release: v1.4.7 — opacity dim fix, audit hardening, UI consistency pass

Opacity: faded page content now dims toward a black backdrop (fv-dimmed
class) instead of washing out to white — CSS opacity blends toward the
backdrop, and under the layered window's uniform alpha only a black
backdrop reads as desktop showing through.

Security: strict CSP for app pages (landing script moved to src/main.js),
IPC fallback capture validates Tauri internals shape, window titles strip
control characters, startup click-through recovery logs failures.

Bugs: bookmark/hotkey commands return bool so JS can distinguish success
from IPC failure (local bookmark state no longer diverges); hotkey resume
retries once before giving up; urls_match compares userinfo.

Performance: media MutationObservers debounced to one full scan per 150ms;
title/URL fallback polls 2s/3s → 10s with pushState/replaceState/hashchange
hooks and title-observer re-attach.

UI/UX: landing page restyled to the strip's warm-orange/dark-gray language;
WCAG contrast bumps; focus-visible coverage for recent items, settings
sliders, context menu; settings sliders mirror the strip slider; radius and
shadow tokens; popup mutual exclusion includes the volume popup; URL bar
selection/caret styling, select-all-on-click, text-height highlight.

Maintainability: AppConfig gains config_version for future migrations;
AGENTS.md/README/designdoc updated.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Author: davidtorcivia

AGENTS.md

@@ -34,7 +34,8 @@ cd src-tauri && cargo test   # Run unit tests
 ```
 floatview/
 ├── src/
-│   └── index.html              # Landing page (URL input)
+│   ├── index.html              # Landing page (URL input)
+│   └── main.js                 # Landing page logic (external so the CSP can stay strict)
 ├── src-tauri/
 │   ├── src/
 │   │   ├── main.rs             # Binary shim; just calls `floatview::run()`
@@ -165,6 +166,7 @@ This ensures that:
 
