chore(embedded): cut v0.0.16-beta with public-landing fix

Bake the public-landing-page server change into the dev binary.

mdedit/dist/mdedit.html

@@ -1792,7 +1792,7 @@ body.help-open .app-header {
                 </svg>
                 <div class="header-title-group">
                     <span class="app-header__title">ZDDC Markdown</span>
-                    <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.16-beta · 2026-05-04 · e67c1b2</span></span>
+                    <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.16-beta · 2026-05-04 · 62ce6e9</span></span>
                 </div>
                 <button id="addDirectoryBtn" class="btn btn-primary" title="Add a local directory">Add Local Directory</button>
                 <button id="refreshHeaderBtn" class="btn btn-secondary hidden" title="Refresh directory" aria-label="Refresh" style="font-size:1.1rem;">⟳</button>

zddc/cmd/zddc-server/main.go

@@ -297,14 +297,16 @@ func dispatch(cfg config.Config, idx *archive.Index, ring *handler.LogRing, apps
 	// no real index.html on disk → serve via apps.Serve("landing"). The
 	// other four apps are caught by the "stat fails → app HTML?" branch
 	// below, which only triggers when no concrete file is at the URL path.
+	//
+	// The landing page is intentionally public (no ACL gate). It's a
+	// project picker — the per-project ACL filtering done by
+	// fs.ListDirectory still hides projects an anonymous (or unauthorized)
+	// caller can't reach. See also handler.ServeDirectory's matching
+	// root-path bypass.
 	if appsSrv != nil && (urlPath == "/" || urlPath == "/index.html") {
 		realIndex := filepath.Join(cfg.Root, "index.html")
 		if _, err := os.Stat(realIndex); os.IsNotExist(err) {
 			chain, _ := zddc.EffectivePolicy(cfg.Root, cfg.Root)
-			if !zddc.AllowedWithChain(chain, email) {
-				http.Error(w, "Forbidden", http.StatusForbidden)
-				return
-			}
 			if apps.AppAvailableAt(cfg.Root, cfg.Root, "landing") {
 				appsSrv.Serve(w, r, "landing", chain, cfg.Root)
 				return
@@ -353,11 +355,18 @@ func dispatch(cfg config.Config, idx *archive.Index, ring *handler.LogRing, apps
 	}
 
 	if info.IsDir() {
-		// ACL check
-		chain, _ := zddc.EffectivePolicy(cfg.Root, absPath)
-		if !zddc.AllowedWithChain(chain, email) {
-			http.Error(w, "Forbidden", http.StatusForbidden)
-			return
+		// ACL check — bypassed at the root path so the landing page (the
+		// project picker) is reachable by anyone, including anonymous.
+		// Per-project filtering happens inside ServeDirectory →
+		// fs.ListDirectory, which hides directories the caller can't
+		// reach. Subdirectory requests still hit this gate.
+		isRoot := urlPath == "/"
+		if !isRoot {
+			chain, _ := zddc.EffectivePolicy(cfg.Root, absPath)
+			if !zddc.AllowedWithChain(chain, email) {
+				http.Error(w, "Forbidden", http.StatusForbidden)
+				return
+			}
 		}
 		if !strings.HasSuffix(urlPath, "/") {
 			http.Redirect(w, r, urlPath+"/", http.StatusMovedPermanently)

zddc/internal/apps/embedded/archive.html

@@ -2131,7 +2131,7 @@ td[data-field="trackingNumber"] {
                 </svg>
                 <div class="header-title-group">
                     <span class="app-header__title">ZDDC Archive</span>
-                    <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.16-beta · 2026-05-04 · e67c1b2</span></span>
+                    <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.16-beta · 2026-05-04 · 62ce6e9</span></span>
                 </div>
                 <button id="addDirectoryBtn" class="btn btn-primary">Add Local Directory</button>
                 <button id="refreshHeaderBtn" class="btn btn-secondary hidden" title="Refresh Data" style="font-size:1.1rem;">⟳</button>

zddc/internal/apps/embedded/browse.html

@@ -896,7 +896,7 @@ body {
             </svg>
             <div class="header-title-group">
                 <span class="app-header__title">ZDDC Browse</span>
-                <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.16-beta · 2026-05-04 · e67c1b2</span></span>
+                <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.16-beta · 2026-05-04 · 62ce6e9</span></span>
             </div>
             <button id="addDirectoryBtn" class="btn btn-primary">Add Local Directory</button>
             <button id="refreshHeaderBtn" class="btn btn-secondary hidden" title="Refresh listing" aria-label="Refresh listing" style="font-size:1.1rem;">⟳</button>

zddc/internal/apps/embedded/classifier.html

@@ -1394,7 +1394,7 @@ body.help-open .app-header {
                     </svg>
                     <div class="header-title-group">
                         <span class="app-header__title">ZDDC Classifier</span>
-                        <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.16-beta · 2026-05-04 · e67c1b2</span></span>
+                        <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.16-beta · 2026-05-04 · 62ce6e9</span></span>
                     </div>
                     <button id="addDirectoryBtn" class="btn btn-primary">Add Local Directory</button>
                     <button id="refreshHeaderBtn" class="btn btn-secondary hidden" title="Refresh and rescan directory" aria-label="Refresh" style="font-size:1.1rem;">⟳</button>

