
Apps #785

Open
Hadamcik wants to merge 461 commits into xch-dev:main from Hadamcik:apps

Conversation

@Hadamcik

Contributor

Reviewer map

sage-apps crate

Sage Apps is built around one core rule: backend owns state and authority. The frontend is only a presentation layer and is not trusted to decide permissions, app identity, runtime state, wallet scope, approval results, install/update validity, or storage/origin ownership.

Most sensitive behavior is intentionally funneled through a small exported surface from crates/sage-apps/src/lib.rs, so lib.rs is the best first review file.

crates/sage-apps/src/lib.rs

The crate exports the following authority entry points:

// State
pub use db::AppsDb;
pub use host::AppsHostState;

// Commands
pub use bridge::commands::{apps_invoke_bridge, apps_invoke_system_bridge};
pub use environment::commands::apps_set_environment_theme;
pub use lifecycle::{
    apps_clear_runtime_browsing_data,
    install::commands::apps_list_installed_apps,
    uninstall::apps_uninstall_app,
    update::commands::{apps_apply_app_update, apps_check_app_update},
};
pub use runtime::commands::{
    apps_clear_active_taskbar_runtime, apps_dev_reload_runtime, apps_enter_workspace,
    apps_focus_taskbar_runtime, apps_kill_taskbar_runtime, apps_leave_workspace,
    apps_list_runtimes, apps_start_system_app, apps_start_user_app,
};
pub use sandbox::commands::{
    apps_get_app_launch_gate, apps_get_sandbox_state, apps_rerun_sandbox_tests,
};
pub use settings::{apps_get_auto_update_enabled, apps_set_auto_update_enabled};

// Bridge protocol
pub use security::{handle_system_app_protocol_request, handle_user_app_protocol_request};

// SDK types
pub use bridge::ts_exports::{export_system_bridge_typescript, export_user_bridge_typescript};

// Operations
pub use lifecycle::{process_pending_storage_cleanup, start_background_app_update_checker};
pub use runtime::process_sage_network_change;
pub use sandbox::runner::ensure_initial_sandbox_run;

// Docs
pub use build::docs::generate_docs;

Where to go from lib.rs

lib.rs is the map of the crate boundary. From each export group, follow these review paths.

1. Bridge protocol: how apps interact with Sage

From:

pub use bridge::commands::{apps_invoke_bridge, apps_invoke_system_bridge};
pub use security::{handle_system_app_protocol_request, handle_user_app_protocol_request};

Review:

  • crates/sage-apps/src/bridge/commands.rs
  • crates/sage-apps/src/bridge/registry.rs
  • crates/sage-apps/src/bridge/methods/shared.rs
  • crates/sage-apps/src/bridge/methods/user/**
  • crates/sage-apps/src/bridge/methods/system/**
  • crates/sage-apps/src/security/**

Important things to verify:

  • all app calls funnel through a small number of backend entry points
  • user bridge and system bridge are isolated
  • bridge methods explicitly declare required capabilities
  • backend re-checks authority at execution time
  • approval UI is not treated as authority
  • runtime capability requests only allow requestable_by_app
  • wallet methods enforce wallet scope

2. App isolation model: what apps are allowed to be

Review:

  • crates/sage-apps/src/types/app/common.rs
  • crates/sage-apps/src/types/app/wallet_scope.rs
  • crates/sage-apps/src/types/invariants/permission.rs
  • crates/sage-apps/src/types/permissions/**
  • crates/sage-apps/src/capabilities/definitions.rs
  • crates/sage-apps/src/capabilities/types.rs
  • crates/sage-apps/src/db/**

Important things to verify:

  • permissions are normalized in backend types
  • secret access cannot coexist with external/network access
  • secret access cannot coexist with tainted persistent webview storage
  • wallet scope is backend-owned durable state
  • capability flags are enforced consistently:
    • user_grantable
    • requestable_by_app
    • shared_with_app

3. Install/update/permission mutation: what changes app authority

Review:

  • crates/sage-apps/src/lifecycle/package.rs
  • crates/sage-apps/src/lifecycle/install/**
  • crates/sage-apps/src/lifecycle/update/**
  • crates/sage-apps/src/lifecycle/mutation/**
  • crates/sage-apps/src/bridge/methods/system/app_install/**
  • crates/sage-apps/src/bridge/methods/system/app_update/**
  • crates/sage-apps/src/bridge/methods/system/app_permissions/**

Important things to verify:

  • manifest permissions are normalized before persistence
  • install/update review is backend-owned
  • permission changes are diffed correctly
  • wallet scope changes are backend-owned
  • permission/scope changes trigger required runtime reload/reopen behavior
  • ZIP extraction is bounded and cannot escape extraction root

4. Runtime lifecycle: how durable app state becomes webviews

From:

pub use runtime::commands::{
    apps_clear_active_taskbar_runtime, apps_dev_reload_runtime, apps_enter_workspace,
    apps_focus_taskbar_runtime, apps_kill_taskbar_runtime, apps_leave_workspace,
    apps_list_runtimes, apps_start_system_app, apps_start_user_app,
};
pub use runtime::process_sage_network_change;

Review:

  • crates/sage-apps/src/runtime/state/**
  • crates/sage-apps/src/runtime/start.rs
  • crates/sage-apps/src/runtime/stop.rs
  • crates/sage-apps/src/runtime/resolve.rs
  • crates/sage-apps/src/runtime/webview.rs
  • crates/sage-apps/src/runtime/commands.rs

Important things to verify:

  • backend runtime state is authority
  • user apps cannot escalate into system presentations
  • runtime reload/reopen paths are centralized
  • stale runtime state cannot silently survive permission/storage changes
  • runtime visibility/focus is backend-controlled

5. Storage/origin rotation and cleanup

From:

pub use lifecycle::{
    apps_clear_runtime_browsing_data,
};
pub use lifecycle::{process_pending_storage_cleanup, start_background_app_update_checker};

Review:

  • crates/sage-apps/src/types/storage/**
  • crates/sage-apps/src/db/storage.rs
  • crates/sage-apps/src/lifecycle/clear_data/**
  • crates/sage-apps/src/lifecycle/storage_cleanup/**
  • crates/sage-apps/src/lifecycle/update/permissions.rs

Important things to verify:

  • storage and origin are explicit durable state
  • clearing/rotating storage invalidates affected runtimes
  • runtimes cannot continue using invalidated storage/origins
  • origin taint persists correctly
  • abandoned cleanup is secondary to runtime invalidation

6. Sandbox validation

From:

pub use sandbox::commands::{
    apps_get_app_launch_gate, apps_get_sandbox_state, apps_rerun_sandbox_tests,
};
pub use sandbox::runner::ensure_initial_sandbox_run;

Review:

  • crates/sage-apps/src/sandbox/**
  • builtin-apps/src/sandbox-test/**

Important things to verify:

  • sandbox tests validate expected isolation behavior
  • tests cover storage isolation
  • tests cover network restrictions
  • tests cover bridge restrictions
  • launch gating behaves correctly

7. Secondary/supporting exports

From:

pub use settings::{apps_get_auto_update_enabled, apps_set_auto_update_enabled};
pub use bridge::ts_exports::{export_system_bridge_typescript, export_user_bridge_typescript};
pub use build::docs::generate_docs;

Review later:

  • crates/sage-apps/src/settings.rs
  • crates/sage-apps/src/bridge/ts_exports.rs
  • crates/sage-apps/src/build/docs.rs
  • SDK/package/generated output
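The checklist in sections 1 to 3 of the reviewer map is easier to read against a concrete model of what "backend owns authority" means in code. The following is an added example written for this page; it is not code from this PR or from the sage-apps crate. It models a backend-owned capability record with the three flags named in section 2 (user_grantable, requestable_by_app, shared_with_app), the two invariants from section 2 (secret access never coexists with external access, nor with tainted persistent storage), and the two checks from section 1 (runtime requests only admit requestable_by_app capabilities; the approval dialog's answer is an input the backend re-validates, not authority). The capability names, the flag table, `AppRecord`, `validate_grant`, `request_capability`, `authorize_method` and `visible_to_app` are all assumptions made for illustration.

```rust
use std::collections::BTreeSet;

/// Illustrative capability names; stand-ins for this example, not the crate's definitions.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Capability {
    EnvironmentGetNetwork,
    WalletReadAddresses,
    WalletSignTransaction,
    SecretsRead,
    NetworkExternal,
}

#[derive(Clone, Copy, Debug)]
pub struct CapabilityFlags {
    /// a user may grant it through an approval dialog
    pub user_grantable: bool,
    /// the app may ask for it at runtime through the bridge
    pub requestable_by_app: bool,
    /// the app is told that it holds it (false = host-internal only)
    pub shared_with_app: bool,
}

/// Assumed flag table. Only the backend consults it; the frontend never decides from it.
pub fn flags(cap: Capability) -> CapabilityFlags {
    let f = |u, r, s| CapabilityFlags { user_grantable: u, requestable_by_app: r, shared_with_app: s };
    match cap {
        Capability::EnvironmentGetNetwork => f(true, true, true),
        Capability::WalletReadAddresses => f(true, true, true),
        Capability::WalletSignTransaction => f(true, false, true),
        Capability::SecretsRead => f(true, false, false),
        Capability::NetworkExternal => f(true, true, true),
    }
}

/// Durable, backend-owned record of what an app holds (assumed shape).
#[derive(Debug, Clone)]
pub struct AppRecord {
    pub granted: BTreeSet<Capability>,
    /// set once the app's persistent webview storage has been exposed to external content
    pub storage_tainted: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum PermissionError {
    SecretWithExternalAccess,
    SecretWithTaintedStorage,
    NotUserGrantable(Capability),
    NotRequestableByApp(Capability),
    UserDenied(Capability),
    Missing(Capability),
}

fn is_secret_access(cap: Capability) -> bool { matches!(cap, Capability::SecretsRead) }
fn is_external_access(cap: Capability) -> bool { matches!(cap, Capability::NetworkExternal) }

/// Invariants applied to every grant set, whatever its source (manifest, update diff,
/// runtime request): the origin of the change does not relax the rule.
pub fn validate_grant(granted: &BTreeSet<Capability>, storage_tainted: bool) -> Result<(), PermissionError> {
    let has_secret = granted.iter().any(|&c| is_secret_access(c));
    let has_external = granted.iter().any(|&c| is_external_access(c));
    if has_secret && has_external { return Err(PermissionError::SecretWithExternalAccess); }
    if has_secret && storage_tainted { return Err(PermissionError::SecretWithTaintedStorage); }
    if let Some(&cap) = granted.iter().find(|&&c| !flags(c).user_grantable) {
        return Err(PermissionError::NotUserGrantable(cap));
    }
    Ok(())
}

/// Runtime request through the bridge. `user_approved` is what the approval UI reported;
/// it is checked last, after the flag gate, and the invariants run on the candidate set
/// before the durable record is touched.
pub fn request_capability(record: &mut AppRecord, cap: Capability, user_approved: bool) -> Result<(), PermissionError> {
    if !flags(cap).requestable_by_app { return Err(PermissionError::NotRequestableByApp(cap)); }
    if !user_approved { return Err(PermissionError::UserDenied(cap)); }
    let mut candidate = record.granted.clone();
    candidate.insert(cap);
    validate_grant(&candidate, record.storage_tainted)?;
    record.granted = candidate;
    Ok(())
}

/// Execution-time check for a bridge method that declared `required`. The record is
/// re-validated here too, so a taint recorded after the grant still blocks the call.
pub fn authorize_method(record: &AppRecord, required: &[Capability]) -> Result<(), PermissionError> {
    validate_grant(&record.granted, record.storage_tainted)?;
    match required.iter().find(|&&c| !record.granted.contains(&c)) {
        Some(&cap) => Err(PermissionError::Missing(cap)),
        None => Ok(()),
    }
}

/// The capability list an app is allowed to see about itself.
pub fn visible_to_app(record: &AppRecord) -> Vec<Capability> {
    record.granted.iter().copied().filter(|&c| flags(c).shared_with_app).collect()
}

fn main() {
    let mut rec = AppRecord { granted: BTreeSet::new(), storage_tainted: false };
    println!("{:?}", request_capability(&mut rec, Capability::SecretsRead, true));
    println!("{:?}", request_capability(&mut rec, Capability::NetworkExternal, true));
    println!("{:?}", authorize_method(&rec, &[Capability::NetworkExternal]));
}
```

The point to take into review is the order of checks in `request_capability`: the flag gate and the invariant run regardless of what the dialog returned, so a frontend that lies about approval gains nothing it could not have been granted anyway, and `authorize_method` repeats `validate_grant` so that durable state changed after the grant (the taint flag) is honoured at execution time.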

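Section 3 asks that manifest permissions be normalized before persistence, and the commit messages further down mention a whitelist entry type that accepts both string and object forms, tests that connect-src respects the active network's whitelist, and a process_sage_network_change operation. The following is an added example written for this page, not the PR's own code: it normalizes network whitelist origins into a canonical form, builds the connect-src directive for the active network from shared and network-scoped entries, and decides whether a network switch changes the policy a running webview was created under. The `NetworkWhitelistEntry` shape, the https-only and no-wildcard rules, and the function names are assumptions for illustration, as is the constructed sample whitelist in `main`.

```rust
use std::collections::BTreeSet;

/// Assumed normalized shape: an exact https origin plus the network it is scoped to
/// (`None` means the entry is shared across all networks).
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct NetworkWhitelistEntry {
    pub network: Option<String>,
    pub origin: String,
}

#[derive(Debug, PartialEq, Eq)]
pub enum WhitelistError {
    NotHttps(String),
    HasPathOrQuery(String),
    HasUserInfo(String),
    Wildcard(String),
    EmptyHost(String),
}

/// Canonicalize one origin before it is persisted: https only, host plus optional port,
/// no path, userinfo or wildcard. The rules are this example's assumptions, chosen so a
/// stored entry can be placed in a CSP directive verbatim.
pub fn normalize_origin(raw: &str) -> Result<String, WhitelistError> {
    let err = |f: fn(String) -> WhitelistError| f(raw.to_string());
    let lowered = raw.trim().to_ascii_lowercase();
    let rest = lowered.strip_prefix("https://").ok_or_else(|| err(WhitelistError::NotHttps))?;
    let rest = rest.strip_suffix('/').unwrap_or(rest);
    if rest.is_empty() { return Err(err(WhitelistError::EmptyHost)); }
    if rest.contains(|c: char| matches!(c, '/' | '?' | '#')) { return Err(err(WhitelistError::HasPathOrQuery)); }
    if rest.contains('@') { return Err(err(WhitelistError::HasUserInfo)); }
    if rest.contains('*') { return Err(err(WhitelistError::Wildcard)); }
    Ok(format!("https://{}", rest))
}

/// Normalize a whole manifest whitelist. Entries are deduplicated after normalization
/// and stored sorted, so manifests differing only in case or trailing slashes persist
/// identically and do not produce a spurious permission diff on update.
pub fn normalize_whitelist(raw: &[(&str, Option<&str>)]) -> Result<Vec<NetworkWhitelistEntry>, WhitelistError> {
    let mut set = BTreeSet::new();
    for (origin, network) in raw {
        set.insert(NetworkWhitelistEntry {
            network: network.map(|n| n.trim().to_ascii_lowercase()),
            origin: normalize_origin(origin)?,
        });
    }
    Ok(set.into_iter().collect())
}

/// connect-src for the active network: shared entries always apply, network-scoped
/// entries only when their network matches. Output is sorted and deduplicated so that
/// string inequality is a reliable "policy changed" signal.
pub fn connect_src(entries: &[NetworkWhitelistEntry], active_network: &str) -> String {
    let active = active_network.trim().to_ascii_lowercase();
    let origins: BTreeSet<&str> = entries
        .iter()
        .filter(|e| e.network.as_deref().map_or(true, |n| n == active))
        .map(|e| e.origin.as_str())
        .collect();
    let mut directive = String::from("connect-src 'self'");
    for origin in origins {
        directive.push(' ');
        directive.push_str(origin);
    }
    directive
}

/// The decision a network change has to make: if the directive differs, the running
/// webview holds a stale policy and must be reloaded rather than left as it is.
pub fn network_change_requires_reload(entries: &[NetworkWhitelistEntry], old: &str, new: &str) -> bool {
    connect_src(entries, old) != connect_src(entries, new)
}

fn main() {
    // constructed sample whitelist, not taken from any real manifest
    let entries = normalize_whitelist(&[
        ("https://API.example.com/", None),
        ("https://mainnet.example.com", Some("mainnet")),
        ("https://testnet.example.com", Some("testnet11")),
    ])
    .expect("sample whitelist is valid");
    println!("{}", connect_src(&entries, "mainnet"));
    println!("{}", connect_src(&entries, "testnet11"));
}
```

Because the persisted form is canonical and sorted, the update path can diff two whitelists by plain comparison, and the network-change path can compare two directives the same way; both decisions then rest on backend state rather than on what the webview currently believes its policy to be.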
Hadamcik added 30 commits April 26, 2026 04:50
…sts:

- Moved `slugify_name` implementation to `utils.rs` as `slugify_app_name`.
- Replaced duplication in `UrlInstallSource` and `ZipInstallSource` with shared `slugify_app_name` utility.
- Simplified retired app tests by introducing `fake_retired_app_origins` helper for reusability.
- Extract update-related commands into a new `commands.rs` file for better organization.
- Separate types and utilities into dedicated `types.rs` and `utils.rs` modules.
- Simplify `uninstall.rs` and update imports to leverage the new structure.
- Removed redundant `types`, `registry.rs`, and `update/utils.rs` files.
- Merged `types` and lifecycle-related functions into `lifecycle/registry/mod.rs` for improved modularity.
- Simplified lifecycle path utilities and removed unused test cases.
- Standardized `BridgeMethod` error handling by introducing `BridgeMethodHandleError`.
- Replaced repetitive parameter parsing logic with `parse_required_params`.
- Simplified runtime methods (`listRuntimes`, `killRuntime`, etc.) to use unified error-handling and result serialization.
- Removed redundant `RustBridgeResponse` and `parse_runtime_target_params` usage.
- Modularized `BridgeRegistry` initialization with helper `insert_method`.
- Replace `Option<RustBridgeApprovalRequest>` with `BridgeApprovalRequestResult` for improved error handling.
- Update bridge methods (`killRuntime`, `hideRuntime`, etc.) to use new approval result type.
- Add `normalize_network_permission_target` for cleaner target normalization in network grant requests.
- Standardize `approval_request` logic across bridge modules.
- Deleted `normalize/capabilities.rs` and `normalize/network.rs` as they were unused.
- Relocated and modularized capability definitions to `capabilities/definitions.rs`.
- Simplified permission normalization by removing unnecessary indirection.
- Extract `normalize_requested_permissions` to a new `normalization.rs` module for better structure.
- Refactor `normalize_and_validate_*` functions to separate concerns and improve readability.
- Remove redundant logic from `validation.rs` and consolidate permission workflows.
…effective_granted_capabilities` and modularize implementation

- Replaced calls to `resolve_effective_granted_capabilities` with `get_effective_granted_capabilities` across multiple modules for improved clarity.
- Moved `get_effective_granted_capabilities` implementation to `capabilities/mod.rs` for better modularization and reuse.
- Removed redundant `resolve_effective_granted_capabilities` function and updated relevant imports and references.
…dularize flags logic

- Renamed `SageAppCapabilityFlags` to `SageAppFlags` for better naming consistency.
- Replaced `resolve_capability_flags` with `get_app_flags` across the codebase.
- Moved flags-related logic to a new `flags.rs` module for improved modularity.
- Updated relevant imports, tests, and references to match the new implementation structure.
- Removed the now redundant `resolve_capability_flags` from the permissions module.
…zation logic

- Replaced `normalize_granted_capabilities` and `validate_granted_capabilities` with `normalize_and_validate_granted_capabilities` for clarity.
- Replaced `get_effective_granted_capabilities` with `get_and_validate_effective_granted_capabilities` to integrate validation.
- Simplified capabilities logic by consolidating workflows across modules.
- Updated imports, tests, and references to align with the new structure.
…ith `resolve_effective_granted_capabilities` and modularize capabilities logic

- Replaced `get_and_validate_effective_granted_capabilities` with `resolve_effective_granted_capabilities` across the codebase for naming consistency.
- Introduced `requested_user_grantable_capabilities` for cleaner user-grantable capabilities handling.
- Standardized visibility and modularized capabilities logic in `capabilities/mod.rs` and `definitions.rs`.
- Updated imports, tests, and references to align with the updated structure.
- Changed `CapabilityFlags` visibility from `pub` to `pub(crate)` for internal use.
- Removed redundant `types` module re-export and updated direct imports.
- Simplified `capabilities/mod.rs` by consolidating and reorganizing imports.
- Removed unused `CapabilitySummary` struct to clean up codebase.
…rmalization

- Introduced `validate_granted_network` function in `validation.rs` for cleaner and reusable validation logic.
- Added `normalize_granted_network` function to streamline granted network entries normalization.
- Simplified `normalize_and_validate_granted_network` by separating normalization and validation concerns.
- Updated visibility and structure of `normalization` and `validation` modules for improved organization.
…tion

- Replaced `normalize_and_validate_granted_capabilities` with `normalize_and_validate_user_granted_capabilities` for naming clarity.
- Updated `resolve_effective_granted_capabilities` to `resolve_and_validate_effective_granted_capabilities` for improved modularity and consistency.
- Consolidated `capabilities` logic by integrating validation within normalization workflows.
- Added comprehensive test coverage in `validation.rs` and `tests.rs` for updated capability workflows.
- Simplified imports and visibility settings across modules to improve code organization.
- Eliminated `clear_storage_taint` parameter from permission handling functions.
- Removed associated logic from `update_app_permissions` and internal workflows.
- Deleted obsolete unit test `update_app_permissions_internal_can_clear_storage_taint_without_capabilities`.
- Simplified imports by removing `clear_storage_may_contain_secrets` usage.
…normalization

- Merged required and optional whitelist logic into a single `allowed` set in `validation.rs` for cleaner validation.
- Simplified `normalize_network_entries` by using functional constructs and removing manual sorting in `normalization.rs`.
- Deleted tests and helper functions that have overlapping coverage or were no longer relevant to streamlined validation workflows (`bridge`, `capabilities`, and `lifecycle` modules).
- Consolidated core testing logic into related modules for better organization and clarity.
- Updated imports and visibility settings across affected files.
- Deleted multiple normalization and validation functions in `capabilities` and `network` modules.
- Refactored to rely on simplified permission handling workflows.
- Updated associated imports, tests, and permissions logic for streamlined workflow integration.
- Added detailed structs for Sage App representation (`SageApp`, `UserSageApp`, `SystemSageApp`, etc.) to enhance capability and permission management.
- Included manifest parsers and validators (`SageAppPackageManifest`, `SageRequestedPermissions`, etc.) for strict compliance with app specifications.
- Modularized app-related types (`app.rs`, `permissions.rs`, `manifest.rs`, `network.rs`, `storage.rs`) for improved maintainability.
- Enhanced validation workflows for network and capabilities permissions.
- Defined reusable logic for app lifecycle management and manifest integrity checks.
- Implemented custom deserialization logic for `SageNetworkWhitelistEntry` to support both string and object formats.
- Replaced basic manifest deserialization with `serde_path_to_error` for detailed error reporting.
- Updated `Cargo.toml` to include `serde_path_to_error` dependency.
- Adjusted related structs and logic across `permissions.rs` and `network.rs` for improved consistency and flexibility.
- Deleted deprecated `types_legacy.rs` file and its content.
- Removed obsolete unit tests that referenced legacy type definitions or workflows.
… handling

- Moved `builtin_apps_root` into the `utils` module for consistency and reusability.
- Updated references across `system_apps`, `sandbox`, and `build` modules.
- Simplified file path resolution and validation for system apps manifest and directories.
- Improved error messages related to builtin system app handling.
- Adjusted `sage-manifest.json` to correctly reference the public icon path.
- Extracted common app update retrieval logic into `fetch_pending_update`.
- Simplified `check_app_update`, `update_app_pending_state`, and `apply_app_update` for better maintainability.
- Added `from_pending_update` constructor to `SageAppUrlPreview` for consistency.
…n` components

- Extracted icon rendering logic into reusable `AppIconContent` and `AppIcon` components.
- Replaced inline logic for app icons across multiple files (`AppTaskBar`, `InstallDialog`, `AppTile`, etc.) to improve consistency.
- Adjusted `InstallSource` type export for shared use.
- Simplified icon URL resolution and fallback logic for better maintainability.
Hadamcik and others added 30 commits May 23, 2026 14:17
- Implemented `environment.getNetwork` method for fetching active network details.
- Added corresponding capability definition `EnvironmentGetNetwork` to enable access control.
- Updated bindings, capability list, and documentation to reflect the new method and capability.
…ip_snapshot`.

- Added `validate_package_has_no_undeclared_files` to ensure all files in a package are declared in the manifest.
- Introduced stricter checks in snapshot preparation to reject undeclared or invalid files.
- Enhanced unit tests to cover file validation scenarios.
- Added download size checks with `download_bytes_with_limit` and exact size validation with `download_exact_bytes`.
…dules

- Added stricter file validation in `prepare_zip_snapshot` to reject undeclared, nested, or invalid files.
- Refactored response size and hash validation into reusable functions (`ensure_within_max_response_size`, `ensure_expected_size`, `ensure_expected_hash`).
- Enhanced unit test coverage for file declarations, size limits, and hash mismatches.
…ermissions

- Added unit tests to ensure sensitive secret access and external network access cannot coexist in permissions.
- Refactored `sample_app` to accommodate modular requested permissions handling.
- Introduced `sample_requested_permissions` and `sample_app_with_requested_permissions` helper functions.
- Added network whitelist tests for required and optional network cases with sensitive capabilities.
- Improved error reporting for invalid permission combinations.
- Added tests to verify rejection of external access permissions when origin storage may contain secrets.
- Introduced test coverage for pending update decisions involving network-specific entries.
- Introduced `MAX_REMOTE_ICON_BYTES` to define size limit for remote app icons (1 MB).
- Added `read_remote_icon_bytes` function to handle remote icon downloads with size checks.
- Implemented `ensure_remote_icon_size` to validate icon size during download.
- Enhanced error handling for size overflows and download failures.
- Added unit tests to verify size limit enforcement.
- Introduced tests to ensure `connect-src` respects active network-specific whitelists.
- Verified shared and network-specific entries are correctly applied within CSP generation.
- Added helper functions for test setup, including managing requested and granted permissions.
…y checks

- Added tests for `resolve_file_path` behavior with default, root, and nested paths.
- Validated rejection of traversal components and escaping symlinks.
- Ensured robust handling of file paths within snapshot boundaries.
…ction and add unit tests for validation and security checks
- Introduced `set_builtin_apps_root` to allow dynamic configuration of the `builtin-apps` root directory.
- Updated Tauri app initialization to set `builtin-apps` root from bundled resources directory if available.
- Modified `tauri.conf.json` to include `builtin-apps` in bundled resources.
… locales

- Synced translation changes in `en-US`, `es-MX`, `zh-CN`, and `de-DE` locales.
- Added new entries for "Apps" and adjusted context references for updated components.
- Addressed line number updates and structural changes in `src/components/Nav.tsx` and other related components.
…ld process

- Introduced a new `generate_docs` binary in `sage-apps` for generating Sage app documentation.
- Updated `build.rs` to remove in-process docs generation in favor of the new binary.
- Modified `package.json` to include `generate:app-docs` script and integrate docs generation into the `build:builtin-apps` process.
- Added Tauri Android and iOS configuration files with a `beforeBuildCommand` to build the frontend.
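Several of the commit messages above describe the package-side checks (download size limits with a 1 MB icon cap, exact-size validation, rejection of undeclared or nested files in `prepare_zip_snapshot`, and `resolve_file_path` rejecting traversal components and escaping symlinks), and section 3 of the reviewer map asks that ZIP extraction stay bounded and inside its root. The following is an added example written for this page, not the PR's own code, using only the standard library: a bounded reader that refuses oversized bodies without buffering them, an exact-size check, a lexical containment check for archive entry names, a manifest-declared-files check, and a file resolver that canonicalizes and confirms the real path is still under the real root. The expected-hash comparison the commits mention is not reproduced here. The size constants, error type and function names are assumptions for illustration.

```rust
use std::collections::BTreeSet;
use std::io::Read;
use std::path::{Component, Path, PathBuf};

/// Assumed limits. The 1 MB icon cap matches the figure in the commit messages;
/// the package cap is illustrative.
pub const MAX_ICON_BYTES: u64 = 1024 * 1024;
pub const MAX_PACKAGE_BYTES: u64 = 32 * 1024 * 1024;

#[derive(Debug, PartialEq, Eq)]
pub enum PackageError {
    TooLarge { limit: u64 },
    SizeMismatch { expected: u64, actual: u64 },
    Io(String),
    Absolute(String),
    Traversal(String),
    EmptyPath,
    Undeclared(String),
    Escapes(String),
}

/// Read a body of unknown length without trusting any declared length: take one byte
/// more than the limit so an oversized stream is detected and rejected early.
pub fn read_with_limit<R: Read>(reader: R, limit: u64) -> Result<Vec<u8>, PackageError> {
    let mut buf = Vec::new();
    reader.take(limit + 1).read_to_end(&mut buf).map_err(|e| PackageError::Io(e.to_string()))?;
    if buf.len() as u64 > limit {
        return Err(PackageError::TooLarge { limit });
    }
    Ok(buf)
}

/// When the manifest or update record states an exact size, require it.
pub fn ensure_expected_size(bytes: &[u8], expected: u64) -> Result<(), PackageError> {
    let actual = bytes.len() as u64;
    if actual != expected {
        return Err(PackageError::SizeMismatch { expected, actual });
    }
    Ok(())
}

/// Lexical containment check for an archive entry name, run before any file is created.
/// Backslashes are rejected outright because they are not separators on Unix and would
/// otherwise pass through as an ordinary file name.
pub fn safe_entry_path(root: &Path, entry_name: &str) -> Result<PathBuf, PackageError> {
    if entry_name.contains('\\') || entry_name.contains('\0') {
        return Err(PackageError::Traversal(entry_name.to_string()));
    }
    let mut out = root.to_path_buf();
    let mut depth = 0;
    for comp in Path::new(entry_name).components() {
        match comp {
            Component::Normal(part) => { out.push(part); depth += 1; }
            Component::CurDir => {}
            Component::ParentDir => return Err(PackageError::Traversal(entry_name.to_string())),
            Component::RootDir | Component::Prefix(_) => return Err(PackageError::Absolute(entry_name.to_string())),
        }
    }
    if depth == 0 {
        return Err(PackageError::EmptyPath);
    }
    Ok(out)
}

/// Every file in the archive must be declared by the manifest: the manifest, not the
/// archive's own directory, is the authority on what the package may contain.
pub fn ensure_all_declared(declared: &BTreeSet<String>, entries: &[&str]) -> Result<(), PackageError> {
    match entries.iter().find(|e| !declared.contains(**e)) {
        Some(e) => Err(PackageError::Undeclared(e.to_string())),
        None => Ok(()),
    }
}

/// Serving a file from an extracted snapshot: lexical check first, then resolve symlinks
/// on both sides and require the real path to still sit under the real root.
pub fn resolve_file_path(root: &Path, requested: &str) -> Result<PathBuf, PackageError> {
    let candidate = safe_entry_path(root, requested)?;
    let real_root = root.canonicalize().map_err(|e| PackageError::Io(e.to_string()))?;
    let real = candidate.canonicalize().map_err(|e| PackageError::Io(e.to_string()))?;
    if !real.starts_with(&real_root) {
        return Err(PackageError::Escapes(requested.to_string()));
    }
    Ok(real)
}

fn main() {
    let root = Path::new("/tmp/sage-app-snapshot");
    println!("{:?}", safe_entry_path(root, "assets/../../etc/passwd"));
    println!("{:?}", read_with_limit(&[0u8; 2048][..], MAX_ICON_BYTES).map(|b| b.len()));
}
```

The two checks in `resolve_file_path` are deliberately separate: the lexical pass rejects `..` and absolute names before anything is looked up, and the canonicalize pass catches what the lexical pass cannot see, namely a symlink inside the snapshot whose target lies outside it. Dropping either one leaves a gap.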