Browse skills — in-app skill store
Settings → Plugins → Skills now has a "Browse skills" section. Search a curated catalog of ~1,900 top skills (scraped from skillsmp.com at release time), sort by stars or recency, and install with one click. The SKILL.md is fetched live from GitHub and dropped into ~/.openyak/skills/<slug>/, picked up by the registry without restarting the app. The catalog itself ships with the backend — zero runtime dependency on a third-party API, no per-user rate limit, and refreshed on every release.
Local API hardening
A round of work on the loopback-bound HTTP server: tighter request authentication, scoped CORS, and a per-run session token written 0600 so another local user on a shared host cannot reach the API. No functional change for typical desktop usage; native consumers (Tauri shell, mobile companion, curl, CI scripts) already speak the right handshakes. The full technical write-up will land once the install base has fully rolled to 1.1.6.
Window, menus, and chat polish
Default window size is now 1360×840 (golden ratio) and re-centers on every cold start — the window-state plugin no longer persists size or position across sessions, so the app opens predictably regardless of what the previous run looked like. The chat workspace pill becomes one-step (click opens the folder picker, inline × clears) and the context / dropdown menu density tightens to match VS Code, Linear, and Raycast (13px text, 6px vertical padding, 14px icons). Multi-step assistant turns no longer render duplicate blocks during streaming, and the new-session route swap stops triggering a whole-page fade-in.
GPT-5.5 default + April leaderboard
The OpenAI subscription provider now defaults to GPT-5.5 (with GPT-5.4 fallback for tiers that haven't rolled it out yet). The intelligence-index leaderboard is refreshed for the April release: GPT-5.5 60.2, Claude Opus 4.7 57.3, Kimi K2.6 53.9, MiMo V2.5 Pro 53.8, GPT-5.2 51.3. Older subscription entries (GPT-5.3 Codex, GPT-5.2, GPT-5.2 Code, GPT-5.1 Codex variants) are removed to keep the dropdown clean.
What 1.1.3 → 1.1.6 was about
1.1.3 shipped the local API hardening, but a CSP regression blocked Tauri's IPC channel and made the desktop app unable to reach its own backend; the auto-updater rides the same channel so it couldn't recover itself either. 1.1.4 fixed the CSP and the cross-origin OPTIONS preflight, but a cached rejected promise in the token resolver poisoned every authenticated call after the first IPC miss. 1.1.5 added retry-with-backoff to the token resolver, which surfaced the deeper problem: the backend was writing the session-token file one directory deeper than the Rust shell was polling, a mismatch that dev mode happened to cancel out. 1.1.6 fixes the path, end-to-end. If you watched the release feed update four times in a day — sorry. They each fixed a real issue; only 1.1.6 has every piece working together.
Upgrading from 1.1.2 (or 1.1.3 / 1.1.4 / 1.1.5)
1.1.4 and 1.1.5 update automatically — the in-app updater itself runs in Rust and never touched the broken token paths, so it stays healthy across all 1.1.x versions. 1.1.2 and earlier likewise auto-update normally. The exception is 1.1.3: its CSP regression blocked the updater's own IPC, so it cannot upgrade itself. If 1.1.3 is what you have, please reinstall by hand from open-yak.com/download. No migrations, no reconfiguration — everything carries over.