Merge pull request #1033 from diegosouzapw/release/v3.5.3

chore(release): v3.5.3 — Core Resilience, i18n Sync & Preflight Enhancements
chore(release): v3.5.3 — finalize changelog for deployment
2026-04-07 12:52:08 -03:00 · 2026-04-07 12:46:52 -03:00 · 2026-04-07 12:15:04 -03:00 · 2026-04-07 12:14:34 -03:00 · 2026-04-07 11:53:49 -03:00 · 2026-04-07 11:10:57 -03:00
1681 changed files with 359931 additions and 217013 deletions
@@ -0,0 +1,49 @@
+---
+description: Automatically run the browser_subagent to visually validate all new UI features from the current release and capture evidence WebP recordings of the changes.
+---
+
+# Capture Release Evidences Workflow
+
+Use this workflow to automatically drive the `browser_subagent` to explore the newly deployed or locally running application and record evidence of the UI changes introduced in the latest release.
+
+## Prerequisites
+
+- OmniRoute must be actively running and accessible (e.g. locally at `http://localhost:20128` or on the Local VPS at `http://192.168.0.15:20128`).
+- The user must provide the target URL to be tested, or default to `http://192.168.0.15:20128`.
+
+## Workflow Steps
+
+### 1. Identify Target Features
+
+Review the `CHANGELOG.md` for the latest version to map out the new UI elements. For example:
+
+- **CLI Tools Settings**
+- **New Provider/Model Listings (e.g., Gemini 3.1, Qoder PAT)**
+- **New Feature Modals**
+
+### 2. Run the Browser Subagent
+
+For each identified feature, invoke the `browser_subagent` using the `default_api:browser_subagent` tool.
+**Important Task Guidelines for the Subagent:**
+
+- `TaskName`: Give it a clear name like "Validate CLIProxyAPI Tool Tab".
+- `TaskSummary`: "Navigate to the CLI Tools tab and verify the new Integration settings."
+- `Task`: Provide unambiguous instructions for the subagent, such as: "Navigate to http://192.168.0.15:20128/dashboard. Click on the 'Settings' or 'CLI Tools' nav link. Scroll down to find the CLIProxyAPI integration card. Hover over it to trigger UI state. Verify the components render correctly and exit."
+- `RecordingName`: Ensure it describes the feature (e.g. `v3_4_5_cli_proxy_api`). This is required and strictly automatically saved as a WebP artifacts video by the system.
+
+_(Note: The `browser_subagent` automatically creates a WebP recording named by the `RecordingName` parameter. No additional tools for screenshots are needed.)_
+
+### 3. Generate Report Artifact
+
+After the `browser_subagent` finishes its sessions, generate a final Markdown artifact (using `write_to_file` and `IsArtifact=true`) to present the recordings inline to the user using the `![caption](/absolute/path/to/media.webp)` syntax.
+
+### Example Invocation
+
+\```json
+{
+"TaskName": "Validating Qoder PAT Configuration UI",
+"TaskSummary": "Validates the Qoder provider configuration modal",
+"Task": "Go to http://192.168.0.15:20128/dashboard. Click on the 'Providers' tab. Find 'Qoder' in the list. Click 'Add Token' or 'Configure'. Type 'test_token' and submit. Return when done.",
+"RecordingName": "qoder_pat_ui_validation"
+}
+\```
@@ -17,7 +17,7 @@ Deploy OmniRoute to the Akamai VPS using `npm pack + scp` + PM2.
 // turbo

 ```bash
-cd /home/diegosouzapw/dev/proxys/9router && npm run build:cli && npm pack --ignore-scripts
+cd /home/diegosouzapw/dev/proxys/9router && rm -f omniroute-*.tgz && rm -rf .next/cache app/.next/cache && npm run build:cli && rm -rf app/logs app/coverage app/.git app/.app-build-backup* && npm pack --ignore-scripts
 ```

 ### 2. Copy to Akamai VPS and install
@@ -22,7 +22,7 @@ Deploy OmniRoute to the production VPSs using `npm pack + scp` + PM2.
 // turbo

 ```bash
-cd /home/diegosouzapw/dev/proxys/9router && npm run build:cli && npm pack --ignore-scripts
+cd /home/diegosouzapw/dev/proxys/9router && rm -f omniroute-*.tgz && rm -rf .next/cache app/.next/cache && npm run build:cli && rm -rf app/logs app/coverage app/.git app/.app-build-backup* && npm pack --ignore-scripts
 ```

 ### 2. Copy to both VPS and install
@@ -17,7 +17,7 @@ Deploy OmniRoute to the Local VPS using `npm pack + scp` + PM2.
 // turbo

 ```bash
-cd /home/diegosouzapw/dev/proxys/9router && npm run build:cli && npm pack --ignore-scripts
+cd /home/diegosouzapw/dev/proxys/9router && rm -f omniroute-*.tgz && rm -rf .next/cache app/.next/cache && npm run build:cli && rm -rf app/logs app/coverage app/.git app/.app-build-backup* && npm pack --ignore-scripts
 ```

 ### 2. Copy to Local VPS and install
@@ -11,6 +11,8 @@ Bump version, finalize CHANGELOG, commit, open a **PR to main** and wait for use
 > Always use: `npm version patch --no-git-tag-version`
 > The threshold rule: when `y` reaches 10, bump to `2.(x+1).0` — e.g. `2.1.10` → `2.2.0`.

+> **🔴 SINGLE BRANCH RULE**: The `release/vX.Y.Z` branch is the **ONLY** development branch for the entire release cycle. ALL work — bug fixes, feature implementations, PR integrations, issue resolutions — MUST be committed directly on this branch. Never create separate `fix/`, `feat/`, or topic branches. When running `/resolve-issues`, `/implement-features`, or `/review-prs`, always work on the current release branch.
+
 ---

 ## ⚠️ Two-Phase Flow
@@ -25,6 +27,23 @@ Phase 2 (post-merge): tag → publish → GitHub release → Docker → deploy

 ---

+## Phase 0: Security Verification (MANDATORY)
+
+Before creating the release, you must ensure the codebase and supply chain are secure and free of known vulnerabilities.
+
+1. **Run Local Dependencies Audit:**
+
+   ```bash
+   npm audit
+   ```
+
+   _Fix any `high` or `critical` vulnerabilities identified._
+
+2. **Check GitHub CodeQL & Dependabot Alerts:**
+   Navigate to the repository's **Security** tab on GitHub, or use the project's `vulnerability-scanner` skill to analyze active alerts. Ensure all static analysis findings (e.g., prototype pollution, insecure randomness, ReDoS, shell injections) are addressed and logically committed on a target branch.
+
+---
+
 ## Phase 1: Pre-Merge

 ### 1. Create release branch
@@ -176,24 +195,17 @@ Inform the user:

 > Run these steps only AFTER the user has merged the PR.

-### 11. Pull main and create tag
+### 11. Create Git Tag and GitHub Release (MANDATORY)
+
+// turbo

 ```bash
 git checkout main
 git pull origin main
-git tag -a v2.x.y -m "Release v2.x.y"
-```
-
-### 12. Push tag to GitHub
-
-```bash
+VERSION=$(node -p "require('./package.json').version")
+git tag -a "v$VERSION" -m "Release v$VERSION"
 git push origin --tags
-```
-
-### 13. Create GitHub release
-
-```bash
-gh release create v2.x.y --title "v2.x.y — summary" --notes "..."
+gh release create "v$VERSION" --title "v$VERSION" --notes "OmniRoute v$VERSION Release" --target main
 ```

 ### 14. 🐳 Trigger Docker Hub build (MANDATORY — keep npm and Docker in sync)
@@ -226,15 +238,15 @@ gh workflow run docker-publish.yml --repo diegosouzapw/OmniRoute --ref v2.x.y

 ```bash
 # Build and pack locally
-cd /home/diegosouzapw/dev/proxys/9router && npm run build:cli && npm pack --ignore-scripts
+cd /home/diegosouzapw/dev/proxys/9router && rm -f omniroute-*.tgz && rm -rf .next/cache app/.next/cache && npm run build:cli && rm -rf app/logs app/coverage app/.git app/.app-build-backup* && npm pack --ignore-scripts

 # Deploy to LOCAL VPS (192.168.0.15)
 scp omniroute-*.tgz root@192.168.0.15:/tmp/
-ssh root@192.168.0.15 "npm install -g /tmp/omniroute-*.tgz --ignore-scripts && pm2 restart omniroute && pm2 save"
+ssh root@192.168.0.15 "npm install -g /tmp/omniroute-*.tgz --ignore-scripts && cd /usr/lib/node_modules/omniroute/app && npm rebuild better-sqlite3 && pm2 delete omniroute 2>/dev/null; pm2 start /root/.omniroute/ecosystem.config.cjs --update-env && pm2 save && echo '✅ Local done'"

 # Deploy to AKAMAI VPS (69.164.221.35)
 scp omniroute-*.tgz root@69.164.221.35:/tmp/
-ssh root@69.164.221.35 "npm install -g /tmp/omniroute-*.tgz --ignore-scripts && pm2 restart omniroute && pm2 save"
+ssh root@69.164.221.35 "npm install -g /tmp/omniroute-*.tgz --ignore-scripts && cd /usr/lib/node_modules/omniroute/app && npm rebuild better-sqlite3 && pm2 delete omniroute 2>/dev/null; pm2 start /root/.omniroute/ecosystem.config.cjs --update-env && pm2 save && echo '✅ Akamai done'"

 # Verify both
 curl -s -o /dev/null -w "LOCAL:  HTTP %{http_code}\n" http://192.168.0.15:20128/
@@ -6,7 +6,9 @@ description: Analyze open feature request issues, implement viable ones on dedic

 ## Overview

-Fetches open feature request issues, analyzes each against the current codebase, implements viable ones on dedicated branches, and responds to authors with results. Does NOT merge to main — leaves branches for author validation.
+Fetches open feature request issues, analyzes each against the current codebase, implements viable ones **on the current release branch** (`release/vX.Y.Z`), and responds to authors with results. Does NOT merge to main — the release branch is later merged via PR.
+
+> **BRANCH RULE**: All work MUST happen on the current `release/vX.Y.Z` branch. Never create separate `feat/` branches. If no release branch exists yet, create one first using `/generate-release` Phase 1 steps 1–5.

 ## Steps

@@ -16,15 +18,48 @@ Fetches open feature request issues, analyzes each against the current codebase,

 - Run: `git -C <project_root> remote get-url origin` to extract owner/repo

-### 2. Fetch Open Feature Request Issues
+### 2. Ensure Release Branch Exists

 // turbo

- Run: `gh issue list --repo <owner>/<repo> --state open --limit 50 --json number,title,labels,body,comments,createdAt,author`
- Filter for issues that are feature requests (label `enhancement`/`feature`, or body describes new functionality, or previously classified as feature request)
- Sort by oldest first
+Before doing any work, ensure you are on the current release branch:

-### 3. Analyze Each Feature Request
+```bash
+# Check current branch
+git branch --show-current
+
+# If on main, determine next version and create the release branch
+VERSION=$(node -p "require('./package.json').version")
+NEXT=$(node -p "const [a,b,c]=('$VERSION').split('.').map(Number); c>=9?a+'.'+(b+1)+'.0':a+'.'+b+'.'+(c+1)")
+git checkout -b release/v$NEXT
+npm version patch --no-git-tag-version
+npm install
+```
+
+If already on a `release/vX.Y.Z` branch, continue working there.
+
+### 3. Fetch Open Feature Request Issues
+
+// turbo-all
+
+**⚠️ CRITICAL**: The JSON output of `gh issue list` can be truncated by the tool, silently hiding issues and their comments. You MUST use the two-step approach below to guarantee **all** feature requests and their full conversations are fetched.
+
+**Step 3a — Get Issue numbers only** (small output, never truncated):
+
+- Run: `gh issue list --repo <owner>/<repo> --state open --labels "enhancement" --limit 500 --json number --jq '.[].number'`
+- (Also run the same for `--labels "feature"` if they are separated, or filter all open issues if labels are not strictly used).
+- This outputs one issue number per line. Count them and confirm total.
+
+**Step 3b — Fetch full metadata & conversations for each Issue** (one call per issue):
+
+- For each issue number from step 3a, run:
+  `gh issue view <NUMBER> --repo <owner>/<repo> --json number,title,labels,body,comments,createdAt,author`
+- Read not just the body, but **ALL comments (`comments` array)** completely to understand the full context, agreements, and restrictions discussed by the community.
+- You may batch these into parallel calls (up to 4 at a time).
+- Filter for issues that are feature requests (if not already filtered by label).
+- Sort by oldest first.
+
+### 4. Analyze Each Feature Request

 For each feature request issue, perform a **two-level analysis**:

@@ -46,21 +81,16 @@ Ask yourself:

 #### Level 2 — Implementation (only for VIABLE features)

+> **⚠️ ALL implementation happens on the release branch.**
+
 1. **Research** — Read all related source files to understand the current architecture
 2. **Design** — Plan the implementation, filling gaps in the original request
-3. **Create branch** — Name format: `feat/issue-<NUMBER>-<short-slug>`
-   ```bash
-   git checkout main
-   git pull origin main
-   git checkout -b feat/issue-<NUMBER>-<short-slug>
-   ```
-4. **Implement** — Build the complete solution following project patterns
-5. **Build** — Run `npm run build` to verify compilation
-6. **Commit** — Commit with: `feat: <description> (#<NUMBER>)`
-7. **Push** — Push the branch: `git push -u origin feat/issue-<NUMBER>-<short-slug>`
-8. **Return to main** — `git checkout main`
+3. **Implement** — Build the complete solution following project patterns, **on the release branch**
+4. **Build** — Run `npm run build` to verify compilation
+5. **Commit** — Commit with: `feat: <description> (#<NUMBER>)`
+6. **Continue** — Move to the next feature (do not switch branches)

-### 4. Respond to Authors
+### 5. Respond to Authors

 #### For VIABLE (implemented) features:

@@ -70,9 +100,9 @@ Post a comment on the issue:
 ````markdown
 ## ✅ Feature Implemented!

-Hi @<author>! We've analyzed your request and implemented it on a dedicated branch.
+Hi @<author>! We've analyzed your request and implemented it.

-**Branch:** `feat/issue-<NUMBER>-<short-slug>`
+**Branch:** `release/vX.Y.Z` (upcoming release)

 ### What was implemented:

@@ -82,31 +112,24 @@ Hi @<author>! We've analyzed your request and implemented it on a dedicated bran

 ```bash
 git fetch origin
-git checkout feat/issue-<NUMBER>-<short-slug>
+git checkout release/vX.Y.Z
 npm install && npm run dev
 ```
-````

 ### Next steps:

 1. **Test it** — Please verify it works as you expected
-2. **Want to improve it?** — You're welcome to contribute! Just:
-   ```bash
-   git checkout feat/issue-<NUMBER>-<short-slug>
-   # Make your improvements
-   git add -A && git commit -m "improve: <your changes>"
-   git push origin feat/issue-<NUMBER>-<short-slug>
-   ```
-   Then open a Pull Request from your branch to `main` 🎉
+2. **Want to improve it?** — Feel free to open a follow-up PR targeting `release/vX.Y.Z`
 3. **Not quite right?** — Let us know in this issue what needs to change

-Looking forward to your feedback! 🚀
-
-```
+This will be included in the next release. Looking forward to your feedback! 🚀
+````

 #### For NEEDS MORE INFO:
+
 // turbo
 Post a comment asking for specific missing details needed to implement, e.g.:
+
 - "Could you describe the exact behavior when X happens?"
 - "Which API endpoints should be affected?"
 - "Should this apply to all providers or only specific ones?"
@@ -114,18 +137,28 @@ Post a comment asking for specific missing details needed to implement, e.g.:
 Add the context of WHY you need each piece of information.

 #### For NOT VIABLE:
+
 // turbo
 Post a polite comment explaining why the feature doesn't fit at this time:
+
 - If the idea is decent but timing is wrong: "This is an interesting idea, but it doesn't align with our current priorities. Feel free to open a new issue with more details if you'd like us to reconsider."
 - If fundamentally flawed: Explain the technical or architectural reasons why it won't work, suggest alternatives if possible.
 - Close the issue after posting the comment.

-### 5. Summary Report
+### 6. Finalize & Push
+
+After implementing all viable features:
+
+1. **Update CHANGELOG.md** on the release branch with all new feature entries
+2. Push the release branch: `git push origin release/vX.Y.Z`
+3. Run `/generate-release` workflow Phase 1 steps 7–10 (tests → commit → push → open PR to main → wait for user)
+
+### 7. Summary Report
+
 Present a summary report to the user via `notify_user`:

-| Issue | Title | Verdict | Branch / Action |
-|---|---|---|---|
-| #N | Title | ✅ Implemented | `feat/issue-N-slug` |
-| #N | Title | ❓ Needs Info | Comment posted |
-| #N | Title | ❌ Not Viable | Closed with explanation |
-```
+| Issue | Title | Verdict        | Action                  |
+| ----- | ----- | -------------- | ----------------------- |
+| #N    | Title | ✅ Implemented | Committed on release/vX |
+| #N    | Title | ❓ Needs Info  | Comment posted          |
+| #N    | Title | ❌ Not Viable  | Closed with explanation |
@@ -6,7 +6,9 @@ description: Fetch all open GitHub issues, analyze bugs, resolve what's possible

 ## Overview

-This workflow fetches all open issues from the project's GitHub repository, classifies them, analyzes bugs, resolves what can be fixed, and triages issues with insufficient information. **It does NOT merge or release automatically** — it creates a PR and waits for user validation before merging.
+This workflow fetches all open issues from the project's GitHub repository, classifies them, analyzes bugs, resolves what can be fixed, and triages issues with insufficient information. **All fixes are committed on the current release branch** (`release/vX.Y.Z`). It does NOT merge or release automatically — the release branch is later merged via PR to main.
+
+> **BRANCH RULE**: All work MUST happen on the current `release/vX.Y.Z` branch. Never create separate `fix/` branches. If no release branch exists yet, create one first using `/generate-release` Phase 1 steps 1–5.

 ## Steps

@@ -17,25 +19,45 @@ This workflow fetches all open issues from the project's GitHub repository, clas
 - Run: `git -C <project_root> remote get-url origin` to extract the owner/repo
 - Parse the owner and repo name from the URL

-### 2. Fetch All Open Issues
+### 2. Ensure Release Branch Exists
+
+// turbo
+
+Before doing any work, ensure you are on the current release branch:
+
+```bash
+# Check current branch
+git branch --show-current
+
+# If on main, determine next version and create the release branch
+VERSION=$(node -p "require('./package.json').version")
+NEXT=$(node -p "const [a,b,c]=('$VERSION').split('.').map(Number); c>=9?a+'.'+(b+1)+'.0':a+'.'+b+'.'+(c+1)")
+git checkout -b release/v$NEXT
+npm version patch --no-git-tag-version
+npm install
+```
+
+If already on a `release/vX.Y.Z` branch, continue working there.
+
+### 3. Fetch All Open Issues

 // turbo-all

 **⚠️ CRITICAL**: The JSON output of `gh issue list` can be truncated by the tool, silently hiding issues. You MUST use the two-step approach below to guarantee **all** issues are fetched.

