Merge pull request #629 from diegosouzapw/release/v3.0.7

chore(release): v3.0.7 — Antigravity token fix, Playground selector, CLI models
2026-03-25 19:30:06 -03:00 · 2026-03-25 19:27:40 -03:00 · 2026-03-25 19:24:16 -03:00 · 2026-03-25 19:24:07 -03:00 · 2026-03-25 19:18:00 -03:00 · 2026-03-25 19:13:29 -03:00
353 changed files with 33991 additions and 5134 deletions
@@ -0,0 +1,39 @@
+---
+description: Deploy the latest OmniRoute code to the Akamai VPS (69.164.221.35)
+---
+
+# Deploy to Akamai VPS Workflow
+
+Deploy OmniRoute to the Akamai VPS using `npm pack + scp` + PM2.
+
+**Akamai VPS:** `69.164.221.35`
+**Process manager:** PM2 (`omniroute`)
+**Port:** `20128`
+
+## Steps
+
+### 1. Build + pack locally
+
+// turbo
+
+```bash
+cd /home/diegosouzapw/dev/proxys/9router && npm run build:cli && npm pack --ignore-scripts
+```
+
+### 2. Copy to Akamai VPS and install
+
+// turbo-all
+
+```bash
+scp omniroute-*.tgz root@69.164.221.35:/tmp/
+```
+
+```bash
+ssh root@69.164.221.35 "npm install -g /tmp/omniroute-*.tgz --ignore-scripts && cd /usr/lib/node_modules/omniroute/app && npm rebuild better-sqlite3 && pm2 delete omniroute 2>/dev/null; pm2 start /root/.omniroute/ecosystem.config.cjs --update-env && pm2 save && echo '✅ Akamai done'"
+```
+
+### 3. Verify the deployment
+
+```bash
+curl -s -o /dev/null -w 'AKAMAI HTTP %{http_code}\n' http://69.164.221.35:20128/
+```
@@ -0,0 +1,49 @@
+---
+description: Deploy the latest OmniRoute code to BOTH the Akamai VPS and the Local VPS
+---
+
+# Deploy to VPS (Both) Workflow
+
+Deploy OmniRoute to the production VPSs using `npm pack + scp` + PM2.
+
+**Akamai VPS:** `69.164.221.35`
+**Local VPS:** `192.168.0.15`
+**Process manager:** PM2 (`omniroute`)
+**Port:** `20128`
+**PM2 entry:** `/usr/lib/node_modules/omniroute/app/server.js`
+
+> [!IMPORTANT]
+> The npm registry rejects packages > 100MB, so deployment uses **npm pack + scp**.
+
+## Steps
+
+### 1. Build + pack locally
+
+// turbo
+
+```bash
+cd /home/diegosouzapw/dev/proxys/9router && npm run build:cli && npm pack --ignore-scripts
+```
+
+### 2. Copy to both VPS and install
+
+// turbo-all
+
+```bash
+scp omniroute-*.tgz root@69.164.221.35:/tmp/ && scp omniroute-*.tgz root@192.168.0.15:/tmp/
+```
+
+```bash
+ssh root@69.164.221.35 "npm install -g /tmp/omniroute-*.tgz --ignore-scripts && cd /usr/lib/node_modules/omniroute/app && npm rebuild better-sqlite3 && pm2 delete omniroute 2>/dev/null; pm2 start /root/.omniroute/ecosystem.config.cjs --update-env && pm2 save && echo '✅ Akamai done'"
+```
+
+```bash
+ssh root@192.168.0.15 "npm install -g /tmp/omniroute-*.tgz --ignore-scripts && cd /usr/lib/node_modules/omniroute/app && npm rebuild better-sqlite3 && pm2 delete omniroute 2>/dev/null; pm2 start /root/.omniroute/ecosystem.config.cjs --update-env && pm2 save && echo '✅ Local done'"
+```
+
+### 3. Verify the deployment
+
+```bash
+curl -s -o /dev/null -w 'AKAMAI HTTP %{http_code}\n' http://69.164.221.35:20128/
+curl -s -o /dev/null -w 'LOCAL HTTP %{http_code}\n' http://192.168.0.15:20128/
+```
@@ -0,0 +1,39 @@
+---
+description: Deploy the latest OmniRoute code to the Local VPS (192.168.0.15)
+---
+
+# Deploy to Local VPS Workflow
+
+Deploy OmniRoute to the Local VPS using `npm pack + scp` + PM2.
+
+**Local VPS:** `192.168.0.15`
+**Process manager:** PM2 (`omniroute`)
+**Port:** `20128`
+
+## Steps
+
+### 1. Build + pack locally
+
+// turbo
+
+```bash
+cd /home/diegosouzapw/dev/proxys/9router && npm run build:cli && npm pack --ignore-scripts
+```
+
+### 2. Copy to Local VPS and install
+
+// turbo-all
+
+```bash
+scp omniroute-*.tgz root@192.168.0.15:/tmp/
+```
+
+```bash
+ssh root@192.168.0.15 "npm install -g /tmp/omniroute-*.tgz --ignore-scripts && cd /usr/lib/node_modules/omniroute/app && npm rebuild better-sqlite3 && pm2 delete omniroute 2>/dev/null; pm2 start /root/.omniroute/ecosystem.config.cjs --update-env && pm2 save && echo '✅ Local done'"
+```
+
+### 3. Verify the deployment
+
+```bash
+curl -s -o /dev/null -w 'LOCAL HTTP %{http_code}\n' http://192.168.0.15:20128/
+```
@@ -1,102 +0,0 @@
---
-description: Deploy the latest OmniRoute code to the Akamai VPS (69.164.221.35) via npm
---
-
-# Deploy to VPS Workflow
-
-Deploy OmniRoute to the production VPS using `npm pack + scp` + PM2.
-
-**VPS:** `69.164.221.35` (Akamai, Ubuntu 24.04, 1GB RAM + 2.5GB swap)
-**Local VPS:** `192.168.0.15` (same setup)
-**Process manager:** PM2 (`omniroute`)
-**Port:** `20128`
-**PM2 entry:** `/usr/lib/node_modules/omniroute/app/server.js`
-
-> [!IMPORTANT]
-> PM2 runs from the global npm package at `/usr/lib/node_modules/omniroute`.
-> The Next.js standalone build is at `app/server.js` inside that directory.
-> The npm registry rejects packages > 100MB, so deployment uses **npm pack + scp**.
-
-> [!CAUTION]
-> **NEVER** use `pm2 restart omniroute` after `npm install -g`. This drops env vars.
-> Always use `pm2 delete omniroute && pm2 start <ecosystem.config.cjs> --update-env`.
-> After `npm install -g`, always rebuild better-sqlite3: `cd .../app && npm rebuild better-sqlite3`
-
-## Steps
-
-### 1. Build + pack locally
-
-Run the full build (includes hash-strip patch) and create the .tgz:
-
-// turbo
-
-```bash
-cd /home/diegosouzapw/dev/proxys/9router && npm run build:cli && npm pack --ignore-scripts
-```
-
-### 2. Copy to both VPS and install
-
-// turbo-all
-
-```bash
-scp omniroute-*.tgz root@69.164.221.35:/tmp/ && scp omniroute-*.tgz root@192.168.0.15:/tmp/
-```
-
-```bash
-ssh root@69.164.221.35 "npm install -g /tmp/omniroute-*.tgz --ignore-scripts && cd /usr/lib/node_modules/omniroute/app && npm rebuild better-sqlite3 && pm2 delete omniroute 2>/dev/null; pm2 start /root/.omniroute/ecosystem.config.cjs --update-env && pm2 save && echo '✅ Akamai done'"
-```
-
-```bash
-ssh root@192.168.0.15 "npm install -g /tmp/omniroute-*.tgz --ignore-scripts && cd /usr/lib/node_modules/omniroute/app && npm rebuild better-sqlite3 && pm2 delete omniroute 2>/dev/null; pm2 start /root/.omniroute/ecosystem.config.cjs --update-env && pm2 save && echo '✅ Local done'"
-```
-
-### 3. Verify the deployment
-
-```bash
-ssh root@69.164.221.35 "pm2 list && cat \$(npm root -g)/omniroute/app/package.json | grep version | head -1 && curl -s -o /dev/null -w 'HTTP %{http_code}' http://localhost:20128/"
-```
-
-```bash
-ssh root@192.168.0.15 "pm2 list && cat \$(npm root -g)/omniroute/app/package.json | grep version | head -1 && curl -s -X POST http://localhost:20128/api/auth/login -H 'Content-Type: application/json' -d '{\"password\":\"123456\"}'"
-```
-
-Expected: PM2 shows `online`, version matches, login returns `{"success":true}`.
-
-## How it works
-
-1. `npm run build:cli` builds Next.js standalone → `app/` and strips Turbopack hashed require() calls from chunks
-2. `npm pack --ignore-scripts` packages without re-running the build
-3. `scp` transfers the .tgz to each VPS (~286MB)
-4. `npm install -g /tmp/omniroute-*.tgz --ignore-scripts` installs pre-built package
-5. `npm rebuild better-sqlite3` recompiles native bindings for the VPS Node.js version
-6. `pm2 delete` + `pm2 start ecosystem.config.cjs --update-env` restarts with env vars
-7. `pm2 save` persists the process list for reboot survival
-
-## Ecosystem Config
-
-Both VPSs have `ecosystem.config.cjs` at `/root/.omniroute/ecosystem.config.cjs`.
-This file defines env vars (PORT, DATA_DIR, INITIAL_PASSWORD, OAuth secrets, etc.)
-that `pm2 restart` does NOT inject — only `pm2 start --update-env` does.
-
-## PM2 Setup (one-time — if reconfiguring from scratch)
-
-```bash
-ssh root@<VPS> "
-  pm2 delete omniroute 2>/dev/null;
-  cd /usr/lib/node_modules/omniroute/app && npm rebuild better-sqlite3 &&
-  pm2 start /root/.omniroute/ecosystem.config.cjs --update-env &&
-  pm2 save && pm2 startup
-"
-```
-
-> [!NOTE]
-> Ensure `/root/.omniroute/ecosystem.config.cjs` exists with all required env vars.
-> For fresh installs, copy from the existing VPS or create from the template in `.env`.
-
-## Notes
-
- Env vars are in `/root/.omniroute/ecosystem.config.cjs` (NOT `.env` in app dir)
- PM2 is configured with `pm2 startup` to auto-restart on reboot
- Nginx proxies `omniroute.online` → `localhost:20128`
- The VPS has only 1GB RAM — builds happen locally, never on the VPS
- After `npm install -g`, `better-sqlite3` MUST be rebuilt in the `app/` subdir
@@ -4,16 +4,36 @@ description: Create a new release, bump version up to 1.x.10 threshold, update c

 # Generate Release Workflow

-Bump version, finalize CHANGELOG, commit, tag, push, publish to npm, and create GitHub release.
+Bump version, finalize CHANGELOG, commit, open a **PR to main** and wait for user confirmation before tagging, publishing, and deploying.

 > **VERSION RULE: Always use PATCH bumps (2.x.y → 2.x.y+1)**
 > NEVER use `npm version minor` or `npm version major`.
 > Always use: `npm version patch --no-git-tag-version`
 > The threshold rule: when `y` reaches 10, bump to `2.(x+1).0` — e.g. `2.1.10` → `2.2.0`.

-## Steps
+---

-### 1. Determine new version
+## ⚠️ Two-Phase Flow
+
+```
+Phase 1 (automated): bump → docs → i18n → commit → push → open PR
+  ↕  🛑 STOP: Notify user, wait for PR confirmation
+Phase 2 (post-merge): tag → publish → GitHub release → Docker → deploy
+```
+
+**NEVER push directly to main or create tags before the user confirms the PR.**
+
+---
+
+## Phase 1: Pre-Merge
+
+### 1. Create release branch
+
+```bash
+git checkout -b release/v2.x.y
+```
+
+### 2. Determine new version

 Check current version in `package.json` and increment the **patch** number only:

@@ -27,11 +47,6 @@ Version format: `2.x.y` — examples:
 - `2.1.9` → `2.1.10` (patch)
 - `2.1.10` → `2.2.0` (minor threshold — do manually with `sed`)

-```bash
-# ALWAYS use patch:
-npm version patch --no-git-tag-version
-```
-
 > **⚠️ ATOMIC COMMIT RULE — Version bump MUST happen before committing feature files.**
 >
 > **CORRECT order:**
@@ -53,7 +68,7 @@ npm version patch --no-git-tag-version
 > This ensures that `git show v2.x.y` always contains both code changes and the version bump together.
 > The GitHub release tag will point to a commit that includes ALL changes for that version.

-### 2. Regenerate lock file (REQUIRED after version bump)
+### 3. Regenerate lock file (REQUIRED after version bump)

 **Mandatory** — skipping causes `@swc/helpers` lock mismatch and CI failures:

@@ -61,7 +76,7 @@ npm version patch --no-git-tag-version
 npm install
 ```

-### 3. Finalize CHANGELOG.md
+### 4. Finalize CHANGELOG.md

 Replace `[Unreleased]` header with the new version and date.
 Keep an empty `## [Unreleased]` section above it.
@@ -74,7 +89,7 @@ Keep an empty `## [Unreleased]` section above it.
 ## [2.x.y] — YYYY-MM-DD
 ```

-### 4. Update openapi.yaml version ⚠️ MANDATORY
+### 5. Update openapi.yaml version ⚠️ MANDATORY

 > **CI will fail** if `docs/openapi.yaml` version ≠ `package.json` version (`check:docs-sync` enforces this).

@@ -84,33 +99,97 @@ Keep an empty `## [Unreleased]` section above it.
 VERSION=$(node -p "require('./package.json').version") && sed -i "s/  version: .*/  version: $VERSION/" docs/openapi.yaml && echo "✓ openapi.yaml → $VERSION"
 ```

-### 5. Stage, commit, and tag
+### 6. Update README.md and i18n docs
+
+Run `/update-docs` workflow steps to:
+
+- Update feature table rows in `README.md`
+- Sync changes to all 29 language `docs/i18n/*/README.md` files
+- Update `docs/FEATURES.md` if Settings section changed
+
+### 7. Run tests
+
+// turbo
+
+```bash
+npm test
+```
+
+All tests must pass before creating the PR.
+
+### 8. Stage, commit, and push

 // turbo-all

 ```bash
-git add package.json package-lock.json CHANGELOG.md docs/openapi.yaml
+git add -A
 git commit -m "chore(release): v2.x.y — summary of changes"
+git push origin release/v2.x.y
+```
+
+### 9. Open PR to main
+
+```bash
+gh pr create \
+  --repo diegosouzapw/OmniRoute \
+  --base main \
+  --head release/v2.x.y \
+  --title "chore(release): v2.x.y — summary" \
+  --body "## 🚀 Release v2.x.y
+
+### Changes
+...
+
+### Tests
+- X/X tests pass
+
+### ⚠️ After merging: run Phase 2 steps to tag, publish, and deploy."
+```
+
+### 10. 🛑 STOP — Notify User & Await PR Confirmation
+
+**This is a mandatory stop point.** Use `notify_user` with `BlockedOnUser: true`:
+
+Inform the user:
+
+- PR URL
+- Summary of changes
+- Test results
+- List of files changed
+
+**DO NOT proceed to Phase 2 until the user confirms the PR looks good and merges it.**
+
+---
+
+## Phase 2: Post-Merge (only after user confirms)
+
+> Run these steps only AFTER the user has merged the PR.
+
+### 11. Pull main and create tag
+
+```bash
+git checkout main
+git pull origin main
 git tag -a v2.x.y -m "Release v2.x.y"
 ```

-### 6. Push to GitHub
+### 12. Push tag to GitHub

 ```bash
-git push origin main --tags
+git push origin --tags
 ```

-### 7. Create GitHub release
+### 13. Create GitHub release

 ```bash
 gh release create v2.x.y --title "v2.x.y — summary" --notes "..."
 ```

-### 8. 🐳 Trigger Docker Hub build (MANDATORY — keep npm and Docker in sync)
+### 14. 🐳 Trigger Docker Hub build (MANDATORY — keep npm and Docker in sync)

 > **CRITICAL**: Docker Hub and npm MUST always publish the same version.
 > The Docker image is built automatically via GitHub Actions when a new tag is pushed.
-> After pushing the tag in step 5-6, **verify the workflow runs**:
+> After pushing the tag in step 11-12, **verify the workflow runs**:

 ```bash
 # Verify the Docker workflow triggered
@@ -129,7 +208,7 @@ If the Docker build was not triggered automatically, trigger it manually:
 gh workflow run docker-publish.yml --repo diegosouzapw/OmniRoute --ref v2.x.y
 ```

-### 9. Deploy to BOTH VPS environments (MANDATORY)
+### 15. Deploy to BOTH VPS environments (MANDATORY)

 > Always deploy to **both** environments after every release.
 > See `/deploy-vps` workflow for detailed steps.
@@ -151,18 +230,27 @@ curl -s -o /dev/null -w "LOCAL:  HTTP %{http_code}\n" http://192.168.0.15:20128/
 curl -s -o /dev/null -w "AKAMAI: HTTP %{http_code}\n" http://69.164.221.35:20128/
 ```

+### 16. Clean up release branch
+
+```bash
+git branch -d release/v2.x.y
+```
+
+---
+
 ## Notes

 - Always run `/update-docs` BEFORE this workflow (ensures CHANGELOG and README are current)
 - The `prepublishOnly` script runs `npm run build:cli` automatically during `npm publish`
 - After npm publish, verify with `npm info omniroute version`
 - Lock file sync errors are caused by skipping `npm install` after version bump
+- Use `gh auth switch -u diegosouzapw` if git push fails with wrong account

 ## Known CI Pitfalls

 | CI failure                                                                | Cause                                                    | Fix                                                                    |
 | ------------------------------------------------------------------------- | -------------------------------------------------------- | ---------------------------------------------------------------------- |
-| `[docs-sync] FAIL - OpenAPI version differs from package.json`            | Skipped step 4 — `docs/openapi.yaml` version not updated | Run step 4 (`sed -i ...`) and commit                                   |
+| `[docs-sync] FAIL - OpenAPI version differs from package.json`            | Skipped step 5 — `docs/openapi.yaml` version not updated | Run step 5 (`sed -i ...`) and commit                                   |
 | `[docs-sync] FAIL - CHANGELOG.md first section must be "## [Unreleased]"` | `## [Unreleased]` missing or not at top of CHANGELOG     | Add `## [Unreleased]\n\n---\n` before the first versioned `## [x.y.z]` |
 | Electron Linux `.deb` build fails (`FpmTarget` error)                     | `fpm` Ruby gem not installed on `ubuntu-latest` runner   | Already fixed in `electron-release.yml` (`gem install fpm` step)       |
 | Docker Hub `502 error writing layer blob`                                 | Transient Docker Hub network error during ARM64 push     | Re-run the Docker publish workflow; no code change needed              |
@@ -0,0 +1,118 @@
+---
+description: Read all open GitHub Discussions, summarize them, respond to pending ones, and create issues from actionable feature requests
+---
+
+# /review-discussions — GitHub Discussions Review & Response Workflow
+
+## Overview
+
+This workflow reads all open GitHub Discussions, generates a categorized summary, identifies which ones need a response, drafts and posts replies, and optionally creates issues from actionable feature requests. It follows the same flow used for Issues but adapted for the Discussions forum.
+
+// turbo-all
+
+## Steps
+
+### 1. Identify the GitHub Repository
+
+- Run: `git -C <project_root> remote get-url origin` to extract the owner/repo
+- Parse the owner and repo name from the URL
+
+### 2. Fetch All Open Discussions
+
+- Use `read_url_content` to fetch `https://github.com/<owner>/<repo>/discussions`
+- Parse the discussion list to get all discussion titles, IDs, authors, categories, and dates
+- For each discussion, fetch the individual page to read the full content and all comments/replies
+
+### 3. Summarize All Discussions
+
+For each discussion, extract:
+
+- **Title** and **#Number**
+- **Author** (GitHub username)
+- **Category** (Announcements, General, Ideas, Q&A, Show and tell)
+- **Date** created
+- **Summary** of the original post (1-2 sentences)
+- **Comments count** and key participants
+- **Your previous response** (if any)
+- **Pending action** — whether a response or follow-up is needed
+
+### 4. Present Summary Report to User
+
+Present the full summary to the user organized by category, using a table:
+
+| #   | Category | Title | Author | Date   | Status            |
+| --- | -------- | ----- | ------ | ------ | ----------------- |
+| #N  | Ideas    | Title | @user  | Mar 23 | ⚠️ Needs response |
+| #N  | Q&A      | Title | @user  | Mar 9  | ✅ Answered       |
+| #N  | General  | Title | @user  | Mar 19 | ⚠️ Needs response |
+
+Highlight:
+
+- **⚠️ Needs response** — No reply from maintainer, or a follow-up comment was left unanswered
+- **✅ Answered** — Maintainer already responded
+- **🐛 Bug reported** — A bug was mentioned that needs tracking
+- **💡 Actionable** — Contains a concrete feature request that could become an issue
+
+### 5. Draft & Post Responses
+
+For each discussion that needs a response, draft a reply following these guidelines:
+
+#### Response Style
+
+- **Friendly and professional** — Start with "Hey @username!"
+- **Acknowledge the contribution** — Thank the user for their input
+- **Be specific** — Reference existing features, settings, or dashboard pages if the feature already exists
+- **Provide workarounds** — If the request isn't implemented yet, suggest current alternatives
+- **Commit to action** — If the request is valid, state that you'll open an issue or add it to the roadmap
+- **Keep it concise** — 3-5 paragraphs max
+
+#### Posting via Browser
+
+- Use `browser_subagent` to navigate to each discussion and post the comment
+- **IMPORTANT**: When typing text in GitHub comment boxes via the browser, use only plain ASCII characters:
+  - Use regular hyphens `-` instead of em-dashes
+  - Use `->` instead of arrow symbols
+  - Do NOT use emoji Unicode characters (the browser keyboard may fail on them)
+  - Use `**bold**` and `\`code\`` markdown formatting
+- Click the green "Comment" button (or "Reply" for threaded replies) after typing
+- Verify the comment was posted by checking the page shows the new comment
+
+### 6. Create Issues from Actionable Feature Requests
+
+For discussions that contain concrete, actionable feature requests:
+
+1. Ask the user which ones should become issues
+2. For each approved request, create a GitHub issue via `browser_subagent`:
+   - Navigate to `https://github.com/<owner>/<repo>/issues/new`
+   - **Title**: `<Feature Name> - <Short description>`
+   - **Body** should include:
+     - `## Feature Request` header
+     - `**Source:** Discussion #N by @author`
+     - `## Problem` — What limitation the user hit
+     - `## Proposed Solution` — How it could work
+     - `### Implementation Ideas` — Technical approach
+     - `### Current Workarounds` — What users can do today
+     - `## Additional Context` — Links to related issues/discussions
+   - Add `enhancement` label
+   - Click "Submit new issue" / "Create"
+3. After creation, go back to the original discussion and post a comment linking to the new issue:
+   - "I've opened Issue #N to track this feature request. Follow along there for updates!"
+
+### 7. Final Report
+
+Present a final summary to the user:
+
+| Discussion | Action Taken                       |
+| ---------- | ---------------------------------- |
+| #N — Title | Responded with workarounds         |
+| #N — Title | Responded + created Issue #N       |
+| #N — Title | Already answered, no action needed |
+| #N — Title | Responded to follow-up comment     |
+
+## Notes
+
+- This workflow is **interactive** — always present the summary and wait for user approval before posting responses or creating issues
+- If the user says "pode responder" (or similar approval), proceed with posting all drafted responses
+- For discussions in non-English languages, respond in the same language as the original post
+- Always reference specific dashboard paths, config options, or code files when explaining existing features
+- When a discussion reveals a bug, note it separately from feature requests
@@ -21,18 +21,18 @@ jobs:
      IMAGE_NAME: diegosouzapw/omniroute
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/v{0}', inputs.version) || '' }}

      - name: Set up QEMU (for multi-arch builds)
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4

      - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -50,7 +50,7 @@ jobs:
          echo "Publishing Docker image: $IMAGE_NAME:$VERSION"

      - name: Build and push multi-arch image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
        with:
          context: .
          target: runner-base
@@ -70,7 +70,7 @@ jobs:
          docker buildx imagetools inspect "${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }}"

      - name: Update Docker Hub description
-        uses: peter-evans/dockerhub-description@v4
+        uses: peter-evans/dockerhub-description@v5
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -201,3 +201,13 @@ jobs:
            release-assets/*.source.zip
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  publish-npm:
+    name: Publish to npm
+    needs: [validate, release]
+    uses: ./.github/workflows/npm-publish.yml
+    with:
+      version: ${{ needs.validate.outputs.version }}
+      tag: latest
+    secrets:
+      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -6,9 +6,31 @@ on:
  workflow_dispatch:
    inputs:
      version:
-        description: "Version tag to publish (e.g. 2.6.0)"
+        description: "Version to publish (e.g. 2.9.5 or 3.0.0-rc.15)"
        required: true
        type: string
+      tag:
+        description: "npm dist-tag (latest / next)"
+        required: false
+        default: "latest"
+        type: choice
+        options:
+          - latest
+          - next
+  workflow_call:
+    inputs:
+      version:
+        description: "Version to publish (without v prefix)"
+        required: true
+        type: string
+      tag:
+        description: "npm dist-tag (latest / next)"
+        required: false
+        default: "latest"
+        type: string
+    secrets:
+      NPM_TOKEN:
+        required: true

 permissions:
  contents: read
@@ -31,16 +53,35 @@ jobs:
      - name: Install dependencies (skip scripts to avoid heavy build)
        run: npm install --ignore-scripts --no-audit --no-fund

-      - name: Sync version from release tag or input
+      - name: Resolve version and dist-tag
+        id: resolve
        run: |
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            VERSION="${{ inputs.version }}"
-          else
-            VERSION="${GITHUB_REF_NAME}"
-            VERSION="${VERSION#v}"
+          case "${{ github.event_name }}" in
+            workflow_dispatch|workflow_call)
+              VERSION="${{ inputs.version }}"
+              TAG="${{ inputs.tag }}"
+              ;;
+            release)
+              VERSION="${GITHUB_REF_NAME}"
+              ;;
+          esac
+          # Strip v prefix if present
+          VERSION="${VERSION#v}"
+          # Default dist-tag logic
+          if [ -z "$TAG" ]; then
+            if [[ "$VERSION" == *-* ]]; then
+              TAG="next"
+            else
+              TAG="latest"
+            fi
          fi
-          npm version "$VERSION" --no-git-tag-version --allow-same-version
-          echo "Publishing version: $VERSION"
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+          echo "📦 Publishing omniroute@$VERSION with tag=$TAG"
+
+      - name: Sync package.json version
+        run: |
+          npm version "${{ steps.resolve.outputs.version }}" --no-git-tag-version --allow-same-version

      - name: Build CLI bundle (standalone app)
        env:
@@ -49,12 +90,18 @@ jobs:

      - name: Publish to npm
        run: |
-          VERSION=$(node -p "require('./package.json').version")
+          VERSION="${{ steps.resolve.outputs.version }}"
+          TAG="${{ steps.resolve.outputs.tag }}"
          # Check if this version is already published — skip instead of failing with E403
          if npm view "omniroute@${VERSION}" version --silent 2>/dev/null | grep -q "^${VERSION}$"; then
-            echo "️⚠️ Version ${VERSION} is already published on npm — skipping."
+            echo "⚠️ Version ${VERSION} is already published on npm — skipping."
            exit 0
          fi
-          npm publish --access public
+          if [ "$TAG" = "latest" ]; then
+            npm publish --access public
+          else
+            npm publish --access public --tag "$TAG"
+          fi
+          echo "✅ Published omniroute@$VERSION (tag: $TAG)"
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -89,6 +89,7 @@ docs/*
 !docs/MCP-SERVER.md
 !docs/CLI-TOOLS.md

+
 # open-sse tests
 open-sse/test/*

@@ -130,3 +131,6 @@ vscode-extension/
 *.sqlite-shm
 *.sqlite-wal
 *.sqlite-journal
+
+# Compiled npm-package build artifact (not source, should not be in git)
+/app
@@ -49,19 +49,22 @@ but the real logic lives in `src/lib/db/`.

 Translation between provider formats: `open-sse/translator/`

+**Upstream model extra headers** (`compatByProtocol` / custom models): merged in executors after default auth; **same header name replaces** the executor value (e.g. custom `Authorization` overrides Bearer). In `open-sse/handlers/chatCore.ts`, the primary request merges headers for **both** the client model id and `resolveModelAlias(clientModel)` (resolved id wins on key conflicts). **T5 intra-family fallback** recomputes headers using only the fallback model id and `resolveModelAlias(fallback)` so sibling models do not inherit another model’s headers. Forbidden header names live in `src/shared/constants/upstreamHeaders.ts` — keep sanitize (`models.ts`), Zod (`schemas.ts`), and unit tests aligned when editing that list.
+
 ### MCP Server (`open-sse/mcp-server/`)

 16 tools for AI agent control via **3 transport modes**:
+
 - **stdio** — Local IDE integration (Claude Desktop, Cursor, VS Code)
 - **SSE** — Remote Server-Sent Events at `/api/mcp/sse`
 - **Streamable HTTP** — Modern bidirectional HTTP at `/api/mcp/stream`

 HTTP transports run in-process via `httpTransport.ts` singleton using `WebStandardStreamableHTTPServerTransport`.

-| Category   | Tools                                                                                                                     |
-| ---------- | ------------------------------------------------------------------------------------------------------------------------- |
-| Essential  | `get_health`, `list_combos`, `get_combo_metrics`, `switch_combo`, `check_quota`, `route_request`, `cost_report`, `list_models_catalog` |
-| Advanced   | `simulate_route`, `set_budget_guard`, `set_resilience_profile`, `test_combo`, `get_provider_metrics`, `best_combo_for_task`, `explain_route`, `get_session_snapshot` |
+| Category  | Tools                                                                                                                                                                |
+| --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Essential | `get_health`, `list_combos`, `get_combo_metrics`, `switch_combo`, `check_quota`, `route_request`, `cost_report`, `list_models_catalog`                               |
+| Advanced  | `simulate_route`, `set_budget_guard`, `set_resilience_profile`, `test_combo`, `get_provider_metrics`, `best_combo_for_task`, `explain_route`, `get_session_snapshot` |

 - Scoped authorization (9 scopes), audit logging, Zod schemas
 - IDE configs for Claude Desktop, Cursor, VS Code Copilot
@@ -79,25 +82,26 @@ Agent-to-Agent v0.3 protocol:
 ### Auto-Combo Engine (`open-sse/services/autoCombo/`)

 Self-healing routing optimization:
+
 - 6-factor scoring, 4 mode packs, bandit exploration
 - Progressive cooldown, probe-based re-admission

 ### Dashboard (`src/app/(dashboard)/`)

-| Page                         | Description                                                    |
-| ---------------------------- | -------------------------------------------------------------- |
-| `/dashboard`                 | Home with quick start, provider overview                       |
-| `/dashboard/endpoint`        | **Endpoints** (tabbed): Endpoint Proxy, MCP, A2A, API Endpoints |
-| `/dashboard/providers`       | Provider management and connections                            |
-| `/dashboard/combos`          | Combo configurations with routing strategies                   |
-| `/dashboard/logs`            | Request, Proxy, Audit, Console logs (tabbed)                   |
-| `/dashboard/analytics`       | Usage analytics and evaluations                                |
-| `/dashboard/costs`           | Cost tracking and breakdown                                    |
-| `/dashboard/health`          | Uptime, circuit breakers, latency                              |
-| `/dashboard/cli-tools`       | CLI tool integrations (Claude, Codex, Antigravity, etc.)       |
-| `/dashboard/media`           | Image, Video, Music generation playground                      |
-| `/dashboard/settings`        | System settings with multiple tabs                             |
-| `/dashboard/api-manager`     | API key management with model permissions                      |
+| Page                     | Description                                                     |
+| ------------------------ | --------------------------------------------------------------- |
+| `/dashboard`             | Home with quick start, provider overview                        |
+| `/dashboard/endpoint`    | **Endpoints** (tabbed): Endpoint Proxy, MCP, A2A, API Endpoints |
+| `/dashboard/providers`   | Provider management and connections                             |
+| `/dashboard/combos`      | Combo configurations with routing strategies                    |
+| `/dashboard/logs`        | Request, Proxy, Audit, Console logs (tabbed)                    |
+| `/dashboard/analytics`   | Usage analytics and evaluations                                 |
+| `/dashboard/costs`       | Cost tracking and breakdown                                     |
+| `/dashboard/health`      | Uptime, circuit breakers, latency                               |
+| `/dashboard/cli-tools`   | CLI tool integrations (Claude, Codex, Antigravity, etc.)        |
+| `/dashboard/media`       | Image, Video, Music generation playground                       |
+| `/dashboard/settings`    | System settings with multiple tabs                              |
+| `/dashboard/api-manager` | API key management with model permissions                       |

 ### OAuth & Tokens (`src/lib/oauth/`)

@@ -2,7 +2,7 @@

 ### Never stop coding. Smart routing to **FREE & low-cost AI models** with automatic fallback.

-_Your universal API proxy — one endpoint, 44+ providers, zero downtime. Now with **MCP & A2A** agent orchestration._
+_Your universal API proxy — one endpoint, 67+ providers, zero downtime. Now with **MCP & A2A** agent orchestration._

 **Chat Completions • Embeddings • Image Generation • Video • Music • Audio • Reranking • **Web Search** • MCP Server • A2A Protocol • 100% TypeScript**

@@ -11,7 +11,9 @@ _Your universal API proxy — one endpoint, 44+ providers, zero downtime. Now wi
 <div align="center">

 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
+[![npm downloads](https://img.shields.io/npm/dm/omniroute?color=cb3837&logo=npm&label=npm%20downloads)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
+[![Docker Pulls](https://img.shields.io/docker/pulls/diegosouzapw/omniroute?logo=docker&color=2496ED&label=docker%20pulls)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
 [![Website](https://img.shields.io/badge/Website-omniroute.online-blue?logo=google-chrome&logoColor=white)](https://omniroute.online)
 [![WhatsApp](https://img.shields.io/badge/WhatsApp-Community-25D366?logo=whatsapp&logoColor=white)](https://chat.whatsapp.com/JI7cDQ1GyaiDHhVBpLxf8b?mode=gi_t)
@@ -24,6 +26,28 @@ _Your universal API proxy — one endpoint, 44+ providers, zero downtime. Now wi

 ---

+## 🆕 What's New in v3.0.0
+
+> **Upgrading from v2.9.5?** — See the [full CHANGELOG](CHANGELOG.md#300--2026-03-22-release-candidate--not-yet-merged-to-main) for all changes.
+
+| Area                         | Change                                                                                                                                                                    |
+| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🔒 **CodeQL Security**       | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection remediation                                                                               |
+| ✅ **Route Validation**      | All 176 API routes now validated with Zod schemas + `validateBody()` — CI `check:route-validation:t06` passes                                                             |
+| 🐛 **omniModel Tag Leak**    | Internal `<omniModel>` tags no longer leak to clients in SSE streaming responses (#585)                                                                                   |
+| 🔑 **Registered Keys API**   | Auto-provision API keys via `POST /api/v1/registered-keys` with per-provider/account quota enforcement, idempotency, SHA-256 storage, and optional GitHub issue reporting |
+| 🎨 **Provider Icons**        | 130+ provider logos via `@lobehub/icons` (SVG) with PNG → generic fallback chain                                                                                          |
+| 🔄 **Model Auto-Sync**       | 24h scheduler and manual UI toggle to sync model lists for built-in and custom OpenAI-compatible providers                                                                |
+| 🌐 **OpenCode Zen/Go**       | Two new providers from @kang-heewon via PR #530: free tier + subscription tier via `OpencodeExecutor`                                                                     |
+| 🐛 **Gemini CLI OAuth**      | Actionable error when `GEMINI_OAUTH_CLIENT_SECRET` is missing in Docker (was cryptic Google error)                                                                        |
+| 🐛 **OpenCode config**       | `saveOpenCodeConfig()` now correctly writes TOML to `XDG_CONFIG_HOME`                                                                                                     |
+| 🐛 **Pinned model override** | `body.model` correctly set to `pinnedModel` on context-cache protection                                                                                                   |
+| 🐛 **Codex/Claude loop**     | `tool_result` blocks now converted to text to stop infinite loops                                                                                                         |
+| 🐛 **Login redirect**        | Login no longer freezes after skipping password setup                                                                                                                     |
+| 🐛 **Windows paths**         | MSYS2/Git-Bash paths (`/c/...`) normalized to `C:\...` automatically                                                                                                      |
+
+---
+
 ## 🖼️ Main Dashboard

 <div align="center">
@@ -234,7 +258,7 @@ OpenAI uses one format, Claude (Anthropic) uses another, Gemini yet another. If

 **How OmniRoute solves it:**

- **Unified Endpoint** — A single `http://localhost:20128/v1` serves as proxy for all 44+ providers
+- **Unified Endpoint** — A single `http://localhost:20128/v1` serves as proxy for all 67+ providers
 - **Format Translation** — Automatic and transparent: OpenAI ↔ Claude ↔ Gemini ↔ Responses API
 - **Response Sanitization** — Strips non-standard fields (`x_groq`, `usage_breakdown`, `service_tier`) that break OpenAI SDK v1.83+
 - **Role Normalization** — Converts `developer` → `system` for non-OpenAI providers; `system` → `user` for GLM/ERNIE
@@ -320,7 +344,7 @@ Developers use Cursor, Claude Code, Codex CLI, OpenClaw, Gemini CLI, Kilo Code..
 - **CLI Tools Dashboard** — Dedicated page with one-click setup for Claude Code, Codex CLI, OpenClaw, Kilo Code, Antigravity, Cline
 - **GitHub Copilot Config Generator** — Generates `chatLanguageModels.json` for VS Code with bulk model selection
 - **Onboarding Wizard** — Guided 4-step setup for first-time users
- **One endpoint, all models** — Configure `http://localhost:20128/v1` once, access 44+ providers
+- **One endpoint, all models** — Configure `http://localhost:20128/v1` once, access 67+ providers

 </details>

@@ -716,7 +740,7 @@ Outcome: deep fallback depth for deadline-critical workloads

 **Point any IDE/CLI to:** `http://localhost:20128/v1` · API Key: `any-string` · Done.

-> **Optional extra coverage (also free):** Groq API key (30 RPM free), NVIDIA NIM (40 RPM free, 70+ models), Cerebras (1M tok/day).
+> **Optional extra coverage (also free):** Groq API key (30 RPM free), NVIDIA NIM (40 RPM free, 70+ models), Cerebras (1M tok/day), LongCat API key (50M tokens/day!), Cloudflare Workers AI (10K Neurons/day, 50+ models).

 ## ⚡ Quick Start

@@ -921,18 +945,28 @@ When minimized, OmniRoute lives in your system tray with quick actions:
 | **🆓 FREE**         | iFlow                       | **$0**                    | Unlimited        | 5 models unlimited                |
 |                     | Qwen                        | **$0**                    | Unlimited        | 4 models unlimited                |
 |                     | Kiro                        | **$0**                    | Unlimited        | Claude Sonnet/Haiku (AWS Builder) |
+|                     | LongCat Flash-Lite 🆕       | **$0** (50M tok/day 🔥)   | 1 RPS            | Largest free quota on Earth       |
+|                     | Pollinations AI 🆕          | **$0** (no key needed)    | 1 req/15s        | GPT-5, Claude, DeepSeek, Llama 4  |
+|                     | Cloudflare Workers AI 🆕    | **$0** (10K Neurons/day)  | ~150 resp/day    | 50+ models, global edge           |
+|                     | Scaleway AI 🆕              | **$0** (1M tokens total)  | Rate limited     | EU/GDPR, Qwen3 235B, Llama 70B    |

 > 🆕 **New models added (Mar 2026):** Grok-4 Fast family at $0.20/$0.50/M (benchmarked at 1143ms — 30% faster than Gemini 2.5 Flash), GLM-5 via Z.AI with 128K output, MiniMax M2.5 reasoning, DeepSeek V3.2 updated pricing, Kimi K2.5 via Moonshot direct API.

 **💡 $0 Combo Stack — The Complete Free Setup:**

 ```
-Gemini CLI (180K/mo free)
-  → iFlow (unlimited: kimi-k2-thinking, qwen3-coder-plus, deepseek-r1)
-  → Kiro (Claude Sonnet 4.5 + Haiku — unlimited, via AWS Builder ID)
-  → Qwen (4 models — unlimited)
-  → Groq (14.4K req/day — ultra-fast)
-  → NVIDIA NIM (70+ models — 40 RPM forever)
+# 🆓 Ultimate Free Stack 2026 — 11 Providers, $0 Forever
+Kiro (kr/)             → Claude Sonnet/Haiku UNLIMITED
+iFlow (if/)            → kimi-k2-thinking, qwen3-coder-plus, deepseek-r1 UNLIMITED
+LongCat Lite (lc/)     → LongCat-Flash-Lite — 50M tokens/day 🔥
+Pollinations (pol/)    → GPT-5, Claude, DeepSeek, Llama 4 — no key needed
+Qwen (qw/)             → qwen3-coder-plus, qwen3-coder-flash, qwen3-coder-next UNLIMITED
+Gemini (gemini/)       → Gemini 2.5 Flash — 1,500 req/day free API key
+Cloudflare AI (cf/)    → Llama 70B, Gemma 3, Mistral — 10K Neurons/day
+Scaleway (scw/)        → Qwen3 235B, Llama 70B — 1M free tokens (EU)
+Groq (groq/)           → Llama/Gemma ultra-fast — 14.4K req/day
+NVIDIA NIM (nvidia/)   → 70+ open models — 40 RPM forever
+Cerebras (cerebras/)   → Llama/Qwen world-fastest — 1M tok/day
 ```

 **Zero cost. Never stops coding.** Configure this as one OmniRoute combo and all fallbacks happen automatically — no manual switching ever.
@@ -1003,19 +1037,66 @@ Available free: `llama-3.3-70b`, `llama-3.1-8b`, `deepseek-r1-distill-llama-70b`

 Available free: `llama-3.3-70b-versatile`, `gemma2-9b-it`, `mixtral-8x7b`, `whisper-large-v3`

-> **💡 The Ultimate Free Stack:**
+### 🔴 LONGCAT AI (Free API Key — longcat.chat) 🆕
+
+| Model                         | Prefix | Daily Free Quota  | Notes                   |
+| ----------------------------- | ------ | ----------------- | ----------------------- |
+| `LongCat-Flash-Lite`          | `lc/`  | **50M tokens** 💥 | Largest free quota ever |
+| `LongCat-Flash-Chat`          | `lc/`  | 500K tokens       | Multi-turn chat         |
+| `LongCat-Flash-Thinking`      | `lc/`  | 500K tokens       | Reasoning / CoT         |
+| `LongCat-Flash-Thinking-2601` | `lc/`  | 500K tokens       | Jan 2026 version        |
+| `LongCat-Flash-Omni-2603`     | `lc/`  | 500K tokens       | Multimodal              |
+
+> 100% free while in public beta. Sign up at [longcat.chat](https://longcat.chat) with email or phone. Resets daily 00:00 UTC.
+
+### 🟢 POLLINATIONS AI (No API Key Required) 🆕
+
+| Model      | Prefix | Rate Limit | Provider Behind    |
+| ---------- | ------ | ---------- | ------------------ |
+| `openai`   | `pol/` | 1 req/15s  | GPT-5              |
+| `claude`   | `pol/` | 1 req/15s  | Anthropic Claude   |
+| `gemini`   | `pol/` | 1 req/15s  | Google Gemini      |
+| `deepseek` | `pol/` | 1 req/15s  | DeepSeek V3        |
+| `llama`    | `pol/` | 1 req/15s  | Meta Llama 4 Scout |
+| `mistral`  | `pol/` | 1 req/15s  | Mistral AI         |
+
+> ✨ **Zero friction:** No signup, no API key. Add the Pollinations provider with an empty key field and it works immediately.
+
+### 🟠 CLOUDFLARE WORKERS AI (Free API Key — cloudflare.com) 🆕
+
+| Tier | Daily Neurons | Equivalent Usage                        | Notes                   |
+| ---- | ------------- | --------------------------------------- | ----------------------- |
+| Free | **10,000**    | ~150 LLM resp / 500s audio / 15K embeds | Global edge, 50+ models |
+
+Popular free models: `@cf/meta/llama-3.3-70b-instruct`, `@cf/google/gemma-3-12b-it`, `@cf/openai/whisper-large-v3-turbo` (free audio!), `@cf/qwen/qwen2.5-coder-15b-instruct`
+
+> Requires API Token + Account ID from [dash.cloudflare.com](https://dash.cloudflare.com). Store Account ID in provider settings.
+
+### 🟣 SCALEWAY AI (1M Free Tokens — scaleway.com) 🆕
+
+| Tier | Free Quota    | Location     | Notes                               |
+| ---- | ------------- | ------------ | ----------------------------------- |
+| Free | **1M tokens** | 🇫🇷 Paris, EU | No credit card needed within limits |
+
+Available free: `qwen3-235b-a22b-instruct-2507` (Qwen3 235B!), `llama-3.1-70b-instruct`, `mistral-small-3.2-24b-instruct-2506`, `deepseek-v3-0324`
+
+> EU/GDPR compliant. Get API key at [console.scaleway.com](https://console.scaleway.com).
+
+> **💡 The Ultimate Free Stack (11 Providers, $0 Forever):**
 >
 > ```
-> Kiro (Claude, unlimited)
->  → iFlow (5 models, unlimited)
->  → Qwen (4 models, unlimited)
->  → Gemini CLI (180K/mo)
->  → Cerebras (1M tok/day)
->  → Groq (14.4K req/day)
->  → NVIDIA NIM (40 RPM, 70+ models)
+> Kiro (kr/)             → Claude Sonnet/Haiku UNLIMITED
+> iFlow (if/)            → kimi-k2-thinking, qwen3-coder-plus, deepseek-r1 UNLIMITED
+> LongCat Lite (lc/)     → LongCat-Flash-Lite — 50M tokens/day 🔥
+> Pollinations (pol/)    → GPT-5, Claude, DeepSeek, Llama 4 — no key needed
+> Qwen (qw/)             → qwen3-coder models UNLIMITED
+> Gemini (gemini/)       → Gemini 2.5 Flash — 1,500 req/day free
+> Cloudflare AI (cf/)    → 50+ models — 10K Neurons/day
+> Scaleway (scw/)        → Qwen3 235B, Llama 70B — 1M free tokens (EU)
+> Groq (groq/)           → Llama/Gemma — 14.4K req/day ultra-fast
+> NVIDIA NIM (nvidia/)   → 70+ open models — 40 RPM forever
+> Cerebras (cerebras/)   → Llama/Qwen world-fastest — 1M tok/day
 > ```
->
-> Configure this as an OmniRoute combo and you'll never pay for AI again.

 ## 🎙️ Free Transcription Combo

@@ -1105,17 +1186,17 @@ OmniRoute v2.0 is built as an operational platform, not just a relay proxy.

 ### 🎵 Multi-Modal APIs

-| Feature                    | What It Does                                                                                                 |
-| -------------------------- | ------------------------------------------------------------------------------------------------------------ |
-| 🖼️ **Image Generation**    | `/v1/images/generations` with cloud and local backends                                                       |
-| 📐 **Embeddings**          | `/v1/embeddings` for search and RAG pipelines                                                                |
-| 🎤 **Audio Transcription** | `/v1/audio/transcriptions` (Whisper and additional providers)                                                |
-| 🔊 **Text-to-Speech**      | `/v1/audio/speech` (multiple engines/providers)                                                              |
-| 🎬 **Video Generation**    | `/v1/videos/generations` (ComfyUI + SD WebUI workflows)                                                      |
-| 🎵 **Music Generation**    | `/v1/music/generations` (ComfyUI workflows)                                                                  |
-| 🛡️ **Moderations**         | `/v1/moderations` safety checks                                                                              |
-| 🔀 **Reranking**           | `/v1/rerank` for relevance scoring                                                                           |
-| 🔍 **Web Search** 🆕       | `/v1/search` — 5 providers (Serper, Brave, Perplexity, Exa, Tavily), 6,500+ free/month, auto-failover, cache |
+| Feature                    | What It Does                                                                                                                                                               |
+| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Image Generation**    | `/v1/images/generations` with cloud and local backends                                                                                                                     |
+| 📐 **Embeddings**          | `/v1/embeddings` for search and RAG pipelines                                                                                                                              |
+| 🎤 **Audio Transcription** | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Text-to-Speech**      | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise) with correct error messages          |
+| 🎬 **Video Generation**    | `/v1/videos/generations` (ComfyUI + SD WebUI workflows)                                                                                                                    |
+| 🎵 **Music Generation**    | `/v1/music/generations` (ComfyUI workflows)                                                                                                                                |
+| 🛡️ **Moderations**         | `/v1/moderations` safety checks                                                                                                                                            |
+| 🔀 **Reranking**           | `/v1/rerank` for relevance scoring                                                                                                                                         |
+| 🔍 **Web Search** 🆕       | `/v1/search` — 5 providers (Serper, Brave, Perplexity, Exa, Tavily), 6,500+ free/month, auto-failover, cache                                                               |

 ### 🛡️ Resilience, Security & Governance

@@ -116,10 +116,8 @@ if (args.includes("--help") || args.includes("-h")) {

 if (args.includes("--version") || args.includes("-v")) {
  try {
-    const pkg = await import(join(ROOT, "package.json"), {
-      with: { type: "json" },
-    });
-    console.log(pkg.default.version);
+    const { version } = JSON.parse(readFileSync(join(ROOT, "package.json"), "utf8"));
+    console.log(version);
  } catch {
    console.log("unknown");
  }
@@ -189,8 +187,27 @@ const serverJs = join(APP_DIR, "server.js");

 if (!existsSync(serverJs)) {
  console.error("\x1b[31m✖ Server not found at:\x1b[0m", serverJs);
-  console.error("  This usually means the package was not built correctly.");
-  console.error("  Try reinstalling: npm install -g omniroute");
+  console.error("  The package may not have been built correctly.");
+  console.error("");
+  // (#492) Detect common non-standard Node managers that cause this issue
+  const nodeExec = process.execPath || "";
+  const isMise = nodeExec.includes("mise") || nodeExec.includes(".local/share/mise");
+  const isNvm = nodeExec.includes(".nvm") || nodeExec.includes("nvm");
+  if (isMise) {
+    console.error(
+      "  \x1b[33m⚠ mise detected:\x1b[0m If you installed via `npm install -g omniroute`,"
+    );
+    console.error("    try: \x1b[36mnpx omniroute@latest\x1b[0m  (downloads a fresh copy)");
+    console.error("    or:  \x1b[36mmise exec -- npx omniroute\x1b[0m");
+  } else if (isNvm) {
+    console.error(
+      "  \x1b[33m⚠ nvm detected:\x1b[0m Try reinstalling after loading the correct Node version:"
+    );
+    console.error("    \x1b[36mnvm use --lts && npm install -g omniroute\x1b[0m");
+  } else {
+    console.error("  Try: \x1b[36mnpm install -g omniroute\x1b[0m  (reinstall)");
+    console.error("  Or:  \x1b[36mnpx omniroute@latest\x1b[0m");
+  }
  process.exit(1);
 }

@@ -16,7 +16,7 @@ services:
    container_name: omniroute-prod
    build:
      context: .
-      target: runner-base
+      target: runner-cli
    image: omniroute:prod
    restart: unless-stopped
    env_file: .env
@@ -38,15 +38,20 @@ Content-Type: application/json

 ### Custom Headers

-| Header                   | Direction | Description                       |
-| ------------------------ | --------- | --------------------------------- |
-| `X-OmniRoute-No-Cache`   | Request   | Set to `true` to bypass cache     |
-| `X-OmniRoute-Progress`   | Request   | Set to `true` for progress events |
-| `Idempotency-Key`        | Request   | Dedup key (5s window)             |
-| `X-Request-Id`           | Request   | Alternative dedup key             |
-| `X-OmniRoute-Cache`      | Response  | `HIT` or `MISS` (non-streaming)   |
-| `X-OmniRoute-Idempotent` | Response  | `true` if deduplicated            |
-| `X-OmniRoute-Progress`   | Response  | `enabled` if progress tracking on |
+| Header                   | Direction | Description                                      |
+| ------------------------ | --------- | ------------------------------------------------ |
+| `X-OmniRoute-No-Cache`   | Request   | Set to `true` to bypass cache                    |
+| `X-OmniRoute-Progress`   | Request   | Set to `true` for progress events                |
+| `X-Session-Id`           | Request   | Sticky session key for external session affinity |
+| `x_session_id`           | Request   | Underscore variant also accepted (direct HTTP)   |
+| `Idempotency-Key`        | Request   | Dedup key (5s window)                            |
+| `X-Request-Id`           | Request   | Alternative dedup key                            |
+| `X-OmniRoute-Cache`      | Response  | `HIT` or `MISS` (non-streaming)                  |
+| `X-OmniRoute-Idempotent` | Response  | `true` if deduplicated                           |
+| `X-OmniRoute-Progress`   | Response  | `enabled` if progress tracking on                |
+| `X-OmniRoute-Session-Id` | Response  | Effective session ID used by OmniRoute           |
+
+> Nginx note: if you rely on underscore headers (for example `x_session_id`), enable `underscores_in_headers on;`.

