chore(release): set APP_VERSION to v1.7.2 [skip ci]

release(v1.7.2): harden asset stamping & CI verification
chore(release): set APP_VERSION to v1.7.1 [skip ci]
2025-10-29 20:54:31 +00:00 · 2025-10-29 16:54:22 -04:00 · 2025-10-29 20:19:45 +00:00 · 2025-10-29 16:19:35 -04:00 · 2025-10-29 20:07:32 +00:00 · 2025-10-29 16:07:22 -04:00
39 changed files with 2668 additions and 445 deletions
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -1,12 +0,0 @@
 ---
 name: "FileRise CodeQL config"
 paths:
  - "public/js"
  - "api"
 paths-ignore:
  - "public/vendor/**"
  - "public/css/vendor/**"
  - "public/fonts/**"
  - "public/**/*.min.js"
  - "public/**/*.min.css"
  - "public/**/*.map"
--- a/.github/workflows/release-on-version.yml
+++ b/.github/workflows/release-on-version.yml
@@ -3,13 +3,12 @@ name: Release on version.js update
 on:
  push:
-    branches:
+    branches: ["master"]
      - master
    paths:
      - public/js/version.js
  workflow_run:
-    workflows: "Bump version and sync Changelog to Docker Repo"
+    workflows: ["Bump version and sync Changelog to Docker Repo"]
-    types: completed
+    types: [completed]
 permissions:
  contents: write
@@ -27,6 +26,10 @@ jobs:
        with:
          fetch-depth: 0
      - name: Ensure tags available
        run: |
          git fetch --tags --force --prune --quiet
      - name: Read version from version.js
        id: ver
        shell: bash
@@ -45,7 +48,6 @@ jobs:
        shell: bash
        run: |
          set -euo pipefail
          git fetch --tags --quiet
          if git rev-parse -q --verify "refs/tags/${{ steps.ver.outputs.version }}" >/dev/null; then
            echo "exists=true" >> "$GITHUB_OUTPUT"
            echo "Tag ${{ steps.ver.outputs.version }} already exists. Skipping release."
@@ -53,7 +55,76 @@ jobs:
            echo "exists=false" >> "$GITHUB_OUTPUT"
          fi
-      - name: Prepare release notes from CHANGELOG.md (optional)
+      # Ensure the stamper is executable and has LF endings (helps if edited on Windows)
      - name: Prep stamper script
        if: steps.tagcheck.outputs.exists == 'false'
        shell: bash
        run: |
          set -euo pipefail
          sed -i 's/\r$//' scripts/stamp-assets.sh || true
          chmod +x scripts/stamp-assets.sh
      - name: Build zip artifact (stamped)
        if: steps.tagcheck.outputs.exists == 'false'
        shell: bash
        run: |
          set -euo pipefail
          VER="${{ steps.ver.outputs.version }}"  # e.g. v1.6.12
          ZIP="FileRise-${VER}.zip"
          # Clean staging copy (exclude dotfiles you don’t want)
          rm -rf staging
          rsync -a \
            --exclude '.git' --exclude '.github' \
            --exclude 'resources' \
            --exclude '.dockerignore' --exclude '.gitattributes' --exclude '.gitignore' \
            ./ staging/
          # Stamp IN THE STAGING COPY (invoke via bash to avoid exec-bit issues)
          bash ./scripts/stamp-assets.sh "${VER}" "$(pwd)/staging"
      - name: Verify placeholders are gone (staging)
        if: steps.tagcheck.outputs.exists == 'false'
        shell: bash
        run: |
          set -euo pipefail
          ROOT="$(pwd)/staging"
          if grep -R -n -E "{{APP_QVER}}|{{APP_VER}}" "$ROOT" \
              --include='*.html' --include='*.php' --include='*.css' --include='*.js' 2>/dev/null; then
            echo "---- DEBUG (show 10 hits with context) ----"
            grep -R -n -E "{{APP_QVER}}|{{APP_VER}}" "$ROOT" \
              --include='*.html' --include='*.php' --include='*.css' --include='*.js' \
              | head -n 10 | while IFS=: read -r file line _; do
                  echo ">>> $file:$line"
                  nl -ba "$file" | sed -n "$((line-3)),$((line+3))p" || true
                  echo "----------------------------------------"
                done
            exit 1
          fi
          echo "OK: No unreplaced placeholders in staging."
      - name: Zip stamped staging
        if: steps.tagcheck.outputs.exists == 'false'
        shell: bash
        run: |
          set -euo pipefail
          VER="${{ steps.ver.outputs.version }}"
          ZIP="FileRise-${VER}.zip"
          (cd staging && zip -r "../$ZIP" . >/dev/null)
      - name: Compute SHA-256 checksum
        if: steps.tagcheck.outputs.exists == 'false'
        id: sum
        shell: bash
        run: |
          set -euo pipefail
          ZIP="FileRise-${{ steps.ver.outputs.version }}.zip"
          SHA=$(shasum -a 256 "$ZIP" | awk '{print $1}')
          echo "$SHA  $ZIP" > "${ZIP}.sha256"
          echo "sha=$SHA" >> "$GITHUB_OUTPUT"
          echo "Computed SHA-256: $SHA"
      - name: Extract notes from CHANGELOG (optional)
        if: steps.tagcheck.outputs.exists == 'false'
        id: notes
        shell: bash
@@ -66,45 +137,68 @@ jobs:
              /^## / && !found {found=1}
              found && /^---$/ {exit}
              found {print}
-            ' CHANGELOG.md > RELEASE_BODY.md || true
+            ' CHANGELOG.md > CHANGELOG_SNIPPET.md || true
-
+            sed -i -e :a -e '/^\n*$/{$d;N;ba' -e '}' CHANGELOG_SNIPPET.md || true
-            # Trim trailing blank lines
+            if [[ -s CHANGELOG_SNIPPET.md ]]; then
-            sed -i -e :a -e '/^\n*$/{$d;N;ba' -e '}' RELEASE_BODY.md || true
+              NOTES_PATH="CHANGELOG_SNIPPET.md"
            if [[ -s RELEASE_BODY.md ]]; then
              NOTES_PATH="RELEASE_BODY.md"
            fi
          fi
          echo "path=$NOTES_PATH" >> "$GITHUB_OUTPUT"
-      - name: (optional) Build archive to attach
+      - name: Compute previous tag (for Full Changelog link)
        if: steps.tagcheck.outputs.exists == 'false'
        id: prev
        shell: bash
        run: |
          set -euo pipefail
          VER="${{ steps.ver.outputs.version }}"
          PREV=$(git tag --list "v*" --sort=-v:refname | grep -v -F "$VER" | head -n1 || true)
          if [[ -z "$PREV" ]]; then
            PREV=$(git rev-list --max-parents=0 HEAD | tail -n1)
          fi
          echo "prev=$PREV" >> "$GITHUB_OUTPUT"
          echo "Previous tag or baseline: $PREV"
      - name: Build release body (snippet + full changelog + checksum)
        if: steps.tagcheck.outputs.exists == 'false'
        shell: bash
        run: |
          set -euo pipefail
-          zip -r "FileRise-${{ steps.ver.outputs.version }}.zip" public/ README.md LICENSE >/dev/null || true
+          VER="${{ steps.ver.outputs.version }}"
          PREV="${{ steps.prev.outputs.prev }}"
          REPO="${GITHUB_REPOSITORY}"
          COMPARE_URL="https://github.com/${REPO}/compare/${PREV}...${VER}"
          ZIP="FileRise-${VER}.zip"
          SHA="${{ steps.sum.outputs.sha }}"
-      # Path A: we have extracted notes -> use body_path
+          {
-      - name: Create GitHub Release (with CHANGELOG snippet)
+            echo
-        if: steps.tagcheck.outputs.exists == 'false' && steps.notes.outputs.path != ''
+            if [[ -s CHANGELOG_SNIPPET.md ]]; then
              cat CHANGELOG_SNIPPET.md
              echo
            fi
            echo "## ${VER}"
            echo "### Full Changelog"
            echo "[${PREV} → ${VER}](${COMPARE_URL})"
            echo
            echo "### SHA-256 (zip)"
            echo '```'
            echo "${SHA}  ${ZIP}"
            echo '```'
          } > RELEASE_BODY.md
          echo "Release body:"
          sed -n '1,200p' RELEASE_BODY.md
      - name: Create GitHub Release
        if: steps.tagcheck.outputs.exists == 'false'
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ steps.ver.outputs.version }}
          target_commitish: ${{ github.sha }}
          name: ${{ steps.ver.outputs.version }}
-          body_path: ${{ steps.notes.outputs.path }}
+          body_path: RELEASE_BODY.md
          generate_release_notes: false
          files: |
            FileRise-${{ steps.ver.outputs.version }}.zip
-
+            FileRise-${{ steps.ver.outputs.version }}.zip.sha256
      # Path B: no notes -> let GitHub auto-generate from commits
      - name: Create GitHub Release (auto notes)
        if: steps.tagcheck.outputs.exists == 'false' && steps.notes.outputs.path == ''
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ steps.ver.outputs.version }}
          target_commitish: ${{ github.sha }}
          name: ${{ steps.ver.outputs.version }}
          generate_release_notes: true
          files: |
            FileRise-${{ steps.ver.outputs.version }}.zip
--- a/.github/workflows/sync-changelog.yml
+++ b/.github/workflows/sync-changelog.yml
@@ -32,7 +32,7 @@ jobs:
            echo "No release(vX.Y.Z) tag in commit message; skipping bump."
          fi
-      - name: Update public/js/version.js
+      - name: Update public/js/version.js (source of truth)
        if: steps.ver.outputs.version != ''
        shell: bash
        run: |
@@ -42,43 +42,20 @@ jobs:
          window.APP_VERSION = '${{ steps.ver.outputs.version }}';
          EOF
-      - name: Stamp asset cache-busters (?v=...) in HTML/CSS and {{APP_VER}} everywhere
+      # ✂️ REMOVED: repo stamping of HTML/CSS/JS
        if: steps.ver.outputs.version != ''
        shell: bash
        run: |
          set -euo pipefail
          VER="${{ steps.ver.outputs.version }}"  # e.g. v1.6.9
          QVER="${VER#v}"                         # e.g. 1.6.9
          echo "Stamping ?v=${QVER} and {{APP_VER}}=${VER}"
-          # 1) Only stamp ?v= in HTML/CSS (avoid JS concatenation issues)
+      - name: Commit version.js only
          mapfile -t html_css < <(git ls-files -- 'public/*.html' 'public/**/*.html' 'public/*.css' 'public/**/*.css')
          for f in "${html_css[@]}"; do
            sed -E -i "s/(\?v=)[^\"'&<>\s]*/\1${QVER}/g" "$f"
            sed -E -i "s/\{\{APP_VER\}\}/${VER}/g" "$f"
          done
          # 2) For JS, only replace the {{APP_VER}} placeholder (do NOT touch ?v=)
          mapfile -t jsfiles < <(git ls-files -- 'public/*.js' 'public/**/*.js')
          for f in "${jsfiles[@]}"; do
            sed -E -i "s/\{\{APP_VER\}\}/${VER}/g" "$f"
          done
          echo "Changed files:"
          git status --porcelain | awk '{print $2}' | sed 's/^/  - /'
      - name: Commit version bump + stamped assets
        if: steps.ver.outputs.version != ''
        shell: bash
        run: |
          set -euo pipefail
          git config user.name  "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
-          git add public/js/version.js public
+          git add public/js/version.js
          if git diff --cached --quiet; then
            echo "No changes to commit"
          else
-            git commit -m "chore(release): set APP_VERSION and stamp assets to ${{ steps.ver.outputs.version }} [skip ci]"
+            git commit -m "chore(release): set APP_VERSION to ${{ steps.ver.outputs.version }} [skip ci]"
            git push
          fi
@@ -110,6 +87,6 @@ jobs:
          if git diff --cached --quiet; then
            echo "No changes to commit"
          else
-            git commit -m "chore: sync CHANGELOG.md and VERSION (${{ steps.ver.outputs.version }}) from FileRise"
+            git commit -m "chore: sync CHANGELOG.md + VERSION (${{ steps.ver.outputs.version }}) from FileRise"
            git push origin main
          fi
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,122 @@
 # Changelog
 ## Changes 10/29/2025 (v1.7.0 & v1.7.1 & v1.7.2)
 release(v1.7.0): asset cache-busting pipeline, public siteConfig cache, JS core split, and caching/security polish
 ### ✨ Features
 - Public, non-sensitive site config cache:
  - Add `AdminModel::buildPublicSubset()` and `writeSiteConfig()` to write `USERS_DIR/siteConfig.json`.
  - New endpoint `public/api/siteConfig.php` + `UserController::siteConfig()` to serve the public subset (regenerates if stale).
  - Frontend now reads `/api/siteConfig.php` (safe subset) instead of `/api/admin/getConfig.php`.
 - Frontend module versioning:
  - Replace all module imports with `?v={{APP_QVER}}` query param so the release/Docker stamper can pin exact versions.
  - Add `scripts/stamp-assets.sh` to stamp `?v=` and `{{APP_VER}}/{{APP_QVER}}` in **staging** for ZIP/Docker builds.
 ### 🧩 Refactors
 - Extract shared boot/bootstrap logic into `public/js/appCore.js`:
  - CSRF helpers (`setCsrfToken`, `getCsrfToken`, `loadCsrfToken`)
  - `initializeApp()`, `triggerLogout()`
  - Keep `main.js` lean; wrap global `fetch` once to append/rotate CSRF.
 - Update imports across JS modules to use versioned module URLs.
 ### 🚀 Performance
 - Aggressive, safe caching for versioned assets:
  - `.htaccess`: `?v=…` ⇒ `Cache-Control: max-age=31536000, immutable`.
  - Unversioned JS/CSS short cache (1h), other static (7d).
 - Eliminate duplicate `main.js` loads and tighten CodeMirror mode loading.
 ### 🔒 Security / Hardening
 - `.htaccess`:
  - Conditional HSTS only when HTTPS, add CORP and X-Permitted-Cross-Domain-Policies.
  - CSP kept strict for modules, workers, blobs.
 - Admin config exposure reduced to a curated subset in `siteConfig.json`.
 ### 🧪 CI/CD / Release
 - **FileRise repo**
  - `sync-changelog.yml`: keep `public/js/version.js` as source-of-truth only (no repo-wide stamping).
  - `release-on-version.yml`: build **stamped** ZIP from a staging copy via `scripts/stamp-assets.sh`, verify placeholders removed, attach checksum.
 - **filerise-docker repo**
  - Read `VERSION`, checkout app to `app/`, run stamper inside build context before `docker buildx`, tag `latest` and `:${VERSION}`.
 ### 🔧 Defaults
 - Sample/admin config defaults now set `disableBasicAuth: true` (safer default). Existing installations keep their current setting.
 ### 📂 Notable file changes
 - `src/models/AdminModel.php` (+public subset +atomic write)
 - `src/controllers/UserController.php` (+siteConfig action)
 - `public/api/siteConfig.php` (new)
 - `public/js/appCore.js` (new), `public/js/main.js` (slim, uses appCore)
 - Many `public/js/*.js` import paths updated to `?v={{APP_QVER}}`
 - `public/.htaccess` (caching & headers)
 - `scripts/stamp-assets.sh` (new)
 ### ⚠️ Upgrade notes
 - Ensure `USERS_DIR` is writable by web server for `siteConfig.json`.
 - Proxies/edge caches: the new `?v=` scheme enables long-lived immutable caching; purge is automatic on version bump.
 - If you previously read admin config directly on the client, it now reads `/api/siteConfig.php`.
 ### Additional changes/fixes for release
 - `release-on-version.yml`
  - normalize line endings (strip CRLF)
  - stamp-assets.sh don’t rely on the exec; invoke via bash
 release(v1.7.2): harden asset stamping & CI verification
 ### build(stamper)
 - Rewrite scripts/stamp-assets.sh to be repo-agnostic and macOS/Windows friendly:
  - Drop reliance on git ls-files/mapfile; use find + null-delimited loops
  - Normalize CRLF to LF for all web assets before stamping
  - Stamp ?v=<APP_QVER> in HTML/CSS/PHP and {{APP_VER}} everywhere
  - Normalize any ".mjs|.js?v=..." occurrences inside JS (ESM imports/strings)
  - Force-write public/js/version.js from VER (source of truth in stamped output)
  - Print touched counts and fail fast if any {{APP_QVER}}|{{APP_VER}} remain
 ---
 ## Changes 10/28/2025 (v1.6.11)
 release(v1.6.11) fix(ui/dragAndDrop) restore floating zones toggle click action
 Re-add the click handler to toggle `zonesCollapsed` so the header
 “sidebarToggleFloating” button actually expands/collapses the zones
 again. This regressed in v1.6.10 during auth-gating refactor.
 Refs: #regression #ux
 chore(codeql): move config to repo root for default setup
 - Relocate .github/codeql/codeql-config.yml to codeql-config.yml so GitHub default code scanning picks it up
 - Keep paths: public/js, api
 - Keep ignores: public/vendor/**, public/css/vendor/**, public/fonts/**, public/**/*.min.{js,css}, public/**/*.map
 ---
 ## Changes 10/28/2025 (v1.6.10)
 release(v1.6.10): self-host ReDoc, gate sidebar toggle on auth, and enrich release workflow
 - Vendor ReDoc and add MIT license file under public/vendor/redoc/; switch api.php to local bundle to satisfy CSP (script-src 'self').
 - main.js: add/remove body.authenticated on login/logout so UI can reflect auth state.
 - dragAndDrop.js: only render sidebarToggleFloating when authenticated; stop event bubbling, keep dark-mode styles.
 - sync-changelog.yml: also stamp ?v= in PHP templates (public/**/*.php).
 - release-on-version.yml: build zip first, compute SHA-256, assemble release body with latest CHANGELOG snippet, “Full Changelog” compare link, and attach .sha256 alongside the zip.
 - THIRD_PARTY.md: document ReDoc vendoring and rationale.
 Refs: #security #csp #release
 ---
 ## Changes 10/27/2025 (v1.6.9)
 release(v1.6.9): feat(core) localize assets, harden headers, and speed up load
--- a/README.md
+++ b/README.md
@@ -139,7 +139,7 @@ docker run -d \
  -e DATE_TIME_FORMAT="m/d/y  h:iA" \
  -e TOTAL_UPLOAD_SIZE="5G" \
  -e SECURE="false" \
-  -e PERSISTENT_TOKENS_KEY="please_change_this_@@" \
+  -e PERSISTENT_TOKENS_KEY="default_please_change_this_key" \
  -e PUID="1000" \
  -e PGID="1000" \
  -e CHOWN_ON_START="true" \
@@ -186,7 +186,7 @@ services:
      DATE_TIME_FORMAT: "m/d/y  h:iA"
      TOTAL_UPLOAD_SIZE: "10G"
      SECURE: "false"
-      PERSISTENT_TOKENS_KEY: "please_change_this_@@"
+      PERSISTENT_TOKENS_KEY: "default_please_change_this_key"
      # Ownership & indexing
      PUID: "1000"              # Unraid users often use 99
      PGID: "1000"              # Unraid users often use 100
--- a/public/THIRD_PARTY.md
+++ b/public/THIRD_PARTY.md
@@ -37,6 +37,10 @@ If you believe any attribution is missing or incorrect, please open an issue.
 - **Resumable.js 1.1.0** — MIT License  
  **Files:** `public/vendor/resumable/1.1.0/resumable.min.js`
 - **ReDoc (redoc.standalone.js)** — MIT License  
  **Files:** `public/vendor/redoc/redoc.standalone.js`  
  **Notes:** Self-hosted to comply with `script-src 'self'` CSP.
 > MIT-licensed code: see `licenses/mit.txt`.  
 > Apache-2.0–licensed code: see `licenses/apache-2.0.txt`.