-**Step 2a — Get Issue numbers only** (small output, never truncated):
+**Step 3a — Get Issue numbers only** (small output, never truncated):

 - Run: `gh issue list --repo <owner>/<repo> --state open --limit 500 --json number --jq '.[].number'`
 - This outputs one issue number per line. Count them and confirm total.

-**Step 2b — Fetch full metadata for each Issue** (one call per issue):
+**Step 3b — Fetch full metadata for each Issue** (one call per issue):

- For each issue number from step 2a, run:
+- For each issue number from step 3a, run:
  `gh issue view <NUMBER> --repo <owner>/<repo> --json number,title,labels,body,comments,createdAt,author`
 - You may batch these into parallel calls (up to 4 at a time).
 - Sort by oldest first (FIFO).

-### 3. Classify Each Issue
+### 4. Classify Each Issue

 For each issue, determine its type:

@@ -46,85 +68,111 @@ For each issue, determine its type:

 Focus ONLY on **Bugs** for resolution. Feature requests and questions should be skipped with a note in the final report.

-### 4. Analyze Each Bug — For each bug issue:
+### 5. Deep-Read Each Bug Issue (One-by-One Analysis)

-#### 4a. Check Information Sufficiency
+**IMPORTANT**: Read each bug issue thoroughly, one at a time, before moving to the next. This is NOT a batch process — each issue needs focused attention.

-Verify the issue contains enough information to reproduce and fix:
+#### 5a. Understand the Problem
+
+For each bug issue, perform the full analysis:
+
+1. **Read the entire body** — including Description, Steps to Reproduce, Expected/Actual Behavior, Error Logs, and Screenshots
+2. **Read ALL comments** — including bot triage comments (Kilo, etc.) and owner/community responses. Pay attention to:
+   - Whether someone already responded with a fix
+   - Whether a community member confirmed the issue is resolved
+   - Whether the issue was marked as duplicate by a bot
+3. **Identify the claimed error** — extract the exact error message, status code, and provider/model involved
+
+#### 5b. Check Information Sufficiency
+
+Verify the issue contains enough to act on:

 - [ ] Clear description of the problem
- [ ] Steps to reproduce
- [ ] Error messages or logs
+- [ ] Steps to reproduce OR error logs
+- [ ] Provider/model/version information
 - [ ] Expected vs actual behavior

-#### 4b. If Information Is INSUFFICIENT
+#### 5c. Determine Issue Disposition

-Call the `/issue-triage` workflow (located at `~/.gemini/antigravity/global_workflows/issue-triage.md`):
-// turbo
+For each bug, classify into one of 5 actions:

- Post a comment asking for more details using `gh issue comment`
- Add `needs-info` label using `gh issue edit`
- Mark this issue as **DEFERRED** and move to the next one
+| Disposition                  | When to Apply                                                                               | Action                                              |
+| ---------------------------- | ------------------------------------------------------------------------------------------- | --------------------------------------------------- |
+| **✅ CLOSE — Already Fixed** | Owner responded with fix + no user follow-up, OR community confirmed fix                    | Close with comment citing which version fixed it    |
+| **✅ CLOSE — Duplicate**     | Bot flagged >85% similarity + user provides no new info                                     | Close referencing the original issue                |
+| **📝 RESPOND — Needs Info**  | Issue is real but missing critical reproduction details                                     | Comment asking for specifics per `/issue-triage`    |
+| **📝 RESPOND — User Config** | Error is caused by unsupported env (Node version, wrong model path, missing API enablement) | Comment explaining the user-side fix                |
+| **🔧 FIX — Code Change**     | Root cause is confirmed in the codebase                                                     | Research, implement, test, commit on release branch |

-#### 4c. If Information Is SUFFICIENT
+#### 5d. For "FIX — Code Change" Issues

-Proceed with resolution:
+Before coding, perform deep source analysis:

-1. **Create a fix branch** — `git checkout -b fix/issue-<NUMBER>-<short-description>`
-2. **Research** — Search the codebase for files related to the issue
-3. **Root Cause** — Identify the root cause by reading the relevant source files
-4. **Implement Fix** — Apply the fix following existing code patterns and conventions
-5. **Test** — Build the project and run tests to verify the fix
-6. **Commit** — Commit with message format: `fix: <description> (#<issue_number>)`
+1. **Search the codebase** — `grep_search` for error strings, relevant function names, affected files
+2. **Search the web** — for upstream API changes, SDK updates, or breaking changes that explain the bug
+3. **Read the full source file** — don't rely on grep snippets; understand the surrounding logic
+4. **Verify the root cause** — confirm the bug is reproducible based on the code, not just a user misconfiguration
+5. **Implement the fix** — follow existing code patterns and conventions
+6. **Run tests** — `node --import tsx/esm --test tests/unit/*.test.mjs` (must pass 100%)
+7. **Commit** — `fix: <description> (#<issue_number>)`

-### 5. Generate Report & Wait for Validation
+#### 5e. For "RESPOND" Issues
+
+Post a substantive comment that:
+
+- Acknowledges the specific error they reported
+- Explains the likely root cause
+- Provides concrete steps to resolve (version upgrade, env var fix, model path correction)
+- Asks for follow-up info if needed
+
+**Do NOT post generic template responses.** Every comment should reference the user's specific error messages and environment.
+
+### 6. Generate Report & Wait for Validation

 Present a summary report to the user via `notify_user` with `BlockedOnUser: true`:

-| Issue | Title | Status        | Action                        |
-| ----- | ----- | ------------- | ----------------------------- |
-| #N    | Title | ✅ Ready      | Files changed (not committed) |
-| #N    | Title | ❓ Needs Info | Triage comment posted         |
-| #N    | Title | ⏭️ Skipped    | Feature request / not a bug   |
+| Issue | Title | Status        | Action                      |
+| ----- | ----- | ------------- | --------------------------- |
+| #N    | Title | ✅ Closed     | Already fixed / duplicate   |
+| #N    | Title | 🔧 Fixed      | Code fix applied            |
+| #N    | Title | 📝 Responded  | Guidance comment posted     |
+| #N    | Title | ❓ Needs Info | Triage comment posted       |
+| #N    | Title | ⏭️ Skipped    | Feature request / not a bug |

-> **⚠️ IMPORTANT**: Do NOT commit, close issues, or generate releases at this step.
+> **⚠️ IMPORTANT**: Do NOT merge or generate releases at this step.
 > Wait for the user to review the changes and respond with **OK** before proceeding.

- If the user says **OK** or approves → Proceed to step 6
+- If the user says **OK** or approves → Proceed to step 7
 - If the user requests changes → Apply the requested adjustments first, then present the report again
 - If the user rejects → Revert the changes and stop

-### 6. Commit & Push Fix Branch (only after user approval)
+### 7. Commit & Push (only after user approval)

 After the user validates:

- Commit each fix individually with message format: `fix: <description> (#<issue_number>)`
- Push the fix branch: `git push origin fix/issue-<NUMBER>-<short-description>`
- Create a PR: `gh pr create --title "fix: <description> (#<issue_number>)" --body "<details>" --base main`
+- Commit each fix individually on the release branch with message format: `fix: <description> (#<issue_number>)`
+- Push the release branch: `git push origin release/vX.Y.Z`
+- **Update CHANGELOG.md** with all new bug fix entries

-### 7. 🛑 WAIT — Notify User & Await PR Verification
+### 8. 🛑 WAIT — Notify User & Await Verification

 **This is a mandatory stop point.** Use `notify_user` with `BlockedOnUser: true`:

- Inform the user that the PR was created and is **awaiting their verification**
- Include the PR number, URL, and a summary of what was changed
+- Inform the user that fixes have been **committed and pushed to the release branch**
+- Include summary of fixes, test status, and files changed
 - **DO NOT merge, close issues, generate releases, or deploy until the user confirms**

 Wait for the user to respond:

- **User confirms** → Proceed to step 8
+- **User confirms** → Proceed to step 9
 - **User requests changes** → Apply changes, push to the same branch, notify again
- **User rejects** → Close the PR and stop
+- **User rejects** → Revert and stop

-### 8. Merge, Close Issues & Release (only after user confirms PR)
+### 9. Close Issues & Finalize (only after user confirms)

-After the user confirms the PR:
+After the user confirms:

-1. **Merge** the PR: `gh pr merge <NUMBER> --merge --repo <owner>/<repo>` or via local merge
-2. **Close** resolved issues with a comment: `gh issue close <NUMBER> --repo <owner>/<repo> --comment "Fixed in <commit_hash>. The fix will be included in the next release."`
-3. **Switch to main**: `git checkout main && git pull`
-4. Run the `/update-docs` workflow (at `~/.gemini/antigravity/global_workflows/update-docs.md`) to update CHANGELOG and README
-5. Run the `/generate-release` workflow (at `.agents/workflows/generate-release.md`) to bump version, tag, and publish
-6. Deploy to local VPS: `ssh root@192.168.0.15 "npm install -g omniroute@<VERSION> && pm2 restart omniroute"`
+1. **Close** resolved issues with a comment: `gh issue close <NUMBER> --repo <owner>/<repo> --comment "Fixed in release/vX.Y.Z. The fix will be included in the next release."`
+2. Run `/generate-release` workflow Phase 1 steps 7–10 (tests → commit → push → open PR to main → wait for user)

 If NO fixes were committed, skip this step and just present the report.
@@ -6,7 +6,9 @@ description: Analyze open Pull Requests from the project's GitHub repository, ge

 ## Overview

-This workflow fetches all open PRs from the project's GitHub repository, performs a critical analysis of each one, generates a detailed report, and waits for user approval before proceeding with implementation. **All improvements are committed on top of the PR branch** and the user must verify before merge.
+This workflow fetches all open PRs from the project's GitHub repository, performs a critical analysis of each one, generates a detailed report, and waits for user approval before proceeding with implementation. **All improvements are committed on the current release branch** (`release/vX.Y.Z`).
+
+> **BRANCH RULE**: All work MUST happen on the current `release/vX.Y.Z` branch. Never create separate feature or fix branches. If no release branch exists yet, create one first using `/generate-release` Phase 1 steps 1–5.

 ## Steps

@@ -16,24 +18,45 @@ This workflow fetches all open PRs from the project's GitHub repository, perform
  // turbo
 - Run: `git -C <project_root> remote get-url origin` to extract the owner/repo

-### 2. Fetch Open Pull Requests
+### 2. Ensure Release Branch Exists
+
+// turbo
+
+Before doing any work, ensure you are on the current release branch:
+
+```bash
+# Check current branch
+git branch --show-current
+
+# If on main, determine next version and create the release branch
+VERSION=$(node -p "require('./package.json').version")
+# Bump patch: e.g. 3.3.11 → 3.3.12
+NEXT=$(node -p "const [a,b,c]=('$VERSION').split('.').map(Number); c>=9?a+'.'+(b+1)+'.0':a+'.'+b+'.'+(c+1)")
+git checkout -b release/v$NEXT
+npm version patch --no-git-tag-version
+npm install
+```
+
+If already on a `release/vX.Y.Z` branch, continue working there.
+
+### 3. Fetch Open Pull Requests

 // turbo-all

 **⚠️ CRITICAL**: The JSON output of `gh pr list` can be truncated by the tool, silently hiding PRs. You MUST use the two-step approach below to guarantee **all** PRs are fetched.

-**Step 2a — Get PR numbers only** (small output, never truncated):
+**Step 3a — Get PR numbers only** (small output, never truncated):

 - Run: `gh pr list --repo <owner>/<repo> --state open --limit 500 --json number --jq '.[].number'`
 - This outputs one PR number per line. Count them and confirm total.

-**Step 2b — Fetch full metadata for each PR** (one call per PR):
+**Step 3b — Fetch full metadata for each PR** (one call per PR):

- For each PR number from step 2a, run:
+- For each PR number from step 3a, run:
  `gh pr view <NUMBER> --repo <owner>/<repo> --json number,title,author,headRefName,body,createdAt,additions,deletions,files`
 - You may batch these into parallel calls (up to 4 at a time).

-**Step 2c — Fetch diffs for each PR** (one call per PR, saved to /tmp):
+**Step 3c — Fetch diffs for each PR** (one call per PR, saved to /tmp):

 - For each PR number, run:
  `gh pr diff <NUMBER> --repo <owner>/<repo> > /tmp/pr<NUMBER>.diff`
@@ -45,44 +68,44 @@ This workflow fetches all open PRs from the project's GitHub repository, perform
  - Files changed (diff)
  - Existing review comments (from bots or humans)

-**Verification**: Confirm the count of PRs analyzed matches the count from step 2a before proceeding.
+**Verification**: Confirm the count of PRs analyzed matches the count from step 3a before proceeding.

-### 3. Analyze Each PR — For each open PR, perform the following analysis:
+### 4. Analyze Each PR — For each open PR, perform the following analysis:

-#### 3a. Feature Assessment
+#### 4a. Feature Assessment

 - **Does it make sense?** Evaluate if the feature fills a real gap or solves a valid problem
 - **Alignment** — Check if it aligns with the project's architecture and roadmap
 - **Complexity** — Assess if the scope is reasonable or if it should be split

-#### 3b. Code Quality Review
+#### 4b. Code Quality Review

 - Check for code duplication
 - Evaluate error handling patterns (consistent with existing codebase?)
 - Check naming conventions and code style
 - Verify TypeScript types (any `any` usage, missing types?)

-#### 3c. Security Review
+#### 4c. Security Review

 - Check for missing authentication/authorization on new endpoints
 - Check for injection vulnerabilities (URL params, SQL, XSS)
 - Verify input validation on all user-controlled data
 - Check for hardcoded secrets or credentials

-#### 3d. Architecture Review
+#### 4d. Architecture Review

 - Does the change follow existing patterns?
 - Are there any breaking changes to public APIs?
 - Is the database schema affected? Migration needed?
 - Impact on performance (N+1 queries, missing indexes?)

-#### 3e. Test Coverage
+#### 4e. Test Coverage

 - Does the PR include tests?
 - Are edge cases covered?
 - Would existing tests break?

-#### 3f. Cross-Layer (Global) Analysis
+#### 4f. Cross-Layer (Global) Analysis

 Perform a **global impact assessment** to verify whether the PR changes are complete across all layers of the application:

@@ -97,7 +120,7 @@ Perform a **global impact assessment** to verify whether the PR changes are comp
 - **Cross-cutting concerns**: Check shared layers (types, DTOs, validation schemas, routes, middleware) for completeness
 - **Document gaps** — If missing layers are detected, list them as **IMPORTANT** issues in the report with concrete suggestions for what should be added

-### 4. Generate Report — Create a markdown report for each PR including:
+### 5. Generate Report — Create a markdown report for each PR including:

 - **PR Summary** — What it does, files affected, commit count
 - **Improvements/Benefits** — Numbered list with impact level (HIGH/MEDIUM/LOW)
@@ -106,62 +129,71 @@ Perform a **global impact assessment** to verify whether the PR changes are comp
 - **Verdict** — Ready to merge? With mandatory vs optional fixes
 - **Next Steps** — What will happen if approved

-### 5. Present to User
+### 6. Present to User

 - Show the report via `notify_user` with `BlockedOnUser: true`
 - Wait for user decision:
-  - **Approved** → Proceed to step 6
+  - **Approved** → Proceed to step 7
  - **Approved with changes** → Implement the fixes and corrections before merging
  - **Rejected** → Close the PR or leave a review comment

-### 6. Implementation (if approved)
+### 7. Pre-Merge Fixes & CI Green-Lighting (if approved)

- Checkout the PR branch: `gh pr checkout <NUMBER>`
- Implement any required fixes identified in the analysis
- If the Cross-Layer Analysis (3f) identified missing frontend/backend counterparts, implement them
- **Commit improvements on top of the PR branch** with descriptive commit messages
- Run the project's test suite to verify nothing breaks
+> **⚠️ Fixes should be pushed back to the PR branch before merging.** We want the PR itself to be green and fully valid before it integrates.
+
+- **Sync latest fixes:** Merge `main` or the current `release` branch into the PR branch so the PR inherits any latest CI or integration test fixes (preventing false-positive failures).
+- **Implement improvements:** Apply the required fixes identified in the analysis directly on the PR branch (e.g., adding missing API routes, fixing SSRF, applying comments from other agents).
+- **Pushing changes to PR branches:**
+
+  ```bash
+  # Checkout the PR locally
+  gh pr checkout <NUMBER>
+
+  # Apply fixes, commit your changes
+  git commit -m "chore: apply review suggestions and missing layers"
+
+  # Attempt to push directly to the PR branch
+  git push
+  ```
+
+- **Fallback (For external forks without maintainer edit access):**
+  If `git push` fails because the PR comes from an external fork without write access, you MUST:
+  1. Create a new branch ending in `-fix` (e.g., `checkout -b fix-pr-<NUMBER>`).
+  2. Push your branch to the main repo (`git push origin fix-pr-<NUMBER>`).
+  3. Create a Pull Request targeting the contributor's repository and branch (use `gh pr create --repo <contributor-repo> --base <contributor-branch> --head diegosouzapw:fix-pr-<NUMBER>`).
+  4. Once they accept our PR into their branch, their original PR to our `main` will automatically update and become green.
+
+- Run the project's test suite locally to verify nothing breaks:
  // turbo
 - Run: `npm test` or equivalent test command
- Build the project to verify compilation
-  // turbo
- Run: `npm run build` or equivalent build command
- Push the updated branch: `git push origin <branch-name>`

-### 7. 🛑 WAIT — Notify User & Await PR Verification
+### 8. Merge & Integrate

-**This is a mandatory stop point.** Use `notify_user` with `BlockedOnUser: true`:
+- Once the PR is green (you can check with `gh pr status`), proceed to merge the PR into the current release branch (`release/vX.Y.Z`).

