Merge pull request #86 from markrai/feat/introduce-mermaid

Feat/introduce mermaid

Author: markrai

CHANGELOG.md

@@ -1,6 +1,34 @@
 # Changelog
 
-> **Upgrades:** No breaking changes in **3.7.x** / **3.8.x** / **3.9.x** / **3.10.x** / **3.11.x** / **3.12.x** / **3.13.x** / **3.14.x** / **3.15.x** / **3.16.x** unless noted below.
+> **Upgrades:** No breaking changes in **3.7.x** / **3.8.x** / **3.9.x** / **3.10.x** / **3.11.x** / **3.12.x** / **3.13.x** / **3.14.x** / **3.15.x** / **3.16.x** / **3.17.x** unless noted below.
+
+## [3.17.0] - 2026-05-28
+
+### Features
+
+- **Todo notes Mermaid preview (Phase 1B)** - Optional Mermaid rendering for fenced ` ```mermaid ` blocks inside the existing todo Notes **preview** tab. Mermaid stays preview-only: notes still persist as raw `todos.body`, and board cards, notifications, exports, and server payloads do not render Markdown or diagrams.
+
+### Improvements
+
+- **Layered feature gates** - Added **`SCRUMBOY_MERMAID_NOTES_ENABLED`** as a Markdown sub-flag. Mermaid is active only when both **`SCRUMBOY_MARKDOWN_NOTES_ENABLED=1`** and **`SCRUMBOY_MERMAID_NOTES_ENABLED=1`** are set.
+
+- **Preview safety** - Mermaid lazy-loads from a vendored runtime, initializes once with **`securityLevel: "sandbox"`**, strips user `%%{init: ...}%%` / `%%{initialize: ...}%%` directives before render, and falls back to escaped source for diagram-specific failures instead of dropping the user out of preview mode.
+
+### Frontend
+
+- **Markdown preview pipeline** - Mermaid fence placeholders are resolved after the existing Markdown sanitization step, keeping the normal allow-list unchanged for non-Mermaid Markdown.
+
+- **Runtime loading** - Ships **`/vendor/mermaid.min.js`** through the vendor sync/verify pipeline, but does not eagerly load or service-worker precache Mermaid.
+
+### Tests
+
+- **Server/config** - Added coverage for **`SCRUMBOY_MERMAID_NOTES_ENABLED`** parsing and **`mermaidNotesEnabled`** on auth status responses.
+
+- **Preview rendering** - Added Mermaid fence rendering, directive stripping, fallback behavior, and stale async rerender cancellation coverage.
+
+### Documentation
+
+- **Operator docs** - Updated **`docs/markdown&mermaid.md`**, **`FAQ.md`**, and **`scrumboy.env.example`** for Markdown + Mermaid preview enablement.
 
 ## [3.16.2] - 2026-05-26
 

FAQ.md

@@ -3,6 +3,7 @@
 ## Contents
 
 - [How do I enable Markdown in my notes?](#how-do-i-enable-markdown-in-my-notes)
+- [How do I enable Mermaid diagrams in my notes?](#how-do-i-enable-mermaid-diagrams-in-my-notes)
 - [How do I edit several todos at once?](#how-do-i-edit-several-todos-at-once)
 - [What does the done lane mean for dashboard stats?](#what-does-the-done-lane-mean-for-dashboard-stats)
 - [Are tag colors personal, or shared with the team?](#are-tag-colors-personal-or-shared-with-the-team)
@@ -19,11 +20,40 @@ Set `SCRUMBOY_MARKDOWN_NOTES_ENABLED=1` on the server (also accepts `true`, `on`
 
 After a restart, the todo dialog **Notes** field shows **markdown** and **preview** tabs. **markdown** is the source editor; **preview** is a sanitized rendered view. Supported syntax includes headings, emphasis, lists, blockquotes, inline and fenced code, horizontal rules (`---` on its own line with blank lines around it), and safe `http`/`https` links.
 
-Notes are still stored as raw markdown in `todos.body`. Todo titles and board card titles stay plain text. The server exposes `markdownNotesEnabled` on `/api/auth/status` so the UI only shows the tabs when the feature is enabled.
+Notes are still stored as raw markdown in `todos.body`. Todo titles and board card titles stay plain text. The server exposes `markdownNotesEnabled` on `/api/auth/status` so the UI only enables preview when the server has opted in.
 
 Preview hardening: HTML in notes is not rendered; images stay as escaped text; dangerous link schemes and embedded content are stripped or neutralized.
 
