hydro13 · hydro13 · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026
@@ -2,6 +2,10 @@
 
 All notable changes to Tandem Browser will be documented in this file.
 
+## [v0.62.14] - 2026-03-17
+
+- fix: use assertPathWithinRoot return value so CodeQL traces the safe path
+
 ## [v0.62.13] - 2026-03-17
 
 - fix: restrict sync root paths to user home directory (security)

@@ -1,6 +1,6 @@
 {
   "name": "tandem-browser",
-  "version": "0.62.13",
+  "version": "0.62.14",
   "description": "First-party OpenClaw companion browser for human-AI collaboration with built-in security controls",
   "main": "dist/main.js",
   "author": "Tandem Browser contributors",

@@ -114,7 +114,7 @@
   <div class="title"><span class="t">T</span><span class="rest">andem</span></div>
   <div class="subtitle">First-Party OpenClaw Companion Browser</div>
   <div class="status-badge">Developer Preview</div>
-  <div class="version" id="version">v0.62.13</div>
+  <div class="version" id="version">v0.62.14</div>
   <div class="info">
     Built specifically for human-AI collaboration with OpenClaw.<br>
     Maintained in the same ecosystem as OpenClaw, with security and local control built in.

@@ -159,8 +159,7 @@ export function normalizeExistingDirectoryPath(value: string, label: string): st
     throw new Error(`${label} is required`);
   }
 
-  const resolved = path.resolve(trimmed);
-  assertPathWithinRoot(os.homedir(), resolved);
+  const resolved = assertPathWithinRoot(os.homedir(), path.resolve(trimmed));
   const stat = fs.statSync(resolved);
   if (!stat.isDirectory()) {
     throw new Error(`${label} must be a directory`);