zddc/internal/apps/embedded/index.html

@@ -885,7 +885,7 @@ body {
             </svg>
             <div class="header-title-group">
                 <span class="app-header__title">ZDDC</span>
-                <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.16-beta · 2026-05-04 · e67c1b2</span></span>
+                <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.16-beta · 2026-05-04 · 62ce6e9</span></span>
             </div>
         </div>
         <div class="header-right">

zddc/internal/apps/embedded/mdedit.html

@@ -1792,7 +1792,7 @@ body.help-open .app-header {
                 </svg>
                 <div class="header-title-group">
                     <span class="app-header__title">ZDDC Markdown</span>
-                    <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.16-beta · 2026-05-04 · e67c1b2</span></span>
+                    <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.16-beta · 2026-05-04 · 62ce6e9</span></span>
                 </div>
                 <button id="addDirectoryBtn" class="btn btn-primary" title="Add a local directory">Add Local Directory</button>
                 <button id="refreshHeaderBtn" class="btn btn-secondary hidden" title="Refresh directory" aria-label="Refresh" style="font-size:1.1rem;">⟳</button>

zddc/internal/apps/embedded/transmittal.html

@@ -2192,7 +2192,7 @@ dialog.modal--narrow {
             </svg>
             <div class="header-title-group">
                 <span class="app-header__title">ZDDC Transmittal</span>
-                <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.16-beta · 2026-05-04 · e67c1b2</span></span>
+                <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.16-beta · 2026-05-04 · 62ce6e9</span></span>
             </div>
             <span id="no-js-notice" class="text-gray-400 text-xs italic">JavaScript not available</span>
             <!-- Publish split-button (Transmittal-specific primary action;

zddc/internal/apps/embedded/versions.txt

@@ -1,8 +1,8 @@
 # Generated by build.sh — do not edit. One <app>=<build label> per line.
-archive=v0.0.16-beta · 2026-05-04 · e67c1b2
-transmittal=v0.0.16-beta · 2026-05-04 · e67c1b2
-classifier=v0.0.16-beta · 2026-05-04 · e67c1b2
-mdedit=v0.0.16-beta · 2026-05-04 · e67c1b2
-landing=v0.0.16-beta · 2026-05-04 · e67c1b2
-form=v0.0.16-beta · 2026-05-04 · e67c1b2
-browse=v0.0.16-beta · 2026-05-04 · e67c1b2
+archive=v0.0.16-beta · 2026-05-04 · 62ce6e9
+transmittal=v0.0.16-beta · 2026-05-04 · 62ce6e9
+classifier=v0.0.16-beta · 2026-05-04 · 62ce6e9
+mdedit=v0.0.16-beta · 2026-05-04 · 62ce6e9
+landing=v0.0.16-beta · 2026-05-04 · 62ce6e9
+form=v0.0.16-beta · 2026-05-04 · 62ce6e9
+browse=v0.0.16-beta · 2026-05-04 · 62ce6e9

zddc/internal/handler/directory.go

@@ -40,7 +40,10 @@ func ServeDirectory(cfg config.Config, w http.ResponseWriter, r *http.Request) {
 	dirPath := strings.TrimPrefix(urlPath, "/")
 	dirPath = strings.TrimSuffix(dirPath, "/")
 
-	// ACL check on this directory itself
+	// ACL check on this directory itself.
+	// Bypassed at the root path: the landing page is a public project
+	// picker. Per-project filtering inside fs.ListDirectory still hides
+	// directories the caller can't reach.
 	absDir, ok := safeJoin(cfg.Root, dirPath)
 	if !ok {
 		http.Error(w, "Not Found", http.StatusNotFound)
@@ -50,7 +53,8 @@ func ServeDirectory(cfg config.Config, w http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		slog.Warn("ACL policy error", "path", absDir, "err", err)
 	}
-	if !zddc.AllowedWithChain(chain, email) {
+	isRoot := dirPath == ""
+	if !isRoot && !zddc.AllowedWithChain(chain, email) {
 		http.Error(w, "Forbidden", http.StatusForbidden)
 		return
 	}

