/vendor/roboto.css

@@ -4,7 +4,7 @@
   font-style:normal;
   font-weight:400;
   font-display:swap;
-  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2') format('woff2');
+  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2?v={{APP_QVER}}') format('woff2');
   unicode-range:U+0100-02BA,U+02BD-02C5,U+02C7-02CC,U+02CE-02D7,U+02DD-02FF,U+0304,U+0308,U+0329,U+1D00-1DBF,U+1E00-1E9F,U+1EF2-1EFF,U+2020,U+20A0-20AB,U+20AD-20C0,U+2113,U+2C60-2C7F,U+A720-A7FF;
 }
 /* Roboto Regular 400 — latin */
@@ -13,7 +13,7 @@
   font-style:normal;
   font-weight:400;
   font-display:swap;
-  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2') format('woff2');
+  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2?v={{APP_QVER}}') format('woff2');
   unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+0304,U+0308,U+0329,U+2000-206F,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD;
 }
 /* Roboto Medium 500 — latin-ext */
@@ -22,7 +22,7 @@
   font-style:normal;
   font-weight:500;
   font-display:swap;
-  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2') format('woff2');
+  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2?v={{APP_QVER}}') format('woff2');
   unicode-range:U+0100-02BA,U+02BD-02C5,U+02C7-02CC,U+02CE-02D7,U+02DD-02FF,U+0304,U+0308,U+0329,U+1D00-1DBF,U+1E00-1E9F,U+1EF2-1EFF,U+2020,U+20A0-20AB,U+20AD-20C0,U+2113,U+2C60-2C7F,U+A720-A7FF;
 }
 /* Roboto Medium 500 — latin */
@@ -31,7 +31,7 @@
   font-style:normal;
   font-weight:500;
   font-display:swap;
-  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2') format('woff2');
+  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2?v={{APP_QVER}}') format('woff2');
   unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+0304,U+0308,U+0329,U+2000-206F,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD;
 }
 

public/index.html

@@ -2,116 +2,60 @@
 <html lang="en">
 
 <head>
-  <meta charset="UTF-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <title>FileRise</title>
-  <link rel="icon" type="image/png" href="/assets/logo.png">
-  <link rel="icon" type="image/svg+xml" href="/assets/logo.svg">
-  <meta name="csrf-token" content="">
-  <meta name="share-url" content="">
-
-  <style>.main-wrapper{display:none}#loadingOverlay{position:fixed;inset:0;background:var(--bg-color,#fff);z-index:9999;display:flex;align-items:center;justify-content:center}</style>
-  <link rel="stylesheet" href="/css/vendor/roboto.css?v=1.6.11">
-  <link rel="stylesheet" href="/css/vendor/material-icons.css?v=1.6.11">
-
-  <!-- Bootstrap CSS (local) -->
-  <link rel="stylesheet" href="/vendor/bootstrap/4.5.2/bootstrap.min.css?v=1.6.11">
-
-  <!-- CodeMirror CSS (local) -->
-  <link rel="stylesheet" href="/vendor/codemirror/5.65.5/codemirror.min.css?v=1.6.11">
-  <link rel="stylesheet" href="/vendor/codemirror/5.65.5/theme/material-darker.min.css?v=1.6.11">
-
-  <!-- app CSS -->
-  <link rel="stylesheet" href="/css/styles.css?v=1.6.11">
-
-  <!-- Libraries (JS) -->
-  <script src="/vendor/dompurify/2.4.0/purify.min.js?v=1.6.11"></script>
-  <script src="/vendor/fuse/6.6.2/fuse.min.js?v=1.6.11"></script>
-  <script src="/vendor/resumable/1.1.0/resumable.min.js?v=1.6.11"></script>
-
-  <!-- CodeMirror core FIRST, then modes -->
-  <script src="/vendor/codemirror/5.65.5/codemirror.min.js?v=1.6.11"></script>
-
-  <script src="/js/version.js?v=1.6.11"></script>
-  <script type="module" src="/js/main.js"></script>
-
+  <meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><title>FileRise</title>
+  <script>(function(){try{var s=localStorage.getItem('darkMode');var isDark=(s===null)?(window.matchMedia&&window.matchMedia('(prefers-color-scheme: dark)').matches):(s==='1'||s==='true');var root=document.documentElement;root.setAttribute('data-theme',isDark?'dark':'light');root.classList.toggle('dark-mode',isDark);var bg=isDark?'#121212':'#ffffff';root.style.backgroundColor=bg;root.style.colorScheme=isDark?'dark':'light';root.style.setProperty('--pre-bg',bg);var m=document.querySelector('meta[name="theme-color"]');if(m)m.setAttribute('content',bg);}catch(e){}})();</script>
+  <style id="pretheme-css">
+    html,body,#loadingOverlay{background:var(--pre-bg,#ffffff) !important;}
+  </style>
+  <link rel="icon" type="image/png" href="/assets/logo.png"><link rel="icon" type="image/svg+xml" href="/assets/logo.svg">
+  <meta name="description" content="FileRise is a fast, self-hosted file manager with granular per-folder ACLs, drag-and-drop folder moves, WebDAV, tagging, and a clean UI.">
+  <meta name="csrf-token" content=""><meta name="share-url" content=""><meta name="theme-color" content="#0b5ed7"><meta name="color-scheme" content="light dark">
+  <link rel="manifest" href="/manifest.webmanifest?v={{APP_QVER}}">
+  <link rel="apple-touch-icon" href="/assets/icons/icon-192.png?v={{APP_QVER}}">
+  
+<!-- Critical CSS -->
+  <link rel="stylesheet" href="/vendor/bootstrap/4.5.2/bootstrap.min.css?v={{APP_QVER}}">
+  <link rel="stylesheet" href="/css/styles.css?v={{APP_QVER}}">
+  <link rel="stylesheet" href="/css/vendor/roboto.css?v={{APP_QVER}}">
+  
+  <!-- Fonts (ok to keep as real preloads) -->
+  <link rel="preload" as="font" href="/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2?v={{APP_QVER}}" type="font/woff2" crossorigin>
+  <link rel="preload" as="font" href="/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2?v={{APP_QVER}}" type="font/woff2" crossorigin>
+  
+  <!-- Vendor & version (deferred) -->
+  <script src="/vendor/dompurify/2.4.0/purify.min.js?v={{APP_QVER}}" defer></script>
+  <script src="/js/version.js?v={{APP_QVER}}" defer></script>
+  
+  <!-- App entry -->
+  <link rel="modulepreload" href="/js/main.js?v={{APP_QVER}}"><script type="module" src="/js/main.js?v={{APP_QVER}}"></script>
+  
 </head>
-
 <body>
+  <div id="appRoot" style="visibility:hidden">
   <header class="header-container">
+   
     <div class="header-left">
       <a href="index.html">
         <div class="header-logo">
-          <svg version="1.1" id="filingCabinetLogo" xmlns="http://www.w3.org/2000/svg"
-            xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 64 64" xml:space="preserve">
-            <defs>
-              <!-- Gradient for the cabinet body -->
-              <linearGradient id="cabinetGradient" x1="0%" y1="0%" x2="0%" y2="100%">
-                <stop offset="0%" style="stop-color:#2196F3;stop-opacity:1" />
-                <stop offset="100%" style="stop-color:#1976D2;stop-opacity:1" />
-              </linearGradient>
-              <!-- Drop shadow filter with animated attributes for a lifting effect -->
-              <filter id="shadowFilter" x="-20%" y="-20%" width="140%" height="140%">
-                <feDropShadow id="dropShadow" dx="0" dy="2" stdDeviation="2" flood-color="#000" flood-opacity="0.2">
-                  <!-- Animate the vertical offset: from 2 to 1 (as it rises), hold, then back to 2 -->
-                  <animate attributeName="dy" values="2;1;1;2" keyTimes="0;0.2;0.8;1" dur="5s" fill="freeze" />
-                  <!-- Animate the blur similarly: from 2 to 1.5 then back to 2 -->
-                  <animate attributeName="stdDeviation" values="2;1.5;1.5;2" keyTimes="0;0.2;0.8;1" dur="5s"
-                    fill="freeze" />
-                </feDropShadow>
-              </filter>
-            </defs>
-            <style type="text/css">
-              /* Cabinet with gradient, white outline, and drop shadow */
-              .cabinet {
-                fill: url(#cabinetGradient);
-                stroke: white;
-                stroke-width: 2;
-              }
-
-              .divider {
-                stroke: #1565C0;
-                stroke-width: 1.5;
-              }
-
-              .drawer {
-                fill: #FFFFFF;
-              }
-
-              .handle {
-                fill: #1565C0;
-              }
-            </style>
-            <!-- Group that will animate upward and then back down once -->
-            <g id="cabinetGroup">
-              <!-- Cabinet Body with rounded corners, white outline, and drop shadow -->
-              <rect x="4" y="4" width="56" height="56" rx="6" ry="6" class="cabinet" filter="url(#shadowFilter)" />
-              <!-- Divider lines for drawers -->
-              <line x1="5" y1="22" x2="59" y2="22" class="divider" />
-              <line x1="5" y1="34" x2="59" y2="34" class="divider" />
-              <!-- Drawers with Handles -->
-              <rect x="8" y="24" width="48" height="6" rx="1" ry="1" class="drawer" />
-              <circle cx="54" cy="27" r="1.5" class="handle" />
-              <rect x="8" y="36" width="48" height="6" rx="1" ry="1" class="drawer" />
-              <circle cx="54" cy="39" r="1.5" class="handle" />
-              <rect x="8" y="48" width="48" height="6" rx="1" ry="1" class="drawer" />
-              <circle cx="54" cy="51" r="1.5" class="handle" />
-              <!-- Additional detail: a small top handle on the cabinet door -->
-              <rect x="28" y="10" width="8" height="4" rx="1" ry="1" fill="#1565C0" />
-              <!-- Animate transform: rises by 2 pixels over 1s, holds for 3s, then falls over 1s (total 5s) -->
-              <animateTransform attributeName="transform" type="translate" values="0 0; 0 -2; 0 -2; 0 0"
-                keyTimes="0;0.2;0.8;1" dur="5s" fill="freeze" />
-            </g>
-          </svg>
+          <img
+  src="/assets/logo.svg?v={{APP_QVER}}"
+  alt="FileRise"
+  class="logo"
+  width="50"
+  height="50"
+  decoding="async"
+  fetchpriority="high"
+/>
         </div>
       </a>
     </div>
+    
     <div class="header-title">
-      <h1 data-i18n-key="header_title">FileRise</h1>
+      <h1>FileRise</h1>
     </div>
     <div class="header-right">
       <div class="header-buttons-wrapper" style="display: flex; align-items: center; gap: 10px;">
-        <!-- Your header drop zone -->
+        
         <div id="headerDropArea" class="header-drop-zone"></div>
         <div class="header-buttons">
           <button id="changePasswordBtn" data-i18n-title="change_password" style="display: none;">
@@ -146,7 +90,7 @@
           <button id="removeUserBtn" data-i18n-title="remove_user" style="display: none;">
             <i class="material-icons">person_remove</i>
           </button>
-          <button id="darkModeToggle" class="btn-icon" aria-label="Toggle dark mode">
+          <button id="darkModeToggle" class="btn-icon" aria-label="Toggle dark mode"  hidden>
             <span class="material-icons" id="darkModeIcon">
               dark_mode
             </span>
@@ -155,15 +99,18 @@
       </div>
     </div>
   </header>
-
+  
   <div id="loadingOverlay"></div>
 
   <!-- Custom Toast Container -->
   <div id="customToast"></div>
   <div id="hiddenCardsContainer" style="display:none;"></div>
-
+  <main id="main" hidden>
   <div class="row mt-4" id="loginForm">
     <div class="col-12">
+      <div id="loginBox" class="login-box">
+        <div id="fr-login-tip" class="alert alert-info login-hint" role="status" aria-live="polite" style="display:none;"></div>
+  
       <form id="authForm" method="post">
         <div class="form-group">
           <label for="loginUsername" data-i18n-key="user">User:</label>
@@ -173,7 +120,7 @@
           <label for="loginPassword" data-i18n-key="password">Password:</label>
           <input type="password" class="form-control" id="loginPassword" name="password" required />
         </div>
-        <button type="submit" class="btn btn-primary btn-block btn-login" data-i18n-key="login">Login</button>
+        <button type="submit" class="btn btn-primary btn-block btn-login" data-i18n-key="login" data-default>Login</button>
         <div class="form-group remember-me-container">
           <input type="checkbox" id="rememberMeCheckbox" name="remember_me" />
           <label for="rememberMeCheckbox" data-i18n-key="remember_me">Remember me</label>
@@ -189,11 +136,14 @@
           HTTP
           Login</a>
       </div>
+      <div>
     </div>
   </div>
+</main>
+  
 
   <!-- Main Wrapper: Hidden by default; remove "display: none;" after login -->
-  <div class="main-wrapper">
+  <div class="main-wrapper" hidden>
     <!-- Sidebar Drop Zone: Hidden until you drag a card (display controlled by JS) -->
     <div id="sidebarDropArea" class="drop-target-sidebar"></div>
     <!-- Main Column -->
@@ -273,7 +223,7 @@
                           <div class="modal-footer" style="margin-top:15px; text-align:right;">
                             <button id="cancelMoveFolder" class="btn btn-secondary"
                               data-i18n-key="cancel">Cancel</button>
-                            <button id="confirmMoveFolder" class="btn btn-primary" data-i18n-key="move">Move</button>
+                            <button id="confirmMoveFolder" class="btn btn-primary" data-i18n-key="move" data-default>Move</button>
                           </div>
                         </div>
                       </div>
@@ -291,7 +241,7 @@
                             <button id="cancelRenameFolder" class="btn btn-secondary"
                               data-i18n-key="cancel">Cancel</button>
                             <button id="submitRenameFolder" class="btn btn-primary"
-                              data-i18n-key="rename">Rename</button>
+                              data-i18n-key="rename" data-default>Rename</button>
                           </div>
                         </div>
                       </div>
@@ -311,7 +261,7 @@
                             <button id="cancelDeleteFolder" class="btn btn-secondary"
                               data-i18n-key="cancel">Cancel</button>
                             <button id="confirmDeleteFolder" class="btn btn-danger"
-                              data-i18n-key="delete">Delete</button>
+                              data-i18n-key="delete" data-default>Delete</button>
                           </div>
                         </div>
                       </div>
@@ -347,7 +297,7 @@
                   selected files?</p>
                 <div class="modal-footer">
                   <button id="cancelDeleteFiles" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmDeleteFiles" class="btn btn-danger" data-i18n-key="delete">Delete</button>
+                  <button id="confirmDeleteFiles" class="btn btn-danger" data-i18n-key="delete" data-default>Delete</button>
                 </div>
               </div>
             </div>
@@ -361,7 +311,7 @@
                 <select id="copyTargetFolder" class="form-control modal-input"></select>
                 <div class="modal-footer">
                   <button id="cancelCopyFiles" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmCopyFiles" class="btn btn-primary" data-i18n-key="copy">Copy</button>
+                  <button id="confirmCopyFiles" class="btn btn-primary" data-i18n-key="copy" data-default>Copy</button>
                 </div>
               </div>
             </div>
@@ -375,7 +325,7 @@
                 <select id="moveTargetFolder" class="form-control modal-input"></select>
                 <div class="modal-footer">
                   <button id="cancelMoveFiles" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmMoveFiles" class="btn btn-primary" data-i18n-key="move">Move</button>
+                  <button id="confirmMoveFiles" class="btn btn-primary" data-i18n-key="move" data-default>Move</button>
                 </div>
               </div>
             </div>
@@ -383,35 +333,20 @@
               data-i18n-key="download_zip">Download ZIP</button>
             <button id="extractZipBtn" class="btn action-btn btn-sm btn-info"  style="display: none;" disabled
               data-i18n-key="extract_zip_button">Extract Zip</button>
-            <div id="createDropdown" class="dropdown-container" style="position:relative; display:inline-block;">
-              <button id="createBtn" class="btn action-btn" style="display: none;" data-i18n-key="create">
-                ${t('create')} <span class="material-icons"
-                  style="font-size:16px;vertical-align:middle;">arrow_drop_down</span>
-              </button>
-              <ul id="createMenu" class="dropdown-menu" style="
-                    display: none;
-                    position: absolute;
-                    top: 100%;
-                    left: 0;
-                    margin: 4px 0 0;
-                    padding: 0;
-                    list-style: none;
-                    background: #fff;
-                    border: 1px solid #ccc;
-                    box-shadow: 0 2px 6px rgba(0,0,0,0.2);
-                    z-index: 1000;
-                    min-width: 140px;
-                  ">
-                <li id="createFileOption" class="dropdown-item" data-i18n-key="create_file"
-                  style="padding:8px 12px; cursor:pointer;">
-                  ${t('create_file')}
-                </li>
-                <li id="createFolderOption" class="dropdown-item" data-i18n-key="create_folder"
-                  style="padding:8px 12px; cursor:pointer;">
-                  ${t('create_folder')}
-                </li>
-              </ul>
-            </div>
+              <div id="createDropdown" class="dropdown-container" style="position:relative; display:inline-block;">
+                <button id="createBtn" class="btn action-btn" type="button" style="display:none;" aria-haspopup="true" aria-expanded="false">
+                  <span data-i18n-key="create">Create</span>
+                  <span class="material-icons" style="font-size:16px;vertical-align:middle;">arrow_drop_down</span>
+                </button>
+                <ul id="createMenu" class="dropdown-menu" style="display:none; position:absolute; top:100%; left:0; margin:4px 0 0; padding:0; list-style:none; background:#fff; border:1px solid #ccc; box-shadow:0 2px 6px rgba(0,0,0,0.2); z-index:10010; min-width:160px;">
+                  <li id="createFileOption" class="dropdown-item" style="padding:8px 12px; cursor:pointer;">
+                    <span data-i18n-key="create_file">Create file</span>
+                  </li>
+                  <li id="createFolderOption" class="dropdown-item" style="padding:8px 12px; cursor:pointer;">
+                    <span data-i18n-key="create_folder">Create folder</span>
+                  </li>
+                </ul>
+              </div>
             <!-- Create File Modal -->
             <div id="createFileModal" class="modal" style="display:none;">
               <div class="modal-content">
@@ -420,7 +355,7 @@
                   data-i18n-placeholder="newfile_placeholder" />
                 <div class="modal-footer" style="margin-top:1rem; text-align:right;">
                   <button id="cancelCreateFile" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmCreateFile" class="btn btn-primary" data-i18n-key="create">Create</button>
+                  <button id="confirmCreateFile" class="btn btn-primary" data-i18n-key="create" data-default>Create</button>
                 </div>
               </div>
             </div>
@@ -432,7 +367,7 @@
                   placeholder="files.zip" />
                 <div class="modal-footer" style="margin-top:15px; text-align:right;">
                   <button id="cancelDownloadZip" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmDownloadZip" class="btn btn-primary" data-i18n-key="download">Download</button>
+                  <button id="confirmDownloadZip" class="btn btn-primary" data-i18n-key="download" data-default>Download</button>
                 </div>
               </div>
             </div>
@@ -470,14 +405,14 @@
         placeholder="Filename" />
       <div style="margin-top: 15px; text-align: right;">
         <button id="cancelDownloadFile" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-        <button id="confirmSingleDownloadButton" class="btn btn-primary" data-i18n-key="download">Download</button>
+        <button id="confirmSingleDownloadButton" class="btn btn-primary" data-i18n-key="download" data-default>Download</button>
       </div>
     </div>
   </div>
 
   <!-- Change Password, Add User, Remove User, Rename File, and Custom Confirm Modals (unchanged) -->
   <div id="changePasswordModal" class="modal" style="display:none;">
-    <div class="modal-content" style="max-width:400px; margin:auto;">
+    <div class="modal-content" style="text-align: center; padding: 20px;">
       <span id="closeChangePasswordModal" class="editor-close-btn">&times;</span>
       <h3 data-i18n-key="change_password_title">Change Password</h3>
       <input type="password" id="oldPassword" class="form-control" data-i18n-placeholder="old_password"
@@ -486,7 +421,7 @@
         placeholder="New Password" style="width:100%; margin: 5px 0;" />
       <input type="password" id="confirmPassword" class="form-control" data-i18n-placeholder="confirm_new_password"
         placeholder="Confirm New Password" style="width:100%; margin: 5px 0;" />
-      <button id="saveNewPasswordBtn" class="btn btn-primary" data-i18n-key="save" style="width:100%;">Save</button>
+      <button id="saveNewPasswordBtn" class="btn btn-primary" data-i18n-key="save" style="width:100%;" data-default>Save</button>
     </div>
   </div>
   <div id="addUserModal" class="modal" style="display:none;">
@@ -511,7 +446,7 @@
             Cancel
           </button>
           <!-- Save becomes type="submit" -->
-          <button type="submit" id="saveUserBtn" class="btn btn-primary" data-i18n-key="save_user">
+          <button type="submit" id="saveUserBtn" class="btn btn-primary" data-i18n-key="save_user" data-default>
             Save User
           </button>
         </div>
@@ -536,7 +471,7 @@
         placeholder="Enter new file name" style="margin-top:10px;" />
       <div style="margin-top:15px; text-align:right;">
         <button id="cancelRenameFile" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-        <button id="submitRenameFile" class="btn btn-primary" data-i18n-key="rename">Rename</button>
+        <button id="submitRenameFile" class="btn btn-primary" data-i18n-key="rename" data-default>Rename</button>
       </div>
     </div>
   </div>
@@ -544,12 +479,11 @@
     <div class="modal-content">
       <p id="confirmMessage"></p>
       <div class="modal-actions">
-        <button id="confirmYesBtn" class="btn btn-primary" data-i18n-key="yes">Yes</button>
+        <button id="confirmYesBtn" class="btn btn-primary" data-i18n-key="yes" data-default>Yes</button>
         <button id="confirmNoBtn" class="btn btn-secondary" data-i18n-key="no">No</button>
       </div>
     </div>
   </div>
-
+</div>
 </body>
-
 </html>

public/js/appCore.js

@@ -0,0 +1,177 @@
+// /js/appCore.js
+import { showToast } from './domUtils.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
+import { loadFolderTree } from './folderManager.js?v={{APP_QVER}}';
+import { setupTrashRestoreDelete } from './trashRestoreDelete.js?v={{APP_QVER}}';
+import { initDragAndDrop, loadSidebarOrder, loadHeaderOrder } from './dragAndDrop.js?v={{APP_QVER}}';
+import { initTagSearch } from './fileTags.js?v={{APP_QVER}}';
+import { initFileActions } from './fileActions.js?v={{APP_QVER}}';
+import { initUpload } from './upload.js?v={{APP_QVER}}';
+import { loadAdminConfigFunc } from './auth.js?v={{APP_QVER}}';
+
+// Keep a bound handle to the native fetch so wrappers elsewhere never recurse
+const _nativeFetch = window.fetch.bind(window);
+
+/* =========================
+   CSRF UTILITIES (shared)
+   ========================= */
+export function setCsrfToken(token) {
+  if (!token) return;
+  window.csrfToken = token;
+  localStorage.setItem('csrf', token);
+
+  // meta tag for easy access in other places
+  let meta = document.querySelector('meta[name="csrf-token"]');
+  if (!meta) {
+    meta = document.createElement('meta');
+    meta.name = 'csrf-token';
+    document.head.appendChild(meta);
+  }
+  meta.content = token;
+}
+
+export function getCsrfToken() {
+  return window.csrfToken || localStorage.getItem('csrf') || '';
+}
+
+/**
+ * Bootstrap/refresh CSRF from the server.
+ * Uses the native fetch to avoid wrapper loops and accepts rotated tokens via header.
+ */
+export async function loadCsrfToken() {
+  const res = await _nativeFetch('/api/auth/token.php', { method: 'GET', credentials: 'include' });
+
+  // header-based rotation
+  const hdr = res.headers.get('X-CSRF-Token');
+  if (hdr) setCsrfToken(hdr);
+
+  // body (if provided)
+  let body = {};
+  try { body = await res.json(); } catch { /* token endpoint may return empty */ }
+
+  const token = body.csrf_token || getCsrfToken();
+  setCsrfToken(token);
+
+  // share-url meta should reflect the actual origin
+  const actualShare = window.location.origin;
+  let shareMeta = document.querySelector('meta[name="share-url"]');
+  if (!shareMeta) {
+    shareMeta = document.createElement('meta');
+    shareMeta.name = 'share-url';
+    document.head.appendChild(shareMeta);
+  }
+  shareMeta.content = actualShare;
+
+  return { csrf_token: token, share_url: actualShare };
+}
+
+/* =========================
+   APP INIT (shared)
+   ========================= */
+export function initializeApp() {
+  const saved = parseInt(localStorage.getItem('rowHeight') || '48', 10);
+  document.documentElement.style.setProperty('--file-row-height', saved + 'px');
+
+  const last = localStorage.getItem('lastOpenedFolder');
+  window.currentFolder = last ? last : "root";
+
+  const stored = localStorage.getItem('showFoldersInList');
+  window.showFoldersInList = stored === null ? true : stored === 'true';
+
+  // Load public site config early (safe subset)
+  loadAdminConfigFunc();
+
+  // Enable tag search UI; initial file list load is controlled elsewhere
+  initTagSearch();
+
+  // Hook DnD relay from fileList area into upload area
+  const fileListArea = document.getElementById('fileListContainer');
+  const uploadArea = document.getElementById('uploadDropArea');
+  if (fileListArea && uploadArea) {
+    fileListArea.addEventListener('dragover', e => {
+      e.preventDefault();
+      fileListArea.classList.add('drop-hover');
+    });
+    fileListArea.addEventListener('dragleave', () => {
+      fileListArea.classList.remove('drop-hover');
+    });
+    fileListArea.addEventListener('drop', e => {
+      e.preventDefault();
+      fileListArea.classList.remove('drop-hover');
+      uploadArea.dispatchEvent(new DragEvent('drop', {
+        dataTransfer: e.dataTransfer,
+        bubbles: true,
+        cancelable: true
+      }));
+    });
+  }
+
+  // App subsystems
+  initDragAndDrop();
+  loadSidebarOrder();
+  loadHeaderOrder();
+  initFileActions();
+  initUpload();
+  loadFolderTree();
+
+  // Only run trash/restore for admins
+  const isAdmin =
+    localStorage.getItem('isAdmin') === '1' || localStorage.getItem('isAdmin') === 'true';
+  if (isAdmin) {
+    setupTrashRestoreDelete();
+  }
+
+  // Small help tooltip toggle
+  const helpBtn = document.getElementById("folderHelpBtn");
+  const helpTooltip = document.getElementById("folderHelpTooltip");
+  if (helpBtn && helpTooltip) {
+    helpBtn.addEventListener("click", () => {
+      helpTooltip.style.display =
+        helpTooltip.style.display === "block" ? "none" : "block";
+    });
+  }
+}
+
+/* =========================
+   LOGOUT (shared)
+   ========================= */
+export function triggerLogout() {
+  const clearWelcomeFlags = () => {
+    try {
+      // one-per-tab toast guard
+      sessionStorage.removeItem('__fr_welcomed');
+      // if you also used the per-user (all-tabs) guard, clear that too:
+      const u = localStorage.getItem('username') || '';
+      if (u) localStorage.removeItem(`__fr_welcomed_${u}`);
+    } catch { }
+  };
+
+  _nativeFetch("/api/auth/logout.php", {
+    method: "POST",
+    credentials: "include",
+    headers: { "X-CSRF-Token": getCsrfToken() }
+  })
+    .then(() => {
+      clearWelcomeFlags();
+      window.location.reload(true);
+    })
+    .catch(() => {
+      // even if the request fails, clear the flags so the next login can toast
+      clearWelcomeFlags();
+      window.location.reload(true);
+    });
+}
+
+/* =========================
+   Global UX guard (unchanged)
+   ========================= */
+window.addEventListener("unhandledrejection", (ev) => {
+  const msg = (ev?.reason && ev.reason.message) || "";
+  if (msg === "auth") {
+    showToast(t("please_sign_in_again") || "Please sign in again.", "error");
+    ev.preventDefault();
+  } else if (msg === "forbidden") {
+    showToast(t("no_access_to_resource") || "You don’t have access to that.", "error");
+    ev.preventDefault();
+  }
+});

public/js/auth.js

@@ -1,15 +1,15 @@
-import { sendRequest } from './networkUtils.js';
-import { t, applyTranslations } from './i18n.js';
+import { sendRequest } from './networkUtils.js?v={{APP_QVER}}';
+import { t, applyTranslations } from './i18n.js?v={{APP_QVER}}';
 import {
   toggleVisibility,
   showToast as originalShowToast,
   attachEnterKeyListener,
   showCustomConfirmModal
-} from './domUtils.js';
-import { loadFileList } from './fileListView.js';
-import { initFileActions } from './fileActions.js';
-import { renderFileTable } from './fileListView.js';
-import { loadFolderTree } from './folderManager.js';
+} from './domUtils.js?v={{APP_QVER}}';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
+import { initFileActions } from './fileActions.js?v={{APP_QVER}}';
+import { renderFileTable } from './fileListView.js?v={{APP_QVER}}';
+import { loadFolderTree } from './folderManager.js?v={{APP_QVER}}';
 import {
   openTOTPLoginModal as originalOpenTOTPLoginModal,
   openUserPanel,
@@ -17,9 +17,9 @@ import {
   closeTOTPModal,
   setLastLoginData,
   openApiModal
-} from './authModals.js';
-import { openAdminPanel } from './adminPanel.js';
-import { initializeApp, triggerLogout } from './main.js';
+} from './authModals.js?v={{APP_QVER}}';
+import { openAdminPanel } from './adminPanel.js?v={{APP_QVER}}';
+import { initializeApp, triggerLogout } from './appCore.js?v={{APP_QVER}}';
 
 // Production OIDC configuration (override via API as needed)
 const currentOIDCConfig = {
@@ -31,6 +31,49 @@ const currentOIDCConfig = {
 };
 window.currentOIDCConfig = currentOIDCConfig;
 
+
+
+(function installToastFilter() {
+  const isDemoHost = location.hostname.toLowerCase() === 'demo.filerise.net';
+
+  window.__FR_TOAST_FILTER__ = function (msgKeyOrText) {
+    // Suppress the nag while doing TOTP step-up
+    if (window.pendingTOTP && (msgKeyOrText === 'please_log_in_to_continue' ||
+      /please log in/i.test(String(msgKeyOrText)))) {
+      return null; // suppress
+    }
+
+    // Demo host
+    if (isDemoHost && (msgKeyOrText === 'please_log_in_to_continue' ||
+      /please log in/i.test(String(msgKeyOrText)))) {
+      return "Demo site — use:\nUsername: demo\nPassword: demo";
+    }
+
+    // Try to translate keys; pass through plain text
+    try {
+      const maybe = t(msgKeyOrText);
+      if (typeof maybe === 'string' && maybe !== msgKeyOrText) return maybe;
+    } catch { }
+    return msgKeyOrText;
+  };
+})();
+
+function queueWelcomeToast(name) {
+  const uname = String(name || '').trim().slice(0, 80);
+  if (!uname) return;
+  // show immediately (if we don’t reload instantly)
+  try {
+    window.dispatchEvent(new CustomEvent('filerise:toast', {
+      detail: { message: `Welcome back, ${uname}!`, duration: 2000 }
+    }));
+  } catch { }
+
+  // and persist for after-reload (flushed by main.js on boot)
+  try {
+    sessionStorage.setItem('welcomeMessage', `Welcome back, ${uname}!`);
+  } catch { }
+}
+
 /* ----------------- TOTP & Toast Overrides ----------------- */
 // detect if we’re in a pending‑TOTP state
 window.pendingTOTP = new URLSearchParams(window.location.search).get('totp_required') === '1';
@@ -72,45 +115,51 @@ const originalFetch = window.fetch;
  * @param {object} options
  * @returns {Promise<Response>}
  */
+
 export async function fetchWithCsrf(url, options = {}) {
-  // 1) Merge in credentials + header
-  options = {
-    credentials: 'include',
-    ...options,
-  };
+  const original = window.fetch.bind(window);
+  const wantJson = (options.headers && /json/i.test(options.headers['Content-Type'] || '')) || typeof options.body === 'string' && options.body.trim().startsWith('{');
+
+  options = { credentials: 'include', ...options };
   options.headers = {
-    ...(options.headers || {}),
-    'X-CSRF-Token': window.csrfToken,
+    'Accept': 'application/json',
+    ...(options.headers || {})
   };
-
-  // 2) First attempt
-  let res = await originalFetch(url, options);
-
-  // 3) If we got a 403, try to refresh token & retry
-  if (res.status === 403) {
-    // 3a) See if the server gave us a new token header
-    let newToken = res.headers.get('X-CSRF-Token');
-    // 3b) Otherwise fall back to the /api/auth/token endpoint
-    if (!newToken) {
-      const tokRes = await originalFetch('/api/auth/token.php', { credentials: 'include' });
-      if (tokRes.ok) {
-        const body = await tokRes.json();
-        newToken = body.csrf_token;
-      }
-    }
-    if (newToken) {
-      // 3c) Update global + meta
-      window.csrfToken = newToken;
-      const meta = document.querySelector('meta[name="csrf-token"]');
-      if (meta) meta.content = newToken;
-
-      // 3d) Retry the original request with the new token
-      options.headers['X-CSRF-Token'] = newToken;
-      res = await originalFetch(url, options);
-    }
+  if (window.csrfToken) {
+    options.headers['X-CSRF-Token'] = window.csrfToken;
   }
 
