From ca225135c1aee246288e5e64e142b5e21f02ba6a Mon Sep 17 00:00:00 2001
From: Sean <sean9@me.com>
Date: Tue, 9 Jun 2026 16:05:17 -0700
Subject: [PATCH 01/46] docker: add Docker support with two auth options

- Dockerfile: multi-stage build (downloads obsidian + obsidian-mobile
  renderer bundles in stage 1, installs server deps in stage 2)
- docker-compose.yml: base setup, vault persisted via volume
- docker-compose.auth-key.yml: API-key auth overlay (AUTH_KEY env var)
- docker-compose.auth-basic.yml: nginx HTTP Basic Auth overlay
- nginx.conf: nginx reverse proxy with WebSocket support for /api/watch
- .dockerignore: excludes vendor/, node_modules/, .git/, etc.
- src/server/middleware/auth.js: Express middleware for API-key auth
  (login page, cookie session, Bearer token support)
- src/server/index.js: load auth middleware when AUTH_KEY is set
---
 .dockerignore                 |  12 ++++
 Dockerfile                    |  33 +++++++++
 docker-compose.auth-basic.yml |  26 ++++++++
 docker-compose.auth-key.yml   |  15 +++++
 docker-compose.yml            |  23 +++++++
 nginx.conf                    |  29 ++++++++
 src/server/index.js           |   9 +++
 src/server/middleware/auth.js | 122 ++++++++++++++++++++++++++++++++++
 8 files changed, 269 insertions(+)
 create mode 100644 .dockerignore
 create mode 100644 Dockerfile
 create mode 100644 docker-compose.auth-basic.yml
 create mode 100644 docker-compose.auth-key.yml
 create mode 100644 docker-compose.yml
 create mode 100644 nginx.conf
 create mode 100644 src/server/middleware/auth.js

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..20c9eaf
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,12 @@
+vendor/
+node_modules/
+.git/
+.tmp/
+docs/
+.codenomad/
+.DS_Store
+.idea/
+.vscode/
+*.log
+npm-debug.log*
+nginx.htpasswd
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..8396138
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,33 @@
+# ── Stage 1: download Obsidian renderer files ─────────────────────────────────
+# Both scripts use only Node built-ins (https, zlib, crypto, fs) — no npm install needed.
+FROM node:20-alpine AS obsidian-dl
+WORKDIR /app
+COPY scripts/ scripts/
+RUN node scripts/update-obsidian.js \
+ && node scripts/update-obsidian-mobile.js
+
+# ── Stage 2: production image ──────────────────────────────────────────────────
+FROM node:20-alpine
+WORKDIR /app
+
+# App source and default vault
+COPY src/ src/
+COPY user-data/ user-data/
+
+# Pre-downloaded Obsidian renderer bundles (not in git, built in stage 1)
+COPY --from=obsidian-dl /app/vendor/ vendor/
+
+# Install server dependencies (production only, no devDeps)
+RUN cd src/server && npm ci --omit=dev
+
+EXPOSE 3000
+
+# HOST must be 0.0.0.0 inside a container — 127.0.0.1 would refuse outside connections
+ENV HOST=0.0.0.0
+ENV PORT=3000
+ENV VAULT_PATH=user-data/demo-vault
+# Optional auth (see docker-compose.auth-key.yml):
+# ENV AUTH_KEY=change-me
+
+# Run from repo root so PROJECT_ROOT resolves correctly via __dirname
+CMD ["node", "src/server/index.js"]
diff --git a/docker-compose.auth-basic.yml b/docker-compose.auth-basic.yml
new file mode 100644
index 0000000..6ee82b9
--- /dev/null
+++ b/docker-compose.auth-basic.yml
@@ -0,0 +1,26 @@
+# Auth Option 2 — HTTP Basic Auth via nginx
+# ─────────────────────────────────────────────────────────────────────────────
+# nginx sits in front of the app and enforces HTTP Basic Auth.
+# Handles WebSocket upgrade for /api/watch automatically.
+#
+# Setup (one time):
+#   htpasswd -c nginx.htpasswd <username>   # creates the password file
+#
+# Usage:
+#   docker compose -f docker-compose.yml -f docker-compose.auth-basic.yml up
+
+services:
+  obsidian-web:
+    # Remove direct host port — nginx is the only public entrypoint
+    ports: []
+
+  nginx:
+    image: nginx:alpine
+    ports:
+      - "${PORT:-3000}:80"
+    volumes:
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+      - ./nginx.htpasswd:/etc/nginx/htpasswd:ro
+    depends_on:
+      - obsidian-web
+    restart: unless-stopped
diff --git a/docker-compose.auth-key.yml b/docker-compose.auth-key.yml
new file mode 100644
index 0000000..53fcb56
--- /dev/null
+++ b/docker-compose.auth-key.yml
@@ -0,0 +1,15 @@
+# Auth Option 1 — API Key
+# ─────────────────────────────────────────────────────────────────────────────
+# The server checks AUTH_KEY on every request.
+# Unauthenticated browsers get a login page; API calls get a 401.
+#
+# Usage:
+#   AUTH_KEY=your-secret docker compose -f docker-compose.yml -f docker-compose.auth-key.yml up
+#
+# Or set AUTH_KEY in a .env file at the repo root and run:
+#   docker compose -f docker-compose.yml -f docker-compose.auth-key.yml up
+
+services:
+  obsidian-web:
+    environment:
+      AUTH_KEY: "${AUTH_KEY:?AUTH_KEY must be set (e.g. export AUTH_KEY=your-secret)}"
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..503647d
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,23 @@
+services:
+  obsidian-web:
+    build: .
+    ports:
+      - "${PORT:-3000}:3000"
+    volumes:
+      # Vault and registry persist on the host — safe across rebuilds
+      - ./user-data:/app/user-data
+    environment:
+      HOST: "0.0.0.0"
+      PORT: "3000"
+      VAULT_PATH: "user-data/demo-vault"
+      # VAULT_REGISTRY: "user-data/registry.json"
+      # WATCH_POLLING: "true"   # enable for NFS / SMB / FUSE-mounted vaults
+    restart: unless-stopped
+
+# ── Auth options ───────────────────────────────────────────────────────────────
+# Option 1 — API Key (built into the server, no extra container):
+#   docker compose -f docker-compose.yml -f docker-compose.auth-key.yml up
+#
+# Option 2 — HTTP Basic Auth via nginx (requires nginx.htpasswd):
+#   htpasswd -c nginx.htpasswd <username>
+#   docker compose -f docker-compose.yml -f docker-compose.auth-basic.yml up
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..8e0fbe1
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,29 @@
+server {
+    listen 80;
+    server_name _;
+
+    # HTTP Basic Auth — generate nginx.htpasswd with:
+    #   htpasswd -c nginx.htpasswd <username>
+    auth_basic "Obsidian Web";
+    auth_basic_user_file /etc/nginx/htpasswd;
+
+    # WebSocket endpoint — must set Upgrade + Connection headers
+    location /api/watch {
+        proxy_pass         http://obsidian-web:3000;
+        proxy_http_version 1.1;
+        proxy_set_header   Upgrade    $http_upgrade;
+        proxy_set_header   Connection "upgrade";
+        proxy_set_header   Host       $host;
+        proxy_read_timeout 3600s;
+    }
+
+    # Everything else
+    location / {
+        proxy_pass         http://obsidian-web:3000;
+        proxy_set_header   Host              $host;
+        proxy_set_header   X-Real-IP         $remote_addr;
+        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+        client_max_body_size 100M;
+    }
+}
diff --git a/src/server/index.js b/src/server/index.js
index 0c1c3f6..98f50a2 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -24,6 +24,7 @@ const { warmUpBootstrapCache } = require('./api/bootstrap');
 const createProxyRouter = require('./api/proxy');
 const attachWatchServer = require('./api/watch');
 const VaultRegistry = require('./vault-registry');
+const { createAuthMiddleware } = require('./middleware/auth');
 
 function createApp(appConfig = config) {
   const app = express();
@@ -34,6 +35,14 @@ function createApp(appConfig = config) {
   // on Accept-Encoding: browsers get brotli, curl/other tools get gzip.
   app.use(compression({ level: 6 }));
 
+  // Optional API-key auth — enabled by setting AUTH_KEY env var.
+  // See docker-compose.auth-key.yml for usage.
+  const authMiddleware = createAuthMiddleware();
+  if (authMiddleware) {
+    app.use(authMiddleware);
+    console.log('[auth] API-key authentication enabled');
+  }
+
   // Request logging - very chatty, but invaluable while we are still
   // figuring out what Obsidian asks for during boot.
   app.use((req, res, next) => {
diff --git a/src/server/middleware/auth.js b/src/server/middleware/auth.js
new file mode 100644
index 0000000..2b1795a
--- /dev/null
+++ b/src/server/middleware/auth.js
@@ -0,0 +1,122 @@
+'use strict';
+
+/**
+ * Optional API-key authentication middleware.
+ * Activated when AUTH_KEY env var is set.
+ *
+ * The key can be supplied via:
+ *   - Cookie:               obsidian-web-key=<AUTH_KEY>
+ *   - Query param + login:  /__auth?key=<AUTH_KEY>
+ *   - Authorization header: Bearer <AUTH_KEY>  (for API clients)
+ *
+ * Browser requests go to a login page; /api/* gets a 401 JSON response.
+ */
+
+const AUTH_KEY   = process.env.AUTH_KEY || '';
+const COOKIE     = 'obsidian-web-key';
+const MAX_AGE    = 7 * 24 * 60 * 60; // 7 days (seconds)
+
+function parseCookies(req) {
+  return Object.fromEntries(
+    (req.headers.cookie || '').split(';')
+      .map(c => c.trim().split('='))
+      .filter(p => p.length >= 2)
+      .map(([k, ...v]) => [k.trim(), v.join('=')])
+  );
+}
+
+function isAuthenticated(req) {
+  if (parseCookies(req)[COOKIE] === AUTH_KEY) return true;
+  if (req.query?.key === AUTH_KEY) return true;
+  const auth = req.headers.authorization || '';
+  if (auth.startsWith('Bearer ') && auth.slice(7) === AUTH_KEY) return true;
+  return false;
+}
+
+const LOGIN_HTML = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8"/>
+  <meta name="viewport" content="width=device-width,initial-scale=1"/>
+  <title>Obsidian Web — Sign in</title>
+  <style>
+    *{box-sizing:border-box;margin:0;padding:0}
+    body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;
+         background:#1e2127;color:#abb2bf;
+         display:flex;align-items:center;justify-content:center;min-height:100vh}
+    .card{background:#282c34;border-radius:8px;padding:2rem;
+          width:100%;max-width:340px;box-shadow:0 4px 24px rgba(0,0,0,.4)}
+    h1{color:#e06c75;font-size:1.2rem;margin-bottom:1.5rem;text-align:center}
+    label{display:block;font-size:.82rem;margin-bottom:.35rem;color:#7f848e}
+    input[type=password]{width:100%;padding:.6rem .75rem;border-radius:4px;
+          border:1px solid #3e4451;background:#1e2127;color:#abb2bf;
+          font-size:1rem;margin-bottom:1rem}
+    button{width:100%;padding:.65rem;border:none;border-radius:4px;
+           background:#e06c75;color:#fff;font-size:1rem;cursor:pointer}
+    button:hover{background:#be5046}
+    .err{color:#e06c75;font-size:.82rem;margin-bottom:.9rem;display:none}
+    .err.show{display:block}
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h1>🔒 Obsidian Web</h1>
+    <p class="err" id="err">Invalid key — try again.</p>
+    <form id="f">
+      <label for="k">Access key</label>
+      <input id="k" type="password" placeholder="Enter your access key" autofocus/>
+      <button type="submit">Sign in</button>
+    </form>
+  </div>
+  <script>
+    const p=new URLSearchParams(location.search);
+    if(p.get('error'))document.getElementById('err').classList.add('show');
+    document.getElementById('f').addEventListener('submit',e=>{
+      e.preventDefault();
+      const dest=p.get('next')||'/';
+      location.href='/__auth?key='+encodeURIComponent(document.getElementById('k').value)
+                   +'&next='+encodeURIComponent(dest);
+    });
+  </script>
+</body>
+</html>`;
+
+/**
+ * Returns an Express middleware if AUTH_KEY is set, otherwise null.
+ */
+function createAuthMiddleware() {
+  if (!AUTH_KEY) return null;
+
+  return function authMiddleware(req, res, next) {
+    // ── Auth callback: verify key, set cookie, redirect ──
+    if (req.path === '/__auth') {
+      const key  = req.query?.key  || '';
+      const dest = req.query?.next || '/';
+      if (key === AUTH_KEY) {
+        res.setHeader('Set-Cookie',
+          `${COOKIE}=${AUTH_KEY}; Path=/; Max-Age=${MAX_AGE}; HttpOnly; SameSite=Strict`);
+        return res.redirect(dest);
+      }
+      return res.redirect(`/__login?error=1&next=${encodeURIComponent(dest)}`);
+    }
+
+    // ── Login page: always accessible ──
+    if (req.path === '/__login') {
+      res.setHeader('Content-Type', 'text/html; charset=utf-8');
+      return res.end(LOGIN_HTML);
+    }
+
+    // ── Authenticated: pass through ──
+    if (isAuthenticated(req)) return next();
+
+    // ── Unauthenticated ──
+    const wantsJson = req.path.startsWith('/api/') ||
+                      (req.headers.accept || '').includes('application/json');
+    if (wantsJson) {
+      return res.status(401).json({ error: 'Unauthorized — provide a valid Bearer token or cookie' });
+    }
+    res.redirect(`/__login?next=${encodeURIComponent(req.originalUrl)}`);
+  };
+}
+
+module.exports = { createAuthMiddleware };

From ad8333a1de92ffdc82039b2f7fd1654e10766c43 Mon Sep 17 00:00:00 2001
From: Sean <sean9@me.com>
Date: Tue, 9 Jun 2026 16:33:47 -0700
Subject: [PATCH 02/46] docker: consolidate auth options into single
 docker-compose.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Both auth options are now in one file — easier for Dockhand and other
Docker Compose users to work with a single file:

- Option 1 (API Key): uncomment AUTH_KEY in the env section, or set it
  in Dockhand's stack environment editor
- Option 2 (Basic Auth): docker compose --profile auth-nginx up
  (requires nginx.htpasswd generated with htpasswd)

Removes docker-compose.auth-key.yml and docker-compose.auth-basic.yml.
---
 docker-compose.auth-basic.yml | 26 ------------------------
 docker-compose.auth-key.yml   | 15 --------------
 docker-compose.yml            | 37 +++++++++++++++++++++++++++--------
 3 files changed, 29 insertions(+), 49 deletions(-)
 delete mode 100644 docker-compose.auth-basic.yml
 delete mode 100644 docker-compose.auth-key.yml

diff --git a/docker-compose.auth-basic.yml b/docker-compose.auth-basic.yml
deleted file mode 100644
index 6ee82b9..0000000
--- a/docker-compose.auth-basic.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-# Auth Option 2 — HTTP Basic Auth via nginx
-# ─────────────────────────────────────────────────────────────────────────────
-# nginx sits in front of the app and enforces HTTP Basic Auth.
-# Handles WebSocket upgrade for /api/watch automatically.
-#
-# Setup (one time):
-#   htpasswd -c nginx.htpasswd <username>   # creates the password file
-#
-# Usage:
-#   docker compose -f docker-compose.yml -f docker-compose.auth-basic.yml up
-
-services:
-  obsidian-web:
-    # Remove direct host port — nginx is the only public entrypoint
-    ports: []
-
-  nginx:
-    image: nginx:alpine
-    ports:
-      - "${PORT:-3000}:80"
-    volumes:
-      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
-      - ./nginx.htpasswd:/etc/nginx/htpasswd:ro
-    depends_on:
-      - obsidian-web
-    restart: unless-stopped
diff --git a/docker-compose.auth-key.yml b/docker-compose.auth-key.yml
deleted file mode 100644
index 53fcb56..0000000
--- a/docker-compose.auth-key.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# Auth Option 1 — API Key
-# ─────────────────────────────────────────────────────────────────────────────
-# The server checks AUTH_KEY on every request.
-# Unauthenticated browsers get a login page; API calls get a 401.
-#
-# Usage:
-#   AUTH_KEY=your-secret docker compose -f docker-compose.yml -f docker-compose.auth-key.yml up
-#
-# Or set AUTH_KEY in a .env file at the repo root and run:
-#   docker compose -f docker-compose.yml -f docker-compose.auth-key.yml up
-
-services:
-  obsidian-web:
-    environment:
-      AUTH_KEY: "${AUTH_KEY:?AUTH_KEY must be set (e.g. export AUTH_KEY=your-secret)}"
diff --git a/docker-compose.yml b/docker-compose.yml
index 503647d..78f39a8 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,7 +4,7 @@ services:
     ports:
       - "${PORT:-3000}:3000"
     volumes:
-      # Vault and registry persist on the host — safe across rebuilds
+      # Vault and registry persist on the host — safe across container rebuilds
       - ./user-data:/app/user-data
     environment:
       HOST: "0.0.0.0"
@@ -12,12 +12,33 @@ services:
       VAULT_PATH: "user-data/demo-vault"
       # VAULT_REGISTRY: "user-data/registry.json"
       # WATCH_POLLING: "true"   # enable for NFS / SMB / FUSE-mounted vaults
+
+      # ── Auth Option 1: API Key ─────────────────────────────────────────────
+      # Uncomment and set AUTH_KEY to enable a login page + cookie session.
+      # In Dockhand you can set this in the stack's environment editor instead.
+      # AUTH_KEY: "change-me"
     restart: unless-stopped
 
-# ── Auth options ───────────────────────────────────────────────────────────────
-# Option 1 — API Key (built into the server, no extra container):
-#   docker compose -f docker-compose.yml -f docker-compose.auth-key.yml up
-#
-# Option 2 — HTTP Basic Auth via nginx (requires nginx.htpasswd):
-#   htpasswd -c nginx.htpasswd <username>
-#   docker compose -f docker-compose.yml -f docker-compose.auth-basic.yml up
+  # ── Auth Option 2: HTTP Basic Auth via nginx ────────────────────────────────
+  # Puts nginx in front of the app with username/password protection.
+  # Also handles WebSocket upgrade for real-time vault sync (/api/watch).
+  #
+  # Setup (run once on the host):
+  #   htpasswd -c nginx.htpasswd <username>
+  #
+  # To start with this option:
+  #   docker compose --profile auth-nginx up
+  #
+  # When using this profile, comment out the `ports` on obsidian-web above
+  # so the app is only reachable through nginx, not directly.
+  nginx:
+    profiles: ["auth-nginx"]
+    image: nginx:alpine
+    ports:
+      - "${PORT:-3000}:80"
+    volumes:
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+      - ./nginx.htpasswd:/etc/nginx/htpasswd:ro
+    depends_on:
+      - obsidian-web
+    restart: unless-stopped

From c2c4e9be0cfa6ebc6c5784b671f7674a2769c572 Mon Sep 17 00:00:00 2001
From: Sean <sean9@me.com>
Date: Tue, 9 Jun 2026 16:39:48 -0700
Subject: [PATCH 03/46] docker: add unzip to build stage for obsidian-mobile
 script

---
 Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 8396138..792816c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,8 @@
 # Both scripts use only Node built-ins (https, zlib, crypto, fs) — no npm install needed.
 FROM node:20-alpine AS obsidian-dl
 WORKDIR /app
+# unzip is required by update-obsidian-mobile.js (extracts assets from the APK)
+RUN apk add --no-cache unzip
 COPY scripts/ scripts/
 RUN node scripts/update-obsidian.js \
  && node scripts/update-obsidian-mobile.js

From 9d08213156129f2fb5136b6919f5459a02f7df54 Mon Sep 17 00:00:00 2001
From: Sean <sean9@me.com>
Date: Tue, 9 Jun 2026 16:41:55 -0700
Subject: [PATCH 04/46] docker: move vendor download to entrypoint (fixes
 build-time network error)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Docker build environments have no internet access, so downloading Obsidian
renderer files at build time (EAI_AGAIN / DNS failure) doesn't work.

Instead:
- entrypoint.sh checks for vendor/obsidian/app.js on startup and runs the
  download scripts only if missing (~30s on first start)
- obsidian_vendor Docker volume caches the result — subsequent starts are
  instant
- Dockerfile becomes a single stage with no network dependency at build time
---
 Dockerfile         | 33 +++++++++++++--------------------
 docker-compose.yml |  7 +++++++
 entrypoint.sh      | 18 ++++++++++++++++++
 3 files changed, 38 insertions(+), 20 deletions(-)
 create mode 100644 entrypoint.sh

diff --git a/Dockerfile b/Dockerfile
index 792816c..37209b5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,35 +1,28 @@
-# ── Stage 1: download Obsidian renderer files ─────────────────────────────────
-# Both scripts use only Node built-ins (https, zlib, crypto, fs) — no npm install needed.
-FROM node:20-alpine AS obsidian-dl
-WORKDIR /app
-# unzip is required by update-obsidian-mobile.js (extracts assets from the APK)
-RUN apk add --no-cache unzip
-COPY scripts/ scripts/
-RUN node scripts/update-obsidian.js \
- && node scripts/update-obsidian-mobile.js
-
-# ── Stage 2: production image ──────────────────────────────────────────────────
 FROM node:20-alpine
 WORKDIR /app
 
-# App source and default vault
+# unzip is required by scripts/update-obsidian-mobile.js (extracts APK assets)
+RUN apk add --no-cache unzip
+
+# App source, scripts, and default vault
 COPY src/ src/
+COPY scripts/ scripts/
 COPY user-data/ user-data/
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
 
-# Pre-downloaded Obsidian renderer bundles (not in git, built in stage 1)
-COPY --from=obsidian-dl /app/vendor/ vendor/
-
-# Install server dependencies (production only, no devDeps)
+# Install server dependencies (production only)
 RUN cd src/server && npm ci --omit=dev
 
 EXPOSE 3000
 
-# HOST must be 0.0.0.0 inside a container — 127.0.0.1 would refuse outside connections
+# HOST must be 0.0.0.0 inside a container
 ENV HOST=0.0.0.0
 ENV PORT=3000
 ENV VAULT_PATH=user-data/demo-vault
-# Optional auth (see docker-compose.auth-key.yml):
-# ENV AUTH_KEY=change-me
 
-# Run from repo root so PROJECT_ROOT resolves correctly via __dirname
+# Obsidian renderer bundles are downloaded at first start into the
+# obsidian_vendor volume (see docker-compose.yml). Network is available
+# at runtime but not during `docker build`, so we can't download here.
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["node", "src/server/index.js"]
diff --git a/docker-compose.yml b/docker-compose.yml
index 78f39a8..b508b99 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,6 +6,8 @@ services:
     volumes:
       # Vault and registry persist on the host — safe across container rebuilds
       - ./user-data:/app/user-data
+      # Obsidian renderer bundles — downloaded on first start, cached across restarts
+      - obsidian_vendor:/app/vendor
     environment:
       HOST: "0.0.0.0"
       PORT: "3000"
@@ -19,6 +21,11 @@ services:
       # AUTH_KEY: "change-me"
     restart: unless-stopped
 
+volumes:
+  # Named volume so the downloaded Obsidian bundles survive container rebuilds.
+  # Delete with `docker volume rm obsidian_vendor` to force a fresh download.
+  obsidian_vendor:
+
   # ── Auth Option 2: HTTP Basic Auth via nginx ────────────────────────────────
   # Puts nginx in front of the app with username/password protection.
   # Also handles WebSocket upgrade for real-time vault sync (/api/watch).
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..3874859
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+
+# Download Obsidian renderer bundles on first start (or if the volume is empty).
+# Results are cached in the `obsidian_vendor` Docker volume — subsequent starts
+# are instant because the files are already there.
+
+if [ ! -f /app/vendor/obsidian/app.js ]; then
+  echo "[docker] Downloading Obsidian desktop renderer (first run — this takes ~30s)..."
+  node scripts/update-obsidian.js
+fi
+
+if [ ! -f /app/vendor/obsidian-mobile/app.js ]; then
+  echo "[docker] Downloading Obsidian mobile renderer (first run — this takes ~30s)..."
+  node scripts/update-obsidian-mobile.js
+fi
+
+exec "$@"

From 1191ee0816716357f5ec78eaf74b95a5320c461c Mon Sep 17 00:00:00 2001
From: Sean <sean9@me.com>
Date: Tue, 9 Jun 2026 16:43:00 -0700
Subject: [PATCH 05/46] docker: fix docker-compose.yml structure (nginx inside
 services, not volumes)

---
 docker-compose.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index b508b99..c844e20 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -21,11 +21,6 @@ services:
       # AUTH_KEY: "change-me"
     restart: unless-stopped
 
-volumes:
-  # Named volume so the downloaded Obsidian bundles survive container rebuilds.
-  # Delete with `docker volume rm obsidian_vendor` to force a fresh download.
-  obsidian_vendor:
-
   # ── Auth Option 2: HTTP Basic Auth via nginx ────────────────────────────────
   # Puts nginx in front of the app with username/password protection.
   # Also handles WebSocket upgrade for real-time vault sync (/api/watch).
@@ -49,3 +44,8 @@ volumes:
     depends_on:
       - obsidian-web
     restart: unless-stopped
+
+volumes:
+  # Named volume so the downloaded Obsidian bundles survive container rebuilds.
+  # Delete with `docker volume rm obsidian_vendor` to force a fresh download.
+  obsidian_vendor:

From b939fb90d8d69c83cc59b3a3042875461406376a Mon Sep 17 00:00:00 2001
From: Sean <sean9@me.com>
Date: Tue, 9 Jun 2026 16:48:44 -0700
Subject: [PATCH 06/46] docker: fix EXDEV rename error by symlinking .tmp into
 vendor volume
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The update scripts extract to /app/.tmp/ then rename() into /app/vendor/.
rename() fails with EXDEV when src and dst are on different filesystems —
which they are in Docker (.tmp = container layer, vendor = named volume).

Fix: at startup, mkdir /app/vendor/.tmp and symlink /app/.tmp -> /app/vendor/.tmp
so both paths live on the same volume filesystem.
---
 entrypoint.sh | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index 3874859..0d1bdd2 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,9 +1,14 @@
 #!/bin/sh
 set -e
 
-# Download Obsidian renderer bundles on first start (or if the volume is empty).
-# Results are cached in the `obsidian_vendor` Docker volume — subsequent starts
-# are instant because the files are already there.
+# The update scripts extract files to /app/.tmp/ then atomically rename() them
+# into /app/vendor/. rename() across different filesystems raises EXDEV, and
+# /app/.tmp (container layer) vs /app/vendor (Docker volume) are different
+# devices. Fix: redirect .tmp into the vendor volume so both paths share the
+# same filesystem and rename() succeeds.
+mkdir -p /app/vendor/.tmp
+rm -rf /app/.tmp
+ln -sf /app/vendor/.tmp /app/.tmp
 
 if [ ! -f /app/vendor/obsidian/app.js ]; then
   echo "[docker] Downloading Obsidian desktop renderer (first run — this takes ~30s)..."

From 9d2b7c275f55ff2dd51b5799eb4c8a1832592009 Mon Sep 17 00:00:00 2001
From: Sean <sean9@me.com>
Date: Tue, 9 Jun 2026 17:11:49 -0700
Subject: [PATCH 07/46] feat: custom vault/plugins mount, .env auth key, mobile
 safe-area fix

docker-compose.yml:
- commented examples for mounting your own vault folder and plugins dir
- AUTH_KEY now loaded from .env file (gitignored) or Dockhand env editor
- env_file with required:false so .env is optional

auth:
- .env.example shows how to configure AUTH_KEY locally
- .gitignore: add .env so real keys are never committed

mobile:
- index.html: add env(safe-area-inset-top) padding on html element
  so content is not hidden under the status bar / notch on iOS and Android
---
 .env.example                 |  9 ++++++++
 .gitignore                   |  3 +++
 docker-compose.yml           | 45 +++++++++++++++++++++---------------
 src/client-mobile/index.html |  7 ++++++
 4 files changed, 46 insertions(+), 18 deletions(-)
 create mode 100644 .env.example

diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..96e1833
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,9 @@
+# Copy this file to .env and fill in your values.
+# .env is gitignored — never commit real secrets to the repo.
+
+# API key auth — set this to enable the login page.
+# Can also be set directly in Dockhand's environment editor.
+AUTH_KEY=change-me
+
+# Optional: override the default port
+# PORT=3000
diff --git a/.gitignore b/.gitignore
index ae885b8..2378298 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,9 @@
 # Vendor — extracted Obsidian bundles (regeneratable via scripts/update-obsidian.js)
 vendor/
 
+# Local environment — copy .env.example to .env, never commit real secrets
+.env
+
 # Node
 node_modules/
 npm-debug.log*
diff --git a/docker-compose.yml b/docker-compose.yml
index c844e20..262a40d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,35 +4,46 @@ services:
     ports:
       - "${PORT:-3000}:3000"
     volumes:
-      # Vault and registry persist on the host — safe across container rebuilds
+      # ── Vault ──────────────────────────────────────────────────────────────
+      # Option A (default): use the built-in demo vault
       - ./user-data:/app/user-data
-      # Obsidian renderer bundles — downloaded on first start, cached across restarts
+
+      # Option B: mount YOUR OWN vault folder from the host.
+      # 1. Uncomment the line below, replacing the left side with your path.
+      # 2. Set VAULT_PATH (in environment below) to match the right side.
+      # - /path/to/your/vault:/app/vaults/my-vault
+
+      # ── Plugins ────────────────────────────────────────────────────────────
+      # Mount a folder of extra Obsidian plugins into the container.
+      # Uncomment and point at your local .obsidian/plugins directory.
+      # - /path/to/your/.obsidian/plugins:/app/user-data/demo-vault/.obsidian/plugins
+
+      # ── Obsidian renderer bundles (downloaded on first start) ───────────────
       - obsidian_vendor:/app/vendor
+
     environment:
       HOST: "0.0.0.0"
       PORT: "3000"
+
+      # Path to the active vault — relative to the project root (/app inside
+      # the container), or absolute. Change this if you use Option B above.
       VAULT_PATH: "user-data/demo-vault"
+
       # VAULT_REGISTRY: "user-data/registry.json"
       # WATCH_POLLING: "true"   # enable for NFS / SMB / FUSE-mounted vaults
 
       # ── Auth Option 1: API Key ─────────────────────────────────────────────
-      # Uncomment and set AUTH_KEY to enable a login page + cookie session.
-      # In Dockhand you can set this in the stack's environment editor instead.
-      # AUTH_KEY: "change-me"
+      # Set AUTH_KEY via a .env file or Dockhand's environment editor.
+      # Never commit a real key here — this file is public.
+      # AUTH_KEY: "${AUTH_KEY}"
+    env_file:
+      - path: .env
+        required: false     # silently ignored if .env doesn't exist
     restart: unless-stopped
 
   # ── Auth Option 2: HTTP Basic Auth via nginx ────────────────────────────────
-  # Puts nginx in front of the app with username/password protection.
-  # Also handles WebSocket upgrade for real-time vault sync (/api/watch).
-  #
-  # Setup (run once on the host):
-  #   htpasswd -c nginx.htpasswd <username>
-  #
-  # To start with this option:
-  #   docker compose --profile auth-nginx up
-  #
-  # When using this profile, comment out the `ports` on obsidian-web above
-  # so the app is only reachable through nginx, not directly.
+  # Setup: htpasswd -c nginx.htpasswd <username>
+  # Start: docker compose --profile auth-nginx up
   nginx:
     profiles: ["auth-nginx"]
     image: nginx:alpine
@@ -46,6 +57,4 @@ services:
     restart: unless-stopped
 
 volumes:
-  # Named volume so the downloaded Obsidian bundles survive container rebuilds.
-  # Delete with `docker volume rm obsidian_vendor` to force a fresh download.
   obsidian_vendor:
diff --git a/src/client-mobile/index.html b/src/client-mobile/index.html
index fdbfc9e..28d6c59 100644
--- a/src/client-mobile/index.html
+++ b/src/client-mobile/index.html
@@ -6,6 +6,13 @@
   <title>Obsidian Web</title>
   <link href="/obsidian-mobile/app.css" type="text/css" rel="stylesheet"/>
   <style>
+    /* Push the entire app down by the status-bar / notch height.
+       viewport-fit=cover lets us use the full screen; safe-area-inset-top
+       ensures nothing hides under the status bar on iOS/Android. */
+    html {
+      padding-top: env(safe-area-inset-top, 0px);
+      background: var(--background-primary, #1e1e1e);
+    }
     #ow-loading {
       position: fixed; inset: 0; display: flex; flex-direction: column;
       align-items: center; justify-content: center; gap: 16px;

From 508358505c73a1987cea7d8ac7d4b299af677cab Mon Sep 17 00:00:00 2001
From: Sean <sean9@me.com>
Date: Tue, 9 Jun 2026 17:14:55 -0700
Subject: [PATCH 08/46] docker: add granular volume mounts for plugins, themes,
 snippets, fonts

---
 docker-compose.yml | 47 ++++++++++++++++++++++++++++++++--------------
 1 file changed, 33 insertions(+), 14 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 262a40d..c236c97 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,18 +5,38 @@ services:
       - "${PORT:-3000}:3000"
     volumes:
       # ── Vault ──────────────────────────────────────────────────────────────
-      # Option A (default): use the built-in demo vault
+      # Option A (default): built-in demo vault — good for trying things out
       - ./user-data:/app/user-data
 
-      # Option B: mount YOUR OWN vault folder from the host.
-      # 1. Uncomment the line below, replacing the left side with your path.
-      # 2. Set VAULT_PATH (in environment below) to match the right side.
+      # Option B: mount your entire vault from the host.
+      # This is the recommended approach for real use — your notes, settings,
+      # plugins, themes, snippets and fonts all live in one place on the host.
+      # 1. Uncomment the two lines below.
+      # 2. Replace /path/to/your/vault with the actual path on your machine.
+      # 3. Set VAULT_PATH below to match the right-hand side of the mount.
       # - /path/to/your/vault:/app/vaults/my-vault
+      # (then set VAULT_PATH: "vaults/my-vault" in environment below)
 
-      # ── Plugins ────────────────────────────────────────────────────────────
-      # Mount a folder of extra Obsidian plugins into the container.
-      # Uncomment and point at your local .obsidian/plugins directory.
-      # - /path/to/your/.obsidian/plugins:/app/user-data/demo-vault/.obsidian/plugins
+      # ── Granular Obsidian config folders ───────────────────────────────────
+      # Use these if you want to manage individual parts of .obsidian/ from
+      # the host while keeping notes elsewhere, or to share a plugin/theme
+      # folder across multiple vaults.
+      # Uncomment whichever you need:
+
+      # Community plugins
+      # - /path/to/.obsidian/plugins:/app/user-data/demo-vault/.obsidian/plugins
+
+      # Themes (.obsidian/themes/ — contains theme CSS files)
+      # - /path/to/.obsidian/themes:/app/user-data/demo-vault/.obsidian/themes
+
+      # CSS snippets (.obsidian/snippets/ — small custom CSS overrides)
+      # - /path/to/.obsidian/snippets:/app/user-data/demo-vault/.obsidian/snippets
+
+      # Custom fonts (.obsidian/fonts/)
+      # - /path/to/.obsidian/fonts:/app/user-data/demo-vault/.obsidian/fonts
+
+      # All Obsidian settings at once (plugins + themes + snippets + fonts + config)
+      # - /path/to/.obsidian:/app/user-data/demo-vault/.obsidian
 
       # ── Obsidian renderer bundles (downloaded on first start) ───────────────
       - obsidian_vendor:/app/vendor
@@ -25,20 +45,19 @@ services:
       HOST: "0.0.0.0"
       PORT: "3000"
 
-      # Path to the active vault — relative to the project root (/app inside
-      # the container), or absolute. Change this if you use Option B above.
+      # Change this if using Option B above (right-hand side of the volume mount)
       VAULT_PATH: "user-data/demo-vault"
 
       # VAULT_REGISTRY: "user-data/registry.json"
       # WATCH_POLLING: "true"   # enable for NFS / SMB / FUSE-mounted vaults
 
-      # ── Auth Option 1: API Key ─────────────────────────────────────────────
-      # Set AUTH_KEY via a .env file or Dockhand's environment editor.
-      # Never commit a real key here — this file is public.
+      # ── Auth (Option 1: API Key) ───────────────────────────────────────────
+      # Set AUTH_KEY in a .env file or in Dockhand's environment editor.
+      # Never put a real key here — this file is public.
       # AUTH_KEY: "${AUTH_KEY}"
     env_file:
       - path: .env
-        required: false     # silently ignored if .env doesn't exist
+        required: false
     restart: unless-stopped
 
   # ── Auth Option 2: HTTP Basic Auth via nginx ────────────────────────────────

From bb5405d97c70b9c0911412547e2ff136eec21a57 Mon Sep 17 00:00:00 2001
From: Sean <sean9@me.com>
Date: Tue, 9 Jun 2026 17:20:17 -0700
Subject: [PATCH 09/46] docker: use env var substitution for all volume paths

---
 .env.example       | 20 ++++++++++++----
 docker-compose.yml | 58 ++++++++++++----------------------------------
 2 files changed, 31 insertions(+), 47 deletions(-)

diff --git a/.env.example b/.env.example
index 96e1833..6b3d3b5 100644
--- a/.env.example
+++ b/.env.example
@@ -1,9 +1,21 @@
-# Copy this file to .env and fill in your values.
+# Copy this file to .env and set the values you need.
 # .env is gitignored — never commit real secrets to the repo.
 
-# API key auth — set this to enable the login page.
-# Can also be set directly in Dockhand's environment editor.
+# ── Auth ───────────────────────────────────────────────────────────────────────
 AUTH_KEY=change-me
 
-# Optional: override the default port
+# ── Port ───────────────────────────────────────────────────────────────────────
 # PORT=3000
+
+# ── Vault ──────────────────────────────────────────────────────────────────────
+# Point USER_DATA at your vault folder on the host. Everything inside
+# .obsidian/ (plugins, themes, snippets, fonts, settings) comes along for free.
+# USER_DATA=/path/to/your/vault
+# VAULT_PATH=user-data/demo-vault   # right-hand side of the USER_DATA mount
+
+# ── Granular folder overrides ──────────────────────────────────────────────────
+# Only needed if you want a shared folder used across multiple vaults.
+# OBSIDIAN_PLUGINS=/path/to/.obsidian/plugins
+# OBSIDIAN_THEMES=/path/to/.obsidian/themes
+# OBSIDIAN_SNIPPETS=/path/to/.obsidian/snippets
+# OBSIDIAN_FONTS=/path/to/.obsidian/fonts
diff --git a/docker-compose.yml b/docker-compose.yml
index c236c97..d7b5bc9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,63 +4,35 @@ services:
     ports:
       - "${PORT:-3000}:3000"
     volumes:
-      # ── Vault ──────────────────────────────────────────────────────────────
-      # Option A (default): built-in demo vault — good for trying things out
-      - ./user-data:/app/user-data
+      # Set these in .env (or Dockhand's env editor) to point at folders on
+      # your host. Defaults keep everything self-contained in the repo.
 
-      # Option B: mount your entire vault from the host.
-      # This is the recommended approach for real use — your notes, settings,
-      # plugins, themes, snippets and fonts all live in one place on the host.
-      # 1. Uncomment the two lines below.
-      # 2. Replace /path/to/your/vault with the actual path on your machine.
-      # 3. Set VAULT_PATH below to match the right-hand side of the mount.
-      # - /path/to/your/vault:/app/vaults/my-vault
-      # (then set VAULT_PATH: "vaults/my-vault" in environment below)
+      # Your vault — notes, and anything inside .obsidian/ (plugins, themes,
+      # snippets, fonts, settings). Point USER_DATA at your real vault folder.
+      - ${USER_DATA:-./user-data}:/app/user-data
 
-      # ── Granular Obsidian config folders ───────────────────────────────────
-      # Use these if you want to manage individual parts of .obsidian/ from
-      # the host while keeping notes elsewhere, or to share a plugin/theme
-      # folder across multiple vaults.
-      # Uncomment whichever you need:
+      # Granular overrides — only needed if you want to share a single
+      # plugins/themes/snippets/fonts folder across multiple vaults.
+      - ${OBSIDIAN_PLUGINS:-./user-data/demo-vault/.obsidian/plugins}:/app/user-data/demo-vault/.obsidian/plugins
+      - ${OBSIDIAN_THEMES:-./user-data/demo-vault/.obsidian/themes}:/app/user-data/demo-vault/.obsidian/themes
+      - ${OBSIDIAN_SNIPPETS:-./user-data/demo-vault/.obsidian/snippets}:/app/user-data/demo-vault/.obsidian/snippets
+      - ${OBSIDIAN_FONTS:-./user-data/demo-vault/.obsidian/fonts}:/app/user-data/demo-vault/.obsidian/fonts
 
-      # Community plugins
-      # - /path/to/.obsidian/plugins:/app/user-data/demo-vault/.obsidian/plugins
-
-      # Themes (.obsidian/themes/ — contains theme CSS files)
-      # - /path/to/.obsidian/themes:/app/user-data/demo-vault/.obsidian/themes
-
-      # CSS snippets (.obsidian/snippets/ — small custom CSS overrides)
-      # - /path/to/.obsidian/snippets:/app/user-data/demo-vault/.obsidian/snippets
-
-      # Custom fonts (.obsidian/fonts/)
-      # - /path/to/.obsidian/fonts:/app/user-data/demo-vault/.obsidian/fonts
-
-      # All Obsidian settings at once (plugins + themes + snippets + fonts + config)
-      # - /path/to/.obsidian:/app/user-data/demo-vault/.obsidian
-
-      # ── Obsidian renderer bundles (downloaded on first start) ───────────────
+      # Obsidian renderer bundles (downloaded on first start)
       - obsidian_vendor:/app/vendor
 
     environment:
       HOST: "0.0.0.0"
       PORT: "3000"
-
-      # Change this if using Option B above (right-hand side of the volume mount)
-      VAULT_PATH: "user-data/demo-vault"
-
+      VAULT_PATH: "${VAULT_PATH:-user-data/demo-vault}"
       # VAULT_REGISTRY: "user-data/registry.json"
-      # WATCH_POLLING: "true"   # enable for NFS / SMB / FUSE-mounted vaults
-
-      # ── Auth (Option 1: API Key) ───────────────────────────────────────────
-      # Set AUTH_KEY in a .env file or in Dockhand's environment editor.
-      # Never put a real key here — this file is public.
-      # AUTH_KEY: "${AUTH_KEY}"
+      # WATCH_POLLING: "true"
     env_file:
       - path: .env
         required: false
     restart: unless-stopped
 
-  # ── Auth Option 2: HTTP Basic Auth via nginx ────────────────────────────────
+  # Auth Option 2: HTTP Basic Auth via nginx
   # Setup: htpasswd -c nginx.htpasswd <username>
   # Start: docker compose --profile auth-nginx up
   nginx:

From 09d0a1d2acba7f50330b54ccf81b2ede3ea88b29 Mon Sep 17 00:00:00 2001
From: Sean <sean9@me.com>
Date: Tue, 9 Jun 2026 17:27:01 -0700
Subject: [PATCH 10/46] docker: comment out granular volume mounts (opt-in
 only)

---
 docker-compose.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index d7b5bc9..27dd598 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -13,10 +13,10 @@ services:
 
       # Granular overrides — only needed if you want to share a single
       # plugins/themes/snippets/fonts folder across multiple vaults.
-      - ${OBSIDIAN_PLUGINS:-./user-data/demo-vault/.obsidian/plugins}:/app/user-data/demo-vault/.obsidian/plugins
-      - ${OBSIDIAN_THEMES:-./user-data/demo-vault/.obsidian/themes}:/app/user-data/demo-vault/.obsidian/themes
-      - ${OBSIDIAN_SNIPPETS:-./user-data/demo-vault/.obsidian/snippets}:/app/user-data/demo-vault/.obsidian/snippets
-      - ${OBSIDIAN_FONTS:-./user-data/demo-vault/.obsidian/fonts}:/app/user-data/demo-vault/.obsidian/fonts
+      # - ${OBSIDIAN_PLUGINS:-./user-data/demo-vault/.obsidian/plugins}:/app/user-data/demo-vault/.obsidian/plugins
+      # - ${OBSIDIAN_THEMES:-./user-data/demo-vault/.obsidian/themes}:/app/user-data/demo-vault/.obsidian/themes
+      # - ${OBSIDIAN_SNIPPETS:-./user-data/demo-vault/.obsidian/snippets}:/app/user-data/demo-vault/.obsidian/snippets
+      # - ${OBSIDIAN_FONTS:-./user-data/demo-vault/.obsidian/fonts}:/app/user-data/demo-vault/.obsidian/fonts
 
       # Obsidian renderer bundles (downloaded on first start)
       - obsidian_vendor:/app/vendor

From a48f287facb5b7866bce6724b4b678936090c3f7 Mon Sep 17 00:00:00 2001
From: Sean <sean9@me.com>
Date: Tue, 9 Jun 2026 17:28:44 -0700
Subject: [PATCH 11/46] docker: fix port conflict between obsidian-web and
 nginx

Split into two variables:
- APP_PORT (default 3000): host port for direct access to obsidian-web
- PORT (default 3000): public port nginx listens on

When running the auth-nginx profile, set APP_PORT=3001 so nginx can
take port 3000 without both services fighting over the same host port.
---
 .env.example       | 7 ++++++-
 docker-compose.yml | 9 +++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/.env.example b/.env.example
index 6b3d3b5..de20063 100644
--- a/.env.example
+++ b/.env.example
@@ -4,7 +4,12 @@
 # ── Auth ───────────────────────────────────────────────────────────────────────
 AUTH_KEY=change-me
 
-# ── Port ───────────────────────────────────────────────────────────────────────
+# ── Ports ──────────────────────────────────────────────────────────────────────
+# APP_PORT: host port for direct access to the app (default 3000)
+# PORT:     public port used by nginx when running the auth-nginx profile (default 3000)
+# When using auth-nginx, set APP_PORT to something else (e.g. 3001) so
+# nginx can take port 3000 without a conflict.
+# APP_PORT=3001
 # PORT=3000
 
 # ── Vault ──────────────────────────────────────────────────────────────────────
diff --git a/docker-compose.yml b/docker-compose.yml
index 27dd598..7ab3e22 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,10 @@ services:
   obsidian-web:
     build: .
     ports:
-      - "${PORT:-3000}:3000"
+      # Direct access (no auth). APP_PORT defaults to 3000.
+      # When using the auth-nginx profile, set APP_PORT to something unused
+      # (e.g. 3001) so nginx can take port 3000 without a conflict.
+      - "${APP_PORT:-3000}:3000"
     volumes:
       # Set these in .env (or Dockhand's env editor) to point at folders on
       # your host. Defaults keep everything self-contained in the repo.
@@ -33,8 +36,10 @@ services:
     restart: unless-stopped
 
   # Auth Option 2: HTTP Basic Auth via nginx
+  # nginx takes PORT (default 3000) as the public-facing port and proxies
+  # internally to obsidian-web:3000 — no host port conflict.
   # Setup: htpasswd -c nginx.htpasswd <username>
-  # Start: docker compose --profile auth-nginx up
+  # Start: APP_PORT=3001 docker compose --profile auth-nginx up
   nginx:
     profiles: ["auth-nginx"]
     image: nginx:alpine

From bf0426d6435d90c2dd3d52b643dbd4cf118f84af Mon Sep 17 00:00:00 2001
From: Sean <sean9@me.com>
Date: Tue, 9 Jun 2026 17:30:48 -0700
Subject: [PATCH 12/46] docker: nginx hardcoded to port 80, no port conflict

---
 .env.example       |  8 ++------
 docker-compose.yml | 12 ++++--------
 2 files changed, 6 insertions(+), 14 deletions(-)

diff --git a/.env.example b/.env.example
index de20063..804e47d 100644
--- a/.env.example
+++ b/.env.example
@@ -4,12 +4,8 @@
 # ── Auth ───────────────────────────────────────────────────────────────────────
 AUTH_KEY=change-me
 
-# ── Ports ──────────────────────────────────────────────────────────────────────
-# APP_PORT: host port for direct access to the app (default 3000)
-# PORT:     public port used by nginx when running the auth-nginx profile (default 3000)
-# When using auth-nginx, set APP_PORT to something else (e.g. 3001) so
-# nginx can take port 3000 without a conflict.
-# APP_PORT=3001
+# ── Port ───────────────────────────────────────────────────────────────────────
+# Direct access port (default 3000). nginx always uses 80, no conflict.
 # PORT=3000
 
 # ── Vault ──────────────────────────────────────────────────────────────────────
diff --git a/docker-compose.yml b/docker-compose.yml
index 7ab3e22..7032e47 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,10 +2,7 @@ services:
   obsidian-web:
     build: .
     ports:
-      # Direct access (no auth). APP_PORT defaults to 3000.
-      # When using the auth-nginx profile, set APP_PORT to something unused
-      # (e.g. 3001) so nginx can take port 3000 without a conflict.
-      - "${APP_PORT:-3000}:3000"
+      - "${PORT:-3000}:3000"
     volumes:
       # Set these in .env (or Dockhand's env editor) to point at folders on
       # your host. Defaults keep everything self-contained in the repo.
@@ -36,15 +33,14 @@ services:
     restart: unless-stopped
 
   # Auth Option 2: HTTP Basic Auth via nginx
-  # nginx takes PORT (default 3000) as the public-facing port and proxies
-  # internally to obsidian-web:3000 — no host port conflict.
+  # nginx listens on port 80 and proxies to obsidian-web internally.
   # Setup: htpasswd -c nginx.htpasswd <username>
-  # Start: APP_PORT=3001 docker compose --profile auth-nginx up
+  # Start: docker compose --profile auth-nginx up
   nginx:
     profiles: ["auth-nginx"]
     image: nginx:alpine
     ports:
-      - "${PORT:-3000}:80"
+      - "80:80"
     volumes:
       - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
       - ./nginx.htpasswd:/etc/nginx/htpasswd:ro

From a9b45302f523bc8b3443b63bc1fceab7aefce38a Mon Sep 17 00:00:00 2001
From: Sean <sean9@me.com>
Date: Tue, 9 Jun 2026 17:56:26 -0700
Subject: [PATCH 13/46] fix: AUTH_KEY not passed to container + mobile bottom
 safe-area
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

docker-compose: AUTH_KEY was commented out in environment so it never
reached the Node process even when set in Dockhand's env editor or .env.
Now explicitly passed as AUTH_KEY: \ so an empty value is
the default (auth disabled) and any non-empty value enables the login page.

mobile: add env(safe-area-inset-bottom) so the bottom tab bar clears
the home indicator on iOS/Android — previously only top was handled.
---
 docker-compose.yml           | 5 ++++-
 src/client-mobile/index.html | 7 ++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 7032e47..3c0f3cf 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -25,8 +25,11 @@ services:
       HOST: "0.0.0.0"
       PORT: "3000"
       VAULT_PATH: "${VAULT_PATH:-user-data/demo-vault}"
+      WATCH_POLLING: "${WATCH_POLLING:-false}"
       # VAULT_REGISTRY: "user-data/registry.json"
-      # WATCH_POLLING: "true"
+
+      # Auth — set AUTH_KEY in Dockhand's env editor or in a .env file
+      AUTH_KEY: "${AUTH_KEY:-}"
     env_file:
       - path: .env
         required: false
diff --git a/src/client-mobile/index.html b/src/client-mobile/index.html
index 28d6c59..5d322ce 100644
--- a/src/client-mobile/index.html
+++ b/src/client-mobile/index.html
@@ -6,11 +6,12 @@
   <title>Obsidian Web</title>
   <link href="/obsidian-mobile/app.css" type="text/css" rel="stylesheet"/>
   <style>
-    /* Push the entire app down by the status-bar / notch height.
-       viewport-fit=cover lets us use the full screen; safe-area-inset-top
-       ensures nothing hides under the status bar on iOS/Android. */
+    /* viewport-fit=cover extends the app edge-to-edge. The safe-area insets
+       push content clear of the status bar (top) and home indicator (bottom)
+       so nothing is hidden under system UI on iOS or Android. */
     html {
       padding-top: env(safe-area-inset-top, 0px);
+      padding-bottom: env(safe-area-inset-bottom, 0px);
       background: var(--background-primary, #1e1e1e);
     }
     #ow-loading {

From 0576e6344ef6161b89187bdcba03058eea48cd48 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 01:54:17 +0000
Subject: [PATCH 14/46] feat: replace static AUTH_KEY with TOTP authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Rewrite src/server/middleware/auth.js with otplib + qrcode
- Login page: 6-digit code entry with auto-advance and auto-submit
- Setup page at /__totp-setup?token=TOTP_SECRET shows QR code + raw secret
- Session cookie derived from TOTP_SECRET (consistent across restarts)
- ±30s clock drift tolerance (window: 1)
- Replace AUTH_KEY with TOTP_SECRET in docker-compose.yml and .env.example
- Update index.js log message and comments
---
 .env.example                  |   12 +-
 docker-compose.yml            |    7 +-
 src/server/index.js           |  361 ++---
 src/server/middleware/auth.js |  228 ++-
 src/server/package-lock.json  | 2576 +++++++++++++++++++--------------
 src/server/package.json       |   38 +-
 6 files changed, 1870 insertions(+), 1352 deletions(-)

diff --git a/.env.example b/.env.example
index 804e47d..6a2bcbb 100644
--- a/.env.example
+++ b/.env.example
@@ -1,8 +1,11 @@
 # Copy this file to .env and set the values you need.
 # .env is gitignored — never commit real secrets to the repo.
 
-# ── Auth ───────────────────────────────────────────────────────────────────────
-AUTH_KEY=change-me
+# ── Auth (TOTP / Google Authenticator) ────────────────────────────────────────
+# Generate a secret (run once from src/server/):
+#   node -e "const {authenticator}=require('otplib');console.log(authenticator.generateSecret())"
+# Paste the output here, then visit /__totp-setup?token=YOUR_SECRET to scan the QR code.
+# TOTP_SECRET=
 
 # ── Port ───────────────────────────────────────────────────────────────────────
 # Direct access port (default 3000). nginx always uses 80, no conflict.
@@ -14,6 +17,11 @@ AUTH_KEY=change-me
 # USER_DATA=/path/to/your/vault
 # VAULT_PATH=user-data/demo-vault   # right-hand side of the USER_DATA mount
 
+# Synology NAS example:
+# USER_DATA=/volume1/Docker/obsidian/data
+# VAULT_PATH=user-data
+# WATCH_POLLING=true
+
 # ── Granular folder overrides ──────────────────────────────────────────────────
 # Only needed if you want a shared folder used across multiple vaults.
 # OBSIDIAN_PLUGINS=/path/to/.obsidian/plugins
diff --git a/docker-compose.yml b/docker-compose.yml
index 3c0f3cf..1c29fa7 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -28,8 +28,11 @@ services:
       WATCH_POLLING: "${WATCH_POLLING:-false}"
       # VAULT_REGISTRY: "user-data/registry.json"
 
-      # Auth — set AUTH_KEY in Dockhand's env editor or in a .env file
-      AUTH_KEY: "${AUTH_KEY:-}"
+      # Auth — generate a secret with:
+      #   node -e "const {authenticator}=require('otplib');console.log(authenticator.generateSecret())"
+      # Then set TOTP_SECRET in Dockhand's env editor or in a .env file.
+      # Visit /__totp-setup?token=YOUR_SECRET to scan the QR code.
+      TOTP_SECRET: "${TOTP_SECRET:-}"
     env_file:
       - path: .env
         required: false
diff --git a/src/server/index.js b/src/server/index.js
index 98f50a2..6d64525 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -1,180 +1,181 @@
-/**
- * Obsidian Web - HTTP/WebSocket server.
- *
- * Serves three things:
- *   1. The custom src/client/ + src/client-mobile/ files (boot.js, shims, HTML).
- *   2. Obsidian's untouched renderer files from vendor/obsidian/ and
- *      vendor/obsidian-mobile/.
- *   3. A file system API at /api/fs/* and a watcher at /api/watch.
- */
-
-const express = require('express');
-const compression = require('compression');
-const fsp = require('fs/promises');
-const http = require('http');
-const path = require('path');
-
-const config = require('./config');
-const systemPlugins = require('./system-plugins');
-const createFsRouter = require('./api/fs');
-const createElectronRouter = require('./api/electron');
-const createVaultsRouter = require('./api/vaults');
-const createBootstrapRouter = require('./api/bootstrap');
-const { warmUpBootstrapCache } = require('./api/bootstrap');
-const createProxyRouter = require('./api/proxy');
-const attachWatchServer = require('./api/watch');
-const VaultRegistry = require('./vault-registry');
-const { createAuthMiddleware } = require('./middleware/auth');
-
-function createApp(appConfig = config) {
-  const app = express();
-  const vaultRegistry = new VaultRegistry(appConfig.registryPath);
-
-  // Compression — critical for /api/bootstrap (38MB uncompressed → ~6MB).
-  // Brotli gives ~84% reduction, gzip ~79%. The middleware auto-selects based
-  // on Accept-Encoding: browsers get brotli, curl/other tools get gzip.
-  app.use(compression({ level: 6 }));
-
-  // Optional API-key auth — enabled by setting AUTH_KEY env var.
-  // See docker-compose.auth-key.yml for usage.
-  const authMiddleware = createAuthMiddleware();
-  if (authMiddleware) {
-    app.use(authMiddleware);
-    console.log('[auth] API-key authentication enabled');
-  }
-
-  // Request logging - very chatty, but invaluable while we are still
-  // figuring out what Obsidian asks for during boot.
-  app.use((req, res, next) => {
-    const start = Date.now();
-    res.on('finish', () => {
-      const ms = Date.now() - start;
-      const url = req.originalUrl;
-      // Skip noisy static assets to keep the log readable.
-      if (!url.startsWith('/api') && !url.startsWith('/i18n') && !url.startsWith('/lib') && url !== '/') {
-        return;
-      }
-      console.log(`${req.method} ${res.statusCode} ${url} (${ms}ms)`);
-    });
-    next();
-  });
-
-  // Inject ?v=<cacheBust> into all client script/link tags so browsers pick up
-  // changes automatically. The bust value is recomputed at server startup from
-  // client/ and client-mobile/ file mtimes — no manual ?v=N bump needed.
-  const cacheBust = appConfig.clientCacheBust || 'dev';
-  async function sendHtmlWithCacheBust(res, filePath) {
-    try {
-      let html = await fsp.readFile(filePath, 'utf8');
-      // Inject (or replace) ?v=<bust> on all /client/ and /client-mobile/ script and link tags.
-      // Handles both: existing ?v=3 and paths without any query string.
-      html = html.replace(/((?:src|href)="\/client(?:-mobile)?\/[^"]*?)(\?v=[^"&]*)?"(?=[^>]*>)/g,
-        (_, prefix) => `${prefix}?v=${cacheBust}"`);
-      res.setHeader('Content-Type', 'text/html; charset=utf-8');
-      res.setHeader('Cache-Control', 'no-cache');
-      res.send(html);
-    } catch (err) {
-      res.status(500).send('Error loading page: ' + err.message);
-    }
-  }
-
-  // Custom entry point - our index.html, not Obsidian's.
-  app.get('/', (req, res) => {
-    sendHtmlWithCacheBust(res, path.join(appConfig.clientPath, 'index.html'));
-  });
-
-  app.get(['/starter', '/starter.html'], (req, res) => {
-    sendHtmlWithCacheBust(res, path.join(appConfig.clientPath, 'starter.html'));
-  });
-
-  // Mobile client entry point.
-  app.get('/mobile', (req, res) => {
-    sendHtmlWithCacheBust(res, path.join(appConfig.clientMobilePath, 'index.html'));
-  });
-
-  // Static files - order matters: client/ first, then obsidian/.
-  app.use('/client', express.static(appConfig.clientPath, {
-    setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
-  }));
-  app.use('/client-mobile', express.static(appConfig.clientMobilePath, {
-    setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
-  }));
-  app.use('/obsidian', express.static(appConfig.obsidianPath, {
-    setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
-  }));
-  app.use('/obsidian-mobile', express.static(appConfig.obsidianMobilePath, {
-    setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
-  }));
-
-  // Obsidian's renderer fetches resources via absolute paths like /i18n/he.txt
-  // and /lib/... because under Electron those resolve via the app:// protocol
-  // to the bundle root. Mirror them onto the obsidian/ tree.
-  const RESOURCE_DIRS = ['i18n', 'lib', 'public', 'sandbox'];
-  for (const dir of RESOURCE_DIRS) {
-    app.use('/' + dir, express.static(path.join(appConfig.obsidianPath, dir), {
-      setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
-    }));
-  }
-
-  // Worker scripts. Obsidian creates `new Worker("worker.js")` which under
-  // Electron resolves to /Resources/obsidian/worker.js, but in a browser
-  // it resolves relative to the document URL. Serve them at the root.
-  //
-  // THIS IS CRITICAL for the metadata indexer: without worker.js the
-  // metadataCache `this.work(t)` call (which postMessage's to the worker
-  // and waits for a reply) hangs forever, leaving inProgressTaskCount > 0
-  // and blocking everything that waits for onCleanCache (rename, etc.).
-  const ROOT_FILES = ['worker.js', 'sim.js'];
-  for (const f of ROOT_FILES) {
-    app.get('/' + f, (req, res) => {
-      res.sendFile(path.join(appConfig.obsidianPath, f), {
-        headers: { 'Cache-Control': 'no-cache' },
-      });
-    });
-  }
-
-  // API routes.
-  app.use('/api/bootstrap', createBootstrapRouter(vaultRegistry, appConfig.vaultPath));
-  app.use('/api/proxy-request', createProxyRouter());
-  app.use('/api/vaults', createVaultsRouter(vaultRegistry));
-  app.use('/api/fs', createFsRouter(vaultRegistry, appConfig.vaultPath));
-  app.use('/api/electron', createElectronRouter(vaultRegistry, appConfig.vaultPath));
-
-  app.locals.vaultRegistry = vaultRegistry;
-  return app;
-}
-
-function startServer(appConfig = config) {
-  // Discover system plugins (repo-shipped plugins overlaid onto every vault)
-  // before any FS handler runs.
-  systemPlugins.init();
-
-  const app = createApp(appConfig);
-  const server = http.createServer(app);
-  attachWatchServer(server, app.locals.vaultRegistry, appConfig.vaultPath);
-
-  server.listen(appConfig.port, appConfig.host, () => {
-    console.log('==========================================');
-    console.log('  Obsidian Web');
-    console.log('==========================================');
-    console.log('  Vault:    ' + appConfig.vaultPath);
-    console.log('  Obsidian: ' + appConfig.obsidianPath);
-    console.log('  Listening on http://' + appConfig.host + ':' + appConfig.port);
-    console.log('==========================================');
-
-    // Pre-build the bootstrap cache in the background so the first browser
-    // request is a cache HIT instead of a cold build.
-    setImmediate(() => {
-      warmUpBootstrapCache(app.locals.vaultRegistry, appConfig.vaultPath)
-        .catch((err) => console.warn('[bootstrap] warm-up error:', err.message));
-    });
-  });
-
-  return server;
-}
-
-if (require.main === module) {
-  startServer();
-}
-
-module.exports = { createApp, startServer };
+/**
+ * Obsidian Web - HTTP/WebSocket server.
+ *
+ * Serves three things:
+ *   1. The custom src/client/ + src/client-mobile/ files (boot.js, shims, HTML).
+ *   2. Obsidian's untouched renderer files from vendor/obsidian/ and
+ *      vendor/obsidian-mobile/.
+ *   3. A file system API at /api/fs/* and a watcher at /api/watch.
+ */
+
+const express = require('express');
+const compression = require('compression');
+const fsp = require('fs/promises');
+const http = require('http');
+const path = require('path');
+
+const config = require('./config');
+const systemPlugins = require('./system-plugins');
+const createFsRouter = require('./api/fs');
+const createElectronRouter = require('./api/electron');
+const createVaultsRouter = require('./api/vaults');
+const createBootstrapRouter = require('./api/bootstrap');
+const { warmUpBootstrapCache } = require('./api/bootstrap');
+const createProxyRouter = require('./api/proxy');
+const attachWatchServer = require('./api/watch');
+const VaultRegistry = require('./vault-registry');
+const { createAuthMiddleware } = require('./middleware/auth');
+
+function createApp(appConfig = config) {
+  const app = express();
+  const vaultRegistry = new VaultRegistry(appConfig.registryPath);
+
+  // Compression — critical for /api/bootstrap (38MB uncompressed → ~6MB).
+  // Brotli gives ~84% reduction, gzip ~79%. The middleware auto-selects based
+  // on Accept-Encoding: browsers get brotli, curl/other tools get gzip.
+  app.use(compression({ level: 6 }));
+
+  // Optional TOTP auth — enabled by setting TOTP_SECRET env var.
+  // Generate a secret: node -e "const {authenticator}=require('otplib');console.log(authenticator.generateSecret())"
+  // Then visit /__totp-setup?token=YOUR_SECRET to scan the QR code.
+  const authMiddleware = createAuthMiddleware();
+  if (authMiddleware) {
+    app.use(authMiddleware);
+    console.log('[auth] TOTP authentication enabled — visit /__totp-setup?token=YOUR_SECRET to configure your authenticator app');
+  }
+
+  // Request logging - very chatty, but invaluable while we are still
+  // figuring out what Obsidian asks for during boot.
+  app.use((req, res, next) => {
+    const start = Date.now();
+    res.on('finish', () => {
+      const ms = Date.now() - start;
+      const url = req.originalUrl;
+      // Skip noisy static assets to keep the log readable.
+      if (!url.startsWith('/api') && !url.startsWith('/i18n') && !url.startsWith('/lib') && url !== '/') {
+        return;
+      }
+      console.log(`${req.method} ${res.statusCode} ${url} (${ms}ms)`);
+    });
+    next();
+  });
+
+  // Inject ?v=<cacheBust> into all client script/link tags so browsers pick up
+  // changes automatically. The bust value is recomputed at server startup from
+  // client/ and client-mobile/ file mtimes — no manual ?v=N bump needed.
+  const cacheBust = appConfig.clientCacheBust || 'dev';
+  async function sendHtmlWithCacheBust(res, filePath) {
+    try {
+      let html = await fsp.readFile(filePath, 'utf8');
+      // Inject (or replace) ?v=<bust> on all /client/ and /client-mobile/ script and link tags.
+      // Handles both: existing ?v=3 and paths without any query string.
+      html = html.replace(/((?:src|href)="\/client(?:-mobile)?\/[^"]*?)(\?v=[^"&]*)?"(?=[^>]*>)/g,
+        (_, prefix) => `${prefix}?v=${cacheBust}"`);
+      res.setHeader('Content-Type', 'text/html; charset=utf-8');
+      res.setHeader('Cache-Control', 'no-cache');
+      res.send(html);
+    } catch (err) {
+      res.status(500).send('Error loading page: ' + err.message);
+    }
+  }
+
+  // Custom entry point - our index.html, not Obsidian's.
+  app.get('/', (req, res) => {
+    sendHtmlWithCacheBust(res, path.join(appConfig.clientPath, 'index.html'));
+  });
+
+  app.get(['/starter', '/starter.html'], (req, res) => {
+    sendHtmlWithCacheBust(res, path.join(appConfig.clientPath, 'starter.html'));
+  });
+
+  // Mobile client entry point.
+  app.get('/mobile', (req, res) => {
+    sendHtmlWithCacheBust(res, path.join(appConfig.clientMobilePath, 'index.html'));
+  });
+
+  // Static files - order matters: client/ first, then obsidian/.
+  app.use('/client', express.static(appConfig.clientPath, {
+    setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
+  }));
+  app.use('/client-mobile', express.static(appConfig.clientMobilePath, {
+    setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
+  }));
+  app.use('/obsidian', express.static(appConfig.obsidianPath, {
+    setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
+  }));
+  app.use('/obsidian-mobile', express.static(appConfig.obsidianMobilePath, {
+    setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
+  }));
+
+  // Obsidian's renderer fetches resources via absolute paths like /i18n/he.txt
+  // and /lib/... because under Electron those resolve via the app:// protocol
+  // to the bundle root. Mirror them onto the obsidian/ tree.
+  const RESOURCE_DIRS = ['i18n', 'lib', 'public', 'sandbox'];
+  for (const dir of RESOURCE_DIRS) {
+    app.use('/' + dir, express.static(path.join(appConfig.obsidianPath, dir), {
+      setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
+    }));
+  }
+
+  // Worker scripts. Obsidian creates `new Worker("worker.js")` which under
+  // Electron resolves to /Resources/obsidian/worker.js, but in a browser
+  // it resolves relative to the document URL. Serve them at the root.
+  //
+  // THIS IS CRITICAL for the metadata indexer: without worker.js the
+  // metadataCache `this.work(t)` call (which postMessage's to the worker
+  // and waits for a reply) hangs forever, leaving inProgressTaskCount > 0
+  // and blocking everything that waits for onCleanCache (rename, etc.).
+  const ROOT_FILES = ['worker.js', 'sim.js'];
+  for (const f of ROOT_FILES) {
+    app.get('/' + f, (req, res) => {
+      res.sendFile(path.join(appConfig.obsidianPath, f), {
+        headers: { 'Cache-Control': 'no-cache' },
+      });
+    });
+  }
+
+  // API routes.
+  app.use('/api/bootstrap', createBootstrapRouter(vaultRegistry, appConfig.vaultPath));
+  app.use('/api/proxy-request', createProxyRouter());
+  app.use('/api/vaults', createVaultsRouter(vaultRegistry));
+  app.use('/api/fs', createFsRouter(vaultRegistry, appConfig.vaultPath));
+  app.use('/api/electron', createElectronRouter(vaultRegistry, appConfig.vaultPath));
+
+  app.locals.vaultRegistry = vaultRegistry;
+  return app;
+}
+
+function startServer(appConfig = config) {
+  // Discover system plugins (repo-shipped plugins overlaid onto every vault)
+  // before any FS handler runs.
+  systemPlugins.init();
+
+  const app = createApp(appConfig);
+  const server = http.createServer(app);
+  attachWatchServer(server, app.locals.vaultRegistry, appConfig.vaultPath);
+
+  server.listen(appConfig.port, appConfig.host, () => {
+    console.log('==========================================');
+    console.log('  Obsidian Web');
+    console.log('==========================================');
+    console.log('  Vault:    ' + appConfig.vaultPath);
+    console.log('  Obsidian: ' + appConfig.obsidianPath);
+    console.log('  Listening on http://' + appConfig.host + ':' + appConfig.port);
+    console.log('==========================================');
+
+    // Pre-build the bootstrap cache in the background so the first browser
+    // request is a cache HIT instead of a cold build.
+    setImmediate(() => {
+      warmUpBootstrapCache(app.locals.vaultRegistry, appConfig.vaultPath)
+        .catch((err) => console.warn('[bootstrap] warm-up error:', err.message));
+    });
+  });
+
+  return server;
+}
+
+if (require.main === module) {
+  startServer();
+}
+
+module.exports = { createApp, startServer };
diff --git a/src/server/middleware/auth.js b/src/server/middleware/auth.js
index 2b1795a..f07aa76 100644
--- a/src/server/middleware/auth.js
+++ b/src/server/middleware/auth.js
@@ -1,20 +1,33 @@
 'use strict';
 
 /**
- * Optional API-key authentication middleware.
- * Activated when AUTH_KEY env var is set.
+ * TOTP authentication middleware.
+ * Activated when TOTP_SECRET env var is set.
  *
- * The key can be supplied via:
- *   - Cookie:               obsidian-web-key=<AUTH_KEY>
- *   - Query param + login:  /__auth?key=<AUTH_KEY>
- *   - Authorization header: Bearer <AUTH_KEY>  (for API clients)
+ * Routes:
+ *   /__login        — 6-digit code entry form
+ *   /__auth?code=   — verifies code, sets session cookie
+ *   /__totp-setup   — QR code + raw secret (requires ?token=TOTP_SECRET)
  *
- * Browser requests go to a login page; /api/* gets a 401 JSON response.
+ * Generate a secret (run once in src/server/):
+ *   node -e "const {authenticator}=require('otplib');console.log(authenticator.generateSecret())"
  */
 
-const AUTH_KEY   = process.env.AUTH_KEY || '';
-const COOKIE     = 'obsidian-web-key';
-const MAX_AGE    = 7 * 24 * 60 * 60; // 7 days (seconds)
+const crypto        = require('crypto');
+const { authenticator } = require('otplib');
+const QRCode        = require('qrcode');
+
+const TOTP_SECRET = process.env.TOTP_SECRET || '';
+const COOKIE      = 'obsidian-web-session';
+const MAX_AGE     = 7 * 24 * 60 * 60; // 7 days
+
+// Allow 1 step (±30 s) of clock drift between phone and server
+authenticator.options = { window: 1 };
+
+// Session token is derived from the TOTP secret — consistent across restarts
+const SESSION_TOKEN = TOTP_SECRET
+  ? crypto.createHmac('sha256', TOTP_SECRET).update('v1:session').digest('hex')
+  : '';
 
 function parseCookies(req) {
   return Object.fromEntries(
@@ -26,13 +39,11 @@ function parseCookies(req) {
 }
 
 function isAuthenticated(req) {
-  if (parseCookies(req)[COOKIE] === AUTH_KEY) return true;
-  if (req.query?.key === AUTH_KEY) return true;
-  const auth = req.headers.authorization || '';
-  if (auth.startsWith('Bearer ') && auth.slice(7) === AUTH_KEY) return true;
-  return false;
+  return parseCookies(req)[COOKIE] === SESSION_TOKEN;
 }
 
+// ── HTML pages ─────────────────────────────────────────────────────────────────
+
 const LOGIN_HTML = `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -44,76 +55,193 @@ const LOGIN_HTML = `<!DOCTYPE html>
     body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;
          background:#1e2127;color:#abb2bf;
          display:flex;align-items:center;justify-content:center;min-height:100vh}
-    .card{background:#282c34;border-radius:8px;padding:2rem;
-          width:100%;max-width:340px;box-shadow:0 4px 24px rgba(0,0,0,.4)}
-    h1{color:#e06c75;font-size:1.2rem;margin-bottom:1.5rem;text-align:center}
-    label{display:block;font-size:.82rem;margin-bottom:.35rem;color:#7f848e}
-    input[type=password]{width:100%;padding:.6rem .75rem;border-radius:4px;
-          border:1px solid #3e4451;background:#1e2127;color:#abb2bf;
-          font-size:1rem;margin-bottom:1rem}
-    button{width:100%;padding:.65rem;border:none;border-radius:4px;
-           background:#e06c75;color:#fff;font-size:1rem;cursor:pointer}
-    button:hover{background:#be5046}
-    .err{color:#e06c75;font-size:.82rem;margin-bottom:.9rem;display:none}
-    .err.show{display:block}
+    .card{background:#282c34;border-radius:10px;padding:2rem 2rem 1.75rem;
+          width:100%;max-width:320px;box-shadow:0 4px 32px rgba(0,0,0,.5)}
+    h1{color:#e5c07b;font-size:1.1rem;margin-bottom:.35rem;text-align:center}
+    p.sub{color:#7f848e;font-size:.82rem;text-align:center;margin-bottom:1.6rem}
+    .digits{display:flex;gap:8px;justify-content:center;margin-bottom:1.1rem}
+    .digits input{
+      width:40px;height:52px;border-radius:6px;border:1.5px solid #3e4451;
+      background:#1e2127;color:#e5c07b;font-size:1.5rem;font-weight:600;
+      text-align:center;outline:none;transition:border-color .15s;
+      /* hide number spinners */
+      -moz-appearance:textfield;
+    }
+    .digits input::-webkit-inner-spin-button,
+    .digits input::-webkit-outer-spin-button{-webkit-appearance:none}
+    .digits input:focus{border-color:#e5c07b}
+    .err{color:#e06c75;font-size:.82rem;text-align:center;
+         min-height:1.2em;margin-bottom:.75rem}
+    button{width:100%;padding:.65rem;border:none;border-radius:6px;
+           background:#e5c07b;color:#1e2127;font-size:1rem;
+           font-weight:600;cursor:pointer}
+    button:hover{background:#d4af5a}
+    button:disabled{opacity:.5;cursor:default}
   </style>
 </head>
 <body>
   <div class="card">
-    <h1>🔒 Obsidian Web</h1>
-    <p class="err" id="err">Invalid key — try again.</p>
-    <form id="f">
-      <label for="k">Access key</label>
-      <input id="k" type="password" placeholder="Enter your access key" autofocus/>
-      <button type="submit">Sign in</button>
+    <h1>🔐 Obsidian Web</h1>
+    <p class="sub">Enter the 6-digit code from your authenticator app</p>
+    <form id="f" method="get" action="/__auth">
+      <input type="hidden" name="next" id="next"/>
+      <input type="hidden" name="code" id="code"/>
+      <div class="digits" id="digits">
+        <input type="number" maxlength="1" min="0" max="9" inputmode="numeric" autofocus/>
+        <input type="number" maxlength="1" min="0" max="9" inputmode="numeric"/>
+        <input type="number" maxlength="1" min="0" max="9" inputmode="numeric"/>
+        <input type="number" maxlength="1" min="0" max="9" inputmode="numeric"/>
+        <input type="number" maxlength="1" min="0" max="9" inputmode="numeric"/>
+        <input type="number" maxlength="1" min="0" max="9" inputmode="numeric"/>
+      </div>
+      <p class="err" id="err"></p>
+      <button type="submit" id="btn" disabled>Sign in</button>
     </form>
   </div>
   <script>
     const p=new URLSearchParams(location.search);
-    if(p.get('error'))document.getElementById('err').classList.add('show');
+    document.getElementById('next').value=p.get('next')||'/';
+    if(p.get('error'))document.getElementById('err').textContent='Incorrect code — try again.';
+    const inputs=[...document.querySelectorAll('.digits input')];
+    const btn=document.getElementById('btn');
+    function getCode(){return inputs.map(i=>i.value).join('');}
+    function update(){btn.disabled=getCode().length<6;}
+    inputs.forEach((inp,i)=>{
+      inp.addEventListener('input',e=>{
+        // clamp to single digit
+        if(inp.value.length>1)inp.value=inp.value.slice(-1);
+        inp.value=inp.value.replace(/[^0-9]/g,'');
+        update();
+        if(inp.value&&i<5)inputs[i+1].focus();
+        if(getCode().length===6)document.getElementById('f').requestSubmit();
+      });
+      inp.addEventListener('keydown',e=>{
+        if(e.key==='Backspace'&&!inp.value&&i>0)inputs[i-1].focus();
+      });
+      inp.addEventListener('paste',e=>{
+        const txt=(e.clipboardData||window.clipboardData).getData('text').replace(/\D/g,'').slice(0,6);
+        txt.split('').forEach((d,j)=>{if(inputs[i+j])inputs[i+j].value=d;});
+        update();e.preventDefault();
+        if(getCode().length===6)document.getElementById('f').requestSubmit();
+      });
+    });
     document.getElementById('f').addEventListener('submit',e=>{
-      e.preventDefault();
-      const dest=p.get('next')||'/';
-      location.href='/__auth?key='+encodeURIComponent(document.getElementById('k').value)
-                   +'&next='+encodeURIComponent(dest);
+      document.getElementById('code').value=getCode();
     });
   </script>
 </body>
 </html>`;
 
-/**
- * Returns an Express middleware if AUTH_KEY is set, otherwise null.
- */
+async function buildSetupPage(secret) {
+  const otpauth = authenticator.keyuri('obsidian-web', 'Obsidian Web', secret);
+  const qrSvg   = await QRCode.toString(otpauth, { type: 'svg', width: 220, margin: 2 });
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8"/>
+  <meta name="viewport" content="width=device-width,initial-scale=1"/>
+  <title>Obsidian Web — Authenticator Setup</title>
+  <style>
+    *{box-sizing:border-box;margin:0;padding:0}
+    body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;
+         background:#1e2127;color:#abb2bf;
+         display:flex;align-items:center;justify-content:center;
+         min-height:100vh;padding:1.5rem}
+    .card{background:#282c34;border-radius:10px;padding:2rem;
+          width:100%;max-width:380px;box-shadow:0 4px 32px rgba(0,0,0,.5)}
+    h1{color:#e5c07b;font-size:1.15rem;margin-bottom:.4rem}
+    p{color:#7f848e;font-size:.85rem;line-height:1.5;margin-bottom:1.2rem}
+    .qr{background:#fff;border-radius:8px;padding:12px;
+        display:inline-flex;margin-bottom:1.4rem}
+    .qr svg{display:block}
+    h2{color:#abb2bf;font-size:.85rem;font-weight:600;
+       text-transform:uppercase;letter-spacing:.05em;margin-bottom:.5rem}
+    .secret{background:#1e2127;border-radius:6px;padding:.75rem 1rem;
+            font-family:'SF Mono','Fira Mono','Consolas',monospace;
+            font-size:1.1rem;letter-spacing:.12em;color:#98c379;
+            word-break:break-all;margin-bottom:1.4rem;
+            border:1px solid #3e4451;user-select:all;cursor:pointer}
+    .secret:hover{border-color:#e5c07b}
+    .apps{display:flex;flex-wrap:wrap;gap:.5rem;margin-bottom:1.4rem}
+    .apps a{background:#2c313c;color:#abb2bf;text-decoration:none;
+            padding:.35rem .75rem;border-radius:20px;font-size:.8rem}
+    .apps a:hover{color:#e5c07b}
+    .note{background:#2c313c;border-left:3px solid #e06c75;
+          padding:.75rem 1rem;border-radius:0 6px 6px 0;
+          font-size:.82rem;color:#7f848e}
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h1>🔐 Authenticator Setup</h1>
+    <p>Scan the QR code with your authenticator app, or enter the secret manually.</p>
+
+    <div class="qr">${qrSvg}</div>
+
+    <h2>Manual entry code</h2>
+    <div class="secret" title="Click to select all">${secret}</div>
+
+    <h2>Compatible apps</h2>
+    <div class="apps">
+      <a href="https://apps.apple.com/app/google-authenticator/id388497605" target="_blank">Google Authenticator (iOS)</a>
+      <a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2" target="_blank">Google Authenticator (Android)</a>
+      <a href="https://authy.com/download/" target="_blank">Authy</a>
+      <a href="https://apps.apple.com/app/microsoft-authenticator/id983156458" target="_blank">Microsoft Authenticator</a>
+    </div>
+
+    <div class="note">
+      <strong>Keep this page private.</strong><br/>
+      Once you've scanned or copied the code, close this tab.
+      The secret is stored in your <code>TOTP_SECRET</code> environment variable.
+    </div>
+  </div>
+</body>
+</html>`;
+}
+
+// ── Middleware factory ─────────────────────────────────────────────────────────
+
 function createAuthMiddleware() {
-  if (!AUTH_KEY) return null;
+  if (!TOTP_SECRET) return null;
+
+  return async function authMiddleware(req, res, next) {
+
+    // ── Setup page ── requires ?token=TOTP_SECRET so only the owner can view it
+    if (req.path === '/__totp-setup') {
+      if ((req.query?.token || '') !== TOTP_SECRET) {
+        return res.status(403).end('Forbidden — add ?token=YOUR_TOTP_SECRET to the URL');
+      }
+      const html = await buildSetupPage(TOTP_SECRET);
+      res.setHeader('Content-Type', 'text/html; charset=utf-8');
+      return res.end(html);
+    }
 
-  return function authMiddleware(req, res, next) {
-    // ── Auth callback: verify key, set cookie, redirect ──
+    // ── Auth endpoint ── verify code, set cookie
     if (req.path === '/__auth') {
-      const key  = req.query?.key  || '';
+      const code = String(req.query?.code || '').replace(/\D/g, '');
       const dest = req.query?.next || '/';
-      if (key === AUTH_KEY) {
+      if (code.length === 6 && authenticator.verify({ token: code, secret: TOTP_SECRET })) {
         res.setHeader('Set-Cookie',
-          `${COOKIE}=${AUTH_KEY}; Path=/; Max-Age=${MAX_AGE}; HttpOnly; SameSite=Strict`);
+          `${COOKIE}=${SESSION_TOKEN}; Path=/; Max-Age=${MAX_AGE}; HttpOnly; SameSite=Strict`);
         return res.redirect(dest);
       }
       return res.redirect(`/__login?error=1&next=${encodeURIComponent(dest)}`);
     }
 
-    // ── Login page: always accessible ──
+    // ── Login page ── always accessible (no point hiding it)
     if (req.path === '/__login') {
       res.setHeader('Content-Type', 'text/html; charset=utf-8');
       return res.end(LOGIN_HTML);
     }
 
-    // ── Authenticated: pass through ──
+    // ── Authenticated ──
     if (isAuthenticated(req)) return next();
 
