markdownr 0.8.0 → 0.8.1

data/lib/markdown_server/assets/editor-loader.js

@@ -0,0 +1,362 @@
+// markdownr editor loader — CodeMirror 6.
+//
+// All esm.sh URLs are pinned in the page's <script type="importmap"> (see
+// editor_import_map_json in lib/markdown_server/app.rb). Each package has
+// `?external=<shared-deps>` so esm.sh emits bare imports for shared modules
+// (state, view, language, commands), which the importmap then resolves to a
+// single URL each — guaranteeing one instance of each shared module.
+
+import { EditorState, Compartment, RangeSetBuilder } from '@codemirror/state';
+import {
+  EditorView, keymap, highlightActiveLine, lineNumbers,
+  highlightActiveLineGutter, drawSelection, ViewPlugin, Decoration, WidgetType
+} from '@codemirror/view';
+import {
+  defaultKeymap, history, historyKeymap, indentWithTab
+} from '@codemirror/commands';
+import {
+  defaultHighlightStyle, syntaxHighlighting, indentOnInput, bracketMatching,
+  foldGutter, foldKeymap, StreamLanguage, syntaxTree
+} from '@codemirror/language';
+import { searchKeymap, highlightSelectionMatches } from '@codemirror/search';
+import {
+  autocompletion, completionKeymap, closeBrackets, closeBracketsKeymap
+} from '@codemirror/autocomplete';
+import { oneDark } from '@codemirror/theme-one-dark';
+import { markdown } from '@codemirror/lang-markdown';
+import { javascript } from '@codemirror/lang-javascript';
+import { json } from '@codemirror/lang-json';
+import { yaml } from '@codemirror/lang-yaml';
+import { html } from '@codemirror/lang-html';
+import { css } from '@codemirror/lang-css';
+import { python } from '@codemirror/lang-python';
+import { ruby } from '@codemirror/legacy-modes/mode/ruby';
+import { shell } from '@codemirror/legacy-modes/mode/shell';
+import { vim, Vim } from '@replit/codemirror-vim';
+
+// ── Live-preview plugin (subset: headings, strong, emphasis, inline code, links)
+//
+// Lines whose content the cursor (or selection) is currently on are left as
+// raw markdown so the user can edit the syntax. All other supported tokens
+// are decorated: structural marks (#, **, _, `, [, ]) get hidden via
+// Decoration.replace; content gets a class for CSS styling. Anything we
+// don't recognize (tables, fences, lists, images, embeds, etc.) is left
+// untouched and shows as raw markdown text — that's why the side preview
+// pane is still available for the cases this subset can't render.
+
+const HEADING_LEVEL = {
+  ATXHeading1: 1, ATXHeading2: 2, ATXHeading3: 3,
+  ATXHeading4: 4, ATXHeading5: 5, ATXHeading6: 6,
+};
+
+class BulletWidget extends WidgetType {
+  toDOM() {
+    const span = document.createElement('span');
+    span.className = 'cm-md-bullet';
+    span.textContent = '• ';
+    return span;
+  }
+  eq() { return true; }
+  ignoreEvent() { return false; }
+}
+
+function buildLivePreviewDecorations(view) {
+  const tree = syntaxTree(view.state);
+
+  const sel = view.state.selection.main;
+  const cursorLines = new Set();
+  const lineFromIdx = view.state.doc.lineAt(sel.from).number;
+  const lineToIdx = view.state.doc.lineAt(sel.to).number;
+  for (let l = lineFromIdx; l <= lineToIdx; l++) cursorLines.add(l);
+
+  const lineHasCursor = (pos) => cursorLines.has(view.state.doc.lineAt(pos).number);
+
+  // We collect ranges into an array and let Decoration.set(..., true) sort
+  // them. RangeSetBuilder requires strict monotonic (from, startSide)
+  // ordering, but the markdown tree visits a parent (e.g. StrongEmphasis)
+  // and then its child marker (EmphasisMark) at the same start position —
+  // that's a tie the builder rejects unless the child range starts exactly
+  // where the parent's last range ended, which it doesn't.
+  const ranges = [];
+  const seen = Object.create(null);
+  const add = (from, to, deco) => { ranges.push(deco.range(from, to)); };
+
+  // Walk the entire doc (not just visibleRanges) — for typical markdown
+  // files in the popup this is fine, and avoids pitfalls when the visible
+  // range hasn't settled yet on first construction.
+  {
+    tree.iterate({
+      enter(node) {
+        const name = node.type.name;
+        seen[name] = (seen[name] || 0) + 1;
+        const lvl = HEADING_LEVEL[name];
+
+        if (lvl) {
+          const line = view.state.doc.lineAt(node.from);
+          add(line.from, line.from, Decoration.line({
+            class: `cm-md-line-h${lvl}`
+          }));