- Inform the user that the PR has been **improved and pushed**, and is **awaiting their verification**
- Include:
-  - PR number and URL
-  - Summary of improvements/fixes applied
-  - Build/test status
-  - List of files changed
- **DO NOT merge, generate releases, or deploy until the user confirms**
-
-Wait for the user to respond:
-
- **User confirms** → Proceed to step 8
- **User requests more changes** → Apply changes, push to the same branch, notify again
- **User rejects** → Leave a review comment and stop
-
-### 8. Thank the Contributor
+  ```bash
+  gh pr merge <NUMBER> --repo <owner>/<repo>
+  ```

 - Post a **thank-you comment** on the PR via the GitHub API
 - The message should:
  - Thank the author by name/username for their contribution
  - Briefly mention what the PR accomplishes and any improvements applied
+  - Note it will be included in the upcoming release
  - Be friendly, professional, and encouraging
- Example: _"Thanks @author for this great contribution! 🎉 The [feature/fix] is now merged and will be part of the next release. We appreciate your effort!"_
+- Example: _"Thanks @author for this great contribution! 🎉 The [feature/fix] has been integrated into the release/vX.Y.Z branch and will be part of the next release. We appreciate your effort!"_

-### 9. Merge & Release (only after user confirms PR)
+### 9. Close the Original PR

-After the user confirms the PR:
+- Close the original PR with a comment explaining it was integrated into the release branch:
+  ```bash
+  gh pr close <NUMBER> --repo <owner>/<repo> --comment "Integrated into release/vX.Y.Z. Will be released as part of v3.X.Y. Thank you!"
+  ```

-1. **Merge** the PR into main (local merge with `--no-ff` or via `gh pr merge`)
-2. **Push** to main: `git push origin main`
-3. **Clean up** the feature branch: `git branch -d <branch-name>`
-4. **Update CHANGELOG.md** with the new feature/fix
-5. Run the `/generate-release` workflow (at `.agents/workflows/generate-release.md`) to bump version, tag, and publish
-6. Deploy to local VPS: `ssh root@192.168.0.15 "npm install -g omniroute@<VERSION> && pm2 restart omniroute"`
+### 10. Continue or Finalize
+
+After processing all approved PRs:
+
+- If more PRs remain, go back to step 7
+- When all PRs are processed, **update CHANGELOG.md** on the release branch with all new entries
+- Run `/generate-release` workflow Phase 1 steps 7–10 (tests → commit → push → open PR to main → wait for user)
@@ -1,105 +0,0 @@
---
-description: How to automatically summarize recent changes and update README and CHANGELOG
---
-
-# Update Documentation Workflow
-
-Update CHANGELOG.md, README.md, docs/ files, and all multi-language translations whenever features are added or changed.
-
-## Steps
-
-### 1. Summarize recent changes
-
-Review git log and identify new features, fixes, or changes since the last release tag:
-
-```bash
-git log $(git describe --tags --abbrev=0)..HEAD --oneline
-```
-
-### 2. Update English CHANGELOG.md
-
-Add an `[Unreleased]` section (or version header if releasing) with:
-
- `### ✨ New Features` — each feature as a bullet point
- `### 🐛 Bug Fixes` — if applicable
- `### 🧪 Tests` — test count changes
- `### 📁 New Files` — table of new files with purpose
-
-### 3. Update English README.md
-
-Update the feature tables in these sections:
-
- **🧠 Routing & Intelligence** — for routing/model features
- **🛡️ Resilience & Security** — for security/resilience features
- **📊 Observability & Analytics** — for monitoring features
- **☁️ Deploy & Sync** — for deployment features
-
-### 4. Update docs/ files
-
- `docs/FEATURES.md` — update the Settings section description
- `docs/API_REFERENCE.md` — add new API routes if any
- `docs/ARCHITECTURE.md` — update architecture if structural changes
-
-### 5. 🌐 Sync Multi-Language Documentation (CRITICAL)
-
-// turbo-all
-
-**This step MUST be run after every README or docs update.**
-
-The project has **30 language versions** of documentation:
-
-**README files (root directory):**
-
-```
-README.md (English - source of truth)
-README.pt-BR.md README.pt.md README.es.md README.fr.md README.it.md
-README.de.md README.nl.md README.sv.md README.no.md README.da.md README.fi.md
-README.ru.md README.uk-UA.md README.bg.md README.sk.md README.pl.md README.ro.md README.hu.md
-README.ar.md README.he.md README.th.md README.in.md README.id.md README.ms.md README.vi.md
-README.ja.md README.ko.md README.zh-CN.md README.phi.md README.cs.md
-```
-
-**docs/i18n/ directories (29 languages):**
-
-```
-docs/i18n/{ar,bg,cs,da,de,es,fi,fr,he,hu,id,in,it,ja,ko,ms,nl,no,phi,pl,pt,pt-BR,ro,ru,sk,sv,th,uk-UA,vi,zh-CN}/
-Each contains: API_REFERENCE.md, ARCHITECTURE.md, CODEBASE_DOCUMENTATION.md, FEATURES.md, TROUBLESHOOTING.md, USER_GUIDE.md
-```
-
-**Sync approach for feature table updates:**
-
-a. Identify which feature table rows were added to English README.md
-b. For each translated README, find the corresponding anchor lines:
-
- **Routing section:** Find the `💬` (System Prompt) table row — the line before it is always the last routing feature. Insert new routing features before System Prompt.
- **Resilience section:** Find the `📊` Rate Limits table row (the one in lines 590-600, NOT the quota tracking one in lines 560-570). Insert new resilience features after it.
-  c. The new feature entries can stay in English for technical features, matching the pattern used in the existing translations.
-  d. Use `sed` or similar tool to batch-insert across all 29 translated READMEs.
-
-**Verification:**
-
-```bash
-# Verify all READMEs have the new features
-grep -l "NEW_FEATURE_NAME" README.*.md | wc -l
-# Should return 30 (all language versions)
-```
-
-**FEATURES.md sync:**
-
-```bash
-# Update Settings description in all docs/i18n/*/FEATURES.md
-for dir in docs/i18n/*/; do
-  # Update the Settings section description to mention new features
-  # Check FEATURES.md in each directory
-done
-```
-
-### 6. Verify documentation changes
-
-```bash
-# Check all modified files
-git status --short
-
-# Verify no broken markdown
-# Optional: run markdownlint if available
-```
@@ -0,0 +1,327 @@
+---
+description: Bump version, auto-generate CHANGELOG from git commits, update all versioned files, and refresh root + docs/ documentation to reflect the current project state
+---
+
+# Version Bump Workflow
+
+Automatically bump the project version, generate CHANGELOG entries from git history since the last tag, update every file that references the version, and refresh project documentation to reflect the current state.
+
+> **VERSION RULE: Always use PATCH bumps (3.x.y → 3.x.y+1)**
+> NEVER use `npm version minor` or `npm version major`.
+> Always use: `npm version patch --no-git-tag-version`
+> The threshold rule: when `y` reaches 10, bump to `3.(x+1).0` — e.g. `3.4.10` → `3.5.0`.
+
+---
+
+## Phase 1: Determine Version
+
+### 1. Read current version and last tag
+
+// turbo
+
+```bash
+cd /home/diegosouzapw/dev/proxys/9router
+CURRENT_VERSION=$(node -p "require('./package.json').version")
+LAST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
+CURRENT_BRANCH=$(git branch --show-current)
+echo "Current version: $CURRENT_VERSION"
+echo "Last tag: $LAST_TAG"
+echo "Current branch: $CURRENT_BRANCH"
+```
+
+### 2. Calculate new version
+
+Apply the patch bump rule:
+
+- If the current patch number is `9`, the new version is `3.(minor+1).0`
+- Otherwise, increment patch: `3.x.y` → `3.x.(y+1)`
+
+If the version was ALREADY bumped (e.g. you are on a release branch and package.json already has the new version), **skip the npm version bump** and use the existing version.
+
+### 3. Bump package.json (if needed)
+
+// turbo
+
+```bash
+# Only if version hasn't been bumped yet
+npm version patch --no-git-tag-version
+```
+
+Or for threshold (y=10):
+
+```bash
+# Manual threshold bump
+VERSION="3.X.0"  # compute manually
+npm version "$VERSION" --no-git-tag-version
+```
+
+---
+
+## Phase 2: Generate CHANGELOG from Git History
+
+### 4. Collect commits since last tag
+
+// turbo
+
+```bash
+cd /home/diegosouzapw/dev/proxys/9router
+LAST_TAG=$(git describe --tags --abbrev=0 2>/dev/null)
+echo "=== Commits since $LAST_TAG ==="
+git log "$LAST_TAG"..HEAD --pretty=format:"%h %s" --no-merges | head -100
+echo ""
+echo "=== Merge commits ==="
+git log "$LAST_TAG"..HEAD --merges --pretty=format:"%h %s" | head -50
+```
+
+### 5. Classify commits and generate CHANGELOG section
+
+Analyze each commit message and classify into categories based on the conventional-commit prefix and content:
+
+| Category            | Patterns                                         |
+| ------------------- | ------------------------------------------------ |
+| ✨ New Features     | `feat:`, `feat(*):`                              |
+| 🐛 Bug Fixes        | `fix:`, `fix(*):`                                |
+| ⚠️ Breaking Changes | `BREAKING CHANGE`, `!:` suffix                   |
+| 🛠️ Maintenance      | `chore:`, `refactor:`, `perf:`, `build:`         |
+| 🧪 Tests            | `test:`, `tests:`                                |
+| 📝 Documentation    | `docs:`                                          |
+| 🔒 Security         | `security:`, CVE references, vulnerability fixes |
+| 🌍 i18n             | translation updates, locale changes              |
+
+For each category with entries, create a markdown section with descriptive bullet points. Use the commit messages but rewrite them to be human-readable and descriptive (not raw commit messages).
+
+**If a commit references a PR number** (e.g. `#880`, `PR #885`), include it in the description.
+
+### 6. Update CHANGELOG.md
+
+Replace the `## [Unreleased]` section content with the generated entries, then add the new versioned section:
+
+```markdown
+## [Unreleased]
+
+---
+
+## [NEW_VERSION] — YYYY-MM-DD
+
+### ✨ New Features
+
+- **Feature name:** Description (#PR)
+
+### 🐛 Bug Fixes
+
+- **Fix name:** Description (#PR)
+
+### 🛠️ Maintenance
+
+- **Item:** Description
+
+---
+
+## [PREVIOUS_VERSION] — YYYY-MM-DD
+
+...
+```
+
+The date must be today's date in `YYYY-MM-DD` format.
+
+---
+
+## Phase 3: Sync Version Across All Files
+
+### 7. Update workspace package.json files and openapi.yaml
+
+// turbo
+
+```bash
+cd /home/diegosouzapw/dev/proxys/9router
+VERSION=$(node -p "require('./package.json').version")
+
+# Update docs/openapi.yaml version
+sed -i "s/  version: .*/  version: $VERSION/" docs/openapi.yaml
+echo "✓ docs/openapi.yaml → $VERSION"
+
+# Update workspace packages (open-sse, electron)
+for dir in electron open-sse; do
+  if [ -d "$dir" ] && [ -f "$dir/package.json" ]; then
+    (cd "$dir" && npm version "$VERSION" --no-git-tag-version --allow-same-version > /dev/null)
+    echo "✓ $dir/package.json → $VERSION"
+  fi
+done
+
+echo "✓ All workspace packages synced to $VERSION"
+```
+
+### 8. Update llm.txt version references
+
+// turbo
+
+```bash
+cd /home/diegosouzapw/dev/proxys/9router
+VERSION=$(node -p "require('./package.json').version")
+OLD_VERSION_PATTERN='[0-9]\+\.[0-9]\+\.[0-9]\+'
+
+# Update "Current version:" line
+sed -i "s/\*\*Current version:\*\* $OLD_VERSION_PATTERN/**Current version:** $VERSION/" llm.txt
+
+# Update "Key Features (vX.Y.Z)" header
+sed -i "s/## Key Features (v$OLD_VERSION_PATTERN)/## Key Features (v$VERSION)/" llm.txt
+
+echo "✓ llm.txt → $VERSION"
+```
+
+### 9. Regenerate lock file
+
+// turbo
+
+```bash
+cd /home/diegosouzapw/dev/proxys/9router
+npm install
+echo "✓ Lock file regenerated"
+```
+
+---
+
+## Phase 4: Update Root Documentation
+
+Based on the CHANGELOG entries generated in Phase 2, review and update these root-level files if relevant changes warrant updates:
+
+### 10. Review and update root documentation files
+
+For each file below, read the current content and determine if the CHANGELOG entries require any updates. Only modify files where substantive changes have occurred:
+
+| File              | When to update                                                                                                              |
+| ----------------- | --------------------------------------------------------------------------------------------------------------------------- |
+| `README.md`       | New providers, major features, stats changes (test count, provider count), badges, installation instructions, feature table |
+| `AGENTS.md`       | Architecture changes, new modules, new commands, new providers, new services/handlers/executors                             |
+| `CONTRIBUTING.md` | Dev workflow changes, new tooling, test infrastructure changes                                                              |
+| `SECURITY.md`     | Security fixes, new auth mechanisms, vulnerability disclosures                                                              |
+| `llm.txt`         | Provider count changes, new features, architecture changes                                                                  |
+
+**Update rules:**
+
+- **README.md**: Update provider count, test count, feature highlights table, badges if any numbers changed. If a new provider was added, add it to the provider table. If a major feature was added, add it to the features section.
+- **AGENTS.md**: If new architecture components (handlers, executors, services, DB modules) were added, update the Architecture section. If new commands were added, update the Build/Test table.
+- **SECURITY.md**: Add new vulnerability fixes or security improvements to the relevant section.
+- **llm.txt**: Update provider count, feature list, version references.
+
+### 11. Review and update docs/ files (excluding i18n/)
+
+For each file in `docs/` (excluding `docs/i18n/`), review if CHANGELOG changes affect it:
+
+| File                             | When to update                                      |
+| -------------------------------- | --------------------------------------------------- |
+| `docs/API_REFERENCE.md`          | New API endpoints, changed request/response formats |
+| `docs/ARCHITECTURE.md`           | New modules, new services, changed data flow        |
+| `docs/CLI-TOOLS.md`              | New CLI tool integrations, config format changes    |
+| `docs/FEATURES.md`               | New features, removed features, changed settings    |
+| `docs/MCP-SERVER.md`             | New MCP tools, changed tool signatures              |
+| `docs/A2A-SERVER.md`             | New A2A skills, protocol changes                    |
+| `docs/USER_GUIDE.md`             | UX changes, new dashboard pages, settings changes   |
+| `docs/VM_DEPLOYMENT_GUIDE.md`    | Deployment changes, new env vars                    |
+| `docs/TROUBLESHOOTING.md`        | New known issues, resolved problems                 |
+| `docs/AUTO-COMBO.md`             | Routing changes, new strategies                     |
+| `docs/CODEBASE_DOCUMENTATION.md` | New files, architectural changes                    |
+| `docs/RELEASE_CHECKLIST.md`      | Process changes                                     |
+| `docs/COVERAGE_PLAN.md`          | Test changes                                        |
+| `docs/openapi.yaml`              | Already updated in step 7                           |
+
+**Only update files where the CHANGELOG entries directly affect the documented content.** Do NOT update files just to bump a version number — only when the documented behavior, features, or architecture has actually changed.
+
+---
+
+## Phase 5: Verify
+
+### 12. Run lint check
+
+// turbo
+
+```bash
+cd /home/diegosouzapw/dev/proxys/9router
+npm run lint
+```
+
+### 13. Run tests
+
+// turbo
+
+```bash
+cd /home/diegosouzapw/dev/proxys/9router
+npm test
+```
+
+### 14. Verify version sync across all files
+
+// turbo
+
+```bash
+cd /home/diegosouzapw/dev/proxys/9router
+VERSION=$(node -p "require('./package.json').version")
+echo "Expected version: $VERSION"
+echo ""
+
+echo "--- package.json ---"
+grep '"version"' package.json | head -1
+
+echo "--- open-sse/package.json ---"
+grep '"version"' open-sse/package.json | head -1
+
+echo "--- electron/package.json ---"
+[ -f electron/package.json ] && grep '"version"' electron/package.json | head -1
+
+echo "--- docs/openapi.yaml ---"
+grep "  version:" docs/openapi.yaml | head -1
+
+echo "--- llm.txt ---"
+grep "Current version:" llm.txt
+
+echo "--- CHANGELOG.md (first versioned entry) ---"
+grep "^## \[" CHANGELOG.md | head -2
+```
+
+### 15. 🛑 STOP — Present Summary to User
+
+**STOP** and present a summary to the user including:
+
+- Old version → New version
+- CHANGELOG entries generated
+- Files modified
+- Test results
+- Any documentation updates made
+
+**Wait for the user to confirm before committing.**
+
+---
+
+## Phase 6: Commit (only after user approval)
+
+### 16. Stage and commit
+
+// turbo-all
+
+```bash
+cd /home/diegosouzapw/dev/proxys/9router
+git add -A
+VERSION=$(node -p "require('./package.json').version")
+git commit -m "chore(release): bump to v$VERSION — changelog, docs, version sync"
+```
+
+---
+
+## Notes
+
+- This workflow does **NOT** create tags, releases, or deploy. Use `/generate-release` for the full release cycle after this.
+- This workflow does **NOT** update `docs/i18n/` translations. Use `/update-i18n` separately after committing.
+- The CHANGELOG generation is based on git commits since the last tag. If there are no new commits, the workflow should inform the user and stop.
+- Always verify the generated CHANGELOG entries make sense — raw commit messages may need rewriting for clarity.
+- If the version was already bumped (e.g. you're on a `release/vX.Y.Z` branch), skip the `npm version` step and use the existing version.
+
+## Version Touchpoints Checklist
+
+| File                    | Field/Pattern                                               |
+| ----------------------- | ----------------------------------------------------------- |
+| `package.json`          | `"version": "X.Y.Z"`                                        |
+| `open-sse/package.json` | `"version": "X.Y.Z"`                                        |
+| `electron/package.json` | `"version": "X.Y.Z"`                                        |
+| `docs/openapi.yaml`     | `version: X.Y.Z`                                            |
+| `llm.txt`               | `**Current version:** X.Y.Z` and `## Key Features (vX.Y.Z)` |
+| `CHANGELOG.md`          | `## [X.Y.Z] — YYYY-MM-DD`                                   |
@@ -30,3 +30,40 @@ npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 .pnpm-debug.log*
+
+# Test suites
+tests
+test-results
+playwright-report
+blob-report
+
+# Documentation (not needed in container)
+docs
+*.md
+!README.md
+
+# Electron (separate build)
+electron
+
+# VS Code extension (separate project)
+vscode-extension
+
+# Build artifacts
+*.tgz
+*.AppImage
+*.deb
+*.rpm
+
+# Package manager lock (bun)
+bun.lock
+
+# Agent config
+.agents
+.gemini
+
+# Misc
+llm.txt
+images
+clipr
+omnirouteCloud
+omnirouteSite
@@ -18,9 +18,11 @@ STORAGE_DRIVER=sqlite
 # Generate with: openssl rand -hex 32
 STORAGE_ENCRYPTION_KEY=
 STORAGE_ENCRYPTION_KEY_VERSION=v1
-LOG_RETENTION_DAYS=90
+APP_LOG_RETENTION_DAYS=90
+CALL_LOG_RETENTION_DAYS=90
 SQLITE_MAX_SIZE_MB=2048
 SQLITE_CLEAN_LEGACY_FILES=true
+DISABLE_SQLITE_AUTO_BACKUP=false