     // ── Unauthenticated ──
     const wantsJson = req.path.startsWith('/api/') ||
                       (req.headers.accept || '').includes('application/json');
     if (wantsJson) {
-      return res.status(401).json({ error: 'Unauthorized — provide a valid Bearer token or cookie' });
+      return res.status(401).json({ error: 'Unauthorized — valid TOTP session required' });
     }
     res.redirect(`/__login?next=${encodeURIComponent(req.originalUrl)}`);
   };
diff --git a/src/server/package-lock.json b/src/server/package-lock.json
index 29c4a64..60f3e90 100644
--- a/src/server/package-lock.json
+++ b/src/server/package-lock.json
@@ -1,1100 +1,1476 @@
-{
-  "name": "obsidian-web-server",
-  "version": "0.1.0",
-  "lockfileVersion": 3,
-  "requires": true,
-  "packages": {
-    "": {
-      "name": "obsidian-web-server",
-      "version": "0.1.0",
-      "dependencies": {
-        "chokidar": "^3.6.0",
-        "compression": "^1.8.1",
-        "express": "^4.21.0",
-        "ws": "^8.18.0"
-      }
-    },
-    "node_modules/accepts": {
-      "version": "1.3.8",
-      "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz",
-      "integrity": "sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==",
-      "license": "MIT",
-      "dependencies": {
-        "mime-types": "~2.1.34",
-        "negotiator": "0.6.3"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/anymatch": {
-      "version": "3.1.3",
-      "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz",
-      "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==",
-      "license": "ISC",
-      "dependencies": {
-        "normalize-path": "^3.0.0",
-        "picomatch": "^2.0.4"
-      },
-      "engines": {
-        "node": ">= 8"
-      }
-    },
-    "node_modules/array-flatten": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz",
-      "integrity": "sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg==",
-      "license": "MIT"
-    },
-    "node_modules/binary-extensions": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
-      "integrity": "sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=8"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
-    "node_modules/body-parser": {
-      "version": "1.20.5",
-      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.5.tgz",
-      "integrity": "sha512-3grm+/2tUOvu2cjJkvsIxrv/wVpfXQW4PsQHYm7yk4vfpu7Ekl6nEsYBoJUL6qDwZUx8wUhQ8tR2qz+ad9c9OA==",
-      "license": "MIT",
-      "dependencies": {
-        "bytes": "~3.1.2",
-        "content-type": "~1.0.5",
-        "debug": "2.6.9",
-        "depd": "2.0.0",
-        "destroy": "~1.2.0",
-        "http-errors": "~2.0.1",
-        "iconv-lite": "~0.4.24",
-        "on-finished": "~2.4.1",
-        "qs": "~6.15.1",
-        "raw-body": "~2.5.3",
-        "type-is": "~1.6.18",
-        "unpipe": "~1.0.0"
-      },
-      "engines": {
-        "node": ">= 0.8",
-        "npm": "1.2.8000 || >= 1.4.16"
-      }
-    },
-    "node_modules/body-parser/node_modules/qs": {
-      "version": "6.15.1",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.1.tgz",
-      "integrity": "sha512-6YHEFRL9mfgcAvql/XhwTvf5jKcOiiupt2FiJxHkiX1z4j7WL8J/jRHYLluORvc1XxB5rV20KoeK00gVJamspg==",
-      "license": "BSD-3-Clause",
-      "dependencies": {
-        "side-channel": "^1.1.0"
-      },
-      "engines": {
-        "node": ">=0.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/braces": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
-      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
-      "license": "MIT",
-      "dependencies": {
-        "fill-range": "^7.1.1"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/bytes": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
-      "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/call-bind-apply-helpers": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz",
-      "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==",
-      "license": "MIT",
-      "dependencies": {
-        "es-errors": "^1.3.0",
-        "function-bind": "^1.1.2"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
-    "node_modules/call-bound": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/call-bound/-/call-bound-1.0.4.tgz",
-      "integrity": "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==",
-      "license": "MIT",
-      "dependencies": {
-        "call-bind-apply-helpers": "^1.0.2",
-        "get-intrinsic": "^1.3.0"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/chokidar": {
-      "version": "3.6.0",
-      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz",
-      "integrity": "sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==",
-      "license": "MIT",
-      "dependencies": {
-        "anymatch": "~3.1.2",
-        "braces": "~3.0.2",
-        "glob-parent": "~5.1.2",
-        "is-binary-path": "~2.1.0",
-        "is-glob": "~4.0.1",
-        "normalize-path": "~3.0.0",
-        "readdirp": "~3.6.0"
-      },
-      "engines": {
-        "node": ">= 8.10.0"
-      },
-      "funding": {
-        "url": "https://paulmillr.com/funding/"
-      },
-      "optionalDependencies": {
-        "fsevents": "~2.3.2"
-      }
-    },
-    "node_modules/compressible": {
-      "version": "2.0.18",
-      "resolved": "https://registry.npmjs.org/compressible/-/compressible-2.0.18.tgz",
-      "integrity": "sha512-AF3r7P5dWxL8MxyITRMlORQNaOA2IkAFaTr4k7BUumjPtRpGDTZpl0Pb1XCO6JeDCBdp126Cgs9sMxqSjgYyRg==",
-      "license": "MIT",
-      "dependencies": {
-        "mime-db": ">= 1.43.0 < 2"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/compression": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/compression/-/compression-1.8.1.tgz",
-      "integrity": "sha512-9mAqGPHLakhCLeNyxPkK4xVo746zQ/czLH1Ky+vkitMnWfWZps8r0qXuwhwizagCRttsL4lfG4pIOvaWLpAP0w==",
-      "license": "MIT",
-      "dependencies": {
-        "bytes": "3.1.2",
-        "compressible": "~2.0.18",
-        "debug": "2.6.9",
-        "negotiator": "~0.6.4",
-        "on-headers": "~1.1.0",
-        "safe-buffer": "5.2.1",
-        "vary": "~1.1.2"
-      },
-      "engines": {
-        "node": ">= 0.8.0"
-      }
-    },
-    "node_modules/compression/node_modules/negotiator": {
-      "version": "0.6.4",
-      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.4.tgz",
-      "integrity": "sha512-myRT3DiWPHqho5PrJaIRyaMv2kgYf0mUVgBNOYMuCH5Ki1yEiQaf/ZJuQ62nvpc44wL5WDbTX7yGJi1Neevw8w==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/content-disposition": {
-      "version": "0.5.4",
-      "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.4.tgz",
-      "integrity": "sha512-FveZTNuGw04cxlAiWbzi6zTAL/lhehaWbTtgluJh4/E95DqMwTmha3KZN1aAWA8cFIhHzMZUvLevkw5Rqk+tSQ==",
-      "license": "MIT",
-      "dependencies": {
-        "safe-buffer": "5.2.1"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/content-type": {
-      "version": "1.0.5",
-      "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz",
-      "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/cookie": {
-      "version": "0.7.2",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
-      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/cookie-signature": {
-      "version": "1.0.7",
-      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.7.tgz",
-      "integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA==",
-      "license": "MIT"
-    },
-    "node_modules/debug": {
-      "version": "2.6.9",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
-      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
-      "license": "MIT",
-      "dependencies": {
-        "ms": "2.0.0"
-      }
-    },
-    "node_modules/depd": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz",
-      "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/destroy": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz",
-      "integrity": "sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8",
-        "npm": "1.2.8000 || >= 1.4.16"
-      }
-    },
-    "node_modules/dunder-proto": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
-      "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
-      "license": "MIT",
-      "dependencies": {
-        "call-bind-apply-helpers": "^1.0.1",
-        "es-errors": "^1.3.0",
-        "gopd": "^1.2.0"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
-    "node_modules/ee-first": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
-      "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==",
-      "license": "MIT"
-    },
-    "node_modules/encodeurl": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz",
-      "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/es-define-property": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
-      "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
-    "node_modules/es-errors": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
-      "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
-    "node_modules/es-object-atoms": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz",
-      "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==",
-      "license": "MIT",
-      "dependencies": {
-        "es-errors": "^1.3.0"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
-    "node_modules/escape-html": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
-      "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==",
-      "license": "MIT"
-    },
-    "node_modules/etag": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
-      "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/express": {
-      "version": "4.22.1",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.22.1.tgz",
-      "integrity": "sha512-F2X8g9P1X7uCPZMA3MVf9wcTqlyNp7IhH5qPCI0izhaOIYXaW9L535tGA3qmjRzpH+bZczqq7hVKxTR4NWnu+g==",
-      "license": "MIT",
-      "dependencies": {
-        "accepts": "~1.3.8",
-        "array-flatten": "1.1.1",
-        "body-parser": "~1.20.3",
-        "content-disposition": "~0.5.4",
-        "content-type": "~1.0.4",
-        "cookie": "~0.7.1",
-        "cookie-signature": "~1.0.6",
-        "debug": "2.6.9",
-        "depd": "2.0.0",
-        "encodeurl": "~2.0.0",
-        "escape-html": "~1.0.3",
-        "etag": "~1.8.1",
-        "finalhandler": "~1.3.1",
-        "fresh": "~0.5.2",
-        "http-errors": "~2.0.0",
-        "merge-descriptors": "1.0.3",
-        "methods": "~1.1.2",
-        "on-finished": "~2.4.1",
-        "parseurl": "~1.3.3",
-        "path-to-regexp": "~0.1.12",
-        "proxy-addr": "~2.0.7",
-        "qs": "~6.14.0",
-        "range-parser": "~1.2.1",
-        "safe-buffer": "5.2.1",
-        "send": "~0.19.0",
-        "serve-static": "~1.16.2",
-        "setprototypeof": "1.2.0",
-        "statuses": "~2.0.1",
-        "type-is": "~1.6.18",
-        "utils-merge": "1.0.1",
-        "vary": "~1.1.2"
-      },
-      "engines": {
-        "node": ">= 0.10.0"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
-      }
-    },
-    "node_modules/fill-range": {
-      "version": "7.1.1",
-      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
-      "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
-      "license": "MIT",
-      "dependencies": {
-        "to-regex-range": "^5.0.1"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/finalhandler": {
-      "version": "1.3.2",
-      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.3.2.tgz",
-      "integrity": "sha512-aA4RyPcd3badbdABGDuTXCMTtOneUCAYH/gxoYRTZlIJdF0YPWuGqiAsIrhNnnqdXGswYk6dGujem4w80UJFhg==",
-      "license": "MIT",
-      "dependencies": {
-        "debug": "2.6.9",
-        "encodeurl": "~2.0.0",
-        "escape-html": "~1.0.3",
-        "on-finished": "~2.4.1",
-        "parseurl": "~1.3.3",
-        "statuses": "~2.0.2",
-        "unpipe": "~1.0.0"
-      },
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/forwarded": {
-      "version": "0.2.0",
-      "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz",
-      "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/fresh": {
-      "version": "0.5.2",
-      "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
-      "integrity": "sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/fsevents": {
-      "version": "2.3.3",
-      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
-      "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
-      "hasInstallScript": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "engines": {
-        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
-      }
-    },
-    "node_modules/function-bind": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
-      "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
-      "license": "MIT",
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/get-intrinsic": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz",
-      "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==",
-      "license": "MIT",
-      "dependencies": {
-        "call-bind-apply-helpers": "^1.0.2",
-        "es-define-property": "^1.0.1",
-        "es-errors": "^1.3.0",
-        "es-object-atoms": "^1.1.1",
-        "function-bind": "^1.1.2",
-        "get-proto": "^1.0.1",
-        "gopd": "^1.2.0",
-        "has-symbols": "^1.1.0",
-        "hasown": "^2.0.2",
-        "math-intrinsics": "^1.1.0"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/get-proto": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz",
-      "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==",
-      "license": "MIT",
-      "dependencies": {
-        "dunder-proto": "^1.0.1",
-        "es-object-atoms": "^1.0.0"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
-    "node_modules/glob-parent": {
-      "version": "5.1.2",
-      "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
-      "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
-      "license": "ISC",
-      "dependencies": {
-        "is-glob": "^4.0.1"
-      },
-      "engines": {
-        "node": ">= 6"
-      }
-    },
-    "node_modules/gopd": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
-      "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/has-symbols": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
-      "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/hasown": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz",
-      "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==",
-      "license": "MIT",
-      "dependencies": {
-        "function-bind": "^1.1.2"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
-    "node_modules/http-errors": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
-      "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==",
-      "license": "MIT",
-      "dependencies": {
-        "depd": "~2.0.0",
-        "inherits": "~2.0.4",
-        "setprototypeof": "~1.2.0",
-        "statuses": "~2.0.2",
-        "toidentifier": "~1.0.1"
-      },
-      "engines": {
-        "node": ">= 0.8"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
-      }
-    },
-    "node_modules/iconv-lite": {
-      "version": "0.4.24",
-      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
-      "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
-      "license": "MIT",
-      "dependencies": {
-        "safer-buffer": ">= 2.1.2 < 3"
-      },
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/inherits": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
-      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
-      "license": "ISC"
-    },
-    "node_modules/ipaddr.js": {
-      "version": "1.9.1",
-      "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",
-      "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.10"
-      }
-    },
-    "node_modules/is-binary-path": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz",
-      "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==",
-      "license": "MIT",
-      "dependencies": {
-        "binary-extensions": "^2.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/is-extglob": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
-      "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/is-glob": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz",
-      "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
-      "license": "MIT",
-      "dependencies": {
-        "is-extglob": "^2.1.1"
-      },
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/is-number": {
-      "version": "7.0.0",
-      "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
-      "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.12.0"
-      }
-    },
-    "node_modules/math-intrinsics": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
-      "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
-    "node_modules/media-typer": {
-      "version": "0.3.0",
-      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
-      "integrity": "sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/merge-descriptors": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.3.tgz",
-      "integrity": "sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==",
-      "license": "MIT",
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
-    "node_modules/methods": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz",
-      "integrity": "sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/mime": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz",
-      "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==",
-      "license": "MIT",
-      "bin": {
-        "mime": "cli.js"
-      },
-      "engines": {
-        "node": ">=4"
-      }
-    },
-    "node_modules/mime-db": {
-      "version": "1.52.0",
-      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
-      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/mime-types": {
-      "version": "2.1.35",
-      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
-      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
-      "license": "MIT",
-      "dependencies": {
-        "mime-db": "1.52.0"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/ms": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
-      "license": "MIT"
-    },
-    "node_modules/negotiator": {
-      "version": "0.6.3",
-      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz",
-      "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/normalize-path": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
-      "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/object-inspect": {
-      "version": "1.13.4",
-      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz",
-      "integrity": "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/on-finished": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz",
-      "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==",
-      "license": "MIT",
-      "dependencies": {
-        "ee-first": "1.1.1"
-      },
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/on-headers": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.1.0.tgz",
-      "integrity": "sha512-737ZY3yNnXy37FHkQxPzt4UZ2UWPWiCZWLvFZ4fu5cueciegX0zGPnrlY6bwRg4FdQOe9YU8MkmJwGhoMybl8A==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/parseurl": {
-      "version": "1.3.3",
-      "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
-      "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/path-to-regexp": {
-      "version": "0.1.13",
-      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.13.tgz",
-      "integrity": "sha512-A/AGNMFN3c8bOlvV9RreMdrv7jsmF9XIfDeCd87+I8RNg6s78BhJxMu69NEMHBSJFxKidViTEdruRwEk/WIKqA==",
-      "license": "MIT"
-    },
-    "node_modules/picomatch": {
-      "version": "2.3.2",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
-      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=8.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/jonschlinkert"
-      }
-    },
-    "node_modules/proxy-addr": {
-      "version": "2.0.7",
-      "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz",
-      "integrity": "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==",
-      "license": "MIT",
-      "dependencies": {
-        "forwarded": "0.2.0",
-        "ipaddr.js": "1.9.1"
-      },
-      "engines": {
-        "node": ">= 0.10"
-      }
-    },
-    "node_modules/qs": {
-      "version": "6.14.2",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.2.tgz",
-      "integrity": "sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==",
-      "license": "BSD-3-Clause",
-      "dependencies": {
-        "side-channel": "^1.1.0"
-      },
-      "engines": {
-        "node": ">=0.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/range-parser": {
-      "version": "1.2.1",
-      "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
-      "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/raw-body": {
-      "version": "2.5.3",
-      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.3.tgz",
-      "integrity": "sha512-s4VSOf6yN0rvbRZGxs8Om5CWj6seneMwK3oDb4lWDH0UPhWcxwOWw5+qk24bxq87szX1ydrwylIOp2uG1ojUpA==",
-      "license": "MIT",
-      "dependencies": {
-        "bytes": "~3.1.2",
-        "http-errors": "~2.0.1",
-        "iconv-lite": "~0.4.24",
-        "unpipe": "~1.0.0"
-      },
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/readdirp": {
-      "version": "3.6.0",
-      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz",
-      "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==",
-      "license": "MIT",
-      "dependencies": {
-        "picomatch": "^2.2.1"
-      },
-      "engines": {
-        "node": ">=8.10.0"
-      }
-    },
-    "node_modules/safe-buffer": {
-      "version": "5.2.1",
-      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
-      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/feross"
-        },
-        {
-          "type": "patreon",
-          "url": "https://www.patreon.com/feross"
-        },
-        {
-          "type": "consulting",
-          "url": "https://feross.org/support"
-        }
-      ],
-      "license": "MIT"
-    },
-    "node_modules/safer-buffer": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
-      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
-      "license": "MIT"
-    },
-    "node_modules/send": {
-      "version": "0.19.2",
-      "resolved": "https://registry.npmjs.org/send/-/send-0.19.2.tgz",
-      "integrity": "sha512-VMbMxbDeehAxpOtWJXlcUS5E8iXh6QmN+BkRX1GARS3wRaXEEgzCcB10gTQazO42tpNIya8xIyNx8fll1OFPrg==",
-      "license": "MIT",
-      "dependencies": {
-        "debug": "2.6.9",
-        "depd": "2.0.0",
-        "destroy": "1.2.0",
-        "encodeurl": "~2.0.0",
-        "escape-html": "~1.0.3",
-        "etag": "~1.8.1",
-        "fresh": "~0.5.2",
-        "http-errors": "~2.0.1",
-        "mime": "1.6.0",
-        "ms": "2.1.3",
-        "on-finished": "~2.4.1",
-        "range-parser": "~1.2.1",
-        "statuses": "~2.0.2"
-      },
-      "engines": {
-        "node": ">= 0.8.0"
-      }
-    },
-    "node_modules/send/node_modules/ms": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
-      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
-      "license": "MIT"
-    },
-    "node_modules/serve-static": {
-      "version": "1.16.3",
-      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.3.tgz",
-      "integrity": "sha512-x0RTqQel6g5SY7Lg6ZreMmsOzncHFU7nhnRWkKgWuMTu5NN0DR5oruckMqRvacAN9d5w6ARnRBXl9xhDCgfMeA==",
-      "license": "MIT",
-      "dependencies": {
-        "encodeurl": "~2.0.0",
-        "escape-html": "~1.0.3",
-        "parseurl": "~1.3.3",
-        "send": "~0.19.1"
-      },
-      "engines": {
-        "node": ">= 0.8.0"
-      }
-    },
-    "node_modules/setprototypeof": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz",
-      "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==",
-      "license": "ISC"
-    },
-    "node_modules/side-channel": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz",
-      "integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==",
-      "license": "MIT",
-      "dependencies": {
-        "es-errors": "^1.3.0",
-        "object-inspect": "^1.13.3",
-        "side-channel-list": "^1.0.0",
-        "side-channel-map": "^1.0.1",
-        "side-channel-weakmap": "^1.0.2"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/side-channel-list": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.1.tgz",
-      "integrity": "sha512-mjn/0bi/oUURjc5Xl7IaWi/OJJJumuoJFQJfDDyO46+hBWsfaVM65TBHq2eoZBhzl9EchxOijpkbRC8SVBQU0w==",
-      "license": "MIT",
-      "dependencies": {
-        "es-errors": "^1.3.0",
-        "object-inspect": "^1.13.4"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/side-channel-map": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/side-channel-map/-/side-channel-map-1.0.1.tgz",
-      "integrity": "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==",
-      "license": "MIT",
-      "dependencies": {
-        "call-bound": "^1.0.2",
-        "es-errors": "^1.3.0",
-        "get-intrinsic": "^1.2.5",
-        "object-inspect": "^1.13.3"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/side-channel-weakmap": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz",
-      "integrity": "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==",
-      "license": "MIT",
-      "dependencies": {
-        "call-bound": "^1.0.2",
-        "es-errors": "^1.3.0",
-        "get-intrinsic": "^1.2.5",
-        "object-inspect": "^1.13.3",
-        "side-channel-map": "^1.0.1"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/statuses": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz",
-      "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/to-regex-range": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
-      "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
-      "license": "MIT",
-      "dependencies": {
-        "is-number": "^7.0.0"
-      },
-      "engines": {
-        "node": ">=8.0"
-      }
-    },
-    "node_modules/toidentifier": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz",
-      "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.6"
-      }
-    },
-    "node_modules/type-is": {
-      "version": "1.6.18",
-      "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
-      "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==",
-      "license": "MIT",
-      "dependencies": {
-        "media-typer": "0.3.0",
-        "mime-types": "~2.1.24"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/unpipe": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
-      "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/utils-merge": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz",
-      "integrity": "sha512-pMZTvIkT1d+TFGvDOqodOclx0QWkkgi6Tdoa8gC8ffGAAqz9pzPTZWAybbsHHoED/ztMtkv/VoYTYyShUn81hA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.4.0"
-      }
-    },
-    "node_modules/vary": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
-      "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/ws": {
-      "version": "8.20.0",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz",
-      "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=10.0.0"
-      },
-      "peerDependencies": {
-        "bufferutil": "^4.0.1",
-        "utf-8-validate": ">=5.0.2"
-      },
-      "peerDependenciesMeta": {
-        "bufferutil": {
-          "optional": true
-        },
-        "utf-8-validate": {
-          "optional": true
-        }
-      }
-    }
-  }
-}
+{
+  "name": "obsidian-web-server",
+  "version": "0.1.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "obsidian-web-server",
+      "version": "0.1.0",
+      "dependencies": {
+        "chokidar": "^3.6.0",
+        "compression": "^1.8.1",
+        "express": "^4.21.0",
+        "otplib": "^12.0.1",
+        "qrcode": "^1.5.4",
+        "ws": "^8.18.0"
+      }
+    },
+    "node_modules/@otplib/core": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/@otplib/core/-/core-12.0.1.tgz",
+      "integrity": "sha512-4sGntwbA/AC+SbPhbsziRiD+jNDdIzsZ3JUyfZwjtKyc/wufl1pnSIaG4Uqx8ymPagujub0o92kgBnB89cuAMA==",
+      "license": "MIT"
+    },
+    "node_modules/@otplib/plugin-crypto": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/@otplib/plugin-crypto/-/plugin-crypto-12.0.1.tgz",
+      "integrity": "sha512-qPuhN3QrT7ZZLcLCyKOSNhuijUi9G5guMRVrxq63r9YNOxxQjPm59gVxLM+7xGnHnM6cimY57tuKsjK7y9LM1g==",
+      "deprecated": "Please upgrade to v13 of otplib. Refer to otplib docs for migration paths",
+      "license": "MIT",
+      "dependencies": {
+        "@otplib/core": "^12.0.1"
+      }
+    },
+    "node_modules/@otplib/plugin-thirty-two": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/@otplib/plugin-thirty-two/-/plugin-thirty-two-12.0.1.tgz",
+      "integrity": "sha512-MtT+uqRso909UkbrrYpJ6XFjj9D+x2Py7KjTO9JDPhL0bJUYVu5kFP4TFZW4NFAywrAtFRxOVY261u0qwb93gA==",
+      "deprecated": "Please upgrade to v13 of otplib. Refer to otplib docs for migration paths",
+      "license": "MIT",
+      "dependencies": {
+        "@otplib/core": "^12.0.1",
+        "thirty-two": "^1.0.2"
+      }
+    },
+    "node_modules/@otplib/preset-default": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/@otplib/preset-default/-/preset-default-12.0.1.tgz",
+      "integrity": "sha512-xf1v9oOJRyXfluBhMdpOkr+bsE+Irt+0D5uHtvg6x1eosfmHCsCC6ej/m7FXiWqdo0+ZUI6xSKDhJwc8yfiOPQ==",
+      "deprecated": "Please upgrade to v13 of otplib. Refer to otplib docs for migration paths",
+      "license": "MIT",
+      "dependencies": {
+        "@otplib/core": "^12.0.1",
+        "@otplib/plugin-crypto": "^12.0.1",
+        "@otplib/plugin-thirty-two": "^12.0.1"
+      }
+    },
+    "node_modules/@otplib/preset-v11": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/@otplib/preset-v11/-/preset-v11-12.0.1.tgz",
+      "integrity": "sha512-9hSetMI7ECqbFiKICrNa4w70deTUfArtwXykPUvSHWOdzOlfa9ajglu7mNCntlvxycTiOAXkQGwjQCzzDEMRMg==",
+      "license": "MIT",
+      "dependencies": {
+        "@otplib/core": "^12.0.1",
+        "@otplib/plugin-crypto": "^12.0.1",
+        "@otplib/plugin-thirty-two": "^12.0.1"
+      }
+    },
+    "node_modules/accepts": {
+      "version": "1.3.8",
+      "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz",
+      "integrity": "sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-types": "~2.1.34",
+        "negotiator": "0.6.3"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/ansi-regex": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/ansi-styles": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
+      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+      "license": "MIT",
+      "dependencies": {
+        "color-convert": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      }
+    },
+    "node_modules/anymatch": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz",
+      "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==",
+      "license": "ISC",
+      "dependencies": {
+        "normalize-path": "^3.0.0",
+        "picomatch": "^2.0.4"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/array-flatten": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz",
+      "integrity": "sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg==",
+      "license": "MIT"
+    },
+    "node_modules/binary-extensions": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
+      "integrity": "sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/body-parser": {
+      "version": "1.20.5",
+      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.5.tgz",
+      "integrity": "sha512-3grm+/2tUOvu2cjJkvsIxrv/wVpfXQW4PsQHYm7yk4vfpu7Ekl6nEsYBoJUL6qDwZUx8wUhQ8tR2qz+ad9c9OA==",
+      "license": "MIT",
+      "dependencies": {
+        "bytes": "~3.1.2",
+        "content-type": "~1.0.5",
+        "debug": "2.6.9",
+        "depd": "2.0.0",
+        "destroy": "~1.2.0",
+        "http-errors": "~2.0.1",
+        "iconv-lite": "~0.4.24",
+        "on-finished": "~2.4.1",
+        "qs": "~6.15.1",
+        "raw-body": "~2.5.3",
+        "type-is": "~1.6.18",
+        "unpipe": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8",
+        "npm": "1.2.8000 || >= 1.4.16"
+      }
+    },
+    "node_modules/body-parser/node_modules/qs": {
+      "version": "6.15.1",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.1.tgz",
+      "integrity": "sha512-6YHEFRL9mfgcAvql/XhwTvf5jKcOiiupt2FiJxHkiX1z4j7WL8J/jRHYLluORvc1XxB5rV20KoeK00gVJamspg==",
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "side-channel": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=0.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/braces": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
+      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
+      "license": "MIT",
+      "dependencies": {
+        "fill-range": "^7.1.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/bytes": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
+      "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/call-bind-apply-helpers": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz",
+      "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/call-bound": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/call-bound/-/call-bound-1.0.4.tgz",
+      "integrity": "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.2",
+        "get-intrinsic": "^1.3.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/camelcase": {
+      "version": "5.3.1",
+      "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-5.3.1.tgz",
+      "integrity": "sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/chokidar": {
+      "version": "3.6.0",
+      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz",
+      "integrity": "sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==",
+      "license": "MIT",
+      "dependencies": {
+        "anymatch": "~3.1.2",
+        "braces": "~3.0.2",
+        "glob-parent": "~5.1.2",
+        "is-binary-path": "~2.1.0",
+        "is-glob": "~4.0.1",
+        "normalize-path": "~3.0.0",
+        "readdirp": "~3.6.0"
+      },
+      "engines": {
+        "node": ">= 8.10.0"
+      },
+      "funding": {
+        "url": "https://paulmillr.com/funding/"
+      },
+      "optionalDependencies": {
+        "fsevents": "~2.3.2"
+      }
+    },
+    "node_modules/cliui": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/cliui/-/cliui-6.0.0.tgz",
+      "integrity": "sha512-t6wbgtoCXvAzst7QgXxJYqPt0usEfbgQdftEPbLL/cvv6HPE5VgvqCuAIDR0NgU52ds6rFwqrgakNLrHEjCbrQ==",
+      "license": "ISC",
+      "dependencies": {
+        "string-width": "^4.2.0",
+        "strip-ansi": "^6.0.0",
+        "wrap-ansi": "^6.2.0"
+      }
+    },
+    "node_modules/color-convert": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
+      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+      "license": "MIT",
+      "dependencies": {
+        "color-name": "~1.1.4"
+      },
+      "engines": {
+        "node": ">=7.0.0"
+      }
+    },
+    "node_modules/color-name": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
+      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
+      "license": "MIT"
+    },
+    "node_modules/compressible": {
+      "version": "2.0.18",
+      "resolved": "https://registry.npmjs.org/compressible/-/compressible-2.0.18.tgz",
+      "integrity": "sha512-AF3r7P5dWxL8MxyITRMlORQNaOA2IkAFaTr4k7BUumjPtRpGDTZpl0Pb1XCO6JeDCBdp126Cgs9sMxqSjgYyRg==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-db": ">= 1.43.0 < 2"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/compression": {
+      "version": "1.8.1",
+      "resolved": "https://registry.npmjs.org/compression/-/compression-1.8.1.tgz",
+      "integrity": "sha512-9mAqGPHLakhCLeNyxPkK4xVo746zQ/czLH1Ky+vkitMnWfWZps8r0qXuwhwizagCRttsL4lfG4pIOvaWLpAP0w==",
+      "license": "MIT",
+      "dependencies": {
+        "bytes": "3.1.2",
+        "compressible": "~2.0.18",
+        "debug": "2.6.9",
+        "negotiator": "~0.6.4",
+        "on-headers": "~1.1.0",
+        "safe-buffer": "5.2.1",
+        "vary": "~1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/compression/node_modules/negotiator": {
+      "version": "0.6.4",
+      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.4.tgz",
+      "integrity": "sha512-myRT3DiWPHqho5PrJaIRyaMv2kgYf0mUVgBNOYMuCH5Ki1yEiQaf/ZJuQ62nvpc44wL5WDbTX7yGJi1Neevw8w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/content-disposition": {
+      "version": "0.5.4",
+      "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.4.tgz",
+      "integrity": "sha512-FveZTNuGw04cxlAiWbzi6zTAL/lhehaWbTtgluJh4/E95DqMwTmha3KZN1aAWA8cFIhHzMZUvLevkw5Rqk+tSQ==",
+      "license": "MIT",
+      "dependencies": {
+        "safe-buffer": "5.2.1"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/content-type": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz",
+      "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/cookie": {
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/cookie-signature": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.7.tgz",
+      "integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA==",
+      "license": "MIT"
+    },
+    "node_modules/debug": {
+      "version": "2.6.9",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "license": "MIT",
+      "dependencies": {
+        "ms": "2.0.0"
+      }
+    },
+    "node_modules/decamelize": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/decamelize/-/decamelize-1.2.0.tgz",
+      "integrity": "sha512-z2S+W9X73hAUUki+N+9Za2lBlun89zigOyGrsax+KUQ6wKW4ZoWpEYBkGhQjwAjjDCkWxhY0VKEhk8wzY7F5cA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/depd": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz",
+      "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/destroy": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz",
+      "integrity": "sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8",
+        "npm": "1.2.8000 || >= 1.4.16"
+      }
+    },
+    "node_modules/dijkstrajs": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/dijkstrajs/-/dijkstrajs-1.0.3.tgz",
+      "integrity": "sha512-qiSlmBq9+BCdCA/L46dw8Uy93mloxsPSbwnm5yrKn2vMPiy8KyAskTF6zuV/j5BMsmOGZDPs7KjU+mjb670kfA==",
+      "license": "MIT"
+    },
+    "node_modules/dunder-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
+      "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "gopd": "^1.2.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/ee-first": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
+      "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==",
+      "license": "MIT"
+    },
+    "node_modules/emoji-regex": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
+      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
+      "license": "MIT"
+    },
+    "node_modules/encodeurl": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz",
+      "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/es-define-property": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
+      "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-errors": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
+      "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-object-atoms": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz",
+      "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/escape-html": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
+      "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==",
+      "license": "MIT"
+    },
+    "node_modules/etag": {
+      "version": "1.8.1",
+      "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
+      "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/express": {
+      "version": "4.22.1",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.22.1.tgz",
+      "integrity": "sha512-F2X8g9P1X7uCPZMA3MVf9wcTqlyNp7IhH5qPCI0izhaOIYXaW9L535tGA3qmjRzpH+bZczqq7hVKxTR4NWnu+g==",
+      "license": "MIT",
+      "dependencies": {
+        "accepts": "~1.3.8",
+        "array-flatten": "1.1.1",
+        "body-parser": "~1.20.3",
+        "content-disposition": "~0.5.4",
+        "content-type": "~1.0.4",
+        "cookie": "~0.7.1",
+        "cookie-signature": "~1.0.6",
+        "debug": "2.6.9",
+        "depd": "2.0.0",
+        "encodeurl": "~2.0.0",
+        "escape-html": "~1.0.3",
+        "etag": "~1.8.1",
+        "finalhandler": "~1.3.1",
+        "fresh": "~0.5.2",
+        "http-errors": "~2.0.0",
+        "merge-descriptors": "1.0.3",
+        "methods": "~1.1.2",
+        "on-finished": "~2.4.1",
+        "parseurl": "~1.3.3",
+        "path-to-regexp": "~0.1.12",
+        "proxy-addr": "~2.0.7",
+        "qs": "~6.14.0",
+        "range-parser": "~1.2.1",
+        "safe-buffer": "5.2.1",
+        "send": "~0.19.0",
+        "serve-static": "~1.16.2",
+        "setprototypeof": "1.2.0",
+        "statuses": "~2.0.1",
+        "type-is": "~1.6.18",
+        "utils-merge": "1.0.1",
+        "vary": "~1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.10.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/fill-range": {
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
+      "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
+      "license": "MIT",
+      "dependencies": {
+        "to-regex-range": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/finalhandler": {
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.3.2.tgz",
+      "integrity": "sha512-aA4RyPcd3badbdABGDuTXCMTtOneUCAYH/gxoYRTZlIJdF0YPWuGqiAsIrhNnnqdXGswYk6dGujem4w80UJFhg==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "2.6.9",
+        "encodeurl": "~2.0.0",
+        "escape-html": "~1.0.3",
+        "on-finished": "~2.4.1",
+        "parseurl": "~1.3.3",
+        "statuses": "~2.0.2",
+        "unpipe": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/find-up": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",
+      "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+      "license": "MIT",
+      "dependencies": {
+        "locate-path": "^5.0.0",
+        "path-exists": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/forwarded": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz",
+      "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/fresh": {
+      "version": "0.5.2",
+      "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
+      "integrity": "sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/fsevents": {
+      "version": "2.3.3",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
+      "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/function-bind": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
+      "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-caller-file": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz",
+      "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==",
+      "license": "ISC",
+      "engines": {
+        "node": "6.* || 8.* || >= 10.*"
+      }
+    },
+    "node_modules/get-intrinsic": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz",
+      "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.2",
+        "es-define-property": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "es-object-atoms": "^1.1.1",
+        "function-bind": "^1.1.2",
+        "get-proto": "^1.0.1",
+        "gopd": "^1.2.0",
+        "has-symbols": "^1.1.0",
+        "hasown": "^2.0.2",
+        "math-intrinsics": "^1.1.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz",
+      "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==",
+      "license": "MIT",
+      "dependencies": {
+        "dunder-proto": "^1.0.1",
+        "es-object-atoms": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/glob-parent": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
+      "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
+      "license": "ISC",
+      "dependencies": {
+        "is-glob": "^4.0.1"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/gopd": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
+      "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-symbols": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
+      "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/hasown": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz",
+      "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==",
+      "license": "MIT",
+      "dependencies": {
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/http-errors": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
+      "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==",
+      "license": "MIT",
+      "dependencies": {
+        "depd": "~2.0.0",
+        "inherits": "~2.0.4",
+        "setprototypeof": "~1.2.0",
+        "statuses": "~2.0.2",
+        "toidentifier": "~1.0.1"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/iconv-lite": {
+      "version": "0.4.24",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
+      "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+      "license": "MIT",
+      "dependencies": {
+        "safer-buffer": ">= 2.1.2 < 3"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/inherits": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
+      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
+      "license": "ISC"
+    },
+    "node_modules/ipaddr.js": {
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",
+      "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
+    "node_modules/is-binary-path": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz",
+      "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==",
+      "license": "MIT",
+      "dependencies": {
+        "binary-extensions": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/is-extglob": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
+      "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-fullwidth-code-point": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
+      "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/is-glob": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz",
+      "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
+      "license": "MIT",
+      "dependencies": {
+        "is-extglob": "^2.1.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-number": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
+      "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.12.0"
+      }
+    },
+    "node_modules/locate-path": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz",
+      "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+      "license": "MIT",
+      "dependencies": {
+        "p-locate": "^4.1.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/math-intrinsics": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
+      "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/media-typer": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
+      "integrity": "sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/merge-descriptors": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.3.tgz",
+      "integrity": "sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/methods": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz",
+      "integrity": "sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz",
+      "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==",
+      "license": "MIT",
+      "bin": {
+        "mime": "cli.js"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/mime-db": {
+      "version": "1.52.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
+      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime-types": {
+      "version": "2.1.35",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
+      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-db": "1.52.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/ms": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
+      "license": "MIT"
+    },
+    "node_modules/negotiator": {
+      "version": "0.6.3",
+      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz",
+      "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/normalize-path": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
+      "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object-inspect": {
+      "version": "1.13.4",
+      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz",
+      "integrity": "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/on-finished": {
+      "version": "2.4.1",
+      "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz",
+      "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==",
+      "license": "MIT",
+      "dependencies": {
+        "ee-first": "1.1.1"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/on-headers": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.1.0.tgz",
+      "integrity": "sha512-737ZY3yNnXy37FHkQxPzt4UZ2UWPWiCZWLvFZ4fu5cueciegX0zGPnrlY6bwRg4FdQOe9YU8MkmJwGhoMybl8A==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/otplib": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/otplib/-/otplib-12.0.1.tgz",
+      "integrity": "sha512-xDGvUOQjop7RDgxTQ+o4pOol0/3xSZzawTiPKRrHnQWAy0WjhNs/5HdIDJCrqC4MBynmjXgULc6YfioaxZeFgg==",
+      "license": "MIT",
+      "dependencies": {
+        "@otplib/core": "^12.0.1",
+        "@otplib/preset-default": "^12.0.1",
+        "@otplib/preset-v11": "^12.0.1"
+      }
+    },
+    "node_modules/p-limit": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.3.0.tgz",
+      "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+      "license": "MIT",
+      "dependencies": {
+        "p-try": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/p-locate": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-4.1.0.tgz",
+      "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+      "license": "MIT",
+      "dependencies": {
+        "p-limit": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/p-try": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
+      "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/parseurl": {
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
+      "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/path-exists": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
+      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/path-to-regexp": {
+      "version": "0.1.13",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.13.tgz",
+      "integrity": "sha512-A/AGNMFN3c8bOlvV9RreMdrv7jsmF9XIfDeCd87+I8RNg6s78BhJxMu69NEMHBSJFxKidViTEdruRwEk/WIKqA==",
+      "license": "MIT"
+    },
+    "node_modules/picomatch": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jonschlinkert"
+      }
+    },
+    "node_modules/pngjs": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/pngjs/-/pngjs-5.0.0.tgz",
+      "integrity": "sha512-40QW5YalBNfQo5yRYmiw7Yz6TKKVr3h6970B2YE+3fQpsWcrbj1PzJgxeJ19DRQjhMbKPIuMY8rFaXc8moolVw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
+    "node_modules/proxy-addr": {
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz",
+      "integrity": "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==",
+      "license": "MIT",
+      "dependencies": {
+        "forwarded": "0.2.0",
+        "ipaddr.js": "1.9.1"
+      },
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
+    "node_modules/qrcode": {
+      "version": "1.5.4",
+      "resolved": "https://registry.npmjs.org/qrcode/-/qrcode-1.5.4.tgz",
+      "integrity": "sha512-1ca71Zgiu6ORjHqFBDpnSMTR2ReToX4l1Au1VFLyVeBTFavzQnv5JxMFr3ukHVKpSrSA2MCk0lNJSykjUfz7Zg==",
+      "license": "MIT",
+      "dependencies": {
+        "dijkstrajs": "^1.0.1",
+        "pngjs": "^5.0.0",
+        "yargs": "^15.3.1"
+      },
+      "bin": {
+        "qrcode": "bin/qrcode"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
+    "node_modules/qs": {
+      "version": "6.14.2",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.2.tgz",
+      "integrity": "sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==",
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "side-channel": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=0.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/range-parser": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
+      "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/raw-body": {
+      "version": "2.5.3",
+      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.3.tgz",
+      "integrity": "sha512-s4VSOf6yN0rvbRZGxs8Om5CWj6seneMwK3oDb4lWDH0UPhWcxwOWw5+qk24bxq87szX1ydrwylIOp2uG1ojUpA==",
+      "license": "MIT",
+      "dependencies": {
+        "bytes": "~3.1.2",
+        "http-errors": "~2.0.1",
+        "iconv-lite": "~0.4.24",
+        "unpipe": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/readdirp": {
+      "version": "3.6.0",
+      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz",
+      "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==",
+      "license": "MIT",
+      "dependencies": {
+        "picomatch": "^2.2.1"
+      },
+      "engines": {
+        "node": ">=8.10.0"
+      }
+    },
+    "node_modules/require-directory": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz",
+      "integrity": "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/require-main-filename": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/require-main-filename/-/require-main-filename-2.0.0.tgz",
+      "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==",
+      "license": "ISC"
+    },
+    "node_modules/safe-buffer": {
+      "version": "5.2.1",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
+      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "license": "MIT"
+    },
+    "node_modules/safer-buffer": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
+      "license": "MIT"
+    },
+    "node_modules/send": {
+      "version": "0.19.2",
+      "resolved": "https://registry.npmjs.org/send/-/send-0.19.2.tgz",
+      "integrity": "sha512-VMbMxbDeehAxpOtWJXlcUS5E8iXh6QmN+BkRX1GARS3wRaXEEgzCcB10gTQazO42tpNIya8xIyNx8fll1OFPrg==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "2.6.9",
+        "depd": "2.0.0",
+        "destroy": "1.2.0",
+        "encodeurl": "~2.0.0",
+        "escape-html": "~1.0.3",
+        "etag": "~1.8.1",
+        "fresh": "~0.5.2",
+        "http-errors": "~2.0.1",
+        "mime": "1.6.0",
+        "ms": "2.1.3",
+        "on-finished": "~2.4.1",
+        "range-parser": "~1.2.1",
+        "statuses": "~2.0.2"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/send/node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
+      "license": "MIT"
+    },
+    "node_modules/serve-static": {
+      "version": "1.16.3",
+      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.3.tgz",
+      "integrity": "sha512-x0RTqQel6g5SY7Lg6ZreMmsOzncHFU7nhnRWkKgWuMTu5NN0DR5oruckMqRvacAN9d5w6ARnRBXl9xhDCgfMeA==",
+      "license": "MIT",
+      "dependencies": {
+        "encodeurl": "~2.0.0",
+        "escape-html": "~1.0.3",
+        "parseurl": "~1.3.3",
+        "send": "~0.19.1"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/set-blocking": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz",
+      "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==",
+      "license": "ISC"
+    },
+    "node_modules/setprototypeof": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz",
+      "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==",
+      "license": "ISC"
+    },
+    "node_modules/side-channel": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz",
+      "integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "object-inspect": "^1.13.3",
+        "side-channel-list": "^1.0.0",
+        "side-channel-map": "^1.0.1",
+        "side-channel-weakmap": "^1.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-list": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.1.tgz",
+      "integrity": "sha512-mjn/0bi/oUURjc5Xl7IaWi/OJJJumuoJFQJfDDyO46+hBWsfaVM65TBHq2eoZBhzl9EchxOijpkbRC8SVBQU0w==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "object-inspect": "^1.13.4"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-map": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/side-channel-map/-/side-channel-map-1.0.1.tgz",
+      "integrity": "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bound": "^1.0.2",
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.5",
+        "object-inspect": "^1.13.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-weakmap": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz",
+      "integrity": "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bound": "^1.0.2",
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.5",
+        "object-inspect": "^1.13.3",
+        "side-channel-map": "^1.0.1"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/statuses": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz",
+      "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/string-width": {
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
+      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+      "license": "MIT",
+      "dependencies": {
+        "emoji-regex": "^8.0.0",
+        "is-fullwidth-code-point": "^3.0.0",
+        "strip-ansi": "^6.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/strip-ansi": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/thirty-two": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/thirty-two/-/thirty-two-1.0.2.tgz",
+      "integrity": "sha512-OEI0IWCe+Dw46019YLl6V10Us5bi574EvlJEOcAkB29IzQ/mYD1A6RyNHLjZPiHCmuodxvgF6U+vZO1L15lxVA==",
+      "engines": {
+        "node": ">=0.2.6"
+      }
+    },
+    "node_modules/to-regex-range": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
+      "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+      "license": "MIT",
+      "dependencies": {
+        "is-number": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=8.0"
+      }
+    },
+    "node_modules/toidentifier": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz",
+      "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.6"
+      }
+    },
+    "node_modules/type-is": {
+      "version": "1.6.18",
+      "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
+      "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==",
+      "license": "MIT",
+      "dependencies": {
+        "media-typer": "0.3.0",
+        "mime-types": "~2.1.24"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/unpipe": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
+      "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/utils-merge": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz",
+      "integrity": "sha512-pMZTvIkT1d+TFGvDOqodOclx0QWkkgi6Tdoa8gC8ffGAAqz9pzPTZWAybbsHHoED/ztMtkv/VoYTYyShUn81hA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4.0"
+      }
+    },
+    "node_modules/vary": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
+      "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/which-module": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/which-module/-/which-module-2.0.1.tgz",
+      "integrity": "sha512-iBdZ57RDvnOR9AGBhML2vFZf7h8vmBjhoaZqODJBFWHVtKkDmKuHai3cx5PgVMrX5YDNp27AofYbAwctSS+vhQ==",
+      "license": "ISC"
+    },
+    "node_modules/wrap-ansi": {
+      "version": "6.2.0",
+      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-6.2.0.tgz",
+      "integrity": "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA==",
+      "license": "MIT",
+      "dependencies": {
+        "ansi-styles": "^4.0.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/ws": {
+      "version": "8.20.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz",
+      "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=10.0.0"
+      },
+      "peerDependencies": {
+        "bufferutil": "^4.0.1",
+        "utf-8-validate": ">=5.0.2"
+      },
+      "peerDependenciesMeta": {
+        "bufferutil": {
+          "optional": true
+        },
+        "utf-8-validate": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/y18n": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.3.tgz",
+      "integrity": "sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ==",
+      "license": "ISC"
+    },
+    "node_modules/yargs": {
+      "version": "15.4.1",
+      "resolved": "https://registry.npmjs.org/yargs/-/yargs-15.4.1.tgz",
+      "integrity": "sha512-aePbxDmcYW++PaqBsJ+HYUFwCdv4LVvdnhBy78E57PIor8/OVvhMrADFFEDh8DHDFRv/O9i3lPhsENjO7QX0+A==",
+      "license": "MIT",
+      "dependencies": {
+        "cliui": "^6.0.0",
+        "decamelize": "^1.2.0",
+        "find-up": "^4.1.0",
+        "get-caller-file": "^2.0.1",
+        "require-directory": "^2.1.1",
+        "require-main-filename": "^2.0.0",
+        "set-blocking": "^2.0.0",
+        "string-width": "^4.2.0",
+        "which-module": "^2.0.0",
+        "y18n": "^4.0.0",
+        "yargs-parser": "^18.1.2"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs-parser": {
+      "version": "18.1.3",
+      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-18.1.3.tgz",
+      "integrity": "sha512-o50j0JeToy/4K6OZcaQmW6lyXXKhq7csREXcDwk2omFPJEwUNOVtJKvmDr9EI1fAJZUyZcRF7kxGBWmRXudrCQ==",
+      "license": "ISC",
+      "dependencies": {
+        "camelcase": "^5.0.0",
+        "decamelize": "^1.2.0"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    }
+  }
+}
diff --git a/src/server/package.json b/src/server/package.json
index b14ae32..6eb4049 100644
--- a/src/server/package.json
+++ b/src/server/package.json
@@ -1,18 +1,20 @@
-{
-  "name": "obsidian-web-server",
-  "version": "0.1.0",
-  "description": "HTTP/WebSocket backend for Obsidian web wrapper",
-  "main": "index.js",
-  "type": "commonjs",
-  "scripts": {
-    "start": "node index.js",
-    "dev": "node --watch index.js",
-    "test": "node --test"
-  },
-  "dependencies": {
-    "chokidar": "^3.6.0",
-    "compression": "^1.8.1",
-    "express": "^4.21.0",
-    "ws": "^8.18.0"
-  }
-}
+{
+  "name": "obsidian-web-server",
+  "version": "0.1.0",
+  "description": "HTTP/WebSocket backend for Obsidian web wrapper",
+  "main": "index.js",
+  "type": "commonjs",
+  "scripts": {
+    "start": "node index.js",
+    "dev": "node --watch index.js",
+    "test": "node --test"
+  },
+  "dependencies": {
+    "chokidar": "^3.6.0",
+    "compression": "^1.8.1",
+    "express": "^4.21.0",
+    "otplib": "^12.0.1",
+    "qrcode": "^1.5.4",
+    "ws": "^8.18.0"
+  }
+}

From e610b73877c2b5cc85b4f46bd7284b60e79f4867 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Tue, 9 Jun 2026 19:55:34 -0700
Subject: [PATCH 15/46] fix: open-url recursion + proxy redirect following

---
 src/client/shims/electron.js | 14 ++++++++++++--
 src/server/api/proxy.js      | 12 +++++++++++-
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/src/client/shims/electron.js b/src/client/shims/electron.js
index 899807a..67a0960 100644
--- a/src/client/shims/electron.js
+++ b/src/client/shims/electron.js
@@ -18,6 +18,13 @@
  * are stubs that log so we can spot uses we missed.
  */
 (function (global) {
+  // Save a reference to the real window.open BEFORE Obsidian patches it.
+  // Obsidian overrides window.open to route URLs through its own link handler,
+  // which calls ipcRenderer.send('open-url', ...) — so if our 'open-url'
+  // handler calls window.open, we get infinite recursion. Using this saved
+  // reference bypasses Obsidian's patch and opens a real new tab.
+  const _nativeWindowOpen = window.open.bind(window);
+
   function warnUnimplemented(name) {
     return function () {
       console.warn('[obsidian-web] electron.' + name + ' called but not implemented:', arguments);
@@ -360,8 +367,11 @@
       }
 
       // 'open-url' opens in a new tab.
+      // Use _nativeWindowOpen (saved before Obsidian patches window.open)
+      // to avoid the infinite recursion: Obsidian's patched window.open
+      // routes back through ipcRenderer.send('open-url', ...).
       if (channel === 'open-url' && args[0]) {
-        window.open(args[0], '_blank', 'noopener');
+        _nativeWindowOpen(args[0], '_blank', 'noopener');
         return;
       }
       // Application-menu IPC channels - ignored on web. Obsidian renders
@@ -408,7 +418,7 @@
   const remote = {
     shell: {
       showItemInFolder: warnUnimplemented('shell.showItemInFolder'),
-      openExternal: (url) => { window.open(url, '_blank', 'noopener'); return Promise.resolve(); },
+      openExternal: (url) => { _nativeWindowOpen(url, '_blank', 'noopener'); return Promise.resolve(); },
       openPath: warnUnimplemented('shell.openPath'),
     },
     dialog: {
diff --git a/src/server/api/proxy.js b/src/server/api/proxy.js
index bfb306f..fa4f400 100644
--- a/src/server/api/proxy.js
+++ b/src/server/api/proxy.js
@@ -48,7 +48,7 @@ function isAllowed(urlStr) {
   }
 }
 
-function fetchUrl(urlStr, method, reqHeaders, body) {
+function fetchUrl(urlStr, method, reqHeaders, body, redirectsLeft = 5) {
   return new Promise((resolve, reject) => {
     let parsed;
     try { parsed = new URL(urlStr); } catch (e) { return reject(e); }
@@ -63,6 +63,16 @@ function fetchUrl(urlStr, method, reqHeaders, body) {
     };
 
     const req = lib.request(options, (res) => {
+      // Follow redirects (GitHub releases redirect to CDN)
+      if ([301, 302, 303, 307, 308].includes(res.statusCode) && res.headers.location) {
+        res.resume(); // drain the response
+        if (redirectsLeft <= 0) return reject(new Error('too many redirects'));
+        const next = new URL(res.headers.location, urlStr).toString();
+        // Don't check allow-list for redirect targets — caller already validated origin
+        fetchUrl(next, res.statusCode === 303 ? 'GET' : method, reqHeaders, body, redirectsLeft - 1)
+          .then(resolve).catch(reject);
+        return;
+      }
       const chunks = [];
       res.on('data', (c) => chunks.push(c));
       res.on('end', () => {

From 86aa2c8ecc1c8bc04413f2713e934933862dd4ef Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Tue, 9 Jun 2026 20:03:20 -0700
Subject: [PATCH 16/46] fix: open-url recursion, proxy redirects,
 crypto.randomUUID polyfill

---
 src/client/boot.js | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/client/boot.js b/src/client/boot.js
index ac8fea0..8b59edd 100644
--- a/src/client/boot.js
+++ b/src/client/boot.js
@@ -19,6 +19,16 @@
  * the browser can download them in parallel but executes them in order.
  */
 
+// Polyfill crypto.randomUUID for non-secure contexts (plain HTTP on LAN).
+// Browsers restrict this API to HTTPS/localhost; plugins like ion-sync need it.
+if (typeof crypto !== 'undefined' && !crypto.randomUUID) {
+  crypto.randomUUID = function () {
+    return ([1e7] + -1e3 + -4e3 + -8e3 + -1e11).replace(/[018]/g, (c) =>
+      (c ^ crypto.getRandomValues(new Uint8Array(1))[0] & 15 >> c / 4).toString(16)
+    );
+  };
+}
+
 // Ordered list of Obsidian's renderer scripts — mirrors the old <script defer>
 // list in index.html. Keep in sync with obsidian/index.html if Obsidian is
 // updated to add or remove scripts.

From f277c8068782024f3a7bd000b63e744997448ae9 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Tue, 9 Jun 2026 20:25:00 -0700
Subject: [PATCH 17/46] fix: open-url recursion, proxy redirects,
 crypto.randomUUID, keytar shim

---
 src/client/boot.js       | 38 ++++++++++++++++++
 src/server/api/keytar.js | 86 ++++++++++++++++++++++++++++++++++++++++
 src/server/config.js     |  1 +
 src/server/index.js      |  2 +
 4 files changed, 127 insertions(+)
 create mode 100644 src/server/api/keytar.js

diff --git a/src/client/boot.js b/src/client/boot.js
index 8b59edd..a24c87e 100644
--- a/src/client/boot.js
+++ b/src/client/boot.js
@@ -110,8 +110,46 @@ const OBSIDIAN_SCRIPTS = [
     // system commands) can load. Commands will fail gracefully at runtime.
     'child_process': makeChildProcessStub(),
     '@electron/remote': window.__owElectron.remote,
+    // keytar: server-backed credential store (replaces OS keychain)
+    'keytar': makeKeytarShim(),
   };
 
+  function makeKeytarShim() {
+    function q(service, account) {
+      return '/api/keytar?service=' + encodeURIComponent(service) + '&account=' + encodeURIComponent(account);
+    }
+    return {
+      getPassword(service, account) {
+        return fetch(q(service, account))
+          .then(r => r.ok ? r.json().then(j => j.password) : null)
+          .catch(() => null);
+      },
+      setPassword(service, account, password) {
+        return fetch('/api/keytar', {
+          method: 'PUT',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ service, account, password }),
+        }).then(() => undefined);
+      },
+      deletePassword(service, account) {
+        return fetch(q(service, account), { method: 'DELETE' })
+          .then(r => r.json()).then(j => !!j.ok)
+          .catch(() => false);
+      },
+      findCredentials(service) {
+        return fetch('/api/keytar/all?service=' + encodeURIComponent(service))
+          .then(r => r.ok ? r.json() : [])
+          .catch(() => []);
+      },
+      findPassword(service) {
+        return fetch('/api/keytar/all?service=' + encodeURIComponent(service))
+          .then(r => r.ok ? r.json() : [])
+          .then(entries => entries.length ? entries[0].password : null)
+          .catch(() => null);
+      },
+    };
+  }
+
   function makeChildProcessStub() {
     const ERR = new Error('[obsidian-web] child_process is not available in web mode');
     function noop() {}
diff --git a/src/server/api/keytar.js b/src/server/api/keytar.js
new file mode 100644
index 0000000..6de4229
--- /dev/null
+++ b/src/server/api/keytar.js
@@ -0,0 +1,86 @@
+'use strict';
+
+/**
+ * Server-side keychain store — replaces the native `keytar` module.
+ * Credentials are stored in <user-data>/.keychain.json (plain JSON).
+ * This file lives inside the USER_DATA volume so it persists across
+ * container restarts and is as safe as the rest of your vault data.
+ *
+ * API:
+ *   GET    /api/keytar?service=&account=   → { password } or 404
+ *   PUT    /api/keytar                     ← { service, account, password }
+ *   DELETE /api/keytar?service=&account=   → { ok }
+ *   GET    /api/keytar/all?service=        → [{ account, password }, ...]
+ */
+
+const express = require('express');
+const fsp = require('fs/promises');
+const path = require('path');
+
+function createKeytarRouter(userDataPath) {
+  const router = express.Router();
+  const keychainFile = path.join(userDataPath, '.keychain.json');
+
+  async function load() {
+    try {
+      const txt = await fsp.readFile(keychainFile, 'utf8');
+      return JSON.parse(txt);
+    } catch (_) {
+      return {};
+    }
+  }
+
+  async function save(data) {
+    await fsp.mkdir(path.dirname(keychainFile), { recursive: true });
+    await fsp.writeFile(keychainFile, JSON.stringify(data, null, 2), 'utf8');
+  }
+
+  // GET /api/keytar?service=X&account=Y
+  router.get('/', async (req, res) => {
+    const { service, account } = req.query;
+    if (!service || !account) return res.status(400).json({ error: 'service and account required' });
+    const data = await load();
+    const password = data[service] && data[service][account];
+    if (password == null) return res.status(404).json({ error: 'not found' });
+    res.json({ password });
+  });
+
+  // GET /api/keytar/all?service=X
+  router.get('/all', async (req, res) => {
+    const { service } = req.query;
+    if (!service) return res.status(400).json({ error: 'service required' });
+    const data = await load();
+    const entries = Object.entries(data[service] || {}).map(([account, password]) => ({ account, password }));
+    res.json(entries);
+  });
+
+  // PUT /api/keytar  { service, account, password }
+  router.put('/', express.json(), async (req, res) => {
+    const { service, account, password } = req.body || {};
+    if (!service || !account || password == null) return res.status(400).json({ error: 'service, account, password required' });
+    const data = await load();
+    if (!data[service]) data[service] = {};
+    data[service][account] = password;
+    await save(data);
+    res.json({ ok: true });
+  });
+
+  // DELETE /api/keytar?service=X&account=Y
+  router.delete('/', async (req, res) => {
+    const { service, account } = req.query;
+    if (!service || !account) return res.status(400).json({ error: 'service and account required' });
+    const data = await load();
+    let deleted = false;
+    if (data[service] && data[service][account] != null) {
+      delete data[service][account];
+      if (Object.keys(data[service]).length === 0) delete data[service];
+      await save(data);
+      deleted = true;
+    }
+    res.json({ ok: deleted });
+  });
+
+  return router;
+}
+
+module.exports = createKeytarRouter;
diff --git a/src/server/config.js b/src/server/config.js
index 7a1b0c7..5801411 100644
--- a/src/server/config.js
+++ b/src/server/config.js
@@ -62,6 +62,7 @@ const OBSIDIAN_PATH = path.resolve(PROJECT_ROOT, 'vendor', 'obsidian');
 const OBSIDIAN_MOBILE_PATH = path.resolve(PROJECT_ROOT, 'vendor', 'obsidian-mobile');
 
 module.exports = {
+  userDataPath: path.resolve(PROJECT_ROOT, 'user-data'),
   port: parsePort(process.env.PORT),
   host: process.env.HOST || '127.0.0.1',
   vaultPath: path.resolve(PROJECT_ROOT, process.env.VAULT_PATH || 'user-data/demo-vault'),
diff --git a/src/server/index.js b/src/server/index.js
index 6d64525..a5e8714 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -22,6 +22,7 @@ const createVaultsRouter = require('./api/vaults');
 const createBootstrapRouter = require('./api/bootstrap');
 const { warmUpBootstrapCache } = require('./api/bootstrap');
 const createProxyRouter = require('./api/proxy');
+const createKeytarRouter = require('./api/keytar');
 const attachWatchServer = require('./api/watch');
 const VaultRegistry = require('./vault-registry');
 const { createAuthMiddleware } = require('./middleware/auth');
@@ -135,6 +136,7 @@ function createApp(appConfig = config) {
   }
 
   // API routes.
+  app.use('/api/keytar', createKeytarRouter(appConfig.userDataPath));
   app.use('/api/bootstrap', createBootstrapRouter(vaultRegistry, appConfig.vaultPath));
   app.use('/api/proxy-request', createProxyRouter());
   app.use('/api/vaults', createVaultsRouter(vaultRegistry));

From 653c60b797ac09919bc2a6536534eb2aa23a98c6 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Tue, 9 Jun 2026 20:27:51 -0700
Subject: [PATCH 18/46] fix: add isEncryptionAvailable to keytar shim

---
 src/client/boot.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/client/boot.js b/src/client/boot.js
index a24c87e..cad9b8d 100644
--- a/src/client/boot.js
+++ b/src/client/boot.js
@@ -147,6 +147,8 @@ const OBSIDIAN_SCRIPTS = [
           .then(entries => entries.length ? entries[0].password : null)
           .catch(() => null);
       },
+      // Our server-backed store is always available
+      isEncryptionAvailable() { return true; },
     };
   }
 

From 6b8684ca2de292f11991b3d866f242a8df32d20a Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Tue, 9 Jun 2026 20:44:58 -0700
Subject: [PATCH 19/46] fix: add safeStorage and keytar shims for keychain
 support

---
 src/client/shims/electron.js | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/client/shims/electron.js b/src/client/shims/electron.js
index 67a0960..32ebf9c 100644
--- a/src/client/shims/electron.js
+++ b/src/client/shims/electron.js
@@ -447,6 +447,19 @@
       fromId: () => null,
       getFocusedWebContents: () => null,
     },
+    // safeStorage: Electron's credential encryption API (used for keychain).
+    // Since our keychain is stored server-side there's no OS-level encryption
+    // to do here — we pass data through as-is (UTF-8 bytes / string).
+    safeStorage: {
+      isEncryptionAvailable() { return true; },
+      encryptString(text) {
+        // Return a Buffer-like Uint8Array of the UTF-8 bytes
+        return new TextEncoder().encode(text);
+      },
+      decryptString(buf) {
+        return new TextDecoder().decode(buf);
+      },
+    },
     nativeTheme: (function () {
       const t = {
         shouldUseDarkColors: window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches,

From 269af279a024c2876b4d419c37f3349818e5fc94 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Tue, 9 Jun 2026 20:54:00 -0700
Subject: [PATCH 20/46] debug: log safeStorage and keychain-related IPC calls

---
 src/client/shims/electron.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/client/shims/electron.js b/src/client/shims/electron.js
index 32ebf9c..ff43e23 100644
--- a/src/client/shims/electron.js
+++ b/src/client/shims/electron.js
@@ -305,6 +305,9 @@
         }
       }
 
+      if (channel.toLowerCase().includes('key') || channel.toLowerCase().includes('crypt') || channel.toLowerCase().includes('safe') || channel.toLowerCase().includes('pass')) {
+        console.warn('[obsidian-web] KEYCHAIN-RELATED ipcRenderer.sendSync:', channel, JSON.stringify(args));
+      }
       console.warn('[obsidian-web] unhandled ipcRenderer.sendSync:', channel, args);
       window.__owMissing && window.__owMissing.record('sendSync', channel);
       return null;
@@ -384,6 +387,9 @@
       ) {
         return;
       }
+      if (channel.toLowerCase().includes('key') || channel.toLowerCase().includes('crypt') || channel.toLowerCase().includes('safe') || channel.toLowerCase().includes('pass')) {
+        console.warn('[obsidian-web] KEYCHAIN-RELATED ipcRenderer.send:', channel, JSON.stringify(args));
+      }
       console.warn('[obsidian-web] unhandled ipcRenderer.send:', channel, args);
       window.__owMissing && window.__owMissing.record('send', channel);
     },
@@ -453,10 +459,11 @@
     safeStorage: {
       isEncryptionAvailable() { return true; },
       encryptString(text) {
-        // Return a Buffer-like Uint8Array of the UTF-8 bytes
+        console.log('[obsidian-web] safeStorage.encryptString called, length:', text && text.length);
         return new TextEncoder().encode(text);
       },
       decryptString(buf) {
+        console.log('[obsidian-web] safeStorage.decryptString called, type:', typeof buf, buf && buf.constructor && buf.constructor.name);
         return new TextDecoder().decode(buf);
       },
     },

From 5bbc90da72657d87e78eeefbe3afd8048e2de068 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Tue, 9 Jun 2026 21:17:08 -0700
Subject: [PATCH 21/46] fix: safeStorage round-trip through localStorage using
 tagged base64

---
 src/client/shims/electron.js | 36 ++++++++++++++++++++++++------------
 1 file changed, 24 insertions(+), 12 deletions(-)

diff --git a/src/client/shims/electron.js b/src/client/shims/electron.js
index ff43e23..f9d055a 100644
--- a/src/client/shims/electron.js
+++ b/src/client/shims/electron.js
@@ -305,9 +305,6 @@
         }
       }
 
-      if (channel.toLowerCase().includes('key') || channel.toLowerCase().includes('crypt') || channel.toLowerCase().includes('safe') || channel.toLowerCase().includes('pass')) {
-        console.warn('[obsidian-web] KEYCHAIN-RELATED ipcRenderer.sendSync:', channel, JSON.stringify(args));
-      }
       console.warn('[obsidian-web] unhandled ipcRenderer.sendSync:', channel, args);
       window.__owMissing && window.__owMissing.record('sendSync', channel);
       return null;
@@ -387,9 +384,6 @@
       ) {
         return;
       }
-      if (channel.toLowerCase().includes('key') || channel.toLowerCase().includes('crypt') || channel.toLowerCase().includes('safe') || channel.toLowerCase().includes('pass')) {
-        console.warn('[obsidian-web] KEYCHAIN-RELATED ipcRenderer.send:', channel, JSON.stringify(args));
-      }
       console.warn('[obsidian-web] unhandled ipcRenderer.send:', channel, args);
       window.__owMissing && window.__owMissing.record('send', channel);
     },
@@ -454,17 +448,35 @@
       getFocusedWebContents: () => null,
     },
     // safeStorage: Electron's credential encryption API (used for keychain).
-    // Since our keychain is stored server-side there's no OS-level encryption
-    // to do here — we pass data through as-is (UTF-8 bytes / string).
+    // Obsidian stores the encryptString() result in localStorage. Since
+    // localStorage only stores strings, a Uint8Array gets coerced to
+    // "116,101,115,116" (comma-separated numbers). We use a tagged base64
+    // string instead so the round-trip through localStorage is lossless.
     safeStorage: {
       isEncryptionAvailable() { return true; },
       encryptString(text) {
-        console.log('[obsidian-web] safeStorage.encryptString called, length:', text && text.length);
-        return new TextEncoder().encode(text);
+        // Encode as a tagged base64 string — survives localStorage serialization
+        const bytes = new TextEncoder().encode(text);
+        const b64 = btoa(String.fromCharCode(...bytes));
+        // Return a string so localStorage.setItem/getItem is lossless
+        return 'OW:' + b64;
       },
       decryptString(buf) {
-        console.log('[obsidian-web] safeStorage.decryptString called, type:', typeof buf, buf && buf.constructor && buf.constructor.name);
-        return new TextDecoder().decode(buf);
+        // buf may be a string (from localStorage) or Uint8Array (from a file read)
+        let str = typeof buf === 'string' ? buf : new TextDecoder().decode(buf);
+        if (str.startsWith('OW:')) {
+          try {
+            const bin = atob(str.slice(3));
+            const bytes = new Uint8Array(bin.length);
+            for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+            return new TextDecoder().decode(bytes);
+          } catch (_) {}
+        }
+        // Legacy: comma-separated numbers from old Uint8Array.toString()
+        if (/^\d+(,\d+)*$/.test(str)) {
+          return new TextDecoder().decode(new Uint8Array(str.split(',').map(Number)));
+        }
+        return str;
       },
     },
     nativeTheme: (function () {

From 8923689d6b2a49aaa26cbfefc0f79d5cbf74d7a9 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 07:31:59 -0700
Subject: [PATCH 22/46] =?UTF-8?q?fix:=20safeStorage=20=E2=80=94=20store=20?=
 =?UTF-8?q?secrets=20server-side=20via=20/api/keytar,=20return=20Buffer-sa?=
 =?UTF-8?q?fe=20token?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/client/shims/electron.js | 92 +++++++++++++++++++++++++++++-------
 1 file changed, 75 insertions(+), 17 deletions(-)

diff --git a/src/client/shims/electron.js b/src/client/shims/electron.js
index f9d055a..ecc5569 100644
--- a/src/client/shims/electron.js
+++ b/src/client/shims/electron.js
@@ -448,35 +448,93 @@
       getFocusedWebContents: () => null,
     },
     // safeStorage: Electron's credential encryption API (used for keychain).
-    // Obsidian stores the encryptString() result in localStorage. Since
-    // localStorage only stores strings, a Uint8Array gets coerced to
-    // "116,101,115,116" (comma-separated numbers). We use a tagged base64
-    // string instead so the round-trip through localStorage is lossless.
+    //
+    // Problem: In real Electron, encryptString() returns a Buffer (binary).
+    // Obsidian may store it by first doing Buffer.from(result, 'base64'), so
+    // any non-base64-safe tag in our return value gets corrupted on the
+    // round-trip. Previous fix ('OW:' prefix) broke because ':' is not a
+    // valid base64 character.
+    //
+    // Solution: Store the actual secret server-side (in .keychain.json via
+    // the /api/keytar endpoint, using synchronous XHR so encryptString stays
+    // synchronous). Return a token that is the base64 encoding of 'ow:' + id.
+    //
+    //   encryptString('secret') → stores secret, returns btoa('ow:abc123...')
+    //     e.g. 'b3c6YWJj...'
+    //
+    // The token survives EITHER storage path:
+    //   • String path: stored/retrieved as 'b3c6YWJj...' → atob() → 'ow:id' → lookup ✓
+    //   • Buffer path: Buffer.from('b3c6YWJj...', 'base64') → Uint8Array of
+    //     'ow:id' bytes → TextDecoder → 'ow:id' → lookup ✓
     safeStorage: {
       isEncryptionAvailable() { return true; },
       encryptString(text) {
-        // Encode as a tagged base64 string — survives localStorage serialization
-        const bytes = new TextEncoder().encode(text);
-        const b64 = btoa(String.fromCharCode(...bytes));
-        // Return a string so localStorage.setItem/getItem is lossless
-        return 'OW:' + b64;
+        // Generate a random 18-char hex ID
+        const rnd = new Uint8Array(9);
+        crypto.getRandomValues(rnd);
+        const id = Array.from(rnd).map(b => b.toString(16).padStart(2, '0')).join('');
+        // Persist secret server-side via synchronous XHR
+        try {
+          global.__owSyncJson('PUT', '/api/keytar', {
+            service: '__safeStorage__',
+            account: id,
+            password: text,
+          });
+        } catch (e) {
+          console.warn('[obsidian-web] safeStorage.encryptString: store failed:', e.message);
+        }
+        // Return base64 of 'ow:' + id  — this is a valid base64 string that
+        // decodes back to the marker string whether Obsidian treats it as a
+        // plain string or decodes it as base64 first.
+        const marker = 'ow:' + id;
+        return btoa(String.fromCharCode(...new TextEncoder().encode(marker)));
       },
       decryptString(buf) {
-        // buf may be a string (from localStorage) or Uint8Array (from a file read)
-        let str = typeof buf === 'string' ? buf : new TextDecoder().decode(buf);
-        if (str.startsWith('OW:')) {
+        // Recover the 'ow:id' marker regardless of whether buf arrived as a
+        // plain string (Obsidian stored token as-is) or Uint8Array (Obsidian
+        // did Buffer.from(token, 'base64') before storing).
+        let marker;
+        if (typeof buf !== 'string') {
+          marker = new TextDecoder().decode(buf);
+        } else {
+          try { marker = atob(buf); } catch (_) { marker = buf; }
+        }
+
+        // Current token format: marker = 'ow:' + id
+        if (marker && marker.startsWith('ow:')) {
+          const id = marker.slice(3);
+          try {
+            const url = '/api/keytar?service=' + encodeURIComponent('__safeStorage__')
+                      + '&account=' + encodeURIComponent(id);
+            const result = global.__owSyncJson('GET', url);
+            if (result && result.password != null) return result.password;
+          } catch (e) {
+            if (!e.status || e.status !== 404) {
+              console.warn('[obsidian-web] safeStorage.decryptString: lookup failed:', e.message);
+            }
+          }
+        }
+
+        // Legacy: old 'OW:' tagged base64 format (previous implementation)
+        const s = typeof buf === 'string' ? buf : new TextDecoder().decode(buf);
+        if (s.startsWith('OW:')) {
           try {
-            const bin = atob(str.slice(3));
+            const bin = atob(s.slice(3));
             const bytes = new Uint8Array(bin.length);
             for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
             return new TextDecoder().decode(bytes);
           } catch (_) {}
         }
-        // Legacy: comma-separated numbers from old Uint8Array.toString()
-        if (/^\d+(,\d+)*$/.test(str)) {
-          return new TextDecoder().decode(new Uint8Array(str.split(',').map(Number)));
+
+        // Legacy: old comma-separated numbers from Uint8Array.toString()
+        if (typeof buf === 'string' && /^\d+(,\d+)*$/.test(buf)) {
+          try {
+            return new TextDecoder().decode(new Uint8Array(buf.split(',').map(Number)));
+          } catch (_) {}
         }
-        return str;
+
+        // Last resort: return as-is
+        return s;
       },
     },
     nativeTheme: (function () {

From 7b94f20c218c0e3b00f4771563ea3df43820741c Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 08:24:47 -0700
Subject: [PATCH 23/46] =?UTF-8?q?fix:=20add=20crypto.createHmac=20+=20sync?=
 =?UTF-8?q?=20SHA-256=20=E2=80=94=20fixes=20ion-sync=20=5FcomputeToken?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/client/boot.js | 149 ++++++++++++++++++++++++++++++++++-----------
 1 file changed, 113 insertions(+), 36 deletions(-)

diff --git a/src/client/boot.js b/src/client/boot.js
index cad9b8d..ebe10c6 100644
--- a/src/client/boot.js
+++ b/src/client/boot.js
@@ -219,20 +219,107 @@ const OBSIDIAN_SCRIPTS = [
   }
 
   function makeCryptoShim() {
-    // Obsidian uses crypto for hashing and random bytes. The browser's
-    // Web Crypto API covers it; we expose a Node-style facade.
+    // ---- Pure-JS SHA-256 (synchronous, public domain) -------------------------
+    // Used by createHash('sha256') and createHmac('sha256', ...) so that sync
+    // callers (like ion-sync's _computeToken) get real results, not empty strings.
+    const _SHA256_K = new Uint32Array([
+      0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
+      0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
+      0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
+      0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
+      0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
+      0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
+      0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
+      0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2,
+    ]);
+    function _ror32(n, k) { return (n >>> k) | (n << (32 - k)); }
+    function _sha256(data /* Uint8Array */) {
+      const H = new Uint32Array([
+        0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19,
+      ]);
+      const len = data.length;
+      const bc = Math.ceil((len + 9) / 64);
+      const pad = new Uint8Array(bc * 64);
+      pad.set(data);
+      pad[len] = 0x80;
+      const dv = new DataView(pad.buffer);
+      dv.setUint32(pad.length - 4, (len * 8) >>> 0, false);
+      dv.setUint32(pad.length - 8, Math.floor(len / 0x20000000) >>> 0, false);
+      const W = new Uint32Array(64);
+      for (let i = 0; i < bc; i++) {
+        const bv = new DataView(pad.buffer, i * 64, 64);
+        for (let t = 0; t < 16; t++) W[t] = bv.getUint32(t * 4, false);
+        for (let t = 16; t < 64; t++) {
+          const s0 = _ror32(W[t-15],7)^_ror32(W[t-15],18)^(W[t-15]>>>3);
+          const s1 = _ror32(W[t-2],17)^_ror32(W[t-2],19)^(W[t-2]>>>10);
+          W[t] = (W[t-16]+s0+W[t-7]+s1)>>>0;
+        }
+        let a=H[0],b=H[1],c=H[2],d=H[3],e=H[4],f=H[5],g=H[6],h=H[7];
+        for (let t = 0; t < 64; t++) {
+          const S1=_ror32(e,6)^_ror32(e,11)^_ror32(e,25);
+          const ch=(e&f)^(~e&g);
+          const t1=(h+S1+ch+_SHA256_K[t]+W[t])>>>0;
+          const S0=_ror32(a,2)^_ror32(a,13)^_ror32(a,22);
+          const maj=(a&b)^(a&c)^(b&c);
+          const t2=(S0+maj)>>>0;
+          h=g;g=f;f=e;e=(d+t1)>>>0;d=c;c=b;b=a;a=(t1+t2)>>>0;
+        }
+        H[0]=(H[0]+a)>>>0;H[1]=(H[1]+b)>>>0;H[2]=(H[2]+c)>>>0;H[3]=(H[3]+d)>>>0;
+        H[4]=(H[4]+e)>>>0;H[5]=(H[5]+f)>>>0;H[6]=(H[6]+g)>>>0;H[7]=(H[7]+h)>>>0;
+      }
+      const out = new Uint8Array(32);
+      const ov = new DataView(out.buffer);
+      for (let i = 0; i < 8; i++) ov.setUint32(i*4, H[i], false);
+      return out;
+    }
+    function _hmacSha256(key, data) {
+      const BS = 64;
+      let k = key.length > BS ? _sha256(key) : key;
+      const k0 = new Uint8Array(BS); k0.set(k);
+      const ip = new Uint8Array(BS), op = new Uint8Array(BS);
+      for (let i = 0; i < BS; i++) { ip[i] = k0[i]^0x36; op[i] = k0[i]^0x5c; }
+      const inner = new Uint8Array(BS + data.length); inner.set(ip); inner.set(data, BS);
+      const ih = _sha256(inner);
+      const outer = new Uint8Array(BS + 32); outer.set(op); outer.set(ih, BS);
+      return _sha256(outer);
+    }
+    function _toBytes(v) {
+      if (typeof v === 'string') return new TextEncoder().encode(v);
+      if (v instanceof Uint8Array) return v;
+      if (v && v.buffer) return new Uint8Array(v.buffer, v.byteOffset || 0, v.byteLength);
+      return new Uint8Array(v);
+    }
+    function _encodeResult(bytes, enc) {
+      if (!enc || enc === 'buffer') return bytes;
+      if (enc === 'hex') return Array.from(bytes).map(b => b.toString(16).padStart(2,'0')).join('');
+      if (enc === 'base64') return btoa(String.fromCharCode(...bytes));
+      return bytes;
+    }
+    function _makeHasher(computeFn) {
+      const chunks = [];
+      const h = {
+        update(data) { chunks.push(_toBytes(data)); return h; },
+        digest(enc, cb) {
+          if (typeof enc === 'function') { cb = enc; enc = 'hex'; }
+          const combined = new Uint8Array(chunks.reduce((s,c) => s+c.length, 0));
+          let off = 0; for (const c of chunks) { combined.set(c, off); off += c.length; }
+          const result = _encodeResult(computeFn(combined), enc);
+          if (typeof cb === 'function') { cb(null, result); return h; }
+          return result;
+        },
+      };
+      return h;
+    }
+    // ---------------------------------------------------------------------------
+
     return {
       randomBytes(n) {
         const arr = new Uint8Array(n);
         crypto.getRandomValues(arr);
-        // Node returns a Buffer; a Uint8Array is close enough for the
-        // ways Obsidian uses it (calls .toString('hex') etc.).
         arr.toString = function (encoding) {
           if (encoding === 'hex') {
             let s = '';
-            for (let i = 0; i < this.length; i++) {
-              s += this[i].toString(16).padStart(2, '0');
-            }
+            for (let i = 0; i < this.length; i++) s += this[i].toString(16).padStart(2, '0');
             return s;
           }
           return Uint8Array.prototype.toString.call(this);
@@ -240,52 +327,42 @@ const OBSIDIAN_SCRIPTS = [
         return arr;
       },
       createHash(algo) {
-        // LIMITATION: WebCrypto's subtle.digest() is async-only — there is no
-        // synchronous hashing API in browsers. We buffer input via .update()
-        // and expose two paths on .digest():
-        //   - If called with a callback (e.g. .digest('hex', cb)): uses
-        //     subtle.digest asynchronously — actual result delivered to cb.
-        //   - If called without a callback (sync path, legacy): logs a warning
-        //     and returns an empty result. Most core Obsidian code paths that
-        //     call createHash() do so asynchronously or don't use the result
-        //     for critical logic. If a plugin breaks here, add a shim for that
-        //     specific hash use-case.
-        //
-        // Map Node algo names to WebCrypto names.
-        const algoMap = { sha1: 'SHA-1', sha256: 'SHA-256', sha512: 'SHA-512', md5: 'SHA-256' };
-        const subtleAlgo = algoMap[(algo || '').toLowerCase()] || 'SHA-256';
+        const al = (algo || '').toLowerCase().replace('-','');
+        if (al === 'sha256') return _makeHasher(_sha256);
+        // For other algos: async via SubtleCrypto; sync path returns empty.
+        const algoMap = { sha1: 'SHA-1', sha512: 'SHA-512', md5: 'SHA-256' };
+        const subtleAlgo = algoMap[al] || 'SHA-256';
         const chunks = [];
-        const hash = {
+        const h = {
           update(data) {
             chunks.push(typeof data === 'string' ? new TextEncoder().encode(data) : data);
-            return hash;
+            return h;
           },
           digest(encoding, cb) {
             if (typeof encoding === 'function') { cb = encoding; encoding = 'hex'; }
-            // Async path: caller provided a callback.
             if (typeof cb === 'function') {
               const combined = new Uint8Array(chunks.reduce((s, c) => s + c.length, 0));
               let off = 0;
               for (const c of chunks) { combined.set(c, off); off += c.length; }
               crypto.subtle.digest(subtleAlgo, combined).then((buf) => {
                 const bytes = new Uint8Array(buf);
-                if (encoding === 'hex') {
-                  let s = '';
-                  for (let i = 0; i < bytes.length; i++) s += bytes[i].toString(16).padStart(2, '0');
-                  cb(null, s);
-                } else {
-                  cb(null, bytes);
-                }
+                const s = Array.from(bytes).map(b => b.toString(16).padStart(2,'0')).join('');
+                cb(null, encoding === 'hex' ? s : bytes);
               }).catch((err) => cb(err));
-              return hash;
+              return h;
             }
-            // Sync path: no callback. WebCrypto cannot do this synchronously.
-            // Return empty and warn so we can spot if something actually relies on it.
-            console.warn('[obsidian-web] crypto.createHash(' + algo + ').digest() called synchronously — returning empty. If this causes issues, wrap the caller to use the async path.');
+            console.warn('[obsidian-web] crypto.createHash(' + algo + ').digest() sync — returning empty');
             return encoding === 'hex' ? '' : new Uint8Array(0);
           },
         };
-        return hash;
+        return h;
+      },
+      createHmac(algo, key) {
+        const al = (algo || '').toLowerCase().replace('-','');
+        const keyBytes = _toBytes(key);
+        if (al === 'sha256') return _makeHasher((data) => _hmacSha256(keyBytes, data));
+        console.warn('[obsidian-web] crypto.createHmac: unsupported algo', algo, '— returning zeros');
+        return _makeHasher(() => new Uint8Array(32));
       },
     };
   }

From 84adde157bcca685d6675d02a25c828f56b7fa2a Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 08:59:11 -0700
Subject: [PATCH 24/46] =?UTF-8?q?fix:=20polyfill=20crypto.subtle=20for=20H?=
 =?UTF-8?q?TTP=20=E2=80=94=20fixes=20ion-sync=20=5FcomputeToken=20SHA-256?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/client/boot.js | 64 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/src/client/boot.js b/src/client/boot.js
index ebe10c6..8b2274c 100644
--- a/src/client/boot.js
+++ b/src/client/boot.js
@@ -29,6 +29,70 @@ if (typeof crypto !== 'undefined' && !crypto.randomUUID) {
   };
 }
 
+// Polyfill crypto.subtle for non-secure contexts (plain HTTP on LAN).
+// Browsers only expose SubtleCrypto on HTTPS/localhost. Plugins like ion-sync
+// call crypto.subtle.digest('SHA-256', ...) for their auth token — without this
+// crypto.subtle is undefined and they throw "Cannot read properties of undefined
+// (reading 'digest')".
+if (typeof crypto !== 'undefined' && !crypto.subtle) {
+  (function () {
+    // Self-contained pure-JS SHA-256 (public domain).
+    var _K = new Uint32Array([
+      0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
+      0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
+      0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
+      0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
+      0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
+      0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
+      0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
+      0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2,
+    ]);
+    function _r(n,k){return(n>>>k)|(n<<(32-k));}
+    function _sha256(data) {
+      var H=new Uint32Array([0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19]);
+      var len=data.length,bc=Math.ceil((len+9)/64),p=new Uint8Array(bc*64);
+      p.set(data);p[len]=0x80;
+      var dv=new DataView(p.buffer);
+      dv.setUint32(p.length-4,(len*8)>>>0,false);
+      dv.setUint32(p.length-8,Math.floor(len/0x20000000)>>>0,false);
+      var W=new Uint32Array(64);
+      for(var i=0;i<bc;i++){
+        var bv=new DataView(p.buffer,i*64,64);
+        for(var t=0;t<16;t++)W[t]=bv.getUint32(t*4,false);
+        for(var t=16;t<64;t++){
+          var s0=_r(W[t-15],7)^_r(W[t-15],18)^(W[t-15]>>>3);
+          var s1=_r(W[t-2],17)^_r(W[t-2],19)^(W[t-2]>>>10);
+          W[t]=(W[t-16]+s0+W[t-7]+s1)>>>0;
+        }
+        var a=H[0],b=H[1],c=H[2],d=H[3],e=H[4],f=H[5],g=H[6],h=H[7];
+        for(var t=0;t<64;t++){
+          var S1=_r(e,6)^_r(e,11)^_r(e,25),ch=(e&f)^(~e&g);
+          var t1=(h+S1+ch+_K[t]+W[t])>>>0;
+          var S0=_r(a,2)^_r(a,13)^_r(a,22),maj=(a&b)^(a&c)^(b&c);
+          var t2=(S0+maj)>>>0;
+          h=g;g=f;f=e;e=(d+t1)>>>0;d=c;c=b;b=a;a=(t1+t2)>>>0;
+        }
+        H[0]=(H[0]+a)>>>0;H[1]=(H[1]+b)>>>0;H[2]=(H[2]+c)>>>0;H[3]=(H[3]+d)>>>0;
+        H[4]=(H[4]+e)>>>0;H[5]=(H[5]+f)>>>0;H[6]=(H[6]+g)>>>0;H[7]=(H[7]+h)>>>0;
+      }
+      var out=new Uint8Array(32),ov=new DataView(out.buffer);
+      for(var i=0;i<8;i++)ov.setUint32(i*4,H[i],false);
+      return out;
+    }
+    crypto.subtle = {
+      digest: function (algorithm, data) {
+        var name = (typeof algorithm === 'string' ? algorithm : (algorithm && algorithm.name) || '')
+          .toUpperCase().replace(/-/g, '');
+        if (name === 'SHA256') {
+          var bytes = _sha256(new Uint8Array(data instanceof ArrayBuffer ? data : data.buffer || data));
+          return Promise.resolve(bytes.buffer);
+        }
+        return Promise.reject(new Error('crypto.subtle.digest polyfill: unsupported algorithm "' + algorithm + '"'));
+      },
+    };
+  })();
+}
+
 // Ordered list of Obsidian's renderer scripts — mirrors the old <script defer>
 // list in index.html. Keep in sync with obsidian/index.html if Obsidian is
 // updated to add or remove scripts.

From a3b263633cad8136bbf280d5dca1eed4dcc18e7c Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 16:48:50 +0000
Subject: [PATCH 25/46] fix: expand crypto.subtle polyfill with AES-GCM for
 ion-sync on plain HTTP

Add importKey, deriveKey (PBKDF2 proxied to server), encrypt, decrypt.

- PBKDF2 with 100k iterations offloaded to POST /api/pbkdf2 (Node native
  crypto.pbkdf2) to avoid freezing the browser for ~10 s in pure JS.
- AES-256 forward cipher and AES-GCM (GHASH + CTR) in pure JS,
  verified byte-for-byte against Node's native AES-256-GCM output.
- digest (SHA-256) polyfill kept from prior commit.