-  // 4) Return the real Response—no body peeking here!
+  async function retryWithFreshCsrf(asFormFallback = false) {
+    const tokRes = await original('/api/auth/token.php', { credentials: 'include' });
+    if (tokRes.ok) {
+      const body = await tokRes.json().catch(() => ({}));
+      if (body?.csrf_token) {
+        window.csrfToken = body.csrf_token;
+        const meta = document.querySelector('meta[name="csrf-token"]');
+        if (meta) meta.content = body.csrf_token;
+        options.headers['X-CSRF-Token'] = body.csrf_token;
+      }
+    }
+    if (asFormFallback && wantJson) {
+      // convert JSON body into x-www-form-urlencoded
+      const orig = options.body && typeof options.body === 'string' ? JSON.parse(options.body) : {};
+      options.body = toFormBody(orig);
+      options.headers['Content-Type'] = 'application/x-www-form-urlencoded';
+    }
+    return original(url, options);
+  }
+
+  let res = await original(url, options);
+
+  // If API doesn’t like JSON or token is stale
+  if (res.status === 400 || res.status === 403 || res.status === 415) {
+    // 1) retry with fresh CSRF keeping same encoding
+    res = await retryWithFreshCsrf(false);
+    if (!res.ok && wantJson) {
+      // 2) retry again as form-encoded
+      res = await retryWithFreshCsrf(true);
+    }
+  }
   return res;
 }
 
@@ -180,7 +229,7 @@ function updateLoginOptionsUIFromStorage() {
 }
 
 export function loadAdminConfigFunc() {
-  return fetch("/api/admin/getConfig.php", { credentials: "include" })
+  return fetch("/api/siteConfig.php", { credentials: "include" })
     .then(async (response) => {
       // If a proxy or some edge returns 204/empty, handle gracefully
       let config = {};
@@ -191,13 +240,13 @@ export function loadAdminConfigFunc() {
 
       document.title = headerTitle;
       const lo = config.loginOptions || {};
-      localStorage.setItem("disableFormLogin",  String(!!lo.disableFormLogin));
-      localStorage.setItem("disableBasicAuth",  String(!!lo.disableBasicAuth));
-      localStorage.setItem("disableOIDCLogin",  String(!!lo.disableOIDCLogin));
-      localStorage.setItem("globalOtpauthUrl",  config.globalOtpauthUrl || "otpauth://totp/{label}?secret={secret}&issuer=FileRise");
+      localStorage.setItem("disableFormLogin", String(!!lo.disableFormLogin));
+      localStorage.setItem("disableBasicAuth", String(!!lo.disableBasicAuth));
+      localStorage.setItem("disableOIDCLogin", String(!!lo.disableOIDCLogin));
+      localStorage.setItem("globalOtpauthUrl", config.globalOtpauthUrl || "otpauth://totp/{label}?secret={secret}&issuer=FileRise");
       // These may be absent for non-admins; default them
-      localStorage.setItem("authBypass",        String(!!lo.authBypass));
-      localStorage.setItem("authHeaderName",    lo.authHeaderName || "X-Remote-User");
+      localStorage.setItem("authBypass", String(!!lo.authBypass));
+      localStorage.setItem("authHeaderName", lo.authHeaderName || "X-Remote-User");
 
       updateLoginOptionsUIFromStorage();
 
@@ -253,14 +302,14 @@ export async function updateAuthenticatedUI(data) {
   if (loading) loading.remove();
 
   // 2) Show main UI
-  document.querySelector('.main-wrapper').style.display    = '';
-  document.getElementById('loginForm').style.display       = 'none';
+  document.querySelector('.main-wrapper').style.display = '';
+  document.getElementById('loginForm').style.display = 'none';
   toggleVisibility("loginForm", false);
   toggleVisibility("mainOperations", true);
   toggleVisibility("uploadFileForm", true);
   toggleVisibility("fileListContainer", true);
-  attachEnterKeyListener("removeUserModal",   "deleteUserBtn");
-  attachEnterKeyListener("changePasswordModal","saveNewPasswordBtn");
+  attachEnterKeyListener("removeUserModal", "deleteUserBtn");
+  attachEnterKeyListener("changePasswordModal", "saveNewPasswordBtn");
   document.querySelector(".header-buttons").style.visibility = "visible";
 
   // 3) Persist auth flags (unchanged)
@@ -271,9 +320,9 @@ export async function updateAuthenticatedUI(data) {
     localStorage.setItem("username", data.username);
   }
   if (typeof data.folderOnly !== "undefined") {
-    localStorage.setItem("folderOnly",   data.folderOnly   ? "true" : "false");
-    localStorage.setItem("readOnly",     data.readOnly     ? "true" : "false");
-    localStorage.setItem("disableUpload",data.disableUpload? "true" : "false");
+    localStorage.setItem("folderOnly", data.folderOnly ? "true" : "false");
+    localStorage.setItem("readOnly", data.readOnly ? "true" : "false");
+    localStorage.setItem("disableUpload", data.disableUpload ? "true" : "false");
   }
 
   // 4) Fetch up-to-date profile picture — ALWAYS overwrite localStorage
@@ -282,7 +331,7 @@ export async function updateAuthenticatedUI(data) {
 
   // 5) Build / update header buttons
   const headerButtons = document.querySelector(".header-buttons");
-  const firstButton   = headerButtons.firstElementChild;
+  const firstButton = headerButtons.firstElementChild;
 
   // a) restore-from-trash for admins
   if (data.isAdmin) {
@@ -290,8 +339,8 @@ export async function updateAuthenticatedUI(data) {
     if (!r) {
       r = document.createElement("button");
       r.id = "restoreFilesBtn";
-      r.classList.add("btn","btn-warning");
-      r.setAttribute("data-i18n-title","trash_restore_delete");
+      r.classList.add("btn", "btn-warning");
+      r.setAttribute("data-i18n-title", "trash_restore_delete");
       r.innerHTML = '<i class="material-icons">restore_from_trash</i>';
       if (firstButton) insertAfter(r, firstButton);
       else headerButtons.appendChild(r);
@@ -308,8 +357,8 @@ export async function updateAuthenticatedUI(data) {
     if (!a) {
       a = document.createElement("button");
       a.id = "adminPanelBtn";
-      a.classList.add("btn","btn-info");
-      a.setAttribute("data-i18n-title","admin_panel");
+      a.classList.add("btn", "btn-info");
+      a.setAttribute("data-i18n-title", "admin_panel");
       a.innerHTML = '<i class="material-icons">admin_panel_settings</i>';
       insertAfter(a, document.getElementById("restoreFilesBtn"));
       a.addEventListener("click", openAdminPanel);
@@ -330,19 +379,19 @@ export async function updateAuthenticatedUI(data) {
       : `<i class="material-icons">account_circle</i>`;
 
     // fallback username if missing
-    const usernameText = data.username 
-      || localStorage.getItem("username") 
+    const usernameText = data.username
+      || localStorage.getItem("username")
       || "";
 
     if (!dd) {
       dd = document.createElement("div");
-      dd.id    = "userDropdown";
+      dd.id = "userDropdown";
       dd.classList.add("user-dropdown");
 
       // toggle button
       const toggle = document.createElement("button");
-      toggle.id    = "userDropdownToggle";
-      toggle.classList.add("btn","btn-user");
+      toggle.id = "userDropdownToggle";
+      toggle.classList.add("btn", "btn-user");
       toggle.setAttribute("title", t("user_settings"));
       toggle.innerHTML = `
         ${avatarHTML}
@@ -464,6 +513,14 @@ function checkAuthentication(showLoginToast = true) {
         }
         updateAuthenticatedUI(data);
         return data;
+
+        // at the end of updateAuthenticatedUI(data)
+        if (!window.__FR_FLAGS?.initialized && typeof initializeApp === 'function') {
+          initializeApp();
+          window.__FR_FLAGS.initialized = true;
+        }
+        if (typeof applyTranslations === 'function') applyTranslations();
+        if (typeof updateLoginOptionsUIFromStorage === 'function') updateLoginOptionsUIFromStorage();
       } else {
         const overlay = document.getElementById('loadingOverlay');
         if (overlay) overlay.remove();
@@ -484,53 +541,162 @@ function checkAuthentication(showLoginToast = true) {
 }
 
 /* ----------------- Authentication Submission ----------------- */
+async function primeCsrfStrict() {
+  const r = await fetch('/api/auth/token.php', { credentials: 'include' });
+  const j = await r.json().catch(() => ({}));
+  if (!r.ok || !j.csrf_token) throw new Error('CSRF missing');
+  window.csrfToken = j.csrf_token;
+  const m = document.querySelector('meta[name="csrf-token"]');
+  if (m) m.content = j.csrf_token;
+}
+
+function toFormBody(obj) {
+  const p = new URLSearchParams();
+  for (const [k, v] of Object.entries(obj || {})) p.set(k, v == null ? '' : String(v));
+  return p.toString();
+}
+
+async function safeJson(res) {
+  const ct = res.headers.get('content-type') || '';
+  if (!/application\/json/i.test(ct)) return null;
+  try { return await res.clone().json(); } catch { return null; }
+}
+
+async function sniffTOTP(res, bodyMaybe) {
+  if (res.headers.get('X-TOTP-Required') === '1') return true;
+  if (res.redirected && /[?&]totp_required=1\b/.test(res.url)) return true;
+  const body = bodyMaybe ?? await safeJson(res);
+  if (body && (body.totp_required || body.error === 'TOTP_REQUIRED')) return true;
+  try {
+    const txt = await res.clone().text();
+    if (/\btotp_required\s*=\s*1\b/i.test(txt)) return true;
+  } catch { }
+  return false;
+}
+
+async function isAuthedNow() {
+  try {
+    const r = await fetch('/api/auth/checkAuth.php', { credentials: 'include' });
+    const j = await r.json().catch(() => ({}));
+    return !!j.authenticated;
+  } catch { return false; }
+}
+
+function rafTick(times = 2) {
+  return new Promise(res => {
+    const step = () => { if (--times <= 0) res(); else requestAnimationFrame(step); };
+    requestAnimationFrame(step);
+  });
+}
+
+async function fetchAuthSnapshot() {
+  try {
+    const r = await fetch('/api/auth/checkAuth.php', { credentials: 'include' });
+    return await r.json();
+  } catch { return {}; }
+}
+
+async function syncPermissionsToLocalStorage() {
+  try {
+    const r = await fetch('/api/getUserPermissions.php', { credentials: 'include' });
+    const perm = await r.json();
+    if (perm && typeof perm === 'object') {
+      localStorage.setItem('folderOnly', perm.folderOnly ? 'true' : 'false');
+      localStorage.setItem('readOnly', perm.readOnly ? 'true' : 'false');
+      localStorage.setItem('disableUpload', perm.disableUpload ? 'true' : 'false');
+    }
+  } catch { /* non-fatal */ }
+}
+
+// ——— main ———
+let __loginInFlight = false;
+
 async function submitLogin(data) {
-  setLastLoginData(data);
-  window.__lastLoginData = data;
+  if (__loginInFlight) return;
+  __loginInFlight = true;
+
+  const payload = {
+    username: String(data.username || '').trim(),
+    password: String(data.password || '').trim(),
+    remember_me: data.remember_me ? 1 : 0
+  };
+
+  setLastLoginData(payload);
+  window.__lastLoginData = payload;
 
   try {
-    // ─── 1) Get CSRF for the initial auth call ───
-    let res = await fetch("/api/auth/token.php", { credentials: "include" });
-    if (!res.ok) throw new Error("Could not fetch CSRF token");
-    window.csrfToken = (await res.json()).csrf_token;
+    await primeCsrfStrict();
 
-    // ─── 2) Send credentials ───
-    const response = await sendRequest(
-      "/api/auth/auth.php",
-      "POST",
-      data,
-      { "X-CSRF-Token": window.csrfToken }
-    );
+    // Attempt #1 — JSON
+    let res = await fetchWithCsrf('/api/auth/auth.php', {
+      method: 'POST',
+      credentials: 'include',
+      headers: { 'Content-Type': 'application/json', 'Accept': 'application/json' },
+      body: JSON.stringify(payload)
+    });
+    let body = await safeJson(res);
 
-    // ─── 3a) Full login (no TOTP) ───
-    if (response.success || response.status === "ok") {
-      sessionStorage.setItem("welcomeMessage", "Welcome back, " + data.username + "!");
-      // … fetch permissions & reload …
+    // TOTP requested?
+    if (await sniffTOTP(res, body)) {
+      try { await primeCsrfStrict(); } catch { }
+      window.pendingTOTP = true;
       try {
-        const perm = await sendRequest("/api/getUserPermissions.php", "GET");
-        if (perm && typeof perm === "object") {
-          localStorage.setItem("folderOnly", perm.folderOnly ? "true" : "false");
-          localStorage.setItem("readOnly", perm.readOnly ? "true" : "false");
-          localStorage.setItem("disableUpload", perm.disableUpload ? "true" : "false");
-        }
+        const auth = await import('/js/auth.js?v={{APP_QVER}}');
+        if (typeof auth.openTOTPLoginModal === 'function') auth.openTOTPLoginModal();
       } catch { }
-      return window.location.reload();
+      return;
     }
 
-    // ─── 3b) TOTP required ───
-    if (response.totp_required) {
-      // **Refresh** CSRF before the TOTP verify call
-      res = await fetch("/api/auth/token.php", { credentials: "include" });
-      if (res.ok) {
-        window.csrfToken = (await res.json()).csrf_token;
-      }
-      // now open the modal—any totp_verify fetch from here on will use the new token
-      return openTOTPLoginModal();
+    // Full success (no TOTP)
+    if (body && (body.success || body.status === 'ok' || body.authenticated)) {
+
+      await syncPermissionsToLocalStorage();
+      return afterLogin();
     }
 
-    // ─── 3c) Too many attempts ───
-    if (response.error && response.error.includes("Too many failed login attempts")) {
-      showToast(response.error);
+    // Cookie set but non-JSON body — double check session
+    if (!body && await isAuthedNow()) {
+
+      await syncPermissionsToLocalStorage();
+
+      return afterLogin();
+    }
+
+    // Attempt #2 — form fallback
+    res = await fetchWithCsrf('/api/auth/auth.php', {
+      method: 'POST',
+      credentials: 'include',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json' },
+      body: toFormBody(payload)
+    });
+    body = await safeJson(res);
+
+    if (await sniffTOTP(res, body)) {
+      try { await primeCsrfStrict(); } catch { }
+      window.pendingTOTP = true;
+      try {
+        const auth = await import('/js/auth.js?v={{APP_QVER}}');
+        if (typeof auth.openTOTPLoginModal === 'function') auth.openTOTPLoginModal();
+      } catch { }
+      return;
+    }
+
+    if (body && (body.success || body.status === 'ok' || body.authenticated)) {
+      await syncPermissionsToLocalStorage();
+
+      return afterLogin();
+    }
+
+    if (!body && await isAuthedNow()) {
+
+      await syncPermissionsToLocalStorage();
+
+      return afterLogin();
+    }
+
+    // Rate limit still respected
+    if (body?.error && /Too many failed login attempts/i.test(body.error)) {
+      showToast(body.error);
       const btn = document.querySelector("#authForm button[type='submit']");
       if (btn) {
         btn.disabled = true;
@@ -542,12 +708,12 @@ async function submitLogin(data) {
       return;
     }
 
-    // ─── 3d) Other failures ───
-    showToast("Login failed: " + (response.error || "Unknown error"));
+    showToast('Login failed' + (body?.error ? `: ${body.error}` : ''));
 
-  } catch (err) {
-    const msg = err.message || err.error || "Unknown error";
-    showToast(`Login failed: ${msg}`);
+  } catch (e) {
+    showToast('Login failed: ' + (e.message || 'Unknown error'));
+  } finally {
+    __loginInFlight = false;
   }
 }
 
@@ -763,4 +929,4 @@ document.addEventListener("DOMContentLoaded", function () {
   }
 });
 
-export { initAuth, checkAuthentication };
+export { initAuth, checkAuthentication, openTOTPLoginModal };

public/js/authModals.js

@@ -1,7 +1,7 @@
-import { showToast, toggleVisibility, attachEnterKeyListener } from './domUtils.js';
-import { sendRequest } from './networkUtils.js';
-import { t, applyTranslations, setLocale } from './i18n.js';
-import { loadAdminConfigFunc, updateAuthenticatedUI } from './auth.js';
+import { showToast, toggleVisibility, attachEnterKeyListener } from './domUtils.js?v={{APP_QVER}}';
+import { sendRequest } from './networkUtils.js?v={{APP_QVER}}';
+import { t, applyTranslations, setLocale } from './i18n.js?v={{APP_QVER}}';
+import { loadAdminConfigFunc, updateAuthenticatedUI } from './auth.js?v={{APP_QVER}}';
 
 let lastLoginData = null;
 export function setLastLoginData(data) {

public/js/defer-css.js

@@ -0,0 +1,31 @@
+// /public/js/defer-css.js
+// Promote preloaded styles to real stylesheets (CSP-safe) and expose a load promise.
+(function () {
+  if (window.__CSS_PROMISE__) return;
+
+  var loads = [];
+
+  // Promote <link rel="preload" as="style"> IN-PLACE
+  var preloads = document.querySelectorAll('link[rel="preload"][as="style"]');
+  for (var i = 0; i < preloads.length; i++) {
+    var l = preloads[i];
+    // resolve when it finishes loading as a stylesheet
+    loads.push(new Promise(function (res) { l.addEventListener('load', res, { once: true }); }));
+    l.rel = 'stylesheet';
+    if (!l.media || l.media === 'print') l.media = 'all'; // be explicit
+    l.removeAttribute('as'); // keep some engines happy about "used" preload
+  }
+
+  // Also wait for any existing <link rel="stylesheet"> that haven't finished yet
+  var styles = document.querySelectorAll('link[rel="stylesheet"]');
+  for (var j = 0; j < styles.length; j++) {
+    var s = styles[j];
+    if (s.sheet) continue; // already applied
+    loads.push(new Promise(function (res) { s.addEventListener('load', res, { once: true }); }));
+  }
+
+  // Safari quirk: nudge layout so promoted sheets apply immediately
+  void document.documentElement.offsetHeight;
+
+  window.__CSS_PROMISE__ = Promise.all(loads);
+})();

public/js/domUtils.js

@@ -1,6 +1,6 @@
 // domUtils.js
-import { t } from './i18n.js';
-import { openDownloadModal } from './fileActions.js';
+import { t } from './i18n.js?v={{APP_QVER}}';
+import { openDownloadModal } from './fileActions.js?v={{APP_QVER}}';
 
 // Basic DOM Helpers
 export function toggleVisibility(elementId, shouldShow) {

public/js/dragAndDrop.js

@@ -489,18 +489,12 @@ function mountHeaderToggle(btn) {
   });
 }
 
+
 function ensureZonesToggle() {
-  const isAuthed = document.body.classList.contains('authenticated');
   let btn = document.getElementById('sidebarToggleFloating');
   const host = getHeaderHost();
   if (!host) return;
 
-  // If not authenticated, make sure the button is gone and bail.
-  if (!isAuthed) {
-    if (btn) btn.remove();
-    return;
-  }
-
   // ensure the host is a positioning context
   const hostStyle = getComputedStyle(host);
   if (hostStyle.position === 'static') {
@@ -542,6 +536,7 @@ function ensureZonesToggle() {
       padding: '0',
       lineHeight: '0'
     });
+    btn.classList.add('zones-toggle');
 
     // Dark mode polish
     if (document.body.classList.contains('dark-mode')) {

public/js/fileActions.js

@@ -1,8 +1,8 @@
 // fileActions.js
-import { showToast, attachEnterKeyListener } from './domUtils.js';
-import { loadFileList } from './fileListView.js';
-import { formatFolderName } from './fileListView.js';
-import { t } from './i18n.js';
+import { showToast, attachEnterKeyListener } from './domUtils.js?v={{APP_QVER}}';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
+import { formatFolderName } from './fileListView.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
 
 export function handleDeleteSelected(e) {
   e.preventDefault();
@@ -31,6 +31,7 @@ document.addEventListener("DOMContentLoaded", function () {
 
   const confirmDelete = document.getElementById("confirmDeleteFiles");
   if (confirmDelete) {
+    confirmDelete.setAttribute("data-default", "");
     confirmDelete.addEventListener("click", function () {
       fetch("/api/file/deleteFiles.php", {
         method: "POST",
@@ -316,6 +317,7 @@ document.addEventListener("DOMContentLoaded", () => {
 
   // 2) Confirm button kicks off the zip+download
   if (confirmZipBtn) {
+    confirmZipBtn.setAttribute("data-default", "");
     confirmZipBtn.addEventListener("click", async () => {
       // a) Validate ZIP filename
       let zipName = document.getElementById("zipFileNameInput").value.trim();
@@ -478,6 +480,7 @@ document.addEventListener("DOMContentLoaded", function () {
   }
   const confirmCopy = document.getElementById("confirmCopyFiles");
   if (confirmCopy) {
+    confirmCopy.setAttribute("data-default", "");
     confirmCopy.addEventListener("click", function () {
       const targetFolder = document.getElementById("copyTargetFolder").value;
       if (!targetFolder) {
@@ -529,6 +532,7 @@ document.addEventListener("DOMContentLoaded", function () {
   }
   const confirmMove = document.getElementById("confirmMoveFiles");
   if (confirmMove) {
+    confirmMove.setAttribute("data-default", "");
     confirmMove.addEventListener("click", function () {
       const targetFolder = document.getElementById("moveTargetFolder").value;
       if (!targetFolder) {
@@ -598,6 +602,7 @@ document.addEventListener("DOMContentLoaded", () => {
 
   const submitBtn = document.getElementById("submitRenameFile");
   if (submitBtn) {
+    submitBtn.setAttribute("data-default", "");
     submitBtn.addEventListener("click", function () {
       const newName = document.getElementById("newFileName").value.trim();
       if (!newName || newName === window.fileToRename) {

public/js/fileDragDrop.js

@@ -1,6 +1,6 @@
 // fileDragDrop.js
-import { showToast } from './domUtils.js';
-import { loadFileList } from './fileListView.js';
+import { showToast } from './domUtils.js?v={{APP_QVER}}';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
 
 export function fileDragStartHandler(event) {
   const row = event.currentTarget;

public/js/fileEditor.js

@@ -1,43 +1,59 @@
 // fileEditor.js
-import { escapeHTML, showToast } from './domUtils.js';
-import { loadFileList } from './fileListView.js';
-import { t } from './i18n.js';
+import { escapeHTML, showToast } from './domUtils.js?v={{APP_QVER}}';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
+import { buildPreviewUrl } from './filePreview.js?v={{APP_QVER}}';
 
 // thresholds for editor behavior
 const EDITOR_PLAIN_THRESHOLD = 5 * 1024 * 1024;  // >5 MiB => force plain text, lighter settings
 const EDITOR_BLOCK_THRESHOLD = 10 * 1024 * 1024; // >10 MiB => block editing
 
-// Lazy-load CodeMirror modes on demand
-//const CM_CDN = "https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.65.5/";
-const CM_LOCAL = "/vendor/codemirror/5.65.5/";
+// ==== CodeMirror lazy loader ===============================================
+const CM_BASE = "/vendor/codemirror/5.65.5/";
+
+// Stamp-friendly helpers (the stamper will replace {{APP_QVER}})
+const coreUrl = (p) => `${CM_BASE}${p}?v={{APP_QVER}}`;
+
+const CORE = {
+  js: coreUrl("codemirror.min.js"),
+  css: coreUrl("codemirror.min.css"),
+  themeCss: coreUrl("theme/material-darker.min.css"),
+};
 
 // Which mode file to load for a given name/mime
 const MODE_URL = {
   // core/common
-  "xml":        "mode/xml/xml.min.js",
-  "css":        "mode/css/css.min.js",
-  "javascript": "mode/javascript/javascript.min.js",
+  "xml": "mode/xml/xml.min.js?v={{APP_QVER}}",
+  "css": "mode/css/css.min.js?v={{APP_QVER}}",
+  "javascript": "mode/javascript/javascript.min.js?v={{APP_QVER}}",
 
   // meta / combos
-  "htmlmixed":  "mode/htmlmixed/htmlmixed.min.js",
-  "application/x-httpd-php": "mode/php/php.min.js",
+  "htmlmixed": "mode/htmlmixed/htmlmixed.min.js?v={{APP_QVER}}",
+  "application/x-httpd-php": "mode/php/php.min.js?v={{APP_QVER}}",
 
   // docs / data
-  "markdown":   "mode/markdown/markdown.min.js",
-  "yaml":       "mode/yaml/yaml.min.js",
-  "properties": "mode/properties/properties.min.js",
-  "sql":        "mode/sql/sql.min.js",
+  "markdown": "mode/markdown/markdown.min.js?v={{APP_QVER}}",
+  "yaml": "mode/yaml/yaml.min.js?v={{APP_QVER}}",
+  "properties": "mode/properties/properties.min.js?v={{APP_QVER}}",
+  "sql": "mode/sql/sql.min.js?v={{APP_QVER}}",
 
   // shells
-  "shell":      "mode/shell/shell.min.js",
+  "shell": "mode/shell/shell.min.js?v={{APP_QVER}}",
 
   // languages
-  "python":     "mode/python/python.min.js",
-  "text/x-csrc":    "mode/clike/clike.min.js",
-  "text/x-c++src":  "mode/clike/clike.min.js",
-  "text/x-java":    "mode/clike/clike.min.js",
-  "text/x-csharp":  "mode/clike/clike.min.js",
-  "text/x-kotlin":  "mode/clike/clike.min.js"
+  "python": "mode/python/python.min.js?v={{APP_QVER}}",
+  "text/x-csrc": "mode/clike/clike.min.js?v={{APP_QVER}}",
+  "text/x-c++src": "mode/clike/clike.min.js?v={{APP_QVER}}",
+  "text/x-java": "mode/clike/clike.min.js?v={{APP_QVER}}",
+  "text/x-csharp": "mode/clike/clike.min.js?v={{APP_QVER}}",
+  "text/x-kotlin": "mode/clike/clike.min.js?v={{APP_QVER}}"
+};
+
+// Mode dependency graph
+const MODE_DEPS = {
+  "htmlmixed": ["xml", "javascript", "css"],
+  "application/x-httpd-php": ["htmlmixed", "text/x-csrc"], // php overlays + clike bits
+  "markdown": ["xml"]
 };
 
 // Map any mime/alias to the key we use in MODE_URL
@@ -49,62 +65,209 @@ function normalizeModeName(modeOption) {
   return name;
 }
 
-const MODE_LOAD_TIMEOUT_MS = 2500; // allow closing immediately; don't wait forever
+// ---- ONLYOFFICE integration -----------------------------------------------
+
+function getExt(name) { const i = name.lastIndexOf('.'); return i >= 0 ? name.slice(i + 1).toLowerCase() : ''; }
+
+// Cache OO capabilities (enabled flag + ext list) from /api/onlyoffice/status.php
+let __ooCaps = { enabled: false, exts: new Set(), fetched: false };
+
+async function fetchOnlyOfficeCapsOnce() {
+  if (__ooCaps.fetched) return __ooCaps;
+  try {
+    const r = await fetch('/api/onlyoffice/status.php', { credentials: 'include' });
+    if (r.ok) {
+      const j = await r.json();
+      __ooCaps.enabled = !!j.enabled;
+      __ooCaps.exts = new Set(Array.isArray(j.exts) ? j.exts : []);
+    }
+  } catch { /* ignore; keep defaults */ }
+  __ooCaps.fetched = true;
+  return __ooCaps;
+}
+
+async function shouldUseOnlyOffice(fileName) {
+  const { enabled, exts } = await fetchOnlyOfficeCapsOnce();
+  return enabled && exts.has(getExt(fileName));
+}
+
+function isAbsoluteHttpUrl(u) { return /^https?:\/\//i.test(u || ''); }
+
+async function ensureOnlyOfficeApi(srcFromConfig, originFromConfig) {
+  let src =
+    srcFromConfig ||
+    (originFromConfig ? originFromConfig.replace(/\/$/, '') + '/web-apps/apps/api/documents/api.js'
+      : (window.ONLYOFFICE_API_SRC || '/onlyoffice/web-apps/apps/api/documents/api.js'));
+  if (window.DocsAPI && typeof window.DocsAPI.DocEditor === 'function') return;
+  await loadScriptOnce(src);
+}
+
+async function openOnlyOffice(fileName, folder) {
+  let editor; // make visible to the whole function
+
+  try {
+    const url = `/api/onlyoffice/config.php?folder=${encodeURIComponent(folder)}&file=${encodeURIComponent(fileName)}`;
+    const resp = await fetch(url, { credentials: 'include' });
+
+    const text = await resp.text();
+    let cfg;
+    try { cfg = JSON.parse(text); } catch {
+      throw new Error(`ONLYOFFICE config parse failed (HTTP ${resp.status}). First 120 chars: ${text.slice(0,120)}`);
+    }
+    if (!resp.ok) throw new Error(cfg.error || `ONLYOFFICE config HTTP ${resp.status}`);
+
+    // Must be absolute
+    const docUrl = cfg?.document?.url;
+    const cbUrl  = cfg?.editorConfig?.callbackUrl;
+    if (!/^https?:\/\//i.test(docUrl || '') || !/^https?:\/\//i.test(cbUrl || '')) {
+      throw new Error(`Config URLs must be absolute. document.url='${docUrl}', callbackUrl='${cbUrl}'`);
+    }
+
+    // Load DocsAPI if needed
+    await ensureOnlyOfficeApi(cfg.docs_api_js, cfg.documentServerOrigin);
+
+    // Modal
+    const modal = document.createElement('div');
+    modal.id = 'ooEditorModal';
+    modal.classList.add('modal', 'editor-modal');
+    modal.setAttribute('tabindex', '-1');
+    modal.innerHTML = `
+      <div class="editor-header">
+        <h3 class="editor-title">
+          ${t("editing")}: ${escapeHTML(fileName)}
+        </h3>
+        <button id="closeEditorX" class="editor-close-btn" aria-label="${t("close") || "Close"}">&times;</button>
+      </div>
+      <div class="editor-body" style="flex:1;min-height:200px">
+        <div id="oo-editor" style="width:100%;height:100%"></div>
+      </div>
+    `;
+    document.body.appendChild(modal);
+    modal.style.display = 'block';
+    modal.focus();
+
+    // We’ll fill this after wiring the toggle, so destroy() can unhook it
+    let removeThemeListener = () => {};
+
+    const destroy = () => {
+      try { editor?.destroyEditor?.(); } catch {}
+      try { removeThemeListener(); } catch {}
+      try { modal.remove(); } catch {}
+    };
+
+    modal.addEventListener('keydown', e => { if (e.key === 'Escape') destroy(); });
+    document.getElementById('closeEditorX')?.addEventListener('click', destroy);
+
+    // Let DS request closing
+    cfg.events = Object.assign({}, cfg.events, { onRequestClose: destroy });
+
+    // Initial theme
+    const isDark =
+    document.documentElement.classList.contains('dark-mode') ||
+    /^(1|true)$/i.test(localStorage.getItem('darkMode') || '');
+  
+  cfg.editorConfig = cfg.editorConfig || {};
+  cfg.editorConfig.customization = Object.assign(
+    {},
+    cfg.editorConfig.customization,
+    { uiTheme: isDark ? 'theme-dark' : 'theme-light' } // <- correct key/value
+  );
+
+    // Launch editor
+    editor = new window.DocsAPI.DocEditor('oo-editor', cfg);
+
+    // Live theme switching (ONLYOFFICE v7.2+ supports setTheme)
+    const darkToggle = document.getElementById('darkModeToggle');
+    const onDarkToggle = () => {
+      const nowDark = document.documentElement.classList.contains('dark-mode');
+      if (editor && typeof editor.setTheme === 'function') {
+        editor.setTheme(nowDark ? 'dark' : 'light');
+      }
+    };
+    if (darkToggle) {
+      darkToggle.addEventListener('click', onDarkToggle);
+      removeThemeListener = () => darkToggle.removeEventListener('click', onDarkToggle);
+    }
+  } catch (e) {
+    console.error('[ONLYOFFICE] failed to open:', e);
+    showToast((e && e.message) ? e.message : 'Unable to open ONLYOFFICE editor.');
+  }
+}
+// ---- /ONLYOFFICE integration ----------------------------------------------
+
+
+const _loadedScripts = new Set();
+const _loadedCss = new Set();
+let _corePromise = null;
 
 function loadScriptOnce(url) {
   return new Promise((resolve, reject) => {
-    const ver = (window.APP_VERSION ?? 'dev').replace(/^v/, ''); // "v1.6.9" -> "1.6.9"
-    const withQS = url + '?v=' + ver;
-
-    const key = `cm:${withQS}`;
-    let s = document.querySelector(`script[data-key="${key}"]`);
-    if (s) {
-      if (s.dataset.loaded === "1") return resolve();
-      s.addEventListener("load", resolve);
-      s.addEventListener("error", () => reject(new Error(`Load failed: ${withQS}`)));
-      return;
-    }
-    s = document.createElement("script");
-    s.src = withQS;
+    if (_loadedScripts.has(url)) return resolve();
+    const s = document.createElement("script");
+    s.src = url;
     s.async = true;
-    s.dataset.key = key;
-    s.addEventListener("load", () => { s.dataset.loaded = "1"; resolve(); });
-    s.addEventListener("error", () => reject(new Error(`Load failed: ${withQS}`)));
+    s.onload = () => { _loadedScripts.add(url); resolve(); };
+    s.onerror = () => reject(new Error(`Load failed: ${url}`));
     document.head.appendChild(s);
   });
 }
 
