github txlog/agent v1.14.0

6 hours ago

Release v1.14.0

This release includes important security improvements and dependency updates.

Security Fixes

This release addresses 5 security issues identified in a comprehensive security review:

🔒 Input Validation Hardening

  • Command Injection Prevention: Restricted transaction ID validation to numeric-only (^[0-9]+$) to prevent potential command injection through DNF's argument parsing.
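
An added illustration of the numeric-only rule above, written for this page and not taken from the txlog agent's source: the function names and the `dnf history info` invocation are assumptions, and the sample IDs are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// txIDPattern is the numeric-only rule quoted in the release notes.
// In Go's regexp (RE2) syntax, without the (?m) flag, $ matches only at the
// very end of the text, so a trailing newline is rejected as well.
var txIDPattern = regexp.MustCompile(`^[0-9]+$`)

// ValidateTransactionID (hypothetical name) rejects anything that is not a
// non-empty run of ASCII digits.
func ValidateTransactionID(id string) error {
	if !txIDPattern.MatchString(id) {
		return fmt.Errorf("invalid transaction ID %q: digits only", id)
	}
	return nil
}

// HistoryInfoArgs (hypothetical name) builds the argv for an assumed
// "dnf history info <id>" call. The ID is validated first and then passed as
// its own argv element, so it can never be read as an option or split in two.
func HistoryInfoArgs(id string) ([]string, error) {
	if err := ValidateTransactionID(id); err != nil {
		return nil, err
	}
	return []string{"dnf", "history", "info", id}, nil
}

func main() {
	// Constructed sample inputs: one valid ID, then values the rule must refuse
	// (empty, leading dash, option-shaped, embedded space, trailing newline,
	// non-ASCII digits, and a non-numeric spec).
	samples := []string{"42", "", "-1", "--option=value", "42 --option=value",
		"42\n", "４２", "1..5"}
	for _, s := range samples {
		if args, err := HistoryInfoArgs(s); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", args)
		}
	}
}
```

Validating before the argv is built means a value beginning with `-` never reaches the command's option parser.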

🔐 Transport Security

  • HTTPS by Default: Changed default server URL from http://localhost:8080 to https://localhost:8080 to ensure credentials are not transmitted in plaintext.
  • Configuration Warnings: Added security warnings in the configuration file about using HTTPS, file permissions, and authentication best practices.

🛡️ Information Disclosure Prevention

  • Error Message Sanitization: Removed server response bodies from error messages to prevent potential information leakage.

📁 File Permissions

  • Config File Protection: Set explicit file permissions (0600) for /etc/txlog.yaml in package configurations (nfpm.yaml and .goreleaser.yaml) to ensure credentials are only readable by root.

📋 Documentation

  • Privacy Documentation: Added comprehensive documentation about data collection practices, including what data is collected, why it's needed, and privacy considerations for compliance with regulations like GDPR and CCPA.

Dependency Updates

  • github.com/mark3labs/mcp-go bumped from 0.47.1 to 0.49.0

Upgrade Notes

When upgrading from v1.13.0 or earlier:

  1. Configuration: If you relied on the default HTTP URL, update your /etc/txlog.yaml to use HTTPS or explicitly set your desired URL.
  2. File Permissions: Ensure /etc/txlog.yaml has permissions 0600 (RPM packages will set this automatically on fresh installs).

Full Changelog: v1.13.0...v1.14.0
