@@ -7,6 +7,44 @@ version.
77
88The format is loosely Keep-a-Changelog, dates in ISO order.
99
10+ ## 1.1.0 — 2026-06-10
11+
12+ ### Added
13+ - ** Claude Fable 5 support.** The Anthropic provider now defaults to
14+ ` claude-fable-5 ` , Anthropic's newest model ($10/M in, $50/M out —
15+ bundled price snapshot updated to match). Override with
16+ ` ANTHROPIC_TEXT_MODEL ` as before.
17+ - ** ` scripts/optimize-hero-images.sh ` ** — one-command maintenance
18+ script that recompresses existing AI hero PNGs in R2 to WebP
19+ (~ 97% smaller; a 10-post /blog page drops from ~ 14 MB of images
20+ to under 600 KB) and repoints ` blog_posts ` at the new keys.
21+ - ** Proper 404s.** A branded ` public/404.html ` replaces the previous
22+ SPA fallback that returned the homepage with HTTP 200 for unknown
23+ URLs (a classic soft-404 that wastes crawl budget).
24+ - ** Marketing site redesign.** Editorial press-sheet look: serif
25+ display headlines, highlighter-yellow accents, provider ticker,
26+ ghost folio numerals, full-bleed nav, closing CTA band, dark mode.
27+
28+ ### Changed
29+ - ** Hero images store their real format.** The image step now sniffs
30+ the provider's bytes (JPEG/WebP/PNG) and writes the matching
31+ extension + content-type instead of assuming PNG.
32+ - ** All public pages self-host fonts.** Blog index, posts,
33+ programmatic pages, and docs no longer call Google Fonts — fonts
34+ load from ` /_fonts/ ` with preload hints (faster first paint, one
35+ fewer third-party origin).
36+ - ** Blog index LCP.** The first card image loads eagerly with
37+ ` fetchpriority=high ` (plus a preload hint and og: image ); the rest
38+ stay lazy. Page-1 now ships ` twitter:card=summary_large_image ` .
39+
40+ ### Security
41+ - ** Constant-time admin-token comparison.** Bearer/X-Admin-Token
42+ checks no longer short-circuit on the first differing byte.
43+ - ** Baseline security headers.** ` X-Content-Type-Options: nosniff ` +
44+ ` Referrer-Policy ` on static assets and rendered pages;
45+ ` X-Frame-Options: DENY ` + ` Cache-Control: no-store ` on the admin
46+ SPA and sign-in page (clickjacking defence).
47+
1048## 1.0.6 — 2026-06-07
1149
1250### Removed
0 commit comments