chore: pre-release v0.4.6-dev

.dockerignore

@@ -7,3 +7,9 @@ dist
 .env
 .DS_Store
 *.log
+backend
+frontend/node_modules
+frontend/dist
+frontend/coverage
+frontend/test-results
+frontend/playwright-report

README.md

@@ -99,6 +99,8 @@ docker compose -f docker-compose.prod.yml up -d
 # Access the frontend at localhost:6767
 ```
 
+For single-container deployments, `JWT_SECRET` can be omitted and will be auto-generated and persisted in the backend volume on first start. For portability and all multi-instance deployments, set a fixed `JWT_SECRET` explicitly.
+
 ## Docker Build
 
 [Install Docker](https://docs.docker.com/desktop/)
@@ -141,7 +143,7 @@ frontend:
 
 ### Multi-Container / Kubernetes Deployments
 
-When running multiple backend replicas (e.g., Kubernetes, Docker Swarm, or load-balanced containers), you **must** set the `CSRF_SECRET` environment variable to the same value across all instances.
+When running multiple backend replicas (e.g., Kubernetes, Docker Swarm, or load-balanced containers), you **must** set both `JWT_SECRET` and `CSRF_SECRET` to the same values across all instances.
 
 ```bash
 # Generate a secure secret
@@ -152,6 +154,7 @@ openssl rand -base64 32
 # docker-compose.yml or k8s deployment
 backend:
   environment:
+    - JWT_SECRET=your-generated-jwt-secret-here
     - CSRF_SECRET=your-generated-secret-here
 ```
 

VERSION

@@ -1 +1 @@
-0.4.0
+0.4.6

backend/.dockerignore

@@ -9,3 +9,7 @@ dist
 *.log
 prisma/dev.db
 prisma/dev.db-journal
+src/generated
+coverage
+*.test.ts
+*.spec.ts

backend/Dockerfile

@@ -3,12 +3,15 @@ FROM node:20-alpine AS builder
 
 WORKDIR /app
 
+# Native build deps for modules that may compile from source (e.g., better-sqlite3 on arm64)
+RUN apk add --no-cache python3 make g++
+
 # Copy package files
 COPY package*.json ./
 COPY tsconfig.json ./
 
 # Install dependencies
-RUN npm ci
+RUN npm ci && npm cache clean --force
 
 # Copy prisma schema
 COPY prisma ./prisma/
@@ -25,7 +28,7 @@ RUN npx tsc
 # Production stage
 FROM node:20-alpine
 
-# Install OpenSSL for Prisma and su-exec, create non-root user
+# Install runtime packages and create non-root user
 RUN apk add --no-cache openssl su-exec && \
     addgroup -g 1001 -S nodejs && \
     adduser -S nodejs -u 1001
@@ -36,7 +39,10 @@ WORKDIR /app
 COPY package*.json ./
 
 # Install production dependencies only
-RUN npm ci --only=production
+RUN apk add --no-cache --virtual .build-deps python3 make g++ && \
+    npm ci --omit=dev && \
+    npm cache clean --force && \
+    apk del .build-deps
 
 # Copy prisma schema and migrations for runtime and hydration template
 COPY prisma ./prisma/
@@ -48,9 +54,6 @@ COPY --from=builder /app/dist ./dist
 # Copy the generated Prisma Client from builder to maintain the same structure
 COPY --from=builder /app/src/generated ./dist/generated
 
-# Generate Prisma Client in production (updates node_modules)
-RUN npx prisma generate
-
 # Create necessary directories (ownership will be set in entrypoint)
 RUN mkdir -p /app/uploads /app/prisma
 

backend/docker-entrypoint.sh

@@ -1,6 +1,30 @@
 #!/bin/sh
 set -e
 
+JWT_SECRET_FILE="/app/prisma/.jwt_secret"
+
+# Ensure JWT secret exists for production startup.
+# Backward compatibility: older installs may not have JWT_SECRET configured.
+if [ -z "${JWT_SECRET:-}" ]; then
+    echo "JWT_SECRET not provided, resolving persisted secret..."
+    if [ -f "${JWT_SECRET_FILE}" ]; then
+        JWT_SECRET="$(tr -d '\r\n' < "${JWT_SECRET_FILE}")"
+    fi
+
+    if [ -z "${JWT_SECRET}" ]; then
+        echo "No persisted JWT secret found. Generating a new secret..."
+        JWT_SECRET="$(openssl rand -hex 32)"
+        umask 077
+        printf "%s" "${JWT_SECRET}" > "${JWT_SECRET_FILE}"
+    fi
+else
+    # Persist explicitly provided secret to support future restarts without env injection.
+    umask 077
+    printf "%s" "${JWT_SECRET}" > "${JWT_SECRET_FILE}"
+fi
+
+export JWT_SECRET
+
 # 1. Hydrate volume if empty (Running as root)
 if [ ! -f "/app/prisma/schema.prisma" ]; then
     echo "Mount is empty. Hydrating /app/prisma..."
@@ -18,6 +42,7 @@ echo "Fixing filesystem permissions..."
 chown -R nodejs:nodejs /app/uploads
 chown -R nodejs:nodejs /app/prisma
 chmod 755 /app/uploads
+chmod 600 "${JWT_SECRET_FILE}"
 
 # Ensure database file has proper permissions
 if [ -f "/app/prisma/dev.db" ]; then

backend/package-lock.json

@@ -1,23 +1,15 @@
 {
   "name": "backend",
-  "version": "0.3.2",
+  "version": "0.4.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "backend",
-      "version": "0.3.2",
+      "version": "0.4.1",
       "license": "ISC",
       "dependencies": {
         "@prisma/client": "^5.22.0",
-        "@types/archiver": "^7.0.0",
-        "@types/bcrypt": "^6.0.0",
-        "@types/jsdom": "^21.1.7",
-        "@types/jsonwebtoken": "^9.0.10",
-        "@types/ms": "^2.1.0",
-        "@types/multer": "^2.0.0",
-        "@types/socket.io": "^3.0.1",
-        "@types/uuid": "^10.0.0",
         "archiver": "^7.0.1",
         "bcrypt": "^6.0.0",
         "better-sqlite3": "^12.4.6",
@@ -38,10 +30,18 @@
         "zod": "^4.1.12"
       },
       "devDependencies": {
+        "@types/archiver": "^7.0.0",
+        "@types/bcrypt": "^6.0.0",
         "@types/cors": "^2.8.19",
         "@types/express": "^5.0.5",
+        "@types/jsdom": "^21.1.7",
+        "@types/jsonwebtoken": "^9.0.10",
+        "@types/ms": "^2.1.0",
+        "@types/multer": "^2.0.0",
         "@types/node": "^24.10.1",
+        "@types/socket.io": "^3.0.1",
         "@types/supertest": "^6.0.3",
+        "@types/uuid": "^10.0.0",
         "nodemon": "^3.1.11",
         "supertest": "^7.1.4",
         "ts-node": "^10.9.2",
@@ -1007,6 +1007,7 @@
       "version": "7.0.0",
       "resolved": "https://registry.npmjs.org/@types/archiver/-/archiver-7.0.0.tgz",
       "integrity": "sha512-/3vwGwx9n+mCQdYZ2IKGGHEFL30I96UgBlk8EtRDDFQ9uxM1l4O5Ci6r00EMAkiDaTqD9DQ6nVrWRICnBPtzzg==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@types/readdir-glob": "*"
@@ -1016,6 +1017,7 @@
       "version": "6.0.0",
       "resolved": "https://registry.npmjs.org/@types/bcrypt/-/bcrypt-6.0.0.tgz",
       "integrity": "sha512-/oJGukuH3D2+D+3H4JWLaAsJ/ji86dhRidzZ/Od7H/i8g+aCmvkeCc6Ni/f9uxGLSQVCRZkX2/lqEFG2BvWtlQ==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@types/node": "*"
@@ -1025,6 +1027,7 @@
       "version": "1.19.6",