+          return;
+        }
+
+        if (name === 'HeaderMark') {
+          const parent = node.node.parent;
+          if (!parent || !HEADING_LEVEL[parent.type.name]) return;
+          if (lineHasCursor(node.from)) return;
+          // Hide "# " (the mark plus the space after it).
+          const after = view.state.doc.sliceString(node.to, node.to + 1);
+          const hideTo = after === ' ' ? node.to + 1 : node.to;
+          add(node.from, hideTo, Decoration.replace({}));
+          return;
+        }
+
+        if (name === 'ListItem') {
+          const line = view.state.doc.lineAt(node.from);
+          add(line.from, line.from, Decoration.line({ class: 'cm-md-list-item' }));
+          return;
+        }
+
+        if (name === 'ListMark') {
+          if (lineHasCursor(node.from)) return;
+          const parent = node.node.parent;
+          if (!parent || parent.type.name !== 'ListItem') return;
+          const list = parent.parent;
+          if (!list) return;
+          if (list.type.name === 'BulletList') {
+            // Replace `- ` (or `*`/`+` plus its trailing space) with a `• ` widget.
+            const after = view.state.doc.sliceString(node.to, node.to + 1);
+            const hideTo = after === ' ' ? node.to + 1 : node.to;
+            add(node.from, hideTo, Decoration.replace({ widget: new BulletWidget() }));
+          }
+          // OrderedList: leave the "1." marker visible — easier than tracking
+          // the actual sequence number, and reads fine as-is.
+          return;
+        }
+
+        // Styling classes always apply (Obsidian-style: bold/italic/code stay
+        // visually styled even when the cursor is on the line). Only the
+        // syntax markers (**, _, `, [, ], (url)) are revealed/hidden based on
+        // cursor position.
+
+        if (name === 'StrongEmphasis') {
+          add(node.from, node.to, Decoration.mark({ class: 'cm-md-strong' }));
+          return;
+        }
+
+        if (name === 'Emphasis') {
+          add(node.from, node.to, Decoration.mark({ class: 'cm-md-em' }));
+          return;
+        }
+
+        if (name === 'EmphasisMark') {
+          if (lineHasCursor(node.from)) return;
+          const parent = node.node.parent;
+          if (!parent) return;
+          if (parent.type.name === 'Emphasis' || parent.type.name === 'StrongEmphasis') {
+            add(node.from, node.to, Decoration.replace({}));
+          }
+          return;
+        }
+
+        if (name === 'InlineCode') {
+          add(node.from, node.to, Decoration.mark({ class: 'cm-md-code' }));
+          return;
+        }
+
+        if (name === 'CodeMark') {
+          if (lineHasCursor(node.from)) return;
+          const parent = node.node.parent;
+          if (parent && parent.type.name === 'InlineCode') {
+            add(node.from, node.to, Decoration.replace({}));
+          }
+          return;
+        }
+
+        if (name === 'Link') {
+          add(node.from, node.to, Decoration.mark({ class: 'cm-md-link' }));
+          return;
+        }
+
+        if (name === 'LinkMark' || name === 'URL') {
+          if (lineHasCursor(node.from)) return;
+          const parent = node.node.parent;
+          if (parent && parent.type.name === 'Link') {
+            add(node.from, node.to, Decoration.replace({}));
+          }
+          return;
+        }
+      }
+    });
+  }
+  if (typeof window !== 'undefined') {
+    window.__lpDebug = {
+      treeRoot: tree.type.name,
+      docLength: view.state.doc.length,
+      seenNodeTypes: seen,
+      decorationsAdded: ranges.length,
+      ranAt: new Date().toISOString(),
+    };
+  }
+  return Decoration.set(ranges, true);
+}
+
+const livePreviewPlugin = ViewPlugin.fromClass(class {
+  constructor(view) { this.decorations = buildLivePreviewDecorations(view); }
+  update(u) {
+    if (u.docChanged || u.viewportChanged || u.selectionSet) {
+      this.decorations = buildLivePreviewDecorations(u.view);
+    }
+  }
+}, { decorations: v => v.decorations });
+
+function languageExtension(name) {
+  switch (name) {
+    case 'markdown': return markdown({ codeLanguages: [] });
+    case 'javascript': return javascript();
+    case 'json': return json();
+    case 'yaml': return yaml();
+    case 'html': return html();
+    case 'css': return css();
+    case 'python': return python();
+    case 'ruby': return StreamLanguage.define(ruby);
