Skip to content

refactor: remove unused capability kernel#288

Merged
chhoumann merged 1 commit into
masterfrom
refactor/remove-capability-kernel
Jul 11, 2026
Merged

refactor: remove unused capability kernel#288
chhoumann merged 1 commit into
masterfrom
refactor/remove-capability-kernel

Conversation

@chhoumann

Copy link
Copy Markdown
Owner

Remove the unshipped schema-v3 and capability-network architecture before any user data can migrate into it.

The capability aggregate was constructed and disposed by the plugin lifecycle but had no production feed, download, playback, or transcription consumer. This deletes that complete dependency closure and removes the now-dead lifecycle wiring.

The review boundary intentionally preserves:

  • the refactor: separate feed retrieval from parsing #278 retrieval/parsing split and injected FeedDocumentSource
  • LiteralTargetClassifier and its tests for the follow-up assertFetchableUrl fold-in
  • schema-v2 persistence and its hostile-input handling
  • SecretStorage-backed OpenAI and Deepgram credentials

requestUrl's concrete host limitations remain documented in capability-neutral language so the next network-boundary PR does not overstate redirect, DNS, peer, or cancellation guarantees.

Review focus:

  • deletion-closure completeness
  • preservation of the parser/retrieval seam and URL classifier
  • absence of any surviving import into the removed modules

Validation:

  • npm run lint
  • npm run format:check
  • npm run typecheck
  • npm run build
  • npm run test - 75 files, 1,121 tests, zero Svelte warnings
  • MkDocs 1.6.1 / Material 9.7.6 build
  • real Obsidian 1.13.0 isolated-vault load, plugin enabled, no captured errors
  • required capability grep over src returns no matches
  • detect-secrets scan over every surviving modified file found no credential values

Bundle impact:

  • raw: 491,646 -> 438,266 bytes (-53,380, -10.9%)
  • gzip: 143,223 -> 128,618 bytes (-14,605, -10.2%)

Release impact: none. This is a behavior-neutral refactor and should not cut a release.

@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying podnotes with  Cloudflare Pages  Cloudflare Pages

Latest commit: 340d9c0
Status: ✅  Deploy successful!
Preview URL: https://71da4cce.podnotes.pages.dev
Branch Preview URL: https://refactor-remove-capability-k.podnotes.pages.dev

View logs

@chhoumann chhoumann marked this pull request as ready for review July 11, 2026 00:12
@chhoumann chhoumann merged commit 6ac0187 into master Jul 11, 2026
6 checks passed
@chhoumann chhoumann deleted the refactor/remove-capability-kernel branch July 11, 2026 00:12
chhoumann added a commit that referenced this pull request Jul 11, 2026
…gate

Route every fetch call site (episode download, streaming, chapters, iTunes
search, Deepgram diarization, feed documents, universal links) through a
single requestWithTimeout gate that classifies the target, bounds request
and response sizes, applies timeouts, and returns redacted typed errors.

Fold LiteralTargetClassifier's stricter address classification into
assertFetchableUrl (full IANA special-purpose IPv4/IPv6 registries,
canonical-form-only literal parsing) and delete the module - the last
remnant of the removed capability architecture.

Replace ad hoc per-site guards with one chokepoint so new call sites
cannot bypass classification. requestUrl's documented limitations (no
per-hop redirect inspection, no native cancellation, buffered bodies)
remain the accepted design ceiling per #288.

Concurrent downloads to the same destination now dedupe on the normalized
destination path with ownership validation instead of racing.
chhoumann added a commit that referenced this pull request Jul 11, 2026
…gate (#290)

* fix(security): consolidate all outbound requests behind one hardened gate

Route every fetch call site (episode download, streaming, chapters, iTunes
search, Deepgram diarization, feed documents, universal links) through a
single requestWithTimeout gate that classifies the target, bounds request
and response sizes, applies timeouts, and returns redacted typed errors.

Fold LiteralTargetClassifier's stricter address classification into
assertFetchableUrl (full IANA special-purpose IPv4/IPv6 registries,
canonical-form-only literal parsing) and delete the module - the last
remnant of the removed capability architecture.

Replace ad hoc per-site guards with one chokepoint so new call sites
cannot bypass classification. requestUrl's documented limitations (no
per-hop redirect inspection, no native cancellation, buffered bodies)
remain the accepted design ceiling per #288.

Concurrent downloads to the same destination now dedupe on the normalized
destination path with ownership validation instead of racing.

* fix(download): defer destination-collision check to the sniffed final path

The fast path threw a destination collision when a foreign file occupied
the provisional URL-extension path, but that path is only a guess - the
probe can resolve a different final extension whose destination is free.
The fast path now returns early only for the registered owner and
otherwise falls through; the collision check runs on the resolved final
path, where it already existed. Costs one Range probe before the error
in the true-collision case. (Codex review finding on #290.)
chhoumann added a commit that referenced this pull request Jul 11, 2026
…sts (#297)

* fix(security): keep generated notes from making browser-managed requests

Feed-controlled show-notes HTML could embed active media elements (img,
audio, video, source, iframe, object, embed, link) whose requests fire
when a generated note renders - reaching feed-selected local/private
targets without ever passing PodNotes' network gate. Markdown image
syntax in feed text formed the same live embeds after conversion.

feedHtmlToMarkdown now strips active elements before htmlToMarkdown
(keeping image alt text), neutralizes Markdown embeds afterwards with
balanced escaping, and the portable resource tags ({{artwork}},
{{episodeartwork}}, {{feedartwork}}, {{stream}}) emit only public
http(s) URLs without embedded credentials - anything else renders as an
empty string.

Deliberate UX change: show-note images render as their alt text instead
of live embeds; a note render is an ambient fetch the reader never
chose, unlike clicking a link (links are preserved).

Ported from the salvaged pre-#288 hardening pass (salvage branch
0bf89a4) onto the current gate API.

* docs: name the DNS-rebinding residual on portable resource URLs

Review follow-up: sanitizePortableResourceUrl blocks literal private and
credentialed targets but a public hostname that DNS-resolves to a private
address still passes - the same ceiling #290 documents, unfixable without
DNS resolution the render layer can't do. Document it rather than imply
complete protection.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant