309 Commits

Author SHA1 Message Date
Diego Rodrigues de Sa e Souza 3432dfd280 Release v3.6.9 (#1404)
Build Electron Desktop App / Validate version (push) Failing after 35s
Build Electron Desktop App / Build Electron (macos-arm64) (push) Has been skipped
Build Electron Desktop App / Build Electron (linux) (push) Has been skipped
Build Electron Desktop App / Build Electron (macos-intel) (push) Has been skipped
Build Electron Desktop App / Build Electron (windows) (push) Has been skipped
Build Electron Desktop App / Create Release (push) Has been skipped
Build Electron Desktop App / Publish to npm (push) Has been skipped
* test: resolve typescript strictness complaints in unit tests

* Update Claude Code obfuscation to version 2.1.114 (#1403)

* fix(cloud-code): scope thinking stripping to executor boundaries (#1401)

* fix(cloud-code): scope thinking stripping to executors

* fix(cloud-code): guard antigravity normalized body

* Update Claude Code obfuscation to version 2.1.114

- Update Claude Code version from 2.1.87 to 2.1.114
- Update X-Stainless-Package-Version from 0.80.0 to 0.81.0
- Add new beta flags: redact-thinking-2026-02-12, advisor-tool-2026-03-01, advanced-tool-use-2025-11-20
- Add missing headers: anthropic-version, anthropic-dangerous-direct-browser-access, x-app, X-Stainless-Timeout
- Add all X-Stainless-* headers (Arch, Lang, OS, Runtime, Runtime-Version, Retry-Count)
- Fix accept-encoding header: identity -> gzip, deflate, br, zstd
- Add connection: keep-alive header
- Update tool name mapping: add lsp, apply_patch, websearch

These changes ensure that requests from OpenCode through Omniroute are indistinguishable from genuine Claude Code 2.1.114 requests, allowing proper authentication with Anthropic's API without triggering extra credits errors.

* fix: resolve CodeQL password hash alert and TruffleHog CI failure

---------

Co-authored-by: Randi <55005611+rdself@users.noreply.github.com>
Co-authored-by: Diego Rodrigues de Sa e Souza <8016841+diegosouzapw@users.noreply.github.com>
Co-authored-by: Nikolay Popov <ekklesio.dev@gmail.com>
Co-authored-by: diegosouzapw <diegosouzapw@users.noreply.github.com>

* fix(claude-code): scope obfuscation to cli clients and fix tests

* docs(workflows): enforce PR merge instead of manual close

* docs(changelog): update 3.6.9 notes with missing PR 1403 and fixes

* docs(workflows): update generate-release to use full changelog for PR body

* fix(tsc): silence baseUrl deprecation warnings for TS 5.5+

* fix(chatcore): apply proactive compression before provider translation (#1406)

Integrated into release/v3.6.9

* docs(changelog): add PR 1406

* Makes text visible in dark-mode (#1409)

Integrated into release/v3.6.9

* docs(changelog): add PR 1409

* chore: save local work

* chore(release): sync version references to 3.6.9

* fix(codex): prevent proactive token refresh consumption and strip background parameter

* ci: shard long-running suites and relax timeouts

* ci: allow manual CI dispatch for release branches

* feat(skills): provider-aware marketplace UX, scored AUTO injection, and memory pipeline hardening (#1411)

* fix/400 for GeminiCLI(add "ref" in GEMINI_UNSUPPORTED_SCHEMA_KEYS)

* feat(cc-compatible): align request shape with Claude CLI

* fix(cc-compatible): add Claude CLI system skeleton for OpenAI input

* preserve reasoning when translating chat to responses (#1414)

Integrated into release/v3.6.9

* fix(skills): optimize AUTO scoring and include Responses input context (#1418)

Integrated into release/v3.6.9

* chore: fix TS errors and update review-prs workflow

* fix(api): stop sending unsupported Gemini and Codex parameters

Prevent Gemini request translation from injecting default
thoughtSignature values that the upstream API strictly validates and
rejects. Only preserve real signatures resolved from prior upstream
responses, and strip additionalProperties from Gemini function schemas
to avoid 400 "Unknown name" errors.

Also remove fallback-injected session_id and conversation_id fields
before sending Codex requests, and restore compatibility with the
legacy OUTBOUND_SSRF_GUARD_ENABLED flag when determining whether
private provider URLs are allowed.

Updates the Gemini translator and regression tests for issue #1410
and related 400 error cases.

* fix(core): stabilization fixes for token refresh, usage translation, and testing

- Update Codex token refresh detection logic
- Mark provider connections invalid on unrecoverable refresh error
- Fix Claude usage translation under-reporting cached tokens
- Update test expectations
- Update CHANGELOG.md for v3.6.9

* fix(auth): reload fresh token state and unify expiry persistence

Refresh checks now re-read the latest stored provider connection before
attempting rotation so they do not use stale refresh tokens captured by
an earlier sweep.

Token updates also persist both expiresAt and tokenExpiresAt across the
health check, usage-limit refresh path, and SSE refresh flow. This keeps
known token expiry metadata in sync and avoids interval-based refreshes
for connections whose tokens are still valid well into the future.

* fix: resolve SSRF environment static evaluation bug (#1427)

Fix import aliases and strict TS typings for tests and ACP agents.

