Skip to content

GlycemicGPT

v0.2.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 2mo Developer Productivity
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Affected surfaces

auth rbac

Summary

AI summary

Session-scoped OTP cooldowns close an abuse vector and usage alerts warn owners before billing caps hit.

Full changelog

0.2.0 (2026-04-04)

✨ Features

  • add AGP chart, CGM stats, insulin summary, and bolus table to mobile home screen (#346) (fe29abe)
  • add automated DAST and auth flow penetration testing (story 28.11) (#314) (6d97912)
  • add custom alert sounds and silent mode override (#278) (481f9a1)
  • add funding infrastructure - GitHub Sponsors + Open Collective (Epic 41) (#406) (892ab22)
  • add navigation scaffold and detail page architecture for hub-and-spoke dashboard (#344) (348034a)
  • ai: AI Research Pipeline with configurable sources (Story 35.12) (#390) (6a72bb9)
  • ai: conversation memory for multi-turn AI chat (Story 35.3) (#388) (9f279c3)
  • ai: enrich all AI analysis prompts with pump profile context (Story 35.1) (#387) (2761091)
  • ai: Knowledge Base viewer with document list, preview, and management (Story 35.10) (#391) (2c25fc0)
  • ai: RAG infrastructure with pgvector, fastembed, and clinical knowledge (Story 35.9) (#389) (9669f6e)
  • chart tooltip, mode-colored basal, zoom/pan/brush, and 3-way bolus categorization (#338) (140b24d)
  • chat: add text-to-speech for AI responses on phone and watch (#381) (5cf4cc3)
  • chat: TTS voice picker with watch sync (#385) (b3a2f16)
  • ci: automated sync-main-to-develop after promotions (#445) (dac1e5f)
  • ci: ProxmoxVE-style changelog with emojis, sub-categories, and releases (#459) (9a5d09f)
  • data: initial pump history sync for fresh installs (#384) (da08451)
  • Epic 26 -- runtime plugin loading via DexClassLoader (#297) (0606010)
  • Epic 28 security hardening (stories 28.1-28.10) (#310) (83c75ac)
  • Epic 29 -- app icons and branding (#323) (8617aa3)
  • full-platform visual polish with light/dark theme support (#355) (cc2de0e)
  • GitHub org migration - secrets, references, and slogan (Epic 41) (#403) (4196658)
  • mobile: 5-bucket TIR display and CGM stats with active % (#354) (10252a5)
  • mobile: phone-side Watch Face Push via ChannelClient (#360) (9b57cec)
  • mobile: remove AGP chart, add retention-aware period options (#353) (2ceb8ab)
  • mobile: Settings > Watch full management UI (Story 32.4) (#361) (f7a9b32)
  • navigation scaffold and tap-to-expand landscape chart detail (#345) (1a94f0d)
  • org teams, team-based CODEOWNERS, and governance overhaul (Epic 41) (#404) (41d8f2d)
  • Phase 2+3 -- Gradle module split and backend-synced safety limits (#282) (39ed772)
  • Phase 4 -- General-purpose plugin platform architecture (#289) (b36d392)
  • Phase 6 -- Backend treatment safety scaffolding (#291) (6625f5f)
  • plugin-aware bolus category system with editable labels (#351) (74f6fc4)
  • production security gates, dependency scanning, and documentation (#316) (cefdb21)
  • security: API security hardening with IDOR, SSRF, and rate limiting tests (Story 35.11a) (#392) (6ce30e5)
  • security: auto-create GitHub Issues from security findings (Story 40.1) (#393) (8b103e0)
  • security: full suite issue lifecycle management (Story 40.2 + 40.3) (#398) (ec85fc2)
  • security: PR auto-close, tool-aware guards, source-pr updates (Story 40.2) (#400) (0d7d3d7)
  • security: track info-level findings, fix OpenAPI schema bug (#425) (02738b5)
  • security: unauthenticated ZAP scanning + promotion PR cleanup fix (#410) (ad3be18)
  • Stories 30.1 + 30.2 -- aggregate stats API & extended time periods (#324) (941c6ec)
  • Story 28.7 -- device binding & API security foundation (#322) (e3b18ff)
  • Story 30.3 -- CGM Summary Stats Panel (#325) (2eb0019)
  • Story 30.5 -- AGP percentile band glucose chart (#330) (41bc57a)
  • Story 30.7 -- Insulin Summary and Bolus Review dashboard panels (#332) (e52dd66)
  • universal Tandem plugin + auth persistence fix (#309) (1b4e8e9)
  • universal Tandem plugin with BLE protocol naming and Mobi support (#308) (3c2d3fd)
  • wear: create wear-device module with watch-side services (#358) (1bd7c3d)
  • wear: feature toggle sync phone -> watch via DataClient (Story 32.5) (#363) (44a837f)
  • wear: watch APK self-update via phone app (Story 32.12) (#374) (99598c9)
  • wear: watch face buttons, interactive graph, voice chat, and chat relay fix (#380) (c90e84b)
  • wear: watch face graph rendering, variant cleanup, and complication binding fix (#377) (c29289f)
  • wear: Watch Face Push API integration (watch side) (#359) (9bc583e)
  • wear: watch-to-phone AI chat and alert dismiss (Story 32.8) (#365) (79f0321)
  • web: clinical report, dashboard scroll fix, print CSS rearchitecture (#357) (ac88083)
  • wire all bots, label-based changelog, governance alignment (Epic 41) (#405) (0e2995a)