       "resolved": "https://registry.npmjs.org/@types/body-parser/-/body-parser-1.19.6.tgz",
       "integrity": "sha512-HLFeCYgz89uk22N5Qg3dvGvsv46B8GLvKKo1zKG4NybA8U2DiEO3w9lqGg29t/tfLRJpJ6iQxnVw4OnB7MoM9g==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@types/connect": "*",
@@ -1046,6 +1049,7 @@
       "version": "3.4.38",
       "resolved": "https://registry.npmjs.org/@types/connect/-/connect-3.4.38.tgz",
       "integrity": "sha512-K6uROf1LD88uDQqJCktA4yzL1YYAK6NgfsI0v/mTgyPKWsX1CnJ0XPSDhViejru1GcRkLWb8RlzFYJRqGUbaug==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@types/node": "*"
@@ -1085,6 +1089,7 @@
       "version": "5.0.5",
       "resolved": "https://registry.npmjs.org/@types/express/-/express-5.0.5.tgz",
       "integrity": "sha512-LuIQOcb6UmnF7C1PCFmEU1u2hmiHL43fgFQX67sN3H4Z+0Yk0Neo++mFsBjhOAuLzvlQeqAAkeDOZrJs9rzumQ==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@types/body-parser": "*",
@@ -1096,6 +1101,7 @@
       "version": "5.1.0",
       "resolved": "https://registry.npmjs.org/@types/express-serve-static-core/-/express-serve-static-core-5.1.0.tgz",
       "integrity": "sha512-jnHMsrd0Mwa9Cf4IdOzbz543y4XJepXrbia2T4b6+spXC2We3t1y6K44D3mR8XMFSXMCf3/l7rCgddfx7UNVBA==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@types/node": "*",
@@ -1108,12 +1114,14 @@
       "version": "2.0.5",
       "resolved": "https://registry.npmjs.org/@types/http-errors/-/http-errors-2.0.5.tgz",
       "integrity": "sha512-r8Tayk8HJnX0FztbZN7oVqGccWgw98T/0neJphO91KkmOzug1KkofZURD4UaD5uH8AqcFLfdPErnBod0u71/qg==",
+      "dev": true,
       "license": "MIT"
     },
     "node_modules/@types/jsdom": {
       "version": "21.1.7",
       "resolved": "https://registry.npmjs.org/@types/jsdom/-/jsdom-21.1.7.tgz",
       "integrity": "sha512-yOriVnggzrnQ3a9OKOCxaVuSug3w3/SbOj5i7VwXWZEyUNl3bLF9V3MfxGbZKuwqJOQyRfqXyROBB1CoZLFWzA==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@types/node": "*",
@@ -1125,6 +1133,7 @@
       "version": "9.0.10",
       "resolved": "https://registry.npmjs.org/@types/jsonwebtoken/-/jsonwebtoken-9.0.10.tgz",
       "integrity": "sha512-asx5hIG9Qmf/1oStypjanR7iKTv0gXQ1Ov/jfrX6kS/EO0OFni8orbmGCn0672NHR3kXHwpAwR+B368ZGN/2rA==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@types/ms": "*",
@@ -1142,18 +1151,21 @@
       "version": "1.3.5",
       "resolved": "https://registry.npmjs.org/@types/mime/-/mime-1.3.5.tgz",
       "integrity": "sha512-/pyBZWSLD2n0dcHE3hq8s8ZvcETHtEuF+3E7XVt0Ig2nvsVQXdghHVcEkIWjy9A0wKfTn97a/PSDYohKIlnP/w==",
+      "dev": true,
       "license": "MIT"
     },
     "node_modules/@types/ms": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/@types/ms/-/ms-2.1.0.tgz",
       "integrity": "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==",
+      "dev": true,
       "license": "MIT"
     },
     "node_modules/@types/multer": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/@types/multer/-/multer-2.0.0.tgz",
       "integrity": "sha512-C3Z9v9Evij2yST3RSBktxP9STm6OdMc5uR1xF1SGr98uv8dUlAL2hqwrZ3GVB3uyMyiegnscEK6PGtYvNrjTjw==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@types/express": "*"
@@ -1164,7 +1176,6 @@
       "resolved": "https://registry.npmjs.org/@types/node/-/node-24.10.1.tgz",
       "integrity": "sha512-GNWcUTRBgIRJD5zj+Tq0fKOJ5XZajIiBroOF0yvj2bSU1WvNdYS/dn9UxwsujGW4JX06dnHyjV2y9rRaybH0iQ==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "undici-types": "~7.16.0"
       }
@@ -1173,18 +1184,21 @@
       "version": "6.14.0",
       "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.14.0.tgz",
       "integrity": "sha512-eOunJqu0K1923aExK6y8p6fsihYEn/BYuQ4g0CxAAgFc4b/ZLN4CrsRZ55srTdqoiLzU2B2evC+apEIxprEzkQ==",
+      "dev": true,
       "license": "MIT"
     },
     "node_modules/@types/range-parser": {
       "version": "1.2.7",
       "resolved": "https://registry.npmjs.org/@types/range-parser/-/range-parser-1.2.7.tgz",
       "integrity": "sha512-hKormJbkJqzQGhziax5PItDUTMAM9uE2XXQmM37dyd4hVM+5aVl7oVxMVUiVQn2oCQFN/LKCZdvSM0pFRqbSmQ==",
+      "dev": true,
       "license": "MIT"
     },
     "node_modules/@types/readdir-glob": {
       "version": "1.1.5",
       "resolved": "https://registry.npmjs.org/@types/readdir-glob/-/readdir-glob-1.1.5.tgz",
       "integrity": "sha512-raiuEPUYqXu+nvtY2Pe8s8FEmZ3x5yAH4VkLdihcPdalvsHltomrRC9BzuStrJ9yk06470hS0Crw0f1pXqD+Hg==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@types/node": "*"
@@ -1194,6 +1208,7 @@
       "version": "1.2.1",
       "resolved": "https://registry.npmjs.org/@types/send/-/send-1.2.1.tgz",
       "integrity": "sha512-arsCikDvlU99zl1g69TcAB3mzZPpxgw0UQnaHeC1Nwb015xp8bknZv5rIfri9xTOcMuaVgvabfIRA7PSZVuZIQ==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@types/node": "*"
@@ -1203,6 +1218,7 @@
       "version": "1.15.10",
       "resolved": "https://registry.npmjs.org/@types/serve-static/-/serve-static-1.15.10.tgz",
       "integrity": "sha512-tRs1dB+g8Itk72rlSI2ZrW6vZg0YrLI81iQSTkMmOqnqCaNr/8Ek4VwWcN5vZgCYWbg/JJSGBlUaYGAOP73qBw==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@types/http-errors": "*",
@@ -1214,6 +1230,7 @@
       "version": "0.17.6",
       "resolved": "https://registry.npmjs.org/@types/send/-/send-0.17.6.tgz",
       "integrity": "sha512-Uqt8rPBE8SY0RK8JB1EzVOIZ32uqy8HwdxCnoCOsYrvnswqmFZ/k+9Ikidlk/ImhsdvBsloHbAlewb2IEBV/Og==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@types/mime": "^1",
@@ -1224,6 +1241,7 @@
       "version": "3.0.1",
       "resolved": "https://registry.npmjs.org/@types/socket.io/-/socket.io-3.0.1.tgz",
       "integrity": "sha512-XSma2FhVD78ymvoxYV4xGXrIH/0EKQ93rR+YR0Y+Kw1xbPzLDCip/UWSejZ08FpxYeYNci/PZPQS9anrvJRqMA==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "socket.io": "*"
@@ -1257,6 +1275,7 @@
       "version": "4.0.5",
       "resolved": "https://registry.npmjs.org/@types/tough-cookie/-/tough-cookie-4.0.5.tgz",
       "integrity": "sha512-/Ad8+nIOV7Rl++6f1BdKxFSMgmoqEoYbHRpPcx3JEfv8VRsQe9Z4mCXeJBzxs7mbHY/XOZZuXlRNfhpVPbs6ZA==",
+      "dev": true,
       "license": "MIT"
     },
     "node_modules/@types/trusted-types": {
@@ -1270,6 +1289,7 @@
       "version": "10.0.0",
       "resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-10.0.0.tgz",
       "integrity": "sha512-7gqG38EyHgyP1S+7+xomFtL+ZNHcKv6DwNaCZmJmo1vgMugyF3TCnXVg4t1uk89mLNwnLtnY3TpOpCOyp1/xHQ==",
+      "dev": true,
       "license": "MIT"
     },
     "node_modules/@vitest/expect": {
@@ -2655,7 +2675,6 @@