 ```rust
 pub struct AppConfig {
+    pub config_version: u32,        // schema version; bump on rename/restructure, NOT additions
     pub window: WindowConfig,       // x, y, width, height, monitor, always_on_top, opacity, locked
     pub last_url: Option<String>,
     pub recent_urls: Option<Vec<String>>,
@@ -177,6 +179,8 @@ pub struct AppConfig {
 }
 ```
 
+New fields only need `#[serde(default)]`. If you rename, retype, or restructure a field, bump `CONFIG_VERSION` in `config.rs` and branch on the stored `config_version` during load so old configs migrate instead of silently resetting.
+
 ### Tray Menu Dynamic Updates
 
 The tray uses `CheckMenuItem` for **Always on Top** and **Click-Through Mode**, with check marks that mirror the current state, and a conditional **Install Update vX.Y.Z** item that's disabled until an update is available.
@@ -273,10 +277,16 @@ Key injection.js features:
 
 17. **Opacity clamping** -- Always go through `config::clamp_opacity`; it snaps near-opaque to 1.0 (lets the Windows backend drop `WS_EX_LAYERED`) and rejects non-finite inputs that would otherwise poison the saved config.
 
-18. **Title truncation** -- `set_window_title` calls `truncate_title`, which respects UTF-8 char boundaries. Do NOT revert to `&title[..N]` slicing; it panics on multi-byte codepoints that any page can craft into a title.
+17b. **Opacity dim backdrop** -- Below full opacity, page content is faded with CSS (`--fv-content-opacity`) while the window alpha floors at `WINDOW_ALPHA_FLOOR`. While faded, `applyContentOpacity` puts an `fv-dimmed` class on `<html>` that forces a **black** html/body backdrop: CSS opacity blends content toward the backdrop, and under the layered window's uniform alpha a black backdrop reads as "desktop showing through" whereas the default white backdrop washes the page out to milky white. Don't remove the class toggle when touching the opacity path.
+
+17c. **Unit-returning commands look like failures in JS** -- The JS `invoke()` wrapper returns `null` on IPC failure, and Tauri serializes `Result<(), _>` success as `null` too. Commands whose callers need to distinguish success (bookmarks, pause/resume hotkeys) return `Ok(true)` instead of `Ok(())`. Follow that pattern for new commands when the JS side gates state changes on success.
+
+18. **Title truncation** -- `set_window_title` calls `truncate_title`, which strips control characters (page-supplied titles can embed newlines/NUL to garble or spoof the title bar) and respects UTF-8 char boundaries. Do NOT revert to `&title[..N]` slicing; it panics on multi-byte codepoints that any page can craft into a title.
 
 19. **Capabilities** -- The `global-shortcut` plugin's JS register/unregister permissions are NOT granted. Hotkey management is Rust-only; don't add those permissions without a matching JS feature.
 
+20. **CSP** -- `tauri.conf.json` sets a strict CSP that applies to the app's own pages (the landing page) only — external sites bring their own. It allows `script-src 'self'` and no inline scripts, which is why the landing page logic lives in `src/main.js` instead of an inline `<script>`. Keep it that way; Tauri appends its own nonces for the scripts it injects.
+
 ## Testing
 
 Run unit tests in `src-tauri/` (via `cargo test`). Test manually:

README.md

@@ -250,6 +250,8 @@ Configuration files are stored separately and not removed by default:
 
 This program will not transfer any information to other networked systems unless specifically requested by the user. The only automated network request is the optional **Check for Updates** feature in Settings, which queries the [GitHub Releases API](https://github.com/davidtorcivia/floatview/releases) to check for new versions. No personal data, telemetry, or usage statistics are collected or transmitted.
 
+Note that, like most desktop browsers, FloatView stores its settings — including bookmarks, recent URLs, and the last visited page — as plain-text JSON in your local app-data folder. Anyone with access to your user account (or disk) can read that file, so treat shared machines accordingly. **Clear Recent** / **Clear Bookmarks** in Settings remove those lists, and **Clear Site Data** wipes the webview's cookies and storage.
+
 ## License
 
 [MIT](LICENSE)

designdoc.md

@@ -1,4 +1,4 @@
-# FloatView — Technical Design Document (v3, updated for v1.1.0)
+# FloatView — Technical Design Document (v4, updated for v1.4.7)
 
 ## Overview
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "floatview",
-  "version": "1.4.6",
+  "version": "1.4.7",
   "description": "A minimal floating browser window for streaming media on a secondary monitor",
   "scripts": {
     "tauri": "tauri",

src-tauri/Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "floatview"
-version = "1.4.6"
+version = "1.4.7"
 description = "A minimal floating browser window for streaming media"
