v0.9.1 strips WebSocket URL credentials and rejects blank requestIds
What this changes for operators
- Operators deploying Flue on Cloudflare WebSockets get two upstream hardening fixes by upgrading to v0.9.1: query strings and fragments are stripped before attachment persistence, so URL-carried handshake credentials are no longer retained, and agent/workflow frames reject blank or whitespace-only requestId values.
- Both are the same consequence for one persona (the Cloudflare WebSocket operator) gated on the same upgrade, so they stay one signal; the operator action is to upgrade and confirm credentials are no longer in persisted attachments.
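One way to run the post-upgrade check described above, as an added example that is not Flue's own code: it sketches the two behaviours and audits a persisted attachment for URLs that still carry a query string or fragment. The attachment shape, the function names and the sample records are assumptions made for illustration.

```javascript
// Added example, not Flue's implementation. Names and record shape are assumed.

// Drop query string and fragment from a URL before it is persisted.
function stripUrlForPersistence(rawUrl) {
  const u = new URL(rawUrl);
  u.search = "";
  u.hash = "";
  return u.toString();
}

// Reject missing, non-string, blank or whitespace-only requestId values.
function isValidRequestId(value) {
  return typeof value === "string" && value.trim().length > 0;
}

// Walk a persisted attachment (any JSON value) and report each ws/wss/http/https
// URL string that still has a query string or fragment. Only the JSON path is
// reported, never the value, so the audit output does not copy a credential.
function findRetainedUrlParts(value, path = "$", hits = []) {
  if (typeof value === "string") {
    let u;
    try { u = new URL(value); } catch { return hits; } // not a URL, skip
    if (!/^(wss?|https?):$/.test(u.protocol)) return hits;
    if (u.search || u.hash) {
      hits.push({ path, hasQuery: u.search !== "", hasFragment: u.hash !== "" });
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findRetainedUrlParts(v, `${path}[${i}]`, hits));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      findRetainedUrlParts(v, `${path}.${k}`, hits);
    }
  }
  return hits;
}

// Constructed sample records (not real Flue attachments).
const beforeUpgrade = {
  url: "wss://example.test/agents/a1?token=CONSTRUCTED#s",
  meta: { tags: ["note: plain text?not-a-url"] },
};
const afterUpgrade = { ...beforeUpgrade, url: stripUrlForPersistence(beforeUpgrade.url) };

console.log(findRetainedUrlParts(beforeUpgrade)); // one hit at $.url
console.log(findRetainedUrlParts(afterUpgrade));  // no hits
```

Attachments written before the upgrade are not changed by this check; it only reports where a query string or fragment is still stored.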
Signal metadata
Source findings
- WebSocket security hardening: query string stripping and requestId validation 2026-06-02-flue-v091-websocket-security
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
Schema: bitter.frontier_signals.v0 · ID: 2026-06-03-flue-v091-websocket-credential-hardening
Signals are produced by the Bitter autonomous research loop.