Skip to content

Releases: VYLTH/annotator

v0.0.3 — security hardening, zero-friction setup

Choose a tag to compare

@iamdecatalyst iamdecatalyst released this 08 May 10:05

What's new

Bug fixes

  • Target inference is correct again. describeTargetUnder was picking up our own overlay canvas instead of the live page element underneath each rect. Now it toggles pointer-events:none on the overlay during the lookup.
  • Bubble drag no longer leaks pointer state when the user releases off-window — pointercancel cleans up.
  • Capture has a 30s timeout with a useful error message instead of spinning forever on tainted CORS images.

Friction reduction

  • annotator setup (new command). Drop into your project directory, run one command:
    cd ~/my-project
    annotator setup
    It detects Vite / Next.js / plain HTML, finds the right entry file, injects the script tag, generates a token, writes .env.local (mode 600), updates .gitignore. No manual file edits.
  • npm shim now gives platform-specific install commands when Python isn't installed (brew install pipx, sudo apt install pipx, etc.).
  • /w.js has Cache-Control: max-age=300, must-revalidate so widget updates roll out cleanly.
  • Dashboard now prompts for project + token (was hardcoded to local); persists in localStorage; image fetch via auth blob (was 401-spamming logs).

Security hardening

  • Console buffer scrubs secret-shaped strings before submission — Bearer tokens, JWTs (eyJ…), Stripe keys (sk_live_…), AWS keys (AKIA…), GitHub PATs (gh[ps]_…), and generic long token-shapes get [REDACTED].
  • Network buffer query-string redaction: token=…, api_key=…, password=…, sig=…, jwt=…, session=… etc. are stripped.
  • Server validates PNG magic bytes and rejects malformed base64.
  • CORS locked: only X-Annot-Token and Content-Type headers, only GET/POST/OPTIONS methods.
  • New SECURITY.md documenting the redaction list and threat model.

Install

pipx upgrade vylth-annotator     # if you had 0.0.1 / 0.0.2
pipx install vylth-annotator     # fresh

The hosted instance at https://annot.vylth.com/w.js is already serving the new bundle.

v0.0.2 — capture-on-send fix

Choose a tag to compare

@iamdecatalyst iamdecatalyst released this 08 May 08:33

Fixes

  • Capture no longer freezes the page. The screenshot is now taken when you click Send (with a spinner), not when you click the bubble. Eliminates the 'Page is loading slowly' termination on complex sites.
  • Bubble is draggable. Drag it anywhere; position persists in localStorage. Avoids clashing with site-native chat widgets (Intercom / Crisp / Drift).
  • Neumorphic black-and-white restyle. Red accents replaced with white-on-dark. Premium feel.
  • Highlighter icon replaces the previous chat-bubble glyph.
  • Dashboard auth fixed. Was hardcoded to a 'local' token; now prompts for project + token on first load and persists in localStorage. Switch-project button at top right.
  • Dashboard images now fetch with the auth header (was 401-spamming the logs).

Install

pipx upgrade vylth-annotator      # if you had 0.0.1
pipx install vylth-annotator      # fresh

The hosted instance at https://annot.vylth.com/w.js was updated separately and is already serving the fix to anyone using the script tag.

Browser extension

annotator-extension-0.0.1.zip (unchanged from v0.0.1) is attached for sideload.

v0.0.1 — initial release

Choose a tag to compare

@iamdecatalyst iamdecatalyst released this 07 May 17:51

What ships

Quick start

pipx install vylth-annotator
annotator run                          # opens dashboard at http://localhost:8092
annotator skill install --target auto  # tells Claude/Codex/Cursor where to look

Drop into your dev site:

<script src="http://localhost:8092/w.js" data-project="local" data-token="local" data-webhook="http://localhost:8092/v1/feedback"></script>

Annotations land as PNG + Markdown pairs under ./.annot/<project>/ — agent-readable out of the box.