<feed xmlns='http://www.w3.org/2005/Atom'>
<title>doot.git/internal/middleware/security.go, branch master</title>
<subtitle>doot — personal productivity web app
</subtitle>
<id>https://git.terst.org/doot.git/atom?h=master</id>
<link rel='self' href='https://git.terst.org/doot.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.terst.org/doot.git/'/>
<updated>2026-06-18T01:10:30+00:00</updated>
<entry>
<title>fix: add cdn.jsdelivr.net to CSP style-src for scout's Tailwind CSS</title>
<updated>2026-06-18T01:10:30+00:00</updated>
<author>
<name>Peter Stone</name>
<email>thepeterstone@gmail.com</email>
</author>
<published>2026-06-18T01:10:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.terst.org/doot.git/commit/?id=38f4ea5af664c26b8ec50e2b49ea583c3d974a67'/>
<id>urn:sha1:38f4ea5af664c26b8ec50e2b49ea583c3d974a67</id>
<content type='text'>
Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
</content>
</entry>
<entry>
<title>Add Agent Context API for external agent integration</title>
<updated>2026-01-29T08:19:28+00:00</updated>
<author>
<name>Peter Stone</name>
<email>thepeterstone@gmail.com</email>
</author>
<published>2026-01-29T08:19:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.terst.org/doot.git/commit/?id=05b1930e04ac222d73ffb2f45c1b1febb69f893d'/>
<id>urn:sha1:05b1930e04ac222d73ffb2f45c1b1febb69f893d</id>
<content type='text'>
Phase 1: Authentication and read-only context
- POST /agent/auth/request - request access with name + agent_id
- GET /agent/auth/poll - poll for approval status
- POST /agent/auth/approve|deny - user approval (browser auth required)
- GET /agent/context - 7-day timeline context (agent session required)

Phase 1.5: Browser-only agent endpoints (HTML pages)
- GET /agent/web/request - request page with token
- GET /agent/web/status - status page with polling
- GET /agent/web/context - context page with timeline data

WebSocket notifications:
- GET /ws/notifications - push agent requests to browsers
- Approval modal with trust indicators and countdown timer

Database:
- agents table for registered agent tracking
- agent_sessions table for pending/active sessions

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
</content>
</entry>
<entry>
<title>Fix CSP to allow conditions page embeds and fonts</title>
<updated>2026-01-27T20:28:26+00:00</updated>
<author>
<name>Peter Stone</name>
<email>thepeterstone@gmail.com</email>
</author>
<published>2026-01-27T20:28:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.terst.org/doot.git/commit/?id=994b92f6c6ce204675b9e20ff1e9b4a3bfa39bea'/>
<id>urn:sha1:994b92f6c6ce204675b9e20ff1e9b4a3bfa39bea</id>
<content type='text'>
Allow external resources in Content-Security-Policy:
- frame-src: youtube.com, embed.windy.com (for webcams/weather)
- style-src: fonts.googleapis.com (for Inter font)
- font-src: fonts.gstatic.com (for font files)

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
</content>
</entry>
<entry>
<title>Phase 1: Critical security fixes</title>
<updated>2026-01-26T17:01:25+00:00</updated>
<author>
<name>Peter Stone</name>
<email>thepeterstone@gmail.com</email>
</author>
<published>2026-01-26T17:01:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.terst.org/doot.git/commit/?id=8c2c88f90039e87b29ce32cd31b7b0361b5803d0'/>
<id>urn:sha1:8c2c88f90039e87b29ce32cd31b7b0361b5803d0</id>
<content type='text'>
- Remove default password fallback - require DEFAULT_PASS in all environments
- Fix XSS vulnerabilities in HTML generation (handlers.go:795,920)
- Add security headers middleware (X-Frame-Options, CSP, HSTS, etc.)
- Add rate limiting on login endpoint (5 req/15min per IP)

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
</content>
</entry>
</feed>
