> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tuteliq.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Changelog

> Latest updates to the Tuteliq API

## v1.12.0 — May 2026

### New — Read-only dashboard surface

Four new endpoints under `/api/v1/incidents` give programmatic access to the same data a moderator sees in the Tuteliq dashboard, scoped per API key:

* `GET /api/v1/incidents` — paginated, filterable listing (category, severity, status, source, platform, external\_id, customer\_id, time-window). Cursor-based pagination. Optional `include_summary=true` decrypts the summary text per row (extra credit per row).
* `GET /api/v1/incidents/:id` — full incident detail. Server-encrypted fields decrypted server-side; BYOK fields returned as hybrid envelopes for client-side decryption with the customer's RSA private key.
* `GET /api/v1/incidents/overview` — KPI snapshot over a time window (total, requires-review queue size, 24h/7d/30d totals, counts by category/severity/source/status, top 5 platforms).
* `GET /api/v1/incidents/trends` — time-bucketed counts with per-bucket severity breakdown. Buckets: hour, day (default), week.

Available via [@tuteliq/sdk 2.12+](https://www.npmjs.com/package/@tuteliq/sdk) (`listIncidents`, `getIncident`, `getIncidentsOverview`, `getIncidentTrends`) and [@tuteliq/mcp 3.15.4+](https://www.npmjs.com/package/@tuteliq/mcp) (the four matching tools render as interactive dashboard widgets in MCP hosts).

### Updated — `detect_grooming` 50-turn ceiling

Multi-turn `detect_grooming` calls have a documented ceiling of **\~50 turns per request**. Earlier this month a regression dropped the effective ceiling below 20 turns (the output-token budget was clipping the JSON response mid-`message_analysis` array, causing a parse failure that surfaced as `analysis_status: "engine_error"`). Fixed via an adaptive output budget that scales with conversation length (`base + N × per-turn`, capped at the model's safe output ceiling).

The graceful `engine_error` envelope still exists — beyond the ceiling, callers receive `recommended_action: "flag_for_moderator"` rather than a silent pass. For conversations beyond \~30 turns we recommend chunked sliding windows of 10–15 turns with `continuation_token` carrying trajectory state across calls. See [Grooming detection](/grooming-detection) for the tactic taxonomy and the long-conversation pattern.

### Updated — `meeting_request` as a first-class grooming tactic

`detect_grooming` now returns `meeting_request` as a distinct flag (previously subsumed under `boundary_pushing`). Meeting attempts convert online risk into physical-safety risk and warrant a different operational response — most platforms route them directly to law-enforcement-aware workflows. The full six-tactic taxonomy is documented at [Grooming detection](/grooming-detection).

### New — Composable safety primitives

Documented `cross_endpoint_modifier` and `vulnerability_profile` on `detect_vulnerability_exploitation`. Both fields have been returning real data for months but were undocumented — they let agents amplify sibling detectors' verdicts when a target is identified as vulnerable, and route to vulnerability-dimension-specific intervention workflows. See [Composable safety primitives](/composability) for the worked TypeScript + Python examples.

### Fixed — Account observability endpoints

`/account/consent` and `/account/audit-logs` now respond reliably for accounts with larger or filtered datasets. Both endpoints are part of the GDPR / SOC 2 observability surface and should be considered stable for compliance workflows.

### Fixed — Response key consistency across usage and pricing endpoints

`/usage/monthly`, `/usage/history`, and `/pricing/details` now return snake\_case keys consistent with the rest of the API. SDK consumers no longer need to alias field names; existing snake\_case-aware code works directly.

***

## v1.11.0 — May 2026

### Updated — Credit costs

Per-endpoint credit costs for text-detection endpoints have been updated. See [Pricing & Credits](/credits) for the full table.

**`/analyse/multi`** now uses a `1 base + 1 per endpoint` formula instead of summing per-endpoint costs (e.g. 3 endpoints = 4 credits, 7 endpoints = 8 credits). Server-side execution is parallel via `Promise.allSettled`, so the price reflects the actual wall-clock cost rather than the sum of individual calls.

