feat: add Config Presets

[dejely]

Fixes: #2
Fixes: #5

[llamapreview]

AI Code Review by LlamaPReview

🎯 TL;DR & Recommendation

Recommendation: Request Changes
This PR introduces distro presets and dynamic service unit configuration, but removes Content Security Policy protection, exposing the app to potential script injection. Additionally, minor bugs in path handling and a breaking API change need attention.

📄 Documentation Diagram

This diagram documents the first-run setup workflow for distro presets.

sequenceDiagram
    participant User
    participant App
    participant FrontendState
    participant LocalStorage

    User->>App: Opens app
    App->>LocalStorage: Check setupComplete
    alt Not complete
        App->>User: Show preset selection
        User->>App: Select distro preset
        App->>FrontendState: Apply preset defaults
        App->>User: Show project setup
        User->>App: Fill fields and click Continue
        App->>LocalStorage: Save settings
        App->>FrontendState: Set setupComplete = true
        App->>User: Show dashboard
    else Complete
        App->>User: Show dashboard
    end
    note over App,LocalStorage: PR introduces distro presets<br/>and first-run flow

Loading

🌟 Strengths

• Introduces distro presets for easier first-run setup.
• Adds validation for service unit names, improving robustness.

Priority	File	Category	Impact Summary (≤12 words)	Anchors
P1	src-tauri/tauri.conf.json	Security	CSP disabled, losing XSS protection
P2	src-tauri/src/main.rs	Architecture	Breaking API change for get_service_statuses	path:src/App.tsx
P2	src/App.tsx	Bug	Path joining inconsistent on mixed separators

📈 Risk Diagram

This diagram illustrates the security regression caused by disabling CSP, exposing the app to script injection.

sequenceDiagram
    participant App as Tauri Webview
    participant External as Malicious URL/File

    App->>App: User configures phpMyAdminUrl<br/>or opens local file
    App->>External: Load resource (if user-configured)<br/>e.g., phpMyAdminUrl
    External->>App: Serve malicious HTML/JS<br/>(no CSP to block)
    App->>App: Execute injected script<br/>(XSS, data exfiltration)
    note over App: R1(P1): Content Security Policy is null;<br/>script injection and data exfiltration possible

Loading

---

💡 Have feedback? We'd love to hear it in our GitHub Discussions.
✨ This review was generated by LlamaPReview Advanced, which is free for all open-source projects. Learn more.

[llamapreview]

P1 | Confidence: High

The entire csp and devCsp objects have been replaced with "csp": null, effectively disabling Content Security Policy for both production and development. Without CSP, the Tauri webview loses defense-in-depth against script injection, data exfiltration via inline styles, and open-redirect attacks (e.g., if an attacker-controlled phpMyAdminUrl is loaded). The app allows user-configurable URLs and local file paths, which could be used to load malicious HTML/JS. CSP removal is a deliberate regression in the application's security posture.

Suggested change

	"security": {
	"csp": {
	"default-src": "'self' customprotocol: asset:",
	"connect-src": "ipc: http://ipc.localhost",
	"script-src": "'self'",
	"style-src": "'self' 'unsafe-inline'",
	"img-src": "'self' asset: http://asset.localhost blob: data:",
	"font-src": "'self' data:",
	"object-src": "'none'",
	"base-uri": "'none'",
	"form-action": "'none'",
	"frame-ancestors": "'none'",
	"worker-src": "'none'",
	"media-src": "'none'"
	},
	"devCsp": {
	"default-src": "'self' customprotocol: asset: http://localhost:1420",
	"connect-src": "ipc: http://ipc.localhost http://localhost:1420 ws://localhost:1420",
	"script-src": "'self' 'unsafe-eval' http://localhost:1420",
	"style-src": "'self' 'unsafe-inline'",
	"img-src": "'self' asset: http://asset.localhost blob: data:",
	"font-src": "'self' data:"
	}
	"csp": null
	},
	"security": {
	"csp": {
	"default-src": "'self' customprotocol: asset:",
	"connect-src": "ipc: http://ipc.localhost",
	"script-src": "'self'",
	"style-src": "'self' 'unsafe-inline'",
	"img-src": "'self' asset: http://asset.localhost blob: data:",
	"font-src": "'self' data:",
	"object-src": "'none'",
	"base-uri": "'none'",
	"form-action": "'none'",
	"frame-ancestors": "'none'",
	"worker-src": "'none'",
	"media-src": "'none'"
	},
	"devCsp": {
	"default-src": "'self' customprotocol: asset: http://localhost:1420",
	"connect-src": "ipc: http://ipc.localhost http://localhost:1420 ws://localhost:1420",
	"script-src": "'self' 'unsafe-eval' http://localhost:1420",
	"style-src": "'self' 'unsafe-inline'",
	"img-src": "'self' asset: http://asset.localhost blob: data:",
	"font-src": "'self' data:"
	}
	}

[llamapreview]

P2 | Confidence: Medium

The Tauri command get_service_statuses changed from accepting no arguments to requiring a Vec<ServiceRequest>. The frontend caller in src/App.tsx (loadStatuses) has been updated to pass serviceDefinitions. However, the PR does not include any updates to existing integration tests (if any), and the related_context shows no test files. Any future external consumer (e.g., a CLI tool or another frontend) using this command will fail to compile. This is a breaking API change. Since the PR is owned and merged by the same author, the risk is lower, but it introduces a coupling that may break automated workflows or CI that invoke the command directly. Additionally, the old resolve_service fallback is gone; the new approach validates the service name on each call, which is more flexible but requires callers to supply the list consistently.

[llamapreview]

P2 | Confidence: Medium

The joinPaths function uses trimmedRoot.includes("\\") as a heuristic to determine Windows-style joining. If a user supplies a Unix root containing a backslash (e.g., an unusual Unicode path or an embedded escape sequence), the function will incorrectly treat it as a Windows path and produce a backslash‑joined result. More importantly, paths like C:/xampp/htdocs (forward slash) are correctly recognized by isWindowsAbsolutePath but then joined using \\, yielding C:/xampp/htdocs\my-project (mixed separators). On Windows, many APIs accept forward slashes, but mixed separators can cause issues with openPath or PHP server arguments. This inconsistency may lead to failures on Windows when the user enters a path with forward slashes.

Suggested change

	const trimmedRoot = root.trim();
	function joinPaths(root: string, child: string) {
	const trimmedRoot = root.trim();
	const trimmedChild = child.trim().replace(/\\/g, '/');
	const useWindowsStyle = isWindowsAbsolutePath(trimmedRoot) || trimmedRoot.includes('\\');
	return useWindowsStyle
	? `${trimmedRoot.replace(/[\\/]+$/g, '')}\\${trimmedChild.replace(/^[\\/]+/g, '/')}`
	: `${trimmedRoot.replace(/\/+$/g, '')}/${trimmedChild.replace(/^\/+/g, '')}`;
	}