--- a/codeql-config.yml
+++ b/codeql-config.yml
@@ -0,0 +1,12 @@
 ---
 name: FileRise CodeQL config
 paths:
  - public/js
  - api
 paths-ignore:
  - public/vendor/**
  - public/css/vendor/**
  - public/fonts/**
  - public/**/*.min.js
  - public/**/*.min.css
  - public/**/*.map
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -11,14 +11,16 @@ DirectoryIndex index.html
 </IfModule>
 RewriteEngine On
 # If you want forced HTTPS behind a proxy, keep this off here and do it at the proxy
 #RewriteCond %{HTTPS} off
 #RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
-# MIME types for fonts/SVG
+# MIME types (fonts/SVG/ESM)
 <IfModule mod_mime.c>
  AddType font/woff2 .woff2
  AddType font/woff  .woff
  AddType image/svg+xml .svg
  AddType application/javascript .mjs
 </IfModule>
 # Security headers
@@ -26,43 +28,53 @@ RewriteEngine On
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-XSS-Protection "1; mode=block"
  Header always set X-Content-Type-Options "nosniff"
-  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+  # HSTS: only if HTTPS (prevents mixed local dev warnings)
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
  Header always set X-Download-Options "noopen"
  Header always set Expect-CT "max-age=86400, enforce"
  # Nice extra hardening (same-origin resource sharing)
  Header always set Cross-Origin-Resource-Policy "same-origin"
  Header always set X-Permitted-Cross-Domain-Policies "none"
  # CSP (modules, workers, blobs already accounted for)
  Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; media-src 'self' blob:; worker-src 'self' blob:; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; form-action 'self'"
 </IfModule>
 # Caching
 SetEnvIfNoCase QUERY_STRING "(^|&)v=" has_version_param=1
 <IfModule mod_headers.c>
  # HTML/PHP: no cache (app shell)
  <FilesMatch "\.(html?|php)$">
    Header set Cache-Control "no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires "0"
  </FilesMatch>
  # version.js is your source-of-truth; keep it non-cacheable so dev/CI flips show up
  <FilesMatch "^js/version\.js$">
    Header set Cache-Control "no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires "0"
  </FilesMatch>
-  <FilesMatch "\.(js|css)$">
+# Unversioned JS/CSS (dev): 1 hour
-    Header set Cache-Control "public, max-age=3600, must-revalidate" env=!has_version_param
+<FilesMatch "\.(?:m?js|css)$">
-  </FilesMatch>
+  Header set Cache-Control "public, max-age=3600, must-revalidate" env=!has_version_param
 </FilesMatch>
-  <FilesMatch "\.(png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
+# Unversioned static assets (dev): 7 days
-    Header set Cache-Control "public, max-age=604800" env=!has_version_param
+<FilesMatch "\.(?:png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
-  </FilesMatch>
+  Header set Cache-Control "public, max-age=604800" env=!has_version_param
 </FilesMatch>
-  <FilesMatch "\.(js|css|png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
+# Versioned assets (?v=...): 1 year + immutable
-    Header set Cache-Control "public, max-age=31536000, immutable" env=has_version_param
+<FilesMatch "\.(?:m?js|css|png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
-  </FilesMatch>
+  Header set Cache-Control "public, max-age=31536000, immutable" env=has_version_param
-</IfModule>
+</FilesMatch>
-# Compression (only if module exists)
+# Compression (if modules exist)
 <IfModule mod_brotli.c>
  BrotliCompressionQuality 5
  AddOutputFilterByType BROTLI_COMPRESS text/html text/css application/javascript application/json image/svg+xml
--- a/public/api.php
+++ b/public/api.php
@@ -19,13 +19,11 @@ if (isset($_GET['spec'])) {
  <meta charset="utf-8"/>
  <meta name="viewport" content="width=device-width, initial-scale=1"/>
  <title>FileRise API Docs</title>
-  <script defer src="https://cdn.redoc.ly/redoc/latest/bundles/redoc.standalone.js"
+  <script defer src="/vendor/redoc/redoc.standalone.js?v={{APP_QVER}}"></script>
-          integrity="sha384-70P5pmIdaQdVbxvjhrcTDv1uKcKqalZ3OHi7S2J+uzDl0PW8dO6L+pHOpm9EEjGJ"
+  <script defer src="/js/redoc-init.js?v={{APP_QVER}}"></script>
          crossorigin="anonymous"></script>
  <script defer src="/js/redoc-init.js"></script>
 </head>
 <body>
-  <redoc spec-url="api.php?spec=1"></redoc>
+  <redoc spec-url="/api.php?spec=1"></redoc>
  <div id="redoc-container"></div>
 </body>
 </html>
--- a/public/api/siteConfig.php
+++ b/public/api/siteConfig.php
@@ -0,0 +1,9 @@
 <?php
 // public/api/siteConfig.php
 require_once __DIR__ . '/../../config/config.php';
 require_once PROJECT_ROOT . '/src/controllers/UserController.php';
 $userController = new UserController();
 $userController->siteConfig();
--- a/public/css/styles.css
+++ b/public/css/styles.css
@@ -27,7 +27,9 @@ body {
      padding-left: 30px !important;
      padding-right: 30px !important;
  }}
-  
+  @media (max-width: 600px) {
    .zones-toggle { left: 85px !important; }
  }
  /* ===========================================================
     HEADER & NAVIGATION
     =========================================================== */
@@ -35,7 +37,7 @@ body {
  /************************************************************/
  /* FLEXBOX HEADER: LOGO, TITLE, BUTTONS FIXED               */
  /************************************************************/
-  
+  .header-logo .logo { height: 50px; width: auto; display: block; }
  .btn-login {
  margin-top: 10px;
  }/* Color overrides */
--- a/public/fonts/material-symbols/material-symbols-rounded.woff2
+++ b/public/fonts/material-symbols/material-symbols-rounded.woff2
--- a/public/index.html
+++ b/public/index.html
@@ -11,29 +11,31 @@
  <meta name="share-url" content="">
  <style>.main-wrapper{display:none}#loadingOverlay{position:fixed;inset:0;background:var(--bg-color,#fff);z-index:9999;display:flex;align-items:center;justify-content:center}</style>
-  <link rel="stylesheet" href="/css/vendor/roboto.css?v=dev">
+  <link rel="stylesheet" href="/css/vendor/roboto.css?v={{APP_QVER}}">
-  <link rel="stylesheet" href="/css/vendor/material-icons.css?v=dev">
+  <link rel="stylesheet" href="/css/vendor/material-icons.css?v={{APP_QVER}}">
  <!-- Bootstrap CSS (local) -->
-  <link rel="stylesheet" href="/vendor/bootstrap/4.5.2/bootstrap.min.css?v=dev">
+  <link rel="stylesheet" href="/vendor/bootstrap/4.5.2/bootstrap.min.css?v={{APP_QVER}}">
  <!-- CodeMirror CSS (local) -->
-  <link rel="stylesheet" href="/vendor/codemirror/5.65.5/codemirror.min.css?v=dev">
+  <link rel="stylesheet" href="/vendor/codemirror/5.65.5/codemirror.min.css?v={{APP_QVER}}">
-  <link rel="stylesheet" href="/vendor/codemirror/5.65.5/theme/material-darker.min.css?v=dev">
+  <link rel="stylesheet" href="/vendor/codemirror/5.65.5/theme/material-darker.min.css?v={{APP_QVER}}">
  <!-- app CSS -->
-  <link rel="stylesheet" href="/css/styles.css?v=dev">
+  <link rel="stylesheet" href="/css/styles.css?v={{APP_QVER}}">
  <!-- Libraries (JS) -->
-  <script src="/vendor/dompurify/2.4.0/purify.min.js?v=dev"></script>
+  <script src="/vendor/dompurify/2.4.0/purify.min.js?v={{APP_QVER}}"></script>
-  <script src="/vendor/fuse/6.6.2/fuse.min.js?v=dev"></script>
+  <script src="/vendor/fuse/6.6.2/fuse.min.js?v={{APP_QVER}}"></script>
-  <script src="/vendor/resumable/1.1.0/resumable.min.js?v=dev"></script>
+  <script src="/vendor/resumable/1.1.0/resumable.min.js?v={{APP_QVER}}"></script>
-  <!-- CodeMirror core FIRST, then modes -->
+  <!-- CodeMirror core FIRST -->
-  <script src="/vendor/codemirror/5.65.5/codemirror.min.js?v=dev"></script>
+  <script src="/vendor/codemirror/5.65.5/codemirror.min.js?v={{APP_QVER}}"></script>
-  <script src="/js/version.js?v=dev"></script>
+  <script src="/js/version.js?v={{APP_QVER}}"></script>
-  <script type="module" src="/js/main.js"></script>
+
  <link rel="modulepreload" href="/js/main.js?v={{APP_QVER}}">
  <script type="module" src="/js/main.js?v={{APP_QVER}}"></script>
 </head>
@@ -42,67 +44,7 @@
    <div class="header-left">
      <a href="index.html">
        <div class="header-logo">
-          <svg version="1.1" id="filingCabinetLogo" xmlns="http://www.w3.org/2000/svg"
+          <img src="/assets/logo.svg?v={{APP_QVER}}" alt="FileRise" class="logo" />
            xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 64 64" xml:space="preserve">
            <defs>
              <!-- Gradient for the cabinet body -->
              <linearGradient id="cabinetGradient" x1="0%" y1="0%" x2="0%" y2="100%">
                <stop offset="0%" style="stop-color:#2196F3;stop-opacity:1" />
                <stop offset="100%" style="stop-color:#1976D2;stop-opacity:1" />
              </linearGradient>
              <!-- Drop shadow filter with animated attributes for a lifting effect -->
              <filter id="shadowFilter" x="-20%" y="-20%" width="140%" height="140%">
                <feDropShadow id="dropShadow" dx="0" dy="2" stdDeviation="2" flood-color="#000" flood-opacity="0.2">
                  <!-- Animate the vertical offset: from 2 to 1 (as it rises), hold, then back to 2 -->
                  <animate attributeName="dy" values="2;1;1;2" keyTimes="0;0.2;0.8;1" dur="5s" fill="freeze" />
                  <!-- Animate the blur similarly: from 2 to 1.5 then back to 2 -->
                  <animate attributeName="stdDeviation" values="2;1.5;1.5;2" keyTimes="0;0.2;0.8;1" dur="5s"
                    fill="freeze" />
                </feDropShadow>
              </filter>
            </defs>
            <style type="text/css">
              /* Cabinet with gradient, white outline, and drop shadow */
              .cabinet {
                fill: url(#cabinetGradient);
                stroke: white;
                stroke-width: 2;
              }
              .divider {
                stroke: #1565C0;
                stroke-width: 1.5;
              }
              .drawer {
                fill: #FFFFFF;
              }
              .handle {
                fill: #1565C0;
              }
            </style>
            <!-- Group that will animate upward and then back down once -->
            <g id="cabinetGroup">
              <!-- Cabinet Body with rounded corners, white outline, and drop shadow -->