***

## v1.10.0 — May 2026

### New — Prescreen lexicon for SDK-side filtering

Public endpoint `GET /v1/prescreen/lexicon` returns Tuteliq's curated set of high-precision phrase patterns mapped to category flags. SDKs fetch it on startup, cache by version, and run it **client-side** against content before making an API call. Two wins:

* **Clearly-benign content never leaves the device** (greetings, thanks, small talk → SDK skips the API call entirely)
* **Positive matches are attached as structured hints** on the request via the new `prescreen_flags` field, giving the server a strong prior

v1 covers grooming, distress-signals, bullying, coercive-control, and self-harm crisis indicators in English. Multilingual coverage rolling out in subsequent lexicon versions. See the new [Prescreen Lexicon](/prescreen-lexicon) page for the matching contract and SDK behaviour.

### Improved — Continuation tokens now feed conversation trajectory into the LLM

When a `continuation_token` is supplied, the LLM now receives the derived conversation state (turn count, accumulated categories with max confidence, severity trajectory, last recommended action) as injected context for the new turn. Translation: the model considers escalation patterns across the whole conversation when scoring the new message — without us ever storing the conversation.

This closes the gap between v1.9 (token carries state across calls; response shows trajectory) and the full conversation-aware analysis that was previously only available by re-sending `conversation_history` on every call.

Same five endpoints: `/safety/grooming`, `/safety/distress-signals`, `/safety/bullying`, `/safety/coercive-control`, `/safety/vulnerability-exploitation`.

***

## v1.9.0 — May 2026

### New — Continuation tokens (privacy-first conversation memory)

Five safety endpoints now return a signed, opaque `continuation_token` in every response. Pass it back on the next call to get conversation-aware analysis **without re-sending the conversation history and without Tuteliq ever storing it**. The token IS the analysis state — you hold it, we hold the signature.

* **Supported:** `/safety/grooming`, `/safety/distress-signals`, `/safety/bullying`, `/safety/coercive-control`, `/safety/vulnerability-exploitation`
* **What's in the token:** derived signals only — turn count, accumulated category confidences, severity trajectory, recommended actions
* **What's NOT in the token:** raw text, PII, anything we couldn't already return in the public API response
* **Properties enforced by construction:** per-key binding (cannot be replayed across customers), per-endpoint binding, tamper-evident HMAC, 24h default lifetime, bounded payload size
* New request fields: `continuation_token`, `reset_conversation`, `message_id`
* New response fields: `continuation_token`, `continuation_expires_at`, `state_source` (`token` / `fresh` / `reset`)
* See the new [Continuation Tokens](/continuation-tokens) page for usage, errors, and best practices

`/safety/grooming`'s legacy `session_id` continues to work but is scheduled for deprecation — the continuation token is the privacy-first replacement.

### Backwards compatible

* All existing requests work exactly as before. The new fields are optional.
* If you send a stale or scope-mismatched token, you get a structured `CONTINUATION_TOKEN_*` error and can fall back to one call with `conversation_history` to re-seed.

***

## v1.8.0 — May 2026

### Breaking — Endpoint renamed: `emotional-distress` → `distress-signals`

**`POST /v1/safety/emotional-distress` is removed.** The endpoint is now **`POST /v1/safety/distress-signals`** — request and response shapes are unchanged. Calls to the legacy path return **HTTP 410 Gone** with a JSON body pointing to the new endpoint.

**Why:** EU AI Act Article 5(1)(f) framing. The detector is and always was a content classifier — it identifies linguistic patterns in text that are historically associated with distress. The old name implied emotion recognition, which is prohibited in workplaces and educational institutions outside child-safety contexts. The rename, an updated prompt that explicitly disclaims emotion inference, and a published intended-use scope (safety component for child-safety; not for workplace or general-purpose education monitoring) keep the endpoint inside the Art 5(1)(f) safety exception.