 # Recommended runtime variables
 # Canonical/base port (keeps backward compatibility)
@@ -37,10 +39,10 @@ INSTANCE_NAME=omniroute

 # Recommended security and ops variables
 MACHINE_ID_SALT=endpoint-proxy-salt
-ENABLE_REQUEST_LOGS=false
 AUTH_COOKIE_SECURE=false
 REQUIRE_API_KEY=false
 ALLOW_API_KEY_REVEAL=false
+PROVIDER_LIMITS_SYNC_INTERVAL_MINUTES=70

 # Input Sanitizer (FASE-01 — prompt injection & PII protection)
 # INPUT_SANITIZER_ENABLED=true
@@ -187,21 +189,35 @@ GEMINI_CLI_USER_AGENT=google-api-nodejs-client/9.15.1
 # Provider keys above (openai, mistral, together, fireworks, nvidia) also work for embeddings

 # Timeout settings
-# FETCH_TIMEOUT_MS=120000
-# STREAM_IDLE_TIMEOUT_MS=60000
+# REQUEST_TIMEOUT_MS=600000
+# STREAM_IDLE_TIMEOUT_MS=600000
+# Advanced timeout overrides (optional)
+# FETCH_TIMEOUT_MS=600000
+# FETCH_HEADERS_TIMEOUT_MS=600000
+# FETCH_BODY_TIMEOUT_MS=600000
+# FETCH_CONNECT_TIMEOUT_MS=30000
+# FETCH_KEEPALIVE_TIMEOUT_MS=4000
+# TLS_CLIENT_TIMEOUT_MS=600000
 # API bridge timeout for /v1 proxy requests (default: 30000)
-# API_BRIDGE_PROXY_TIMEOUT_MS=120000
+# API_BRIDGE_PROXY_TIMEOUT_MS=600000
+# API_BRIDGE_SERVER_REQUEST_TIMEOUT_MS=600000
+# API_BRIDGE_SERVER_HEADERS_TIMEOUT_MS=60000
+# API_BRIDGE_SERVER_KEEPALIVE_TIMEOUT_MS=5000
+# API_BRIDGE_SERVER_SOCKET_TIMEOUT_MS=0

 # CORS configuration (default: * allows all origins)
 # CORS_ORIGINS=*

 # Logging
-# LOG_LEVEL=info
-# LOG_FORMAT=text
-LOG_TO_FILE=true
-# LOG_FILE_PATH=logs/application/app.log
-# LOG_MAX_FILE_SIZE=50M
-# LOG_RETENTION_DAYS=7
+# APP_LOG_LEVEL=info
+# APP_LOG_FORMAT=text
+APP_LOG_TO_FILE=true
+# APP_LOG_FILE_PATH=logs/application/app.log
+# APP_LOG_MAX_FILE_SIZE=50M
+# APP_LOG_RETENTION_DAYS=7
+# APP_LOG_MAX_FILES=20
+# CALL_LOG_RETENTION_DAYS=7
+# CALL_LOG_MAX_ENTRIES=10000

 # ─────────────────────────────────────────────────────────────────────────────
 # Memory Optimization (Low-RAM configurations)
@@ -220,6 +236,4 @@ LOG_TO_FILE=true
 # SEMANTIC_CACHE_TTL_MS=1800000

 # In-memory log buffers
-# PROXY_LOG_MAX_ENTRIES=200
-# CALL_LOGS_MAX=200
 # STREAM_HISTORY_MAX=50
@@ -0,0 +1,2 @@
+* @diegosouzapw
+
@@ -119,6 +119,20 @@ body:
    validations:
      required: true

+  - type: dropdown
+    id: test-impact
+    attributes:
+      label: Test Impact
+      description: "What automated test coverage should exist for this bug?"
+      options:
+        - Needs a new unit test
+        - Needs a new integration test
+        - Needs a new e2e test
+        - Existing automated test already fails
+        - Unsure
+    validations:
+      required: true
+
  - type: textarea
    id: logs
    attributes:
@@ -143,3 +157,15 @@ body:
      description: "Any other context about the problem (e.g. proxy config, number of accounts, network setup)."
    validations:
      required: false
+
+  - type: textarea
+    id: validation-plan
+    attributes:
+      label: Validation Plan
+      description: "Which commands or tests should prove this bug is fixed?"
+      placeholder: |
+        Example:
+        - node --import tsx/esm --test tests/unit/my-file.test.mjs
+        - npm run test:coverage
+    validations:
+      required: false
@@ -1,4 +1,4 @@
-blank_issues_enabled: true
+blank_issues_enabled: false
 contact_links:
  - name: Question / Help
    url: https://github.com/diegosouzapw/OmniRoute/discussions
@@ -33,6 +33,19 @@ body:
    validations:
      required: false

+  - type: textarea
+    id: acceptance
+    attributes:
+      label: Acceptance Criteria
+      description: "Describe the concrete behaviors or outcomes that should be validated before this is considered done."
+      placeholder: |
+        Example:
+        - API route returns 200 with valid payload
+        - Unit coverage added for the new branch
+        - Existing integrations remain green
+    validations:
+      required: true
+
  - type: dropdown
    id: area
    attributes:
@@ -68,3 +81,16 @@ body:
      description: "Any other context, mockups, or references."
    validations:
      required: false
+
+  - type: textarea
+    id: test-plan
+    attributes:
+      label: Expected Test Plan
+      description: "Which automated tests or coverage changes should accompany this work?"
+      placeholder: |
+        Example:
+        - Add unit tests for open-sse/services/combo.ts
+        - Extend integration coverage for /api/v1/models
+        - Keep npm run test:coverage at 60%+
+    validations:
+      required: false
@@ -0,0 +1,73 @@
+name: Test Coverage Task
+description: Create a focused coverage-improvement issue tied to concrete files and targets
+title: "[Coverage] "
+labels: ["test", "coverage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Use this template for scoped coverage work. Keep it tied to specific files, measurable targets, and the gate that must stay green.
+
+  - type: input
+    id: baseline
+    attributes:
+      label: Current Coverage Baseline
+      description: "Paste the current overall or file-level coverage number that justifies this task."
+      placeholder: "e.g. Lines 79.00%, Branches 72.85%, open-sse/handlers/chatCore.ts = 67.22%"
+    validations:
+      required: true
+
+  - type: textarea
+    id: scope
+    attributes:
+      label: Target Files Or Modules
+      description: "List the concrete source files or directories that this task will cover."
+      placeholder: |
+        Example:
+        - open-sse/handlers/chatCore.ts
+        - open-sse/services/combo.ts
+        - tests/integration/chat-pipeline.test.mjs
+    validations:
+      required: true
+
+  - type: textarea
+    id: scenarios
+    attributes:
+      label: Missing Scenarios
+      description: "Describe the specific behaviors, branches, or failure paths that are currently uncovered."
+      placeholder: |
+        Example:
+        - Upstream timeout path
+        - Empty tool_calls normalization
+        - Fallback route after first provider failure
+    validations:
+      required: true
+
+  - type: input
+    id: target
+    attributes:
+      label: Coverage Target
+      description: "Set the expected target for this task."
+      placeholder: "e.g. Raise open-sse/handlers to 80%+ lines and keep global gate >= 60%"
+    validations:
+      required: true
+
+  - type: textarea
+    id: validation
+    attributes:
+      label: Validation Commands
+      description: "List the commands that must pass before this issue can be closed."
+      placeholder: |
+        Example:
+        - node --import tsx/esm --test tests/unit/my-suite.test.mjs
+        - npm run test:coverage
+    validations:
+      required: true
+
+  - type: textarea
+    id: notes
+    attributes:
+      label: Notes
+      description: "Optional context, blockers, or dependencies."
+    validations:
+      required: false
@@ -0,0 +1,15 @@
+# OmniRoute PR and Coverage Instructions
+
+- Treat `npm run test:coverage` as a required gate for PR work.
+- The repository minimum is `60%` for statements, lines, functions, and branches.
+- If a PR changes production code in `src/`, `open-sse/`, `electron/`, or `bin/`, it must include automated tests in the same PR.
+- When reviewing or updating a PR, if the report shows missing tests or coverage below `60%`, do not stop after reporting the problem. Add or update tests in the PR first, rerun the coverage gate, and only then ask for confirmation.
+- Prefer the smallest test layer that proves the behavior:
+  - unit tests first
+  - integration tests when multiple modules or DB state are involved
+  - e2e only when the behavior is truly UI or workflow-dependent
+- For bug issues, try to encode the reproduction as an automated test before or alongside the fix.
+- In the final PR report, include:
+  - the commands you ran
+  - the changed test files
+  - the final coverage result
@@ -0,0 +1,30 @@
+## Summary
+
+- Describe the user-facing or operational change.
+
+## Related Issues
+
+- Closes #
+- Related to #
+
+## Validation
+
+- [ ] `npm run lint`
+- [ ] `npm run test:unit`
+- [ ] `npm run test:coverage`
+- [ ] Coverage is still `>= 60%` for statements, lines, functions, and branches
+- [ ] SonarQube PR analysis is green or any remaining issues are explicitly documented below
+
+## Tests Added Or Updated
+
+- List every changed or added automated test file.
+- If no production code changed, state that here.
+
+## Coverage Notes
+
+- If this PR changes `src/`, `open-sse/`, `electron/`, or `bin/`, explain which tests cover the change.
+- If coverage moved down in any touched file, explain why and what follow-up task will recover it.
+
+## Reviewer Notes
+
+- Call out any risky areas, migrations, feature flags, or manual validation that reviewers should know about.
@@ -5,6 +5,7 @@ on:
    branches: [main]
  pull_request:
    branches: [main]
+    types: [opened, synchronize, reopened, ready_for_review]

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -18,8 +19,8 @@ jobs:
    name: Lint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
        with:
          node-version: 22
          cache: npm
@@ -32,21 +33,102 @@ jobs:
      - run: npm run typecheck:core
      - run: npm run typecheck:noimplicit:core

-  security:
-    name: Security Audit
+  i18n-matrix:
+    name: Build language matrix
+    runs-on: ubuntu-latest
+    outputs:
+      langs: ${{ steps.langs.outputs.langs }}
+    steps:
+      - uses: actions/checkout@v6
+      - id: langs
+        run: |
+          LANG_DIR="src/i18n/messages"
+          LANGS=$(ls "$LANG_DIR"/*.json | xargs -n1 basename | sed 's/.json$//' | grep -v '^en$' | jq -R . | jq -s . | jq -c .)
+          echo "langs=${LANGS}" >> "$GITHUB_OUTPUT"
+
+  i18n:
+    name: i18n Validation
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    strategy:
+      fail-fast: false
+      matrix:
+        lang: ${{ fromJson(needs.i18n-matrix.outputs.langs) }}
+    needs: i18n-matrix
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-python@v6.2.0
+        with:
+          python-version: "3.12"
+
+      - name: Validate ${{ matrix.lang }}
+        run: |
+          python3 scripts/validate_translation.py quick -l '${{ matrix.lang }}' > result.txt
+
+      - name: Upload result
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: i18n-${{ matrix.lang }}
+          path: result.txt
+
+  pr-test-policy:
+    name: PR Test Policy
+    if: ${{ github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 22
+      - name: Fetch base branch
+        run: git fetch --no-tags origin "${GITHUB_BASE_REF}" --depth=1
+      - name: Validate source changes include tests
+        run: node scripts/check-pr-test-policy.mjs --summary-file .artifacts/pr-test-policy.md
+      - name: Publish PR test policy summary
+        if: always()
+        run: |
+          if [ -f .artifacts/pr-test-policy.md ]; then
+            cat .artifacts/pr-test-policy.md >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+  advanced-security:
+    name: Advanced Security Scans
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: TruffleHog Secret Scan
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD
+          extra_args: --only-verified
+
+      - uses: actions/setup-node@v6
        with:
          node-version: 22
          cache: npm
+
      - run: npm ci
+
      - name: Dependency audit
-        run: npm audit --audit-level=high --omit=dev
+        run: npm audit --audit-level=high --omit=dev || true
+
      - name: Check for known vulnerabilities
-        run: npx is-my-node-vulnerable
-        continue-on-error: true
+        run: npx is-my-node-vulnerable || true
+
+      - name: Run Snyk Vulnerability checks
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=high

  build:
    name: Build
@@ -55,8 +137,8 @@ jobs:
      matrix:
        node-version: [20, 22]
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
        with:
          node-version: ${{ matrix.node-version }}
          cache: npm
@@ -66,6 +148,7 @@ jobs:
  test-unit:
    name: Unit Tests
    runs-on: ubuntu-latest
+    timeout-minutes: 15
    needs: build
    strategy:
      matrix:
@@ -74,8 +157,8 @@ jobs:
      JWT_SECRET: ci-test-secret-with-sufficient-length-for-validation
      API_KEY_SECRET: ci-test-api-key-secret-long
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
        with:
          node-version: ${{ matrix.node-version }}
          cache: npm
@@ -85,43 +168,180 @@ jobs:
  test-coverage:
    name: Coverage
    runs-on: ubuntu-latest
+    timeout-minutes: 15
    needs: build
    env:
      JWT_SECRET: ci-test-secret-with-sufficient-length-for-validation
      API_KEY_SECRET: ci-test-api-key-secret-long
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
        with:
          node-version: 22
          cache: npm
      - run: npm ci
-      - run: npm run test:coverage
-      - name: Check coverage threshold
+      - name: Run coverage gate
+        run: npm run test:coverage
+      - name: Build coverage summary
+        if: always()
        run: |
-          echo "Coverage report generated. Check output for threshold compliance."
+          mkdir -p coverage
+          if [ -f coverage/coverage-summary.json ]; then
+            node scripts/test-report-summary.mjs \
+              --input coverage/coverage-summary.json \
+              --output coverage/coverage-report.md \
+              --threshold 60
+          else
+            printf '%s\n' \
+              '# Coverage Report' \
+              '' \
+              'Coverage summary JSON was not generated. Inspect the Coverage job logs.' \
+              > coverage/coverage-report.md
+          fi
+          cat coverage/coverage-report.md >> "$GITHUB_STEP_SUMMARY"
+      - name: Upload coverage artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: |
+            coverage/coverage-summary.json
+            coverage/lcov.info
+            coverage/coverage-report.md
+          if-no-files-found: warn
+
+  sonarqube:
+    name: SonarQube
+    runs-on: ubuntu-latest
+    needs: test-coverage
+    if: ${{ always() && needs.test-coverage.result == 'success' }}
+    env:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - uses: actions/download-artifact@v4
+        with:
+          name: coverage-report
+          path: .
+      - name: Explain SonarQube skip
+        if: ${{ env.SONAR_TOKEN == '' || env.SONAR_HOST_URL == '' }}
+        run: |
+          echo "SonarQube scan skipped because SONAR_TOKEN or SONAR_HOST_URL is not configured." >> "$GITHUB_STEP_SUMMARY"
+      - name: SonarQube Scan
+        if: ${{ env.SONAR_TOKEN != '' && env.SONAR_HOST_URL != '' }}
+        uses: SonarSource/sonarqube-scan-action@v7
+        env:
+          SONAR_TOKEN: ${{ env.SONAR_TOKEN }}
+          SONAR_HOST_URL: ${{ env.SONAR_HOST_URL }}
+
+  coverage-pr-comment:
+    name: PR Coverage Comment
+    runs-on: ubuntu-latest
+    if: ${{ always() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false }}
+    needs:
+      - pr-test-policy
+      - test-coverage
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Download coverage artifact
+        if: ${{ needs.test-coverage.result != 'cancelled' }}
+        continue-on-error: true
+        uses: actions/download-artifact@v4
+        with:
+          name: coverage-report
+          path: .
+      - name: Prepare PR coverage comment
+        env:
+          COVERAGE_RESULT: ${{ needs.test-coverage.result }}
+          POLICY_RESULT: ${{ needs.pr-test-policy.result }}
+        run: |
+          mkdir -p .artifacts
+          {
+            echo "<!-- omniroute-coverage-report -->"
+            echo "## CI Coverage Report"
+            echo ""
+            echo "- Coverage job: \`${COVERAGE_RESULT}\`"
+            echo "- PR test policy: \`${POLICY_RESULT}\`"
+            echo ""
+            if [ -f coverage/coverage-report.md ]; then
+              cat coverage/coverage-report.md
+            else
+              echo "Coverage artifact was not available for this run."
+            fi
+            if [ "${POLICY_RESULT}" = "failure" ]; then
+              echo ""
+              echo "## PR Test Policy"
+              echo ""
+              echo "This PR changes production code in \`src/\`, \`open-sse/\`, \`electron/\`, or \`bin/\` without accompanying automated tests."
+            fi
+          } > .artifacts/pr-coverage-comment.md
+      - uses: actions/github-script@v8
+        with:
+          script: |
+            const fs = require("fs");
+            const marker = "<!-- omniroute-coverage-report -->";
+            const body = fs.readFileSync(".artifacts/pr-coverage-comment.md", "utf8");
+            const { owner, repo } = context.repo;
+            const issue_number = context.issue.number;
+
+            const comments = await github.paginate(github.rest.issues.listComments, {
+              owner,
+              repo,
+              issue_number,
+              per_page: 100,
+            });
+
+            const existing = comments.find((comment) => comment.body?.includes(marker));
+
+            if (existing) {
+              await github.rest.issues.updateComment({
+                owner,
+                repo,
+                comment_id: existing.id,
+                body,
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner,
+                repo,
+                issue_number,
+                body,
+              });
+            }

  test-e2e:
-    name: E2E Tests
+    name: E2E Tests (${{ matrix.shard }}/4)
    runs-on: ubuntu-latest
+    timeout-minutes: 15
    needs: build
+    strategy:
+      fail-fast: false
+      matrix:
+        shard: [1, 2, 3, 4]
    env:
      JWT_SECRET: ci-test-secret-with-sufficient-length-for-validation
      API_KEY_SECRET: ci-test-api-key-secret-long
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
        with:
          node-version: 22
          cache: npm
      - run: npm ci
      - run: npx playwright install --with-deps chromium
      - run: npm run build
-      - run: npm run test:e2e
+      - run: npx playwright test tests/e2e/*.spec.ts --shard=${{ matrix.shard }}/4

