* fix(cli-tools): guard modelId type before calling indexOf
E2E shakedown v3.8.0: cli-tools quebrava com TypeError quando dynamicModels
continha entradas sem .id (objeto retornado diretamente em vez de string).
* fix(offline): avoid SSR/CSR hydration mismatch on navigator.onLine
Replace useState+lazy-initializer with useSyncExternalStore so the server
snapshot (() => false) and client snapshot (() => navigator.onLine) are
declared separately. React hydrates with the server value and switches to
the real online status client-side without a mismatch.
* chore(i18n): add missing en.json keys for translator, cli-tools, memory, onboarding
Adds 58 missing keys identified by the new dashboard audit script:
- cliTools: 18 custom CLI builder keys (CustomCliCard)
- translator: 24 keys covering stream transformer, live monitor, test bench
- memory: 12 health/pagination/dialog keys
- onboarding.tier: 8 keys for the tier tour walkthrough
Also adds scripts/i18n/audit-dashboard-pages.mjs which scans all dashboard
pages, reports t() calls referencing missing en.json keys, and flags
candidate hardcoded JSX/attribute strings.
* chore(i18n): replace hardcoded UI text with t() calls across dashboard (round 1)
Subagents refactored 8 high-impact dashboard pages, replacing 81 of the
407 hardcoded English/PT strings flagged by the audit with proper
useTranslations() lookups. Added 73 corresponding keys to en.json across
the home, apiManager, providers, settings, and usage namespaces.
Pages affected:
- BudgetTab (27 → 0)
- HomePageClient (2 → 0)
- RoutingTab (25 → 7)
- ResilienceTab (38 → 18)
- SystemStorageTab (42 → 21)
- providers/[id] (17 → 15)
- ApiManagerPageClient (14 → 13)
- OneproxyTab (13 → 10)
Also adds two helper scripts:
- scripts/i18n/extract-keys-from-diff.mjs — extracts new keys from git diff
- scripts/i18n/merge-keys.mjs — merges a pending-keys JSON into en.json
Remaining hardcoded strings will be addressed in follow-up rounds.
* chore(i18n): replace hardcoded UI text with t() calls across dashboard (round 2)
Continues round 1 (commit 8d34f4c65). Round-2 subagents refactored
additional dashboard pages, replacing 77 more hardcoded strings with
useTranslations() lookups. Added 79 corresponding keys to en.json
across the a2aDashboard, agents, analytics, apiManager, cliTools,
common, and settings namespaces.
Pages affected:
- a2a/page (new useTranslations + 6 keys)
- agent-skills/page (new useTranslations + 9 keys)
- AutoRoutingAnalyticsTab (new useTranslations + 6 keys)
- AppearanceTab (8 → 6 remaining)
- OneproxyTab (10 → 0)
- ResilienceTab (18 → 0 missing key)
- RoutingTab (7 → 0 missing key)
- VisionBridgeSettingsTab (new useTranslations + 6 keys)
- CopilotToolCard (7 → 0 missing key)
- ApiManagerPageClient (13 → 0 missing key)
- gamification/admin (new useTranslations + 7 keys)
Hardcoded total: 326 → 249. Real missing keys: 0 (the 6 still flagged
are false positives in exampleTemplates.tsx where t is passed as a
parameter — keys exist at translator.templatePayloads.*).
* chore(i18n): replace hardcoded UI text with t() calls across dashboard (round 3)
Round-3 subagents and manual edits refactored 9 more dashboard pages
(plus 2 small extras), replacing ~80 hardcoded strings with
useTranslations() lookups. Added 79 corresponding keys to en.json
across analytics, cloudAgents, combos, common, health, settings, and
usage namespaces.
Pages affected:
- analytics/ComboHealthTab (new useTranslations + 15 keys)
- analytics/CompressionAnalyticsTab (new useTranslations + 11 keys)
- settings/SystemStorageTab (21 → 0 missing key)
- tokens/page (new useTranslations + 13 keys)
- usage/BudgetTab (9 missing fixed)
- health/page (manual: 6 keys)
- cloud-agents/page (manual: 3 keys)
- combos/page (manual: 1 key)
Hardcoded total: 249 → 164. Real missing keys: 0 (6 remaining are
exampleTemplates.tsx false positives).
Also adds scripts/i18n/build-pending-from-missing.mjs which reads
_audit.json and locates English values from HEAD to rebuild
_pending-keys.json after race-condition resets between subagent edits.
* chore(i18n): localize remaining dashboard settings labels
Replace hardcoded labels in compression and resilience settings with
translation lookups to continue the dashboard i18n cleanup.
Add the v3.8.0 dashboard shakedown runbook to document the manual
smoke-test process and known dev environment pitfalls.
* chore(i18n): replace hardcoded UI text with t() calls across dashboard (round 4)
Round-4 subagent + manual key-resolution refactored remaining strings in
3 high-traffic settings/API tabs, plus extracted English values for
keys that were already added as t() calls but lost during the previous
en.json race-condition resets.
Pages affected:
- api-manager/ApiManagerPageClient (7 → 0 missing key)
- settings/CompressionSettingsTab (8 → 0 missing key)
- settings/MemorySkillsTab (8 → 0 missing key)
- settings/ResilienceTab (4 more keys recovered)
Hardcoded total: 164 → 140. Real missing keys: 0 (6 remaining are the
exampleTemplates.tsx false positives — t passed as parameter).
* chore(i18n): replace hardcoded UI text with t() calls across dashboard (round 5)
Round-5 agent began processing the remaining smaller dashboard files.
Added 5 more keys to en.json for providers/[id]/page.tsx OAuth flow
labels and the cross-OS auto-detection hint.
