chore(release): set APP_VERSION to v1.7.5 [skip ci]

.github/codeql/codeql-config.yml

@@ -1,12 +0,0 @@
----
-name: "FileRise CodeQL config"
-paths:
-  - "public/js"
-  - "api"
-paths-ignore:
-  - "public/vendor/**"
-  - "public/css/vendor/**"
-  - "public/fonts/**"
-  - "public/**/*.min.js"
-  - "public/**/*.min.css"
-  - "public/**/*.map"

.github/workflows/release-on-version.yml

@@ -3,13 +3,12 @@ name: Release on version.js update
 
 on:
   push:
-    branches:
-      - master
+    branches: ["master"]
     paths:
       - public/js/version.js
   workflow_run:
-    workflows: "Bump version and sync Changelog to Docker Repo"
-    types: completed
+    workflows: ["Bump version and sync Changelog to Docker Repo"]
+    types: [completed]
 
 permissions:
   contents: write
@@ -27,6 +26,10 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Ensure tags available
+        run: |
+          git fetch --tags --force --prune --quiet
+
       - name: Read version from version.js
         id: ver
         shell: bash
@@ -45,7 +48,6 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
-          git fetch --tags --quiet
           if git rev-parse -q --verify "refs/tags/${{ steps.ver.outputs.version }}" >/dev/null; then
             echo "exists=true" >> "$GITHUB_OUTPUT"
             echo "Tag ${{ steps.ver.outputs.version }} already exists. Skipping release."
@@ -53,7 +55,76 @@ jobs:
             echo "exists=false" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Prepare release notes from CHANGELOG.md (optional)
+      # Ensure the stamper is executable and has LF endings (helps if edited on Windows)
+      - name: Prep stamper script
+        if: steps.tagcheck.outputs.exists == 'false'
+        shell: bash
+        run: |
+          set -euo pipefail
+          sed -i 's/\r$//' scripts/stamp-assets.sh || true
+          chmod +x scripts/stamp-assets.sh
+
+      - name: Build zip artifact (stamped)
+        if: steps.tagcheck.outputs.exists == 'false'
+        shell: bash
+        run: |
+          set -euo pipefail
+          VER="${{ steps.ver.outputs.version }}"  # e.g. v1.6.12
+          ZIP="FileRise-${VER}.zip"
+
+          # Clean staging copy (exclude dotfiles you don’t want)
+          rm -rf staging
+          rsync -a \
+            --exclude '.git' --exclude '.github' \
+            --exclude 'resources' \
+            --exclude '.dockerignore' --exclude '.gitattributes' --exclude '.gitignore' \
+            ./ staging/
+
+          # Stamp IN THE STAGING COPY (invoke via bash to avoid exec-bit issues)
+          bash ./scripts/stamp-assets.sh "${VER}" "$(pwd)/staging"
+
+      - name: Verify placeholders are gone (staging)
+        if: steps.tagcheck.outputs.exists == 'false'
+        shell: bash
+        run: |
+          set -euo pipefail
+          ROOT="$(pwd)/staging"
+          if grep -R -n -E "{{APP_QVER}}|{{APP_VER}}" "$ROOT" \
+              --include='*.html' --include='*.php' --include='*.css' --include='*.js' 2>/dev/null; then
+            echo "---- DEBUG (show 10 hits with context) ----"
+            grep -R -n -E "{{APP_QVER}}|{{APP_VER}}" "$ROOT" \
+              --include='*.html' --include='*.php' --include='*.css' --include='*.js' \
+              | head -n 10 | while IFS=: read -r file line _; do
+                  echo ">>> $file:$line"
+                  nl -ba "$file" | sed -n "$((line-3)),$((line+3))p" || true
+                  echo "----------------------------------------"
+                done
+            exit 1
+          fi
+          echo "OK: No unreplaced placeholders in staging."
+
+      - name: Zip stamped staging
+        if: steps.tagcheck.outputs.exists == 'false'
+        shell: bash
+        run: |
+          set -euo pipefail
+          VER="${{ steps.ver.outputs.version }}"
+          ZIP="FileRise-${VER}.zip"
+          (cd staging && zip -r "../$ZIP" . >/dev/null)
+
+      - name: Compute SHA-256 checksum
+        if: steps.tagcheck.outputs.exists == 'false'
+        id: sum
+        shell: bash
+        run: |
+          set -euo pipefail
+          ZIP="FileRise-${{ steps.ver.outputs.version }}.zip"
+          SHA=$(shasum -a 256 "$ZIP" | awk '{print $1}')
+          echo "$SHA  $ZIP" > "${ZIP}.sha256"
+          echo "sha=$SHA" >> "$GITHUB_OUTPUT"
+          echo "Computed SHA-256: $SHA"
+
+      - name: Extract notes from CHANGELOG (optional)
         if: steps.tagcheck.outputs.exists == 'false'
         id: notes
         shell: bash
@@ -66,45 +137,68 @@ jobs:
               /^## / && !found {found=1}
               found && /^---$/ {exit}
               found {print}
-            ' CHANGELOG.md > RELEASE_BODY.md || true
-
-            # Trim trailing blank lines
-            sed -i -e :a -e '/^\n*$/{$d;N;ba' -e '}' RELEASE_BODY.md || true
-
-            if [[ -s RELEASE_BODY.md ]]; then
-              NOTES_PATH="RELEASE_BODY.md"
+            ' CHANGELOG.md > CHANGELOG_SNIPPET.md || true
+            sed -i -e :a -e '/^\n*$/{$d;N;ba' -e '}' CHANGELOG_SNIPPET.md || true
+            if [[ -s CHANGELOG_SNIPPET.md ]]; then
+              NOTES_PATH="CHANGELOG_SNIPPET.md"
             fi
           fi
           echo "path=$NOTES_PATH" >> "$GITHUB_OUTPUT"
 
-      - name: (optional) Build archive to attach
+      - name: Compute previous tag (for Full Changelog link)
+        if: steps.tagcheck.outputs.exists == 'false'
+        id: prev
+        shell: bash
+        run: |
+          set -euo pipefail
+          VER="${{ steps.ver.outputs.version }}"
+          PREV=$(git tag --list "v*" --sort=-v:refname | grep -v -F "$VER" | head -n1 || true)
+          if [[ -z "$PREV" ]]; then
+            PREV=$(git rev-list --max-parents=0 HEAD | tail -n1)
+          fi
+          echo "prev=$PREV" >> "$GITHUB_OUTPUT"
+          echo "Previous tag or baseline: $PREV"
+
+      - name: Build release body (snippet + full changelog + checksum)
         if: steps.tagcheck.outputs.exists == 'false'
         shell: bash
         run: |
           set -euo pipefail
-          zip -r "FileRise-${{ steps.ver.outputs.version }}.zip" public/ README.md LICENSE >/dev/null || true
+          VER="${{ steps.ver.outputs.version }}"
+          PREV="${{ steps.prev.outputs.prev }}"
+          REPO="${GITHUB_REPOSITORY}"
+          COMPARE_URL="https://github.com/${REPO}/compare/${PREV}...${VER}"
+          ZIP="FileRise-${VER}.zip"
+          SHA="${{ steps.sum.outputs.sha }}"
 
-      # Path A: we have extracted notes -> use body_path
-      - name: Create GitHub Release (with CHANGELOG snippet)
-        if: steps.tagcheck.outputs.exists == 'false' && steps.notes.outputs.path != ''
+          {
+            echo
+            if [[ -s CHANGELOG_SNIPPET.md ]]; then
+              cat CHANGELOG_SNIPPET.md
+              echo
+            fi
+            echo "## ${VER}"
+            echo "### Full Changelog"
+            echo "[${PREV} → ${VER}](${COMPARE_URL})"
+            echo
+            echo "### SHA-256 (zip)"
+            echo '```'
+            echo "${SHA}  ${ZIP}"
+            echo '```'
+          } > RELEASE_BODY.md
+
+          echo "Release body:"
+          sed -n '1,200p' RELEASE_BODY.md
+
+      - name: Create GitHub Release
+        if: steps.tagcheck.outputs.exists == 'false'
         uses: softprops/action-gh-release@v2
         with:
           tag_name: ${{ steps.ver.outputs.version }}
           target_commitish: ${{ github.sha }}
           name: ${{ steps.ver.outputs.version }}
-          body_path: ${{ steps.notes.outputs.path }}
+          body_path: RELEASE_BODY.md
           generate_release_notes: false
           files: |
             FileRise-${{ steps.ver.outputs.version }}.zip
-
-      # Path B: no notes -> let GitHub auto-generate from commits
-      - name: Create GitHub Release (auto notes)
-        if: steps.tagcheck.outputs.exists == 'false' && steps.notes.outputs.path == ''
-        uses: softprops/action-gh-release@v2
-        with:
-          tag_name: ${{ steps.ver.outputs.version }}
-          target_commitish: ${{ github.sha }}
-          name: ${{ steps.ver.outputs.version }}
-          generate_release_notes: true
-          files: |
-            FileRise-${{ steps.ver.outputs.version }}.zip
+            FileRise-${{ steps.ver.outputs.version }}.zip.sha256

.github/workflows/sync-changelog.yml

@@ -5,18 +5,25 @@ on:
   push:
     paths:
       - "CHANGELOG.md"
+  workflow_dispatch: {}
 
 permissions:
   contents: write
 
+concurrency:
+  group: bump-and-sync-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
   bump_and_sync:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout FileRise
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          ref: ${{ github.ref }}
 
       - name: Extract version from commit message
         id: ver
@@ -32,7 +39,24 @@ jobs:
             echo "No release(vX.Y.Z) tag in commit message; skipping bump."
           fi
 
-      - name: Update public/js/version.js
+      # Ensure we're on the branch and up to date BEFORE modifying files
+      - name: Ensure clean branch (no local mods), update from remote
+        if: steps.ver.outputs.version != ''
+        shell: bash
+        run: |
+          set -euo pipefail
+          # Be on a named branch that tracks the remote
+          git checkout -B "${{ github.ref_name }}" --track "origin/${{ github.ref_name }}" || git checkout -B "${{ github.ref_name }}"
+          # Make sure the worktree is clean
+          if ! git diff --quiet || ! git diff --cached --quiet; then
+            echo "::error::Working tree not clean before update. Aborting."
+            git status --porcelain
+            exit 1
+          fi
+          # Update branch
+          git pull --rebase origin "${{ github.ref_name }}"
+
+      - name: Update public/js/version.js (source of truth)
         if: steps.ver.outputs.version != ''
         shell: bash
         run: |
@@ -42,44 +66,19 @@ jobs:
           window.APP_VERSION = '${{ steps.ver.outputs.version }}';
           EOF
 
-      - name: Stamp asset cache-busters (?v=...) in HTML/CSS and {{APP_VER}} everywhere
-        if: steps.ver.outputs.version != ''
-        shell: bash
-        run: |
-          set -euo pipefail
-          VER="${{ steps.ver.outputs.version }}"  # e.g. v1.6.9
-          QVER="${VER#v}"                         # e.g. 1.6.9
-          echo "Stamping ?v=${QVER} and {{APP_VER}}=${VER}"
-
-          # 1) Only stamp ?v= in HTML/CSS (avoid JS concatenation issues)
-          mapfile -t html_css < <(git ls-files -- 'public/*.html' 'public/**/*.html' 'public/*.css' 'public/**/*.css')
-          for f in "${html_css[@]}"; do
-            sed -E -i "s/(\?v=)[^\"'&<>\s]*/\1${QVER}/g" "$f"
-            sed -E -i "s/\{\{APP_VER\}\}/${VER}/g" "$f"
-          done
-
-          # 2) For JS, only replace the {{APP_VER}} placeholder (do NOT touch ?v=)
-          mapfile -t jsfiles < <(git ls-files -- 'public/*.js' 'public/**/*.js')
-          for f in "${jsfiles[@]}"; do
-            sed -E -i "s/\{\{APP_VER\}\}/${VER}/g" "$f"
-          done
-
-          echo "Changed files:"
-          git status --porcelain | awk '{print $2}' | sed 's/^/  - /'
-
-      - name: Commit version bump + stamped assets
+      - name: Commit version.js only
         if: steps.ver.outputs.version != ''
         shell: bash
         run: |
           set -euo pipefail
           git config user.name  "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
-          git add public/js/version.js public
+          git add public/js/version.js
           if git diff --cached --quiet; then
             echo "No changes to commit"
           else
-            git commit -m "chore(release): set APP_VERSION and stamp assets to ${{ steps.ver.outputs.version }} [skip ci]"
-            git push
+            git commit -m "chore(release): set APP_VERSION to ${{ steps.ver.outputs.version }} [skip ci]"
+            git push origin "${{ github.ref_name }}"
           fi
 
       - name: Checkout filerise-docker
@@ -89,6 +88,7 @@ jobs:
           repository: error311/filerise-docker
           token: ${{ secrets.PAT_TOKEN }}
           path: docker-repo
+          fetch-depth: 0
 
       - name: Copy CHANGELOG.md and write VERSION
         if: steps.ver.outputs.version != ''
@@ -110,6 +110,6 @@ jobs:
           if git diff --cached --quiet; then
             echo "No changes to commit"
           else
-            git commit -m "chore: sync CHANGELOG.md and VERSION (${{ steps.ver.outputs.version }}) from FileRise"
+            git commit -m "chore: sync CHANGELOG.md + VERSION (${{ steps.ver.outputs.version }}) from FileRise"
             git push origin main
           fi

CHANGELOG.md

@@ -1,5 +1,258 @@
 # Changelog
 
+## Changes 11/2/2025 (v1.7.5)
+
+release(v1.7.5): CSP hardening, API-backed previews, flicker-free theming, cache tuning & deploy script (closes #50)
+release(v1.7.5): retrigger CI bump (no code changes)
+release(v1.7.5): retrigger CI bump ensure up to date
+
+### Security/headers
+
+- Tighten CSP: pin the inline pre-theme snippet with a script-src SHA-256 and keep everything else on 'self'.
+- Improve cache policy for versioned assets: force 1y + immutable and add s-maxage for CDNs; also avoid HSTS redirects on local/dev hosts.
+
+### Previews & editor
+
+- Remove hardcoded `/uploads/` paths; always build preview URLs via the API (respects UPLOAD_DIR/ACL).
+- Use the API URL for gallery prev/next and file-menu “Preview” to fix 404s on custom storage roots.
+- Editor now probes size safely (HEAD → Range 0-0 fallback) before fetching, then fetches with credentials.
+
+### Login, theming & UX polish
+
+- Pre-theme inline boot sets `dark-mode` + background early; swap to `[hidden]`/`unhide()` instead of inline `display:none`.
+- Add full-screen loading overlay with quick fade and proper color-scheme; prevent white/black flash on theme flips.
+- Refactor app/login reveal flow in `main.js` (`revealAppAndHideOverlay`, `authed` path, setup wizard).
+
+### HTML/CSS & perf
+
+- Make Bootstrap/Styles/Roboto critical (plain `<link rel="stylesheet">`); keep fonts as true preloads; modulepreload app entry.
+- Export a `__CSS_PROMISE__` from `defer-css.js` for sites that still promote preloads.
+- Header logo marked `fetchpriority="high"` for faster first paint.
+- Normalize dark-mode selectors to `.dark-mode` scope (admin panel, etc.).
+
+### Manual Deploy script
+
+- Add `scripts/filerise-deploy.sh`: idempotent rsync-based deploy with writable dirs preserved, optional Composer install, and PHP-FPM/Apache reloads.
+
+### Notes
+
+- If you change the inline pre-theme snippet, update the CSP hash accordingly.
+
+---
+
+## Changes 10/31/2025 (v1.7.4)
+
+release(v1.7.4): login hint replace toast + fix unauth boot
+
+main.js
+
+- Added isDemoHost() and showLoginTip(message).
+- In the unauth branch, call showLoginTip('Please log in to continue').
+- Removed ensureToastReady() + showToast('please_log_in_to_continue') in the unauth path to avoid loading toast/DOM utils before auth.
+
+---
+
+## Changes 10/31/2025 (v1.7.3)
+
+release(v1.7.3): lightweight boot pipeline, dramatically faster first paint, deduped /api writes, sturdier uploads/auth
+
+### 🎃 Highlights (advantages) 👻 🦇
+
+- ⚡ Faster, cleaner boot: a lightweight **main.js** decides auth/setup before painting, avoids flicker, and wires modules exactly once.
+- ♻️ Fewer duplicate actions: **request coalescer** dedupes POST/PUT/PATCH/DELETE to /api/* .
+- ✅ Truthy UX: global **toast bridge** queues early toasts and normalizes misleading “not found/already exists” messages after success.
+- 🔐 Smoother auth: CSRF priming/rotation + **TOTP step-up detection** across JSON & redirect paths; “Welcome back, `user`” toast once per tab.
+- 🌓 Polished UI: **dark-mode persistence with system fallback**, live siteConfig title application, higher-z modals, drag auto-scroll.
+- 🚀 Faster first paint & interactions: defer CodeMirror/Fuse/Resumable, promote preloaded CSS, and coalesce duplicate requests → snappier UI.
+- 🧭 Admin polish: live header title preview, masked OIDC fields with **Replace** flow, and a **read-only Sponsors/Donations** section.
+- 🧱 Safer & cache-smarter: opinionated .htaccess (CSP/HSTS/MIME/compression) + `?v={{APP_QVER}}` for versioned immutable assets.
+
+### Core bootstrap (main.js) overhaul
+
+- Early **toast bridge** (queues until domUtils is ready); expose `window.__FR_TOAST_FILTER__` for centralized rewrites/suppression.
+- **Result guard + request coalescer** wrapping `fetch`:
+  - Dedupes same-origin `/api/*` mutating requests for ~800ms using a stable key (method + path + normalized body).
+  - Tracks “last OK” JSON (`success|status|result=ok`) to suppress false-negative error toasts after success.
+- **Boot orchestrator** with hard guards:
+  - `__FR_FLAGS` (`booted`, `initialized`, `wired.*`, `bootPromise`, `entryStarted`) to prevent double init/leaks.
+  - **No-flicker login**: resolve `checkAuth()` + `setup` before showing UI; show login only when truly unauthenticated.
+  - **Heavy boot** for authed users: load i18n, `appCore.loadCsrfToken/initializeApp`, first file list, then light UI wiring.
+- **Auth flow**:
+  - `primeCsrf()` + `<meta name="csrf-token">` management; persist token in localStorage.
+  - **TOTP** detection via header (`X-TOTP-Required`) & JSON (`totp_required` / `TOTP_REQUIRED`); calls `openTOTPLoginModal()`.
+  - **Welcome toast** once per tab via `sessionStorage.__fr_welcomed`.
+- **UI/UX niceties**:
+  - `applySiteConfig()` updates header title & login method visibility on both login & authed screens.
+  - Dark-mode persistence with system fallback, proper a11y labels/icons.
+  - Create dropdown/menu wiring with capture-phase outside-click + ESC close; modal cancel safeties.
+  - Lift modals above cards (z-index), **drag auto-scroll** near viewport edges.
+  - Dispatch legacy `DOMContentLoaded`/`load` **once** (supports older inline handlers).
+  - Username label refresh for existing `.user-name-label` without injecting new DOM.
+
+### Performance & UX changes
+
+- CSS/first paint:
+  - Preload Bootstrap & app CSS; promote at DOMContentLoaded; keep inline CSS minimal.
+  - Add `width/height/decoding/fetchpriority` to logo to reduce layout shift.
+- Search/editor/uploads:
+  - **fileListView.js**: lazy-load Fuse with instant substring fallback; `warmUpSearch()` hook.
+  - **fileEditor.js**: lazy-load CodeMirror core/theme/modes; start plain then upgrade; guard very large files gracefully.
+  - **upload.js**: lazy-load Resumable; resilient init; background warm-up; smarter addFile/submit; clearer toasts.
+- Toast/UX:
+  - Install early toast bridge; queue & normalize messages; neutral “Done.” when server returns misleading errors after success.
+
+### Correctness: uploads, paths, ACLs
+
+- **UploadController/UploadModel**: normalize folders via `ACL::normalizeFolder(rawurldecode())`; stricter segment checks; consistent base paths; safer metadata writes; proper chunk presence/merge & temp cleanup.
+
+### Auth hardening & resilience
+
+- **auth.js/main.js/appCore.js**: CSRF rotate/retry (JSON then x-www-form-urlencoded fallback); robust login handling; fewer misleading error toasts.
+- **AuthController**: OIDC username fallback to `email` or `sub` when `preferred_username` missing.
+
+### Admin panel
+
+- **adminPanel.js**:
+  - Live header title preview (instant update without reload).
+  - Masked OIDC client fields with **Replace** button; saved-value hints; only send secrets when replacing.
+  - **New “Sponsor / Donations” section (read-only)**:
+    - GitHub Sponsors → `https://github.com/sponsors/error311`
+    - Ko-fi → `https://ko-fi.com/error311`
+    - Includes **Copy** and **Open** buttons; values are fixed.
+- **AdminController**: boolean for `oidc.hasClientId/hasClientSecret` to drive masked inputs.
+
+### Security & caching (.htaccess)
+
+- Consolidated security headers (CSP, CORP, HSTS on HTTPS), MIME types, compression (Brotli/Deflate), TRACE disable.
+- Caching rules:
+  - HTML/version.js: no-cache; unversioned JS/CSS: 1h; unversioned static: 7d; **versioned assets `?v=`: 1y `immutable`**.
+- **config.php**: remove duplicate runtime headers (now via Apache) to avoid proxy/CDN conflicts.
+
+### Upgrade notes
+
+- No schema changes.
+- Ensure Apache modules (`headers`, `rewrite`, `brotli`/`deflate`) are available for the new .htaccess rules (fallbacks included).
+- Versioned assets mean users shouldn’t need a hard refresh; `?v={{APP_QVER}}` busts caches automatically.
+
+---
+
+## Changes 10/29/2025 (v1.7.0 & v1.7.1 & v1.7.2)
+
+release(v1.7.0): asset cache-busting pipeline, public siteConfig cache, JS core split, and caching/security polish
+
+### ✨ Features
+
+- Public, non-sensitive site config cache:
+  - Add `AdminModel::buildPublicSubset()` and `writeSiteConfig()` to write `USERS_DIR/siteConfig.json`.
+  - New endpoint `public/api/siteConfig.php` + `UserController::siteConfig()` to serve the public subset (regenerates if stale).
+  - Frontend now reads `/api/siteConfig.php` (safe subset) instead of `/api/admin/getConfig.php`.
+- Frontend module versioning:
+  - Replace all module imports with `?v={{APP_QVER}}` query param so the release/Docker stamper can pin exact versions.
+  - Add `scripts/stamp-assets.sh` to stamp `?v=` and `{{APP_VER}}/{{APP_QVER}}` in **staging** for ZIP/Docker builds.
+
+### 🧩 Refactors
+
+- Extract shared boot/bootstrap logic into `public/js/appCore.js`:
+  - CSRF helpers (`setCsrfToken`, `getCsrfToken`, `loadCsrfToken`)
+  - `initializeApp()`, `triggerLogout()`
+  - Keep `main.js` lean; wrap global `fetch` once to append/rotate CSRF.
+- Update imports across JS modules to use versioned module URLs.
+
+### 🚀 Performance
+
+- Aggressive, safe caching for versioned assets:
+  - `.htaccess`: `?v=…` ⇒ `Cache-Control: max-age=31536000, immutable`.
+  - Unversioned JS/CSS short cache (1h), other static (7d).
+- Eliminate duplicate `main.js` loads and tighten CodeMirror mode loading.
+
+### 🔒 Security / Hardening
+
+- `.htaccess`:
+  - Conditional HSTS only when HTTPS, add CORP and X-Permitted-Cross-Domain-Policies.
+  - CSP kept strict for modules, workers, blobs.
+- Admin config exposure reduced to a curated subset in `siteConfig.json`.
+
+### 🧪 CI/CD / Release
+
+- **FileRise repo**
+  - `sync-changelog.yml`: keep `public/js/version.js` as source-of-truth only (no repo-wide stamping).
+  - `release-on-version.yml`: build **stamped** ZIP from a staging copy via `scripts/stamp-assets.sh`, verify placeholders removed, attach checksum.
+- **filerise-docker repo**
+  - Read `VERSION`, checkout app to `app/`, run stamper inside build context before `docker buildx`, tag `latest` and `:${VERSION}`.
+
+### 🔧 Defaults
+
+- Sample/admin config defaults now set `disableBasicAuth: true` (safer default). Existing installations keep their current setting.
+
+### 📂 Notable file changes
+
+- `src/models/AdminModel.php` (+public subset +atomic write)
+- `src/controllers/UserController.php` (+siteConfig action)
+- `public/api/siteConfig.php` (new)
+- `public/js/appCore.js` (new), `public/js/main.js` (slim, uses appCore)
+- Many `public/js/*.js` import paths updated to `?v={{APP_QVER}}`
+- `public/.htaccess` (caching & headers)
+- `scripts/stamp-assets.sh` (new)
+
+### ⚠️ Upgrade notes
+
+- Ensure `USERS_DIR` is writable by web server for `siteConfig.json`.
+- Proxies/edge caches: the new `?v=` scheme enables long-lived immutable caching; purge is automatic on version bump.
+- If you previously read admin config directly on the client, it now reads `/api/siteConfig.php`.
+
+### Additional changes/fixes for release
+
+- `release-on-version.yml`
+  - normalize line endings (strip CRLF)
+  - stamp-assets.sh don’t rely on the exec; invoke via bash
+
+release(v1.7.2): harden asset stamping & CI verification
+
+### build(stamper)
+
+- Rewrite scripts/stamp-assets.sh to be repo-agnostic and macOS/Windows friendly:
+  - Drop reliance on git ls-files/mapfile; use find + null-delimited loops
+  - Normalize CRLF to LF for all web assets before stamping
+  - Stamp ?v=<APP_QVER> in HTML/CSS/PHP and {{APP_VER}} everywhere
+  - Normalize any ".mjs|.js?v=..." occurrences inside JS (ESM imports/strings)
+  - Force-write public/js/version.js from VER (source of truth in stamped output)
+  - Print touched counts and fail fast if any {{APP_QVER}}|{{APP_VER}} remain
+
+---
+
+## Changes 10/28/2025 (v1.6.11)
+
+release(v1.6.11) fix(ui/dragAndDrop) restore floating zones toggle click action
+
+Re-add the click handler to toggle `zonesCollapsed` so the header
+“sidebarToggleFloating” button actually expands/collapses the zones
+again. This regressed in v1.6.10 during auth-gating refactor.
+
+Refs: #regression #ux
+
+chore(codeql): move config to repo root for default setup
+
+- Relocate .github/codeql/codeql-config.yml to codeql-config.yml so GitHub default code scanning picks it up
+- Keep paths: public/js, api
+- Keep ignores: public/vendor/**, public/css/vendor/**, public/fonts/**, public/**/*.min.{js,css}, public/**/*.map
+
+---
+
+## Changes 10/28/2025 (v1.6.10)
+
+release(v1.6.10): self-host ReDoc, gate sidebar toggle on auth, and enrich release workflow
+
+- Vendor ReDoc and add MIT license file under public/vendor/redoc/; switch api.php to local bundle to satisfy CSP (script-src 'self').
+- main.js: add/remove body.authenticated on login/logout so UI can reflect auth state.
+- dragAndDrop.js: only render sidebarToggleFloating when authenticated; stop event bubbling, keep dark-mode styles.
+- sync-changelog.yml: also stamp ?v= in PHP templates (public/**/*.php).
+- release-on-version.yml: build zip first, compute SHA-256, assemble release body with latest CHANGELOG snippet, “Full Changelog” compare link, and attach .sha256 alongside the zip.
+- THIRD_PARTY.md: document ReDoc vendoring and rationale.
+
+Refs: #security #csp #release
+
+---
+
 ## Changes 10/27/2025 (v1.6.9)
 
 release(v1.6.9): feat(core) localize assets, harden headers, and speed up load

README.md

@@ -139,7 +139,7 @@ docker run -d \
   -e DATE_TIME_FORMAT="m/d/y  h:iA" \
   -e TOTAL_UPLOAD_SIZE="5G" \
   -e SECURE="false" \
-  -e PERSISTENT_TOKENS_KEY="please_change_this_@@" \
+  -e PERSISTENT_TOKENS_KEY="default_please_change_this_key" \
   -e PUID="1000" \
   -e PGID="1000" \
   -e CHOWN_ON_START="true" \
@@ -186,7 +186,7 @@ services:
       DATE_TIME_FORMAT: "m/d/y  h:iA"
       TOTAL_UPLOAD_SIZE: "10G"
       SECURE: "false"
-      PERSISTENT_TOKENS_KEY: "please_change_this_@@"
+      PERSISTENT_TOKENS_KEY: "default_please_change_this_key"
       # Ownership & indexing
       PUID: "1000"              # Unraid users often use 99
       PGID: "1000"              # Unraid users often use 100

THIRD_PARTY.md

@@ -37,6 +37,10 @@ If you believe any attribution is missing or incorrect, please open an issue.
 - **Resumable.js 1.1.0** — MIT License  
   **Files:** `public/vendor/resumable/1.1.0/resumable.min.js`
 
+- **ReDoc (redoc.standalone.js)** — MIT License  
+  **Files:** `public/vendor/redoc/redoc.standalone.js`  
+  **Notes:** Self-hosted to comply with `script-src 'self'` CSP.
+
 > MIT-licensed code: see `licenses/mit.txt`.  
 > Apache-2.0–licensed code: see `licenses/apache-2.0.txt`.
 

codeql-config.yml

@@ -0,0 +1,12 @@
+---
+name: FileRise CodeQL config
+paths:
+  - public/js
+  - api
+paths-ignore:
+  - public/vendor/**
+  - public/css/vendor/**
+  - public/fonts/**
+  - public/**/*.min.js
+  - public/**/*.min.css
+  - public/**/*.map

config/config.php

@@ -1,22 +1,6 @@
 <?php
 // config.php
 
-// Prevent caching
-header("Cache-Control: no-cache, must-revalidate");
-header("Pragma: no-cache");
-header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
-header("Expires: 0");
-
-// Security headers
-header('X-Content-Type-Options: nosniff');
-header("X-Frame-Options: SAMEORIGIN");
-header("Referrer-Policy: no-referrer-when-downgrade");
-header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
-header("X-XSS-Protection: 1; mode=block");
-if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
-    header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload");
-}
-
 // Define constants
 define('PROJECT_ROOT', dirname(__DIR__));
 define('UPLOAD_DIR',    '/var/www/uploads/');

public/.htaccess

@@ -11,58 +11,91 @@ DirectoryIndex index.html
 </IfModule>
 
 RewriteEngine On
+# Never redirect local/dev hosts
+RewriteCond %{HTTP_HOST} ^(localhost|127\.0\.0\.1|fr\.local|192\.168\.[0-9]+\.[0-9]+)$ [NC]
+RewriteRule ^ - [L]
+
+# --- HTTPS redirect ---
+# Use ONE of these blocks.
+
+# A) Direct TLS on this server (enable this if Apache terminates HTTPS here)
 #RewriteCond %{HTTPS} off
 #RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
 
