Garry Tan 808ce0de8e fix(security): wrap snapshot output in untrusted-content envelope ...

The sidebar system prompt pushes the agent to run \`\$B snapshot\` as its
primary read path, but snapshot was NOT in PAGE_CONTENT_COMMANDS, so its
ARIA-name output flowed to Claude unwrapped. A malicious page's
aria-label attributes became direct agent input without the trust
boundary markers that every other read path gets.

Adding 'snapshot' to the set runs the output through
wrapUntrustedContent() like text/html/links/forms already do.

Caught by codex adversarial review.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-20 11:06:45 +08:00

..

bin

feat: multi-agent support — gstack works on Codex, Gemini CLI, and Cursor (v0.9.0) (#226)

2026-03-19 18:20:50 -07:00

scripts

fix: ngrok Windows build + close CI error-swallowing gap (v0.18.0.1) (#1024)

2026-04-16 13:49:04 -07:00

src

fix(security): wrap snapshot output in untrusted-content envelope

2026-04-20 11:06:45 +08:00

test

test(security): source-level contracts for the security wiring

2026-04-20 07:09:52 +08:00

PLAN-snapshot-dropdown-interactive.md

fix: snapshot -i auto-detects dropdown/popover interactive elements (#845)

2026-04-05 22:57:45 -07:00

SKILL.md

fix(preamble): emit EXPLAIN_LEVEL + QUESTION_TUNING bash echoes

2026-04-20 07:05:43 +08:00

SKILL.md.tmpl

feat(browse): Puppeteer parity — load-html, screenshot --selector, viewport --scale, file:// (v1.1.0.0) (#1062)

2026-04-18 23:25:33 +08:00