* test: resolve remaining strict type errors in test files

* test: fix provider service assertion for anthropic-compatible header

* fix(codex): respect openaiStoreEnabled setting during native passthrough (#1432)

* fix(codex): fix token refresh unrecoverable detection for expired tokens

* fix(ci): restore release v3.6.9 build and flaky tests

* fix(cc-compatible): trim default OpenAI system skeleton (#1433)

Integrated into release/v3.6.9

* fix: prevent masked API keys from being written to CLI tool configs (#1435)

* feat: mark Qwen provider as deprecated and add deprecation warning to CLI tool (#1437)

* docs(changelog): comprehensive v3.6.9 update with all 59 commits since v3.6.8

* test(ci): align qwen guide settings assertions

* fix(security): resolve CodeQL alert 163 for incomplete URL sanitization in Qwen CLI settings

---------

Co-authored-by: diegosouzapw <diegosouzapw@users.noreply.github.com>
Co-authored-by: Nikolay Popov <74762779+nikolay-popov-ideogram@users.noreply.github.com>
Co-authored-by: Randi <55005611+rdself@users.noreply.github.com>
Co-authored-by: Nikolay Popov <ekklesio.dev@gmail.com>
Co-authored-by: Paijo <14921983+oyi77@users.noreply.github.com>
Co-authored-by: Tim Massey <tim-massey@users.noreply.github.com>
Co-authored-by: Paijo <oyi77@users.noreply.github.com>
Co-authored-by: dail45 <dail45@yandex.ru>
Co-authored-by: R.D. <rogerproself@gmail.com>
2026-04-19 19:50:30 -03:00
Benson K B 4a560c0b1c feat(cli): add direct config save for Qwen Code (#1394)
Integrated into release/v3.6.9
2026-04-18 10:59:11 -03:00
Benson K B 891189bbf3 feat(cli): derive Claude CLI model defaults from provider registry dynamically (#1393)
Integrated into release/v3.6.9
2026-04-18 10:49:34 -03:00
diegosouzapw 7bc4ac1833 fix: Type error in Header electronAPI 2026-04-18 04:59:17 -03:00
diegosouzapw 7e1e0e362e feat: implement #1350 #1367 #1369 — persistent API key, backup pruning, GPU optimization
#1350 — Persist API-Key via Docker volume:
- isValidApiKey() now checks OMNIROUTE_API_KEY/ROUTER_API_KEY env vars
  before querying SQLite, making keys survive container restarts/restores
- Env-var keys bypass DB entirely — no regeneration needed

#1367 — Limit Database Backup Count:
- Already implemented: UI controls (keepLatest, retentionDays) in
  SystemStorageTab + backend cleanupDbBackups() with DB_BACKUP_MAX_FILES
- Closed as already resolved

#1369 — Reduce GPU usage:
- Removed backdrop-blur-xl from Sidebar.tsx and Header.tsx
- Made --color-sidebar CSS vars fully opaque (eliminates GPU compositing)
- Added data memoization to RequestLoggerV2/ProxyLogger via
  logsSignatureRef — skips setLogs when data unchanged (~80% fewer re-renders)

Tests: 36/36 pass, typecheck:core pass
2026-04-18 04:54:59 -03:00
diegosouzapw 4ea123a2c0 build(next): tighten standalone tracing and ignore runtime fs lookups
Trim standalone output by excluding repository-only directories from Next
file tracing and mark runtime path resolution with turbopackIgnore so
build analysis does not treat host-specific files as bundled assets.

Align the proxy debug toggle with the current change handler signature to
avoid incorrect state transitions during settings updates.
2026-04-17 23:48:37 -03:00
diegosouzapw a3d1dc6cf9 fix(api): support image-only models and authless search providers
Allow image generation requests to omit prompts for models that only
accept image input, and validate required inputs from model metadata
instead of enforcing a text prompt for every request.

Treat authless search providers as executable with built-in defaults so
SearXNG can run without stored credentials, including during provider
auto-selection.

Also align runtime support with Node.js 24 LTS, harden thinking tag
compression and proxy wildcard matching, and update tests for the new
route and runtime behavior.
2026-04-17 18:45:32 -03:00
diegosouzapw ea67216bf2 refactor: Split CLI runner and decouple migration engine for extensibility
Closes #1358
2026-04-17 17:02:00 -03:00
diegosouzapw 1e3ac5fff7 feat: add CC Compatible connection-level 1M context toggle
Closes #1357
2026-04-17 16:59:18 -03:00
diegosouzapw 8cf78ddf00 feat(auth): enforce dashboard sessions for management routes
Require dashboard session cookies on protected management APIs and
reject bearer API keys with explicit 403 responses to prevent
privilege escalation across provider, settings, and model alias routes.

Add a dedicated payload rules management surface with dashboard UI,
OpenAPI documentation, route normalization, and tests for hot-reloaded
runtime updates.

Consolidate provider catalog metadata for dashboard pages, add
Perplexity web-cookie provider support, retire the legacy provider
creation page, and improve upstream proxy handling.

Harden startup and runtime behavior by moving cloud sync bootstrap to
server instrumentation, skipping background services during build/test,
making models.dev sync abortable, pruning isolated build artifacts, and
improving DB backup and recovery safeguards.
2026-04-17 16:45:27 -03:00
diegosouzapw 4ae488b25b feat(runtime): add hot-reloadable guardrails and model diagnostics
Introduce a runtime settings layer that hydrates persisted config at startup
and reapplies aliases, payload rules, cache behavior, CLI compatibility,
usage tuning, and related switches when settings change or SQLite updates.

Replace the legacy prompt injection middleware path with a guardrail
registry that supports prompt injection detection, PII masking, disabled
guardrail overrides, and post-call response handling across the chat
pipeline.

Add a metadata registry for model catalog and alias resolution so catalog
endpoints return enriched capabilities plus diagnostic headers and typed
alias errors instead of ad hoc responses.

Convert unsupported built-in web_search tools into an OmniRoute fallback
tool, execute them through builtin skills, and preserve Responses API
function call output with sanitized usage fields.

Centralize provider header fingerprints for GitHub, Cursor, Qwen, Qoder,
Kiro, and Antigravity, and migrate management passwords from env or
plaintext storage into persisted bcrypt hashes during startup and login.
2026-04-17 11:56:52 -03:00
diegosouzapw dc6d9e2e4b feat(core): add payload rules, tag routing, and scheduled budgets
Introduce runtime-configurable payload mutation/filter rules with file
reload support and a settings API so upstream request bodies can be
customized per model and protocol without restarts.

Expand search support with Google PSE, Linkup, SearchAPI, and SearXNG,
including validation, routing, analytics costing, MCP schema updates,
and search-type-aware provider selection. Update Pollinations to support
anonymous access, endpoint failover, and the latest public model lineup.

