If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/Martichou/rquickshare shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Mixed signals — read the receipts

• Last commit 1w ago
• 10 active contributors
• GPL-3.0 licensed
• CI configured
• Tests present
• ⚠ Concentrated ownership — top contributor handles 73% of recent commits
• ⚠ GPL-3.0 is copyleft — check downstream compatibility

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live Martichou/rquickshare repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/Martichou/rquickshare.

What it runs against: a local clone of Martichou/rquickshare — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in Martichou/rquickshare | Confirms the artifact applies here, not a fork | | 2 | License is still GPL-3.0 | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | Last commit ≤ 37 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of Martichou/rquickshare. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/Martichou/rquickshare.git
#   cd rquickshare
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of Martichou/rquickshare and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "Martichou/rquickshare(\\.git)?\\b" \\
  && ok "origin remote is Martichou/rquickshare" \\
  || miss "origin remote is not Martichou/rquickshare (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(GPL-3\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"GPL-3\\.0\"" package.json 2>/dev/null) \\
  && ok "license is GPL-3.0" \\
  || miss "license drift — was GPL-3.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 37 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~7d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/Martichou/rquickshare"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

rquickshare is a Rust/Tauri desktop application that implements Google's NearbyShare/QuickShare protocol for Linux and macOS, enabling seamless file and text sharing over local Wi-Fi networks without requiring Android devices. It's a cross-platform port of Android's native sharing feature, built with a Rust backend (in src-tauri/Cargo.toml) communicating via a Vue 3 + TypeScript frontend to provide a native desktop experience. Monorepo structure with app/main/ as the primary frontend (Vue 3 + Vite), and app/main/src-tauri/ containing the Rust backend (Tauri binary). Frontend is in app/main/src with TypeScript/Vue components; Rust code in src-tauri compiles to a native binary. Core protocol logic likely lives in app/main/src-tauri/src/, with Tauri managing IPC between frontend and backend, and separate linked dependency @martichou/core_lib (referenced in package.json) for shared protocol logic.

Linux and macOS desktop users who want to share files and text with Android devices on the same Wi-Fi network, similar to Apple's AirDrop; also developers contributing to open-source cross-platform networking applications using Rust and Tauri.

Actively maintained with structured release processes (release-please-manifest.json, semantic versioning in CHANGELOG.md). CI/CD pipelines exist (build.yml, lint.yml, release.yml), indicating production intent. However, explicit test presence is not evident in the file list; the project has clear limitations (Wi-Fi LAN only) and multi-version support strategy (legacy vs. main branches for different Ubuntu GLIBC versions), suggesting it's production-ready but with known constraints.

Single maintainer (Martichou) visible in repo ownership; moderate dependency footprint with @tauri-apps plugins + pinia + vue ecosystem. The project's core dependency on mDNS and local network protocols means network configuration issues are common failure modes (per FAQ). Tauri framework adds a layer of abstraction that could lag behind security updates, though Tauri is well-maintained. No visibility into test coverage from the file list.

Active development with release automation via release-please. Dependabot configured (dependabot.yml) for automated dependency updates. Build matrix likely testing multiple Linux distributions (legacy GLIBC versions) and macOS. No specific pending issues visible from file list, but the dual-version strategy (legacy + main in earlier releases) suggests ongoing effort to maintain broad platform compatibility.

git clone https://github.com/Martichou/rquickshare.git
cd rquickshare/app/main
pnpm install
pnpm run dev

This starts the Tauri dev server with hot-reload, running both the Vue frontend and Rust backend concurrently (see package.json 'dev' script with concurrently).

Daily commands:

pnpm run dev          # Concurrent Tauri dev + Vue devtools (with RUST_BACKTRACE=1)
pnpm run build        # Production build (creates .deb, .dmg, .AppImage, .rpm)
pnpm run vite:dev     # Vue frontend dev only
pnpm run tauri build -d  # Debug binary

For the Rust backend: cd app/main/src-tauri && cargo check validates compilation.

