29 Releases 37 Tags

RSS Feed

• v1.7.7 d01e7801ed

  Compare

  AOC v1.7.7 Stable

  tomas.kracmar released this 2026-04-27 07:16:57 +00:00 | 8 commits to main since this release

  Security Hardening

  This release is a focused security patch addressing findings from an internal audit. All users running AOC in production are encouraged to upgrade.

  Webhook authentication

  • ClientState validation — Notifications now require a matching WEBHOOK_CLIENT_SECRET.
  • Rejects spoofed notification payloads with 401 Unauthorized.

  Rate limiting

  • Redis-backed fixed-window rate limiting is now enabled by default.
  • Per-category limits: fetch 10/hr, ask 30/min, write 20/min, default 120/min.
  • Returns 429 Too Many Requests with Retry-After header.

  SSRF protection for LLM calls

  • LLM_BASE_URL is now validated before every outbound request.
  • Blocks non-HTTPS URLs, localhost, link-local addresses, and private IP ranges.

  CORS enforcement

  • Wildcard (*) origins are automatically stripped when AUTH_ENABLED=true.

  Content Security Policy

  • API and HTML responses now include a Content-Security-Policy header.

  Audit trail integrity

  • The audit middleware no longer parses JWT tokens without signature verification.
  • Verified claims are now propagated safely via contextvars.

  Standalone MCP server

  • Prints a prominent security warning on startup.

  Operational Improvements

  • Bulk tag cap — POST /api/events/bulk-tags limited to 10,000 events.
  • Generic error responses — Internal exception details no longer leaked to clients.
  • Alert rule schema — Strict AlertCondition Pydantic model replaces unconstrained list[dict].
  • Docker Compose — MongoDB and Redis ports removed from host exposure.

  Upgrade notes

  No breaking changes. Existing event data, tags, comments, and saved searches are preserved.

  export AOC_VERSION=v1.7.7
  docker compose -f docker-compose.prod.yml pull
  docker compose -f docker-compose.prod.yml up -d
  

  Downloads

  • Source Code (ZIP)
  • Source Code (TAR.GZ)