* fix(minimax): switch auth from x-api-key to Authorization Bearer (#1076)
Integrated into release/v3.5.6 — MiniMax auth fix with authHeader consistency normalization
* feat(CI,i18n): autogenerate language files + Add missing strings (#1071)
Integrated into release/v3.5.6 — i18n translations for memory, skills, and missing keys across 31 languages
* fix(ci): restore i18n continue-on-error, remove auto-commit race condition
* fix(husky): load nvm in hooks for VS Code compatibility
* fix(husky): gracefully skip hooks when npm is not in PATH
* fix: convert OpenAI function tool_choice to Claude tool format (#1072)
* fix: prevent EPIPE feedback loop filling logs at GB/s (#1006)
* fix: fallback to native fetch when undici dispatcher fails (#1054)
* fix: improve Qoder PAT validation with actionable error messages (#966)
- Add QODER_PERSONAL_ACCESS_TOKEN env var fallback for both validation and execution
- Pre-flight ping check to diagnose connectivity issues (Docker/proxy)
- Detect encrypted auth blobs from ~/.qoder/.auth/user and guide to website PAT
- Clear error messages for auth failures with link to integrations page
- Treat non-auth 4xx as auth-pass (request format issue, not token issue)
- Update tests to cover new validation paths (23 tests, all passing)
* feat: Improve the Chinese translation (#1079)
Integrated into release/v3.5.6
* chore(release): v3.5.6 — i18n updates and credential security fixes
* fix(ci): resolve e2e and docs-sync pipeline failures
* fix(security): bump next to 16.2.3 to resolve SNYK-JS-NEXT-15954202
* fix: guard Memory/Cache UI against null toLocaleString crash (#1083)
* fix: translate OpenAI tool_choice type 'function' to Claude 'tool' format (#1072)
* fix: pass custom baseUrl in provider API key validation (#1078)
* docs: update CHANGELOG with v3.5.6 bug fixes and security patches
* docs: rewrite implement-features workflow with 5-phase harvest-research-report-plan-execute pipeline
* docs: organize _ideia/ into viable/defer/notfit + add Phase 2.5 auto-response workflow
* docs: implementation plans for #1025, #750, #960, #1046 + close already-implemented #833, #973, #982
* feat: mask email addresses in dashboard for privacy (#1025)
* feat: add OpenRouter and GitHub to embedding/image provider registries (#960)
* feat: add model visibility toggle and search filter to provider page (#750)
* docs: move implemented features to notfit, update task plans status
* chore: untrack _ideia/ and _tasks/ from git — private/internal only
* chore(release): bump to v3.5.6 — changelog, docs, version sync & any-budget fix
* fix: remove explicit .ts extension in qoderCli import that caused 500 error in production build
---------
Co-authored-by: Jean Brito <jeanfbrito@gmail.com>
Co-authored-by: zenobit <zenobit@disroot.org>
Co-authored-by: diegosouzapw <diegosouzapw@users.noreply.github.com>
Co-authored-by: Ethan Hunt <136065060+only4copilot@users.noreply.github.com>
Stop shipping a default Gemini OAuth client secret and require it to
come from the environment instead.
Also tighten proxy fetch typing to avoid any-based undici calls and
move db setup utilities under scripts while removing generated debug
and scratch artifacts.
- Fix `handoffProviders` and `nextBody` unknown property TS errors in contextHandoff
- Correct fallback payload parsing from responses `input` array in combo service
When running OmniRoute with Node.js >=24, the better-sqlite3 native module
fails to load, causing a confusing 'not a valid Win32 application' or
'Module did not self-register' error at the login screen.
This change adds proactive Node.js version detection:
- API: /api/settings/require-login now returns nodeVersion and nodeCompatible
fields, computed before any SQLite access so they work even when the DB fails
- UI: A prominent red warning banner appears on the login page when an
incompatible Node.js version is detected, showing the current version and
instructions to install Node 22 LTS via nvm
- i18n: Added 4 new translation keys for the warning banner
Closes#1060, Closes#1040
- Fix SSRF (CodeQL #73): sync-models route uses localhost allowlist instead of
user-provided request.url to construct internal fetch target
- Fix insecure randomness (CodeQL #33,#34): already fixed in geminiHelper.ts
using crypto.randomBytes, stale alerts will close on rescan
- Fix incomplete URL sanitization (CodeQL #109,#110): already fixed with
startsWith in previous commit, stale alerts will close on rescan
- Fix incomplete hostname regexp (CodeQL #103-108): already fixed with escaped
dots in previous commit, stale alerts will close on rescan
- Fix Dependabot #50-55: override hono@4.12.12 and @hono/node-server@1.19.13
to patch cookie bypass, IP restriction, path traversal, and serveStatic
middleware bypass vulnerabilities
- Fix CI: update context-manager test expectation from 1000000 to 1048576 to
match registry defaultContextLength for gemini
- Fix CI: sync-models route now correctly resolves localhost origin from
incoming request for test compatibility
- Added Step 3.5 to redirect PR base branches from main to release/vX.Y.Z
- Updated merge commands to target release branch
- Replaced close-PR step with sync-local-branch step
- Added test coverage verification in finalization step
- Ensures all changes accumulate in release branch before final merge to main
- Split combined message/input/tools sanitization test into separate tests
to avoid Responses format detection triggered by input field (PR #1002)
- Updated tool assertions to handle both function-wrapped and top-level
name properties (built-in tool type preservation from PR #1014)
- Adapted input name sanitization test for Responses-to-Chat translation
Fixes Cursor/Codex Responses compatibility: hoists system messages to instructions, normalizes tools, and translates responses-style traffic. Integrated into release/v3.5.4.
