Commit 3433ce4

chore(release): bump to v0.5.0 (#80)
1 parent 9f36017 commit 3433ce4

1 file changed

Lines changed: 5 additions & 2 deletions

CHANGELOG.md

@@ -7,14 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
## [0.5.0] - 2026-06-03
11+
1012
### Added
1113

1214
- **Forensic key: path input and auto-load** — the "Forensic decryption key" modal now accepts a file path in addition to the file picker and paste field. The path input is pre-filled with the default location (`~/.local/share/agent-receipts/forensic.key`) so most operators can load their key with a single click. Leading `~` is expanded to the user's home directory on the server. Additionally, when the dashboard starts on a loopback address and finds a key file at that default location, it loads the key automatically — no UI step required for a standard single-user install. New endpoint: `POST /api/forensic-key/path`.
1315
- **Decrypted parameter previews on receipt rows** — when the forensic key is loaded, the hover tooltip on encrypted-disclosure rows now shows the decrypted input/output snippets inline, so the operator no longer has to click into the detail modal to read the parameters. Decrypted snippets are cached in the browser tab only and dropped whenever the forensic key state changes.
1416

1517
### Security
1618

17-
- **CSRF guard on `/api/forensic-key/path`** — the endpoint now requires `Content-Type: application/json`, forcing cross-origin browser POSTs through a CORS preflight rather than letting a hostile page issue a "simple" request that would trigger arbitrary server-side file reads. The existing `POST /api/forensic-key` accepts a raw body for compatibility and is not affected by this change; consider a similar guard there in a follow-up.
19+
- **CSRF guard on `/api/forensic-key/path`** — the endpoint now requires `Content-Type: application/json`, forcing cross-origin browser POSTs through a CORS preflight rather than letting a hostile page issue a "simple" request that would trigger arbitrary server-side file reads. The existing `POST /api/forensic-key` accepts a raw body for compatibility and is not affected by this change; tracked in [#79](https://github.com/agent-receipts/dashboard/issues/79).
1820

1921
## [0.4.0] - 2026-06-03
2022
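Review bot: In the Security entry on the `+` line, "the endpoint now requires `Content-Type: application/json`" reads as a fix to an endpoint that had already shipped, but the Added section of this same 0.5.0 block introduces `POST /api/forensic-key/path` as new. Reword to "the endpoint requires" so that readers of the release notes do not infer that 0.4.0 exposed the path endpoint without the guard. The replacement of "consider a similar guard there in a follow-up" with "tracked in #79" also drops what is being tracked; a few words such as "a similar guard there is tracked in #79" keep the entry readable without following the link, and make it plain to operators that the raw-body `POST /api/forensic-key` still ships without the Content-Type requirement in this release.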

@@ -141,7 +143,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
141143

142144
- Server now binds to `localhost` by default; `--host` flag added for custom binding
143145

144-
[Unreleased]: https://github.com/agent-receipts/dashboard/compare/v0.4.0...HEAD
146+
[Unreleased]: https://github.com/agent-receipts/dashboard/compare/v0.5.0...HEAD
147+
[0.5.0]: https://github.com/agent-receipts/dashboard/compare/v0.4.0...v0.5.0
145148
[0.4.0]: https://github.com/agent-receipts/dashboard/compare/v0.3.0...v0.4.0
146149
[0.3.0]: https://github.com/agent-receipts/dashboard/compare/v0.2.2...v0.3.0
147150
[0.2.2]: https://github.com/agent-receipts/dashboard/compare/v0.2.1...v0.2.2
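Review bot: The two added link references (`compare/v0.5.0...HEAD` and `compare/v0.4.0...v0.5.0`) depend on a `v0.5.0` tag that this change does not itself create, so both links fail to resolve until the tag is pushed, and if the tag lands on a later commit the `[0.5.0]` range will no longer match the section it documents. Worth confirming in the release steps that `v0.5.0` is tagged on this commit. The `## [0.5.0]` heading in the first hunk also carries the same date as `## [0.4.0]` (2026-06-03); confirm that is intended rather than copied from the previous heading.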
