fix(security): wave 3 — rendererLog hardening, binary SHA256, Sentry env tag

- main.ts: rendererLog now caps each arg at 4 KiB and redacts when the
  serialized payload matches credential-like patterns (Authorization,
  bearer, jwt, password). Earlier renderer XSS could pour the entire
  localStorage (incl. daemon JWT) into main.log via one IPC call.
- BinaryCatalog.cs: BinaryRelease record gained optional Sha256 field.
- BinaryDownloader.cs: verifies Sha256 before publishing the archive
  under its final name. Mismatch deletes the temp file and throws.
  Missing Sha256 logs a WARN — current static catalog has unhashed
  legacy rows; once those are populated this should hard-fail.
- src/main.ts (renderer): Sentry now tags events with environment
  (production/development) + release nks-wdc-electron@<version>,
  matching the main-process Sentry init.

Author: lukyrys

src/daemon/NKS.WebDevConsole.Core/Models/BinaryCatalog.cs

@@ -12,7 +12,13 @@ public sealed record BinaryRelease(
     string Arch,        // "x64", "arm64"
     string ArchiveType, // "zip", "tar.gz", "tar.xz"
     string Source,      // "apachelounge", "php.net", "dev.mysql.com" — for attribution
-    string? UserAgent = null  // some sites (apachelounge) require browser UA
+    string? UserAgent = null,  // some sites (apachelounge) require browser UA
+    // Lowercase hex SHA-256 of the archive bytes. Optional today (the
+    // static catalog ships entries without hashes) but the BinaryDownloader
+    // verifies whenever a value is present, so populating this field on
+    // an existing entry retroactively hardens the download against MITM
+    // / cache-poisoning of the upstream CDN. New entries SHOULD include it.
+    string? Sha256 = null
 );
 
 /// <summary>

src/daemon/NKS.WebDevConsole.Daemon/Binaries/BinaryDownloader.cs

@@ -72,11 +72,47 @@ public async Task<string> DownloadAsync(
             }
         }
 
+        // Integrity check BEFORE publishing the archive under its final
+        // name — otherwise a poisoned upstream CDN/mirror could swap the
+        // binary underneath us and BinaryManager would cheerfully extract
+        // and execute a backdoored mysqld/php-cgi/httpd. When the catalog
+        // entry carries an Sha256 we MUST match it; if it doesn't, log a
+        // WARN so support bundles surface the gap and the maintainer can
+        // backfill the entry (current static catalog has many unhashed
+        // legacy rows — once those are populated this should hard-fail
+        // on missing Sha256 too, mirroring the plugin downloader).
+        if (!string.IsNullOrWhiteSpace(release.Sha256))
+        {
+            var actual = await ComputeSha256Async(tempPath, ct);
+            if (!actual.Equals(release.Sha256, StringComparison.OrdinalIgnoreCase))
+            {
+                try { File.Delete(tempPath); } catch { /* best-effort cleanup */ }
+                throw new InvalidOperationException(
+                    $"SHA256 mismatch for {release.App} {release.Version}: " +
+                    $"expected {release.Sha256}, got {actual}. Refusing to install.");
+            }
+            _logger.LogInformation("SHA256 verified for {App} {Version}", release.App, release.Version);
+        }
+        else
+        {
+            _logger.LogWarning(
+                "No SHA256 in catalog for {App} {Version} — install proceeds without integrity check",
+                release.App, release.Version);
+        }
+
         File.Move(tempPath, archivePath, overwrite: true);
         _logger.LogInformation("Downloaded {App} {Version} ({Size} bytes)", release.App, release.Version, new FileInfo(archivePath).Length);
         return archivePath;
     }
 
