No description
Find a file
Johannes Millan 542da1eb6c
fix(sync): isolate file-provider state across target changes (#9063)
* fix(sync): invalidate file-provider target state on config change

Task 2 (sync-simplification plan), core increment. The file adapter keys all
per-target state (sync version, revs, vector clocks, seq cursor, within-cycle
caches) by provider id only, and nothing cleared it on a configuration save. A
provider switch, an account switch behind the same provider id, or an
identity-affecting setting change would reuse the previous target's state
against the new target — reading or writing one target's data against another.

- Extract the delete-all reset into a shared _resetTargetState() over a single
  _targetScopedMaps source of truth; this also closes the one-field gap where
  deleteAllData never cleared _lastRecoveredCorruptRev.
- Add invalidateAllTargets() (+ a target generation counter for the later
  in-flight guard) and call it from WrappedProviderService's existing
  providerConfigChanged$ subscription.

Machine-only token refreshes go through the credential store (setComplete), not
setProviderConfig, so they do not fire providerConfigChanged$ and correctly do
not invalidate.

Remaining Task 2 scope (follow-ups): Electron LocalFile picker + Android
setupSaf ingresses that bypass providerConfigChanged$, and in-flight generation
validation before each remote side effect (incl. the #9023 REPAIR rebase loop).

* fix(sync): invalidate file target on LocalFile picker/SAF change

Task 2 follow-up. The Electron LocalFile folder picker (persists main-side
post-#8228) and Android setupSaf() (writes safFolderUri to the credential store)
change the sync target without going through setProviderConfig(), so they never
fired providerConfigChanged$ — leaving the file adapter's per-target revs/clocks/
caches (keyed only by the unchanged LocalFile provider id) pointed at the old
folder. Route both ingresses through the existing providerConfigChanged$ signal
via a module-level bridge, so WrappedProviderService clears its cache and calls
invalidateAllTargets() exactly as it does for a config save.

Remaining Task 2 scope: in-flight generation validation before each remote side
effect (incl. the #9023 REPAIR rebase loop).

* fix(sync): abort file upload when the target changes mid-operation

Task 2 follow-up (in-flight guard). The file adapter keys per-target state by
provider id, and the same provider object reads live config, so a target switch
(provider/account/folder/identity-affecting setting) DURING an upload would let
the in-flight write commit the previous target's merged data to the new target.

Capture the target generation at the _uploadOps boundary and thread a
write-guarded provider (Proxy over uploadFile/removeFile) through every write
path — single-file, split, REPAIR snapshot, and backups. A generation bump
(invalidateAllTargets) between capture and a write throws FileSyncTargetChangedError
before the write; reads pass through. SyncWrapper maps it to UNKNOWN_OR_CHANGED
(silent self-healing re-sync), like a concurrent-upload rev mismatch.

Residual (documented): a check->write TOCTOU window remains (narrowed, not
closed), and the REPAIR rebaseStaleRepair loop across RejectedOpsHandlerService/
RepairOperationService is not yet generation-threaded (follow-up #2b).

Tests: adapter guard (mid-op abort writes nothing; removeFile guarded; reads
pass), sync-wrapper mapping (silent UNKNOWN_OR_CHANGED).

* fix(sync): extend in-flight target guard to snapshot uploads

Completes the Task 2 in-flight guard. #2a guarded _uploadOps, but the file
adapter has a SECOND remote-write entry point — uploadSnapshot/_uploadSnapshot
(initial/recovery/migration + the #9023 REPAIR snapshot via
_conditionalUploadRepairSnapshot and its backups) — which bypassed _uploadOps
and was left unguarded. Apply the same generation-capture-at-boundary +
write-guarded-provider shadow to _uploadSnapshot.

