- providers.ts: close the unterminated `dify` APIKEY_PROVIDERS entry (Wave-1b #2488
merge artifact) that broke the entire build (esbuild 'Expected }').
- CHANGELOG.md: restore the `# Changelog` header and an empty `[Unreleased]` section
(docs-sync requires the first section to be Unreleased); remove the duplicated
`[3.8.1]` block.
- Bump package.json / electron / open-sse / openapi.yaml to 3.8.2 to match the
CHANGELOG release header.
- Mirror the `[3.8.2]` section into all 41 i18n CHANGELOGs so docs-sync passes.
Unblocks all commits on release/v3.8.2-based branches.
Resolves conflicts in 9 files to bring 181 commits from release/v3.8.0 into
the dashboard refactor branch ahead of merging back to release.
Layout strategy: our pages overhaul (tabs→pages, restructured sidebar,
removed redundant headers, OpenCode Free no-auth card) is the source of
truth. Release's functional additions are adapted into our layout.
Conflict resolution:
- package.json/package-lock.json: take release's deps (axios bump, CLI v4
deps, tls-client-node/wreq-js move to optionalDependencies); re-add our
@xyflow/react addition; regenerate lockfile.
- src/shared/constants/sidebarVisibility.ts: keep our 9-section restructure
— release's new IDs (limits, media, cli-tools, agents, cloud-agents,
memory, skills, agent-skills, context-*) are all already present in our
groups.
- src/i18n/messages/en.json: auto-merge picked up all release's new keys
(autoCatalog*, quotaCutoffs*, systemTransforms*, schema-coercion, vision);
only naming conflict was OmniSkills/AgentSkills — kept ours (no space).
- src/app/(dashboard)/dashboard/HomePageClient.tsx: kept our Provider
Topology card; ported release's TierCoverageWidget (placed before
topology).
- src/app/(dashboard)/dashboard/settings/page.tsx: kept our redirect to
/settings/general (we moved tabs to separate pages); release's sticky
tab CSS change is moot in our structure.
- src/app/(dashboard)/dashboard/skills/page.tsx: rerere applied — release
hardcoded "OmniSkills" h1 was already removed by our header-cleanup
refactor.
- src/app/(dashboard)/dashboard/agent-skills/page.tsx: both branches
created this file independently with identical data source; kept our
Tailwind-themed 2-column grid (release's version used inline styles).
- src/app/(dashboard)/dashboard/batch/page.tsx: kept our single-tab
structure (FilesListTab moved to /batch/files page); ported release's
onRefresh prop addition.
- src/app/(dashboard)/dashboard/batch/files/page.tsx (not in conflict but
updated): added batches fetch + batches prop to preserve release's
feature of showing related batches in the file detail modal.
Pre-existing typecheck errors in open-sse/services/contextManager.ts
(lines 141, 154, 167) come from release/v3.8.0 and are not introduced by
this merge.
- next-themes: required by TierFlowDiagram.tsx (onboarding)
- sql.js: required by CLI runtime sqliteRuntime.mjs
- Add sql.js to serverExternalPackages in next.config.mjs to prevent
webpack static resolution failures during build
Adds a TUI dashboard with 7 tabs (Overview, Combos, Providers, Keys, Logs, Health, Cost)
via Ink, 13 reusable components in tui-components/, an interactive menu when started without a
subcommand, and a --tui flag on the dashboard command.
- 8.2: update-notifier in omniroute.mjs (24h cache, stderr-only, respects CI/quiet/json/opt-out)
- 8.12: cliToken.mjs (sha256 of machineId + salt) injected automatically into apiFetch
- 8.12: cliTokenAuth.ts middleware validates the token only on loopback, timing-safe compare
- 8.12: requireManagementAuth accepts the CLI token as a local bypass
- env-doc-sync: OMNIROUTE_DISABLE_CLI_TOKEN and OMNIROUTE_NO_UPDATE_NOTIFIER in the allowlist
- Installs commander@^14.0.0 with native ESM support
- Creates bin/cli/program.mjs: root program with global options
(--output, --quiet, --no-color, --timeout, --api-key, --base-url)
- Creates bin/cli/commands/registry.mjs: legacy adapters that delegate
to the existing run*Command functions without breaking compatibility
- Creates bin/cli/commands/serve.mjs: default action (isDefault: true) with
spawn logic extracted from omniroute.mjs, lazy runtime imports
- Creates bin/cli/commands/reset-encrypted-columns.mjs: recovery bypass
- Refactors bin/omniroute.mjs: ~500 → ~90 lines, delegates to Commander
- Adds i18n strings program.* and serve.description/port/no_open/daemon
in en.json and pt-BR.json
- Adds 21 tests in tests/unit/cli-program.test.ts
http-proxy-middleware 4.x (introduced via #2228) requires Node >=22.15.0.
Updated engines.node to >=22.22.2 <23 || >=24.0.0 <27 (drops 20.x).
BREAKING CHANGE: users on Node 20.x must upgrade to Node 22.22.2+ or 24+.
Refs: #2228
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Update Pollinations request transformation to send the selected model
and stream flag so requests match the active endpoint behavior.
Align the ChatGPT TLS client with shared proxy resolution so dashboard
proxy context is honored before falling back to environment settings.
Also refresh provider display names across dashboard pages, correct the
Claude extra-usage toggle messaging and visual state, and mark
Pollinations as offering a free public endpoint.
Replace regex-based compression artifact cleanup with linear helpers to
avoid pathological backtracking and normalize whitespace safely.
Tighten request and response parsing in assess, Gemini translation, and
executor telemetry to avoid unsafe property access and invalid category
filtering.
Also add managed database backup support for legacy encrypted
connection migration, improve SQLite load error handling, and cover the
regressions with unit tests.
* chore: add GPT-5.5 Instant and support Node 26 (#1977)
chore: add GPT-5.5 Instant model to Codex registry + Node 26 support with CI + improved native SQLite error handling. Integrated into release/v3.7.9
* feat: enhance cost formatting and add Codex GPT-5.5 pricing support
* fix formatting
---------
Co-authored-by: backryun <bakryun0718@proton.me>
Co-authored-by: Jan Leon <jan.gaschler@gmail.com>
Co-authored-by: 05dunski <05dunski-kredo@icloud.com>
* chore(release): v3.7.9 — gemini-cli cloud code separation
* chore(provider): Update Jina AI model catalog (#1874)
Integrated into release/v3.7.9
* docs: update CHANGELOG for PR 1874 and retroactive credits
* fix: resolve stream defaults and codex prompt mapping (#1873, #1872)
* chore(compression): start caveman compression update
* feat(compression): expand caveman compression and analytics pipeline
Add caveman intensity levels, output mode instructions, validation, and
preview diffs across the compression pipeline.
Extend MCP and dashboard settings to support auto-trigger mode, system
prompt preservation, MCP description compression, and caveman rule
metadata. Record richer compression analytics with receipt fields,
validation fallbacks, output mode data, and add the related database
migration.
Improve preservation handling for code, URLs, markdown, math, and other
protected content while adding broad unit, integration, and golden-set
coverage for caveman parity and compression behavior.
* feat(compression): expose rule intensities and track usd savings
Add estimated USD savings to compression analytics so saved tokens can
be reported in cost terms alongside existing token metrics.
Expose caveman rule intensity metadata for settings consumers and add a
settings API route alias for rule lookup. Also preserve system prompts
when aggressive compression falls back to lite mode.
* feat(compression): RTK compression roadmap (#1889)
* chore(rtk): initialize compression roadmap branch
* feat(compression): add RTK engine and compression combos
Introduce RTK command-aware tool-output compression alongside
stacked RTK -> Caveman pipelines for mixed prompt contexts.
Add engine registration, declarative RTK filter packs, language-aware
Caveman rule loading, compression combo persistence and assignments,
analytics grouped by engine/combo, and new MCP/API endpoints for
configuration, previews, filters, and combo management.
Expose the new capabilities in the dashboard with dedicated Context &
Cache pages for Caveman, RTK, and compression combos, and update docs,
i18n strings, migrations, and tests to cover the expanded compression
surface.
* feat(compression): expand RTK DSL, filter catalog, and recovery APIs
Add RTK parity features across the compression pipeline, dashboard,
and management APIs. This expands the built-in filter catalog, adds
trust-gated custom filter loading, inline filter verification, code
stripping, smarter detection, and optional redacted raw-output
retention for authenticated recovery.
Also extend Caveman with file-based multilingual rule packs, localized
output-mode instructions, stricter preview/config schemas, engine
registry metadata, analytics fields, and broad unit test coverage for
RTK, rule loading, and stacked compression behavior.
* fix(auth): protect oauth routes and health reset operations
Require authenticated dashboard access for OAuth endpoints that can
create or import provider connections when login enforcement is
enabled.
Move `/api/monitoring/health` to the readonly public route list so
safe methods remain public while DELETE now returns 401 for anonymous
requests.
Also update Next.js native `.node` handling to avoid webpack parse
failures from external packages such as ngrok and keytar, and add
coverage for the new auth behavior.
* build(compression): ship RTK rule and filter assets with app bundles
Include compression JSON assets in Next output tracing, prepublish copies,
and pack artifact policy checks so standalone and packaged builds can
load RTK filters and caveman rule packs at runtime.
Also harden compression runtime behavior by resolving alternate asset
directories, scoping rule cache entries by source path, carrying RTK raw
output pointers through stacked runs, degrading oversized preview diffs,
and applying combo language/output mode defaults during chat routing.
Add coverage for packaging rules, provider-scoped model parsing, smart
truncate edge cases, raw output retention, and combo-driven compression
behavior.
* docs(workflows): update local repo paths to OmniRoute
Replace outdated `/home/diegosouzapw/dev/proxys/9router` references
with the current `OmniRoute` directory across deploy, release, and
version bump workflow guides so local command examples match the
renamed repository layout
* feat(compression): complete RTK parity coverage
* test(build): align next config assertions
---------
Co-authored-by: diegosouzapw <diego.souza.pw@gmail.com>
* feat(compression): expand caveman parity and MCP metadata compression
Compress MCP registry and list metadata descriptions for tools, prompts,
resources, and resource templates while keeping tool-response bodies
unchanged. Expose those savings in compression status as
`mcp_metadata_estimate` metadata rather than provider usage.
Add Caveman rule-pack support for custom regex flags and match-specific
replacement maps, update English rules for upstream parity, and tighten
article and pleasantry handling. Also process RTK multipart text blocks
independently so mixed media content compresses safely without
duplicating output.
* feat(compression): unify config validation and persist MCP savings
Centralize compression config schemas across settings, preview, RTK,
and combo APIs to enforce consistent validation for stacked pipelines
and engine-specific options.
Expand caveman and stacked compression behavior by applying default
combos at runtime, surfacing validation and fallback metadata, and
exposing aggressive and ultra adapter schemas for configuration UI and
tests.
Persist MCP description compression snapshots into analytics without
counting them as provider usage, and extend the dashboard with the new
RTK controls and localized labels.
* fix(auth): require dashboard management auth for compression preview
Block preview requests unless they come from a valid management session
token so protected settings cannot be probed through the preview API.
Add unit coverage for unauthenticated requests, invalid bearer tokens,
and successful authenticated preview execution.
* fix(compression): preserve stacked defaults and secure metadata routes
Only apply saved default compression combos when they contain a stacked
pipeline so seeded Caveman-only defaults do not replace the builtin
stacked behavior.
Also require management auth for compression language pack and rules
metadata endpoints, and defer usage receipt attachment until compression
analytics writes have completed to keep analytics records consistent.
* fix(compression): align seeded standard savings combo with stacked default
Update the seeded default compression combo to use the RTK then
Caveman pipeline in both fresh installs and upgraded databases.
Add a targeted migration and runtime guard that only rewrites the
legacy seeded record when its original metadata and single-step
pipeline still match, preserving user-customized default combos.
Refresh docs and tests to reflect the stacked default and expanded
RTK filter catalog.
* docs(compression): document RTK+Caveman stacked savings ranges
Refresh the compression docs and README to describe the default
stacked pipeline in terms of eligible-context savings instead of the
older generic token-saving range.
Add upstream RTK and Caveman benchmark references, explain the
multiplicative savings math behind the stacked default, and update
feature summaries plus package metadata to match the revised
positioning.
* feat(image-gen): add NanoGPT image generation provider (#1899)
Integrated into release/v3.7.9
* fix(codex): sanitize raw responses input (#1895)
Integrated into release/v3.7.9
* Fix combo provider breaker profile handling (#1891)
Integrated into release/v3.7.9
* fix(combos): align strategy contracts (#1892)
Integrated into release/v3.7.9
* feat(proxy): move proxy configuration to dedicated System → Proxy page (#1907)
Integrated into release/v3.7.9
* feat: add K/M/B/T cost shortener to prevent UI overflow (#1902)
Integrated into release/v3.7.9
* feat(providers): implement bulk paste for extra API keys (#1916)
Integrated into release/v3.7.9
* fix(migrations): treat duplicate-column ALTER as no-op (#1886)
Integrated into release/v3.7.9
* fix(analytics): robust model pricing resolution, dark mode charts and SQL aggregation fixes (#1896)
Integrated into release/v3.7.9 (migration renumbered to 044)
* fix(oauth): per-connection mutex for rotating refresh tokens (#1885)
Integrated into release/v3.7.9
* fix: resolve 3 bugs — Codex tool normalization (#1914), image gen proxy (#1904), zero-arg MCP tools (#1898)
- fix(codex): flatten Chat Completions tool format to Responses format in
normalizeCodexTools. Prevents 'Missing required parameter: tools[0].name'
upstream errors when clients send {type:'function', function:{name,...}}
instead of {type:'function', name,...}.
- fix(proxy): add proxy-aware execution context to image generation route.
Image requests now correctly use proxy settings from the connection's
ProxyRegistry assignment, matching the pattern used by chat pipeline.
- fix(translator): inject properties:{} into zero-argument MCP tool schemas
during Anthropic→OpenAI translation. OpenAI strict mode requires explicit
properties even for empty object schemas.
Closes #1914, Closes #1904, Closes #1898
* chore(release): v3.7.9 — all changes in ONE commit
* fix: allow local ollama provider connections (#1893)
* fix(copilot): emit compatible reasoning text deltas (#1919)
Integrated into release/v3.7.9
* fix(api-manager): show validation errors inline in modals, not behind backdrop (#1920)
Integrated into release/v3.7.9
* docs: update changelog and pr body with merged prs
* fix(providers): route agentrouter through anthropic endpoint headers
Update the AgentRouter provider registry to use the Claude-compatible
messages API and required Anthropic-style authentication headers. This
bypasses unauthorized_client_error responses and exposes the supported
model list through passthrough configuration.
Also update the changelog and release PR notes to document the fix for
#1921
* feat(logs): show compression tokens in request log UI (#1923)
* docs: add PR #1923 to changelog
---------
Co-authored-by: diegosouzapw <diego.souza.pw@gmail.com>
Co-authored-by: backryun <bakryun0718@proton.me>
Co-authored-by: Aculeasis <42580940+Aculeasis@users.noreply.github.com>
Co-authored-by: Raxxoor <manker_lol@hotmail.com>
Co-authored-by: Randi <55005611+rdself@users.noreply.github.com>
Co-authored-by: Paijo <14921983+oyi77@users.noreply.github.com>
Co-authored-by: Tubagus <54710482+0xtbug@users.noreply.github.com>
Co-authored-by: smartenok-ops <smartenok@gmail.com>
Co-authored-by: Gi99lin <74502520+Gi99lin@users.noreply.github.com>
Co-authored-by: ivan-mezentsev <ivan@mezentsev.me>
Co-authored-by: Andrew Munsell <andrew@wizardapps.net>
* feat(api-keys): add rename support in permissions modal
Add an editable key name field at the top of the permissions modal,
allowing users to rename API keys alongside existing permission settings.
The backend already supported name updates via PATCH /api/keys/:id — this
wires the UI to send the name field and refreshes the key list on success.
Changes:
- Add keyName state and text input to PermissionsModal
- Update handleUpdatePermissions to validate and send name in PATCH body
- Add integration test for rename via PATCH (valid, empty, too-long names)
- Update E2E mock to handle PATCH requests
* chore(release): bump version to 3.7.6
* chore(release): v3.7.6 — merge API key rename feature and sync docs
* chore(release): expand contributor credits to 155 PRs across full project history
- Expanded acknowledgment table from 29 to 53 contributors
- Added 100+ previously uncredited PRs from project inception through v3.7.5
- Moved contributor credits section to v3.7.6 (current release)
- Synced llm.txt version to 3.7.6
* fix: resolve security ReDoS in codex and bugs #1797 #1789
* feat(dashboard): implement remaining v3.7.6 dashboard features and fixes
* fix(xiaomi-mimo): update models to V2.5, fix Token Plan validation and default region (#1823)
Integrated into release/v3.7.6
* fix(dashboard): correct loadPresets ReferenceError in CostOverviewTab
* fix(codex): omit compact client metadata (#1822)
Integrated into release/v3.7.6
* feat(chatgpt-web): support thinking_effort (Standard/Extended) for thinking-capable models (#1821)
Integrated into release/v3.7.6
* Fix endpoint visibility, A2A status, and API catalog (#1806)
Integrated into release/v3.7.6
* fix(analytics): use pure SQL aggregations — no history rows loaded (#1802)
Integrated into release/v3.7.6
* fix(stability): resolve codex input validation, enable combo circuit breaker, and fix broken unit tests
* docs(changelog): update for stability bug fixes #1804 #1805
* fix: clear active requests and recover providers (#1824)
Integrated into release/v3.7.6
* feat: inject fallback tool names to prevent upstream 400 errors (#1775)
* feat: auto-restore probe-failed database to prevent data loss (#1810)
* fix: safely cast inputs to strings before calling trim() to avoid crashes on numeric fields in proxy modal (#1825)
* chore(release): v3.7.6 — final stability patches for production
* test: update expected db probe-failure error message for auto-restore feature
* chore(workflow): mandate implementation plan generation in resolve-issues
* docs(changelog): rewrite v3.7.6 with complete commit-accurate entries
* feat(analytics): add cost-based usage insights and activity streaks
Expand usage analytics to report total cost, per-series cost totals,
API key counts, and current activity streaks using pricing-aware token
calculations.
Also make probe-failed database recovery choose the newest backup by
its embedded timestamp instead of filesystem mtime so auto-restore
selects the intended snapshot reliably.
* fix(mitm): enforce transparent interception on port 443 only
Reject non-443 MITM port updates in the settings API and normalize
stored configuration back to the required transparent interception
port.
Lock the dashboard port field to 443, update the validation copy, and
add integration coverage to prevent stale custom ports from being
accepted or surfaced.
* docs(changelog): update for analytics and mitm features
---------
Co-authored-by: Andrew Munsell <andrew@wizardapps.net>
Co-authored-by: Antigravity Assistant <bot@antigravity.local>
Co-authored-by: Gi99lin <74502520+Gi99lin@users.noreply.github.com>
Co-authored-by: Sergey Morozov <tr0st@bk.ru>
Co-authored-by: payne <baboialex95@gmail.com>
Co-authored-by: Randi <55005611+rdself@users.noreply.github.com>
Co-authored-by: Paijo <14921983+oyi77@users.noreply.github.com>
Co-authored-by: ipanghu <bypanghu@163.com>
* docs(changelog): record PR #1748 for next release
* fix(models): apply blocked providers filter to non-chat catalog models (#1752)
* chore(release): v3.7.5 — integrate ngrok tunnel and fix models filter (#1753, #1752)
* chore(release): update changelog format for v3.7.5
* Speed up endpoint initial render
* Address endpoint review feedback
* Add endpoint loading model translations
* fix: resolve build issues and implement memory UPSERT logic (#1763)
* fix: resolve build issues for v3.7.5 and apply memory/translation fixes
1. antigravityHeaders.ts: restore ANTIGRAVITY_LOAD_CODE_ASSIST_* exports for oauth.ts compatibility
2. next.config.mjs: add @ngrok/ngrok to serverExternalPackages and webpack externals to handle native .node modules
3. Memory system: UPSERT logic to prevent duplicate entries with same apiKeyId + key
4. Chinese translations: complete CLI tools and memory dashboard localizations
5. Test fixes: unique keys for pagination tests to comply with unique constraint
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: address Gemini Code Assist review feedback
1. store.ts: add expires_at to UPDATE statement in UPSERT logic
- Previously, expires_at was not being persisted to database on update
- This caused state mismatch between returned Memory object and actual DB row
2. package-lock.json: revert react-markdown registry to official npmjs.org
- Mirror-specific registry URL (npmmirror.com) should not be in lockfile
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix(antigravity): normalize Gemini bridge payloads (#1769)
* fix(antigravity): normalize Gemini bridge payloads
Clamp Claude bridge output tokens, use Gemini-valid system roles and tool names, and serialize antigravity requests from a cloned body so Cloud Code payload shaping stays valid.
* fix(cli): stop fallback after unsafe known paths
Preserve known-path security checks by stopping command discovery when a configured CLI path is suspicious or non-executable, instead of falling through to PATH discovery.
* test(memory): make query result assertion deterministic
Avoid relying on database result ordering when checking filtered memory keys so the unit suite remains stable across runs.
* fix(review): preserve safe cloning and CLI reasons
Handle non-cloneable antigravity request bodies without throwing and preserve specific CLI known-path failure reasons instead of masking them as not_found.
* fix(sse): propagate AbortSignal to pre-fetch semaphore and rate-limit awaits (#1771)
When a combo target takes too long, the request-level deadline fires
and calls abortController.abort() on the stream controller, but the
abort signal never reaches pending awaits in acquireAccountSemaphore()
or withRateLimit(). These awaits sit between stream controller creation
and executor.execute(), causing requests to hang indefinitely past the
600s deadline.
Pass streamController.signal to both functions so they can respond to
abort events and terminate early when the request deadline expires.
Signed-off-by: wucm667 <stevenwucongmin@gmail.com>
* Fix model sync import handling (#1755)
* Fix model sync import handling
* Align model import storage semantics
* Address model review feedback
* fix(codex): stabilize copilot responses reasoning and tool replay (#1750)
* chore(xiaomi): Update Xiaomi provider model list (#1759)
* Move DB health to management API (#1757)
* Move DB health to management API
* Address DB health review feedback
* fix(kiro): support organization IDC OAuth with regional endpoints and refresh (#1754)
* fix(kiro): support organization IDC OAuth with regional endpoints and refresh
* fix(kiro): refresh IDC tokens with stored region
---------
Co-authored-by: ngocdb <ngocdb@ngocdb.local>
* chore(workflows): add strict PR contributor credit policy
- Add ABSOLUTE PROHIBITION section to review-prs.md
- Add PR PROHIBITION rule to resolve-issues.md
- Add contributor credit rule to AGENTS.md Review Focus
- Based on audit finding: 37 PRs had code absorbed without merge credit
* chore(release): acknowledge 29 community contributors with retroactive credit
This commit formally recognizes 29 contributors whose code was manually
integrated across releases v3.4.0 through v3.7.4 without proper GitHub
merge credit. Their PRs were resolved locally due to merge conflicts
but closed instead of merged, preventing them from appearing in the
Contributors graph. We have updated our workflows to ensure this never
happens again.
Co-authored-by: Randi <55005611+rdself@users.noreply.github.com>
Co-authored-by: Benson K B <4044180+benzntech@users.noreply.github.com>
Co-authored-by: clousky2020 <33016567+clousky2020@users.noreply.github.com>
Co-authored-by: Raxxoor <7317522+dhaern@users.noreply.github.com>
Co-authored-by: Jason Landbridge <15127381+JasonLandbridge@users.noreply.github.com>
Co-authored-by: slewis3600 <35925982+slewis3600@users.noreply.github.com>
Co-authored-by: Markus Hartung <12826053+hartmark@users.noreply.github.com>
Co-authored-by: Hernan Javier Ardila Sanchez <204746071+herjarsa@users.noreply.github.com>
Co-authored-by: 3_1_3_u <5846351+andruwa13@users.noreply.github.com>
Co-authored-by: Paijo <14921983+oyi77@users.noreply.github.com>
Co-authored-by: i1hwan <35260883+i1hwan@users.noreply.github.com>
Co-authored-by: xandr0s <1709302+xandr0s@users.noreply.github.com>
Co-authored-by: backryun <24198422+backryun@users.noreply.github.com>
Co-authored-by: Owen <36758131+kang-heewon@users.noreply.github.com>
Co-authored-by: Ravi Tharuma <25951435+RaviTharuma@users.noreply.github.com>
Co-authored-by: Chris <3751981+christopher-s@users.noreply.github.com>
Co-authored-by: Wellington Fonseca <5421548+wlfonseca@users.noreply.github.com>
Co-authored-by: Ethan Hunt <136065060+only4copilot@users.noreply.github.com>
Co-authored-by: tombii <6607822+tombii@users.noreply.github.com>
Co-authored-by: AndrewDragonIV <7906124+AndrewDragonIV@users.noreply.github.com>
Co-authored-by: Danh Thanh <50534210+dt418@users.noreply.github.com>
Co-authored-by: Will F <30637450+willbnu@users.noreply.github.com>
Co-authored-by: defhouse <232128212+defhouse@users.noreply.github.com>
Co-authored-by: Skydwest <186351198+mercs2910@users.noreply.github.com>
Co-authored-by: zenobit <6384793+zen0bit@users.noreply.github.com>
Co-authored-by: Ivan <16905671+razllivan@users.noreply.github.com>
Co-authored-by: foxy1402 <45601526+foxy1402@users.noreply.github.com>
Co-authored-by: Luan Dias <65574834+luandiasrj@users.noreply.github.com>
Co-authored-by: Sergei Korolev <891832+knopki@users.noreply.github.com>
Co-authored-by: dail45 <69967573+dail45@users.noreply.github.com>
* fix(combo): include 429 in provider circuit breaker to stop infinite retry on exhausted quotas (#1767)
Previously, PROVIDER_FAILURE_ERROR_CODES only included {408, 500, 502, 503, 504},
meaning 429 responses never counted toward the circuit breaker threshold. This caused
exhausted accounts to be retried every 3-5 seconds indefinitely instead of being
blocked by the provider breaker.
Adding 429 ensures persistent rate limiting triggers the circuit breaker after the
configured failure threshold, giving the provider time to recover.
* fix(claude): respect client thinking/effort params to prevent forced quota drain (#1761)
Previously, OmniRoute unconditionally injected thinking: {type: 'adaptive'} and
output_config: {effort: 'high'} for Claude Opus 4.7 in Claude Code client requests.
This caused Claude Max 5h quota to drain in ~15 minutes.
Now checks the original client body: if thinking or output_config are explicitly set
(even to null or a different value), the injection is skipped. Users can opt-out by
sending thinking: null or output_config: {effort: 'low'}.
* Add MseeP.ai badge to README.md (#1727)
Integrated into release/v3.7.5
* chore(docs): update CHANGELOG for PR #1727
* fix(tests): update stream-utils assertion for responses api compliance
* feat: Fix support for claude-cli using Gemini provider (#1779)
Integrated into release/v3.7.5
* fix(codex): align client identity metadata (#1778)
Integrated into release/v3.7.5
* fix(blackbox-web): correct cookie name and populate session/subscription fields (#1776)
Integrated into release/v3.7.5
* Fix Codex /responses/compact passthrough (#1777)
Integrated into release/v3.7.5
* test(reasoning-cache): isolate DB state using mkdtempSync to prevent 401 middleware errors
* chore(release): v3.7.5 — integrate remaining PRs and finalize stability
* chore(config): remove local patch artifacts and trim workspace config
Delete temporary patch scripts and local OMC session files that should not
ship with the repository.
Also remove the Next.js config file and expand editor and TypeScript
exclusions to ignore large local workspace directories and reduce
unnecessary indexing.
* fix(antigravity): cap Claude bridge output tokens (#1785)
Integrated into release/v3.7.5
* fix(codex): stabilize Copilot responses replay state (#1791)
Integrated into release/v3.7.5
* fix(chatgpt-web): restore validator + expand model catalog to ChatGPT Plus tier (#1792)
Integrated into release/v3.7.5
* fix(antigravity): scrub internal OmniRoute headers (#1794)
Integrated into release/v3.7.5
* fix(grok-web): fix Grok validator and cookie parsing (#1793)
Integrated into release/v3.7.5
* chore(release): v3.7.5 — finalize changelog for LTS patch
* feat(api-keys): add rename support in permissions modal
Add an editable key name field at the top of the permissions modal,
allowing users to rename API keys alongside existing permission settings.
The backend already supported name updates via PATCH /api/keys/:id — this
wires the UI to send the name field and refreshes the key list on success.
Changes:
- Add keyName state and text input to PermissionsModal
- Update handleUpdatePermissions to validate and send name in PATCH body
- Add integration test for rename via PATCH (valid, empty, too-long names)
- Update E2E mock to handle PATCH requests
* chore(release): finalize v3.7.5 LTS release with schema and db initialization fixes
* test: fix json escaping in stream-utilities test
* fix(build): restore next.config.mjs that was accidentally deleted
* fix(sse): decrement pending requests on passthrough mode failure (#1798)
Integrated into release/v3.7.5
* fix(grok-web): repair validator probe + accept full cookie blobs (#1793)
Integrated into release/v3.7.5
* docs(i18n): sync documentation updates to 40 languages
---------
Signed-off-by: wucm667 <stevenwucongmin@gmail.com>
Co-authored-by: diegosouzapw <diegosouzapw@users.noreply.github.com>
Co-authored-by: R.D. <rogerproself@gmail.com>
Co-authored-by: clousky2020 <33016567+clousky2020@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: cloudy <37777261+uwuclxdy@users.noreply.github.com>
Co-authored-by: wucm667 <109257021+wucm667@users.noreply.github.com>
Co-authored-by: Randi <55005611+rdself@users.noreply.github.com>
Co-authored-by: ivan-mezentsev <ivan@mezentsev.me>
Co-authored-by: backryun <bakryun0718@proton.me>
Co-authored-by: Dao Bao Ngoc <42265865+daongoc315@users.noreply.github.com>
Co-authored-by: ngocdb <ngocdb@ngocdb.local>
Co-authored-by: Benson K B <4044180+benzntech@users.noreply.github.com>
Co-authored-by: Raxxoor <7317522+dhaern@users.noreply.github.com>
Co-authored-by: Jason Landbridge <15127381+JasonLandbridge@users.noreply.github.com>
Co-authored-by: slewis3600 <35925982+slewis3600@users.noreply.github.com>
Co-authored-by: Markus Hartung <12826053+hartmark@users.noreply.github.com>
Co-authored-by: Hernan Javier Ardila Sanchez <204746071+herjarsa@users.noreply.github.com>
Co-authored-by: 3_1_3_u <5846351+andruwa13@users.noreply.github.com>
Co-authored-by: Paijo <14921983+oyi77@users.noreply.github.com>
Co-authored-by: i1hwan <35260883+i1hwan@users.noreply.github.com>
Co-authored-by: xandr0s <1709302+xandr0s@users.noreply.github.com>
Co-authored-by: backryun <24198422+backryun@users.noreply.github.com>
Co-authored-by: Owen <36758131+kang-heewon@users.noreply.github.com>
Co-authored-by: Ravi Tharuma <25951435+RaviTharuma@users.noreply.github.com>
Co-authored-by: Chris <3751981+christopher-s@users.noreply.github.com>
Co-authored-by: Wellington Fonseca <5421548+wlfonseca@users.noreply.github.com>
Co-authored-by: Ethan Hunt <136065060+only4copilot@users.noreply.github.com>
Co-authored-by: tombii <6607822+tombii@users.noreply.github.com>
Co-authored-by: AndrewDragonIV <7906124+AndrewDragonIV@users.noreply.github.com>
Co-authored-by: Danh Thanh <50534210+dt418@users.noreply.github.com>
Co-authored-by: Will F <30637450+willbnu@users.noreply.github.com>
Co-authored-by: defhouse <232128212+defhouse@users.noreply.github.com>
Co-authored-by: Skydwest <186351198+mercs2910@users.noreply.github.com>
Co-authored-by: zenobit <6384793+zen0bit@users.noreply.github.com>
Co-authored-by: Ivan <16905671+razllivan@users.noreply.github.com>
Co-authored-by: foxy1402 <45601526+foxy1402@users.noreply.github.com>
Co-authored-by: Luan Dias <65574834+luandiasrj@users.noreply.github.com>
Co-authored-by: Sergei Korolev <891832+knopki@users.noreply.github.com>
Co-authored-by: dail45 <69967573+dail45@users.noreply.github.com>
Co-authored-by: MseeP.ai <mseep@skydeck.ai>
Co-authored-by: Markus Hartung <mail@hartmark.se>
Co-authored-by: Raxxoor <manker_lol@hotmail.com>
Co-authored-by: Jack <5443152+hijak@users.noreply.github.com>
Co-authored-by: Sergey Morozov <tr0st@bk.ru>
Co-authored-by: payne <baboialex95@gmail.com>
Co-authored-by: Antigravity Assistant <bot@antigravity.local>
Co-authored-by: Andrew Munsell <andrew@wizardapps.net>
- Use jsonc-parser to update only provider.omniroute in opencode.json,
preserving MCP servers, comments, and other provider entries
- Add /api/cli-tools/keys endpoint returning raw keys for CLI tools UI
(session-auth protected via requireCliToolsAuth)
- Fix OpenCode guide step 3 to use ICU-style {baseUrl} placeholder
instead of broken {{baseUrl}} across all 40+ locales
- Restore valid OpenCode light/dark SVG logos (were broken HTML downloads)
- Add customCliTab translation key to en.json
- Add modelLabels support for human-readable model names in config
- Fix 9 additional locale files (bn, fa, gu, in, mr, sw, ta, te, ur)
that were added after the original PR and still had double-braces
Co-authored-by: JasonLandbridge <JasonLandbridge@users.noreply.github.com>
Adds a new chatgpt-web provider that routes through chatgpt.com's internal
backend-api using a Plus/Pro subscription session cookie, enabling access
to GPT-5.x models without an OpenAI API key.
Heavier than perplexity-web/grok-web because chatgpt.com layers more bot
protection — this PR builds out the full pipeline needed to look like a
real browser session.
## New executor: open-sse/executors/chatgpt-web.ts
Auth/request pipeline (per chat completion):
1. exchangeSession() GET /api/auth/session cookie -> JWT (cached ~5min)
2. fetchDpl() GET / scrape data-build + script src
3. runSessionWarmup() GET /backend-api/me, /conversations, /models
4. POST /sentinel/chat-requirements/prepare -> prepare_token
5. POST /sentinel/chat-requirements -> chat-requirements-token + PoW seed/diff
6. solveProofOfWork() SHA3-512 loop -> "gAAAAAB..." sentinel proof token
7. POST /backend-api/f/conversation with all sentinel headers
8. parse SSE stream -> OpenAI chat.completion[.chunk] format
Notable details:
- 18-element prekey config matching chat2api/openai-sentinel (browser fingerprint
values, U+2212 MINUS SIGN in `webdriver−false`). Thin shapes get escalated to
mandatory Turnstile.
- Two-stage Sentinel handshake (/prepare + /chat-requirements) — sending only
the prepare result returns a 403 "Unusual activity" response.
- `turnstile.required: true` from Sentinel is treated as advisory; the conv
endpoint accepts requests without a Turnstile token as long as PoW +
chat-requirements-token are valid. Optional bring-your-own Turnstile via
`providerSpecificData.turnstileToken` for accounts that hard-require it.
- SSE parser tracks message_id and resets the accumulator on a new turn —
chatgpt.com echoes prior assistant messages (with status finished_successfully)
before sending the new turn.
- entity["...","value", ...] internal markup stripped from output (browser
renders these client-side).
- Conversation-continuity cache disabled by default: we send
history_and_training_disabled: true (Temporary Chat mode) and those
conversation_ids expire too fast to reuse — re-using returned 404. Each
request now sends conversation_id: null and replays full history, matching
what Open WebUI and OpenAI-API-style clients send anyway.
## TLS impersonation: open-sse/services/chatgptTlsClient.ts
ChatGPT's Cloudflare config pins cf_clearance to JA3/JA4 TLS fingerprint +
HTTP/2 SETTINGS frame. Plain Node Undici fetch always returns
cf-mitigated: challenge regardless of cookies. The wrapper module loads
`tls-client-node` (Firefox 148 fingerprint) in native runtime mode (.so via
koffi) — managed mode spawns a sidecar that conflicts with OmniRoute's
global fetch proxy patch.
- Lazy singleton TLSClient with process exit hooks
- Streaming-capable (file tail) and non-streaming modes
- Test injection point: __setTlsFetchOverrideForTesting() lets unit tests mock
the client without touching globalThis.fetch
## Provider wiring
- open-sse/executors/index.ts — register ChatGptWebExecutor with cgpt-web alias
- open-sse/config/providerRegistry.ts — registry entry, format=openai,
authHeader=cookie, model gpt-5.3-instant
- src/shared/constants/providers.ts — WEB_COOKIE_PROVIDERS UI metadata
(icon, color, authHint)
- src/lib/providers/validation.ts — validateChatGptWebProvider hits
/api/auth/session via the TLS client, detects cf-mitigated/HTML responses
and returns a clear "paste full Cookie line" hint instead of a generic
"Invalid"
- next.config.mjs — mark tls-client-node, koffi, tough-cookie as external
packages (Turbopack can't bundle the native .so)
## Cookie format
Validator and executor accept any of:
- bare value: "eyJhbGc..."
- unchunked cookie line: "__Secure-next-auth.session-token=eyJ..."
- chunked cookie line: "__Secure-next-auth.session-token.0=...; __Secure-next-auth.session-token.1=..."
- full DevTools Cookie header line: "Cookie: __Secure-next-auth.session-token.0=...; cf_clearance=...; ..."
NextAuth chunks the JWE when it exceeds 4KB; chunked cookies pass through
verbatim (NextAuth reassembles server-side). Recommend pasting the full
DevTools Cookie line so cf_clearance, __cf_bm, _cfuvid, _puid travel along —
without cf_clearance, Cloudflare blocks the request before NextAuth sees it.
## Tests
tests/unit/chatgpt-web.test.ts — 27 tests, all passing:
- Registration + alias resolution
- Token exchange (cookie -> Bearer flow)
- Token cache TTL
- Refreshed cookie surfaced via onCredentialsRefreshed callback
- Sentinel call ordering (session -> prepare -> chat-requirements -> conv)
- Sentinel chat-requirements-token forwarded on conv request
- PoW token has gAAAAAB prefix
- Turnstile.required: true does NOT block conv (passes through)
- Non-streaming chat.completion JSON
- Streaming SSE chunks ending with [DONE]
- Cumulative-parts diffing yields non-overlapping deltas
- Errors: 401 session, 403 sentinel, 429 conv rate-limit
- Empty messages -> 400 without any fetch
- Missing apiKey -> 401 without any fetch
- Cookie format: bare value, unchunked, chunked, "Cookie: ..." DevTools line
- Conversation continuity: each call starts a fresh conversation
- Browser-like headers on conv POST (UA, Origin, Sec-Fetch-Site, Accept)
- Payload shape (action, model=gpt-5-3, history_and_training_disabled)
- Provider registry contains chatgpt-web with gpt-5.3-instant model
Verification: typecheck:core clean, lint clean (no new warnings),
end-to-end manually verified across single-turn, multi-turn (memory
preserved), streaming, and Open WebUI-style sequential growing-history
flows.
## References
- bogdanfinn/tls-client (Go) — TLS impersonation upstream
- fatihkabakk/tls-client-node — Node bindings
- lanqian528/chat2api — Sentinel/PoW/prekey reference impl (Python)
- leetanshaj/openai-sentinel — Prekey config + SHA3-512 solver
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Compile MITM utilities as NodeNext ESM for prepublish builds, copy the
CommonJS MITM server into standalone artifacts, and resolve MITM data
paths without relying on Next.js aliases at runtime.
Replace shell-interpolated setup and elevated command flows with
argument-based spawn and execFile helpers for database setup, DNS edits,
certificate install flows, and Tailscale sudo execution. Also tighten
the Electron production CSP, update provider icon loading to use direct
@lobehub/icons imports with local fallbacks, and pin dependency
configuration to avoid unused peer installs and known audit findings.
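The move from shell-interpolated commands to argument-based `execFile` described in the last commit message, shown as an added example (not OmniRoute's own code). `addHostEntry`, `runInterpolated`, `runArgv`, `isSafeHostname` and the sample hostname are hypothetical names and constructed input chosen for illustration.

```javascript
// Added example, not OmniRoute code: addHostEntry() and the inputs are hypothetical.
// Loads child_process whether this file runs as CommonJS or as an ES module.
const cp = typeof require === "function"
  ? require("node:child_process")
  : process.getBuiltinModule("node:child_process");

// Constructed hostile input: a "hostname" carrying a shell command separator.
const HOSTILE = "example.test; echo INJECTED";

// Child script that prints the arguments it received as one JSON array.
const ECHO_ARGV = "process.stdout.write(JSON.stringify(process.argv.slice(1)))";

// BEFORE: the value is interpolated into a string that /bin/sh parses,
// so ';' ends the intended command and starts a second one.
function runInterpolated(host) {
  const out = cp.execSync(`echo add-host ${host}`, { encoding: "utf8" });
  return out.trim().split("\n");
}

// AFTER: no shell; each array element reaches the child as exactly one argument.
function runArgv(host) {
  const out = cp.execFileSync(
    process.execPath, ["-e", ECHO_ARGV, "add-host", host], { encoding: "utf8" });
  return JSON.parse(out);
}

// execFile stops shell parsing, not option injection: a value starting with '-'
// would still be read as a flag by the target tool, so allowlist the shape too.
const HOSTNAME_RE = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;
function isSafeHostname(value) {
  return typeof value === "string" && HOSTNAME_RE.test(value);
}

// Hardened entry point: validate the shape first, then pass the value as argv.
function addHostEntry(host) {
  if (!isSafeHostname(host)) throw new Error("rejected hostname");
  return runArgv(host);
}
```

The interpolated form turns one value into two commands, while the argv form delivers the same bytes as a single inert argument; the allowlist covers the leading-dash case that `execFile` alone does not.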