
v2.65.1 — project-audit fixes (CSRF guard · green tests · lint)


@avelikiy avelikiy released this 10 Jun 12:34
v2.65.1
8c3e767

Fixes from a project health audit.

  • Security (CSRF) — the board set Access-Control-Allow-Origin: * with no Origin check on most mutation endpoints; a page the user visits could POST to localhost and approve an autopilot gate (→ run an irreversible connector write), approve a dev gate, or mutate tasks. Added a same-origin guard on every POST/PUT/PATCH/DELETE (exempting the HMAC-authenticated /api/autopilot/ingest webhook). Cross-origin mutations → 403; reads, same-origin, and CLI calls unaffected.
  • Tests — packs-integration was red (2 failures): the reviewer test now parses PACK_REVIEWERS dynamically and the overlay harness gained the 4 missing packs. Now 5/5.
  • Lint — agent-prompt-lint mis-read YAML block scalars (description: |) as 1 char → 3 false errors (exit 1). Now parses |/> block bodies; exit 0.

No regression: lib 348/348, hooks 63/63, board-gate 5/5, tsc 0.