-# MIME types for fonts/SVG
+# B) Behind a reverse proxy/CDN that sets X-Forwarded-Proto
+#RewriteCond %{HTTP:X-Forwarded-Proto} =http [OR]
+#RewriteCond %{HTTP:X-Forwarded-Proto} ^$
+#RewriteCond %{HTTPS} !=on
+#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
+
+# Don't interfere with ACME/http-01 if you do your own certs
+#RewriteCond %{REQUEST_URI} ^/.well-known/acme-challenge/
+#RewriteRule - - [L]
+
+# --- MIME types (fonts/SVG/ESM) ---
 <IfModule mod_mime.c>
   AddType font/woff2 .woff2
   AddType font/woff  .woff
   AddType image/svg+xml .svg
+  AddType application/javascript .mjs
 </IfModule>
 
-# Security headers
+# --- Security headers ---
 <IfModule mod_headers.c>
   Header always set X-Frame-Options "SAMEORIGIN"
   Header always set X-XSS-Protection "1; mode=block"
   Header always set X-Content-Type-Options "nosniff"
-  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
   Header always set Referrer-Policy "strict-origin-when-cross-origin"
   Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
   Header always set X-Download-Options "noopen"
   Header always set Expect-CT "max-age=86400, enforce"
-  Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; media-src 'self' blob:; worker-src 'self' blob:; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; form-action 'self'"
+  Header always set Cross-Origin-Resource-Policy "same-origin"
+  Header always set X-Permitted-Cross-Domain-Policies "none"
+  # HSTS only when actually on HTTPS
+  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
+
+  # CSP (modules, blobs, workers, etc.)
+  Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self' 'sha256-ajmGY+5VJOY6+8JHgzCqsqI8w9dCQfAmqIkFesOKItM='; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; media-src 'self' blob:; worker-src 'self' blob:; form-action 'self'"
 </IfModule>
 
-# Caching
-SetEnvIfNoCase QUERY_STRING "(^|&)v=" has_version_param=1
+# --- Caching (query-string based, no env vars needed) ---
 <IfModule mod_headers.c>
+  # HTML/PHP: no cache (only if PHP didn’t already set it)
   <FilesMatch "\.(html?|php)$">
-    Header set Cache-Control "no-cache, no-store, must-revalidate"
-    Header set Pragma "no-cache"
-    Header set Expires "0"
+    Header setifempty Cache-Control "no-cache, no-store, must-revalidate"
+    Header setifempty Pragma "no-cache"
+    Header setifempty Expires "0"
   </FilesMatch>
 
+  # version.js: always non-cacheable
   <FilesMatch "^js/version\.js$">
     Header set Cache-Control "no-cache, no-store, must-revalidate"
     Header set Pragma "no-cache"
     Header set Expires "0"
   </FilesMatch>
 
-  <FilesMatch "\.(js|css)$">
-    Header set Cache-Control "public, max-age=3600, must-revalidate" env=!has_version_param
+  # Unversioned JS/CSS: 1 hour
+  <FilesMatch "\.(?:m?js|css)$">
+    Header set Cache-Control "public, max-age=3600, must-revalidate" "expr=%{QUERY_STRING} !~ /(^|&)v=/"
   </FilesMatch>
 
-  <FilesMatch "\.(png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
-    Header set Cache-Control "public, max-age=604800" env=!has_version_param
+  # Unversioned static (images/fonts): 7 days
+  <FilesMatch "\.(?:png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
+    Header set Cache-Control "public, max-age=604800" "expr=%{QUERY_STRING} !~ /(^|&)v=/"
   </FilesMatch>
 
-  <FilesMatch "\.(js|css|png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
-    Header set Cache-Control "public, max-age=31536000, immutable" env=has_version_param
-  </FilesMatch>
+  # --- Versioned assets (?v=...) : 1 year + immutable (override anything else) ---
+  <IfModule mod_headers.c>
+    <FilesMatch "\.(?:m?js|css|png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
+      # Only when query string has v=
+      Header unset Cache-Control "expr=%{QUERY_STRING} =~ /(^|&)v=/"
+      Header unset Expires       "expr=%{QUERY_STRING} =~ /(^|&)v=/"
+      Header set Cache-Control "public, max-age=31536000, s-maxage=31536000, immutable" "expr=%{QUERY_STRING} =~ /(^|&)v=/"
+    </FilesMatch>
+  </IfModule>
 </IfModule>
 
-# Compression (only if module exists)
+# --- Compression ---
 <IfModule mod_brotli.c>
   BrotliCompressionQuality 5
   AddOutputFilterByType BROTLI_COMPRESS text/html text/css application/javascript application/json image/svg+xml
@@ -71,6 +104,6 @@ SetEnvIfNoCase QUERY_STRING "(^|&)v=" has_version_param=1
   AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json image/svg+xml
 </IfModule>
 
-# Disable TRACE
+# --- Disable TRACE ---
 RewriteCond %{REQUEST_METHOD} ^TRACE
 RewriteRule .* - [F]

public/api.php

@@ -19,13 +19,11 @@ if (isset($_GET['spec'])) {
   <meta charset="utf-8"/>
   <meta name="viewport" content="width=device-width, initial-scale=1"/>
   <title>FileRise API Docs</title>
-  <script defer src="https://cdn.redoc.ly/redoc/latest/bundles/redoc.standalone.js"
-          integrity="sha384-70P5pmIdaQdVbxvjhrcTDv1uKcKqalZ3OHi7S2J+uzDl0PW8dO6L+pHOpm9EEjGJ"
-          crossorigin="anonymous"></script>
-  <script defer src="/js/redoc-init.js"></script>
+  <script defer src="/vendor/redoc/redoc.standalone.js?v={{APP_QVER}}"></script>
+  <script defer src="/js/redoc-init.js?v={{APP_QVER}}"></script>
 </head>
 <body>
-  <redoc spec-url="api.php?spec=1"></redoc>
+  <redoc spec-url="/api.php?spec=1"></redoc>
   <div id="redoc-container"></div>
 </body>
 </html>

public/api/siteConfig.php

@@ -0,0 +1,9 @@
+<?php
+// public/api/siteConfig.php
+
+
+require_once __DIR__ . '/../../config/config.php';
+require_once PROJECT_ROOT . '/src/controllers/UserController.php';
+
+$userController = new UserController();
+$userController->siteConfig();

public/css/styles.css

@@ -1,6 +1,38 @@
 /* ===========================================================
    GENERAL STYLES & BASE LAYOUT
    =========================================================== */
+/* Reserve stable space for header + main */
+:root { --header-h: 55px; }
+.header-container { min-height: var(--header-h); }
+
+
+img.logo{ width:50px; height:50px; display:block; }  /* belt & suspenders for logo sizing */
+/* Hidden-but-reserved utility (no clicks) */
+.is-visually-hidden {
+  visibility: hidden;
+  pointer-events: none;
+}
+
+/* After auth: show app, hide login */
+
+
+#fr-login-tip {
+  min-height: 40px;            /* reserve space */
+  max-width: 520px;
+  margin: 8px auto 0;
+  border-radius: 8px;
+  padding: 10px 12px;
+  text-align: left;
+  margin-bottom: 10px;
+}
+.main-wrapper{
+  display:flex;              /* or grid—flex is fine here */
+  gap:5px;
+  align-items:flex-start;
+}
+
+
+
 
 /* GENERAL STYLES */
 body {
@@ -24,10 +56,12 @@ body {
     padding-left: 4px !important;
   }@media (min-width: 1300px) {
   .container-fluid {
-      padding-left: 30px !important;
-      padding-right: 30px !important;
+      padding-left: 20px !important;
+      padding-right: 20px !important;
   }}
-  
+  @media (max-width: 600px) {
+    .zones-toggle { left: 85px !important; }
+  }
   /* ===========================================================
      HEADER & NAVIGATION
      =========================================================== */
@@ -35,7 +69,6 @@ body {
   /************************************************************/
   /* FLEXBOX HEADER: LOGO, TITLE, BUTTONS FIXED               */
   /************************************************************/
-  
   .btn-login {
   margin-top: 10px;
   }/* Color overrides */
@@ -59,7 +92,7 @@ body {
     background-color: #2196F3;
     transition: background-color 0.3s ease;
     box-shadow: 0 2px 4px rgba(0, 0, 0, 0.2);
-  }body.dark-mode .header-container {
+  }.dark-mode .header-container {
   background-color: #1f1f1f;
     box-shadow: 0 2px 4px rgba(0, 0, 0, 0.7);
   }#darkModeIcon {
@@ -71,7 +104,7 @@ body {
   }.header-logo svg {
   height: 50px;
     width: auto;
-  }body.dark-mode header {
+  }.dark-mode header {
   background-color: #1f1f1f;
     box-shadow: 0 2px 4px rgba(0, 0, 0, 0.7);
   }.header-left {
@@ -157,7 +190,7 @@ body {
     padding: 10px;
     box-shadow: 2px 2px 6px rgba(0, 0, 0, 0.2);
   }/* Folder Help Tooltip - Dark Mode */
-  body.dark-mode .folder-help-tooltip {
+  .dark-mode .folder-help-tooltip {
   background-color: #333 !important;
     color: #eee !important;
     border: 1px solid #555 !important;
@@ -165,7 +198,7 @@ body {
   -webkit-text-fill-color: orange !important;
     color: inherit !important;
     padding-right: 10px !important;
-  }body.dark-mode #folderHelpBtn i.material-icons.folder-help-icon {
+  }.dark-mode #folderHelpBtn i.material-icons.folder-help-icon {
   -webkit-text-fill-color: #ffa500 !important;
     padding-right: 10px !important;
   }/************************************************************/
@@ -215,8 +248,8 @@ body {
   .material-icons.gallery-icon {
   color: black;
     margin-right: 5px;
-  }body.dark-mode .material-icons.folder-icon,
-  body.dark-mode .material-icons.gallery-icon {
+  }.dark-mode .material-icons.folder-icon,
+  .dark-mode .material-icons.gallery-icon {
   color: white;
     margin-right: 5px;
   }.remove-file-btn {
@@ -247,23 +280,23 @@ body {
     padding: 20px;
     box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
     border-radius: 4px;
-  }body.dark-mode #loginForm {
+  }.dark-mode #loginForm {
   background-color: #2c2c2c;
     color: #e0e0e0;
     padding: 20px;
     border-radius: 8px;
     box-shadow: 0 2px 4px rgba(255, 255, 255, 0.2);
-  }body.dark-mode #loginForm input {
+  }.dark-mode #loginForm input {
   background-color: #333;
     color: #fff;
     border: 1px solid #555;
-  }body.dark-mode #loginForm label {
+  }.dark-mode #loginForm label {
   color: #ddd;
-  }body.dark-mode #loginForm button {
+  }.dark-mode #loginForm button {
   background-color: #007bff;
     color: white;
     border: none;
-  }body.dark-mode #loginForm button:hover {
+  }.dark-mode #loginForm button:hover {
   background-color: #0056b3;
   }/* ===========================================================
      CARDS & MODALS
@@ -286,7 +319,7 @@ body {
     border: 1px solid #ccc;
     border-radius: 4px;
   }/* Override modal content for dark mode */
-  body.dark-mode #restoreFilesModal .modal-content {
+  .dark-mode #restoreFilesModal .modal-content {
   background: #2c2c2c !important;
     border: 1px solid #555 !important;
     color: #f0f0f0;
@@ -370,7 +403,7 @@ body {
       transform: translate(-50%, -70%);
   }}
   
-  body.dark-mode .modal .modal-content {
+  .dark-mode .modal .modal-content {
   background-color: #2c2c2c;
     color: #e0e0e0;
     border-color: #444;
@@ -399,10 +432,10 @@ body {
     background-color: #ff4d4d;
     box-shadow: 0px 0px 6px rgba(255, 77, 77, 0.8);
     transform: scale(1.05);
-  }body.dark-mode .editor-close-btn {
+  }.dark-mode .editor-close-btn {
   background-color: rgba(0, 0, 0, 0.7);
     color: #ff6666;
-  }body.dark-mode .editor-close-btn:hover {
+  }.dark-mode .editor-close-btn:hover {
   background-color: #ff6666;
     color: #000;
   }/* Editor Modal */
@@ -428,7 +461,7 @@ body {
     width: 100% !important;
     resize: none !important;
     overflow: auto !important;
-  }body.dark-mode .editor-modal {
+  }.dark-mode .editor-modal {
   background-color: #2c2c2c;
     color: #e0e0e0;
     border-color: #444;
@@ -453,7 +486,7 @@ body {
   }.editor-title {
   margin: 0;
     line-height: 33px;
-  }body.dark-mode .editor-header {
+  }.dark-mode .editor-header {
   background-color: #2c2c2c;
   }@media (max-width: 600px) {
   .editor-title {
@@ -521,9 +554,9 @@ body {
     padding: 4px;
     border-radius: 4px;
     transition: background-color 0.2s ease, color 0.2s ease;
-  }body.dark-mode .material-icons.pauseResumeBtn {
+  }.dark-mode .material-icons.pauseResumeBtn {
   color: white !important;
-  }body.dark-mode .material-icons.pauseResumeBtn:hover {
+  }.dark-mode .material-icons.pauseResumeBtn:hover {
   background-color: rgba(255, 215, 0, 0.3);
     color: #fff;
   }body:not(.dark-mode) .material-icons.pauseResumeBtn:hover {
@@ -626,15 +659,15 @@ body {
   }#createBtn {
   background-color: #007bff;
     color: white;
-  }body.dark-mode .dropdown-menu {
+  }.dark-mode .dropdown-menu {
   background-color: #2c2c2c !important;
     border-color:   #444    !important;
     color:          #e0e0e0!important;
-  }body.dark-mode .dropdown-menu .dropdown-item {
+  }.dark-mode .dropdown-menu .dropdown-item {
   color: #e0e0e0 !important;
   }.dropdown-item:hover {
   background-color: rgba(0,0,0,0.05);
-  }body.dark-mode .dropdown-item:hover {
+  }.dark-mode .dropdown-item:hover {
   background-color: rgba(255,255,255,0.1);
   }#fileList button.edit-btn {
   background-color: #007bff;
@@ -655,7 +688,7 @@ body {
   background-color: transparent;
   }#fileList table tr:hover {
   background-color: #e0e0e0;
-  }body.dark-mode #fileList table tr:hover {
+  }.dark-mode #fileList table tr:hover {
   background-color: #444;
   }#fileListTitle {
   white-space: normal !important;
@@ -673,7 +706,7 @@ body {
   box-shadow: none;
     border: none !important;
     outline: none !important;
-  }body.dark-mode #fileList table tr {
+  }.dark-mode #fileList table tr {
   box-shadow: none;
     border: none !important;
     outline: none !important;
@@ -757,7 +790,7 @@ body {
     color: inherit;
     cursor: pointer;
     padding: 0;
-  }#loginForm,
+  }
   #uploadForm {
   display: none;
   }.folder-actions {
@@ -818,7 +851,7 @@ body {
     color: #fff;
   }.row-selected {
   background-color: #f2f2f2 !important;
-  }body.dark-mode .row-selected {
+  }.dark-mode .row-selected {
   background-color: #444 !important;
     color: #fff !important;
   }.custom-prev-next-btn {
@@ -832,11 +865,11 @@ body {
     cursor: pointer;
   }.custom-prev-next-btn:hover:not(:disabled) {
   background-color: #d5d5d5;
-  }body.dark-mode .custom-prev-next-btn {
+  }.dark-mode .custom-prev-next-btn {
   background-color: #444;
     color: #fff;
     border: none;
-  }body.dark-mode .custom-prev-next-btn:hover:not(:disabled) {
+  }.dark-mode .custom-prev-next-btn:hover:not(:disabled) {
   background-color: #555;
   }#customToast {
   position: fixed;
@@ -873,6 +906,10 @@ body {
     line-height: 1 !important;
     vertical-align: middle !important;
   }#fileListContainer {
+    border: 1px solid #e0e0e0;
+    background: white;
+    box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
+    border-radius: 8px;
   max-width: 100%;
     padding-bottom: 10px !important;
     padding-left: 5px !important;
@@ -883,7 +920,7 @@ body {
       width: 99%;
   }}
   
-  body.dark-mode #fileListContainer {
+  .dark-mode #fileListContainer {
   background-color: #2c2c2c;
     color: #e0e0e0;
     border: 1px solid #444;
@@ -1116,12 +1153,12 @@ body {
   background-color: #d0d0d0;
     border-radius: 4px;
     padding: 2px 4px;
-  }body.dark-mode .folder-option.selected {
+  }.dark-mode .folder-option.selected {
   background-color: #444;
     color: #fff;
     border-radius: 4px;
     padding: 2px 4px;
-  }body.dark-mode .folder-option:hover {
+  }.dark-mode .folder-option:hover {
   background-color: #333;
     color: #fff;
     padding: 2px 4px;
@@ -1161,7 +1198,7 @@ body {
       display: inline-flex !important;
   }}
   
-  body.dark-mode .image-preview-modal-content {
+  .dark-mode .image-preview-modal-content {
   background: #2c2c2c;
     border-color: #444;
   }.image-modal-img {
@@ -1198,13 +1235,13 @@ body {
   width: 600px !important;
     max-width: 90vw !important;
     /* ensures it doesn't exceed the viewport width */
-  }body.dark-mode .close-image-modal {
+  }.dark-mode .close-image-modal {
   background-color: rgba(0, 0, 0, 0.6);
     color: #ff6666;
-  }body.dark-mode .close-image-modal:hover {
+  }.dark-mode .close-image-modal:hover {
   background-color: #ff6666;
     color: #000;
-  }body.dark-mode .image-preview-modal-content {
+  }.dark-mode .image-preview-modal-content {
   background: #2c2c2c;
     border-color: #444;
   }.page-indicator {
@@ -1217,7 +1254,7 @@ body {
     margin-right: 0;
     margin-left: 0;
     font-size: 32px;
-  }body.dark-mode .file-icon {
+  }.dark-mode .file-icon {
   color: white;
   }.bottom-select {
   display: inline-block;
@@ -1315,36 +1352,36 @@ body {
   }/* ===========================================================
      DARK MODE STYLES
      =========================================================== */
-  body.dark-mode {
+  .dark-mode {
   background-color: #121212;
     color: #e0e0e0;
-  }body.dark-mode .container {
+  }.dark-mode .container {
   background-color: transparent !important;
-  }body.dark-mode .btn-primary {
+  }.dark-mode .btn-primary {
   background-color: #007bff;
     color: #fff;
     border-color: #007bff;
-  }body.dark-mode .btn-secondary {
+  }.dark-mode .btn-secondary {
   background-color: #6c757d;
     color: #fff;
     border-color: #6c757d;
-  }body.dark-mode .btn-danger {
+  }.dark-mode .btn-danger {
   background-color: #dc3545;
     color: #fff;
     border-color: #dc3545;
-  }body.dark-mode .modal .modal-content,
-  body.dark-mode .editor-modal {
+  }.dark-mode .modal .modal-content,
+  .dark-mode .editor-modal {
   background-color: #2c2c2c;
     color: #e0e0e0;
     border: 1px solid #444;
-  }body.dark-mode table {
+  }.dark-mode table {
   background-color: #2c2c2c;
     color: #e0e0e0;
-  }body.dark-mode table tr:hover {
+  }.dark-mode table tr:hover {
   background-color: #444;
-  }body.dark-mode #uploadProgressContainer .progress {
+  }.dark-mode #uploadProgressContainer .progress {
   background-color: #333;
-  }body.dark-mode #uploadProgressContainer .progress-bar {
+  }.dark-mode #uploadProgressContainer .progress-bar {
   background-color: #007bff;
     color: #e0e0e0;
   }.dark-mode-toggle {
@@ -1361,10 +1398,10 @@ body {
   background-color: rgba(255, 255, 255, 0.15) !important;
   }.dark-mode-toggle:active {
   background-color: rgba(255, 255, 255, 0.25) !important;
-  }body.dark-mode .dark-mode-toggle {
+  }.dark-mode .dark-mode-toggle {
   background-color: transparent !important;
     color: white !important;
-  }body.dark-mode .dark-mode-toggle:hover {
+  }.dark-mode .dark-mode-toggle:hover {
   background-color: rgba(255, 255, 255, 0.15) !important;
   }.dark-mode-toggle:focus {
   outline: none !important;
@@ -1391,29 +1428,29 @@ body {
   }.folder-help-list {
   margin: 0;
     padding-left: 20px;
-  }body.dark-mode .folder-help-details {
+  }.dark-mode .folder-help-details {
   color: #ddd;
     background-color: #2c2c2c;
     border-color: #444;
-  }body.dark-mode .folder-help-summary {
+  }.dark-mode .folder-help-summary {
   color: #ddd;
     background: #2c2c2c;
-  }body.dark-mode .folder-help-icon {
+  }.dark-mode .folder-help-icon {
   color: #f6a72c;
     font-size: 20px;
-  }body.dark-mode .CodeMirror {
+  }.dark-mode .CodeMirror {
   background: #1e1e1e !important;
     color: #ffffff !important;
-  }body.dark-mode .CodeMirror-cursor {
+  }.dark-mode .CodeMirror-cursor {
   border-left: 2px solid #ffffff !important;
-  }body.dark-mode .CodeMirror-gutters {
+  }.dark-mode .CodeMirror-gutters {
   background: #252526 !important;
     border-right: 1px solid #444 !important;
-  }body.dark-mode .CodeMirror-linenumber {
+  }.dark-mode .CodeMirror-linenumber {
   color: #aaaaaa !important;
-  }body.dark-mode .CodeMirror-selected {
+  }.dark-mode .CodeMirror-selected {
   background: rgba(255, 255, 255, 0.2) !important;
-  }body.dark-mode .CodeMirror-matchingbracket {
+  }.dark-mode .CodeMirror-matchingbracket {
   background-color: rgba(255, 255, 255, 0.1) !important;
     border-bottom: 1px solid #ffffff !important;
   }.zoom_in,
@@ -1448,7 +1485,7 @@ body {
   }.drop-hover {
   background-color: #e0e0e0;
     border: 1px dashed #666;
-  }body.dark-mode .drop-hover {
+  }.dark-mode .drop-hover {
   background-color: rgba(255, 255, 255, 0.1) !important;
     border-bottom: 1px dashed #ffffff !important;
   }#restoreFilesList li {
@@ -1460,35 +1497,33 @@ body {
     transform: translateY(-3px) !important;
   }#restoreFilesList li label {
   margin-left: 8px !important;
-  }body.dark-mode #fileContextMenu {
+  }.dark-mode #fileContextMenu {
   background-color: #2c2c2c !important;
     border: 1px solid #555 !important;
     color: #e0e0e0 !important;
-  }body.dark-mode #fileContextMenu div {
+  }.dark-mode #fileContextMenu div {
   color: #e0e0e0 !important;
   }#folderContextMenu {
   font-family: Arial, sans-serif;
     font-size: 14px;
-  }body.dark-mode #folderContextMenu {
+  }.dark-mode #folderContextMenu {
   background-color: #2c2c2c;
     border-color: #555;
     color: #e0e0e0;
-  }.main-wrapper {
-  display: flex;
-    flex-direction: row;
   }.drop-target-sidebar {
   display: none;
-    width: 50px;
-    transition: width 0.3s ease;
     background-color: #f8f9fa;
     border-right: 2px dashed #1565C0;
-    padding: 10px;
+    margin-top: 10px;
+    margin-left: 10px;
   }@media (min-width: 769px) {
   .drop-target-sidebar {
       display: block;
   }}
-  .drop-target-sidebar.active {
+  .drop-target-sidebar.active,
+  .drag-header.active {
   width: 350px;
+  height: 750px;
   }.main-column {
   flex: 1;
     transition: margin-left 0.3s ease;
@@ -1557,13 +1592,12 @@ body {
   }#sidebarDropArea,
   #uploadFolderRow {
   background-color: transparent;
-  }#sidebarDropArea {
-  display: none;
-  }body.dark-mode #sidebarDropArea,
-  body.dark-mode #uploadFolderRow {
+  
+  }.dark-mode #sidebarDropArea,
+  .dark-mode #uploadFolderRow {
   background-color: transparent;
-  }body.dark-mode #sidebarDropArea.highlight,
-  body.dark-mode #uploadFolderRow.highlight {
+  }.dark-mode #sidebarDropArea.highlight,
+  .dark-mode #uploadFolderRow.highlight {
   background-color: #333; 
     border: 2px dashed #555; 
     color: #fff;
@@ -1582,7 +1616,7 @@ body {
     max-width: 900px;
     width: 100%;
     margin: 0 auto;
-  }body.dark-mode .card {
+  }.dark-mode .card {
   background-color: #2c2c2c;
     color: #e0e0e0;
     border: 1px solid #444;
@@ -1596,21 +1630,21 @@ body {
   #removeUserModal {
   z-index: 5000 !important;
   }#customConfirmModal {
-  z-index: 6000 !important;
+  z-index: 12000 !important;
   }.admin-panel-content {
   background: #fff;
     color: #000;
-  }body.dark-mode .admin-panel-content {
+  }.dark-mode .admin-panel-content {
   background: #2c2c2c;
     color: #e0e0e0;
     border: 1px solid #444;
-  }body.dark-mode .admin-panel-content input,
-  body.dark-mode .admin-panel-content select,
-  body.dark-mode .admin-panel-content textarea {
+  }.dark-mode .admin-panel-content input,
+  .dark-mode .admin-panel-content select,
+  .dark-mode .admin-panel-content textarea {
   background: #3a3a3a;
     color: #e0e0e0;
     border: 1px solid #555;
-  }body.dark-mode .admin-panel-content label {
+  }.dark-mode .admin-panel-content label {
   color: #e0e0e0;
   }#openChangePasswordModalBtn {
   width: max-content;
@@ -1631,7 +1665,7 @@ body {
     color: var(--download-spinner-color, #000);
   }body:not(.dark-mode) {
   --download-spinner-color: #000;
-  }body.dark-mode {
+  }.dark-mode {
   --download-spinner-color: #fff;
   }.rise-effect {
   transform: translateY(-20px);
@@ -1666,7 +1700,7 @@ body {
     background-color: transparent;
     transition: width 0.3s ease;
     box-sizing: border-box;
-  }body.dark-mode .header-drop-zone.drag-active {
+  }.dark-mode .header-drop-zone.drag-active {
   background-color: #333; 
     border: 2px dashed #555; 
     color: #fff;
@@ -1697,16 +1731,16 @@ body {
   line-height: 1;
     margin: 0;
     padding: 0;
-  }body.dark-mode #fileSummary {
+  }.dark-mode #fileSummary {
   color: white;
   }#searchIcon {
   border-radius: 4px;
     padding: 4px 8px;
-  }body.dark-mode #searchIcon {
+  }.dark-mode #searchIcon {
   background-color: #444;
     border: 1px solid #555;
     color: #fff;
-  }body.dark-mode #searchInput {
+  }.dark-mode #searchInput {
   background-color: #333;
     color: #e0e0e0;
     border: 1px solid #555;
@@ -1731,11 +1765,11 @@ body {
   .btn-icon:focus {
   background: rgba(0, 0, 0, 0.1);
     outline: none;
-  }body.dark-mode .btn-icon .material-icons,
-  body.dark-mode #searchIcon .material-icons {
+  }.dark-mode .btn-icon .material-icons,
+  .dark-mode #searchIcon .material-icons {
   color: #fff;
-  }body.dark-mode .btn-icon:hover,
-  body.dark-mode .btn-icon:focus {
+  }.dark-mode .btn-icon:hover,
+  .dark-mode .btn-icon:focus {
   background: rgba(255, 255, 255, 0.1);
   }.user-dropdown {
   position: relative;
@@ -1766,12 +1800,12 @@ body {
     display: inline-block;
     vertical-align: middle;
     margin-left: 0.25rem;
-  }body.dark-mode .user-dropdown .user-menu {
+  }.dark-mode .user-dropdown .user-menu {
   background: #2c2c2c;
     border-color: #444;
-  }body.dark-mode .user-dropdown .user-menu .item {
+  }.dark-mode .user-dropdown .user-menu .item {
   color: #e0e0e0;
-  }body.dark-mode .user-dropdown .user-menu .item:hover {
+  }.dark-mode .user-dropdown .user-menu .item:hover {
   background: rgba(255,255,255,0.1);
   }.user-dropdown .dropdown-username {
   margin: 0 8px;
@@ -1808,7 +1842,7 @@ body {
   }:root {
   --perm-caret: #444;
   }/* light */
-  body.dark-mode {
+  .dark-mode {
   --perm-caret: #ccc;
   }/* dark */
   
@@ -1821,7 +1855,7 @@ body {
       background-color 160ms cubic-bezier(.2,.0,.2,1);
   }:root {
   --toggle-icon-color: #333;
-  }body.dark-mode {
+  }.dark-mode {
   --toggle-icon-color: #eee;
   }#zonesToggleFloating .material-icons,
   #zonesToggleFloating .material-icons-outlined,
@@ -1865,4 +1899,5 @@ body {
   #sidebarToggleFloating.is-collapsed {
   background: #fafafa;
     border-color: #e2e2e2;
-  }
+  }
+  

public/css/vendor/material-icons.css

@@ -4,7 +4,7 @@
   font-style: normal;
   font-weight: 400;
   font-display: swap;
-  src: url(/fonts/material-icons/flUhRq6tzZclQEJ-Vdg-IuiaDsNcIhQ8tQ.woff2) format('woff2');
+  src: url('/fonts/material-icons/flUhRq6tzZclQEJ-Vdg-IuiaDsNcIhQ8tQ.woff2?v={{APP_QVER}}') format('woff2');
 }
 