+    case 'bash': case 'shell': return StreamLanguage.define(shell);
+    default: return [];
+  }
+}
+
+const baseExtensions = (onChange) => [
+  lineNumbers(),
+  highlightActiveLineGutter(),
+  history(),
+  drawSelection(),
+  foldGutter(),
+  indentOnInput(),
+  syntaxHighlighting(defaultHighlightStyle, { fallback: true }),
+  bracketMatching(),
+  closeBrackets(),
+  autocompletion(),
+  highlightActiveLine(),
+  highlightSelectionMatches(),
+  oneDark,
+  // Live-preview decorations — only emit non-empty results when the active
+  // language is lang-markdown (other parsers' syntax trees never contain the
+  // node names we look for). Adding it at the base level instead of inside
+  // the language compartment avoids confusion when the language is switched.
+  livePreviewPlugin,
+  EditorView.lineWrapping,
+  keymap.of([
+    ...closeBracketsKeymap,
+    ...defaultKeymap,
+    ...searchKeymap,
+    ...historyKeymap,
+    ...foldKeymap,
+    ...completionKeymap,
+    indentWithTab,
+  ]),
+  EditorView.updateListener.of((u) => {
+    if (u.docChanged && onChange) onChange(u.state.doc.toString());
+  }),
+];
+
+// Active editor's vim ex-command handlers. Only one editor can own these at a
+// time (last-set wins). When the focused editor is destroyed, its handlers are
+// cleared so a stale closure doesn't fire against a torn-down view.
+let vimSaveHandler = null;
+let vimQuitHandler = null;
+let vimIsDirtyHandler = null;
+
+function showVimNotice(cm, msg) {
+  if (!cm || typeof cm.openNotification !== 'function') return;
+  const div = document.createElement('div');
+  div.className = 'cm-vim-message';
+  div.style.color = 'red';
+  div.style.whiteSpace = 'pre';
+  div.textContent = msg;
+  cm.openNotification(div, { bottom: true, duration: 4000 });
+}
+
+function vimSaveThenQuit() {
+  if (!vimSaveHandler) {
+    if (vimQuitHandler) vimQuitHandler({ saved: true });
+    return;
+  }
+  Promise.resolve(vimSaveHandler()).then((ok) => {
+    if (ok === false) return;
+    if (vimQuitHandler) vimQuitHandler({ saved: true });
+  });
+}
+
+Vim.defineEx('write', 'w', () => { if (vimSaveHandler) vimSaveHandler(); });
+Vim.defineEx('wq', 'wq', vimSaveThenQuit);
+Vim.defineEx('x', 'x', vimSaveThenQuit);
+Vim.defineEx('quit', 'q', (cm, params) => {
+  // Bang (`:q!`) is parsed into params.argString by codemirror-vim:
+  // commandName='q', argString='!'.
+  const argStr = String((params && params.argString) || '');
+  const force = argStr.indexOf('!') !== -1;
+  if (!force && vimIsDirtyHandler && vimIsDirtyHandler()) {
+    showVimNotice(cm, 'No write since last change (use :q! to discard, :wq to save and quit)');
+    return;
+  }
+  if (vimQuitHandler) vimQuitHandler({ saved: false });
+});
+
+export function createEditor({ parent, doc, language, vim: useVim, onSave, onChange }) {
+  const langCompartment = new Compartment();
+  const vimCompartment = new Compartment();
+
+  const saveKeymap = keymap.of([
+    {
+      key: 'Mod-s',
+      preventDefault: true,
+      run: () => { if (onSave) onSave(); return true; },
+    },
+  ]);
+
+  const state = EditorState.create({
+    doc: doc || '',
+    extensions: [
+      vimCompartment.of(useVim ? vim() : []),
+      saveKeymap,
+      ...baseExtensions(onChange),
+      langCompartment.of(languageExtension(language)),
+    ],
+  });
+
+  const view = new EditorView({ state, parent });
+
+  let mySave = null, myQuit = null, myIsDirty = null;
+
+  return {
+    view,
+    setVim(on) {
+      view.dispatch({ effects: vimCompartment.reconfigure(on ? vim() : []) });
+    },
+    setLanguage(name) {
+      view.dispatch({ effects: langCompartment.reconfigure(languageExtension(name)) });
+    },
+    setSaveHandler(fn) {
+      mySave = fn;
+      vimSaveHandler = fn;
+    },
+    setQuitHandler(quitFn, isDirtyFn) {
+      myQuit = quitFn;
+      myIsDirty = isDirtyFn;
+      vimQuitHandler = quitFn;
+      vimIsDirtyHandler = isDirtyFn;
+    },
+    getValue() {
+      return view.state.doc.toString();
+    },
+    setValue(text) {
+      view.dispatch({ changes: { from: 0, to: view.state.doc.length, insert: text } });
+    },
+    focus() { view.focus(); },
+    destroy() {
+      if (vimSaveHandler === mySave) vimSaveHandler = null;
+      if (vimQuitHandler === myQuit) vimQuitHandler = null;
+      if (vimIsDirtyHandler === myIsDirty) vimIsDirtyHandler = null;
+      view.destroy();
+    },
+  };
+}

