feat(safari): localstorage extraction

[moonD4rk]

Summary

• Closes the last unchecked item in feat: add Safari browser support on macOS #565 — Safari localStorage.
• Handles Safari 17+'s nested WebKit layout (WebsiteDataStore/<uuid>/Origins/<h>/<h>/LocalStorage/localstorage.sqlite3 for named profiles, WebsiteData/Default/... for the default), including the binary SecurityOrigin file and UTF-16 LE value decoding. Reports the frame origin so partitioned storage is attributed correctly.
• New RFC-011 documents Safari data storage end-to-end; defers Keychain content to RFC-006 §7.

Test plan

• go test ./browser/safari/... -count=1 (21 new LocalStorage tests + existing suite)
• go test ./... -count=1
• golangci-lint run ./...
• gofumpt -l browser/safari/ + goimports -l -local github.com/moond4rk/hackbrowserdata browser/safari/
• GOOS=linux + GOOS=windows cross-compile
• Live run on macOS Safari (2 profiles): 110 entries across 18 origins; sqlite3 ground-truth cross-check on weather.com (24 rows) matches HBD output; explicit-port origin (http://192.168.50.102:30002) rendered correctly alongside default-port sibling.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 76.04167% with 46 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.66%. Comparing base (d75738b) to head (3c0ffe0).
⚠️ Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
browser/safari/extract_storage.go	74.01%	28 Missing and 18 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #582      +/-   ##
==========================================
+ Coverage   73.55%   73.66%   +0.11%     
==========================================
  Files          57       58       +1     
  Lines        2401     2586     +185     
==========================================
+ Hits         1766     1905     +139     
- Misses        481      509      +28     
- Partials      154      172      +18     

Flag	Coverage Δ
unittests	73.66% <76.04%> (+0.11%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

Adds Safari LocalStorage extraction support by traversing Safari 17+ WebKit “Origins” layout, parsing the binary origin file for correct (partition-aware) attribution, decoding UTF-16LE values, and documenting Safari storage end-to-end.

Changes:

• Implement Safari LocalStorage extraction + counting from the nested WebKit Origins layout (including origin-file parsing and UTF-16LE decoding).
• Wire LocalStorage source discovery for default and named Safari profiles (directory sources + acquisition).
• Add a new Safari storage RFC and comprehensive Safari LocalStorage tests/fixtures.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
rfcs/011-safari-data-storage.md	Documents Safari storage locations/formats (incl. LocalStorage Origins layout) and platform quirks.
browser/safari/source.go	Adds LocalStorage directory sources for default and named profiles.
browser/safari/safari.go	Hooks LocalStorage into extract/count category dispatch.
browser/safari/extract_storage.go	Implements Origins traversal, origin-file parsing, and localStorage.sqlite3 reading/decoding.
browser/safari/testutil_test.go	Adds fixtures to generate nested Origins layout + origin/localstorage DB test data.
browser/safari/extract_storage_test.go	Adds unit + end-to-end tests for origin parsing, UTF-16 decoding, extraction, and counting.
browser/safari/safari_test.go	Extends profile/source resolution tests and category extract/count tests for LocalStorage.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Origin parsing tests only cover originEncASCII via encodeOriginFile. Consider adding a case where scheme/host are stored with originEncUTF16, plus a case asserting unknown encoding bytes are rejected (once handled), to cover the remaining branches in readOriginString.

[Copilot]

originEncASCII is documented as Latin-1/ASCII, but this branch converts bytes with string(chunk) (UTF-8). If WebKit stores Latin-1 here, non-ASCII bytes will be mis-decoded. Consider decoding ISO-8859-1 (similar to browser/chromium/extract_storage.go’s decodeLatin1) to match the documented encoding.

[Copilot]

The default branch silently accepts unknown origin string encodings by returning string(chunk). This can propagate corrupted scheme/host into output URLs. Consider returning an error on unknown encodings (similar to Chromium’s decodeChromiumString behavior) so the caller can skip the partition cleanly.

[Copilot]

ItemTable key is scanned into sql.NullString but key.Valid is not checked. If a row has a NULL key, it will be emitted as an empty string, potentially causing collisions and misleading output. Consider skipping rows where key.Valid is false (or logging and continuing).

Suggested change

	}
	}
	if !key.Valid {
	log.Debugf("safari localstorage: skip row with NULL key in %s", path)
	continue
	}

[Copilot]

countLocalStorage currently calls extractLocalStorage and decodes all values just to compute a count. For large Origins trees this can be significantly slower than necessary during CountEntries. Consider counting without value decoding (e.g., traverse origin dirs and run SELECT COUNT(*) per localstorage.sqlite3, summing results).