 .material-icons {

public/css/vendor/roboto.css

@@ -4,7 +4,7 @@
   font-style:normal;
   font-weight:400;
   font-display:swap;
-  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2') format('woff2');
+  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2?v={{APP_QVER}}') format('woff2');
   unicode-range:U+0100-02BA,U+02BD-02C5,U+02C7-02CC,U+02CE-02D7,U+02DD-02FF,U+0304,U+0308,U+0329,U+1D00-1DBF,U+1E00-1E9F,U+1EF2-1EFF,U+2020,U+20A0-20AB,U+20AD-20C0,U+2113,U+2C60-2C7F,U+A720-A7FF;
 }
 /* Roboto Regular 400 — latin */
@@ -13,7 +13,7 @@
   font-style:normal;
   font-weight:400;
   font-display:swap;
-  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2') format('woff2');
+  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2?v={{APP_QVER}}') format('woff2');
   unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+0304,U+0308,U+0329,U+2000-206F,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD;
 }
 /* Roboto Medium 500 — latin-ext */
@@ -22,7 +22,7 @@
   font-style:normal;
   font-weight:500;
   font-display:swap;
-  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2') format('woff2');
+  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2?v={{APP_QVER}}') format('woff2');
   unicode-range:U+0100-02BA,U+02BD-02C5,U+02C7-02CC,U+02CE-02D7,U+02DD-02FF,U+0304,U+0308,U+0329,U+1D00-1DBF,U+1E00-1E9F,U+1EF2-1EFF,U+2020,U+20A0-20AB,U+20AD-20C0,U+2113,U+2C60-2C7F,U+A720-A7FF;
 }
 /* Roboto Medium 500 — latin */
@@ -31,7 +31,7 @@
   font-style:normal;
   font-weight:500;
   font-display:swap;
-  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2') format('woff2');
+  src:url('/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2?v={{APP_QVER}}') format('woff2');
   unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+0304,U+0308,U+0329,U+2000-206F,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD;
 }
 

public/index.html

@@ -2,116 +2,59 @@
 <html lang="en">
 
 <head>
-  <meta charset="UTF-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <title>FileRise</title>
-  <link rel="icon" type="image/png" href="/assets/logo.png">
-  <link rel="icon" type="image/svg+xml" href="/assets/logo.svg">
-  <meta name="csrf-token" content="">
-  <meta name="share-url" content="">
+  <meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><title>FileRise</title>
+  <script>(function(){try{var s=localStorage.getItem('darkMode');var isDark=(s===null)?(window.matchMedia&&window.matchMedia('(prefers-color-scheme: dark)').matches):(s==='1'||s==='true');var root=document.documentElement;root.setAttribute('data-theme',isDark?'dark':'light');root.classList.toggle('dark-mode',isDark);var bg=isDark?'#121212':'#ffffff';root.style.backgroundColor=bg;root.style.colorScheme=isDark?'dark':'light';root.style.setProperty('--pre-bg',bg);var m=document.querySelector('meta[name="theme-color"]');if(m)m.setAttribute('content',bg);}catch(e){}})();</script>
+  <style id="pretheme-css">
+    html,body,#loadingOverlay{background:var(--pre-bg,#ffffff) !important;}
+  </style>
+  <link rel="icon" type="image/png" href="/assets/logo.png"><link rel="icon" type="image/svg+xml" href="/assets/logo.svg">
+  <meta name="description" content="FileRise is a fast, self-hosted file manager with granular per-folder ACLs, drag-and-drop folder moves, WebDAV, tagging, and a clean UI.">
+  <meta name="csrf-token" content=""><meta name="share-url" content=""><meta name="theme-color" content="#0b5ed7"><meta name="color-scheme" content="light dark">
 
-  <style>.main-wrapper{display:none}#loadingOverlay{position:fixed;inset:0;background:var(--bg-color,#fff);z-index:9999;display:flex;align-items:center;justify-content:center}</style>
-  <link rel="stylesheet" href="/css/vendor/roboto.css?v=dev">
-  <link rel="stylesheet" href="/css/vendor/material-icons.css?v=dev">
-
-  <!-- Bootstrap CSS (local) -->
-  <link rel="stylesheet" href="/vendor/bootstrap/4.5.2/bootstrap.min.css?v=dev">
-
-  <!-- CodeMirror CSS (local) -->
-  <link rel="stylesheet" href="/vendor/codemirror/5.65.5/codemirror.min.css?v=dev">
-  <link rel="stylesheet" href="/vendor/codemirror/5.65.5/theme/material-darker.min.css?v=dev">
-
-  <!-- app CSS -->
-  <link rel="stylesheet" href="/css/styles.css?v=dev">
-
-  <!-- Libraries (JS) -->
-  <script src="/vendor/dompurify/2.4.0/purify.min.js?v=dev"></script>
-  <script src="/vendor/fuse/6.6.2/fuse.min.js?v=dev"></script>
-  <script src="/vendor/resumable/1.1.0/resumable.min.js?v=dev"></script>
-
-  <!-- CodeMirror core FIRST, then modes -->
-  <script src="/vendor/codemirror/5.65.5/codemirror.min.js?v=dev"></script>
-
-  <script src="/js/version.js?v=dev"></script>
-  <script type="module" src="/js/main.js"></script>
-
-</head>
+  
+<!-- Critical CSS -->
+  <link rel="stylesheet" href="/vendor/bootstrap/4.5.2/bootstrap.min.css?v={{APP_QVER}}">
+  <link rel="stylesheet" href="/css/styles.css?v={{APP_QVER}}">
+  <link rel="stylesheet" href="/css/vendor/roboto.css?v={{APP_QVER}}">
+  
+  <!-- Fonts (ok to keep as real preloads) -->
+  <link rel="preload" as="font" href="/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3KUBHMdazTgWw.woff2?v={{APP_QVER}}" type="font/woff2" crossorigin>
+  <link rel="preload" as="font" href="/fonts/roboto/KFO7CnqEu92Fr1ME7kSn66aGLdTylUAMa3yUBHMdazQ.woff2?v={{APP_QVER}}" type="font/woff2" crossorigin>
+  
+  <!-- Vendor & version (deferred) -->
+  <script src="/vendor/dompurify/2.4.0/purify.min.js?v={{APP_QVER}}" defer></script>
+  <script src="/js/version.js?v={{APP_QVER}}" defer></script>
+  
+  <!-- App entry -->
+  <link rel="modulepreload" href="/js/main.js?v={{APP_QVER}}"><script type="module" src="/js/main.js?v={{APP_QVER}}"></script>
+  </head>
 
 <body>
+  <div id="appRoot" style="visibility:hidden">
   <header class="header-container">
+   
     <div class="header-left">
       <a href="index.html">
         <div class="header-logo">
-          <svg version="1.1" id="filingCabinetLogo" xmlns="http://www.w3.org/2000/svg"
-            xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 64 64" xml:space="preserve">
-            <defs>
-              <!-- Gradient for the cabinet body -->
-              <linearGradient id="cabinetGradient" x1="0%" y1="0%" x2="0%" y2="100%">
-                <stop offset="0%" style="stop-color:#2196F3;stop-opacity:1" />
-                <stop offset="100%" style="stop-color:#1976D2;stop-opacity:1" />
-              </linearGradient>
-              <!-- Drop shadow filter with animated attributes for a lifting effect -->
-              <filter id="shadowFilter" x="-20%" y="-20%" width="140%" height="140%">
-                <feDropShadow id="dropShadow" dx="0" dy="2" stdDeviation="2" flood-color="#000" flood-opacity="0.2">
-                  <!-- Animate the vertical offset: from 2 to 1 (as it rises), hold, then back to 2 -->
-                  <animate attributeName="dy" values="2;1;1;2" keyTimes="0;0.2;0.8;1" dur="5s" fill="freeze" />
-                  <!-- Animate the blur similarly: from 2 to 1.5 then back to 2 -->
-                  <animate attributeName="stdDeviation" values="2;1.5;1.5;2" keyTimes="0;0.2;0.8;1" dur="5s"
-                    fill="freeze" />
-                </feDropShadow>
-              </filter>
-            </defs>
-            <style type="text/css">
-              /* Cabinet with gradient, white outline, and drop shadow */
-              .cabinet {
-                fill: url(#cabinetGradient);
-                stroke: white;
-                stroke-width: 2;
-              }
-
-              .divider {
-                stroke: #1565C0;
-                stroke-width: 1.5;
-              }
-
-              .drawer {
-                fill: #FFFFFF;
-              }
-
-              .handle {
-                fill: #1565C0;
-              }
-            </style>
-            <!-- Group that will animate upward and then back down once -->
-            <g id="cabinetGroup">
-              <!-- Cabinet Body with rounded corners, white outline, and drop shadow -->
-              <rect x="4" y="4" width="56" height="56" rx="6" ry="6" class="cabinet" filter="url(#shadowFilter)" />
-              <!-- Divider lines for drawers -->
-              <line x1="5" y1="22" x2="59" y2="22" class="divider" />
-              <line x1="5" y1="34" x2="59" y2="34" class="divider" />
-              <!-- Drawers with Handles -->
-              <rect x="8" y="24" width="48" height="6" rx="1" ry="1" class="drawer" />
-              <circle cx="54" cy="27" r="1.5" class="handle" />
-              <rect x="8" y="36" width="48" height="6" rx="1" ry="1" class="drawer" />
-              <circle cx="54" cy="39" r="1.5" class="handle" />
-              <rect x="8" y="48" width="48" height="6" rx="1" ry="1" class="drawer" />
-              <circle cx="54" cy="51" r="1.5" class="handle" />
-              <!-- Additional detail: a small top handle on the cabinet door -->
-              <rect x="28" y="10" width="8" height="4" rx="1" ry="1" fill="#1565C0" />
-              <!-- Animate transform: rises by 2 pixels over 1s, holds for 3s, then falls over 1s (total 5s) -->
-              <animateTransform attributeName="transform" type="translate" values="0 0; 0 -2; 0 -2; 0 0"
-                keyTimes="0;0.2;0.8;1" dur="5s" fill="freeze" />
-            </g>
-          </svg>
+          <img
+  src="/assets/logo.svg?v={{APP_QVER}}"
+  alt="FileRise"
+  class="logo"
+  width="50"
+  height="50"
+  decoding="async"
+  fetchpriority="high"
+/>
         </div>
       </a>
     </div>
+    
     <div class="header-title">
-      <h1 data-i18n-key="header_title">FileRise</h1>
+      <h1>FileRise</h1>
     </div>
     <div class="header-right">
       <div class="header-buttons-wrapper" style="display: flex; align-items: center; gap: 10px;">
-        <!-- Your header drop zone -->
+        
         <div id="headerDropArea" class="header-drop-zone"></div>
         <div class="header-buttons">
           <button id="changePasswordBtn" data-i18n-title="change_password" style="display: none;">
@@ -130,7 +73,7 @@
                 <!-- Trash items will be loaded here -->
               </div>
               <div style="text-align: right;">
-                <button id="restoreSelectedBtn" class="btn btn-primary" data-i18n-key="restore_selected">Restore
+                <button id="restoreSelectedBtn" class="btn btn-primary" data-i18n-key="restore_selected"  style="display: none;">Restore
                   Selected</button>
                 <button id="restoreAllBtn" class="btn btn-secondary" data-i18n-key="restore_all">Restore All</button>
                 <button id="deleteTrashSelectedBtn" class="btn btn-warning" data-i18n-key="delete_selected_trash">Delete
@@ -146,7 +89,7 @@
           <button id="removeUserBtn" data-i18n-title="remove_user" style="display: none;">
             <i class="material-icons">person_remove</i>
           </button>
-          <button id="darkModeToggle" class="btn-icon" aria-label="Toggle dark mode">
+          <button id="darkModeToggle" class="btn-icon" aria-label="Toggle dark mode"  hidden>
             <span class="material-icons" id="darkModeIcon">
               dark_mode
             </span>
@@ -155,15 +98,18 @@
       </div>
     </div>
   </header>
-
+  
   <div id="loadingOverlay"></div>
 
   <!-- Custom Toast Container -->
   <div id="customToast"></div>
   <div id="hiddenCardsContainer" style="display:none;"></div>
-
+  <main id="main" hidden>
   <div class="row mt-4" id="loginForm">
     <div class="col-12">
+      <div id="loginBox" class="login-box">
+        <div id="fr-login-tip" class="alert alert-info login-hint" role="status" aria-live="polite" style="display:none;"></div>
+  
       <form id="authForm" method="post">
         <div class="form-group">
           <label for="loginUsername" data-i18n-key="user">User:</label>
@@ -173,7 +119,7 @@
           <label for="loginPassword" data-i18n-key="password">Password:</label>
           <input type="password" class="form-control" id="loginPassword" name="password" required />
         </div>
-        <button type="submit" class="btn btn-primary btn-block btn-login" data-i18n-key="login">Login</button>
+        <button type="submit" class="btn btn-primary btn-block btn-login" data-i18n-key="login" data-default>Login</button>
         <div class="form-group remember-me-container">
           <input type="checkbox" id="rememberMeCheckbox" name="remember_me" />
           <label for="rememberMeCheckbox" data-i18n-key="remember_me">Remember me</label>
@@ -189,11 +135,14 @@
           HTTP
           Login</a>
       </div>
+      <div>
     </div>
   </div>
+</main>
+  
 
   <!-- Main Wrapper: Hidden by default; remove "display: none;" after login -->
-  <div class="main-wrapper">
+  <div class="main-wrapper" hidden>
     <!-- Sidebar Drop Zone: Hidden until you drag a card (display controlled by JS) -->
     <div id="sidebarDropArea" class="drop-target-sidebar"></div>
     <!-- Main Column -->
@@ -273,7 +222,7 @@
                           <div class="modal-footer" style="margin-top:15px; text-align:right;">
                             <button id="cancelMoveFolder" class="btn btn-secondary"
                               data-i18n-key="cancel">Cancel</button>
-                            <button id="confirmMoveFolder" class="btn btn-primary" data-i18n-key="move">Move</button>
+                            <button id="confirmMoveFolder" class="btn btn-primary" data-i18n-key="move" data-default>Move</button>
                           </div>
                         </div>
                       </div>
@@ -291,7 +240,7 @@
                             <button id="cancelRenameFolder" class="btn btn-secondary"
                               data-i18n-key="cancel">Cancel</button>
                             <button id="submitRenameFolder" class="btn btn-primary"
-                              data-i18n-key="rename">Rename</button>
+                              data-i18n-key="rename" data-default>Rename</button>
                           </div>
                         </div>
                       </div>
@@ -311,7 +260,7 @@
                             <button id="cancelDeleteFolder" class="btn btn-secondary"
                               data-i18n-key="cancel">Cancel</button>
                             <button id="confirmDeleteFolder" class="btn btn-danger"
-                              data-i18n-key="delete">Delete</button>
+                              data-i18n-key="delete" data-default>Delete</button>
                           </div>
                         </div>
                       </div>
@@ -347,7 +296,7 @@
                   selected files?</p>
                 <div class="modal-footer">
                   <button id="cancelDeleteFiles" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmDeleteFiles" class="btn btn-danger" data-i18n-key="delete">Delete</button>
+                  <button id="confirmDeleteFiles" class="btn btn-danger" data-i18n-key="delete" data-default>Delete</button>
                 </div>
               </div>
             </div>
@@ -361,7 +310,7 @@
                 <select id="copyTargetFolder" class="form-control modal-input"></select>
                 <div class="modal-footer">
                   <button id="cancelCopyFiles" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmCopyFiles" class="btn btn-primary" data-i18n-key="copy">Copy</button>
+                  <button id="confirmCopyFiles" class="btn btn-primary" data-i18n-key="copy" data-default>Copy</button>
                 </div>
               </div>
             </div>
@@ -375,7 +324,7 @@
                 <select id="moveTargetFolder" class="form-control modal-input"></select>
                 <div class="modal-footer">
                   <button id="cancelMoveFiles" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmMoveFiles" class="btn btn-primary" data-i18n-key="move">Move</button>
+                  <button id="confirmMoveFiles" class="btn btn-primary" data-i18n-key="move" data-default>Move</button>
                 </div>
               </div>
             </div>
@@ -383,35 +332,20 @@
               data-i18n-key="download_zip">Download ZIP</button>
             <button id="extractZipBtn" class="btn action-btn btn-sm btn-info"  style="display: none;" disabled
               data-i18n-key="extract_zip_button">Extract Zip</button>
-            <div id="createDropdown" class="dropdown-container" style="position:relative; display:inline-block;">
-              <button id="createBtn" class="btn action-btn" style="display: none;" data-i18n-key="create">
-                ${t('create')} <span class="material-icons"
-                  style="font-size:16px;vertical-align:middle;">arrow_drop_down</span>
-              </button>
-              <ul id="createMenu" class="dropdown-menu" style="
-                    display: none;
-                    position: absolute;
-                    top: 100%;
-                    left: 0;
-                    margin: 4px 0 0;
-                    padding: 0;
-                    list-style: none;
-                    background: #fff;
-                    border: 1px solid #ccc;
-                    box-shadow: 0 2px 6px rgba(0,0,0,0.2);
-                    z-index: 1000;
-                    min-width: 140px;
-                  ">
-                <li id="createFileOption" class="dropdown-item" data-i18n-key="create_file"
-                  style="padding:8px 12px; cursor:pointer;">
-                  ${t('create_file')}
-                </li>
-                <li id="createFolderOption" class="dropdown-item" data-i18n-key="create_folder"
-                  style="padding:8px 12px; cursor:pointer;">
-                  ${t('create_folder')}
-                </li>
-              </ul>
-            </div>
+              <div id="createDropdown" class="dropdown-container" style="position:relative; display:inline-block;">
+                <button id="createBtn" class="btn action-btn" type="button" style="display:none;" aria-haspopup="true" aria-expanded="false">
+                  <span data-i18n-key="create">Create</span>
+                  <span class="material-icons" style="font-size:16px;vertical-align:middle;">arrow_drop_down</span>
+                </button>
+                <ul id="createMenu" class="dropdown-menu" style="display:none; position:absolute; top:100%; left:0; margin:4px 0 0; padding:0; list-style:none; background:#fff; border:1px solid #ccc; box-shadow:0 2px 6px rgba(0,0,0,0.2); z-index:10010; min-width:160px;">
+                  <li id="createFileOption" class="dropdown-item" style="padding:8px 12px; cursor:pointer;">
+                    <span data-i18n-key="create_file">Create file</span>
+                  </li>
+                  <li id="createFolderOption" class="dropdown-item" style="padding:8px 12px; cursor:pointer;">
+                    <span data-i18n-key="create_folder">Create folder</span>
+                  </li>
+                </ul>
+              </div>
             <!-- Create File Modal -->
             <div id="createFileModal" class="modal" style="display:none;">
               <div class="modal-content">
@@ -420,7 +354,7 @@
                   data-i18n-placeholder="newfile_placeholder" />
                 <div class="modal-footer" style="margin-top:1rem; text-align:right;">
                   <button id="cancelCreateFile" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmCreateFile" class="btn btn-primary" data-i18n-key="create">Create</button>
+                  <button id="confirmCreateFile" class="btn btn-primary" data-i18n-key="create" data-default>Create</button>
                 </div>
               </div>
             </div>
@@ -432,7 +366,7 @@
                   placeholder="files.zip" />
                 <div class="modal-footer" style="margin-top:15px; text-align:right;">
                   <button id="cancelDownloadZip" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-                  <button id="confirmDownloadZip" class="btn btn-primary" data-i18n-key="download">Download</button>
+                  <button id="confirmDownloadZip" class="btn btn-primary" data-i18n-key="download" data-default>Download</button>
                 </div>
               </div>
             </div>
@@ -470,14 +404,14 @@
         placeholder="Filename" />
       <div style="margin-top: 15px; text-align: right;">
         <button id="cancelDownloadFile" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-        <button id="confirmSingleDownloadButton" class="btn btn-primary" data-i18n-key="download">Download</button>
+        <button id="confirmSingleDownloadButton" class="btn btn-primary" data-i18n-key="download" data-default>Download</button>
       </div>
     </div>
   </div>
 
   <!-- Change Password, Add User, Remove User, Rename File, and Custom Confirm Modals (unchanged) -->
   <div id="changePasswordModal" class="modal" style="display:none;">
-    <div class="modal-content" style="max-width:400px; margin:auto;">
+    <div class="modal-content" style="text-align: center; padding: 20px;">
       <span id="closeChangePasswordModal" class="editor-close-btn">&times;</span>
       <h3 data-i18n-key="change_password_title">Change Password</h3>
       <input type="password" id="oldPassword" class="form-control" data-i18n-placeholder="old_password"
@@ -486,7 +420,7 @@
         placeholder="New Password" style="width:100%; margin: 5px 0;" />
       <input type="password" id="confirmPassword" class="form-control" data-i18n-placeholder="confirm_new_password"
         placeholder="Confirm New Password" style="width:100%; margin: 5px 0;" />
-      <button id="saveNewPasswordBtn" class="btn btn-primary" data-i18n-key="save" style="width:100%;">Save</button>
+      <button id="saveNewPasswordBtn" class="btn btn-primary" data-i18n-key="save" style="width:100%;" data-default>Save</button>
     </div>
   </div>
   <div id="addUserModal" class="modal" style="display:none;">
@@ -511,7 +445,7 @@
             Cancel
           </button>
           <!-- Save becomes type="submit" -->
-          <button type="submit" id="saveUserBtn" class="btn btn-primary" data-i18n-key="save_user">
+          <button type="submit" id="saveUserBtn" class="btn btn-primary" data-i18n-key="save_user" data-default>
             Save User
           </button>
         </div>
@@ -536,7 +470,7 @@
         placeholder="Enter new file name" style="margin-top:10px;" />
       <div style="margin-top:15px; text-align:right;">
         <button id="cancelRenameFile" class="btn btn-secondary" data-i18n-key="cancel">Cancel</button>
-        <button id="submitRenameFile" class="btn btn-primary" data-i18n-key="rename">Rename</button>
+        <button id="submitRenameFile" class="btn btn-primary" data-i18n-key="rename" data-default>Rename</button>
       </div>
     </div>
   </div>
@@ -544,12 +478,12 @@
     <div class="modal-content">
       <p id="confirmMessage"></p>
       <div class="modal-actions">
-        <button id="confirmYesBtn" class="btn btn-primary" data-i18n-key="yes">Yes</button>
+        <button id="confirmYesBtn" class="btn btn-primary" data-i18n-key="yes" data-default>Yes</button>
         <button id="confirmNoBtn" class="btn btn-secondary" data-i18n-key="no">No</button>
       </div>
     </div>
   </div>
-
+</div>
 </body>
 
 </html>

public/js/adminPanel.js

@@ -1,8 +1,8 @@
 // adminPanel.js
-import { t } from './i18n.js';
-import { loadAdminConfigFunc } from './auth.js';
-import { showToast, toggleVisibility, attachEnterKeyListener } from './domUtils.js';
-import { sendRequest } from './networkUtils.js';
+import { t } from './i18n.js?v={{APP_QVER}}';
+import { loadAdminConfigFunc } from './auth.js?v={{APP_QVER}}';
+import { showToast, toggleVisibility, attachEnterKeyListener } from './domUtils.js?v={{APP_QVER}}';
+import { sendRequest } from './networkUtils.js?v={{APP_QVER}}';
 
 const version = window.APP_VERSION || "dev";
 const adminTitle = `${t("admin_panel")} <small style="font-size:12px;color:gray;">${version}</small>`;
@@ -10,16 +10,16 @@ const adminTitle = `${t("admin_panel")} <small style="font-size:12px;color:gray;
 
 function buildFullGrantsForAllFolders(folders) {
   const allTrue = {
-    view:true, viewOwn:false, manage:true, create:true, upload:true, edit:true,
-    rename:true, copy:true, move:true, delete:true, extract:true,
-    shareFile:true, shareFolder:true, share:true
+    view: true, viewOwn: false, manage: true, create: true, upload: true, edit: true,
+    rename: true, copy: true, move: true, delete: true, extract: true,
+    shareFile: true, shareFolder: true, share: true
   };
   return folders.reduce((acc, f) => { acc[f] = { ...allTrue }; return acc; }, {});
 }
 
 /* === BEGIN: Folder Access helpers (merged + improved) === */
-function qs(scope, sel){ return (scope||document).querySelector(sel); }
-function qsa(scope, sel){ return Array.from((scope||document).querySelectorAll(sel)); }
+function qs(scope, sel) { return (scope || document).querySelector(sel); }
+function qsa(scope, sel) { return Array.from((scope || document).querySelectorAll(sel)); }
 
 function enforceShareFolderRule(row) {
   const manage = qs(row, 'input[data-cap="manage"]');
@@ -37,6 +37,66 @@ function enforceShareFolderRule(row) {
   }
 }
 
+function wireHeaderTitleLive() {
+  const input = document.getElementById('headerTitle');
+  if (!input || input.__live) return;
+  input.__live = true;
+
+  const apply = (val) => {
+    const title = (val || '').trim() || 'FileRise';
+    const h1 = document.querySelector('.header-title h1');
+    if (h1) h1.textContent = title;
+    document.title = title;
+    window.headerTitle = val || ''; // preserve raw value user typed
+    try { localStorage.setItem('headerTitle', title); } catch { }
+  };
+
+  // apply current value immediately + on each keystroke
+  apply(input.value);
+  input.addEventListener('input', (e) => apply(e.target.value));
+}
+
+function renderMaskedInput({ id, label, hasValue, isSecret = false }) {
+  const type = isSecret ? 'password' : 'text';
+  const disabled = hasValue ? 'disabled data-replace="0" placeholder="•••••• (saved)"' : '';
+  const replaceBtn = hasValue
+    ? `<button type="button" class="btn btn-sm btn-outline-secondary" data-replace-for="${id}">Replace</button>`
+    : '';
+  const note = hasValue
+    ? `<small class="text-success" style="margin-left:4px;">Saved — leave blank to keep</small>`
+    : '';
+
+  return `
+    <div class="form-group">
+      <label for="${id}">${label}:</label>
+      <div style="display:flex; gap:8px; align-items:center;">
+        <input type="${type}" id="${id}" class="form-control" ${disabled} />
+        ${replaceBtn}
+      </div>
+      ${note}
+    </div>
+  `;
+}
+
+function wireReplaceButtons(scope = document) {
+  scope.querySelectorAll('[data-replace-for]').forEach(btn => {
+    if (btn.__wired) return;
+    btn.__wired = true;
+    btn.addEventListener('click', () => {
+      const id = btn.getAttribute('data-replace-for');
+      const inp = scope.querySelector('#' + id);
+      if (!inp) return;
+      inp.disabled = false;
+      inp.dataset.replace = '1';
+      inp.placeholder = '';
+      inp.value = '';
+      btn.textContent = 'Keep saved value';
+      btn.removeAttribute('data-replace-for');
+      btn.addEventListener('click', () => { /* no-op after first toggle */ }, { once: true });
+    }, { once: true });
+  });
+}
+
 function onShareFolderToggle(row, checked) {
   const manage = qs(row, 'input[data-cap="manage"]');
   const viewAll = qs(row, 'input[data-cap="view"]');
@@ -52,14 +112,14 @@ function onShareFileToggle(row, checked) {
   const viewAll = qs(row, 'input[data-cap="view"]');
   const viewOwn = qs(row, 'input[data-cap="viewOwn"]');
   const hasView = !!(viewAll && viewAll.checked);
-  const hasOwn  = !!(viewOwn && viewOwn.checked);
+  const hasOwn = !!(viewOwn && viewOwn.checked);
   if (!hasView && !hasOwn && viewOwn) {
     viewOwn.checked = true;
   }
 }
 
 function onWriteToggle(row, checked) {
-  const caps = ["create","upload","edit","rename","copy","delete","extract"];
+  const caps = ["create", "upload", "edit", "rename", "copy", "delete", "extract"];
   caps.forEach(c => {
     const box = qs(row, `input[data-cap="${c}"]`);
     if (box) box.checked = checked;
@@ -110,9 +170,9 @@ async function safeJson(res) {
         max-width: none !important;
       }
     }
-    body.dark-mode #adminPanelModal .modal-content { background:#2c2c2c !important; color:#e0e0e0 !important; border-color:#555 !important; }
-    body.dark-mode .form-control { background-color:#333; border-color:#555; color:#eee; }
-    body.dark-mode .form-control::placeholder { color:#888; }
+    .dark-mode #adminPanelModal .modal-content { background:#2c2c2c !important; color:#e0e0e0 !important; border-color:#555 !important; }
+    .dark-mode .form-control { background-color:#333; border-color:#555; color:#eee; }
+    .dark-mode .form-control::placeholder { color:#888; }
 
     .section-header {
       background:#f5f5f5; padding:10px 15px; cursor:pointer; border-radius:4px; font-weight:bold;
@@ -121,8 +181,8 @@ async function safeJson(res) {
     .section-header:first-of-type { margin-top:0; }
     .section-header.collapsed .material-icons { transform:rotate(-90deg); }
     .section-header .material-icons { transition:transform .3s; color:#444; }
-    body.dark-mode .section-header { background:#3a3a3a; color:#eee; }
-    body.dark-mode .section-header .material-icons { color:#ccc; }
+    .dark-mode .section-header { background:#3a3a3a; color:#eee; }
+    .dark-mode .section-header .material-icons { color:#ccc; }
 
     .section-content { display:none; margin-left:20px; margin-top:8px; margin-bottom:8px; }
 
@@ -133,7 +193,7 @@ async function safeJson(res) {
       border:2px solid transparent; transition:all .3s;
     }
     #adminPanelModal .editor-close-btn:hover { color:#fff; background:#ff4d4d; box-shadow:0 0 6px rgba(255,77,77,.8); transform:scale(1.05); }
-    body.dark-mode #adminPanelModal .editor-close-btn { background:rgba(0,0,0,0.6); color:#ff4d4d; }
+    .dark-mode #adminPanelModal .editor-close-btn { background:rgba(0,0,0,0.6); color:#ff4d4d; }
 
     .action-row { display:flex; justify-content:space-between; margin-top:15px; }
 
@@ -150,7 +210,7 @@ async function safeJson(res) {
       border-radius: 6px;
       padding: 0;
     }
-    body.dark-mode .folder-access-list { border-color:#555; }
+    .dark-mode .folder-access-list { border-color:#555; }
 