Add OmniRoute response metadata headers/SSE comments, per-connection
model exclusion rules, combo tag-based routing, buffered spend writes,
and scheduled daily/weekly/monthly budget resets. Update model catalog
and dashboard UIs to surface source labels and hide models excluded by
all active connections.
2026-04-17 09:00:32 -03:00
diegosouzapw 7b51ccd9e4 feat(antigravity): add client model aliases and signature bypass modes
Expose client-visible Antigravity preview model aliases while resolving
them back to upstream IDs for execution and provider discovery. Refresh
the Antigravity user agent from cached latest release metadata so model
discovery and requests track current CLI versions more reliably.

Add configurable Gemini thought signature cache modes in settings to
allow validated client-provided signatures in bypass flows while
preserving the existing stored-signature behavior by default.

Also centralize Anthropics header/version constants, enrich image model
catalog metadata with input and output modalities, add dashboard image
input support for advanced image providers, and exclude task docs from
Next standalone tracing to keep isolated builds stable.
2026-04-16 20:53:35 -03:00
diegosouzapw ce8e9b96ca feat(providers): expand image provider registry and model support
Add Fal.ai, Stability AI, Black Forest Labs, Recraft, and Topaz
image provider metadata and expose their static model catalogs through the
providers models API.

Unify dashboard image model listings with the runtime image registry to
avoid drift, add image model aliases for FLUX variants, and extend image
generation handling for new provider formats and edit endpoints.

Include tests covering alias resolution and provider-specific image
generation flows.
2026-04-16 19:32:38 -03:00
Paijo 5cbc08a6a2 docs: fix outdated Node 24 warnings in TROUBLESHOOTING.md (#1343)
Integrated into release/v3.6.7
2026-04-16 16:07:29 -03:00
Randi 01bd0d6760 Add Claude Opus 4.7 to Claude Code OAuth models (#1347)
Integrated into release/v3.6.7
2026-04-16 16:07:18 -03:00
Paijo 03b8e21f23 feat: add Node.js 24 LTS (Krypton) support (#1340)
Integrated into release/v3.6.7
2026-04-16 14:29:29 -03:00
diegosouzapw 6e9b23c8e2 fix(providers): support batch testing for web, search, and audio
Add dedicated batch test modes for web-cookie, search, and audio
providers in the dashboard, API route, and request validation so
category-level testing targets the correct connections.

Rename legacy qoder refresh and usage helpers from iflow to qoder
for consistency, and tighten regex handling in response cleaning,
thinking compression, and proxy matching to address edge cases and
static analysis findings.

Also update related tests, typing fixes, and README star history
embeds.
2026-04-16 11:52:53 -03:00
Diego Rodrigues de Sa e Souza 57395ed05c Merge pull request #1324 from clousky2020/feat/i18n-clean
fix(i18n): resolve code review issues for PR #1318
2026-04-16 10:17:42 -03:00
clousky 2206fed7e4 fix(requestLogger): add missing cacheSource and tps columns to i18n
Add cacheSource and tps to the translated columns array and their
corresponding translation keys in en.json and zh-CN.json.
2026-04-16 20:43:03 +08:00
clousky 67fc68683d fix(i18n): resolve code review issues for PR #1318
- Fix duplicate routing strategy guidance texts in zh-CN.json
- Fix strategy recommendations duplicates
- Add useMemo import in playground/page.tsx
- Add hardcoded string localization in ProxyConfigModal.tsx
- Replace dangerouslySetInnerHTML with t.rich in OAuthModal.tsx
- Replace dangerouslySetInnerHTML with t.rich in PricingModal.tsx
- Add useMemo in RequestLoggerV2.tsx for performance

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-16 20:27:16 +08:00
Diego Rodrigues de Sa e Souza b3909b4af5 Merge pull request #1318 from clousky2020/feat/i18n-clean
feat(i18n): add internationalization support for combo features and dashboard components
2026-04-16 08:32:50 -03:00
clousky f07c7aea2f fix(i18n): add Chinese i18n support to remaining dashboard components
- Add translations for playground page endpoints and UI elements
- Localize ProxyRegistryManager component text
- Add Chinese support for CursorAuthModal, OAuthModal, PricingModal
- Localize ProxyConfigModal and RequestLoggerV2 components
- Update both English and Chinese message files with new translation keys

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-16 17:35:41 +08:00
ivan_yakimkin cb71fb6907 fix: restore horizontal layout with w-max wrapper 2026-04-16 12:14:31 +03:00
ivan_yakimkin f10474548b fix: address review — unified scroll container, sticky weekday labels
- Wrap month labels and grid in a single scrollable container so
  month labels stay aligned with date columns during scroll
- Add sticky left-0 + bg-surface to weekday labels (Mon/Wed/Fri)
  so they remain visible when scrolled to the right
- Remove extra blank lines for code style consistency
2026-04-16 11:40:42 +03:00
ivan_yakimkin 813191beef fix: auto-scroll ActivityHeatmap to show current date
The 365-day activity heatmap renders left-to-right from oldest to newest,
but the container with overflow-x:auto starts scrolled to the left edge.
Users cannot see the most recent activity without manually scrolling.

Add a useRef + useEffect that auto-scrolls the grid container to its
right edge after the weeks data is computed, ensuring the current date
and recent activity are immediately visible.
2026-04-16 11:29:10 +03:00
Diego Rodrigues de Sa e Souza 9e45baae58 chore(release): v3.6.6 — Stabilization (#1241)
Build Electron Desktop App / Validate version (push) Failing after 43s
Build Electron Desktop App / Build Electron (macos-arm64) (push) Has been skipped
Build Electron Desktop App / Build Electron (linux) (push) Has been skipped
Build Electron Desktop App / Build Electron (macos-intel) (push) Has been skipped
Build Electron Desktop App / Build Electron (windows) (push) Has been skipped
Build Electron Desktop App / Create Release (push) Has been skipped
Build Electron Desktop App / Publish to npm (push) Has been skipped
* fix(streaming): #1211 greedy strip omniModel tags to prevent literal \n\n artifacts

- Changed regex quantifier from ? to * in combo.ts, comboAgentMiddleware.ts,
  and contextHandoff.ts to greedily strip all JSON-escaped newline sequences
  surrounding <omniModel> tags in SSE streaming chunks
- Added \r to the character class for cross-platform robustness
- Fixed Playwright strict-mode violation in combo-unification.spec.ts
- Bumped OpenAPI version and CHANGELOG to 3.6.6

* fix: 3 bugs found during issue triage (#1175, #1187/#1218, #1202)

- fix(gemini): strip VS Code JSON Schema extensions from tool schemas (#1175)
  Add enumDescriptions, markdownDescription, markdownEnumDescriptions,
  enumItemLabels and tags to UNSUPPORTED_SCHEMA_CONSTRAINTS so the Gemini
  sanitizer removes them before forwarding. GitHub Copilot injects these
  non-standard fields into tool definitions, causing Gemini to reject with
  'Unknown name enumDescriptions at functionDeclarations[n].parameters'.

- fix(health-check): unwrap proxy config object before passing to getAccessToken (#1187 #1218)
  resolveProxyForConnection() returns { proxy, level, levelId } but the health
  check loop was passing the full wrapper to getAccessToken(), which expects the
  inner config object (.host, .port etc). The proxy dispatcher validated .host
  on the wrapper (undefined) and threw 'Context proxy host is required', silently
  marking every connection as unhealthy every sweep. Fix mirrors the pattern
  already used in chatHelpers.ts: proxyResult?.proxy || null.

- fix(ui): debounce models.dev sync interval slider to save only on release (#1202)
  The slider's onChange fired updateInterval() on every drag tick, sending a
  PATCH per pixel of movement. Rapid API responses overwrote UI state mid-drag.
  Introduce draftIntervalHours for smooth visual feedback; the PATCH fires
  on onMouseUp / onBlur once the user releases the control.

* fix(providers): update Xiaomi MiMo token-plan endpoints (#1238)

Integrated into release/v3.6.6

* fix(cc-compatible): trim beta flags and preserve cache passthrough (#1230)

Integrated into release/v3.6.6

* feat(memory+skills): full-featured memory & skills systems with tests (#1228)

Integrated into release/v3.6.6

* fix: forward client x-initiator header to GitHub Copilot upstream (#1227)

Integrated into release/v3.6.6

* feat(bailian-quota): add Alibaba Coding Plan quota monitoring (#1235)

* fix: resolve v3.6.6 backlog bugs (#1206, #1211, #1220, #1231)

- fix(core): #1206 inject startup guard against app/ and src/app/ conflict
- fix(health): #1220 add HEALTHCHECK_STAGGER_MS to prevent token refresh bursting
- fix(proxy): #1231 prioritize HTTP 429 over quota body heuristics
- fix(sse): #1211 strip leading double-newlines in responses API stream

* fix(tests): resolve memory migration and skills route pagination bugs from PR overlaps

* docs: Update CHANGELOG.md with v3.6.6 features (#1182, #1165, #1177)

* chore(release): bump version to 3.6.6

Update package versions for the electron app and open-sse package.
Sync llm.txt metadata and feature headings with the 3.6.6 release.

* feat(core): harden outbound provider calls and add cooldown retries

Add guarded outbound fetch helpers with private/local URL blocking,
controlled retries, timeout normalization, and route-level status
propagation for provider validation and model discovery.

Introduce cooldown-aware chat retries with configurable
requestRetry and maxRetryIntervalSec settings, model-scoped cooldown
responses, and improved rate-limit learning from headers and error
bodies so short upstream lockouts can recover automatically.

Also align Antigravity and Codex header handling, require API keys
for Pollinations, validate web runtime env at startup, restore
sanitized Gemini tool names in translated responses, and inject a
synthetic Claude text block when upstream SSE completes empty.

* feat(models): add glmt preset and hybrid token counting

Introduce GLM Thinking as a first-class provider preset with shared GLM
model metadata, pricing, usage sync, dashboard support, and provider
request defaults for higher token budgets and longer timeouts.

Use provider-side /messages/count_tokens when a Claude-compatible
upstream supports it, while preserving estimated fallback behavior for
missing models, missing credentials, and upstream failures.

Also add startup seeding for default model aliases and normalize common
cross-proxy model dialects so canonical slashful model ids do not get
misrouted during resolution.

* feat(api): add sync tokens and v1 websocket bridge

Add dedicated sync token storage, issuance, revocation, and bundle
download routes backed by stable config bundle versioning and ETag
support.

Expose the v1 websocket handshake route and custom Next server bridge so
OpenAI-compatible websocket traffic can be upgraded and proxied through
the dashboard and API bridge.

Expand compliance auditing with structured metadata, pagination, request
context, auth and provider credential events, and SSRF-blocked
validation logging.

* docs: Update all documentation for v3.6.6

- CHANGELOG: Add WebSocket bridge, GLM Thinking preset, safe outbound
  fetch/SSRF guard, cooldown-aware retries, compliance audit v2, model
  alias seeding, and all Internal Improvements for the 3 new commits
- README: Expand v3.6.x highlights table with 10 new features; add
  SafeOutboundFetch, CooldownAwareRetry, SSRF guard, TPS metric, sync
  tokens, WebSocket bridge to Resilience/Observability/Deployment tables
- ARCHITECTURE: Bump date; add new modules to executive summary, API
  routes, SSE core services, Auth/Security section; add SSRF/Outbound
  guard failure mode (section 6); expand module mapping
- ENVIRONMENT: Add OMNIROUTE_CRYPT_KEY/OMNIROUTE_API_KEY_BASE64 legacy
  aliases, OUTBOUND_SSRF_GUARD_ENABLED, CODEX_CLIENT_VERSION, and
  REQUEST_RETRY/MAX_RETRY_INTERVAL_SEC cooldown retry settings
- FEATURES: Add 6 new feature sections — V1 WebSocket Bridge, Sync
  Tokens & Config Bundle, GLM Thinking Preset, Safe Outbound Fetch &
  SSRF Guard, Cooldown-Aware Retries, Compliance Audit v2