+function loadCssOnce(href) {
+  return new Promise((resolve, reject) => {
+    if (_loadedCss.has(href)) return resolve();
+    const l = document.createElement("link");
+    l.rel = "stylesheet";
+    l.href = href;
+    l.onload = () => { _loadedCss.add(href); resolve(); };
+    l.onerror = () => reject(new Error(`Load failed: ${href}`));
+    document.head.appendChild(l);
+  });
+}
+
+async function ensureCore() {
+  if (_corePromise) return _corePromise;
+  _corePromise = (async () => {
+    // load CSS first to avoid FOUC
+    await loadCssOnce(CORE.css);
+    await loadCssOnce(CORE.themeCss);
+    if (!window.CodeMirror) {
+      await loadScriptOnce(CORE.js);
+    }
+  })();
+  return _corePromise;
+}
+
+async function loadSingleMode(name) {
+  const rel = MODE_URL[name];
+  if (!rel) return;
+  // prepend base if needed
+  const url = rel.startsWith("http") ? rel : (rel.startsWith("/") ? rel : (CM_BASE + rel));
+  await loadScriptOnce(url);
+}
+
+function isModeRegistered(name) {
+  return !!(
+    (window.CodeMirror?.modes && window.CodeMirror.modes[name]) ||
+    (window.CodeMirror?.mimeModes && window.CodeMirror.mimeModes[name])
+  );
+}
 
 async function ensureModeLoaded(modeOption) {
-  if (!window.CodeMirror) return;
-
+  await ensureCore();
   const name = normalizeModeName(modeOption);
   if (!name) return;
-
-  const isRegistered = () =>
-    (window.CodeMirror?.modes && window.CodeMirror.modes[name]) ||
-    (window.CodeMirror?.mimeModes && window.CodeMirror.mimeModes[name]);
-
-  if (isRegistered()) return;
-
-  const url = MODE_URL[name];
-  if (!url) return; // unknown -> stay in text/plain
-
-  // Dependencies
-  if (name === "htmlmixed") {
-    await Promise.all([
-      ensureModeLoaded("xml"),
-      ensureModeLoaded("css"),
-      ensureModeLoaded("javascript")
-    ]);
+  if (isModeRegistered(name)) return;
+  const deps = MODE_DEPS[name] || [];
+  for (const d of deps) {
+    if (!isModeRegistered(d)) await loadSingleMode(d);
   }
-  if (name === "application/x-httpd-php") {
-    await ensureModeLoaded("htmlmixed");
-  }
-
-  await loadScriptOnce(CM_LOCAL + url);
+  await loadSingleMode(name);
 }
 
+// Public helper for callers (we keep your existing function name in use):
+const MODE_LOAD_TIMEOUT_MS = 2500; // allow closing immediately; don't wait forever
+// ==== /CodeMirror lazy loader ===============================================
+
 function getModeForFile(fileName) {
   const dot = fileName.lastIndexOf(".");
   const ext = dot >= 0 ? fileName.slice(dot + 1).toLowerCase() : "";
@@ -164,29 +327,48 @@ function observeModalResize(modal) {
 }
 export { observeModalResize };
 
-export function editFile(fileName, folder) {
+export async function editFile(fileName, folder) {
   // destroy any previous editor
   let existingEditor = document.getElementById("editorContainer");
   if (existingEditor) existingEditor.remove();
 
   const folderUsed = folder || window.currentFolder || "root";
-  const folderPath = folderUsed === "root"
-    ? "uploads/"
-    : "uploads/" + folderUsed.split("/").map(encodeURIComponent).join("/") + "/";
-  const fileUrl = folderPath + encodeURIComponent(fileName) + "?t=" + new Date().getTime();
+  const fileUrl = buildPreviewUrl(folderUsed, fileName);
 
-  fetch(fileUrl, { method: "HEAD" })
-    .then(response => {
-      const lenHeader = response.headers.get("content-length") ?? response.headers.get("Content-Length");
-      const sizeBytes = lenHeader ? parseInt(lenHeader, 10) : null;
+  if (await shouldUseOnlyOffice(fileName)) {
+    await openOnlyOffice(fileName, folderUsed);
+    return;
+  }
 
+  // Probe size safely via API. Prefer HEAD; if missing Content-Length, fall back to a 1-byte Range GET.
+  async function probeSize(url) {
+    try {
+      const h = await fetch(url, { method: "HEAD", credentials: "include" });
+      const len = h.headers.get("content-length") ?? h.headers.get("Content-Length");
+      if (len && !Number.isNaN(parseInt(len, 10))) return parseInt(len, 10);
+    } catch { }
+    try {
+      const r = await fetch(url, {
+        method: "GET",
+        headers: { Range: "bytes=0-0" },
+        credentials: "include"
+      });
+      // Content-Range: bytes 0-0/12345
+      const cr = r.headers.get("content-range") ?? r.headers.get("Content-Range");
+      const m = cr && cr.match(/\/(\d+)\s*$/);
+      if (m) return parseInt(m[1], 10);
+    } catch { }
+    return null;
+  }
+
+  probeSize(fileUrl)
+    .then(sizeBytes => {
       if (sizeBytes !== null && sizeBytes > EDITOR_BLOCK_THRESHOLD) {
         showToast("This file is larger than 10 MB and cannot be edited in the browser.");
         throw new Error("File too large.");
       }
-      return response;
+      return fetch(fileUrl, { credentials: "include" });
     })
-    .then(() => fetch(fileUrl))
     .then(response => {
       if (!response.ok) throw new Error("HTTP error! Status: " + response.status);
       const lenHeader = response.headers.get("content-length") ?? response.headers.get("Content-Length");
@@ -215,7 +397,7 @@ export function editFile(fileName, folder) {
         </div>
         <textarea id="fileEditor" class="editor-textarea">${escapeHTML(content)}</textarea>
         <div class="editor-footer">
-          <button id="saveBtn" class="btn btn-primary" disabled>${t("save")}</button>
+          <button id="saveBtn" class="btn btn-primary" data-default disabled>${t("save")} </button>
           <button id="closeBtn" class="btn btn-secondary">${t("close")}</button>
         </div>
       `;
@@ -238,28 +420,28 @@ export function editFile(fileName, folder) {
       // Keep buttons responsive even before editor exists
       const decBtn = document.getElementById("decreaseFont");
       const incBtn = document.getElementById("increaseFont");
-      decBtn.addEventListener("click", () => {});
-      incBtn.addEventListener("click", () => {});
+      decBtn.addEventListener("click", () => { });
+      incBtn.addEventListener("click", () => { });
 
       // Theme + mode selection
       const isDarkMode = document.body.classList.contains("dark-mode");
       const theme = isDarkMode ? "material-darker" : "default";
       const desiredMode = forcePlainText ? "text/plain" : getModeForFile(fileName);
 
-      // Helper to check whether a mode is currently registered
-      const modeName = typeof desiredMode === "string" ? desiredMode : (desiredMode && desiredMode.name);
-      const isModeRegistered = () =>
-        (window.CodeMirror?.modes && window.CodeMirror.modes[modeName]) ||
-        (window.CodeMirror?.mimeModes && window.CodeMirror.mimeModes[modeName]);
-
-      // Start mode loading (don’t block closing)
-      const modePromise = ensureModeLoaded(desiredMode);
+      // Start core+mode loading (don’t block closing)
+      const modePromise = (async () => {
+        await ensureCore();                 // load CM core + CSS
+        if (!forcePlainText) {
+          await ensureModeLoaded(desiredMode); // then load the needed mode + deps
+        }
+      })();
 
       // Wait up to MODE_LOAD_TIMEOUT_MS; then proceed with whatever is available
       const timeout = new Promise((res) => setTimeout(res, MODE_LOAD_TIMEOUT_MS));
 
       Promise.race([modePromise, timeout]).then(() => {
         if (canceled) return;
+
         if (!window.CodeMirror) {
           // Core not present: keep plain <textarea>; enable Save and bail gracefully
           document.getElementById("saveBtn").disabled = false;
@@ -267,7 +449,9 @@ export function editFile(fileName, folder) {
           return;
         }
 
-        const initialMode = (forcePlainText || !isModeRegistered()) ? "text/plain" : desiredMode;
+        const normName = normalizeModeName(desiredMode) || "text/plain";
+        const initialMode = (forcePlainText || !isModeRegistered(normName)) ? "text/plain" : desiredMode;
+
         const cmOptions = {
           lineNumbers: !forcePlainText,
           mode: initialMode,
@@ -319,8 +503,11 @@ export function editFile(fileName, folder) {
 
         // If we started in plain text due to timeout, flip to the real mode once it arrives
         modePromise.then(() => {
-          if (!canceled && !forcePlainText && isModeRegistered()) {
-            editor.setOption("mode", desiredMode);
+          if (!canceled && !forcePlainText) {
+            const nn = normalizeModeName(desiredMode);
+            if (nn && isModeRegistered(nn)) {
+              editor.setOption("mode", desiredMode);
+            }
           }
         }).catch(() => {
           // If the mode truly fails to load, we just stay in plain text

public/js/fileListView.js

@@ -11,11 +11,11 @@ import {
     updateRowHighlight,
     toggleRowSelection,
     attachEnterKeyListener
-  } from './domUtils.js';
-  import { t } from './i18n.js';
-  import { bindFileListContextMenu } from './fileMenu.js';
-  import { openDownloadModal } from './fileActions.js';
-  import { openTagModal, openMultiTagModal } from './fileTags.js';
+  } from './domUtils.js?v={{APP_QVER}}';
+  import { t } from './i18n.js?v={{APP_QVER}}';
+  import { bindFileListContextMenu } from './fileMenu.js?v={{APP_QVER}}';
+  import { openDownloadModal } from './fileActions.js?v={{APP_QVER}}';
+  import { openTagModal, openMultiTagModal } from './fileTags.js?v={{APP_QVER}}';
   import {
     getParentFolder,
     updateBreadcrumbTitle,
@@ -24,16 +24,35 @@ import {
     hideFolderManagerContextMenu,
     openRenameFolderModal,
     openDeleteFolderModal
-  } from './folderManager.js';
-  import { openFolderShareModal } from './folderShareModal.js';
+  } from './folderManager.js?v={{APP_QVER}}';
+  import { openFolderShareModal } from './folderShareModal.js?v={{APP_QVER}}';
   import {
     folderDragOverHandler,
     folderDragLeaveHandler,
     folderDropHandler
-  } from './fileDragDrop.js';
+  } from './fileDragDrop.js?v={{APP_QVER}}';
   
   export let fileData = [];
   export let sortOrder = { column: "uploaded", ascending: true };
+
+
+
+    // onnlyoffice
+let OO_ENABLED = false;
+let OO_EXTS = new Set();
+
+export async function initOnlyOfficeCaps() {
+  try {
+    const r = await fetch('/api/onlyoffice/status.php', { credentials: 'include' });
+    if (!r.ok) throw 0;
+    const j = await r.json();
+    OO_ENABLED = !!j.enabled;
+    OO_EXTS = new Set(Array.isArray(j.exts) ? j.exts : []);
+  } catch {
+    OO_ENABLED = false;
+    OO_EXTS = new Set();
+  }
+}
   
   // Hide "Edit" for files >10 MiB
   const MAX_EDIT_BYTES = 10 * 1024 * 1024;
@@ -138,7 +157,121 @@ function wireSelectAll(fileListContent) {
     }
     return body ?? {};
   }
-  
+  // ---- Viewed badges (table + gallery) ----
+// ---------- Badge factory (center text vertically) ----------
+function makeBadge(state) {
+  if (!state) return null;
+  const el = document.createElement('span');
+  el.className = 'status-badge';
+  el.style.cssText = [
+    'display:inline-flex',
+    'align-items:center',
+    'justify-content:center',
+    'vertical-align:middle',
+    'margin-left:6px',
+    'padding:2px 8px',
+    'min-height:18px',
+    'line-height:1',
+    'border-radius:999px',
+    'font-size:.78em',
+    'border:1px solid rgba(0,0,0,.2)',
+    'background:rgba(0,0,0,.06)'
+  ].join(';');
+
+  if (state.completed) {
+    el.classList.add('watched');
+    el.textContent = (t('watched') || t('viewed') || 'Watched');
+    el.style.borderColor = 'rgba(34,197,94,.45)';
+    el.style.background  = 'rgba(34,197,94,.12)';
+    el.style.color       = '#22c55e';
+    return el;
+  }
+
+  if (Number.isFinite(state.seconds) && Number.isFinite(state.duration) && state.duration > 0) {
+    const pct = Math.max(1, Math.min(99, Math.round((state.seconds / state.duration) * 100)));
+    el.classList.add('progress');
+    el.textContent = `${pct}%`;
+    el.style.borderColor = 'rgba(245,158,11,.45)';
+    el.style.background  = 'rgba(245,158,11,.12)';
+    el.style.color       = '#f59e0b';
+    return el;
+  }
+
+  return null;
+}
+
+// ---------- Public: set/clear badges for one file (table + gallery) ----------
+function applyBadgeToDom(name, state) {
+  const safe = CSS.escape(name);
+
+  // Table
+  document.querySelectorAll(`tr[data-file-name="${safe}"] .name-cell, tr[data-file-name="${safe}"] .file-name-cell`)
+    .forEach(cell => {
+      cell.querySelector('.status-badge')?.remove();
+      const b = makeBadge(state);
+      if (b) cell.appendChild(b);
+    });
+
+  // Gallery
+  document.querySelectorAll(`.gallery-card[data-file-name="${safe}"] .gallery-file-name`)
+    .forEach(title => {
+      title.querySelector('.status-badge')?.remove();
+      const b = makeBadge(state);
+      if (b) title.appendChild(b);
+    });
+}
+
+export function setFileWatchedBadge(name, watched = true) {
+  applyBadgeToDom(name, watched ? { completed: true } : null);
+}
+
+export function setFileProgressBadge(name, seconds, duration) {
+  if (duration > 0 && seconds >= 0) {
+    applyBadgeToDom(name, { seconds, duration, completed: seconds >= duration - 1 });
+  } else {
+    applyBadgeToDom(name, null);
+  }
+}
+
+export async function refreshViewedBadges(folder) {
+  let map = null;
+  try {
+    const res = await fetch(`/api/media/getViewedMap.php?folder=${encodeURIComponent(folder)}&t=${Date.now()}`, { credentials: 'include' });
+    const j = await res.json();
+    map = j?.map || null;
+  } catch { /* ignore */ }
+
+  // Clear any existing badges
+  document.querySelectorAll(
+    '#fileList tr[data-file-name] .file-name-cell .status-badge, ' +
+    '#fileList tr[data-file-name] .name-cell .status-badge, ' +
+    '.gallery-card[data-file-name] .gallery-file-name .status-badge'
+  ).forEach(n => n.remove());
+
+  if (!map) return;
+
+  // Table rows
+  document.querySelectorAll('#fileList tr[data-file-name]').forEach(tr => {
+    const name = tr.getAttribute('data-file-name');
+    const state = map[name];
+    if (!state) return;
+    const cell = tr.querySelector('.name-cell, .file-name-cell');
+    if (!cell) return;
+    const badge = makeBadge(state);
+    if (badge) cell.appendChild(badge);
+  });
+
+  // Gallery cards
+  document.querySelectorAll('.gallery-card[data-file-name]').forEach(card => {
+    const name = card.getAttribute('data-file-name');
+    const state = map[name];
+    if (!state) return;
+    const title = card.querySelector('.gallery-file-name');
+    if (!title) return;
+    const badge = makeBadge(state);
+    if (badge) title.appendChild(badge);
+  });
+}
   /**
    * Convert a file size string (e.g. "456.9KB", "1.2 MB", "1024") into bytes.
    */
@@ -205,29 +338,84 @@ function wireSelectAll(fileListContent) {
   /**
    * Fuse.js fuzzy search helper
    */
-  function searchFiles(searchTerm) {
-    if (!searchTerm) return fileData;
-  
-    let keys = [
-      { name: 'name', weight: 0.1 },
-      { name: 'uploader', weight: 0.1 },
-      { name: 'tags.name', weight: 0.1 }
-    ];
-    if (window.advancedSearchEnabled) {
-      keys.push({ name: 'content', weight: 0.7 });
-    }
-  
+  // --- Lazy Fuse loader (drop-in, CSP-safe, no inline) ---
+const FUSE_SRC = '/vendor/fuse/6.6.2/fuse.min.js?v={{APP_QVER}}';
+let _fuseLoadingPromise = null;
+
+function loadScriptOnce(src) {
+  // cache by src so we don't append multiple <script> tags
+  if (loadScriptOnce._cache?.has(src)) return loadScriptOnce._cache.get(src);
+  loadScriptOnce._cache = loadScriptOnce._cache || new Map();
+  const p = new Promise((resolve, reject) => {
+    const s = document.createElement('script');
+    s.src = src;
+    s.async = true;
+    s.onload = resolve;
+    s.onerror = () => reject(new Error(`Failed to load ${src}`));
+    document.head.appendChild(s);
+  });
+  loadScriptOnce._cache.set(src, p);
+  return p;
+}
+
+function lazyLoadFuse() {
+  if (window.Fuse) return Promise.resolve(window.Fuse);
+  if (!_fuseLoadingPromise) {
+    _fuseLoadingPromise = loadScriptOnce(FUSE_SRC).then(() => window.Fuse);
+  }
+  return _fuseLoadingPromise;
+}
+
+// (Optional) warm-up call you can trigger from main.js after first render:
+//   import { warmUpSearch } from './fileListView.js?v={{APP_QVER}}';
+//   warmUpSearch();
+// This just starts fetching Fuse in the background.
+export function warmUpSearch() {
+  lazyLoadFuse().catch(() => {/* ignore; we’ll fall back */});
+}
+
+// Lazy + backward-compatible search
+function searchFiles(searchTerm) {
+  if (!searchTerm) return fileData;
+
+  // kick off Fuse load in the background, but don't await
+  lazyLoadFuse().catch(() => { /* ignore */ });
+
+  // keys config (matches your original)
+  const fuseKeys = [
+    { name: 'name',      weight: 0.1 },
+    { name: 'uploader',  weight: 0.1 },
+    { name: 'tags.name', weight: 0.1 }
+  ];
+  if (window.advancedSearchEnabled) {
+    fuseKeys.push({ name: 'content', weight: 0.7 });
+  }
+
+  // If Fuse is present, use it right away (synchronous API)
+  if (window.Fuse) {
     const options = {
-      keys: keys,
+      keys: fuseKeys,
       threshold: 0.4,
       minMatchCharLength: 2,
       ignoreLocation: true
     };
-  
-    const fuse = new Fuse(fileData, options);
-    let results = fuse.search(searchTerm);
-    return results.map(result => result.item);
+    const fuse = new window.Fuse(fileData, options);
+    const results = fuse.search(searchTerm);
+    return results.map(r => r.item);
   }
+
+  // Fallback (first keystrokes before Fuse finishes loading):
+  // simple case-insensitive substring match on the same fields
+  const q = String(searchTerm).toLowerCase();
+  const hay = (v) => (v == null ? '' : String(v)).toLowerCase();
+  return fileData.filter(item => {
+    if (hay(item.name).includes(q)) return true;
+    if (hay(item.uploader).includes(q)) return true;
+    if (Array.isArray(item.tags) && item.tags.some(t => hay(t?.name).includes(q))) return true;
+    if (window.advancedSearchEnabled && hay(item.content).includes(q)) return true;
+    return false;
+  });
+}
   
   /**
    * View mode toggle
@@ -283,6 +471,7 @@ function wireSelectAll(fileListContent) {
   window.updateRowHighlight = updateRowHighlight;
   
   export async function loadFileList(folderParam) {
+    await initOnlyOfficeCaps(); 
     const reqId = ++__fileListReqSeq; // latest call wins
     const folder = folderParam || "root";
     const fileListContainer = document.getElementById("fileList");
@@ -473,6 +662,7 @@ function wireSelectAll(fileListContent) {
       }
       updateFileActionButtons();
       fileListContainer.style.visibility = "visible";
+
   
       // ----- FOLDERS NEXT (populate strip when ready; doesn't block rows) -----
       try {
@@ -637,9 +827,14 @@ function wireSelectAll(fileListContent) {
     if (totalFiles > 0) {
       filteredFiles.slice(startIndex, endIndex).forEach((file, idx) => {
         // Build row with a neutral base, then correct the links/preview below.
-        let rowHTML = buildFileTableRow(file, fakeBase);
         // Give the row an ID so we can patch attributes safely
-        rowHTML = rowHTML.replace("<tr", `<tr id="file-row-${encodeURIComponent(file.name)}-${startIndex + idx}"`);
+        const idSafe = encodeURIComponent(file.name) + "-" + (startIndex + idx);
+        let rowHTML = buildFileTableRow(file, fakeBase);
+        
+        // add row id + data-file-name, and ensure the name cell also has "name-cell"
+        rowHTML = rowHTML
+  .replace("<tr", `<tr id="file-row-${idSafe}" data-file-name="${escapeHTML(file.name)}"`)
+  .replace('class="file-name-cell"', 'class="file-name-cell name-cell"');
   
         let tagBadgesHTML = "";
         if (file.tags && file.tags.length > 0) {
@@ -649,9 +844,13 @@ function wireSelectAll(fileListContent) {
           });
           tagBadgesHTML += "</div>";
         }
-        rowsHTML += rowHTML.replace(/(<td class="file-name-cell">)(.*?)(<\/td>)/, (match, p1, p2, p3) => {
-          return p1 + p2 + tagBadgesHTML + p3;
-        });
+        rowsHTML += rowHTML.replace(
+          /(<td\s+class="[^"]*\bfile-name-cell\b[^"]*">)([\s\S]*?)(<\/td>)/,
+          (m, open, inner, close) => {
+            // keep the original filename content, then add your tag badges, then close
+            return `${open}<span class="filename-text">${inner}</span>${tagBadgesHTML}${close}`;
+          }
+        );
       });
     } else {
       rowsHTML += `<tr><td colspan="8">No files found.</td></tr>`;
@@ -750,7 +949,7 @@ function wireSelectAll(fileListContent) {
     fileListContent.querySelectorAll(".edit-btn").forEach(btn => {
       btn.addEventListener("click", async e => {
         e.stopPropagation();
-        const m = await import('./fileEditor.js');
+        const m = await import('./fileEditor.js?v={{APP_QVER}}');
         m.editFile(btn.dataset.editName, btn.dataset.editFolder);
       });
     });
@@ -759,7 +958,7 @@ function wireSelectAll(fileListContent) {
     fileListContent.querySelectorAll(".rename-btn").forEach(btn => {
       btn.addEventListener("click", async e => {
         e.stopPropagation();
-        const m = await import('./fileActions.js');
+        const m = await import('./fileActions.js?v={{APP_QVER}}');
         m.renameFile(btn.dataset.renameName, btn.dataset.renameFolder);
       });
     });
@@ -768,7 +967,7 @@ function wireSelectAll(fileListContent) {
     fileListContent.querySelectorAll(".preview-btn").forEach(btn => {
       btn.addEventListener("click", async e => {
         e.stopPropagation();
-        const m = await import('./filePreview.js');
+        const m = await import('./filePreview.js?v={{APP_QVER}}');
         m.previewFile(btn.dataset.previewUrl, btn.dataset.previewName);
       });
     });
@@ -822,16 +1021,17 @@ function wireSelectAll(fileListContent) {
         const fileName = this.getAttribute("data-file");
         const file = fileData.find(f => f.name === fileName);
         if (file) {
-          import('./filePreview.js').then(module => {
+          import('./filePreview.js?v={{APP_QVER}}').then(module => {
             module.openShareModal(file, folder);
           });
         }
       });
     });
     updateFileActionButtons();
+    
     document.querySelectorAll("#fileList tbody tr").forEach(row => {
       row.setAttribute("draggable", "true");
-      import('./fileDragDrop.js').then(module => {
+      import('./fileDragDrop.js?v={{APP_QVER}}').then(module => {
         row.addEventListener("dragstart", module.fileDragStartHandler);
       });
     });
@@ -839,6 +1039,7 @@ function wireSelectAll(fileListContent) {
       btn.addEventListener("click", e => e.stopPropagation());
     });
     bindFileListContextMenu();
+    refreshViewedBadges(folder).catch(() => {});
   }
   
   // A helper to compute the max image height based on the current column count.
@@ -965,6 +1166,7 @@ function wireSelectAll(fileListContent) {
       // card with checkbox, preview, info, buttons
       galleryHTML += `
         <div class="gallery-card"
+             data-file-name="${escapeHTML(file.name)}"
              style="position:relative; border:1px solid #ccc; padding:5px; text-align:center;">
           <input type="checkbox"
                  class="file-checkbox"
@@ -1085,7 +1287,7 @@ function wireSelectAll(fileListContent) {
     // preview clicks (dynamic import to avoid global dependency)
     fileListContent.querySelectorAll(".gallery-preview").forEach(el => {
       el.addEventListener("click", async () => {
-        const m = await import('./filePreview.js');
+        const m = await import('./filePreview.js?v={{APP_QVER}}');
         m.previewFile(el.dataset.previewUrl, el.dataset.previewName);
       });
     });
@@ -1102,7 +1304,7 @@ function wireSelectAll(fileListContent) {
     fileListContent.querySelectorAll(".edit-btn").forEach(btn => {
       btn.addEventListener("click", async e => {
         e.stopPropagation();
-        const m = await import('./fileEditor.js');
+        const m = await import('./fileEditor.js?v={{APP_QVER}}');
         m.editFile(btn.dataset.editName, btn.dataset.editFolder);
       });
     });
@@ -1111,7 +1313,7 @@ function wireSelectAll(fileListContent) {
     fileListContent.querySelectorAll(".rename-btn").forEach(btn => {
       btn.addEventListener("click", async e => {
         e.stopPropagation();
-        const m = await import('./fileActions.js');
+        const m = await import('./fileActions.js?v={{APP_QVER}}');
         m.renameFile(btn.dataset.renameName, btn.dataset.renameFolder);
       });
     });
@@ -1123,7 +1325,7 @@ function wireSelectAll(fileListContent) {
         const fileName = btn.dataset.file;
         const fileObj = fileData.find(f => f.name === fileName);
         if (fileObj) {
-          import('./filePreview.js').then(m => m.openShareModal(fileObj, folder));
+          import('./filePreview.js?v={{APP_QVER}}').then(m => m.openShareModal(fileObj, folder));
         }
       });
     });
@@ -1161,7 +1363,7 @@ function wireSelectAll(fileListContent) {
       if (window.viewMode === "gallery") renderGalleryView(folder);
       else renderFileTable(folder);
     };
-  
+    refreshViewedBadges(folder).catch(() => {});
     updateFileActionButtons();
     createViewToggleButton();
   }
@@ -1273,46 +1475,34 @@ function wireSelectAll(fileListContent) {
     if (!fileName || typeof fileName !== "string") return false;
     const dot = fileName.lastIndexOf(".");
     if (dot < 0) return false;
-  
     const ext = fileName.slice(dot + 1).toLowerCase();
   
-    const allowedExtensions = [
-      "txt", "text", "md", "markdown", "rst",
-      "html", "htm", "xhtml", "shtml",
-      "css", "scss", "sass", "less",
-      "js", "mjs", "cjs", "jsx",
-      "ts", "tsx",
-      "json", "jsonc", "ndjson",
-      "yml", "yaml", "toml", "xml", "plist",
-      "ini", "conf", "config", "cfg", "cnf", "properties", "props", "rc",
-      "env", "dotenv",
-      "csv", "tsv", "tab",
+    // Your CodeMirror text-based types
+    const textEditExts = new Set([
+      "txt","text","md","markdown","rst",
+      "html","htm","xhtml","shtml",
+      "css","scss","sass","less",
+      "js","mjs","cjs","jsx",
+      "ts","tsx",
+      "json","jsonc","ndjson",
+      "yml","yaml","toml","xml","plist",
+      "ini","conf","config","cfg","cnf","properties","props","rc",
+      "env","dotenv",
+      "csv","tsv","tab",
       "log",
-      "sh", "bash", "zsh", "ksh", "fish",
-      "bat", "cmd",
-      "ps1", "psm1", "psd1",
-      "py", "pyw",
-      "rb",
-      "pl", "pm",
-      "go",
-      "rs",
-      "java",
-      "kt", "kts",
-      "scala", "sc",
-      "groovy", "gradle",
-      "c", "h", "cpp", "cxx", "cc", "hpp", "hh", "hxx",
-      "m", "mm",
-      "swift",
-      "cs", "fs", "fsx",
-      "dart",
-      "lua",
-      "r", "rmd",
-      "sql",
-      "vue", "svelte",
-      "twig", "mustache", "hbs", "handlebars", "ejs", "pug", "jade"
-    ];
+      "sh","bash","zsh","ksh","fish",
+      "bat","cmd",
+      "ps1","psm1","psd1",
+      "py","pyw","rb","pl","pm","go","rs","java","kt","kts",
+      "scala","sc","groovy","gradle",
+      "c","h","cpp","cxx","cc","hpp","hh","hxx",
+      "m","mm","swift","cs","fs","fsx","dart","lua","r","rmd",
+      "sql","vue","svelte","twig","mustache","hbs","handlebars","ejs","pug","jade"
+    ]);
   
-    return allowedExtensions.includes(ext);
+    if (textEditExts.has(ext)) return true;            // CodeMirror
+    if (OO_ENABLED && OO_EXTS.has(ext)) return true;   // ONLYOFFICE types if enabled
+    return false;
   }
   
   // Expose global functions for pagination and preview.

public/js/fileManager.js

@@ -1,10 +1,10 @@
 // fileManager.js
-import './fileListView.js';
-import './filePreview.js';
-import './fileEditor.js';
-import './fileDragDrop.js';
-import './fileMenu.js';
-import { initFileActions } from './fileActions.js';
+import './fileListView.js?v={{APP_QVER}}';
+import './filePreview.js?v={{APP_QVER}}';
+import './fileEditor.js?v={{APP_QVER}}';
+import './fileDragDrop.js?v={{APP_QVER}}';
+import './fileMenu.js?v={{APP_QVER}}';
+import { initFileActions } from './fileActions.js?v={{APP_QVER}}';
 
