* chore(config): ignore additional agent workflow command files
Add newly introduced agent workflow and Claude command files to
.gitignore so proprietary automation assets are not committed.
* feat(deepseek-web): fix auth to use userToken + WASM PoW solver
Rewrite deepseek-web executor from broken cookie auth to userToken
Bearer flow (like Chat2API). Replace pure JS Keccak PoW with WASM
solver (5.8s → 86ms). Add 14 models, validation, and dashboard UX.
* fix(deepseek-web): update target_path to use challenge property
* refactor(deepseek-web): streamline token handling and implement cache eviction
* fix(deepseek-web): fix SSE parser, prompt format, and error handling
- Handle all 3 DeepSeek SSE stream formats: initial fragments,
APPEND operations, and bare string tokens (fixes truncated responses)
- Simplify prompt builder to send system + last user message only
(DeepSeek web API is single-turn, full history caused marker leakage)
- Check json.code before token extraction (fixes "did not return
access token: Authorization" on code 40003 with HTTP 200)
- Clear session cache alongside token cache on auth errors
- Add dev origin for remote testing
Co-authored-by: Cursor <cursoragent@cursor.com>
* chore: ignore memory-bank and cursor agent rules from tracking
Co-authored-by: Cursor <cursoragent@cursor.com>
* feat: enhance documentation and configuration for Fumadocs integration
- Added Fumadocs MDX support in the Next.js configuration.
- Updated transpile packages to include fumadocs-ui and fumadocs-core.
- Implemented a comprehensive set of redirects for documentation paths to improve navigation.
- Removed the generate-docs-index script as it is no longer needed.
- Updated various documentation titles for consistency and clarity.
- Enhanced global styles to incorporate Fumadocs UI themes and styles.
* refactor(docs): cleanup fumadocs PR — revert deepseek, add i18n fallback, restore LanguageSelector
- Revert unrelated deepseek-web.ts changes (should be separate PR)
- Add .source/ to .gitignore (Fumadocs generated files)
- Remove contributor IP from allowedDevOrigins
- Add i18n runtime fallback: reads NEXT_LOCALE cookie, loads translated
.md from docs/i18n/<locale>/docs/ (preserves existing translation pipeline)
- Restore LanguageSelector in Fumadocs layout nav
- Restore SEO metadata (title template, description, robots)
* fix(codex): use allowlist to strip non-Responses-API fields in non-passthrough path (#2608) (#2615)
Integrated into release/v3.8.3 — fix(codex): allowlist-based sanitization for gpt-5.5 Responses API
* fix(deepseek-web): fix SSE parser, prompt format, error handling, and cache keys (#2616)
Integrated into release/v3.8.3 — fix(deepseek-web): SSE parser (APPEND + bare tokens), prompt builder, error handling, session cache cleanup
* chore(config): ignore additional agent workflow command files
Add newly introduced agent workflow and Claude command files to
.gitignore so proprietary automation assets are not committed.
* feat(docs): migrate /docs to Fumadocs MDX with nested routes (#2614)
Integrated into release/v3.8.3 — Fumadocs MDX migration with nested routes, search API, and 50+ URL redirects
* fix(catalog): skip static PROVIDER_MODELS when synced models exist (#2625)
Integrated into release/v3.8.3
* fix(qoder): Cosy auth fallback for PAT tokens + vision support for qwen3-vl-plus (#2629)
Integrated into release/v3.8.3
* fix(cli): register tsx loader and add opencode config subcommand (#2631)
Integrated into release/v3.8.3
* feat(dashboard): add search and filters to /dashboard/api-manager (#2628)
Integrated into release/v3.8.3
* fix(claude): improve Pi and OpenCode compatibility (#2621)
Integrated into release/v3.8.3
* fix: restore semantic passthrough system-role-only extraction instead of full normalization (#2620)
Integrated into release/v3.8.3
* fix(kiro): stabilize conversationId across prompt compression (#2630)
Integrated into release/v3.8.3
* fix(deepseek-web): SSE thinking/search routing and session lifecycle (#2624)
Integrated into release/v3.8.3 — DeepSeek Web SSE thinking/search routing overhaul
* feat(dashboard): free-tier grouping with symbolic link in /providers (#2632)
Integrated into release/v3.8.3
* fix: close implementation gaps — t3-chat-web, stream_options, combo_strategy, batch config (#2634)
Integrated into release/v3.8.3
* feat(dashboard): risk notice modal for sensitive providers (#2633)
Integrated into release/v3.8.3
* fix(reasoning): extend reasoning_content injection to Kimi K2 and other replay models (#2639)
Integrated into release/v3.8.3
* fix(cli): Linux autostart via systemd user service (fixes#2627) (#2635)
Integrated into release/v3.8.3
* Refactor/providers free tier (#2640)
Integrated into release/v3.8.3
* fix(tests): remove duplicate assertion in schema coercion & fix(cli): ignore system vars in env check
* fix(combo): preserve omniModel tag in streaming output for round-trip context pinning (#2646)
Integrated into release/v3.8.3
* feat(dashboard): media providers pages + Web Fetch category (#2645)
Integrated into release/v3.8.3
* Feature provider adapta org com tutorial de conexão em modal (#2643)
Integrated into release/v3.8.3
* fix(rtk): skip content-based filter matching for non-shell tool results (#2642)
Integrated into release/v3.8.3
* fix(translator): enable Claude extended thinking for Copilot Responses-API requests (#2647)
Integrated into release/v3.8.3
* feat(dashboard): add search and filters to /dashboard/api-manager (#2641)
Integrated into release/v3.8.3
* feat(dashboard): risk notice modal for sensitive providers (#2638)
Integrated into release/v3.8.3
* feat(dashboard): mini-playground inline (Phase 4) (#2648)
Integrated into release/v3.8.3
* fix(settings): fix Require Login modal Cancel button text and dismissal (#2649)
Integrated into release/v3.8.3
* feat(combos): universal context handoff for cross-model conversation continuity (#2653)
Integrated into release/v3.8.3
* chore(release): bump to v3.8.3 — changelog, docs, version sync
* feat(i18n): complete zh-CN translations for 1220 missing keys (#2655)
Integrated into release/v3.8.3
* chore(release): include electron package changes in v3.8.3
* docs(changelog): integrate PR #2655 into v3.8.3
* feat(i18n): translate 377 additional zh-CN entries (81 new keys + 296 same-as-en) (#2659)
Integrated into release/v3.8.3
* feat(dashboard): add Cmd+K / Ctrl+K command palette for sidebar navigation (#2656)
Integrated into release/v3.8.3
* docs: update changelog for PR integrations under v3.8.3
* feat(cli): integrate native updates, autostart and headless CLI mode (#2662)
Integrated into release/v3.8.3
* fix(proxy): save dashboard custom proxies in registry (#2661)
Integrated into release/v3.8.3
* feat(dashboard): chat-first test slide-over (Option A) (#2660)
Integrated into release/v3.8.3
* docs: update changelog with Batch 2 PR merges for v3.8.3
* fix: add xhigh+max to effortLevel schema; add opencode-plugin publish job (#2666)
Integrated into release/v3.8.3
* docs: update changelog with Batch 3 PR #2666 merge for v3.8.3
* feat(quota+providers): card-grid layout, provider group headers, Codex race fix (#2667)
Integrated into release/v3.8.3
* feat(dashboard): real-time live WebSocket monitoring (#2668)
Integrated into release/v3.8.3
* feat(copilot): AI assistant with CodeGraph + CLI + knowledge base (#2669)
Integrated into release/v3.8.3
* feat(pipeline): pre-request middleware hooks (#2670)
Integrated into release/v3.8.3
* feat(resilience): credential health check + adaptive circuit breaker (#2671)
Integrated into release/v3.8.3
* feat(playground): combo routing visual simulator (#2672)
Integrated into release/v3.8.3
* feat(auth): API key groups with model-level permissions (#2673)
Integrated into release/v3.8.3
* feat(pwa): enhanced manifest + push notification support (#2674)
Integrated into release/v3.8.3
* feat(proxy): serverless relay endpoints with rate limiting (#2675)
Integrated into release/v3.8.3
* docs(changelog): update changelog for PRs 2667-2675 & fix: resolve typescript compile-time errors
* fix(db): remove transactions from migrations
Remove explicit transaction wrappers from recent migrations and correct
the API key groups migration metadata. Also fix codegraph path resolution
for ESM environments and refresh generated fumadocs source output.
