# TODO

## Security

- [ ] Encrypt Gitea tokens at rest in SQLite (use app-level AES with MH_SECRET)
- [ ] Add `Secure` flag to auth cookie when behind HTTPS (detect via X-Forwarded-Proto)
- [ ] Password complexity requirements (min length, etc.)
- [ ] TOTP: don't persist secret until verified (currently saves on setup)
- [ ] Audit log (who did what, when)

## Features

- [ ] Rename files/folders (currently only move)
- [ ] Image upload (drag-drop into editor, store in assets folder)
- [ ] Browser `beforeunload` warning with unsaved changes
- [ ] Mobile hamburger menu to toggle sidebar
- [ ] PWA icons (icon-192.png, icon-512.png)
- [ ] Session expiry / logout button in UI
- [ ] Max file size enforcement on upload
- [ ] Shared file read access (cross-user file serving)

## Testing

- [ ] End-to-end: WYSIWYG mode (Milkdown)
- [ ] End-to-end: real-time collab (two browsers)
- [ ] End-to-end: git push/pull to Gitea
- [ ] End-to-end: 2FA setup flow
- [ ] End-to-end: sharing between two users
- [ ] End-to-end: build daemon + Pi
- [ ] End-to-end: offline edit → reconnect sync

## Polish

- [ ] Error toasts instead of `alert()`
- [ ] Loading spinners on API calls
- [ ] Keyboard shortcut help overlay (Ctrl+?)
- [ ] File rename inline in tree (double-click)
- [ ] Drag files to trash
- [ ] Sort files (name, date, size)