Pages affected:
- providers/[id]/page.tsx (5 keys)
Hardcoded total: 140 → 136. Real missing keys: 0.
* chore(i18n): resolve last 2 missing providers/[id] keys
Adds providerDetailMyClaudeAccountPlaceholder and
providerDetailPathAutoDetected — the final user-visible labels in the
providers/[id] page that the round-5 subagent rewrote to t() calls
without yet adding to en.json.
Real missing keys: 0 (6 remaining are exampleTemplates.tsx false
positives — t is passed as a parameter so the audit cannot resolve the
namespace; keys do exist at translator.templatePayloads.*).
* chore(i18n): replace hardcoded UI text with t() calls across dashboard (round 6 — 10 parallel agents)
Round-6 dispatched 10 parallel subagents covering all 57 remaining
dashboard files. Each agent worked on a disjoint file set to avoid
en.json race conditions. Added ~60 new i18n keys across 9 namespaces
covering small UI labels, table headers, search placeholders, and
empty-state messages.
Major changes:
- analytics: SearchAnalyticsTab, ProviderUtilizationTab, DiversityScoreCard, CompressionAnalyticsTab (new useTranslations + keys)
- batch: BatchDetailModal, BatchListTab, FileDetailModal, FilesListTab (new useTranslations + keys)
- settings: CliproxyapiSettingsTab, PayloadRulesTab, ModelCooldownsCard, AppearanceTab, PricingTab (mostly new useTranslations)
- endpoint: TokenSaverCard, ApiEndpointsTab, EndpointPageClient
- cache: CachePerformance, IdempotencyLayer, ReasoningCacheTab, MediaPageClient, page
- combos: IntelligentComboPanel, page
- playground: ChatPlayground, SearchPlayground
- providers: ProviderCard
- onboarding: TierFlowDiagram
- changelog: ChangelogViewer
- home: ProviderTopology, TierCoverageWidget, BootstrapBanner, BadgeToast
- usage: BudgetTab, BudgetTelemetryCards, QuotaTable
- quotaShare: QuotaSharePageClient
- profile: page
- leaderboard: page
- skills: page
Hardcoded total: 131 → 60. Real missing keys: 0 plus 1 false-positive
for combos.modePack (lookup via prop-passed t).
* chore(i18n): finalize round-6 keys for batch/cache/endpoint/usage
Adds the remaining keys produced by parallel agents A4, A6, A8, A9:
- common: batch-related labels (BatchDetailModal, BatchListTab,
FileDetailModal, FilesListTab, page) + profile/leaderboard
- cache: hit rate, latency, retry, avg chars
- endpoint: token saver, API endpoints, copy URL, cloud/local labels
- usage: noSpend, activeSessions, quotaAlerts, budget timing
- skills: install/marketplace/filter
- proxyRegistry/quotaShare/mcpDashboard: misc labels
Hardcoded total: 60 → 48. Real missing keys: 0 (modePack remaining is a
false positive — combos.modePack exists but the audit can't resolve it
since IntelligentComboPanel receives t as a prop).
* fix(playground): dedupe filteredModels to avoid duplicate React key warning
The /v1/models endpoint can return the same model id twice (e.g., when a
model is listed by both an alias and its canonical provider), which made
the <Select> emit two <option> elements with the same key — triggering
"Encountered two children with the same key, codex/gpt-5.5".
Replace the chained filter + map with a single pass that skips ids
already added.
* fix(playground): guard against non-string model ids before .split/.startsWith
The /v1/models endpoint can include synthetic entries (combos, locals,
in-progress imports) with a null/undefined id. The playground used to
call m.id.split("/") in the provider-discovery loop, which threw on the
first non-string entry; the surrounding .catch(() => {}) silently
swallowed the error, so the provider/model/account dropdowns ended up
empty even though /v1/models returned thousands of valid entries.
- Skip entries without a string id before split/startsWith.
- Log the rejection in the .catch handler so future regressions are
visible in DevTools instead of silently emptying the UI.
* fix(playground): guard ChatPlayground filteredModels for non-string ids
Same root cause as commit 49fe356b9: ChatPlayground filtered models
with m.id.startsWith(...) which crashed on null/undefined ids returned
by /v1/models (synthetic combo entries). Apply the same defensive guard
and dedupe used in the parent page.
* fix(claude): drop orphan tool_result after fixToolAdjacency strip (discussion #2410)
Discussion #2410 reports Claude returning 400 for sequences like:
assistant: tool_use(id=X)
user: <plain text> ← breaks adjacency
user: tool_result(id=X)
The previous round added `fixToolAdjacency` (commit 44d9abac9) which
correctly strips the orphan tool_use from the assistant message. But
that left the now-unmatched tool_result intact, so the upstream
rejected the request with:
messages.N.content.M: unexpected `tool_use_id` found in `tool_result`
blocks: X. Each tool_result block must have a corresponding tool_use
block in the previous message.
Fix: after running `fixToolAdjacency`, re-run `fixToolPairs` to drop
the orphaned tool_result blocks. All three call sites updated:
- contextManager.purifyHistory (both inside the binary-search loop
and the final pass)
- BaseExecutor message-prep (Claude path)
- claudeCodeCompatible request signer
Also tightens an unrelated dynamic-key access in
readNestedString (claudeCodeCompatible) to satisfy the prototype-
pollution scanner triggered by the post-tool semgrep hook.
* fix(mitm): point runtime manager re-export to js entrypoint
Use the emitted `.js` path for the runtime manager re-export so dynamic
runtime loading resolves correctly outside the Turbopack alias handling.
* docs: add AgentRouter setup guide (#2422)
Integrated into release/v3.8.0 — AgentRouter setup guide docs.
