Apps#785
Open
Hadamcik wants to merge 442 commits into
…e`, streamline bindings:
- Removed unused `emit_route_request` function and `emit_route` parameter in `focus_runtime`.
- Updated `focus_runtime` calls across modules to match the new signature.
- Reorganized bindings: moved `appsClearRuntimeBrowsingData` and `appsCreateInlineRuntime` functions for consistency.

- Deleted `activeBatchCount`, `activeSocketCount`, and `inFlightRequestCount` fields from runtime data structures and related computations.
- Updated `build.mjs` to include type checking for system apps with `pnpm exec tsc`.

- Introduced a new `state` module to encapsulate runtime state handling (`read.rs`, `write.rs`, `remove.rs`, `types.rs`).
- Migrated runtime record operations (`get_runtime_record_by_app_id`, `write_runtime_record`, `list_runtimes`) from `records.rs` to `state` module.
- Replaced `by_runtime_id` and `runtime_by_app_id` implementations with `AppRuntimeState` for a unified runtime state structure.
- Refactored imports and references across modules to align with the new `state` structure.
…dularity and simplification.
- Introduced `write_pending_stop_ready` and `remove_pending_stop_ready` functions for handling pending stop acknowledgments.
- Integrated `pending_stop_ready` management into `wait_for_before_stop_ack` to streamline state updates.
- Moved `should_use_incognito` logic into `start.rs` and removed duplication in `resolve.rs`.

- Added `commands.rs` to manage bridge-related Tauri commands (`apps_invoke_bridge`, `apps_invoke_system_bridge`, `apps_resolve_bridge_approval`, `get_user_capability_definitions`).
- Created `invoke.rs` to centralize bridge invocation logic.
- Added event emitters (`emit_approval_requested`, `emit_bridge_response_to_source`, etc.) in `events.rs` for streamlined bridge interactions.
- Replaced `failure` and `success` utilities with `RustBridgeResponse` for consistent error handling.
- Updated module imports and references across bridge-related components to align with the new structure.

- Moved bridge event emitters (`emit_*`) to new `bridge::comms` modules (`app::events` and `sage::events`) for improved modularity.
- Introduced `EventForApp` enum to unify capability and network whitelist change events.
- Refactored runtime state helpers (`get_runtime_*`) to use new `find_runtime_*` equivalents for better readability.
- Consolidated `emit_granted_*` calls under `emit_bridge_event_to_app_id` for consistency.
- Added `runtime::locator` module to centralize runtime webview handling utilities.

- Replaced inline logic in runtime management functions with centralized utilities in `webview_locator`.
- Updated `find_*` and `get_*` window/webview calls for better readability and error handling.
- Modified runtime state updates to streamline `write_runtime` and ensure `runtimes_changed` events are emitted consistently.
- Removed redundant logic in `start.rs`, `stop.rs`, and `manager.rs` by leveraging new locator utilities.
- Adjusted imports and transitioned `locator` module to `webview_locator` for clarity.
…runtime modules and add delayed `setAttaching` logic in `useAppEmbeddedRuntime`.
- Renamed `invoke` to `process` for clarity and moved it to `bridge_request.rs` under `comms::app`.
- Updated `commands.rs` to use `process` for bridge command handling.
- Removed redundant `invoke.rs` and updated module imports accordingly.

- Removed `comms::sage` module and merged `emit_approval_requested` into `bridge_request`.
- Reorganized event emitters under new `bridge::event_emit` module for modularity.
- Updated `resolve_app` to accept `AppHandle` and refactored its calls for consistency.
- Simplified base path resolution by eliminating redundant `app_data_dir` usage.
- Renamed variables for clarity across bridge and runtime modules.
…e response emit logic.
- Replace `BridgeRegistryKind` with `app-specific registry` and update related logic.
- Simplify runtime state handlers: remove redundant result propagation.
- Add `get_pending_approval` helper for managing bridge approvals.
- Consolidate `response_channel` utilities for better readability and modularity.