-For architecture, security, and source references, see [`docs/markdown.md`](docs/markdown.md).
+For architecture, security, and source references, see [`docs/markdown&mermaid.md`](docs/markdown&mermaid.md).
+
+## How do I enable Mermaid diagrams in my notes?
+
+Mermaid is a **sub-feature of Markdown preview**. You need Markdown preview enabled first (`SCRUMBOY_MARKDOWN_NOTES_ENABLED=1`), then set **`SCRUMBOY_MERMAID_NOTES_ENABLED=1`** on the server (same truthy values: `1`, `true`, `on`, or `yes`; case-insensitive). Turning on Mermaid alone does nothing if Markdown preview is off.
+
+After a restart, fenced **` ```mermaid `** blocks in a todo note render as diagrams when you open the **preview** tab. Regular Markdown in the same note still works; non-Mermaid fenced code blocks stay as code.
+
+Example:
+
+````markdown
+```mermaid
+graph TD
+  A[Start] --> B{Decision}
+  B -- Yes --> C[Result One]
+  B -- No --> D[Result Two]
+```
+````
+
+Mermaid does **not** render on board cards, notifications, exports, or server responses. Notes are still saved as raw text in `todos.body`.
+
+Preview limits (per note): up to **4** Mermaid blocks, **4000** characters per block, and **8000** characters total Mermaid source. Over-limit or syntax errors show a local warning with the original source instead of breaking the whole preview.
+
+Diagrams follow the app’s light/dark theme in preview. Optional yes/no-style branch **label backgrounds** (green/red for pairs like yes/no) can be customized via `/mermaid-semantic-edges.json`; override with `$DATA_DIR/mermaid-semantic-edges.json` (see `data/mermaid-semantic-edges.json.example`).
+
+User-authored Mermaid `%%{init: ...}%%` directive blocks are stripped before render so site security settings stay authoritative. Mermaid runs in **strict** mode (inline SVG in the preview pane only).
+
+The server exposes `mermaidNotesEnabled` on `/api/auth/status` alongside `markdownNotesEnabled`.
+
+For full architecture and security details, see [`docs/markdown&mermaid.md`](docs/markdown&mermaid.md).
 
 # Board
 

README.md

@@ -1,7 +1,7 @@
 <p align="center">
   <img width="372" src="internal/httpapi/web/githublogo.png" alt="scrumboy logo" />
   <br />
-  <img src="https://img.shields.io/badge/version-v3.16.2-blue" alt="version" />
+  <img src="https://img.shields.io/badge/version-v3.17.0-blue" alt="version" />
   <a href="LICENSE">
     <img src="https://img.shields.io/badge/license-AGPL--v3-orange" alt="license" />
   </a>
@@ -193,7 +193,7 @@ Simplicity of a light Kanban, with the power of structured systems: Roles, sprin
 
 - Sticky-Note Wall - per-project scratchpad of draggable sticky notes on the board (see `docs/WALL.md`).
 
-- Todo notes Markdown preview - markdown/preview tabs in the todo Notes field (see `FAQ.md`, `docs/markdown.md`).
+- Todo notes Markdown preview (optional) - **markdown** / **preview** tabs in the todo Notes field; optional Mermaid diagrams in fenced ` ```mermaid ` blocks in preview only (see `FAQ.md`, `docs/markdown&mermaid.md`).
 
 ---
 

cmd/scrumboy/main.go

@@ -110,6 +110,7 @@ func main() {
 		PushDebug:            cfg.PushDebug,
 		WallEnabled:          cfg.WallEnabled,
 		MarkdownNotesEnabled: cfg.MarkdownNotesEnabled,
+		MermaidNotesEnabled:  cfg.MermaidNotesEnabled,
 	})
 	st.SetTodoAssignedPublisher(srv.PublishTodoAssigned)
 

docs/markdown.md docs/markdown&mermaid.mddocs/markdown.md renamed to docs/markdown&mermaid.md

@@ -1,6 +1,6 @@
-# Todo notes Markdown (Phase 1)
+# Todo notes Markdown + Mermaid preview (Phase 1 / 1B)
 
-Phase 1 adds an **optional, client-side preview** of Markdown in the todo dialog **Notes** field. The server stores and serves notes as **plain text**; it does not parse or sanitize Markdown. Enabling the feature only exposes UI and loads browser libraries—the preview pipeline runs entirely in the SPA.
+Scrumboy supports an **optional, client-side preview** of Markdown in the todo dialog **Notes** field. Mermaid is an optional **sub-feature** of that preview. The server stores and serves notes as **plain text**; it does not parse or sanitize Markdown or Mermaid. Enabling these features only exposes UI and loads browser libraries—the preview pipeline runs entirely in the SPA.
 
