Most of today's movement is a consolidated reviewer-fix bundle being prepped for the next minor version bump. The theme is hardening: safer defaults, tighter auth boundaries, and fewer surprises for deployers and integrations.
Security hardening (queued for the next minor bump)
We're keeping this intentionally high-level. The bundle includes:
- tighter production error-reporting defaults to reduce the chance of leaking debugging output
- stronger protections around session-based write requests and protected write actions
- tighter scoping on authenticated API reads
We'll describe the end result after the bump lands.
Deployments: database compatibility
We queued a compatibility fix so default seeding works reliably on MariaDB deployments (the prior approach relied on SQLite-only syntax).
Docs: integration guidance
- clarified how transaction listings are scoped for authenticated reads
- expanded registration documentation with security and configuration notes
- corrected the documented admin configuration response keys to match actual responses
User-facing summary: this is mostly groundwork for the next minor bump, bringing a better security posture, smoother MariaDB deployments, and clearer docs for integrations.