The REPAIR rebase loop itself needs no guard: rebaseStaleRepair (RepairOperation
Service) performs NO remote I/O — it rebuilds the repair op from local state
(stateSnapshotService + opLogStore.replaceRejectedRepair) and defers the
re-upload to the next sync cycle, which flows through the now-guarded write
paths. deleteAllData's removeFile stays unguarded by design: it is a deliberate
user-initiated wipe of a chosen target, not an in-flight-sync write race.

Test: a target switch during the snapshot's archive-load phase aborts before the
write with FileSyncTargetChangedError.

* fix(sync): guard split-migration writes on the download path

Review follow-up (two independent reviewers). The in-flight target guard covered
the two upload entry points, but the split-format DOWNLOAD path also writes: when
a remote carries a pending split-migration marker, _downloadOpsSplit ->
_resumePendingSplitMigration force-writes the state file, tombstone/.bak, and
migration marker via the RAW provider. A target switch during that resume could
land the previous target's migration on the new one — the same corruption class
the guard prevents.

Apply the same generation-capture-at-boundary shadow to _downloadOps so the
resume writes are guarded; reads (downloadFile/getFileRev) still pass through, so
normal downloads are unaffected.

Test (e2c): a target switch during a pending-migration download aborts the resume
writes with FileSyncTargetChangedError.

* docs(sync): correct Task 2 guard comments; make targetGeneration private

Multi-review cleanup (no behavior change):
- Fix the _targetGeneration doc comment (the in-flight guard it called a
  'follow-up' shipped in the same work; it drives _withTargetGuard now).
- Correct the _targetScopedMaps comment, which overstated the guarantee: a
  mid-download switch can repopulate a cache (read path) and a switch between
  download and upload is caught by neither per-operation guard. What actually
  prevents a cross-target write is the generation guard + the conditional-write
  rev check, which self-heals on the next sync — document that honestly.
- Make the targetGeneration getter private (test-only surface; the guard reads
  the private field directly); specs use bracket access.

* fix(sync): abort a download whose target changed before committing its baseline

Multi-review (Codex) found a data-loss window the write-guard missed: a download
READS target A, and if the target then switches mid-download, staging A's
baseline (sync-version/clock/rev) and letting the caller advance the seq cursor
under the shared provider id makes the NEXT sync skip the new target's ops from a
stale cursor. The write-guard only covers writes; reads pass through.

Capture the generation at the download boundary and, before committing the
baseline (single-file and split paths), abort + reset the target-scoped state if
it changed — SyncWrapper maps the error to a silent self-heal. Closes the
dominant switch-during-download window; a switch after a successful download
(during op-apply / an upload's own cursor commit) is a narrower residual only
per-cycle session capture can fully close (documented).

* fix(sync): map FileSyncTargetChangedError on the force-upload paths

Multi-review (Codex): the error was only mapped in the normal sync() catch. The
forceUpload and USE_LOCAL conflict-resolution catches handled only
EncryptNoPasswordError, so a target switch during a force upload aborted safely
(guard held — no data loss) but surfaced a scary ERROR snack instead of the
silent UNKNOWN_OR_CHANGED self-heal. Add the branch to both force paths.

* refactor(sync): compile-enforce the in-flight guard via a branded provider type

Multi-review (Architecture) hardening: the guard was threaded by an implicit
call-graph convention — a future entry point or write-helper caller that forgot
the _withTargetGuard shadow would silently re-open cross-target writes, the
worst failure class here. Introduce a phantom-branded GuardedFileSyncProvider
(FileSyncProvider & { [unique symbol]: true }) returned by _withTargetGuard and
required by every write-path helper param. Passing a raw provider to a write
path is now a compile error (verified: TS2345). Only createAdapter and the
intentionally-unguarded _deleteAllData keep the raw type. No runtime/behavior
change (brand is a phantom type); adapter suite 135/135.

