● NEXUS AI · CHANGELOG
Back
What's new in Nexus
A live record of every shipped change: features, fixes, and behind-the-scenes work.
For the full git history, see github.com/Thyfwx/nexus.
v5.6.12
PATCHES
2026-06-12
A quality drop for the AI. Nexus now answers about this site and its creator from real facts instead of guessing, admits when it is not sure rather than making something up, and image generation shrugs off rapid or repeated requests without tripping over itself.
— ADDED
- Nexus grounds its answers about the site and its creator in real facts, so it stops filling gaps with guesses.
— PATCHES
- Sharper, more accurate replies. When Nexus does not know something, it now says so instead of inventing an answer.
- Image generation handles rapid or repeated requests more reliably.
v5.6.11
SECURITY
PATCHES
2026-06-10
A pure hardening drop. Nothing new to click, everything underneath got tougher. The owner account picked up a kill switch, the age check moved from the sign-in screen into the backend where it belongs, image generation got a second cap layer, and the backend now tells on itself the moment it breaks. The terms grew the standard protective clauses while we were in there.
— SECURITY
- Owner session kill switch. One call logs the owner out everywhere, instantly, on every device. If an owner login ever leaks, it dies on the spot instead of living out its 30 days.
- The 18+ confirmation is now enforced by the server, not just the sign-in screen. Unfiltered checks the recorded confirmation on every message. People who already confirmed are carried over automatically.
- Image generation gained a per network daily cap on top of the per account one, so a pile of throwaway accounts cannot drain the image budget everyone shares.
- The backend now sends a crash alert the moment anything 500s, so breakage gets fixed before anyone has to report it.
— PATCHES
- The terms picked up the standard protective clauses: a copyright takedown process, indemnification, governing law, and acceptance of risk.
- Removed a leftover dev sign-in button from the lobby that pointed at an endpoint that no longer exists.
- A writing pass across every page. Cleaner titles, cleaner punctuation, same content.
v5.6.10
FEATURES
SECURITY
PATCHES
2026-06-09
Tightened up who can hit the AI and how hard, and moved Unfiltered behind a real sign-in. Guests get capped by the minute and by the day now so nobody scripts the free quota dry, signed in accounts get more room, and Unfiltered wants a Google account plus a one-time age check before it talks. A round of backend hardening landed alongside it, and the public pages got cleaned up so search engines read Nexus as the moderated site it is.
— FEATURES
- Chat limits scale by who you are now. Guests are capped by the minute and by the day, signed in accounts get more room, and the owner runs unthrottled. No single script can torch the free quota everyone shares.
- Unfiltered moved behind a sign-in. You need a Google account and a one-time age check to get in, and guests land on Nexus Core instead.
— SECURITY
- Image generation picked up its own rate cap, so it cannot be hammered the way an open endpoint could.
- Leaderboard writes sit behind an auth check now, on top of the score validation from v5.6.9.
- Session tokens handle unicode names correctly, handles get checked against an allowed character set, and the content security policy dropped unsafe-eval.
— PATCHES
- Reined in the Unfiltered tone. Still crude, still blunt, it just stopped going after real people.
- Fixed the guest pages that still claimed unlimited chat. They do not anymore, because it is not true.
- Reframed the public pages: dropped the 18+ and adult labels but kept every safety and age gate line, so the indexed pages read clean. Privacy and terms caught up with the new caps, the sign-in requirement, and the daily rate counter.
v5.6.9
SECURITY
PATCHES
2026-05-30
A security hardening pass across the terminal and the backend, plus a fix so the boot line always shows the version that is actually deployed. Nothing changed on the surface, the terminal looks and works exactly the same. It just got a lot harder to abuse and honest about its own version.
— SECURITY
- Terminal output is locked down. AI replies and anything you type always render as plain text, never as live markup, so untrusted content cannot slip code into the page.
- The AI got hardened against prompt injection. It treats every message and the whole history as untrusted, refuses to reveal or change its own instructions, and ignores any attempt to flip its rules or its mode.
- Leaderboards validate scores and cap how often you can submit now, so the boards cannot be flooded or stuffed with impossible numbers.
- Rate limiting added across chat and the report endpoints, plus spam limits on the alert webhook, so no single source can hammer the service.
