What's Changed
- fix(api): enforce scoped API key permissions by @tinsever in #1374
- fix(auth): enforce disabled local login by @tinsever in #1375
- fix(editor): reject active embed URL schemes by @tinsever in #1376
- fix(gitea): restrict webhook secret access by @tinsever in #1377
- fix(gitea): bind webhooks to signed integration by @tinsever in #1378
- fix(mcp): require explicit OAuth consent by @tinsever in #1372
- fix(assets): prevent active content execution by @tinsever in #1373
- fix(labels): enforce task workspace boundary by @tinsever in #1380
- fix(mcp): validate registered redirect URIs by @tinsever in #1381
- docs(security): remove public default MinIO credentials by @tinsever in #1382
- fix(api): prioritize project workspace lookup by @tinsever in #1383
- fix(tasks): prevent cross-workspace moves by @tinsever in #1384
- fix(tasks): prevent cross-workspace relations by @tinsever in #1385
- fix(auth): protect invitation acceptance from unverified accounts by @tinsever in #1386
- fix(auth): require verified email for account linking by @tinsever in #1387
- fix(comments): unify API and activity storage by @tinsever in #1389
- fix(auth): restore guest sign-in access by @tinsever in #1391
- feat: standardize avatar fallback initials by @yigit-serin in #1401
New Contributors
- @yigit-serin made their first contribution in #1401
Full Changelog: v2.9.1...v2.9.2