No description
Find a file
Johannes Millan 7182ff4fba
feat(plugins): persist nodeExecution consent per plugin (#8512) (#8600)
* feat(plugins): persist nodeExecution consent per plugin (#8512)

Phase 2 of #8512: remember an uploaded plugin's nodeExecution consent so
it is asked once, not every app session, while keeping the trust decision
local to the device.

- Main-owned, local-only store (electron/plugin-node-consent-store.ts,
  wrapping simple-store under key 'pluginNodeExecutionConsent'); never
  pfapi-synced, so a grant on one device never auto-grants on another.
- Ask-once is scoped to UPLOADED plugins; built-in plugins (sync-md) keep
  the per-session verified prompt unchanged (regression-safe).
- Consent is written only after a native Allow in main; the renderer has a
  delete-only clearConsent IPC (fail-safe) and no way to self-grant.
- Cleared on disable / uninstall / re-upload (never in generic teardown),
  so revoke = the existing disable toggle and changed code re-consents.
- No code hash: re-ask-on-change is structural (re-upload clears consent);
  a renderer hash would be forgeable and security-worthless. version:1 is
  the migration anchor if main-owned hashing is ever added.

Tests: electron 154 pass (consent-store + executor ask-once/deny/clear/
built-in-never-persisted); 474 plugin specs pass incl. the sync-exclusion
guard. Docs updated.

* fix(plugins): harden persisted consent against prototype-pollution ids

Multi-review (security) found a CRITICAL in the Phase 2 consent store: the
consents map was a plain object keyed on an attacker-controlled pluginId, so
an uploaded plugin with id 'constructor' / 'toString' / 'valueOf' /
'hasOwnProperty' resolved consents[id] to the inherited Object.prototype
member (a truthy function). The executor's ask-once check treated that as a
prior grant and minted a nodeExecution token with NO consent dialog on a fresh
install — full code execution with zero user approval. ('__proto__' was already
blocked by the id allowlist; these names pass it.) Unit tests missed it because
the executor test stub used a Map, which is immune to the footgun.

Fix:
- Store: null-prototype consents map (Object.create(null)) + own-property
  (hasOwnProperty) guarded reads + reject non-object entries. Closes the class
  for any prototype-member id, including across a disk round-trip.
- Executor: reject __proto__/prototype/constructor in assertSafePluginId as
  defense-in-depth at the boundary.
- Regression tests: consent store returns null for prototype-member ids (fresh,
  after a real set, after clear); grant request for these ids is rejected with
  no dialog and no mint.

Also from review: ask-once path now re-checks the sender URL after the consent
read (parity with the dialog path); clarified why the consent mutation queue is
not redundant with simple-store's save queue.

Electron suite 156/156 pass.

* refactor(plugins): log consent persist-failure via electron-log

Multi-review follow-ups (non-blocking):
- Route the best-effort consent persist-failure to electron-log/main (the
  user-exportable host log) instead of console; console in the executor is
  otherwise the sandboxed plugin's own output. Only the validated id is logged.
- Clarify the disable-path comment: clearing revokes the live session grant
  always, and the persisted consent only for uploaded plugins (built-ins have
  none).

* fix(plugins): clear persisted consent on cache-clear and disclose persistence in dialog

Two gaps found in multi-agent review of the Phase 2 persisted-consent feature:

- clearUploadedPluginsFromMemory() (the 'Clear plugin cache' button) wiped the
  plugin code from IndexedDB but left the main-owned persisted nodeExecution
  consent behind. A later re-upload of the same id has no existingState, so the
  re-upload consent-clear in loadPluginFromZip never fired and the (possibly
  different) code was silently granted node execution with no prompt — defeating
  the 'replacing code under an id always re-asks' invariant. Now clears consent
  for every evicted uploaded id, mirroring removeUploadedPlugin.

- The uploaded-plugin native consent dialog still said access was valid 'for this
  app session', but Allow is now persisted across sessions. The prompt now
  discloses that the choice is remembered on the device until disable / remove /
  re-upload, so the user consents to the actual scope.

Regression tests added on both sides.