* feat: add new feature on combos - falloverBeforeRetry (#2417)
Integrated into release/v3.8.0 — falloverBeforeRetry for per-model quota skipping in combos.
* feat(batch): implement 10 feature requests harvested (#2414)
Integrated into release/v3.8.0 — batch of 10 feature requests: llama.cpp local provider, upstream error exposure, Termux detection, providers rotate CLI, t3.chat web skeleton, Zed Docker integration, Kiro multi-account OAuth isolation, auto-combo cost blending, auto-combo context filter, combo provider-level exhaustion tracking (#1731). Conflicts with #2417 (falloverBeforeRetry) resolved.
* fix(gamification): resolve SQL bug, auth gap, pagination, and anomaly scoring (#2421)
Integrated into release/v3.8.0 — 6 critical gamification bug fixes: SQL SELECT in checkActionCountBadges, federation auth enforcement, leaderboard pagination offset, real z-score computation, addXp level calculation, and barrel index.ts
* docs(changelog): add post-release entries for #2414#2417#2421#2422
- feat(batch): T3-Chat-Web executor, exhaustedProviders set (#1731), Zed Docker
- feat(combos): falloverBeforeRetry + setTry loop (#2417 — @hartmark)
- fix(gamification): SQL SELECT bug, federation auth, pagination, z-score (#2421 — @oyi77)
- docs: AgentRouter setup guide (#2422 — @leninejunior)
* fix(security): resolve CodeQL random/password-hash alerts and sync docs & tests
* feat/fix: integrate PRs #2423, #2425, #2427, #2428 with test & security fixes
* docs(changelog): credit contributors for PRs #2423, #2425, #2427, #2428
* fix(mitm): drop .js extension on manager.runtime re-export for webpack build (#2425)
Merged into release/v3.8.0
* fix: persist STORAGE_ENCRYPTION_KEY across upgrades (closes#1622) (#2428)
Merged into release/v3.8.0
* fix: auto-reset apiKeyHealth on successful connection test (#2427)
Merged into release/v3.8.0
* fix: support Antigravity image generation, Add Gemini 3.5 Flash (#2423)
Merged into release/v3.8.0
---------
Co-authored-by: diegosouzapw <diego.souza.pw@gmail.com>
Co-authored-by: Lenine Júnior <lenine@engrene.com.br>
Co-authored-by: Markus Hartung <mail@hartmark.se>
Co-authored-by: Paijo <14921983+oyi77@users.noreply.github.com>
Co-authored-by: Anton <39598727+NomenAK@users.noreply.github.com>
Co-authored-by: Chewji <126886556+Chewji9875@users.noreply.github.com>
Co-authored-by: clousky2020 <33016567+clousky2020@users.noreply.github.com>
Co-authored-by: backryun <bakryun0718@proton.me>
* fix(cli-tools): guard modelId type before calling indexOf
E2E shakedown v3.8.0: cli-tools quebrava com TypeError quando dynamicModels
continha entradas sem .id (objeto retornado diretamente em vez de string).
* fix(offline): avoid SSR/CSR hydration mismatch on navigator.onLine
Replace useState+lazy-initializer with useSyncExternalStore so the server
snapshot (() => false) and client snapshot (() => navigator.onLine) are
declared separately. React hydrates with the server value and switches to
the real online status client-side without a mismatch.
* chore(i18n): add missing en.json keys for translator, cli-tools, memory, onboarding
Adds 58 missing keys identified by the new dashboard audit script:
- cliTools: 18 custom CLI builder keys (CustomCliCard)
- translator: 24 keys covering stream transformer, live monitor, test bench
- memory: 12 health/pagination/dialog keys
- onboarding.tier: 8 keys for the tier tour walkthrough
Also adds scripts/i18n/audit-dashboard-pages.mjs which scans all dashboard
pages, reports t() calls referencing missing en.json keys, and flags
candidate hardcoded JSX/attribute strings.
* chore(i18n): replace hardcoded UI text with t() calls across dashboard (round 1)
Subagents refactored 8 high-impact dashboard pages, replacing 81 of the
407 hardcoded English/PT strings flagged by the audit with proper
useTranslations() lookups. Added 73 corresponding keys to en.json across
the home, apiManager, providers, settings, and usage namespaces.
Pages affected:
- BudgetTab (27 → 0)
- HomePageClient (2 → 0)
- RoutingTab (25 → 7)
- ResilienceTab (38 → 18)
- SystemStorageTab (42 → 21)
- providers/[id] (17 → 15)
- ApiManagerPageClient (14 → 13)
- OneproxyTab (13 → 10)
Also adds two helper scripts:
- scripts/i18n/extract-keys-from-diff.mjs — extracts new keys from git diff
- scripts/i18n/merge-keys.mjs — merges a pending-keys JSON into en.json
Remaining hardcoded strings will be addressed in follow-up rounds.
* chore(i18n): replace hardcoded UI text with t() calls across dashboard (round 2)
Continues round 1 (commit 8d34f4c65). Round-2 subagents refactored
additional dashboard pages, replacing 77 more hardcoded strings with
useTranslations() lookups. Added 79 corresponding keys to en.json
across the a2aDashboard, agents, analytics, apiManager, cliTools,
common, and settings namespaces.
Pages affected:
- a2a/page (new useTranslations + 6 keys)
- agent-skills/page (new useTranslations + 9 keys)
- AutoRoutingAnalyticsTab (new useTranslations + 6 keys)
- AppearanceTab (8 → 6 remaining)
- OneproxyTab (10 → 0)
- ResilienceTab (18 → 0 missing key)
- RoutingTab (7 → 0 missing key)
- VisionBridgeSettingsTab (new useTranslations + 6 keys)
- CopilotToolCard (7 → 0 missing key)
- ApiManagerPageClient (13 → 0 missing key)
- gamification/admin (new useTranslations + 7 keys)
Hardcoded total: 326 → 249. Real missing keys: 0 (the 6 still flagged
are false positives in exampleTemplates.tsx where t is passed as a
parameter — keys exist at translator.templatePayloads.*).