 authors = ["David Torcivia"]
 license = "MIT"

src-tauri/Cargo.toml

@@ -159,11 +159,13 @@ pub async fn pause_global_hotkeys(
     app: AppHandle,
     state: tauri::State<'_, AppState>,
     token: String,
-) -> Result<(), String> {
+) -> Result<bool, String> {
     authorize_command(&state, &token, "pause_global_hotkeys")?;
     use tauri_plugin_global_shortcut::GlobalShortcutExt;
     let _ = app.global_shortcut().unregister_all();
-    Ok(())
+    // bool (not unit) so the JS invoke wrapper — which maps IPC failures
+    // to null — can tell success apart from failure.
+    Ok(true)
 }
 
 /// Re-register global shortcuts from the current config. Pair with
@@ -174,10 +176,11 @@ pub async fn resume_global_hotkeys(
     app: AppHandle,
     state: tauri::State<'_, AppState>,
     token: String,
-) -> Result<(), String> {
+) -> Result<bool, String> {
     authorize_command(&state, &token, "resume_global_hotkeys")?;
     crate::hotkeys::register_hotkeys(&app);
-    Ok(())
+    // See pause_global_hotkeys for why this returns bool, not unit.
+    Ok(true)
 }
 
 #[tauri::command]
@@ -680,10 +683,15 @@ pub async fn set_window_title(
 /// Truncate a window title to a Win32-safe byte length, respecting UTF-8 char
 /// boundaries. A naive `&s[..253]` panics when byte 253 lands inside a
 /// multi-byte codepoint, which any page can trigger by crafting a title.
+///
+/// Control characters are stripped first: the title is page-supplied, and
+/// embedded control codes (newlines, NUL, C0/C1) can garble taskbar/title
+/// rendering or spoof multi-line text.
 fn truncate_title(title: &str) -> String {
     const MAX_BYTES: usize = 256;
+    let title: String = title.chars().filter(|c| !c.is_control()).collect();
     if title.len() <= MAX_BYTES {
-        return title.to_string();
+        return title;
     }
     let ellipsis = "...";
     let budget = MAX_BYTES - ellipsis.len();
@@ -702,35 +710,39 @@ pub async fn add_bookmark(
     state: tauri::State<'_, AppState>,
     url: String,
     token: String,
-) -> Result<(), String> {
+) -> Result<bool, String> {
     authorize_command(&state, &token, "add_bookmark")?;
     let url = normalize_url(&url)?;
     let mut config = state.config.lock().map_err(|e| e.to_string())?;
     if config.bookmarks.iter().any(|b| urls_match(b, &url)) {
-        return Ok(());
+        return Ok(true);
     }
     if config.bookmarks.len() >= MAX_BOOKMARKS {
         return Err(format!("Bookmark limit reached (max {MAX_BOOKMARKS})"));
     }
     config.bookmarks.push(url);
     save_config(&state, &config);
     drop(config);
-    Ok(())
+    // Returns a value (not unit) so the JS invoke wrapper — which maps IPC
+    // failures to null — can tell success apart from failure.
+    Ok(true)
 }
 
 #[tauri::command]
 pub async fn remove_bookmark(
     state: tauri::State<'_, AppState>,
     url: String,
     token: String,
-) -> Result<(), String> {
+) -> Result<bool, String> {
     authorize_command(&state, &token, "remove_bookmark")?;
     let url = normalize_url(&url)?;
     let mut config = state.config.lock().map_err(|e| e.to_string())?;
     config.bookmarks.retain(|u| !urls_match(u, &url));
     save_config(&state, &config);
     drop(config);
-    Ok(())
+    // Returns a value (not unit) so the JS invoke wrapper — which maps IPC
+    // failures to null — can tell success apart from failure.
+    Ok(true)
 }
 
 #[tauri::command]
@@ -804,6 +816,14 @@ mod tests {
         assert_eq!(truncate_title(title), title);
     }
 
+    #[test]
+    fn truncate_title_strips_control_characters() {
+        assert_eq!(
+            truncate_title("Line one\nLine two\r\0\u{1b}[31m"),
+            "Line oneLine two[31m"
+        );
+    }
+
     #[test]
     fn truncate_title_appends_ellipsis_past_limit() {
         let title = "a".repeat(300);

src-tauri/src/commands.rs

@@ -104,8 +104,21 @@ pub struct CropConfig {
     pub height: f64,
 }
 
+/// Current config schema version. Bump ONLY when a field is renamed,
+/// retyped, or restructured — plain additions are covered by
+/// `#[serde(default)]`. Load code can branch on the stored value to
+/// migrate old files instead of silently resetting user data.
+pub const CONFIG_VERSION: u32 = 1;
+
+fn default_config_version() -> u32 {
+    // Pre-1.4.7 configs have no version field; they are schema v1.
+    CONFIG_VERSION
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct AppConfig {
+    #[serde(default = "default_config_version")]
+    pub config_version: u32,
     pub window: WindowConfig,
     pub last_url: Option<String>,
     pub recent_urls: Option<Vec<String>>,
@@ -133,6 +146,7 @@ fn default_true() -> bool {
 impl Default for AppConfig {
     fn default() -> Self {
         Self {
+            config_version: CONFIG_VERSION,
             window: WindowConfig::default(),
             last_url: None,
             recent_urls: Some(Vec::new()),