From b3aaae5774525343d8bb4e4da8a7df10c0d3457e Mon Sep 17 00:00:00 2001
From: Robin Waslander
Date: Tue, 17 Mar 2026 12:32:01 +0100
Subject: [PATCH 1/2] fix: use assertPathWithinRoot return value so CodeQL traces the safe path
---
 src/utils/security.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/utils/security.ts b/src/utils/security.ts
index 0d959a3..6738b06 100644
--- a/src/utils/security.ts
+++ b/src/utils/security.ts
@@ -159,8 +159,7 @@ export function normalizeExistingDirectoryPath(value: string, label: string): st
 throw new Error(`${label} is required`);
 }
- const resolved = path.resolve(trimmed);
- assertPathWithinRoot(os.homedir(), resolved);
+ const resolved = assertPathWithinRoot(os.homedir(), path.resolve(trimmed));
 const stat = fs.statSync(resolved);
 if (!stat.isDirectory()) {
 throw new Error(`${label} must be a directory`);
From 268929aeb44708a581580067ff0089ded3c3a281 Mon Sep 17 00:00:00 2001
From: Robin Waslander
Date: Tue, 17 Mar 2026 12:32:01 +0100
Subject: [PATCH 2/2] chore: bump to v0.62.14
---
 CHANGELOG.md | 4 ++++
 package-lock.json | 4 ++--
 package.json | 2 +-
 shell/about.html | 2 +-
 4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cf74e92..ec123fc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 All notable changes to Tandem Browser will be documented in this file.
+## [v0.62.14] - 2026-03-17
+
+- fix: use assertPathWithinRoot return value so CodeQL traces the safe path
+
 ## [v0.62.13] - 2026-03-17
 - fix: restrict sync root paths to user home directory (security)
diff --git a/package-lock.json b/package-lock.json
index c37144e..652b66d 100644
--- a/package-lock.json
+++ b/package-lock.json
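Review bot: The root check on the new `const resolved = …` line guards the lexical result of `path.resolve`, which does not follow symlinks, while `fs.statSync(resolved)` on the next line does; if assertPathWithinRoot compares paths lexically (its body is not in this hunk), a directory under the home directory that is a symlink to a location outside it would pass the check and then be stat'ed at its outside target. Consider canonicalising both sides before the check, e.g. `const resolved = assertPathWithinRoot(fs.realpathSync(os.homedir()), fs.realpathSync(path.resolve(trimmed)));` — `realpathSync` throws for a nonexistent path, which fits this function's "existing directory" contract but moves that failure from the later stat call to here, so the error surfaced to callers may change. The rewrite is also only as sound as assertPathWithinRoot's return contract, so a short doc comment on that helper stating that it returns the validated absolute path unchanged would make this CodeQL-motivated change self-explanatory. normalizeExistingDirectoryPath begins before this hunk and its return statement lies after it.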
@@ -1,12 +1,12 @@
 {
 "name": "tandem-browser",
- "version": "0.62.13",
+ "version": "0.62.14",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "tandem-browser",
- "version": "0.62.13",
+ "version": "0.62.14",
 "hasInstallScript": true,
 "license": "MIT",
 "dependencies": {
diff --git a/package.json b/package.json
index da84966..028142e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "tandem-browser",
- "version": "0.62.13",
+ "version": "0.62.14",
 "description": "First-party OpenClaw companion browser for human-AI collaboration with built-in security controls",
 "main": "dist/main.js",
 "author": "Tandem Browser contributors",
diff --git a/shell/about.html b/shell/about.html
index 698b40c..0b35d2b 100644
--- a/shell/about.html
+++ b/shell/about.html
@@ -114,7 +114,7 @@
Tandem
First-Party OpenClaw Companion Browser
Developer Preview
-
v0.62.13
+
v0.62.14
Built specifically for human-AI collaboration with OpenClaw.
Maintained in the same ecosystem as OpenClaw, with security and local control built in.