security(phase-9): complete security hardening

- Add safeJsonParse utility with schema validation - Migrate tokens to OS keyring storage - Add Ed25519 key encryption at rest - Enable WSS configuration option - Fix JSON.parse in HandParamsForm, WorkflowEditor, WorkflowList - Update test mock data to match valid status values Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-15 19:22:51 +08:00
parent e3d164e9d2
commit a6b1255dc0
10 changed files with 499 additions and 74 deletions
--- a/desktop/src/components/WorkflowEditor.tsx
+++ b/desktop/src/components/WorkflowEditor.tsx
@@ -23,6 +23,7 @@ import {
  AlertCircle,
  GitBranch,
 } from 'lucide-react';
+import { safeJsonParse } from '../lib/json-utils';

 // === Types ===

@@ -163,11 +164,15 @@ function StepEditor({ step, hands, index, onUpdate, onRemove, onMoveUp, onMoveDo
            <textarea
              value={step.params ? JSON.stringify(step.params, null, 2) : ''}
              onChange={(e) => {
-                try {
-                  const params = e.target.value.trim() ? JSON.parse(e.target.value) : undefined;
-                  onUpdate({ ...step, params });
-                } catch {
-                  // Invalid JSON, keep current params
+                const text = e.target.value.trim();
+                if (text) {
+                  const result = safeJsonParse<Record<string, unknown>>(text);
+                  if (result.success) {
+                    onUpdate({ ...step, params: result.data });
+                  }
+                  // If parse fails, keep current params
+                } else {
+                  onUpdate({ ...step, params: undefined });
                }
              }}
              placeholder='{"key": "value"}'