chore: bump version and changelog (v0.11.16.0)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Garry Tan
2026-03-24 14:20:10 -07:00
parent 3330b8e68d
commit a19418a028
2 changed files with 22 additions and 1 deletions
+21
@@ -1,5 +1,26 @@
# Changelog
## [0.11.16.0] - 2026-03-24 — Supabase Telemetry Security Lockdown
### Fixed
- **Your telemetry data is no longer publicly readable.** A live audit found that the Supabase anon key (checked into the repo) could read all ~10.8k telemetry events — including installation IDs, session patterns, and crash data. Despite docs claiming "INSERT only," the actual RLS policies allowed full SELECT and UPDATE access. All anon policies are now dropped.
- **Telemetry now flows through validated edge functions.** Previously, the CLI posted directly to PostgREST with no server-side validation — anyone could insert arbitrary data. Now all writes go through edge functions that enforce schema checks, event type allowlists, and field length limits.
- **The installations table can no longer be overwritten by anyone.** An unrestricted UPDATE policy let any anonymous caller modify any row in the installations table. Removed.
- **The `skill_sequences` view can no longer be used as a DoS vector.** This expensive self-join view was publicly queryable and caused statement timeouts. Anonymous access is now revoked.
- **Community dashboard queries are cached server-side.** The dashboard now calls a single edge function that caches aggregated stats for 1 hour, instead of fetching 1000 raw events and processing them client-side.
### Changed
- **Telemetry sync uses `GSTACK_SUPABASE_URL` instead of `GSTACK_TELEMETRY_ENDPOINT`.** Edge functions need the base URL, not the REST API path. The old variable is removed from `config.sh`.
- **Cursor advancement is now safe.** The sync script checks the edge function's `inserted` count before advancing — if zero events were inserted (systemic format issue), the cursor holds and retries next run.
### For contributors
- New migration: `supabase/migrations/002_tighten_rls.sql`
- New smoke test: `supabase/verify-rls.sh` (9 checks: 5 reads + 4 writes)
- Extended `test/telemetry.test.ts` with field name verification
## [0.11.15.0] - 2026-03-24 — E2E Test Coverage for Plan Reviews & Codex
### Added
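Review bot: the first Fixed entry in this hunk says the Supabase anon key is checked into the repo and that it was used to read ~10.8k events, but nothing in the entry states whether that key was rotated after the audit; add one line saying so (or why rotation is not needed) so readers of the changelog can judge their exposure. Under Changed, the `GSTACK_SUPABASE_URL` entry removes `GSTACK_TELEMETRY_ENDPOINT` from `config.sh` without saying what happens for users who still set the old variable (ignored, error, or fallback); state it. The "For contributors" list names `supabase/migrations/002_tighten_rls.sql` and `supabase/verify-rls.sh` but not the edge function sources that the Fixed entries depend on; list them next to the migration.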
+1 -1
@@ -1 +1 @@
0.11.15.0
0.11.16.0