- MCP auth middleware now rejects requests without API key when users exist - Image /from-url route distinguishes validation errors (400) from server errors (500) - Password change route returns 401 when no session cookie instead of crashing Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>