dashboard: render SVG file previews

SVG files in the side-panel file preview showed only raw source. Add a rendered/source tabbed view: 'rendered' (default) shows the image, 'source' shows the markup. The image loads via an <img> data: URI — <img>-loaded SVG runs in the browser's secure static mode (scripts + external fetches disabled), so an untrusted SVG from an agent's state dir can't execute code in the dashboard origin. Tabs reuse the existing diff-base-tab styling; a checkerboard backs the image so transparent regions read clearly. closes #188
2026-05-21 20:29:41 +02:00 · 2026-05-21 20:29:41 +02:00 · a8ab91ecd8
commit a8ab91ecd8
parent fc3490086b
3 changed files with 57 additions and 5 deletions
--- a/docs/web-ui.md
+++ b/docs/web-ui.md
@ -68,7 +68,11 @@ node)` swaps the body; the JS builders for file previews,
 approval diffs, and journald logs all render into it. Markdown
 file previews (`.md` / `.markdown`) render through the vendored
 `marked` bundle (`GET /static/marked.js`) into a `.md` block;
-other files stay raw in a `<pre>`.
+SVG previews (`.svg`) get a `rendered` / `source` tabbed view —
+`rendered` shows the image via an `<img>` `data:` URI (the
+browser's secure static mode, so an untrusted SVG can't run
+scripts), `source` shows the raw markup; other files stay raw
+in a `<pre>`.

 Both bind their listeners with `SO_REUSEADDR` via
 `tokio::net::TcpSocket` plus a retry loop on `AddrInUse` (12 tries,