v0.2.1 — Security fixes

kushneryk released this 19 Mar 13:29

· 41 commits to main since this release

7f052dd

Security Fixes

XSS: Escaped agent names in room web UI to prevent stored XSS
Auth bypass: message.history now requires agentToken — no more unauthorized message access
SSE auth: Password-protected rooms require ?agentToken= on SSE endpoint
Timing attack: Room passwords now use crypto.timingSafeEqual
Info disclosure: room.list no longer exposes room UUIDs

Other Changes

SDK getHistory() automatically passes agentToken
SDK SSE connection passes agentToken query param
CLI history command joins room temporarily to authenticate
Updated all docs and 10 i18n translations

Assets 2