.roborev.toml
display_name = "msgvault"
review_guidelines = """
We are using the latest production version of Go.

Please be pragmatic about reviews, raising theoretical or highly
pedantic concerns will result in unnecessary code churn and wasted
review-fix cycles.

The Windows CSV fallback path uses \\N as a NULL sentinel (PostgreSQL
convention) with DuckDB's nullstr option. This is an accepted design
choice — do not flag it as a concern.

HTTP remote defaults, plaintext key display in interactive CLI,
enabled=true override on account creation, and page-aligned pagination
are documented design decisions — see code comments at each site.

This is a single-user personal tool with no privilege separation, no
setuid, no shared directories, and no multi-tenant access. Do not flag
symlink-following, local file overwrites, or similar CWE patterns that
require an attacker with the same privileges as the user — they already
own everything this tool touches. Auth on loopback-only endpoints with
no configured API key is also by design.

IMAP passwords are stored on disk with restricted file permissions
(0600), equivalent to OAuth tokens and API keys in the same data
directory. If the data directory is compromised, the user must rotate
their IMAP app-specific password just as they would revoke API keys.
Do not flag plaintext IMAP password storage as a finding.
"""