Security
- CDP origin restriction — Chrome debug port now only accepts connections from
localhost/127.0.0.1(was*) - Base URL allowlist —
NOTEBOOKLM_BASE_URLvalidated against Google domains only (HTTPS required) - Download path traversal protection — blocks writes to
.ssh,.aws,.gnupg, and other sensitive directories - File permission hardening — auth files and storage dir use
0o600/0o700 - CDP WebSocket timeout — 30s timeout prevents infinite hangs on stale connections
Thanks to @wccheung11011001 for the security audit (PR #133)!
New Features
- Custom video style prompts (PR #131) —
--style custom --style-prompt "your description"for CLI,video_style_promptfor MCP. Style prompt is also returned in studio status. Thanks to @agarwalvipin! - Audio source support (PR #134) —
nlm source add --filenow handles audio uploads (m4a, wav, mp3). AddsSOURCE_TYPE_AUDIO = 10, fixes transient status 3 handling for audio, and adds--wait-timeoutflag (default 600s) for long recordings. Thanks to @stanleykao72! - CONTRIBUTING.md — Contributor guide with architecture rules, API capture workflow, testing requirements, and security guidelines
Bug Fixes
build_labeldata loss —Profile.to_dict()was silently dropping thebuild_labelfield on save- Ruff lint/format fixes — B904 exception chaining, format violations across 4 files
Upgrade
uv tool install notebooklm-mcp-cli --upgrade
# or: pip install --upgrade notebooklm-mcp-cliThen restart your MCP client to pick up the changes.
Full changelog: https://github.com/jacob-bd/notebooklm-mcp-cli/blob/main/CHANGELOG.md