Skip to content

v1.4.2

Choose a tag to compare

View all tags
@ianwieds ianwieds released this 12 May 02:44
· 9 commits to main since this release
v1.4.2
7ee89b5

Added

  • src/utils/sanitize-url.js β€” zero-trust URL gate for shell.openExternal and friends. Returns the URL unchanged when protocol is http:/https:, '' for anything else (javascript:, data:, file:, vbscript:, chrome:, custom schemes). 9 unit tests.
  • docs/boot-sequence.md β€” full ordered list of manager.initialize() steps + rationale. Migrated out of CLAUDE.md.
  • docs/cross-context-helpers.md β€” helper table, adding new helpers, EM_* build-mode env vars. Migrated out of CLAUDE.md.

Changed

  • Zero-trust URL sanitization at 5 call sites that previously passed potentially attacker-controllable URLs to shell.openExternal: context-menu.js (params.linkURL), tray.js + menu.js (getWebsiteUrl()), restart-manager.js (Linux .deb URL), hero-demo-form.js ($form.dataset.redirect).
  • CLAUDE.md restructured: 347 β†’ 181 lines. Deep references moved into docs/<topic>.md files. Top-of-file note added: meat goes into docs/*.md, not CLAUDE.md.
  • ~/.claude/CLAUDE.md (global) strengthened with the <250-line rule + default-to-docs/ directive so future sessions write deep references in docs/ instead of growing CLAUDE.md.

All 602 tests pass.

Assets 2
Loading