release: v1.5.0 — audit hardening, JS test harness, CI lint gate

Author: davidtorcivia

.github/workflows/build.yml

@@ -27,8 +27,49 @@ jobs:
         run: |
           gh release delete nightly --repo "${{ github.repository }}" --cleanup-tag --yes || echo "no nightly release to delete"
 
-  build:
+  # Fast fail gate: runs the Rust + JS test/lint suites on a cheap Linux
+  # runner in parallel with the reset-nightly gate, and the build matrix
+  # waits on it so a formatting slip, clippy warning, or failing test
+  # blocks the release artifacts rather than being discovered mid-build.
+  lint:
     needs: reset-nightly
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Install Rust stable (with fmt + clippy)
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt, clippy
+
+      - name: Rust cache
+        uses: swatinem/rust-cache@v2
+        with:
+          workspaces: src-tauri -> target
+
+      - name: cargo fmt --check
+        working-directory: src-tauri
+        run: cargo fmt --check
+
+      - name: cargo clippy (-D warnings)
+        working-directory: src-tauri
+        run: cargo clippy --all-targets -- -D warnings
+
+      - name: cargo test
+        working-directory: src-tauri
+        run: cargo test
+
+      - name: Install Node.js
+        uses: actions/setup-node@v5
+        with:
+          node-version: 22
+
+      - name: node --test (JS url helpers)
+        run: node --test "js/**/*.test.mjs"
+
+  build:
+    needs: [reset-nightly, lint]
     permissions:
       contents: write
     strategy:

js/urltest.mjs

@@ -0,0 +1,71 @@
+// Pure-function copies of the URL helpers that live inside FloatView's
+// injected control strip (src-tauri/src/injection.js). Extracted here so
+// they can be exercised under `node --test` without booting the webview.
+//
+// KEEP IN SYNC with:
+//   - injection.js `urlsMatch` (~line 3346)
+//   - injection.js URL-bar normalization logic (~line 3087)
+//   - src-tauri/src/urls.rs `urls_match` / `normalize_url` (the Rust
+//     authoritative copy)
+//
+// The shared Rust/JS truth table lives in src-tauri/src/url_fixtures.rs
+// (`URL_MATCH_CASES`) and is duplicated (with a cross-reference comment)
+// in urltest.test.mjs. Drift between the two is exactly what these tests
+// exist to catch.
+
+/// Compare two URLs for bookmark-style equivalence.
+///
+/// Equal if identical, or if origin + userinfo + path
+/// (trailing-slash-insensitive) + query match. Fragments are ignored.
+///
+/// Userinfo (username/password) is compared explicitly because
+/// `URL.origin` excludes it (RFC 6454): without the check,
+/// `https://user:pass@host/` would silently dedup against plain
+/// `https://host/`. Mirrors Rust `urls::urls_match`.
+export function urlsMatch(a, b) {
+    if (a === b) return true;
+    try {
+        const ua = new URL(a);
+        const ub = new URL(b);
+        return (
+            ua.origin === ub.origin &&
+            ua.username === ub.username &&
+            ua.password === ub.password &&
+            ua.pathname.replace(/\/+$/, '') === ub.pathname.replace(/\/+$/, '') &&
+            ua.search === ub.search
+        );
+    } catch {
+        return false;
+    }
+}
+
+/// Normalize a URL-bar input the way the injected strip does: prepend
+/// `https://` when no scheme is present, and send anything that isn't a
+/// clean http(s) URL (spaces, no dots, an explicit non-http scheme) to
+/// DuckDuckGo as a search. Returns the final href string.
+///
+/// Mirrors the URL-bar handler in injection.js and the normalize+search
+/// fallback in src/main.js.
+export function normalizeUrlInput(raw) {
+    const trimmed = String(raw).trim();
+    if (!trimmed) return null;
+
+    let url = trimmed;
+    if (!/^https?:\/\//.test(url)) {
+        if (url.includes(' ') || (!url.includes('.') && !url.includes(':'))) {
+            return 'https://duckduckgo.com/?q=' + encodeURIComponent(trimmed);
+        }
+        url = 'https://' + url;
+    }
+
+    let parsed;
+    try {
+        parsed = new URL(url);
+    } catch {
+        parsed = null;
+    }
+    if (!parsed || !/^https?:$/.test(parsed.protocol)) {
+        return 'https://duckduckgo.com/?q=' + encodeURIComponent(trimmed);
+    }
+    return parsed.toString();
+}

