v0.1.1 — Security & Polish
tinycode v0.1.1
Security fixes, new features, and release readiness polish.
Security
- Timing-safe password comparison (
crypto.timingSafeEqual) - Command injection prevention in pdftotext and omt tools (
execFileSync) - Security headers middleware (X-Frame-Options, Referrer-Policy, Permissions-Policy)
- Auth token query parameter deprecation warning
- Provider filter fix —
enabled_providers/disabled_providersnow apply to locally-discovered providers - Dependency updates: ws 8.21.0 (DoS fix), dompurify 3.4.11 (XSS bypass fixes)
Added
- Mock LLM provider for deterministic testing (
ProviderTest.fake({ scenarios })) - Plugin lifecycle hooks:
session.start,session.end,session.switch,session.model.change - Session export to HTML (
tinycode export --format html) - Session tree sidebar in TUI (
<leader>b) - CI workflow (lint, typecheck, test on PRs)
- Dependency audit CI (daily
bun audit) - CONTRIBUTING.md, SECURITY.md, CODE_OF_CONDUCT.md, CHANGELOG.md
- Issue/PR templates, CODEOWNERS, Dependabot
Fixed
- Removed dead omt LSP stub tools
- Fixed 6 failing tests (TUI sync, help snapshots, provider filter, CORS)
- Updated README with accurate agent/skill lists, badges, ecosystem details