- Add user_id parameter to ContextManager
- Check database for user-specific prompts before filesystem
- Pass user_id from RequestHandler to ContextManager
- Update autoselect prompt loading to respect user-specific prompts
- All authenticated requests get user-specific prompts when available
- Global tokens skip database lookup entirely

- Make user_rotations.html and user_autoselects.html identical to admin templates
- Remove global config fallback for database users in handlers
- Separate provider/rotation visibility: users only see their own, admin only global
- Update version to 0.99.38

The /tmp directory often doesn't allow web servers to create subdirectories. Now uses:
- Config admin: ~/.aisbf/temp_uploads/
- Database users: ~/.aisbf/user_auth_files/{user_id}/temp_uploads/

This ensures uploads work in all environments including restrictive web server configurations.

5MB chunks were still hitting reverse proxy limits for some configurations. 1MB is universally supported and will work with nginx, Cloudflare, and all other reverse proxies with default configurations.

Fixed mismatch between config object names and status element IDs:
- kiro_config → kiro
- kilo_config → kilo
- claude_config → claude
- qwen_config → qwen
- codex_config → codex

- Auto-expands the provider details panel when selecting a file to upload
- Prevents TypeError: Cannot set properties of null (setting 'innerHTML')
- Upload status is always visible after you select a file

- Added generic chunked upload handler (5MB chunks)
- All 5 provider upload functions now use chunked upload endpoint
- Progress percentage displayed during upload
- No more 413 Request Entity Too Large errors
- Supports very large files including multi-GB SQLite databases
- Uses existing chunked upload backend endpoint

The following functions were missing from providers.html:
- uploadKiroFile()
- uploadKiloFile()
- uploadClaudeFile()
- uploadQwenFile()
- uploadCodexFile()

All credential file uploads now work correctly with proper status handling and configuration updates.

The bug was that the upload handler was checking request.session.get('user_id') directly instead of using the proper authenticated user_id from request.state. When API authentication was also active, the middleware would set request.state.user_id which was being ignored.

Now correctly uses:
current_user_id = getattr(request.state, 'user_id', request.session.get('user_id'))

This respects both session authentication and API authentication state while properly identifying the config admin from aisbf.json who has no user_id.

- Replaced all is_config_admin checks to properly check role == 'admin'
- Fixed 19 occurrences throughout the codebase
- Config admin file uploads now save to filesystem instead of database
- This fixes credential file uploads for aisbf.json defined admin users

- Added md5 filter to Jinja2 templates for Gravatar
- Added popup=1 parameter to OAuth2 URLs
- Added persistent oauth2_popup_mode session flag
- Both Google and GitHub OAuth flows now properly detect popup mode
- Callback now correctly sends postMessage to opener window
- Popup closes automatically and main window redirects to dashboard

OAuth2 signup/login endpoints (/auth/oauth2/google, /auth/oauth2/github) now work correctly when API authentication is enabled. API authentication should only apply to LLM proxy endpoints, not authentication/signup routes.

Fix: Model performance Type column now shows provider type (kilo, claude, qwen, etc) instead of generic 'Provider Model'

- Added fallback logic to get provider/model combinations from token_usage table
- Added context dimension recording in request success path
- Model performance now displays data even if context_dimensions table is empty
- Skip providers with zero requests in selected time range

- Simplified get_cost_overview to use tokens from provider stats (which already respect date range)
- Removed redundant get_token_usage_by_date_range call
- Cost overview now properly reflects selected time period filter

- Added from_datetime and to_datetime parameters to get_model_performance()
- Added from_datetime and to_datetime parameters to get_optimization_recommendations()
- Model performance now uses date-filtered provider stats instead of all-time stats
- All analytics sections now respect the selected time range filter
- Added optimization_savings placeholder to template context