- Relocate and rename `app_comms::bridge_request` to `bridge::bridge_request` for improved clarity.
- Introduce `write_pending_approval` helper to streamline pending approval management.
- Replace `authorize_*` functions with `verify_*` for better naming consistency.
- Remove unused `app_comms` module and update imports across bridge modules accordingly.

- Add `BridgeState` with `pending_approvals` field protected by `Mutex`.
- Move `BridgeState` definition from `types.rs` to `state.rs` for better module separation.
- Update imports across bridge modules to reflect the new location.

- Extract installation commands to a dedicated `commands.rs` file for improved organization.
- Introduce `ZipInstallSource` and `UrlInstallSource` to encapsulate source-specific installation logic.
- Refactor `install_app_zip` and `install_app_url` to use `install_app_from_source` for reduced duplication.
- Relocate reusable functions to dedicated modules for better modularity.
- Streamline permission normalization and validation across install commands.

…nstallSource`:
- Introduced comprehensive unit tests for `UrlInstallSource` and `ZipInstallSource` methods.
- Added storage resolution support with `InstallStorageResolver`.
- Refactored shared installation logic into `install_app_from_source_with_storage`.
- Improved lifecycle handling for retired app origins and cleanup management.

…sts:
- Moved `slugify_name` implementation to `utils.rs` as `slugify_app_name`.
- Replaced duplication in `UrlInstallSource` and `ZipInstallSource` with shared `slugify_app_name` utility.
- Simplified retired app tests by introducing `fake_retired_app_origins` helper for reusability.

- Extract update-related commands into a new `commands.rs` file for better organization.
- Separate types and utilities into dedicated `types.rs` and `utils.rs` modules.
- Simplify `uninstall.rs` and update imports to leverage the new structure.

- Removed redundant `types`, `registry.rs`, and `update/utils.rs` files.
- Merged `types` and lifecycle-related functions into `lifecycle/registry/mod.rs` for improved modularity.
- Simplified lifecycle path utilities and removed unused test cases.

- Standardized `BridgeMethod` error handling by introducing `BridgeMethodHandleError`.
- Replaced repetitive parameter parsing logic with `parse_required_params`.
- Simplified runtime methods (`listRuntimes`, `killRuntime`, etc.) to use unified error-handling and result serialization.
- Removed redundant `RustBridgeResponse` and `parse_runtime_target_params` usage.
- Modularized `BridgeRegistry` initialization with helper `insert_method`.

- Replace `Option<RustBridgeApprovalRequest>` with `BridgeApprovalRequestResult` for improved error handling.
- Update bridge methods (`killRuntime`, `hideRuntime`, etc.) to use new approval result type.
- Add `normalize_network_permission_target` for cleaner target normalization in network grant requests.
- Standardize `approval_request` logic across bridge modules.

- Deleted `normalize/capabilities.rs` and `normalize/network.rs` as they were unused.
- Relocated and modularized capability definitions to `capabilities/definitions.rs`.
- Simplified permission normalization by removing unnecessary indirection.

- Extract `normalize_requested_permissions` to a new `normalization.rs` module for better structure.
- Refactor `normalize_and_validate_*` functions to separate concerns and improve readability.
- Remove redundant logic from `validation.rs` and consolidate permission workflows.

…effective_granted_capabilities` and modularize implementation
- Replaced calls to `resolve_effective_granted_capabilities` with `get_effective_granted_capabilities` across multiple modules for improved clarity.
- Moved `get_effective_granted_capabilities` implementation to `capabilities/mod.rs` for better modularization and reuse.
- Removed redundant `resolve_effective_granted_capabilities` function and updated relevant imports and references.

…dularize flags logic
- Renamed `SageAppCapabilityFlags` to `SageAppFlags` for better naming consistency.
- Replaced `resolve_capability_flags` with `get_app_flags` across the codebase.
- Moved flags-related logic to a new `flags.rs` module for improved modularity.
- Updated relevant imports, tests, and references to match the new implementation structure.
- Removed the now redundant `resolve_capability_flags` from the permissions module.
…er clarity and organization.
…zation logic
- Replaced `normalize_granted_capabilities` and `validate_granted_capabilities` with `normalize_and_validate_granted_capabilities` for clarity.
- Replaced `get_effective_granted_capabilities` with `get_and_validate_effective_granted_capabilities` to integrate validation.
- Simplified capabilities logic by consolidating workflows across modules.
- Updated imports, tests, and references to align with the new structure.

