Skip to content

feat: add secure Provider Guard for session visibility#1517

Open
k9ight000 wants to merge 1 commit into
BigPizzaV3:mainfrom
k9ight000:codex/provider-guard-script-market
Open

feat: add secure Provider Guard for session visibility#1517
k9ight000 wants to merge 1 commit into
BigPizzaV3:mainfrom
k9ight000:codex/provider-guard-script-market

Conversation

@k9ight000

Copy link
Copy Markdown

Summary

  • add a read-only Provider Guard bridge status endpoint
  • add native-manager-only backup and repair flow for stable provider id \custom`n- inspect SQLite provider buckets without returning credentials or private endpoint details
  • harden script marketplace downloads with HTTPS/loopback restrictions, size limits, and mandatory SHA-256 verification
  • explicitly keep repair unavailable to injected marketplace scripts

Safety

  • marketplace JavaScript can only inspect status and open the native manager
  • repair requires a native manager confirmation
  • config is backed up and rechecked before atomic update
  • provider sync keeps its existing session/SQLite backup and rollback behavior
  • no API keys, tokens, full URLs, or config contents are returned to injected scripts

Verification

  • frontend unit tests: 14 passed
  • marketplace JS syntax and manifest hash verified
  • full Rust/TypeScript/build verification delegated to GitHub Actions because the local machine has no Rust toolchain or installed frontend dependencies

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant