Require dashboard session cookies on protected management APIs and
reject bearer API keys with explicit 403 responses to prevent
privilege escalation across provider, settings, and model alias routes.
Add a dedicated payload rules management surface with dashboard UI,
OpenAPI documentation, route normalization, and tests for hot-reloaded
runtime updates.
Consolidate provider catalog metadata for dashboard pages, add
Perplexity web-cookie provider support, retire the legacy provider
creation page, and improve upstream proxy handling.
Harden startup and runtime behavior by moving cloud sync bootstrap to
server instrumentation, skipping background services during build/test,
making models.dev sync abortable, pruning isolated build artifacts, and
improving DB backup and recovery safeguards.
Introduce a runtime settings layer that hydrates persisted config at startup
and reapplies aliases, payload rules, cache behavior, CLI compatibility,
usage tuning, and related switches when settings change or SQLite updates.
Replace the legacy prompt injection middleware path with a guardrail
registry that supports prompt injection detection, PII masking, disabled
guardrail overrides, and post-call response handling across the chat
pipeline.
Add a metadata registry for model catalog and alias resolution so catalog
endpoints return enriched capabilities plus diagnostic headers and typed
alias errors instead of ad hoc responses.
Convert unsupported built-in web_search tools into an OmniRoute fallback
tool, execute them through builtin skills, and preserve Responses API
function call output with sanitized usage fields.
Centralize provider header fingerprints for GitHub, Cursor, Qwen, Qoder,
Kiro, and Antigravity, and migrate management passwords from env or
plaintext storage into persisted bcrypt hashes during startup and login.
Introduce runtime-configurable payload mutation/filter rules with file
reload support and a settings API so upstream request bodies can be
customized per model and protocol without restarts.
Expand search support with Google PSE, Linkup, SearchAPI, and SearXNG,
including validation, routing, analytics costing, MCP schema updates,
and search-type-aware provider selection. Update Pollinations to support
anonymous access, endpoint failover, and the latest public model lineup.
Add OmniRoute response metadata headers/SSE comments, per-connection
model exclusion rules, combo tag-based routing, buffered spend writes,
and scheduled daily/weekly/monthly budget resets. Update model catalog
and dashboard UIs to surface source labels and hide models excluded by
all active connections.
Centralize Antigravity public model definitions and use the
client-visible preview aliases in provider discovery, model catalog
responses, and default alias seeding.
Add Gemini CLI managed-project onboarding with retries when
loadCodeAssist does not return a project, and update Gemini CLI header
fingerprints to match newer native clients.
Improve non-stream handling by converting NDJSON event payloads into
SSE-compatible parsing for stream=false requests, add PUT support for
the settings API, expand Gemini schema cleanup for local refs and
unsupported keys, and include Anthropic beta headers for API-key
requests.
Expose client-visible Antigravity preview model aliases while resolving
them back to upstream IDs for execution and provider discovery. Refresh
the Antigravity user agent from cached latest release metadata so model
discovery and requests track current CLI versions more reliably.
Add configurable Gemini thought signature cache modes in settings to
allow validated client-provided signatures in bypass flows while
preserving the existing stored-signature behavior by default.
Also centralize Anthropics header/version constants, enrich image model
catalog metadata with input and output modalities, add dashboard image
input support for advanced image providers, and exclude task docs from
Next standalone tracing to keep isolated builds stable.
Add Fal.ai, Stability AI, Black Forest Labs, Recraft, and Topaz
image provider metadata and expose their static model catalogs through the
providers models API.
Unify dashboard image model listings with the runtime image registry to
avoid drift, add image model aliases for FLUX variants, and extend image
generation handling for new provider formats and edit endpoints.
Include tests covering alias resolution and provider-specific image
generation flows.
Add one-off database inspection and cleanup scripts under
`scripts/scratch/` for local debugging and maintenance work.
Document root cleanliness and file placement expectations for AI
assistants in `GEMINI.md` to keep temporary scripts and tests out of
the project root.
Add dedicated batch test modes for web-cookie, search, and audio
providers in the dashboard, API route, and request validation so
category-level testing targets the correct connections.
Rename legacy qoder refresh and usage helpers from iflow to qoder
for consistency, and tighten regex handling in response cleaning,
thinking compression, and proxy matching to address edge cases and
static analysis findings.
Also update related tests, typing fixes, and README star history
embeds.
diegosouzapw