 For operator setup, see [`FAQ.md`](../FAQ.md). This document describes architecture, configuration, and the preview security model.
 
@@ -13,6 +13,7 @@ For operator setup, see [`FAQ.md`](../FAQ.md). This document describes architect
 | **markdown** / **preview** tabs in the Edit/New Todo dialog (`#todoBody`, `#todoBodyPreview`) | Rendering Markdown on the board, dashboard, or notifications |
 | Preview of `todos.body` when the user opens the **preview** tab | Server-side Markdown → HTML conversion |
 | Sanitized HTML in the preview pane only | WYSIWYG editing (Notes stay a `<textarea>`) |
+| Optional Mermaid rendering for fenced ` ```mermaid ` blocks in the preview pane only | Rendering Mermaid on cards, notifications, exports, or any server path |
 | Raw Markdown persisted on create/patch | Images, raw HTML, or non-http(s) links in preview |
 
 Todo **titles** and card titles on the board are always escaped plain text (see `board-rendering` tests).
@@ -24,12 +25,13 @@ Todo **titles** and card titles on the board are always escaped plain text (see
 | Variable | Default | Enabled when |
 |----------|---------|--------------|
 | `SCRUMBOY_MARKDOWN_NOTES_ENABLED` | off (unset) | `1`, `true`, `on`, or `yes` (trimmed, case-insensitive) |
+| `SCRUMBOY_MERMAID_NOTES_ENABLED` | off (unset) | `1`, `true`, `on`, or `yes` **and** Markdown notes are already enabled |
 
-Parsed in `internal/config/config.go` (`markdownNotesEnabledFromEnv`), passed through `cmd/scrumboy/main.go` into the HTTP server (`ServerOpts.MarkdownNotesEnabled`), and exposed to the SPA as **`markdownNotesEnabled`** on:
+Parsed in `internal/config/config.go` (`markdownNotesEnabledFromEnv`, `mermaidNotesEnabledFromEnv`), passed through `cmd/scrumboy/main.go` into the HTTP server (`ServerOpts.MarkdownNotesEnabled`, `ServerOpts.MermaidNotesEnabled`), and exposed to the SPA as **`markdownNotesEnabled`** and **`mermaidNotesEnabled`** on:
 
 - `GET /api/auth/status` (authenticated and anonymous status payloads in `internal/httpapi/routing_auth.go`)
 
-The UI reads that flag once during auth bootstrap (`modules/router.ts` → `setMarkdownNotesEnabled`) and gates tab visibility in `modules/dialogs/todo.ts` (`markdownNotesPreviewEnabled()`).
+The UI reads those flags once during auth bootstrap (`modules/router.ts` → `setMarkdownNotesEnabled` / `setMermaidNotesEnabled`). Markdown gates tab visibility in `modules/dialogs/todo.ts` (`markdownNotesPreviewEnabled()`); Mermaid only affects whether fenced Mermaid blocks are upgraded inside the preview pane.
 
 There is **no per-project** or per-user toggle; it is instance-wide.
 
@@ -48,6 +50,10 @@ renderMarkdownPreviewInto()
         │
         ├─► markdown-it.render()  (html: false)
         └─► DOMPurify + link policy + DOM cleanup
+                │
+                ├─► (optional) detect Mermaid placeholders
+                ├─► lazy-load /vendor/mermaid.min.js on first Mermaid preview use
+                └─► mermaid.run() in preview-only hosts (strict mode)
                 │
                 ▼
         #todoBodyPreview innerHTML (ephemeral, not saved)
@@ -70,14 +76,14 @@ renderMarkdownPreviewInto()
 - **`todoNotesMode`:** `"markdown"` | `"preview"`.
 - **`syncTodoNotesModeUI()`:** toggles `hidden` on textarea vs preview, `is-active` / `aria-pressed` on tabs.
 - **`renderTodoNotesPreview()`:** calls `renderMarkdownPreviewInto`; on vendor/render failure, shows a toast and falls back to markdown mode.
-- **`input` listener:** re-renders preview live while the preview tab is active.
+- **`input` listener:** re-renders preview live while the preview tab is active; stale async Mermaid renders are cancelled by container-scoped render epochs.
 
 ### Preview module (`modules/markdown-preview.ts`)
 
 Exported API:
 
 - `renderMarkdownToSafeHtml(markdown: string): string`
-- `renderMarkdownPreviewInto(container: HTMLElement, markdown: string): void`
+- `renderMarkdownPreviewInto(container: HTMLElement, markdown: string, options?: { mermaidEnabled?: boolean }): Promise<void>`
 
 Empty or whitespace-only notes set `todo-markdown-preview--empty` and clear the container (placeholder via CSS `::before`).
 
