What's new
Bug fixes
- Target inference is correct again.
describeTargetUnderwas picking up our own overlay canvas instead of the live page element underneath each rect. Now it togglespointer-events:noneon the overlay during the lookup. - Bubble drag no longer leaks pointer state when the user releases off-window —
pointercancelcleans up. - Capture has a 30s timeout with a useful error message instead of spinning forever on tainted CORS images.
Friction reduction
annotator setup(new command). Drop into your project directory, run one command:It detects Vite / Next.js / plain HTML, finds the right entry file, injects the script tag, generates a token, writescd ~/my-project annotator setup
.env.local(mode 600), updates.gitignore. No manual file edits.- npm shim now gives platform-specific install commands when Python isn't installed (
brew install pipx,sudo apt install pipx, etc.). /w.jshasCache-Control: max-age=300, must-revalidateso widget updates roll out cleanly.- Dashboard now prompts for project + token (was hardcoded to
local); persists in localStorage; image fetch via auth blob (was 401-spamming logs).
Security hardening
- Console buffer scrubs secret-shaped strings before submission — Bearer tokens, JWTs (
eyJ…), Stripe keys (sk_live_…), AWS keys (AKIA…), GitHub PATs (gh[ps]_…), and generic long token-shapes get[REDACTED]. - Network buffer query-string redaction:
token=…,api_key=…,password=…,sig=…,jwt=…,session=…etc. are stripped. - Server validates PNG magic bytes and rejects malformed base64.
- CORS locked: only
X-Annot-TokenandContent-Typeheaders, onlyGET/POST/OPTIONSmethods. - New SECURITY.md documenting the redaction list and threat model.
Install
pipx upgrade vylth-annotator # if you had 0.0.1 / 0.0.2
pipx install vylth-annotator # freshThe hosted instance at https://annot.vylth.com/w.js is already serving the new bundle.