       "resolved": "https://registry.npmjs.org/express/-/express-5.2.0.tgz",
       "integrity": "sha512-XdpJDLxfztVY59X0zPI6sibRiGcxhTPXRD3IhJmjKf2jwMvkRGV1j7loB8U+heeamoU3XvihAaGRTR4aXXUN3A==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "accepts": "^2.0.0",
         "body-parser": "^2.2.1",
@@ -4090,7 +4109,6 @@
       "integrity": "sha512-vtpjW3XuYCSnMsNVBjLMNkTj6OZbudcPPTPYHqX0CJfpcdWciI1dM8uHETwmDxxiqEwCIE6WvXucWUetJgfu/A==",
       "hasInstallScript": true,
       "license": "Apache-2.0",
-      "peer": true,
       "dependencies": {
         "@prisma/engines": "5.22.0"
       },
@@ -5103,7 +5121,6 @@
       "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -5262,7 +5279,6 @@
       "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
       "dev": true,
       "license": "Apache-2.0",
-      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -5353,7 +5369,6 @@
       "integrity": "sha512-tI2l/nFHC5rLh7+5+o7QjKjSR04ivXDF4jcgV0f/bTQ+OJiITy5S6gaynVsEM+7RqzufMnVbIon6Sr5x1SDYaQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "esbuild": "^0.25.0",
         "fdir": "^6.5.0",
@@ -5447,7 +5462,6 @@
       "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },

backend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "backend",
-  "version": "0.4.0",
+  "version": "0.4.6",
   "description": "",
   "main": "index.js",
   "scripts": {
@@ -17,14 +17,6 @@
   "type": "commonjs",
   "dependencies": {
     "@prisma/client": "^5.22.0",
-    "@types/archiver": "^7.0.0",
-    "@types/bcrypt": "^6.0.0",
-    "@types/jsdom": "^21.1.7",
-    "@types/jsonwebtoken": "^9.0.10",
-    "@types/ms": "^2.1.0",
-    "@types/multer": "^2.0.0",
-    "@types/socket.io": "^3.0.1",
-    "@types/uuid": "^10.0.0",
     "archiver": "^7.0.1",
     "bcrypt": "^6.0.0",
     "better-sqlite3": "^12.4.6",
@@ -45,10 +37,18 @@
     "zod": "^4.1.12"
   },
   "devDependencies": {
+    "@types/archiver": "^7.0.0",
+    "@types/bcrypt": "^6.0.0",
     "@types/cors": "^2.8.19",
     "@types/express": "^5.0.5",
+    "@types/jsdom": "^21.1.7",
+    "@types/jsonwebtoken": "^9.0.10",
+    "@types/ms": "^2.1.0",
+    "@types/multer": "^2.0.0",
     "@types/node": "^24.10.1",
+    "@types/socket.io": "^3.0.1",
     "@types/supertest": "^6.0.3",
+    "@types/uuid": "^10.0.0",
     "nodemon": "^3.1.11",
     "supertest": "^7.1.4",
     "ts-node": "^10.9.2",

backend/src/__tests__/imports-compat.integration.ts

@@ -3,6 +3,7 @@ import request from "supertest";
 import fs from "fs";
 import path from "path";
 import os from "os";
+import JSZip from "jszip";
 import { getTestPrisma, setupTestDb, cleanupTestDb } from "./testUtils";
 
 type LegacyDbOptions = {
@@ -156,6 +157,111 @@ const createLegacySqliteDb = (opts: LegacyDbOptions): string => {
   return filePath;
 };
 
+const createExcalidashArchiveWithDuplicateDrawingIds = async (): Promise<string> => {
+  const dir = createTempDir();
+  const filePath = path.join(dir, "duplicate-drawing-ids.excalidash");
+  const zip = new JSZip();
+
+  const manifest = {
+    format: "excalidash",
+    formatVersion: 1,
+    exportedAt: new Date().toISOString(),
+    unorganizedFolder: "Unorganized",
+    collections: [] as any[],
+    drawings: [
+      {
+        id: "duplicate-drawing-id",
+        name: "Drawing One",
+        filePath: "Unorganized/drawing-1.excalidraw",
+        collectionId: null,
+      },
+      {
+        id: "duplicate-drawing-id",
+        name: "Drawing Two",
+        filePath: "Unorganized/drawing-2.excalidraw",
+        collectionId: null,
+      },
+    ],
+  };
+
+  zip.file("excalidash.manifest.json", JSON.stringify(manifest));
+  zip.file(
+    "Unorganized/drawing-1.excalidraw",
+    JSON.stringify({ type: "excalidraw", version: 2, source: "test", elements: [], appState: {}, files: {} })
+  );
+  zip.file(
+    "Unorganized/drawing-2.excalidraw",
+    JSON.stringify({ type: "excalidraw", version: 2, source: "test", elements: [], appState: {}, files: {} })
+  );
+
+  const buffer = await zip.generateAsync({ type: "nodebuffer" });
+  fs.writeFileSync(filePath, buffer);
+  return filePath;
+};
+
+const createLegacySqliteDbWithDuplicateDrawingIds = (): string => {
+  const dir = createTempDir();
+  const filePath = path.join(dir, "legacy-duplicate-ids.db");
+  const db = openWritableDb(filePath);
+
+  try {
+    db.exec(`
+      CREATE TABLE "Drawing" (
+        id TEXT,
+        name TEXT NOT NULL,
+        elements TEXT NOT NULL,
+        appState TEXT NOT NULL,
+        files TEXT,
+        preview TEXT,
+        version INTEGER,
+        collectionId TEXT,
+        collectionName TEXT,
+        createdAt TEXT,
+        updatedAt TEXT
+      );
+    `);
+
+    const now = new Date("2024-01-03T00:00:00.000Z").toISOString();
+    const insertDrawing = db.prepare(
+      `INSERT INTO "Drawing"
+        (id, name, elements, appState, files, preview, version, collectionId, collectionName, createdAt, updatedAt)
+        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+    );
+
+    insertDrawing.run(
+      "legacy-duplicate-id",
+      "Legacy Drawing A",
+      JSON.stringify([]),
+      JSON.stringify({}),
+      JSON.stringify({}),
+      null,
+      1,
+      null,
+      null,
+      now,
+      now,
+    );
+
+    insertDrawing.run(
+      "legacy-duplicate-id",
+      "Legacy Drawing B",
+      JSON.stringify([]),
+      JSON.stringify({}),
+      JSON.stringify({}),
+      null,
+      1,
+      null,
+      null,
+      now,
+      now,
+    );
+  } finally {
+    db.close();
+  }
+
+  return filePath;
+};
+
 describe("Import compatibility (legacy exports)", () => {
   const uploadsDir = path.resolve(__dirname, "../../uploads");
   const userAgent = "vitest-import-compat";
@@ -287,4 +393,52 @@ describe("Import compatibility (legacy exports)", () => {
     expect(res.status).toBe(400);
     expect(res.body.error).toBe("Invalid legacy DB");
   });
+
+  it("rejects .excalidash verify when manifest has duplicate drawing IDs", async () => {
+    const archive = await createExcalidashArchiveWithDuplicateDrawingIds();
+    const res = await request(app)
+      .post("/import/excalidash/verify")
+      .set("User-Agent", userAgent)
+      .set(csrfHeaderName, csrfToken)
+      .attach("archive", archive);
+
+    expect(res.status).toBe(400);
+    expect(String(res.body.message || "")).toContain("Duplicate drawing id");
+  });
+
