Security
- Move ARL token storage from plaintext JSON to OS credential store (Windows Credential Manager / macOS Keychain / Linux Secret Service) with automatic migration
- Obfuscate Blowfish and AES cryptographic keys at rest in the binary (XOR deobfuscation at runtime)
- Generate real Ed25519/minisign updater signing keypair (replaces placeholder public key)
- Sanitize lyrics HTML output to prevent XSS injection from Deezer API data
- Add path traversal protection to theme load/save/delete operations
- Restrict settings file permissions to `0600` on Unix to protect stored ARL token
- Disable `withGlobalTauri` to prevent exposing Tauri IPC on `window.__TAURI__`
- Remove all verbose debug logging that could leak sensitive settings, user IDs, or session details
- Add CSV formula injection protection to download history export
- Enforce minimum TLS 1.2 and HTTPS-only on the HTTP client
- Remove overly broad `process:default` Tauri capability, scope to `process:allow-restart` only
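The CSV formula injection protection for the history export, shown as an added illustration in Rust (this is not the project's own code; the field names and `history_row` helper are assumptions). It neutralises cells that a spreadsheet would evaluate as formulas and quotes fields per RFC 4180:

```rust
// Added example, not the project's code: harden a CSV export against
// spreadsheet formula injection. Excel/LibreOffice evaluate a cell that
// begins with '=', '+', '-', '@', a tab or a carriage return as a formula,
// so a crafted track or artist name in the download history could execute
// when the exported file is opened. Prefixing a single quote makes the
// cell literal text; quoting per RFC 4180 keeps the row well-formed.

/// Leading characters that make a spreadsheet treat a cell as a formula.
const FORMULA_TRIGGERS: [char; 6] = ['=', '+', '-', '@', '\t', '\r'];

/// Escape one CSV field: neutralise formula triggers, then quote if needed.
pub fn escape_csv_field(raw: &str) -> String {
    let mut value = raw.to_string();
    if value
        .chars()
        .next()
        .map_or(false, |c| FORMULA_TRIGGERS.contains(&c))
    {
        value.insert(0, '\'');
    }
    // Quote the field if it contains a delimiter, a quote or a line break,
    // doubling any embedded quotes (RFC 4180).
    if value.contains(|c: char| matches!(c, ',' | '"' | '\n' | '\r')) {
        format!("\"{}\"", value.replace('"', "\"\""))
    } else {
        value
    }
}

/// Build one export row from a history entry (field set is an assumption).
pub fn history_row(title: &str, artist: &str, path: &str) -> String {
    [title, artist, path]
        .iter()
        .map(|f| escape_csv_field(f))
        .collect::<Vec<_>>()
        .join(",")
}

fn main() {
    // Constructed sample input: a title that would otherwise be evaluated.
    println!("{}", history_row("=1+2", "Artist", "/music/a.mp3"));
}
```

Note that the leading-hyphen rule also neutralises legitimate names such as "-M-"; the quote prefix is visible but harmless, which is the usual trade-off for this mitigation.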