  test-integration:
    name: Integration Tests
    runs-on: ubuntu-latest
+    timeout-minutes: 10
    needs: build
    env:
      JWT_SECRET: ci-test-secret-with-sufficient-length-for-validation
@@ -129,8 +349,8 @@ jobs:
      INITIAL_PASSWORD: ci-test-password-for-integration
      DATA_DIR: /tmp/omniroute-ci
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
        with:
          node-version: 22
          cache: npm
@@ -145,10 +365,108 @@ jobs:
      JWT_SECRET: ci-test-secret-with-sufficient-length-for-validation
      API_KEY_SECRET: ci-test-api-key-secret-long
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
        with:
          node-version: 22
          cache: npm
      - run: npm ci
      - run: npm run test:security
+
+  ci-summary:
+    name: CI Dashboard
+    runs-on: ubuntu-latest
+    if: always()
+    needs:
+      - lint
+      - i18n
+      - pr-test-policy
+      - advanced-security
+      - build
+      - test-unit
+      - test-coverage
+      - sonarqube
+      - coverage-pr-comment
+      - test-e2e
+      - test-integration
+      - test-security
+    steps:
+      - name: Download i18n results
+        continue-on-error: true
+        uses: actions/download-artifact@v4
+        with:
+          pattern: i18n-*
+          path: results
+          merge-multiple: true
+
+      - name: Generate dashboard
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+        run: |
+          status() {
+            case "$1" in
+              success) echo "🟢 PASS" ;;
+              failure) echo "🔴 FAIL" ;;
+              cancelled) echo "⚫ CANCELLED" ;;
+              skipped) echo "⚪ SKIPPED" ;;
+              *) echo "🟡 UNKNOWN" ;;
+            esac
+          }
+
+          echo "# 🚀 CI Dashboard" >> "$GITHUB_STEP_SUMMARY"
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+
+          echo "## 🧱 Core Checks" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Job | Status |" >> "$GITHUB_STEP_SUMMARY"
+          echo "|-----|--------|" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Lint | $(status '${{ needs.lint.result }}') |" >> "$GITHUB_STEP_SUMMARY"
+          echo "| PR Test Policy | $(status '${{ needs.pr-test-policy.result }}') |" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Advanced Security | $(status '${{ needs.advanced-security.result }}') |" >> "$GITHUB_STEP_SUMMARY"
+          echo "| SonarQube | $(status '${{ needs.sonarqube.result }}') |" >> "$GITHUB_STEP_SUMMARY"
+
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo "## 🏗️ Build" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Job | Status |" >> "$GITHUB_STEP_SUMMARY"
+          echo "|-----|--------|" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Build Matrix | $(status '${{ needs.build.result }}') |" >> "$GITHUB_STEP_SUMMARY"
+
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo "## 🧪 Tests" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Suite | Status |" >> "$GITHUB_STEP_SUMMARY"
+          echo "|-------|--------|" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Unit | $(status '${{ needs.test-unit.result }}') |" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Coverage | $(status '${{ needs.test-coverage.result }}') |" >> "$GITHUB_STEP_SUMMARY"
+          echo "| PR Coverage Comment | $(status '${{ needs.coverage-pr-comment.result }}') |" >> "$GITHUB_STEP_SUMMARY"
+          echo "| E2E | $(status '${{ needs.test-e2e.result }}') |" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Integration | $(status '${{ needs.test-integration.result }}') |" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Security Tests | $(status '${{ needs.test-security.result }}') |" >> "$GITHUB_STEP_SUMMARY"
+
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo "## 🌍 Translations" >> "$GITHUB_STEP_SUMMARY"
+
+          total=0
+          langs=0
+
+          if [ -d results ]; then
+            for file in results/*.txt; do
+              [ -f "$file" ] || continue
+              val=$(sed -r 's/\x1B\[[0-9;]*[mK]//g' "$file" | grep "Untranslated:" | awk '{print $2}')
+              val=${val:-0}
+              total=$((total + val))
+              langs=$((langs + 1))
+            done
+          fi
+
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Metric | Value |" >> "$GITHUB_STEP_SUMMARY"
+          echo "|--------|------|" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Languages checked | $langs |" >> "$GITHUB_STEP_SUMMARY"
+          echo "| Total untranslated | $total |" >> "$GITHUB_STEP_SUMMARY"
+
+          if [ "$total" -gt 0 ]; then
+            echo "" >> "$GITHUB_STEP_SUMMARY"
+            echo "⚠️ **Translations need attention**" >> "$GITHUB_STEP_SUMMARY"
+          else
+            echo "" >> "$GITHUB_STEP_SUMMARY"
+            echo "✅ **All translations complete**" >> "$GITHUB_STEP_SUMMARY"
+          fi
@@ -6,6 +6,9 @@ on:
    types: [completed]
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  deploy:
    if: >-
@@ -25,15 +25,15 @@ jobs:
      IMAGE_NAME: diegosouzapw/omniroute
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          ref: ${{ github.event_name == 'workflow_dispatch' && format('refs/tags/v{0}', inputs.version) || '' }}

      - name: Set up QEMU (for multi-arch builds)
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4

      - name: Login to Docker Hub
        uses: docker/login-action@v3
@@ -24,7 +24,7 @@ jobs:
      version: ${{ steps.validate.outputs.version }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0

@@ -72,10 +72,10 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
        with:
          node-version: 22
          cache: npm
@@ -159,12 +159,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
        with:
          path: release-assets
          merge-multiple: true
@@ -43,10 +43,10 @@ jobs:
    environment: NPM_TOKEN
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
@@ -1,43 +0,0 @@
-name: Sync Upstream
-
-on:
-  schedule:
-    # Run every 6 hours
-    - cron: '0 */6 * * *'
-  workflow_dispatch:
-
-permissions:
-  contents: write
-
-jobs:
-  sync:
-    name: Sync with upstream
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Configure Git
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-
-      - name: Fetch upstream
-        run: |
-          git remote add upstream https://github.com/diegosouzapw/OmniRoute.git || true
-          git fetch upstream
-          git fetch origin
-
-      - name: Sync main branch
-        run: |
-          git checkout main
-          git merge upstream/main --no-edit || {
-            echo "Merge conflict detected. Manual intervention required."
-            exit 1
-          }
-
-      - name: Push changes
-        run: git push https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/tombii/OmniRoute.git main
@@ -5,6 +5,12 @@
 omnirouteCloud/
 omnirouteSite/

+# Root-level underscore-prefixed directories (private/draft — never commit)
+/_*/
+
+# Draft features documentation (internal only)
+docs/new-features/
+
 # dependencies
 node_modules/
 /.pnp
@@ -14,9 +20,12 @@ node_modules/
 !.yarn/plugins
 !.yarn/releases
 !.yarn/versions
+.data/
+.next-playwright/

 # testing
 coverage/
+coverage**

 # next.js
 .next/
@@ -50,6 +59,7 @@ next-env.d.ts

 # data and logs
 data/
+.data/
 logs/*

 # analysis directories (generated, not tracked)
@@ -88,6 +98,7 @@ docs/*
 !docs/AUTO-COMBO.md
 !docs/MCP-SERVER.md
 !docs/CLI-TOOLS.md
+!docs/COVERAGE_PLAN.md


 # open-sse tests
@@ -135,3 +146,18 @@ vscode-extension/

 # Compiled npm-package build artifact (not source, should not be in git)
 /app
+
+# IDEA
+.idea/
+
+# Local OpenCode agent config
+.config/
+
+# Empty/dangling files
+typescript
+
+# Gemini Antigravity agent data
+.gemini/
+
+# Superpowers plans/specs (internal tooling, not project code)
+docs/superpowers/
@@ -1,3 +1,3 @@
 npx lint-staged
 node scripts/check-docs-sync.mjs
-npm run test:unit
+npm run check:any-budget:t11
@@ -0,0 +1 @@
+npm run test:unit
@@ -26,14 +26,19 @@ scripts/
 .github/
 .husky/
 .vscode/
+.agents/
 .env*
 eslint.config.mjs
 prettier.config.mjs
 postcss.config.mjs
 next.config.mjs
 tsconfig.json
+tsconfig.typecheck-core.json
+tsconfig.typecheck-noimplicit-core.json
 playwright.config.ts
+vitest.config.ts
 next-env.d.ts
+llm.txt

