From 0bb0975a09b3d7a9a3d1fbb0ee5d87f63b6cc4c2 Mon Sep 17 00:00:00 2001
From: "thomas.kopp" <thomas.kopp@tueit.de>
Date: Wed, 1 Apr 2026 14:09:23 +0200
Subject: [PATCH] docs: add transcript modal + delete implementation plan

---
 .../2026-04-01-transcript-modal-delete.md     | 383 ++++++++++++++++++
 1 file changed, 383 insertions(+)
 create mode 100644 docs/plans/2026-04-01-transcript-modal-delete.md

diff --git a/docs/plans/2026-04-01-transcript-modal-delete.md b/docs/plans/2026-04-01-transcript-modal-delete.md
new file mode 100644
index 0000000..cccfda6
--- /dev/null
+++ b/docs/plans/2026-04-01-transcript-modal-delete.md
@@ -0,0 +1,383 @@
+# Transcript Modal & Delete Implementation Plan
+
+> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.
+
+**Goal:** Add transcript delete and a markdown-rendering modal viewer, removing the existing preview section.
+
+**Architecture:** Two new REST endpoints (GET + DELETE `/transcripts/{filename}`) with path-confinement security. Frontend gains a full-screen modal using marked.js + DOMPurify for safe rendering; the static preview div is removed entirely. Each list item gets a trash icon that stops event propagation so it doesn't trigger the modal.
+
+**Tech Stack:** FastAPI (existing), marked.js 14 + DOMPurify 3 via CDN, vanilla JS/CSS (no new build step)
+
+---
+
+### Task 1: Backend — GET /transcripts/{filename}
+
+**Files:**
+- Modify: `api/router.py`
+- Modify: `output.py`
+- Test: `tests/test_api.py`
+
+**Step 1: Write the failing test**
+
+Add to `tests/test_api.py`:
+
+```python
+def test_get_transcript_returns_content(tmp_path, monkeypatch):
+    f = tmp_path / "2026-01-01-0900-test.md"
+    f.write_text("# Hello\n\ncontent here\n")
+    from unittest.mock import patch
+    with patch("api.router.current_user", return_value={"username": "", "output_dir": str(tmp_path), "is_admin": False}):
+        from fastapi.testclient import TestClient
+        from main import app
+        client = TestClient(app)
+        r = client.get("/transcripts/2026-01-01-0900-test.md",
+                       headers={"Authorization": "Bearer fake"})
+        assert r.status_code == 200
+        assert "Hello" in r.text
+
+def test_get_transcript_rejects_path_traversal(tmp_path):
+    from unittest.mock import patch
+    with patch("api.router.current_user", return_value={"username": "", "output_dir": str(tmp_path), "is_admin": False}):
+        from fastapi.testclient import TestClient
+        from main import app
+        client = TestClient(app)
+        r = client.get("/transcripts/..%2Fsecret.md",
+                       headers={"Authorization": "Bearer fake"})
+        assert r.status_code == 404
+```
+
+**Step 2: Run to verify it fails**
+
+```bash
+pytest tests/test_api.py::test_get_transcript_returns_content tests/test_api.py::test_get_transcript_rejects_path_traversal -v
+```
+Expected: FAIL — 404 or 405 (route doesn't exist yet)
+
+**Step 3: Add `read_transcript` to `output.py`**
+
+```python
+def read_transcript(output_dir: str, filename: str) -> str | None:
+    """Return file content if filename is a plain .md file inside output_dir."""
