clawdforge

History

Kayos 7e878e6f45 clients/swift: apply audit findings — multipart fix + token redaction (`e4e8192` → HEAD) P1 (release blocker): - multipart now RFC 7578 compliant (was injecting bare LF before file content via Swift """...""" multi-line literals; corrupted binary uploads — PNG/PDF/JPEG). Body now built via explicit "\r\n" concatenation so every byte on the wire is auditable. P2: - CustomStringConvertible redacts token on ForgeClient + AppToken (default mirror was leaking plaintext via print / String(reflecting:) / SwiftUI string interpolation). - revokeToken now pre-validates name against ^[a-z0-9_-]{1,64}$ and rejects path-traversal sequences with ForgeError.invalidArgument before percent-encoding (urlPathAllowed left /, +, ;, =, ,, @ unescaped). - baseURL with non-empty path/query/fragment rejected at construct. init is now `throws` — host-only URLs only, since the SDK builds request URLs by string concatenation. P3: - Fixed misleading "custom encoding" comment on RunRequest (it's just Optional + JSONEncoder default behavior). - public init on RunFailure (was decode-only). - Task.checkCancellation() inside the multipart chunk loop — multi-GB uploads now abort promptly when the parent Task is cancelled. - 0o600 perms on the staged temp upload file (was inheriting umask, typically 0o644 — unwanted in multi-tenant /tmp). - Documented JSONValue.number Double precision limit (loses precision for ints > 2^53). Tests: - testMultipartIsCRLFCompliant: writes a PNG-signature payload, scans the captured body for the `\r\n\n` bare-LF pattern AND verifies the bytes after `Content-Type: image/png\r\n\r\n` match the payload exactly. - testForgeClientDescriptionRedactsToken - testAppTokenDescriptionRedactsToken (covers both nil and non-nil token cases) - testRevokeTokenRejectsTraversalName: foo/../bar, FOO, spaces, +, ;, =, @, 65-char names, empty - testBaseURLWithPathRejected: /api, /v1, ?query, #fragment; host-only variants still accepted - testRunFailurePublicInit - testTempFilePerms: scans /tmp during the in-flight upload to verify the staged clawdforge-upload-* file is 0o600 - Existing tests updated for the now-throwing init. README + Examples updated for the throwing init. Audit: memory/clawdforge-audits/swift-e4e8192.md Note: untested locally — Swift toolchain not present in this sandbox. Needs `swift build -c release` + `swift test` verification on a Swift 5.9+ host (macOS or Linux) before tagging the next release.	2026-04-28 23:12:17 -07:00
..
Basic	clients/swift: apply audit findings — multipart fix + token redaction (`e4e8192` → HEAD)	2026-04-28 23:12:17 -07:00

Kayos 7e878e6f45 clients/swift: apply audit findings — multipart fix + token redaction (e4e8192 → HEAD)

P1 (release blocker):
- multipart now RFC 7578 compliant (was injecting bare LF before file
  content via Swift """...""" multi-line literals; corrupted binary
  uploads — PNG/PDF/JPEG). Body now built via explicit "\r\n"
  concatenation so every byte on the wire is auditable.

P2:
- CustomStringConvertible redacts token on ForgeClient + AppToken
  (default mirror was leaking plaintext via print / String(reflecting:)
  / SwiftUI string interpolation).
- revokeToken now pre-validates name against ^[a-z0-9_-]{1,64}$ and
  rejects path-traversal sequences with ForgeError.invalidArgument
  before percent-encoding (urlPathAllowed left /, +, ;, =, ,, @
  unescaped).
- baseURL with non-empty path/query/fragment rejected at construct.
  init is now `throws` — host-only URLs only, since the SDK builds
  request URLs by string concatenation.

P3:
- Fixed misleading "custom encoding" comment on RunRequest (it's just
  Optional + JSONEncoder default behavior).
- public init on RunFailure (was decode-only).
- Task.checkCancellation() inside the multipart chunk loop — multi-GB
  uploads now abort promptly when the parent Task is cancelled.
- 0o600 perms on the staged temp upload file (was inheriting umask,
  typically 0o644 — unwanted in multi-tenant /tmp).
- Documented JSONValue.number Double precision limit (loses precision
  for ints > 2^53).

Tests:
- testMultipartIsCRLFCompliant: writes a PNG-signature payload, scans
  the captured body for the `\r\n\n` bare-LF pattern AND verifies the
  bytes after `Content-Type: image/png\r\n\r\n` match the payload
  exactly.
- testForgeClientDescriptionRedactsToken
- testAppTokenDescriptionRedactsToken (covers both nil and non-nil
  token cases)
- testRevokeTokenRejectsTraversalName: foo/../bar, FOO, spaces, +, ;,
  =, @, 65-char names, empty
- testBaseURLWithPathRejected: /api, /v1, ?query, #fragment; host-only
  variants still accepted
- testRunFailurePublicInit
- testTempFilePerms: scans /tmp during the in-flight upload to verify
  the staged clawdforge-upload-* file is 0o600
- Existing tests updated for the now-throwing init.

README + Examples updated for the throwing init.

Audit: memory/clawdforge-audits/swift-e4e8192.md

Note: untested locally — Swift toolchain not present in this sandbox.
Needs `swift build -c release` + `swift test` verification on a Swift
5.9+ host (macOS or Linux) before tagging the next release.

2026-04-28 23:12:17 -07:00

Basic clients/swift: apply audit findings — multipart fix + token redaction (e4e8192 → HEAD) 2026-04-28 23:12:17 -07:00