867 Commits

Author SHA1 Message Date
diegosouzapw 08d0e9f8b4 fix(security): resolve CodeQL alert 164 ReDoS in extraction and preserve release branch workflow
2026-04-19 20:28:39 -03:00
Diego Rodrigues de Sa e Souza 3432dfd280 Release v3.6.9 (#1404)
* test: resolve typescript strictness complaints in unit tests

* Update Claude Code obfuscation to version 2.1.114 (#1403)

* fix(cloud-code): scope thinking stripping to executor boundaries (#1401)

* fix(cloud-code): scope thinking stripping to executors

* fix(cloud-code): guard antigravity normalized body

* Update Claude Code obfuscation to version 2.1.114

- Update Claude Code version from 2.1.87 to 2.1.114
- Update X-Stainless-Package-Version from 0.80.0 to 0.81.0
- Add new beta flags: redact-thinking-2026-02-12, advisor-tool-2026-03-01, advanced-tool-use-2025-11-20
- Add missing headers: anthropic-version, anthropic-dangerous-direct-browser-access, x-app, X-Stainless-Timeout
- Add all X-Stainless-* headers (Arch, Lang, OS, Runtime, Runtime-Version, Retry-Count)
- Fix accept-encoding header: identity -> gzip, deflate, br, zstd
- Add connection: keep-alive header
- Update tool name mapping: add lsp, apply_patch, websearch

These changes ensure that requests from OpenCode through Omniroute are indistinguishable from genuine Claude Code 2.1.114 requests, allowing proper authentication with Anthropic's API without triggering extra credits errors.

* fix: resolve CodeQL password hash alert and TruffleHog CI failure

---------

Co-authored-by: Randi <55005611+rdself@users.noreply.github.com>
Co-authored-by: Diego Rodrigues de Sa e Souza <8016841+diegosouzapw@users.noreply.github.com>
Co-authored-by: Nikolay Popov <ekklesio.dev@gmail.com>
Co-authored-by: diegosouzapw <diegosouzapw@users.noreply.github.com>

* fix(claude-code): scope obfuscation to cli clients and fix tests

* docs(workflows): enforce PR merge instead of manual close

* docs(changelog): update 3.6.9 notes with missing PR 1403 and fixes

* docs(workflows): update generate-release to use full changelog for PR body

* fix(tsc): silence baseUrl deprecation warnings for TS 5.5+

* fix(chatcore): apply proactive compression before provider translation (#1406)

Integrated into release/v3.6.9

* docs(changelog): add PR 1406

* Makes text visible in dark-mode (#1409)

Integrated into release/v3.6.9

* docs(changelog): add PR 1409

* chore: save local work

* chore(release): sync version references to 3.6.9

* fix(codex): prevent proactive token refresh consumption and strip background parameter

* ci: shard long-running suites and relax timeouts

* ci: allow manual CI dispatch for release branches

* feat(skills): provider-aware marketplace UX, scored AUTO injection, and memory pipeline hardening (#1411)

* fix/400 for GeminiCLI(add "ref" in GEMINI_UNSUPPORTED_SCHEMA_KEYS)

* feat(cc-compatible): align request shape with Claude CLI

* fix(cc-compatible): add Claude CLI system skeleton for OpenAI input

* preserve reasoning when translating chat to responses (#1414)

Integrated into release/v3.6.9

* fix(skills): optimize AUTO scoring and include Responses input context (#1418)

Integrated into release/v3.6.9

* chore: fix TS errors and update review-prs workflow

* fix(api): stop sending unsupported Gemini and Codex parameters

Prevent Gemini request translation from injecting default
thoughtSignature values that the upstream API strictly validates and
rejects. Only preserve real signatures resolved from prior upstream
responses, and strip additionalProperties from Gemini function schemas
to avoid 400 "Unknown name" errors.

Also remove fallback-injected session_id and conversation_id fields
before sending Codex requests, and restore compatibility with the
legacy OUTBOUND_SSRF_GUARD_ENABLED flag when determining whether
private provider URLs are allowed.

