<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* The GraphQL interactive UI is now available only in development
environments and will not be accessible in production. This change
affects only the availability of the interactive interface; public
exports and API context types remain unchanged. Users in development can
continue to use the tool as before, while production deployments will no
longer expose the interactive UI.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com>
Currently, it is only possible to disable all registrations. However, it
would be helpful if you could disable normal registration but enable
OAuth registration.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added a setting to enable/disable new user signups via OAuth (default:
enabled).
* Admin Settings (Authentication) now includes a toggle for OAuth
signups.
* OAuth signup flow now respects this setting, preventing new
registrations via OAuth when disabled.
* Self-hosted configuration schema updated to include the new option.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Signed-off-by: Hudint Finn Weigand <dev@hudint.de>
Co-authored-by: DarkSky <darksky2048@gmail.com>
Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com>
Add missing themed icon support for android app icon.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Android app icon now supports a monochrome variant for adaptive icons,
enabling themed icons on compatible launchers.
* Improved icon consistency and visibility across system themes
(including dark mode).
* Applied to both standard and round launcher icons.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixed spacing issue in AI partner description.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Documentation**
* Improved readability by fixing a minor punctuation/spacing issue in
the project’s introductory text (added a space after a comma).
* Polished wording to better reflect professional tone without altering
meaning.
* No changes to functionality, configuration, or user workflows.
* No impact on APIs, interfaces, or compatibility.
* No additional steps required for users; purely a documentation
refinement.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Style**
* Simplified the AI chat composer tip: removed the dynamic
embedding-status tooltip so only a single static caution remains — “AI
outputs can be misleading or wrong.”
* **Tests**
* One end-to-end test related to embedding status was commented out and
is no longer executed.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Requires https://github.com/toeverything/AFFiNE/pull/13606 to be merged.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Introduced an in-app Paywall with Pro, AI, and Believer plans, feature
previews, paging dots, and selectable pricing options.
- Added purchase and restore actions, plus a unified, polished UI using
new color/icon resources.
- Documentation
- Added Swift Code Style Guidelines.
- Chores
- Updated dependencies (including MarkdownView 3.4.2), added new
resource packages, and removed an unused dependency.
- Raised iOS deployment target to 16.5 and refreshed project settings.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: DarkSky <25152247+darkskygit@users.noreply.github.com>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Built-in Then-style DSL for fluent configuration.
- Centralized theming via a new resources library exposing standardized
colors and icons for SwiftUI and UIKit.
- Refactor
- Migrated color and icon accessors to the new resources provider.
- Removed redundant imports and streamlined UI configuration.
- Dependencies
- Updated MarkdownView to 3.4.2.
- Removed the Then third-party dependency; updated package sources;
added resources package and assets.
- Documentation
- Added iOS Swift code style and architecture guidelines.
- Chores
- Updated Xcode project format and repository ignore rules.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
fix AI-419
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- New API to fetch available models for a prompt, returning default,
optional, and pro models with human‑readable names.
- Added temperature and topP settings to prompt configuration for finer
control.
- Refactor
- When no model is chosen, the default model is used instead of
auto-picking a pro model.
- Model metadata across providers now includes readable names, improving
listings and selection UX.
- Tests
- Updated test snapshots and descriptions to reflect the new
default-model behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Introduced a new iOS Paywall plugin with a simple API to display a
paywall and receive a success response.
- Added JavaScript wrapper and type definitions for easy integration.
- Refactor
- Reorganized the iOS project structure for plugins.
- Chores
- Removed unused legacy iOS plugins to streamline the app and reduce
build complexity.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Close
[BS-3610](https://linear.app/affine-design/issue/BS-3610/bug-每次按空格会出现重复单词-,特定输入法,比如swiftkey)
#### PR Dependency Tree
* **PR #13591**
* **PR #13590** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- Bug Fixes
- Android: More reliable Backspace/delete handling, preventing missed
inputs and double-deletions.
- Android: Cursor/selection is correctly restored after merging a
paragraph with the previous block.
- Android: Smoother IME composition input; captures correct composition
range.
- Deletion across lines and around embeds/empty lines is more
consistent.
- Chores
- Internal event handling updated to improve Android compatibility and
stability (no user-facing changes).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13591**
* **PR #13590** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
#### PR Dependency Tree
* **PR #13591** 👈
* **PR #13590**
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- Bug Fixes
- Improved drag-and-drop stability: draggables, drop targets, and
monitors now respond when option sources or external data change.