* refactor(plugins): key persisted consent on a Map, not a null-prototype object

Multi-review simplification. The consent store keyed an attacker-controlled
pluginId into a plain object, defended against `Object.prototype` member names
(constructor/toString/…) with a null-prototype object + hasOwn guards + a
typeof-object read check. A `Map` makes that safety structural and self-evident —
an unstored key is simply `undefined` — and matches the sibling `grants` Map in
the executor. The on-disk format is unchanged (a plain {version, consents} object);
the Map is serialized via Object.fromEntries (define-semantics, no prototype write)
and rebuilt via Object.entries with the well-formedness guard moved to load time.

Also corrects the stale 'never downgrade-corrupt it' comment with the accurate
downgrade behavior, and adds a round-trip test proving a hand-edited on-disk
__proto__ data key loads inertly without polluting Object.prototype.

* refactor(plugins): funnel disable through PluginService.disablePlugin and de-dup dialog display

Two more multi-review items, now that we own the PR:

- 'Disabling a node plugin revokes its consent' previously lived only in the
  plugin-management UI handler, so a future programmatic disable path could unload
  the plugin yet leave persisted consent behind — re-enabling would then silently
  re-grant node execution. Added PluginService.disablePlugin(setEnabled=false +
  unload + clearNodeExecutionConsent) and routed the UI through it, making the
  revoke a structural invariant. The consent clear is a safe no-op for non-node
  plugins, so the previous requiresNodeExecution gate is dropped.

- The uploaded-plugin name/version were sanitized once for the dialog and again for
  persistence (same lengths/fallbacks, duplicated). Extracted sanitizedUploadedDisplay
  as the single source of truth so the persisted record always matches what the user
  saw in the prompt.

Tests added for the disablePlugin invariant.

* fix(plugins): harden persisted nodeExecution consent (multi-review)

Follow-ups from a multi-agent review of #8600:

- Re-ask structurally on every upload: clear consent unconditionally in
  loadPluginFromZip (outside the `existingState` branch) so a same-id
  re-upload always re-prompts even if consent was orphaned (crash
  mid-uninstall, IndexedDB eviction, external/partial wipe).
- Fail closed on upload: clearNodeExecutionConsent reports a persist failure
  via its return value; loadPluginFromZip aborts the upload if the prior
  consent could not be revoked, so replacement code can't inherit a stale
  grant. Lifecycle edges (disable/uninstall/cache-clear) ignore the result so
  a rare disk failure can't abort their bookkeeping.
- Mint the grant before the best-effort consent persist in the executor so a
  navigation/destroy during the write drops it via cleanup and a persist
  failure can't lose an approved grant.
- Validate the full consent record shape on load so a corrupt {}/array entry
  can't read as a grant.
- Log only the validated id + error code on persist failure (no userData path).
- Fix a stale comment (the store keys consent in a Map, not null-proto objects).

Adds regression tests: mint-before-persist ordering, best-effort persist,
malformed-entry rejection, and the consent-clear fail-closed return contract.