Updates the Gemini translator and regression tests for issue #1410
and related 400 error cases.

* fix(core): stabilization fixes for token refresh, usage translation, and testing

- Update Codex token refresh detection logic
- Mark provider connections invalid on unrecoverable refresh error
- Fix Claude usage translation under-reporting cached tokens
- Update test expectations
- Update CHANGELOG.md for v3.6.9

* fix(auth): reload fresh token state and unify expiry persistence

Refresh checks now re-read the latest stored provider connection before
attempting rotation so they do not use stale refresh tokens captured by
an earlier sweep.

Token updates also persist both expiresAt and tokenExpiresAt across the
health check, usage-limit refresh path, and SSE refresh flow. This keeps
known token expiry metadata in sync and avoids interval-based refreshes
for connections whose tokens are still valid well into the future.

* fix: resolve SSRF environment static evaluation bug (#1427)

Fix import aliases and strict TS typings for tests and ACP agents.

* test: resolve remaining strict type errors in test files

* test: fix provider service assertion for anthropic-compatible header

* fix(codex): respect openaiStoreEnabled setting during native passthrough (#1432)

* fix(codex): fix token refresh unrecoverable detection for expired tokens

* fix(ci): restore release v3.6.9 build and flaky tests

* fix(cc-compatible): trim default OpenAI system skeleton (#1433)

Integrated into release/v3.6.9

* fix: prevent masked API keys from being written to CLI tool configs (#1435)

* feat: mark Qwen provider as deprecated and add deprecation warning to CLI tool (#1437)

* docs(changelog): comprehensive v3.6.9 update with all 59 commits since v3.6.8

* test(ci): align qwen guide settings assertions

* fix(security): resolve CodeQL alert 163 for incomplete URL sanitization in Qwen CLI settings

---------

Co-authored-by: diegosouzapw <diegosouzapw@users.noreply.github.com>
Co-authored-by: Nikolay Popov <74762779+nikolay-popov-ideogram@users.noreply.github.com>
Co-authored-by: Randi <55005611+rdself@users.noreply.github.com>
Co-authored-by: Nikolay Popov <ekklesio.dev@gmail.com>
Co-authored-by: Paijo <14921983+oyi77@users.noreply.github.com>
Co-authored-by: Tim Massey <tim-massey@users.noreply.github.com>
Co-authored-by: Paijo <oyi77@users.noreply.github.com>
Co-authored-by: dail45 <dail45@yandex.ru>
Co-authored-by: R.D. <rogerproself@gmail.com>
2026-04-19 19:50:30 -03:00
diegosouzapw b909013058 fix: resolve MITM not working when connecting Antigravity (#1399) 2026-04-18 16:53:20 -03:00
diegosouzapw 8d1c30ad17 chore: merge main (CodeQL fixes) into release/v3.6.9 2026-04-18 12:02:07 -03:00
diegosouzapw ecab0edad1 fix(security): Resolve CodeQL alerts (#151, #154, #155-#159)
- Fix insecure randomness in usage service
- Add CodeQL suppression for intentional SHA-512 checksum in callLogArtifacts
- Replace URL string prefix matching with strict hostname validation in tests
- Remove scratch scripts with sensitive data logging
2026-04-18 11:51:24 -03:00
diegosouzapw d42842ba25 chore: fix CodeQL alerts and missing docker postinstall 2026-04-18 11:44:20 -03:00
Benson K B 4a560c0b1c feat(cli): add direct config save for Qwen Code (#1394)
Integrated into release/v3.6.9
2026-04-18 10:59:11 -03:00
Benson K B 891189bbf3 feat(cli): derive Claude CLI model defaults from provider registry dynamically (#1393)
Integrated into release/v3.6.9
2026-04-18 10:49:34 -03:00
diegosouzapw c8679b0c79 chore(release): v3.6.9 — changelog, docs, version sync 2026-04-18 09:16:27 -03:00
diegosouzapw 7bc4ac1833 fix: Type error in Header electronAPI 2026-04-18 04:59:17 -03:00
diegosouzapw c03a5a4443 fix: resolve CodeQL security alerts (#151, #152, #154, #155-#159)
- #155-#159 (Incomplete URL substring sanitization):
  Replaced partial `startsWith()` matching on URLs in test assertions and mocks with strict `new URL(url).hostname` parsing.
- #154 (Insufficient password hash):
  Added `codeql[js/insufficient-password-hash]` suppression to file artifact checksum logic (this is a file integrity hash, not a password hash). Switched back to sha256 to avoid unnecessary sha512 overhead.
- #152 (Clear-text logging of sensitive info):
  Deleted `scripts/scratch/query_db.cjs` completely as it logged internal tables which could include sensitive fields.
- #151 (Insecure randomness):
  Switched `globalThis.crypto.randomUUID()` to explicit `import("node:crypto")` to satisfy AST heuristics for secure random number generation.
2026-04-18 04:58:15 -03:00
diegosouzapw 7e1e0e362e feat: implement #1350 #1367 #1369 — persistent API key, backup pruning, GPU optimization
#1350 — Persist API-Key via Docker volume:
- isValidApiKey() now checks OMNIROUTE_API_KEY/ROUTER_API_KEY env vars
  before querying SQLite, making keys survive container restarts/restores
- Env-var keys bypass DB entirely — no regeneration needed