 # Docker
 docker-compose*.yml
@@ -41,8 +46,8 @@ Dockerfile
 .dockerignore

 # Misc
-restart.sh
 AGENTS.md
+bun.lock

 # Build artifacts (pre-built goes inside app/)
 .next/
@@ -56,3 +61,9 @@ node_modules/
 electron/
 app/electron/
 app/vscode-extension/
+
+# Subprojects
+clipr/
+omnirouteCloud/
+omnirouteSite/
+vscode-extension/
@@ -0,0 +1,250 @@
+{
+  "version": "1.0.0",
+  "lastScanned": 1775016362438,
+  "projectRoot": "/home/openclaw/omniroute-src",
+  "techStack": {
+    "languages": [
+      {
+        "name": "JavaScript/TypeScript",
+        "version": ">=18.0.0 <24.0.0",
+        "confidence": "high",
+        "markers": ["package.json"]
+      },
+      {
+        "name": "TypeScript",
+        "version": null,
+        "confidence": "high",
+        "markers": ["tsconfig.json"]
+      }
+    ],
+    "frameworks": [
+      {
+        "name": "express",
+        "version": "5.2.1",
+        "category": "backend"
+      },
+      {
+        "name": "next",
+        "version": "16.0.10",
+        "category": "fullstack"
+      },
+      {
+        "name": "react",
+        "version": "19.2.4",
+        "category": "frontend"
+      },
+      {
+        "name": "react-dom",
+        "version": "19.2.4",
+        "category": "frontend"
+      },
+      {
+        "name": "@playwright/test",
+        "version": "1.58.2",
+        "category": "testing"
+      },
+      {
+        "name": "vitest",
+        "version": "4.0.18",
+        "category": "testing"
+      }
+    ],
+    "packageManager": "npm",
+    "runtime": "Node.js 18.0.024.0.0"
+  },
+  "build": {
+    "buildCommand": "npm run build",
+    "testCommand": "npm test",
+    "lintCommand": "npm run lint",
+    "devCommand": "npm run dev",
+    "scripts": {
+      "dev": "node scripts/run-next.mjs dev",
+      "build": "node scripts/build-next-isolated.mjs",
+      "build:cli": "node scripts/prepublish.mjs",
+      "start": "node scripts/run-next.mjs start",
+      "lint": "eslint .",
+      "electron:dev": "concurrently \"npm run dev\" \"wait-on http://localhost:20128 && cd electron && npm run dev\"",
+      "electron:build": "npm run build && cd electron && npm run build",
+      "electron:build:win": "npm run build && cd electron && npm run build:win",
+      "electron:build:mac": "npm run build && cd electron && npm run build:mac",
+      "electron:build:linux": "npm run build && cd electron && npm run build:linux",
+      "test": "node --import tsx/esm --test tests/unit/*.test.mjs",
+      "test:unit": "node --import tsx/esm --test tests/unit/*.test.mjs",
+      "test:plan3": "node --import tsx/esm --test tests/unit/plan3-p0.test.mjs",
+      "test:fixes": "node --import tsx/esm --test tests/unit/fixes-p1.test.mjs",
+      "test:security": "node --import tsx/esm --test tests/unit/security-fase01.test.mjs",
+      "check:cycles": "node scripts/check-cycles.mjs",
+      "check:route-validation:t06": "node scripts/check-route-validation.mjs",
+      "check:any-budget:t11": "node scripts/check-t11-any-budget.mjs",
+      "check:docs-sync": "node scripts/check-docs-sync.mjs",
+      "typecheck:core": "tsc --pretty false -p tsconfig.typecheck-core.json",
+      "typecheck:noimplicit:core": "tsc --pretty false -p tsconfig.typecheck-noimplicit-core.json",
+      "test:integration": "node --import tsx/esm --test tests/integration/*.test.mjs",
+      "test:e2e": "node scripts/run-playwright-tests.mjs test tests/e2e/*.spec.ts",
+      "test:protocols:e2e": "node scripts/run-protocol-clients-tests.mjs",
+      "test:vitest": "vitest run open-sse/mcp-server/__tests__/*.test.ts open-sse/services/autoCombo/__tests__/*.test.ts",
+      "test:ecosystem": "node scripts/run-ecosystem-tests.mjs",
+      "test:coverage": "c8 --exclude=tests/** --exclude=**/*.test.* --reporter=text-summary --reporter=html --reporter=json-summary --reporter=lcov --check-coverage --statements 55 --lines 55 --functions 55 --branches 60 node --import tsx/esm --test tests/unit/*.test.mjs",
+      "test:coverage:legacy": "c8 --exclude=open-sse --check-coverage --lines 50 --functions 50 --branches 50 node --import tsx/esm --test tests/unit/*.test.mjs",
+      "coverage:report": "c8 report --exclude=tests/** --exclude=**/*.test.* --reporter=text --reporter=text-summary --reporter=html --reporter=json-summary --reporter=lcov",
+      "coverage:report:legacy": "c8 report --exclude=open-sse --reporter=text --reporter=text-summary",
+      "test:all": "npm run test:unit && npm run test:vitest && npm run test:ecosystem && npm run test:e2e",
+      "check": "npm run lint && npm run test",
+      "prepublishOnly": "npm run build:cli",
+      "postinstall": "node scripts/postinstall.mjs",
+      "prepare": "husky",
+      "system-info": "node scripts/system-info.mjs"
+    }
+  },
+  "conventions": {
+    "namingStyle": "camelCase",
+    "importStyle": null,
+    "testPattern": null,
+    "fileOrganization": null
+  },
+  "structure": {
+    "isMonorepo": true,
+    "workspaces": ["open-sse"],
+    "mainDirectories": ["bin", "docs", "public", "scripts", "src", "tests"],
+    "gitBranches": {
+      "defaultBranch": "main",
+      "branchingStrategy": null
+    }
+  },
+  "customNotes": [],
+  "directoryMap": {
+    "bin": {
+      "path": "bin",
+      "purpose": "Executable scripts",
+      "fileCount": 3,
+      "lastAccessed": 1775016362426,
+      "keyFiles": ["mcp-server.mjs", "omniroute.mjs", "reset-password.mjs"]
+    },
+    "docs": {
+      "path": "docs",
+      "purpose": "Documentation",
+      "fileCount": 14,
+      "lastAccessed": 1775016362426,
+      "keyFiles": [
+        "A2A-SERVER.md",
+        "API_REFERENCE.md",
+        "ARCHITECTURE.md",
+        "AUTO-COMBO.md",
+        "CLI-TOOLS.md"
+      ]
+    },
+    "electron": {
+      "path": "electron",
+      "purpose": null,
+      "fileCount": 5,
+      "lastAccessed": 1775016362431,
+      "keyFiles": ["README.md", "main.js", "package.json", "preload.js", "types.d.ts"]
+    },
+    "images": {
+      "path": "images",
+      "purpose": null,
+      "fileCount": 1,
+      "lastAccessed": 1775016362434,
+      "keyFiles": ["omniroute.png"]
+    },
+    "logs": {
+      "path": "logs",
+      "purpose": null,
+      "fileCount": 3,
+      "lastAccessed": 1775016362434,
+      "keyFiles": ["build_clean_tools.log", "build_debug.log", "build_force_clean.log"]
+    },
+    "open-sse": {
+      "path": "open-sse",
+      "purpose": null,
+      "fileCount": 5,
+      "lastAccessed": 1775016362434,
+      "keyFiles": ["index.ts", "package.json", "tsconfig.json", "types.d.ts"]
+    },
+    "public": {
+      "path": "public",
+      "purpose": "Public files",
+      "fileCount": 3,
+      "lastAccessed": 1775016362435,
+      "keyFiles": ["apple-touch-icon.svg", "favicon.svg", "icon-192.svg"]
+    },
+    "scripts": {
+      "path": "scripts",
+      "purpose": "Build/utility scripts",
+      "fileCount": 23,
+      "lastAccessed": 1775016362435,
+      "keyFiles": [
+        "bootstrap-env.mjs",
+        "build-next-isolated.mjs",
+        "check-cycles.mjs",
+        "check-docs-sync.mjs",
+        "check-route-validation.mjs"
+      ]
+    },
+    "src": {
+      "path": "src",
+      "purpose": "Source code",
+      "fileCount": 4,
+      "lastAccessed": 1775016362435,
+      "keyFiles": ["instrumentation-node.ts", "instrumentation.ts", "proxy.ts", "server-init.ts"]
+    },
+    "tests": {
+      "path": "tests",
+      "purpose": "Test files",
+      "fileCount": 0,
+      "lastAccessed": 1775016362435,
+      "keyFiles": []
+    },
+    "electron/assets": {
+      "path": "electron/assets",
+      "purpose": "Static assets",
+      "fileCount": 4,
+      "lastAccessed": 1775016362436,
+      "keyFiles": ["icon.icns", "icon.ico", "icon.png"]
+    },
+    "open-sse/config": {
+      "path": "open-sse/config",
+      "purpose": "Configuration files",
+      "fileCount": 17,
+      "lastAccessed": 1775016362436,
+      "keyFiles": ["audioRegistry.ts", "cliFingerprints.ts", "codexInstructions.ts"]
+    },
+    "open-sse/services": {
+      "path": "open-sse/services",
+      "purpose": "Business logic services",
+      "fileCount": 35,
+      "lastAccessed": 1775016362437,
+      "keyFiles": ["accountFallback.ts", "accountSelector.ts", "apiKeyRotator.ts"]
+    },
+    "src/app": {
+      "path": "src/app",
+      "purpose": "Application code",
+      "fileCount": 7,
+      "lastAccessed": 1775016362438,
+      "keyFiles": ["error.tsx", "global-error.tsx", "globals.css"]
+    },
+    "src/lib": {
+      "path": "src/lib",
+      "purpose": "Library code",
+      "fileCount": 30,
+      "lastAccessed": 1775016362438,
+      "keyFiles": ["apiBridgeServer.ts", "apiKeyExposure.ts", "cacheControlSettings.ts"]
+    },
+    "src/middleware": {
+      "path": "src/middleware",
+      "purpose": "Middleware",
+      "fileCount": 1,
+      "lastAccessed": 1775016362438,
+      "keyFiles": ["promptInjectionGuard.ts"]
+    },
+    "src/models": {
+      "path": "src/models",
+      "purpose": "Data models",
+      "fileCount": 1,
+      "lastAccessed": 1775016362438,
+      "keyFiles": ["index.ts"]
+    }
+  },
+  "hotPaths": [],
+  "userDirectives": []
+}
@@ -0,0 +1,8 @@
+{
+  "session_id": "53c002c3-36a6-47c3-a52d-a8f756c264eb",
+  "ended_at": "2026-04-01T04:06:04.924Z",
+  "reason": "prompt_input_exit",
+  "agents_spawned": 0,
+  "agents_completed": 0,
+  "modes_used": []
+}
@@ -0,0 +1 @@
+[   32698ms] [ERROR] Failed to load resource: the server responded with a status of 404 (Not Found) @ http://localhost:20130/dashboard/usage?_rsc=18t7j:0
@@ -0,0 +1,158 @@
+- generic [active] [ref=e1]:
+    - link "Skip to content" [ref=e2] [cursor=pointer]:
+        - /url: "#main-content"
+    - generic [ref=e3]:
+        - complementary [ref=e5]:
+            - link "Skip to content" [ref=e6] [cursor=pointer]:
+                - /url: "#main-content"
+            - link "OmniRoute v3.5.0" [ref=e12] [cursor=pointer]:
+                - /url: /dashboard
+                - img [ref=e14]
+                - generic [ref=e26]:
+                    - heading "OmniRoute" [level=1] [ref=e27]
+                    - generic [ref=e28]: v3.5.0
+            - navigation "Main navigation" [ref=e29]:
+                - generic [ref=e30]:
+                    - link "home Home" [ref=e31] [cursor=pointer]:
+                        - /url: /dashboard
+                        - generic [ref=e32]: home
+                        - generic [ref=e33]: Home
+                    - link "api Endpoints" [ref=e34] [cursor=pointer]:
+                        - /url: /dashboard/endpoint
+                        - generic [ref=e35]: api
+                        - generic [ref=e36]: Endpoints
+                    - link "vpn_key API Manager" [ref=e37] [cursor=pointer]:
+                        - /url: /dashboard/api-manager
+                        - generic [ref=e38]: vpn_key
+                        - generic [ref=e39]: API Manager
+                    - link "dns Providers" [ref=e40] [cursor=pointer]:
+                        - /url: /dashboard/providers
+                        - generic [ref=e41]: dns
+                        - generic [ref=e42]: Providers
+                    - link "layers Combos" [ref=e43] [cursor=pointer]:
+                        - /url: /dashboard/combos
+                        - generic [ref=e44]: layers
+                        - generic [ref=e45]: Combos
+                    - link "auto_awesome Auto Combo" [ref=e46] [cursor=pointer]:
+                        - /url: /dashboard/auto-combo
+                        - generic [ref=e47]: auto_awesome
+                        - generic [ref=e48]: Auto Combo
+                    - link "account_balance_wallet Costs" [ref=e49] [cursor=pointer]:
+                        - /url: /dashboard/costs
+                        - generic [ref=e50]: account_balance_wallet
+                        - generic [ref=e51]: Costs
+                    - link "analytics Analytics" [ref=e52] [cursor=pointer]:
+                        - /url: /dashboard/analytics
+                        - generic [ref=e53]: analytics
+                        - generic [ref=e54]: Analytics
+                    - link "tune Limits & Quotas" [ref=e55] [cursor=pointer]:
+                        - /url: /dashboard/limits
+                        - generic [ref=e56]: tune
+                        - generic [ref=e57]: Limits & Quotas
+                    - link "cached Cache" [ref=e58] [cursor=pointer]:
+                        - /url: /dashboard/cache
+                        - generic [ref=e59]: cached
+                        - generic [ref=e60]: Cache
+                    - link "perm_media Media" [ref=e61] [cursor=pointer]:
+                        - /url: /dashboard/cache/media
+                        - generic [ref=e62]: perm_media
+                        - generic [ref=e63]: Media
+                - generic [ref=e64]:
+                    - paragraph [ref=e65]: CLI
+                    - link "terminal Tools" [ref=e66] [cursor=pointer]:
+                        - /url: /dashboard/cli-tools
+                        - generic [ref=e67]: terminal
+                        - generic [ref=e68]: Tools
+                    - link "smart_toy Agents" [ref=e69] [cursor=pointer]:
+                        - /url: /dashboard/agents
+                        - generic [ref=e70]: smart_toy
+                        - generic [ref=e71]: Agents
+                    - link "psychology Memory" [ref=e72] [cursor=pointer]:
+                        - /url: /dashboard/memory
+                        - generic [ref=e73]: psychology
+                        - generic [ref=e74]: Memory
+                    - link "auto_fix_high Skills" [ref=e75] [cursor=pointer]:
+                        - /url: /dashboard/skills
+                        - generic [ref=e76]: auto_fix_high
+                        - generic [ref=e77]: Skills
+                - generic [ref=e78]:
+                    - paragraph [ref=e79]: System
+                    - link "health_and_safety Health" [ref=e80] [cursor=pointer]:
+                        - /url: /dashboard/health
+                        - generic [ref=e81]: health_and_safety
+                        - generic [ref=e82]: Health
+                    - link "description Logs" [ref=e83] [cursor=pointer]:
+                        - /url: /dashboard/logs
+                        - generic [ref=e84]: description
+                        - generic [ref=e85]: Logs
+                    - link "history Audit Log" [ref=e86] [cursor=pointer]:
+                        - /url: /dashboard/audit
+                        - generic [ref=e87]: history
+                        - generic [ref=e88]: Audit Log
+                    - link "settings Settings" [ref=e89] [cursor=pointer]:
+                        - /url: /dashboard/settings
+                        - generic [ref=e90]: settings
+                        - generic [ref=e91]: Settings
+                - generic [ref=e92]:
+                    - paragraph [ref=e93]: Help
+                    - link "menu_book Docs" [ref=e94] [cursor=pointer]:
+                        - /url: /docs
+                        - generic [ref=e95]: menu_book
+                        - generic [ref=e96]: Docs
+                    - link "bug_report Issues" [ref=e97] [cursor=pointer]:
+                        - /url: https://github.com/diegosouzapw/OmniRoute/issues
+                        - generic [ref=e98]: bug_report
+                        - generic [ref=e99]: Issues
+            - generic [ref=e100]:
+                - button "restart_alt Restart" [ref=e101]:
+                    - generic: restart_alt
+                    - text: Restart
+                - button "power_settings_new Shutdown" [ref=e102]:
+                    - generic: power_settings_new
+                    - text: Shutdown
+        - main [ref=e103]:
+            - generic [ref=e104]:
+                - button "menu" [ref=e106]:
+                    - generic: menu
+                - generic [ref=e107]:
+                    - button "🇺🇸 EN expand_more" [ref=e109]:
+                        - generic [ref=e110]: 🇺🇸
+                        - generic [ref=e111]: EN
+                        - generic: expand_more
+                    - button "Switch to dark mode" [ref=e112]:
+                        - generic: dark_mode
+                    - button "logout" [ref=e113]:
+                        - generic: logout
+            - generic [ref=e115]:
+                - navigation "Breadcrumb" [ref=e116]:
+                    - link "Dashboard" [ref=e118] [cursor=pointer]:
+                        - /url: /dashboard
+                    - generic [ref=e119]:
+                        - generic [ref=e120]: ›
+                        - generic [ref=e121]: Onboarding
+                - generic [ref=e123]:
+                    - generic [ref=e124]:
+                        - generic [ref=e126]: "1"
+                        - generic [ref=e129]: "2"
+                        - generic [ref=e132]: "3"
+                        - generic [ref=e135]: "4"
+                        - generic [ref=e138]: "5"
+                    - generic [ref=e139]:
+                        - generic [ref=e140]:
+                            - generic [ref=e141]: waving_hand
+                            - heading "Welcome" [level=2] [ref=e142]
+                        - generic [ref=e144]:
+                            - paragraph [ref=e145]: OmniRoute is your local AI API proxy. It routes requests to multiple AI providers with load balancing, failover, and usage tracking.
+                            - generic [ref=e146]:
+                                - generic [ref=e147]:
+                                    - generic [ref=e148]: swap_horiz
+                                    - text: Multi-Provider
+                                - generic [ref=e149]:
+                                    - generic [ref=e150]: monitoring
+                                    - text: Usage Tracking
+                                - generic [ref=e151]:
+                                    - generic [ref=e152]: shield
+                                    - text: API Key Mgmt
+                        - button "Get Started" [ref=e155] [cursor=pointer]
+                    - button "Skip wizard entirely" [ref=e157] [cursor=pointer]
+    - alert [ref=e158]
@@ -0,0 +1,132 @@
+- generic [active] [ref=e1]:
+    - link "Skip to content" [ref=e2] [cursor=pointer]:
+        - /url: "#main-content"
+    - generic [ref=e3]:
+        - complementary [ref=e5]:
+            - link "Skip to content" [ref=e6] [cursor=pointer]:
+                - /url: "#main-content"
+            - link "OmniRoute v3.5.0" [ref=e12] [cursor=pointer]:
+                - /url: /dashboard
+                - img [ref=e14]
+                - generic [ref=e26]:
+                    - heading "OmniRoute" [level=1] [ref=e27]
+                    - generic [ref=e28]: v3.5.0
+            - navigation "Main navigation" [ref=e29]:
+                - generic [ref=e30]:
+                    - link "home Home" [ref=e31] [cursor=pointer]:
+                        - /url: /dashboard
+                        - generic [ref=e32]: home
+                        - generic [ref=e33]: Home
+                    - link "api Endpoints" [ref=e34] [cursor=pointer]:
+                        - /url: /dashboard/endpoint
+                        - generic [ref=e35]: api
+                        - generic [ref=e36]: Endpoints
+                    - link "vpn_key API Manager" [ref=e37] [cursor=pointer]:
+                        - /url: /dashboard/api-manager
+                        - generic [ref=e38]: vpn_key
+                        - generic [ref=e39]: API Manager
+                    - link "dns Providers" [ref=e40] [cursor=pointer]:
+                        - /url: /dashboard/providers
+                        - generic [ref=e41]: dns
+                        - generic [ref=e42]: Providers
+                    - link "layers Combos" [ref=e43] [cursor=pointer]:
+                        - /url: /dashboard/combos
+                        - generic [ref=e44]: layers
+                        - generic [ref=e45]: Combos
+                    - link "auto_awesome Auto Combo" [ref=e46] [cursor=pointer]:
+                        - /url: /dashboard/auto-combo
+                        - generic [ref=e47]: auto_awesome
+                        - generic [ref=e48]: Auto Combo
+                    - link "account_balance_wallet Costs" [ref=e49] [cursor=pointer]:
+                        - /url: /dashboard/costs
+                        - generic [ref=e50]: account_balance_wallet
+                        - generic [ref=e51]: Costs
+                    - link "analytics Analytics" [ref=e52] [cursor=pointer]:
+                        - /url: /dashboard/analytics
+                        - generic [ref=e53]: analytics
+                        - generic [ref=e54]: Analytics
+                    - link "tune Limits & Quotas" [ref=e55] [cursor=pointer]:
+                        - /url: /dashboard/limits
+                        - generic [ref=e56]: tune
+                        - generic [ref=e57]: Limits & Quotas
+                    - link "cached Cache" [ref=e58] [cursor=pointer]:
+                        - /url: /dashboard/cache
+                        - generic [ref=e59]: cached
+                        - generic [ref=e60]: Cache
+                    - link "perm_media Media" [ref=e61] [cursor=pointer]:
+                        - /url: /dashboard/cache/media
+                        - generic [ref=e62]: perm_media
+                        - generic [ref=e63]: Media
+                - generic [ref=e64]:
+                    - paragraph [ref=e65]: CLI
+                    - link "terminal Tools" [ref=e66] [cursor=pointer]:
+                        - /url: /dashboard/cli-tools
+                        - generic [ref=e67]: terminal
+                        - generic [ref=e68]: Tools
+                    - link "smart_toy Agents" [ref=e69] [cursor=pointer]:
+                        - /url: /dashboard/agents
+                        - generic [ref=e70]: smart_toy
+                        - generic [ref=e71]: Agents
+                    - link "psychology Memory" [ref=e72] [cursor=pointer]:
+                        - /url: /dashboard/memory
+                        - generic [ref=e73]: psychology
+                        - generic [ref=e74]: Memory
+                    - link "auto_fix_high Skills" [ref=e75] [cursor=pointer]:
+                        - /url: /dashboard/skills
+                        - generic [ref=e76]: auto_fix_high
+                        - generic [ref=e77]: Skills
+                - generic [ref=e78]:
+                    - paragraph [ref=e79]: System
+                    - link "health_and_safety Health" [ref=e80] [cursor=pointer]:
+                        - /url: /dashboard/health
+                        - generic [ref=e81]: health_and_safety
+                        - generic [ref=e82]: Health
+                    - link "description Logs" [ref=e83] [cursor=pointer]:
+                        - /url: /dashboard/logs
+                        - generic [ref=e84]: description
+                        - generic [ref=e85]: Logs
+                    - link "history Audit Log" [ref=e86] [cursor=pointer]:
+                        - /url: /dashboard/audit
+                        - generic [ref=e87]: history
+                        - generic [ref=e88]: Audit Log
+                    - link "settings Settings" [ref=e89] [cursor=pointer]:
+                        - /url: /dashboard/settings
+                        - generic [ref=e90]: settings
+                        - generic [ref=e91]: Settings
+                - generic [ref=e92]:
+                    - paragraph [ref=e93]: Help
+                    - link "menu_book Docs" [ref=e94] [cursor=pointer]:
+                        - /url: /docs
+                        - generic [ref=e95]: menu_book
+                        - generic [ref=e96]: Docs
+                    - link "bug_report Issues" [ref=e97] [cursor=pointer]:
+                        - /url: https://github.com/diegosouzapw/OmniRoute/issues
+                        - generic [ref=e98]: bug_report
+                        - generic [ref=e99]: Issues
+            - generic [ref=e100]:
+                - button "restart_alt Restart" [ref=e101]:
+                    - generic: restart_alt
+                    - text: Restart
+                - button "power_settings_new Shutdown" [ref=e102]:
+                    - generic: power_settings_new
+                    - text: Shutdown
+        - main [ref=e103]:
+            - generic [ref=e104]:
+                - button "menu" [ref=e106]:
+                    - generic: menu
+                - generic [ref=e107]:
+                    - button "🇺🇸 EN expand_more" [ref=e109]:
+                        - generic [ref=e110]: 🇺🇸
+                        - generic [ref=e111]: EN
+                        - generic: expand_more
+                    - button "Switch to dark mode" [ref=e112]:
+                        - generic: dark_mode
+                    - button "logout" [ref=e113]:
+                        - generic: logout
+            - navigation "Breadcrumb" [ref=e116]:
+                - link "Dashboard" [ref=e118] [cursor=pointer]:
+                    - /url: /dashboard
+                - generic [ref=e119]:
+                    - generic [ref=e120]: ›
+                    - generic [ref=e121]: Providers
+    - alert [ref=e135]
@@ -3,162 +3,263 @@
 ## Project

 Unified AI proxy/router — route any LLM through one endpoint. Multi-provider support
-(OpenAI, Anthropic, Gemini, DeepSeek, Groq, xAI, Mistral, Fireworks, Cohere, etc.)
-with **MCP Server** (16 tools for agent control) and **A2A v0.3 Protocol** (Agent-to-Agent orchestration).
+with **60+ providers** (OpenAI, Anthropic, Gemini, DeepSeek, Groq, xAI, Mistral, Fireworks,
+Cohere, NVIDIA, Cerebras, Pollinations, Puter, Cloudflare AI, HuggingFace, and many more)
+with **MCP Server** (25 tools), **A2A v0.3 Protocol**, and **Electron desktop app**.

 ## Stack

- **Runtime**: Next.js 16 (App Router), Node.js, ES Modules
- **Language**: TypeScript 5.9 (`src/`) + JavaScript (`open-sse/`)
+- **Runtime**: Next.js 16 (App Router), Node.js ≥18 <24, ES Modules (`"type": "module"`)
+- **Language**: TypeScript 5.9 (`src/`) + JavaScript (`open-sse/`, `electron/`)
 - **Database**: better-sqlite3 (SQLite) — `DATA_DIR` configurable, default `~/.omniroute/`
- **Streaming**: SSE via `open-sse` internal package
+- **Streaming**: SSE via `open-sse` internal workspace package
 - **Styling**: Tailwind CSS v4
- **Docker**: Multi-stage Dockerfile, 3 profiles (base / cli / host)
- **i18n**: next-intl with 30 languages (`src/i18n/messages/`)
+- **i18n**: next-intl with 30 languages
+- **Desktop**: Electron (cross-platform: Windows, macOS, Linux)
+- **Schemas**: Zod v4 for all API / MCP input validation
+
+---
+
+## Build, Lint, and Test Commands
+
+| Command                             | Description                       |
+| ----------------------------------- | --------------------------------- |
+| `npm run dev`                       | Start Next.js dev server          |
+| `npm run build`                     | Production build (isolated)       |
+| `npm run start`                     | Run production build              |
+| `npm run build:cli`                 | Build CLI package                 |
+| `npm run lint`                      | ESLint on all source files        |
+| `npm run typecheck:core`            | TypeScript core type checking     |
+| `npm run typecheck:noimplicit:core` | Strict checking (no implicit any) |
+| `npm run check`                     | Run lint + test                   |
+| `npm run check:cycles`              | Check for circular dependencies   |
+| `npm run electron:dev`              | Run Electron app in dev mode      |
+| `npm run electron:build`            | Build Electron app for current OS |
+
+### Running Tests
+
+```bash
+# All tests (unit + vitest + ecosystem + e2e)
+npm run test:all
+
+# Single test file (Node.js native test runner — most tests use this)
+node --import tsx/esm --test tests/unit/your-file.test.mjs
+node --import tsx/esm --test tests/unit/plan3-p0.test.mjs
+node --import tsx/esm --test tests/unit/fixes-p1.test.mjs
+node --import tsx/esm --test tests/unit/security-fase01.test.mjs
+
+# Integration tests
+node --import tsx/esm --test tests/integration/*.test.mjs
+
+# Vitest (MCP server, autoCombo)
+npm run test:vitest
+
+# E2E with Playwright
+npm run test:e2e
+
+# Protocol clients E2E (MCP transports, A2A)
+npm run test:protocols:e2e
+
+# Ecosystem compatibility tests
+npm run test:ecosystem
+
+# Coverage (60% minimum for statements, lines, functions, and branches)
+npm run test:coverage
+```
+
+### PR Coverage Policy
+
+- `npm run test:coverage` is the PR coverage gate in CI.
+- The repository minimum is **60%** for statements, lines, functions, and branches.
+- If a PR changes production code in `src/`, `open-sse/`, `electron/`, or `bin/`, it must include or update automated tests in the same PR.
+- For agent-driven review or coding flows: if coverage is below the gate or source changes ship without tests, do not stop at reporting. Add or update tests first, rerun the gate, and only then ask for confirmation.
+
+---
+
+## Code Style Guidelines
+
+### Formatting (Prettier — enforced via lint-staged)
+
+2 spaces · semicolons required · double quotes (`"`) · 100 char width · es5 trailing commas.
+Always run `prettier --write` on changed files.
+
+### TypeScript
+
+- **Target**: ES2022 · **Module**: `esnext` · **Resolution**: `bundler`
+- `strict: false` — prefer explicit types, don't rely on inference
+- Path aliases: `@/*` → `src/`, `@omniroute/open-sse` → `open-sse/`, `@omniroute/open-sse/*` → `open-sse/*`
+
+### ESLint Rules
+
+- **Security (error, everywhere)**: `no-eval`, `no-implied-eval`, `no-new-func`
+- **Relaxed in `open-sse/` and `tests/`**: `@typescript-eslint/no-explicit-any` = warn
+- React hooks rules and `@next/next/no-assign-module-variable` disabled in `open-sse/` and `tests/`
+
+### Naming
+
+| Element             | Convention                       | Example                              |
+| ------------------- | -------------------------------- | ------------------------------------ |
+| Files               | camelCase / kebab-case           | `chatCore.ts`, `tokenHealthCheck.ts` |
+| React components    | PascalCase                       | `Dashboard.tsx`, `ProviderCard.tsx`  |
+| Functions/variables | camelCase                        | `getHealth()`, `switchCombo()`       |
+| Constants           | UPPER_SNAKE                      | `MAX_RETRIES`, `DEFAULT_TIMEOUT`     |
+| Interfaces          | PascalCase (`I` prefix optional) | `ProviderConfig`                     |
+| Enums               | PascalCase (members too)         | `LogLevel.Error`                     |
+
+### Imports
+
+- **Order**: external → internal (`@/`, `@omniroute/open-sse`) → relative (`./`, `../`)
+- **No barrel imports** from `localDb.ts` — import from the specific `db/` module instead
+
+### Error Handling
+
+- try/catch with specific error types; always log with context (pino logger)
+- Never silently swallow errors in SSE streams — use abort signals for cleanup
+- Return proper HTTP status codes (4xx client, 5xx server)
+
+### Security
+
+- **NEVER** commit API keys, secrets, or credentials
+- Validate all user inputs with Zod schemas
+- Auth middleware required on all API routes
+- Never log SQLite encryption keys
+- Sanitize user content (dompurify for HTML)
+
+---