* fix: use api64 for proxy test (#1255)

Integrated into release/v3.6.6 — IPv6 proxy test fix

* fix(page): update custom models section to include all providers #1200 (#1256)

Integrated into release/v3.6.6 — Gemini custom model picker fix

* fix: provide default client_id fallbacks to prevent broken OAuth requests (#1246)

Integrated into release/v3.6.6 — OAuth client_id default fallbacks

* fix: translate max_tokens/max_completion_tokens → max_output_tokens in Chat→Responses translator (#1245)

Integrated into release/v3.6.6 — max_tokens → max_output_tokens Responses API translation + unit tests

* feat(oauth): support cursor-agent CLI as Cursor credential source (#1258)

Integrated into release/v3.6.6 — cursor-agent CLI credential source support

* fix(cc-compatible): restore upstream SSE and correct stream/combo timeout behavior (#1257)

Integrated into release/v3.6.6 — CC-compatible upstream SSE restore + stream timeout fix + README table repair

* fix(cli-tools): resolve API key resolution and model mapping bugs in CLI tools (#1263)

Integrated into release/v3.6.6

* feat(cli-tools): add Qwen Code CLI integration (#1266)

Integrated into release/v3.6.6

* fix(i18n): add missing zh-CN translations and fix logger imports (#1269)

Integrated into release/v3.6.6

* fix(i18n): add Chinese i18n support to dashboard components (#1274)

Integrated into release/v3.6.6

* feat: update Pollinations to require API key, remove free tier flag (#1177)

* feat: friendly error messages for crypto/encryption failures (#1165)

* feat: add TPS (tokens per second) metric column to request logs (#1182)

* feat: merge custom/imported models into filter list for all providers (#1191)

* feat(fallback): Fix provider-profile-driven lockouts (#1267)

This integrates rdself's unify-provider-profile-locks PR manually to handle structural conflicts.

* fix(claude): proper Anthropic SDK integration (#1271)

* fix(healthcheck): use correct proxy wrapper format for getAccessToken (#1272)

* chore(release): v3.6.6 — skills registry stability fix + final integration

* fix(auth): harden bootstrap auth and memory dashboard behavior

Restrict unauthenticated writes to /api/settings/require-login to
the initial bootstrap window while keeping read-only checks public.
This prevents post-setup config changes without blocking first-run
login setup, and the onboarding flow now logs in immediately after
setting the password.

Restore memory API filtering and pagination behavior by supporting q
searches, honoring offset-based requests, and avoiding unrelated
fallback results when FTS misses. Update dashboard stats fallback to
use the response totals consistently.

Package the MCP server with explicit file entries and add regression
tests for bootstrap auth and memory route behavior

* fix(codex): remove max_output_tokens from body for compatibility

* chore(release): v3.6.6 — include PR 1274 fixes in changelog

* chore: exclude additional build artifacts and internal directories from npm package distribution

* fix: update Gemini OAuth test to match registry defaults + codex UI improvements

* fix: restore .mjs refs for scripts/ in test imports after ts migration

* fix: restore next.config.mjs ref in dev-origins test

* fix: implement db migration safety checks and codex config format

* fix: disable mass-migration abort during unit tests based on auto-backup flag

* fix: update script regex in auto-update tests to use .mjs

* feat: Add Perplexity Web (Session) provider (#1289)

Integrated into release/v3.6.6

* fix(cli): resolve codex routing config parsing, standardize select model button positioning, and clarify oauth documentation

* docs(changelog): record recent cli, provider, and test updates

Document the latest fixes for Codex routing configuration parsing and
Lobehub provider icon fallback behavior.

Add the note that the remaining JavaScript test files were migrated to
TypeScript ES modules to reflect the completed test stack transition.

* chore(release): merge #1286 minor improvements manually to avoid testing conflict

* chore(test): rename perplexity-web.test.mjs to .ts to maintain 100% TS codebase

* chore(docs): update CHANGELOG.md for perplexity-web provider

* fix(security): resolve CodeQL incomplete URL substring sanitization via URL parsing in test mocks

* fix: integrate compressContext() into chatCore.ts request pipeline

Proactively compress oversized contexts before sending to upstream providers,
preventing context_length_exceeded errors. Compression triggers at 85% of
model's context limit using the existing 3-layer compressContext() function.

- Import compressContext, estimateTokens, getTokenLimit from contextManager
- Add compression check after translation, before executor dispatch
- Estimate tokens and compare against 85% threshold of model's context limit
- Apply 3-layer compression (trim tools, compress thinking, purify history)
- Log compression events with before/after token counts and layers applied
- Audit compression events for observability
- Add unit tests verifying integration behavior

Closes #1290

* fix(tests): align reasoning expectations with GLM thinking structure

* fix: prevent orphaned tool_result messages in purifyHistory()

When purifyHistory() drops oldest messages to fit context window, it can
split tool_use/tool_result pairs — keeping the tool_result but dropping
the tool_use that initiated it. This causes upstream providers to reject
the request with format errors.