+  it("rejects .excalidash import when manifest has duplicate drawing IDs", async () => {
+    const archive = await createExcalidashArchiveWithDuplicateDrawingIds();
+    const res = await request(app)
+      .post("/import/excalidash")
+      .set("User-Agent", userAgent)
+      .set(csrfHeaderName, csrfToken)
+      .attach("archive", archive);
+
+    expect(res.status).toBe(400);
+    expect(String(res.body.message || "")).toContain("Duplicate drawing id");
+  });
+
+  it("rejects legacy verify when DB has duplicate drawing IDs", async () => {
+    const legacyDb = createLegacySqliteDbWithDuplicateDrawingIds();
+    const res = await request(app)
+      .post("/import/sqlite/legacy/verify")
+      .set("User-Agent", userAgent)
+      .set(csrfHeaderName, csrfToken)
+      .attach("db", legacyDb);
+
+    expect(res.status).toBe(400);
+    expect(String(res.body.message || "")).toContain("Duplicate drawing id");
+  });
+
+  it("rejects legacy import when DB has duplicate drawing IDs", async () => {
+    const legacyDb = createLegacySqliteDbWithDuplicateDrawingIds();
+    const res = await request(app)
+      .post("/import/sqlite/legacy")
+      .set("User-Agent", userAgent)
+      .set(csrfHeaderName, csrfToken)
+      .attach("db", legacyDb);
+
+    expect(res.status).toBe(400);
+    expect(String(res.body.message || "")).toContain("Duplicate drawing id");
+  });
 });

backend/src/index.ts

@@ -259,8 +259,12 @@ app.use((req, res, next) => {
   next();
 });
 
-// HTTPS enforcement in production
+// HTTPS enforcement in production only when configured frontend origins use HTTPS.
-if (config.nodeEnv === "production") {
+const shouldEnforceHttps =
+  config.nodeEnv === "production" &&
+  allowedOrigins.some((origin) => origin.toLowerCase().startsWith("https://"));
+
+if (shouldEnforceHttps) {
   app.use((req, res, next) => {
     if (req.header("x-forwarded-proto") !== "https") {
       res.redirect(`https://${req.header("host")}${req.url}`);
@@ -556,6 +560,7 @@ const drawingUpdateSchema = drawingBaseSchema
     elements: elementSchema.array().optional(),
     appState: appStateSchema.optional(),
     files: filesFieldSchema,
+    version: z.number().int().positive().optional(),
   })
   .refine(
     (data) => {

backend/src/routes/dashboard.ts

@@ -310,7 +310,12 @@ export const registerDashboardRoutes = (
       appState?: Record<string, unknown>;
       preview?: string | null;
       files?: Record<string, unknown>;
+      version?: number;
     };
+    const isSceneUpdate =
+      payload.elements !== undefined ||
+      payload.appState !== undefined ||
+      payload.files !== undefined;
     const data: Prisma.DrawingUpdateInput = { version: { increment: 1 } };
 
     if (payload.name !== undefined) data.name = payload.name;
@@ -334,7 +339,37 @@ export const registerDashboardRoutes = (
       }
     }
 
-    const updatedDrawing = await prisma.drawing.update({ where: { id }, data });
+    const updateWhere: Prisma.DrawingWhereInput = { id, userId: req.user.id };
+    if (isSceneUpdate && payload.version !== undefined) {
+      updateWhere.version = payload.version;
+    }
+
+    const updateResult = await prisma.drawing.updateMany({
+      where: updateWhere,
+      data,
+    });
+    if (updateResult.count === 0) {
+      if (isSceneUpdate && payload.version !== undefined) {
+        const latestDrawing = await prisma.drawing.findFirst({
+          where: { id, userId: req.user.id },
+          select: { version: true },
+        });
+        return res.status(409).json({
+          error: "Conflict",
+          code: "VERSION_CONFLICT",
+          message: "Drawing has changed since this editor state was loaded.",
+          currentVersion: latestDrawing?.version ?? null,
+        });
+      }
+      return res.status(404).json({ error: "Drawing not found" });
+    }
+
+    const updatedDrawing = await prisma.drawing.findFirst({
+      where: { id, userId: req.user.id },
+    });
+    if (!updatedDrawing) {
+      return res.status(404).json({ error: "Drawing not found" });
+    }
     invalidateDrawingsCache();
 
     return res.json({
@@ -352,7 +387,12 @@ export const registerDashboardRoutes = (
     const drawing = await prisma.drawing.findFirst({ where: { id, userId: req.user.id } });
     if (!drawing) return res.status(404).json({ error: "Drawing not found" });
 
-    await prisma.drawing.delete({ where: { id } });
+    const deleteResult = await prisma.drawing.deleteMany({
+      where: { id, userId: req.user.id },
+    });
+    if (deleteResult.count === 0) {
+      return res.status(404).json({ error: "Drawing not found" });
+    }
     invalidateDrawingsCache();
 
     if (config.enableAuditLogging) {
@@ -375,6 +415,9 @@ export const registerDashboardRoutes = (
     const { id } = req.params;
     const original = await prisma.drawing.findFirst({ where: { id, userId: req.user.id } });
     if (!original) return res.status(404).json({ error: "Original drawing not found" });
+    if (original.collectionId === "trash") {
+      await ensureTrashCollection(prisma, req.user.id);
+    }
 
     const newDrawing = await prisma.drawing.create({
       data: {
@@ -443,10 +486,19 @@ export const registerDashboardRoutes = (
     }
 
     const sanitizedName = sanitizeText(parsed.data, 100);
-    const updatedCollection = await prisma.collection.update({
+    const updateResult = await prisma.collection.updateMany({
-      where: { id },
+      where: { id, userId: req.user.id },
       data: { name: sanitizedName },
     });
+    if (updateResult.count === 0) {
+      return res.status(404).json({ error: "Collection not found" });
+    }
+    const updatedCollection = await prisma.collection.findFirst({
+      where: { id, userId: req.user.id },
+    });
+    if (!updatedCollection) {
+      return res.status(404).json({ error: "Collection not found" });
+    }
     return res.json(updatedCollection);
   }));
 
@@ -464,7 +516,7 @@ export const registerDashboardRoutes = (
         where: { collectionId: id, userId: req.user.id },
         data: { collectionId: null },
       }),
-      prisma.collection.delete({ where: { id } }),
+      prisma.collection.deleteMany({ where: { id, userId: req.user.id } }),
     ]);
     invalidateDrawingsCache();
 

backend/src/routes/importExport.ts

@@ -131,6 +131,21 @@ const makeUniqueName = (base: string, used: Set<string>): string => {
