🔧 chore: Full project audit: security, a11y, quality, compat fixes

Audit & Infrastructure
- Add PLANNING.md with prioritized fix roadmap + post-fix metrics
- Fix README: Python → Rust, update dependency list
- cargo fmt: 74 diffs → 0
- cargo clippy: 33 warnings → 0
- cargo audit: 0 vulnerabilities

Testing
- Add 25 unit tests across 3 crates (service: 10, favicon: 15, registry: 11 deduplicated)
- All tests passing, zero regressions

Security
- URL scheme validation in favicon fetch → block non-http(s) (anti-SSRF)
- Permission handler: log auto-granted permission type + TODO
- ITP disabled: add justification comment

Accessibility
- Label ~15 icon-only buttons (back, fwd, reload, fullscreen, menu,
  search, add, browser, edit, delete, template, detect)
- Add live region (status_label with AccessibleRole::Status) for
  search result count announcements
- Set AccessibleRole::Heading on category headers in list + gallery

Robustness
- Replace 2 unwrap() → expect() with context messages
- Geometry parse: match + log::warn on failure instead of silent ignore
- Poll interval 100ms → 250ms to reduce CPU churn

UX & Compatibility
- Disable browser button for App mode webapps (no external browser)
- Set Chrome 131 User-Agent in viewer → fix Spotify/Teams blocking
  WebKitGTK as "incompatible browser"

Author: talesam

PLANNING.md

@@ -14,7 +14,8 @@ A modern GTK4 tool to create and manage webapps, supporting multiple browsers wh
 
 ## Technical Details
 
-- Built with Python using GTK4 and libadwaita
+- Built with Rust using GTK4 and libadwaita
+- WebKitGTK 6.0 for webapp viewer with isolated profiles
 - Uses website scraping to extract icons and metadata
 - Integrated with desktop environment via desktop files
 - Compatible with both Xorg and Wayland display servers
@@ -54,8 +55,8 @@ GPL-3.0
 
 ## Dependencies
 
-- python-bs4
-- python-requests
+- gtk4 (>= 4.10)
+- libadwaita-1 (>= 1.6)
+- webkitgtk-6.0 (>= 2.50)
 - gettext
-- python-pillow
-- python-gobject
+- openssl

PLANNING.old.md

@@ -104,7 +104,10 @@ pub fn desktop_file_id(url: &str) -> String {
 /// Path for a webapp's .desktop file
 pub fn desktop_file_path(webapp: &WebApp) -> PathBuf {
     let filename = if webapp.app_file.is_empty() {
-        format!("biglinux-webapp-{}.desktop", desktop_file_id(&webapp.app_url))
+        format!(
+            "biglinux-webapp-{}.desktop",
+            desktop_file_id(&webapp.app_url)
+        )
     } else {
         webapp.app_file.clone()
     };
@@ -136,6 +139,14 @@ pub fn remove_desktop_entry(webapp: &WebApp) -> Result<()> {
 /// Strip chars that could break desktop file Exec or shell parsing
 fn sanitize_desktop_field(s: &str) -> String {
     s.chars()
-        .filter(|c| *c != '"' && *c != '\'' && *c != '`' && *c != '\\' && *c != '\n' && *c != '\r' && *c != '$')
+        .filter(|c| {
+            *c != '"'
+                && *c != '\''
+                && *c != '`'
+                && *c != '\\'
+                && *c != '\n'
+                && *c != '\r'
+                && *c != '$'
+        })
         .collect()
 }