**Action required:**

* Update integrations to call `POST /v1/safety/distress-signals`
* In `/analyse/multi`, change endpoint ID `emotional-distress` → `distress-signals`
* MCP tool renamed: `detect_emotional_distress` → `detect_distress_signals`
* Settings keys (`enabled_endpoints` / `disabled_endpoints`) renamed accordingly

Response shape, categories (`LONELINESS`, `FEELING_UNHEARD`, `OVERWHELM`, etc.), exploitation-risk fields, and the 5-credit cost are unchanged.

### Breaking — Removed: per-customer synthetic profile endpoint

**`GET /v1/safety/synthetic-content/profile/:customer_id` is removed.** The endpoint and the underlying per-customer aggregation have been deleted; stored aggregates have been purged from cache.

**Why:** EU AI Act Article 5(1)(c) social-scoring concern and GDPR data minimisation. A per-natural-person aggregated synthetic-content score retained across detections resembles social scoring when used across unrelated contexts. Removing both the endpoint and the storage closes the retrieval surface and the stored artefact.

**Action required:** If you were polling the profile endpoint, aggregate detection responses on your side instead. The per-call detection endpoints (`/safety/synthetic-content`, `/image`, `/audio`, `/video`) continue to return classifications unchanged.

***

## v1.7.0 — May 2026

### Emotional Distress Detection (Early Warning)

* **`POST /v1/safety/emotional-distress`** — detects pre-vulnerability emotional distress signals before exploitation begins
* Based on criminological research: emotional distress is both a consequence AND a driver of vulnerability to child sexual exploitation
* **12 distress signal categories**: loneliness, feeling unheard, overwhelm, low self-worth, trust-seeking, withdrawal, family conflict, identity distress, academic pressure, sleep disturbance, appetite change, emotional numbing
* **Exploitation risk assessment** — returns per-type vulnerability scores for grooming, sextortion, trafficking, radicalisation, self-harm, and substance use
* **Vulnerability level scoring** — none, low, elevated, high, critical
* Key risk combinations: loneliness + trust-seeking = HIGH grooming risk; family conflict + withdrawal = HIGH trafficking risk; low self-worth + overwhelm = HIGH sextortion risk
* 5 credits per call

### Tech-Facilitated Gender-Based Violence (TFGBV) Detection

* **`POST /v1/safety/tfgbv`** — detects technology-facilitated gender-based violence, rooted in gender inequalities and power imbalances
* **13 TFGBV categories**: image-based abuse, cyber stalking, online harassment, doxing, impersonation, outing, post-separation abuse, sextortion, digital coercion, sexualised deepfakes, gendered hate speech, reproductive surveillance, economic abuse digital
* **TFGBV amplifier assessment** — identifies which technology amplifiers are active: scale, speed, anonymity, permanence, cross-border reach
* **Intersectionality flags** — identifies compounding discrimination factors (LGBTQIA+, disability, racial, etc.)
* Child-specific detection with heightened sensitivity for minors
* 5 credits per call

### Multi-Endpoint Support

* Both new endpoints available in `/analyse/multi` — use endpoint IDs `emotional-distress` and `tfgbv`
* MCP tools: `detect_emotional_distress` and `detect_tfgbv`

***

## v1.6.1 — April 2026

### Credit Pricing Update

All per-endpoint credit costs have been revised to reflect processing complexity more accurately. See [Pricing & Credits](/credits) for the full breakdown.

