security(chronicle): PAT not exposed in input.value, fix manifest icon purpose

- GitHub PAT: replaced input.value with placeholder to avoid exposing token in DOM - manifest.json: split 'any maskable' into two separate icon entries per spec Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-24 16:44:04 +09:00 · 2026-04-24 16:44:04 +09:00 · ccc60626bb
parent ffc144fd31
commit ccc60626bb
2 changed files with 3 additions and 2 deletions
--- a/index.html
+++ b/index.html
@ -512,7 +512,7 @@ function getGhPat() { return localStorage.getItem(GH_PAT_KEY) || ''; }
    const status = document.getElementById('ghPatStatus');
    const pat = getGhPat();
    if (pat) {
-        input.value = pat;
+        input.placeholder = '設定済み（変更する場合は再入力）';
        status.textContent = '設定済み';
        status.style.color = 'var(--accent)';
    }
--- a/manifest.json
+++ b/manifest.json
@ -11,6 +11,7 @@
    "orientation": "portrait-primary",
    "categories": ["productivity"],
    "icons": [
-        { "src": "/logo.svg", "sizes": "any", "type": "image/svg+xml", "purpose": "any maskable" }
+        { "src": "/logo.svg", "sizes": "any", "type": "image/svg+xml", "purpose": "any" },
+        { "src": "/logo.svg", "sizes": "any", "type": "image/svg+xml", "purpose": "maskable" }
    ]
 }