From f4000cc675264d39ce43cf79125cfd135bd64557 Mon Sep 17 00:00:00 2001 From: Anders Holck Date: Tue, 26 May 2026 22:53:26 +0200 Subject: [PATCH] Add TODO.md with remaining tasks --- TODO.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 TODO.md diff --git a/TODO.md b/TODO.md new file mode 100644 index 0000000..bf5ee99 --- /dev/null +++ b/TODO.md @@ -0,0 +1,35 @@ +# TODO + +## Security +- [ ] Encrypt Gitea tokens at rest in SQLite (use app-level AES with MH_SECRET) +- [ ] Add `Secure` flag to auth cookie when behind HTTPS (detect via X-Forwarded-Proto) +- [ ] Password complexity requirements (min length, etc.) +- [ ] TOTP: don't persist secret until verified (currently saves on setup) +- [ ] Audit log (who did what, when) + +## Features +- [ ] Rename files/folders (currently only move) +- [ ] Image upload (drag-drop into editor, store in assets folder) +- [ ] Browser `beforeunload` warning with unsaved changes +- [ ] Mobile hamburger menu to toggle sidebar +- [ ] PWA icons (icon-192.png, icon-512.png) +- [ ] Session expiry / logout button in UI +- [ ] Max file size enforcement on upload +- [ ] Shared file read access (cross-user file serving) + +## Testing +- [ ] End-to-end: WYSIWYG mode (Milkdown) +- [ ] End-to-end: real-time collab (two browsers) +- [ ] End-to-end: git push/pull to Gitea +- [ ] End-to-end: 2FA setup flow +- [ ] End-to-end: sharing between two users +- [ ] End-to-end: build daemon + Pi +- [ ] End-to-end: offline edit → reconnect sync + +## Polish +- [ ] Error toasts instead of alert() +- [ ] Loading spinners on API calls +- [ ] Keyboard shortcut help overlay (Ctrl+?) +- [ ] File rename inline in tree (double-click) +- [ ] Drag files to trash +- [ ] Sort files (name, date, size)
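Review bot: In the Security section, the item "Encrypt Gitea tokens at rest in SQLite (use app-level AES with MH_SECRET)" names neither a cipher mode nor how the key is obtained from MH_SECRET. I would have the item call for an authenticated mode (for example AES-GCM with a fresh nonce per record) and a key derived from MH_SECRET through a KDF rather than the raw value, so the task is not later implemented with unauthenticated encryption. The `Secure` cookie item detects HTTPS via X-Forwarded-Proto, which a client can set itself unless the header is honored only when it comes from the trusted reverse proxy; that condition should be stated in the item. "Session expiry / logout button in UI" and "Max file size enforcement on upload" are listed under Features but are security controls, so consider moving them under Security, next to the TOTP and audit-log items.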