v0.2.5 is a reliability release. Every subsystem – sync engine, crypto lifecycle, SFTP, and terminal – went through a read-only audit, and every finding was fixed before this build shipped. 38 findings in four subsystems, zero criticals, zero deferred.
What was audited
- sync engine – write-through contract, pull-back race conditions, logout teardown
- crypto lifecycle – lock/unlock/setup state machine, biometric parity
- SFTP – destructive remote file operations, session lifecycle, credential isolation
- terminal – PTY resize, scroll buffer persistence, listener cleanup
Sync engine – stopping silent divergence
The sync audit found that host metadata mutations committed local state before the API write completed, and that SSE pull-back could revert a pending edit. Five high-severity findings were addressed across the store layer and the sync bridge.
The trickiest fix was T3.1 (SYNC-W-3): host writes were full-row PUTs with no version precondition – concurrent mutators clobbered each other. The fix adds an updated_at optimistic concurrency token: the server returns 409 when the token doesn’t match, and the renderer auto-resolves by merging the server version with the user’s pending edits and retrying once.
Crypto – locking on sleep, not just idle
The crypto audit confirmed the I-2 boundary is sound – key material never enters the JS heap – but identified two high-severity gaps. The first: crypto_unwrap_dek lacked the live-DEK-replacement guard that crypto_set_dek had, an asymmetry in the defense-in-depth layer. The second: the only auto-lock mechanism was a 10-second-interval idle check (default 30 minutes). Keys stayed live in Rust when the user closed the laptop lid. The fix adds a hybrid lock: a 5-minute grace timer on window blur, immediate lock on system sleep, and a re-check on focus.
SFTP – timeouts, eviction, and overwrite protection
The SFTP audit found two high-severity issues: upload and rename could silently overwrite existing remote files with no confirmation, and the session could hang indefinitely on a dead connection. The fixes add a destructive-confirm dialog before overwriting, per-operation timeouts (15s init, 30s metadata, 120s I/O, 300s recursive delete), and automatic eviction and re-initialization of broken SFTP channels. Directory delete was also fixed – it now handles recursive deletion with a count-aware confirmation.
Terminal – PTY resize and scroll buffer
A separate terminal audit caught one critical finding: the PTY size was not re-synchronized on reconnect, causing display corruption when the window was resized while disconnected. Additional fixes addressed listener leaks, scroll buffer persistence across view switches, and keyboard shortcut capture ordering to prevent the terminal renderer from swallowing keys before the shortcut handler runs.
All 38 findings across the four subsystems shipped fixed in this release. No findings were deferred.