Changed
- 🔑 Stronger auto-generated API keys — increased from 192-bit (32 chars) to 384-bit (64 chars) entropy, making brute-force attacks computationally infeasible.
- 🔒 API key required to start — the server now refuses to start without an API key configured. The CLI auto-generates one as before, but running via
uvicorndirectly without settingOPEN_TERMINAL_API_KEYis no longer allowed. - 🛡️ Constant-time API key comparison — both HTTP and WebSocket authentication now use
hmac.compare_digest()instead of!=, preventing timing-based key extraction. - ⚠️ CORS default warning — a prominent yellow box is printed at startup when
--cors-allowed-originsis left at the default*, warning operators to restrict it for production.