 ---

@@ -137,10 +142,10 @@ The provider prefix is auto-added if missing. Mismatched models return `400`.

 ```bash
 # Get cache stats
-GET /api/cache
+GET /api/cache/stats

 # Clear all caches
-DELETE /api/cache
+DELETE /api/cache/stats
 ```

 Response example:
@@ -213,7 +218,7 @@ Response example:

 | Endpoint                        | Method  | Description            |
 | ------------------------------- | ------- | ---------------------- |
-| `/api/settings`                 | GET/PUT | General settings       |
+| `/api/settings`                 | GET/PUT/PATCH | General settings  |
 | `/api/settings/proxy`           | GET/PUT | Network proxy config   |
 | `/api/settings/proxy/test`      | POST    | Test proxy connection  |
 | `/api/settings/ip-filter`       | GET/PUT | IP allowlist/blocklist |
@@ -226,8 +231,8 @@ Response example:
 | ------------------------ | ---------- | ----------------------- |
 | `/api/sessions`          | GET        | Active session tracking |
 | `/api/rate-limits`       | GET        | Per-account rate limits |
-| `/api/monitoring/health` | GET        | Health check            |
-| `/api/cache`             | GET/DELETE | Cache stats / clear     |
+| `/api/monitoring/health` | GET        | Health check + provider summary (`catalogCount`, `configuredCount`, `activeCount`, `monitoredCount`) |
+| `/api/cache/stats`       | GET/DELETE | Cache stats / clear     |

 ### Backup & Export/Import

@@ -274,7 +279,7 @@ GET response includes `agents[]` (id, name, binary, version, installed, protocol

 | Endpoint                | Method  | Description                     |
 | ----------------------- | ------- | ------------------------------- |
-| `/api/resilience`       | GET/PUT | Get/update resilience profiles  |
+| `/api/resilience`       | GET/PATCH | Get/update resilience profiles |
 | `/api/resilience/reset` | POST    | Reset circuit breakers          |
 | `/api/rate-limits`      | GET     | Per-account rate limit status   |
 | `/api/rate-limit`       | GET     | Global rate limit configuration |
@@ -2,7 +2,7 @@

 🌐 **Languages:** 🇺🇸 [English](ARCHITECTURE.md) | 🇧🇷 [Português (Brasil)](i18n/pt-BR/ARCHITECTURE.md) | 🇪🇸 [Español](i18n/es/ARCHITECTURE.md) | 🇫🇷 [Français](i18n/fr/ARCHITECTURE.md) | 🇮🇹 [Italiano](i18n/it/ARCHITECTURE.md) | 🇷🇺 [Русский](i18n/ru/ARCHITECTURE.md) | 🇨🇳 [中文 (简体)](i18n/zh-CN/ARCHITECTURE.md) | 🇩🇪 [Deutsch](i18n/de/ARCHITECTURE.md) | 🇮🇳 [हिन्दी](i18n/in/ARCHITECTURE.md) | 🇹🇭 [ไทย](i18n/th/ARCHITECTURE.md) | 🇺🇦 [Українська](i18n/uk-UA/ARCHITECTURE.md) | 🇸🇦 [العربية](i18n/ar/ARCHITECTURE.md) | 🇯🇵 [日本語](i18n/ja/ARCHITECTURE.md) | 🇻🇳 [Tiếng Việt](i18n/vi/ARCHITECTURE.md) | 🇧🇬 [Български](i18n/bg/ARCHITECTURE.md) | 🇩🇰 [Dansk](i18n/da/ARCHITECTURE.md) | 🇫🇮 [Suomi](i18n/fi/ARCHITECTURE.md) | 🇮🇱 [עברית](i18n/he/ARCHITECTURE.md) | 🇭🇺 [Magyar](i18n/hu/ARCHITECTURE.md) | 🇮🇩 [Bahasa Indonesia](i18n/id/ARCHITECTURE.md) | 🇰🇷 [한국어](i18n/ko/ARCHITECTURE.md) | 🇲🇾 [Bahasa Melayu](i18n/ms/ARCHITECTURE.md) | 🇳🇱 [Nederlands](i18n/nl/ARCHITECTURE.md) | 🇳🇴 [Norsk](i18n/no/ARCHITECTURE.md) | 🇵🇹 [Português (Portugal)](i18n/pt/ARCHITECTURE.md) | 🇷🇴 [Română](i18n/ro/ARCHITECTURE.md) | 🇵🇱 [Polski](i18n/pl/ARCHITECTURE.md) | 🇸🇰 [Slovenčina](i18n/sk/ARCHITECTURE.md) | 🇸🇪 [Svenska](i18n/sv/ARCHITECTURE.md) | 🇵🇭 [Filipino](i18n/phi/ARCHITECTURE.md) | 🇨🇿 [Čeština](i18n/cs/ARCHITECTURE.md)

-_Last updated: 2026-03-04_
+_Last updated: 2026-03-24_

 ## Executive Summary

@@ -65,6 +65,26 @@ Primary runtime model:
 - Provider SLA/control plane outside local process
 - External CLI binaries themselves (Claude CLI, Codex CLI, etc.)

+## Dashboard Surface (Current)
+
+Main pages under `src/app/(dashboard)/dashboard/`:
+
+- `/dashboard` — quick start + provider overview
+- `/dashboard/endpoint` — endpoint proxy + MCP + A2A + API endpoint tabs
+- `/dashboard/providers` — provider connections and credentials
+- `/dashboard/combos` — combo strategies, templates, model routing rules
+- `/dashboard/costs` — cost aggregation and pricing visibility
+- `/dashboard/analytics` — usage analytics and evaluations
+- `/dashboard/limits` — quota/rate controls
+- `/dashboard/cli-tools` — CLI onboarding, runtime detection, config generation
+- `/dashboard/agents` — detected ACP agents + custom agent registration
+- `/dashboard/media` — image/video/music playground
+- `/dashboard/search-tools` — search provider testing and history
+- `/dashboard/health` — uptime, circuit breakers, rate limits
+- `/dashboard/logs` — request/proxy/audit/console logs
+- `/dashboard/settings` — system settings tabs (general, routing, combo defaults, etc.)
+- `/dashboard/api-manager` — API key lifecycle and model permissions
+
 ## High-Level System Context

 ```mermaid
@@ -9,7 +9,7 @@ cost tracking, model switching, and request logging across every tool.
 ## How It Works

 ```
-Claude / Codex / Gemini CLI / OpenCode / Cline / KiloCode / Continue / Kiro CLI
+Claude / Codex / OpenCode / Cline / KiloCode / Continue / Kiro / Cursor / Copilot
           │
           ▼  (all point to OmniRoute)
    http://YOUR_SERVER:20128/v1
@@ -27,21 +27,38 @@ Claude / Codex / Gemini CLI / OpenCode / Cline / KiloCode / Continue / Kiro CLI

 ---

-## Supported Tools
+## Supported Tools (Dashboard Source of Truth)

-| Tool             | Command             | Type              | Install Method |
-| ---------------- | ------------------- | ----------------- | -------------- |
-| **Claude Code**  | `claude`            | CLI               | npm            |
-| **OpenAI Codex** | `codex`             | CLI               | npm            |
-| **Gemini CLI**   | `gemini`            | CLI               | npm            |
-| **OpenCode**     | `opencode`          | CLI               | npm            |
-| **Cline**        | `cline`             | CLI + VS Code ext | npm            |
-| **KiloCode**     | `kilocode` / `kilo` | CLI + VS Code ext | npm            |
-| **Continue**     | guide-based         | VS Code ext       | VS Code        |
-| **Kiro CLI**     | `kiro-cli`          | CLI               | curl installer |
-| **Cursor**       | `cursor`            | Desktop app       | Download       |
-| **Droid**        | web-based           | Built-in agent    | OmniRoute      |
-| **OpenClaw**     | web-based           | Built-in agent    | OmniRoute      |
+The dashboard cards in `/dashboard/cli-tools` are generated from `src/shared/constants/cliTools.ts`.
+Current list (v3.0.0-rc.16):
+
+| Tool             | ID            | Command      | Setup Mode | Install Method |
+| ---------------- | ------------- | ------------ | ---------- | -------------- |
+| **Claude Code**  | `claude`      | `claude`     | env        | npm            |
+| **OpenAI Codex** | `codex`       | `codex`      | custom     | npm            |
+| **Factory Droid**| `droid`       | `droid`      | custom     | bundled/CLI    |
+| **OpenClaw**     | `openclaw`    | `openclaw`   | custom     | bundled/CLI    |
+| **Cursor**       | `cursor`      | app          | guide      | desktop app    |
+| **Cline**        | `cline`       | `cline`      | custom     | npm            |
+| **Kilo Code**    | `kilo`        | `kilocode`   | custom     | npm            |
+| **Continue**     | `continue`    | extension    | guide      | VS Code        |
+| **Antigravity**  | `antigravity` | internal     | mitm       | OmniRoute      |
+| **GitHub Copilot**| `copilot`    | extension    | custom     | VS Code        |
+| **OpenCode**     | `opencode`    | `opencode`   | guide      | npm            |
+| **Kiro AI**      | `kiro`        | app/cli      | mitm       | desktop/CLI    |
+
+### CLI fingerprint sync (Agents + Settings)
+
+`/dashboard/agents` and `Settings > CLI Fingerprint` use `src/shared/constants/cliCompatProviders.ts`.
+This keeps provider IDs aligned with CLI cards and legacy IDs.
+
+| CLI ID | Fingerprint Provider ID |
+| ------ | ----------------------- |
+| `kilo` | `kilocode`              |
+| `copilot` | `github`             |
+| `claude` / `codex` / `antigravity` / `kiro` / `cursor` / `cline` / `opencode` / `droid` / `openclaw` | same ID |
+
+Legacy IDs still accepted for compatibility: `copilot`, `kimi-coding`, `qwen`.

 ---

@@ -67,9 +84,6 @@ npm install -g @anthropic-ai/claude-code
 # OpenAI Codex
 npm install -g @openai/codex

-# Gemini CLI (Google)
-npm install -g @google/gemini-cli
-
 # OpenCode
 npm install -g opencode-ai

@@ -77,7 +91,7 @@ npm install -g opencode-ai
 npm install -g cline

 # KiloCode
-npm install -g kilecode
+npm install -g kilocode

 # Kiro CLI (Amazon — requires curl + unzip)
 apt-get install -y unzip   # on Debian/Ubuntu
@@ -90,7 +104,6 @@ export PATH="$HOME/.local/bin:$PATH"   # add to ~/.bashrc
 ```bash
 claude --version     # 2.x.x
 codex --version      # 0.x.x
-gemini --version     # 0.x.x
 opencode --version   # x.x.x
 cline --version      # 2.x.x
 kilocode --version   # x.x.x (or: kilo --version)
@@ -153,21 +166,6 @@ EOF

 ---

-### Gemini CLI
-
-```bash
-mkdir -p ~/.gemini && cat > ~/.gemini/settings.json << EOF
-{
-  "apiKey": "sk-your-omniroute-key",
-  "baseUrl": "http://localhost:20128/v1"
-}
-EOF
-```
-
-**Test:** `gemini "hello"`
-
---
-
 ### OpenCode

 ```bash
@@ -324,17 +322,16 @@ They run as internal routes and use OmniRoute's model routing automatically.
 OMNIROUTE_URL="http://localhost:20128/v1"
 OMNIROUTE_KEY="sk-your-omniroute-key"

-npm install -g @anthropic-ai/claude-code @openai/codex @google/gemini-cli opencode-ai cline kilecode
+npm install -g @anthropic-ai/claude-code @openai/codex opencode-ai cline kilocode

 # Kiro CLI
 apt-get install -y unzip 2>/dev/null; curl -fsSL https://cli.kiro.dev/install | bash

 # Write configs
-mkdir -p ~/.claude ~/.codex ~/.gemini ~/.config/opencode ~/.continue
+mkdir -p ~/.claude ~/.codex ~/.config/opencode ~/.continue

 cat > ~/.claude/settings.json   <<< "{\"apiBaseUrl\":\"$OMNIROUTE_URL\",\"apiKey\":\"$OMNIROUTE_KEY\"}"
 cat > ~/.codex/config.yaml      <<< "model: auto\napiKey: $OMNIROUTE_KEY\napiBaseUrl: $OMNIROUTE_URL"
-cat > ~/.gemini/settings.json   <<< "{\"apiKey\":\"$OMNIROUTE_KEY\",\"baseUrl\":\"$OMNIROUTE_URL\"}"
 cat >> ~/.bashrc << EOF
 export OPENAI_BASE_URL="$OMNIROUTE_URL"
 export OPENAI_API_KEY="$OMNIROUTE_KEY"
@@ -578,6 +578,22 @@ Configure via **Dashboard → Settings → Routing**.
 | **Least Used**                 | Routes to the account with the oldest `lastUsedAt` timestamp, distributing traffic evenly        |
 | **Cost Optimized**             | Routes to the account with the lowest priority value, optimizing for lowest-cost providers       |

+#### External Sticky Session Header
+
+For external session affinity (for example, Claude Code/Codex agents behind reverse proxies), send:
+
+```http
+X-Session-Id: your-session-key
+```
+
+OmniRoute also accepts `x_session_id` and returns the effective session key in `X-OmniRoute-Session-Id`.
+
+If you use Nginx and send underscore-form headers, enable:
+
+```nginx
+underscores_in_headers on;
+```
+
 #### Wildcard Model Aliases

 Create wildcard patterns to remap model names:
@@ -8,73 +8,6 @@ _وكيل API العالمي الخاص بك - نقطة نهاية واحدة،

 ---

-### 🆕 الجديد في v2.7.0
-
- **RouterStrategy قابل للتوصيل** — استراتيجيات القواعد والتكلفة والكمون
- **كشف النية متعدد اللغات** — تسجيل التوجيه بأكثر من 30 لغة
- **إلغاء تكرار الطلبات** — تجنب مكالمات API المكررة عبر تجزئة المحتوى
- **مزودون جدد:** Grok-4 Fast (xAI) وGLM-5 / Z.AI وMiniMax M2.5 وKimi K2.5
- **أسعار محدثة:** Grok-4 Fast $0.20/$0.50/M، GLM-5 $0.50/M، MiniMax M2.5 $0.30/M
-
---
-
-<div align="center">
-
-[![إصدار npm](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
-[![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
-[![الترخيص](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
-[![موقع الويب](https://img.shields.io/badge/Website-omniroute.online-blue?logo=google-chrome&logoColor=white)](https://omniroute.online)
-[![WhatsApp](https://img.shields.io/badge/WhatsApp-Community-25D366?logo=whatsapp&logoColor=white)](https://chat.whatsapp.com/JI7cDQ1GyaiDHhVBpLxf8b?mode=gi_t)
-
-[🌐 الموقع الإلكتروني](https://omniroute.online) • [🚀 البداية السريعة](#-quick-start) • [💡 الميزات](#-key-features) • [📖 المستندات](#-documentation) • [💰 التسعير](#-pricing-at-a-glance) • [💬 واتساب](https://chat.whatsapp.com/JI7cDQ1GyaiDHhVBpLxf8b?mode=gi_t)
-
-</div>
-
-🌐 **متوفر باللغة:** 🇺🇸 [الإنجليزية](../../README.md) | 🇧🇷 [البرتغالية (البرازيل)](../pt-BR/README.md) | 🇪🇸 [الإسبانية](../es/README.md) | 🇫🇷 [Français](../fr/README.md) | 🇮🇹 [الإيطالية](../it/README.md) | 🇷🇺 [Русский](../ru/README.md) | 🇨🇳 [中文 (简体)](../zh-CN/README.md) | 🇩🇪 [الألمانية](../de/README.md) | 🇮🇳 [هندي](../in/README.md) | 🇹🇭 [ไทย](../th/README.md) | 🇺🇦 [أوكرانيا](../uk-UA/README.md) | 🇸🇦 [العربية](../ar/README.md) | 🇯🇵 [日本語](../ja/README.md) | 🇻🇳 [تيانج فيت](../vi/README.md) | 🇧🇬 [بلغارسكي](../bg/README.md) | 🇩🇰 [الدانسك](../da/README.md) | 🇫🇮 [سومي](../fi/README.md) | 🇮🇱 [العربية](../he/README.md) | 🇭🇺 [المجرية](../hu/README.md) | 🇮🇩 [البهاسا الإندونيسية](../id/README.md) | 🇰🇷 [한국어](../ko/README.md) | 🇲🇾 [البهاسا ملايو](../ms/README.md) | 🇳🇱 [هولندا](../nl/README.md) | 🇳🇴 [نورسك](../no/README.md) | 🇵🇹 [البرتغالية (البرتغال)](../pt/README.md) | 🇷🇴 [روماني](../ro/README.md) | 🇵🇱 [بولسكي](../pl/README.md) | 🇸🇰 [سلوفينسينا](../sk/README.md) | 🇸🇪 [سفينسكا](../sv/README.md) | 🇵🇭 [فلبينية](../phi/README.md)
-
---
-
-## 🖼️ لوحة التحكم الرئيسية
-
-<div align="center">
-  <img src="./docs/screenshots/MainOmniRoute.png" alt="OmniRoute Dashboard" width="800"/>
-</div>
-
---
-
-## 📸 معاينة لوحة التحكم
-
-<details>
-<summary><b>انقر لرؤية لقطات شاشة لوحة القيادة</b></summary>
-
-| صفحة                  | لقطة شاشة                                          |
-| --------------------- | -------------------------------------------------- |
-| ** مقدمو الخدمة **    | ![مقدمو الخدمة](docs/screenshots/01-providers.png) |
-| **المجموعات**         | ![المجموعات](docs/screenshots/02-combos.png)       |
-| **تحليلات**           | ![تحليلات](docs/screenshots/03-analytics.png)      |
-| **الصحة**             | ![الصحة](docs/screenshots/04-health.png)           |
-| **مترجم**             | ![مترجم](docs/screenshots/05-translator.png)       |
-| **الإعدادات**         | ![الإعدادات](docs/screenshots/06-settings.png)     |
-| **أدوات سطر الأوامر** | ![أدوات CLI](docs/screenshots/07-cli-tools.png)    |
-| **سجلات الاستخدام**   | ![الاستخدام](docs/screenshots/08-usage.png)        |
-| **نقطة النهاية**      | ![نقطة النهاية](docs/screenshots/09-endpoint.png)  |
-
-</details>
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 موفر الذكاء الاصطناعي المجاني لوكلاء البرمجة المفضلين لديك

 _قم بتوصيل أي أداة IDE أو CLI مدعومة بالذكاء الاصطناعي من خلال OmniRoute - بوابة واجهة برمجة التطبيقات المجانية للترميز غير المحدود._
@@ -159,6 +92,38 @@ _قم بتوصيل أي أداة IDE أو CLI مدعومة بالذكاء الا

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 ## 🤔 لماذا OmniRoute؟

 **توقف عن إهدار المال وضرب الحدود:**
@@ -932,8 +897,8 @@ npm run electron:build:linux   # Linux (.AppImage)
 | ميزة | ماذا يفعل || -------------------------- | ------------------------------------------------------------- |
 | 🖼️ **إنشاء الصور** | `/v1/images/generations` مع الواجهات الخلفية السحابية والمحلية |
 | 📐 **المضامين** | `/v1/embeddings` للبحث وخطوط أنابيب RAG |
-| 🎤 **نسخ صوتي** | `/v1/audio/transcriptions` (مقدمو خدمات الهمس والإضافيون) |
-| 🔊 **تحويل النص إلى كلام** | `/v1/audio/speech` (محركات/موفرو متعددون) |
+| 🎤 **نسخ صوتي** | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **تحويل النص إلى كلام** | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise) |
 | 🎬 **توليد الفيديو** | `/v1/videos/generations` (سير عمل ComfyUI + SD WebUI) |
 | 🎵 **جيل الموسيقى** | `/v1/music/generations` (سير عمل ComfyUI) |
 | 🛡️ **اعتدالات** | فحوصات السلامة `/v1/moderations` |
@@ -8,73 +8,6 @@ _Вашият универсален API прокси — една крайна

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-<div align="center">
-
-[![npm версия](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
-[![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
-[![Лиценз](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
-[![Уебсайт](https://img.shields.io/badge/Website-omniroute.online-blue?logo=google-chrome&logoColor=white)](https://omniroute.online)
-[![WhatsApp](https://img.shields.io/badge/WhatsApp-Community-25D366?logo=whatsapp&logoColor=white)](https://chat.whatsapp.com/JI7cDQ1GyaiDHhVBpLxf8b?mode=gi_t)
-
-[🌐 Уебсайт](https://omniroute.online) • [🚀 Бърз старт](#-quick-start) • [💡 Функции](#-key-features) • [📖 Документи](#-documentation) • [💰 Ценообразуване](#-pricing-at-a-glance) • [💬 WhatsApp](https://chat.whatsapp.com/JI7cDQ1GyaiDHhVBpLxf8b?mode=gi_t)
-
-</div>
-
-🌐 **Налично на:** 🇺🇸 [английски](../../README.md) | 🇧🇷 [Португалски (Бразилия)](../pt-BR/README.md) | 🇪🇸 [Испански] (../es/README.md) | 🇫🇷 [Français](../fr/README.md) | 🇮🇹 [италиански] (../it/README.md) | 🇷🇺 [Русский](../ru/README.md) | 🇨🇳 [中文 (简体)](../zh-CN/README.md) | 🇩🇪 [Deutsch](../de/README.md) | 🇮🇳 [हिन्दी] (../in/README.md) | 🇹🇭 [ไทย](../th/README.md) | 🇺🇦 [Українська](../uk-UA/README.md) | 🇸🇦 [العربية](../ar/README.md) | 🇯🇵 [日本語](../ja/README.md) | 🇻🇳 [Tiếng Việt](../vi/README.md) | 🇧🇬 [Български](../bg/README.md) | 🇩🇰 [Dansk](../da/README.md) | 🇫🇮 [Suomi](../fi/README.md) | 🇮🇱 [עברית](../he/README.md) | 🇭🇺 [маджарски] (../hu/README.md) | 🇮🇩 [бахаса Индонезия](../id/README.md) | 🇰🇷 [한국어](../ko/README.md) | 🇲🇾 [Bahasa Melayu](../ms/README.md) | 🇳🇱 [Нидерландия](../nl/README.md) | 🇳🇴 [Norsk](../no/README.md) | 🇵🇹 [Português (Португалия)](../pt/README.md) | 🇷🇴 [Română](../ro/README.md) | 🇵🇱 [Полски](../pl/README.md) | 🇸🇰 [Slovenčina](../sk/README.md) | 🇸🇪 [Svenska](../sv/README.md) | 🇵🇭 [филипински] (../phi/README.md)
-
---
-
-## 🖼️ Главно табло за управление
-
-<div align="center">
-  <img src="./docs/screenshots/MainOmniRoute.png" alt="OmniRoute Dashboard" width="800"/>
-</div>
-
---
-
-## 📸 Визуализация на таблото за управление
-
-<details>
-<summary><b>Щракнете, за да видите екранни снимки на таблото </b></summary>
-
-| Страница                   | Екранна снимка                                        |
-| -------------------------- | ----------------------------------------------------- |
-| **Доставчици**             | ![Доставчици](docs/screenshots/01-providers.png)      |
-| **Комбота**                | ![Комбота](docs/screenshots/02-combos.png)            |
-| **Анализ**                 | ![Анализ](docs/screenshots/03-analytics.png)          |
-| **Здраве**                 | ![Здраве](docs/screenshots/04-health.png)             |
-| **Преводач**               | ![Преводач](docs/screenshots/05-translator.png)       |
-| **Настройки**              | ![Настройки](docs/screenshots/06-settings.png)        |
-| **CLI инструменти**        | ![CLI инструменти](docs/screenshots/07-cli-tools.png) |
-| **Регистри за използване** | ![Използване](docs/screenshots/08-usage.png)          |
-| **Крайна точка**           | ![Крайна точка](docs/screenshots/09-endpoint.png)     |
-
-</details>
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Безплатен доставчик на AI за вашите любими кодиращи агенти

 _Свържете всеки базиран на AI IDE или CLI инструмент чрез OmniRoute — безплатен API шлюз за неограничено кодиране._
@@ -159,6 +92,38 @@ _Свържете всеки базиран на AI IDE или CLI инстру

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 ## 🤔 Защо OmniRoute?

 **Спрете да пилеете пари и да достигате лимити:**
@@ -933,8 +898,8 @@ OmniRoute v2.0 е създаден като операционна платфо
 | Характеристика | Какво прави || -------------------------- | ------------------------------------------------------------ |
 | 🖼️ **Генериране на изображения** | `/v1/images/generations` с облак и локален бекенд |
 | 📐 **Вграждания** | `/v1/embeddings` за търсене и RAG тръбопроводи |
-| 🎤 **Аудио транскрипция** | `/v1/audio/transcriptions` (Whisper и допълнителни доставчици) |
-| 🔊 **Текст към говор** | `/v1/audio/speech` (множество машини/доставчици) |
+| 🎤 **Аудио транскрипция** | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Текст към говор** | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise) |
 | 🎬 **Видео генериране** | `/v1/videos/generations` (работни процеси ComfyUI + SD WebUI) |
 | 🎵 **Музикално поколение** | `/v1/music/generations` (работни процеси на ComfyUI) |
 | 🛡️ **Модерации** | `/v1/moderations` проверки за безопасност |
@@ -38,15 +38,15 @@ Content-Type: application/json

 ### Vlastní záhlaví

-Záhlaví | Směr | Popis
--- | --- | ---
-`X-OmniRoute-No-Cache` | Žádost | Nastavením na `true` se vynechá mezipaměť
-`X-OmniRoute-Progress` | Žádost | Nastaveno na `true` pro události průběhu
-`Idempotency-Key` | Žádost | Klíč pro deduplikaci (okno 5 s)
-`X-Request-Id` | Žádost | Alternativní klíč pro odstranění duplicitních dat
-`X-OmniRoute-Cache` | Odpověď | `HIT` or `MISS` (nestreamované)
-`X-OmniRoute-Idempotent` | Odpověď | `true` , pokud je odstraněna duplikace
-`X-OmniRoute-Progress` | Odpověď | `enabled` pokud je zapnuto sledování průběhu
+| Záhlaví                  | Směr    | Popis                                             |
+| ------------------------ | ------- | ------------------------------------------------- |
+| `X-OmniRoute-No-Cache`   | Žádost  | Nastavením na `true` se vynechá mezipaměť         |
+| `X-OmniRoute-Progress`   | Žádost  | Nastaveno na `true` pro události průběhu          |
+| `Idempotency-Key`        | Žádost  | Klíč pro deduplikaci (okno 5 s)                   |
+| `X-Request-Id`           | Žádost  | Alternativní klíč pro odstranění duplicitních dat |
+| `X-OmniRoute-Cache`      | Odpověď | `HIT` or `MISS` (nestreamované)                   |
+| `X-OmniRoute-Idempotent` | Odpověď | `true` , pokud je odstraněna duplikace            |
+| `X-OmniRoute-Progress`   | Odpověď | `enabled` pokud je zapnuto sledování průběhu      |

 ---

@@ -108,18 +108,18 @@ Authorization: Bearer your-api-key

 ## Koncové body kompatibility

-Metoda | Cesta | Formát
--- | --- | ---
-ZVEŘEJNIT | `/v1/chat/completions` | OpenAI
-ZVEŘEJNIT | `/v1/messages` | Antropický
-ZVEŘEJNIT | `/v1/responses` | Reakce OpenAI
-ZVEŘEJNIT | `/v1/embeddings` | OpenAI
-ZVEŘEJNIT | `/v1/images/generations` | OpenAI
-ZÍSKAT | `/v1/models` | OpenAI
-ZVEŘEJNIT | `/v1/messages/count_tokens` | Antropický
-ZÍSKAT | `/v1beta/models` | Blíženci
-ZVEŘEJNIT | `/v1beta/models/{...path}` | Gemini generuje obsah
-ZVEŘEJNIT | `/v1/api/chat` | Ollama
+| Metoda | Cesta                       | Formát                |
+| ------ | --------------------------- | --------------------- |
+| POST   | `/v1/chat/completions`      | OpenAI                |
+| POST   | `/v1/messages`              | Anthropic             |
+| POST   | `/v1/responses`             | Reakce OpenAI         |
+| POST   | `/v1/embeddings`            | OpenAI                |
+| POST   | `/v1/images/generations`    | OpenAI                |
+| GET    | `/v1/models`                | OpenAI                |
+| POST   | `/v1/messages/count_tokens` | Anthropic             |
+| GET    | `/v1beta/models`            | Blíženci              |
+| POST   | `/v1beta/models/{...path}`  | Gemini generuje obsah |
+| POST   | `/v1/api/chat`              | Ollama                |

 ### Vyhrazené trasy poskytovatelů

@@ -166,154 +166,154 @@ Příklad odpovědi:

 ### Ověřování

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/api/auth/login` | ZVEŘEJNIT | Přihlášení
-`/api/auth/logout` | ZVEŘEJNIT | Odhlásit se
-`/api/settings/require-login` | ZÍSKAT/VLOŽIT | Vyžaduje se přepnutí přihlášení
+| Koncový bod                   | Metoda  | Popis                           |
+| ----------------------------- | ------- | ------------------------------- |
+| `/api/auth/login`             | POST    | Přihlášení                      |
+| `/api/auth/logout`            | POST    | Odhlásit se                     |
+| `/api/settings/require-login` | GET/PUT | Vyžaduje se přepnutí přihlášení |

 ### Správa poskytovatelů

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/api/providers` | ZÍSKAT/ODESLAT | Seznam / vytvoření poskytovatelů
-`/api/providers/[id]` | ZÍSKAT/VLOŽIT/ODSTRANIT | Správa poskytovatele
-`/api/providers/[id]/test` | ZVEŘEJNIT | Testovací připojení poskytovatele
-`/api/providers/[id]/models` | ZÍSKAT | Seznam modelů poskytovatelů
-`/api/providers/validate` | ZVEŘEJNIT | Ověření konfigurace poskytovatele
-`/api/provider-nodes*` | Různé | Správa uzlů poskytovatelů
-`/api/provider-models` | ZÍSKAT/ODESLAT/SMAZAT | Vlastní modely
+| Koncový bod                  | Metoda          | Popis                             |
+| ---------------------------- | --------------- | --------------------------------- |
+| `/api/providers`             | GET/POST        | Seznam / vytvoření poskytovatelů  |
+| `/api/providers/[id]`        | GET/PUT/DELETE  | Správa poskytovatele              |
+| `/api/providers/[id]/test`   | POST            | Testovací připojení poskytovatele |
+| `/api/providers/[id]/models` | GET             | Seznam modelů poskytovatelů       |
+| `/api/providers/validate`    | POST            | Ověření konfigurace poskytovatele |
+| `/api/provider-nodes*`       | Různé           | Správa uzlů poskytovatelů         |
+| `/api/provider-models`       | GET/POST/DELETE | Vlastní modely                    |

 ### Toky OAuth

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/api/oauth/[provider]/[action]` | Různé | OAuth specifický pro poskytovatele
+| Koncový bod                      | Metoda | Popis                              |
+| -------------------------------- | ------ | ---------------------------------- |
+| `/api/oauth/[provider]/[action]` | Různé  | OAuth specifický pro poskytovatele |

 ### Směrování a konfigurace

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/api/models/alias` | ZÍSKAT/ODESLAT | Aliasy modelů
-`/api/models/catalog` | ZÍSKAT | Všechny modely podle poskytovatele + typu
-`/api/combos*` | Různé | Správa kombinací
-`/api/keys*` | Různé | Správa klíčů API
-`/api/pricing` | ZÍSKAT | Cena modelu
+| Koncový bod           | Metoda   | Popis                                     |
+| --------------------- | -------- | ----------------------------------------- |
+| `/api/models/alias`   | GET/POST | Aliasy modelů                             |
+| `/api/models/catalog` | GET      | Všechny modely podle poskytovatele + typu |
+| `/api/combos*`        | Různé    | Správa kombinací                          |
+| `/api/keys*`          | Různé    | Správa klíčů API                          |
+| `/api/pricing`        | GET      | Cena modelu                               |

 ### Využití a analýzy

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/api/usage/history` | ZÍSKAT | Historie používání
-`/api/usage/logs` | ZÍSKAT | Protokoly používání
-`/api/usage/request-logs` | ZÍSKAT | Protokoly na úrovni požadavků
-`/api/usage/[connectionId]` | ZÍSKAT | Využití na připojení
+| Koncový bod                 | Metoda | Popis                         |
+| --------------------------- | ------ | ----------------------------- |
+| `/api/usage/history`        | GET    | Historie používání            |
+| `/api/usage/logs`           | GET    | Protokoly používání           |
+| `/api/usage/request-logs`   | GET    | Protokoly na úrovni požadavků |
+| `/api/usage/[connectionId]` | GET    | Využití na připojení          |

 ### Nastavení

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/api/settings` | ZÍSKAT/VLOŽIT | Obecná nastavení
-`/api/settings/proxy` | ZÍSKAT/VLOŽIT | Konfigurace síťového proxy serveru
-`/api/settings/proxy/test` | ZVEŘEJNIT | Testovací připojení k proxy serveru
-`/api/settings/ip-filter` | ZÍSKAT/VLOŽIT | Seznam povolených/blokovaných IP adres
-`/api/settings/thinking-budget` | ZÍSKAT/VLOŽIT | Zdůvodnění rozpočtu tokenů
-`/api/settings/system-prompt` | ZÍSKAT/VLOŽIT | Globální systémový výzva
+| Koncový bod                     | Metoda  | Popis                                  |
+| ------------------------------- | ------- | -------------------------------------- |
+| `/api/settings`                 | GET/PUT | Obecná nastavení                       |
+| `/api/settings/proxy`           | GET/PUT | Konfigurace síťového proxy serveru     |
+| `/api/settings/proxy/test`      | POST    | Testovací připojení k proxy serveru    |
+| `/api/settings/ip-filter`       | GET/PUT | Seznam povolených/blokovaných IP adres |
+| `/api/settings/thinking-budget` | GET/PUT | Zdůvodnění rozpočtu tokenů             |
+| `/api/settings/system-prompt`   | GET/PUT | Globální systémový výzva               |

 ### Monitorování

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/api/sessions` | ZÍSKAT | Sledování aktivních relací
-`/api/rate-limits` | ZÍSKAT | Limity sazeb na účet
-`/api/monitoring/health` | ZÍSKAT | Kontrola stavu
-`/api/cache` | ZÍSKAT/SMAZAT | Statistiky mezipaměti / vymazat
+| Koncový bod              | Metoda     | Popis                           |
+| ------------------------ | ---------- | ------------------------------- |
+| `/api/sessions`          | GET        | Sledování aktivních relací      |
+| `/api/rate-limits`       | GET        | Limity sazeb na účet            |
+| `/api/monitoring/health` | GET        | Kontrola stavu                  |
+| `/api/cache`             | GET/DELETE | Statistiky mezipaměti / vymazat |

 ### Zálohování a export/import

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/api/db-backups` | ZÍSKAT | Seznam dostupných záloh
-`/api/db-backups` | DÁT | Vytvořte ruční zálohu
-`/api/db-backups` | ZVEŘEJNIT | Obnovení z konkrétní zálohy
-`/api/db-backups/export` | ZÍSKAT | Stáhnout databázi jako soubor .sqlite
-`/api/db-backups/import` | ZVEŘEJNIT | Nahrajte soubor .sqlite pro nahrazení databáze
-`/api/db-backups/exportAll` | ZÍSKAT | Stáhnout plnou zálohu jako archiv .tar.gz
+| Koncový bod                 | Metoda | Popis                                          |
+| --------------------------- | ------ | ---------------------------------------------- |
+| `/api/db-backups`           | GET    | Seznam dostupných záloh                        |
+| `/api/db-backups`           | DÁT    | Vytvořte ruční zálohu                          |
+| `/api/db-backups`           | POST   | Obnovení z konkrétní zálohy                    |
+| `/api/db-backups/export`    | GET    | Stáhnout databázi jako soubor .sqlite          |
+| `/api/db-backups/import`    | POST   | Nahrajte soubor .sqlite pro nahrazení databáze |
+| `/api/db-backups/exportAll` | GET    | Stáhnout plnou zálohu jako archiv .tar.gz      |

 ### Synchronizace s cloudem

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/api/sync/cloud` | Různé | Operace synchronizace s cloudem
-`/api/sync/initialize` | ZVEŘEJNIT | Inicializovat synchronizaci
-`/api/cloud/*` | Různé | Správa cloudu
+| Koncový bod            | Metoda | Popis                           |
+| ---------------------- | ------ | ------------------------------- |
+| `/api/sync/cloud`      | Různé  | Operace synchronizace s cloudem |
+| `/api/sync/initialize` | POST   | Inicializovat synchronizaci     |
+| `/api/cloud/*`         | Různé  | Správa cloudu                   |

 ### Nástroje CLI

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/api/cli-tools/claude-settings` | ZÍSKAT | Stav Clauda CLI
-`/api/cli-tools/codex-settings` | ZÍSKAT | Stav příkazového řádku Codexu
-`/api/cli-tools/droid-settings` | ZÍSKAT | Stav příkazového řádku Droidu
-`/api/cli-tools/openclaw-settings` | ZÍSKAT | Stav rozhraní příkazového řádku OpenClaw
-`/api/cli-tools/runtime/[toolId]` | ZÍSKAT | Generické běhové prostředí CLI
+| Koncový bod                        | Metoda | Popis                                    |
+| ---------------------------------- | ------ | ---------------------------------------- |
+| `/api/cli-tools/claude-settings`   | GET    | Stav Clauda CLI                          |
+| `/api/cli-tools/codex-settings`    | GET    | Stav příkazového řádku Codexu            |
+| `/api/cli-tools/droid-settings`    | GET    | Stav příkazového řádku Droidu            |
+| `/api/cli-tools/openclaw-settings` | GET    | Stav rozhraní příkazového řádku OpenClaw |
+| `/api/cli-tools/runtime/[toolId]`  | GET    | Generické běhové prostředí CLI           |

 Mezi odpovědi CLI patří: `installed` , `runnable` , `command` , `commandPath` , `runtimeMode` , `reason` .

 ### Agenti ACP

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/api/acp/agents` | ZÍSKAT | Zobrazit seznam všech detekovaných agentů (vestavěných + vlastních) se stavem
-`/api/acp/agents` | ZVEŘEJNIT | Přidat vlastního agenta nebo obnovit mezipaměť detekce
-`/api/acp/agents` | VYMAZAT | Odebrání vlastního agenta podle parametru dotazu `id`
+| Koncový bod       | Metoda  | Popis                                                                         |
+| ----------------- | ------- | ----------------------------------------------------------------------------- |
+| `/api/acp/agents` | GET     | Zobrazit seznam všech detekovaných agentů (vestavěných + vlastních) se stavem |
+| `/api/acp/agents` | POST    | Přidat vlastního agenta nebo obnovit mezipaměť detekce                        |
+| `/api/acp/agents` | VYMAZAT | Odebrání vlastního agenta podle parametru dotazu `id`                         |

 Odpověď GET obsahuje `agents[]` (id, name, binary, version, installed, protocol, isCustom) a `summary` (total, installed, notFound, builtIn, custom).

 ### Odolnost a limity rychlosti

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/api/resilience` | ZÍSKAT/VLOŽIT | Získání/aktualizace profilů odolnosti
-`/api/resilience/reset` | ZVEŘEJNIT | Resetujte jističe
-`/api/rate-limits` | ZÍSKAT | Stav limitu sazby na účet
-`/api/rate-limit` | ZÍSKAT | Konfigurace globálního limitu rychlosti
+| Koncový bod             | Metoda  | Popis                                   |
+| ----------------------- | ------- | --------------------------------------- |
+| `/api/resilience`       | GET/PUT | Získání/aktualizace profilů odolnosti   |
+| `/api/resilience/reset` | POST    | Resetujte jističe                       |
+| `/api/rate-limits`      | GET     | Stav limitu sazby na účet               |
+| `/api/rate-limit`       | GET     | Konfigurace globálního limitu rychlosti |

 ### Evals

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/api/evals` | ZÍSKAT/ODESLAT | Vypsat eval sady / spustit vyhodnocení
+| Koncový bod  | Metoda   | Popis                                  |
+| ------------ | -------- | -------------------------------------- |
+| `/api/evals` | GET/POST | Vypsat eval sady / spustit vyhodnocení |

 ### Zásady

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/api/policies` | ZÍSKAT/ODESLAT/SMAZAT | Správa směrovacích zásad
+| Koncový bod     | Metoda          | Popis                    |
+| --------------- | --------------- | ------------------------ |
+| `/api/policies` | GET/POST/DELETE | Správa směrovacích zásad |

 ### Dodržování

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/api/compliance/audit-log` | ZÍSKAT | Protokol auditu shody (poslední N)
+| Koncový bod                 | Metoda | Popis                              |
+| --------------------------- | ------ | ---------------------------------- |
+| `/api/compliance/audit-log` | GET    | Protokol auditu shody (poslední N) |

 ### v1beta (kompatibilní s Gemini)

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/v1beta/models` | ZÍSKAT | Seznam modelů ve formátu Gemini
-`/v1beta/models/{...path}` | ZVEŘEJNIT | Koncový bod Gemini `generateContent`
+| Koncový bod                | Metoda | Popis                                |
+| -------------------------- | ------ | ------------------------------------ |
+| `/v1beta/models`           | GET    | Seznam modelů ve formátu Gemini      |
+| `/v1beta/models/{...path}` | POST   | Koncový bod Gemini `generateContent` |

 Tyto koncové body zrcadlí formát API Gemini pro klienty, kteří očekávají nativní kompatibilitu sady Gemini SDK.

 ### Interní / systémová API

-Koncový bod | Metoda | Popis
--- | --- | ---
-`/api/init` | ZÍSKAT | Kontrola inicializace aplikace (používá se při prvním spuštění)
-`/api/tags` | ZÍSKAT | Tagy modelů kompatibilní s Ollamou (pro klienty Ollamy)
-`/api/restart` | ZVEŘEJNIT | Spustit řádný restart serveru
-`/api/shutdown` | ZVEŘEJNIT | Spustit řádné vypnutí serveru
+| Koncový bod     | Metoda | Popis                                                           |
+| --------------- | ------ | --------------------------------------------------------------- |
+| `/api/init`     | GET    | Kontrola inicializace aplikace (používá se při prvním spuštění) |
+| `/api/tags`     | GET    | Tagy modelů kompatibilní s Ollamou (pro klienty Ollamy)         |
+| `/api/restart`  | POST   | Spustit řádný restart serveru                                   |
+| `/api/shutdown` | POST   | Spustit řádné vypnutí serveru                                   |

 > **Poznámka:** Tyto koncové body používá interně systém nebo pro kompatibilitu s klienty Ollama. Koncoví uživatelé je obvykle nevolají.

@@ -2,7 +2,7 @@

 🌐 **Jazyky:** 🇺🇸 [angličtina](ARCHITECTURE.md) | 🇧🇷 [Português (Brazílie)](i18n/pt-BR/ARCHITECTURE.md) | 🇪🇸 [Español](i18n/es/ARCHITECTURE.md) | 🇫🇷 [Français](i18n/fr/ARCHITECTURE.md) | 🇮🇹 [Italiano](i18n/it/ARCHITECTURE.md) | 🇷🇺 [Русский](i18n/ru/ARCHITECTURE.md) | 🇨🇳[中文 (简体)](i18n/zh-CN/ARCHITECTURE.md) | 🇩🇪 [Deutsch](i18n/de/ARCHITECTURE.md) | 🇮🇳 [हिन्दी](i18n/in/ARCHITECTURE.md) | 🇹🇭 [ไทย](i18n/th/ARCHITECTURE.md) | 🇺🇦 [Українська](i18n/uk-UA/ARCHITECTURE.md) | 🇸🇦 [العربية](i18n/ar/ARCHITECTURE.md) | 🇯🇵[日本語](i18n/ja/ARCHITECTURE.md)| 🇻🇳 [Tiếng Việt](i18n/vi/ARCHITECTURE.md) | 🇧🇬 [Български](i18n/bg/ARCHITECTURE.md) | 🇩🇰 [Dánsko](i18n/da/ARCHITECTURE.md) | 🇫🇮 [Suomi](i18n/fi/ARCHITECTURE.md) | 🇮🇱 [עברית](i18n/he/ARCHITECTURE.md) | 🇭🇺 [maďarština](i18n/hu/ARCHITECTURE.md) | 🇮🇩 [Bahasa Indonésie](i18n/id/ARCHITECTURE.md) | 🇰🇷 [한국어](i18n/ko/ARCHITECTURE.md) | 🇲🇾 [Bahasa Melayu](i18n/ms/ARCHITECTURE.md) | 🇳🇱 [Nizozemsko](i18n/nl/ARCHITECTURE.md) | 🇳🇴 [Norsk](i18n/no/ARCHITECTURE.md) | 🇵🇹 [Português (Portugalsko)](i18n/pt/ARCHITECTURE.md) | 🇷🇴 [Română](i18n/ro/ARCHITECTURE.md) | 🇵🇱 [Polski](i18n/pl/ARCHITECTURE.md) | 🇸🇰 [Slovenčina](i18n/sk/ARCHITECTURE.md) | 🇸🇪 [Svenska](i18n/sv/ARCHITECTURE.md) | 🇵🇭 [Filipínec](i18n/phi/ARCHITECTURE.md) | 🇨🇿 [Čeština](i18n/cs/ARCHITECTURE.md)

-*Poslední aktualizace: 2026-03-04*
+_Poslední aktualizace: 2026-03-04_

 ## Shrnutí pro manažery

@@ -590,45 +590,45 @@ flowchart LR

 Každý poskytovatel má specializovaný exekutor rozšiřující `BaseExecutor` (v `open-sse/executors/base.ts` ), který zajišťuje vytváření URL adres, konstrukci hlaviček, opakování s exponenciálním odkladem, hooky pro obnovení pověření a orchestrační metodu `execute()` .

-Vykonavatel | Poskytovatel(é) | Speciální manipulace
--- | --- | ---
-`DefaultExecutor` | OpenAI, Claude, Gemini, Qwen, iFlow, OpenRouter, GLM, Kimi, MiniMax, DeepSeek, Groq, xAI, Mistral, Perplexity, Together, Fireworks, Cerebras, Cohere, NVIDIA | Konfigurace dynamické adresy URL/záhlaví pro každého poskytovatele
-`AntigravityExecutor` | Google Antigravitace | Vlastní ID projektů/relací, analýza Opakování po
-`CodexExecutor` | Kodex OpenAI | Vkládá systémové instrukce, vynucuje úsilí k uvažování
-`CursorExecutor` | IDE kurzoru | Protokol ConnectRPC, kódování Protobuf, podepisování požadavků pomocí kontrolního součtu
-`GithubExecutor` | GitHub Copilot | Aktualizace tokenu Copilot, hlavičky napodobující VSCode
-`KiroExecutor` | AWS CodeWhisperer/Kiro | Binární formát AWS EventStream → konverze SSE
-`GeminiCLIExecutor` | Rozhraní příkazového řádku Gemini | Cyklus obnovy tokenu Google OAuth
+| Vykonavatel           | Poskytovatel(é)                                                                                                                                              | Speciální manipulace                                                                     |
+| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------- |
+| `DefaultExecutor`     | OpenAI, Claude, Gemini, Qwen, iFlow, OpenRouter, GLM, Kimi, MiniMax, DeepSeek, Groq, xAI, Mistral, Perplexity, Together, Fireworks, Cerebras, Cohere, NVIDIA | Konfigurace dynamické adresy URL/záhlaví pro každého poskytovatele                       |
+| `AntigravityExecutor` | Google Antigravity                                                                                                                                           | Vlastní ID projektů/relací, analýza Opakování po                                         |
+| `CodexExecutor`       | OpenAI Codex                                                                                                                                                 | Vkládá systémové instrukce, vynucuje úsilí k uvažování                                   |
+| `CursorExecutor`      | IDE kurzoru                                                                                                                                                  | Protokol ConnectRPC, kódování Protobuf, podepisování požadavků pomocí kontrolního součtu |
+| `GithubExecutor`      | GitHub Copilot                                                                                                                                               | Aktualizace tokenu Copilot, hlavičky napodobující VSCode                                 |
+| `KiroExecutor`        | AWS CodeWhisperer/Kiro                                                                                                                                       | Binární formát AWS EventStream → konverze SSE                                            |
+| `GeminiCLIExecutor`   | Gemini CLI                                                                                                                                                   | Cyklus obnovy tokenu Google OAuth                                                        |

 Všichni ostatní poskytovatelé (včetně uzlů kompatibilních s vlastními funkcemi) používají `DefaultExecutor` .

 ## Matice kompatibility poskytovatelů

-Poskytovatel | Formát | Autorizace | Proud | Nestreamované | Obnovení tokenu | API pro použití
--- | --- | --- | --- | --- | --- | ---
-Claude | Claude | Klíč API / OAuth | ✅ | ✅ | ✅ | ⚠️ Pouze pro administrátory
-Blíženci | Blíženci | Klíč API / OAuth | ✅ | ✅ | ✅ | ⚠️ Cloudová konzole
-Rozhraní příkazového řádku Gemini | gemini-cli | OAuth | ✅ | ✅ | ✅ | ⚠️ Cloudová konzole
-Antigravitace | antigravitace | OAuth | ✅ | ✅ | ✅ | ✅ Plná kvóta API
-OpenAI | otevřeno | Klíč API | ✅ | ✅ | ❌ | ❌
-Kodex | openai-odpovědi | OAuth | ✅ vynucený | ❌ | ✅ | ✅ Limity sazeb
-GitHub Copilot | otevřeno | OAuth + token Copilota | ✅ | ✅ | ✅ | ✅ Snímky kvót
-Kurzor | kurzor | Vlastní kontrolní součet | ✅ | ✅ | ❌ | ❌
-Kiro | Kiro | OIDC pro jednotné přihlašování AWS | ✅ (Stream událostí) | ❌ | ✅ | ✅ Limity použití
-Qwen | otevřeno | OAuth | ✅ | ✅ | ✅ | ⚠️ Na vyžádání
-iFlow | otevřeno | OAuth (základní) | ✅ | ✅ | ✅ | ⚠️ Na vyžádání
-OpenRouter | otevřeno | Klíč API | ✅ | ✅ | ❌ | ❌
-GLM/Kimi/MiniMax | Claude | Klíč API | ✅ | ✅ | ❌ | ❌
-Hluboké vyhledávání | otevřeno | Klíč API | ✅ | ✅ | ❌ | ❌
-Groq | otevřeno | Klíč API | ✅ | ✅ | ❌ | ❌
-xAI (Grok) | otevřeno | Klíč API | ✅ | ✅ | ❌ | ❌
-Mistral | otevřeno | Klíč API | ✅ | ✅ | ❌ | ❌
-Zmatek | otevřeno | Klíč API | ✅ | ✅ | ❌ | ❌
-Společně s umělou inteligencí | otevřeno | Klíč API | ✅ | ✅ | ❌ | ❌
-Ohňostroj s umělou inteligencí | otevřeno | Klíč API | ✅ | ✅ | ❌ | ❌
-Mozky | otevřeno | Klíč API | ✅ | ✅ | ❌ | ❌
-Soudržný | otevřeno | Klíč API | ✅ | ✅ | ❌ | ❌
-NVIDIA NIM | otevřeno | Klíč API | ✅ | ✅ | ❌ | ❌
+| Poskytovatel                   | Formát          | Autorizace                         | Proud                | Nestreamované | Obnovení tokenu | API pro použití             |
+| ------------------------------ | --------------- | ---------------------------------- | -------------------- | ------------- | --------------- | --------------------------- |
+| Claude                         | Claude          | Klíč API / OAuth                   | ✅                   | ✅            | ✅              | ⚠️ Pouze pro administrátory |
+| Blíženci                       | Blíženci        | Klíč API / OAuth                   | ✅                   | ✅            | ✅              | ⚠️ Cloudová konzole         |
+| Gemini CLI                     | gemini-cli      | OAuth                              | ✅                   | ✅            | ✅              | ⚠️ Cloudová konzole         |
+| Antigravity                    | antigravitace   | OAuth                              | ✅                   | ✅            | ✅              | ✅ Plná kvóta API           |
+| OpenAI                         | otevřeno        | Klíč API                           | ✅                   | ✅            | ❌              | ❌                          |
+| Kodex                          | openai-odpovědi | OAuth                              | ✅ vynucený          | ❌            | ✅              | ✅ Limity sazeb             |
+| GitHub Copilot                 | otevřeno        | OAuth + token Copilota             | ✅                   | ✅            | ✅              | ✅ Snímky kvót              |
+| Kurzor                         | kurzor          | Vlastní kontrolní součet           | ✅                   | ✅            | ❌              | ❌                          |
+| Kiro                           | Kiro            | OIDC pro jednotné přihlašování AWS | ✅ (Stream událostí) | ❌            | ✅              | ✅ Limity použití           |
+| Qwen                           | otevřeno        | OAuth                              | ✅                   | ✅            | ✅              | ⚠️ Na vyžádání              |
+| iFlow                          | otevřeno        | OAuth (základní)                   | ✅                   | ✅            | ✅              | ⚠️ Na vyžádání              |
+| OpenRouter                     | otevřeno        | Klíč API                           | ✅                   | ✅            | ❌              | ❌                          |
+| GLM/Kimi/MiniMax               | Claude          | Klíč API                           | ✅                   | ✅            | ❌              | ❌                          |
+| Hluboké vyhledávání            | otevřeno        | Klíč API                           | ✅                   | ✅            | ❌              | ❌                          |
+| Groq                           | otevřeno        | Klíč API                           | ✅                   | ✅            | ❌              | ❌                          |
+| xAI (Grok)                     | otevřeno        | Klíč API                           | ✅                   | ✅            | ❌              | ❌                          |
+| Mistral                        | otevřeno        | Klíč API                           | ✅                   | ✅            | ❌              | ❌                          |
+| Zmatek                         | otevřeno        | Klíč API                           | ✅                   | ✅            | ❌              | ❌                          |
+| Společně s umělou inteligencí  | otevřeno        | Klíč API                           | ✅                   | ✅            | ❌              | ❌                          |
+| Ohňostroj s umělou inteligencí | otevřeno        | Klíč API                           | ✅                   | ✅            | ❌              | ❌                          |
+| Mozky                          | otevřeno        | Klíč API                           | ✅                   | ✅            | ❌              | ❌                          |
+| Soudržný                       | otevřeno        | Klíč API                           | ✅                   | ✅            | ❌              | ❌                          |
+| NVIDIA NIM                     | otevřeno        | Klíč API                           | ✅                   | ✅            | ❌              | ❌                          |

 ## Pokrytí překladů formátů

@@ -643,7 +643,7 @@ Cílové formáty zahrnují:

 - Chat/Odpovědi v OpenAI
 - Claude
- Obálka Gemini/Gemini-CLI/Antigravitace
+- Obálka Gemini/Gemini-CLI/Antigravity
 - Kiro
 - Kurzor

@@ -664,25 +664,25 @@ Další vrstvy zpracování v překladovém kanálu:

 ## Podporované koncové body API

-Koncový bod | Formát | Psovod
--- | --- | ---
-`POST /v1/chat/completions` | Chat s OpenAI | `src/sse/handlers/chat.ts`
-`POST /v1/messages` | Claude Messages | Stejný obslužný program (automaticky detekováno)
-`POST /v1/responses` | Reakce OpenAI | `open-sse/handlers/responsesHandler.ts`
-`POST /v1/embeddings` | Vkládání OpenAI | `open-sse/handlers/embeddings.ts`
-`GET /v1/embeddings` | Seznam modelů | Trasa API
-`POST /v1/images/generations` | Obrázky OpenAI | `open-sse/handlers/imageGeneration.ts`
-`GET /v1/images/generations` | Seznam modelů | Trasa API
-`POST /v1/providers/{provider}/chat/completions` | Chat s OpenAI | Vyhrazené pro každého poskytovatele s ověřováním modelu
-`POST /v1/providers/{provider}/embeddings` | Vkládání OpenAI | Vyhrazené pro každého poskytovatele s ověřováním modelu
-`POST /v1/providers/{provider}/images/generations` | Obrázky OpenAI | Vyhrazené pro každého poskytovatele s ověřováním modelu
-`POST /v1/messages/count_tokens` | Počet žetonů Claude | Trasa API
-`GET /v1/models` | Seznam modelů OpenAI | Trasa API (chat + vkládání + obrázek + vlastní modely)
-`GET /api/models/catalog` | Katalog | Všechny modely seskupené podle poskytovatele + typu
-`POST /v1beta/models/*:streamGenerateContent` | Rodák z Blíženců | Trasa API
-`GET/PUT/DELETE /api/settings/proxy` | Konfigurace proxy serveru | Konfigurace síťového proxy serveru
-`POST /api/settings/proxy/test` | Připojení proxy serveru | Koncový bod testu stavu/připojení proxy serveru
-`GET/POST/DELETE /api/provider-models` | Vlastní modely | Správa vlastních modelů pro každého poskytovatele
+| Koncový bod                                        | Formát                    | Psovod                                                  |
+| -------------------------------------------------- | ------------------------- | ------------------------------------------------------- |
+| `POST /v1/chat/completions`                        | Chat s OpenAI             | `src/sse/handlers/chat.ts`                              |
+| `POST /v1/messages`                                | Claude Messages           | Stejný obslužný program (automaticky detekováno)        |
+| `POST /v1/responses`                               | Reakce OpenAI             | `open-sse/handlers/responsesHandler.ts`                 |
+| `POST /v1/embeddings`                              | Vkládání OpenAI           | `open-sse/handlers/embeddings.ts`                       |
+| `GET /v1/embeddings`                               | Seznam modelů             | Trasa API                                               |
+| `POST /v1/images/generations`                      | Obrázky OpenAI            | `open-sse/handlers/imageGeneration.ts`                  |
+| `GET /v1/images/generations`                       | Seznam modelů             | Trasa API                                               |
+| `POST /v1/providers/{provider}/chat/completions`   | Chat s OpenAI             | Vyhrazené pro každého poskytovatele s ověřováním modelu |
+| `POST /v1/providers/{provider}/embeddings`         | Vkládání OpenAI           | Vyhrazené pro každého poskytovatele s ověřováním modelu |
+| `POST /v1/providers/{provider}/images/generations` | Obrázky OpenAI            | Vyhrazené pro každého poskytovatele s ověřováním modelu |
+| `POST /v1/messages/count_tokens`                   | Počet žetonů Claude       | Trasa API                                               |
+| `GET /v1/models`                                   | Seznam modelů OpenAI      | Trasa API (chat + vkládání + obrázek + vlastní modely)  |
+| `GET /api/models/catalog`                          | Katalog                   | Všechny modely seskupené podle poskytovatele + typu     |
+| `POST /v1beta/models/*:streamGenerateContent`      | Rodák z Blíženců          | Trasa API                                               |
+| `GET/PUT/DELETE /api/settings/proxy`               | Konfigurace proxy serveru | Konfigurace síťového proxy serveru                      |
+| `POST /api/settings/proxy/test`                    | Připojení proxy serveru   | Koncový bod testu stavu/připojení proxy serveru         |
+| `GET/POST/DELETE /api/provider-models`             | Vlastní modely            | Správa vlastních modelů pro každého poskytovatele       |

 ## Obejít obslužnou rutinu

@@ -27,19 +27,19 @@ Claude / Codex / Gemini CLI / OpenCode / Cline / KiloCode / Continue / Kiro CLI

 ## Podporované nástroje

-Nástroj | Příkaz | Typ | Metoda instalace
--- | --- | --- | ---
-**Claude Code** | `claude` | Rozhraní příkazového řádku | npm
-**Kodex OpenAI** | `codex` | Rozhraní příkazového řádku | npm
-**Rozhraní příkazového řádku Gemini** | `gemini` | Rozhraní příkazového řádku | npm
-**OpenCode** | `opencode` | Rozhraní příkazového řádku | npm
-**Cline** | `cline` | Rozšíření CLI + VS kódu | npm
-**KiloCode** | `kilocode` / `kilo` | Rozšíření CLI + VS kódu | npm
-**Pokračovat** | průvodce | VS Code ext | VS kód
-**Kiro CLI** | `kiro-cli` | Rozhraní příkazového řádku | instalační program Curl
-**Kurzor** | `cursor` | Aplikace pro stolní počítače | Stáhnout
-**Droid** | webový | Vestavěný agent | OmniRoute
-**OpenClaw** | webový | Vestavěný agent | OmniRoute
+| Nástroj          | Příkaz              | Typ             | Instalace      |
+| ---------------- | ------------------- | --------------- | -------------- |
+| **Claude Code**  | `claude`            | CLI             | npm            |
+| **OpenAI Codex** | `codex`             | CLI             | npm            |
+| **Gemini CLI**   | `gemini`            | CLI             | npm            |
+| **OpenCode**     | `opencode`          | CLI             | npm            |
+| **Cline**        | `cline`             | CLI + VS Code   | npm            |
+| **KiloCode**     | `kilocode` / `kilo` | CLI + VS Code   | npm            |
+| **Continue**     | průvodce            | VS Code ext     | VS kód         |
+| **Kiro CLI**     | `kiro-cli`          | CLI             | curl instalace |
+| **Kurzor**       | `cursor`            | Aplikace pro PC | Download       |
+| **Droid**        | webový              | Built-in agent  | OmniRoute      |
+| **OpenClaw**     | webový              | Built-in agent  | OmniRoute      |

 ---

@@ -136,7 +136,7 @@ EOF

 ---

-### Kodex OpenAI
+### OpenAI Codex

 ```bash
 mkdir -p ~/.codex && cat > ~/.codex/config.yaml << EOF
@@ -150,7 +150,7 @@ EOF

 ---

-### Rozhraní příkazového řádku Gemini
+### Gemini CLI

 ```bash
 mkdir -p ~/.gemini && cat > ~/.gemini/settings.json << EOF
@@ -220,7 +220,7 @@ Nebo použijte dashboard OmniRoute → **CLI Tools → KiloCode → Apply Config

 ---

-### Pokračovat (rozšíření kódu VS)
+### Continue (rozšíření kódu VS)

 Upravit `~/.continue/config.yaml` :

@@ -286,28 +286,28 @@ Ovládací panel OmniRoute automatizuje konfiguraci většiny nástrojů:

 ## Dostupné koncové body API

-Koncový bod | Popis | Použití pro
--- | --- | ---
-`/v1/chat/completions` | Standardní chat (všichni poskytovatelé) | Všechny moderní nástroje
-`/v1/responses` | API pro odpovědi (formát OpenAI) | Kodex, agentické pracovní postupy
-`/v1/completions` | Doplňování starších textů | Starší nástroje používající `prompt:`
-`/v1/embeddings` | Vkládání textu | RAG, vyhledávání
-`/v1/images/generations` | Generování obrázků | DALL-E, Flux atd.
-`/v1/audio/speech` | Převod textu na řeč | ElevenLabs, OpenAI TTS
-`/v1/audio/transcriptions` | Převod řeči na text | Deepgram, AssemblyAI
+| Koncový bod                | Popis                                   | Použití pro                           |
+| -------------------------- | --------------------------------------- | ------------------------------------- |
+| `/v1/chat/completions`     | Standardní chat (všichni poskytovatelé) | Všechny moderní nástroje              |
+| `/v1/responses`            | API pro odpovědi (formát OpenAI)        | Kodex, agentické pracovní postupy     |
+| `/v1/completions`          | Doplňování starších textů               | Starší nástroje používající `prompt:` |
+| `/v1/embeddings`           | Vkládání textu                          | RAG, vyhledávání                      |
+| `/v1/images/generations`   | Generování obrázků                      | DALL-E, Flux atd.                     |
+| `/v1/audio/speech`         | Převod textu na řeč                     | ElevenLabs, OpenAI TTS                |
+| `/v1/audio/transcriptions` | Převod řeči na text                     | Deepgram, AssemblyAI                  |

 ---

 ## Odstraňování problémů

-Chyba | Příčina | Opravit
--- | --- | ---
-`Connection refused` | OmniRoute neběží | `pm2 start omniroute`
-`401 Unauthorized` | Chybný klíč API | Zkontrolovat `/dashboard/api-manager`
-`No combo configured` | Žádná aktivní routingová kombinace | Nastavení v `/dashboard/combos`
-`invalid model` | Model není v katalogu | Použijte `auto` nebo zkontrolujte `/dashboard/providers`
-CLI zobrazuje „není nainstalováno“ | Binární soubor není v cestě PATH | Zkontrolujte, `which <command>`
-`kiro-cli: not found` | Není v PATH | `export PATH="$HOME/.local/bin:$PATH"`
+| Chyba                              | Příčina                            | Opravit                                                  |
+| ---------------------------------- | ---------------------------------- | -------------------------------------------------------- |
+| `Connection refused`               | OmniRoute neběží                   | `pm2 start omniroute`                                    |
+| `401 Unauthorized`                 | Chybný klíč API                    | Zkontrolovat `/dashboard/api-manager`                    |
+| `No combo configured`              | Žádná aktivní routingová kombinace | Nastavení v `/dashboard/combos`                          |
+| `invalid model`                    | Model není v katalogu              | Použijte `auto` nebo zkontrolujte `/dashboard/providers` |
+| CLI zobrazuje „není nainstalováno“ | Binární soubor není v cestě PATH   | Zkontrolujte, `which <command>`                          |
+| `kiro-cli: not found`              | Není v PATH                        | `export PATH="$HOME/.local/bin:$PATH"`                   |

 ---

@@ -110,14 +110,14 @@ omniroute/

 Jediný **zdroj pravdivých informací** pro všechny konfigurace poskytovatelů.

-Soubor | Účel
--- | ---
-`constants.ts` | Objekt `PROVIDERS` se základními URL adresami, přihlašovacími údaji OAuth (výchozí), záhlavími a výchozími systémovými výzvami pro každého poskytovatele. Definuje také `HTTP_STATUS` , `ERROR_TYPES` , `COOLDOWN_MS` , `BACKOFF_CONFIG` a `SKIP_PATTERNS` .
-`credentialLoader.ts` | Načte externí přihlašovací údaje z `data/provider-credentials.json` a sloučí je s pevně zakódovanými výchozími hodnotami v `PROVIDERS` . Uchovává tajné údaje mimo kontrolu zdrojového kódu a zároveň zachovává zpětnou kompatibilitu.
-`providerModels.ts` | Centrální registr modelů: mapuje aliasy poskytovatelů → ID modelů. Funkce jako `getModels()` , `getProviderByAlias()` .
-`codexInstructions.ts` | Systémové instrukce vložené do požadavků Codexu (omezení úprav, pravidla sandboxu, zásady schvalování).
-`defaultThinkingSignature.ts` | Výchozí „myšlenkové“ podpisy pro modely Claude a Gemini.
-`ollamaModels.ts` | Definice schématu pro lokální Ollama modely (název, velikost, rodina, kvantizace).
+| Soubor                        | Účel                                                                                                                                                                                                                                                         |
+| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `constants.ts`                | Objekt `PROVIDERS` se základními URL adresami, přihlašovacími údaji OAuth (výchozí), záhlavími a výchozími systémovými výzvami pro každého poskytovatele. Definuje také `HTTP_STATUS` , `ERROR_TYPES` , `COOLDOWN_MS` , `BACKOFF_CONFIG` a `SKIP_PATTERNS` . |
+| `credentialLoader.ts`         | Načte externí přihlašovací údaje z `data/provider-credentials.json` a sloučí je s pevně zakódovanými výchozími hodnotami v `PROVIDERS` . Uchovává tajné údaje mimo kontrolu zdrojového kódu a zároveň zachovává zpětnou kompatibilitu.                       |
+| `providerModels.ts`           | Centrální registr modelů: mapuje aliasy poskytovatelů → ID modelů. Funkce jako `getModels()` , `getProviderByAlias()` .                                                                                                                                      |
+| `codexInstructions.ts`        | Systémové instrukce vložené do požadavků Codexu (omezení úprav, pravidla sandboxu, zásady schvalování).                                                                                                                                                      |
+| `defaultThinkingSignature.ts` | Výchozí „myšlenkové“ podpisy pro modely Claude a Gemini.                                                                                                                                                                                                     |
+| `ollamaModels.ts`             | Definice schématu pro lokální Ollama modely (název, velikost, rodina, kvantizace).                                                                                                                                                                           |

 #### Postup načítání přihlašovacích údajů

@@ -194,17 +194,17 @@ classDiagram
    BaseExecutor <|-- GithubExecutor
 ```

-Vykonavatel | Poskytovatel | Klíčové specializace
--- | --- | ---
-`base.ts` | — | Abstraktní základ: tvorba URL adres, hlavičky, logika opakování, aktualizace přihlašovacích údajů
-`default.ts` | Claude, Gemini, OpenAI, GLM, Kimi, MiniMax | Aktualizace generického tokenu OAuth pro standardní poskytovatele
-`antigravity.ts` | Kód Google Cloud | Generování ID projektu/relace, záložní více URL adres, vlastní analýza opakovaných pokusů z chybových zpráv („reset po 2h7m23s“)
-`cursor.ts` | IDE kurzoru | **Nejsložitější** : autorizace kontrolního součtu SHA-256, kódování požadavků Protobuf, analýza binárních EventStream → SSE odpovědí
-`codex.ts` | Kodex OpenAI | Vkládá systémové instrukce, spravuje úrovně myšlení, odstraňuje nepodporované parametry
-`gemini-cli.ts` | Rozhraní příkazového řádku Google Gemini | Vytvoření vlastní URL adresy ( `streamGenerateContent` ), aktualizace tokenu Google OAuth
-`github.ts` | GitHub Copilot | Systém duálních tokenů (GitHub OAuth + Copilot token), napodobování hlaviček VSCode
-`kiro.ts` | AWS CodeWhisperer | Binární parsování AWS EventStream, rámce událostí AMZN, odhad tokenů
-`index.ts` | — | Továrna: název poskytovatele map → třída exekutoru s výchozím záložním nastavením
+| Vykonavatel      | Poskytovatel                               | Klíčové specializace                                                                                                                 |
+| ---------------- | ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------ |
+| `base.ts`        | —                                          | Abstraktní základ: tvorba URL adres, hlavičky, logika opakování, aktualizace přihlašovacích údajů                                    |
+| `default.ts`     | Claude, Gemini, OpenAI, GLM, Kimi, MiniMax | Aktualizace generického tokenu OAuth pro standardní poskytovatele                                                                    |
+| `antigravity.ts` | Kód Google Cloud                           | Generování ID projektu/relace, záložní více URL adres, vlastní analýza opakovaných pokusů z chybových zpráv („reset po 2h7m23s“)     |
+| `cursor.ts`      | IDE kurzoru                                | **Nejsložitější** : autorizace kontrolního součtu SHA-256, kódování požadavků Protobuf, analýza binárních EventStream → SSE odpovědí |
+| `codex.ts`       | OpenAI Codex                               | Vkládá systémové instrukce, spravuje úrovně myšlení, odstraňuje nepodporované parametry                                              |
+| `gemini-cli.ts`  | Google Gemini CLI                          | Vytvoření vlastní URL adresy ( `streamGenerateContent` ), aktualizace tokenu Google OAuth                                            |
+| `github.ts`      | GitHub Copilot                             | Systém duálních tokenů (GitHub OAuth + Copilot token), napodobování hlaviček VSCode                                                  |
+| `kiro.ts`        | AWS CodeWhisperer                          | Binární parsování AWS EventStream, rámce událostí AMZN, odhad tokenů                                                                 |
+| `index.ts`       | —                                          | Továrna: název poskytovatele map → třída exekutoru s výchozím záložním nastavením                                                    |

 ---

@@ -212,12 +212,12 @@ Vykonavatel | Poskytovatel | Klíčové specializace

 **Orchestrační vrstva** – koordinuje překlad, provádění, streamování a zpracování chyb.

-Soubor | Účel
--- | ---
-`chatCore.ts` | **Centrální orchestrátor** (~600 řádků). Zvládá kompletní životní cyklus požadavku: detekce formátu → překlad → odeslání exekutoru → streamovaná/nestreamovaná odpověď → aktualizace tokenu → zpracování chyb → protokolování využití.
-`responsesHandler.ts` | Adaptér pro OpenAI Responses API: převádí formát odpovědí → Dokončení chatu → odesílá do `chatCore` → převádí SSE zpět do formátu odpovědí.
-`embeddings.ts` | Obslužná rutina generování embeddingu: řeší model embeddingu → poskytovatele, odesílá do API poskytovatele, vrací odpověď na embedding kompatibilní s OpenAI. Podporuje 6+ poskytovatelů.
-`imageGeneration.ts` | Obslužná rutina generování obrázků: řeší model obrázku → poskytovatele, podporuje režimy kompatibilní s OpenAI, Gemini-image (Antigravity) a fallback (Nebius). Vrací obrázky v base64 nebo URL.
+| Soubor                | Účel                                                                                                                                                                                                                                   |
+| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `chatCore.ts`         | **Centrální orchestrátor** (~600 řádků). Zvládá kompletní životní cyklus požadavku: detekce formátu → překlad → odeslání exekutoru → streamovaná/nestreamovaná odpověď → aktualizace tokenu → zpracování chyb → protokolování využití. |
+| `responsesHandler.ts` | Adaptér pro OpenAI Responses API: převádí formát odpovědí → Dokončení chatu → odesílá do `chatCore` → převádí SSE zpět do formátu odpovědí.                                                                                            |
+| `embeddings.ts`       | Obslužná rutina generování embeddingu: řeší model embeddingu → poskytovatele, odesílá do API poskytovatele, vrací odpověď na embedding kompatibilní s OpenAI. Podporuje 6+ poskytovatelů.                                              |
+| `imageGeneration.ts`  | Obslužná rutina generování obrázků: řeší model obrázku → poskytovatele, podporuje režimy kompatibilní s OpenAI, Gemini-image (Antigravity) a fallback (Nebius). Vrací obrázky v base64 nebo URL.                                       |

 #### Životní cyklus požadavku (chatCore.ts)

@@ -262,22 +262,22 @@ sequenceDiagram

 Obchodní logika, která podporuje obslužné rutiny a vykonavatele.

-Soubor | Účel
--- | ---
-`provider.ts` | **Detekce formátu** ( `detectFormat` ): analyzuje strukturu těla požadavku a identifikuje formáty Claude/OpenAI/Gemini/Antigravity/Responses (včetně heuristiky `max_tokens` pro Claude). Dále: tvorba URL, tvorba hlaviček, normalizace konfigurace thinking. Podporuje dynamické poskytovatele kompatibilní `openai-compatible-*` a `anthropic-compatible-*` .
-`model.ts` | Analýza řetězců modelu ( `claude/model-name` → `{provider: "claude", model: "model-name"}` ), rozlišení aliasů s detekcí kolizí, sanitizace vstupu (odmítá průchod cestou/řídicí znaky) a rozlišení informací o modelu s podporou asynchronních metod pro získávání aliasů.
-`accountFallback.ts` | Ovládání limitů rychlosti: exponenciální upomínka (1 s → 2 s → 4 s → max. 2 min), správa doby zpoždění účtu, klasifikace chyb (které chyby spouštějí fallback a které ne).
-`tokenRefresh.ts` | Aktualizace tokenu OAuth pro **všechny poskytovatele** : Google (Gemini, Antigravity), Claude, Codex, Qwen, iFlow, GitHub (duální token OAuth + Copilot), Kiro (AWS SSO OIDC + sociální ověřování). Zahrnuje mezipaměť deduplikace promise za provozu a opakování s exponenciálním zpožděním.
-`combo.ts` | **Kombinované modely** : řetězce záložních modelů. Pokud model A selže s chybou způsobilou pro záložní model, zkuste model B, poté C atd. Vrací skutečné stavové kódy upstreamu.
-`usage.ts` | Načítá data o kvótách/využití z API poskytovatelů (kvóty GitHub Copilot, kvóty modelu Antigravity, limity rychlosti Codexu, rozpisy využití Kiro, nastavení Claude).
-`accountSelector.ts` | Inteligentní výběr účtu s algoritmem bodování: pro výběr optimálního účtu pro každý požadavek se zohledňuje priorita, zdravotní stav, pozice v systému round robin a stav ochlazování.
-`contextManager.ts` | Správa životního cyklu kontextu požadavku: vytváří a sleduje objekty kontextu pro každý požadavek s metadaty (ID požadavku, časová razítka, informace o poskytovateli) pro ladění a protokolování.
-`ipFilter.ts` | Řízení přístupu založené na IP adrese: podporuje režimy povolených seznamů a blokovaných seznamů. Před zpracováním požadavků API ověřuje IP adresu klienta podle nakonfigurovaných pravidel.
-`sessionManager.ts` | Sledování relací s otisky prstů klientů: sleduje aktivní relace pomocí hašovaných identifikátorů klientů, monitoruje počty požadavků a poskytuje metriky relací.
-`signatureCache.ts` | Mezipaměť deduplikace na základě signatur požadavků: zabraňuje duplicitním požadavkům ukládáním nedávných signatur požadavků do mezipaměti a vrácením odpovědí z mezipaměti pro identické požadavky v rámci časového okna.
-`systemPrompt.ts` | Globální vložení systémového výzvy: přidá konfigurovatelnou systémovou výzvu ke všem požadavkům s možností kompatibility pro jednotlivé poskytovatele.
-`thinkingBudget.ts` | Správa rozpočtu tokenů uvažování: podporuje režimy průchodu, automatický (konfigurace strip thinking), vlastní (pevný rozpočet) a adaptivní (měřítko složitosti) pro řízení tokenů myšlení/uvažování.
-`wildcardRouter.ts` | Směrování podle vzorů zástupných znaků: rozpoznává vzory zástupných znaků (např. `*/claude-*` ) na konkrétní páry poskytovatel/model na základě dostupnosti a priority.
+| Soubor               | Účel                                                                                                                                                                                                                                                                                                                                                             |
+| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `provider.ts`        | **Detekce formátu** ( `detectFormat` ): analyzuje strukturu těla požadavku a identifikuje formáty Claude/OpenAI/Gemini/Antigravity/Responses (včetně heuristiky `max_tokens` pro Claude). Dále: tvorba URL, tvorba hlaviček, normalizace konfigurace thinking. Podporuje dynamické poskytovatele kompatibilní `openai-compatible-*` a `anthropic-compatible-*` . |
+| `model.ts`           | Analýza řetězců modelu ( `claude/model-name` → `{provider: "claude", model: "model-name"}` ), rozlišení aliasů s detekcí kolizí, sanitizace vstupu (odmítá průchod cestou/řídicí znaky) a rozlišení informací o modelu s podporou asynchronních metod pro získávání aliasů.                                                                                      |
+| `accountFallback.ts` | Ovládání limitů rychlosti: exponenciální upomínka (1 s → 2 s → 4 s → max. 2 min), správa doby zpoždění účtu, klasifikace chyb (které chyby spouštějí fallback a které ne).                                                                                                                                                                                       |
+| `tokenRefresh.ts`    | Aktualizace tokenu OAuth pro **všechny poskytovatele** : Google (Gemini, Antigravity), Claude, Codex, Qwen, iFlow, GitHub (duální token OAuth + Copilot), Kiro (AWS SSO OIDC + sociální ověřování). Zahrnuje mezipaměť deduplikace promise za provozu a opakování s exponenciálním zpožděním.                                                                    |
+| `combo.ts`           | **Kombinované modely** : řetězce záložních modelů. Pokud model A selže s chybou způsobilou pro záložní model, zkuste model B, poté C atd. Vrací skutečné stavové kódy upstreamu.                                                                                                                                                                                 |
+| `usage.ts`           | Načítá data o kvótách/využití z API poskytovatelů (kvóty GitHub Copilot, kvóty modelu Antigravity, limity rychlosti Codexu, rozpisy využití Kiro, nastavení Claude).                                                                                                                                                                                             |
+| `accountSelector.ts` | Inteligentní výběr účtu s algoritmem bodování: pro výběr optimálního účtu pro každý požadavek se zohledňuje priorita, zdravotní stav, pozice v systému round robin a stav ochlazování.                                                                                                                                                                           |
+| `contextManager.ts`  | Správa životního cyklu kontextu požadavku: vytváří a sleduje objekty kontextu pro každý požadavek s metadaty (ID požadavku, časová razítka, informace o poskytovateli) pro ladění a protokolování.                                                                                                                                                               |
+| `ipFilter.ts`        | Řízení přístupu založené na IP adrese: podporuje režimy povolených seznamů a blokovaných seznamů. Před zpracováním požadavků API ověřuje IP adresu klienta podle nakonfigurovaných pravidel.                                                                                                                                                                     |
+| `sessionManager.ts`  | Sledování relací s otisky prstů klientů: sleduje aktivní relace pomocí hašovaných identifikátorů klientů, monitoruje počty požadavků a poskytuje metriky relací.                                                                                                                                                                                                 |
+| `signatureCache.ts`  | Mezipaměť deduplikace na základě signatur požadavků: zabraňuje duplicitním požadavkům ukládáním nedávných signatur požadavků do mezipaměti a vrácením odpovědí z mezipaměti pro identické požadavky v rámci časového okna.                                                                                                                                       |
+| `systemPrompt.ts`    | Globální vložení systémového výzvy: přidá konfigurovatelnou systémovou výzvu ke všem požadavkům s možností kompatibility pro jednotlivé poskytovatele.                                                                                                                                                                                                           |
+| `thinkingBudget.ts`  | Správa rozpočtu tokenů uvažování: podporuje režimy průchodu, automatický (konfigurace strip thinking), vlastní (pevný rozpočet) a adaptivní (měřítko složitosti) pro řízení tokenů myšlení/uvažování.                                                                                                                                                            |
+| `wildcardRouter.ts`  | Směrování podle vzorů zástupných znaků: rozpoznává vzory zástupných znaků (např. `*/claude-*` ) na konkrétní páry poskytovatel/model na základě dostupnosti a priority.                                                                                                                                                                                          |

 #### Deduplikace obnovení tokenů

@@ -374,13 +374,13 @@ graph TD
    end
 ```

-Adresář | Soubory | Popis
--- | --- | ---
-`request/` | 8 překladatelů | Převod těl požadavků mezi formáty. Každý soubor se při importu sám zaregistruje pomocí `register(from, to, fn)` .
-`response/` | 7 překladatelů | Převádí bloky odpovědí streamovaných dat mezi formáty. Zpracovává typy událostí SSE, myšlenkové bloky a volání nástrojů.
-`helpers/` | 6 pomocníků | Sdílené utility: `claudeHelper` (extrakce systémových prompts, thinking config), `geminiHelper` (mapování částí/obsahu), `openaiHelper` (filtrování formátů), `toolCallHelper` (generování ID, vkládání chybějících odpovědí), `maxTokensHelper` , `responsesApiHelper` .
-`index.ts` | — | Překladový engine: `translateRequest()` , `translateResponse()` , správa stavu, registr.
-`formats.ts` | — | Formátovací konstanty: `OPENAI` , `CLAUDE` , `GEMINI` , `ANTIGRAVITY` , `KIRO` , `CURSOR` , `OPENAI_RESPONSES` .
+| Adresář      | Soubory        | Popis                                                                                                                                                                                                                                                                     |
+| ------------ | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `request/`   | 8 překladatelů | Převod těl požadavků mezi formáty. Každý soubor se při importu sám zaregistruje pomocí `register(from, to, fn)` .                                                                                                                                                         |
+| `response/`  | 7 překladatelů | Převádí bloky odpovědí streamovaných dat mezi formáty. Zpracovává typy událostí SSE, myšlenkové bloky a volání nástrojů.                                                                                                                                                  |
+| `helpers/`   | 6 pomocníků    | Sdílené utility: `claudeHelper` (extrakce systémových prompts, thinking config), `geminiHelper` (mapování částí/obsahu), `openaiHelper` (filtrování formátů), `toolCallHelper` (generování ID, vkládání chybějících odpovědí), `maxTokensHelper` , `responsesApiHelper` . |
+| `index.ts`   | —              | Překladový engine: `translateRequest()` , `translateResponse()` , správa stavu, registr.                                                                                                                                                                                  |
+| `formats.ts` | —              | Formátovací konstanty: `OPENAI` , `CLAUDE` , `GEMINI` , `ANTIGRAVITY` , `KIRO` , `CURSOR` , `OPENAI_RESPONSES` .                                                                                                                                                          |

 #### Klíčový design: Samoregistrující se pluginy

@@ -397,15 +397,15 @@ import "./request/claude-to-openai.js"; // ← self-registers

 ### 4.6 Nástroje ( `open-sse/utils/` )

-Soubor | Účel
--- | ---
-`error.ts` | Vytváření chybové odezvy (formát kompatibilní s OpenAI), parsování chyb v upstreamu, extrakce doby opakování Antigravity z chybových zpráv, streamování chyb SSE.
-`stream.ts` | **SSE Transform Stream** — základní streamovací kanál. Dva režimy: `TRANSLATE` (plný překlad formátu) a `PASSTHROUGH` (normalizace + extrakce využití). Zpracovává ukládání bloků do vyrovnávací paměti, odhad využití a sledování délky obsahu. Instance kodéru/dekodéru pro každý stream se vyhýbají sdílenému stavu.
-`streamHelpers.ts` | Nízkoúrovňové utility SSE: `parseSSELine` (tolerantní k bílým znakům), `hasValuableContent` (filtruje prázdné segmenty pro OpenAI/Claude/Gemini), `fixInvalidId` , `formatSSE` (serializace SSE s ohledem na formát s čištěním `perf_metrics` ).
-`usageTracking.ts` | Extrakce využití tokenů z libovolného formátu (Claude/OpenAI/Gemini/Responses), odhad s oddělenými poměry znaků na token pro jednotlivé nástroje/zprávy, přidání vyrovnávací paměti (bezpečnostní rezerva 2000 tokenů), filtrování polí specifických pro formát, protokolování konzole s barvami ANSI.
-`requestLogger.ts` | Protokolování požadavků na základě souborů (přihlášení pomocí `ENABLE_REQUEST_LOGS=true` ). Vytváří složky relací s očíslovanými soubory: `1_req_client.json` → `7_res_client.txt` . Veškeré I/O operace jsou asynchronní (aktivní a zapomenutý). Maskuje citlivé hlavičky.
-`bypassHandler.ts` | Zachycuje specifické vzory z Claude CLI (extrakce názvu, zahřívání, počet) a vrací falešné odpovědi bez volání jakéhokoli poskytovatele. Podporuje streamování i nestreamování. Záměrně omezeno na rozsah Claude CLI.
-`networkProxy.ts` | Rozpozná URL odchozí proxy pro daného poskytovatele s prioritou: konfigurace specifická pro poskytovatele → globální konfigurace → proměnné prostředí ( `HTTPS_PROXY` / `HTTP_PROXY` / `ALL_PROXY` ). Podporuje výjimky `NO_PROXY` . Ukládá konfiguraci do mezipaměti po dobu 30 sekund.
+| Soubor             | Účel                                                                                                                                                                                                                                                                                                                    |
+| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `error.ts`         | Vytváření chybové odezvy (formát kompatibilní s OpenAI), parsování chyb v upstreamu, extrakce doby opakování Antigravity z chybových zpráv, streamování chyb SSE.                                                                                                                                                       |
+| `stream.ts`        | **SSE Transform Stream** — základní streamovací kanál. Dva režimy: `TRANSLATE` (plný překlad formátu) a `PASSTHROUGH` (normalizace + extrakce využití). Zpracovává ukládání bloků do vyrovnávací paměti, odhad využití a sledování délky obsahu. Instance kodéru/dekodéru pro každý stream se vyhýbají sdílenému stavu. |
+| `streamHelpers.ts` | Nízkoúrovňové utility SSE: `parseSSELine` (tolerantní k bílým znakům), `hasValuableContent` (filtruje prázdné segmenty pro OpenAI/Claude/Gemini), `fixInvalidId` , `formatSSE` (serializace SSE s ohledem na formát s čištěním `perf_metrics` ).                                                                        |
+| `usageTracking.ts` | Extrakce využití tokenů z libovolného formátu (Claude/OpenAI/Gemini/Responses), odhad s oddělenými poměry znaků na token pro jednotlivé nástroje/zprávy, přidání vyrovnávací paměti (bezpečnostní rezerva 2000 tokenů), filtrování polí specifických pro formát, protokolování konzole s barvami ANSI.                  |
+| `requestLogger.ts` | Protokolování požadavků na základě souborů (přihlášení pomocí `ENABLE_REQUEST_LOGS=true` ). Vytváří složky relací s očíslovanými soubory: `1_req_client.json` → `7_res_client.txt` . Veškeré I/O operace jsou asynchronní (aktivní a zapomenutý). Maskuje citlivé hlavičky.                                             |
+| `bypassHandler.ts` | Zachycuje specifické vzory z Claude CLI (extrakce názvu, zahřívání, počet) a vrací falešné odpovědi bez volání jakéhokoli poskytovatele. Podporuje streamování i nestreamování. Záměrně omezeno na rozsah Claude CLI.                                                                                                   |
+| `networkProxy.ts`  | Rozpozná URL odchozí proxy pro daného poskytovatele s prioritou: konfigurace specifická pro poskytovatele → globální konfigurace → proměnné prostředí ( `HTTPS_PROXY` / `HTTP_PROXY` / `ALL_PROXY` ). Podporuje výjimky `NO_PROXY` . Ukládá konfiguraci do mezipaměti po dobu 30 sekund.                                |

 #### Streamovací kanál SSE

@@ -449,32 +449,32 @@ logs/

 ### 4.7 Aplikační vrstva ( `src/` )

-Adresář | Účel
--- | ---
-`src/app/` | Webové uživatelské rozhraní, trasy API, middleware Express, obslužné rutiny zpětných volání OAuth
-`src/lib/` | Přístup k databázi ( `localDb.ts` , `usageDb.ts` ), ověřování, sdílení
-`src/mitm/` | Nástroje proxy typu „man-in-the-middle“ pro zachycení provozu poskytovatelů
-`src/models/` | Definice modelů databáze
-`src/shared/` | Obálky kolem funkcí open-sse (provider, stream, error atd.)
-`src/sse/` | Obslužné rutiny koncových bodů SSE, které propojují knihovnu open-sse s trasami Express
-`src/store/` | Správa stavu aplikací
+| Adresář       | Účel                                                                                              |
+| ------------- | ------------------------------------------------------------------------------------------------- |
+| `src/app/`    | Webové uživatelské rozhraní, trasy API, middleware Express, obslužné rutiny zpětných volání OAuth |
+| `src/lib/`    | Přístup k databázi ( `localDb.ts` , `usageDb.ts` ), ověřování, sdílení                            |
+| `src/mitm/`   | Nástroje proxy typu „man-in-the-middle“ pro zachycení provozu poskytovatelů                       |
+| `src/models/` | Definice modelů databáze                                                                          |
+| `src/shared/` | Obálky kolem funkcí open-sse (provider, stream, error atd.)                                       |
+| `src/sse/`    | Obslužné rutiny koncových bodů SSE, které propojují knihovnu open-sse s trasami Express           |
+| `src/store/`  | Správa stavu aplikací                                                                             |

 #### Významné trasy API

-Trasa | Metody | Účel
--- | --- | ---
-`/api/provider-models` | ZÍSKAT/ODESLAT/SMAZAT | CRUD pro vlastní modely na poskytovatele
-`/api/models/catalog` | ZÍSKAT | Agregovaný katalog všech modelů (chat, embedding, image, custom) seskupených podle poskytovatele
-`/api/settings/proxy` | ZÍSKAT/VLOŽIT/ODSTRANIT | Konfigurace hierarchické odchozí proxy ( `global/providers/combos/keys` )
-`/api/settings/proxy/test` | ZVEŘEJNIT | Ověřuje připojení proxy a vrací veřejnou IP adresu/latenci
-`/v1/providers/[provider]/chat/completions` | ZVEŘEJNIT | Vyhrazené dokončování chatu pro jednotlivé poskytovatele s ověřováním modelu
-`/v1/providers/[provider]/embeddings` | ZVEŘEJNIT | Vyhrazené vkládání pro jednotlivé poskytovatele s ověřováním modelu
-`/v1/providers/[provider]/images/generations` | ZVEŘEJNIT | Vyhrazené generování obrázků pro každého poskytovatele s ověřováním modelu
-`/api/settings/ip-filter` | ZÍSKAT/VLOŽIT | Správa povolených/blokovaných IP adres
-`/api/settings/thinking-budget` | ZÍSKAT/VLOŽIT | Konfigurace rozpočtu tokenů zdůvodnění (průchozí/automatická/vlastní/adaptivní)
-`/api/settings/system-prompt` | ZÍSKAT/VLOŽIT | Globální vložení systémového promptu pro všechny požadavky
-`/api/sessions` | ZÍSKAT | Sledování a metriky aktivních relací
-`/api/rate-limits` | ZÍSKAT | Stav limitu sazby na účet
+| Trasa                                         | Metody          | Účel                                                                                             |
+| --------------------------------------------- | --------------- | ------------------------------------------------------------------------------------------------ |
+| `/api/provider-models`                        | GET/POST/DELETE | CRUD pro vlastní modely na poskytovatele                                                         |
+| `/api/models/catalog`                         | GET             | Agregovaný katalog všech modelů (chat, embedding, image, custom) seskupených podle poskytovatele |
+| `/api/settings/proxy`                         | GET/PUT/DELETE  | Konfigurace hierarchické odchozí proxy ( `global/providers/combos/keys` )                        |
+| `/api/settings/proxy/test`                    | POST            | Ověřuje připojení proxy a vrací veřejnou IP adresu/latenci                                       |
+| `/v1/providers/[provider]/chat/completions`   | POST            | Vyhrazené dokončování chatu pro jednotlivé poskytovatele s ověřováním modelu                     |
+| `/v1/providers/[provider]/embeddings`         | POST            | Vyhrazené vkládání pro jednotlivé poskytovatele s ověřováním modelu                              |
+| `/v1/providers/[provider]/images/generations` | POST            | Vyhrazené generování obrázků pro každého poskytovatele s ověřováním modelu                       |
+| `/api/settings/ip-filter`                     | GET/PUT         | Správa povolených/blokovaných IP adres                                                           |
+| `/api/settings/thinking-budget`               | GET/PUT         | Konfigurace rozpočtu tokenů zdůvodnění (průchozí/automatická/vlastní/adaptivní)                  |
+| `/api/settings/system-prompt`                 | GET/PUT         | Globální vložení systémového promptu pro všechny požadavky                                       |
+| `/api/sessions`                               | GET             | Sledování a metriky aktivních relací                                                             |
+| `/api/rate-limits`                            | GET             | Stav limitu sazby na účet                                                                        |

 ---

@@ -512,38 +512,38 @@ K hlášenému využití je přidána vyrovnávací paměť o kapacitě 2000 tok

 ## 6. Podporované formáty

-Formát | Směr | Identifikátor
--- | --- | ---
-Dokončení chatu OpenAI | zdroj + cíl | `openai`
-API pro odpovědi OpenAI | zdroj + cíl | `openai-responses`
-Antropický Claude | zdroj + cíl | `claude`
-Google Gemini | zdroj + cíl | `gemini`
-Rozhraní příkazového řádku Google Gemini | pouze cíl | `gemini-cli`
-Antigravitace | zdroj + cíl | `antigravity`
-AWS Kiro | pouze cíl | `kiro`
-Kurzor | pouze cíl | `cursor`
+| Formát                  | Směr        | Identifikátor      |
+| ----------------------- | ----------- | ------------------ |
+| OpenAI Chat Completions | zdroj + cíl | `openai`           |
+| OpenAI Responses API    | zdroj + cíl | `openai-responses` |
+| Anthropic Claude        | zdroj + cíl | `claude`           |
+| Google Gemini           | zdroj + cíl | `gemini`           |
+| Google Gemini CLI       | jen cíl     | `gemini-cli`       |
+| Antigravity             | zdroj + cíl | `antigravity`      |
+| AWS Kiro                | jen cíl     | `kiro`             |
+| Cursor                  | jen cíl     | `cursor`           |

 ---

 ## 7. Podporovaní poskytovatelé

-Poskytovatel | Metoda ověřování | Vykonavatel | Klíčové poznámky
--- | --- | --- | ---
-Antropický Claude | Klíč API nebo OAuth | Výchozí | Používá hlavičku `x-api-key`
-Google Gemini | Klíč API nebo OAuth | Výchozí | Používá hlavičku `x-goog-api-key`
-Rozhraní příkazového řádku Google Gemini | OAuth | GeminiCLI | Používá koncový bod `streamGenerateContent`
-Antigravitace | OAuth | Antigravitace | Záložní více URL adres, vlastní analýza opakovaných pokusů
-OpenAI | Klíč API | Výchozí | Autorizace standardního nosiče
-Kodex | OAuth | Kodex | Vkládá systémové instrukce, řídí myšlení
-GitHub Copilot | OAuth + token Copilot | Github | Duální token, napodobování záhlaví VSCode
-Kiro (AWS) | AWS SSO OIDC nebo sociální sítě | Kiro | Analýza binárního EventStreamu
-IDE kurzoru | Autorizace kontrolního součtu | Kurzor | Kódování Protobuf, kontrolní součty SHA-256
-Qwen | OAuth | Výchozí | Standardní ověřování
-iFlow | OAuth (základní + nosič) | Výchozí | Duální hlavička pro autorizaci
-OpenRouter | Klíč API | Výchozí | Autorizace standardního nosiče
-GLM, Kimi, MiniMax | Klíč API | Výchozí | Kompatibilní s Claude, použijte `x-api-key`
-`openai-compatible-*` | Klíč API | Výchozí | Dynamické: jakýkoli koncový bod kompatibilní s OpenAI
-`anthropic-compatible-*` | Klíč API | Výchozí | Dynamický: jakýkoli koncový bod kompatibilní s Claude
+| Poskytovatel             | Metoda ověřování         | Vykonavatel | Klíčové poznámky                             |
+| ------------------------ | ------------------------ | ----------- | -------------------------------------------- |
+| Anthropic Claude         | API klíč nebo OAuth      | Výchozí     | Používá hlavičku `x-api-key`                 |
+| Google Gemini            | API klíč nebo OAuth      | Výchozí     | Používá hlavičku `x-goog-api-key`            |
+| Google Gemini CLI        | OAuth                    | GeminiCLI   | Používá koncový bod `streamGenerateContent`  |
+| Antigravity              | OAuth                    | Antigravity | Záložní více URL, analýza opakovaných pokusů |
+| OpenAI                   | API klíč                 | Výchozí     | Autorizace standardního nosiče               |
+| Codex                    | OAuth                    | Codex       | Vkládá systémové instrukce, řídí myšlení     |
+| GitHub Copilot           | OAuth + Copilot token    | Github      | Duální token, napodobování záhlaví VSCode    |
+| Kiro (AWS)               | AWS SSO OIDC nebo Social | Kiro        | Analýza binárního EventStreamu               |
+| Cursor IDE               | Checksum auth            | Cursor      | Kódování Protobuf, kontrolní součty SHA-256  |
+| Qwen                     | OAuth                    | Výchozí     | Standardní ověřování                         |
+| iFlow                    | OAuth (Basic + Bearer)   | Výchozí     | Duální hlavička pro autorizaci               |
+| OpenRouter               | API klíč                 | Výchozí     | Autorizace standardního nosiče               |
+| GLM, Kimi, MiniMax       | API klíč                 | Výchozí     | Kompatibilní s Claude, použijte `x-api-key`  |
+| `openai-compatible-*`    | API klíč                 | Výchozí     | Dynamické: jakýkoli OpenAI kompatibilní      |
+| `anthropic-compatible-*` | API klíč                 | Výchozí     | Dynamické: jakýkoli Claude kompatibilní      |

 ---

@@ -20,30 +20,30 @@ Kompletní průvodce konfigurací poskytovatelů, vytvářením kombinací, inte

 ## 💰 Přehled cen

-Úroveň | Poskytovatel | Náklady | Obnovení kvóty | Nejlepší pro
--- | --- | --- | --- | ---
-**💳 PŘEDPLATNÉ** | Claude Code (profesionál) | 20 dolarů měsíčně | 5 hodin + týdně | Již přihlášen/a k odběru
- | Kodex (Plus/Pro) | 20–200 USD/měsíc | 5 hodin + týdně | Uživatelé OpenAI
- | Rozhraní příkazového řádku Gemini | **UVOLNIT** | 180 tisíc měsíčně + 1 tisíc denně | Každý!
- | GitHub Copilot | 10–19 USD/měsíc | Měsíční | Uživatelé GitHubu
-**🔑 KLÍČ API** | Hluboké vyhledávání | Platba za použití | Žádný | Laciné uvažování
- | Groq | Platba za použití | Žádný | Ultrarychlá inference
- | xAI (Grok) | Platba za použití | Žádný | Grok 4 uvažování
- | Mistral | Platba za použití | Žádný | Modely hostované v EU
- | Zmatek | Platba za použití | Žádný | Rozšířené vyhledávání
- | Společně s umělou inteligencí | Platba za použití | Žádný | Modely s otevřeným zdrojovým kódem
- | Ohňostroj s umělou inteligencí | Platba za použití | Žádný | Rychlé snímky FLUX
- | Mozky | Platba za použití | Žádný | Rychlost v měřítku destičky
- | Soudržný | Platba za použití | Žádný | Příkaz R+ RAG
- | NVIDIA NIM | Platba za použití | Žádný | Podnikové modely
-**💰 LEVNÉ** | GLM-4.7 | 0,6 USD/1 milion | Denně v 10:00 | Záloha rozpočtu
- | MiniMax M2.1 | 0,2 USD/1 milion | 5hodinové válcování | Nejlevnější varianta
- | Kimi K2 | 9 dolarů měsíčně bez závazků | 10 milionů tokenů/měsíc | Předvídatelné náklady
-**🆓 ZDARMA** | iFlow | 0 dolarů | Neomezený | 8 modelů zdarma
- | Qwen | 0 dolarů | Neomezený | 3 modely zdarma
- | Kiro | 0 dolarů | Neomezený | Claude zdarma
+| Úroveň            | Poskytovatel      | Náklady          | Obnovení kvóty      | Nejlepší pro               |
+| ----------------- | ----------------- | ---------------- | ------------------- | -------------------------- |
+| **💳 PŘEDPLATNÉ** | Claude Code (pro) | 20 USD měsíc     | 5h + týdně          | Již přihlášené             |
+|                   | Kodex (Plus/Pro)  | 20–200 USD/měsíc | 5h + týdně          | Uživatele OpenAI           |
+|                   | Gemini CLI        | **ZDARMA**       | 180K/mo + 1K/den    | Každého!                   |
+|                   | GitHub Copilot    | 10–19 USD/měsíc  | Měsíční             | Uživatele GitHubu          |
+| **🔑 KLÍČ API**   | DeepSeek          | Dle užití        | Žádné               | Laciné uvažování           |
+|                   | Groq              | Dle užití        | Žádné               | Ultrarychlá inference      |
+|                   | xAI (Grok)        | Dle užití        | Žádné               | Grok 4 uvažování           |
+|                   | Mistral           | Dle užití        | Žádné               | Modely hostované v EU      |
+|                   | Perplexity        | Dle užití        | Žádné               | Rozšířené vyhledávání      |
+|                   | Together AI       | Dle užití        | Žádné               | Open Source modely         |
+|                   | Fireworks AI      | Dle užití        | Žádné               | Rychlé FLUX obrázky        |
+|                   | Cerebras          | Dle užití        | Žádné               | Rychlost destičkového čipu |
+|                   | Cohere            | Dle užití        | Žádné               | Command R+ RAG             |
+|                   | NVIDIA NIM        | Dle užití        | Žádné               | Podnikové modely           |
+| **💰 LEVNÉ**      | GLM-4.7           | $0.6/1M          | Denně 10:00         | Levná záloha               |
+|                   | MiniMax M2.1      | $0.2/1M          | 5hodinové válcování | Nejlevnější varianta       |
+|                   | Kimi K2           | 9 USD měsíc      | 10M tokens/měsíc    | Předvídatelné náklady      |
+| **🆓 ZDARMA**     | iFlow             | $0               | Neomezený           | 8 modelů zdarma            |
+|                   | Qwen              | $0               | Neomezený           | 3 modely zdarma            |
+|                   | Kiro              | $0               | Neomezený           | Claude zdarma              |

-**💡 Tip pro profesionály:** Začněte s kombinací Gemini CLI (180 tisíc zdarma/měsíc) + iFlow (neomezeně zdarma) = 0 dolarů!
+**💡 Pro Tip:** Začněte s kombinací Gemini CLI (180K zdarma/měsíc) + iFlow (neomezeně zdarma) = $0!

 ---

@@ -271,7 +271,7 @@ Upravit `~/.claude/config.json` :
 }
 ```

-### CLI Codexu
+### Codex CLI

 ```bash
 export OPENAI_BASE_URL="http://localhost:20128"
@@ -335,7 +335,7 @@ omniroute
 omniroute --port 3000
 ```

-Rozhraní příkazového řádku automaticky načte `.env` z adresáře `~/.omniroute/.env` nebo `./.env` .
+CLI automaticky načte `.env` z adresáře `~/.omniroute/.env` nebo `./.env` .

 ### Nasazení VPS

@@ -407,23 +407,23 @@ Informace o režimu integrovaném s hostitelem s binárními soubory CLI nalezne

 ### Proměnné prostředí

-Proměnná | Výchozí | Popis
--- | --- | ---
-`JWT_SECRET` | `omniroute-default-secret-change-me` | Tajný klíč podpisu JWT ( **změna v produkčním prostředí** )
-`INITIAL_PASSWORD` | `123456` | První přihlašovací heslo
-`DATA_DIR` | `~/.omniroute` | Datový adresář (db, využití, protokoly)
-`PORT` | výchozí nastavení rámce | Servisní port ( `20128` v příkladech)
-`HOSTNAME` | výchozí nastavení rámce | Vázat hostitele (Docker má výchozí hodnotu `0.0.0.0` )
-`NODE_ENV` | výchozí nastavení za běhu | Nastavení `production` pro nasazení
-`BASE_URL` | `http://localhost:20128` | Interní základní URL na straně serveru
-`CLOUD_URL` | `https://omniroute.dev` | Základní adresa URL koncového bodu synchronizace s cloudem
-`API_KEY_SECRET` | `endpoint-proxy-api-key-secret` | Tajný klíč HMAC pro generované klíče API
-`REQUIRE_API_KEY` | `false` | Vynutit klíč rozhraní Bearer API na `/v1/*`
-`ENABLE_REQUEST_LOGS` | `false` | Povoluje protokolování požadavků/odpovědí
-`AUTH_COOKIE_SECURE` | `false` | Vynutit soubor cookie `Secure` ověřování (za reverzní proxy HTTPS)
-`OMNIROUTE_MEMORY_MB` | `512` | Limit haldy Node.js v MB
-`PROMPT_CACHE_MAX_SIZE` | `50` | Maximální počet položek mezipaměti výzev
-`SEMANTIC_CACHE_MAX_SIZE` | `100` | Maximální počet položek sémantické mezipaměti
+| Proměnná                  | Výchozí                              | Popis                                                              |
+| ------------------------- | ------------------------------------ | ------------------------------------------------------------------ |
+| `JWT_SECRET`              | `omniroute-default-secret-change-me` | Tajný klíč podpisu JWT ( **změna v produkčním prostředí** )        |
+| `INITIAL_PASSWORD`        | `123456`                             | První přihlašovací heslo                                           |
+| `DATA_DIR`                | `~/.omniroute`                       | Datový adresář (db, využití, protokoly)                            |
+| `PORT`                    | výchozí nastavení rámce              | Servisní port ( `20128` v příkladech)                              |
+| `HOSTNAME`                | výchozí nastavení rámce              | Vázat hostitele (Docker má výchozí hodnotu `0.0.0.0` )             |
+| `NODE_ENV`                | výchozí nastavení za běhu            | Nastavení `production` pro nasazení                                |
+| `BASE_URL`                | `http://localhost:20128`             | Interní základní URL na straně serveru                             |
+| `CLOUD_URL`               | `https://omniroute.dev`              | Základní adresa URL koncového bodu synchronizace s cloudem         |
+| `API_KEY_SECRET`          | `endpoint-proxy-api-key-secret`      | Tajný klíč HMAC pro generované klíče API                           |
+| `REQUIRE_API_KEY`         | `false`                              | Vynutit klíč rozhraní Bearer API na `/v1/*`                        |
+| `ENABLE_REQUEST_LOGS`     | `false`                              | Povoluje protokolování požadavků/odpovědí                          |
+| `AUTH_COOKIE_SECURE`      | `false`                              | Vynutit soubor cookie `Secure` ověřování (za reverzní proxy HTTPS) |
+| `OMNIROUTE_MEMORY_MB`     | `512`                                | Limit haldy Node.js v MB                                           |
+| `PROMPT_CACHE_MAX_SIZE`   | `50`                                 | Maximální počet položek mezipaměti výzev                           |
+| `SEMANTIC_CACHE_MAX_SIZE` | `100`                                | Maximální počet položek sémantické mezipaměti                      |

 Úplný přehled proměnných prostředí naleznete v souboru [README](../README.md) .

@@ -439,7 +439,7 @@ Proměnná | Výchozí | Popis

 **Codex ( `cx/` )** — Plus/Pro: `cx/gpt-5.2-codex` , `cx/gpt-5.1-codex-max`

-**Rozhraní příkazového řádku Gemini ( `gc/` )** — ZDARMA: `gc/gemini-3-flash-preview` , `gc/gemini-2.5-pro`
+**Gemini CLI ( `gc/` )** — ZDARMA: `gc/gemini-3-flash-preview` , `gc/gemini-2.5-pro`

 **GitHub Copilot ( `gh/` )** : `gh/gpt-5` , `gh/claude-4.5-sonnet`

@@ -473,9 +473,6 @@ Proměnná | Výchozí | Popis

 **NVIDIA NIM ( `nvidia/` )** : `nvidia/nvidia/llama-3.3-70b-instruct`

-
-
-
 ---

 ## 🧩 Pokročilé funkce
@@ -552,12 +549,12 @@ Vrátí modely seskupené podle poskytovatele s typy ( `chat` , `embedding` , `i

 Přístup přes **Dashboard → Translator** . Ladění a vizualizace toho, jak OmniRoute překládá požadavky API mezi poskytovateli.

-Režim | Účel
--- | ---
-**Dětské hřiště** | Vyberte zdrojový/cílový formát, vložte požadavek a okamžitě si prohlédněte přeložený výstup
-**Tester chatu** | Odesílejte zprávy živého chatu přes proxy a kontrolujte celý cyklus požadavku/odpovědi
-**Zkušební stolice** | Spusťte dávkové testy napříč různými kombinacemi formátů pro ověření správnosti překladu
-**Živý monitor** | Sledujte překlady v reálném čase, jak požadavky procházejí proxy serverem
+| Režim                | Účel                                                                                        |
+| -------------------- | ------------------------------------------------------------------------------------------- |
+| **Dětské hřiště**    | Vyberte zdrojový/cílový formát, vložte požadavek a okamžitě si prohlédněte přeložený výstup |
+| **Tester chatu**     | Odesílejte zprávy živého chatu přes proxy a kontrolujte celý cyklus požadavku/odpovědi      |
+| **Zkušební stolice** | Spusťte dávkové testy napříč různými kombinacemi formátů pro ověření správnosti překladu    |
+| **Živý monitor**     | Sledujte překlady v reálném čase, jak požadavky procházejí proxy serverem                   |

 **Případy použití:**

@@ -571,14 +568,14 @@ Režim | Účel

 Konfigurace přes **Dashboard → Nastavení → Routing** .

-Strategie | Popis
--- | ---
-**Nejprve vyplňte** | Používá účty podle priority – primární účet zpracovává všechny požadavky, dokud není k dispozici.
-**Round Robin** | Cykluje mezi všemi účty s nastavitelným trvalým limitem (výchozí: 3 volání na účet)
-**P2C (Síla dvou možností)** | Vybere 2 náhodné účty a nasměruje je k tomu zdravějšímu – vyvažuje zátěž s povědomím o zdraví
-**Náhodný** | Náhodně vybere účet pro každý požadavek pomocí Fisher-Yatesova náhodného výběru.
-**Nejméně používané** | Směruje k účtu s nejstarším časovým razítkem `lastUsedAt` a rovnoměrně rozděluje provoz.
-**Optimalizované náklady** | Směruje k účtu s nejnižší prioritou a optimalizuje pro poskytovatele s nejnižšími náklady.
+| Strategie                    | Popis                                                                                             |
+| ---------------------------- | ------------------------------------------------------------------------------------------------- |
+| **Nejprve vyplňte**          | Používá účty podle priority – primární účet zpracovává všechny požadavky, dokud není k dispozici. |
+| **Round Robin**              | Cykluje mezi všemi účty s nastavitelným trvalým limitem (výchozí: 3 volání na účet)               |
+| **P2C (Síla dvou možností)** | Vybere 2 náhodné účty a nasměruje je k tomu zdravějšímu – vyvažuje zátěž s povědomím o zdraví     |
+| **Náhodný**                  | Náhodně vybere účet pro každý požadavek pomocí Fisher-Yatesova náhodného výběru.                  |
+| **Nejméně používané**        | Směruje k účtu s nejstarším časovým razítkem `lastUsedAt` a rovnoměrně rozděluje provoz.          |
+| **Optimalizované náklady**   | Směruje k účtu s nejnižší prioritou a optimalizuje pro poskytovatele s nejnižšími náklady.        |

 #### Aliasy zástupných znaků modelů

@@ -611,24 +608,21 @@ Konfigurace přes **Dashboard → Settings → Resilience** .
 OmniRoute implementuje odolnost na úrovni poskytovatele se čtyřmi komponentami:

 1. **Profily poskytovatelů** – Konfigurace pro jednotlivé poskytovatele pro:
-
-    - Práh selhání (počet selhání před otevřením)
-    - Doba zchlazení
-    - Citlivost detekce limitu frekvence
-    - Exponenciální backoff parametry
+   - Práh selhání (počet selhání před otevřením)
+   - Doba zchlazení
+   - Citlivost detekce limitu frekvence
+   - Exponenciální backoff parametry

 2. **Upravitelné limity rychlosti** – Výchozí nastavení na úrovni systému konfigurovatelná na řídicím panelu:
-
-    - **Požadavky za minutu (RPM)** — Maximální počet požadavků za minutu na účet
-    - **Minimální doba mezi požadavky** — Minimální mezera v milisekundách mezi požadavky
-    - **Max. počet souběžných požadavků** — Maximální počet souběžných požadavků na účet
-    - Klikněte na **Upravit** pro úpravu a poté **na Uložit** nebo **Zrušit** . Hodnoty se ukládají prostřednictvím rozhraní API pro odolnost.
+   - **Požadavky za minutu (RPM)** — Maximální počet požadavků za minutu na účet
+   - **Minimální doba mezi požadavky** — Minimální mezera v milisekundách mezi požadavky
+   - **Max. počet souběžných požadavků** — Maximální počet souběžných požadavků na účet
+   - Klikněte na **Upravit** pro úpravu a poté **na Uložit** nebo **Zrušit** . Hodnoty se ukládají prostřednictvím rozhraní API pro odolnost.

 3. **Jistič** – Sleduje poruchy u jednotlivých poskytovatelů a automaticky rozpojuje obvod, když je dosaženo prahové hodnoty:
-
-    - **ZAVŘENO** (v pořádku) – Požadavky probíhají normálně.
-    - **OTEVŘENO** — Poskytovatel je dočasně zablokován po opakovaných selháních
-    - **HALF_OPEN** — Testování, zda se poskytovatel zotavil
+   - **ZAVŘENO** (v pořádku) – Požadavky probíhají normálně.
+   - **OTEVŘENO** — Poskytovatel je dočasně zablokován po opakovaných selháních
+   - **HALF_OPEN** — Testování, zda se poskytovatel zotavil

 4. **Zásady a uzamčené identifikátory** – Zobrazuje stav jističe a uzamčené identifikátory s možností vynuceného odemčení.

@@ -642,11 +636,11 @@ OmniRoute implementuje odolnost na úrovni poskytovatele se čtyřmi komponentam

 Správa záloh databáze se provádí v **nabídce Ovládací panel → Nastavení → Systém a úložiště** .

-Akce | Popis
--- | ---
-**Exportovat databázi** | Stáhne aktuální databázi SQLite jako soubor `.sqlite`
-**Exportovat vše (.tar.gz)** | Stáhne kompletní zálohu včetně: databáze, nastavení, kombinací, připojení k poskytovatelům (bez přihlašovacích údajů) a metadat klíče API.
-**Importovat databázi** | Nahrajte soubor `.sqlite` , který nahradí aktuální databázi. Záloha před importem se vytvoří automaticky.
+| Akce                         | Popis                                                                                                                                      |
+| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
+| **Exportovat databázi**      | Stáhne aktuální databázi SQLite jako soubor `.sqlite`                                                                                      |
+| **Exportovat vše (.tar.gz)** | Stáhne kompletní zálohu včetně: databáze, nastavení, kombinací, připojení k poskytovatelům (bez přihlašovacích údajů) a metadat klíče API. |
+| **Importovat databázi**      | Nahrajte soubor `.sqlite` , který nahradí aktuální databázi. Záloha před importem se vytvoří automaticky.                                  |

 ```bash
 # API: Export database
@@ -674,13 +668,13 @@ curl -X POST http://localhost:20128/api/db-backups/import \

 Stránka nastavení je pro snadnou navigaci uspořádána do 5 záložek:

-Záložka | Obsah
--- | ---
-**Zabezpečení** | Nastavení přihlášení/hesla, řízení přístupu k IP adrese, autorizace API pro `/models` a blokování poskytovatelů
-**Směrování** | Globální strategie směrování (6 možností), aliasy zástupných znaků, záložní řetězce, kombinované výchozí hodnoty
-**Odolnost** | Profily poskytovatelů, upravitelné limity sazeb, stav jističů, zásady a uzamčené identifikátory
-**Umělá inteligence** | Konfigurace rozpočtu promyšleného projektu, globální vkládání promptu do systému, statistiky mezipaměti promptu
-**Moderní** | Globální konfigurace proxy (HTTP/SOCKS5)
+| Záložka               | Obsah                                                                                                            |
+| --------------------- | ---------------------------------------------------------------------------------------------------------------- |
+| **Zabezpečení**       | Nastavení přihlášení/hesla, řízení přístupu k IP adrese, autorizace API pro `/models` a blokování poskytovatelů  |
+| **Směrování**         | Globální strategie směrování (6 možností), aliasy zástupných znaků, záložní řetězce, kombinované výchozí hodnoty |
+| **Odolnost**          | Profily poskytovatelů, upravitelné limity sazeb, stav jističů, zásady a uzamčené identifikátory                  |
+| **Umělá inteligence** | Konfigurace rozpočtu promyšleného projektu, globální vkládání promptu do systému, statistiky mezipaměti promptu  |
+| **Moderní**           | Globální konfigurace proxy (HTTP/SOCKS5)                                                                         |

 ---

@@ -688,10 +682,10 @@ Záložka | Obsah

 Přístup přes **Dashboard → Náklady** .

-Záložka | Účel
--- | ---
-**Rozpočet** | Nastavte limity útrat pro každý klíč API s denními/týdenními/měsíčními rozpočty a sledováním v reálném čase
-**Ceny** | Zobrazení a úprava cenových položek modelu – cena za 1000 vstupních/výstupních tokenů na poskytovatele
+| Záložka      | Účel                                                                                                        |
+| ------------ | ----------------------------------------------------------------------------------------------------------- |
+| **Rozpočet** | Nastavte limity útrat pro každý klíč API s denními/týdenními/měsíčními rozpočty a sledováním v reálném čase |
+| **Ceny**     | Zobrazení a úprava cenových položek modelu – cena za 1000 vstupních/výstupních tokenů na poskytovatele      |

 ```bash
 # API: Set a budget
@@ -733,14 +727,14 @@ Podporované zvukové formáty: `mp3` , `wav` , `m4a` , `flac` , `ogg` , `webm`

 Nastavte vyvažování jednotlivých kombinací v **nabídce Dashboard → Kombinace → Vytvořit/Upravit → Strategie** .

-Strategie | Popis
--- | ---
-**Round-Robin** | Postupně prochází modely
-**Přednost** | Vždy se pokusí o první model; vrací se pouze v případě chyby.
-**Náhodný** | Pro každý požadavek vybere náhodný model z komba
-**Vážené** | Trasy proporcionálně na základě přiřazených vah pro každý model
-**Nejméně používané** | Směruje k modelu s nejmenším počtem nedávných požadavků (používá kombinované metriky)
-**Optimalizované z hlediska nákladů** | Trasy k nejlevnějšímu dostupnému modelu (používá ceník)
+| Strategie                             | Popis                                                                                 |
+| ------------------------------------- | ------------------------------------------------------------------------------------- |
+| **Round-Robin**                       | Postupně prochází modely                                                              |
+| **Přednost**                          | Vždy se pokusí o první model; vrací se pouze v případě chyby.                         |
+| **Náhodný**                           | Pro každý požadavek vybere náhodný model z komba                                      |
+| **Vážené**                            | Trasy proporcionálně na základě přiřazených vah pro každý model                       |
+| **Nejméně používané**                 | Směruje k modelu s nejmenším počtem nedávných požadavků (používá kombinované metriky) |
+| **Optimalizované z hlediska nákladů** | Trasy k nejlevnějšímu dostupnému modelu (používá ceník)                               |

 Globální výchozí hodnoty kombinací lze nastavit v **nabídce Dashboard → Settings → Routing → Combo Defaults** .

@@ -750,14 +744,14 @@ Globální výchozí hodnoty kombinací lze nastavit v **nabídce Dashboard →

 Přístup přes **Dashboard → Stav** . Přehled stavu systému v reálném čase se 6 kartami:

-Karta | Co to ukazuje
--- | ---
-**Stav systému** | Doba provozuschopnosti, verze, využití paměti, datový adresář
-**Zdraví poskytovatelů** | Stav jističe podle dodavatele (Zapnuto/Vypnuto/Napůl vypnuto)
-**Limity sazeb** | Aktivní limit rychlosti cooldownů na účet se zbývajícím časem
-**Aktivní výluky** | Poskytovatelé dočasně blokovaní politikou uzamčení
-**Mezipaměť podpisů** | Statistiky mezipaměti pro deduplikaci (aktivní klíče, míra zásahů)
-**Telemetrie latence** | Agregace latence p50/p95/p99 na poskytovatele
+| Karta                    | Co to ukazuje                                                      |
+| ------------------------ | ------------------------------------------------------------------ |
+| **Stav systému**         | Doba provozuschopnosti, verze, využití paměti, datový adresář      |
+| **Zdraví poskytovatelů** | Stav jističe podle dodavatele (Zapnuto/Vypnuto/Napůl vypnuto)      |
+| **Limity sazeb**         | Aktivní limit rychlosti cooldownů na účet se zbývajícím časem      |
+| **Aktivní výluky**       | Poskytovatelé dočasně blokovaní politikou uzamčení                 |
+| **Mezipaměť podpisů**    | Statistiky mezipaměti pro deduplikaci (aktivní klíče, míra zásahů) |
+| **Telemetrie latence**   | Agregace latence p50/p95/p99 na poskytovatele                      |

 **Tip pro profesionály:** Stránka Zdraví se automaticky obnovuje každých 10 sekund. Pomocí karty jističe můžete zjistit, kteří poskytovatelé mají problémy.

@@ -795,20 +789,20 @@ Výstup → `electron/dist-electron/`

 ### Klíčové vlastnosti

-Funkce | Popis
--- | ---
-**Připravenost serveru** | Před zobrazením okna se dotazuje server (žádná prázdná obrazovka)
-**Systémový zásobník** | Minimalizovat do zásobníku, změnit port, ukončit menu v zásobníku
-**Správa přístavů** | Změna portu serveru z panelu úloh (automatické restartování serveru)
-**Zásady zabezpečení obsahu** | Omezující CSP prostřednictvím záhlaví relace
-**Jedna instance** | V daném okamžiku může běžet pouze jedna instance aplikace
-**Offline režim** | Dodávaný server Next.js funguje bez internetu
+| Funkce                        | Popis                                                                |
+| ----------------------------- | -------------------------------------------------------------------- |
+| **Připravenost serveru**      | Před zobrazením okna se dotazuje server (žádná prázdná obrazovka)    |
+| **Systémový zásobník**        | Minimalizovat do zásobníku, změnit port, ukončit menu v zásobníku    |
+| **Správa přístavů**           | Změna portu serveru z panelu úloh (automatické restartování serveru) |
+| **Zásady zabezpečení obsahu** | Omezující CSP prostřednictvím záhlaví relace                         |
+| **Jedna instance**            | V daném okamžiku může běžet pouze jedna instance aplikace            |
+| **Offline režim**             | Dodávaný server Next.js funguje bez internetu                        |

 ### Proměnné prostředí

-Proměnná | Výchozí | Popis
--- | --- | ---
-`OMNIROUTE_PORT` | `20128` | Port serveru
-`OMNIROUTE_MEMORY_MB` | `512` | Limit haldy Node.js (64–16384 MB)
+| Proměnná              | Výchozí | Popis                             |
+| --------------------- | ------- | --------------------------------- |
+| `OMNIROUTE_PORT`      | `20128` | Port serveru                      |
+| `OMNIROUTE_MEMORY_MB` | `512`   | Limit haldy Node.js (64–16384 MB) |

 📖 Úplná dokumentace: [`electron/README.md`](../electron/README.md)
@@ -8,73 +8,6 @@ _Din universelle API-proxy — ét slutpunkt, 36+ udbydere, ingen nedetid. Nu me

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-<div align="center">
-
-[![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
-[![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
-[![Licens](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
-[![Websted](https://img.shields.io/badge/Website-omniroute.online-blue?logo=google-chrome&logoColor=white)](https://omniroute.online)
-[![WhatsApp](https://img.shields.io/badge/WhatsApp-Community-25D366?logo=whatsapp&logoColor=white)](https://chat.whatsapp.com/JI7cDQ1GyaiDHhVBpLxf8b?mode=gi_t)
-
-[🌐 Hjemmeside](https://omniroute.online) • [🚀 Hurtig start](#-quick-start) • [💡 Funktioner](#-key-features) • [📖 Docs](#-documentation) • [💡 Priser](#-pricing-at-a-glance) • [💬 WhatsApp](https://chat.whatsapp.com/JI7cDQ1GyaiDHhVBpLxf8b?mode=gi_t)
-
-</div>
-
-🌐 **Tilgængelig på:** 🇺🇸 [engelsk](../../README.md) | 🇧🇷 [Português (Brasil)](../pt-BR/README.md) | 🇪🇸 [Español](../es/README.md) | 🇫🇷 [Français](../fr/README.md) | 🇮🇹 [Italiano](../it/README.md) | 🇷🇺 [Русский](../ru/README.md) | 🇨🇳 [中文 (简体)](../zh-CN/README.md) | 🇩🇪 [Tysk](../de/README.md) | 🇮🇳 [हिन्दी](../in/README.md) | 🇹🇭 [ไทย](../th/README.md) | 🇺🇦 [Українська](../uk-UA/README.md) | 🇸🇦 [العربية](../ar/README.md) | 🇯🇵 [日本語](../ja/README.md) | 🇻🇳 [Tiếng Việt](../vi/README.md) | 🇧🇬 [Български](../bg/README.md) | 🇩🇰 [Dansk](../da/README.md) | 🇫🇮 [Suomi](../fi/README.md) | 🇮🇱 [engelsk](../he/README.md) | 🇭🇺 [Magyar](../hu/README.md) | 🇮🇩 [Bahasa Indonesien](../id/README.md) | 🇰🇷 [한국어](../ko/README.md) | 🇲🇾 [Bahasa Melayu](../ms/README.md) | 🇳🇱 [Nederlands](../nl/README.md) | 🇳🇴 [norsk](../no/README.md) | 🇵🇹 [Português (Portugal)](../pt/README.md) | 🇷🇴 [Română](../ro/README.md) | 🇵🇱 [Polski](../pl/README.md) | 🇸🇰 [Slovenčina](../sk/README.md) | 🇸🇪 [Svenska](../sv/README.md) | 🇵🇭 [filippinsk](../phi/README.md)
-
---
-
-## 🖼️ Hovedbetjeningspanel
-
-<div align="center">
-  <img src="./docs/screenshots/MainOmniRoute.png" alt="OmniRoute Dashboard" width="800"/>
-</div>
-
---
-
-## 📸 Dashboard Preview
-
-<details>
-<summary><b>Klik for at se skærmbilleder af dashboard</b></summary>
-
-| Side              | Skærmbillede                                        |
-| ----------------- | --------------------------------------------------- |
-| **Udbydere**      | ![Udbydere](docs/screenshots/01-providers.png)      |
-| **Komboer**       | ![Combos](docs/screenshots/02-combos.png)           |
-| **Analyse**       | ![Analytics](docs/screenshots/03-analytics.png)     |
-| **Sundhed**       | ![Sundhed](docs/screenshots/04-health.png)          |
-| **Oversætter**    | ![Oversætter](docs/screenshots/05-translator.png)   |
-| **Indstillinger** | ![Indstillinger](docs/screenshots/06-settings.png)  |
-| **CLI-værktøjer** | ![CLI-værktøjer](docs/screenshots/07-cli-tools.png) |
-| **Brugslogfiler** | ![Brug](docs/screenshots/08-usage.png)              |
-| **Endpunkt**      | ![Endpoint](docs/screenshots/09-endpoint.png)       |
-
-</details>
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Gratis AI-udbyder til dine foretrukne kodningsagenter

 _Tilslut ethvert AI-drevet IDE- eller CLI-værktøj gennem OmniRoute - gratis API-gateway til ubegrænset kodning._
@@ -159,6 +92,38 @@ _Tilslut ethvert AI-drevet IDE- eller CLI-værktøj gennem OmniRoute - gratis AP

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 ## 🤔 Hvorfor OmniRoute?

 **Stop med at spilde penge og nå grænser:**
@@ -934,8 +899,8 @@ OmniRoute v2.0 er bygget som en operationel platform, ikke kun en relæ-proxy.
 | Funktion | Hvad det gør || -------------------------- | -------------------------------------------------------------------- |
 | 🖼️ **Billedgenerering** | `/v1/images/generations` med cloud og lokale backends |
 | 📐 **Indlejringer** | `/v1/embeddings` til søgning og RAG-rørledninger |
-| 🎤 **Lydtransskription** | `/v1/audio/transcriptions` (Whisper og yderligere udbydere) |
-| 🔊 **Tekst-til-tale** | `/v1/audio/speech` (flere motorer/udbydere) |
+| 🎤 **Lydtransskription** | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Tekst-til-tale** | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise) |
 | 🎬 **Videogenerering** | `/v1/videos/generations` (ComfyUI + SD WebUI-arbejdsgange) |
 | 🎵 **Music Generation** | `/v1/music/generations` (ComfyUI-arbejdsgange) |
 | 🛡️ **Moderationer** | `/v1/moderations` sikkerhedstjek |
@@ -8,61 +8,6 @@ _Ihr universeller API-Proxy – ein Endpunkt, mehr als 36 Anbieter, keine Ausfal

 ---

-### 🆕 Neu in v2.7.0
-
- **Erweiterbare RouterStrategy** — Regeln-, Kosten- und Latenzstrategien
- **Mehrsprachige Absichtserkennung** — Routing-Scoring in 30+ Sprachen
- **Anfrage-Deduplizierung** — doppelte API-Aufrufe per Content-Hash vermeiden
- **Neue Anbieter:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Aktualisierte Preise:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-<div align="center">
-
-[![npm-Version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
-[![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
-[![Lizenz](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
-[![Website](https://img.shields.io/badge/Website-omniroute.online-blue?logo=google-chrome&logoColor=white)](https://omniroute.online)
-[![WhatsApp](https://img.shields.io/badge/WhatsApp-Community-25D366?logo=whatsapp&logoColor=white)](https://chat.whatsapp.com/JI7cDQ1GyaiDHhVBpLxf8b?mode=gi_t)
-
-[🌐 Website](https://omniroute.online) • [🚀 Schnellstart](#-quick-start) • [💡 Funktionen](#-key-features) • [📖 Dokumente](#-documentation) • [💰 Preise](#-pricing-at-a-glance) • [💬 WhatsApp](https://chat.whatsapp.com/JI7cDQ1GyaiDHhVBpLxf8b?mode=gi_t)
-
-</div>
-
-🌐 **Verfügbar in:** 🇺🇸 [Englisch](../../README.md) | 🇧🇷 [Português (Brasilien)](../pt-BR/README.md) | 🇪🇸 [Español](../es/README.md) | 🇫🇷 [Français](../fr/README.md) | 🇮🇹 [Italienisch](../it/README.md) | 🇷🇺 [Русский](../ru/README.md) | 🇨🇳 [中文 (简体)](../zh-CN/README.md) | 🇩🇪 [Deutsch](../de/README.md) | 🇮🇳 [हिन्दी](../in/README.md) | 🇹🇭 [ไทย](../th/README.md) | 🇺🇦 [Українська](../uk-UA/README.md) | 🇸🇦 [العربية](../ar/README.md) | 🇯🇵 [日本語](../ja/README.md) | 🇻🇳 [Tiếng Việt](../vi/README.md) | 🇧🇬 [Български](../bg/README.md) | 🇩🇰 [Dänisch](../da/README.md) | 🇫🇮 [Suomi](../fi/README.md) | 🇮🇱 [עברית](../he/README.md) | 🇭🇺 [Magyar](../hu/README.md) | 🇮🇩 [Bahasa Indonesia](../id/README.md) | 🇰🇷 [한국어](../ko/README.md) | 🇲🇾 [Bahasa Melayu](../ms/README.md) | 🇳🇱 [Niederlande](../nl/README.md) | 🇳🇴 [Norsk](../no/README.md) | 🇵🇹 [Português (Portugal)](../pt/README.md) | 🇷🇴 [Română](../ro/README.md) | 🇵🇱 [Polski](../pl/README.md) | 🇸🇰 [Slovenčina](../sk/README.md) | 🇸🇪 [Svenska](../sv/README.md) | 🇵🇭 [Philippinisch](../phi/README.md)
-
---
-
-## 🖼️ Haupt-Dashboard
-
-<div align="center">
-  <img src="./docs/screenshots/MainOmniRoute.png" alt="OmniRoute Dashboard" width="800"/>
-</div>
-
---
-
-## 📸 Dashboard-Vorschau
-
-<details>
-<summary><b>Klicken Sie hier, um Dashboard-Screenshots anzuzeigen</b></summary>
-
-| Seite                  | Screenshot                                         |
-| ---------------------- | -------------------------------------------------- |
-| **Anbieter**           | ![Anbieter](docs/screenshots/01-providers.png)     |
-| **Kombinationen**      | ![Combos](docs/screenshots/02-combos.png)          |
-| **Analytik**           | ![Analytics](docs/screenshots/03-analytics.png)    |
-| **Gesundheit**         | ![Gesundheit](docs/screenshots/04-health.png)      |
-| **Übersetzer**         | ![Übersetzer](docs/screenshots/05-translator.png)  |
-| **Einstellungen**      | ![Einstellungen](docs/screenshots/06-settings.png) |
-| **CLI-Tools**          | ![CLI-Tools](docs/screenshots/07-cli-tools.png)    |
-| **Nutzungsprotokolle** | ![Verwendung](docs/screenshots/08-usage.png)       |
-| **Endpunkt**           | ![Endpunkt](docs/screenshots/09-endpoint.png)      |
-
-</details>
-
---
-
 ### 🤖 Kostenloser KI-Anbieter für Ihre bevorzugten Programmieragenten

 _Verbinden Sie jedes KI-gestützte IDE- oder CLI-Tool über OmniRoute – kostenloses API-Gateway für unbegrenzte Codierung._
@@ -147,6 +92,38 @@ _Verbinden Sie jedes KI-gestützte IDE- oder CLI-Tool über OmniRoute – kosten

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 ## 🤔 Warum OmniRoute?

 **Hören Sie auf, Geld zu verschwenden und an Grenzen zu stoßen:**
@@ -890,18 +867,6 @@ Wenn OmniRoute minimiert ist, befindet es sich mit schnellen Aktionen in Ihrer T

 OmniRoute v2.0 ist als Betriebsplattform konzipiert und nicht nur als Relay-Proxy.

-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Agenten- und Protokolloperationen (v2.0)| Funktion | Was es tut |

 | ------------------------------------ | -------------------------------------------------------------------------------- |
@@ -939,8 +904,8 @@ OmniRoute v2.0 ist als Betriebsplattform konzipiert und nicht nur als Relay-Prox
 | Funktion | Was es tut || -------------------------- | ------------------------------------------------------------- |
 | 🖼️ **Bilderzeugung** | `/v1/images/generations` mit Cloud- und lokalen Backends |
 | 📐 **Einbettungen** | `/v1/embeddings` für Such- und RAG-Pipelines |
-| 🎤 **Audio-Transkription** | `/v1/audio/transcriptions` (Whisper und zusätzliche Anbieter) |
-| 🔊 **Text-to-Speech** | `/v1/audio/speech` (mehrere Engines/Anbieter) |
+| 🎤 **Audio-Transkription** | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Text-to-Speech** | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise) |
 | 🎬 **Videogenerierung** | `/v1/videos/generations` (ComfyUI + SD WebUI-Workflows) |
 | 🎵 **Musikgeneration** | `/v1/music/generations` (ComfyUI-Workflows) |
 | 🛡️ **Moderationen** | `/v1/moderations` Sicherheitsprüfungen |
@@ -11,28 +11,6 @@ _Tu proxy de API universal — un endpoint, 36+ proveedores, cero tiempo de inac

 ---

-### 🆕 Novedades en v2.7.0
-
- **RouterStrategy enchufable** — estrategias de reglas, costo y latencia
- **Detección de intención multilingüe** — puntuación de enrutamiento en 30+ idiomas
- **Deduplicación de solicitudes** — evita llamadas duplicadas por hash de contenido
- **Nuevos proveedores:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Precios actualizados:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Proveedor de IA Gratuito para tus agentes de programación favoritos

 _Conecta cualquier IDE o herramienta CLI con IA a través de OmniRoute — gateway de API gratuito para programación ilimitada._
@@ -118,6 +96,38 @@ _Conecta cualquier IDE o herramienta CLI con IA a través de OmniRoute — gatew

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -877,14 +887,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 APIs Multi-Modal

-| Característica                | Qué Hace                                               |
-| ----------------------------- | ------------------------------------------------------ |
-| 🖼️ **Generación de Imágenes** | `/v1/images/generations` — 4 proveedores, 9+ modelos   |
-| 📐 **Embeddings**             | `/v1/embeddings` — 6 proveedores, 9+ modelos           |
-| 🎤 **Transcripción de Audio** | `/v1/audio/transcriptions` — Compatible con Whisper    |
-| 🔊 **Texto a Voz**            | `/v1/audio/speech` — Síntesis de audio multi-proveedor |
-| 🛡️ **Moderaciones**           | `/v1/moderations` — Verificaciones de seguridad        |
-| 🔀 **Reranking**              | `/v1/rerank` — Reranking de relevancia de documentos   |
+| Característica                | Qué Hace                                                                                                                                                                   |
+| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Generación de Imágenes** | `/v1/images/generations` — 4 proveedores, 9+ modelos                                                                                                                       |
+| 📐 **Embeddings**             | `/v1/embeddings` — 6 proveedores, 9+ modelos                                                                                                                               |
+| 🎤 **Transcripción de Audio** | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Texto a Voz**            | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Moderaciones**           | `/v1/moderations` — Verificaciones de seguridad                                                                                                                            |
+| 🔀 **Reranking**              | `/v1/rerank` — Reranking de relevancia de documentos                                                                                                                       |

 ### 🛡️ Resiliencia y Seguridad

@@ -11,28 +11,6 @@ _Universaali API-välityspalvelin – yksi päätepiste, yli 36 palveluntarjoaja

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Ilmainen AI Provider suosikkikoodaajillesi

 _Yhdistä mikä tahansa tekoälyllä toimiva IDE- tai CLI-työkalu OmniRouten kautta – ilmainen API-yhdyskäytävä rajoittamattomaan koodaukseen._
@@ -118,6 +96,38 @@ _Yhdistä mikä tahansa tekoälyllä toimiva IDE- tai CLI-työkalu OmniRouten ka

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -874,14 +884,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 Multimodaaliset sovellusliittymät

-| Ominaisuus                | Mitä se tekee                                             |
-| ------------------------- | --------------------------------------------------------- |
-| 🖼️ **Kuvan luominen**     | `/v1/images/generations` — 4 toimittajaa, 9+ mallia       |
-| 📐 **Upotukset**          | `/v1/embeddings` — 6 toimittajaa, 9+ mallia               |
-| 🎤 **Äänitranskriptio**   | `/v1/audio/transcriptions` — Kuiskausyhteensopiva         |
-| 🔊 **Tekstistä puheeksi** | `/v1/audio/speech` — Usean palveluntarjoajan äänisynteesi |
-| 🛡️ **Moderaatiot**        | `/v1/moderations` — Sisällön turvallisuustarkistukset     |
-| 🔀 **Uudelleenjärjestys** | `/v1/rerank` — Asiakirjan osuvuuden uudelleensijoitus     |
+| Ominaisuus                | Mitä se tekee                                                                                                                                                              |
+| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Kuvan luominen**     | `/v1/images/generations` — 4 toimittajaa, 9+ mallia                                                                                                                        |
+| 📐 **Upotukset**          | `/v1/embeddings` — 6 toimittajaa, 9+ mallia                                                                                                                                |
+| 🎤 **Äänitranskriptio**   | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Tekstistä puheeksi** | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Moderaatiot**        | `/v1/moderations` — Sisällön turvallisuustarkistukset                                                                                                                      |
+| 🔀 **Uudelleenjärjestys** | `/v1/rerank` — Asiakirjan osuvuuden uudelleensijoitus                                                                                                                      |

 ### 🛡️ Joustavuus ja turvallisuus

@@ -11,28 +11,6 @@ _Votre proxy API universel — un endpoint, 36+ fournisseurs, zéro temps d'arr

 ---

-### 🆕 Nouveautés dans v2.7.0
-
- **RouterStrategy extensible** — stratégies de règles, coût et latence
- **Détection d'intention multilingue** — scoring de routage en 30+ langues
- **Déduplication des requêtes** — évite les appels dupliqués via hash de contenu
- **Nouveaux fournisseurs :** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Tarifs mis à jour :** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Fournisseur IA gratuit pour vos agents de programmation préférés

 _Connectez n'importe quel IDE ou outil CLI alimenté par l'IA via OmniRoute — passerelle API gratuite pour un codage illimité._
@@ -118,6 +96,38 @@ _Connectez n'importe quel IDE ou outil CLI alimenté par l'IA via OmniRoute —

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -875,14 +885,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 APIs multi-modales

-| Fonctionnalité             | Ce qu'elle fait                                         |
-| -------------------------- | ------------------------------------------------------- |
-| 🖼️ **Génération d'images** | `/v1/images/generations` — 4 fournisseurs, 9+ modèles   |
-| 📐 **Embeddings**          | `/v1/embeddings` — 6 fournisseurs, 9+ modèles           |
-| 🎤 **Transcription audio** | `/v1/audio/transcriptions` — compatible Whisper         |
-| 🔊 **Texte vers parole**   | `/v1/audio/speech` — synthèse audio multi-fournisseur   |
-| 🛡️ **Modérations**         | `/v1/moderations` — vérifications de sécurité           |
-| 🔀 **Reranking**           | `/v1/rerank` — reclassement de pertinence des documents |
+| Fonctionnalité             | Ce qu'elle fait                                                                                                                                                            |
+| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Génération d'images** | `/v1/images/generations` — 4 fournisseurs, 9+ modèles                                                                                                                      |
+| 📐 **Embeddings**          | `/v1/embeddings` — 6 fournisseurs, 9+ modèles                                                                                                                              |
+| 🎤 **Transcription audio** | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Texte vers parole**   | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Modérations**         | `/v1/moderations` — vérifications de sécurité                                                                                                                              |
+| 🔀 **Reranking**           | `/v1/rerank` — reclassement de pertinence des documents                                                                                                                    |

 ### 🛡️ Résilience & Sécurité

@@ -11,28 +11,6 @@ _שרת ה-API האוניברסלי שלך - נקודת קצה אחת, 36+ ספ

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 ספק AI בחינם עבור סוכני הקידוד המועדפים עליך

 _חבר כל כלי IDE או CLI המופעל על ידי AI דרך OmniRoute - שער API בחינם לקידוד בלתי מוגבל._
@@ -118,6 +96,38 @@ _חבר כל כלי IDE או CLI המופעל על ידי AI דרך OmniRoute -

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -873,14 +883,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 ממשקי API רב-מודאליים

-| תכונה               | מה זה עושה                                    |
-| ------------------- | --------------------------------------------- |
-| 🖼️ **יצירת תמונות** | `/v1/images/generations` — 4 ספקים, 9+ דגמים  |
-| 📐 **הטבעות**       | `/v1/embeddings` — 6 ספקים, 9+ דגמים          |
-| 🎤 **תמלול אודיו**  | `/v1/audio/transcriptions` — תואם לחישה       |
-| 🔊 **טקסט לדיבור**  | `/v1/audio/speech` — סינתזת אודיו מרובה ספקים |
-| 🛡️ **מנחים**        | `/v1/moderations` — בדיקות בטיחות תוכן        |
-| 🔀 **דירוג מחדש**   | `/v1/rerank` — דירוג מחדש של רלוונטיות המסמך  |
+| תכונה               | מה זה עושה                                                                                                                                                                 |
+| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **יצירת תמונות** | `/v1/images/generations` — 4 ספקים, 9+ דגמים                                                                                                                               |
+| 📐 **הטבעות**       | `/v1/embeddings` — 6 ספקים, 9+ דגמים                                                                                                                                       |
+| 🎤 **תמלול אודיו**  | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **טקסט לדיבור**  | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **מנחים**        | `/v1/moderations` — בדיקות בטיחות תוכן                                                                                                                                     |
+| 🔀 **דירוג מחדש**   | `/v1/rerank` — דירוג מחדש של רלוונטיות המסמך                                                                                                                               |

 ### 🛡️ חוסן וביטחון

@@ -11,28 +11,6 @@ _Az univerzális API-proxy – egy végpont, 36+ szolgáltató, nulla állásid

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Ingyenes mesterséges intelligencia szolgáltató kedvenc kódoló ügynökei számára

 _Csatlakoztasson bármilyen mesterséges intelligencia-alapú IDE-t vagy CLI-eszközt az OmniRoute-on keresztül – ingyenes API-átjáró a korlátlan kódoláshoz._
@@ -118,6 +96,38 @@ _Csatlakoztasson bármilyen mesterséges intelligencia-alapú IDE-t vagy CLI-esz

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -874,14 +884,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 Multimodális API-k

-| Funkció                | Mit csinál                                                   |
-| ---------------------- | ------------------------------------------------------------ |
-| 🖼️ **Képgenerálás**    | `/v1/images/generations` — 4 szolgáltató, 9+ modell          |
-| 📐 **Beágyazás**       | `/v1/embeddings` — 6 szolgáltató, 9+ modell                  |
-| 🎤 **Audio átírás**    | `/v1/audio/transcriptions` — Suttogás-kompatibilis           |
-| 🔊 **Szövegfelolvasó** | `/v1/audio/speech` — Hangszintézis több szolgáltatónál       |
-| 🛡️ **Moderálás**       | `/v1/moderations` — Tartalombiztonsági ellenőrzések          |
-| 🔀 **Átsorolás**       | `/v1/rerank` — A dokumentumok relevancia szerinti átsorolása |
+| Funkció                | Mit csinál                                                                                                                                                                 |
+| ---------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Képgenerálás**    | `/v1/images/generations` — 4 szolgáltató, 9+ modell                                                                                                                        |
+| 📐 **Beágyazás**       | `/v1/embeddings` — 6 szolgáltató, 9+ modell                                                                                                                                |
+| 🎤 **Audio átírás**    | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Szövegfelolvasó** | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Moderálás**       | `/v1/moderations` — Tartalombiztonsági ellenőrzések                                                                                                                        |
+| 🔀 **Átsorolás**       | `/v1/rerank` — A dokumentumok relevancia szerinti átsorolása                                                                                                               |

 ### 🛡️ Rugalmasság és biztonság

@@ -11,28 +11,6 @@ _Proksi API universal Anda — satu titik akhir, 36+ penyedia, tanpa waktu henti

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Penyedia AI gratis untuk agen coding favorit Anda

 _Hubungkan alat IDE atau CLI apa pun yang didukung AI melalui OmniRoute — gerbang API gratis untuk pengkodean tanpa batas._
@@ -118,6 +96,38 @@ _Hubungkan alat IDE atau CLI apa pun yang didukung AI melalui OmniRoute — gerb

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -874,14 +884,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 API Multi-Modal

-| Fitur                      | Apa Fungsinya                                          |
-| -------------------------- | ------------------------------------------------------ |
-| 🖼️ **Pembuatan Gambar**    | `/v1/images/generations` — 4 penyedia, 9+ model        |
-| 📐 **Sematan**             | `/v1/embeddings` — 6 penyedia, 9+ model                |
-| 🎤 **Transkripsi Audio**   | `/v1/audio/transcriptions` — Kompatibel dengan bisikan |
-| 🔊 **Teks-ke-Ucapan**      | `/v1/audio/speech` — Sintesis audio multi-penyedia     |
-| 🛡️ **Moderasi**            | `/v1/moderations` — Pemeriksaan keamanan konten        |
-| 🔀 **Pemeringkatan Ulang** | `/v1/rerank` — Pemeringkatan ulang relevansi dokumen   |
+| Fitur                      | Apa Fungsinya                                                                                                                                                              |
+| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Pembuatan Gambar**    | `/v1/images/generations` — 4 penyedia, 9+ model                                                                                                                            |
+| 📐 **Sematan**             | `/v1/embeddings` — 6 penyedia, 9+ model                                                                                                                                    |
+| 🎤 **Transkripsi Audio**   | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Teks-ke-Ucapan**      | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Moderasi**            | `/v1/moderations` — Pemeriksaan keamanan konten                                                                                                                            |
+| 🔀 **Pemeringkatan Ulang** | `/v1/rerank` — Pemeringkatan ulang relevansi dokumen                                                                                                                       |

 ### 🛡️ Ketahanan & Keamanan

@@ -13,28 +13,6 @@ _आपका सार्वभौमिक एपीआई प्रॉक्

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 आपके पसंदीदा कोडिंग एजेंटों के लिए निःशुल्क एआई प्रदाता

 _OmniRoute के माध्यम से किसी भी AI-संचालित IDE या CLI टूल को कनेक्ट करें - असीमित कोडिंग के लिए निःशुल्क API गेटवे।_
@@ -43,6 +21,38 @@ _OmniRoute के माध्यम से किसी भी AI-संचा

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -770,14 +780,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 मल्टी-मॉडल एपीआई

-| फ़ीचर                        | यह क्या करता है                                   |
-| ---------------------------- | ------------------------------------------------- |
-| 🖼️ **छवि निर्माण**           | `/v1/images/generations` - 4 प्रदाता, 9+ मॉडल     |
-| 📐 **एंबेडिंग**              | `/v1/embeddings` — 6 प्रदाता, 9+ मॉडल             |
-| 🎤 **ऑडियो ट्रांस्क्रिप्शन** | `/v1/audio/transcriptions` - कानाफूसी-संगत        |
-| 🔊 **टेक्स्ट-टू-स्पीच**      | `/v1/audio/speech` - बहु-प्रदाता ऑडियो संश्लेषण   |
-| 🛡️ **संयम**                  | `/v1/moderations` — सामग्री सुरक्षा जांच          |
-| 🔀 **पुनर्रैंकिंग**          | `/v1/rerank` — दस्तावेज़ प्रासंगिकता पुनर्रैंकिंग |
+| फ़ीचर                        | यह क्या करता है                                                                                                                                                            |
+| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **छवि निर्माण**           | `/v1/images/generations` - 4 प्रदाता, 9+ मॉडल                                                                                                                              |
+| 📐 **एंबेडिंग**              | `/v1/embeddings` — 6 प्रदाता, 9+ मॉडल                                                                                                                                      |
+| 🎤 **ऑडियो ट्रांस्क्रिप्शन** | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **टेक्स्ट-टू-स्पीच**      | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **संयम**                  | `/v1/moderations` — सामग्री सुरक्षा जांच                                                                                                                                   |
+| 🔀 **पुनर्रैंकिंग**          | `/v1/rerank` — दस्तावेज़ प्रासंगिकता पुनर्रैंकिंग                                                                                                                          |

 ### 🛡️ लचीलापन और सुरक्षा

@@ -5,34 +5,12 @@

 ### Non smettere mai di programmare. Routing intelligente verso **modelli IA GRATUITI e economici** con fallback automatico.

-_Il tuo proxy API universale — un endpoint, 36+ provider, zero downtime._
+_Il tuo proxy API universale — un endpoint, 67+ provider, zero downtime._

 **Chat Completions • Embeddings • Generazione Immagini • Audio • Reranking • 100% TypeScript**

 ---

-### 🆕 Novità in v2.7.0
-
- **RouterStrategy estensibile** — strategie per regole, costo e latenza
- **Rilevamento intento multilingue** — scoring di routing in 30+ lingue
- **Deduplicazione richieste** — evita chiamate duplicate tramite hash del contenuto
- **Nuovi provider:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Prezzi aggiornati:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Provider IA gratuito per i tuoi agenti di programmazione preferiti

 _Connetti qualsiasi IDE o strumento CLI con IA tramite OmniRoute — gateway API gratuito per programmazione illimitata._
@@ -118,6 +96,38 @@ _Connetti qualsiasi IDE o strumento CLI con IA tramite OmniRoute — gateway API

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -874,14 +884,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 API Multi-modali

-| Funzionalità                | Cosa Fa                                              |
-| --------------------------- | ---------------------------------------------------- |
-| 🖼️ **Generazione immagini** | `/v1/images/generations` — 4 provider, 9+ modelli    |
-| 📐 **Embeddings**           | `/v1/embeddings` — 6 provider, 9+ modelli            |
-| 🎤 **Trascrizione audio**   | `/v1/audio/transcriptions` — Compatibile Whisper     |
-| 🔊 **Testo a voce**         | `/v1/audio/speech` — Sintesi audio multi-provider    |
-| 🛡️ **Moderazioni**          | `/v1/moderations` — Controlli di sicurezza           |
-| 🔀 **Reranking**            | `/v1/rerank` — Riclassificazione rilevanza documenti |
+| Funzionalità                | Cosa Fa                                                                                                                                                                    |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Generazione immagini** | `/v1/images/generations` — 4 provider, 9+ modelli                                                                                                                          |
+| 📐 **Embeddings**           | `/v1/embeddings` — 6 provider, 9+ modelli                                                                                                                                  |
+| 🎤 **Trascrizione audio**   | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Testo a voce**         | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Moderazioni**          | `/v1/moderations` — Controlli di sicurezza                                                                                                                                 |
+| 🔀 **Reranking**            | `/v1/rerank` — Riclassificazione rilevanza documenti                                                                                                                       |

 ### 🛡️ Resilienza & Sicurezza

@@ -11,28 +11,6 @@ _ユニバーサル API プロキシ — 1 つのエンドポイント、36 以

 ---

-### 🆕 v2.7.0 の新機能
-
- **プラガブル RouterStrategy** — ルール・コスト・レイテンシ戦略をサポート
- **多言語インテント検出** — 30以上の言語でルーティングスコアリング
- **リクエスト重複排除** — コンテンツハッシュで重複 API 呼び出しを防止
- **新しいプロバイダー：** Grok-4 Fast (xAI)、GLM-5 / Z.AI、MiniMax M2.5、Kimi K2.5
- **価格更新：** Grok-4 Fast $0.20/$0.50/M、GLM-5 $0.50/M、MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 お気に入りのコーディング エージェント向けの無料 AI プロバイダー

 _AI を活用した IDE または CLI ツールを、無制限のコーディングのための無料 API ゲートウェイである OmniRoute 経由で接続します。_
@@ -118,6 +96,38 @@ _AI を活用した IDE または CLI ツールを、無制限のコーディン

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -874,14 +884,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 マルチモーダル API

-| 特集                    | 何をするのか                                                    |
-| ----------------------- | --------------------------------------------------------------- |
-| 🖼️ **画像生成**         | `/v1/images/generations` — 4 つのプロバイダー、9 つ以上のモデル |
-| 📐 **埋め込み**         | `/v1/embeddings` — 6 つのプロバイダー、9 つ以上のモデル         |
-| 🎤 **音声文字起こし**   | `/v1/audio/transcriptions` — ウィスパー互換                     |
-| 🔊 **テキスト読み上げ** | `/v1/audio/speech` — マルチプロバイダーのオーディオ合成         |
-| 🛡️ **モデレーション**   | `/v1/moderations` — コンテンツの安全性チェック                  |
-| 🔀 **再ランキング**     | `/v1/rerank` — ドキュメントの関連性の再ランキング               |
+| 特集                    | 何をするのか                                                                                                                                                               |
+| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **画像生成**         | `/v1/images/generations` — 4 つのプロバイダー、9 つ以上のモデル                                                                                                            |
+| 📐 **埋め込み**         | `/v1/embeddings` — 6 つのプロバイダー、9 つ以上のモデル                                                                                                                    |
+| 🎤 **音声文字起こし**   | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **テキスト読み上げ** | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **モデレーション**   | `/v1/moderations` — コンテンツの安全性チェック                                                                                                                             |
+| 🔀 **再ランキング**     | `/v1/rerank` — ドキュメントの関連性の再ランキング                                                                                                                          |

 ### 🛡️ 復元力とセキュリティ

@@ -11,28 +11,6 @@ _범용 API 프록시 — 하나의 엔드포인트, 36개 이상의 공급자,

 ---

-### 🆕 v2.7.0 새로운 기능
-
- **플러그형 RouterStrategy** — 규칙, 비용, 지연 전략 지원
- **다국어 의도 감지** — 30개 이상 언어로 라우팅 스코어링
- **요청 중복 제거** — 콘텐츠 해시로 중복 API 호출 방지
- **새 공급자:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **가격 업데이트:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 좋아하는 코딩 에이전트를 위한 무료 AI 제공업체

 _무제한 코딩을 위한 무료 API 게이트웨이인 OmniRoute를 통해 AI 기반 IDE 또는 CLI 도구를 연결하세요._
@@ -118,6 +96,38 @@ _무제한 코딩을 위한 무료 API 게이트웨이인 OmniRoute를 통해 AI

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -873,14 +883,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 다중 모드 API

-| 기능                    | 그것이 하는 일                                         |
-| ----------------------- | ------------------------------------------------------ |
-| 🖼️ **이미지 생성**      | `/v1/images/generations` — 4개 공급자, 9개 이상의 모델 |
-| 📐 **임베딩**           | `/v1/embeddings` — 6개 공급자, 9개 이상의 모델         |
-| 🎤 **오디오 전사**      | `/v1/audio/transcriptions` — 속삭임 호환               |
-| 🔊 **텍스트 음성 변환** | `/v1/audio/speech` — 다중 제공자 오디오 합성           |
-| 🛡️ **조정**             | `/v1/moderations` — 콘텐츠 안전 확인                   |
-| 🔀 **재순위**           | `/v1/rerank` — 문서 관련성 재순위                      |
+| 기능                    | 그것이 하는 일                                                                                                                                                             |
+| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **이미지 생성**      | `/v1/images/generations` — 4개 공급자, 9개 이상의 모델                                                                                                                     |
+| 📐 **임베딩**           | `/v1/embeddings` — 6개 공급자, 9개 이상의 모델                                                                                                                             |
+| 🎤 **오디오 전사**      | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **텍스트 음성 변환** | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **조정**             | `/v1/moderations` — 콘텐츠 안전 확인                                                                                                                                       |
+| 🔀 **재순위**           | `/v1/rerank` — 문서 관련성 재순위                                                                                                                                          |

 ### 🛡️ 복원력 및 보안

@@ -11,28 +11,6 @@ _Proksi API universal anda — satu titik akhir, 36+ pembekal, masa henti sifar.

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Pembekal AI percuma untuk ejen pengekodan kegemaran anda

 _Sambungkan mana-mana alat IDE atau CLI berkuasa AI melalui OmniRoute — get laluan API percuma untuk pengekodan tanpa had._
@@ -118,6 +96,38 @@ _Sambungkan mana-mana alat IDE atau CLI berkuasa AI melalui OmniRoute — get la

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -873,14 +883,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 API Berbilang Modal

-| Ciri                     | Apa yang Dilakukan                                     |
-| ------------------------ | ------------------------------------------------------ |
-| 🖼️ **Penjanaan Imej**    | `/v1/images/generations` — 4 pembekal, 9+ model        |
-| 📐 **Pembenaman**        | `/v1/embeddings` — 6 pembekal, 9+ model                |
-| 🎤 **Transkripsi Audio** | `/v1/audio/transcriptions` — Serasi dengan bisikan     |
-| 🔊 **Teks-ke-Ucapan**    | `/v1/audio/speech` — Sintesis audio berbilang pembekal |
-| 🛡️ **Kesederhanaan**     | `/v1/moderations` — Pemeriksaan keselamatan kandungan  |
-| 🔀 **Penyusunan semula** | `/v1/rerank` — Penarafan semula perkaitan dokumen      |
+| Ciri                     | Apa yang Dilakukan                                                                                                                                                         |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Penjanaan Imej**    | `/v1/images/generations` — 4 pembekal, 9+ model                                                                                                                            |
+| 📐 **Pembenaman**        | `/v1/embeddings` — 6 pembekal, 9+ model                                                                                                                                    |
+| 🎤 **Transkripsi Audio** | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Teks-ke-Ucapan**    | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Kesederhanaan**     | `/v1/moderations` — Pemeriksaan keselamatan kandungan                                                                                                                      |
+| 🔀 **Penyusunan semula** | `/v1/rerank` — Penarafan semula perkaitan dokumen                                                                                                                          |

 ### 🛡️ Ketahanan & Keselamatan

@@ -11,28 +11,6 @@ _Uw universele API-proxy: één eindpunt, meer dan 36 providers, geen downtime._

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Gratis AI-provider voor uw favoriete codeeragenten

 _Verbind elke AI-aangedreven IDE- of CLI-tool via OmniRoute: gratis API-gateway voor onbeperkte codering._
@@ -118,6 +96,38 @@ _Verbind elke AI-aangedreven IDE- of CLI-tool via OmniRoute: gratis API-gateway

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -246,7 +256,7 @@ OpenAI gebruikt het ene formaat, Claude (Anthropic) gebruikt een ander, Gemini n

 **Hoe OmniRoute het oplost:**

- **Unified Endpoint** — Eén enkele `http://localhost:20128/v1` dient als proxy voor alle 36+ providers
+- **Unified Endpoint** — Eén enkele `http://localhost:20128/v1` dient als proxy voor alle 67+ providers
 - **Formatvertaling** — Automatisch en transparant: OpenAI ↔ Claude ↔ Gemini ↔ Responses API
 - **Response Sanitization** — Verwijdert niet-standaardvelden (`x_groq`, `usage_breakdown`, `service_tier`) die OpenAI SDK v1.83+ breken
 - **Rolnormalisatie** — Converteert `developer` → `system` voor niet-OpenAI-providers; `system` → `user` voor GLM/ERNIE
@@ -873,14 +883,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 Multimodale API's

-| Kenmerk                  | Wat het doet                                              |
-| ------------------------ | --------------------------------------------------------- |
-| 🖼️ **Beeldgeneratie**    | `/v1/images/generations` — 4 providers, 9+ modellen       |
-| 📐 **Insluitingen**      | `/v1/embeddings` — 6 providers, 9+ modellen               |
-| 🎤 **Audiotranscriptie** | `/v1/audio/transcriptions` — Whisper-compatibel           |
-| 🔊 **Tekst-naar-spraak** | `/v1/audio/speech` — Audiosynthese van meerdere providers |
-| 🛡️ **Moderaties**        | `/v1/moderations` — Veiligheidscontroles van inhoud       |
-| 🔀 **Herschikking**      | `/v1/rerank` — Herschikking van documentrelevantie        |
+| Kenmerk                  | Wat het doet                                                                                                                                                               |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Beeldgeneratie**    | `/v1/images/generations` — 4 providers, 9+ modellen                                                                                                                        |
+| 📐 **Insluitingen**      | `/v1/embeddings` — 6 providers, 9+ modellen                                                                                                                                |
+| 🎤 **Audiotranscriptie** | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Tekst-naar-spraak** | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Moderaties**        | `/v1/moderations` — Veiligheidscontroles van inhoud                                                                                                                        |
+| 🔀 **Herschikking**      | `/v1/rerank` — Herschikking van documentrelevantie                                                                                                                         |

 ### 🛡️ Veerkracht en veiligheid

@@ -11,28 +11,6 @@ _Din universelle API-proxy – ett endepunkt, 36+ leverandører, null nedetid._

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Gratis AI-leverandør for dine favorittkodeagenter

 _Koble til ethvert AI-drevet IDE- eller CLI-verktøy gjennom OmniRoute – gratis API-gateway for ubegrenset koding._
@@ -118,6 +96,38 @@ _Koble til ethvert AI-drevet IDE- eller CLI-verktøy gjennom OmniRoute – grati

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -873,14 +883,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 Multi-Modal APIer

-| Funksjon                | Hva det gjør                                           |
-| ----------------------- | ------------------------------------------------------ |
-| 🖼️ **Bildegenerering**  | `/v1/images/generations` — 4 leverandører, 9+ modeller |
-| 📐 **Innbygging**       | `/v1/embeddings` — 6 leverandører, 9+ modeller         |
-| 🎤 **Lydtranskripsjon** | `/v1/audio/transcriptions` — Whisper-kompatibel        |
-| 🔊 **Tekst-til-tale**   | `/v1/audio/speech` — Multi-leverandør lydsyntese       |
-| 🛡️ **Moderasjoner**     | `/v1/moderations` — Innholdssikkerhetssjekker          |
-| 🔀 **Omrangering**      | `/v1/rerank` — Rerangering av dokumentrelevans         |
+| Funksjon                | Hva det gjør                                                                                                                                                               |
+| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Bildegenerering**  | `/v1/images/generations` — 4 leverandører, 9+ modeller                                                                                                                     |
+| 📐 **Innbygging**       | `/v1/embeddings` — 6 leverandører, 9+ modeller                                                                                                                             |
+| 🎤 **Lydtranskripsjon** | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Tekst-til-tale**   | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Moderasjoner**     | `/v1/moderations` — Innholdssikkerhetssjekker                                                                                                                              |
+| 🔀 **Omrangering**      | `/v1/rerank` — Rerangering av dokumentrelevans                                                                                                                             |

 ### 🛡️ Spenst og sikkerhet

@@ -5,34 +5,12 @@

 ### Huwag kailanman ihinto ang coding. Smart routing sa **LIBRE at murang mga modelo ng AI** na may awtomatikong fallback.

-_Iyong unibersal na API proxy — isang endpoint, 36+ provider, zero downtime._
+_Iyong unibersal na API proxy — isang endpoint, 67+ provider, zero downtime._

 **Mga Pagkumpleto ng Chat • Mga Pag-embed • Pagbuo ng Imahe • Audio • Pag-rerank • 100% TypeScript**

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Libreng AI Provider para sa iyong mga paboritong coding agent

 _Ikonekta ang anumang AI-powered IDE o CLI tool sa pamamagitan ng OmniRoute — libreng API gateway para sa walang limitasyong coding._
@@ -118,6 +96,38 @@ _Ikonekta ang anumang AI-powered IDE o CLI tool sa pamamagitan ng OmniRoute —

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -246,7 +256,7 @@ Gumagamit ang OpenAI ng isang format, gumagamit si Claude (Anthropic) ng isa pa,

 **Paano ito niresolba ng OmniRoute:**

- **Pinag-isang Endpoint** — Isang `http://localhost:20128/v1` ang nagsisilbing proxy para sa lahat ng 36+ provider
+- **Pinag-isang Endpoint** — Isang `http://localhost:20128/v1` ang nagsisilbing proxy para sa lahat ng 67+ provider
 - **Format Translation** — Awtomatiko at transparent: OpenAI ↔ Claude ↔ Gemini ↔ Responses API
 - **Response Sanitization** — Tinatanggal ang mga hindi karaniwang field (`x_groq`, `usage_breakdown`, `service_tier`) na sumisira sa OpenAI SDK v1.83+
 - **Role Normalization** — Kino-convert ang `developer` → `system` para sa mga provider na hindi OpenAI; `system` → `user` para sa GLM/ERNIE
@@ -331,7 +341,7 @@ Gumagamit ang mga developer ng Cursor, Claude Code, Codex CLI, OpenClaw, Gemini
 - **CLI Tools Dashboard** — Nakatuon na page na may isang-click na setup para sa Claude Code, Codex CLI, OpenClaw, Kilo Code, Antigravity, Cline
 - **GitHub Copilot Config Generator** — Bumubuo ng `chatLanguageModels.json` para sa VS Code na may maramihang pagpili ng modelo
 - **Onboarding Wizard** — May gabay na 4-step na pag-setup para sa mga unang beses na user
- **Isang endpoint, lahat ng modelo** — I-configure ang `http://localhost:20128/v1` nang isang beses, i-access ang 36+ provider
+- **Isang endpoint, lahat ng modelo** — I-configure ang `http://localhost:20128/v1` nang isang beses, i-access ang 67+ provider

 </details>

@@ -873,14 +883,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 Mga Multi-Modal na API

-| Tampok                     | Ano ang Ginagawa Nito                                        |
-| -------------------------- | ------------------------------------------------------------ |
-| 🖼️ **Pagbuo ng Larawan**   | `/v1/images/generations` — 4 na provider, 9+ na modelo       |
-| 📐 **Mga Pag-embed**       | `/v1/embeddings` — 6 na provider, 9+ na modelo               |
-| 🎤 **Audio Transcription** | `/v1/audio/transcriptions` — Whisper-compatible              |
-| 🔊 **Text-to-Speech**      | `/v1/audio/speech` — Multi-provider audio synthesis          |
-| 🛡️ **Mga Pag-moderate**    | `/v1/moderations` — Mga pagsusuri sa kaligtasan ng nilalaman |
-| 🔀 **Reranking**           | `/v1/rerank` — Muling pagraranggo ng kaugnayan ng dokumento  |
+| Tampok                     | Ano ang Ginagawa Nito                                                                                                                                                      |
+| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Pagbuo ng Larawan**   | `/v1/images/generations` — 4 na provider, 9+ na modelo                                                                                                                     |
+| 📐 **Mga Pag-embed**       | `/v1/embeddings` — 6 na provider, 9+ na modelo                                                                                                                             |
+| 🎤 **Audio Transcription** | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Text-to-Speech**      | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Mga Pag-moderate**    | `/v1/moderations` — Mga pagsusuri sa kaligtasan ng nilalaman                                                                                                               |
+| 🔀 **Reranking**           | `/v1/rerank` — Muling pagraranggo ng kaugnayan ng dokumento                                                                                                                |

 ### 🛡️ Katatagan at Seguridad

@@ -11,28 +11,6 @@ _Twój uniwersalny serwer proxy API — jeden punkt końcowy, ponad 36 dostawcó

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Bezpłatny dostawca AI dla Twoich ulubionych agentów kodujących

 _Połącz dowolne narzędzie IDE lub CLI oparte na sztucznej inteligencji poprzez OmniRoute — bezpłatną bramę API dla nieograniczonego kodowania._
@@ -118,6 +96,38 @@ _Połącz dowolne narzędzie IDE lub CLI oparte na sztucznej inteligencji poprze

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -873,14 +883,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 Wielomodalne interfejsy API

-| Funkcja                       | Co to robi                                             |
-| ----------------------------- | ------------------------------------------------------ |
-| 🖼️ **Generowanie obrazu**     | `/v1/images/generations` — 4 dostawców, ponad 9 modeli |
-| 📐 **Osadzenia**              | `/v1/embeddings` — 6 dostawców, ponad 9 modeli         |
-| 🎤 **Transkrypcja audio**     | `/v1/audio/transcriptions` — Kompatybilny z szeptem    |
-| 🔊 **Zamiana tekstu na mowę** | `/v1/audio/speech` — Synteza dźwięku wielu dostawców   |
-| 🛡️ **Moderacje**              | `/v1/moderations` — Kontrola bezpieczeństwa treści     |
-| 🔀 **Ponowna pozycja**        | `/v1/rerank` — Zmiana rankingu trafności dokumentu     |
+| Funkcja                       | Co to robi                                                                                                                                                                 |
+| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Generowanie obrazu**     | `/v1/images/generations` — 4 dostawców, ponad 9 modeli                                                                                                                     |
+| 📐 **Osadzenia**              | `/v1/embeddings` — 6 dostawców, ponad 9 modeli                                                                                                                             |
+| 🎤 **Transkrypcja audio**     | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Zamiana tekstu na mowę** | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Moderacje**              | `/v1/moderations` — Kontrola bezpieczeństwa treści                                                                                                                         |
+| 🔀 **Ponowna pozycja**        | `/v1/rerank` — Zmiana rankingu trafności dokumentu                                                                                                                         |

 ### 🛡️ Odporność i bezpieczeństwo

@@ -11,28 +11,6 @@ _Seu proxy de API universal — um endpoint, 36+ provedores, zero tempo de inati

 ---

-### 🆕 Novidades na v2.7.0
-
- **RouterStrategy plugável** — estratégias de regras, custo e latência
- **Detecção de intenção multilíngue** — scoring de roteamento em 30+ idiomas
- **Deduplicação de requisições** — evita chamadas duplicadas por hash de conteúdo
- **Novos provedores:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Preços atualizados:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Provedor de IA Gratuito para seus agentes de programação favoritos

 _Conecte qualquer IDE ou ferramenta CLI com IA através do OmniRoute — gateway de API gratuito para programação ilimitada._
@@ -118,6 +96,38 @@ _Conecte qualquer IDE ou ferramenta CLI com IA através do OmniRoute — gateway

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -819,24 +829,28 @@ Quando minimizado, o OmniRoute fica na bandeja do sistema com ações rápidas:

 ## 💰 Preços Resumidos

-| Tier              | Provedor          | Custo                        | Reset de Cota     | Melhor Para             |
-| ----------------- | ----------------- | ---------------------------- | ----------------- | ----------------------- |
-| **💳 ASSINATURA** | Claude Code (Pro) | $20/mês                      | 5h + semanal      | Já é assinante          |
-|                   | Codex (Plus/Pro)  | $20-200/mês                  | 5h + semanal      | Usuários OpenAI         |
-|                   | Gemini CLI        | **GRATUITO**                 | 180K/mês + 1K/dia | Todos!                  |
-|                   | GitHub Copilot    | $10-19/mês                   | Mensal            | Usuários GitHub         |
-| **🔑 API KEY**    | NVIDIA NIM        | **GRATUITO** (1000 créditos) | Único             | Testes gratuitos        |
-|                   | DeepSeek          | Por uso                      | Nenhum            | Melhor preço/qualidade  |
-|                   | Groq              | Tier gratuito + pago         | Limitado          | Inferência ultra-rápida |
-|                   | xAI (Grok)        | Por uso                      | Nenhum            | Modelos Grok            |
-|                   | Mistral           | Tier gratuito + pago         | Limitado          | IA Europeia             |
-|                   | OpenRouter        | Por uso                      | Nenhum            | 100+ modelos            |
-| **💰 BARATO**     | GLM-4.7           | $0.6/1M                      | Diário 10h        | Backup econômico        |
-|                   | MiniMax M2.1      | $0.2/1M                      | Rotativo 5h       | Opção mais barata       |
-|                   | Kimi K2           | $9/mês fixo                  | 10M tokens/mês    | Custo previsível        |
-| **🆓 GRATUITO**   | iFlow             | $0                           | Ilimitado         | 8 modelos gratuitos     |
-|                   | Qwen              | $0                           | Ilimitado         | 3 modelos gratuitos     |
-|                   | Kiro              | $0                           | Ilimitado         | Claude gratuito         |
+| Tier              | Provedor          | Custo                        | Reset de Cota     | Melhor Para                    |
+| ----------------- | ----------------- | ---------------------------- | ----------------- | ------------------------------ |
+| **💳 ASSINATURA** | Claude Code (Pro) | $20/mês                      | 5h + semanal      | Já é assinante                 |
+|                   | Codex (Plus/Pro)  | $20-200/mês                  | 5h + semanal      | Usuários OpenAI                |
+|                   | Gemini CLI        | **GRATUITO**                 | 180K/mês + 1K/dia | Todos!                         |
+|                   | GitHub Copilot    | $10-19/mês                   | Mensal            | Usuários GitHub                |
+| **🔑 API KEY**    | NVIDIA NIM        | **GRATUITO** (1000 créditos) | Único             | Testes gratuitos               |
+|                   | DeepSeek          | Por uso                      | Nenhum            | Melhor preço/qualidade         |
+|                   | Groq              | Tier gratuito + pago         | Limitado          | Inferência ultra-rápida        |
+|                   | xAI (Grok)        | Por uso                      | Nenhum            | Modelos Grok                   |
+|                   | Mistral           | Tier gratuito + pago         | Limitado          | IA Europeia                    |
+|                   | OpenRouter        | Por uso                      | Nenhum            | 100+ modelos                   |
+| **💰 BARATO**     | GLM-4.7           | $0.6/1M                      | Diário 10h        | Backup econômico               |
+|                   | MiniMax M2.1      | $0.2/1M                      | Rotativo 5h       | Opção mais barata              |
+|                   | Kimi K2           | $9/mês fixo                  | 10M tokens/mês    | Custo previsível               |
+| **🆓 GRATUITO**   | iFlow             | $0                           | Ilimitado         | 8 modelos gratuitos            |
+|                   | Qwen              | $0                           | Ilimitado         | 3 modelos gratuitos            |
+|                   | Kiro              | $0                           | Ilimitado         | Claude gratuito                |
+|                   | LongCat 🆕        | **$0** (50M tok/dia 🔥)      | 1 req/s           | Maior cota grátis do mundo     |
+|                   | Pollinations 🆕   | **$0** (sem chave API)       | 1 req/15s         | GPT-5, Claude, DeepSeek, Llama |
+|                   | Cloudflare AI 🆕  | **$0** (10K Neurons/dia)     | ~150 resp/dia     | 50+ modelos, edge global       |
+|                   | Scaleway AI 🆕    | **$0** (1M tokens total)     | Limitado por taxa | EU/GDPR, Qwen3 235B, Llama 70B |

 **💡 Dica Pro:** Comece com Gemini CLI (180K grátis/mês) + iFlow (ilimitado grátis) = $0 de custo!

@@ -879,16 +893,16 @@ Por que isso é relevante:

 ### 🎵 APIs Multi-Modal

-| Funcionalidade              | O que Faz                                                                                                   |
-| --------------------------- | ----------------------------------------------------------------------------------------------------------- |
-| 🖼️ **Geração de Imagem**    | `/v1/images/generations` — 10 provedores, 20+ modelos (cloud + local)                                       |
-| 📐 **Embeddings**           | `/v1/embeddings` — 6 provedores, 9+ modelos                                                                 |
-| 🎤 **Transcrição de Áudio** | `/v1/audio/transcriptions` — Whisper + Nvidia NIM, HuggingFace, Qwen3                                       |
-| 🔊 **Texto para Fala**      | `/v1/audio/speech` — ElevenLabs, Nvidia NIM, HuggingFace, Coqui, Tortoise, Qwen3, Inworld, Cartesia, PlayHT |
-| 🎬 **Geração de Vídeo**     | `/v1/videos/generations` — ComfyUI (AnimateDiff, SVD), SD WebUI                                             |
-| 🎵 **Geração de Música**    | `/v1/music/generations` — ComfyUI (Stable Audio Open, MusicGen)                                             |
-| 🛡️ **Moderações**           | `/v1/moderations` — Verificações de segurança                                                               |
-| 🔀 **Reranking**            | `/v1/rerank` — Reranking de relevância de documentos                                                        |
+| Funcionalidade              | O que Faz                                                                                                                                                                  |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Geração de Imagem**    | `/v1/images/generations` — 10 provedores, 20+ modelos (cloud + local)                                                                                                      |
+| 📐 **Embeddings**           | `/v1/embeddings` — 6 provedores, 9+ modelos                                                                                                                                |
+| 🎤 **Transcrição de Áudio** | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Texto para Fala**      | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🎬 **Geração de Vídeo**     | `/v1/videos/generations` — ComfyUI (AnimateDiff, SVD), SD WebUI                                                                                                            |
+| 🎵 **Geração de Música**    | `/v1/music/generations` — ComfyUI (Stable Audio Open, MusicGen)                                                                                                            |
+| 🛡️ **Moderações**           | `/v1/moderations` — Verificações de segurança                                                                                                                              |
+| 🔀 **Reranking**            | `/v1/rerank` — Reranking de relevância de documentos                                                                                                                       |

 ### 🛡️ Resiliência e Segurança

@@ -1223,6 +1237,53 @@ Modelos:
  kr/claude-haiku-4.5
 ```

