github alexgreensh/token-optimizer v5.7.5

4 hours ago

Dashboard Security Hardening + Bug Fixes

Security

  • Path disclosure eliminated: All dashboard-facing paths use ~ instead of /Users/xxx/.... Commands use shlex.quote on absolute paths
  • CSP headers: Content-Security-Policy + Referrer-Policy added to both HTTP servers
  • CSP meta tag: Added to all HTML dashboards (Claude Code, OpenClaw, fleet-demo) for file:// mode protection
  • Shell injection: shlex.quote() added to 6 unquoted command generation sites (skill archive/restore, MCP disable/enable)
  • CORS fix: X-TO-Token added to OPTIONS preflight headers
  • Port disclosure: Removed window.location.origin from dashboard UI
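As an added example (not the project's own code), a minimal Python http.server handler showing where the items above land: Content-Security-Policy and Referrer-Policy on every response, the same policy as a meta tag for dashboards opened via file://, and X-TO-Token listed in the OPTIONS preflight. The policy strings, the ALLOWED_ORIGINS allowlist and port 8765 are assumptions made for this example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed policy values (constructed here, not taken from the project): a
# same-origin-only CSP and a no-referrer policy so the dashboard's origin,
# including its port, is never sent to third parties.
CSP = ("default-src 'self'; script-src 'self'; style-src 'self'; "
       "img-src 'self' data:; object-src 'none'; base-uri 'none'")
SECURITY_HEADERS = {
    "Content-Security-Policy": CSP,
    "Referrer-Policy": "no-referrer",
}
AUTH_HEADER = "X-TO-Token"                   # custom header named in the release notes
ALLOWED_ORIGINS = {"http://localhost:8765"}  # assumed dashboard origin(s)

# The same policy as a <meta> tag, for dashboards opened directly via file://
# where there is no HTTP server to send the header.
DASHBOARD_HTML = (
    "<!doctype html><html><head>"
    f'<meta http-equiv="Content-Security-Policy" content="{CSP}">'
    "<title>token-optimizer dashboard</title></head>"
    "<body><h1>dashboard</h1></body></html>"
)


def security_headers():
    """Headers attached to every response, preflights included."""
    return dict(SECURITY_HEADERS)


def preflight_headers(origin):
    """CORS headers for an OPTIONS preflight.

    The browser checks the custom request header it intends to send
    (X-TO-Token) against Access-Control-Allow-Headers; if it is absent the
    real request is never sent, which is the preflight bug the release fixes.
    Origins outside the allowlist receive no CORS headers at all.
    """
    headers = security_headers()
    if origin in ALLOWED_ORIGINS:
        headers.update({
            "Access-Control-Allow-Origin": origin,
            "Vary": "Origin",
            "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
            "Access-Control-Allow-Headers": f"Content-Type, {AUTH_HEADER}",
            "Access-Control-Max-Age": "600",
        })
    return headers


class DashboardHandler(BaseHTTPRequestHandler):
    """Minimal handler that emits the headers above on every response."""

    def log_message(self, format, *args):  # keep the example quiet
        pass

    def _send(self, status, headers, body=b""):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        if body:
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if body:
            self.wfile.write(body)

    def do_OPTIONS(self):
        self._send(204, preflight_headers(self.headers.get("Origin", "")))

    def do_GET(self):
        self._send(200, security_headers(), DASHBOARD_HTML.encode())


if __name__ == "__main__":
    # Bind to loopback only; a local dashboard has no reason to listen on 0.0.0.0.
    HTTPServer(("127.0.0.1", 8765), DashboardHandler).serve_forever()
```

The meta tag is the only way to apply a CSP when the page is loaded from file://, but it cannot carry frame-ancestors or reporting directives, so the header form stays authoritative whenever the dashboard is served over HTTP.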

Bug Fixes

  • Manage tab checkbox reversal now correctly restores original state
  • Date picker respects active range button instead of hardcoding to 7
  • safeRender split into per-section calls (blank tabs now show proper error cards)
  • Coach prompt click handler properly bound after DOM insertion
  • Standalone dashboard per-turn preloading works with tilde-prefixed paths
  • startswith(home) uses trailing separator guard to prevent prefix collisions
  • pyenv shims filtered out for launchd plist python3 resolution
  • quality_cache stores filename-only (no full filesystem path)
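The path-display and shell-quoting items above (tilde substitution with the trailing separator guard, and shlex.quote() on interpolated absolute paths) as an added example. This is not the project's own code; the tar command used for the skill archive, the skill-directory paths and the home directory /Users/alice are constructed for illustration.

```python
import shlex

SEP = "/"  # the dashboards described in the release target macOS/Linux paths


def display_path(path, home):
    """Replace the home-directory prefix with '~' for dashboard display.

    The '+ SEP' is the trailing separator guard from the release notes: without
    it, home='/Users/alice' would also match '/Users/alicebob/...'.
    """
    home = home.rstrip(SEP)
    if path == home:
        return "~"
    if path.startswith(home + SEP):
        return "~" + path[len(home):]
    return path


def display_path_before_fix(path, home):
    """The pre-fix check, kept only to show the prefix collision it allows."""
    home = home.rstrip(SEP)
    if path.startswith(home):
        return "~" + path[len(home):]
    return path


def expand_path(display, home):
    """Inverse of display_path, for when the dashboard hands a '~/...' path back."""
    home = home.rstrip(SEP)
    if display == "~":
        return home
    if display.startswith("~" + SEP):
        return home + display[1:]
    return display


def archive_command_before_fix(skill_dir):
    """Unquoted interpolation: a directory name containing spaces or other shell
    metacharacters changes how many arguments the shell sees."""
    return f"tar -czf {skill_dir}.tar.gz -C {skill_dir} ."


def archive_command(skill_dir):
    """Every interpolated absolute path goes through shlex.quote(), so the shell
    receives exactly one argument per path regardless of its contents."""
    archive = shlex.quote(skill_dir + ".tar.gz")
    return f"tar -czf {archive} -C {shlex.quote(skill_dir)} ."


def argv(command):
    """Tokenise as a POSIX shell would, to inspect the arguments a command carries."""
    return shlex.split(command)


if __name__ == "__main__":
    home = "/Users/alice"                       # constructed sample values
    skill = "/Users/alice/skills/my skill"
    print("shown in UI :", display_path(skill, home))
    print("before fix  :", argv(archive_command_before_fix(skill)))
    print("after fix   :", argv(archive_command(skill)))
```

Paths made only of letters, digits and `@%+=:,./-` come back from shlex.quote() unchanged, so the hardened command is byte-identical to the old one for the common case and only differs when the path would otherwise have been misparsed.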

Quality

Reviewed by 8 specialized agents across 3 rounds: security-engineer, ce-correctness-reviewer, /simplify 7-angle scan. All CRITICAL, HIGH, and MEDIUM findings resolved.
