v3.0.6 — security + stability hardening

@mrbizarro mrbizarro released this 31 May 12:45
· 21 commits to main since this release

A hardening release from a full code-review pass. Every fix was adversarially verified and validated against live T2V + character-HQ renders before shipping.

Security

  • CivitAI token leak fixed. The LoRA-download host check (endswith("civitai.com")) also matched lookalike domains, and your CivitAI API token rode through HTTP redirects to any host. The check is now an exact-host allowlist, and a redirect handler strips the auth header the moment a redirect leaves civitai.com. If you've used the CivitAI browser, this one matters.
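
The suffix check beside an exact-host allowlist, with a redirect handler that drops the token once a redirect leaves the allowlist. This is an added Python example, not the project's own code: the allowlisted host names, the Authorization bearer header and every function name are assumptions, and the URLs are constructed.

```python
# Added example, not the project's code. Host names and header are assumptions.
import urllib.request
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"civitai.com", "www.civitai.com"})  # assumed allowlist


def weak_host_check(url: str) -> bool:
    """The pre-fix pattern from the release note: suffix match on the host."""
    return (urlsplit(url).hostname or "").endswith("civitai.com")


def is_allowed_host(url: str) -> bool:
    """Exact-host allowlist, HTTPS only; urlsplit lower-cases the hostname."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    return parts.scheme == "https" and host in ALLOWED_HOSTS


class StripAuthOnRedirect(urllib.request.HTTPRedirectHandler):
    """Drop the token as soon as a redirect target is off the allowlist."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # The stock handler copies request headers, Authorization included.
        new = super().redirect_request(req, fp, code, msg, headers, newurl)
        if new is not None and not is_allowed_host(new.full_url):
            new.remove_header("Authorization")
        return new


def build_request(url: str, token: str) -> urllib.request.Request:
    """Attach the token only when the initial URL passes the exact check."""
    req = urllib.request.Request(url)
    if is_allowed_host(url):
        req.add_header("Authorization", f"Bearer {token}")
    return req


def follow_once(url: str, token: str, location: str) -> urllib.request.Request:
    """Offline simulation: apply the handler to one constructed 302 response."""
    req = build_request(url, token)
    return StripAuthOnRedirect().redirect_request(req, None, 302, "Found", {}, location)


def opener() -> urllib.request.OpenerDirector:
    """Opener for real downloads; replaces the default redirect handler."""
    return urllib.request.build_opener(StripAuthOnRedirect())
```
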

Fixes

  • HDR / IC-LoRA mode revived. It referenced an undefined variable and crashed at startup on every run — it had never actually worked. One-line fix.
  • Image-during-video OOM guard. Generating an image while a video render was in flight could run two heavy GPU jobs at once and kill the video on a memory-constrained Mac. The image request now waits politely until the render finishes.
  • HiDream renders can no longer hang the queue forever (watchdog deadline), and HiDream is now covered by the RAM pre-flight so a too-small Mac gets a clear message instead of an OOM.
  • Stats history is now crash-safe (atomic write — a crash mid-save no longer wipes accumulated data).
  • Smaller: orphaned temp-file cleanup at boot, tighter crash-report file permissions, a Qwen-LoRA family guard, and a CivitAI cert-bundle pin so HTTPS can't break after an update.

Under the hood

  • The helper now reports the exact ltx-2-mlx version it loaded, and warns loudly on a version mismatch — the root cause behind several recent hard-to-diagnose render failures.

Update

Update once from the Phosphene tile. If you're on anything older than v3.0.1, Update twice.