---------
Co-authored-by: Ömer Vehbe <ovehbe@gmail.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Mr. Meowgi <mr@meowgi.dev>
Co-authored-by: Hernan Javier Ardila Sanchez <hjasgr@gmail.com>
Co-authored-by: amogus22877769 <y.lev357@gmail.com>
Co-authored-by: Halil Tezcan KARABULUT <info@hlltzcnkb.com>
Co-authored-by: Tentoxa <53821604+Tentoxa@users.noreply.github.com>
Co-authored-by: HALDRO <121296348+HALDRO@users.noreply.github.com>
Co-authored-by: Paijo <14921983+oyi77@users.noreply.github.com>
Co-authored-by: janeza2 <49841619+janeza2@users.noreply.github.com>
Co-authored-by: df4p <38404+df4p@users.noreply.github.com>
Co-authored-by: ivan-mezentsev <ivan@mezentsev.me>
Co-authored-by: Chewji <126886556+Chewji9875@users.noreply.github.com>
Co-authored-by: L-aros <107354918+L-aros@users.noreply.github.com>
Co-authored-by: M.M <mr.maatoug@gmail.com>
Co-authored-by: Benson K B <bensonkbmca@gmail.com>
Co-authored-by: terence71-glitch <mcdowellterence71@gmail.com>
Prevent raw exception messages from leaking stack frames or absolute
paths in the console logs and token health endpoints.
Also harden the i18n mirror move script by replacing shell-based git
commands with execFileSync and a safer fallback for untracked files.
Fixes the 4 fixable alerts opened in the recent scan and adds enforceable
guardrails so future development follows the same pattern.
Code fixes:
- src/mitm/cert/install.ts: pass certPath/certName/action via exec()'s env
option instead of string-interpolating them into the bash script
(CodeQL js/shell-command-injection-from-environment #225)
- scripts/docs/{gen-provider-reference,add-frontmatter,fix-internal-links}:
escape backslash before other regex/markdown metacharacters
(CodeQL js/incomplete-sanitization #227, #228, #229)
Documentation (mandatory patterns):
- docs/security/PUBLIC_CREDS.md — embedding public upstream OAuth/Firebase
identifiers via resolvePublicCred(); never as string literals
- docs/security/ERROR_SANITIZATION.md — routing every error response through
sanitizeErrorMessage()/buildErrorBody(); never raw err.stack/err.message
- CLAUDE.md: 4 new Hard Rules (#11-#14) + Security section + scenario notes
- AGENTS.md, CONTRIBUTING.md: cross-reference the two new docs
- SECURITY.md: extended Hard Security Rules with the new mandatory patterns
- docs/README.md: index entries pointing to the two new docs
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- scripts/docs/gen-openapi-module.mjs (new): build helper that loads
docs/reference/openapi.yaml via js-yaml, flattens paths × methods, and
emits src/app/docs/lib/openapi.generated.ts with strongly-typed
OPENAPI_ENDPOINTS, OPENAPI_TAGS, OPENAPI_VERSION, OPENAPI_TITLE plus
the OpenApiEndpoint interface (no `any`, deterministic ordering).
By default it skips internal management paths (anything under /api/
that isn't /api/v1/*) so the Api Explorer focuses on the OpenAI-
compatible public surface — 19 endpoints for v3.8.0 (Chat, Messages,
Responses, Embeddings, Images, Audio, Moderations, Rerank, Models,
System). Add --include-management to emit all 121 paths if needed.
- src/app/docs/components/ApiExplorerClient.tsx: drop the 13-entry
hardcoded API_ENDPOINTS array; the component now imports from
@/app/docs/lib/openapi.generated. Tags come from the spec; the
"Try It" form picks an example body keyed by full path (8 well-known
bodies pre-seeded, everything else starts empty). The header pill
now shows endpoint count + OpenAPI version, and an "auth" pill is
rendered next to operations whose spec declares non-empty security.
