Releases: bvdcode/cotton
Cotton Sync Desktop
Cotton Sync desktop client build.
Version: 0.5.0-desktop-sync-client.1
Branch: feature/desktop-sync-client
Commit: 19eb64de4772bd8567a65296c3e62e2fee2382da
Release 0.4.30
Hardens public file access, WebDAV auth, and external URL generation
This update tightens several public-facing file and auth flows:
- Protects inline file responses from active-content execution by forcing dangerous browser-rendered types such as HTML, SVG, and XML to safe download responses, with defensive nosniff/CSP headers.
- Applies the same file response hardening to owned downloads, shared file links, shared-folder file downloads, archive downloads, and HEAD responses.
- Prevents users from reusing another account's existing file manifest unless they own every referenced chunk.
- Adds dedicated WebDAV token handling for new users and rate-limits repeated failed WebDAV Basic auth attempts.
- Avoids share token collisions across file-share and folder-share tokens.
- Adds public shared-folder archive protections, including anonymous rate limiting and a 5,000-entry archive limit.
- Uses the configured public base URL for OIDC redirects, passkey origins, and shared-page social preview URLs instead of deriving runtime URLs from request host data.
- Keeps request-derived base URL fallback limited to initial/settings bootstrap paths.
- Adds a direct download action in search results and adjusts file-list action spacing so the full action set fits cleanly.
- Clarifies app-code approval messaging and shows loopback requests as coming from this device.
Includes integration and frontend coverage for the new download safety, WebDAV token/rate-limit, share/archive, URL, and UI behaviors.
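The file-response hardening described in the first two items of this release, sketched as an added example; this is not Cotton's code. The type list, the CSP value, and all function names are assumptions chosen for illustration, since the release notes name only "HTML, SVG, and XML" and "nosniff/CSP headers".

```python
import re
from urllib.parse import quote

# Media types a browser renders as active content. Assumed list, based on
# the "HTML, SVG, and XML" wording in the release note.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}
# A well-formed "type/subtype" with no parameters, spaces or control bytes.
MEDIA_TYPE = re.compile(r"[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+")


def normalize_type(content_type):
    """'Image/SVG+XML; charset=utf-8' -> 'image/svg+xml'."""
    return content_type.split(";", 1)[0].strip().lower()


def is_active(content_type):
    """True for active types, any '+xml' type, and malformed values."""
    media = normalize_type(content_type)
    if not MEDIA_TYPE.fullmatch(media):
        return True  # fail closed on anything that is not a clean media type
    return media in ACTIVE_TYPES or media.endswith("+xml")


def file_response_headers(content_type, filename, inline_requested):
    """Headers for a stored user file; the same set applies to GET and HEAD."""
    active = is_active(content_type)
    # An inline request is honoured only for types that cannot run script.
    disposition = "inline" if inline_requested and not active else "attachment"
    # RFC 5987 percent-encoding keeps quotes and CR/LF out of the header.
    encoded_name = quote(filename, safe="")
    return {
        "Content-Type": "application/octet-stream" if active
                        else normalize_type(content_type),
        "Content-Disposition": f"{disposition}; filename*=UTF-8''{encoded_name}",
        # Stops the browser from sniffing a served file into HTML.
        "X-Content-Type-Options": "nosniff",
        # Assumed policy: no script, no subresources, sandboxed if rendered.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
```

Routing every download path (owned, shared, archive, HEAD) through one function like this keeps the behaviour consistent across them, which is what the second item of the release describes.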
Release 0.4.29
feat: add Cotton SDK, search history, and localized notifications
Add a typed Cotton SDK for auth, app-code sign-in, files, chunks, nodes, settings, sync changes, and realtime events, with path-safe URL handling and covered token refresh behavior.
Add synced search history through user preferences, including history panels in global and full-page search plus smoother initial loading while debounced results are pending.
Localize app-code approval and server notification templates, including local-network and unknown-location rendering for newer and legacy notification metadata.
Load notifications in the background so the menu opens with cached or loading state instead of briefly showing an empty list.
Cover the new SDK, search history, notification rendering, and network address behavior with focused tests.
Release 0.4.28
Release: app-code authorization and sync foundation
Adds browser-approved app-code authorization for desktop and native clients, shared API contracts for auth/files/nodes/sync, durable sync-change feed support, file ETag concurrency handling, metadata compatibility cleanup, GeoIP lookup test results, and frontend localization updates.
Release 0.4.27
fix(database): fully bridge integrity repair
Release 0.4.26
fix(database): restore hard integrity failures during bridge rollout
Release 0.4.25
refactor(database): simplify backfill service and update integrity descriptor handling
Release 0.4.24
Repair legacy file-manifest integrity upgrades
Release 0.4.23
Reliable file sync, smarter uploads, and better media playback
This release makes Cotton more dependable for clients that sync files, improves everyday upload conflict handling, and polishes media playback and administration screens.
What’s new
- File and folder changes are now recorded in a durable sync feed, so sync clients can catch up reliably after being offline.
- Sync clients now get a clear expired-cursor signal when they are too far behind, instead of silently missing older changes.
- Upload conflicts can now be resolved by overwriting an existing file in place, while keeping the existing rename, skip, skip all, and cancel choices.
- Browser and operating-system media controls now follow the active audio or video preview more reliably, including play, pause, seek, and playlist navigation.
- Search results now use the same rich file list experience as regular folders, including previews, media lightbox support, downloads, sharing, and opening a file’s folder.
For admins
- The security diagnostics page now explains risks, passed checks, likely impact, and suggested fixes more clearly.
- File API responses now include stronger manifest metadata such as content hashes, ETags, manifest ids, and file lineage ids for clients that need them.
Fixes and polish
- Permanent deletion from Trash no longer creates duplicate sync delete events.
- Restoring files or folders with missing parent folders now records the recreated folders in the correct sync order.
- Navigation, notifications, user menu storage usage, profile encryption settings, loaders, previews, and localized UI text received smaller polish updates.
Release 0.4.22
Release: merge develop updates
Includes technical documentation refresh, layout search extraction and fixes, Markdown file creation, trash ordering and background bulk delete tasks, stale folder route handling, storage usage and CPU security diagnostics, preview/storage consistency cleanup, CodeFactor cleanup, and recursive client-side encryption folder policy/task progress fixes.