+### LongCat AI (GRATUITO 50M tokens/dia!) 🆕
+
+1. Cadastre-se: [longcat.chat](https://longcat.chat) com e-mail ou telefone
+2. Gere uma chave de API gratuita
+3. Dashboard → Adicionar Provedor → LongCat
+
+**Modelos:**
+
+- `lc/LongCat-Flash-Lite` — **50M tokens/dia** 💥 (maior cota gratuita do mundo!)
+- `lc/LongCat-Flash-Chat` — 500K tokens/dia
+- `lc/LongCat-Flash-Thinking` — 500K tokens/dia (raciocínio)
+
+> 100% gratuito durante o beta público. Reset diário à meia-noite UTC.
+
+### Pollinations AI (SEM CHAVE NECESSÁRIA!) 🆕
+
+1. Adicione o provedor Pollinations no Dashboard
+2. Deixe o campo de chave API vazio (ou coloque qualquer string)
+3. Comece a usar imediatamente!
+
+**Modelos via `pol/`:** `openai` (GPT-5), `claude`, `gemini`, `deepseek`, `llama` (Llama 4)
+
+> Sem cadastro, sem chave, sem cartão de crédito. 1 req/15s ilimitado.
+
+### Cloudflare Workers AI (GRATUITO 10K Neurons/dia!) 🆕
+
+1. Cadastre-se: [dash.cloudflare.com](https://dash.cloudflare.com)
+2. Gere um API Token em Profile → API Tokens
+3. Copie seu Account ID (coluna direita do dashboard)
+4. Dashboard → Adicionar Provedor → Cloudflare AI
+   - API Key: seu token
+   - Account ID: seu account ID
+
+**Modelos via `cf/`:** `@cf/meta/llama-3.3-70b-instruct`, `@cf/google/gemma-3-12b-it`, 50+ mais
+
+> 10K Neurons/dia ≈ 150 respostas de LLM ou 500s de transcrição Whisper gratuita!
+
+### Scaleway AI (1M tokens gratuitos!) 🆕
+
+1. Cadastre-se: [console.scaleway.com](https://console.scaleway.com)
+2. Gere uma chave de API IAM
+3. Dashboard → Adicionar Provedor → Scaleway
+
+**Modelos via `scw/`:** `qwen3-235b-a22b-instruct-2507` (Qwen3 235B!), `llama-3.1-70b-instruct`
+
+> 1M tokens gratuitos para novas contas. Dados processados na 🇫🇷 França (EU/GDPR).
+
 </details>

 <details>
@@ -11,28 +11,6 @@ _Seu proxy de API universal — um endpoint, mais de 36 provedores, tempo de ina

 ---

-### 🆕 Novidades na v2.7.0
-
- **RouterStrategy extensível** — estratégias de regras, custo e latência
- **Deteção de intenção multilíngue** — scoring de encaminhamento em 30+ idiomas
- **Deduplicação de pedidos** — evita chamadas duplicadas por hash de conteúdo
- **Novos fornecedores:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Preços atualizados:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Provedor de IA gratuito para seus agentes de codificação favoritos

 _Conecte qualquer ferramenta IDE ou CLI com tecnologia de IA por meio do OmniRoute - gateway de API gratuito para codificação ilimitada._
@@ -118,6 +96,38 @@ _Conecte qualquer ferramenta IDE ou CLI com tecnologia de IA por meio do OmniRou

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -874,14 +884,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 APIs multimodais

-| Recurso                           | O que faz                                                   |
-| --------------------------------- | ----------------------------------------------------------- |
-| 🖼️ **Geração de imagens**         | `/v1/images/generations` — 4 provedores, mais de 9 modelos  |
-| 📐 **Incorporações**              | `/v1/embeddings` — 6 provedores, mais de 9 modelos          |
-| 🎤 **Transcrição de áudio**       | `/v1/audio/transcriptions` — Compatível com sussurro        |
-| 🔊 **Conversão de texto em fala** | `/v1/audio/speech` — Síntese de áudio multiprovedor         |
-| 🛡️ **Moderações**                 | `/v1/moderations` — Verificações de segurança de conteúdo   |
-| 🔀 **Reclassificação**            | `/v1/rerank` — Reclassificação da relevância dos documentos |
+| Recurso                           | O que faz                                                                                                                                                                  |
+| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Geração de imagens**         | `/v1/images/generations` — 4 provedores, mais de 9 modelos                                                                                                                 |
+| 📐 **Incorporações**              | `/v1/embeddings` — 6 provedores, mais de 9 modelos                                                                                                                         |
+| 🎤 **Transcrição de áudio**       | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Conversão de texto em fala** | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Moderações**                 | `/v1/moderations` — Verificações de segurança de conteúdo                                                                                                                  |
+| 🔀 **Reclassificação**            | `/v1/rerank` — Reclassificação da relevância dos documentos                                                                                                                |

 ### 🛡️ Resiliência e segurança

@@ -11,28 +11,6 @@ _Proxy-ul dvs. universal API - un punct final, peste 36 de furnizori, zero timpi

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Furnizor AI gratuit pentru agenții tăi preferați de codare

 _Conectați orice instrument IDE sau CLI alimentat de AI prin OmniRoute — gateway API gratuit pentru codare nelimitată._
@@ -118,6 +96,38 @@ _Conectați orice instrument IDE sau CLI alimentat de AI prin OmniRoute — gate

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -875,14 +885,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 API-uri multimodale

-| Caracteristica            | Ce face                                                    |
-| ------------------------- | ---------------------------------------------------------- |
-| 🖼️ **Generarea imaginii** | `/v1/images/generations` — 4 furnizori, peste 9 modele     |
-| 📐 **Inglobări**          | `/v1/embeddings` — 6 furnizori, peste 9 modele             |
-| 🎤 **Transcriere audio**  | `/v1/audio/transcriptions` — Compatibil cu Whisper         |
-| 🔊 **Text-to-speech**     | `/v1/audio/speech` — Sinteză audio cu mai mulți furnizori  |
-| 🛡️ **Moderații**          | `/v1/moderations` — Verificări de siguranță a conținutului |
-| 🔀 **Reclasificare**      | `/v1/rerank` — Reclasificarea relevanței documentului      |
+| Caracteristica            | Ce face                                                                                                                                                                    |
+| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Generarea imaginii** | `/v1/images/generations` — 4 furnizori, peste 9 modele                                                                                                                     |
+| 📐 **Inglobări**          | `/v1/embeddings` — 6 furnizori, peste 9 modele                                                                                                                             |
+| 🎤 **Transcriere audio**  | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Text-to-speech**     | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Moderații**          | `/v1/moderations` — Verificări de siguranță a conținutului                                                                                                                 |
+| 🔀 **Reclasificare**      | `/v1/rerank` — Reclasificarea relevanței documentului                                                                                                                      |

 ### 🛡️ Reziliență și securitate

@@ -11,28 +11,6 @@ _Ваш универсальный API-прокси — одна точка до

 ---

-### 🆕 Новое в v2.7.0
-
- **Подключаемая RouterStrategy** — стратегии по правилам, стоимости и задержке
- **Многоязычное распознавание намерений** — маршрутизация на 30+ языках
- **Дедупликация запросов** — устранение дублей по хэшу содержимого
- **Новые провайдеры:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Обновлённые цены:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Бесплатный AI-провайдер для ваших любимых агентов программирования

 _Подключайте любую IDE или CLI-инструмент с AI через OmniRoute — бесплатный API gateway для неограниченного программирования._
@@ -118,6 +96,38 @@ _Подключайте любую IDE или CLI-инструмент с AI ч

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -376,7 +386,7 @@ Claude Code, Codex, Gemini CLI, Copilot — все используют OAuth 2.
 - **Панель управления унифицированными журналами** — 4 вкладки: журналы запросов, журналы прокси, журналы аудита, консоль.
 - **Консольный просмотр журнала** — просмотрщик в режиме терминала в режиме реального времени с уровнями с цветовой кодировкой, автоматической прокруткой, поиском и фильтрацией.
 - **Журналы прокси-сервера SQLite** — постоянные журналы, сохраняющиеся после перезапуска сервера.
- **Площадка переводчика** — 4 режима отладки: Площадка (перевод формата), Тестер чата (туда и обратно), Тестовый стенд (пакетный), Мониторинг в реальном времени (в режиме реального времени).
+- **Площадка транслятора (Translator Playground)** — 4 режима отладки: Площадка (перевод формата), Тестер чата (туда и обратно), Тестовый стенд (пакетный), Мониторинг в реальном времени (в режиме реального времени).
 - **Запрос телеметрии** — задержка p50/p95/p99 + отслеживание X-Request-Id
 - **Журналирование на основе файлов с ротацией** — перехватчик консоли записывает все в журнал JSON с ротацией на основе размера.

@@ -441,7 +451,7 @@ Claude Code, Codex, Gemini CLI, Copilot — все используют OAuth 2.

 - **Оценки LLM** — тестирование золотого набора с 10 предварительно загруженными вариантами, охватывающими приветствия, математику, географию, генерацию кода, соответствие JSON, перевод, уценку, отказ от безопасности.
 - **4 стратегии сопоставления** — `exact`, `contains`, `regex`, `custom` (функция JS)
- **Тестовый стенд Translator Playground** — пакетное тестирование с несколькими входными данными и ожидаемыми результатами, сравнение между поставщиками.
+- **Тестовый стенд (Testbed)** — пакетное тестирование с несколькими входными данными и ожидаемыми результатами, сравнение между поставщиками.
 - **Тестер чата** — полный цикл с визуальным отображением ответов.
 - **Живой монитор** — поток всех запросов, проходящих через прокси, в реальном времени.

@@ -873,14 +883,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 Мультимодальные API

-| Функция                      | Что делает                                          |
-| ---------------------------- | --------------------------------------------------- |
-| 🖼️ **Генерация изображений** | `/v1/images/generations` — 4 провайдера, 9+ моделей |
-| 📐 **Embeddings**            | `/v1/embeddings` — 6 провайдеров, 9+ моделей        |
-| 🎤 **Транскрипция аудио**    | `/v1/audio/transcriptions` — Совместимо с Whisper   |
-| 🔊 **Текст в речь**          | `/v1/audio/speech` — Мульти-провайдерный синтез     |
-| 🛡️ **Модерация**             | `/v1/moderations` — Проверки безопасности контента  |
-| 🔀 **Reranking**             | `/v1/rerank` — Переранжирование релевантности       |
+| Функция                      | Что делает                                                                                                                                                                 |
+| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Генерация изображений** | `/v1/images/generations` — 4 провайдера, 9+ моделей                                                                                                                        |
+| 📐 **Embeddings**            | `/v1/embeddings` — 6 провайдеров, 9+ моделей                                                                                                                               |
+| 🎤 **Транскрипция аудио**    | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Текст в речь**          | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Модерация**             | `/v1/moderations` — Проверки безопасности контента                                                                                                                         |
+| 🔀 **Reranking**             | `/v1/rerank` — Переранжирование релевантности                                                                                                                              |

 ### 🛡️ Устойчивость и безопасность

@@ -1006,7 +1016,7 @@ OmniRoute включает встроенный фреймворк оценки

 - Приветствия, математика, география, генерация кода
 - Соответствие формату JSON, перевод, markdown
- Отказ от небезопасного контента, подсчёт, булева логика
+- Отказ от небезопасного контента (Safety refusal), подсчёт, булева логика

 ### Стратегии оценки

@@ -11,28 +11,6 @@ _Váš univerzálny proxy server API – jeden koncový bod, 36+ poskytovateľov

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Bezplatný poskytovateľ AI pre vašich obľúbených kódovacích agentov

 _Pripojte akýkoľvek nástroj IDE alebo CLI poháňaný AI cez OmniRoute – bezplatnú bránu API pre neobmedzené kódovanie._
@@ -118,6 +96,38 @@ _Pripojte akýkoľvek nástroj IDE alebo CLI poháňaný AI cez OmniRoute – be

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -877,14 +887,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 Multimodálne API

-| Funkcia                     | Čo to robí                                                       |
-| --------------------------- | ---------------------------------------------------------------- |
-| 🖼️ **Generovanie obrázkov** | `/v1/images/generations` — 4 poskytovatelia, 9+ modelov          |
-| 📐 **Vloženie**             | `/v1/embeddings` — 6 poskytovateľov, 9+ modelov                  |
-| 🎤 **Prepis zvuku**         | `/v1/audio/transcriptions` — Kompatibilné so šepotom             |
-| 🔊 **Prevod textu na reč**  | `/v1/audio/speech` — Zvuková syntéza od viacerých poskytovateľov |
-| 🛡️ **Moderovania**          | `/v1/moderations` — Kontroly bezpečnosti obsahu                  |
-| 🔀 **Reranking**            | `/v1/rerank` — Zmena poradia relevantnosti dokumentu             |
+| Funkcia                     | Čo to robí                                                                                                                                                                 |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Generovanie obrázkov** | `/v1/images/generations` — 4 poskytovatelia, 9+ modelov                                                                                                                    |
+| 📐 **Vloženie**             | `/v1/embeddings` — 6 poskytovateľov, 9+ modelov                                                                                                                            |
+| 🎤 **Prepis zvuku**         | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Prevod textu na reč**  | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Moderovania**          | `/v1/moderations` — Kontroly bezpečnosti obsahu                                                                                                                            |
+| 🔀 **Reranking**            | `/v1/rerank` — Zmena poradia relevantnosti dokumentu                                                                                                                       |

 ### 🛡️ Odolnosť a bezpečnosť

@@ -11,28 +11,6 @@ _Din universella API-proxy — en slutpunkt, 36+ leverantörer, noll driftstopp.

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Gratis AI-leverantör för dina favoritkodningsagenter

 _Anslut alla AI-drivna IDE- eller CLI-verktyg via OmniRoute — gratis API-gateway för obegränsad kodning._
@@ -118,6 +96,38 @@ _Anslut alla AI-drivna IDE- eller CLI-verktyg via OmniRoute — gratis API-gatew

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -873,14 +883,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 Multimodala API:er

-| Funktion                 | Vad det gör                                            |
-| ------------------------ | ------------------------------------------------------ |
-| 🖼️ **Bildgenerering**    | `/v1/images/generations` — 4 leverantörer, 9+ modeller |
-| 📐 **Inbäddningar**      | `/v1/embeddings` — 6 leverantörer, 9+ modeller         |
-| 🎤 **Ljudtranskription** | `/v1/audio/transcriptions` — Whisper-kompatibel        |
-| 🔊 **Text-till-tal**     | `/v1/audio/speech` — Ljudsyntes med flera leverantörer |
-| 🛡️ **Moderationer**      | `/v1/moderations` — Innehållssäkerhetskontroller       |
-| 🔀 **Omrankning**        | `/v1/rerank` — Omrankning av dokumentrelevans          |
+| Funktion                 | Vad det gör                                                                                                                                                                |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Bildgenerering**    | `/v1/images/generations` — 4 leverantörer, 9+ modeller                                                                                                                     |
+| 📐 **Inbäddningar**      | `/v1/embeddings` — 6 leverantörer, 9+ modeller                                                                                                                             |
+| 🎤 **Ljudtranskription** | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Text-till-tal**     | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Moderationer**      | `/v1/moderations` — Innehållssäkerhetskontroller                                                                                                                           |
+| 🔀 **Omrankning**        | `/v1/rerank` — Omrankning av dokumentrelevans                                                                                                                              |

 ### 🛡️ Motståndskraft och säkerhet

@@ -11,28 +11,6 @@ _พร็อกซี API สากลของคุณ — จุดสิ้

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 ผู้ให้บริการ AI ฟรีสำหรับตัวแทนการเขียนโค้ดที่คุณชื่นชอบ

 _เชื่อมต่อเครื่องมือ IDE หรือ CLI ที่ขับเคลื่อนด้วย AI ผ่าน OmniRoute — เกตเวย์ API ฟรีสำหรับการเข้ารหัสไม่จำกัด_
@@ -118,6 +96,38 @@ _เชื่อมต่อเครื่องมือ IDE หรือ CLI

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -874,14 +884,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 Multi-Modal API

-| คุณสมบัติ               | มันทำอะไร                                                     |
-| ----------------------- | ------------------------------------------------------------- |
-| 🖼️ **การสร้างภาพ**      | `/v1/images/generations` — ผู้ให้บริการ 4 ราย รุ่น 9+         |
-| 📐 **การฝัง**           | `/v1/embeddings` — ผู้ให้บริการ 6 ราย รุ่น 9+                 |
-| 🎶 **การถอดเสียง**      | `/v1/audio/transcriptions` — รองรับการกระซิบ                  |
-| 🔊 **ข้อความเป็นคำพูด** | `/v1/audio/speech` — การสังเคราะห์เสียงจากผู้ให้บริการหลายราย |
-| 🛡️ **การกลั่นกรอง**     | `/v1/moderations` — การตรวจสอบความปลอดภัยของเนื้อหา           |
-| 🔀 **จัดอันดับ**        | `/v1/rerank` — การจัดอันดับความเกี่ยวข้องของเอกสาร            |
+| คุณสมบัติ               | มันทำอะไร                                                                                                                             |
+| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **การสร้างภาพ**      | `/v1/images/generations` — ผู้ให้บริการ 4 ราย รุ่น 9+                                                                                 |
+| 📐 **การฝัง**           | `/v1/embeddings` — ผู้ให้บริการ 6 ราย รุ่น 9+                                                                                         |
+| 🎶 **การถอดเสียง**      | `/v1/audio/transcriptions` — รองรับการกระซิบ                                                                                          |
+| 🔊 **ข้อความเป็นคำพูด** | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise) |
+| 🛡️ **การกลั่นกรอง**     | `/v1/moderations` — การตรวจสอบความปลอดภัยของเนื้อหา                                                                                   |
+| 🔀 **จัดอันดับ**        | `/v1/rerank` — การจัดอันดับความเกี่ยวข้องของเอกสาร                                                                                    |

 ### 🛡️ ความยืดหยุ่นและความปลอดภัย

@@ -11,28 +11,6 @@ _Ваш універсальний API-проксі — одна кінцева

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Безкоштовний постачальник AI для ваших улюблених агентів кодування

 _Підключіть будь-який інструмент IDE або CLI на основі штучного інтелекту через OmniRoute — безкоштовний шлюз API для необмеженого програмування._
@@ -118,6 +96,38 @@ _Підключіть будь-який інструмент IDE або CLI на

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -878,14 +888,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 Мультимодальні API

-| Особливість                        | Що він робить                                         |
-| ---------------------------------- | ----------------------------------------------------- |
-| 🖼️ **Створення зображень**         | `/v1/images/generations` — 4 провайдери, 9+ моделей   |
-| 📐 **Вбудовування**                | `/v1/embeddings` — 6 провайдерів, 9+ моделей          |
-| 🎤 **Транскрипція аудіо**          | `/v1/audio/transcriptions` — сумісний із Whisper      |
-| 🔊 **Створення тексту в мовлення** | `/v1/audio/speech` — Багатопровайдерний аудіосинтез   |
-| 🛡️ **Модерації**                   | `/v1/moderations` — Перевірка безпеки вмісту          |
-| 🔀 **Переранжування**              | `/v1/rerank` — Переранжування релевантності документа |
+| Особливість                        | Що він робить                                                                                                                                                              |
+| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Створення зображень**         | `/v1/images/generations` — 4 провайдери, 9+ моделей                                                                                                                        |
+| 📐 **Вбудовування**                | `/v1/embeddings` — 6 провайдерів, 9+ моделей                                                                                                                               |
+| 🎤 **Транскрипція аудіо**          | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Створення тексту в мовлення** | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Модерації**                   | `/v1/moderations` — Перевірка безпеки вмісту                                                                                                                               |
+| 🔀 **Переранжування**              | `/v1/rerank` — Переранжування релевантності документа                                                                                                                      |

 ### 🛡️ Стійкість і безпека

@@ -11,28 +11,6 @@ _Proxy API phổ quát của bạn — một điểm cuối, hơn 36 nhà cung c

 ---

-### 🆕 What's New in v2.7.0
-
- **Pluggable RouterStrategy** — rules, cost, and latency routing strategies
- **Multilingual intent detection** — routing scoring in 30+ languages
- **Request deduplication** — prevent duplicate API calls via content hash
- **New providers:** Grok-4 Fast (xAI), GLM-5 / Z.AI, MiniMax M2.5, Kimi K2.5
- **Updated pricing:** Grok-4 Fast $0.20/$0.50/M, GLM-5 $0.50/M, MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 Nhà cung cấp AI miễn phí cho các tác nhân mã hóa yêu thích của bạn

 _Kết nối mọi công cụ IDE hoặc CLI được hỗ trợ bởi AI thông qua OmniRoute — cổng API miễn phí để mã hóa không giới hạn._
@@ -118,6 +96,38 @@ _Kết nối mọi công cụ IDE hoặc CLI được hỗ trợ bởi AI thông

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -874,14 +884,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 API đa phương thức

-| Tính năng                             | Nó làm gì                                                    |
-| ------------------------------------- | ------------------------------------------------------------ |
-| 🖼️ **Tạo hình ảnh**                   | `/v1/images/generations` — 4 nhà cung cấp, hơn 9 mô hình     |
-| 📐 **Nhúng**                          | `/v1/embeddings` — 6 nhà cung cấp, hơn 9 mô hình             |
-| 🎤 **Phiên âm âm thanh**              | `/v1/audio/transcriptions` — Tương thích với lời thì thầm    |
-| 🔊 **Chuyển văn bản thành giọng nói** | `/v1/audio/speech` — Tổng hợp âm thanh từ nhiều nhà cung cấp |
-| 🛡️ **Kiểm duyệt**                     | `/v1/moderations` — Kiểm tra an toàn nội dung                |
-| 🔀 **Sắp xếp lại**                    | `/v1/rerank` — Sắp xếp lại mức độ liên quan của tài liệu     |
+| Tính năng                             | Nó làm gì                                                                                                                                                                  |
+| ------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **Tạo hình ảnh**                   | `/v1/images/generations` — 4 nhà cung cấp, hơn 9 mô hình                                                                                                                   |
+| 📐 **Nhúng**                          | `/v1/embeddings` — 6 nhà cung cấp, hơn 9 mô hình                                                                                                                           |
+| 🎤 **Phiên âm âm thanh**              | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **Chuyển văn bản thành giọng nói** | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **Kiểm duyệt**                     | `/v1/moderations` — Kiểm tra an toàn nội dung                                                                                                                              |
+| 🔀 **Sắp xếp lại**                    | `/v1/rerank` — Sắp xếp lại mức độ liên quan của tài liệu                                                                                                                   |

 ### 🛡️ Khả năng phục hồi và bảo mật

@@ -11,28 +11,6 @@ _您的通用 API 代理 — 一个端点，36+ 提供商，零停机时间。_

 ---

-### 🆕 v2.7.0 新功能
-
- **可插拔 RouterStrategy** — 支持规则、成本和延迟策略
- **多语言意图检测** — 支持 30+ 语言的路由评分
- **请求去重** — 基于内容哈希避免重复 API 调用
- **新增提供商：** Grok-4 Fast (xAI)、GLM-5 / Z.AI、MiniMax M2.5、Kimi K2.5
- **价格更新：** Grok-4 Fast $0.20/$0.50/M，GLM-5 $0.50/M，MiniMax M2.5 $0.30/M
-
---
-
-### 🚀 New in v2.0.9+ — Playground, CLI Fingerprints & ACP
-
-| Feature                                    | What It Does                                                                                                                                  |
-| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🎮 **Model Playground**                    | Dashboard page to test any model directly — provider/model/endpoint selectors, Monaco Editor, streaming, abort, timing                        |
-| 🔏 **CLI Fingerprint Matching**            | Per-provider header/body ordering to match native CLI signatures — toggle per provider in Settings > Security. **Your proxy IP is preserved** |
-| 🤝 **ACP Support (Agent Client Protocol)** | CLI agent discovery (Codex, Claude, Goose, Gemini CLI, OpenClaw), process spawner, `/api/acp/agents` endpoint                                 |
-| 🤖 **ACP Agents Dashboard**                | Debug > Agents page — grid of 14 agents with install status, version, custom agent form for any CLI tool                                      |
-| 🔧 **Custom Model `apiFormat` Routing**    | Custom models with `apiFormat: "responses"` now correctly route to the Responses API translator                                               |
-| 🏢 **Codex Workspace Isolation**           | Multiple Codex workspaces per email — OAuth correctly separates connections by workspace ID                                                   |
-| 🔄 **Electron Auto-Update**                | Desktop app checks for updates + auto-install on restart                                                                                      |
-
 ### 🤖 为您最爱的编程代理提供免费 AI

 _通过 OmniRoute 连接任何 AI 驱动的 IDE 或 CLI 工具 — 免费 API 网关，无限编程。_
@@ -118,6 +96,38 @@ _通过 OmniRoute 连接任何 AI 驱动的 IDE 或 CLI 工具 — 免费 API

 ---

+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+
+
+### 🆕 What's New in v3.0.0
+
+| Area | Change |
+| --- | --- |
+| 🔒 **CodeQL Security** | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection |
+| ✅ **Route Validation** | All 176 API routes validated with Zod schemas + `validateBody()` |
+| 🐛 **omniModel Tag Leak** | Internal `<omniModel>` tags no longer leak to clients in SSE streams (#585) |
+| 🔑 **Registered Keys API** | Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement |
+| 🎨 **Provider Icons** | 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback |
+| 🔄 **Model Auto-Sync** | 24h scheduler refreshes model lists for 16 providers |
+| 🌐 **OpenCode Zen/Go** | Two new providers: free tier + subscription tier |
+| 🔧 **926 Tests** | Full test suite passes with 0 failures |
+
+---
+
+
+
 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
@@ -873,14 +883,14 @@ npm run electron:build:linux   # Linux (.AppImage)

 ### 🎵 多模态 API

-| 功能              | 功能描述                                       |
-| ----------------- | ---------------------------------------------- |
-| 🖼️ **图像生成**   | `/v1/images/generations` — 4 个提供商，9+ 模型 |
-| 📐 **Embeddings** | `/v1/embeddings` — 6 个提供商，9+ 模型         |
-| 🎤 **音频转录**   | `/v1/audio/transcriptions` — Whisper 兼容      |
-| 🔊 **文字转语音** | `/v1/audio/speech` — 多提供商音频合成          |
-| 🛡️ **内容审核**   | `/v1/moderations` — 内容安全检查               |
-| 🔀 **重排序**     | `/v1/rerank` — 文档相关性重排序                |
+| 功能              | 功能描述                                                                                                                                                                   |
+| ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 🖼️ **图像生成**   | `/v1/images/generations` — 4 个提供商，9+ 模型                                                                                                                             |
+| 📐 **Embeddings** | `/v1/embeddings` — 6 个提供商，9+ 模型                                                                                                                                     |
+| 🎤 **音频转录**   | `/v1/audio/transcriptions` — 7 providers (Deepgram Nova 3, AssemblyAI, Groq Whisper, HuggingFace, ElevenLabs, OpenAI, Azure), auto-language detection, MP4/MP3/WAV support |
+| 🔊 **文字转语音** | `/v1/audio/speech` — 10 providers (ElevenLabs, OpenAI, Deepgram, Cartesia, PlayHT, HuggingFace, Nvidia NIM, Inworld, Coqui, Tortoise)                                      |
+| 🛡️ **内容审核**   | `/v1/moderations` — 内容安全检查                                                                                                                                           |
+| 🔀 **重排序**     | `/v1/rerank` — 文档相关性重排序                                                                                                                                            |

 ### 🛡️ 弹性与安全

@@ -1,7 +1,7 @@
 openapi: 3.1.0
 info:
  title: OmniRoute API
-  version: 2.8.4
+  version: 3.0.7
  description: |
    OmniRoute is a local-first AI API proxy router. It provides an OpenAI-compatible
    endpoint that routes requests to multiple AI providers with load balancing,
@@ -29,6 +29,7 @@ const eslintConfig = [
    ignores: [
      // Next.js build output
      ".next/**",
+      "src/.next/**",
      "out/**",
      "build/**",
      "next-env.d.ts",
@@ -1,6 +1,6 @@
 # OmniRoute

-> OmniRoute is a free, open-source AI Gateway that acts as a universal API proxy for multi-provider LLMs. It provides smart routing, automatic fallback, load balancing, and format translation across 36+ AI providers — all through a single OpenAI-compatible endpoint.
+> OmniRoute is a free, open-source AI Gateway that acts as a universal API proxy for multi-provider LLMs. It provides smart routing, automatic fallback, load balancing, and format translation across 67+ AI providers — all through a single OpenAI-compatible endpoint.

 ## Overview

@@ -8,19 +8,19 @@ OmniRoute solves the problem of managing multiple AI provider subscriptions, quo

 **Key value:** One endpoint (`http://localhost:20128/v1`), unlimited models, zero downtime, minimal cost.

-**Current version:** 2.0.13
+**Current version:** 3.0.0

 ## Tech Stack

 - **Runtime:** Node.js >= 18
- **Framework:** Next.js 16 (App Router) with TypeScript
+- **Framework:** Next.js 16 (App Router) with TypeScript 5.9
 - **Database:** SQLite via better-sqlite3 (local, zero-config)
- **State management:** Zustand (client), lowdb (server JSON persistence)
- **UI:** React 19, Tailwind CSS 4, Recharts for analytics
+- **State management:** Zustand (client), SQLite (server persistence)
+- **UI:** React 19, Tailwind CSS 4, Recharts for analytics, @lobehub/icons for 130+ provider SVG icons
 - **Auth:** OAuth 2.0 (PKCE) for providers, bcrypt for local user auth
- **Background jobs:** Custom token health check scheduler
+- **Background jobs:** Custom token health check scheduler, 24h model auto-sync
 - **Streaming:** Server-Sent Events (SSE) for real-time proxy responses
- **Proxy engine:** Custom pipeline with format translation, circuit breaker, rate limiting
+- **Proxy engine:** Custom pipeline with format translation, circuit breaker, rate limiting, auto-combo engine
 - **i18n:** next-intl with 30 languages
 - **Package:** Published on npm (`omniroute`) and Docker Hub (`diegosouzapw/omniroute`)