* test(plugins): add clearNodeExecutionConsent to PluginBridgeService spy

loadPluginFromZip now clears prior persisted nodeExecution consent
before loading replacement code (#8512 Phase 2). The spy in this spec
lacked the method, so the call threw, was caught, returned false, and
aborted the upload, failing both load-from-zip tests.
2026-06-29 16:12:00 +02:00
.air 18.4.2 2026-05-01 23:07:19 +02:00
.devcontainer chore: add git and testing tools out of the box in devcontainers 2025-05-12 11:13:06 +02:00
.github chore(deps)(deps): bump the github-actions-minor group with 3 updates (#8622) 2026-06-29 12:46:38 +02:00
.husky fix(build): auto-generate env.generated.ts on checkout via husky hook 2026-03-06 16:39:21 +01:00
.signpath/policies/super-productivity build: sign path setup 4 2026-01-28 12:51:50 +01:00
.vscode chore: add git and testing tools out of the box in devcontainers 2025-05-12 11:13:06 +02:00
android fix(android): keyboard + status-bar follow-ups for edge-to-edge (#8508) (#8548) 2026-06-23 11:57:49 +02:00
build 18.12.1 2026-06-22 13:37:54 +02:00
docs feat(plugins): persist nodeExecution consent per plugin (#8512) (#8600) 2026-06-29 16:12:00 +02:00
e2e fix(tasks): make "Add subtask" work in the Planner detail panel (#8617) (#8630) 2026-06-29 15:57:44 +02:00
electron feat(plugins): persist nodeExecution consent per plugin (#8512) (#8600) 2026-06-29 16:12:00 +02:00
eslint-local-rules docs(sync): consolidate sync docs + enforce the contributor model 2026-05-15 16:51:50 +02:00
fastlane fix(ci): repair v18.9.0 release pipeline (MAS build, iOS submit, flaky lock test) (#8040) 2026-06-05 22:26:42 +02:00
ios fix(ci): repair v18.9.0 release pipeline (MAS build, iOS submit, flaky lock test) (#8040) 2026-06-05 22:26:42 +02:00
nginx refactor(e2e): migrate to production Dockerfile for E2E tests 2026-01-21 14:30:24 +01:00
packages fix(sync): verify file-based upload size to catch truncated writes (#8604) (#8628) 2026-06-29 15:38:08 +02:00
scripts refactor(scripts): share log migration helper #7917 (#8116) 2026-06-08 12:09:45 +02:00
snap/hooks fix(snap): add filesystem and desktop integration plugs 2026-01-17 12:44:30 +01:00
src feat(plugins): persist nodeExecution consent per plugin (#8512) (#8600) 2026-06-29 16:12:00 +02:00
tools fix(release-notes): strip non-Apple platform references from App Store What's New 2026-06-25 16:10:33 +02:00
.browserslistrc build: update browser support list 2025-08-13 19:47:44 +02:00
.dockerignore fix(docker): simplify env handling for Docker builds 2025-08-09 12:16:31 +02:00
.editorconfig chore: update gradle/java indent_size to 4 2024-09-29 09:40:49 +08:00
.env.example docs: change template of the .env file to include the mandatory unsplash key 2025-08-12 18:10:59 +02:00
.gitattributes chore: fix LF/CRLF for errant SCSS file (again) (#7117) 2026-04-09 19:42:54 +02:00
.gitignore chore(task-repeat): revert RRULE Phase 1 from master (#7948) Develop the full RFC-5545 RRULE epic on the long-running feat/rrule-epic branch and merge once complete and testable in final form, rather than landing 13 phases into master one half-state at a time. Work preserved on feat/rrule-epic. Not yet shipped (post-v18.9.1), so no user impact. 2026-06-09 13:56:38 +02:00
.gitmodules chore: Update android submodule to use feat/platform-android-offline branch (for capacitor) 2024-09-12 09:49:41 +08:00
.gitpod.yml refactor: make prettier work for angular 2025-02-21 14:31:22 +01:00
.npmrc chore(deps): add cooldown for NPM and GH Actions to reduce supply chain attack risk (#7685) 2026-05-20 11:50:30 +02:00
.nvmrc feat: add .nvmrc file with Node.js v22.18.0 2025-08-13 19:47:44 +02:00
.prettierignore feat(sync): add Helm chart and WebSocket push for SuperSync (#6971) 2026-03-30 21:34:30 +02:00
.prettierrc.json refactor: make prettier work for angular 2025-02-21 14:31:22 +01:00
.stylelintrc.mjs build(stylelint): fix font-family-no-missing-generic-family-keyword 2025-01-04 13:49:50 +01:00
AGENTS.md docs: update AGENTS.md to include CLAUDE.md reference 2026-01-15 17:20:39 +01:00
angular.json refactor(sync-providers): extract local file provider 2026-05-13 11:36:19 +02:00
ARCHITECTURE-DECISIONS.md feat(project): project completion experience (#8036) 2026-06-08 13:43:38 +02:00
capacitor.config.ts feat(android): migrate edge-to-edge to built-in SystemBars (#8543) 2026-06-22 16:07:06 +02:00
CLAUDE.md docs: add product principles / anti-feature-creep guidance to CLAUDE.md 2026-06-26 13:12:02 +02:00
CONTRIBUTING.md docs(sync): consolidate sync docs + enforce the contributor model 2026-05-15 16:51:50 +02:00
docker-compose.e2e.fast.yaml fix(ci): fix WebDAV config path for hacdias/webdav v5 2026-02-16 11:07:52 +01:00
docker-compose.e2e.yaml fix(ci): fix WebDAV config path for hacdias/webdav v5 2026-02-16 11:07:52 +01:00
docker-compose.supersync.yaml fix(dev): update default SuperSync port to 1901 for local development 2026-01-24 21:14:57 +01:00
docker-compose.yaml fix(infra): close db-startup race in supersync e2e stack 2026-04-29 16:17:56 +02:00
docker-entrypoint.sh refactor(e2e): migrate to production Dockerfile for E2E tests 2026-01-21 14:30:24 +01:00
Dockerfile fix(docker): include sync packages in image build 2026-05-16 20:48:38 +02:00
Dockerfile.e2e.dev feat(e2e): add Docker-based E2E test isolation 2026-01-04 17:09:39 +01:00
Dockerfile.e2e.dev.fast build(e2e): add fast local Docker Compose setup for E2E tests 2026-01-09 18:00:24 +01:00
electron-builder.yaml fix(caldav-plugin): make recurring-occurrence edits/deletes safe and quiet #7492 (#8149) 2026-06-08 16:05:52 +02:00
eslint.config.js build(lint): enforce Log helpers over console.* in src/app (#8239) 2026-06-10 13:08:17 +02:00
funding.json chore(funding): drop broken repositoryUrl.wellKnown line 2026-05-14 17:21:39 +02:00
Gemfile 10.1.1 2024-11-06 19:44:38 +01:00
Gemfile.lock chore(deps): bump faraday in the bundler group across 1 directory (#8625) 2026-06-29 13:09:27 +02:00
LICENSE fix: typo in license 2019-01-29 18:21:51 +00:00
ngsw-config.json fix(pwa): cache the hashed icon font so it renders offline on iOS #8138 2026-06-08 18:29:55 +02:00
package-lock.json feat(android): migrate edge-to-edge to built-in SystemBars (#8543) 2026-06-22 16:07:06 +02:00
package.json fix(release-notes): strip non-Apple platform references from App Store What's New 2026-06-25 16:10:33 +02:00
README.md docs(readme): fix typo/missing words (#8453) 2026-06-17 16:02:08 +02:00
SECURITY.md build: update links to match our new organization 2026-01-05 14:45:06 +01:00
tsconfig.base.json fix(keyboard): resolve macOS global shortcut layout mismatch (#8378) (#8381) 2026-06-17 12:57:47 +02:00
tsconfig.json build: try to get rid of inline compilation to js 2025-04-25 12:58:16 +02:00
webdav.yaml build: simplify docker setup and fix e2e 2025-07-18 20:00:10 +02:00

