This release focuses on faster navigation and safer account and request handling. You can now sign in with email, tailor keyboard shortcuts to your workflow, and rely on stronger protections behind the scenes.
New capabilities
Email and password authentication is now available alongside existing OAuth options. You can sign in or create an account directly from the sign-in page, without needing a redirect flow.
Global keyboard shortcuts are now built into the web app. You can open a shortcuts dialog with Cmd+/, search by action, and remap bindings in Settings so the app matches your preferred keys.
Prompt drafts are now saved per chat and restored automatically if you navigate away or reload. Drafts clear on send and expire after a period of inactivity to keep things tidy.
On preview deployments, the hosted cloud option is now unavailable to prevent confusing dead-ends. The UI clearly guides you toward using your own provider connection instead.
UI updates and fixes
Chat navigation is smoother when switching between conversations. Revisiting a chat no longer replays trailing text, and the reasoning panel state is preserved without flicker.
AI responses stream more naturally with adaptive smooth text rendering, and message rendering avoids jarring load-in animations. Lists also display with clearer indentation and bullet styling for easier reading.
Code blocks in AI messages have been refreshed for readability. They now render with syntax highlighting and more copy-friendly actions, with fewer visual glitches during streaming.
Sidebar multi-select behavior is more predictable. Clicking a chat while selections exist now toggles that chat’s selection instead of clearing everything, and shift-click selection has a more reliable anchor.
Security and privacy
Request protections have been tightened to better prevent cross-site request attacks. State-changing requests now require a valid origin, including rejecting null origins and treating missing origins as invalid.
Rate limiting no longer trusts spoofable client IP headers by default. This reduces the risk of attackers bypassing throttling by forging forwarded IP information.
Sensitive provider connection data is no longer stored client-side. Instead, the app checks status without exposing the underlying secret, reducing the impact of client-side compromise.
Trusted origin handling is now more restrictive, using exact matches rather than wildcard patterns. This helps prevent other apps on shared domains from being treated as trusted.
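The origin rules described in this section (valid origin required, null and missing origins rejected, exact matches instead of wildcards) can be sketched as follows. This is an added example, not the project's own code: the function names, the trusted origin, and the treatment of GET/HEAD/OPTIONS as non-state-changing are assumptions.

```javascript
// Added example; names and origins below are constructed, not from the project.
const TRUSTED_ORIGINS = new Set(["https://app.shared-host.example"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]); // assumed non-state-changing

// Returns the origin if the header is a well-formed serialized origin, else null.
function parseOrigin(header) {
  if (typeof header !== "string" || header === "" || header === "null") return null;
  let url;
  try {
    url = new URL(header);
  } catch {
    return null;
  }
  // A real Origin header has no path, query, userinfo, or default port.
  return url.origin === header ? url.origin : null;
}

// Exact-match policy: missing, null, malformed, or unlisted origins are rejected.
function isRequestAllowed(method, originHeader) {
  if (SAFE_METHODS.has(method.toUpperCase())) return true;
  const origin = parseOrigin(originHeader);
  return origin !== null && TRUSTED_ORIGINS.has(origin);
}

// Wildcard policy shown only for contrast: any sibling subdomain is trusted.
function wildcardAllows(pattern, originHeader) {
  const origin = parseOrigin(originHeader);
  if (origin === null) return false;
  const [scheme, hostPattern] = pattern.split("://");
  const url = new URL(origin);
  if (url.protocol !== scheme + ":") return false;
  const suffix = hostPattern.replace(/^\*/, ""); // "*.x" -> ".x"
  return url.hostname.endsWith(suffix);
}

// Constructed sample requests: [method, Origin header value].
const samples = [
  ["POST", "https://app.shared-host.example"],
  ["POST", "https://other-tenant.shared-host.example"],
  ["POST", "null"],
  ["DELETE", undefined],
  ["GET", undefined],
];
for (const [method, origin] of samples) {
  console.log(method, String(origin), "->", isRequestAllowed(method, origin));
}
```

The second sample is the shared-domain case: the wildcard matcher accepts it, while the exact-match check does not.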
Documentation
The README has been refreshed with updated branding, clearer structure, and current links. This makes it easier to get started and follow self-hosting and deployment guidance.