whykusanagi · whykusanagi · May 25, 2026 · May 25, 2026
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -11,6 +11,10 @@ jobs:
   checks:
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    # Minimum scope needed: checkout reads repo contents, no other API calls.
+    # Closes CodeQL actions/missing-workflow-permissions warning.
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
 

diff --git a/examples/components/png-export.html b/examples/components/png-export.html
@@ -239,9 +239,12 @@ <h3><i class="fas fa-code"></i> Usage</h3>
 
   <!--
     Load html2canvas from CDN so the demo works without a local npm install.
+    SRI hash pinned so a compromised CDN can't substitute a tampered build.
     In a real project: npm install html2canvas  (then it loads via dynamic import)
   -->
-  <script src="https://cdnjs.cloudflare.com/ajax/libs/html2canvas/1.4.1/html2canvas.min.js"></script>
+  <script src="https://cdnjs.cloudflare.com/ajax/libs/html2canvas/1.4.1/html2canvas.min.js"
+          integrity="sha384-ZZ1pncU3bQe8y31yfZdMFdSpttDoPmOZg2wguVK9almUodir1PghgT0eY7Mrty8H"
+          crossorigin="anonymous"></script>
   <script type="module">
     import { exportElementAsPng } from '../../src/lib/png-export.js';
 

diff --git a/examples/components/websocket-manager.html b/examples/components/websocket-manager.html
@@ -297,7 +297,15 @@ <h3><i class="fas fa-code"></i> Usage</h3>
       const now = new Date().toLocaleTimeString('en-US', { hour12: false });
       const entry = document.createElement('div');
       entry.className = 'log-entry';
-      entry.innerHTML = `<span class="log-ts">[${now}]</span><span class="log-${type}">${text}</span>`;
+      // Build child spans with textContent so incoming WS messages
+      // can't inject markup into the page log.
+      const tsSpan = document.createElement('span');
+      tsSpan.className = 'log-ts';
+      tsSpan.textContent = `[${now}]`;
+      const msgSpan = document.createElement('span');
+      msgSpan.className = `log-${type}`;
+      msgSpan.textContent = text;
+      entry.append(tsSpan, msgSpan);
       logEl.appendChild(entry);
       logEl.scrollTop = logEl.scrollHeight;
     }

diff --git a/src/lib/celeste-widget.js b/src/lib/celeste-widget.js
@@ -1163,10 +1163,14 @@ class CelesteAgent {
     }
 
     /**
-     * Generate a unique session ID
+     * Generate a unique session ID using cryptographic randomness so the
+     * value can't be predicted or collided by another tab/visitor.
      */
     generateSessionId() {
-        return 'celeste_' + Date.now() + '_' + Math.random().toString(36).substr(2, 9);
+        const uuid = (typeof crypto !== 'undefined' && crypto.randomUUID)
+            ? crypto.randomUUID()
+            : 'fallback_' + Date.now();
+        return 'celeste_' + uuid;
     }
 
     /**