v1.0.1

Security

• SSRF hardening (CodeQL alerts #6, #12, #22-#30): All fetch URLs are now built from hardcoded constants or server-side environment variables. User-supplied URLs are validated for shape only and never reach the network destination.
• Gemini API key moved out of URL: ?key=\ query parameter replaced with \x-goog-api-key\ header across /api/translate, /api/models, and /api/test-connection. This removes the only remaining tainted data flow into a fetch URL.

Mobile UX

• Settings page rebuilt for mobile: Full-screen layout with sticky header (logo + connection status) and horizontal-scrolling tab bar on small screens. Section spacing, hero card, API URL row, and Data-tab purge all stack and tighten at <md.
• Translator, About, History, Favorites: Padding, type scale, and filter bars tuned for mobile breakpoints.

Notes

• Local-provider custom ports now require \LM_STUDIO_API_URL\ / \OLLAMA_API_URL\ / \CUSTOM_API_URL\ environment variables. Default ports (\1234\ / \11434) still work without configuration.
• Docker builds are amd64-only (ARM64 + QEMU removed) for faster CI.

v1.0.0

Initial stable release.