#1367 — Limit Database Backup Count:
- Already implemented: UI controls (keepLatest, retentionDays) in
  SystemStorageTab + backend cleanupDbBackups() with DB_BACKUP_MAX_FILES
- Closed as already resolved

#1369 — Reduce GPU usage:
- Removed backdrop-blur-xl from Sidebar.tsx and Header.tsx
- Made --color-sidebar CSS vars fully opaque (eliminates GPU compositing)
- Added data memoization to RequestLoggerV2/ProxyLogger via
  logsSignatureRef — skips setLogs when data unchanged (~80% fewer re-renders)

Tests: 36/36 pass, typecheck:core pass
2026-04-18 04:54:59 -03:00
diegosouzapw 4a930e7966 fix: Claude passthrough (#1359), kimi-k2 reasoning (#1360), thinking leak (#1361), Ollama redirect (#1381)
- Eliminate lossy Claude→OpenAI→Claude round-trip for Claude-format providers
- Expand isReasoner to include kimi-k2 and opencode-go provider models
- Block thinking param leak to non-Claude antigravity models (gemini, gpt-oss)
- Allow redirects for Ollama Cloud /v1/models endpoint (301)
2026-04-18 04:34:11 -03:00
diegosouzapw 15abfe61ec chore: fix CodeQL alerts and missing docker postinstall 2026-04-18 04:15:33 -03:00
diegosouzapw 4ea123a2c0 build(next): tighten standalone tracing and ignore runtime fs lookups
Trim standalone output by excluding repository-only directories from Next
file tracing and mark runtime path resolution with turbopackIgnore so
build analysis does not treat host-specific files as bundled assets.

Align the proxy debug toggle with the current change handler signature to
avoid incorrect state transitions during settings updates.
2026-04-17 23:48:37 -03:00
diegosouzapw c8828b8a42 fix(build): unblock release build and settings state updates
Add targeted TypeScript annotations and module declarations to reduce
type errors in open-sse services, executors, and shared utilities while
temporarily disabling checking in legacy files that still need migration.

Reset stale `.next/standalone` output before isolated builds so release
artifacts are generated from a clean state.

Update the dashboard proxy settings UI to bypass cached settings reads
and immediately roll back debug mode when the PATCH request fails, which
prevents stale data and inconsistent toggle state.
2026-04-17 23:21:02 -03:00
diegosouzapw fceb9d4145 fix(core): resolve runtime edge cases and TypeScript regressions
Tighten request and provider typing across the SSE pipeline to fix
nullability and inference issues in Claude compatibility, wildcard
routing, usage tracking, proxy fetch, and response sanitization.

