v1.0.24 — Security Hardening

Security Hardening Release

Addresses 21 of 22 findings from a comprehensive white-box security assessment (GHSA-28qw-m7hw-95h8). VULN-09 (encryption at rest) is accepted risk for a localhost-only, single-user application.

Critical fixes

• Stored XSS in dashboard — DOMPurify sanitizes all markdown rendering
• Auth tokens in captured URLs — sensitive query params stripped from Chrome URLs

High fixes

• API authentication — token-based auth with auto-generated secrets, Bearer header + HttpOnly cookie
• Timeline XSS — all user-derived values HTML-escaped in generated timeline HTML
• SECRET_KEY hardening — auto-generates random key on first startup, refuses placeholder

Medium fixes

• CDN Subresource Integrity (SRI) hashes on all 6 script/link tags
• Security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
• WebSocket origin + auth validation on connect
• Digest force-regenerate mutex (429 on concurrent requests)
• Prompt injection mitigation via metadata delimiters
• Timeline image size reduction (inference JPEG preferred over full-res PNG)
• LLM base_url validation warns on non-localhost endpoints

Low / Informational fixes

• Rate limiting via flask-limiter (120/min default, stricter on mutations)
• Werkzeug dev server hardened, Server header removed
• Log output sanitization, configurable log level
• Bind address warning on non-localhost
• Fail-closed screen lock and camera detection

Testing

• 10 new authentication tests added
• All 352 tests pass, zero lint errors

See CHANGELOG.md for full details.