Apply updated Codex repository kit

2026-05-03 22:22:57 +02:00
parent b2e09396ba
commit c02413813b
10 changed files with 335 additions and 1 deletions
--- a/docs/security-review.md
+++ b/docs/security-review.md
@@ -0,0 +1,55 @@
+# Security Review
+
+## Scope
+
+Project:
+
+```text
+Modrinth Plus
+```
+
+Reviewed version or commit:
+
+```text
+main
+```
+
+## Code Patterns Checked
+
+- [ ] No `eval`.
+- [ ] No dynamic `Function` constructor.
+- [ ] No unsafe HTML injection.
+- [ ] No unexpected shell execution.
+- [x] External network calls documented for Connected Library.
+- [x] No private Connected Library credentials are persisted in v1.
+- [x] Connected Library requires HTTPS manifest and `.mrpack` URLs.
+
+## Dependency Review
+
+Command:
+
+```bash
+pnpm --filter @modrinth/app-frontend run lint
+cargo clippy --package theseus
+```
+
+Result:
+
+```text
+Pending successful Gitea Actions run.
+```
+
+## Runtime Review
+
+- [x] Connected Library manifests are stored locally in SQLite.
+- [x] Connected Library auto-update is disabled by default.
+- [x] `GITEA_TOKEN` is only for local agent API checks, not runtime app use.
+- [ ] Full Tauri runtime permission review pending.
+
+## Release Notes
+
+Known residual risks:
+
+```text
+Connected Library update behavior is conservative and does not yet implement strict removed-file sync.
+```