* chore(i18n): replace hardcoded UI text with t() calls across dashboard (round 3)
Round-3 subagents and manual edits refactored 9 more dashboard pages
(plus 2 small extras), replacing ~80 hardcoded strings with
useTranslations() lookups. Added 79 corresponding keys to en.json
across analytics, cloudAgents, combos, common, health, settings, and
usage namespaces.
Pages affected:
- analytics/ComboHealthTab (new useTranslations + 15 keys)
- analytics/CompressionAnalyticsTab (new useTranslations + 11 keys)
- settings/SystemStorageTab (21 → 0 missing key)
- tokens/page (new useTranslations + 13 keys)
- usage/BudgetTab (9 missing fixed)
- health/page (manual: 6 keys)
- cloud-agents/page (manual: 3 keys)
- combos/page (manual: 1 key)
Hardcoded total: 249 → 164. Real missing keys: 0 (6 remaining are
exampleTemplates.tsx false positives).
Also adds scripts/i18n/build-pending-from-missing.mjs which reads
_audit.json and locates English values from HEAD to rebuild
_pending-keys.json after race-condition resets between subagent edits.
* chore(i18n): localize remaining dashboard settings labels
Replace hardcoded labels in compression and resilience settings with
translation lookups to continue the dashboard i18n cleanup.
Add the v3.8.0 dashboard shakedown runbook to document the manual
smoke-test process and known dev environment pitfalls.
* chore(i18n): replace hardcoded UI text with t() calls across dashboard (round 4)
Round-4 subagent + manual key-resolution refactored remaining strings in
3 high-traffic settings/API tabs, plus extracted English values for
keys that were already added as t() calls but lost during the previous
en.json race-condition resets.
Pages affected:
- api-manager/ApiManagerPageClient (7 → 0 missing key)
- settings/CompressionSettingsTab (8 → 0 missing key)
- settings/MemorySkillsTab (8 → 0 missing key)
- settings/ResilienceTab (4 more keys recovered)
Hardcoded total: 164 → 140. Real missing keys: 0 (6 remaining are the
exampleTemplates.tsx false positives — t passed as parameter).
* chore(i18n): replace hardcoded UI text with t() calls across dashboard (round 5)
Round-5 agent began processing the remaining smaller dashboard files.
Added 5 more keys to en.json for providers/[id]/page.tsx OAuth flow
labels and the cross-OS auto-detection hint.
Pages affected:
- providers/[id]/page.tsx (5 keys)
Hardcoded total: 140 → 136. Real missing keys: 0.
* chore(i18n): resolve last 2 missing providers/[id] keys
Adds providerDetailMyClaudeAccountPlaceholder and
providerDetailPathAutoDetected — the final user-visible labels in the
providers/[id] page that the round-5 subagent rewrote to t() calls
without yet adding to en.json.
Real missing keys: 0 (6 remaining are exampleTemplates.tsx false
positives — t is passed as a parameter so the audit cannot resolve the
namespace; keys do exist at translator.templatePayloads.*).
* chore(i18n): replace hardcoded UI text with t() calls across dashboard (round 6 — 10 parallel agents)
Round-6 dispatched 10 parallel subagents covering all 57 remaining
dashboard files. Each agent worked on a disjoint file set to avoid
en.json race conditions. Added ~60 new i18n keys across 9 namespaces
covering small UI labels, table headers, search placeholders, and
empty-state messages.
Major changes:
- analytics: SearchAnalyticsTab, ProviderUtilizationTab, DiversityScoreCard, CompressionAnalyticsTab (new useTranslations + keys)
- batch: BatchDetailModal, BatchListTab, FileDetailModal, FilesListTab (new useTranslations + keys)
- settings: CliproxyapiSettingsTab, PayloadRulesTab, ModelCooldownsCard, AppearanceTab, PricingTab (mostly new useTranslations)
- endpoint: TokenSaverCard, ApiEndpointsTab, EndpointPageClient
- cache: CachePerformance, IdempotencyLayer, ReasoningCacheTab, MediaPageClient, page
- combos: IntelligentComboPanel, page
- playground: ChatPlayground, SearchPlayground
- providers: ProviderCard
- onboarding: TierFlowDiagram
- changelog: ChangelogViewer
- home: ProviderTopology, TierCoverageWidget, BootstrapBanner, BadgeToast
- usage: BudgetTab, BudgetTelemetryCards, QuotaTable
- quotaShare: QuotaSharePageClient
- profile: page
- leaderboard: page
- skills: page
Hardcoded total: 131 → 60. Real missing keys: 0 plus 1 false-positive
for combos.modePack (lookup via prop-passed t).
* chore(i18n): finalize round-6 keys for batch/cache/endpoint/usage
Adds the remaining keys produced by parallel agents A4, A6, A8, A9:
- common: batch-related labels (BatchDetailModal, BatchListTab,
FileDetailModal, FilesListTab, page) + profile/leaderboard
- cache: hit rate, latency, retry, avg chars
- endpoint: token saver, API endpoints, copy URL, cloud/local labels
- usage: noSpend, activeSessions, quotaAlerts, budget timing
- skills: install/marketplace/filter
- proxyRegistry/quotaShare/mcpDashboard: misc labels
Hardcoded total: 60 → 48. Real missing keys: 0 (modePack remaining is a
false positive — combos.modePack exists but the audit can't resolve it
since IntelligentComboPanel receives t as a prop).