              <rect x="4" y="4" width="56" height="56" rx="6" ry="6" class="cabinet" filter="url(#shadowFilter)" />
              <!-- Divider lines for drawers -->
              <line x1="5" y1="22" x2="59" y2="22" class="divider" />
              <line x1="5" y1="34" x2="59" y2="34" class="divider" />
              <!-- Drawers with Handles -->
              <rect x="8" y="24" width="48" height="6" rx="1" ry="1" class="drawer" />
              <circle cx="54" cy="27" r="1.5" class="handle" />
              <rect x="8" y="36" width="48" height="6" rx="1" ry="1" class="drawer" />
              <circle cx="54" cy="39" r="1.5" class="handle" />
              <rect x="8" y="48" width="48" height="6" rx="1" ry="1" class="drawer" />
              <circle cx="54" cy="51" r="1.5" class="handle" />
              <!-- Additional detail: a small top handle on the cabinet door -->
              <rect x="28" y="10" width="8" height="4" rx="1" ry="1" fill="#1565C0" />
              <!-- Animate transform: rises by 2 pixels over 1s, holds for 3s, then falls over 1s (total 5s) -->
              <animateTransform attributeName="transform" type="translate" values="0 0; 0 -2; 0 -2; 0 0"
                keyTimes="0;0.2;0.8;1" dur="5s" fill="freeze" />
            </g>
          </svg>
        </div>
      </a>
    </div>
--- a/public/js/adminPanel.js
+++ b/public/js/adminPanel.js
@@ -1,8 +1,8 @@
 // adminPanel.js
-import { t } from './i18n.js';
+import { t } from './i18n.js?v={{APP_QVER}}';
-import { loadAdminConfigFunc } from './auth.js';
+import { loadAdminConfigFunc } from './auth.js?v={{APP_QVER}}';
-import { showToast, toggleVisibility, attachEnterKeyListener } from './domUtils.js';
+import { showToast, toggleVisibility, attachEnterKeyListener } from './domUtils.js?v={{APP_QVER}}';
-import { sendRequest } from './networkUtils.js';
+import { sendRequest } from './networkUtils.js?v={{APP_QVER}}';
 const version = window.APP_VERSION || "dev";
 const adminTitle = `${t("admin_panel")} <small style="font-size:12px;color:gray;">${version}</small>`;
--- a/public/js/appCore.js
+++ b/public/js/appCore.js
@@ -0,0 +1,160 @@
 // /js/appCore.js
 import { showToast } from './domUtils.js?v={{APP_QVER}}';
 import { t } from './i18n.js?v={{APP_QVER}}';
 import { loadFolderTree } from './folderManager.js?v={{APP_QVER}}';
 import { setupTrashRestoreDelete } from './trashRestoreDelete.js?v={{APP_QVER}}';
 import { initDragAndDrop, loadSidebarOrder, loadHeaderOrder } from './dragAndDrop.js?v={{APP_QVER}}';
 import { initTagSearch } from './fileTags.js?v={{APP_QVER}}';
 import { initFileActions } from './fileActions.js?v={{APP_QVER}}';
 import { initUpload } from './upload.js?v={{APP_QVER}}';
 import { loadAdminConfigFunc } from './auth.js?v={{APP_QVER}}';
 // Keep a bound handle to the native fetch so wrappers elsewhere never recurse
 const _nativeFetch = window.fetch.bind(window);
 /* =========================
   CSRF UTILITIES (shared)
   ========================= */
 export function setCsrfToken(token) {
  if (!token) return;
  window.csrfToken = token;
  localStorage.setItem('csrf', token);
  // meta tag for easy access in other places
  let meta = document.querySelector('meta[name="csrf-token"]');
  if (!meta) {
    meta = document.createElement('meta');
    meta.name = 'csrf-token';
    document.head.appendChild(meta);
  }
  meta.content = token;
 }
 export function getCsrfToken() {
  return window.csrfToken || localStorage.getItem('csrf') || '';
 }
 /**
 * Bootstrap/refresh CSRF from the server.
 * Uses the native fetch to avoid wrapper loops and accepts rotated tokens via header.
 */
 export async function loadCsrfToken() {
  const res = await _nativeFetch('/api/auth/token.php', { method: 'GET', credentials: 'include' });
  // header-based rotation
  const hdr = res.headers.get('X-CSRF-Token');
  if (hdr) setCsrfToken(hdr);
  // body (if provided)
  let body = {};
  try { body = await res.json(); } catch { /* token endpoint may return empty */ }
  const token = body.csrf_token || getCsrfToken();
  setCsrfToken(token);
  // share-url meta should reflect the actual origin
  const actualShare = window.location.origin;
  let shareMeta = document.querySelector('meta[name="share-url"]');
  if (!shareMeta) {
    shareMeta = document.createElement('meta');
    shareMeta.name = 'share-url';
    document.head.appendChild(shareMeta);
  }
  shareMeta.content = actualShare;
  return { csrf_token: token, share_url: actualShare };
 }
 /* =========================
   APP INIT (shared)
   ========================= */
 export function initializeApp() {
  const saved = parseInt(localStorage.getItem('rowHeight') || '48', 10);
  document.documentElement.style.setProperty('--file-row-height', saved + 'px');
  const last = localStorage.getItem('lastOpenedFolder');
  window.currentFolder = last ? last : "root";
  const stored = localStorage.getItem('showFoldersInList');
  window.showFoldersInList = stored === null ? true : stored === 'true';
  // Load public site config early (safe subset)
  loadAdminConfigFunc();
  // Enable tag search UI; initial file list load is controlled elsewhere
  initTagSearch();
  // Hook DnD relay from fileList area into upload area
  const fileListArea = document.getElementById('fileListContainer');
  const uploadArea   = document.getElementById('uploadDropArea');
  if (fileListArea && uploadArea) {
    fileListArea.addEventListener('dragover', e => {
      e.preventDefault();
      fileListArea.classList.add('drop-hover');
    });
    fileListArea.addEventListener('dragleave', () => {
      fileListArea.classList.remove('drop-hover');
    });
    fileListArea.addEventListener('drop', e => {
      e.preventDefault();
      fileListArea.classList.remove('drop-hover');
      uploadArea.dispatchEvent(new DragEvent('drop', {
        dataTransfer: e.dataTransfer,
        bubbles: true,
        cancelable: true
      }));
    });
  }
  // App subsystems
  initDragAndDrop();
  loadSidebarOrder();
  loadHeaderOrder();
  initFileActions();
  initUpload();
  loadFolderTree();
  // Only run trash/restore for admins
  const isAdmin =
    localStorage.getItem('isAdmin') === '1' || localStorage.getItem('isAdmin') === 'true';
  if (isAdmin) {
    setupTrashRestoreDelete();
  }
  // Small help tooltip toggle
  const helpBtn = document.getElementById("folderHelpBtn");
  const helpTooltip = document.getElementById("folderHelpTooltip");
  if (helpBtn && helpTooltip) {
    helpBtn.addEventListener("click", () => {
      helpTooltip.style.display =
        helpTooltip.style.display === "block" ? "none" : "block";
    });
  }
 }
 /* =========================
   LOGOUT (shared)
   ========================= */
 export function triggerLogout() {
  _nativeFetch("/api/auth/logout.php", {
    method: "POST",
    credentials: "include",
    headers: { "X-CSRF-Token": getCsrfToken() }
  })
    .then(() => window.location.reload(true))
    .catch(() => { /* no-op */ });
 }
 /* =========================
   Global UX guard (unchanged)
   ========================= */
 window.addEventListener("unhandledrejection", (ev) => {
  const msg = (ev?.reason && ev.reason.message) || "";
  if (msg === "auth") {
    showToast(t("please_sign_in_again") || "Please sign in again.", "error");
    ev.preventDefault();
  } else if (msg === "forbidden") {
    showToast(t("no_access_to_resource") || "You don’t have access to that.", "error");
    ev.preventDefault();
  }
 });
--- a/public/js/auth.js
+++ b/public/js/auth.js
@@ -1,15 +1,15 @@
-import { sendRequest } from './networkUtils.js';
+import { sendRequest } from './networkUtils.js?v={{APP_QVER}}';
-import { t, applyTranslations } from './i18n.js';
+import { t, applyTranslations } from './i18n.js?v={{APP_QVER}}';
 import {
  toggleVisibility,
  showToast as originalShowToast,
  attachEnterKeyListener,
  showCustomConfirmModal
-} from './domUtils.js';
+} from './domUtils.js?v={{APP_QVER}}';
-import { loadFileList } from './fileListView.js';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
-import { initFileActions } from './fileActions.js';
+import { initFileActions } from './fileActions.js?v={{APP_QVER}}';
-import { renderFileTable } from './fileListView.js';
+import { renderFileTable } from './fileListView.js?v={{APP_QVER}}';
-import { loadFolderTree } from './folderManager.js';
+import { loadFolderTree } from './folderManager.js?v={{APP_QVER}}';
 import {
  openTOTPLoginModal as originalOpenTOTPLoginModal,
  openUserPanel,
@@ -17,9 +17,9 @@ import {
  closeTOTPModal,
  setLastLoginData,
  openApiModal
-} from './authModals.js';
+} from './authModals.js?v={{APP_QVER}}';
-import { openAdminPanel } from './adminPanel.js';
+import { openAdminPanel } from './adminPanel.js?v={{APP_QVER}}';
-import { initializeApp, triggerLogout } from './main.js';
+import { initializeApp, triggerLogout } from './appCore.js?v={{APP_QVER}}';
 // Production OIDC configuration (override via API as needed)
 const currentOIDCConfig = {
@@ -180,7 +180,7 @@ function updateLoginOptionsUIFromStorage() {
 }
 export function loadAdminConfigFunc() {
-  return fetch("/api/admin/getConfig.php", { credentials: "include" })
+  return fetch("/api/siteConfig.php", { credentials: "include" })
    .then(async (response) => {
      // If a proxy or some edge returns 204/empty, handle gracefully
      let config = {};
--- a/public/js/authModals.js
+++ b/public/js/authModals.js
@@ -1,7 +1,7 @@
-import { showToast, toggleVisibility, attachEnterKeyListener } from './domUtils.js';
+import { showToast, toggleVisibility, attachEnterKeyListener } from './domUtils.js?v={{APP_QVER}}';
-import { sendRequest } from './networkUtils.js';
+import { sendRequest } from './networkUtils.js?v={{APP_QVER}}';
-import { t, applyTranslations, setLocale } from './i18n.js';
+import { t, applyTranslations, setLocale } from './i18n.js?v={{APP_QVER}}';
-import { loadAdminConfigFunc, updateAuthenticatedUI } from './auth.js';
+import { loadAdminConfigFunc, updateAuthenticatedUI } from './auth.js?v={{APP_QVER}}';
 let lastLoginData = null;
 export function setLastLoginData(data) {
--- a/public/js/domUtils.js
+++ b/public/js/domUtils.js
@@ -1,6 +1,6 @@
 // domUtils.js
-import { t } from './i18n.js';
+import { t } from './i18n.js?v={{APP_QVER}}';