— PATCHES
- The boot line reads the live deployed version straight from the backend now, so it never lags behind the real version again.
v5.6.8
HOTFIX
2026-05-22
The free Gemini 2.5 endpoint throws 503s when it is busy, so the summarizer retries once and then drops to the lighter Gemini 2.5 Flash Lite before it ever gives up. Verified end to end: a 64 word summary back in 8 seconds, no chatty opener, no empty title.
— PATCHES
- Summary calls wrap in a retry chain: one retry with a one second backoff on a 503 or 429, then a fall back to Gemini 2.5 Flash Lite, also free and rarely throttled. The full Flash endpoint stalls under load, Lite picks up the slack.
- Clearer message when both models are tapped out: "Summary service is busy. Try again in a minute." instead of the old blank "No summary returned."
v5.6.7
HOTFIX
2026-05-22
v5.6.6 shipped with the TL;DR button still cutting off after one line. Turned out Gemini 2.5 Flash burns its token budget on hidden reasoning before it writes a word, so the fix was to switch that off for summaries.
— PATCHES
- Summaries tell Gemini 2.5 Flash to skip its internal thinking step now and spend the whole budget on visible text. A five sentence summary does not need chain of thought. Full summaries come back instead of a single fragment, and the output ceiling went up to 512 for headroom.
v5.6.6
PATCHES
2026-05-22
The TL;DR summarizer moved to free Gemini 2.5 Flash with a 24 hour cache, so portfolio summaries stopped costing anything and the daily cap jumped to 100. The prompt got tightened too, no more chatty openers.
— PATCHES
- Summarizer swapped from paid Gemini 2.0 Flash to free Gemini 2.5 Flash. Same quality, zero cost per call, which is what made the higher cap possible.
- Summaries sit behind a 24 hour KV cache now, so re-summarizing the same page is instant and free. The input cap dropped from 50K to 8K characters to stay inside the model budget.
- TL;DR button stopped opening with "okay, so this post is called ...". The frontend hands the Worker the page's real H1 as a dedicated title field, and the prompt has hard rules against conversational openers like "okay", "so", "alright", "basically", and "well". The cache key includes the title now, so pages with similar bodies stop colliding.
- Daily summarize cap raised from 30 to 100 per visitor a day. Cache hits still cost nothing, and the free Gemini 2.5 quota is comfortable at that rate.
- JSON-LD, nav, header, and footer get stripped from the page before it reaches the model, so the 8K budget goes to the actual article instead of markup.
v5.6.5
FEATURE
PATCHES
2026-05-17
Mancala joins as the eighth game. Nexus Invaders gets a cleaner full bleed look, the PWA picks up a fresh icon set, and a JSON-LD and AdSense compliance pass tightens how the standalone pages show up in search.
— FEATURES
- Mancala, the eighth Nexus game. Click a pit on your side to sow the stones counter-clockwise, capture when your last stone lands in an empty pit of yours sitting across from a loaded enemy pit, and take another turn whenever it drops in your store. The AI runs minimax with alpha-beta pruning at three depths: 1 for Easy, 4 for Medium, 6 for Hard. Beat Hard to build a win streak, a loss or a draw resets it, and the Hard streak gets its own tab on the public leaderboard.
— PATCHES
- Nexus Invaders cleaned up. The canvas fills the whole frame now, with the close button, the exit bar, and the nested boxing all stripped out. Standalone difficulty caps at wave 6.
- PWA icons redesigned to match the magenta brand mark, across the manifest and the login page references.
- JSON-LD structured data added so search engines read the pages as real apps and articles, not loose text.
- Privacy policy expanded with explicit AdSense, Google Funding Choices, and CCPA plus US state disclosures, closing out the AdSense compliance pass.
v5.6.4
FEATURES
PATCHES
CLEANED UP
2026-05-17
Nexus Invaders rebuilt from scratch with power-ups, boss waves, and pixel-art aliens. Lobby redesigned with auto-redirect for signed-in users. Full AdSense SEO pass across every page. Speed test download fixed. Security issue resolved.
