CCC

v0.1.0 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 1mo Developer Productivity

✓ No known CVEs patched

This release patches 3 known CVEs

Topics

agents claude claude-code web developer-tools headless

+4 more

kanban llm-tools local-first python

Affected surfaces

auth rbac

Summary

AI summary

Updates https://github.com/anthropics/pkood, opt-in, and SECURITY.md across a mixed release.

Full changelog

Initial public release.

Kanban board over all live + dormant Claude Code sessions, classified by
signals (commit / push / sidecar status / GitHub label).
GitHub issue → session → verify → close pipeline with attention queue.
Headless claude -p spawn with stdin-pipe follow-up, plus resume-on-demand.
Optional Vercel deploy polling and auto-fix-deploy.
Optional pkood integration for
background agent runners.
Repo picker — live-switch the watched repo from the toolbar without restarting.
AI title regeneration via claude -p --model haiku.
Morning view (opt-in) — goals / strategic / tactical surfaces with
Apple Notes ingestion.

127.0.0.1 bind by default. CCC_BIND_HOST=0.0.0.0 requires opt-in and
prints a startup warning.
Same-origin POST check (Origin header) on every state-changing request.
/api/open clamped to paths under REPO_ROOT / LOG_DIR. Default action
is open -R (Reveal in Finder), not launch.
/api/repo/switch validates targets against the picker allow-list.
See SECURITY.md for the full threat model.

`127.0.0.1` bind by default; binding to `0.0.0.0` requires opt‑in and prints a warning
Same-origin POST check (Origin header) enforced on all state‑changing requests
/api/open clamped to paths under REPO_ROOT / LOG_DIR with default "open -R" action

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Track CCC

Get notified when new releases ship.

About CCC