Release v0.11.1
Mar 12, 2026
Comprehensive security hardening from a 10-section audit, Windows scheduled task reliability rewrite, and cross-platform helper deployment.
Added
- Helper Binary Deployment: Breeze Helper (Tauri desktop app) can now be downloaded and installed by the agent as platform-native packages — MSI on Windows, DMG on macOS, AppImage on Linux.
- Headless Mode Detection: macOS LaunchDaemon and Linux systemd agents now detect headless mode and route desktop/screenshot commands through IPC to the user-session helper instead of attempting direct screen capture.
Improved
- 35+ security remediations from a comprehensive 10-section audit covering multi-tenant isolation, auth hardening, input validation, rate limiting, WebSocket security, secrets management, CORS/headers, agent communication, and data protection.
- Windows scheduled task collection rewritten to use base64/TSV transport, eliminating PowerShell JSON serialization failures on task descriptions containing special characters.
- Helper installers hardened: streaming file copy on Linux, fixed macOS DMG mount flags, Windows msiexec exit code 3010 handled as success, and secure temp file creation across all platforms.
Fixed
- Fixed agent WebSocket auth running after the connection upgrade instead of before; authenticating first prevents unauthenticated resource consumption.
- Fixed path traversal vulnerability in file list/download Zod schemas.
- Fixed timingSafeEqual crash on buffer length mismatch in agent token comparison.
- Fixed SSRF vulnerability in OIDC discovery endpoint (IPv4/IPv6 private range blocking).
- Fixed unbounded array inputs across 12+ agent schemas (now capped with .max() limits).
- Fixed alert routing rule DELETE/PATCH missing org-scoped WHERE clauses.
- Fixed agent config file permission TOCTOU race with atomic write pattern.
- Fixed stale WebSocket connections via server-side ping/pong detection.
v0.11.1 is a security and reliability release. A comprehensive 10-section security audit produced 35+ remediations across the API, agent, and infrastructure — including moving WebSocket auth before connection upgrade, adding path traversal protection, SSRF blocking on OIDC discovery, and capping unbounded inputs across agent schemas.
The Windows scheduled task collector was rewritten to avoid PowerShell’s JSON serialization failures with special characters. The Breeze Helper desktop app can now be deployed by the agent as native platform installers, and macOS/Linux agents correctly detect headless mode to route desktop commands through IPC instead of failing silently.
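The timingSafeEqual fix listed under Fixed comes from a Node.js behaviour: crypto.timingSafeEqual throws when its two buffers differ in byte length. The following is an added example, not Breeze's actual patch; it shows the crashing shape next to one common hardened form (comparing fixed-length HMAC digests). The function names and the token value are hypothetical.

```javascript
// Added example, not Breeze's code. Function names and sample tokens are hypothetical.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// Per-process random key: digests are only compared in-process, never stored.
const COMPARE_KEY = randomBytes(32);

// Fixed-length (32-byte) digest of an arbitrary-length token.
function digest(token) {
  return createHmac('sha256', COMPARE_KEY).update(token, 'utf8').digest();
}

// "Before" shape: timingSafeEqual throws when the buffers differ in byte
// length, so a short or long presented token crashes the handler unless
// something upstream catches the exception.
function naiveTokenEquals(presented, expected) {
  return timingSafeEqual(Buffer.from(presented), Buffer.from(expected));
}

// Hardened shape: HMAC digests are always 32 bytes, so the length
// precondition holds for any input, and the comparison time does not
// depend on where the two tokens differ.
function safeTokenEquals(presented, expected) {
  if (typeof presented !== 'string' || typeof expected !== 'string') return false;
  return timingSafeEqual(digest(presented), digest(expected));
}

// Constructed sample value, not a real agent token.
const EXPECTED = 'agt_constructed_sample_token_0001';

function demo() {
  const results = {};
  try {
    naiveTokenEquals('short', EXPECTED);
    results.naiveThrew = false;
  } catch (err) {
    results.naiveThrew = true; // length mismatch surfaces as an exception
  }
  results.mismatchedLength = safeTokenEquals('short', EXPECTED);
  results.sameLengthWrong = safeTokenEquals(EXPECTED.replace('0001', '0002'), EXPECTED);
  results.match = safeTokenEquals(EXPECTED, EXPECTED);
  results.nonString = safeTokenEquals(undefined, EXPECTED);
  return results;
}
```

An early return on a plain length check also avoids the crash, but it reveals the expected token length through timing; the digest form avoids that.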