Shell Pilot 1.13.6
Bug fixes — July 5, 2026
Fixed — Backend
- Fixed Stripe webhook raw body handling in Firebase Functions v2 (webhook signature verification was silently failing).
- Fixed race condition in license creation — concurrent webhook events could generate duplicate license keys.
- Added license status filtering to getLicense endpoint (revoked licenses are no longer returned).
- Added rate limiting to getLicense endpoint (10 requests per minute per IP) to prevent email enumeration.
- Added CORS headers to getLicense and createCheckoutSession API responses.
- Added input validation to createCheckoutSession endpoint.
Fixed — Frontend
- Fixed n-gram autocomplete being dead code due to an inverted cursor position guard — history-based suggestions now work.
- Fixed NGramModel async loadModel race condition — persisted model is now correctly loaded on app start.
- Fixed remote directory listing failing for paths containing spaces or special characters.
- Fixed zsh extended history parsing — commands in extended format are now correctly extracted.
- Fixed semantic suggestion cursor position check to prevent terminal corruption when cursor is mid-line.
- Fixed double-encoding of spaces in terminal directory URL resolution.
- Fixed escape sequence parser using order-independent string containment instead of ordered parsing.
- Fixed injected SSH bootstrap commands triggering onCommandComplete and interfering with SSH state tracking.