@@ -35,14 +35,14 @@ OmniRoute solves the problem of managing multiple AI provider subscriptions, quo
 │   │   │       ├── agents/       # ACP Agents dashboard (CLI agent detection + custom agents)
 │   │   │       ├── analytics/    # Usage analytics and charts
 │   │   │       ├── api-manager/  # API key management
-│   │   │       ├── cli-tools/    # CLI tool configuration (Claude, Codex, Gemini, etc.)
-│   │   │       ├── combos/       # Model combo management
-│   │   │       ├── costs/        # Cost tracking
-│   │   │       ├── endpoint/     # Endpoint info and cloud proxy
-│   │   │       ├── health/       # System health monitoring
+│   │   │       ├── cli-tools/    # CLI tool configuration (Claude Code, Codex, Gemini CLI, etc.)
+│   │   │       ├── combos/       # Model combo management (9 strategies + 4 templates)
+│   │   │       ├── costs/        # Cost tracking per provider/model
+│   │   │       ├── endpoint/     # Unified: Endpoint Proxy, MCP, A2A, API Endpoints tabs
+│   │   │       ├── health/       # System health (uptime, circuit breakers, latency)
 │   │   │       ├── limits/       # Rate limits dashboard
-│   │   │       ├── logs/         # Request logs viewer
-│   │   │       ├── media/        # Image/video/music generation
+│   │   │       ├── logs/         # Request, Proxy, Audit, Console logs (tabbed)
+│   │   │       ├── media/        # Image/video/music generation + transcription
 │   │   │       ├── playground/   # Model playground (Monaco editor, streaming)
 │   │   │       ├── providers/    # Provider management (OAuth + API key + free)
 │   │   │       ├── settings/     # Settings tabs (General, Appearance, Security, Routing, Resilience, Advanced)
@@ -51,7 +51,7 @@ OmniRoute solves the problem of managing multiple AI provider subscriptions, quo
 │   │   ├── api/                  # REST API endpoints
 │   │   │   ├── v1/               # OpenAI-compatible API (chat, models, embeddings, images, audio)
 │   │   │   ├── acp/              # ACP agent management API
-│   │   │   ├── oauth/            # OAuth flows per provider (authorize, exchange, callback)
+│   │   │   ├── oauth/            # OAuth flows per provider
 │   │   │   ├── providers/        # Provider CRUD and batch testing
 │   │   │   ├── models/           # Dashboard model listing and aliases
 │   │   │   ├── combos/           # Combo CRUD (multi-model fallback chains)
@@ -59,131 +59,143 @@ OmniRoute solves the problem of managing multiple AI provider subscriptions, quo
 │   │   └── login/                # Login page
 │   ├── domain/                   # Domain types and business logic interfaces
 │   ├── i18n/                     # Internationalization
-│   │   └── messages/             # 30 language JSON files (ar, bg, cs, da, de, en, es, fi, fr, he, hu, id, in, it, ja, ko, ms, nl, no, phi, pl, pt, pt-BR, ro, ru, sk, sv, th, uk-UA, vi, zh-CN)
+│   │   └── messages/             # 30 language JSON files
 │   ├── lib/                      # Core libraries
-│   │   ├── acp/                  # ACP agent registry and manager (14 built-in agents + custom)
-│   │   ├── db/                   # SQLite database layer (providers, combos, prompts, logs)
+│   │   ├── a2a/                  # Agent-to-Agent v0.3 protocol server
+│   │   ├── acp/                  # ACP agent registry and manager (14 built-in + custom)
+│   │   ├── db/                   # SQLite database layer (core, providers, models, combos, apiKeys, settings, backup)
 │   │   ├── oauth/                # OAuth providers, services, and utilities
-│   │   │   ├── providers/        # Provider-specific OAuth configs (GitHub, Google, Claude, etc.)
+│   │   │   ├── constants/        # Default OAuth credentials (overridable via env)
+│   │   │   ├── providers/        # Provider-specific OAuth configs
 │   │   │   ├── services/         # Provider-specific token exchange logic
 │   │   │   └── utils/            # PKCE, callback server, token helpers
 │   │   ├── cloudSync.ts          # Cloud sync via Cloudflare Workers
 │   │   ├── tokenHealthCheck.ts   # Background OAuth token refresh scheduler
-│   │   └── localDb.ts            # Unified database access layer
+│   │   └── localDb.ts            # Unified re-export layer for all DB modules
 │   ├── shared/                   # Shared utilities, components, and constants
-│   │   ├── components/           # Reusable UI components (Card, Badge, Button, Modal, Sidebar, etc.)
-│   │   ├── constants/            # Provider definitions, model lists, pricing
-│   │   ├── validation/           # Zod schemas (settings, providers, etc.)
+│   │   ├── components/           # Reusable UI components (Card, Badge, Button, Modal, Sidebar, ProviderIcon, etc.)
+│   │   ├── constants/            # Provider definitions, model lists, pricing, upstream headers
+│   │   ├── validation/           # Zod schemas (settings, providers, routes)
 │   │   └── utils/                # Helpers (auth, CORS, error codes, machine ID)
 │   ├── sse/                      # SSE proxy pipeline
 │   │   ├── services/             # Auth resolution, format translation, response handling
 │   │   └── middleware/           # Rate limiting, circuit breaker, caching, idempotency
 │   ├── store/                    # Zustand client-side stores (theme, providers, etc.)
-│   ├── types/                    # TypeScript type definitions
-│   ├── proxy.ts                  # Main proxy request handler
-│   └── server-init.ts            # Server initialization (DB, health checks)
+│   └── types/                    # TypeScript type definitions
 ├── open-sse/                     # Standalone SSE server (npm workspace)
 │   ├── config/                   # Model registries (embedding, image, audio, rerank, moderation, CLI fingerprints)
-│   ├── handlers/                 # Request handlers per API type
-│   ├── mcp-server/               # Built-in MCP server (16 tools, audit logging, scope auth)
-│   └── translators/              # Format translators (OpenAI ↔ Claude ↔ Gemini ↔ Responses ↔ Ollama)
-├── tests/                        # Test suites
+│   ├── handlers/                 # Request handlers per API type (chat, responses, embeddings, images, audio, search)
+│   ├── mcp-server/               # Built-in MCP server (16 tools, 3 transports: stdio/SSE/streamable-HTTP)
+│   ├── services/                 # Auto-combo engine (6-factor scoring, 4 mode packs, bandit exploration)
+│   └── translator/               # Format translators (OpenAI ↔ Claude ↔ Gemini ↔ Responses ↔ Ollama ↔ DeepSeek)
+├── tests/                        # Test suites (926 assertions)
 │   ├── unit/                     # Unit tests (32+ test files)
 │   └── integration/              # Integration tests
-├── docs/                         # Documentation (with 29-language i18n subdirectories)
-│   ├── i18n/                     # Translated docs (ar, bg, cs, da, de, es, fi, fr, he, hu, id, in, it, ja, ko, ms, nl, no, phi, pl, pt, pt-BR, ro, ru, sk, sv, th, uk-UA, vi, zh-CN)
+├── docs/                         # Documentation
+│   ├── i18n/                     # 30-language translated READMEs
 │   ├── screenshots/              # Dashboard screenshots
 │   ├── a2a-server.md             # A2A agent protocol documentation
 │   ├── auto-combo.md             # Auto-combo engine (6-factor scoring)
 │   └── mcp-server.md             # MCP server (16 tools)
-├── electron/                     # Electron desktop app
 ├── bin/                          # CLI entry points (omniroute, reset-password)
 └── .env.example                  # Environment variable template
 ```

-## Key Features (v2.0.13)
+## Key Features (v3.0.0)

 ### Core Proxy
- **36+ AI providers** with automatic format translation
+- **67+ AI providers** with automatic format translation
 - **6 routing strategies**: priority, weighted, round-robin, random, least-used, cost-optimized
 - **4-tier fallback**: Subscription → API Key → Cheap → Free
+- **Auto-combo engine**: Self-healing routing optimization with 6-factor scoring, bandit exploration, progressive cooldown
 - **Semantic caching** with cache hit/miss headers
 - **Idempotency** with configurable dedup window
 - **Circuit breaker** per provider with configurable thresholds
+- **Provider Icons**: 130+ provider logos via `@lobehub/icons` (SVG) with PNG fallback
+- **Model Auto-Sync**: 24h scheduler refreshes model lists for 16 providers
+- **Registered Keys API**: Auto-provision API keys via `POST /api/v1/registered-keys` with quota enforcement
+- **926 tests** with 0 failures

-### Anti-Ban Protection
+### Security
+- **CodeQL security**: Fixed 10+ CodeQL alerts (polynomial-redos, insecure-randomness, shell-injection)
+- **Route validation**: All 176 API routes validated with Zod schemas + `validateBody()`
+- **omniModel tag sanitization**: Internal `<omniModel>` tags never leak to clients in SSE streams
 - **TLS Fingerprint Spoofing** — Browser-like TLS fingerprint to reduce bot detection
- **CLI Fingerprint Matching** — Per-provider request signature matching (headers/body ordering) to match native CLI tools. Proxy IP is preserved.
+- **CLI Fingerprint Matching** — Per-provider request signature matching

 ### Dashboard Pages
- **Providers** — OAuth, API key, and free provider management
- **Combos** — Multi-model fallback chain builder with templates
+- **Providers** — OAuth, API key, and free provider management with ProviderIcon SVG icons
+- **Combos** — Multi-model combo builder with 4 templates (Free Stack, High Availability, Cost Saver, Balanced) + 9 strategies
 - **Analytics** — Token consumption, cost, heatmaps, distributions
 - **Health** — Uptime, memory, latency percentiles, circuit breakers
- **Logs** — Real-time request log viewer with filtering
+- **Logs** — Request, Proxy, Audit, Console (tabbed)
 - **Costs** — Cost tracking per provider/model
 - **Limits** — Rate limit monitoring
 - **CLI Tools** — One-click configuration for 10+ AI CLI tools
- **CLI Agents** — Grid of 14 built-in agents with install detection + custom agent registration
+- **CLI Agents** — Grid of 14+ built-in agents with ProviderIcon and install detection + custom agent registration
 - **Playground** — Test any model with Monaco editor, streaming responses
- **Media** — Image/video/music generation (DALL-E, FLUX, AnimateDiff, etc.)
+- **Media** — Image/video/music generation (DALL-E, FLUX, etc.) + audio transcription (up to 2GB files)
 - **Translator** — Format debugging: playground, chat tester, test bench, live monitor
 - **Settings** — General, Appearance (7 color themes), Security (TLS/CLI fingerprint, IP filter), Routing, Resilience, Advanced
- **Endpoint** — Unified API endpoint info + cloud proxy
-
-### Sidebar Organization
- **Main**: Home, Endpoints, API Manager, Providers, Combos, Costs, Analytics, Limits
- **CLI**: Tools, Agents
- **Debug**: Translator, Playground, Media
- **System**: Health, Logs, Settings
- **Help**: Docs, Issues
+- **Endpoint** — Unified: Endpoint Proxy, MCP Server, A2A Server, API Endpoints (tabbed)

 ### Protocol Support
- **OpenAI-compatible** — `/v1/chat/completions`, `/v1/models`, `/v1/embeddings`, `/v1/images/generations`, `/v1/audio/transcriptions`
+- **OpenAI-compatible** — `/v1/chat/completions`, `/v1/models`, `/v1/embeddings`, `/v1/images/generations`, `/v1/audio/transcriptions`, `/v1/audio/speech`
 - **Anthropic** — `/v1/messages`, `/v1/messages/count_tokens`
 - **OpenAI Responses** — `/v1/responses`
 - **Gemini** — `/v1beta/models`, `/v1beta/models/{...path}`
 - **Ollama** — `/v1/api/chat`, `/api/tags`
- **MCP** — 16-tool MCP server with scope-based auth
- **A2A** — Agent-to-Agent protocol (smart-routing, quota-management skills)
+- **MCP** — 16-tool MCP server with scope-based auth (3 transports: stdio, SSE, streamable HTTP)
+- **A2A** — Agent-to-Agent v0.3 protocol (JSON-RPC 2.0, smart-routing + quota-management skills)
 - **ACP** — Agent detection, custom agent registry

+### MCP Server (16 Tools)
+| Category  | Tools |
+|-----------|-------|
+| Essential | `get_health`, `list_combos`, `get_combo_metrics`, `switch_combo`, `check_quota`, `route_request`, `cost_report`, `list_models_catalog` |
+| Advanced  | `simulate_route`, `set_budget_guard`, `set_resilience_profile`, `test_combo`, `get_provider_metrics`, `best_combo_for_task`, `explain_route`, `get_session_snapshot` |
+
 ### Internationalization
- 30 languages for UI (sidebar, settings, agents, and all dashboard pages)
- 30 READMEs (root README.md + 29 translated README.*.md)
- 29 translated doc sets in docs/i18n/
+- 30 languages for UI (all dashboard pages)
+- 30 translated READMEs in docs/i18n/
+- Language switcher in documentation

 ## Key Architectural Decisions

-1. **OpenAI-compatible API surface:** All incoming requests follow the OpenAI API format (`/v1/chat/completions`, `/v1/models`, etc.). This makes OmniRoute a drop-in replacement for any tool that supports custom OpenAI endpoints.
+1. **OpenAI-compatible API surface:** All incoming requests follow the OpenAI API format. This makes OmniRoute a drop-in replacement for any tool that supports custom OpenAI endpoints.

-2. **Provider abstraction via format translators:** Each AI provider (Claude, Gemini, etc.) has a translator in `open-sse/translators/` that converts between the OpenAI format and the provider's native format. This happens transparently.
+2. **Provider abstraction via format translators:** Each AI provider has a translator in `open-sse/translator/` that converts between OpenAI format and the provider's native format transparently.

-3. **Connection-based provider model:** Providers are stored as "connections" in SQLite. Each connection has an `id`, `provider`, `authType` (oauth/apikey/free), `isActive` flag, and credentials. Multiple connections per provider are supported for multi-account rotation.
+3. **Connection-based provider model:** Providers are stored as "connections" in SQLite. Each connection has an `id`, `provider`, `authType` (oauth/apikey/free), `isActive` flag, and credentials. Multiple connections per provider for multi-account rotation.

-4. **Combo system for fallback:** Users create "combos" — ordered lists of `provider/model` pairs. The proxy tries each in order until one succeeds. Supports 6 strategies.
+4. **Combo system for fallback:** Users create "combos" — ordered lists of `provider/model` pairs. The proxy tries each in order until one succeeds. Supports 9 strategies including auto-combo with self-healing.

-5. **SSE proxy pipeline (`src/sse/`):** The proxy pipeline is middleware-based: request → auth resolution → rate limiting → circuit breaker → format translation → upstream call → response translation → SSE streaming back to client.
+5. **SSE proxy pipeline:** The proxy pipeline is middleware-based: request → auth resolution → rate limiting → circuit breaker → format translation → upstream call → response translation → SSE streaming back to client.

-6. **SQLite for persistence:** All state (providers, combos, logs, settings) is stored in a single SQLite database file at `data/omniroute.db`. This keeps the app self-contained and zero-config.
+6. **SQLite for persistence:** All state (providers, combos, logs, settings, API keys) stored in a single SQLite database. All DB operations go through `src/lib/db/` modules, never raw SQL in routes.

-7. **OAuth with PKCE:** OAuth flows use PKCE for security. A local callback server handles the redirect. Token refresh is handled by a background job (`tokenHealthCheck.ts`).
+7. **OAuth with PKCE:** OAuth flows use PKCE for security. Token refresh handled by background job (`tokenHealthCheck.ts`).

-8. **ACP Agent Registry:** 14 built-in CLI agents with dynamic detection and a 60-second cache. Custom agents can be added via dashboard or API, stored in settings DB.
+8. **ProviderIcon component:** Unified icon system using `@lobehub/icons` (130+ SVG) with PNG fallback and generic icon fallback chain. Used on providers, dashboard, and agents pages.
+
+9. **DB architecture:** `localDb.ts` is a re-export layer only — real logic lives in `src/lib/db/` modules (core, providers, models, combos, apiKeys, settings, backup).
+
+10. **Upstream headers:** Custom headers merged in executors after default auth; same header name replaces executor value. Forbidden header names in `src/shared/constants/upstreamHeaders.ts`.

 ## Main Flows

 ### Proxy Request Flow
 1. Client sends OpenAI-format request to `/v1/chat/completions`
-2. API key validation (`src/shared/utils/apiAuth.ts`)
+2. API key validation
 3. Model resolution: direct model or combo lookup
-4. For combos: iterate through models in fallback order
+4. For combos: iterate through models with selected strategy
 5. Auth resolution: get credentials for the target provider
 6. Format translation: OpenAI → provider native format
 7. CLI fingerprint matching (if enabled for provider)
 8. Upstream request with circuit breaker and rate limiting
 9. Response translation: provider → OpenAI format
-10. SSE streaming back to client
+10. omniModel tag sanitization (strip internal tags)
+11. SSE streaming back to client

 ### OAuth Flow
 1. Dashboard initiates `/api/oauth/[provider]/authorize`
@@ -192,31 +204,27 @@ OmniRoute solves the problem of managing multiple AI provider subscriptions, quo
 4. Tokens stored as a provider connection in SQLite
 5. Background job refreshes tokens before expiry

-### Model Listing
- `/api/models` — Dashboard endpoint, lists all defined models with aliases
- `/v1/models` — OpenAI-compatible endpoint, lists only models from active providers
-
 ## Important Notes for LLMs

-1. **Two model endpoints exist:** `/api/models` (dashboard, all models) and `/v1/models` (OpenAI-compatible, active only). Don't confuse them.
+1. **Two model endpoints exist:** `/api/models` (dashboard, all models) and `/v1/models` (OpenAI-compatible, active only).

 2. **Provider IDs vs aliases:** Providers have both an ID (`claude`, `github`) and a short alias (`cc`, `gh`). Models are referenced as `alias/model-name` (e.g., `cc/claude-opus-4-6`).

-3. **The `open-sse/` directory is a separate npm workspace** with its own config, handlers, and translators. It handles the actual SSE streaming and format translation.
+3. **The `open-sse/` directory is a separate npm workspace** with its own config, handlers, and translators.

 4. **Environment variables:** All configuration is in `.env` (from `.env.example`). Key vars: `PORT`, `NEXT_PUBLIC_BASE_URL`, `API_KEY`, `ADMIN_PASSWORD`.

-5. **Database migrations:** SQLite schema is managed inline in `src/lib/db/core.ts` and `src/lib/db/providers.ts`. No migration framework — schema changes are applied on startup.
+5. **Database layer:** Operations go through `src/lib/db/` modules. `localDb.ts` is re-exports only — add new functions to the proper `db/*.ts` module.

-6. **Tests use Node.js built-in test runner:** Run `npm test` or `node --test tests/unit/*.test.mjs`. Playwright is used for E2E tests.
+6. **Tests use Node.js built-in test runner:** 926 assertions across 32+ test files. Run `npm test`.

-7. **The proxy pipeline is in `src/sse/`**, not in `src/app/api/v1/`. The API routes in `src/app/api/v1/` delegate to the SSE server running on a separate Express instance.
+7. **MCP and A2A pages are embedded as tabs inside `/dashboard/endpoint`**, not standalone routes.

-8. **Sidebar sections:** Main nav, CLI (Tools + Agents), Debug (Translator + Playground + Media), System (Health + Logs + Settings), Help (Docs + Issues).
+8. **ACP agents** are in `src/lib/acp/registry.ts` (14 built-in) with a 60s detection cache. Custom agents stored via settings DB.

-9. **ACP agents** are in `src/lib/acp/registry.ts` (14 built-in) with a 60s detection cache. Custom agents stored via `src/shared/validation/settingsSchemas.ts`.
+9. **Auto-combo engine** in `open-sse/services/autoCombo/` — 6-factor scoring, 4 mode packs, bandit exploration, progressive cooldown.

-10. **CLI fingerprint configs** are in `open-sse/config/cliFingerprints.ts`. They match native CLI request patterns per provider.
+10. **Docker:** Dockerfile has two targets: `runner-base` and `runner-cli`. `docker-compose.yml` for dev (3 profiles), `docker-compose.prod.yml` for production (port 20130).

 ## Links

@@ -13,7 +13,11 @@ const nextConfig = {
  },
  output: "standalone",
  serverExternalPackages: [
+    "pino",
+    "pino-pretty",
+    "thread-stream",
    "better-sqlite3",
+    "keytar",
    "zod",
    "child_process",
    "fs",
@@ -37,8 +41,16 @@ const nextConfig = {
  images: {
    unoptimized: true,
  },
-  webpack: (config, { isServer }) => {
+  webpack: (config, { isServer, webpack }) => {
    if (isServer) {
+      // Webpack IgnorePlugin: skip thread-stream test files that contain
+      // intentionally broken syntax/imports (they cause Turbopack build errors)
+      config.plugins.push(
+        new webpack.IgnorePlugin({
+          resourceRegExp: /\/test\//,
+          contextRegExp: /thread-stream/,
+        })
+      );
      // ── Turbopack / Next.js 16 module-hash patch (#394, #396, #398) ────────
      //
      // Next.js 16 (with or without Turbopack) compiles the instrumentation hook
@@ -59,6 +71,7 @@ const nextConfig = {

      const KNOWN_EXTERNALS = new Set([
        "better-sqlite3",
+        "keytar",
        "zod",
        "pino",
        "pino-pretty",
@@ -1,12 +1,12 @@
 import { loadProviderCredentials } from "./credentialLoader.ts";

 // Timeout for non-streaming fetch requests (ms). Prevents stalled connections.
-export const FETCH_TIMEOUT_MS = parseInt(process.env.FETCH_TIMEOUT_MS || "120000", 10);
+export const FETCH_TIMEOUT_MS = parseInt(process.env.FETCH_TIMEOUT_MS || "600000", 10);

 // Idle timeout for SSE streams (ms). Closes stream if no data for this duration.
-// Default: 300s to support extended-thinking models (claude-opus-4-6, o3, etc.)
-// that may pause for >60s during deep reasoning phases. Override with STREAM_IDLE_TIMEOUT_MS env var.
-export const STREAM_IDLE_TIMEOUT_MS = parseInt(process.env.STREAM_IDLE_TIMEOUT_MS || "300000", 10);
+// Default: 120s balances deep-reasoning pauses with fast zombie stream detection (#473).
+// Extended-thinking models rarely pause >90s between chunks. Override with STREAM_IDLE_TIMEOUT_MS env var.
+export const STREAM_IDLE_TIMEOUT_MS = parseInt(process.env.STREAM_IDLE_TIMEOUT_MS || "600000", 10);

 // Provider configurations
 // OAuth credentials read from env vars with hardcoded fallbacks for backward compatibility.
@@ -16,6 +16,7 @@

 import { readFileSync, existsSync } from "fs";
 import { join } from "path";
+import { resolveDataDir } from "../../src/lib/dataPaths";

 // Fields that can be overridden per provider
 const CREDENTIAL_FIELDS = ["clientId", "clientSecret", "tokenUrl", "authUrl", "refreshUrl"];
@@ -25,13 +26,21 @@ const CONFIG_TTL_MS = 60_000;
 let lastLoadTime = 0;
 let cachedProviders = null;

+// Survives Next.js dev HMR: module-level cache resets but process is the same (V4 pattern).
+type CredGlobals = typeof globalThis & { __omnirouteCredNoFileLogged?: boolean };
+function credGlobals(): CredGlobals {
+  return globalThis as CredGlobals;
+}
+
 /**
- * Resolve the path to provider-credentials.json
- * Priority: DATA_DIR env → ./data (project root)
+ * Resolves the path to provider-credentials.json using the application's
+ * data directory. Delegates to resolveDataDir() which handles DATA_DIR env,
+ * platform-specific defaults, and fallback logic.
+ *
+ * previous: Priority: DATA_DIR env → ./data (project root)
 */
 function resolveCredentialsPath() {
-  const dataDir = process.env.DATA_DIR || join(process.cwd(), "data");
-  return join(dataDir, "provider-credentials.json");
+  return join(resolveDataDir(), "provider-credentials.json");
 }

 /**
@@ -51,8 +60,9 @@ export function loadProviderCredentials(providers) {
  const credPath = resolveCredentialsPath();

  if (!existsSync(credPath)) {
-    if (!cachedProviders) {
+    if (!credGlobals().__omnirouteCredNoFileLogged) {
      console.log("[CREDENTIALS] No external credentials file found, using defaults.");
+      credGlobals().__omnirouteCredNoFileLogged = true;
    }
    cachedProviders = providers;
    lastLoadTime = Date.now();
@@ -93,7 +103,11 @@ export function loadProviderCredentials(providers) {
      `[CREDENTIALS] ${isReload ? "Reloaded" : "Loaded"} external credentials: ${overrideCount} field(s) from ${credPath}`
    );
  } catch (err) {
-    console.log(`[CREDENTIALS] Error reading credentials file: ${err.message}. Using defaults.`);
+    const reason =
+      err instanceof SyntaxError
+        ? "Invalid JSON format"
+        : (err as NodeJS.ErrnoException).code || "read error";
+    console.log(`[CREDENTIALS] Error reading credentials file (${reason}). Using defaults.`);
  }

  cachedProviders = providers;
@@ -17,6 +17,7 @@ export interface EmbeddingProvider {
 }

 export interface EmbeddingProviderNodeRow {
+  id?: string;
  prefix: string;
  name: string;
  baseUrl: string;
@@ -6,6 +6,8 @@
 * is auto-generated from this registry.
 */

+import { platform, arch } from "os";
+
 // ── Types ─────────────────────────────────────────────────────────────────

 export interface RegistryModel {
@@ -14,6 +16,8 @@ export interface RegistryModel {
  toolCalling?: boolean;
  targetFormat?: string;
  unsupportedParams?: readonly string[];
+  /** Maximum context window in tokens */
+  contextLength?: number;
 }

 // Reasoning models reject temperature, top_p, penalties, logprobs, n.
@@ -47,6 +51,8 @@ export interface RegistryEntry {
  executor: string;
  baseUrl?: string;
  baseUrls?: string[];
+  /** Override base URL used only for API key validation (e.g., opencode-go validates on zen/v1) */
+  testKeyBaseUrl?: string;
  responsesBaseUrl?: string;
  urlSuffix?: string;
  urlBuilder?: (base: string, model: string, stream: boolean) => string;
@@ -61,6 +67,8 @@ export interface RegistryEntry {
  chatPath?: string;
  clientVersion?: string;
  passthroughModels?: boolean;
+  /** Default context window for all models in this provider (can be overridden per-model) */
+  defaultContextLength?: number;
 }

 interface LegacyProvider {
@@ -94,6 +102,32 @@ const KIMI_CODING_SHARED = {
  ] as RegistryModel[],
 } as const;

+function mapStainlessOs() {
+  switch (platform()) {
+    case "darwin":
+      return "MacOS";
+    case "win32":
+      return "Windows";
+    case "linux":
+      return "Linux";
+    default:
+      return `Other::${platform()}`;
+  }
+}
+
+function mapStainlessArch() {
+  switch (arch()) {
+    case "x64":
+      return "x64";
+    case "arm64":
+      return "arm64";
+    case "ia32":
+      return "x86";
+    default:
+      return `other::${arch()}`;
+  }
+}
+
 // ── Registry ──────────────────────────────────────────────────────────────

 export const REGISTRY: Record<string, RegistryEntry> = {
@@ -107,22 +141,23 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    urlSuffix: "?beta=true",
    authType: "oauth",
    authHeader: "x-api-key",
+    defaultContextLength: 200000,
    headers: {
      "Anthropic-Version": "2023-06-01",
      "Anthropic-Beta":
-        "claude-code-20250219,oauth-2025-04-20,interleaved-thinking-2025-05-14,fine-grained-tool-streaming-2025-05-14,context-management-2025-06-27",
+        "claude-code-20250219,oauth-2025-04-20,interleaved-thinking-2025-05-14,fine-grained-tool-streaming-2025-05-14,context-management-2025-06-27,prompt-caching-scope-2026-01-05",
      "Anthropic-Dangerous-Direct-Browser-Access": "true",
-      "User-Agent": "claude-cli/1.0.83 (external, cli)",
+      "User-Agent": "claude-cli/2.1.63 (external, cli)",
      "X-App": "cli",
      "X-Stainless-Helper-Method": "stream",
      "X-Stainless-Retry-Count": "0",
      "X-Stainless-Runtime-Version": "v24.3.0",
-      "X-Stainless-Package-Version": "0.55.1",
+      "X-Stainless-Package-Version": "0.74.0",
      "X-Stainless-Runtime": "node",
      "X-Stainless-Lang": "js",
-      "X-Stainless-Arch": "arm64",
-      "X-Stainless-Os": "MacOS",
-      "X-Stainless-Timeout": "60",
+      "X-Stainless-Arch": mapStainlessArch(),
+      "X-Stainless-Os": mapStainlessOs(),
+      "X-Stainless-Timeout": "600",
    },
    oauth: {
      clientIdEnv: "CLAUDE_OAUTH_CLIENT_ID",
@@ -150,6 +185,7 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    },
    authType: "apikey",
    authHeader: "x-goog-api-key",
+    defaultContextLength: 1000000,
    oauth: {
      clientIdEnv: "GEMINI_OAUTH_CLIENT_ID",
      clientIdDefault: "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com",
@@ -157,9 +193,13 @@ export const REGISTRY: Record<string, RegistryEntry> = {
      clientSecretDefault: "",
    },
    models: [
+      { id: "gemini-3.1-pro-high", name: "Gemini 3.1 Pro High" },
+      { id: "gemini-3.1-pro-low", name: "Gemini 3.1 Pro Low" },
      { id: "gemini-3.1-pro", name: "Gemini 3.1 Pro" },
      { id: "gemini-3-1-pro", name: "Gemini 3.1 Pro (Alt ID)" },
      { id: "gemini-3.1-pro-preview", name: "Gemini 3.1 Pro Preview" },
+      { id: "gemini-3.1-flash-lite-preview", name: "Gemini 3.1 Flash Lite Preview" },
+      { id: "gemini-3-flash-preview", name: "Gemini 3 Flash Preview" },
      { id: "gemini-2.5-pro", name: "Gemini 2.5 Pro" },
      { id: "gemini-2.5-flash", name: "Gemini 2.5 Flash" },
      { id: "gemini-2.5-flash-lite", name: "Gemini 2.5 Flash Lite" },
@@ -182,6 +222,7 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    },
    authType: "oauth",
    authHeader: "bearer",
+    defaultContextLength: 1000000,
    oauth: {
      clientIdEnv: "GEMINI_CLI_OAUTH_CLIENT_ID",
      clientIdDefault: "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com",
@@ -189,9 +230,13 @@ export const REGISTRY: Record<string, RegistryEntry> = {
      clientSecretDefault: "",
    },
    models: [
+      { id: "gemini-3.1-pro-high", name: "Gemini 3.1 Pro High" },
+      { id: "gemini-3.1-pro-low", name: "Gemini 3.1 Pro Low" },
      { id: "gemini-3.1-pro", name: "Gemini 3.1 Pro" },
      { id: "gemini-3-1-pro", name: "Gemini 3.1 Pro (Alt ID)" },
      { id: "gemini-3.1-pro-preview", name: "Gemini 3.1 Pro Preview" },
+      { id: "gemini-3.1-flash-lite-preview", name: "Gemini 3.1 Flash Lite Preview" },
+      { id: "gemini-3-flash-preview", name: "Gemini 3 Flash Preview" },
      { id: "gemini-2.5-pro", name: "Gemini 2.5 Pro" },
      { id: "gemini-2.5-flash", name: "Gemini 2.5 Flash" },
      { id: "gemini-2.5-flash-lite", name: "Gemini 2.5 Flash Lite" },
@@ -209,6 +254,7 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    baseUrl: "https://chatgpt.com/backend-api/codex/responses",
    authType: "oauth",
    authHeader: "bearer",
+    defaultContextLength: 400000,
    headers: {
      Version: "0.92.0",
      "Openai-Beta": "responses=experimental",
@@ -320,7 +366,11 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    alias: "ag",
    format: "antigravity",
    executor: "antigravity",
-    baseUrls: ["https://daily-cloudcode-pa.googleapis.com", "https://cloudcode-pa.googleapis.com"],
+    baseUrls: [
+      "https://daily-cloudcode-pa.googleapis.com",
+      "https://daily-cloudcode-pa.sandbox.googleapis.com",
+      "https://cloudcode-pa.googleapis.com",
+    ],
    urlBuilder: (base, model, stream) => {
      const path = stream
        ? "/v1internal:streamGenerateContent?alt=sse"
@@ -330,22 +380,27 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    authType: "oauth",
    authHeader: "bearer",
    headers: {
-      "User-Agent": "antigravity/1.104.0 darwin/arm64",
+      "User-Agent": `antigravity/1.107.0 ${platform()}/${arch()}`,
    },
    oauth: {
      clientIdEnv: "ANTIGRAVITY_OAUTH_CLIENT_ID",
      clientIdDefault: "1071006060591-tmhssin2h21lcre235vtolojh4g403ep.apps.googleusercontent.com",
      clientSecretEnv: "ANTIGRAVITY_OAUTH_CLIENT_SECRET",
-      clientSecretDefault: "",
+      clientSecretDefault: "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",
    },
    models: [
      { id: "claude-opus-4-6-thinking", name: "Claude Opus 4.6 Thinking" },
      { id: "claude-sonnet-4-6", name: "Claude Sonnet 4.6" },
+      { id: "claude-sonnet-4-5", name: "Claude Sonnet 4.5" },
+      { id: "claude-sonnet-4", name: "Claude Sonnet 4" },
      { id: "gemini-2.5-pro", name: "Gemini 2.5 Pro" },
      { id: "gemini-2.5-flash", name: "Gemini 2.5 Flash" },
      { id: "gemini-2.0-flash", name: "Gemini 2.0 Flash" },
      { id: "gpt-oss-120b-medium", name: "GPT OSS 120B Medium" },
+      { id: "gpt-5", name: "GPT 5" },
+      { id: "gpt-5-mini", name: "GPT 5 Mini" },
    ],
+    passthroughModels: true,
  },

  github: {
@@ -357,11 +412,12 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    responsesBaseUrl: "https://api.githubcopilot.com/responses",
    authType: "oauth",
    authHeader: "bearer",
+    defaultContextLength: 128000,
    headers: {
      "copilot-integration-id": "vscode-chat",
-      "editor-version": "vscode/1.107.1",
-      "editor-plugin-version": "copilot-chat/0.26.7",
-      "user-agent": "GitHubCopilotChat/0.26.7",
+      "editor-version": "vscode/1.110.0",
+      "editor-plugin-version": "copilot-chat/0.38.0",
+      "user-agent": "GitHubCopilotChat/0.38.0",
      "openai-intent": "conversation-panel",
      "x-github-api-version": "2025-04-01",
      "x-vscode-user-agent-library-version": "electron-fetch",
@@ -405,6 +461,7 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    baseUrl: "https://codewhisperer.us-east-1.amazonaws.com/generateAssistantResponse",
    authType: "oauth",
    authHeader: "bearer",
+    defaultContextLength: 200000,
    headers: {
      "Content-Type": "application/json",
      Accept: "application/vnd.amazon.eventstream",
@@ -431,6 +488,7 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    chatPath: "/aiserver.v1.ChatService/StreamUnifiedChatWithTools",
    authType: "oauth",
    authHeader: "bearer",
+    defaultContextLength: 200000,
    headers: {
      "connect-accept-encoding": "gzip",
      "connect-protocol-version": "1",
@@ -459,6 +517,7 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    baseUrl: "https://api.openai.com/v1/chat/completions",
    authType: "apikey",
    authHeader: "bearer",
+    defaultContextLength: 128000,
    models: [
      { id: "gpt-4o", name: "GPT-4o" },
      { id: "gpt-4o-mini", name: "GPT-4o Mini" },
@@ -480,6 +539,7 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    urlSuffix: "?beta=true",
    authType: "apikey",
    authHeader: "x-api-key",
+    defaultContextLength: 200000,
    headers: {
      "Anthropic-Version": "2023-06-01",
    },
@@ -495,6 +555,44 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    ],
  },

+  "opencode-go": {
+    id: "opencode-go",
+    alias: "opencode-go",
+    format: "openai",
+    executor: "opencode",
+    baseUrl: "https://opencode.ai/zen/go/v1",
+    // (#532) Key validation must hit the main zen endpoint (same key works for both tiers)
+    testKeyBaseUrl: "https://opencode.ai/zen/v1",
+    authType: "apikey",
+    authHeader: "Authorization",
+    authPrefix: "Bearer",
+    defaultContextLength: 200000,
+    models: [
+      { id: "glm-5", name: "GLM-5" },
+      { id: "kimi-k2.5", name: "Kimi K2.5" },
+      { id: "minimax-m2.7", name: "MiniMax M2.7", targetFormat: "claude" },
+      { id: "minimax-m2.5", name: "MiniMax M2.5", targetFormat: "claude" },
+    ],
+  },
+
+  "opencode-zen": {
+    id: "opencode-zen",
+    alias: "opencode-zen",
+    format: "openai",
+    executor: "opencode",
+    baseUrl: "https://opencode.ai/zen/v1",
+    modelsUrl: "https://opencode.ai/zen/v1/models",
+    authType: "apikey",
+    authHeader: "Authorization",
+    authPrefix: "Bearer",
+    defaultContextLength: 200000,
+    models: [
+      { id: "minimax-m2.5-free", name: "MiniMax M2.5 Free" },
+      { id: "big-pickle", name: "Big Pickle" },
+      { id: "gpt-5-nano", name: "GPT 5 Nano" },
+    ],
+  },
+
  openrouter: {
    id: "openrouter",
    alias: "openrouter",
@@ -503,6 +601,7 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    baseUrl: "https://openrouter.ai/api/v1/chat/completions",
    authType: "apikey",
    authHeader: "bearer",
+    defaultContextLength: 128000,
    headers: {
      "HTTP-Referer": "https://endpoint-proxy.local",
      "X-Title": "Endpoint Proxy",
@@ -516,6 +615,7 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    format: "claude",
    executor: "default",
    baseUrl: "https://api.z.ai/api/anthropic/v1/messages",
+    defaultContextLength: 200000,
    urlSuffix: "?beta=true",
    authType: "apikey",
    authHeader: "x-api-key",
@@ -709,6 +809,10 @@ export const REGISTRY: Record<string, RegistryEntry> = {
      "Anthropic-Beta": "claude-code-20250219,interleaved-thinking-2025-05-14",
    },
    models: [
+      // T12/T28: MiniMax default upgraded from M2.5 to M2.7
+      { id: "minimax-m2.7", name: "MiniMax M2.7" },
+      { id: "MiniMax-M2.7", name: "MiniMax M2.7 (Legacy Alias)" },
+      { id: "minimax-m2.7-highspeed", name: "MiniMax M2.7 Highspeed" },
      { id: "minimax-m2.5", name: "MiniMax M2.5" },
      { id: "MiniMax-M2.5", name: "MiniMax M2.5 (Legacy Alias)" },
      { id: "MiniMax-M2.1", name: "MiniMax M2.1" },
@@ -730,6 +834,9 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    },
    models: [
      // Keep parity with minimax to ensure model discovery works for minimax-cn connections.
+      { id: "minimax-m2.7", name: "MiniMax M2.7" },
+      { id: "MiniMax-M2.7", name: "MiniMax M2.7 (Legacy Alias)" },
+      { id: "minimax-m2.7-highspeed", name: "MiniMax M2.7 Highspeed" },
      { id: "minimax-m2.5", name: "MiniMax M2.5" },
      { id: "MiniMax-M2.5", name: "MiniMax M2.5 (Legacy Alias)" },
      { id: "MiniMax-M2.1", name: "MiniMax M2.1" },
@@ -883,6 +990,12 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    authType: "apikey",
    authHeader: "bearer",
    models: [
+      { id: "meta-llama/Llama-3.3-70B-Instruct-Turbo-Free", name: "Llama 3.3 70B Turbo (🆓 Free)" },
+      { id: "meta-llama/Llama-Vision-Free", name: "Llama Vision (🆓 Free)" },
+      {
+        id: "deepseek-ai/DeepSeek-R1-Distill-Llama-70B-Free",
+        name: "DeepSeek R1 Distill 70B (🆓 Free)",
+      },
      { id: "meta-llama/Llama-3.3-70B-Instruct-Turbo", name: "Llama 3.3 70B Turbo" },
      { id: "deepseek-ai/DeepSeek-R1", name: "DeepSeek R1" },
      { id: "Qwen/Qwen3-235B-A22B", name: "Qwen3 235B" },
@@ -1103,7 +1216,7 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    alias: "vertex",
    // Vertex AI uses Google's generateContent format (same as Gemini)
    format: "gemini",
-    executor: "default",
+    executor: "vertex",
    // URL uses {project_id} and {region} from providerSpecificData — handled by custom executor or fallback
    // Default to us-central1 / generic endpoint; users configure project via providerSpecificData
    baseUrl: "https://us-central1-aiplatform.googleapis.com/v1/projects",
@@ -1117,14 +1230,210 @@ export const REGISTRY: Record<string, RegistryEntry> = {
    authType: "apikey",
    authHeader: "bearer",
    models: [
+      { id: "gemini-3.1-pro-preview", name: "Gemini 3.1 Pro Preview (Vertex)" },
+      { id: "gemini-3.1-flash-lite-preview", name: "Gemini 3.1 Flash Lite Preview (Vertex)" },
+      { id: "gemini-3-flash-preview", name: "Gemini 3 Flash Preview (Vertex)" },
      { id: "gemini-2.5-pro", name: "Gemini 2.5 Pro (Vertex)" },
      { id: "gemini-2.5-flash", name: "Gemini 2.5 Flash (Vertex)" },
      { id: "gemini-2.0-flash-thinking-exp", name: "Gemini 2.0 Flash Thinking Exp (Vertex)" },
      { id: "gemma-2-27b-it", name: "Gemma 2 27B (Vertex)" },
+      { id: "deepseek-v3.2", name: "DeepSeek V3.2 (Vertex Partner)" },
+      { id: "qwen3-next-80b", name: "Qwen3 Next 80B (Vertex Partner)" },
+      { id: "glm-5", name: "GLM-5 (Vertex Partner)" },
      { id: "claude-opus-4-5@20251101", name: "Claude Opus 4.5 (Vertex)" },
      { id: "claude-sonnet-4-5@20251101", name: "Claude Sonnet 4.5 (Vertex)" },
    ],
  },
+
+  alibaba: {
+    id: "alibaba",
+    alias: "ali",
+    format: "openai",
+    executor: "default",
+    // DashScope international OpenAI-compatible endpoint.
+    // China users should set providerSpecificData.baseUrl to:
+    //   https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions
+    baseUrl: "https://dashscope-intl.aliyuncs.com/compatible-mode/v1/chat/completions",
+    modelsUrl: "https://dashscope-intl.aliyuncs.com/compatible-mode/v1/models",
+    authType: "apikey",
+    authHeader: "bearer",
+    models: [
+      { id: "qwen-max", name: "Qwen Max" },
+      { id: "qwen-max-2025-01-25", name: "Qwen Max (2025-01-25)" },
+      { id: "qwen-plus", name: "Qwen Plus" },
+      { id: "qwen-plus-2025-07-14", name: "Qwen Plus (2025-07-14)" },
+      { id: "qwen-turbo", name: "Qwen Turbo" },
+      { id: "qwen-turbo-2025-11-01", name: "Qwen Turbo (2025-11-01)" },
+      { id: "qwen3-coder-plus", name: "Qwen3 Coder Plus" },
+      { id: "qwen3-coder-flash", name: "Qwen3 Coder Flash" },
+      { id: "qwq-plus", name: "QwQ Plus (Reasoning)" },
+      { id: "qwq-32b", name: "QwQ 32B" },
+      { id: "qwen3-32b", name: "Qwen3 32B" },
+      { id: "qwen3-235b-a22b", name: "Qwen3 235B A22B" },
+    ],
+    passthroughModels: true,
+  },
+
+  // ── New Free Providers (2026) ─────────────────────────────────────────────
+
+  longcat: {
+    id: "longcat",
+    alias: "lc",
+    format: "openai",
+    executor: "default",
+    baseUrl: "https://api.longcat.chat/openai/v1/chat/completions",
+    authType: "apikey",
+    authHeader: "Authorization",
+    authPrefix: "Bearer",
+    // Free tier: 50M tokens/day (Flash-Lite) + 500K/day (Chat/Thinking) — 100% free while public beta
+    models: [
+      { id: "LongCat-Flash-Lite", name: "LongCat Flash-Lite (50M tok/day 🆓)" },
+      { id: "LongCat-Flash-Chat", name: "LongCat Flash-Chat (500K tok/day 🆓)" },
+      { id: "LongCat-Flash-Thinking", name: "LongCat Flash-Thinking (500K tok/day 🆓)" },
+      { id: "LongCat-Flash-Thinking-2601", name: "LongCat Flash-Thinking-2601 (🆓)" },
+      { id: "LongCat-Flash-Omni-2603", name: "LongCat Flash-Omni-2603 (🆓)" },
+    ],
+  },
+
+  pollinations: {
+    id: "pollinations",
+    alias: "pol",
+    format: "openai",
+    executor: "pollinations",
+    // No API key required for basic use. Proxy to GPT-5, Claude, Gemini, DeepSeek, Llama 4.
+    baseUrl: "https://text.pollinations.ai/openai/chat/completions",
+    authType: "apikey", // Optional — works without one too
+    authHeader: "bearer",
+    models: [
+      { id: "openai", name: "GPT-5 via Pollinations (🆓)" },
+      { id: "claude", name: "Claude via Pollinations (🆓)" },
+      { id: "gemini", name: "Gemini via Pollinations (🆓)" },
+      { id: "deepseek", name: "DeepSeek V3 via Pollinations (🆓)" },
+      { id: "llama", name: "Llama 4 via Pollinations (🆓)" },
+      { id: "mistral", name: "Mistral via Pollinations (🆓)" },
+    ],
+  },
+
+  puter: {
+    id: "puter",
+    alias: "pu",
+    format: "openai",
+    executor: "puter",
+    // OpenAI-compatible gateway with 500+ models (GPT, Claude, Gemini, Grok, DeepSeek, Qwen…)
+    // Auth: Bearer <puter_auth_token> from puter.com/dashboard → Copy Auth Token
+    // Model IDs use provider/model-name format for non-OpenAI models.
+    // Only chat completions (incl. streaming) are available via REST.
+    // Image gen, TTS, STT, video are puter.js SDK-only (browser).
+    baseUrl: "https://api.puter.com/puterai/openai/v1/chat/completions",
+    authType: "apikey",
+    authHeader: "bearer",
+    models: [
+      // OpenAI — use bare IDs
+      { id: "gpt-4o-mini", name: "GPT-4o Mini (🆓 Puter)" },
+      { id: "gpt-4o", name: "GPT-4o (Puter)" },
+      { id: "gpt-4.1", name: "GPT-4.1 (Puter)" },
+      { id: "gpt-4.1-mini", name: "GPT-4.1 Mini (Puter)" },
+      { id: "gpt-5-nano", name: "GPT-5 Nano (Puter)" },
+      { id: "gpt-5-mini", name: "GPT-5 Mini (Puter)" },
+      { id: "gpt-5", name: "GPT-5 (Puter)" },
+      { id: "o3-mini", name: "OpenAI o3-mini (Puter)" },
+      { id: "o3", name: "OpenAI o3 (Puter)" },
+      { id: "o4-mini", name: "OpenAI o4-mini (Puter)" },
+      // Anthropic Claude — use bare IDs (confirmed working)
+      { id: "claude-haiku-4-5", name: "Claude Haiku 4.5 (Puter)" },
+      { id: "claude-sonnet-4-5", name: "Claude Sonnet 4.5 (Puter)" },
+      { id: "claude-opus-4-5", name: "Claude Opus 4.5 (Puter)" },
+      { id: "claude-sonnet-4", name: "Claude Sonnet 4 (Puter)" },
+      { id: "claude-opus-4", name: "Claude Opus 4 (Puter)" },
+      // Google Gemini — use google/ prefix (confirmed working)
+      { id: "google/gemini-2.0-flash", name: "Gemini 2.0 Flash (Puter)" },
+      { id: "google/gemini-2.5-flash", name: "Gemini 2.5 Flash (Puter)" },
+      { id: "google/gemini-2.5-pro", name: "Gemini 2.5 Pro (Puter)" },
+      { id: "google/gemini-3-flash", name: "Gemini 3 Flash (Puter)" },
+      { id: "google/gemini-3-pro", name: "Gemini 3 Pro (Puter)" },
+      // DeepSeek — use deepseek/ prefix (confirmed working)
+      { id: "deepseek/deepseek-chat", name: "DeepSeek Chat (Puter)" },
+      { id: "deepseek/deepseek-r1", name: "DeepSeek R1 (Puter)" },
+      { id: "deepseek/deepseek-v3.2", name: "DeepSeek V3.2 (Puter)" },
+      // xAI Grok — use x-ai/ prefix
+      { id: "x-ai/grok-3", name: "Grok 3 (Puter)" },
+      { id: "x-ai/grok-3-mini", name: "Grok 3 Mini (Puter)" },
+      { id: "x-ai/grok-4", name: "Grok 4 (Puter)" },
+      { id: "x-ai/grok-4-fast", name: "Grok 4 Fast (Puter)" },
+      // Meta Llama — bare IDs (confirmed ✅)
+      { id: "llama-4-scout", name: "Llama 4 Scout (Puter)" },
+      { id: "llama-4-maverick", name: "Llama 4 Maverick (Puter)" },
+      { id: "llama-3.3-70b-instruct", name: "Llama 3.3 70B (Puter)" },
+      // Mistral — bare IDs (confirmed ✅)
+      { id: "mistral-small-latest", name: "Mistral Small (Puter)" },
+      { id: "mistral-medium-latest", name: "Mistral Medium (Puter)" },
+      { id: "open-mistral-nemo", name: "Mistral Nemo (Puter)" },
+      // Qwen — use qwen/ prefix (confirmed ✅)
+      { id: "qwen/qwen3-235b-a22b", name: "Qwen3 235B (Puter)" },
+      { id: "qwen/qwen3-32b", name: "Qwen3 32B (Puter)" },
+      { id: "qwen/qwen3-coder", name: "Qwen3 Coder 480B (Puter)" },
+    ],
+    passthroughModels: true, // 500+ models available — users can type arbitrary Puter model IDs
+  },
+
+  "cloudflare-ai": {
+    id: "cloudflare-ai",
+    alias: "cf",
+    format: "openai",
+    executor: "cloudflare-ai",
+    // URL is dynamic: uses accountId from credentials. The executor builds it.
+    baseUrl: "https://api.cloudflare.com/client/v4/accounts",
+    authType: "apikey",
+    authHeader: "bearer",
+    // 10K Neurons/day free: ~150 LLM responses or 500s Whisper audio — global edge
+    models: [
+      { id: "@cf/meta/llama-3.3-70b-instruct", name: "Llama 3.3 70B (🆓 ~150 resp/day)" },
+      { id: "@cf/meta/llama-3.1-8b-instruct", name: "Llama 3.1 8B (🆓)" },
+      { id: "@cf/google/gemma-3-12b-it", name: "Gemma 3 12B (🆓)" },
+      { id: "@cf/mistral/mistral-7b-instruct-v0.2-lora", name: "Mistral 7B (🆓)" },
+      { id: "@cf/qwen/qwen2.5-coder-15b-instruct", name: "Qwen 2.5 Coder 15B (🆓)" },
+      { id: "@cf/deepseek-ai/deepseek-r1-distill-qwen-32b", name: "DeepSeek R1 Distill 32B (🆓)" },
+    ],
+  },
+
+  scaleway: {
+    id: "scaleway",
+    alias: "scw",
+    format: "openai",
+    executor: "default",
+    baseUrl: "https://api.scaleway.ai/v1/chat/completions",
+    authType: "apikey",
+    authHeader: "bearer",
+    // 1M tokens free for new accounts — EU/GDPR (Paris), no credit card needed under limit
+    models: [
+      { id: "qwen3-235b-a22b-instruct-2507", name: "Qwen3 235B A22B (1M free tok 🆓)" },
+      { id: "llama-3.1-70b-instruct", name: "Llama 3.1 70B (🆓 EU)" },
+      { id: "llama-3.1-8b-instruct", name: "Llama 3.1 8B (🆓 EU)" },
+      { id: "mistral-small-3.2-24b-instruct-2506", name: "Mistral Small 3.2 (🆓 EU)" },
+      { id: "deepseek-v3-0324", name: "DeepSeek V3 (🆓 EU)" },
+      { id: "gpt-oss-120b", name: "GPT-OSS 120B (🆓 EU)" },
+    ],
+  },
+
+  aimlapi: {
+    id: "aimlapi",
+    alias: "aiml",
+    format: "openai",
+    executor: "default",
+    baseUrl: "https://api.aimlapi.com/v1/chat/completions",
+    authType: "apikey",
+    authHeader: "bearer",
+    // $0.025/day free credits — 200+ models via single aggregator endpoint
+    models: [
+      { id: "gpt-4o", name: "GPT-4o (via AI/ML API)" },
+      { id: "claude-3-5-sonnet-20241022", name: "Claude 3.5 Sonnet (via AI/ML API)" },
+      { id: "gemini-1.5-pro", name: "Gemini 1.5 Pro (via AI/ML API)" },
+      { id: "meta-llama/Meta-Llama-3.1-70B-Instruct-Turbo", name: "Llama 3.1 70B (via AI/ML API)" },
+      { id: "deepseek-chat", name: "DeepSeek Chat (via AI/ML API)" },
+      { id: "mistral-large-latest", name: "Mistral Large (via AI/ML API)" },
+    ],
+    passthroughModels: true,
+  },
 };

 // ── Generator Functions ───────────────────────────────────────────────────
@@ -1,5 +1,5 @@
 import crypto from "crypto";
-import { BaseExecutor } from "./base.ts";
+import { BaseExecutor, mergeUpstreamExtraHeaders } from "./base.ts";
 import { PROVIDERS, OAUTH_ENDPOINTS, HTTP_STATUS } from "../config/constants.ts";

 const MAX_RETRY_AFTER_MS = 10000;
@@ -44,12 +44,28 @@ export class AntigravityExecutor extends BaseExecutor {
    // stale/wrong client-side values causing 404/403 from Cloud Code endpoints.
    // Opt-in escape hatch: set OMNIROUTE_ALLOW_BODY_PROJECT_OVERRIDE=1.
    const projectId =
-      allowBodyProjectOverride && bodyProjectId ? bodyProjectId : credentialsProjectId || bodyProjectId;
+      allowBodyProjectOverride && bodyProjectId
+        ? bodyProjectId
+        : credentialsProjectId || bodyProjectId;

    if (!projectId) {
-      throw new Error(
-        "Missing Google projectId for Antigravity account. Please reconnect OAuth so OmniRoute can fetch your real Cloud Code project (loadCodeAssist)."
-      );
+      // (#489) Return a structured error instead of throwing — gives the client a clear signal
+      // to show a "Reconnect OAuth" prompt rather than an opaque "Internal Server Error".
+      const errorMsg =
+        "Missing Google projectId for Antigravity account. Please reconnect OAuth in Providers → Antigravity so OmniRoute can fetch your Cloud Code project.";
+      const errorBody = {
+        error: {
+          message: errorMsg,
+          type: "oauth_missing_project_id",
+          code: "missing_project_id",
+        },
+      };
+      const resp = new Response(JSON.stringify(errorBody), {
+        status: 422,
+        headers: { "Content-Type": "application/json" },
+      });
+      // Returning a Response object signals the executor to stop and forward it
+      return resp as unknown as never;
    }

    // Fix contents for Claude models via Antigravity
@@ -182,7 +198,7 @@ export class AntigravityExecutor extends BaseExecutor {
    return totalMs > 0 ? totalMs : null;
  }

-  async execute({ model, body, stream, credentials, signal, log }) {
+  async execute({ model, body, stream, credentials, signal, log, upstreamExtraHeaders }) {
    const fallbackCount = this.getFallbackCount();
    let lastError = null;
    let lastStatus = 0;
@@ -192,6 +208,7 @@ export class AntigravityExecutor extends BaseExecutor {
    for (let urlIndex = 0; urlIndex < fallbackCount; urlIndex++) {
      const url = this.buildUrl(model, stream, urlIndex);
      const headers = this.buildHeaders(credentials, stream);
+      mergeUpstreamExtraHeaders(headers, upstreamExtraHeaders);
      const transformedBody = this.transformRequest(model, body, stream, credentials);

      // Initialize retry counter for this URL
@@ -2,6 +2,20 @@ import { HTTP_STATUS, FETCH_TIMEOUT_MS } from "../config/constants.ts";
 import { applyFingerprint, isCliCompatEnabled } from "../config/cliFingerprints.ts";
 import { getRotatingApiKey } from "../services/apiKeyRotator.ts";

+/**
+ * Sanitizes a custom API path to prevent path traversal attacks.
+ * Valid paths must start with '/', contain no '..' segments,
+ * no null bytes, and be reasonable in length.
+ */
+function sanitizePath(path: string): boolean {
+  if (typeof path !== "string") return false;
+  if (!path.startsWith("/")) return false;
+  if (path.includes("\0")) return false; // null byte
+  if (path.includes("..")) return false; // path traversal
+  if (path.length > 512) return false; // sanity limit
+  return true;
+}
+
 type JsonRecord = Record<string, unknown>;

 export type ProviderConfig = {
@@ -44,8 +58,23 @@ export type ExecuteInput = {
  signal?: AbortSignal | null;
  log?: ExecutorLog | null;
  extendedContext?: boolean;
+  /** Merged after auth + CLI fingerprint headers (values override same-named defaults). */
+  upstreamExtraHeaders?: Record<string, string> | null;
 };

+/** Apply model-level extra upstream headers (e.g. Authentication, X-Custom-Auth). */
+export function mergeUpstreamExtraHeaders(
+  headers: Record<string, string>,
+  extra?: Record<string, string> | null
+): void {
+  if (!extra) return;
+  for (const [k, v] of Object.entries(extra)) {
+    if (typeof k === "string" && k.length > 0 && typeof v === "string") {
+      headers[k] = v;
+    }
+  }
+}
+
 function mergeAbortSignals(primary: AbortSignal, secondary: AbortSignal): AbortSignal {
  const controller = new AbortController();

@@ -103,7 +132,9 @@ export class BaseExecutor {
      const psd = credentials?.providerSpecificData;
      const baseUrl = typeof psd?.baseUrl === "string" ? psd.baseUrl : "https://api.openai.com/v1";
      const normalized = baseUrl.replace(/\/$/, "");
-      const customPath = typeof psd?.chatPath === "string" && psd.chatPath ? psd.chatPath : null;
+      // Sanitize custom path: must start with '/', no path traversal, no null bytes
+      const rawPath = typeof psd?.chatPath === "string" && psd.chatPath ? psd.chatPath : null;
+      const customPath = rawPath && sanitizePath(rawPath) ? rawPath : null;
      if (customPath) return `${normalized}${customPath}`;
      const path = this.provider.includes("responses") ? "/responses" : "/chat/completions";
      return `${normalized}${path}`;
@@ -188,7 +219,16 @@ export class BaseExecutor {
    return { status: response.status, message: bodyText || `HTTP ${response.status}` };
  }

-  async execute({ model, body, stream, credentials, signal, log, extendedContext }: ExecuteInput) {
+  async execute({
+    model,
+    body,
+    stream,
+    credentials,
+    signal,
+    log,
+    extendedContext,
+    upstreamExtraHeaders,
+  }: ExecuteInput) {
    const fallbackCount = this.getFallbackCount();
    let lastError: unknown = null;
    let lastStatus = 0;
@@ -242,6 +282,8 @@ export class BaseExecutor {
          bodyString = fingerprinted.bodyString;
        }

+        mergeUpstreamExtraHeaders(finalHeaders, upstreamExtraHeaders);
+
        const fetchOptions: RequestInit = {
          method: "POST",
          headers: finalHeaders,
@@ -273,7 +315,7 @@ export class BaseExecutor {
          continue;
        }

-        return { response, url, headers, transformedBody };
+        return { response, url, headers: finalHeaders, transformedBody };
      } catch (error) {
        // Distinguish timeout errors from other abort errors
        const err = error instanceof Error ? error : new Error(String(error));
@@ -0,0 +1,59 @@
+import { BaseExecutor } from "./base.ts";
+import { PROVIDERS } from "../config/constants.ts";
+
+/**
+ * CloudflareAIExecutor — handles dynamic URL construction with accountId.
+ * Cloudflare Workers AI uses the authenticated user's account ID in the URL.
+ *
+ * URL pattern: https://api.cloudflare.com/client/v4/accounts/{accountId}/ai/v1/chat/completions
+ * Auth: Bearer <API Token>
+ * Docs: https://developers.cloudflare.com/workers-ai/
+ *
+ * Free tier: 10,000 Neurons/day = ~150 LLM responses or 500s Whisper audio
+ * API Token: dash.cloudflare.com/profile/api-tokens
+ * Account ID: right sidebar of dash.cloudflare.com
+ */
+export class CloudflareAIExecutor extends BaseExecutor {
+  constructor() {
+    super("cloudflare-ai", PROVIDERS["cloudflare-ai"] || { format: "openai" });
+  }
+
+  buildUrl(_model: string, _stream: boolean, _urlIndex = 0, credentials: any = null): string {
+    // Account ID can be stored in providerSpecificData or at top level credentials
+    const accountId =
+      credentials?.providerSpecificData?.accountId ||
+      credentials?.accountId ||
+      process.env.CLOUDFLARE_ACCOUNT_ID;
+
+    if (!accountId) {
+      throw new Error(
+        "Cloudflare Workers AI requires an Account ID. " +
+          "Add it in provider settings under 'Account ID'. " +
+          "Find it at: https://dash.cloudflare.com (right sidebar)."
+      );
+    }
+
+    return `https://api.cloudflare.com/client/v4/accounts/${accountId}/ai/v1/chat/completions`;
+  }
+
+  buildHeaders(credentials: any, stream = true): Record<string, string> {
+    const headers: Record<string, string> = {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${credentials.apiKey || credentials.accessToken}`,
+    };
+
+    if (stream) {
+      headers["Accept"] = "text/event-stream";
+    }
+
+    return headers;
+  }
+
+  transformRequest(_model: string, body: any, _stream: boolean, _credentials: any): any {
+    // Cloudflare uses full model paths like @cf/meta/llama-3.3-70b-instruct
+    // No transformation needed — user sends the full Cloudflare model path.
+    return body;
+  }
+}
+
+export default CloudflareAIExecutor;
@@ -3,6 +3,112 @@ import { CODEX_DEFAULT_INSTRUCTIONS } from "../config/codexInstructions.ts";
 import { PROVIDERS } from "../config/constants.ts";
 import { refreshCodexToken } from "../services/tokenRefresh.ts";