— FEATURES
- Nexus Invaders rebuilt. Pixel-art alien sprites (4 types), starfield backgrounds that change per wave, entrance animations, 6 wave formations (grid, V, diamond, scatter, walls, heavy). Power-up drops from killed enemies: Rapid Fire, Spread Shot, Shield, Score x2, Pulse. Grab the same power-up twice to make it permanent for the run. Mini-boss every 3 waves, big boss every 9 waves with health bars and aimed shots.
- Lobby redesigned. Signed-in Google users skip the lobby and go straight to the terminal. Guests see a clean single-box layout with a "What's Inside" feature card. Subtitle updated to explain what Nexus is instead of flavor text.
- AdSense SEO: sitemap.xml created, canonical URLs on all pages, meta descriptions on all pages, Open Graph tags on all pages, JSON-LD structured data on portfolio, internal footer nav linking pages together.
- Portfolio expanded. About section beefed up. All 6 project cards have detailed second paragraphs. 30 rotating tech tips (random on each refresh). Footer nav with 5 links to Nexus pages.
- Speed test educational content section added below the test explaining what download, upload, latency, and jitter mean in plain language.
- Typing test now has a static description above the UI for search engines to index.
- Nexus Worker version display now updates automatically from wrangler.toml environment variable.
- Mobile page rewritten with honest copy instead of a redundant feature bullet list.
— PATCHES
- Speed test download was showing 0.0 Mbps. The Worker's crypto.getRandomValues call exceeded the 65,536-byte limit. Fixed by filling the array in chunks.
- Terms modal in the lobby still referenced "home server" and "developer's machine" from the old Render era. Updated for Cloudflare Worker reality.
- Portfolio content cleaned. Em dashes replaced with periods throughout visible text. Tech tips simplified from jargon to plain language.
- Lobby auto-redirect clears stale guest data so returning guests get a fresh login screen instead of broken state.
— CLEANED UP
- Visitor tracking script removed from portfolio (main.js). Was collecting IP addresses via ipinfo.io and device specs, then POSTing to a telemetry endpoint. Triggered Google Safe Browsing "deceptive pages" flag. Cloudflare Analytics handles visitor stats now.
- Leaderboard link removed from all standalone page footers. Leaderboard is only accessible from inside the terminal sidebar.
v5.6.3
FEATURES
PATCHES
CLEANED UP
2026-05-15
Game modal redesigned with a frameless, wider look: more room for the canvas and side ad rail. Invaders gets mouse-aim + click-to-shoot. Breakout fixed (was launching but never rendering). Breach Protocol retired.
— FEATURES
- Game modal redesigned: frameless translucent shell, slim header, floating close button. Max width bumped from 660 → 880 px (1040 px when an ad rail is showing) so canvases breathe and ads have real estate.
- Invaders: mouse aim and click-to-shoot. Move the mouse to slide the player, click to fire. Arrow keys + spacebar still work as a fallback.
— PATCHES
- Breakout: game launches and actually plays now. The render loop was never being kicked off after the difficulty pick (missing requestAnimationFrame call).
- Breakout: stop function now cancels the correct animation frame handle. Was leaving the old loop running across game switches.
— CLEANED UP
- Breach Protocol retired. The hex-code memory game had a 300-point score ceiling and didn't add much to the lineup. Sidebar drops from 8 games to 7. Leaderboard tab removed.
v5.6.2
FEATURES
SECURITY
PATCHES
CLEANED UP
2026-05-15
PWA install support, typing test expansion, device fingerprinting, Cloudflare security hardening, Worker migration complete, Discord bot integration. Plus instant PWA update propagation and edge-cache stale-page fixes.
— FEATURES
- PWA support: Nexus can now be installed as a desktop app. Manifest, service worker, and icons added. Works on Chrome, Edge, Safari.
- PWA self-updating: every standalone page (changelog, about, terms, privacy, leaderboard, speedtest, typing, etc.) now auto-checks for service worker updates and reloads when a new SW takes over. Future updates roll out instantly with no hard-refresh needed.
- Typing test: "impossible" difficulty: literary prose, legal language, scientific text, complex punctuation. 368 total sentences across 4 difficulties.
- Typing test: 200-word count option. Auto-finish when last word is typed. Visible "submit to leaderboard" button on results screen.
- Cloudflare Worker: 48+ endpoints now live: image generation proxy, lockout system, moderation alerts, rate limiting (15/min browser, 10/min bot), origin gate.
