v3.5.3 — Security RBAC fixes + TUI chat session persistence

@xaspx xaspx released this 01 Jun 04:34
· 15 commits to main since this release

🔒 Security

WebSocket RBAC Bypass — fixed (CVSS 9.9 → mitigated)

Reported by @BlessedOn3 (#66)

  • WebSocket terminal-input/terminal-resize now enforces terminal permission — viewer cannot execute OS commands via WS
  • POST /api/file now requires requireAuth + requirePerm('files.write') — viewer cannot overwrite files
  • socket.user stored on WS connect for permission enforcement
  • Unauthenticated → 401, viewer → 403
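The fix above boils down to two things: resolve the user once when the WebSocket connects and pin it to the socket, then gate every privileged message type and the file-write route on an explicit permission rather than on "is connected". The following is an added example, not code from this project. It uses a constructed token table and an assumed role/permission map (`admin`, `viewer`, `terminal`, `files.write`), and replaces express/ws with a tiny in-file runner so it executes offline; the `requireAuth`/`requirePerm` names mirror the release notes but the bodies are illustrative.

```javascript
'use strict';

// Assumed role -> permission map (not the project's real one).
const ROLE_PERMS = {
  admin:  new Set(['terminal', 'files.write', 'files.read']),
  viewer: new Set(['files.read']),
};

// Constructed token table standing in for the real session store.
const TOKENS = {
  'tok-admin':  { name: 'alice', role: 'admin' },
  'tok-viewer': { name: 'bob',   role: 'viewer' },
};

function lookupUser(token) {
  return token ? TOKENS[token] || null : null;
}

function hasPerm(user, perm) {
  return !!user && (ROLE_PERMS[user.role] || new Set()).has(perm);
}

// ---- HTTP side: express-style middleware chain for POST /api/file ----

// Unauthenticated -> 401; on success attach req.user for later checks.
function requireAuth(req, res, next) {
  const hdr = (req.headers && req.headers.authorization) || '';
  const user = lookupUser(hdr.replace(/^Bearer /, ''));
  if (!user) return res.status(401).json({ error: 'unauthenticated' });
  req.user = user;
  next();
}

// Authenticated but lacking the permission -> 403.
function requirePerm(perm) {
  return (req, res, next) => {
    if (!hasPerm(req.user, perm)) return res.status(403).json({ error: 'forbidden' });
    next();
  };
}

function writeFileHandler(req, res) {
  // Real handler would write req.body.content to req.body.path here.
  res.status(200).json({ ok: true, path: req.body.path });
}

const postFileChain = [requireAuth, requirePerm('files.write'), writeFileHandler];

// Minimal stand-in for express: runs a middleware chain against a fake req/res.
function runRoute(chain, req) {
  const res = {
    statusCode: 200, body: null,
    status(c) { this.statusCode = c; return this; },
    json(b)   { this.body = b; return this; },
  };
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}

// ---- WebSocket side ----

// Resolve the user once at connect time and store it on the socket, so every
// later message is checked against the same identity (the "socket.user" fix).
function onWsConnect(socket, token) {
  socket.user = lookupUser(token);
  return socket;
}

// Message types that can drive the OS shell require the 'terminal' permission.
const TERMINAL_TYPES = new Set(['terminal-input', 'terminal-resize']);

// Returns an HTTP-style code so the caller can close or reply; `forward` is the
// pty write/resize function that only runs once the checks pass.
function onWsMessage(socket, raw, forward) {
  let msg;
  try { msg = JSON.parse(raw); } catch { return { code: 400, error: 'bad json' }; }
  if (!TERMINAL_TYPES.has(msg.type)) return { code: 200, forwarded: false };
  if (!socket.user) return { code: 401, error: 'unauthenticated' };
  if (!hasPerm(socket.user, 'terminal')) return { code: 403, error: 'forbidden' };
  forward(msg);
  return { code: 200, forwarded: true };
}

module.exports = { runRoute, postFileChain, onWsConnect, onWsMessage, hasPerm };
```

The important property is that the same `hasPerm` function decides both channels; before the fix the WebSocket path had no equivalent of `requirePerm`, so a connected viewer could send `terminal-input` frames that the HTTP layer would have rejected.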

🐛 Bug Fixes

TUI Chat session persistence — fixed (#68)

Reported by @Patrick-81, confirmed by @MattXcz

  • Subsequent messages no longer trigger session.resume → new slash_worker
  • Message 1 → chat.start (session init)
  • Message 2+ → chat.send (direct prompt.submit, zero overhead)
  • No more orphan slash_worker processes

⬆️ Dependencies (#67)

Package             From         To
ws                  8.20.0       8.21.0
express-rate-limit  8.4.1        8.5.2
helmet              8.1.0        8.2.0
yaml                2.8.3        2.9.0
vite                8.0.10       8.0.14
rolldown            1.0.0-rc.17  1.0.2

📊 Stats

  • Commit: 1419564
  • Files: 5 changed, +44 / −6
  • Tests: 12/13 pass
  • npm audit: 0 vulnerabilities