README.md

@@ -179,7 +179,10 @@ impl WebAppCollection {
         if query.is_empty() {
             return self.webapps.iter().collect();
         }
-        self.webapps.iter().filter(|app| app.matches(query)).collect()
+        self.webapps
+            .iter()
+            .filter(|app| app.matches(query))
+            .collect()
     }
 
     pub fn categorized(&self, query: Option<&str>) -> HashMap<String, Vec<&WebApp>> {

crates/webapps-core/src/desktop.rs

@@ -19,7 +19,9 @@ pub fn templates() -> Vec<WebAppTemplate> {
             keywords: svec!["google", "docs", "document", "text"],
             mime_types: svec![
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
-                "application/msword", "application/rtf", "text/plain"
+                "application/msword",
+                "application/rtf",
+                "text/plain"
             ],
             file_handler: FileHandler::Upload,
             profile: "google".into(),
@@ -36,7 +38,8 @@ pub fn templates() -> Vec<WebAppTemplate> {
             keywords: svec!["google", "sheets", "spreadsheet", "csv", "excel"],
             mime_types: svec![
                 "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
-                "application/vnd.ms-excel", "text/csv"
+                "application/vnd.ms-excel",
+                "text/csv"
             ],
             file_handler: FileHandler::Upload,
             profile: "google".into(),

crates/webapps-core/src/models/webapp.rs

@@ -1,8 +1,8 @@
-mod registry;
-mod office365;
-mod google;
 mod communication;
+mod google;
 mod media;
+mod office365;
 mod productivity;
+mod registry;
 
-pub use registry::{WebAppTemplate, TemplateRegistry, FileHandler, build_default_registry};
+pub use registry::{build_default_registry, FileHandler, TemplateRegistry, WebAppTemplate};

