You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
v0.13.0 - security hardening
Red-team pass of the launch surface (findings confirmed with PoCs):
- web: reject non-loopback Host (DNS rebinding) and cross-origin Origin
- resume: never auto-launch Codex/Gemini into a session-claimed directory
(a planted session could load an attacker's AGENTS.md); print the command
- resolve: escape LIKE wildcards so a web id of '%' can't dump a session
- install.sh: honest about checksum scope (corruption, not malicious release)
