RELEASE NOTES

WHAT'S NEW

VANTAGE BETA — V1.0.0  ·  MARCH 2026
Everything that changed from Alpha to Beta, plus a look at what's coming next.

v1.0.0-BETA
BUILD 1
// RELEASED MARCH 2026
SECURITY
FIX
PASSWORD VALIDATION NOW MATCHES BACKEND
Alpha accepted passwords as short as 6 characters. Beta enforces the real backend requirements: 12+ characters, at least one uppercase, one lowercase, one number, and one special character (@$!%*?&). The same validator runs on both frontend and backend — no more confusing rejections after signup.
SECURITY
DEBUG SECRETS REMOVED FROM LOGS
Alpha printed APP_SECRET and its decrypted value to stdout in plain text. These debug lines have been removed entirely. Your app secret no longer appears in any console output or log file.
SECURITY
LOGGING LEVEL HARDENED TO CRITICAL
Alpha ran with logging.INFO, which exposed session details and internal state. Beta sets the root logger to CRITICAL — only fatal errors are surfaced. No credentials, tokens, or user data appear in the log stream by default.
NEW FEATURES
NEW
EMAIL VERIFICATION WITH OTP FLOW
New accounts now go through an email OTP verification step. After signup a 6-digit code is sent to your inbox — enter it in the new verification dialog to activate your vault. Existing unverified accounts are gracefully detected at both login and signup and redirected to verify.
NEW
SUPPORT TAB — DEDICATED IN-APP HELP CENTER
A full Support tab has been added to the main interface. It includes contact channels (email & Discord), response time SLAs, a bug reporting guide, pre-contact tips, and a dedicated security vulnerability reporting section — all without leaving the app.
NEW
SEND PASSWORD RESET EMAIL (VIA RESEND)
A new "Send Reset Email" option in Settings dispatches a password reset link to your email via Resend. Links expire in 1 hour. This replaces the recovery-code-only flow for users who prefer email-based resets.
NEW
KEYBOARD SHORTCUT: CTRL+U TO UPLOAD
Press Ctrl+U anywhere in the app to open the file picker and start a new deposit immediately. No need to navigate to the upload tab first.
NEW
WEBP FILE FORMAT SUPPORT
The file picker now accepts .webp images in addition to PNG, JPG, JPEG, BMP, and GIF.
NEW
50MB CLIENT-SIDE FILE SIZE GUARD
Attempting to upload a file over 50MB now shows a clear error before the upload even starts — matching the backend cap exactly. Includes the actual file size in MB so you know by how much it needs to be reduced.
NEW
HISTORY TAB: REVEAL NAMES BUTTON
System logs now hide deposit names by default (shown as ••••••••) regardless of Ghost Mode state. A "👁 REVEAL NAMES" toggle in the history toolbar lets you show them on demand — toggling Ghost Mode also refreshes history accordingly.
NEW
PRIVACY POLICY & TERMS BUTTONS IN SIDEBAR
The Security & Privacy box in the sidebar now includes direct buttons linking to vantagevault.dev/privacy and vantagevault.dev/terms, replacing the plain text security blurb from Alpha.
NEW
VERSION & WHAT'S NEW LABELS IN SIDEBAR
The sidebar footer now shows the current version and build number, plus a "WHAT'S NEW" button that opens vantagevault.dev/whats-new directly in your browser.
IMPROVEMENTS
IMPROVED
LOGIN IS NOW NON-BLOCKING (RUNS IN BACKGROUND THREAD)
Alpha ran the login request on the main UI thread, causing the window to freeze while authenticating. Beta dispatches it to a background thread — the interface stays responsive throughout. The login button also shows "AUTHENTICATING..." state during the request.
IMPROVED
RATE LIMIT & EMAIL UNCONFIRMED ERRORS HANDLED PROPERLY
Login now specifically handles HTTP 429 (too many attempts — shows 15-minute lockout message) and HTTP 403 with email_not_confirmed detail (redirects to the OTP verification dialog instead of just saying "access denied").
