Repairs the CI Windows compile (first build to reach the Rust after the web/
case-collision failures cleared): these two COM interfaces live in
windows::Win32::UI::Shell::Common (feature Win32_UI_Shell_Common), not
System::Com nor Shell. Added the feature; corrected the import.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
script-src drops unsafe-inline/blob/data/http/https (any-origin script exec is
gone); the single inline shim in index.html is hash-pinned; object-src 'none',
base-uri 'self'. Kept deliberately: 'unsafe-eval' (the window.eval native→web
bridge + crypto wasm), broad connect-src (arbitrary homeservers), http: in
img/media (plain-http homeservers), and review-added allowances for Google
Fonts (VT323) and the OpenStreetMap location iframe.
NEEDS RUNTIME SMOKE ON WINDOWS before release (CI can't catch CSP breakage):
boot, avatars/media, VT323 renders, location map embeds, calls connect, deep
links navigate.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
From the deep-audit wave (reviewer-verified: capability identifiers valid, no
removed-crate references, GDI free ordering correct):
- Removed 8 never-registered plugins (clipboard-manager, fs, shell, http,
process, os, dialog, global-shortcut) from Cargo.toml AND their capability
grants (shell:allow-execute, unscoped fs writes, http:default, …) — verified
the web never invokes any of them. A latent RCE-class surface is gone.
- on_new_window: only http/https/mailto reach the OS opener (file:///custom
schemes previously bypassed the opener capability scope entirely).
- set_badge_count: freed hdc + hdc_screen on all three GDI error paths
(leaked per badge update in a long-running tray app).
- 8s reveal failsafe gated by an AtomicBool: no longer re-shows a window the
user closed to tray; page-load reveal now fires once only (logout reloads
don't re-surface a tray-hidden window); recovery for a missed page-load
event preserved.
- toast.rs: store pruned on Activated too + capped at 20 (was unbounded).
- Startup no longer panics when the bundled icon is missing (tray skipped
gracefully); msSmartScreenProtection no longer disabled (throttling
disables kept); rust-version corrected to 1.77.2.
- release.yml update-manifest: fails on empty signatures (was: could publish
a manifest that traps Windows users in a failed-update loop); partial-
failure window documented. Deleted the stale upstream tauri.yml workflow.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Four unresolved-import/type errors from the release build (first real compile):
- toast.rs: generic IMap moved to the windows-collections crate; read the reply
from the ValueSet returned by UserInput() directly (HasKey/Lookup are exposed
on the class).
- jumplist.rs: PROPVARIANT lives in Win32::System::Com::StructuredStorage (not
windows::core); IObjectArray/IObjectCollection in Win32::System::Com (not
UI::Shell); PKEY_Title in Win32::Storage::EnhancedStorage (feature added);
build the title PROPVARIANT via From<&str> (VT_LPWSTR).
- smtc.rs: event registrations return a plain i64 token in windows 0.61 (the
EventRegistrationToken newtype is gone).
- thumbbar.rs: HICON was imported inside the fn body but used in its signature —
fully qualify the return type.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Brings in the TitleBar drag fix (explicit window_start_drag) and the expanded
custom accent coverage (links, ::selection, focus rings).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Root cause: lib.rs applies a Mica backdrop to the main window at startup;
set_custom_chrome then stripped the frame with set_decorations(false), and
Mica + frameless is a broken combination on Windows (DWM backdrop glitches
the whole surface).
- set_custom_chrome: clear_mica() before undecorating, re-apply_mica() when
restoring the native frame; set_shadow(true) so the frameless window keeps
its drop shadow + resize borders.
- window-state plugin: exclude StateFlags::DECORATIONS — the chrome toggle
owns the decorated flag; restoring a saved decorated=false at startup would
recreate the Mica-on-frameless glitch before the web side loads.
Pairs with the web-side TitleBar drag fix (explicit window_start_drag on
mousedown instead of data-tauri-drag-region) in the cinny repo.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add WebView2 additional_browser_args to disable Chromium background throttling
(--disable-background-timer-throttling / -renderer-backgrounding /
-backgrounding-occluded-windows) so the existing JS Matrix /sync loop and
notifications keep running full-speed when the app is closed to the tray, instead
of standing up a second headless Rust sync client. Tauri's default WebView2 args
are preserved (setting this overrides them). Windows/WebView2 only; does not block
system sleep (that's P5-46, calls-only). CI Windows compile pending.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- toast.rs: Windows.UI.Notifications rich toast (reply input + Send action);
in-process Activated event → emit lotus-notification-activate {path} (click) /
lotus-notification-reply {roomId,text}. Falls back to tauri-plugin-notification
(WinRT error / non-Windows). The NOTIFICATION_BRIDGE now routes notifications
carrying a roomId (tag) to show_rich_toast. Features: UI_Notifications,
Data_Xml_Dom, Foundation_Collections.
- focus_assist.rs: SHQueryUserNotificationState poll thread → emit
focus-assist-changed {active} on QUNS_QUIET_TIME/PRESENTATION/D3D_FULLSCREEN/BUSY.
No new Cargo features.
CI Windows compile pending (no local Rust toolchain). Runtime caveat: WinRT toasts
need a Start-menu shortcut + matching AppUserModelID (org.lotusguild.lotus-chat);
without it CreateToastNotifier errors and the code falls back to the plugin.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Adds a `native/` module system (each feature = its own module exposing
`#[tauri::command]`s + optional `setup`; `emit_to_web` pushes DOM CustomEvents to
the web like `forward_deeplink`). Wired into generate_handler! + native::setup;
windows-crate feature union added to Cargo.toml.
- power.rs (P5-46): SetThreadExecutionState held on the main thread while a call
is active; released on end. Cross-platform (no-op off Windows).
- jumplist.rs (P5-36): ICustomDestinationList "Recent Rooms" of IShellLink tasks
launching the exe with a matrix: arg (existing deep-link handler opens the room).
- thumbbar.rs (P5-44): ITaskbarList3 ThumbBar Mute/Deafen/End (GDI HICONs) + a
window subclass catching THBN_CLICKED → emit thumbbar-action.
- smtc.rs (P5-43): WinRT SystemMediaTransportControls via GetForWindow; ButtonPressed
→ smtc-action; call-state command. (Experimental for a non-media app.)
- network.rs (P5-49): INetworkListManager poll thread → emit network-changed.
- chrome.rs (P5-47): cross-platform window-control commands + set_custom_chrome
(set_decorations) for the opt-in TDS titlebar.
NOT compile-verified locally (no Rust/Windows toolchain on the dev box) — this is
for the CI Windows compile pass (GitHub test.yml / Gitea windows runner). Expect a
possible fixup round (windows-crate feature/namespace paths, e.g. subclass APIs).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The injected notification bridge defined `permission` as a getter-only property.
When the notification plugin / a polyfill assigned `Notification.permission`, it
threw "Cannot set property permission of function TauriNotification ... which has
only a getter" at page load. Add a no-op setter so it still reads 'granted' but
assignment can't crash.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>