data/lib/markdown_server/helpers/admin_helpers.rb

@@ -21,7 +21,17 @@ module MarkdownServer
         end
       end
 
+      def admin_only_mode?
+        return true if settings.admin_only
+        setup_config["admin_only"] == true
+      end
+
+      def admin_only_public_route?(path)
+        path == "/admin/login" || path == "/admin/logout" || path == "/robots.txt"
+      end
+
       def admin?
+        return true if settings.admin_all
         return true if session[:admin]
 
         adm = setup_config["admin"]

data/lib/markdown_server/helpers/formatting_helpers.rb

@@ -49,7 +49,9 @@ module MarkdownServer
       end
 
       def inline_directory_html(dir_path, relative_dir)
-        entries = Dir.entries(dir_path).reject { |e| e.start_with?(".") || EXCLUDED.include?(e) }
+        entries = Dir.entries(dir_path).select do |e|
+          e != "." && e != ".." && entry_admitted?(dir_path, relative_dir, e)
+        end
         items = entries.map do |name|
           stat = File.stat(File.join(dir_path, name)) rescue next
           is_dir = stat.directory?

data/lib/markdown_server/helpers/markdown_helpers.rb

@@ -73,7 +73,7 @@ module MarkdownServer
             %(<sup id="fnref:#{name}" role="doc-noteref"><a href="#fn:#{name}" class="footnote" rel="footnote">#{h(name)}</a></sup>)
           end
         end
-        html.gsub(%r{<li id="fn:([^"]+)"[^>]*>\s*<p>}m) do
+        html = html.gsub(%r{<li id="fn:([^"]+)"[^>]*>\s*<p>}m) do
           full_match = $&
           name = $1
           if name =~ /\A\d+\z/
@@ -82,6 +82,107 @@ module MarkdownServer
             %(<li id="fn:#{name}"><p><strong>#{h(name)}:</strong> )
           end
         end
+
+        transform_callouts(html)
+      end
+
+      # Obsidian-style callouts: `> [!TYPE] Optional Title` at the start of a
+      # blockquote becomes a styled .callout panel. `[!TYPE]+` makes it a
+      # foldable <details open>; `[!TYPE]-` makes it foldable and collapsed.
+      CALLOUT_TYPES = {
+        "note"     => { label: "Note",     color: "#448aff" },
+        "abstract" => { label: "Abstract", color: "#00b0ff" },
+        "summary"  => { label: "Summary",  color: "#00b0ff" },
+        "tldr"     => { label: "TL;DR",    color: "#00b0ff" },
+        "info"     => { label: "Info",     color: "#00b8d4" },
+        "todo"     => { label: "Todo",     color: "#00b8d4" },
+        "tip"      => { label: "Tip",      color: "#00bfa5" },
+        "hint"     => { label: "Hint",     color: "#00bfa5" },
+        "important"=> { label: "Important",color: "#00bfa5" },
+        "success"  => { label: "Success",  color: "#00c853" },
+        "check"    => { label: "Check",    color: "#00c853" },
+        "done"     => { label: "Done",     color: "#00c853" },
+        "question" => { label: "Question", color: "#64dd17" },
+        "help"     => { label: "Help",     color: "#64dd17" },
+        "faq"      => { label: "FAQ",      color: "#64dd17" },
+        "warning"  => { label: "Warning",  color: "#ff9100" },
+        "caution"  => { label: "Caution",  color: "#ff9100" },
+        "attention"=> { label: "Attention",color: "#ff9100" },
+        "failure"  => { label: "Failure",  color: "#ff5252" },
+        "fail"     => { label: "Fail",     color: "#ff5252" },
+        "missing"  => { label: "Missing",  color: "#ff5252" },
+        "danger"   => { label: "Danger",   color: "#ff1744" },
+        "error"    => { label: "Error",    color: "#ff1744" },
+        "bug"      => { label: "Bug",      color: "#f50057" },
+        "example"  => { label: "Example",  color: "#7c4dff" },
+        "quote"    => { label: "Quote",    color: "#9e9e9e" },
+        "cite"     => { label: "Cite",     color: "#9e9e9e" }
+      }.freeze
+
+      CALLOUT_ICONS = {
+        "note"     => '<path d="M12 20h9"/><path d="M16.5 3.5a2.121 2.121 0 0 1 3 3L7 19l-4 1 1-4z"/>',
+        "abstract" => '<path d="M9 5H7a2 2 0 0 0-2 2v12a2 2 0 0 0 2 2h10a2 2 0 0 0 2-2V7a2 2 0 0 0-2-2h-2"/><rect x="9" y="3" width="6" height="4" rx="1"/><path d="M9 12h6M9 16h6"/>',
