v0.0.73
Released Jul 14, 2026
All releases
Release Notes
Hosted MCP grows up: sessions renew themselves instead of expiring, connecting shows exactly what you're granting, and agents get a direct feedback channel. Plus a friendlier installer and a stack of cloud reliability fixes.
Added
- Hosted MCP sessions no longer expire out from under you. Connecting over OAuth now issues rotating refresh tokens, so a session renews itself silently instead of going stale and demanding a browser re-consent every 30 days. Any replay of an already-used refresh token revokes the whole session family on the spot.
- The MCP consent screen shows exactly what you're granting. Approving a client now lists each permission (run audits, view credits, create API keys) with individual toggles, and the required read access is clearly marked. A client that asks for nothing specific no longer receives a full-access grant by default.
- Agents can send feedback mid-session. A new
send_feedbackMCP tool takes a category and a message, optionally tied to a run or website, so an agent can report confusing output or missing data the moment it hits it. Works with read-only credentials. - The terminal report now leads with the big picture.
squirrel auditoutput opens with the four top-level group scores as a bar breakdown, and categories are ordered most-severe-first, matching the other report formats. - A friendlier install. The install script greets you with the CLI's own banner and finishes with a numbered get-started guide: first audit, agent skills, cloud login, plus shell completion and
squirrel self doctorhints. - Failed installs can now tell us why. The install scripts report a failure's platform, step, and a sanitized error line (paths scrubbed, nothing personal) so broken installs get fixed fast. Reporting never blocks or slows an install, and setting
NO_TELEMETRYdisables it, same as the CLI.
Fixed
- A cloud audit that wedges mid-run is now failed at its own deadline and refunded. Stuck running audits were previously reaped by a blanket 75-minute backstop; each run is now judged against its own configured budget, fails promptly with an honest message, and refunds automatically whichever path notices first.
- Quick audits stay quick. The post-crawl phase (site metadata, technology detection) now respects the audit's overall time budget instead of adding up to four unbounded minutes to a fast crawl.
- Rendered audits no longer lose cookies. A header-handling bug made cloud rendering drop every cookie a site set, breaking pages behind cookie-dependent front-ends and blinding the cookie security rules. All Set-Cookie headers now survive the full render path.
- CLI settings writes are now atomic. A crash or full disk mid-write can no longer corrupt
settings.json; settings are written with owner-only permissions, and a permission problem reading credentials is reported loudly instead of being treated as logged out. - Crawls cut short now say so. A crawl interrupted by the time backstop gets a distinct "stopped" status: its collected pages are still analyzable, and
squirrel reportexplains the crawl stopped before finishing instead of leaving an ambiguous state. - Max pages per audit now follows your plan on every path. A couple of API paths could start an audit above the plan's page ceiling or estimate below it; dispatch and pricing now clamp consistently, and a stored setting above your plan's ceiling is honored at the ceiling.
- Publishing a report with an extremely long list of findings on a single check no longer fails the audit; oversized lists are trimmed safely with a note, keeping the rest of the report intact.
- Toggling a website's badge on and off in quick succession now always lands on the state you chose, even when the clicks race.
- When an audit fails because the CLI that started it disconnected, the failure message now says exactly that instead of a generic infrastructure error.
Update to this version
squirrelscan will auto-update, or run this command to update now:
$