 // Initialize file action buttons.
 document.addEventListener("DOMContentLoaded", function () {
@@ -14,7 +14,7 @@ document.addEventListener("DOMContentLoaded", function () {
 // Attach folder drag-and-drop support for folder tree nodes.
 document.addEventListener("DOMContentLoaded", function () {
   document.querySelectorAll(".folder-option").forEach(el => {
-    import('./fileDragDrop.js').then(module => {
+    import('./fileDragDrop.js?v={{APP_QVER}}').then(module => {
       el.addEventListener("dragover", module.folderDragOverHandler);
       el.addEventListener("dragleave", module.folderDragLeaveHandler);
       el.addEventListener("drop", module.folderDropHandler);
@@ -32,7 +32,7 @@ document.addEventListener("keydown", function(e) {
     const selectedCheckboxes = document.querySelectorAll("#fileList .file-checkbox:checked");
     if (selectedCheckboxes.length > 0) {
       e.preventDefault();
-      import('./fileActions.js').then(module => {
+      import('./fileActions.js?v={{APP_QVER}}').then(module => {
         module.handleDeleteSelected(new Event("click"));
       });
     }

public/js/fileMenu.js

@@ -1,11 +1,11 @@
 // fileMenu.js
-import { updateRowHighlight, showToast } from './domUtils.js';
-import { handleDeleteSelected, handleCopySelected, handleMoveSelected, handleDownloadZipSelected, handleExtractZipSelected, renameFile, openCreateFileModal } from './fileActions.js';
-import { previewFile } from './filePreview.js';
-import { editFile } from './fileEditor.js';
-import { canEditFile, fileData } from './fileListView.js';
-import { openTagModal, openMultiTagModal } from './fileTags.js';
-import { t } from './i18n.js';
+import { updateRowHighlight, showToast } from './domUtils.js?v={{APP_QVER}}';
+import { handleDeleteSelected, handleCopySelected, handleMoveSelected, handleDownloadZipSelected, handleExtractZipSelected, renameFile, openCreateFileModal } from './fileActions.js?v={{APP_QVER}}';
+import { previewFile, buildPreviewUrl } from './filePreview.js?v={{APP_QVER}}';
+import { editFile } from './fileEditor.js?v={{APP_QVER}}';
+import { canEditFile, fileData } from './fileListView.js?v={{APP_QVER}}';
+import { openTagModal, openMultiTagModal } from './fileTags.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
 
 export function showFileContextMenu(x, y, menuItems) {
   let menu = document.getElementById("fileContextMenu");
@@ -39,11 +39,11 @@ export function showFileContextMenu(x, y, menuItems) {
     });
     menu.appendChild(menuItem);
   });
-  
+
   menu.style.left = x + "px";
   menu.style.top = y + "px";
   menu.style.display = "block";
-  
+
   const menuRect = menu.getBoundingClientRect();
   const viewportHeight = window.innerHeight;
   if (menuRect.bottom > viewportHeight) {
@@ -62,7 +62,7 @@ export function hideFileContextMenu() {
 
 export function fileListContextMenuHandler(e) {
   e.preventDefault();
-  
+
   let row = e.target.closest("tr");
   if (row) {
     const checkbox = row.querySelector(".file-checkbox");
@@ -71,9 +71,9 @@ export function fileListContextMenuHandler(e) {
       updateRowHighlight(checkbox);
     }
   }
-  
+
   const selected = Array.from(document.querySelectorAll("#fileList .file-checkbox:checked")).map(chk => chk.value);
-  
+
   let menuItems = [
     { label: t("create_file"), action: () => openCreateFileModal() },
     { label: t("delete_selected"), action: () => { handleDeleteSelected(new Event("click")); } },
@@ -81,14 +81,14 @@ export function fileListContextMenuHandler(e) {
     { label: t("move_selected"), action: () => { handleMoveSelected(new Event("click")); } },
     { label: t("download_zip"), action: () => { handleDownloadZipSelected(new Event("click")); } }
   ];
-  
+
   if (selected.some(name => name.toLowerCase().endsWith(".zip"))) {
     menuItems.push({
       label: t("extract_zip"),
       action: () => { handleExtractZipSelected(new Event("click")); }
     });
   }
-  
+
   if (selected.length > 1) {
     menuItems.push({
       label: t("tag_selected"),
@@ -100,36 +100,33 @@ export function fileListContextMenuHandler(e) {
   }
   else if (selected.length === 1) {
     const file = fileData.find(f => f.name === selected[0]);
-    
+
     menuItems.push({
       label: t("preview"),
       action: () => {
         const folder = window.currentFolder || "root";
-        const folderPath = folder === "root"
-          ? "uploads/"
-          : "uploads/" + folder.split("/").map(encodeURIComponent).join("/") + "/";
-        previewFile(folderPath + encodeURIComponent(file.name) + "?t=" + new Date().getTime(), file.name);
+        previewFile(buildPreviewUrl(folder, file.name), file.name);
       }
     });
-    
+
     if (canEditFile(file.name)) {
       menuItems.push({
         label: t("edit"),
         action: () => { editFile(selected[0], window.currentFolder); }
       });
     }
-    
+
     menuItems.push({
       label: t("rename"),
       action: () => { renameFile(selected[0], window.currentFolder); }
     });
-    
+
     menuItems.push({
       label: t("tag_file"),
       action: () => { openTagModal(file); }
     });
   }
-  
+
   showFileContextMenu(e.clientX, e.clientY, menuItems);
 }
 
@@ -140,7 +137,7 @@ export function bindFileListContextMenu() {
   }
 }
 
-document.addEventListener("click", function(e) {
+document.addEventListener("click", function (e) {
   const menu = document.getElementById("fileContextMenu");
   if (menu && menu.style.display === "block") {
     hideFileContextMenu();
@@ -148,9 +145,9 @@ document.addEventListener("click", function(e) {
 });
 
 // Rebind context menu after file table render.
-(function() {
+(function () {
   const originalRenderFileTable = window.renderFileTable;
-  window.renderFileTable = function(folder) {
+  window.renderFileTable = function (folder) {
     originalRenderFileTable(folder);
     bindFileListContextMenu();
   };

public/js/filePreview.js

@@ -1,14 +1,19 @@
 // filePreview.js
-import { escapeHTML, showToast } from './domUtils.js';
-import { fileData } from './fileListView.js';
-import { t } from './i18n.js';
+import { escapeHTML, showToast } from './domUtils.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
+import { fileData, setFileProgressBadge, setFileWatchedBadge } from './fileListView.js?v={{APP_QVER}}';
 
+// Build a preview URL that always goes through the API layer (respects ACLs/UPLOAD_DIR)
+export function buildPreviewUrl(folder, name) {
+  const f = (!folder || folder === '') ? 'root' : String(folder);
+  return `/api/file/download.php?folder=${encodeURIComponent(f)}&file=${encodeURIComponent(name)}&inline=1&t=${Date.now()}`;
+}
+
+/* -------------------------------- Share modal (existing) -------------------------------- */
 export function openShareModal(file, folder) {
-  // Remove any existing modal
   const existing = document.getElementById("shareModal");
   if (existing) existing.remove();
 
-  // Build the modal
   const modal = document.createElement("div");
   modal.id = "shareModal";
   modal.classList.add("modal");
@@ -45,18 +50,9 @@ export function openShareModal(file, folder) {
         </div>
 
         <p style="margin-top:15px;">${t("password_optional")}</p>
-        <input
-          type="text"
-          id="sharePassword"
-          placeholder="${t("password_optional")}"
-          style="width:100%;padding:5px;"
-        />
+        <input type="text" id="sharePassword" placeholder="${t("password_optional")}" style="width:100%;padding:5px;"/>
 
-        <button
-          id="generateShareLinkBtn"
-          class="btn btn-primary"
-          style="margin-top:15px;"
-        >
+        <button id="generateShareLinkBtn" class="btn btn-primary" style="margin-top:15px;">
           ${t("generate_share_link")}
         </button>
 
@@ -73,48 +69,32 @@ export function openShareModal(file, folder) {
   document.body.appendChild(modal);
   modal.style.display = "block";
 
-  // Close handler
-  document.getElementById("closeShareModal")
-    .addEventListener("click", () => modal.remove());
+  document.getElementById("closeShareModal").addEventListener("click", () => modal.remove());
+  document.getElementById("shareExpiration").addEventListener("change", e => {
+    const container = document.getElementById("customExpirationContainer");
+    container.style.display = e.target.value === "custom" ? "block" : "none";
+  });
 
-  // Show/hide custom-duration inputs
-  document.getElementById("shareExpiration")
-    .addEventListener("change", e => {
-      const container = document.getElementById("customExpirationContainer");
-      container.style.display = e.target.value === "custom" ? "block" : "none";
-    });
+  document.getElementById("generateShareLinkBtn").addEventListener("click", () => {
+    const sel = document.getElementById("shareExpiration");
+    let value, unit;
 
-  // Generate share link
-  document.getElementById("generateShareLinkBtn")
-    .addEventListener("click", () => {
-      const sel = document.getElementById("shareExpiration");
-      let value, unit;
+    if (sel.value === "custom") {
+      value = parseInt(document.getElementById("customExpirationValue").value, 10);
+      unit = document.getElementById("customExpirationUnit").value;
+    } else {
+      value = parseInt(sel.value, 10);
+      unit = "minutes";
+    }
 
-      if (sel.value === "custom") {
-        value = parseInt(document.getElementById("customExpirationValue").value, 10);
-        unit  = document.getElementById("customExpirationUnit").value;
-      } else {
-        value = parseInt(sel.value, 10);
-        unit  = "minutes";
-      }
+    const password = document.getElementById("sharePassword").value;
 
-      const password = document.getElementById("sharePassword").value;
-
-      fetch("/api/file/createShareLink.php", {
-        method: "POST",
-        credentials: "include",
-        headers: {
-          "Content-Type": "application/json",
-          "X-CSRF-Token": window.csrfToken
-        },
-        body: JSON.stringify({
-          folder,
-          file: file.name,
-          expirationValue: value,
-          expirationUnit: unit,
-          password
-        })
-      })
+    fetch("/api/file/createShareLink.php", {
+      method: "POST",
+      credentials: "include",
+      headers: { "Content-Type": "application/json", "X-CSRF-Token": window.csrfToken },
+      body: JSON.stringify({ folder, file: file.name, expirationValue: value, expirationUnit: unit, password })
+    })
       .then(res => res.json())
       .then(data => {
         if (data.token) {
@@ -122,349 +102,491 @@ export function openShareModal(file, folder) {
           document.getElementById("shareLinkInput").value = url;
           document.getElementById("shareLinkDisplay").style.display = "block";
         } else {
-          showToast(t("error_generating_share") + ": " + (data.error||"Unknown"));
+          showToast(t("error_generating_share") + ": " + (data.error || "Unknown"));
         }
       })
       .catch(err => {
         console.error(err);
         showToast(t("error_generating_share"));
       });
-    });
+  });
 
-  // Copy to clipboard
-  document.getElementById("copyShareLinkBtn")
-    .addEventListener("click", () => {
-      const input = document.getElementById("shareLinkInput");
-      input.select();
-      document.execCommand("copy");
-      showToast(t("link_copied"));
-    });
+  document.getElementById("copyShareLinkBtn").addEventListener("click", () => {
+    const input = document.getElementById("shareLinkInput");
+    input.select();
+    document.execCommand("copy");
+    showToast(t("link_copied"));
+  });
 }
 
-export function previewFile(fileUrl, fileName) {
-  let modal = document.getElementById("filePreviewModal");
-  if (!modal) {
-    modal = document.createElement("div");
-    modal.id = "filePreviewModal";
-    Object.assign(modal.style, {
-      position: "fixed",
-      top: "0",
-      left: "0",
-      width: "100vw",
-      height: "100vh",
-      backgroundColor: "rgba(0,0,0,0.7)",
-      display: "flex",
-      justifyContent: "center",
-      alignItems: "center",
-      zIndex: "1000"
-    });
-    modal.innerHTML = `
-      <div class="modal-content image-preview-modal-content" style="position: relative; max-width: 90vw; max-height: 90vh;">
-        <span id="closeFileModal" class="close-image-modal" style="position: absolute; top: 10px; right: 10px; font-size: 24px; cursor: pointer;">&times;</span>
-        <h4 class="image-modal-header"></h4>
-        <div class="file-preview-container" style="position: relative; text-align: center;"></div>
-      </div>`;
-    document.body.appendChild(modal);
+/* -------------------------------- Media modal viewer -------------------------------- */
+const IMG_RE = /\.(jpg|jpeg|png|gif|bmp|webp|svg|ico)$/i;
+const VID_RE = /\.(mp4|mkv|webm|mov|ogv)$/i;
+const AUD_RE = /\.(mp3|wav|m4a|ogg|flac|aac|wma|opus)$/i;
 
-    function closeModal() {
-      const mediaElements = modal.querySelectorAll("video, audio");
-      mediaElements.forEach(media => {
-        media.pause();
-        if (media.tagName.toLowerCase() !== 'video') {
-          try { media.currentTime = 0; } catch (e) { }
-        }
-      });
-      modal.remove();
-    }
+function ensureMediaModal() {
+  let overlay = document.getElementById("filePreviewModal");
+  if (overlay) return overlay;
 
-    document.getElementById("closeFileModal").addEventListener("click", closeModal);
-    modal.addEventListener("click", function (e) {
-      if (e.target === modal) {
-        closeModal();
-      }
-    });
+  overlay = document.createElement("div");
+  overlay.id = "filePreviewModal";
+  Object.assign(overlay.style, {
+    position: "fixed",
+    inset: "0",
+    width: "100vw",
+    height: "100vh",
+    backgroundColor: "rgba(0,0,0,0.7)",
+    display: "flex",
+    justifyContent: "center",
+    alignItems: "center",
+    zIndex: "1000"
+  });
+
+  const root   = document.documentElement;
+  const styles = getComputedStyle(root);
+  const isDark = root.classList.contains('dark-mode');
+  const panelBg = styles.getPropertyValue('--panel-bg').trim() || styles.getPropertyValue('--bg-color').trim() || (isDark ? '#121212' : '#ffffff');
+  const textCol = styles.getPropertyValue('--text-color').trim() || (isDark ? '#eaeaea' : '#111111');
+
+  const navBg     = isDark ? 'rgba(255,255,255,.28)' : 'rgba(0,0,0,.45)';
+  const navFg     = '#fff';
+  const navBorder = isDark ? 'rgba(255,255,255,.35)' : 'rgba(0,0,0,.25)';
+
+  overlay.innerHTML = `
+    <div class="modal-content media-modal" style="
+      position: relative;
+      max-width: 92vw;
+      max-height: 92vh;
+      width: 92vw;
+      box-sizing: border-box;
+      padding: 12px;
+      background: ${panelBg};
+      color: ${textCol};
+      overflow: hidden;
+      border-radius: 10px;
+    ">
+      <div class="media-stage" style="position:relative; display:flex; align-items:center; justify-content:center; height: calc(92vh - 8px);">
+        <!-- filename badge (top-left) -->
+        <div class="media-title-badge" style="
+          position:absolute; top:8px; left:12px; max-width:60vw;
+          padding:4px 10px; border-radius:10px;
+          background: ${isDark ? 'rgba(0,0,0,.55)' : 'rgba(255,255,255,.65)'};
+          color: ${isDark ? '#fff' : '#111'};
+          font-weight:600; font-size:13px; line-height:1.3; white-space:nowrap; overflow:hidden; text-overflow:ellipsis; z-index:1002;">
+        </div>
+
+        <!-- top-right actions row (aligned with your X at top:10px) -->
+        <div class="media-actions-bar" style="
+          position:absolute; top:10px; right:56px; display:flex; gap:6px; align-items:center; z-index:1002;">
+          <span class="status-chip" style="
+            display:none; padding:4px 8px; border-radius:999px; font-size:12px; line-height:1;
+            border:1px solid rgba(250,204,21,.45); background:rgba(250,204,21,.15); color:#facc15;"></span>
+          <div class="action-group" style="display:flex; gap:6px;"></div>
+        </div>
+
+        <!-- your absolute close X -->
+        <span id="closeFileModal" class="close-image-modal" title="${t('close')}">&times;</span>
+
+        <!-- centered media -->
+        <div class="file-preview-container" style="position:relative; text-align:center; flex:1; min-width:0;"></div>
+
+        <!-- high-contrast prev/next -->
+        <button class="nav-left"  aria-label="${t('previous')||'Previous'}" style="
+          position:absolute; left:8px; top:50%; transform:translateY(-50%);
+          height:56px; min-width:44px; padding:0 12px; font-size:42px; line-height:1;
+          background:${navBg}; color:${navFg}; border:1px solid ${navBorder};
+          text-shadow: 0 1px 2px rgba(0,0,0,.6);
+          border-radius:12px; cursor:pointer; display:none; z-index:1001; backdrop-filter: blur(2px);
+          box-shadow: 0 2px 8px rgba(0,0,0,.35);">‹</button>
+        <button class="nav-right" aria-label="${t('next')||'Next'}" style="
+          position:absolute; right:8px; top:50%; transform:translateY(-50%);
+          height:56px; min-width:44px; padding:0 12px; font-size:42px; line-height:1;
+          background:${navBg}; color:${navFg}; border:1px solid ${navBorder};
+          text-shadow: 0 1px 2px rgba(0,0,0,.6);
+          border-radius:12px; cursor:pointer; display:none; z-index:1001; backdrop-filter: blur(2px);
+          box-shadow: 0 2px 8px rgba(0,0,0,.35);">›</button>
+      </div>
+    </div>`;
+
+  document.body.appendChild(overlay);
+
+  function closeModal() {
+    try { overlay.querySelectorAll("video,audio").forEach(m => { try{m.pause()}catch(_){}}); } catch {}
+    if (overlay._onKey) window.removeEventListener('keydown', overlay._onKey);
+    overlay.remove();
   }
-  modal.querySelector("h4").textContent = fileName;
-  const container = modal.querySelector(".file-preview-container");
-  container.innerHTML = "";
+  overlay.querySelector("#closeFileModal").addEventListener("click", closeModal);
+  overlay.addEventListener("click", (e) => { if (e.target === overlay) closeModal(); });
 
-  const extension = fileName.split('.').pop().toLowerCase();
-  const isImage = /\.(jpg|jpeg|png|gif|bmp|webp|svg|ico)$/i.test(fileName);
+  return overlay;
+}
+
+function setTitle(overlay, name) {
+  const el = overlay.querySelector('.media-title-badge');
+  if (el) el.textContent = name || '';
+}
+
+function makeMI(name, title) {
+  const b = document.createElement('button');
+  b.className = `material-icons ${name}`;
+  b.textContent = name; // Material Icons font
+  b.title = title;
+  Object.assign(b.style, {
+    width: "32px",
+    height: "32px",
+    display: "flex",
+    alignItems: "center",
+    justifyContent: "center",
+    background: "rgba(0,0,0,.25)",
+    border: "1px solid rgba(255,255,255,.25)",
+    cursor: "pointer",
+    userSelect: "none",
+    fontSize: "20px",
+    padding: "0",
+    borderRadius: "8px",
+    color: "#fff",
+    lineHeight: "1"
+  });
+  return b;
+}
+
+function setNavVisibility(overlay, showPrev, showNext) {
+  const prev = overlay.querySelector('.nav-left');
+  const next = overlay.querySelector('.nav-right');
+  prev.style.display = showPrev ? 'inline-flex' : 'none';
+  next.style.display = showNext ? 'inline-flex' : 'none';
+}
+
+function setRowWatchedBadge(name, watched) {
+  try {
+    const cell = document.querySelector(`tr[data-file-name="${CSS.escape(name)}"] .name-cell`);
+    if (!cell) return;
+    const old = cell.querySelector('.status-badge.watched');
+    if (watched) {
+      if (!old) {
+        const b = document.createElement('span');
+        b.className = 'status-badge watched';
+        b.textContent = t("watched") || t("viewed") || "Watched";
+        b.style.marginLeft = "6px";
+        cell.appendChild(b);
+      }
+    } else if (old) {
+      old.remove();
+    }
+  } catch {}
+}
+
+/* -------------------------------- Entry -------------------------------- */
+export function previewFile(fileUrl, fileName) {
+  const overlay    = ensureMediaModal();
+  const container  = overlay.querySelector(".file-preview-container");
+  const actionWrap = overlay.querySelector(".media-actions-bar .action-group");
+  const statusChip = overlay.querySelector(".media-actions-bar .status-chip");
+
+  // replace nav buttons to clear old listeners
+  let prevBtn = overlay.querySelector('.nav-left');
+  let nextBtn = overlay.querySelector('.nav-right');
+  const newPrev = prevBtn.cloneNode(true);
+  const newNext = nextBtn.cloneNode(true);
+  prevBtn.replaceWith(newPrev);
+  nextBtn.replaceWith(newNext);
+  prevBtn = newPrev; nextBtn = newNext;
+
+  // reset
+  container.innerHTML = "";
+  actionWrap.innerHTML = "";
+  if (statusChip) statusChip.style.display = 'none';
+  if (overlay._onKey) window.removeEventListener('keydown', overlay._onKey);
+  overlay._onKey = null;
+
+  const folder = window.currentFolder || 'root';
+  const name   = fileName;
+  const lower  = (name || '').toLowerCase();
+  const isImage = IMG_RE.test(lower);
+  const isVideo = VID_RE.test(lower);
+  const isAudio = AUD_RE.test(lower);
+
+  setTitle(overlay, name);
+
+  /* -------------------- IMAGES -------------------- */
   if (isImage) {
-    // Create the image element with default transform data.
     const img = document.createElement("img");
     img.src = fileUrl;
     img.className = "image-modal-img";
-    img.style.maxWidth = "80vw";
-    img.style.maxHeight = "80vh";
+    img.style.maxWidth  = "88vw";
+    img.style.maxHeight = "88vh";
     img.style.transition = "transform 0.3s ease";
     img.dataset.scale = 1;
     img.dataset.rotate = 0;
-    img.style.position = 'relative';
-    img.style.zIndex = '1';
+    container.appendChild(img);
 
-    // Filter gallery images for navigation.
-    const images = fileData.filter(file => /\.(jpg|jpeg|png|gif|bmp|webp|svg|ico)$/i.test(file.name));
+    const zoomInBtn   = makeMI('zoom_in',      t('zoom_in')       || 'Zoom In');
+    const zoomOutBtn  = makeMI('zoom_out',     t('zoom_out')      || 'Zoom Out');
+    const rotateLeft  = makeMI('rotate_left',  t('rotate_left')   || 'Rotate Left');
+    const rotateRight = makeMI('rotate_right', t('rotate_right')  || 'Rotate Right');
+    actionWrap.appendChild(zoomInBtn);
+    actionWrap.appendChild(zoomOutBtn);
+    actionWrap.appendChild(rotateLeft);
+    actionWrap.appendChild(rotateRight);
 
-    // Create a flex wrapper to hold left panel, center image, and right panel.
-    const wrapper = document.createElement('div');
-    wrapper.className = 'image-wrapper';
-    wrapper.style.display = 'flex';
-    wrapper.style.alignItems = 'center';
-    wrapper.style.justifyContent = 'center';
-    wrapper.style.position = 'relative';
+    zoomInBtn.addEventListener('click', (e) => {
+      e.stopPropagation();
+      let s = parseFloat(img.dataset.scale) || 1; s += 0.1;
+      img.dataset.scale = s;
+      img.style.transform = `scale(${s}) rotate(${img.dataset.rotate}deg)`;
+    });
+    zoomOutBtn.addEventListener('click', (e) => {
+      e.stopPropagation();
+      let s = parseFloat(img.dataset.scale) || 1; s = Math.max(0.1, s - 0.1);
+      img.dataset.scale = s;
+      img.style.transform = `scale(${s}) rotate(${img.dataset.rotate}deg)`;
+    });
+    rotateLeft.addEventListener('click', (e) => {
+      e.stopPropagation();
+      let r = parseFloat(img.dataset.rotate) || 0; r = (r - 90 + 360) % 360;
+      img.dataset.rotate = r;
+      img.style.transform = `scale(${img.dataset.scale}) rotate(${r}deg)`;
+    });
+    rotateRight.addEventListener('click', (e) => {
+      e.stopPropagation();
+      let r = parseFloat(img.dataset.rotate) || 0; r = (r + 90) % 360;
+      img.dataset.rotate = r;
+      img.style.transform = `scale(${img.dataset.scale}) rotate(${r}deg)`;
+    });
 
-    // --- Left Panel: Contains Zoom controls (top) and Prev button (bottom) ---
-    const leftPanel = document.createElement('div');
-    leftPanel.className = 'left-panel';
-    leftPanel.style.display = 'flex';
-    leftPanel.style.flexDirection = 'column';
-    leftPanel.style.justifyContent = 'space-between';
-    leftPanel.style.alignItems = 'center';
-    leftPanel.style.width = '60px';
-    leftPanel.style.height = '100%';
-    leftPanel.style.zIndex = '10';
+    const images = (Array.isArray(fileData) ? fileData : []).filter(f => IMG_RE.test(f.name));
+    overlay.mediaType  = 'image';
+    overlay.mediaList  = images;
+    overlay.mediaIndex = Math.max(0, images.findIndex(f => f.name === name));
+    setNavVisibility(overlay, images.length > 1, images.length > 1);
 
-    // Top container for zoom buttons.
-    const leftTop = document.createElement('div');
-    leftTop.style.display = 'flex';
-    leftTop.style.flexDirection = 'column';
-    leftTop.style.gap = '4px';
-    // Zoom In button.
-    const zoomInBtn = document.createElement('button');
-    zoomInBtn.className = 'material-icons zoom_in';
-    zoomInBtn.title = 'Zoom In';
-    zoomInBtn.style.background = 'transparent';
-    zoomInBtn.style.border = 'none';
-    zoomInBtn.style.cursor = 'pointer';
-    zoomInBtn.textContent = 'zoom_in';
-    // Zoom Out button.
-    const zoomOutBtn = document.createElement('button');
-    zoomOutBtn.className = 'material-icons zoom_out';
-    zoomOutBtn.title = 'Zoom Out';
-    zoomOutBtn.style.background = 'transparent';
-    zoomOutBtn.style.border = 'none';
-    zoomOutBtn.style.cursor = 'pointer';
-    zoomOutBtn.textContent = 'zoom_out';
-    leftTop.appendChild(zoomInBtn);
-    leftTop.appendChild(zoomOutBtn);
-    leftPanel.appendChild(leftTop);
+    const navigate = (dir) => {
+      if (!overlay.mediaList || overlay.mediaList.length < 2) return;
+      overlay.mediaIndex = (overlay.mediaIndex + dir + overlay.mediaList.length) % overlay.mediaList.length;
+      const newFile = overlay.mediaList[overlay.mediaIndex].name;
+      setTitle(overlay, newFile);
+      img.dataset.scale = 1;
+      img.dataset.rotate = 0;
+      img.style.transform = 'scale(1) rotate(0deg)';
+      img.src = buildPreviewUrl(folder, newFile);
+    };
 
-    // Bottom container for prev button.
-    const leftBottom = document.createElement('div');
-    leftBottom.style.display = 'flex';
-    leftBottom.style.justifyContent = 'center';
-    leftBottom.style.alignItems = 'center';
-    leftBottom.style.width = '100%';
     if (images.length > 1) {
-      const prevBtn = document.createElement("button");
-      prevBtn.textContent = "‹";
-      prevBtn.className = "gallery-nav-btn";
-      prevBtn.style.background = 'transparent';
-      prevBtn.style.border = 'none';
-      prevBtn.style.color = 'white';
-      prevBtn.style.fontSize = '48px';
-      prevBtn.style.cursor = 'pointer';
-      prevBtn.addEventListener("click", function (e) {
-        e.stopPropagation();
-        // Safety check:
-        if (!modal.galleryImages || modal.galleryImages.length === 0) return;
-        modal.galleryCurrentIndex = (modal.galleryCurrentIndex - 1 + modal.galleryImages.length) % modal.galleryImages.length;
-        let newFile = modal.galleryImages[modal.galleryCurrentIndex];
-        modal.querySelector("h4").textContent = newFile.name;
-        img.src = ((window.currentFolder === "root")
-          ? "uploads/"
-          : "uploads/" + window.currentFolder.split("/").map(encodeURIComponent).join("/") + "/")
-          + encodeURIComponent(newFile.name) + "?t=" + new Date().getTime();
-        // Reset transforms.
-        img.dataset.scale = 1;
-        img.dataset.rotate = 0;
-        img.style.transform = 'scale(1) rotate(0deg)';
-      });
-      leftBottom.appendChild(prevBtn);
-    } else {
-      // Insert an empty placeholder for consistent layout.
-      leftBottom.innerHTML = '&nbsp;';
+      prevBtn.addEventListener('click', (e) => { e.stopPropagation(); navigate(-1); });
+      nextBtn.addEventListener('click', (e) => { e.stopPropagation(); navigate(+1); });
+      const onKey = (e) => {
+        if (!document.body.contains(overlay)) { window.removeEventListener("keydown", onKey); return; }
+        if (e.key === "ArrowLeft")  navigate(-1);
+        if (e.key === "ArrowRight") navigate(+1);
+      };
+      window.addEventListener("keydown", onKey);
+      overlay._onKey = onKey;
     }
-    leftPanel.appendChild(leftBottom);
 
-    // --- Center Panel: Contains the image ---
-    const centerPanel = document.createElement('div');
-    centerPanel.className = 'center-image-container';
-    centerPanel.style.flexGrow = '1';
-    centerPanel.style.textAlign = 'center';
-    centerPanel.style.position = 'relative';
-    centerPanel.style.zIndex = '1';
-    centerPanel.appendChild(img);
+    overlay.style.display = "flex";
+    return;
+  }
 