-import { openDownloadModal } from './fileActions.js';
+import { openDownloadModal } from './fileActions.js?v={{APP_QVER}}';
 // Basic DOM Helpers
 export function toggleVisibility(elementId, shouldShow) {
--- a/public/js/dragAndDrop.js
+++ b/public/js/dragAndDrop.js
@@ -489,6 +489,7 @@ function mountHeaderToggle(btn) {
  });
 }
 function ensureZonesToggle() {
  let btn = document.getElementById('sidebarToggleFloating');
  const host = getHeaderHost();
@@ -502,24 +503,25 @@ function ensureZonesToggle() {
  if (!btn) {
    btn = document.createElement('button');
    btn.id = 'sidebarToggleFloating';
-    btn.type = 'button'; // not a submit
+    btn.type = 'button';
 btn.addEventListener('click', (e) => {
  e.preventDefault();
  e.stopPropagation();           // don't bubble into the <a href="index.html">
  setSidebarCollapsed(!isSidebarCollapsed());
  updateSidebarToggleUI();       // refresh icon/title
 });
 ['mousedown','mouseup','pointerdown','pointerup'].forEach(evt =>
  btn.addEventListener(evt, (e) => e.stopPropagation())
 );
    btn.setAttribute('aria-label', 'Toggle panels');
    // Prevent accidental navigations / bubbling
    btn.addEventListener('click', (e) => {
      e.preventDefault();
      e.stopPropagation();
      setSidebarCollapsed(!isSidebarCollapsed());
      updateSidebarToggleUI();
    });
    ['mousedown','mouseup','pointerdown','pointerup'].forEach(evt =>
      btn.addEventListener(evt, (e) => e.stopPropagation())
    );
    Object.assign(btn.style, {
-      position: 'absolute',   // <-- key change (was fixed)
+      position: 'absolute',
-      top: '8px',             // adjust to line up with header content
+      top: '8px',
-      left: '65px',          // place to the right of your logo; tweak as needed
+      left: '65px',
      zIndex: '1000',
      width: '38px',
      height: '38px',
@@ -534,8 +536,9 @@ btn.addEventListener('click', (e) => {
      padding: '0',
      lineHeight: '0'
    });
    btn.classList.add('zones-toggle');
-    // dark-mode polish (optional)
+    // Dark mode polish
    if (document.body.classList.contains('dark-mode')) {
      btn.style.background = '#2c2c2c';
      btn.style.border = '1px solid #555';
@@ -547,13 +550,14 @@ btn.addEventListener('click', (e) => {
      setZonesCollapsed(!isZonesCollapsed());
    });
-    // Insert right after the logo if present, else just append to host
+    // Insert right after the logo if present, else append to host
    const afterLogo = host.querySelector('.header-logo');
    if (afterLogo && afterLogo.parentNode) {
      afterLogo.parentNode.insertBefore(btn, afterLogo.nextSibling);
    } else {
      host.appendChild(btn);
    }
    themeToggleButton(btn);
  }
--- a/public/js/fileActions.js
+++ b/public/js/fileActions.js
@@ -1,8 +1,8 @@
 // fileActions.js
-import { showToast, attachEnterKeyListener } from './domUtils.js';
+import { showToast, attachEnterKeyListener } from './domUtils.js?v={{APP_QVER}}';
-import { loadFileList } from './fileListView.js';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
-import { formatFolderName } from './fileListView.js';
+import { formatFolderName } from './fileListView.js?v={{APP_QVER}}';
-import { t } from './i18n.js';
+import { t } from './i18n.js?v={{APP_QVER}}';
 export function handleDeleteSelected(e) {
  e.preventDefault();
--- a/public/js/fileDragDrop.js
+++ b/public/js/fileDragDrop.js
@@ -1,6 +1,6 @@
 // fileDragDrop.js
-import { showToast } from './domUtils.js';
+import { showToast } from './domUtils.js?v={{APP_QVER}}';
-import { loadFileList } from './fileListView.js';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
 export function fileDragStartHandler(event) {
  const row = event.currentTarget;
--- a/public/js/fileEditor.js
+++ b/public/js/fileEditor.js
@@ -1,7 +1,7 @@
 // fileEditor.js
-import { escapeHTML, showToast } from './domUtils.js';
+import { escapeHTML, showToast } from './domUtils.js?v={{APP_QVER}}';
-import { loadFileList } from './fileListView.js';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
-import { t } from './i18n.js';
+import { t } from './i18n.js?v={{APP_QVER}}';
 // thresholds for editor behavior
 const EDITOR_PLAIN_THRESHOLD = 5 * 1024 * 1024;  // >5 MiB => force plain text, lighter settings
@@ -14,30 +14,30 @@ const CM_LOCAL = "/vendor/codemirror/5.65.5/";
 // Which mode file to load for a given name/mime
 const MODE_URL = {
  // core/common
-  "xml":        "mode/xml/xml.min.js",
+  "xml":        "mode/xml/xml.min.js?v={{APP_QVER}}",
-  "css":        "mode/css/css.min.js",
+  "css":        "mode/css/css.min.js?v={{APP_QVER}}",
-  "javascript": "mode/javascript/javascript.min.js",
+  "javascript": "mode/javascript/javascript.min.js?v={{APP_QVER}}",
  // meta / combos
-  "htmlmixed":  "mode/htmlmixed/htmlmixed.min.js",
+  "htmlmixed":  "mode/htmlmixed/htmlmixed.min.js?v={{APP_QVER}}",
-  "application/x-httpd-php": "mode/php/php.min.js",
+  "application/x-httpd-php": "mode/php/php.min.js?v={{APP_QVER}}",
  // docs / data
-  "markdown":   "mode/markdown/markdown.min.js",
+  "markdown":   "mode/markdown/markdown.min.js?v={{APP_QVER}}",
-  "yaml":       "mode/yaml/yaml.min.js",
+  "yaml":       "mode/yaml/yaml.min.js?v={{APP_QVER}}",
-  "properties": "mode/properties/properties.min.js",
+  "properties": "mode/properties/properties.min.js?v={{APP_QVER}}",
-  "sql":        "mode/sql/sql.min.js",
+  "sql":        "mode/sql/sql.min.js?v={{APP_QVER}}",
  // shells
-  "shell":      "mode/shell/shell.min.js",
+  "shell":      "mode/shell/shell.min.js?v={{APP_QVER}}",
  // languages
-  "python":     "mode/python/python.min.js",
+  "python":     "mode/python/python.min.js?v={{APP_QVER}}",
-  "text/x-csrc":    "mode/clike/clike.min.js",
+  "text/x-csrc":    "mode/clike/clike.min.js?v={{APP_QVER}}",
-  "text/x-c++src":  "mode/clike/clike.min.js",
+  "text/x-c++src":  "mode/clike/clike.min.js?v={{APP_QVER}}",
-  "text/x-java":    "mode/clike/clike.min.js",
+  "text/x-java":    "mode/clike/clike.min.js?v={{APP_QVER}}",
-  "text/x-csharp":  "mode/clike/clike.min.js",
+  "text/x-csharp":  "mode/clike/clike.min.js?v={{APP_QVER}}",
-  "text/x-kotlin":  "mode/clike/clike.min.js"
+  "text/x-kotlin":  "mode/clike/clike.min.js?v={{APP_QVER}}"
 };
 // Map any mime/alias to the key we use in MODE_URL
@@ -54,7 +54,7 @@ const MODE_LOAD_TIMEOUT_MS = 2500; // allow closing immediately; don't wait fore
 function loadScriptOnce(url) {
  return new Promise((resolve, reject) => {
    const ver = (window.APP_VERSION ?? 'dev').replace(/^v/, ''); // "v1.6.9" -> "1.6.9"
-    const withQS = url + '?v=' + ver;
+    const withQS = url; //+ '?v=' + ver;
    const key = `cm:${withQS}`;
    let s = document.querySelector(`script[data-key="${key}"]`);
--- a/public/js/fileListView.js
+++ b/public/js/fileListView.js
@@ -11,11 +11,11 @@ import {
    updateRowHighlight,
    toggleRowSelection,
    attachEnterKeyListener
-  } from './domUtils.js';
+  } from './domUtils.js?v={{APP_QVER}}';
-  import { t } from './i18n.js';
+  import { t } from './i18n.js?v={{APP_QVER}}';
-  import { bindFileListContextMenu } from './fileMenu.js';
+  import { bindFileListContextMenu } from './fileMenu.js?v={{APP_QVER}}';
-  import { openDownloadModal } from './fileActions.js';
+  import { openDownloadModal } from './fileActions.js?v={{APP_QVER}}';
-  import { openTagModal, openMultiTagModal } from './fileTags.js';
+  import { openTagModal, openMultiTagModal } from './fileTags.js?v={{APP_QVER}}';
  import {
    getParentFolder,
    updateBreadcrumbTitle,
@@ -24,13 +24,13 @@ import {
    hideFolderManagerContextMenu,
    openRenameFolderModal,
    openDeleteFolderModal
-  } from './folderManager.js';
+  } from './folderManager.js?v={{APP_QVER}}';
-  import { openFolderShareModal } from './folderShareModal.js';
+  import { openFolderShareModal } from './folderShareModal.js?v={{APP_QVER}}';
  import {
    folderDragOverHandler,
    folderDragLeaveHandler,
    folderDropHandler
-  } from './fileDragDrop.js';
+  } from './fileDragDrop.js?v={{APP_QVER}}';
  export let fileData = [];
  export let sortOrder = { column: "uploaded", ascending: true };
@@ -750,7 +750,7 @@ function wireSelectAll(fileListContent) {
    fileListContent.querySelectorAll(".edit-btn").forEach(btn => {
      btn.addEventListener("click", async e => {
        e.stopPropagation();
-        const m = await import('./fileEditor.js');
+        const m = await import('./fileEditor.js?v={{APP_QVER}}');
        m.editFile(btn.dataset.editName, btn.dataset.editFolder);
      });
    });
@@ -759,7 +759,7 @@ function wireSelectAll(fileListContent) {
    fileListContent.querySelectorAll(".rename-btn").forEach(btn => {
      btn.addEventListener("click", async e => {
        e.stopPropagation();
-        const m = await import('./fileActions.js');
+        const m = await import('./fileActions.js?v={{APP_QVER}}');
        m.renameFile(btn.dataset.renameName, btn.dataset.renameFolder);
      });
    });
@@ -768,7 +768,7 @@ function wireSelectAll(fileListContent) {
    fileListContent.querySelectorAll(".preview-btn").forEach(btn => {
      btn.addEventListener("click", async e => {
        e.stopPropagation();
-        const m = await import('./filePreview.js');
+        const m = await import('./filePreview.js?v={{APP_QVER}}');
        m.previewFile(btn.dataset.previewUrl, btn.dataset.previewName);
      });
    });
@@ -822,7 +822,7 @@ function wireSelectAll(fileListContent) {
        const fileName = this.getAttribute("data-file");
        const file = fileData.find(f => f.name === fileName);
        if (file) {
-          import('./filePreview.js').then(module => {
+          import('./filePreview.js?v={{APP_QVER}}').then(module => {
            module.openShareModal(file, folder);
          });
        }
@@ -831,7 +831,7 @@ function wireSelectAll(fileListContent) {
    updateFileActionButtons();
    document.querySelectorAll("#fileList tbody tr").forEach(row => {
      row.setAttribute("draggable", "true");
-      import('./fileDragDrop.js').then(module => {
+      import('./fileDragDrop.js?v={{APP_QVER}}').then(module => {
        row.addEventListener("dragstart", module.fileDragStartHandler);
      });
    });
@@ -1085,7 +1085,7 @@ function wireSelectAll(fileListContent) {