**Text & Safety Detections:** 5 credits per call (was 1)

* `detectBullying`, `detectUnsafe`, `detectSocialEngineering`, `detectAppFraud`, `detectRomanceScam`, `detectMuleRecruitment`, `detectGamblingHarm`, `detectCoerciveControl`, `detectVulnerabilityExploitation`, `detectRadicalisation`

**Conversation-Based:** 6 credits per 10 messages (was 1)

* `detectGrooming`, `analyzeEmotions`

**Analysis & Guidance:**

* `getActionPlan`: 9 credits (was 2)
* `generateReport`: 13 credits (was 3)

**Media:**

* `analyzeImage`: 7 credits (was 3)
* `analyzeVoice`: 21 credits base + 15 per extra minute over 60s (was flat 5)
* `analyzeVideo`: 95 credits (was 10)
* Voice stream (per flush): 7 credits (was 1)
* Video stream (per frame): 7 credits (was 3)
* `detectSyntheticContent`: 5 credits (was 2)

**Verification:**

* `verifyAge` (full): 20 credits (was 5)
* `verifyAge` (liveness only): 10 credits (new)
* `verifyIdentity`: 25 credits (was 10)

**Document Analysis:**

* `analyzeDocument`: minimum 10 credits (was 3)

### Age & Identity Verification Improvements

* **Liveness-only mode** now charged at 10 credits (reduced from full verification cost)
* **Passport number validation** — passport document numbers are no longer incorrectly validated against national ID formats (e.g., Swedish personnummer)
* **Vision AI OCR fallback** — when Tesseract OCR fails, document fields (name, DOB, document number) are extracted via vision AI and the confidence score reflects the extraction quality
* **i18n for camera overlay** — all liveness challenge text (instructions, blink/smile prompts) now translates correctly when switching languages

***

## v1.6.0 — April 2026

### Multi-Signal Forensic Synthetic Content Detection

The synthetic content detection pipeline has been completely rebuilt into a **multi-signal forensic system** that runs up to 6 independent analysis engines in parallel for images and 5 for video — replacing the previous single-model approach.

**Image Detection — 6-Signal Pipeline:**

* **EXIF Metadata Extraction** — Detects AI generator signatures in EXIF tags, XMP data, and PNG tEXt chunks (Stable Diffusion parameters). Flags suspicious absence of camera metadata (no camera model + no GPS + high resolution).
* **Pixel Statistics** — Shannon entropy, Laplacian edge density, and channel uniformity analysis. GAN images produce distinctive statistical signatures.
* **C2PA Content Credentials** — Detects and validates C2PA manifests from DALL-E 3, Adobe Firefly, Google Imagen. When C2PA declares AI generation, the result is forced to `confirmed_synthetic` with confidence ≥ 0.95.
* **Invisible Watermark Detection** — High-frequency energy analysis, periodic pattern detection at known watermark frequencies, LSB distribution analysis, and corner entropy checks.
* **Perceptual Hashing (pHash)** — DCT-based 64-bit perceptual hash compared against a Redis-backed database of known synthetic content via Hamming distance. Matches force `confirmed_synthetic`.
* **Weighted Signal Aggregation** — All signals aggregated into a weighted ensemble (vision 30%, metadata 15%, pixel stats 15%, C2PA 15%, watermarks 10%, pHash 15%) with fault isolation via `Promise.allSettled`.

**Audio Detection — Spectral Forensics:**

* **Mel Spectrogram Analysis** — FFmpeg generates a mel spectrogram image, analyzed by a dedicated vision prompt for frequency band uniformity, harmonic anomalies, missing breath noise, onset/offset patterns, and aliasing artifacts.
* **Quantitative Audio Statistics** — RMS mean/peak, dynamic range, silence ratio, flat factor, and DC offset extracted via FFmpeg `astats` filter.
* Spectral analysis runs in parallel with transcription. Even speech-free audio can be flagged if spectral patterns indicate synthesis.

**Video Detection — Temporal + Lip-Sync:**

* **Temporal Consistency Analysis** — face-api.js tracks face identity across frames via 128-dimensional descriptor Euclidean distance. Real faces: \< 0.4, deepfakes: spikes > 0.6. Landmark stability measured via eye-to-nose ratio variance.
* **Lip-Sync Correlation** — Mouth openness from 68-point face landmarks correlated against frame-aligned audio energy. Pearson correlation > 0.5 = authentic, \< 0.3 = deepfake. Detects silent mouth movement and voice-without-movement.
* All 5 video analysis tracks (per-frame vision, temporal consistency, lip-sync, spectral, transcription) run via fault-isolated `Promise.allSettled`.

