mirror of
https://github.com/diegosouzapw/OmniRoute.git
synced 2026-04-28 06:19:46 +00:00
* fix(minimax): switch auth from x-api-key to Authorization Bearer (#1076) Integrated into release/v3.5.6 — MiniMax auth fix with authHeader consistency normalization * feat(CI,i18n): autogenerate language files + Add missing strings (#1071) Integrated into release/v3.5.6 — i18n translations for memory, skills, and missing keys across 31 languages * fix(ci): restore i18n continue-on-error, remove auto-commit race condition * fix(husky): load nvm in hooks for VS Code compatibility * fix(husky): gracefully skip hooks when npm is not in PATH * fix: convert OpenAI function tool_choice to Claude tool format (#1072) * fix: prevent EPIPE feedback loop filling logs at GB/s (#1006) * fix: fallback to native fetch when undici dispatcher fails (#1054) * fix: improve Qoder PAT validation with actionable error messages (#966) - Add QODER_PERSONAL_ACCESS_TOKEN env var fallback for both validation and execution - Pre-flight ping check to diagnose connectivity issues (Docker/proxy) - Detect encrypted auth blobs from ~/.qoder/.auth/user and guide to website PAT - Clear error messages for auth failures with link to integrations page - Treat non-auth 4xx as auth-pass (request format issue, not token issue) - Update tests to cover new validation paths (23 tests, all passing) * feat: Improve the Chinese translation (#1079) Integrated into release/v3.5.6 * chore(release): v3.5.6 — i18n updates and credential security fixes * fix(ci): resolve e2e and docs-sync pipeline failures * fix(security): bump next to 16.2.3 to resolve SNYK-JS-NEXT-15954202 * fix: guard Memory/Cache UI against null toLocaleString crash (#1083) * fix: translate OpenAI tool_choice type 'function' to Claude 'tool' format (#1072) * fix: pass custom baseUrl in provider API key validation (#1078) * docs: update CHANGELOG with v3.5.6 bug fixes and security patches * docs: rewrite implement-features workflow with 5-phase harvest-research-report-plan-execute pipeline * docs: organize _ideia/ into viable/defer/notfit + add 
Phase 2.5 auto-response workflow * docs: implementation plans for #1025, #750, #960, #1046 + close already-implemented #833, #973, #982 * feat: mask email addresses in dashboard for privacy (#1025) * feat: add OpenRouter and GitHub to embedding/image provider registries (#960) * feat: add model visibility toggle and search filter to provider page (#750) * docs: move implemented features to notfit, update task plans status * chore: untrack _ideia/ and _tasks/ from git — private/internal only * chore(release): bump to v3.5.6 — changelog, docs, version sync & any-budget fix * fix: remove explicit .ts extension in qoderCli import that caused 500 error in production build --------- Co-authored-by: Jean Brito <jeanfbrito@gmail.com> Co-authored-by: zenobit <zenobit@disroot.org> Co-authored-by: diegosouzapw <diegosouzapw@users.noreply.github.com> Co-authored-by: Ethan Hunt <136065060+only4copilot@users.noreply.github.com>
# OmniRoute environment contract
|
|
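# This file reflects actual runtime usage in the current codebase.
# It is a template: copy it to .env, fill in the empty secrets there, and keep real values out of this file.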
|
|
|
|
# ═══════════════════════════════════════════════════
|
|
# REQUIRED SECRETS — Generate strong values!
|
|
# ═══════════════════════════════════════════════════
|
|
# Generate with: openssl rand -base64 48
|
|
JWT_SECRET=
|
|
# Generate with: openssl rand -hex 32
|
|
API_KEY_SECRET=
|
|
|
|
# Initial admin password — CHANGE THIS before first use!
|
|
INITIAL_PASSWORD=CHANGEME
|
|
# DATA_DIR=/var/lib/omniroute
|
|
|
|
# Storage (SQLite)
|
|
STORAGE_DRIVER=sqlite
|
|
# Generate with: openssl rand -hex 32
# NOTE(review): left empty in this template. Presumably this key encrypts stored provider
# credentials at rest; confirm what happens when it is unset, and back the key up separately
# from the database file, since data encrypted under a lost key is likely unrecoverable.
|
|
STORAGE_ENCRYPTION_KEY=
|
|
# NOTE(review): looks like a label for the active key generation (for rotation) — confirm.
STORAGE_ENCRYPTION_KEY_VERSION=v1
|
|
# NOTE(review): both retention settings also appear, commented out with the value 7, in the
# Logging section further down. Keep a single assignment of each so the effective value does
# not depend on how the env loader resolves duplicates.
APP_LOG_RETENTION_DAYS=90
|
|
# NOTE(review): call logs presumably record proxied requests; check what they capture
# (prompts, keys, e-mail addresses) before choosing a retention period.
CALL_LOG_RETENTION_DAYS=90
|
|
SQLITE_MAX_SIZE_MB=2048
|
|
SQLITE_CLEAN_LEGACY_FILES=true
|
|
# NOTE(review): with false, automatic backups stay on; presumably the backup files hold the
# same data as the live database, so give them the same filesystem permissions — confirm location.
DISABLE_SQLITE_AUTO_BACKUP=false
|
|
|
|
# Recommended runtime variables
|
|
# Canonical/base port (keeps backward compatibility)
|
|
PORT=20128
|
|
# Optional split ports:
|
|
# API_PORT=20129
|
|
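# 0.0.0.0 binds the API on every network interface. When using it, also set REQUIRE_API_KEY=true
# and restrict access with a firewall or reverse proxy.
# API_HOST=0.0.0.0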
|
|
# DASHBOARD_PORT=20128
|
|
# Optional Docker production host publish ports:
|
|
# PROD_DASHBOARD_PORT=20130
|
|
# PROD_API_PORT=20131
|
|
NODE_ENV=production
|
|
INSTANCE_NAME=omniroute
|
|
|
|
# Recommended security and ops variables
|
|
# NOTE(review): this default is a fixed, publicly known string. If the salt is meant to make
# derived machine IDs unpredictable, set a unique random value per deployment
# (e.g. openssl rand -hex 32) — confirm how the code uses it.
MACHINE_ID_SALT=endpoint-proxy-salt
|
|
# NOTE(review): presumably controls the Secure attribute on the auth cookie. With false the
# cookie can be sent over plain HTTP; set true whenever the dashboard is served over HTTPS.
AUTH_COOKIE_SECURE=false
|
|
# NOTE(review): false presumably lets API requests through without a key. Set true before
# the API port is reachable from anything other than localhost — confirm the enforcement path.
REQUIRE_API_KEY=false
|
|
# NOTE(review): presumably true lets the dashboard show full stored API key values; keep false
# unless operators need to read keys back — confirm.
ALLOW_API_KEY_REVEAL=false
|
|
PROVIDER_LIMITS_SYNC_INTERVAL_MINUTES=70
|
|
|
|
# Input Sanitizer (FASE-01 — prompt injection & PII protection)
|
|
# INPUT_SANITIZER_ENABLED=true
|
|
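# Allowed values: warn | block | redact. When uncommenting, keep the value alone on the line:
# some env loaders (e.g. docker run --env-file) do not strip a trailing inline comment.
# INPUT_SANITIZER_MODE=warn # warn | block | redact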
|
|
# PII_REDACTION_ENABLED=false
|
|
|
|
# Cloud sync variables
|
|
# Must point to this running instance so internal sync jobs can call /api/sync/cloud.
|
|
# Server-side preferred variables:
|
|
BASE_URL=http://localhost:20128
|
|
CLOUD_URL=
|
|
# Backward-compatible/public variables:
|
|
# NEXT_PUBLIC_BASE_URL is also used as the OAuth redirect_uri origin when running behind a
|
|
# reverse proxy (e.g., nginx). Set this to your public-facing URL so OAuth callbacks work.
|
|
# Example: NEXT_PUBLIC_BASE_URL=https://omniroute.example.com
|
|
NEXT_PUBLIC_BASE_URL=http://localhost:20128
|
|
NEXT_PUBLIC_CLOUD_URL=
|
|
|
|
# Optional outbound proxy variables for upstream provider calls
|
|
# Lowercase variants are also supported: http_proxy, https_proxy, all_proxy, no_proxy
|
|
# SOCKS5 proxy support
|
|
ENABLE_SOCKS5_PROXY=true
|
|
NEXT_PUBLIC_ENABLE_SOCKS5_PROXY=true
|
|
# HTTP_PROXY=http://127.0.0.1:7890
|
|
# HTTPS_PROXY=http://127.0.0.1:7890
|
|
# ALL_PROXY=socks5://127.0.0.1:7890
|
|
# NO_PROXY=localhost,127.0.0.1
|
|
|
|
# TLS fingerprint spoofing (opt-in) — mimics Chrome 124 TLS handshake via wreq-js
|
|
# Reduces risk of JA3/JA4 fingerprint-based blocking by providers (e.g., Google)
|
|
# Requires wreq-js to be installed (included in dependencies)
|
|
# ENABLE_TLS_FINGERPRINT=true
|
|
|
|
# Optional CLI runtime overrides (Docker/host integration)
|
|
# CLI_MODE=auto
|
|
# CLI_EXTRA_PATHS=/host-cli/bin
|
|
# CLI_CONFIG_HOME=/root
|
|
# CLI_ALLOW_CONFIG_WRITES=true
|
|
# CLI_CLAUDE_BIN=claude
|
|
# CLI_CODEX_BIN=codex
|
|
# CLI_DROID_BIN=droid
|
|
# CLI_OPENCLAW_BIN=openclaw
|
|
# CLI_CURSOR_BIN=agent
|
|
# CLI_CLINE_BIN=cline
|
|
# CLI_ROO_BIN=roo
|
|
# CLI_CONTINUE_BIN=cn
|
|
|
|
# Internal agent / tool integrations (optional)
|
|
# Used by the MCP server, A2A skills, and CLI sidecars when they need to call
|
|
# the running OmniRoute instance explicitly instead of relying on localhost.
|
|
# OMNIROUTE_BASE_URL=http://localhost:20128
|
|
# OMNIROUTE_API_KEY=
|
|
# ROUTER_API_KEY=
|
|
# MODEL_SYNC_INTERVAL_HOURS=24
|
|
|
|
# ═══════════════════════════════════════════════════
|
|
# OAUTH PROVIDER CREDENTIALS
|
|
# ═══════════════════════════════════════════════════
|
|
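# These are the built-in default credentials that work for localhost setups.
# They are committed to this file, so they are not confidential: do not rely on the
# *_CLIENT_SECRET values below to protect anything, and never put credentials you registered
# yourself into this template — keep those in your own .env only.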
|
|
# For remote/VPS deployments, register your own credentials at each provider.
|
|
# The sync-env script will auto-populate these in your .env if missing.
|
|
#
|
|
# These can also be overridden via data/provider-credentials.json where supported.
|
|
|
|
# ── Claude Code (Anthropic) ──
|
|
CLAUDE_OAUTH_CLIENT_ID=9d1c250a-e61b-44d9-88ed-5944d1962f5e
|
|
|
|
# ── Codex / OpenAI ──
|
|
CODEX_OAUTH_CLIENT_ID=app_EMoamEEZ73f0CkXaXp7hrann
|
|
|
|
# ── Gemini (Google) ──
|
|
GEMINI_OAUTH_CLIENT_ID=681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com
|
|
GEMINI_OAUTH_CLIENT_SECRET=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
|
|
|
|
# ── Gemini CLI (Google) ──
|
|
GEMINI_CLI_OAUTH_CLIENT_ID=681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com
|
|
GEMINI_CLI_OAUTH_CLIENT_SECRET=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
|
|
|
|
# ── Qwen (Alibaba) ──
|
|
QWEN_OAUTH_CLIENT_ID=f0304373b74a44d2b584a3fb70ca9e56
|
|
|
|
# ── Kimi Coding (Moonshot) ──
|
|
KIMI_CODING_OAUTH_CLIENT_ID=17e5f671-d194-4dfb-9706-5516cb48c098
|
|
|
|
# ── Antigravity (Google Cloud Code) ──
|
|
ANTIGRAVITY_OAUTH_CLIENT_ID=1071006060591-tmhssin2h21lcre235vtolojh4g403ep.apps.googleusercontent.com
|
|
ANTIGRAVITY_OAUTH_CLIENT_SECRET=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
|
|
|
|
# ── GitHub Copilot ──
|
|
GITHUB_OAUTH_CLIENT_ID=Iv1.b507a08c87ecfe98
|
|
|
|
# ── Qoder ──
|
|
QODER_OAUTH_CLIENT_SECRET=4Z3YjXycVsQvyGF1etiNlIBB4RsqSDtW
|
|
|
|
# ── Qoder (URLs — set these to enable Qoder OAuth login) ──
|
|
# QODER_OAUTH_AUTHORIZE_URL=
|
|
# QODER_OAUTH_TOKEN_URL=
|
|
# QODER_OAUTH_USERINFO_URL=
|
|
# QODER_OAUTH_CLIENT_ID=
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# ⚠️ GOOGLE OAUTH (Antigravity, Gemini CLI) — IMPORTANT FOR REMOTE SERVERS
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# The credentials above ONLY work when OmniRoute runs on localhost.
|
|
# If you are hosting OmniRoute on a remote server, register your own:
|
|
# 1. Go to https://console.cloud.google.com/apis/credentials
|
|
# 2. Create an OAuth 2.0 Client ID (type: "Web application")
|
|
# 3. Add your server URL as Authorized redirect URI
|
|
# 4. Replace the values above with your credentials.
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# Provider User-Agent Overrides (optional — customize per-provider UA headers)
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# Format: {PROVIDER_ID}_USER_AGENT=custom-value
|
|
# When set, overrides the default User-Agent header sent to that provider.
|
|
# Useful when providers update versions or block old user-agents.
|
|
CLAUDE_USER_AGENT=claude-cli/1.0.83 (external, cli)
|
|
CODEX_USER_AGENT=codex-cli/0.92.0 (Windows 10.0.26100; x64)
|
|
GITHUB_USER_AGENT=GitHubCopilotChat/0.26.7
|
|
ANTIGRAVITY_USER_AGENT=antigravity/1.104.0 darwin/arm64
|
|
KIRO_USER_AGENT=AWS-SDK-JS/3.0.0 kiro-ide/1.0.0
|
|
QODER_USER_AGENT=Qoder-Cli
|
|
QWEN_USER_AGENT=QwenCode/0.12.3 (linux; x64)
|
|
CURSOR_USER_AGENT=connect-es/1.6.1
|
|
GEMINI_CLI_USER_AGENT=google-api-nodejs-client/9.15.1
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# CLI Fingerprint Compatibility (optional — match native CLI binary signatures)
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# When enabled, OmniRoute reorders HTTP headers and JSON body fields to match
|
|
# the exact signature of official CLI tools, reducing account flagging risk.
|
|
# Your proxy IP is preserved — you get both stealth AND IP masking.
|
|
#
|
|
# Enable per-provider:
|
|
# CLI_COMPAT_CODEX=1
|
|
# CLI_COMPAT_CLAUDE=1
|
|
# CLI_COMPAT_GITHUB=1
|
|
# CLI_COMPAT_ANTIGRAVITY=1
|
|
# CLI_COMPAT_KIRO=1
|
|
# CLI_COMPAT_CURSOR=1
|
|
# CLI_COMPAT_KIMI_CODING=1
|
|
# CLI_COMPAT_KILOCODE=1
|
|
# CLI_COMPAT_CLINE=1
|
|
# CLI_COMPAT_QWEN=1
|
|
#
|
|
# Or enable for all providers at once:
|
|
# CLI_COMPAT_ALL=1
|
|
|
|
# API Key Providers (Phase 1 + Phase 4)
|
|
# Add via Dashboard → Providers → Add API Key, or set here
|
|
# DEEPSEEK_API_KEY=
|
|
# GROQ_API_KEY=
|
|
# XAI_API_KEY=
|
|
# MISTRAL_API_KEY=
|
|
# PERPLEXITY_API_KEY=
|
|
# TOGETHER_API_KEY=
|
|
# FIREWORKS_API_KEY=
|
|
# CEREBRAS_API_KEY=
|
|
# COHERE_API_KEY=
|
|
# NVIDIA_API_KEY=
|
|
|
|
# Embedding Providers (optional — used by /v1/embeddings)
|
|
# NEBIUS_API_KEY=
|
|
# Provider keys above (openai, mistral, together, fireworks, nvidia) also work for embeddings
|
|
|
|
# Timeout settings
|
|
# REQUEST_TIMEOUT_MS=600000
|
|
# STREAM_IDLE_TIMEOUT_MS=600000
|
|
# Advanced timeout overrides (optional)
|
|
# FETCH_TIMEOUT_MS=600000
|
|
# FETCH_HEADERS_TIMEOUT_MS=600000
|
|
# FETCH_BODY_TIMEOUT_MS=600000
|
|
# FETCH_CONNECT_TIMEOUT_MS=30000
|
|
# FETCH_KEEPALIVE_TIMEOUT_MS=4000
|
|
# TLS_CLIENT_TIMEOUT_MS=600000
|
|
# API bridge timeout for /v1 proxy requests (default: 30000)
|
|
# API_BRIDGE_PROXY_TIMEOUT_MS=600000
|
|
# API_BRIDGE_SERVER_REQUEST_TIMEOUT_MS=600000
|
|
# API_BRIDGE_SERVER_HEADERS_TIMEOUT_MS=60000
|
|
# API_BRIDGE_SERVER_KEEPALIVE_TIMEOUT_MS=5000
|
|
# API_BRIDGE_SERVER_SOCKET_TIMEOUT_MS=0
|
|
|
|
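# CORS configuration (default: * allows all origins).
# For deployments reachable beyond localhost, set an explicit origin (e.g. your dashboard URL) instead of *.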
|
|
# CORS_ORIGIN=*
|
|
|
|
# Logging
|
|
# APP_LOG_LEVEL=info
|
|
# APP_LOG_FORMAT=text
|
|
APP_LOG_TO_FILE=true
|
|
# APP_LOG_FILE_PATH=logs/application/app.log
|
|
# APP_LOG_MAX_FILE_SIZE=50M
|
|
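# NOTE: APP_LOG_RETENTION_DAYS and CALL_LOG_RETENTION_DAYS are already set to 90 in the Storage
# section above; change them there rather than uncommenting a second assignment here.
# APP_LOG_RETENTION_DAYS=7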
|
|
# APP_LOG_MAX_FILES=20
|
|
# CALL_LOG_RETENTION_DAYS=7
|
|
# CALL_LOG_MAX_ENTRIES=10000
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# Memory Optimization (Low-RAM configurations)
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# Node.js heap limit in MB (default: 256 for Docker, system default for npm)
|
|
# OMNIROUTE_MEMORY_MB=256
|
|
|
|
# Prompt cache settings
|
|
# PROMPT_CACHE_MAX_SIZE=50
|
|
# PROMPT_CACHE_MAX_BYTES=2097152
|
|
# PROMPT_CACHE_TTL_MS=300000
|
|
|
|
# Semantic cache settings (temperature=0 responses)
|
|
# SEMANTIC_CACHE_MAX_SIZE=100
|
|
# SEMANTIC_CACHE_MAX_BYTES=4194304
|
|
# SEMANTIC_CACHE_TTL_MS=1800000
|
|
|
|
# In-memory log buffers
|
|
# STREAM_HISTORY_MAX=50
|