Skip to content

v0.0.3 — security hardening, zero-friction setup

Latest

Choose a tag to compare

@iamdecatalyst iamdecatalyst released this 08 May 10:05

What's new

Bug fixes

  • Target inference is correct again. describeTargetUnder was picking up our own overlay canvas instead of the live page element underneath each rect. Now it toggles pointer-events:none on the overlay during the lookup.
  • Bubble drag no longer leaks pointer state when the user releases off-window — pointercancel cleans up.
  • Capture has a 30s timeout with a useful error message instead of spinning forever on tainted CORS images.

Friction reduction

  • annotator setup (new command). Drop into your project directory, run one command:
    cd ~/my-project
    annotator setup
    It detects Vite / Next.js / plain HTML, finds the right entry file, injects the script tag, generates a token, writes .env.local (mode 600), updates .gitignore. No manual file edits.
  • npm shim now gives platform-specific install commands when Python isn't installed (brew install pipx, sudo apt install pipx, etc.).
  • /w.js has Cache-Control: max-age=300, must-revalidate so widget updates roll out cleanly.
  • Dashboard now prompts for project + token (was hardcoded to local); persists in localStorage; image fetch via auth blob (was 401-spamming logs).

Security hardening

  • Console buffer scrubs secret-shaped strings before submission — Bearer tokens, JWTs (eyJ…), Stripe keys (sk_live_…), AWS keys (AKIA…), GitHub PATs (gh[ps]_…), and generic long token-shapes get [REDACTED].
  • Network buffer query-string redaction: token=…, api_key=…, password=…, sig=…, jwt=…, session=… etc. are stripped.
  • Server validates PNG magic bytes and rejects malformed base64.
  • CORS locked: only X-Annot-Token and Content-Type headers, only GET/POST/OPTIONS methods.
  • New SECURITY.md documenting the redaction list and threat model.

Install

pipx upgrade vylth-annotator     # if you had 0.0.1 / 0.0.2
pipx install vylth-annotator     # fresh

The hosted instance at https://annot.vylth.com/w.js is already serving the new bundle.