License:
- Add MIT LICENSE file (Copyright 2025 Shaun Arman)
- Add MIT badge and Support/Buy-Me-A-Coffee section to README
- Update license section from private to MIT with attribution note
Security (from pre-release audit):
- Remove unscoped fs:allow-read and fs:allow-write from Tauri capabilities
  (H5: unscoped fs permissions undermined filesystem sandboxing; the
  scoped app/temp variants already cover all required paths)
- Add SECURITY_AUDIT.md to .gitignore
Repo hygiene:
- Untrack src-tauri/target/ (6347 build artifacts that should never
  have been committed; .gitignore already listed the path)
- Update .gitignore: remove vendor-specific filenames, replace with
  generic internal-doc patterns (TICKET_*.md, ~$*.docx, etc.)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
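
An added example, not part of the commit or the project's code: a check that could run in CI to catch a regression of finding H5 from the commit message above, flagging `fs:allow-read` or `fs:allow-write` entries that carry no path scope. The sample capability file and the function name `unscoped_fs_permissions` are constructed for illustration, and the file layout (a `permissions` array of strings or of objects with `identifier` and `allow`) is an assumption about the project's Tauri capability files.

```python
import json

# Identifiers named in the commit message above (audit finding H5).
FLAGGED = {"fs:allow-read", "fs:allow-write"}

# Constructed sample capability file; not the project's actual configuration.
SAMPLE_CAPABILITY = """
{
  "identifier": "default",
  "windows": ["main"],
  "permissions": [
    "core:default",
    "fs:allow-read",
    {"identifier": "fs:allow-write", "allow": []},
    {"identifier": "fs:allow-read", "allow": [{"path": "$APPDATA/**"}]},
    "shell:allow-open"
  ]
}
"""


def unscoped_fs_permissions(capability_json: str) -> list[tuple[int, str]]:
    """Return (index, identifier) for flagged permissions with no allow-scope."""
    capability = json.loads(capability_json)
    findings = []
    for index, entry in enumerate(capability.get("permissions", [])):
        if isinstance(entry, str):
            # A bare string grants the permission with no per-entry scope.
            identifier, allow = entry, None
        elif isinstance(entry, dict):
            identifier, allow = entry.get("identifier"), entry.get("allow")
        else:
            continue
        # A missing or empty "allow" list is treated as unscoped here.
        if identifier in FLAGGED and not allow:
            findings.append((index, identifier))
    return findings


if __name__ == "__main__":
    for index, identifier in unscoped_fs_permissions(SAMPLE_CAPABILITY):
        print(f"permissions[{index}]: {identifier} has no path scope")
```
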
Remove high-risk defaults and tighten data handling across auth, storage, IPC, provider calls, and capabilities so sensitive data is better protected by default. Also update README/wiki security guidance and add targeted tests for the new hardening behaviors.
Made-with: Cursor
Fixes:
- Added shell:allow-open permission to fix OAuth integration flows
- Added user_id field to ProviderConfig for Custom REST provider CORE ID
- Added UI field for user_id when api_format is custom_rest
- Made userId optional in Custom REST provider requests (only sent if provided)
- Added X-msi-genai-client header to Custom REST provider requests
- Updated CSP to include Custom REST provider domains
- Bumped version to 0.2.6
This fixes:
- OAuth error: 'Command plugin:shell|open not allowed by ACL'
- Missing User ID field in Custom REST provider configuration UI