Address runtime edge cases by normalizing Bailian hosts, guarding TLS
session creation, preserving custom provider base URLs, and using safer
OAuth form param construction during token refresh flows.

Update dashboard data path exports and usage stats typing, and align
E2E/unit tests with paginated API responses, internal model sync auth,
and current response payload shapes.
2026-04-17 20:02:45 -03:00
diegosouzapw 447c13592f refactor(audit): align audit dashboard with compliance log entries
Switch the audit API and dashboard viewer to consume the compliance
audit log shape instead of the older config diff format.

This updates summary responses to return entry counts, adds total
results for paginated audit queries, and replaces source-based filters
with actor and date-based parameters. The dashboard copy and columns now
reflect broader administrative and security events rather than only
configuration changes.
2026-04-17 19:23:58 -03:00
diegosouzapw 0afd304949 fix(routes): require prompts for media generation requests
Restore prompt validation for v1 music and video generation endpoints so
empty or missing prompts fail fast with a 400 response.

Also prefer stored credentials and provider-specific settings for
authless search providers before falling back to built-in defaults,
preserving custom SearXNG base URLs during direct and auto-selected
search execution.

Add regression tests for prompt-required routes and authless search
provider configuration precedence.
2026-04-17 19:10:49 -03:00
diegosouzapw a3d1dc6cf9 fix(api): support image-only models and authless search providers
Allow image generation requests to omit prompts for models that only
accept image input, and validate required inputs from model metadata
instead of enforcing a text prompt for every request.

Treat authless search providers as executable with built-in defaults so
SearXNG can run without stored credentials, including during provider
auto-selection.

Also align runtime support with Node.js 24 LTS, harden thinking tag
compression and proxy wildcard matching, and update tests for the new
route and runtime behavior.
2026-04-17 18:45:32 -03:00
diegosouzapw ea67216bf2 refactor: Split CLI runner and decouple migration engine for extensibility
Closes #1358
2026-04-17 17:02:00 -03:00
diegosouzapw 1e3ac5fff7 feat: add CC Compatible connection-level 1M context toggle
Closes #1357
2026-04-17 16:59:18 -03:00
diegosouzapw 8cf78ddf00 feat(auth): enforce dashboard sessions for management routes
Require dashboard session cookies on protected management APIs and
reject bearer API keys with explicit 403 responses to prevent
privilege escalation across provider, settings, and model alias routes.

Add a dedicated payload rules management surface with dashboard UI,
OpenAPI documentation, route normalization, and tests for hot-reloaded
runtime updates.

Consolidate provider catalog metadata for dashboard pages, add
Perplexity web-cookie provider support, retire the legacy provider
creation page, and improve upstream proxy handling.

Harden startup and runtime behavior by moving cloud sync bootstrap to
server instrumentation, skipping background services during build/test,
making models.dev sync abortable, pruning isolated build artifacts, and
improving DB backup and recovery safeguards.
2026-04-17 16:45:27 -03:00
diegosouzapw 4ae488b25b feat(runtime): add hot-reloadable guardrails and model diagnostics
Introduce a runtime settings layer that hydrates persisted config at startup
and reapplies aliases, payload rules, cache behavior, CLI compatibility,
usage tuning, and related switches when settings change or SQLite updates.

Replace the legacy prompt injection middleware path with a guardrail
registry that supports prompt injection detection, PII masking, disabled
guardrail overrides, and post-call response handling across the chat
pipeline.

Add a metadata registry for model catalog and alias resolution so catalog
endpoints return enriched capabilities plus diagnostic headers and typed
alias errors instead of ad hoc responses.

Convert unsupported built-in web_search tools into an OmniRoute fallback
tool, execute them through builtin skills, and preserve Responses API
function call output with sanitized usage fields.