js/urltest.test.mjs

@@ -0,0 +1,86 @@
+// Test suite for the JS URL helpers, run via `node --test`
+// (or `npm test`, which the package.json "test" script wires to
+// `node --test js/`).
+//
+// The URL_MATCH_CASES array below is a MANUAL DUPLICATE of
+// src-tauri/src/url_fixtures.rs::URL_MATCH_CASES. The Rust file is the
+// source of truth — when you change a case there, change it here too.
+// A shared JSON file would avoid the duplication but would add a build
+// step; a duplicated array with this cross-reference is the pragmatic
+// zero-dependency choice. The Rust side independently asserts its own
+// table in urls::tests::urls_match_matches_shared_truth_table.
+
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { urlsMatch, normalizeUrlInput } from './urltest.mjs';
+
+const URL_MATCH_CASES = [
+    ['https://example.com/', 'https://example.com/', true],
+    ['https://example.com/', 'https://example.com', true],
+    ['https://example.com/path', 'https://example.com/path/', true],
+    ['https://example.com/?q=1', 'https://example.com?q=1', true],
+    ['https://example.com/a', 'https://example.com/b', false],
+    ['https://example.com/', 'http://example.com/', false],
+    ['https://example.com/?q=1', 'https://example.com/?q=2', false],
+    ['https://example.com/a#frag', 'https://example.com/a', true],
+    ['https://a.example.com/', 'https://b.example.com/', false],
+    ['https://user:pass@example.com/', 'https://example.com/', false],
+    ['https://alice@example.com/', 'https://bob@example.com/', false],
+    ['https://user:pass@example.com/path', 'https://user:pass@example.com/path/', true],
+    ['https://u@example.com/', 'https://example.com/', false],
+    ['not a url', 'not a url', true],
+    ['not a url', 'https://example.com/', false],
+];
+
+test('urlsMatch agrees with the shared Rust/JS truth table', () => {
+    URL_MATCH_CASES.forEach(([a, b, expected], i) => {
+        assert.equal(
+            urlsMatch(a, b),
+            expected,
+            `case #${i}: urlsMatch(${JSON.stringify(a)}, ${JSON.stringify(b)}) expected ${expected}`,
+        );
+    });
+});
+
+test('normalizeUrlInput adds https scheme to bare hosts', () => {
+    assert.equal(normalizeUrlInput('example.com'), 'https://example.com/');
+});
+
+test('normalizeUrlInput sends multi-word input to DuckDuckGo', () => {
+    assert.equal(
+        normalizeUrlInput('rust web framework'),
+        'https://duckduckgo.com/?q=rust%20web%20framework',
+    );
+});
+
+test('normalizeUrlInput sends dotless non-port input to DuckDuckGo', () => {
+    assert.equal(
+        normalizeUrlInput('localhost search term'),
+        'https://duckduckgo.com/?q=localhost%20search%20term',
+    );
+});
+
+test('normalizeUrlInput keeps an explicit https URL canonical', () => {
+    assert.equal(normalizeUrlInput('https://example.com/foo?q=1'), 'https://example.com/foo?q=1');
+});
+
+test('normalizeUrlInput prepends https to a dotted non-http scheme (matches injection.js URL bar)', () => {
+    // The injected URL bar's heuristic only special-cases spaces and
+    // dotless/portless input; anything else with a `.` gets `https://`
+    // prepended. So `ftp://example.com` (which contains a dot) becomes
+    // `https://ftp//example.com` — odd, but it's the documented URL-bar
+    // behavior, NOT a search. (The landing page `src/main.js` is stricter
+    // and would send this to search; the two paths genuinely differ.)
+    // Pinning the URL-bar semantics here so a future "cleanup" doesn't
+    // silently change what the strip does.
+    assert.equal(normalizeUrlInput('ftp://example.com'), 'https://ftp//example.com');
+});
+
+test('normalizeUrlInput trims whitespace', () => {
+    assert.equal(normalizeUrlInput('  example.com  '), 'https://example.com/');
+});
+
+test('normalizeUrlInput rejects empty input', () => {
+    assert.equal(normalizeUrlInput(''), null);
+    assert.equal(normalizeUrlInput('   '), null);
+});