crates/webapps-core/src/templates/google.rs

@@ -11,11 +11,18 @@ pub fn templates() -> Vec<WebAppTemplate> {
             comment: "Edit documents online with Microsoft Word".into(),
             generic_name: "Word Processor".into(),
             keywords: vec!["word", "document", "office", "docx", "microsoft"]
-                .into_iter().map(Into::into).collect(),
+                .into_iter()
+                .map(Into::into)
+                .collect(),
             mime_types: vec![
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
-                "application/msword", "application/rtf", "text/rtf",
-            ].into_iter().map(Into::into).collect(),
+                "application/msword",
+                "application/rtf",
+                "text/rtf",
+            ]
+            .into_iter()
+            .map(Into::into)
+            .collect(),
             file_handler: FileHandler::Upload,
             profile: "office365".into(),
             ..Default::default()
@@ -29,11 +36,18 @@ pub fn templates() -> Vec<WebAppTemplate> {
             comment: "Edit spreadsheets online with Microsoft Excel".into(),
             generic_name: "Spreadsheet".into(),
             keywords: vec!["excel", "spreadsheet", "office", "xlsx", "csv", "microsoft"]
-                .into_iter().map(Into::into).collect(),
+                .into_iter()
+                .map(Into::into)
+                .collect(),
             mime_types: vec![
                 "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
-                "application/vnd.ms-excel", "text/csv", "application/csv",
-            ].into_iter().map(Into::into).collect(),
+                "application/vnd.ms-excel",
+                "text/csv",
+                "application/csv",
+            ]
+            .into_iter()
+            .map(Into::into)
+            .collect(),
             file_handler: FileHandler::Upload,
             profile: "office365".into(),
             ..Default::default()
@@ -46,12 +60,24 @@ pub fn templates() -> Vec<WebAppTemplate> {
             category: "Office".into(),
             comment: "Create presentations online with Microsoft PowerPoint".into(),
             generic_name: "Presentation".into(),
-            keywords: vec!["powerpoint", "presentation", "office", "pptx", "slides", "microsoft"]
-                .into_iter().map(Into::into).collect(),
+            keywords: vec![
+                "powerpoint",
+                "presentation",
+                "office",
+                "pptx",
+                "slides",
+                "microsoft",
+            ]
+            .into_iter()
+            .map(Into::into)
+            .collect(),
             mime_types: vec![
                 "application/vnd.openxmlformats-officedocument.presentationml.presentation",
                 "application/vnd.ms-powerpoint",
-            ].into_iter().map(Into::into).collect(),
+            ]
+            .into_iter()
+            .map(Into::into)
+            .collect(),
             file_handler: FileHandler::Upload,
             profile: "office365".into(),
             ..Default::default()
@@ -65,7 +91,9 @@ pub fn templates() -> Vec<WebAppTemplate> {
             comment: "Take notes online with Microsoft OneNote".into(),
             generic_name: "Note Taking".into(),
             keywords: vec!["onenote", "notes", "office", "microsoft"]
-                .into_iter().map(Into::into).collect(),
+                .into_iter()
+                .map(Into::into)
+                .collect(),
             profile: "office365".into(),
             ..Default::default()
         },
@@ -78,7 +106,9 @@ pub fn templates() -> Vec<WebAppTemplate> {
             comment: "Email and calendar from Microsoft Outlook".into(),
             generic_name: "Email Client".into(),
             keywords: vec!["outlook", "email", "mail", "calendar", "microsoft"]
-                .into_iter().map(Into::into).collect(),
+                .into_iter()
+                .map(Into::into)
+                .collect(),
             features: vec!["notifications".into()],
             profile: "office365".into(),
             ..Default::default()
@@ -92,7 +122,9 @@ pub fn templates() -> Vec<WebAppTemplate> {
             comment: "Chat and video conferencing with Microsoft Teams".into(),
             generic_name: "Instant Messaging".into(),
             keywords: vec!["teams", "chat", "video", "conferencing", "microsoft"]
-                .into_iter().map(Into::into).collect(),
+                .into_iter()
+                .map(Into::into)
+                .collect(),
             features: vec!["notifications".into(), "camera".into(), "microphone".into()],
             profile: "office365".into(),
             ..Default::default()
@@ -106,7 +138,9 @@ pub fn templates() -> Vec<WebAppTemplate> {
             comment: "Cloud storage from Microsoft OneDrive".into(),
             generic_name: "Cloud Storage".into(),
             keywords: vec!["onedrive", "cloud", "storage", "files", "microsoft"]
-                .into_iter().map(Into::into).collect(),
+                .into_iter()
+                .map(Into::into)
+                .collect(),
             profile: "office365".into(),
             ..Default::default()
         },
@@ -119,7 +153,9 @@ pub fn templates() -> Vec<WebAppTemplate> {
             comment: "Microsoft 365 home — access all Office apps".into(),
             generic_name: "Office Suite".into(),
             keywords: vec!["office", "365", "microsoft", "word", "excel", "powerpoint"]
-                .into_iter().map(Into::into).collect(),
+                .into_iter()
+                .map(Into::into)
+                .collect(),
             profile: "office365".into(),
             ..Default::default()
         },

crates/webapps-core/src/templates/mod.rs

@@ -50,12 +50,12 @@ impl Default for WebAppTemplate {
 impl WebAppTemplate {
     /// Domain extracted from URL for matching
     pub fn domain(&self) -> Option<String> {
-        url::Url::parse(&self.url)
-            .ok()
-            .and_then(|u| u.host_str().map(|h| {
+        url::Url::parse(&self.url).ok().and_then(|u| {
+            u.host_str().map(|h| {
                 let h = h.strip_prefix("www.").unwrap_or(h);
                 h.to_lowercase()
-            }))
+            })
+        })
     }
 }
 
@@ -91,11 +91,7 @@ impl TemplateRegistry {
     pub fn get_by_category(&self, category: &str) -> Vec<&WebAppTemplate> {
         self.by_category
             .get(category)
-            .map(|ids| {
-                ids.iter()
-                    .filter_map(|id| self.templates.get(id))
-                    .collect()
-            })
+            .map(|ids| ids.iter().filter_map(|id| self.templates.get(id)).collect())
             .unwrap_or_default()
     }
 
