• feat(auth): X-Bn-Verified-Captcha trusted header + CaptchaVerified helper

    Ghost released this 2026-07-07 14:53:50 +00:00 | 6 commits to main since this release

    The host verifies (and consumes) a request's cap-token against its
    stateful captcha server before wasm dispatch and stamps this header;
    guests enforce captcha by checking CaptchaVerified, fail closed.
    Included in AllTrustedHeaders so the host's strip-then-stamp loop
    makes it unforgeable, like the identity headers.

    Co-Authored-By: Claude Fable 5 noreply@anthropic.com

    Downloads