Banner

An advanced todo list app with timeboxing & time tracking capabilities that supports importing tasks from your calendar, Jira, GitHub and others

🌐 Open Web App or 💻 Download


MIT license   GitHub Discussions

Reddit Community   Super Productivity on Mastodon   Tweet

animated

💻 Downloads & Install

Get it on Flathub Get it from the Snap Store English badge Play Store Badge F-Droid Badge Obtanium Badge App Store Badge

For all current downloads, package links, and platform-specific notes: check the wiki
Get it on GitHub


Ukraine Flag
Humanitarian Aid for Ukraine
Support humanitarian relief via the official National Bank of Ukraine account.


✔️ Features

  • Keep organized and focused! Plan and categorize your tasks using sub-tasks, projects and tags and color code them as needed.
  • Use timeboxing and track your time. Create time sheets and work summaries in a breeze to easily export them to your company's time tracking system.
  • Helps you to establish healthy & productive habits:
    • A break reminder reminds you when it's time to step away.
    • The anti-procrastination feature helps you gain perspective when you really need to.
    • Need some extra focus? A Pomodoro timer is also always at hand.
    • Collect personal metrics to see, which of your work routines need adjustments.
  • Integrate with Jira, Trello, GitHub, GitLab, Gitea, OpenProject, Linear, ClickUp and Azure DevOps. Auto import tasks assigned to you, plan the details locally, automatically create work logs, and get notified immediately, when something changes.
  • Basic CalDAV integration.
  • Back up and synchronize your data across multiple devices with Dropbox and WebDAV support
  • Attach context information to tasks and projects. Create notes, attach files or create project-level bookmarks for links, files, and even commands.
  • Super Productivity respects your privacy and does NOT collect any data and there are no user accounts or registration. You decide where you store your data!
  • It's free and open source and always will be.

