v3.6.2

@kennethreitz kennethreitz released this 12 Apr 22:12
· 16 commits to main since this release

Fixed

  • GraphQL error responses now correctly return 400 status instead of always 200
  • OpenAPI docs UI now respects custom openapi_route instead of hardcoding /schema.yml
  • before_requests default type mismatch that could crash routes called outside the router
  • Blocking synchronous file I/O in Response.stream_file() — now uses async I/O via anyio
  • Memory leak in rate limiter (empty bucket keys never cleaned up)
  • Race condition in rate limiter check() — added thread-safe locking
  • WSGI fallback catching all TypeErrors instead of just call-signature mismatches
  • Pydantic request/response model validation crashing on non-dict bodies
  • CaseInsensitiveDict missing __delitem__, pop, and setdefault overrides
  • assert used for input validation in OpenAPI extension (stripped by python -O)
  • Potential XSS in GraphiQL template endpoint injection
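
The two rate-limiter fixes listed above (locking in check() and cleanup of empty bucket keys) are illustrated here with an added example. It is not the project's own code: the sliding-window design, the class name, sweep() and hammer() are all assumptions made for illustration.

```python
import threading
import time
from collections import deque

class SlidingWindowLimiter:
    """Hypothetical limiter: at most `limit` hits per `window` seconds per key."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = {}                # key -> deque of hit timestamps
        self._lock = threading.Lock()  # guards every read-modify-write of _hits

    def _expire(self, hits, now):
        while hits and now - hits[0] >= self.window:
            hits.popleft()

    def check(self, key):
        """Record a hit for `key`; return True if it is within the limit."""
        now = self.clock()
        with self._lock:
            # Unlocked, two threads could both see limit - 1 hits and both pass.
            hits = self._hits.setdefault(key, deque())
            self._expire(hits, now)
            if len(hits) >= self.limit:
                return False
            hits.append(now)
            return True

    def sweep(self):
        """Delete keys whose buckets have emptied; return the number of keys left."""
        now = self.clock()
        with self._lock:
            for key in list(self._hits):
                self._expire(self._hits[key], now)
                if not self._hits[key]:
                    del self._hits[key]
            return len(self._hits)

def hammer(limiter, key, threads=8, calls=50):
    """Call check() from several threads; return how many calls were admitted."""
    admitted = []
    def worker():
        for _ in range(calls):
            if limiter.check(key):
                admitted.append(1)  # list.append is thread-safe in CPython
    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for t in pool:
        t.start()
    for t in pool:
        t.join()
    return len(admitted)
```

Calling sweep() periodically is what keeps the key table bounded when many distinct clients each make only a few requests.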

Changed

  • DELETE requests now participate in Pydantic request body validation
  • Simplified status code category check to use chained comparison

Removed

  • Unused method parameter from load_target()
  • Unused Node.js setup step from CI test workflow