- package.json: prebuild:docs now chains gen-openapi-module after the
docs index generator so `next build` always sees a fresh module.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Every .md under docs/{architecture,guides,reference,frameworks,routing,
security,compression,ops,diagrams} plus docs/README.md now opens with:
---
title: "<inferred from first H1>"
version: 3.8.0
lastUpdated: 2026-05-13
---
46 files updated (no docs were skipped — none had pre-existing
frontmatter). [slug]/page.tsx already reads frontmatter.version and
frontmatter.lastUpdated via gray-matter and renders a "v3.8.0" pill
plus a "Last updated" caption, so the UI picks these up automatically.
Helper: scripts/docs/add-frontmatter.mjs — idempotent (skips files that
already start with `---`), falls back to a humanized basename when no
leading H1 exists. Excludes docs/i18n/, docs/screenshots/,
docs/superpowers/, docs/diagrams/exported/. Re-runnable safely.
Also regenerated src/app/docs/lib/docs-auto-generated.ts: 44 docs across
8 sections (Architecture / Guides / Reference / Frameworks / Routing /
Security / Compression / Ops), which now includes the 14 docs that were
missing from the v3.7 sidebar (Cloud Agents, Guardrails, Memory, Skills,
Webhooks, Evals, Authz, Agent Protocols, Repository Map, Provider
Reference, Reasoning Replay, Stealth Guide, Tunnels Guide, Electron
Guide).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Resolves two conflicts:
- docs/diagrams/README.md: FASE 3 created a placeholder, FASE 4 created the
canonical content. Adopts FASE 4 content and updates the doc paths to the
FASE 3 subfolder layout (architecture/, frameworks/, routing/, guides/).
- package.json: combined FASE 1's new scripts/build/ and scripts/check/ paths
with FASE 4's new docs:render-diagrams script.
Post-merge fixes:
- Rewrites diagram link paths in the 7 subfolder docs from ./diagrams/X to
../diagrams/X (FASE 4 added flat-layout links before FASE 3's subfolder move).
- Adds the i18n-flow diagram link to docs/guides/I18N.md (auto-merge missed it).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Reorganizes /docs into 8 subfolders (architecture, guides, reference, frameworks,
routing, security, compression, ops). Resolves two conflicts:
- scripts/docs/gen-provider-reference.ts: combined FASE 1's new __dirname-based
ROOT (two levels up from scripts/docs/) with FASE 3's new output path
(docs/reference/PROVIDER_REFERENCE.md).
- scripts/check-env-doc-sync.mjs: deleted by FASE 1, modified by FASE 3; FASE 1's
delete wins (file is at scripts/check/ now). The FASE 3 intent (point to
docs/reference/ENVIRONMENT.md) was applied to the strict checker at the new path.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add scripts/docs/render-diagrams.mjs as a thin wrapper around
@mermaid-js/mermaid-cli (mmdc):
- Renders every docs/diagrams/*.mmd into docs/diagrams/exported/*.svg
- Writes a Puppeteer config with --no-sandbox for Ubuntu 23.10+/WSL
- Exits non-zero on first failure so CI can gate on rendering
Expose it as `npm run docs:render-diagrams` and commit the initial
8 rendered SVGs so reviewers see the diagrams without having to install
the renderer locally.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Update tooling for the new docs/<subfolder>/ layout:
- scripts/generate-docs-index.mjs walks the 8 subfolders in defined order and
emits fileName values relative to docs/ (e.g. "architecture/ARCHITECTURE.md").
- scripts/check-docs-sync.mjs reads docs/reference/openapi.yaml.
- scripts/check-docs-counts-sync.mjs targets new doc paths.
- scripts/check-env-doc-sync.mjs reads docs/reference/ENVIRONMENT.md.
- scripts/gen-provider-reference.ts writes to docs/reference/PROVIDER_REFERENCE.md.
- scripts/pack-artifact-policy.ts allowlists docs/reference/openapi.yaml.
- New scripts/docs/{fix-internal-links,move-i18n-mirrors}.mjs are one-shot
FASE 3 helpers, safe to delete after merge.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
