# TODO

## Security

- [x] Encrypt Gitea tokens at rest in SQLite (use app-level AES with MH_SECRET)
- [x] Add `Secure` flag to auth cookie when behind HTTPS (detect via X-Forwarded-Proto)
- [x] Password complexity requirements (min 8 chars)
- [x] TOTP: don't persist secret until verified (uses totp_pending column)
- [x] Audit log (who did what, when)

## Features

- [x] Rename files/folders (double-click in tree)
- [x] Image upload (drag-drop into editor, store in .assets folder)
- [x] Browser `beforeunload` warning with unsaved changes
- [x] Mobile hamburger menu to toggle sidebar
- [x] PWA icons (icon-192.png, icon-512.png)
- [x] Session expiry / logout button in UI
- [x] Max file size enforcement on upload (10MB)
- [x] Shared file read access (cross-user file serving)

## Testing

- [ ] End-to-end: WYSIWYG mode (Milkdown)
- [ ] End-to-end: real-time collab (two browsers)
- [ ] End-to-end: git push/pull to Gitea
- [ ] End-to-end: 2FA setup flow
- [ ] End-to-end: sharing between two users
- [ ] End-to-end: build daemon + Pi
- [ ] End-to-end: offline edit → reconnect sync

## Polish

- [x] Error toasts instead of alert()
- [x] Loading spinners on API calls
- [x] Keyboard shortcut help overlay (Ctrl+/)
- [x] File rename inline in tree (double-click)
- [x] Drag files to trash
- [x] Sort files (name, date)
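The first Security item says "app-level AES with MH_SECRET" but not which mode. The sketch below is an added example, not the project's own code, of the shape a practitioner would want for that item: AES-256-GCM (authenticated, so a tampered or swapped ciphertext is rejected rather than decrypted to garbage), a fresh random nonce per token, a key derived from MH_SECRET under a purpose label rather than using the secret bytes directly, and the owning user ID bound as additional authenticated data. The `enc1:` prefix, the derivation label, the column layout and the sample token are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"log"
	"os"
	"strings"
)

// Marks an encrypted column value so legacy plaintext rows can be told
// apart during migration. Constructed for this example.
const tokenPrefix = "enc1:"

// deriveTokenKey turns MH_SECRET (arbitrary length) into a fixed 32-byte
// AES-256 key. HMAC-SHA256 under a purpose label is used as a simple KDF
// (the label is an assumption); it keeps this key separate from any other
// use of the same secret, such as cookie signing.
func deriveTokenKey(mhSecret string) []byte {
	mac := hmac.New(sha256.New, []byte(mhSecret))
	mac.Write([]byte("mh:gitea-token-encryption:v1"))
	return mac.Sum(nil)
}

func newGCM(mhSecret string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveTokenKey(mhSecret))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptToken seals a Gitea token with AES-256-GCM. Stored form is
// "enc1:" + base64(nonce || ciphertext || tag). The owning user ID is
// passed as additional authenticated data, so a ciphertext copied into
// another user's row fails to open.
func EncryptToken(mhSecret, userID, token string) (string, error) {
	gcm, err := newGCM(mhSecret)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 random bytes per token
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(token), []byte(userID))
	return tokenPrefix + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptToken reverses EncryptToken. Wrong key, wrong user, a flipped
// bit or a legacy plaintext row all come back as an error, never as data.
func DecryptToken(mhSecret, userID, stored string) (string, error) {
	if !strings.HasPrefix(stored, tokenPrefix) {
		return "", errors.New("stored value is not an enc1 ciphertext")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, tokenPrefix))
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(mhSecret)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(userID))
	if err != nil {
		return "", errors.New("token ciphertext failed authentication")
	}
	return string(pt), nil
}

func main() {
	secret := os.Getenv("MH_SECRET")
	if secret == "" {
		log.Fatal("MH_SECRET must be set")
	}
	// Constructed sample value; real Gitea tokens are 40 hex characters.
	stored, err := EncryptToken(secret, "42", "0123456789abcdef0123456789abcdef01234567")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("column value:", stored)
	token, err := DecryptToken(secret, "42", stored)
	fmt.Println("decrypted:", token, err)
}
```

Rotating MH_SECRET invalidates every stored token under this scheme, so a migration that decrypts with the old secret and re-encrypts with the new one has to run before the old value is dropped.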
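The second Security item detects HTTPS via X-Forwarded-Proto. The check a practitioner would add is that the header is only believed when the TCP peer is the TLS-terminating proxy, since anyone who can reach the listener directly can send any header they like. The following is an added example, not the project's code; the trusted-proxy list, the cookie name and the port are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// trustedProxies lists the only peers whose X-Forwarded-Proto is believed.
// Constructed for this example: a TLS-terminating proxy on the same host.
var trustedProxies = map[string]bool{"127.0.0.1": true, "::1": true}

// requestIsHTTPS reports whether the client reached us over TLS, either
// directly (r.TLS set) or via a trusted proxy that says so. The header is
// ignored from any other peer, so a direct connection cannot forge it.
func requestIsHTTPS(r *http.Request) bool {
	if r.TLS != nil {
		return true
	}
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil || !trustedProxies[peer] {
		return false
	}
	// A chain of proxies may yield "https, http"; the first hop is the client's.
	proto := strings.TrimSpace(strings.Split(r.Header.Get("X-Forwarded-Proto"), ",")[0])
	return strings.EqualFold(proto, "https")
}

// AuthCookie builds the session cookie, setting Secure only when the
// request really arrived over HTTPS. HttpOnly and SameSite are set
// unconditionally since they cost nothing over plain HTTP.
func AuthCookie(r *http.Request, sessionID string) *http.Cookie {
	return &http.Cookie{
		Name:     "mh_session", // constructed name
		Value:    sessionID,
		Path:     "/",
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
		Secure:   requestIsHTTPS(r),
	}
}

func main() {
	http.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, AuthCookie(r, "demo-session-id"))
		fmt.Fprintln(w, "ok")
	})
	fmt.Println("listening on 127.0.0.1:8080 (behind a TLS-terminating proxy)")
	if err := http.ListenAndServe("127.0.0.1:8080", nil); err != nil {
		fmt.Println(err)
	}
}
```

If the proxy runs on another host, the trusted list has to name that host's address (or the app has to bind only to an interface the proxy alone can reach); a `Secure` cookie set on a plain-HTTP origin is silently dropped by the browser and looks like a login that never sticks.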