- cors_allowed_origins now uses CORS_ORIGINS from config (default: None)
- None restricts to same-origin only, blocking cross-site WebSocket hijacking
- Set CORS_ORIGINS in config.json or env var to allow specific domains
- User-to-user PMs now use a server-derived shared room key (HMAC-SHA256)
instead of each user's personal PBKDF2 key (which differed per user,
making cross-user decryption impossible)
- Server sends room_key in pm_ready, pm_invite, and pm/history responses
- crypto.js: add importKeyBase64() for importing server-provided keys
- chat.js: use sharedKey for encrypt/decrypt in user-to-user PMs
- Violet AI transit encryption still uses personal key (unchanged)
- PM history decryption now handles errors gracefully per-message
- Encodes otherUser in history URL to prevent injection
- Only emit pm_invite when target_sid exists (real user)
- Violet has no socket session, so emitting to None would broadcast
to all connected clients, leaking who is chatting with the AI
- Track pending PM invitations per socket session
- pm_accept now rejects room joins unless user has a valid invite
- Clean up pending invites on disconnect
- Prevents eavesdropping on other users' PM conversations
- Create config.py with shared constants, AES-GCM helpers, and JWT helpers
- app.py and routes.py now import from the single source of truth
- Eliminates JWT secret mismatch (routes.py had hardcoded default)
- Removes all duplicate _issue_jwt, _verify_jwt, _aesgcm_encrypt,
_aesgcm_decrypt definitions
- start.py also uses shared config loader
3nd3r
Antigravity
ComputerTech