* fix(playground): dedupe filteredModels to avoid duplicate React key warning
The /v1/models endpoint can return the same model id twice (e.g., when a
model is listed by both an alias and its canonical provider), which made
the <Select> emit two <option> elements with the same key — triggering
"Encountered two children with the same key, codex/gpt-5.5".
Replace the chained filter + map with a single pass that skips ids
already added.
* fix(playground): guard against non-string model ids before .split/.startsWith
The /v1/models endpoint can include synthetic entries (combos, locals,
in-progress imports) with a null/undefined id. The playground used to
call m.id.split("/") in the provider-discovery loop, which threw on the
first non-string entry; the surrounding .catch(() => {}) silently
swallowed the error, so the provider/model/account dropdowns ended up
empty even though /v1/models returned thousands of valid entries.
- Skip entries without a string id before split/startsWith.
- Log the rejection in the .catch handler so future regressions are
visible in DevTools instead of silently emptying the UI.
* fix(playground): guard ChatPlayground filteredModels for non-string ids
Same root cause as commit 49fe356b9: ChatPlayground filtered models
with m.id.startsWith(...) which crashed on null/undefined ids returned
by /v1/models (synthetic combo entries). Apply the same defensive guard
and dedupe used in the parent page.
* fix(claude): drop orphan tool_result after fixToolAdjacency strip (discussion #2410)
Discussion #2410 reports Claude returning 400 for sequences like:
assistant: tool_use(id=X)
user: <plain text> ← breaks adjacency
user: tool_result(id=X)
The previous round added `fixToolAdjacency` (commit 44d9abac9) which
correctly strips the orphan tool_use from the assistant message. But
that left the now-unmatched tool_result intact, so the upstream
rejected the request with:
messages.N.content.M: unexpected `tool_use_id` found in `tool_result`
blocks: X. Each tool_result block must have a corresponding tool_use
block in the previous message.
Fix: after running `fixToolAdjacency`, re-run `fixToolPairs` to drop
the orphaned tool_result blocks. All three call sites updated:
- contextManager.purifyHistory (both inside the binary-search loop
and the final pass)
- BaseExecutor message-prep (Claude path)
- claudeCodeCompatible request signer
Also tightens an unrelated dynamic-key access in
readNestedString (claudeCodeCompatible) to satisfy the prototype-
pollution scanner triggered by the post-tool semgrep hook.
* fix(mitm): point runtime manager re-export to js entrypoint
Use the emitted `.js` path for the runtime manager re-export so dynamic
runtime loading resolves correctly outside the Turbopack alias handling.
* docs: add AgentRouter setup guide (#2422)
Integrated into release/v3.8.0 — AgentRouter setup guide docs.
* feat: add new feature on combos - falloverBeforeRetry (#2417)
Integrated into release/v3.8.0 — falloverBeforeRetry for per-model quota skipping in combos.
* feat(batch): implement 10 feature requests harvested (#2414)
Integrated into release/v3.8.0 — batch of 10 feature requests: llama.cpp local provider, upstream error exposure, Termux detection, providers rotate CLI, t3.chat web skeleton, Zed Docker integration, Kiro multi-account OAuth isolation, auto-combo cost blending, auto-combo context filter, combo provider-level exhaustion tracking (#1731). Conflicts with #2417 (falloverBeforeRetry) resolved.
* fix(gamification): resolve SQL bug, auth gap, pagination, and anomaly scoring (#2421)
Integrated into release/v3.8.0 — 6 critical gamification bug fixes: SQL SELECT in checkActionCountBadges, federation auth enforcement, leaderboard pagination offset, real z-score computation, addXp level calculation, and barrel index.ts
* docs(changelog): add post-release entries for #2414#2417#2421#2422
- feat(batch): T3-Chat-Web executor, exhaustedProviders set (#1731), Zed Docker
- feat(combos): falloverBeforeRetry + setTry loop (#2417 — @hartmark)
- fix(gamification): SQL SELECT bug, federation auth, pagination, z-score (#2421 — @oyi77)
- docs: AgentRouter setup guide (#2422 — @leninejunior)
* fix(security): resolve CodeQL random/password-hash alerts and sync docs & tests
---------
Co-authored-by: diegosouzapw <diego.souza.pw@gmail.com>
Co-authored-by: Lenine Júnior <lenine@engrene.com.br>
Co-authored-by: Markus Hartung <mail@hartmark.se>
Co-authored-by: Paijo <14921983+oyi77@users.noreply.github.com>
Remove the unsupported `timelineItems` field from `ghIssueView`, add
`ghPrSearchOpen` wrapper, and synthesize `issue.timelineItems` in the
main loop so `classifyIssue` stays unchanged.
New files added via package.json files[] field in the cli-tools feature:
- src/lib/cli-helper/ (config generators, doctor checks, log-streamer, tool-detector)
- @omniroute/opencode-provider/ (workspace package published alongside)
- scripts/postinstall.mjs and scripts/build/sync-env.mjs (new install scripts)
Resolves conflicts in 9 files to bring 181 commits from release/v3.8.0 into
the dashboard refactor branch ahead of merging back to release.
Layout strategy: our pages overhaul (tabs→pages, restructured sidebar,
removed redundant headers, OpenCode Free no-auth card) is the source of
truth. Release's functional additions are adapted into our layout.
Conflict resolution:
- package.json/package-lock.json: take release's deps (axios bump, CLI v4
deps, tls-client-node/wreq-js move to optionalDependencies); re-add our
@xyflow/react addition; regenerate lockfile.