- Added new built-in runtime app `origin-cleanup` with associated assets (`app.js`, `index.html`, `sage-manifest.json`).
- Implemented logic to clear `localStorage`, `sessionStorage`, cookies, caches, and IndexedDB.
- Updated runtime handling to support the `origin-cleanup` app, including bridge payload ingestion.
- Refactored build scripts to process `origin-cleanup` under runtime apps.

…handling:
- Introduced unit tests for validating abandoned unmanaged storage cleanup logic.
- Added a delay to background tasks for startup stability and improved logging for cleanup workflows.
- Enhanced `AppBuildError` to support detailed manifest failure messages.
…ons in `PermissionsReviewBody`.
…w` UI
- Replaced scheme buttons with a primary checkbox for streamlined permission toggling.
- Updated logic to determine `primaryScheme` and handle editable/disabled states.
- Simplified UI structure by consolidating visible scheme rendering.

- Added `resolveBackgroundTintWithAlpha` for dynamic background rendering with blur effect.
- Adjusted popover position and CSS for improved layout and visibility.

- Introduced `requireScrollEnd` and `onScrollEndChange` props in `AppModalShell`.
- Disabled confirmation buttons until permissions are viewed.
- Added visual indicator prompting users to scroll to view all permissions before proceeding.

- Restart app runtime if persistent storage permissions are modified.
- Introduced `network_change_affects_current_network` helper for network-related permission handling.
- Refined logic to reload app runtime only for relevant network changes.
…Db` and `AppStorage` modules
…s for zip extraction and capability requests.
…by_app` methods
- Covered edge cases for zip extraction, including path validation, file size limits, and absolute paths.
- Added tests for capability request validation to ensure correct behavior for allowed and disallowed capabilities.

- Deleted `wallet.getKeys` functionality, along with its capability definitions, routes, and support in bindings.
- Updated documentation to reflect the removal of `wallet.getKeys`.
- Introduced `require_scoped_fingerprint` validation for `wallet.getKey` and `wallet.getSecretKey` methods.

…eferences
- Deleted `apps_get_user_capability_definitions` functionality from the codebase, along with its capability definition, commands, and imports.
…-based settings handling.
- Implemented `environment.getNetwork` method for fetching active network details.
- Added corresponding capability definition `EnvironmentGetNetwork` to enable access control.
- Updated bindings, capability list, and documentation to reflect the new method and capability.
… for hostname rules.
…ip_snapshot`.
- Added `validate_package_has_no_undeclared_files` to ensure all files in a package are declared in the manifest.
- Introduced stricter checks in snapshot preparation to reject undeclared or invalid files.
- Enhanced unit tests to cover file validation scenarios.
- Added download size checks with `download_bytes_with_limit` and exact size validation with `download_exact_bytes`.

…dules
- Added stricter file validation in `prepare_zip_snapshot` to reject undeclared, nested, or invalid files.
- Refactored response size and hash validation into reusable functions (`ensure_within_max_response_size`, `ensure_expected_size`, `ensure_expected_hash`).
- Enhanced unit test coverage for file declarations, size limits, and hash mismatches.

…ermissions
- Added unit tests to ensure sensitive secret access and external network access cannot coexist in permissions.
- Refactored `sample_app` to accommodate modular requested permissions handling.
- Introduced `sample_requested_permissions` and `sample_app_with_requested_permissions` helper functions.
- Added network whitelist tests for required and optional network cases with sensitive capabilities.
- Improved error reporting for invalid permission combinations.

- Added tests to verify rejection of external access permissions when origin storage may contain secrets.
- Introduced test coverage for pending update decisions involving network-specific entries.