* fix(sync): invalidate file-adapter state only on real target moves

Task 2's invalidation was wired to "any privateCfg was saved", but its
semantics are "the sync target moved". setProviderConfig() fires
providerConfigChanged$ unconditionally, so two content-only writes
reached invalidateAllTargets():

1. The sync-settings dialog saves with isForce=true, which bypasses the
   JSON-equality dedup, and _updatePrivateConfig then rewrites privateCfg
   unconditionally. So changing the sync interval, toggling compression,
   or pressing Save with nothing changed wiped _localSeqCounters and
   persisted it. A cursor back at 0 makes the next download return a
   snapshotState (isForceFromZero); for a client holding unsynced ops
   that classifies CONCURRENT, and with AUTO_MERGE_CONCURRENT_SNAPSHOT
   false it dead-ends in a binary conflict dialog whose either answer
   discards data. file-based-sync-adapter.service.ts already documented
   this exact hazard at the latestSeq computation.

2. WrappedProviderService fires the GHSA-9544 isEncryptionEnabled
   backfill fire-and-forget on adapter creation. Its setProviderConfig()
   lands within ms (local IO) while the sync it was spawned from is still
   on the network, so it wiped the cursor mid-cycle and aborted that sync
   with FileSyncTargetChangedError even though nothing moved. (The abort
   does not heal the cursor: invalidateAllTargets clears and persists it
   before the abort throws, so the next cycle still bootstraps from 0.)

providerConfigChanged$ now carries isTargetChanged, set from
isSyncTargetChanged(). Every subscriber still drops config-derived caches
(the adapter closes over the resolved encryption key/intent); only a real
move additionally calls invalidateAllTargets(). Both facts ride one
emission so a caller cannot raise a move without the cache drop.

isSyncTargetChanged treats only encryptKey/isEncryptionEnabled as
content-only and everything else as identity-affecting, so an unknown or
newly added field errs toward invalidating rather than reusing one
target's cursor against another. Both directions can lose data; the false
negative is worse only because it is silent.

The OneDrive pre-auth cfg write (dialog-sync-cfg) bypasses
setProviderConfig, so by the time the save's setProviderConfig runs the
diff is a no-op and a folder move would have silently kept the previous
folder's cursor. It now asserts the move directly, gated on a real diff
since it runs on every save. Covered by a test verified to fail without
the fix.

Also correct two comments: invalidateAllTargets' trigger, and the
download-abort's mechanism (a stale cursor suppresses gap detection so
the new target's snapshot is never loaded — it does not skip ops; both
download paths return every op and dedup via appliedOpIds).

