Introduce a new Google Tasks workspace mode that performs a one-way,
read-only pull from the Google Tasks API into the local
FileSystemStorage format. This adds a Google Tasks client (token
refresh, paginated list fetching, stable UUID v5 mapping), desktop
PKCE+loopback OAuth flow (Android stub), credential storage, workspace
creation and sync commands, UI flows for sign-in/creation, and guards to
disable write operations for Google Tasks workspaces. Changes also
include Cargo dependency updates and exports to wire the new module into
the app.
Hide editing UI for Google Tasks workspaces
Make Google Tasks workspaces read-only by hiding editing controls and
the FAB when app.isGoogleTasks is true. This prevents rename,
delete-completed, and new-task actions in read-only Google Tasks
workspaces and adjusts menu options (Rename removed, Group by due date
and Show subtasks remain with proper toggles). The change clarifies the
UX for Google Tasks by disabling interaction where appropriate and
conditionally showing the FAB only for editable workspaces.
Add Google Tasks workspace (read-only)
Introduce Google Tasks as a third workspace mode to allow one-way,
read-only sync from the Google Tasks API into local FileSystemStorage.
This includes a new WorkspaceMode::GoogleTasks, workspace google_account
metadata, a GoogleTasks client and sync logic (with stable UUID v5 task
IDs), OAuth PKCE+loopback flow for desktop (Android uses a
credential-manager stub), UI changes to mark Google Tasks workspaces as
read-only and disable write operations, and commands to create and sync
Google Tasks workspaces. Dependency updates add sha2/sha1_smol/reqwest
for OAuth and API calls.
when I go to create a google tasks workspace, I see the content associated with creating a webdav workspace as part of the interface
- SetupScreen.svelte: fixed template structure where WebDAV branches lacked mode === "webdav" guards, causing them to render when mode === "googletasks"; folded Google Tasks steps into the main if/else chain and removed the separate Google Tasks {#if} block that was appending below the WebDAV content
- Enforce HTTPS for WebDAV URLs (reject http:// to prevent plaintext credentials)
- Replace String with Zeroizing<String> for credential fields and load_credentials return
- Remove manual Drop impl (Zeroizing handles zeroize-on-drop automatically)
- Scope keyring password entries by domain+username to prevent collisions
- Add migration fallback for legacy unscoped keyring entries
- Sanitize error messages to not leak keyring service patterns or env var names
- Add log warnings when falling back to env var credentials
- Add log dependency to onyx-core
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Back up local files before overwriting during ConflictRemoteWins so data
is never silently lost. Fix false-positive change detection by parsing
timestamps before comparing (different formats like RFC3339 vs HTTP date
were never equal as strings). Add zeroize crate to zero WebDAV credentials
in memory on drop, preventing exposure in core dumps.
Make keyring optional behind keyring-storage feature in onyx-core.
Make notify/notify-debouncer-mini optional behind desktop feature in Tauri.
Gate all file watcher code behind #[cfg(not(target_os = "android"))].
Provide env-var-only credential fallbacks when keyring is disabled.
Tristan Michael