Garry Tan 79f7a24eb4 fix(token-registry): UTF-8 byte-length short-circuit before timingSafeEqual ...

Constant-time compare on the root token now compares UTF-8 byte lengths
before crypto.timingSafeEqual, which throws on length-mismatched buffers.
A multibyte input whose JS string length matches but byte length differs
no longer crashes on the auth path; isRootToken returns false instead.

Tests cover the four interesting cases: multibyte byte-length mismatch,
extra-prefix length mismatch, same-length last-byte flip, and empty input
against a set root.

Contributed by @RagavRida (#1416).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-10 11:04:54 -07:00

..

bin

feat: multi-agent support — gstack works on Codex, Gemini CLI, and Cursor (v0.9.0) (#226)

2026-03-19 18:20:50 -07:00

scripts

fix: ngrok Windows build + close CI error-swallowing gap (v0.18.0.1) (#1024)

2026-04-16 13:49:04 -07:00

src

fix(token-registry): UTF-8 byte-length short-circuit before timingSafeEqual

2026-05-10 11:04:54 -07:00

test

fix(token-registry): UTF-8 byte-length short-circuit before timingSafeEqual

2026-05-10 11:04:54 -07:00

PLAN-snapshot-dropdown-interactive.md

fix: snapshot -i auto-detects dropdown/popover interactive elements (#845)

2026-04-05 22:57:45 -07:00

SKILL.md

v1.31.0.0 fix: delete AskUserQuestion fallback (root cause of forever war) + harness primitives (#1390)

2026-05-09 17:01:13 -07:00

SKILL.md.tmpl

v1.28.0.0 feat: browse --headed/--proxy/--navigate + gstack/llms.txt + webdriver-only stealth (#1363)

2026-05-07 20:14:59 -07:00