Fixes: crypto.subtle.importKey is not a function at deriveKey (ion-sync:43)
---
 src/client/boot.js       | 1418 +++++++++++++++++++++-----------------
 src/server/api/pbkdf2.js |   57 ++
 src/server/index.js      |    2 +
 3 files changed, 859 insertions(+), 618 deletions(-)
 create mode 100644 src/server/api/pbkdf2.js

diff --git a/src/client/boot.js b/src/client/boot.js
index 8b2274c..138568e 100644
--- a/src/client/boot.js
+++ b/src/client/boot.js
@@ -1,618 +1,800 @@
-/**
- * Boot script - runs before Obsidian's code.
- *
- * Responsibilities:
- *   1. Install window.require so Obsidian's window.require("...") calls
- *      hit our shims instead of failing.
- *   2. Pre-set platform flags (window.electron, etc.) where Obsidian
- *      reads them outside of a require() call.
- *   3. Configure the vault base path that the fs shim will use.
- *   4. Fetch the bootstrap cache asynchronously (non-blocking), then
- *      inject Obsidian's scripts dynamically so the spinner stays visible
- *      (and the main thread stays unblocked) during the fetch.
- *
- * Order of script tags in index.html ensures all shim files have already
- * loaded their __ow* globals by the time this runs.
- *
- * Obsidian's scripts are NOT listed in index.html anymore. They are
- * injected here, after the async bootstrap resolves, with async=false so
- * the browser can download them in parallel but executes them in order.
- */
-
-// Polyfill crypto.randomUUID for non-secure contexts (plain HTTP on LAN).
-// Browsers restrict this API to HTTPS/localhost; plugins like ion-sync need it.
-if (typeof crypto !== 'undefined' && !crypto.randomUUID) {
-  crypto.randomUUID = function () {
-    return ([1e7] + -1e3 + -4e3 + -8e3 + -1e11).replace(/[018]/g, (c) =>
-      (c ^ crypto.getRandomValues(new Uint8Array(1))[0] & 15 >> c / 4).toString(16)
-    );
-  };
-}
-
-// Polyfill crypto.subtle for non-secure contexts (plain HTTP on LAN).
-// Browsers only expose SubtleCrypto on HTTPS/localhost. Plugins like ion-sync
-// call crypto.subtle.digest('SHA-256', ...) for their auth token — without this
-// crypto.subtle is undefined and they throw "Cannot read properties of undefined
-// (reading 'digest')".
-if (typeof crypto !== 'undefined' && !crypto.subtle) {
-  (function () {
-    // Self-contained pure-JS SHA-256 (public domain).
-    var _K = new Uint32Array([
-      0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
-      0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
-      0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
-      0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
-      0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
-      0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
-      0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
-      0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2,
-    ]);
-    function _r(n,k){return(n>>>k)|(n<<(32-k));}
-    function _sha256(data) {
-      var H=new Uint32Array([0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19]);
-      var len=data.length,bc=Math.ceil((len+9)/64),p=new Uint8Array(bc*64);
-      p.set(data);p[len]=0x80;
-      var dv=new DataView(p.buffer);
-      dv.setUint32(p.length-4,(len*8)>>>0,false);
-      dv.setUint32(p.length-8,Math.floor(len/0x20000000)>>>0,false);
-      var W=new Uint32Array(64);
-      for(var i=0;i<bc;i++){
-        var bv=new DataView(p.buffer,i*64,64);
-        for(var t=0;t<16;t++)W[t]=bv.getUint32(t*4,false);
-        for(var t=16;t<64;t++){
-          var s0=_r(W[t-15],7)^_r(W[t-15],18)^(W[t-15]>>>3);
-          var s1=_r(W[t-2],17)^_r(W[t-2],19)^(W[t-2]>>>10);
-          W[t]=(W[t-16]+s0+W[t-7]+s1)>>>0;
-        }
-        var a=H[0],b=H[1],c=H[2],d=H[3],e=H[4],f=H[5],g=H[6],h=H[7];
-        for(var t=0;t<64;t++){
-          var S1=_r(e,6)^_r(e,11)^_r(e,25),ch=(e&f)^(~e&g);
-          var t1=(h+S1+ch+_K[t]+W[t])>>>0;
-          var S0=_r(a,2)^_r(a,13)^_r(a,22),maj=(a&b)^(a&c)^(b&c);
-          var t2=(S0+maj)>>>0;
-          h=g;g=f;f=e;e=(d+t1)>>>0;d=c;c=b;b=a;a=(t1+t2)>>>0;
-        }
-        H[0]=(H[0]+a)>>>0;H[1]=(H[1]+b)>>>0;H[2]=(H[2]+c)>>>0;H[3]=(H[3]+d)>>>0;
-        H[4]=(H[4]+e)>>>0;H[5]=(H[5]+f)>>>0;H[6]=(H[6]+g)>>>0;H[7]=(H[7]+h)>>>0;
-      }
-      var out=new Uint8Array(32),ov=new DataView(out.buffer);
-      for(var i=0;i<8;i++)ov.setUint32(i*4,H[i],false);
-      return out;
-    }
-    crypto.subtle = {
-      digest: function (algorithm, data) {
-        var name = (typeof algorithm === 'string' ? algorithm : (algorithm && algorithm.name) || '')
-          .toUpperCase().replace(/-/g, '');
-        if (name === 'SHA256') {
-          var bytes = _sha256(new Uint8Array(data instanceof ArrayBuffer ? data : data.buffer || data));
-          return Promise.resolve(bytes.buffer);
-        }
-        return Promise.reject(new Error('crypto.subtle.digest polyfill: unsupported algorithm "' + algorithm + '"'));
-      },
-    };
-  })();
-}
-
-// Ordered list of Obsidian's renderer scripts — mirrors the old <script defer>
-// list in index.html. Keep in sync with obsidian/index.html if Obsidian is
-// updated to add or remove scripts.
-const OBSIDIAN_SCRIPTS = [
-  '/obsidian/lib/codemirror/codemirror.js',
-  '/obsidian/lib/codemirror/overlay.js',
-  '/obsidian/lib/codemirror/markdown.js',
-  '/obsidian/lib/codemirror/cm-addons.js',
-  '/obsidian/lib/codemirror/vim.js',
-  '/obsidian/lib/codemirror/meta.min.js',
-  '/obsidian/lib/moment.min.js',
-  '/obsidian/lib/pixi.min.js',
-  '/obsidian/lib/i18next.min.js',
-  '/obsidian/lib/scrypt.js',
-  '/obsidian/lib/turndown.js',
-  '/obsidian/enhance.js',
-  '/obsidian/i18n.js',
-  '/obsidian/app.js',
-];
-
-(function () {
-  // Many Node.js npm packages (e.g. node-forge) reference the Node.js global
-  // object as `global`. In the browser this doesn't exist; alias it to window
-  // so plugins that bundle such packages don't crash on startup.
-  if (typeof global === 'undefined') {
-    window.global = window;
-  }
-
-  const VAULT_BASE = '/vault';
-  const params = new URLSearchParams(location.search);
-  let VAULT_ID = params.get('vault') || localStorage.getItem('obsidian-web:lastVaultId') || '';
-
-  if (!VAULT_ID && location.pathname !== '/starter') {
-    location.href = '/starter';
-    return;
-  }
-
-  if (VAULT_ID) {
-    localStorage.setItem('obsidian-web:lastVaultId', VAULT_ID);
-  }
-
-  // Tell the fs shim what path prefix to strip when talking to the server.
-  window.__owFs.setVaultBase(VAULT_BASE);
-  window.__owFs.setVaultId(VAULT_ID);
-
-  // Auto-trust community plugins in demo mode so the "Do you trust this
-  // vault?" modal doesn't block first-time visitors.
-  // Obsidian checks: localStorage.getItem("enable-plugin-" + appId)
-  if (VAULT_ID) {
-    localStorage.setItem('enable-plugin-' + VAULT_ID, 'true');
-  }
-
-  // Mobile emulation: on small viewports, set the EmulateMobile flag so
-  // Obsidian activates its mobile UI (170 CSS rules + JS behavior).
-  // Obsidian reads this from localStorage before we can intervene, so it
-  // must be set before app.js loads (which it is — boot.js runs first).
-  if (window.innerWidth < 600 || window.innerHeight < 600) {
-    localStorage.setItem('EmulateMobile', '1');
-  } else {
-    localStorage.removeItem('EmulateMobile');
-  }
-
-  // Map module name -> shim object.
-  const modules = {
-    'fs':          window.__owFs,
-    'original-fs': window.__owFs,
-    'path':        window.__owPath,
-    'url':         window.__owUrl,
-    'os':          window.__owOs,
-    'electron':    window.__owElectron,
-    'btime':       window.__owBtime,
-    'crypto':      makeCryptoShim(),
-    'node:crypto': makeCryptoShim(),   // plugins that use the node: prefix
-    'util':        makeUtilShim(),
-    'node:util':   makeUtilShim(),
-    'buffer':      { Buffer: window.Buffer },   // require('buffer').Buffer
-    'process':     window.process,              // require('process')
-    // child_process: stub so plugins that optionally use it (e.g. Templater
-    // system commands) can load. Commands will fail gracefully at runtime.
-    'child_process': makeChildProcessStub(),
-    '@electron/remote': window.__owElectron.remote,
-    // keytar: server-backed credential store (replaces OS keychain)
-    'keytar': makeKeytarShim(),
-  };
-
-  function makeKeytarShim() {
-    function q(service, account) {
-      return '/api/keytar?service=' + encodeURIComponent(service) + '&account=' + encodeURIComponent(account);
-    }
-    return {
-      getPassword(service, account) {
-        return fetch(q(service, account))
-          .then(r => r.ok ? r.json().then(j => j.password) : null)
-          .catch(() => null);
-      },
-      setPassword(service, account, password) {
-        return fetch('/api/keytar', {
-          method: 'PUT',
-          headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify({ service, account, password }),
-        }).then(() => undefined);
-      },
-      deletePassword(service, account) {
-        return fetch(q(service, account), { method: 'DELETE' })
-          .then(r => r.json()).then(j => !!j.ok)
-          .catch(() => false);
-      },
-      findCredentials(service) {
-        return fetch('/api/keytar/all?service=' + encodeURIComponent(service))
-          .then(r => r.ok ? r.json() : [])
-          .catch(() => []);
-      },
-      findPassword(service) {
-        return fetch('/api/keytar/all?service=' + encodeURIComponent(service))
-          .then(r => r.ok ? r.json() : [])
-          .then(entries => entries.length ? entries[0].password : null)
-          .catch(() => null);
-      },
-      // Our server-backed store is always available
-      isEncryptionAvailable() { return true; },
-    };
-  }
-
-  function makeChildProcessStub() {
-    const ERR = new Error('[obsidian-web] child_process is not available in web mode');
-    function noop() {}
-    // Minimal EventEmitter-like object returned by spawn/exec
-    function fakeProc() {
-      return {
-        stdout: { on: noop, pipe: noop },
-        stderr: { on: noop, pipe: noop },
-        stdin:  { write: noop, end: noop },
-        on: noop, once: noop, off: noop,
-        kill: noop, pid: 0,
-      };
-    }
-    return {
-      exec(cmd, opts, cb) {
-        if (typeof opts === 'function') { cb = opts; }
-        if (typeof cb === 'function') { setTimeout(() => cb(ERR, '', ''), 0); }
-        return fakeProc();
-      },
-      execSync() { throw ERR; },
-      spawn() { return fakeProc(); },
-      spawnSync() { return { stdout: '', stderr: '', status: 1, error: ERR }; },
-      execFile(file, args, opts, cb) {
-        if (typeof opts === 'function') { cb = opts; }
-        if (typeof cb === 'function') { setTimeout(() => cb(ERR, '', ''), 0); }
-        return fakeProc();
-      },
-      fork() { return fakeProc(); },
-    };
-  }
-
-  function makeUtilShim() {
-    // Minimal Node.js `util` polyfill.
-    // promisify: wraps a (err, value) callback-style function into a Promise.
-    function promisify(fn) {
-      return function (...args) {
-        return new Promise((resolve, reject) => {
-          fn.call(this, ...args, (err, value) => {
-            if (err) reject(err);
-            else resolve(value);
-          });
-        });
-      };
-    }
-    // callbackify: inverse of promisify.
-    function callbackify(fn) {
-      return function (...args) {
-        const cb = args.pop();
-        fn.apply(this, args).then(
-          (v) => cb(null, v),
-          (e) => cb(e instanceof Error ? e : new Error(String(e))),
-        );
-      };
-    }
-    // inspect: basic stringification (subset of Node's util.inspect).
-    function inspect(obj) {
-      try { return JSON.stringify(obj); } catch (_) { return String(obj); }
-    }
-    // inherits: prototype chain helper used by older Node packages.
-    function inherits(ctor, superCtor) {
-      ctor.super_ = superCtor;
-      Object.setPrototypeOf(ctor.prototype, superCtor.prototype);
-    }
-    return { promisify, callbackify, inspect, inherits };
-  }
-
-  function makeCryptoShim() {
-    // ---- Pure-JS SHA-256 (synchronous, public domain) -------------------------
-    // Used by createHash('sha256') and createHmac('sha256', ...) so that sync
-    // callers (like ion-sync's _computeToken) get real results, not empty strings.
-    const _SHA256_K = new Uint32Array([
-      0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
-      0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
-      0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
-      0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
-      0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
-      0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
-      0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
-      0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2,
-    ]);
-    function _ror32(n, k) { return (n >>> k) | (n << (32 - k)); }
-    function _sha256(data /* Uint8Array */) {
-      const H = new Uint32Array([
-        0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19,
-      ]);
-      const len = data.length;
-      const bc = Math.ceil((len + 9) / 64);
-      const pad = new Uint8Array(bc * 64);
-      pad.set(data);
-      pad[len] = 0x80;
-      const dv = new DataView(pad.buffer);
-      dv.setUint32(pad.length - 4, (len * 8) >>> 0, false);
-      dv.setUint32(pad.length - 8, Math.floor(len / 0x20000000) >>> 0, false);
-      const W = new Uint32Array(64);
-      for (let i = 0; i < bc; i++) {
-        const bv = new DataView(pad.buffer, i * 64, 64);
-        for (let t = 0; t < 16; t++) W[t] = bv.getUint32(t * 4, false);
-        for (let t = 16; t < 64; t++) {
-          const s0 = _ror32(W[t-15],7)^_ror32(W[t-15],18)^(W[t-15]>>>3);
-          const s1 = _ror32(W[t-2],17)^_ror32(W[t-2],19)^(W[t-2]>>>10);
-          W[t] = (W[t-16]+s0+W[t-7]+s1)>>>0;
-        }
-        let a=H[0],b=H[1],c=H[2],d=H[3],e=H[4],f=H[5],g=H[6],h=H[7];
-        for (let t = 0; t < 64; t++) {
-          const S1=_ror32(e,6)^_ror32(e,11)^_ror32(e,25);
-          const ch=(e&f)^(~e&g);
-          const t1=(h+S1+ch+_SHA256_K[t]+W[t])>>>0;
-          const S0=_ror32(a,2)^_ror32(a,13)^_ror32(a,22);
-          const maj=(a&b)^(a&c)^(b&c);
-          const t2=(S0+maj)>>>0;
-          h=g;g=f;f=e;e=(d+t1)>>>0;d=c;c=b;b=a;a=(t1+t2)>>>0;
-        }
-        H[0]=(H[0]+a)>>>0;H[1]=(H[1]+b)>>>0;H[2]=(H[2]+c)>>>0;H[3]=(H[3]+d)>>>0;
-        H[4]=(H[4]+e)>>>0;H[5]=(H[5]+f)>>>0;H[6]=(H[6]+g)>>>0;H[7]=(H[7]+h)>>>0;
-      }
-      const out = new Uint8Array(32);
-      const ov = new DataView(out.buffer);
-      for (let i = 0; i < 8; i++) ov.setUint32(i*4, H[i], false);
-      return out;
-    }
-    function _hmacSha256(key, data) {
-      const BS = 64;
-      let k = key.length > BS ? _sha256(key) : key;
-      const k0 = new Uint8Array(BS); k0.set(k);
-      const ip = new Uint8Array(BS), op = new Uint8Array(BS);
-      for (let i = 0; i < BS; i++) { ip[i] = k0[i]^0x36; op[i] = k0[i]^0x5c; }
-      const inner = new Uint8Array(BS + data.length); inner.set(ip); inner.set(data, BS);
-      const ih = _sha256(inner);
-      const outer = new Uint8Array(BS + 32); outer.set(op); outer.set(ih, BS);
-      return _sha256(outer);
-    }
-    function _toBytes(v) {
-      if (typeof v === 'string') return new TextEncoder().encode(v);
-      if (v instanceof Uint8Array) return v;
-      if (v && v.buffer) return new Uint8Array(v.buffer, v.byteOffset || 0, v.byteLength);
-      return new Uint8Array(v);
-    }
-    function _encodeResult(bytes, enc) {
-      if (!enc || enc === 'buffer') return bytes;
-      if (enc === 'hex') return Array.from(bytes).map(b => b.toString(16).padStart(2,'0')).join('');
-      if (enc === 'base64') return btoa(String.fromCharCode(...bytes));
-      return bytes;
-    }
-    function _makeHasher(computeFn) {
-      const chunks = [];
-      const h = {
-        update(data) { chunks.push(_toBytes(data)); return h; },
-        digest(enc, cb) {
-          if (typeof enc === 'function') { cb = enc; enc = 'hex'; }
-          const combined = new Uint8Array(chunks.reduce((s,c) => s+c.length, 0));
-          let off = 0; for (const c of chunks) { combined.set(c, off); off += c.length; }
-          const result = _encodeResult(computeFn(combined), enc);
-          if (typeof cb === 'function') { cb(null, result); return h; }
-          return result;
-        },
-      };
-      return h;
-    }
-    // ---------------------------------------------------------------------------
-
-    return {
-      randomBytes(n) {
-        const arr = new Uint8Array(n);
-        crypto.getRandomValues(arr);
-        arr.toString = function (encoding) {
-          if (encoding === 'hex') {
-            let s = '';
-            for (let i = 0; i < this.length; i++) s += this[i].toString(16).padStart(2, '0');
-            return s;
-          }
-          return Uint8Array.prototype.toString.call(this);
-        };
-        return arr;
-      },
-      createHash(algo) {
-        const al = (algo || '').toLowerCase().replace('-','');
-        if (al === 'sha256') return _makeHasher(_sha256);
-        // For other algos: async via SubtleCrypto; sync path returns empty.
-        const algoMap = { sha1: 'SHA-1', sha512: 'SHA-512', md5: 'SHA-256' };
-        const subtleAlgo = algoMap[al] || 'SHA-256';
-        const chunks = [];
-        const h = {
-          update(data) {
-            chunks.push(typeof data === 'string' ? new TextEncoder().encode(data) : data);
-            return h;
-          },
-          digest(encoding, cb) {
-            if (typeof encoding === 'function') { cb = encoding; encoding = 'hex'; }
-            if (typeof cb === 'function') {
-              const combined = new Uint8Array(chunks.reduce((s, c) => s + c.length, 0));
-              let off = 0;
-              for (const c of chunks) { combined.set(c, off); off += c.length; }
-              crypto.subtle.digest(subtleAlgo, combined).then((buf) => {
-                const bytes = new Uint8Array(buf);
-                const s = Array.from(bytes).map(b => b.toString(16).padStart(2,'0')).join('');
-                cb(null, encoding === 'hex' ? s : bytes);
-              }).catch((err) => cb(err));
-              return h;
-            }
-            console.warn('[obsidian-web] crypto.createHash(' + algo + ').digest() sync — returning empty');
-            return encoding === 'hex' ? '' : new Uint8Array(0);
-          },
-        };
-        return h;
-      },
-      createHmac(algo, key) {
-        const al = (algo || '').toLowerCase().replace('-','');
-        const keyBytes = _toBytes(key);
-        if (al === 'sha256') return _makeHasher((data) => _hmacSha256(keyBytes, data));
-        console.warn('[obsidian-web] crypto.createHmac: unsupported algo', algo, '— returning zeros');
-        return _makeHasher(() => new Uint8Array(32));
-      },
-    };
-  }
-
-  // ── Missing-shim tracker ────────────────────────────────────────────────
-  // Collects every require(), sendSync(), and send() call that we don't handle.
-  // Inspect from DevTools: __owMissing.summary() / .table() / .list()
-  (function () {
-    const hits = new Map(); // key → { type, name, count, firstSeen, lastSeen }
-
-    function record(type, name) {
-      const key = type + ':' + name;
-      const now = Math.round(performance.now());
-      if (hits.has(key)) {
-        const e = hits.get(key);
-        e.count++;
-        e.lastSeen = now;
-      } else {
-        hits.set(key, { type, name, count: 1, firstSeen: now, lastSeen: now });
-      }
-    }
-
-    function summary() {
-      const rows = [...hits.values()].sort((a, b) => b.count - a.count);
-      if (rows.length === 0) {
-        console.log('[obsidian-web] __owMissing: nothing missing \u2713');
-        return [];
-      }
-      console.group('[obsidian-web] Missing shims — ' + rows.length + ' distinct, ' +
-        rows.reduce((s, r) => s + r.count, 0) + ' total calls');
-      console.table(rows.map(r => ({
-        type: r.type, name: r.name, count: r.count,
-        'first(ms)': r.firstSeen, 'last(ms)': r.lastSeen,
-      })));
-      console.groupEnd();
-      return rows;
-    }
-
-    window.__owMissing = { record, summary, list: () => [...hits.values()] };
-  })();
-
-  // Install window.require.
-  window.require = function (name) {
-    if (Object.prototype.hasOwnProperty.call(modules, name)) {
-      return modules[name];
-    }
-    console.warn('[obsidian-web] window.require: unknown module "' + name + '"');
-    window.__owMissing && window.__owMissing.record('require', name);
-    return undefined;
-  };
-
-  // Some Obsidian code reads window.electron directly (bypassing require).
-  window.electron = window.__owElectron;
-
-  // Some Obsidian code reads window.process.platform / arch.
-  window.process = window.process || {
-    platform: 'linux',
-    arch: 'x64',
-    versions: { electron: '0.0.0', node: '0.0.0' },
-    env: {},
-    cwd: () => '/',
-    nextTick: (fn, ...args) => Promise.resolve().then(() => fn(...args)),
-  };
-
-  // Set the global Buffer if Obsidian needs it. We don't ship a full
-  // Buffer polyfill yet - if something blows up here, that's our cue.
-  if (!window.Buffer) {
-    window.Buffer = {
-      from: (data, encoding) => {
-        if (typeof data === 'string') {
-          if (encoding === 'base64') {
-            const bin = atob(data);
-            const arr = new Uint8Array(bin.length);
-            for (let i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
-            return arr;
-          }
-          return new TextEncoder().encode(data);
-        }
-        return new Uint8Array(data);
-      },
-      isBuffer: (x) => x instanceof Uint8Array,
-      alloc: (n) => new Uint8Array(n),
-    };
-  }
-
-  // Expose the vault path where Obsidian expects to find one.
-  // It will be passed when Obsidian opens a vault; our launcher
-  // (later) tells Obsidian to open VAULT_BASE.
-  window.__obsidianWeb = {
-    vaultBase: VAULT_BASE,
-    vaultId: VAULT_ID,
-  };
-
-  console.log('[obsidian-web] boot complete; require + shims installed');
-
-  // ── Async bootstrap + dynamic script injection ──────────────────────────
-  //
-  // All synchronous setup above (window.require, shims, globals) is complete
-  // before this block runs. The fetch is async so the spinner renders
-  // immediately without blocking the main thread.
-  //
-  // After the cache is populated we inject Obsidian's scripts with async=false:
-  // the browser downloads them in parallel but executes them in insertion
-  // order, so Obsidian's dependencies are always satisfied.
-  //
-  // sendSync() / statSync() are only called AFTER app.js starts running,
-  // which is after this promise resolves — so the cache is always ready.
-  if (VAULT_ID && location.pathname !== '/starter') {
-    var statusEl = document.getElementById('ow-status');
-    var pollTimer = null;
-    var vaultParam = encodeURIComponent(VAULT_ID);
-
-    // Start polling /api/bootstrap/status after 2 seconds of waiting.
-    // Shows progress to the user during slow cold-start builds.
-    var pollDelay = setTimeout(function () {
-      pollTimer = setInterval(function () {
-        fetch('/api/bootstrap/status?vault=' + vaultParam)
-          .then(function (r) { return r.json(); })
-          .then(function (s) {
-            if (!statusEl || s.state === 'idle' || s.state === 'ready') return;
-            var text = s.label || '';
-            if (s.state === 'scanning' && s.dirs) {
-              text += ' (' + s.dirs + ' dirs, ' + (s.files || 0) + ' files)';
-            }
-            if (s.state === 'reading' && s.filesRead) {
-              text += ' (' + s.filesRead + '/' + (s.total || '?') + ')';
-            }
-            statusEl.textContent = text;
-          })
-          .catch(function () {});
-      }, 1000);
-    }, 2000);
-
-    function stopPolling() {
-      clearTimeout(pollDelay);
-      if (pollTimer) clearInterval(pollTimer);
-    }
-
-    fetch('/api/bootstrap?vault=' + vaultParam + '&full=1')
-      .then(function (res) {
-        if (!res.ok) throw new Error('HTTP ' + res.status);
-        return res.json();
-      })
-      .then(function (data) {
-        stopPolling();
-        var vault = data.electron && data.electron['vault'];
-        if (!vault || !vault.id) {
-          localStorage.removeItem('obsidian-web:lastVaultId');
-          location.href = '/starter';
-          return;
-        }
-        window.__owBootstrapCache = data;
-        if (statusEl) statusEl.textContent = 'Loading Obsidian...';
-        console.log('[obsidian-web] bootstrap loaded: ' + Object.keys(data.fs).length + ' files pre-cached');
-
-        // Inject Obsidian's scripts in order. async=false preserves execution
-        // order while allowing parallel download.
-        var loaded = 0;
-        for (var i = 0; i < OBSIDIAN_SCRIPTS.length; i++) {
-          var s = document.createElement('script');
-          s.src = OBSIDIAN_SCRIPTS[i];
-          s.async = false;
-          s.onload = function () {
-            loaded++;
-            if (statusEl) statusEl.textContent = 'Loading Obsidian (' + loaded + '/' + OBSIDIAN_SCRIPTS.length + ')';
-          };
-          document.head.appendChild(s);
-        }
-
-        // Hide the loading overlay once Obsidian's workspace element appears.
-        var overlay = document.getElementById('ow-loading');
-        if (overlay) {
-          var obs = new MutationObserver(function () {
-            if (document.querySelector('.workspace')) {
-              overlay.remove();
-              obs.disconnect();
-            }
-          });
-          obs.observe(document.body, { childList: true, subtree: true });
-        }
-      })
-      .catch(function (err) {
-        stopPolling();
-        console.warn('[obsidian-web] bootstrap failed:', err.message);
-        localStorage.removeItem('obsidian-web:lastVaultId');
-        location.href = '/starter';
-      });
-  }
-})();
+/**
+ * Boot script - runs before Obsidian's code.
+ *
+ * Responsibilities:
+ *   1. Install window.require so Obsidian's window.require("...") calls
+ *      hit our shims instead of failing.
+ *   2. Pre-set platform flags (window.electron, etc.) where Obsidian
+ *      reads them outside of a require() call.
+ *   3. Configure the vault base path that the fs shim will use.
+ *   4. Fetch the bootstrap cache asynchronously (non-blocking), then
+ *      inject Obsidian's scripts dynamically so the spinner stays visible
+ *      (and the main thread stays unblocked) during the fetch.
+ *
+ * Order of script tags in index.html ensures all shim files have already
+ * loaded their __ow* globals by the time this runs.
+ *
+ * Obsidian's scripts are NOT listed in index.html anymore. They are
+ * injected here, after the async bootstrap resolves, with async=false so
+ * the browser can download them in parallel but executes them in order.
+ */
+
+// Polyfill crypto.randomUUID for non-secure contexts (plain HTTP on LAN).
+// Browsers restrict this API to HTTPS/localhost; plugins like ion-sync need it.
+if (typeof crypto !== 'undefined' && !crypto.randomUUID) {
+  crypto.randomUUID = function () {
+    return ([1e7] + -1e3 + -4e3 + -8e3 + -1e11).replace(/[018]/g, (c) =>
+      (c ^ crypto.getRandomValues(new Uint8Array(1))[0] & 15 >> c / 4).toString(16)
+    );
+  };
+}
+
+// Polyfill crypto.subtle for non-secure contexts (plain HTTP on LAN).
+// Browsers only expose SubtleCrypto on HTTPS/localhost. Plugins like ion-sync
+// call digest / importKey / deriveKey / encrypt / decrypt — without this they
+// throw "Cannot read properties of undefined (reading 'digest')" etc.
+if (typeof crypto !== 'undefined' && !crypto.subtle) {
+  (function () {
+
+    // ── helpers ────────────────────────────────────────────────────────────
+    function _toU8(x) {
+      if (x instanceof Uint8Array) return x;
+      if (x instanceof ArrayBuffer) return new Uint8Array(x);
+      if (x && x.buffer instanceof ArrayBuffer) return new Uint8Array(x.buffer, x.byteOffset, x.byteLength);
+      return new Uint8Array(x);
+    }
+
+    // ── SHA-256 (pure JS, public domain) ──────────────────────────────────
+    var _K = new Uint32Array([
+      0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
+      0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
+      0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
+      0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
+      0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
+      0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
+      0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
+      0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2,
+    ]);
+    function _r(n,k){return(n>>>k)|(n<<(32-k));}
+    function _sha256(data) {
+      var H=new Uint32Array([0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19]);
+      var len=data.length,bc=Math.ceil((len+9)/64),p=new Uint8Array(bc*64);
+      p.set(data);p[len]=0x80;
+      var dv=new DataView(p.buffer);
+      dv.setUint32(p.length-4,(len*8)>>>0,false);
+      dv.setUint32(p.length-8,Math.floor(len/0x20000000)>>>0,false);
+      var W=new Uint32Array(64);
+      for(var i=0;i<bc;i++){
+        var bv=new DataView(p.buffer,i*64,64);
+        for(var t=0;t<16;t++)W[t]=bv.getUint32(t*4,false);
+        for(var t=16;t<64;t++){var s0=_r(W[t-15],7)^_r(W[t-15],18)^(W[t-15]>>>3);var s1=_r(W[t-2],17)^_r(W[t-2],19)^(W[t-2]>>>10);W[t]=(W[t-16]+s0+W[t-7]+s1)>>>0;}
+        var a=H[0],b=H[1],c=H[2],d=H[3],e=H[4],f=H[5],g=H[6],h=H[7];
+        for(var t=0;t<64;t++){var S1=_r(e,6)^_r(e,11)^_r(e,25),ch=(e&f)^(~e&g);var t1=(h+S1+ch+_K[t]+W[t])>>>0;var S0=_r(a,2)^_r(a,13)^_r(a,22),maj=(a&b)^(a&c)^(b&c);var t2=(S0+maj)>>>0;h=g;g=f;f=e;e=(d+t1)>>>0;d=c;c=b;b=a;a=(t1+t2)>>>0;}
+        H[0]=(H[0]+a)>>>0;H[1]=(H[1]+b)>>>0;H[2]=(H[2]+c)>>>0;H[3]=(H[3]+d)>>>0;
+        H[4]=(H[4]+e)>>>0;H[5]=(H[5]+f)>>>0;H[6]=(H[6]+g)>>>0;H[7]=(H[7]+h)>>>0;
+      }
+      var out=new Uint8Array(32),ov=new DataView(out.buffer);
+      for(var i=0;i<8;i++)ov.setUint32(i*4,H[i],false);
+      return out;
+    }
+
+    // ── AES-256 forward cipher (pure JS) ──────────────────────────────────
+    // S-box (forward)
+    var _AS = new Uint8Array([99,124,119,123,242,107,111,197,48,1,103,43,254,215,171,118,202,130,201,125,250,89,71,240,173,212,162,175,156,164,114,192,183,253,147,38,54,63,247,204,52,165,229,241,113,216,49,21,4,199,35,195,24,150,5,154,7,18,128,226,235,39,178,117,9,131,44,26,27,110,90,160,82,59,214,179,41,227,47,132,83,209,0,237,32,252,177,91,106,203,190,57,74,76,88,207,208,239,170,251,67,77,51,133,69,249,2,127,80,60,159,168,81,163,64,143,146,157,56,245,188,182,218,33,16,255,243,210,205,12,19,236,95,151,68,23,196,167,126,61,100,93,25,115,96,129,79,220,34,42,144,136,70,238,184,20,222,94,11,219,224,50,58,10,73,6,36,92,194,211,172,98,145,149,228,121,231,200,55,109,141,213,78,169,108,86,244,234,101,122,174,8,186,120,37,46,28,166,180,198,232,221,116,31,75,189,139,138,112,62,181,102,72,3,246,14,97,53,87,185,134,193,29,158,225,248,152,17,105,217,142,148,155,30,135,233,206,85,40,223,140,161,137,13,191,230,66,104,65,153,45,15,176,84,187,22]);
+    // Round constants for AES-256 key schedule (7 values needed: rounds at i=8,16,…,56)
+    var _ARC = new Uint32Array([0x01000000,0x02000000,0x04000000,0x08000000,0x10000000,0x20000000,0x40000000]);
+    // GF(2^8) × 2 table
+    var _AX2 = new Uint8Array(256);
+    for (var _ai=0;_ai<256;_ai++) _AX2[_ai]=((_ai<<1)^(_ai&0x80?0x1b:0))&0xff;
+
+    function _aesKeyExp(key) {
+      // key: 32-byte Uint8Array → 60-word key schedule (AES-256, 14 rounds)
+      var W=new Uint32Array(60);
+      for (var i=0;i<8;i++) W[i]=(key[4*i]<<24)|(key[4*i+1]<<16)|(key[4*i+2]<<8)|key[4*i+3];
+      for (var i=8;i<60;i++) {
+        var t=W[i-1];
+        if (i%8===0) {
+          // SubWord(RotWord(t)) XOR Rcon
+          t=(_AS[(t>>16)&0xff]<<24)|(_AS[(t>>8)&0xff]<<16)|(_AS[t&0xff]<<8)|_AS[(t>>24)&0xff];
+          t^=_ARC[(i>>3)-1];
+        } else if (i%8===4) {
+          t=(_AS[(t>>24)&0xff]<<24)|(_AS[(t>>16)&0xff]<<16)|(_AS[(t>>8)&0xff]<<8)|_AS[t&0xff];
+        }
+        W[i]=W[i-8]^t;
+      }
+      return W;
+    }
+
+    function _aesEnc(blk, W) {
+      // Encrypt one 16-byte block. State is column-major: column c = bytes s[4c..4c+3].
+      var s=new Uint8Array(16); s.set(blk);
+      // Round 0: AddRoundKey
+      for (var c=0;c<4;c++){var w=W[c];s[4*c]^=(w>>24)&0xff;s[4*c+1]^=(w>>16)&0xff;s[4*c+2]^=(w>>8)&0xff;s[4*c+3]^=w&0xff;}
+      for (var round=1;round<=14;round++) {
+        // SubBytes
+        for (var i=0;i<16;i++) s[i]=_AS[s[i]];
+        // ShiftRows: row r (= indices r,4+r,8+r,12+r) shifts left by r
+        var t;
+        t=s[1];s[1]=s[5];s[5]=s[9];s[9]=s[13];s[13]=t;         // row 1: shift-left 1
+        t=s[2];s[2]=s[10];s[10]=t; t=s[6];s[6]=s[14];s[14]=t;  // row 2: shift-left 2
+        t=s[15];s[15]=s[11];s[11]=s[7];s[7]=s[3];s[3]=t;        // row 3: shift-left 3
+        // MixColumns (skipped in last round)
+        if (round<14) {
+          for (var c=0;c<4;c++) {
+            var i=4*c,a=s[i],b=s[i+1],cc=s[i+2],d=s[i+3];
+            s[i]  =_AX2[a]^_AX2[b]^b^cc^d;
+            s[i+1]=a^_AX2[b]^_AX2[cc]^cc^d;
+            s[i+2]=a^b^_AX2[cc]^_AX2[d]^d;
+            s[i+3]=_AX2[a]^a^b^cc^_AX2[d];
+          }
+        }
+        // AddRoundKey
+        for (var c=0;c<4;c++){var w=W[round*4+c];s[4*c]^=(w>>24)&0xff;s[4*c+1]^=(w>>16)&0xff;s[4*c+2]^=(w>>8)&0xff;s[4*c+3]^=w&0xff;}
+      }
+      return s;
+    }
+
+    // ── AES-GCM ───────────────────────────────────────────────────────────
+    // GF(2^128) multiply per GCM spec: R = 0xe1 followed by 15 zero bytes.
+    function _gcmMul(X, Y) {
+      var Z=new Uint8Array(16), V=new Uint8Array(Y);
+      for (var i=0;i<16;i++) {
+        for (var j=7;j>=0;j--) {
+          if ((X[i]>>j)&1) for (var k=0;k<16;k++) Z[k]^=V[k];
+          var lsb=V[15]&1;
+          for (var k=15;k>0;k--) V[k]=(V[k]>>>1)|((V[k-1]&1)<<7);
+          V[0]=V[0]>>>1;
+          if (lsb) V[0]^=0xe1;
+        }
+      }
+      return Z;
+    }
+
+    // Compute GCM auth tag: GHASH(pad(AAD)||pad(CT)||len64(AAD)||len64(CT)) then XOR AES(J0).
+    function _gcmTag(W, H, J0, ct, aad) {
+      var ap=(16-aad.length%16)%16, cp=(16-ct.length%16)%16;
+      var buf=new Uint8Array(aad.length+ap+ct.length+cp+16);
+      buf.set(aad,0); buf.set(ct,aad.length+ap);
+      var lo=aad.length+ap+ct.length+cp;
+      var ab=aad.length*8, cb=ct.length*8;
+      // 64-bit big-endian lengths (upper 32 bits are 0 for files < 512 MB)
+      buf[lo+4]=(ab>>>24)&0xff;buf[lo+5]=(ab>>>16)&0xff;buf[lo+6]=(ab>>>8)&0xff;buf[lo+7]=ab&0xff;
+      buf[lo+12]=(cb>>>24)&0xff;buf[lo+13]=(cb>>>16)&0xff;buf[lo+14]=(cb>>>8)&0xff;buf[lo+15]=cb&0xff;
+      // GHASH
+      var Y=new Uint8Array(16);
+      for (var i=0;i<buf.length;i+=16) {
+        var blk=new Uint8Array(16); blk.set(buf.slice(i,i+16));
+        for (var j=0;j<16;j++) Y[j]^=blk[j];
+        Y=_gcmMul(Y,H);
+      }
+      // T = AES(J0) XOR GHASH
+      var EJ=_aesEnc(J0,W), T=new Uint8Array(16);
+      for (var i=0;i<16;i++) T[i]=EJ[i]^Y[i];
+      return T;
+    }
+
+    // CTR-mode keystream: counter starts at INC32(J0), increments for each 16-byte block.
+    function _gcmCtr(W, J0, data) {
+      var ctr=new Uint8Array(J0), out=new Uint8Array(data.length);
+      for (var i=0;i<data.length;i+=16) {
+        var v=((ctr[12]<<24)|(ctr[13]<<16)|(ctr[14]<<8)|ctr[15]);
+        v=(v+1)>>>0;
+        ctr[12]=(v>>24)&0xff;ctr[13]=(v>>16)&0xff;ctr[14]=(v>>8)&0xff;ctr[15]=v&0xff;
+        var ks=_aesEnc(ctr,W);
+        for (var j=0;j<Math.min(16,data.length-i);j++) out[i+j]=data[i+j]^ks[j];
+      }
+      return out;
+    }
+
+    // ── CryptoKey shim ────────────────────────────────────────────────────
+    function _OWKey(data, alg) { this.__ow_data=data; this.__ow_alg=alg; }
+
+    // ── crypto.subtle ─────────────────────────────────────────────────────
+    crypto.subtle = {
+
+      // SHA-256 only
+      digest: function (algorithm, data) {
+        var name=(typeof algorithm==='string'?algorithm:(algorithm&&algorithm.name)||'')
+          .toUpperCase().replace(/-/g,'');
+        if (name==='SHA256') return Promise.resolve(_sha256(_toU8(data)).buffer);
+        return Promise.reject(new Error('[polyfill] crypto.subtle.digest: unsupported "'+algorithm+'"'));
+      },
+
+      // Wrap raw key material for later use by deriveKey / encrypt / decrypt
+      importKey: function (format, keyData, algorithm, extractable, usages) {
+        if (format==='raw') {
+          var alg=(typeof algorithm==='string'?algorithm:(algorithm&&algorithm.name)||'').toUpperCase();
+          return Promise.resolve(new _OWKey(_toU8(keyData), alg));
+        }
+        return Promise.reject(new Error('[polyfill] crypto.subtle.importKey: unsupported format "'+format+'"'));
+      },
+
+      // PBKDF2 only — offloaded to /api/pbkdf2 (native Node crypto) because
+      // 100 000 iterations of pure-JS SHA-256 would freeze the browser for ~10 s.
+      deriveKey: function (algorithm, baseKey, derivedKeyType, extractable, usages) {
+        var algName=(typeof algorithm==='string'?algorithm:(algorithm&&algorithm.name)||'').toUpperCase();
+        if (algName==='PBKDF2') {
+          var salt=_toU8(algorithm.salt), iters=algorithm.iterations;
+          var dkLen=((derivedKeyType&&derivedKeyType.length)||256)/8;
+          var pwHex=Array.from(baseKey.__ow_data).map(function(b){return b.toString(16).padStart(2,'0');}).join('');
+          var saltHex=Array.from(salt).map(function(b){return b.toString(16).padStart(2,'0');}).join('');
+          return fetch('/api/pbkdf2',{
+            method:'POST',
+            headers:{'Content-Type':'application/json'},
+            body:JSON.stringify({password:pwHex,salt:saltHex,iterations:iters,keyLen:dkLen})
+          }).then(function(r){
+            if(!r.ok) throw new Error('[polyfill] /api/pbkdf2 returned '+r.status);
+            return r.json();
+          }).then(function(d){
+            var dk=new Uint8Array(dkLen);
+            for (var i=0;i<dkLen;i++) dk[i]=parseInt(d.key.slice(i*2,i*2+2),16);
+            return new _OWKey(dk,'AES-GCM');
+          });
+        }
+        return Promise.reject(new Error('[polyfill] crypto.subtle.deriveKey: unsupported "'+algName+'"'));
+      },
+
+      // AES-GCM encrypt — returns ArrayBuffer of ciphertext || 16-byte auth tag
+      encrypt: function (algorithm, key, data) {
+        var name=(typeof algorithm==='string'?algorithm:(algorithm&&algorithm.name)||'').toUpperCase();
+        if (name==='AES-GCM') {
+          try {
+            var iv=_toU8(algorithm.iv), pt=_toU8(data);
+            var W=_aesKeyExp(key.__ow_data);
+            var H=_aesEnc(new Uint8Array(16),W);
+            var J0=new Uint8Array(16); J0.set(iv.slice(0,12)); J0[15]=1;
+            var ct=_gcmCtr(W,J0,pt);
+            var tag=_gcmTag(W,H,J0,ct,new Uint8Array(0));
+            var out=new Uint8Array(ct.length+16); out.set(ct); out.set(tag,ct.length);
+            return Promise.resolve(out.buffer);
+          } catch(e) { return Promise.reject(e); }
+        }
+        return Promise.reject(new Error('[polyfill] crypto.subtle.encrypt: unsupported "'+name+'"'));
+      },
+
+      // AES-GCM decrypt — input is ciphertext || 16-byte auth tag
+      decrypt: function (algorithm, key, data) {
+        var name=(typeof algorithm==='string'?algorithm:(algorithm&&algorithm.name)||'').toUpperCase();
+        if (name==='AES-GCM') {
+          try {
+            var iv=_toU8(algorithm.iv), buf=_toU8(data);
+            if (buf.length<16) throw new Error('[polyfill] AES-GCM: data too short');
+            var ct=buf.slice(0,buf.length-16), tag=buf.slice(buf.length-16);
+            var W=_aesKeyExp(key.__ow_data);
+            var H=_aesEnc(new Uint8Array(16),W);
+            var J0=new Uint8Array(16); J0.set(iv.slice(0,12)); J0[15]=1;
+            var expectedTag=_gcmTag(W,H,J0,ct,new Uint8Array(0));
+            var ok=true; for (var i=0;i<16;i++) ok=ok&&(tag[i]===expectedTag[i]);
+            if (!ok) return Promise.reject(new DOMException('AES-GCM: tag mismatch','OperationError'));
+            return Promise.resolve(_gcmCtr(W,J0,ct).buffer);
+          } catch(e) { return Promise.reject(e); }
+        }
+        return Promise.reject(new Error('[polyfill] crypto.subtle.decrypt: unsupported "'+name+'"'));
+      },
+    };
+  })();
+}
+
+// Ordered list of Obsidian's renderer scripts — mirrors the old <script defer>
+// list in index.html. Keep in sync with obsidian/index.html if Obsidian is
+// updated to add or remove scripts.
+const OBSIDIAN_SCRIPTS = [
+  '/obsidian/lib/codemirror/codemirror.js',
+  '/obsidian/lib/codemirror/overlay.js',
+  '/obsidian/lib/codemirror/markdown.js',
+  '/obsidian/lib/codemirror/cm-addons.js',
+  '/obsidian/lib/codemirror/vim.js',
+  '/obsidian/lib/codemirror/meta.min.js',
+  '/obsidian/lib/moment.min.js',
+  '/obsidian/lib/pixi.min.js',
+  '/obsidian/lib/i18next.min.js',
+  '/obsidian/lib/scrypt.js',
+  '/obsidian/lib/turndown.js',
+  '/obsidian/enhance.js',
+  '/obsidian/i18n.js',
+  '/obsidian/app.js',
+];
+
+(function () {
+  // Many Node.js npm packages (e.g. node-forge) reference the Node.js global
+  // object as `global`. In the browser this doesn't exist; alias it to window
+  // so plugins that bundle such packages don't crash on startup.
+  if (typeof global === 'undefined') {
+    window.global = window;
+  }
+
+  const VAULT_BASE = '/vault';
+  const params = new URLSearchParams(location.search);
+  let VAULT_ID = params.get('vault') || localStorage.getItem('obsidian-web:lastVaultId') || '';
+
+  if (!VAULT_ID && location.pathname !== '/starter') {
+    location.href = '/starter';
+    return;
+  }
+
+  if (VAULT_ID) {
+    localStorage.setItem('obsidian-web:lastVaultId', VAULT_ID);
+  }
+
+  // Tell the fs shim what path prefix to strip when talking to the server.
+  window.__owFs.setVaultBase(VAULT_BASE);
+  window.__owFs.setVaultId(VAULT_ID);
+
+  // Auto-trust community plugins in demo mode so the "Do you trust this
+  // vault?" modal doesn't block first-time visitors.
+  // Obsidian checks: localStorage.getItem("enable-plugin-" + appId)
+  if (VAULT_ID) {
+    localStorage.setItem('enable-plugin-' + VAULT_ID, 'true');
+  }
+
+  // Mobile emulation: on small viewports, set the EmulateMobile flag so
+  // Obsidian activates its mobile UI (170 CSS rules + JS behavior).
+  // Obsidian reads this from localStorage before we can intervene, so it
+  // must be set before app.js loads (which it is — boot.js runs first).
+  if (window.innerWidth < 600 || window.innerHeight < 600) {
+    localStorage.setItem('EmulateMobile', '1');
+  } else {
+    localStorage.removeItem('EmulateMobile');
+  }
+
+  // Map module name -> shim object.
+  const modules = {
+    'fs':          window.__owFs,
+    'original-fs': window.__owFs,
+    'path':        window.__owPath,
+    'url':         window.__owUrl,
+    'os':          window.__owOs,
+    'electron':    window.__owElectron,
+    'btime':       window.__owBtime,
+    'crypto':      makeCryptoShim(),
+    'node:crypto': makeCryptoShim(),   // plugins that use the node: prefix
+    'util':        makeUtilShim(),
+    'node:util':   makeUtilShim(),
+    'buffer':      { Buffer: window.Buffer },   // require('buffer').Buffer
+    'process':     window.process,              // require('process')
+    // child_process: stub so plugins that optionally use it (e.g. Templater
+    // system commands) can load. Commands will fail gracefully at runtime.
+    'child_process': makeChildProcessStub(),
+    '@electron/remote': window.__owElectron.remote,
+    // keytar: server-backed credential store (replaces OS keychain)
+    'keytar': makeKeytarShim(),
+  };
+
+  function makeKeytarShim() {
+    function q(service, account) {
+      return '/api/keytar?service=' + encodeURIComponent(service) + '&account=' + encodeURIComponent(account);
+    }
+    return {
+      getPassword(service, account) {
+        return fetch(q(service, account))
+          .then(r => r.ok ? r.json().then(j => j.password) : null)
+          .catch(() => null);
+      },
+      setPassword(service, account, password) {
+        return fetch('/api/keytar', {
+          method: 'PUT',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ service, account, password }),
+        }).then(() => undefined);
+      },
+      deletePassword(service, account) {
+        return fetch(q(service, account), { method: 'DELETE' })
+          .then(r => r.json()).then(j => !!j.ok)
+          .catch(() => false);
+      },
+      findCredentials(service) {
+        return fetch('/api/keytar/all?service=' + encodeURIComponent(service))
+          .then(r => r.ok ? r.json() : [])
+          .catch(() => []);
+      },
+      findPassword(service) {
+        return fetch('/api/keytar/all?service=' + encodeURIComponent(service))
+          .then(r => r.ok ? r.json() : [])
+          .then(entries => entries.length ? entries[0].password : null)
+          .catch(() => null);
+      },
+      // Our server-backed store is always available
+      isEncryptionAvailable() { return true; },
+    };
+  }
+
+  function makeChildProcessStub() {
+    const ERR = new Error('[obsidian-web] child_process is not available in web mode');
+    function noop() {}
+    // Minimal EventEmitter-like object returned by spawn/exec
+    function fakeProc() {
+      return {
+        stdout: { on: noop, pipe: noop },
+        stderr: { on: noop, pipe: noop },
+        stdin:  { write: noop, end: noop },
+        on: noop, once: noop, off: noop,
+        kill: noop, pid: 0,
+      };
+    }
+    return {
+      exec(cmd, opts, cb) {
+        if (typeof opts === 'function') { cb = opts; }
+        if (typeof cb === 'function') { setTimeout(() => cb(ERR, '', ''), 0); }
+        return fakeProc();
+      },
+      execSync() { throw ERR; },
+      spawn() { return fakeProc(); },
+      spawnSync() { return { stdout: '', stderr: '', status: 1, error: ERR }; },
+      execFile(file, args, opts, cb) {
+        if (typeof opts === 'function') { cb = opts; }
+        if (typeof cb === 'function') { setTimeout(() => cb(ERR, '', ''), 0); }
+        return fakeProc();
+      },
+      fork() { return fakeProc(); },
+    };
+  }
+
+  function makeUtilShim() {
+    // Minimal Node.js `util` polyfill.
+    // promisify: wraps a (err, value) callback-style function into a Promise.
+    function promisify(fn) {
+      return function (...args) {
+        return new Promise((resolve, reject) => {
+          fn.call(this, ...args, (err, value) => {
+            if (err) reject(err);
+            else resolve(value);
+          });
+        });
+      };
+    }
+    // callbackify: inverse of promisify.
+    function callbackify(fn) {
+      return function (...args) {
+        const cb = args.pop();
+        fn.apply(this, args).then(
+          (v) => cb(null, v),
+          (e) => cb(e instanceof Error ? e : new Error(String(e))),
+        );
+      };
+    }
+    // inspect: basic stringification (subset of Node's util.inspect).
+    function inspect(obj) {
+      try { return JSON.stringify(obj); } catch (_) { return String(obj); }
+    }
+    // inherits: prototype chain helper used by older Node packages.
+    function inherits(ctor, superCtor) {
+      ctor.super_ = superCtor;
+      Object.setPrototypeOf(ctor.prototype, superCtor.prototype);
+    }
+    return { promisify, callbackify, inspect, inherits };
+  }
+
+  function makeCryptoShim() {
+    // ---- Pure-JS SHA-256 (synchronous, public domain) -------------------------
+    // Used by createHash('sha256') and createHmac('sha256', ...) so that sync
+    // callers (like ion-sync's _computeToken) get real results, not empty strings.
+    const _SHA256_K = new Uint32Array([
+      0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
+      0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
+      0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
+      0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
+      0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
+      0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
+      0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
+      0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2,
+    ]);
+    function _ror32(n, k) { return (n >>> k) | (n << (32 - k)); }
+    function _sha256(data /* Uint8Array */) {
+      const H = new Uint32Array([
+        0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19,
+      ]);
+      const len = data.length;
+      const bc = Math.ceil((len + 9) / 64);
+      const pad = new Uint8Array(bc * 64);
+      pad.set(data);
+      pad[len] = 0x80;
+      const dv = new DataView(pad.buffer);
+      dv.setUint32(pad.length - 4, (len * 8) >>> 0, false);
+      dv.setUint32(pad.length - 8, Math.floor(len / 0x20000000) >>> 0, false);
+      const W = new Uint32Array(64);
+      for (let i = 0; i < bc; i++) {
+        const bv = new DataView(pad.buffer, i * 64, 64);
+        for (let t = 0; t < 16; t++) W[t] = bv.getUint32(t * 4, false);
+        for (let t = 16; t < 64; t++) {
+          const s0 = _ror32(W[t-15],7)^_ror32(W[t-15],18)^(W[t-15]>>>3);
+          const s1 = _ror32(W[t-2],17)^_ror32(W[t-2],19)^(W[t-2]>>>10);
+          W[t] = (W[t-16]+s0+W[t-7]+s1)>>>0;
+        }
+        let a=H[0],b=H[1],c=H[2],d=H[3],e=H[4],f=H[5],g=H[6],h=H[7];
+        for (let t = 0; t < 64; t++) {
+          const S1=_ror32(e,6)^_ror32(e,11)^_ror32(e,25);
+          const ch=(e&f)^(~e&g);
+          const t1=(h+S1+ch+_SHA256_K[t]+W[t])>>>0;
+          const S0=_ror32(a,2)^_ror32(a,13)^_ror32(a,22);
+          const maj=(a&b)^(a&c)^(b&c);
+          const t2=(S0+maj)>>>0;
+          h=g;g=f;f=e;e=(d+t1)>>>0;d=c;c=b;b=a;a=(t1+t2)>>>0;
+        }
+        H[0]=(H[0]+a)>>>0;H[1]=(H[1]+b)>>>0;H[2]=(H[2]+c)>>>0;H[3]=(H[3]+d)>>>0;
+        H[4]=(H[4]+e)>>>0;H[5]=(H[5]+f)>>>0;H[6]=(H[6]+g)>>>0;H[7]=(H[7]+h)>>>0;
+      }
+      const out = new Uint8Array(32);
+      const ov = new DataView(out.buffer);
+      for (let i = 0; i < 8; i++) ov.setUint32(i*4, H[i], false);
+      return out;
+    }
+    function _hmacSha256(key, data) {
+      const BS = 64;
+      let k = key.length > BS ? _sha256(key) : key;
+      const k0 = new Uint8Array(BS); k0.set(k);
+      const ip = new Uint8Array(BS), op = new Uint8Array(BS);
+      for (let i = 0; i < BS; i++) { ip[i] = k0[i]^0x36; op[i] = k0[i]^0x5c; }
+      const inner = new Uint8Array(BS + data.length); inner.set(ip); inner.set(data, BS);
+      const ih = _sha256(inner);
+      const outer = new Uint8Array(BS + 32); outer.set(op); outer.set(ih, BS);
+      return _sha256(outer);
+    }
+    function _toBytes(v) {
+      if (typeof v === 'string') return new TextEncoder().encode(v);
+      if (v instanceof Uint8Array) return v;
+      if (v && v.buffer) return new Uint8Array(v.buffer, v.byteOffset || 0, v.byteLength);
+      return new Uint8Array(v);
+    }
+    function _encodeResult(bytes, enc) {
+      if (!enc || enc === 'buffer') return bytes;
+      if (enc === 'hex') return Array.from(bytes).map(b => b.toString(16).padStart(2,'0')).join('');
+      if (enc === 'base64') return btoa(String.fromCharCode(...bytes));
+      return bytes;
+    }
+    function _makeHasher(computeFn) {
+      const chunks = [];
+      const h = {
+        update(data) { chunks.push(_toBytes(data)); return h; },
+        digest(enc, cb) {
+          if (typeof enc === 'function') { cb = enc; enc = 'hex'; }
+          const combined = new Uint8Array(chunks.reduce((s,c) => s+c.length, 0));
+          let off = 0; for (const c of chunks) { combined.set(c, off); off += c.length; }
+          const result = _encodeResult(computeFn(combined), enc);
+          if (typeof cb === 'function') { cb(null, result); return h; }
+          return result;
+        },
+      };
+      return h;
+    }
+    // ---------------------------------------------------------------------------
+
+    return {
+      randomBytes(n) {
+        const arr = new Uint8Array(n);
+        crypto.getRandomValues(arr);
+        arr.toString = function (encoding) {
+          if (encoding === 'hex') {
+            let s = '';
+            for (let i = 0; i < this.length; i++) s += this[i].toString(16).padStart(2, '0');
+            return s;
+          }
+          return Uint8Array.prototype.toString.call(this);
+        };
+        return arr;
+      },
+      createHash(algo) {
+        const al = (algo || '').toLowerCase().replace('-','');
+        if (al === 'sha256') return _makeHasher(_sha256);
+        // For other algos: async via SubtleCrypto; sync path returns empty.
+        const algoMap = { sha1: 'SHA-1', sha512: 'SHA-512', md5: 'SHA-256' };
+        const subtleAlgo = algoMap[al] || 'SHA-256';
+        const chunks = [];
+        const h = {
+          update(data) {
+            chunks.push(typeof data === 'string' ? new TextEncoder().encode(data) : data);
+            return h;
+          },
+          digest(encoding, cb) {
+            if (typeof encoding === 'function') { cb = encoding; encoding = 'hex'; }
+            if (typeof cb === 'function') {
+              const combined = new Uint8Array(chunks.reduce((s, c) => s + c.length, 0));
+              let off = 0;
+              for (const c of chunks) { combined.set(c, off); off += c.length; }
+              crypto.subtle.digest(subtleAlgo, combined).then((buf) => {
+                const bytes = new Uint8Array(buf);
+                const s = Array.from(bytes).map(b => b.toString(16).padStart(2,'0')).join('');
+                cb(null, encoding === 'hex' ? s : bytes);
+              }).catch((err) => cb(err));
+              return h;
+            }
+            console.warn('[obsidian-web] crypto.createHash(' + algo + ').digest() sync — returning empty');
+            return encoding === 'hex' ? '' : new Uint8Array(0);
+          },
+        };
+        return h;
+      },
+      createHmac(algo, key) {
+        const al = (algo || '').toLowerCase().replace('-','');
+        const keyBytes = _toBytes(key);
+        if (al === 'sha256') return _makeHasher((data) => _hmacSha256(keyBytes, data));
+        console.warn('[obsidian-web] crypto.createHmac: unsupported algo', algo, '— returning zeros');
+        return _makeHasher(() => new Uint8Array(32));
+      },
+    };
+  }
+
+  // ── Missing-shim tracker ────────────────────────────────────────────────
+  // Collects every require(), sendSync(), and send() call that we don't handle.
+  // Inspect from DevTools: __owMissing.summary() / .table() / .list()
+  (function () {
+    const hits = new Map(); // key → { type, name, count, firstSeen, lastSeen }
+
+    function record(type, name) {
+      const key = type + ':' + name;
+      const now = Math.round(performance.now());
+      if (hits.has(key)) {
+        const e = hits.get(key);
+        e.count++;
+        e.lastSeen = now;
+      } else {
+        hits.set(key, { type, name, count: 1, firstSeen: now, lastSeen: now });
+      }
+    }
+
+    function summary() {
+      const rows = [...hits.values()].sort((a, b) => b.count - a.count);
+      if (rows.length === 0) {
+        console.log('[obsidian-web] __owMissing: nothing missing \u2713');
+        return [];
+      }
+      console.group('[obsidian-web] Missing shims — ' + rows.length + ' distinct, ' +
+        rows.reduce((s, r) => s + r.count, 0) + ' total calls');
+      console.table(rows.map(r => ({
+        type: r.type, name: r.name, count: r.count,
+        'first(ms)': r.firstSeen, 'last(ms)': r.lastSeen,
+      })));
+      console.groupEnd();
+      return rows;
+    }
+
+    window.__owMissing = { record, summary, list: () => [...hits.values()] };
+  })();
+
+  // Install window.require.
+  window.require = function (name) {
+    if (Object.prototype.hasOwnProperty.call(modules, name)) {
+      return modules[name];
+    }
+    console.warn('[obsidian-web] window.require: unknown module "' + name + '"');
+    window.__owMissing && window.__owMissing.record('require', name);
+    return undefined;
+  };
+
+  // Some Obsidian code reads window.electron directly (bypassing require).
+  window.electron = window.__owElectron;
+
+  // Some Obsidian code reads window.process.platform / arch.
+  window.process = window.process || {
+    platform: 'linux',
+    arch: 'x64',
+    versions: { electron: '0.0.0', node: '0.0.0' },
+    env: {},
+    cwd: () => '/',
+    nextTick: (fn, ...args) => Promise.resolve().then(() => fn(...args)),
+  };
+
+  // Set the global Buffer if Obsidian needs it. We don't ship a full
+  // Buffer polyfill yet - if something blows up here, that's our cue.
+  if (!window.Buffer) {
+    window.Buffer = {
+      from: (data, encoding) => {
+        if (typeof data === 'string') {
+          if (encoding === 'base64') {
+            const bin = atob(data);
+            const arr = new Uint8Array(bin.length);
+            for (let i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
+            return arr;
+          }
+          return new TextEncoder().encode(data);
+        }
+        return new Uint8Array(data);
+      },
+      isBuffer: (x) => x instanceof Uint8Array,
+      alloc: (n) => new Uint8Array(n),
+    };
+  }
+
+  // Expose the vault path where Obsidian expects to find one.
+  // It will be passed when Obsidian opens a vault; our launcher
+  // (later) tells Obsidian to open VAULT_BASE.
+  window.__obsidianWeb = {
+    vaultBase: VAULT_BASE,
+    vaultId: VAULT_ID,
+  };
+
+  console.log('[obsidian-web] boot complete; require + shims installed');
+
+  // ── Async bootstrap + dynamic script injection ──────────────────────────
+  //
+  // All synchronous setup above (window.require, shims, globals) is complete
+  // before this block runs. The fetch is async so the spinner renders
+  // immediately without blocking the main thread.
+  //
+  // After the cache is populated we inject Obsidian's scripts with async=false:
+  // the browser downloads them in parallel but executes them in insertion
+  // order, so Obsidian's dependencies are always satisfied.
+  //
+  // sendSync() / statSync() are only called AFTER app.js starts running,
+  // which is after this promise resolves — so the cache is always ready.
+  if (VAULT_ID && location.pathname !== '/starter') {
+    var statusEl = document.getElementById('ow-status');
+    var pollTimer = null;
+    var vaultParam = encodeURIComponent(VAULT_ID);
+
+    // Start polling /api/bootstrap/status after 2 seconds of waiting.
+    // Shows progress to the user during slow cold-start builds.
+    var pollDelay = setTimeout(function () {
+      pollTimer = setInterval(function () {
+        fetch('/api/bootstrap/status?vault=' + vaultParam)
+          .then(function (r) { return r.json(); })
+          .then(function (s) {
+            if (!statusEl || s.state === 'idle' || s.state === 'ready') return;
+            var text = s.label || '';
+            if (s.state === 'scanning' && s.dirs) {
+              text += ' (' + s.dirs + ' dirs, ' + (s.files || 0) + ' files)';
+            }
+            if (s.state === 'reading' && s.filesRead) {
+              text += ' (' + s.filesRead + '/' + (s.total || '?') + ')';
+            }
+            statusEl.textContent = text;
+          })
+          .catch(function () {});
+      }, 1000);
+    }, 2000);
+
+    function stopPolling() {
+      clearTimeout(pollDelay);
+      if (pollTimer) clearInterval(pollTimer);
+    }
+
+    fetch('/api/bootstrap?vault=' + vaultParam + '&full=1')
+      .then(function (res) {
+        if (!res.ok) throw new Error('HTTP ' + res.status);
+        return res.json();
+      })
+      .then(function (data) {
+        stopPolling();
+        var vault = data.electron && data.electron['vault'];
+        if (!vault || !vault.id) {
+          localStorage.removeItem('obsidian-web:lastVaultId');
+          location.href = '/starter';
+          return;
+        }
+        window.__owBootstrapCache = data;
+        if (statusEl) statusEl.textContent = 'Loading Obsidian...';
+        console.log('[obsidian-web] bootstrap loaded: ' + Object.keys(data.fs).length + ' files pre-cached');
+
+        // Inject Obsidian's scripts in order. async=false preserves execution
+        // order while allowing parallel download.
+        var loaded = 0;
+        for (var i = 0; i < OBSIDIAN_SCRIPTS.length; i++) {
+          var s = document.createElement('script');
+          s.src = OBSIDIAN_SCRIPTS[i];
+          s.async = false;
+          s.onload = function () {
+            loaded++;
+            if (statusEl) statusEl.textContent = 'Loading Obsidian (' + loaded + '/' + OBSIDIAN_SCRIPTS.length + ')';
+          };
+          document.head.appendChild(s);
+        }
+
+        // Hide the loading overlay once Obsidian's workspace element appears.
+        var overlay = document.getElementById('ow-loading');
+        if (overlay) {
+          var obs = new MutationObserver(function () {
+            if (document.querySelector('.workspace')) {
+              overlay.remove();
+              obs.disconnect();
+            }
+          });
+          obs.observe(document.body, { childList: true, subtree: true });
+        }
+      })
+      .catch(function (err) {
+        stopPolling();
+        console.warn('[obsidian-web] bootstrap failed:', err.message);
+        localStorage.removeItem('obsidian-web:lastVaultId');
+        location.href = '/starter';
+      });
+  }
+})();
diff --git a/src/server/api/pbkdf2.js b/src/server/api/pbkdf2.js
new file mode 100644
index 0000000..8ca652d
--- /dev/null
+++ b/src/server/api/pbkdf2.js
@@ -0,0 +1,57 @@
+'use strict';
+
+/**
+ * PBKDF2 key derivation endpoint — offloaded from the browser because
+ * 100 000 iterations of pure-JS SHA-256 would freeze the page for ~10 s.
+ * Node's crypto.pbkdf2 runs in a libuv thread pool and typically completes
+ * in 50–200 ms.
+ *
+ * POST /api/pbkdf2
+ *   Body: { password: hexString, salt: hexString, iterations: number, keyLen: number }
+ *   Response: { key: hexString }
+ *
+ * Only PBKDF2-HMAC-SHA256 is supported (the only algorithm needed by ion-sync).
+ */
+
+const express = require('express');
+const crypto = require('crypto');
+
+function createPbkdf2Router() {
+  const router = express.Router();
+  router.use(express.json());
+
+  router.post('/', (req, res) => {
+    const { password, salt, iterations, keyLen } = req.body || {};
+
+    if (typeof password !== 'string' || typeof salt !== 'string' ||
+        !Number.isInteger(iterations) || !Number.isInteger(keyLen)) {
+      return res.status(400).json({ error: 'Missing or invalid fields (password, salt, iterations, keyLen required)' });
+    }
+    if (iterations < 1 || iterations > 2_000_000) {
+      return res.status(400).json({ error: 'iterations out of range' });
+    }
+    if (keyLen < 1 || keyLen > 64) {
+      return res.status(400).json({ error: 'keyLen out of range' });
+    }
+
+    let pwBuf, saltBuf;
+    try {
+      pwBuf   = Buffer.from(password, 'hex');
+      saltBuf = Buffer.from(salt,     'hex');
+    } catch (e) {
+      return res.status(400).json({ error: 'password and salt must be hex-encoded' });
+    }
+
+    crypto.pbkdf2(pwBuf, saltBuf, iterations, keyLen, 'sha256', (err, derivedKey) => {
+      if (err) {
+        console.error('[pbkdf2] derivation error:', err.message);
+        return res.status(500).json({ error: err.message });
+      }
+      res.json({ key: derivedKey.toString('hex') });
+    });
+  });
+
+  return router;
+}
+
+module.exports = createPbkdf2Router;
diff --git a/src/server/index.js b/src/server/index.js
index a5e8714..2b10f8c 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -23,6 +23,7 @@ const createBootstrapRouter = require('./api/bootstrap');
 const { warmUpBootstrapCache } = require('./api/bootstrap');
 const createProxyRouter = require('./api/proxy');
 const createKeytarRouter = require('./api/keytar');
+const createPbkdf2Router = require('./api/pbkdf2');
 const attachWatchServer = require('./api/watch');
 const VaultRegistry = require('./vault-registry');
 const { createAuthMiddleware } = require('./middleware/auth');
@@ -137,6 +138,7 @@ function createApp(appConfig = config) {
 
   // API routes.
   app.use('/api/keytar', createKeytarRouter(appConfig.userDataPath));
+  app.use('/api/pbkdf2', createPbkdf2Router());
   app.use('/api/bootstrap', createBootstrapRouter(vaultRegistry, appConfig.vaultPath));
   app.use('/api/proxy-request', createProxyRouter());
   app.use('/api/vaults', createVaultsRouter(vaultRegistry));

From 792d72ffc1f1ba20e9a83e2aafb007485d6eca2a Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 10:11:45 -0700
Subject: [PATCH 26/46] fix: add Content-Type on binary writes so body-parser
 parses them

---
 src/client/shims/original-fs.js | 1209 ++++++++++++++++---------------
 src/client/shims/sync-http.js   |  145 ++--
 2 files changed, 684 insertions(+), 670 deletions(-)

