Fixes a bug reported on Discord with relative links inside a
repository's subdir would resolve incorrectly since we were naively
"absoluting" the link destination.

Now, we resolve it against the current (parent) directory. For example,
if lol/x.md has a link

[foo](./some.png) => /lol/some.png (instead of just /some.png)

thanks @cinny.bun.how on bluesky.

also setup nix devshell to configure TANGLED_OAUTH_JWK in a shellhook
for seamless local oauth dev.

[preview](https://cdn.discordapp.com/attachments/1361968270516949092/1371809102023622699/image.png?ex=68247c48&is=68232ac8&hm=d743ac41cf52bdee418f3260a99860fad4ad11d2c105954e663dabf2735e18f3&)

the pull-id was extracted out of transaction

how it works:

- hx-indicator adds the htmx-request class to the target of choice
- with tailwind, we can use `group-[.class]` to check if a parent
element has a certain class, and style things conditionally
- by applying `group-[.htmx-request]`, we can detect when a request is
in progress, and show/hide a lucide loader
- the loader is a static icon made to spin using the `animate-spin`
class

setting TANGLED_DEV=true now lets you work on tangled without creating
ngrok/localtunnel tunnels.

NixOS 24.11 doesn't provide go-1.24 which is now required for this
project.

Additionally fix the `CGO_ENABLED` warnings that comes with the newer
nixpkgs version.

Lets us use it without an import cycle.

This serves the go-import meta tag if the user-agent is
Go-http-client/1.1 and there's a ?go-get=1 query parameter present. This
should run before the router 404's a path that technically doesn't exist
like tangled.sh/foo.com/some-go/v5.

the current transaction model only rollsback on db failures. this
changeset makes the transaction encapsulate the entire NewPull flow. if
creating the pds record fails, the db is still rolled back.

Also does some driveby config refactoring.

Add a space between the Discord link and the next word "or". This only
shows up on the timeline if you are not logged in...meaning it's one of
the first things a new user sees.

gotta be more explicit apparently

subsequently, every RenderMarkdown call has been wrapped with
bluemonday sanitization.

This reverts commit 44f2b1f562faf1f36be90385a699a60991db6b86.

this will come in handy when we create repos from firehose records.

avoids path traversal attempts.

Chill, it's not what you think. Helpers and middleware for tracing and
metrics provided by OpenTelemetry.

the pull-source information chip displayed `fork branch` but the two
bits of information were styled differently.

this patch unifies the styles, moves both bits of info into the same
pill, styles them identically, and uses a `:` to separate them
`fork:branch`.

also add classes here and there for leah

This fixes two issues I had when deploying the eeg.cl.cam.ac.uk knot:

1) The permissions on the volumes are currently set at build time, which means that when a fresh volume is mounted it has the wrong permissions. This fixes it to run the chmods on the volumes dynamically at entrypoint time, which lets a fresh volume work with a knotserver.
The error before was:
```
knot-1 | time=2025-05-04T13:58:36.054Z level=ERROR msg="failed to setup db" error="unable to open database file: no such file or directory"
```

2) It's a little odd for the default setup to expose 5555 and insecure http to the Internet, given that the appview will try to connect to the knot over https. This adds a standalone Caddy server as the default and removes port 5555 from being directly explosed. A more advanced user with an existing proxy can easily remove this from the compose file and hook in their own.

The only remaining footgun my users have encountered is that of port 2222 being the default. Almost all the users have forgotten to add the `port 2222` directive in their ssh_config, and the _host_ sshd rejects them. In my local setup, I've swapped the host and knot ports around so that the knot runs on 2222, but a really elegant solution would be for some sort of ssh proxy on the host ssh to redirect the `git` user to the knotserver sshd. I haven't done that yet though!

It's the clients problem now. Also add a tiny exception for svgs since
those get picked up as text/xml otherwise.

i could have sworn chi.URLParam was supposed to do this...

Proxies images against a HMAC signature -- this prevents knot URLs from
directly being hit and possibly spammed. Also caches images in
Cloudflare's global CDN.

this was a known issue, but just ignored until now. when a patch reverts
all changes from an older patch, the combined patch for that file is
nil.