   return candidate;
 };
 
+const findFirstDuplicate = (values: string[]): string | null => {
+  const seen = new Set<string>();
+  for (const value of values) {
+    if (seen.has(value)) return value;
+    seen.add(value);
+  }
+  return null;
+};
+
+const normalizeNonEmptyId = (value: unknown): string | null => {
+  if (typeof value !== "string") return null;
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
+};
+
 const findSqliteTable = (tables: string[], candidates: string[]): string | null => {
   const byLower = new Map(tables.map((t) => [t.toLowerCase(), t]));
   for (const candidate of candidates) {
@@ -439,6 +454,28 @@ Drawings: ${drawings.length}
           message: `Too many drawings (max ${MAX_IMPORT_DRAWINGS})`,
         });
       }
+
+      const duplicateCollectionId = findFirstDuplicate(manifest.collections.map((c) => c.id));
+      if (duplicateCollectionId) {
+        return res.status(400).json({
+          error: "Invalid backup manifest",
+          message: `Duplicate collection id in manifest: ${duplicateCollectionId}`,
+        });
+      }
+      const duplicateDrawingId = findFirstDuplicate(manifest.drawings.map((d) => d.id));
+      if (duplicateDrawingId) {
+        return res.status(400).json({
+          error: "Invalid backup manifest",
+          message: `Duplicate drawing id in manifest: ${duplicateDrawingId}`,
+        });
+      }
+      const duplicateDrawingPath = findFirstDuplicate(manifest.drawings.map((d) => d.filePath));
+      if (duplicateDrawingPath) {
+        return res.status(400).json({
+          error: "Invalid backup manifest",
+          message: `Duplicate drawing file path in manifest: ${duplicateDrawingPath}`,
+        });
+      }
       for (const drawing of manifest.drawings) {
         if (!getSafeZipEntry(zip, drawing.filePath)) {
           return res.status(400).json({
@@ -532,6 +569,28 @@ Drawings: ${drawings.length}
         });
       }
 
+      const duplicateCollectionId = findFirstDuplicate(manifest.collections.map((c) => c.id));
+      if (duplicateCollectionId) {
+        return res.status(400).json({
+          error: "Invalid backup manifest",
+          message: `Duplicate collection id in manifest: ${duplicateCollectionId}`,
+        });
+      }
+      const duplicateDrawingId = findFirstDuplicate(manifest.drawings.map((d) => d.id));
+      if (duplicateDrawingId) {
+        return res.status(400).json({
+          error: "Invalid backup manifest",
+          message: `Duplicate drawing id in manifest: ${duplicateDrawingId}`,
+        });
+      }
+      const duplicateDrawingPath = findFirstDuplicate(manifest.drawings.map((d) => d.filePath));
+      if (duplicateDrawingPath) {
+        return res.status(400).json({
+          error: "Invalid backup manifest",
+          message: `Duplicate drawing file path in manifest: ${duplicateDrawingPath}`,
+        });
+      }
+
       type PreparedImportDrawing = {
         id: string;
         name: string;
@@ -772,6 +831,31 @@ Drawings: ${drawings.length}
           });
         }
 
+        const duplicateDrawingIdRow = db
+          .prepare(
+            `SELECT id FROM "${drawingTable}" WHERE id IS NOT NULL GROUP BY id HAVING COUNT(1) > 1 LIMIT 1`
+          )
+          .get();
+        if (duplicateDrawingIdRow?.id) {
+          return res.status(400).json({
+            error: "Invalid legacy DB",
+            message: `Duplicate drawing id in legacy DB: ${String(duplicateDrawingIdRow.id)}`,
+          });
+        }
+        if (collectionTable) {
+          const duplicateCollectionIdRow = db
+            .prepare(
+              `SELECT id FROM "${collectionTable}" WHERE id IS NOT NULL GROUP BY id HAVING COUNT(1) > 1 LIMIT 1`
+            )
+            .get();
+          if (duplicateCollectionIdRow?.id) {
+            return res.status(400).json({
+              error: "Invalid legacy DB",
+              message: `Duplicate collection id in legacy DB: ${String(duplicateCollectionIdRow.id)}`,
+            });
+          }
+        }
+
         let latestMigration: string | null = null;
         const migrationsTable = findSqliteTable(tables, ["_prisma_migrations"]);
         if (migrationsTable) {
@@ -862,6 +946,28 @@ Drawings: ${drawings.length}
           });
         }
 
+        const importedCollectionIds = importedCollections
+          .map((c) => normalizeNonEmptyId(c?.id))
+          .filter((id): id is string => id !== null);
+        const duplicateCollectionId = findFirstDuplicate(importedCollectionIds);
+        if (duplicateCollectionId) {
+          return res.status(400).json({
+            error: "Invalid legacy DB",
+            message: `Duplicate collection id in legacy DB: ${duplicateCollectionId}`,
+          });
+        }
+
+        const importedDrawingIds = importedDrawings
+          .map((d) => normalizeNonEmptyId(d?.id))
+          .filter((id): id is string => id !== null);
+        const duplicateDrawingId = findFirstDuplicate(importedDrawingIds);
+        if (duplicateDrawingId) {
+          return res.status(400).json({
+            error: "Invalid legacy DB",
+            message: `Duplicate drawing id in legacy DB: ${duplicateDrawingId}`,
+          });
+        }
+
         type PreparedLegacyDrawing = {
           importedId: string | null;
           name: string;

docker-compose.prod.yml

@@ -6,7 +6,9 @@ services:
       - DATABASE_URL=file:/app/prisma/dev.db
       - PORT=8000
       - NODE_ENV=production
-      # Required for authentication: must be explicitly set to a strong secret (min 32 chars)
+      # Optional for single-instance deployments:
+      # if unset, backend auto-generates and persists one in the volume.
+      # Recommended to set explicitly for portability and multi-instance setups.
       - JWT_SECRET=${JWT_SECRET}
       # Required for horizontal scaling (k8s): uncomment and set to same value on all instances
       # - CSRF_SECRET=${CSRF_SECRET}

docker-compose.yml

@@ -8,7 +8,9 @@ services:
       - DATABASE_URL=file:/app/prisma/dev.db
       - PORT=8000
       - NODE_ENV=production
-      # Required for authentication: must be explicitly set to a strong secret (min 32 chars)
+      # Optional for single-instance deployments:
+      # if unset, backend auto-generates and persists one in the volume.
+      # Recommended to set explicitly for portability and multi-instance setups.
