…ndows
- Remove devtools from default Tauri features; gate behind opt-in Cargo feature so production builds never expose DevTools
- Add IPC origin validation (require_trusted_window) to 9 sensitive commands: get_secret, get_all_secrets, set_secret, delete_secret, get_local_api_token, read/write/delete_cache_entry, fetch_polymarket
- Isolate youtube-login window into restricted capability (core:window only) — prevents external-origin webview from invoking app commands
- Add 5-minute TTL to cached sidecar auth token in fetch patch closure
- Document renderer trust boundary threat model in runtime.ts

…y policy
- Add Contributors section to README with all 16 GitHub contributors
- Add Security Acknowledgments crediting Cody Richard for 3 disclosures
- Update SECURITY.md with desktop runtime security model (Tauri IPC origin validation, DevTools gating, sidecar auth, capability isolation, fetch patch trust boundary)
- Add Tauri-specific items to security report scope
- Correct API key storage description to cover both web and desktop
The desktop update check and sidecar requests were getting 403'd by the middleware's bot UA filter (curl/) and short UA check.
andreteow pushed a commit to andreteow/worldmonitor-a47 that referenced this pull request Feb 25, 2026
… /api/version (koala73#348)

* security: harden IPC commands, gate DevTools, and isolate external windows

- Remove devtools from default Tauri features; gate behind opt-in Cargo feature so production builds never expose DevTools
- Add IPC origin validation (require_trusted_window) to 9 sensitive commands: get_secret, get_all_secrets, set_secret, delete_secret, get_local_api_token, read/write/delete_cache_entry, fetch_polymarket
- Isolate youtube-login window into restricted capability (core:window only) — prevents external-origin webview from invoking app commands
- Add 5-minute TTL to cached sidecar auth token in fetch patch closure
- Document renderer trust boundary threat model in runtime.ts

* docs: add contributors, security acknowledgments, and desktop security policy

- Add Contributors section to README with all 16 GitHub contributors
- Add Security Acknowledgments crediting Cody Richard for 3 disclosures
- Update SECURITY.md with desktop runtime security model (Tauri IPC origin validation, DevTools gating, sidecar auth, capability isolation, fetch patch trust boundary)
- Add Tauri-specific items to security report scope
- Correct API key storage description to cover both web and desktop

* fix: exempt /api/version from bot-blocking middleware

The desktop update check and sidecar requests were getting 403'd by the middleware's bot UA filter (curl/) and short UA check.
Summary
- get_secret, set_secret, get_local_api_token, read_cache_entry, write_cache_entry, fetch_polymarket) now validate the calling window label against a TRUSTED_WINDOWS allowlist. The YouTube login window (external-origin) is blocked from secret/cache/token IPC.
- tauri/devtools moved from default dependency to opt-in devtools feature. Production builds have no DevTools menu item or keyboard shortcut. desktop:dev script passes -f devtools automatically.
- youtube-login.json capability file with only core:window:default — no access to secret, cache, or token commands.
- LOCAL_API_TOKEN cached in the fetch closure now has a 5-minute TTL and re-fetches on expiry, limiting exposure window.
- /api/version: Desktop update checker and sidecar hit /api/version with non-browser UAs (caught by curl/ regex and short-UA check). Added PUBLIC_API_PATHS allowlist to bypass bot filtering on public endpoints.

Test plan
- npm run desktop:dev — DevTools available via Help menu (Cmd+Alt+I)
- desktop:build:full) — no DevTools menu item, Cmd+Alt+I does nothing
- get_secret/get_local_api_token via console
- curl https://worldmonitor.app/api/version returns 200 (not 403)
- tsc --noEmit passes
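
The /api/version exemption from the summary, sketched as an added example that is not code from this pull request or the project: a bot-filter decision that skips the UA checks only for exact public paths. PUBLIC_API_PATHS, /api/version and the 403 come from the description above; the UA pattern beyond curl/, the length threshold, the function names and the sample requests are assumptions.

```javascript
// Added example: bot-filter decision with a public-path exemption.
// The UA pattern, MIN_UA_LENGTH and the function names are assumptions.
const PUBLIC_API_PATHS = new Set(["/api/version"]);
const BOT_UA = /bot|crawl|spider|curl\//i; // assumed; the page names only "curl/"
const MIN_UA_LENGTH = 10;                  // assumed short-UA threshold

// Decide on the parsed pathname only, so a query string or fragment cannot
// influence the exemption. Relative URLs are resolved against a dummy base.
function pathOf(rawUrl) {
  return new URL(rawUrl, "http://placeholder.invalid").pathname;
}

function filterRequest(rawUrl, userAgent) {
  const path = pathOf(rawUrl);
  // Exact match: "/api/versions" and "/api/version/extra" are NOT exempt.
  if (PUBLIC_API_PATHS.has(path)) {
    return { allowed: true, reason: "public-path" };
  }
  const ua = (userAgent || "").trim();
  if (ua.length < MIN_UA_LENGTH) {
    return { allowed: false, status: 403, reason: "short-ua" };
  }
  if (BOT_UA.test(ua)) {
    return { allowed: false, status: 403, reason: "bot-ua" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample requests (not taken from real logs).
const SAMPLE_REQUESTS = [
  ["/api/version", "curl/8.4.0"],
  ["/api/version?from=desktop", ""],
  ["/api/versions", "curl/8.4.0"],
  ["/api/version/extra", "x"],
  ["/api/feed", "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/121.0"],
];

function runSamples() {
  return SAMPLE_REQUESTS.map(([url, ua]) => `${url} -> ${filterRequest(url, ua).reason}`);
}
```

Keeping the exemption an exact-match set rather than a prefix test means a path that merely starts with /api/version still goes through the UA checks.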
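
The 5-minute TTL on the token cached in the fetch closure, as an added example that is not code from this pull request or the project: a cache that re-fetches on expiry, shares one in-flight lookup and does not keep a failed lookup. The function names, the injectable clock, the Authorization: Bearer scheme and the origin check are assumptions.

```javascript
// Added example: TTL-bound token cache for a patched fetch (names are hypothetical).
const TOKEN_TTL_MS = 5 * 60 * 1000; // 5-minute TTL, as stated in the PR description

// fetchToken: function returning the token or a promise for it (in the app this
// would be the IPC call behind get_local_api_token); now: injectable clock.
function createTokenCache(fetchToken, ttlMs = TOKEN_TTL_MS, now = Date.now) {
  let cached = null; // Promise<string>, shared so concurrent callers trigger one fetch
  let fetchedAt = 0;

  function getToken() {
    if (cached === null || now() - fetchedAt >= ttlMs) {
      fetchedAt = now();
      // The executor runs synchronously; a throw in fetchToken becomes a rejection.
      const attempt = new Promise((resolve) => resolve(fetchToken()));
      // Do not keep a failed lookup cached for the whole TTL.
      attempt.catch(() => { if (cached === attempt) cached = null; });
      cached = attempt;
    }
    return cached;
  }

  return { getToken, invalidate() { cached = null; } };
}

// Wrap a fetch implementation so the token is attached only to sidecar requests.
// Assumes absolute URLs and plain-object headers.
function createAuthedFetch(baseFetch, cache, sidecarOrigin) {
  return async function authedFetch(url, init = {}) {
    if (new URL(url).origin !== sidecarOrigin) return baseFetch(url, init);
    const token = await cache.getToken();
    const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
    return baseFetch(url, { ...init, headers });
  };
}

// Constructed run with a fake clock: returns how many times the token was fetched.
function demoFetchCount(readTimesMs) {
  let clock = 0;
  let calls = 0;
  const cache = createTokenCache(() => `token-${++calls}`, TOKEN_TTL_MS, () => clock);
  for (const t of readTimesMs) { clock = t; cache.getToken(); }
  return calls;
}
```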