**Account-Level Profiling:**

* **`GET /v1/safety/synthetic-content/profile/:customer_id`** — 30-day rolling window with synthetic count, account score, trend detection (`increasing`/`stable`/`decreasing`), and category distribution.
* Automatic, zero-cost profiling when `customer_id` is provided on any detection request.

**New Response Fields (additive — no breaking changes):**

* Image: `metadata_analysis`, `provenance`, `forensic_signals`, `perceptual_hash`, `known_synthetic_match`
* Audio: `audio_stats`, `spectral_signals`
* Video: `temporal_consistency`, `lip_sync`, `audio_stats`, `spectral_signals`

### Age & Identity Verification Improvements

* **ICAO 9303 MRZ Validator** — Full check digit validation for TD1 (ID cards, 3×30), TD2 (ID cards, 2×36), and TD3 (passports, 2×44) Machine Readable Zones with weighted mod-7 algorithm
* **PDF417 Barcode Reader** — Decodes AAMVA-structured data from US/Canadian driver's licenses via `zxing-wasm` — extracts name, DOB, expiry, document number, address, and more
* **45-Country Document Number Validator** — Algorithmic check digit verification for CPF (Brazil), personnummer (Sweden), Aadhaar (India), Codice Fiscale (Italy), CURP (Mexico), SSN (US), SIN (Canada), TFN (Australia), and 37 more country-specific document formats
* **Visual Liveness Analyzer** — Multi-signal liveness detection: landmark motion analysis, texture analysis (Laplacian variance + moire detection), depth cue analysis (face/background sharpness ratio), and cross-frame consistency checks
* **AI-Powered Document Authenticator** — Vision model analyzes document layout, security features, fonts, color consistency, and photo integration against known templates. Detects screen photos, printout recaptures, and digital manipulation.
* **MRZ/OCR/Barcode Cross-Referencing** — Compares name, DOB, and document number between MRZ, OCR text, barcode data, front and back sides, flagging any inconsistency as potential tampering

***

## v1.5.0 — March 2026

### Document Analysis

* **`POST /v1/safety/document`** — Upload a PDF (max 50 MB, 100 pages) for multi-endpoint safety analysis with per-page detection results
* Supports 8 detection endpoints: `unsafe`, `bullying`, `grooming`, `social-engineering`, `coercive-control`, `radicalisation`, `romance-scam`, `mule-recruitment`
* SHA-256 document hashing for chain-of-custody verification in compliance audits
* Zero-retention processing — no document data stored after response
* Bounded concurrency (3 pages at a time) with text chunking for long pages

### Dynamic Credit Pricing for Documents

* Document analysis uses **per-page, per-endpoint pricing**: `max(10, pages_analyzed × endpoint_count)` (minimum updated in v1.6.1)
* Each page-endpoint combination costs 1 credit
* Minimum charge of 10 credits covers extraction overhead
* Examples: 5 pages × 3 endpoints = 15 credits; 20 pages × 8 endpoints = 160 credits

### Model Refinements

* **TCO Regulation classification** — Radicalisation responses now include EU Regulation 2021/784 Art. 2(7) content classification
* **Self-harm CONTAGION sub-category** — Detects suicide pacts, method sharing, cluster effects, and gateway escalation
* **PII/Doxxing detection** — New PII\_DOXXING category for doxxing threats and digital footprint weaponisation
* **Legacy response normalization** — Bullying, grooming, and unsafe endpoints now include a `normalized` block with a unified response shape matching newer endpoints

