Swept against the Jahia/jahia-security-scan taxonomy: clean on all high-severity classes (no XSS sink, no SQL2 injection, no custom endpoint/CSRF surface, no SSRF, no system session). Two low-severity items hardened:
- Author identity is never client-trusted — the displayed name is resolved from the server-set
jcr:createdBy; the spoofable client-setauthorNameis no longer written or read (CND field kept as legacy). - Task text is stripped of
</>before being copied into ajnt:tasktitle/description (defense in depth).
Plus a README currency pass (identity model, build version, full changelog).