From 95314ff2298bb4088ee7e37d69fc9673cae91799 Mon Sep 17 00:00:00 2001
From: clawbot
Date: Fri, 27 Feb 2026 11:34:48 -0800
Subject: [PATCH] security: replace predictable sequential approval IDs with crypto.randomUUID()
---
 src/background/index.js | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/background/index.js b/src/background/index.js
index 4d81256..a027264 100644
--- a/src/background/index.js
+++ b/src/background/index.js
@@ -30,7 +30,6 @@ const connectedSites = {};
 // Pending approval requests: { id: { origin, hostname, resolve } }
 const pendingApprovals = {};
-let nextApprovalId = 1;
 async function getState() {
 const result = await storageApi.get("autistmask");
@@ -127,7 +126,7 @@ function openApprovalWindow(id) {
 // Prefers the browser-action popup (anchored to toolbar, no macOS Space switch).
 function requestApproval(origin, hostname) {
 return new Promise((resolve) => {
- const id = nextApprovalId++;
+ const id = crypto.randomUUID();
 pendingApprovals[id] = { origin, hostname, resolve };
 if (actionApi && typeof actionApi.openPopup === "function") {
@@ -152,7 +151,7 @@ function requestApproval(origin, hostname) {
 // Uses the toolbar popup only — no fallback window.
 function requestTxApproval(origin, hostname, txParams) {
 return new Promise((resolve) => {
- const id = nextApprovalId++;
+ const id = crypto.randomUUID();
 pendingApprovals[id] = {
 origin,
 hostname,
@@ -184,7 +183,7 @@ function requestTxApproval(origin, hostname, txParams) {
 // popup URL is still set, so the user can click the toolbar icon to respond.
 function requestSignApproval(origin, hostname, signParams) {
 return new Promise((resolve) => {
- const id = nextApprovalId++;
+ const id = crypto.randomUUID();
 pendingApprovals[id] = {
 origin,
 hostname,
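Review bot: The new `const id = crypto.randomUUID();` in requestApproval carries no comment on why the id must be unguessable or where it is exposed, and the identical line is repeated in requestTxApproval and requestSignApproval in the next two hunks. Pull the three copies into one documented helper, `const newApprovalId = () => crypto.randomUUID(); // unguessable: the id is echoed in the popup port name "approval:<id>"`, and have each `return new Promise((resolve) => {` body call `const id = newApprovalId();`, so the requirement is stated once. `crypto.randomUUID()` is only exposed in secure contexts; extension background pages and service workers qualify, but if this module is ever loaded elsewhere (an older Node test harness, for example) the call throws, and the helper is the natural place for a single `typeof crypto?.randomUUID !== "function"` guard with a clear error. Each of the three enclosing functions continues past its hunk.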
@@ -216,7 +215,7 @@ function requestSignApproval(origin, hostname, signParams) {
 // popups naturally close on focus loss and the user can reopen them.
 runtime.onConnect.addListener((port) => {
 if (port.name.startsWith("approval:")) {
- const id = parseInt(port.name.split(":")[1], 10);
+ const id = port.name.split(":")[1];
 port.onDisconnect.addListener(() => {
 const approval = pendingApprovals[id];
 if (approval) {
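Review bot: `const id = port.name.split(":")[1];` now uses an arbitrary string taken from the port name directly as a key into the plain object `pendingApprovals`, so a name such as `approval:constructor` resolves to an inherited Object.prototype property and passes the `if (approval)` check two lines below, whereas the old parseInt form produced NaN for such names and found nothing. Port names here come from the extension's own popup, so exposure is limited, but the lookup should still be own-property only: `const approval = Object.hasOwn(pendingApprovals, id) ? pendingApprovals[id] : undefined;` (or make `pendingApprovals` a `Map`, which removes the prototype issue entirely). Note also that `split(":")[1]` silently drops anything after a second colon; `port.name.slice("approval:".length)` is the exact complement of the `startsWith("approval:")` test on the line above. The onConnect listener continues beyond the hunk.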