And much more!

Work View with global links

Note

The web version has some limitations: See the Web App vs Desktop comparison for more details.

📖 Documentation and Guides

Getting Started

Starting Point in Wiki:
First stepsReferenceHow-To

Productivity Tips:
Keyboard ShortcutsShort Syntax

Need Help?
Visit the discussions page

See the bottom of the README for more information on the documentation.

Advanced Topics

Here are some other topics covered in the official wiki:

Development:
Run dev serverPackage the appBuild for AndroidRun with Docker

Data Management:
User DataIssue ProvidersSync Providers

Customization:
PluginsThemes

APIs:
Sync ServerPluginsREST

Community

The development of Super Productivity is driven by a wonderful community of users and contributors. Thank you all so much for your support!

👀 Check out our awesome curated list of community-created resources about Super Productivity

♥️ Contributing

If you want to get involved, please check out the CONTRIBUTING.md

There are several ways to help.

  1. Spread the word: More users mean more people testing and contributing to the app which in turn means better stability and possibly more and better features. You can vote for Super Productivity on Slant, Product Hunt, Softpedia or on AlternativeTo, you can tweet about it, share it on LinkedIn, reddit or any of your favorite social media platforms. Every little bit helps!

  2. Provide a Pull Request: Here is a list of the most popular community requests and here some info on how to run the development build (wiki). Please make sure that you're following the commit message format and to also include the issue number in your commit message, if you're fixing a particular issue (e.g.: feat: add nice feature #31).

  3. Answer questions: You know the answer to another user's problem? Share your knowledge!

  4. Provide your opinion: Some community suggestions are controversial. Your input might be helpful and if it is just an up- or down-vote.

  5. Provide a more refined UI spec for existing feature requests

  6. Report bugs

  7. Make a feature or improvement request: Something can be done better? Something essential missing? Let us know!

  8. Translations, Icons, etc.: You don't have to be a programmer to help; learn how to contribute translations!

  1. Sponsor the project

  2. Create custom plugins or custom themes

Special Thanks to our Sponsors!!!

Recently support for Super Productivity has been growing! A big thank you to all our sponsors!

(If you are, intend to or have been a sponsor and want to be shown here, please let me know!)

Code Signing

Windows binaries are signed. Free code signing is provided by SignPath.io, certificate by SignPath Foundation.

Documentation: Manual versus Automated

There are two wikis: the official one hosted in by GitHub and the autonomously generated variant using DeepWiki.com. The manually curated version is a more stable and approachable resource designed to help you understand the app from a more human-focused perspective whereas DeepWiki is optimized for explaining the code itself with little regard for context beyond that.

Official Wiki

It is preferable to maintain local documentation rather than rely on an external service. It also preferable that the documentation is updated in tandem with the code changes as demonstrated in this commit.

Changes to files within ./docs/wiki are linted in CI before being automatically sync'd to the repository's official Wiki hosted by GitHub.

Migrating to Docusaurus is a long-term goal once the content and structure of the wiki has matured and the remaining "legacy docs" have either been reworked or removed. There are some automations in development to help reduce the difference between the published docs and the state of the code while retaining a human-in-the-loop.

DeepWiki.com

If you have very specific questions about how the code works or why a bug might be producing a particular message it might be useful to Ask DeepWiki . It can help "cite your sources" when discussing functionality and code that you don't fully understand as part of feature requests or bug reports.

This automated reference does come with some significant drawbacks:

  1. Intent: Describes what code does, not why decisions or tradeoffs were made.
  2. Staleness: Will *always* lag behind the code.
  3. Code-Focused: Does not provide guides or conceptual explanations.
  4. Cost: Potential future cost and higher resource usage than static docs.