     .folder-access-header,
     .folder-access-row {
@@ -168,7 +228,7 @@ async function safeJson(res) {
       font-weight: 700;
       border-bottom: 1px solid rgba(0,0,0,0.12);
     }
-    body.dark-mode .folder-access-header { background:#2c2c2c; }
+    .dark-mode .folder-access-header { background:#2c2c2c; }
 
     .folder-access-row { border-bottom: 1px solid rgba(0,0,0,0.06); }
     .folder-access-row:last-child { border-bottom: none; }
@@ -197,8 +257,8 @@ async function safeJson(res) {
       color: #2064ff;
       margin-left: 6px;
     }
-    body.dark-mode .inherited-row { background: rgba(32,132,255,0.12); }
-    body.dark-mode .inherited-tag { background: rgba(32,132,255,0.2); color: #89b3ff; }
+    .dark-mode .inherited-row { background: rgba(32,132,255,0.12); }
+    .dark-mode .inherited-tag { background: rgba(32,132,255,0.2); color: #89b3ff; }
 
     @media (max-width: 900px) {
       .folder-access-list { --col-perm: 72px; --col-folder-min: 240px; }
@@ -214,7 +274,7 @@ async function safeJson(res) {
   /* nicer thin scrollbar (supported browsers) */
   .folder-cell::-webkit-scrollbar{ height:8px; }
   .folder-cell::-webkit-scrollbar-thumb{ background:rgba(0,0,0,.25); border-radius:4px; }
-  body.dark-mode .folder-cell::-webkit-scrollbar-thumb{ background:rgba(255,255,255,.25); }
+  .dark-mode .folder-cell::-webkit-scrollbar-thumb{ background:rgba(255,255,255,.25); }
 
   /* Badge now doesn't clip; let the wrapper handle scroll */
   .folder-badge{
@@ -426,20 +486,21 @@ export function openAdminPanel() {
             <div class="editor-close-btn" id="closeAdminPanel">&times;</div>
             <h3>${adminTitle}</h3>
             <form id="adminPanelForm">
-              ${[
-                { id: "userManagement", label: t("user_management") },
-                { id: "headerSettings", label: t("header_settings") },
-                { id: "loginOptions", label: t("login_options") },
-                { id: "webdav", label: "WebDAV Access" },
-                { id: "upload", label: t("shared_max_upload_size_bytes_title") },
-                { id: "oidc", label: t("oidc_configuration") + " & TOTP" },
-                { id: "shareLinks", label: t("manage_shared_links") }
-              ].map(sec => `
-                <div id="${sec.id}Header" class="section-header collapsed">
-                  ${sec.label} <i class="material-icons">expand_more</i>
-                </div>
-                <div id="${sec.id}Content" class="section-content"></div>
-              `).join("")}
+            ${[
+            { id: "userManagement", label: t("user_management") },
+            { id: "headerSettings", label: t("header_settings") },
+            { id: "loginOptions", label: t("login_options") },
+            { id: "webdav", label: "WebDAV Access" },
+            { id: "upload", label: t("shared_max_upload_size_bytes_title") },
+            { id: "oidc", label: t("oidc_configuration") + " & TOTP" },
+            { id: "shareLinks", label: t("manage_shared_links") },
+            { id: "sponsor", label: (typeof tf === 'function' ? tf("sponsor_donations", "Sponsor / Donations") : "Sponsor / Donations") }
+          ].map(sec => `
+              <div id="${sec.id}Header" class="section-header collapsed">
+                ${sec.label} <i class="material-icons">expand_more</i>
+              </div>
+              <div id="${sec.id}Content" class="section-content"></div>
+            `).join("")}
 
               <div class="action-row">
                 <button type="button" id="cancelAdminSettings" class="btn btn-secondary">${t("cancel")}</button>
@@ -453,7 +514,7 @@ export function openAdminPanel() {
         document.getElementById("closeAdminPanel").addEventListener("click", closeAdminPanel);
         document.getElementById("cancelAdminSettings").addEventListener("click", closeAdminPanel);
 
-        ["userManagement", "headerSettings", "loginOptions", "webdav", "upload", "oidc", "shareLinks"]
+        ["userManagement", "headerSettings", "loginOptions", "webdav", "upload", "oidc", "shareLinks", "sponsor"]
           .forEach(id => {
             document.getElementById(id + "Header")
               .addEventListener("click", () => toggleSection(id));
@@ -485,6 +546,7 @@ export function openAdminPanel() {
             <input type="text" id="headerTitle" class="form-control" value="${window.headerTitle || ""}" />
           </div>
         `;
+        wireHeaderTitleLive();
 
         document.getElementById("loginOptionsContent").innerHTML = `
           <div class="form-group"><input type="checkbox" id="disableFormLogin" /> <label for="disableFormLogin">${t("disable_login_form")}</label></div>
@@ -512,16 +574,34 @@ export function openAdminPanel() {
           </div>
         `;
 
+        const hasId = !!(config.oidc && config.oidc.hasClientId);
+        const hasSecret = !!(config.oidc && config.oidc.hasClientSecret);
+
         document.getElementById("oidcContent").innerHTML = `
-          <div class="form-text text-muted" style="margin-top:8px;">
-            <small>Note: OIDC credentials (Client ID/Secret) will show blank here after saving, but remain unchanged until you explicitly edit and save them.</small>
-          </div>
-          <div class="form-group"><label for="oidcProviderUrl">${t("oidc_provider_url")}:</label><input type="text" id="oidcProviderUrl" class="form-control" value="${window.currentOIDCConfig?.providerUrl || ""}" /></div>
-          <div class="form-group"><label for="oidcClientId">${t("oidc_client_id")}:</label><input type="text" id="oidcClientId" class="form-control" value="${window.currentOIDCConfig?.clientId || ""}" /></div>
-          <div class="form-group"><label for="oidcClientSecret">${t("oidc_client_secret")}:</label><input type="text" id="oidcClientSecret" class="form-control" value="${window.currentOIDCConfig?.clientSecret || ""}" /></div>
-          <div class="form-group"><label for="oidcRedirectUri">${t("oidc_redirect_uri")}:</label><input type="text" id="oidcRedirectUri" class="form-control" value="${window.currentOIDCConfig?.redirectUri || ""}" /></div>
-          <div class="form-group"><label for="globalOtpauthUrl">${t("global_otpauth_url")}:</label><input type="text" id="globalOtpauthUrl" class="form-control" value="${window.currentOIDCConfig?.globalOtpauthUrl || 'otpauth://totp/{label}?secret={secret}&issuer=FileRise'}" /></div>
-        `;
+  <div class="form-text text-muted" style="margin-top:8px;">
+    <small>Client ID/Secret are never shown after saving. A green note indicates a value is saved. Click “Replace” to overwrite.</small>
+  </div>
+
+  <div class="form-group">
+    <label for="oidcProviderUrl">${t("oidc_provider_url")}:</label>
+    <input type="text" id="oidcProviderUrl" class="form-control" value="${(window.currentOIDCConfig?.providerUrl || "")}" />
+  </div>
+
+  ${renderMaskedInput({ id: "oidcClientId", label: t("oidc_client_id"), hasValue: hasId })}
+  ${renderMaskedInput({ id: "oidcClientSecret", label: t("oidc_client_secret"), hasValue: hasSecret, isSecret: true })}
+
+  <div class="form-group">
+    <label for="oidcRedirectUri">${t("oidc_redirect_uri")}:</label>
+    <input type="text" id="oidcRedirectUri" class="form-control" value="${(window.currentOIDCConfig?.redirectUri || "")}" />
+  </div>
+
+  <div class="form-group">
+    <label for="globalOtpauthUrl">${t("global_otpauth_url")}:</label>
+    <input type="text" id="globalOtpauthUrl" class="form-control" value="${window.currentOIDCConfig?.globalOtpauthUrl || 'otpauth://totp/{label}?secret={secret}&issuer=FileRise'}" />
+  </div>
+`;
+
+        wireReplaceButtons(document.getElementById("oidcContent"));
 
         document.getElementById("shareLinksContent").textContent = t("loading") + "…";
 
@@ -545,6 +625,60 @@ export function openAdminPanel() {
           }
         });
 
+        // --- Sponsor (fixed, non-editable) ---
+        const SPONSOR_GH = "https://github.com/sponsors/error311";
+        const SPONSOR_KOFI = "https://ko-fi.com/error311";
+
+        document.getElementById("sponsorContent").innerHTML = `
+  <div class="form-group" style="margin-bottom:12px;">
+    <label for="sponsorGitHub">${(typeof tf === 'function' ? tf("github_sponsors_url", "GitHub Sponsors URL") : "GitHub Sponsors URL")}:</label>
+    <div class="input-group">
+      <input type="url"
+             id="sponsorGitHub"
+             class="form-control"
+             value="${SPONSOR_GH}"
+             readonly
+             data-ignore-dirty="1" />
+      <button type="button" id="copySponsorGitHub" class="btn btn-outline-primary">Copy</button>
+      <a class="btn btn-outline-secondary" id="openSponsorGitHub" target="_blank" rel="noopener">Open</a>
+    </div>
+  </div>
+
+  <div class="form-group" style="margin-bottom:12px;">
+    <label for="sponsorKoFi">${(typeof tf === 'function' ? tf("ko_fi_url", "Ko-fi URL") : "Ko-fi URL")}:</label>
+    <div class="input-group">
+      <input type="url"
+             id="sponsorKoFi"
+             class="form-control"
+             value="${SPONSOR_KOFI}"
+             readonly
+             data-ignore-dirty="1" />
+      <button type="button" id="copySponsorKoFi" class="btn btn-outline-primary">Copy</button>
+      <a class="btn btn-outline-secondary" id="openSponsorKoFi" target="_blank" rel="noopener">Open</a>
+    </div>
+  </div>
+
+  <small class="text-muted">${(typeof tf === 'function'
+            ? tf("sponsor_note_fixed", "Please consider supporting ongoing development.")
+            : "Please consider supporting ongoing development.")}</small>
+`;
+
+        // Wire copy + open (no changes tracked)
+        const ghInput = document.getElementById("sponsorGitHub");
+        const kfInput = document.getElementById("sponsorKoFi");
+
+        document.getElementById("copySponsorGitHub").addEventListener("click", async () => {
+          try { await navigator.clipboard.writeText(ghInput.value); } catch { }
+          showToast(typeof tf === 'function' ? tf("copied", "Copied!") : "Copied!");
+        });
+        document.getElementById("copySponsorKoFi").addEventListener("click", async () => {
+          try { await navigator.clipboard.writeText(kfInput.value); } catch { }
+          showToast(typeof tf === 'function' ? tf("copied", "Copied!") : "Copied!");
+        });
+
+        document.getElementById("openSponsorGitHub").href = SPONSOR_GH;
+        document.getElementById("openSponsorKoFi").href = SPONSOR_KOFI;
+
         const userMgmt = document.getElementById("userManagementContent");
         userMgmt?.removeEventListener("click", window.__userMgmtDelegatedClick);
         window.__userMgmtDelegatedClick = (e) => {
@@ -574,7 +708,11 @@ export function openAdminPanel() {
         document.getElementById("enableWebDAV").checked = config.enableWebDAV === true;
         document.getElementById("sharedMaxUploadSize").value = config.sharedMaxUploadSize || "";
         document.getElementById("oidcProviderUrl").value = window.currentOIDCConfig?.providerUrl || "";
-        document.getElementById("oidcClientId").value = window.currentOIDCConfig?.clientId || "";
+        const idEl = document.getElementById("oidcClientId");
+        const secEl = document.getElementById("oidcClientSecret");
+        if (!hasId) idEl.value = window.currentOIDCConfig?.clientId || "";
+        if (!hasSecret) secEl.value = window.currentOIDCConfig?.clientSecret || "";
+        wireReplaceButtons(document.getElementById("oidcContent"));
         document.getElementById("oidcClientSecret").value = window.currentOIDCConfig?.clientSecret || "";
         document.getElementById("oidcRedirectUri").value = window.currentOIDCConfig?.redirectUri || "";
         document.getElementById("globalOtpauthUrl").value = window.currentOIDCConfig?.globalOtpauthUrl || '';
@@ -585,57 +723,57 @@ export function openAdminPanel() {
 }
 
 function handleSave() {
-  const dFL = !!document.getElementById("disableFormLogin")?.checked;
-  const dBA = !!document.getElementById("disableBasicAuth")?.checked;
-  const dOIDC = !!document.getElementById("disableOIDCLogin")?.checked;
-  const aBypass = !!document.getElementById("authBypass")?.checked;
-  const aHeader = (document.getElementById("authHeaderName")?.value || "X-Remote-User").trim();
-  const eWD = !!document.getElementById("enableWebDAV")?.checked;
-  const sMax = parseInt(document.getElementById("sharedMaxUploadSize")?.value || "0", 10) || 0;
-  const nHT = (document.getElementById("headerTitle")?.value || "").trim();
-  const nOIDC = {
-    providerUrl: (document.getElementById("oidcProviderUrl")?.value || "").trim(),
-    clientId: (document.getElementById("oidcClientId")?.value || "").trim(),
-    clientSecret: (document.getElementById("oidcClientSecret")?.value || "").trim(),
-    redirectUri: (document.getElementById("oidcRedirectUri")?.value || "").trim()
+  const payload = {
+    header_title: document.getElementById("headerTitle")?.value || "",
+    loginOptions: {
+      disableFormLogin: document.getElementById("disableFormLogin").checked,
+      disableBasicAuth: document.getElementById("disableBasicAuth").checked,
+      disableOIDCLogin: document.getElementById("disableOIDCLogin").checked,
+      authBypass: document.getElementById("authBypass").checked,
+      authHeaderName: document.getElementById("authHeaderName").value.trim() || "X-Remote-User",
+    },
+    enableWebDAV: document.getElementById("enableWebDAV").checked,
+    sharedMaxUploadSize: parseInt(document.getElementById("sharedMaxUploadSize").value || "0", 10) || 0,
+    oidc: {
+      providerUrl: document.getElementById("oidcProviderUrl").value.trim(),
+      redirectUri: document.getElementById("oidcRedirectUri").value.trim(),
+      // clientId/clientSecret: only include when replacing
+    },
+    globalOtpauthUrl: document.getElementById("globalOtpauthUrl").value.trim(),
   };
-  const gURL = (document.getElementById("globalOtpauthUrl")?.value || "").trim();
 
-  if ([dFL, dBA, dOIDC].filter(x => x).length === 3) {
-    showToast(t("at_least_one_login_method"));
-    return;
+  const idEl = document.getElementById("oidcClientId");
+  const scEl = document.getElementById("oidcClientSecret");
+
+  if (idEl?.dataset.replace === '1' && idEl.value.trim() !== '') {
+    payload.oidc.clientId = idEl.value.trim();
+  }
+  if (scEl?.dataset.replace === '1' && scEl.value.trim() !== '') {
+    payload.oidc.clientSecret = scEl.value.trim();
   }
 
-  sendRequest("/api/admin/updateConfig.php", "POST", {
-    header_title: nHT,
-    oidc: nOIDC,
-    loginOptions: {
-      disableFormLogin: dFL,
-      disableBasicAuth: dBA,
-      disableOIDCLogin: dOIDC,
-      authBypass: aBypass,
-      authHeaderName: aHeader
+  fetch('/api/admin/updateConfig.php', {
+    method: 'POST',
+    credentials: 'include',
+    headers: {
+      'Content-Type': 'application/json',
+      'X-CSRF-Token': (document.querySelector('meta[name="csrf-token"]')?.content || '')
     },
-    enableWebDAV: eWD,
-    sharedMaxUploadSize: sMax,
-    globalOtpauthUrl: gURL
-  }, { "X-CSRF-Token": window.csrfToken })
-    .then(res => {
-      if (res.success) {
-        showToast(t("settings_updated_successfully"), "success");
-        captureInitialAdminConfig();
-        closeAdminPanel();
-        loadAdminConfigFunc();
-      } else {
-        showToast(t("error_updating_settings") + ": " + (res.error || t("unknown_error")), "error");
-      }
-    }).catch(() => {/*noop*/ });
+    body: JSON.stringify(payload)
+  })
+    .then(r => r.json())
+    .then(j => {
+      if (j.error) { showToast('Error: ' + j.error); return; }
+      showToast('Settings saved.');
+      closeAdminPanel();
+    })
+    .catch(() => showToast('Save failed.'));
 }
 
 export async function closeAdminPanel() {
   if (hasUnsavedChanges()) {
-    const ok = await showCustomConfirmModal(t("unsaved_changes_confirm"));
-    if (!ok) return;
+    //const ok = await showCustomConfirmModal(t("unsaved_changes_confirm"));
+    //if (!ok) return;
   }
   const m = document.getElementById("adminPanelModal");
   if (m) m.style.display = "none";
@@ -645,29 +783,29 @@ export async function closeAdminPanel() {
    New: Folder Access (ACL) UI
    =========================== */
 
-   let __allFoldersCache = null;
+let __allFoldersCache = null;
 
-   async function getAllFolders(force = false) {
-     if (!force && __allFoldersCache) return __allFoldersCache.slice();
-   
-     const res = await fetch('/api/folder/getFolderList.php?ts=' + Date.now(), {
-       credentials: 'include',
-       cache: 'no-store',
-       headers: { 'Cache-Control': 'no-store' }
-     });
-     const data = await safeJson(res).catch(() => []);
-     const list = Array.isArray(data)
-       ? data.map(x => (typeof x === 'string' ? x : x.folder)).filter(Boolean)
-       : [];
-   
-     const hidden = new Set(['profile_pics', 'trash']);
-     const cleaned = list
-       .filter(f => f && !hidden.has(f.toLowerCase()))
-       .sort((a, b) => (a === 'root' ? -1 : b === 'root' ? 1 : a.localeCompare(b)));
-   
-     __allFoldersCache = cleaned;
-     return cleaned.slice();
-   }
+async function getAllFolders(force = false) {
+  if (!force && __allFoldersCache) return __allFoldersCache.slice();
+
+  const res = await fetch('/api/folder/getFolderList.php?ts=' + Date.now(), {
+    credentials: 'include',
+    cache: 'no-store',
+    headers: { 'Cache-Control': 'no-store' }
+  });
+  const data = await safeJson(res).catch(() => []);
+  const list = Array.isArray(data)
+    ? data.map(x => (typeof x === 'string' ? x : x.folder)).filter(Boolean)
+    : [];
+
+  const hidden = new Set(['profile_pics', 'trash']);
+  const cleaned = list
+    .filter(f => f && !hidden.has(f.toLowerCase()))
+    .sort((a, b) => (a === 'root' ? -1 : b === 'root' ? 1 : a.localeCompare(b)));
+
+  __allFoldersCache = cleaned;
+  return cleaned.slice();
+}
 
 async function getUserGrants(username) {
   const res = await fetch(`/api/admin/acl/getGrants.php?user=${encodeURIComponent(username)}`, {
@@ -683,7 +821,7 @@ function renderFolderGrantsUI(username, container, folders, grants) {
   // toolbar
   const toolbar = document.createElement('div');
   toolbar.className = 'folder-access-toolbar';
-toolbar.innerHTML = `
+  toolbar.innerHTML = `
   <input type="text" class="form-control" style="max-width:220px;"
          placeholder="${tf('search_folders', 'Search folders')}" />
 
@@ -717,8 +855,8 @@ toolbar.innerHTML = `
 
   const headerHtml = `
   <div class="folder-access-header">
-    <div class="folder-cell" title="${tf('folder_help','Folder path within FileRise')}">
-      ${tf('folder','Folder')}
+    <div class="folder-cell" title="${tf('folder_help', 'Folder path within FileRise')}">
+      ${tf('folder', 'Folder')}
     </div>
     <div class="perm-col" title="${tf('view_all_help', 'See all files in this folder (everyone’s files)')}">
       ${tf('view_all', 'View (all)')}
@@ -802,7 +940,7 @@ toolbar.innerHTML = `
   }
 
   function refreshInheritance() {
-    const rows = qsa(list, '.folder-access-row').sort((a,b)=> (a.dataset.folder||'').length - (b.dataset.folder||'').length);
+    const rows = qsa(list, '.folder-access-row').sort((a, b) => (a.dataset.folder || '').length - (b.dataset.folder || '').length);
     const managedPrefixes = new Set();
     rows.forEach(row => {
       const folder = row.dataset.folder || "";
@@ -813,13 +951,13 @@ toolbar.innerHTML = `
         if (p && folder !== p && folder.startsWith(p + '/')) { inheritedFrom = p; break; }
       }
       if (inheritedFrom) {
-        const v = qs(row,'input[data-cap="view"]');
-        const w = qs(row,'input[data-cap="write"]');
-        const vo= qs(row,'input[data-cap="viewOwn"]');
+        const v = qs(row, 'input[data-cap="view"]');
+        const w = qs(row, 'input[data-cap="write"]');
+        const vo = qs(row, 'input[data-cap="viewOwn"]');
         if (v) v.checked = true;
         if (w) w.checked = true;
         if (vo) { vo.checked = false; vo.disabled = true; }
-        ['create','upload','edit','rename','copy','delete','extract','shareFile','shareFolder']
+        ['create', 'upload', 'edit', 'rename', 'copy', 'delete', 'extract', 'shareFile', 'shareFolder']
           .forEach(c => { const cb = qs(row, `input[data-cap="${c}"]`); if (cb) cb.checked = true; });
         setRowDisabled(row, true);
         const tag = row.querySelector('.inherited-tag');
@@ -828,8 +966,8 @@ toolbar.innerHTML = `
         setRowDisabled(row, false);
       }
       enforceShareFolderRule(row);
-      const cbView = qs(row,'input[data-cap="view"]');
-      const cbViewOwn = qs(row,'input[data-cap="viewOwn"]');
+      const cbView = qs(row, 'input[data-cap="view"]');
+      const cbViewOwn = qs(row, 'input[data-cap="viewOwn"]');
       if (cbView && cbViewOwn) {
         if (cbView.checked) {
           cbViewOwn.checked = false;
@@ -847,8 +985,8 @@ toolbar.innerHTML = `
     if (!checked && (which === 'view' || which === 'viewOwn')) {
       qsa(row, 'input[type="checkbox"]').forEach(cb => cb.checked = false);
     }
-    const cbView = qs(row,'input[data-cap="view"]');
-    const cbVO = qs(row,'input[data-cap="viewOwn"]');
+    const cbView = qs(row, 'input[data-cap="view"]');
+    const cbVO = qs(row, 'input[data-cap="viewOwn"]');
     if (cbView && cbVO) {
       if (cbView.checked) {
         cbVO.checked = false;
@@ -863,19 +1001,19 @@ toolbar.innerHTML = `
   }
 
   function wireRow(row) {
-    const cbView    = row.querySelector('input[data-cap="view"]');
+    const cbView = row.querySelector('input[data-cap="view"]');
     const cbViewOwn = row.querySelector('input[data-cap="viewOwn"]');
-    const cbWrite   = row.querySelector('input[data-cap="write"]');
-    const cbManage  = row.querySelector('input[data-cap="manage"]');
-    const cbCreate  = row.querySelector('input[data-cap="create"]');
-    const cbUpload  = row.querySelector('input[data-cap="upload"]');
-    const cbEdit    = row.querySelector('input[data-cap="edit"]');
-    const cbRename  = row.querySelector('input[data-cap="rename"]');
-    const cbCopy    = row.querySelector('input[data-cap="copy"]');
-    const cbMove    = row.querySelector('input[data-cap="move"]');
-    const cbDelete  = row.querySelector('input[data-cap="delete"]');
+    const cbWrite = row.querySelector('input[data-cap="write"]');
+    const cbManage = row.querySelector('input[data-cap="manage"]');
+    const cbCreate = row.querySelector('input[data-cap="create"]');
+    const cbUpload = row.querySelector('input[data-cap="upload"]');
+    const cbEdit = row.querySelector('input[data-cap="edit"]');
+    const cbRename = row.querySelector('input[data-cap="rename"]');
+    const cbCopy = row.querySelector('input[data-cap="copy"]');
+    const cbMove = row.querySelector('input[data-cap="move"]');
+    const cbDelete = row.querySelector('input[data-cap="delete"]');
     const cbExtract = row.querySelector('input[data-cap="extract"]');
-    const cbShareF  = row.querySelector('input[data-cap="shareFile"]');
+    const cbShareF = row.querySelector('input[data-cap="shareFile"]');
     const cbShareFo = row.querySelector('input[data-cap="shareFolder"]');
 
     const granular = [cbCreate, cbUpload, cbEdit, cbRename, cbCopy, cbMove, cbDelete, cbExtract];
@@ -885,7 +1023,7 @@ toolbar.innerHTML = `
         if (cbView) cbView.checked = true;
         if (cbWrite) cbWrite.checked = true;
         granular.forEach(cb => { if (cb) cb.checked = true; });
-        if (cbShareF)  cbShareF.checked = true;
+        if (cbShareF) cbShareF.checked = true;
         if (cbShareFo && !cbShareFo.disabled) cbShareFo.checked = true;
       }
     };
@@ -919,7 +1057,7 @@ toolbar.innerHTML = `
         const w = r.querySelector('input[data-cap="write"]');
         const vo = r.querySelector('input[data-cap="viewOwn"]');
         const boxes = [
-          'create','upload','edit','rename','copy','delete','extract','shareFile','shareFolder'
+          'create', 'upload', 'edit', 'rename', 'copy', 'delete', 'extract', 'shareFile', 'shareFolder'
         ].map(c => r.querySelector(`input[data-cap="${c}"]`));
         if (m) m.checked = checked;
         if (v) v.checked = checked;
@@ -932,7 +1070,7 @@ toolbar.innerHTML = `
     };
 
     if (cbManage) cbManage.addEventListener('change', () => { applyManage(); onShareFile(); cascadeManage(cbManage.checked); });
-    if (cbWrite)  cbWrite.addEventListener('change', applyWrite);
+    if (cbWrite) cbWrite.addEventListener('change', applyWrite);
     granular.forEach(cb => { if (cb) cb.addEventListener('change', () => { syncWriteFromGranular(); }); });
     if (cbView) cbView.addEventListener('change', () => { setFromViewChange(row, 'view', cbView.checked); refreshInheritance(); });
     if (cbViewOwn) cbViewOwn.addEventListener('change', () => { setFromViewChange(row, 'viewOwn', cbViewOwn.checked); refreshInheritance(); });
@@ -1004,18 +1142,18 @@ function collectGrantsFrom(container) {
     const folder = row.dataset.folder || row.getAttribute('data-folder');
     if (!folder) return;
     const g = {
-      view:        get(row, 'input[data-cap="view"]'),
-      viewOwn:     get(row, 'input[data-cap="viewOwn"]'),
-      manage:      get(row, 'input[data-cap="manage"]'),
-      create:      get(row, 'input[data-cap="create"]'),
-      upload:      get(row, 'input[data-cap="upload"]'),
-      edit:        get(row, 'input[data-cap="edit"]'),
-      rename:      get(row, 'input[data-cap="rename"]'),
-      copy:        get(row, 'input[data-cap="copy"]'),
-      move:        get(row, 'input[data-cap="move"]'),
-      delete:      get(row, 'input[data-cap="delete"]'),
-      extract:     get(row, 'input[data-cap="extract"]'),
-      shareFile:   get(row, 'input[data-cap="shareFile"]'),
+      view: get(row, 'input[data-cap="view"]'),
+      viewOwn: get(row, 'input[data-cap="viewOwn"]'),
+      manage: get(row, 'input[data-cap="manage"]'),
+      create: get(row, 'input[data-cap="create"]'),
+      upload: get(row, 'input[data-cap="upload"]'),
+      edit: get(row, 'input[data-cap="edit"]'),
+      rename: get(row, 'input[data-cap="rename"]'),
+      copy: get(row, 'input[data-cap="copy"]'),
+      move: get(row, 'input[data-cap="move"]'),
+      delete: get(row, 'input[data-cap="delete"]'),
+      extract: get(row, 'input[data-cap="extract"]'),
+      shareFile: get(row, 'input[data-cap="shareFile"]'),
       shareFolder: get(row, 'input[data-cap="shareFolder"]')
     };
     g.share = !!(g.shareFile || g.shareFolder);
@@ -1074,16 +1212,16 @@ export function openUserPermissionsModal() {
     });
     document.getElementById("saveUserPermissionsBtn").addEventListener("click", async () => {
       const rows = userPermissionsModal.querySelectorAll(".user-permission-row");
-const changes = [];
-rows.forEach(row => {
-  if (row.getAttribute("data-admin") === "1") return; // skip admins
-  const username = String(row.getAttribute("data-username") || "").trim();
-  if (!username) return;
-  const grantsBox = row.querySelector(".folder-grants-box");
-  if (!grantsBox || grantsBox.getAttribute('data-loaded') !== '1') return;
-  const grants = collectGrantsFrom(grantsBox);
-  changes.push({ user: username, grants });
-});
+      const changes = [];
+      rows.forEach(row => {
+        if (row.getAttribute("data-admin") === "1") return; // skip admins
+        const username = String(row.getAttribute("data-username") || "").trim();
+        if (!username) return;
+        const grantsBox = row.querySelector(".folder-grants-box");
+        if (!grantsBox || grantsBox.getAttribute('data-loaded') !== '1') return;
+        const grants = collectGrantsFrom(grantsBox);
+        changes.push({ user: username, grants });
+      });
       try {
         if (changes.length === 0) { showToast(tf("nothing_to_save", "Nothing to save")); return; }
         await sendRequest("/api/admin/acl/saveGrants.php", "POST",
@@ -1284,70 +1422,70 @@ async function loadUserPermissionsList() {
     const folders = await getAllFolders(true);
 
     listContainer.innerHTML = "";
-users.forEach(user => {
-  const isAdmin = (user.role && String(user.role) === "1") || String(user.username).toLowerCase() === "admin";
+    users.forEach(user => {
+      const isAdmin = (user.role && String(user.role) === "1") || String(user.username).toLowerCase() === "admin";
 
-  const row = document.createElement("div");
-  row.classList.add("user-permission-row");
-  row.setAttribute("data-username", user.username);
-  if (isAdmin) row.setAttribute("data-admin", "1"); // mark admins
-  row.style.padding = "6px 0";
+      const row = document.createElement("div");
+      row.classList.add("user-permission-row");
+      row.setAttribute("data-username", user.username);
+      if (isAdmin) row.setAttribute("data-admin", "1"); // mark admins
+      row.style.padding = "6px 0";
 