Add fixToolPairs() that runs after each purification pass to remove:
- OpenAI format: orphaned role='tool' messages without matching tool_calls ID
- Claude format: orphaned tool_result content blocks without matching tool_use ID

Closes #1291

* fix(tests): supply tool_use in mock so it is not dropped

* chore: convert remaining test to TypeScript

* fix(tests): restore compatibility with compressContext threshold test after tsx migration

* docs: finalize v3.6.6 release documentation

* fix(core): finalize provider removal, type issues, and codex API key config

* fix(dashboard): render Web/Cookie, Search, Audio provider sections and fix TypeScript errors

* fix: increase MCP web_search timeout to 60s (#1278)

* fix: route combo testing properly for embedding models (#1260)

* fix: accumulate excluded accounts in combo fallback loop (#1233)

* fix: strip leading whitespace and newlines from first streaming chunk (#1211)

* docs: clarify VPS and Docker settings for OAuth credentials (#1204)

* fix: return real retry-after for pipeline gates (#1301)

Integrated into release/v3.6.6 — returns real Retry-After values from pipeline gates

* feat: streaming semantic cache, Cursor auto-version detection, and call-log enhancements (#1296)

Integrated into release/v3.6.6 — streaming semantic cache, Cursor auto-version detection, call-log cache_source tracking

* feat(api): support more OpenAI types (image, embeddings, audio-transcriptions, audio-speech) (#1297)

Integrated into release/v3.6.6 — adds embeddings, audio-transcriptions, audio-speech, and images-generations support for custom OpenAI-compatible providers, plus Pollinations image registry

* deps: bump hono from 4.12.12 to 4.12.14 (#1302)

Integrated into release/v3.6.6

* deps: bump hono from 4.12.12 to 4.12.14 (#1306)

Integrated into release/v3.6.6

* chore: stabilization fixes for v3.6.6 (#1298, #1254, #59, CI)

* fix(providers): match correct endpoint for Xiaomi MiMo, strip routing prefix for custom openai endpoints (#1303, #1261)

* feat(storage): add database backup cleanup controls

* chore(release): v3.6.6 — Final Stabilization Push

* Backport call log storage refactor to release/v3.6.6 (#1307)

Integrated into release/v3.6.6

* deps: update dompurify to 3.4.0 to resolve CVE-XYZ (#60)

* test: disable sqlite auto backup in CI to resolve E2E timeout (#24481475058)

* chore(docs): sync CHANGELOG for v3.6.6 with missing features and fixes

* chore(release): prep v3.6.6 infrastructure and type safety fixes

- Migrated legacy .mjs scripts to .ts (bin, prepublish, policies)
- Resolved pre-commit strict lint (t11 budget) errors in combo.ts
- Explicitly typed all TS bindings in pack-artifact policies
- Updated package.json commands to run Node via tsx/esm internally
- Hardened CI/CD with explicit node version 22.22.2 checks
- Completed stage validations for v3.6.6 final release

* chore: fix TS build errors and e2e timeouts in CI

- Migrate nodeRuntimeSupport to TS interfaces avoiding implicit any
- Increase visibility timeouts in skills-marketplace E2E test to 15s to bypass CI flakiness
- Complete migration of .mjs scripts to .ts ensuring type safety

* chore(release): sync package version 3.6.6 across workspaces

* test(e2e): universally increase UI component visibility timeouts from 5s to 15s to bypass CI starvation

* chore(build): inject baseUrl, paths, and types:node into MITM tsconfig within prepublish hook to fix missing types in CI check

---------

Co-authored-by: diegosouzapw <diegosouzapw@users.noreply.github.com>
Co-authored-by: Jack <5443152+hijak@users.noreply.github.com>
Co-authored-by: Randi <55005611+rdself@users.noreply.github.com>
Co-authored-by: Paijo <14921983+oyi77@users.noreply.github.com>
Co-authored-by: Samuel Cedric <ceds.sam@gmail.com>
Co-authored-by: Max Garmash <max@37bytes.com>
Co-authored-by: Markus Hartung <mail@hartmark.se>
Co-authored-by: Gi99lin <74502520+Gi99lin@users.noreply.github.com>
Co-authored-by: Payne <baboialex95@gmail.com>
Co-authored-by: Benson K B <bensonkbmca@gmail.com>
Co-authored-by: clousky2020 <33016567+clousky2020@users.noreply.github.com>
Co-authored-by: Ravi Tharuma <25951435+RaviTharuma@users.noreply.github.com>
Co-authored-by: oyi77 <oyi77@users.noreply.github.com>
Co-authored-by: Hdsje <vovan877@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: xiaoge1688 <moyekongling@gmail.com>
2026-04-16 05:26:17 -03:00
Ravi Tharuma 97dca71c2c feat: add Grok Web (Subscription) provider
Adds a new provider that routes through Grok's internal NDJSON API using
an X/Grok subscription SSO cookie, enabling access to Grok 3, 4, 4.1,
4.2/4.20, and 4 Heavy via grok.com without xAI API costs.

- GrokWebExecutor with full NDJSON→OpenAI translation
- 12 models incl. grok-4.2 (4.20 beta), grok-4-heavy (SuperGrok)
- Dynamic x-statsig-id generation (base64 fake TypeError)
- W3C traceparent headers for Cloudflare compatibility
- Thinking/reasoning mode for mini/thinking/expert/heavy variants
- SSO cookie auth with auto-strip of 'sso=' prefix
- Fetch timeout + upstreamExtraHeaders (BaseExecutor parity)
- 16 unit tests, all passing

Derived from: GrokProxy, GrokBridge, grok-web-api, grok2api-merged,
Grok API Research Report
2026-04-15 23:01:25 +02:00
diegosouzapw e7c2998cf9 feat: implement email masking for test result labels and refactor sidebar route matching logic 2026-04-13 17:39:45 -03:00
diegosouzapw 7efa672976 fix(core): restore degradation settings and clean combo stream output
Persist background degradation settings as structured data so they can
be reloaded during node startup without double-encoding JSON.

Update settings validation to accept the missing fields used by the
API and align models.dev sync interval bounds with millisecond-based
values.

Also strip omniModel tags when they are wrapped by either literal
escaped newlines or actual newline characters, and adjust the combo
routing test to match the cleaned streamed content.
2026-04-13 14:35:26 -03:00
diegosouzapw 488f9653e6 Merge PR #1193
# Conflicts:
#	open-sse/services/claudeCodeCompatible.ts
2026-04-13 13:12:22 -03:00
diegosouzapw 48467bc514 feat(core): add db health checks and provider interoperability
Add automated SQLite health diagnostics with optional auto-repair,
startup and scheduled execution, authenticated API routes, an MCP tool,
and dashboard visibility for status and repair actions.

