max / balanced_breakfast
1 file changed, +9 insertions, -0 deletions
| @@ -59,6 +59,15 @@ BB is free. Cloud sync is the only revenue source. See `MNW/server/docs/internal | |||
| 59 | 59 | - [ ] Annual billing messaging: explain why annual is preferred (Stripe fee transparency) | |
| 60 | 60 | - [ ] Test full checkout flow against live Stripe (end-to-end: subscribe → webhook → sync gate passes) | |
| 61 | 61 | ||
| 62 | + | ## SyncKit Parity with GoingsOn (2026-05-11) | |
| 63 | + | ||
| 64 | + | Fixes needed to match GO's working end-to-end SyncKit flow: | |
| 65 | + | ||
| 66 | + | - [ ] **synckit.toml** — create `synckit.toml` with BB's API key (need to create sync app on MNW dashboard first). Replace `option_env!("SYNCKIT_API_KEY")` in state.rs with `include_str!("../../synckit.toml")` + parser. Current approach breaks silently on recompile without env var. | |
| 67 | + | - [ ] **OAuth callback CORS** — `commands/sync.rs` callback server responses missing `Access-Control-Allow-Origin: *` header. Tauri origin `tauri://localhost` blocked from polling `http://127.0.0.1:{port}/result`. | |
| 68 | + | - [ ] **OAuth poll loop** — `settings-sync.js` uses manual "Check Status" button instead of automatic polling. Replace with 1s interval poll loop that skips `status: "pending"` responses (copy pattern from GO's `pollSyncAuthResult`). | |
| 69 | + | - [ ] **CSP blocks localhost** — `tauri.conf.json` CSP missing `http://127.0.0.1` in `connect-src`. Either add it or revert CSP to `null` (app uses inline handlers throughout). | |
| 70 | + | ||
| 62 | 71 | --- | |
| 63 | 72 | ||
| 64 | 73 | ## Fuzz Findings (2026-04-27) |
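Review bot: The OAuth callback CORS item (new line 67) specifies `Access-Control-Allow-Origin: *`, which lets any origin that can reach `http://127.0.0.1:{port}/result` read the response, not only the app. Since the item names `tauri://localhost` as the origin being blocked, the task should say to return that exact origin instead of the wildcard. In the CSP item (new line 69), the option to "revert CSP to `null`" removes the policy altogether in an app the same line says uses inline handlers throughout, so I would make adding `http://127.0.0.1` to `connect-src` the stated fix and either drop the `null` alternative or record it as a temporary fallback with its own follow-up item. The synckit.toml item (new line 66) should also state whether `synckit.toml` is committed or git-ignored, since `include_str!` compiles the API key into the binary and the build will fail wherever the file is absent.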