What We Shipped

Two new additions to the generation tools.

SVG Generation (/tools/svg-generation) creates vector graphics from text prompts using the QuiverAI Arrow model. Output is valid SVG you can edit in Figma, Illustrator, or any vector tool. 15 credits per generation.

Nano Banana 2 is a new image generation model on fal.ai. Fast, affordable, with 1K/2K/4K resolution tiers and web search support. 5 credits per image.

API routes now support both session cookies and Bearer tokens through a single requireAuth() helper. Previously, some routes only worked with cookies and others had their own token handling.

• Bearer token auth gets the same permission checks as session-based auth
• Middleware decomposed into composable pieces (anonymous guard, credit checks, usage logging)
• MCP server switched from hand-rolled JWT verification to jose
• New /api/organizations endpoint and MCP tool for listing organizations

Pages now load faster across the board. We cut ~2.1 MB from the client-side JavaScript bundle through barrel file tree-shaking, moving mammoth to server-side only, and lazy-loading Sentry Replay.

On top of that, a full dead code audit removed over 7,000 lines of unused code across 40+ files using knip.

Two new ways to get files into your library. Paste images directly from your clipboard with Ctrl+V, or drag entire folders into the upload zone. Folders are auto-created in the DAM to match the structure you drop.

• Clipboard paste works anywhere the upload zone is visible
• Folder drag & drop preserves your folder structure
• Resilient upload retry on network failures
• Unified upload component across all pages

Permission checks are faster and more reliable. The RBAC cache now uses deterministic invalidation instead of pattern-based key deletion, with split TTLs for different permission types.

Added a circuit breaker for Redis failures so permission checks fall back gracefully instead of blocking requests when Redis is down.

A full security audit identified and fixed 20 issues across critical, high, and medium severity.

• SQL injection vulnerability patched in smart collection filters
• Vendor upload authorization now properly enforced
• Smart collection validation prevents invalid filter configs
• Unbounded array queries capped to prevent memory exhaustion
• N+1 query eliminated in asset listing
• Atomic rate limiter with separate upload/read/write buckets

Navigation inside the dashboard is now noticeably faster. We eliminated the white flash between pages, reduced redundant API calls, and pre-populate sessions on the server.

• Sidebar navigation no longer triggers full page reloads
• SSR skipped for DAM shell with client-side prefetch instead
• Lightweight auth in dashboard layout cuts initial load time
• Org switching works across layout boundaries without flashing

Click and drag to select multiple assets in the DAM library, just like you'd expect from a file manager. Combined with new keyboard shortcuts for a way faster workflow.

• Marquee selection with click-drag in the asset grid
• Shift+click to extend selection range
• Click empty space to deselect all
• Keyboard navigation for moving between assets

Five vendor upload rules that previously relied on AI vision (and cost credits) are now powered by deterministic pixel analysis using Sharp. They're faster, free, and more consistent.

• Blur detection via Laplace variance (replaces AI-based blur check)
• Background color, resolution, aspect ratio, and file size checks run locally
• Zero credit cost for these rules going forward

Switched to the shadcn Vega theme. Cleaner look, better contrast ratios, and consistent spacing across all components. No functionality changes.