v0.2.0 — Security hardening + Monaco self-hosted

@Pinperepette Pinperepette released this 03 May 10:04
· 2 commits to main since this release

Highlights

Security hardening (covers ~15 review findings):

  • Auth token + Bearer on /api/* and /ws (no more local processes calling the bun server)
  • CSP enforced by default (no inline scripts, no third-party CDN)
  • Path traversal closed on /api/file (local + remote)
  • sshpass -e instead of -p (no password in ps aux)
  • ShellType whitelist enforced server-side
  • identity_file / cwd validated in PTY
  • shell:allow-execute capability removed
  • Git input validation on 7 endpoints (checkout, stash pop/drop, discard, diff, stage, unstage, diff-range)
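
A sketch of the kind of containment check that closes a path traversal on a file endpoint such as /api/file. It is an added example, not SubLodeX's own code: the function names, the root /srv/project and the sample requests are constructed. It works purely on POSIX path strings, so the same check applies to a remote path that cannot be resolved on the local disk.

```javascript
// Added example (not from the project): lexical containment check for
// POSIX-style paths. All names and sample values here are constructed.

// Collapse ".", ".." and repeated slashes in an absolute POSIX path.
function normalizePosix(absPath) {
  const out = [];
  for (const seg of absPath.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); // ".." at "/" stays at "/"
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Return the normalized path if `requested` stays inside `root`, else null.
// `requested` must already be URL-decoded exactly once by the caller.
function resolveInside(root, requested) {
  if (typeof requested !== "string" || requested.includes("\0")) return null;
  const base = normalizePosix(root);
  // Absolute requests are taken as-is, relative ones are joined to the root.
  const joined = requested.startsWith("/") ? requested : base + "/" + requested;
  const full = normalizePosix(joined);
  // Compare on a segment boundary so "/srv/project-old" is not accepted
  // as being inside "/srv/project".
  const prefix = base === "/" ? "/" : base + "/";
  return full === base || full.startsWith(prefix) ? full : null;
}

// Constructed sample requests against a constructed root.
const ROOT = "/srv/project";
const SAMPLES = [
  "src/main.ts",
  "/srv/project/./docs//a.md",
  "../../etc/passwd",
  "/srv/project-old/key",
];
for (const p of SAMPLES) {
  console.log(JSON.stringify(p), "->", resolveInside(ROOT, p));
}
```

The check is lexical only: for local files, a symlink inside the root can still point outside it, so resolve the real path as well and run the result through the same comparison before opening the file.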

App:

  • Monaco editor self-hosted (no jsdelivr CDN, app works offline)
  • Session persistence fix: reload now resumes the right Claude session via --resume
  • Bun sidecar auto-restart with exponential backoff
  • WebSocket reconnect no longer leaves UI stuck on streaming
  • Per-session PTY locking (no head-of-line blocking on slow SSH)

Downloads

| Platform | Architecture | File |
|---|---|---|
| macOS | Intel x64 | SubLodeX_0.2.0_x64.dmg |
| macOS | Apple Silicon | SubLodeX_0.2.0_aarch64.dmg |
| Linux | Debian / Ubuntu x64 | SubLodeX_0.2.0_amd64.deb |
| Windows | x64 (MSI) | SubLodeX_0.2.0_x64_en-US.msi |
| Windows | x64 (NSIS installer) | SubLodeX_0.2.0_x64-setup.exe |