 ## Architecture

 ### Data Layer (`src/lib/db/`)

 All persistence uses SQLite through domain-specific modules:
-
-| Module         | Responsibility                             |
-| -------------- | ------------------------------------------ |
-| `core.ts`      | SQLite engine, migrations, WAL, encryption |
-| `providers.ts` | Provider connections & nodes               |
-| `models.ts`    | Model aliases, MITM aliases, custom models |
-| `combos.ts`    | Combo configurations                       |
-| `apiKeys.ts`   | API key management & validation            |
-| `settings.ts`  | Settings, pricing, proxy config            |
-| `backup.ts`    | Backup / restore operations                |
-
-`src/lib/localDb.ts` is a **re-export layer only** — all 27+ consumers import from it,
-but the real logic lives in `src/lib/db/`.
+`core.ts`, `providers.ts`, `models.ts`, `combos.ts`, `apiKeys.ts`, `settings.ts`,
+`backup.ts`, `proxies.ts`, `prompts.ts`, `webhooks.ts`, `detailedLogs.ts`,
+`domainState.ts`, `registeredKeys.ts`, `quotaSnapshots.ts`, `modelComboMappings.ts`,
+`cliToolState.ts`, `encryption.ts`, `readCache.ts`, `secrets.ts`, `stateReset.ts`.
+Schema migrations live in `db/migrations/` and run via `migrationRunner.ts`.
+`src/lib/localDb.ts` is a **re-export layer only** — never add logic there.

 ### Request Pipeline (`open-sse/`)

-| Handler                 | Role                                        |
-| ----------------------- | ------------------------------------------- |
-| `chatCore.js`           | Main chat completions proxy (SSE / non-SSE) |
-| `responsesHandler.js`   | OpenAI Responses API compat                 |
-| `responseTranslator.js` | Format translation for Responses API        |
-| `embeddings.js`         | Embedding proxy                             |
-| `imageGeneration.js`    | Image generation proxy                      |
-| `sseParser.js`          | SSE stream parser                           |
-| `usageExtractor.js`     | Token usage extraction from responses       |
+`chatCore.ts` → executor → upstream provider. Translations in `open-sse/translator/`.

-Translation between provider formats: `open-sse/translator/`
+**Handlers** (`open-sse/handlers/`): `chatCore.ts`, `responsesHandler.ts`, `embeddings.ts`,
+`imageGeneration.ts`, `videoGeneration.ts`, `musicGeneration.ts`, `audioSpeech.ts`,
+`audioTranscription.ts`, `moderations.ts`, `rerank.ts`, `search.ts`.

-**Upstream model extra headers** (`compatByProtocol` / custom models): merged in executors after default auth; **same header name replaces** the executor value (e.g. custom `Authorization` overrides Bearer). In `open-sse/handlers/chatCore.ts`, the primary request merges headers for **both** the client model id and `resolveModelAlias(clientModel)` (resolved id wins on key conflicts). **T5 intra-family fallback** recomputes headers using only the fallback model id and `resolveModelAlias(fallback)` so sibling models do not inherit another model’s headers. Forbidden header names live in `src/shared/constants/upstreamHeaders.ts` — keep sanitize (`models.ts`), Zod (`schemas.ts`), and unit tests aligned when editing that list.
+**Upstream headers**: merged after default auth; same header name replaces executor value.
+**T5 intra-family fallback** recomputes headers using only the fallback model id.
+Forbidden header names: `src/shared/constants/upstreamHeaders.ts` — keep sanitize,
+Zod schemas, and unit tests aligned when editing.
+
+### Provider Categories
+
+- **Free** (4): Qoder AI, Qwen Code, Gemini CLI (deprecated), Kiro AI
+- **OAuth** (8): Claude Code, Antigravity, Codex, GitHub Copilot, Cursor, Kimi Coding, Kilo Code, Cline
+- **API Key** (48+): OpenAI, Anthropic, Gemini, DeepSeek, Groq, xAI, Mistral, Perplexity,
+  Together, Fireworks, Cerebras, Cohere, NVIDIA, Nebius, SiliconFlow, Hyperbolic,
+  HuggingFace, OpenRouter, Vertex AI, Cloudflare AI, Scaleway, AI/ML API, Pollinations,
+  Puter, Longcat, Alibaba, Kimi, Minimax, Blackbox, Synthetic, Kilo Gateway,
+  Z.AI, GLM, Deepgram, AssemblyAI, ElevenLabs, Cartesia, PlayHT, Inworld,
+  NanoBanana, SD WebUI, ComfyUI, Ollama Cloud, Perplexity Search, Serper, Brave, Exa,
+  Tavily, OpenCode Zen/Go, Bailian Coding Plan, and more.
+- **Custom**: OpenAI-compatible (`openai-compatible-*`) and Anthropic-compatible (`anthropic-compatible-*`) prefixes
+
+Providers are registered in `src/shared/constants/providers.ts` with Zod validation at module load.
+
+### Executors (`open-sse/executors/`)
+
+Provider-specific request executors: `base.ts`, `default.ts`, `cursor.ts`, `codex.ts`,
+`antigravity.ts`, `github.ts`, `gemini-cli.ts`, `kiro.ts`, `qoder.ts`, `vertex.ts`,
+`cloudflare-ai.ts`, `opencode.ts`, `pollinations.ts`, `puter.ts`.
+
+### Translator (`open-sse/translator/`)
+
+Translates between API formats (OpenAI-format ↔ Anthropic, Gemini, etc.).
+Includes request/response translators with helpers for image handling.
+
+### Transformer (`open-sse/transformer/`)
+
+`responsesTransformer.ts` — transforms Responses API format to/from Chat Completions format.
+
+### Services (`open-sse/services/`)
+
+36+ service modules including: `combo.ts` (routing engine), `usage.ts`, `tokenRefresh.ts`,
+`rateLimitManager.ts`, `accountFallback.ts`, `sessionManager.ts`, `wildcardRouter.ts`,
+`autoCombo/`, `intentClassifier.ts`, `taskAwareRouter.ts`, `thinkingBudget.ts`,
+`contextManager.ts`, `modelDeprecation.ts`, `modelFamilyFallback.ts`,
+`emergencyFallback.ts`, `workflowFSM.ts`, `backgroundTaskDetector.ts`, `ipFilter.ts`,
+`signatureCache.ts`, `volumeDetector.ts`, and more.
+
+### Domain Layer (`src/domain/`)
+
+Policy engine modules: `policyEngine.ts`, `comboResolver.ts`, `costRules.ts`,
+`degradation.ts`, `fallbackPolicy.ts`, `lockoutPolicy.ts`, `modelAvailability.ts`,
+`providerExpiration.ts`, `quotaCache.ts`, `responses.ts`, `configAudit.ts`.

 ### MCP Server (`open-sse/mcp-server/`)

-16 tools for AI agent control via **3 transport modes**:
+25 tools, 3 transports (stdio / SSE / Streamable HTTP). Scoped auth (10 scopes), Zod schemas.

- **stdio** — Local IDE integration (Claude Desktop, Cursor, VS Code)
- **SSE** — Remote Server-Sent Events at `/api/mcp/sse`
- **Streamable HTTP** — Modern bidirectional HTTP at `/api/mcp/stream`
+**Core tools** (18): get_health, list_combos, get_combo_metrics, switch_combo, check_quota,
+route_request, cost_report, list_models_catalog, simulate_route, set_budget_guard,
+set_routing_strategy, set_resilience_profile, test_combo, get_provider_metrics,
+best_combo_for_task, explain_route, get_session_snapshot, sync_pricing.

-HTTP transports run in-process via `httpTransport.ts` singleton using `WebStandardStreamableHTTPServerTransport`.
+**Memory tools** (3): memory_search, memory_add, memory_clear.

-| Category  | Tools                                                                                                                                                                |
-| --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Essential | `get_health`, `list_combos`, `get_combo_metrics`, `switch_combo`, `check_quota`, `route_request`, `cost_report`, `list_models_catalog`                               |
-| Advanced  | `simulate_route`, `set_budget_guard`, `set_resilience_profile`, `test_combo`, `get_provider_metrics`, `best_combo_for_task`, `explain_route`, `get_session_snapshot` |
-
- Scoped authorization (9 scopes), audit logging, Zod schemas
- IDE configs for Claude Desktop, Cursor, VS Code Copilot
+**Skill tools** (4): skills_list, skills_enable, skills_execute, skills_executions.

 ### A2A Server (`src/lib/a2a/`)

-Agent-to-Agent v0.3 protocol:
+JSON-RPC 2.0, SSE streaming, Task Manager with TTL cleanup(
+Agent Card at `/.well-known/agent.json`.
+Skills: `quotaManagement.ts`, `smartRouting.ts`.

- JSON-RPC 2.0: `message/send`, `message/stream`, `tasks/get`, `tasks/cancel`
- Agent Card at `/.well-known/agent.json`
- Skills: `smart-routing`, `quota-management`
- SSE streaming with 15s heartbeat
- Task Manager with state machine and TTL-based cleanup
+### ACP Module (`src/lib/acp/`)

-### Auto-Combo Engine (`open-sse/services/autoCombo/`)
+Agent Communication Protocol registry and manager.

-Self-healing routing optimization:
+### Memory System (`src/lib/memory/`)

- 6-factor scoring, 4 mode packs, bandit exploration
- Progressive cooldown, probe-based re-admission
+Extraction, injection, retrieval, summarization, and store modules for persistent
+conversational memory across sessions.

-### Dashboard (`src/app/(dashboard)/`)
+### Skills System (`src/lib/skills/`)

-| Page                     | Description                                                     |
-| ------------------------ | --------------------------------------------------------------- |
-| `/dashboard`             | Home with quick start, provider overview                        |
-| `/dashboard/endpoint`    | **Endpoints** (tabbed): Endpoint Proxy, MCP, A2A, API Endpoints |
-| `/dashboard/providers`   | Provider management and connections                             |
-| `/dashboard/combos`      | Combo configurations with routing strategies                    |
-| `/dashboard/logs`        | Request, Proxy, Audit, Console logs (tabbed)                    |
-| `/dashboard/analytics`   | Usage analytics and evaluations                                 |
-| `/dashboard/costs`       | Cost tracking and breakdown                                     |
-| `/dashboard/health`      | Uptime, circuit breakers, latency                               |
-| `/dashboard/cli-tools`   | CLI tool integrations (Claude, Codex, Antigravity, etc.)        |
-| `/dashboard/media`       | Image, Video, Music generation playground                       |
-| `/dashboard/settings`    | System settings with multiple tabs                              |
-| `/dashboard/api-manager` | API key management with model permissions                       |
+Extensible skill framework: registry, executor, sandbox, built-in skills,
+custom skill support, interception, and injection.

-### OAuth & Tokens (`src/lib/oauth/`)
+### Compliance (`src/lib/compliance/`)

-18 modules handling OAuth flows, token refresh, and provider credentials.
-Default credentials are hardcoded in `src/lib/oauth/constants/oauth.ts`,
-overridable via env vars or `data/provider-credentials.json`.
+Policy index for compliance enforcement.

-### Supporting Systems
+### MITM Proxy (`src/mitm/`)

-| System                     | Location                                          |
-| -------------------------- | ------------------------------------------------- |
-| Usage tracking & analytics | `src/lib/usageDb.ts`, `src/lib/usageAnalytics.ts` |
-| Token health checks        | `src/lib/tokenHealthCheck.ts`                     |
-| Cloud sync                 | `src/lib/cloudSync.ts`                            |
-| Proxy logging              | `src/lib/proxyLogger.ts`                          |
-| Data paths resolution      | `src/lib/dataPaths.ts`                            |
+MITM proxy capability with certificate management, DNS handling, and target routing.
+
+### Middleware (`src/middleware/`)
+
+Request middleware including `promptInjectionGuard.ts`.

 ### Adding a New Provider

 1. Register in `src/shared/constants/providers.ts`
-2. Add executor in `open-sse/executors/`
-3. Add translator rules in `open-sse/translator/` (if non-OpenAI format)
+2. Add executor in `open-sse/executors/` (if custom logic needed)
+3. Add translator in `open-sse/translator/` (if non-OpenAI format)
 4. Add OAuth config in `src/lib/oauth/constants/oauth.ts` (if OAuth-based)
+5. Add models in `open-sse/config/providerRegistry.ts`
+
+---

 ## Review Focus

-### Security
-
- No hardcoded API keys or secrets in commits
- Auth middleware on all API routes
- Input validation on user-facing endpoints (Zod schemas)
- SQLite encryption key must not be logged
-
-### Architecture
-
- DB operations go through `src/lib/db/` modules, never raw SQL in routes
- Provider requests flow through `open-sse/handlers/`
- Translations use `open-sse/translator/` modules
- `localDb.ts` is re-exports only — add new functions to the proper `db/*.ts` module
- MCP and A2A pages are embedded as tabs inside `/dashboard/endpoint`, not standalone routes
-
-### Code Quality
-
- Consistent error handling with try/catch
- Proper HTTP status codes
- No memory leaks in SSE streams (abort signals, cleanup)
- Rate limit headers must be parsed correctly
- All API inputs validated with Zod schemas
-
-### Docker
-
- Dockerfile has two targets: `runner-base` and `runner-cli`
- `docker-compose.yml` — development (3 profiles)
- `docker-compose.prod.yml` — isolated production instance (port 20130)
- Data persists in named volumes (`omniroute-data` / `omniroute-prod-data`)
-
-### Review Mode
-
- Provide analysis and suggestions only
- Focus on bugs, security, performance, and best practices
+- **DB ops** go through `src/lib/db/` modules, never raw SQL in routes
+- **Provider requests** flow through `open-sse/handlers/`
+- **MCP/A2A pages** are tabs inside `/dashboard/endpoint`, not standalone routes
+- **No memory leaks** in SSE streams (abort signals, cleanup)
+- **Rate limit headers** must be parsed correctly
+- All API inputs validated with **Zod schemas**
+- **Provider constants** validated at module load via Zod (`src/shared/validation/providerSchema.ts`)
+- **Pricing data** syncs from LiteLLM via `src/lib/pricingSync.ts`
+- **Memory/Skills** are cross-cutting: affect MCP tools, request pipeline, and A2A skills
@@ -4,6 +4,319 @@