Known residual: OneDrive's PROVIDER_FIELD_DEFAULTS are the only ones not
seeded with '', so a config missing one still reports a spurious move on
its first save (one-time, self-correcting). Documented at isUnset.
2026-07-16 15:21:16 +02:00
.agents/skills/commit-messages chore(config): adopt AGENTS.md as shared AI-agent config with skills (#8864) 2026-07-09 15:30:56 +02:00
.air 18.4.2 2026-05-01 23:07:19 +02:00
.codex chore: add project-scoped Angular MCP 2026-07-13 10:31:37 +02:00
.devcontainer chore: add git and testing tools out of the box in devcontainers 2025-05-12 11:13:06 +02:00
.github fix(sync): isolate provider encryption settings + enforce critical e2e coverage (#9044) 2026-07-15 14:24:49 +02:00
.husky fix(build): auto-generate env.generated.ts on checkout via husky hook 2026-03-06 16:39:21 +01:00
.signpath/policies/super-productivity build: sign path setup 4 2026-01-28 12:51:50 +01:00
.vscode chore: add git and testing tools out of the box in devcontainers 2025-05-12 11:13:06 +02:00
android fix(android): keep material icons aligned with system font scaling (#8992) 2026-07-14 12:38:12 +02:00
build chore(ui): removes dead utilities and op-log leftovers [#8260 - Tier A] (#8892) 2026-07-11 13:05:34 +02:00
docs fix(sync): freeze the conflict-review producers before the next release (#9061) 2026-07-16 14:43:33 +02:00
e2e fix(planner): don't erase day-scheduled subtasks on parent plan (#9019) (#9027) 2026-07-15 14:28:24 +02:00
electron fix(electron): assert renderer IPC boundary at window creation (#9018) 2026-07-15 10:37:10 +02:00
eslint-local-rules fix(sync): harden file-based .bak recovery, split gap detection & conflict counts (#8857) 2026-07-08 16:45:16 +02:00
fastlane fix(sync): name the discarded title in LWW conflict banner + fix fr dismiss label (#8694) (#8724) 2026-07-03 14:13:43 +02:00
ios feat(rate-dialog): calm, recurring, win-timed store rating prompt (#8704) 2026-07-02 13:52:10 +02:00
nginx refactor(e2e): migrate to production Dockerfile for E2E tests 2026-01-21 14:30:24 +01:00
packages fix(sync): authenticate LWW project-move footprint (#9053) (#9054) 2026-07-15 21:52:06 +02:00
scripts chore(scripts): remove one-off codemod scripts [#8260 - Tier A] (#8893) 2026-07-11 10:36:24 +02:00
snap/hooks fix(snap): add filesystem and desktop integration plugs 2026-01-17 12:44:30 +01:00
src fix(sync): isolate file-provider state across target changes (#9063) 2026-07-16 15:21:16 +02:00
tools ci(lighthouse): raise script-count budget to 220, align warn to 210 (#8740) 2026-07-03 18:13:23 +02:00
.browserslistrc build: update browser support list 2025-08-13 19:47:44 +02:00
.dockerignore fix(docker): simplify env handling for Docker builds 2025-08-09 12:16:31 +02:00
.editorconfig chore: update gradle/java indent_size to 4 2024-09-29 09:40:49 +08:00
.env.example docs: change template of the .env file to include the mandatory unsplash key 2025-08-12 18:10:59 +02:00
.gitattributes chore: fix LF/CRLF for errant SCSS file (again) (#7117) 2026-04-09 19:42:54 +02:00
.gitignore fix(config): restore day-start offset after operation replay (#8899) 2026-07-10 13:59:48 +02:00
.gitmodules chore: Update android submodule to use feat/platform-android-offline branch (for capacitor) 2024-09-12 09:49:41 +08:00
.gitpod.yml refactor: make prettier work for angular 2025-02-21 14:31:22 +01:00
.npmrc chore(deps): add cooldown for NPM and GH Actions to reduce supply chain attack risk (#7685) 2026-05-20 11:50:30 +02:00
.nvmrc feat: add .nvmrc file with Node.js v22.18.0 2025-08-13 19:47:44 +02:00
.prettierignore feat(sync): add Helm chart and WebSocket push for SuperSync (#6971) 2026-03-30 21:34:30 +02:00
.prettierrc.json refactor: make prettier work for angular 2025-02-21 14:31:22 +01:00
.stylelintrc.mjs build(stylelint): fix font-family-no-missing-generic-family-keyword 2025-01-04 13:49:50 +01:00
AGENTS.md docs(sync): add sync simplification roadmap (#9062) 2026-07-16 13:42:38 +02:00
angular.json refactor(sync-providers): extract local file provider 2026-05-13 11:36:19 +02:00
ARCHITECTURE-DECISIONS.md fix(sync): make marked project deletions win LWW conflicts (#9009) 2026-07-14 19:58:33 +02:00
capacitor.config.ts feat(android): migrate edge-to-edge to built-in SystemBars (#8543) 2026-06-22 16:07:06 +02:00
CLAUDE.md chore(config): adopt AGENTS.md as shared AI-agent config with skills (#8864) 2026-07-09 15:30:56 +02:00
CONTRIBUTING.md docs(sync): consolidate sync docs + enforce the contributor model 2026-05-15 16:51:50 +02:00
docker-compose.e2e.fast.yaml fix(ci): fix WebDAV config path for hacdias/webdav v5 2026-02-16 11:07:52 +01:00
docker-compose.e2e.yaml fix(ci): fix WebDAV config path for hacdias/webdav v5 2026-02-16 11:07:52 +01:00
docker-compose.supersync.yaml fix(dev): update default SuperSync port to 1901 for local development 2026-01-24 21:14:57 +01:00
docker-compose.yaml fix(infra): close db-startup race in supersync e2e stack 2026-04-29 16:17:56 +02:00
docker-entrypoint.sh refactor(e2e): migrate to production Dockerfile for E2E tests 2026-01-21 14:30:24 +01:00
Dockerfile fix(docker): include sync packages in image build 2026-05-16 20:48:38 +02:00
Dockerfile.e2e.dev feat(e2e): add Docker-based E2E test isolation 2026-01-04 17:09:39 +01:00
Dockerfile.e2e.dev.fast build(e2e): add fast local Docker Compose setup for E2E tests 2026-01-09 18:00:24 +01:00
electron-builder.yaml fix(caldav-plugin): make recurring-occurrence edits/deletes safe and quiet #7492 (#8149) 2026-06-08 16:05:52 +02:00
eslint.config.js docs(sync): add sync simplification roadmap (#9062) 2026-07-16 13:42:38 +02:00
funding.json chore(funding): drop broken repositoryUrl.wellKnown line 2026-05-14 17:21:39 +02:00
Gemfile 10.1.1 2024-11-06 19:44:38 +01:00
Gemfile.lock chore(deps): bump faraday in the bundler group across 1 directory (#8625) 2026-06-29 13:09:27 +02:00
LICENSE fix: typo in license 2019-01-29 18:21:51 +00:00
ngsw-config.json fix(pwa): cache the hashed icon font so it renders offline on iOS #8138 2026-06-08 18:29:55 +02:00
package-lock.json 18.14.0 2026-07-10 17:23:35 +02:00
package.json chore: update npm for release-age policy 2026-07-13 10:31:37 +02:00
README.md docs(readme): fix typo/missing words (#8453) 2026-06-17 16:02:08 +02:00
SECURITY.md build: update links to match our new organization 2026-01-05 14:45:06 +01:00
tsconfig.base.json fix(keyboard): resolve macOS global shortcut layout mismatch (#8378) (#8381) 2026-06-17 12:57:47 +02:00
tsconfig.json build: try to get rid of inline compilation to js 2025-04-25 12:58:16 +02:00
webdav.yaml build: simplify docker setup and fix e2e 2025-07-18 20:00:10 +02:00