    // preview clicks (dynamic import to avoid global dependency)
    fileListContent.querySelectorAll(".gallery-preview").forEach(el => {
      el.addEventListener("click", async () => {
-        const m = await import('./filePreview.js');
+        const m = await import('./filePreview.js?v={{APP_QVER}}');
        m.previewFile(el.dataset.previewUrl, el.dataset.previewName);
      });
    });
@@ -1102,7 +1102,7 @@ function wireSelectAll(fileListContent) {
    fileListContent.querySelectorAll(".edit-btn").forEach(btn => {
      btn.addEventListener("click", async e => {
        e.stopPropagation();
-        const m = await import('./fileEditor.js');
+        const m = await import('./fileEditor.js?v={{APP_QVER}}');
        m.editFile(btn.dataset.editName, btn.dataset.editFolder);
      });
    });
@@ -1111,7 +1111,7 @@ function wireSelectAll(fileListContent) {
    fileListContent.querySelectorAll(".rename-btn").forEach(btn => {
      btn.addEventListener("click", async e => {
        e.stopPropagation();
-        const m = await import('./fileActions.js');
+        const m = await import('./fileActions.js?v={{APP_QVER}}');
        m.renameFile(btn.dataset.renameName, btn.dataset.renameFolder);
      });
    });
@@ -1123,7 +1123,7 @@ function wireSelectAll(fileListContent) {
        const fileName = btn.dataset.file;
        const fileObj = fileData.find(f => f.name === fileName);
        if (fileObj) {
-          import('./filePreview.js').then(m => m.openShareModal(fileObj, folder));
+          import('./filePreview.js?v={{APP_QVER}}').then(m => m.openShareModal(fileObj, folder));
        }
      });
    });
--- a/public/js/fileManager.js
+++ b/public/js/fileManager.js
@@ -1,10 +1,10 @@
 // fileManager.js
-import './fileListView.js';
+import './fileListView.js?v={{APP_QVER}}';
-import './filePreview.js';
+import './filePreview.js?v={{APP_QVER}}';
-import './fileEditor.js';
+import './fileEditor.js?v={{APP_QVER}}';
-import './fileDragDrop.js';
+import './fileDragDrop.js?v={{APP_QVER}}';
-import './fileMenu.js';
+import './fileMenu.js?v={{APP_QVER}}';
-import { initFileActions } from './fileActions.js';
+import { initFileActions } from './fileActions.js?v={{APP_QVER}}';
 // Initialize file action buttons.
 document.addEventListener("DOMContentLoaded", function () {
@@ -14,7 +14,7 @@ document.addEventListener("DOMContentLoaded", function () {
 // Attach folder drag-and-drop support for folder tree nodes.
 document.addEventListener("DOMContentLoaded", function () {
  document.querySelectorAll(".folder-option").forEach(el => {
-    import('./fileDragDrop.js').then(module => {
+    import('./fileDragDrop.js?v={{APP_QVER}}').then(module => {
      el.addEventListener("dragover", module.folderDragOverHandler);
      el.addEventListener("dragleave", module.folderDragLeaveHandler);
      el.addEventListener("drop", module.folderDropHandler);
@@ -32,7 +32,7 @@ document.addEventListener("keydown", function(e) {
    const selectedCheckboxes = document.querySelectorAll("#fileList .file-checkbox:checked");
    if (selectedCheckboxes.length > 0) {
      e.preventDefault();
-      import('./fileActions.js').then(module => {
+      import('./fileActions.js?v={{APP_QVER}}').then(module => {
        module.handleDeleteSelected(new Event("click"));
      });
    }
--- a/public/js/fileMenu.js
+++ b/public/js/fileMenu.js
@@ -1,11 +1,11 @@
 // fileMenu.js
-import { updateRowHighlight, showToast } from './domUtils.js';
+import { updateRowHighlight, showToast } from './domUtils.js?v={{APP_QVER}}';
-import { handleDeleteSelected, handleCopySelected, handleMoveSelected, handleDownloadZipSelected, handleExtractZipSelected, renameFile, openCreateFileModal } from './fileActions.js';
+import { handleDeleteSelected, handleCopySelected, handleMoveSelected, handleDownloadZipSelected, handleExtractZipSelected, renameFile, openCreateFileModal } from './fileActions.js?v={{APP_QVER}}';
-import { previewFile } from './filePreview.js';
+import { previewFile } from './filePreview.js?v={{APP_QVER}}';
-import { editFile } from './fileEditor.js';
+import { editFile } from './fileEditor.js?v={{APP_QVER}}';
-import { canEditFile, fileData } from './fileListView.js';
+import { canEditFile, fileData } from './fileListView.js?v={{APP_QVER}}';
-import { openTagModal, openMultiTagModal } from './fileTags.js';
+import { openTagModal, openMultiTagModal } from './fileTags.js?v={{APP_QVER}}';
-import { t } from './i18n.js';
+import { t } from './i18n.js?v={{APP_QVER}}';
 export function showFileContextMenu(x, y, menuItems) {
  let menu = document.getElementById("fileContextMenu");
--- a/public/js/filePreview.js
+++ b/public/js/filePreview.js
@@ -1,7 +1,7 @@
 // filePreview.js
-import { escapeHTML, showToast } from './domUtils.js';
+import { escapeHTML, showToast } from './domUtils.js?v={{APP_QVER}}';
-import { fileData } from './fileListView.js';
+import { fileData } from './fileListView.js?v={{APP_QVER}}';
-import { t } from './i18n.js';
+import { t } from './i18n.js?v={{APP_QVER}}';
 export function openShareModal(file, folder) {
  // Remove any existing modal
--- a/public/js/fileTags.js
+++ b/public/js/fileTags.js
@@ -3,9 +3,9 @@
 // adding tags to files (with a global tag store for reuse),
 // updating the file row display with tag badges,
 // filtering the file list by tag, and persisting tag data.
-import { escapeHTML } from './domUtils.js';
+import { escapeHTML } from './domUtils.js?v={{APP_QVER}}';
-import { t } from './i18n.js';
+import { t } from './i18n.js?v={{APP_QVER}}';
-import { renderFileTable, renderGalleryView } from './fileListView.js';
+import { renderFileTable, renderGalleryView } from './fileListView.js?v={{APP_QVER}}';
 export function openTagModal(file) {
  // Create the modal element.
--- a/public/js/folderManager.js
+++ b/public/js/folderManager.js
@@ -1,11 +1,11 @@
 // folderManager.js
-import { loadFileList } from './fileListView.js';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
-import { showToast, escapeHTML, attachEnterKeyListener } from './domUtils.js';
+import { showToast, escapeHTML, attachEnterKeyListener } from './domUtils.js?v={{APP_QVER}}';
-import { t } from './i18n.js';
+import { t } from './i18n.js?v={{APP_QVER}}';
-import { openFolderShareModal } from './folderShareModal.js';
+import { openFolderShareModal } from './folderShareModal.js?v={{APP_QVER}}';
-import { fetchWithCsrf } from './auth.js';
+import { fetchWithCsrf } from './auth.js?v={{APP_QVER}}';
-import { loadCsrfToken } from './main.js';
+import { loadCsrfToken } from './appCore.js?v={{APP_QVER}}';
 /* ----------------------
   Helpers: safe JSON + state
--- a/public/js/folderShareModal.js
+++ b/public/js/folderShareModal.js
@@ -1,6 +1,6 @@
 // js/folderShareModal.js
-import { escapeHTML, showToast } from './domUtils.js';
+import { escapeHTML, showToast } from './domUtils.js?v={{APP_QVER}}';
-import { t } from './i18n.js';
+import { t } from './i18n.js?v={{APP_QVER}}';
 export function openFolderShareModal(folder) {
  // Remove any existing modal
--- a/public/js/main.js
+++ b/public/js/main.js
@@ -1,55 +1,65 @@
-import { sendRequest } from './networkUtils.js';
+// /js/main.js
-import { toggleVisibility, toggleAllCheckboxes, updateFileActionButtons, showToast } from './domUtils.js';
+import { sendRequest } from './networkUtils.js?v={{APP_QVER}}';
-import { initUpload } from './upload.js';
+import { toggleVisibility, toggleAllCheckboxes, updateFileActionButtons, showToast } from './domUtils.js?v={{APP_QVER}}';
-import { initAuth, fetchWithCsrf, checkAuthentication, loadAdminConfigFunc } from './auth.js';
+import { initUpload } from './upload.js?v={{APP_QVER}}';
-import { loadFolderTree } from './folderManager.js';
+import { initAuth, fetchWithCsrf, checkAuthentication, loadAdminConfigFunc } from './auth.js?v={{APP_QVER}}';
-import { setupTrashRestoreDelete } from './trashRestoreDelete.js';
+import { loadFolderTree } from './folderManager.js?v={{APP_QVER}}';
-import { initDragAndDrop, loadSidebarOrder, loadHeaderOrder } from './dragAndDrop.js';
+import { setupTrashRestoreDelete } from './trashRestoreDelete.js?v={{APP_QVER}}';
-import { initTagSearch, openTagModal, filterFilesByTag } from './fileTags.js';
+import { initDragAndDrop, loadSidebarOrder, loadHeaderOrder } from './dragAndDrop.js?v={{APP_QVER}}';
-import { displayFilePreview } from './filePreview.js';
+import { initTagSearch, openTagModal, filterFilesByTag } from './fileTags.js?v={{APP_QVER}}';
-import { loadFileList } from './fileListView.js';
+import { displayFilePreview } from './filePreview.js?v={{APP_QVER}}';
-import { initFileActions, renameFile, openDownloadModal, confirmSingleDownload } from './fileActions.js';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
-import { editFile, saveFile } from './fileEditor.js';
+import { initFileActions, renameFile, openDownloadModal, confirmSingleDownload } from './fileActions.js?v={{APP_QVER}}';
-import { t, applyTranslations, setLocale } from './i18n.js';
+import { editFile, saveFile } from './fileEditor.js?v={{APP_QVER}}';
 import { t, applyTranslations, setLocale } from './i18n.js?v={{APP_QVER}}';
 // NEW: import shared helpers from appCore (moved out of main.js)
 import {
  initializeApp,
  loadCsrfToken,
  triggerLogout,
  setCsrfToken,
  getCsrfToken
 } from './appCore.js?v={{APP_QVER}}';
 /* =========================
   CSRF HOTFIX UTILITIES
   ========================= */
-const _nativeFetch = window.fetch; // keep the real fetch
+// Keep a handle to the native fetch so wrappers never recurse
-
+const _nativeFetch = window.fetch.bind(window);
 function setCsrfToken(token) {
  if (!token) return;
  window.csrfToken = token;
  localStorage.setItem('csrf', token);
  // meta tag for easy access in other places
  let meta = document.querySelector('meta[name="csrf-token"]');
  if (!meta) {
    meta = document.createElement('meta');
    meta.name = 'csrf-token';
    document.head.appendChild(meta);
  }
  meta.content = token;
 }
 function getCsrfToken() {
  return window.csrfToken || localStorage.getItem('csrf') || '';
 }
 // Seed CSRF from storage ASAP (before any requests)
 setCsrfToken(getCsrfToken());
-// Wrap the existing fetchWithCsrf so we also capture rotated tokens from headers.
