What's New
🔒 Security
- Fixed axios supply chain vulnerability — audited CI deps, patched Anthropic SDK CVE
- Addressed secret-handling review feedback across CI pipeline
🐛 Bug Fixes
- Magic link login on HTTPS: Middleware now correctly uses __Secure- cookie prefix on HTTPS, fixing magic link auth on production deployments behind TLS
- Profile name update: Name changes in Settings now persist correctly after page reload — JWT callback always reads fresh name from DB
- Impersonation banner: Shows immediately without requiring a page refresh; visible in dark mode
- Self-settlement blocked: Users can no longer settle a debt with themselves
- Archived group mutations blocked: Cannot create expenses or settlements on archived groups
- Group not found UX: Shows a styled empty state instead of a blank page
- Email fallback: Shows email when user name is not set
✨ Features
- GitHub Sponsors banner in sidebar for supporting development
- Admin: expired guest split cleanup — purge stale guest splits from the admin dashboard
- JWT middleware validation — forged/malformed JWTs are properly rejected
- Mock AI provider for CI testing without real API keys
- Registration control — admin can set open/invite-only/closed registration modes
⚡ Performance
- E2E test parallelization: Tests run in ~5 min (down from ~9 min) using serial/parallel project split
📝 Docs & Community
- Added CONTRIBUTING.md, SECURITY.md, CODE_OF_CONDUCT.md
- Added GitHub issue/PR templates and FUNDING.yml
- Pre-public cleanup: removed stale scripts, workspace files, and dev artifacts
📦 Dependencies
- Upgraded @rynfar/meridian to 1.26.6
Full Changelog: v0.3.0...v0.3.1