IMPROVED
HISTORY SHOWS ALL DEPOSITS (NO LONGER CAPPED AT 20)
Alpha silently limited history display to the last 20 deposits. Beta shows all deposits. The textbox is also set to disabled state after population so users can't accidentally edit it.
IMPROVED
SESSION CHECK CHANGED FROM GET TO POST
The /session_check endpoint call was switched from GET to POST to match the backend's expected method. This fixes silent auth failures on auto-login when the server was available but responding with method-not-allowed errors.
IMPROVED
FULL NODE ID NOW VISIBLE IN SIDEBAR
Alpha truncated the user ID to 12 characters followed by "...". Beta displays the full UID — useful when filing support requests or checking your identity in the Support tab.
IMPROVED
GALLERY & HISTORY REFRESH AFTER UPLOAD
fetch_history() is now called after a successful upload completes, keeping the System Logs tab in sync without needing a manual refresh.
IMPROVED
SCROLLBAR STYLING UNIFIED ACROSS ALL PANELS
All CTkScrollableFrame instances now share a consistent scrollbar style — teal accent on a dark track — replacing the default CustomTkinter scrollbars that clashed with the overall aesthetic.
IMPROVED
SETTINGS: RECOVERY KEY DETECTION USES CORRECT FIELD
Alpha checked for settings.get('recovery_key'). Beta correctly checks settings.get('recovery_key_hash') to match the actual backend field name — fixing false "no recovery code" warnings for users who had already generated one.
IMPROVED
DUPLICATE THREAD CALL REMOVED IN UPDATE_STATS
Alpha accidentally called threading.Thread(target=run, daemon=True).start() twice at the end of update_stats(), doubling network requests every time stats updated. The duplicate has been removed.
IMPROVED
TITLE BAR: ALPHA → BETA
Window title and splash screen version label updated from "ALPHA | BY SYNCPOINTFLOW" to "BETA | BY SYNCPOINTFLOW".
IMPROVED
PROXY URL UPDATED TO BETA ENDPOINT
PROXY_URL now points to the vantagebeta Hugging Face Space instead of the Alpha space, routing all requests to the new backend.
IMPROVED
EMAIL ENTRY AUTO-FILLED ON PASSWORD RESET DIALOG
The password reset dialog (accessible from the login screen) now hints the email requirement more clearly, and the perform_password_reset_from_login flow reads directly from the email field already visible on screen.
REMOVED
REMOVED
GOOGLE SIGN-IN BUTTON HIDDEN FROM LOGIN SCREEN
The Google OAuth login button has been removed from the auth screen in Beta. The backend implementation is retained and the flow is kept in code for a future re-release once the OAuth redirect experience is polished.
REMOVED
LEGACY ROOT WINDOW (root = ctk.CTk()) REMOVED
Alpha instantiated a bare ctk.CTk() root window at module load, which caused a ghost window to flash on startup. Beta uses only the VantageApp class window — cleaner launch sequence.
ROADMAP
COMING NEXT
// FEATURES IN ACTIVE DEVELOPMENT FOR UPCOMING BUILDS
🌐
GOOGLE SIGN-IN

OAuth flow is built and tested. Re-launching once the redirect experience is fully polished for a seamless one-click login.

IN PROGRESS
🍎
MACOS BUILD

A native macOS package is in progress. Pyinstaller spec and code-signing are being worked through.

PLANNED
🐧
LINUX BUILD

.deb and AppImage builds are planned following macOS.

PLANNED
📦
DRAG & DROP UPLOAD

Drop images directly onto the app window to trigger an instant deposit — no file picker dialog required.

IN PROGRESS
🗂️
DATE RANGE FILTERS & BULK DELETE

Filter gallery by date range, sort by size or name, and select multiple deposits for deletion in a single action.

PLANNED
TOKEN AUTO-REFRESH

Silent background token refresh every 45 minutes so long-running sessions never get unexpectedly logged out mid-session.

IN PROGRESS