about summary refs log tree commit diff stats
Commit message (Collapse)AuthorAgeFilesLines
* sandbox: UXKartik K. Agaram2021-12-251-1/+3
|
* sandbox: another scenario, some UX ideasKartik K. Agaram2021-12-251-0/+8
| | | | | | | | | | | | | I'd originally thought of allowing policies to be influenced by arbitrary code. But that may be overkill: - it's probably not a good idea to allow policies to read/write from file system - it's even less a good idea to allow policies to access the network - particularly since it's difficult (error-prone) to distinguish GET/POST in arbitrary protocols - once you allow file system and network, you're pretty close to owned So let's first focus on the simplest policy, the one that is easiest to secure. We'll add capabilities to policies as we gain confidence we can secure them.
* sandbox: record scenarios I've thought of so farKartik K. Agaram2021-12-251-4/+24
|
* sandbox: no system()Kartik K. Agaram2021-12-252-8/+5
| | | | | Too hard to sandbox. Maybe we'll get back to it if there's some use case only it can satisfy.
* .Kartik K. Agaram2021-12-251-2/+2
|
* stop futzing around and start sandboxingKartik K. Agaram2021-12-244-0/+937
|
* clarify 'hardcoded colors' in the ReadmeKartik K. Agaram2021-12-241-1/+2
|
* .Kartik K. Agaram2021-12-231-0/+7
|
* toot-toot: support backspace on MacKartik K. Agaram2021-12-231-1/+1
|
* toot-toot: cursor_down now handles wrapping linesKartik K. Agaram2021-12-231-8/+31
|
* clean up debug printsKartik K. Agaram2021-12-231-9/+0
|
* toot-toot: plug width into cursor movementKartik K. Agaram2021-12-231-3/+4
|
* cleaner test messageKartik K. Agaram2021-12-231-3/+2
| | | | Was printing over passing tests for some reason.
* toot-toot: reorg definitionsKartik K. Agaram2021-12-231-209/+113
|
* toot-toot: clean up historyKartik K. Agaram2021-12-231-233/+60
|
* toot-toot: cursor_up now handles wrapping linesKartik K. Agaram2021-12-231-6/+12
|
* snapshot: more tests for cursor_upKartik K. Agaram2021-12-231-0/+208
| | | | I think this may be all the tests. Now to make them pass..
* toot-toot: more elaborate cursor_upKartik K. Agaram2021-12-221-12/+59
|
* toot-toot: more verbose but clearer cursor_downKartik K. Agaram2021-12-221-16/+44
| | | | I actually got all tests to pass on the first try.
* clean up my debug conlangKartik K. Agaram2021-12-221-6/+0
| | | | | This isn't the ideal implementation either. Pure spaghetti. But I need to clean up the debug prints to see that.
* toot-toot: redo cursor_down as an experimentKartik K. Agaram2021-12-221-9/+30
| | | | | | | I want to support cursor movement across wrapped lines, and the old implementation doesn't seem on the right track for that. Interesting that this required me to add the new symmetric test.
* .Kartik K. Agaram2021-12-221-1/+1
|
* errors during tests are now handledKartik K. Agaram2021-12-221-1/+8
| | | | | | | | | | | | | | | | I should have documented that I'd never actually seen that code path trigger before. Here's a minimal test that did it just now: function test_foo() return a+1 end E2: [string "test_foo"]:2: attempt to perform arithmetic on global 'a' (a nil value) A simple missing variable doesn't do it since it just evaluates to nil. Without this commit, the above test was silently continuing to the main app after failing tests.
* toot-toot: a few more testsKartik K. Agaram2021-12-221-1/+16
| | | | ..before a change in approach.
* .Kartik K. Agaram2021-12-221-29/+19
|
* more precise control over menu orderKartik K. Agaram2021-12-226-12/+26
| | | | I can't believe I didn't notice this until now.
* gemini: back buttonKartik K. Agaram2021-12-221-0/+8
|
* .Kartik K. Agaram2021-12-221-1/+1
|
* .Kartik K. Agaram2021-12-221-8/+4
|
* fix arrow keys in big picture view on MacKartik K. Agaram2021-12-211-5/+5
| | | | Turns out arrow keys are considered `isprint()` on Mac.
* gemini: linksKartik K. Agaram2021-12-211-19/+101
|
* bugfix: ensure definition to edit has some nameKartik K. Agaram2021-12-211-4/+6
|
* less confusing nameKartik K. Agaram2021-12-212-12/+10
|
* arrow keys in big picture viewKartik K. Agaram2021-12-212-12/+105
|
* gemini: echo urls while typing inKartik K. Agaram2021-12-211-0/+3
| | | | Let's see how much we need to tweak this solution.
