Author: VihariKanukollu
Commit: cbbe9dd0a2
Date: 2026-01-29 16:05:38 +05:30

security: harden credential handling, API auth, and archive extraction

- Control UI: switch token/password from query params to URL fragments (#token=...)
  - Auto-strips after first load, never logged in server access logs
- Added defense-in-depth headers (Referrer-Policy, X-Frame-Options, CSP, nosniff)
- macOS: "Open Dashboard" now uses fragments instead of query params
- CLI/onboarding: emit fragment links instead of query param links
- Plugin HTTP: /api/** now requires Gateway auth (fixes unauthenticated Nostr API)
  - Added config toggle gateway.plugins.http.protectApiPaths (default: true)
  - Control UI: sends Authorization header for Nostr profile save/import
- Android hardening:
  - WebView: disabled mixed content, multi-window, reduced file URL privileges
  - A2UI bridge: origin validation + 64KB payload cap
  - TLS: enabled hostname verification for DNS names
  - Archive extraction: block path traversal + symlink/hardlink entries
- Dependencies: upgraded tar 7.5.7, hono 4.11.7, added overrides for vulnerabilities

Breaking: Old ?token=... dashboard links no longer auto-auth; use #token=... instead

Author: Dan Guido
Commit: 48aea87028
Date: 2026-01-25 10:53:23 +00:00

feat: add prek pre-commit hooks and dependabot (#1720)

* feat: add prek pre-commit hooks and dependabot

  Pre-commit hooks (via prek):
  - Basic hygiene: trailing-whitespace, end-of-file-fixer, check-yaml, check-added-large-files, check-merge-conflict
  - Security: detect-secrets, zizmor (GitHub Actions audit)
  - Linting: shellcheck, actionlint, oxlint, swiftlint
  - Formatting: oxfmt, swiftformat

  Dependabot:
  - npm and GitHub Actions ecosystems
  - Grouped updates (production/development/actions)
  - 7-day cooldown for supply chain protection

  Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: add prek install instruction to AGENTS.md

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>