-  row.innerHTML = `
+      row.innerHTML = `
     <div class="user-perm-header" tabindex="0" role="button" aria-expanded="false"
          style="display:flex;align-items:center;gap:8px;cursor:pointer;padding:6px 8px;border-radius:6px;">
       <span class="perm-caret" style="display:inline-block; transform: rotate(-90deg); transition: transform 120ms ease;">▸</span>
       <strong>${user.username}</strong>
       ${isAdmin ? `<span class="muted" style="margin-left:auto;">Admin (full access)</span>`
-                : `<span class="muted" style="margin-left:auto;">${tf('click_to_edit', 'Click to edit')}</span>`}
+          : `<span class="muted" style="margin-left:auto;">${tf('click_to_edit', 'Click to edit')}</span>`}
     </div>
     <div class="user-perm-details" style="display:none; margin:8px 0 12px;">
       <div class="folder-grants-box" data-loaded="0"></div>
     </div>
   `;
 
-  const header = row.querySelector(".user-perm-header");
-  const details = row.querySelector(".user-perm-details");
-  const caret = row.querySelector(".perm-caret");
-  const grantsBox = row.querySelector(".folder-grants-box");
+      const header = row.querySelector(".user-perm-header");
+      const details = row.querySelector(".user-perm-details");
+      const caret = row.querySelector(".perm-caret");
+      const grantsBox = row.querySelector(".folder-grants-box");
 
-  async function ensureLoaded() {
-    if (grantsBox.dataset.loaded === "1") return;
-    try {
-      let grants;
-      if (isAdmin) {
-        // synthesize full access
-        const ordered = ["root", ...folders.filter(f => f !== "root")];
-        grants = buildFullGrantsForAllFolders(ordered);
-        renderFolderGrantsUI(user.username, grantsBox, ordered, grants);
-        // disable all inputs
-        grantsBox.querySelectorAll('input[type="checkbox"]').forEach(cb => cb.disabled = true);
-      } else {
-        const userGrants = await getUserGrants(user.username);
-        renderFolderGrantsUI(user.username, grantsBox, ["root", ...folders.filter(f => f !== "root")], userGrants);
+      async function ensureLoaded() {
+        if (grantsBox.dataset.loaded === "1") return;
+        try {
+          let grants;
+          if (isAdmin) {
+            // synthesize full access
+            const ordered = ["root", ...folders.filter(f => f !== "root")];
+            grants = buildFullGrantsForAllFolders(ordered);
+            renderFolderGrantsUI(user.username, grantsBox, ordered, grants);
+            // disable all inputs
+            grantsBox.querySelectorAll('input[type="checkbox"]').forEach(cb => cb.disabled = true);
+          } else {
+            const userGrants = await getUserGrants(user.username);
+            renderFolderGrantsUI(user.username, grantsBox, ["root", ...folders.filter(f => f !== "root")], userGrants);
+          }
+          grantsBox.dataset.loaded = "1";
+        } catch (e) {
+          console.error(e);
+          grantsBox.innerHTML = `<div class="muted">${tf("error_loading_user_grants", "Error loading user grants")}</div>`;
+        }
       }
-      grantsBox.dataset.loaded = "1";
-    } catch (e) {
-      console.error(e);
-      grantsBox.innerHTML = `<div class="muted">${tf("error_loading_user_grants", "Error loading user grants")}</div>`;
-    }
-  }
 
-  function toggleOpen() {
-    const willShow = details.style.display === "none";
-    details.style.display = willShow ? "block" : "none";
-    header.setAttribute("aria-expanded", willShow ? "true" : "false");
-    caret.style.transform = willShow ? "rotate(0deg)" : "rotate(-90deg)";
-    if (willShow) ensureLoaded();
-  }
+      function toggleOpen() {
+        const willShow = details.style.display === "none";
+        details.style.display = willShow ? "block" : "none";
+        header.setAttribute("aria-expanded", willShow ? "true" : "false");
+        caret.style.transform = willShow ? "rotate(0deg)" : "rotate(-90deg)";
+        if (willShow) ensureLoaded();
+      }
 
-  header.addEventListener("click", toggleOpen);
-  header.addEventListener("keydown", e => {
-    if (e.key === "Enter" || e.key === " ") { e.preventDefault(); toggleOpen(); }
-  });
+      header.addEventListener("click", toggleOpen);
+      header.addEventListener("keydown", e => {
+        if (e.key === "Enter" || e.key === " ") { e.preventDefault(); toggleOpen(); }
+      });
 
-  listContainer.appendChild(row);
-});
+      listContainer.appendChild(row);
+    });
   } catch (err) {
     console.error(err);
     listContainer.innerHTML = "<p>" + t("error_loading_users") + "</p>";

public/js/appCore.js

@@ -0,0 +1,177 @@
+// /js/appCore.js
+import { showToast } from './domUtils.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
+import { loadFolderTree } from './folderManager.js?v={{APP_QVER}}';
+import { setupTrashRestoreDelete } from './trashRestoreDelete.js?v={{APP_QVER}}';
+import { initDragAndDrop, loadSidebarOrder, loadHeaderOrder } from './dragAndDrop.js?v={{APP_QVER}}';
+import { initTagSearch } from './fileTags.js?v={{APP_QVER}}';
+import { initFileActions } from './fileActions.js?v={{APP_QVER}}';
+import { initUpload } from './upload.js?v={{APP_QVER}}';
+import { loadAdminConfigFunc } from './auth.js?v={{APP_QVER}}';
+
+// Keep a bound handle to the native fetch so wrappers elsewhere never recurse
+const _nativeFetch = window.fetch.bind(window);
+
+/* =========================
+   CSRF UTILITIES (shared)
+   ========================= */
+export function setCsrfToken(token) {
+  if (!token) return;
+  window.csrfToken = token;
+  localStorage.setItem('csrf', token);
+
+  // meta tag for easy access in other places
+  let meta = document.querySelector('meta[name="csrf-token"]');
+  if (!meta) {
+    meta = document.createElement('meta');
+    meta.name = 'csrf-token';
+    document.head.appendChild(meta);
+  }
+  meta.content = token;
+}
+
+export function getCsrfToken() {
+  return window.csrfToken || localStorage.getItem('csrf') || '';
+}
+
+/**
+ * Bootstrap/refresh CSRF from the server.
+ * Uses the native fetch to avoid wrapper loops and accepts rotated tokens via header.
+ */
+export async function loadCsrfToken() {
+  const res = await _nativeFetch('/api/auth/token.php', { method: 'GET', credentials: 'include' });
+
+  // header-based rotation
+  const hdr = res.headers.get('X-CSRF-Token');
+  if (hdr) setCsrfToken(hdr);
+
+  // body (if provided)
+  let body = {};
+  try { body = await res.json(); } catch { /* token endpoint may return empty */ }
+
+  const token = body.csrf_token || getCsrfToken();
+  setCsrfToken(token);
+
+  // share-url meta should reflect the actual origin
+  const actualShare = window.location.origin;
+  let shareMeta = document.querySelector('meta[name="share-url"]');
+  if (!shareMeta) {
+    shareMeta = document.createElement('meta');
+    shareMeta.name = 'share-url';
+    document.head.appendChild(shareMeta);
+  }
+  shareMeta.content = actualShare;
+
+  return { csrf_token: token, share_url: actualShare };
+}
+
+/* =========================
+   APP INIT (shared)
+   ========================= */
+export function initializeApp() {
+  const saved = parseInt(localStorage.getItem('rowHeight') || '48', 10);
+  document.documentElement.style.setProperty('--file-row-height', saved + 'px');
+
+  const last = localStorage.getItem('lastOpenedFolder');
+  window.currentFolder = last ? last : "root";
+
+  const stored = localStorage.getItem('showFoldersInList');
+  window.showFoldersInList = stored === null ? true : stored === 'true';
+
+  // Load public site config early (safe subset)
+  loadAdminConfigFunc();
+
+  // Enable tag search UI; initial file list load is controlled elsewhere
+  initTagSearch();
+
+  // Hook DnD relay from fileList area into upload area
+  const fileListArea = document.getElementById('fileListContainer');
+  const uploadArea = document.getElementById('uploadDropArea');
+  if (fileListArea && uploadArea) {
+    fileListArea.addEventListener('dragover', e => {
+      e.preventDefault();
+      fileListArea.classList.add('drop-hover');
+    });
+    fileListArea.addEventListener('dragleave', () => {
+      fileListArea.classList.remove('drop-hover');
+    });
+    fileListArea.addEventListener('drop', e => {
+      e.preventDefault();
+      fileListArea.classList.remove('drop-hover');
+      uploadArea.dispatchEvent(new DragEvent('drop', {
+        dataTransfer: e.dataTransfer,
+        bubbles: true,
+        cancelable: true
+      }));
+    });
+  }
+
+  // App subsystems
+  initDragAndDrop();
+  loadSidebarOrder();
+  loadHeaderOrder();
+  initFileActions();
+  initUpload();
+  loadFolderTree();
+
+  // Only run trash/restore for admins
+  const isAdmin =
+    localStorage.getItem('isAdmin') === '1' || localStorage.getItem('isAdmin') === 'true';
+  if (isAdmin) {
+    setupTrashRestoreDelete();
+  }
+
+  // Small help tooltip toggle
+  const helpBtn = document.getElementById("folderHelpBtn");
+  const helpTooltip = document.getElementById("folderHelpTooltip");
+  if (helpBtn && helpTooltip) {
+    helpBtn.addEventListener("click", () => {
+      helpTooltip.style.display =
+        helpTooltip.style.display === "block" ? "none" : "block";
+    });
+  }
+}
+
+/* =========================
+   LOGOUT (shared)
+   ========================= */
+export function triggerLogout() {
+  const clearWelcomeFlags = () => {
+    try {
+      // one-per-tab toast guard
+      sessionStorage.removeItem('__fr_welcomed');
+      // if you also used the per-user (all-tabs) guard, clear that too:
+      const u = localStorage.getItem('username') || '';
+      if (u) localStorage.removeItem(`__fr_welcomed_${u}`);
+    } catch { }
+  };
+
+  _nativeFetch("/api/auth/logout.php", {
+    method: "POST",
+    credentials: "include",
+    headers: { "X-CSRF-Token": getCsrfToken() }
+  })
+    .then(() => {
+      clearWelcomeFlags();
+      window.location.reload(true);
+    })
+    .catch(() => {
+      // even if the request fails, clear the flags so the next login can toast
+      clearWelcomeFlags();
+      window.location.reload(true);
+    });
+}
+
+/* =========================
+   Global UX guard (unchanged)
+   ========================= */
+window.addEventListener("unhandledrejection", (ev) => {
+  const msg = (ev?.reason && ev.reason.message) || "";
+  if (msg === "auth") {
+    showToast(t("please_sign_in_again") || "Please sign in again.", "error");
+    ev.preventDefault();
+  } else if (msg === "forbidden") {
+    showToast(t("no_access_to_resource") || "You don’t have access to that.", "error");
+    ev.preventDefault();
+  }
+});

public/js/auth.js

@@ -1,15 +1,15 @@
-import { sendRequest } from './networkUtils.js';
-import { t, applyTranslations } from './i18n.js';
+import { sendRequest } from './networkUtils.js?v={{APP_QVER}}';
+import { t, applyTranslations } from './i18n.js?v={{APP_QVER}}';
 import {
   toggleVisibility,
   showToast as originalShowToast,
   attachEnterKeyListener,
   showCustomConfirmModal
-} from './domUtils.js';
-import { loadFileList } from './fileListView.js';
-import { initFileActions } from './fileActions.js';
-import { renderFileTable } from './fileListView.js';
-import { loadFolderTree } from './folderManager.js';
+} from './domUtils.js?v={{APP_QVER}}';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
+import { initFileActions } from './fileActions.js?v={{APP_QVER}}';
+import { renderFileTable } from './fileListView.js?v={{APP_QVER}}';
+import { loadFolderTree } from './folderManager.js?v={{APP_QVER}}';
 import {
   openTOTPLoginModal as originalOpenTOTPLoginModal,
   openUserPanel,
@@ -17,9 +17,9 @@ import {
   closeTOTPModal,
   setLastLoginData,
   openApiModal
-} from './authModals.js';
-import { openAdminPanel } from './adminPanel.js';
-import { initializeApp, triggerLogout } from './main.js';
+} from './authModals.js?v={{APP_QVER}}';
+import { openAdminPanel } from './adminPanel.js?v={{APP_QVER}}';
+import { initializeApp, triggerLogout } from './appCore.js?v={{APP_QVER}}';
 
 // Production OIDC configuration (override via API as needed)
 const currentOIDCConfig = {
@@ -31,6 +31,49 @@ const currentOIDCConfig = {
 };
 window.currentOIDCConfig = currentOIDCConfig;
 
+
+
+(function installToastFilter() {
+  const isDemoHost = location.hostname.toLowerCase() === 'demo.filerise.net';
+
+  window.__FR_TOAST_FILTER__ = function (msgKeyOrText) {
+    // Suppress the nag while doing TOTP step-up
+    if (window.pendingTOTP && (msgKeyOrText === 'please_log_in_to_continue' ||
+      /please log in/i.test(String(msgKeyOrText)))) {
+      return null; // suppress
+    }
+
+    // Demo host
+    if (isDemoHost && (msgKeyOrText === 'please_log_in_to_continue' ||
+      /please log in/i.test(String(msgKeyOrText)))) {
+      return "Demo site — use:\nUsername: demo\nPassword: demo";
+    }
+
+    // Try to translate keys; pass through plain text
+    try {
+      const maybe = t(msgKeyOrText);
+      if (typeof maybe === 'string' && maybe !== msgKeyOrText) return maybe;
+    } catch { }
+    return msgKeyOrText;
+  };
+})();
+
+function queueWelcomeToast(name) {
+  const uname = String(name || '').trim().slice(0, 80);
+  if (!uname) return;
+  // show immediately (if we don’t reload instantly)
+  try {
+    window.dispatchEvent(new CustomEvent('filerise:toast', {
+      detail: { message: `Welcome back, ${uname}!`, duration: 2000 }
+    }));
+  } catch { }
+
+  // and persist for after-reload (flushed by main.js on boot)
+  try {
+    sessionStorage.setItem('welcomeMessage', `Welcome back, ${uname}!`);
+  } catch { }
+}
+
 /* ----------------- TOTP & Toast Overrides ----------------- */
 // detect if we’re in a pending‑TOTP state
 window.pendingTOTP = new URLSearchParams(window.location.search).get('totp_required') === '1';
@@ -72,45 +115,51 @@ const originalFetch = window.fetch;
  * @param {object} options
  * @returns {Promise<Response>}
  */
+
 export async function fetchWithCsrf(url, options = {}) {
-  // 1) Merge in credentials + header
-  options = {
-    credentials: 'include',
-    ...options,
-  };
+  const original = window.fetch.bind(window);
+  const wantJson = (options.headers && /json/i.test(options.headers['Content-Type'] || '')) || typeof options.body === 'string' && options.body.trim().startsWith('{');
+
+  options = { credentials: 'include', ...options };
   options.headers = {
-    ...(options.headers || {}),
-    'X-CSRF-Token': window.csrfToken,
+    'Accept': 'application/json',
+    ...(options.headers || {})
   };
-
-  // 2) First attempt
-  let res = await originalFetch(url, options);
-
-  // 3) If we got a 403, try to refresh token & retry
-  if (res.status === 403) {
-    // 3a) See if the server gave us a new token header
-    let newToken = res.headers.get('X-CSRF-Token');
-    // 3b) Otherwise fall back to the /api/auth/token endpoint
-    if (!newToken) {
-      const tokRes = await originalFetch('/api/auth/token.php', { credentials: 'include' });
-      if (tokRes.ok) {
-        const body = await tokRes.json();
-        newToken = body.csrf_token;
-      }
-    }
-    if (newToken) {
-      // 3c) Update global + meta
-      window.csrfToken = newToken;
-      const meta = document.querySelector('meta[name="csrf-token"]');
-      if (meta) meta.content = newToken;
-
-      // 3d) Retry the original request with the new token
-      options.headers['X-CSRF-Token'] = newToken;
-      res = await originalFetch(url, options);
-    }
+  if (window.csrfToken) {
+    options.headers['X-CSRF-Token'] = window.csrfToken;
   }
 
-  // 4) Return the real Response—no body peeking here!
+  async function retryWithFreshCsrf(asFormFallback = false) {
+    const tokRes = await original('/api/auth/token.php', { credentials: 'include' });
+    if (tokRes.ok) {
+      const body = await tokRes.json().catch(() => ({}));
+      if (body?.csrf_token) {
+        window.csrfToken = body.csrf_token;
+        const meta = document.querySelector('meta[name="csrf-token"]');
+        if (meta) meta.content = body.csrf_token;
+        options.headers['X-CSRF-Token'] = body.csrf_token;
+      }
+    }
+    if (asFormFallback && wantJson) {
+      // convert JSON body into x-www-form-urlencoded
+      const orig = options.body && typeof options.body === 'string' ? JSON.parse(options.body) : {};
+      options.body = toFormBody(orig);
+      options.headers['Content-Type'] = 'application/x-www-form-urlencoded';
+    }
+    return original(url, options);
+  }
+
+  let res = await original(url, options);
+
+  // If API doesn’t like JSON or token is stale
+  if (res.status === 400 || res.status === 403 || res.status === 415) {
+    // 1) retry with fresh CSRF keeping same encoding
+    res = await retryWithFreshCsrf(false);
+    if (!res.ok && wantJson) {
+      // 2) retry again as form-encoded
+      res = await retryWithFreshCsrf(true);
+    }
+  }
   return res;
 }
 
@@ -180,7 +229,7 @@ function updateLoginOptionsUIFromStorage() {
 }
 
 export function loadAdminConfigFunc() {
-  return fetch("/api/admin/getConfig.php", { credentials: "include" })
+  return fetch("/api/siteConfig.php", { credentials: "include" })
     .then(async (response) => {
       // If a proxy or some edge returns 204/empty, handle gracefully
       let config = {};
@@ -191,13 +240,13 @@ export function loadAdminConfigFunc() {
 
       document.title = headerTitle;
       const lo = config.loginOptions || {};
-      localStorage.setItem("disableFormLogin",  String(!!lo.disableFormLogin));
-      localStorage.setItem("disableBasicAuth",  String(!!lo.disableBasicAuth));
-      localStorage.setItem("disableOIDCLogin",  String(!!lo.disableOIDCLogin));
-      localStorage.setItem("globalOtpauthUrl",  config.globalOtpauthUrl || "otpauth://totp/{label}?secret={secret}&issuer=FileRise");
+      localStorage.setItem("disableFormLogin", String(!!lo.disableFormLogin));
+      localStorage.setItem("disableBasicAuth", String(!!lo.disableBasicAuth));
+      localStorage.setItem("disableOIDCLogin", String(!!lo.disableOIDCLogin));
+      localStorage.setItem("globalOtpauthUrl", config.globalOtpauthUrl || "otpauth://totp/{label}?secret={secret}&issuer=FileRise");
       // These may be absent for non-admins; default them
-      localStorage.setItem("authBypass",        String(!!lo.authBypass));
-      localStorage.setItem("authHeaderName",    lo.authHeaderName || "X-Remote-User");
+      localStorage.setItem("authBypass", String(!!lo.authBypass));
+      localStorage.setItem("authHeaderName", lo.authHeaderName || "X-Remote-User");
 
       updateLoginOptionsUIFromStorage();
 
@@ -253,14 +302,14 @@ export async function updateAuthenticatedUI(data) {
   if (loading) loading.remove();
 
   // 2) Show main UI
-  document.querySelector('.main-wrapper').style.display    = '';
-  document.getElementById('loginForm').style.display       = 'none';
+  document.querySelector('.main-wrapper').style.display = '';
+  document.getElementById('loginForm').style.display = 'none';
   toggleVisibility("loginForm", false);
   toggleVisibility("mainOperations", true);
   toggleVisibility("uploadFileForm", true);
   toggleVisibility("fileListContainer", true);
-  attachEnterKeyListener("removeUserModal",   "deleteUserBtn");
-  attachEnterKeyListener("changePasswordModal","saveNewPasswordBtn");
+  attachEnterKeyListener("removeUserModal", "deleteUserBtn");
+  attachEnterKeyListener("changePasswordModal", "saveNewPasswordBtn");
   document.querySelector(".header-buttons").style.visibility = "visible";
 
   // 3) Persist auth flags (unchanged)
@@ -271,9 +320,9 @@ export async function updateAuthenticatedUI(data) {
     localStorage.setItem("username", data.username);
   }
   if (typeof data.folderOnly !== "undefined") {
-    localStorage.setItem("folderOnly",   data.folderOnly   ? "true" : "false");
-    localStorage.setItem("readOnly",     data.readOnly     ? "true" : "false");
-    localStorage.setItem("disableUpload",data.disableUpload? "true" : "false");
+    localStorage.setItem("folderOnly", data.folderOnly ? "true" : "false");
+    localStorage.setItem("readOnly", data.readOnly ? "true" : "false");
+    localStorage.setItem("disableUpload", data.disableUpload ? "true" : "false");
   }
 
   // 4) Fetch up-to-date profile picture — ALWAYS overwrite localStorage
@@ -282,7 +331,7 @@ export async function updateAuthenticatedUI(data) {
 
   // 5) Build / update header buttons
   const headerButtons = document.querySelector(".header-buttons");
-  const firstButton   = headerButtons.firstElementChild;
+  const firstButton = headerButtons.firstElementChild;
 
   // a) restore-from-trash for admins
   if (data.isAdmin) {
@@ -290,8 +339,8 @@ export async function updateAuthenticatedUI(data) {
     if (!r) {
       r = document.createElement("button");
       r.id = "restoreFilesBtn";
-      r.classList.add("btn","btn-warning");
-      r.setAttribute("data-i18n-title","trash_restore_delete");
+      r.classList.add("btn", "btn-warning");
+      r.setAttribute("data-i18n-title", "trash_restore_delete");
       r.innerHTML = '<i class="material-icons">restore_from_trash</i>';
       if (firstButton) insertAfter(r, firstButton);
       else headerButtons.appendChild(r);
@@ -308,8 +357,8 @@ export async function updateAuthenticatedUI(data) {
     if (!a) {
       a = document.createElement("button");
       a.id = "adminPanelBtn";
-      a.classList.add("btn","btn-info");
-      a.setAttribute("data-i18n-title","admin_panel");
+      a.classList.add("btn", "btn-info");
+      a.setAttribute("data-i18n-title", "admin_panel");
       a.innerHTML = '<i class="material-icons">admin_panel_settings</i>';
       insertAfter(a, document.getElementById("restoreFilesBtn"));
       a.addEventListener("click", openAdminPanel);
@@ -330,19 +379,19 @@ export async function updateAuthenticatedUI(data) {
       : `<i class="material-icons">account_circle</i>`;
 
     // fallback username if missing
-    const usernameText = data.username 
-      || localStorage.getItem("username") 
+    const usernameText = data.username
+      || localStorage.getItem("username")
       || "";
 
     if (!dd) {
       dd = document.createElement("div");
-      dd.id    = "userDropdown";
+      dd.id = "userDropdown";
       dd.classList.add("user-dropdown");
 
       // toggle button
       const toggle = document.createElement("button");
-      toggle.id    = "userDropdownToggle";
-      toggle.classList.add("btn","btn-user");
+      toggle.id = "userDropdownToggle";
+      toggle.classList.add("btn", "btn-user");
       toggle.setAttribute("title", t("user_settings"));
       toggle.innerHTML = `
         ${avatarHTML}
@@ -464,6 +513,14 @@ function checkAuthentication(showLoginToast = true) {
         }
         updateAuthenticatedUI(data);
         return data;
+
+        // at the end of updateAuthenticatedUI(data)
+        if (!window.__FR_FLAGS?.initialized && typeof initializeApp === 'function') {
+          initializeApp();
+          window.__FR_FLAGS.initialized = true;
+        }
+        if (typeof applyTranslations === 'function') applyTranslations();
+        if (typeof updateLoginOptionsUIFromStorage === 'function') updateLoginOptionsUIFromStorage();
       } else {
         const overlay = document.getElementById('loadingOverlay');
         if (overlay) overlay.remove();
@@ -484,53 +541,162 @@ function checkAuthentication(showLoginToast = true) {
 }
 
 /* ----------------- Authentication Submission ----------------- */
+async function primeCsrfStrict() {
+  const r = await fetch('/api/auth/token.php', { credentials: 'include' });
+  const j = await r.json().catch(() => ({}));
+  if (!r.ok || !j.csrf_token) throw new Error('CSRF missing');
+  window.csrfToken = j.csrf_token;
+  const m = document.querySelector('meta[name="csrf-token"]');
+  if (m) m.content = j.csrf_token;
+}
+
+function toFormBody(obj) {
+  const p = new URLSearchParams();
+  for (const [k, v] of Object.entries(obj || {})) p.set(k, v == null ? '' : String(v));
+  return p.toString();
+}
+
+async function safeJson(res) {
+  const ct = res.headers.get('content-type') || '';
+  if (!/application\/json/i.test(ct)) return null;
+  try { return await res.clone().json(); } catch { return null; }
+}
+
+async function sniffTOTP(res, bodyMaybe) {
+  if (res.headers.get('X-TOTP-Required') === '1') return true;
+  if (res.redirected && /[?&]totp_required=1\b/.test(res.url)) return true;
+  const body = bodyMaybe ?? await safeJson(res);
+  if (body && (body.totp_required || body.error === 'TOTP_REQUIRED')) return true;
+  try {
+    const txt = await res.clone().text();
+    if (/\btotp_required\s*=\s*1\b/i.test(txt)) return true;
+  } catch { }
+  return false;
+}
+
+async function isAuthedNow() {
+  try {
+    const r = await fetch('/api/auth/checkAuth.php', { credentials: 'include' });
+    const j = await r.json().catch(() => ({}));
+    return !!j.authenticated;
+  } catch { return false; }
+}
+
+function rafTick(times = 2) {
+  return new Promise(res => {
+    const step = () => { if (--times <= 0) res(); else requestAnimationFrame(step); };
+    requestAnimationFrame(step);
+  });
+}
+
+async function fetchAuthSnapshot() {
+  try {
+    const r = await fetch('/api/auth/checkAuth.php', { credentials: 'include' });
+    return await r.json();
+  } catch { return {}; }
+}
+
+async function syncPermissionsToLocalStorage() {
+  try {
+    const r = await fetch('/api/getUserPermissions.php', { credentials: 'include' });
+    const perm = await r.json();
+    if (perm && typeof perm === 'object') {
+      localStorage.setItem('folderOnly', perm.folderOnly ? 'true' : 'false');
+      localStorage.setItem('readOnly', perm.readOnly ? 'true' : 'false');
+      localStorage.setItem('disableUpload', perm.disableUpload ? 'true' : 'false');
+    }
+  } catch { /* non-fatal */ }
+}
+
+// ——— main ———
+let __loginInFlight = false;
+
 async function submitLogin(data) {
-  setLastLoginData(data);
-  window.__lastLoginData = data;
+  if (__loginInFlight) return;
+  __loginInFlight = true;
+
+  const payload = {
+    username: String(data.username || '').trim(),
+    password: String(data.password || '').trim(),
+    remember_me: data.remember_me ? 1 : 0
+  };
+
+  setLastLoginData(payload);
+  window.__lastLoginData = payload;
 
   try {
-    // ─── 1) Get CSRF for the initial auth call ───
-    let res = await fetch("/api/auth/token.php", { credentials: "include" });
-    if (!res.ok) throw new Error("Could not fetch CSRF token");
-    window.csrfToken = (await res.json()).csrf_token;
+    await primeCsrfStrict();
 
-    // ─── 2) Send credentials ───
-    const response = await sendRequest(
-      "/api/auth/auth.php",
-      "POST",
-      data,
-      { "X-CSRF-Token": window.csrfToken }
-    );
+    // Attempt #1 — JSON
+    let res = await fetchWithCsrf('/api/auth/auth.php', {
+      method: 'POST',
+      credentials: 'include',
+      headers: { 'Content-Type': 'application/json', 'Accept': 'application/json' },
+      body: JSON.stringify(payload)
+    });
+    let body = await safeJson(res);
 
-    // ─── 3a) Full login (no TOTP) ───
-    if (response.success || response.status === "ok") {
-      sessionStorage.setItem("welcomeMessage", "Welcome back, " + data.username + "!");
-      // … fetch permissions & reload …
+    // TOTP requested?
+    if (await sniffTOTP(res, body)) {
+      try { await primeCsrfStrict(); } catch { }
+      window.pendingTOTP = true;
       try {
-        const perm = await sendRequest("/api/getUserPermissions.php", "GET");
-        if (perm && typeof perm === "object") {
-          localStorage.setItem("folderOnly", perm.folderOnly ? "true" : "false");
-          localStorage.setItem("readOnly", perm.readOnly ? "true" : "false");
-          localStorage.setItem("disableUpload", perm.disableUpload ? "true" : "false");
-        }
+        const auth = await import('/js/auth.js?v={{APP_QVER}}');
+        if (typeof auth.openTOTPLoginModal === 'function') auth.openTOTPLoginModal();
       } catch { }
-      return window.location.reload();
+      return;
     }
 
-    // ─── 3b) TOTP required ───
-    if (response.totp_required) {
-      // **Refresh** CSRF before the TOTP verify call
-      res = await fetch("/api/auth/token.php", { credentials: "include" });
-      if (res.ok) {
-        window.csrfToken = (await res.json()).csrf_token;
-      }
-      // now open the modal—any totp_verify fetch from here on will use the new token
-      return openTOTPLoginModal();
+    // Full success (no TOTP)
+    if (body && (body.success || body.status === 'ok' || body.authenticated)) {
+
+      await syncPermissionsToLocalStorage();
+      return afterLogin();
     }
 
