Security
- Debug endpoints now require authentication. `/debug/*` routes were previously accessible on the LAN without a token, exposing snapshot HTML, cascade IDs, Language Server connection details, and button inventories. They now require the same Bearer token as the REST API.
- Localhost guard on Language Server RPC calls. `lsPost`, `cancelCascadeInvocation`, and `probePort` now assert the destination URL is `127.0.0.1` before connecting. Requests to any other host are rejected.
- Hardened PID shell interpolation. `findConnectPort` validates `pid` as a positive integer below 10,000,000 and converts it to an explicit base-10 string before interpolation into shell commands.
- README network claim made precise. The "no network access outside your LAN" statement now explicitly lists the three local destinations so the claim is verifiable.
- `rejectUnauthorized: false` documented. All LS RPC call sites now explain that cert validation is intentionally skipped because the destination is always `127.0.0.1`.
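
The localhost guard and the PID validation described above, as an added example that is not the project's own code. The helper names (`assertLoopbackUrl`, `pidToShellArg`, `rejects`) are hypothetical, and the URLs and PIDs are constructed sample inputs.

```javascript
// Hypothetical helpers for illustration; the names are assumptions,
// not the project's API.

const MAX_PID = 10_000_000; // upper bound stated in the changelog entry

// Throws unless the parsed host of rawUrl is exactly 127.0.0.1.
function assertLoopbackUrl(rawUrl) {
  const url = new URL(rawUrl); // throws TypeError on malformed input
  // Compare the parsed hostname, never a substring or prefix of the raw
  // string: "http://127.0.0.1.example.test/" and
  // "http://127.0.0.1@example.test/" both contain "127.0.0.1" but
  // connect to a different host.
  if (url.hostname !== '127.0.0.1') {
    throw new Error(`refusing non-loopback host: ${url.hostname}`);
  }
  return url;
}

// Returns pid as a base-10 digit string, the only form that should be
// interpolated into a command line.
function pidToShellArg(pid) {
  // Number.isInteger rejects strings, NaN, Infinity and fractions, so a
  // value such as "4321; echo x" never reaches the shell.
  if (!Number.isInteger(pid) || pid <= 0 || pid >= MAX_PID) {
    throw new RangeError('pid must be a positive integer below 10,000,000');
  }
  return pid.toString(10);
}

// True when fn throws, i.e. when the guard rejected the input.
function rejects(fn) {
  try { fn(); return false; } catch { return true; }
}

// Constructed sample inputs: one URL that passes, three that must not.
const sampleUrls = [
  'https://127.0.0.1:42100/rpc',    // accepted
  'http://127.0.0.1.example.test/', // rejected: loopback used as a label
  'http://127.0.0.1@example.test/', // rejected: loopback used as userinfo
  'http://localhost:42100/',        // rejected: not the literal address
];
for (const u of sampleUrls) {
  const verdict = rejects(() => assertLoopbackUrl(u)) ? 'rejected' : 'accepted';
  console.log(`${verdict}  ${u}`);
}
console.log(pidToShellArg(4321)); // "4321"
```

Because `rejectUnauthorized: false` removes certificate validation, a hostname check of this kind is the only thing constraining where the request goes, so it has to run on the final URL immediately before the connection is opened.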