diff --git a/src/client/shims/original-fs.js b/src/client/shims/original-fs.js
index 10a0649..b80d257 100644
--- a/src/client/shims/original-fs.js
+++ b/src/client/shims/original-fs.js
@@ -1,602 +1,607 @@
-/**
- * Browser shim for Node's `original-fs` (and `fs`) module.
- *
- * Translates fs calls into HTTP requests against /api/fs/*. Implements
- * the subset of the API Obsidian actually uses, plus the matching
- * .promises namespace.
- *
- * Obsidian uses absolute paths from the vault's basePath. The server
- * sandboxes everything to the vault root; we strip the configured
- * vault base before sending paths over the wire.
- */
-(function (global) {
-  // The vault base path that Obsidian sees. Boot fills this in.
-  let vaultBase = '/vault';
-  let vaultId = '';
-
-  function setVaultBase(p) {
-    vaultBase = p;
-  }
-
-  function setVaultId(id) {
-    vaultId = id || '';
-  }
-
-  function vaultQuery() {
-    return vaultId ? 'vault=' + encodeURIComponent(vaultId) + '&' : '';
-  }
-
-  function toRelative(p) {
-    if (typeof p !== 'string') throw new TypeError('path must be a string');
-    // Strip the vault base if present so the server sees a relative path.
-    if (p === vaultBase) return '';
-    if (p.startsWith(vaultBase + '/')) return p.slice(vaultBase.length + 1);
-    // Already relative - pass through.
-    if (!p.startsWith('/')) return p;
-    // Some absolute path outside the vault. The server will reject it,
-    // but we let the request happen so the error surfaces naturally.
-    return p.startsWith('/') ? p.slice(1) : p;
-  }
-
-  // ---- Bootstrap cache helpers -----------------------------------------
-  //
-  // window.__owBootstrapCache is populated by boot.js before app.js loads.
-  // Shape: { electron: {...}, fs: { "rel/path": { content, mtime, size } } }
-  // We serve reads from this cache and invalidate entries on writes/deletes.
-
-  function getBootstrapEntry(p) {
-    const cache = global.__owBootstrapCache;
-    if (!cache || !cache.fs) return null;
-    return cache.fs[toRelative(p)] || null;
-  }
-
-  function getBootstrapDir(p) {
-    const cache = global.__owBootstrapCache;
-    if (!cache || !cache.dirs) return null;
-    return cache.dirs[toRelative(p)] || null;
-  }
-
-  function invalidateBootstrap(p) {
-    const cache = global.__owBootstrapCache;
-    if (cache && cache.fs) delete cache.fs[toRelative(p)];
-    // Also invalidate parent dir listing so readdir re-fetches.
-    if (cache && cache.dirs) {
-      const rel = toRelative(p);
-      const parent = rel.includes('/') ? rel.slice(0, rel.lastIndexOf('/')) : '';
-      delete cache.dirs[parent];
-    }
-  }
-
-  function makeStatsFromCache(entry) {
-    const isDir = !!entry.isDirectory;
-    return makeStats({
-      isFile: entry.isFile !== undefined ? entry.isFile : !isDir,
-      isDirectory: isDir,
-      isSymbolicLink: !!entry.isSymbolicLink,
-      size: entry.size || 0,
-      mtime: entry.mtime || 0,
-      ctime: entry.mtime || 0,
-      atime: entry.mtime || 0,
-      birthtime: entry.mtime || 0,
-      mode: isDir ? 0o040755 : 0o100644,
-    });
-  }
-
-  // Returns true if the bootstrap entry has readable text content.
-  function bootstrapHasContent(entry) {
-    return entry !== null && typeof entry.content === 'string';
-  }
-
-  function encodePath(p) {
-    return encodeURIComponent(toRelative(p));
-  }
-
-  // Build a Stats-like object from the JSON the server returns.
-  function makeStats(json) {
-    return {
-      size: json.size,
-      mtime: new Date(json.mtime),
-      ctime: new Date(json.ctime),
-      atime: new Date(json.atime),
-      birthtime: new Date(json.birthtime),
-      mtimeMs: json.mtime,
-      ctimeMs: json.ctime,
-      atimeMs: json.atime,
-      birthtimeMs: json.birthtime,
-      mode: json.mode,
-      isFile: () => json.isFile,
-      isDirectory: () => json.isDirectory,
-      isSymbolicLink: () => json.isSymbolicLink,
-      isBlockDevice: () => false,
-      isCharacterDevice: () => false,
-      isFIFO: () => false,
-      isSocket: () => false,
-    };
-  }
-
-  function makeError(json, syscall, p) {
-    const err = new Error(json.error || 'fs error');
-    err.code = json.code || 'EUNKNOWN';
-    err.syscall = syscall;
-    err.path = p;
-    return err;
-  }
-
-  // Populate fs stat cache for all entries in a dirs cache entry.
-  // Called when serving a readdir from cache, so subsequent stat(path) calls
-  // for files in this directory (including binaries) are answered from cache.
-  function populateStatFromDir(dirPath, entries) {
-    const cache = global.__owBootstrapCache;
-    if (!cache || !cache.fs) return;
-    const dirRel = toRelative(dirPath);
-    for (const e of entries) {
-      if (!e.mtime && !e.size) continue; // no stat info in entry
-      const fileRel = dirRel ? dirRel + '/' + e.name : e.name;
-      if (!cache.fs[fileRel]) {
-        cache.fs[fileRel] = {
-          mtime: e.mtime || 0,
-          size: e.size || 0,
-          isFile: e.isFile,
-          isDirectory: e.isDirectory,
-          isSymbolicLink: e.isSymbolicLink || false,
-        };
-      }
-    }
-  }
-
-  // ---- async API (callback-style) ---------------------------------------
-
-  function statAsync(p, opts, cb) {
-    if (typeof opts === 'function') { cb = opts; opts = {}; }
-    const cached = getBootstrapEntry(p);
-    if (cached) { Promise.resolve().then(() => cb(null, makeStatsFromCache(cached))); return; }
-    fetch('/api/fs/stat?' + vaultQuery() + 'path=' + encodePath(p))
-      .then(async (r) => {
-        const json = await r.json();
-        if (!r.ok) throw makeError(json, 'stat', p);
-        cb(null, makeStats(json));
-      })
-      .catch((err) => cb(err));
-  }
-
-  function readdirAsync(p, opts, cb) {
-    if (typeof opts === 'function') { cb = opts; opts = {}; }
-    const withFileTypes = opts && opts.withFileTypes;
-    const cachedDir = getBootstrapDir(p);
-    if (cachedDir) {
-      // Lazily populate fs stat cache from dirs entries so subsequent
-      // stat(path) calls for files in this directory are answered from cache.
-      populateStatFromDir(p, cachedDir);
-      Promise.resolve().then(() => {
-        if (withFileTypes) {
-          cb(null, cachedDir.map(e => ({
-            name: e.name,
-            isFile: () => e.isFile,
-            isDirectory: () => e.isDirectory,
-            isSymbolicLink: () => e.isSymbolicLink,
-          })));
-        } else {
-          cb(null, cachedDir.map(e => e.name));
-        }
-      });
-      return;
-    }
-    fetch('/api/fs/readdir?' + vaultQuery() + 'path=' + encodePath(p))
-      .then(async (r) => {
-        const json = await r.json();
-        if (!r.ok) throw makeError(json, 'scandir', p);
-        if (withFileTypes) {
-          cb(null, json.map((e) => ({
-            name: e.name,
-            isFile: () => e.isFile,
-            isDirectory: () => e.isDirectory,
-            isSymbolicLink: () => e.isSymbolicLink,
-          })));
-        } else {
-          cb(null, json.map((e) => e.name));
-        }
-      })
-      .catch((err) => cb(err));
-  }
-
-  // The server returns the same JSON envelope for readFile too; if the
-  // caller passed a directory, we want a proper ENOTDIR-like error so
-  // Obsidian's existing try/catch handles it normally instead of
-  // surfacing as an unhandled HTTP failure.
-
-  function readFileAsync(p, opts, cb) {
-    if (typeof opts === 'function') { cb = opts; opts = undefined; }
-    const encoding = typeof opts === 'string' ? opts : (opts && opts.encoding);
-    const cached = getBootstrapEntry(p);
-    if (bootstrapHasContent(cached)) {
-      Promise.resolve().then(() => {
-        cb(null, encoding ? cached.content : new TextEncoder().encode(cached.content));
-      });
-      return;
-    }
-    const url = '/api/fs/read?' + vaultQuery() + 'path=' + encodePath(p) + (encoding ? '&encoding=' + encoding : '');
-    fetch(url)
-      .then(async (r) => {
-        if (!r.ok) {
-          const json = await r.json().catch(() => ({ error: 'read failed' }));
-          throw makeError(json, 'open', p);
-        }
-        if (encoding) {
-          const text = await r.text();
-          cb(null, text);
-        } else {
-          const buf = await r.arrayBuffer();
-          cb(null, new Uint8Array(buf));
-        }
-      })
-      .catch((err) => cb(err));
-  }
-
-  function writeFileAsync(p, data, opts, cb) {
-    // Only evict the file's cached content — the parent dir listing is still
-    // valid (the file exists, just with new content or as a new file).
-    // Evicting dirs is reserved for structural changes (unlink/rename).
-    const _cache = global.__owBootstrapCache;
-    if (_cache && _cache.fs) delete _cache.fs[toRelative(p)];
-    if (typeof opts === 'function') { cb = opts; opts = undefined; }
-    const encoding = typeof opts === 'string' ? opts : (opts && opts.encoding);
-    const url = '/api/fs/write?' + vaultQuery() + 'path=' + encodePath(p) + (encoding ? '&encoding=' + encoding : '');
-    fetch(url, { method: 'PUT', body: data })
-      .then(async (r) => {
-        if (!r.ok) {
-          const json = await r.json().catch(() => ({ error: 'write failed' }));
-          throw makeError(json, 'open', p);
-        }
-        cb && cb(null);
-      })
-      .catch((err) => cb && cb(err));
-  }
-
-  function mkdirAsync(p, opts, cb) {
-    if (typeof opts === 'function') { cb = opts; opts = {}; }
-    fetch('/api/fs/mkdir', {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ path: toRelative(p), recursive: opts && opts.recursive, vault: vaultId }),
-    })
-      .then(async (r) => {
-        if (!r.ok) {
-          const json = await r.json().catch(() => ({ error: 'mkdir failed' }));
-          throw makeError(json, 'mkdir', p);
-        }
-        cb && cb(null);
-      })
-      .catch((err) => cb && cb(err));
-  }
-
-  function unlinkAsync(p, cb) {
-    invalidateBootstrap(p);
-    fetch('/api/fs/unlink?' + vaultQuery() + 'path=' + encodePath(p), { method: 'DELETE' })
-      .then(async (r) => {
-        if (!r.ok) {
-          const json = await r.json().catch(() => ({ error: 'unlink failed' }));
-          throw makeError(json, 'unlink', p);
-        }
-        cb && cb(null);
-      })
-      .catch((err) => cb && cb(err));
-  }
-
-  function renameAsync(oldPath, newPath, cb) {
-    invalidateBootstrap(oldPath);
-    invalidateBootstrap(newPath);
-    fetch('/api/fs/rename', {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ oldPath: toRelative(oldPath), newPath: toRelative(newPath), vault: vaultId }),
-    })
-      .then(async (r) => {
-        if (!r.ok) {
-          const json = await r.json().catch(() => ({ error: 'rename failed' }));
-          throw makeError(json, 'rename', oldPath);
-        }
-        cb && cb(null);
-      })
-      .catch((err) => cb && cb(err));
-  }
-
-  function rmdirAsync(p, opts, cb) {
-    if (typeof opts === 'function') { cb = opts; opts = {}; }
-    const recursive = opts && opts.recursive ? '1' : '0';
-    fetch('/api/fs/rmdir?' + vaultQuery() + 'path=' + encodePath(p) + '&recursive=' + recursive, { method: 'DELETE' })
-      .then(async (r) => {
-        if (!r.ok) {
-          const json = await r.json().catch(() => ({ error: 'rmdir failed' }));
-          throw makeError(json, 'rmdir', p);
-        }
-        cb && cb(null);
-      })
-      .catch((err) => cb && cb(err));
-  }
-
-  function copyFileAsync(src, dest, flags, cb) {
-    if (typeof flags === 'function') { cb = flags; flags = 0; }
-    fetch('/api/fs/copy', {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ src: toRelative(src), dest: toRelative(dest), vault: vaultId }),
-    })
-      .then(async (r) => {
-        if (!r.ok) {
-          const json = await r.json().catch(() => ({ error: 'copy failed' }));
-          throw makeError(json, 'copyfile', src);
-        }
-        cb && cb(null);
-      })
-      .catch((err) => cb && cb(err));
-  }
-
-  function accessAsync(p, mode, cb) {
-    if (typeof mode === 'function') { cb = mode; mode = 0; }
-    statAsync(p, (err) => cb(err || null));
-  }
-
-  // ---- sync API (uses XHR sync) -----------------------------------------
-
-  function statSync(p) {
-    const cached = getBootstrapEntry(p);
-    if (cached) return makeStatsFromCache(cached);
-    // silent404: Obsidian routinely stat()s paths that may not exist yet
-    // (config files, plugins) and handles ENOENT via try/catch.  Suppress
-    // the verbose URL in the error message to keep the console clean.
-    const xhr = global.__owSyncRequest('GET', '/api/fs/stat?' + vaultQuery() + 'path=' + encodePath(p), undefined, { silent404: true });
-    return makeStats(JSON.parse(xhr.responseText));
-  }
-
-  function readFileSync(p, opts) {
-    const encoding = typeof opts === 'string' ? opts : (opts && opts.encoding);
-    const cached = getBootstrapEntry(p);
-    if (bootstrapHasContent(cached)) return encoding ? cached.content : new TextEncoder().encode(cached.content);
-    const url = '/api/fs/read?' + vaultQuery() + 'path=' + encodePath(p) + (encoding ? '&encoding=' + encoding : '');
-    // Use __owSyncRequest with silent404 so missing files throw a clean ENOENT.
-    // Note: sync XHR binary reads are limited to Latin-1 (xhr.responseText
-    // encoding). Multi-byte UTF-8 binary data may be corrupted on this path.
-    // Text reads (encoding=utf8) are safe because the server sends UTF-8 and
-    // the XHR decodes it as a JS string.
-    const xhr = global.__owSyncRequest('GET', url, undefined, { silent404: true });
-    if (encoding) return xhr.responseText;
-    // Binary path - convert text to Uint8Array via overrideMimeType trick.
-    const bytes = new Uint8Array(xhr.responseText.length);
-    for (let i = 0; i < xhr.responseText.length; i++) {
-      bytes[i] = xhr.responseText.charCodeAt(i) & 0xff;
-    }
-    return bytes;
-  }
-
-  function existsSync(p) {
-    try { statSync(p); return true; } catch (_) { return false; }
-  }
-
-  function writeFileSync(p, data, opts) {
-    // Same as writeFileAsync: only evict fs content, not parent dir listing.
-    const _cache = global.__owBootstrapCache;
-    if (_cache && _cache.fs) delete _cache.fs[toRelative(p)];
-    const encoding = typeof opts === 'string' ? opts : (opts && opts.encoding);
-    const url = '/api/fs/write?' + vaultQuery() + 'path=' + encodePath(p) + (encoding ? '&encoding=' + encoding : '');
-    global.__owSyncRequest('PUT', url, data == null ? '' : data);
-  }
-
-  function unlinkSync(p) {
-    invalidateBootstrap(p);
-    global.__owSyncRequest('DELETE', '/api/fs/unlink?' + vaultQuery() + 'path=' + encodePath(p));
-  }
-
-  function mkdirSync(p, opts) {
-    const recursive = !!(opts && opts.recursive);
-    global.__owSyncJson('POST', '/api/fs/mkdir', { path: toRelative(p), recursive, vault: vaultId });
-  }
-
-  function readdirSync(p, opts) {
-    const cachedDir = getBootstrapDir(p);
-    if (cachedDir) {
-      populateStatFromDir(p, cachedDir);
-      const withFileTypes = opts && opts.withFileTypes;
-      if (withFileTypes) {
-        return cachedDir.map(e => ({
-          name: e.name,
-          isFile: () => e.isFile,
-          isDirectory: () => e.isDirectory,
-          isSymbolicLink: () => e.isSymbolicLink,
-        }));
-      }
-      return cachedDir.map(e => e.name);
-    }
-    const xhr = global.__owSyncRequest('GET', '/api/fs/readdir?' + vaultQuery() + 'path=' + encodePath(p));
-    const json = JSON.parse(xhr.responseText);
-    const withFileTypes = opts && opts.withFileTypes;
-    if (withFileTypes) {
-      return json.map((e) => ({
-        name: e.name,
-        isFile: () => e.isFile,
-        isDirectory: () => e.isDirectory,
-        isSymbolicLink: () => e.isSymbolicLink,
-      }));
-    }
-    return json.map((e) => e.name);
-  }
-
-  // ---- promises API ----------------------------------------------------
-
-  function promisify(fn) {
-    return function () {
-      const args = Array.prototype.slice.call(arguments);
-      return new Promise((resolve, reject) => {
-        fn.apply(null, args.concat([(err, val) => err ? reject(err) : resolve(val)]));
-      });
-    };
-  }
-
-  const promises = {
-    stat: promisify(statAsync),
-    lstat: promisify(statAsync), // approximate
-    readdir: promisify(readdirAsync),
-    readFile: promisify(readFileAsync),
-    writeFile: promisify(writeFileAsync),
-    mkdir: promisify(mkdirAsync),
-    unlink: promisify(unlinkAsync),
-    rename: promisify(renameAsync),
-    rmdir: promisify(rmdirAsync),
-    rm: promisify(rmdirAsync),
-    copyFile: promisify(copyFileAsync),
-    access: promisify(accessAsync),
-    realpath: async (p) => p, // identity is good enough for now
-    appendFile: async (p, data, opts) => {
-      // Simple read-modify-write.
-      let existing = '';
-      try { existing = await promises.readFile(p, 'utf8'); } catch (_) { /* new file */ }
-      const next = existing + (typeof data === 'string' ? data : new TextDecoder().decode(data));
-      return promises.writeFile(p, next, opts || 'utf8');
-    },
-    utimes: async () => { /* no-op for now */ },
-  };
-
-  // ---- fs.watch via WebSocket -----------------------------------------
-
-  let watchSocket = null;
-  const watchListeners = new Set();
-
-  function ensureWatchSocket() {
-    if (watchSocket && watchSocket.readyState <= 1) return watchSocket;
-    const proto = location.protocol === 'https:' ? 'wss:' : 'ws:';
-    watchSocket = new WebSocket(proto + '//' + location.host + '/api/watch' + (vaultId ? '?vault=' + encodeURIComponent(vaultId) : ''));
-    watchSocket.onmessage = (ev) => {
-      let msg;
-      try { msg = JSON.parse(ev.data); } catch (_) { return; }
-      if (msg.type === 'ready') return;
-      console.log('[fs.watch] ws message:', msg.type, msg.path, '| listeners:', watchListeners.size);
-      // Invalidate bootstrap cache for the changed path.
-      // 'change' = content update: only evict the file from fs cache.
-      //   Do NOT evict the parent dir listing — the file still exists there.
-      // Structural events (add/unlink/addDir/unlinkDir/rename/reset): evict
-      //   both the file and its parent dir listing so readdir re-fetches.
-      if (msg.path) {
-        const absPath = vaultBase + '/' + msg.path;
-        if (msg.type === 'change') {
-          const cache = global.__owBootstrapCache;
-          if (cache && cache.fs) delete cache.fs[toRelative(absPath)];
-        } else {
-          invalidateBootstrap(absPath);
-        }
-      }
-      for (const l of watchListeners) l(msg);
-    };
-    watchSocket.onclose = () => { watchSocket = null; };
-    return watchSocket;
-  }
-
-  // fs.watch returns an FSWatcher (EventEmitter). Obsidian uses both
-  // shapes: passing a callback as the 3rd arg AND chaining .on('change').on('error').
-  // Our return value implements both.
-  function watch(p, opts, listener) {
-    if (typeof opts === 'function') { listener = opts; opts = {}; }
-    ensureWatchSocket();
-    const rel = toRelative(p).replace(/\\/g, '/');
-
-    // Per-event-type listeners (for the .on() chain).
-    const handlers = { change: new Set(), error: new Set(), rename: new Set(), close: new Set() };
-    // The third-arg listener (Node fs.watch callback) receives ALL event types,
-    // not just 'change'. Register it on both so rename events (add/delete/move)
-    // reach it too.
-    if (listener) {
-      handlers.change.add(listener);
-      handlers.rename.add(listener);
-    }
-
-    function emit(eventType, ...args) {
-      for (const fn of handlers[eventType] || []) {
-        try { fn(...args); } catch (e) { console.error('[fs.watch] handler error:', e); }
-      }
-    }
-
-    const onMessage = (msg) => {
-      if (!msg.path) return;
-      // Filter: emit only events under the watched path.
-      if (rel !== '' && msg.path !== rel && !msg.path.startsWith(rel + '/')) return;
-      // Map chokidar event types to Node fs.watch's 'rename' / 'change'.
-      // In Node.js fs.watch, the EventEmitter ALWAYS fires the 'change' event
-      // regardless of rename vs. content change. The eventType string ('rename'
-      // or 'change') is passed as the first argument to the callback so the
-      // handler knows what happened. There is no separate 'rename' EventEmitter
-      // event — Obsidian registers .on('change', fn) expecting all event types.
-      const eventType = msg.type === 'change' ? 'change' : 'rename';
-      const filename = rel === '' ? msg.path : msg.path.slice(rel.length + 1) || msg.path;
-      emit('change', eventType, filename);
-    };
-    watchListeners.add(onMessage);
-
-    const watcher = {
-      on(eventType, fn) {
-        if (handlers[eventType]) handlers[eventType].add(fn);
-        return watcher;
-      },
-      off(eventType, fn) {
-        if (handlers[eventType]) handlers[eventType].delete(fn);
-        return watcher;
-      },
-      addListener(eventType, fn) { return watcher.on(eventType, fn); },
-      removeListener(eventType, fn) { return watcher.off(eventType, fn); },
-      removeAllListeners(eventType) {
-        if (eventType && handlers[eventType]) handlers[eventType].clear();
-        else for (const k in handlers) handlers[k].clear();
-        return watcher;
-      },
-      close() {
-        watchListeners.delete(onMessage);
-        emit('close');
-      },
-      ref() { return watcher; },
-      unref() { return watcher; },
-    };
-    return watcher;
-  }
-
-  // ---- module export ---------------------------------------------------
-
-  const fsShim = {
-    // async (callback) API
-    stat: statAsync,
-    lstat: statAsync,
-    readdir: readdirAsync,
-    readFile: readFileAsync,
-    writeFile: writeFileAsync,
-    mkdir: mkdirAsync,
-    unlink: unlinkAsync,
-    rename: renameAsync,
-    rmdir: rmdirAsync,
-    rm: rmdirAsync,
-    copyFile: copyFileAsync,
-    access: accessAsync,
-    watch,
-    // sync API
-    statSync,
-    lstatSync: statSync,
-    readFileSync,
-    writeFileSync,
-    unlinkSync,
-    mkdirSync,
-    readdirSync,
-    existsSync,
-    accessSync: (p) => { statSync(p); /* throws if missing */ },
-    // constants
-    constants: {
-      F_OK: 0, R_OK: 4, W_OK: 2, X_OK: 1,
-      O_RDONLY: 0, O_WRONLY: 1, O_RDWR: 2,
-      O_CREAT: 64, O_EXCL: 128, O_TRUNC: 512, O_APPEND: 1024,
-    },
-    // promises namespace
-    promises,
-    // setTimes is what FileSystemAdapter calls to update mtime
-    setTimes: function (p, atime, mtime, cb) {
-      cb && cb(null);
-    },
-  };
-
-  global.__owFs = fsShim;
-  global.__owFs.setVaultBase = setVaultBase;
-  global.__owFs.setVaultId = setVaultId;
-})(window);
+/**
+ * Browser shim for Node's `original-fs` (and `fs`) module.
+ *
+ * Translates fs calls into HTTP requests against /api/fs/*. Implements
+ * the subset of the API Obsidian actually uses, plus the matching
+ * .promises namespace.
+ *
+ * Obsidian uses absolute paths from the vault's basePath. The server
+ * sandboxes everything to the vault root; we strip the configured
+ * vault base before sending paths over the wire.
+ */
+(function (global) {
+  // The vault base path that Obsidian sees. Boot fills this in.
+  let vaultBase = '/vault';
+  let vaultId = '';
+
+  function setVaultBase(p) {
+    vaultBase = p;
+  }
+
+  function setVaultId(id) {
+    vaultId = id || '';
+  }
+
+  function vaultQuery() {
+    return vaultId ? 'vault=' + encodeURIComponent(vaultId) + '&' : '';
+  }
+
+  function toRelative(p) {
+    if (typeof p !== 'string') throw new TypeError('path must be a string');
+    // Strip the vault base if present so the server sees a relative path.
+    if (p === vaultBase) return '';
+    if (p.startsWith(vaultBase + '/')) return p.slice(vaultBase.length + 1);
+    // Already relative - pass through.
+    if (!p.startsWith('/')) return p;
+    // Some absolute path outside the vault. The server will reject it,
+    // but we let the request happen so the error surfaces naturally.
+    return p.startsWith('/') ? p.slice(1) : p;
+  }
+
+  // ---- Bootstrap cache helpers -----------------------------------------
+  //
+  // window.__owBootstrapCache is populated by boot.js before app.js loads.
+  // Shape: { electron: {...}, fs: { "rel/path": { content, mtime, size } } }
+  // We serve reads from this cache and invalidate entries on writes/deletes.
+
+  function getBootstrapEntry(p) {
+    const cache = global.__owBootstrapCache;
+    if (!cache || !cache.fs) return null;
+    return cache.fs[toRelative(p)] || null;
+  }
+
+  function getBootstrapDir(p) {
+    const cache = global.__owBootstrapCache;
+    if (!cache || !cache.dirs) return null;
+    return cache.dirs[toRelative(p)] || null;
+  }
+
+  function invalidateBootstrap(p) {
+    const cache = global.__owBootstrapCache;
+    if (cache && cache.fs) delete cache.fs[toRelative(p)];
+    // Also invalidate parent dir listing so readdir re-fetches.
+    if (cache && cache.dirs) {
+      const rel = toRelative(p);
+      const parent = rel.includes('/') ? rel.slice(0, rel.lastIndexOf('/')) : '';
+      delete cache.dirs[parent];
+    }
+  }
+
+  function makeStatsFromCache(entry) {
+    const isDir = !!entry.isDirectory;
+    return makeStats({
+      isFile: entry.isFile !== undefined ? entry.isFile : !isDir,
+      isDirectory: isDir,
+      isSymbolicLink: !!entry.isSymbolicLink,
+      size: entry.size || 0,
+      mtime: entry.mtime || 0,
+      ctime: entry.mtime || 0,
+      atime: entry.mtime || 0,
+      birthtime: entry.mtime || 0,
+      mode: isDir ? 0o040755 : 0o100644,
+    });
+  }
+
+  // Returns true if the bootstrap entry has readable text content.
+  function bootstrapHasContent(entry) {
+    return entry !== null && typeof entry.content === 'string';
+  }
+
+  function encodePath(p) {
+    return encodeURIComponent(toRelative(p));
+  }
+
+  // Build a Stats-like object from the JSON the server returns.
+  function makeStats(json) {
+    return {
+      size: json.size,
+      mtime: new Date(json.mtime),
+      ctime: new Date(json.ctime),
+      atime: new Date(json.atime),
+      birthtime: new Date(json.birthtime),
+      mtimeMs: json.mtime,
+      ctimeMs: json.ctime,
+      atimeMs: json.atime,
+      birthtimeMs: json.birthtime,
+      mode: json.mode,
+      isFile: () => json.isFile,
+      isDirectory: () => json.isDirectory,
+      isSymbolicLink: () => json.isSymbolicLink,
+      isBlockDevice: () => false,
+      isCharacterDevice: () => false,
+      isFIFO: () => false,
+      isSocket: () => false,
+    };
+  }
+
+  function makeError(json, syscall, p) {
+    const err = new Error(json.error || 'fs error');
+    err.code = json.code || 'EUNKNOWN';
+    err.syscall = syscall;
+    err.path = p;
+    return err;
+  }
+
+  // Populate fs stat cache for all entries in a dirs cache entry.
+  // Called when serving a readdir from cache, so subsequent stat(path) calls
+  // for files in this directory (including binaries) are answered from cache.
+  function populateStatFromDir(dirPath, entries) {
+    const cache = global.__owBootstrapCache;
+    if (!cache || !cache.fs) return;
+    const dirRel = toRelative(dirPath);
+    for (const e of entries) {
+      if (!e.mtime && !e.size) continue; // no stat info in entry
+      const fileRel = dirRel ? dirRel + '/' + e.name : e.name;
+      if (!cache.fs[fileRel]) {
+        cache.fs[fileRel] = {
+          mtime: e.mtime || 0,
+          size: e.size || 0,
+          isFile: e.isFile,
+          isDirectory: e.isDirectory,
+          isSymbolicLink: e.isSymbolicLink || false,
+        };
+      }
+    }
+  }
+
+  // ---- async API (callback-style) ---------------------------------------
+
+  function statAsync(p, opts, cb) {
+    if (typeof opts === 'function') { cb = opts; opts = {}; }
+    const cached = getBootstrapEntry(p);
+    if (cached) { Promise.resolve().then(() => cb(null, makeStatsFromCache(cached))); return; }
+    fetch('/api/fs/stat?' + vaultQuery() + 'path=' + encodePath(p))
+      .then(async (r) => {
+        const json = await r.json();
+        if (!r.ok) throw makeError(json, 'stat', p);
+        cb(null, makeStats(json));
+      })
+      .catch((err) => cb(err));
+  }
+
+  function readdirAsync(p, opts, cb) {
+    if (typeof opts === 'function') { cb = opts; opts = {}; }
+    const withFileTypes = opts && opts.withFileTypes;
+    const cachedDir = getBootstrapDir(p);
+    if (cachedDir) {
+      // Lazily populate fs stat cache from dirs entries so subsequent
+      // stat(path) calls for files in this directory are answered from cache.
+      populateStatFromDir(p, cachedDir);
+      Promise.resolve().then(() => {
+        if (withFileTypes) {
+          cb(null, cachedDir.map(e => ({
+            name: e.name,
+            isFile: () => e.isFile,
+            isDirectory: () => e.isDirectory,
+            isSymbolicLink: () => e.isSymbolicLink,
+          })));
+        } else {
+          cb(null, cachedDir.map(e => e.name));
+        }
+      });
+      return;
+    }
+    fetch('/api/fs/readdir?' + vaultQuery() + 'path=' + encodePath(p))
+      .then(async (r) => {
+        const json = await r.json();
+        if (!r.ok) throw makeError(json, 'scandir', p);
+        if (withFileTypes) {
+          cb(null, json.map((e) => ({
+            name: e.name,
+            isFile: () => e.isFile,
+            isDirectory: () => e.isDirectory,
+            isSymbolicLink: () => e.isSymbolicLink,
+          })));
+        } else {
+          cb(null, json.map((e) => e.name));
+        }
+      })
+      .catch((err) => cb(err));
+  }
+
+  // The server returns the same JSON envelope for readFile too; if the
+  // caller passed a directory, we want a proper ENOTDIR-like error so
+  // Obsidian's existing try/catch handles it normally instead of
+  // surfacing as an unhandled HTTP failure.
+
+  function readFileAsync(p, opts, cb) {
+    if (typeof opts === 'function') { cb = opts; opts = undefined; }
+    const encoding = typeof opts === 'string' ? opts : (opts && opts.encoding);
+    const cached = getBootstrapEntry(p);
+    if (bootstrapHasContent(cached)) {
+      Promise.resolve().then(() => {
+        cb(null, encoding ? cached.content : new TextEncoder().encode(cached.content));
+      });
+      return;
+    }
+    const url = '/api/fs/read?' + vaultQuery() + 'path=' + encodePath(p) + (encoding ? '&encoding=' + encoding : '');
+    fetch(url)
+      .then(async (r) => {
+        if (!r.ok) {
+          const json = await r.json().catch(() => ({ error: 'read failed' }));
+          throw makeError(json, 'open', p);
+        }
+        if (encoding) {
+          const text = await r.text();
+          cb(null, text);
+        } else {
+          const buf = await r.arrayBuffer();
+          cb(null, new Uint8Array(buf));
+        }
+      })
+      .catch((err) => cb(err));
+  }
+
+  function writeFileAsync(p, data, opts, cb) {
+    // Only evict the file's cached content — the parent dir listing is still
+    // valid (the file exists, just with new content or as a new file).
+    // Evicting dirs is reserved for structural changes (unlink/rename).
+    const _cache = global.__owBootstrapCache;
+    if (_cache && _cache.fs) delete _cache.fs[toRelative(p)];
+    if (typeof opts === 'function') { cb = opts; opts = undefined; }
+    const encoding = typeof opts === 'string' ? opts : (opts && opts.encoding);
+    const url = '/api/fs/write?' + vaultQuery() + 'path=' + encodePath(p) + (encoding ? '&encoding=' + encoding : '');
+    // Always set Content-Type so express.raw() on the server parses the body.
+    // The Fetch API does NOT set Content-Type automatically for binary bodies
+    // (ArrayBuffer, TypedArray, polyfilled Buffer) — without it, body-parser's
+    // type-is check returns false even for type:'*/*', leaving req.body as {}
+    // and causing fsp.writeFile to throw "Received an instance of Object".
+    fetch(url, { method: 'PUT', body: data == null ? '' : data, headers: { 'Content-Type': 'application/octet-stream' } })
+      .then(async (r) => {
+        if (!r.ok) {
+          const json = await r.json().catch(() => ({ error: 'write failed' }));
+          throw makeError(json, 'open', p);
+        }
+        cb && cb(null);
+      })
+      .catch((err) => cb && cb(err));
+  }
+
+  function mkdirAsync(p, opts, cb) {
+    if (typeof opts === 'function') { cb = opts; opts = {}; }
+    fetch('/api/fs/mkdir', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ path: toRelative(p), recursive: opts && opts.recursive, vault: vaultId }),
+    })
+      .then(async (r) => {
+        if (!r.ok) {
+          const json = await r.json().catch(() => ({ error: 'mkdir failed' }));
+          throw makeError(json, 'mkdir', p);
+        }
+        cb && cb(null);
+      })
+      .catch((err) => cb && cb(err));
+  }
+
+  function unlinkAsync(p, cb) {
+    invalidateBootstrap(p);
+    fetch('/api/fs/unlink?' + vaultQuery() + 'path=' + encodePath(p), { method: 'DELETE' })
+      .then(async (r) => {
+        if (!r.ok) {
+          const json = await r.json().catch(() => ({ error: 'unlink failed' }));
+          throw makeError(json, 'unlink', p);
+        }
+        cb && cb(null);
+      })
+      .catch((err) => cb && cb(err));
+  }
+
+  function renameAsync(oldPath, newPath, cb) {
+    invalidateBootstrap(oldPath);
+    invalidateBootstrap(newPath);
+    fetch('/api/fs/rename', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ oldPath: toRelative(oldPath), newPath: toRelative(newPath), vault: vaultId }),
+    })
+      .then(async (r) => {
+        if (!r.ok) {
+          const json = await r.json().catch(() => ({ error: 'rename failed' }));
+          throw makeError(json, 'rename', oldPath);
+        }
+        cb && cb(null);
+      })
+      .catch((err) => cb && cb(err));
+  }
+
+  function rmdirAsync(p, opts, cb) {
+    if (typeof opts === 'function') { cb = opts; opts = {}; }
+    const recursive = opts && opts.recursive ? '1' : '0';
+    fetch('/api/fs/rmdir?' + vaultQuery() + 'path=' + encodePath(p) + '&recursive=' + recursive, { method: 'DELETE' })
+      .then(async (r) => {
+        if (!r.ok) {
+          const json = await r.json().catch(() => ({ error: 'rmdir failed' }));
+          throw makeError(json, 'rmdir', p);
+        }
+        cb && cb(null);
+      })
+      .catch((err) => cb && cb(err));
+  }
+
+  function copyFileAsync(src, dest, flags, cb) {
+    if (typeof flags === 'function') { cb = flags; flags = 0; }
+    fetch('/api/fs/copy', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ src: toRelative(src), dest: toRelative(dest), vault: vaultId }),
+    })
+      .then(async (r) => {
+        if (!r.ok) {
+          const json = await r.json().catch(() => ({ error: 'copy failed' }));
+          throw makeError(json, 'copyfile', src);
+        }
+        cb && cb(null);
+      })
+      .catch((err) => cb && cb(err));
+  }
+
+  function accessAsync(p, mode, cb) {
+    if (typeof mode === 'function') { cb = mode; mode = 0; }
+    statAsync(p, (err) => cb(err || null));
+  }
+
+  // ---- sync API (uses XHR sync) -----------------------------------------
+
+  function statSync(p) {
+    const cached = getBootstrapEntry(p);
+    if (cached) return makeStatsFromCache(cached);
+    // silent404: Obsidian routinely stat()s paths that may not exist yet
+    // (config files, plugins) and handles ENOENT via try/catch.  Suppress
+    // the verbose URL in the error message to keep the console clean.
+    const xhr = global.__owSyncRequest('GET', '/api/fs/stat?' + vaultQuery() + 'path=' + encodePath(p), undefined, { silent404: true });
+    return makeStats(JSON.parse(xhr.responseText));
+  }
+
+  function readFileSync(p, opts) {
+    const encoding = typeof opts === 'string' ? opts : (opts && opts.encoding);
+    const cached = getBootstrapEntry(p);
+    if (bootstrapHasContent(cached)) return encoding ? cached.content : new TextEncoder().encode(cached.content);
+    const url = '/api/fs/read?' + vaultQuery() + 'path=' + encodePath(p) + (encoding ? '&encoding=' + encoding : '');
+    // Use __owSyncRequest with silent404 so missing files throw a clean ENOENT.
+    // Note: sync XHR binary reads are limited to Latin-1 (xhr.responseText
+    // encoding). Multi-byte UTF-8 binary data may be corrupted on this path.
+    // Text reads (encoding=utf8) are safe because the server sends UTF-8 and
+    // the XHR decodes it as a JS string.
+    const xhr = global.__owSyncRequest('GET', url, undefined, { silent404: true });
+    if (encoding) return xhr.responseText;
+    // Binary path - convert text to Uint8Array via overrideMimeType trick.
+    const bytes = new Uint8Array(xhr.responseText.length);
+    for (let i = 0; i < xhr.responseText.length; i++) {
+      bytes[i] = xhr.responseText.charCodeAt(i) & 0xff;
+    }
+    return bytes;
+  }
+
+  function existsSync(p) {
+    try { statSync(p); return true; } catch (_) { return false; }
+  }
+
+  function writeFileSync(p, data, opts) {
+    // Same as writeFileAsync: only evict fs content, not parent dir listing.
+    const _cache = global.__owBootstrapCache;
+    if (_cache && _cache.fs) delete _cache.fs[toRelative(p)];
+    const encoding = typeof opts === 'string' ? opts : (opts && opts.encoding);
+    const url = '/api/fs/write?' + vaultQuery() + 'path=' + encodePath(p) + (encoding ? '&encoding=' + encoding : '');
+    global.__owSyncRequest('PUT', url, data == null ? '' : data);
+  }
+
+  function unlinkSync(p) {
+    invalidateBootstrap(p);
+    global.__owSyncRequest('DELETE', '/api/fs/unlink?' + vaultQuery() + 'path=' + encodePath(p));
+  }
+
+  function mkdirSync(p, opts) {
+    const recursive = !!(opts && opts.recursive);
+    global.__owSyncJson('POST', '/api/fs/mkdir', { path: toRelative(p), recursive, vault: vaultId });
+  }
+
+  function readdirSync(p, opts) {
+    const cachedDir = getBootstrapDir(p);
+    if (cachedDir) {
+      populateStatFromDir(p, cachedDir);
+      const withFileTypes = opts && opts.withFileTypes;
+      if (withFileTypes) {
+        return cachedDir.map(e => ({
+          name: e.name,
+          isFile: () => e.isFile,
+          isDirectory: () => e.isDirectory,
+          isSymbolicLink: () => e.isSymbolicLink,
+        }));
+      }
+      return cachedDir.map(e => e.name);
+    }
+    const xhr = global.__owSyncRequest('GET', '/api/fs/readdir?' + vaultQuery() + 'path=' + encodePath(p));
+    const json = JSON.parse(xhr.responseText);
+    const withFileTypes = opts && opts.withFileTypes;
+    if (withFileTypes) {
+      return json.map((e) => ({
+        name: e.name,
+        isFile: () => e.isFile,
+        isDirectory: () => e.isDirectory,
+        isSymbolicLink: () => e.isSymbolicLink,
+      }));
+    }
+    return json.map((e) => e.name);
+  }
+
+  // ---- promises API ----------------------------------------------------
+
+  function promisify(fn) {
+    return function () {
+      const args = Array.prototype.slice.call(arguments);
+      return new Promise((resolve, reject) => {
+        fn.apply(null, args.concat([(err, val) => err ? reject(err) : resolve(val)]));
+      });
+    };
+  }
+
+  const promises = {
+    stat: promisify(statAsync),
+    lstat: promisify(statAsync), // approximate
+    readdir: promisify(readdirAsync),
+    readFile: promisify(readFileAsync),
+    writeFile: promisify(writeFileAsync),
+    mkdir: promisify(mkdirAsync),
+    unlink: promisify(unlinkAsync),
+    rename: promisify(renameAsync),
+    rmdir: promisify(rmdirAsync),
+    rm: promisify(rmdirAsync),
+    copyFile: promisify(copyFileAsync),
+    access: promisify(accessAsync),
+    realpath: async (p) => p, // identity is good enough for now
+    appendFile: async (p, data, opts) => {
+      // Simple read-modify-write.
+      let existing = '';
+      try { existing = await promises.readFile(p, 'utf8'); } catch (_) { /* new file */ }
+      const next = existing + (typeof data === 'string' ? data : new TextDecoder().decode(data));
+      return promises.writeFile(p, next, opts || 'utf8');
+    },
+    utimes: async () => { /* no-op for now */ },
+  };
+
+  // ---- fs.watch via WebSocket -----------------------------------------
+
+  let watchSocket = null;
+  const watchListeners = new Set();
+
+  function ensureWatchSocket() {
+    if (watchSocket && watchSocket.readyState <= 1) return watchSocket;
+    const proto = location.protocol === 'https:' ? 'wss:' : 'ws:';
+    watchSocket = new WebSocket(proto + '//' + location.host + '/api/watch' + (vaultId ? '?vault=' + encodeURIComponent(vaultId) : ''));
+    watchSocket.onmessage = (ev) => {
+      let msg;
+      try { msg = JSON.parse(ev.data); } catch (_) { return; }
+      if (msg.type === 'ready') return;
+      console.log('[fs.watch] ws message:', msg.type, msg.path, '| listeners:', watchListeners.size);
+      // Invalidate bootstrap cache for the changed path.
+      // 'change' = content update: only evict the file from fs cache.
+      //   Do NOT evict the parent dir listing — the file still exists there.
+      // Structural events (add/unlink/addDir/unlinkDir/rename/reset): evict
+      //   both the file and its parent dir listing so readdir re-fetches.
+      if (msg.path) {
+        const absPath = vaultBase + '/' + msg.path;
+        if (msg.type === 'change') {
+          const cache = global.__owBootstrapCache;
+          if (cache && cache.fs) delete cache.fs[toRelative(absPath)];
+        } else {
+          invalidateBootstrap(absPath);
+        }
+      }
+      for (const l of watchListeners) l(msg);
+    };
+    watchSocket.onclose = () => { watchSocket = null; };
+    return watchSocket;
+  }
+
+  // fs.watch returns an FSWatcher (EventEmitter). Obsidian uses both
+  // shapes: passing a callback as the 3rd arg AND chaining .on('change').on('error').
+  // Our return value implements both.
+  function watch(p, opts, listener) {
+    if (typeof opts === 'function') { listener = opts; opts = {}; }
+    ensureWatchSocket();
+    const rel = toRelative(p).replace(/\\/g, '/');
+
+    // Per-event-type listeners (for the .on() chain).
+    const handlers = { change: new Set(), error: new Set(), rename: new Set(), close: new Set() };
+    // The third-arg listener (Node fs.watch callback) receives ALL event types,
+    // not just 'change'. Register it on both so rename events (add/delete/move)
+    // reach it too.
+    if (listener) {
+      handlers.change.add(listener);
+      handlers.rename.add(listener);
+    }
+
+    function emit(eventType, ...args) {
+      for (const fn of handlers[eventType] || []) {
+        try { fn(...args); } catch (e) { console.error('[fs.watch] handler error:', e); }
+      }
+    }
+
+    const onMessage = (msg) => {
+      if (!msg.path) return;
+      // Filter: emit only events under the watched path.
+      if (rel !== '' && msg.path !== rel && !msg.path.startsWith(rel + '/')) return;
+      // Map chokidar event types to Node fs.watch's 'rename' / 'change'.
+      // In Node.js fs.watch, the EventEmitter ALWAYS fires the 'change' event
+      // regardless of rename vs. content change. The eventType string ('rename'
+      // or 'change') is passed as the first argument to the callback so the
+      // handler knows what happened. There is no separate 'rename' EventEmitter
+      // event — Obsidian registers .on('change', fn) expecting all event types.
+      const eventType = msg.type === 'change' ? 'change' : 'rename';
+      const filename = rel === '' ? msg.path : msg.path.slice(rel.length + 1) || msg.path;
+      emit('change', eventType, filename);
+    };
+    watchListeners.add(onMessage);
+
+    const watcher = {
+      on(eventType, fn) {
+        if (handlers[eventType]) handlers[eventType].add(fn);
+        return watcher;
+      },
+      off(eventType, fn) {
+        if (handlers[eventType]) handlers[eventType].delete(fn);
+        return watcher;
+      },
+      addListener(eventType, fn) { return watcher.on(eventType, fn); },
+      removeListener(eventType, fn) { return watcher.off(eventType, fn); },
+      removeAllListeners(eventType) {
+        if (eventType && handlers[eventType]) handlers[eventType].clear();
+        else for (const k in handlers) handlers[k].clear();
+        return watcher;
+      },
+      close() {
+        watchListeners.delete(onMessage);
+        emit('close');
+      },
+      ref() { return watcher; },
+      unref() { return watcher; },
+    };
+    return watcher;
+  }
+
+  // ---- module export ---------------------------------------------------
+
+  const fsShim = {
+    // async (callback) API
+    stat: statAsync,
+    lstat: statAsync,
+    readdir: readdirAsync,
+    readFile: readFileAsync,
+    writeFile: writeFileAsync,
+    mkdir: mkdirAsync,
+    unlink: unlinkAsync,
+    rename: renameAsync,
+    rmdir: rmdirAsync,
+    rm: rmdirAsync,
+    copyFile: copyFileAsync,
+    access: accessAsync,
+    watch,
+    // sync API
+    statSync,
+    lstatSync: statSync,
+    readFileSync,
+    writeFileSync,
+    unlinkSync,
+    mkdirSync,
+    readdirSync,
+    existsSync,
+    accessSync: (p) => { statSync(p); /* throws if missing */ },
+    // constants
+    constants: {
+      F_OK: 0, R_OK: 4, W_OK: 2, X_OK: 1,
+      O_RDONLY: 0, O_WRONLY: 1, O_RDWR: 2,
+      O_CREAT: 64, O_EXCL: 128, O_TRUNC: 512, O_APPEND: 1024,
+    },
+    // promises namespace
+    promises,
+    // setTimes is what FileSystemAdapter calls to update mtime
+    setTimes: function (p, atime, mtime, cb) {
+      cb && cb(null);
+    },
+  };
+
+  global.__owFs = fsShim;
+  global.__owFs.setVaultBase = setVaultBase;
+  global.__owFs.setVaultId = setVaultId;
+})(window);
diff --git a/src/client/shims/sync-http.js b/src/client/shims/sync-http.js
index 483703c..96ade5b 100644
--- a/src/client/shims/sync-http.js
+++ b/src/client/shims/sync-http.js
@@ -1,68 +1,77 @@
-/**
- * Synchronous HTTP helper.
- *
- * Obsidian uses ipcRenderer.sendSync() and statSync() in a few places.
- * In the browser we have to fall back to synchronous XMLHttpRequest.
- *
- * Yes, sync XHR is deprecated. For a single-user self-hosted app on
- * localhost it is the simplest path. If we ever need to remove it we can
- * preload the small set of values that Obsidian asks for synchronously.
- */
-(function (global) {
-  // opts.silent404 = true  → on 404, throw a clean ENOENT without a verbose
-  // URL in the message.  Obsidian calls statSync/readFileSync on paths that
-  // may not exist yet (config files, first boot) and handles ENOENT normally.
-  // Without this flag those 404s appeared in the console as long HTTP error
-  // strings, polluting the log with noise on every cold start.
-  function syncRequest(method, url, body, opts) {
-    const t0 = performance.now();
-    const xhr = new XMLHttpRequest();
-    xhr.open(method, url, false); // false = synchronous
-    if (body !== undefined && body !== null) {
-      if (typeof body === 'string' || body instanceof ArrayBuffer || ArrayBuffer.isView(body)) {
-        xhr.send(body);
-      } else {
-        xhr.setRequestHeader('Content-Type', 'application/json');
-        xhr.send(JSON.stringify(body));
-      }
-    } else {
-      xhr.send();
-    }
-    const duration = performance.now() - t0;
-
-    // Record telemetry if available (telemetry.js loads before this shim).
-    if (global.__owTelemetry) {
-      global.__owTelemetry.record(
-        method,
-        url,
-        duration,
-        xhr.status,
-        xhr.responseText ? xhr.responseText.length : 0,
-      );
-    }
-
-    if (xhr.status < 200 || xhr.status >= 300) {
-      // 404 with silent404 flag: throw a clean ENOENT so Obsidian's normal
-      // try/catch handles it without extra noise.
-      if (xhr.status === 404 && opts && opts.silent404) {
-        const enoent = new Error('ENOENT: no such file or directory');
-        enoent.code = 'ENOENT';
-        enoent.status = 404;
-        throw enoent;
-      }
-      const err = new Error('sync ' + method + ' ' + url + ' failed: ' + xhr.status + ' ' + xhr.responseText);
-      err.status = xhr.status;
-      try { Object.assign(err, JSON.parse(xhr.responseText)); } catch (_) { /* ignore */ }
-      throw err;
-    }
-    return xhr;
-  }
-
-  function syncJson(method, url, body) {
-    const xhr = syncRequest(method, url, body);
-    return xhr.responseText ? JSON.parse(xhr.responseText) : null;
-  }
-
-  global.__owSyncRequest = syncRequest;
-  global.__owSyncJson = syncJson;
-})(window);
+/**
+ * Synchronous HTTP helper.
+ *
+ * Obsidian uses ipcRenderer.sendSync() and statSync() in a few places.
+ * In the browser we have to fall back to synchronous XMLHttpRequest.
+ *
+ * Yes, sync XHR is deprecated. For a single-user self-hosted app on
+ * localhost it is the simplest path. If we ever need to remove it we can
+ * preload the small set of values that Obsidian asks for synchronously.
+ */
+(function (global) {
+  // opts.silent404 = true  → on 404, throw a clean ENOENT without a verbose
+  // URL in the message.  Obsidian calls statSync/readFileSync on paths that
+  // may not exist yet (config files, first boot) and handles ENOENT normally.
+  // Without this flag those 404s appeared in the console as long HTTP error
+  // strings, polluting the log with noise on every cold start.
+  function syncRequest(method, url, body, opts) {
+    const t0 = performance.now();
+    const xhr = new XMLHttpRequest();
+    xhr.open(method, url, false); // false = synchronous
+    if (body !== undefined && body !== null) {
+      if (typeof body === 'string' || body instanceof ArrayBuffer || ArrayBuffer.isView(body)) {
+        // For binary bodies (ArrayBuffer/TypedArray) the browser does NOT set
+        // Content-Type automatically on XHR.  Without it, express.raw() on the
+        // server leaves req.body as {} and fsp.writeFile throws "Received an
+        // instance of Object".  Strings get text/plain;charset=UTF-8 from the
+        // browser, which body-parser already handles — we only need to add the
+        // header for binary types.
+        if (typeof body !== 'string') {
+          xhr.setRequestHeader('Content-Type', 'application/octet-stream');
+        }
+        xhr.send(body);
+      } else {
+        xhr.setRequestHeader('Content-Type', 'application/json');
+        xhr.send(JSON.stringify(body));
+      }
+    } else {
+      xhr.send();
+    }
+    const duration = performance.now() - t0;
+
+    // Record telemetry if available (telemetry.js loads before this shim).
+    if (global.__owTelemetry) {
+      global.__owTelemetry.record(
+        method,
+        url,
+        duration,
+        xhr.status,
+        xhr.responseText ? xhr.responseText.length : 0,
+      );
+    }
+
+    if (xhr.status < 200 || xhr.status >= 300) {
+      // 404 with silent404 flag: throw a clean ENOENT so Obsidian's normal
+      // try/catch handles it without extra noise.
+      if (xhr.status === 404 && opts && opts.silent404) {
+        const enoent = new Error('ENOENT: no such file or directory');
+        enoent.code = 'ENOENT';
+        enoent.status = 404;
+        throw enoent;
+      }
+      const err = new Error('sync ' + method + ' ' + url + ' failed: ' + xhr.status + ' ' + xhr.responseText);
+      err.status = xhr.status;
+      try { Object.assign(err, JSON.parse(xhr.responseText)); } catch (_) { /* ignore */ }
+      throw err;
+    }
+    return xhr;
+  }
+
+  function syncJson(method, url, body) {
+    const xhr = syncRequest(method, url, body);
+    return xhr.responseText ? JSON.parse(xhr.responseText) : null;
+  }
+
+  global.__owSyncRequest = syncRequest;
+  global.__owSyncJson = syncJson;
+})(window);

From a36ac86b72dd202a2d2591975fac37b00dfb7631 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 10:17:24 -0700
Subject: [PATCH 27/46] fix: add SHA-1 to crypto.subtle.digest polyfill for
 ion-sync getSHA

---
 src/client/boot.js | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/src/client/boot.js b/src/client/boot.js
index 138568e..ba7fb22 100644
--- a/src/client/boot.js
+++ b/src/client/boot.js
@@ -78,6 +78,36 @@ if (typeof crypto !== 'undefined' && !crypto.subtle) {
       return out;
     }
 
+    // ── SHA-1 (pure JS, for ion-sync getSHA) ─────────────────────────────
+    function _sha1(data) {
+      var H=new Uint32Array([0x67452301,0xEFCDAB89,0x98BADCFE,0x10325476,0xC3D2E1F0]);
+      var len=data.length,bc=Math.ceil((len+9)/64),p=new Uint8Array(bc*64);
+      p.set(data);p[len]=0x80;
+      var dv=new DataView(p.buffer);
+      dv.setUint32(p.length-4,(len*8)>>>0,false);
+      dv.setUint32(p.length-8,Math.floor(len/0x20000000)>>>0,false);
+      var W=new Uint32Array(80);
+      for(var i=0;i<bc;i++){
+        var bv=new DataView(p.buffer,i*64,64);
+        for(var t=0;t<16;t++)W[t]=bv.getUint32(t*4,false);
+        for(var t=16;t<80;t++){var x=W[t-3]^W[t-8]^W[t-14]^W[t-16];W[t]=(x<<1)|(x>>>31);}
+        var a=H[0],b=H[1],c=H[2],d=H[3],e=H[4];
+        for(var t=0;t<80;t++){
+          var f,k;
+          if(t<20){f=(b&c)|(~b&d);k=0x5A827999;}
+          else if(t<40){f=b^c^d;k=0x6ED9EBA1;}
+          else if(t<60){f=(b&c)|(b&d)|(c&d);k=0x8F1BBCDC;}
+          else{f=b^c^d;k=0xCA62C1D6;}
+          var tmp=(((a<<5)|(a>>>27))+f+e+k+W[t])>>>0;
+          e=d;d=c;c=((b<<30)|(b>>>2))>>>0;b=a;a=tmp;
+        }
+        H[0]=(H[0]+a)>>>0;H[1]=(H[1]+b)>>>0;H[2]=(H[2]+c)>>>0;H[3]=(H[3]+d)>>>0;H[4]=(H[4]+e)>>>0;
+      }
+      var out=new Uint8Array(20),ov=new DataView(out.buffer);
+      for(var i=0;i<5;i++)ov.setUint32(i*4,H[i],false);
+      return out;
+    }
+
     // ── AES-256 forward cipher (pure JS) ──────────────────────────────────
     // S-box (forward)
     var _AS = new Uint8Array([99,124,119,123,242,107,111,197,48,1,103,43,254,215,171,118,202,130,201,125,250,89,71,240,173,212,162,175,156,164,114,192,183,253,147,38,54,63,247,204,52,165,229,241,113,216,49,21,4,199,35,195,24,150,5,154,7,18,128,226,235,39,178,117,9,131,44,26,27,110,90,160,82,59,214,179,41,227,47,132,83,209,0,237,32,252,177,91,106,203,190,57,74,76,88,207,208,239,170,251,67,77,51,133,69,249,2,127,80,60,159,168,81,163,64,143,146,157,56,245,188,182,218,33,16,255,243,210,205,12,19,236,95,151,68,23,196,167,126,61,100,93,25,115,96,129,79,220,34,42,144,136,70,238,184,20,222,94,11,219,224,50,58,10,73,6,36,92,194,211,172,98,145,149,228,121,231,200,55,109,141,213,78,169,108,86,244,234,101,122,174,8,186,120,37,46,28,166,180,198,232,221,116,31,75,189,139,138,112,62,181,102,72,3,246,14,97,53,87,185,134,193,29,158,225,248,152,17,105,217,142,148,155,30,135,233,206,85,40,223,140,161,137,13,191,230,66,104,65,153,45,15,176,84,187,22]);
@@ -192,11 +222,11 @@ if (typeof crypto !== 'undefined' && !crypto.subtle) {
     // ── crypto.subtle ─────────────────────────────────────────────────────
     crypto.subtle = {
 
-      // SHA-256 only
       digest: function (algorithm, data) {
         var name=(typeof algorithm==='string'?algorithm:(algorithm&&algorithm.name)||'')
           .toUpperCase().replace(/-/g,'');
         if (name==='SHA256') return Promise.resolve(_sha256(_toU8(data)).buffer);
+        if (name==='SHA1')   return Promise.resolve(_sha1(_toU8(data)).buffer);
         return Promise.reject(new Error('[polyfill] crypto.subtle.digest: unsupported "'+algorithm+'"'));
       },
 

From fb812b34ac8ed77ecf401667c03379994f863a05 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 10:24:59 -0700
Subject: [PATCH 28/46] fix: auto-repair ENOTDIR vault corruption in write path

---
 src/server/api/fs.js | 40 +++++++++++++++++++++++++++++++++++-----
 1 file changed, 35 insertions(+), 5 deletions(-)

diff --git a/src/server/api/fs.js b/src/server/api/fs.js
index 3cb03f6..e92ff46 100644
--- a/src/server/api/fs.js
+++ b/src/server/api/fs.js
@@ -165,16 +165,46 @@ function createFsRouter(vaultRegistry, fallbackVaultRoot) {
     // routine "wrong shape" errors that Obsidian handles via try/catch.
     // We return 404 so the client-side fetch wrapper treats them like
     // any other "not found" without alarming console errors.
+    //
+    // ENOTDIR is also remapped to ENOENT in the JSON code field: a file
+    // sitting where a directory should be is vault corruption. Surfacing
+    // ENOENT lets callers (e.g. ion-sync) treat the path as "not yet
+    // created" and attempt a write, which goes through mkdirRepair below.
     const status = err.code === 'ENOENT' ? 404
       : err.code === 'EACCES' ? 403
       : err.code === 'EISDIR' ? 404
       : err.code === 'ENOTDIR' ? 404
       : err.code === 'ENOVAULT' ? 404
       : 500;
-    res.status(status).json({
-      error: err.message,
-      code: err.code || null,
-    });
+    const code = err.code === 'ENOTDIR' ? 'ENOENT' : (err.code || null);
+    res.status(status).json({ error: err.message, code });
+  }
+
+  // mkdir -p with automatic repair: if a regular file is blocking the creation
+  // of a directory (ENOTDIR), walk the path to find it, unlink it, then retry.
+  // This fixes vaults where a file was written where a directory should be
+  // (common when a sync restores a directory before its parent was deleted).
+  async function mkdirRepair(dirPath) {
+    try {
+      await fsp.mkdir(dirPath, { recursive: true });
+    } catch (err) {
+      if (err.code !== 'ENOTDIR') throw err;
+      const root = path.parse(dirPath).root;           // '/' on Linux, 'C:\' on Windows
+      const relative = path.relative(root, dirPath);   // path minus root
+      let probe = root;
+      for (const part of relative.split(path.sep)) {
+        if (!part) continue;
+        probe = path.join(probe, part);
+        let st;
+        try { st = await fsp.stat(probe); } catch (_) { break; }
+        if (!st.isDirectory()) {
+          await fsp.unlink(probe);
+          console.warn('[fs] Removed stale file blocking directory creation:', probe);
+          break;
+        }
+      }
+      await fsp.mkdir(dirPath, { recursive: true }); // retry after repair
+    }
   }
 
   // Stat a single entry.
@@ -420,7 +450,7 @@ function createFsRouter(vaultRegistry, fallbackVaultRoot) {
         } catch (_) { /* malformed JSON: pass through as-is */ }
       }
 
-      await fsp.mkdir(path.dirname(target), { recursive: true });
+      await mkdirRepair(path.dirname(target));
 
       // If this file was written recently, coalesce instead of hitting disk.
       if (shouldCoalesce(target)) {

From 74aa3d1f896d866da688ee960e4ab1ff66203a4e Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 10:52:50 -0700
Subject: [PATCH 29/46] docs: add Docker/NAS setup guide and CLAUDE.md
 developer context

---
 CLAUDE.md | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 README.md |  44 ++++++++++++++++++++
 2 files changed, 165 insertions(+)
 create mode 100644 CLAUDE.md

diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 0000000..f68d6a2
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1,121 @@
+# obsidian-web — developer context for Claude
+
+## What this project is
+
+obsidian-web loads Obsidian's original renderer (`app.js`) unmodified inside a
+standard browser. Every Node.js / Electron dependency is replaced with HTTP
+shims. The Node.js server provides a REST + WebSocket API that the browser-side
+shims call. There is no bundling step — the browser loads `app.js` directly from
+the server.
+
+## Key files
+
+| Path | Role |
+|------|------|
+| `src/client/boot.js` | Runs first. Installs polyfills (`crypto.subtle`, `crypto.randomUUID`), then fetches the bootstrap cache and injects Obsidian's scripts. |
+| `src/client/shims/original-fs.js` | Replaces Node's `fs` module. Async ops use `fetch`; sync ops use synchronous XHR via `__owSyncRequest`. |
+| `src/client/shims/sync-http.js` | Implements `__owSyncRequest` / `__owSyncJson` using synchronous `XMLHttpRequest`. |
+| `src/server/index.js` | Express + HTTP server. Registers all API routers. |
+| `src/server/api/fs.js` | File-system REST API (`/api/fs/*`). Includes write coalescing and `mkdirRepair` for ENOTDIR vault corruption. |
+| `src/server/api/pbkdf2.js` | `POST /api/pbkdf2` — offloads PBKDF2 key derivation to Node's native crypto (100k iterations in pure JS would freeze the browser for ~10 s). |
+| `src/server/api/keytar.js` | `safeStorage` shim — stores plugin secrets server-side (Electron's `safeStorage` is unavailable in the browser). |
+| `src/server/api/bootstrap.js` | `/api/bootstrap` — serves the entire vault's file tree and metadata in one compressed response so Obsidian's sync `statSync`/`readFileSync` calls hit an in-memory cache. |
+| `src/server/middleware/auth.js` | Optional TOTP authentication middleware. Enabled by setting `TOTP_SECRET`. |
+
+## Running locally (Node.js)
+
+```bash
+node scripts/update-obsidian.js   # download Obsidian's renderer into vendor/
+cd src/server && npm install
+npm run dev                        # auto-reload; open http://127.0.0.1:3000
+```
+
+## Docker / NAS deployment
+
+```bash
+docker compose up -d
+```
+
+### Vault path
+
+Inside the container, the working root is `/app/user-data/`. The
+`docker-compose.yml` mounts the host directory `${USER_DATA:-./user-data}` to
+that path. **Vaults must live under this mount.** Place your vault at
+`${USER_DATA}/<VaultName>/` on the host; it appears at
+`/app/user-data/<VaultName>/` inside the container. Set `VAULT_PATH=user-data/<VaultName>`
+to open it on boot.
+
+Example `.env` for a Synology NAS:
+```
+USER_DATA=/volume1/obsidian
+VAULT_PATH=user-data/BrainTrust
+TOTP_SECRET=JBSWY3DPEHPK3PXP
+PORT=3005
+WATCH_POLLING=true
+```
+
+## Plain-HTTP polyfills (`src/client/boot.js`)
+
+Browsers restrict `crypto.subtle` (SubtleCrypto) to HTTPS/localhost. On plain
+HTTP (common on LAN NAS setups) the entire `crypto.subtle` object is `undefined`.
+`boot.js` polyfills it in pure JS:
+
+- **SHA-256** — pure-JS implementation used by `crypto.subtle.digest('SHA-256', ...)`
+- **SHA-1** — pure-JS implementation used by `crypto.subtle.digest('SHA-1', ...)` (ion-sync `getSHA`)
+- **AES-256 + AES-GCM** — forward S-box, key expansion, CTR mode, GHASH auth tag
+- **PBKDF2** — offloaded to `/api/pbkdf2` (Node's native `crypto.pbkdf2`) to avoid ~10 s browser freeze for 100k iterations
+- **`crypto.randomUUID`** — polyfilled using `crypto.getRandomValues`
+
+The polyfill only activates when `crypto.subtle` is absent (`!crypto.subtle`),
+so HTTPS deployments use the native browser implementation.
+
+## Binary write fix (`src/client/shims/original-fs.js`)
+
+`fetch(url, { body: ArrayBuffer })` sends no `Content-Type` header. Express's
+`body-parser` (used by `express.raw({ type: '*/*' })`) calls `type-is` to match
+the content type; `type-is` returns `false` for requests with **no** Content-Type
+even when the wildcard `*/*` is specified, so the body is left unparsed and
+`req.body` defaults to `{}`. Node's `fs.writeFile` then throws:
+
+> TypeError: The 'data' argument must be … Received an instance of Object
+
+**Fix:** `writeFileAsync` and `syncRequest` always set
+`Content-Type: application/octet-stream` on PUT requests so body-parser
+always parses.
+
+## ENOTDIR self-repair (`src/server/api/fs.js` — `mkdirRepair`)
+
+Sync plugins can leave a regular file at a path that should be a directory
+(e.g. a previous partial sync writes `Atlas/Books` as a file before the
+directory structure is created). Later, `fs.stat('Atlas/Books/note.md')`
+throws `ENOTDIR`.
+
+Two mitigations:
+1. `handleError` remaps `ENOTDIR` → `ENOENT` in the JSON `code` field so
+   callers treat it as "not found" and attempt a write.
+2. `mkdirRepair` walks the target directory path, unlinks the first non-directory
+   component it finds, then retries `mkdir -p`. The write then succeeds and the
+   correct directory structure is created.
+
+## ion-sync specifics
+
+ion-sync is a community sync plugin using AES-GCM-256 with PBKDF2 key derivation.
+On plain HTTP all of the following must be polyfilled / shimmed:
+
+| Operation | Where handled |
+|-----------|---------------|
+| `crypto.subtle.importKey('raw', pw, 'PBKDF2', ...)` | boot.js polyfill |
+| `crypto.subtle.deriveKey({ name: 'PBKDF2', ... })` | boot.js → `/api/pbkdf2` |
+| `crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, data)` | boot.js polyfill |
+| `crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, data)` | boot.js polyfill |
+| `crypto.subtle.digest('SHA-256', data)` | boot.js polyfill |
+| `crypto.subtle.digest('SHA-1', data)` | boot.js polyfill |
+| `safeStorage.encryptString` / `decryptString` | `/api/keytar` |
+| `crypto.randomUUID()` | boot.js polyfill |
+
+## Secrets / auth
+
+- **Never commit a real `TOTP_SECRET`** — `.env` is gitignored.
+- Auth is disabled when `TOTP_SECRET` is empty.
+- Generate a secret: `node -e "const {authenticator}=require('otplib');console.log(authenticator.generateSecret())"`
+- Scan QR code: visit `/__totp-setup?token=YOUR_SECRET` after starting the server.
diff --git a/README.md b/README.md
index cf013d1..0d4e655 100644
--- a/README.md
+++ b/README.md
@@ -83,6 +83,50 @@ Open `http://127.0.0.1:3000`.
 Open `http://127.0.0.1:3000/starter` to manage recent vaults and add a
 server folder path as a vault.
 
+## Docker (self-hosted / NAS)
+
+The repo ships a `docker-compose.yml` for running obsidian-web on a NAS or any Docker host.
+
+```bash
+docker compose up -d
+```
+
+### Vault location
+
+Inside the container, the server's working root is `/app/user-data/`. The `docker-compose.yml` mounts a host directory there:
+
+```
+${USER_DATA:-./user-data}  →  /app/user-data
+```
+
+**Your vault folder must live under that mount point.** For example, if your `.env` has:
+
+```
+USER_DATA=/volume1/obsidian
+```
+
+then place your vault at `/volume1/obsidian/<VaultName>/` on the host. Inside the container it appears at `/app/user-data/<VaultName>/`. The `VAULT_PATH` env var (default `user-data/demo-vault`) tells the server which subdirectory to open on boot — set it to `user-data/<VaultName>` to open your vault automatically.
+
+### Configuration (`.env`)
+
+Copy `.env.example` to `.env` and fill in your values:
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `USER_DATA` | `./user-data` | Host path mounted to `/app/user-data` — put your vault here |
+| `VAULT_PATH` | `user-data/demo-vault` | Relative path inside the container to the vault to open on boot |
+| `PORT` | `3000` | Host port |
+| `TOTP_SECRET` | _(empty — auth disabled)_ | Base-32 TOTP secret; set to enable auth. Generate with `node -e "const {authenticator}=require('otplib');console.log(authenticator.generateSecret())"` then visit `/__totp-setup?token=YOUR_SECRET` to scan the QR code. |
+| `WATCH_POLLING` | `false` | Set to `true` on network filesystems (NFS, SMB, rclone) that don't support inotify |
+
+### Notes
+
+- The Obsidian renderer is downloaded into a named Docker volume (`obsidian_vendor`) on first start — no manual step needed.
+- Run behind a reverse proxy (nginx, Caddy, Cloudflare Tunnel) for HTTPS. Without HTTPS, the Web Crypto API (`crypto.subtle`) is unavailable; the project includes a pure-JS polyfill so plugins like ion-sync that rely on AES-GCM/PBKDF2 still work on plain HTTP.
+- If you use a third-party sync plugin (e.g. ion-sync) that previously synced to the vault on another device, the initial sync may encounter ENOTDIR errors where old sync artifacts left files where directories should be. The server auto-repairs these by removing the blocking file and recreating the correct directory structure.
+
+---
+
 ## Obsidian Version
 
 `vendor/obsidian/` is generated from the official `obsidianmd/obsidian-releases` GitHub releases and is intentionally ignored by Git.

From 01acda8bf90eaa306d069fa6a70221c35bdd3ce1 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 12:02:41 -0700
Subject: [PATCH 30/46] feat: add favicon, open-in-new-window support, and
 vault manager popup - Add Obsidian-style crystal SVG favicon to browser tab
 (index.html, starter.html)- Handle open-window / move-to-window / new-window
 IPC channels by opening  the same vault in a new browser tab (electron.js
 shim)- Handle open-vault-manager IPC channels by opening /starter in a new
 tab - Fix sendSync('starter') server endpoint to return '/starter' so
 Obsidian's vault picker can navigate to the vault management page

---
 src/client/favicon.svg       | 16 ++++++++++++++++
 src/client/index.html        |  1 +
 src/client/shims/electron.js | 26 ++++++++++++++++++++++++++
 src/client/starter.html      |  1 +
 src/server/api/electron.js   |  5 ++++-
 5 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 src/client/favicon.svg

diff --git a/src/client/favicon.svg b/src/client/favicon.svg
new file mode 100644
index 0000000..73896f1
--- /dev/null
+++ b/src/client/favicon.svg
@@ -0,0 +1,16 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
+  <!-- Dark rounded background -->
+  <rect width="100" height="100" rx="18" fill="#18181b"/>
+  <!-- Crystal body (hexagonal) -->
+  <path d="M50 10 L82 32 L82 68 L50 90 L18 68 L18 32 Z" fill="#6d28d9"/>
+  <!-- Top-left facet (lighter) -->
+  <path d="M50 10 L82 32 L57 46 L25 30 Z" fill="#a78bfa"/>
+  <!-- Right facet -->
+  <path d="M57 46 L82 32 L82 68 L57 72 Z" fill="#5b21b6"/>
+  <!-- Left facet -->
+  <path d="M25 30 L57 46 L57 72 L18 68 L18 32 Z" fill="#4c1d95"/>
+  <!-- Bottom facet -->
+  <path d="M57 72 L82 68 L50 90 L18 68 Z" fill="#3b0764"/>
+  <!-- Specular highlight -->
+  <ellipse cx="44" cy="34" rx="9" ry="5" fill="white" opacity="0.25" transform="rotate(-20 44 34)"/>
+</svg>
diff --git a/src/client/index.html b/src/client/index.html
index efdc0c8..6ec637e 100644
--- a/src/client/index.html
+++ b/src/client/index.html
@@ -4,6 +4,7 @@
   <meta charset="utf-8"/>
   <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, viewport-fit=cover"/>
   <title>Obsidian Web</title>
+  <link rel="icon" href="/client/favicon.svg" type="image/svg+xml"/>
   <link href="/obsidian/app.css" type="text/css" rel="stylesheet"/>
   <style>
     #ow-loading {
diff --git a/src/client/shims/electron.js b/src/client/shims/electron.js
index ecc5569..638668c 100644
--- a/src/client/shims/electron.js
+++ b/src/client/shims/electron.js
@@ -374,6 +374,32 @@
         _nativeWindowOpen(args[0], '_blank', 'noopener');
         return;
       }
+
+      // 'open-window' / 'move-to-window': Obsidian requests that the current
+      // pane or vault open in a new Electron window. We can't create a full
+      // second Obsidian instance, but we can open a new browser tab pointing
+      // at the same vault so the user at least gets a second view.
+      if (channel === 'open-window' || channel === 'move-to-window' || channel === 'new-window') {
+        const params = new URLSearchParams(location.search);
+        const vaultId = params.get('vault') || (global.__obsidianWeb && global.__obsidianWeb.vaultId);
+        const url = vaultId
+          ? location.origin + '/?vault=' + encodeURIComponent(vaultId)
+          : location.origin + '/';
+        _nativeWindowOpen(url, '_blank', 'noopener');
+        return;
+      }
+
+      // 'open-vault-manager' / 'open-vault-picker': Obsidian wants to show the
+      // vault switcher UI. Open our /starter page in a new tab.
+      if (
+        channel === 'open-vault-manager' ||
+        channel === 'open-vault-picker' ||
+        channel === 'manage-vaults'
+      ) {
+        _nativeWindowOpen(location.origin + '/starter', '_blank', 'noopener');
+        return;
+      }
+
       // Application-menu IPC channels - ignored on web. Obsidian renders
       // its own DOM menus separately; the Electron menu bar isn't visible.
       if (
diff --git a/src/client/starter.html b/src/client/starter.html
index c1e9a84..88b324f 100644
--- a/src/client/starter.html
+++ b/src/client/starter.html
@@ -4,6 +4,7 @@
   <meta charset="utf-8"/>
   <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, viewport-fit=cover"/>
   <title>Obsidian Starter</title>
+  <link rel="icon" href="/client/favicon.svg" type="image/svg+xml"/>
   <link href="/obsidian/app.css" type="text/css" rel="stylesheet"/>
 </head>
 <body class="theme-dark starter">
diff --git a/src/server/api/electron.js b/src/server/api/electron.js
index 961bdd0..65e0322 100644
--- a/src/server/api/electron.js
+++ b/src/server/api/electron.js
@@ -133,7 +133,10 @@ function createElectronRouter(vaultRegistry, fallbackVaultRoot) {
 
   // ipcRenderer.sendSync('sandbox') - opens a sandbox vault, ignore.
   router.get('/sandbox', (req, res) => res.json({ value: null }));
-  router.get('/starter', (req, res) => res.json({ value: null }));
+  // ipcRenderer.sendSync('starter') - returns the URL of the vault-picker page.
+  // Obsidian uses this to know where to navigate when the user opens the vault
+  // manager. Returning '/starter' lets it open our vault management page.
+  router.get('/starter', (req, res) => res.json({ value: '/starter' }));
   router.get('/help', (req, res) => res.json({ value: null }));
 
   // Update / insider channels - we are never updating, never insider.

From 3a99347427bdf3152dc24f6d4017e9f8d7cf0a88 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 13:15:10 -0700
Subject: [PATCH 31/46] feat: favicon, open-in-new-window, and vault manager
 popup

---
 apple-touch-icon.png    | Bin 0 -> 5856 bytes
 favicon.ico             | Bin 0 -> 31332 bytes
 favicon.svg             |   6 ++++++
 src/client/boot.js      |  38 +++++++++++++++++++++++++++++++++++++-
 src/client/index.html   |   4 +++-
 src/client/starter.html |   4 +++-
 src/server/index.js     |   8 ++++++++
 7 files changed, 57 insertions(+), 3 deletions(-)
 create mode 100644 apple-touch-icon.png
 create mode 100644 favicon.ico
 create mode 100644 favicon.svg

diff --git a/apple-touch-icon.png b/apple-touch-icon.png
new file mode 100644
index 0000000000000000000000000000000000000000..4c113e5719eb02c2e7d5842ce5dc5976942c82f4
GIT binary patch
literal 5856
zcmV<679Z(}P)<h;3K|Lk000e1NJLTq006WA006WI0{{R33KRAK0008|P)t-s6%`d0
z78Vo~6gVzSZ&;j`c+;qb?{#0HNIGOEBQJnux2lKlr-bf7I8zf76QP0OtBLPkPJT~B
zXFn}ttc&l3TiYiaKCO)JmTc>2ImjCrAg+$^u8r`beeHTg=3qCni+HfFkMKe!d6$33
zu#oVoiSK_)=QAN!oPgA^lJJC6=yO8V9vLbyD>{u|>1{yCtB>Qdl<-n8n6#Ghid*S@
zNajZ~ab;A7iCXC|B1wi-=y62KBOWe$YM!;1@o7H5wwduzGK{yH@t$|>fllY8jMliD
z@{VEZdP>@ZQRj6@%(<QNpnC0RK(@M`@{wigyP)!wYwLbc+jvdRl!3avqVk7V=vg|M
zh*;=TJb=BU^S-3>pLy-Srt^VU*O_qab4<g)r}K+l>A|S<n{(`pUg^TB^C==Yepk)J
ztn_V6u(q7(k7DX_Qnbac^u?|8k7MePWa`GS^loE?$g%X2X6l}ez{#`qm~QKnXzR+g
z^^|GrWk{XNw)M=o^{}1U&AIk~Uc}D3_Ly($gka3iy!M)M?9jdT(ZBY;tmx9f_nmd@
z)57=E!}pbM;Y1{bVJys;bK_Sjv|=sI)y4PL#`j=HlGn%gp?mF%XVTfq_)aIBdrj5Y
z$@rvy?qMy<<JbC;Yv0?<_@#mFrh@KaF3I52`Q6X>-qHDkTGi&<`eHB0k#N*vFvnvt
z$CPr}>*M@hF1?Cs$z(IfSS+w)G{$Q^$YnIfSuL`KUDn&p`DQl8&%f_<PrZ3ozh^kd
zZb-UOC8|;-t9(+?cu~e_JI9-M<!nL2QzxxqHMnd($Z9{rRVl7lE3j`u$y+b8az@K<
zM8;e&v~)<zT`{$BM#x?=wqG;1c1z83NXcI`w_r54XFR@nPR?RBx=JpCdQZ<|H@bUJ
z&}2BfWjVZkQ_^NSy?<5GUplC0J->li)Q4Z#Z9>F}V%dvi+l^=3k7(U>O3R;n=zdev
ze^k_fR@H-9*o0cyhh5x>U*3yh;EiM9k7eVKXXJ4#w^slF6QM~&K~#7F?3RVHGBFH=
zX>cp<5Zr#ndH*-NZ5F!Cwb45pX8Pg&&6$(1sh=Vc2m}IwfTFXz`!d$bU~h;Q(RJq(
zonOJ5A-^Na@<CD23v!*EBzLB=$ZW;;Q>T=~l$jSiZ$PlMCq$|QbC%Z-CPcap{w87D
znG2^g*<3E0F96}jQD{5BQY@8o<(#3CtpdobwetE3pdnqWmo3&h*8qcipCDxxv~Jc3
zvNp8z(^^?X8M~#?Xt&$GcBiYU=yGOJdDQ@ehDOiu@TQLR2ScydBBWE?S?5QiUT^Gc
zPjITiB4+RL^$f$=d_Ee@$K!F7H)$g-$ePV;Vkl<~gf1>utGQ(~a@One264-hR*CkR
zS!*cn_A7$CBkg*-{tNN<9~wq?WR;vUoxM8$-R%j|rnIB5{~_XkK8z|U={Pf>pwow=
zg|r{uw%YBsmBy3y*0nh&lyh`)IX8{)`51dY(l%jVu87y`EnXps7{~u@vGe`>Mw~q`
z*%AX$0Is>E$2{A%?X_*&w(-|rcb^Vs%SiUjRBmzit5ZG61p>HZ-y-(+FO<7qewgD&
zyZ;`V5mz^<Y5)8Ah4b{+Z>RR|^n0D}`OjbE)2F{Vwv;Vo%D;kf=Hye2(Fh*FoA-<U
z7EwrD1iG?iM$V8JDYob=`3H1x5j|2$ii-Fy5joTpRhKHctgP&-u~RKcyl>==!Sa#{
zx->-+xG^G?5Ob=o7Q%Pe=|{u%{HDCZ$GNp`R#%s4s;jGOZsKG_lJ|^xHgu#^)FKsp
zRY>VHEIi$!u5)Hi{c-Fd?gOm8d%jrP0CIz)qi;7NjSy>I76-d^(y0!P6w(GEI^!`X
zcqDIyV$LNU>tt>FaR&MuOPhj-+_Gh`o2~h!rsX%A({=5SK|N9$njG1)o3w0sA|Lz|
zu#$grT5p<!P5XDEg1*`2r0sOK2X3%gUFtgisp;tGG`fW(I%2Z$NP#z>BkUL76%8-a
z)ouI^5}Tb_HI5V&_q4b7_Vo1h@&dTBS>1P(+||)V`B8v6P1#xI%@Fq@{rc+bX7#7f
zmMmbGf#2zNYpt1Xn86Jrcvp7qAjGcW?>0j>Lv?Joep~m)i--G%ZQy1#*ng>Jn4S2u
zWMrgR(ebAvvlD%i%n(aP>81p3sK-RyC2?NK`1sc(RfpT%#U4u@CGG^>6RZXtWfQu@
zwrndNQL$t)#krVes;1oMKBeA?d`2e%_87=&7OsGisoy4k)Bej*W7^QNlBcJqc~v*p
zE$mubGdhO%t<OxFs_my(GfQMA4g)o2`?5^4lD!wHtgL*?UtA}un$$P7<xm{DrR&i-
ztyxQkRWesOH%IHd-$4?b;Ae+J^1|XG-wO*t+oZlsWSCVfT*?w<d1;AWfBSdVF{cCQ
zi=#>=DrH44qC-8+Pvn@LW=AIP9D`jh#jYB`Os@)=Dkg9~=$p&#>9UjIN~V69+9;vd
z<*&wnHjn!plKMVsR`D7qU@r>$LC!pff&pG{)O7p(BNo~>y+JDK6ky8cCa+2ddST0v
zQL+Vx={6?rP-g*pVp<1-yd<`9Y;vzr&pOOB$sjxI_BP$LbeqV(FlK(AezQ2e05P(Y
zb4%F^wRi%#W{ib$CA+&=&@}#b?D05jCj;Ugjk+=3=PfyGnW>cKUCkbuojRu36wC!y
zu^8BW4y|yb?9D#joH5KGTX2{?W0HInkR4CR6o4rQfIIfe&K7!J0-3<u5MSr(I<IsS
zI@LB^Xv1Wn<O3Ilqii-~G%y!R&Sh)fSao!?IaIQW|I=<4&TX7g5WuT2N-ozFW=_h?
zXecu?4VAf7lqfknQmvqEg;Xod%*=mQ_w9S%edo!r?p8WO@i#krcLpW<cQ%_1**fiy
z#ms4N7&;4Qb<aB%!W`aSlD*(HNYB=?cyoAUb2*jUv|l%~Z&|&XMT-{6@!?|MbOL6p
z!hW{vYZfe$&oSD!Eab08xDA^9FqHeDJmd`mGr~?1X*#@m+%Q^eX36m8UC7q1|Grbm
z*oM~ZTBcaC<U>sZ=aF=H@%V)`lZ-6Y7+clZM)pjzl36mnJ|8amGHvEWuhN1Z_dAyX
zVJHsd>C|B7#@i|A)~sT~eum&JJ{p~D(>f0^r+?-&NCq_s!@6Z6Ku_YH#cVB8Ol~yy
z$eC!DkA%q9bO(wCnPy3+BxJMe{G`Y>jO@(I@NmyRqc3ktsAr-Z{^B--OmLyIP$&@Y
z)%o!}2YJ<SW&`)j!n9W>dBIEH|1roklgt!xXx&`M-%DFK4cBv6vdfe5!25swH80uk
z0J=)c^JW%p(Ly)SqR!^qfu>n&cH}25@9~K|l-QR{ZqbTfQCd0kdzfVxB(IWqwV;=N
zuV&w~wk%#3s)vR5@nmYYc}y*>T)A@Qw*^^-idQ4*raFK+|2xJJ?YW=0wN;+Xnsh={
zv*?tNS@g=4B|I|SAS;+zwVG{X*Ekt-`A#w8Qm1Amt2dhWdU|0_=sWV1{{`)BVn#~K
z%QSbd?q;-Y>6)`HEOX{?%u4Qw2A}&;$BIt%yR)pNSf1;IELp$4d%dxB*SPEzh5+r&
z6f3#88BYZ7gneT=k(U{!qD9XlSleEw;_`aN)K+z2x|)~hG(6cy<s;Hb-Ct7vdPlAt
zqAr)$mo26)7WE2JXrb9p!;?2yj6INOO)BQ1)jSK-jT=j)lDvVsQVyeKYt=zM_#0?D
z2bHX=aAFT1N^~-6UB`rt{Zjg`Qtm7FAy&2wg!>4JpP898_aH{D%A+dpjXgXa|EMFc
zK*#mYgEg5-pT*RxR_Up@YKUE*)!gjJE}L+udyt^rs$()o(No2_S-G3_?e|-@B2+6{
zs^+N8{3PeBWWoAW&HWJ6iM$HcZY-NOZjJ`(`tEI8C8oB01o_VI#r$O0vnP+zc=n(W
zjl}+K_*BpJ*}h{N;?!~~7NzN+_#S)qW=|f1!{F>%FCekq%u{Bz8w-p(@kHc}e1gmq
zHM>?cst#n-lWZGq8U#b^Vs%5!Yjy13gzKf_A%bbPh<amvrNXYMmaAStNBxCA32ho4
zJks2d3!7Ebo#G?Lb#z6zQF&&^mJq$(p>sjd>dry-Jj%=?U6f7ru7>Ej7}qVFHx@PS
zj>On~R<#>7o6fJQdlFxQTF;n<fR&6_+}9ag+0}ca14+gBg>;t_@7cX)j~vdudGEe0
zTdqUritpH<ZO>Zr<T@9pX4kW$FV{=Ow&+>=chc))cDT35Ky1|RnwRSgmca~k)tS*R
zu(#ZTC*B~Tx_Th3U8^}&ThabET2uRx4|+NppSO>z20GGozIeM9%~OzO3B0!>>Soy-
z$W4AAHKCR4CVdEK(H@lJ;9(r{p6;DTc2urMXNzCxI9$&ZldPdyyXHW6v8K6(h1kDq
zcW{#7r1<Dz26Qd^Td7(%-5sKXpc<Zpz`2r}@QQo?hj*yffke@@|4}meJ<G9BeE4XX
z!$;M9`1rnxphc};op!<<6rUm5^-OWoct+qvOW9iWy>VPXoSBQhO=b)*#1XU>4)u{8
zI~0AQZ|eznQ}6E1J#pvs+egwo89htOBKCjiNV`@w@8+x;&sxTj3h&^1!jeyhIeL<1
zOWPg$wr$x`k(}z7H~7GT#ivi7KC|#Z@7_#H`!jcr=Qgb7NgBwZ=IKZ@Z!tvIa?y(x
zJqu>=BIdIW&XpX@?Ax(pYsb?E&K){`{`>`bT;K<Ip8G2EQp+Rb(X*1LOPm^P+-j(<
zR!5|3y;SQutmrPF6|7?9q#o)%eDR+HZGd{Nglu^px|Dgn<<3SU&z~-@UpKW4gjH`C
zR{OV$`Y&41(y{~BTWGhsS+Oe_hq{$6$Jo7inVy;%aYNnIh^p&&u?D*Ks-s^j;Tnel
z3%Q=;%S`=cf$O->jirqT(JI&Xa)AAA`<<e_6OT~ccsta#j}2F7uKoL27JZC8a}o6V
zC>y!j1|lO?#Y%J~+Wgo_AGgfElOY=u!9ZBGj(S&(Uw_y%^u}^ndj>gb_HLqu$%iT>
zu4(2P9=#vG^a#Xq+^NIXs=1Hq|GeA-upDU=1>o4WZQHh;taoFl?Dg&|*V?vYYbMUb
zdVZ6MZCm%A``?+{*%W)`owdI@b>{D`-t_#I$KP|Coc0R7lF?*V@^Xz+bJ?Nw_EQ)e
z2e`3ppEapRH;$BzSx5J=wV=OO9PFg)V;nGxc*pV`E`VbrI|I54rb6xk?{eARVp1=D
zX9{fUn$fzCl0JT*jXm#BG|20sWTZL8x#cq%@GM!(#*6IcpXW~P$1e*wG_Ts7A9>lF
z%g5b^Sw}gXbubf}y(Vyj9n_BbR|<}CIZOGcrAz0|7~HED)Mg*lbWxwTO!^PuQJ5Pv
zdKU7YXxNRimj{Wfo3><VB`YcPYf)n$x({wTkMI8}U^d-K&6tKGckbMIPiIjJdyO=0
z$q*~oW@+&m{Y=%BfzE55>G`-{a#b_h^ekcx!=a{m7_zI_aQAvLYZ6zDrsdEpT)2QN
zTI%xs=%6PRT@gj2W{~%}I5w&G2Q67kj(HDwGL(KqcrV&VwCTF|6vpo&UQ3HsGq}mg
z$@`KWoXg%5B(Z7PfLWR1&4KX~27Azj3tF_Vs^$J)%{!!K77ubExl^YGHrQc+Y{6+r
zI)34N^9t_+mvWv59nrB#$KeIOVtav(nv+4!K=}7aP3+9|Fq@Vk7H&EvD=Qoh%P(13
zS?TF5M#!kqG>rpj|Lf3wbX@1gu}5nLcr^V4b~3Zauit3MC>dga!{O~uB^*9D7HGM;
z<c3+F=Edc$!&+K2qnSLK6X9P8o79_!8ncv)j@5g}W;^Gb5i$=tr}Hz}yzb|7Ao2>p
zVH9o5ks~e<c5~V9R_8Tq%_x~B0Wq9MZA9KeKZp$q>UG8EDXrn>2c%w(qG=msX7aIP
z$2M&`MsaMQL6%{pDH-15$O*}Dgy`dk(K@*4QZUEV@p#CKu2Hm@iA>^?luZO@Hg)|j
z%%)|C0aorQm#BRKCS4Qb@Gn-gQ9mbU^bGQ84!fa_1l^jkWi6S-sy%4p=-pfLy$6lM
zd<ZFi&|Y<=GlZr=!^~pMNm3sfJw32nYi2T;Q8L8vo;6YUiMiZ#DVTxQ#Od)PtM~20
zIAA`fLEA@;Bn@2|t9iSUNvz)Po{0QZsC>gZ`Q<|hvli{AYcp%8)eQ1K2-sBi;=MTM
zFlLZR46^g?^hV*|)bX4gKFQ|IWuwl>pm9*oOkRb6P3m{iGnp}FYFSHGaL7d9%np^2
zaoC!CvkjWkWawx$Gx+>@WuHz8kU2%nAhTJ;0AGkDbOCU%gT;W3-&Y;MENTv`*JB)P
zKF_%b_dn-Oe>2pYl`LZQ?&n<CuXMP(ms7N`{i{7+;zMYtH>vp|LTpwq7Be4nsF{WV
zGQ{9|qwH2NE7?C<M`j+|Kz*9`%;ZZPW>eYkvN;?Uv(zkP6{p%n;h~N|o0j4cki82D
zoFg-nFLQ`Z>Tiaoq+uI8XVk1@3(k~?8|>;Z$Ni-dvkyi?O=vb>;SihDix0pobJm)L
z9MdLWO{ORu?)r8eiTnC6s8_-K3vz|k!IZQtHe(uCvuPP#PatP@6BI4xc(ToDt?Vwr
zi(>xJsplT&o{c#aGA+ZI5sSE){T!J&C?}q1dxikb>ZD7T+00>elALugV;X9vj*~?^
z+Jxb7V;wNZmkc)CRy{503X?zi<P%meSf7@~w{+MuPXlJOOk@HxITAU-iBRBXbrVIS
znz%-5fLYbw{6b{p!(YB3GxdC2%@@=RGKtxHOv7^YeRZgO3=<T497WY1ezKKA>Oi_&
z2eD_J2FOOdNh5Gp_q6E5zC;N&spk^<+BH(oO~XY6=kx!~BxdkQ&h?WB!)Yg@>th><
zS%)nGXi*nnGpRorpZ?T1#4I&~Ox)|&Z%F9(z^1aNano8zf+qqrtFK+FTJ_qs1zhw|
zW5%4NW+4N7Q^Rhs#}`Zd+lclmLxK9o->P04k5Az<dghuzX7H=gh?~@JusJbjhf#9`
zt?D0tulh;4DLNE_nR^~BW{`osg@7&U=ZfXRIueSu_t)&kuB&dQqP^ol&oEQXv<m^>
zb`dzU+ey(#BGD$I?(!v%186<%aN*7nGirvotcKlCU(XG6Vw<*iPr2N#$=#%Wt)4y4
zRF|T4&}v4_LcZey_br}C6P$S2`yHEL!;LiQQm$kD((MjE_uNn(hnhi#_$~rAx;C$0
zXM@_2bs{$I52tl(_uP6lgDhfYqwCV<=t!{Je$}nS)@{?I;|nuk2Kk-_Z0b5-9?>Kk
zZEyLk+p%r+IS8Kn%OIJFeBXuC=z4k=6z!_crmu4IF5BYmW^j|zZYG-_Q0P}s6I#ZR
zJw2O=n5+6T?Pe)mO22Xc!9xncp`M=G-YaFB+Md|@sf_-tvGDp|CV|ZhnQ6ZN7V7Ll
z+uzzi4Yq;9o{NVv=i<Zj!55yicLo{^13?ho*T3rj|5zRISnd=^M(m>%z+^JJIgt5!
z=(tI=py6BD=3UuN>59FgsT%=zc88uDQMLUej>iKvRUAy$_{L@P!}UeDykQs6k5eiE
zA6JL<L)$i6%%H6Qw3a9q?GAdxFV}rS<Ta&O7Ip-nl2Gs;-4%uNxn1zC%uMj8g6#sy
qk_8MfUQ_XKe);DE^>T(`7=|C=)!b)R)_3m!0000<MNUMnLSTYve)ZM>