+    private static async Task<string> ComputeSha256Async(string path, CancellationToken ct)
+    {
+        using var stream = File.OpenRead(path);
+        using var sha = System.Security.Cryptography.SHA256.Create();
+        var hash = await sha.ComputeHashAsync(stream, ct);
+        return Convert.ToHexString(hash).ToLowerInvariant();
+    }
+
     public async Task<string> ExtractAsync(
         string archivePath,
         string destinationDir,

src/frontend/electron/main.ts

@@ -1265,10 +1265,45 @@ ipcMain.handle('reveal-in-folder', async (_evt, targetPath: string) => {
 // posts `{ level, args }` via this channel; we fan it into the main
 // logger at the matching level. Dropped messages fail-closed (return
 // false) so the renderer doesn't block on unresponsive main.
+// Cap on the serialized payload size — renderer XSS could otherwise dump
+// the entire localStorage (including the daemon JWT) into main.log via a
+// single rendererLog() call. 4 KiB is enough for a normal stack trace +
+// a few breadcrumb objects but cuts off attacker dumps long before any
+// useful credential material lands on disk.
+const RENDERER_LOG_MAX_BYTES = 4096
+// Substrings whose presence in a log argument signals likely credential
+// material. Matched against each argument's JSON-stringified form; if a
+// match hits we drop that argument entirely and replace with a redaction
+// marker so the surrounding context still lands in the log.
+const RENDERER_LOG_REDACT_PATTERNS = [
+  /authorization\s*[:=]/i,
+  /\btoken\s*[=:]/i,
+  /bearer\s+[A-Za-z0-9._\-+/=]{16,}/i,
+  /\bjwt\b/i,
+  /password\s*[:=]/i,
+]
+
+function safeRendererLogArg(arg: unknown): unknown {
+  let serialized: string
+  try {
+    serialized = typeof arg === 'string' ? arg : JSON.stringify(arg)
+  } catch {
+    return '[unserializable]'
+  }
+  if (serialized.length > RENDERER_LOG_MAX_BYTES) {
+    return `${serialized.slice(0, RENDERER_LOG_MAX_BYTES)}…[truncated ${serialized.length - RENDERER_LOG_MAX_BYTES}B]`
+  }
+  for (const pat of RENDERER_LOG_REDACT_PATTERNS) {
+    if (pat.test(serialized)) return '[redacted: contained credential-like pattern]'
+  }
+  return arg
+}
+
 ipcMain.handle('renderer-log', (_evt, payload: { level?: string; args?: unknown[] }) => {
   try {
     const level = (payload?.level ?? 'info').toLowerCase()
-    const args = Array.isArray(payload?.args) ? payload.args : []
+    const rawArgs = Array.isArray(payload?.args) ? payload.args : []
+    const args = rawArgs.map(safeRendererLogArg)
     const fn = (log as unknown as Record<string, (...a: unknown[]) => void>)[level] ?? log.info
     fn('[renderer]', ...args)
     return true

src/frontend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nks-hub/webdev-console",
-  "version": "0.2.24",
+  "version": "0.2.25",
   "description": "Unified local development environment for Windows, macOS, and Linux — manage Apache/Nginx, PHP versions, MySQL/MariaDB, and SSL from one interface.",
   "author": {
     "name": "NKS Hub",

src/frontend/src/main.ts

@@ -73,6 +73,14 @@ try {
   // need the base init to wire up the IPC scope + breadcrumbs.
   Sentry.init({
     ...(VITE_SENTRY_DSN ? { dsn: VITE_SENTRY_DSN } : {}),
+    // Tag every renderer event with the same environment label as the
+    // main process Sentry init (production for packaged builds, otherwise
+    // development). Lets Sentry filter dashboards by deployment without
+    // operators having to remember the URL/release-tag heuristic. Vite's
+    // `import.meta.env.PROD` is true for `vite build` output, false for
+    // `vite dev` — exactly the discriminator we want.
+    environment: import.meta.env.PROD ? 'production' : 'development',
+    release: typeof window.__APP_VERSION__ === 'string' ? `nks-wdc-electron@${window.__APP_VERSION__}` : undefined,
     // Drop benign daemon-disconnect noise. `Failed to fetch` from the
     // shared json() helper in api/daemon.ts fires every time the daemon
     // is restarting (factory reset, SSO callback racing the port file,