security: gate lxma://test-* deep-link handlers behind #if DEBUG

torlando-agent[bot] · claude · torlando-agent[bot] · commit f0090c053141 · 2026-05-31T04:17:33.000-04:00
The test-only URL handlers (test-call, test-send, test-identity-switch,
test-restart, test-ble-*, etc.) were registered unconditionally in
onOpenURL. In a release build that ships remote-control backdoors: a
crafted lxma://test-call?to=HEX places a call, test-send sends a message
from the user's identity, and test-identity-switch wipes the active
identity — all from just opening a URL. Wrap the whole test block in
#if DEBUG; the production lxma:// fall-through (pendingDeepLink) stays
outside the guard, and the interop harness runs DEBUG builds so it's
unaffected. (Smoke tests use a separate lxma-test:// surface.)

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
diff --git a/Sources/ColumbaApp/App/ColumbaApp.swift b/Sources/ColumbaApp/App/ColumbaApp.swift
@@ -75,6 +75,15 @@ struct ColumbaApp: App {
             .id(ThemeManager.shared.themeVersion)
             .onOpenURL { url in
                 guard url.scheme == "lxma" else { return }
+                #if DEBUG
+                // Test-only deep links — DEBUG builds ONLY. In a release build
+                // these would be remote-control backdoors: a crafted
+                // lxma://test-call / test-send / test-identity-switch URL could
+                // place a call, send a message as the user, or wipe the active
+                // identity with no interaction beyond opening the URL. The
+                // interop test harness runs DEBUG builds, so it keeps them; the
+                // production lxma:// deep-link fall-through (pendingDeepLink,
+                // below) stays outside this guard.
                 // Test trigger: lxma://test-send?to=HEX&content=...
                 // bypasses the UI and directly invokes PythonRNSBackend.sendOpportunistic
                 // so external scripts can exercise the Python round-trip during the smoke test.
@@ -345,6 +354,7 @@ struct ColumbaApp: App {
                     )
                     return
                 }
+                #endif
                 pendingDeepLink = url.absoluteString
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,15 @@ struct ColumbaApp: App {`
`75`	`75`	`.id(ThemeManager.shared.themeVersion)`
`76`	`76`	`.onOpenURL { url in`
`77`	`77`	`guard url.scheme == "lxma" else { return }`
	`78`	`+ #if DEBUG`
	`79`	`+ // Test-only deep links — DEBUG builds ONLY. In a release build`
	`80`	`+ // these would be remote-control backdoors: a crafted`
	`81`	`+ // lxma://test-call / test-send / test-identity-switch URL could`
	`82`	`+ // place a call, send a message as the user, or wipe the active`
	`83`	`+ // identity with no interaction beyond opening the URL. The`
	`84`	`+ // interop test harness runs DEBUG builds, so it keeps them; the`
	`85`	`+ // production lxma:// deep-link fall-through (pendingDeepLink,`
	`86`	`+ // below) stays outside this guard.`
`78`	`87`	`// Test trigger: lxma://test-send?to=HEX&content=...`
`79`	`88`	`// bypasses the UI and directly invokes PythonRNSBackend.sendOpportunistic`
`80`	`89`	`// so external scripts can exercise the Python round-trip during the smoke test.`
`@@ -345,6 +354,7 @@ struct ColumbaApp: App {`
`345`	`354`	`)`
`346`	`355`	`return`
`347`	`356`	`}`
	`357`	`+ #endif`
`348`	`358`	`pendingDeepLink = url.absoluteString`
`349`	`359`	`}`
`350`	`360`	`}`