literal 0
HcmV?d00001

diff --git a/favicon.ico b/favicon.ico
new file mode 100644
index 0000000000000000000000000000000000000000..8aad7e4619e74ee78fee5b73a622a978f8b6a3c3
GIT binary patch
literal 31332
zcmeHvby!u~7Vn}%LP|mq6cD6SL29djfFdEFG)R|p2+{~h2+|;pbR#W|qI5}13P^WI
zzqR!2`?y^7=(*><_s`kix12TNH^=NTCjtNhfDD{I4S*pPK#u|dq5uF;QT>r71b~NN
z9vj;qX=VTjBLxY-A4H$R2>?|f13j1qMSwZq^1%QAK)zr3E$K$$ZkvbDY+Hog+_sE#
z+qQ^&4~8q7=3#e##_tR`BW{_8t8H6`Klx%6d35sIvWTes2|og;Cw|*9;&96%gdYs|
zPx6C#+w%{eVt+>l!j@%36r6s`BHRk3ZG)%bAxJZ{rW*-b@ZW!1<`F7z8Yl$u`)^rB
zmi>EP#Np<{a2Zf;`?_Tq({Tx#mJyQ2X~BBhAJ-4Yx4=(-%Q8F!q65pTkMn=E8;A`q
zW6L~LXv-{2VBI3(#y0qYxCOT@!n6NXZW;OFI6o8zF&loBZ5i<z#BTXVJO;8UoDT{?
zd9&ZM;goJ9Ca7l=(hXu=`o<ro3dZM-^Mf?jCw0Tqn<mf6LHZgv{ibQy9e5lbu0ITA
zfzzK1L9E(vIw%C&Q4#ES)5r6cO#`5A{oUWTS)}N3S`cdt_{G8VKx|(!<mHjR%M50&
z7=+<L_W2jRRm8@Yd880L4Yr%bk9gtvs}I9zLAsIu%M<AcwtEHGK51~8KMOYuLr6fZ
z?T`#G9N0FGy!P4B_tc;99WRI47_?_0SpV0@^Z$wey9J<mk_!A_;0Mj0Uw{8GLww8r
zZ~uk*2G|dbp>_e=bq#Er;cc@p;r~|dasE}KV1hM^Nct_)2;NQeaG5{m!k3`FPw+l@
zJOszr=B80F*>M?vB@XpBa9%ufatt2V^`khr&OG=lI^jIf*Z}KM502e*C=U#af28Ys
z`QUsR2AB1_;e@$A1~i|;<wElt)TZ$CuY^!P_+7ma{h-Nnw3F);w8lW|$?<vYS1@dv
zMR5HNh7a=2s8ByXDI1#mAUR-rWSlJfQ5x)<ThN~4SM^s5IU|GebAKf7>;A<u+~r5*
zC-Xtfq2Fv4F7hiF;OqEFIq>wVX&4=7e<OJMXCYYkrS*q_#2|)yV4dcn@%v{Ow!wAj
zXEN6;!x`ZFfuGTVx(}f_V%9JO3)DRh(L(FxpX#@W=>C~paQ-0#ZRGSb8mMg3GV&p$
z3$#`0aas^N>}ME2-1^7qkH^7!On;SW8If{4|9Bj%<0!Oe`$iY;f4mHeL*w~p`k^ro
zwbe;JC=FsufOw(()V6tq7^uq@%nOA23|LQBXip9G-!+rxM924Z$7O-^zCY6sm4W)*
zj`P6dknJ`t!#KgvW!p0BI;00K3mO+79zh5X_^rcvj)!1=KU6<B&yT{db3M49I>Flr
z(Sz9jZR~&T+h$=GK-q`K=}*R?a<ETa`H{|(`JmkB<1(PVE4223a{hI80OMc2w#6^Z
z2Ow?ANgY2+e;a4t>IB*~2BJMVAA{}C0Of-=sXvbOWE?Et-8PA&hG>812llCA@auur
zK<MmsQZ5`9ShwYqWyjMXUFq-Wh0{X&j4jI$%CENg&b$Qnaqm%eXY}K`z88niEO42>
z8*V*}JO|qE>-=?6Hdybc&^mcC|702(m%pnQP7msCJt+^KK4$-~XDWF9$#Bgy^b%a&
z?}ktxJ1GyI2J8QIOoH=I1w8M2AvB(US1+6%+z0&I8S}V&Q2#!3W`p*j$Ma9dp*09D
z?{`D6ZjVmNJDvvZqxHwx^k4JBzm;1=jQy_8<Me;F=LPjQL-b%jNj|O@ii7q!+^`6{
zeO%sOh$Db<ez@L!(*v#rU>^hN4vu4h)}+6n?>|_+`Y<daf{)8S9tX#F6~qMU&w}TJ
z@gj)tKZN}k89(a_U*{^ba6U*si09+ad<p*r1gMUh;I{{_Cp?742_zRR8~B+Y<iF7k
z=iM+5mjL_QCR{fZLVCaI2Yq{Ry8mSet>qwwf9;b%{dNCKeczM)buSLifsif0aR~b!
z%|ChnSl}NE{9}QiSpf1Af>$np2KfEUPYB+<{Qvx|nET^@JzIUdH<<wE*DY|rSq{$q
ztp7i8{YdxMa~O1|0p1UR`;I0M@4xLu;A<7+-}wJg2gsg(oSk8t7Ln2*K3!;k1cs3R
zv<>|JV@-!+J{f}T@c+#34!_g*b`JXfx&9=+KTAV({S`mJkJ|cI^S3NQDInWIJ}`&}
zw43#xVf)o`s4agL$6uj?{N^CuulIIf9lrVwzWRoa-68!d*6-1Qeb4Bx;QAGwZ~mLe
zKDb^G{~_c%fq1tpA|2uR|4j(W%=;BAze@x87eU+nhYu3m`$s~uwoSvSp!)nb*dbm}
z#&7whf2AH@?->8M+dGL5)VBor2EW$fCq9Lfd_PM=KA~U1^(!<BCeLx8dHd)3LWREJ
z|4+Z_&-lJq2DRZ|@riw}F5i6IKlYQr^@Dy28;BnamEn1RHH4pezlY~{^1iK`;kCbl
z1AfK?-)ivu3jNP$z`0Ej!U?v6J|ypVFdw6Z-gW%PJ<*T!f;KDrsuT1V|A^*S@<G32
z0VD@n8^L-EgXh04_}Dsz?N6hSU+`D-!D&ESeLdrX_bO-MdA}P%XJ+`FEObW#=LhRy
z`=@|U5I{U|{$B~f{p8m-I@^{(=YNI%Bn?>qgAL2bTM!J$24H#>PV?;y9(4W$#GfXi
zH%D;(UkO1S$zOF_hI0Q3{c#!)>mlSTg!o%@BT>Ngo8#qB99&~cehT<RA>{i8=gfb-
zDLE<cWE#}z0g2eM47-1_>}P3^ZyWqH;p)M5|JQq{lYC$u6yS8f5`ulg`J{{=r6Io)
zBoo@>|A^*fK4_m}=>7nX1;iJ0lID0CK1aam|1A7^*9O|>xQy?`LHq5%@1eiW8=$Wc
zwButCUpiRU0{INV5ISe|LKwh0x*Yf0LwC1e*{ko#KAs2G&*{%FpDYJ?B9F`XUL4e&
zb&~H_(%<g#BaA@)&)<`KJP)Mlfarfk?s1ww?&W^ECxh-wAs(>5SwMO~yFY{aD#UyI
zEb{fP9^B(W^9;C7hl8{;$1(mW4$|$cn@9fTQ#;82!?p$IomL1t)NerCV<$0yya(_(
z9qdyPC(C~&4bA0{j=%Z?`z!26df@lro0j2n-=hK7(^^RHx3@O`cTWEv?f3FPoAmsZ
z_4j05Av>Rx5B8C-b220!(sQyLN`v(>hh%|g8~N{*|7o6OnD|L7e<cmRCsaDF>+72M
zhd+MPJi_dF+3`4h{{@bX(Bt{P5(nG;>mBr8!F!VDtBsGnC4;}+g3j+?T~@w_2kiU%
z&>bu!3ygn#*Z4iUALVVDg-e~p@!zE3cah+D`uf)8>)jRTH~W!(uwK(}eIWjy-lLzC
z0n)ERdkHxI-w}R$-xQG#mkX^YC-ojrgBaQ%z0f)0c>b@%!SPi5cVIp#1AgxZ%{w5z
z@A?7Z_`ve7ci7PR6Q1|0AvkaOoYehyrJ;9zAhv&d1M@vxAWa9P6I#Q*SN^j+koRAE
zy1xrIBxl1kgbkW|ex@5<24a|i>;BOghtr-6p|{I$-oG;h+g0SGt{<gA{D<)O1z`N`
zkLbRa5Bkae?XCacRR`$J%=h&DC=c|LUWIgn_@DlW=6m^&Px$Y`d|b}gJ=iboso|KQ
zy)wlAyKiHUzh679|L=%{bK8IT5aD=FhG4({y1)Bl{rlDZ=Kf#VEB|WUz%lTzzX>^s
z_j_sh-WTjczTYc9nFsd;{3@Q`rTbk!Gq}!$Ksx?-%d>M5@9{J=xBaiiF1(&#U%v2X
zZ*fmzf_&EyKX`t8alGtg9NeQQ!u9+w!*B0IBDPNI|4|yWs~d#p4<Gy9_vpZ}9`L`!
zd{Q<vH-de7@q1WK=7Ds}@H77R-mO9BoWJ9oauVa8rN6z+`u-cnlXZZ65|BK|XL7s@
ztlK2~9_`Qc{V&SD`ul!iP6hkWJmeRHFo5Hr3aSH$eFuKV`CnlBRhiJ6FsKh4x9j)f
z(BBL~GQmD%@CSbVU)Axyru*h|{Q24dj?pv-$G5*%3y=L@WBOhB-_B%_Vc)a;ANFp6
zWI|&V-j{w?$Nvj@Xsmv(4v_!w|Aqd)LkHMbw7~KCZ*OP8^#9~s@^|3<o(yoW2fjOr
zYz1+He)6w<AK`m+|K$B+fqyLUj|Kj*z&{rF#{&OY;2#V8o&}yt-?@p6Nrnk>VT+3i
z%R;ZEp${FpF;=li(}hx&vNx{-Ic?;#V1h^IzPPTWBmmw1qXP(D2H<~w^Ns1-|4D!t
zj|k5}0OFDUZyclogfH-be>KQSE-rjc&JJPG5hFrHq{pVGa+tIGmG1eo$k*{tqw`@P
z*P`HW;o`kT#v>AbZyc$88Tmkn7SZRu@$DeR3B(KZG{}U6f^5bN-dR4#A^fMQTxrDK
zb8reMZ)YE6i(iaPb|}yIyi~HZ-oojac_-$o_1ws|0vPz<Tcg}TYR=?K^&)-keflb~
z^E>>el+&V?muT6q_uJ5GQ!lCeymfGv84TRk9U~-+N9_iRxH}|O^E8SCO$VQZ>-#C-
zH>p2%_02b_%-Xi}onITpk5`~M_rV1bz_p3Wdfz(L*<BRa>tXS(F^tx)vX9iaow-`T
z_Jx(Ae9b0VhYD)~KAQ<P6LoW8?_AppZq>b05$~(_D|97Nb)IZ^ku_h|PGR<Dm{G#^
zP+^S3H<ly2uec_Y6C2}98KD9b<!ws}i4BV6Ejm{rAxay<uy7UIZ>`fz)gc7d0n<_(
z^6+cvpbqKa)n$0YHla?R)4byz$xp<p#~lyUC?32}bGR$gho!0)ptT^_Z8h!TNa9;e
zAv4I8Km2&aCy9Ve`Z7RQ_)sP$dy0Z?mdv3oDm?C#B<_b-YgKyBzxZS$kx5enXdw?p
zLcgrVCC^VHthBvyI|5=mmzG9ugfq48ExT}Sb|*np0X83D`N|oI;j?6qkPQ^T8V)X)
z>84p}9L$y2LTFw)_R&4MrBfJ$zj*HcZoLin6AlY*^#_HSg7N{@WYTwmc`GAsy+PSw
zd3T(w!tz9qebPN+O_Rx7jCHw0J+AnDfWKRQ55+`vLpEZH!VyjFuz5RmaL*Ty1DBft
z$h)_g(w73%ScNJz2l9OhT&O6z|4HcGV3e#G@vu~&n}3sy0um+=-BT^M*xF-4z<p-A
zp=v-Dh55WLonoB=dyza?YAkQN8(I`*U7PPEfT|UTf+M(QAtOo`PgrtZ^Kv{(t|3g(
zLZHJ^Ql8?KqGu?MpaH!rer3*szJ4x=j0-GXV2>cS7QG;&lu_Q+>wU;|dGhw{kY#P9
z(kmfT+6Ng+oklQ(ni*?-Qm^TZwr2K*L+T5glS&GW^dx#4R<?eLr3`b3*z|zeH98vn
zgdzr|WV~G?K8nZqjqI|6<rMQCS5Q_de5hAtAGPVj5L`IzDbp2}#_rxqQ*aNDJ3H|4
z(Rr2rDDG3A66<udJ&s13nq~|VH+<U8fg<y6wqGwYL!%U4DLZRg$vNV9U3Tfb+w74L
z{$%t<{ORQFTqc7!CdE6?mD3PVfHMsDJU6rN9bCa3addvuG}x!z#4CC$8A0P>ov&o)
ztIa*$4&I9;8FqoFgaDST7v~l1TSIjIq~Y(F5A^t`T_0z+P_g=i4er&oPi#c=MBlN{
z>v<X`Z`ErEqAuE%Y;@ES>C=3kcgTb;Fr`RLSK0p3_@f$Pn8PGfmi7WJLxzE`G6P>V
zi;`NWVk!uyclI)^-qM&mx}e=oHu`92!R`hI$<PH$1t591v7RBxs;6mfi@-BE6ImJR
zXA0KKxmiVt^W-I0zbu4vtg?~-l((XTxvUR6$o<eSoL6;@Pq#~5yGWives-A%=ucZX
z%-Hp;CfjjWrg*$Nb$d6C)F@~gyM4?zvL1*J@avjYx-)GmXZCzt;uWI^f{SX@h%&D2
zifjHdO9kObp$BI{aB=kxolKEtgfo8%k9drW3(jZB^r|IM87H4M70~)@_u{C{ld|Pi
zt#fQwNYhc?Yx!j}t8k}YK^dqr7I+!+diml2u4r|iZ0G7*?E!}2t5A#GDcR#;Rn8Mk
zO3ny=x0u-<KGR7lrzI4OM=|8dDlXnmhY{t}=hHMCCn27Re!IuTK~+-HB*n6&)V)2z
zybQfhvfbhirlp~--~Ow#%eVS1suMFTl_I)qMU2pnu1v(d{+!`{Q<(d*{Z(#6l1iLl
zi!mHQ6s`3<wWWjbxGVUbF3Q1|FJBY&&i|l(gfOK+7(>+5b~NQev)TOsLMK-Hu@)_L
zPSDG1SJ*crFO)g#&}O06W`y?cCBK+cIy2i{Ec)5c)Lw}4%F|$j3}QD7(tT>;x#?bV
zR_t4eGAQLv-fd9I&5rzdo?+R?r#NYRPv~BV(`kzChXy%I(O2jthwmqXZGSPds4Qb%
zg`_Z+%wV>8l3`J!ue;lXDLkD%>q#~94I%F{;|(hsBfg9EXt)yhuB3n?%;hPA2y&b$
zECJV{x0dcHOWua9)PPSkZm>4)t?A5jeg&pD&4Ci}1bL2jCRziY2M*{jn;0M9fgn$J
z1_9V{B^TV<bNT1Tg0uYnG)AS`nHviTlBFWAeqy{oa5j!!iow4tn6vKgJ&916H?m~X
z09A61#~Xe(DS`8YQmbowri!5jdp=~RF4Gu4DiDrQpluG4OeH(GOrCb8G3@Tf1BfFf
z)kE%a+K^Ju&e@91DGZE?*!QKM)E91YwDucSaM~Ji(l)<fOiX?MK0*I2S3Cf_EmfZe
zw(H~#U4Fz{+xNV5c4=LM(0mNnM*<C=HRu;%RZ^LFrgRtWYtvk_7r6+HVK*N#v4&5B
z=4g~m>$D?NmjnCjtF`j`TRA4KFq;VB1jn!IG<kP-rH4FOQnqQhJIBRno}Bzr4hWPL
zamP>!Te!+kxEkQzKGwTf?XJ93pNw60)E^hL8-A{<`b89jBPOs!8vOb3Ztn(fTF?z}
z*lDDRik7M?_Ly_DzPCG5e>h7WxO0K=&cu~QE)OK?TkY#oDP#|IvW?UI)EMN&@aTG6
z5M5qokVbdPc3P`>@3z(InNe?#)UIvcH!yi-)*+?l=gFD#uGye@U6^~3I1i0HSlTX>
zJ{dvz>TQV&#Q4;1?N^@OIp?X*%R<<0_56OcxZ}aL-9o2n1dEu3CokD4f&TKDV7Eyc
zhMU6R#4f9!UdFIX(IT+?rjMDVfvzEz;o<vf8J{PtF+oP`mrJhH;U#<JS1i0fPg5?c
zItxxzFpE~1=$4^)nMDQu2d<CaV@bSZI&uh`F3b$h>?|iQRZ;hbF^-nxpdNwqP+)w(
zw&=<Z^SQiai~`3O$klPxM18`sAqG_3b)g-1g;V^}3qwXaWCzS$)A^C!+(xJgY<tKw
z6pM=%cawbqH#&JhL(XtXUA;;Rt4FNyG|`}aGj;%v?O1GYK~7|`!a{HpIML3CEsX_7
zMy_M29X>(|a$gO89)8R4)wxgu<Ki%R)Ls5aj<60{4%E*$0v+Wu^~Sfp>_wy_x>Uvt
zEswb?k4M-#*|T8P2d?dW&gsbWD>cA<V@~6oC08RWw5eWhA_D-eMRG;0byv64-Nwd(
zXRf*Sjn2Q_9H_n(63)cze0vFh#z>{$v0m3~pHfDmYr&A8Lc1#(u)x8G&iFXslV&WJ
zl8${5KR3zfazLK*1LC7yqYybCnW5VvMPyl6kK3k|1e8_d5nN1}60WMc^9sSJ(uf@#
zhNr!jgAFSAst+BMY7V$pO6+$go+0TB63Pw2kZM8(QWdnG9(7+^+^@3X-0kKzI@2Ix
zJvNu?>`cuTbxP0BXvgBAbI@+weI!>Dm)^B!mq@mbOdk{>(}p^hP92mihZrnI<d^9z
zz1YJwMG&=4eZafDHO|YR6OW2`3SfG<UPI)%vPjuK?(W2?P-5KLDd65ES~~k`pWuN~
zX)ay{2kj{;=?^LckCHF7JZ_>11o9S|{1thorWxY4()C{rmOETc4r{Gg+oVhbB$Ha9
zZ2?+J`sg0_X)z#z%cg7Re*L*u>evYTZ{N3vGf`G67f$WZw|_L;p)A8wyxQ5DLq9Cw
zq+OsfjfxMPHrT4ru-P6_p#EUXswunv$<4gXSCegX`j+r)p&8BNWjB<}P1v@BTLT&a
zK#y(Zp=i8Y=4@^<S&7_!qwZxWE#=gOdQQtD5C0m3>~-8Kv8Ew*c1q`DR2*Q-2}O4&
z^X!xofnJtOiZDH2N&hQwQpbMVkUT$j>B|&?xa$!q55QxzCgPRY=UySWuVkRQWtk`?
zXdCvxZ%tB2u&j_T?4IqNZE-EpVZRy#7{B{t!w*X9Y)D@Yt~7fKJ=*$+a{tbH>-iXO
z)j&$!$#9OVE1V`{08Fm|&uOWH(8S2sc4=C((1R80fYIZrz;$#OUs4%|{nMLoisV{q
z5P-Uy$acszODrZ){Vcn}+~GH+y!u8P6F1ZnySbRh)Z!iN8O;Ef^JW?dRBe9h?<-y^
zd0!=4yeZntr7xwQ;TIbv%BxO<K@P-kBVvI6v*r~ELrb+Yj`lBnY@dnLsH!Wsuw$aD
z^p_+YP|^cwnf-*d(Kd6^w8#^&WVVfkcbnUGug<*EZnE<~GvwL68P%fOe3l+~&(U!1
z+{@FW2e_v$IFbkqPsScPJU_|{<HMg*7QWoAPr@67=F06KhenEm2^0pNc|R^hyU<A6
z{OXFYU>q|Mg(b`(n!ZwRmW})aXMtM<gLb>(!-tPxV;%VK+Zxcv)Y1hzHk)702;9yh
zMTo&)T6_ib2gWeTO7Uu9$DJ3>KeZ)9LM?{5jdZ_U!7vldDsv~pA_S-wbjAQ6UocL!
zfPc9<v7My%P-;E+vwDUN5*6p&&M&+|_W@YrxYJULut~klDDFiGsW4G%{Iq0t7uEO@
zbTm}J4u&qYpnq#?;^M6U83ux7%4H<%5ML&@Xpf*-7W7$HgU9sbm?JB3&z(biL@)aY
zzHbespsU%TlO8Wj*VOi&dlz8kN{T>r=)3~B1X^3*X4|-uS8k`XPsjjc2M=!#BT~Dt
z)S&t{Q*35GKN8OtkCS23LEcadxcCrf`lyx+VWrf$Qq}oRmj8IVgPU$wS-s`s*y{(2
zOVJtIZk#AoG#Ync3$&4G)%G-8lvS&)kIrpXlK7$Simk?5@jOGI@>-nV0QPG_K4V1c
zUcVL>oUnb08Sy3Ru2}>u3$c)8k)Py+%LS)L`XYk~GM{+y%ALq03So%AWdRg20FfQh
z8;uQ9nyJZS`>;=bfeej`CxsHrZ6gk^=|(Kt7A7*Fe{Be<ra!DJ<zsfDl=T^G$BW)W
zFZVWXD7vP_?u!wl1F&}}hA4nK_js<5bDDJq%C@(as60O)bYZCGa&0*UJy3%he-E`-
zXv$RLj)eH9yNJe)SR16zYe^8K&wv}ji1XZt;6W%+YIONSYhuWd5Te7*IUtPre%v(@
z0WL9tmWV@7eTTEniQdn}=)Al30$Bp$oF?mSFt{7H0k-k@8@hEhMA6J~ej9?7JLku-
zVF_%f7FMc{ut}X;E)ncGqb*i1BLJv5FzlmMpt@4GwXSr=-EZ?qOT^$nA{_5R@WEiQ
z+~S%5aJp&a3BFCTtcUvAK<pOg6*_OtE>8w815Chk?#-2L5$m!ezx*!)=xD{=SNzG+
z&-+yf$!_IUz&ypzW}%33fqTX*eCOfN-suXliPar+o1LfCN@022FYr??ieru7&zgzo
z%lQMIMsM{lJ;CP9eFGr&@8=KeNuK>c?jcBw0}Pg+@QgKUI5ufnby3lx&NLidc0q_y
z91PsUO}Zk8`;4QGwb5l_<V!kf-PSYdlrt?_U7i~>#sC_wIA)7UJm9iz*tl4hyV;<n
zcR^|CrqhCsVcu}!;)AGXNU$E1y$-*4!}Df94WGTa<B0ur08ua+hs_-`01%751oW>@
zOWgxbvtbkVOjl}>EL`W}n@dfh#&KBzT^sD{`yaNfhTI~6ooxBnxMC$0;ms%($Q`4a
zwAKUd1o-OS`q%Ogx!RAeSdHTWHrS{PVohR>MkEQaJ4lGwz`iSeR^tw}pPR3!Jx@i5
zo`;rd;+o+bX`myQNg%?;r3MLDK1z&wPqBjc<>Aq*v8kisN|FvtHB?$sx0i=>oHMtN
zu2|TeA_5kA#KE&K-5V<Zdilxh5Hr?d!Sq{7NG`3grKi#W+nCIN>~=6F6K>AAz{#?>
z1gup&m(OH+2{k-dChSfPybdcubU{#k<;TQX{BYDB1vd5sp)q!MfPjD!fr^kP(JRx}
z2=MZ7%E)<ecg*-g6^cvPT+U!+=fmXK6&>3<%ZcWn9=Oz?$)X5|wQx!HYs}P6i$C>y
z6ny6VC!{ObE4080F{OG*0Xg%h=R+AK67L+}Rk<>wvRAz)nGLb`QGrD#7}a%}a5aG2
zmIY3-3Ii8b1gh(tEDbQ8+w?In-eL9@v)Eta&x;dr3jZ)&fhARIB&<IyOh9M8N)_%|
z9UU(^gd0*&Gl1|I13<Shw?3)|OiL`qM>=iC)dsJsshlnIB5Ck(Qd9eq`@~8U(D;BZ
z>W5tW%>Dcd;WgROz#SYQsyQh&i5l%)S?We+cBm@0!KTvQ*-#RUedg?fJA@oqnn#B`
z377!t242#}n_dx0)VVzAQ3Rl;s0qQb{3um43_zCHrt>~v0FP<mZwC-_jnAh<UF1hZ
z@4SB+@ujylR~nlz7U_<b6cNi9(sgwN802QLnjj9|Iz?MjqF@yh%q1i)YVNp&W-gjr
zQ!HbA)@<kP8{01;pUlTU)vJsccE71VW$tOv!e8_L9uR*w36U+9ADO4UyU}oA|Eg@U
zsRX#S6N$V!U{Ty{G=Zin$K^LX`!*EkmUWZ&23no$BPQLYvp^c_D7&ZrU<vYuJWT%!
zuH$$fvNziE!pcL{1yVb6>8R$1E7xy{l(<gq-3aHd)ij@pPML_Qvmx|)LSemGh2SDa
zpGh)!T4g<zvtDtW`_!4NJAz7L@q>a6Fw^#__ZF5|t~Ut0W4SOaqp-y}-6LFO62oH5
z)uf}AP61={`w@GrVRKv(?a|IF#1DfQkR}ov+_25!v%{G6s1Fikt=Urm4evVo9v0G|
z$suKR0O;MRMm@XaT2P5h={o;{k<U(!Dm^ogC6hF#E<l{9z&D~RokMS!J)=@5T>o6g
z=l%GFQ!8kIbd=pJYYzdM7edCYEqA!>xhNkieJ9frb0W`nKF<_B$M*1oi!o*yW`*j^
zcfby}T)5yZD7a(TWoF-=Vs{RJyfL0z0k=xfR_gqc&ljZR8{bI53Me4rWsA*ch~y~l
z^n9O?XuUaOh#4q$FQhXQKY5S2bsf-XxaI9y6Wy{>D-^n@a!wrmuB%XE*sCZt&Y8|c
zYvbIqO@Si92$*t6o4QO7FY~o$xk3Ec0JFTwtCh8=R}XKA4~%qr$f3RBQS?BhkbRPM
zF=YX{lfe!PS)xBPapPJ-{rl5H3<gg|hvp4Hw^a$*Gocwq0+xrk@e6kbND$v*Kevt4
z+^<2#xUJ<ncBT%<OO@TV?Pl1<qkf}Mo|2zs;ua9am31i=#l<suk*D3iZr5~L1h=J^
zBT9$&q2tuDzZw2vxG`_$jH}K&v20|v8wjw8w)bu5UXKMZSC|0dI(yR7N=;_rr2%NE
z4@mOzk_*=7-S6J4Qr_B#<hkb(TB@H5>qVez<9(o=zWsTE>pTju*TepWI5|1nSMU-^
z^h_L|6e6IW^cG*`x%@DUyZph<1kR;uL}8*sM%WljrgqTO*~A0_k>(WxES2bzr(I}I
zaVR4nhY?>|H+ms}0q|PYg_2A^E6KZySr@r$p?DaR|HYcV`=W9izI_wwJ7F;yjIBDM
zI5(QoffdfxdHNb(pr+MnN<qjUcF0;HXC=n#9x@vH8e6@KQknS$y0aZm%%$snQa7+C
z?zA^JAyDk&GOphbqD;4tMsCj7A_vBjE6{<JOU+yyf%z%f#^C8oi0x9(@=|Q;<_fmm
z6`~mIotum7AwE4HlJbuTlCT(vn5B%+(wlpxc!3%<=Al3m)LM5AjtjEt8??>1%eo<}
z=`Nq{>E7R~NIR{={oFq<bN^<Dpo`U`ge<Ik8<~;i+k`+?)*KJ%r=#|$beE8dG=+~U
zc%hhQ6jg#N$!guzBpQbvAo_Q3(q!7n1qn(|Mw|(2BJ&!~p^`#yxwEjhyKPIpjb5Ko
zvsfB#!NW1J@%n(De6Kw%nt}@K<$fO(2S_8MHqNX)SG@XSo)pkm9ejlTc$3Bax@rVw
zH0CI94qf;QLwdUsnsN<69ZD9}%gOgsJu%%PilzhkQ|<l49V`-*!dJ7xR0fnfmtGKf
z@FM{<!p*A~X9PDJHoSs^;@*4u>7wq%&RU3ZV6ofe>*F~wktHl3$m~*ejgx+e$hl=o
zZkd_Gj{tnc$3^NXiIKZ-1wCj#zpwedi+&v|Z0V+UQ-tKHvTB<8;D%WNj*V+CpHR&4
z3&#sK<C<(E1KJ+czNI(Ax-s?q6t*QrXpj@$l*+h$M3l9+x3nG-mT8#3EVO})6`?FL
z>n@RM^zxc+^%LdINqb;S!V|BJC?^6)K)-nY%6ltaP07pq3j?1xbXs0c-B9p<!h%0l
z2JU=#7Gk!2y3oR&1trn7$1*y0_zi7L*#i+46X~Z`Vdo~!z3pU#933hW=S0bi$m`8$
zxv{BMOQTTHt=MP>IdV;jZ3F-fJeEp3XGDsKGZ;cDG|{U!A`2cTo%ZZ`7Q^bD)YTpq
ziAvb>xx%BzrB7#&L`+GdLF4rbv)aSgnF#S^<?C2kRqZx0ZkH+vSwFCISjgz|=<znl
z%zo&ozC_I$#&%X`#$DnR^}Kv`PiL8$Np&Uy;7V#@xfePM6U=Skvrf7l$y`(-;9-Yg
z+8Dwfe8$UDjkZ2F*zxg|%a<K5+`SlBcpqQmw$WzBwT>d7qtI#_&#v?ET{bR}_MYr5
zoxRn>wbgzHRLc$H+N3Ckq&m7$g<i^!PvryRo))vdw_?Mg6w+z?h{-xvQv}3&)$hkk
zRp>2Mnx)j(YQHq<vzf@0uxSF-Dx}Iag<rVi7rLSaE2Oqg?sX|<idm<XT`vl&3k6)d
z9dK*<ZW^{3W=G*$>Upq)%x)MNU0k23wWXQXH82b@m1$_^$EL;`7i7(D9`W$5&14R3
z5o&qG9dr3nHgC>;U9p_?A<z&?X@4!!kF?p>@Kv~XQ+Yw+d|n``vP)#rSy6kLBW1hV
zQDLtt_w)unGU~I66%Jbby_Ly@1`}!fd*R^jnSH8;G&sL?hbpC;G)?Q`;j_B6g?w*V
zOR8a8nZ7T>$i=Ir&gwF9#AVGXbE2x)yKSn(LJ4%#T622<pt;QLrF?pEae-HRwP}Ab
z(V|e!R<LPUTx1rlvzE<^_(112t=h!uKB<51=<eDr(?yKiSG~K!&W@-jtX!j;^N7X_
zPwLj-;U{=ejFXpaaYe!HlA4t5{)_<K%`%yqT8=WDGEUAECnVg!dumQOtqal$5e^>1
zJok$lmsdi+@K&6?iwLM$AsKy{*VH>?teR`TV81*nF-N^j^V!%L2iL_-DQ<MH&*g})
zq4N`cPy4$W;GDM=OBF|5H_o22hK2vfD^z#YQF6Mx+M<}Ap5`m@2lS1s`|QP@jVIf(
zEb&R%<_f(u>me5;lzO!KsYP+5^98{(i<LUg2mDWS_kvgTmpN%$wQOE$&pdDorCki(
z6w^n5EpYhR3obs8X(jT{XB-E%7%d~C+FRuT$c2T#H1Et+9ocKi<!yc`0GUSV?k(#+
z6KN-Ibt1rpAN56z7E{}~cQ|#p!jJ6ypS_muHk<CzUk=5nZ8yRu6IZJmB+z<CJaX=l
zGYv=T`bQK%K1OP+HsW)kY*%KSz}@=<yf+GswG^!k>4j6BH|ExzEe#J@7%~T}KBn=^
z29kz95SDi3-XLh5UOwlv5XsD4()LM^YU#N_9!(B{OX$=hoyYZrduYC&v-ukA16VRz
z9qN^3`52i;?*%OSjH0bLw<(HerBfuuERPc!^eqva`J0R4&gNL{g*q^8T;R1AX}yt3
z)FUb=h1GD=Dff#cwVB@0`RfDi=0>ko*b!kLhTXX&hrAz|^=JFwhZx<n-A)mAVE*JL
zLO1|mcT6|6F>?9uqi3R_;fQT-Ni85ewO)!9P;$m%3>ovm1Jn*_!8?pcM}*oQIJe6x
z^h9p%deAZE_<k&Vu~1jbx^U50d}%}EwOODfJzs8*zlr%{<h+8(q>s`x&IEvl-&rCW
zR)RfjKiBZ)@Vm60hAs}0b5~yzG}Lu_O+Q+TeO^~L$h1T~7S(JH=%@Rzyydm|==z43
z7&o)hdM^ya5zmIgu+yYR+0sJ1&FTy;=#YKkagY%l|4E!pOwvV+mqhI*z0SVJ6#8_U
zqS@-(c0t<-k}%pbR-{Ayv--uH?vJ~+<GQ5GdTTHCQaDr=Ub4+pmHgyDeDR)BYLN7z
zZWf95pnR^#rWHH2jiHR{k`VI*Yiq9za38!$b?QB@-Vd}_&vpg9E(NyGRNM{_aPKo;
zz`YrYhuMCy+?@Y0D(*Y_IkO5HFGT@o)Ij5R?(0`C->5VuS=AHMTUO7qxo?<m_(DW~
z<{k-lX>a_+u2I+^wu$!Vrw&&<pAzPWG{^w@*?uf8N2Ph|e#ud6&v|V|hS8e0?n!Ek
zm$p0dSk9%6lkJmMAirA0Z)@lpsMYO#&XOw_u5(?jUVl8F$3K@jyY&&fsv33Zr)yVI
zqPa@WwYN+>pZOSz=EzOhqg{5v$t4MJQFV5%zrjTQvTl)r4_2i*KjNUjAB+APNtV`W
zt+SI9O`V6>;mgiie`H6u!IwDN+PZ79TY{Qa*|ihZEIG~W!zD;B(yLGoTh(IlHR^hX
ziF_sJ`R<I=s!hoAp#qGINvTh`78SjQOf@$f(jBh5`QDScmwzcpvLVKOMOD2{H0so9
zG9|0pU~-7x0ma!!rPB`<1kdTbXS%fGn%ytG3An6My|No@dPn7ZYQ8{WP)X0NiCh`=
zL;3-l<3;^y9dXZV$#<R^WY6s@J`)_*%9yWqmz=~@uh>_49n#jrWq<RTP0e&~Q`_0O
zX4{B@!FnmxIiI&Xa_?8~Ms(YIb2Z$wdZzvifEg+F-S!h;v8mWRgXxl%us+qlZQ|M%
z#`x*Hp~SoMA#()_(vzyU51jhtDl8ZDlRw{>iCvm`?BeoSG$;bKw63!e51`U?r`(vm
zJ)Gn?humC$-HD8{>r{}t-#BstOa+Cc_z2eAX#cvXATwm>s%ZBdZS%Y3ht#jztoLbj
zcSOgKFMehnQm+%7>?<_o9knu|9Yf7v;<(oDO8c;bI4ktM>c>?C5?`qrpI0fW8<?WV
zNrUKb!aqO<;qzJZ0i~Itjmg*cu3T&{Vtr==bXaigc#`rYeL3o~vMJDK+<Z3UYgSjw
zNnU!Y(|v|BZy|R=En&7emQSs7I9DADTQGzLm#;Y?Gp_JemA3T&Ch(Y&r#D~KyhD%U
zNkmlJjCkTc<~{!*l))p=f8&oM+HN$)dW2hbHRR!top1{CP>G69sfSc@bA6bFpX2Qz
zo5PW?a#^_tjKFPP?FOAZOeyj6!2t!4Y`}`>r}d-q0J1pIyEC`RQ4aJT(g<t%1x>LE
z;`f&&9r!*}qj0I52&<Dv6P;4lbHY$Y09c)qcO=bNZ$9oxDPh@t36s12<zw|FiFxI#
z<W)`n9?bHpxZGhT?NX^ReFqlT&+1fuPRcsFxij5+?{FmI&g(3Ct+PP<jdoF_XRi|R
za;7kl+19A(e44yi-Op0qmsyoecE{VS^J|GF{(@&d%f^z`dQ|#)hzITJaLAoUnN3s|
ztRi1ruNgoENXB-lCIa@g67Vi!+1uSeVpex|zNLX<=5Y>Fs84C+Ja_0^-}|7cffxDg
z^S-6FZ_Umc9c_Q=2&CJcvaEMj23#nU{WXWn9_r@}bFd{!5@+8v8r_U@$w8*Mhez&x
zUrfDEu7{nES7wd8inx}|&$JwtD??^Edb8sU5YHqRRpI+Mjv5Paz`C(OJ!&Le;7Wqw
z*YmWBWw_t|t@VJBCZWnj#q9J+M^7PQPxKOUU^na#T~R;dvcMZG+*~$bgWI<Ym;VF*
zp0LOp`i0>8@2(&u-@R0<H|k+w)OCq(mt$cuHnz3IKQ>^8oC(dPu^UH#xcA6>+II>2
zS;RI41NEgDB7o-Jeb*GDfc4XBjp9MmdBfUt#drimi%b!2A+Ncmv!(!8#Noh8ReTq$
z`>)pL8Ei0+sKOA1uw0ZxyWhA4<_Hyl*R@eh1WO#`0dHAE%2);pX1kC&C_O1AaA(6x
z%A+>{*krV3*26r4eNOL-OZ(bsc(5ixH%`Tfj-z0NUZ+^vlFwD1;axdI>GaPWl)KbR
z&K?Z`0P^`*cgNY=#3M+ir!)LqE(DySy*aH<TCHv~B|1wlE>ff@xl;aE`el?%C!5V(
z^Ba@HGOKx|c~bzO9>MQBG-ki$-NLwloyOify^C5V0+SHpoN~EjyZ*km-~uUy>S%G7
zIC_%b6|tdRCB?FZlyC(VGDOq|pGU>)6K)fnLtq;QeOEyoUY}Jt%I3<?deQ|%*Cml?
z70UB)^yphC=Fga~CZ+2X>X-mPgKZhg?gKI+G$8R35cpV$t!dxst~~MfL3laj8+qbf
zGc5Z=*qd~ZD2(EW>G~X(KQ;g>;TaZtH=jCj7bwkP00I};sDSHv!`&()kJ5}g@9UZJ
zrXWrasFLixd`)MQokf19QyB+fD>gREFwaR3e@bcJG~vm(->aI$ckNnfN&J~aBOQNm
z4xToB*C>|qHVuY6IS)O0$&K%S7OaQ^c#y=BU@8s}pt~WG6TZHFwdLlV#62WBNm8Ll
zWya$ZQ42jCyJ>xMovrN?X5Deky~{L}V7p`26D0&h%W*u|KUMu9pGU>(LueH$ePwx3
z#-|4csFlN^Gs$YR7JH{QY8q$AK4NZf9wxRO6p#a$^Oi?XrYk2@2x4+c)rqA92-}Q|
zt?)I_bd8L9mXNed3AxW01Jbtw&TaK*=23=Uo_xd->plh45NVTS>BJ=>enCQI&;&X*
zH?C`<NN0<`@XP*8K-#E(M<S3WiL>_+!32g=G>yZ{$txws_MgL^qkoLjI|Uf;Y0u|s
z8aTeomdLxta-;AW$(d9U10q!mY>f+>MC1a_iWWZOyhPYqwi7M2lvwSg=TVaQsC89d
zLDy;2(q)&M&j4etWO(G6AB&Xol-NX{IG(R7kG0V^&U`V>eR!WjCBNXMV}akt`O5-@
zn4h>;DcnPf2(M@hG2Zohp>Ki!jEp5lMSCHHP4lUiioX!oX6Mqn8I+~j=x4A~k1v1S
zo~-7wl|W+Od%`8Y&H)X68(7n+q(R*B*GYY;G*;}cCP0mK-sY$5J^)$GB43aRPtw;Y
z&YQ!NIuH?%(ZT4bJ!i&?qjum2%nAlEZ<dUlN|J2iB%^0Pv!2wrMYJ)7tBl|xg<}8O
zE>Lu<7|lAg_`TnoCkOzG2`13hYc=7<lbSE1TYp*~`$66d0?VObpWLIly20pCf8kG0
z_(5LAm&PJ(UiVF6(2V9C)T9GRIl3ZP_)+3LONa7E3s79qu-xeG<di!-zpWhCzp-Mf
zdCHDalQfHPW8=*kx|a3(iHktZ=3VbGZ-J2Lr_XD217;bS&0mXq<r&deDG+pL2osSh
zB83by5x`!ypMmuU5U{`PqrBm~T)KDB@P=~~HBiIIn)%dNTR`A3&DebF^}I*M;gNI`
zM%+c!mLHtgxm<``S9z7Dx3zg5K01mSozS5yltC|cMf062SPmZlq^tA}aAADnp#F9u
zf9FQ%g6@;XCQnD8;1CxR&<<sikP<hq@7fYioOI~hy0@70?oPEGmqNkv2$~Q%3XmhT
zBq;9xMREVuERy3zL${FHV3`bn>iL;g@#be9*ZUgt<`yqUt@Z@0a+uAkDGi3amQSe|
zGN3>Ma;U1*T^jr>HLM0^Z9tW1#IQ0v;O<>Ok)pZdlMYLeInErX5@&JP@|idJYE|o6
z<|x1l4wLcwM<}b^?N1T~Ds!%GXugS7BLTj+W9+_{J~ubQk8O4^_dGCU9j6!Bbbj%f
zGKpYI#a5$*1vX$->pTBS9R~9|wespl@%e|z??lr!6APXcY$OSTeSMb<KqqYKM})2w
zm(F6mR8Ka#RgMXihLx%pUF&~Bf?-vzV3g=qi<IVTa+FHXd)_LHCp(e+32MQGay2fW
zwW>>VSAnr8=A5Ve{?02Th0DmqA9UVsis~HH*1;Om5<~%ojq4X;Nl*$wuXr>)qnJSs
zGBAR`Q!y^p;;rr$7yD7Safs^mGJ;W$A#x3o-n%E=PyF^3_jfQirj&rON?Ez^b#&i%
z#9OTOcG;=)NvyY;9%s>1UZ8w}$|Wj!3iT=`J2~^5Aqe48M*EJybru!Rc7u;HlF2e<
zwSL4RzTk_u);E`$WHqydA2F8Gki~Blf|u#RL6fK#1~!2jhlI4tdrl;%xiw-y^V~@3
z7mMlQdq;;pX@#PweDWa*osp>sDMnQ)BLqExbb!m1l+w!<xVk;})}I#Xe<Dv#noQS`
ziW~TR?cxQrI@C6zgu7hRhQMlH6~4AsydL0U>mVaJi9=o?ZM;OSfqlg=P^i(&6G7S^
z&?eM9!<>kkzn|2`=^NAc#SS#Nh3|ZU5_^T(gpJ5{&^b-e?X{tK`7v<E%;Cj810{~>
zL6rJXScYmW5->u=gvX-iIX<!8*S`n7+LTD%KYSdfY=-&(0nJIWT%EG`D0L$dyuLtP
zBQyeCna;30y4R==i;s-<>Muy27o`tC4_u^6*yY_b{lJRG6&ORwI`&M@^)>$~pd!@_
zXDHzGtufJ(O|l0-R@ifls#$PA5bC02pJ}<FC;(mr@z(GzT+vV+OI6?}m|b~u;cYLo
zb%`LgQgJ?0)AkV~v4+eO#cS{S8z2vlHi}Wn`UXE>hC<w{tLjx$i+Yd#MLxHqj1I~Z
z46oT8x0gOG9N2lG9FDq?BsgqaD1ccdQIEEKja2*q0tHS+(A!2wcYN888eb^woHqy=
z3b@X0MYZWy>=B14OgxybLI83;)kTS2;*8LW!EktU(OA#vPGR+4;s@EQ>LK7Oy99(S
z*l47SLf#f2rH%k>v=;Xcm!sDXIV}b*Ik)MY&gKIzZ#?Og#315$1kt5DmrT9;yVwAF
zTywU=(YWcj5fe8drF8&%*R4+t?b=_Y{h0z2?iF4HFPXZj+D3yfT5b~Zf%hwYf<hlO
z=bPJ|DdHy37U!_<A5jXc+!*J?QOdNTbXlx3{9<|!jW*4T-JUh*$xUO7`*wnj;b0GZ
zV)`cGwR$z7Xsl3w=Pl1`QQC8wOdFC@2Xsm7>jv0l>RN*LOwBi#ft82!;Ehd5s$Ta!
zHVV6zu7{f1j^d8Oc8hV%*SQxBZ|TUk-24E<KDD*WYsY(v7&vPLUR#%F?~D)2eEP&%
z%l0Ki{=k4ufv(;`M`wepgYh#ZX>#P9TYXV&UG7+pxIl%JokrWRRUa{c=*(RiFeXyG
z82WiRXgu?-y+2lEBDXqH|IM|V>t*%<T2x@yZZ6^u=CfJSuLf>Zf0kTIp=?Gz95Xr!
z>3VXpIljNqK%?(wuHaFY3ZAnpbT_}Py4{RnQkcEY-|yHOxu;3`v@rW9v?a;4=;%R*
z)=_nNbQgeC?;M0+k~&$KGy+2a?&*(bn7_X2w`93;T8zB^c_|~7sOh+8!<(}DyJx|t
z#Sa#pS69eGAEcs=J*FkkdV8lVIt_eFQ4^}7sJ?<hE1;)IL-p9WucK{TVbbKqNZ8ti
z=J(ON)*gpZ{2}4xCHIgjvpyR*7+IN`xPns>#gn2PO5279>*FYEaaQGC_(_J#JFAIr
z^OwC8p5ilJ&E%>P40+nC9ZL9c{Oo;Tj6&MUVd*ltD5fd@R<Vj#p7oO=-s<2>-72I9
z95X##aeiG)@ozs!HL2Gl;;Fpl=m1+9kq+M(X5YxqgjYq^#Yw{c#{N^j1>T?&*@9FD
zeb2*%>U&2q-9U0mE+TIq34tLFIA|!&fZn8PuOLo#{QhX!)E0d;l{h*bz6d$%;VF`%
zc8Nx1y!$x_)OT9cP>WS`85yO)$HK26mwi^MR{(O5>5QiF3%td$YbiIrBoO3XWevWR
zq@UdhcpeQ8T{hkK;{I6KD34I%;>2jk)PLHyp6z}AO{5^SeJ&q~sCNq_fq`pu&3w~C
zX8V!PgQOu%!0LREr*gB7ML8l0aKk>n@cgo*;hXllt&v5fS7y#7S>w4?kKd8B@S2jp
zzj<IIi)8$vit>(xsmL%UfUjSaC%CQ7V>fC11!Li3aH}BK)$(L1YM+@%yPa7NWcf52
zIxZLyfF=JL(ItUwz(HLld_6;x<nx1((z9OptU(mJB?^U<x1K5lc~nZ+z>rWAa(Sh*
zGc)A?w(Hv(PghXLwBDWRofKOp*NPhPcA?xwUyu)LC1Xombskblp3ihw6;{<XiZ9Dp
zw_w^IHMy+*)>MwHU;chDx2_!d<NNphf!j+Tz#FIF_z$AN0}M7v9{>fL5pvp7>Su6w
z3gmGvGvH$uY0L<<UBi>>dCDE%dqglJ;t$}{(+<B3%b3xz+hM&^Qo*1XgR0Tu`1b13
z$W#_k^Ri0WW~zbdy1^xW458Y!^Tk+c&5~r^ch^c^Oq%;LHKFUvNHKwLVYNO^HY$3C
zkv4W*=apM-O<@-Zm{DR0BRU0~L3yKrBA2AaCPd+tUH8eA?9-|<`HI$seYA@Yj$kPw
z6DU5+Rfk7R8Ld~(OZ%TO&MH7aXOIXp&TTfpZK@5Rs`Pch*X3};@2m^XkF^U-$WMnY
zq<dd#JCZ``i~PbU7T^#lL28SfUc_M{PYsZolm&*Nk+xn;ASID$c{4LE)>|?k*j6_)
ze)sg1`X?8L81SnO7YmuMhI+ZZDtZtg2R=-vrl4h<h8}S}>TVPAAxj8G*GUD)@6;Af
zc*Mtudd&8;iWEIxZk}VM-@pXiy1MoCRNtnEo#EAZmJ-}Prc&3Ai1h`5wkqcOifYVj
zn?lNlq-$ttFOs7&0GNd8;f3kvJ{RTH94bU-K1Zg+xb`~Y;J&$ET^Pi!bxp=(>%hq%
zfM`(~(0HOC&=ibR7qVs~r9l?sby{~lk6~4@A3x7<ywcZnlqKWo<9dgnA;x?}z+rPS
zebA1JI>>fI#XacNN_;fR**cYd+k+-NwZrhl)c~P)0Uqlibrh!+5L}QXwhcr5b%xe&
zjAwCLU2kuYo#f3szY>aiPnD#|I6nW&=Tm1bg1l@jL*KMvCP9Ci;84ERn;he%!Ec5`
zz45UM50SQQsaR`rl;&Jqs+!a4I|&4r(j3Ambh5GLXY07-D}-kdN!Tn{_VM#J#1<^M
z^(H&@E7pymgU2(flqNFhvG5JT#D}e&usC;o>^Ogyw9oat7}Utk&xGeWBFyWH2jhBc
zybU6#9nDJV0rWfSd;_wBDg)+jqDAZHkq>85HHAnV3u#21yetoM?%s4v9xVd5_<b=9
zktwKO&Us}?PxF!`5xcy76v1*kNTUY<Ev^TZT_NnlbcAKgYvCy;YI$I+<lLs3gZ^Fl
zcjAD1yOz$l6@TDOjV3dy%W`^2mw4=BRxL>`12k${qWc(0nV)96Ql2i37^U#h9v)o`
XwIKV@DVhTPy^OfX9pRko8gBmw^SgQS

literal 0
HcmV?d00001

diff --git a/favicon.svg b/favicon.svg
new file mode 100644
index 0000000..c266291
--- /dev/null
+++ b/favicon.svg
@@ -0,0 +1,6 @@
+<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 256 256">
+<style>
+.purple { fill: #9974F8; }
+@media (prefers-color-scheme: dark) { .purple { fill: #A88BFA; } }
+</style>
+<path class="purple" d="M94.82 149.44c6.53-1.94 17.13-4.9 29.26-5.71a102.97 102.97 0 0 1-7.64-48.84c1.63-16.51 7.54-30.38 13.25-42.1l3.47-7.14 4.48-9.18c2.35-5 4.08-9.38 4.9-13.56.81-4.07.81-7.64-.2-11.11-1.03-3.47-3.07-7.14-7.15-11.21a17.02 17.02 0 0 0-15.8 3.77l-52.81 47.5a17.12 17.12 0 0 0-5.5 10.2l-4.5 30.18a149.26 149.26 0 0 1 38.24 57.2ZM54.45 106l-1.02 3.06-27.94 62.2a17.33 17.33 0 0 0 3.27 18.96l43.94 45.16a88.7 88.7 0 0 0 8.97-88.5A139.47 139.47 0 0 0 54.45 106Z"/><path class="purple" d="m82.9 240.79 2.34.2c8.26.2 22.33 1.02 33.64 3.06 9.28 1.73 27.73 6.83 42.82 11.21 11.52 3.47 23.45-5.8 25.08-17.73 1.23-8.67 3.57-18.46 7.75-27.53a94.81 94.81 0 0 0-25.9-40.99 56.48 56.48 0 0 0-29.56-13.35 96.55 96.55 0 0 0-40.99 4.79 98.89 98.89 0 0 1-15.29 80.34h.1Z"/><path class="purple" d="M201.87 197.76a574.87 574.87 0 0 0 19.78-31.6 8.67 8.67 0 0 0-.61-9.48 185.58 185.58 0 0 1-21.82-35.9c-5.91-14.16-6.73-36.08-6.83-46.69 0-4.07-1.22-8.05-3.77-11.21l-34.16-43.33c0 1.94-.4 3.87-.81 5.81a76.42 76.42 0 0 1-5.71 15.9l-4.7 9.8-3.36 6.72a111.95 111.95 0 0 0-12.03 38.23 93.9 93.9 0 0 0 8.67 47.92 67.9 67.9 0 0 1 39.56 16.52 99.4 99.4 0 0 1 25.8 37.31Z"/></svg>
diff --git a/src/client/boot.js b/src/client/boot.js
index ba7fb22..d429429 100644
--- a/src/client/boot.js
+++ b/src/client/boot.js
@@ -808,17 +808,53 @@ const OBSIDIAN_SCRIPTS = [
           document.head.appendChild(s);
         }
 
-        // Hide the loading overlay once Obsidian's workspace element appears.
+        // Hide the loading overlay once Obsidian's workspace element appears,
+        // then apply post-boot patches that need window.app to be ready.
         var overlay = document.getElementById('ow-loading');
         if (overlay) {
           var obs = new MutationObserver(function () {
             if (document.querySelector('.workspace')) {
               overlay.remove();
               obs.disconnect();
+              _owPatchWorkspace();
             }
           });
           obs.observe(document.body, { childList: true, subtree: true });
         }
+
+        // Patch workspace methods that rely on Electron-native APIs unavailable
+        // in the browser. Retries briefly in case window.app is not yet set.
+        function _owPatchWorkspace(attempt) {
+          attempt = attempt || 0;
+          if (!window.app || !window.app.workspace) {
+            if (attempt < 10) setTimeout(function () { _owPatchWorkspace(attempt + 1); }, 50);
+            return;
+          }
+          var ws = window.app.workspace;
+
+          // openPopoutLeaf: Obsidian checks for a native Electron BrowserWindow
+          // via an internal validation function (V0) that throws "re-install"
+          // when running in a plain browser. Replace it to open a new browser
+          // tab with the same vault instead.
+          if (typeof ws.openPopoutLeaf === 'function') {
+            ws.openPopoutLeaf = function _owOpenPopoutLeaf() {
+              var params = new URLSearchParams(location.search);
+              var vaultId = params.get('vault') ||
+                (window.__obsidianWeb && window.__obsidianWeb.vaultId);
+              var url = vaultId
+                ? location.origin + '/?vault=' + encodeURIComponent(vaultId)
+                : location.origin + '/';
+              // Use the shell.openExternal shim which holds a pre-Obsidian
+              // reference to window.open (Obsidian patches window.open to
+              // route through its link handler, causing infinite recursion).
+              if (window.__owElectron && window.__owElectron.shell) {
+                window.__owElectron.shell.openExternal(url);
+              } else {
+                window.open(url, '_blank', 'noopener,noreferrer');
+              }
+            };
+          }
+        }
       })
       .catch(function (err) {
         stopPolling();
diff --git a/src/client/index.html b/src/client/index.html
index 6ec637e..c79f122 100644
--- a/src/client/index.html
+++ b/src/client/index.html
@@ -4,7 +4,9 @@
   <meta charset="utf-8"/>
   <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, viewport-fit=cover"/>
   <title>Obsidian Web</title>
-  <link rel="icon" href="/client/favicon.svg" type="image/svg+xml"/>
+  <link rel="icon" href="/favicon.ico" sizes="any"/>
+  <link rel="icon" href="/favicon.svg" type="image/svg+xml"/>
+  <link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
   <link href="/obsidian/app.css" type="text/css" rel="stylesheet"/>
   <style>
     #ow-loading {
diff --git a/src/client/starter.html b/src/client/starter.html
index 88b324f..77c9a31 100644
--- a/src/client/starter.html
+++ b/src/client/starter.html
@@ -4,7 +4,9 @@
   <meta charset="utf-8"/>
   <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, viewport-fit=cover"/>
   <title>Obsidian Starter</title>
-  <link rel="icon" href="/client/favicon.svg" type="image/svg+xml"/>
+  <link rel="icon" href="/favicon.ico" sizes="any"/>
+  <link rel="icon" href="/favicon.svg" type="image/svg+xml"/>
+  <link rel="apple-touch-icon" href="/apple-touch-icon.png"/>
   <link href="/obsidian/app.css" type="text/css" rel="stylesheet"/>
 </head>
 <body class="theme-dark starter">
diff --git a/src/server/index.js b/src/server/index.js
index 2b10f8c..95181eb 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -81,6 +81,14 @@ function createApp(appConfig = config) {
     }
   }
 
+  // Favicon and app icons from the project root.
+  const rootIconFiles = ['favicon.ico', 'favicon.svg', 'apple-touch-icon.png'];
+  for (const f of rootIconFiles) {
+    app.get('/' + f, (req, res) => {
+      res.sendFile(path.join(appConfig.projectRoot, f));
+    });
+  }
+
   // Custom entry point - our index.html, not Obsidian's.
   app.get('/', (req, res) => {
     sendHtmlWithCacheBust(res, path.join(appConfig.clientPath, 'index.html'));

From 3e03cad6a1efa3b4566a49aa14da9a426503f091 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 13:24:27 -0700
Subject: [PATCH 32/46] feat: favicon, image paste, open-in-new-window, vault
 manager popup

---
 Dockerfile                   |  3 ++
 src/client/shims/electron.js | 69 ++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 37209b5..5db6a96 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,6 +9,9 @@ COPY src/ src/
 COPY scripts/ scripts/
 COPY user-data/ user-data/
 COPY entrypoint.sh /entrypoint.sh
+
+# Static assets served from the project root (favicon, touch icon)
+COPY favicon.ico favicon.svg apple-touch-icon.png ./
 RUN chmod +x /entrypoint.sh
 
 # Install server dependencies (production only)
diff --git a/src/client/shims/electron.js b/src/client/shims/electron.js
index 638668c..6b67fc5 100644
--- a/src/client/shims/electron.js
+++ b/src/client/shims/electron.js
@@ -18,6 +18,61 @@
  * are stubs that log so we can spot uses we missed.
  */
 (function (global) {
+  // ---- Clipboard image cache ------------------------------------------
+  //
+  // electron.clipboard.readImage() must return a NativeImage synchronously.
+  // The browser Clipboard API is async and blocked on plain HTTP anyway,
+  // so instead we intercept the native 'paste' DOM event (which fires before
+  // Obsidian's handler) and cache any image payload. readImage() returns the
+  // last cached image so Obsidian's paste handler gets real pixel data.
+  //
+  // The cache is overwritten on every paste that contains an image and cleared
+  // when Obsidian reads it (to avoid stale images showing up on text pastes).
+
+  let _clipboardImageCache = null; // { data: Uint8Array, mime: string } | null
+
+  document.addEventListener('paste', function (ev) {
+    const items = ev.clipboardData && ev.clipboardData.items;
+    if (!items) return;
+    for (let i = 0; i < items.length; i++) {
+      const item = items[i];
+      if (item.kind === 'file' && item.type.startsWith('image/')) {
+        const file = item.getAsFile();
+        if (!file) continue;
+        const reader = new FileReader();
+        reader.onload = function () {
+          _clipboardImageCache = {
+            data: new Uint8Array(reader.result),
+            mime: item.type,
+          };
+        };
+        reader.readAsArrayBuffer(file);
+        break; // only need the first image
+      }
+    }
+  }, true); // capture phase so we run before Obsidian's listeners
+
+  function _makeNativeImage(cached) {
+    // Minimal NativeImage shim. Obsidian calls isEmpty() then toPNG() / toBuffer().
+    const empty = !cached;
+    return {
+      isEmpty:    () => empty,
+      toPNG:      () => (cached ? cached.data : new Uint8Array(0)),
+      toJPEG:     () => (cached ? cached.data : new Uint8Array(0)),
+      toBuffer:   () => (cached ? cached.data : new Uint8Array(0)),
+      toBitmap:   () => (cached ? cached.data : new Uint8Array(0)),
+      toDataURL:  () => {
+        if (!cached) return '';
+        let binary = '';
+        for (let i = 0; i < cached.data.length; i++) binary += String.fromCharCode(cached.data[i]);
+        return 'data:' + cached.mime + ';base64,' + btoa(binary);
+      },
+      getSize:    () => ({ width: 0, height: 0 }),
+      resize:     function () { return this; },
+      crop:       function () { return this; },
+    };
+  }
+
   // Save a reference to the real window.open BEFORE Obsidian patches it.
   // Obsidian overrides window.open to route URLs through its own link handler,
   // which calls ipcRenderer.send('open-url', ...) — so if our 'open-url'
@@ -593,6 +648,20 @@
     clipboard: {
       writeText: (text) => navigator.clipboard.writeText(text),
       readText: () => navigator.clipboard.readText(),
+      // Returns the image that was most recently pasted (captured via the DOM
+      // paste event above). Clears the cache so a subsequent text paste doesn't
+      // accidentally return a stale image.
+      readImage: () => {
+        const cached = _clipboardImageCache;
+        _clipboardImageCache = null;
+        return _makeNativeImage(cached);
+      },
+      // Returns the MIME types currently on the clipboard. Obsidian checks this
+      // to decide whether a paste contains an image. Report 'image/png' when
+      // our cache is populated (i.e. the user just pasted an image).
+      availableFormats: () => (_clipboardImageCache ? ['image/png'] : []),
+      hasImage: () => !!_clipboardImageCache,
+      writeImage: () => {},
     },
   };
   remote.BrowserWindow.getFocusedWindow = () => makeWindow();

From 5fa9bb3cf24f9bc6b8a09cb8dbabc45de5f0ea3f Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 13:33:21 -0700
Subject: [PATCH 33/46] fix: image rendering and favicon Docker copy

---
 src/client/boot.js           | 81 ++++++++++++++++++++++++++++++++++++
 src/client/shims/electron.js |  4 +-
 src/server/api/electron.js   | 15 ++++++-
 src/server/api/fs.js         | 13 +++++-
 4 files changed, 110 insertions(+), 3 deletions(-)

diff --git a/src/client/boot.js b/src/client/boot.js
index d429429..7c55d3c 100644
--- a/src/client/boot.js
+++ b/src/client/boot.js
@@ -822,6 +822,87 @@ const OBSIDIAN_SCRIPTS = [
           obs.observe(document.body, { childList: true, subtree: true });
         }
 
+        // Rewrite app:// and file:// asset URLs in img/video/audio/source
+        // elements to HTTP paths our server can serve.
+        // Obsidian constructs these via vault.getResourcePath(), which in
+        // Electron returns app://local/<vaultRoot>/<relPath>. We intercept
+        // them here and redirect to /api/fs/read?path=<relPath>.
+        _owInstallAssetRewriter();
+
+        // Converts an app:// or file:// asset URL to an /api/fs/read HTTP URL.
+        // app://local/vault/images/photo.png → /api/fs/read?path=images%2Fphoto.png
+        // file:///vault/images/photo.png    → /api/fs/read?path=images%2Fphoto.png
+        function _owAssetHref(src) {
+          if (!src) return null;
+          var vaultId = window.__obsidianWeb && window.__obsidianWeb.vaultId;
+          var vaultParam = vaultId ? '&vault=' + encodeURIComponent(vaultId) : '';
+          var rel = null;
+
+          if (src.startsWith('app://local/')) {
+            // app://local/<vaultBase>/<rel>  e.g. app://local/vault/img.png
+            var after = src.slice('app://local/'.length); // 'vault/img.png'
+            var vaultBase = 'vault'; // matches VAULT_BASE ('/vault') without leading slash
+            if (after.startsWith(vaultBase + '/')) {
+              rel = after.slice(vaultBase.length + 1);
+            } else {
+              rel = after; // fallback: use entire path after app://local/
+            }
+          } else if (src.startsWith('file:///vault/')) {
+            rel = src.slice('file:///vault/'.length);
+          } else if (src.startsWith('file:///')) {
+            rel = src.slice('file:///'.length);
+          }
+
+          if (!rel) return null;
+          return '/api/fs/read?path=' + encodeURIComponent(rel) + vaultParam;
+        }
+
+        function _owFixAssetEl(el) {
+          var src = el.getAttribute('src') || el.getAttribute('href');
+          if (!src) return;
+          if (!src.startsWith('app://') && !src.startsWith('file://')) return;
+          var fixed = _owAssetHref(src);
+          if (!fixed) return;
+          if (el.tagName === 'LINK') {
+            el.setAttribute('href', fixed);
+          } else {
+            el.setAttribute('src', fixed);
+          }
+        }
+
+        function _owInstallAssetRewriter() {
+          // Fix any already-present asset elements (shouldn't be any yet, but
+          // running it once costs nothing).
+          ['img', 'video', 'audio', 'source'].forEach(function (tag) {
+            document.querySelectorAll(tag).forEach(_owFixAssetEl);
+          });
+
+          // Watch for new/modified elements and fix them as they appear.
+          var assetObs = new MutationObserver(function (mutations) {
+            for (var i = 0; i < mutations.length; i++) {
+              var m = mutations[i];
+              // New nodes added to DOM.
+              for (var j = 0; j < m.addedNodes.length; j++) {
+                var node = m.addedNodes[j];
+                if (node.nodeType !== 1) continue; // elements only
+                _owFixAssetEl(node);
+                // Also fix descendants (e.g. an <img> inside an added <div>).
+                node.querySelectorAll && node.querySelectorAll('img,video,audio,source').forEach(_owFixAssetEl);
+              }
+              // src/href attribute changed on an existing element.
+              if (m.type === 'attributes') {
+                _owFixAssetEl(m.target);
+              }
+            }
+          });
+          assetObs.observe(document.body, {
+            childList: true,
+            subtree: true,
+            attributes: true,
+            attributeFilter: ['src', 'href'],
+          });
+        }
+
         // Patch workspace methods that rely on Electron-native APIs unavailable
         // in the browser. Retries briefly in case window.app is not yet set.
         function _owPatchWorkspace(attempt) {
diff --git a/src/client/shims/electron.js b/src/client/shims/electron.js
index 6b67fc5..927c3ff 100644
--- a/src/client/shims/electron.js
+++ b/src/client/shims/electron.js
@@ -324,7 +324,9 @@
 
       // Special-cased channels that need args or non-GET semantics.
       if (channel === 'file-url') {
-        return global.__owSyncJson('GET', '/api/electron/file-url?path=' + encodeURIComponent(args[0] || '')).value;
+        // Include the vault ID so the server can resolve the path correctly.
+        const vaultParam = vaultId ? '&vault=' + encodeURIComponent(vaultId) : '';
+        return global.__owSyncJson('GET', '/api/electron/file-url?path=' + encodeURIComponent(args[0] || '') + vaultParam).value;
       }
       if (channel === 'trash') {
         return global.__owSyncJson('POST', '/api/electron/trash', { path: args[0], vault: vaultId }).ok || false;
diff --git a/src/server/api/electron.js b/src/server/api/electron.js
index 65e0322..db23808 100644
--- a/src/server/api/electron.js
+++ b/src/server/api/electron.js
@@ -97,8 +97,21 @@ function createElectronRouter(vaultRegistry, fallbackVaultRoot) {
   });
 
   // ipcRenderer.sendSync('file-url', filePath)
+  // Obsidian calls this to turn a vault-relative virtual path (e.g.
+  // /vault/images/photo.png) into a URL it can use as <img src>.
+  // In Electron that works via the app:// protocol; in a browser we must
+  // return a real HTTP URL. We strip the virtual vault prefix and return
+  // a path to our /api/fs/read endpoint, which serves the raw binary.
   router.get('/file-url', (req, res) => {
-    res.json({ value: 'file://' + (req.query.path || '') });
+    const filePath = req.query.path || '';
+    // Strip the virtual vault base prefix (/vault/ by default).
+    const prefix = VAULT_BASE + '/';
+    const relative = filePath.startsWith(prefix)
+      ? filePath.slice(prefix.length)
+      : filePath.replace(/^\/+/, '');
+    const vault = getCurrentVault(req);
+    const vaultParam = vault ? '&vault=' + encodeURIComponent(vault.id) : '';
+    res.json({ value: '/api/fs/read?path=' + encodeURIComponent(relative) + vaultParam });
   });
 
   // ipcRenderer.sendSync('version')
diff --git a/src/server/api/fs.js b/src/server/api/fs.js
index e92ff46..f0c0838 100644
--- a/src/server/api/fs.js
+++ b/src/server/api/fs.js
@@ -421,7 +421,18 @@ function createFsRouter(vaultRegistry, fallbackVaultRoot) {
         res.type('text/plain; charset=utf-8').send(data);
       } else {
         const data = await fsp.readFile(target);
-        res.type('application/octet-stream').send(data);
+        // Use a proper MIME type for common asset types so browsers can render
+        // them inline (img src, audio, video). Fall back to octet-stream.
+        const ext = path.extname(relPath).toLowerCase();
+        const MIME = {
+          '.png': 'image/png', '.jpg': 'image/jpeg', '.jpeg': 'image/jpeg',
+          '.gif': 'image/gif', '.webp': 'image/webp', '.svg': 'image/svg+xml',
+          '.bmp': 'image/bmp', '.ico': 'image/x-icon', '.avif': 'image/avif',
+          '.mp4': 'video/mp4', '.mov': 'video/quicktime', '.webm': 'video/webm',
+          '.mp3': 'audio/mpeg', '.wav': 'audio/wav', '.ogg': 'audio/ogg', '.m4a': 'audio/mp4',
+          '.pdf': 'application/pdf',
+        };
+        res.type(MIME[ext] || 'application/octet-stream').send(data);
       }
     } catch (err) {
       handleError(res, err);

From 1343f2d03cb4a806e480f3db8c9adcf676baee4f Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 14:02:37 -0700
Subject: [PATCH 34/46] fix: strip virtual /vault/ prefix in trash handler

---
 src/server/api/electron.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/server/api/electron.js b/src/server/api/electron.js
index db23808..8a86eff 100644
--- a/src/server/api/electron.js
+++ b/src/server/api/electron.js
@@ -53,7 +53,14 @@ function createElectronRouter(vaultRegistry, fallbackVaultRoot) {
   // For now we just delete; later we can move to ~/.local/share/Trash.
   router.post('/trash', express.json(), async (req, res) => {
     try {
-      const rel = req.body.path;
+      // Obsidian passes the virtual vault path (/vault/some/file.md).
+      // Strip the VAULT_BASE prefix so it resolves correctly against the
+      // real vault root (same stripping original-fs.js does for /api/fs/*).
+      let rel = req.body.path || '';
+      const vaultPrefix = VAULT_BASE + '/';
+      if (rel.startsWith(vaultPrefix)) rel = rel.slice(vaultPrefix.length);
+      else if (rel === VAULT_BASE) rel = '';
+      else rel = rel.replace(/^\/+/, '');
       const vaultRoot = getVaultRoot(req);
       const absolute = path.resolve(vaultRoot, '.' + path.sep + rel);
       const resolvedRoot = path.resolve(vaultRoot);

From 7b0c5e725d847684a53740a52444152bd4350212 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 14:12:31 -0700
Subject: [PATCH 35/46] fix: showItemInFolder opens file in new tab instead of
 silent noop

---
 src/client/shims/electron.js | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/client/shims/electron.js b/src/client/shims/electron.js
index 927c3ff..7df85f0 100644
--- a/src/client/shims/electron.js
+++ b/src/client/shims/electron.js
@@ -500,9 +500,29 @@
 
   const remote = {
     shell: {
-      showItemInFolder: warnUnimplemented('shell.showItemInFolder'),
+      // "Show in folder" — open the file directly in a new tab since we can't
+      // launch a native file manager. Strips the virtual /vault/ prefix and
+      // maps to /api/fs/read so the browser can display or download the asset.
+      showItemInFolder: (filePath) => {
+        const rel = (filePath || '').replace(/^\/vault\//, '').replace(/^\/+/, '');
+        const vaultId = global.__obsidianWeb && global.__obsidianWeb.vaultId;
+        const vaultParam = vaultId ? '&vault=' + encodeURIComponent(vaultId) : '';
+        _nativeWindowOpen('/api/fs/read?path=' + encodeURIComponent(rel) + vaultParam, '_blank', 'noopener');
+      },
       openExternal: (url) => { _nativeWindowOpen(url, '_blank', 'noopener'); return Promise.resolve(); },
-      openPath: warnUnimplemented('shell.openPath'),
+      // "Open path" — same as showItemInFolder for vault files; for anything
+      // else treat it like openExternal.
+      openPath: (filePath) => {
+        if ((filePath || '').startsWith('/vault/') || (filePath || '').startsWith('vault/')) {
+          const rel = (filePath || '').replace(/^\/vault\//, '').replace(/^\/+/, '');
+          const vaultId = global.__obsidianWeb && global.__obsidianWeb.vaultId;
+          const vaultParam = vaultId ? '&vault=' + encodeURIComponent(vaultId) : '';
+          _nativeWindowOpen('/api/fs/read?path=' + encodeURIComponent(rel) + vaultParam, '_blank', 'noopener');
+        } else {
+          _nativeWindowOpen(filePath, '_blank', 'noopener');
+        }
+        return Promise.resolve('');
+      },
     },
     dialog: {
       showOpenDialogSync: (opts) => {

From 519e75f4d96413b430c544aa6c2e7688c3ac3a17 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 14:17:58 -0700
Subject: [PATCH 36/46] fix: override vault.getResourcePath to return HTTP URLs
 for images

---
 src/client/boot.js | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/src/client/boot.js b/src/client/boot.js
index 7c55d3c..3fc2cbc 100644
--- a/src/client/boot.js
+++ b/src/client/boot.js
@@ -822,13 +822,6 @@ const OBSIDIAN_SCRIPTS = [
           obs.observe(document.body, { childList: true, subtree: true });
         }
 
-        // Rewrite app:// and file:// asset URLs in img/video/audio/source
-        // elements to HTTP paths our server can serve.
-        // Obsidian constructs these via vault.getResourcePath(), which in
-        // Electron returns app://local/<vaultRoot>/<relPath>. We intercept
-        // them here and redirect to /api/fs/read?path=<relPath>.
-        _owInstallAssetRewriter();
-
         // Converts an app:// or file:// asset URL to an /api/fs/read HTTP URL.
         // app://local/vault/images/photo.png → /api/fs/read?path=images%2Fphoto.png
         // file:///vault/images/photo.png    → /api/fs/read?path=images%2Fphoto.png
@@ -913,6 +906,26 @@ const OBSIDIAN_SCRIPTS = [
           }
           var ws = window.app.workspace;
 
+          // vault.getResourcePath: Obsidian calls this for every embedded asset
+          // (images, audio, video, PDFs). In Electron it returns app://local/...
+          // which browsers can't load. Override it here — before any note is
+          // rendered — so the URL is already an HTTP path when Obsidian sets
+          // it as <img src>. This is more reliable than the MutationObserver
+          // fallback (which fixes src reactively after the browser already
+          // tried and failed to load the app:// URL).
+          if (window.app.vault && typeof window.app.vault.getResourcePath === 'function') {
+            var _origGetResourcePath = window.app.vault.getResourcePath.bind(window.app.vault);
+            window.app.vault.getResourcePath = function (file) {
+              var original = _origGetResourcePath(file);
+              return _owAssetHref(original) || original;
+            };
+          }
+
+          // MutationObserver fallback: rewrite any app:// or file:// src attrs
+          // that slip through (e.g. images in notes already open at load time,
+          // or plugins that bypass getResourcePath).
+          _owInstallAssetRewriter();
+
           // openPopoutLeaf: Obsidian checks for a native Electron BrowserWindow
           // via an internal validation function (V0) that throws "re-install"
           // when running in a plain browser. Replace it to open a new browser

From 74ab25b99c2fa2505ce58ae94a287be4511d0615 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 14:32:08 -0700
Subject: [PATCH 37/46] fix: use file.path directly in getResourcePath override
 to avoid timestamp mangling

---
 src/client/boot.js | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/src/client/boot.js b/src/client/boot.js
index 3fc2cbc..a9b471a 100644
--- a/src/client/boot.js
+++ b/src/client/boot.js
@@ -908,16 +908,14 @@ const OBSIDIAN_SCRIPTS = [
 
           // vault.getResourcePath: Obsidian calls this for every embedded asset
           // (images, audio, video, PDFs). In Electron it returns app://local/...
-          // which browsers can't load. Override it here — before any note is
-          // rendered — so the URL is already an HTTP path when Obsidian sets
-          // it as <img src>. This is more reliable than the MutationObserver
-          // fallback (which fixes src reactively after the browser already
-          // tried and failed to load the app:// URL).
+          // which browsers can't load. Build the URL directly from file.path
+          // (the clean vault-relative path, no protocol prefix, no timestamp)
+          // rather than trying to parse the Electron URL format.
           if (window.app.vault && typeof window.app.vault.getResourcePath === 'function') {
-            var _origGetResourcePath = window.app.vault.getResourcePath.bind(window.app.vault);
             window.app.vault.getResourcePath = function (file) {
-              var original = _origGetResourcePath(file);
-              return _owAssetHref(original) || original;
+              var vaultId = window.__obsidianWeb && window.__obsidianWeb.vaultId;
+              var vaultParam = vaultId ? '&vault=' + encodeURIComponent(vaultId) : '';
+              return '/api/fs/read?path=' + encodeURIComponent((file && file.path) || '') + vaultParam;
             };
           }
 

From d6ffda0f1a0d9d81887b3ca20afc3de226de6ddd Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 15:52:04 -0700
Subject: [PATCH 38/46] chore: add .gitattributes to normalize line endings
 (fixes CRLF churn on Windows)

---
 .gitattributes                          |   14 +
 src/client/boot.js                      | 1916 +++++++--------
 src/client/shims/original-fs.js         | 1214 +++++-----
 src/client/shims/sync-http.js           |  154 +-
 src/server/index.js                     |  386 +--
 src/server/package-lock.json            | 2952 +++++++++++------------
 src/server/package.json                 |   40 +-
 src/server/test/bootstrap-cache.test.js |   10 +-
 src/server/test/vaults-api.test.js      |   10 +-
 9 files changed, 3363 insertions(+), 3333 deletions(-)
 create mode 100644 .gitattributes