🐛 Bug Fixes

  • address CodeRabbit findings from Epic 29 icon generation (#326) (fbe76d4)
  • alerts: eliminate SSE reconnect storm in AlertStreamService (#382) (aa6585e)
  • chat: upgrade WearChatRelayService to foreground service (#383) (05f4d07)
  • ci: changelog CodeRabbit findings - tag collision, timezone, database scope (#463) (9c40c03)
  • ci: complete bot whitelist, update attribution messaging and docs (#440) (15958fd)
  • ci: fix changelog bot author check, document squash promotion fallback (#449) (549b152)
  • correct basal rate aggregation in insulin summary (#336) (d1db948)
  • deduplicate insulin aggregation across sources and event types (#337) (1725b0a)
  • deps: update dependency androidx.datastore:datastore-preferences to v1.2.0 (#292) (6c3e0f1)
  • deps: update dependency androidx.datastore:datastore-preferences to v1.2.1 (#372) (ec4366d)
  • deps: update dependency androidx.hilt:hilt-compiler to v1.3.0 (#293) (b6c510f)
  • deps: update dependency androidx.security:security-crypto to v1.1.0 (#299) (88128de)
  • deps: update dependency androidx.sqlite:sqlite to v2.6.2 (#335) (6534ab3)
  • deps: update dependency androidx.test.espresso:espresso-core to v3.7.0 (#300) (d965275)
  • deps: update dependency androidx.test.ext:junit to v1.3.0 (#301) (11900a8)
  • deps: update dependency androidx.wear.watchface:watchface-complications-data-source-ktx to v1.3.0 (#339) (8c77bcd)
  • deps: update dependency androidx.work:work-runtime-ktx to v2.11.1 (#302) (789f85a)
  • deps: update dependency io.mockk:mockk to v1.14.9 (#304) (908316f)
  • deps: update dependency lucide-react to ^0.575.0 (#305) (127176b)
  • deps: update dependency lucide-react to ^0.577.0 (#350) (49971ad)
  • deps: update dependency org.bouncycastle:bcprov-jdk18on to v1.83 (#306) (02beeba)
  • deps: update kotlinx-coroutines monorepo to v1.10.2 (#312) (189398b)
  • deps: update retrofit monorepo to v2.12.0 (#348) (9f21c99)
  • deps: upgrade cryptography, ecdsa, path-to-regexp for CVE fixes (#401) (3e5af0c)
  • eliminate alert notification spam for sustained high glucose (#277) (2460d6d)
  • GHCR token, flaky tests, funding docs (Epic 41) (#407) (acc5696)
  • ignore false positive DEV_BUILD_NUMBER in Renovate (#295) (ef6e16e)
  • preserve mobile session on transient errors and request notification permission (#276) (efabe28)
  • security: fix nosemgrep placement for CORS and exported_activity (#424) (c0fc043)
  • security: suppress false positive exported_activity on launcher (Closes #399) (#409) (2188116)
  • Story 28.12 -- code quality audit (secure UUID, exception handling, resource leaks) (#321) (9ee53eb)
  • use shared debug keystore for CI dev builds (#296) (85a4a6e)
  • wear: battery optimization -- throttle updates, cache graph, TimeDifference (#386) (8e3e3b1)
  • wear: Watch Face Push validation token via DwfValidatorFactory (#370) (ae354ff)
  • wear: WFF APK validation, watch detection, and push pipeline fixes (#371) (c9bb38d)

📚 Documentation

  • add plugin architecture guide and medical disclaimer (Phase 5) (#290) (5fbe978)
  • align release-please language in branching strategy (#455) (ebddf35)
  • wear: update architecture docs and dev scripts for Epic 32 (#366) (548f29d)

♻️ Code Refactoring

  • consolidate TIR display -- upgrade bar to 5 buckets, remove donut (#328) (09891a6)
  • decouple pump activity modes from Control-IQ automation (#341) (8c4a3ab)
  • extract pump interfaces for plugin architecture (Phase 1) (#279) (6757400)
  • reorganize plugin directory structure (#303) (728bd30)
  • split mobile app into Gradle modules for plugin architecture (Phase 2) (#281) (5c250c0)
  • wear: remove legacy wear/ module, update all references to wear-device (#364) (c42e9cb)

🐳 Container Images

| Image | Tags |
|-------|------|
| ghcr.io/GlycemicGPT/glycemicgpt-api | 0.2.0, latest |
| ghcr.io/GlycemicGPT/glycemicgpt-web | 0.2.0, latest |
| ghcr.io/GlycemicGPT/glycemicgpt-sidecar | 0.2.0, latest |

Pull commands:

docker pull ghcr.io/GlycemicGPT/glycemicgpt-api:0.2.0
docker pull ghcr.io/GlycemicGPT/glycemicgpt-web:0.2.0
docker pull ghcr.io/GlycemicGPT/glycemicgpt-sidecar:0.2.0

Security Fixes

  • Authflow cooldowns now session-scoped — closes abuse vector where users changed phone/email mid-flow to reset OTP cooldowns
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track GlycemicGPT

Get notified when new releases ship.

Sign up free

About GlycemicGPT

All releases →

Related context

Earlier breaking changes

  • v0.7.0 Changes CI release-body extraction to single-shot without historical bleed

Beta — feedback welcome: [email protected]