***

## v1.4.4 — March 2026

### New Features

* **`country` context field** — Pass an ISO 3166-1 alpha-2 country code (e.g., `"GB"`, `"US"`, `"SE"`) in the `context` object to receive geo-localised crisis helpline data in detection responses. Falls back to user profile country if omitted.
* **Improved action escalation for minors** — All detection endpoints now enforce a minimum `flag_for_review` action when harm is detected and the subject is a minor. Criminal indicators (SEXTORTION, TRAFFICKING, CSAM, DEBT\_BONDAGE, FORCED\_CRIMINALITY, HONOUR\_ESCALATION) targeting minors automatically escalate to `immediate_intervention`.
* **Graduated risk scoring** — Risk scores now use the full 0.0–1.0 range with graduated bands instead of clustering around a single value.
* **Evidence tactic normalization** — Evidence tactic fields are now always returned in SCREAMING\_SNAKE\_CASE format (e.g., `"EMOTIONAL_MANIPULATION"` instead of `"Emotional Manipulation"`).

### SDK Releases

* `@tuteliq/sdk` v2.5.0 — adds `country` context field, graduated risk scoring, tactic normalization
* `@tuteliq/mcp` v3.7.0 — adds `country` context field, minor action escalation, tactic normalization

***

## v1.4.3 — March 2026

### Bug Fixes & Improvements

* **`support_threshold` now works correctly across all 11 detection endpoints** — setting `"critical"` correctly suppresses crisis helplines for High severity results. Previously the parameter was accepted without error but had no effect on the response.
* **`sender_trust: "verified"` fully suppresses `AUTH_IMPERSONATION`** — verified senders no longer trigger impersonation detection. Routine urgency (schedules, deadlines, appointments) is also suppressed. Only genuinely malicious elements (credential theft, phishing links, financial demands) will flag a verified sender.
* **Empty `categories` field in `detect_unsafe` fixed** — stronger prompt enforcement and code-level fallback extraction ensure the categories array is populated when the rationale references specific harms.
* **MCP session recovery** — stale MCP sessions (after Cloud Run deployment or instance recycling) now recover transparently without requiring the client to reconnect.

### Documentation

* Added `support_threshold` behaviour reference to API docs, Node SDK, and MCP README
* Added `sender_trust` effect on scoring to all documentation
* Added `analyse_multi` accepted endpoint values to MCP README and API docs
* Added complete context field reference across all packages

### SDK Releases

* `@tuteliq/sdk` v2.4.0 — adds `confidence` to `AnalyzeResult`, optional `risk_level` to `UnsafeResult`
* `@tuteliq/mcp` v3.5.0 — wires `support_threshold` through all detection MCP tools, shows confidence and support in analyze tool

***

## v1.4.2 — March 2026

### Full EU Language Coverage

* Added 13 new languages: **Romanian** (`ro`), **Greek** (`el`), **Czech** (`cs`), **Hungarian** (`hu`), **Bulgarian** (`bg`), **Croatian** (`hr`), **Slovak** (`sk`), **Lithuanian** (`lt`), **Latvian** (`lv`), **Estonian** (`et`), **Slovenian** (`sl`), **Maltese** (`mt`), **Irish** (`ga`)
* Tuteliq now supports **27 languages** — all 24 EU official languages + Ukrainian, Norwegian, and Turkish
* Enhanced all language entries with grooming indicators, self-harm coded vocabulary, filter evasion techniques, and youth slang coverage
* All new languages are in **Beta** status

***

## v1.4.1 — March 2026

### Language Support Expansion

* Added 4 new languages: **Dutch** (`nl`), **Polish** (`pl`), **Italian** (`it`), **Turkish** (`tr`)
* Tuteliq now supports 14 languages with auto-detection and culture-aware analysis
* Each language includes culturally-specific safety guidelines, slur databases, and prompt calibration
* All new languages are in **Beta** status

***

## v1.4.0 — March 2026

### Age Verification (Beta)

* `POST /v1/verification/age` — verify user age through document analysis and biometric age estimation
* Supports government-issued ID documents (passport, driving licence, national ID)
* Biometric age estimation from selfie photo
* Returns `verified`, `estimated_age`, `age_range`, `confidence`, and `document_type`
* 20 credits per verification (updated in v1.6.1)
* Available on **Pro** tier and above

