diff --git a/.jules/warden.md b/.jules/warden.md index 2e821b3..0acfae9 100644 --- a/.jules/warden.md +++ b/.jules/warden.md @@ -161,3 +161,8 @@ Observation / Pruned: Assessed JULES/BOLT's optimization gracefully handling Express body-parser 4xx client errors (charset.unsupported, encoding.unsupported, request.aborted) by intercepting them and returning explicit 415 or 400 JSON responses. This prevents unhandled errors from falling through to the global error handler and causing 500 Internal Server Error log spam. Precomputed standard JSON buffers were used to avoid repetitive allocation. Ran tests and robustness scripts to verify correct validation edge cases pass. Zero unused files or exports were identified for pruning. Alignment / Deferred: Appended release notes for error handling patch. Version bumped to 1.1.28. +2026-05-01 — Assessment & Lifecycle +Observation / Pruned: +Assessed JULES/BOLT's optimization fixing X-Powered-By header leak on bypassed endpoints. By globally disabling the 'x-powered-by' header via app.disable('x-powered-by'), endpoints like /health that are defined before global security middlewares (helmet) are protected from leaking the framework identifier. The change successfully improves security while saving CPU overhead. Ran tests and verified robustness. Zero dead code identified. +Alignment / Deferred: +Appended release notes for the security fix. Version bumped to 1.1.29. diff --git a/CHANGELOG.md b/CHANGELOG.md index aa56047..b264396 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,7 @@ +## [1.1.29] - 2026-05-01 +### Changed +* **[Security & Performance]:** Fixed an issue where high-frequency endpoints bypassing global middlewares leaked the `X-Powered-By` framework identifier. Globally disabled the header during application initialization, successfully mitigating the leak and saving CPU overhead across all requests. Zero dead code was pruned. + ## [1.1.28] - 2026-04-30 ### Changed * **[Reliability & Security]:** Gracefully handle Express body-parser 4xx client errors (`charset.unsupported`, `encoding.unsupported`, `request.aborted`) by returning explicit 415 or 400 JSON responses instead of falling through to the generic 500 error handler. Precomputed standard JSON responses to optimize error paths. Zero dead code pruned. diff --git a/package-lock.json b/package-lock.json index 5802356..69a8920 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "one-api", - "version": "1.1.28", + "version": "1.1.29", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "one-api", - "version": "1.1.28", + "version": "1.1.29", "license": "MIT", "dependencies": { "compression": "^1.8.1", diff --git a/package.json b/package.json index 3f125cd..d58ba1c 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "one-api", - "version": "1.1.28", + "version": "1.1.29", "description": "One API to rule them all. Unified gateway for 20+ LLM providers. OpenAI-compatible, single binary, zero config.", "main": "src/index.js", "scripts": {
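Review bot: In the `.jules/warden.md` hunk, the new "Observation / Pruned" entry records that `app.disable('x-powered-by')` was added and that tests verified it, but this diff contains no change under `src/` and no test; it only touches the warden log, `CHANGELOG.md`, `package.json` and `package-lock.json`. Reference the commit or file where the disable call and a test asserting the header is absent on `/health` actually live, so the entry is traceable and the claim "endpoints defined before helmet are protected" can be checked rather than taken on trust.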
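Review bot: In the `CHANGELOG.md` hunk, the 1.1.29 entry asserts "saving CPU overhead across all requests" with nothing in the diff to back it; either cite a measurement or trim the line to the user-visible change ("`X-Powered-By` is no longer sent on any endpoint, including routes registered before helmet"). "Zero dead code was pruned" is a process note that belongs in the warden log, not in a release changelog, and since the header is now disabled globally it is worth stating that the helmet-based removal is no longer the only control, so a future reorder of middleware does not silently reintroduce the leak.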