* gemini: slightly cleaner rendering of owner inputKartik K. Agaram2021-12-211-0/+7
| | | | | | | This still only works if I remove the call to `refresh()` inside `Wgetch()`. With that call no keystrokes are displayed. Looks like ncurses doesn't include user input when refreshing the window. Unclear if there's an easy way to support that while keeping the menu visible.
* nail down trusted Teliva channels a little moreKartik K. Agaram2021-12-219-14/+16
| | | | | | | | | | | | | | | | | | | | | | In each session, Teliva has to bootstrap a trusted channel with the computer owner while running arbitrarily untrusted code. So let's get really, really precise about what the trusted channel consists of: - the bottom-most row of screen containing the menu - the keystrokes the owner types in - ncurses COLOR_PAIR slots 254 (menu) and 255 (error) One reason the menu colors are important: we don't want people to get used to apps that hide the menu colors by setting default foreground/background to invisible and then drawing their own menu one row up. The error COLOR_PAIR I don't see any reason to carve out right now, but it seems like a good idea for Teliva the framework to not get into the habit of apps doing some things for it. I'm not sure how realistic all this is (I feel quite ill-equipped to think about security), but it seems worthwhile to err on the side of paranoia. Teliva will be paranoid so people don't have to be.
* keep Teliva apps from pretending to be TelivaKartik K. Agaram2021-12-212-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Kind of a subtle idea. Teliva the framework is intended to be trustworthy software that people install on their computers. The apps people run using Teliva may be less trustworthy. The whole point of Teliva is to provide a sandbox for running code before you trust it. One way (of many) apps can be malicious is by subtly getting between what people see and reality. Imagine, for example, an app that draws a fake menu bar and offers a different hotkey to edit source code. When someone presses that hotkey they think they're using the standard Teliva editor but they're really using an editor within the app, which the app uses to hide its most malicious bits from view. Down the road Teliva will have more bits of UI, such as for asking for permission to read sensitive data. It's important that people understand what they're granting permission to, that apps can't tamper with the communications channel between them and Teliva. This is likely just one of many ways for an app to break out of its sandbox. Teliva isn't sandboxed yet. I'm just taking my first steps on this journey. In particular, there are other mechanisms for asking for user input besides `getch()`. I don't yet have a big-picture view of the Teliva sandbox. It seems clear that I need to educate people on the difference between different parts of screen. Depending on the app you install, most of the screen may be a dark forest. It'll be important to know where the safe path is, where you can speak to trusted advisors while in the forest.
* minor tweaksKartik K. Agaram2021-12-213-22/+3
|
* gemini: ctrl-g to open a new pageKartik K. Agaram2021-12-211-67/+115
|
* start of a gemini browserKartik K. Agaram2021-12-201-0/+357
|
* fix stale readmeKartik K. Agaram2021-12-201-4/+3
|
* document dbgKartik K. Agaram2021-12-182-0/+4
|
* toot-toot: save prose somewhereKartik K. Agaram2021-12-181-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This is still quite klunky. Don't expect toot-toot to be a complete text editor. In particular, it'll happily lose toot data if you try to edit the app while editing a toot. Teliva is paranoid about avoiding data loss, but toot-toot.tlv is not. Mostly I just want toot-toot to interact with the clipboard. The only reason save exists is that copying directly from within the app inserts spurious line breaks. So now I'm saving to file, then `cat`ing file, then copying each toot out. I initially tried to use ctrl-s for the save hotkey, but that conflicts with terminal flow-control, and it's not obvious how ncurses manages IXON. And I don't want to go around ncurses and do something that's very likely to be unportable. Even ctrl-w, I worry that there are terminals out there that will close tab or something stupid like that. Feature wish list: - a hook to execute after exit. Just calling os.exit() doesn't work because the screen still clears any final prints when Teliva exits. Not sure how to handle this. Ncurses doesn't seem to have anything beyond endwin() for cleaning up after itself. - a hook to execute before exit, for things like asking for confirmation/save - a place for 'flash' notification messages, like that the file was saved
* pay more attention to where we display the cursorKartik K. Agaram2021-12-183-1/+4
| | | | | It's still just in app control; I'm resisting the urge to introduce "smarts".
* streamline an app; pull useful stuff into templateKartik K. Agaram2021-12-182-8813/+87
|
* drop ASan from MakefileKartik K. Agaram2021-12-181-2/+2
| | | | | Accidentally added at some point. It's a useful debugging aide, but I don't want to require the additional dependencies on a first run.
* mention programming framework in ReadmeKartik K. Agaram2021-12-181-0/+6
|
* ctrl-u: clear proseKartik K. Agaram2021-12-172-2/+98
|
* bug: handle digits in proseKartik K. Agaram2021-12-171-4/+686
| | | | | Lua has some Javascript-esque gotchas here. Too quick to coerce between types.