### Identity Verification (Beta)

* `POST /v1/verification/identity` — confirm user identity with document verification and liveness detection
* Document authenticity checks (MRZ validation, hologram detection, tamper analysis)
* Liveness detection to prevent spoofing (photo-of-photo, screen replay, mask attacks)
* Face matching between document photo and selfie
* Returns `verified`, `match_score`, `liveness_passed`, `document_authenticated`, and `flags`
* 25 credits per verification (updated in v1.6.1)
* Available on **Business** tier and above

### Tier Access

* Age Verification requires **Pro** tier (\$99/mo) or above
* Identity Verification requires **Business** tier (\$349/mo) or above
* Both features are in **Beta** — endpoints and response schemas may evolve

***

## v1.3.0 — February 2026

### Fraud Detection Endpoints

* `POST /v1/fraud/social-engineering` — detect social engineering tactics: pretexting, impersonation, urgency manipulation, authority exploitation
* `POST /v1/fraud/app-fraud` — identify fraudulent app promotion, fake reviews, malicious download links, and clone app distribution
* `POST /v1/fraud/romance-scam` — detect romance scam patterns: love-bombing, financial requests, identity fabrication, isolation tactics
* `POST /v1/fraud/mule-recruitment` — flag money mule recruitment: easy money offers, account sharing requests, laundering language

### Safety Extended Endpoints

* `POST /v1/safety/gambling-harm` — detect gambling harm: underage gambling promotion, addiction patterns, predatory odds, bet pressure
* `POST /v1/safety/coercive-control` — identify coercive control: isolation tactics, financial control, monitoring/surveillance, threat patterns
* `POST /v1/safety/vulnerability-exploitation` — detect exploitation of vulnerable individuals with cross-endpoint vulnerability modifier and vulnerability profile scoring
* `POST /v1/safety/radicalisation` — flag radicalisation indicators: extremist rhetoric, us-vs-them framing, recruitment patterns, dehumanisation

### Multi-Endpoint Analysis

* `POST /v1/analyse/multi` — fan-out a single text to up to 10 detection endpoints in parallel
* Automatic vulnerability modifier: when `vulnerability-exploitation` is included, its cross-endpoint modifier adjusts severity scores across all other results
* Aggregated response with `summary.highest_severity`, `summary.total_credits_used`, and per-endpoint breakdown
* Supports both legacy (bullying, grooming, unsafe) and new detection endpoints

### SDK & Tool Support

* All new endpoints available across all SDKs: [Node.js](/sdks/node), [Python](/sdks/python), [Swift](/sdks/swift), [Kotlin](/sdks/kotlin), [Flutter](/sdks/flutter), [React Native](/sdks/react-native), [.NET](/sdks/dotnet), [Unity](/sdks/unity)
* [CLI](/sdks/cli) — new `detect social-engineering`, `detect app-fraud`, `detect romance-scam`, `detect mule-recruitment`, `detect gambling-harm`, `detect coercive-control`, `detect vulnerability-exploitation`, `detect radicalisation`, and `detect multi` commands
* [MCP Server](/sdks/mcp) — 10 new tools for fraud, extended safety, multi-endpoint analysis, and video analysis

### Tier Access

* New endpoints require **Indie** tier or above (Starter tier retains access to bullying, grooming, and unsafe only)
* All new endpoints cost 5 credits per call (updated in v1.6.1); multi-endpoint costs the sum of individual endpoints

***

## v1.2.0 — February 2026

### Video Analysis

* `POST /v1/safety/video` — upload a video file (mp4, webm, quicktime, avi — max 100MB, 10 min) and receive per-frame vision analysis with flagged timestamps
* Frame extraction powered by ffmpeg with configurable `max_frames` (default 10, max 20)
* Aggregated `overall_risk_score` and `overall_severity` across all frames
* Automatic incident recording and webhook alerts for flagged videos
* 95 credits per video analysis (updated in v1.6.1)

