Scope
Phase 3 added 73 Tauri IPC commands across 10 files. The dashboard-only commands check window-label authorization, but three different patterns coexist for the same intent. This cross-PR drift is visible only at milestone scope.
Finding
- Locations:
  - crates/forge-shell/src/credentials_ipc.rs:111 — local authz_check() helper
  - crates/forge-shell/src/memory_ipc.rs:197 (and :233, :257, :284) — require_window_label_in(&webview, &["dashboard"], false, ...)
  - crates/forge-shell/src/containers_ipc.rs:290 — crate::ipc::require_window_label(&webview, CONTAINERS_OWNER_LABEL, ...)
  - crates/forge-shell/src/ipc.rs:1520 — require_window_label_in(&webview, &["dashboard"], true, ...) (dashboard OR session)
- Severity: high
- Concern class: IPC command shape consistency
- Estimated effort: small
All three forms emit the same LABEL_MISMATCH_ERROR and log at the same target: "forge_shell::ipc::authz". For dashboard-only commands they are functionally equivalent and semantically identical; the three call shapes exist purely as accidental cross-PR drift, and each new IPC command author has had to choose which one to copy.
The third boolean argument to require_window_label_in (allow_session_prefix) is also load-bearing and undocumented at call sites: false means dashboard-only, true means dashboard-or-session. Without a clear name for this flag, future authors will guess.
Remediation
- Retire credentials_ipc::authz_check(). Migrate its callers to require_window_label.
- Standardize: dashboard-only → require_window_label(&webview, "dashboard", ...); dashboard-or-session → keep require_window_label_in but rename the third arg from allow_session_prefix to allow_any_session and add a doc comment.
- Update containers_ipc::CONTAINERS_OWNER_LABEL to use the same helper.
- Add a single doc comment in ipc.rs documenting the two patterns and when to use each.
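The two standardized shapes, written out as an added example (not forge-shell's own code) to show how a named policy replaces the undocumented bool and what the strict and permissive checks admit. Assumptions: the Tauri webview is stood in for by its label string, and session windows carry a "session-" prefix (the page only says "session prefix"); the error constant name and log target are taken from the finding.

```rust
/// Which callers a command admits. Replaces the bare `bool` at call sites,
/// so the intent is visible where the check is made.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum WindowPolicy {
    /// Strict: only the listed labels (the dashboard-only case).
    Exact,
    /// Permissive: the listed labels or any session window.
    AllowAnySession,
}

pub const LABEL_MISMATCH_ERROR: &str = "window label not authorized for this command";
// Assumption: session windows are labelled "session-<id>".
const SESSION_PREFIX: &str = "session-";

/// Strict form, mirroring `require_window_label(&webview, "dashboard", ...)`.
pub fn require_window_label(label: &str, allowed: &str) -> Result<(), &'static str> {
    require_window_label_in(label, &[allowed], WindowPolicy::Exact)
}

/// Permissive-capable form, mirroring `require_window_label_in` with the
/// third argument named instead of a bool.
pub fn require_window_label_in(
    label: &str,
    allowed: &[&str],
    policy: WindowPolicy,
) -> Result<(), &'static str> {
    // Exact match only: "dashboard2" must not pass as "dashboard".
    let exact = allowed.iter().any(|a| *a == label);
    // Session windows need a non-empty id after the prefix; a bare "session-" is rejected.
    let session = policy == WindowPolicy::AllowAnySession
        && label.starts_with(SESSION_PREFIX)
        && label.len() > SESSION_PREFIX.len();
    if exact || session {
        Ok(())
    } else {
        // One log target for every call shape, so a single detection rule covers all of them.
        eprintln!(
            "[forge_shell::ipc::authz] denied label={label:?} allowed={allowed:?} policy={policy:?}"
        );
        Err(LABEL_MISMATCH_ERROR)
    }
}

fn main() {
    println!("{:?}", require_window_label("dashboard", "dashboard"));
    println!("{:?}", require_window_label("session-42", "dashboard"));
    println!("{:?}", require_window_label_in("session-42", &["dashboard"], WindowPolicy::AllowAnySession));
}
```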
Definition of Done
- Call sites standardized (require_window_label for strict, require_window_label_in for permissive)
- credentials_ipc::authz_check removed
- Doc comment in ipc.rs documenting the two patterns
- cargo clippy --all-targets --all-features -- -D warnings clean