2026-04-05 - 2026-07-05

Overview

3 Active Pull Requests
14 Active Issues
Excluding merges, 2 authors have pushed 83 commits to main and 95 commits to all branches. On main, 294 files have changed and there have been 56463 additions and 12682 deletions.

2 Releases published by 1 user

Published release v0.3.0 2026-05-31 17:10:58 -07:00

Published release v0.2.2 2026-05-29 11:41:21 -07:00

3 Pull requests merged by 1 user

14 Issues created by 1 user

Opened #8 SPEC-018 review: deferred hardening follow-ups (hot-path unwraps, panic-guard scope, nits) 2026-06-03 15:13:55 -07:00

Opened #10 [C1] Secrets/tokens in WebSocket URL query strings 2026-06-05 17:34:55 -07:00

Opened #11 [C2] Unauthenticated downloads.rs: hardcoded prod relay URL + default API-key fallback + false support-embedding docstring 2026-06-05 17:35:00 -07:00

Opened #12 [C3] downloads.rs body().unwrap() on attacker-controlled Content-Disposition filename -> unauthenticated panic/DoS 2026-06-05 17:35:05 -07:00

Opened #13 [C4] Agent block_in_place/Handle::block_on in main async session loop -> thread-starvation/deadlock 2026-06-05 17:35:11 -07:00

Opened #14 [C5] Auto-update verified only by SHA-256 over same channel, no signature -> fleet-wide SYSTEM RCE on MITM 2026-06-05 17:35:20 -07:00

Opened #15 [H1] No rate-limit/lockout on the login path 2026-06-05 17:35:23 -07:00

Opened #16 [H2] Bootstrap admin plaintext password written to .admin-credentials + info! log fallback 2026-06-05 17:35:28 -07:00

Opened #17 [H3] revoke_user_tokens is a 501 stub whose comment claims partial behavior 2026-06-05 17:35:33 -07:00

Opened #18 [H4] token_blacklist cleanup_expired re-verifies every JWT signature; stores whole tokens in RAM 2026-06-05 17:35:38 -07:00

Opened #19 [H5] Server does not block self-role-demotion (only self-delete); lockout guard is client-only 2026-06-05 17:35:45 -07:00

Opened #20 [H6] Dashboard JWT in sessionStorage, blindly attached as Bearer, no exp/refresh/idle-timeout 2026-06-05 17:35:49 -07:00

Opened #21 [H7] Attended-consent MessageBoxW awaited inside agent main loop -> up to ~60s of no heartbeats/stop processing 2026-06-05 17:35:54 -07:00

Opened #22 [H8] cak_ store ACL set via bare icacls (PATH search) from SYSTEM -> LPE; silent weaker store on failure 2026-06-05 17:35:59 -07:00

3 Unresolved Conversations

Open #1 Native viewer protocol URL parsing needs testing 2026-06-05 17:34:55 -07:00

Open #3 Document and implement AGENT_API_KEY for persistent agents 2026-06-02 10:33:01 -07:00

Open #2 Duplicate machines in database need cleanup 2026-05-29 19:13:16 -07:00