Security & robustness hardening of the v0.3.0 product surface (from a
dedicated multi-agent review pass).
Fixed
- Console XSS → token theft closed: event/task ids (attacker-shaped) now
ride escapeddata-*attributes with delegated listeners, never inline
handlers. - All API auth uses constant-time comparison (
hmac.compare_digest); uvicorn
binds127.0.0.1explicitly on both servers. - Composio webhook: timestamp freshness (±5 min anti-replay), 1 MiB body
cap before buffering, non-ASCII signature headers no longer 500, non-dict
trigger data wrapped instead of crashing. - Console task-approve honors
task.executor(was hardcodedclaude_code— an
escalation over the query-only shell executor). - History search runs in SQL, so matches beyond the newest rows are found.
- One
apply_feedbackpath behind HTTP/MCP/Telegram/console: the natural
should/shouldn't-interrupt signals now learn identically everywhere (MCP and
Telegram previously only stored a raw row); unknown signals are rejected. chief connectbacks up and refuses to rewrite configs its serializer can't
round-trip, instead of corrupting them in place.