+    if os.path.basename(filename) != filename or not filename.endswith(".md"):
+        return None
+    path = os.path.join(output_dir, filename)
+    if not os.path.exists(path):
+        return None
+    with open(path, encoding="utf-8") as f:
+        return f.read()
+```
+
+**Step 4: Add GET endpoint to `api/router.py`**
+
+Add after the existing `get_transcripts` endpoint:
+
+```python
+@router.get("/transcripts/{filename}")
+async def get_transcript(filename: str, user: dict = Depends(current_user)):
+    from output import read_transcript
+    from fastapi.responses import PlainTextResponse
+    user_dir = os.path.join(user["output_dir"], user["username"])
+    content = read_transcript(user_dir, filename)
+    if content is None:
+        raise HTTPException(status_code=404, detail="Nicht gefunden")
+    return PlainTextResponse(content)
+```
+
+**Step 5: Run tests**
+
+```bash
+pytest tests/test_api.py::test_get_transcript_returns_content tests/test_api.py::test_get_transcript_rejects_path_traversal -v
+```
+Expected: PASS
+
+**Step 6: Commit**
+
+```bash
+git add output.py api/router.py tests/test_api.py
+git commit -m "feat: GET /transcripts/{filename} — serve transcript content"
+```
+
+---
+
+### Task 2: Backend — DELETE /transcripts/{filename}
+
+**Files:**
+- Modify: `api/router.py`
+- Test: `tests/test_api.py`
+
+**Step 1: Write the failing tests**
+
+Add to `tests/test_api.py`:
+
+```python
+def test_delete_transcript_removes_file(tmp_path):
+    f = tmp_path / "2026-01-01-0900-test.md"
+    f.write_text("content")
+    from unittest.mock import patch
+    with patch("api.router.current_user", return_value={"username": "", "output_dir": str(tmp_path), "is_admin": False}):
+        from fastapi.testclient import TestClient
+        from main import app
+        client = TestClient(app)
+        r = client.delete("/transcripts/2026-01-01-0900-test.md",
+                          headers={"Authorization": "Bearer fake"})
+        assert r.status_code == 200
+        assert not f.exists()
+
+def test_delete_transcript_rejects_path_traversal(tmp_path):
+    from unittest.mock import patch
+    with patch("api.router.current_user", return_value={"username": "", "output_dir": str(tmp_path), "is_admin": False}):
+        from fastapi.testclient import TestClient
+        from main import app
+        client = TestClient(app)
+        r = client.delete("/transcripts/..%2Fsecret.md",
+                          headers={"Authorization": "Bearer fake"})
+        assert r.status_code == 404
+```
+
+**Step 2: Run to verify they fail**
+
+```bash
+pytest tests/test_api.py::test_delete_transcript_removes_file tests/test_api.py::test_delete_transcript_rejects_path_traversal -v
+```
+Expected: FAIL — route doesn't exist
+
+**Step 3: Add DELETE endpoint to `api/router.py`**
+
+```python
+@router.delete("/transcripts/{filename}")
+async def delete_transcript(filename: str, user: dict = Depends(current_user)):
+    user_dir = os.path.join(user["output_dir"], user["username"])
+    if os.path.basename(filename) != filename or not filename.endswith(".md"):
+        raise HTTPException(status_code=404, detail="Nicht gefunden")
+    path = os.path.join(user_dir, filename)
+    if not os.path.exists(path):
+        raise HTTPException(status_code=404, detail="Nicht gefunden")
+    os.unlink(path)
+    return {"ok": True}
+```
+
+**Step 4: Run tests**
+
+```bash
+pytest tests/test_api.py::test_delete_transcript_removes_file tests/test_api.py::test_delete_transcript_rejects_path_traversal -v
+```
+Expected: PASS
+
+**Step 5: Commit**
+
+```bash
+git add api/router.py tests/test_api.py
+git commit -m "feat: DELETE /transcripts/{filename} — delete transcript with path-confinement check"
+```
+
+---
+
+### Task 3: Frontend — Remove preview section, add modal + marked.js + DOMPurify
+
+**Files:**
+- Modify: `frontend/index.html`
+- Modify: `frontend/app.js`
+
+No automated tests; manual verification checklist at end.