-    // ─── 3c) Too many attempts ───
-    if (response.error && response.error.includes("Too many failed login attempts")) {
-      showToast(response.error);
+    // Cookie set but non-JSON body — double check session
+    if (!body && await isAuthedNow()) {
+
+      await syncPermissionsToLocalStorage();
+
+      return afterLogin();
+    }
+
+    // Attempt #2 — form fallback
+    res = await fetchWithCsrf('/api/auth/auth.php', {
+      method: 'POST',
+      credentials: 'include',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'application/json' },
+      body: toFormBody(payload)
+    });
+    body = await safeJson(res);
+
+    if (await sniffTOTP(res, body)) {
+      try { await primeCsrfStrict(); } catch { }
+      window.pendingTOTP = true;
+      try {
+        const auth = await import('/js/auth.js?v={{APP_QVER}}');
+        if (typeof auth.openTOTPLoginModal === 'function') auth.openTOTPLoginModal();
+      } catch { }
+      return;
+    }
+
+    if (body && (body.success || body.status === 'ok' || body.authenticated)) {
+      await syncPermissionsToLocalStorage();
+
+      return afterLogin();
+    }
+
+    if (!body && await isAuthedNow()) {
+
+      await syncPermissionsToLocalStorage();
+
+      return afterLogin();
+    }
+
+    // Rate limit still respected
+    if (body?.error && /Too many failed login attempts/i.test(body.error)) {
+      showToast(body.error);
       const btn = document.querySelector("#authForm button[type='submit']");
       if (btn) {
         btn.disabled = true;
@@ -542,12 +708,12 @@ async function submitLogin(data) {
       return;
     }
 
-    // ─── 3d) Other failures ───
-    showToast("Login failed: " + (response.error || "Unknown error"));
+    showToast('Login failed' + (body?.error ? `: ${body.error}` : ''));
 
-  } catch (err) {
-    const msg = err.message || err.error || "Unknown error";
-    showToast(`Login failed: ${msg}`);
+  } catch (e) {
+    showToast('Login failed: ' + (e.message || 'Unknown error'));
+  } finally {
+    __loginInFlight = false;
   }
 }
 
@@ -763,4 +929,4 @@ document.addEventListener("DOMContentLoaded", function () {
   }
 });
 
-export { initAuth, checkAuthentication };
+export { initAuth, checkAuthentication, openTOTPLoginModal };

public/js/authModals.js

@@ -1,7 +1,7 @@
-import { showToast, toggleVisibility, attachEnterKeyListener } from './domUtils.js';
-import { sendRequest } from './networkUtils.js';
-import { t, applyTranslations, setLocale } from './i18n.js';
-import { loadAdminConfigFunc, updateAuthenticatedUI } from './auth.js';
+import { showToast, toggleVisibility, attachEnterKeyListener } from './domUtils.js?v={{APP_QVER}}';
+import { sendRequest } from './networkUtils.js?v={{APP_QVER}}';
+import { t, applyTranslations, setLocale } from './i18n.js?v={{APP_QVER}}';
+import { loadAdminConfigFunc, updateAuthenticatedUI } from './auth.js?v={{APP_QVER}}';
 
 let lastLoginData = null;
 export function setLastLoginData(data) {

public/js/defer-css.js

@@ -0,0 +1,31 @@
+// /public/js/defer-css.js
+// Promote preloaded styles to real stylesheets (CSP-safe) and expose a load promise.
+(function () {
+  if (window.__CSS_PROMISE__) return;
+
+  var loads = [];
+
+  // Promote <link rel="preload" as="style"> IN-PLACE
+  var preloads = document.querySelectorAll('link[rel="preload"][as="style"]');
+  for (var i = 0; i < preloads.length; i++) {
+    var l = preloads[i];
+    // resolve when it finishes loading as a stylesheet
+    loads.push(new Promise(function (res) { l.addEventListener('load', res, { once: true }); }));
+    l.rel = 'stylesheet';
+    if (!l.media || l.media === 'print') l.media = 'all'; // be explicit
+    l.removeAttribute('as'); // keep some engines happy about "used" preload
+  }
+
+  // Also wait for any existing <link rel="stylesheet"> that haven't finished yet
+  var styles = document.querySelectorAll('link[rel="stylesheet"]');
+  for (var j = 0; j < styles.length; j++) {
+    var s = styles[j];
+    if (s.sheet) continue; // already applied
+    loads.push(new Promise(function (res) { s.addEventListener('load', res, { once: true }); }));
+  }
+
+  // Safari quirk: nudge layout so promoted sheets apply immediately
+  void document.documentElement.offsetHeight;
+
+  window.__CSS_PROMISE__ = Promise.all(loads);
+})();

public/js/domUtils.js

@@ -1,6 +1,6 @@
 // domUtils.js
-import { t } from './i18n.js';
-import { openDownloadModal } from './fileActions.js';
+import { t } from './i18n.js?v={{APP_QVER}}';
+import { openDownloadModal } from './fileActions.js?v={{APP_QVER}}';
 
 // Basic DOM Helpers
 export function toggleVisibility(elementId, shouldShow) {

public/js/dragAndDrop.js

@@ -489,6 +489,7 @@ function mountHeaderToggle(btn) {
   });
 }
 
+
 function ensureZonesToggle() {
   let btn = document.getElementById('sidebarToggleFloating');
   const host = getHeaderHost();
@@ -502,24 +503,25 @@ function ensureZonesToggle() {
 
   if (!btn) {
     btn = document.createElement('button');
-    
     btn.id = 'sidebarToggleFloating';
-    btn.type = 'button'; // not a submit
-btn.addEventListener('click', (e) => {
-  e.preventDefault();
-  e.stopPropagation();           // don't bubble into the <a href="index.html">
-  setSidebarCollapsed(!isSidebarCollapsed());
-  updateSidebarToggleUI();       // refresh icon/title
-});
-['mousedown','mouseup','pointerdown','pointerup'].forEach(evt =>
-  btn.addEventListener(evt, (e) => e.stopPropagation())
-);
+    btn.type = 'button';
     btn.setAttribute('aria-label', 'Toggle panels');
 
+    // Prevent accidental navigations / bubbling
+    btn.addEventListener('click', (e) => {
+      e.preventDefault();
+      e.stopPropagation();
+      setSidebarCollapsed(!isSidebarCollapsed());
+      updateSidebarToggleUI();
+    });
+    ['mousedown','mouseup','pointerdown','pointerup'].forEach(evt =>
+      btn.addEventListener(evt, (e) => e.stopPropagation())
+    );
+
     Object.assign(btn.style, {
-      position: 'absolute',   // <-- key change (was fixed)
-      top: '8px',             // adjust to line up with header content
-      left: '65px',          // place to the right of your logo; tweak as needed
+      position: 'absolute',
+      top: '8px',
+      left: '65px',
       zIndex: '1000',
       width: '38px',
       height: '38px',
@@ -534,8 +536,9 @@ btn.addEventListener('click', (e) => {
       padding: '0',
       lineHeight: '0'
     });
+    btn.classList.add('zones-toggle');
 
-    // dark-mode polish (optional)
+    // Dark mode polish
     if (document.body.classList.contains('dark-mode')) {
       btn.style.background = '#2c2c2c';
       btn.style.border = '1px solid #555';
@@ -547,13 +550,14 @@ btn.addEventListener('click', (e) => {
       setZonesCollapsed(!isZonesCollapsed());
     });
 
-    // Insert right after the logo if present, else just append to host
+    // Insert right after the logo if present, else append to host
     const afterLogo = host.querySelector('.header-logo');
     if (afterLogo && afterLogo.parentNode) {
       afterLogo.parentNode.insertBefore(btn, afterLogo.nextSibling);
     } else {
       host.appendChild(btn);
     }
+
     themeToggleButton(btn);
   }
 

public/js/fileActions.js

@@ -1,8 +1,8 @@
 // fileActions.js
-import { showToast, attachEnterKeyListener } from './domUtils.js';
-import { loadFileList } from './fileListView.js';
-import { formatFolderName } from './fileListView.js';
-import { t } from './i18n.js';
+import { showToast, attachEnterKeyListener } from './domUtils.js?v={{APP_QVER}}';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
+import { formatFolderName } from './fileListView.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
 
 export function handleDeleteSelected(e) {
   e.preventDefault();
@@ -31,6 +31,7 @@ document.addEventListener("DOMContentLoaded", function () {
 
   const confirmDelete = document.getElementById("confirmDeleteFiles");
   if (confirmDelete) {
+    confirmDelete.setAttribute("data-default", "");
     confirmDelete.addEventListener("click", function () {
       fetch("/api/file/deleteFiles.php", {
         method: "POST",
@@ -316,6 +317,7 @@ document.addEventListener("DOMContentLoaded", () => {
 
   // 2) Confirm button kicks off the zip+download
   if (confirmZipBtn) {
+    confirmZipBtn.setAttribute("data-default", "");
     confirmZipBtn.addEventListener("click", async () => {
       // a) Validate ZIP filename
       let zipName = document.getElementById("zipFileNameInput").value.trim();
@@ -478,6 +480,7 @@ document.addEventListener("DOMContentLoaded", function () {
   }
   const confirmCopy = document.getElementById("confirmCopyFiles");
   if (confirmCopy) {
+    confirmCopy.setAttribute("data-default", "");
     confirmCopy.addEventListener("click", function () {
       const targetFolder = document.getElementById("copyTargetFolder").value;
       if (!targetFolder) {
@@ -529,6 +532,7 @@ document.addEventListener("DOMContentLoaded", function () {
   }
   const confirmMove = document.getElementById("confirmMoveFiles");
   if (confirmMove) {
+    confirmMove.setAttribute("data-default", "");
     confirmMove.addEventListener("click", function () {
       const targetFolder = document.getElementById("moveTargetFolder").value;
       if (!targetFolder) {
@@ -598,6 +602,7 @@ document.addEventListener("DOMContentLoaded", () => {
 
   const submitBtn = document.getElementById("submitRenameFile");
   if (submitBtn) {
+    submitBtn.setAttribute("data-default", "");
     submitBtn.addEventListener("click", function () {
       const newName = document.getElementById("newFileName").value.trim();
       if (!newName || newName === window.fileToRename) {

public/js/fileDragDrop.js

@@ -1,6 +1,6 @@
 // fileDragDrop.js
-import { showToast } from './domUtils.js';
-import { loadFileList } from './fileListView.js';
+import { showToast } from './domUtils.js?v={{APP_QVER}}';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
 
 export function fileDragStartHandler(event) {
   const row = event.currentTarget;

public/js/fileEditor.js

@@ -1,43 +1,59 @@
 // fileEditor.js
-import { escapeHTML, showToast } from './domUtils.js';
-import { loadFileList } from './fileListView.js';
-import { t } from './i18n.js';
+import { escapeHTML, showToast } from './domUtils.js?v={{APP_QVER}}';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
+import { buildPreviewUrl } from './filePreview.js?v={{APP_QVER}}';
 
 // thresholds for editor behavior
 const EDITOR_PLAIN_THRESHOLD = 5 * 1024 * 1024;  // >5 MiB => force plain text, lighter settings
 const EDITOR_BLOCK_THRESHOLD = 10 * 1024 * 1024; // >10 MiB => block editing
 
-// Lazy-load CodeMirror modes on demand
-//const CM_CDN = "https://cdnjs.cloudflare.com/ajax/libs/codemirror/5.65.5/";
-const CM_LOCAL = "/vendor/codemirror/5.65.5/";
+// ==== CodeMirror lazy loader ===============================================
+const CM_BASE = "/vendor/codemirror/5.65.5/";
+
+// Stamp-friendly helpers (the stamper will replace {{APP_QVER}})
+const coreUrl = (p) => `${CM_BASE}${p}?v={{APP_QVER}}`;
+
+const CORE = {
+  js: coreUrl("codemirror.min.js"),
+  css: coreUrl("codemirror.min.css"),
+  themeCss: coreUrl("theme/material-darker.min.css"),
+};
 
 // Which mode file to load for a given name/mime
 const MODE_URL = {
   // core/common
-  "xml":        "mode/xml/xml.min.js",
-  "css":        "mode/css/css.min.js",
-  "javascript": "mode/javascript/javascript.min.js",
+  "xml": "mode/xml/xml.min.js?v={{APP_QVER}}",
+  "css": "mode/css/css.min.js?v={{APP_QVER}}",
+  "javascript": "mode/javascript/javascript.min.js?v={{APP_QVER}}",
 
   // meta / combos
-  "htmlmixed":  "mode/htmlmixed/htmlmixed.min.js",
-  "application/x-httpd-php": "mode/php/php.min.js",
+  "htmlmixed": "mode/htmlmixed/htmlmixed.min.js?v={{APP_QVER}}",
+  "application/x-httpd-php": "mode/php/php.min.js?v={{APP_QVER}}",
 
   // docs / data
-  "markdown":   "mode/markdown/markdown.min.js",
-  "yaml":       "mode/yaml/yaml.min.js",
-  "properties": "mode/properties/properties.min.js",
-  "sql":        "mode/sql/sql.min.js",
+  "markdown": "mode/markdown/markdown.min.js?v={{APP_QVER}}",
+  "yaml": "mode/yaml/yaml.min.js?v={{APP_QVER}}",
+  "properties": "mode/properties/properties.min.js?v={{APP_QVER}}",
+  "sql": "mode/sql/sql.min.js?v={{APP_QVER}}",
 
   // shells
-  "shell":      "mode/shell/shell.min.js",
+  "shell": "mode/shell/shell.min.js?v={{APP_QVER}}",
 
   // languages
-  "python":     "mode/python/python.min.js",
-  "text/x-csrc":    "mode/clike/clike.min.js",
-  "text/x-c++src":  "mode/clike/clike.min.js",
-  "text/x-java":    "mode/clike/clike.min.js",
-  "text/x-csharp":  "mode/clike/clike.min.js",
-  "text/x-kotlin":  "mode/clike/clike.min.js"
+  "python": "mode/python/python.min.js?v={{APP_QVER}}",
+  "text/x-csrc": "mode/clike/clike.min.js?v={{APP_QVER}}",
+  "text/x-c++src": "mode/clike/clike.min.js?v={{APP_QVER}}",
+  "text/x-java": "mode/clike/clike.min.js?v={{APP_QVER}}",
+  "text/x-csharp": "mode/clike/clike.min.js?v={{APP_QVER}}",
+  "text/x-kotlin": "mode/clike/clike.min.js?v={{APP_QVER}}"
+};
+
+// Mode dependency graph
+const MODE_DEPS = {
+  "htmlmixed": ["xml", "javascript", "css"],
+  "application/x-httpd-php": ["htmlmixed", "text/x-csrc"], // php overlays + clike bits
+  "markdown": ["xml"]
 };
 
 // Map any mime/alias to the key we use in MODE_URL
@@ -49,62 +65,78 @@ function normalizeModeName(modeOption) {
   return name;
 }
 
-const MODE_LOAD_TIMEOUT_MS = 2500; // allow closing immediately; don't wait forever
+const _loadedScripts = new Set();
+const _loadedCss = new Set();
+let _corePromise = null;
 
 function loadScriptOnce(url) {
   return new Promise((resolve, reject) => {
-    const ver = (window.APP_VERSION ?? 'dev').replace(/^v/, ''); // "v1.6.9" -> "1.6.9"
-    const withQS = url + '?v=' + ver;
-
-    const key = `cm:${withQS}`;
-    let s = document.querySelector(`script[data-key="${key}"]`);
-    if (s) {
-      if (s.dataset.loaded === "1") return resolve();
-      s.addEventListener("load", resolve);
-      s.addEventListener("error", () => reject(new Error(`Load failed: ${withQS}`)));
-      return;
-    }
-    s = document.createElement("script");
-    s.src = withQS;
+    if (_loadedScripts.has(url)) return resolve();
+    const s = document.createElement("script");
+    s.src = url;
     s.async = true;
-    s.dataset.key = key;
-    s.addEventListener("load", () => { s.dataset.loaded = "1"; resolve(); });
-    s.addEventListener("error", () => reject(new Error(`Load failed: ${withQS}`)));
+    s.onload = () => { _loadedScripts.add(url); resolve(); };
+    s.onerror = () => reject(new Error(`Load failed: ${url}`));
     document.head.appendChild(s);
   });
 }
 
+function loadCssOnce(href) {
+  return new Promise((resolve, reject) => {
+    if (_loadedCss.has(href)) return resolve();
+    const l = document.createElement("link");
+    l.rel = "stylesheet";
+    l.href = href;
+    l.onload = () => { _loadedCss.add(href); resolve(); };
+    l.onerror = () => reject(new Error(`Load failed: ${href}`));
+    document.head.appendChild(l);
+  });
+}
+
+async function ensureCore() {
+  if (_corePromise) return _corePromise;
+  _corePromise = (async () => {
+    // load CSS first to avoid FOUC
+    await loadCssOnce(CORE.css);
+    await loadCssOnce(CORE.themeCss);
+    if (!window.CodeMirror) {
+      await loadScriptOnce(CORE.js);
+    }
+  })();
+  return _corePromise;
+}
+
+async function loadSingleMode(name) {
+  const rel = MODE_URL[name];
+  if (!rel) return;
+  // prepend base if needed
+  const url = rel.startsWith("http") ? rel : (rel.startsWith("/") ? rel : (CM_BASE + rel));
+  await loadScriptOnce(url);
+}
+
+function isModeRegistered(name) {
+  return !!(
+    (window.CodeMirror?.modes && window.CodeMirror.modes[name]) ||
+    (window.CodeMirror?.mimeModes && window.CodeMirror.mimeModes[name])
+  );
+}
 
 async function ensureModeLoaded(modeOption) {
-  if (!window.CodeMirror) return;
-
+  await ensureCore();
   const name = normalizeModeName(modeOption);
   if (!name) return;
-
-  const isRegistered = () =>
-    (window.CodeMirror?.modes && window.CodeMirror.modes[name]) ||
-    (window.CodeMirror?.mimeModes && window.CodeMirror.mimeModes[name]);
-
-  if (isRegistered()) return;
-
-  const url = MODE_URL[name];
-  if (!url) return; // unknown -> stay in text/plain
-
-  // Dependencies
-  if (name === "htmlmixed") {
-    await Promise.all([
-      ensureModeLoaded("xml"),
-      ensureModeLoaded("css"),
-      ensureModeLoaded("javascript")
-    ]);
+  if (isModeRegistered(name)) return;
+  const deps = MODE_DEPS[name] || [];
+  for (const d of deps) {
+    if (!isModeRegistered(d)) await loadSingleMode(d);
   }
-  if (name === "application/x-httpd-php") {
-    await ensureModeLoaded("htmlmixed");
-  }
-
-  await loadScriptOnce(CM_LOCAL + url);
+  await loadSingleMode(name);
 }
 
+// Public helper for callers (we keep your existing function name in use):
+const MODE_LOAD_TIMEOUT_MS = 2500; // allow closing immediately; don't wait forever
+// ==== /CodeMirror lazy loader ===============================================
+
 function getModeForFile(fileName) {
   const dot = fileName.lastIndexOf(".");
   const ext = dot >= 0 ? fileName.slice(dot + 1).toLowerCase() : "";
@@ -170,23 +202,37 @@ export function editFile(fileName, folder) {
   if (existingEditor) existingEditor.remove();
 
   const folderUsed = folder || window.currentFolder || "root";
-  const folderPath = folderUsed === "root"
-    ? "uploads/"
-    : "uploads/" + folderUsed.split("/").map(encodeURIComponent).join("/") + "/";
-  const fileUrl = folderPath + encodeURIComponent(fileName) + "?t=" + new Date().getTime();
+  const fileUrl = buildPreviewUrl(folderUsed, fileName);
 
-  fetch(fileUrl, { method: "HEAD" })
-    .then(response => {
-      const lenHeader = response.headers.get("content-length") ?? response.headers.get("Content-Length");
-      const sizeBytes = lenHeader ? parseInt(lenHeader, 10) : null;
+  // Probe size safely via API. Prefer HEAD; if missing Content-Length, fall back to a 1-byte Range GET.
+  async function probeSize(url) {
+    try {
+      const h = await fetch(url, { method: "HEAD", credentials: "include" });
+      const len = h.headers.get("content-length") ?? h.headers.get("Content-Length");
+      if (len && !Number.isNaN(parseInt(len, 10))) return parseInt(len, 10);
+    } catch { }
+    try {
+      const r = await fetch(url, {
+        method: "GET",
+        headers: { Range: "bytes=0-0" },
+        credentials: "include"
+      });
+      // Content-Range: bytes 0-0/12345
+      const cr = r.headers.get("content-range") ?? r.headers.get("Content-Range");
+      const m = cr && cr.match(/\/(\d+)\s*$/);
+      if (m) return parseInt(m[1], 10);
+    } catch { }
+    return null;
+  }
 
+  probeSize(fileUrl)
+    .then(sizeBytes => {
       if (sizeBytes !== null && sizeBytes > EDITOR_BLOCK_THRESHOLD) {
         showToast("This file is larger than 10 MB and cannot be edited in the browser.");
         throw new Error("File too large.");
       }
-      return response;
+      return fetch(fileUrl, { credentials: "include" });
     })
-    .then(() => fetch(fileUrl))
     .then(response => {
       if (!response.ok) throw new Error("HTTP error! Status: " + response.status);
       const lenHeader = response.headers.get("content-length") ?? response.headers.get("Content-Length");
@@ -215,7 +261,7 @@ export function editFile(fileName, folder) {
         </div>
         <textarea id="fileEditor" class="editor-textarea">${escapeHTML(content)}</textarea>
         <div class="editor-footer">
-          <button id="saveBtn" class="btn btn-primary" disabled>${t("save")}</button>
+          <button id="saveBtn" class="btn btn-primary" data-default disabled>${t("save")} </button>
           <button id="closeBtn" class="btn btn-secondary">${t("close")}</button>
         </div>
       `;
@@ -238,28 +284,28 @@ export function editFile(fileName, folder) {
       // Keep buttons responsive even before editor exists
       const decBtn = document.getElementById("decreaseFont");
       const incBtn = document.getElementById("increaseFont");
-      decBtn.addEventListener("click", () => {});
-      incBtn.addEventListener("click", () => {});
+      decBtn.addEventListener("click", () => { });
+      incBtn.addEventListener("click", () => { });
 
       // Theme + mode selection
       const isDarkMode = document.body.classList.contains("dark-mode");
       const theme = isDarkMode ? "material-darker" : "default";
       const desiredMode = forcePlainText ? "text/plain" : getModeForFile(fileName);
 
-      // Helper to check whether a mode is currently registered
-      const modeName = typeof desiredMode === "string" ? desiredMode : (desiredMode && desiredMode.name);
-      const isModeRegistered = () =>
-        (window.CodeMirror?.modes && window.CodeMirror.modes[modeName]) ||
-        (window.CodeMirror?.mimeModes && window.CodeMirror.mimeModes[modeName]);
-
-      // Start mode loading (don’t block closing)
-      const modePromise = ensureModeLoaded(desiredMode);
+      // Start core+mode loading (don’t block closing)
+      const modePromise = (async () => {
+        await ensureCore();                 // load CM core + CSS
+        if (!forcePlainText) {
+          await ensureModeLoaded(desiredMode); // then load the needed mode + deps
+        }
+      })();
 
       // Wait up to MODE_LOAD_TIMEOUT_MS; then proceed with whatever is available
       const timeout = new Promise((res) => setTimeout(res, MODE_LOAD_TIMEOUT_MS));
 
       Promise.race([modePromise, timeout]).then(() => {
         if (canceled) return;
+
         if (!window.CodeMirror) {
           // Core not present: keep plain <textarea>; enable Save and bail gracefully
           document.getElementById("saveBtn").disabled = false;
@@ -267,7 +313,9 @@ export function editFile(fileName, folder) {
           return;
         }
 
-        const initialMode = (forcePlainText || !isModeRegistered()) ? "text/plain" : desiredMode;
+        const normName = normalizeModeName(desiredMode) || "text/plain";
+        const initialMode = (forcePlainText || !isModeRegistered(normName)) ? "text/plain" : desiredMode;
+
         const cmOptions = {
           lineNumbers: !forcePlainText,
           mode: initialMode,
@@ -319,8 +367,11 @@ export function editFile(fileName, folder) {
 
         // If we started in plain text due to timeout, flip to the real mode once it arrives
         modePromise.then(() => {
-          if (!canceled && !forcePlainText && isModeRegistered()) {
-            editor.setOption("mode", desiredMode);
+          if (!canceled && !forcePlainText) {
+            const nn = normalizeModeName(desiredMode);
+            if (nn && isModeRegistered(nn)) {
+              editor.setOption("mode", desiredMode);
+            }
           }
         }).catch(() => {
           // If the mode truly fails to load, we just stay in plain text

public/js/fileListView.js

@@ -11,11 +11,11 @@ import {
     updateRowHighlight,
     toggleRowSelection,
     attachEnterKeyListener
-  } from './domUtils.js';
-  import { t } from './i18n.js';
-  import { bindFileListContextMenu } from './fileMenu.js';
-  import { openDownloadModal } from './fileActions.js';
-  import { openTagModal, openMultiTagModal } from './fileTags.js';
+  } from './domUtils.js?v={{APP_QVER}}';
+  import { t } from './i18n.js?v={{APP_QVER}}';
+  import { bindFileListContextMenu } from './fileMenu.js?v={{APP_QVER}}';
+  import { openDownloadModal } from './fileActions.js?v={{APP_QVER}}';
+  import { openTagModal, openMultiTagModal } from './fileTags.js?v={{APP_QVER}}';
   import {
     getParentFolder,
     updateBreadcrumbTitle,
@@ -24,13 +24,13 @@ import {
     hideFolderManagerContextMenu,
     openRenameFolderModal,
     openDeleteFolderModal
-  } from './folderManager.js';
-  import { openFolderShareModal } from './folderShareModal.js';
+  } from './folderManager.js?v={{APP_QVER}}';
+  import { openFolderShareModal } from './folderShareModal.js?v={{APP_QVER}}';
   import {
     folderDragOverHandler,
     folderDragLeaveHandler,
     folderDropHandler
-  } from './fileDragDrop.js';
+  } from './fileDragDrop.js?v={{APP_QVER}}';
   
   export let fileData = [];
   export let sortOrder = { column: "uploaded", ascending: true };
@@ -205,29 +205,84 @@ function wireSelectAll(fileListContent) {
   /**
    * Fuse.js fuzzy search helper
    */
-  function searchFiles(searchTerm) {
-    if (!searchTerm) return fileData;
-  
-    let keys = [
-      { name: 'name', weight: 0.1 },
-      { name: 'uploader', weight: 0.1 },
-      { name: 'tags.name', weight: 0.1 }
-    ];
-    if (window.advancedSearchEnabled) {
-      keys.push({ name: 'content', weight: 0.7 });
-    }
-  
+  // --- Lazy Fuse loader (drop-in, CSP-safe, no inline) ---
+const FUSE_SRC = '/vendor/fuse/6.6.2/fuse.min.js?v={{APP_QVER}}';
+let _fuseLoadingPromise = null;
+
+function loadScriptOnce(src) {
+  // cache by src so we don't append multiple <script> tags
+  if (loadScriptOnce._cache?.has(src)) return loadScriptOnce._cache.get(src);
+  loadScriptOnce._cache = loadScriptOnce._cache || new Map();
+  const p = new Promise((resolve, reject) => {
+    const s = document.createElement('script');
+    s.src = src;
+    s.async = true;
+    s.onload = resolve;
+    s.onerror = () => reject(new Error(`Failed to load ${src}`));
+    document.head.appendChild(s);
+  });
+  loadScriptOnce._cache.set(src, p);
+  return p;
+}
+
+function lazyLoadFuse() {
+  if (window.Fuse) return Promise.resolve(window.Fuse);
+  if (!_fuseLoadingPromise) {
+    _fuseLoadingPromise = loadScriptOnce(FUSE_SRC).then(() => window.Fuse);
+  }
+  return _fuseLoadingPromise;
+}
+
+// (Optional) warm-up call you can trigger from main.js after first render:
+//   import { warmUpSearch } from './fileListView.js?v={{APP_QVER}}';
+//   warmUpSearch();
+// This just starts fetching Fuse in the background.
+export function warmUpSearch() {
+  lazyLoadFuse().catch(() => {/* ignore; we’ll fall back */});
+}
+
+// Lazy + backward-compatible search
+function searchFiles(searchTerm) {
+  if (!searchTerm) return fileData;
+
+  // kick off Fuse load in the background, but don't await
+  lazyLoadFuse().catch(() => { /* ignore */ });
+
+  // keys config (matches your original)
+  const fuseKeys = [
+    { name: 'name',      weight: 0.1 },
+    { name: 'uploader',  weight: 0.1 },
+    { name: 'tags.name', weight: 0.1 }
+  ];
+  if (window.advancedSearchEnabled) {
+    fuseKeys.push({ name: 'content', weight: 0.7 });
+  }
+
+  // If Fuse is present, use it right away (synchronous API)
+  if (window.Fuse) {
     const options = {
-      keys: keys,
+      keys: fuseKeys,
       threshold: 0.4,
       minMatchCharLength: 2,
       ignoreLocation: true
     };
-  
-    const fuse = new Fuse(fileData, options);
-    let results = fuse.search(searchTerm);
-    return results.map(result => result.item);
+    const fuse = new window.Fuse(fileData, options);
+    const results = fuse.search(searchTerm);
+    return results.map(r => r.item);
   }
+
+  // Fallback (first keystrokes before Fuse finishes loading):
+  // simple case-insensitive substring match on the same fields
+  const q = String(searchTerm).toLowerCase();
+  const hay = (v) => (v == null ? '' : String(v)).toLowerCase();
+  return fileData.filter(item => {
+    if (hay(item.name).includes(q)) return true;
+    if (hay(item.uploader).includes(q)) return true;
+    if (Array.isArray(item.tags) && item.tags.some(t => hay(t?.name).includes(q))) return true;
+    if (window.advancedSearchEnabled && hay(item.content).includes(q)) return true;
+    return false;
+  });
+}
   
