Added
- Documents: in-browser document viewer. Uploaded files can now be previewed directly in an
xlmodal without downloading — images (PNG/JPEG/WebP) render inline, PDFs open in a sandboxed same-origin iframe, and text/CSV files are fetched and shown in a monospaced block. Office files (Word/Excel) and other non-previewable types fall back to a download prompt. A new eye-icon action button appears on viewable files, and clicking a card or row opens the viewer. Backed by a newGET /api/v1/documents/:id/previewendpoint serving files withContent-Disposition: inline.
Changed
- Documents: grid cards redesigned — the category icon and date now share a header row, with action buttons centered below a divider.
Security
- The Content-Security-Policy
frame-srcdirective was relaxed from'none'to'self'to allow same-origin PDF embedding in the document viewer. The PDF iframe is additionallysandboxed (allow-same-originonly, no scripts) as defense-in-depth.