-    // --- Right Panel: Contains Rotate controls (top) and Next button (bottom) ---
-    const rightPanel = document.createElement('div');
-    rightPanel.className = 'right-panel';
-    rightPanel.style.display = 'flex';
-    rightPanel.style.flexDirection = 'column';
-    rightPanel.style.justifyContent = 'space-between';
-    rightPanel.style.alignItems = 'center';
-    rightPanel.style.width = '60px';
-    rightPanel.style.height = '100%';
-    rightPanel.style.zIndex = '10';
-
-    // Top container for rotate buttons.
-    const rightTop = document.createElement('div');
-    rightTop.style.display = 'flex';
-    rightTop.style.flexDirection = 'column';
-    rightTop.style.gap = '4px';
-    // Rotate Left button.
-    const rotateLeftBtn = document.createElement('button');
-    rotateLeftBtn.className = 'material-icons rotate_left';
-    rotateLeftBtn.title = 'Rotate Left';
-    rotateLeftBtn.style.background = 'transparent';
-    rotateLeftBtn.style.border = 'none';
-    rotateLeftBtn.style.cursor = 'pointer';
-    rotateLeftBtn.textContent = 'rotate_left';
-    // Rotate Right button.
-    const rotateRightBtn = document.createElement('button');
-    rotateRightBtn.className = 'material-icons rotate_right';
-    rotateRightBtn.title = 'Rotate Right';
-    rotateRightBtn.style.background = 'transparent';
-    rotateRightBtn.style.border = 'none';
-    rotateRightBtn.style.cursor = 'pointer';
-    rotateRightBtn.textContent = 'rotate_right';
-    rightTop.appendChild(rotateLeftBtn);
-    rightTop.appendChild(rotateRightBtn);
-    rightPanel.appendChild(rightTop);
-
-    // Bottom container for next button.
-    const rightBottom = document.createElement('div');
-    rightBottom.style.display = 'flex';
-    rightBottom.style.justifyContent = 'center';
-    rightBottom.style.alignItems = 'center';
-    rightBottom.style.width = '100%';
-    if (images.length > 1) {
-      const nextBtn = document.createElement("button");
-      nextBtn.textContent = "›";
-      nextBtn.className = "gallery-nav-btn";
-      nextBtn.style.background = 'transparent';
-      nextBtn.style.border = 'none';
-      nextBtn.style.color = 'white';
-      nextBtn.style.fontSize = '48px';
-      nextBtn.style.cursor = 'pointer';
-      nextBtn.addEventListener("click", function (e) {
-        e.stopPropagation();
-        // Safety check:
-        if (!modal.galleryImages || modal.galleryImages.length === 0) return;
-        modal.galleryCurrentIndex = (modal.galleryCurrentIndex + 1) % modal.galleryImages.length;
-        let newFile = modal.galleryImages[modal.galleryCurrentIndex];
-        modal.querySelector("h4").textContent = newFile.name;
-        img.src = ((window.currentFolder === "root")
-          ? "uploads/"
-          : "uploads/" + window.currentFolder.split("/").map(encodeURIComponent).join("/") + "/")
-          + encodeURIComponent(newFile.name) + "?t=" + new Date().getTime();
-        // Reset transforms.
-        img.dataset.scale = 1;
-        img.dataset.rotate = 0;
-        img.style.transform = 'scale(1) rotate(0deg)';
-      });
-      rightBottom.appendChild(nextBtn);
-    } else {
-      // Insert a placeholder so that center remains properly aligned.
-      rightBottom.innerHTML = '&nbsp;';
-    }
-    rightPanel.appendChild(rightBottom);
-
-    // Assemble panels into the wrapper.
-    wrapper.appendChild(leftPanel);
-    wrapper.appendChild(centerPanel);
-    wrapper.appendChild(rightPanel);
-    container.appendChild(wrapper);
-
-    // --- Set up zoom controls event listeners ---
-    zoomInBtn.addEventListener('click', function (e) {
-      e.stopPropagation();
-      let scale = parseFloat(img.dataset.scale) || 1;
-      scale += 0.1;
-      img.dataset.scale = scale;
-      img.style.transform = 'scale(' + scale + ') rotate(' + img.dataset.rotate + 'deg)';
-    });
-    zoomOutBtn.addEventListener('click', function (e) {
-      e.stopPropagation();
-      let scale = parseFloat(img.dataset.scale) || 1;
-      scale = Math.max(0.1, scale - 0.1);
-      img.dataset.scale = scale;
-      img.style.transform = 'scale(' + scale + ') rotate(' + img.dataset.rotate + 'deg)';
-    });
-
-    // Attach rotation control listeners (always present now).
-    rotateLeftBtn.addEventListener('click', function (e) {
-      e.stopPropagation();
-      let rotate = parseFloat(img.dataset.rotate) || 0;
-      rotate = (rotate - 90 + 360) % 360;
-      img.dataset.rotate = rotate;
-      img.style.transform = 'scale(' + img.dataset.scale + ') rotate(' + rotate + 'deg)';
-    });
-    rotateRightBtn.addEventListener('click', function (e) {
-      e.stopPropagation();
-      let rotate = parseFloat(img.dataset.rotate) || 0;
-      rotate = (rotate + 90) % 360;
-      img.dataset.rotate = rotate;
-      img.style.transform = 'scale(' + img.dataset.scale + ') rotate(' + rotate + 'deg)';
-    });
-
-    // Save gallery details if there is more than one image.
-    if (images.length > 1) {
-      modal.galleryImages = images;
-      modal.galleryCurrentIndex = images.findIndex(f => f.name === fileName);
-    }
-  } else {
-    // Handle non-image file previews.
-  if (extension === "pdf") {
-    // build a cache‐busted URL
+  /* -------------------- PDF => new tab -------------------- */
+  if (lower.endsWith('.pdf')) {
     const separator = fileUrl.includes('?') ? '&' : '?';
     const urlWithTs = fileUrl + separator + 't=' + Date.now();
-  
-    // open in a new tab (avoids CSP frame-ancestors)
     window.open(urlWithTs, "_blank");
-  
-    // tear down the just-created modal
-    const modal = document.getElementById("filePreviewModal");
-    if (modal) modal.remove();
-  
-    // stop further preview logic
+    overlay.remove();
     return;
-  } else if (/\.(mp4|mkv|webm|mov|ogv)$/i.test(fileName)) {
-      const video = document.createElement("video");
-      video.src = fileUrl;
-      video.controls = true;
-      video.className = "image-modal-img";
-      
-      const progressKey = 'videoProgress-' + fileUrl;
-      video.addEventListener("loadedmetadata", () => {
-        const savedTime = localStorage.getItem(progressKey);
-        if (savedTime) {
-          video.currentTime = parseFloat(savedTime);
+  }
+
+  /* -------------------- VIDEOS -------------------- */
+  if (isVideo) {
+    let video = document.createElement("video"); // let so we can rebind
+    video.controls = true;
+    video.style.maxWidth  = "88vw";
+    video.style.maxHeight = "88vh";
+    video.style.objectFit = "contain";
+    container.appendChild(video);
+
+    const markBtn  = document.createElement('button');
+    const clearBtn = document.createElement('button');
+    markBtn.className  = 'btn btn-sm btn-success';
+    clearBtn.className = 'btn btn-sm btn-secondary';
+    markBtn.textContent  = t("mark_as_viewed") || "Mark as viewed";
+    clearBtn.textContent = t("clear_progress") || "Clear progress";
+    actionWrap.appendChild(markBtn);
+    actionWrap.appendChild(clearBtn);
+
+    const videos = (Array.isArray(fileData) ? fileData : []).filter(f => VID_RE.test(f.name));
+    overlay.mediaType  = 'video';
+    overlay.mediaList  = videos;
+    overlay.mediaIndex = Math.max(0, videos.findIndex(f => f.name === name));
+    setNavVisibility(overlay, videos.length > 1, videos.length > 1);
+
+    const setVideoSrc = (nm) => { video.src = buildPreviewUrl(folder, nm); setTitle(overlay, nm); };
+
+    const SAVE_INTERVAL_MS = 5000;
+    let lastSaveAt = 0;
+    let pending = false;
+
+    async function getProgress(nm) {
+      try {
+        const res = await fetch(`/api/media/getProgress.php?folder=${encodeURIComponent(folder)}&file=${encodeURIComponent(nm)}&t=${Date.now()}`, { credentials: "include" });
+        const data = await res.json();
+        return data && data.state ? data.state : null;
+      } catch { return null; }
+    }
+    async function sendProgress({nm, seconds, duration, completed, clear}) {
+      try {
+        pending = true;
+        const res = await fetch("/api/media/updateProgress.php", {
+          method: "POST",
+          credentials: "include",
+          headers: { "Content-Type": "application/json", "X-CSRF-Token": window.csrfToken },
+          body: JSON.stringify({ folder, file: nm, seconds, duration, completed, clear })
+        });
+        const data = await res.json();
+        pending = false;
+        return data;
+      } catch (e) { pending = false; console.error(e); return null; }
+    }
+    const lsKey = (nm) => `videoProgress-${folder}/${nm}`;
+
+    function renderStatus(state) {
+      if (!statusChip) return;
+      // Completed
+      if (state && state.completed) {
+        
+        statusChip.textContent = (t('viewed') || 'Viewed') + ' ✓';
+        statusChip.style.display = 'inline-block';
+        statusChip.style.borderColor = 'rgba(34,197,94,.45)';
+        statusChip.style.background  = 'rgba(34,197,94,.15)';
+        statusChip.style.color       = '#22c55e';
+        markBtn.style.display  = 'none';
+        clearBtn.style.display = '';
+        clearBtn.textContent   = t('reset_progress') || t('clear_progress') || 'Reset';
+        return;
+      }
+      // In progress
+      if (state && Number.isFinite(state.seconds) && Number.isFinite(state.duration) && state.duration > 0) {
+        const pct = Math.max(1, Math.min(99, Math.round((state.seconds / state.duration) * 100)));
+        statusChip.textContent = `${pct}%`;
+        statusChip.style.display = 'inline-block';
+        statusChip.style.borderColor = 'rgba(250,204,21,.45)';
+        statusChip.style.background  = 'rgba(250,204,21,.15)';
+        statusChip.style.color       = '#facc15';
+        markBtn.style.display  = '';
+        clearBtn.style.display = '';
+        clearBtn.textContent   = t('reset_progress') || t('clear_progress') || 'Reset';
+        return;
+      }
+      // No progress
+      statusChip.style.display = 'none';
+      markBtn.style.display  = '';
+      clearBtn.style.display = 'none';
+    }
+
+    function bindVideoEvents(nm) {
+      const nv = video.cloneNode(true);
+      video.replaceWith(nv);
+      video = nv;
+
+      video.addEventListener("loadedmetadata", async () => {
+        try {
+          const state = await getProgress(nm);
+          if (state && Number.isFinite(state.seconds) && state.seconds > 0 && state.seconds < (video.duration || Infinity)) {
+            video.currentTime = state.seconds;
+            const seconds = Math.floor(video.currentTime || 0);
+const duration = Math.floor(video.duration || 0);
+setFileProgressBadge(nm, seconds, duration);
+            showToast((t("resumed_from") || "Resumed from") + " " + Math.floor(state.seconds) + "s");
+          } else {
+            const ls = localStorage.getItem(lsKey(nm));
+            if (ls) video.currentTime = parseFloat(ls);
+          }
+          renderStatus(state || null);
+        } catch {
+          renderStatus(null);
         }
       });
-      video.addEventListener("timeupdate", () => {
-        localStorage.setItem(progressKey, video.currentTime);
+
+      video.addEventListener("timeupdate", async () => {
+        const now = Date.now();
+        if ((now - lastSaveAt) < SAVE_INTERVAL_MS || pending) return;
+        lastSaveAt = now;
+        const seconds = Math.floor(video.currentTime || 0);
+        const duration = Math.floor(video.duration || 0);
+        sendProgress({ nm, seconds, duration });
+        setFileProgressBadge(nm, seconds, duration);
+        try { localStorage.setItem(lsKey(nm), String(seconds)); } catch {}
+        renderStatus({ seconds, duration, completed: false });
       });
-      video.addEventListener("ended", () => {
-        localStorage.removeItem(progressKey);
+
+      video.addEventListener("ended", async () => {
+        const duration = Math.floor(video.duration || 0);
+        await sendProgress({ nm, seconds: duration, duration, completed: true });
+        try { localStorage.removeItem(lsKey(nm)); } catch {}
+        showToast(t("marked_viewed") || "Marked as viewed");
+        setFileWatchedBadge(nm, true);
+        renderStatus({ seconds: duration, duration, completed: true });
       });
-      container.appendChild(video);
-    } else if (/\.(mp3|wav|m4a|ogg|flac|aac|wma|opus)$/i.test(fileName)) {
-      const audio = document.createElement("audio");
-      audio.src = fileUrl;
-      audio.controls = true;
-      audio.className = "audio-modal";
-      audio.style.maxWidth = "80vw";
-      container.appendChild(audio);
-    } else {
-      container.textContent = "Preview not available for this file type.";
+
+      markBtn.onclick = async () => {
+        const duration = Math.floor(video.duration || 0);
+        await sendProgress({ nm, seconds: duration, duration, completed: true });
+        showToast(t("marked_viewed") || "Marked as viewed");
+        setFileWatchedBadge(nm, true);
+        renderStatus({ seconds: duration, duration, completed: true });
+      };
+      clearBtn.onclick = async () => {
+        await sendProgress({ nm, seconds: 0, duration: null, completed: false, clear: true });
+        try { localStorage.removeItem(lsKey(nm)); } catch {}
+        showToast(t("progress_cleared") || "Progress cleared");
+        setFileWatchedBadge(nm, false);
+        renderStatus(null);
+      };
     }
+
+    const navigate = (dir) => {
+      if (!overlay.mediaList || overlay.mediaList.length < 2) return;
+      overlay.mediaIndex = (overlay.mediaIndex + dir + overlay.mediaList.length) % overlay.mediaList.length;
+      const nm = overlay.mediaList[overlay.mediaIndex].name;
+      setVideoSrc(nm);
+      bindVideoEvents(nm);
+    };
+
+    if (videos.length > 1) {
+      prevBtn.addEventListener('click', (e) => { e.stopPropagation(); navigate(-1); });
+      nextBtn.addEventListener('click', (e) => { e.stopPropagation(); navigate(+1); });
+      const onKey = (e) => {
+        if (!document.body.contains(overlay)) { window.removeEventListener("keydown", onKey); return; }
+        if (e.key === "ArrowLeft")  navigate(-1);
+        if (e.key === "ArrowRight") navigate(+1);
+      };
+      window.addEventListener("keydown", onKey);
+      overlay._onKey = onKey;
+    }
+
+    setVideoSrc(name);
+    renderStatus(null);
+    bindVideoEvents(name);
+    overlay.style.display = "flex";
+    return;
+  }
+
+  /* -------------------- AUDIO / OTHER -------------------- */
+  if (isAudio) {
+    const audio = document.createElement("audio");
+    audio.src = fileUrl;
+    audio.controls = true;
+    audio.className = "audio-modal";
+    audio.style.maxWidth = "88vw";
+    container.appendChild(audio);
+    overlay.style.display = "flex";
+  } else {
+    container.textContent = t("preview_not_available") || "Preview not available for this file type.";
+    overlay.style.display = "flex";
   }
-  modal.style.display = "flex";
 }
 
-// Preserve original functionality.
+/* -------------------------------- Small display helper -------------------------------- */
 export function displayFilePreview(file, container) {
   const actualFile = file.file || file;
   if (!(actualFile instanceof File)) {
@@ -472,10 +594,9 @@ export function displayFilePreview(file, container) {
     return;
   }
   container.style.display = "inline-block";
-  while (container.firstChild) {
-    container.removeChild(container.firstChild);
-  }
-  if (/\.(jpg|jpeg|png|gif|bmp|webp|svg|ico)$/i.test(actualFile.name)) {
+  while (container.firstChild) container.removeChild(container.firstChild);
+
+  if (IMG_RE.test(actualFile.name)) {
     const img = document.createElement("img");
     img.src = URL.createObjectURL(actualFile);
     img.classList.add("file-preview-img");
@@ -488,5 +609,6 @@ export function displayFilePreview(file, container) {
   }
 }
 
+// expose for HTML onclick usage
 window.previewFile = previewFile;
 window.openShareModal = openShareModal;

public/js/fileTags.js

@@ -3,9 +3,9 @@
 // adding tags to files (with a global tag store for reuse),
 // updating the file row display with tag badges,
 // filtering the file list by tag, and persisting tag data.
-import { escapeHTML } from './domUtils.js';
-import { t } from './i18n.js';
-import { renderFileTable, renderGalleryView } from './fileListView.js';
+import { escapeHTML } from './domUtils.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
+import { renderFileTable, renderGalleryView } from './fileListView.js?v={{APP_QVER}}';
 
 export function openTagModal(file) {
   // Create the modal element.

public/js/folderManager.js

@@ -1,11 +1,11 @@
 // folderManager.js
 
-import { loadFileList } from './fileListView.js';
-import { showToast, escapeHTML, attachEnterKeyListener } from './domUtils.js';
-import { t } from './i18n.js';
-import { openFolderShareModal } from './folderShareModal.js';
-import { fetchWithCsrf } from './auth.js';
-import { loadCsrfToken } from './main.js';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
+import { showToast, escapeHTML, attachEnterKeyListener } from './domUtils.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
+import { openFolderShareModal } from './folderShareModal.js?v={{APP_QVER}}';
+import { fetchWithCsrf } from './auth.js?v={{APP_QVER}}';
+import { loadCsrfToken } from './appCore.js?v={{APP_QVER}}';
 
 /* ----------------------
    Helpers: safe JSON + state

public/js/folderShareModal.js

@@ -1,6 +1,6 @@
 // js/folderShareModal.js
-import { escapeHTML, showToast } from './domUtils.js';
-import { t } from './i18n.js';
+import { escapeHTML, showToast } from './domUtils.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
 
 export function openFolderShareModal(folder) {
   // Remove any existing modal

public/js/i18n.js

@@ -247,7 +247,7 @@ const translations = {
     "login_options": "Login Options",
     "disable_login_form": "Disable Login Form",
     "disable_basic_http_auth": "Disable Basic HTTP Auth",
-    "disable_oidc_login": "Disable OIDC Login",
+    "disable_oidc_login": "Disable OIDC Login (OIDC Config Required to enable)",
     "save_settings": "Save Settings",
     "at_least_one_login_method": "At least one login method must remain enabled.",
     "settings_updated_successfully": "Settings updated successfully.",
@@ -302,7 +302,17 @@ const translations = {
     "acl_move_folder_info": "Moving folders is restricted to folder owners or managers. Destination folders must also allow moves in.",
     "context_move_folder": "Move Folder...",
     "context_move_here": "Move Here",
-    "context_move_cancel": "Cancel Move"
+    "context_move_cancel": "Cancel Move",
+    "mark_as_viewed": "Mark as viewed",
+    "viewed": "Viewed",
+    "resumed_from": "Resumed from",
+    "clear_progress": "Clear progress",
+    "marked_viewed": "Marked as viewed",
+    "progress_cleared": "Progress cleared",
+    "previous": "Previous",
+    "next": "Next",
+    "watched": "Watched",
+    "reset_progress": "Reset Progress"
   },
   es: {
     "please_log_in_to_continue": "Por favor, inicie sesión para continuar.",

public/js/mobile/switcher.js

@@ -0,0 +1,365 @@
+(function(){
+  const isCap = !!window.Capacitor || /Capacitor/i.test(navigator.userAgent);
+  if (!isCap) return;
+  // NOTE: allow running inside Capacitor (origin "capacitor://localhost")
+
+  const Plugins = (window.Capacitor && window.Capacitor.Plugins) || {};
+  const Pref = Plugins.Preferences ? {
+    get:   ({key}) => Plugins.Preferences.get({key}),
+    set:   ({key,value}) => Plugins.Preferences.set({key,value}),
+    remove:({key}) => Plugins.Preferences.remove({key})
+  } : {
+    get:    async ({key}) => ({ value: localStorage.getItem(key) || null }),
+    set:    async ({key,value}) => localStorage.setItem(key, value),
+    remove: async ({key}) => localStorage.removeItem(key)
+  };
+  const Http = (Plugins.Http || Plugins.CapacitorHttp) || null;
+
+  const K_INST='fr_instances_v1', K_ACTIVE='fr_active_v1', K_STATUS='fr_status_v1';
+
+  const $ = s => document.querySelector(s);
+
+  // Safe element builder: attributes only, children as nodes/strings (no innerHTML)
+  const el = (tag, attrs = {}, children = []) => {
+    const n = document.createElement(tag);
+    for (const k in attrs) n.setAttribute(k, attrs[k]);
+    (Array.isArray(children) ? children : [children]).forEach(c => {
+      if (c == null) return;
+      n.appendChild(typeof c === 'string' ? document.createTextNode(c) : c);
+    });
+    return n;
+  };
+
+  // Normalize to http(s), strip creds, collapse trailing slashes
+  const normalize = (u) => {
+    if (!u) return '';
+    let v = u.trim();
+    if (!/^https?:\/\//i.test(v)) v = 'https://' + v;
+    try {
+      const url = new URL(v);
+      if (!/^https?:$/.test(url.protocol)) return '';
+      url.username = '';
+      url.password = '';
+      url.pathname = url.pathname.replace(/\/+$/,'');
+      return url.toString();
+    } catch { return ''; }
+  };
+
+  // Append/overwrite a query param safely on a normalized URL
+  const withParam = (base, k, v) => {
+    try {
+      const u = new URL(normalize(base));
+      u.searchParams.set(k, v);
+      return u.toString();
+    } catch { return ''; }
+  };
+
+  const host = u => {
+    try { return new URL(normalize(u)).hostname; } catch { return ''; }
+  };
+  const originOf = u => {
+    try { return new URL(normalize(u)).origin; } catch { return ''; }
+  };
+  const faviconUrl = u => {
+    try { const x = new URL(normalize(u)); return x.origin + '/favicon.ico'; } catch { return ''; }
+  };
+  const initialsIcon = (hn='FR') => {
+    const t=(hn||'FR').replace(/^www\./,'').slice(0,2).toUpperCase();
+    const svg=`<svg xmlns='http://www.w3.org/2000/svg' width='64' height='64'>
+      <rect width='100%' height='100%' rx='12' ry='12' fill='#2196F3'/>
+      <text x='50%' y='54%' text-anchor='middle' font-family='system-ui,-apple-system,Segoe UI,Roboto,sans-serif'
+            font-size='28' font-weight='700' fill='#fff'>${t}</text></svg>`;
+    return 'data:image/svg+xml;utf8,'+encodeURIComponent(svg);
+  };
+
+  async function getStatusCache(){
+    const raw=(await Pref.get({key:K_STATUS})).value;
+    try { return raw ? JSON.parse(raw) : {}; } catch { return {}; }
+  }
+  async function writeStatus(origin, ok){
+    const cache=await getStatusCache();
+    cache[origin]={ ok, ts: Date.now() };
+    await Pref.set({key:K_STATUS, value:JSON.stringify(cache)});
+  }
+
+  async function verifyFileRise(u, timeout=5000){
+    if (!u || !Http) return {ok:false};
+    const base = normalize(u), org = originOf(base);
+    const tryJson = async (url, validate) => {
+      try{
+        const r = await Http.get({ url, connectTimeout:timeout, readTimeout:timeout, headers:{'Accept':'application/json','Cache-Control':'no-cache'} });
+        if (r && r.data) {
+          const j = (typeof r.data === 'string') ? JSON.parse(r.data) : r.data;
+          return !!validate(j);
+        }
+      }catch(_){}
+      return false;
+    };
+    if (await tryJson(org + '/siteConfig.json', j => j && (j.appTitle || j.headerTitle || j.auth || j.oidc || j.basicAuth))) return {ok:true, origin:org};
+    if (await tryJson(org + '/api/ping.php',    j => j && (j.ok===true || j.status==='ok' || j.pong || j.app==='FileRise'))) return {ok:true, origin:org};
+    if (await tryJson(org + '/api/version.php', j => j && (j.version || j.app==='FileRise'))) return {ok:true, origin:org};
+    try{
+      const r = await Http.get({ url: org+'/', connectTimeout:timeout, readTimeout:timeout, headers:{'Cache-Control':'no-cache'} });
+      if (typeof r.data === 'string' && /FileRise/i.test(r.data)) return {ok:true, origin:org};
+    }catch(_){}
+    return {ok:false, origin:org};
+  }
+
+  async function probeReachable(u, timeout=3000){
+    try{
+      const base = new URL(normalize(u)).origin, ico=base+'/favicon.ico';
+      if (Http){
+        try{ const r=await Http.get({ url: ico, connectTimeout:timeout, readTimeout:timeout, headers:{'Cache-Control':'no-cache'} });
+             if (r && typeof r.status==='number' && r.status<500) return true; }catch(e){}
+        try{ const r2=await Http.get({ url: base+'/', connectTimeout:timeout, readTimeout:timeout, headers:{'Cache-Control':'no-cache'} });
+             if (r2 && typeof r2.status==='number' && r2.status<500) return true; }catch(e){}
+        return false;
+      }
+      return await new Promise(res=>{
+        const img=new Image(), t=setTimeout(()=>done(false), timeout);
+        function done(ok){ clearTimeout(t); img.onload=img.onerror=null; res(ok); }
+        img.onload=()=>done(true); img.onerror=()=>done(false);
+        img.src = ico + (ico.includes('?')?'&':'?') + '__fr=' + Date.now();
+      });
+    }catch{ return false; }
+  }
+
+  async function loadInstances(){
+    const raw=(await Pref.get({key:K_INST})).value;
+    try { return raw ? JSON.parse(raw) : []; } catch { return []; }
+  }
+  async function saveInstances(list){
+    await Pref.set({key:K_INST, value:JSON.stringify(list)});
+  }
+  async function getActive(){ return (await Pref.get({key:K_ACTIVE})).value }
+  async function setActive(id){ await Pref.set({key:K_ACTIVE, value:id||''}) }
+
+  // ---- Styles (slide-up sheet + disabled buttons + safe-area) ----
+  if (!$('#frx-mobile-style')) {
+    const css = `
+      .frx-fab { position:fixed; right:16px; bottom:calc(env(safe-area-inset-bottom,0px) + 18px); width:52px; height:52px; border-radius:26px;
+        background: linear-gradient(180deg,#64B5F6,#2196F3 65%,#1976D2); color:#fff; display:grid; place-items:center;
+        box-shadow:0 10px 22px rgba(33,150,243,.38); z-index:2147483647; cursor:pointer; user-select:none; }
+      .frx-fab:active { transform: translateY(1px) scale(.98); }
+      .frx-fab svg { width:26px; height:26px; fill:white }
+      .frx-scrim{position:fixed;inset:0;background:rgba(0,0,0,.45);z-index:2147483645;opacity:0;visibility:hidden;transition:opacity .24s ease}
+      .frx-scrim.show{opacity:1;visibility:visible}
+      .frx-sheet{position:fixed;left:0;right:0;bottom:0;background:#0f172a;color:#e5e7eb;
+        border-top-left-radius:16px;border-top-right-radius:16px;box-shadow:0 -10px 30px rgba(0,0,0,.3);
+        z-index:2147483646;transform:translateY(100%);opacity:0;visibility:hidden;
+        transition:transform .28s cubic-bezier(.2,.8,.2,1), opacity .28s ease; will-change:transform}
+      .frx-sheet.show{transform:translateY(0);opacity:1;visibility:visible}
+      .frx-sheet .hdr{display:flex;align-items:center;justify-content:space-between;padding:14px 16px;border-bottom:1px solid rgba(255,255,255,.08)}
+      .frx-title{display:flex;align-items:center;gap:10px;font-weight:800}
+      .frx-title img{width:22px;height:22px}
+      .frx-list{max-height:60vh;overflow:auto;padding:8px 12px}
+      .frx-chip{border:1px solid rgba(255,255,255,.08);border-radius:12px;padding:12px;margin:8px 4px;background:rgba(255,255,255,.04)}
+      .frx-chip.active{outline:3px solid rgba(33,150,243,.35); border-color:#2196F3}
+      .frx-top{display:flex;gap:10px;align-items:center;justify-content:space-between;margin-bottom:10px}
+      .frx-left{display:flex;gap:10px;align-items:center}
+      .frx-ico{width:20px;height:20px;border-radius:6px;overflow:hidden;background:#fff;display:grid;place-items:center}
+      .frx-ico img{width:100%;height:100%;object-fit:cover;display:block}
+      .frx-name{font-weight:800}
+      .frx-host{font-size:12px;opacity:.8;margin-top:2px}
+      .frx-status{display:flex;align-items:center;gap:6px;font-size:12px;opacity:.9}
+      .frx-dot{width:10px;height:10px;border-radius:50%;}
+      .frx-dot.on{background:#10B981;box-shadow:0 0 0 3px rgba(16,185,129,.18)}
+      .frx-dot.off{background:#ef4444;box-shadow:0 0 0 3px rgba(239,68,68,.18)}
+      .frx-actions{display:flex;gap:8px;flex-wrap:wrap}
+      .frx-btn{appearance:none;border:0;border-radius:10px;padding:10px 12px;font-weight:700;cursor:pointer;transition:.15s ease opacity, .15s ease filter}
+      .frx-btn[disabled]{opacity:.5;cursor:not-allowed;filter:grayscale(20%)}
+      .frx-primary{background:linear-gradient(180deg,#64B5F6,#2196F3);color:#fff}
+      .frx-ghost{background:transparent;color:#cbd5e1;border:1px solid rgba(255,255,255,.12)}
+      .frx-danger{background:transparent;color:#f44336;border:1px solid rgba(244,67,54,.45)}
+      .frx-row{display:flex;gap:8px;align-items:center}
+      .frx-field{display:grid;gap:6px;margin:8px 4px}
+      .frx-input{width:100%;padding:12px;border-radius:10px;border:1px solid rgba(255,255,255,.12);background:transparent;color:inherit}
+      .frx-footer{display:flex;justify-content:flex-end;gap:8px;padding:10px 12px;border-top:1px solid rgba(255,255,255,.08)}
+      @media (pointer:coarse) { .frx-fab { width:58px; height:58px; border-radius:29px; } }
+    `;
+    document.head.appendChild(el('style',{id:'frx-mobile-style'}, css));
+  }
+
+  // ---- DOM skeleton (no innerHTML) ----
+  const scrim = el('div',{class:'frx-scrim', id:'frx-scrim'});
+  const sheet = el('div',{class:'frx-sheet', id:'frx-sheet'});
+  const hdr = el('div',{class:'hdr'});
+  const title = el('div',{class:'frx-title'});
+  const logo = el('img',{src:'/assets/logo.svg', alt:'FileRise'});
+  // inline handler via property, not attribute
+  logo.onerror = function(){ this.style.display='none'; };
+  title.append(logo, el('span',{},'FileRise Switcher'));
+  const hdrBtns = el('div',{class:'frx-row'},[
+    el('button',{class:'frx-btn frx-ghost', id:'frx-home'},'Home'),
+    el('button',{class:'frx-btn frx-ghost', id:'frx-close'},'Close')
+  ]);
+  hdr.append(title, hdrBtns);
+
+  const list = el('div',{class:'frx-list', id:'frx-list'});
+  const formWrap = el('div',{style:'padding:10px 12px'},[
+    el('div',{class:'frx-field'},[
+      el('input',{class:'frx-input', id:'frx-name', placeholder:'Display name (optional)'}),
+      el('input',{class:'frx-input', id:'frx-url',  placeholder:'https://files.example.com'})
+    ])
+  ]);
+  const footer = el('div',{class:'frx-footer'},[
+    el('button',{class:'frx-btn frx-ghost', id:'frx-add-cancel'},'Close'),
+    el('button',{class:'frx-btn frx-primary', id:'frx-add-save'},'+ Add server')
+  ]);
+  sheet.append(hdr, list, formWrap, footer);
+
+  const fab = el('div',{class:'frx-fab', id:'frx-fab', title:'Switch server'},[
+    el('svg',{viewBox:'0 0 24 24'},[ el('path',{d:'M7 7h10v2H7V7zm0 4h10v2H7v-2zm0 4h10v2H7v-2z'}) ])
+  ]);
+
+  document.body.appendChild(scrim);
+  document.body.appendChild(sheet);
+  document.body.appendChild(fab);
+
+  function show(){ scrim.classList.add('show'); sheet.classList.add('show'); fab.style.display='none'; }
+  function hide(){ scrim.classList.remove('show'); sheet.classList.remove('show'); fab.style.display='grid'; }
+  $('#frx-close').addEventListener('click', hide);
+  $('#frx-add-cancel').addEventListener('click', hide);
+  $('#frx-home').addEventListener('click', ()=>{ try{ location.href='capacitor://localhost/index.html'; }catch{} });
+  scrim.addEventListener('click', hide);
+  document.addEventListener('keydown', e=>{ if(e.key==='Escape') hide(); });
+
+  function chipNode(item, isActive){
+    const hv = host(item.url);
+    const node = el('div',{class:'frx-chip'+(isActive?' active':''), 'data-id':item.id});
+
+    const top  = el('div',{class:'frx-top'});
+    const left = el('div',{class:'frx-left'});
+
+    const ico  = el('div',{class:'frx-ico'});
+    const img  = new Image();
+    img.alt=''; img.src=item.favicon||faviconUrl(item.url)||initialsIcon(hv);
+    img.onerror=()=>{ img.onerror=null; img.src=initialsIcon(hv); };
+    ico.appendChild(img);
+
+    const txt  = el('div',{},[
+      el('div',{class:'frx-name'}, (item.name || hv)),
+      el('div',{class:'frx-host'}, hv)
+    ]);
+
+    left.appendChild(ico);
+    left.appendChild(txt);
+
+    const dot = el('span',{class:'frx-dot', id:`frx-dot-${item.id}`});
+    const lbl = el('span',{id:`frx-lbl-${item.id}`}, 'Checking…');
+    const status = el('div',{class:'frx-status'}, [dot, lbl]);
+
+    top.appendChild(left);
+    top.appendChild(status);
+
+    const actions = el('div',{class:'frx-actions'});
+    const bOpen = el('button',{class:'frx-btn frx-primary', 'data-act':'open', disabled:true}, 'Open');
+    const bRen  = el('button',{class:'frx-btn frx-ghost',   'data-act':'rename'}, 'Rename');
+    const bDel  = el('button',{class:'frx-btn frx-danger',  'data-act':'remove'}, 'Remove');
+    actions.appendChild(bOpen); actions.appendChild(bRen); actions.appendChild(bDel);
+
+    node.appendChild(top);
+    node.appendChild(actions);
+    return node;
+  }
+
+  async function renderList(){
+    const listEl=$('#frx-list'); listEl.textContent='';
+    const list=await loadInstances(); const active=await getActive();
+    const cache=await getStatusCache();
+
+    list.sort((a,b)=>(b.lastUsed||0)-(a.lastUsed||0)).forEach(item=>{
+      const chip = chipNode(item, item.id===active);
+      const o = originOf(item.url), cached = cache[o];
+      const dot = chip.querySelector(`#frx-dot-${item.id}`);
+      const lbl = chip.querySelector(`#frx-lbl-${item.id}`);
+      const openBtn = chip.querySelector('[data-act="open"]');
+
+      if (cached){
+        dot.classList.add(cached.ok ? 'on':'off');
+        lbl.textContent = cached.ok ? 'Online' : 'Offline';
+        openBtn.disabled = !cached.ok;
+      } else {
+        lbl.textContent = 'Unknown';
+        openBtn.disabled = true;
+      }
+
+      chip.addEventListener('click', async (e)=>{
+        const act = e.target?.dataset?.act;
+        if (!act) return;
+
+        if (act==='open'){
+          if (openBtn.disabled) return;
+          await setActive(item.id);
+          const dest = withParam(item.url, 'frapp', '1');
+          if (dest) window.location.replace(dest);
+        } else if (act==='rename'){
+          const nn=prompt('New display name:', item.name || host(item.url));
+          if (nn!=null){
+            const L=await loadInstances(); const it=L.find(x=>x.id===item.id);
+            if (it){ it.name=nn.trim().slice(0,120); it.lastUsed=Date.now(); await saveInstances(L); renderList(); }
+          }
+        } else if (act==='remove'){
+          if (!confirm('Remove this server?')) return;
+          let L=await loadInstances(); L=L.filter(x=>x.id!==item.id); await saveInstances(L);
+          const a=await getActive(); if (a===item.id) await setActive(L[0]?.id||''); renderList();
+        }
+      });
+
+      listEl.appendChild(chip);
+
+      // Live refresh (best effort)
+      (async ()=>{
+        const ok = await probeReachable(item.url, 2500);
+        const d = document.getElementById(`frx-dot-${item.id}`);
+        const l = document.getElementById(`frx-lbl-${item.id}`);
+        const b = chip.querySelector('[data-act="open"]');
+        if (d && l && b){
+          d.classList.remove('on','off');
+          d.classList.add(ok?'on':'off');
+          l.textContent = ok ? 'Online' : 'Offline';
+          b.disabled = !ok;
+        }
+        const o2 = originOf(item.url); if (o2) writeStatus(o2, ok);
+      })();
+    });
+  }
+
+  $('#frx-add-save').addEventListener('click', async ()=>{
+    const name = $('#frx-name').value.trim();
+    const url  = $('#frx-url').value.trim();
+    if (!url) { alert('Enter a valid URL'); return; }
+
+    // Verify: must be FileRise
+    const vf = await verifyFileRise(url);
+    if (!vf.ok) { alert('That address does not look like a FileRise server.'); return; }
+
+    let L = await loadInstances();
+    const h  = host(url);
+    const dupe = L.find(i => host(i.url)===h);
+    const inst = dupe || { id:'i'+Math.random().toString(36).slice(2)+Date.now().toString(36) };
+    inst.name = name || inst.name || h;
+    inst.url  = normalize(url);
+    inst.favicon = faviconUrl(url);
+    inst.lastUsed = Date.now();
+    if (!dupe) L.push(inst);
+    await saveInstances(L);
+    await setActive(inst.id);
+
+    if (vf.origin) await writeStatus(vf.origin, true);
+
+    const dest = withParam(inst.url, 'frapp', '1');
+    if (dest) window.location.replace(dest);
+  });
+
+  fab.addEventListener('click', async ()=>{ await renderList(); show(); });
+
+  // Ensure zoom gestures work if the host page tried to disable them
+  (function ensureZoomable(){
+    let m = document.querySelector('meta[name=viewport]');
+    const desired = 'width=device-width, initial-scale=1, viewport-fit=cover, user-scalable=yes, minimum-scale=1, maximum-scale=5';
+    if (!m){ m = document.createElement('meta'); m.setAttribute('name','viewport'); document.head.appendChild(m); }
+    const c = m.getAttribute('content') || '';
+    if (/user-scalable=no|maximum-scale=1/.test(c)) m.setAttribute('content', desired);
+  })();
+})();

public/js/pwa/register-sw.js

@@ -0,0 +1,5 @@
+if ('serviceWorker' in navigator) {
+    window.addEventListener('load', () => {
+      navigator.serviceWorker.register('/sw.js?v={{APP_QVER}}').catch(() => {});
+    });
+  }

public/js/pwa/sw.js

@@ -0,0 +1,9 @@
+// public/js/pwa/sw.js
+const SW_VERSION = '{{APP_QVER}}';
+const STATIC_CACHE = `fr-static-${SW_VERSION}`;
+const STATIC_ASSETS = [
+  '/', '/index.html',
+  '/css/styles.css?v={{APP_QVER}}',
+  '/js/main.js?v={{APP_QVER}}',
+  '/assets/logo.svg?v={{APP_QVER}}'
+];

public/js/trashRestoreDelete.js

@@ -1,9 +1,9 @@
 // trashRestoreDelete.js
-import { sendRequest } from './networkUtils.js';
-import { toggleVisibility, showToast } from './domUtils.js';
-import { loadFileList } from './fileListView.js';
-import { loadFolderTree } from './folderManager.js';
-import { t } from './i18n.js';
+import { sendRequest } from './networkUtils.js?v={{APP_QVER}}';
+import { toggleVisibility, showToast } from './domUtils.js?v={{APP_QVER}}';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
+import { loadFolderTree } from './folderManager.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
 
 function showConfirm(message, onConfirm) {
     const modal = document.getElementById("customConfirmModal");

public/js/upload.js

@@ -1,9 +1,9 @@
-import { initFileActions } from './fileActions.js';
-import { displayFilePreview } from './filePreview.js';
-import { showToast, escapeHTML } from './domUtils.js';
-import { loadFolderTree } from './folderManager.js';
-import { loadFileList } from './fileListView.js';
-import { t } from './i18n.js';
+import { initFileActions } from './fileActions.js?v={{APP_QVER}}';
+import { displayFilePreview } from './filePreview.js?v={{APP_QVER}}';
+import { showToast, escapeHTML } from './domUtils.js?v={{APP_QVER}}';
+import { loadFolderTree } from './folderManager.js?v={{APP_QVER}}';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
 
