From 4c10490e0488b03de70a6e0d7d7432347dcce00a Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Fri, 10 Apr 2026 09:48:44 +0300 Subject: processor: document trusted inbox trust boundary for markdown HTML Markdown uses goldmark html.WithUnsafe for intentional raw HTML in personal-inbox posts. Package and processMd comments state the trust model and warn against untrusted input on the same path. Made-with: Cursor --- internal/processor/processor.go | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'internal/processor/processor.go') diff --git a/internal/processor/processor.go b/internal/processor/processor.go index b6fa40b..34aca90 100644 --- a/internal/processor/processor.go +++ b/internal/processor/processor.go @@ -2,6 +2,13 @@ // each one into a self-contained post directory under outdir/posts/. // Supported formats: .txt, .md, .png, .jpg, .jpeg, .gif, .mp3. // Each processed source file is deleted from the input directory afterward. +// +// Markdown trust boundary: .md files are expected only from a trusted personal +// inbox (the operator’s own email or equivalent). Goldmark is configured with +// html.WithUnsafe so raw HTML and GFM features in those files pass through to +// post HTML intentionally. This is not a multi-tenant or public-submission +// pipeline; do not point an untrusted drop folder at the same input directory +// without replacing that rendering path with sanitization or a stricter parser. package processor import ( -- cgit v1.2.3
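Review bot: The commit message says the package and processMd comments both state the trust model, but the only hunk here is the package comment (`@@ -2,6 +2,13 @@`, 7 insertions), so the warning sits at the top of the file and not where html.WithUnsafe is actually passed to goldmark. Add a short comment at that call site in processMd that points back to this paragraph, since that is where someone changing the renderer will look. In the line "html.WithUnsafe so raw HTML and GFM features in those files pass through", GFM is a separate goldmark extension and is not what makes the path unsafe; html.WithUnsafe is the option that stops goldmark from omitting raw HTML and potentially dangerous URLs, so name those two things and drop GFM from that clause. The boundary is stated in prose only and nothing in the visible lines enforces it, so "sanitization or a stricter parser" would be more actionable if it named the concrete step, for example running an HTML sanitizer over the rendered output or removing html.WithUnsafe. Minor style point: "operator’s" uses a typographic apostrophe (U+2019); plain ASCII ' is the usual choice in Go source comments.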