       - JWT_SECRET=${JWT_SECRET}
       # Required for horizontal scaling (k8s): uncomment and set to same value on all instances
       # - CSRF_SECRET=${CSRF_SECRET}

frontend/Dockerfile

@@ -7,7 +7,7 @@ WORKDIR /app/frontend
 COPY frontend/package*.json ./
 
 # Install dependencies
-RUN npm ci
+RUN npm ci && npm cache clean --force
 
 # Copy source code and config files
 COPY frontend/ ./
@@ -25,9 +25,6 @@ RUN npm run build
 # Production stage
 FROM nginx:alpine
 
-# Install envsubst (gettext) so we can template nginx config at runtime
-RUN apk add --no-cache gettext
-
 # Copy nginx config template (will be processed at runtime)
 COPY frontend/nginx.conf.template /etc/nginx/nginx.conf.template
 

frontend/docker-entrypoint.sh

@@ -7,9 +7,9 @@ export BACKEND_URL="${BACKEND_URL:-backend:8000}"
 
 echo "Configuring nginx with BACKEND_URL: ${BACKEND_URL}"
 
-# Substitute environment variables in nginx config template
+# Replace only our custom placeholder and preserve nginx runtime vars like $http_upgrade
-# Only substitute BACKEND_URL, preserve nginx variables like $http_upgrade
+ESCAPED_BACKEND_URL=$(printf '%s\n' "$BACKEND_URL" | sed 's/[\/&]/\\&/g')
-envsubst '${BACKEND_URL}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf
+sed "s/__BACKEND_URL__/${ESCAPED_BACKEND_URL}/g" /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf
 
 # Validate the generated nginx configuration before starting
 echo "Validating nginx configuration..."

frontend/nginx.conf.template

@@ -24,7 +24,7 @@ http {
         # API and WebSocket proxy to backend
         # BACKEND_URL is substituted at container startup (default: backend:8000)
         location /api/ {
-            proxy_pass http://${BACKEND_URL}/;
+            proxy_pass http://__BACKEND_URL__/;
             proxy_http_version 1.1;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection 'upgrade';
@@ -49,7 +49,7 @@ http {
 
         # WebSocket proxy for Socket.IO
         location /socket.io/ {
-            proxy_pass http://${BACKEND_URL}/socket.io/;
+            proxy_pass http://__BACKEND_URL__/socket.io/;
             proxy_http_version 1.1;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection 'upgrade';

frontend/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "frontend",
-  "version": "0.3.2",
+  "version": "0.4.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "frontend",
-      "version": "0.3.2",
+      "version": "0.4.1",
       "dependencies": {
         "@dnd-kit/core": "^6.3.1",
         "@dnd-kit/utilities": "^3.2.2",
@@ -162,7 +162,6 @@
       "integrity": "sha512-e7jT4DxYvIDLk1ZHmU/m/mB19rex9sv0c2ftBtjSBv+kVM/902eh0fINUzD7UwLLNR+jU585GxUJ8/EBfAM5fw==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@babel/code-frame": "^7.27.1",
         "@babel/generator": "^7.28.5",
@@ -517,7 +516,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=18"
       },
@@ -561,7 +559,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=18"
       }
@@ -2612,7 +2609,8 @@
       "resolved": "https://registry.npmjs.org/@types/aria-query/-/aria-query-5.0.4.tgz",
       "integrity": "sha512-rfT93uj5s0PRL7EzccGMs3brplhcrghnDoV26NqKhCAS1hVo+WdNsPvE/yb6ilfr5hi2MEk6d5EWJTKdxg8jVw==",
       "dev": true,
-      "license": "MIT"
+      "license": "MIT",
+      "peer": true
     },
     "node_modules/@types/babel__core": {
       "version": "7.20.5",
@@ -2777,7 +2775,6 @@
       "integrity": "sha512-V0kuGBX3+prX+DQ/7r2qsv1NsdfnCLnTgnRJ1pYnxykBhGMz+qj+box5lq7XsO5mtZsBqpjwwTu/7wszPfMBcw==",
       "devOptional": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@types/prop-types": "*",
         "csstype": "^3.0.2"
@@ -2789,7 +2786,6 @@
       "integrity": "sha512-qW1Mfv8taImTthu4KoXgDfLuk4bydU6Q/TkADnDWWHwi4NX4BR+LWfTp2sVmTqRrsHvyDDTelgelxJ+SsejKKQ==",
       "devOptional": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@types/react": "*"
       }
@@ -2860,7 +2856,6 @@
       "integrity": "sha512-lJi3PfxVmo0AkEY93ecfN+r8SofEqZNGByvHAI3GBLrvt1Cw6H5k1IM02nSzu0RfUafr2EvFSw0wAsZgubNplQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@typescript-eslint/scope-manager": "8.47.0",
         "@typescript-eslint/types": "8.47.0",
@@ -3224,7 +3219,6 @@
       "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -3275,6 +3269,7 @@
       "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=8"
       }
@@ -3504,7 +3499,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "baseline-browser-mapping": "^2.8.25",
         "caniuse-lite": "^1.0.30001754",
@@ -3840,7 +3834,6 @@
       "resolved": "https://registry.npmjs.org/cytoscape/-/cytoscape-3.33.1.tgz",
       "integrity": "sha512-iJc4TwyANnOGR1OmWhsS9ayRS3s+XQ185FmuHObThD+5AeJCakAAbWv8KimMTt08xCCLNgneQwFp+JRJOr9qGQ==",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=0.10"
       }
@@ -4214,7 +4207,6 @@
       "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-3.0.0.tgz",
       "integrity": "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ==",
       "license": "ISC",
-      "peer": true,
       "engines": {
         "node": ">=12"
       }
@@ -4454,7 +4446,8 @@
       "resolved": "https://registry.npmjs.org/dom-accessibility-api/-/dom-accessibility-api-0.5.16.tgz",
       "integrity": "sha512-X7BJ2yElsnOJ30pZF4uIIDfBEVgF4XEBxL9Bxhy6dnrm5hkzqmsWHGTiHqRiITNhMyFLyAiWndIJP7Z1NTteDg==",
       "dev": true,
-      "license": "MIT"
+      "license": "MIT",
+      "peer": true
     },
     "node_modules/dompurify": {
       "version": "3.1.6",
@@ -4673,7 +4666,6 @@
       "integrity": "sha512-BhHmn2yNOFA9H9JmmIVKJmd288g9hrVRDkdoIgRCRuSySRUHH7r/DI6aAXW9T1WwUuY3DFgrcaqB+deURBLR5g==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.8.0",
         "@eslint-community/regexpp": "^4.12.1",
@@ -5507,7 +5499,6 @@
       "resolved": "https://registry.npmjs.org/jotai/-/jotai-2.11.0.tgz",
       "integrity": "sha512-zKfoBBD1uDw3rljwHkt0fWuja1B76R7CjznuBO+mSX6jpsO1EBeWNRKpeaQho9yPI/pvCv4recGfgOXGxwPZvQ==",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12.20.0"
       },
@@ -5855,6 +5846,7 @@
       "integrity": "sha512-h5bgJWpxJNswbU7qCrV0tIKQCaS3blPDrqKWx+QxzuzL1zGUzij9XCWLrSLsJPu5t+eWA/ycetzYAO5IOMcWAQ==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "bin": {
         "lz-string": "bin/bin.js"
       }
@@ -6884,7 +6876,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "nanoid": "^3.3.7",
         "picocolors": "^1.0.0",
@@ -7050,6 +7041,7 @@
       "integrity": "sha512-Qb1gy5OrP5+zDf2Bvnzdl3jsTf1qXVMazbvCoKhtKqVs4/YK4ozX4gKQJJVyNe+cajNPn0KoC0MC3FUmaHWEmQ==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "ansi-regex": "^5.0.1",
         "ansi-styles": "^5.0.0",
@@ -7065,6 +7057,7 @@
       "integrity": "sha512-Cxwpt2SfTzTtXcfOlzGEee8O+c+MmUgGrNiBcXnuWxuFJHe6a5Hz7qwhwe5OgaSYI0IJvkLqWX1ASG+cJOkEiA==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=10"
       },
@@ -7120,7 +7113,6 @@