Centralize provider header fingerprints for GitHub, Cursor, Qwen, Qoder,
Kiro, and Antigravity, and migrate management passwords from env or
plaintext storage into persisted bcrypt hashes during startup and login.
2026-04-17 11:56:52 -03:00
diegosouzapw dc6d9e2e4b feat(core): add payload rules, tag routing, and scheduled budgets
Introduce runtime-configurable payload mutation/filter rules with file
reload support and a settings API so upstream request bodies can be
customized per model and protocol without restarts.

Expand search support with Google PSE, Linkup, SearchAPI, and SearXNG,
including validation, routing, analytics costing, MCP schema updates,
and search-type-aware provider selection. Update Pollinations to support
anonymous access, endpoint failover, and the latest public model lineup.

Add OmniRoute response metadata headers/SSE comments, per-connection
model exclusion rules, combo tag-based routing, buffered spend writes,
and scheduled daily/weekly/monthly budget resets. Update model catalog
and dashboard UIs to surface source labels and hide models excluded by
all active connections.
2026-04-17 09:00:32 -03:00
diegosouzapw 14d18d27b1 feat(providers): expose antigravity preview aliases and gemini cli onboarding
Centralize Antigravity public model definitions and use the
client-visible preview aliases in provider discovery, model catalog
responses, and default alias seeding.

Add Gemini CLI managed-project onboarding with retries when
loadCodeAssist does not return a project, and update Gemini CLI header
fingerprints to match newer native clients.

Improve non-stream handling by converting NDJSON event payloads into
SSE-compatible parsing for stream=false requests, add PUT support for
the settings API, expand Gemini schema cleanup for local refs and
unsupported keys, and include Anthropic beta headers for API-key
requests.
2026-04-16 23:25:58 -03:00
diegosouzapw 7b51ccd9e4 feat(antigravity): add client model aliases and signature bypass modes
Expose client-visible Antigravity preview model aliases while resolving
them back to upstream IDs for execution and provider discovery. Refresh
the Antigravity user agent from cached latest release metadata so model
discovery and requests track current CLI versions more reliably.

Add configurable Gemini thought signature cache modes in settings to
allow validated client-provided signatures in bypass flows while
preserving the existing stored-signature behavior by default.

Also centralize Anthropic header/version constants, enrich image model
catalog metadata with input and output modalities, add dashboard image
input support for advanced image providers, and exclude task docs from
Next standalone tracing to keep isolated builds stable.
2026-04-16 20:53:35 -03:00
diegosouzapw ce8e9b96ca feat(providers): expand image provider registry and model support
Add Fal.ai, Stability AI, Black Forest Labs, Recraft, and Topaz
image provider metadata and expose their static model catalogs through the
providers models API.

Unify dashboard image model listings with the runtime image registry to
avoid drift, add image model aliases for FLUX variants, and extend image
generation handling for new provider formats and edit endpoints.

Include tests covering alias resolution and provider-specific image
generation flows.
2026-04-16 19:32:38 -03:00
diegosouzapw 21bccce4a1 fix(security): prevent arbitrary API keys from accessing dashboard management routes (#1353) 2026-04-16 18:02:34 -03:00
diegosouzapw 22492b5707 fix(i18n): update nodeIncompatibleHint to recommend Node 24 LTS across all 31 languages 2026-04-16 16:23:46 -03:00
diegosouzapw 661a63cc45 fix(db): prevent native module errors from renaming db and bump mass-migration safety threshold 2026-04-16 16:07:44 -03:00
diegosouzapw a0654b4643 fix: resolve migration abort on fresh database #1328 and missing getCreditsMode export 2026-04-16 16:07:44 -03:00
diegosouzapw 6902fa34bb fix(providers): separate test batch calls and ignore unknown connections 2026-04-16 16:07:43 -03:00
Paijo 5cbc08a6a2 docs: fix outdated Node 24 warnings in TROUBLESHOOTING.md (#1343)
Integrated into release/v3.6.7
2026-04-16 16:07:29 -03:00
Randi 01bd0d6760 Add Claude Opus 4.7 to Claude Code OAuth models (#1347)
Integrated into release/v3.6.7
2026-04-16 16:07:18 -03:00
Randi bc7fb96184 fix: close MCP audit SQLite connections on shutdown (#1348)
Integrated into release/v3.6.7
2026-04-16 16:07:13 -03:00
Paijo 03b8e21f23 feat: add Node.js 24 LTS (Krypton) support (#1340)
Integrated into release/v3.6.7
2026-04-16 14:29:29 -03:00
SiFax 68060d636d feat: display Antigravity credit balance in dashboard Limits & Quotas (#1338)
Integrated into release/v3.6.7
2026-04-16 12:53:37 -03:00
diegosouzapw 6e9b23c8e2 fix(providers): support batch testing for web, search, and audio
Add dedicated batch test modes for web-cookie, search, and audio
providers in the dashboard, API route, and request validation so
category-level testing targets the correct connections.

