worldmonitor

eliott/worldmonitor

Fork 0

mirror of https://github.com/koala73/worldmonitor.git synced 2026-04-25 17:14:57 +02:00

Commit Graph

Author	SHA1	Message	Date
Elie Habib	408d5d3374	security: harden IPC, gate DevTools, isolate external windows, exempt /api/version (#348 ) * security: harden IPC commands, gate DevTools, and isolate external windows - Remove devtools from default Tauri features; gate behind opt-in Cargo feature so production builds never expose DevTools - Add IPC origin validation (require_trusted_window) to 9 sensitive commands: get_secret, get_all_secrets, set_secret, delete_secret, get_local_api_token, read/write/delete_cache_entry, fetch_polymarket - Isolate youtube-login window into restricted capability (core:window only) — prevents external-origin webview from invoking app commands - Add 5-minute TTL to cached sidecar auth token in fetch patch closure - Document renderer trust boundary threat model in runtime.ts * docs: add contributors, security acknowledgments, and desktop security policy - Add Contributors section to README with all 16 GitHub contributors - Add Security Acknowledgments crediting Cody Richard for 3 disclosures - Update SECURITY.md with desktop runtime security model (Tauri IPC origin validation, DevTools gating, sidecar auth, capability isolation, fetch patch trust boundary) - Add Tauri-specific items to security report scope - Correct API key storage description to cover both web and desktop * fix: exempt /api/version from bot-blocking middleware The desktop update check and sidecar requests were getting 403'd by the middleware's bot UA filter (curl/) and short UA check.	2026-02-25 06:14:16 +00:00
Sebastien Melki	3e935e3541	docs: add community guidelines (contributing, code of conduct, security) (#226 ) * docs: add community guidelines — contributing guide, code of conduct, and security policy Add three community health files for the open-source project: - CONTRIBUTING.md: comprehensive guide covering architecture overview (sebuf, variants, directory structure), development setup with make commands, AI-assisted development policy, sebuf RPC workflow, data source and RSS feed contribution guides, coding standards, and PR process - CODE_OF_CONDUCT.md: Contributor Covenant v2.1 adapted for World Monitor - SECURITY.md: responsible disclosure policy, security considerations for edge functions/sebuf handlers, and contributor best practices Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: add missing blank line before list in CONTRIBUTING.md (MD032) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * docs: expand AI section with LLM label attribution and rationale Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * docs: remove GitHub link from AI section Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * docs: simplify AI section back to concise version with PR labels Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-22 16:26:13 +02:00

Author

SHA1

Message

Date

Elie Habib

408d5d3374

security: harden IPC, gate DevTools, isolate external windows, exempt /api/version (#348 )

* security: harden IPC commands, gate DevTools, and isolate external windows

- Remove devtools from default Tauri features; gate behind opt-in
  Cargo feature so production builds never expose DevTools
- Add IPC origin validation (require_trusted_window) to 9 sensitive
  commands: get_secret, get_all_secrets, set_secret, delete_secret,
  get_local_api_token, read/write/delete_cache_entry, fetch_polymarket
- Isolate youtube-login window into restricted capability (core:window
  only) — prevents external-origin webview from invoking app commands
- Add 5-minute TTL to cached sidecar auth token in fetch patch closure
- Document renderer trust boundary threat model in runtime.ts

* docs: add contributors, security acknowledgments, and desktop security policy

- Add Contributors section to README with all 16 GitHub contributors
- Add Security Acknowledgments crediting Cody Richard for 3 disclosures
- Update SECURITY.md with desktop runtime security model (Tauri IPC
  origin validation, DevTools gating, sidecar auth, capability isolation,
  fetch patch trust boundary)
- Add Tauri-specific items to security report scope
- Correct API key storage description to cover both web and desktop

* fix: exempt /api/version from bot-blocking middleware

The desktop update check and sidecar requests were getting 403'd by the
middleware's bot UA filter (curl/) and short UA check.

2026-02-25 06:14:16 +00:00

Sebastien Melki

3e935e3541

docs: add community guidelines (contributing, code of conduct, security) (#226 )

* docs: add community guidelines — contributing guide, code of conduct, and security policy

Add three community health files for the open-source project:

- CONTRIBUTING.md: comprehensive guide covering architecture overview (sebuf,
  variants, directory structure), development setup with make commands,
  AI-assisted development policy, sebuf RPC workflow, data source and RSS
  feed contribution guides, coding standards, and PR process
- CODE_OF_CONDUCT.md: Contributor Covenant v2.1 adapted for World Monitor
- SECURITY.md: responsible disclosure policy, security considerations for
  edge functions/sebuf handlers, and contributor best practices

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add missing blank line before list in CONTRIBUTING.md (MD032)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: expand AI section with LLM label attribution and rationale

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: remove GitHub link from AI section

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: simplify AI section back to concise version with PR labels

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-22 16:26:13 +02:00

2 Commits