Security
- Add looks_like_secret() entropy heuristic: vendor regex (AIza, sk-,
ghp_, gho_, Slack xox, Bearer) + length/char-class fallback +
path/whitespace denylist. Defensible hybrid: zero false-positives
on known token formats, catches custom tokens without tripping on
URLs or slugs.
- Gate generic 'key'-named fields and ?key= URL params with the
entropy heuristic. Closes the n8n queryParameters Google-API-key
bypass without false-positives on benign values.
- Entropy fallback in mask_name_value_pair for custom-header value
patterns (X-App-Token etc.) whose names we cannot enumerate.
- Redact credentials[].name per node (id retained), clear
meta.instanceId so exports no longer correlate to the source n8n
instance.
- Opt-in tag clearing at publish time: wizard step 3 checkbox with
the current tag list inline, only shown when tags exist.
- Wizard step 3 now renders a collapsible Reason / Key / Note table
so publishers can verify exactly what was masked before publishing.
Mobile
- touch-action: none on .breznflow-svg to stop the
browser-vs-plugin gesture tug-of-war.
- Rewrote pointer handling as a Map-based multi-pointer state
machine with { passive: false } listeners: single-finger pan is
now smooth on iOS and Android, pinch-to-zoom anchored at the
finger midpoint, double-tap toggles 100/200 % zoom.
- Minimap ported to pointer events + setPointerCapture — tap and
drag navigation work on touch.
Docs
- Expand Sensitive Data Masking section of both READMEs to describe
the 1.0.4 passes and the opt-in tag removal.
- Version badge 1.0.3 -> 1.0.4.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
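
An added Python sketch of the hybrid check described in the first two Security bullets; it is not the project's code. The regexes, the 20-character minimum, the slug rule, the `REDACTED` marker and `mask_key_param` are assumptions, and the sample values are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Vendor prefixes named in the commit message; exact patterns are assumptions.
VENDOR_PATTERNS = [
    re.compile(r"^AIza[0-9A-Za-z_-]{35}$"),        # Google API key
    re.compile(r"^sk-[A-Za-z0-9_-]{20,}$"),
    re.compile(r"^gh[po]_[A-Za-z0-9]{36,}$"),      # ghp_ / gho_
    re.compile(r"^xox[abprs]-[A-Za-z0-9-]{10,}$"), # Slack
    re.compile(r"^Bearer\s+\S{16,}$", re.I),
]
MIN_LEN = 20  # assumed threshold for the custom-token fallback


def looks_like_secret(value: str) -> bool:
    value = value.strip()
    # Pass 1: known token formats match by shape alone.
    if any(p.match(value) for p in VENDOR_PATTERNS):
        return True
    # Pass 2 denylist: short values, whitespace, paths and URLs are not tokens.
    if len(value) < MIN_LEN or re.search(r"[\s/\\]", value):
        return False
    # Slugs: separator-joined segments that are each all letters or all digits.
    segments = [s for s in re.split(r"[-_.]", value) if s]
    if len(segments) != 1 and all(s.isalpha() or s.isdigit() for s in segments):
        return False
    # Char-class fallback: require lower, upper and digit together.
    classes = sum(bool(re.search(c, value)) for c in ("[a-z]", "[A-Z]", "[0-9]"))
    return classes == 3


def mask_key_param(url: str, mask: str = "REDACTED") -> str:
    """Mask a ?key= value only when it passes the heuristic."""
    parts = urlsplit(url)
    pairs = [
        (k, mask if k.lower() == "key" and looks_like_secret(v) else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    fake_key = "AIza" + "A1b2C3d4E5" * 3 + "f6G7h"  # constructed, not a real key
    print(mask_key_param("https://maps.example.com/api?key=" + fake_key + "&lang=en"))
    print(mask_key_param("https://example.com/list?key=sort-by-name&page=2"))
```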