- src/shared/constants/sidebarVisibility.ts: keep our 9-section restructure
— release's new IDs (limits, media, cli-tools, agents, cloud-agents,
memory, skills, agent-skills, context-*) are all already present in our
groups.
- src/i18n/messages/en.json: auto-merge picked up all release's new keys
(autoCatalog*, quotaCutoffs*, systemTransforms*, schema-coercion, vision);
only naming conflict was OmniSkills/AgentSkills — kept ours (no space).
- src/app/(dashboard)/dashboard/HomePageClient.tsx: kept our Provider
Topology card; ported release's TierCoverageWidget (placed before
topology).
- src/app/(dashboard)/dashboard/settings/page.tsx: kept our redirect to
/settings/general (we moved tabs to separate pages); release's sticky
tab CSS change is moot in our structure.
- src/app/(dashboard)/dashboard/skills/page.tsx: rerere applied — release
hardcoded "OmniSkills" h1 was already removed by our header-cleanup
refactor.
- src/app/(dashboard)/dashboard/agent-skills/page.tsx: both branches
created this file independently with identical data source; kept our
Tailwind-themed 2-column grid (release's version used inline styles).
- src/app/(dashboard)/dashboard/batch/page.tsx: kept our single-tab
structure (FilesListTab moved to /batch/files page); ported release's
onRefresh prop addition.
- src/app/(dashboard)/dashboard/batch/files/page.tsx (not in conflict but
updated): added batches fetch + batches prop to preserve release's
feature of showing related batches in the file detail modal.
Pre-existing typecheck errors in open-sse/services/contextManager.ts
(lines 141, 154, 167) come from release/v3.8.0 and are not introduced by
this merge.
Gera automaticamente 24 grupos de comandos (170+ operações) em bin/cli/api-commands/ a
partir de docs/reference/openapi.yaml via npm run build:cli-api. Integrado em registry.mjs;
prepublishOnly regenera antes de publicar.
- Adiciona health.description e health.noServer em en.json e pt-BR.json
- scripts/check/check-cli-i18n.mjs: valida que todas as 567 chaves t() dos
comandos existem em en.json e que pt-BR.json tem as mesmas seções top-level
- Adiciona check-cli-i18n ao hook pre-commit
- 7 testes unitários: completude do catálogo, detecção de locale (OMNIROUTE_LANG),
fallback en, interpolação {var}, t() pt-BR
- Move wreq-js and tls-client-node to optionalDependencies
- Lazy-load wreq-js WS proxy with graceful 503 when unavailable
- Auto-detect Android platform for headless mode (no browser open)
- Set GYP_DEFINES for better-sqlite3 build on Android/ARM
- Extended build timeout to 600s for ARM compilation
- Skip wreq-js binary fix on Android (unsupported platform)
- Platform warnings for unsupported features (WS proxy, TLS, Electron, MITM)
Co-authored-by: t-way666 <t-way666@users.noreply.github.com>
- 8.2: update-notifier em omniroute.mjs (cache 24h, stderr-only, respeita CI/quiet/json/opt-out)
- 8.12: cliToken.mjs (sha256 de machineId + salt) injetado automaticamente em apiFetch
- 8.12: middleware cliTokenAuth.ts valida token apenas em loopback, timing-safe compare
- 8.12: requireManagementAuth aceita CLI token como bypass local
- env-doc-sync: OMNIROUTE_DISABLE_CLI_TOKEN e OMNIROUTE_NO_UPDATE_NOTIFIER no allowlist
- Add az locale to config/i18n.json (source of truth, 42 locales total)
- Create src/i18n/messages/az.json (UI strings from en.json base)
- Create docs/i18n/az/ directory with full documentation set
- Add 🇦🇿 Azərbaycan dili to README.md language bar
- Add az entry to docs/i18n/README.md index (40 doc languages)
- Add az to generate-multilang.mjs LOCALE_SPECS (Google TL: az)
- Add az to i18n_autotranslate.py lang_map
- Update CHANGELOG.md with feat(i18n) entry
Remove o monolito bin/cli-commands.mjs (2853 linhas) e helpers redundantes
(bin/cli/args.mjs, tests/unit/cli-args.test.ts). Todos os subcomandos já foram
migrados individualmente para bin/cli/commands/ nas Fases 1.1–1.7. Atualiza
pack-artifact-policy para referenciar bin/cli/program.mjs no lugar de
bin/cli-commands.mjs e bin/cli/index.mjs. Atualiza docs e CHANGELOG.
Adds bin/cli/runtime/sqliteRuntime.mjs that resolves better-sqlite3 from:
(1) bundled optionalDependency, (2) ~/.omniroute/runtime/ install,
(3) lazy npm install into runtime dir, (4) node:sqlite stdlib (Node >=22.5),
(5) bundled sql.js WASM. Each native binary is validated against expected
platform magic bytes (ELF/Mach-O/PE) before load.
Adds bin/cli/runtime/magicBytes.mjs with validateBinaryMagic() helper
(9 tests). Adds bin/cli/runtime/index.mjs as warmUpRuntimes() orchestrator.
Adds scripts/postinstall.mjs warm-up hook (non-fatal, skipped in CI).
Integrates it as the last step of scripts/build/postinstall.mjs.
Extends src/lib/db/core.ts with ensureDbInitialized() (async, idempotent)
and getDriverInfo() so the startup orchestrator can await the resolver
before any DB access, enabling graceful degradation without crashing the
process on missing better-sqlite3.
Solves Windows EBUSY error on 'npm install -g omniroute@latest' while the
previous version is still running, and works in environments without C++
build tools or with unreachable npm registry.
Documents OMNIROUTE_SKIP_POSTINSTALL in .env.example and ENVIRONMENT.md.
