Open Chat Updates

Production builds for the web app now consistently use the correct backend endpoint, reducing the risk of shipping a build that points to the wrong environment. This helps ensure the production site connects to the intended service automatically, leading to fewer deployment-time surprises and more predictable releases.

Preview environments are now cleaned up more reliably when a pull request is closed. This reduces the chance of leftover previews sticking around after work is merged or closed, keeping your project tidier with less manual follow-up.

Preview deployments are now more dependable by ensuring the web preview consistently connects to the correct backend. Preview authentication is also simplified to email and password only, reducing setup friction and avoiding sign-in flows that are not supported in preview environments.

Preview environments now rely on Vercel’s native preview deployments instead of Railway. This makes preview links and cleanup behavior align with Vercel, so it’s clearer where to find the frontend preview and what gets automatically removed when a PR is closed.

The web app’s frontend deployment has been moved to Vercel. This helps ensure the app builds and runs correctly in Vercel’s environment, making deployments more reliable for users accessing the hosted site.

Local development now supports running the web app at openchat.localhost:1355. This release also tightens local server binding and updates allowed dev origins so your browser can connect cleanly during local testing.

This release tightens account security by requiring verified emails for email sign-ups and for migration-based account linking. It also reduces the chance of chat data lingering on shared devices by moving drafts and stream state to session-only storage and clearing sensitive session data on sign-out. Rate limiting is now harder to bypass when proxy headers are involved.

This release tightens security around the web app by verifying third party scripts before they run and reducing how long chat list metadata is stored in the browser. It also adds safer cleanup and workflow endpoints with stricter validation, helping protect against accidental or unauthorized bulk actions.

This release tightens security around file attachments and trusted requests. Attachment links are now only generated for files you own, and localhost is no longer treated as a trusted origin in production, reducing the risk of unauthorized access and CSRF-like attacks.

This release tightens privacy and security across the app. Analytics pageviews now exclude sensitive URL parameters, user lookups no longer return encrypted credentials to clients, and third party scripts are verified with integrity checks to reduce supply chain risk.