Skip to content

release: v6.7.1 — DNS-rebinding fix for ops dashboard#256

Merged
silversurfer562 merged 1 commit into
mainfrom
release/v6.7.1
May 12, 2026
Merged

release: v6.7.1 — DNS-rebinding fix for ops dashboard#256
silversurfer562 merged 1 commit into
mainfrom
release/v6.7.1

Conversation

@silversurfer562
Copy link
Copy Markdown
Member

@silversurfer562 silversurfer562 commented May 12, 2026

Summary

Patch release for the ops dashboard DNS-rebinding vulnerability fixed in #254, plus the UX changes that shipped between v6.7.0 and now.

Users running attune ops should upgrade. v6.7.1 fixes a DNS-rebinding vulnerability that allowed any visited website to invoke ops dashboard endpoints (including endpoints that trigger workflow execution) on the local machine. Pre-existing since the ops runner first shipped — not introduced by recent changes.

Version bumps

  • pyproject.toml, uv.lock
  • plugin/.claude-plugin/{plugin,marketplace}.json
  • plugin/core/__init__.py
  • .claude-plugin/marketplace.json (root)
  • .claude/CLAUDE.md (header + footer)
  • docs/reference/API_REFERENCE.md (header + footer)

test_all_versions_match confirms parity.

Changelog (highlights)

Test plan

  • pytest tests/unit/plugins/test_plugin_config_validation.py::TestVersionConsistency passes locally
  • CI green on this PR
  • Tag v6.7.1 on the merge commit after squash
  • publish-pypi.yml approved and v6.7.1 live on PyPI

🤖 Generated with Claude Code

@silversurfer562
release: v6.7.1 — DNS-rebinding fix for ops dashboard
9013401 
Patches a DNS-rebinding vulnerability in the local ops
dashboard that allowed any visited website to invoke ops
endpoints (including workflow execution) on the local
machine. Fix landed in #254.

Also bundles UI/UX changes shipped between v6.7.0 and now:
Tier 1 rich rendering (#247), full-page run view (#251),
specs tab (#236/#239/#240), humanized 409s + tab cleanup
(#228/#231), run-enabled-by-default ops mode (#227).

Bumps version in pyproject.toml, plugin manifests, root
marketplace.json, .claude/CLAUDE.md, API_REFERENCE.md, and
uv.lock. CHANGELOG entry leads on the security fix.
@vercel
Copy link
Copy Markdown

vercel Bot commented May 12, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
attune-ai Error Error May 12, 2026 0:05am
website Ready Ready Preview, Comment May 12, 2026 0:05am

@github-actions github-actions Bot added documentation Improvements or additions to documentation dependencies labels May 12, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 12, 2026

🔒 Security Scan Results

Status: PASSED - No blocking issues

Summary

Severity Count Action
🔴 CRITICAL 0 BLOCKS PR
🟡 MEDIUM 0 ⚠️ Review recommended
🔵 LOW 0 ℹ️ Informational

Total Findings: 0

🛠️ Need Help?

If findings are false positives:

  1. Add clarifying comments in code (e.g., # Security Note: Test data only)
  2. Request security review: Add security-review label
  3. Security team will evaluate and add security-approved label if safe

For emergency hotfixes:

  1. Add hotfix label to bypass blocking
  2. Create follow-up ticket to address findings
  3. Security team will review post-deployment

Scanner Accuracy: ~82% (Industry-leading!)

Powered by Attune AI Security Scanner | Documentation

@codecov
Copy link
Copy Markdown

codecov Bot commented May 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@silversurfer562 silversurfer562 merged commit fd5bb32 into main May 12, 2026
31 of 37 checks passed
@silversurfer562 silversurfer562 deleted the release/v6.7.1 branch May 12, 2026 12:27
@silversurfer562 silversurfer562 mentioned this pull request May 12, 2026
Merged
4 tasks
silversurfer562 added a commit that referenced this pull request May 12, 2026
@silversurfer562 @claude
feat(ops/security): add Phase 2.3 test + close ops-security-hardening…
b4926f8 
… spec (#280)

Phases 1-4 of docs/specs/ops-security-hardening/ all landed across
v6.7.1 PRs (#254 + #256) earlier today. This adds the one missing
piece — Phase 2.3 regression guard — and closes the spec docs.

CODE
- tests/unit/ops/test_runner.py: add
  test_subscriber_queue_does_not_block_fast_subscribers. Regression
  guard asserting that a slow subscriber doesn't block fast ones —
  _broadcast is a synchronous per-subscriber put_nowait, so QueueFull
  on one subscriber must not affect others. Pairs with the existing
  test_subscriber_queue_drops_slow_subscriber.

SPEC
- All 4 spec files: status draft -> complete (2026-05-12, pending
  Phase 5 smoke). Phase 5 = Patrick's manual curl + browser checks;
  not automatable from a session.
- decisions.md: closure entry with the 3-PR table, satisfied
  resolution criteria, and the "out-of-scope items remain deferred,
  not regressions" note.
- tasks.md: Phase 1-4 boxes ticked. Phase 5-6 remain open (10 items)
  pending manual verification.

Local: tests/unit/ops/ 142 passed in 2.69s (was 141; +1 new test).

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies documentation Improvements or additions to documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@silversurfer562