• app/main/src-tauri/Cargo.toml: Defines all Rust dependencies and build configuration for the NearbyShare protocol implementation; critical for backend logic
• app/main/package.json: Frontend build, dev server, and Tauri app orchestration; entry point for pnpm scripts and Tauri CLI integration
• app/main/src-tauri/build.rs: Tauri build script that may bundle protocol definitions or native libraries needed for mDNS and network communication
• .github/workflows/build.yml: CI/CD pipeline for cross-platform builds (Linux deb/rpm/AppImage, macOS dmg); defines reproducible build steps
• app/main/src-tauri/capabilities/migrated.json: Tauri 2.0 permissions manifest; controls what system APIs (file access, network, notifications) the app can use
• app/main/index.html: Vite entry point and Tauri window host; loads the Vue app into the native window

Frontend changes: Edit .vue files in app/main/src/ (UI logic), modify store in app/main/src/store/ (state with Pinia), or update app/main/eslint.config.mjs (linting). Backend/Protocol changes: Modify app/main/src-tauri/src/ (Rust command handlers, NearbyShare protocol), or build.rs (compile-time setup). Dependencies: Update pnpm-lock.yaml via pnpm add/remove, or Cargo.lock via cargo add/remove in src-tauri. UI styling: Edit app/main/tailwind.config.ts or app/main/postcss.config.cjs.

1. mDNS network requirement: The app silently fails if mDNS is blocked on the network; no clear UI feedback per FAQ. 2) GLIBC version pinning: Linux packages are versioned by minimum GLIBC (check with ldd --version before installing); mismatched versions cause hard failures. 3) Library dependencies on Linux: libayatana-appindicator or libappindicator3 must be pre-installed; dpkg/rpm may not auto-resolve these, requiring manual apt/dnf install. 4) Tauri 2.x breaking changes: Capabilities JSON format changed (migrated.json); upgrading @tauri-apps packages may require capability re-migration. 5) macOS code signing: .dmg requires explicit allow in Privacy & Security on first run (per README); users unfamiliar with this will get confusing permission dialogs.

• mDNS (Multicast DNS) — rquickshare relies entirely on mDNS for device discovery on the local network; understanding mDNS is critical to diagnosing connection failures and network compatibility issues
• NearbyShare Protocol — The core wire protocol rquickshare implements; understanding the message format, encryption, and handshake is essential for extending or debugging device pairing
• Tauri IPC (Inter-Process Communication) — Bridge between Vue frontend and Rust backend; all file transfers and device discovery results flow through Tauri commands, making it critical to understand for debugging frontend-backend integration
• AppImage format — rquickshare distributes as AppImage on Linux; understanding how AppImage bundles dependencies helps troubleshoot missing library errors and portability issues
• Vite module bundling — Vite is the build tool for the Vue frontend; understanding Vite's dev server and HMR (hot module replacement) is essential for frontend development workflow
• TLS/mTLS for device pairing — NearbyShare uses certificate-based authentication to verify devices; rquickshare must validate certificates and manage device trust, which is central to the security model
• Semantic Versioning & release-please automation — rquickshare uses release-please for CHANGELOG and version management; understanding this automation prevents manual versioning mistakes and integrates CI/CD properly

• mozilla/firefox-accounts — Cross-platform authentication and sync protocol; shares similar multi-OS binary distribution and security challenges as rquickshare
• tauri-apps/tauri — The framework powering rquickshare's desktop app; essential for understanding IPC, capabilities, and build process
• google/nearby — Official Google Nearby reference implementation; rquickshare reverse-engineered the NearbyShare protocol from this
• hyperium/hyper — HTTP client/server library used by many Rust networking projects; relevant if rquickshare uses HTTP for device communication
• tokio-rs/tokio — Async runtime for Rust; likely powers concurrent mDNS discovery and file transfer handling in rquickshare's backend

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add E2E tests for Tauri commands in src-tauri/src/cmds/

The repo has a test script in package.json but no visible test files for the Rust Tauri commands (discovery.rs, send_to_rs.rs, send_payload.rs, etc.). These are critical paths for the QuickShare functionality and deserve integration tests to prevent regressions in device discovery and file transmission logic.

• [ ] Create app/main/src-tauri/src/cmds/tests/ directory with module-level tests
• [ ] Add unit tests for discovery.rs mocking nearby device detection
• [ ] Add unit tests for send_to_rs.rs and send_payload.rs mocking file transfer flows
• [ ] Update app/main/src-tauri/Cargo.toml to include dev-dependencies if needed
• [ ] Add cargo test step to .github/workflows/build.yml

Add missing Vue component tests in app/main/src/

The package.json includes vitest but the src/ directory structure is not shown in the file listing. Given this is a Vue 3 + TypeScript Tauri app, there should be unit tests for Vue components, composables, and stores (pinia). This would improve code quality and catch UI regressions early.