 /* -----------------------------------------------------
    Helpers for Drag–and–Drop Folder Uploads (Original Code)
@@ -36,6 +36,38 @@ function traverseFileTreePromise(item, path = "") {
   });
 }
 
+// --- Lazy loader for Resumable.js (no CSP inline, cached, safe) ---
+const RESUMABLE_SRC = '/vendor/resumable/1.1.0/resumable.min.js?v={{APP_QVER}}';
+let _resumableLoadPromise = null;
+
+function loadScriptOnce(src) {
+  if (loadScriptOnce._cache?.has(src)) return loadScriptOnce._cache.get(src);
+  loadScriptOnce._cache = loadScriptOnce._cache || new Map();
+  const p = new Promise((resolve, reject) => {
+    const s = document.createElement('script');
+    s.src = src;
+    s.async = true;
+    s.onload = resolve;
+    s.onerror = () => reject(new Error(`Failed to load ${src}`));
+    document.head.appendChild(s);
+  });
+  loadScriptOnce._cache.set(src, p);
+  return p;
+}
+
+function lazyLoadResumable() {
+  if (window.Resumable) return Promise.resolve(window.Resumable);
+  if (!_resumableLoadPromise) {
+    _resumableLoadPromise = loadScriptOnce(RESUMABLE_SRC).then(() => window.Resumable);
+  }
+  return _resumableLoadPromise;
+}
+
+// Optional: let main.js prefetch it in the background
+export function warmUpResumable() {
+  lazyLoadResumable().catch(() => {/* ignore warm-up failure */});
+}
+
 // Recursively retrieve files from DataTransfer items.
 function getFilesFromDataTransferItems(items) {
   const promises = [];
@@ -401,36 +433,49 @@ function processFiles(filesInput) {
    Resumable.js Integration for File Picker Uploads
    (Only files chosen via file input use Resumable; folder uploads use original code.)
 ----------------------------------------------------- */
-const useResumable = true; // Enable resumable for file picker uploads
-let resumableInstance;
-function initResumableUpload() {
-  resumableInstance = new Resumable({
-    target: "/api/upload/upload.php",
-    chunkSize: 1.5 * 1024 * 1024,
-    simultaneousUploads: 3,
-    forceChunkSize: true,
-    testChunks: false,
-    withCredentials: true,
-    headers: { 'X-CSRF-Token': window.csrfToken },
-    query: () => ({
-      folder: window.currentFolder || "root",
-      upload_token: window.csrfToken
-    })
+const useResumable = true;
+let resumableInstance = null;
+let _pendingPickedFiles = [];   // files picked before library/instance ready
+let _resumableReady = false;
+
+// Make init async-safe; it resolves when Resumable is constructed
+async function initResumableUpload() {
+  if (resumableInstance) return;
+  // Load the library if needed
+  const ResumableCtor = await lazyLoadResumable().catch(err => {
+    console.error('Failed to load Resumable.js:', err);
+    return null;
   });
+  if (!ResumableCtor) return;
+
+  // Construct the instance once
+  if (!resumableInstance) {
+    resumableInstance = new ResumableCtor({
+      target: "/api/upload/upload.php",
+      chunkSize: 1.5 * 1024 * 1024,
+      simultaneousUploads: 3,
+      forceChunkSize: true,
+      testChunks: false,
+      withCredentials: true,
+      headers: { 'X-CSRF-Token': window.csrfToken },
+      query: () => ({
+        folder: window.currentFolder || "root",
+        upload_token: window.csrfToken
+      })
+    });
+  }
 
   // keep query fresh when folder changes (call this from your folder nav code)
   function updateResumableQuery() {
     if (!resumableInstance) return;
     resumableInstance.opts.headers['X-CSRF-Token'] = window.csrfToken;
-    // if you're not using a function for query, do:
     resumableInstance.opts.query.folder = window.currentFolder || 'root';
     resumableInstance.opts.query.upload_token = window.csrfToken;
   }
 
   const fileInput = document.getElementById("file");
   if (fileInput) {
-    // Assign Resumable to file input for file picker uploads.
-    resumableInstance.assignBrowse(fileInput);
+    
     fileInput.addEventListener("change", function () {
       for (let i = 0; i < fileInput.files.length; i++) {
         resumableInstance.addFile(fileInput.files[i]);
@@ -587,13 +632,24 @@ function initResumableUpload() {
       showToast("Some files failed to upload. Please check the list.");
     }
   });
+
+  _resumableReady = true;
+  if (_pendingPickedFiles.length) {
+    updateResumableQuery();
+    for (const f of _pendingPickedFiles) resumableInstance.addFile(f);
+    _pendingPickedFiles = [];
+  }
+
 }
 
 /* -----------------------------------------------------
    XHR-based submitFiles for Drag–and–Drop (Folder) Uploads
 ----------------------------------------------------- */
 function submitFiles(allFiles) {
-  const folderToUse = window.currentFolder || "root";
+  const folderToUse = (() => {
+    const f = window.currentFolder || "root";
+    try { return decodeURIComponent(f); } catch { return f; }
+  })();
   const progressContainer = document.getElementById("uploadProgressContainer");
   const fileInput = document.getElementById("file");
 
@@ -857,32 +913,48 @@ function initUpload() {
   }
 
   if (fileInput) {
-    fileInput.addEventListener("change", function () {
+    fileInput.addEventListener("change", async function () {
+      const files = Array.from(fileInput.files || []);
+      if (!files.length) return;
+  
       if (useResumable) {
-        // For file picker, if resumable is enabled, let it handle the files.
-        for (let i = 0; i < fileInput.files.length; i++) {
-          resumableInstance.addFile(fileInput.files[i]);
+        // Ensure the lib/instance exists
+        if (!_resumableReady) await initResumableUpload();
+        if (resumableInstance) {
+          for (const f of files) resumableInstance.addFile(f);
+        } else {
+          // If still not ready (load error), fall back to your XHR path
+          processFiles(files);
         }
       } else {
-        processFiles(fileInput.files);
+        processFiles(files);
       }
     });
   }
 
   if (uploadForm) {
-    uploadForm.addEventListener("submit", function (e) {
+    uploadForm.addEventListener("submit", async function (e) {
       e.preventDefault();
       const files = window.selectedFiles || (fileInput ? fileInput.files : []);
-      if (!files || files.length === 0) {
+      if (!files || !files.length) {
         showToast("No files selected.");
         return;
       }
-      // If files come from file picker (no relative path), use Resumable.
-      if (useResumable && (!files[0].customRelativePath || files[0].customRelativePath === "")) {
-        // Ensure current folder is updated.
-        resumableInstance.opts.query.folder = window.currentFolder || "root";
-        resumableInstance.upload();
-        showToast("Resumable upload started...");
+  
+      // Resumable path (only for picked files, not folder uploads)
+      const first = files[0];
+      const isFolderish = !!(first.customRelativePath || first.webkitRelativePath);
+      if (useResumable && !isFolderish) {
+        if (!_resumableReady) await initResumableUpload();
+        if (resumableInstance) {
+          // ensure folder/token fresh
+          resumableInstance.opts.query.folder = window.currentFolder || "root";
+          resumableInstance.upload();
+          showToast("Resumable upload started...");
+        } else {
+          // fallback
+          submitFiles(files);
+        }
       } else {
         submitFiles(files);
       }

public/js/version.js

@@ -1,2 +1,2 @@
 // generated by CI
-window.APP_VERSION = 'v1.6.11';
+window.APP_VERSION = 'v1.8.5';

public/manifest.webmanifest

@@ -0,0 +1,14 @@
+{
+    "name": "FileRise",
+    "short_name": "FileRise",
+    "start_url": "/?pwa=1",
+    "scope": "/",
+    "display": "standalone",
+    "background_color": "#111111",
+    "theme_color": "#0b5ed7",
+    "icons": [
+      { "src": "/assets/icons/icon-192.png?v={{APP_QVER}}", "sizes": "192x192", "type": "image/png" },
+      { "src": "/assets/icons/icon-512.png?v={{APP_QVER}}", "sizes": "512x512", "type": "image/png" },
+      { "src": "/assets/icons/maskable-512.png?v={{APP_QVER}}", "sizes": "512x512", "type": "image/png", "purpose": "maskable" }
+    ]
+  }

public/sw.js

@@ -0,0 +1,6 @@
+// Root-scoped stub. Keeps the worker’s scope at “/” level
+try {
+  self.importScripts('/js/pwa/sw.js?v={{APP_QVER}}');
+} catch (_) {
+  // no-op
+}

scripts/stamp-assets.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+# usage: scripts/stamp-assets.sh vX.Y.Z /path/to/target/dir
+set -euo pipefail
+
+VER="${1:?usage: stamp-assets.sh vX.Y.Z target_dir}"
+QVER="${VER#v}"
+TARGET="${2:-.}"
+
+echo "Stamping assets in: $TARGET"
+echo "VER=${VER}  QVER=${QVER}"
+
+cd "$TARGET"
+
+# Normalize CRLF to LF (if any files were edited on Windows)
+# We only touch web assets.
+find public \( -name '*.html' -o -name '*.php' -o -name '*.css' -o -name '*.js' \) -type f -print0 \
+  | xargs -0 -r sed -i 's/\r$//'
+
+# --- HTML/CSS/PHP: stamp ?v=... and {{APP_VER}} ---
+# (?v=...) -> ?v=<QVER>
+HTML_CSS_COUNT=0
+while IFS= read -r -d '' f; do
+  sed -E -i "s/(\?v=)[^\"'&<>\s]*/\1${QVER}/g" "$f"
+  sed -E -i "s/\{\{APP_VER\}\}/${VER}/g" "$f"
+  HTML_CSS_COUNT=$((HTML_CSS_COUNT+1))
+done < <(find public -type f \( -name '*.html' -o -name '*.php' -o -name '*.css' \) -print0)
+
+# --- JS: stamp placeholders and normalize any pre-existing ?v=... ---
+JS_COUNT=0
+while IFS= read -r -d '' f; do
+  # Replace placeholders
+  sed -E -i "s/\{\{APP_VER\}\}/${VER}/g" "$f"
+  sed -E -i "s/\{\{APP_QVER\}\}/${QVER}/g" "$f"
+  # Normalize any "?v=..." that appear in ESM imports or strings
+  # This keeps any ".js" or ".mjs" then forces ?v=<QVER>
+  perl -0777 -i -pe "s@(\.m?js)\?v=[^\"')]+@\1?v=${QVER}@g" "$f"
+  JS_COUNT=$((JS_COUNT+1))
+done < <(find public -type f -name '*.js' -print0)
+
+# Force-write version.js (source of truth in stamped output)
+if [[ -f public/js/version.js ]]; then
+  printf "window.APP_VERSION = '%s';\n" "$VER" > public/js/version.js
+fi
+
+echo "Touched files: HTML/CSS/PHP=${HTML_CSS_COUNT}, JS=${JS_COUNT}"
+
+# Final self-check: fail if anything is left
+if grep -R -n -E "{{APP_QVER}}|{{APP_VER}}" public \
+   --include='*.html' --include='*.php' --include='*.css' --include='*.js' 2>/dev/null; then
+  echo "ERROR: Placeholders remain after stamping." >&2
+  exit 2
+fi
+
+echo "✅ Stamped to ${VER} (${QVER})"

src/controllers/AdminController.php

@@ -5,57 +5,93 @@ require_once __DIR__ . '/../../config/config.php';
 require_once PROJECT_ROOT . '/src/models/AdminModel.php';
 
 class AdminController
-{ 
-    public function getConfig(): void
 {
-    header('Content-Type: application/json');
+    public function getConfig(): void
+    {
+        header('Content-Type: application/json; charset=utf-8');
 
-    // Load raw config (no disclosure yet)
-    $config = AdminModel::getConfig();
-    if (isset($config['error'])) {
-        http_response_code(500);
-        echo json_encode(['error' => $config['error']]);
-        exit;
-    }
+        $config = AdminModel::getConfig();
+        if (isset($config['error'])) {
+            http_response_code(500);
+            header('Cache-Control: no-store');
+            echo json_encode(['error' => $config['error']], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+            return;
+        }
 
-    // Minimal, safe subset for all callers (unauth users and regular users)
-    $public = [
-        'header_title'        => $config['header_title'] ?? 'FileRise',
-        'loginOptions'        => [
-            // expose only what the login page / header needs
-            'disableFormLogin'  => (bool)($config['loginOptions']['disableFormLogin']  ?? false),
-            'disableBasicAuth'  => (bool)($config['loginOptions']['disableBasicAuth']  ?? false),
-            'disableOIDCLogin'  => (bool)($config['loginOptions']['disableOIDCLogin']  ?? false),
-        ],
-        'globalOtpauthUrl'    => $config['globalOtpauthUrl'] ?? '',
-        'enableWebDAV'        => (bool)($config['enableWebDAV'] ?? false),
-        'sharedMaxUploadSize' => (int)($config['sharedMaxUploadSize'] ?? 0),
+        // ---- Effective ONLYOFFICE values (constants override adminConfig) ----
+        $ooCfg       = is_array($config['onlyoffice'] ?? null) ? $config['onlyoffice'] : [];
+        $effEnabled  = defined('ONLYOFFICE_ENABLED')
+            ? (bool) ONLYOFFICE_ENABLED
+            : (bool) ($ooCfg['enabled'] ?? false);
 
-        'oidc' => [
-            'providerUrl' => (string)($config['oidc']['providerUrl'] ?? ''),
-            'redirectUri' => (string)($config['oidc']['redirectUri'] ?? ''),
-            // never expose clientId / clientSecret
-        ],
-    ];
+        $effDocs     = defined('ONLYOFFICE_DOCS_ORIGIN') && ONLYOFFICE_DOCS_ORIGIN !== ''
+            ? (string) ONLYOFFICE_DOCS_ORIGIN
+            : (string) ($ooCfg['docsOrigin'] ?? '');
 
-    $isAdmin = !empty($_SESSION['authenticated']) && !empty($_SESSION['isAdmin']);
+        $hasSecret   = defined('ONLYOFFICE_JWT_SECRET')
+            ? (ONLYOFFICE_JWT_SECRET !== '')
+            : (!empty($ooCfg['jwtSecret']));
 
-    if ($isAdmin) {
-        // Add admin-only fields (used by Admin Panel UI)
-        $adminExtra = [
-            'loginOptions' => array_merge($public['loginOptions'], [
-                'authBypass'     => (bool)($config['loginOptions']['authBypass']     ?? false),
-                'authHeaderName' => (string)($config['loginOptions']['authHeaderName'] ?? 'X-Remote-User'),
-            ]),
+        $publicOriginCfg = (string) ($ooCfg['publicOrigin'] ?? '');
+
+        // Whitelisted public subset only (+ ONLYOFFICE enabled flag)
+        $public = [
+            'header_title'        => (string)($config['header_title'] ?? 'FileRise'),
+            'loginOptions'        => [
+                'disableFormLogin' => (bool)($config['loginOptions']['disableFormLogin'] ?? false),
+                'disableBasicAuth' => (bool)($config['loginOptions']['disableBasicAuth'] ?? false),
+                'disableOIDCLogin' => (bool)($config['loginOptions']['disableOIDCLogin'] ?? false),
+            ],
+            'globalOtpauthUrl'    => (string)($config['globalOtpauthUrl'] ?? ''),
+            'enableWebDAV'        => (bool)($config['enableWebDAV'] ?? false),
+            'sharedMaxUploadSize' => (int)($config['sharedMaxUploadSize'] ?? 0),
+            'oidc' => [
+                'providerUrl' => (string)($config['oidc']['providerUrl'] ?? ''),
+                'redirectUri' => (string)($config['oidc']['redirectUri'] ?? ''),
+                // never include clientId/clientSecret
+            ],
+            'onlyoffice' => [
+                // Public only needs to know if it’s on; no secrets/origins here.
+                'enabled' => $effEnabled,
+            ],
         ];
-        echo json_encode(array_merge($public, $adminExtra));
+
+        $isAdmin = !empty($_SESSION['authenticated']) && !empty($_SESSION['isAdmin']);
+
+        if ($isAdmin) {
+            // admin-only extras: presence flags + proxy options + ONLYOFFICE effective view
+            $adminExtra = [
+                'loginOptions' => array_merge($public['loginOptions'], [
+                    'authBypass'     => (bool)($config['loginOptions']['authBypass'] ?? false),
+                    'authHeaderName' => (string)($config['loginOptions']['authHeaderName'] ?? 'X-Remote-User'),
+                ]),
+                'oidc' => array_merge($public['oidc'], [
+                    'hasClientId'     => !empty($config['oidc']['clientId']),
+                    'hasClientSecret' => !empty($config['oidc']['clientSecret']),
+                ]),
+                'onlyoffice' => [
+                    'enabled'      => $effEnabled,
+                    'docsOrigin'   => $effDocs,                // effective (constants win)
+                    'publicOrigin' => $publicOriginCfg,        // optional override from adminConfig
+                    'hasJwtSecret' => (bool)$hasSecret,        // boolean only; never leak secret
+                    'lockedByPhp'  => (
+                        defined('ONLYOFFICE_ENABLED')
+                        || defined('ONLYOFFICE_DOCS_ORIGIN')
+                        || defined('ONLYOFFICE_JWT_SECRET')
+                    ),
+                ],
+            ];
+            header('Cache-Control: no-store'); // don’t cache admin config
+            echo json_encode(array_merge($public, $adminExtra), JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+            return;
+        }
+
+        // Non-admins / unauthenticated: only the public subset
+        header('Cache-Control: no-store');
+        echo json_encode($public, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
         return;
     }
 
-    // Non-admins / unauthenticated: only the public subset
-    echo json_encode($public);
-}
-
     public function updateConfig(): void
     {
         header('Content-Type: application/json');
@@ -99,7 +135,7 @@ class AdminController
             'header_title'        => '',
             'loginOptions'        => [
                 'disableFormLogin' => false,
-                'disableBasicAuth' => false,
+                'disableBasicAuth' => true,
                 'disableOIDCLogin' => true,
                 'authBypass'       => false,
                 'authHeaderName'   => 'X-Remote-User'
@@ -216,6 +252,40 @@ class AdminController
         }
 
         // —– persist merged config —–
+                // ---- ONLYOFFICE: merge from payload (unless locked by PHP defines) ----
+                $ooLockedByPhp = (
+                    defined('ONLYOFFICE_ENABLED') ||
+                    defined('ONLYOFFICE_DOCS_ORIGIN') ||
+                    defined('ONLYOFFICE_JWT_SECRET') ||
+                    defined('ONLYOFFICE_PUBLIC_ORIGIN')
+                );
+        
+                if (!$ooLockedByPhp && isset($data['onlyoffice']) && is_array($data['onlyoffice'])) {
+                    $ooExisting = (isset($existing['onlyoffice']) && is_array($existing['onlyoffice']))
+                        ? $existing['onlyoffice'] : [];
+        
+                    $oo = $ooExisting;
+        
+                    if (array_key_exists('enabled', $data['onlyoffice'])) {
+                        $oo['enabled'] = filter_var($data['onlyoffice']['enabled'], FILTER_VALIDATE_BOOLEAN);
+                    }
+                    if (isset($data['onlyoffice']['docsOrigin'])) {
+                        $oo['docsOrigin'] = (string)$data['onlyoffice']['docsOrigin'];
+                    }
+                    if (isset($data['onlyoffice']['publicOrigin'])) {
+                        $oo['publicOrigin'] = (string)$data['onlyoffice']['publicOrigin'];
+                    }
+                    // Allow setting/changing the secret when NOT locked by PHP
+                    if (isset($data['onlyoffice']['jwtSecret'])) {
+                        $js = trim((string)$data['onlyoffice']['jwtSecret']);
+                        if ($js !== '') {
+                            $oo['jwtSecret'] = $js; // stored encrypted by AdminModel
+                        }
+                        // If blank, we leave existing secret unchanged (no implicit wipe).
+                    }
+        
+                    $merged['onlyoffice'] = $oo;
+                }
         $result = AdminModel::updateConfig($merged);
         if (isset($result['error'])) {
             http_response_code(500);

src/controllers/AuthController.php

@@ -70,7 +70,10 @@ class AuthController
             if ($oidcAction === 'callback') {
                 try {
                     $oidc->authenticate();
-                    $username = $oidc->requestUserInfo('preferred_username');
+                    $username =
+    $oidc->requestUserInfo('preferred_username')
+    ?: $oidc->requestUserInfo('email')
+    ?: $oidc->requestUserInfo('sub');
 
                     // check if this user has a TOTP secret
                     $totp_secret = null;

src/controllers/MediaController.php

@@ -0,0 +1,135 @@
+<?php
+// src/controllers/MediaController.php
+declare(strict_types=1);
+
+require_once PROJECT_ROOT . '/config/config.php';
+require_once PROJECT_ROOT . '/src/models/MediaModel.php';
+require_once PROJECT_ROOT . '/src/lib/ACL.php';
+
+class MediaController
+{
+    private function jsonStart(): void {
+        if (session_status() !== PHP_SESSION_ACTIVE) session_start();
+        header('Content-Type: application/json; charset=utf-8');
+        set_error_handler(function ($severity, $message, $file, $line) {
+            if (!(error_reporting() & $severity)) return;
+            throw new ErrorException($message, 0, $severity, $file, $line);
+        });
+    }
+    private function jsonEnd(): void { restore_error_handler(); }
+    private function out($payload, int $status=200): void {
+        http_response_code($status);
+        echo json_encode($payload, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+    }
+    private function readJson(): array {
+        $raw = file_get_contents('php://input');
+        $data = json_decode($raw, true);
+        return is_array($data) ? $data : [];
+    }
+    private function requireAuth(): ?string {
+        if (empty($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
+            $this->out(['error'=>'Unauthorized'], 401); return 'no';
+        }
+        return null;
+    }
+    private function checkCsrf(): ?string {
+        $headers = function_exists('getallheaders') ? array_change_key_case(getallheaders(), CASE_LOWER) : [];
+        $received = $headers['x-csrf-token'] ?? '';
+        if (!isset($_SESSION['csrf_token']) || $received !== $_SESSION['csrf_token']) {
+            $this->out(['error'=>'Invalid CSRF token'], 403); return 'no';
+        }
+        return null;
+    }
+    private function normalizeFolder($f): string {
+        $f = trim((string)$f);
+        return ($f==='' || strtolower($f)==='root') ? 'root' : $f;
+    }
+    private function validFolder($f): bool {
+        return $f==='root' || (bool)preg_match(REGEX_FOLDER_NAME, $f);
+    }
+    private function validFile($f): bool {
+        $f = basename((string)$f);
+        return $f !== '' && (bool)preg_match(REGEX_FILE_NAME, $f);
+    }
+    private function enforceRead(string $folder, string $username): ?string {
+        $perms = loadUserPermissions($username) ?: [];
+        return ACL::canRead($username, $perms, $folder) ? null : "Forbidden";
+    }
+
+    /** POST /api/media/updateProgress.php */
+    public function updateProgress(): void {
+        $this->jsonStart();
+        try {
+            if ($this->requireAuth()) return;
+            if ($this->checkCsrf())    return;
+
+            $u = $_SESSION['username'] ?? '';
+            $d = $this->readJson();
+            $folder = $this->normalizeFolder($d['folder'] ?? 'root');
+            $file   = (string)($d['file'] ?? '');
+            $seconds   = isset($d['seconds'])  ? floatval($d['seconds'])  : 0.0;
+            $duration  = isset($d['duration']) ? floatval($d['duration']) : null;
+            $completed = isset($d['completed']) ? (bool)$d['completed'] : null;
+            $clear     = isset($d['clear']) ? (bool)$d['clear'] : false;
+
+            if (!$this->validFolder($folder) || !$this->validFile($file)) {
+                $this->out(['error'=>'Invalid folder/file'], 400); return;
+            }
+            if ($this->enforceRead($folder, $u)) { $this->out(['error'=>'Forbidden'], 403); return; }
+
+            if ($clear) {
+                $ok = MediaModel::clearProgress($u, $folder, $file);
+                $this->out(['success'=>$ok]); return;
+            }
+
+            $row = MediaModel::saveProgress($u, $folder, $file, $seconds, $duration, $completed);
+            $this->out(['success'=>true, 'state'=>$row]);
+        } catch (Throwable $e) {
+            error_log('MediaController::updateProgress: '.$e->getMessage());
+            $this->out(['error'=>'Internal server error'], 500);
+        } finally { $this->jsonEnd(); }
+    }
+
+    /** GET /api/media/getProgress.php?folder=…&file=… */
+    public function getProgress(): void {
+        $this->jsonStart();
+        try {
+            if ($this->requireAuth()) return;
+            $u = $_SESSION['username'] ?? '';
+            $folder = $this->normalizeFolder($_GET['folder'] ?? 'root');
+            $file   = (string)($_GET['file'] ?? '');
+
+            if (!$this->validFolder($folder) || !$this->validFile($file)) {
+                $this->out(['error'=>'Invalid folder/file'], 400); return;
+            }
+            if ($this->enforceRead($folder, $u)) { $this->out(['error'=>'Forbidden'], 403); return; }
+
+            $row = MediaModel::getProgress($u, $folder, $file);
+            $this->out(['state'=>$row]);
+        } catch (Throwable $e) {
+            error_log('MediaController::getProgress: '.$e->getMessage());
+            $this->out(['error'=>'Internal server error'], 500);
+        } finally { $this->jsonEnd(); }
+    }
+
+    /** GET /api/media/getViewedMap.php?folder=…  (optional, for badges) */
+    public function getViewedMap(): void {
+        $this->jsonStart();
+        try {
+            if ($this->requireAuth()) return;
+            $u = $_SESSION['username'] ?? '';
+            $folder = $this->normalizeFolder($_GET['folder'] ?? 'root');
+
+            if (!$this->validFolder($folder)) {
+                $this->out(['error'=>'Invalid folder'], 400); return;
+            }
+            if ($this->enforceRead($folder, $u)) { $this->out(['error'=>'Forbidden'], 403); return; }
+
+            $map = MediaModel::getFolderMap($u, $folder);
+            $this->out(['map'=>$map]);
+        } catch (Throwable $e) {
+            error_log('MediaController::getViewedMap: '.$e->getMessage());
+            $this->out(['error'=>'Internal server error'], 500);
+        } finally { $this->jsonEnd(); }
+    }
+}