Banner

An advanced todo list app with timeboxing & time tracking capabilities that supports importing tasks from your calendar, Jira, GitHub and others

🌐 Open Web App or 💻 Download


MIT license   GitHub Discussions

Reddit Community   Super Productivity on Mastodon   Tweet

animated

💻 Downloads & Install

Get it on Flathub Get it from the Snap Store English badge Play Store Badge F-Droid Badge Obtanium Badge App Store Badge

For all current downloads, package links, and platform-specific notes: check the wiki
Get it on GitHub


Ukraine Flag
Humanitarian Aid for Ukraine
Support humanitarian relief via the official National Bank of Ukraine account.


✔️ Features

  • Keep organized and focused! Plan and categorize your tasks using sub-tasks, projects and tags and color code them as needed.
  • Use timeboxing and track your time. Create time sheets and work summaries in a breeze to easily export them to your company's time tracking system.
  • Helps you to establish healthy & productive habits:
    • A break reminder reminds you when it's time to step away.
    • The anti-procrastination feature helps you gain perspective when you really need to.
    • Need some extra focus? A Pomodoro timer is also always at hand.
    • Collect personal metrics to see, which of your work routines need adjustments.
  • Integrate with Jira, Trello, GitHub, GitLab, Gitea, OpenProject, Linear, ClickUp and Azure DevOps. Auto import tasks assigned to you, plan the details locally, automatically create work logs, and get notified immediately, when something changes.
  • Basic CalDAV integration.
  • Back up and synchronize your data across multiple devices with Dropbox and WebDAV support
  • Attach context information to tasks and projects. Create notes, attach files or create project-level bookmarks for links, files, and even commands.
  • Super Productivity respects your privacy and does NOT collect any data and there are no user accounts or registration. You decide where you store your data!
  • It's free and open source and always will be.