       "resolved": "https://registry.npmjs.org/react/-/react-18.3.1.tgz",
       "integrity": "sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "loose-envify": "^1.1.0"
       },
@@ -7133,7 +7125,6 @@
       "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-18.3.1.tgz",
       "integrity": "sha512-5m4nQKp+rZRb09LNH59GM4BxTh9251/ylbKIbpe7TpGxfJ+9kv6BLkLBXIjjspbgbnIBNqlI23tRnTWT0snUIw==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "loose-envify": "^1.1.0",
         "scheduler": "^0.23.2"
@@ -7147,7 +7138,8 @@
       "resolved": "https://registry.npmjs.org/react-is/-/react-is-17.0.2.tgz",
       "integrity": "sha512-w2GsyukL62IJnlaff/nRegPQR94C/XXamvMWmSHRJ4y7Ts/4ocGRmTHvOs8PSE6pB3dWOrD/nueuU5sduBsQ4w==",
       "dev": true,
-      "license": "MIT"
+      "license": "MIT",
+      "peer": true
     },
     "node_modules/react-refresh": {
       "version": "0.18.0",
@@ -7862,7 +7854,6 @@
       "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -8001,7 +7992,6 @@
       "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
       "dev": true,
       "license": "Apache-2.0",
-      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -8191,7 +8181,6 @@
       "integrity": "sha512-BxAKBWmIbrDgrokdGZH1IgkIk/5mMHDreLDmCJ0qpyJaAteP8NvMhkwr/ZCQNqNH97bw/dANTE9PDzqwJghfMQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "esbuild": "^0.25.0",
         "fdir": "^6.5.0",
@@ -8285,7 +8274,6 @@
       "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },
@@ -8612,7 +8600,6 @@
       "integrity": "sha512-JInaHOamG8pt5+Ey8kGmdcAcg3OL9reK8ltczgHTAwNhMys/6ThXHityHxVV2p3fkw/c+MAvBHFVYHFZDmjMCQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "funding": {
         "url": "https://github.com/sponsors/colinhacks"
       }

frontend/package.json

@@ -1,7 +1,7 @@
 {
   "name": "frontend",
   "private": true,
-  "version": "0.4.0",
+  "version": "0.4.6",
   "type": "module",
   "scripts": {
     "dev": "vite --port 6767",

frontend/src/api/index.ts

@@ -340,8 +340,8 @@ export const createDrawing = async (
 };
 
 export const updateDrawing = async (id: string, data: Partial<Drawing>) => {
-  const response = await api.put<{ success: true }>(`/drawings/${id}`, data);
+  const response = await api.put<Drawing>(`/drawings/${id}`, data);
-  return response.data;
+  return deserializeDrawing(response.data);
 };
 
 export const deleteDrawing = async (id: string) => {

frontend/src/components/Layout.test.tsx

@@ -0,0 +1,60 @@
+import { fireEvent, render, screen } from "@testing-library/react";
+import { MemoryRouter } from "react-router-dom";
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("./Sidebar", () => ({
+  Sidebar: () => <div data-testid="sidebar">sidebar</div>,
+}));
+
+vi.mock("./Logo", () => ({
+  Logo: () => <div data-testid="logo">logo</div>,
+}));
+
+vi.mock("./UploadStatus", () => ({
+  UploadStatus: () => <div data-testid="upload-status">upload-status</div>,
+}));
+
+import { Layout } from "./Layout";
+
+describe("Layout", () => {
+  it("removes active resize listeners on unmount", () => {
+    const addSpy = vi.spyOn(document, "addEventListener");
+    const removeSpy = vi.spyOn(document, "removeEventListener");
+
+    const { unmount } = render(
+      <MemoryRouter>
+        <Layout
+          collections={[]}
+          selectedCollectionId={undefined}
+          onSelectCollection={() => {}}
+          onCreateCollection={() => {}}
+          onEditCollection={() => {}}
+          onDeleteCollection={() => {}}
+        >
+          <div>content</div>
+        </Layout>
+      </MemoryRouter>
+    );
+
+    fireEvent.mouseDown(screen.getByTitle("Drag to resize sidebar"));
+
+    const mouseMoveAdd = addSpy.mock.calls.find(([event]) => event === "mousemove");
+    const mouseUpAdd = addSpy.mock.calls.find(([event]) => event === "mouseup");
+
+    expect(mouseMoveAdd?.[1]).toBeTypeOf("function");
+    expect(mouseUpAdd?.[1]).toBeTypeOf("function");
+
+    unmount();
+
+    expect(
+      removeSpy.mock.calls.some(
+        ([event, handler]) => event === "mousemove" && handler === mouseMoveAdd?.[1]
+      )
+    ).toBe(true);
+    expect(
+      removeSpy.mock.calls.some(
+        ([event, handler]) => event === "mouseup" && handler === mouseUpAdd?.[1]
+      )
+    ).toBe(true);
+  });
+});

frontend/src/components/Layout.tsx

@@ -2,6 +2,7 @@ import React, { useState, useRef, useEffect } from 'react';
 import { useLocation } from 'react-router-dom';
 import { Menu, X } from 'lucide-react';
 import { Sidebar } from './Sidebar';
+import { Logo } from './Logo';
 import { UploadStatus } from './UploadStatus';
 import type { Collection } from '../types';
 import clsx from 'clsx';
@@ -35,6 +36,8 @@ export const Layout: React.FC<LayoutProps> = ({
   const sidebarRef = useRef<HTMLDivElement>(null);
   const startXRef = useRef(0);
   const startWidthRef = useRef(0);
+  const resizeMouseMoveHandlerRef = useRef<((e: MouseEvent) => void) | null>(null);
+  const resizeMouseUpHandlerRef = useRef<(() => void) | null>(null);
 
   // Handle mouse down on resize handle
   const handleMouseDown = (e: React.MouseEvent) => {
@@ -43,6 +46,13 @@ export const Layout: React.FC<LayoutProps> = ({
     startXRef.current = e.clientX;
     startWidthRef.current = sidebarWidth;
 
+    if (resizeMouseMoveHandlerRef.current) {
+      document.removeEventListener('mousemove', resizeMouseMoveHandlerRef.current);
+    }
+    if (resizeMouseUpHandlerRef.current) {
+      document.removeEventListener('mouseup', resizeMouseUpHandlerRef.current);
+    }
+
     const handleMouseMove = (e: MouseEvent) => {
       const diff = e.clientX - startXRef.current;
       const newWidth = Math.max(200, Math.min(600, startWidthRef.current + diff));
@@ -53,8 +63,12 @@ export const Layout: React.FC<LayoutProps> = ({
       setIsResizing(false);
       document.removeEventListener('mousemove', handleMouseMove);
       document.removeEventListener('mouseup', handleMouseUp);
+      resizeMouseMoveHandlerRef.current = null;
+      resizeMouseUpHandlerRef.current = null;
     };
 
+    resizeMouseMoveHandlerRef.current = handleMouseMove;
+    resizeMouseUpHandlerRef.current = handleMouseUp;
     document.addEventListener('mousemove', handleMouseMove);
     document.addEventListener('mouseup', handleMouseUp);
   };
@@ -62,8 +76,14 @@ export const Layout: React.FC<LayoutProps> = ({
   // Cleanup event listeners on unmount
   useEffect(() => {
     return () => {
-      document.removeEventListener('mousemove', () => {});
+      if (resizeMouseMoveHandlerRef.current) {
-      document.removeEventListener('mouseup', () => {});
+        document.removeEventListener('mousemove', resizeMouseMoveHandlerRef.current);
+        resizeMouseMoveHandlerRef.current = null;
+      }
+      if (resizeMouseUpHandlerRef.current) {
+        document.removeEventListener('mouseup', resizeMouseUpHandlerRef.current);
