processor: document trusted inbox trust boundary for markdown HTML

Markdown uses goldmark html.WithUnsafe for intentional raw HTML in personal-inbox posts. Package and processMd comments state the trust model and warn against untrusted input on the same path. Made-with: Cursor
author: Paul Buetow <paul@buetow.org> 2026-04-10 09:48:44 +0300
committer: Paul Buetow <paul@buetow.org> 2026-04-10 09:48:44 +0300
commit: 4c10490e0488b03de70a6e0d7d7432347dcce00a (patch)
tree: 33fc822cba99c29b926bfc046b5c2c72608587a6 /internal/processor/processor.go
parent: 4ff456a6111d8553893308a84e9f0e992d4809bf (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/internal/processor/processor.go b/internal/processor/processor.go
index b6fa40b..34aca90 100644
--- a/internal/processor/processor.go
+++ b/internal/processor/processor.go
@@ -2,6 +2,13 @@
 // each one into a self-contained post directory under outdir/posts/.
 // Supported formats: .txt, .md, .png, .jpg, .jpeg, .gif, .mp3.
 // Each processed source file is deleted from the input directory afterward.
+//
+// Markdown trust boundary: .md files are expected only from a trusted personal
+// inbox (the operator’s own email or equivalent). Goldmark is configured with
+// html.WithUnsafe so raw HTML and GFM features in those files pass through to
+// post HTML intentionally. This is not a multi-tenant or public-submission
+// pipeline; do not point an untrusted drop folder at the same input directory
+// without replacing that rendering path with sanitization or a stricter parser.
 package processor
 
 import (
author	Paul Buetow <paul@buetow.org>	2026-04-10 09:48:44 +0300
committer	Paul Buetow <paul@buetow.org>	2026-04-10 09:48:44 +0300
commit	4c10490e0488b03de70a6e0d7d7432347dcce00a (patch)
tree	33fc822cba99c29b926bfc046b5c2c72608587a6 /internal/processor/processor.go
parent	4ff456a6111d8553893308a84e9f0e992d4809bf (diff)