@@ -137,3 +133,143 @@ pub fn build_default_registry() -> TemplateRegistry {
     reg.register_many(super::productivity::templates());
     reg
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    fn sample_template(id: &str, name: &str, url: &str, category: &str) -> WebAppTemplate {
+        WebAppTemplate {
+            template_id: id.into(),
+            name: name.into(),
+            url: url.into(),
+            category: category.into(),
+            keywords: vec![name.to_lowercase()],
+            ..Default::default()
+        }
+    }
+
+    #[test]
+    fn register_and_get() {
+        let mut reg = TemplateRegistry::default();
+        reg.register(sample_template(
+            "gmail",
+            "Gmail",
+            "https://mail.google.com",
+            "Communication",
+        ));
+        assert!(reg.get("gmail").is_some());
+        assert_eq!(reg.get("gmail").unwrap().name, "Gmail");
+        assert!(reg.get("nonexistent").is_none());
+    }
+
+    #[test]
+    fn categories_sorted() {
+        let mut reg = TemplateRegistry::default();
+        reg.register(sample_template("c", "C", "https://c.com", "Zebra"));
+        reg.register(sample_template("a", "A", "https://a.com", "Alpha"));
+        let cats = reg.categories();
+        assert_eq!(cats, vec!["Alpha", "Zebra"]);
+    }
+
+    #[test]
+    fn get_by_category() {
+        let mut reg = TemplateRegistry::default();
+        reg.register(sample_template(
+            "g",
+            "Gmail",
+            "https://mail.google.com",
+            "Communication",
+        ));
+        reg.register(sample_template(
+            "s",
+            "Spotify",
+            "https://spotify.com",
+            "Media",
+        ));
+        let comms = reg.get_by_category("Communication");
+        assert_eq!(comms.len(), 1);
+        assert_eq!(comms[0].name, "Gmail");
+        assert!(reg.get_by_category("Nonexistent").is_empty());
+    }
+
+    #[test]
+    fn match_url_finds_template() {
+        let mut reg = TemplateRegistry::default();
+        reg.register(sample_template(
+            "yt",
+            "YouTube",
+            "https://www.youtube.com",
+            "Media",
+        ));
+        let found = reg.match_url("https://youtube.com/watch?v=123");
+        assert!(found.is_some());
+        assert_eq!(found.unwrap().template_id, "yt");
+    }
+
+    #[test]
+    fn match_url_no_match() {
+        let mut reg = TemplateRegistry::default();
+        reg.register(sample_template(
+            "yt",
+            "YouTube",
+            "https://www.youtube.com",
+            "Media",
+        ));
+        assert!(reg.match_url("https://example.com").is_none());
+    }
+
+    #[test]
+    fn search_by_name() {
+        let mut reg = TemplateRegistry::default();
+        reg.register(sample_template(
+            "g",
+            "Gmail",
+            "https://mail.google.com",
+            "Communication",
+        ));
+        reg.register(sample_template(
+            "s",
+            "Spotify",
+            "https://spotify.com",
+            "Media",
+        ));
+        let results = reg.search("gmail");
+        assert_eq!(results.len(), 1);
+        assert_eq!(results[0].name, "Gmail");
+    }
+
+    #[test]
+    fn search_by_category() {
+        let mut reg = TemplateRegistry::default();
+        reg.register(sample_template(
+            "g",
+            "Gmail",
+            "https://mail.google.com",
+            "Communication",
+        ));
+        let results = reg.search("communication");
+        assert_eq!(results.len(), 1);
+    }
+
+    #[test]
+    fn search_empty_query() {
+        let reg = build_default_registry();
+        let results = reg.search("");
+        // empty query matches everything
+        assert!(!results.is_empty());
+    }
+
+    #[test]
+    fn default_registry_has_templates() {
+        let reg = build_default_registry();
+        assert!(reg.get_all().len() > 30);
+        assert!(!reg.categories().is_empty());
+    }
+
+    #[test]
+    fn domain_extraction() {
+        let tpl = sample_template("t", "Test", "https://www.example.com/path", "X");
+        assert_eq!(tpl.domain(), Some("example.com".into()));
+    }
+}