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..6650a0a
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,14 @@
+# Normalize all text files to LF in the repo and working tree.
+# Prevents CRLF conversion churn (whole-file diffs) on Windows checkouts.
+* text=auto eol=lf
+
+# Windows-specific scripts keep CRLF
+*.bat text eol=crlf
+*.ps1 text eol=crlf
+
+# Binary files — never touch line endings
+*.png binary
+*.ico binary
+*.jpg binary
+*.woff binary
+*.woff2 binary
diff --git a/src/client/boot.js b/src/client/boot.js
index a9b471a..e21fbdd 100644
--- a/src/client/boot.js
+++ b/src/client/boot.js
@@ -1,958 +1,958 @@
-/**
- * Boot script - runs before Obsidian's code.
- *
- * Responsibilities:
- *   1. Install window.require so Obsidian's window.require("...") calls
- *      hit our shims instead of failing.
- *   2. Pre-set platform flags (window.electron, etc.) where Obsidian
- *      reads them outside of a require() call.
- *   3. Configure the vault base path that the fs shim will use.
- *   4. Fetch the bootstrap cache asynchronously (non-blocking), then
- *      inject Obsidian's scripts dynamically so the spinner stays visible
- *      (and the main thread stays unblocked) during the fetch.
- *
- * Order of script tags in index.html ensures all shim files have already
- * loaded their __ow* globals by the time this runs.
- *
- * Obsidian's scripts are NOT listed in index.html anymore. They are
- * injected here, after the async bootstrap resolves, with async=false so
- * the browser can download them in parallel but executes them in order.
- */
-
-// Polyfill crypto.randomUUID for non-secure contexts (plain HTTP on LAN).
-// Browsers restrict this API to HTTPS/localhost; plugins like ion-sync need it.
-if (typeof crypto !== 'undefined' && !crypto.randomUUID) {
-  crypto.randomUUID = function () {
-    return ([1e7] + -1e3 + -4e3 + -8e3 + -1e11).replace(/[018]/g, (c) =>
-      (c ^ crypto.getRandomValues(new Uint8Array(1))[0] & 15 >> c / 4).toString(16)
-    );
-  };
-}
-
-// Polyfill crypto.subtle for non-secure contexts (plain HTTP on LAN).
-// Browsers only expose SubtleCrypto on HTTPS/localhost. Plugins like ion-sync
-// call digest / importKey / deriveKey / encrypt / decrypt — without this they
-// throw "Cannot read properties of undefined (reading 'digest')" etc.
-if (typeof crypto !== 'undefined' && !crypto.subtle) {
-  (function () {
-
-    // ── helpers ────────────────────────────────────────────────────────────
-    function _toU8(x) {
-      if (x instanceof Uint8Array) return x;
-      if (x instanceof ArrayBuffer) return new Uint8Array(x);
-      if (x && x.buffer instanceof ArrayBuffer) return new Uint8Array(x.buffer, x.byteOffset, x.byteLength);
-      return new Uint8Array(x);
-    }
-
-    // ── SHA-256 (pure JS, public domain) ──────────────────────────────────
-    var _K = new Uint32Array([
-      0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
-      0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
-      0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
-      0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
-      0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
-      0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
-      0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
-      0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2,
-    ]);
-    function _r(n,k){return(n>>>k)|(n<<(32-k));}
-    function _sha256(data) {
-      var H=new Uint32Array([0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19]);
-      var len=data.length,bc=Math.ceil((len+9)/64),p=new Uint8Array(bc*64);
-      p.set(data);p[len]=0x80;
-      var dv=new DataView(p.buffer);
-      dv.setUint32(p.length-4,(len*8)>>>0,false);
-      dv.setUint32(p.length-8,Math.floor(len/0x20000000)>>>0,false);
-      var W=new Uint32Array(64);
-      for(var i=0;i<bc;i++){
-        var bv=new DataView(p.buffer,i*64,64);
-        for(var t=0;t<16;t++)W[t]=bv.getUint32(t*4,false);
-        for(var t=16;t<64;t++){var s0=_r(W[t-15],7)^_r(W[t-15],18)^(W[t-15]>>>3);var s1=_r(W[t-2],17)^_r(W[t-2],19)^(W[t-2]>>>10);W[t]=(W[t-16]+s0+W[t-7]+s1)>>>0;}
-        var a=H[0],b=H[1],c=H[2],d=H[3],e=H[4],f=H[5],g=H[6],h=H[7];
-        for(var t=0;t<64;t++){var S1=_r(e,6)^_r(e,11)^_r(e,25),ch=(e&f)^(~e&g);var t1=(h+S1+ch+_K[t]+W[t])>>>0;var S0=_r(a,2)^_r(a,13)^_r(a,22),maj=(a&b)^(a&c)^(b&c);var t2=(S0+maj)>>>0;h=g;g=f;f=e;e=(d+t1)>>>0;d=c;c=b;b=a;a=(t1+t2)>>>0;}
-        H[0]=(H[0]+a)>>>0;H[1]=(H[1]+b)>>>0;H[2]=(H[2]+c)>>>0;H[3]=(H[3]+d)>>>0;
-        H[4]=(H[4]+e)>>>0;H[5]=(H[5]+f)>>>0;H[6]=(H[6]+g)>>>0;H[7]=(H[7]+h)>>>0;
-      }
-      var out=new Uint8Array(32),ov=new DataView(out.buffer);
-      for(var i=0;i<8;i++)ov.setUint32(i*4,H[i],false);
-      return out;
-    }
-
-    // ── SHA-1 (pure JS, for ion-sync getSHA) ─────────────────────────────
-    function _sha1(data) {
-      var H=new Uint32Array([0x67452301,0xEFCDAB89,0x98BADCFE,0x10325476,0xC3D2E1F0]);
-      var len=data.length,bc=Math.ceil((len+9)/64),p=new Uint8Array(bc*64);
-      p.set(data);p[len]=0x80;
-      var dv=new DataView(p.buffer);
-      dv.setUint32(p.length-4,(len*8)>>>0,false);
-      dv.setUint32(p.length-8,Math.floor(len/0x20000000)>>>0,false);
-      var W=new Uint32Array(80);
-      for(var i=0;i<bc;i++){
-        var bv=new DataView(p.buffer,i*64,64);
-        for(var t=0;t<16;t++)W[t]=bv.getUint32(t*4,false);
-        for(var t=16;t<80;t++){var x=W[t-3]^W[t-8]^W[t-14]^W[t-16];W[t]=(x<<1)|(x>>>31);}
-        var a=H[0],b=H[1],c=H[2],d=H[3],e=H[4];
-        for(var t=0;t<80;t++){
-          var f,k;
-          if(t<20){f=(b&c)|(~b&d);k=0x5A827999;}
-          else if(t<40){f=b^c^d;k=0x6ED9EBA1;}
-          else if(t<60){f=(b&c)|(b&d)|(c&d);k=0x8F1BBCDC;}
-          else{f=b^c^d;k=0xCA62C1D6;}
-          var tmp=(((a<<5)|(a>>>27))+f+e+k+W[t])>>>0;
-          e=d;d=c;c=((b<<30)|(b>>>2))>>>0;b=a;a=tmp;
-        }
-        H[0]=(H[0]+a)>>>0;H[1]=(H[1]+b)>>>0;H[2]=(H[2]+c)>>>0;H[3]=(H[3]+d)>>>0;H[4]=(H[4]+e)>>>0;
-      }
-      var out=new Uint8Array(20),ov=new DataView(out.buffer);
-      for(var i=0;i<5;i++)ov.setUint32(i*4,H[i],false);
-      return out;
-    }
-
-    // ── AES-256 forward cipher (pure JS) ──────────────────────────────────
-    // S-box (forward)
-    var _AS = new Uint8Array([99,124,119,123,242,107,111,197,48,1,103,43,254,215,171,118,202,130,201,125,250,89,71,240,173,212,162,175,156,164,114,192,183,253,147,38,54,63,247,204,52,165,229,241,113,216,49,21,4,199,35,195,24,150,5,154,7,18,128,226,235,39,178,117,9,131,44,26,27,110,90,160,82,59,214,179,41,227,47,132,83,209,0,237,32,252,177,91,106,203,190,57,74,76,88,207,208,239,170,251,67,77,51,133,69,249,2,127,80,60,159,168,81,163,64,143,146,157,56,245,188,182,218,33,16,255,243,210,205,12,19,236,95,151,68,23,196,167,126,61,100,93,25,115,96,129,79,220,34,42,144,136,70,238,184,20,222,94,11,219,224,50,58,10,73,6,36,92,194,211,172,98,145,149,228,121,231,200,55,109,141,213,78,169,108,86,244,234,101,122,174,8,186,120,37,46,28,166,180,198,232,221,116,31,75,189,139,138,112,62,181,102,72,3,246,14,97,53,87,185,134,193,29,158,225,248,152,17,105,217,142,148,155,30,135,233,206,85,40,223,140,161,137,13,191,230,66,104,65,153,45,15,176,84,187,22]);
-    // Round constants for AES-256 key schedule (7 values needed: rounds at i=8,16,…,56)
-    var _ARC = new Uint32Array([0x01000000,0x02000000,0x04000000,0x08000000,0x10000000,0x20000000,0x40000000]);
-    // GF(2^8) × 2 table
-    var _AX2 = new Uint8Array(256);
-    for (var _ai=0;_ai<256;_ai++) _AX2[_ai]=((_ai<<1)^(_ai&0x80?0x1b:0))&0xff;
-
-    function _aesKeyExp(key) {
-      // key: 32-byte Uint8Array → 60-word key schedule (AES-256, 14 rounds)
-      var W=new Uint32Array(60);
-      for (var i=0;i<8;i++) W[i]=(key[4*i]<<24)|(key[4*i+1]<<16)|(key[4*i+2]<<8)|key[4*i+3];
-      for (var i=8;i<60;i++) {
-        var t=W[i-1];
-        if (i%8===0) {
-          // SubWord(RotWord(t)) XOR Rcon
-          t=(_AS[(t>>16)&0xff]<<24)|(_AS[(t>>8)&0xff]<<16)|(_AS[t&0xff]<<8)|_AS[(t>>24)&0xff];
-          t^=_ARC[(i>>3)-1];
-        } else if (i%8===4) {
-          t=(_AS[(t>>24)&0xff]<<24)|(_AS[(t>>16)&0xff]<<16)|(_AS[(t>>8)&0xff]<<8)|_AS[t&0xff];
-        }
-        W[i]=W[i-8]^t;
-      }
-      return W;
-    }
-
-    function _aesEnc(blk, W) {
-      // Encrypt one 16-byte block. State is column-major: column c = bytes s[4c..4c+3].
-      var s=new Uint8Array(16); s.set(blk);
-      // Round 0: AddRoundKey
-      for (var c=0;c<4;c++){var w=W[c];s[4*c]^=(w>>24)&0xff;s[4*c+1]^=(w>>16)&0xff;s[4*c+2]^=(w>>8)&0xff;s[4*c+3]^=w&0xff;}
-      for (var round=1;round<=14;round++) {
-        // SubBytes
-        for (var i=0;i<16;i++) s[i]=_AS[s[i]];
-        // ShiftRows: row r (= indices r,4+r,8+r,12+r) shifts left by r
-        var t;
-        t=s[1];s[1]=s[5];s[5]=s[9];s[9]=s[13];s[13]=t;         // row 1: shift-left 1
-        t=s[2];s[2]=s[10];s[10]=t; t=s[6];s[6]=s[14];s[14]=t;  // row 2: shift-left 2
-        t=s[15];s[15]=s[11];s[11]=s[7];s[7]=s[3];s[3]=t;        // row 3: shift-left 3
-        // MixColumns (skipped in last round)
-        if (round<14) {
-          for (var c=0;c<4;c++) {
-            var i=4*c,a=s[i],b=s[i+1],cc=s[i+2],d=s[i+3];
-            s[i]  =_AX2[a]^_AX2[b]^b^cc^d;
-            s[i+1]=a^_AX2[b]^_AX2[cc]^cc^d;
-            s[i+2]=a^b^_AX2[cc]^_AX2[d]^d;
-            s[i+3]=_AX2[a]^a^b^cc^_AX2[d];
-          }
-        }
-        // AddRoundKey
-        for (var c=0;c<4;c++){var w=W[round*4+c];s[4*c]^=(w>>24)&0xff;s[4*c+1]^=(w>>16)&0xff;s[4*c+2]^=(w>>8)&0xff;s[4*c+3]^=w&0xff;}
-      }
-      return s;
-    }
-
-    // ── AES-GCM ───────────────────────────────────────────────────────────
-    // GF(2^128) multiply per GCM spec: R = 0xe1 followed by 15 zero bytes.
-    function _gcmMul(X, Y) {
-      var Z=new Uint8Array(16), V=new Uint8Array(Y);
-      for (var i=0;i<16;i++) {
-        for (var j=7;j>=0;j--) {
-          if ((X[i]>>j)&1) for (var k=0;k<16;k++) Z[k]^=V[k];
-          var lsb=V[15]&1;
-          for (var k=15;k>0;k--) V[k]=(V[k]>>>1)|((V[k-1]&1)<<7);
-          V[0]=V[0]>>>1;
-          if (lsb) V[0]^=0xe1;
-        }
-      }
-      return Z;
-    }
-
-    // Compute GCM auth tag: GHASH(pad(AAD)||pad(CT)||len64(AAD)||len64(CT)) then XOR AES(J0).
-    function _gcmTag(W, H, J0, ct, aad) {
-      var ap=(16-aad.length%16)%16, cp=(16-ct.length%16)%16;
-      var buf=new Uint8Array(aad.length+ap+ct.length+cp+16);
-      buf.set(aad,0); buf.set(ct,aad.length+ap);
-      var lo=aad.length+ap+ct.length+cp;
-      var ab=aad.length*8, cb=ct.length*8;
-      // 64-bit big-endian lengths (upper 32 bits are 0 for files < 512 MB)
-      buf[lo+4]=(ab>>>24)&0xff;buf[lo+5]=(ab>>>16)&0xff;buf[lo+6]=(ab>>>8)&0xff;buf[lo+7]=ab&0xff;
-      buf[lo+12]=(cb>>>24)&0xff;buf[lo+13]=(cb>>>16)&0xff;buf[lo+14]=(cb>>>8)&0xff;buf[lo+15]=cb&0xff;
-      // GHASH
-      var Y=new Uint8Array(16);
-      for (var i=0;i<buf.length;i+=16) {
-        var blk=new Uint8Array(16); blk.set(buf.slice(i,i+16));
-        for (var j=0;j<16;j++) Y[j]^=blk[j];
-        Y=_gcmMul(Y,H);
-      }
-      // T = AES(J0) XOR GHASH
-      var EJ=_aesEnc(J0,W), T=new Uint8Array(16);
-      for (var i=0;i<16;i++) T[i]=EJ[i]^Y[i];
-      return T;
-    }
-
-    // CTR-mode keystream: counter starts at INC32(J0), increments for each 16-byte block.
-    function _gcmCtr(W, J0, data) {
-      var ctr=new Uint8Array(J0), out=new Uint8Array(data.length);
-      for (var i=0;i<data.length;i+=16) {
-        var v=((ctr[12]<<24)|(ctr[13]<<16)|(ctr[14]<<8)|ctr[15]);
-        v=(v+1)>>>0;
-        ctr[12]=(v>>24)&0xff;ctr[13]=(v>>16)&0xff;ctr[14]=(v>>8)&0xff;ctr[15]=v&0xff;
-        var ks=_aesEnc(ctr,W);
-        for (var j=0;j<Math.min(16,data.length-i);j++) out[i+j]=data[i+j]^ks[j];
-      }
-      return out;
-    }
-
-    // ── CryptoKey shim ────────────────────────────────────────────────────
-    function _OWKey(data, alg) { this.__ow_data=data; this.__ow_alg=alg; }
-
-    // ── crypto.subtle ─────────────────────────────────────────────────────
-    crypto.subtle = {
-
-      digest: function (algorithm, data) {
-        var name=(typeof algorithm==='string'?algorithm:(algorithm&&algorithm.name)||'')
-          .toUpperCase().replace(/-/g,'');
-        if (name==='SHA256') return Promise.resolve(_sha256(_toU8(data)).buffer);
-        if (name==='SHA1')   return Promise.resolve(_sha1(_toU8(data)).buffer);
-        return Promise.reject(new Error('[polyfill] crypto.subtle.digest: unsupported "'+algorithm+'"'));
-      },
-
-      // Wrap raw key material for later use by deriveKey / encrypt / decrypt
-      importKey: function (format, keyData, algorithm, extractable, usages) {
-        if (format==='raw') {
-          var alg=(typeof algorithm==='string'?algorithm:(algorithm&&algorithm.name)||'').toUpperCase();
-          return Promise.resolve(new _OWKey(_toU8(keyData), alg));
-        }
-        return Promise.reject(new Error('[polyfill] crypto.subtle.importKey: unsupported format "'+format+'"'));
-      },
-
-      // PBKDF2 only — offloaded to /api/pbkdf2 (native Node crypto) because
-      // 100 000 iterations of pure-JS SHA-256 would freeze the browser for ~10 s.
-      deriveKey: function (algorithm, baseKey, derivedKeyType, extractable, usages) {
-        var algName=(typeof algorithm==='string'?algorithm:(algorithm&&algorithm.name)||'').toUpperCase();
-        if (algName==='PBKDF2') {
-          var salt=_toU8(algorithm.salt), iters=algorithm.iterations;
-          var dkLen=((derivedKeyType&&derivedKeyType.length)||256)/8;
-          var pwHex=Array.from(baseKey.__ow_data).map(function(b){return b.toString(16).padStart(2,'0');}).join('');
-          var saltHex=Array.from(salt).map(function(b){return b.toString(16).padStart(2,'0');}).join('');
-          return fetch('/api/pbkdf2',{
-            method:'POST',
-            headers:{'Content-Type':'application/json'},
-            body:JSON.stringify({password:pwHex,salt:saltHex,iterations:iters,keyLen:dkLen})
-          }).then(function(r){
-            if(!r.ok) throw new Error('[polyfill] /api/pbkdf2 returned '+r.status);
-            return r.json();
-          }).then(function(d){
-            var dk=new Uint8Array(dkLen);
-            for (var i=0;i<dkLen;i++) dk[i]=parseInt(d.key.slice(i*2,i*2+2),16);
-            return new _OWKey(dk,'AES-GCM');
-          });
-        }
-        return Promise.reject(new Error('[polyfill] crypto.subtle.deriveKey: unsupported "'+algName+'"'));
-      },
-
-      // AES-GCM encrypt — returns ArrayBuffer of ciphertext || 16-byte auth tag
-      encrypt: function (algorithm, key, data) {
-        var name=(typeof algorithm==='string'?algorithm:(algorithm&&algorithm.name)||'').toUpperCase();
-        if (name==='AES-GCM') {
-          try {
-            var iv=_toU8(algorithm.iv), pt=_toU8(data);
-            var W=_aesKeyExp(key.__ow_data);
-            var H=_aesEnc(new Uint8Array(16),W);
-            var J0=new Uint8Array(16); J0.set(iv.slice(0,12)); J0[15]=1;
-            var ct=_gcmCtr(W,J0,pt);
-            var tag=_gcmTag(W,H,J0,ct,new Uint8Array(0));
-            var out=new Uint8Array(ct.length+16); out.set(ct); out.set(tag,ct.length);
-            return Promise.resolve(out.buffer);
-          } catch(e) { return Promise.reject(e); }
-        }
-        return Promise.reject(new Error('[polyfill] crypto.subtle.encrypt: unsupported "'+name+'"'));
-      },
-
-      // AES-GCM decrypt — input is ciphertext || 16-byte auth tag
-      decrypt: function (algorithm, key, data) {
-        var name=(typeof algorithm==='string'?algorithm:(algorithm&&algorithm.name)||'').toUpperCase();
-        if (name==='AES-GCM') {
-          try {
-            var iv=_toU8(algorithm.iv), buf=_toU8(data);
-            if (buf.length<16) throw new Error('[polyfill] AES-GCM: data too short');
-            var ct=buf.slice(0,buf.length-16), tag=buf.slice(buf.length-16);
-            var W=_aesKeyExp(key.__ow_data);
-            var H=_aesEnc(new Uint8Array(16),W);
-            var J0=new Uint8Array(16); J0.set(iv.slice(0,12)); J0[15]=1;
-            var expectedTag=_gcmTag(W,H,J0,ct,new Uint8Array(0));
-            var ok=true; for (var i=0;i<16;i++) ok=ok&&(tag[i]===expectedTag[i]);
-            if (!ok) return Promise.reject(new DOMException('AES-GCM: tag mismatch','OperationError'));
-            return Promise.resolve(_gcmCtr(W,J0,ct).buffer);
-          } catch(e) { return Promise.reject(e); }
-        }
-        return Promise.reject(new Error('[polyfill] crypto.subtle.decrypt: unsupported "'+name+'"'));
-      },
-    };
-  })();
-}
-
-// Ordered list of Obsidian's renderer scripts — mirrors the old <script defer>
-// list in index.html. Keep in sync with obsidian/index.html if Obsidian is
-// updated to add or remove scripts.
-const OBSIDIAN_SCRIPTS = [
-  '/obsidian/lib/codemirror/codemirror.js',
-  '/obsidian/lib/codemirror/overlay.js',
-  '/obsidian/lib/codemirror/markdown.js',
-  '/obsidian/lib/codemirror/cm-addons.js',
-  '/obsidian/lib/codemirror/vim.js',
-  '/obsidian/lib/codemirror/meta.min.js',
-  '/obsidian/lib/moment.min.js',
-  '/obsidian/lib/pixi.min.js',
-  '/obsidian/lib/i18next.min.js',
-  '/obsidian/lib/scrypt.js',
-  '/obsidian/lib/turndown.js',
-  '/obsidian/enhance.js',
-  '/obsidian/i18n.js',
-  '/obsidian/app.js',
-];
-
-(function () {
-  // Many Node.js npm packages (e.g. node-forge) reference the Node.js global
-  // object as `global`. In the browser this doesn't exist; alias it to window
-  // so plugins that bundle such packages don't crash on startup.
-  if (typeof global === 'undefined') {
-    window.global = window;
-  }
-
-  const VAULT_BASE = '/vault';
-  const params = new URLSearchParams(location.search);
-  let VAULT_ID = params.get('vault') || localStorage.getItem('obsidian-web:lastVaultId') || '';
-
-  if (!VAULT_ID && location.pathname !== '/starter') {
-    location.href = '/starter';
-    return;
-  }
-
-  if (VAULT_ID) {
-    localStorage.setItem('obsidian-web:lastVaultId', VAULT_ID);
-  }
-
-  // Tell the fs shim what path prefix to strip when talking to the server.
-  window.__owFs.setVaultBase(VAULT_BASE);
-  window.__owFs.setVaultId(VAULT_ID);
-
-  // Auto-trust community plugins in demo mode so the "Do you trust this
-  // vault?" modal doesn't block first-time visitors.
-  // Obsidian checks: localStorage.getItem("enable-plugin-" + appId)
-  if (VAULT_ID) {
-    localStorage.setItem('enable-plugin-' + VAULT_ID, 'true');
-  }
-
-  // Mobile emulation: on small viewports, set the EmulateMobile flag so
-  // Obsidian activates its mobile UI (170 CSS rules + JS behavior).
-  // Obsidian reads this from localStorage before we can intervene, so it
-  // must be set before app.js loads (which it is — boot.js runs first).
-  if (window.innerWidth < 600 || window.innerHeight < 600) {
-    localStorage.setItem('EmulateMobile', '1');
-  } else {
-    localStorage.removeItem('EmulateMobile');
-  }
-
-  // Map module name -> shim object.
-  const modules = {
-    'fs':          window.__owFs,
-    'original-fs': window.__owFs,
-    'path':        window.__owPath,
-    'url':         window.__owUrl,
-    'os':          window.__owOs,
-    'electron':    window.__owElectron,
-    'btime':       window.__owBtime,
-    'crypto':      makeCryptoShim(),
-    'node:crypto': makeCryptoShim(),   // plugins that use the node: prefix
-    'util':        makeUtilShim(),
-    'node:util':   makeUtilShim(),
-    'buffer':      { Buffer: window.Buffer },   // require('buffer').Buffer
-    'process':     window.process,              // require('process')
-    // child_process: stub so plugins that optionally use it (e.g. Templater
-    // system commands) can load. Commands will fail gracefully at runtime.
-    'child_process': makeChildProcessStub(),
-    '@electron/remote': window.__owElectron.remote,
-    // keytar: server-backed credential store (replaces OS keychain)
-    'keytar': makeKeytarShim(),
-  };
-
-  function makeKeytarShim() {
-    function q(service, account) {
-      return '/api/keytar?service=' + encodeURIComponent(service) + '&account=' + encodeURIComponent(account);
-    }
-    return {
-      getPassword(service, account) {
-        return fetch(q(service, account))
-          .then(r => r.ok ? r.json().then(j => j.password) : null)
-          .catch(() => null);
-      },
-      setPassword(service, account, password) {
-        return fetch('/api/keytar', {
-          method: 'PUT',
-          headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify({ service, account, password }),
-        }).then(() => undefined);
-      },
-      deletePassword(service, account) {
-        return fetch(q(service, account), { method: 'DELETE' })
-          .then(r => r.json()).then(j => !!j.ok)
-          .catch(() => false);
-      },
-      findCredentials(service) {
-        return fetch('/api/keytar/all?service=' + encodeURIComponent(service))
-          .then(r => r.ok ? r.json() : [])
-          .catch(() => []);
-      },
-      findPassword(service) {
-        return fetch('/api/keytar/all?service=' + encodeURIComponent(service))
-          .then(r => r.ok ? r.json() : [])
-          .then(entries => entries.length ? entries[0].password : null)
-          .catch(() => null);
-      },
-      // Our server-backed store is always available
-      isEncryptionAvailable() { return true; },
-    };
-  }
-
-  function makeChildProcessStub() {
-    const ERR = new Error('[obsidian-web] child_process is not available in web mode');
-    function noop() {}
-    // Minimal EventEmitter-like object returned by spawn/exec
-    function fakeProc() {
-      return {
-        stdout: { on: noop, pipe: noop },
-        stderr: { on: noop, pipe: noop },
-        stdin:  { write: noop, end: noop },
-        on: noop, once: noop, off: noop,
-        kill: noop, pid: 0,
-      };
-    }
-    return {
-      exec(cmd, opts, cb) {
-        if (typeof opts === 'function') { cb = opts; }
-        if (typeof cb === 'function') { setTimeout(() => cb(ERR, '', ''), 0); }
-        return fakeProc();
-      },
-      execSync() { throw ERR; },
-      spawn() { return fakeProc(); },
-      spawnSync() { return { stdout: '', stderr: '', status: 1, error: ERR }; },
-      execFile(file, args, opts, cb) {
-        if (typeof opts === 'function') { cb = opts; }
-        if (typeof cb === 'function') { setTimeout(() => cb(ERR, '', ''), 0); }
-        return fakeProc();
-      },
-      fork() { return fakeProc(); },
-    };
-  }
-
-  function makeUtilShim() {
-    // Minimal Node.js `util` polyfill.
-    // promisify: wraps a (err, value) callback-style function into a Promise.
-    function promisify(fn) {
-      return function (...args) {
-        return new Promise((resolve, reject) => {
-          fn.call(this, ...args, (err, value) => {
-            if (err) reject(err);
-            else resolve(value);
-          });
-        });
-      };
-    }
-    // callbackify: inverse of promisify.
-    function callbackify(fn) {
-      return function (...args) {
-        const cb = args.pop();
-        fn.apply(this, args).then(
-          (v) => cb(null, v),
-          (e) => cb(e instanceof Error ? e : new Error(String(e))),
-        );
-      };
-    }
-    // inspect: basic stringification (subset of Node's util.inspect).
-    function inspect(obj) {
-      try { return JSON.stringify(obj); } catch (_) { return String(obj); }
-    }
-    // inherits: prototype chain helper used by older Node packages.
-    function inherits(ctor, superCtor) {
-      ctor.super_ = superCtor;
-      Object.setPrototypeOf(ctor.prototype, superCtor.prototype);
-    }
-    return { promisify, callbackify, inspect, inherits };
-  }
-
-  function makeCryptoShim() {
-    // ---- Pure-JS SHA-256 (synchronous, public domain) -------------------------
-    // Used by createHash('sha256') and createHmac('sha256', ...) so that sync
-    // callers (like ion-sync's _computeToken) get real results, not empty strings.
-    const _SHA256_K = new Uint32Array([
-      0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
-      0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
-      0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
-      0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
-      0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
-      0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
-      0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
-      0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2,
-    ]);
-    function _ror32(n, k) { return (n >>> k) | (n << (32 - k)); }
-    function _sha256(data /* Uint8Array */) {
-      const H = new Uint32Array([
-        0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19,
-      ]);
-      const len = data.length;
-      const bc = Math.ceil((len + 9) / 64);
-      const pad = new Uint8Array(bc * 64);
-      pad.set(data);
-      pad[len] = 0x80;
-      const dv = new DataView(pad.buffer);
-      dv.setUint32(pad.length - 4, (len * 8) >>> 0, false);
-      dv.setUint32(pad.length - 8, Math.floor(len / 0x20000000) >>> 0, false);
-      const W = new Uint32Array(64);
-      for (let i = 0; i < bc; i++) {
-        const bv = new DataView(pad.buffer, i * 64, 64);
-        for (let t = 0; t < 16; t++) W[t] = bv.getUint32(t * 4, false);
-        for (let t = 16; t < 64; t++) {
-          const s0 = _ror32(W[t-15],7)^_ror32(W[t-15],18)^(W[t-15]>>>3);
-          const s1 = _ror32(W[t-2],17)^_ror32(W[t-2],19)^(W[t-2]>>>10);
-          W[t] = (W[t-16]+s0+W[t-7]+s1)>>>0;
-        }
-        let a=H[0],b=H[1],c=H[2],d=H[3],e=H[4],f=H[5],g=H[6],h=H[7];
-        for (let t = 0; t < 64; t++) {
-          const S1=_ror32(e,6)^_ror32(e,11)^_ror32(e,25);
-          const ch=(e&f)^(~e&g);
-          const t1=(h+S1+ch+_SHA256_K[t]+W[t])>>>0;
-          const S0=_ror32(a,2)^_ror32(a,13)^_ror32(a,22);
-          const maj=(a&b)^(a&c)^(b&c);
-          const t2=(S0+maj)>>>0;
-          h=g;g=f;f=e;e=(d+t1)>>>0;d=c;c=b;b=a;a=(t1+t2)>>>0;
-        }
-        H[0]=(H[0]+a)>>>0;H[1]=(H[1]+b)>>>0;H[2]=(H[2]+c)>>>0;H[3]=(H[3]+d)>>>0;
-        H[4]=(H[4]+e)>>>0;H[5]=(H[5]+f)>>>0;H[6]=(H[6]+g)>>>0;H[7]=(H[7]+h)>>>0;
-      }
-      const out = new Uint8Array(32);
-      const ov = new DataView(out.buffer);
-      for (let i = 0; i < 8; i++) ov.setUint32(i*4, H[i], false);
-      return out;
-    }
-    function _hmacSha256(key, data) {
-      const BS = 64;
-      let k = key.length > BS ? _sha256(key) : key;
-      const k0 = new Uint8Array(BS); k0.set(k);
-      const ip = new Uint8Array(BS), op = new Uint8Array(BS);
-      for (let i = 0; i < BS; i++) { ip[i] = k0[i]^0x36; op[i] = k0[i]^0x5c; }
-      const inner = new Uint8Array(BS + data.length); inner.set(ip); inner.set(data, BS);
-      const ih = _sha256(inner);
-      const outer = new Uint8Array(BS + 32); outer.set(op); outer.set(ih, BS);
-      return _sha256(outer);
-    }
-    function _toBytes(v) {
-      if (typeof v === 'string') return new TextEncoder().encode(v);
-      if (v instanceof Uint8Array) return v;
-      if (v && v.buffer) return new Uint8Array(v.buffer, v.byteOffset || 0, v.byteLength);
-      return new Uint8Array(v);
-    }
-    function _encodeResult(bytes, enc) {
-      if (!enc || enc === 'buffer') return bytes;
-      if (enc === 'hex') return Array.from(bytes).map(b => b.toString(16).padStart(2,'0')).join('');
-      if (enc === 'base64') return btoa(String.fromCharCode(...bytes));
-      return bytes;
-    }
-    function _makeHasher(computeFn) {
-      const chunks = [];
-      const h = {
-        update(data) { chunks.push(_toBytes(data)); return h; },
-        digest(enc, cb) {
-          if (typeof enc === 'function') { cb = enc; enc = 'hex'; }
-          const combined = new Uint8Array(chunks.reduce((s,c) => s+c.length, 0));
-          let off = 0; for (const c of chunks) { combined.set(c, off); off += c.length; }
-          const result = _encodeResult(computeFn(combined), enc);
-          if (typeof cb === 'function') { cb(null, result); return h; }
-          return result;
-        },
-      };
-      return h;
-    }
-    // ---------------------------------------------------------------------------
-
-    return {
-      randomBytes(n) {
-        const arr = new Uint8Array(n);
-        crypto.getRandomValues(arr);
-        arr.toString = function (encoding) {
-          if (encoding === 'hex') {
-            let s = '';
-            for (let i = 0; i < this.length; i++) s += this[i].toString(16).padStart(2, '0');
-            return s;
-          }
-          return Uint8Array.prototype.toString.call(this);
-        };
-        return arr;
-      },
-      createHash(algo) {
-        const al = (algo || '').toLowerCase().replace('-','');
-        if (al === 'sha256') return _makeHasher(_sha256);
-        // For other algos: async via SubtleCrypto; sync path returns empty.
-        const algoMap = { sha1: 'SHA-1', sha512: 'SHA-512', md5: 'SHA-256' };
-        const subtleAlgo = algoMap[al] || 'SHA-256';
-        const chunks = [];
-        const h = {
-          update(data) {
-            chunks.push(typeof data === 'string' ? new TextEncoder().encode(data) : data);
-            return h;
-          },
-          digest(encoding, cb) {
-            if (typeof encoding === 'function') { cb = encoding; encoding = 'hex'; }
-            if (typeof cb === 'function') {
-              const combined = new Uint8Array(chunks.reduce((s, c) => s + c.length, 0));
-              let off = 0;
-              for (const c of chunks) { combined.set(c, off); off += c.length; }
-              crypto.subtle.digest(subtleAlgo, combined).then((buf) => {
-                const bytes = new Uint8Array(buf);
-                const s = Array.from(bytes).map(b => b.toString(16).padStart(2,'0')).join('');
-                cb(null, encoding === 'hex' ? s : bytes);
-              }).catch((err) => cb(err));
-              return h;
-            }
-            console.warn('[obsidian-web] crypto.createHash(' + algo + ').digest() sync — returning empty');
-            return encoding === 'hex' ? '' : new Uint8Array(0);
-          },
-        };
-        return h;
-      },
-      createHmac(algo, key) {
-        const al = (algo || '').toLowerCase().replace('-','');
-        const keyBytes = _toBytes(key);
-        if (al === 'sha256') return _makeHasher((data) => _hmacSha256(keyBytes, data));
-        console.warn('[obsidian-web] crypto.createHmac: unsupported algo', algo, '— returning zeros');
-        return _makeHasher(() => new Uint8Array(32));
-      },
-    };
-  }
-
-  // ── Missing-shim tracker ────────────────────────────────────────────────
-  // Collects every require(), sendSync(), and send() call that we don't handle.
-  // Inspect from DevTools: __owMissing.summary() / .table() / .list()
-  (function () {
-    const hits = new Map(); // key → { type, name, count, firstSeen, lastSeen }
-
-    function record(type, name) {
-      const key = type + ':' + name;
-      const now = Math.round(performance.now());
-      if (hits.has(key)) {
-        const e = hits.get(key);
-        e.count++;
-        e.lastSeen = now;
-      } else {
-        hits.set(key, { type, name, count: 1, firstSeen: now, lastSeen: now });
-      }
-    }
-
-    function summary() {
-      const rows = [...hits.values()].sort((a, b) => b.count - a.count);
-      if (rows.length === 0) {
-        console.log('[obsidian-web] __owMissing: nothing missing \u2713');
-        return [];
-      }
-      console.group('[obsidian-web] Missing shims — ' + rows.length + ' distinct, ' +
-        rows.reduce((s, r) => s + r.count, 0) + ' total calls');
-      console.table(rows.map(r => ({
-        type: r.type, name: r.name, count: r.count,
-        'first(ms)': r.firstSeen, 'last(ms)': r.lastSeen,
-      })));
-      console.groupEnd();
-      return rows;
-    }
-
-    window.__owMissing = { record, summary, list: () => [...hits.values()] };
-  })();
-
-  // Install window.require.
-  window.require = function (name) {
-    if (Object.prototype.hasOwnProperty.call(modules, name)) {
-      return modules[name];
-    }
-    console.warn('[obsidian-web] window.require: unknown module "' + name + '"');
-    window.__owMissing && window.__owMissing.record('require', name);
-    return undefined;
-  };
-
-  // Some Obsidian code reads window.electron directly (bypassing require).
-  window.electron = window.__owElectron;
-
-  // Some Obsidian code reads window.process.platform / arch.
-  window.process = window.process || {
-    platform: 'linux',
-    arch: 'x64',
-    versions: { electron: '0.0.0', node: '0.0.0' },
-    env: {},
-    cwd: () => '/',
-    nextTick: (fn, ...args) => Promise.resolve().then(() => fn(...args)),
-  };
-
-  // Set the global Buffer if Obsidian needs it. We don't ship a full
-  // Buffer polyfill yet - if something blows up here, that's our cue.
-  if (!window.Buffer) {
-    window.Buffer = {
-      from: (data, encoding) => {
-        if (typeof data === 'string') {
-          if (encoding === 'base64') {
-            const bin = atob(data);
-            const arr = new Uint8Array(bin.length);
-            for (let i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
-            return arr;
-          }
-          return new TextEncoder().encode(data);
-        }
-        return new Uint8Array(data);
-      },
-      isBuffer: (x) => x instanceof Uint8Array,
-      alloc: (n) => new Uint8Array(n),
-    };
-  }
-
-  // Expose the vault path where Obsidian expects to find one.
-  // It will be passed when Obsidian opens a vault; our launcher
-  // (later) tells Obsidian to open VAULT_BASE.
-  window.__obsidianWeb = {
-    vaultBase: VAULT_BASE,
-    vaultId: VAULT_ID,
-  };
-
-  console.log('[obsidian-web] boot complete; require + shims installed');
-
-  // ── Async bootstrap + dynamic script injection ──────────────────────────
-  //
-  // All synchronous setup above (window.require, shims, globals) is complete
-  // before this block runs. The fetch is async so the spinner renders
-  // immediately without blocking the main thread.
-  //
-  // After the cache is populated we inject Obsidian's scripts with async=false:
-  // the browser downloads them in parallel but executes them in insertion
-  // order, so Obsidian's dependencies are always satisfied.
-  //
-  // sendSync() / statSync() are only called AFTER app.js starts running,
-  // which is after this promise resolves — so the cache is always ready.
-  if (VAULT_ID && location.pathname !== '/starter') {
-    var statusEl = document.getElementById('ow-status');
-    var pollTimer = null;
-    var vaultParam = encodeURIComponent(VAULT_ID);
-
-    // Start polling /api/bootstrap/status after 2 seconds of waiting.
-    // Shows progress to the user during slow cold-start builds.
-    var pollDelay = setTimeout(function () {
-      pollTimer = setInterval(function () {
-        fetch('/api/bootstrap/status?vault=' + vaultParam)
-          .then(function (r) { return r.json(); })
-          .then(function (s) {
-            if (!statusEl || s.state === 'idle' || s.state === 'ready') return;
-            var text = s.label || '';
-            if (s.state === 'scanning' && s.dirs) {
-              text += ' (' + s.dirs + ' dirs, ' + (s.files || 0) + ' files)';
-            }
-            if (s.state === 'reading' && s.filesRead) {
-              text += ' (' + s.filesRead + '/' + (s.total || '?') + ')';
-            }
-            statusEl.textContent = text;
-          })
-          .catch(function () {});
-      }, 1000);
-    }, 2000);
-
-    function stopPolling() {
-      clearTimeout(pollDelay);
-      if (pollTimer) clearInterval(pollTimer);
-    }
-
-    fetch('/api/bootstrap?vault=' + vaultParam + '&full=1')
-      .then(function (res) {
-        if (!res.ok) throw new Error('HTTP ' + res.status);
-        return res.json();
-      })
-      .then(function (data) {
-        stopPolling();
-        var vault = data.electron && data.electron['vault'];
-        if (!vault || !vault.id) {
-          localStorage.removeItem('obsidian-web:lastVaultId');
-          location.href = '/starter';
-          return;
-        }
-        window.__owBootstrapCache = data;
-        if (statusEl) statusEl.textContent = 'Loading Obsidian...';
-        console.log('[obsidian-web] bootstrap loaded: ' + Object.keys(data.fs).length + ' files pre-cached');
-
-        // Inject Obsidian's scripts in order. async=false preserves execution
-        // order while allowing parallel download.
-        var loaded = 0;
-        for (var i = 0; i < OBSIDIAN_SCRIPTS.length; i++) {
-          var s = document.createElement('script');
-          s.src = OBSIDIAN_SCRIPTS[i];
-          s.async = false;
-          s.onload = function () {
-            loaded++;
-            if (statusEl) statusEl.textContent = 'Loading Obsidian (' + loaded + '/' + OBSIDIAN_SCRIPTS.length + ')';
-          };
-          document.head.appendChild(s);
-        }
-
-        // Hide the loading overlay once Obsidian's workspace element appears,
-        // then apply post-boot patches that need window.app to be ready.
-        var overlay = document.getElementById('ow-loading');
-        if (overlay) {
-          var obs = new MutationObserver(function () {
-            if (document.querySelector('.workspace')) {
-              overlay.remove();
-              obs.disconnect();
-              _owPatchWorkspace();
-            }
-          });
-          obs.observe(document.body, { childList: true, subtree: true });
-        }
-
-        // Converts an app:// or file:// asset URL to an /api/fs/read HTTP URL.
-        // app://local/vault/images/photo.png → /api/fs/read?path=images%2Fphoto.png
-        // file:///vault/images/photo.png    → /api/fs/read?path=images%2Fphoto.png
-        function _owAssetHref(src) {
-          if (!src) return null;
-          var vaultId = window.__obsidianWeb && window.__obsidianWeb.vaultId;
-          var vaultParam = vaultId ? '&vault=' + encodeURIComponent(vaultId) : '';
-          var rel = null;
-
-          if (src.startsWith('app://local/')) {
-            // app://local/<vaultBase>/<rel>  e.g. app://local/vault/img.png
-            var after = src.slice('app://local/'.length); // 'vault/img.png'
-            var vaultBase = 'vault'; // matches VAULT_BASE ('/vault') without leading slash
-            if (after.startsWith(vaultBase + '/')) {
-              rel = after.slice(vaultBase.length + 1);
-            } else {
-              rel = after; // fallback: use entire path after app://local/
-            }
-          } else if (src.startsWith('file:///vault/')) {
-            rel = src.slice('file:///vault/'.length);
-          } else if (src.startsWith('file:///')) {
-            rel = src.slice('file:///'.length);
-          }
-
-          if (!rel) return null;
-          return '/api/fs/read?path=' + encodeURIComponent(rel) + vaultParam;
-        }
-
-        function _owFixAssetEl(el) {
-          var src = el.getAttribute('src') || el.getAttribute('href');
-          if (!src) return;
-          if (!src.startsWith('app://') && !src.startsWith('file://')) return;
-          var fixed = _owAssetHref(src);
-          if (!fixed) return;
-          if (el.tagName === 'LINK') {
-            el.setAttribute('href', fixed);
-          } else {
-            el.setAttribute('src', fixed);
-          }
-        }
-
-        function _owInstallAssetRewriter() {
-          // Fix any already-present asset elements (shouldn't be any yet, but
-          // running it once costs nothing).
-          ['img', 'video', 'audio', 'source'].forEach(function (tag) {
-            document.querySelectorAll(tag).forEach(_owFixAssetEl);
-          });
-
-          // Watch for new/modified elements and fix them as they appear.
-          var assetObs = new MutationObserver(function (mutations) {
-            for (var i = 0; i < mutations.length; i++) {
-              var m = mutations[i];
-              // New nodes added to DOM.
-              for (var j = 0; j < m.addedNodes.length; j++) {
-                var node = m.addedNodes[j];
-                if (node.nodeType !== 1) continue; // elements only
-                _owFixAssetEl(node);
-                // Also fix descendants (e.g. an <img> inside an added <div>).
-                node.querySelectorAll && node.querySelectorAll('img,video,audio,source').forEach(_owFixAssetEl);
-              }
-              // src/href attribute changed on an existing element.
-              if (m.type === 'attributes') {
-                _owFixAssetEl(m.target);
-              }
-            }
-          });
-          assetObs.observe(document.body, {
-            childList: true,
-            subtree: true,
-            attributes: true,
-            attributeFilter: ['src', 'href'],
-          });
-        }
-
-        // Patch workspace methods that rely on Electron-native APIs unavailable
-        // in the browser. Retries briefly in case window.app is not yet set.
-        function _owPatchWorkspace(attempt) {
-          attempt = attempt || 0;
-          if (!window.app || !window.app.workspace) {
-            if (attempt < 10) setTimeout(function () { _owPatchWorkspace(attempt + 1); }, 50);
-            return;
-          }
-          var ws = window.app.workspace;
-
-          // vault.getResourcePath: Obsidian calls this for every embedded asset
-          // (images, audio, video, PDFs). In Electron it returns app://local/...
-          // which browsers can't load. Build the URL directly from file.path
-          // (the clean vault-relative path, no protocol prefix, no timestamp)
-          // rather than trying to parse the Electron URL format.
-          if (window.app.vault && typeof window.app.vault.getResourcePath === 'function') {
-            window.app.vault.getResourcePath = function (file) {
-              var vaultId = window.__obsidianWeb && window.__obsidianWeb.vaultId;
-              var vaultParam = vaultId ? '&vault=' + encodeURIComponent(vaultId) : '';
-              return '/api/fs/read?path=' + encodeURIComponent((file && file.path) || '') + vaultParam;
-            };
-          }
-
-          // MutationObserver fallback: rewrite any app:// or file:// src attrs
-          // that slip through (e.g. images in notes already open at load time,
-          // or plugins that bypass getResourcePath).
-          _owInstallAssetRewriter();
-
-          // openPopoutLeaf: Obsidian checks for a native Electron BrowserWindow
-          // via an internal validation function (V0) that throws "re-install"
-          // when running in a plain browser. Replace it to open a new browser
-          // tab with the same vault instead.
-          if (typeof ws.openPopoutLeaf === 'function') {
-            ws.openPopoutLeaf = function _owOpenPopoutLeaf() {
-              var params = new URLSearchParams(location.search);
-              var vaultId = params.get('vault') ||
-                (window.__obsidianWeb && window.__obsidianWeb.vaultId);
-              var url = vaultId
-                ? location.origin + '/?vault=' + encodeURIComponent(vaultId)
-                : location.origin + '/';
-              // Use the shell.openExternal shim which holds a pre-Obsidian
-              // reference to window.open (Obsidian patches window.open to
-              // route through its link handler, causing infinite recursion).
-              if (window.__owElectron && window.__owElectron.shell) {
-                window.__owElectron.shell.openExternal(url);
-              } else {
-                window.open(url, '_blank', 'noopener,noreferrer');
-              }
-            };
-          }
-        }
-      })
-      .catch(function (err) {
-        stopPolling();
-        console.warn('[obsidian-web] bootstrap failed:', err.message);
-        localStorage.removeItem('obsidian-web:lastVaultId');
-        location.href = '/starter';
-      });
-  }
-})();
+/**
+ * Boot script - runs before Obsidian's code.
+ *
+ * Responsibilities:
+ *   1. Install window.require so Obsidian's window.require("...") calls
+ *      hit our shims instead of failing.
+ *   2. Pre-set platform flags (window.electron, etc.) where Obsidian
+ *      reads them outside of a require() call.
+ *   3. Configure the vault base path that the fs shim will use.
+ *   4. Fetch the bootstrap cache asynchronously (non-blocking), then
+ *      inject Obsidian's scripts dynamically so the spinner stays visible
+ *      (and the main thread stays unblocked) during the fetch.
+ *
+ * Order of script tags in index.html ensures all shim files have already
+ * loaded their __ow* globals by the time this runs.
+ *
+ * Obsidian's scripts are NOT listed in index.html anymore. They are
+ * injected here, after the async bootstrap resolves, with async=false so
+ * the browser can download them in parallel but executes them in order.
+ */
+
+// Polyfill crypto.randomUUID for non-secure contexts (plain HTTP on LAN).
+// Browsers restrict this API to HTTPS/localhost; plugins like ion-sync need it.
+if (typeof crypto !== 'undefined' && !crypto.randomUUID) {
+  crypto.randomUUID = function () {
+    return ([1e7] + -1e3 + -4e3 + -8e3 + -1e11).replace(/[018]/g, (c) =>
+      (c ^ crypto.getRandomValues(new Uint8Array(1))[0] & 15 >> c / 4).toString(16)
+    );
+  };
+}
+
+// Polyfill crypto.subtle for non-secure contexts (plain HTTP on LAN).
+// Browsers only expose SubtleCrypto on HTTPS/localhost. Plugins like ion-sync
+// call digest / importKey / deriveKey / encrypt / decrypt — without this they
+// throw "Cannot read properties of undefined (reading 'digest')" etc.
+if (typeof crypto !== 'undefined' && !crypto.subtle) {
+  (function () {
+
+    // ── helpers ────────────────────────────────────────────────────────────
+    function _toU8(x) {
+      if (x instanceof Uint8Array) return x;
+      if (x instanceof ArrayBuffer) return new Uint8Array(x);
+      if (x && x.buffer instanceof ArrayBuffer) return new Uint8Array(x.buffer, x.byteOffset, x.byteLength);
+      return new Uint8Array(x);
+    }
+
+    // ── SHA-256 (pure JS, public domain) ──────────────────────────────────
+    var _K = new Uint32Array([
+      0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
+      0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
+      0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
+      0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
+      0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
+      0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
+      0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
+      0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2,
+    ]);
+    function _r(n,k){return(n>>>k)|(n<<(32-k));}
+    function _sha256(data) {
+      var H=new Uint32Array([0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19]);
+      var len=data.length,bc=Math.ceil((len+9)/64),p=new Uint8Array(bc*64);
+      p.set(data);p[len]=0x80;
+      var dv=new DataView(p.buffer);
+      dv.setUint32(p.length-4,(len*8)>>>0,false);
+      dv.setUint32(p.length-8,Math.floor(len/0x20000000)>>>0,false);
+      var W=new Uint32Array(64);
+      for(var i=0;i<bc;i++){
+        var bv=new DataView(p.buffer,i*64,64);
+        for(var t=0;t<16;t++)W[t]=bv.getUint32(t*4,false);
+        for(var t=16;t<64;t++){var s0=_r(W[t-15],7)^_r(W[t-15],18)^(W[t-15]>>>3);var s1=_r(W[t-2],17)^_r(W[t-2],19)^(W[t-2]>>>10);W[t]=(W[t-16]+s0+W[t-7]+s1)>>>0;}
+        var a=H[0],b=H[1],c=H[2],d=H[3],e=H[4],f=H[5],g=H[6],h=H[7];
+        for(var t=0;t<64;t++){var S1=_r(e,6)^_r(e,11)^_r(e,25),ch=(e&f)^(~e&g);var t1=(h+S1+ch+_K[t]+W[t])>>>0;var S0=_r(a,2)^_r(a,13)^_r(a,22),maj=(a&b)^(a&c)^(b&c);var t2=(S0+maj)>>>0;h=g;g=f;f=e;e=(d+t1)>>>0;d=c;c=b;b=a;a=(t1+t2)>>>0;}
+        H[0]=(H[0]+a)>>>0;H[1]=(H[1]+b)>>>0;H[2]=(H[2]+c)>>>0;H[3]=(H[3]+d)>>>0;
+        H[4]=(H[4]+e)>>>0;H[5]=(H[5]+f)>>>0;H[6]=(H[6]+g)>>>0;H[7]=(H[7]+h)>>>0;
+      }
+      var out=new Uint8Array(32),ov=new DataView(out.buffer);
+      for(var i=0;i<8;i++)ov.setUint32(i*4,H[i],false);
+      return out;
+    }
+
+    // ── SHA-1 (pure JS, for ion-sync getSHA) ─────────────────────────────
+    function _sha1(data) {
+      var H=new Uint32Array([0x67452301,0xEFCDAB89,0x98BADCFE,0x10325476,0xC3D2E1F0]);
+      var len=data.length,bc=Math.ceil((len+9)/64),p=new Uint8Array(bc*64);
+      p.set(data);p[len]=0x80;
+      var dv=new DataView(p.buffer);
+      dv.setUint32(p.length-4,(len*8)>>>0,false);
+      dv.setUint32(p.length-8,Math.floor(len/0x20000000)>>>0,false);
+      var W=new Uint32Array(80);
+      for(var i=0;i<bc;i++){
+        var bv=new DataView(p.buffer,i*64,64);
+        for(var t=0;t<16;t++)W[t]=bv.getUint32(t*4,false);
+        for(var t=16;t<80;t++){var x=W[t-3]^W[t-8]^W[t-14]^W[t-16];W[t]=(x<<1)|(x>>>31);}
+        var a=H[0],b=H[1],c=H[2],d=H[3],e=H[4];
+        for(var t=0;t<80;t++){
+          var f,k;
+          if(t<20){f=(b&c)|(~b&d);k=0x5A827999;}
+          else if(t<40){f=b^c^d;k=0x6ED9EBA1;}
+          else if(t<60){f=(b&c)|(b&d)|(c&d);k=0x8F1BBCDC;}
+          else{f=b^c^d;k=0xCA62C1D6;}
+          var tmp=(((a<<5)|(a>>>27))+f+e+k+W[t])>>>0;
+          e=d;d=c;c=((b<<30)|(b>>>2))>>>0;b=a;a=tmp;
+        }
+        H[0]=(H[0]+a)>>>0;H[1]=(H[1]+b)>>>0;H[2]=(H[2]+c)>>>0;H[3]=(H[3]+d)>>>0;H[4]=(H[4]+e)>>>0;
+      }
+      var out=new Uint8Array(20),ov=new DataView(out.buffer);
+      for(var i=0;i<5;i++)ov.setUint32(i*4,H[i],false);
+      return out;
+    }
+
+    // ── AES-256 forward cipher (pure JS) ──────────────────────────────────
+    // S-box (forward)
+    var _AS = new Uint8Array([99,124,119,123,242,107,111,197,48,1,103,43,254,215,171,118,202,130,201,125,250,89,71,240,173,212,162,175,156,164,114,192,183,253,147,38,54,63,247,204,52,165,229,241,113,216,49,21,4,199,35,195,24,150,5,154,7,18,128,226,235,39,178,117,9,131,44,26,27,110,90,160,82,59,214,179,41,227,47,132,83,209,0,237,32,252,177,91,106,203,190,57,74,76,88,207,208,239,170,251,67,77,51,133,69,249,2,127,80,60,159,168,81,163,64,143,146,157,56,245,188,182,218,33,16,255,243,210,205,12,19,236,95,151,68,23,196,167,126,61,100,93,25,115,96,129,79,220,34,42,144,136,70,238,184,20,222,94,11,219,224,50,58,10,73,6,36,92,194,211,172,98,145,149,228,121,231,200,55,109,141,213,78,169,108,86,244,234,101,122,174,8,186,120,37,46,28,166,180,198,232,221,116,31,75,189,139,138,112,62,181,102,72,3,246,14,97,53,87,185,134,193,29,158,225,248,152,17,105,217,142,148,155,30,135,233,206,85,40,223,140,161,137,13,191,230,66,104,65,153,45,15,176,84,187,22]);
+    // Round constants for AES-256 key schedule (7 values needed: rounds at i=8,16,…,56)
+    var _ARC = new Uint32Array([0x01000000,0x02000000,0x04000000,0x08000000,0x10000000,0x20000000,0x40000000]);
+    // GF(2^8) × 2 table
+    var _AX2 = new Uint8Array(256);
+    for (var _ai=0;_ai<256;_ai++) _AX2[_ai]=((_ai<<1)^(_ai&0x80?0x1b:0))&0xff;
+
+    function _aesKeyExp(key) {
+      // key: 32-byte Uint8Array → 60-word key schedule (AES-256, 14 rounds)
+      var W=new Uint32Array(60);
+      for (var i=0;i<8;i++) W[i]=(key[4*i]<<24)|(key[4*i+1]<<16)|(key[4*i+2]<<8)|key[4*i+3];
+      for (var i=8;i<60;i++) {
+        var t=W[i-1];
+        if (i%8===0) {
+          // SubWord(RotWord(t)) XOR Rcon
+          t=(_AS[(t>>16)&0xff]<<24)|(_AS[(t>>8)&0xff]<<16)|(_AS[t&0xff]<<8)|_AS[(t>>24)&0xff];
+          t^=_ARC[(i>>3)-1];
+        } else if (i%8===4) {
+          t=(_AS[(t>>24)&0xff]<<24)|(_AS[(t>>16)&0xff]<<16)|(_AS[(t>>8)&0xff]<<8)|_AS[t&0xff];
+        }
+        W[i]=W[i-8]^t;
+      }
+      return W;
+    }
+
+    function _aesEnc(blk, W) {
+      // Encrypt one 16-byte block. State is column-major: column c = bytes s[4c..4c+3].
+      var s=new Uint8Array(16); s.set(blk);
+      // Round 0: AddRoundKey
+      for (var c=0;c<4;c++){var w=W[c];s[4*c]^=(w>>24)&0xff;s[4*c+1]^=(w>>16)&0xff;s[4*c+2]^=(w>>8)&0xff;s[4*c+3]^=w&0xff;}
+      for (var round=1;round<=14;round++) {
+        // SubBytes
+        for (var i=0;i<16;i++) s[i]=_AS[s[i]];
+        // ShiftRows: row r (= indices r,4+r,8+r,12+r) shifts left by r
+        var t;
+        t=s[1];s[1]=s[5];s[5]=s[9];s[9]=s[13];s[13]=t;         // row 1: shift-left 1
+        t=s[2];s[2]=s[10];s[10]=t; t=s[6];s[6]=s[14];s[14]=t;  // row 2: shift-left 2
+        t=s[15];s[15]=s[11];s[11]=s[7];s[7]=s[3];s[3]=t;        // row 3: shift-left 3
+        // MixColumns (skipped in last round)
+        if (round<14) {
+          for (var c=0;c<4;c++) {
+            var i=4*c,a=s[i],b=s[i+1],cc=s[i+2],d=s[i+3];
+            s[i]  =_AX2[a]^_AX2[b]^b^cc^d;
+            s[i+1]=a^_AX2[b]^_AX2[cc]^cc^d;
+            s[i+2]=a^b^_AX2[cc]^_AX2[d]^d;
+            s[i+3]=_AX2[a]^a^b^cc^_AX2[d];
+          }
+        }
+        // AddRoundKey
+        for (var c=0;c<4;c++){var w=W[round*4+c];s[4*c]^=(w>>24)&0xff;s[4*c+1]^=(w>>16)&0xff;s[4*c+2]^=(w>>8)&0xff;s[4*c+3]^=w&0xff;}
+      }
+      return s;
+    }
+
+    // ── AES-GCM ───────────────────────────────────────────────────────────
+    // GF(2^128) multiply per GCM spec: R = 0xe1 followed by 15 zero bytes.
+    function _gcmMul(X, Y) {
+      var Z=new Uint8Array(16), V=new Uint8Array(Y);
+      for (var i=0;i<16;i++) {
+        for (var j=7;j>=0;j--) {
+          if ((X[i]>>j)&1) for (var k=0;k<16;k++) Z[k]^=V[k];
+          var lsb=V[15]&1;
+          for (var k=15;k>0;k--) V[k]=(V[k]>>>1)|((V[k-1]&1)<<7);
+          V[0]=V[0]>>>1;
+          if (lsb) V[0]^=0xe1;
+        }
+      }
+      return Z;
+    }
+
+    // Compute GCM auth tag: GHASH(pad(AAD)||pad(CT)||len64(AAD)||len64(CT)) then XOR AES(J0).
+    function _gcmTag(W, H, J0, ct, aad) {
+      var ap=(16-aad.length%16)%16, cp=(16-ct.length%16)%16;
+      var buf=new Uint8Array(aad.length+ap+ct.length+cp+16);
+      buf.set(aad,0); buf.set(ct,aad.length+ap);
+      var lo=aad.length+ap+ct.length+cp;
+      var ab=aad.length*8, cb=ct.length*8;
+      // 64-bit big-endian lengths (upper 32 bits are 0 for files < 512 MB)
+      buf[lo+4]=(ab>>>24)&0xff;buf[lo+5]=(ab>>>16)&0xff;buf[lo+6]=(ab>>>8)&0xff;buf[lo+7]=ab&0xff;
+      buf[lo+12]=(cb>>>24)&0xff;buf[lo+13]=(cb>>>16)&0xff;buf[lo+14]=(cb>>>8)&0xff;buf[lo+15]=cb&0xff;
+      // GHASH
+      var Y=new Uint8Array(16);
+      for (var i=0;i<buf.length;i+=16) {
+        var blk=new Uint8Array(16); blk.set(buf.slice(i,i+16));
+        for (var j=0;j<16;j++) Y[j]^=blk[j];
+        Y=_gcmMul(Y,H);
+      }
+      // T = AES(J0) XOR GHASH
+      var EJ=_aesEnc(J0,W), T=new Uint8Array(16);
+      for (var i=0;i<16;i++) T[i]=EJ[i]^Y[i];
+      return T;
+    }
+
+    // CTR-mode keystream: counter starts at INC32(J0), increments for each 16-byte block.
+    function _gcmCtr(W, J0, data) {
+      var ctr=new Uint8Array(J0), out=new Uint8Array(data.length);
+      for (var i=0;i<data.length;i+=16) {
+        var v=((ctr[12]<<24)|(ctr[13]<<16)|(ctr[14]<<8)|ctr[15]);
+        v=(v+1)>>>0;
+        ctr[12]=(v>>24)&0xff;ctr[13]=(v>>16)&0xff;ctr[14]=(v>>8)&0xff;ctr[15]=v&0xff;
+        var ks=_aesEnc(ctr,W);
+        for (var j=0;j<Math.min(16,data.length-i);j++) out[i+j]=data[i+j]^ks[j];
+      }
+      return out;
+    }
+
+    // ── CryptoKey shim ────────────────────────────────────────────────────
+    function _OWKey(data, alg) { this.__ow_data=data; this.__ow_alg=alg; }
+
+    // ── crypto.subtle ─────────────────────────────────────────────────────
+    crypto.subtle = {
+
+      digest: function (algorithm, data) {
+        var name=(typeof algorithm==='string'?algorithm:(algorithm&&algorithm.name)||'')
+          .toUpperCase().replace(/-/g,'');
+        if (name==='SHA256') return Promise.resolve(_sha256(_toU8(data)).buffer);
+        if (name==='SHA1')   return Promise.resolve(_sha1(_toU8(data)).buffer);
+        return Promise.reject(new Error('[polyfill] crypto.subtle.digest: unsupported "'+algorithm+'"'));
+      },
+
+      // Wrap raw key material for later use by deriveKey / encrypt / decrypt
+      importKey: function (format, keyData, algorithm, extractable, usages) {
+        if (format==='raw') {
+          var alg=(typeof algorithm==='string'?algorithm:(algorithm&&algorithm.name)||'').toUpperCase();
+          return Promise.resolve(new _OWKey(_toU8(keyData), alg));
+        }
+        return Promise.reject(new Error('[polyfill] crypto.subtle.importKey: unsupported format "'+format+'"'));
+      },
+
+      // PBKDF2 only — offloaded to /api/pbkdf2 (native Node crypto) because
+      // 100 000 iterations of pure-JS SHA-256 would freeze the browser for ~10 s.
+      deriveKey: function (algorithm, baseKey, derivedKeyType, extractable, usages) {
+        var algName=(typeof algorithm==='string'?algorithm:(algorithm&&algorithm.name)||'').toUpperCase();
+        if (algName==='PBKDF2') {
+          var salt=_toU8(algorithm.salt), iters=algorithm.iterations;
+          var dkLen=((derivedKeyType&&derivedKeyType.length)||256)/8;
+          var pwHex=Array.from(baseKey.__ow_data).map(function(b){return b.toString(16).padStart(2,'0');}).join('');
+          var saltHex=Array.from(salt).map(function(b){return b.toString(16).padStart(2,'0');}).join('');
+          return fetch('/api/pbkdf2',{
+            method:'POST',
+            headers:{'Content-Type':'application/json'},
+            body:JSON.stringify({password:pwHex,salt:saltHex,iterations:iters,keyLen:dkLen})
+          }).then(function(r){
+            if(!r.ok) throw new Error('[polyfill] /api/pbkdf2 returned '+r.status);
+            return r.json();
+          }).then(function(d){
+            var dk=new Uint8Array(dkLen);
+            for (var i=0;i<dkLen;i++) dk[i]=parseInt(d.key.slice(i*2,i*2+2),16);
+            return new _OWKey(dk,'AES-GCM');
+          });
+        }
+        return Promise.reject(new Error('[polyfill] crypto.subtle.deriveKey: unsupported "'+algName+'"'));
+      },
+
+      // AES-GCM encrypt — returns ArrayBuffer of ciphertext || 16-byte auth tag
+      encrypt: function (algorithm, key, data) {
+        var name=(typeof algorithm==='string'?algorithm:(algorithm&&algorithm.name)||'').toUpperCase();
+        if (name==='AES-GCM') {
+          try {
+            var iv=_toU8(algorithm.iv), pt=_toU8(data);
+            var W=_aesKeyExp(key.__ow_data);
+            var H=_aesEnc(new Uint8Array(16),W);
+            var J0=new Uint8Array(16); J0.set(iv.slice(0,12)); J0[15]=1;
+            var ct=_gcmCtr(W,J0,pt);
+            var tag=_gcmTag(W,H,J0,ct,new Uint8Array(0));
+            var out=new Uint8Array(ct.length+16); out.set(ct); out.set(tag,ct.length);
+            return Promise.resolve(out.buffer);
+          } catch(e) { return Promise.reject(e); }
+        }
+        return Promise.reject(new Error('[polyfill] crypto.subtle.encrypt: unsupported "'+name+'"'));
+      },
+
+      // AES-GCM decrypt — input is ciphertext || 16-byte auth tag
+      decrypt: function (algorithm, key, data) {
+        var name=(typeof algorithm==='string'?algorithm:(algorithm&&algorithm.name)||'').toUpperCase();
+        if (name==='AES-GCM') {
+          try {
+            var iv=_toU8(algorithm.iv), buf=_toU8(data);
+            if (buf.length<16) throw new Error('[polyfill] AES-GCM: data too short');
+            var ct=buf.slice(0,buf.length-16), tag=buf.slice(buf.length-16);
+            var W=_aesKeyExp(key.__ow_data);
+            var H=_aesEnc(new Uint8Array(16),W);
+            var J0=new Uint8Array(16); J0.set(iv.slice(0,12)); J0[15]=1;
+            var expectedTag=_gcmTag(W,H,J0,ct,new Uint8Array(0));
+            var ok=true; for (var i=0;i<16;i++) ok=ok&&(tag[i]===expectedTag[i]);
+            if (!ok) return Promise.reject(new DOMException('AES-GCM: tag mismatch','OperationError'));
+            return Promise.resolve(_gcmCtr(W,J0,ct).buffer);
+          } catch(e) { return Promise.reject(e); }
+        }
+        return Promise.reject(new Error('[polyfill] crypto.subtle.decrypt: unsupported "'+name+'"'));
+      },
+    };
+  })();
+}
+
+// Ordered list of Obsidian's renderer scripts — mirrors the old <script defer>
+// list in index.html. Keep in sync with obsidian/index.html if Obsidian is
+// updated to add or remove scripts.
+const OBSIDIAN_SCRIPTS = [
+  '/obsidian/lib/codemirror/codemirror.js',
+  '/obsidian/lib/codemirror/overlay.js',
+  '/obsidian/lib/codemirror/markdown.js',
+  '/obsidian/lib/codemirror/cm-addons.js',
+  '/obsidian/lib/codemirror/vim.js',
+  '/obsidian/lib/codemirror/meta.min.js',
+  '/obsidian/lib/moment.min.js',
+  '/obsidian/lib/pixi.min.js',
+  '/obsidian/lib/i18next.min.js',
+  '/obsidian/lib/scrypt.js',
+  '/obsidian/lib/turndown.js',
+  '/obsidian/enhance.js',
+  '/obsidian/i18n.js',
+  '/obsidian/app.js',
+];
+
+(function () {
+  // Many Node.js npm packages (e.g. node-forge) reference the Node.js global
+  // object as `global`. In the browser this doesn't exist; alias it to window
+  // so plugins that bundle such packages don't crash on startup.
+  if (typeof global === 'undefined') {
+    window.global = window;
+  }
+
+  const VAULT_BASE = '/vault';
+  const params = new URLSearchParams(location.search);
+  let VAULT_ID = params.get('vault') || localStorage.getItem('obsidian-web:lastVaultId') || '';
+
+  if (!VAULT_ID && location.pathname !== '/starter') {
+    location.href = '/starter';
+    return;
+  }
+
+  if (VAULT_ID) {
+    localStorage.setItem('obsidian-web:lastVaultId', VAULT_ID);
+  }
+
+  // Tell the fs shim what path prefix to strip when talking to the server.
+  window.__owFs.setVaultBase(VAULT_BASE);
+  window.__owFs.setVaultId(VAULT_ID);
+
+  // Auto-trust community plugins in demo mode so the "Do you trust this
+  // vault?" modal doesn't block first-time visitors.
+  // Obsidian checks: localStorage.getItem("enable-plugin-" + appId)
+  if (VAULT_ID) {
+    localStorage.setItem('enable-plugin-' + VAULT_ID, 'true');
+  }
+
+  // Mobile emulation: on small viewports, set the EmulateMobile flag so
+  // Obsidian activates its mobile UI (170 CSS rules + JS behavior).
+  // Obsidian reads this from localStorage before we can intervene, so it
+  // must be set before app.js loads (which it is — boot.js runs first).
+  if (window.innerWidth < 600 || window.innerHeight < 600) {
+    localStorage.setItem('EmulateMobile', '1');
+  } else {
+    localStorage.removeItem('EmulateMobile');
+  }
+
+  // Map module name -> shim object.
+  const modules = {
+    'fs':          window.__owFs,
+    'original-fs': window.__owFs,
+    'path':        window.__owPath,
+    'url':         window.__owUrl,
+    'os':          window.__owOs,
+    'electron':    window.__owElectron,
+    'btime':       window.__owBtime,
+    'crypto':      makeCryptoShim(),
+    'node:crypto': makeCryptoShim(),   // plugins that use the node: prefix
+    'util':        makeUtilShim(),
+    'node:util':   makeUtilShim(),
+    'buffer':      { Buffer: window.Buffer },   // require('buffer').Buffer
+    'process':     window.process,              // require('process')
+    // child_process: stub so plugins that optionally use it (e.g. Templater
+    // system commands) can load. Commands will fail gracefully at runtime.
+    'child_process': makeChildProcessStub(),
+    '@electron/remote': window.__owElectron.remote,
+    // keytar: server-backed credential store (replaces OS keychain)
+    'keytar': makeKeytarShim(),
+  };
+
+  function makeKeytarShim() {
+    function q(service, account) {
+      return '/api/keytar?service=' + encodeURIComponent(service) + '&account=' + encodeURIComponent(account);
+    }
+    return {
+      getPassword(service, account) {
+        return fetch(q(service, account))
+          .then(r => r.ok ? r.json().then(j => j.password) : null)
+          .catch(() => null);
+      },
+      setPassword(service, account, password) {
+        return fetch('/api/keytar', {
+          method: 'PUT',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ service, account, password }),
+        }).then(() => undefined);
+      },
+      deletePassword(service, account) {
+        return fetch(q(service, account), { method: 'DELETE' })
+          .then(r => r.json()).then(j => !!j.ok)
+          .catch(() => false);
+      },
+      findCredentials(service) {
+        return fetch('/api/keytar/all?service=' + encodeURIComponent(service))
+          .then(r => r.ok ? r.json() : [])
+          .catch(() => []);
+      },
+      findPassword(service) {
+        return fetch('/api/keytar/all?service=' + encodeURIComponent(service))
+          .then(r => r.ok ? r.json() : [])
+          .then(entries => entries.length ? entries[0].password : null)
+          .catch(() => null);
+      },
+      // Our server-backed store is always available
+      isEncryptionAvailable() { return true; },
+    };
+  }
+
+  function makeChildProcessStub() {
+    const ERR = new Error('[obsidian-web] child_process is not available in web mode');
+    function noop() {}
+    // Minimal EventEmitter-like object returned by spawn/exec
+    function fakeProc() {
+      return {
+        stdout: { on: noop, pipe: noop },
+        stderr: { on: noop, pipe: noop },
+        stdin:  { write: noop, end: noop },
+        on: noop, once: noop, off: noop,
+        kill: noop, pid: 0,
+      };
+    }
+    return {
+      exec(cmd, opts, cb) {
+        if (typeof opts === 'function') { cb = opts; }
+        if (typeof cb === 'function') { setTimeout(() => cb(ERR, '', ''), 0); }
+        return fakeProc();
+      },
+      execSync() { throw ERR; },
+      spawn() { return fakeProc(); },
+      spawnSync() { return { stdout: '', stderr: '', status: 1, error: ERR }; },
+      execFile(file, args, opts, cb) {
+        if (typeof opts === 'function') { cb = opts; }
+        if (typeof cb === 'function') { setTimeout(() => cb(ERR, '', ''), 0); }
+        return fakeProc();
+      },
+      fork() { return fakeProc(); },
+    };
+  }
+
+  function makeUtilShim() {
+    // Minimal Node.js `util` polyfill.
+    // promisify: wraps a (err, value) callback-style function into a Promise.
+    function promisify(fn) {
+      return function (...args) {
+        return new Promise((resolve, reject) => {
+          fn.call(this, ...args, (err, value) => {
+            if (err) reject(err);
+            else resolve(value);
+          });
+        });
+      };
+    }
+    // callbackify: inverse of promisify.
+    function callbackify(fn) {
+      return function (...args) {
+        const cb = args.pop();
+        fn.apply(this, args).then(
+          (v) => cb(null, v),
+          (e) => cb(e instanceof Error ? e : new Error(String(e))),
+        );
+      };
+    }
+    // inspect: basic stringification (subset of Node's util.inspect).
+    function inspect(obj) {
+      try { return JSON.stringify(obj); } catch (_) { return String(obj); }
+    }
+    // inherits: prototype chain helper used by older Node packages.
+    function inherits(ctor, superCtor) {
+      ctor.super_ = superCtor;
+      Object.setPrototypeOf(ctor.prototype, superCtor.prototype);
+    }
+    return { promisify, callbackify, inspect, inherits };
+  }
+
+  function makeCryptoShim() {
+    // ---- Pure-JS SHA-256 (synchronous, public domain) -------------------------
+    // Used by createHash('sha256') and createHmac('sha256', ...) so that sync
+    // callers (like ion-sync's _computeToken) get real results, not empty strings.
+    const _SHA256_K = new Uint32Array([
+      0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
+      0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
+      0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
+      0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
+      0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
+      0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
+      0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
+      0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2,
+    ]);
+    function _ror32(n, k) { return (n >>> k) | (n << (32 - k)); }
+    function _sha256(data /* Uint8Array */) {
+      const H = new Uint32Array([
+        0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19,
+      ]);
+      const len = data.length;
+      const bc = Math.ceil((len + 9) / 64);
+      const pad = new Uint8Array(bc * 64);
+      pad.set(data);
+      pad[len] = 0x80;
+      const dv = new DataView(pad.buffer);
+      dv.setUint32(pad.length - 4, (len * 8) >>> 0, false);
+      dv.setUint32(pad.length - 8, Math.floor(len / 0x20000000) >>> 0, false);
+      const W = new Uint32Array(64);
+      for (let i = 0; i < bc; i++) {
+        const bv = new DataView(pad.buffer, i * 64, 64);
+        for (let t = 0; t < 16; t++) W[t] = bv.getUint32(t * 4, false);
+        for (let t = 16; t < 64; t++) {
+          const s0 = _ror32(W[t-15],7)^_ror32(W[t-15],18)^(W[t-15]>>>3);
+          const s1 = _ror32(W[t-2],17)^_ror32(W[t-2],19)^(W[t-2]>>>10);
+          W[t] = (W[t-16]+s0+W[t-7]+s1)>>>0;
+        }
+        let a=H[0],b=H[1],c=H[2],d=H[3],e=H[4],f=H[5],g=H[6],h=H[7];
+        for (let t = 0; t < 64; t++) {
+          const S1=_ror32(e,6)^_ror32(e,11)^_ror32(e,25);
+          const ch=(e&f)^(~e&g);
+          const t1=(h+S1+ch+_SHA256_K[t]+W[t])>>>0;
+          const S0=_ror32(a,2)^_ror32(a,13)^_ror32(a,22);
+          const maj=(a&b)^(a&c)^(b&c);
+          const t2=(S0+maj)>>>0;
+          h=g;g=f;f=e;e=(d+t1)>>>0;d=c;c=b;b=a;a=(t1+t2)>>>0;
+        }
+        H[0]=(H[0]+a)>>>0;H[1]=(H[1]+b)>>>0;H[2]=(H[2]+c)>>>0;H[3]=(H[3]+d)>>>0;
+        H[4]=(H[4]+e)>>>0;H[5]=(H[5]+f)>>>0;H[6]=(H[6]+g)>>>0;H[7]=(H[7]+h)>>>0;
+      }
+      const out = new Uint8Array(32);
+      const ov = new DataView(out.buffer);
+      for (let i = 0; i < 8; i++) ov.setUint32(i*4, H[i], false);
+      return out;
+    }
+    function _hmacSha256(key, data) {
+      const BS = 64;
+      let k = key.length > BS ? _sha256(key) : key;
+      const k0 = new Uint8Array(BS); k0.set(k);
+      const ip = new Uint8Array(BS), op = new Uint8Array(BS);
+      for (let i = 0; i < BS; i++) { ip[i] = k0[i]^0x36; op[i] = k0[i]^0x5c; }
+      const inner = new Uint8Array(BS + data.length); inner.set(ip); inner.set(data, BS);
+      const ih = _sha256(inner);
+      const outer = new Uint8Array(BS + 32); outer.set(op); outer.set(ih, BS);
+      return _sha256(outer);
+    }
+    function _toBytes(v) {
+      if (typeof v === 'string') return new TextEncoder().encode(v);
+      if (v instanceof Uint8Array) return v;
+      if (v && v.buffer) return new Uint8Array(v.buffer, v.byteOffset || 0, v.byteLength);
+      return new Uint8Array(v);
+    }
+    function _encodeResult(bytes, enc) {
+      if (!enc || enc === 'buffer') return bytes;
+      if (enc === 'hex') return Array.from(bytes).map(b => b.toString(16).padStart(2,'0')).join('');
+      if (enc === 'base64') return btoa(String.fromCharCode(...bytes));
+      return bytes;
+    }
+    function _makeHasher(computeFn) {
+      const chunks = [];
+      const h = {
+        update(data) { chunks.push(_toBytes(data)); return h; },
+        digest(enc, cb) {
+          if (typeof enc === 'function') { cb = enc; enc = 'hex'; }
+          const combined = new Uint8Array(chunks.reduce((s,c) => s+c.length, 0));
+          let off = 0; for (const c of chunks) { combined.set(c, off); off += c.length; }
+          const result = _encodeResult(computeFn(combined), enc);
+          if (typeof cb === 'function') { cb(null, result); return h; }
+          return result;
+        },
+      };
+      return h;
+    }
+    // ---------------------------------------------------------------------------
+
+    return {
+      randomBytes(n) {
+        const arr = new Uint8Array(n);
+        crypto.getRandomValues(arr);
+        arr.toString = function (encoding) {
+          if (encoding === 'hex') {
+            let s = '';
+            for (let i = 0; i < this.length; i++) s += this[i].toString(16).padStart(2, '0');
+            return s;
+          }
+          return Uint8Array.prototype.toString.call(this);
+        };
+        return arr;
+      },
+      createHash(algo) {
+        const al = (algo || '').toLowerCase().replace('-','');
+        if (al === 'sha256') return _makeHasher(_sha256);
+        // For other algos: async via SubtleCrypto; sync path returns empty.
+        const algoMap = { sha1: 'SHA-1', sha512: 'SHA-512', md5: 'SHA-256' };
+        const subtleAlgo = algoMap[al] || 'SHA-256';
+        const chunks = [];
+        const h = {
+          update(data) {
+            chunks.push(typeof data === 'string' ? new TextEncoder().encode(data) : data);
+            return h;
+          },
+          digest(encoding, cb) {
+            if (typeof encoding === 'function') { cb = encoding; encoding = 'hex'; }
+            if (typeof cb === 'function') {
+              const combined = new Uint8Array(chunks.reduce((s, c) => s + c.length, 0));
+              let off = 0;
+              for (const c of chunks) { combined.set(c, off); off += c.length; }
+              crypto.subtle.digest(subtleAlgo, combined).then((buf) => {
+                const bytes = new Uint8Array(buf);
+                const s = Array.from(bytes).map(b => b.toString(16).padStart(2,'0')).join('');
+                cb(null, encoding === 'hex' ? s : bytes);
+              }).catch((err) => cb(err));
+              return h;
+            }
+            console.warn('[obsidian-web] crypto.createHash(' + algo + ').digest() sync — returning empty');
+            return encoding === 'hex' ? '' : new Uint8Array(0);
+          },
+        };
+        return h;
+      },
+      createHmac(algo, key) {
+        const al = (algo || '').toLowerCase().replace('-','');
+        const keyBytes = _toBytes(key);
+        if (al === 'sha256') return _makeHasher((data) => _hmacSha256(keyBytes, data));
+        console.warn('[obsidian-web] crypto.createHmac: unsupported algo', algo, '— returning zeros');
+        return _makeHasher(() => new Uint8Array(32));
+      },
+    };
+  }
+
+  // ── Missing-shim tracker ────────────────────────────────────────────────
+  // Collects every require(), sendSync(), and send() call that we don't handle.
+  // Inspect from DevTools: __owMissing.summary() / .table() / .list()
+  (function () {
+    const hits = new Map(); // key → { type, name, count, firstSeen, lastSeen }
+
+    function record(type, name) {
+      const key = type + ':' + name;
+      const now = Math.round(performance.now());
+      if (hits.has(key)) {
+        const e = hits.get(key);
+        e.count++;
+        e.lastSeen = now;
+      } else {
+        hits.set(key, { type, name, count: 1, firstSeen: now, lastSeen: now });
+      }
+    }
+
+    function summary() {
+      const rows = [...hits.values()].sort((a, b) => b.count - a.count);
+      if (rows.length === 0) {
+        console.log('[obsidian-web] __owMissing: nothing missing \u2713');
+        return [];
+      }
+      console.group('[obsidian-web] Missing shims — ' + rows.length + ' distinct, ' +
+        rows.reduce((s, r) => s + r.count, 0) + ' total calls');
+      console.table(rows.map(r => ({
+        type: r.type, name: r.name, count: r.count,
+        'first(ms)': r.firstSeen, 'last(ms)': r.lastSeen,
+      })));
+      console.groupEnd();
+      return rows;
+    }
+
+    window.__owMissing = { record, summary, list: () => [...hits.values()] };
+  })();
+
+  // Install window.require.
+  window.require = function (name) {
+    if (Object.prototype.hasOwnProperty.call(modules, name)) {
+      return modules[name];
+    }
+    console.warn('[obsidian-web] window.require: unknown module "' + name + '"');
+    window.__owMissing && window.__owMissing.record('require', name);
+    return undefined;
+  };
+
+  // Some Obsidian code reads window.electron directly (bypassing require).
+  window.electron = window.__owElectron;
+
+  // Some Obsidian code reads window.process.platform / arch.
+  window.process = window.process || {
+    platform: 'linux',
+    arch: 'x64',
+    versions: { electron: '0.0.0', node: '0.0.0' },
+    env: {},
+    cwd: () => '/',
+    nextTick: (fn, ...args) => Promise.resolve().then(() => fn(...args)),
+  };
+
+  // Set the global Buffer if Obsidian needs it. We don't ship a full
+  // Buffer polyfill yet - if something blows up here, that's our cue.
+  if (!window.Buffer) {
+    window.Buffer = {
+      from: (data, encoding) => {
+        if (typeof data === 'string') {
+          if (encoding === 'base64') {
+            const bin = atob(data);
+            const arr = new Uint8Array(bin.length);
+            for (let i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
+            return arr;
+          }
+          return new TextEncoder().encode(data);
+        }
+        return new Uint8Array(data);
+      },
+      isBuffer: (x) => x instanceof Uint8Array,
+      alloc: (n) => new Uint8Array(n),
+    };
+  }
+
+  // Expose the vault path where Obsidian expects to find one.
+  // It will be passed when Obsidian opens a vault; our launcher
+  // (later) tells Obsidian to open VAULT_BASE.
+  window.__obsidianWeb = {
+    vaultBase: VAULT_BASE,
+    vaultId: VAULT_ID,
+  };
+
+  console.log('[obsidian-web] boot complete; require + shims installed');
+
+  // ── Async bootstrap + dynamic script injection ──────────────────────────
+  //
+  // All synchronous setup above (window.require, shims, globals) is complete
+  // before this block runs. The fetch is async so the spinner renders
+  // immediately without blocking the main thread.
+  //
+  // After the cache is populated we inject Obsidian's scripts with async=false:
+  // the browser downloads them in parallel but executes them in insertion
+  // order, so Obsidian's dependencies are always satisfied.
+  //
+  // sendSync() / statSync() are only called AFTER app.js starts running,
+  // which is after this promise resolves — so the cache is always ready.
+  if (VAULT_ID && location.pathname !== '/starter') {
+    var statusEl = document.getElementById('ow-status');
+    var pollTimer = null;
+    var vaultParam = encodeURIComponent(VAULT_ID);
+
+    // Start polling /api/bootstrap/status after 2 seconds of waiting.
+    // Shows progress to the user during slow cold-start builds.
+    var pollDelay = setTimeout(function () {
+      pollTimer = setInterval(function () {
+        fetch('/api/bootstrap/status?vault=' + vaultParam)
+          .then(function (r) { return r.json(); })
+          .then(function (s) {
+            if (!statusEl || s.state === 'idle' || s.state === 'ready') return;
+            var text = s.label || '';
+            if (s.state === 'scanning' && s.dirs) {
+              text += ' (' + s.dirs + ' dirs, ' + (s.files || 0) + ' files)';
+            }
+            if (s.state === 'reading' && s.filesRead) {
+              text += ' (' + s.filesRead + '/' + (s.total || '?') + ')';
+            }
+            statusEl.textContent = text;
+          })
+          .catch(function () {});
+      }, 1000);
+    }, 2000);
+
+    function stopPolling() {
+      clearTimeout(pollDelay);
+      if (pollTimer) clearInterval(pollTimer);
+    }
+
+    fetch('/api/bootstrap?vault=' + vaultParam + '&full=1')
+      .then(function (res) {
+        if (!res.ok) throw new Error('HTTP ' + res.status);
+        return res.json();
+      })
+      .then(function (data) {
+        stopPolling();
+        var vault = data.electron && data.electron['vault'];
+        if (!vault || !vault.id) {
+          localStorage.removeItem('obsidian-web:lastVaultId');
+          location.href = '/starter';
+          return;
+        }
+        window.__owBootstrapCache = data;
+        if (statusEl) statusEl.textContent = 'Loading Obsidian...';
+        console.log('[obsidian-web] bootstrap loaded: ' + Object.keys(data.fs).length + ' files pre-cached');
+
+        // Inject Obsidian's scripts in order. async=false preserves execution
+        // order while allowing parallel download.
+        var loaded = 0;
+        for (var i = 0; i < OBSIDIAN_SCRIPTS.length; i++) {
+          var s = document.createElement('script');
+          s.src = OBSIDIAN_SCRIPTS[i];
+          s.async = false;
+          s.onload = function () {
+            loaded++;
+            if (statusEl) statusEl.textContent = 'Loading Obsidian (' + loaded + '/' + OBSIDIAN_SCRIPTS.length + ')';
+          };
+          document.head.appendChild(s);
+        }
+
+        // Hide the loading overlay once Obsidian's workspace element appears,
+        // then apply post-boot patches that need window.app to be ready.
+        var overlay = document.getElementById('ow-loading');
+        if (overlay) {
+          var obs = new MutationObserver(function () {
+            if (document.querySelector('.workspace')) {
+              overlay.remove();
+              obs.disconnect();
+              _owPatchWorkspace();
+            }
+          });
+          obs.observe(document.body, { childList: true, subtree: true });
+        }
+
+        // Converts an app:// or file:// asset URL to an /api/fs/read HTTP URL.
+        // app://local/vault/images/photo.png → /api/fs/read?path=images%2Fphoto.png
+        // file:///vault/images/photo.png    → /api/fs/read?path=images%2Fphoto.png
+        function _owAssetHref(src) {
+          if (!src) return null;
+          var vaultId = window.__obsidianWeb && window.__obsidianWeb.vaultId;
+          var vaultParam = vaultId ? '&vault=' + encodeURIComponent(vaultId) : '';
+          var rel = null;
+
+          if (src.startsWith('app://local/')) {
+            // app://local/<vaultBase>/<rel>  e.g. app://local/vault/img.png
+            var after = src.slice('app://local/'.length); // 'vault/img.png'
+            var vaultBase = 'vault'; // matches VAULT_BASE ('/vault') without leading slash
+            if (after.startsWith(vaultBase + '/')) {
+              rel = after.slice(vaultBase.length + 1);
+            } else {
+              rel = after; // fallback: use entire path after app://local/
+            }
+          } else if (src.startsWith('file:///vault/')) {
+            rel = src.slice('file:///vault/'.length);
+          } else if (src.startsWith('file:///')) {
+            rel = src.slice('file:///'.length);
+          }
+
+          if (!rel) return null;
+          return '/api/fs/read?path=' + encodeURIComponent(rel) + vaultParam;
+        }
+
+        function _owFixAssetEl(el) {
+          var src = el.getAttribute('src') || el.getAttribute('href');
+          if (!src) return;
+          if (!src.startsWith('app://') && !src.startsWith('file://')) return;
+          var fixed = _owAssetHref(src);
+          if (!fixed) return;
+          if (el.tagName === 'LINK') {
+            el.setAttribute('href', fixed);
+          } else {
+            el.setAttribute('src', fixed);
+          }
+        }
+
+        function _owInstallAssetRewriter() {
+          // Fix any already-present asset elements (shouldn't be any yet, but
+          // running it once costs nothing).
+          ['img', 'video', 'audio', 'source'].forEach(function (tag) {
+            document.querySelectorAll(tag).forEach(_owFixAssetEl);
+          });
+
+          // Watch for new/modified elements and fix them as they appear.
+          var assetObs = new MutationObserver(function (mutations) {
+            for (var i = 0; i < mutations.length; i++) {
+              var m = mutations[i];
+              // New nodes added to DOM.
+              for (var j = 0; j < m.addedNodes.length; j++) {
+                var node = m.addedNodes[j];
+                if (node.nodeType !== 1) continue; // elements only
+                _owFixAssetEl(node);
+                // Also fix descendants (e.g. an <img> inside an added <div>).
+                node.querySelectorAll && node.querySelectorAll('img,video,audio,source').forEach(_owFixAssetEl);
+              }
+              // src/href attribute changed on an existing element.
+              if (m.type === 'attributes') {
+                _owFixAssetEl(m.target);
+              }
+            }
+          });
+          assetObs.observe(document.body, {
+            childList: true,
+            subtree: true,
+            attributes: true,
+            attributeFilter: ['src', 'href'],
+          });
+        }
+
+        // Patch workspace methods that rely on Electron-native APIs unavailable
+        // in the browser. Retries briefly in case window.app is not yet set.
+        function _owPatchWorkspace(attempt) {
+          attempt = attempt || 0;
+          if (!window.app || !window.app.workspace) {
+            if (attempt < 10) setTimeout(function () { _owPatchWorkspace(attempt + 1); }, 50);
+            return;
+          }
+          var ws = window.app.workspace;
+
+          // vault.getResourcePath: Obsidian calls this for every embedded asset
+          // (images, audio, video, PDFs). In Electron it returns app://local/...
+          // which browsers can't load. Build the URL directly from file.path
+          // (the clean vault-relative path, no protocol prefix, no timestamp)
+          // rather than trying to parse the Electron URL format.
+          if (window.app.vault && typeof window.app.vault.getResourcePath === 'function') {
+            window.app.vault.getResourcePath = function (file) {
+              var vaultId = window.__obsidianWeb && window.__obsidianWeb.vaultId;
+              var vaultParam = vaultId ? '&vault=' + encodeURIComponent(vaultId) : '';
+              return '/api/fs/read?path=' + encodeURIComponent((file && file.path) || '') + vaultParam;
+            };
+          }
+
+          // MutationObserver fallback: rewrite any app:// or file:// src attrs
+          // that slip through (e.g. images in notes already open at load time,
+          // or plugins that bypass getResourcePath).
+          _owInstallAssetRewriter();
+
+          // openPopoutLeaf: Obsidian checks for a native Electron BrowserWindow
+          // via an internal validation function (V0) that throws "re-install"
+          // when running in a plain browser. Replace it to open a new browser
+          // tab with the same vault instead.
+          if (typeof ws.openPopoutLeaf === 'function') {
+            ws.openPopoutLeaf = function _owOpenPopoutLeaf() {
+              var params = new URLSearchParams(location.search);
+              var vaultId = params.get('vault') ||
+                (window.__obsidianWeb && window.__obsidianWeb.vaultId);
+              var url = vaultId
+                ? location.origin + '/?vault=' + encodeURIComponent(vaultId)
+                : location.origin + '/';
+              // Use the shell.openExternal shim which holds a pre-Obsidian
+              // reference to window.open (Obsidian patches window.open to
+              // route through its link handler, causing infinite recursion).
+              if (window.__owElectron && window.__owElectron.shell) {
+                window.__owElectron.shell.openExternal(url);
+              } else {
+                window.open(url, '_blank', 'noopener,noreferrer');
+              }
+            };
+          }
+        }
+      })
+      .catch(function (err) {
+        stopPolling();
+        console.warn('[obsidian-web] bootstrap failed:', err.message);
+        localStorage.removeItem('obsidian-web:lastVaultId');
+        location.href = '/starter';
+      });
+  }
+})();
diff --git a/src/client/shims/original-fs.js b/src/client/shims/original-fs.js
index b80d257..96cde3b 100644
--- a/src/client/shims/original-fs.js
+++ b/src/client/shims/original-fs.js
@@ -1,607 +1,607 @@
-/**
- * Browser shim for Node's `original-fs` (and `fs`) module.
- *
- * Translates fs calls into HTTP requests against /api/fs/*. Implements
- * the subset of the API Obsidian actually uses, plus the matching
- * .promises namespace.
- *
- * Obsidian uses absolute paths from the vault's basePath. The server
- * sandboxes everything to the vault root; we strip the configured
- * vault base before sending paths over the wire.
- */
-(function (global) {
-  // The vault base path that Obsidian sees. Boot fills this in.
-  let vaultBase = '/vault';
-  let vaultId = '';
-
-  function setVaultBase(p) {
-    vaultBase = p;
-  }
-
-  function setVaultId(id) {
-    vaultId = id || '';
-  }
-
-  function vaultQuery() {
-    return vaultId ? 'vault=' + encodeURIComponent(vaultId) + '&' : '';
-  }
-
-  function toRelative(p) {
-    if (typeof p !== 'string') throw new TypeError('path must be a string');
-    // Strip the vault base if present so the server sees a relative path.
-    if (p === vaultBase) return '';
-    if (p.startsWith(vaultBase + '/')) return p.slice(vaultBase.length + 1);
-    // Already relative - pass through.
-    if (!p.startsWith('/')) return p;
-    // Some absolute path outside the vault. The server will reject it,
-    // but we let the request happen so the error surfaces naturally.
-    return p.startsWith('/') ? p.slice(1) : p;
-  }
-
-  // ---- Bootstrap cache helpers -----------------------------------------
-  //
-  // window.__owBootstrapCache is populated by boot.js before app.js loads.
-  // Shape: { electron: {...}, fs: { "rel/path": { content, mtime, size } } }
-  // We serve reads from this cache and invalidate entries on writes/deletes.
-
-  function getBootstrapEntry(p) {
-    const cache = global.__owBootstrapCache;
-    if (!cache || !cache.fs) return null;
-    return cache.fs[toRelative(p)] || null;
-  }
-
-  function getBootstrapDir(p) {
-    const cache = global.__owBootstrapCache;
-    if (!cache || !cache.dirs) return null;
-    return cache.dirs[toRelative(p)] || null;
-  }
-
-  function invalidateBootstrap(p) {
-    const cache = global.__owBootstrapCache;
-    if (cache && cache.fs) delete cache.fs[toRelative(p)];
-    // Also invalidate parent dir listing so readdir re-fetches.
-    if (cache && cache.dirs) {
-      const rel = toRelative(p);
-      const parent = rel.includes('/') ? rel.slice(0, rel.lastIndexOf('/')) : '';
-      delete cache.dirs[parent];
-    }
-  }
-
-  function makeStatsFromCache(entry) {
-    const isDir = !!entry.isDirectory;
-    return makeStats({
-      isFile: entry.isFile !== undefined ? entry.isFile : !isDir,
-      isDirectory: isDir,
-      isSymbolicLink: !!entry.isSymbolicLink,
-      size: entry.size || 0,
-      mtime: entry.mtime || 0,
-      ctime: entry.mtime || 0,
-      atime: entry.mtime || 0,
-      birthtime: entry.mtime || 0,
-      mode: isDir ? 0o040755 : 0o100644,
-    });
-  }
-
-  // Returns true if the bootstrap entry has readable text content.
-  function bootstrapHasContent(entry) {
-    return entry !== null && typeof entry.content === 'string';
-  }
-
-  function encodePath(p) {
-    return encodeURIComponent(toRelative(p));
-  }
-
-  // Build a Stats-like object from the JSON the server returns.
-  function makeStats(json) {
-    return {
-      size: json.size,
-      mtime: new Date(json.mtime),
-      ctime: new Date(json.ctime),
-      atime: new Date(json.atime),
-      birthtime: new Date(json.birthtime),
-      mtimeMs: json.mtime,
-      ctimeMs: json.ctime,
-      atimeMs: json.atime,
-      birthtimeMs: json.birthtime,
-      mode: json.mode,
-      isFile: () => json.isFile,
-      isDirectory: () => json.isDirectory,
-      isSymbolicLink: () => json.isSymbolicLink,
-      isBlockDevice: () => false,
-      isCharacterDevice: () => false,
-      isFIFO: () => false,
-      isSocket: () => false,
-    };
-  }
-
-  function makeError(json, syscall, p) {
-    const err = new Error(json.error || 'fs error');
-    err.code = json.code || 'EUNKNOWN';
-    err.syscall = syscall;
-    err.path = p;
-    return err;
-  }
-
-  // Populate fs stat cache for all entries in a dirs cache entry.
-  // Called when serving a readdir from cache, so subsequent stat(path) calls
-  // for files in this directory (including binaries) are answered from cache.
-  function populateStatFromDir(dirPath, entries) {
-    const cache = global.__owBootstrapCache;
-    if (!cache || !cache.fs) return;
-    const dirRel = toRelative(dirPath);
-    for (const e of entries) {
-      if (!e.mtime && !e.size) continue; // no stat info in entry
-      const fileRel = dirRel ? dirRel + '/' + e.name : e.name;
-      if (!cache.fs[fileRel]) {
-        cache.fs[fileRel] = {
-          mtime: e.mtime || 0,
-          size: e.size || 0,
-          isFile: e.isFile,
-          isDirectory: e.isDirectory,
-          isSymbolicLink: e.isSymbolicLink || false,
-        };
-      }
-    }
-  }
-
-  // ---- async API (callback-style) ---------------------------------------
-
-  function statAsync(p, opts, cb) {
-    if (typeof opts === 'function') { cb = opts; opts = {}; }
-    const cached = getBootstrapEntry(p);
-    if (cached) { Promise.resolve().then(() => cb(null, makeStatsFromCache(cached))); return; }
-    fetch('/api/fs/stat?' + vaultQuery() + 'path=' + encodePath(p))
-      .then(async (r) => {
-        const json = await r.json();
-        if (!r.ok) throw makeError(json, 'stat', p);
-        cb(null, makeStats(json));
-      })
-      .catch((err) => cb(err));
-  }
-
-  function readdirAsync(p, opts, cb) {
-    if (typeof opts === 'function') { cb = opts; opts = {}; }
-    const withFileTypes = opts && opts.withFileTypes;
-    const cachedDir = getBootstrapDir(p);
-    if (cachedDir) {
-      // Lazily populate fs stat cache from dirs entries so subsequent
-      // stat(path) calls for files in this directory are answered from cache.
-      populateStatFromDir(p, cachedDir);
-      Promise.resolve().then(() => {
-        if (withFileTypes) {
-          cb(null, cachedDir.map(e => ({
-            name: e.name,
-            isFile: () => e.isFile,
-            isDirectory: () => e.isDirectory,
-            isSymbolicLink: () => e.isSymbolicLink,
-          })));
-        } else {
-          cb(null, cachedDir.map(e => e.name));
-        }
-      });
-      return;
-    }
-    fetch('/api/fs/readdir?' + vaultQuery() + 'path=' + encodePath(p))
-      .then(async (r) => {
-        const json = await r.json();
-        if (!r.ok) throw makeError(json, 'scandir', p);
-        if (withFileTypes) {
-          cb(null, json.map((e) => ({
-            name: e.name,
-            isFile: () => e.isFile,
-            isDirectory: () => e.isDirectory,
-            isSymbolicLink: () => e.isSymbolicLink,
-          })));
-        } else {
-          cb(null, json.map((e) => e.name));
-        }
-      })
-      .catch((err) => cb(err));
-  }
-
-  // The server returns the same JSON envelope for readFile too; if the
-  // caller passed a directory, we want a proper ENOTDIR-like error so
-  // Obsidian's existing try/catch handles it normally instead of
-  // surfacing as an unhandled HTTP failure.
-
-  function readFileAsync(p, opts, cb) {
-    if (typeof opts === 'function') { cb = opts; opts = undefined; }
-    const encoding = typeof opts === 'string' ? opts : (opts && opts.encoding);
-    const cached = getBootstrapEntry(p);
-    if (bootstrapHasContent(cached)) {
-      Promise.resolve().then(() => {
-        cb(null, encoding ? cached.content : new TextEncoder().encode(cached.content));
-      });
-      return;
-    }
-    const url = '/api/fs/read?' + vaultQuery() + 'path=' + encodePath(p) + (encoding ? '&encoding=' + encoding : '');
-    fetch(url)
-      .then(async (r) => {
-        if (!r.ok) {
-          const json = await r.json().catch(() => ({ error: 'read failed' }));
-          throw makeError(json, 'open', p);
-        }
-        if (encoding) {
-          const text = await r.text();
-          cb(null, text);
-        } else {
-          const buf = await r.arrayBuffer();
-          cb(null, new Uint8Array(buf));
-        }
-      })
-      .catch((err) => cb(err));
-  }
-
-  function writeFileAsync(p, data, opts, cb) {
-    // Only evict the file's cached content — the parent dir listing is still
-    // valid (the file exists, just with new content or as a new file).
-    // Evicting dirs is reserved for structural changes (unlink/rename).
-    const _cache = global.__owBootstrapCache;
-    if (_cache && _cache.fs) delete _cache.fs[toRelative(p)];
-    if (typeof opts === 'function') { cb = opts; opts = undefined; }
-    const encoding = typeof opts === 'string' ? opts : (opts && opts.encoding);
-    const url = '/api/fs/write?' + vaultQuery() + 'path=' + encodePath(p) + (encoding ? '&encoding=' + encoding : '');
-    // Always set Content-Type so express.raw() on the server parses the body.
-    // The Fetch API does NOT set Content-Type automatically for binary bodies
-    // (ArrayBuffer, TypedArray, polyfilled Buffer) — without it, body-parser's
-    // type-is check returns false even for type:'*/*', leaving req.body as {}
-    // and causing fsp.writeFile to throw "Received an instance of Object".
-    fetch(url, { method: 'PUT', body: data == null ? '' : data, headers: { 'Content-Type': 'application/octet-stream' } })
-      .then(async (r) => {
-        if (!r.ok) {
-          const json = await r.json().catch(() => ({ error: 'write failed' }));
-          throw makeError(json, 'open', p);
-        }
-        cb && cb(null);
-      })
-      .catch((err) => cb && cb(err));
-  }
-
-  function mkdirAsync(p, opts, cb) {
-    if (typeof opts === 'function') { cb = opts; opts = {}; }
-    fetch('/api/fs/mkdir', {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ path: toRelative(p), recursive: opts && opts.recursive, vault: vaultId }),
-    })
-      .then(async (r) => {
-        if (!r.ok) {
-          const json = await r.json().catch(() => ({ error: 'mkdir failed' }));
-          throw makeError(json, 'mkdir', p);
-        }
-        cb && cb(null);
-      })
-      .catch((err) => cb && cb(err));
-  }
-
-  function unlinkAsync(p, cb) {
-    invalidateBootstrap(p);
-    fetch('/api/fs/unlink?' + vaultQuery() + 'path=' + encodePath(p), { method: 'DELETE' })
-      .then(async (r) => {
-        if (!r.ok) {
-          const json = await r.json().catch(() => ({ error: 'unlink failed' }));
-          throw makeError(json, 'unlink', p);
-        }
-        cb && cb(null);
-      })
-      .catch((err) => cb && cb(err));
-  }
-
-  function renameAsync(oldPath, newPath, cb) {
-    invalidateBootstrap(oldPath);
-    invalidateBootstrap(newPath);
-    fetch('/api/fs/rename', {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ oldPath: toRelative(oldPath), newPath: toRelative(newPath), vault: vaultId }),
-    })
-      .then(async (r) => {
-        if (!r.ok) {
-          const json = await r.json().catch(() => ({ error: 'rename failed' }));
-          throw makeError(json, 'rename', oldPath);
-        }
-        cb && cb(null);
-      })
-      .catch((err) => cb && cb(err));
-  }
-
-  function rmdirAsync(p, opts, cb) {
-    if (typeof opts === 'function') { cb = opts; opts = {}; }
-    const recursive = opts && opts.recursive ? '1' : '0';
-    fetch('/api/fs/rmdir?' + vaultQuery() + 'path=' + encodePath(p) + '&recursive=' + recursive, { method: 'DELETE' })
-      .then(async (r) => {
-        if (!r.ok) {
-          const json = await r.json().catch(() => ({ error: 'rmdir failed' }));
-          throw makeError(json, 'rmdir', p);
-        }
-        cb && cb(null);
-      })
-      .catch((err) => cb && cb(err));
-  }
-
-  function copyFileAsync(src, dest, flags, cb) {
-    if (typeof flags === 'function') { cb = flags; flags = 0; }
-    fetch('/api/fs/copy', {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ src: toRelative(src), dest: toRelative(dest), vault: vaultId }),
-    })
-      .then(async (r) => {
-        if (!r.ok) {
-          const json = await r.json().catch(() => ({ error: 'copy failed' }));
-          throw makeError(json, 'copyfile', src);
-        }
-        cb && cb(null);
-      })
-      .catch((err) => cb && cb(err));
-  }
-
-  function accessAsync(p, mode, cb) {
-    if (typeof mode === 'function') { cb = mode; mode = 0; }
-    statAsync(p, (err) => cb(err || null));
-  }
-
-  // ---- sync API (uses XHR sync) -----------------------------------------
-
-  function statSync(p) {
-    const cached = getBootstrapEntry(p);
-    if (cached) return makeStatsFromCache(cached);
-    // silent404: Obsidian routinely stat()s paths that may not exist yet
-    // (config files, plugins) and handles ENOENT via try/catch.  Suppress
-    // the verbose URL in the error message to keep the console clean.
-    const xhr = global.__owSyncRequest('GET', '/api/fs/stat?' + vaultQuery() + 'path=' + encodePath(p), undefined, { silent404: true });
-    return makeStats(JSON.parse(xhr.responseText));
-  }
-
-  function readFileSync(p, opts) {
-    const encoding = typeof opts === 'string' ? opts : (opts && opts.encoding);
-    const cached = getBootstrapEntry(p);
-    if (bootstrapHasContent(cached)) return encoding ? cached.content : new TextEncoder().encode(cached.content);
-    const url = '/api/fs/read?' + vaultQuery() + 'path=' + encodePath(p) + (encoding ? '&encoding=' + encoding : '');
-    // Use __owSyncRequest with silent404 so missing files throw a clean ENOENT.
-    // Note: sync XHR binary reads are limited to Latin-1 (xhr.responseText
-    // encoding). Multi-byte UTF-8 binary data may be corrupted on this path.
-    // Text reads (encoding=utf8) are safe because the server sends UTF-8 and
-    // the XHR decodes it as a JS string.
-    const xhr = global.__owSyncRequest('GET', url, undefined, { silent404: true });
-    if (encoding) return xhr.responseText;
-    // Binary path - convert text to Uint8Array via overrideMimeType trick.
-    const bytes = new Uint8Array(xhr.responseText.length);
-    for (let i = 0; i < xhr.responseText.length; i++) {
-      bytes[i] = xhr.responseText.charCodeAt(i) & 0xff;
-    }
-    return bytes;
-  }
-
-  function existsSync(p) {
-    try { statSync(p); return true; } catch (_) { return false; }
-  }
-
-  function writeFileSync(p, data, opts) {
-    // Same as writeFileAsync: only evict fs content, not parent dir listing.
-    const _cache = global.__owBootstrapCache;
-    if (_cache && _cache.fs) delete _cache.fs[toRelative(p)];
-    const encoding = typeof opts === 'string' ? opts : (opts && opts.encoding);
-    const url = '/api/fs/write?' + vaultQuery() + 'path=' + encodePath(p) + (encoding ? '&encoding=' + encoding : '');
-    global.__owSyncRequest('PUT', url, data == null ? '' : data);
-  }
-
-  function unlinkSync(p) {
-    invalidateBootstrap(p);
-    global.__owSyncRequest('DELETE', '/api/fs/unlink?' + vaultQuery() + 'path=' + encodePath(p));
-  }
-
-  function mkdirSync(p, opts) {
-    const recursive = !!(opts && opts.recursive);
-    global.__owSyncJson('POST', '/api/fs/mkdir', { path: toRelative(p), recursive, vault: vaultId });
-  }
-
-  function readdirSync(p, opts) {
-    const cachedDir = getBootstrapDir(p);
-    if (cachedDir) {
-      populateStatFromDir(p, cachedDir);
-      const withFileTypes = opts && opts.withFileTypes;
-      if (withFileTypes) {
-        return cachedDir.map(e => ({
-          name: e.name,
-          isFile: () => e.isFile,
-          isDirectory: () => e.isDirectory,
-          isSymbolicLink: () => e.isSymbolicLink,
-        }));
-      }
-      return cachedDir.map(e => e.name);
-    }
-    const xhr = global.__owSyncRequest('GET', '/api/fs/readdir?' + vaultQuery() + 'path=' + encodePath(p));
-    const json = JSON.parse(xhr.responseText);
-    const withFileTypes = opts && opts.withFileTypes;
-    if (withFileTypes) {
-      return json.map((e) => ({
-        name: e.name,
-        isFile: () => e.isFile,
-        isDirectory: () => e.isDirectory,
-        isSymbolicLink: () => e.isSymbolicLink,
-      }));
-    }
-    return json.map((e) => e.name);
-  }
-
-  // ---- promises API ----------------------------------------------------
-
-  function promisify(fn) {
-    return function () {
-      const args = Array.prototype.slice.call(arguments);
-      return new Promise((resolve, reject) => {
-        fn.apply(null, args.concat([(err, val) => err ? reject(err) : resolve(val)]));
-      });
-    };
-  }
-
-  const promises = {
-    stat: promisify(statAsync),
-    lstat: promisify(statAsync), // approximate
-    readdir: promisify(readdirAsync),
-    readFile: promisify(readFileAsync),
-    writeFile: promisify(writeFileAsync),
-    mkdir: promisify(mkdirAsync),
-    unlink: promisify(unlinkAsync),
-    rename: promisify(renameAsync),
-    rmdir: promisify(rmdirAsync),
-    rm: promisify(rmdirAsync),
-    copyFile: promisify(copyFileAsync),
-    access: promisify(accessAsync),
-    realpath: async (p) => p, // identity is good enough for now
-    appendFile: async (p, data, opts) => {
-      // Simple read-modify-write.
-      let existing = '';
-      try { existing = await promises.readFile(p, 'utf8'); } catch (_) { /* new file */ }
-      const next = existing + (typeof data === 'string' ? data : new TextDecoder().decode(data));
-      return promises.writeFile(p, next, opts || 'utf8');
-    },
-    utimes: async () => { /* no-op for now */ },
-  };
-
-  // ---- fs.watch via WebSocket -----------------------------------------
-
-  let watchSocket = null;
-  const watchListeners = new Set();
-
-  function ensureWatchSocket() {
-    if (watchSocket && watchSocket.readyState <= 1) return watchSocket;
-    const proto = location.protocol === 'https:' ? 'wss:' : 'ws:';
-    watchSocket = new WebSocket(proto + '//' + location.host + '/api/watch' + (vaultId ? '?vault=' + encodeURIComponent(vaultId) : ''));
-    watchSocket.onmessage = (ev) => {
-      let msg;
-      try { msg = JSON.parse(ev.data); } catch (_) { return; }
-      if (msg.type === 'ready') return;
-      console.log('[fs.watch] ws message:', msg.type, msg.path, '| listeners:', watchListeners.size);
-      // Invalidate bootstrap cache for the changed path.
-      // 'change' = content update: only evict the file from fs cache.
-      //   Do NOT evict the parent dir listing — the file still exists there.
-      // Structural events (add/unlink/addDir/unlinkDir/rename/reset): evict
-      //   both the file and its parent dir listing so readdir re-fetches.
-      if (msg.path) {
-        const absPath = vaultBase + '/' + msg.path;
-        if (msg.type === 'change') {
-          const cache = global.__owBootstrapCache;
-          if (cache && cache.fs) delete cache.fs[toRelative(absPath)];
-        } else {
-          invalidateBootstrap(absPath);
-        }
-      }
-      for (const l of watchListeners) l(msg);
-    };
-    watchSocket.onclose = () => { watchSocket = null; };
-    return watchSocket;
-  }
-
-  // fs.watch returns an FSWatcher (EventEmitter). Obsidian uses both
-  // shapes: passing a callback as the 3rd arg AND chaining .on('change').on('error').
-  // Our return value implements both.
-  function watch(p, opts, listener) {
-    if (typeof opts === 'function') { listener = opts; opts = {}; }
-    ensureWatchSocket();
-    const rel = toRelative(p).replace(/\\/g, '/');
-
-    // Per-event-type listeners (for the .on() chain).
-    const handlers = { change: new Set(), error: new Set(), rename: new Set(), close: new Set() };
-    // The third-arg listener (Node fs.watch callback) receives ALL event types,
-    // not just 'change'. Register it on both so rename events (add/delete/move)
-    // reach it too.
-    if (listener) {
-      handlers.change.add(listener);
-      handlers.rename.add(listener);
-    }
-
-    function emit(eventType, ...args) {
-      for (const fn of handlers[eventType] || []) {
-        try { fn(...args); } catch (e) { console.error('[fs.watch] handler error:', e); }
-      }
-    }
-
-    const onMessage = (msg) => {
-      if (!msg.path) return;
-      // Filter: emit only events under the watched path.
-      if (rel !== '' && msg.path !== rel && !msg.path.startsWith(rel + '/')) return;
-      // Map chokidar event types to Node fs.watch's 'rename' / 'change'.
-      // In Node.js fs.watch, the EventEmitter ALWAYS fires the 'change' event
-      // regardless of rename vs. content change. The eventType string ('rename'
-      // or 'change') is passed as the first argument to the callback so the
-      // handler knows what happened. There is no separate 'rename' EventEmitter
-      // event — Obsidian registers .on('change', fn) expecting all event types.
-      const eventType = msg.type === 'change' ? 'change' : 'rename';
-      const filename = rel === '' ? msg.path : msg.path.slice(rel.length + 1) || msg.path;
-      emit('change', eventType, filename);
-    };
-    watchListeners.add(onMessage);
-
-    const watcher = {
-      on(eventType, fn) {
-        if (handlers[eventType]) handlers[eventType].add(fn);
-        return watcher;
-      },
-      off(eventType, fn) {
-        if (handlers[eventType]) handlers[eventType].delete(fn);
-        return watcher;
-      },
-      addListener(eventType, fn) { return watcher.on(eventType, fn); },
-      removeListener(eventType, fn) { return watcher.off(eventType, fn); },
-      removeAllListeners(eventType) {
-        if (eventType && handlers[eventType]) handlers[eventType].clear();
-        else for (const k in handlers) handlers[k].clear();
-        return watcher;
-      },
-      close() {
-        watchListeners.delete(onMessage);
-        emit('close');
-      },
-      ref() { return watcher; },
-      unref() { return watcher; },
-    };
-    return watcher;
-  }
-
-  // ---- module export ---------------------------------------------------
-
-  const fsShim = {
-    // async (callback) API
-    stat: statAsync,
-    lstat: statAsync,
-    readdir: readdirAsync,
-    readFile: readFileAsync,
-    writeFile: writeFileAsync,
-    mkdir: mkdirAsync,
-    unlink: unlinkAsync,
-    rename: renameAsync,
-    rmdir: rmdirAsync,
-    rm: rmdirAsync,
-    copyFile: copyFileAsync,
-    access: accessAsync,
-    watch,
-    // sync API
-    statSync,
-    lstatSync: statSync,
-    readFileSync,
-    writeFileSync,
-    unlinkSync,
-    mkdirSync,
-    readdirSync,
-    existsSync,
-    accessSync: (p) => { statSync(p); /* throws if missing */ },
-    // constants
-    constants: {
-      F_OK: 0, R_OK: 4, W_OK: 2, X_OK: 1,
-      O_RDONLY: 0, O_WRONLY: 1, O_RDWR: 2,
-      O_CREAT: 64, O_EXCL: 128, O_TRUNC: 512, O_APPEND: 1024,
-    },
-    // promises namespace
-    promises,
-    // setTimes is what FileSystemAdapter calls to update mtime
-    setTimes: function (p, atime, mtime, cb) {
-      cb && cb(null);
-    },
-  };
-
-  global.__owFs = fsShim;
-  global.__owFs.setVaultBase = setVaultBase;
-  global.__owFs.setVaultId = setVaultId;
-})(window);
+/**
+ * Browser shim for Node's `original-fs` (and `fs`) module.
+ *
+ * Translates fs calls into HTTP requests against /api/fs/*. Implements
+ * the subset of the API Obsidian actually uses, plus the matching
+ * .promises namespace.
+ *
+ * Obsidian uses absolute paths from the vault's basePath. The server
+ * sandboxes everything to the vault root; we strip the configured
+ * vault base before sending paths over the wire.
+ */
+(function (global) {
+  // The vault base path that Obsidian sees. Boot fills this in.
+  let vaultBase = '/vault';
+  let vaultId = '';
+
+  function setVaultBase(p) {
+    vaultBase = p;
+  }
+
+  function setVaultId(id) {
+    vaultId = id || '';
+  }
+
+  function vaultQuery() {
+    return vaultId ? 'vault=' + encodeURIComponent(vaultId) + '&' : '';
+  }
+
+  function toRelative(p) {
+    if (typeof p !== 'string') throw new TypeError('path must be a string');
+    // Strip the vault base if present so the server sees a relative path.
+    if (p === vaultBase) return '';
+    if (p.startsWith(vaultBase + '/')) return p.slice(vaultBase.length + 1);
+    // Already relative - pass through.
+    if (!p.startsWith('/')) return p;
+    // Some absolute path outside the vault. The server will reject it,
+    // but we let the request happen so the error surfaces naturally.
+    return p.startsWith('/') ? p.slice(1) : p;
+  }
+
+  // ---- Bootstrap cache helpers -----------------------------------------
+  //
+  // window.__owBootstrapCache is populated by boot.js before app.js loads.
+  // Shape: { electron: {...}, fs: { "rel/path": { content, mtime, size } } }
+  // We serve reads from this cache and invalidate entries on writes/deletes.
+
+  function getBootstrapEntry(p) {
+    const cache = global.__owBootstrapCache;
+    if (!cache || !cache.fs) return null;
+    return cache.fs[toRelative(p)] || null;
+  }
+
+  function getBootstrapDir(p) {
+    const cache = global.__owBootstrapCache;
+    if (!cache || !cache.dirs) return null;
+    return cache.dirs[toRelative(p)] || null;
+  }
+
+  function invalidateBootstrap(p) {
+    const cache = global.__owBootstrapCache;
+    if (cache && cache.fs) delete cache.fs[toRelative(p)];
+    // Also invalidate parent dir listing so readdir re-fetches.
+    if (cache && cache.dirs) {
+      const rel = toRelative(p);
+      const parent = rel.includes('/') ? rel.slice(0, rel.lastIndexOf('/')) : '';
+      delete cache.dirs[parent];
+    }
+  }
+
+  function makeStatsFromCache(entry) {
+    const isDir = !!entry.isDirectory;
+    return makeStats({
+      isFile: entry.isFile !== undefined ? entry.isFile : !isDir,
+      isDirectory: isDir,
+      isSymbolicLink: !!entry.isSymbolicLink,
+      size: entry.size || 0,
+      mtime: entry.mtime || 0,
+      ctime: entry.mtime || 0,
+      atime: entry.mtime || 0,
+      birthtime: entry.mtime || 0,
+      mode: isDir ? 0o040755 : 0o100644,
+    });
+  }
+
+  // Returns true if the bootstrap entry has readable text content.
+  function bootstrapHasContent(entry) {
+    return entry !== null && typeof entry.content === 'string';
+  }
+
+  function encodePath(p) {
+    return encodeURIComponent(toRelative(p));
+  }
+
+  // Build a Stats-like object from the JSON the server returns.
+  function makeStats(json) {
+    return {
+      size: json.size,
+      mtime: new Date(json.mtime),
+      ctime: new Date(json.ctime),
+      atime: new Date(json.atime),
+      birthtime: new Date(json.birthtime),
+      mtimeMs: json.mtime,
+      ctimeMs: json.ctime,
+      atimeMs: json.atime,
+      birthtimeMs: json.birthtime,
+      mode: json.mode,
+      isFile: () => json.isFile,
+      isDirectory: () => json.isDirectory,
+      isSymbolicLink: () => json.isSymbolicLink,
+      isBlockDevice: () => false,
+      isCharacterDevice: () => false,
+      isFIFO: () => false,
+      isSocket: () => false,
+    };
+  }
+
+  function makeError(json, syscall, p) {
+    const err = new Error(json.error || 'fs error');
+    err.code = json.code || 'EUNKNOWN';
+    err.syscall = syscall;
+    err.path = p;
+    return err;
+  }
+
+  // Populate fs stat cache for all entries in a dirs cache entry.
+  // Called when serving a readdir from cache, so subsequent stat(path) calls
+  // for files in this directory (including binaries) are answered from cache.
+  function populateStatFromDir(dirPath, entries) {
+    const cache = global.__owBootstrapCache;
+    if (!cache || !cache.fs) return;
+    const dirRel = toRelative(dirPath);
+    for (const e of entries) {
+      if (!e.mtime && !e.size) continue; // no stat info in entry
+      const fileRel = dirRel ? dirRel + '/' + e.name : e.name;
+      if (!cache.fs[fileRel]) {
+        cache.fs[fileRel] = {
+          mtime: e.mtime || 0,
+          size: e.size || 0,
+          isFile: e.isFile,
+          isDirectory: e.isDirectory,
+          isSymbolicLink: e.isSymbolicLink || false,
+        };
+      }
+    }
+  }
+