+        "info"     => '<circle cx="12" cy="12" r="10"/><line x1="12" y1="16" x2="12" y2="12"/><line x1="12" y1="8" x2="12.01" y2="8"/>',
+        "todo"     => '<circle cx="12" cy="12" r="10"/><polyline points="9 12 11 14 15 10"/>',
+        "tip"      => '<path d="M8.5 14.5A2.5 2.5 0 0 0 11 12c0-1.38-.5-2-1-3-1.072-2.143-.224-4.054 2-6 .5 2.5 2 4.9 4 6.5 2 1.6 3 3.5 3 5.5a7 7 0 1 1-14 0c0-1.153.433-2.294 1-3a2.5 2.5 0 0 0 2.5 2.5z"/>',
+        "success"  => '<polyline points="20 6 9 17 4 12"/>',
+        "question" => '<circle cx="12" cy="12" r="10"/><path d="M9.09 9a3 3 0 0 1 5.83 1c0 2-3 3-3 3"/><line x1="12" y1="17" x2="12.01" y2="17"/>',
+        "warning"  => '<path d="M10.29 3.86 1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z"/><line x1="12" y1="9" x2="12" y2="13"/><line x1="12" y1="17" x2="12.01" y2="17"/>',
+        "failure"  => '<circle cx="12" cy="12" r="10"/><line x1="15" y1="9" x2="9" y2="15"/><line x1="9" y1="9" x2="15" y2="15"/>',
+        "danger"   => '<polygon points="13 2 3 14 12 14 11 22 21 10 12 10 13 2"/>',
+        "bug"      => '<rect x="8" y="6" width="8" height="14" rx="4"/><path d="M19 7l-3 2M5 7l3 2M19 13h-3M8 13H5M19 19l-3-2M5 19l3-2M9 2l1 2M15 2l-1 2"/>',
+        "example"  => '<line x1="8" y1="6" x2="21" y2="6"/><line x1="8" y1="12" x2="21" y2="12"/><line x1="8" y1="18" x2="21" y2="18"/><line x1="3" y1="6" x2="3.01" y2="6"/><line x1="3" y1="12" x2="3.01" y2="12"/><line x1="3" y1="18" x2="3.01" y2="18"/>',
+        "quote"    => '<path d="M3 21c3 0 7-1 7-8V5c0-1.25-.756-2.017-2-2H4c-1.25 0-2 .75-2 1.972V11c0 1.25.75 2 2 2 1 0 1 0 1 1v1c0 1-1 2-2 2s-1 .008-1 1.031V20c0 1 0 1 1 1z"/><path d="M15 21c3 0 7-1 7-8V5c0-1.25-.757-2.017-2-2h-4c-1.25 0-2 .75-2 1.972V11c0 1.25.75 2 2 2h.75c0 2.25.25 4-2.75 4v3c0 1 0 1 1 1z"/>'
+      }.freeze
+
+      CALLOUT_ICON_ALIASES = {
+        "summary" => "abstract", "tldr" => "abstract",
+        "hint" => "tip", "important" => "tip",
+        "check" => "success", "done" => "success",
+        "help" => "question", "faq" => "question",
+        "caution" => "warning", "attention" => "warning",
+        "fail" => "failure", "missing" => "failure",
+        "error" => "danger",
+        "cite" => "quote"
+      }.freeze
+
+      def callout_meta(type)
+        CALLOUT_TYPES[type] || { label: type.capitalize, color: "#888888" }
+      end
+
+      def callout_icon_svg(type)
+        key = CALLOUT_ICON_ALIASES[type] || type
+        body = CALLOUT_ICONS[key] || CALLOUT_ICONS["note"]
+        %(<svg class="callout-icon" viewBox="0 0 24 24" width="16" height="16" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true">#{body}</svg>)
+      end
+
+      def transform_callouts(html)
+        html.gsub(
+          %r{<blockquote>\s*<p>\[!(\w+)\]([+-])?[ \t]*([^\n<]*?)[ \t]*(?:<br\s*/?>\n?|\n)?(.*?)</p>(.*?)</blockquote>}m
+        ) do
+          type = $1.downcase
+          fold = $2
+          custom_title = $3.to_s.strip
+          first_p_rest = $4.to_s.strip
+          rest = $5.to_s.strip
+
+          meta = callout_meta(type)
+          title = custom_title.empty? ? meta[:label] : custom_title
+
+          body = +""
+          body << "<p>#{first_p_rest}</p>" unless first_p_rest.empty?
+          body << rest
+
+          icon = callout_icon_svg(type)
+          title_html = %(#{icon}<span class="callout-title-inner">#{h(title)}</span>)
+
+          if fold
+            open_attr = fold == "+" ? " open" : ""
+            %(<div class="callout callout-#{type}" data-callout="#{type}" style="--callout-color: #{meta[:color]}"><details#{open_attr}><summary class="callout-title">#{title_html}</summary><div class="callout-content">#{body}</div></details></div>)
+          else
+            %(<div class="callout callout-#{type}" data-callout="#{type}" style="--callout-color: #{meta[:color]}"><div class="callout-title">#{title_html}</div><div class="callout-content">#{body}</div></div>)
+          end
+        end
       end
 
