GT AI OS Community Edition v2.0.33

Security hardening release addressing CodeQL and Dependabot alerts:

- Fix stack trace exposure in error responses
- Add SSRF protection with DNS resolution checking
- Implement proper URL hostname validation (replaces substring matching)
- Add centralized path sanitization to prevent path traversal
- Fix ReDoS vulnerability in email validation regex
- Improve HTML sanitization in validation utilities
- Fix capability wildcard matching in auth utilities
- Update glob dependency to address CVE
- Add CodeQL suppression comments for verified false positives

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

scripts/migrations/016_add_is_compound_column.sql

@@ -0,0 +1,24 @@
+-- Migration 016: Add is_compound column to model_configs
+-- Required for Compound model pass-through pricing
+-- Date: 2025-12-02
+
+-- Add column if it doesn't exist
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM information_schema.columns
+        WHERE table_name = 'model_configs' AND column_name = 'is_compound'
+    ) THEN
+        ALTER TABLE public.model_configs
+        ADD COLUMN is_compound BOOLEAN DEFAULT FALSE;
+    END IF;
+END $$;
+
+-- Mark compound models
+UPDATE public.model_configs
+SET is_compound = true
+WHERE model_id LIKE '%compound%'
+  AND is_compound IS NOT TRUE;
+
+-- Verify
+SELECT model_id, is_compound FROM public.model_configs WHERE model_id LIKE '%compound%';