Safer chat caching and scripts

Security Frontend Backend

This release focuses on reducing exposure to common web security risks while keeping day-to-day usage smooth.

Security updates

Third-party scripts are now loaded with Subresource Integrity and crossOrigin protections, so the browser can verify the script contents before executing them. This helps mitigate supply chain tampering risks for externally hosted scripts.
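How that browser check behaves, as an added example (not openchat's own code): a Node.js sketch that generates an `integrity` value and mirrors the SRI matching rules, including the case where no recognized hash is listed and nothing is enforced. The function names and the sample script bytes are constructed for illustration.

```javascript
// Added example: SRI generation and matching, Node.js standard library only.
const { createHash } = require("node:crypto");

// SRI recognizes sha256, sha384 and sha512. When several are listed,
// only the strongest algorithm present is checked.
const STRENGTH = new Map([["sha256", 1], ["sha384", 2], ["sha512", 3]]);

// Value for the integrity attribute of a <script> tag.
function sriHash(body, algo = "sha384") {
  return `${algo}-${createHash(algo).update(body).digest("base64")}`;
}

// Tag as it would be emitted. crossorigin is required so the browser can
// read a cross-origin response in order to hash it. src is a trusted constant.
function scriptTag(src, body) {
  return `<script src="${src}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

// Split an integrity attribute into {algo, digest}, dropping unknown tokens.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).map((tok) => {
    const i = tok.indexOf("-");
    return { algo: tok.slice(0, Math.max(i, 0)), digest: tok.slice(i + 1).split("?")[0] };
  }).filter((m) => STRENGTH.has(m.algo) && m.digest.length > 0);
}

// Mirrors the browser decision: true means the script would be executed.
function verifySri(body, attr) {
  const metas = parseIntegrity(attr);
  // Caveat: with no recognized hash (typo, sha1, md5) nothing is enforced.
  if (metas.length === 0) return true;
  const top = Math.max(...metas.map((m) => STRENGTH.get(m.algo)));
  return metas
    .filter((m) => STRENGTH.get(m.algo) === top)
    .some((m) => sriHash(body, m.algo) === `${m.algo}-${m.digest}`);
}

// Constructed sample: the file as pinned at build time, and a modified copy.
const original = Buffer.from("window.widget = () => 'ok';\n");
const tampered = Buffer.from("window.widget = () => 'changed';\n");

function demo() {
  const pinned = sriHash(original);
  return { tag: scriptTag("https://cdn.example/widget.js", original),
           originalRuns: verifySri(original, pinned),
           tamperedRuns: verifySri(tampered, pinned) };
}
```

A build step can reuse `parseIntegrity` to fail when an attribute contains no recognized hash, since the browser would otherwise load that script unchecked.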

The chat list cache in the sidebar now uses sessionStorage instead of localStorage, and only stores the minimal fields needed to render the list. This reduces how long chat metadata persists on a device and lowers the impact if a browser session is ever compromised.

Workflows and API changes

Chat model discovery now goes through a dedicated /api/models endpoint instead of calling the upstream models API directly from the client. This adds caching and rate limiting to help keep the models list more reliable under load.

Several long-running actions have been moved to workflow-backed endpoints, including chat title generation, chat export, and account deletion. These endpoints include additional validation and rate limiting to help prevent abuse and make bulk operations safer to run.

Data cleanup now has an explicit batch endpoint with authorization checks and strict bounds for retention and batch sizes. This reduces the risk of accidentally oversized deletions while keeping routine cleanup predictable.