Added
agentpantry sinkwarns at startup when the bind address exposes the sink beyond loopback, mirroring the existingdoctorcheck at the moment it matters.keygennow tells the operator to delete thepsk.key.bak.<timestamp>backup once a rotation is confirmed, since it holds retired key material.
Changed
- go.mod now pins
toolchain go1.25.11, so from-source installs (go install ...@latest) build with the patched standard library instead of whatever Go 1.25.x the machine happens to have. Release binaries were already built with 1.25.11. - SECURITY.md’s key rotation guidance now describes the
rotate-keydual-key grace-window flow introduced in v0.4.0, withkeygendocumented as the stop-the-world fallback. - CI’s test jobs now run
scripts/verify(plusgo test -race) so the build/vet/test gate is defined in exactly one place. - CI pins
govulncheckandgosecto tagged versions instead of@latest, so the security and vuln gates are reproducible. scripts/verifynow gofmt-gates the tree, and a new.gitattributesforces LF on source files so the gate is consistent across platforms (including the Windows CI job).
Fixed
- The CDP cookie reader sets a read deadline, so a hung or crashed DevTools target fails the sync cycle instead of wedging it.