brew-browser v0.2.1
Hotfix on top of v0.2.0 — addresses three GitHub-auth issues users hit immediately, plus a few quality-of-life touches.
Fixes
macOS Keychain prompt on every launch
v0.2.0 eagerly probed the Keychain on app start to know whether you were signed in to GitHub. macOS treats a new binary signature as a new app for ACL purposes, so fresh installs of v0.2.0 fired the "brew-browser wants to use your confidential information stored in dev.openbrew.browser" prompt on every launch — even users who'd never touched a GitHub feature.
v0.2.1 makes the Keychain probe lazy: the OS prompt only fires when you actually click Star / Watch / File-issue, or open Settings → GitHub. If you never use a GitHub feature, the Keychain is never touched, and the prompt never fires. When it does fire, it's contextual — you're about to use the token, the prompt is meaningful.
GitHub auth toast bugs
- "Signed in as @github user." — the post-sign-in success toast was reading
status.usernamebefore the username had been fetched. Fixed: status loads beforesigninStateflips to approved. - Stack of duplicate "Signed in to GitHub" toasts — the toast effect re-ran on every status hydration. Fixed:
untrack()wrapping in the Svelte 5 effect so it's pinned to one toast per real state transition.
Star / Watch / File-issue worked correctly when authed
v0.2.0 bounced authenticated users to Settings → GitHub instead of running the action. This is the same root cause as the Keychain prompt — fixed in the same patch (lazy probe in requireGithubSignIn).
Small things
- Real screenshots — the README and landing page now show actual product UI (Dashboard light/dark + Services). Landing's hero
<picture>usesprefers-color-schemeso visitors see the screenshot matching their system theme. - Accurate build credit — "Powered by Anthropic's Claude Opus 4.7 and the Claude Agent SDK" → "Powered by Claude Code in the terminal, running Opus 4.7 [1m]." Claude Code is the runtime (this CLI), Opus 4.7 [1m] is the model.
- gitleaks allowlist — added
.gitleaks.tomlallowlisting the public OAuth Device Flow client_id. Per RFC 8628 §3.1, Device Flow client_ids aren't credentials; the false-positive flag was the only thing gitleaks caught.
Security audit re-run
Full tool battery passed against the v0.2.0/v0.2.1 surface:
| Tool | Result |
|---|---|
cargo audit
| 0 vulnerabilities |
cargo deny check
| advisories ok, bans ok, licenses ok, sources ok |
npm audit --omit=dev
| 0 vulnerabilities |
semgrep (security-audit + OWASP-10 + Rust + TS, 113 rules, 104 targets)
| 0 findings |
gitleaks
| 0 leaks (after allowlist) |
Verdict: READY-FOR-SCRUTINY preserved. Full breakdown in memory-bank/security.md §14.
Install
Download the signed + notarized .dmg below, open, drag to Applications. No Gatekeeper warning. macOS 13 (Ventura) or newer · Apple Silicon.
Full changelog
Built with Agency Agents, by the creator of Agency Agents. Powered by Claude Code in the terminal, running Opus 4.7 [1m]. If brew-browser saves you time, sponsor on GitHub ♥.