driftwood/docs/plans/2026-02-27-audit-fixes-design.md

Audit Fixes Design

Goal

Fix all 29 findings from the full codebase audit, organized by severity tier with build verification between tiers.

Approach

Fix by severity tier (Critical -> High -> Medium -> Low). Run cargo build after each tier to catch regressions early.

Tier 1: Critical (5 items)

#1 - security.rs: Fix unsquashfs argument order

detect_version_from_binary passes appimage_path after the extract pattern. unsquashfs expects the archive before patterns. Move appimage_path before the file pattern, remove the -e flag.

#2 - integrator.rs: Quote Exec path in .desktop files

Exec={exec} %U breaks for paths with spaces. Change to Exec="{exec}" %U.

#3 - duplicates.rs: Fix compare_versions total order

compare_versions("1.0", "v1.0") returns Less both ways (violates antisymmetry). Use clean_version() on both inputs for the equality check.

#4 - inspector.rs: Chunk-based signature detection

detect_signature reads entire files (1.5GB+) into memory. Replace with BufReader reading 64KB chunks, scanning each for the signature bytes.

#5 - updater.rs: Read only first 12 bytes in verify_appimage

Replace fs::read(path) with File::open + read_exact for just the ELF/AI magic bytes.

Tier 2: High (6 items)

#6 - database.rs: Handle NULL severity in CVE summaries

get_cve_summary and get_all_cve_summary fail on NULL severity. Change to Option<String>, default None to "MEDIUM".

#7 - inspector.rs: Fix deadlock in extract_metadata_files

Piped stderr + .status() can deadlock. Change to Stdio::null() since we don't use stderr.

#8 - updater.rs: Fix glob_match edge case

After matching the last part with ends_with, reduce the search text before checking middle parts.

#9 - backup.rs: Prevent archive filename collisions

Use relative paths from home directory instead of bare filenames, so two dirs with the same leaf name don't collide.

#10 - launcher.rs: Async crash detection

Remove the 1.5s blocking sleep from execute_appimage. Return Started immediately with the Child. Callers (already async) handle crash detection by polling the child after a delay.

#11 - launcher.rs: Drop stderr pipe on success

After returning Started, either drop child.stderr or use Stdio::null() for stderr to prevent pipe buffer deadlock on long-running apps.

Tier 3: Medium (9 items)

#12 - window.rs: Gate scan on auto-scan-on-startup

Wrap self.trigger_scan() in if self.settings().boolean("auto-scan-on-startup").

#13 - window.rs: Fix window size persistence

Change self.default_size() to (self.width(), self.height()).

#14 - widgets.rs: Fix announce() for any container

Change announce() to not require a gtk::Box - use a more generic approach or fix callers to pass the correct widget type.

#15 - detail_view.rs: Claim gesture in lightbox

Add gesture.set_state(gtk::EventSequenceState::Claimed) in the picture click handler.

#16 - cli.rs: Use serde_json for JSON output

Replace hand-crafted format! JSON with serde_json::json!().

#17 - style.css: Remove dead @media blocks

Delete @media (prefers-color-scheme: dark) and @media (prefers-contrast: more) blocks. libadwaita named colors already adapt.

#18 - gschema.xml + detail_view.rs: Wire detail-tab persistence

Save active tab on switch, restore on open.

#19 - metainfo.xml: Remove invalid categories

Delete <categories> block (already in .desktop file, invalid in metainfo per AppStream spec).

#20 - fuse.rs: Byte-level search

Replace String::from_utf8_lossy().to_lowercase() with direct byte-level case-insensitive search using windows().

Tier 4: Low (9 items)

#21 - wayland.rs: Tighten env var detection

Remove WAYLAND_DISPLAY from fallback heuristic. Keep only GDK_BACKEND and QT_QPA_PLATFORM.

#22 - inspector.rs: Add ELF magic validation

Check \x7fELF magic and endianness byte before parsing e_machine.

#23 - updater.rs: Add timeout to extract_update_info_runtime

Add 5-second timeout to prevent indefinite blocking.

#24 - launcher.rs: Handle quoted args

Use a shell-like tokenizer that respects double-quoted strings in parse_launch_args.

#25 - (merged with #20)

#26 - window.rs: Stop watcher timer on window destroy

Return glib::ControlFlow::Break when window_weak.upgrade() returns None.

#27 - gschema.xml: Add choices/range constraints

Add <choices> to enumerated string keys, <range> to backup-retention-days.

#28 - style.css: Remove unused CSS classes

Delete .quick-action-pill, .badge-row, .detail-view-switcher, base .letter-icon.

#29 - style.css/app_card.rs: Fix status-ok/status-attention

Define CSS rules for these classes or remove the class additions from code.

Verification

After each tier: cargo build with zero errors and zero warnings. After all tiers: manual app launch test.