Primary threat: Untrusted text content from external sources.

VGlyph is a text rendering library that processes user-provided text. The main security concerns are:

1. Malformed input - Invalid UTF-8, extreme sizes, malicious paths
2. Resource exhaustion - DoS through large text, many glyphs
3. Memory corruption - Buffer overflows, use-after-free in C libraries

All public APIs validate input at entry:

Validation functions in validation.v:

• validate_text_input() - UTF-8 and length checks
• validate_font_path() - Path traversal and existence checks
• validate_size() - Size range enforcement
• validate_dimension() - Dimension bounds enforcement

• All errors include source location (@FILE:@LINE)
• C library errors wrapped with context (e.g., "FreeType error 6 loading font X")
• No silent failures in public APIs - functions return !T result types
• V result types enforce error handling at compile time

Error categories:

• Validation errors: Invalid input detected before processing
• C library errors: FreeType, Pango, FontConfig failures wrapped with context
• Resource errors: Allocation failures, atlas full conditions

FT_Face ownership: Faces are borrowed from Pango via pango_ft2_font_get_face. VGlyph does not own these pointers and must not call FT_Done_Face. The face lifetime is tied to the PangoFont that provides it.

AttrList lifecycle pattern:

1. Copy existing or create new (caller owns, refcount=1)
2. Modify with pango_attr_list_insert (list takes ownership of attributes)
3. Call set_attributes (layout refs the list)
4. MUST unref caller's copy (exactly once after set_attributes)

Atlas lifecycle:

• Pages allocated via vcalloc with nil check
• Old textures queued for cleanup in garbage list (avoid destroying while bound)
• cleanup() called per frame to release old resources after frame completes
• LRU eviction when max_pages reached

Enable debug builds (v -d debug) for additional checks:

The overlay API discovers MTKView by walking NSWindow's subview tree. This enables transparent IME overlay creation without requiring direct handle access.

[TRUSTED]              [BOUNDARY]            [VALIDATED]
V application    -->   FFI call      -->     NSWindow view tree
editor_demo.v          vglyph_discover_      Subviews checked via
                       mtkview_from_window() isKindOfClass

• NULL check on NSWindow before access
• Depth limit 100 levels to prevent infinite recursion
• isKindOfClass runtime type check (not string matching)
• NULL return on not found (no exceptions)

Returns NULL when MTKView not found. Caller falls back to global callbacks. No exceptions thrown. Logs discovery failure to stderr.

• Cannot crash (all pointers validated)
• Cannot be spoofed (runtime type checking)
• Fails safe (returns NULL)
• No privilege escalation possible

• Assumes MTKView present (sokol always creates one)
• Does not validate subclass behavior beyond type check

1. Korean IME first-keypress - macOS-level bug, documented upstream. User workaround: type first character twice, or refocus field.

2. Font format validation - Delegated entirely to FreeType. VGlyph validates path existence but not font file contents.

3. Thread safety - VGlyph is designed for single-threaded use (V's default model). Context, Renderer, and TextSystem are not thread-safe.

4. Overlay API macOS-only - Overlay discovery requires NSWindow. Non-macOS platforms use global callback fallback. Not a security issue.

Before releasing:

• All public APIs validate input before processing
• All C library calls check return values
• All allocations checked against limits
• All FreeType/Pango objects cleaned up on all exit paths
• Error messages include location context
• Tests cover error paths

Report security issues to: GitHub Issues with security label

For critical vulnerabilities, please mark the issue as confidential or contact maintainers directly before public disclosure.