+
+**Step 1: Remove preview section from `index.html`**
+
+Delete this block from `<main>`:
+
+```html
+    <section class="preview-section">
+      <label>Vorschau</label>
+      <div id="preview">Noch keine Aufnahme verarbeitet.</div>
+    </section>
+```
+
+Delete these CSS rules (search for them by selector):
+- `.preview-section`
+- `#preview`
+- `#preview.has-content`
+
+**Step 2: Add script tags — replace existing `<script src="/app.js">` line**
+
+```html
+  <script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
+  <script src="https://cdn.jsdelivr.net/npm/dompurify/dist/purify.min.js"></script>
+  <script src="/app.js"></script>
+```
+
+**Step 3: Add modal HTML + CSS**
+
+Add this block inside `<main>` before `</main>` closing tag (it's a fixed overlay, position doesn't matter):
+
+```html
+  <div id="modal" class="modal hidden" role="dialog" aria-modal="true">
+    <div class="modal-backdrop"></div>
+    <div class="modal-panel">
+      <div class="modal-header">
+        <span id="modal-title" class="modal-title"></span>
+        <div class="modal-actions">
+          <button id="modal-open-btn" class="modal-btn" title="Im Editor öffnen">
+            <svg width="16" height="16" viewBox="0 0 24 24" fill="currentColor">
+              <path d="M14 3h7v7h-2V6.41l-9.29 9.3-1.42-1.42L17.59 5H14V3zm-1 2H5a2 2 0 0 0-2 2v12a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2v-8h-2v8H5V7h8V5z"/>
+            </svg>
+          </button>
+          <button id="modal-close-btn" class="modal-btn" title="Schließen">✕</button>
+        </div>
+      </div>
+      <div id="modal-body" class="modal-body"></div>
+    </div>
+  </div>
+```
+
+Add CSS inside `<style>`:
+
+```css
+    .modal { position: fixed; inset: 0; z-index: 100; display: flex; align-items: center; justify-content: center; }
+    .modal.hidden { display: none; }
+    .modal-backdrop { position: absolute; inset: 0; background: rgba(0,0,0,0.7); }
+    .modal-panel {
+      position: relative; z-index: 1;
+      background: var(--surface); border: 1px solid var(--border); border-radius: 10px;
+      width: min(800px, 95vw); max-height: 85vh;
+      display: flex; flex-direction: column;
+    }
+    .modal-header {
+      display: flex; align-items: center; justify-content: space-between;
+      padding: 14px 18px; border-bottom: 1px solid var(--border);
+      flex-shrink: 0;
+    }
+    .modal-title { font-size: 0.9rem; font-weight: 600; }
+    .modal-actions { display: flex; gap: 8px; }
+    .modal-btn {
+      background: none; border: 1px solid var(--border); color: var(--muted);
+      border-radius: 6px; padding: 4px 8px; cursor: pointer; font-family: inherit;
+      font-size: 0.85rem; display: flex; align-items: center;
+      transition: border-color 0.15s, color 0.15s;
+    }
+    .modal-btn:hover { border-color: var(--red); color: var(--red); }
+    .modal-body {
+      padding: 20px 24px; overflow-y: auto; flex: 1;
+      font-size: 0.9rem; line-height: 1.7; color: var(--text);
+    }
+    .modal-body h1,.modal-body h2,.modal-body h3 { margin: 1em 0 0.4em; font-weight: 600; }
+    .modal-body h1 { font-size: 1.3rem; }
+    .modal-body h2 { font-size: 1.1rem; }
+    .modal-body p { margin: 0 0 0.8em; }
+    .modal-body ul,.modal-body ol { padding-left: 1.5em; margin: 0 0 0.8em; }
+    .modal-body code { background: var(--surface2); padding: 2px 5px; border-radius: 3px; font-size: 0.85em; }
+    .modal-body pre { background: var(--surface2); padding: 12px; border-radius: 6px; overflow-x: auto; margin: 0 0 0.8em; }
+    .modal-body pre code { background: none; padding: 0; }
+    .modal-body hr { border: none; border-top: 1px solid var(--border); margin: 1em 0; }
+    .del-btn {
+      background: none; border: none; color: var(--muted); cursor: pointer;
