From ccc60626bbe02cb5606052361ecb519be9490345 Mon Sep 17 00:00:00 2001
From: posimai
Date: Fri, 24 Apr 2026 16:44:04 +0900
Subject: [PATCH] security(chronicle): PAT not exposed in input.value, fix manifest icon purpose

- GitHub PAT: replaced input.value with placeholder to avoid exposing token in DOM
- manifest.json: split 'any maskable' into two separate icon entries per spec

Co-Authored-By: Claude Sonnet 4.6
---
 index.html | 2 +-
 manifest.json | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/index.html b/index.html
index a64ed12..8ac0678 100644
--- a/index.html
+++ b/index.html
@@ -512,7 +512,7 @@ function getGhPat() { return localStorage.getItem(GH_PAT_KEY) || ''; }
 const status = document.getElementById('ghPatStatus');
 const pat = getGhPat();
 if (pat) {
- input.value = pat;
+ input.placeholder = '設定済み(変更する場合は再入力)';
 status.textContent = '設定済み';
 status.style.color = 'var(--accent)';
 }
diff --git a/manifest.json b/manifest.json
index 72c6e58..46dba69 100644
--- a/manifest.json
+++ b/manifest.json
@@ -11,6 +11,7 @@
 "orientation": "portrait-primary",
 "categories": ["productivity"],
 "icons": [
- { "src": "/logo.svg", "sizes": "any", "type": "image/svg+xml", "purpose": "any maskable" }
+ { "src": "/logo.svg", "sizes": "any", "type": "image/svg+xml", "purpose": "any" },
+ { "src": "/logo.svg", "sizes": "any", "type": "image/svg+xml", "purpose": "maskable" }
 ]
 }
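Review bot: The token is still stored in and read from `localStorage` (`getGhPat()` in the hunk header), so any script running on this origin can read it exactly as before. The new `input.placeholder` line only keeps the copy out of the form field, which the commit title overstates. I would say so next to the new line, e.g. `// PAT stays in localStorage (readable by any script on this origin); this only keeps it out of the input's value.` The enclosing function begins above the hunk and the save path is not shown. If the save path writes `input.value` unconditionally, saving with the field left empty would overwrite the stored token with an empty string, so it should skip the write when the field is empty.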