- Change openrouter/pony-alpha model status from 'alpha' to 'beta' to prevent deletion
- Fix ReferenceError where heartbeat was used before initialization in cleanupStream
- Declare heartbeat and streamTimeout with let before cleanupStream function
- Change const assignments to let assignments for timer variables
- Capture todowrite tool events and store todos on messages
- Add API endpoint GET /api/sessions/:sessionId/todos
- Clear todos on message finish, undo, and redo
- Create renderStructuredTodos function with status icons
- Integrate todo display into message rendering
- Add CSS styling for todo items by status and priority
- Professional plan: reduced from 10M to 5M tokens per month
- Enterprise plan: reduced from 50M to 20M tokens per month
- Hobby (50k) and Starter (100k) remain unchanged
These limits align with the updated pricing structure from shopify-ai.
- Add comprehensive prompt injection security module with 160+ attack pattern detection
- Implement security checks in message handling with proper blocking and user feedback
- Add OpenRouter paid API key support (OPENROUTER_PAID_API_KEY) for premium models
- Update model discovery and chat functions to use paid API key for premium models
- Add comprehensive test suite with 434 test cases (98.39% accuracy)
- Tests cover legitimate WordPress development queries, injection attacks, obfuscated attempts
- Improve builder loading indicators with text-based progress (building/planning)
- Replace spinning animations with 'Starting build/planning process' messages
