Wizzo v0.44.1 Release Notes

Released Feb 11, 2026 · Public Beta

Highlights

  • Hardened production API exposure controls with verified post-deploy endpoint gating and payload redaction for sensitive diagnostics and migration routes.
  • Added security-focused production validation assertions so endpoint access-control regressions fail release validation before rollout sign-off.

Fixes

  • Hardened owner-scoped APIs by enforcing session-bound ownership checks across achievements, streaks, priorities, wins, trial/task mutations, and related rebuild/batch endpoints.
  • Locked down `/api/agentic/sessions` so sessions, confirmations, and retrieval are restricted to the authenticated owner instead of caller-supplied `ownerId`.
  • Hardened `/api/conversations` and `/api/conversations/[id]` by removing non-production dev-owner fallback auth and preserving proper 401/404 propagation on route errors.
  • Removed non-production owner fallback from `/api/chat`, keeping only explicit `E2E_BYPASS` behavior for test environments.
  • Secured `/api/goals/adjustments` with authenticated owner enforcement for both reads and writes.
  • Required migration secret validation for both migration execution and migration status endpoints (`/api/migrate`) across environments.
  • Reduced diagnostics exposure by limiting full health/monitoring details to internal token-authenticated probes.
  • Fixed `/api/migrate` error handling to preserve intended auth failures (`401`/`403`) instead of swallowing route errors into `500` responses.
  • Added pnpm overrides pinning `lodash` and `lodash-es` to `4.17.23`, updated the lockfile, and cleared the remaining `pnpm audit` findings.
  • Removed stale API backup/fixed route artifacts from `apps/web/src/app/api/**` to reduce accidental exposure and source drift.
  • Added `/api/conversations/[id]` API tests for unauthorized, not-found, ownership mismatch, and successful delete flows.
  • Added focused route tests for `/api/health`, `/api/test-monitoring`, and `/api/migrate`, and extended production validation to assert both public payload redaction and access control on sensitive endpoints.
  • Added a CI migration-prefix guard (`guard:migrations`) to block new duplicate Drizzle migration prefixes beyond the current legacy baseline.
  • Tightened GitHub bug intake by disabling blank issues and requiring reproducible build/version, payload, and telemetry details in the bug report template.
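The owner-scoped pattern the fixes above describe (owner taken from the session rather than a caller-supplied `ownerId`, no dev-owner fallback, and 401/404 propagated rather than collapsed into 500), shown as an added TypeScript example that is not Wizzo's own code: `HttpError`, the token map, the conversation rows and the handler's plain status/body return value are all constructed assumptions standing in for the real session store, database and framework response.

```typescript
// Added example, not Wizzo's code: a DELETE /api/conversations/[id]-style handler with
// session-bound ownership checks and 401/404 preserved. All names and data are constructed.

class HttpError extends Error {
  readonly status: number;
  constructor(status: number, message: string) { super(message); this.status = status; }
}

type Session = { userId: string };
type Conversation = { id: string; ownerId: string };

// Constructed stand-ins for the session store and the conversations table.
const sessionsByToken: Record<string, Session> = { "tok-alice": { userId: "alice" } };
const conversations: Conversation[] = [{ id: "c1", ownerId: "alice" }, { id: "c2", ownerId: "bob" }];

// The owner comes from the session token only: a caller-supplied ownerId in the body or
// query plays no part, and there is no dev-owner fallback for unauthenticated requests.
function requireSession(headers: Record<string, string>): Session {
  const token = headers["authorization"]?.replace(/^Bearer /, "");
  const session = token ? sessionsByToken[token] : undefined;
  if (!session) throw new HttpError(401, "unauthorized");
  return session;
}

// Existence and ownership are checked together; a mismatch is reported as 404 (this
// example's choice) so the route never confirms that another user's conversation exists.
function requireOwnedConversation(id: string, session: Session): Conversation {
  const row = conversations.find((c) => c.id === id);
  if (!row || row.ownerId !== session.userId) throw new HttpError(404, "not found");
  return row;
}

// Route-style handler returning a status/body pair rather than a framework Response.
function deleteConversation(headers: Record<string, string>, id: string): { status: number; body: unknown } {
  try {
    const session = requireSession(headers);
    const row = requireOwnedConversation(id, session);
    conversations.splice(conversations.indexOf(row), 1);
    return { status: 200, body: { deleted: row.id } };
  } catch (err) {
    // Intended auth/not-found failures keep their status; only unexpected errors become 500.
    if (err instanceof HttpError) return { status: err.status, body: { error: err.message } };
    return { status: 500, body: { error: "internal error" } };
  }
}
```

The four outcomes the new `/api/conversations/[id]` tests cover (unauthorized, not found, ownership mismatch, successful delete) map directly onto the four branches of `deleteConversation`.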

Known issues

  • _None yet_