+// Wrap fetch so *all* callers get CSRF header + token rotation, without recursion
 async function fetchWithCsrfAndRefresh(input, init = {}) {
-  const res = await fetchWithCsrf(input, init);
+  const headers = new Headers(init?.headers || {});
  const token = getCsrfToken();
  if (token && !headers.has('X-CSRF-Token')) {
    headers.set('X-CSRF-Token', token);
  }
  const res = await _nativeFetch(input, {
    credentials: 'include',
    ...init,
    headers,
  });
  try {
    const rotated = res.headers?.get('X-CSRF-Token');
    if (rotated) setCsrfToken(rotated);
  } catch { /* ignore */ }
  return res;
 }
-// Replace global fetch with the wrapped version so *all* callers benefit.
+// Avoid double-wrapping if this module re-evaluates for any reason
-window.fetch = fetchWithCsrfAndRefresh;
+if (!window.fetch || !window.fetch._frWrapped) {
  const wrapped = fetchWithCsrfAndRefresh;
  Object.defineProperty(wrapped, '_frWrapped', { value: true });
  window.fetch = wrapped;
 }
 /* =========================
   SAFE API HELPERS
@@ -84,6 +94,7 @@ export async function apiPOSTJSON(url, body, opts = {}) {
 // Optional: expose on window for legacy callers
 window.apiGETJSON = apiGETJSON;
 window.apiPOSTJSON = apiPOSTJSON;
 window.triggerLogout = triggerLogout; // expose the moved helper
 // Global handler to keep UX friendly if something forgets to catch
 window.addEventListener("unhandledrejection", (ev) => {
@@ -98,131 +109,16 @@ window.addEventListener("unhandledrejection", (ev) => {
 });
 /* =========================
-   APP INIT
+   BOOTSTRAP
   ========================= */
 export function initializeApp() {
  const saved = parseInt(localStorage.getItem('rowHeight') || '48', 10);
  document.documentElement.style.setProperty('--file-row-height', saved + 'px');
  //window.currentFolder = "root";
  const last = localStorage.getItem('lastOpenedFolder');
  window.currentFolder = last ? last : "root";
  const stored = localStorage.getItem('showFoldersInList');
  window.showFoldersInList = stored === null ? true : stored === 'true';
  loadAdminConfigFunc();
  initTagSearch();
  //loadFileList(window.currentFolder);
  const fileListArea = document.getElementById('fileListContainer');
  const uploadArea = document.getElementById('uploadDropArea');
  if (fileListArea && uploadArea) {
    fileListArea.addEventListener('dragover', e => {
      e.preventDefault();
      fileListArea.classList.add('drop-hover');
    });
    fileListArea.addEventListener('dragleave', () => {
      fileListArea.classList.remove('drop-hover');
    });
    fileListArea.addEventListener('drop', e => {
      e.preventDefault();
      fileListArea.classList.remove('drop-hover');
      uploadArea.dispatchEvent(new DragEvent('drop', {
        dataTransfer: e.dataTransfer,
        bubbles: true,
        cancelable: true
      }));
    });
  }
  initDragAndDrop();
  loadSidebarOrder();
  loadHeaderOrder();
  initFileActions();
  initUpload();
  loadFolderTree();
  // Only run trash/restore for admins
 const isAdmin =
   localStorage.getItem('isAdmin') === '1' ||  localStorage.getItem('isAdmin') === 'true';
 if (isAdmin) {
   setupTrashRestoreDelete();
 }
  const helpBtn = document.getElementById("folderHelpBtn");
  const helpTooltip = document.getElementById("folderHelpTooltip");
  if (helpBtn && helpTooltip) {
    helpBtn.addEventListener("click", () => {
      helpTooltip.style.display =
        helpTooltip.style.display === "block" ? "none" : "block";
    });
  }
 }
 /**
 * Bootstrap/refresh CSRF from the server.
 * Uses the *native* fetch to avoid any wrapper loops and to work even if we don't
 * yet have a token. Also accepts a rotated token from the response header.
 */
 export function loadCsrfToken() {
  return _nativeFetch('/api/auth/token.php', { method: 'GET', credentials: 'include' })
    .then(async res => {
      // header-based rotation
      const hdr = res.headers.get('X-CSRF-Token');
      if (hdr) setCsrfToken(hdr);
      // body (if provided)
      let body = {};
      try { body = await res.json(); } catch { /* token endpoint may return empty */ }
      const token = body.csrf_token || getCsrfToken();
      setCsrfToken(token);
      // share-url meta should reflect the actual origin
      const actualShare = window.location.origin;
      let shareMeta = document.querySelector('meta[name="share-url"]');
      if (!shareMeta) {
        shareMeta = document.createElement('meta');
        shareMeta.name = 'share-url';
        document.head.appendChild(shareMeta);
      }
      shareMeta.content = actualShare;
      return { csrf_token: token, share_url: actualShare };
    });
 }
 // 1) Immediately clear “?logout=1” flag
 const params = new URLSearchParams(window.location.search);
 if (params.get('logout') === '1') {
  localStorage.removeItem("username");
  localStorage.removeItem("userTOTPEnabled");
 }
 export function triggerLogout() {
  _nativeFetch("/api/auth/logout.php", {
    method: "POST",
    credentials: "include",
    headers: { "X-CSRF-Token": getCsrfToken() }
  })
    .then(() => window.location.reload(true))
    .catch(() => { });
 }
 // Expose functions for inline handlers.
 window.sendRequest = sendRequest;
 window.toggleVisibility = toggleVisibility;
 window.toggleAllCheckboxes = toggleAllCheckboxes;
 window.editFile = editFile;
 window.saveFile = saveFile;
 window.renameFile = renameFile;
 window.confirmSingleDownload = confirmSingleDownload;
 window.openDownloadModal = openDownloadModal;
 // Global variable for the current folder.
 window.currentFolder = "root";
 document.addEventListener("DOMContentLoaded", function () {
-  // Load admin config early
+  // Load site config early (safe subset)
  loadAdminConfigFunc();
  // i18n
@@ -304,3 +200,16 @@ document.addEventListener("DOMContentLoaded", function () {
    }
  });
 });
 // Expose functions for inline handlers 
 window.sendRequest = sendRequest;
 window.toggleVisibility = toggleVisibility;
 window.toggleAllCheckboxes = toggleAllCheckboxes;
 window.editFile = editFile;
 window.saveFile = saveFile;
 window.renameFile = renameFile;
 window.confirmSingleDownload = confirmSingleDownload;
 window.openDownloadModal = openDownloadModal;
 // Global variable for the current folder (initial default; initializeApp will update)
 window.currentFolder = "root";
--- a/public/js/trashRestoreDelete.js
+++ b/public/js/trashRestoreDelete.js
@@ -1,9 +1,9 @@
 // trashRestoreDelete.js
-import { sendRequest } from './networkUtils.js';
+import { sendRequest } from './networkUtils.js?v={{APP_QVER}}';
-import { toggleVisibility, showToast } from './domUtils.js';
+import { toggleVisibility, showToast } from './domUtils.js?v={{APP_QVER}}';
-import { loadFileList } from './fileListView.js';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
-import { loadFolderTree } from './folderManager.js';
+import { loadFolderTree } from './folderManager.js?v={{APP_QVER}}';
-import { t } from './i18n.js';
+import { t } from './i18n.js?v={{APP_QVER}}';
 function showConfirm(message, onConfirm) {
    const modal = document.getElementById("customConfirmModal");
--- a/public/js/upload.js
+++ b/public/js/upload.js
@@ -1,9 +1,9 @@
-import { initFileActions } from './fileActions.js';
+import { initFileActions } from './fileActions.js?v={{APP_QVER}}';
-import { displayFilePreview } from './filePreview.js';
+import { displayFilePreview } from './filePreview.js?v={{APP_QVER}}';
-import { showToast, escapeHTML } from './domUtils.js';
+import { showToast, escapeHTML } from './domUtils.js?v={{APP_QVER}}';
-import { loadFolderTree } from './folderManager.js';
+import { loadFolderTree } from './folderManager.js?v={{APP_QVER}}';
-import { loadFileList } from './fileListView.js';
+import { loadFileList } from './fileListView.js?v={{APP_QVER}}';
-import { t } from './i18n.js';
+import { t } from './i18n.js?v={{APP_QVER}}';
 /* -----------------------------------------------------
   Helpers for Drag–and–Drop Folder Uploads (Original Code)
--- a/public/js/version.js
+++ b/public/js/version.js
@@ -1,2 +1,2 @@
 // generated by CI
-window.APP_VERSION = 'v1.6.9';
+window.APP_VERSION = 'v1.7.2';
--- a/public/vendor/redoc/LICENSE
+++ b/public/vendor/redoc/LICENSE
@@ -0,0 +1,21 @@
 The MIT License (MIT)
 Copyright (c) 2015-present, Rebilly, Inc.