Suggested change

	entries, err := extractLocalStorage(root)
	if err != nil {
	return 0, err
	}
	return len(entries), nil
	}
	dirs, err := findOriginDataDirs(root)
	if err != nil {
	return 0, err
	}
	total := 0
	for _, od := range dirs {
	dbPath := filepath.Join(od, webkitLocalStorageSubdir, webkitLocalStorageDB)
	n, err := countLocalStorageFile(dbPath)
	if err != nil {
	log.Debugf("safari localstorage: db %s: %v", dbPath, err)
	continue
	}
	total += n
	}
	return total, nil
	}
	func countLocalStorageFile(dbPath string) (int, error) {
	db, err := sql.Open("sqlite", dbPath)
	if err != nil {
	return 0, err
	}
	defer db.Close()
	var count int
	if err := db.QueryRow(`SELECT COUNT(*) FROM ItemTable`).Scan(&count); err != nil {
	return 0, err
	}
	return count, nil
	}

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

immutable=1 disables WAL replay, but the extractor is reading from the temp copy of the Origins directory (and the repo’s filemanager.Session copies WAL/SHM). Dropping immutable=1 and keeping read-only access will make localStorage extraction include committed data that hasn’t been checkpointed yet.

[Copilot]

Querying ItemTable without an ORDER BY can yield nondeterministic output ordering across runs/SQLite versions. Consider ordering by key (and/or rowid) to keep exports stable and tests/consumers deterministic.

Suggested change

	rows, err := db.Query(`SELECT key, value FROM ItemTable`)
	rows, err := db.Query(`SELECT key, value FROM ItemTable ORDER BY key, rowid`)

[Copilot]

readOriginFile returns the raw os.ReadFile error without path context, which makes debug logs harder to interpret. Wrap the error with the filename (e.g. fmt.Errorf("read origin file %s: %w", path, err)) for consistent diagnostics with the rest of this package.

Suggested change

	return "", err
	return "", fmt.Errorf("read origin file %s: %w", path, err)

[Copilot]

This fixture helper always serializes scheme/host as originEncASCII and uses len(s) (UTF-8 byte length) as the record length. That diverges from WebKit’s origin encoding rules and will produce malformed fixtures if a test ever uses non-ASCII/Latin-1 hosts (or wants to cover UTF-16 origin records). Consider encoding Latin-1 bytes explicitly when possible and falling back to UTF-16 LE with originEncUTF16 (and a byte-length) for other strings.

Suggested change

	func appendOriginRecord(buf []byte, s string) []byte {
	lenBytes := make([]byte, 4)
	binary.LittleEndian.PutUint32(lenBytes, uint32(len(s)))
	buf = append(buf, lenBytes...)
	buf = append(buf, originEncASCII)
	return append(buf, []byte(s)...)
	func encodeOriginRecordString(s string) (byte, []byte) {
	latin1 := make([]byte, 0, len(s))
	for _, r := range s {
	if r > 0xFF {
	u16 := utf16.Encode([]rune(s))
	encoded := make([]byte, 2*len(u16))
	for i, v := range u16 {
	binary.LittleEndian.PutUint16(encoded[i*2:], v)
	}
	return originEncUTF16, encoded
	}
	latin1 = append(latin1, byte(r))
	}
	return originEncASCII, latin1
	}
	func appendOriginRecord(buf []byte, s string) []byte {
	enc, payload := encodeOriginRecordString(s)
	lenBytes := make([]byte, 4)
	binary.LittleEndian.PutUint32(lenBytes, uint32(len(payload)))
	buf = append(buf, lenBytes...)
	buf = append(buf, enc)
	return append(buf, payload...)

[Copilot]

The error returned here doesn’t include the root path, which makes it harder to trace which profile/store failed when multiple Origins roots are processed. Including root in the formatted message would improve diagnostics.

Suggested change

	return nil, fmt.Errorf("read origins root: %w", err)
	return nil, fmt.Errorf("read origins root %s: %w", root, err)

[Copilot]

Using immutable=1 here prevents SQLite from replaying a copied -wal file. filemanager.Session.Acquire copies WAL/SHM companions, so counting against only the main DB can undercount committed localStorage entries that are still in WAL. Prefer opening the copied DB with read-only mode (e.g. mode=ro without immutable=1) so WAL is applied on the snapshot, or explicitly document/justify intentionally ignoring WAL.