- Improved async actions and permission checks to always use the latest
callbacks and error handlers.
- Chores
- Lint/Prettier configs updated to ignore the Git directory.
- Upgraded oxlint dev dependency.
- Tests
- Updated several end-to-end tests for more reliable text selection,
focus handling, and timing.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [vite](https://vite.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`6.3.5` ->
`6.3.6`](https://renovatebot.com/diffs/npm/vite/6.3.5/6.3.6) |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
### GitHub Vulnerability Alerts
####
[CVE-2025-58751](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c)
### Summary
Files starting with the same name with the public directory were served
bypassing the `server.fs` settings.
### Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using --host or
[`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host))
- uses [the public directory
feature](https://vite.dev/guide/assets.html#the-public-directory)
(enabled by default)
- a symlink exists in the public directory
### Details
The
[servePublicMiddleware](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L79))
function is in charge of serving public files from the server. It
returns the
[viteServePublicMiddleware](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L106))
function which runs the needed tests and serves the page. The
viteServePublicMiddleware function [checks if the publicFiles variable
is
defined](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L111)),
and then uses it to determine if the requested page is public. In the
case that the publicFiles is undefined, the code will treat the
requested page as a public page, and go on with the serving function.
[publicFiles may be undefined if there is a symbolic link anywhere
inside the public
directory](9719497ade/packages/vite/src/node/publicDir.ts (L21)).
In that case, every requested page will be passed to the public serving
function. The serving function is based on the
[sirv](https://redirect.github.com/lukeed/sirv) library. Vite patches
the library to add the possibility to test loading access to pages, but
when the public page middleware [disables this
functionality](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L89))
since public pages are meant to be available always, regardless of
whether they are in the allow or deny list.
In the case of public pages, the serving function is [provided with the
path to the public
directory](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L85))
as a root directory. The code of the sirv library [uses the join
function to get the full path to the requested
file](d061616827/packages/sirv/index.mjs (L42)).
For example, if the public directory is "/www/public", and the requested
file is "myfile", the code will join them to the string
"/www/public/myfile". The code will then pass this string to the
normalize function. Afterwards, the code will [use the string's
startsWith
function](d061616827/packages/sirv/index.mjs (L43))
to determine whether the created path is within the given directory or
not. Only if it is, it will be served.
Since [sirv trims the trailing slash of the public
directory](d061616827/packages/sirv/index.mjs (L119)),
the string's startsWith function may return true even if the created
path is not within the public directory. For example, if the server's
root is at "/www", and the public directory is at "/www/p", if the
created path will be "/www/private.txt", the startsWith function will
still return true, because the string "/www/private.txt" starts with
"/www/p". To achieve this, the attacker will use ".." to ask for the
file "../private.txt". The code will then join it to the "/www/p"
string, and will receive "/www/p/../private.txt". Then, the normalize
function will return "/www/private.txt", which will then be passed to
the startsWith function, which will return true, and the processing of
the page will continue without checking the deny list (since this is the
public directory middleware which doesn't check that).
### PoC
Execute the following shell commands:
```
npm create vite@latest
cd vite-project/
mkdir p
cd p
ln -s a b
cd ..
echo 'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({publicDir: path.resolve(__dirname, "p/"), server: {fs: {deny: [path.resolve(__dirname, "private.txt")]}}})' > vite.config.js
echo "secret" > private.txt
npm install
npm run dev
```
Then, in a different shell, run the following command:
`curl -v --path-as-is 'http://localhost:5173/private.txt'`
You will receive a 403 HTTP Response, because private.txt is denied.
Now in the same shell run the following command:
`curl -v --path-as-is 'http://localhost:5173/../private.txt'`
You will receive the contents of private.txt.
### Related links
-
f0113f3f82
####
[CVE-2025-58752](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3)
### Summary
Any HTML files on the machine were served regardless of the `server.fs`
settings.
### Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using --host or
[server.host config
option](https://vitejs.dev/config/server-options.html#server-host))
- `appType: 'spa'` (default) or `appType: 'mpa'` is used
This vulnerability also affects the preview server. The preview server
allowed HTML files not under the output directory to be served.
### Details
The
[serveStaticMiddleware](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L123))
function is in charge of serving static files from the server. It
returns the
[viteServeStaticMiddleware](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L136))
function which runs the needed tests and serves the page. The
viteServeStaticMiddleware function [checks if the extension of the
requested file is
".html"](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L144)).
