This release includes 3 security fixes for security teams reviewing exposed deployments.
Topics
+11 more
Affected surfaces
ReleasePort's take
Moderate signalVersion v1.9.41 hardens Homebrew installs, deployment pipelines, and web servers with mandatory SHA‑256 verification, SSH host‑key enforcement, token‑guarded terminal bridges, and rejection of unauthenticated non‑loopback binds.
Why it matters: All deployments must enforce SHA‑256 checksums; remote connections require verified SSH host keys; any unauthenticated external bind to the web server is now refused. These mandatory checks trigger immediately on upgrade.
Summary
AI summarySecurity hardening across recommended Homebrew installation, remote deploy verification, and web server authentication.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical |
Enforce SHA-256 verification before deployment. Enforce SHA-256 verification before deployment. Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Security | Critical |
Enforce SSH host‑key stance for remote connections. Enforce SSH host‑key stance for remote connections. Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Security | Critical |
Add checksum verification to install.sh script. Add checksum verification to install.sh script. Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Security | Critical |
RemoveAll containment and use environment variables for secrets. RemoveAll containment and use environment variables for secrets. Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Security | Critical |
Shell‑quote spawn arguments to prevent injection. Shell‑quote spawn arguments to prevent injection. Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Security | High |
Refuse unauthenticated non‑loopback binds in web server. Refuse unauthenticated non‑loopback binds in web server. Source: llm_adapter@2026-05-27 Confidence: high |
— |
| Security | High |
Gate terminal bridge with token authentication. Gate terminal bridge with token authentication. Source: llm_adapter@2026-05-27 Confidence: high |
— |
Full changelog
Agent Deck v1.9.41
Terminal session manager for AI coding agents.
Installation
Homebrew (recommended):
brew install asheshgoplani/tap/agent-deck
Quick Install:
curl -fsSL https://raw.githubusercontent.com/asheshgoplani/agent-deck/main/install.sh | bash
Go Install:
go install github.com/asheshgoplani/agent-deck/cmd/[email protected]
Changelog
- 320ba9ddd30b81b2feb14ee718fc7a29e7fcda8c chore(release): v1.9.41 — security hardening (SHA-256 verify, non-loopback bind auth, install.sh checksum)
- 1cf808b603f9a657afaa8e3ced03bd576e369ce5 fix(remote): verify SHA-256 before deploy + enforce SSH host-key stance (security hardening) (#1207)
- 50bf56d886d23c95f3e4ee3f6fc58894f3f1cf38 fix(security): install.sh checksum + RemoveAll containment + secret-via-env + shell-quote spawn args (#1210)
- a5ef0ddf29120e9a31da88a74e26c15bf51bfb88 fix(web): refuse unauthenticated non-loopback bind + token-gate terminal bridge (security) (#1209)
Full Changelog: https://github.com/asheshgoplani/agent-deck/compare/v1.9.40...v1.9.41
Security Fixes
- install.sh now verifies SHA-256 checksum before execution
- Remote deploy verification enforces SSH host‑key stance and checks SHA-256 of artifacts
- Web server refuses unauthenticated non-loopback binds and requires token for terminal bridge
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About agent-deck
Terminal session manager for AI coding agents. One TUI for Claude, Gemini, OpenCode, Codex, and more.
Related context
Related tools
Beta — feedback welcome: [email protected]