Apps#785
Open
Hadamcik wants to merge 450 commits into
- Replaced inline logic in runtime management functions with centralized utilities in `webview_locator`.
- Updated `find_*` and `get_*` window/webview calls for better readability and error handling.
- Modified runtime state updates to streamline `write_runtime` and ensure `runtimes_changed` events are emitted consistently.
- Removed redundant logic in `start.rs`, `stop.rs`, and `manager.rs` by leveraging new locator utilities.
- Adjusted imports and transitioned `locator` module to `webview_locator` for clarity.
…runtime modules and add delayed `setAttaching` logic in `useAppEmbeddedRuntime`.
- Renamed `invoke` to `process` for clarity and moved it to `bridge_request.rs` under `comms::app`.
- Updated `commands.rs` to use `process` for bridge command handling.
- Removed redundant `invoke.rs` and updated module imports accordingly.

- Removed `comms::sage` module and merged `emit_approval_requested` into `bridge_request`.
- Reorganized event emitters under new `bridge::event_emit` module for modularity.
- Updated `resolve_app` to accept `AppHandle` and refactored its calls for consistency.
- Simplified base path resolution by eliminating redundant `app_data_dir` usage.
- Renamed variables for clarity across bridge and runtime modules.
…e response emit logic.
- Replace `BridgeRegistryKind` with `app-specific registry` and update related logic.
- Simplify runtime state handlers: remove redundant result propagation.
- Add `get_pending_approval` helper for managing bridge approvals.
- Consolidate `response_channel` utilities for better readability and modularity.

- Relocate and rename `app_comms::bridge_request` to `bridge::bridge_request` for improved clarity.
- Introduce `write_pending_approval` helper to streamline pending approval management.
- Replace `authorize_*` functions with `verify_*` for better naming consistency.
- Remove unused `app_comms` module and update imports across bridge modules accordingly.

- Add `BridgeState` with `pending_approvals` field protected by `Mutex`.
- Move `BridgeState` definition from `types.rs` to `state.rs` for better module separation.
- Update imports across bridge modules to reflect the new location.

- Extract installation commands to a dedicated `commands.rs` file for improved organization.
- Introduce `ZipInstallSource` and `UrlInstallSource` to encapsulate source-specific installation logic.
- Refactor `install_app_zip` and `install_app_url` to use `install_app_from_source` for reduced duplication.
- Relocate reusable functions to dedicated modules for better modularity.
- Streamline permission normalization and validation across install commands.

…nstallSource`:
- Introduced comprehensive unit tests for `UrlInstallSource` and `ZipInstallSource` methods.
- Added storage resolution support with `InstallStorageResolver`.
- Refactored shared installation logic into `install_app_from_source_with_storage`.
- Improved lifecycle handling for retired app origins and cleanup management.

…sts:
- Moved `slugify_name` implementation to `utils.rs` as `slugify_app_name`.
- Replaced duplication in `UrlInstallSource` and `ZipInstallSource` with shared `slugify_app_name` utility.
- Simplified retired app tests by introducing `fake_retired_app_origins` helper for reusability.

- Extract update-related commands into a new `commands.rs` file for better organization.
- Separate types and utilities into dedicated `types.rs` and `utils.rs` modules.
- Simplify `uninstall.rs` and update imports to leverage the new structure.

- Removed redundant `types`, `registry.rs`, and `update/utils.rs` files.
- Merged `types` and lifecycle-related functions into `lifecycle/registry/mod.rs` for improved modularity.
- Simplified lifecycle path utilities and removed unused test cases.

- Standardized `BridgeMethod` error handling by introducing `BridgeMethodHandleError`.
- Replaced repetitive parameter parsing logic with `parse_required_params`.
- Simplified runtime methods (`listRuntimes`, `killRuntime`, etc.) to use unified error handling and result serialization.
- Removed redundant `RustBridgeResponse` and `parse_runtime_target_params` usage.
- Modularized `BridgeRegistry` initialization with helper `insert_method`.

- Replace `Option<RustBridgeApprovalRequest>` with `BridgeApprovalRequestResult` for improved error handling.
- Update bridge methods (`killRuntime`, `hideRuntime`, etc.) to use new approval result type.
- Add `normalize_network_permission_target` for cleaner target normalization in network grant requests.
- Standardize `approval_request` logic across bridge modules.

- Deleted `normalize/capabilities.rs` and `normalize/network.rs` as they were unused.
- Relocated and modularized capability definitions to `capabilities/definitions.rs`.
- Simplified permission normalization by removing unnecessary indirection.

- Extract `normalize_requested_permissions` to a new `normalization.rs` module for better structure.
- Refactor `normalize_and_validate_*` functions to separate concerns and improve readability.
- Remove redundant logic from `validation.rs` and consolidate permission workflows.

…effective_granted_capabilities` and modularize implementation
- Replaced calls to `resolve_effective_granted_capabilities` with `get_effective_granted_capabilities` across multiple modules for improved clarity.
- Moved `get_effective_granted_capabilities` implementation to `capabilities/mod.rs` for better modularization and reuse.
- Removed redundant `resolve_effective_granted_capabilities` function and updated relevant imports and references.

…dularize flags logic
- Renamed `SageAppCapabilityFlags` to `SageAppFlags` for better naming consistency.
- Replaced `resolve_capability_flags` with `get_app_flags` across the codebase.
- Moved flags-related logic to a new `flags.rs` module for improved modularity.
- Updated relevant imports, tests, and references to match the new implementation structure.
- Removed the now redundant `resolve_capability_flags` from the permissions module.
…er clarity and organization.
…zation logic
- Replaced `normalize_granted_capabilities` and `validate_granted_capabilities` with `normalize_and_validate_granted_capabilities` for clarity.
- Replaced `get_effective_granted_capabilities` with `get_and_validate_effective_granted_capabilities` to integrate validation.
- Simplified capabilities logic by consolidating workflows across modules.
- Updated imports, tests, and references to align with the new structure.

…ith `resolve_effective_granted_capabilities` and modularize capabilities logic
- Replaced `get_and_validate_effective_granted_capabilities` with `resolve_effective_granted_capabilities` across the codebase for naming consistency.
- Introduced `requested_user_grantable_capabilities` for cleaner user-grantable capabilities handling.
- Standardized visibility and modularized capabilities logic in `capabilities/mod.rs` and `definitions.rs`.
- Updated imports, tests, and references to align with the updated structure.

- Changed `CapabilityFlags` visibility from `pub` to `pub(crate)` for internal use.
- Removed redundant `types` module re-export and updated direct imports.
- Simplified `capabilities/mod.rs` by consolidating and reorganizing imports.
- Removed unused `CapabilitySummary` struct to clean up codebase.

…rmalization
- Introduced `validate_granted_network` function in `validation.rs` for cleaner and reusable validation logic.
- Added `normalize_granted_network` function to streamline granted network entries normalization.
- Simplified `normalize_and_validate_granted_network` by separating normalization and validation concerns.
- Updated visibility and structure of `normalization` and `validation` modules for improved organization.

…tion
- Replaced `normalize_and_validate_granted_capabilities` with `normalize_and_validate_user_granted_capabilities` for naming clarity.
- Updated `resolve_effective_granted_capabilities` to `resolve_and_validate_effective_granted_capabilities` for improved modularity and consistency.
- Consolidated `capabilities` logic by integrating validation within normalization workflows.
- Added comprehensive test coverage in `validation.rs` and `tests.rs` for updated capability workflows.
- Simplified imports and visibility settings across modules to improve code organization.

- Eliminated `clear_storage_taint` parameter from permission handling functions.
- Removed associated logic from `update_app_permissions` and internal workflows.
- Deleted obsolete unit test `update_app_permissions_internal_can_clear_storage_taint_without_capabilities`.
- Simplified imports by removing `clear_storage_may_contain_secrets` usage.

…normalization
- Merged required and optional whitelist logic into a single `allowed` set in `validation.rs` for cleaner validation.
- Simplified `normalize_network_entries` by using functional constructs and removing manual sorting in `normalization.rs`.

- Deleted tests and helper functions that have overlapping coverage or were no longer relevant to streamlined validation workflows (`bridge`, `capabilities`, and `lifecycle` modules).
- Consolidated core testing logic into related modules for better organization and clarity.
- Updated imports and visibility settings across affected files.

- Deleted multiple normalization and validation functions in `capabilities` and `network` modules.
- Refactored to rely on simplified permission handling workflows.
- Updated associated imports, tests, and permissions logic for streamlined workflow integration.

- Restart app runtime if persistent storage permissions are modified.
- Introduced `network_change_affects_current_network` helper for network-related permission handling.
- Refined logic to reload app runtime only for relevant network changes.
…Db` and `AppStorage` modules
…s for zip extraction and capability requests.
…by_app` methods
- Covered edge cases for zip extraction, including path validation, file size limits, and absolute paths.
- Added tests for capability request validation to ensure correct behavior for allowed and disallowed capabilities.

- Deleted `wallet.getKeys` functionality, along with its capability definitions, routes, and support in bindings.
- Updated documentation to reflect the removal of `wallet.getKeys`.
- Introduced `require_scoped_fingerprint` validation for `wallet.getKey` and `wallet.getSecretKey` methods.

…eferences
- Deleted `apps_get_user_capability_definitions` functionality from the codebase, along with its capability definition, commands, and imports.
…-based settings handling.
- Implemented `environment.getNetwork` method for fetching active network details.
- Added corresponding capability definition `EnvironmentGetNetwork` to enable access control.
- Updated bindings, capability list, and documentation to reflect the new method and capability.
… for hostname rules.
…ip_snapshot`.
- Added `validate_package_has_no_undeclared_files` to ensure all files in a package are declared in the manifest.
- Introduced stricter checks in snapshot preparation to reject undeclared or invalid files.
- Enhanced unit tests to cover file validation scenarios.
- Added download size checks with `download_bytes_with_limit` and exact size validation with `download_exact_bytes`.

…dules
- Added stricter file validation in `prepare_zip_snapshot` to reject undeclared, nested, or invalid files.
- Refactored response size and hash validation into reusable functions (`ensure_within_max_response_size`, `ensure_expected_size`, `ensure_expected_hash`).
- Enhanced unit test coverage for file declarations, size limits, and hash mismatches.

…ermissions
- Added unit tests to ensure sensitive secret access and external network access cannot coexist in permissions.
- Refactored `sample_app` to accommodate modular requested permissions handling.
- Introduced `sample_requested_permissions` and `sample_app_with_requested_permissions` helper functions.
- Added network whitelist tests for required and optional network cases with sensitive capabilities.
- Improved error reporting for invalid permission combinations.

- Added tests to verify rejection of external access permissions when origin storage may contain secrets.
- Introduced test coverage for pending update decisions involving network-specific entries.

- Introduced `MAX_REMOTE_ICON_BYTES` to define size limit for remote app icons (1 MB).
- Added `read_remote_icon_bytes` function to handle remote icon downloads with size checks.
- Implemented `ensure_remote_icon_size` to validate icon size during download.
- Enhanced error handling for size overflows and download failures.
- Added unit tests to verify size limit enforcement.

- Introduced tests to ensure `connect-src` respects active network-specific whitelists.
- Verified shared and network-specific entries are correctly applied within CSP generation.
- Added helper functions for test setup, including managing requested and granted permissions.

…y checks
- Added tests for `resolve_file_path` behavior with default, root, and nested paths.
- Validated rejection of traversal components and escaping symlinks.
- Ensured robust handling of file paths within snapshot boundaries.
…ction and add unit tests for validation and security checks
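Several commits above concern keeping snapshot file access inside the extracted app directory: `resolve_file_path` must reject traversal components and symlinks that escape the snapshot root. The following is an added illustration of how such a two-stage check (lexical, then symlink-aware) can be written; it is not the project's code, and the `index.html` default, the function signatures and the `PathError` variant names are assumptions.

```rust
use std::fs;
use std::path::{Component, Path, PathBuf};

/// Reasons a requested snapshot path is refused (variant names are assumptions).
#[derive(Debug, PartialEq, Eq)]
pub enum PathError {
    Absolute,    // request started at a filesystem root or drive prefix
    Traversal,   // request contained a `..` component
    NotFound,    // target (or root) does not exist on disk
    EscapedRoot, // target exists but, after resolving symlinks, lies outside root
}

/// Lexical, filesystem-free step: map a requested path onto `root` component by
/// component, refusing anything that could lexically leave the snapshot.
/// An empty request resolves to `index.html` (assumed default entry point).
pub fn resolve_file_path(root: &Path, requested: &str) -> Result<PathBuf, PathError> {
    let mut out = root.to_path_buf();
    let mut depth = 0usize;
    for component in Path::new(requested).components() {
        match component {
            Component::RootDir | Component::Prefix(_) => return Err(PathError::Absolute),
            Component::ParentDir => return Err(PathError::Traversal),
            Component::CurDir => {}
            Component::Normal(segment) => { out.push(segment); depth += 1; }
        }
    }
    if depth == 0 {
        out.push("index.html");
    }
    Ok(out)
}

/// Filesystem step: canonicalize both sides (following symlinks) and confirm the
/// real target is still under the real root. A symlink placed inside the snapshot
/// that points elsewhere passes the lexical check but fails here.
pub fn ensure_within_root(root: &Path, candidate: &Path) -> Result<PathBuf, PathError> {
    let real_root = fs::canonicalize(root).map_err(|_| PathError::NotFound)?;
    let real_target = fs::canonicalize(candidate).map_err(|_| PathError::NotFound)?;
    if real_target.starts_with(&real_root) {
        Ok(real_target)
    } else {
        Err(PathError::EscapedRoot)
    }
}

/// Both checks in order: the cheap lexical check first, then the symlink-aware one.
pub fn resolve_snapshot_file(root: &Path, requested: &str) -> Result<PathBuf, PathError> {
    let candidate = resolve_file_path(root, requested)?;
    ensure_within_root(root, &candidate)
}
```

The lexical stage alone is not sufficient: a zip entry that is itself a symlink pointing outside the extraction directory would pass it, which is why the canonicalized prefix check runs on every resolved path.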
Reviewer map
`sage-apps` crate

Sage Apps is built around one core rule: backend owns state and authority. The frontend is only a presentation layer and is not trusted to decide permissions, app identity, runtime state, wallet scope, approval results, install/update validity, or storage/origin ownership.

Most sensitive behavior is intentionally funneled through a small exported surface from `crates/sage-apps/src/lib.rs`, so `lib.rs` is the best first review file.

The crate exports the following authority entry points:

Where to go from `lib.rs`

`lib.rs` is the map of the crate boundary. From each export group, follow these review paths.

1. Bridge protocol: how apps interact with Sage

From:

Review:
- `crates/sage-apps/src/bridge/commands.rs`
- `crates/sage-apps/src/bridge/registry.rs`
- `crates/sage-apps/src/bridge/methods/shared.rs`
- `crates/sage-apps/src/bridge/methods/user/**`
- `crates/sage-apps/src/bridge/methods/system/**`
- `crates/sage-apps/src/security/**`

Important things to verify:
- `requestable_by_app`

2. App isolation model: what apps are allowed to be

Review:
- `crates/sage-apps/src/types/app/common.rs`
- `crates/sage-apps/src/types/app/wallet_scope.rs`
- `crates/sage-apps/src/types/invariants/permission.rs`
- `crates/sage-apps/src/types/permissions/**`
- `crates/sage-apps/src/capabilities/definitions.rs`
- `crates/sage-apps/src/capabilities/types.rs`
- `crates/sage-apps/src/db/**`

Important things to verify:
- `user_grantable`
- `requestable_by_app`
- `shared_with_app`

3. Install/update/permission mutation: what changes app authority

Review:
- `crates/sage-apps/src/lifecycle/package.rs`
- `crates/sage-apps/src/lifecycle/install/**`
- `crates/sage-apps/src/lifecycle/update/**`
- `crates/sage-apps/src/lifecycle/mutation/**`
- `crates/sage-apps/src/bridge/methods/system/app_install/**`
- `crates/sage-apps/src/bridge/methods/system/app_update/**`
- `crates/sage-apps/src/bridge/methods/system/app_permissions/**`

Important things to verify:

4. Runtime lifecycle: how durable app state becomes webviews

From:

Review:
- `crates/sage-apps/src/runtime/state/**`
- `crates/sage-apps/src/runtime/start.rs`
- `crates/sage-apps/src/runtime/stop.rs`
- `crates/sage-apps/src/runtime/resolve.rs`
- `crates/sage-apps/src/runtime/webview.rs`
- `crates/sage-apps/src/runtime/commands.rs`

Important things to verify:

5. Storage/origin rotation and cleanup

From:

Review:
- `crates/sage-apps/src/types/storage/**`
- `crates/sage-apps/src/db/storage.rs`
- `crates/sage-apps/src/lifecycle/clear_data/**`
- `crates/sage-apps/src/lifecycle/storage_cleanup/**`
- `crates/sage-apps/src/lifecycle/update/permissions.rs`

Important things to verify:

6. Sandbox validation

From:

Review:
- `crates/sage-apps/src/sandbox/**`
- `builtin-apps/src/sandbox-test/**`

Important things to verify:

7. Secondary/supporting exports

From:

Review later:
- `crates/sage-apps/src/settings.rs`
- `crates/sage-apps/src/bridge/ts_exports.rs`
- `crates/sage-apps/src/build/docs.rs`