What's Changed
- Reduced inline add-note affordance flicker by hiding it during scroll and only showing it after pointer movement by @benvinegar in #328 and #331
- Hardened the local session daemon against browser-originated requests by validating Host and Origin headers and requiring JSON content types for API posts by @benvinegar in #329
- Disabled the generic broker HTTP API by default so Hunk's supported session API is the only app-daemon command surface by @benvinegar in #332
- Bounded session daemon memory by capping HTTP request body and websocket message sizes and rejecting oversized session registrations by @benvinegar in #333
Full Changelog: v0.13.0...v0.13.1