### Video Streaming

* WebSocket voice streaming now supports **video frames** alongside audio
* Send video frames as binary with a `0x01` prefix byte; audio uses `0x00` or no prefix (backward compatible)
* New `frame_analysis` server event with per-frame vision results
* New config options: `enable_video`, `frame_interval_seconds` (min 3s, default 5s)
* `session_summary` event now includes `video_frames_analyzed` count
* 7 credits per video frame analysis (updated in v1.6.1)

### Voice Streaming Enhancements

* Updated authentication: `?api_key=` query param or `Authorization: Bearer` header
* Tier-based connection limits (1 for Starter, up to unlimited for Enterprise)
* Subscription-aware credit tracking per flush
* Heartbeat ping/pong every 30 seconds for stale connection detection

***

## v1.1.0 — February 2026

### Multilingual Support

* **27 languages supported** — English (stable), all 24 EU official languages + Ukrainian, Norwegian, Turkish (beta)
* **Layered auto-detection** — Trigram analysis (franc) confirmed by LLM-based detection for maximum reliability
* **Culture-aware analysis** — Language-specific guidelines for local slang, idioms, and harmful terms injected into classification prompts
* All safety endpoints now return `language`, `language_status`, and `detected_language` fields in responses
* No explicit `language` parameter required — detection is fully automatic

***

## v1.0.0 — February 2026

Initial public release of the Tuteliq API.

### Safety Endpoints

* `POST /v1/safety/unsafe` — detect harmful content across all nine KOSA categories
* `POST /v1/safety/bullying` — dedicated bullying and harassment detection
* `POST /v1/safety/grooming` — conversation-level grooming pattern analysis
* `POST /v1/safety/voice` — audio file transcription and safety analysis
* `POST /v1/safety/image` — image analysis for visual content risks

### Analysis & Guidance Endpoints

* `POST /v1/analysis/emotions` — emotional well-being analysis from text and conversations
* `POST /v1/guidance/action-plan` — age-appropriate guidance and intervention recommendations
* `POST /v1/reports/incident` — structured safety report generation

### Voice Streaming

* `WSS /v1/safety/voice/stream` — real-time voice moderation via WebSocket with configurable severity thresholds

### Webhooks

* `POST /v1/webhooks` — register webhook endpoints for safety alerts and batch events
* HMAC-SHA256 signature verification on all webhook deliveries
* Automatic retry with exponential backoff (3 attempts)

### GDPR Compliance

* `DELETE /v1/account/data` — right to erasure (Article 17)
* `GET /v1/account/data/export` — right to data portability (Article 20)
* `PATCH /v1/account/data` — right to rectification (Article 16)
* Consent management endpoints for granular data processing consent
* Public transparency endpoints: DPA, sub-processors, retention policy

### SDKs & Tools

* [Node.js SDK](/sdks/node) — `@tuteliq/sdk` on npm
* [Python SDK](/sdks/python) — `tuteliq` on PyPI
* [Swift SDK](/sdks/swift) — via Swift Package Manager
* [Kotlin SDK](/sdks/kotlin) — via Maven Central
* [Flutter SDK](/sdks/flutter) — `tuteliq` on pub.dev
* [React Native SDK](/sdks/react-native) — `@tuteliq/react-native` on npm
* [.NET SDK](/sdks/dotnet) — `Tuteliq` on NuGet
* [Unity SDK](/sdks/unity) — via Unity Package Manager
* [CLI](/sdks/cli) — `@tuteliq/cli` on npm / Homebrew
* [MCP Server](/sdks/mcp) — `@tuteliq/mcp` on npm

### Platform

* Credit-based billing with per-endpoint pricing
* Tier-based rate limiting (Free, Basic, Premium, Enterprise)
* API key authentication via Bearer token or `x-api-key` header
* Full KOSA harm category coverage with age-calibrated severity scoring
