Highlights
🔒 Security (from the #326 review by @elfrost)
- SSRF guard on the open-access PDF download path — third-party (Unpaywall/Semantic Scholar) URLs are validated against a public-host allowlist with per-redirect-hop re-checking (#327).
- Credential hygiene + DoS hardening — API key masked in setup output by default, `0o600` on credential files, `getpass`/env-var over `--api-key`, subprocess timeout for `pdfannots2json`, non-root Docker image (#328).
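
The per-redirect-hop re-checking named in the SSRF item, as an added example (not the project's code from #327). It assumes "public host" means every address the host resolves to is globally routable; `check_url`, `safe_fetch`, `MAX_HOPS` and the sample hosts are hypothetical names constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumed redirect limit, not taken from the project

class BlockedURL(ValueError):
    """Raised when a URL or redirect target fails validation."""

def resolve_host(host):
    """Default resolver: every address the name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_url(url, resolve=resolve_host):
    """Allow only http(s) URLs whose host resolves solely to public IPs."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise BlockedURL(f"scheme or host not allowed: {url}")
    addrs = resolve(parts.hostname)
    if not addrs:
        raise BlockedURL(f"{parts.hostname} did not resolve")
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            raise BlockedURL(f"{parts.hostname} resolves to non-public {addr}")

def safe_fetch(url, fetch, resolve=resolve_host):
    """Follow redirects by hand, validating every hop before requesting it.

    fetch(url) -> (status, location, body) must not follow redirects itself.
    """
    for _ in range(MAX_HOPS + 1):
        check_url(url, resolve)
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # relative Location headers are legal
            continue
        return url, body
    raise BlockedURL("too many redirects")

# Constructed sample data: a fake DNS table and two fake redirect chains.
FAKE_DNS = {"oa.example.org": {"93.184.216.34"}, "cdn.example.org": {"93.184.216.34"},
            "intranet.example.org": {"10.0.0.5"}}
GOOD = {"https://oa.example.org/p.pdf": (302, "https://cdn.example.org/p.pdf", b""),
        "https://cdn.example.org/p.pdf": (200, None, b"%PDF-1.7")}
BAD = {"https://oa.example.org/p.pdf": (302, "http://intranet.example.org/x", b"")}

def fake_resolve(host):
    return FAKE_DNS.get(host, set())

if __name__ == "__main__":
    print(safe_fetch("https://oa.example.org/p.pdf", GOOD.__getitem__, fake_resolve))
```

Validating by name and then letting the HTTP client resolve again leaves a window for the DNS answer to change, so a production client should connect to the address that was checked.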
✨ Features
- `zotero_get_page_layout` — figure/table region detection with caption association (#312).
- `zotero_add_by_bibtex` / `zotero_add_by_csl_json` — import from BibTeX or CSL JSON, preserving citation keys (#241).
- `zotero_read_pdf_pages` — read a specific page range after outline-based section ID.
- RSS feed items now include publication date (#316).
🛠 Fixes & deps
- Native `citationKey` lookup (#319), ChromaDB embedding-function registration (#315), bounded API lock (#311), arXiv-outage resilience (#310), WebDAV routing for `add_by_doi` (#314), `lastRead` strip on attachment updates (#318).
- Dependency floors: `pyzotero>=1.8.0` (#322), `chromadb>=1.0.0` (#324).
See CHANGELOG.md for the full list.