Escape backslashes before injecting combo stream tags so tagged SSE
payloads remain valid JSON, and call the provider models handler
directly during sync to avoid internal fetch SSRF warnings.
Also restore crypto UUID generation for Gemini request translation,
tighten dashboard error sanitization, and update tests to use stricter
URL matching and UUID-based fixture keys.
fix(test): security-fase01.test.mjs imports inputSanitizer.js → .ts
- The file is TypeScript-only (no compiled .js). Node was failing with
ERR_MODULE_NOT_FOUND in CI because the import path pointed to a
non-existent .js file.
fix(acp): add validateBody(jsonObjectSchema) to POST /api/acp/agents
- Satisfies check:route-validation:t06 lint rule that requires all
routes using request.json() to go through validateBody().
- Uses jsonObjectSchema (passthrough) since body shape varies between
the 'refresh' action and the custom agent creation payload.
- Manual field validation below remains unchanged.
- All 139 routes now pass the route-validation lint check.
fix(deploy-vps): add continue-on-error on SSH step + command_timeout
- SSH connection failures (host unreachable / secrets not set) no
longer mark the workflow run as failed.
- The DEPLOY_ENABLED guard still prevents the job from running when
the variable is not set to 'true'.
- Add deploy-vps.yml: auto-deploys via SSH after Docker Hub publish
- Remove API key management section from Endpoint page (now in API Manager)
- Remove unused Link import from EndpointPageClient.tsx
