OpenReader

v3.0.0 Breaking

This release includes 3 breaking changes for platform teams planning a safe upgrade.

Published 20d Developer Productivity

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

deepinfra-api document epub epub-reader epubjs gpt-4o-mini-tts

+14 more

kitten-tts kokoro-tts markdown-reader open-ai open-ai-tts openai-api orpheus-tts pdf pdf-reader replicate-ai replicate-api text-to-speech tts txt-files

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Moderate signal

editorial:auto 9d

The v3.0.0 release removes three environment variables and notes that rotating AUTH_SECRET invalidates stored TTS provider credentials.

Why it matters: Rotating AUTH_SECRET (severity 80) immediately revokes all saved admin‑provider API keys; re‑enter them post‑rotation to maintain service access.

Summary

AI summary

API_KEY, API_BASE, and NEXT_PUBLIC_DEFAULT_TTS_MODEL env vars are removed; rotating AUTH_SECRET invalidates stored TTS provider credentials.

Changes in this release

Type	Severity	Summary	CVE
Security	High	Rotating `AUTH_SECRET` invalidates stored admin provider API keys; re‑enter them after rotation. Rotating `AUTH_SECRET` invalidates stored admin provider API keys; re‑enter them after rotation. Source: granite4.1:30b@2026-05-22-audit Confidence: high	—
Feature
Feature	Medium	Admin panel added with Shared TTS Providers and Site Features sub-sections. Admin panel added with Shared TTS Providers and Site Features sub-sections. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	TTS audio stored per-segment in S3, persisting across restarts and sessions. TTS audio stored per-segment in S3, persisting across restarts and sessions. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Segments sidebar in reader shows synthesis status for the current document. Segments sidebar in reader shows synthesis status for the current document. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Per-document TTS tuning controls added: segment preload depth, lookahead per page, max block length. Per-document TTS tuning controls added: segment preload depth, lookahead per page, max block length. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Runtime site config moved from env vars to Admin panel; changes apply on next page load. Runtime site config moved from env vars to Admin panel; changes apply on next page load. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	New Changelog tab in Settings pulls in release notes and auto-opens after an upgrade. New Changelog tab in Settings pulls in release notes and auto-opens after an upgrade. Source: llm_adapter@2026-05-21 Confidence: high	—
Deprecation	Medium	`NEXT_PUBLIC_DEFAULT_TTS_MODEL` environment variable is removed; set defaults per provider in Admin panel. `NEXT_PUBLIC_DEFAULT_TTS_MODEL` environment variable is removed; set defaults per provider in Admin panel. Source: granite4.1:30b@2026-05-22-audit Confidence: high	—
Bugfix
Bugfix	Medium	Fixed stale TTS playback issue after pausing and resuming. Fixed stale TTS playback issue after pausing and resuming. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Skeleton loading placeholders replace spinner text across library and settings panels. Skeleton loading placeholders replace spinner text across library and settings panels. Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Various TTS pause, segment grouping, and locator fixes implemented. Various TTS pause, segment grouping, and locator fixes implemented. Source: llm_adapter@2026-05-21 Confidence: low	—
Refactor	Low	`API_KEY` / `API_BASE` now seed a default shared provider only on first boot; env vars can be removed afterward. `API_KEY` / `API_BASE` now seed a default shared provider only on first boot; env vars can be removed afterward. Source: granite4.1:30b@2026-05-22-audit Confidence: high	—

Full changelog

✨ What's New

🔐 Admin Panel

New Admin tab in Settings (for users in ADMIN_EMAILS) with two sub-sections:
- Shared TTS Providers: set up server-managed TTS providers with encrypted API keys. Users select them by name; credentials never leave the server.
- Site Features: toggle features and change defaults live, without redeploying (user signups, API key restrictions, word highlight, audiobook export, and more).

🔊 Persistent TTS Segment Storage

TTS audio is now synthesized and stored per-segment in S3, persisting across restarts and sessions. Previously, only a short-lived in-memory cache existed between the server and the upstream provider.
Re-opening a document picks up from stored segments instead of re-synthesizing from scratch.
Segments warm-cache before playback begins and retry automatically on error.
New Segments sidebar in the reader shows synthesis status for the current document.

🎛️ Per-Document TTS Tuning

New Segment and queue behavior controls in Document Settings let you tune how aggressively TTS prepares ahead:
- Segment preload depth — how many upcoming pages/locations to queue.
- Segment lookahead per page — how many segments to prepare per queued page or section.
- Max block length — max characters per TTS segment block, useful for tuning chunk size with different providers.

⚙️ Runtime Site Config

Site-wide settings (signups, provider defaults, feature flags) are now managed from the Admin panel instead of env vars. Changes apply on the next page load with no redeploy needed.

📋 Changelog Panel

New Changelog tab in Settings pulls in release notes and auto-opens after an upgrade.

🐛 Bug Fixes & Polish

Fixed stale TTS playback after pausing and resuming.
Skeleton loading placeholders replace spinner text across library and settings panels.
Various TTS pause, segment grouping, and locator fixes.

⚠️ Upgrading from v2.2.0

Just pull the new image and restart. A few things to be aware of:

API_KEY / API_BASE are only read once on first boot to seed a default-openai shared provider. After upgrading, confirm it appears in Settings > Admin > Shared providers, then you can remove the env vars.
NEXT_PUBLIC_DEFAULT_TTS_MODEL is removed. Set a default model per provider in the Admin panel instead.
Rotating AUTH_SECRET will invalidate stored admin provider API keys. Re-enter them in the Admin panel afterward.

Full Changelog: https://github.com/richardr1126/openreader/compare/v2.2.0...v3.0.0

Breaking Changes

Removed env vars `API_KEY` and `API_BASE`; they are now seeded only on first boot for a default OpenAI provider and must be managed in Settings > Admin > Shared providers.
Removed env var `NEXT_PUBLIC_DEFAULT_TTS_MODEL`; default TTS model per provider is set via the Admin panel.
Rotating `AUTH_SECRET` invalidates stored admin provider API keys; they must be re‑entered after rotation.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track OpenReader

Get notified when new releases ship.

About OpenReader

EPUB, PDF, DOCX, MD, and TXT file text to speech document reader. Read documents in realtime with high-quality TTS; or extract audiobooks.

All releases →

Related context

Related tools

Earlier breaking changes

v4.0.0 Legacy `/api/whisper` path and old `whisper.cpp` integration removed from active runtime.
v4.0.0 Auth is now required; set BASE_URL and AUTH_SECRET before starting v4.