github marcpope/borgbackupserver v2.28.0
v2.28.0 — Security hardening

latest release: v2.28.1

Claude Opus 4.7 (Anthropic's top model) was used to audit the codebase for security issues. Several low-to-medium findings have been addressed in this release. No confirmed exploits in the wild — this is proactive hardening.

Highlights:

  • Agent credentials — authentication tokens now use a stricter at-rest storage scheme. Migration is automatic on each agent's next heartbeat; no intervention needed.
  • Server-side privileged operations — the internal helper used for borg and SSH maintenance now accepts a narrower set of inputs, reducing the blast radius of a hypothetical admin-account compromise.
  • Input validation — several gaps in internal APIs and UI handlers have been closed against crafted input.
  • Filesystem boundaries — paths passed to privileged operations are validated against canonical forms to prevent traversal-style bypasses.
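An added illustration of the canonical-path check in the last highlight (example code, not borgbackupserver's own implementation; the directory layout and path names are constructed): resolve the untrusted path against the root first, then compare with `os.path.commonpath` so that `..` segments, symlinks and same-prefix sibling directories are all caught by one check.

```python
import os
import tempfile


def resolve_under_root(root: str, untrusted: str) -> str:
    """Canonicalise `untrusted` (a root-relative path) and return the absolute
    result, or raise ValueError if it lands outside `root` once '..' segments
    and symlinks have been resolved."""
    if os.path.isabs(untrusted):
        raise ValueError(f"absolute paths are not accepted: {untrusted!r}")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, untrusted))
    # commonpath, not str.startswith: '/srv/repos-old/x' must not pass for
    # root '/srv/repos' even though the string starts with it.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"path escapes root: {untrusted!r} -> {candidate}")
    return candidate


def is_allowed(root: str, untrusted: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        resolve_under_root(root, untrusted)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Build a constructed layout in a temp dir and run the check over the
    bypass shapes a reviewer would test: <tmp>/repos is the allowed root,
    <tmp>/secrets is outside it, <tmp>/repos/link is a symlink to secrets,
    and <tmp>/repos-old shares a string prefix with the root."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "repos")
    os.makedirs(os.path.join(root, "client-a"))
    os.makedirs(os.path.join(base, "secrets"))
    os.makedirs(root + "-old")
    os.symlink(os.path.join(base, "secrets"), os.path.join(root, "link"))
    return {
        "plain": is_allowed(root, "client-a/repo"),                 # True
        "dotdot": is_allowed(root, "../secrets/key"),               # False
        "absolute": is_allowed(root, "/etc/passwd"),                # False
        "symlink": is_allowed(root, "link/key"),                    # False
        "prefix": is_allowed(root, "../repos-old/x"),               # False
        "dotdot_inside": is_allowed(root, "client-a/../client-b"),  # True
    }
```

Note that `dotdot_inside` is accepted: the check is on the resolved destination, not on the presence of `..` in the string, so legitimate relative paths that stay inside the root still work.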

No breaking changes. No reinstall required.

Recommended: update promptly.

Bare metal: Settings → Updates → Update.

Docker:

```
docker compose pull
docker compose up -d
```

(Docker Hub multi-arch build takes ~15 min after tag.)


❤️ Sponsor this project if you find it useful.
