fix: security hardening — Keychain, no hardcoded creds, safe URLs

- Add KeychainService for encrypted token storage (auth, refresh, health JWT, API key) - Remove hardcoded email/password from HealthAPIService, store in Keychain - Move all tokens from UserDefaults to Keychain - API key sent via X-API-Key header instead of URL query parameter - Replace force unwrap URL(string:)! with guard let + throws - Fix force unwrap Calendar.date() in HealthKitService - Mark HealthKitService @MainActor for thread-safe @Published - Use withTaskGroup for parallel habit log fetching in TrackerView - Check notification permission before scheduling reminders - Add input validation (title max 200 chars) - Add privacy policy and terms links in Settings - Update CLAUDE.md with security section Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 14:11:10 +03:00
parent 28fca1de89
commit 44c759c190
10 changed files with 167 additions and 58 deletions
--- a/PulseHealth/Views/Tasks/AddTaskView.swift
+++ b/PulseHealth/Views/Tasks/AddTaskView.swift
@@ -66,6 +66,7 @@ struct AddTaskView: View {
                            TextField("Что нужно сделать?", text: $title, axis: .vertical)
                                .lineLimit(1...3).foregroundColor(.white).padding(14)
                                .background(RoundedRectangle(cornerRadius: 12).fill(Color.white.opacity(0.07)))
+                                .onChange(of: title) { if title.count > 200 { title = String(title.prefix(200)) } }
                        }
                        // Description
                        VStack(alignment: .leading, spacing: 8) {