feat: comprehensive project audit, design system, and product improvements #194
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| # Readied — Environment Variables | ||
| # Copy this file to .env and fill in the values. | ||
| # The desktop app runs fully offline — these are only needed for the API and web app. | ||
|
|
||
| # ─── API (Cloudflare Workers) ─────────────────────────────── | ||
| # Set via `wrangler secret put <KEY>` for deployed environments. | ||
| # For local dev, create packages/api/.dev.vars with these values. | ||
|
|
||
| TURSO_DATABASE_URL=libsql://your-db.turso.io | ||
| TURSO_AUTH_TOKEN=your_token_here | ||
| JWT_SECRET=your_secret_here # openssl rand -base64 32 | ||
| RESEND_API_KEY=re_your_key_here # Resend email service | ||
| SITE_URL=https://readied.app | ||
|
|
||
| # ─── Stripe ───────────────────────────────────────────────── | ||
| STRIPE_SECRET_KEY=sk_test_your_key_here | ||
| STRIPE_WEBHOOK_SECRET=whsec_your_secret_here | ||
| STRIPE_PRICE_MONTHLY=price_your_monthly_id_here | ||
| STRIPE_PRICE_ANNUAL=price_your_annual_id_here | ||
|
|
||
| # ─── Admin ────────────────────────────────────────────────── | ||
| ADMIN_TOKEN=your_admin_token_here # Token for /admin endpoints | ||
|
|
||
| # ─── GitHub Actions (repo secrets) ────────────────────────── | ||
| # GH_TOKEN # PAT with repo scope (releases, PRs) | ||
| # CSC_LINK # macOS code signing cert (base64) | ||
| # CSC_KEY_PASSWORD # macOS cert password | ||
| # APPLE_ID # Apple notarization | ||
| # APPLE_APP_SPECIFIC_PASSWORD # Apple app-specific password | ||
| # APPLE_TEAM_ID # Apple Developer Team ID |
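Review bot: the header of this hunk tells the reader to copy the file to `.env` and to create `packages/api/.dev.vars`, but nothing in it says those filled-in copies must never be committed; add a one-line reminder next to the copy instruction (and confirm both paths are covered by `.gitignore`) so real `TURSO_AUTH_TOKEN`, `JWT_SECRET` and `STRIPE_SECRET_KEY` values stay out of the repository. The `ADMIN_TOKEN` line would also benefit from a generation hint like the one already on `JWT_SECRET` (`# openssl rand -base64 32`), since it is the only credential in the file with no guidance on how it should be produced.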
This file was deleted.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| pnpm test && pnpm typecheck | ||
| pnpm typecheck |
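Review bot: dropping `pnpm test &&` from this hook means the local gate now only type-checks, so a commit or push that breaks the test suite is no longer caught before it reaches CI; if the goal is a faster hook, say so in the PR description and make sure `pnpm test` remains a required CI check rather than removing it silently.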
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -53,7 +53,7 @@ | |
| "better-sqlite3": "^11.7.0", | ||
| "cross-fetch": "^4.1.0", | ||
| "diff": "^8.0.2", | ||
| "electron-updater": "^6.6.2", | ||
| "electron-updater": "^6.8.3", | ||
| "highlight.js": "^11.11.1", | ||
| "isomorphic-git": "^1.36.1", | ||
| "lucide-react": "^0.562.0", | ||
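Review bot: the `electron-updater` bump from `^6.6.2` to `^6.8.3` is not explained anywhere in the visible PR text; since this package drives the desktop auto-update path, note the reason for the bump in the PR description and confirm the lockfile was regenerated in the same PR so installs are reproducible.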
|
|
@@ -75,7 +75,7 @@ | |
| "@types/react-dom": "^18.2.25", | ||
| "@types/turndown": "^5.0.6", | ||
| "@vitejs/plugin-react": "^4.2.1", | ||
| "electron": "^39.8.5", | ||
| "electron": "^35.7.5", | ||
|
🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Inspect git history for the prior electron version to determine whether this is an upgrade or a downgrade.
git log --oneline -n 20 -- apps/desktop/package.json
git show HEAD~1:apps/desktop/package.json 2>/dev/null | rg -n '"electron"' || true
```

Repository: tomymaritano/readide
Length of output: 145

🌐 Web query:

💡 Result: Electron 35.7.5 was released around late 2025 (after v35.7.0 on 2025-07-02 and before 2026-04-23). It is a security patch primarily fixing CVE-2025-55305 (ASAR Integrity Bypass via resource modification, GHSA-vmqv-hx8q-j7mg), which allows arbitrary code injection by modifying the resources folder when embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses are enabled. The release notes list only a non-security fix for shell.openPath, but security advisories confirm it patches this vulnerability affecting <35.7.5. Electron 35 is end-of-life (Chromium M134, Node 22), with developers urged to upgrade. Electron 39.x (stable release ~Oct/Nov 2025, latest v39.8.x in Mar 2026) uses newer Chromium M142 (vs 35's M134), Node 22.20+, V8 14.2 (vs 13.4). It includes all 35.x security fixes plus many additional Chromium-upstream security patches and Electron-specific fixes for multiple CVEs (e.g., CVE-2026-34764 to CVE-2026-34781 series, fixed in 39.8.0+), such as context isolation bypasses via VideoFrame/contextBridge (CVE-2026-34780), commandLineSwitches injection (CVE-2026-34769), window.open target scoping (CVE-2026-34765), webRequest header injection (CVE-2026-34767), and more. These address renderer sandbox escapes, privilege escalations, and other high-severity issues. 39.x also stabilizes ASAR integrity checking. Upgrade to 39.x for comprehensive security improvements, newer web platform features, and ongoing support (latest three majors supported as of 2026-04-23).

Citations:

🏁 Script executed:

```bash
#!/bin/bash
# Get the git diff for the package.json file to see the actual change
git diff HEAD~1 HEAD -- apps/desktop/package.json | grep -A 3 -B 3 "electron" || echo "No diff available"
# Also try to show the previous version directly
git show HEAD~1:apps/desktop/package.json 2>/dev/null | grep -A 1 -B 1 '"electron"' || echo "Previous version not found"
# Check if there are any other recent commits affecting this file
git log --all --oneline -- apps/desktop/package.json | head -5
```

Repository: tomymaritano/readide
Length of output: 477

Confirm Electron version rollback: This is a downgrade from 39.8.5 to 35.7.5, not the 29→35 upgrade stated in the PR narrative. Git history shows Electron was previously bumped from 29.4.6 → 39.8.4 → 39.8.5 (commits
||
| "electron-builder": "^26.0.12", | ||
| "electron-devtools-installer": "^4.0.0", | ||
| "electron-vite": "^2.1.0", | ||
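Review bot: `"electron": "^35.7.5"` replaces `^39.8.5`, which is a major-version downgrade of the bundled Chromium and Node runtime, not the upgrade the PR narrative describes; unless a concrete 39.x regression forces it, keep `^39.8.5`, and if the rollback is deliberate, record the reason and the security trade-off (the lookup in the thread above reports the 35 line as end-of-life) in the PR description so the change is not merged by accident.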
|
|
||
🧩 Analysis chain

🏁 Script executed:

Repository: tomymaritano/readide
Length of output: 659

Do not swallow sync PR creation failures with `|| echo`. The broad error suppression on line 170 turns authentication, API, rate-limit, and missing-branch errors into silent successes, leaving `develop` unsynced after a release. Check for an existing PR first, then let real `gh pr create` failures fail the workflow.
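As an added example (not the project's workflow and not the reviewer's proposed fix), the script below contrasts the `|| echo` pattern the comment objects to with a check-then-create form; the function names `pr_create_fails`, `swallowed_sync` and `strict_sync` are hypothetical, and the `gh` calls are replaced by stand-in functions and parameters so it runs offline.

```shell
#!/bin/bash
# Added example, not the project's workflow. The `gh` calls are replaced by hypothetical
# stand-ins so this runs offline; in a real workflow `strict_sync` would be fed the count
# from `gh pr list --head <release-branch> --base develop --json number` and the name of a
# function that runs `gh pr create`.

# Stand-in for a `gh pr create` call that fails (bad token, API error, rate limit, missing branch).
pr_create_fails() {
  echo "error: HTTP 401: Bad credentials" >&2
  return 1
}

# The pattern flagged in review: the `||` branch runs on ANY failure and its `echo` exits 0,
# so the step reports success and `develop` silently stays unsynced.
swallowed_sync() {
  pr_create_fails || echo "PR creation skipped"
  return $?   # status of `echo`, i.e. 0, no matter why pr_create_fails failed
}

# Hardened pattern: skip only when a PR for this head/base pair already exists; otherwise
# call create and propagate its exit status so the job fails loudly.
#   $1 = number of existing open PRs for the head/base pair (result of the `gh pr list` lookup)
#   $2 = name of the function that performs the create
strict_sync() {
  local existing="$1" create_fn="$2"
  if [ "$existing" -gt 0 ]; then
    echo "sync PR already open, nothing to do"
    return 0
  fi
  "$create_fn"   # no `||`: a real failure becomes the step's exit status
}
```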