Clayrune v2.0.1 — security release
Security release — all users should update.
Closes a LAN unauthenticated remote-code-execution chain (a forgeable Cf-Access-* header could bypass the local passcode gate; CORS is now a strict allowlist, blocking drive-by access from any website). Plus hardening: git argument-injection guards, secrets-at-rest file permissions, serve-image path confinement, control-plane dev-auth fail-closed, and opt-in Cloudflare Access JWT verification. Drops the unused Tauri desktop target.
Full details in CHANGELOG.md.
Install / update
- Existing installs auto-update from
master— open Clayrune and check for updates. - Windows: run
Clayrune-Setup.bat(pulls the latest source). - macOS: download
MissionControl-macOS.zipbelow, unzip, then right-click the app ▸ Open. If macOS blocks it ("Apple could not verify…"), approve it once in System Settings ▸ Privacy & Security ▸ Open Anyway.
The macOS build attached here is pending notarization; the signed build will replace it shortly (removes the Gatekeeper prompt).