Skip to content

v1.0.18 — security review (2026-07-05)

Choose a tag to compare

@tcconnally tcconnally released this 05 Jul 22:54
77c7df5

Patch release carrying the 2026-07-05 pre-launch security review fixes.

Code hardening (#681): @tree symlink-escape (out-of-tree filename disclosure) closed; @tool --flag=value allow-list bypass closed; federation fetch/push SSRF-guarded (scheme + private-IP block + no-redirect); bounded LLM response reads.

Deploy/supply-chain posture (#682): Docker image no longer bakes PERSEUS_ALLOW_DANGEROUS=1 and runs non-root; bootstrap.sh installer repointed off the personal fork to the org namespace (+ optional version pin); pyyaml capped <7.

Full ranked review: docs/security-review-2026-07-05.md. Verified sound with no change: the @query/@agent double-gate, path containment, MCP SSE auth, build integrity, PyPI OIDC publishing.