- Discord bot integration ready: Nexus Core personality available via API with shared-secret auth. Other modes redirect users to the website.
— SECURITY
- Device fingerprinting: non-identifying device hash for ban enforcement. Prevents ban evasion via guest mode, network switching, or cookie clearing.
- Content Security Policy headers on both frontend sites (portfolio + Nexus).
- HSTS preload submitted: thyfwxit.com pending inclusion in browser preload lists.
- Certificate Transparency Monitoring enabled: alerts if someone issues a cert for thyfwxit.com.
- AI bot blocking: all known AI training crawlers blocked on all pages.
- AI Labyrinth enabled: traps scraper bots in generated content.
- Hotlink protection: prevents other sites from embedding images.
— PATCHES
- Ban bypass closed: guest mode, network switching, and cookie clearing no longer bypass account bans. Three-layer enforcement: email + IP + device fingerprint.
- Duplicate Discord logs: dedup guard prevents the same message from being logged twice within 5 seconds.
- Worker API responses now include X-Robots-Tag (noindex), X-Content-Type-Options (nosniff), HSTS, Referrer-Policy, and Permissions-Policy headers.
- Nexus AI Core ping diagnostic rewritten for Cloudflare Worker. The portfolio was still showing Render-era "cold start / spinning down" copy.
- Proxmox status dot + last-checked timestamp restored. A security pass had blocked the uptime.thyfwxit.com fetch via CSP.
- Normal-refresh always shows fresh content now. Service worker rewritten as network-first for HTML; HTML pages set to no-cache; pwa.js bootstrap forces SW update on every page load.
- sw.js and manifest.json now exempt from 30-day edge cache. Prevents future PWA updates from getting stuck behind stale Cloudflare cache entries.
- Cloudflare edge cache purged for previously-stuck sw.js (was serving the old cache-first SW for 19+ hours after the fix was deployed).
- Portfolio main.js, style.css, and adblock_recovery.js gained cache busters. They were holding old code in browsers for 30 days.
— CLEANED UP
- nexus-evil-proxy Worker deleted from Cloudflare. All references cleaned from code and CSP.
- Stale "thyfwxit" Pages project deleted (old manual deploy, 2 months unused).
- Keepalive GitHub workflow deleted: Workers have zero cold start. Was a Render-only workaround that was firing exit-22 failures every 14 minutes from Bot Fight Mode.
- Every Render reference scrubbed from project docs, internal memory, ping diagnostics, and about page. Backend has been Cloudflare-only since 2026-05-14.
v5.6.1
FEATURES
PATCHES
REMOVED
2026-05-12
Typing test (NEXUS TYPE) standalone page, ban page with ads, 18+ age gate, DevPanel ban management, shared link lobby redirect, AI disclaimer.
— FEATURES
- NEXUS TYPE: standalone typing test page with easy/normal/hard difficulty, real sentences, punctuation and numbers toggles, personal best tracking, leaderboard submission.
- Ban page (banned.html): dedicated page for permanently banned users with explanation, appeal info, and AdSense ads.
- 18+ age gate modal: non-owner Google users must confirm they are 18 or older before accessing the terminal. Logged to backend.
- DevPanel account ban tab: list, ban, and unban Google accounts by email directly from the owner panel.
- Ban check on page load: banned accounts automatically redirected to the ban page.
- Shared link redirect: anyone opening thyfwxit.com/nexus/ directly (bookmarks, shared links) goes through the lobby first.
- AI disclaimer bar in terminal: permanent warning about AI accuracy and personal data. Matches terminal theme.
- AdSense on about, changelog, and leaderboard pages.
- robots.txt at domain root for AdSense crawler.
- Cloudflare Worker foundation deployed (nexus-api): AI chat working, zero cold starts. Migration from Render in progress.
— PATCHES
- Cross-origin auth: revealTerminal() crash on login.html fixed for 18+ gate flow.
- Typing test restart: fixed state cleanup so tests can be repeated without page reload.
- Portfolio mobile: single-column status grid, accessibility bottom sheet with no scrollbar, tighter spacing.
- Nexus preview on portfolio: removed fake boot words, shows live data, "open full console" references removed.