Improve provider compatibility by adding Cursor usage fetching and
v3.1.0 parity headers, introducing a per-connection Codex Responses
store opt-in with session fallback, fixing Codex non-stream combo and
SSE translation behavior, sanitizing Gemini googleSearch tool payloads
and Qwen thinking tool_choice handling, and hardening cleanup and call
log storage paths.
2026-04-13 13:11:30 -03:00
R.D. a58db791e1 fix(timeout): align cc-compatible timeout header with runtime config 2026-04-12 23:27:09 -04:00
Randi 1e2b7e728d Fix Codex combo fallback and move Codex defaults to connections (#1176)
Integrated into release/v3.6.5. Added CHANGELOG breaking change entry for the removed /api/settings/codex-service-tier endpoint and deduplicated getCodexRequestDefaults in page.tsx (now imports from requestDefaults.ts).
2026-04-12 21:40:32 -03:00
diegosouzapw c286fdc96a fix(auth): require admin auth for backup and translator routes
Protect database backup, export, restore, and translator save endpoints
with authentication checks to block unauthenticated data access and
state changes.

Also remove the insecure API key secret fallback, ignore nested app env
files from package publishes, and align tests with explicit
application/json Accept headers for non-stream requests
2026-04-12 19:08:06 -03:00
diegosouzapw 25bd04e400 feat(settings): unify routing rules and model aliases controls
Move model routing management into Settings and add a unified
model alias editor for exact and wildcard remaps.

Sync combo defaults with global routing strategy settings, add
localized combo onboarding copy, and expand routing i18n across
supported locales.

Also fix supporting routing behavior by accepting all strategy
values in settings schemas, preserving connection ids in combo
tests, honoring non-stream JSON requests for CC-compatible
providers, and handling hashed external package subpaths.
2026-04-12 18:43:19 -03:00
diegosouzapw 816db26a75 feat(combos): unify auto-combo into main combos page — LKGP standalone, intelligent routing panel, builder step, i18n consolidation 2026-04-12 13:51:03 -03:00
diegosouzapw ea61d00cf7 feat: v3.6.4 — Combo Builder v2, Composite Tiers, P2C Credentials, Observability Layer
## New Features
- Combo Builder v2 wizard UI (multi-stage: Basics → Steps → Strategy → Review)
- Combo Step Architecture Schema v2 (ComboModelStep, ComboRefStep, pinned accounts)
- Composite Tiers system for tiered model routing with fallback chains
- Model Capabilities Registry (unified resolver merging specs + registry + synced data)
- Observability module (buildHealthPayload, buildTelemetryPayload, buildSessionsSummary)
- Session & Quota Monitor panels on Health dashboard
- Combo Health per-target analytics via resolveNestedComboTargets()
- Combo Builder Options API (GET /api/combos/builder/options)

## Performance
- Middleware lazy loading (apiAuth, db/settings, modelSyncScheduler)
- E2E auth bypass mode (NEXT_PUBLIC_OMNIROUTE_E2E_MODE)

## Bug Fixes
- P2C credential selection with quota headroom awareness
- Fixed-account combo steps bypass model cooldowns/circuit breakers
- Combo metrics per-target tracking (byTarget with executionKey)
- Call logs schema expansion (7 new columns + composite index)
- Quota monitor lifecycle enrichment (status, snapshots, summary)
- Codex quota fetcher hardening

## Maintenance
- DB migration 021 (combo_call_log_targets)
- Combo CRUD normalization on read
- Playwright config + build script improvements
- OpenAPI spec version sync to 3.6.4

## Tests
- 16 new test suites + 12 existing test updates
- 86 files changed, +8318 -1378 lines
2026-04-12 10:34:10 -03:00
diegosouzapw 4d460109dd chore(release): v3.6.3 — Fix cloudflare config, prompt cache payloads, and openai-compatible validation 2026-04-11 18:00:20 -03:00
diegosouzapw e89015649e fix(tests): align maskEmail test assertions with new less-aggressive masking behavior
Updated mask-email.test.mjs and model-sync-route.test.mjs to match
the revised maskEmail function that preserves full domain names for
account differentiation (die********@gmail.com vs old di*********@g****.com).
2026-04-11 12:09:20 -03:00
diegosouzapw d4609762bb fix: resolve macOS Electron ABI mismatch and test regressions (#1081) 2026-04-11 11:36:58 -03:00
diegosouzapw 3effbe5f06 fix: decrease email mask aggression to maintain account distinction (#1137) 2026-04-11 11:36:58 -03:00
diegosouzapw 8bacde0262 feat: global email privacy toggle with eye icon button
- Add emailPrivacyStore (Zustand + persist) for global toggle state
- Add EmailPrivacyToggle component with eye open/closed icons
- Add pickDisplayValue() visibility-aware masking function
- Integrate toggle into provider detail, usage limits & playground pages
- Per-modal showEmail now uses global store (synced across all pages)
- Default: emails hidden; toggle persists across page reloads
- Add showEmails/hideEmails i18n keys
- Update CHANGELOG.md and openapi.yaml to v3.6.2
2026-04-11 09:38:17 -03:00
Diego Rodrigues de Sa e Souza 37cc63e493 Release v3.6.0 (#1109)
Build Electron Desktop App / Validate version (push) Failing after 31s
Build Electron Desktop App / Build Electron (macos-arm64) (push) Has been skipped
Build Electron Desktop App / Build Electron (linux) (push) Has been skipped
Build Electron Desktop App / Build Electron (macos-intel) (push) Has been skipped
Build Electron Desktop App / Build Electron (windows) (push) Has been skipped
Build Electron Desktop App / Create Release (push) Has been skipped
Build Electron Desktop App / Publish to npm (push) Has been skipped
* chore: create release/v3.6.0 branch

* fix: add row count limits to prevent DB bloat and handle HTML error responses (#1104)

Integrated into release/v3.6.0

* fix combo smoke test payload for thinking models (#1105)

Integrated into release/v3.6.0

* fix: improve Android/Termux ARM64 support for better-sqlite3 (#1107)