And much more!

Work View with global links

Note

The web version has some limitations: See the Web App vs Desktop comparison for more details.

📖 Documentation and Guides

Getting Started

Starting Point in Wiki:
First stepsReferenceHow-To

Productivity Tips:
Keyboard ShortcutsShort Syntax

Need Help?
Visit the discussions page

See the bottom of the README for more information on the documentation.

Advanced Topics

Here are some other topics covered in the official wiki:

Development:
Run dev serverPackage the appBuild for AndroidRun with Docker

Data Management:
User DataIssue ProvidersSync Providers

Customization:
PluginsThemes

APIs:
Sync ServerPluginsREST

Community

The development of Super Productivity is driven by a wonderful community of users and contributors. Thank you all so much for your support!

👀 Check out our awesome curated list of community-created resources about Super Productivity

♥️ Contributing

If you want to get involved, please check out the CONTRIBUTING.md

There are several ways to help.

  1. Spread the word: More users mean more people testing and contributing to the app which in turn means better stability and possibly more and better features. You can vote for Super Productivity on Slant, Product Hunt, Softpedia or on AlternativeTo, you can tweet about it, share it on LinkedIn, reddit or any of your favorite social media platforms. Every little bit helps!

  2. Provide a Pull Request: Here is a list of the most popular community requests and here some info on how to run the development build (wiki). Please make sure that you're following the commit message format and to also include the issue number in your commit message, if you're fixing a particular issue (e.g.: feat: add nice feature #31).

  3. Answer questions: You know the answer to another user's problem? Share your knowledge!

  4. Provide your opinion: Some community suggestions are controversial. Your input might be helpful and if it is just an up- or down-vote.

  5. Provide a more refined UI spec for existing feature requests

  6. Report bugs

  7. Make a feature or improvement request: Something can be done better? Something essential missing? Let us know!

  8. Translations, Icons, etc.: You don't have to be a programmer to help; learn how to contribute translations!

  1. Sponsor the project

  2. Create custom plugins or custom themes

Special Thanks to our Sponsors!!!

Recently support for Super Productivity has been growing! A big thank you to all our sponsors!

(If you are, intend to or have been a sponsor and want to be shown here, please let me know!)

Code Signing

Windows binaries are signed. Free code signing is provided by SignPath.io, certificate by SignPath Foundation.

Documentation: Manual versus Automated

There are two wikis: the official one hosted in by GitHub and the autonomously generated variant using DeepWiki.com. The manually curated version is a more stable and approachable resource designed to help you understand the app from a more human-focused perspective whereas DeepWiki is optimized for explaining the code itself with little regard for context beyond that.

Official Wiki

It is preferable to maintain local documentation rather than rely on an external service. It also preferable that the documentation is updated in tandem with the code changes as demonstrated in this commit.

Changes to files within ./docs/wiki are linted in CI before being automatically sync'd to the repository's official Wiki hosted by GitHub.

Migrating to Docusaurus is a long-term goal once the content and structure of the wiki has matured and the remaining "legacy docs" have either been reworked or removed. There are some automations in development to help reduce the difference between the published docs and the state of the code while retaining a human-in-the-loop.

DeepWiki.com

If you have very specific questions about how the code works or why a bug might be producing a particular message it might be useful to Ask DeepWiki . It can help "cite your sources" when discussing functionality and code that you don't fully understand as part of feature requests or bug reports.

This automated reference does come with some significant drawbacks:

  1. Intent: Describes what code does, not why decisions or tradeoffs were made.
  2. Staleness: Will *always* lag behind the code.
  3. Code-Focused: Does not provide guides or conceptual explanations.
  4. Cost: Potential future cost and higher resource usage than static docs.