SteelDynamite/onyx-tasks
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
200 commits 10 branches 0 tags 1.4 MiB
Commit graph

7 commits

Author SHA1 Message Date
Claude 85748f4c95
Audit fixes: panic safety, path hardening, code quality 
- Replace 2 production unwrap() calls in workspace.rs with proper error
  handling to prevent panics on inconsistent state
- Add AppState::save_config() helper to eliminate 11 duplicated
  save_to_file patterns in Tauri lib.rs
- Log file watcher errors instead of silently swallowing them
- Harden path traversal check in storage.rs: re-verify after
  canonicalization to catch symlink escapes
- Add Windows reserved device name handling (CON, NUL, etc.) to
  sanitize_filename
- Clean up stale .tmp files from interrupted atomic writes on startup

All 107 core tests pass.

https://claude.ai/code/session_01EnSrQsowc64rAwzD9BnJpc
 2026-04-06 10:41:03 +00:00
Tristan Michael 5e33416b22 Slim task frontmatter: remove timestamps, add version counter + self-healing dedup 
Remove created_at/updated_at from Task struct and frontmatter. Add a
version counter (u64) that increments on every write, defaults to 1 for
old files. list_tasks now groups by UUID and auto-deletes stale
duplicates (keeping highest version), preventing sync-induced dupes from
surfacing in the UI. has_time and parent are omitted from frontmatter
when false/null.

Update CLI, Tauri frontend types, and Svelte components to match.
 2026-04-05 19:22:10 -07:00
Tristan Michael 50d859ef80 Refactor workspaces to use UUID keys 
Change workspace identifiers from display names to UUID strings so
multiple workspaces can share the same display name. WorkspaceConfig now
stores a name field; add_workspace returns a generated UUID. Update all
CLI, Tauri commands, frontend stores and screens, WebDAV managed
directories, and tests to use/resolve workspace IDs; add helpers
find_by_name/resolve_name to map display names to IDs when needed. This
removes duplicate-name checks, avoids filesystem conflicts, and
preserves display names while using stable unique IDs internally.
 2026-04-05 14:58:31 -07:00
Tristan Michael be6b8d0d90 security: update callers for hardened credential API 
- Handle Result from WebDavClient::new in CLI sync, core sync, and Tauri
- Unwrap Zeroizing<String> at Tauri serialization boundary
- Use .as_str() for basic_auth calls with Zeroizing<String> fields

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-03 10:11:40 -07:00
Tristan Michael fa1125bfeb fix: harden core data integrity — move_task rollback, path traversal, migration safety 
Add rollback to move_task: if delete-from-source fails after write-to-
destination, clean up the duplicate. Reject list names with path separators
or '..' to prevent traversal; canonicalize() failures now return errors
instead of silently falling back to unchecked paths. Add validation and
rollback to CLI workspace migration: check destination is empty, track
moved files, and reverse on failure.
 2026-04-02 09:37:43 -07:00
Tristan Michael 68f1bff93b fix: prevent path traversal, enable CSP, and harden URL domain extraction 
Validate that resolved list paths stay within the workspace root to prevent
directory traversal via malicious list names. Enable Content Security Policy
in Tauri config instead of leaving it null. Fix CLI domain extraction to
strip userinfo (user:pass@) from URLs before using as keyring service name.
 2026-04-02 09:35:38 -07:00
Tristan Michael 27363c8424 rename onyx-cli crate (formerly bevy-tasks-cli) 2026-03-31 09:47:02 -07:00