Merge remote-tracking branch 'origin/main' into garrytan/resolver-factoring

# Conflicts:
#	CHANGELOG.md
This commit is contained in:
Garry Tan
2026-03-29 21:48:24 -07:00
24 changed files with 309 additions and 41 deletions
+19
View File
@@ -1,5 +1,24 @@
# Changelog
## [0.13.8.0] - 2026-03-29 — Security Audit Round 2
Browse output is now wrapped in trust boundary markers so agents can tell page content from tool output. Markers are escape-proof. The Chrome extension validates message senders. CDP binds to localhost only. Bun installs use checksum verification.
### Fixed
- **Trust boundary markers are escape-proof.** URLs sanitized (no newlines), marker strings escaped in content. A malicious page can't forge the END marker to break out of the untrusted block.
### Added
- **Content trust boundary markers.** Every browse command that returns page content (`text`, `html`, `links`, `forms`, `accessibility`, `console`, `dialog`, `snapshot`, `diff`, `resume`, `watch stop`) wraps output in `--- BEGIN/END UNTRUSTED EXTERNAL CONTENT ---` markers. Agents know what's page content vs tool output.
- **Extension sender validation.** Chrome extension rejects messages from unknown senders and enforces a message type allowlist. Prevents cross-extension message spoofing.
- **CDP localhost-only binding.** `bin/chrome-cdp` now passes `--remote-debugging-address=127.0.0.1` and `--remote-allow-origins` to prevent remote debugging exposure.
- **Checksum-verified bun install.** The browse SKILL.md bootstrap now downloads the bun install script to a temp file and verifies SHA-256 before executing. No more piping curl to bash.
### Removed
- **Factory Droid support.** Removed `--host factory`, `.factory/` generated skills, Factory CI checks, and all Factory-specific code paths.
## [0.13.7.0] - 2026-03-29 — Composable Skills + Community Wave
Skills can now load other skills inline, and six community fixes landed with 16 new tests.