✨ Minor Changes
- 039afbe: Duplicate an agent in one click — hover any agent card on the Workspace to reveal a menu with Duplicate and Delete, or use the new "Duplicate agent" button on the Settings page. Creates a new agent with a fresh API key and carries over every provider credential, custom provider, tier override, and specificity override. Messages, logs, and notification rules stay with the original.
🐛 Patch Changes
-
5110901: Polish routing page copy and UX: rewrite tier descriptions, standardize casing and pluralization, always show the "How routing works" help button, toggle tiers by clicking the manage-modal row, and add a pen icon on custom tier cards to open the edit modal directly.
-
91a7467: Low-risk cleanups from the 2026-04-23 OWASP audit that cause no behaviour change for operators or users:
- Scope agent rename cascades by
tenant_idonagent_messages/notification_rules/notification_logs. Forward-only fix — no backfill — so any pre-existing row that was mislabelled when slugs collided across tenants stays as-is; new renames no longer touch other tenants' data. - Replace
ApiKeyGuard.safeComparewithBuffer.from+ length-check +timingSafeEqual. Same observable behaviour; cleaner canonical pattern. - Add a snapshot test for
ThresholdAlertEmailagainst hostile agent names (angle brackets, attribute-context quote payloads) — verifies React's existing escaping, no runtime change. npm audit fixfor the moderate@nestjs/coreadvisory (11.1.17 → 11.1.19).
All other findings from the audit are deferred — they required breaking changes or operator action and live in a separate tracking issue.
- Scope agent rename cascades by