Genome Forge v0.1.12

@felizvida released this 15 May 20:42 · 5 commits to master since this release

Release date: 2026-05-15

Highlights

  • Added defense-in-depth security headers to the local HTTP server.
  • Added a documented local-first security model for workstation/lab usage.
  • Added integration tests that verify root-page and API responses emit the expected browser security boundary.

Security Headers

The local server now sends:

  • Content-Security-Policy
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Referrer-Policy: no-referrer
  • Cross-Origin-Opener-Policy: same-origin
  • Permissions-Policy

The CSP keeps scripts local with script-src 'self', blocks object/frame embedding, and keeps network calls local with connect-src 'self'.
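
One way to check a response against the header list above, as an added example that is not Genome Forge's own test code. The names parse_csp and audit_headers are hypothetical, the sample header values are constructed, and reading "blocks object/frame embedding" as object-src 'none' plus frame-ancestors 'none' is an assumption.

```python
EXACT = {  # header -> value stated in the release notes
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "no-referrer",
    "cross-origin-opener-policy": "same-origin",
}
# Assumption: "blocks object/frame embedding" is read as the last two directives.
CSP_EXPECTED = {
    "script-src": ["'self'"],
    "connect-src": ["'self'"],
    "object-src": ["'none'"],
    "frame-ancestors": ["'none'"],
}

def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; the first occurrence wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"{name}: expected {want!r}, got {h.get(name)!r}"
                for name, want in EXACT.items() if h.get(name, "").lower() != want.lower()]
    if not h.get("permissions-policy"):
        findings.append("permissions-policy: missing")
    if "content-security-policy" not in h:
        return findings + ["content-security-policy: missing"]
    csp = parse_csp(h["content-security-policy"])
    for directive, want in CSP_EXPECTED.items():
        got = csp.get(directive)
        if got is None and directive != "frame-ancestors":
            got = csp.get("default-src")  # fetch directives fall back to default-src
        if got != want:
            findings.append(f"csp {directive}: expected {want}, got {got}")
    return findings

# Constructed sample headers, not captured from Genome Forge.
GOOD = {**EXACT, "permissions-policy": "camera=(), microphone=()",
        "content-security-policy": "default-src 'self'; script-src 'self'; "
        "connect-src 'self'; object-src 'none'; frame-ancestors 'none'"}
WEAK = {**GOOD, "content-security-policy":
        "default-src 'self'; script-src 'self' 'unsafe-inline'"}

if __name__ == "__main__":
    print(audit_headers(GOOD), *audit_headers(WEAK), sep="\n")
```

The weakened sample shows why the fallback rule matters: connect-src still resolves to 'self' through default-src, while frame-ancestors has no fallback and is reported as absent.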

Validation

  • python3 docs/validate_docs.py
  • python3 -m py_compile web_ui.py tests/test_web_ui_security.py docs/validate_docs.py
  • for f in webui/js/*.js; do node --check "$f" || exit 1; done
  • ./.venv-docs/bin/python -m pytest
  • python3 -m unittest discover -s tests -p 'test_*.py'
  • python3 smoke_test.py
  • python3 real_world_functional_test.py
  • npm run test:e2e
  • git diff --check

Validation Snapshot

  • Unit tests: 41/41
  • Smoke checks: 115/115
  • Real-world functional checks: 104/104
  • Browser E2E tests: 15/15

Notes

  • This is a focused local-server hardening release following v0.1.11.
  • Genome Forge remains a local-first workstation app, not a production multi-tenant hosted service.