@@ -88,6 +94,7 @@ Preview typography and colors are scoped under `#todoDialog .todo-markdown-previ
 ### State
 
 - `current._markdownNotesEnabled` in `modules/state/state.ts`, set from auth status only (not from board payloads).
+- `current._mermaidNotesEnabled` in `modules/state/state.ts`, also set from auth status only.
 
 ---
 
@@ -125,6 +132,20 @@ On a detached `<template>`:
    - **External** (`http://` / `https://`): set `target="_blank"` and `rel="noopener noreferrer"`.
    - **Unsafe href:** replace anchor with text node (link text only).
 
+### 4. Mermaid (optional, preview-only)
+
+When `mermaidEnabled` is true and the Markdown contains fenced Mermaid blocks:
+
+1. `renderer.rules.fence` emits opaque placeholders for ` ```mermaid ` blocks while keeping non-Mermaid fences as normal code blocks.
+2. After sanitized HTML is placed into the preview container, placeholders are replaced with local Mermaid hosts.
+3. `/vendor/mermaid.min.js` is lazy-loaded on demand.
+4. Mermaid initializes with preview theme tokens (`theme: "base"` + `themeVariables` from `--panel2`, `--text`, `--accent`, `--border`) so diagram backgrounds match the preview pane in light and dark mode. Re-initializes when the effective theme changes.
+5. All user-authored Mermaid directive blocks in the `%%{...}%%` form are stripped before render so site security settings remain authoritative.
+6. Preview-side limits cap Mermaid work per note: only the first 4 Mermaid fences render, each fence is capped at 4000 characters, and the total Mermaid preview budget is capped at 8000 characters.
+7. Limit overages and diagram syntax failures do **not** tear down preview mode; the preview shows a local warning/error block with the original source.
+8. Changing app theme while the todo preview is open re-renders diagrams via the same preview pipeline (render epochs prevent stale async work from committing).
+9. Optional yes/no-style branch **label backgrounds** only: `/mermaid-semantic-edges.json` (override via `$DATA_DIR/mermaid-semantic-edges.json`; see `data/mermaid-semantic-edges.json.example`). Applied after render via DOM; does not modify diagram source or connector lines.
+
 ---
 
 ## Supported Markdown (preview)
@@ -145,6 +166,7 @@ Verified in `modules/markdown-preview.test.ts`:
 - Raw HTML in source → escaped in output
 - Dangerous or non-web link schemes → plain text
 - Protocol-relative URLs (`//host/...`)
+- Mermaid directives (`%%{...}%%`) are ignored for rendering; site-level Mermaid config wins
 
 ---
 
@@ -154,6 +176,8 @@ Verified in `modules/markdown-preview.test.ts`:
 - **CSP / trust:** preview depends on vendored `markdown-it` and DOMPurify; `npm test` in `internal/httpapi/web` runs `verify-vendor.mjs` before Vitest.
 - **Link exfiltration:** only `http`/`https` external navigation; `noopener noreferrer` on external tabs.
 - **No Markdown on titles** avoids XSS or layout surprises on shared boards and SSE-driven card updates.
+- **Mermaid isolation:** in Mermaid `11.15.0`, the preview uses `securityLevel: "strict"` (Mermaid's secure default), which encodes HTML in diagram text and renders inline SVG. Diagram output is never passed through the general Markdown allow-list as arbitrary SVG/HTML. Inline (rather than sandboxed-iframe) rendering is what lets the semantic label coloring recolor matched label backgrounds via the DOM after render.
+- **Mermaid scope:** diagrams only render in the todo dialog preview, never on the board or server.
 
 ---
 
@@ -163,9 +187,16 @@ Verified in `modules/markdown-preview.test.ts`:
 |-------|------|
 | `/vendor/markdown-it.min.js` | Parser (eager script in `index.html`) |
 | `/vendor/purify.min.js` | Sanitizer (eager script in `index.html`) |
+| `/vendor/mermaid.min.js` | Mermaid runtime (lazy-loaded only when Mermaid preview is needed) |
 | `/dist/markdown-preview.js` | Compiled module (TypeScript → `dist/`) |
 
-Service worker (`sw.js`) precaches vendor scripts and `dist/markdown-preview.js` for offline-capable loads after first visit.
+Service worker (`sw.js`) precaches the eager Markdown assets and `dist/markdown-preview.js`. Mermaid is **not** install-time precached. It is fetched lazily, and because `/vendor/mermaid.min.js` is handled by the service worker's same-origin cache-first asset branch, a successful first fetch while the service worker is active makes it available for later offline reuse from cache.
+
+Manual verification for offline reuse:
+
+- Load a note that contains a Mermaid fence while online and wait for the preview to render once.
+- Disconnect or simulate offline mode, then reopen the same note's preview.
+- Expected result: the preview can still resolve `/vendor/mermaid.min.js` from cache; if the runtime was never fetched successfully before going offline, Mermaid preview is not guaranteed.
 
