straw

History

Kayos c960a1f424 vc=68: audit-fix sprint round 1 (11 HIGH + MED batch) Block B — enrichment lifecycle drift: * SubscriptionFeedViewModel tracks enrichJob, cancelled in refresh + clearInMemoryCache so spam-refresh and cache-toggle no longer leave a globalScope coroutine writing to a destroyed _ui * Enrich now runs on viewModelScope, channels snapshotted at job start so the terminal merge doesn't read a stale subs list * mergeFromCache moved off Main on both the refresh path AND the init-hydration path — 750-item flatMap+sort+regex no longer blocks the UI thread * VideoDetailViewModel dual loadedUrl bookkeeping collapsed to the UiState field only; the rejected-URL path also stamps loadedUrl so the gate reads coherently Block A — auto-update authenticity: * AppUpdateClient pins the fdroid.sulkta.com leaf SPKI + the Let's Encrypt E7 intermediate via OkHttp CertificatePinner * file.name accepted only when matching ^/[A-Za-z0-9._-]+\.apk$ * versionCode clamped to (0, 10_000_000] before we trust the 'update available' notification — a hostile index can no longer pin us to MAX_VALUE Block C — captureResumePosition perf: * ResumePositionsStore.record short-circuits when the existing entry matches position+duration so the 5s poll's before !== next guard actually skips the SP write * JSON encode + SP write off Main via globalScope IO Block D — Rust feed.rs hardening: * Shared reqwest Client via OnceLock — 50 channels no longer pay 50 TLS handshakes * Response body capped at 2 MiB via bytes_stream — adversarial feeds can't OOM the JVM * parse_rss returns partial results on quick-xml errors instead of nuking everything already parsed * extract_channel_id widened (m./www./http(s)?/trailing path) and validates exact 24-char UC<22 base64-ish> * Skip entries with empty title/published * iso_to_relative future dates → 'just now' (clock skew no longer pins items to top) * civil_to_days year clamp 1970..=2200 before the i64 arithmetic * Redirect chain capped at 3 * Dropped the broken lexicographic sort on upload_date_relative * Cap parsed entries at 50 per channel MED batch: * ThumbnailProgressOverlay uses derivedStateOf so only rows whose specific entry changed recompose on the 5s positions tick * EnrichmentStore.put short-circuits on identical view+duration so re-enrich within TTL doesn't write SP * EnrichmentStore.load prunes TTL-expired entries on hydration * FeedRefreshWorker distinguishes transient (Result.retry) from parse (Result.success) failures * WorkManager interval coerceAtLeast(15L) on both schedulers	2026-05-26 20:53:25 -07:00
..
src/main/kotlin	vc=68: audit-fix sprint round 1 (11 HIGH + MED batch)	2026-05-26 20:53:25 -07:00
build.gradle.kts	Relocate toml lint task to buildSrc and extend against default task	2025-11-21 20:08:26 +08:00

Kayos c960a1f424 vc=68: audit-fix sprint round 1 (11 HIGH + MED batch)

Block B — enrichment lifecycle drift:
  * SubscriptionFeedViewModel tracks enrichJob, cancelled in refresh
    + clearInMemoryCache so spam-refresh and cache-toggle no longer
    leave a globalScope coroutine writing to a destroyed _ui
  * Enrich now runs on viewModelScope, channels snapshotted at job
    start so the terminal merge doesn't read a stale subs list
  * mergeFromCache moved off Main on both the refresh path AND the
    init-hydration path — 750-item flatMap+sort+regex no longer
    blocks the UI thread
  * VideoDetailViewModel dual loadedUrl bookkeeping collapsed to
    the UiState field only; the rejected-URL path also stamps
    loadedUrl so the gate reads coherently

Block A — auto-update authenticity:
  * AppUpdateClient pins the fdroid.sulkta.com leaf SPKI + the
    Let's Encrypt E7 intermediate via OkHttp CertificatePinner
  * file.name accepted only when matching ^/[A-Za-z0-9._-]+\.apk$
  * versionCode clamped to (0, 10_000_000] before we trust the
    'update available' notification — a hostile index can no longer
    pin us to MAX_VALUE

Block C — captureResumePosition perf:
  * ResumePositionsStore.record short-circuits when the existing
    entry matches position+duration so the 5s poll's
    before !== next guard actually skips the SP write
  * JSON encode + SP write off Main via globalScope IO

Block D — Rust feed.rs hardening:
  * Shared reqwest Client via OnceLock — 50 channels no longer
    pay 50 TLS handshakes
  * Response body capped at 2 MiB via bytes_stream — adversarial
    feeds can't OOM the JVM
  * parse_rss returns partial results on quick-xml errors instead
    of nuking everything already parsed
  * extract_channel_id widened (m./www./http(s)?/trailing path)
    and validates exact 24-char UC<22 base64-ish>
  * Skip entries with empty title/published
  * iso_to_relative future dates → 'just now' (clock skew
    no longer pins items to top)
  * civil_to_days year clamp 1970..=2200 before the i64 arithmetic
  * Redirect chain capped at 3
  * Dropped the broken lexicographic sort on upload_date_relative
  * Cap parsed entries at 50 per channel

MED batch:
  * ThumbnailProgressOverlay uses derivedStateOf so only rows
    whose specific entry changed recompose on the 5s positions tick
  * EnrichmentStore.put short-circuits on identical view+duration
    so re-enrich within TTL doesn't write SP
  * EnrichmentStore.load prunes TTL-expired entries on hydration
  * FeedRefreshWorker distinguishes transient (Result.retry) from
    parse (Result.success) failures
  * WorkManager interval coerceAtLeast(15L) on both schedulers

2026-05-26 20:53:25 -07:00

src/main/kotlin

vc=68: audit-fix sprint round 1 (11 HIGH + MED batch)

2026-05-26 20:53:25 -07:00

build.gradle.kts

Relocate toml lint task to buildSrc and extend against default task

2025-11-21 20:08:26 +08:00