
v1.2.1 — Security hardening


VelimirMueller released this 09 Jun 13:29
v1.2.1
56b0104

Security hardening

Closes 3 untouched P0 security findings:

  • Path traversal (#14) — the indexer no longer resolves imports outside the project root, and index_directory is sandboxed to the working directory (extend via CODE_CONTEXT_ALLOWED_ROOTS).
  • SQL injection (#15a) — query/execute now use allowlist validation plus a driver-level read/write check, closing the semicolon / comment / subquery bypasses.
  • Unauthenticated dashboard (#15b) — all /api/* routes require a bearer token (auto-generated + gitignored; CODE_CONTEXT_DASHBOARD_TOKEN to override). SSE authenticates via ?token.
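As an added illustration of the sandboxing described for #14 (this is example code, not the project's own; it assumes a Python code base and that CODE_CONTEXT_ALLOWED_ROOTS is a list of directories separated by the platform path separator), the check below resolves a requested path, symlinks included, and accepts it only if it lies under the working directory or one of the extra allowed roots:

```python
# Added example, not the project's code. Demonstrates a path-sandbox check of the
# kind described for #14: resolve first, then test containment against allowed roots.
import os
import tempfile
from pathlib import Path
from typing import List, Optional


def allowed_roots(env: Optional[dict] = None, cwd: Optional[str] = None) -> List[Path]:
    """Working directory first, then any extra roots from CODE_CONTEXT_ALLOWED_ROOTS.

    Assumption: the variable is split on os.pathsep (':' on POSIX, ';' on Windows).
    """
    env = dict(os.environ) if env is None else env
    roots = [Path(cwd or os.getcwd()).resolve()]
    for raw in env.get("CODE_CONTEXT_ALLOWED_ROOTS", "").split(os.pathsep):
        if raw.strip():
            roots.append(Path(raw.strip()).resolve())
    return roots


def resolve_in_sandbox(requested: str, roots: List[Path]) -> Optional[str]:
    """Return the resolved path if it is inside one of `roots`, else None.

    Relative paths are taken relative to roots[0] (the working directory).
    resolve() collapses '..' segments and follows symlinks, so a link inside the
    project that points outside is rejected too. relative_to() is used instead of a
    string prefix test so that '/srv/proj2' is not accepted for root '/srv/proj'.
    """
    target = Path(requested)
    if not target.is_absolute():
        target = roots[0] / target
    target = target.resolve()
    for root in roots:
        try:
            target.relative_to(root)
            return str(target)
        except ValueError:
            continue
    return None


def symlink_escape_is_rejected() -> bool:
    """Constructed check: a symlink inside the root pointing outside must be refused."""
    with tempfile.TemporaryDirectory() as tmp:
        proj, outside = Path(tmp, "proj"), Path(tmp, "outside")
        proj.mkdir()
        outside.mkdir()
        (outside / "secret.txt").write_text("constructed sample")
        (proj / "link.txt").symlink_to(outside / "secret.txt")
        return resolve_in_sandbox("link.txt", [proj.resolve()]) is None
```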

Also removes the npm publish workflow — releases are git tag + GitHub release only (no npm).

See CHANGELOG.md for full details.