• [ ] Explore and document the actual app/main/src/ structure in a separate PR or comment
• [ ] Create app/main/src/tests/ directory following Vue testing best practices
• [ ] Add tests for main store(s) using pinia testing utilities
• [ ] Add tests for critical UI components (device list, file transfer UI, settings)
• [ ] Update vitest config in vite.config.ts if it exists, or create vitest.config.ts
• [ ] Add test coverage reporting to .github/workflows/lint.yml or build.yml

Add GitHub Action workflow for dependency security audits (cargo-audit + npm audit)

The repo uses both Rust (Tauri backend) and Node.js (Vue frontend) dependencies but lacks automated security scanning. With .github/dependabot.yml already in place, adding a dedicated security audit workflow would catch vulnerabilities in supply chain before they reach users, especially important for a file-sharing application.

• [ ] Create .github/workflows/security-audit.yml with cargo-audit step for Rust dependencies in app/main/src-tauri/
• [ ] Add npm audit step for app/main/ dependencies
• [ ] Configure workflow to run on: push (main), pull_request, and schedule (weekly)
• [ ] Set up artifact reporting or create GitHub security alerts
• [ ] Document security findings process in CONTRIBUTING.md or BUILD.md

• Add unit tests for Rust protocol parsing in app/main/src-tauri/src/: currently no test files visible; create test modules for NearbyShare packet parsing and mDNS discovery logic to improve reliability.
• Implement explicit error handling UI in app/main/src/components/: add dismissible error notifications when mDNS discovery fails or network is unreachable, with actionable messages (currently users see silent failures per FAQ).
• Expand FAQ and troubleshooting in README.md with concrete network diagnostic steps (e.g., how to check if mDNS is blocked, verify Wi-Fi SSID matching, test with mDNS utilities like avahi-browse).

The rquickshare codebase demonstrates reasonable security practices with automated dependency management (Dependabot) and use of modern frameworks. However, several medium-risk issues exist: potential file path traversal vulnerabilities in download operations, missing Content Security Policy configuration, and insufficient clipboard content sanitization. The application should prioritize validating file operations, implementing CSP headers, and sanitizing clipboard data. Low-severity concerns include exposed development tools in dev scripts and missing production-specific security configurations. Overall security posture is acceptable but requires attention to the identified medium-severity items before production deployment.

• Medium · Outdated ESLint Configuration Dependencies — app/main/package.json - devDependencies. The project uses ESLint 9.17.0 and @eslint/js 9.17.0, which may have known vulnerabilities. Regular dependency updates should be automated and monitored. Fix: Implement automated dependency scanning with tools like Dependabot (already present in .github/dependabot.yml) and ensure regular updates are applied. Consider using npm audit or pnpm audit in CI/CD pipeline.
• Medium · Missing Content Security Policy Headers — app/main/src-tauri/tauri.conf.json or build configuration. Tauri application (app/main/src-tauri) lacks explicit CSP configuration visible in the codebase. CSP helps prevent XSS attacks in web-based UI components. Fix: Define and implement Content Security Policy in Tauri configuration to restrict script sources, disable inline scripts, and control other resource origins.
• Medium · Potential Unvalidated File Operations — app/main/src-tauri/src/cmds/change_download_path.rs. The file 'app/main/src-tauri/src/cmds/change_download_path.rs' suggests user-controlled file path operations. Without proper validation, this could lead to directory traversal attacks. Fix: Implement strict validation of file paths including canonicalization, allowlist checks, and ensure paths cannot escape designated directories. Use safe path manipulation APIs.
• Medium · Clipboard Plugin Without Sanitization Control — app/main/package.json - @tauri-apps/plugin-clipboard-manager and Vue components. The @tauri-apps/plugin-clipboard-manager dependency is used but there's no evidence of content sanitization before pasting clipboard data into the UI, potentially enabling clipboard-based XSS. Fix: Implement content sanitization for any clipboard data before rendering. Use DOMPurify or similar libraries to sanitize HTML content from clipboard operations.
• Low · Missing HTTP Security Headers Configuration — app/main/src-tauri/tauri.conf.json. No explicit security headers (HSTS, X-Content-Type-Options, X-Frame-Options) configuration visible for the Tauri webview. Fix: Configure Tauri's security settings to include appropriate HTTP headers and webview security policies in tauri.conf.json.
• Low · Devtools Exposed in Dev Script — app/main/package.json - scripts.dev. The package.json 'dev' script includes 'pnpm devtools' which enables Vue DevTools. While useful for development, ensure this is disabled in production builds. Fix: Ensure DevTools are only enabled in development mode. Verify that production builds do not include debugging tools or development dependencies.
• Low · Missing Integrity Checks for Local Dependencies — app/main/package.json - dependencies. The project uses a local link dependency '@martichou/core_lib' without visible version pinning or integrity verification mechanism. Fix: Implement version pinning and checksum verification for local dependencies. Consider using workspace management features or submodule integrity checks.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.