src/controllers/OnlyOfficeController.php

@@ -0,0 +1,383 @@
+<?php
+// src/controllers/OnlyOfficeController.php
+declare(strict_types=1);
+
+require_once PROJECT_ROOT . '/src/models/AdminModel.php';
+require_once PROJECT_ROOT . '/src/lib/ACL.php';
+
+class OnlyOfficeController
+{
+
+
+// What FileRise will route to ONLYOFFICE at all (edit *or* view)
+private const OO_SUPPORTED_EXTS = [
+    'doc','docx','odt','rtf','txt',
+    'xls','xlsx','ods','csv',
+    'ppt','pptx','odp',
+    'pdf'
+  ];
+  
+  // Never editable via OO (we’ll always set edit=false for these)
+  private const OO_NEVER_EDIT = ['pdf'];
+  
+  // (Optional) More view-only types you can enable if you like
+  private const OO_VIEW_ONLY_EXTRAS = [
+    'djvu','xps','oxps','epub','fb2','pages','hwp','hwpx',
+    'vsdx','vsdm','vssx','vssm','vstx','vstm'
+  ];
+    /** Resolve effective secret: constants override adminConfig */
+    private function effectiveSecret(): string
+    {
+        $cfg = AdminModel::getConfig();
+        $oo  = is_array($cfg['onlyoffice'] ?? null) ? $cfg['onlyoffice'] : [];
+        if (defined('ONLYOFFICE_JWT_SECRET') && ONLYOFFICE_JWT_SECRET !== '') {
+            return (string)ONLYOFFICE_JWT_SECRET;
+        }
+        return (string)($oo['jwtSecret'] ?? '');
+    }
+
+    // --- lightweight logger ------------------------------------------------------
+private const OO_LOG_PATH = '/var/www/users/onlyoffice-cb.debug';
+
+private function ooDebug(): bool
+{
+    // Enable verbose logging by either constant or env var
+    if (defined('ONLYOFFICE_DEBUG') && ONLYOFFICE_DEBUG) return true;
+    return getenv('ONLYOFFICE_DEBUG') === '1';
+}
+
+/**
+ * @param 'error'|'warn'|'info'|'debug' $level
+ */
+private function ooLog(string $level, string $msg): void
+{
+    $level = strtolower($level);
+    $line  = '[OO-CB][' . strtoupper($level) . '] ' . $msg;
+
+    // Only emit to Apache on errors (keeps logs clean)
+    if ($level === 'error') {
+        error_log($line);
+    }
+
+    // If debug mode is on, mirror all levels to a local file
+    if ($this->ooDebug()) {
+        @file_put_contents(self::OO_LOG_PATH, '[' . date('c') . '] ' . $line . "\n", FILE_APPEND);
+    }
+}
+
+    /** Resolve effective docs origin (http/https root of OO Docs server) */
+    private function effectiveDocsOrigin(): string
+    {
+        $cfg = AdminModel::getConfig();
+        $oo  = is_array($cfg['onlyoffice'] ?? null) ? $cfg['onlyoffice'] : [];
+        if (defined('ONLYOFFICE_DOCS_ORIGIN') && ONLYOFFICE_DOCS_ORIGIN !== '') {
+            return (string)ONLYOFFICE_DOCS_ORIGIN;
+        }
+        if (!empty($oo['docsOrigin'])) return (string)$oo['docsOrigin'];
+        $env = getenv('ONLYOFFICE_DOCS_ORIGIN');
+        return $env ? (string)$env : '';
+    }
+
+    /** Resolve effective enabled flag (constants override adminConfig) */
+    private function effectiveEnabled(): bool
+    {
+        $cfg = AdminModel::getConfig();
+        $oo  = is_array($cfg['onlyoffice'] ?? null) ? $cfg['onlyoffice'] : [];
+        if (defined('ONLYOFFICE_ENABLED')) return (bool)ONLYOFFICE_ENABLED;
+        return !empty($oo['enabled']);
+    }
+
+    /** Optional explicit public origin; else infer from BASE_URL / request */
+    private function effectivePublicOrigin(): string
+    {
+        $cfg = AdminModel::getConfig();
+        $oo  = is_array($cfg['onlyoffice'] ?? null) ? $cfg['onlyoffice'] : [];
+
+        if (defined('ONLYOFFICE_PUBLIC_ORIGIN') && ONLYOFFICE_PUBLIC_ORIGIN !== '') {
+            return (string)ONLYOFFICE_PUBLIC_ORIGIN;
+        }
+        if (!empty($oo['publicOrigin'])) return (string)$oo['publicOrigin'];
+
+        // Try BASE_URL if it isn't a placeholder
+        if (defined('BASE_URL') && strpos((string)BASE_URL, 'yourwebsite') === false) {
+            $u = parse_url((string)BASE_URL);
+            if (!empty($u['scheme']) && !empty($u['host'])) {
+                return $u['scheme'].'://'.$u['host'].(isset($u['port'])?':'.$u['port']:'');
+            }
+        }
+        // Fallback to request (proxy aware)
+        $proto = $_SERVER['HTTP_X_FORWARDED_PROTO']
+            ?? ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http');
+        $host  = $_SERVER['HTTP_X_FORWARDED_HOST'] ?? ($_SERVER['HTTP_HOST'] ?? 'localhost');
+        return $proto.'://'.$host;
+    }
+
+    /** base64url encode/decode helpers */
+    private function b64uDec(string $s)
+    {
+        $s = strtr($s, '-_', '+/');
+        $pad = strlen($s) % 4;
+        if ($pad) $s .= str_repeat('=', 4 - $pad);
+        return base64_decode($s, true);
+    }
+    private function b64uEnc(string $s): string
+    {
+        return rtrim(strtr(base64_encode($s), '+/','-_'), '=');
+    }
+
+    /** GET /api/onlyoffice/status.php */
+    public function status(): void
+    {
+        header('Content-Type: application/json; charset=utf-8');
+        header('Cache-Control: no-store');
+
+        $enabled   = $this->effectiveEnabled();
+        $docsOrig  = $this->effectiveDocsOrigin();
+        $secret    = $this->effectiveSecret();
+
+        // Must have docs origin and secret to actually function
+        $enabled = $enabled && ($docsOrig !== '') && ($secret !== '');
+
+        $exts = self::OO_SUPPORTED_EXTS;
+        // If you want the extras:
+        $exts = array_values(array_unique(array_merge($exts, self::OO_VIEW_ONLY_EXTRAS)));
+        
+        echo json_encode(['enabled' => (bool)$enabled, 'exts' => $exts], JSON_UNESCAPED_SLASHES);
+    }
+
+    /** GET /api/onlyoffice/config.php?folder=...&file=... */
+    public function config(): void
+    {
+        header('Content-Type: application/json; charset=utf-8');
+        header('Cache-Control: no-store');
+
+        @session_start();
+        $user   = $_SESSION['username'] ?? 'anonymous';
+        $perms  = [];
+        $isAdmin = \ACL::isAdmin($perms);
+
+        // Effective toggles
+        $enabled    = $this->effectiveEnabled();
+        $docsOrigin = rtrim($this->effectiveDocsOrigin(), '/');
+        $secret     = $this->effectiveSecret();
+        if (!$enabled) { http_response_code(404); echo '{"error":"ONLYOFFICE disabled"}'; return; }
+        if ($secret === '') { http_response_code(500); echo '{"error":"ONLYOFFICE_JWT_SECRET not configured"}'; return; }
+        if ($docsOrigin === '') { http_response_code(500); echo '{"error":"ONLYOFFICE_DOCS_ORIGIN not configured"}'; return; }
+        if (!defined('UPLOAD_DIR')) { http_response_code(500); echo '{"error":"UPLOAD_DIR not defined"}'; return; }
+
+        // Inputs
+        $folder = \ACL::normalizeFolder((string)($_GET['folder'] ?? 'root'));
+        $file   = basename((string)($_GET['file'] ?? ''));
+        if ($file === '') { http_response_code(400); echo '{"error":"Bad request"}'; return; }
+
+        // ACL
+        if (!\ACL::canRead($user, $perms, $folder)) { http_response_code(403); echo '{"error":"Forbidden"}'; return; }
+        $canEdit = \ACL::canEdit($user, $perms, $folder);
+
+        // Path
+        $base = rtrim(UPLOAD_DIR, "/\\") . DIRECTORY_SEPARATOR;
+        $rel  = ($folder === 'root') ? '' : ($folder . '/');
+        $abs  = realpath($base . $rel . $file);
+        if (!$abs || !is_file($abs)) { http_response_code(404); echo '{"error":"Not found"}'; return; }
+        if (strpos($abs, realpath($base)) !== 0) { http_response_code(400); echo '{"error":"Invalid path"}'; return; }
+
+        // Public origin
+        $publicOrigin = $this->effectivePublicOrigin();
+
+        // Signed download
+        $exp  = time() + 10*60;
+        $data = json_encode(['f'=>$folder,'n'=>$file,'u'=>$user,'adm'=>$isAdmin,'exp'=>$exp], JSON_UNESCAPED_SLASHES);
+        $sig  = hash_hmac('sha256', $data, $secret, true);
+        $tok  = $this->b64uEnc($data) . '.' . $this->b64uEnc($sig);
+        $fileUrl = $publicOrigin . '/api/onlyoffice/signed-download.php?tok=' . rawurlencode($tok);
+
+        // Callback
+        $cbExp = time() + 10*60;
+        $cbSig = hash_hmac('sha256', $folder.'|'.$file.'|'.$cbExp, $secret);
+        $callbackUrl = $publicOrigin . '/api/onlyoffice/callback.php'
+          . '?folder=' . rawurlencode($folder)
+          . '&file='   . rawurlencode($file)
+          . '&exp='    . $cbExp
+          . '&sig='    . $cbSig;
+
+        // Doc type & key
+        $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION) ?: 'docx');
+        $docType = in_array($ext, ['xls','xlsx','ods','csv'], true) ? 'cell'
+                : (in_array($ext, ['ppt','pptx','odp'], true) ? 'slide' : 'word');
+        $key = substr(sha1($abs . '|' . (string)filemtime($abs)), 0, 20);
+
+        $docsApiJs  = $docsOrigin . '/web-apps/apps/api/documents/api.js';
+
+        $cfgOut = [
+          'document' => [
+            'fileType' => $ext,
+            'key'      => $key,
+            'title'    => $file,
+            'url'      => $fileUrl,
+            'permissions' => [
+              'download' => true,
+              'print'    => true,
+              'edit' => $canEdit && !in_array($ext, self::OO_NEVER_EDIT, true),
+            ],
+          ],
+          'documentType' => $docType,
+          'editorConfig' => [
+            'callbackUrl' => $callbackUrl,
+            'user'        => ['id'=>$user, 'name'=>$user],
+            'lang'        => 'en',
+          ],
+          'type' => 'desktop',
+        ];
+
+        // JWT sign cfg
+        $h = $this->b64uEnc(json_encode(['alg'=>'HS256','typ'=>'JWT']));
+        $p = $this->b64uEnc(json_encode($cfgOut, JSON_UNESCAPED_SLASHES));
+        $s = $this->b64uEnc(hash_hmac('sha256', "$h.$p", $secret, true));
+        $cfgOut['token'] = "$h.$p.$s";
+        $cfgOut['docs_api_js'] = $docsApiJs;
+
+        echo json_encode($cfgOut, JSON_UNESCAPED_SLASHES);
+    }
+
+    /** POST /api/onlyoffice/callback.php?folder=...&file=...&exp=...&sig=... */
+    public function callback(): void
+{
+    header('Content-Type: application/json; charset=utf-8');
+
+    if (isset($_GET['ping'])) { echo '{"error":0}'; return; }
+
+    $secret = $this->effectiveSecret();
+    if ($secret === '') { http_response_code(500); $this->ooLog('error', 'missing secret'); echo '{"error":6}'; return; }
+
+    $folderRaw = (string)($_GET['folder'] ?? 'root');
+    $fileRaw   = (string)($_GET['file']   ?? '');
+    $exp       = (int)($_GET['exp']       ?? 0);
+    $sig       = (string)($_GET['sig']    ?? '');
+    $calc      = hash_hmac('sha256', "$folderRaw|$fileRaw|$exp", $secret);
+
+    // Debug-only preflight (no secrets; show short sigs)
+    if ($this->ooDebug()) {
+        $this->ooLog('debug', sprintf(
+            "PRE f='%s' n='%s' exp=%d sig[8]=%s calc[8]=%s",
+            $folderRaw, $fileRaw, $exp, substr($sig, 0, 8), substr($calc, 0, 8)
+        ));
+    }
+
+    $folder = \ACL::normalizeFolder($folderRaw);
+    $file   = basename($fileRaw);
+    if (!$exp || time() > $exp) { $this->ooLog('error', "expired exp for $folder/$file"); echo '{"error":6}'; return; }
+    if (!hash_equals($calc, $sig)) { $this->ooLog('error', "sig mismatch for $folder/$file"); echo '{"error":6}'; return; }
+
+    $raw  = file_get_contents('php://input') ?: '';
+    if ($this->ooDebug()) {
+        $this->ooLog('debug', 'BODY len=' . strlen($raw));
+    }
+
+    $body   = json_decode($raw, true) ?: [];
+    $status = (int)($body['status'] ?? 0);
+    $actor  = (string)($body['actions'][0]['userid'] ?? '');
+
+    $actorIsAdmin = (defined('DEFAULT_ADMIN_USER') && $actor !== '' && strcasecmp($actor, (string)DEFAULT_ADMIN_USER) === 0)
+                 || (strcasecmp($actor, 'admin') === 0);
+    $perms = $actorIsAdmin ? ['admin'=>true] : [];
+
+    $base = rtrim(UPLOAD_DIR, "/\\") . DIRECTORY_SEPARATOR;
+    $rel  = ($folder === 'root') ? '' : ($folder . '/');
+    $dir  = realpath($base . $rel) ?: ($base . $rel);
+    if (strpos($dir, realpath($base)) !== 0) { $this->ooLog('error', 'path escape'); echo '{"error":6}'; return; }
+
+    // Save-on statuses: 2/6/7
+    if (in_array($status, [2,6,7], true)) {
+        if (!$actor || !\ACL::canEdit($actor, $perms, $folder)) {
+            $this->ooLog('error', "ACL deny edit: actor='$actor' folder='$folder'");
+            echo '{"error":6}'; return;
+        }
+        $saveUrl = (string)($body['url'] ?? '');
+        if ($saveUrl === '') { $this->ooLog('error', "no url for status=$status"); echo '{"error":6}'; return; }
+
+        // fetch saved file
+        $data = null; $curlErr=''; $httpCode=0;
+        if (function_exists('curl_init')) {
+            $ch = curl_init($saveUrl);
+            curl_setopt_array($ch, [
+                CURLOPT_RETURNTRANSFER => true,
+                CURLOPT_FOLLOWLOCATION => true,
+                CURLOPT_CONNECTTIMEOUT => 10,
+                CURLOPT_TIMEOUT        => 45,
+                CURLOPT_HTTPHEADER     => ['Accept: */*','User-Agent: FileRise-ONLYOFFICE-Callback'],
+            ]);
+            $data = curl_exec($ch);
+            if ($data === false) $curlErr = curl_error($ch);
+            $httpCode = (int)curl_getinfo($ch, CURLINFO_HTTP_CODE);
+            curl_close($ch);
+            if ($data === false || $httpCode >= 400) {
+                $this->ooLog('error', "curl get failed ($httpCode) url=$saveUrl err=" . ($curlErr ?: 'n/a'));
+                $data = null;
+            }
+        }
+        if ($data === null) {
+            $ctx = stream_context_create(['http'=>['method'=>'GET','timeout'=>45,'header'=>"Accept: */*\r\n"]]);
+            $data = @file_get_contents($saveUrl, false, $ctx);
+            if ($data === false) { $this->ooLog('error', "stream get failed url=$saveUrl"); echo '{"error":6}'; return; }
+        }
+
+        if (!is_dir($dir)) { @mkdir($dir, 0775, true); }
+        $dest = rtrim($dir, "/\\") . DIRECTORY_SEPARATOR . $file;
+        if (@file_put_contents($dest, $data) === false) { $this->ooLog('error', "write failed: $dest"); echo '{"error":6}'; return; }
+
+        @touch($dest);
+
+        // Success: debug only
+        if ($this->ooDebug()) {
+            $this->ooLog('debug', "saved OK by '$actor' → $dest (" . strlen($data) . " bytes, status=$status)");
+        }
+        echo '{"error":0}'; return;
+    }
+
+    // Non-saving statuses: debug only
+    if ($this->ooDebug()) {
+        $this->ooLog('debug', "status=$status ack for $folder/$file by '$actor'");
+    }
+    echo '{"error":0}';
+}
+
+    /** GET /api/onlyoffice/signed-download.php?tok=... */
+    public function signedDownload(): void
+    {
+        header('X-Content-Type-Options: nosniff');
+        header('Cache-Control: no-store');
+
+        $secret = $this->effectiveSecret();
+        if ($secret === '') { http_response_code(403); return; }
+
+        $tok = $_GET['tok'] ?? '';
+        if (!$tok || strpos($tok, '.') === false) { http_response_code(400); return; }
+        [$b64data, $b64sig] = explode('.', $tok, 2);
+        $data = $this->b64uDec($b64data);
+        $sig  = $this->b64uDec($b64sig);
+        if ($data === false || $sig === false) { http_response_code(400); return; }
+
+        $calc = hash_hmac('sha256', $data, $secret, true);
+        if (!hash_equals($calc, $sig)) { http_response_code(403); return; }
+
+        $payload = json_decode($data, true);
+        if (!$payload || !isset($payload['f'],$payload['n'],$payload['exp'])) { http_response_code(400); return; }
+        if (time() > (int)$payload['exp']) { http_response_code(403); return; }
+
+        $folder = trim(str_replace('\\','/',$payload['f']),"/ \t\r\n");
+        if ($folder === '' || $folder === 'root') $folder = 'root';
+        $file   = basename((string)$payload['n']);
+
+        $base = rtrim(UPLOAD_DIR, "/\\") . DIRECTORY_SEPARATOR;
+        $rel  = ($folder === 'root') ? '' : ($folder . '/');
+        $abs  = realpath($base . $rel . $file);
+        if (!$abs || !is_file($abs)) { http_response_code(404); return; }
+        if (strpos($abs, realpath($base)) !== 0) { http_response_code(400); return; }
+
+        $mime = mime_content_type($abs) ?: 'application/octet-stream';
+        header('Content-Type: '.$mime);
+        header('Content-Length: '.filesize($abs));
+        header('Content-Disposition: inline; filename="' . rawurlencode($file) . '"');
+        readfile($abs);
+    }
+}

src/controllers/UploadController.php

@@ -52,57 +52,69 @@ class UploadController {
         }
     
         // ---- 3) Folder-level WRITE permission (ACL) ----
-        // Always require client to send the folder; fall back to GET if needed.
-        $folderParam   = isset($_POST['folder']) ? (string)$_POST['folder'] : (isset($_GET['folder']) ? (string)$_GET['folder'] : 'root');
-        $targetFolder  = ACL::normalizeFolder($folderParam);
-    
-        // Admins bypass folder canWrite checks
-        if (!$isAdmin && !ACL::canUpload($username, $userPerms, $targetFolder)) {
-            http_response_code(403);
-            echo json_encode(['error' => 'Forbidden: no write access to folder "'.$targetFolder.'".']);
-            return;
-        }
-    
-        // ---- 4) Delegate to model (actual file/chunk processing) ----
-        // (Optionally re-check in UploadModel before finalizing.)
-        $result = UploadModel::handleUpload($_POST, $_FILES);
-    
-        // ---- 5) Response ----
-        if (isset($result['error'])) {
-            http_response_code(400);
-            echo json_encode($result);
-            return;
-        }
-        if (isset($result['status'])) {
-            // e.g., {"status":"chunk uploaded"}
-            echo json_encode($result);
-            return;
-        }
-    
-        echo json_encode([
-            'success'     => 'File uploaded successfully',
-            'newFilename' => $result['newFilename'] ?? null
-        ]);
+    // Always require client to send the folder; fall back to GET if needed.
+    $folderParam = isset($_POST['folder'])
+        ? (string)$_POST['folder']
+        : (isset($_GET['folder']) ? (string)$_GET['folder'] : 'root');
+
+    // Decode %xx (e.g., "test%20folder") then normalize
+    $folderParam  = rawurldecode($folderParam);
+    $targetFolder = ACL::normalizeFolder($folderParam);
+
+    // Admins bypass folder canWrite checks
+    $username  = (string)($_SESSION['username'] ?? '');
+    $userPerms = loadUserPermissions($username) ?: [];
+    $isAdmin   = ACL::isAdmin($userPerms);
+
+    if (!$isAdmin && !ACL::canUpload($username, $userPerms, $targetFolder)) {
+        http_response_code(403);
+        echo json_encode(['error' => 'Forbidden: no write access to folder "'.$targetFolder.'".']);
+        return;
     }
+
+    // ---- 4) Delegate to model (force the sanitized folder) ----
+    $_POST['folder'] = $targetFolder; // in case model reads superglobal
+    $post = $_POST;
+    $post['folder'] = $targetFolder;
+
+    $result = UploadModel::handleUpload($post, $_FILES);
+
+    // ---- 5) Response (unchanged) ----
+    if (isset($result['error'])) {
+        http_response_code(400);
+        echo json_encode($result);
+        return;
+    }
+    if (isset($result['status'])) {
+        echo json_encode($result);
+        return;
+    }
+
+    echo json_encode([
+        'success'     => 'File uploaded successfully',
+        'newFilename' => $result['newFilename'] ?? null
+    ]);
+}
     
     public function removeChunks(): void {
-        header('Content-Type: application/json');
+    header('Content-Type: application/json');
 
-        $receivedToken = isset($_POST['csrf_token']) ? trim($_POST['csrf_token']) : '';
-        if ($receivedToken !== ($_SESSION['csrf_token'] ?? '')) {
-            http_response_code(403);
-            echo json_encode(['error' => 'Invalid CSRF token']);
-            return;
-        }
-
-        if (!isset($_POST['folder'])) {
-            http_response_code(400);
-            echo json_encode(['error' => 'No folder specified']);
-            return;
-        }
-
-        $folder = (string)$_POST['folder'];
-        $result = UploadModel::removeChunks($folder);
-        echo json_encode($result);
+    $receivedToken = isset($_POST['csrf_token']) ? trim($_POST['csrf_token']) : '';
+    if ($receivedToken !== ($_SESSION['csrf_token'] ?? '')) {
+        http_response_code(403);
+        echo json_encode(['error' => 'Invalid CSRF token']);
+        return;
     }
+
+    if (!isset($_POST['folder'])) {
+        http_response_code(400);
+        echo json_encode(['error' => 'No folder specified']);
+        return;
+    }
+
+    $folderRaw = (string)$_POST['folder'];
+    $folder    = ACL::normalizeFolder(rawurldecode($folderRaw));
+
+    echo json_encode(UploadModel::removeChunks($folder));
+}
 }

src/controllers/UserController.php

@@ -3,6 +3,7 @@
 
 require_once __DIR__ . '/../../config/config.php';
 require_once PROJECT_ROOT . '/src/models/UserModel.php';
+require_once PROJECT_ROOT . '/src/models/AdminModel.php';
 
 /**
  * UserController
@@ -665,4 +666,38 @@ class UserController
         echo json_encode(['success' => true, 'url' => $url]);
         exit;
     }
+
+    public function siteConfig(): void
+    {
+        header('Content-Type: application/json');
+
+        $usersDir     = rtrim(USERS_DIR, '/\\') . DIRECTORY_SEPARATOR;
+        $publicPath   = $usersDir . 'siteConfig.json';
+        $adminEncPath = $usersDir . 'adminConfig.json';
+
+        $publicMtime = is_file($publicPath) ? (int)@filemtime($publicPath) : 0;
+        $adminMtime  = is_file($adminEncPath) ? (int)@filemtime($adminEncPath) : 0;
+
+        // If public cache is present and fresh enough, serve it
+        if ($publicMtime > 0 && $publicMtime >= $adminMtime) {
+            $raw = @file_get_contents($publicPath);
+            $data = is_string($raw) ? json_decode($raw, true) : null;
+            if (is_array($data)) {
+                echo json_encode($data);
+                return;
+            }
+        }
+
+        // Otherwise regenerate from decrypted admin config
+        $cfg = AdminModel::getConfig();
+        if (isset($cfg['error'])) {
+            http_response_code(500);
+            echo json_encode(['error' => $cfg['error']]);
+            return;
+        }
+
+        $public = AdminModel::buildPublicSubset($cfg);
+        $w = AdminModel::writeSiteConfig($public); // best effort
+        echo json_encode($public);
+    }
 }

src/models/AdminModel.php

@@ -62,6 +62,83 @@ class AdminModel
         return (int)$val;
     }
 
+    /** Allow only http(s) URLs; return '' for invalid input. */
+    private static function sanitizeHttpUrl($url): string
+    {
+        $url = trim((string)$url);
+        if ($url === '') return '';
+        $valid = filter_var($url, FILTER_VALIDATE_URL);
+        if (!$valid) return '';
+        $scheme = strtolower(parse_url($url, PHP_URL_SCHEME) ?: '');
+        return ($scheme === 'http' || $scheme === 'https') ? $url : '';
+    }
+
+    public static function buildPublicSubset(array $config): array
+{
+    $public = [
+        'header_title'        => $config['header_title'] ?? 'FileRise',
+        'loginOptions'        => [
+            'disableFormLogin' => (bool)($config['loginOptions']['disableFormLogin'] ?? false),
+            'disableBasicAuth' => (bool)($config['loginOptions']['disableBasicAuth'] ?? false),
+            'disableOIDCLogin' => (bool)($config['loginOptions']['disableOIDCLogin'] ?? false),
+        ],
+        'globalOtpauthUrl'    => $config['globalOtpauthUrl'] ?? '',
+        'enableWebDAV'        => (bool)($config['enableWebDAV'] ?? false),
+        'sharedMaxUploadSize' => (int)($config['sharedMaxUploadSize'] ?? 0),
+        'oidc' => [
+            'providerUrl' => (string)($config['oidc']['providerUrl'] ?? ''),
+            'redirectUri' => (string)($config['oidc']['redirectUri'] ?? ''),
+        ],
+    ];
+
+    // NEW: include ONLYOFFICE minimal public flag
+    $ooEnabled = null;
+    if (isset($config['onlyoffice']['enabled'])) {
+        $ooEnabled = (bool)$config['onlyoffice']['enabled'];
+    } elseif (defined('ONLYOFFICE_ENABLED')) {
+        $ooEnabled = (bool)ONLYOFFICE_ENABLED;
+    }
+    if ($ooEnabled !== null) {
+        $public['onlyoffice'] = ['enabled' => $ooEnabled];
+    }
+    $locked = defined('ONLYOFFICE_ENABLED') || defined('ONLYOFFICE_JWT_SECRET')
+       || defined('ONLYOFFICE_DOCS_ORIGIN') || defined('ONLYOFFICE_PUBLIC_ORIGIN');
+
+if ($locked) {
+    $ooEnabled = defined('ONLYOFFICE_ENABLED') ? (bool)ONLYOFFICE_ENABLED : false;
+} else {
+    $ooEnabled = isset($config['onlyoffice']['enabled']) ? (bool)$config['onlyoffice']['enabled'] : false;
+}
+
+$public['onlyoffice'] = ['enabled' => $ooEnabled];
+
+    return $public;
+}
+
+    /** Write USERS_DIR/siteConfig.json atomically (unencrypted). */
+    public static function writeSiteConfig(array $publicSubset): array
+    {
+        $dest = rtrim(USERS_DIR, '/\\') . DIRECTORY_SEPARATOR . 'siteConfig.json';
+        $tmp  = $dest . '.tmp';
+
+        $json = json_encode($publicSubset, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
+        if ($json === false) {
+            return ["error" => "Failed to encode siteConfig.json"];
+        }
+
+        if (file_put_contents($tmp, $json, LOCK_EX) === false) {
+            return ["error" => "Failed to write temp siteConfig.json"];
+        }
+
+        if (!@rename($tmp, $dest)) {
+            @unlink($tmp);
+            return ["error" => "Failed to move siteConfig.json into place"];
+        }
+
+        @chmod($dest, 0664); // readable in bind mounts
+        return ["success" => true];
+    }
+
     /**
      * Updates the admin configuration file.
      *
@@ -128,6 +205,28 @@ class AdminModel
             $configUpdate['loginOptions']['authHeaderName'] = trim($configUpdate['loginOptions']['authHeaderName']);
         }
 
+                // ---- ONLYOFFICE (persist, sanitize; keep secret unless explicitly replaced) ----
+                if (isset($configUpdate['onlyoffice']) && is_array($configUpdate['onlyoffice'])) {
+                    $oo = $configUpdate['onlyoffice'];
+        
+                    $norm = [
+                        'enabled'      => (bool)($oo['enabled'] ?? false),
+                        'docsOrigin'   => self::sanitizeHttpUrl($oo['docsOrigin'] ?? ''),
+                        'publicOrigin' => self::sanitizeHttpUrl($oo['publicOrigin'] ?? ''),
+                    ];
+        
+                    // Only accept a new secret if provided (non-empty). We do NOT clear on empty.
+                    if (array_key_exists('jwtSecret', $oo)) {
+                        $js = trim((string)$oo['jwtSecret']);
+                        if ($js !== '') {
+                            if (strlen($js) > 1024) $js = substr($js, 0, 1024);
+                            $norm['jwtSecret'] = $js; // will be encrypted with encryptData()
+                        }
+                    }
+        
+                    $configUpdate['onlyoffice'] = $norm;
+                }
+
         // Convert configuration to JSON.
         $plainTextConfig = json_encode($configUpdate, JSON_PRETTY_PRINT);
         if ($plainTextConfig === false) {
@@ -157,6 +256,14 @@ class AdminModel
         // Best-effort normalize perms for host visibility (user rw, group rw)
         @chmod($configFile, 0664);
 
+        $public = self::buildPublicSubset($configUpdate);
+        $w = self::writeSiteConfig($public);
+        // Don’t fail the whole update if public cache write had a minor issue.
+        if (isset($w['error'])) {
+            // Log but keep success for admin write
+            error_log("AdminModel::writeSiteConfig warning: " . $w['error']);
+        }
+
         return ["success" => "Configuration updated successfully."];
     }
 
@@ -248,6 +355,19 @@ class AdminModel
                 $config['sharedMaxUploadSize'] = (int)min((int)$config['sharedMaxUploadSize'], $maxBytes);
             }
 
+            // ---- Ensure ONLYOFFICE structure exists, sanitize values ----
+            if (!isset($config['onlyoffice']) || !is_array($config['onlyoffice'])) {
+                $config['onlyoffice'] = [
+                    'enabled'      => false,
+                    'docsOrigin'   => '',
+                    'publicOrigin' => '',
+                ];
+            } else {
+                $config['onlyoffice']['enabled']      = (bool)($config['onlyoffice']['enabled'] ?? false);
+                $config['onlyoffice']['docsOrigin']   = self::sanitizeHttpUrl($config['onlyoffice']['docsOrigin'] ?? '');
+                $config['onlyoffice']['publicOrigin'] = self::sanitizeHttpUrl($config['onlyoffice']['publicOrigin'] ?? '');
+            }
+
             return $config;
         }
 
@@ -262,12 +382,17 @@ class AdminModel
             ],
             'loginOptions'          => [
                 'disableFormLogin' => false,
-                'disableBasicAuth' => false,
+                'disableBasicAuth' => true,
                 'disableOIDCLogin' => true
             ],
             'globalOtpauthUrl'      => "",
             'enableWebDAV'          => false,
-            'sharedMaxUploadSize'   => min(50 * 1024 * 1024, self::parseSize(TOTAL_UPLOAD_SIZE))
+            'sharedMaxUploadSize'   => min(50 * 1024 * 1024, self::parseSize(TOTAL_UPLOAD_SIZE)),
+            'onlyoffice'            => [
+                'enabled'      => false,
+                'docsOrigin'   => '',
+                'publicOrigin' => '',
+            ],
         ];
     }
-}
+}

src/models/FileModel.php

@@ -557,59 +557,96 @@ class FileModel {
      * @return array An associative array with either an "error" key or a "zipPath" key.
      */
     public static function createZipArchive($folder, $files) {
-        // Validate and build folder path.
-        $folder = trim($folder) ?: 'root';
+        // Normalize and validate target folder
+        $folder = trim((string)$folder) ?: 'root';
         $baseDir = realpath(UPLOAD_DIR);
         if ($baseDir === false) {
             return ["error" => "Uploads directory not configured correctly."];
         }
+    
         if (strtolower($folder) === 'root' || $folder === "") {
             $folderPathReal = $baseDir;
         } else {
-            // Prevent path traversal.
+            // Prevent traversal and validate each segment against folder regex
             if (strpos($folder, '..') !== false) {
                 return ["error" => "Invalid folder name."];
             }
-            $folderPath = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR . trim($folder, "/\\ ");
+            $parts = explode('/', trim($folder, "/\\ "));
+            foreach ($parts as $part) {
+                if ($part === '' || !preg_match(REGEX_FOLDER_NAME, $part)) {
+                    return ["error" => "Invalid folder name."];
+                }
+            }
+            $folderPath = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $parts);
             $folderPathReal = realpath($folderPath);
             if ($folderPathReal === false || strpos($folderPathReal, $baseDir) !== 0) {
                 return ["error" => "Folder not found."];
             }
         }
-
-        // Validate each file and build an array of files to zip.
+    
+        // Collect files to zip (only regular files in the chosen folder)
         $filesToZip = [];
         foreach ($files as $fileName) {
-            // Validate file name using REGEX_FILE_NAME.
-            $fileName = basename(trim($fileName));
+            $fileName = basename(trim((string)$fileName));
             if (!preg_match(REGEX_FILE_NAME, $fileName)) {
                 continue;
             }
             $fullPath = $folderPathReal . DIRECTORY_SEPARATOR . $fileName;
-            if (file_exists($fullPath)) {
+            if (is_file($fullPath)) {
                 $filesToZip[] = $fullPath;
             }
         }
         if (empty($filesToZip)) {
             return ["error" => "No valid files found to zip."];
         }
-
-        // Create a temporary ZIP file.
-        $tempZip = tempnam(sys_get_temp_dir(), 'zip');
-        unlink($tempZip); // Remove the temp file so that ZipArchive can create a new file.
-        $tempZip .= '.zip';
-
-        $zip = new ZipArchive();
-        if ($zip->open($tempZip, ZipArchive::CREATE) !== TRUE) {
+    
+        // Workspace on the big disk: META_DIR/ziptmp
+        $work = rtrim((string)META_DIR, '/\\') . DIRECTORY_SEPARATOR . 'ziptmp';
+        if (!is_dir($work)) {
+            @mkdir($work, 0775, true);
+        }
+        if (!is_dir($work) || !is_writable($work)) {
+            return ["error" => "ZIP temp dir not writable: " . $work];
+        }
+    
+        // Optional sanity: ensure there is roughly enough free space
+        $totalSize = 0;
+        foreach ($filesToZip as $fp) {
+            $sz = @filesize($fp);
+            if ($sz !== false) $totalSize += (int)$sz;
+        }
+        $free = @disk_free_space($work);
+        // Add ~20MB overhead and a 5% cushion
+        if ($free !== false && $totalSize > 0) {
+            $needed = (int)ceil($totalSize * 1.05) + (20 * 1024 * 1024);
+            if ($free < $needed) {
+                return ["error" => "Insufficient free space in ZIP workspace."];
+            }
+        }
+    
+        @set_time_limit(0);
+    
+        // Create the ZIP path inside META_DIR/ziptmp
+        $zipName = 'download-' . date('Ymd-His') . '-' . bin2hex(random_bytes(4)) . '.zip';
+        $zipPath = $work . DIRECTORY_SEPARATOR . $zipName;
+    
+        $zip = new \ZipArchive();
+        if ($zip->open($zipPath, \ZipArchive::CREATE | \ZipArchive::OVERWRITE) !== true) {
             return ["error" => "Could not create zip archive."];
         }
-        // Add each file using its base name.
+    
         foreach ($filesToZip as $filePath) {
+            // Add using basename at the root of the zip (matches your current behavior)
             $zip->addFile($filePath, basename($filePath));
         }
-        $zip->close();
-
-        return ["zipPath" => $tempZip];
+    
+        if (!$zip->close()) {
+            // Commonly indicates disk full at finalize
+            return ["error" => "Failed to finalize ZIP (disk full?)."];
+        }
+    
+        // Success: controller will readfile() and unlink()
+        return ["zipPath" => $zipPath];
     }
 