If so, it doesn't serve the page. Instead, the server will go on to the
next middlewares, in this case
[htmlFallbackMiddleware](9719497ade/packages/vite/src/node/server/middlewares/htmlFallback.ts (L14)),
and then to
[indexHtmlMiddleware](9719497ade/packages/vite/src/node/server/middlewares/indexHtml.ts (L438)).
These middlewares don't perform any test against allow or deny rules,
and they don't make sure that the accessed file is in the root directory
of the server. They just find the file and send back its contents to the
client.
### PoC
Execute the following shell commands:
```
npm create vite@latest
cd vite-project/
echo "secret" > /tmp/secret.html
npm install
npm run dev
```
Then, in a different shell, run the following command:
`curl -v --path-as-is
'http://localhost:5173/../../../../../../../../../../../tmp/secret.html'`
The contents of /tmp/secret.html will be returned.
This will also work for HTML files that are in the root directory of the
project, but are in the deny list (or not in the allow list). Test that
by stopping the running server (CTRL+C), and running the following
commands in the server's shell:
```
echo 'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, "secret_files/*")]}}})' > [vite.config.js](http://vite.config.js)
mkdir secret_files
echo "secret txt" > secret_files/secret.txt
echo "secret html" > secret_files/secret.html
npm run dev
```
Then, in a different shell, run the following command:
`curl -v --path-as-is 'http://localhost:5173/secret_files/secret.txt'`
You will receive a 403 HTTP Response, because everything in the
secret_files directory is denied.
Now in the same shell run the following command:
`curl -v --path-as-is 'http://localhost:5173/secret_files/secret.html'`
You will receive the contents of secret_files/secret.html.
---
### Release Notes
<details>
<summary>vitejs/vite (vite)</summary>
###
[`v6.3.6`](https://redirect.github.com/vitejs/vite/releases/tag/v6.3.6)
[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v6.3.5...v6.3.6)
Please refer to
[CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v6.3.6/packages/vite/CHANGELOG.md)
for details.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS45Ny4xMCIsInVwZGF0ZWRJblZlciI6IjQxLjk3LjEwIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [sha.js](https://github.com/crypto-browserify/sha.js) from 2.4.11
to 2.4.12.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/browserify/sha.js/blob/master/CHANGELOG.md">sha.js's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/browserify/sha.js/compare/v2.4.11...v2.4.12">v2.4.12</a>
- 2025-07-01</h2>
<h3>Commits</h3>
<ul>
<li>[eslint] switch to eslint <a
href="7acadfbd3a"><code>7acadfb</code></a></li>
<li>[meta] add <code>auto-changelog</code> <a
href="b46e7116eb"><code>b46e711</code></a></li>
<li>[eslint] fix package.json indentation <a
href="df9d521e16"><code>df9d521</code></a></li>
<li>[Tests] migrate from travis to GHA <a
href="c43c64adc6"><code>c43c64a</code></a></li>
<li>[Fix] support multi-byte wide typed arrays <a
href="f2a258e9f2"><code>f2a258e</code></a></li>
<li>[meta] reorder package.json <a
href="d8d77c0a72"><code>d8d77c0</code></a></li>
<li>[meta] add <code>npmignore</code> <a
href="35aec35c66"><code>35aec35</code></a></li>
<li>[Tests] avoid console logs <a
href="73e33ae0ca"><code>73e33ae</code></a></li>
<li>[Tests] fix tests run in batch <a
href="262913006e"><code>2629130</code></a></li>
<li>[Tests] drop node requirement to 0.10 <a
href="00c7f234aa"><code>00c7f23</code></a></li>
<li>[Dev Deps] update <code>buffer</code>,
<code>hash-test-vectors</code>, <code>standard</code>,
<code>tape</code>, <code>typedarray</code> <a
href="92b5de5f67"><code>92b5de5</code></a></li>
<li>[Tests] drop node requirement to v3 <a
href="9b5eca80fd"><code>9b5eca8</code></a></li>
<li>[meta] set engines to <code>&gt;= 4</code> <a
href="807084c5c0"><code>807084c</code></a></li>
<li>Only apps should have lockfiles <a
href="c72789c7a1"><code>c72789c</code></a></li>
<li>[Deps] update <code>inherits</code>, <code>safe-buffer</code> <a
href="5428cfc6f7"><code>5428cfc</code></a></li>
<li>[Dev Deps] update <code>@ljharb/eslint-config</code> <a
href="2dbe0aab41"><code>2dbe0aa</code></a></li>
<li>update README to reflect LICENSE <a
href="8938256dbb"><code>8938256</code></a></li>
<li>[Dev Deps] add missing peer dep <a
href="d52889688c"><code>d528896</code></a></li>
<li>[Dev Deps] remove unused <code>buffer</code> dep <a
href="94ca7247f4"><code>94ca724</code></a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="eb4ea2fd3d"><code>eb4ea2f</code></a>
v2.4.12</li>