Rename legacy qoder refresh and usage helpers from iflow to qoder
for consistency, and tighten regex handling in response cleaning,
thinking compression, and proxy matching to address edge cases and
static analysis findings.

Also update related tests, typing fixes, and README star history
embeds.
2026-04-16 11:52:53 -03:00
diegosouzapw 3843751c58 security: Resolve GitHub CodeQL scan alerts
- Fixed proxyFetch regex incomplete escape
- Updated contextManager regex to avoid Polynomial ReDoS (using [^]*?)
- Removed redundant incomplete sanitization replace in page.tsx
- Fixed perplexity-web missing flags (i) in regex and used [^]*?
- Renamed callLogArtifact sha256 to artifactHash to fix false positive password hash alert
2026-04-16 11:52:53 -03:00
diegosouzapw ca944f280f fix(#1316): resolve thinking leaks, consecutive roles, and missing thoughtSignatures for Antigravity translator 2026-04-16 11:52:53 -03:00
Paijo 4eedf4d1cd fix: preserve key_value settings across DB recreation (#1333)
Integrated into release/v3.6.7
2026-04-16 11:52:23 -03:00
Payne 37cc61e6a3 fix(providers): add grok-web SSO cookie validation handler (#1334)
Integrated into release/v3.6.7
2026-04-16 11:52:19 -03:00
Diego Rodrigues de Sa e Souza 57395ed05c Merge pull request #1324 from clousky2020/feat/i18n-clean
fix(i18n): resolve code review issues for PR #1318
2026-04-16 10:17:42 -03:00
clousky 2206fed7e4 fix(requestLogger): add missing cacheSource and tps columns to i18n
Add cacheSource and tps to the translated columns array and their
corresponding translation keys in en.json and zh-CN.json.
2026-04-16 20:43:03 +08:00
clousky 67fc68683d fix(i18n): resolve code review issues for PR #1318
- Fix duplicate routing strategy guidance texts in zh-CN.json
- Fix strategy recommendations duplicates
- Add useMemo import in playground/page.tsx
- Add hardcoded string localization in ProxyConfigModal.tsx
- Replace dangerouslySetInnerHTML with t.rich in OAuthModal.tsx
- Replace dangerouslySetInnerHTML with t.rich in PricingModal.tsx
- Add useMemo in RequestLoggerV2.tsx for performance

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-16 20:27:16 +08:00
diegosouzapw f86754f437 Merge branch 'feat/i18n-clean' into release/v3.6.7 2026-04-16 08:33:09 -03:00
Diego Rodrigues de Sa e Souza b3909b4af5 Merge pull request #1318 from clousky2020/feat/i18n-clean
feat(i18n): add internationalization support for combo features and dashboard components
2026-04-16 08:32:50 -03:00
Diego Rodrigues de Sa e Souza f422493694 Merge pull request #1310 from Gi99lin/fix/api-manager-usage-stats
fix: API Manager usage stats showing 0 for all registered keys
2026-04-16 08:32:42 -03:00
diegosouzapw 5c81aba90e chore(i18n): sync translations with en.json keys 2026-04-16 08:31:34 -03:00