   /**
    * View mode toggle
@@ -750,7 +805,7 @@ function wireSelectAll(fileListContent) {
     fileListContent.querySelectorAll(".edit-btn").forEach(btn => {
       btn.addEventListener("click", async e => {
         e.stopPropagation();
-        const m = await import('./fileEditor.js');
+        const m = await import('./fileEditor.js?v={{APP_QVER}}');
         m.editFile(btn.dataset.editName, btn.dataset.editFolder);
       });
     });
@@ -759,7 +814,7 @@ function wireSelectAll(fileListContent) {
     fileListContent.querySelectorAll(".rename-btn").forEach(btn => {
       btn.addEventListener("click", async e => {
         e.stopPropagation();
-        const m = await import('./fileActions.js');
+        const m = await import('./fileActions.js?v={{APP_QVER}}');
         m.renameFile(btn.dataset.renameName, btn.dataset.renameFolder);
       });
     });
@@ -768,7 +823,7 @@ function wireSelectAll(fileListContent) {
     fileListContent.querySelectorAll(".preview-btn").forEach(btn => {
       btn.addEventListener("click", async e => {
         e.stopPropagation();
-        const m = await import('./filePreview.js');
+        const m = await import('./filePreview.js?v={{APP_QVER}}');
         m.previewFile(btn.dataset.previewUrl, btn.dataset.previewName);
       });
     });
@@ -822,7 +877,7 @@ function wireSelectAll(fileListContent) {
         const fileName = this.getAttribute("data-file");
         const file = fileData.find(f => f.name === fileName);
         if (file) {
-          import('./filePreview.js').then(module => {
+          import('./filePreview.js?v={{APP_QVER}}').then(module => {
             module.openShareModal(file, folder);
           });
         }
@@ -831,7 +886,7 @@ function wireSelectAll(fileListContent) {
     updateFileActionButtons();
     document.querySelectorAll("#fileList tbody tr").forEach(row => {
       row.setAttribute("draggable", "true");
-      import('./fileDragDrop.js').then(module => {
+      import('./fileDragDrop.js?v={{APP_QVER}}').then(module => {
         row.addEventListener("dragstart", module.fileDragStartHandler);
       });
     });
@@ -1085,7 +1140,7 @@ function wireSelectAll(fileListContent) {
     // preview clicks (dynamic import to avoid global dependency)
     fileListContent.querySelectorAll(".gallery-preview").forEach(el => {
       el.addEventListener("click", async () => {
-        const m = await import('./filePreview.js');
+        const m = await import('./filePreview.js?v={{APP_QVER}}');
         m.previewFile(el.dataset.previewUrl, el.dataset.previewName);
       });
     });
@@ -1102,7 +1157,7 @@ function wireSelectAll(fileListContent) {
     fileListContent.querySelectorAll(".edit-btn").forEach(btn => {
       btn.addEventListener("click", async e => {
         e.stopPropagation();
-        const m = await import('./fileEditor.js');
+        const m = await import('./fileEditor.js?v={{APP_QVER}}');
         m.editFile(btn.dataset.editName, btn.dataset.editFolder);
       });
     });
@@ -1111,7 +1166,7 @@ function wireSelectAll(fileListContent) {
     fileListContent.querySelectorAll(".rename-btn").forEach(btn => {
       btn.addEventListener("click", async e => {
         e.stopPropagation();
-        const m = await import('./fileActions.js');
+        const m = await import('./fileActions.js?v={{APP_QVER}}');
         m.renameFile(btn.dataset.renameName, btn.dataset.renameFolder);
       });
     });
@@ -1123,7 +1178,7 @@ function wireSelectAll(fileListContent) {
         const fileName = btn.dataset.file;
         const fileObj = fileData.find(f => f.name === fileName);
         if (fileObj) {
-          import('./filePreview.js').then(m => m.openShareModal(fileObj, folder));
+          import('./filePreview.js?v={{APP_QVER}}').then(m => m.openShareModal(fileObj, folder));
         }
       });
     });

public/js/fileManager.js

@@ -1,10 +1,10 @@
 // fileManager.js
-import './fileListView.js';
-import './filePreview.js';
-import './fileEditor.js';
-import './fileDragDrop.js';
-import './fileMenu.js';
-import { initFileActions } from './fileActions.js';
+import './fileListView.js?v={{APP_QVER}}';
+import './filePreview.js?v={{APP_QVER}}';
+import './fileEditor.js?v={{APP_QVER}}';
+import './fileDragDrop.js?v={{APP_QVER}}';
+import './fileMenu.js?v={{APP_QVER}}';
+import { initFileActions } from './fileActions.js?v={{APP_QVER}}';
 
 // Initialize file action buttons.
 document.addEventListener("DOMContentLoaded", function () {
@@ -14,7 +14,7 @@ document.addEventListener("DOMContentLoaded", function () {
 // Attach folder drag-and-drop support for folder tree nodes.
 document.addEventListener("DOMContentLoaded", function () {
   document.querySelectorAll(".folder-option").forEach(el => {
-    import('./fileDragDrop.js').then(module => {
+    import('./fileDragDrop.js?v={{APP_QVER}}').then(module => {
       el.addEventListener("dragover", module.folderDragOverHandler);
       el.addEventListener("dragleave", module.folderDragLeaveHandler);
       el.addEventListener("drop", module.folderDropHandler);
@@ -32,7 +32,7 @@ document.addEventListener("keydown", function(e) {
     const selectedCheckboxes = document.querySelectorAll("#fileList .file-checkbox:checked");
     if (selectedCheckboxes.length > 0) {
       e.preventDefault();
-      import('./fileActions.js').then(module => {
+      import('./fileActions.js?v={{APP_QVER}}').then(module => {
         module.handleDeleteSelected(new Event("click"));
       });
     }

public/js/fileMenu.js

@@ -1,11 +1,11 @@
 // fileMenu.js
-import { updateRowHighlight, showToast } from './domUtils.js';
-import { handleDeleteSelected, handleCopySelected, handleMoveSelected, handleDownloadZipSelected, handleExtractZipSelected, renameFile, openCreateFileModal } from './fileActions.js';
-import { previewFile } from './filePreview.js';
-import { editFile } from './fileEditor.js';
-import { canEditFile, fileData } from './fileListView.js';
-import { openTagModal, openMultiTagModal } from './fileTags.js';
-import { t } from './i18n.js';
+import { updateRowHighlight, showToast } from './domUtils.js?v={{APP_QVER}}';
+import { handleDeleteSelected, handleCopySelected, handleMoveSelected, handleDownloadZipSelected, handleExtractZipSelected, renameFile, openCreateFileModal } from './fileActions.js?v={{APP_QVER}}';
+import { previewFile, buildPreviewUrl } from './filePreview.js?v={{APP_QVER}}';
+import { editFile } from './fileEditor.js?v={{APP_QVER}}';
+import { canEditFile, fileData } from './fileListView.js?v={{APP_QVER}}';
+import { openTagModal, openMultiTagModal } from './fileTags.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
 
 export function showFileContextMenu(x, y, menuItems) {
   let menu = document.getElementById("fileContextMenu");
@@ -39,11 +39,11 @@ export function showFileContextMenu(x, y, menuItems) {
     });
     menu.appendChild(menuItem);
   });
-  
+
   menu.style.left = x + "px";
   menu.style.top = y + "px";
   menu.style.display = "block";
-  
+
   const menuRect = menu.getBoundingClientRect();
   const viewportHeight = window.innerHeight;
   if (menuRect.bottom > viewportHeight) {
@@ -62,7 +62,7 @@ export function hideFileContextMenu() {
 
 export function fileListContextMenuHandler(e) {
   e.preventDefault();
-  
+
   let row = e.target.closest("tr");
   if (row) {
     const checkbox = row.querySelector(".file-checkbox");
@@ -71,9 +71,9 @@ export function fileListContextMenuHandler(e) {
       updateRowHighlight(checkbox);
     }
   }
-  
+
   const selected = Array.from(document.querySelectorAll("#fileList .file-checkbox:checked")).map(chk => chk.value);
-  
+
   let menuItems = [
     { label: t("create_file"), action: () => openCreateFileModal() },
     { label: t("delete_selected"), action: () => { handleDeleteSelected(new Event("click")); } },
@@ -81,14 +81,14 @@ export function fileListContextMenuHandler(e) {
     { label: t("move_selected"), action: () => { handleMoveSelected(new Event("click")); } },
     { label: t("download_zip"), action: () => { handleDownloadZipSelected(new Event("click")); } }
   ];
-  
+
   if (selected.some(name => name.toLowerCase().endsWith(".zip"))) {
     menuItems.push({
       label: t("extract_zip"),
       action: () => { handleExtractZipSelected(new Event("click")); }
     });
   }
-  
+
   if (selected.length > 1) {
     menuItems.push({
       label: t("tag_selected"),
@@ -100,36 +100,33 @@ export function fileListContextMenuHandler(e) {
   }
   else if (selected.length === 1) {
     const file = fileData.find(f => f.name === selected[0]);
-    
+
     menuItems.push({
       label: t("preview"),
       action: () => {
         const folder = window.currentFolder || "root";
-        const folderPath = folder === "root"
-          ? "uploads/"
-          : "uploads/" + folder.split("/").map(encodeURIComponent).join("/") + "/";
-        previewFile(folderPath + encodeURIComponent(file.name) + "?t=" + new Date().getTime(), file.name);
+        previewFile(buildPreviewUrl(folder, file.name), file.name);
       }
     });
-    
+
     if (canEditFile(file.name)) {
       menuItems.push({
         label: t("edit"),
         action: () => { editFile(selected[0], window.currentFolder); }
       });
     }
-    
+
     menuItems.push({
       label: t("rename"),
       action: () => { renameFile(selected[0], window.currentFolder); }
     });
-    
+
     menuItems.push({
       label: t("tag_file"),
       action: () => { openTagModal(file); }
     });
   }
-  
+
   showFileContextMenu(e.clientX, e.clientY, menuItems);
 }
 
@@ -140,7 +137,7 @@ export function bindFileListContextMenu() {
   }
 }
 
-document.addEventListener("click", function(e) {
+document.addEventListener("click", function (e) {
   const menu = document.getElementById("fileContextMenu");
   if (menu && menu.style.display === "block") {
     hideFileContextMenu();
@@ -148,9 +145,9 @@ document.addEventListener("click", function(e) {
 });
 
 // Rebind context menu after file table render.
-(function() {
+(function () {
   const originalRenderFileTable = window.renderFileTable;
-  window.renderFileTable = function(folder) {
+  window.renderFileTable = function (folder) {
     originalRenderFileTable(folder);
     bindFileListContextMenu();
   };

public/js/filePreview.js

@@ -1,7 +1,13 @@
 // filePreview.js
-import { escapeHTML, showToast } from './domUtils.js';
-import { fileData } from './fileListView.js';
-import { t } from './i18n.js';
+import { escapeHTML, showToast } from './domUtils.js?v={{APP_QVER}}';
+import { fileData } from './fileListView.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
+
+// Build a preview URL that always goes through the API layer (respects ACLs/UPLOAD_DIR)
+export function buildPreviewUrl(folder, name) {
+  const f = (!folder || folder === '') ? 'root' : String(folder);
+  return `/api/file/download.php?folder=${encodeURIComponent(f)}&file=${encodeURIComponent(name)}&inline=1&t=${Date.now()}`;
+}
 
 export function openShareModal(file, folder) {
   // Remove any existing modal
@@ -92,10 +98,10 @@ export function openShareModal(file, folder) {
 
       if (sel.value === "custom") {
         value = parseInt(document.getElementById("customExpirationValue").value, 10);
-        unit  = document.getElementById("customExpirationUnit").value;
+        unit = document.getElementById("customExpirationUnit").value;
       } else {
         value = parseInt(sel.value, 10);
-        unit  = "minutes";
+        unit = "minutes";
       }
 
       const password = document.getElementById("sharePassword").value;
@@ -115,20 +121,20 @@ export function openShareModal(file, folder) {
           password
         })
       })
-      .then(res => res.json())
-      .then(data => {
-        if (data.token) {
-          const url = `${window.location.origin}/api/file/share.php?token=${encodeURIComponent(data.token)}`;
-          document.getElementById("shareLinkInput").value = url;
-          document.getElementById("shareLinkDisplay").style.display = "block";
-        } else {
-          showToast(t("error_generating_share") + ": " + (data.error||"Unknown"));
-        }
-      })
-      .catch(err => {
-        console.error(err);
-        showToast(t("error_generating_share"));
-      });
+        .then(res => res.json())
+        .then(data => {
+          if (data.token) {
+            const url = `${window.location.origin}/api/file/share.php?token=${encodeURIComponent(data.token)}`;
+            document.getElementById("shareLinkInput").value = url;
+            document.getElementById("shareLinkDisplay").style.display = "block";
+          } else {
+            showToast(t("error_generating_share") + ": " + (data.error || "Unknown"));
+          }
+        })
+        .catch(err => {
+          console.error(err);
+          showToast(t("error_generating_share"));
+        });
     });
 
   // Copy to clipboard
@@ -272,10 +278,7 @@ export function previewFile(fileUrl, fileName) {
         modal.galleryCurrentIndex = (modal.galleryCurrentIndex - 1 + modal.galleryImages.length) % modal.galleryImages.length;
         let newFile = modal.galleryImages[modal.galleryCurrentIndex];
         modal.querySelector("h4").textContent = newFile.name;
-        img.src = ((window.currentFolder === "root")
-          ? "uploads/"
-          : "uploads/" + window.currentFolder.split("/").map(encodeURIComponent).join("/") + "/")
-          + encodeURIComponent(newFile.name) + "?t=" + new Date().getTime();
+        img.src = buildPreviewUrl(window.currentFolder || 'root', newFile.name);
         // Reset transforms.
         img.dataset.scale = 1;
         img.dataset.rotate = 0;
@@ -355,10 +358,7 @@ export function previewFile(fileUrl, fileName) {
         modal.galleryCurrentIndex = (modal.galleryCurrentIndex + 1) % modal.galleryImages.length;
         let newFile = modal.galleryImages[modal.galleryCurrentIndex];
         modal.querySelector("h4").textContent = newFile.name;
-        img.src = ((window.currentFolder === "root")
-          ? "uploads/"
-          : "uploads/" + window.currentFolder.split("/").map(encodeURIComponent).join("/") + "/")
-          + encodeURIComponent(newFile.name) + "?t=" + new Date().getTime();
+        img.src = buildPreviewUrl(window.currentFolder || 'root', newFile.name);
         // Reset transforms.
         img.dataset.scale = 1;
         img.dataset.rotate = 0;
@@ -416,26 +416,26 @@ export function previewFile(fileUrl, fileName) {
     }
   } else {
     // Handle non-image file previews.
-  if (extension === "pdf") {
-    // build a cache‐busted URL
-    const separator = fileUrl.includes('?') ? '&' : '?';
-    const urlWithTs = fileUrl + separator + 't=' + Date.now();
-  
-    // open in a new tab (avoids CSP frame-ancestors)
-    window.open(urlWithTs, "_blank");
-  
-    // tear down the just-created modal
-    const modal = document.getElementById("filePreviewModal");
-    if (modal) modal.remove();
-  
-    // stop further preview logic
-    return;
-  } else if (/\.(mp4|mkv|webm|mov|ogv)$/i.test(fileName)) {
+    if (extension === "pdf") {
+      // build a cache‐busted URL
+      const separator = fileUrl.includes('?') ? '&' : '?';
+      const urlWithTs = fileUrl + separator + 't=' + Date.now();
+
+      // open in a new tab (avoids CSP frame-ancestors)
+      window.open(urlWithTs, "_blank");
+
+      // tear down the just-created modal
+      const modal = document.getElementById("filePreviewModal");
+      if (modal) modal.remove();
+
+      // stop further preview logic
+      return;
+    } else if (/\.(mp4|mkv|webm|mov|ogv)$/i.test(fileName)) {
       const video = document.createElement("video");
       video.src = fileUrl;
       video.controls = true;
       video.className = "image-modal-img";
-      
+
       const progressKey = 'videoProgress-' + fileUrl;
       video.addEventListener("loadedmetadata", () => {
         const savedTime = localStorage.getItem(progressKey);

public/js/fileTags.js

@@ -3,9 +3,9 @@
 // adding tags to files (with a global tag store for reuse),
 // updating the file row display with tag badges,
 // filtering the file list by tag, and persisting tag data.
-import { escapeHTML } from './domUtils.js';
-import { t } from './i18n.js';
-import { renderFileTable, renderGalleryView } from './fileListView.js';
+import { escapeHTML } from './domUtils.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
+import { renderFileTable, renderGalleryView } from './fileListView.js?v={{APP_QVER}}';
 
 export function openTagModal(file) {
   // Create the modal element.

public/js/folderManager.js

@@ -1,11 +1,11 @@
 // folderManager.js
 
-import { loadFileList } from './fileListView.js';
-import { showToast, escapeHTML, attachEnterKeyListener } from './domUtils.js';
-import { t } from './i18n.js';
-import { openFolderShareModal } from './folderShareModal.js';
-import { fetchWithCsrf } from './auth.js';
-import { loadCsrfToken } from './main.js';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
+import { showToast, escapeHTML, attachEnterKeyListener } from './domUtils.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
+import { openFolderShareModal } from './folderShareModal.js?v={{APP_QVER}}';
+import { fetchWithCsrf } from './auth.js?v={{APP_QVER}}';
+import { loadCsrfToken } from './appCore.js?v={{APP_QVER}}';
 
 /* ----------------------
    Helpers: safe JSON + state

public/js/folderShareModal.js

@@ -1,6 +1,6 @@
 // js/folderShareModal.js
-import { escapeHTML, showToast } from './domUtils.js';
-import { t } from './i18n.js';
+import { escapeHTML, showToast } from './domUtils.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
 
 export function openFolderShareModal(folder) {
   // Remove any existing modal

public/js/i18n.js

@@ -247,7 +247,7 @@ const translations = {
     "login_options": "Login Options",
     "disable_login_form": "Disable Login Form",
     "disable_basic_http_auth": "Disable Basic HTTP Auth",
-    "disable_oidc_login": "Disable OIDC Login",
+    "disable_oidc_login": "Disable OIDC Login (OIDC Config Required to enable)",
     "save_settings": "Save Settings",
     "at_least_one_login_method": "At least one login method must remain enabled.",
     "settings_updated_successfully": "Settings updated successfully.",

public/js/trashRestoreDelete.js

@@ -1,9 +1,9 @@
 // trashRestoreDelete.js
-import { sendRequest } from './networkUtils.js';
-import { toggleVisibility, showToast } from './domUtils.js';
-import { loadFileList } from './fileListView.js';
-import { loadFolderTree } from './folderManager.js';
-import { t } from './i18n.js';
+import { sendRequest } from './networkUtils.js?v={{APP_QVER}}';
+import { toggleVisibility, showToast } from './domUtils.js?v={{APP_QVER}}';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
+import { loadFolderTree } from './folderManager.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
 
 function showConfirm(message, onConfirm) {
     const modal = document.getElementById("customConfirmModal");

public/js/upload.js

@@ -1,9 +1,9 @@
-import { initFileActions } from './fileActions.js';
-import { displayFilePreview } from './filePreview.js';
-import { showToast, escapeHTML } from './domUtils.js';
-import { loadFolderTree } from './folderManager.js';
-import { loadFileList } from './fileListView.js';
-import { t } from './i18n.js';
+import { initFileActions } from './fileActions.js?v={{APP_QVER}}';
+import { displayFilePreview } from './filePreview.js?v={{APP_QVER}}';
+import { showToast, escapeHTML } from './domUtils.js?v={{APP_QVER}}';
+import { loadFolderTree } from './folderManager.js?v={{APP_QVER}}';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
+import { t } from './i18n.js?v={{APP_QVER}}';
 
 /* -----------------------------------------------------
    Helpers for Drag–and–Drop Folder Uploads (Original Code)
@@ -36,6 +36,38 @@ function traverseFileTreePromise(item, path = "") {
   });
 }
 
+// --- Lazy loader for Resumable.js (no CSP inline, cached, safe) ---
+const RESUMABLE_SRC = '/vendor/resumable/1.1.0/resumable.min.js?v={{APP_QVER}}';
+let _resumableLoadPromise = null;
+
+function loadScriptOnce(src) {
+  if (loadScriptOnce._cache?.has(src)) return loadScriptOnce._cache.get(src);
+  loadScriptOnce._cache = loadScriptOnce._cache || new Map();
+  const p = new Promise((resolve, reject) => {
+    const s = document.createElement('script');
+    s.src = src;
+    s.async = true;
+    s.onload = resolve;
+    s.onerror = () => reject(new Error(`Failed to load ${src}`));
+    document.head.appendChild(s);
+  });
+  loadScriptOnce._cache.set(src, p);
+  return p;
+}
+
+function lazyLoadResumable() {
+  if (window.Resumable) return Promise.resolve(window.Resumable);
+  if (!_resumableLoadPromise) {
+    _resumableLoadPromise = loadScriptOnce(RESUMABLE_SRC).then(() => window.Resumable);
+  }
+  return _resumableLoadPromise;
+}
+
+// Optional: let main.js prefetch it in the background
+export function warmUpResumable() {
+  lazyLoadResumable().catch(() => {/* ignore warm-up failure */});
+}
+
 // Recursively retrieve files from DataTransfer items.
 function getFilesFromDataTransferItems(items) {
   const promises = [];
@@ -401,36 +433,49 @@ function processFiles(filesInput) {
    Resumable.js Integration for File Picker Uploads
    (Only files chosen via file input use Resumable; folder uploads use original code.)
 ----------------------------------------------------- */
-const useResumable = true; // Enable resumable for file picker uploads
-let resumableInstance;
-function initResumableUpload() {
-  resumableInstance = new Resumable({
-    target: "/api/upload/upload.php",
-    chunkSize: 1.5 * 1024 * 1024,
-    simultaneousUploads: 3,
-    forceChunkSize: true,
-    testChunks: false,
-    withCredentials: true,
-    headers: { 'X-CSRF-Token': window.csrfToken },
-    query: () => ({
-      folder: window.currentFolder || "root",
-      upload_token: window.csrfToken
-    })
+const useResumable = true;
+let resumableInstance = null;
+let _pendingPickedFiles = [];   // files picked before library/instance ready
+let _resumableReady = false;
+
+// Make init async-safe; it resolves when Resumable is constructed
+async function initResumableUpload() {
+  if (resumableInstance) return;
+  // Load the library if needed
+  const ResumableCtor = await lazyLoadResumable().catch(err => {
+    console.error('Failed to load Resumable.js:', err);
+    return null;
   });
+  if (!ResumableCtor) return;
+
+  // Construct the instance once
+  if (!resumableInstance) {
+    resumableInstance = new ResumableCtor({
+      target: "/api/upload/upload.php",
+      chunkSize: 1.5 * 1024 * 1024,
+      simultaneousUploads: 3,
+      forceChunkSize: true,
+      testChunks: false,
+      withCredentials: true,
+      headers: { 'X-CSRF-Token': window.csrfToken },
+      query: () => ({
+        folder: window.currentFolder || "root",
+        upload_token: window.csrfToken
+      })
+    });
+  }
 
   // keep query fresh when folder changes (call this from your folder nav code)
   function updateResumableQuery() {
     if (!resumableInstance) return;
     resumableInstance.opts.headers['X-CSRF-Token'] = window.csrfToken;
-    // if you're not using a function for query, do:
     resumableInstance.opts.query.folder = window.currentFolder || 'root';
     resumableInstance.opts.query.upload_token = window.csrfToken;
   }
 
   const fileInput = document.getElementById("file");
   if (fileInput) {
-    // Assign Resumable to file input for file picker uploads.
-    resumableInstance.assignBrowse(fileInput);
+    
     fileInput.addEventListener("change", function () {
       for (let i = 0; i < fileInput.files.length; i++) {
         resumableInstance.addFile(fileInput.files[i]);
@@ -587,13 +632,24 @@ function initResumableUpload() {
       showToast("Some files failed to upload. Please check the list.");
     }
   });
+
+  _resumableReady = true;
+  if (_pendingPickedFiles.length) {
+    updateResumableQuery();
+    for (const f of _pendingPickedFiles) resumableInstance.addFile(f);
+    _pendingPickedFiles = [];
+  }
+
 }
 
 /* -----------------------------------------------------
    XHR-based submitFiles for Drag–and–Drop (Folder) Uploads
 ----------------------------------------------------- */
 function submitFiles(allFiles) {
-  const folderToUse = window.currentFolder || "root";
+  const folderToUse = (() => {
+    const f = window.currentFolder || "root";
+    try { return decodeURIComponent(f); } catch { return f; }
+  })();
   const progressContainer = document.getElementById("uploadProgressContainer");
   const fileInput = document.getElementById("file");
 
@@ -857,32 +913,48 @@ function initUpload() {
   }
 
   if (fileInput) {
-    fileInput.addEventListener("change", function () {
+    fileInput.addEventListener("change", async function () {
+      const files = Array.from(fileInput.files || []);
+      if (!files.length) return;
+  
       if (useResumable) {
-        // For file picker, if resumable is enabled, let it handle the files.
-        for (let i = 0; i < fileInput.files.length; i++) {
-          resumableInstance.addFile(fileInput.files[i]);
+        // Ensure the lib/instance exists
+        if (!_resumableReady) await initResumableUpload();
+        if (resumableInstance) {
+          for (const f of files) resumableInstance.addFile(f);
+        } else {
+          // If still not ready (load error), fall back to your XHR path
+          processFiles(files);
         }
       } else {
-        processFiles(fileInput.files);
+        processFiles(files);
       }
     });
   }
 
   if (uploadForm) {
-    uploadForm.addEventListener("submit", function (e) {
+    uploadForm.addEventListener("submit", async function (e) {
       e.preventDefault();
       const files = window.selectedFiles || (fileInput ? fileInput.files : []);
-      if (!files || files.length === 0) {
+      if (!files || !files.length) {
         showToast("No files selected.");
         return;
       }
-      // If files come from file picker (no relative path), use Resumable.
-      if (useResumable && (!files[0].customRelativePath || files[0].customRelativePath === "")) {
-        // Ensure current folder is updated.
-        resumableInstance.opts.query.folder = window.currentFolder || "root";
-        resumableInstance.upload();
-        showToast("Resumable upload started...");
+  
+      // Resumable path (only for picked files, not folder uploads)
+      const first = files[0];
+      const isFolderish = !!(first.customRelativePath || first.webkitRelativePath);
+      if (useResumable && !isFolderish) {
+        if (!_resumableReady) await initResumableUpload();
+        if (resumableInstance) {
+          // ensure folder/token fresh
+          resumableInstance.opts.query.folder = window.currentFolder || "root";
+          resumableInstance.upload();
+          showToast("Resumable upload started...");
+        } else {
+          // fallback
+          submitFiles(files);
+        }
       } else {
         submitFiles(files);
       }

public/js/version.js

@@ -1,2 +1,2 @@
 // generated by CI
-window.APP_VERSION = 'v1.6.9';
+window.APP_VERSION = 'v1.7.5';

public/vendor/redoc/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015-present, Rebilly, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

scripts/stamp-assets.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+# usage: scripts/stamp-assets.sh vX.Y.Z /path/to/target/dir
+set -euo pipefail
+
+VER="${1:?usage: stamp-assets.sh vX.Y.Z target_dir}"
+QVER="${VER#v}"
+TARGET="${2:-.}"
+
+echo "Stamping assets in: $TARGET"
+echo "VER=${VER}  QVER=${QVER}"
+
+cd "$TARGET"
+
+# Normalize CRLF to LF (if any files were edited on Windows)
+# We only touch web assets.
+find public \( -name '*.html' -o -name '*.php' -o -name '*.css' -o -name '*.js' \) -type f -print0 \
+  | xargs -0 -r sed -i 's/\r$//'
+
+# --- HTML/CSS/PHP: stamp ?v=... and {{APP_VER}} ---
+# (?v=...) -> ?v=<QVER>
+HTML_CSS_COUNT=0
+while IFS= read -r -d '' f; do
+  sed -E -i "s/(\?v=)[^\"'&<>\s]*/\1${QVER}/g" "$f"
+  sed -E -i "s/\{\{APP_VER\}\}/${VER}/g" "$f"
+  HTML_CSS_COUNT=$((HTML_CSS_COUNT+1))
+done < <(find public -type f \( -name '*.html' -o -name '*.php' -o -name '*.css' \) -print0)
+
+# --- JS: stamp placeholders and normalize any pre-existing ?v=... ---
+JS_COUNT=0
+while IFS= read -r -d '' f; do
+  # Replace placeholders
+  sed -E -i "s/\{\{APP_VER\}\}/${VER}/g" "$f"
+  sed -E -i "s/\{\{APP_QVER\}\}/${QVER}/g" "$f"
+  # Normalize any "?v=..." that appear in ESM imports or strings
+  # This keeps any ".js" or ".mjs" then forces ?v=<QVER>
+  perl -0777 -i -pe "s@(\.m?js)\?v=[^\"')]+@\1?v=${QVER}@g" "$f"
+  JS_COUNT=$((JS_COUNT+1))
+done < <(find public -type f -name '*.js' -print0)
+
+# Force-write version.js (source of truth in stamped output)
+if [[ -f public/js/version.js ]]; then
+  printf "window.APP_VERSION = '%s';\n" "$VER" > public/js/version.js
+fi
+
+echo "Touched files: HTML/CSS/PHP=${HTML_CSS_COUNT}, JS=${JS_COUNT}"
+
+# Final self-check: fail if anything is left
+if grep -R -n -E "{{APP_QVER}}|{{APP_VER}}" public \
+   --include='*.html' --include='*.php' --include='*.css' --include='*.js' 2>/dev/null; then
+  echo "ERROR: Placeholders remain after stamping." >&2
+  exit 2
+fi
+
+echo "✅ Stamped to ${VER} (${QVER})"

src/controllers/AdminController.php

@@ -7,55 +7,60 @@ require_once PROJECT_ROOT . '/src/models/AdminModel.php';
 class AdminController
 { 
     public function getConfig(): void
-{
-    header('Content-Type: application/json');
-
-    // Load raw config (no disclosure yet)
-    $config = AdminModel::getConfig();
-    if (isset($config['error'])) {
-        http_response_code(500);
-        echo json_encode(['error' => $config['error']]);
-        exit;
-    }
-
-    // Minimal, safe subset for all callers (unauth users and regular users)
-    $public = [
-        'header_title'        => $config['header_title'] ?? 'FileRise',
-        'loginOptions'        => [
-            // expose only what the login page / header needs
-            'disableFormLogin'  => (bool)($config['loginOptions']['disableFormLogin']  ?? false),
-            'disableBasicAuth'  => (bool)($config['loginOptions']['disableBasicAuth']  ?? false),
-            'disableOIDCLogin'  => (bool)($config['loginOptions']['disableOIDCLogin']  ?? false),
-        ],
-        'globalOtpauthUrl'    => $config['globalOtpauthUrl'] ?? '',
-        'enableWebDAV'        => (bool)($config['enableWebDAV'] ?? false),
-        'sharedMaxUploadSize' => (int)($config['sharedMaxUploadSize'] ?? 0),
-
-        'oidc' => [
-            'providerUrl' => (string)($config['oidc']['providerUrl'] ?? ''),
-            'redirectUri' => (string)($config['oidc']['redirectUri'] ?? ''),
-            // never expose clientId / clientSecret
-        ],
-    ];
-
-    $isAdmin = !empty($_SESSION['authenticated']) && !empty($_SESSION['isAdmin']);
-
-    if ($isAdmin) {
-        // Add admin-only fields (used by Admin Panel UI)
-        $adminExtra = [
-            'loginOptions' => array_merge($public['loginOptions'], [
-                'authBypass'     => (bool)($config['loginOptions']['authBypass']     ?? false),
-                'authHeaderName' => (string)($config['loginOptions']['authHeaderName'] ?? 'X-Remote-User'),
-            ]),
+    {
+        header('Content-Type: application/json; charset=utf-8');
+    
+        $config = AdminModel::getConfig();
+        if (isset($config['error'])) {
+            http_response_code(500);
+            header('Cache-Control: no-store');
+            echo json_encode(['error' => $config['error']], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+            return;
+        }
+    
+        // Whitelisted public subset only
+        $public = [
+            'header_title'        => (string)($config['header_title'] ?? 'FileRise'),
+            'loginOptions'        => [
+                'disableFormLogin' => (bool)($config['loginOptions']['disableFormLogin'] ?? false),
+                'disableBasicAuth' => (bool)($config['loginOptions']['disableBasicAuth'] ?? false),
+                'disableOIDCLogin' => (bool)($config['loginOptions']['disableOIDCLogin'] ?? false),
+            ],
+            'globalOtpauthUrl'    => (string)($config['globalOtpauthUrl'] ?? ''),
+            'enableWebDAV'        => (bool)($config['enableWebDAV'] ?? false),
+            'sharedMaxUploadSize' => (int)($config['sharedMaxUploadSize'] ?? 0),
+            'oidc' => [
+                'providerUrl' => (string)($config['oidc']['providerUrl'] ?? ''),
+                'redirectUri' => (string)($config['oidc']['redirectUri'] ?? ''),
+                // never include clientId/clientSecret
+            ],
         ];
-        echo json_encode(array_merge($public, $adminExtra));
+    
+        $isAdmin = !empty($_SESSION['authenticated']) && !empty($_SESSION['isAdmin']);
+    
+        if ($isAdmin) {
+            // admin-only extras: presence flags + proxy options
+            $adminExtra = [
+                'loginOptions' => array_merge($public['loginOptions'], [
+                    'authBypass'     => (bool)($config['loginOptions']['authBypass'] ?? false),
+                    'authHeaderName' => (string)($config['loginOptions']['authHeaderName'] ?? 'X-Remote-User'),
+                ]),
+                'oidc' => array_merge($public['oidc'], [
+                    'hasClientId'     => !empty($config['oidc']['clientId']),
+                    'hasClientSecret' => !empty($config['oidc']['clientSecret']),
+                ]),
+            ];
+            header('Cache-Control: no-store'); // don’t cache admin config
+            echo json_encode(array_merge($public, $adminExtra), JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+            return;
+        }
+    
+        // Non-admins / unauthenticated: only the public subset
+        header('Cache-Control: no-store');
+        echo json_encode($public, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
         return;
     }
 