<li><a
href="d8d77c0a72"><code>d8d77c0</code></a>
[meta] reorder package.json</li>
<li><a
href="df9d521e16"><code>df9d521</code></a>
[eslint] fix package.json indentation</li>
<li><a
href="35aec35c66"><code>35aec35</code></a>
[meta] add <code>npmignore</code></li>
<li><a
href="d52889688c"><code>d528896</code></a>
[Dev Deps] add missing peer dep</li>
<li><a
href="b46e7116eb"><code>b46e711</code></a>
[meta] add <code>auto-changelog</code></li>
<li><a
href="94ca7247f4"><code>94ca724</code></a>
[Dev Deps] remove unused <code>buffer</code> dep</li>
<li><a
href="2dbe0aab41"><code>2dbe0aa</code></a>
[Dev Deps] update <code>@ljharb/eslint-config</code></li>
<li><a
href="73e33ae0ca"><code>73e33ae</code></a>
[Tests] avoid console logs</li>
<li><a
href="f2a258e9f2"><code>f2a258e</code></a>
[Fix] support multi-byte wide typed arrays</li>
<li>Additional commits viewable in <a
href="https://github.com/crypto-browserify/sha.js/compare/v2.4.11...v2.4.12">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~ljharb">ljharb</a>, a new releaser for
sha.js since your current version.</p>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/toeverything/AFFiNE/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Close
[BS-3625](https://linear.app/affine-design/issue/BS-3625/移动端database-table-view无法横向滚动)
#### PR Dependency Tree
* **PR #13494** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved iOS mobile table view scrolling: horizontal overflow is no
longer forcibly hidden, preventing clipped content and enabling smoother
horizontal navigation.
* Users can now access columns that previously appeared truncated on
narrow screens.
* Vertical scrolling behavior remains unchanged.
* No impact on non‑iOS devices.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Close
[AF-2789](https://linear.app/affine-design/issue/AF-2789/安卓客户端日期没了)
#### PR Dependency Tree
* **PR #13493** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved editing mode stability in mobile Kanban cells by preventing
redundant enter/exit transitions, resulting in smoother interactions and
reduced flicker.
* Enhanced mobile Table cells to avoid duplicate editing state changes,
minimizing unnecessary updates and improving responsiveness.
* Overall, editing transitions are now idempotent across affected mobile
views, reducing visual jitter and improving performance during edit
operations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
fix AI-417
#### PR Dependency Tree
* **PR #13492** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Copying code snippets now uses a rich format for improved paste
fidelity in compatible editors.
* Preserves code block formatting and language when pasted, reducing
manual cleanup.
* Continues to support plain text and HTML paste for broad
compatibility.
* Works more reliably when moving content within the app.
* Existing copy confirmation remains unchanged.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Close
[AI-415](https://linear.app/affine-design/issue/AI-415/code-artifact-复制更好的支持code-block和插入正文)
#### PR Dependency Tree
* **PR #13490** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Editor now deactivates when text selection moves outside the app,
preventing unintended interactions.
* Better handling when selection changes to external content, reducing
cases where the editor stayed active incorrectly.
* **Stability**
* Improved reliability around selection, focus, and visibility changes
to avoid accidental edits or actions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13490** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
#### PR Dependency Tree
* **PR #13464**
* **PR #13465**
* **PR #13471** 👈
* **PR #13472**
* **PR #13473**
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* DOM rendering added for groups, mind maps and connectors so group
titles/outlines and mindmap connectors are visible on canvas.
* Shapes now support right-to-left text with proper vertical alignment.
* **Improvements**
* Connector labels scale with viewport zoom for crisper display.
* Group-related selections (including nested groups) now update visuals
consistently.
* **Performance**
* Reduced DOM churn and fewer redraws during rendering and selection
changes.
* **Refactor**
* Renderer import/export surfaces consolidated with no user-facing
behavior changes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
fix AI-415
#### PR Dependency Tree
* **PR #13489** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved code block stability to prevent layout shifts and overlapping
during syntax highlighting.