Integrated into release/v3.6.0

* chore: finalize CHANGELOG and sync versions for v3.6.0

* fix(tests): align CI tests with v3.6.0 changes

- compliance: match new cleanupExpiredLogs return shape (trimmed/maxRows)
- model-sync: accept masked email in account field
- e2e: allow 401/403/307 for auth-protected /api/providers endpoint

---------

Co-authored-by: diegosouzapw <diegosouzapw@users.noreply.github.com>
Co-authored-by: Paijo <14921983+oyi77@users.noreply.github.com>
Co-authored-by: Randi <55005611+rdself@users.noreply.github.com>
Co-authored-by: Suhayli <73960279+Suhay1i@users.noreply.github.com>
2026-04-10 09:56:42 -03:00
Randi 74a5bcb3a9 Add persistent combo ordering and reorder sidebar items (#1095)
Integrated into release/v3.5.9 with openapi.yaml version fix
2026-04-09 21:16:42 -03:00
Randi 9f55159bd5 Fix request log detail token layout (#1096)
Integrated into release/v3.5.9
2026-04-09 21:15:14 -03:00
Randi f118082f6b fix(docker): handle EXDEV in isolated build (#1097)
Integrated into release/v3.5.9
2026-04-09 21:15:12 -03:00
Diego Rodrigues de Sa e Souza 336d889034 Release v3.5.8 (#1092)
* chore: bump to v3.5.8-dev

* fix(combo): quarantine degraded provider-model pairs adaptively (#1090)

Integrated into release/v3.5.8

* fix(healthcheck): keep active accounts routable after refresh failure (#1085)

Integrated into release/v3.5.8

* chore: squash PR 1089

* Merge PR 1088: docs(deps): bump axios from 1.14.0 to 1.15.0

---------

Co-authored-by: diegosouzapw <diegosouzapw@users.noreply.github.com>
Co-authored-by: Wellington Fonseca <wf.tecnologia@hotmail.com>
Co-authored-by: xiaoge1688 <129356184+xiaoge1688@users.noreply.github.com>
2026-04-09 18:18:45 -03:00
Diego Rodrigues de Sa e Souza 1442c47bbb chore(release): v3.5.6 — email masking, model toggle, OpenRouter registries & bug fixes (#1080)
Build Electron Desktop App / Validate version (push) Failing after 24s
Build Electron Desktop App / Build Electron (macos-arm64) (push) Has been skipped
Build Electron Desktop App / Build Electron (linux) (push) Has been skipped
Build Electron Desktop App / Build Electron (macos-intel) (push) Has been skipped
Build Electron Desktop App / Build Electron (windows) (push) Has been skipped
Build Electron Desktop App / Create Release (push) Has been skipped
Build Electron Desktop App / Publish to npm (push) Has been skipped
* fix(minimax): switch auth from x-api-key to Authorization Bearer (#1076)

Integrated into release/v3.5.6 — MiniMax auth fix with authHeader consistency normalization

* feat(CI,i18n): autogenerate language files + Add missing strings (#1071)

Integrated into release/v3.5.6 — i18n translations for memory, skills, and missing keys across 31 languages

* fix(ci): restore i18n continue-on-error, remove auto-commit race condition

* fix(husky): load nvm in hooks for VS Code compatibility

* fix(husky): gracefully skip hooks when npm is not in PATH

* fix: convert OpenAI function tool_choice to Claude tool format (#1072)

* fix: prevent EPIPE feedback loop filling logs at GB/s (#1006)

* fix: fallback to native fetch when undici dispatcher fails (#1054)

* fix: improve Qoder PAT validation with actionable error messages (#966)

- Add QODER_PERSONAL_ACCESS_TOKEN env var fallback for both validation and execution
- Pre-flight ping check to diagnose connectivity issues (Docker/proxy)
- Detect encrypted auth blobs from ~/.qoder/.auth/user and guide to website PAT
- Clear error messages for auth failures with link to integrations page
- Treat non-auth 4xx as auth-pass (request format issue, not token issue)
- Update tests to cover new validation paths (23 tests, all passing)

* feat: Improve the Chinese translation (#1079)

Integrated into release/v3.5.6

* chore(release): v3.5.6 — i18n updates and credential security fixes

* fix(ci): resolve e2e and docs-sync pipeline failures

* fix(security): bump next to 16.2.3 to resolve SNYK-JS-NEXT-15954202

* fix: guard Memory/Cache UI against null toLocaleString crash (#1083)

* fix: translate OpenAI tool_choice type 'function' to Claude 'tool' format (#1072)

* fix: pass custom baseUrl in provider API key validation (#1078)

* docs: update CHANGELOG with v3.5.6 bug fixes and security patches

* docs: rewrite implement-features workflow with 5-phase harvest-research-report-plan-execute pipeline

* docs: organize _ideia/ into viable/defer/notfit + add Phase 2.5 auto-response workflow

* docs: implementation plans for #1025, #750, #960, #1046 + close already-implemented #833, #973, #982

* feat: mask email addresses in dashboard for privacy (#1025)

* feat: add OpenRouter and GitHub to embedding/image provider registries (#960)

* feat: add model visibility toggle and search filter to provider page (#750)

* docs: move implemented features to notfit, update task plans status

* chore: untrack _ideia/ and _tasks/ from git — private/internal only

* chore(release): bump to v3.5.6 — changelog, docs, version sync & any-budget fix

* fix: remove explicit .ts extension in qoderCli import that caused 500 error in production build

---------

Co-authored-by: Jean Brito <jeanfbrito@gmail.com>
Co-authored-by: zenobit <zenobit@disroot.org>
Co-authored-by: diegosouzapw <diegosouzapw@users.noreply.github.com>
Co-authored-by: Ethan Hunt <136065060+only4copilot@users.noreply.github.com>
2026-04-09 15:55:59 -03:00
diegosouzapw 581ff5fc73 docs: update system documentation and sync i18n for v3.5.5 2026-04-08 13:40:04 -03:00