+  // ---- async API (callback-style) ---------------------------------------
+
+  function statAsync(p, opts, cb) {
+    if (typeof opts === 'function') { cb = opts; opts = {}; }
+    const cached = getBootstrapEntry(p);
+    if (cached) { Promise.resolve().then(() => cb(null, makeStatsFromCache(cached))); return; }
+    fetch('/api/fs/stat?' + vaultQuery() + 'path=' + encodePath(p))
+      .then(async (r) => {
+        const json = await r.json();
+        if (!r.ok) throw makeError(json, 'stat', p);
+        cb(null, makeStats(json));
+      })
+      .catch((err) => cb(err));
+  }
+
+  function readdirAsync(p, opts, cb) {
+    if (typeof opts === 'function') { cb = opts; opts = {}; }
+    const withFileTypes = opts && opts.withFileTypes;
+    const cachedDir = getBootstrapDir(p);
+    if (cachedDir) {
+      // Lazily populate fs stat cache from dirs entries so subsequent
+      // stat(path) calls for files in this directory are answered from cache.
+      populateStatFromDir(p, cachedDir);
+      Promise.resolve().then(() => {
+        if (withFileTypes) {
+          cb(null, cachedDir.map(e => ({
+            name: e.name,
+            isFile: () => e.isFile,
+            isDirectory: () => e.isDirectory,
+            isSymbolicLink: () => e.isSymbolicLink,
+          })));
+        } else {
+          cb(null, cachedDir.map(e => e.name));
+        }
+      });
+      return;
+    }
+    fetch('/api/fs/readdir?' + vaultQuery() + 'path=' + encodePath(p))
+      .then(async (r) => {
+        const json = await r.json();
+        if (!r.ok) throw makeError(json, 'scandir', p);
+        if (withFileTypes) {
+          cb(null, json.map((e) => ({
+            name: e.name,
+            isFile: () => e.isFile,
+            isDirectory: () => e.isDirectory,
+            isSymbolicLink: () => e.isSymbolicLink,
+          })));
+        } else {
+          cb(null, json.map((e) => e.name));
+        }
+      })
+      .catch((err) => cb(err));
+  }
+
+  // The server returns the same JSON envelope for readFile too; if the
+  // caller passed a directory, we want a proper ENOTDIR-like error so
+  // Obsidian's existing try/catch handles it normally instead of
+  // surfacing as an unhandled HTTP failure.
+
+  function readFileAsync(p, opts, cb) {
+    if (typeof opts === 'function') { cb = opts; opts = undefined; }
+    const encoding = typeof opts === 'string' ? opts : (opts && opts.encoding);
+    const cached = getBootstrapEntry(p);
+    if (bootstrapHasContent(cached)) {
+      Promise.resolve().then(() => {
+        cb(null, encoding ? cached.content : new TextEncoder().encode(cached.content));
+      });
+      return;
+    }
+    const url = '/api/fs/read?' + vaultQuery() + 'path=' + encodePath(p) + (encoding ? '&encoding=' + encoding : '');
+    fetch(url)
+      .then(async (r) => {
+        if (!r.ok) {
+          const json = await r.json().catch(() => ({ error: 'read failed' }));
+          throw makeError(json, 'open', p);
+        }
+        if (encoding) {
+          const text = await r.text();
+          cb(null, text);
+        } else {
+          const buf = await r.arrayBuffer();
+          cb(null, new Uint8Array(buf));
+        }
+      })
+      .catch((err) => cb(err));
+  }
+
+  function writeFileAsync(p, data, opts, cb) {
+    // Only evict the file's cached content — the parent dir listing is still
+    // valid (the file exists, just with new content or as a new file).
+    // Evicting dirs is reserved for structural changes (unlink/rename).
+    const _cache = global.__owBootstrapCache;
+    if (_cache && _cache.fs) delete _cache.fs[toRelative(p)];
+    if (typeof opts === 'function') { cb = opts; opts = undefined; }
+    const encoding = typeof opts === 'string' ? opts : (opts && opts.encoding);
+    const url = '/api/fs/write?' + vaultQuery() + 'path=' + encodePath(p) + (encoding ? '&encoding=' + encoding : '');
+    // Always set Content-Type so express.raw() on the server parses the body.
+    // The Fetch API does NOT set Content-Type automatically for binary bodies
+    // (ArrayBuffer, TypedArray, polyfilled Buffer) — without it, body-parser's
+    // type-is check returns false even for type:'*/*', leaving req.body as {}
+    // and causing fsp.writeFile to throw "Received an instance of Object".
+    fetch(url, { method: 'PUT', body: data == null ? '' : data, headers: { 'Content-Type': 'application/octet-stream' } })
+      .then(async (r) => {
+        if (!r.ok) {
+          const json = await r.json().catch(() => ({ error: 'write failed' }));
+          throw makeError(json, 'open', p);
+        }
+        cb && cb(null);
+      })
+      .catch((err) => cb && cb(err));
+  }
+
+  function mkdirAsync(p, opts, cb) {
+    if (typeof opts === 'function') { cb = opts; opts = {}; }
+    fetch('/api/fs/mkdir', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ path: toRelative(p), recursive: opts && opts.recursive, vault: vaultId }),
+    })
+      .then(async (r) => {
+        if (!r.ok) {
+          const json = await r.json().catch(() => ({ error: 'mkdir failed' }));
+          throw makeError(json, 'mkdir', p);
+        }
+        cb && cb(null);
+      })
+      .catch((err) => cb && cb(err));
+  }
+
+  function unlinkAsync(p, cb) {
+    invalidateBootstrap(p);
+    fetch('/api/fs/unlink?' + vaultQuery() + 'path=' + encodePath(p), { method: 'DELETE' })
+      .then(async (r) => {
+        if (!r.ok) {
+          const json = await r.json().catch(() => ({ error: 'unlink failed' }));
+          throw makeError(json, 'unlink', p);
+        }
+        cb && cb(null);
+      })
+      .catch((err) => cb && cb(err));
+  }
+
+  function renameAsync(oldPath, newPath, cb) {
+    invalidateBootstrap(oldPath);
+    invalidateBootstrap(newPath);
+    fetch('/api/fs/rename', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ oldPath: toRelative(oldPath), newPath: toRelative(newPath), vault: vaultId }),
+    })
+      .then(async (r) => {
+        if (!r.ok) {
+          const json = await r.json().catch(() => ({ error: 'rename failed' }));
+          throw makeError(json, 'rename', oldPath);
+        }
+        cb && cb(null);
+      })
+      .catch((err) => cb && cb(err));
+  }
+
+  function rmdirAsync(p, opts, cb) {
+    if (typeof opts === 'function') { cb = opts; opts = {}; }
+    const recursive = opts && opts.recursive ? '1' : '0';
+    fetch('/api/fs/rmdir?' + vaultQuery() + 'path=' + encodePath(p) + '&recursive=' + recursive, { method: 'DELETE' })
+      .then(async (r) => {
+        if (!r.ok) {
+          const json = await r.json().catch(() => ({ error: 'rmdir failed' }));
+          throw makeError(json, 'rmdir', p);
+        }
+        cb && cb(null);
+      })
+      .catch((err) => cb && cb(err));
+  }
+
+  function copyFileAsync(src, dest, flags, cb) {
+    if (typeof flags === 'function') { cb = flags; flags = 0; }
+    fetch('/api/fs/copy', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ src: toRelative(src), dest: toRelative(dest), vault: vaultId }),
+    })
+      .then(async (r) => {
+        if (!r.ok) {
+          const json = await r.json().catch(() => ({ error: 'copy failed' }));
+          throw makeError(json, 'copyfile', src);
+        }
+        cb && cb(null);
+      })
+      .catch((err) => cb && cb(err));
+  }
+
+  function accessAsync(p, mode, cb) {
+    if (typeof mode === 'function') { cb = mode; mode = 0; }
+    statAsync(p, (err) => cb(err || null));
+  }
+
+  // ---- sync API (uses XHR sync) -----------------------------------------
+
+  function statSync(p) {
+    const cached = getBootstrapEntry(p);
+    if (cached) return makeStatsFromCache(cached);
+    // silent404: Obsidian routinely stat()s paths that may not exist yet
+    // (config files, plugins) and handles ENOENT via try/catch.  Suppress
+    // the verbose URL in the error message to keep the console clean.
+    const xhr = global.__owSyncRequest('GET', '/api/fs/stat?' + vaultQuery() + 'path=' + encodePath(p), undefined, { silent404: true });
+    return makeStats(JSON.parse(xhr.responseText));
+  }
+
+  function readFileSync(p, opts) {
+    const encoding = typeof opts === 'string' ? opts : (opts && opts.encoding);
+    const cached = getBootstrapEntry(p);
+    if (bootstrapHasContent(cached)) return encoding ? cached.content : new TextEncoder().encode(cached.content);
+    const url = '/api/fs/read?' + vaultQuery() + 'path=' + encodePath(p) + (encoding ? '&encoding=' + encoding : '');
+    // Use __owSyncRequest with silent404 so missing files throw a clean ENOENT.
+    // Note: sync XHR binary reads are limited to Latin-1 (xhr.responseText
+    // encoding). Multi-byte UTF-8 binary data may be corrupted on this path.
+    // Text reads (encoding=utf8) are safe because the server sends UTF-8 and
+    // the XHR decodes it as a JS string.
+    const xhr = global.__owSyncRequest('GET', url, undefined, { silent404: true });
+    if (encoding) return xhr.responseText;
+    // Binary path - convert text to Uint8Array via overrideMimeType trick.
+    const bytes = new Uint8Array(xhr.responseText.length);
+    for (let i = 0; i < xhr.responseText.length; i++) {
+      bytes[i] = xhr.responseText.charCodeAt(i) & 0xff;
+    }
+    return bytes;
+  }
+
+  function existsSync(p) {
+    try { statSync(p); return true; } catch (_) { return false; }
+  }
+
+  function writeFileSync(p, data, opts) {
+    // Same as writeFileAsync: only evict fs content, not parent dir listing.
+    const _cache = global.__owBootstrapCache;
+    if (_cache && _cache.fs) delete _cache.fs[toRelative(p)];
+    const encoding = typeof opts === 'string' ? opts : (opts && opts.encoding);
+    const url = '/api/fs/write?' + vaultQuery() + 'path=' + encodePath(p) + (encoding ? '&encoding=' + encoding : '');
+    global.__owSyncRequest('PUT', url, data == null ? '' : data);
+  }
+
+  function unlinkSync(p) {
+    invalidateBootstrap(p);
+    global.__owSyncRequest('DELETE', '/api/fs/unlink?' + vaultQuery() + 'path=' + encodePath(p));
+  }
+
+  function mkdirSync(p, opts) {
+    const recursive = !!(opts && opts.recursive);
+    global.__owSyncJson('POST', '/api/fs/mkdir', { path: toRelative(p), recursive, vault: vaultId });
+  }
+
+  function readdirSync(p, opts) {
+    const cachedDir = getBootstrapDir(p);
+    if (cachedDir) {
+      populateStatFromDir(p, cachedDir);
+      const withFileTypes = opts && opts.withFileTypes;
+      if (withFileTypes) {
+        return cachedDir.map(e => ({
+          name: e.name,
+          isFile: () => e.isFile,
+          isDirectory: () => e.isDirectory,
+          isSymbolicLink: () => e.isSymbolicLink,
+        }));
+      }
+      return cachedDir.map(e => e.name);
+    }
+    const xhr = global.__owSyncRequest('GET', '/api/fs/readdir?' + vaultQuery() + 'path=' + encodePath(p));
+    const json = JSON.parse(xhr.responseText);
+    const withFileTypes = opts && opts.withFileTypes;
+    if (withFileTypes) {
+      return json.map((e) => ({
+        name: e.name,
+        isFile: () => e.isFile,
+        isDirectory: () => e.isDirectory,
+        isSymbolicLink: () => e.isSymbolicLink,
+      }));
+    }
+    return json.map((e) => e.name);
+  }
+
+  // ---- promises API ----------------------------------------------------
+
+  function promisify(fn) {
+    return function () {
+      const args = Array.prototype.slice.call(arguments);
+      return new Promise((resolve, reject) => {
+        fn.apply(null, args.concat([(err, val) => err ? reject(err) : resolve(val)]));
+      });
+    };
+  }
+
+  const promises = {
+    stat: promisify(statAsync),
+    lstat: promisify(statAsync), // approximate
+    readdir: promisify(readdirAsync),
+    readFile: promisify(readFileAsync),
+    writeFile: promisify(writeFileAsync),
+    mkdir: promisify(mkdirAsync),
+    unlink: promisify(unlinkAsync),
+    rename: promisify(renameAsync),
+    rmdir: promisify(rmdirAsync),
+    rm: promisify(rmdirAsync),
+    copyFile: promisify(copyFileAsync),
+    access: promisify(accessAsync),
+    realpath: async (p) => p, // identity is good enough for now
+    appendFile: async (p, data, opts) => {
+      // Simple read-modify-write.
+      let existing = '';
+      try { existing = await promises.readFile(p, 'utf8'); } catch (_) { /* new file */ }
+      const next = existing + (typeof data === 'string' ? data : new TextDecoder().decode(data));
+      return promises.writeFile(p, next, opts || 'utf8');
+    },
+    utimes: async () => { /* no-op for now */ },
+  };
+
+  // ---- fs.watch via WebSocket -----------------------------------------
+
+  let watchSocket = null;
+  const watchListeners = new Set();
+
+  function ensureWatchSocket() {
+    if (watchSocket && watchSocket.readyState <= 1) return watchSocket;
+    const proto = location.protocol === 'https:' ? 'wss:' : 'ws:';
+    watchSocket = new WebSocket(proto + '//' + location.host + '/api/watch' + (vaultId ? '?vault=' + encodeURIComponent(vaultId) : ''));
+    watchSocket.onmessage = (ev) => {
+      let msg;
+      try { msg = JSON.parse(ev.data); } catch (_) { return; }
+      if (msg.type === 'ready') return;
+      console.log('[fs.watch] ws message:', msg.type, msg.path, '| listeners:', watchListeners.size);
+      // Invalidate bootstrap cache for the changed path.
+      // 'change' = content update: only evict the file from fs cache.
+      //   Do NOT evict the parent dir listing — the file still exists there.
+      // Structural events (add/unlink/addDir/unlinkDir/rename/reset): evict
+      //   both the file and its parent dir listing so readdir re-fetches.
+      if (msg.path) {
+        const absPath = vaultBase + '/' + msg.path;
+        if (msg.type === 'change') {
+          const cache = global.__owBootstrapCache;
+          if (cache && cache.fs) delete cache.fs[toRelative(absPath)];
+        } else {
+          invalidateBootstrap(absPath);
+        }
+      }
+      for (const l of watchListeners) l(msg);
+    };
+    watchSocket.onclose = () => { watchSocket = null; };
+    return watchSocket;
+  }
+
+  // fs.watch returns an FSWatcher (EventEmitter). Obsidian uses both
+  // shapes: passing a callback as the 3rd arg AND chaining .on('change').on('error').
+  // Our return value implements both.
+  function watch(p, opts, listener) {
+    if (typeof opts === 'function') { listener = opts; opts = {}; }
+    ensureWatchSocket();
+    const rel = toRelative(p).replace(/\\/g, '/');
+
+    // Per-event-type listeners (for the .on() chain).
+    const handlers = { change: new Set(), error: new Set(), rename: new Set(), close: new Set() };
+    // The third-arg listener (Node fs.watch callback) receives ALL event types,
+    // not just 'change'. Register it on both so rename events (add/delete/move)
+    // reach it too.
+    if (listener) {
+      handlers.change.add(listener);
+      handlers.rename.add(listener);
+    }
+
+    function emit(eventType, ...args) {
+      for (const fn of handlers[eventType] || []) {
+        try { fn(...args); } catch (e) { console.error('[fs.watch] handler error:', e); }
+      }
+    }
+
+    const onMessage = (msg) => {
+      if (!msg.path) return;
+      // Filter: emit only events under the watched path.
+      if (rel !== '' && msg.path !== rel && !msg.path.startsWith(rel + '/')) return;
+      // Map chokidar event types to Node fs.watch's 'rename' / 'change'.
+      // In Node.js fs.watch, the EventEmitter ALWAYS fires the 'change' event
+      // regardless of rename vs. content change. The eventType string ('rename'
+      // or 'change') is passed as the first argument to the callback so the
+      // handler knows what happened. There is no separate 'rename' EventEmitter
+      // event — Obsidian registers .on('change', fn) expecting all event types.
+      const eventType = msg.type === 'change' ? 'change' : 'rename';
+      const filename = rel === '' ? msg.path : msg.path.slice(rel.length + 1) || msg.path;
+      emit('change', eventType, filename);
+    };
+    watchListeners.add(onMessage);
+
+    const watcher = {
+      on(eventType, fn) {
+        if (handlers[eventType]) handlers[eventType].add(fn);
+        return watcher;
+      },
+      off(eventType, fn) {
+        if (handlers[eventType]) handlers[eventType].delete(fn);
+        return watcher;
+      },
+      addListener(eventType, fn) { return watcher.on(eventType, fn); },
+      removeListener(eventType, fn) { return watcher.off(eventType, fn); },
+      removeAllListeners(eventType) {
+        if (eventType && handlers[eventType]) handlers[eventType].clear();
+        else for (const k in handlers) handlers[k].clear();
+        return watcher;
+      },
+      close() {
+        watchListeners.delete(onMessage);
+        emit('close');
+      },
+      ref() { return watcher; },
+      unref() { return watcher; },
+    };
+    return watcher;
+  }
+
+  // ---- module export ---------------------------------------------------
+
+  const fsShim = {
+    // async (callback) API
+    stat: statAsync,
+    lstat: statAsync,
+    readdir: readdirAsync,
+    readFile: readFileAsync,
+    writeFile: writeFileAsync,
+    mkdir: mkdirAsync,
+    unlink: unlinkAsync,
+    rename: renameAsync,
+    rmdir: rmdirAsync,
+    rm: rmdirAsync,
+    copyFile: copyFileAsync,
+    access: accessAsync,
+    watch,
+    // sync API
+    statSync,
+    lstatSync: statSync,
+    readFileSync,
+    writeFileSync,
+    unlinkSync,
+    mkdirSync,
+    readdirSync,
+    existsSync,
+    accessSync: (p) => { statSync(p); /* throws if missing */ },
+    // constants
+    constants: {
+      F_OK: 0, R_OK: 4, W_OK: 2, X_OK: 1,
+      O_RDONLY: 0, O_WRONLY: 1, O_RDWR: 2,
+      O_CREAT: 64, O_EXCL: 128, O_TRUNC: 512, O_APPEND: 1024,
+    },
+    // promises namespace
+    promises,
+    // setTimes is what FileSystemAdapter calls to update mtime
+    setTimes: function (p, atime, mtime, cb) {
+      cb && cb(null);
+    },
+  };
+
+  global.__owFs = fsShim;
+  global.__owFs.setVaultBase = setVaultBase;
+  global.__owFs.setVaultId = setVaultId;
+})(window);
diff --git a/src/client/shims/sync-http.js b/src/client/shims/sync-http.js
index 96ade5b..9b2521d 100644
--- a/src/client/shims/sync-http.js
+++ b/src/client/shims/sync-http.js
@@ -1,77 +1,77 @@
-/**
- * Synchronous HTTP helper.
- *
- * Obsidian uses ipcRenderer.sendSync() and statSync() in a few places.
- * In the browser we have to fall back to synchronous XMLHttpRequest.
- *
- * Yes, sync XHR is deprecated. For a single-user self-hosted app on
- * localhost it is the simplest path. If we ever need to remove it we can
- * preload the small set of values that Obsidian asks for synchronously.
- */
-(function (global) {
-  // opts.silent404 = true  → on 404, throw a clean ENOENT without a verbose
-  // URL in the message.  Obsidian calls statSync/readFileSync on paths that
-  // may not exist yet (config files, first boot) and handles ENOENT normally.
-  // Without this flag those 404s appeared in the console as long HTTP error
-  // strings, polluting the log with noise on every cold start.
-  function syncRequest(method, url, body, opts) {
-    const t0 = performance.now();
-    const xhr = new XMLHttpRequest();
-    xhr.open(method, url, false); // false = synchronous
-    if (body !== undefined && body !== null) {
-      if (typeof body === 'string' || body instanceof ArrayBuffer || ArrayBuffer.isView(body)) {
-        // For binary bodies (ArrayBuffer/TypedArray) the browser does NOT set
-        // Content-Type automatically on XHR.  Without it, express.raw() on the
-        // server leaves req.body as {} and fsp.writeFile throws "Received an
-        // instance of Object".  Strings get text/plain;charset=UTF-8 from the
-        // browser, which body-parser already handles — we only need to add the
-        // header for binary types.
-        if (typeof body !== 'string') {
-          xhr.setRequestHeader('Content-Type', 'application/octet-stream');
-        }
-        xhr.send(body);
-      } else {
-        xhr.setRequestHeader('Content-Type', 'application/json');
-        xhr.send(JSON.stringify(body));
-      }
-    } else {
-      xhr.send();
-    }
-    const duration = performance.now() - t0;
-
-    // Record telemetry if available (telemetry.js loads before this shim).
-    if (global.__owTelemetry) {
-      global.__owTelemetry.record(
-        method,
-        url,
-        duration,
-        xhr.status,
-        xhr.responseText ? xhr.responseText.length : 0,
-      );
-    }
-
-    if (xhr.status < 200 || xhr.status >= 300) {
-      // 404 with silent404 flag: throw a clean ENOENT so Obsidian's normal
-      // try/catch handles it without extra noise.
-      if (xhr.status === 404 && opts && opts.silent404) {
-        const enoent = new Error('ENOENT: no such file or directory');
-        enoent.code = 'ENOENT';
-        enoent.status = 404;
-        throw enoent;
-      }
-      const err = new Error('sync ' + method + ' ' + url + ' failed: ' + xhr.status + ' ' + xhr.responseText);
-      err.status = xhr.status;
-      try { Object.assign(err, JSON.parse(xhr.responseText)); } catch (_) { /* ignore */ }
-      throw err;
-    }
-    return xhr;
-  }
-
-  function syncJson(method, url, body) {
-    const xhr = syncRequest(method, url, body);
-    return xhr.responseText ? JSON.parse(xhr.responseText) : null;
-  }
-
-  global.__owSyncRequest = syncRequest;
-  global.__owSyncJson = syncJson;
-})(window);
+/**
+ * Synchronous HTTP helper.
+ *
+ * Obsidian uses ipcRenderer.sendSync() and statSync() in a few places.
+ * In the browser we have to fall back to synchronous XMLHttpRequest.
+ *
+ * Yes, sync XHR is deprecated. For a single-user self-hosted app on
+ * localhost it is the simplest path. If we ever need to remove it we can
+ * preload the small set of values that Obsidian asks for synchronously.
+ */
+(function (global) {
+  // opts.silent404 = true  → on 404, throw a clean ENOENT without a verbose
+  // URL in the message.  Obsidian calls statSync/readFileSync on paths that
+  // may not exist yet (config files, first boot) and handles ENOENT normally.
+  // Without this flag those 404s appeared in the console as long HTTP error
+  // strings, polluting the log with noise on every cold start.
+  function syncRequest(method, url, body, opts) {
+    const t0 = performance.now();
+    const xhr = new XMLHttpRequest();
+    xhr.open(method, url, false); // false = synchronous
+    if (body !== undefined && body !== null) {
+      if (typeof body === 'string' || body instanceof ArrayBuffer || ArrayBuffer.isView(body)) {
+        // For binary bodies (ArrayBuffer/TypedArray) the browser does NOT set
+        // Content-Type automatically on XHR.  Without it, express.raw() on the
+        // server leaves req.body as {} and fsp.writeFile throws "Received an
+        // instance of Object".  Strings get text/plain;charset=UTF-8 from the
+        // browser, which body-parser already handles — we only need to add the
+        // header for binary types.
+        if (typeof body !== 'string') {
+          xhr.setRequestHeader('Content-Type', 'application/octet-stream');
+        }
+        xhr.send(body);
+      } else {
+        xhr.setRequestHeader('Content-Type', 'application/json');
+        xhr.send(JSON.stringify(body));
+      }
+    } else {
+      xhr.send();
+    }
+    const duration = performance.now() - t0;
+
+    // Record telemetry if available (telemetry.js loads before this shim).
+    if (global.__owTelemetry) {
+      global.__owTelemetry.record(
+        method,
+        url,
+        duration,
+        xhr.status,
+        xhr.responseText ? xhr.responseText.length : 0,
+      );
+    }
+
+    if (xhr.status < 200 || xhr.status >= 300) {
+      // 404 with silent404 flag: throw a clean ENOENT so Obsidian's normal
+      // try/catch handles it without extra noise.
+      if (xhr.status === 404 && opts && opts.silent404) {
+        const enoent = new Error('ENOENT: no such file or directory');
+        enoent.code = 'ENOENT';
+        enoent.status = 404;
+        throw enoent;
+      }
+      const err = new Error('sync ' + method + ' ' + url + ' failed: ' + xhr.status + ' ' + xhr.responseText);
+      err.status = xhr.status;
+      try { Object.assign(err, JSON.parse(xhr.responseText)); } catch (_) { /* ignore */ }
+      throw err;
+    }
+    return xhr;
+  }
+
+  function syncJson(method, url, body) {
+    const xhr = syncRequest(method, url, body);
+    return xhr.responseText ? JSON.parse(xhr.responseText) : null;
+  }
+
+  global.__owSyncRequest = syncRequest;
+  global.__owSyncJson = syncJson;
+})(window);
diff --git a/src/server/index.js b/src/server/index.js
index 95181eb..53c3939 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -1,193 +1,193 @@
-/**
- * Obsidian Web - HTTP/WebSocket server.
- *
- * Serves three things:
- *   1. The custom src/client/ + src/client-mobile/ files (boot.js, shims, HTML).
- *   2. Obsidian's untouched renderer files from vendor/obsidian/ and
- *      vendor/obsidian-mobile/.
- *   3. A file system API at /api/fs/* and a watcher at /api/watch.
- */
-
-const express = require('express');
-const compression = require('compression');
-const fsp = require('fs/promises');
-const http = require('http');
-const path = require('path');
-
-const config = require('./config');
-const systemPlugins = require('./system-plugins');
-const createFsRouter = require('./api/fs');
-const createElectronRouter = require('./api/electron');
-const createVaultsRouter = require('./api/vaults');
-const createBootstrapRouter = require('./api/bootstrap');
-const { warmUpBootstrapCache } = require('./api/bootstrap');
-const createProxyRouter = require('./api/proxy');
-const createKeytarRouter = require('./api/keytar');
-const createPbkdf2Router = require('./api/pbkdf2');
-const attachWatchServer = require('./api/watch');
-const VaultRegistry = require('./vault-registry');
-const { createAuthMiddleware } = require('./middleware/auth');
-
-function createApp(appConfig = config) {
-  const app = express();
-  const vaultRegistry = new VaultRegistry(appConfig.registryPath);
-
-  // Compression — critical for /api/bootstrap (38MB uncompressed → ~6MB).
-  // Brotli gives ~84% reduction, gzip ~79%. The middleware auto-selects based
-  // on Accept-Encoding: browsers get brotli, curl/other tools get gzip.
-  app.use(compression({ level: 6 }));
-
-  // Optional TOTP auth — enabled by setting TOTP_SECRET env var.
-  // Generate a secret: node -e "const {authenticator}=require('otplib');console.log(authenticator.generateSecret())"
-  // Then visit /__totp-setup?token=YOUR_SECRET to scan the QR code.
-  const authMiddleware = createAuthMiddleware();
-  if (authMiddleware) {
-    app.use(authMiddleware);
-    console.log('[auth] TOTP authentication enabled — visit /__totp-setup?token=YOUR_SECRET to configure your authenticator app');
-  }
-
-  // Request logging - very chatty, but invaluable while we are still
-  // figuring out what Obsidian asks for during boot.
-  app.use((req, res, next) => {
-    const start = Date.now();
-    res.on('finish', () => {
-      const ms = Date.now() - start;
-      const url = req.originalUrl;
-      // Skip noisy static assets to keep the log readable.
-      if (!url.startsWith('/api') && !url.startsWith('/i18n') && !url.startsWith('/lib') && url !== '/') {
-        return;
-      }
-      console.log(`${req.method} ${res.statusCode} ${url} (${ms}ms)`);
-    });
-    next();
-  });
-
-  // Inject ?v=<cacheBust> into all client script/link tags so browsers pick up
-  // changes automatically. The bust value is recomputed at server startup from
-  // client/ and client-mobile/ file mtimes — no manual ?v=N bump needed.
-  const cacheBust = appConfig.clientCacheBust || 'dev';
-  async function sendHtmlWithCacheBust(res, filePath) {
-    try {
-      let html = await fsp.readFile(filePath, 'utf8');
-      // Inject (or replace) ?v=<bust> on all /client/ and /client-mobile/ script and link tags.
-      // Handles both: existing ?v=3 and paths without any query string.
-      html = html.replace(/((?:src|href)="\/client(?:-mobile)?\/[^"]*?)(\?v=[^"&]*)?"(?=[^>]*>)/g,
-        (_, prefix) => `${prefix}?v=${cacheBust}"`);
-      res.setHeader('Content-Type', 'text/html; charset=utf-8');
-      res.setHeader('Cache-Control', 'no-cache');
-      res.send(html);
-    } catch (err) {
-      res.status(500).send('Error loading page: ' + err.message);
-    }
-  }
-
-  // Favicon and app icons from the project root.
-  const rootIconFiles = ['favicon.ico', 'favicon.svg', 'apple-touch-icon.png'];
-  for (const f of rootIconFiles) {
-    app.get('/' + f, (req, res) => {
-      res.sendFile(path.join(appConfig.projectRoot, f));
-    });
-  }
-
-  // Custom entry point - our index.html, not Obsidian's.
-  app.get('/', (req, res) => {
-    sendHtmlWithCacheBust(res, path.join(appConfig.clientPath, 'index.html'));
-  });
-
-  app.get(['/starter', '/starter.html'], (req, res) => {
-    sendHtmlWithCacheBust(res, path.join(appConfig.clientPath, 'starter.html'));
-  });
-
-  // Mobile client entry point.
-  app.get('/mobile', (req, res) => {
-    sendHtmlWithCacheBust(res, path.join(appConfig.clientMobilePath, 'index.html'));
-  });
-
-  // Static files - order matters: client/ first, then obsidian/.
-  app.use('/client', express.static(appConfig.clientPath, {
-    setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
-  }));
-  app.use('/client-mobile', express.static(appConfig.clientMobilePath, {
-    setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
-  }));
-  app.use('/obsidian', express.static(appConfig.obsidianPath, {
-    setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
-  }));
-  app.use('/obsidian-mobile', express.static(appConfig.obsidianMobilePath, {
-    setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
-  }));
-
-  // Obsidian's renderer fetches resources via absolute paths like /i18n/he.txt
-  // and /lib/... because under Electron those resolve via the app:// protocol
-  // to the bundle root. Mirror them onto the obsidian/ tree.
-  const RESOURCE_DIRS = ['i18n', 'lib', 'public', 'sandbox'];
-  for (const dir of RESOURCE_DIRS) {
-    app.use('/' + dir, express.static(path.join(appConfig.obsidianPath, dir), {
-      setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
-    }));
-  }
-
-  // Worker scripts. Obsidian creates `new Worker("worker.js")` which under
-  // Electron resolves to /Resources/obsidian/worker.js, but in a browser
-  // it resolves relative to the document URL. Serve them at the root.
-  //
-  // THIS IS CRITICAL for the metadata indexer: without worker.js the
-  // metadataCache `this.work(t)` call (which postMessage's to the worker
-  // and waits for a reply) hangs forever, leaving inProgressTaskCount > 0
-  // and blocking everything that waits for onCleanCache (rename, etc.).
-  const ROOT_FILES = ['worker.js', 'sim.js'];
-  for (const f of ROOT_FILES) {
-    app.get('/' + f, (req, res) => {
-      res.sendFile(path.join(appConfig.obsidianPath, f), {
-        headers: { 'Cache-Control': 'no-cache' },
-      });
-    });
-  }
-
-  // API routes.
-  app.use('/api/keytar', createKeytarRouter(appConfig.userDataPath));
-  app.use('/api/pbkdf2', createPbkdf2Router());
-  app.use('/api/bootstrap', createBootstrapRouter(vaultRegistry, appConfig.vaultPath));
-  app.use('/api/proxy-request', createProxyRouter());
-  app.use('/api/vaults', createVaultsRouter(vaultRegistry));
-  app.use('/api/fs', createFsRouter(vaultRegistry, appConfig.vaultPath));
-  app.use('/api/electron', createElectronRouter(vaultRegistry, appConfig.vaultPath));
-
-  app.locals.vaultRegistry = vaultRegistry;
-  return app;
-}
-
-function startServer(appConfig = config) {
-  // Discover system plugins (repo-shipped plugins overlaid onto every vault)
-  // before any FS handler runs.
-  systemPlugins.init();
-
-  const app = createApp(appConfig);
-  const server = http.createServer(app);
-  attachWatchServer(server, app.locals.vaultRegistry, appConfig.vaultPath);
-
-  server.listen(appConfig.port, appConfig.host, () => {
-    console.log('==========================================');
-    console.log('  Obsidian Web');
-    console.log('==========================================');
-    console.log('  Vault:    ' + appConfig.vaultPath);
-    console.log('  Obsidian: ' + appConfig.obsidianPath);
-    console.log('  Listening on http://' + appConfig.host + ':' + appConfig.port);
-    console.log('==========================================');
-
-    // Pre-build the bootstrap cache in the background so the first browser
-    // request is a cache HIT instead of a cold build.
-    setImmediate(() => {
-      warmUpBootstrapCache(app.locals.vaultRegistry, appConfig.vaultPath)
-        .catch((err) => console.warn('[bootstrap] warm-up error:', err.message));
-    });
-  });
-
-  return server;
-}
-
-if (require.main === module) {
-  startServer();
-}
-
-module.exports = { createApp, startServer };
+/**
+ * Obsidian Web - HTTP/WebSocket server.
+ *
+ * Serves three things:
+ *   1. The custom src/client/ + src/client-mobile/ files (boot.js, shims, HTML).
+ *   2. Obsidian's untouched renderer files from vendor/obsidian/ and
+ *      vendor/obsidian-mobile/.
+ *   3. A file system API at /api/fs/* and a watcher at /api/watch.
+ */
+
+const express = require('express');
+const compression = require('compression');
+const fsp = require('fs/promises');
+const http = require('http');
+const path = require('path');
+
+const config = require('./config');
+const systemPlugins = require('./system-plugins');
+const createFsRouter = require('./api/fs');
+const createElectronRouter = require('./api/electron');
+const createVaultsRouter = require('./api/vaults');
+const createBootstrapRouter = require('./api/bootstrap');
+const { warmUpBootstrapCache } = require('./api/bootstrap');
+const createProxyRouter = require('./api/proxy');
+const createKeytarRouter = require('./api/keytar');
+const createPbkdf2Router = require('./api/pbkdf2');
+const attachWatchServer = require('./api/watch');
+const VaultRegistry = require('./vault-registry');
+const { createAuthMiddleware } = require('./middleware/auth');
+
+function createApp(appConfig = config) {
+  const app = express();
+  const vaultRegistry = new VaultRegistry(appConfig.registryPath);
+
+  // Compression — critical for /api/bootstrap (38MB uncompressed → ~6MB).
+  // Brotli gives ~84% reduction, gzip ~79%. The middleware auto-selects based
+  // on Accept-Encoding: browsers get brotli, curl/other tools get gzip.
+  app.use(compression({ level: 6 }));
+
+  // Optional TOTP auth — enabled by setting TOTP_SECRET env var.
+  // Generate a secret: node -e "const {authenticator}=require('otplib');console.log(authenticator.generateSecret())"
+  // Then visit /__totp-setup?token=YOUR_SECRET to scan the QR code.
+  const authMiddleware = createAuthMiddleware();
+  if (authMiddleware) {
+    app.use(authMiddleware);
+    console.log('[auth] TOTP authentication enabled — visit /__totp-setup?token=YOUR_SECRET to configure your authenticator app');
+  }
+
+  // Request logging - very chatty, but invaluable while we are still
+  // figuring out what Obsidian asks for during boot.
+  app.use((req, res, next) => {
+    const start = Date.now();
+    res.on('finish', () => {
+      const ms = Date.now() - start;
+      const url = req.originalUrl;
+      // Skip noisy static assets to keep the log readable.
+      if (!url.startsWith('/api') && !url.startsWith('/i18n') && !url.startsWith('/lib') && url !== '/') {
+        return;
+      }
+      console.log(`${req.method} ${res.statusCode} ${url} (${ms}ms)`);
+    });
+    next();
+  });
+
+  // Inject ?v=<cacheBust> into all client script/link tags so browsers pick up
+  // changes automatically. The bust value is recomputed at server startup from
+  // client/ and client-mobile/ file mtimes — no manual ?v=N bump needed.
+  const cacheBust = appConfig.clientCacheBust || 'dev';
+  async function sendHtmlWithCacheBust(res, filePath) {
+    try {
+      let html = await fsp.readFile(filePath, 'utf8');
+      // Inject (or replace) ?v=<bust> on all /client/ and /client-mobile/ script and link tags.
+      // Handles both: existing ?v=3 and paths without any query string.
+      html = html.replace(/((?:src|href)="\/client(?:-mobile)?\/[^"]*?)(\?v=[^"&]*)?"(?=[^>]*>)/g,
+        (_, prefix) => `${prefix}?v=${cacheBust}"`);
+      res.setHeader('Content-Type', 'text/html; charset=utf-8');
+      res.setHeader('Cache-Control', 'no-cache');
+      res.send(html);
+    } catch (err) {
+      res.status(500).send('Error loading page: ' + err.message);
+    }
+  }
+
+  // Favicon and app icons from the project root.
+  const rootIconFiles = ['favicon.ico', 'favicon.svg', 'apple-touch-icon.png'];
+  for (const f of rootIconFiles) {
+    app.get('/' + f, (req, res) => {
+      res.sendFile(path.join(appConfig.projectRoot, f));
+    });
+  }
+
+  // Custom entry point - our index.html, not Obsidian's.
+  app.get('/', (req, res) => {
+    sendHtmlWithCacheBust(res, path.join(appConfig.clientPath, 'index.html'));
+  });
+
+  app.get(['/starter', '/starter.html'], (req, res) => {
+    sendHtmlWithCacheBust(res, path.join(appConfig.clientPath, 'starter.html'));
+  });
+
+  // Mobile client entry point.
+  app.get('/mobile', (req, res) => {
+    sendHtmlWithCacheBust(res, path.join(appConfig.clientMobilePath, 'index.html'));
+  });
+
+  // Static files - order matters: client/ first, then obsidian/.
+  app.use('/client', express.static(appConfig.clientPath, {
+    setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
+  }));
+  app.use('/client-mobile', express.static(appConfig.clientMobilePath, {
+    setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
+  }));
+  app.use('/obsidian', express.static(appConfig.obsidianPath, {
+    setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
+  }));
+  app.use('/obsidian-mobile', express.static(appConfig.obsidianMobilePath, {
+    setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
+  }));
+
+  // Obsidian's renderer fetches resources via absolute paths like /i18n/he.txt
+  // and /lib/... because under Electron those resolve via the app:// protocol
+  // to the bundle root. Mirror them onto the obsidian/ tree.
+  const RESOURCE_DIRS = ['i18n', 'lib', 'public', 'sandbox'];
+  for (const dir of RESOURCE_DIRS) {
+    app.use('/' + dir, express.static(path.join(appConfig.obsidianPath, dir), {
+      setHeaders: (res) => res.setHeader('Cache-Control', 'no-cache'),
+    }));
+  }
+
+  // Worker scripts. Obsidian creates `new Worker("worker.js")` which under
+  // Electron resolves to /Resources/obsidian/worker.js, but in a browser
+  // it resolves relative to the document URL. Serve them at the root.
+  //
+  // THIS IS CRITICAL for the metadata indexer: without worker.js the
+  // metadataCache `this.work(t)` call (which postMessage's to the worker
+  // and waits for a reply) hangs forever, leaving inProgressTaskCount > 0
+  // and blocking everything that waits for onCleanCache (rename, etc.).
+  const ROOT_FILES = ['worker.js', 'sim.js'];
+  for (const f of ROOT_FILES) {
+    app.get('/' + f, (req, res) => {
+      res.sendFile(path.join(appConfig.obsidianPath, f), {
+        headers: { 'Cache-Control': 'no-cache' },
+      });
+    });
+  }
+
+  // API routes.
+  app.use('/api/keytar', createKeytarRouter(appConfig.userDataPath));
+  app.use('/api/pbkdf2', createPbkdf2Router());
+  app.use('/api/bootstrap', createBootstrapRouter(vaultRegistry, appConfig.vaultPath));
+  app.use('/api/proxy-request', createProxyRouter());
+  app.use('/api/vaults', createVaultsRouter(vaultRegistry));
+  app.use('/api/fs', createFsRouter(vaultRegistry, appConfig.vaultPath));
+  app.use('/api/electron', createElectronRouter(vaultRegistry, appConfig.vaultPath));
+
+  app.locals.vaultRegistry = vaultRegistry;
+  return app;
+}
+
+function startServer(appConfig = config) {
+  // Discover system plugins (repo-shipped plugins overlaid onto every vault)
+  // before any FS handler runs.
+  systemPlugins.init();
+
+  const app = createApp(appConfig);
+  const server = http.createServer(app);
+  attachWatchServer(server, app.locals.vaultRegistry, appConfig.vaultPath);
+
+  server.listen(appConfig.port, appConfig.host, () => {
+    console.log('==========================================');
+    console.log('  Obsidian Web');
+    console.log('==========================================');
+    console.log('  Vault:    ' + appConfig.vaultPath);
+    console.log('  Obsidian: ' + appConfig.obsidianPath);
+    console.log('  Listening on http://' + appConfig.host + ':' + appConfig.port);
+    console.log('==========================================');
+
+    // Pre-build the bootstrap cache in the background so the first browser
+    // request is a cache HIT instead of a cold build.
+    setImmediate(() => {
+      warmUpBootstrapCache(app.locals.vaultRegistry, appConfig.vaultPath)
+        .catch((err) => console.warn('[bootstrap] warm-up error:', err.message));
+    });
+  });
+
+  return server;
+}
+
+if (require.main === module) {
+  startServer();
+}
+
+module.exports = { createApp, startServer };
diff --git a/src/server/package-lock.json b/src/server/package-lock.json
index 60f3e90..930e5e3 100644
--- a/src/server/package-lock.json
+++ b/src/server/package-lock.json
@@ -1,1476 +1,1476 @@
-{
-  "name": "obsidian-web-server",
-  "version": "0.1.0",
-  "lockfileVersion": 3,
-  "requires": true,
-  "packages": {
-    "": {
-      "name": "obsidian-web-server",
-      "version": "0.1.0",
-      "dependencies": {
-        "chokidar": "^3.6.0",
-        "compression": "^1.8.1",
-        "express": "^4.21.0",
-        "otplib": "^12.0.1",
-        "qrcode": "^1.5.4",
-        "ws": "^8.18.0"
-      }
-    },
-    "node_modules/@otplib/core": {
-      "version": "12.0.1",
-      "resolved": "https://registry.npmjs.org/@otplib/core/-/core-12.0.1.tgz",
-      "integrity": "sha512-4sGntwbA/AC+SbPhbsziRiD+jNDdIzsZ3JUyfZwjtKyc/wufl1pnSIaG4Uqx8ymPagujub0o92kgBnB89cuAMA==",
-      "license": "MIT"
-    },
-    "node_modules/@otplib/plugin-crypto": {
-      "version": "12.0.1",
-      "resolved": "https://registry.npmjs.org/@otplib/plugin-crypto/-/plugin-crypto-12.0.1.tgz",
-      "integrity": "sha512-qPuhN3QrT7ZZLcLCyKOSNhuijUi9G5guMRVrxq63r9YNOxxQjPm59gVxLM+7xGnHnM6cimY57tuKsjK7y9LM1g==",
-      "deprecated": "Please upgrade to v13 of otplib. Refer to otplib docs for migration paths",
-      "license": "MIT",
-      "dependencies": {
-        "@otplib/core": "^12.0.1"
-      }
-    },
-    "node_modules/@otplib/plugin-thirty-two": {
-      "version": "12.0.1",
-      "resolved": "https://registry.npmjs.org/@otplib/plugin-thirty-two/-/plugin-thirty-two-12.0.1.tgz",
-      "integrity": "sha512-MtT+uqRso909UkbrrYpJ6XFjj9D+x2Py7KjTO9JDPhL0bJUYVu5kFP4TFZW4NFAywrAtFRxOVY261u0qwb93gA==",
-      "deprecated": "Please upgrade to v13 of otplib. Refer to otplib docs for migration paths",
-      "license": "MIT",
-      "dependencies": {
-        "@otplib/core": "^12.0.1",
-        "thirty-two": "^1.0.2"
-      }
-    },
-    "node_modules/@otplib/preset-default": {
-      "version": "12.0.1",
-      "resolved": "https://registry.npmjs.org/@otplib/preset-default/-/preset-default-12.0.1.tgz",
-      "integrity": "sha512-xf1v9oOJRyXfluBhMdpOkr+bsE+Irt+0D5uHtvg6x1eosfmHCsCC6ej/m7FXiWqdo0+ZUI6xSKDhJwc8yfiOPQ==",
-      "deprecated": "Please upgrade to v13 of otplib. Refer to otplib docs for migration paths",
-      "license": "MIT",
-      "dependencies": {
-        "@otplib/core": "^12.0.1",
-        "@otplib/plugin-crypto": "^12.0.1",
-        "@otplib/plugin-thirty-two": "^12.0.1"
-      }
-    },
-    "node_modules/@otplib/preset-v11": {
-      "version": "12.0.1",
-      "resolved": "https://registry.npmjs.org/@otplib/preset-v11/-/preset-v11-12.0.1.tgz",
-      "integrity": "sha512-9hSetMI7ECqbFiKICrNa4w70deTUfArtwXykPUvSHWOdzOlfa9ajglu7mNCntlvxycTiOAXkQGwjQCzzDEMRMg==",
-      "license": "MIT",
-      "dependencies": {
-        "@otplib/core": "^12.0.1",
-        "@otplib/plugin-crypto": "^12.0.1",
-        "@otplib/plugin-thirty-two": "^12.0.1"
-      }
-    },
-    "node_modules/accepts": {
-      "version": "1.3.8",
-      "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz",
-      "integrity": "sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==",
-      "license": "MIT",
-      "dependencies": {
-        "mime-types": "~2.1.34",
-        "negotiator": "0.6.3"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/ansi-regex": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
-      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/ansi-styles": {
-      "version": "4.3.0",
-      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
-      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
-      "license": "MIT",
-      "dependencies": {
-        "color-convert": "^2.0.1"
-      },
-      "engines": {
-        "node": ">=8"
-      },
-      "funding": {
-        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
-      }
-    },
-    "node_modules/anymatch": {
-      "version": "3.1.3",
-      "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz",
-      "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==",
-      "license": "ISC",
-      "dependencies": {
-        "normalize-path": "^3.0.0",
-        "picomatch": "^2.0.4"
-      },
-      "engines": {
-        "node": ">= 8"
-      }
-    },
-    "node_modules/array-flatten": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz",
-      "integrity": "sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg==",
-      "license": "MIT"
-    },
-    "node_modules/binary-extensions": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
-      "integrity": "sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=8"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
-    "node_modules/body-parser": {
-      "version": "1.20.5",
-      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.5.tgz",
-      "integrity": "sha512-3grm+/2tUOvu2cjJkvsIxrv/wVpfXQW4PsQHYm7yk4vfpu7Ekl6nEsYBoJUL6qDwZUx8wUhQ8tR2qz+ad9c9OA==",
-      "license": "MIT",
-      "dependencies": {
-        "bytes": "~3.1.2",
-        "content-type": "~1.0.5",
-        "debug": "2.6.9",
-        "depd": "2.0.0",
-        "destroy": "~1.2.0",
-        "http-errors": "~2.0.1",
-        "iconv-lite": "~0.4.24",
-        "on-finished": "~2.4.1",
-        "qs": "~6.15.1",
-        "raw-body": "~2.5.3",
-        "type-is": "~1.6.18",
-        "unpipe": "~1.0.0"
-      },
-      "engines": {
-        "node": ">= 0.8",
-        "npm": "1.2.8000 || >= 1.4.16"
-      }
-    },
-    "node_modules/body-parser/node_modules/qs": {
-      "version": "6.15.1",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.1.tgz",
-      "integrity": "sha512-6YHEFRL9mfgcAvql/XhwTvf5jKcOiiupt2FiJxHkiX1z4j7WL8J/jRHYLluORvc1XxB5rV20KoeK00gVJamspg==",
-      "license": "BSD-3-Clause",
-      "dependencies": {
-        "side-channel": "^1.1.0"
-      },
-      "engines": {
-        "node": ">=0.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/braces": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
-      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
-      "license": "MIT",
-      "dependencies": {
-        "fill-range": "^7.1.1"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/bytes": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
-      "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/call-bind-apply-helpers": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz",
-      "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==",
-      "license": "MIT",
-      "dependencies": {
-        "es-errors": "^1.3.0",
-        "function-bind": "^1.1.2"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
-    "node_modules/call-bound": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/call-bound/-/call-bound-1.0.4.tgz",
-      "integrity": "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==",
-      "license": "MIT",
-      "dependencies": {
-        "call-bind-apply-helpers": "^1.0.2",
-        "get-intrinsic": "^1.3.0"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/camelcase": {
-      "version": "5.3.1",
-      "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-5.3.1.tgz",
-      "integrity": "sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=6"
-      }
-    },
-    "node_modules/chokidar": {
-      "version": "3.6.0",
-      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz",
-      "integrity": "sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==",
-      "license": "MIT",
-      "dependencies": {
-        "anymatch": "~3.1.2",
-        "braces": "~3.0.2",
-        "glob-parent": "~5.1.2",
-        "is-binary-path": "~2.1.0",
-        "is-glob": "~4.0.1",
-        "normalize-path": "~3.0.0",
-        "readdirp": "~3.6.0"
-      },
-      "engines": {
-        "node": ">= 8.10.0"
-      },
-      "funding": {
-        "url": "https://paulmillr.com/funding/"
-      },
-      "optionalDependencies": {
-        "fsevents": "~2.3.2"
-      }
-    },
-    "node_modules/cliui": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/cliui/-/cliui-6.0.0.tgz",
-      "integrity": "sha512-t6wbgtoCXvAzst7QgXxJYqPt0usEfbgQdftEPbLL/cvv6HPE5VgvqCuAIDR0NgU52ds6rFwqrgakNLrHEjCbrQ==",
-      "license": "ISC",
-      "dependencies": {
-        "string-width": "^4.2.0",
-        "strip-ansi": "^6.0.0",
-        "wrap-ansi": "^6.2.0"
-      }
-    },
-    "node_modules/color-convert": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
-      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
-      "license": "MIT",
-      "dependencies": {
-        "color-name": "~1.1.4"
-      },
-      "engines": {
-        "node": ">=7.0.0"
-      }
-    },
-    "node_modules/color-name": {
-      "version": "1.1.4",
-      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
-      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
-      "license": "MIT"
-    },
-    "node_modules/compressible": {
-      "version": "2.0.18",
-      "resolved": "https://registry.npmjs.org/compressible/-/compressible-2.0.18.tgz",
-      "integrity": "sha512-AF3r7P5dWxL8MxyITRMlORQNaOA2IkAFaTr4k7BUumjPtRpGDTZpl0Pb1XCO6JeDCBdp126Cgs9sMxqSjgYyRg==",
-      "license": "MIT",
-      "dependencies": {
-        "mime-db": ">= 1.43.0 < 2"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/compression": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/compression/-/compression-1.8.1.tgz",
-      "integrity": "sha512-9mAqGPHLakhCLeNyxPkK4xVo746zQ/czLH1Ky+vkitMnWfWZps8r0qXuwhwizagCRttsL4lfG4pIOvaWLpAP0w==",
-      "license": "MIT",
-      "dependencies": {
-        "bytes": "3.1.2",
-        "compressible": "~2.0.18",
-        "debug": "2.6.9",
-        "negotiator": "~0.6.4",
-        "on-headers": "~1.1.0",
-        "safe-buffer": "5.2.1",
-        "vary": "~1.1.2"
-      },
-      "engines": {
-        "node": ">= 0.8.0"
-      }
-    },
-    "node_modules/compression/node_modules/negotiator": {
-      "version": "0.6.4",
-      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.4.tgz",
-      "integrity": "sha512-myRT3DiWPHqho5PrJaIRyaMv2kgYf0mUVgBNOYMuCH5Ki1yEiQaf/ZJuQ62nvpc44wL5WDbTX7yGJi1Neevw8w==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/content-disposition": {
-      "version": "0.5.4",
-      "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.4.tgz",
-      "integrity": "sha512-FveZTNuGw04cxlAiWbzi6zTAL/lhehaWbTtgluJh4/E95DqMwTmha3KZN1aAWA8cFIhHzMZUvLevkw5Rqk+tSQ==",
-      "license": "MIT",
-      "dependencies": {
-        "safe-buffer": "5.2.1"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/content-type": {
-      "version": "1.0.5",
-      "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz",
-      "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/cookie": {
-      "version": "0.7.2",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
-      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/cookie-signature": {
-      "version": "1.0.7",
-      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.7.tgz",
-      "integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA==",
-      "license": "MIT"
-    },
-    "node_modules/debug": {
-      "version": "2.6.9",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
-      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
-      "license": "MIT",
-      "dependencies": {
-        "ms": "2.0.0"
-      }
-    },
-    "node_modules/decamelize": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/decamelize/-/decamelize-1.2.0.tgz",
-      "integrity": "sha512-z2S+W9X73hAUUki+N+9Za2lBlun89zigOyGrsax+KUQ6wKW4ZoWpEYBkGhQjwAjjDCkWxhY0VKEhk8wzY7F5cA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/depd": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz",
-      "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/destroy": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz",
-      "integrity": "sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8",
-        "npm": "1.2.8000 || >= 1.4.16"
-      }
-    },
-    "node_modules/dijkstrajs": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/dijkstrajs/-/dijkstrajs-1.0.3.tgz",
-      "integrity": "sha512-qiSlmBq9+BCdCA/L46dw8Uy93mloxsPSbwnm5yrKn2vMPiy8KyAskTF6zuV/j5BMsmOGZDPs7KjU+mjb670kfA==",
-      "license": "MIT"
-    },
-    "node_modules/dunder-proto": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
-      "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
-      "license": "MIT",
-      "dependencies": {
-        "call-bind-apply-helpers": "^1.0.1",
-        "es-errors": "^1.3.0",
-        "gopd": "^1.2.0"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
-    "node_modules/ee-first": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
-      "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==",
-      "license": "MIT"
-    },
-    "node_modules/emoji-regex": {
-      "version": "8.0.0",
-      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
-      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
-      "license": "MIT"
-    },
-    "node_modules/encodeurl": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz",
-      "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/es-define-property": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
-      "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
-    "node_modules/es-errors": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
-      "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
-    "node_modules/es-object-atoms": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz",
-      "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==",
-      "license": "MIT",
-      "dependencies": {
-        "es-errors": "^1.3.0"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
-    "node_modules/escape-html": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
-      "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==",
-      "license": "MIT"
-    },
-    "node_modules/etag": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
-      "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/express": {
-      "version": "4.22.1",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.22.1.tgz",
-      "integrity": "sha512-F2X8g9P1X7uCPZMA3MVf9wcTqlyNp7IhH5qPCI0izhaOIYXaW9L535tGA3qmjRzpH+bZczqq7hVKxTR4NWnu+g==",
-      "license": "MIT",
-      "dependencies": {
-        "accepts": "~1.3.8",
-        "array-flatten": "1.1.1",
-        "body-parser": "~1.20.3",
-        "content-disposition": "~0.5.4",
-        "content-type": "~1.0.4",
-        "cookie": "~0.7.1",
-        "cookie-signature": "~1.0.6",
-        "debug": "2.6.9",
-        "depd": "2.0.0",
-        "encodeurl": "~2.0.0",
-        "escape-html": "~1.0.3",
-        "etag": "~1.8.1",
-        "finalhandler": "~1.3.1",
-        "fresh": "~0.5.2",
-        "http-errors": "~2.0.0",
-        "merge-descriptors": "1.0.3",
-        "methods": "~1.1.2",
-        "on-finished": "~2.4.1",
-        "parseurl": "~1.3.3",
-        "path-to-regexp": "~0.1.12",
-        "proxy-addr": "~2.0.7",
-        "qs": "~6.14.0",
-        "range-parser": "~1.2.1",
-        "safe-buffer": "5.2.1",
-        "send": "~0.19.0",
-        "serve-static": "~1.16.2",
-        "setprototypeof": "1.2.0",
-        "statuses": "~2.0.1",
-        "type-is": "~1.6.18",
-        "utils-merge": "1.0.1",
-        "vary": "~1.1.2"
-      },
-      "engines": {
-        "node": ">= 0.10.0"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
-      }
-    },
-    "node_modules/fill-range": {
-      "version": "7.1.1",
-      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
-      "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
-      "license": "MIT",
-      "dependencies": {
-        "to-regex-range": "^5.0.1"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/finalhandler": {
-      "version": "1.3.2",
-      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.3.2.tgz",
-      "integrity": "sha512-aA4RyPcd3badbdABGDuTXCMTtOneUCAYH/gxoYRTZlIJdF0YPWuGqiAsIrhNnnqdXGswYk6dGujem4w80UJFhg==",
-      "license": "MIT",
-      "dependencies": {
-        "debug": "2.6.9",
-        "encodeurl": "~2.0.0",
-        "escape-html": "~1.0.3",
-        "on-finished": "~2.4.1",
-        "parseurl": "~1.3.3",
-        "statuses": "~2.0.2",
-        "unpipe": "~1.0.0"
-      },
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/find-up": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",
-      "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
-      "license": "MIT",
-      "dependencies": {
-        "locate-path": "^5.0.0",
-        "path-exists": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/forwarded": {
-      "version": "0.2.0",
-      "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz",
-      "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/fresh": {
-      "version": "0.5.2",
-      "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
-      "integrity": "sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/fsevents": {
-      "version": "2.3.3",
-      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
-      "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
-      "hasInstallScript": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "engines": {
-        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
-      }
-    },
-    "node_modules/function-bind": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
-      "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
-      "license": "MIT",
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/get-caller-file": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz",
-      "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==",
-      "license": "ISC",
-      "engines": {
-        "node": "6.* || 8.* || >= 10.*"
-      }
-    },
-    "node_modules/get-intrinsic": {
-      "version": "1.3.0",
-      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz",
-      "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==",
-      "license": "MIT",
-      "dependencies": {
-        "call-bind-apply-helpers": "^1.0.2",
-        "es-define-property": "^1.0.1",
-        "es-errors": "^1.3.0",
-        "es-object-atoms": "^1.1.1",
-        "function-bind": "^1.1.2",
-        "get-proto": "^1.0.1",
-        "gopd": "^1.2.0",
-        "has-symbols": "^1.1.0",
-        "hasown": "^2.0.2",
-        "math-intrinsics": "^1.1.0"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/get-proto": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz",
-      "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==",
-      "license": "MIT",
-      "dependencies": {
-        "dunder-proto": "^1.0.1",
-        "es-object-atoms": "^1.0.0"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
-    "node_modules/glob-parent": {
-      "version": "5.1.2",
-      "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
-      "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
-      "license": "ISC",
-      "dependencies": {
-        "is-glob": "^4.0.1"
-      },
-      "engines": {
-        "node": ">= 6"
-      }
-    },
-    "node_modules/gopd": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
-      "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/has-symbols": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
-      "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/hasown": {
-      "version": "2.0.3",
-      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz",
-      "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==",
-      "license": "MIT",
-      "dependencies": {
-        "function-bind": "^1.1.2"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
-    "node_modules/http-errors": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
-      "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==",
-      "license": "MIT",
-      "dependencies": {
-        "depd": "~2.0.0",
-        "inherits": "~2.0.4",
-        "setprototypeof": "~1.2.0",
-        "statuses": "~2.0.2",
-        "toidentifier": "~1.0.1"
-      },
-      "engines": {
-        "node": ">= 0.8"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
-      }
-    },
-    "node_modules/iconv-lite": {
-      "version": "0.4.24",
-      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
-      "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
-      "license": "MIT",
-      "dependencies": {
-        "safer-buffer": ">= 2.1.2 < 3"
-      },
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/inherits": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
-      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
-      "license": "ISC"
-    },
-    "node_modules/ipaddr.js": {
-      "version": "1.9.1",
-      "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",
-      "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.10"
-      }
-    },
-    "node_modules/is-binary-path": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz",
-      "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==",
-      "license": "MIT",
-      "dependencies": {
-        "binary-extensions": "^2.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/is-extglob": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
-      "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/is-fullwidth-code-point": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
-      "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/is-glob": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz",
-      "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
-      "license": "MIT",
-      "dependencies": {
-        "is-extglob": "^2.1.1"
-      },
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/is-number": {
-      "version": "7.0.0",
-      "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
-      "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.12.0"
-      }
-    },
-    "node_modules/locate-path": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz",
-      "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
-      "license": "MIT",
-      "dependencies": {
-        "p-locate": "^4.1.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/math-intrinsics": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
-      "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.4"
-      }
-    },
-    "node_modules/media-typer": {
-      "version": "0.3.0",
-      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
-      "integrity": "sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/merge-descriptors": {
-      "version": "1.0.3",
-      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.3.tgz",
-      "integrity": "sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==",
-      "license": "MIT",
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
-    "node_modules/methods": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz",
-      "integrity": "sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/mime": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz",
-      "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==",
-      "license": "MIT",
-      "bin": {
-        "mime": "cli.js"
-      },
-      "engines": {
-        "node": ">=4"
-      }
-    },
-    "node_modules/mime-db": {
-      "version": "1.52.0",
-      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
-      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/mime-types": {
-      "version": "2.1.35",
-      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
-      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
-      "license": "MIT",
-      "dependencies": {
-        "mime-db": "1.52.0"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/ms": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
-      "license": "MIT"
-    },
-    "node_modules/negotiator": {
-      "version": "0.6.3",
-      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz",
-      "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/normalize-path": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
-      "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/object-inspect": {
-      "version": "1.13.4",
-      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz",
-      "integrity": "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/on-finished": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz",
-      "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==",
-      "license": "MIT",
-      "dependencies": {
-        "ee-first": "1.1.1"
-      },
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/on-headers": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.1.0.tgz",
-      "integrity": "sha512-737ZY3yNnXy37FHkQxPzt4UZ2UWPWiCZWLvFZ4fu5cueciegX0zGPnrlY6bwRg4FdQOe9YU8MkmJwGhoMybl8A==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/otplib": {
-      "version": "12.0.1",
-      "resolved": "https://registry.npmjs.org/otplib/-/otplib-12.0.1.tgz",
-      "integrity": "sha512-xDGvUOQjop7RDgxTQ+o4pOol0/3xSZzawTiPKRrHnQWAy0WjhNs/5HdIDJCrqC4MBynmjXgULc6YfioaxZeFgg==",
-      "license": "MIT",
-      "dependencies": {
-        "@otplib/core": "^12.0.1",
-        "@otplib/preset-default": "^12.0.1",
-        "@otplib/preset-v11": "^12.0.1"
-      }
-    },
-    "node_modules/p-limit": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.3.0.tgz",
-      "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
-      "license": "MIT",
-      "dependencies": {
-        "p-try": "^2.0.0"
-      },
-      "engines": {
-        "node": ">=6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
-    "node_modules/p-locate": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-4.1.0.tgz",
-      "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
-      "license": "MIT",
-      "dependencies": {
-        "p-limit": "^2.2.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/p-try": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
-      "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=6"
-      }
-    },
-    "node_modules/parseurl": {
-      "version": "1.3.3",
-      "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
-      "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/path-exists": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
-      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/path-to-regexp": {
-      "version": "0.1.13",
-      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.13.tgz",
-      "integrity": "sha512-A/AGNMFN3c8bOlvV9RreMdrv7jsmF9XIfDeCd87+I8RNg6s78BhJxMu69NEMHBSJFxKidViTEdruRwEk/WIKqA==",
-      "license": "MIT"
-    },
-    "node_modules/picomatch": {
-      "version": "2.3.2",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
-      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=8.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/jonschlinkert"
-      }
-    },
-    "node_modules/pngjs": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/pngjs/-/pngjs-5.0.0.tgz",
-      "integrity": "sha512-40QW5YalBNfQo5yRYmiw7Yz6TKKVr3h6970B2YE+3fQpsWcrbj1PzJgxeJ19DRQjhMbKPIuMY8rFaXc8moolVw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=10.13.0"
-      }
-    },
-    "node_modules/proxy-addr": {
-      "version": "2.0.7",
-      "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz",
-      "integrity": "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==",
-      "license": "MIT",
-      "dependencies": {
-        "forwarded": "0.2.0",
-        "ipaddr.js": "1.9.1"
-      },
-      "engines": {
-        "node": ">= 0.10"
-      }
-    },
-    "node_modules/qrcode": {
-      "version": "1.5.4",
-      "resolved": "https://registry.npmjs.org/qrcode/-/qrcode-1.5.4.tgz",
-      "integrity": "sha512-1ca71Zgiu6ORjHqFBDpnSMTR2ReToX4l1Au1VFLyVeBTFavzQnv5JxMFr3ukHVKpSrSA2MCk0lNJSykjUfz7Zg==",
-      "license": "MIT",
-      "dependencies": {
-        "dijkstrajs": "^1.0.1",
-        "pngjs": "^5.0.0",
-        "yargs": "^15.3.1"
-      },
-      "bin": {
-        "qrcode": "bin/qrcode"
-      },
-      "engines": {
-        "node": ">=10.13.0"
-      }
-    },
-    "node_modules/qs": {
-      "version": "6.14.2",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.2.tgz",
-      "integrity": "sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==",
-      "license": "BSD-3-Clause",
-      "dependencies": {
-        "side-channel": "^1.1.0"
-      },
-      "engines": {
-        "node": ">=0.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/range-parser": {
-      "version": "1.2.1",
-      "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
-      "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/raw-body": {
-      "version": "2.5.3",
-      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.3.tgz",
-      "integrity": "sha512-s4VSOf6yN0rvbRZGxs8Om5CWj6seneMwK3oDb4lWDH0UPhWcxwOWw5+qk24bxq87szX1ydrwylIOp2uG1ojUpA==",
-      "license": "MIT",
-      "dependencies": {
-        "bytes": "~3.1.2",
-        "http-errors": "~2.0.1",
-        "iconv-lite": "~0.4.24",
-        "unpipe": "~1.0.0"
-      },
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/readdirp": {
-      "version": "3.6.0",
-      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz",
-      "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==",
-      "license": "MIT",
-      "dependencies": {
-        "picomatch": "^2.2.1"
-      },
-      "engines": {
-        "node": ">=8.10.0"
-      }
-    },
-    "node_modules/require-directory": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz",
-      "integrity": "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/require-main-filename": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/require-main-filename/-/require-main-filename-2.0.0.tgz",
-      "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==",
-      "license": "ISC"
-    },
-    "node_modules/safe-buffer": {
-      "version": "5.2.1",
-      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
-      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/feross"
-        },
-        {
-          "type": "patreon",
-          "url": "https://www.patreon.com/feross"
-        },
-        {
-          "type": "consulting",
-          "url": "https://feross.org/support"
-        }
-      ],
-      "license": "MIT"
-    },
-    "node_modules/safer-buffer": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
-      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
-      "license": "MIT"
-    },
-    "node_modules/send": {
-      "version": "0.19.2",
-      "resolved": "https://registry.npmjs.org/send/-/send-0.19.2.tgz",
-      "integrity": "sha512-VMbMxbDeehAxpOtWJXlcUS5E8iXh6QmN+BkRX1GARS3wRaXEEgzCcB10gTQazO42tpNIya8xIyNx8fll1OFPrg==",
-      "license": "MIT",
-      "dependencies": {
-        "debug": "2.6.9",
-        "depd": "2.0.0",
-        "destroy": "1.2.0",
-        "encodeurl": "~2.0.0",
-        "escape-html": "~1.0.3",
-        "etag": "~1.8.1",
-        "fresh": "~0.5.2",
-        "http-errors": "~2.0.1",
-        "mime": "1.6.0",
-        "ms": "2.1.3",
-        "on-finished": "~2.4.1",
-        "range-parser": "~1.2.1",
-        "statuses": "~2.0.2"
-      },
-      "engines": {
-        "node": ">= 0.8.0"
-      }
-    },
-    "node_modules/send/node_modules/ms": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
-      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
-      "license": "MIT"
-    },
-    "node_modules/serve-static": {
-      "version": "1.16.3",
-      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.3.tgz",
-      "integrity": "sha512-x0RTqQel6g5SY7Lg6ZreMmsOzncHFU7nhnRWkKgWuMTu5NN0DR5oruckMqRvacAN9d5w6ARnRBXl9xhDCgfMeA==",
-      "license": "MIT",
-      "dependencies": {
-        "encodeurl": "~2.0.0",
-        "escape-html": "~1.0.3",
-        "parseurl": "~1.3.3",
-        "send": "~0.19.1"
-      },
-      "engines": {
-        "node": ">= 0.8.0"
-      }
-    },
-    "node_modules/set-blocking": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz",
-      "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==",
-      "license": "ISC"
-    },
-    "node_modules/setprototypeof": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz",
-      "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==",
-      "license": "ISC"
-    },
-    "node_modules/side-channel": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz",
-      "integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==",
-      "license": "MIT",
-      "dependencies": {
-        "es-errors": "^1.3.0",
-        "object-inspect": "^1.13.3",
-        "side-channel-list": "^1.0.0",
-        "side-channel-map": "^1.0.1",
-        "side-channel-weakmap": "^1.0.2"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/side-channel-list": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.1.tgz",
-      "integrity": "sha512-mjn/0bi/oUURjc5Xl7IaWi/OJJJumuoJFQJfDDyO46+hBWsfaVM65TBHq2eoZBhzl9EchxOijpkbRC8SVBQU0w==",
-      "license": "MIT",
-      "dependencies": {
-        "es-errors": "^1.3.0",
-        "object-inspect": "^1.13.4"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/side-channel-map": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/side-channel-map/-/side-channel-map-1.0.1.tgz",
-      "integrity": "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==",
-      "license": "MIT",
-      "dependencies": {
-        "call-bound": "^1.0.2",
-        "es-errors": "^1.3.0",
-        "get-intrinsic": "^1.2.5",
-        "object-inspect": "^1.13.3"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/side-channel-weakmap": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz",
-      "integrity": "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==",
-      "license": "MIT",
-      "dependencies": {
-        "call-bound": "^1.0.2",
-        "es-errors": "^1.3.0",
-        "get-intrinsic": "^1.2.5",
-        "object-inspect": "^1.13.3",
-        "side-channel-map": "^1.0.1"
-      },
-      "engines": {
-        "node": ">= 0.4"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/ljharb"
-      }
-    },
-    "node_modules/statuses": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz",
-      "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/string-width": {
-      "version": "4.2.3",
-      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
-      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
-      "license": "MIT",
-      "dependencies": {
-        "emoji-regex": "^8.0.0",
-        "is-fullwidth-code-point": "^3.0.0",
-        "strip-ansi": "^6.0.1"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/strip-ansi": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
-      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
-      "license": "MIT",
-      "dependencies": {
-        "ansi-regex": "^5.0.1"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/thirty-two": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/thirty-two/-/thirty-two-1.0.2.tgz",
-      "integrity": "sha512-OEI0IWCe+Dw46019YLl6V10Us5bi574EvlJEOcAkB29IzQ/mYD1A6RyNHLjZPiHCmuodxvgF6U+vZO1L15lxVA==",
-      "engines": {
-        "node": ">=0.2.6"
-      }
-    },
-    "node_modules/to-regex-range": {
-      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
-      "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
-      "license": "MIT",
-      "dependencies": {
-        "is-number": "^7.0.0"
-      },
-      "engines": {
-        "node": ">=8.0"
-      }
-    },
-    "node_modules/toidentifier": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz",
-      "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=0.6"
-      }
-    },
-    "node_modules/type-is": {
-      "version": "1.6.18",
-      "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
-      "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==",
-      "license": "MIT",
-      "dependencies": {
-        "media-typer": "0.3.0",
-        "mime-types": "~2.1.24"
-      },
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
-    "node_modules/unpipe": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
-      "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/utils-merge": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz",
-      "integrity": "sha512-pMZTvIkT1d+TFGvDOqodOclx0QWkkgi6Tdoa8gC8ffGAAqz9pzPTZWAybbsHHoED/ztMtkv/VoYTYyShUn81hA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.4.0"
-      }
-    },
-    "node_modules/vary": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
-      "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 0.8"
-      }
-    },
-    "node_modules/which-module": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/which-module/-/which-module-2.0.1.tgz",
-      "integrity": "sha512-iBdZ57RDvnOR9AGBhML2vFZf7h8vmBjhoaZqODJBFWHVtKkDmKuHai3cx5PgVMrX5YDNp27AofYbAwctSS+vhQ==",
-      "license": "ISC"
-    },
-    "node_modules/wrap-ansi": {
-      "version": "6.2.0",
-      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-6.2.0.tgz",
-      "integrity": "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA==",
-      "license": "MIT",
-      "dependencies": {
-        "ansi-styles": "^4.0.0",
-        "string-width": "^4.1.0",
-        "strip-ansi": "^6.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/ws": {
-      "version": "8.20.0",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz",
-      "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=10.0.0"
-      },
-      "peerDependencies": {
-        "bufferutil": "^4.0.1",
-        "utf-8-validate": ">=5.0.2"
-      },
-      "peerDependenciesMeta": {
-        "bufferutil": {
-          "optional": true
-        },
-        "utf-8-validate": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/y18n": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.3.tgz",
-      "integrity": "sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ==",
-      "license": "ISC"
-    },
-    "node_modules/yargs": {
-      "version": "15.4.1",
-      "resolved": "https://registry.npmjs.org/yargs/-/yargs-15.4.1.tgz",
-      "integrity": "sha512-aePbxDmcYW++PaqBsJ+HYUFwCdv4LVvdnhBy78E57PIor8/OVvhMrADFFEDh8DHDFRv/O9i3lPhsENjO7QX0+A==",
-      "license": "MIT",
-      "dependencies": {
-        "cliui": "^6.0.0",
-        "decamelize": "^1.2.0",
-        "find-up": "^4.1.0",
-        "get-caller-file": "^2.0.1",
-        "require-directory": "^2.1.1",
-        "require-main-filename": "^2.0.0",
-        "set-blocking": "^2.0.0",
-        "string-width": "^4.2.0",
-        "which-module": "^2.0.0",
-        "y18n": "^4.0.0",
-        "yargs-parser": "^18.1.2"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/yargs-parser": {
-      "version": "18.1.3",
-      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-18.1.3.tgz",
-      "integrity": "sha512-o50j0JeToy/4K6OZcaQmW6lyXXKhq7csREXcDwk2omFPJEwUNOVtJKvmDr9EI1fAJZUyZcRF7kxGBWmRXudrCQ==",
-      "license": "ISC",
-      "dependencies": {
-        "camelcase": "^5.0.0",
-        "decamelize": "^1.2.0"
-      },
-      "engines": {
-        "node": ">=6"
-      }
-    }
-  }
-}
+{
+  "name": "obsidian-web-server",
+  "version": "0.1.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "obsidian-web-server",
+      "version": "0.1.0",
+      "dependencies": {
+        "chokidar": "^3.6.0",
+        "compression": "^1.8.1",
+        "express": "^4.21.0",
+        "otplib": "^12.0.1",
+        "qrcode": "^1.5.4",
+        "ws": "^8.18.0"
+      }
+    },
+    "node_modules/@otplib/core": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/@otplib/core/-/core-12.0.1.tgz",
+      "integrity": "sha512-4sGntwbA/AC+SbPhbsziRiD+jNDdIzsZ3JUyfZwjtKyc/wufl1pnSIaG4Uqx8ymPagujub0o92kgBnB89cuAMA==",
+      "license": "MIT"
+    },
+    "node_modules/@otplib/plugin-crypto": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/@otplib/plugin-crypto/-/plugin-crypto-12.0.1.tgz",
+      "integrity": "sha512-qPuhN3QrT7ZZLcLCyKOSNhuijUi9G5guMRVrxq63r9YNOxxQjPm59gVxLM+7xGnHnM6cimY57tuKsjK7y9LM1g==",
+      "deprecated": "Please upgrade to v13 of otplib. Refer to otplib docs for migration paths",
+      "license": "MIT",
+      "dependencies": {
+        "@otplib/core": "^12.0.1"
+      }
+    },
+    "node_modules/@otplib/plugin-thirty-two": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/@otplib/plugin-thirty-two/-/plugin-thirty-two-12.0.1.tgz",
+      "integrity": "sha512-MtT+uqRso909UkbrrYpJ6XFjj9D+x2Py7KjTO9JDPhL0bJUYVu5kFP4TFZW4NFAywrAtFRxOVY261u0qwb93gA==",
+      "deprecated": "Please upgrade to v13 of otplib. Refer to otplib docs for migration paths",
+      "license": "MIT",
+      "dependencies": {
+        "@otplib/core": "^12.0.1",
+        "thirty-two": "^1.0.2"
+      }
+    },
+    "node_modules/@otplib/preset-default": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/@otplib/preset-default/-/preset-default-12.0.1.tgz",
+      "integrity": "sha512-xf1v9oOJRyXfluBhMdpOkr+bsE+Irt+0D5uHtvg6x1eosfmHCsCC6ej/m7FXiWqdo0+ZUI6xSKDhJwc8yfiOPQ==",
+      "deprecated": "Please upgrade to v13 of otplib. Refer to otplib docs for migration paths",
+      "license": "MIT",
+      "dependencies": {
+        "@otplib/core": "^12.0.1",
+        "@otplib/plugin-crypto": "^12.0.1",
+        "@otplib/plugin-thirty-two": "^12.0.1"
+      }
+    },
+    "node_modules/@otplib/preset-v11": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/@otplib/preset-v11/-/preset-v11-12.0.1.tgz",
+      "integrity": "sha512-9hSetMI7ECqbFiKICrNa4w70deTUfArtwXykPUvSHWOdzOlfa9ajglu7mNCntlvxycTiOAXkQGwjQCzzDEMRMg==",
+      "license": "MIT",
+      "dependencies": {
+        "@otplib/core": "^12.0.1",
+        "@otplib/plugin-crypto": "^12.0.1",
+        "@otplib/plugin-thirty-two": "^12.0.1"
+      }
+    },
+    "node_modules/accepts": {
+      "version": "1.3.8",
+      "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz",
+      "integrity": "sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-types": "~2.1.34",
+        "negotiator": "0.6.3"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/ansi-regex": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/ansi-styles": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
+      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+      "license": "MIT",
+      "dependencies": {
+        "color-convert": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      }
+    },
+    "node_modules/anymatch": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz",
+      "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==",
+      "license": "ISC",
+      "dependencies": {
+        "normalize-path": "^3.0.0",
+        "picomatch": "^2.0.4"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/array-flatten": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz",
+      "integrity": "sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg==",
+      "license": "MIT"
+    },
+    "node_modules/binary-extensions": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
+      "integrity": "sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/body-parser": {
+      "version": "1.20.5",
+      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.5.tgz",
+      "integrity": "sha512-3grm+/2tUOvu2cjJkvsIxrv/wVpfXQW4PsQHYm7yk4vfpu7Ekl6nEsYBoJUL6qDwZUx8wUhQ8tR2qz+ad9c9OA==",
+      "license": "MIT",
+      "dependencies": {
+        "bytes": "~3.1.2",
+        "content-type": "~1.0.5",
+        "debug": "2.6.9",
+        "depd": "2.0.0",
+        "destroy": "~1.2.0",
+        "http-errors": "~2.0.1",
+        "iconv-lite": "~0.4.24",
+        "on-finished": "~2.4.1",
+        "qs": "~6.15.1",
+        "raw-body": "~2.5.3",
+        "type-is": "~1.6.18",
+        "unpipe": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8",
+        "npm": "1.2.8000 || >= 1.4.16"
+      }
+    },
+    "node_modules/body-parser/node_modules/qs": {
+      "version": "6.15.1",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.1.tgz",
+      "integrity": "sha512-6YHEFRL9mfgcAvql/XhwTvf5jKcOiiupt2FiJxHkiX1z4j7WL8J/jRHYLluORvc1XxB5rV20KoeK00gVJamspg==",
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "side-channel": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=0.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/braces": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
+      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
+      "license": "MIT",
+      "dependencies": {
+        "fill-range": "^7.1.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/bytes": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
+      "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/call-bind-apply-helpers": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz",
+      "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/call-bound": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/call-bound/-/call-bound-1.0.4.tgz",
+      "integrity": "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.2",
+        "get-intrinsic": "^1.3.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/camelcase": {
+      "version": "5.3.1",
+      "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-5.3.1.tgz",
+      "integrity": "sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/chokidar": {
+      "version": "3.6.0",
+      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz",
+      "integrity": "sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==",
+      "license": "MIT",
+      "dependencies": {
+        "anymatch": "~3.1.2",
+        "braces": "~3.0.2",
+        "glob-parent": "~5.1.2",
+        "is-binary-path": "~2.1.0",
+        "is-glob": "~4.0.1",
+        "normalize-path": "~3.0.0",
+        "readdirp": "~3.6.0"
+      },
+      "engines": {
+        "node": ">= 8.10.0"
+      },
+      "funding": {
+        "url": "https://paulmillr.com/funding/"
+      },
+      "optionalDependencies": {
+        "fsevents": "~2.3.2"
+      }
+    },
+    "node_modules/cliui": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/cliui/-/cliui-6.0.0.tgz",
+      "integrity": "sha512-t6wbgtoCXvAzst7QgXxJYqPt0usEfbgQdftEPbLL/cvv6HPE5VgvqCuAIDR0NgU52ds6rFwqrgakNLrHEjCbrQ==",
+      "license": "ISC",
+      "dependencies": {
+        "string-width": "^4.2.0",
+        "strip-ansi": "^6.0.0",
+        "wrap-ansi": "^6.2.0"
+      }
+    },
+    "node_modules/color-convert": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
+      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+      "license": "MIT",
+      "dependencies": {
+        "color-name": "~1.1.4"
+      },
+      "engines": {
+        "node": ">=7.0.0"
+      }
+    },
+    "node_modules/color-name": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
+      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
+      "license": "MIT"
+    },
+    "node_modules/compressible": {
+      "version": "2.0.18",
+      "resolved": "https://registry.npmjs.org/compressible/-/compressible-2.0.18.tgz",
+      "integrity": "sha512-AF3r7P5dWxL8MxyITRMlORQNaOA2IkAFaTr4k7BUumjPtRpGDTZpl0Pb1XCO6JeDCBdp126Cgs9sMxqSjgYyRg==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-db": ">= 1.43.0 < 2"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/compression": {
+      "version": "1.8.1",
+      "resolved": "https://registry.npmjs.org/compression/-/compression-1.8.1.tgz",
+      "integrity": "sha512-9mAqGPHLakhCLeNyxPkK4xVo746zQ/czLH1Ky+vkitMnWfWZps8r0qXuwhwizagCRttsL4lfG4pIOvaWLpAP0w==",
+      "license": "MIT",
+      "dependencies": {
+        "bytes": "3.1.2",
+        "compressible": "~2.0.18",
+        "debug": "2.6.9",
+        "negotiator": "~0.6.4",
+        "on-headers": "~1.1.0",
+        "safe-buffer": "5.2.1",
+        "vary": "~1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/compression/node_modules/negotiator": {
+      "version": "0.6.4",
+      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.4.tgz",
+      "integrity": "sha512-myRT3DiWPHqho5PrJaIRyaMv2kgYf0mUVgBNOYMuCH5Ki1yEiQaf/ZJuQ62nvpc44wL5WDbTX7yGJi1Neevw8w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/content-disposition": {
+      "version": "0.5.4",
+      "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.4.tgz",
+      "integrity": "sha512-FveZTNuGw04cxlAiWbzi6zTAL/lhehaWbTtgluJh4/E95DqMwTmha3KZN1aAWA8cFIhHzMZUvLevkw5Rqk+tSQ==",
+      "license": "MIT",
+      "dependencies": {
+        "safe-buffer": "5.2.1"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/content-type": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz",
+      "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/cookie": {
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/cookie-signature": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.7.tgz",
+      "integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA==",
+      "license": "MIT"
+    },
+    "node_modules/debug": {
+      "version": "2.6.9",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "license": "MIT",
+      "dependencies": {
+        "ms": "2.0.0"
+      }
+    },
+    "node_modules/decamelize": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/decamelize/-/decamelize-1.2.0.tgz",
+      "integrity": "sha512-z2S+W9X73hAUUki+N+9Za2lBlun89zigOyGrsax+KUQ6wKW4ZoWpEYBkGhQjwAjjDCkWxhY0VKEhk8wzY7F5cA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/depd": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz",
+      "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/destroy": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz",
+      "integrity": "sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8",
+        "npm": "1.2.8000 || >= 1.4.16"
+      }
+    },
+    "node_modules/dijkstrajs": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/dijkstrajs/-/dijkstrajs-1.0.3.tgz",
+      "integrity": "sha512-qiSlmBq9+BCdCA/L46dw8Uy93mloxsPSbwnm5yrKn2vMPiy8KyAskTF6zuV/j5BMsmOGZDPs7KjU+mjb670kfA==",
+      "license": "MIT"
+    },
+    "node_modules/dunder-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
+      "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "gopd": "^1.2.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/ee-first": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
+      "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==",
+      "license": "MIT"
+    },
+    "node_modules/emoji-regex": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
+      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
+      "license": "MIT"
+    },
+    "node_modules/encodeurl": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz",
+      "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/es-define-property": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
+      "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-errors": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
+      "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-object-atoms": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz",
+      "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/escape-html": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
+      "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==",
+      "license": "MIT"
+    },
+    "node_modules/etag": {
+      "version": "1.8.1",
+      "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
+      "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/express": {
+      "version": "4.22.1",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.22.1.tgz",
+      "integrity": "sha512-F2X8g9P1X7uCPZMA3MVf9wcTqlyNp7IhH5qPCI0izhaOIYXaW9L535tGA3qmjRzpH+bZczqq7hVKxTR4NWnu+g==",
+      "license": "MIT",
+      "dependencies": {
+        "accepts": "~1.3.8",
+        "array-flatten": "1.1.1",
+        "body-parser": "~1.20.3",
+        "content-disposition": "~0.5.4",
+        "content-type": "~1.0.4",
+        "cookie": "~0.7.1",
+        "cookie-signature": "~1.0.6",
+        "debug": "2.6.9",
+        "depd": "2.0.0",
+        "encodeurl": "~2.0.0",
+        "escape-html": "~1.0.3",
+        "etag": "~1.8.1",
+        "finalhandler": "~1.3.1",
+        "fresh": "~0.5.2",
+        "http-errors": "~2.0.0",
+        "merge-descriptors": "1.0.3",
+        "methods": "~1.1.2",
+        "on-finished": "~2.4.1",
+        "parseurl": "~1.3.3",
+        "path-to-regexp": "~0.1.12",
+        "proxy-addr": "~2.0.7",
+        "qs": "~6.14.0",
+        "range-parser": "~1.2.1",
+        "safe-buffer": "5.2.1",
+        "send": "~0.19.0",
+        "serve-static": "~1.16.2",
+        "setprototypeof": "1.2.0",
+        "statuses": "~2.0.1",
+        "type-is": "~1.6.18",
+        "utils-merge": "1.0.1",
+        "vary": "~1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.10.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/fill-range": {
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
+      "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
+      "license": "MIT",
+      "dependencies": {
+        "to-regex-range": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/finalhandler": {
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.3.2.tgz",
+      "integrity": "sha512-aA4RyPcd3badbdABGDuTXCMTtOneUCAYH/gxoYRTZlIJdF0YPWuGqiAsIrhNnnqdXGswYk6dGujem4w80UJFhg==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "2.6.9",
+        "encodeurl": "~2.0.0",
+        "escape-html": "~1.0.3",
+        "on-finished": "~2.4.1",
+        "parseurl": "~1.3.3",
+        "statuses": "~2.0.2",
+        "unpipe": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/find-up": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",
+      "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+      "license": "MIT",
+      "dependencies": {
+        "locate-path": "^5.0.0",
+        "path-exists": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/forwarded": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz",
+      "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/fresh": {
+      "version": "0.5.2",
+      "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
+      "integrity": "sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/fsevents": {
+      "version": "2.3.3",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
+      "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/function-bind": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
+      "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-caller-file": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz",
+      "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==",
+      "license": "ISC",
+      "engines": {
+        "node": "6.* || 8.* || >= 10.*"
+      }
+    },
+    "node_modules/get-intrinsic": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz",
+      "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.2",
+        "es-define-property": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "es-object-atoms": "^1.1.1",
+        "function-bind": "^1.1.2",
+        "get-proto": "^1.0.1",
+        "gopd": "^1.2.0",
+        "has-symbols": "^1.1.0",
+        "hasown": "^2.0.2",
+        "math-intrinsics": "^1.1.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz",
+      "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==",
+      "license": "MIT",
+      "dependencies": {
+        "dunder-proto": "^1.0.1",
+        "es-object-atoms": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/glob-parent": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
+      "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
+      "license": "ISC",
+      "dependencies": {
+        "is-glob": "^4.0.1"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/gopd": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
+      "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-symbols": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
+      "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/hasown": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.3.tgz",
+      "integrity": "sha512-ej4AhfhfL2Q2zpMmLo7U1Uv9+PyhIZpgQLGT1F9miIGmiCJIoCgSmczFdrc97mWT4kVY72KA+WnnhJ5pghSvSg==",
+      "license": "MIT",
+      "dependencies": {
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/http-errors": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
+      "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==",
+      "license": "MIT",
+      "dependencies": {
+        "depd": "~2.0.0",
+        "inherits": "~2.0.4",
+        "setprototypeof": "~1.2.0",
+        "statuses": "~2.0.2",
+        "toidentifier": "~1.0.1"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/iconv-lite": {
+      "version": "0.4.24",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
+      "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+      "license": "MIT",
+      "dependencies": {
+        "safer-buffer": ">= 2.1.2 < 3"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/inherits": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
+      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
+      "license": "ISC"
+    },
+    "node_modules/ipaddr.js": {
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",
+      "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
+    "node_modules/is-binary-path": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz",
+      "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==",
+      "license": "MIT",
+      "dependencies": {
+        "binary-extensions": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/is-extglob": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
+      "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-fullwidth-code-point": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
+      "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/is-glob": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz",
+      "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
+      "license": "MIT",
+      "dependencies": {
+        "is-extglob": "^2.1.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-number": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
+      "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.12.0"
+      }
+    },
+    "node_modules/locate-path": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz",
+      "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+      "license": "MIT",
+      "dependencies": {
+        "p-locate": "^4.1.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/math-intrinsics": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
+      "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/media-typer": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
+      "integrity": "sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/merge-descriptors": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.3.tgz",
+      "integrity": "sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/methods": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz",
+      "integrity": "sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz",
+      "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==",
+      "license": "MIT",
+      "bin": {
+        "mime": "cli.js"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/mime-db": {
+      "version": "1.52.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
+      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime-types": {
+      "version": "2.1.35",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
+      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-db": "1.52.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/ms": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
+      "license": "MIT"
+    },
+    "node_modules/negotiator": {
+      "version": "0.6.3",
+      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz",
+      "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/normalize-path": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
+      "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object-inspect": {
+      "version": "1.13.4",
+      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz",
+      "integrity": "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/on-finished": {
+      "version": "2.4.1",
+      "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz",
+      "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==",
+      "license": "MIT",
+      "dependencies": {
+        "ee-first": "1.1.1"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/on-headers": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.1.0.tgz",
+      "integrity": "sha512-737ZY3yNnXy37FHkQxPzt4UZ2UWPWiCZWLvFZ4fu5cueciegX0zGPnrlY6bwRg4FdQOe9YU8MkmJwGhoMybl8A==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/otplib": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/otplib/-/otplib-12.0.1.tgz",
+      "integrity": "sha512-xDGvUOQjop7RDgxTQ+o4pOol0/3xSZzawTiPKRrHnQWAy0WjhNs/5HdIDJCrqC4MBynmjXgULc6YfioaxZeFgg==",
+      "license": "MIT",
+      "dependencies": {
+        "@otplib/core": "^12.0.1",
+        "@otplib/preset-default": "^12.0.1",
+        "@otplib/preset-v11": "^12.0.1"
+      }
+    },
+    "node_modules/p-limit": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.3.0.tgz",
+      "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+      "license": "MIT",
+      "dependencies": {
+        "p-try": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/p-locate": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-4.1.0.tgz",
+      "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+      "license": "MIT",
+      "dependencies": {
+        "p-limit": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/p-try": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
+      "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/parseurl": {
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
+      "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/path-exists": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
+      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/path-to-regexp": {
+      "version": "0.1.13",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.13.tgz",
+      "integrity": "sha512-A/AGNMFN3c8bOlvV9RreMdrv7jsmF9XIfDeCd87+I8RNg6s78BhJxMu69NEMHBSJFxKidViTEdruRwEk/WIKqA==",
+      "license": "MIT"
+    },
+    "node_modules/picomatch": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jonschlinkert"
+      }
+    },
+    "node_modules/pngjs": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/pngjs/-/pngjs-5.0.0.tgz",
+      "integrity": "sha512-40QW5YalBNfQo5yRYmiw7Yz6TKKVr3h6970B2YE+3fQpsWcrbj1PzJgxeJ19DRQjhMbKPIuMY8rFaXc8moolVw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
+    "node_modules/proxy-addr": {
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz",
+      "integrity": "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==",
+      "license": "MIT",
+      "dependencies": {
+        "forwarded": "0.2.0",
+        "ipaddr.js": "1.9.1"
+      },
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
+    "node_modules/qrcode": {
+      "version": "1.5.4",
+      "resolved": "https://registry.npmjs.org/qrcode/-/qrcode-1.5.4.tgz",
+      "integrity": "sha512-1ca71Zgiu6ORjHqFBDpnSMTR2ReToX4l1Au1VFLyVeBTFavzQnv5JxMFr3ukHVKpSrSA2MCk0lNJSykjUfz7Zg==",
+      "license": "MIT",
+      "dependencies": {
+        "dijkstrajs": "^1.0.1",
+        "pngjs": "^5.0.0",
+        "yargs": "^15.3.1"
+      },
+      "bin": {
+        "qrcode": "bin/qrcode"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
+    "node_modules/qs": {
+      "version": "6.14.2",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.2.tgz",
+      "integrity": "sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==",
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "side-channel": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=0.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/range-parser": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
+      "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/raw-body": {
+      "version": "2.5.3",
+      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.3.tgz",
+      "integrity": "sha512-s4VSOf6yN0rvbRZGxs8Om5CWj6seneMwK3oDb4lWDH0UPhWcxwOWw5+qk24bxq87szX1ydrwylIOp2uG1ojUpA==",
+      "license": "MIT",
+      "dependencies": {
+        "bytes": "~3.1.2",
+        "http-errors": "~2.0.1",
+        "iconv-lite": "~0.4.24",
+        "unpipe": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/readdirp": {
+      "version": "3.6.0",
+      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz",
+      "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==",
+      "license": "MIT",
+      "dependencies": {
+        "picomatch": "^2.2.1"
+      },
+      "engines": {
+        "node": ">=8.10.0"
+      }
+    },
+    "node_modules/require-directory": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz",
+      "integrity": "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/require-main-filename": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/require-main-filename/-/require-main-filename-2.0.0.tgz",
+      "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==",
+      "license": "ISC"
+    },
+    "node_modules/safe-buffer": {
+      "version": "5.2.1",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
+      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "license": "MIT"
+    },
+    "node_modules/safer-buffer": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
+      "license": "MIT"
+    },
+    "node_modules/send": {
+      "version": "0.19.2",
+      "resolved": "https://registry.npmjs.org/send/-/send-0.19.2.tgz",
+      "integrity": "sha512-VMbMxbDeehAxpOtWJXlcUS5E8iXh6QmN+BkRX1GARS3wRaXEEgzCcB10gTQazO42tpNIya8xIyNx8fll1OFPrg==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "2.6.9",
+        "depd": "2.0.0",
+        "destroy": "1.2.0",
+        "encodeurl": "~2.0.0",
+        "escape-html": "~1.0.3",
+        "etag": "~1.8.1",
+        "fresh": "~0.5.2",
+        "http-errors": "~2.0.1",
+        "mime": "1.6.0",
+        "ms": "2.1.3",
+        "on-finished": "~2.4.1",
+        "range-parser": "~1.2.1",
+        "statuses": "~2.0.2"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/send/node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
+      "license": "MIT"
+    },
+    "node_modules/serve-static": {
+      "version": "1.16.3",
+      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.3.tgz",
+      "integrity": "sha512-x0RTqQel6g5SY7Lg6ZreMmsOzncHFU7nhnRWkKgWuMTu5NN0DR5oruckMqRvacAN9d5w6ARnRBXl9xhDCgfMeA==",
+      "license": "MIT",
+      "dependencies": {
+        "encodeurl": "~2.0.0",
+        "escape-html": "~1.0.3",
+        "parseurl": "~1.3.3",
+        "send": "~0.19.1"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/set-blocking": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz",
+      "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==",
+      "license": "ISC"
+    },
+    "node_modules/setprototypeof": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz",
+      "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==",
+      "license": "ISC"
+    },
+    "node_modules/side-channel": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz",
+      "integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "object-inspect": "^1.13.3",
+        "side-channel-list": "^1.0.0",
+        "side-channel-map": "^1.0.1",
+        "side-channel-weakmap": "^1.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-list": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.1.tgz",
+      "integrity": "sha512-mjn/0bi/oUURjc5Xl7IaWi/OJJJumuoJFQJfDDyO46+hBWsfaVM65TBHq2eoZBhzl9EchxOijpkbRC8SVBQU0w==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "object-inspect": "^1.13.4"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-map": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/side-channel-map/-/side-channel-map-1.0.1.tgz",
+      "integrity": "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bound": "^1.0.2",
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.5",
+        "object-inspect": "^1.13.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-weakmap": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz",
+      "integrity": "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bound": "^1.0.2",
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.5",
+        "object-inspect": "^1.13.3",
+        "side-channel-map": "^1.0.1"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/statuses": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz",
+      "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/string-width": {
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
+      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+      "license": "MIT",
+      "dependencies": {
+        "emoji-regex": "^8.0.0",
+        "is-fullwidth-code-point": "^3.0.0",
+        "strip-ansi": "^6.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/strip-ansi": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/thirty-two": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/thirty-two/-/thirty-two-1.0.2.tgz",
+      "integrity": "sha512-OEI0IWCe+Dw46019YLl6V10Us5bi574EvlJEOcAkB29IzQ/mYD1A6RyNHLjZPiHCmuodxvgF6U+vZO1L15lxVA==",
+      "engines": {
+        "node": ">=0.2.6"
+      }
+    },
+    "node_modules/to-regex-range": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
+      "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+      "license": "MIT",
+      "dependencies": {
+        "is-number": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=8.0"
+      }
+    },
+    "node_modules/toidentifier": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz",
+      "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.6"
+      }
+    },
+    "node_modules/type-is": {
+      "version": "1.6.18",
+      "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
+      "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==",
+      "license": "MIT",
+      "dependencies": {
+        "media-typer": "0.3.0",
+        "mime-types": "~2.1.24"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/unpipe": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
+      "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/utils-merge": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz",
+      "integrity": "sha512-pMZTvIkT1d+TFGvDOqodOclx0QWkkgi6Tdoa8gC8ffGAAqz9pzPTZWAybbsHHoED/ztMtkv/VoYTYyShUn81hA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4.0"
+      }
+    },
+    "node_modules/vary": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
+      "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/which-module": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/which-module/-/which-module-2.0.1.tgz",
+      "integrity": "sha512-iBdZ57RDvnOR9AGBhML2vFZf7h8vmBjhoaZqODJBFWHVtKkDmKuHai3cx5PgVMrX5YDNp27AofYbAwctSS+vhQ==",
+      "license": "ISC"
+    },
+    "node_modules/wrap-ansi": {
+      "version": "6.2.0",
+      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-6.2.0.tgz",
+      "integrity": "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA==",
+      "license": "MIT",
+      "dependencies": {
+        "ansi-styles": "^4.0.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/ws": {
+      "version": "8.20.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz",
+      "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=10.0.0"
+      },
+      "peerDependencies": {
+        "bufferutil": "^4.0.1",
+        "utf-8-validate": ">=5.0.2"
+      },
+      "peerDependenciesMeta": {
+        "bufferutil": {
+          "optional": true
+        },
+        "utf-8-validate": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/y18n": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.3.tgz",
+      "integrity": "sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ==",
+      "license": "ISC"
+    },
+    "node_modules/yargs": {
+      "version": "15.4.1",
+      "resolved": "https://registry.npmjs.org/yargs/-/yargs-15.4.1.tgz",
+      "integrity": "sha512-aePbxDmcYW++PaqBsJ+HYUFwCdv4LVvdnhBy78E57PIor8/OVvhMrADFFEDh8DHDFRv/O9i3lPhsENjO7QX0+A==",
+      "license": "MIT",
+      "dependencies": {
+        "cliui": "^6.0.0",
+        "decamelize": "^1.2.0",
+        "find-up": "^4.1.0",
+        "get-caller-file": "^2.0.1",
+        "require-directory": "^2.1.1",
+        "require-main-filename": "^2.0.0",
+        "set-blocking": "^2.0.0",
+        "string-width": "^4.2.0",
+        "which-module": "^2.0.0",
+        "y18n": "^4.0.0",
+        "yargs-parser": "^18.1.2"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs-parser": {
+      "version": "18.1.3",
+      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-18.1.3.tgz",
+      "integrity": "sha512-o50j0JeToy/4K6OZcaQmW6lyXXKhq7csREXcDwk2omFPJEwUNOVtJKvmDr9EI1fAJZUyZcRF7kxGBWmRXudrCQ==",
+      "license": "ISC",
+      "dependencies": {
+        "camelcase": "^5.0.0",
+        "decamelize": "^1.2.0"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    }
+  }
+}
diff --git a/src/server/package.json b/src/server/package.json
index 6eb4049..a52a4b9 100644
--- a/src/server/package.json
+++ b/src/server/package.json
@@ -1,20 +1,20 @@
-{
-  "name": "obsidian-web-server",
-  "version": "0.1.0",
-  "description": "HTTP/WebSocket backend for Obsidian web wrapper",
-  "main": "index.js",
-  "type": "commonjs",
-  "scripts": {
-    "start": "node index.js",
-    "dev": "node --watch index.js",
-    "test": "node --test"
-  },
-  "dependencies": {
-    "chokidar": "^3.6.0",
-    "compression": "^1.8.1",
-    "express": "^4.21.0",
-    "otplib": "^12.0.1",
-    "qrcode": "^1.5.4",
-    "ws": "^8.18.0"
-  }
-}
+{
+  "name": "obsidian-web-server",
+  "version": "0.1.0",
+  "description": "HTTP/WebSocket backend for Obsidian web wrapper",
+  "main": "index.js",
+  "type": "commonjs",
+  "scripts": {
+    "start": "node index.js",
+    "dev": "node --watch index.js",
+    "test": "node --test"
+  },
+  "dependencies": {
+    "chokidar": "^3.6.0",
+    "compression": "^1.8.1",
+    "express": "^4.21.0",
+    "otplib": "^12.0.1",
+    "qrcode": "^1.5.4",
+    "ws": "^8.18.0"
+  }
+}
diff --git a/src/server/test/bootstrap-cache.test.js b/src/server/test/bootstrap-cache.test.js
index c735310..2623928 100644
--- a/src/server/test/bootstrap-cache.test.js
+++ b/src/server/test/bootstrap-cache.test.js
@@ -22,7 +22,15 @@ const { createApp } = require('../index');
 const { serverCache } = require('../api/bootstrap');
 
