Garry Tan 36a20c5d59 fix: chain scope bypass + /health info leak when tunneled ...

1. Chain command now pre-validates ALL subcommand scopes before
   executing any. A read+meta token can no longer escalate to
   admin via chain (eval, js, cookies were dispatched without
   scope checks). tokenInfo flows through handleMetaCommand into
   the chain handler. Rejects entire chain if any subcommand fails.

2. /health strips sensitive fields (currentUrl, agent.currentMessage,
   session) when tunnel is active. Only operational metadata (status,
   mode, uptime, tabs) exposed to the internet. Previously anyone
   reaching the ngrok URL could surveil browsing activity.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-05 00:49:31 -07:00

..

bin

feat: multi-agent support — gstack works on Codex, Gemini CLI, and Cursor (v0.9.0) (#226)

2026-03-19 18:20:50 -07:00

scripts

fix: Windows support — Node.js server fallback for Playwright (#255)

2026-03-20 12:22:11 -07:00

src

fix: chain scope bypass + /health info leak when tunneled

2026-04-05 00:49:31 -07:00

test

fix: chain scope bypass + /health info leak when tunneled

2026-04-05 00:49:31 -07:00

SKILL.md

feat: interactive /plan-devex-review + plan mode skill fix (v0.15.5.0) (#796)

2026-04-04 14:36:23 -07:00

SKILL.md.tmpl

feat: sidebar CSS inspector + per-tab agents (v0.13.9.0) (#650)

2026-03-30 12:51:05 -06:00