+// ─── T09: Codex vs Spark Scope-Aware Rate Limiting ────────────────────────
+// Codex has two independent quota pools: "codex" (standard) and "spark" (premium).
+// Exhausting one should NOT block requests to the other.
+// Ref: sub2api PR #1129 (feat(openai): split codex spark rate limiting from codex)
+
+/**
+ * Maps model name substrings to their rate-limit scope.
+ * Checked in order — first match wins.
+ */
+const CODEX_SCOPE_PATTERNS: Array<{ pattern: string; scope: "codex" | "spark" }> = [
+  { pattern: "codex-spark", scope: "spark" },
+  { pattern: "spark", scope: "spark" },
+  { pattern: "codex", scope: "codex" },
+  { pattern: "gpt-5", scope: "codex" }, // gpt-5.2-codex, gpt-5.3-codex, etc.
+];
+
+/**
+ * T09: Determine the rate-limit scope for a Codex model.
+ * Use this key as the suffix for per-scope rate limit state:
+ *   `${accountId}:${getModelScope(model)}`
+ *
+ * @param model - The Codex model ID (e.g. "gpt-5.3-codex", "codex-spark-mini")
+ * @returns "codex" | "spark"
+ */
+export function getCodexModelScope(model: string): "codex" | "spark" {
+  const lower = model.toLowerCase();
+  for (const { pattern, scope } of CODEX_SCOPE_PATTERNS) {
+    if (lower.includes(pattern)) return scope;
+  }
+  return "codex"; // default scope
+}
+
+/**
+ * T09: Get the scope-keyed rate limit identifier for an account+model combination.
+ * Use this as the key for rateLimitState maps to ensure scope isolation.
+ */
+export function getCodexRateLimitKey(accountId: string, model: string): string {
+  return `${accountId}:${getCodexModelScope(model)}`;
+}
+
+/**
+ * T03: Parsed quota snapshot from Codex response headers.
+ * Codex includes per-account usage windows that allow precise reset scheduling.
+ * Ref: sub2api PR #357 (feat(oauth): persist usage snapshots and window cooldown)
+ */
+export interface CodexQuotaSnapshot {
+  usage5h: number; // tokens used in 5h window
+  limit5h: number; // token limit for 5h window
+  resetAt5h: string | null; // ISO timestamp when 5h window resets
+  usage7d: number; // tokens used in 7d window
+  limit7d: number; // token limit for 7d window
+  resetAt7d: string | null; // ISO timestamp when 7d window resets
+}
+
+/**
+ * T03: Parse Codex-specific quota headers from a provider response.
+ * Returns null if none of the relevant headers are present.
+ *
+ * Extracts:
+ *   x-codex-5h-usage / x-codex-5h-limit / x-codex-5h-reset-at
+ *   x-codex-7d-usage / x-codex-7d-limit / x-codex-7d-reset-at
+ */
+export function parseCodexQuotaHeaders(headers: Headers): CodexQuotaSnapshot | null {
+  const usage5h = headers.get("x-codex-5h-usage");
+  const limit5h = headers.get("x-codex-5h-limit");
+  const resetAt5h = headers.get("x-codex-5h-reset-at");
+  const usage7d = headers.get("x-codex-7d-usage");
+  const limit7d = headers.get("x-codex-7d-limit");
+  const resetAt7d = headers.get("x-codex-7d-reset-at");
+
+  // Return null if none of the quota headers are present (not a quota-aware response)
+  if (!usage5h && !limit5h && !resetAt5h && !usage7d && !limit7d && !resetAt7d) {
+    return null;
+  }
+
+  return {
+    usage5h: usage5h ? parseFloat(usage5h) : 0,
+    limit5h: limit5h ? parseFloat(limit5h) : Infinity,
+    resetAt5h: resetAt5h ?? null,
+    usage7d: usage7d ? parseFloat(usage7d) : 0,
+    limit7d: limit7d ? parseFloat(limit7d) : Infinity,
+    resetAt7d: resetAt7d ?? null,
+  };
+}
+
+/**
+ * T03: Get the soonest quota reset time from a CodexQuotaSnapshot.
+ * 7d window takes priority (wider window, harder limit) but we use whichever
+ * is further in the future to avoid releasing the block too early.
+ *
+ * @returns Unix timestamp (ms) of the soonest effective reset, or null
+ */
+export function getCodexResetTime(quota: CodexQuotaSnapshot): number | null {
+  const times: number[] = [];
+  if (quota.resetAt7d) {
+    const t = new Date(quota.resetAt7d).getTime();
+    if (!isNaN(t) && t > Date.now()) times.push(t);
+  }
+  if (quota.resetAt5h) {
+    const t = new Date(quota.resetAt5h).getTime();
+    if (!isNaN(t) && t > Date.now()) times.push(t);
+  }
+  if (times.length === 0) return null;
+  return Math.max(...times); // Use furthest-out reset to avoid premature unblock
+}
+
 // Ordered list of effort levels from lowest to highest
 const EFFORT_ORDER = ["none", "low", "medium", "high", "xhigh"] as const;
 type EffortLevel = (typeof EFFORT_ORDER)[number];
@@ -20,7 +20,7 @@ declare const EdgeRuntime: string | undefined;
 * @see cursorProtobuf.js for Protobuf encoding/decoding utilities
 */

-import { BaseExecutor } from "./base.ts";
+import { BaseExecutor, mergeUpstreamExtraHeaders } from "./base.ts";
 import { PROVIDERS, HTTP_STATUS } from "../config/constants.ts";
 import {
  generateCursorBody,
@@ -363,9 +363,10 @@ export class CursorExecutor extends BaseExecutor {
    });
  }

-  async execute({ model, body, stream, credentials, signal, log }) {
+  async execute({ model, body, stream, credentials, signal, log, upstreamExtraHeaders }) {
    const url = this.buildUrl();
    const headers = this.buildHeaders(credentials);
+    mergeUpstreamExtraHeaders(headers, upstreamExtraHeaders);
    const transformedBody = this.transformRequest(model, body, stream, credentials);

    try {
@@ -80,18 +80,14 @@ export class DefaultExecutor extends BaseExecutor {
  }

  /**
-   * For compatible providers, ensure the model name sent upstream
-   * is the clean model name without internal routing prefixes.
-   * e.g. "openapi-chat-anti/claude-opus-4-6-thinking" → "claude-opus-4-6-thinking"
+   * For compatible providers, the model name is already clean by the time
+   * it reaches the executor (chatCore sets body.model = modelInfo.model,
+   * which is the parsed model ID without internal routing prefixes).
+   *
+   * Models may legitimately contain "/" as part of their ID (e.g. "zai-org/GLM-5-FP8",
+   * "org/model-name") — we must NOT strip path segments. (Fix #493)
   */
  transformRequest(model, body, stream, credentials) {
-    if (
-      this.provider?.startsWith?.("openai-compatible-") ||
-      this.provider?.startsWith?.("anthropic-compatible-")
-    ) {
-      const cleanModel = model.includes("/") ? model.split("/").slice(1).join("/") : model;
-      return { ...body, model: cleanModel };
-    }
    return body;
  }

@@ -1,4 +1,4 @@
-import { BaseExecutor } from "./base.ts";
+import { BaseExecutor, ExecuteInput } from "./base.ts";
 import { PROVIDERS, OAUTH_ENDPOINTS } from "../config/constants.ts";
 import { getModelTargetFormat } from "../config/providerModels.ts";

@@ -19,15 +19,82 @@ export class GithubExecutor extends BaseExecutor {
    return this.config.baseUrl;
  }

+  injectResponseFormat(messages: any[], responseFormat: any) {
+    if (!responseFormat) return messages;
+
+    let formatInstruction = "";
+    if (responseFormat.type === "json_object") {
+      formatInstruction =
+        "Respond only with valid JSON. Do not include any text before or after the JSON object.";
+    } else if (responseFormat.type === "json_schema" && responseFormat.json_schema) {
+      formatInstruction = `Respond only with valid JSON matching this schema:\n${JSON.stringify(
+        responseFormat.json_schema.schema,
+        null,
+        2
+      )}\nDo not include any text before or after the JSON.`;
+    }
+
+    if (!formatInstruction) return messages;
+
+    const systemIdx = messages.findIndex((m: any) => m.role === "system");
+    if (systemIdx >= 0) {
+      return messages.map((m: any, i: number) =>
+        i === systemIdx ? { ...m, content: `${m.content}\n\n${formatInstruction}` } : m
+      );
+    }
+
+    return [{ role: "system", content: formatInstruction }, ...messages];
+  }
+
+  transformRequest(model: string, body: any, stream: boolean, credentials: any): any {
+    const modifiedBody = JSON.parse(JSON.stringify(body));
+    if (modifiedBody.response_format && model.toLowerCase().includes("claude")) {
+      modifiedBody.messages = this.injectResponseFormat(
+        modifiedBody.messages,
+        modifiedBody.response_format
+      );
+      delete modifiedBody.response_format;
+    }
+    return modifiedBody;
+  }
+
+  async execute(input: ExecuteInput) {
+    const result = await super.execute(input);
+    if (!result || !result.response?.body) return result;
+
+    const isStreaming = input.stream === true;
+    if (isStreaming) {
+      const decoder = new TextDecoder();
+      const transformStream = new TransformStream({
+        transform(chunk, controller) {
+          const text = decoder.decode(chunk, { stream: true });
+          if (text.includes("data: [DONE]")) {
+            return;
+          }
+          controller.enqueue(chunk);
+        },
+      });
+
+      const newResponse = new Response(result.response.body.pipeThrough(transformStream), {
+        status: result.response.status,
+        statusText: result.response.statusText,
+        headers: result.response.headers, // Headers class carries over correctly
+      });
+      result.response = newResponse;
+    }
+
+    return result;
+  }
+
  buildHeaders(credentials, stream = true) {
    const token = credentials.copilotToken || credentials.accessToken;
    return {
      Authorization: `Bearer ${token}`,
      "Content-Type": "application/json",
      "copilot-integration-id": "vscode-chat",
-      "editor-version": "vscode/1.107.1",
-      "editor-plugin-version": "copilot-chat/0.26.7",
-      "user-agent": "GitHubCopilotChat/0.26.7",
+      "editor-version": "vscode/1.110.0",
+      "editor-plugin-version": "copilot-chat/0.38.0",
+      "user-agent": "GitHubCopilotChat/0.38.0",
      "openai-intent": "conversation-panel",
      "x-github-api-version": "2025-04-01",
      "x-request-id":
@@ -44,7 +111,7 @@ export class GithubExecutor extends BaseExecutor {
        headers: {
          Authorization: `token ${githubAccessToken}`,
          "User-Agent": "GithubCopilot/1.0",
-          "Editor-Version": "vscode/1.100.0",
+          "Editor-Version": "vscode/1.110.0",
          "Editor-Plugin-Version": "copilot/1.300.0",
          Accept: "application/json",
        },
@@ -6,6 +6,11 @@ import { KiroExecutor } from "./kiro.ts";
 import { CodexExecutor } from "./codex.ts";
 import { CursorExecutor } from "./cursor.ts";
 import { DefaultExecutor } from "./default.ts";
+import { PollinationsExecutor } from "./pollinations.ts";
+import { CloudflareAIExecutor } from "./cloudflare-ai.ts";
+import { OpencodeExecutor } from "./opencode.ts";
+import { PuterExecutor } from "./puter.ts";
+import { VertexExecutor } from "./vertex.ts";

 const executors = {
  antigravity: new AntigravityExecutor(),
@@ -16,6 +21,15 @@ const executors = {
  codex: new CodexExecutor(),
  cursor: new CursorExecutor(),
  cu: new CursorExecutor(), // Alias for cursor
+  pollinations: new PollinationsExecutor(),
+  pol: new PollinationsExecutor(), // Alias
+  "cloudflare-ai": new CloudflareAIExecutor(),
+  cf: new CloudflareAIExecutor(), // Alias
+  "opencode-zen": new OpencodeExecutor("opencode-zen"),
+  "opencode-go": new OpencodeExecutor("opencode-go"),
+  puter: new PuterExecutor(),
+  pu: new PuterExecutor(), // Alias
+  vertex: new VertexExecutor(),
 };

 const defaultCache = new Map();
@@ -39,3 +53,8 @@ export { KiroExecutor } from "./kiro.ts";
 export { CodexExecutor } from "./codex.ts";
 export { CursorExecutor } from "./cursor.ts";
 export { DefaultExecutor } from "./default.ts";
+export { PollinationsExecutor } from "./pollinations.ts";
+export { CloudflareAIExecutor } from "./cloudflare-ai.ts";
+export { OpencodeExecutor } from "./opencode.ts";
+export { PuterExecutor } from "./puter.ts";
+export { VertexExecutor } from "./vertex.ts";
@@ -1,5 +1,6 @@
 import {
  BaseExecutor,
+  mergeUpstreamExtraHeaders,
  type ExecuteInput,
  type ExecutorLog,
  type ProviderCredentials,
@@ -89,9 +90,18 @@ export class KiroExecutor extends BaseExecutor {
  /**
   * Custom execute for Kiro - handles AWS EventStream binary response
   */
-  async execute({ model, body, stream, credentials, signal, log }: ExecuteInput) {
+  async execute({
+    model,
+    body,
+    stream,
+    credentials,
+    signal,
+    log,
+    upstreamExtraHeaders,
+  }: ExecuteInput) {
    const url = this.buildUrl(model, stream, 0);
    const headers = this.buildHeaders(credentials, stream);
+    mergeUpstreamExtraHeaders(headers, upstreamExtraHeaders);
    const transformedBody = this.transformRequest(model, body, stream, credentials);

    const response = await fetch(url, {
@@ -0,0 +1,61 @@
+import { BaseExecutor, type ExecuteInput, type ProviderCredentials } from "./base.ts";
+import { PROVIDERS } from "../config/constants.ts";
+import { getModelTargetFormat } from "../config/providerModels.ts";
+
+export class OpencodeExecutor extends BaseExecutor {
+  _requestFormat: string | null = null;
+
+  constructor(provider: string) {
+    super(provider, PROVIDERS[provider] || PROVIDERS.openai);
+  }
+
+  async execute(input: ExecuteInput) {
+    this._requestFormat = getModelTargetFormat(this.provider, input.model) || "openai";
+    try {
+      return await super.execute(input);
+    } finally {
+      this._requestFormat = null;
+    }
+  }
+
+  buildUrl(
+    model: string,
+    stream: boolean,
+    urlIndex = 0,
+    credentials: ProviderCredentials | null = null
+  ) {
+    void urlIndex;
+    void credentials;
+
+    const base = this.config.baseUrl;
+    switch (this._requestFormat) {
+      case "claude":
+        return `${base}/messages`;
+      case "openai-responses":
+        return `${base}/responses`;
+      case "gemini":
+        return `${base}/models/${model}:${stream ? "streamGenerateContent?alt=sse" : "generateContent"}`;
+      default:
+        return `${base}/chat/completions`;
+    }
+  }
+
+  buildHeaders(credentials: ProviderCredentials | null, stream = true) {
+    const headers: Record<string, string> = { "Content-Type": "application/json" };
+    const key = credentials?.apiKey || credentials?.accessToken;
+
+    if (key) {
+      headers["Authorization"] = `Bearer ${key}`;
+    }
+
+    if (this._requestFormat === "claude") {
+      headers["anthropic-version"] = "2023-06-01";
+    }
+
+    if (stream) {
+      headers["Accept"] = "text/event-stream";
+    }
+
+    return headers;
+  }
+}
@@ -0,0 +1,46 @@
+import { BaseExecutor } from "./base.ts";
+import { PROVIDERS } from "../config/constants.ts";
+
+/**
+ * PollinationsExecutor — handles optional API key auth.
+ * Pollinations AI works WITHOUT any API key for basic use (1 req/15s).
+ * If an API key is provided, higher rate limits apply.
+ *
+ * Endpoint: https://text.pollinations.ai/openai/chat/completions
+ * Docs: https://pollinations.ai/docs
+ */
+export class PollinationsExecutor extends BaseExecutor {
+  constructor() {
+    super("pollinations", PROVIDERS["pollinations"] || { format: "openai" });
+  }
+
+  buildUrl(_model: string, _stream: boolean, _urlIndex = 0, _credentials = null): string {
+    return "https://text.pollinations.ai/openai/chat/completions";
+  }
+
+  buildHeaders(credentials: any, stream = true): Record<string, string> {
+    const headers: Record<string, string> = {
+      "Content-Type": "application/json",
+    };
+
+    // API key is OPTIONAL — skip Authorization header if no key provided
+    const key = credentials?.apiKey || credentials?.accessToken;
+    if (key) {
+      headers["Authorization"] = `Bearer ${key}`;
+    }
+
+    if (stream) {
+      headers["Accept"] = "text/event-stream";
+    }
+
+    return headers;
+  }
+
+  transformRequest(model: string, body: any, _stream: boolean, _credentials: any): any {
+    // Pollinations uses model names directly like "openai", "claude", "deepseek", etc.
+    // No transformation needed — the model name is already the Pollinations alias.
+    return body;
+  }
+}
+
+export default PollinationsExecutor;
@@ -0,0 +1,59 @@
+import { BaseExecutor } from "./base.ts";
+import { PROVIDERS } from "../config/constants.ts";
+
+/**
+ * PuterExecutor — OpenAI-compatible proxy for Puter AI.
+ *
+ * Puter exposes 500+ models (GPT, Claude, Gemini, Grok, DeepSeek, Qwen, Mistral...)
+ * through a single OpenAI-compatible REST endpoint.
+ *
+ * Endpoint: https://api.puter.com/puterai/openai/v1/chat/completions
+ * Auth:     Bearer <puter_auth_token>  (from puter.com/dashboard → Copy Auth Token)
+ * Docs:     https://docs.puter.com/AI/
+ *
+ * Model ID examples:
+ *   OpenAI:   "gpt-4o-mini", "gpt-4o", "gpt-4.1"
+ *   Claude:   "claude-sonnet-4-5", "claude-opus-4", "claude-haiku-4-5"
+ *   Gemini:   "google/gemini-2.0-flash", "google/gemini-2.5-pro"
+ *   DeepSeek: "deepseek/deepseek-chat", "deepseek/deepseek-r1"
+ *   Grok:     "x-ai/grok-3", "x-ai/grok-4"
+ *   Mistral:  "mistralai/mistral-small-3.2"
+ *   Meta:     "meta-llama/llama-3.3-70b-instruct"
+ *
+ * Note: Image generation, TTS, STT, and video are puter.js SDK-only features.
+ * Only text chat completions (with streaming SSE) are available via REST.
+ */
+export class PuterExecutor extends BaseExecutor {
+  constructor() {
+    super("puter", PROVIDERS["puter"] || { format: "openai" });
+  }
+
+  buildUrl(_model: string, _stream: boolean, _urlIndex = 0, _credentials = null): string {
+    return "https://api.puter.com/puterai/openai/v1/chat/completions";
+  }
+
+  buildHeaders(credentials: any, stream = true): Record<string, string> {
+    const headers: Record<string, string> = {
+      "Content-Type": "application/json",
+    };
+
+    const key = credentials?.apiKey || credentials?.accessToken;
+    if (key) {
+      headers["Authorization"] = `Bearer ${key}`;
+    }
+
+    if (stream) {
+      headers["Accept"] = "text/event-stream";
+    }
+
+    return headers;
+  }
+
+  transformRequest(model: string, body: any, _stream: boolean, _credentials: any): any {
+    // Puter accepts model IDs directly from its catalog.
+    // No transformation required — model string is passed as-is.
+    return body;
+  }
+}
+
+export default PuterExecutor;
@@ -0,0 +1,150 @@
+import { SignJWT, importPKCS8 } from "jose";
+import { BaseExecutor, ExecuteInput } from "./base.ts";
+import { PROVIDERS } from "../config/constants.ts";
+
+interface ServiceAccount {
+  type: string;
+  project_id: string;
+  private_key_id: string;
+  private_key: string;
+  client_email: string;
+  [key: string]: unknown;
+}
+
+const TOKEN_CACHE = new Map<string, { token: string; expiresAt: number }>();
+
+function parseSAFromApiKey(apiKey: string): ServiceAccount {
+  try {
+    return JSON.parse(apiKey);
+  } catch {
+    throw new Error("Vertex AI requires a valid Service Account JSON as the API key");
+  }
+}
+
+async function getAccessToken(sa: ServiceAccount): Promise<string> {
+  if (!sa.client_email || !sa.private_key) {
+    throw new Error(
+      "Service Account JSON is missing required fields (client_email or private_key)"
+    );
+  }
+
+  const cacheKey = sa.client_email;
+  const cached = TOKEN_CACHE.get(cacheKey);
+
+  // Buffer of 60 seconds
+  if (cached && Date.now() < cached.expiresAt - 60_000) {
+    return cached.token;
+  }
+
+  const privateKey = await importPKCS8(sa.private_key, "RS256");
+  const now = Math.floor(Date.now() / 1000);
+
+  const jwt = await new SignJWT({
+    iss: sa.client_email,
+    sub: sa.client_email,
+    aud: "https://oauth2.googleapis.com/token",
+    iat: now,
+    exp: now + 3600,
+    scope: "https://www.googleapis.com/auth/cloud-platform",
+  })
+    .setProtectedHeader({ alg: "RS256", kid: sa.private_key_id })
+    .sign(privateKey);
+
+  const tokenRes = await fetch("https://oauth2.googleapis.com/token", {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+      assertion: jwt,
+    }),
+  });
+
+  if (!tokenRes.ok) {
+    const errorText = await tokenRes.text();
+    throw new Error(
+      `Failed to exchange JWT for Vertex access token: ${tokenRes.status} ${errorText}`
+    );
+  }
+
+  const tokenData = await tokenRes.json();
+  const accessToken = tokenData.access_token;
+
+  if (!accessToken) {
+    throw new Error("Vertex AI token exchange succeeded but no access_token found");
+  }
+
+  TOKEN_CACHE.set(cacheKey, {
+    token: accessToken,
+    expiresAt: (now + 3600) * 1000,
+  });
+
+  return accessToken;
+}
+
+const PARTNER_MODELS = new Set([
+  "claude-3-5-sonnet",
+  "claude-3-opus",
+  "claude-3-haiku",
+  "deepseek-v3",
+  "deepseek-v3.2",
+  "deepseek-deepseek-r1",
+  "qwen3-next-80b",
+  "llama-3.1",
+  "mistral-",
+  "glm-5",
+  "meta/llama",
+]);
+
+function isPartnerModel(model: string) {
+  return [...PARTNER_MODELS].some((prefix) => model.startsWith(prefix));
+}
+
+export class VertexExecutor extends BaseExecutor {
+  constructor() {
+    super("vertex", PROVIDERS.vertex);
+  }
+
+  async execute(input: ExecuteInput) {
+    const { credentials, log } = input;
+    if (credentials.apiKey && !credentials.accessToken) {
+      try {
+        const sa = parseSAFromApiKey(credentials.apiKey);
+        credentials.accessToken = await getAccessToken(sa);
+      } catch (err: any) {
+        log?.error?.("VERTEX", `Failed to generate JWT token: ${err.message}`);
+        throw err;
+      }
+    }
+    return super.execute(input);
+  }
+
+  buildUrl(model: string, stream: boolean, urlIndex = 0, credentials: any = null) {
+    const region = credentials?.providerSpecificData?.region || "us-central1";
+    let project = "unknown-project";
+
+    if (credentials?.apiKey) {
+      try {
+        const sa = parseSAFromApiKey(credentials.apiKey);
+        if (sa.project_id) project = sa.project_id;
+      } catch {
+        // Ignored, handled in execute
+      }
+    }
+
+    if (isPartnerModel(model)) {
+      return `https://aiplatform.googleapis.com/v1/projects/${project}/locations/global/endpoints/openapi/chat/completions`;
+    }
+    return `https://aiplatform.googleapis.com/v1/projects/${project}/locations/${region}/publishers/google/models/${model}:${stream ? "streamGenerateContent?alt=sse" : "generateContent"}`;
+  }
+
+  buildHeaders(credentials: any, stream = true) {
+    const headers: Record<string, string> = { "Content-Type": "application/json" };
+    if (credentials.accessToken) {
+      headers["Authorization"] = `Bearer ${credentials.accessToken}`;
+    }
+    if (stream) {
+      headers["Accept"] = "text/event-stream";
+    }
+    return headers;
+  }
+}
@@ -28,13 +28,17 @@ function upstreamErrorResponse(res, errText) {
  let errorMessage: string;
  try {
    const parsed = JSON.parse(errText);
-    errorMessage =
+    // Extract a human-readable message from various error response shapes.
+    // Guard against `parsed.error` being an object (e.g. ElevenLabs returns
+    // { error: { message: "...", status_code: 401 } } or { detail: { ... } })
+    const raw =
      parsed?.err_msg ||
      parsed?.error?.message ||
-      parsed?.error ||
+      (typeof parsed?.error === "string" ? parsed.error : null) ||
      parsed?.message ||
-      parsed?.detail ||
-      errText;
+      (typeof parsed?.detail === "string" ? parsed.detail : parsed?.detail?.message) ||
+      null;
+    errorMessage = raw ? String(raw) : errText || `Upstream error (${res.status})`;
  } catch {
    errorMessage = errText || `Upstream error (${res.status})`;
  }
@@ -34,13 +34,15 @@ function upstreamErrorResponse(res, errText) {
  let errorMessage: string;
  try {
    const parsed = JSON.parse(errText);
-    errorMessage =
+    // Guard against `parsed.error` or `parsed.detail` being objects
+    const raw =
      parsed?.err_msg ||
      parsed?.error?.message ||
-      parsed?.error ||
+      (typeof parsed?.error === "string" ? parsed.error : null) ||
      parsed?.message ||
-      parsed?.detail ||
-      errText;
+      (typeof parsed?.detail === "string" ? parsed.detail : parsed?.detail?.message) ||
+      null;
+    errorMessage = raw ? String(raw) : errText || `Upstream error (${res.status})`;
  } catch {
    errorMessage = errText || `Upstream error (${res.status})`;
  }
@@ -65,13 +67,67 @@ function getUploadedFileName(file: Blob & { name?: unknown }): string {
  return typeof file.name === "string" && file.name.length > 0 ? file.name : "audio.wav";
 }

+/**
+ * Infer a suitable Content-Type for Deepgram from the browser-provided MIME
+ * type and the original filename.  Deepgram accepts `audio/*` and many raw
+ * formats, but `video/*` causes it to silently fail with "no speech detected".
+ *
+ * Strategy:
+ * 1. If the browser says `audio/*`, keep it as-is.
+ * 2. If it's `video/*` (e.g. `.mp4`), remap to the audio equivalent so
+ *    Deepgram extracts the audio track.  `.mp4` → `audio/mp4`, etc.
+ * 3. Fall back to `application/octet-stream` which tells Deepgram to
+ *    auto-detect from the raw bytes (most reliable for unknown formats).
+ */
+function resolveAudioContentType(file: Blob & { name?: unknown }): string {
+  const browserType = (file.type || "").toLowerCase();
+  const fileName = typeof file.name === "string" ? file.name.toLowerCase() : "";
+
+  // 1) Browser already says it's audio — trust it
+  if (browserType.startsWith("audio/")) return browserType;
+
+  // 2) Derive from file extension (covers video/* and empty MIME)
+  const ext = fileName.includes(".") ? fileName.split(".").pop() : "";
+  const EXT_TO_MIME: Record<string, string> = {
+    mp3: "audio/mpeg",
+    mp4: "audio/mp4",
+    m4a: "audio/mp4",
+    wav: "audio/wav",
+    ogg: "audio/ogg",
+    flac: "audio/flac",
+    webm: "audio/webm",
+    aac: "audio/aac",
+    wma: "audio/x-ms-wma",
+    opus: "audio/opus",
+  };
+  if (ext && EXT_TO_MIME[ext]) return EXT_TO_MIME[ext];
+
+  // 3) Fallback — let Deepgram auto-detect from raw bytes
+  return "application/octet-stream";
+}
+
 /**
 * Handle Deepgram transcription (raw binary audio, model via query param)
 */
-async function handleDeepgramTranscription(providerConfig, file, modelId, token) {
+async function handleDeepgramTranscription(
+  providerConfig,
+  file,
+  modelId,
+  token,
+  formData?: FormData
+) {
  const url = new URL(providerConfig.baseUrl);
  url.searchParams.set("model", modelId);
  url.searchParams.set("smart_format", "true");
+  url.searchParams.set("punctuate", "true");
+
+  // Language: if caller specified one, use it; otherwise let Deepgram auto-detect
+  const langParam = formData?.get("language");
+  if (typeof langParam === "string" && langParam.trim()) {
+    url.searchParams.set("language", langParam.trim());
+  } else {
+    url.searchParams.set("detect_language", "true");
+  }

  const arrayBuffer = await file.arrayBuffer();

@@ -79,7 +135,7 @@ async function handleDeepgramTranscription(providerConfig, file, modelId, token)
    method: "POST",
    headers: {
      ...buildAuthHeaders(providerConfig, token),
-      "Content-Type": file.type || "audio/wav",
+      "Content-Type": resolveAudioContentType(file),
    },
    body: arrayBuffer,
  });
@@ -212,7 +268,7 @@ async function handleHuggingFaceTranscription(providerConfig, file, modelId, tok
    method: "POST",
    headers: {
      ...buildAuthHeaders(providerConfig, token),
-      "Content-Type": file.type || "audio/wav",
+      "Content-Type": resolveAudioContentType(file),
    },
    body: arrayBuffer,
  });
@@ -283,7 +339,7 @@ export async function handleAudioTranscription({

  // Route to provider-specific handler
  if (providerConfig.format === "deepgram") {
-    return handleDeepgramTranscription(providerConfig, file, modelId, token);
+    return handleDeepgramTranscription(providerConfig, file, modelId, token, formData);
  }

  if (providerConfig.format === "assemblyai") {
@@ -1,5 +1,5 @@
 import { getCorsOrigin } from "../utils/cors.ts";
-import { detectFormat, getTargetFormat } from "../services/provider.ts";
+import { detectFormatFromEndpoint, getTargetFormat } from "../services/provider.ts";
 import { translateRequest, needsTranslation } from "../translator/index.ts";
 import { FORMATS } from "../translator/formats.ts";
 import {
@@ -16,6 +16,9 @@ import { resolveModelAlias } from "../services/modelDeprecation.ts";
 import { getUnsupportedParams } from "../config/providerRegistry.ts";
 import { createErrorResult, parseUpstreamError, formatProviderError } from "../utils/error.ts";
 import { HTTP_STATUS } from "../config/constants.ts";
+import { classifyProviderError, PROVIDER_ERROR_TYPES } from "../services/errorClassifier.ts";
+import { updateProviderConnection } from "@/lib/db/providers";
+import { logAuditEvent } from "@/lib/compliance";
 import { handleBypassRequest } from "../utils/bypassHandler.ts";
 import {
  saveRequestUsage,
@@ -23,8 +26,17 @@ import {
  appendRequestLog,
  saveCallLog,
 } from "@/lib/usageDb";
-import { getModelNormalizeToolCallId } from "@/lib/db/models";
+import {
+  getModelNormalizeToolCallId,
+  getModelPreserveOpenAIDeveloperRole,
+  getModelUpstreamExtraHeaders,
+} from "@/lib/localDb";
 import { getExecutor } from "../executors/index.ts";
+import {
+  parseCodexQuotaHeaders,
+  getCodexResetTime,
+  getCodexModelScope,
+} from "../executors/codex.ts";
 import { translateNonStreamingResponse } from "./responseTranslator.ts";
 import { extractUsageFromResponse } from "./usageExtractor.ts";
 import { parseSSEToOpenAIResponse, parseSSEToResponsesOutput } from "./sseParser.ts";
@@ -44,11 +56,17 @@ import { getIdempotencyKey, checkIdempotency, saveIdempotency } from "@/lib/idem
 import { createProgressTransform, wantsProgress } from "../utils/progressTracker.ts";
 import { isModelUnavailableError, getNextFamilyFallback } from "../services/modelFamilyFallback.ts";
 import { computeRequestHash, deduplicate, shouldDeduplicate } from "../services/requestDedup.ts";
+import {
+  getBackgroundTaskReason,
+  getDegradedModel,
+  getBackgroundDegradationConfig,
+} from "../services/backgroundTaskDetector.ts";
 import {
  shouldUseFallback,
  isFallbackDecision,
  EMERGENCY_FALLBACK_CONFIG,
 } from "../services/emergencyFallback.ts";
+import { resolveStreamFlag, stripMarkdownCodeFence } from "../utils/aiSdkCompat.ts";

 export function shouldUseNativeCodexPassthrough({
  provider,
@@ -62,7 +80,8 @@ export function shouldUseNativeCodexPassthrough({
  if (provider !== "codex") return false;
  if (sourceFormat !== FORMATS.OPENAI_RESPONSES) return false;
  const normalizedEndpoint = String(endpointPath || "").replace(/\/+$/, "");
-  return /(?:^|\/)responses(?:\/.*)?$/i.test(normalizedEndpoint);
+  const segments = normalizedEndpoint.split("/");
+  return segments.includes("responses");
 }

 /**
@@ -93,7 +112,9 @@ export async function handleChatCore({
  userAgent,
  comboName,
 }) {
-  const { provider, model, extendedContext } = modelInfo;
+  let { provider, model, extendedContext } = modelInfo;
+  const requestedModel =
+    typeof body?.model === "string" && body.model.trim().length > 0 ? body.model : model;
  const startTime = Date.now();
  const persistFailureUsage = (statusCode: number, errorCode?: string | null) => {
    saveRequestUsage({
@@ -112,6 +133,67 @@ export async function handleChatCore({
    }).catch(() => {});
  };

+  const persistCodexQuotaState = async (
+    headers: Headers | Record<string, string> | null,
+    status = 0
+  ) => {
+    if (provider !== "codex" || !connectionId || !headers) return;
+
+    try {
+      const quota = parseCodexQuotaHeaders(headers as Headers);
+      if (!quota) return;
+
+      const existingProviderData =
+        credentials?.providerSpecificData && typeof credentials.providerSpecificData === "object"
+          ? credentials.providerSpecificData
+          : {};
+      const scope = getCodexModelScope(model || requestedModel || "");
+      const quotaState = {
+        usage5h: quota.usage5h,
+        limit5h: quota.limit5h,
+        resetAt5h: quota.resetAt5h,
+        usage7d: quota.usage7d,
+        limit7d: quota.limit7d,
+        resetAt7d: quota.resetAt7d,
+        scope,
+        updatedAt: new Date().toISOString(),
+      };
+
+      const nextProviderData: Record<string, unknown> = {
+        ...existingProviderData,
+        codexQuotaState: quotaState,
+      };
+
+      // T03/T09: on 429, persist exact reset time per scope to avoid global over-blocking.
+      if (status === 429) {
+        const resetTimeMs = getCodexResetTime(quota);
+        if (resetTimeMs && resetTimeMs > Date.now()) {
+          const scopeUntil = new Date(resetTimeMs).toISOString();
+          const scopeMapRaw =
+            existingProviderData &&
+            typeof existingProviderData === "object" &&
+            existingProviderData.codexScopeRateLimitedUntil &&
+            typeof existingProviderData.codexScopeRateLimitedUntil === "object"
+              ? existingProviderData.codexScopeRateLimitedUntil
+              : {};
+
+          nextProviderData.codexScopeRateLimitedUntil = {
+            ...(scopeMapRaw as Record<string, unknown>),
+            [scope]: scopeUntil,
+          };
+        }
+      }
+
+      await updateProviderConnection(connectionId, {
+        providerSpecificData: nextProviderData,
+      });
+
+      credentials.providerSpecificData = nextProviderData;
+    } catch (err) {
+      log?.debug?.("CODEX", `Failed to persist codex quota state: ${err?.message || err}`);
+    }
+  };
+
  // ── Phase 9.2: Idempotency check ──
  const idempotencyKey = getIdempotencyKey(clientRawRequest?.headers);
  const cachedIdemp = checkIdempotency(idempotencyKey);
@@ -139,9 +221,10 @@ export async function handleChatCore({
    credentials.connectionId = connectionId;
  }

-  const sourceFormat = detectFormat(body);
  const endpointPath = String(clientRawRequest?.endpoint || "");
-  const isResponsesEndpoint = /(?:^|\/)responses(?:\/.*)?$/i.test(endpointPath);
+  const sourceFormat = detectFormatFromEndpoint(body, endpointPath);
+  const isResponsesEndpoint =
+    /\/responses(?=\/|$)/i.test(endpointPath) || /^responses(?=\/|$)/i.test(endpointPath);
  const nativeCodexPassthrough = shouldUseNativeCodexPassthrough({
    provider,
    sourceFormat,
@@ -157,6 +240,37 @@ export async function handleChatCore({
  // Detect source format and get target format
  // Model-specific targetFormat takes priority over provider default

+  // ── Background Task Redirection (T41) ──
+  const bgConfig = getBackgroundDegradationConfig();
+  const backgroundReason = bgConfig.enabled
+    ? getBackgroundTaskReason(body, clientRawRequest?.headers)
+    : null;
+  if (backgroundReason) {
+    const degradedModel = getDegradedModel(model);
+    if (degradedModel !== model) {
+      const originalModel = model;
+      log?.info?.(
+        "BACKGROUND",
+        `Background task redirect (${backgroundReason}): ${originalModel} → ${degradedModel}`
+      );
+      model = degradedModel;
+      if (body && typeof body === "object") {
+        body.model = model;
+      }
+
+      logAuditEvent({
+        action: "routing.background_task_redirect",
+        actor: apiKeyInfo?.name || "system",
+        target: connectionId || provider || "chat",
+        details: {
+          original_model: originalModel,
+          redirected_to: degradedModel,
+          reason: backgroundReason,
+        },
+      });
+    }
+  }
+
  // Apply custom model aliases (Settings → Model Aliases → Pattern→Target) before routing (#315, #472)
  // Custom aliases take priority over built-in and must be resolved here so the
  // downstream getModelTargetFormat() lookup AND the actual provider request use
@@ -172,8 +286,30 @@ export async function handleChatCore({
  const modelTargetFormat = getModelTargetFormat(alias, resolvedModel);
  const targetFormat = modelTargetFormat || getTargetFormat(provider);

+  // Primary path: merge client model id + alias target so config on either key applies; resolved
+  // id wins on same header name. T5 family fallback uses only (nextModel, resolveModelAlias(next))
+  // so A-model headers are not sent to B — see buildUpstreamHeadersForExecute.
+  const buildUpstreamHeadersForExecute = (modelToCall: string): Record<string, string> => {
+    if (modelToCall === effectiveModel) {
+      return {
+        ...getModelUpstreamExtraHeaders(provider || "", model || "", sourceFormat),
+        ...getModelUpstreamExtraHeaders(provider || "", resolvedModel || "", sourceFormat),
+      };
+    }
+    const r = resolveModelAlias(modelToCall);
+    return {
+      ...getModelUpstreamExtraHeaders(provider || "", modelToCall || "", sourceFormat),
+      ...getModelUpstreamExtraHeaders(provider || "", r || "", sourceFormat),
+    };
+  };
+
  // Default to false unless client explicitly sets stream: true (OpenAI spec compliant)
-  const stream = body.stream === true;
+  const acceptHeader =
+    clientRawRequest?.headers && typeof clientRawRequest.headers.get === "function"
+      ? clientRawRequest.headers.get("accept") || clientRawRequest.headers.get("Accept")
+      : (clientRawRequest?.headers || {})["accept"] || (clientRawRequest?.headers || {})["Accept"];
+
+  const stream = resolveStreamFlag(body?.stream, acceptHeader);

  // ── Phase 9.1: Semantic cache check (non-streaming, temp=0 only) ──
  if (isCacheable(body, clientRawRequest?.headers)) {
@@ -219,11 +355,42 @@ export async function handleChatCore({
      translatedBody = { ...body, _nativeCodexPassthrough: true };
      log?.debug?.("FORMAT", "native codex passthrough enabled");
    } else if (isClaudePassthrough) {
-      // Claude-to-Claude passthrough: forward body completely untouched.
-      // No translation, no field stripping, no thinking normalization.
-      // We are just a gateway -- do not interfere with the request in the slightest.
-      translatedBody = { ...body };
-      log?.debug?.("FORMAT", "claude->claude passthrough -- forwarding untouched");
+      // Claude OAuth expects the same Claude Code prompt + structural normalization
+      // as the OpenAI-compatible chat path. Round-trip through OpenAI to reuse the
+      // working Claude translator instead of forwarding raw Messages payloads.
+      const normalizeToolCallId = getModelNormalizeToolCallId(
+        provider || "",
+        model || "",
+        sourceFormat
+      );
+      const preserveDeveloperRole = getModelPreserveOpenAIDeveloperRole(
+        provider || "",
+        model || "",
+        sourceFormat
+      );
+      translatedBody = translateRequest(
+        FORMATS.CLAUDE,
+        FORMATS.OPENAI,
+        model,
+        { ...body },
+        stream,
+        credentials,
+        provider,
+        reqLogger,
+        { normalizeToolCallId, preserveDeveloperRole }
+      );
+      translatedBody = translateRequest(
+        FORMATS.OPENAI,
+        FORMATS.CLAUDE,
+        model,
+        translatedBody,
+        stream,
+        credentials,
+        provider,
+        reqLogger,
+        { normalizeToolCallId, preserveDeveloperRole }
+      );
+      log?.debug?.("FORMAT", "claude->openai->claude normalized passthrough");
    } else {
      translatedBody = { ...body };

@@ -308,6 +475,27 @@ export async function handleChatCore({
                  }
                  return [];
                }
+                // (#527) tool_result → convert to text instead of dropping.
+                // When Claude Code + superpowers routes through Codex, it sends tool_result
+                // blocks in user messages. Silently dropping them causes Codex to loop
+                // because it never receives the tool response and keeps re-requesting it.
+                if (block.type === "tool_result") {
+                  const toolId = block.tool_use_id ?? block.id ?? "unknown";
+                  const resultContent = block.content ?? block.text ?? block.output ?? "";
+                  const resultText =
+                    typeof resultContent === "string"
+                      ? resultContent
+                      : Array.isArray(resultContent)
+                        ? resultContent
+                            .filter((c: Record<string, unknown>) => c.type === "text")
+                            .map((c: Record<string, unknown>) => c.text)
+                            .join("\n")
+                        : JSON.stringify(resultContent);
+                  if (resultText.length > 0) {
+                    return [{ type: "text", text: `[Tool Result: ${toolId}]\n${resultText}` }];
+                  }
+                  return [];
+                }
                // Unknown types: drop silently
                log?.debug?.("CONTENT", `Dropped unsupported content part type="${block.type}"`);
                return [];
@@ -317,7 +505,16 @@ export async function handleChatCore({
        }
      }

-      const normalizeToolCallId = getModelNormalizeToolCallId(provider || "", model || "");
+      const normalizeToolCallId = getModelNormalizeToolCallId(
+        provider || "",
+        model || "",
+        sourceFormat
+      );
+      const preserveDeveloperRole = getModelPreserveOpenAIDeveloperRole(
+        provider || "",
+        model || "",
+        sourceFormat
+      );
      translatedBody = translateRequest(
        sourceFormat,
        targetFormat,
@@ -327,7 +524,7 @@ export async function handleChatCore({
        credentials,
        provider,
        reqLogger,
-        { normalizeToolCallId }
+        { normalizeToolCallId, preserveDeveloperRole }
      );
    }
  } catch (error) {
@@ -419,6 +616,7 @@ export async function handleChatCore({
          signal: streamController.signal,
          log,
          extendedContext,
+          upstreamExtraHeaders: buildUpstreamHeadersForExecute(modelToCall),
        })
      );

@@ -427,7 +625,7 @@ export async function handleChatCore({
      // Non-stream responses need cloning for shared dedup consumers.
      const status = rawResult.response.status;
      const statusText = rawResult.response.statusText;
-      const headers = Array.from(rawResult.response.headers.entries());
+      const headers = Array.from(rawResult.response.headers.entries()) as [string, string][];
      const payload = await rawResult.response.text();

      return {
@@ -502,6 +700,7 @@ export async function handleChatCore({
      path: clientRawRequest?.endpoint || "/v1/chat/completions",
      status: error.name === "AbortError" ? 499 : HTTP_STATUS.BAD_GATEWAY,
      model,
+      requestedModel,
      provider,
      connectionId,
      duration: Date.now() - startTime,
@@ -549,16 +748,19 @@ export async function handleChatCore({
        await onCredentialsRefreshed(newCredentials);
      }

-      // Retry with new credentials
+      // Retry with new credentials — model + extra headers follow translatedBody.model so they
+      // stay aligned if this block ever runs after a path that mutates body.model (e.g. fallback).
      try {
+        const retryModelId = String(translatedBody.model || effectiveModel);
        const retryResult = await executor.execute({
-          model,
+          model: retryModelId,
          body: translatedBody,
          stream,
          credentials: getExecutionCredentials(),
          signal: streamController.signal,
          log,
          extendedContext,
+          upstreamExtraHeaders: buildUpstreamHeadersForExecute(retryModelId),
        });

        if (retryResult.response.ok) {
@@ -573,6 +775,8 @@ export async function handleChatCore({
    }
  }

+  await persistCodexQuotaState(providerResponse.headers, providerResponse.status);
+
  // Check provider response - return error info for fallback handling
  if (!providerResponse.ok) {
    trackPendingRequest(model, provider, connectionId, false);
@@ -580,6 +784,54 @@ export async function handleChatCore({
      providerResponse,
      provider
    );
+
+    // T06/T10/T36: classify provider errors and persist terminal account states.
+    const errorType = classifyProviderError(statusCode, message);
+    if (connectionId && errorType) {
+      try {
+        if (errorType === PROVIDER_ERROR_TYPES.FORBIDDEN) {
+          await updateProviderConnection(connectionId, {
+            isActive: false,
+            testStatus: "banned",
+            lastErrorType: errorType,
+            lastError: message,
+            errorCode: statusCode,
+          });
+          console.warn(
+            `[provider] Node ${connectionId} banned (${statusCode}) — disabling permanently`
+          );
+        } else if (errorType === PROVIDER_ERROR_TYPES.QUOTA_EXHAUSTED) {
+          await updateProviderConnection(connectionId, {
+            testStatus: "credits_exhausted",
+            lastErrorType: errorType,
+            lastError: message,
+            errorCode: statusCode,
+          });
+          console.warn(`[provider] Node ${connectionId} exhausted quota (${statusCode})`);
+        } else if (errorType === PROVIDER_ERROR_TYPES.ACCOUNT_DEACTIVATED) {
+          await updateProviderConnection(connectionId, {
+            isActive: false,
+            testStatus: "expired",
+            lastErrorType: errorType,
+            lastError: message,
+            errorCode: statusCode,
+          });
+          console.warn(
+            `[provider] Node ${connectionId} account deactivated (${statusCode}) — marked expired`
+          );
+        } else if (errorType === PROVIDER_ERROR_TYPES.UNAUTHORIZED) {
+          // Normal 401 (token/session auth issue): keep account active for refresh/re-auth.
+          await updateProviderConnection(connectionId, {
+            lastErrorType: errorType,
+            lastError: message,
+            errorCode: statusCode,
+          });
+        }
+      } catch {
+        // Best-effort state update; request flow should continue with fallback handling.
+      }
+    }
+
    appendRequestLog({ model, provider, connectionId, status: `FAILED ${statusCode}` }).catch(
      () => {}
    );
@@ -588,6 +840,7 @@ export async function handleChatCore({
      path: clientRawRequest?.endpoint || "/v1/chat/completions",
      status: statusCode,
      model,
+      requestedModel,
      provider,
      connectionId,
      duration: Date.now() - startTime,
@@ -778,6 +1031,7 @@ export async function handleChatCore({
      path: clientRawRequest?.endpoint || "/v1/chat/completions",
      status: 200,
      model,
+      requestedModel,
      provider,
      connectionId,
      duration: Date.now() - startTime,
@@ -814,10 +1068,38 @@ export async function handleChatCore({
    }

    // Translate response to client's expected format (usually OpenAI)
+    // Pass toolNameMap so Claude OAuth proxy_ prefix is stripped in tool_use blocks (#605)
    let translatedResponse = needsTranslation(targetFormat, sourceFormat)
-      ? translateNonStreamingResponse(responseBody, targetFormat, sourceFormat)
+      ? translateNonStreamingResponse(
+          responseBody,
+          targetFormat,
+          sourceFormat,
+          toolNameMap as Map<string, string> | null
+        )
      : responseBody;

+    // T26: Strip markdown code blocks if provider format is Claude
+    if (sourceFormat === "claude" && !stream) {
+      if (typeof translatedResponse?.choices?.[0]?.message?.content === "string") {
+        translatedResponse.choices[0].message.content = stripMarkdownCodeFence(
+          translatedResponse.choices[0].message.content
+        ) as string;
+      }
+    }
+
+    // T18: Normalize finish_reason to 'tool_calls' if tool calls are present
+    if (translatedResponse?.choices) {
+      for (const choice of translatedResponse.choices) {
+        if (
+          choice.message?.tool_calls &&
+          choice.message.tool_calls.length > 0 &&
+          choice.finish_reason !== "tool_calls"
+        ) {
+          choice.finish_reason = "tool_calls";
+        }
+      }
+    }
+
    // Sanitize response for OpenAI SDK compatibility
    // Strips non-standard fields (x_groq, usage_breakdown, service_tier, etc.)
    // Extracts <think> tags into reasoning_content
@@ -891,6 +1173,7 @@ export async function handleChatCore({
      path: clientRawRequest?.endpoint || "/v1/chat/completions",
      status: streamStatus || 200,
      model,
+      requestedModel,
      provider,
      connectionId,
      duration: Date.now() - startTime,
@@ -16,6 +16,7 @@
 */

 import { getImageProvider, parseImageModel } from "../config/imageRegistry.ts";
+import { mapImageSize } from "../translator/image/sizeMapper.ts";
 import { saveCallLog } from "@/lib/usageDb";
 import {
  submitComfyWorkflow,
@@ -95,11 +96,21 @@ export async function handleImageGeneration({ body, credentials, log, resolvedPr
    });
  }

-  // Route to format-specific handler
  if (providerConfig.format === "gemini-image") {
    return handleGeminiImageGeneration({ model, providerConfig, body, credentials, log });
  }

+  if (providerConfig.format === "imagen3") {
+    return handleImagen3ImageGeneration({
+      model,
+      provider,
+      providerConfig,
+      body,
+      credentials,
+      log,
+    });
+  }
+
  if (providerConfig.format === "hyperbolic") {
    return handleHyperbolicImageGeneration({
      model,
@@ -539,7 +550,7 @@ async function handleNanoBananaImageGeneration({
      ? body.aspectRatio
      : typeof body.aspect_ratio === "string"
        ? body.aspect_ratio
-        : inferAspectRatioFromSize(body.size) || "1:1";
+        : mapImageSize(body.size);

  let resolution =
    typeof body.resolution === "string"
@@ -856,18 +867,6 @@ async function normalizeNanoBananaTaskResult(taskData, body, log) {
  return [];
 }

-function inferAspectRatioFromSize(size) {
-  if (typeof size !== "string") return null;
-  const [wRaw, hRaw] = size.split("x");
-  const width = Number(wRaw);
-  const height = Number(hRaw);
-  if (!Number.isFinite(width) || !Number.isFinite(height) || width <= 0 || height <= 0) return null;
-
-  const gcd = (a, b) => (b === 0 ? a : gcd(b, a % b));
-  const div = gcd(Math.round(width), Math.round(height));
-  return `${Math.round(width / div)}:${Math.round(height / div)}`;
-}
-
 function inferResolutionFromSize(size) {
  if (typeof size !== "string") return null;
  const [wRaw, hRaw] = size.split("x");
@@ -1081,3 +1080,129 @@ async function handleComfyUIImageGeneration({ model, provider, providerConfig, b
    return { success: false, status: 502, error: `Image provider error: ${err.message}` };
  }
 }
+
+type Imagen3ImageGenArgs = {
+  model: string;
+  provider: string;
+  providerConfig: { baseUrl: string };
+  body: { prompt?: string; size?: string; n?: number };
+  credentials: { apiKey?: string; accessToken?: string };
+  log?: { info?: (tag: string, msg: string) => void; error?: (tag: string, msg: string) => void } | null;
+};
+
+type Imagen3NormalizedImage = {
+  b64_json?: unknown;
+  url?: unknown;
+  revised_prompt?: string;
+};
+
+/**
+ * Handle Imagen 3 image generation
+ */
+async function handleImagen3ImageGeneration({
+  model,
+  provider,
+  providerConfig,
+  body,
+  credentials,
+  log,
+}: Imagen3ImageGenArgs) {
+  const startTime = Date.now();
+  const token = credentials.apiKey || credentials.accessToken;
+  const aspectRatio = mapImageSize(body.size);
+
+  const upstreamBody = {
+    prompt: body.prompt,
+    aspect_ratio: aspectRatio,
+    number_of_images: body.n ?? 1,
+  };
+
+  if (log) {
+    const promptPreview = String(body.prompt ?? "").slice(0, 60);
+    log.info(
+      "IMAGE",
+      `${provider}/${model} (imagen3) | prompt: "${promptPreview}..." | aspect_ratio: ${aspectRatio}`
+    );
+  }
+
+  try {
+    const response = await fetch(providerConfig.baseUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${token}`,
+      },
+      body: JSON.stringify(upstreamBody),
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      if (log)
+        log.error("IMAGE", `${provider} error ${response.status}: ${errorText.slice(0, 200)}`);
+
+      saveCallLog({
+        method: "POST",
+        path: "/v1/images/generations",
+        status: response.status,
+        model: `${provider}/${model}`,
+        provider,
+        duration: Date.now() - startTime,
+        error: errorText.slice(0, 500),
+        requestBody: upstreamBody,
+      }).catch(() => {});
+
+      return { success: false, status: response.status, error: errorText };
+    }
+
+    const data = await response.json();
+
+    // Normalize response to OpenAI format
+    const images: Imagen3NormalizedImage[] = [];
+    if (Array.isArray(data.images)) {
+      images.push(
+        ...data.images.map((img: Record<string, unknown>) => ({
+          b64_json: img.image ?? img.b64_json ?? img.url ?? img,
+          revised_prompt: body.prompt,
+        }))
+      );
+    } else if (Array.isArray(data.data)) {
+      images.push(...data.data);
+    } else if (data.url || data.b64_json || data.image) {
+      images.push({
+        b64_json: data.image || data.b64_json || data.url,
+        url: data.url,
+        revised_prompt: body.prompt,
+      });
+    }
+
+    saveCallLog({
+      method: "POST",
+      path: "/v1/images/generations",
+      status: 200,
+      model: `${provider}/${model}`,
+      provider,
+      duration: Date.now() - startTime,
+      responseBody: { images_count: images.length },
+    }).catch(() => {});
+
+    return {
+      success: true,
+      data: { created: data.created || Math.floor(Date.now() / 1000), data: images },
+    };
+  } catch (err: unknown) {
+    const errMsg = err instanceof Error ? err.message : String(err);
+    if (log) log.error("IMAGE", `${provider} fetch error: ${errMsg}`);
+
+    saveCallLog({
+      method: "POST",
+      path: "/v1/images/generations",
+      status: 502,
+      model: `${provider}/${model}`,
+      provider,
+      duration: Date.now() - startTime,
+      error: errMsg,
+    }).catch(() => {});
+
+    return { success: false, status: 502, error: `Image provider error: ${errMsg}` };
+  }
+}
@@ -20,14 +20,62 @@ function toNumber(value: unknown, fallback = 0): number {
  return Number.isFinite(parsed) ? parsed : fallback;
 }

+function extractMessageOutputText(item: JsonRecord): string {
+  if (!Array.isArray(item.content)) return "";
+  let text = "";
+  for (const part of item.content) {
+    if (!part || typeof part !== "object") continue;
+    const partObj = toRecord(part);
+    if (partObj.type === "output_text" && typeof partObj.text === "string") {
+      text += partObj.text;
+    }
+  }
+  return text;
+}
+
+/**
+ * T19: Pick the last non-empty message output text from Responses API output.
+ * Falls back to the last message item even when all message texts are empty.
+ */
+function findBestMessageText(output: unknown[]): {
+  text: string;
+  selectedMessageIndex: number;
+  messageItems: JsonRecord[];
+} {
+  const messageItems = output
+    .map((item) => toRecord(item))
+    .filter((item) => item.type === "message" && Array.isArray(item.content));
+
+  for (let i = messageItems.length - 1; i >= 0; i -= 1) {
+    const text = extractMessageOutputText(messageItems[i]);
+    if (text.trim().length > 0) {
+      return { text, selectedMessageIndex: i, messageItems };
+    }
+  }
+
+  if (messageItems.length > 0) {
+    const lastIndex = messageItems.length - 1;
+    return {
+      text: extractMessageOutputText(messageItems[lastIndex]),
+      selectedMessageIndex: lastIndex,
+      messageItems,
+    };
+  }
+
+  return { text: "", selectedMessageIndex: -1, messageItems: [] };
+}
+
 /**
 * Translate non-streaming response to OpenAI format
 * Handles different provider response formats (Gemini, Claude, etc.)
+ *
+ * @param toolNameMap - Optional Map<prefixedName, originalName> for Claude OAuth tool name stripping
 */
 export function translateNonStreamingResponse(
  responseBody: unknown,
  targetFormat: string,
-  sourceFormat: string
+  sourceFormat: string,
+  toolNameMap?: Map<string, string> | null
 ): unknown {
  // If already in source format (usually OpenAI), return as-is
  if (targetFormat === sourceFormat || targetFormat === FORMATS.OPENAI) {
@@ -44,7 +92,8 @@ export function translateNonStreamingResponse(
    const output = Array.isArray(response.output) ? response.output : [];
    const usage = toRecord(response.usage ?? responseRoot.usage);

-    let textContent = "";
+    const messageSelection = findBestMessageText(output);
+    let textContent = messageSelection.text;
    let reasoningContent = "";
    const toolCalls: JsonRecord[] = [];

@@ -56,9 +105,7 @@ export function translateNonStreamingResponse(
        for (const part of itemObj.content) {
          if (!part || typeof part !== "object") continue;
          const partObj = toRecord(part);
-          if (partObj.type === "output_text" && typeof partObj.text === "string") {
-            textContent += partObj.text;
-          } else if (partObj.type === "summary_text" && typeof partObj.text === "string") {
+          if (partObj.type === "summary_text" && typeof partObj.text === "string") {
            reasoningContent += partObj.text;
          }
        }
@@ -78,11 +125,14 @@ export function translateNonStreamingResponse(
          typeof itemObj.arguments === "string"
            ? itemObj.arguments
            : JSON.stringify(itemObj.arguments || {});
+        const rawName = toString(itemObj.name);
+        // Strip Claude OAuth proxy_ prefix using toolNameMap (mirrors tool_use fix for #605)
+        const resolvedName = toolNameMap?.get(rawName) ?? rawName;
        toolCalls.push({
          id: callId,
          type: "function",
          function: {
-            name: toString(itemObj.name),
+            name: resolvedName,
            arguments: fnArgs,
          },
        });
@@ -103,6 +153,18 @@ export function translateNonStreamingResponse(
      message.content = "";
    }

+    if (process.env.DEBUG_RESPONSES_SSE_TO_JSON === "true") {
+      console.log(
+        `[ResponsesSSE] ${output.length} output items, ${messageSelection.messageItems.length} message items`
