Skip to content

Clayrune v2.0.1 — security release

Choose a tag to compare

@ronle ronle released this 10 Jun 00:24

Security release — all users should update.

Closes a LAN unauthenticated remote-code-execution chain (a forgeable Cf-Access-* header could bypass the local passcode gate; CORS is now a strict allowlist, blocking drive-by access from any website). Plus hardening: git argument-injection guards, secrets-at-rest file permissions, serve-image path confinement, control-plane dev-auth fail-closed, and opt-in Cloudflare Access JWT verification. Drops the unused Tauri desktop target.

Full details in CHANGELOG.md.

Install / update

  • Existing installs auto-update from master — open Clayrune and check for updates.
  • Windows: run Clayrune-Setup.bat (pulls the latest source).
  • macOS: download MissionControl-macOS.zip below, unzip, then right-click the app ▸ Open. If macOS blocks it ("Apple could not verify…"), approve it once in System Settings ▸ Privacy & Security ▸ Open Anyway.

The macOS build attached here is pending notarization; the signed build will replace it shortly (removes the Gatekeeper prompt).