 async function startTestServer(config) {
-  const app = createApp(config);
+  // The mobile runtime paths were added after these tests were written;
+  // default them so each test doesn't have to spell them out.
+  const app = createApp({
+    clientMobilePath: config.clientPath,
+    obsidianMobilePath: config.obsidianPath,
+    userDataPath: path.dirname(config.registryPath),
+    projectRoot: path.dirname(config.clientPath),
+    ...config,
+  });
   const server = http.createServer(app);
   await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));
   const { port } = server.address();
diff --git a/src/server/test/vaults-api.test.js b/src/server/test/vaults-api.test.js
index 6b079e7..5550913 100644
--- a/src/server/test/vaults-api.test.js
+++ b/src/server/test/vaults-api.test.js
@@ -9,7 +9,15 @@ const test = require('node:test');
 const { createApp } = require('../index');
 
 async function startTestServer(config) {
-  const app = createApp(config);
+  // The mobile runtime paths were added after these tests were written;
+  // default them so each test doesn't have to spell them out.
+  const app = createApp({
+    clientMobilePath: config.clientPath,
+    obsidianMobilePath: config.obsidianPath,
+    userDataPath: path.dirname(config.registryPath),
+    projectRoot: path.dirname(config.clientPath),
+    ...config,
+  });
   const server = http.createServer(app);
   await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));
   const { port } = server.address();

From 7705299d844aa6cf46e6984da42235836876c387 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 17:59:47 -0700
Subject: [PATCH 39/46] feat: restrict /api/vaults/open to VAULTS_ROOT (default
 user-data/)

---
 src/server/config.js         | 10 ++++++++++
 src/server/vault-registry.js | 29 ++++++++++++++++++++++++++++-
 2 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/src/server/config.js b/src/server/config.js
index 5801411..c7f7fb2 100644
--- a/src/server/config.js
+++ b/src/server/config.js
@@ -61,8 +61,18 @@ const CLIENT_MOBILE_PATH = path.resolve(PROJECT_ROOT, 'src', 'client-mobile');
 const OBSIDIAN_PATH = path.resolve(PROJECT_ROOT, 'vendor', 'obsidian');
 const OBSIDIAN_MOBILE_PATH = path.resolve(PROJECT_ROOT, 'vendor', 'obsidian-mobile');
 
+// Root directory that vaults opened via /api/vaults/open must live under.
+// Without this, any authenticated browser session could mount ANY server
+// directory (e.g. /etc) as a vault and read/write it through the fs API.
+// Set VAULTS_ROOT to move it, or VAULTS_ROOT='*' to disable the check
+// (e.g. vaults spread across several mounts you trust).
+const VAULTS_ROOT = process.env.VAULTS_ROOT === '*'
+  ? null
+  : path.resolve(PROJECT_ROOT, process.env.VAULTS_ROOT || 'user-data');
+
 module.exports = {
   userDataPath: path.resolve(PROJECT_ROOT, 'user-data'),
+  vaultsRoot: VAULTS_ROOT,
   port: parsePort(process.env.PORT),
   host: process.env.HOST || '127.0.0.1',
   vaultPath: path.resolve(PROJECT_ROOT, process.env.VAULT_PATH || 'user-data/demo-vault'),
diff --git a/src/server/vault-registry.js b/src/server/vault-registry.js
index 95aa003..9b741d7 100644
--- a/src/server/vault-registry.js
+++ b/src/server/vault-registry.js
@@ -3,11 +3,32 @@ const fs = require('fs');
 const path = require('path');
 
 class VaultRegistry {
-  constructor(registryPath) {
+  /**
+   * @param {string} registryPath  JSON file tracking known vaults.
+   * @param {object} [opts]
+   * @param {string|null} [opts.vaultsRoot]  If set, open()/move() only accept
+   *   paths under this root. null/undefined = unrestricted (tests, VAULTS_ROOT='*').
+   * @param {string[]} [opts.allowPaths]  Extra paths allowed outside the root
+   *   (e.g. the VAULT_PATH boot vault, which may live anywhere).
+   */
+  constructor(registryPath, opts = {}) {
     this.registryPath = registryPath;
+    this.vaultsRoot = opts.vaultsRoot ? path.resolve(opts.vaultsRoot) : null;
+    this.allowPaths = (opts.allowPaths || []).filter(Boolean).map(p => path.resolve(p));
     this.vaults = this.load();
   }
 
+  // A path is allowed if it IS the root / an allowlisted path, or lives
+  // under one of them. Paths already in the registry are always allowed
+  // (the admin registered them via config or an earlier policy).
+  isPathAllowed(resolved) {
+    if (!this.vaultsRoot) return true;
+    const roots = [this.vaultsRoot, ...this.allowPaths];
+    return roots.some(root =>
+      resolved === root || resolved.startsWith(root + path.sep)
+    );
+  }
+
   load() {
     try {
       return JSON.parse(fs.readFileSync(this.registryPath, 'utf8')) || {};
@@ -51,6 +72,9 @@ class VaultRegistry {
     }
 
     const resolved = path.resolve(vaultPath);
+    if (!this.isPathAllowed(resolved) && !this.findIdByPath(resolved)) {
+      return { ok: false, error: 'path is outside the allowed vaults root' };
+    }
     if (create) {
       fs.mkdirSync(resolved, { recursive: true });
     }
@@ -97,6 +121,9 @@ class VaultRegistry {
     if (!id) return { ok: false, notFound: true };
 
     const resolvedNewPath = path.resolve(newPath);
+    if (!this.isPathAllowed(resolvedNewPath)) {
+      return { ok: false, error: 'destination is outside the allowed vaults root' };
+    }
     try {
       fs.renameSync(this.vaults[id].path, resolvedNewPath);
     } catch (err) {

From 46d5d65ba98e310240b91565cdf377e43409cfa0 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 17:59:47 -0700
Subject: [PATCH 40/46] feat: rate-limit TOTP attempts and issue random
 per-session tokens

---
 src/server/middleware/auth.js | 138 +++++++++++++++++++++++++++++++---
 1 file changed, 129 insertions(+), 9 deletions(-)

diff --git a/src/server/middleware/auth.js b/src/server/middleware/auth.js
index f07aa76..395f8b7 100644
--- a/src/server/middleware/auth.js
+++ b/src/server/middleware/auth.js
@@ -14,6 +14,8 @@
  */
 
 const crypto        = require('crypto');
+const fs            = require('fs');
+const path          = require('path');
 const { authenticator } = require('otplib');
 const QRCode        = require('qrcode');
 
@@ -24,11 +26,6 @@ const MAX_AGE     = 7 * 24 * 60 * 60; // 7 days
 // Allow 1 step (±30 s) of clock drift between phone and server
 authenticator.options = { window: 1 };
 
-// Session token is derived from the TOTP secret — consistent across restarts
-const SESSION_TOKEN = TOTP_SECRET
-  ? crypto.createHmac('sha256', TOTP_SECRET).update('v1:session').digest('hex')
-  : '';
-
 function parseCookies(req) {
   return Object.fromEntries(
     (req.headers.cookie || '').split(';')
@@ -38,8 +35,109 @@ function parseCookies(req) {
   );
 }
 
-function isAuthenticated(req) {
-  return parseCookies(req)[COOKIE] === SESSION_TOKEN;
+// ── Sessions ───────────────────────────────────────────────────────────────────
+// Random token per successful login (NOT derived from the TOTP secret — a
+// derived token never rotates, so one leaked cookie would be valid forever).
+// Sessions persist to .sessions.json so a server restart doesn't log
+// everyone out; expired entries are pruned on every load/save.
+
+class SessionStore {
+  constructor(file) {
+    this.file = file; // null → in-memory only
+    this.sessions = this.load();
+  }
+
+  load() {
+    if (!this.file) return {};
+    try {
+      const data = JSON.parse(fs.readFileSync(this.file, 'utf8')) || {};
+      const now = Date.now();
+      for (const [token, expires] of Object.entries(data)) {
+        if (typeof expires !== 'number' || expires < now) delete data[token];
+      }
+      return data;
+    } catch (_) {
+      return {};
+    }
+  }
+
+  save() {
+    if (!this.file) return;
+    try {
+      fs.mkdirSync(path.dirname(this.file), { recursive: true });
+      const tmp = this.file + '.tmp';
+      fs.writeFileSync(tmp, JSON.stringify(this.sessions));
+      fs.renameSync(tmp, this.file);
+    } catch (err) {
+      console.warn('[auth] failed to persist sessions:', err.message);
+    }
+  }
+
+  create() {
+    const token = crypto.randomBytes(32).toString('hex');
+    this.sessions[token] = Date.now() + MAX_AGE * 1000;
+    this.save();
+    return token;
+  }
+
+  has(token) {
+    if (!token) return false;
+    const expires = this.sessions[token];
+    if (!expires) return false;
+    if (expires < Date.now()) {
+      delete this.sessions[token];
+      this.save();
+      return false;
+    }
+    return true;
+  }
+}
+
+// ── Rate limiting ──────────────────────────────────────────────────────────────
+// A 6-digit TOTP with ±1 step drift is brute-forceable without throttling.
+// Allow MAX_ATTEMPTS failed codes per IP per window; successes reset the
+// counter. In-memory: a restart clears it, which only helps the attacker by
+// MAX_ATTEMPTS more guesses — negligible against 10^6 codes.
+
+const MAX_ATTEMPTS = 5;
+const ATTEMPT_WINDOW_MS = 15 * 60 * 1000;
+
+class RateLimiter {
+  constructor() {
+    this.attempts = new Map(); // ip → { count, resetAt }
+  }
+
+  clientIp(req) {
+    // Behind cloudflared/reverse proxies the socket address is the proxy;
+    // use the first forwarded hop when present.
+    const fwd = req.headers['x-forwarded-for'];
+    if (fwd) return String(fwd).split(',')[0].trim();
+    return req.socket.remoteAddress || 'unknown';
+  }
+
+  isBlocked(req) {
+    const entry = this.attempts.get(this.clientIp(req));
+    if (!entry) return false;
+    if (Date.now() > entry.resetAt) {
+      this.attempts.delete(this.clientIp(req));
+      return false;
+    }
+    return entry.count >= MAX_ATTEMPTS;
+  }
+
+  recordFailure(req) {
+    const ip = this.clientIp(req);
+    const entry = this.attempts.get(ip);
+    if (!entry || Date.now() > entry.resetAt) {
+      this.attempts.set(ip, { count: 1, resetAt: Date.now() + ATTEMPT_WINDOW_MS });
+    } else {
+      entry.count++;
+    }
+  }
+
+  recordSuccess(req) {
+    this.attempts.delete(this.clientIp(req));
+  }
 }
 
 // ── HTML pages ─────────────────────────────────────────────────────────────────
@@ -201,9 +299,19 @@ async function buildSetupPage(secret) {
 
 // ── Middleware factory ─────────────────────────────────────────────────────────
 
-function createAuthMiddleware() {
+function createAuthMiddleware(appConfig = {}) {
   if (!TOTP_SECRET) return null;
 
+  const sessionsFile = appConfig.userDataPath
+    ? path.join(appConfig.userDataPath, '.sessions.json')
+    : null;
+  const sessions = new SessionStore(sessionsFile);
+  const limiter = new RateLimiter();
+
+  function isAuthenticated(req) {
+    return sessions.has(parseCookies(req)[COOKIE]);
+  }
+
   return async function authMiddleware(req, res, next) {
 
     // ── Setup page ── requires ?token=TOTP_SECRET so only the owner can view it
@@ -218,13 +326,25 @@ function createAuthMiddleware() {
 
     // ── Auth endpoint ── verify code, set cookie
     if (req.path === '/__auth') {
+      if (limiter.isBlocked(req)) {
+        return res.status(429)
+          .end('Too many failed attempts — try again in a few minutes.');
+      }
       const code = String(req.query?.code || '').replace(/\D/g, '');
       const dest = req.query?.next || '/';
       if (code.length === 6 && authenticator.verify({ token: code, secret: TOTP_SECRET })) {
+        limiter.recordSuccess(req);
+        const token = sessions.create();
+        // Secure flag when the request arrived over HTTPS (directly or via
+        // a proxy/tunnel like cloudflared). Omitted on plain-HTTP LAN
+        // setups, where it would make the cookie unusable.
+        const secure = (req.secure || req.headers['x-forwarded-proto'] === 'https')
+          ? '; Secure' : '';
         res.setHeader('Set-Cookie',
-          `${COOKIE}=${SESSION_TOKEN}; Path=/; Max-Age=${MAX_AGE}; HttpOnly; SameSite=Strict`);
+          `${COOKIE}=${token}; Path=/; Max-Age=${MAX_AGE}; HttpOnly; SameSite=Strict${secure}`);
         return res.redirect(dest);
       }
+      limiter.recordFailure(req);
       return res.redirect(`/__login?error=1&next=${encodeURIComponent(dest)}`);
     }
 

From 6707f95d8fe7f06ccc8c3de0be39fd2474fb46c4 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Wed, 10 Jun 2026 17:59:47 -0700
Subject: [PATCH 41/46] feat: server-backed localStorage so keychain tokens
 roam across devices/origins

---
 CLAUDE.md                               |   6 +
 src/client-mobile/boot.js               |  24 +++-
 src/client-mobile/index.html            |   4 +
 src/client/boot.js                      |  25 +++-
 src/client/index.html                   |   1 +
 src/client/shims/remote-localstorage.js | 178 ++++++++++++++++++++++++
 src/server/api/localstorage.js          |  76 ++++++++++
 src/server/index.js                     |  12 +-
 src/server/test/vaults-api.test.js      | 108 ++++++++++++++
 user-data/.gitignore                    |   5 +
 10 files changed, 425 insertions(+), 14 deletions(-)
 create mode 100644 src/client/shims/remote-localstorage.js
 create mode 100644 src/server/api/localstorage.js

diff --git a/CLAUDE.md b/CLAUDE.md
index f68d6a2..8756699 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -19,6 +19,8 @@ the server.
 | `src/server/api/fs.js` | File-system REST API (`/api/fs/*`). Includes write coalescing and `mkdirRepair` for ENOTDIR vault corruption. |
 | `src/server/api/pbkdf2.js` | `POST /api/pbkdf2` — offloads PBKDF2 key derivation to Node's native crypto (100k iterations in pure JS would freeze the browser for ~10 s). |
 | `src/server/api/keytar.js` | `safeStorage` shim — stores plugin secrets server-side (Electron's `safeStorage` is unavailable in the browser). |
+| `src/server/api/localstorage.js` | Server-backed `window.localStorage` store (`user-data/.localstorage.json`). Pairs with `src/client/shims/remote-localstorage.js`. |
+| `src/client/shims/remote-localstorage.js` | Replaces `window.localStorage` with the server-backed store before app.js runs, so safeStorage tokens and app state roam across devices/origins. Keys prefixed `obsidian-web:` stay device-local. |
 | `src/server/api/bootstrap.js` | `/api/bootstrap` — serves the entire vault's file tree and metadata in one compressed response so Obsidian's sync `statSync`/`readFileSync` calls hit an in-memory cache. |
 | `src/server/middleware/auth.js` | Optional TOTP authentication middleware. Enabled by setting `TOTP_SECRET`. |
 
@@ -119,3 +121,7 @@ On plain HTTP all of the following must be polyfilled / shimmed:
 - Auth is disabled when `TOTP_SECRET` is empty.
 - Generate a secret: `node -e "const {authenticator}=require('otplib');console.log(authenticator.generateSecret())"`
 - Scan QR code: visit `/__totp-setup?token=YOUR_SECRET` after starting the server.
+- Sessions are random per-login tokens persisted in `user-data/.sessions.json`
+  (7-day expiry). Failed TOTP attempts are rate-limited to 5 per IP per 15 min.
+- `/api/vaults/open` only accepts paths under `VAULTS_ROOT` (default
+  `user-data/`). Set `VAULTS_ROOT=*` to disable the restriction.
diff --git a/src/client-mobile/boot.js b/src/client-mobile/boot.js
index 8a9d906..6745a23 100644
--- a/src/client-mobile/boot.js
+++ b/src/client-mobile/boot.js
@@ -215,12 +215,24 @@ const MOBILE_SCRIPTS = [
   setStatus('Verifying vault...');
 
   // אמת שה-vault קיים על השרת (stat על ה-root)
-  fetch('/api/fs/stat?vault=' + encodeURIComponent(VAULT_ID) + '&path=')
-    .then(function(res) {
-      if (!res.ok) throw new Error('Vault not found (HTTP ' + res.status + ')');
-      return res.json();
-    })
-    .then(function(stat) {
+  // אמת vault + טען localStorage מהשרת במקביל — שניהם חייבים להיות מוכנים
+  // לפני הזרקת הסקריפטים של Obsidian (app.js קורא localStorage באתחול).
+  // כשל ב-localStorage אינו פטאלי — נשארים עם האחסון המקומי של הדפדפן.
+  Promise.all([
+    fetch('/api/fs/stat?vault=' + encodeURIComponent(VAULT_ID) + '&path=')
+      .then(function(res) {
+        if (!res.ok) throw new Error('Vault not found (HTTP ' + res.status + ')');
+        return res.json();
+      }),
+    (window.__owInstallRemoteLocalStorage
+      ? window.__owInstallRemoteLocalStorage()
+      : Promise.resolve()
+    ).catch(function(e) {
+      console.warn('[obsidian-web] remote localStorage unavailable, staying device-local:', e && e.message);
+    }),
+  ])
+    .then(function(results) {
+      var stat = results[0];
       if (!stat || (!stat.isDirectory && stat.type !== 'directory')) throw new Error('Vault path is not a directory');
 
       setStatus('Loading Obsidian mobile...');
diff --git a/src/client-mobile/index.html b/src/client-mobile/index.html
index 5d322ce..89fb09a 100644
--- a/src/client-mobile/index.html
+++ b/src/client-mobile/index.html
@@ -39,6 +39,10 @@
     <div class="ow-status" id="ow-status"></div>
   </div>
 
+  <!-- 0. localStorage שרת-צד (משותף עם הלקוח הדסקטופי) — מותקן ע"י boot.js
+       לפני הזרקת הסקריפטים של Obsidian. -->
+  <script src="/client/shims/remote-localstorage.js?v=1"></script>
+
   <!-- 1. Capacitor shim — חייב לפני native-bridge.js כדי שandroidBridge יהיה
        מוגדר כשהbridge מאתחל את הplatform. -->
   <script src="/client-mobile/shims/capacitor-shim.js?v=1"></script>
diff --git a/src/client/boot.js b/src/client/boot.js
index e21fbdd..1d85e94 100644
--- a/src/client/boot.js
+++ b/src/client/boot.js
@@ -777,12 +777,25 @@ const OBSIDIAN_SCRIPTS = [
       if (pollTimer) clearInterval(pollTimer);
     }
 
-    fetch('/api/bootstrap?vault=' + vaultParam + '&full=1')
-      .then(function (res) {
-        if (!res.ok) throw new Error('HTTP ' + res.status);
-        return res.json();
-      })
-      .then(function (data) {
+    // Bootstrap cache and the server-backed localStorage load in parallel.
+    // Both must be ready BEFORE Obsidian's scripts are injected: app.js
+    // reads localStorage (safeStorage tokens, app state) synchronously at
+    // startup. A localStorage failure is non-fatal — native storage stays.
+    Promise.all([
+      fetch('/api/bootstrap?vault=' + vaultParam + '&full=1')
+        .then(function (res) {
+          if (!res.ok) throw new Error('HTTP ' + res.status);
+          return res.json();
+        }),
+      (window.__owInstallRemoteLocalStorage
+        ? window.__owInstallRemoteLocalStorage()
+        : Promise.resolve()
+      ).catch(function (e) {
+        console.warn('[obsidian-web] remote localStorage unavailable, staying device-local:', e && e.message);
+      }),
+    ])
+      .then(function (results) {
+        var data = results[0];
         stopPolling();
         var vault = data.electron && data.electron['vault'];
         if (!vault || !vault.id) {
diff --git a/src/client/index.html b/src/client/index.html
index c79f122..56024be 100644
--- a/src/client/index.html
+++ b/src/client/index.html
@@ -54,6 +54,7 @@
        together whenever any client file changes and needs to reach the
        browser past its HTTP cache. One global version for all client files. -->
   <script src="/client/shims/telemetry.js?v=3"></script>
+  <script src="/client/shims/remote-localstorage.js?v=3"></script>
   <script src="/client/shims/sync-http.js?v=3"></script>
   <script src="/client/shims/path.js?v=3"></script>
   <script src="/client/shims/url.js?v=3"></script>
diff --git a/src/client/shims/remote-localstorage.js b/src/client/shims/remote-localstorage.js
new file mode 100644
index 0000000..ad64b3d
--- /dev/null
+++ b/src/client/shims/remote-localstorage.js
@@ -0,0 +1,178 @@
+'use strict';
+
+/**
+ * Server-backed window.localStorage replacement.
+ *
+ * Why: Obsidian and its plugins store state in localStorage — most
+ * importantly the safeStorage keychain tokens (see electron.js shim).
+ * Browser localStorage is per-device AND per-origin, so secrets entered on
+ * one PC don't roam to another, and http://nas:3005 vs the cloudflared URL
+ * don't even share state on the same PC. This shim makes localStorage live
+ * server-side (user-data/.localstorage.json) so it follows the vault,
+ * matching real Electron semantics (one install = one shared store).
+ *
+ * Keys prefixed 'obsidian-web:' (layout mode, last vault id) are deliberately
+ * device-local and keep using the native localStorage.
+ *
+ * Install contract: boot.js calls window.__owInstallRemoteLocalStorage()
+ * BEFORE injecting Obsidian's scripts and waits for the returned promise.
+ * On failure the native localStorage stays in place (old behavior).
+ */
+(function () {
+  var LOCAL_PREFIX = 'obsidian-web:'; // stays per-device
+  var FLUSH_DELAY_MS = 300;
+
+  window.__owInstallRemoteLocalStorage = function () {
+    var native = window.localStorage;
+
+    return fetch('/api/localstorage')
+      .then(function (res) {
+        if (!res.ok) throw new Error('HTTP ' + res.status);
+        return res.json();
+      })
+      .then(function (serverData) {
+        var mem = {};
+        Object.keys(serverData).forEach(function (k) { mem[k] = String(serverData[k]); });
+
+        // One-time migration: keys already in this device's native storage
+        // but missing on the server get uploaded, so the first PC that runs
+        // this seeds the server store with its existing tokens/state.
+        var seed = {};
+        var seeded = 0;
+        for (var i = 0; i < native.length; i++) {
+          var k = native.key(i);
+          if (k.indexOf(LOCAL_PREFIX) === 0) continue;
+          if (!(k in mem)) {
+            var v = native.getItem(k);
+            mem[k] = v;
+            seed[k] = v;
+            seeded++;
+          }
+        }
+
+        // ── Debounced write-through ──────────────────────────────────────
+        var pending = {};      // key → value|null
+        var hasPending = false;
+        var timer = null;
+
+        function queue(key, value) {
+          pending[key] = value;
+          hasPending = true;
+          if (timer) clearTimeout(timer);
+          timer = setTimeout(flush, FLUSH_DELAY_MS);
+        }
+
+        function flush() {
+          if (!hasPending) return;
+          var entries = pending;
+          pending = {};
+          hasPending = false;
+          timer = null;
+          fetch('/api/localstorage', {
+            method: 'PUT',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ entries: entries }),
+          }).catch(function (e) {
+            console.warn('[obsidian-web] localStorage flush failed:', e && e.message);
+          });
+        }
+
+        // Last-chance flush when the tab closes. keepalive lets the PUT
+        // survive page unload (sendBeacon can't be used — it only POSTs).
+        window.addEventListener('pagehide', function () {
+          if (!hasPending) return;
+          var entries = pending;
+          pending = {};
+          hasPending = false;
+          try {
+            fetch('/api/localstorage', {
+              method: 'PUT',
+              headers: { 'Content-Type': 'application/json' },
+              body: JSON.stringify({ entries: entries }),
+              keepalive: true,
+            });
+          } catch (_) {}
+        });
+
+        // ── Storage-compatible facade ────────────────────────────────────
+        var storageShim = {
+          getItem: function (key) {
+            key = String(key);
+            if (key.indexOf(LOCAL_PREFIX) === 0) return native.getItem(key);
+            return Object.prototype.hasOwnProperty.call(mem, key) ? mem[key] : null;
+          },
+          setItem: function (key, value) {
+            key = String(key); value = String(value);
+            if (key.indexOf(LOCAL_PREFIX) === 0) return native.setItem(key, value);
+            mem[key] = value;
+            queue(key, value);
+          },
+          removeItem: function (key) {
+            key = String(key);
+            if (key.indexOf(LOCAL_PREFIX) === 0) return native.removeItem(key);
+            if (Object.prototype.hasOwnProperty.call(mem, key)) {
+              delete mem[key];
+              queue(key, null);
+            }
+          },
+          clear: function () {
+            Object.keys(mem).forEach(function (k) { queue(k, null); });
+            mem = {};
+            // Native obsidian-web: keys are intentionally kept.
+          },
+          key: function (n) {
+            var keys = Object.keys(mem);
+            return n >= 0 && n < keys.length ? keys[n] : null;
+          },
+        };
+        Object.defineProperty(storageShim, 'length', {
+          get: function () { return Object.keys(mem).length; },
+        });
+
+        // Proxy catches direct property access (localStorage.foo = 'x' /
+        // localStorage['foo']) which some plugins use instead of setItem.
+        var proxy = new Proxy(storageShim, {
+          get: function (target, prop) {
+            if (prop in target) {
+              var v = target[prop];
+              return typeof v === 'function' ? v.bind(target) : v;
+            }
+            if (typeof prop === 'symbol') return undefined;
+            var item = target.getItem(prop);
+            return item === null ? undefined : item;
+          },
+          set: function (target, prop, value) {
+            if (typeof prop !== 'symbol') target.setItem(prop, value);
+            return true;
+          },
+          deleteProperty: function (target, prop) {
+            if (typeof prop !== 'symbol') target.removeItem(prop);
+            return true;
+          },
+          has: function (target, prop) {
+            return prop in target || target.getItem(prop) !== null;
+          },
+          ownKeys: function () {
+            return Object.keys(mem);
+          },
+          getOwnPropertyDescriptor: function (target, prop) {
+            if (typeof prop === 'symbol' || !(prop in mem)) return undefined;
+            return { value: mem[prop], writable: true, enumerable: true, configurable: true };
+          },
+        });
+
+        Object.defineProperty(window, 'localStorage', {
+          value: proxy,
+          configurable: true,
+        });
+
+        // Upload the migration seed after install so it can't race the map.
+        if (seeded > 0) {
+          Object.keys(seed).forEach(function (k) { queue(k, seed[k]); });
+          console.log('[obsidian-web] remote localStorage: seeded ' + seeded + ' local keys to server');
+        }
+
+        console.log('[obsidian-web] remote localStorage installed (' + Object.keys(mem).length + ' keys)');
+      });
+  };
+})();
diff --git a/src/server/api/localstorage.js b/src/server/api/localstorage.js
new file mode 100644
index 0000000..2641e15
--- /dev/null
+++ b/src/server/api/localstorage.js
@@ -0,0 +1,76 @@
+'use strict';
+
+/**
+ * Server-backed localStorage store.
+ *
+ * Obsidian (and its plugins) keep state in window.localStorage — including
+ * the safeStorage keychain *tokens* that point at secrets in .keychain.json.
+ * Browser localStorage is scoped per device AND per origin, so credentials
+ * entered on one PC (or via one URL, e.g. LAN vs cloudflared tunnel) don't
+ * roam. The client shim (client/shims/remote-localstorage.js) replaces
+ * window.localStorage with a copy of this server-side store, making that
+ * state follow the server instead of the browser.
+ *
+ * This mirrors real Electron semantics: one Obsidian install = one shared
+ * localStorage across all vaults, persisted next to the rest of user-data.
+ *
+ * API:
+ *   GET /api/localstorage           → { key: value, ... }   (full map)
+ *   PUT /api/localstorage           ← { entries: { key: value | null } }
+ *                                      null deletes the key. Batched by the
+ *                                      client's debounced write-through.
+ */
+
+const express = require('express');
+const fsp = require('fs/promises');
+const path = require('path');
+
+function createLocalStorageRouter(userDataPath) {
+  const router = express.Router();
+  const storeFile = path.join(userDataPath, '.localstorage.json');
+
+  // Serialize writes so concurrent PUTs don't interleave load/save.
+  let writeChain = Promise.resolve();
+
+  async function load() {
+    try {
+      return JSON.parse(await fsp.readFile(storeFile, 'utf8')) || {};
+    } catch (_) {
+      return {};
+    }
+  }
+
+  async function save(data) {
+    await fsp.mkdir(path.dirname(storeFile), { recursive: true });
+    // Atomic: temp file + rename, same pattern as vault-registry.
+    const tmp = storeFile + '.tmp';
+    await fsp.writeFile(tmp, JSON.stringify(data, null, 2), 'utf8');
+    await fsp.rename(tmp, storeFile);
+  }
+
+  router.get('/', async (req, res) => {
+    res.json(await load());
+  });
+
+  router.put('/', express.json({ limit: '5mb' }), (req, res) => {
+    const entries = req.body && req.body.entries;
+    if (!entries || typeof entries !== 'object' || Array.isArray(entries)) {
+      return res.status(400).json({ error: 'entries object required' });
+    }
+    writeChain = writeChain.then(async () => {
+      const data = await load();
+      for (const [key, value] of Object.entries(entries)) {
+        if (value === null) delete data[key];
+        else data[key] = String(value);
+      }
+      await save(data);
+      res.json({ ok: true });
+    }).catch((err) => {
+      res.status(500).json({ error: err.message });
+    });
+  });
+
+  return router;
+}
+
+module.exports = createLocalStorageRouter;
diff --git a/src/server/index.js b/src/server/index.js
index 53c3939..ec4a032 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -23,6 +23,7 @@ const createBootstrapRouter = require('./api/bootstrap');
 const { warmUpBootstrapCache } = require('./api/bootstrap');
 const createProxyRouter = require('./api/proxy');
 const createKeytarRouter = require('./api/keytar');
+const createLocalStorageRouter = require('./api/localstorage');
 const createPbkdf2Router = require('./api/pbkdf2');
 const attachWatchServer = require('./api/watch');
 const VaultRegistry = require('./vault-registry');
@@ -30,7 +31,13 @@ const { createAuthMiddleware } = require('./middleware/auth');
 
 function createApp(appConfig = config) {
   const app = express();
-  const vaultRegistry = new VaultRegistry(appConfig.registryPath);
+  const vaultRegistry = new VaultRegistry(appConfig.registryPath, {
+    // Restrict /api/vaults/open to paths under vaultsRoot (VAULTS_ROOT env,
+    // default user-data/). The configured boot vault is always allowed even
+    // if it lives elsewhere. Tests pass no vaultsRoot → unrestricted.
+    vaultsRoot: appConfig.vaultsRoot,
+    allowPaths: [appConfig.vaultPath],
+  });
 
   // Compression — critical for /api/bootstrap (38MB uncompressed → ~6MB).
   // Brotli gives ~84% reduction, gzip ~79%. The middleware auto-selects based
@@ -40,7 +47,7 @@ function createApp(appConfig = config) {
   // Optional TOTP auth — enabled by setting TOTP_SECRET env var.
   // Generate a secret: node -e "const {authenticator}=require('otplib');console.log(authenticator.generateSecret())"
   // Then visit /__totp-setup?token=YOUR_SECRET to scan the QR code.
-  const authMiddleware = createAuthMiddleware();
+  const authMiddleware = createAuthMiddleware(appConfig);
   if (authMiddleware) {
     app.use(authMiddleware);
     console.log('[auth] TOTP authentication enabled — visit /__totp-setup?token=YOUR_SECRET to configure your authenticator app');
@@ -146,6 +153,7 @@ function createApp(appConfig = config) {
 
   // API routes.
   app.use('/api/keytar', createKeytarRouter(appConfig.userDataPath));
+  app.use('/api/localstorage', createLocalStorageRouter(appConfig.userDataPath));
   app.use('/api/pbkdf2', createPbkdf2Router());
   app.use('/api/bootstrap', createBootstrapRouter(vaultRegistry, appConfig.vaultPath));
   app.use('/api/proxy-request', createProxyRouter());
diff --git a/src/server/test/vaults-api.test.js b/src/server/test/vaults-api.test.js
index 5550913..df9166d 100644
--- a/src/server/test/vaults-api.test.js
+++ b/src/server/test/vaults-api.test.js
@@ -292,3 +292,111 @@ test('starter route serves the wrapped Obsidian starter entry', async (t) => {
   assert.equal(response.status, 200);
   assert.match(await response.text(), /starter/);
 });
+
+test('vaultsRoot restricts open to paths under the root', async (t) => {
+  const tmp = await fsp.mkdtemp(path.join(os.tmpdir(), 'obsidian-web-'));
+  t.after(() => fsp.rm(tmp, { recursive: true, force: true }));
+
+  const vaultsRoot = path.join(tmp, 'vaults');
+  const insidePath = path.join(vaultsRoot, 'good-vault');
+  const outsidePath = path.join(tmp, 'evil-vault');
+  await fsp.mkdir(insidePath, { recursive: true });
+  await fsp.mkdir(outsidePath);
+
+  const bootVault = path.join(vaultsRoot, 'boot');
+  await fsp.mkdir(bootVault);
+  const server = await startTestServer({
+    clientPath: path.join(tmp, 'client'),
+    obsidianPath: path.join(tmp, 'obsidian'),
+    registryPath: path.join(tmp, 'vaults.json'),
+    vaultPath: bootVault,
+    vaultsRoot,
+  });
+  t.after(server.close);
+
+  // Inside the root → allowed.
+  const okRes = await fetch(server.baseUrl + '/api/vaults/open', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ path: insidePath, create: false }),
+  });
+  assert.equal(okRes.status, 200);
+  assert.equal((await okRes.json()).ok, true);
+
+  // Outside the root → rejected, even though the directory exists.
+  const badRes = await fetch(server.baseUrl + '/api/vaults/open', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ path: outsidePath, create: false }),
+  });
+  assert.equal(badRes.status, 400);
+  const bad = await badRes.json();
+  assert.equal(bad.ok, false);
+  assert.match(bad.error, /outside the allowed vaults root/);
+
+  // Path traversal out of the root → rejected.
+  const traversalRes = await fetch(server.baseUrl + '/api/vaults/open', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ path: path.join(vaultsRoot, '..', 'evil-vault'), create: false }),
+  });
+  assert.equal(traversalRes.status, 400);
+
+  // The configured boot vault is allowed even when it equals the allowlist entry.
+  const bootRes = await fetch(server.baseUrl + '/api/vaults/open', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ path: bootVault, create: false }),
+  });
+  assert.equal(bootRes.status, 200);
+});
+
+test('localstorage API stores, merges, and deletes keys', async (t) => {
+  const tmp = await fsp.mkdtemp(path.join(os.tmpdir(), 'obsidian-web-'));
+  t.after(() => fsp.rm(tmp, { recursive: true, force: true }));
+
+  const server = await startTestServer({
+    clientPath: path.join(tmp, 'client'),
+    obsidianPath: path.join(tmp, 'obsidian'),
+    registryPath: path.join(tmp, 'vaults.json'),
+    userDataPath: tmp,
+    vaultPath: tmp,
+  });
+  t.after(server.close);
+
+  // Empty store initially.
+  let res = await fetch(server.baseUrl + '/api/localstorage');
+  assert.equal(res.status, 200);
+  assert.deepEqual(await res.json(), {});
+
+  // Batch PUT sets keys.
+  res = await fetch(server.baseUrl + '/api/localstorage', {
+    method: 'PUT',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ entries: { alpha: '1', beta: 'two' } }),
+  });
+  assert.equal(res.status, 200);
+
+  // Second PUT merges and deletes (null).
+  res = await fetch(server.baseUrl + '/api/localstorage', {
+    method: 'PUT',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ entries: { beta: null, gamma: '3' } }),
+  });
+  assert.equal(res.status, 200);
+
+  res = await fetch(server.baseUrl + '/api/localstorage');
+  assert.deepEqual(await res.json(), { alpha: '1', gamma: '3' });
+
+  // Malformed body rejected.
+  res = await fetch(server.baseUrl + '/api/localstorage', {
+    method: 'PUT',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ nope: true }),
+  });
+  assert.equal(res.status, 400);
+
+  // Persisted to disk in userDataPath.
+  const onDisk = JSON.parse(await fsp.readFile(path.join(tmp, '.localstorage.json'), 'utf8'));
+  assert.deepEqual(onDisk, { alpha: '1', gamma: '3' });
+});
diff --git a/user-data/.gitignore b/user-data/.gitignore
index 55ae369..7656ecd 100644
--- a/user-data/.gitignore
+++ b/user-data/.gitignore
@@ -1,5 +1,10 @@
 # Runtime — contains local absolute paths to user's vaults
 registry.json
 
+# Runtime — secrets and per-server state, never commit
+.keychain.json
+.localstorage.json
+.sessions.json
+
 # Demo vault — track content, ignore Obsidian's local state
 demo-vault/.obsidian/

From dab0c97ad808cfb248ec340d4195b80208e5e54e Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Fri, 12 Jun 2026 14:07:52 +0000
Subject: [PATCH 42/46] feat: add Service Worker bootstrap cache
 (stale-while-revalidate)

Repeat visits now hit a CacheStorage entry instead of waiting for the
server to return /api/bootstrap. The SW fires a background revalidation
in parallel, keeping the cache fresh for the NEXT visit.

- src/client/sw.js: new SW; intercepts GET /api/bootstrap (not /status),
  serves from cache immediately then updates in background; skipWaiting +
  clients.claim() for immediate takeover on install.
- src/server/index.js: add GET /sw.js route with Service-Worker-Allowed: /
  and Cache-Control: no-cache so the SW can control the full origin and
  always receives updates.
- src/client/boot.js: register /sw.js at the top of the IIFE, before the
  bootstrap fetch, so the SW is in place for subsequent navigations.
---
 src/client/boot.js  | 11 ++++++
 src/client/sw.js    | 88 +++++++++++++++++++++++++++++++++++++++++++++
 src/server/index.js | 31 +++++++---------
 3 files changed, 111 insertions(+), 19 deletions(-)
 create mode 100644 src/client/sw.js

diff --git a/src/client/boot.js b/src/client/boot.js
index 1d85e94..8f90d81 100644
--- a/src/client/boot.js
+++ b/src/client/boot.js
@@ -333,6 +333,17 @@ const OBSIDIAN_SCRIPTS = [
     window.global = window;
   }
 
+  // Register the Service Worker for bootstrap caching (stale-while-revalidate).
+  // On repeat visits the SW intercepts /api/bootstrap and returns a cached
+  // response instantly, then revalidates in the background — no server
+  // round-trip needed. The SW file is served at /sw.js with
+  // Service-Worker-Allowed: / so it can intercept requests on the full origin.
+  if ('serviceWorker' in navigator) {
+    navigator.serviceWorker.register('/sw.js', { scope: '/' }).catch(err => {
+      console.warn('[obsidian-web] service worker registration failed:', err.message);
+    });
+  }
+
   const VAULT_BASE = '/vault';
   const params = new URLSearchParams(location.search);
   let VAULT_ID = params.get('vault') || localStorage.getItem('obsidian-web:lastVaultId') || '';
diff --git a/src/client/sw.js b/src/client/sw.js
new file mode 100644
index 0000000..ab55362
--- /dev/null
+++ b/src/client/sw.js
@@ -0,0 +1,88 @@
+/**
+ * Service Worker — bootstrap cache (stale-while-revalidate)
+ *
+ * Intercepts GET /api/bootstrap requests and serves from CacheStorage,
+ * firing a background revalidation in parallel. On repeat visits this
+ * eliminates the ~200–800 ms server round-trip with a <5 ms cache hit.
+ *
+ * Cache is keyed by full URL (includes ?vault=...&full=1) so each vault
+ * gets its own entry. Bump CACHE_NAME to evict all entries on SW update.
+ */
+
+const CACHE_NAME = 'ow-bootstrap-v1';
+
+// ── Lifecycle ────────────────────────────────────────────────────────────────
+
+self.addEventListener('install', () => {
+  // Skip the waiting phase so this SW takes over immediately on install,
+  // without needing a second page load.
+  self.skipWaiting();
+});
+
+self.addEventListener('activate', (event) => {
+  event.waitUntil(
+    // Evict any cache entries from older SW versions.
+    caches.keys()
+      .then(keys => Promise.all(
+        keys
+          .filter(k => k.startsWith('ow-bootstrap-') && k !== CACHE_NAME)
+          .map(k => {
+            console.log('[ow-sw] evicting old cache:', k);
+            return caches.delete(k);
+          }),
+      ))
+      // Take control of all open tabs immediately so the cache is used
+      // on the very next fetch, even on the page that registered us.
+      .then(() => self.clients.claim()),
+  );
+});
+
+// ── Fetch interception ───────────────────────────────────────────────────────
+
+self.addEventListener('fetch', (event) => {
+  const { request } = event;
+  if (request.method !== 'GET') return;
+
+  const url = new URL(request.url);
+
+  // Only cache /api/bootstrap — skip the /status progress-polling sub-route.
+  if (!url.pathname.startsWith('/api/bootstrap')) return;
+  if (url.pathname.includes('/status')) return;
+
+  event.respondWith(staleWhileRevalidate(request));
+});
+
+// ── Strategy ─────────────────────────────────────────────────────────────────
+
+async function staleWhileRevalidate(request) {
+  const cache = await caches.open(CACHE_NAME);
+  const cached = await cache.match(request);
+
+  // Always kick off a background network fetch to keep the cache fresh.
+  // Don't await it — we return the cached response immediately.
+  const networkFetch = fetch(request)
+    .then(response => {
+      if (response.ok) {
+        cache.put(request, response.clone());
+        console.log('[ow-sw] bootstrap cache updated:', new URL(request.url).search);
+      }
+      return response;
+    })
+    .catch(err => {
+      console.warn('[ow-sw] bootstrap revalidation failed:', err.message);
+      return null;
+    });
+
+  if (cached) {
+    console.log('[ow-sw] bootstrap cache HIT:', new URL(request.url).search);
+    return cached;
+  }
+
+  // Cache miss (first visit) — wait for the network.
+  console.log('[ow-sw] bootstrap cache MISS:', new URL(request.url).search);
+  const response = await networkFetch;
+  if (!response) {
+    throw new Error('[ow-sw] bootstrap fetch failed with no cached fallback');
+  }
+  return response;
+}
diff --git a/src/server/index.js b/src/server/index.js
index ec4a032..46313f3 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -134,6 +134,17 @@ function createApp(appConfig = config) {
     }));
   }
 
+  // Service Worker — served from the root path so its scope covers the whole
+  // origin. Service-Worker-Allowed: / is required because the file lives
+  // under /client/ but must control pages at /. Cache-Control: no-cache
+  // ensures browsers always re-fetch it so SW updates propagate promptly.
+  app.get('/sw.js', (req, res) => {
+    res.setHeader('Content-Type', 'application/javascript; charset=utf-8');
+    res.setHeader('Cache-Control', 'no-cache');
+    res.setHeader('Service-Worker-Allowed', '/');
+    res.sendFile(path.join(appConfig.clientPath, 'sw.js'));
+  });
+
   // Worker scripts. Obsidian creates `new Worker("worker.js")` which under
   // Electron resolves to /Resources/obsidian/worker.js, but in a browser
   // it resolves relative to the document URL. Serve them at the root.
@@ -180,22 +191,4 @@ function startServer(appConfig = config) {
     console.log('==========================================');
     console.log('  Vault:    ' + appConfig.vaultPath);
     console.log('  Obsidian: ' + appConfig.obsidianPath);
-    console.log('  Listening on http://' + appConfig.host + ':' + appConfig.port);
-    console.log('==========================================');
-
-    // Pre-build the bootstrap cache in the background so the first browser
-    // request is a cache HIT instead of a cold build.
-    setImmediate(() => {
-      warmUpBootstrapCache(app.locals.vaultRegistry, appConfig.vaultPath)
-        .catch((err) => console.warn('[bootstrap] warm-up error:', err.message));
-    });
-  });
-
-  return server;
-}
-
-if (require.main === module) {
-  startServer();
-}
-
-module.exports = { createApp, startServer };
+    console.log('  
\ No newline at end of file

From ccb44fca47446dc8702227ace0f731bcfc6e16b5 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Mon, 15 Jun 2026 11:56:00 -0700
Subject: [PATCH 43/46] fix: complete truncated index.js (syntax error in
 Docker)

---
 src/server/index.js | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/server/index.js b/src/server/index.js
index 46313f3..1e8ff75 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -191,4 +191,22 @@ function startServer(appConfig = config) {
     console.log('==========================================');
     console.log('  Vault:    ' + appConfig.vaultPath);
     console.log('  Obsidian: ' + appConfig.obsidianPath);
-    console.log('  
\ No newline at end of file
+    console.log('  Listening on http://' + appConfig.host + ':' + appConfig.port);
+    console.log('==========================================');
+
+    // Pre-build the bootstrap cache in the background so the first browser
+    // request is a cache HIT instead of a cold build.
+    setImmediate(() => {
+      warmUpBootstrapCache(app.locals.vaultRegistry, appConfig.vaultPath)
+        .catch((err) => console.warn('[bootstrap] warm-up error:', err.message));
+    });
+  });
+
+  return server;
+}
+
+if (require.main === module) {
+  startServer();
+}
+
+module.exports = { createApp, startServer };

From af07246e94eae435cb126fe6915f17989c57dbe4 Mon Sep 17 00:00:00 2001
From: s39n <seanseanrichards@gmail.com>
Date: Mon, 15 Jun 2026 14:52:22 -0700
Subject: [PATCH 44/46] perf: stale-while-revalidate for bootstrap server cache

Serve existing cache immediately when dirs have changed, rebuild in background.
Prevents 30-60s blocking vault scan on every refresh for large vaults.
---
 src/server/api/bootstrap.js | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/server/api/bootstrap.js b/src/server/api/bootstrap.js
index 9f77fe0..241cbec 100644
--- a/src/server/api/bootstrap.js
+++ b/src/server/api/bootstrap.js
@@ -425,16 +425,28 @@ function createBootstrapRouter(vaultRegistry, fallbackVaultRoot) {
     const vault = vaultId ? vaultRegistry.get(vaultId) : null;
     const vaultRoot = vault ? vault.path : fallbackVaultRoot;
 
-    // If a full=1 build is needed but we only have a partial cache, serve
-    // the partial result immediately and kick off the full build in the background.
+    // Stale-while-revalidate: if ANY cached entry exists, serve it immediately
+    // and rebuild in the background. This prevents the browser from blocking on
+    // a full vault rescan (which can take 30-60s for large vaults) when the
+    // cache was merely invalidated by a dir mtime change (e.g. ion-sync activity).
+    //
+    // Only block on a true cold start (no entry at all). On the next request
+    // after the background build finishes, the client will get fresh data.
     const existing = serverCache.get(vaultId);
     let entry;
-    if (full && existing && !existing.isFull) {
-      console.log(`[bootstrap] vault=${vaultId.slice(0, 8)}… serving partial while full build runs in background`);
-      buildCacheEntry(vaultId, vaultRoot, vaultRegistry, true)
-        .catch((err) => console.warn('[bootstrap] background full build error:', err.message));
+    if (existing) {
+      const needsFull = full && !existing.isFull;
+      if (needsFull) {
+        console.log(`[bootstrap] vault=${vaultId.slice(0, 8)}… serving partial/stale while full build runs in background`);
+      } else {
+        console.log(`[bootstrap] vault=${vaultId.slice(0, 8)}… serving stale-while-revalidate`);
+      }
+      // Fire background refresh (deduplicated via pendingBuilds — no-op if already running).
+      buildCacheEntry(vaultId, vaultRoot, vaultRegistry, full)
+        .catch((err) => console.warn('[bootstrap] background revalidation error:', err.message));
       entry = existing;
     } else {
+      // Cold start — no cached entry at all. Must wait for the initial build.
       entry = await buildCacheEntry(vaultId, vaultRoot, vaultRegistry, full);
     }
 

From 736a3d33b0b36796d7ed7f0a73edd7be546981a2 Mon Sep 17 00:00:00 2001
From: Sean <seanseanrichards@gmail.com>
Date: Wed, 17 Jun 2026 15:47:32 +0000
Subject: [PATCH 45/46] feat: notify on available Obsidian renderer updates at
 startup

Add scripts/check-obsidian-version.js, a dependency-free, offline-safe
check comparing the installed renderer version (vendor/obsidian/package.json,
falling back to config APP_VERSION) against the latest obsidianmd/
obsidian-releases tag. The server runs it in the background at boot and logs
a notice when a newer release exists; it never downloads or applies updates
(that stays the manual update-obsidian.js step).

Configurable via OBSIDIAN_UPDATE_CHECK, OBSIDIAN_VERSION (pin), and
OBSIDIAN_CHECK_TIMEOUT. Documented in README; CHANGELOG added.
---
 CHANGELOG.md                      |  19 +++
 scripts/check-obsidian-version.js | 236 ++++++++++++++++++++++++++++++
 src/server/index.js               |  20 +++
 3 files changed, 275 insertions(+)
 create mode 100644 CHANGELOG.md
 create mode 100644 scripts/check-obsidian-version.js

diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..67176b1
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,19 @@
+# Changelog
+
+All notable changes to this project are documented here. The format is loosely
+based on [Keep a Changelog](https://keepachangelog.com/).
+
+## [Unreleased]
+
+### Added
+- **Obsidian update notifications (notify-only).** The server now checks
+  `obsidianmd/obsidian-releases` at startup and logs a notice when a newer
+  renderer is available. It never downloads or applies the update
+  automatically; applying stays the deliberate `node scripts/update-obsidian.js`
+  step. (2026-06-17)
+- `scripts/check-obsidian-version.js` — dependency-free, offline-safe version
+  check usable both as a module (called by the server at boot) and as a CLI
+  (`--json` for machine output; exit code 10 when an update is available).
+- Environment variables `OBSIDIAN_UPDATE_CHECK` (disable the check),
+  `OBSIDIAN_VERSION` (pin a version / compare without network), and
+  `OBSIDIAN_CHECK_TIMEOUT` (GitHub request timeout). See README.
diff --git a/scripts/check-obsidian-version.js b/scripts/check-obsidian-version.js
new file mode 100644
index 0000000..d6ac237
--- /dev/null
+++ b/scripts/check-obsidian-version.js
@@ -0,0 +1,236 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * check-obsidian-version.js
+ *
+ * Dependency-free "is there a newer Obsidian renderer?" check.
+ *
+ * It compares the version currently extracted into vendor/obsidian/ against the
+ * latest release published to the obsidianmd/obsidian-releases GitHub repo, and
+ * reports whether an update is available. It NEVER downloads or applies the
+ * update — that stays a deliberate, manual step:
+ *
+ *     node scripts/update-obsidian.js              # latest
+ *     node scripts/update-obsidian.js --version X  # a specific version
+ *
+ * Usage (CLI):
+ *   node scripts/check-obsidian-version.js          # human-readable status
+ *   node scripts/check-obsidian-version.js --json   # machine-readable JSON
+ *
+ * Usage (module):
+ *   const { checkObsidianVersion } = require('./check-obsidian-version');
+ *   const result = await checkObsidianVersion();
+ *   // { installed, latest, pinned, updateAvailable, checked, reason }
+ *
+ * Environment:
+ *   OBSIDIAN_VERSION       Pin to a specific version (e.g. 1.12.7). When set,
+ *                          the check compares the installed version against the
+ *                          pin instead of GitHub's latest, and never reports a
+ *                          newer release as "available".
+ *   OBSIDIAN_UPDATE_CHECK  Set to "false"/"0"/"off" to disable the network
+ *                          check entirely (the server still calls it but it
+ *                          short-circuits). Default: enabled.
+ *   OBSIDIAN_CHECK_TIMEOUT Network timeout in ms for the GitHub request.
+ *                          Default: 5000.
+ */
+
+const fs = require('fs');
+const https = require('https');
+const path = require('path');
+
+const PROJECT_ROOT = path.resolve(__dirname, '..');
+const VENDOR_PKG = path.join(PROJECT_ROOT, 'vendor', 'obsidian', 'package.json');
+const GITHUB_LATEST_API =
+  'https://api.github.com/repos/obsidianmd/obsidian-releases/releases/latest';
+const USER_AGENT = 'obsidian-web-updater';
+const DEFAULT_TIMEOUT = 5000;
+
+function isCheckDisabled() {
+  const raw = (process.env.OBSIDIAN_UPDATE_CHECK || '').trim().toLowerCase();
+  return raw === 'false' || raw === '0' || raw === 'off' || raw === 'no';
+}
+
+function pinnedVersion() {
+  const raw = (process.env.OBSIDIAN_VERSION || '').trim();
+  return raw ? raw.replace(/^v/i, '') : null;
+}
+
+/**
+ * Read the version actually extracted into vendor/obsidian/. Falls back to the
+ * server's config APP_VERSION when the vendor dir has not been populated yet
+ * (e.g. before the first-run download), and finally to null.
+ */
+function readInstalledVersion() {
+  try {
+    const pkg = JSON.parse(fs.readFileSync(VENDOR_PKG, 'utf8'));
+    if (pkg && pkg.version) return String(pkg.version).replace(/^v/i, '');
+  } catch (_) {
+    /* vendor not populated yet */
+  }
+  try {
+    // Lazy require so this script stays usable outside the server tree.
+    const cfg = require(path.join(PROJECT_ROOT, 'src', 'server', 'config'));
+    if (cfg && cfg.appVersion) return String(cfg.appVersion).replace(/^v/i, '');
+  } catch (_) {
+    /* config not importable in this context */
+  }
+  return null;
+}
+
+/**
+ * Compare two dotted version strings numerically.
+ * Returns 1 if a > b, -1 if a < b, 0 if equal. Non-numeric / missing parts
+ * are treated as 0, so "1.12" === "1.12.0".
+ */
+function compareVersions(a, b) {
+  const pa = String(a).split('.').map((n) => parseInt(n, 10) || 0);
+  const pb = String(b).split('.').map((n) => parseInt(n, 10) || 0);
+  const len = Math.max(pa.length, pb.length);
+  for (let i = 0; i < len; i += 1) {
+    const x = pa[i] || 0;
+    const y = pb[i] || 0;
+    if (x > y) return 1;
+    if (x < y) return -1;
+  }
+  return 0;
+}
+
+function fetchLatestTag(timeout) {
+  return new Promise((resolve, reject) => {
+    const req = https.get(
+      GITHUB_LATEST_API,
+      {
+        headers: {
+          Accept: 'application/vnd.github+json',
+          'User-Agent': USER_AGENT,
+        },
+        timeout,
+      },
+      (res) => {
+        if (
+          res.statusCode >= 300 &&
+          res.statusCode < 400 &&
+          res.headers.location
+        ) {
+          res.resume();
+          // The latest endpoint shouldn't redirect, but follow once to be safe.
+          https
+            .get(
+              res.headers.location,
+              { headers: { Accept: 'application/vnd.github+json', 'User-Agent': USER_AGENT }, timeout },
+              (r2) => collect(r2, resolve, reject),
+            )
+            .on('error', reject);
+          return;
+        }
+        collect(res, resolve, reject);
+      },
+    );
+    req.on('timeout', () => req.destroy(new Error(`GitHub request timed out after ${timeout}ms`)));
+    req.on('error', reject);
+  });
+}
+
+function collect(res, resolve, reject) {
+  if (res.statusCode < 200 || res.statusCode >= 300) {
+    res.resume();
+    reject(new Error(`GitHub API returned HTTP ${res.statusCode}`));
+    return;
+  }
+  const chunks = [];
+  res.on('data', (c) => chunks.push(c));
+  res.on('end', () => {
+    try {
+      const data = JSON.parse(Buffer.concat(chunks).toString('utf8'));
+      const tag = data.tag_name || data.name;
+      if (!tag) {
+        reject(new Error('GitHub response did not include a tag_name'));
+        return;
+      }
+      resolve(String(tag).replace(/^v/i, ''));
+    } catch (err) {
+      reject(err);
+    }
+  });
+  res.on('error', reject);
+}
+
+/**
+ * Perform the check. Always resolves (never throws) so callers can fire it at
+ * startup without guarding. Network / parse failures are reported via
+ * `checked: false` + `reason`.
+ */
+async function checkObsidianVersion(opts = {}) {
+  const installed = readInstalledVersion();
+  const pinned = pinnedVersion();
+  const timeout = Number(process.env.OBSIDIAN_CHECK_TIMEOUT) || opts.timeout || DEFAULT_TIMEOUT;
+
+  if (isCheckDisabled()) {
+    return { installed, latest: null, pinned, updateAvailable: false, checked: false, reason: 'disabled' };
+  }
+
+  // Pinned mode: compare installed against the pin, no network needed.
+  if (pinned) {
+    const updateAvailable = installed ? compareVersions(pinned, installed) > 0 : true;
+    return { installed, latest: pinned, pinned, updateAvailable, checked: true, reason: 'pinned' };
+  }
+
+  let latest = null;
+  try {
+    latest = await fetchLatestTag(timeout);
+  } catch (err) {
+    return {
+      installed,
+      latest: null,
+      pinned,
+      updateAvailable: false,
+      checked: false,
+      reason: err.message || String(err),
+    };
+  }
+
+  const updateAvailable = installed ? compareVersions(latest, installed) > 0 : true;
+  return { installed, latest, pinned, updateAvailable, checked: true, reason: 'ok' };
+}
+
+function formatNotice(result) {
+  if (!result.checked) {
+    if (result.reason === 'disabled') return '[update-check] Obsidian update check disabled (OBSIDIAN_UPDATE_CHECK).';
+    return `[update-check] Could not check for a newer Obsidian release: ${result.reason}`;
+  }
+  if (result.updateAvailable) {
+    const from = result.installed || 'unknown';
+    return [
+      '==========================================',
+      `  Obsidian update available: ${from} -> ${result.latest}`,
+      '  Apply it with:',
+      '    node scripts/update-obsidian.js',
+      '    node scripts/update-obsidian-mobile.js   # mobile renderer',
+      '==========================================',
+    ].join('\n');
+  }
+  return `[update-check] Obsidian renderer is up to date (${result.installed || result.latest}).`;
+}
+
+async function main() {
+  const asJson = process.argv.includes('--json');
+  const result = await checkObsidianVersion();
+  if (asJson) {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    console.log(formatNotice(result));
+  }
+  // Exit 0 when up to date / not checkable, 10 when an update is available, so
+  // CI / cron can branch on it without parsing stdout.
+  process.exitCode = result.updateAvailable ? 10 : 0;
+}
+
+if (require.main === module) {
+  main().catch((err) => {
+    console.error(err.stack || err.message || String(err));
+    process.exitCode = 1;
+  });
+}
+
+module.exports = { checkObsidianVersion, compareVersions, formatNotice };
diff --git a/src/server/index.js b/src/server/index.js
index 1e8ff75..fec33ba 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -200,6 +200,26 @@ function startServer(appConfig = config) {
       warmUpBootstrapCache(app.locals.vaultRegistry, appConfig.vaultPath)
         .catch((err) => console.warn('[bootstrap] warm-up error:', err.message));
     });
+
+    // Notify-only Obsidian update check. Runs in the background so it never
+    // blocks boot, and only logs -- applying an update stays a manual step
+    // (node scripts/update-obsidian.js). Disable with OBSIDIAN_UPDATE_CHECK=false.
+    setImmediate(() => {
+      let checkObsidianVersion;
+      let formatNotice;
+      try {
+        ({ checkObsidianVersion, formatNotice } = require('../../scripts/check-obsidian-version'));
+      } catch (_) {
+        return; // scripts/ not present (e.g. trimmed deployment) -- skip silently.
+      }
+      checkObsidianVersion()
+        .then((result) => {
+          // Log on every successful check (update available or up to date);
+          // stay silent when not checkable (offline/disabled) to avoid noise.
+          if (result.checked) console.log(formatNotice(result));
+        })
+        .catch((err) => console.warn('[update-check] error:', err.message));
+    });
   });
 
   return server;

From 28b04b9f82f392bcbf04cc2750013cb32e53700e Mon Sep 17 00:00:00 2001
From: Sean <seanseanrichards@gmail.com>
Date: Wed, 17 Jun 2026 15:48:38 +0000
Subject: [PATCH 46/46] docs: document Obsidian update-check feature and env
 vars in README

---
 README.md | 48 +++++++++++++++++++++++++++---------------------
 1 file changed, 27 insertions(+), 21 deletions(-)

diff --git a/README.md b/README.md
index 0d4e655..5e942d3 100644
--- a/README.md
+++ b/README.md
@@ -149,6 +149,32 @@ node scripts/update-obsidian.js --no-cache
 
 The updater uses the official `obsidian-<version>.asar.gz` release asset, verifies the SHA-256 digest when GitHub provides one, extracts it locally, validates required renderer files, then replaces `obsidian/`.
 
+### Update notifications (auto-check, notify-only)
+
+The server checks for a newer Obsidian release at startup and logs a notice when one is available. It never downloads or applies the update on its own; applying stays the deliberate `node scripts/update-obsidian.js` step above. This keeps you in control of when the renderer changes while still telling you when you are behind.
+
+You can also run the check on demand:
+
+```bash
+# human-readable status (exit 10 if an update is available, 0 otherwise)
+node scripts/check-obsidian-version.js
+
+# machine-readable output for scripts/cron
+node scripts/check-obsidian-version.js --json
+```
+
+The installed version is read from `vendor/obsidian/package.json` (falling back to the server's configured `APP_VERSION`), and compared against the latest tag on `obsidianmd/obsidian-releases`.
+
+Relevant environment variables:
+
+| Variable | Default | Effect |
+|----------|---------|--------|
+| `OBSIDIAN_UPDATE_CHECK` | enabled | Set to `false`/`0`/`off` to disable the startup network check entirely. |
+| `OBSIDIAN_VERSION` | _(unset)_ | Pin to a version (e.g. `1.12.7`). The check then compares against the pin instead of GitHub's latest, and the check needs no network. |
+| `OBSIDIAN_CHECK_TIMEOUT` | `5000` | Timeout (ms) for the GitHub request. |
+
+The check is non-blocking and offline-safe: if GitHub is unreachable it stays silent rather than failing boot.
+
 ### Mobile bundle (`vendor/obsidian-mobile/`)
 
 The project ships **two runtimes** — a desktop one at `/` and a mobile one at `/mobile`. The mobile runtime needs the Obsidian Android APK bundle, extracted into `vendor/obsidian-mobile/`. Like `vendor/obsidian/`, this directory is gitignored and downloaded on demand:
@@ -246,24 +272,4 @@ The Node.js server (`src/server/`) can be deployed to any Linux box. A typical s
 1. Clone the repo and run `node scripts/update-obsidian.js` to get Obsidian's renderer files
 2. `cd src/server && npm install && npm start`
 3. Put it behind a reverse proxy (nginx, Caddy, Cloudflare Tunnel) with HTTPS
-4. Do not expose the server directly to the internet without auth — there is no application-level authentication
-
-## Notes
-
-- Obsidian's extracted files are treated as third-party artifacts. Do not edit files under `vendor/obsidian/` or `vendor/obsidian-mobile/`; update wrappers/shims instead.
-- The default vault is `user-data/demo-vault/`.
-- The current starter folder picker is prompt-based: enter an absolute server path.
-- Do not bind the server to a public IP without a tunnel or auth layer in front.
-- Current architecture and roadmap are in `PLAN.md`.
-
-## Disclaimer
-
-This is an **educational proof-of-concept** exploring how Electron-based apps can run in a standard browser. It is not affiliated with, endorsed by, or associated with [Obsidian](https://obsidian.md) or Dynalist Inc.
-
-This repository does **not** include Obsidian's source code. The `vendor/obsidian/` and `vendor/obsidian-mobile/` directories are gitignored — users must download Obsidian's renderer themselves using the provided setup scripts. Obsidian's code remains the property of Dynalist Inc. under their [Terms of Service](https://obsidian.md/terms).
-
-If the Obsidian team has any concerns about this project, please [open an issue](https://github.com/MusiCode1/obsidian-web/issues) and we will address them promptly.
-
-## Credits
-
-Built by [MusiCode1](https://github.com/MusiCode1) and [Claude Code](https://claude.ai/code).
+4. Do not
\ No newline at end of file