The login() function used 'request: LoginRequest' which shadowed
FastAPI's Starlette Request object. Request.client was accessed on
the LoginRequest Pydantic model instead of the HTTP request, causing
AttributeError: 'LoginRequest' object has no attribute 'client'.
Fix: rename the Pydantic parameter to 'body' and add explicit
'request: Request' for IP extraction and rate limiting.
- Add .dockerignore to exclude .git, __pycache__, docs, etc. from Docker context
- Create .env.example template with documented env vars
- Move OBSIGATE_ADMIN_PASSWORD from docker-compose.yml to env_file: .env
- Add .env.* to .gitignore (excluding .env.example)
- Enable GZipMiddleware for ~70% bandwidth reduction on text responses
- Add Cache-Control: immutable for /static/ assets
- Update ROADMAP: mark all 4 quick wins as done, add audit findings
- Add comprehensive technical audit report (AUDIT_TECHNIQUE_2026-05-27.md)
Remove the old HTML-based PDF download endpoint in favor of the new
WeasyPrint-based one, and replace the generic "Télécharger" button
in popout.html with a dedicated .md download and a new PDF button.
Also remove the unused generic download button from the main file view.
- Implement dark/light theme toggle with persistent preference via
localStorage
- Add a sticky toolbar with theme toggle, Markdown export, and PDF
export buttons
- Update bookmark button to reflect current state with visual feedback
- Introduce CSS custom properties for theming and responsive layout
improvements
- Add automatic Content-Type header injection for JSON string bodies
- Explicitly set Content-Type on bookmark toggle and share creation
calls
- Add escapeHtml helper function for safe string handling
- Add bookmark button to file header and context menu
- Implement toggle bookmark API call with toast notification
- Redesign share dialog to show existing shares with revocation
- Add expiration options when creating a new share
- Add CSS styles for share action buttons
Register a hook with the indexer so that file add/remove events
incrementally maintain the inverted index, removing the need for
periodic staleness checks and cooldowns. Rebuild the index once on
startup via init_inverted_index().
Implement several security and feature improvements across the backend
and frontend:
- New IP-based rate limiter for authentication endpoints
- New audit logging system for sensitive operations
- New secret redactor to mask sensitive patterns in rendered content
- Configurable token TTL and IGNORED_DIRS via environment variables
- Add backlink index and API endpoint
- Add preview tab support with single/double-click behavior in tree
- Add file backup before write/delete operations
Implement `incrementalLoadDirectory` to update tree items without full
DOM
rebuild. Modify `refreshSidebarTreePreservingState` to use incremental
updates for expanded vaults and directories, preserving existing DOM
state.