+      padding: 4px; border-radius: 4px; display: flex; align-items: center;
+      transition: color 0.15s; flex-shrink: 0;
+    }
+    .del-btn:hover { color: var(--red); }
+```
+
+**Step 4: Update `app.js`**
+
+Remove these variable declarations at the top:
+```javascript
+const preview = document.getElementById('preview');
+```
+
+Add these variable declarations at the top:
+```javascript
+const modal = document.getElementById('modal');
+const modalTitle = document.getElementById('modal-title');
+const modalBody = document.getElementById('modal-body');
+const modalOpenBtn = document.getElementById('modal-open-btn');
+const modalCloseBtn = document.getElementById('modal-close-btn');
+let _modalPath = null;
+```
+
+Add these functions and event listeners (after the `logoutBtn` listener):
+```javascript
+function openModal(filename, path) {
+  _modalPath = path;
+  modalTitle.textContent = filename.replace(/\.md$/, '').replace(/^\d{4}-\d{2}-\d{2}-\d{4}-/, '');
+  modalBody.innerHTML = '';
+  modal.classList.remove('hidden');
+  apiFetch(`/transcripts/${encodeURIComponent(filename)}`)
+    .then(r => r.text())
+    .then(md => {
+      modalBody.innerHTML = DOMPurify.sanitize(marked.parse(md));
+    });
+}
+
+function closeModal() {
+  modal.classList.add('hidden');
+  _modalPath = null;
+}
+
+modalCloseBtn.addEventListener('click', closeModal);
+modal.querySelector('.modal-backdrop').addEventListener('click', closeModal);
+document.addEventListener('keydown', e => { if (e.key === 'Escape') closeModal(); });
+modalOpenBtn.addEventListener('click', () => {
+  if (_modalPath) apiFetch('/open', { method: 'POST', body: JSON.stringify({ path: _modalPath }) });
+});
+```
+
+In `loadTranscripts`, replace the existing `div.addEventListener` block and the `div.append(name, meta)` line with:
+
+```javascript
+      div.addEventListener('click', () => openModal(t.filename, t.path));
+
+      const delBtn = document.createElement('button');
+      delBtn.className = 'del-btn';
+      delBtn.title = 'Löschen';
+      delBtn.innerHTML = '<svg width="14" height="14" viewBox="0 0 24 24" fill="currentColor"><path d="M9 3h6l1 1h4v2H4V4h4l1-1zm-3 5h12l-1 13H7L6 8zm5 2v9h2v-9h-2zm-3 0v9h2v-9H8zm8 0v9h2v-9h-2z"/></svg>';
+      delBtn.addEventListener('click', async (e) => {
+        e.stopPropagation();
+        await apiFetch(`/transcripts/${encodeURIComponent(t.filename)}`, { method: 'DELETE' });
+        loadTranscripts();
+      });
+
+      div.append(name, meta, delBtn);
+```
+
+Remove the WS handler block that references preview:
+```javascript
+    if (msg.event === 'transcribed' || msg.event === 'refined') {
+      const text = msg.raw || msg.markdown || '';
+      preview.textContent = text;
+      preview.classList.add('has-content');
+    }
+```
+
+Also remove the `setStatus('idle')` + `preview.*` lines from the click handler's `reset` branch — keep only the `setStatus('idle')` call.
+
+**Step 5: Manual verification checklist**
+
+Restart app (`kill $(pgrep -f main.py) && .venv/bin/python main.py &`), open browser:
+
+- [ ] No "Vorschau" section visible
+- [ ] Clicking a transcript item opens modal with rendered markdown
+- [ ] Title in modal header shows human-readable name (date prefix stripped)
+- [ ] Clicking backdrop or ✕ closes modal
+- [ ] Pressing Escape closes modal
+- [ ] "Im Editor öffnen" triggers xdg-open
+- [ ] Trash icon deletes file and refreshes list
+- [ ] Trash click does NOT open the modal
+
+**Step 6: Commit**
+
+```bash
+git add frontend/index.html frontend/app.js
+git commit -m "feat: transcript modal with markdown rendering, delete button, remove preview section"
+```
+
+---
+
+### Task 4: Run full test suite
+
+```bash
+pytest -v
+```
+
+Expected: all tests pass. Fix any regressions before pushing.
+
+```bash
+git push
+```