Security:
- Reaction signatures: ed25519 sign/verify (sign_reaction, verify_reaction_signature). Backward-compatible — unsigned reactions from old nodes still accepted
- Comment signature verification: verify_comment_signature now called on receipt
- Reaction removal authorization: only reactor or post author can remove
- BlobHeader author verification: lookup actual author from storage, don't trust payload

Lock contention (4 fixes):
- ManifestPush discovery: cm lock released before PostFetch I/O
- Pull request handler: load under lock, filter without lock, brief re-lock for is_deleted
- Pull sender: split into two brief locks (store posts, then batch upstream+sync)
- Engagement checker: batch all chunk results, single lock for writes

Data cleanup:
- Post deletion cleans post_downstream, post_upstream, seen_engagement tables
- Added TODO-hardening.md documenting remaining DOS/security/lock/data issues

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
38 lines
894 B
JSON
{
  "productName": "itsgoin",
  "version": "0.4.1",
  "identifier": "com.itsgoin.app",
  "build": {
    "frontendDist": "../../frontend",
    "beforeDevCommand": "",
    "beforeBuildCommand": ""
  },
  "app": {
    "withGlobalTauri": true,
    "windows": [
      {
        "title": "ItsGoin",
        "width": 800,
        "height": 700,
        "resizable": true
      }
    ],
    "security": {
      "csp": "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: http://asset.localhost; media-src 'self' blob:",
      "assetProtocol": {
        "enable": true,
        "scope": ["$APPDATA/**", "$HOME/.local/share/itsgoin/**"]
      }
    }
  },
  "bundle": {
    "active": true,
    "icon": [
      "icons/32x32.png",
      "icons/128x128.png",
      "icons/128x128@2x.png",
      "icons/icon.icns",
      "icons/icon.ico"
    ]
  }
}