* Ensured consistent height and alignment for code snippets.
* **Style**
* Refined code block appearance for clearer, more polished presentation.
* **Chores**
* Internal adjustments to support more reliable rendering of highlighted
code.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13485** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Style**
* Improved mobile toast notification layout for better responsiveness
across screen sizes.
* Replaced fixed left alignment with dynamic edge offsets, ensuring
consistent spacing near screen edges.
* Removed forced centering and rigid width constraints to reduce
clipping and overlap on narrow viewports.
* Visual behavior only; no changes to interaction or functionality.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
> CLOSE PD-2697
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Removing an attachment chip now also removes duplicate attachments
with the same source, preventing duplicate attachments in the AI chat
chip list.
* Removing a selected context chip now also removes duplicate selected
contexts with the same identifier, preventing duplicate context chips.
* Attachments from different sources and chips of other types (document,
file, tag, collection) remain unaffected.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13464**
* **PR #13465** 👈
* **PR #13471**
* **PR #13472**
* **PR #13473**
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved stacking order across canvas elements (shapes, connectors,
brush, highlighter), reducing unexpected overlap.
* Corrected z-index application for placeholders and fully rendered
elements to ensure consistent layering during edits.
* **Refactor**
* Centralized z-index handling for canvas elements to provide
predictable, uniform layering behavior across the app.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13464** 👈
* **PR #13465**
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* DOM-based SVG rendering for Brush and Highlighter with zoom, rotation,
layering and improved visualization.
* **Refactor**
* Consolidated renderer exports into a single entry point for simpler
integration.
* **Chores**
* Updated view registrations to include the new DOM renderer extensions.
* Improved highlighter sizing consistency based on serialized bounds.
* **Revert**
* Removed highlighter renderer registration from the shape module.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13464** 👈
* **PR #13465**
* **PR #13471**
* **PR #13472**
* **PR #13473**
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
Close [AI-413](https://linear.app/affine-design/issue/AI-413)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Chat messages now scroll vertically, preventing content from being cut
off.
* Chat actions are no longer displayed or fetched, reducing unnecessary
loading.
* Peek view chat composer behavior is aligned with the main chat,
ensuring consistent feature availability across views.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- Bug Fixes
- Enforced a consistent step limit for AI responses across providers,
preventing excessively long generations in both text and streaming modes
for more predictable results.
- Refactor
- Centralized step limit configuration into a shared provider, ensuring
uniform behavior across providers and simplifying future maintenance.
- Standardized application of step limits in text generation and
streaming flows to align provider behavior and improve overall
reliability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
In recent versions of Android (or maybe webview), the
`KeyboardEvent.key` for the backspace key now has the correct value.
This PR remove the patch since it will trigger two delete actions when
press backspace at the first character of paragraph"
Related PR https://github.com/toeverything/AFFiNE/issues/10523
#### PR Dependency Tree
* **PR #13483** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Refactor**
* Streamlined keyboard shortcut handling for greater consistency across
platforms.
* Reduced overhead by consolidating event bindings; no change to
expected shortcut behavior for end-users.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13484** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- Bug Fixes
- Reduced repeated mobile editing notifications; the notice now appears
once and only reappears after you dismiss it.
- More consistent notification behavior on mobile for a less disruptive
editing experience.
- Refactor
- Streamlined internal event handling to improve reliability and reduce
potential listener leaks, resulting in smoother interactions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13481** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- Bug Fixes
- The “Update payment method” prompt now appears only when your
subscription is past due.
- Payment Method section now shows whenever a paid plan record exists
(loading placeholders unchanged).
- Action button styling adjusts for past-due subscriptions (uses the
alternate/secondary style).
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Added GPT-5 family and made GPT-5/-mini the new defaults for Copilot
scenarios and prompts.
- Bug Fixes
- Improved streaming chunk formats and reasoning/text semantics,
consistent attachment mediaType handling, and more reliable reranking
via log-prob handling.
- Refactor
- Unified maxOutputTokens usage; removed per-call step caps and migrated
several tools to a unified inputSchema shape.
- Chores
- Upgraded AI SDK dependencies and bumped an internal dependency
version.
- Tests
- Updated mocks and tests to reference GPT-5 variants and new stream
formats.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
fix CLOUD-238, CLOUD-239
#### PR Dependency Tree
* **PR #13477** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Payment method management is now always available directly within AI
and Pro plan cards.