+      );
+      messageSelection.messageItems.forEach((item, idx) => {
+        const textLen = extractMessageOutputText(item).length;
+        console.log(`  [${idx}] text length: ${textLen}`);
+      });
+      console.log(`  → Selected message index: ${messageSelection.selectedMessageIndex}`);
+      console.log(`  → Final text content length: ${textContent.length}`);
+    }
+
    const createdAt = toNumber(response.created_at, Math.floor(Date.now() / 1000));
    const model = toString(response.model || responseRoot.model, "openai-responses");
    const finishReason = toolCalls.length > 0 ? "tool_calls" : "stop";
@@ -278,11 +340,15 @@ export function translateNonStreamingResponse(
      } else if (blockObj.type === "thinking") {
        thinkingContent += toString(blockObj.thinking);
      } else if (blockObj.type === "tool_use") {
+        // Strip Claude OAuth tool name prefix (proxy_) using the map from request translation.
+        // Fallback to raw name if block wasn't prefixed (disableToolPrefix path).
+        const rawName = toString(blockObj.name);
+        const strippedName = toolNameMap?.get(rawName) ?? rawName;
        toolCalls.push({
          id: toString(blockObj.id, `call_${Date.now()}_${toolCalls.length}`),
          type: "function",
          function: {
-            name: toString(blockObj.name),
+            name: strippedName,
            arguments: JSON.stringify(blockObj.input || {}),
          },
        });
@@ -23,9 +23,25 @@ export function parseSSEToOpenAIResponse(rawSSE, fallbackModel) {
  const first = chunks[0];
  const contentParts = [];
  const reasoningParts = [];
+  type AccumulatedToolCall = {
+    id: string | null;
+    index: number;
+    type: string;
+    function: { name: string; arguments: string };
+  };
+
+  const accumulatedToolCalls = new Map<string, AccumulatedToolCall>();
+  let unknownToolCallSeq = 0;
  let finishReason = "stop";
  let usage = null;

+  const getToolCallKey = (toolCall: Record<string, unknown>) => {
+    if (toolCall?.id) return `id:${toolCall.id}`;
+    if (Number.isInteger(toolCall?.index)) return `idx:${toolCall.index}`;
+    unknownToolCallSeq += 1;
+    return `seq:${unknownToolCallSeq}`;
+  };
+
  for (const chunk of chunks) {
    const choice = chunk?.choices?.[0];
    const delta = choice?.delta || {};
@@ -36,6 +52,40 @@ export function parseSSEToOpenAIResponse(rawSSE, fallbackModel) {
    if (typeof delta.reasoning_content === "string" && delta.reasoning_content.length > 0) {
      reasoningParts.push(delta.reasoning_content);
    }
+
+    // T18: Accumulate tool calls correctly across streamed chunks
+    if (delta.tool_calls) {
+      for (const tc of delta.tool_calls) {
+        const key = getToolCallKey(tc);
+        const existing = accumulatedToolCalls.get(key);
+        const deltaArgs = typeof tc?.function?.arguments === "string" ? tc.function.arguments : "";
+
+        if (!existing) {
+          accumulatedToolCalls.set(key, {
+            id: tc?.id ?? null,
+            index: Number.isInteger(tc?.index) ? tc.index : accumulatedToolCalls.size,
+            type: tc?.type || "function",
+            function: {
+              name: tc?.function?.name || "unknown",
+              arguments: deltaArgs,
+            },
+          });
+        } else {
+          existing.id = existing.id || tc?.id || null;
+          if (!Number.isInteger(existing.index) && Number.isInteger(tc?.index)) {
+            existing.index = tc.index;
+          }
+          if (tc?.function?.name && !existing.function?.name) {
+            existing.function = existing.function || {};
+            existing.function.name = tc.function.name;
+          }
+          existing.function = existing.function || {};
+          existing.function.arguments = `${existing.function.arguments || ""}${deltaArgs}`;
+          accumulatedToolCalls.set(key, existing);
+        }
+      }
+    }
+
    if (choice?.finish_reason) {
      finishReason = choice.finish_reason;
    }
@@ -46,12 +96,22 @@ export function parseSSEToOpenAIResponse(rawSSE, fallbackModel) {

  const message: Record<string, unknown> = {
    role: "assistant",
-    content: contentParts.join(""),
+    content: contentParts.length > 0 ? contentParts.join("") : null,
  };
  if (reasoningParts.length > 0) {
    message.reasoning_content = reasoningParts.join("");
  }

+  const finalToolCalls = [...accumulatedToolCalls.values()].filter(Boolean).sort((a, b) => {
+    const ai = Number.isInteger(a?.index) ? a.index : 0;
+    const bi = Number.isInteger(b?.index) ? b.index : 0;
+    return ai - bi;
+  });
+  if (finalToolCalls.length > 0) {
+    finishReason = "tool_calls"; // T18 normalization
+    message.tool_calls = finalToolCalls;
+  }
+
  const result: Record<string, unknown> = {
    id: first.id || `chatcmpl-${Date.now()}`,
    object: "chat.completion",
@@ -36,6 +36,7 @@ export {
 // Services
 export {
  detectFormat,
+  detectFormatFromEndpoint,
  getProviderConfig,
  buildProviderUrl,
  buildProviderHeaders,
@@ -1,5 +1,5 @@
 /**
- * MCP HTTP Transport Layer — Singleton server + SSE/Streamable HTTP handlers.
+ * MCP HTTP Transport Layer — session-aware handlers for SSE and Streamable HTTP.
 *
 * Runs the MCP server **inside** the Next.js process so it can be toggled
 * from the dashboard without requiring `omniroute --mcp`.
@@ -14,58 +14,188 @@ import { createMcpServer } from "./server.ts";
 import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";

-// ────── Singleton ──────────────────────────────────────────
+let _sseServer: McpServer | null = null;
+let _sseTransport: WebStandardStreamableHTTPServerTransport | null = null;
+let _sseStartedAt: number | null = null;

-let _server: McpServer | null = null;
-let _transport: WebStandardStreamableHTTPServerTransport | null = null;
-let _startedAt: number | null = null;
-let _activeTransportMode: "sse" | "streamable-http" | null = null;
+type StreamableSession = {
+  sessionId: string;
+  server: McpServer;
+  transport: WebStandardStreamableHTTPServerTransport;
+  startedAt: number;
+};

-function ensureServer(mode: "sse" | "streamable-http"): {
+const _streamableSessions = new Map<string, StreamableSession>();
+
+function closeSseTransport(): void {
+  if (_sseTransport) {
+    try {
+      _sseTransport.close();
+    } catch {
+      // ignore shutdown errors
+    }
+  }
+  _sseServer = null;
+  _sseTransport = null;
+  _sseStartedAt = null;
+}
+
+function closeStreamableSession(sessionId: string): void {
+  const session = _streamableSessions.get(sessionId);
+  if (!session) {
+    return;
+  }
+
+  try {
+    session.transport.close();
+  } catch {
+    // ignore shutdown errors
+  }
+  _streamableSessions.delete(sessionId);
+}
+
+function closeAllStreamableSessions(): void {
+  for (const sessionId of _streamableSessions.keys()) {
+    closeStreamableSession(sessionId);
+  }
+}
+
+function ensureSseServer(): {
  server: McpServer;
  transport: WebStandardStreamableHTTPServerTransport;
 } {
-  if (_server && _transport && _activeTransportMode === mode) {
-    return { server: _server, transport: _transport };
+  if (_sseServer && _sseTransport) {
+    return { server: _sseServer, transport: _sseTransport };
  }

-  // Shutdown previous if switching modes
-  if (_transport) {
-    try { _transport.close(); } catch { /* ignore */ }
-  }
+  closeAllStreamableSessions();

-  _server = createMcpServer();
-  _transport = new WebStandardStreamableHTTPServerTransport({
+  _sseServer = createMcpServer();
+  _sseTransport = new WebStandardStreamableHTTPServerTransport({
    sessionIdGenerator: () => randomUUID(),
  });
-  _activeTransportMode = mode;
-  _startedAt = Date.now();
+  _sseStartedAt = Date.now();

-  // Connect server to transport (fire-and-forget, will be ready by first request)
-  void _server.connect(_transport);
+  void _sseServer.connect(_sseTransport);

-  console.log(`[MCP] HTTP transport started (${mode})`);
-  return { server: _server, transport: _transport };
+  console.log("[MCP] HTTP transport started (sse)");
+  return { server: _sseServer, transport: _sseTransport };
 }

-// ────── Streamable HTTP Handler ────────────────────────────
+function createStreamableSession(): StreamableSession {
+  closeSseTransport();
+
+  const sessionId = randomUUID();
+  const server = createMcpServer();
+  const transport = new WebStandardStreamableHTTPServerTransport({
+    sessionIdGenerator: () => sessionId,
+  });
+  const session = {
+    sessionId,
+    server,
+    transport,
+    startedAt: Date.now(),
+  };
+
+  void server.connect(transport);
+  _streamableSessions.set(sessionId, session);
+  console.log(`[MCP] HTTP transport started (streamable-http:${sessionId})`);
+  return session;
+}
+
+async function isInitializeRequest(request: Request): Promise<boolean> {
+  if (request.method !== "POST") {
+    return false;
+  }
+
+  try {
+    const body = (await request.clone().json()) as { method?: unknown };
+    return body?.method === "initialize";
+  } catch {
+    return false;
+  }
+}
+
+function errorResponse(message: string, code: number, status = 400): Response {
+  return new Response(
+    JSON.stringify({
+      jsonrpc: "2.0",
+      error: { code, message },
+      id: null,
+    }),
+    {
+      status,
+      headers: { "Content-Type": "application/json" },
+    }
+  );
+}
+
+function withSessionHeader(response: Response, sessionId: string): Response {
+  if (response.headers.get("mcp-session-id")) {
+    return response;
+  }
+
+  const headers = new Headers(response.headers);
+  headers.set("mcp-session-id", sessionId);
+  return new Response(response.body, {
+    status: response.status,
+    statusText: response.statusText,
+    headers,
+  });
+}
+
+async function handleStreamableRequest(request: Request): Promise<Response> {
+  const sessionId = request.headers.get("mcp-session-id");
+
+  if (sessionId) {
+    const session = _streamableSessions.get(sessionId);
+    if (!session) {
+      return errorResponse("Bad Request: Unknown Mcp-Session-Id header", -32000);
+    }
+
+    try {
+      const response = await session.transport.handleRequest(request);
+      if (request.method === "DELETE") {
+        closeStreamableSession(sessionId);
+      }
+      return withSessionHeader(response, sessionId);
+    } catch (err) {
+      console.error("[MCP] Streamable HTTP error:", err);
+      if (request.method === "DELETE") {
+        closeStreamableSession(sessionId);
+      }
+      return new Response(JSON.stringify({ error: "MCP transport error" }), {
+        status: 500,
+        headers: { "Content-Type": "application/json" },
+      });
+    }
+  }
+
+  if (!(await isInitializeRequest(request))) {
+    return errorResponse("Bad Request: Mcp-Session-Id header is required", -32000);
+  }
+
+  const session = createStreamableSession();
+
+  try {
+    const response = await session.transport.handleRequest(request);
+    return withSessionHeader(response, session.sessionId);
+  } catch (err) {
+    closeStreamableSession(session.sessionId);
+    console.error("[MCP] Streamable HTTP error:", err);
+    return new Response(JSON.stringify({ error: "MCP transport error" }), {
+      status: 500,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+}

 /**
 * Handle Streamable HTTP requests (POST / GET / DELETE).
 * Used by the Next.js route at /api/mcp/stream.
 */
 export async function handleMcpStreamableHTTP(request: Request): Promise<Response> {
-  const { transport } = ensureServer("streamable-http");
-
-  try {
-    return await transport.handleRequest(request);
-  } catch (err) {
-    console.error("[MCP] Streamable HTTP error:", err);
-    return new Response(
-      JSON.stringify({ error: "MCP transport error" }),
-      { status: 500, headers: { "Content-Type": "application/json" } },
-    );
-  }
+  return handleStreamableRequest(request);
 }

 /**
@@ -74,47 +204,47 @@ export async function handleMcpStreamableHTTP(request: Request): Promise<Respons
 * and POST for messages (the Streamable HTTP transport supports both patterns).
 */
 export async function handleMcpSSE(request: Request): Promise<Response> {
-  const { transport } = ensureServer("sse");
+  const { transport } = ensureSseServer();

  try {
    return await transport.handleRequest(request);
  } catch (err) {
    console.error("[MCP] SSE error:", err);
-    return new Response(
-      JSON.stringify({ error: "MCP SSE transport error" }),
-      { status: 500, headers: { "Content-Type": "application/json" } },
-    );
+    return new Response(JSON.stringify({ error: "MCP SSE transport error" }), {
+      status: 500,
+      headers: { "Content-Type": "application/json" },
+    });
  }
 }

-// ────── Status & Lifecycle ─────────────────────────────────
-
 export function getMcpHttpStatus(): {
  online: boolean;
  transport: string | null;
  startedAt: number | null;
  uptime: string | null;
 } {
-  const online = _transport !== null && _activeTransportMode !== null;
+  const streamableStartedAt =
+    _streamableSessions.size > 0
+      ? Math.min(...Array.from(_streamableSessions.values(), (session) => session.startedAt))
+      : null;
+  const startedAt = streamableStartedAt ?? _sseStartedAt;
+  const transport = _streamableSessions.size > 0 ? "streamable-http" : _sseTransport ? "sse" : null;
+  const online = transport !== null;
+
  return {
    online,
-    transport: _activeTransportMode,
-    startedAt: _startedAt,
-    uptime: _startedAt ? `${Math.floor((Date.now() - _startedAt) / 1000)}s` : null,
+    transport,
+    startedAt,
+    uptime: startedAt ? `${Math.floor((Date.now() - startedAt) / 1000)}s` : null,
  };
 }

 export function shutdownMcpHttp(): void {
-  if (_transport) {
-    try { _transport.close(); } catch { /* ignore */ }
-  }
-  _server = null;
-  _transport = null;
-  _activeTransportMode = null;
-  _startedAt = null;
+  closeSseTransport();
+  closeAllStreamableSessions();
  console.log("[MCP] HTTP transport shutdown");
 }

 export function isMcpHttpActive(): boolean {
-  return _transport !== null;
+  return _sseTransport !== null || _streamableSessions.size > 0;
 }
@@ -57,7 +57,7 @@ export const TaskInputSchema = z.object({
  role: z
    .enum(["coding", "review", "planning", "analysis", "debugging", "documentation"])
    .optional(),
-  metadata: z.record(z.unknown()).optional(),
+  metadata: z.record(z.string(), z.unknown()).optional(),
 });

 export const CostEnvelopeSchema = z.object({
@@ -120,7 +120,7 @@ export type PolicyVerdict = z.infer<typeof PolicyVerdictSchema>;
 export const JsonRpcRequestSchema = z.object({
  jsonrpc: z.literal("2.0"),
  method: z.enum(["message/send", "message/stream", "tasks/get", "tasks/cancel"]),
-  params: z.record(z.unknown()),
+  params: z.record(z.string(), z.unknown()),
  id: z.union([z.string(), z.number()]),
 });

@@ -151,7 +151,7 @@ export const MessageSendParamsSchema = z.object({
  message: z.object({
    role: z.string().default("user"),
    content: z.string(),
-    metadata: z.record(z.unknown()).optional(),
+    metadata: z.record(z.string(), z.unknown()).optional(),
  }),
  config: z
    .object({
@@ -433,23 +433,48 @@ async function handleListModelsCatalog(args: { provider?: string; capability?: s
  const start = Date.now();
  try {
    let path = "/v1/models";
-    const params = new URLSearchParams();
-    if (args.provider) params.set("provider", args.provider);
-    if (args.capability) params.set("capability", args.capability);
-    if (params.toString()) path += `?${params.toString()}`;
+    let isProviderSpecific = false;
+    let source = "local_catalog";
+    let warning: string | undefined;
+
+    if (args.provider && !args.capability) {
+      // Use direct provider fetch to get real-time API status
+      path = `/api/providers/${encodeURIComponent(args.provider)}/models`;
+      isProviderSpecific = true;
+    } else {
+      const params = new URLSearchParams();
+      if (args.provider) params.set("provider", args.provider);
+      if (args.capability) params.set("capability", args.capability);
+      if (params.toString()) path += `?${params.toString()}`;
+    }

    const raw = toRecord(await omniRouteFetch(path));
+
+    // If we used the direct provider endpoint
+    let rawModels: unknown[] = [];
+    if (isProviderSpecific) {
+      rawModels = Array.isArray(raw.models) ? raw.models : [];
+      source = typeof raw.source === "string" ? raw.source : "api";
+      if (raw.warning) warning = String(raw.warning);
+    } else {
+      rawModels = Array.isArray(raw.data) ? raw.data : [];
+      source = "local_catalog";
+      // OmniRoute's global /v1/models is always a cached/local catalog
+    }
+
    const result = {
-      models: toArray(raw.data).map((rawModel) => {
+      models: rawModels.map((rawModel) => {
        const model = toRecord(rawModel);
        return {
          id: toString(model.id, ""),
-          provider: toString(model.owned_by, toString(model.provider, "unknown")),
+          provider: toString(model.owned_by, toString(model.provider, args.provider || "unknown")),
          capabilities: toStringArray(model.capabilities, ["chat"]),
          status: toString(model.status, "available"),
          pricing: model.pricing,
        };
      }),
+      source,
+      ...(warning ? { warning } : {}),
    };

    await logToolCall(
@@ -8,6 +8,46 @@ import {
 } from "../config/constants.ts";
 import { getProviderCategory } from "../config/providerRegistry.ts";

+// T06 (sub2api PR #1037): Signals that indicate permanent account deactivation.
+// When a 401 body contains these strings, the account is permanently dead
+// and should NOT be retried after token refresh.
+export const ACCOUNT_DEACTIVATED_SIGNALS = [
+  "account_deactivated",
+  "account has been deactivated",
+  "account has been disabled",
+  "your account has been suspended",
+  "this account is deactivated",
+];
+
+// T10 (sub2api PR #1169): Signals that indicate billing credits are exhausted.
+// Distinct from rate-limit 429 — the account won't recover until credits are added.
+export const CREDITS_EXHAUSTED_SIGNALS = [
+  "insufficient_quota",
+  "billing_hard_limit_reached",
+  "exceeded your current quota",
+  "credit_balance_too_low",
+  "your credit balance is too low",
+  "credits exhausted",
+  "out of credits",
+  "payment required",
+];
+
+/**
+ * T06: Returns true if response body indicates the account is permanently deactivated.
+ */
+export function isAccountDeactivated(errorText: string): boolean {
+  const lower = String(errorText || "").toLowerCase();
+  return ACCOUNT_DEACTIVATED_SIGNALS.some((sig) => lower.includes(sig));
+}
+
+/**
+ * T10: Returns true if response body indicates credits/quota are permanently exhausted.
+ */
+export function isCreditsExhausted(errorText: string): boolean {
+  const lower = String(errorText || "").toLowerCase();
+  return CREDITS_EXHAUSTED_SIGNALS.some((sig) => lower.includes(sig));
+}
+
 // ─── Provider Profile Helper ────────────────────────────────────────────────

 /**
@@ -201,6 +241,14 @@ export function classifyErrorText(errorText) {
  ) {
    return RateLimitReason.QUOTA_EXHAUSTED;
  }
+  // T10: credits_exhausted signals
+  if (isCreditsExhausted(errorText)) {
+    return RateLimitReason.QUOTA_EXHAUSTED;
+  }
+  // T06: account_deactivated signals
+  if (isAccountDeactivated(errorText)) {
+    return RateLimitReason.AUTH_ERROR;
+  }
  if (
    lower.includes("rate limit") ||
    lower.includes("too many requests") ||
@@ -294,13 +342,67 @@ export function checkFallbackError(
  errorText,
  backoffLevel = 0,
  model = null,
-  provider = null
+  provider = null,
+  headers = null
 ) {
+  const errorStr = (errorText || "").toString();
+
+  function parseResetFromHeaders(headers, errorStr = "") {
+    if (!headers) return null;
+
+    // Retry-After header
+    const retryAfter =
+      typeof headers.get === "function"
+        ? headers.get("retry-after")
+        : headers["retry-after"] || headers["Retry-After"];
+
+    if (retryAfter) {
+      const seconds = parseInt(retryAfter, 10);
+      if (!isNaN(seconds) && String(seconds) === String(retryAfter).trim()) {
+        return Date.now() + seconds * 1000;
+      }
+      const date = new Date(retryAfter);
+      if (!isNaN(date.getTime())) return date.getTime();
+    }
+
+    // X-RateLimit-Reset
+    const rlReset =
+      typeof headers.get === "function"
+        ? headers.get("x-ratelimit-reset")
+        : headers["x-ratelimit-reset"] || headers["X-RateLimit-Reset"];
+
+    if (rlReset) {
+      const ts = parseInt(rlReset, 10);
+      if (!isNaN(ts)) {
+        return ts > 10000000000 ? ts : ts * 1000;
+      }
+    }
+    return null;
+  }
  // Check error message FIRST - specific patterns take priority over status codes
  if (errorText) {
-    const errorStr = typeof errorText === "string" ? errorText : JSON.stringify(errorText);
    const lowerError = errorStr.toLowerCase();

+    // T06 (sub2api #1037): Permanent account deactivation — do NOT retry, mark as permanent failure
+    if (isAccountDeactivated(errorStr)) {
+      return {
+        shouldFallback: true,
+        cooldownMs: 365 * 24 * 60 * 60 * 1000, // 1 year = effectively permanent
+        reason: RateLimitReason.AUTH_ERROR,
+        permanent: true,
+      };
+    }
+
+    // T10 (sub2api #1169): Credits/quota exhausted — long cooldown, distinct from rate limit
+    if (isCreditsExhausted(errorStr)) {
+      return {
+        shouldFallback: true,
+        cooldownMs: COOLDOWN_MS.paymentRequired ?? 3600 * 1000, // 1h cooldown
+        reason: RateLimitReason.QUOTA_EXHAUSTED,
+        creditsExhausted: true,
+      };
+    }
+
    if (lowerError.includes("no credentials")) {
      return {
        shouldFallback: true,
@@ -325,6 +427,18 @@ export function checkFallbackError(
      lowerError.includes("capacity") ||
      lowerError.includes("overloaded")
    ) {
+      const resetTime = parseResetFromHeaders(headers);
+      if (resetTime) {
+        const waitMs = resetTime - Date.now();
+        if (waitMs > 60_000) {
+          return {
+            shouldFallback: true,
+            cooldownMs: waitMs,
+            newBackoffLevel: 0,
+            reason: RateLimitReason.RATE_LIMIT_EXCEEDED,
+          };
+        }
+      }
      const newLevel = Math.min(backoffLevel + 1, BACKOFF_CONFIG.maxLevel);
      const reason = classifyErrorText(errorStr);
      return {
@@ -362,6 +476,19 @@ export function checkFallbackError(

  // 429 - Rate limit with exponential backoff
  if (status === HTTP_STATUS.RATE_LIMITED) {
+    const resetTime = parseResetFromHeaders(headers);
+    if (resetTime) {
+      const waitMs = resetTime - Date.now();
+      if (waitMs > 60_000) {
+        return {
+          shouldFallback: true,
+          cooldownMs: waitMs,
+          newBackoffLevel: 0,
+          reason: RateLimitReason.RATE_LIMIT_EXCEEDED,
+        };
+      }
+    }
+
    const newLevel = Math.min(backoffLevel + 1, BACKOFF_CONFIG.maxLevel);
    return {
      shouldFallback: true,
@@ -381,6 +508,19 @@ export function checkFallbackError(
    HTTP_STATUS.GATEWAY_TIMEOUT,
  ];
  if (transientStatuses.includes(status)) {
+    const resetTime = parseResetFromHeaders(headers, errorStr);
+    if (resetTime) {
+      const waitMs = resetTime - Date.now();
+      if (waitMs > 60_000) {
+        return {
+          shouldFallback: true,
+          cooldownMs: waitMs,
+          newBackoffLevel: 0,
+          reason: RateLimitReason.SERVER_ERROR,
+        };
+      }
+    }
+
    const profile = provider ? getProviderProfile(provider) : null;
    const baseCooldown = profile?.transientCooldown ?? COOLDOWN_MS.transientInitial;
    const maxLevel = profile?.maxBackoffLevel ?? BACKOFF_CONFIG.maxLevel;
@@ -7,6 +7,7 @@

 import fs from "fs";
 import path from "path";
+import { resolveDataDir } from "../../../src/lib/dataPaths";

 export interface AdaptationState {
  comboId: string;
@@ -23,7 +24,7 @@ export interface AdaptationState {
  lastUpdated: string;
 }

-const PERSISTENCE_DIR = path.join(process.cwd(), "data");
+const PERSISTENCE_DIR = resolveDataDir();
 const STATE_FILE = path.join(PERSISTENCE_DIR, "auto_combo_state.json");

 let stateCache = new Map<string, AdaptationState>();
@@ -47,16 +47,16 @@ const DEFAULT_DETECTION_PATTERNS = [

 const DEFAULT_DEGRADATION_MAP: Record<string, string> = {
  // Premium → Cheap alternatives
-  "claude-opus-4-6": "gemini-2.5-flash",
-  "claude-opus-4-6-thinking": "gemini-2.5-flash",
-  "claude-opus-4-5-20251101": "gemini-2.5-flash",
-  "claude-sonnet-4-5-20250929": "gemini-2.5-flash",
-  "claude-sonnet-4-20250514": "gemini-2.5-flash",
-  "claude-sonnet-4": "gemini-2.5-flash",
-  "gemini-3.1-pro": "gemini-3.1-flash",
-  "gemini-3.1-pro-high": "gemini-3.1-flash",
+  "claude-opus-4-6": "gemini-3-flash",
+  "claude-opus-4-6-thinking": "gemini-3-flash",
+  "claude-opus-4-5-20251101": "gemini-3-flash",
+  "claude-sonnet-4-5-20250929": "gemini-3-flash",
+  "claude-sonnet-4-20250514": "gemini-3-flash",
+  "claude-sonnet-4": "gemini-3-flash",
+  "gemini-3.1-pro": "gemini-3-flash",
+  "gemini-3.1-pro-high": "gemini-3-flash",
  "gemini-3-pro-preview": "gemini-3-flash-preview",
-  "gemini-2.5-pro": "gemini-2.5-flash",
+  "gemini-2.5-pro": "gemini-3-flash",
  "gpt-4o": "gpt-4o-mini",
  "gpt-5": "gpt-5-mini",
  "gpt-5.1": "gpt-5-mini",
@@ -114,12 +114,93 @@ interface BackgroundMessage {
 interface BackgroundTaskBody {
  messages?: BackgroundMessage[];
  input?: BackgroundMessage[];
+  max_tokens?: unknown;
+  max_completion_tokens?: unknown;
+  max_output_tokens?: unknown;
 }

 function toMessageArray(value: unknown): BackgroundMessage[] {
  return Array.isArray(value) ? (value as BackgroundMessage[]) : [];
 }

+function toFiniteNumber(value: unknown): number | null {
+  if (typeof value === "number" && Number.isFinite(value)) return value;
+  if (typeof value === "string" && value.trim().length > 0) {
+    const parsed = Number(value);
+    return Number.isFinite(parsed) ? parsed : null;
+  }
+  return null;
+}
+
+function headerValue(headers: Record<string, string> | null, key: string): string {
+  if (!headers) return "";
+  const value = headers[key] ?? headers[key.toLowerCase()] ?? headers[key.toUpperCase()];
+  return typeof value === "string" ? value.trim() : "";
+}
+
+/**
+ * Get reason label when request is a background/utility task.
+ *
+ * @param {object} body - Request body
+ * @param {object} [headers] - Request headers (optional)
+ * @returns {string | null} Reason label or null when not detected
+ */
+export function getBackgroundTaskReason(
+  body: BackgroundTaskBody | unknown,
+  headers: Record<string, string> | null = null
+): string | null {
+  if (!body || typeof body !== "object") return null;
+  const typedBody = body as BackgroundTaskBody;
+
+  // 1. Check explicit header
+  if (headers) {
+    const taskType = headerValue(headers, "x-task-type");
+    const priority = headerValue(headers, "x-request-priority");
+    const initiator = headerValue(headers, "x-initiator");
+    const explicitValue = [taskType, priority, initiator].find(Boolean);
+    if (explicitValue && explicitValue.toLowerCase() === "background") {
+      return "header_background";
+    }
+  }
+
+  // 2. Very low max tokens usually indicates utility/background tasks
+  const maxTokens = toFiniteNumber(
+    typedBody.max_tokens ?? typedBody.max_completion_tokens ?? typedBody.max_output_tokens
+  );
+  if (maxTokens !== null && maxTokens > 0 && maxTokens < 50) {
+    return "low_max_tokens";
+  }
+
+  // 3. Check system prompt for background task patterns
+  const messages = toMessageArray(typedBody.messages ?? typedBody.input ?? []);
+  if (!Array.isArray(messages) || messages.length === 0) return null;
+
+  // Find system message
+  const systemMsg = messages.find(
+    (message: BackgroundMessage) => message.role === "system" || message.role === "developer"
+  );
+  if (!systemMsg) return null;
+
+  const systemContent =
+    typeof systemMsg.content === "string" ? systemMsg.content.toLowerCase() : "";
+
+  if (!systemContent) return null;
+
+  // Check against detection patterns
+  const matched = _config.detectionPatterns.some((pattern) =>
+    systemContent.includes(pattern.toLowerCase())
+  );
+
+  if (!matched) return null;
+
+  // 4. Additional heuristic: background tasks typically have very few messages
+  // (system + 1-2 user messages)
+  const userMessages = messages.filter((message: BackgroundMessage) => message.role === "user");
+  if (userMessages.length > 3) return null; // Too many turns for a background task
+
+  return "system_prompt_pattern";
+}
+
 /**
 * Check if a request is a background/utility task.
 *
@@ -131,44 +212,7 @@ export function isBackgroundTask(
  body: BackgroundTaskBody | unknown,
  headers: Record<string, string> | null = null
 ): boolean {
-  if (!body || typeof body !== "object") return false;
-  const typedBody = body as BackgroundTaskBody;
-
-  // 1. Check explicit header
-  if (headers) {
-    const priority =
-      headers["x-request-priority"] || headers["X-Request-Priority"] || headers["x-initiator"];
-    if (priority === "background" || priority === "Background") return true;
-  }
-
-  // 2. Check system prompt for background task patterns
-  const messages = toMessageArray(typedBody.messages ?? typedBody.input ?? []);
-  if (!Array.isArray(messages) || messages.length === 0) return false;
-
-  // Find system message
-  const systemMsg = messages.find(
-    (message: BackgroundMessage) => message.role === "system" || message.role === "developer"
-  );
-  if (!systemMsg) return false;
-
-  const systemContent =
-    typeof systemMsg.content === "string" ? systemMsg.content.toLowerCase() : "";
-
-  if (!systemContent) return false;
-
-  // Check against detection patterns
-  const matched = _config.detectionPatterns.some((pattern) =>
-    systemContent.includes(pattern.toLowerCase())
-  );
-
-  if (!matched) return false;
-
-  // 3. Additional heuristic: background tasks typically have very few messages
-  // (system + 1-2 user messages)
-  const userMessages = messages.filter((message: BackgroundMessage) => message.role === "user");
-  if (userMessages.length > 3) return false; // Too many turns for a background task
-
-  return true;
+  return getBackgroundTaskReason(body, headers) !== null;
 }

 /**
@@ -447,8 +447,10 @@ export async function handleComboChat({
  const handleSingleModelWrapped = combo.context_cache_protection
    ? async (b, modelStr) => {
        const res = await handleSingleModel(b, modelStr);
-        // Inject tag only on success and only for non-streaming non-binary responses
-        if (res.ok && !b.stream) {
+        if (!res.ok) return res;
+
+        // Non-streaming: inject tag into JSON response (existing logic)
+        if (!b.stream) {
          try {
            const json = await res.clone().json();
            const msgs = Array.isArray(json?.messages) ? json.messages : [];
@@ -460,10 +462,108 @@ export async function handleComboChat({
              });
            }
          } catch {
-            /* non-JSON or stream — skip tagging */
+            /* non-JSON — skip tagging */
          }
+          return res;
        }
-        return res;
+
+        // Streaming (Fix #490 + #511): prepend omniModel tag into the first
+        // non-empty content chunk so it arrives BEFORE finish_reason:stop.
+        // SDKs close the connection on finish_reason, so anything sent after
+        // that marker is silently dropped.
+        if (!res.body) return res;
+        const tagContent = `\\n<omniModel>${modelStr}</omniModel>\\n`;
+        const encoder = new TextEncoder();
+        const decoder = new TextDecoder();
+        let tagInjected = false;
+
+        const transform = new TransformStream({
+          transform(chunk, controller) {
+            if (tagInjected) {
+              // Already injected — passthrough
+              controller.enqueue(chunk);
+              return;
+            }
+
+            const text = decoder.decode(chunk, { stream: true });
+
+            // Look for the first SSE data line with non-empty content
+            // Pattern: "content":"<non-empty>" — we inject tag at the start
+            const contentMatch = text.match(/"content":"([^"]+)/);
+            if (contentMatch) {
+              // Inject tag at the beginning of the first content value
+              const injected = text.replace(
+                /"content":"([^"]+)/,
+                `"content":"${tagContent.replace(/"/g, '\\"')}$1`
+              );
+              tagInjected = true;
+              controller.enqueue(encoder.encode(injected));
+              return;
+            }
+
+            // No content yet — passthrough
+            controller.enqueue(chunk);
+          },
+          flush(controller) {
+            // If stream ends without ever finding content (edge case),
+            // inject tag as a standalone chunk before the stream closes
+            if (!tagInjected) {
+              const tagChunk = `data: ${JSON.stringify({
+                choices: [
+                  {
+                    delta: { content: tagContent },
+                    index: 0,
+                    finish_reason: null,
+                  },
+                ],
+              })}\n\n`;
+              controller.enqueue(encoder.encode(tagChunk));
+            }
+          },
+        });
+
+        // FIX #585: Sanitize outbound stream — strip <omniModel> tags from
+        // visible content so they don't leak to the user. The tag is still
+        // present in the full response for round-trip context pinning, but
+        // we clean it from each SSE chunk's content field before delivery.
+        //
+        // IMPORTANT: Use a SEPARATE TextDecoder from the transform stream above.
+        // The transform stream's decoder accumulates UTF-8 state; reusing it here
+        // would corrupt multi-byte characters split across chunk boundaries.
+        const sanitizeDecoder = new TextDecoder();
+        const sanitize = new TransformStream({
+          transform(chunk, controller) {
+            const text = sanitizeDecoder.decode(chunk, { stream: true });
+            if (text) {
+              if (text.includes("<omniModel>")) {
+                const cleaned = text.replace(/\n?<omniModel>[^<]+<\/omniModel>\n?/g, "");
+                if (cleaned) controller.enqueue(encoder.encode(cleaned));
+              } else {
+                controller.enqueue(encoder.encode(text));
+              }
+            }
+          },
+          flush(controller) {
+            const tail = sanitizeDecoder.decode();
+            if (tail) {
+              if (tail.includes("<omniModel>")) {
+                const cleaned = tail.replace(/\n?<omniModel>[^<]+<\/omniModel>\n?/g, "");
+                if (cleaned) controller.enqueue(encoder.encode(cleaned));
+              } else {
+                controller.enqueue(encoder.encode(tail));
+              }
+            }
+          },
+        });
+
+        const transformedStream = res.body.pipeThrough(transform).pipeThrough(sanitize);
+        // Add model info as response header for clients that support it
+        const headers = new Headers(res.headers);
+        headers.set("X-OmniRoute-Model", modelStr);
+        return new Response(transformedStream, {
+          status: res.status,
+          headers,
+        });
      }
    : handleSingleModel;
  // ─────────────────────────────────────────────────────────────────────────
@@ -778,7 +878,8 @@ export async function handleComboChat({
        errorText,
        0,
        null,
-        provider
+        provider,
+        result.headers
      );

      // Record failure in circuit breaker for transient errors
@@ -802,6 +903,12 @@ export async function handleComboChat({
      if (!lastStatus) lastStatus = result.status;
      if (i > 0) fallbackCount++;
      log.warn("COMBO", `Model ${modelStr} failed, trying next`, { status: result.status });
+
+      if ([502, 503, 504].includes(result.status) && cooldownMs > 0 && cooldownMs <= 5000) {
+        log.info("COMBO", `Waiting ${cooldownMs}ms before fallback to next model`);
+        await new Promise((r) => setTimeout(r, cooldownMs));
+      }
+
      break; // Move to next model
    }
  }
@@ -823,7 +930,20 @@ export async function handleComboChat({
    );
  }

-  const status = lastStatus || 406;
+  if (!lastStatus) {
+    return new Response(
+      JSON.stringify({
+        error: {
+          message: "Service temporarily unavailable: all upstream accounts are inactive",
+          type: "service_unavailable",
+          code: "ALL_ACCOUNTS_INACTIVE",
+        },
+      }),
+      { status: 503, headers: { "Content-Type": "application/json" } }
+    );
+  }
+
+  const status = lastStatus;
  const msg = lastError || "All combo models unavailable";

  if (earliestRetryAfter) {
@@ -878,7 +998,7 @@ async function handleRoundRobinCombo({

  const modelCount = orderedModels.length;
  if (modelCount === 0) {
-    return unavailableResponse(406, "Round-robin combo has no models");
+    return unavailableResponse(503, "Round-robin combo has no models");
  }

  // Get and increment atomic counter
@@ -1014,7 +1134,8 @@ async function handleRoundRobinCombo({
          errorText,
          0,
          null,
-          provider
+          provider,
+          result.headers
        );

        // Transient errors → mark in semaphore AND record circuit breaker failure
@@ -1043,6 +1164,12 @@ async function handleRoundRobinCombo({
        if (!lastStatus) lastStatus = result.status;
        if (offset > 0) fallbackCount++;
        log.warn("COMBO-RR", `${modelStr} failed, trying next model`, { status: result.status });
+
+        if ([502, 503, 504].includes(result.status) && cooldownMs > 0 && cooldownMs <= 5000) {
+          log.info("COMBO-RR", `Waiting ${cooldownMs}ms before fallback to next model`);
+          await new Promise((r) => setTimeout(r, cooldownMs));
+        }
+
        break;
      }
    } finally {
@@ -1073,7 +1200,20 @@ async function handleRoundRobinCombo({
    );
  }

-  const status = lastStatus || 406;
+  if (!lastStatus) {
+    return new Response(
+      JSON.stringify({
+        error: {
+          message: "Service temporarily unavailable: all upstream accounts are inactive",
+          type: "service_unavailable",
+          code: "ALL_ACCOUNTS_INACTIVE",
+        },
+      }),
+      { status: 503, headers: { "Content-Type": "application/json" } }
+    );
+  }
+
+  const status = lastStatus;
  const msg = lastError || "All round-robin combo models unavailable";

  if (earliestRetryAfter) {
@@ -34,7 +34,11 @@ interface Message {

 // ── Context Caching Tag ─────────────────────────────────────────────────────

-const CACHE_TAG_PATTERN = /<omniModel>([^<]+)<\/omniModel>/;
+// Handles both actual newlines (U+000A) and literal \n sequences injected
+// by combo.ts streaming around the <omniModel> tag (#531). Non-global so that
+// .exec() and .test() stay stateless; callers that need full replacement use
+// String.prototype.replace() which replaces all non-overlapping matches.
+const CACHE_TAG_PATTERN = /(?:\\n|\n)?<omniModel>([^<]+)<\/omniModel>(?:\\n|\n)?/;

 /**
 * Inject the model tag into the last assistant message (or append a new one).
@@ -52,7 +56,15 @@ export function injectModelTag(messages: Message[], providerModel: string): Mess

  // Find last assistant message with string content
  const lastAssistantIdx = cleaned.map((m) => m.role).lastIndexOf("assistant");
-  if (lastAssistantIdx === -1) return cleaned;
+
+  // #474: If no assistant message exists yet (first turn), append a synthetic one
+  // so the tag is present when the client sends the next request with the response.
+  if (lastAssistantIdx === -1) {
+    return [
+      ...cleaned,
+      { role: "assistant", content: `\n<omniModel>${providerModel}</omniModel>` },
+    ];
+  }

  const msg = cleaned[lastAssistantIdx];
  if (typeof msg.content !== "string") return cleaned;
@@ -157,7 +169,11 @@ export function applyComboAgentMiddleware(
  if (comboConfig.context_cache_protection) {
    pinnedModel = extractPinnedModel(messages);
    if (pinnedModel) {
-      // Model is pinned — caller should override model selection
+      // (#535) Model is pinned via <omniModel> tag — override body.model so the combo
+      // router uses exactly this model instead of picking a different one. Without this,
+      // the extracted pinnedModel is returned but body.model is unchanged, breaking
+      // context cache sessions by sending subsequent turns to a different model.
+      body = { ...body, model: pinnedModel };
    }
  }

@@ -9,7 +9,7 @@ const DEFAULT_COMBO_CONFIG = {
  strategy: "priority",
  maxRetries: 1,
  retryDelayMs: 2000,
-  timeoutMs: 120000,
+  timeoutMs: 600000,
  concurrencyPerModel: 3, // max simultaneous requests per model (round-robin)
  queueTimeoutMs: 30000, // max wait time in semaphore queue (round-robin)
  healthCheckEnabled: true,
@@ -5,14 +5,34 @@
 * 3 layers: trim tool messages, compress thinking, aggressive purification.
 */

-// Default token limits per provider (rough estimates based on model context windows)
-const DEFAULT_LIMITS = {
+import { REGISTRY } from "../config/providerRegistry.ts";
+
+// Default token limits per provider (fallbacks when not in registry)
+const DEFAULT_LIMITS: Record<string, number> = {
  claude: 200000,
  openai: 128000,
  gemini: 1000000,
+  codex: 400000,
  default: 128000,
 };

+// Environment variable overrides (highest priority)
+function getEnvOverride(provider: string): number | null {
+  const envKey = `CONTEXT_LENGTH_${provider.toUpperCase().replace(/[^A-Z0-9]/g, "_")}`;
+  const envValue = process.env[envKey];
+  if (envValue) {
+    const parsed = parseInt(envValue, 10);
+    if (!isNaN(parsed) && parsed > 0) return parsed;
+  }
+  // Global override
+  const globalValue = process.env.CONTEXT_LENGTH_DEFAULT;
+  if (globalValue) {
+    const parsed = parseInt(globalValue, 10);
+    if (!isNaN(parsed) && parsed > 0) return parsed;
+  }
+  return null;
+}
+
 // Rough chars-per-token ratio for quick estimation
 const CHARS_PER_TOKEN = 4;

@@ -27,9 +47,20 @@ export function estimateTokens(text) {

 /**
 * Get token limit for a provider/model combination
+ * Priority: Env override > Registry defaultContextLength > DEFAULT_LIMITS
 */
 export function getTokenLimit(provider, model = null) {
-  // Check if model has a known limit
+  // 1. Check environment variable override first
+  const envOverride = getEnvOverride(provider);
+  if (envOverride) return envOverride;
+
+  // 2. Check registry for provider default
+  const registryEntry = REGISTRY[provider];
+  if (registryEntry?.defaultContextLength) {
+    return registryEntry.defaultContextLength;
+  }
+
+  // 3. Check if model name hints at a known limit
  if (model) {
    const lower = model.toLowerCase();
    if (lower.includes("claude")) return DEFAULT_LIMITS.claude;
@@ -38,10 +69,13 @@ export function getTokenLimit(provider, model = null) {
      lower.includes("gpt") ||
      lower.includes("o1") ||
      lower.includes("o3") ||
-      lower.includes("o4")
+      lower.includes("o4") ||
+      lower.includes("codex")
    )
-      return DEFAULT_LIMITS.openai;
+      return DEFAULT_LIMITS.codex;
  }
+
+  // 4. Fallback to DEFAULT_LIMITS or default
  return DEFAULT_LIMITS[provider] || DEFAULT_LIMITS.default;
 }

@@ -0,0 +1,53 @@
+import { isAccountDeactivated, isCreditsExhausted } from "./accountFallback.ts";
+
+export const PROVIDER_ERROR_TYPES = {
+  RATE_LIMITED: "rate_limited", // 429 — transient, retry with backoff
+  UNAUTHORIZED: "unauthorized", // 401 — token expired, refresh
+  ACCOUNT_DEACTIVATED: "account_deactivated", // 401 + deactivation signal
+  FORBIDDEN: "forbidden", // 403 — account banned/revoked, disable node
+  SERVER_ERROR: "server_error", // 500/502/503 — retry limited
+  QUOTA_EXHAUSTED: "quota_exhausted", // 402/429/400 + billing signals
+};
+
+function responseBodyToString(responseBody: unknown): string {
+  if (typeof responseBody === "string") return responseBody;
+  if (responseBody !== null && typeof responseBody === "object") {
+    try {
+      return JSON.stringify(responseBody);
+    } catch {
+      return "";
+    }
+  }
+  return "";
+}
+
+export function classifyProviderError(statusCode: number, responseBody: unknown): string | null {
+  const bodyStr = responseBodyToString(responseBody);
+  const creditsExhausted = isCreditsExhausted(bodyStr);
+  const accountDeactivated = isAccountDeactivated(bodyStr);
+
+  // T10: credits exhausted is terminal and can appear as 400/402/429 depending on provider.
+  if (
+    creditsExhausted &&
+    (statusCode === 400 || statusCode === 402 || statusCode === 429 || statusCode === 403)
+  ) {
+    return PROVIDER_ERROR_TYPES.QUOTA_EXHAUSTED;
+  }
+
+  if (statusCode === 429) {
+    return PROVIDER_ERROR_TYPES.RATE_LIMITED;
+  }
+
+  // T06: only deactivation-like 401s should be treated as permanent account expiry.
+  if (statusCode === 401) {
+    return accountDeactivated
+      ? PROVIDER_ERROR_TYPES.ACCOUNT_DEACTIVATED
+      : PROVIDER_ERROR_TYPES.UNAUTHORIZED;
+  }
+
+  if (statusCode === 402) return PROVIDER_ERROR_TYPES.QUOTA_EXHAUSTED;
+  if (statusCode === 403) return PROVIDER_ERROR_TYPES.FORBIDDEN;
+  if (statusCode >= 500) return PROVIDER_ERROR_TYPES.SERVER_ERROR;
+
+  return null;
+}
@@ -4,6 +4,8 @@
 * IP-based access control with blacklist, whitelist, priority modes, and temporary bans.
 */

+import { isIP } from "node:net";
+
 // In-memory IP lists
 let _config = {
  enabled: false,
@@ -161,10 +163,10 @@ export function createIPFilterMiddleware() {
 */
 export function checkRequestIP(request) {
  const ip =
-    request.headers?.get?.("x-forwarded-for")?.split(",")[0].trim() ||
-    request.headers?.get?.("x-real-ip") ||
-    request.headers?.get?.("cf-connecting-ip") ||
-    request.ip ||
+    pickFirstValidIp(request.headers?.get?.("cf-connecting-ip")) ||
+    pickFirstValidIp(request.headers?.get?.("x-forwarded-for")) ||
+    pickFirstValidIp(request.headers?.get?.("x-real-ip")) ||
+    normalizeIP(request.ip || "") ||
    "unknown";
  return checkIP(ip);
 }
@@ -177,6 +179,18 @@ function normalizeIP(ip) {
  return ip.replace(/^::ffff:/, "").trim();
 }

+function pickFirstValidIp(rawValue) {
+  if (typeof rawValue !== "string" || rawValue.trim().length === 0) return null;
+  const candidates = rawValue.split(",");
+  for (const candidate of candidates) {
+    const normalized = normalizeIP(candidate);
+    if (normalized && isIP(normalized) !== 0) {
+      return normalized;
+    }
+  }
+  return null;
+}
+
 function matchesAny(ip, ipSet) {
  // Direct match
  if (ipSet.has(ip)) return true;
@@ -225,12 +239,13 @@ function matchesWildcard(ip, pattern) {
 }

 function extractClientIP(req) {
+  const headers = req.headers || {};
  return (
-    req.headers?.["x-forwarded-for"]?.split(",")[0].trim() ||
-    req.headers?.["x-real-ip"] ||
-    req.headers?.["cf-connecting-ip"] ||
-    req.socket?.remoteAddress ||
-    req.ip ||
+    pickFirstValidIp(headers["cf-connecting-ip"]) ||
+    pickFirstValidIp(headers["x-forwarded-for"]) ||
+    pickFirstValidIp(headers["x-real-ip"]) ||
+    pickFirstValidIp(req.socket?.remoteAddress) ||
+    pickFirstValidIp(req.ip) ||
    "unknown"
  );
 }
@@ -242,8 +242,8 @@ export async function getModelInfoCore(modelStr, aliasesOrGetter) {
  // FIX #73: Models like claude-haiku-4-5-20251001 sent without provider prefix
  // would incorrectly route to OpenAI. Use heuristic prefix detection first.
  if (/^claude-/i.test(modelId)) {
-    // Claude models → Antigravity (Anthropic) provider
-    return { provider: "antigravity", model: modelId, extendedContext };
+    // Claude models → Anthropic provider (canonical source for Claude models)
+    return { provider: "anthropic", model: modelId, extendedContext };
  }
  if (/^gemini-/i.test(modelId) || /^gemma-/i.test(modelId)) {
    // Gemini/Gemma models → Gemini provider
@@ -18,6 +18,8 @@ const BUILT_IN_ALIASES: Record<string, string> = {
  "gemini-1.5-flash": "gemini-2.5-flash",
  "gemini-1.0-pro": "gemini-2.5-pro",
  "gemini-2.0-flash": "gemini-2.5-flash",
+  "gemini-3-pro-high": "gemini-3.1-pro-high",
+  "gemini-3-pro-low": "gemini-3.1-pro-low",

  // Claude legacy → current
  "claude-3-opus-20240229": "claude-opus-4-20250514",
@@ -101,6 +101,7 @@ const MODEL_UNAVAILABLE_FRAGMENTS = [
  "does not support",
  "not enabled for",
  "access to model",
+  "improperly formed request", // Kiro 400 (model unavailable)
 ];

 /**
@@ -35,6 +35,27 @@ function buildAnthropicCompatibleUrl(baseUrl) {
  return `${normalized}/messages`;
 }

+// Detect request format from endpoint first when the route is known.
+// This avoids ambiguous bodies like OpenAI /chat/completions requests that also
+// contain max_tokens or Claude model names.
+export function detectFormatFromEndpoint(body, endpointPath = "") {
+  const path = String(endpointPath || "");
+
+  if (/\/responses(?=\/|$)/i.test(path) || /^responses(?=\/|$)/i.test(path)) {
+    return "openai-responses";
+  }
+
+  if (/\/messages(?=\/|$)/i.test(path) || /^messages(?=\/|$)/i.test(path)) {
+    return "claude";
+  }
+
+  if (/\/(?:chat\/completions|completions)(?=\/|$)/i.test(path) || /^(?:chat\/completions|completions)(?=\/|$)/i.test(path)) {
+    return "openai";
+  }
+
+  return detectFormat(body);
+}
+
 // Detect request format from body structure
 export function detectFormat(body) {
  // OpenAI Responses API:
@@ -12,6 +12,7 @@ import Bottleneck from "bottleneck";
 import { parseRetryAfterFromBody, lockModel } from "./accountFallback.ts";
 import { getProviderCategory } from "../config/providerRegistry.ts";
 import { DEFAULT_API_LIMITS } from "../config/constants.ts";
+import { getCodexRateLimitKey } from "../executors/codex.ts";

 interface LearnedLimitEntry {
  provider: string;
@@ -195,8 +196,15 @@ export function isRateLimitEnabled(connectionId) {
 /**
 * Get or create a limiter for a given provider+connection combination
 */
+function getLimiterKey(provider, connectionId, model = null) {
+  if (provider === "codex" && model) {
+    return `${provider}:${getCodexRateLimitKey(connectionId, model)}`;
+  }
+  return `${provider}:${connectionId}`;
+}
+
 function getLimiter(provider, connectionId, model = null) {
-  const key = model ? `${provider}:${connectionId}:${model}` : `${provider}:${connectionId}`;
+  const key = getLimiterKey(provider, connectionId, model);

  if (!limiters.has(key)) {
    const limiter = new Bottleneck({
@@ -235,7 +243,7 @@ export async function withRateLimit(provider, connectionId, model, fn) {
    return fn();
  }

-  const limiter = getLimiter(provider, connectionId, null);
+  const limiter = getLimiter(provider, connectionId, model);
  return limiter.schedule(fn);
 }

@@ -320,7 +328,7 @@ export function updateFromHeaders(provider, connectionId, headers, status, model
  if (!enabledConnections.has(connectionId)) return;
  if (!headers) return;

-  const limiter = getLimiter(provider, connectionId, null);
+  const limiter = getLimiter(provider, connectionId, model);
  const headerMap =
    provider === "claude" || provider === "anthropic" ? ANTHROPIC_HEADERS : STANDARD_HEADERS;

@@ -339,14 +347,19 @@ export function updateFromHeaders(provider, connectionId, headers, status, model
  // Handle 429 — rate limited
  if (status === 429) {
    const retryAfterMs = parseResetTime(retryAfterStr) || 60000; // Default 60s
+    const counts = limiter.counts();
+    const limiterKey = getLimiterKey(provider, connectionId, model);
    console.log(
-      `🚫 [RATE-LIMIT] ${provider}:${connectionId.slice(0, 8)} — 429 received, pausing for ${Math.ceil(retryAfterMs / 1000)}s`
+      `🚫 [RATE-LIMIT] ${provider}:${connectionId.slice(0, 8)} — 429 received, pausing for ${Math.ceil(retryAfterMs / 1000)}s, dropping ${counts.QUEUED} queued request(s)`
    );

-    limiter.updateSettings({
-      reservoir: 0,
-      reservoirRefreshAmount: limit || 60,
-      reservoirRefreshInterval: retryAfterMs,
+    // Stop the limiter and drop all waiting jobs so they fail immediately
+    // instead of hanging in the queue until reservoir refreshes (which can
+    // be hours for providers like Codex with long rate limit windows).
+    // This lets upstream callers (e.g. LiteLLM) trigger fallback to other providers.
+    // After stop, delete from Map so getLimiter() creates a fresh instance.
+    limiter.stop({ dropWaitingJobs: true }).finally(() => {
+      limiters.delete(limiterKey);
    });
    return;
  }
@@ -392,7 +405,12 @@ export function updateFromHeaders(provider, connectionId, headers, status, model
    limiter.updateSettings(updates);

    // Persist learned limits (debounced)
-    recordLearnedLimit(provider, connectionId, { limit, remaining, minTime: updates.minTime });
+    recordLearnedLimit(
+      provider,
+      connectionId,
+      { limit, remaining, minTime: updates.minTime },
+      model
+    );
  }
 }

@@ -454,9 +472,10 @@ export function getLearnedLimits() {
 function recordLearnedLimit(
  provider: string,
  connectionId: string,
-  limits: Partial<Omit<LearnedLimitEntry, "provider" | "connectionId" | "lastUpdated">>
+  limits: Partial<Omit<LearnedLimitEntry, "provider" | "connectionId" | "lastUpdated">>,
+  model: string | null = null
 ) {
-  const key = `${provider}:${connectionId}`;
+  const key = getLimiterKey(provider, connectionId, model);
  learnedLimits[key] = {
    ...limits,
    provider,
@@ -76,26 +76,35 @@ function supportsSystemRole(provider: string, model: string): boolean {
 }

 /**
- * Normalize the `developer` role to `system` for non-OpenAI providers.
- * OpenAI introduced `developer` as a replacement for `system` in newer models,
- * but most other providers still expect `system`.
+ * Normalize the `developer` role to `system` when the upstream does not support it.
+ * OpenAI Responses API sends `developer`; MiniMax and most OpenAI-compatible gateways
+ * only accept system/user/assistant/tool and return "role param error" otherwise.
+ *
+ * Logic:
+ * - When targetFormat !== "openai": always convert developer → system (Claude, Gemini, etc.).
+ * - When targetFormat === "openai": convert only when preserveDeveloperRole === false.
+ *   This covers OpenAI-compatible providers (MiniMax, etc.) that use targetFormat "openai"
+ *   but do not accept the developer role; the per-model preserveDeveloperRole flag is set
+ *   via the dashboard "Compatibility" toggle ("Do not preserve developer role").
+ * - When targetFormat === "openai" && preserveDeveloperRole !== false: keep developer (e.g. official OpenAI).
 *
 * @param messages - Array of messages
 * @param targetFormat - The target format (e.g., "openai", "claude", "gemini")
- * @returns Modified messages array
+ * @param preserveDeveloperRole - For targetFormat openai: undefined/true = keep developer (legacy default); false = map to system (MiniMax and other OpenAI-compatible gateways that reject developer)
 */
 export function normalizeDeveloperRole(
  messages: NormalizedMessage[] | unknown,
-  targetFormat: string
+  targetFormat: string,
+  preserveDeveloperRole?: boolean
 ): NormalizedMessage[] | unknown {
  if (!Array.isArray(messages)) return messages;

-  // For OpenAI format, keep developer role as-is (it's valid)
-  // For all other formats, convert developer → system
-  if (targetFormat === "openai") return messages;
+  if (targetFormat === "openai" && preserveDeveloperRole !== false) return messages;

  return messages.map((msg: NormalizedMessage) => {
-    if (msg.role === "developer") {
+    if (!msg || typeof msg !== "object") return msg;
+    const role = typeof msg.role === "string" ? msg.role : "";
+    if (role.toLowerCase() === "developer") {
      return { ...msg, role: "system" };
    }
    return msg;
@@ -169,25 +178,25 @@ export function normalizeSystemRole(
 /**
 * Full role normalization pipeline.
 * Call this before sending the request to the provider.
+ * Applies developer→system (when needed) then system→user for providers/models that do not support system role.
 *
- * @param messages - Array of messages
- * @param provider - Provider name/id
- * @param model - Model name
- * @param targetFormat - Target API format
- * @returns Normalized messages array
+ * @param messages - Array of messages to normalize (or non-array, returned as-is)
+ * @param provider - Provider id for capability lookup (e.g. system role support)
+ * @param model - Model id for capability lookup
+ * @param targetFormat - Target request format (e.g. "openai", "claude", "gemini"); see {@link normalizeDeveloperRole}
+ * @param preserveDeveloperRole - Optional; see {@link normalizeDeveloperRole}. When false, developer role is mapped to system.
+ * @returns Normalized messages array, or the original value if messages is not an array
 */
 export function normalizeRoles(
  messages: NormalizedMessage[] | unknown,
  provider: string,
  model: string,
-  targetFormat: string
+  targetFormat: string,
+  preserveDeveloperRole?: boolean
 ): NormalizedMessage[] | unknown {
  if (!Array.isArray(messages)) return messages;

-  // Step 1: Normalize developer → system (for non-OpenAI formats)
-  let result = normalizeDeveloperRole(messages, targetFormat);
-
-  // Step 2: Normalize system → user (for providers that don't support system role)
+  let result = normalizeDeveloperRole(messages, targetFormat, preserveDeveloperRole);
  result = normalizeSystemRole(result, provider, model);

  return result;
--- a/Show More
+++ b/Show More