package.json

@@ -1,11 +1,12 @@
 {
   "name": "floatview",
-  "version": "1.4.7",
+  "version": "1.5.0",
   "description": "A minimal floating browser window for streaming media on a secondary monitor",
   "scripts": {
     "tauri": "tauri",
     "dev": "tauri dev",
-    "build": "tauri build"
+    "build": "tauri build",
+    "test": "node --test \"js/**/*.test.mjs\""
   },
   "devDependencies": {
     "@tauri-apps/cli": "^2"

src-tauri/Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "floatview"
-version = "1.4.7"
+version = "1.5.0"
 description = "A minimal floating browser window for streaming media"
 authors = ["David Torcivia"]
 license = "MIT"

src-tauri/Cargo.toml

@@ -2,11 +2,30 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
+    <!--
+      Hardened-runtime entitlements. Kept as narrow as possible:
+
+      - allow-jit: required for the WKWebView/JavaScriptCore JIT that the
+        Tauri shell relies on for page execution. Dropping this would
+        force JIT-LESS mode and tank page performance.
+
+      Deliberately NOT granted (previously cargo-culted from Tauri
+      templates; nothing in this app uses them):
+        - com.apple.security.cs.allow-unsigned-executable-memory
+          Only needed for runtimes that map writable+executable memory
+          themselves (some game engines, older JIT runtimes). WKWebView
+          handles this internally under allow-jit.
+        - com.apple.security.cs.allow-dyld-environment-variables
+          Only needed for dynamic-linker injection (DYLD_INSERT_LIBRARIES),
+          which this app never uses; granting it widens the attack
+          surface for library injection.
+
+      If a future macOS build regression appears right after a change
+      here, the fastest revert is to re-add the dropped keys above. The
+      macOS build is gated in CI (.github/workflows/build.yml) so a
+      breakage surfaces on the next push, not at release.
+    -->
     <key>com.apple.security.cs.allow-jit</key>
     <true/>
-    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
-    <true/>
-    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
-    <true/>
 </dict>
 </plist>

src-tauri/Entitlements.plist

@@ -74,15 +74,36 @@ pub fn do_install_update(app: &AppHandle) {
     });
 }
 
-pub async fn install_update(app: AppHandle) -> Result<bool, String> {
+/// Check for an update and, if one exists, download + install it.
+///
+/// `on_chunk` receives `(chunk_bytes, total_bytes)` deltas during the
+/// download so callers can drive a progress UI; pass a no-op for the
+/// silent tray path. Returns `Ok(true)` if an update was installed,
+/// `Ok(false)` if none was available, `Err(_)` on failure. The caller
+/// owns restart-on-success and status-event emission — those differ
+/// between the tray (best-effort, restarts from `do_install_update`) and
+/// the JS command (emits granular status + restarts itself), so they
+/// stay at the call sites rather than being baked in here.
+pub async fn install_update_with_progress<F>(
+    app: AppHandle,
+    mut on_chunk: F,
+) -> Result<bool, String>
+where
+    F: FnMut(u64, Option<u64>) + Send + 'static,
+{
     let updater = app.updater().map_err(|e| e.to_string())?;
-    if let Some(update) = updater.check().await.map_err(|e| e.to_string())? {
-        info!(version = %update.version, "Installing update from native action");
-        update
-            .download_and_install(|_, _| {}, || {})
-            .await
-            .map_err(|e| e.to_string())?;
-        return Ok(true);
-    }
-    Ok(false)
+    let Some(update) = updater.check().await.map_err(|e| e.to_string())? else {
+        return Ok(false);
+    };
+    info!(version = %update.version, "Installing update from native action");
+    update
+        .download_and_install(move |chunk, total| on_chunk(chunk as u64, total), || {})
+        .await
+        .map_err(|e| e.to_string())?;
+    Ok(true)
+}
+
+pub async fn install_update(app: AppHandle) -> Result<bool, String> {
+    // Silent tray path: no per-chunk progress reporting.
+    install_update_with_progress(app, |_, _| {}).await
 }