2026-01-05 - 2026-07-05
Overview
2 Releases published by 1 user
Published
v0.3.0
Release v0.3.0
Published
v0.2.2
Release v0.2.2
3 Pull requests merged by 1 user
Merged
#9 SPEC-018 review fixes: agent_id persistence, managed fallback, HKEY typing
Merged
#7 SPEC-018 Phase 1: managed agent as LocalSystem service host
Merged
#5 SPEC-016 Phase A: zero-touch enrollment backend + migration
14 Issues created by 1 user
Opened
#8 SPEC-018 review: deferred hardening follow-ups (hot-path unwraps, panic-guard scope, nits)
Opened
#10 [C1] Secrets/tokens in WebSocket URL query strings
Opened
#11 [C2] Unauthenticated downloads.rs: hardcoded prod relay URL + default API-key fallback + false support-embedding docstring
Opened
#12 [C3] downloads.rs body().unwrap() on attacker-controlled Content-Disposition filename -> unauthenticated panic/DoS
Opened
#13 [C4] Agent block_in_place/Handle::block_on in main async session loop -> thread-starvation/deadlock
Opened
#14 [C5] Auto-update verified only by SHA-256 over same channel, no signature -> fleet-wide SYSTEM RCE on MITM
Opened
#15 [H1] No rate-limit/lockout on the login path
Opened
#16 [H2] Bootstrap admin plaintext password written to .admin-credentials + info! log fallback
Opened
#17 [H3] revoke_user_tokens is a 501 stub whose comment claims partial behavior
Opened
#18 [H4] token_blacklist cleanup_expired re-verifies every JWT signature; stores whole tokens in RAM
Opened
#19 [H5] Server does not block self-role-demotion (only self-delete); lockout guard is client-only
Opened
#20 [H6] Dashboard JWT in sessionStorage, blindly attached as Bearer, no exp/refresh/idle-timeout
Opened
#21 [H7] Attended-consent MessageBoxW awaited inside agent main loop -> up to ~60s of no heartbeats/stop processing
Opened
#22 [H8] cak_ store ACL set via bare icacls (PATH search) from SYSTEM -> LPE; silent weaker store on failure
3 Unresolved Conversations
Open
#1 Native viewer protocol URL parsing needs testing
Open
#3 Document and implement AGENT_API_KEY for persistent agents
Open
#2 Duplicate machines in database need cleanup