v0.1.6
What's Changed
- fix(md): href stripped — links rendered as plain text instead of text by @kiakiraki in #3
- security: stream response bodies with size cap and read deadline by @yusukebe in #4
- security: installer verifies SHA-256 against the pinned release by @yusukebe in #6
- security: untrusted-content rules for agents (SKILL.md + agent-context) by @yusukebe in #7
- security: strip terminal escape sequences from extracted output by @yusukebe in #8
- security: pin GitHub Actions to commit SHAs, least-privilege workflow permissions by @yusukebe in #9
- security: harden the fetch cache (0700/0600, atomic writes, --no-cache, no-store) by @yusukebe in #5
- security: website CSP (hash-based, no unsafe-inline) + standard security headers by @yusukebe in #10
- chore: SECURITY.md + drop unused js-yaml dependency by @yusukebe in #11
- site: PNG favicon + apple-touch-icon (Safari fallback) by @yusukebe in #13
New Contributors
- @kiakiraki made their first contribution in #3
- @yusukebe made their first contribution in #4
Full Changelog: v0.1.5...v0.1.6