 ---

+## [3.5.3] - 2026-04-07
+
+### Security
+
+- **Vulnerabilities:** Fully remediated 12 High-Severity CodeQL vulnerabilities by migrating from Math.random to `crypto.randomUUID()`, wrapping SSE injection points with aggressive backslash escaping, sanitizing trailing HTTP fragments, and enforcing rigid SSRF HTTP verification schemes across internal routes.
+- **Dependencies:** Upgraded Next.js to `^16.2.2` and Vite to `>=8.0.5` resolving critical DoS, arbitrary file reads and CSRF vectors in the build/server environments.
+
+### Fixed
+
+- **E2E Stability:** Eliminated extreme CI unreliability and transient test timeouts (Playwright) by propagating internal standalone `_next/static` assets properly and refactoring deep UI interactions inside defensive `expect().toPass()` loops.
+- **Middleware:** Resolved infinite redirect loop on dashboard for fresh instances when requireLogin is disabled.
+- **Core Fallbacks:** Preserved primary failure contexts and enhanced Edge-case error handling pipelines across chat and fallback loops.
+- **Proxy/Hooks:** Optimized local git hooks, normalized token coverage endpoints into `/coverage`, and guarded GLM region lookups.
+
+### 🛠️ Maintenance
+
+- **CI/CD Stabilization:** Prevented random GitHub Runner freezes by decoupling sharded processes, adjusting test concurrencies, unref-ing active connections on server teardown, and strictly capping job timeout durations.
+
+### Documentation
+
+- **I18n Engine:** Synchronized and pushed deep Machine Translation updates across all 32 natively-supported languages (682 translation nodes aligned).
+
+### Coverage
+
+- **Testing:** Consolidated the workspace test coverage framework hitting 92.1% statement line coverage, with new rigid unit-tests matching API key policies and tool scopes.
+
+---
+
+## [3.5.2] — 2026-04-05
+
+### ✨ New Features
+
+- **Qoder API Native Integration:** Completely refactored the Qoder Executor to bypass the legacy COSY AES/RSA encryption algorithm, routing directly into the native DashScope OpenAi-compatible URL. Eliminates complex dependencies on Node `crypto` modules while improving stream fidelity.
+- **Resilience Engine Overhaul:** Integrated context overflow graceful fallbacks, proactive OAuth token detection, and empty-content emission prevention (#990).
+- **Context-Optimized Routing Strategy:** Added new intelligent routing capability to natively maximize context windows in automated combo deployments (#990).
+
+### 🐛 Bug Fixes
+
+- **Responses API Stream Corruption:** Fixed deep-cloning corruption where Anthropic/OpenAI translation boundaries stripped `response.` specific SSE prefixes from streaming boundaries (#992).
+- **Claude Cache Passthrough Alignment:** Aligned CC-Compatible cache markers consistently with upstream Client Pass-Through mode preserving prompt caching.
+- **Turbopack Memory Leak:** Pinned Next.js to strict `16.0.10` preventing memory leaks and build staleness from recent upstream Turbopack hashed module regressions (#987).
+
+---
+
+## [3.5.1] — 2026-04-04
+
+### ✨ New Features
+
+- **Models.dev Integration:** Integrated models.dev as the authoritative runtime source for model pricing, capabilities, and specifications, overriding hardcoded prices. Includes a settings UI to manage sync intervals, translation strings for all 30 languages, and robust test coverage.
+- **Provider Native Capabilities:** Added support for declaring and checking native API features (e.g. `systemInstructions_supported`) preventing failures by sanitizing invalid roles. Currently configured for Gemini Base and Antigravity OAuth providers.
+- **API Provider Advanced Settings:** Added per-connection custom `User-Agent` overrides for API-key provider connections. The override is stored in `providerSpecificData.customUserAgent` and now applies to validation probes and upstream execution requests.
+
+### 🐛 Bug Fixes
+
+- **Qwen OAuth Reliability:** Resolved a series of OAuth integration issues including a 400 Bad Request blocker on expired tokens, fallback generation for parsing OIDC `access_token` properties when `id_token` is omitted, model catalog discovery errors, and strict filtering of `X-Dashscope-*` headers to avoid 400 rejection from OpenAI-compatible endpoints.
+
+## [3.5.0] — 2026-04-03
+
+### ✨ New Features
+
+- **Auto-Combo & Routing:** Completed native CRUD lifecycle integration for the advanced Auto-Combo engine (#955).
+- **Core Operations:** Fixed missing translations for new native Auto-Combos options (#955).
+- **Security Validation:** Disabled SQLite auto-backup tasks natively during unit test CI execution to explicitly resolve Node 22 Event Loop hanging memory leaks (#956).
+- **Ecosystem Proxies:** Completed explicit integration mapping model synchronization schedulers, OAuth cycles, and Token Check refreshes safely through OmniRoute's native system upstream proxies (#953).
+- **MCP Extensibility:** Added and successfully registered the new `omniroute_web_search` MCP framework tool out of beta into production schemas (#951).
+- **Tokens Buffer Logic:** Added runtime configuration limits extending configurable input/output token buffers for precise Usage Tracking metrics (#959).
+
+### 🐛 Bug Fixes
+
+- **CodeQL Remediation:** Fully resolved and secured critical string indexing operations preventing Server-Side Request Forgery (SSRF) arrays indexing heuristics alongside polynomial algorithmic backtracking (ReDoS) inside deep proxy dispatcher modules.
+- **Crypto Hashes:** Replaced weak unverified legacy OAuth 1.0 hashes with robust HMAC-SHA-256 standard validation primitives ensuring tight access controls.
+- **API Boundary Protection:** Correctly verified and mapped structural route protections enforcing strict `isAuthenticated()` middleware logic covering newer dynamic endpoints targeting settings manipulation and native skills loading.
+- **CLI Ecosystem Compat:** Resolved broken native runtime parser bindings crashing `where` environment detectors strictly over `.cmd/.exe` edge cases gracefully for external plugins (#969).
+- **Cache Architecture:** Refactored exact Analytics and System Settings dashboard parameters layout structure caching to maintain stable re-hydration persistence cycles resolving visual unaligned state flashes (#952).
+- **Claude Caching Standards:** Normalized and accurately strictly preserved critical ephemeral block markers `ephemeral` caching TTL orders for downstream nodes enforcing standard compatible CC requests mapping cleanly without dropped metrics (#948).
+- **Internal Aliases Auth:** Simplified internal runtime mappings normalizing Codex credential payload lookups inside global translation parameters resolving 401 unauthenticated drops (#958).
+
+### 🛠️ Maintenance
+
+- **UI Discoverability:** Correctly adjusted layout categorizations explicitly separating free tier providers logic improving UX sorting flows inside the general API registry pages (#950).
+- **Deployment Topology:** Unified Docker deployment artifacts ensuring the root `fly.toml` matches expected cloud instance parameters out-of-the-box natively handling automated deployments scaling properly.
+- **Development Tooling:** Decoupled `LKGP` runtime parameters into explicit DB layer abstraction caching utilities ensuring strict test isolation coverage for core caching layers safely.
+
+---
+
+## [3.4.9] — 2026-04-03
+
+### Features & Refactoring
+
+- **Dashboard Auto-Combo Panel:** Completely refactored the `/dashboard/auto-combo` UI to seamlessly integrate with native Dashboard Cards and standardized visual padding/headers. Added dynamic visual progress bars mapping model selection weight mechanisms.
+- **Settings Routing Sync:** Fully exposed advanced routing `priority` and `weighted` schema targets internally inside global settings fallback lists.
+
+### Bug Fixes
+
+- **Memory & Skills Locale Nodes:** Resolved empty rendering tags for Memory and Skills options directly inside global settings views by wiring all `settings.*` mapping values internally into `en.json` (also mapped implicitly for cross-translation tools).
+
+### Internal Integrations
+
+- Integrated PR #946 — fix: preserve Claude Code compatibility in responses conversion
+- Integrated PR #944 — fix(gemini): preserve thought signatures across antigravity tool calls
+- Integrated PR #943 — fix: restore GitHub Copilot body
+- Integrated PR #942 — Fix cc-compatible cache markers
+- Integrated PR #941 — refactor(auth): improve NVIDIA alias lookup + add LKGP error logging
+- Integrated PR #939 — Restore Claude OAuth localhost callback handling
+- _(Note: PR #934 was omitted from 3.4.9 cycle to prevent core conflict regressions)_
+
+---
+
+## [3.4.8] — 2026-04-03
+
+### Security
+
+- Fully remediated all outstanding Github Advanced Security (CodeQL) findings and Dependabot alerts.
+- Fixed insecure randomness vulnerabilities by migrating from `Math.random` to `crypto.randomUUID()`.
+- Secured shell commands in automated scripts from string injection.
+- Migrated vulnerable catastrophic backtracking RegEx parsing patterns in chat/translation pipelines.
+- Enhanced output sanitization controls inside React UI components and Server Sent Events (SSE) tag injection.
+
+---
+
+## [3.4.7] — 2026-04-03
+
+### Features
+
+- Added `Cryptography` node to Monitoring and MCP health checks (#798)
+- Hardened model-catalog route permissions mapping (`/models`) (#781)
+
+### Bug Fixes
+
+- Fixed Claude OAuth token refreshes failing to preserve cache contexts (#937)
+- Fixed CC-Compatible provider errors rendering cached models unreachable (#937)
+- Fixed GitHub Executor errors related to invalid context arrays (#937)
+- Fixed NPM-installed CLI tools healthcheck failures on Windows (#935)
+- Fixed payload translation dropping valid content due to invalid API fields (#927)
+- Fixed runtime crash in Node 25 regarding API key execution (#867)
+- Fixed MCP standalone module-resolution (`ERR_MODULE_NOT_FOUND`) via `esbuild` (#936)
+- Fixed NVIDIA NIM routing credential resolution alias mismatch (#931)
+
+### Security
+
+- Added safe strict input boundary protection against raw `shell: true` remote-code execution injections.
+
+---
+
+## [3.4.6] - 2026-04-02
+
+### ✨ New Features
+
+- **Providers:** Registered new image, video, and audio generation providers from the community-requested list (#926).
+- **Dashboard UI:** Added standalone sidebar navigation for the new Memory and Skills modules (#926).
+- **i18n:** Added translation strings and layout mappings across 30 languages for the Memory and Skills namespaces.
+
+### 🐛 Bug Fixes
+
+- **Resilience:** Prevented the proxy Circuit Breaker from becoming stuck in an OPEN state indefinitely by handling direct transitions to CLOSED state inside fallback combo paths (#930).
+- **Protocol Translation:** Patched the streaming transformer to sanitize response blocks based on the expected _source_ protocol rather than the provider _target_ protocol, fixing Anthropics models wrapped in OpenAI payloads crashing Claude Code (#929).
+- **API Specs & Gemini:** Fixed `thought_signature` parsing in `openai-to-gemini` and `claude-to-gemini` translators, preventing HTTP 400 errors across all Gemini 3 API tool-calls.
+- **Providers:** Cleaned up non-OpenAI-compatible endpoints preventing valid upstream connections (#926).
+- **Cache Trends:** Fixed an invalid property mapping data mismatch causing Cache Trends UI charts to crash, and extracted redundant cache metric widgets (#926).
+
+---
+
+## [3.4.5] - 2026-04-02
+
+### ✨ New Features
+
+- **CLIProxyAPI Ecosystem Integration:** Added the `cliproxyapi` executor with built-in module-level caching and proxy routing. Introduced a comprehensive Version Manager service to automatically test health, download binaries from GitHub, spawn isolated background processes, and cleanly manage the lifecycle of external CLI tools directly through the UI. Includes DB tables for proxy configuration to enable automatic SSRF-gated cross-routing of external OpenAI requests via the local CLI tool layer (#914, #915, #916).
+- **Qoder PAT Support:** Integrated Personal Access Tokens (PAT) support directly via the local `qodercli` transport instead of legacy remote `.cn` browser configurations (#913).
+- **Gemini 3.1 Pro Preview (GitHub):** Added `gemini-3.1-pro-preview` canonical explicit model support natively into the GitHub Copilot provider while preserving older routing aliases (#924).
+
+### 🐛 Bug Fixes
+
+- **GitHub Copilot Token Stability:** Repaired the Copilot token refresh loop where stale tokens weren't deep-merged into DB, and removed `reasoning_text` fields that were fatally breaking downstream Anthropic block conversions for multi-turn chats (#923).
+- **Global Timeout Matrix:** Centralized and parameterized request timeouts explicitly from `REQUEST_TIMEOUT_MS` to prevent hidden (~300s) default fetch buffers prematurely cutting off long-lived SSE streaming responses from heavy reasoning models (#918).
+- **Cloudflare Quick Tunnels State:** Fixed a severe state inconsistency where restarted OmniRoute instances erroneously showed destroyed tunnels as active, and defaulted cloudflared tunneling to `HTTP/2` to eliminate UDP receive buffer log spam (#925).
+- **i18n Translation Overhaul (Czech & Hindi):** Fixed Hindi code from DEPRECATED `in.json` to canonical `hi.json`, overhauled Czech text mappings, extracted `untranslatable-keys.json` to fix CI/CD false-positive validations, and generated comprehensive `I18N.md` docs to guide translators (#912).
+- **Tokens Provider Recovery:** Fixed Qwen losing specific `resourceUrl` endpoints after automatic health-check token refreshes because of missing DB deep merges (#917).
+- **CC Compatible UX & Streaming:** Unified the Add CC/OpenAI/Anthropic compatible actions around the Anthropic UI treatment, forced CC-compatible upstream requests to use SSE while still returning streaming or non-streaming responses based on the client request, removed CC model-list configuration/import support in favor of an explicit unsupported-model-listing error, and made CC-compatible Available Models mirror the OAuth Claude Code registry list (#921).
+
+---
+
+## [3.4.4] - 2026-04-02
+
+### 🐛 Bug Fixes
+
+- **Responses API Token Reporting:** Emit `response.completed` with correct `input_tokens`/`output_tokens` fields for Codex CLI clients, fixing token usage display (#909 — thanks @christopher-s).
+- **SQLite WAL Checkpoint on Shutdown:** Flush WAL changes into the primary database file during graceful shutdown/restart, preventing data loss on Docker container stops (#905 — thanks @rdself).
+- **Graceful Shutdown Signal:** Changed `/api/restart` and `/api/shutdown` routes from `process.exit(0)` to `process.kill(SIGTERM)`, ensuring the shutdown handler runs before exit.
+- **Docker Stop Grace Period:** Added `stop_grace_period: 40s` to Docker Compose files and `--stop-timeout 40` to Docker run examples.
+
+### 🛠️ Maintenance
+
+- Closed 5 resolved/not-a-bug issues (#872, #814, #816, #890, #877).
+- Triaged 6 issues with needs-info requests (#892, #887, #886, #865, #895, #870).
+- Responded to CLI detection tracking issue (#863) with contributor guidance.
+
+---
+
+## [3.4.3] - 2026-04-02
+
+### ✨ New Features
+
+- **Antigravity Memory & Skills:** Completed remote memory and skills injection for the Antigravity provider at the proxy network level.
+- **Claude Code Compatibility:** Built a natively hidden compatibility bridge for Claude Code, passing tools and formatting through cleanly.
+- **Web Search MCP:** Added the `omniroute_web_search` tool with the `execute:search` scope.
+- **Cache Components:** Implemented dynamic cache components utilizing TDD.
+- **UI & Customization:** Added custom favicon support, appearance tabs, wired whitelabeling to the sidebar, and added Windsurf guide steps across all 33 languages.
+- **Log Retention:** Unified request log retention and artifacts natively.
+- **Model Enhancements:** Added explicit `contextLength` for all opencode-zen models.
+- **i18n & translations:** Integrated 33 language translations natively, including placeholder CI validations and Chinese documentation updates (#873, #869).
+
+### 🐛 Bug Fixes
+
+- **Qwen OAuth Mapping:** Reverted `id_token` reliance to `access_token` and enabled dynamic `resource_url` API endpoint injection for proper regional routing (#900).
+- **Model Sync Engine:** Stored the strict internal Provider ID in `getCustomModels()` sync routines instead of the UI Channel Alias format, preventing SQLite catalog insertion failures (#903).
+- **Claude Code & Codex:** Standardized non-streaming blank responses to Anthropic-formatted `(empty response)` to prevent CLI proxy crashes (#866).
+- **CC Compatible Routing:** Resolved duplicate `/v1` endpoint collision during path concatenation for generic Claude Code gateways (#904).
+- **Antigravity Dashboards:** Blocked unlimited quota models from falsely registering as exhausted `100% Usage` limit states in the Provider Usage UI (#857).
+- **Claude Image Passthrough:** Fixed Claude models missing image block passthroughs (#898).
+- **Gemini CLI Routing:** Resolved 403 authorization lockouts and content accumulation issues by refreshing the project ID via `loadCodeAssist` (#868).
+- **Antigravity Stability:** Corrected model access lists, enforced 404 lockouts, fixed 429 cascades locking out standard connections, and capped `gemini-3.1-pro` output tokens (#885).
+- **Provider Sync Cadence:** Repaired the provider limits synchronization cadence via the internal scheduler (#888).
+- **Dashboard Optimization:** Resolved `/dashboard/limits` UI freezing when processing 70+ accounts via chunk parallelization (#784).
+- **SSRF Hardening:** Enforced strict SSRF IP range filtering and blocked the `::1` loopback interface.
+- **MIME Types:** Standardized `mime_type` to snake_case to match Gemini API specifications.
+- **CI Stabilization:** Fixed failing analytics/settings Playwright selectors and request assertions so GitHub Actions E2E runs pass reliably across localized UIs and switch-based controls.
+- **Deterministic Tests:** Removed date-sensitive quota fixtures from Copilot usage tests and aligned idempotency/model catalog tests with the merged runtime behavior.
+- **MCP Type Hardening:** Removed zero-budget explicit `any` regressions from the MCP server tool registration path.
+- **Model Sync Engine:** Bypassed destructive `replace` overrides when the provider's auto-sync yields an empty model list, maintaining stability for dynamic catalogs (#899).
+
+### 🛠️ Maintenance
+
+- **Pipeline Logging:** Refined pipeline logging artifacts and enforce retention caps (#880).
+- **AGENTS.md Overhaul:** Condensed from 297→153 lines. Added build/test/style guidelines, code workflows (Prettier, TypeScript, ESLint), and trimmed verbose tables (#882).
+- **Release Branch Integration:** Consolidated the active feature branches into `release/v3.4.2` on top of current `main` and validated the branch with lint, unit, coverage, build, and CI-mode E2E runs.
+- **Testing:** Added vitest configuration for component testing and Playwright specs for settings toggles.
+- **Doc Updates:** Expanded root readmes, translated chinese documents natively, and cleaned up obsolete files.
+
+## [3.4.1] - 2026-03-31
+
+> [!WARNING]
+> **BREAKING CHANGE: request logging, retention, and logging environment variables have been redesigned.**
+> On the first startup after upgrading, OmniRoute archives legacy request logs from `DATA_DIR/logs/`, legacy `DATA_DIR/call_logs/`, and `DATA_DIR/log.txt` into `DATA_DIR/log_archives/*.zip`, then removes the deprecated layout and switches to the new unified artifact format under `DATA_DIR/call_logs/`.
+
+### ✨ New Features
+
+- **.ENV Migration Utility:** Included `scripts/migrate-env.mjs` to seamlessly migrate `<v3.3` configurations to `v3.4.x` strict security validation constraints (FASE-01), repairing startup crashes caused by short `JWT_SECRET` instances.
+- **Kiro AI Cache Optimization:** Implemented deterministic `conversationId` generation (uuidv5) to enable AWS Builder ID Prompt Caching properly across invocations (#814).
+- **Dashboard UI Restoration & Consolidation:** Resolved sidebar logic omitting the Debug section, and cleared Nextjs routing warnings by moving standalone `/dashboard/mcp` and `/dashboard/a2a` pages explicitly into embedded Endpoint Proxy UI components.
+- **Unified Request Log Artifacts:** Request logging now stores one SQLite index row plus one JSON artifact per request under `DATA_DIR/call_logs/`, with optional pipeline capture embedded in the same file.
+- **Language:** Improved the Chinese translation (#855)
+- **Opencode-Zen Models:** Added 4 free models to opencode-zen registry (#854)
+- **Tests:** Added unit and E2E tests for settings toggles and bug fixes (#850)
+
+### 🐛 Bug Fixes
+
+- **429 Quota Parsing:** Parsed long quota reset times from error bodies to honor correct backoffs and prevent rate-limited account bans (#859)
+- **Prompt Caching:** Preserved client `cache_control` headers for all Claude-protocol providers (like Minimax, GLM, and Bailian), correctly recognizing caching support (#856)
+- **Model Sync Logs:** Reduced log spam by recording `sync-models` only when the channel actually modifies the list (#853)
+- **Provider Quota & