Release Vasyapp v0.8.0 · suenot/vasyaapp

[0.8.0] - 2026-06-12

Vasyapp now runs in the browser. The same React UI talks to a remote vasya-server over HTTP/SSE instead of the in-process Tauri engine. Self-host it from backend/deploy/; connect with your server URL + a JWT (email/password against the backend) or an access token. Builds can pre-fill the API origin via the VITE_VASYA_API_URL build var.

Date separators in the message list — Telegram-style "Today / Yesterday / 10 June" day dividers between messages of different calendar days.
Rich link previews — pages shared in chat render a card (site name, title, description) instead of a bare "Link Preview" placeholder. vasya-server now extracts the Telegram webPage metadata; the desktop backend still shows the minimal preview (parity pending).

Telegram over a SOCKS5 proxy — set TELEGRAM_PROXY_URL (e.g. socks5://user:pass@127.0.0.1:1080) to route MTProto through an egress when the host's own IP has Telegram blocked. Unset = direct connection (unchanged). Enabled via grammers' proxy feature in vasya-core.

Telegram sessions are now encrypted at rest (ChaCha20-Poly1305). The master key lives in the OS keychain (Keychain / Credential Manager), with a 0600 key-file fallback. Existing plaintext sessions are migrated automatically on first launch and the plaintext file is deleted.
Per-user account isolation on the sync backend: data routes accept a personal JWT and an account is bound to the first user who syncs it; other users get 403. Legacy shared-API-key mode still works unless REQUIRE_USER_AUTH=true.
Rate limiting on backend login/register (per-IP); JWT_SECRET fails fast if set but shorter than 32 chars.
Calls are now behind an off-by-default "Experimental" toggle (VoIP audio is not end-to-end encrypted yet).
Local Whisper is the default STT provider — no audio leaves the device unless you opt into Deepgram.
Tightened CSP (object-src/frame-src 'none', base-uri/form-action 'self').

My QR Code: share your contact via a t.me QR like the native Telegram app (sidebar header → QR icon).
Backend account sign-in/registration in Settings → Storage (issues the JWT used for synced data).

File sending uses raw IPC (binary body) instead of a JSON number array — ~4× smaller bridge payload.

Login phone field now formats per country (libphonenumber as-you-type) like the native Telegram apps — e.g. +998 90 829 55 93 instead of the mis-grouped +9 989 082 95 59 3.

Deepgram API key is no longer embedded in the binary — add your own key in Settings → STT (or use local Whisper)
Validate transcription file paths (must stay inside app data dir)
Mask phone numbers in logs; remove stale .bak/patch files
Allowlist URL schemes in rendered messages (http/https/tg/mailto) — blocks javascript:/data:/file: links
Narrow asset protocol scope to the media directory; disable devtools and withGlobalTauri

Virtualized chat list and message list (@tanstack/react-virtual) — long chats no longer render thousands of DOM nodes
Chat list updates live on incoming messages: preview, unread badge, chat moves to top
Fixed re-render hotspots: proper Zustand selectors, rAF-throttled call audio levels, batched avatar updates, memoized translations, stable hotkey handlers
Autoscroll on new messages only when already near the bottom

The app can no longer be dragged down past the top (document rubber-band) — native WKWebView bounce disabled + CSS overscroll-behavior
Pinch/double-tap zoom of the UI is disabled (in-app image viewer zoom still works)
Media auto-download is viewport-scoped: only photos/stickers/voice actually on screen are fetched; scrolling away cancels queued downloads; tap-to-download jumps the queue