zddc/internal/handler/directory_test.go

@@ -0,0 +1,128 @@
+package handler
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"codeberg.org/VARASYS/ZDDC/zddc/internal/config"
+)
+
+// TestServeDirectoryRootIsPublic asserts that the landing page (the root
+// directory listing) is reachable by anyone, including anonymous callers
+// whose email is empty AND whose access would be denied by a restrictive
+// root .zddc. Per-project filtering inside fs.ListDirectory still hides
+// directories the caller can't reach (separately verified below).
+//
+// The behavior was changed when "Everyone needs to have access to the
+// landing page" became the explicit requirement; this test is the
+// regression guard.
+func TestServeDirectoryRootIsPublic(t *testing.T) {
+	root := t.TempDir()
+
+	// Restrictive root .zddc — only admin@example.com is allowed by ACL,
+	// nothing else. A user without that email would have been 403'd before
+	// the bypass.
+	if err := os.WriteFile(filepath.Join(root, ".zddc"),
+		[]byte("admins:\n  - admin@example.com\nacl:\n  allow:\n    - admin@example.com\n"),
+		0o644); err != nil {
+		t.Fatalf("write root .zddc: %v", err)
+	}
+
+	// One project visible to everyone, one only to admin.
+	for _, name := range []string{"PublicProj", "PrivateProj"} {
+		if err := os.MkdirAll(filepath.Join(root, name), 0o755); err != nil {
+			t.Fatalf("mkdir %s: %v", name, err)
+		}
+	}
+	if err := os.WriteFile(filepath.Join(root, "PublicProj", ".zddc"),
+		[]byte("acl:\n  allow: [\"*\"]\n"), 0o644); err != nil {
+		t.Fatalf("write PublicProj .zddc: %v", err)
+	}
+	if err := os.WriteFile(filepath.Join(root, "PrivateProj", ".zddc"),
+		[]byte("acl:\n  allow: [admin@example.com]\n"), 0o644); err != nil {
+		t.Fatalf("write PrivateProj .zddc: %v", err)
+	}
+
+	cfg := config.Config{Root: root, EmailHeader: "X-Auth-Request-Email"}
+
+	t.Run("anonymous JSON GET / does not 403", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		req.Header.Set("Accept", "application/json")
+		// Anonymous: empty email in context.
+		req = req.WithContext(context.WithValue(req.Context(), EmailKey, ""))
+		rec := httptest.NewRecorder()
+		ServeDirectory(cfg, rec, req)
+
+		if rec.Code != http.StatusOK {
+			t.Fatalf("status = %d, want 200 (root is public); body = %s",
+				rec.Code, rec.Body.String())
+		}
+	})
+
+	t.Run("anonymous JSON GET / hides private projects", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		req.Header.Set("Accept", "application/json")
+		req = req.WithContext(context.WithValue(req.Context(), EmailKey, ""))
+		rec := httptest.NewRecorder()
+		ServeDirectory(cfg, rec, req)
+
+		if rec.Code != http.StatusOK {
+			t.Fatalf("status = %d, want 200; body = %s", rec.Code, rec.Body.String())
+		}
+
+		var entries []map[string]any
+		if err := json.Unmarshal(rec.Body.Bytes(), &entries); err != nil {
+			t.Fatalf("invalid JSON: %v\n%s", err, rec.Body.String())
+		}
+
+		names := map[string]bool{}
+		for _, e := range entries {
+			if n, ok := e["name"].(string); ok {
+				names[n] = true
+			}
+		}
+		if !names["PublicProj/"] {
+			t.Errorf("PublicProj missing from anonymous listing: %v", names)
+		}
+		if names["PrivateProj/"] {
+			t.Errorf("PrivateProj leaked to anonymous listing: %v", names)
+		}
+	})
+
+	t.Run("admin JSON GET / sees both projects", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		req.Header.Set("Accept", "application/json")
+		req = req.WithContext(context.WithValue(req.Context(), EmailKey, "admin@example.com"))
+		rec := httptest.NewRecorder()
+		ServeDirectory(cfg, rec, req)
+
+		if rec.Code != http.StatusOK {
+			t.Fatalf("admin status = %d, want 200", rec.Code)
+		}
+
+		var entries []map[string]any
+		if err := json.Unmarshal(rec.Body.Bytes(), &entries); err != nil {
+			t.Fatalf("invalid JSON: %v", err)
+		}
+		if len(entries) != 2 {
+			t.Errorf("admin should see both projects; got %d", len(entries))
+		}
+	})
+
+	t.Run("anonymous still gets 403 on private subdirectory", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/PrivateProj/", nil)
+		req.Header.Set("Accept", "application/json")
+		req = req.WithContext(context.WithValue(req.Context(), EmailKey, ""))
+		rec := httptest.NewRecorder()
+		ServeDirectory(cfg, rec, req)
+
+		if rec.Code != http.StatusForbidden {
+			t.Errorf("private subdir for anonymous: status = %d, want 403", rec.Code)
+		}
+	})
+}

zddc/internal/handler/form.html

@@ -741,7 +741,7 @@ body.help-open .app-header {
             </svg>
             <div class="header-title-group">
                 <span class="app-header__title" id="form-title">ZDDC Form</span>
-                <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.16-beta · 2026-05-04 · e67c1b2</span></span>
+                <span class="build-timestamp"><span style="color:red;font-weight:bold">v0.0.16-beta · 2026-05-04 · 62ce6e9</span></span>
             </div>
         </div>
         <div class="header-right">