       def resolve_wiki_link(name)
@@ -101,8 +202,7 @@ module MarkdownServer
               real = File.realpath(path) rescue next
               next unless real.start_with?(base)
               relative = real.sub("#{base}/", "")
-              first_segment = relative.split("/").first
-              next if EXCLUDED.include?(first_segment) || first_segment&.start_with?(".")
+              next unless MarkdownServer::Unhide.visible?(relative.split("/"), Array(settings.unhide_rules))
               if File.basename(real) == filename
                 local_exact = relative
                 break
@@ -124,8 +224,7 @@ module MarkdownServer
             real = File.realpath(path) rescue next
             next unless real.start_with?(base)
             relative = real.sub("#{base}/", "")
-            first_segment = relative.split("/").first
-            next if EXCLUDED.include?(first_segment) || first_segment&.start_with?(".")
+            next unless MarkdownServer::Unhide.visible?(relative.split("/"), Array(settings.unhide_rules))
             if File.basename(real) == filename
               exact_match ||= relative
             else
@@ -203,6 +302,34 @@ module MarkdownServer
         formatter.format(lexer.lex(code))
       end
 
+      def detect_source_language(real_path, content)
+        ext = File.extname(real_path).downcase
+        by_ext = case ext
+                 when ".py" then "python"
+                 when ".rb" then "ruby"
+                 when ".csv" then "text"
+                 when ".sh" then "bash"
+                 when ".yaml", ".yml" then "yaml"
+                 when ".erb" then "html"
+                 when ".html" then "html"
+                 when ".js" then "javascript"
+                 when ".css" then "css"
+                 when ".json" then "json"
+                 end
+        return by_ext if by_ext
+
+        if content.is_a?(String) && content.start_with?("#!")
+          shebang = content.lines.first.to_s
+          return "ruby"       if shebang.match?(/\bruby\b/)
+          return "python"     if shebang.match?(/\bpython[\d.]*\b/)
+          return "bash"       if shebang.match?(/\b(bash|zsh|dash|ksh|sh)\b/)
+          return "javascript" if shebang.match?(/\bnode\b/)
+          return "perl"       if shebang.match?(/\bperl\b/)
+        end
+
+        "text"
+      end
+
       def extract_toc(html)
         headings = []
         html.scan(/<h([1-6])\s[^>]*id="([^"]*)"[^>]*>(.*?)<\/h\1>/mi) do |level, id, text|

data/lib/markdown_server/helpers/path_helpers.rb

@@ -13,6 +13,27 @@ module MarkdownServer
         URI.encode_www_form_component(str).gsub("+", "%20")
       end
 
+      # Returns the permitted base (root realpath or a followed-link target realpath)
+      # that contains `real`, or nil if no permitted base contains it.
+      def permitted_base_for(real)
+        MarkdownServer::PermittedBases.base_for(real, permitted_bases)
+      end
+
+      def permitted_bases