Ref: 9router/cli/hooks/sqliteRuntime.js (pattern origin).
Cross-platform system tray for `omniroute --tray`: Windows uses a
PowerShell NotifyIcon script (zero native binary, AV-safe); macOS/Linux
use systray2 lazy-installed at runtime into ~/.omniroute/runtime/.
Includes per-platform autostart (LaunchAgent / .desktop / registry) and
`omniroute config tray <enable|disable>` CLI command.
DISPLAY added to env-sync allowlist as an OS/X11 variable, not an
OmniRoute config variable.
Phase 0.1 — single source of truth for CLI Tools documentation.
`docs/CLI-TOOLS.md` was a 492-line copy frozen at v3.0.0-rc.16 (13 tools,
outdated provider tables). The current source of truth is
`docs/reference/CLI-TOOLS.md` (v3.8.0, 17 tools, referenced by CLAUDE.md
and every cross-doc link in docs/).
Changes:
- delete docs/CLI-TOOLS.md (no remaining references; all docs already
pointed at docs/reference/CLI-TOOLS.md)
- scripts/check/check-docs-sync.mjs: add anti-regression check that
fails if a legacy superseded doc reappears
Verified: \`npm run check:docs-sync\` passes; rg shows zero remaining
references to the legacy path outside _references/ and _tasks/.
Refs: _tasks/features-v3.8.0/cli/fase-0-preparacao/0.1-limpar-docs-duplicada.md
Prevent raw exception messages from leaking stack frames or absolute
paths in the console logs and token health endpoints.
Also harden the i18n mirror move script by replacing shell-based git
commands with execFileSync and a safer fallback for untracked files.
Fixes the 4 fixable alerts opened in the recent scan and adds enforceable
guardrails so future development follows the same pattern.
Code fixes:
- src/mitm/cert/install.ts: pass certPath/certName/action via exec()'s env
option instead of string-interpolating them into the bash script
(CodeQL js/shell-command-injection-from-environment #225)
- scripts/docs/{gen-provider-reference,add-frontmatter,fix-internal-links}:
escape backslash before other regex/markdown metacharacters
(CodeQL js/incomplete-sanitization #227, #228, #229)
Documentation (mandatory patterns):
- docs/security/PUBLIC_CREDS.md — embedding public upstream OAuth/Firebase
identifiers via resolvePublicCred(); never as string literals
- docs/security/ERROR_SANITIZATION.md — routing every error response through
sanitizeErrorMessage()/buildErrorBody(); never raw err.stack/err.message
- CLAUDE.md: 4 new Hard Rules (#11-#14) + Security section + scenario notes
- AGENTS.md, CONTRIBUTING.md: cross-reference the two new docs
- SECURITY.md: extended Hard Security Rules with the new mandatory patterns
- docs/README.md: index entries pointing to the two new docs
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Fixes the 4 fixable alerts opened in the recent scan and adds enforceable
guardrails so future development follows the same pattern.
Code fixes:
- src/mitm/cert/install.ts: pass certPath/certName/action via exec()'s env
option instead of string-interpolating them into the bash script
(CodeQL js/shell-command-injection-from-environment #225)
- scripts/docs/{gen-provider-reference,add-frontmatter,fix-internal-links}:
escape backslash before other regex/markdown metacharacters
(CodeQL js/incomplete-sanitization #227, #228, #229)
Documentation (mandatory patterns):
- docs/security/PUBLIC_CREDS.md — embedding public upstream OAuth/Firebase
identifiers via resolvePublicCred(); never as string literals
- docs/security/ERROR_SANITIZATION.md — routing every error response through
sanitizeErrorMessage()/buildErrorBody(); never raw err.stack/err.message
- CLAUDE.md: 4 new Hard Rules (#11-#14) + Security section + scenario notes
- AGENTS.md, CONTRIBUTING.md: cross-reference the two new docs
- SECURITY.md: extended Hard Security Rules with the new mandatory patterns
- docs/README.md: index entries pointing to the two new docs
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds scripts/check/check-doc-links.mjs that scans every docs/**/*.md
(excluding i18n mirrors, screenshots, exported diagrams, and superpowers
plans) and verifies that every internal markdown/HTML link resolves to a
file on disk. External URLs (http/https/mailto/tel), anchor-only links,
and fenced code blocks are ignored.
Supports --report (informational, exit 0), --json (machine-readable),
and --help. Default mode exits 1 when any broken link is found, so this
can be wired as a CI gate. Initial baseline reveals ~270 pre-existing
broken links carried over from prior reorgs (i18n relative paths,
removed RFC drafts, stale screenshot refs) that FASE 9 will clean up.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- scripts/docs/gen-openapi-module.mjs (new): build helper that loads
docs/reference/openapi.yaml via js-yaml, flattens paths × methods, and
emits src/app/docs/lib/openapi.generated.ts with strongly-typed
OPENAPI_ENDPOINTS, OPENAPI_TAGS, OPENAPI_VERSION, OPENAPI_TITLE plus
the OpenApiEndpoint interface (no `any`, deterministic ordering).
By default it skips internal management paths (anything under /api/
that isn't /api/v1/*) so the Api Explorer focuses on the OpenAI-
compatible public surface — 19 endpoints for v3.8.0 (Chat, Messages,
Responses, Embeddings, Images, Audio, Moderations, Rerank, Models,
System). Add --include-management to emit all 121 paths if needed.
- src/app/docs/components/ApiExplorerClient.tsx: drop the 13-entry
hardcoded API_ENDPOINTS array; the component now imports from
@/app/docs/lib/openapi.generated. Tags come from the spec; the
"Try It" form picks an example body keyed by full path (8 well-known
bodies pre-seeded, everything else starts empty). The header pill
now shows endpoint count + OpenAPI version, and an "auth" pill is
rendered next to operations whose spec declares non-empty security.
