fix: media_refs consistency, list_media N+1, path guard hardening

- versions.py: revert path was updating backlinks but not media_references,
  leaving the deletion guard out of sync with actual references
- database.py: rebuild_all_media_refs guard now uses PRAGMA user_version so
  the one-time backfill runs on wikis that already had media rows
- media.py: list_media replaces per-item JOIN with a single grouped query
- media.py: path traversal guard uses Path.is_relative_to instead of a
  string suffix check
- MediaPickerModal / Admin: strip []() from filename before embedding into
  generated markdown

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: PttCodingMan

backend/app/database.py

@@ -890,18 +890,24 @@ async def rebuild_all_backlinks(db):
 
 
 async def rebuild_all_media_refs(db):
-    """Rebuild media_references for all existing pages (one-time backfill)."""
+    """Rebuild media_references for all existing pages (one-time backfill).
+
+    Tracked via PRAGMA user_version bit 0x1. The previous COUNT(*)>0 guard
+    skipped the scan as soon as any row existed, which meant pages created
+    before the feature shipped never got their refs backfilled on a wiki
+    that had already added media after the first deploy.
+    """
     from app.services.media_ref import parse_and_update_media_refs
 
-    rows = await db.execute_fetchall("SELECT COUNT(*) as cnt FROM media_references")
-    if rows[0]["cnt"] > 0:
-        return  # Already populated
+    rows = await db.execute_fetchall("PRAGMA user_version")
+    current = rows[0]["user_version"] if rows else 0
+    if current & 0x1:
+        return
 
     pages = await db.execute_fetchall("SELECT id, content_md FROM pages")
     for p in pages:
         await parse_and_update_media_refs(db, p["id"], p["content_md"])
-    if pages:
-        await db.commit()
+    await db.execute(f"PRAGMA user_version = {current | 0x1}")
 
 
 async def seed_welcome_page(db):

backend/app/routers/media.py

@@ -76,18 +76,24 @@ async def list_media(user=Depends(get_current_user)):
            ORDER BY m.uploaded_at DESC"""
     )
 
+    # Single grouped query for referenced pages across all media, keyed by media_id.
+    ref_rows = await db.execute_fetchall(
+        """SELECT mr.media_id, p.id, p.slug, p.title
+           FROM media_references mr
+           JOIN pages p ON p.id = mr.page_id
+           WHERE p.deleted_at IS NULL
+           ORDER BY p.title"""
+    )
+    refs_by_media: dict[int, list[dict]] = {}
+    for r in ref_rows:
+        refs_by_media.setdefault(r["media_id"], []).append(
+            {"id": r["id"], "slug": r["slug"], "title": r["title"]}
+        )
+
     items: list[dict] = []
     for r in rows:
         item = dict(r)
-        pages = await db.execute_fetchall(
-            """SELECT p.id, p.slug, p.title
-               FROM media_references mr
-               JOIN pages p ON p.id = mr.page_id
-               WHERE mr.media_id = ? AND p.deleted_at IS NULL
-               ORDER BY p.title""",
-            (item["id"],),
-        )
-        item["referenced_pages"] = [dict(p) for p in pages]
+        item["referenced_pages"] = refs_by_media.get(item["id"], [])
         item["url"] = f"/api/media/{item['filename']}"
         items.append(item)
     return items
@@ -119,7 +125,7 @@ async def delete_media(media_id: int, user=Depends(require_admin)):
     # Remove the file on disk. Guard against path traversal and missing files.
     media_dir = Path(settings.MEDIA_DIR).resolve()
     filepath = (media_dir / rows[0]["filename"]).resolve()
-    if str(filepath).startswith(str(media_dir) + "/") and filepath.exists():
+    if filepath.is_relative_to(media_dir) and filepath.exists():
         try:
             filepath.unlink()
         except OSError:
@@ -135,7 +141,7 @@ async def get_media(filename: str):
     filepath = (media_dir / filename).resolve()
 
     # Prevent path traversal: resolved path must be inside MEDIA_DIR
-    if not str(filepath).startswith(str(media_dir) + "/"):
+    if not filepath.is_relative_to(media_dir):
         raise HTTPException(status_code=400, detail="Invalid filename")
 
     if not filepath.exists():

backend/app/routers/versions.py

@@ -4,6 +4,7 @@
 from app.database import get_db
 from app.services.search import rebuild_search_index
 from app.services.wikilink import parse_and_update_backlinks
+from app.services.media_ref import parse_and_update_media_refs
 from app.routers.activity import log_activity
 
 router = APIRouter(prefix="/api/pages", tags=["versions"])
@@ -149,6 +150,7 @@ async def revert_to_version(slug: str, num: int, user=Depends(get_current_user))
     )
     await rebuild_search_index(db, current["id"], version[0]["title"], version[0]["content_md"])
     await parse_and_update_backlinks(db, current["id"], version[0]["content_md"])
+    await parse_and_update_media_refs(db, current["id"], version[0]["content_md"])
     await log_activity(
         db, user["id"], "reverted", "page", current["id"],
         {"title": version[0]["title"], "slug": slug, "to_version": num},

frontend/src/components/Editor/MediaPickerModal.jsx

@@ -59,9 +59,8 @@ export default function MediaPickerModal({ open, onClose, onInsert }) {
 
   const buildMarkdown = (item) => {
     const isImage = item.mime_type?.startsWith('image/')
-    return isImage
-      ? `![${item.original_name}](${item.url})`
-      : `[${item.original_name}](${item.url})`
+    const label = (item.original_name || '').replace(/[[\]()]/g, '')
+    return isImage ? `![${label}](${item.url})` : `[${label}](${item.url})`
   }
 
   const q = query.trim().toLowerCase()

frontend/src/pages/Admin.jsx

@@ -269,9 +269,10 @@ function MediaLibrarySection() {
   }
 
   const copyMarkdown = async (item) => {
+    const label = (item.original_name || '').replace(/[[\]()]/g, '')
     const snippet = item.mime_type?.startsWith('image/')
-      ? `![${item.original_name}](${item.url})`
-      : `[${item.original_name}](${item.url})`
+      ? `![${label}](${item.url})`
+      : `[${label}](${item.url})`
     try {
       await navigator.clipboard.writeText(snippet)
       setCopied(item.id)