Release v2.14.0-20260614

KeePass file watching on Android is now more reliable, particularly for files accessed via the content:// scheme and on older OS versions. One-time password generation has been improved; exported otpauth:// URIs are now spec-compliant and the mOTP period has been corrected to the standard 10 seconds. This release also rejects pre-login KDF downgrades, cleans up stale SSH agent state on restart, and properly binds the agent socket in Flatpak environments.

All changes

• 793c953a - fix: Reject pre-login KDF downgrade
• 14edc0ff - fix(Android): Observe the .kdbx file under content:// scheme
• ffd0b477 - fix(otpauth): Make exported otpauth:// URIs spec-compliant
• a378651b - fix: Use the standard 10s period for mOTP instead of a custom 30s one
• 1d95b0e2 - fix: Fully clean-up old stale ssh agent state on agent restart
• 5b0f47b6 - fix: Http connection leak if file preview fails early
• 5a8ee16c - fix: Notification worker now respects app's lifecycle
• 5d68da5d - fix: Support desktop file watcher cancellation
• b9177ecc - fix(KeePass): Support file watching before Android 10
• 5ce5d665 - fix: Propagate HIBP password range HTTP errors
• dc3485c6 - refactor(Linux): Observe portal color scheme over DBus
• efd7ff3d - refactor: Safely handle case where biometric result contains no crypto object
• 3622a4a6 - fix(Desktop): Prevent URL override command execution from blocking on output
• ffe5ef92 - fix(Sync): Compare cipher folder using local ids
• e0f3a96e - fix(export): Fail on attachment download errors
• f3164a6e - fix: reject unsupported MD5 OTP algorithms
• c763a09f - fix(Desktop): Bind SSH agent socket to a visible path in flatpak #640
• 51b1bf81 - Add required display length for flatpak metadata (#1452)
• 4efd77bf - @JustAdreamerFL has signed the CLA in #1452
• 92f31e17 - fix(Desktop): Mark concealed Linux clipboard contents as sensitive (#1448)
• 36146845 - @jbwfu has signed the CLA in #1448