Changes since v0.13.1
- fix(api): convert apiRequest transport errors to ApiResponse envelope; idempotent-method retry on transient timeouts; never throw on
response.text()/response.json()reject. Sync server.json drift (v0.13.1 release bypassed release.sh). - fix(api/acl/cli): tighten apiRequest absolute-URL allowlist to
https://api.tailscale.com/(defense-in-depth against future SSRF / credential exfiltration); normalizevalidate_acl{}body as valid (matches cli.ts:parseValidationError); fixtailscale_pingcount description (the no--cpath uses tailscale CLI's default, not 1). - docs(tools): security notes on tools that return / accept secrets (
create_key,create_webhook,rotate_webhook_secret,create_posture_integration,update_posture_integration,set_log_stream_config); reciprocal rationale comments documenting the deliberate semantic divergence betweenset_devices_authorizedandset_contactsresponse shapes. - deps: esbuild 0.28.1 (dependabot alert), biome 2.5.0, @types/node 25.9.3.
Tests
1033 tests, 0 failures.
Artifacts
SEA binaries for linux-x64, darwin-x64, darwin-arm64, win32-x64, win32-arm64 below.