Releases: hamr0/barebrowse

v0.11.0 — security hardening

23 May 19:12
@hamr0 hamr0


Security hardening release. Full audit of the library + CLI daemon + MCP server — 8 findings + 2 review-found bugs, all PoC-verified and regression-tested (162 tests passing).

Highlights

  • Daemon auth: per-session token required on /command (was unauthenticated eval over shared loopback); session.json 0600, dir 0700.
  • Artifacts (snapshots, saveState, logs) written owner-only 0600.
  • Navigation guard: file:/view-source:/chrome:/etc. blocked by default; opt-in blockPrivateNetwork (SSRF) and uploadDir (upload sandbox).
  • Cookies: precise RFC-6265 domain match (was over-broad LIKE substring).
  • Hardening: shell-free browser discovery, Atomics.wait cleanup, .gitignore, pinned wearehere.
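The cookie item above replaces a substring lookup with RFC 6265 domain matching. The following is an added example, not barebrowse code: it implements the domain-match rule of RFC 6265 section 5.1.3 beside a substring check that models the pre-fix `LIKE` lookup (the exact shape of the old query is an assumption here), and runs both over a constructed cookie jar so the over-match is visible.

```javascript
// Added example (not barebrowse code): RFC 6265 section 5.1.3 domain matching
// for cookie retrieval, beside the substring check it replaces.

// Lower-case and strip a trailing dot so "Example.COM." matches "example.com".
function canonicalHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, '');
}

// IPv4 dotted quad, or anything containing ':' (IPv6). RFC 6265 only lets an
// IP-literal request host match a cookie domain by exact equality.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
}

// RFC 6265 section 5.1.3: request host H domain-matches cookie domain D when
//   H === D, or H ends with "." + D and H is not an IP address.
function domainMatches(requestHost, cookieDomain) {
  const h = canonicalHost(requestHost);
  const d = canonicalHost(cookieDomain).replace(/^\./, ''); // tolerate legacy leading dot
  if (h === d) return true;
  if (isIpLiteral(h)) return false;
  return h.endsWith('.' + d);
}

// Assumed model of the pre-fix lookup: a SQL LIKE '%...%' on the stored domain
// reduces to a substring test, so unrelated hosts that merely contain the
// cookie's domain string also match.
function substringMatches(requestHost, cookieDomain) {
  const d = canonicalHost(cookieDomain).replace(/^\./, '');
  return canonicalHost(requestHost).includes(d);
}

// Names of the cookies a request to `requestHost` should receive. Host-only
// cookies (no Domain attribute when set) require exact host equality.
function cookiesForRequest(jar, requestHost, match = domainMatches) {
  return jar
    .filter(c => (c.hostOnly
      ? canonicalHost(c.domain) === canonicalHost(requestHost)
      : match(requestHost, c.domain)))
    .map(c => c.name);
}

// Constructed sample jar for the demonstration.
const SAMPLE_JAR = [
  { name: 'sid', domain: 'example.com', hostOnly: false },
  { name: 'admin', domain: 'admin.example.com', hostOnly: true },
  { name: 'foreign', domain: 'notexample.com', hostOnly: false },
  { name: 'lookalike', domain: 'example.com.attacker.test', hostOnly: false },
];

// A request to notexample.com must only see its own cookie; the substring
// rule also hands it example.com's session cookie.
console.log('rfc6265  :', cookiesForRequest(SAMPLE_JAR, 'notexample.com'));
console.log('substring:', cookiesForRequest(SAMPLE_JAR, 'notexample.com', substringMatches));
```

The interesting cases are the two negatives: a host that merely ends in the same characters (`notexample.com` vs `example.com`) and an IP-literal request host, which a suffix test on its own would still match. Both are rejected by `domainMatches` and accepted by the substring rule.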

Breaking

  1. file:/chrome:/etc. navigation now throws by default — pass allowLocalUrls: true to restore.
  2. CLI daemon requires the token (transparent via the bundled client); third-party clients hitting the daemon HTTP API must send x-barebrowse-token from session.json.
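To make the first breaking change concrete, here is an added example of a navigation guard with the behaviour the release describes; it is not barebrowse's own code. The option names `allowLocalUrls` and `blockPrivateNetwork` come from the release note; the allowlist approach (only `http:`/`https:` pass by default), the return shape and the exact address ranges are assumptions of this example.

```javascript
// Added example (not barebrowse code): a navigation guard in the shape the
// release describes. Only http(s) navigations are allowed unless
// allowLocalUrls is set; blockPrivateNetwork is opt-in and refuses literal
// loopback/private/link-local hosts.

// Parse a dotted-quad IPv4 literal into octets, or null if it is not one.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every(o => o <= 255) ? octets : null;
}

// True for hosts that must not be reached when blockPrivateNetwork is on.
// The WHATWG URL parser has already normalised shorthand IPv4 forms into a
// dotted quad, so one regex is enough here.
function isPrivateHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h === '[::1]' || h === '[::]') return true;           // IPv6 loopback / unspecified
  const o = parseIPv4(h);
  if (!o) return false;                                      // DNS names: see the note below
  const [a, b] = o;
  return a === 0 || a === 10 || a === 127                    // 0/8, 10/8, 127/8
    || (a === 169 && b === 254)                              // 169.254/16 link-local
    || (a === 172 && b >= 16 && b <= 31)                     // 172.16/12
    || (a === 192 && b === 168);                             // 192.168/16
}

// Decide whether a navigation may proceed. Returns { ok, reason } or { ok, url }.
function checkNavigation(rawUrl, opts = {}) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  const webScheme = url.protocol === 'http:' || url.protocol === 'https:';
  if (!webScheme && !opts.allowLocalUrls) {
    return { ok: false, reason: `scheme ${url.protocol} blocked; pass allowLocalUrls: true to permit` };
  }
  if (opts.blockPrivateNetwork && webScheme && isPrivateHost(url.hostname)) {
    return { ok: false, reason: `private-network host ${url.hostname} blocked` };
  }
  return { ok: true, url: url.href };
}

// Constructed inputs for a quick run.
const SAMPLE_NAVIGATIONS = [
  'https://example.com/',
  'file:///etc/hosts',
  'view-source:https://example.com/',
  'chrome://settings',
  'http://127.0.0.1:9222/json',
  'http://[::1]/',
];
for (const u of SAMPLE_NAVIGATIONS) {
  console.log(u, '=>', checkNavigation(u, { blockPrivateNetwork: true }));
}
```

Two caveats worth keeping in mind for any guard of this shape. First, it only inspects literal addresses; a DNS name that resolves to a private address passes `isPrivateHost`, so a complete SSRF defence also checks the resolved address at connect time (and again on redirects, since each redirect is a fresh navigation). Second, the check runs once per top-level navigation, so it does not by itself cover subresource fetches the page makes afterwards.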

See CHANGELOG.md for the full entry.
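The daemon auth item in Highlights and the second breaking change describe the same contract: the client reads the token from session.json and sends it as `x-barebrowse-token`, and the daemon refuses `/command` without it. The following added example, not barebrowse's own code, models both ends of that exchange on plain request objects. The header and route names are from the release note; the status codes, the session shape and the pass-through of other routes are assumptions of the example.

```javascript
// Added example (not barebrowse code): per-session token check on /command,
// modelled on plain { method, path, headers } objects rather than a live server.

const TOKEN_HEADER = 'x-barebrowse-token';

// Compare two strings without stopping at the first differing byte, so the
// time taken does not depend on how much of the token was right.
// crypto.timingSafeEqual is the production choice; this is hand-rolled only
// to keep the example free of imports.
function constantTimeEqual(a, b) {
  const enc = new TextEncoder();
  const x = enc.encode(a);
  const y = enc.encode(b);
  let diff = x.length ^ y.length;
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  return diff === 0;
}

// Client side: build a /command request from the session record the bundled
// client would have read from session.json. Token goes in a header, never in
// the URL, so it does not land in access logs or referers.
function buildCommandRequest(session, body) {
  return {
    method: 'POST',
    path: '/command',
    headers: { [TOKEN_HEADER]: session.token, 'content-type': 'application/json' },
    body: JSON.stringify(body),
  };
}

// Daemon side: authorise one request. Header names are lower-cased, as Node's
// http module does. Routes other than /command pass through unchanged here
// (an assumption of this model).
function authorize(req, session) {
  if (req.path !== '/command') return { status: 200 };
  const presented = req.headers[TOKEN_HEADER];
  if (typeof presented !== 'string' || presented.length === 0) {
    return { status: 401, error: `missing ${TOKEN_HEADER}` };
  }
  if (!constantTimeEqual(presented, session.token)) {
    return { status: 403, error: 'bad token' };
  }
  return { status: 200 };
}

// Constructed session record; a real one is random per session and written
// to session.json with mode 0600 inside a 0700 directory.
const SAMPLE_SESSION = { token: 'constructed-example-token-0123456789abcdef' };

const good = buildCommandRequest(SAMPLE_SESSION, { cmd: 'snapshot' });
const stale = buildCommandRequest({ token: 'constructed-token-from-an-older-session' }, { cmd: 'snapshot' });
console.log('bundled client  :', authorize(good, SAMPLE_SESSION));
console.log('stale token     :', authorize(stale, SAMPLE_SESSION));
console.log('no token at all :', authorize({ method: 'POST', path: '/command', headers: {} }, SAMPLE_SESSION));
```

The file permissions are the other half of the design: with the daemon on a shared loopback, any local user could reach the port, so the secret that gates `/command` has to be unreadable to them. In Node that is `fs.mkdirSync(dir, { mode: 0o700 })` followed by `fs.writeFileSync(path, data, { mode: 0o600 })`, and it is worth a startup check that an existing session.json still has those bits rather than assuming it.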

Assets 2