 Regenerate vendor files after dependency bumps:
 
@@ -181,12 +212,12 @@ npm run verify:vendor
 
 | Location | Covers |
 |----------|--------|
-| `internal/config/config_markdown_enabled_test.go` | Env parsing |
-| `internal/httpapi/routing_auth_markdown_test.go` | `markdownNotesEnabled` on auth status |
-| `modules/markdown-preview.test.ts` | Supported subset, links, HTML/images neutralization |
+| `internal/config/config_markdown_enabled_test.go` | Markdown + Mermaid env parsing |
+| `internal/httpapi/routing_auth_markdown_test.go` | `markdownNotesEnabled` and `mermaidNotesEnabled` on auth status |
+| `modules/markdown-preview.test.ts` | Supported subset, links, HTML/images neutralization, Mermaid fences, placeholder spoofing regression, full directive stripping, preview-size limits, async rerender cancellation |
 | `modules/dialogs/todo-markdown-preview.test.ts` | Dialog gating, preview vs textarea, raw body on save |
-| `modules/dialogs/todo-submit.test.ts` | API payloads keep raw Markdown |
-| `modules/views/board-rendering.test.ts` | Card titles do not render note Markdown |
+| `modules/dialogs/todo-submit.test.ts` | API payloads keep raw Markdown / raw note bodies |
+| `modules/views/board-rendering.test.ts` | Card titles do not render note Markdown or Mermaid |
 
 ---
 

internal/config/config.go

@@ -53,6 +53,11 @@ type Config struct {
 	// Markdown notes preview. Defaults off until explicitly enabled via
 	// SCRUMBOY_MARKDOWN_NOTES_ENABLED=1 (also accepts true/on/yes).
 	MarkdownNotesEnabled bool
+
+	// Mermaid notes preview. Defaults off until explicitly enabled via
+	// SCRUMBOY_MERMAID_NOTES_ENABLED=1 (also accepts true/on/yes). Effective
+	// only when MarkdownNotesEnabled is also true.
+	MermaidNotesEnabled bool
 }
 
 func FromEnv() Config {
@@ -66,6 +71,8 @@ func FromEnv() Config {
 		mode = "full" // Default to full if invalid
 	}
 
+	markdownNotesEnabled := markdownNotesEnabledFromEnv()
+
 	return Config{
 		BindAddr:             getenv("BIND_ADDR", ":8080"),
 		DataDir:              dataDir,
@@ -98,7 +105,8 @@ func FromEnv() Config {
 		PushDebug:       strings.TrimSpace(os.Getenv("SCRUMBOY_DEBUG_PUSH")) == "1",
 
 		WallEnabled:          wallEnabledFromEnv(),
-		MarkdownNotesEnabled: markdownNotesEnabledFromEnv(),
+		MarkdownNotesEnabled: markdownNotesEnabled,
+		MermaidNotesEnabled:  mermaidNotesEnabledFromEnv(markdownNotesEnabled),
 	}
 }
 
@@ -129,6 +137,22 @@ func markdownNotesEnabledFromEnv() bool {
 	}
 }
 
+// mermaidNotesEnabledFromEnv returns whether Mermaid preview is enabled for todo
+// notes. Mermaid is layered on top of markdown preview, so it is only effective
+// when markdown notes are already enabled.
+func mermaidNotesEnabledFromEnv(markdownNotesEnabled bool) bool {
+	if !markdownNotesEnabled {
+		return false
+	}
+	v := strings.TrimSpace(strings.ToLower(os.Getenv("SCRUMBOY_MERMAID_NOTES_ENABLED")))
+	switch v {
+	case "1", "true", "on", "yes":
+		return true
+	default:
+		return false
+	}
+}
+
 // OIDCEnabled returns true if all required OIDC env vars are set.
 func (c Config) OIDCEnabled() bool {
 	return c.OIDCIssuerCanonical != "" && c.OIDCClientID != "" && c.OIDCClientSecret != "" && c.OIDCRedirectURL != ""