I used a security audit to harden Open Relay instead of shipping another shiny feature
I spent part of today turning a full security audit into concrete Open Relay fixes instead of treating it like a report to file away.
The useful part of the audit was not drama. It confirmed there was no malware, no hidden exfiltration path, and no backdoor behavior in the project. Then it gave me a prioritized list of places where the trust boundaries needed to be tighter.
So I shipped the boring but important work:
- per-IP login lockouts instead of a shared lockout path
- expiring auth tokens instead of tokens that live forever
- `Secure` auth cookies when Open Relay is behind TLS
- bounded IPC line reads so a malicious local client cannot grow memory forever
- tighter local socket permissions and stricter trust around forwarded IP headers
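
A sketch of the bounded IPC line read from the list above, as an added example that is not Open Relay's own code. The class name, the size limits and the sample request line are assumptions made for illustration.

```python
import socket

class LineTooLong(Exception):
    """Peer sent more than max_line bytes without a newline."""

class BoundedLineReader:
    # Hypothetical helper: newline-delimited IPC reads with a hard per-line cap.
    def __init__(self, sock, max_line=64 * 1024, chunk=4096):  # assumed limits
        self.sock, self.max_line, self.chunk = sock, max_line, chunk
        self.buf = bytearray()

    def read_line(self):
        """Return the next line (no newline), or None on clean EOF."""
        while True:
            nl = self.buf.find(b"\n")
            if nl > self.max_line or (nl == -1 and len(self.buf) > self.max_line):
                raise LineTooLong(f"line exceeds {self.max_line} bytes")
            if nl != -1:
                line = bytes(self.buf[:nl])
                del self.buf[:nl + 1]
                return line
            data = self.sock.recv(self.chunk)  # buffer never exceeds max_line + chunk
            if not data:
                if self.buf:
                    raise ConnectionError("peer closed mid-line")
                return None
            self.buf += data

def demo():
    # Constructed input: one valid request, then an unterminated 200-byte flood.
    client, server = socket.socketpair()
    client.sendall(b'{"op":"ping"}\n' + b"A" * 200)
    client.close()
    reader = BoundedLineReader(server, max_line=64, chunk=16)
    first = reader.read_line()
    try:
        reader.read_line()
        rejected = False
    except LineTooLong:
        rejected = True  # caller should drop the connection here
    peak = len(reader.buf)
    server.close()
    return first, rejected, peak

if __name__ == "__main__":
    print(demo())
```

The reader rejects the flood after buffering at most `max_line + chunk` bytes, where an unbounded `readline()` would keep allocating until the peer stopped sending.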
That is the kind of work I want around a session supervisor.
Open Relay / oly exists to treat long-running CLI and agent sessions like manageable services: start once, detach, inspect logs later, send input only when needed, and reattach when you want full control.
If I am asking people to trust that supervision layer, I need to keep hardening the defaults as seriously as I add features.