From 7f38058b7f07c6c775e44cb50ea60dfd80fbe42e Mon Sep 17 00:00:00 2001 From: Garry Tan Date: Tue, 7 Apr 2026 18:50:08 -1000 Subject: [PATCH] chore: bump version and changelog (v0.15.17.0) Co-Authored-By: Claude Opus 4.6 --- CHANGELOG.md | 5 +++++ VERSION | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 137b1462..d89b840f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Changelog +## [0.15.17.0] - 2026-04-07 + +### Fixed +- Cookie picker no longer leaks the browse server auth token. Previously, opening the cookie picker page exposed the master bearer token in the HTML source, letting any local process extract it and execute arbitrary JavaScript in your browser session. Now uses a one-time code exchange with an HttpOnly session cookie. The token never appears in HTML, URLs, or browser history. (Reported by Horoshi at Vagabond Research, CVSS 7.8) + ## [0.15.16.0] - 2026-04-06 ### Added diff --git a/VERSION b/VERSION index 006a1444..4a2a39e3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.15.16.0 +0.15.17.0
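Review bot: The new 0.15.17.0 entry in the CHANGELOG.md hunk files a CVSS 7.8 token leak under "### Fixed" with no pointer to the fixing commit or an advisory, so a reader scanning for security releases can miss it and cannot check what actually changed. Consider a "### Security" heading for this bullet, plus a reference to the commit or advisory that introduced the one-time code exchange. The entry also does not say what happens to a token that earlier versions already exposed in the HTML source; if the browse server auth token survives an upgrade, the entry should state whether it is rotated automatically or has to be regenerated. The score is quoted without a CVSS version or vector string, which makes the 7.8 hard to verify.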