-    // Non-admins / unauthenticated: only the public subset
-    echo json_encode($public);
-}
-
     public function updateConfig(): void
     {
         header('Content-Type: application/json');
@@ -99,7 +104,7 @@ class AdminController
             'header_title'        => '',
             'loginOptions'        => [
                 'disableFormLogin' => false,
-                'disableBasicAuth' => false,
+                'disableBasicAuth' => true,
                 'disableOIDCLogin' => true,
                 'authBypass'       => false,
                 'authHeaderName'   => 'X-Remote-User'

src/controllers/AuthController.php

@@ -70,7 +70,10 @@ class AuthController
             if ($oidcAction === 'callback') {
                 try {
                     $oidc->authenticate();
-                    $username = $oidc->requestUserInfo('preferred_username');
+                    $username =
+    $oidc->requestUserInfo('preferred_username')
+    ?: $oidc->requestUserInfo('email')
+    ?: $oidc->requestUserInfo('sub');
 
                     // check if this user has a TOTP secret
                     $totp_secret = null;

src/controllers/UploadController.php

@@ -52,57 +52,69 @@ class UploadController {
         }
     
         // ---- 3) Folder-level WRITE permission (ACL) ----
-        // Always require client to send the folder; fall back to GET if needed.
-        $folderParam   = isset($_POST['folder']) ? (string)$_POST['folder'] : (isset($_GET['folder']) ? (string)$_GET['folder'] : 'root');
-        $targetFolder  = ACL::normalizeFolder($folderParam);
-    
-        // Admins bypass folder canWrite checks
-        if (!$isAdmin && !ACL::canUpload($username, $userPerms, $targetFolder)) {
-            http_response_code(403);
-            echo json_encode(['error' => 'Forbidden: no write access to folder "'.$targetFolder.'".']);
-            return;
-        }
-    
-        // ---- 4) Delegate to model (actual file/chunk processing) ----
-        // (Optionally re-check in UploadModel before finalizing.)
-        $result = UploadModel::handleUpload($_POST, $_FILES);
-    
-        // ---- 5) Response ----
-        if (isset($result['error'])) {
-            http_response_code(400);
-            echo json_encode($result);
-            return;
-        }
-        if (isset($result['status'])) {
-            // e.g., {"status":"chunk uploaded"}
-            echo json_encode($result);
-            return;
-        }
-    
-        echo json_encode([
-            'success'     => 'File uploaded successfully',
-            'newFilename' => $result['newFilename'] ?? null
-        ]);
+    // Always require client to send the folder; fall back to GET if needed.
+    $folderParam = isset($_POST['folder'])
+        ? (string)$_POST['folder']
+        : (isset($_GET['folder']) ? (string)$_GET['folder'] : 'root');
+
+    // Decode %xx (e.g., "test%20folder") then normalize
+    $folderParam  = rawurldecode($folderParam);
+    $targetFolder = ACL::normalizeFolder($folderParam);
+
+    // Admins bypass folder canWrite checks
+    $username  = (string)($_SESSION['username'] ?? '');
+    $userPerms = loadUserPermissions($username) ?: [];
+    $isAdmin   = ACL::isAdmin($userPerms);
+
+    if (!$isAdmin && !ACL::canUpload($username, $userPerms, $targetFolder)) {
+        http_response_code(403);
+        echo json_encode(['error' => 'Forbidden: no write access to folder "'.$targetFolder.'".']);
+        return;
     }
+
+    // ---- 4) Delegate to model (force the sanitized folder) ----
+    $_POST['folder'] = $targetFolder; // in case model reads superglobal
+    $post = $_POST;
+    $post['folder'] = $targetFolder;
+
+    $result = UploadModel::handleUpload($post, $_FILES);
+
+    // ---- 5) Response (unchanged) ----
+    if (isset($result['error'])) {
+        http_response_code(400);
+        echo json_encode($result);
+        return;
+    }
+    if (isset($result['status'])) {
+        echo json_encode($result);
+        return;
+    }
+
+    echo json_encode([
+        'success'     => 'File uploaded successfully',
+        'newFilename' => $result['newFilename'] ?? null
+    ]);
+}
     
     public function removeChunks(): void {
-        header('Content-Type: application/json');
+    header('Content-Type: application/json');
 
-        $receivedToken = isset($_POST['csrf_token']) ? trim($_POST['csrf_token']) : '';
-        if ($receivedToken !== ($_SESSION['csrf_token'] ?? '')) {
-            http_response_code(403);
-            echo json_encode(['error' => 'Invalid CSRF token']);
-            return;
-        }
-
-        if (!isset($_POST['folder'])) {
-            http_response_code(400);
-            echo json_encode(['error' => 'No folder specified']);
-            return;
-        }
-
-        $folder = (string)$_POST['folder'];
-        $result = UploadModel::removeChunks($folder);
-        echo json_encode($result);
+    $receivedToken = isset($_POST['csrf_token']) ? trim($_POST['csrf_token']) : '';
+    if ($receivedToken !== ($_SESSION['csrf_token'] ?? '')) {
+        http_response_code(403);
+        echo json_encode(['error' => 'Invalid CSRF token']);
+        return;
     }
+
+    if (!isset($_POST['folder'])) {
+        http_response_code(400);
+        echo json_encode(['error' => 'No folder specified']);
+        return;
+    }
+
+    $folderRaw = (string)$_POST['folder'];
+    $folder    = ACL::normalizeFolder(rawurldecode($folderRaw));
+
+    echo json_encode(UploadModel::removeChunks($folder));
+}
 }

src/controllers/UserController.php

@@ -3,6 +3,7 @@
 
 require_once __DIR__ . '/../../config/config.php';
 require_once PROJECT_ROOT . '/src/models/UserModel.php';
+require_once PROJECT_ROOT . '/src/models/AdminModel.php';
 
 /**
  * UserController
@@ -665,4 +666,38 @@ class UserController
         echo json_encode(['success' => true, 'url' => $url]);
         exit;
     }
+
+    public function siteConfig(): void
+    {
+        header('Content-Type: application/json');
+
+        $usersDir     = rtrim(USERS_DIR, '/\\') . DIRECTORY_SEPARATOR;
+        $publicPath   = $usersDir . 'siteConfig.json';
+        $adminEncPath = $usersDir . 'adminConfig.json';
+
+        $publicMtime = is_file($publicPath) ? (int)@filemtime($publicPath) : 0;
+        $adminMtime  = is_file($adminEncPath) ? (int)@filemtime($adminEncPath) : 0;
+
+        // If public cache is present and fresh enough, serve it
+        if ($publicMtime > 0 && $publicMtime >= $adminMtime) {
+            $raw = @file_get_contents($publicPath);
+            $data = is_string($raw) ? json_decode($raw, true) : null;
+            if (is_array($data)) {
+                echo json_encode($data);
+                return;
+            }
+        }
+
+        // Otherwise regenerate from decrypted admin config
+        $cfg = AdminModel::getConfig();
+        if (isset($cfg['error'])) {
+            http_response_code(500);
+            echo json_encode(['error' => $cfg['error']]);
+            return;
+        }
+
+        $public = AdminModel::buildPublicSubset($cfg);
+        $w = AdminModel::writeSiteConfig($public); // best effort
+        echo json_encode($public);
+    }
 }

src/models/AdminModel.php

@@ -62,6 +62,51 @@ class AdminModel
         return (int)$val;
     }
 
+    public static function buildPublicSubset(array $config): array
+    {
+        return [
+            'header_title'        => $config['header_title'] ?? 'FileRise',
+            'loginOptions'        => [
+                'disableFormLogin' => (bool)($config['loginOptions']['disableFormLogin'] ?? false),
+                'disableBasicAuth' => (bool)($config['loginOptions']['disableBasicAuth'] ?? false),
+                'disableOIDCLogin' => (bool)($config['loginOptions']['disableOIDCLogin'] ?? false),
+                // do NOT include authBypass/authHeaderName here — admin-only
+            ],
+            'globalOtpauthUrl'    => $config['globalOtpauthUrl'] ?? '',
+            'enableWebDAV'        => (bool)($config['enableWebDAV'] ?? false),
+            'sharedMaxUploadSize' => (int)($config['sharedMaxUploadSize'] ?? 0),
+            'oidc' => [
+                'providerUrl' => (string)($config['oidc']['providerUrl'] ?? ''),
+                'redirectUri' => (string)($config['oidc']['redirectUri'] ?? ''),
+                // never include clientId / clientSecret
+            ],
+        ];
+    }
+
+    /** Write USERS_DIR/siteConfig.json atomically (unencrypted). */
+    public static function writeSiteConfig(array $publicSubset): array
+    {
+        $dest = rtrim(USERS_DIR, '/\\') . DIRECTORY_SEPARATOR . 'siteConfig.json';
+        $tmp  = $dest . '.tmp';
+
+        $json = json_encode($publicSubset, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
+        if ($json === false) {
+            return ["error" => "Failed to encode siteConfig.json"];
+        }
+
+        if (file_put_contents($tmp, $json, LOCK_EX) === false) {
+            return ["error" => "Failed to write temp siteConfig.json"];
+        }
+
+        if (!@rename($tmp, $dest)) {
+            @unlink($tmp);
+            return ["error" => "Failed to move siteConfig.json into place"];
+        }
+
+        @chmod($dest, 0664); // readable in bind mounts
+        return ["success" => true];
+    }
+
     /**
      * Updates the admin configuration file.
      *
@@ -157,6 +202,14 @@ class AdminModel
         // Best-effort normalize perms for host visibility (user rw, group rw)
         @chmod($configFile, 0664);
 
+        $public = self::buildPublicSubset($configUpdate);
+        $w = self::writeSiteConfig($public);
+        // Don’t fail the whole update if public cache write had a minor issue.
+        if (isset($w['error'])) {
+            // Log but keep success for admin write
+            error_log("AdminModel::writeSiteConfig warning: " . $w['error']);
+        }
+
         return ["success" => "Configuration updated successfully."];
     }
 
@@ -262,7 +315,7 @@ class AdminModel
             ],
             'loginOptions'          => [
                 'disableFormLogin' => false,
-                'disableBasicAuth' => false,
+                'disableBasicAuth' => true,
                 'disableOIDCLogin' => true
             ],
             'globalOtpauthUrl'      => "",

src/models/UploadModel.php

@@ -6,231 +6,206 @@ require_once PROJECT_ROOT . '/config/config.php';
 class UploadModel {
 
     private static function sanitizeFolder(string $folder): string {
-                $folder = trim($folder);
-                if ($folder === '' || strtolower($folder) === 'root') return '';
-                // no traversal
-                if (strpos($folder, '..') !== false) return '';
-                // only safe chars + forward slashes
-                if (!preg_match('/^[A-Za-z0-9_\-\/]+$/', $folder)) return '';
-                // normalize: strip leading slashes
-                return ltrim($folder, '/');
+        // decode "%20", normalise slashes & trim via ACL helper
+        $f = ACL::normalizeFolder(rawurldecode($folder));
+
+        // model uses '' to represent root
+        if ($f === 'root') return '';
+
+        // forbid dot segments / empty parts
+        foreach (explode('/', $f) as $seg) {
+            if ($seg === '' || $seg === '.' || $seg === '..') {
+                return '';
             }
+        }
 
+        // allow spaces & unicode via your global regex
+        // (REGEX_FOLDER_NAME validates a path "seg(/seg)*")
+        if (!preg_match(REGEX_FOLDER_NAME, $f)) {
+            return '';
+        }
+
+        return $f; // safe, normalised, with spaces allowed
+    }
 
-    /**
-     * Handles file uploads – supports both chunked uploads and full (non-chunked) uploads.
-     *
-     * @param array $post The $_POST array.
-     * @param array $files The $_FILES array.
-     * @return array Returns an associative array with "success" on success or "error" on failure.
-     */
     public static function handleUpload(array $post, array $files): array {
-        // If this is a GET request for testing chunk existence.
+        // --- GET resumable test (make folder handling consistent)
         if ($_SERVER['REQUEST_METHOD'] === 'GET' && isset($post['resumableTest'])) {
-            $chunkNumber = intval($post['resumableChunkNumber']);
+            $chunkNumber         = (int)($post['resumableChunkNumber'] ?? 0);
             $resumableIdentifier = $post['resumableIdentifier'] ?? '';
-            $folder = isset($post['folder']) ? trim($post['folder']) : 'root';
+            $folderSan           = self::sanitizeFolder((string)($post['folder'] ?? 'root'));
+
             $baseUploadDir = UPLOAD_DIR;
-            if ($folder !== 'root') {
-                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR . $folder . DIRECTORY_SEPARATOR;
+            if ($folderSan !== '') {
+                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
+                               . str_replace('/', DIRECTORY_SEPARATOR, $folderSan) . DIRECTORY_SEPARATOR;
             }
-            $tempDir = $baseUploadDir . 'resumable_' . $resumableIdentifier . DIRECTORY_SEPARATOR;
+
+            $tempDir  = $baseUploadDir . 'resumable_' . $resumableIdentifier . DIRECTORY_SEPARATOR;
             $chunkFile = $tempDir . $chunkNumber;
             return ["status" => file_exists($chunkFile) ? "found" : "not found"];
         }
-        
-        // Handle chunked uploads.
+
+        // --- CHUNKED ---
         if (isset($post['resumableChunkNumber'])) {
-            $chunkNumber         = intval($post['resumableChunkNumber']);
-            $totalChunks         = intval($post['resumableTotalChunks']);
+            $chunkNumber         = (int)$post['resumableChunkNumber'];
+            $totalChunks         = (int)$post['resumableTotalChunks'];
             $resumableIdentifier = $post['resumableIdentifier'] ?? '';
-            $resumableFilename   = urldecode(basename($post['resumableFilename']));
-            
-            // Validate file name.
+            $resumableFilename   = urldecode(basename($post['resumableFilename'] ?? ''));
+
             if (!preg_match(REGEX_FILE_NAME, $resumableFilename)) {
                 return ["error" => "Invalid file name: $resumableFilename"];
             }
-            
-            $folderRaw = $post['folder'] ?? 'root';
-            $folderSan = self::sanitizeFolder((string)$folderRaw);
 
-            
+            $folderSan = self::sanitizeFolder((string)($post['folder'] ?? 'root'));
+
             if (empty($files['file']) || !isset($files['file']['name'])) {
-                        return ["error" => "No files received"];
-                    }
-            
+                return ["error" => "No files received"];
+            }
+
             $baseUploadDir = UPLOAD_DIR;
             if ($folderSan !== '') {
-                                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
-                                               . str_replace('/', DIRECTORY_SEPARATOR, $folderSan) . DIRECTORY_SEPARATOR;
-                            }
+                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
+                               . str_replace('/', DIRECTORY_SEPARATOR, $folderSan) . DIRECTORY_SEPARATOR;
+            }
             if (!is_dir($baseUploadDir) && !mkdir($baseUploadDir, 0775, true)) {
                 return ["error" => "Failed to create upload directory"];
             }
-            
+
             $tempDir = $baseUploadDir . 'resumable_' . $resumableIdentifier . DIRECTORY_SEPARATOR;
             if (!is_dir($tempDir) && !mkdir($tempDir, 0775, true)) {
                 return ["error" => "Failed to create temporary chunk directory"];
             }
-            
+
             $chunkErr = $files['file']['error'] ?? UPLOAD_ERR_NO_FILE;
             if ($chunkErr !== UPLOAD_ERR_OK) {
                 return ["error" => "Upload error on chunk $chunkNumber"];
             }
-            
+
             $chunkFile = $tempDir . $chunkNumber;
-            $tmpName = $files['file']['tmp_name'] ?? null;
+            $tmpName   = $files['file']['tmp_name'] ?? null;
             if (!$tmpName || !move_uploaded_file($tmpName, $chunkFile)) {
                 return ["error" => "Failed to move uploaded chunk $chunkNumber"];
             }
-            
-            // Check if all chunks are present.
-            $allChunksPresent = true;
+
+            // all chunks present?
             for ($i = 1; $i <= $totalChunks; $i++) {
                 if (!file_exists($tempDir . $i)) {
-                    $allChunksPresent = false;
-                    break;
+                    return ["status" => "chunk uploaded"];
                 }
             }
-            if (!$allChunksPresent) {
-                return ["status" => "chunk uploaded"];
-            }
-            
-            // Merge chunks.
+
+            // merge
             $targetPath = $baseUploadDir . $resumableFilename;
             if (!$out = fopen($targetPath, "wb")) {
                 return ["error" => "Failed to open target file for writing"];
             }
             for ($i = 1; $i <= $totalChunks; $i++) {
                 $chunkPath = $tempDir . $i;
-                if (!file_exists($chunkPath)) {
-                    fclose($out);
-                    return ["error" => "Chunk $i missing during merge"];
-                }
-                if (!$in = fopen($chunkPath, "rb")) {
-                    fclose($out);
-                    return ["error" => "Failed to open chunk $i"];
-                }
-                while ($buff = fread($in, 4096)) {
-                    fwrite($out, $buff);
-                }
+                if (!file_exists($chunkPath)) { fclose($out); return ["error" => "Chunk $i missing during merge"]; }
+                if (!$in = fopen($chunkPath, "rb")) { fclose($out); return ["error" => "Failed to open chunk $i"]; }
+                while ($buff = fread($in, 4096)) { fwrite($out, $buff); }
                 fclose($in);
             }
             fclose($out);
-            
-            // Update metadata.
-            $metadataKey = ($folderSan === '') ? "root" : $folderSan;
+
+            // metadata
+            $metadataKey      = ($folderSan === '') ? "root" : $folderSan;
             $metadataFileName = str_replace(['/', '\\', ' '], '-', $metadataKey) . '_metadata.json';
-            $metadataFile = META_DIR . $metadataFileName;
-            $uploadedDate = date(DATE_TIME_FORMAT);
-            $uploader = $_SESSION['username'] ?? "Unknown";
-            $metadataCollection = file_exists($metadataFile) ? json_decode(file_get_contents($metadataFile), true) : [];
-            if (!is_array($metadataCollection)) {
-                $metadataCollection = [];
+            $metadataFile     = META_DIR . $metadataFileName;
+            $uploadedDate     = date(DATE_TIME_FORMAT);
+            $uploader         = $_SESSION['username'] ?? "Unknown";
+            $collection       = file_exists($metadataFile) ? json_decode(file_get_contents($metadataFile), true) : [];
+            if (!is_array($collection)) $collection = [];
+            if (!isset($collection[$resumableFilename])) {
+                $collection[$resumableFilename] = ["uploaded" => $uploadedDate, "uploader" => $uploader];
+                file_put_contents($metadataFile, json_encode($collection, JSON_PRETTY_PRINT));
             }
-            if (!isset($metadataCollection[$resumableFilename])) {
-                $metadataCollection[$resumableFilename] = [
-                    "uploaded" => $uploadedDate,
-                    "uploader" => $uploader
-                ];
-                file_put_contents($metadataFile, json_encode($metadataCollection, JSON_PRETTY_PRINT));
-            }
-            
-            // Cleanup temporary directory.
-            $rrmdir = function($dir) use (&$rrmdir) {
-                if (!is_dir($dir)) return;
-                $iterator = new RecursiveIteratorIterator(
-                    new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
-                    RecursiveIteratorIterator::CHILD_FIRST
-                );
-                foreach ($iterator as $item) {
-                    $item->isDir() ? rmdir($item->getRealPath()) : unlink($item->getRealPath());
-                }
-                rmdir($dir);
-            };
-            $rrmdir($tempDir);
-            
+
+            // cleanup temp
+            self::rrmdir($tempDir);
+
             return ["success" => "File uploaded successfully"];
-        } else {
-                        // Handle full upload (non-chunked)
-                        $folderRaw = $post['folder'] ?? 'root';
-                        $folderSan = self::sanitizeFolder((string)$folderRaw);
-            }
-            
-            $baseUploadDir = UPLOAD_DIR;
-            if ($folderSan !== '') {
-                                $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
-                                               . str_replace('/', DIRECTORY_SEPARATOR, $folderSan) . DIRECTORY_SEPARATOR;
-                            }
-            if (!is_dir($baseUploadDir) && !mkdir($baseUploadDir, 0775, true)) {
-                return ["error" => "Failed to create upload directory"];
-            }
-            
-            $safeFileNamePattern = REGEX_FILE_NAME;
-            $metadataCollection = [];
-            $metadataChanged = [];
-            
-            foreach ($files["file"]["name"] as $index => $fileName) {
-                // Basic PHP upload error check per file
-                if (($files['file']['error'][$index] ?? UPLOAD_ERR_OK) !== UPLOAD_ERR_OK) {
-                        return ["error" => "Error uploading file"];
-                    }
-                $safeFileName = trim(urldecode(basename($fileName)));
-                if (!preg_match($safeFileNamePattern, $safeFileName)) {
-                    return ["error" => "Invalid file name: " . $fileName];
-                }
-                $relativePath = '';
-                if (isset($post['relativePath'])) {
-                    $relativePath = is_array($post['relativePath']) ? $post['relativePath'][$index] ?? '' : $post['relativePath'];
-                }
-                $uploadDir = rtrim($baseUploadDir, '/\\') . DIRECTORY_SEPARATOR;
-                if (!empty($relativePath)) {
-                    $subDir = dirname($relativePath);
-                    if ($subDir !== '.' && $subDir !== '') {
-                      // IMPORTANT: build the subfolder under the *current* base folder
-                        $uploadDir = rtrim($baseUploadDir, '/\\') . DIRECTORY_SEPARATOR .
-                                     str_replace('/', DIRECTORY_SEPARATOR, $subDir) . DIRECTORY_SEPARATOR;
-                    }
-                    $safeFileName = basename($relativePath);
-                }
-                if (!is_dir($uploadDir) && !@mkdir($uploadDir, 0775, true)) {
-                    return ["error" => "Failed to create subfolder: " . $uploadDir];
-                }
-                $targetPath = $uploadDir . $safeFileName;
-                if (move_uploaded_file($files["file"]["tmp_name"][$index], $targetPath)) {
-                                        $metadataKey = ($folderSan === '') ? "root" : $folderSan;
-                    $metadataFileName = str_replace(['/', '\\', ' '], '-', $metadataKey) . '_metadata.json';
-                    $metadataFile = META_DIR . $metadataFileName;
-                    if (!isset($metadataCollection[$metadataKey])) {
-                        $metadataCollection[$metadataKey] = file_exists($metadataFile) ? json_decode(file_get_contents($metadataFile), true) : [];
-                        if (!is_array($metadataCollection[$metadataKey])) {
-                            $metadataCollection[$metadataKey] = [];
-                        }
-                        $metadataChanged[$metadataKey] = false;
-                    }
-                    if (!isset($metadataCollection[$metadataKey][$safeFileName])) {
-                        $uploadedDate = date(DATE_TIME_FORMAT);
-                        $uploader = $_SESSION['username'] ?? "Unknown";
-                        $metadataCollection[$metadataKey][$safeFileName] = [
-                            "uploaded" => $uploadedDate,
-                            "uploader" => $uploader
-                        ];
-                        $metadataChanged[$metadataKey] = true;
-                    }
-                } else {
-                    return ["error" => "Error uploading file"];
-                }
-            }
-            
-            foreach ($metadataCollection as $folderKey => $data) {
-                if ($metadataChanged[$folderKey]) {
-                    $metadataFileName = str_replace(['/', '\\', ' '], '-', $folderKey) . '_metadata.json';
-                    $metadataFile = META_DIR . $metadataFileName;
-                    file_put_contents($metadataFile, json_encode($data, JSON_PRETTY_PRINT));
-                }
-            }
-            return ["success" => "Files uploaded successfully"];
         }
+
+        // --- NON-CHUNKED ---
+        $folderSan = self::sanitizeFolder((string)($post['folder'] ?? 'root'));
+
+        $baseUploadDir = UPLOAD_DIR;
+        if ($folderSan !== '') {
+            $baseUploadDir = rtrim(UPLOAD_DIR, '/\\') . DIRECTORY_SEPARATOR
+                           . str_replace('/', DIRECTORY_SEPARATOR, $folderSan) . DIRECTORY_SEPARATOR;
+        }
+        if (!is_dir($baseUploadDir) && !mkdir($baseUploadDir, 0775, true)) {
+            return ["error" => "Failed to create upload directory"];
+        }
+
+        $safeFileNamePattern = REGEX_FILE_NAME;
+        $metadataCollection  = [];
+        $metadataChanged     = [];
+
+        foreach ($files["file"]["name"] as $index => $fileName) {
+            if (($files['file']['error'][$index] ?? UPLOAD_ERR_OK) !== UPLOAD_ERR_OK) {
+                return ["error" => "Error uploading file"];
+            }
+
+            $safeFileName = trim(urldecode(basename($fileName)));
+            if (!preg_match($safeFileNamePattern, $safeFileName)) {
+                return ["error" => "Invalid file name: " . $fileName];
+            }
+
+            $relativePath = '';
+            if (isset($post['relativePath'])) {
+                $relativePath = is_array($post['relativePath']) ? ($post['relativePath'][$index] ?? '') : $post['relativePath'];
+            }
+
+            $uploadDir = rtrim($baseUploadDir, '/\\') . DIRECTORY_SEPARATOR;
+            if (!empty($relativePath)) {
+                $subDir = dirname($relativePath);
+                if ($subDir !== '.' && $subDir !== '') {
+                    $uploadDir = rtrim($baseUploadDir, '/\\') . DIRECTORY_SEPARATOR
+                               . str_replace('/', DIRECTORY_SEPARATOR, $subDir) . DIRECTORY_SEPARATOR;
+                }
+                $safeFileName = basename($relativePath);
+            }
+
+            if (!is_dir($uploadDir) && !@mkdir($uploadDir, 0775, true)) {
+                return ["error" => "Failed to create subfolder: " . $uploadDir];
+            }
+
+            $targetPath = $uploadDir . $safeFileName;
+            if (!move_uploaded_file($files["file"]["tmp_name"][$index], $targetPath)) {
+                return ["error" => "Error uploading file"];
+            }
+
+            $metadataKey      = ($folderSan === '') ? "root" : $folderSan;
+            $metadataFileName = str_replace(['/', '\\', ' '], '-', $metadataKey) . '_metadata.json';
+            $metadataFile     = META_DIR . $metadataFileName;
+
+            if (!isset($metadataCollection[$metadataKey])) {
+                $metadataCollection[$metadataKey] = file_exists($metadataFile) ? json_decode(file_get_contents($metadataFile), true) : [];
+                if (!is_array($metadataCollection[$metadataKey])) $metadataCollection[$metadataKey] = [];
+                $metadataChanged[$metadataKey] = false;
+            }
+
+            if (!isset($metadataCollection[$metadataKey][$safeFileName])) {
+                $uploadedDate = date(DATE_TIME_FORMAT);
+                $uploader     = $_SESSION['username'] ?? "Unknown";
+                $metadataCollection[$metadataKey][$safeFileName] = ["uploaded" => $uploadedDate, "uploader" => $uploader];
+                $metadataChanged[$metadataKey] = true;
+            }
+        }
+
+        foreach ($metadataCollection as $folderKey => $data) {
+            if (!empty($metadataChanged[$folderKey])) {
+                $metadataFileName = str_replace(['/', '\\', ' '], '-', $folderKey) . '_metadata.json';
+                $metadataFile     = META_DIR . $metadataFileName;
+                file_put_contents($metadataFile, json_encode($data, JSON_PRETTY_PRINT));
+            }
+        }
+
+        return ["success" => "Files uploaded successfully"];
+    }
     
 
         /**