+        [File.realpath(root_dir), *Array(settings.followed_links)]
+      end
+
+      # Returns true if `real` is under a permitted base AND every restricted
+      # segment of the path under that base is admitted by the configured
+      # unhide rules (per Unhide.visible? algorithm).
+      def permitted_path?(real)
+        base = permitted_base_for(real)
+        return false unless base
+        return true if real == base
+        rel = real.sub("#{base}/", "")
+        MarkdownServer::Unhide.visible?(rel.split("/"), Array(settings.unhide_rules))
+      end
+
       def safe_path(requested)
         base = File.realpath(root_dir)
         full = File.join(base, requested)
@@ -23,17 +44,45 @@ module MarkdownServer
           halt 404, erb(:layout) { "<h1>Not Found</h1><p>#{h(requested)}</p>" }
         end
 
-        unless real.start_with?(base)
-          halt 403, erb(:layout) { "<h1>Forbidden</h1>" }
+        halt 403, erb(:layout) { "<h1>Forbidden</h1>" } unless permitted_path?(real)
+        real
+      end
+
+      # Name-gate check for an entry in a directory listing.
+      #
+      # Boundary gate (against served root) is NOT applied here so non-followed
+      # external non-dot symlinks still appear in listings — matching today's
+      # UX; clicking them produces a 403 via safe_path/permitted_path?.
+      #
+      # When the name gate admits a normally-restricted entry (dotfile or
+      # EXCLUDED) that is also a symlink, additionally require the symlink's
+      # realpath to be explicitly listed in --follow-link. Otherwise the
+      # unhide rule does not surface it. Keeps `unhide` (visibility by name)
+      # and `--follow-link` (which symlinks may be entered) as orthogonal
+      # opt-ins; prevents internal-aliased dotfile symlinks like
+      # `.claude → claude` from showing up as duplicates of their targets.
+      def entry_admitted?(parent_real, parent_relative_str, entry_name)
+        rules = Array(settings.unhide_rules)
+        parent_segs = parent_relative_str.to_s.empty? ? [] : parent_relative_str.split("/")
+
+        mode = :open
+        parent_segs.each_with_index do |seg, i|
+          ok, mode = MarkdownServer::Unhide.step(mode, parent_segs, i, seg, rules)
+          return false unless ok
         end
 
-        relative = real.sub("#{base}/", "")
-        first_segment = relative.split("/").first
-        if EXCLUDED.include?(first_segment) || first_segment&.start_with?(".")
-          halt 403, erb(:layout) { "<h1>Forbidden</h1>" }
+        ok, _ = MarkdownServer::Unhide.entry_step(mode, parent_segs, entry_name, rules)
+        return false unless ok
+
+        if MarkdownServer::Unhide.restricted?(entry_name)
+          full = File.join(parent_real, entry_name)
+          if File.symlink?(full)
+            real = File.realpath(full) rescue (return false)
+            return false unless Array(settings.followed_links).include?(real)
+          end
         end
 
-        real
+        true
       end
     end
   end