* fix(minimax): switch auth from x-api-key to Authorization Bearer (#1076)
Integrated into release/v3.5.6 — MiniMax auth fix with authHeader consistency normalization
* feat(CI,i18n): autogenerate language files + Add missing strings (#1071)
Integrated into release/v3.5.6 — i18n translations for memory, skills, and missing keys across 31 languages
* fix(ci): restore i18n continue-on-error, remove auto-commit race condition
* fix(husky): load nvm in hooks for VS Code compatibility
* fix(husky): gracefully skip hooks when npm is not in PATH
* fix: convert OpenAI function tool_choice to Claude tool format (#1072)
* fix: prevent EPIPE feedback loop filling logs at GB/s (#1006)
* fix: fallback to native fetch when undici dispatcher fails (#1054)
* fix: improve Qoder PAT validation with actionable error messages (#966)
- Add QODER_PERSONAL_ACCESS_TOKEN env var fallback for both validation and execution
- Pre-flight ping check to diagnose connectivity issues (Docker/proxy)
- Detect encrypted auth blobs from ~/.qoder/.auth/user and guide to website PAT
- Clear error messages for auth failures with link to integrations page
- Treat non-auth 4xx as auth-pass (request format issue, not token issue)
- Update tests to cover new validation paths (23 tests, all passing)
* feat: Improve the Chinese translation (#1079)
Integrated into release/v3.5.6
* chore(release): v3.5.6 — i18n updates and credential security fixes
* fix(ci): resolve e2e and docs-sync pipeline failures
* fix(security): bump next to 16.2.3 to resolve SNYK-JS-NEXT-15954202
* fix: guard Memory/Cache UI against null toLocaleString crash (#1083)
* fix: translate OpenAI tool_choice type 'function' to Claude 'tool' format (#1072)
* fix: pass custom baseUrl in provider API key validation (#1078)
* docs: update CHANGELOG with v3.5.6 bug fixes and security patches
* docs: rewrite implement-features workflow with 5-phase harvest-research-report-plan-execute pipeline
* docs: organize _ideia/ into viable/defer/notfit + add Phase 2.5 auto-response workflow
* docs: implementation plans for #1025, #750, #960, #1046 + close already-implemented #833, #973, #982
* feat: mask email addresses in dashboard for privacy (#1025)
* feat: add OpenRouter and GitHub to embedding/image provider registries (#960)
* feat: add model visibility toggle and search filter to provider page (#750)
* docs: move implemented features to notfit, update task plans status
* chore: untrack _ideia/ and _tasks/ from git — private/internal only
* chore(release): bump to v3.5.6 — changelog, docs, version sync & any-budget fix
* fix: remove explicit .ts extension in qoderCli import that caused 500 error in production build
---------
Co-authored-by: Jean Brito <jeanfbrito@gmail.com>
Co-authored-by: zenobit <zenobit@disroot.org>
Co-authored-by: diegosouzapw <diegosouzapw@users.noreply.github.com>
Co-authored-by: Ethan Hunt <136065060+only4copilot@users.noreply.github.com>
Keep getPreferredEnvFilePath consistent with its env parameter by
passing that env through resolveDataDir in both bootstrap and Electron.
This avoids silently falling back to process.env when a custom env map
is supplied.
Treat empty or whitespace-only dataDirOverride values as unset so
bootstrapEnv keeps using the normal DATA_DIR and .env lookup path.
Adds a focused regression test for the whitespace override case.
Propagate database inspection failures instead of treating them as
missing encrypted credentials.
This keeps startup from generating a fresh encryption key when an
existing database cannot be inspected and adds a regression test for
that path.
Align the app bootstrap paths with the documented CLI env lookup.
The CLI wrapper already loads DATA_DIR/.env, ~/.omniroute/.env, or ./.env,
but run-next, run-standalone, and Electron were bypassing that behavior.
On machines with encrypted credentials, that could generate a fresh
STORAGE_ENCRYPTION_KEY in server.env and make existing tokens unreadable.
This change:
- uses the same preferred .env lookup in bootstrapEnv and Electron
- keeps Electron secrets rooted in DATA_DIR and passes DATA_DIR to the child
- refuses to mint a new encryption key over an existing encrypted database
- adds a focused regression test for env precedence and key safety
Resolves root cause of #252 (Electron black screen) and #249 (OAuth fail)
for users running with zero configuration (no .env needed).
New: scripts/bootstrap-env.mjs
- Auto-generates JWT_SECRET (64 bytes), STORAGE_ENCRYPTION_KEY (32 bytes),
API_KEY_SECRET (32 bytes) if missing or empty
- Persists to {DATA_DIR}/server.env — survives restarts, Docker volume
remounts, and upgrades without changing secrets
- Reads .env from CWD (user overrides), then merges process.env (highest prio)
- Logs friendly warnings for missing optional OAuth secrets
Updated: run-standalone.mjs + run-next.mjs
- Call bootstrapEnv() before spawning server — covers npm + Docker paths
Updated: electron/main.js (synchronous inline — CJS cannot await import ESM)
- Reads userData/server.env, generates missing secrets with crypto.randomBytes()
- Persists back to server.env, sets OMNIROUTE_BOOTSTRAPPED=true
New: BootstrapBanner.tsx + page.tsx update
- Dismissable amber banner on dashboard home when running in zero-config mode
- Shows where server.env is located and how to customize secrets