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
--- a/public/vendor/redoc/redoc.standalone.js
+++ b/public/vendor/redoc/redoc.standalone.js
--- a/scripts/stamp-assets.sh
+++ b/scripts/stamp-assets.sh
@@ -0,0 +1,54 @@
 #!/usr/bin/env bash
 # usage: scripts/stamp-assets.sh vX.Y.Z /path/to/target/dir
 set -euo pipefail
 VER="${1:?usage: stamp-assets.sh vX.Y.Z target_dir}"
 QVER="${VER#v}"
 TARGET="${2:-.}"
 echo "Stamping assets in: $TARGET"
 echo "VER=${VER}  QVER=${QVER}"
 cd "$TARGET"
 # Normalize CRLF to LF (if any files were edited on Windows)
 # We only touch web assets.
 find public \( -name '*.html' -o -name '*.php' -o -name '*.css' -o -name '*.js' \) -type f -print0 \
  | xargs -0 -r sed -i 's/\r$//'
 # --- HTML/CSS/PHP: stamp ?v=... and {{APP_VER}} ---
 # (?v=...) -> ?v=<QVER>
 HTML_CSS_COUNT=0
 while IFS= read -r -d '' f; do
  sed -E -i "s/(\?v=)[^\"'&<>\s]*/\1${QVER}/g" "$f"
  sed -E -i "s/\{\{APP_VER\}\}/${VER}/g" "$f"
  HTML_CSS_COUNT=$((HTML_CSS_COUNT+1))
 done < <(find public -type f \( -name '*.html' -o -name '*.php' -o -name '*.css' \) -print0)
 # --- JS: stamp placeholders and normalize any pre-existing ?v=... ---
 JS_COUNT=0
 while IFS= read -r -d '' f; do
  # Replace placeholders
  sed -E -i "s/\{\{APP_VER\}\}/${VER}/g" "$f"
  sed -E -i "s/\{\{APP_QVER\}\}/${QVER}/g" "$f"
  # Normalize any "?v=..." that appear in ESM imports or strings
  # This keeps any ".js" or ".mjs" then forces ?v=<QVER>
  perl -0777 -i -pe "s@(\.m?js)\?v=[^\"')]+@\1?v=${QVER}@g" "$f"
  JS_COUNT=$((JS_COUNT+1))
 done < <(find public -type f -name '*.js' -print0)
 # Force-write version.js (source of truth in stamped output)
 if [[ -f public/js/version.js ]]; then
  printf "window.APP_VERSION = '%s';\n" "$VER" > public/js/version.js
 fi
 echo "Touched files: HTML/CSS/PHP=${HTML_CSS_COUNT}, JS=${JS_COUNT}"
 # Final self-check: fail if anything is left
 if grep -R -n -E "{{APP_QVER}}|{{APP_VER}}" public \
   --include='*.html' --include='*.php' --include='*.css' --include='*.js' 2>/dev/null; then
  echo "ERROR: Placeholders remain after stamping." >&2
  exit 2
 fi
 echo "✅ Stamped to ${VER} (${QVER})"
--- a/src/controllers/AdminController.php
+++ b/src/controllers/AdminController.php
@@ -99,7 +99,7 @@ class AdminController
            'header_title'        => '',
            'loginOptions'        => [
                'disableFormLogin' => false,
-                'disableBasicAuth' => false,
+                'disableBasicAuth' => true,
                'disableOIDCLogin' => true,
                'authBypass'       => false,
                'authHeaderName'   => 'X-Remote-User'
--- a/src/controllers/UserController.php
+++ b/src/controllers/UserController.php
@@ -3,6 +3,7 @@
 require_once __DIR__ . '/../../config/config.php';
 require_once PROJECT_ROOT . '/src/models/UserModel.php';
 require_once PROJECT_ROOT . '/src/models/AdminModel.php';
 /**
 * UserController
@@ -665,4 +666,38 @@ class UserController
        echo json_encode(['success' => true, 'url' => $url]);
        exit;
    }
    public function siteConfig(): void
    {
        header('Content-Type: application/json');
        $usersDir     = rtrim(USERS_DIR, '/\\') . DIRECTORY_SEPARATOR;
        $publicPath   = $usersDir . 'siteConfig.json';
        $adminEncPath = $usersDir . 'adminConfig.json';
        $publicMtime = is_file($publicPath) ? (int)@filemtime($publicPath) : 0;
        $adminMtime  = is_file($adminEncPath) ? (int)@filemtime($adminEncPath) : 0;
        // If public cache is present and fresh enough, serve it
        if ($publicMtime > 0 && $publicMtime >= $adminMtime) {
            $raw = @file_get_contents($publicPath);
            $data = is_string($raw) ? json_decode($raw, true) : null;
            if (is_array($data)) {
                echo json_encode($data);
                return;
            }
        }
        // Otherwise regenerate from decrypted admin config
        $cfg = AdminModel::getConfig();
        if (isset($cfg['error'])) {
            http_response_code(500);
            echo json_encode(['error' => $cfg['error']]);
            return;
        }
        $public = AdminModel::buildPublicSubset($cfg);
        $w = AdminModel::writeSiteConfig($public); // best effort
        echo json_encode($public);
    }
 }
--- a/src/models/AdminModel.php
+++ b/src/models/AdminModel.php
@@ -62,6 +62,51 @@ class AdminModel
        return (int)$val;
    }
    public static function buildPublicSubset(array $config): array
    {
        return [
            'header_title'        => $config['header_title'] ?? 'FileRise',
            'loginOptions'        => [
                'disableFormLogin' => (bool)($config['loginOptions']['disableFormLogin'] ?? false),
                'disableBasicAuth' => (bool)($config['loginOptions']['disableBasicAuth'] ?? false),
                'disableOIDCLogin' => (bool)($config['loginOptions']['disableOIDCLogin'] ?? false),
                // do NOT include authBypass/authHeaderName here — admin-only
            ],
            'globalOtpauthUrl'    => $config['globalOtpauthUrl'] ?? '',
            'enableWebDAV'        => (bool)($config['enableWebDAV'] ?? false),
            'sharedMaxUploadSize' => (int)($config['sharedMaxUploadSize'] ?? 0),
            'oidc' => [
                'providerUrl' => (string)($config['oidc']['providerUrl'] ?? ''),
                'redirectUri' => (string)($config['oidc']['redirectUri'] ?? ''),
                // never include clientId / clientSecret
            ],
        ];
    }
    /** Write USERS_DIR/siteConfig.json atomically (unencrypted). */
    public static function writeSiteConfig(array $publicSubset): array
    {
        $dest = rtrim(USERS_DIR, '/\\') . DIRECTORY_SEPARATOR . 'siteConfig.json';
        $tmp  = $dest . '.tmp';
        $json = json_encode($publicSubset, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
        if ($json === false) {
            return ["error" => "Failed to encode siteConfig.json"];
        }
        if (file_put_contents($tmp, $json, LOCK_EX) === false) {
            return ["error" => "Failed to write temp siteConfig.json"];
        }
        if (!@rename($tmp, $dest)) {
            @unlink($tmp);
            return ["error" => "Failed to move siteConfig.json into place"];
        }
        @chmod($dest, 0664); // readable in bind mounts
        return ["success" => true];
    }
    /**
     * Updates the admin configuration file.
     *
@@ -157,6 +202,14 @@ class AdminModel
        // Best-effort normalize perms for host visibility (user rw, group rw)
        @chmod($configFile, 0664);
        $public = self::buildPublicSubset($configUpdate);
        $w = self::writeSiteConfig($public);
        // Don’t fail the whole update if public cache write had a minor issue.
        if (isset($w['error'])) {
            // Log but keep success for admin write
            error_log("AdminModel::writeSiteConfig warning: " . $w['error']);
        }
        return ["success" => "Configuration updated successfully."];
    }
@@ -262,7 +315,7 @@ class AdminModel
            ],
            'loginOptions'          => [
                'disableFormLogin' => false,
-                'disableBasicAuth' => false,
+                'disableBasicAuth' => true,
                'disableOIDCLogin' => true
            ],
            'globalOtpauthUrl'      => "",
Author	SHA1	Message	Date
github-actions[bot]	a18a8df7af	chore(release): set APP_VERSION to v1.7.2 [skip ci]	2025-10-29 20:54:31 +00:00
Ryan	8cf5a34ae9	release(v1.7.2): harden asset stamping & CI verification	2025-10-29 16:54:22 -04:00
github-actions[bot]	55d5656139	chore(release): set APP_VERSION to v1.7.1 [skip ci]	2025-10-29 20:19:45 +00:00
Ryan	04be05ad1e	release(v1.7.1): stamp-assets.sh invoke via bash	2025-10-29 16:19:35 -04:00
github-actions[bot]	0469d183de	chore(release): set APP_VERSION to v1.7.0 [skip ci]	2025-10-29 20:07:32 +00:00
Ryan	b1de8679e0	release(v1.7.0): asset cache-busting pipeline, public siteConfig cache, JS core split, and caching/security polish	2025-10-29 16:07:22 -04:00
github-actions[bot]	f4f7ec0dca	chore(release): set APP_VERSION and stamp assets to v1.6.11 [skip ci]	2025-10-28 07:22:04 +00:00
Ryan	5a7c4704d0	release(v1.6.11) fix(ui/dragAndDrop) restore floating zones toggle click action	2025-10-28 03:21:52 -04:00
Ryan	8b880738d6	chore(codeql): move config to repo root for default setup	2025-10-28 02:54:17 -04:00
Ryan	06c732971f	ci(release): fix lint + harden release workflow	2025-10-28 02:44:13 -04:00
github-actions[bot]	ab75381acb	chore(release): set APP_VERSION and stamp assets to v1.6.10 [skip ci]	2025-10-28 06:12:04 +00:00
Ryan	b1bd903072	release(v1.6.10): self-host ReDoc, gate sidebar toggle on auth, and enrich release workflow	2025-10-28 02:11:54 -04:00
Ryan	ab327acc8a	chore(icons): remove material-symbols-rounded	2025-10-27 06:01:07 -04:00
Ryan	2e98ceee4c	docs: move THIRD_PARTY.md to repo root	2025-10-27 05:55:05 -04:00
`@@ -1,2 +1,2 @@`
	`// generated by CI`	`// generated by CI`
	`window.APP_VERSION = 'v1.6.9';`	`window.APP_VERSION = 'v1.7.2';`