     /**
@@ -623,15 +660,23 @@ class FileModel {
         $errors = [];
         $allSuccess = true;
         $extractedFiles = [];
-
+    
+        // Config toggles
+        $SKIP_DOTFILES = defined('SKIP_DOTFILES_ON_EXTRACT') ? (bool)SKIP_DOTFILES_ON_EXTRACT : true;
+    
+        // Hard limits to mitigate zip-bombs (tweak via defines if you like)
+        $MAX_UNZIP_BYTES = defined('MAX_UNZIP_BYTES') ? (int)MAX_UNZIP_BYTES : (200 * 1024 * 1024 * 1024); // 200 GiB
+        $MAX_UNZIP_FILES = defined('MAX_UNZIP_FILES') ? (int)MAX_UNZIP_FILES : 20000;
+    
         $baseDir = realpath(UPLOAD_DIR);
         if ($baseDir === false) {
             return ["error" => "Uploads directory not configured correctly."];
         }
-
+    
         // Build target dir
         if (strtolower(trim($folder) ?: '') === "root") {
             $relativePath = "";
+            $folderNorm = "root";
         } else {
             $parts = explode('/', trim($folder, "/\\"));
             foreach ($parts as $part) {
@@ -640,9 +685,10 @@ class FileModel {
                 }
             }
             $relativePath = implode(DIRECTORY_SEPARATOR, $parts) . DIRECTORY_SEPARATOR;
+            $folderNorm   = implode('/', $parts); // normalized with forward slashes for metadata helpers
         }
-
-        $folderPath     = $baseDir . DIRECTORY_SEPARATOR . $relativePath;
+    
+        $folderPath = $baseDir . DIRECTORY_SEPARATOR . $relativePath;
         if (!is_dir($folderPath) && !mkdir($folderPath, 0775, true)) {
             return ["error" => "Folder not found and cannot be created."];
         }
@@ -650,17 +696,74 @@ class FileModel {
         if ($folderPathReal === false || strpos($folderPathReal, $baseDir) !== 0) {
             return ["error" => "Folder not found."];
         }
-
-        // Prepare metadata container
-        $metadataFile  = self::getMetadataFilePath($folder);
-        $destMetadata  = file_exists($metadataFile) ? (json_decode(file_get_contents($metadataFile), true) ?: []) : [];
-
+    
+        // Metadata cache per folder to avoid many reads/writes
+        $metaCache = [];
+        $getMeta = function(string $folderStr) use (&$metaCache) {
+            if (!isset($metaCache[$folderStr])) {
+                $mf = self::getMetadataFilePath($folderStr);
+                $metaCache[$folderStr] = file_exists($mf) ? (json_decode(file_get_contents($mf), true) ?: []) : [];
+            }
+            return $metaCache[$folderStr];
+        };
+        $putMeta = function(string $folderStr, array $meta) use (&$metaCache) {
+            $metaCache[$folderStr] = $meta;
+        };
+    
         $safeFileNamePattern = REGEX_FILE_NAME;
         $actor = $_SESSION['username'] ?? 'Unknown';
         $now   = date(DATE_TIME_FORMAT);
-
+    
+        // --- Helpers ---
+    
+        // Reject absolute paths, traversal, drive letters
+        $isUnsafeEntryPath = function(string $entry) : bool {
+            $e = str_replace('\\', '/', $entry);
+            if ($e === '' || str_contains($e, "\0")) return true;
+            if (str_starts_with($e, '/')) return true;                 // absolute nix path
+            if (preg_match('/^[A-Za-z]:[\\/]/', $e)) return true;      // Windows drive
+            if (str_contains($e, '../') || str_contains($e, '..\\')) return true;
+            return false;
+        };
+    
+        // Validate each subfolder name in the path using REGEX_FOLDER_NAME
+        $validEntrySubdirs = function(string $entry) : bool {
+            $e = trim(str_replace('\\', '/', $entry), '/');
+            if ($e === '') return true;
+            $dirs = explode('/', $e);
+            array_pop($dirs); // remove basename; we only validate directories here
+            foreach ($dirs as $d) {
+                if ($d === '' || !preg_match(REGEX_FOLDER_NAME, $d)) return false;
+            }
+            return true;
+        };
+    
+        // NEW: hidden path detector — true if ANY segment starts with '.'
+        $isHiddenDotPath = function(string $entry) : bool {
+            $e = trim(str_replace('\\', '/', $entry), '/');
+            if ($e === '') return false;
+            foreach (explode('/', $e) as $seg) {
+                if ($seg !== '' && $seg[0] === '.') return true;
+            }
+            return false;
+        };
+    
+        // Generalized metadata stamper: writes to the specified folder's metadata.json
+        $stampMeta = function(string $folderStr, string $basename) use (&$getMeta, &$putMeta, $actor, $now) {
+            $meta = $getMeta($folderStr);
+            $meta[$basename] = [
+                'uploaded' => $now,
+                'modified' => $now,
+                'uploader' => $actor,
+            ];
+            $putMeta($folderStr, $meta);
+        };
+    
+        // No PHP execution time limit during heavy work
+        @set_time_limit(0);
+    
         foreach ($files as $zipFileName) {
-            $zipBase = basename(trim($zipFileName));
+            $zipBase = basename(trim((string)$zipFileName));
             if (strtolower(substr($zipBase, -4)) !== '.zip') {
                 continue;
             }
@@ -669,76 +772,135 @@ class FileModel {
                 $allSuccess = false;
                 continue;
             }
-
+    
             $zipFilePath = $folderPathReal . DIRECTORY_SEPARATOR . $zipBase;
             if (!file_exists($zipFilePath)) {
                 $errors[] = "$zipBase does not exist in folder.";
                 $allSuccess = false;
                 continue;
             }
-
-            $zip = new ZipArchive();
-            if ($zip->open($zipFilePath) !== TRUE) {
+    
+            $zip = new \ZipArchive();
+            if ($zip->open($zipFilePath) !== true) {
                 $errors[] = "Could not open $zipBase as a zip file.";
                 $allSuccess = false;
                 continue;
             }
-
-            // Minimal Zip Slip guard: fail if any entry looks unsafe
+    
+            // ---- Pre-scan: safety and size limits + build allow-list (skip dotfiles) ----
             $unsafe = false;
+            $totalUncompressed = 0;
+            $fileCount = 0;
+            $allowedEntries = [];   // names to extract (files and/or directories)
+            $allowedFiles   = [];   // only files (for metadata stamping)
+    
             for ($i = 0; $i < $zip->numFiles; $i++) {
-                $entryName = $zip->getNameIndex($i);
-                if ($entryName === false) { $unsafe = true; break; }
-                // Absolute paths, parent traversal, or Windows drive paths
-                if (strpos($entryName, '../') !== false || strpos($entryName, '..\\') !== false ||
-                    str_starts_with($entryName, '/') || preg_match('/^[A-Za-z]:[\\\\\\/]/', $entryName)) {
+                $stat = $zip->statIndex($i);
+                $name = $zip->getNameIndex($i);
+                if ($name === false || !$stat) { $unsafe = true; break; }
+    
+                $isDir = str_ends_with($name, '/');
+    
+                // Basic path checks
+                if ($isUnsafeEntryPath($name) || !$validEntrySubdirs($name)) { $unsafe = true; break; }
+    
+                // Skip hidden entries (any segment starts with '.')
+                if ($SKIP_DOTFILES && $isHiddenDotPath($name)) {
+                    continue; // just ignore; do not treat as unsafe
+                }
+    
+                // Detect symlinks via external attributes (best-effort)
+                $mode = (isset($stat['external_attributes']) ? (($stat['external_attributes'] >> 16) & 0xF000) : 0);
+                if ($mode === 0120000) { // S_IFLNK
                     $unsafe = true; break;
                 }
+    
+                // Track limits only for files we're going to extract
+                if (!$isDir) {
+                    $fileCount++;
+                    $sz = isset($stat['size']) ? (int)$stat['size'] : 0;
+                    $totalUncompressed += $sz;
+                    if ($fileCount > $MAX_UNZIP_FILES || $totalUncompressed > $MAX_UNZIP_BYTES) {
+                        $unsafe = true; break;
+                    }
+                    $allowedFiles[] = $name;
+                }
+    
+                $allowedEntries[] = $name;
             }
+    
             if ($unsafe) {
                 $zip->close();
-                $errors[] = "$zipBase contains unsafe paths; extraction aborted.";
+                $errors[] = "$zipBase contains unsafe or oversized contents; extraction aborted.";
                 $allSuccess = false;
                 continue;
             }
-
-            // Extract safely (whole archive) after precheck
-            if (!$zip->extractTo($folderPathReal)) {
+    
+            // Nothing to extract after filtering?
+            if (empty($allowedEntries)) {
+                $zip->close();
+                // Treat as success (nothing visible to extract), but informatively note it
+                $errors[] = "$zipBase contained only hidden or unsupported entries.";
+                $allSuccess = false; // or keep true if you'd rather not mark as failure
+                continue;
+            }
+    
+            // ---- Extract ONLY the allowed entries ----
+            if (!$zip->extractTo($folderPathReal, $allowedEntries)) {
                 $errors[] = "Failed to extract $zipBase.";
                 $allSuccess = false;
                 $zip->close();
                 continue;
             }
-
-            // Stamp metadata for extracted regular files
-            for ($i = 0; $i < $zip->numFiles; $i++) {
-                $entryName = $zip->getNameIndex($i);
-                if ($entryName === false) continue;
-
-                $basename = basename($entryName);
+    
+            // ---- Stamp metadata for files in the target folder AND nested subfolders (allowed files only) ----
+            foreach ($allowedFiles as $entryName) {
+                // Normalize entry path for filesystem checks
+                $entryFsRel = str_replace(['\\'], '/', $entryName);
+                $entryFsRel = ltrim($entryFsRel, '/'); // ensure relative
+    
+                // Skip any directories (shouldn't be listed here, but defend anyway)
+                if ($entryFsRel === '' || str_ends_with($entryFsRel, '/')) continue;
+    
+                $basename = basename($entryFsRel);
                 if ($basename === '' || !preg_match($safeFileNamePattern, $basename)) continue;
-
-                // Only stamp files that actually exist after extraction
-                $target = $folderPathReal . DIRECTORY_SEPARATOR . $entryName;
-                $isDir  = str_ends_with($entryName, '/') || is_dir($target);
-                if ($isDir) continue;
-
-                $extractedFiles[] = $basename;
-                $destMetadata[$basename] = [
-                    'uploaded' => $now,
-                    'modified' => $now,
-                    'uploader' => $actor,
-                    // no tags by default
-                ];
+    
+                // Decide which folder's metadata to update:
+                // - top-level files -> $folderNorm
+                // - nested files    -> corresponding "<folderNorm>/<sub/dir>" (or "sub/dir" if folderNorm is 'root')
+                $relDir = str_replace('\\', '/', trim(dirname($entryFsRel), '.'));
+                $relDir = ($relDir === '.' ? '' : trim($relDir, '/'));
+    
+                $targetFolderNorm = ($relDir === '' || $relDir === '.')
+                    ? $folderNorm
+                    : (($folderNorm === 'root') ? $relDir : ($folderNorm . '/' . $relDir));
+    
+                // Only stamp if the file actually exists on disk after extraction
+                $targetAbs = $folderPathReal . DIRECTORY_SEPARATOR . str_replace('/', DIRECTORY_SEPARATOR, $entryFsRel);
+                if (is_file($targetAbs)) {
+                    // Preserve list behavior: only include top-level extracted names
+                    if ($relDir === '' || $relDir === '.') {
+                        $extractedFiles[] = $basename;
+                    }
+                    $stampMeta($targetFolderNorm, $basename);
+                }
             }
+    
             $zip->close();
         }
-
-        if (file_put_contents($metadataFile, json_encode($destMetadata, JSON_PRETTY_PRINT), LOCK_EX) === false) {
-            $errors[] = "Failed to update metadata.";
-            $allSuccess = false;
+    
+        // Persist metadata for any touched folder(s)
+        foreach ($metaCache as $folderStr => $meta) {
+            $metadataFile = self::getMetadataFilePath($folderStr);
+            if (!is_dir(dirname($metadataFile))) {
+                @mkdir(dirname($metadataFile), 0775, true);
+            }
+            if (file_put_contents($metadataFile, json_encode($meta, JSON_PRETTY_PRINT), LOCK_EX) === false) {
+                $errors[] = "Failed to update metadata for {$folderStr}.";
+                $allSuccess = false;
+            }
         }
-
+    
         return $allSuccess
             ? ["success" => true, "extractedFiles" => $extractedFiles]
             : ["success" => false, "error" => implode(" ", $errors)];

src/models/MediaModel.php

@@ -0,0 +1,94 @@
+<?php
+// src/models/MediaModel.php
+declare(strict_types=1);
+
+require_once PROJECT_ROOT . '/config/config.php';
+require_once PROJECT_ROOT . '/src/lib/ACL.php';
+
+class MediaModel
+{
+    private static function baseDir(): string {
+        $dir = rtrim(USERS_DIR, '/\\') . DIRECTORY_SEPARATOR . 'user_state';
+        if (!is_dir($dir)) @mkdir($dir, 0775, true);
+        return $dir . DIRECTORY_SEPARATOR;
+    }
+
+    private static function filePathFor(string $username): string {
+        // case-insensitive username file
+        $safe = strtolower(preg_replace('/[^a-z0-9_\-\.]/i', '_', $username));
+        return self::baseDir() . $safe . '_media.json';
+    }
+
+    private static function loadState(string $username): array {
+        $path = self::filePathFor($username);
+        if (!file_exists($path)) return ["version"=>1, "items"=>[]];
+        $json = file_get_contents($path);
+        $data = json_decode($json, true);
+        return (is_array($data) && isset($data['items'])) ? $data : ["version"=>1, "items"=>[]];
+    }
+
+    private static function saveState(string $username, array $state): bool {
+        $path = self::filePathFor($username);
+        $tmp  = $path . '.tmp';
+        $ok   = file_put_contents($tmp, json_encode($state, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT), LOCK_EX);
+        if ($ok === false) return false;
+        return @rename($tmp, $path);
+    }
+
+    /** Save/merge a single file progress record. */
+    public static function saveProgress(string $username, string $folder, string $file, float $seconds, ?float $duration, ?bool $completed): array {
+        $folderKey = ($folder === '' || strtolower($folder)==='root') ? 'root' : $folder;
+        $nowIso    = date('c');
+
+        $state = self::loadState($username);
+        if (!isset($state['items'][$folderKey])) $state['items'][$folderKey] = [];
+        if (!isset($state['items'][$folderKey][$file])) {
+            $state['items'][$folderKey][$file] = [
+                "seconds"   => 0,
+                "duration"  => $duration ?? 0,
+                "completed" => false,
+                "updatedAt" => $nowIso
+            ];
+        }
+
+        $row =& $state['items'][$folderKey][$file];
+        if ($duration !== null && $duration > 0) $row['duration'] = $duration;
+        if ($seconds >= 0) $row['seconds'] = $seconds;
+        if ($completed !== null) $row['completed'] = (bool)$completed;
+        // auto-complete if we’re basically done
+        if (!$row['completed'] && $row['duration'] > 0 && $row['seconds'] >= max(0, $row['duration'] * 0.95)) {
+            $row['completed'] = true;
+        }
+        $row['updatedAt'] = $nowIso;
+
+        self::saveState($username, $state);
+        return $row;
+    }
+
+    /** Get a single file progress record. */
+    public static function getProgress(string $username, string $folder, string $file): array {
+        $folderKey = ($folder === '' || strtolower($folder)==='root') ? 'root' : $folder;
+        $state = self::loadState($username);
+        $row   = $state['items'][$folderKey][$file] ?? null;
+        return is_array($row) ? $row : ["seconds"=>0,"duration"=>0,"completed"=>false,"updatedAt"=>null];
+    }
+
+    /** Folder map: filename => {seconds,duration,completed,updatedAt} */
+    public static function getFolderMap(string $username, string $folder): array {
+        $folderKey = ($folder === '' || strtolower($folder)==='root') ? 'root' : $folder;
+        $state = self::loadState($username);
+        $items = $state['items'][$folderKey] ?? [];
+        return is_array($items) ? $items : [];
+    }
+
+    /** Clear one file’s progress (e.g., “mark unviewed”). */
+    public static function clearProgress(string $username, string $folder, string $file): bool {
+        $folderKey = ($folder === '' || strtolower($folder)==='root') ? 'root' : $folder;
+        $state = self::loadState($username);
+        if (isset($state['items'][$folderKey][$file])) {
+            unset($state['items'][$folderKey][$file]);
+            return self::saveState($username, $state);
+        }
+        return true;
+    }
+}

src/models/UploadModel.php

@@ -6,231 +6,206 @@ require_once PROJECT_ROOT . '/config/config.php';
 class UploadModel {
 
     private static function sanitizeFolder(string $folder): string {
-                $folder = trim($folder);
-                if ($folder === '' || strtolower($folder) === 'root') return '';
-                // no traversal
-                if (strpos($folder, '..') !== false) return '';
-                // only safe chars + forward slashes
-                if (!preg_match('/^[A-Za-z0-9_\-\/]+$/', $folder)) return '';
-                // normalize: strip leading slashes
-                return ltrim($folder, '/');
+        // decode "%20", normalise slashes & trim via ACL helper
+        $f = ACL::normalizeFolder(rawurldecode($folder));
+
+        // model uses '' to represent root
+        if ($f === 'root') return '';
+
+        // forbid dot segments / empty parts
+        foreach (explode('/', $f) as $seg) {
+            if ($seg === '' || $seg === '.' || $seg === '..') {
+                return '';
             }
+        }
 
+        // allow spaces & unicode via your global regex
+        // (REGEX_FOLDER_NAME validates a path "seg(/seg)*")
+        if (!preg_match(REGEX_FOLDER_NAME, $f)) {
+            return '';
+        }
+
+        return $f; // safe, normalised, with spaces allowed
+    }
 
-    /**
-     * Handles file uploads – supports both chunked uploads and full (non-chunked) uploads.
-     *
-     * @param array $post The $_POST array.
-     * @param array $files The $_FILES array.
-     * @return array Returns an associative array with "success" on success or "error" on failure.
-     */
     public static function handleUpload(array $post, array $files): array {
-        // If this is a GET request for testing chunk existence.
+        // --- GET resumable test (make folder handling consistent)
         if ($_SERVER['REQUEST_METHOD'] === 'GET' && isset($post['resumableTest'])) {
-            $chunkNumber = intval($post['resumableChunkNumber']);
+            $chunkNumber         = (int)($post['resumableChunkNumber'] ?? 0);
             $resumableIdentifier = $post['resumableIdentifier'] ?? '';
-            $folder = isset($post['folder']) ? trim($post['folder']) : 'root';
+            $folderSan           = self::sanitizeFolder((string)($post['folder'] ?? 'root'));
+
             $baseUploadDir = UPLOAD_DIR;
-            if ($folder !== 'root') {
-                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR . $folder . DIRECTORY_SEPARATOR;
+            if ($folderSan !== '') {
+                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
+                               . str_replace('/', DIRECTORY_SEPARATOR, $folderSan) . DIRECTORY_SEPARATOR;
             }
-            $tempDir = $baseUploadDir . 'resumable_' . $resumableIdentifier . DIRECTORY_SEPARATOR;
+
+            $tempDir  = $baseUploadDir . 'resumable_' . $resumableIdentifier . DIRECTORY_SEPARATOR;
             $chunkFile = $tempDir . $chunkNumber;
             return ["status" => file_exists($chunkFile) ? "found" : "not found"];
         }
-        
-        // Handle chunked uploads.
+
+        // --- CHUNKED ---
         if (isset($post['resumableChunkNumber'])) {
-            $chunkNumber         = intval($post['resumableChunkNumber']);
-            $totalChunks         = intval($post['resumableTotalChunks']);
+            $chunkNumber         = (int)$post['resumableChunkNumber'];
+            $totalChunks         = (int)$post['resumableTotalChunks'];
             $resumableIdentifier = $post['resumableIdentifier'] ?? '';
-            $resumableFilename   = urldecode(basename($post['resumableFilename']));
-            
-            // Validate file name.
+            $resumableFilename   = urldecode(basename($post['resumableFilename'] ?? ''));
+
             if (!preg_match(REGEX_FILE_NAME, $resumableFilename)) {
                 return ["error" => "Invalid file name: $resumableFilename"];
             }
-            
-            $folderRaw = $post['folder'] ?? 'root';
-            $folderSan = self::sanitizeFolder((string)$folderRaw);
 
-            
+            $folderSan = self::sanitizeFolder((string)($post['folder'] ?? 'root'));
+
             if (empty($files['file']) || !isset($files['file']['name'])) {
-                        return ["error" => "No files received"];
-                    }
-            
+                return ["error" => "No files received"];
+            }
+
             $baseUploadDir = UPLOAD_DIR;
             if ($folderSan !== '') {
-                                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
-                                               . str_replace('/', DIRECTORY_SEPARATOR, $folderSan) . DIRECTORY_SEPARATOR;
-                            }
+                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
+                               . str_replace('/', DIRECTORY_SEPARATOR, $folderSan) . DIRECTORY_SEPARATOR;
+            }
             if (!is_dir($baseUploadDir) && !mkdir($baseUploadDir, 0775, true)) {
                 return ["error" => "Failed to create upload directory"];
             }
-            
+
             $tempDir = $baseUploadDir . 'resumable_' . $resumableIdentifier . DIRECTORY_SEPARATOR;
             if (!is_dir($tempDir) && !mkdir($tempDir, 0775, true)) {
                 return ["error" => "Failed to create temporary chunk directory"];
             }
-            
+
             $chunkErr = $files['file']['error'] ?? UPLOAD_ERR_NO_FILE;
             if ($chunkErr !== UPLOAD_ERR_OK) {
                 return ["error" => "Upload error on chunk $chunkNumber"];
             }
-            
+
             $chunkFile = $tempDir . $chunkNumber;
-            $tmpName = $files['file']['tmp_name'] ?? null;
+            $tmpName   = $files['file']['tmp_name'] ?? null;
             if (!$tmpName || !move_uploaded_file($tmpName, $chunkFile)) {
                 return ["error" => "Failed to move uploaded chunk $chunkNumber"];
             }
-            
-            // Check if all chunks are present.
-            $allChunksPresent = true;
+
+            // all chunks present?
             for ($i = 1; $i <= $totalChunks; $i++) {
                 if (!file_exists($tempDir . $i)) {
-                    $allChunksPresent = false;
-                    break;
+                    return ["status" => "chunk uploaded"];
                 }
             }
-            if (!$allChunksPresent) {
-                return ["status" => "chunk uploaded"];
-            }
-            
-            // Merge chunks.
+
+            // merge
             $targetPath = $baseUploadDir . $resumableFilename;
             if (!$out = fopen($targetPath, "wb")) {
                 return ["error" => "Failed to open target file for writing"];
             }
             for ($i = 1; $i <= $totalChunks; $i++) {
                 $chunkPath = $tempDir . $i;
-                if (!file_exists($chunkPath)) {
-                    fclose($out);
-                    return ["error" => "Chunk $i missing during merge"];
-                }
-                if (!$in = fopen($chunkPath, "rb")) {
-                    fclose($out);
-                    return ["error" => "Failed to open chunk $i"];
-                }
-                while ($buff = fread($in, 4096)) {
-                    fwrite($out, $buff);
-                }
+                if (!file_exists($chunkPath)) { fclose($out); return ["error" => "Chunk $i missing during merge"]; }
+                if (!$in = fopen($chunkPath, "rb")) { fclose($out); return ["error" => "Failed to open chunk $i"]; }
+                while ($buff = fread($in, 4096)) { fwrite($out, $buff); }
                 fclose($in);
             }
             fclose($out);
-            
-            // Update metadata.
-            $metadataKey = ($folderSan === '') ? "root" : $folderSan;
+
+            // metadata
+            $metadataKey      = ($folderSan === '') ? "root" : $folderSan;
             $metadataFileName = str_replace(['/', '\\', ' '], '-', $metadataKey) . '_metadata.json';
-            $metadataFile = META_DIR . $metadataFileName;
-            $uploadedDate = date(DATE_TIME_FORMAT);
-            $uploader = $_SESSION['username'] ?? "Unknown";
-            $metadataCollection = file_exists($metadataFile) ? json_decode(file_get_contents($metadataFile), true) : [];
-            if (!is_array($metadataCollection)) {
-                $metadataCollection = [];
+            $metadataFile     = META_DIR . $metadataFileName;
+            $uploadedDate     = date(DATE_TIME_FORMAT);
+            $uploader         = $_SESSION['username'] ?? "Unknown";
+            $collection       = file_exists($metadataFile) ? json_decode(file_get_contents($metadataFile), true) : [];
+            if (!is_array($collection)) $collection = [];
+            if (!isset($collection[$resumableFilename])) {
+                $collection[$resumableFilename] = ["uploaded" => $uploadedDate, "uploader" => $uploader];
+                file_put_contents($metadataFile, json_encode($collection, JSON_PRETTY_PRINT));
             }
-            if (!isset($metadataCollection[$resumableFilename])) {
-                $metadataCollection[$resumableFilename] = [
-                    "uploaded" => $uploadedDate,
-                    "uploader" => $uploader
-                ];
-                file_put_contents($metadataFile, json_encode($metadataCollection, JSON_PRETTY_PRINT));
-            }
-            
-            // Cleanup temporary directory.
-            $rrmdir = function($dir) use (&$rrmdir) {
-                if (!is_dir($dir)) return;
-                $iterator = new RecursiveIteratorIterator(
-                    new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
-                    RecursiveIteratorIterator::CHILD_FIRST
-                );
-                foreach ($iterator as $item) {
-                    $item->isDir() ? rmdir($item->getRealPath()) : unlink($item->getRealPath());
-                }
-                rmdir($dir);
-            };
-            $rrmdir($tempDir);
-            
+
+            // cleanup temp
+            self::rrmdir($tempDir);
+
             return ["success" => "File uploaded successfully"];
-        } else {
-                        // Handle full upload (non-chunked)
-                        $folderRaw = $post['folder'] ?? 'root';
-                        $folderSan = self::sanitizeFolder((string)$folderRaw);
-            }
-            
-            $baseUploadDir = UPLOAD_DIR;
-            if ($folderSan !== '') {
-                                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
-                                               . str_replace('/', DIRECTORY_SEPARATOR, $folderSan) . DIRECTORY_SEPARATOR;
-                            }
-            if (!is_dir($baseUploadDir) && !mkdir($baseUploadDir, 0775, true)) {
-                return ["error" => "Failed to create upload directory"];
-            }
-            
-            $safeFileNamePattern = REGEX_FILE_NAME;
-            $metadataCollection = [];
-            $metadataChanged = [];
-            
-            foreach ($files["file"]["name"] as $index => $fileName) {
-                // Basic PHP upload error check per file
-                if (($files['file']['error'][$index] ?? UPLOAD_ERR_OK) !== UPLOAD_ERR_OK) {
-                        return ["error" => "Error uploading file"];
-                    }
-                $safeFileName = trim(urldecode(basename($fileName)));
-                if (!preg_match($safeFileNamePattern, $safeFileName)) {
-                    return ["error" => "Invalid file name: " . $fileName];
-                }
-                $relativePath = '';
-                if (isset($post['relativePath'])) {
-                    $relativePath = is_array($post['relativePath']) ? $post['relativePath'][$index] ?? '' : $post['relativePath'];
-                }
-                $uploadDir = rtrim($baseUploadDir, '/\\') . DIRECTORY_SEPARATOR;
-                if (!empty($relativePath)) {
-                    $subDir = dirname($relativePath);
-                    if ($subDir !== '.' && $subDir !== '') {
-                      // IMPORTANT: build the subfolder under the *current* base folder
-                        $uploadDir = rtrim($baseUploadDir, '/\\') . DIRECTORY_SEPARATOR .
-                                     str_replace('/', DIRECTORY_SEPARATOR, $subDir) . DIRECTORY_SEPARATOR;
-                    }
-                    $safeFileName = basename($relativePath);
-                }
-                if (!is_dir($uploadDir) && !@mkdir($uploadDir, 0775, true)) {
-                    return ["error" => "Failed to create subfolder: " . $uploadDir];
-                }
-                $targetPath = $uploadDir . $safeFileName;
-                if (move_uploaded_file($files["file"]["tmp_name"][$index], $targetPath)) {
-                                        $metadataKey = ($folderSan === '') ? "root" : $folderSan;
-                    $metadataFileName = str_replace(['/', '\\', ' '], '-', $metadataKey) . '_metadata.json';
-                    $metadataFile = META_DIR . $metadataFileName;
-                    if (!isset($metadataCollection[$metadataKey])) {
-                        $metadataCollection[$metadataKey] = file_exists($metadataFile) ? json_decode(file_get_contents($metadataFile), true) : [];
-                        if (!is_array($metadataCollection[$metadataKey])) {
-                            $metadataCollection[$metadataKey] = [];
-                        }
-                        $metadataChanged[$metadataKey] = false;
-                    }
-                    if (!isset($metadataCollection[$metadataKey][$safeFileName])) {
-                        $uploadedDate = date(DATE_TIME_FORMAT);
-                        $uploader = $_SESSION['username'] ?? "Unknown";
-                        $metadataCollection[$metadataKey][$safeFileName] = [
-                            "uploaded" => $uploadedDate,
-                            "uploader" => $uploader
-                        ];
-                        $metadataChanged[$metadataKey] = true;
-                    }
-                } else {
-                    return ["error" => "Error uploading file"];
-                }
-            }
-            
-            foreach ($metadataCollection as $folderKey => $data) {
-                if ($metadataChanged[$folderKey]) {
-                    $metadataFileName = str_replace(['/', '\\', ' '], '-', $folderKey) . '_metadata.json';
-                    $metadataFile = META_DIR . $metadataFileName;
-                    file_put_contents($metadataFile, json_encode($data, JSON_PRETTY_PRINT));
-                }
-            }
-            return ["success" => "Files uploaded successfully"];
         }
+
+        // --- NON-CHUNKED ---
+        $folderSan = self::sanitizeFolder((string)($post['folder'] ?? 'root'));
+
+        $baseUploadDir = UPLOAD_DIR;
+        if ($folderSan !== '') {
+            $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
+                           . str_replace('/', DIRECTORY_SEPARATOR, $folderSan) . DIRECTORY_SEPARATOR;
+        }
+        if (!is_dir($baseUploadDir) && !mkdir($baseUploadDir, 0775, true)) {
+            return ["error" => "Failed to create upload directory"];
+        }
+
+        $safeFileNamePattern = REGEX_FILE_NAME;
+        $metadataCollection  = [];
+        $metadataChanged     = [];
+
+        foreach ($files["file"]["name"] as $index => $fileName) {
+            if (($files['file']['error'][$index] ?? UPLOAD_ERR_OK) !== UPLOAD_ERR_OK) {
+                return ["error" => "Error uploading file"];
+            }
+
+            $safeFileName = trim(urldecode(basename($fileName)));
+            if (!preg_match($safeFileNamePattern, $safeFileName)) {
+                return ["error" => "Invalid file name: " . $fileName];
+            }
+
+            $relativePath = '';
+            if (isset($post['relativePath'])) {
+                $relativePath = is_array($post['relativePath']) ? ($post['relativePath'][$index] ?? '') : $post['relativePath'];
+            }
+
+            $uploadDir = rtrim($baseUploadDir, '/\\') . DIRECTORY_SEPARATOR;
+            if (!empty($relativePath)) {
+                $subDir = dirname($relativePath);
+                if ($subDir !== '.' && $subDir !== '') {
+                    $uploadDir = rtrim($baseUploadDir, '/\\') . DIRECTORY_SEPARATOR
+                               . str_replace('/', DIRECTORY_SEPARATOR, $subDir) . DIRECTORY_SEPARATOR;
+                }
+                $safeFileName = basename($relativePath);
+            }
+
+            if (!is_dir($uploadDir) && !@mkdir($uploadDir, 0775, true)) {
+                return ["error" => "Failed to create subfolder: " . $uploadDir];
+            }
+
+            $targetPath = $uploadDir . $safeFileName;
+            if (!move_uploaded_file($files["file"]["tmp_name"][$index], $targetPath)) {
+                return ["error" => "Error uploading file"];
+            }
+
+            $metadataKey      = ($folderSan === '') ? "root" : $folderSan;
+            $metadataFileName = str_replace(['/', '\\', ' '], '-', $metadataKey) . '_metadata.json';
+            $metadataFile     = META_DIR . $metadataFileName;
+
+            if (!isset($metadataCollection[$metadataKey])) {
+                $metadataCollection[$metadataKey] = file_exists($metadataFile) ? json_decode(file_get_contents($metadataFile), true) : [];
+                if (!is_array($metadataCollection[$metadataKey])) $metadataCollection[$metadataKey] = [];
+                $metadataChanged[$metadataKey] = false;
+            }
+
+            if (!isset($metadataCollection[$metadataKey][$safeFileName])) {
+                $uploadedDate = date(DATE_TIME_FORMAT);
+                $uploader     = $_SESSION['username'] ?? "Unknown";
+                $metadataCollection[$metadataKey][$safeFileName] = ["uploaded" => $uploadedDate, "uploader" => $uploader];
+                $metadataChanged[$metadataKey] = true;
+            }
+        }
+
+        foreach ($metadataCollection as $folderKey => $data) {
+            if (!empty($metadataChanged[$folderKey])) {
+                $metadataFileName = str_replace(['/', '\\', ' '], '-', $folderKey) . '_metadata.json';
+                $metadataFile     = META_DIR . $metadataFileName;
+                file_put_contents($metadataFile, json_encode($data, JSON_PRETTY_PRINT));
+            }
+        }
+
+        return ["success" => "Files uploaded successfully"];
+    }
     
 
         /**