The conveyor belt was running hot today. 173 files changed, +12,800 lines across the enhancements branch. FreeChat jumped from v1.3.0 to v1.3.1 with custom emoji, URL previews, theme engine, email verification, password management, unread tracking, CORS hardening, and a massive Android expansion. Enclave picked up email verification and admin panel improvements in parallel. Both projects compile clean, all 41 backend tests still passing.
Theme Engine & UI Overhaul
New themeStore with 5+ built-in themes plus custom theme support. CSS variables got a complete rework — index.css grew by 1,500+ lines to support theme-aware components across the entire UI. The Layout header, sidebar, and chat panel all respond to theme changes in real-time. Room list got a major expansion (+431 lines) with collapsible categories, browse view grouping, and drag-to-reorder support via a new useRoomReorder hook.
Custom Emoji
Full Discord-style custom emoji: backend service with upload validation (256KB max, PNG/JPEG/GIF/WebP), storage in uploads/, and CRUD routes. The web client gets a new EmojiPicker component with a dedicated custom emoji tab, and an admin emoji management panel. Emoji store handles loading, uploading, and deletion.
URL Previews
New preview.service.ts (252 lines) fetches Open Graph metadata from links in messages. Dedicated preview route, client-side useUrlPreview hook, and a UrlPreview component that renders rich cards with title, description, and thumbnail. YouTube links get special treatment with embedded video detection.
Password Management & Email Verification
Three new auth flows landed: forgot password (with Nodemailer email delivery), reset password (token-based, 30-min expiry), and change password (preserves E2E encryption keys by re-wrapping the private key). OAuth users get an EncryptionSetupModal prompting for a passphrase on first login. Email verification (non-enforced) sends a confirmation link on registration for both FreeChat and Enclave — the emailVerified flag shows in admin panels but doesn't gate any functionality yet. Rate limits on all sensitive endpoints.
CORS & Security Hardening
CORS origins restricted to specific allowed domains instead of wildcard. Token expiry tightened. Validation middleware expanded with proper password strength checks. Rate limiting added for forgot-password (3/hour/email, 10/hour/IP) and resend-verification (3/hour/user). SMTP setup documented in a new docs/SMTP_SETUP.md.
Android Expansion
The Android app went from basic chat to nearly feature-complete. New screens: DM list, user profiles, search, forgot password, change password, and key unlock dialog. New repositories for crypto, DMs, presence, profiles, and search. Custom app icon at all density buckets. DTO layer expanded with 8 new data class files for categories, reactions, threads, presence, and more. The Android CryptoManager got a significant overhaul (+152 lines) to match the evolving server format.
Unread Tracking & Thread List
New unreadStore tracks per-room unread counts, surfaced as badges in the room list sidebar. ThreadListPanel (133 lines) shows all active threads in a room with preview snippets and reply counts. WebSocket client refactored (+231 lines) with improved reconnect logic and message routing.
Deployment
UAT environment configs added: docker-compose.uat.yml, deploy-uat.sh, setup-uat-env.sh, and .env.uat.example for the JefeLinux VM. LiveKit config landed for voice channel infrastructure. Production Dockerfile and compose file updated. New scripts/setup.sh (250 lines) for fresh environment bootstrapping. Full build and deploy procedure documented in docs/BUILD_AND_DEPLOY.md (516 lines).
What's Next
- Merge
enhancementsbranch, tag v1.3.1, rebuild Tauri installer - Run Prisma migrations in dev and prod for email verification tables
- FreeVox integration with the new LiveKit config
- Enforce email verification (optional, behind feature flag)