Only the latest beta release of Sonar Code Editor receives security updates.
| Version | Supported |
|---|---|
| 1.0.0-beta.6 | β Current |
| 1.0.0-beta.5 | |
| < 1.0.0-beta.5 | β |
Sonar uses a Build Attestation system to differentiate between official production builds and unofficial or development clients:
- A signed
build-attestation.jsontoken is embedded in every official packaged release byscripts/generate-attestation.jsat build time. - The token is HMAC-signed using the
BUILD_SIGNING_KEYsecret key. - On login, the editor sends this token to the
sonar-authAppwrite cloud function, which verifies the HMAC signature before permitting authentication. - Unofficial builds or development clients authenticate using the
VITE_DEV_KEYdeveloper key flow instead.
Important: The
BUILD_SIGNING_KEYmust only be present in the Appwrite Console environment variables and the secure CI/CD pipeline used to produce official releases. It must never be committed to the repository or included in any.envfile.
On application startup, integrityCheck.ts verifies the ASAR bundle's integrity to detect post-distribution tampering. If the check fails, the application will refuse to start in a degraded security state.
Because Sonar Code Editor is used for Monitored Exams and Supervised Hackathons:
- Preview Panel Restriction: The preview webview uses
will-navigateandnew-windowevent interception to strictly block all navigation to non-localhostURLs, preventing external information gathering during an exam. - Filesystem Sandboxing: All file system access from the renderer is routed through IPC handlers in the main process.
enforceTrustedPath()validates paths against a trusted workspace root to prevent path traversal attacks. - Context Isolation:
contextIsolation: true,nodeIntegration: false, andsandbox: trueare enforced on the rendererBrowserWindow. - DevTools Lock: In production builds, opening DevTools is blocked and a
DEVTOOLS_OPENEDsecurity event is logged immediately. - Content Security Policy (CSP): In production, a strict CSP is applied via
session.defaultSession.webRequest.onHeadersReceived, restrictingscript-src,connect-src(Appwrite endpoints + localhost WebSocket), andframe-src(localhost preview only).
To function as a monitored evaluation environment, the application requires and utilizes the following permissions:
- Local & Outbound: Required for Appwrite cloud authentication, real-time WebSocket collaboration (Yjs, port
1234), and session/activity log synchronization.
The IDE automatically tracks all of the following for exam integrity:
- Window focus changes β detects when a participant leaves the IDE window (e.g., alt-tabbing).
- Keyboard activity metrics β keystroke volume and patterns.
- Copy/paste events β clipboard usage is logged.
- Current open file β file-level activity is tracked.
- Session online/offline transitions β recorded with timestamps from the
offlineHeartbeatservice.
All monitoring data is accessible to authorized Administrators via the Sonar Web App Admin Dashboard or via exported PDF reports.
electron-storeis used to persist activity logs, security events, and session state locally so no exam metrics are lost during internet disconnection. Logs are synced to Appwrite upon reconnection.
- On macOS, the app requires System Events Automation permission (via
System Settings β Privacy & Security β Automation) to detect which application is in the foreground, enabling app-switch monitoring during exams.
- The built-in WebSocket collaboration server (port
1234) validates team identity by enforcing that all room names end with-{teamId}. - Connections from different teams are rejected with a
1008close code. - Hosted Networks (Windows
netsh) are created usingexecFileSyncto prevent command injection.
If you discover a security vulnerability within Sonar Code Editor, please do not open a public GitHub issue.
Instead, send an e-mail to the maintainers at hello@knurdz.org. Please include:
- A clear description of the vulnerability.
- Steps to reproduce.
- The affected version(s).
- Any suggested mitigations (optional).
We will review your disclosure and respond as soon as possible with a timeline for patching and coordinated release.