gstack

mirror of https://github.com/garrytan/gstack.git synced 2026-05-05 05:05:08 +02:00

Files

T

Garry Tan cd85bdc196 fix: CSO security fixes — token leak, domain bypass, input validation

1. Remove root token from /health endpoint entirely (CSO #1 CRITICAL).
   Origin header is spoofable. Extension reads from ~/.gstack/.auth.json.
2. Add domain check for newtab URL (CSO #5). Previously only goto was
   checked, allowing domain-restricted agents to bypass via newtab.
3. Validate scope values, rateLimit, expiresSeconds in createToken()
   (CSO #4). Rejects invalid scopes and negative values.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-04 23:37:36 -07:00

bin

feat: multi-agent support — gstack works on Codex, Gemini CLI, and Cursor (v0.9.0) (#226 )

2026-03-19 18:20:50 -07:00

scripts

fix: Windows support — Node.js server fallback for Playwright (#255 )

2026-03-20 12:22:11 -07:00

src

fix: CSO security fixes — token leak, domain bypass, input validation

2026-04-04 23:37:36 -07:00

test

fix: CSO security fixes — token leak, domain bypass, input validation

2026-04-04 23:37:36 -07:00

SKILL.md

feat: interactive /plan-devex-review + plan mode skill fix (v0.15.5.0) (#796 )

2026-04-04 14:36:23 -07:00

SKILL.md.tmpl

feat: sidebar CSS inspector + per-tab agents (v0.13.9.0) (#650 )

2026-03-30 12:51:05 -06:00