openchat openchat osschat

Safer analytics links and stronger protections

Security Analytics Backend

This release focuses on privacy and security hardening in a few key areas that affect how data is shared and validated.

Privacy and security updates

Pageview analytics now send a sanitized URL that strips sensitive query parameters. Only allowlisted marketing parameters, like UTMs and ref, are included, which helps prevent accidental capture of auth and OAuth values.
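An allowlist sanitizer of the kind described above, as an added example that is not OpenChat's own code. The exact parameter list, the function name, the `app.example.test` base and the choice to also drop the URL fragment and embedded credentials are assumptions; the fragment is dropped because OAuth implicit-flow responses carry tokens there.

```javascript
// Added example: allowlist-based URL sanitizer for pageview analytics.
// Assumption: the release notes only say "UTMs and ref"; this exact list is illustrative.
const ALLOWED_PARAMS = new Set([
  "utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content", "ref",
]);

// Hypothetical helper: returns a URL that is safe to report, or null if nothing should be sent.
function sanitizeAnalyticsUrl(rawUrl, base = "https://app.example.test") {
  let url;
  try {
    url = new URL(rawUrl, base); // resolves relative paths against the (assumed) app origin
  } catch {
    return null; // unparseable input: send nothing rather than the raw string
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;

  // Copy only allowlisted parameters. Anything not named is dropped, so new
  // secret-bearing parameters (code, state, token, ...) never need a blocklist entry.
  const kept = new URLSearchParams();
  for (const [name, value] of url.searchParams) {
    const key = name.toLowerCase();
    if (ALLOWED_PARAMS.has(key)) kept.append(key, value);
  }
  url.search = kept.toString();

  url.hash = "";     // fragments can hold access_token / id_token values
  url.username = ""; // strip credentials embedded as user:pass@host
  url.password = "";
  return url.toString();
}

// Constructed sample inputs (not taken from real traffic).
const SAMPLES = [
  "https://app.example.test/auth/callback?code=abc123&state=xyz&utm_source=newsletter&ref=hn#access_token=tok",
  "/chat/42?token=secret",
  "javascript:alert(1)",
];
for (const s of SAMPLES) console.log(sanitizeAnalyticsUrl(s));
```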

Client-facing user lookups were updated to avoid returning encrypted credentials. Responses now include a simple boolean indicator for whether a user has an OpenRouter key, while keeping encrypted fields out of public queries.

Third-party scripts loaded in the app now include Subresource Integrity and crossOrigin attributes. This helps ensure the browser only executes the expected script content and reduces exposure to tampered third-party assets.

Access control checks

The chat API now verifies chat ownership through Convex before returning chat data or initializing streaming state. This adds an authoritative permission check so users can only access chats they own.