Skip to content

MulmoClaude

v@mulmobridge/[email protected] Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 1mo LLM Frameworks
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 3 known CVEs

Affected surfaces

auth

Summary

AI summary

Updates Highlights, Quick start ```bash, and MVP across a mixed release.

Full changelog

Highlights

  • Cloudflare Workers relay for MulmoBridge — receives webhooks from messaging platforms, queues messages when MulmoClaude is offline, forwards via WebSocket on reconnect
  • LINE + Telegram support (MVP)
  • Durable Object — WebSocket server + persistent message queue (1000 msg cap)
  • Security — LINE HMAC-SHA256 timing-safe verification, Telegram secret_token, bearer token auth for WS, 1MB body limit

Architecture

LINE ─────→ /webhook/line ─────┐
Telegram ─→ /webhook/telegram ─┼→ Durable Object → WS → MulmoClaude
(future) ─→ /webhook/...  ────┘   (queue if offline)    (home PC)

Quick start

# Deploy to your Cloudflare account
cd packages/relay
wrangler login
wrangler deploy

# Set secrets
wrangler secret put RELAY_TOKEN
wrangler secret put LINE_CHANNEL_SECRET
wrangler secret put LINE_CHANNEL_ACCESS_TOKEN

📦 npm: @mulmobridge/[email protected]

Security Fixes

  • LINE HMAC‑SHA256 timing‑safe verification added
  • Telegram secret_token usage enforced
  • WebSocket connections now require bearer token auth
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track MulmoClaude

Get notified when new releases ship.

Sign up free

About MulmoClaude

All releases →

Related context

Earlier breaking changes

  • v0.6.4 `General` role split into lean `General` and new `Personal` role; Encore seed role pinned to Personal.

Beta — feedback welcome: [email protected]