- Introduced `MAX_REMOTE_ICON_BYTES` to define size limit for remote app icons (1 MB).
- Added `read_remote_icon_bytes` function to handle remote icon downloads with size checks.
- Implemented `ensure_remote_icon_size` to validate icon size during download.
- Enhanced error handling for size overflows and download failures.
- Added unit tests to verify size limit enforcement.

- Introduced tests to ensure `connect-src` respects active network-specific whitelists.
- Verified shared and network-specific entries are correctly applied within CSP generation.
- Added helper functions for test setup, including managing requested and granted permissions.

…y checks
- Added tests for `resolve_file_path` behavior with default, root, and nested paths.
- Validated rejection of traversal components and escaping symlinks.
- Ensured robust handling of file paths within snapshot boundaries.
…ction and add unit tests for validation and security checks
Reviewer map

sage-apps crate

Sage Apps is built around one core rule: backend owns state and authority. The frontend is only a presentation layer and is not trusted to decide permissions, app identity, runtime state, wallet scope, approval results, install/update validity, or storage/origin ownership.

Most sensitive behavior is intentionally funneled through a small exported surface from crates/sage-apps/src/lib.rs, so lib.rs is the best first review file.

crates/sage-apps/src/lib.rs

The crate exports the following authority entry points:

Where to go from lib.rs

lib.rs is the map of the crate boundary. From each export group, follow these review paths.

1. Bridge protocol: how apps interact with Sage

From:

Review:
- crates/sage-apps/src/bridge/commands.rs
- crates/sage-apps/src/bridge/registry.rs
- crates/sage-apps/src/bridge/methods/shared.rs
- crates/sage-apps/src/bridge/methods/user/**
- crates/sage-apps/src/bridge/methods/system/**
- crates/sage-apps/src/security/**

Important things to verify:
- `requestable_by_app`

2. App isolation model: what apps are allowed to be

Review:
- crates/sage-apps/src/types/app/common.rs
- crates/sage-apps/src/types/app/wallet_scope.rs
- crates/sage-apps/src/types/invariants/permission.rs
- crates/sage-apps/src/types/permissions/**
- crates/sage-apps/src/capabilities/definitions.rs
- crates/sage-apps/src/capabilities/types.rs
- crates/sage-apps/src/db/**

Important things to verify:
- `user_grantable`
- `requestable_by_app`
- `shared_with_app`

3. Install/update/permission mutation: what changes app authority

Review:
- crates/sage-apps/src/lifecycle/package.rs
- crates/sage-apps/src/lifecycle/install/**
- crates/sage-apps/src/lifecycle/update/**
- crates/sage-apps/src/lifecycle/mutation/**
- crates/sage-apps/src/bridge/methods/system/app_install/**
- crates/sage-apps/src/bridge/methods/system/app_update/**
- crates/sage-apps/src/bridge/methods/system/app_permissions/**

Important things to verify:

4. Runtime lifecycle: how durable app state becomes webviews

From:

Review:
- crates/sage-apps/src/runtime/state/**
- crates/sage-apps/src/runtime/start.rs
- crates/sage-apps/src/runtime/stop.rs
- crates/sage-apps/src/runtime/resolve.rs
- crates/sage-apps/src/runtime/webview.rs
- crates/sage-apps/src/runtime/commands.rs

Important things to verify:

5. Storage/origin rotation and cleanup

From:

Review:
- crates/sage-apps/src/types/storage/**
- crates/sage-apps/src/db/storage.rs
- crates/sage-apps/src/lifecycle/clear_data/**
- crates/sage-apps/src/lifecycle/storage_cleanup/**
- crates/sage-apps/src/lifecycle/update/permissions.rs

Important things to verify:

6. Sandbox validation

From:

Review:
- crates/sage-apps/src/sandbox/**
- builtin-apps/src/sandbox-test/**

Important things to verify:

7. Secondary/supporting exports

From:

Review later:
- crates/sage-apps/src/settings.rs
- crates/sage-apps/src/bridge/ts_exports.rs
- crates/sage-apps/src/build/docs.rs