OmniRoute/docs
Arthur Bodera 1c18be4f8f
fix: centralize public origin checks for proxied dashboards (#5278)
Centralizes browser-mutation origin validation into `src/server/origin/publicOrigin.ts` and wires it through the authz pipeline, replacing the per-route same-origin-only check that 403'd dashboard mutations when served behind a reverse proxy on a different public origin. The new module resolves the allowed public origin from configured base-URL env vars or trusted forwarded headers (only when OMNIROUTE_TRUST_PROXY is set AND the peer is loopback/LAN via peer-stamp), validates Sec-Fetch-Site metadata, and sanitizes Host/Forwarded inputs (rejects control chars, userinfo, path/query in Host).

Reviewed sound; validated locally: authz/public-origin + pipeline suites 27/27 green (incl. invalid-origin reject + configured-origin accept), typecheck clean. Maintainer fix-up: moved the new test from tests/unit/server/ (not collected by any runner — orphan-test gate fail) into tests/unit/authz/. Remaining red CI shards are the pre-existing #4076 Dockerfile heap base-red on `main` (unrelated; de-brittled in the v3.8.40 release line).

Co-authored-by: Thinkscape <Thinkscape@users.noreply.github.com>
2026-06-29 01:43:14 -03:00
..
architecture Release v3.8.37 (#5053) 2026-06-26 02:51:06 -03:00
comparison Release v3.8.37 (#5053) 2026-06-26 02:51:06 -03:00
compression Release v3.8.36 (#4854) 2026-06-25 13:17:40 -03:00
dev Release v3.8.2 (#2503) 2026-05-23 01:46:59 -03:00
diagrams Release v3.8.37 (#5053) 2026-06-26 02:51:06 -03:00
features Release v3.8.32 (#4418) 2026-06-21 08:56:51 -03:00
frameworks Release v3.8.37 (#5053) 2026-06-26 02:51:06 -03:00
getting-started Release v3.8.29 (#4126) 2026-06-19 06:49:01 -03:00
guides fix: centralize public origin checks for proxied dashboards (#5278) 2026-06-29 01:43:14 -03:00
i18n fix(docker): copy open-sse workspace manifest before npm ci (v3.8.39 image build) (#5223) 2026-06-28 07:39:27 -03:00
marketing Release v3.8.2 (#2503) 2026-05-23 01:46:59 -03:00
ops fix: centralize public origin checks for proxied dashboards (#5278) 2026-06-29 01:43:14 -03:00
plugins Release v3.8.18 (#3482) 2026-06-09 15:56:24 -03:00
providers Release v3.8.38 (#5078) 2026-06-27 09:07:12 -03:00
reference fix: centralize public origin checks for proxied dashboards (#5278) 2026-06-29 01:43:14 -03:00
releases Release v3.8.2 (#2503) 2026-05-23 01:46:59 -03:00
research Release v3.8.21 (#3593) 2026-06-11 04:01:24 -03:00
routing Release v3.8.39 (#5164) 2026-06-28 06:58:29 -03:00
screenshots Release v3.8.28 (#4053) 2026-06-17 19:26:32 -03:00
security Release v3.8.38 (#5078) 2026-06-27 09:07:12 -03:00
DOCUMENTATION_OVERHAUL_PLAN.md fix(docs): move DOCUMENTATION_OVERHAUL_PLAN out of the fumadocs guides collection (#4123) 2026-06-17 19:58:28 -03:00
INCIDENT_RESPONSE.md Release v3.8.36 (#4854) 2026-06-25 13:17:40 -03:00
meta.json fix(docs): add ACP.md frontmatter and flatten docs/meta.json pages format 2026-06-09 02:48:41 -03:00
openapi.yaml Release v3.8.39 (#5164) 2026-06-28 06:58:29 -03:00
PERF_BUDGETS.md Release v3.8.36 (#4854) 2026-06-25 13:17:40 -03:00
PROVIDERS.md Release v3.8.29 (#4126) 2026-06-19 06:49:01 -03:00
README.md Release v3.8.37 (#5053) 2026-06-26 02:51:06 -03:00
SUBMIT_PR.md Release v3.8.24 (#3747) 2026-06-13 17:27:40 -03:00
THREAT_MODEL.md Release v3.8.35 (#4743) 2026-06-23 17:06:18 -03:00

title version lastUpdated
OmniRoute Documentation 3.8.24 2026-06-13

OmniRoute Documentation

Navigable index of the OmniRoute documentation set. Topics are grouped by intent so you can find what you need quickly.

Looking for the project overview, install steps, or release notes? See the root README.md, CHANGELOG.md, and CONTRIBUTING.md.


architecture/

How the system is put together — read these to understand the runtime, code layout, and resilience model.

For Non-Tech Users

Simple guides for using OmniRoute — no technical background needed.

getting-started/

guides/

For Tech Users

Technical documentation for developers and contributors.

reference/

Lookup material — API surface, environment variables, CLI flags, provider catalog.

frameworks/

Pluggable subsystems exposed to clients, agents, and operators.

routing/

Combo routing, scoring, and replay.

security/

Guardrails, compliance, stealth, and the mandatory patterns for handling public credentials and error messages.

  • GUARDRAILS.md — PII, prompt injection, vision guardrails.
  • COMPLIANCE.md — audit trails and compliance.
  • STEALTH_GUIDE.md — TLS / fingerprint stealth.
  • PUBLIC_CREDS.mdmandatory pattern for embedding public upstream OAuth client_id/secret + Firebase Web keys without tripping secret scanners.
  • ERROR_SANITIZATION.mdmandatory pattern for routing every error response through sanitizeErrorMessage to prevent stack-trace exposure.

compression/

Prompt compression engines, rules, and language packs.

ops/

Release, deployment, proxies, tunnels, coverage.

diagrams/

Mermaid sources and exported SVG/PNG diagrams referenced from the docs above. Populated incrementally — see diagrams/README.md.

i18n/

Translated mirrors of the documentation in 42 locales. See i18n/README.md for the supported language list.

screenshots/

Static screenshots used by the dashboard and the README. Not part of the doc body.


Auto-generated artifacts

  • reference/PROVIDER_REFERENCE.md is generated by scripts/docs/gen-provider-reference.ts from src/shared/constants/providers.ts. Do not edit by hand.
  • The /docs UI is backed by Fumadocs MDX source generation from the subfolders above.