The login() function used 'request: LoginRequest' which shadowed
FastAPI's Starlette Request object. Request.client was accessed on
the LoginRequest Pydantic model instead of the HTTP request, causing
AttributeError: 'LoginRequest' object has no attribute 'client'.
Fix: rename the Pydantic parameter to 'body' and add explicit
'request: Request' for IP extraction and rate limiting.

Implement several security and feature improvements across the backend
and frontend:
- New IP-based rate limiter for authentication endpoints
- New audit logging system for sensitive operations
- New secret redactor to mask sensitive patterns in rendered content
- Configurable token TTL and IGNORED_DIRS via environment variables
- Add backlink index and API endpoint
- Add preview tab support with single/double-click behavior in tree
- Add file backup before write/delete operations