
v1.5.1 — Security Hardening

Released: 2026-04-08

A security-focused patch release. No new features — every change here closes a gate leak, hardens an endpoint, or adds a supply chain verification step.

  • Closed 3 gate bypass paths — canopy map, canopy search, and canopy pattern were accessible in Community Mode despite being gated features. All three now check the license tier before executing and display the Community Mode upgrade message when unlicensed.
  • Added /releases/latest/ redirect — the R2 binary distribution endpoint now serves a stable URL that resolves to the latest release. Useful for install scripts.
  • Constant-time shared secret comparison — the admin portal’s webhook authentication now uses crypto.timingSafeEqual() instead of string equality to prevent timing side-channel attacks.
  • CORS lockdown — removed localhost from the production CORS allowlist. Development origins are only permitted when ENVIRONMENT=development.
  • Session cookie scoping — admin session cookies now set SameSite=Strict, Secure, and Path=/admin to prevent cross-site and cross-path leakage.
  • D1-backed rate limiting — magic-link login endpoints are rate-limited to 5 attempts per email per 15-minute window, enforced server-side via D1 rather than client-side tokens.
  • cargo-deny integration — new deny.toml configuration with a strict license allowlist (MIT, Apache-2.0, BSD, ISC, MPL-2.0, and other permissive licenses). Copyleft dependencies (GPL, AGPL, SSPL) are denied by default.
  • cargo-audit advisory scanning — checks every dependency against the RustSec advisory database on every CI run.
  • GitHub Actions SHA-pinning — all CI actions are pinned to exact commit SHAs instead of mutable tags. Prevents supply chain attacks via tag re-pointing.

  • Admin portal invite INSERT — the INSERT statement for team invitations was missing the email column bind, causing a 500 error on every invite. Fixed.
  • Admin portal /me shortcut — routes using the /me convenience path now resolve team_id from the authenticated session instead of requiring it in the URL.

Drop-in replacement for v1.5.0. No configuration changes required. The license file format, MCP tool signatures, and CLI command surface are unchanged.