* **Bug Fixes**
* Past-due subscriptions are now included in subscription status
results, ensuring they appear in billing views.
* **Style**
* Plan actions are moved inline within each plan’s description for a
cleaner, more compact layout.
* Actions are grouped horizontally with improved spacing.
* Minor class name and spacing tweaks for consistent styling.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<img width="971" height="681" alt="iShot_2025-08-10_14 29 01"
src="https://github.com/user-attachments/assets/eff3e6d5-3129-42ac-aceb-994c18f675ab"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Mermaid diagram previews for code blocks with interactive zoom, pan,
and reset controls.
* Improved rendering feedback with loading, error states, retry
behavior, and fallback messaging.
* **Chores**
* Added Mermaid as a frontend dependency to enable diagram rendering.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: L-Sun <zover.v@gmail.com>
fix#12721
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Improved handling of non‑ASCII filenames when unzipping archives: the
extractor now tries alternative encodings and validates results so
filenames are preserved and displayed correctly after extraction. This
change reduces corrupt or garbled names while keeping existing
extraction behavior otherwise unchanged.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- Smarter embedding pipeline skips re-embedding when content hasn’t
changed; added content sanitization for embeddings and workspace content
retrieval.
- Bug Fixes
- Re-embedding now requires both a document update and the last
embedding being older than 10 minutes, reducing unnecessary work.
- Refactor
- Consolidated embedding preprocessing and moved sanitization utilities
into shared models; upserts now refresh stored content.
- Tests
- Expanded snapshot-based tests covering multiple time/age scenarios for
embedding decision logic.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Prevents accidental deletion of placeholder documents during embedding
cleanup.
* Improves accuracy when identifying documents to remove, using multiple
data sources.
* Skips unnecessary cleanup when no embeddings or snapshots exist,
reducing noise and overhead.
* **Chores**
* Streamlined and centralized document filtering logic to ensure
consistent cleanup behavior.
* Parallelized data checks to make cleanup more efficient without
changing user workflows.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Close [AI-410](https://linear.app/affine-design/issue/AI-410)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- None
- Bug Fixes
- Middle-click panning now reliably returns to the previously active
tool, including after using Copilot or frame navigation.
- Smoother, more responsive transition into panning to reduce accidental
selections.
- Refactor
- Simplified AI panel click-outside handling with no change to
user-visible behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
> CLOSE PD-2698
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **Refactor**
- Optimized context chip handling in the AI chat composer to process
additions concurrently.
- Improves responsiveness when adding multiple documents or attachments
as context, reducing wait times and making the composing experience
smoother.
- No changes to visible functionality; users should notice faster
updates when selecting several items at once.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Close [AI-411](https://linear.app/affine-design/issue/AI-411)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- Bug Fixes
- Releasing the mouse now always ends panning, preventing stuck states.
- Actions cancel correctly when you release without dragging.
- Refactor
- More consistent Copilot activation: use right-click or Ctrl (⌘ on Mac)
+ left-click.
- Smoother switching to Copilot with improved drag-state reset and
cleanup.
- Removed automatic restoration of previous selection when activating
Copilot.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13462** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated default configuration: The DOM-based renderer is now disabled
by default on all platforms. Previously, it was enabled by default on
iOS. This change standardizes the out-of-the-box experience across
devices. If you rely on the DOM renderer, you can still enable it via
feature flags in your environment or settings.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- None
- Bug Fixes
- Ensures a placeholder embedding is always created when content is
empty or after deletion, reducing errors and improving Copilot
stability.
- Refactor
- Centralized empty-embedding handling for consistent behavior across
workflows.
- Standardized embedding dimension configuration to a single source for
reliability.
- Chores
- Simplified internal embedding module surface and imports for
maintainability.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
oxlint-tsgolint install fails had been fixed
see https://github.com/oxc-project/oxc/issues/12892
#### PR Dependency Tree
* **PR #13457** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated the version range for a development dependency to allow for
newer compatible releases.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13460** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- New Features
- The DOM renderer setting is now configurable across all builds, not
just beta/canary. This expands access to the feature flag for all users,
enabling broader experimentation and customization.
- Users on stable releases can now enable or disable the DOM renderer
through standard configuration, ensuring consistent behavior across
release channels.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
#### PR Dependency Tree
* **PR #13449** 👈
This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Expanded the list of approvers for the manual approval step in the
release workflow.
* Added more keywords that can be used to deny approval during the
release process.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