+        resizeMouseUpHandlerRef.current = null;
+      }
     };
   }, []);
 
@@ -89,16 +109,22 @@ export const Layout: React.FC<LayoutProps> = ({
       {isMobile ? (
         <div className="relative h-full min-w-0">
           <main className="h-full min-w-0 bg-white/40 dark:bg-neutral-900/40 backdrop-blur-sm rounded-2xl border border-white/50 dark:border-neutral-800/50 shadow-sm transition-colors duration-200 overflow-hidden flex flex-col">
-            <div className="px-3 pt-3 flex-shrink-0">
+            <div className="h-16 flex-shrink-0 flex items-center px-4 border-b border-black/5 dark:border-white/5 bg-white/50 dark:bg-neutral-900/50 backdrop-blur-md">
               <button
                 type="button"
                 onClick={() => setIsSidebarOpen(v => !v)}
-                className="inline-flex items-center justify-center h-11 w-11 rounded-xl border-2 border-black dark:border-neutral-700 bg-white/90 dark:bg-neutral-900/90 shadow-[2px_2px_0px_0px_rgba(0,0,0,1)] dark:shadow-[2px_2px_0px_0px_rgba(255,255,255,0.2)] backdrop-blur-sm text-slate-900 dark:text-neutral-200 hover:-translate-y-0.5 transition-all"
+                className="inline-flex items-center justify-center h-11 w-11 rounded-xl border-2 border-black dark:border-neutral-700 bg-white/90 dark:bg-neutral-900/90 shadow-[2px_2px_0px_0px_rgba(0,0,0,1)] dark:shadow-[2px_2px_0px_0px_rgba(255,255,255,0.2)] text-slate-900 dark:text-neutral-200 hover:-translate-y-0.5 transition-all active:translate-y-0 active:shadow-none"
                 title={isSidebarOpen ? 'Close menu' : 'Open menu'}
                 aria-label={isSidebarOpen ? 'Close menu' : 'Open menu'}
               >
                 {isSidebarOpen ? <X size={20} /> : <Menu size={20} />}
               </button>
+
+              <div className="ml-auto flex items-center gap-2">
+                <Logo className="w-8 h-8" />
+                <span className="text-xl text-slate-900 dark:text-white mt-1" style={{ fontFamily: 'Excalifont' }}>ExcaliDash</span>
+                <span className="text-[10px] font-bold text-red-500 mt-2" style={{ fontFamily: 'sans-serif' }}>BETA</span>
+              </div>
             </div>
 
             <div className="flex-1 min-w-0 overflow-y-auto">

frontend/src/context/AuthContext.test.tsx

@@ -0,0 +1,48 @@
+import { render, screen, waitFor } from "@testing-library/react";
+import axios from "axios";
+import { MemoryRouter } from "react-router-dom";
+import { describe, expect, it, vi } from "vitest";
+import { AuthProvider, useAuth } from "./AuthContext";
+
+const Probe = () => {
+  const { loading, authEnabled } = useAuth();
+  return (
+    <div>
+      <span data-testid="loading">{String(loading)}</span>
+      <span data-testid="auth-enabled">{String(authEnabled)}</span>
+    </div>
+  );
+};
+
+describe("AuthProvider", () => {
+  it("defaults to auth-enabled mode if /auth/status fails", async () => {
+    const storage = new Map<string, string>();
+    Object.defineProperty(window, "localStorage", {
+      configurable: true,
+      value: {
+        getItem: (key: string) => storage.get(key) ?? null,
+        setItem: (key: string, value: string) => {
+          storage.set(key, value);
+        },
+        removeItem: (key: string) => {
+          storage.delete(key);
+        },
+      },
+    });
+
+    vi.spyOn(axios, "get").mockRejectedValueOnce(new Error("network down"));
+
+    render(
+      <MemoryRouter>
+        <AuthProvider>
+          <Probe />
+        </AuthProvider>
+      </MemoryRouter>
+    );
+
+    await waitFor(() => {
+      expect(screen.getByTestId("loading").textContent).toBe("false");
+    });
+    expect(screen.getByTestId("auth-enabled").textContent).toBe("true");
+  });
+});

frontend/src/context/AuthContext.tsx

@@ -60,12 +60,10 @@ export const AuthProvider: React.FC<{ children: ReactNode }> = ({ children }) =>
             return;
           }
         } catch {
-          // If status fails (backend down / schema mismatch), avoid locking the UI
+          // If status fails, default to auth-enabled mode to avoid exposing
-          // behind login. Backend still enforces auth when enabled.
+          // single-user UI paths accidentally. Backend remains the source of truth.
-          setAuthEnabled(false);
+          setAuthEnabled(true);
           setBootstrapRequired(false);
-          setUser(null);
-          return;
         }
 
         const storedUser = localStorage.getItem(USER_KEY);

frontend/src/pages/Dashboard.tsx

@@ -11,6 +11,7 @@ import clsx from 'clsx';
 import { ConfirmModal } from '../components/ConfirmModal';
 import { useUpload } from '../context/UploadContext';
 import { DragOverlayPortal, getSelectionBounds, type Point, type SelectionBounds } from './dashboard/shared';
+import { isLatestRequest, mergeUniqueDrawings } from './dashboard/pagination';
 
 const PAGE_SIZE = 24;
 
@@ -73,12 +74,14 @@ export const Dashboard: React.FC = () => {
   });
 
   const [isLoading, setIsLoading] = useState(false);
+  const listRequestVersionRef = useRef(0);
 
   const { uploadFiles } = useUpload();
 
   const hasMore = drawings.length < totalCount;
 
   const refreshData = useCallback(async () => {
+    const requestVersion = ++listRequestVersionRef.current;
     setIsLoading(true);
     try {
       const [drawingsRes, collectionsData] = await Promise.all([
@@ -90,6 +93,7 @@ export const Dashboard: React.FC = () => {
         }),
         api.getCollections()
       ]);
+      if (!isLatestRequest(requestVersion, listRequestVersionRef.current)) return;
       setDrawings(drawingsRes.drawings);
       setTotalCount(drawingsRes.totalCount);
       setCollections(collectionsData);
@@ -97,12 +101,15 @@ export const Dashboard: React.FC = () => {
     } catch (err) {
       console.error('Failed to fetch data:', err);
     } finally {
+      if (isLatestRequest(requestVersion, listRequestVersionRef.current)) {
         setIsLoading(false);
       }
+    }
   }, [debouncedSearch, selectedCollectionId, sortConfig.field, sortConfig.direction]);
 
   const fetchMore = useCallback(async () => {
     if (isFetchingMore || !hasMore || isLoading) return;
+    const requestVersion = listRequestVersionRef.current;
     setIsFetchingMore(true);
     try {
       const drawingsRes = await api.getDrawings(debouncedSearch, selectedCollectionId, {
@@ -111,7 +118,8 @@ export const Dashboard: React.FC = () => {
         sortField: sortConfig.field,
         sortDirection: sortConfig.direction,
       });
-      setDrawings(prev => [...prev, ...drawingsRes.drawings]);
+      if (!isLatestRequest(requestVersion, listRequestVersionRef.current)) return;
+      setDrawings(prev => mergeUniqueDrawings(prev, drawingsRes.drawings));
       setTotalCount(drawingsRes.totalCount);
     } catch (err) {
       console.error('Failed to fetch more data:', err);