
v0.16.0

github-actions released this 09 Jun 05:21

Local-first, open-source AI test authoring: drive your real Chrome, then crystallize clean runs into plain @playwright/test specs that run in CI with no AI in the loop. This release lets the agent read your code (opt-in) and hardens the whole stack.

Highlights

  • 🔓 codeContext: white-box mode (opt-in, off by default). A read-only, fenced source reader (read_source MCP: secrets, .env, .git and build output are refused; no write, no exec). Its biggest payoff is that the red pentest mode goes white-box: the agent confirms a finding against the real query or authz check and points the report at the exact file:line. It also authors smarter selectors from your actual code. Enable it per integration with codeContext: true.
  • 🔁 Runs survive widget reconnects. An agent navigation (for example a pentest payload in the URL) or an HMR reload no longer aborts the run; it is held service-side and re-attaches when the widget comes back.
  • 🛡️ Verified code-audit pass. A multi-agent audit, adversarially verified, fixed an orphan-agent-on-shutdown leak; secrets leaking into committed specs and reports (numeric SSNs and credit-card numbers, an auth body field, unsanitized report URLs); and a second-widget stream hijack. It also removed dead code across the monorepo.
  • 🔴 Pentest red mode, polished. Deep-red launcher and a mode-owned Save menu ("Findings report"), structured coverage gaps plus browser-confirmed findings, seed category gating (orange pulls authz seeds, red pulls all), and new offensive seeds: open redirect, path traversal and GraphQL.

Install / upgrade

npx @hover-dev/cli setup        # new projects
# or bump @hover-dev/* + your bundler plugin to ^0.16.0

The optional plugins are versioned independently: @hover-dev/security and @hover-dev/pentest (the red mode) ship on their own tags.


What's Changed

  • ci(publish): independent versioning for the security/pentest plugins by @chihyungchang in #66
  • feat: red pentest mode — offensive scan objective + hover scan CLI by @chihyungchang in #67
  • feat: Phase 4 β€” RED pentest mode in the widget by @chihyungchang in #68
  • feat: structured coverage gaps in the pentest findings report by @chihyungchang in #69
  • fix(widget): pentest mode visuals + Findings-report save entry by @chihyungchang in #71
  • feat(pentest): record browser-confirmed findings + fix stale save menu by @chihyungchang in #72
  • feat(core): keep the agent run alive across widget reconnects by @chihyungchang in #73
  • fix(audit): critical correctness + secret-leak fixes by @chihyungchang in #74
  • refactor(audit): apply the remaining 37 audit findings (dead code, bugs, refactors) by @chihyungchang in #75
  • ci(publish): pin @hover-dev/pentest's security dep on publish by @chihyungchang in #77
  • feat(site): lead with the triad — author · optimize · secure by @chihyungchang in #76
  • feat: feature the red pentest mode — two security modes (site + README) by @chihyungchang in #78
  • feat(core): opt-in codeContext β€” fenced read-only source access for the agent by @chihyungchang in #79
  • docs(site,readme): feature codeContext white-box pentest by @chihyungchang in #80

Full Changelog: v0.15.0...v0.16.0