- package.json: prebuild:docs now chains gen-openapi-module after the
docs index generator so `next build` always sees a fresh module.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Every .md under docs/{architecture,guides,reference,frameworks,routing,
security,compression,ops,diagrams} plus docs/README.md now opens with:
---
title: "<inferred from first H1>"
version: 3.8.0
lastUpdated: 2026-05-13
---
46 files updated (no docs were skipped — none had pre-existing
frontmatter). [slug]/page.tsx already reads frontmatter.version and
frontmatter.lastUpdated via gray-matter and renders a "v3.8.0" pill
plus a "Last updated" caption, so the UI picks these up automatically.
Helper: scripts/docs/add-frontmatter.mjs — idempotent (skips files that
already start with `---`), falls back to a humanized basename when no
leading H1 exists. Excludes docs/i18n/, docs/screenshots/,
docs/superpowers/, docs/diagrams/exported/. Re-runnable safely.
Also regenerated src/app/docs/lib/docs-auto-generated.ts: 44 docs across
8 sections (Architecture / Guides / Reference / Frameworks / Routing /
Security / Compression / Ops), which now includes the 14 docs that were
missing from the v3.7 sidebar (Cloud Agents, Guardrails, Memory, Skills,
Webhooks, Evals, Authz, Agent Protocols, Repository Map, Provider
Reference, Reasoning Replay, Stealth Guide, Tunnels Guide, Electron
Guide).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- ARCHITECTURE.md and CODEBASE_DOCUMENTATION.md: 179 → 177 registered
providers (canonical from src/shared/constants/providers.ts).
- FEATURES.md and en.json wizard step: 13 → 14 routing strategies; lists
all 14 explicitly including reset-aware (the missing one).
- llm.txt root: combo strategy count corrected in 3 places (UI tree,
dashboard summary, fallback semantics).
- MCP-SERVER.md: 37 tool count was already correct; added a "Related
Frameworks (v3.8.0)" section pointing to Cloud Agents
(docs/frameworks/CLOUD_AGENT.md) and Guardrails
(docs/security/GUARDRAILS.md), both sibling frameworks intentionally
outside the MCP tool catalog.
- scripts/i18n/sync-llm-mirrors.mjs (new): idempotent helper to push
root llm.txt body into the 40 docs/i18n/<locale>/llm.txt mirrors
while preserving each locale's heading + language bar prefix; ran
it to refresh all 40 mirrors so `check:docs-sync` is green.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
New script `scripts/i18n/check-ui-keys-coverage.mjs` compares every
`src/i18n/messages/<locale>.json` against `en.json` and reports
per-locale coverage: missing keys, __MISSING__ placeholder counts,
and real translated coverage percentage.
Modes:
- default: fail with exit 1 if any locale falls below `--threshold`
(default 80%)
- `--report`: print the same table but always exit 0 (informational)
- `--json`: machine-readable output for CI dashboards
Wired into `i18n:check-ui-coverage` npm script (added in the previous
commit). FASE 8 will decide whether to make this a pre-push gate.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
New script `scripts/i18n/sync-ui-keys.mjs` replicates keys present in
`src/i18n/messages/en.json` into every other locale catalog, marking
missing strings with a `__MISSING__:<english_value>` sentinel so the
drift is auditable and recoverable.
The script also accepts `--translate-markers` to call the OmniRoute
translation backend (same env vars as run-translation.mjs) and replace
those placeholders with real translations. Bounded concurrency, fail-
fast on missing env vars, and a `--dry-run` mode mirror the existing
docs translation pipeline.
Adds the matching `i18n:sync-ui` / `i18n:sync-ui:dry` npm scripts and
`i18n:check-ui-coverage` (next commit) wiring placeholder so the JSON
files can be backfilled with `npm run i18n:sync-ui`.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a tiny built-in dotenv loader at the top of run-translation.mjs that
parses the repo-root .env file into process.env (without pulling dotenv
as a dependency). Existing process.env values still take precedence, so
shell/CI overrides keep working.
Before: `npm run i18n:run` failed with "Missing required env var:
OMNIROUTE_TRANSLATION_API_URL" unless the operator exported the vars in
the current shell.
After: the npm scripts (i18n:run, i18n:run:dry) pick up .env automatically.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
src/i18n/config.ts is now a thin adapter that reads config/i18n.json
(canonical locale list) and exports the same shape — LOCALES, LANGUAGES,
RTL_LOCALES, DEFAULT_LOCALE, Locale type, LOCALE_COOKIE — that
LanguageSelector, layout.tsx, request.ts, and the rest of the codebase
already consume. No call-site changes were required. Adds
DOCS_TARGET_LOCALES and getLanguage() helpers for new code.
The legacy scripts now print a deprecation warning on stderr at startup:
- scripts/i18n/i18n_autotranslate.py (banner + module-level warn)
- scripts/i18n/generate-multilang.mjs (banner + console.warn)
They keep working for messages and readme modes (UI strings / root README
variants), which are still outside the new pipeline's scope. Both will be
removed in v3.10.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds scripts/i18n/check-translation-drift.mjs — a deterministic CI gate that
verifies every source recorded in .i18n-state.json still hashes to the same
SHA-256 on disk and every produced translation target exists with its
recorded hash. No API calls.
Modes: --strict (default, exit 1 on any drift), --warn (exit 0 with report),
--json (machine-readable report).
Also adds three npm scripts:
- i18n:run run the translator (incremental, hash-based)
- i18n:run:dry preview what would happen (no API calls, no writes)
- i18n:check drift checker (used in CI / pre-merge)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