— REMOVED
- "Open Console" buttons from portfolio: entry point is now PING + Enter Nexus only.
v5.6.0
FEATURES
PATCHES
CLEANED UP
2026-05-09
Backend moved to api.thyfwxit.com (same-site cookies), server-side OAuth fallback, Speed Test as standalone page with ads, Maintenance Hub redesigned, cross-origin auth fixed.
— FEATURES
- Backend moved to api.thyfwxit.com (DNS CNAME). Cookies now flow correctly without 3rd-party blocking.
- Server-side Google OAuth redirect flow as a fallback when the popup library is blocked by ad blockers or privacy settings.
- Speed Test moved to its own standalone page (speedtest.html) with side-rail ads on desktop and top/bottom ads on mobile.
- Speed Test results now show human-readable notes for each metric (e.g. "4K streaming, no bottleneck" for 200+ Mbps).
- Maintenance Hub redesigned with dashboard layout, tappable info tips, live mode updates, and CPU architecture detection.
- Standalone pages (privacy, terms, about, changelog, leaderboard, speedtest) now have consistent footer navigation.
- AdSense ad units wired on speedtest.html and leaderboard.html.
- ads.txt added at domain root for AdSense full account approval.
— PATCHES
- Owner cookie never being set in production: auth fetch was missing credentials:'include' on cross-origin requests.
- Image quota header showing 0/5 for owner: same credentials:'include' bug on the quota poll.
- Server info showing "?" for city: now maps country codes to full names and hides unknown cities.
- Login status messages cleaned up ("Signing in..." instead of "SYNCHRONIZING IDENTITY...").
— CLEANED UP
- Speed Test button from sidebar tools (access via Maintenance Hub only now).
v5.5.1
FEATURES
PATCHES
CLEANED UP
2026-05-08
AdSense wired in, ad-loop bugs fixed, moderation patterns hardened, three game bugs squashed.
— FEATURES
- Google AdSense bootstrap script integrated for monetization (publisher ID + ad-block recovery).
- AI Profile rebuilt with 4 tabs: IDENTITY · MEMORY · MODE · TOOLS.
- System Settings rebuilt with 4 tabs: VISUAL · TEXT · INPUT · AUDIO + automatic OS-preference detection (reduce-motion, contrast, etc.).
- Hard refusal policy now applies in every chat mode for critical content.
— PATCHES
- Pong crash on game-over (submitScore was undefined).
- Wordle physical keyboard now works (Backspace, Enter, A-Z).
- Snake cells no longer visually overlap the wall border.
- Critical-content moderation: 18/18 prompts caught (was 5/18). New patterns for arson, kidnapping, body disposal, school violence.
- Cross-domain cookies now work on production (SameSite=None on HTTPS). Owner DevPanel API endpoints stop returning 403 after re-login.
— CLEANED UP
- Critical-lockout auto-redirect to dedicated locked page (caused a tight reload loop with rehydrate-on-boot).
v5.5.0
FEATURES
MODERATION
SFW PIVOT
2026-05-07
Major SFW pivot: NSFW image generation removed entirely. ComfyUI retired. Replicate becomes the paid SFW image generator. AdSense-eligible build.
— FEATURES
- Replicate Flux-schnell as the primary paid SFW image provider ($0.003 per image, $15/mo cap).
- Dedicated lockout page (
/nexus/locked.html) with countdown timer and access-restoration UI.
- Combined strike counter: NSFW + hostility tracked together. Three strikes triggers escalating lockout. Slurs hit 30-min lockout instantly.
- Unfiltered chaos rage system with role-aware rates and smart lockout ladder.
- Discord moderation webhook severity routing (silent for low/medium, owner-mention for high/critical).
- Live commit-status indicator on portfolio Nexus preview (sandbox-ahead-of-main shows as ONGOING).
— SFW PIVOT
- All explicit/NSFW image generation system-wide. Image generation is now SFW only in every mode.
- ComfyUI provider entirely (was running on GTX 1070 Ti home GPU).
- Coder and Education modes can no longer generate images (per topic-lock policy).
v5.4.x
EARLIER
~2026-04
DevPanel cleanup, lobby v5.2.6 lock, sandbox/main worktree workflow, image gen tier system, accessibility kernel.
- Detailed release notes for older versions are being backfilled. See commit history for now.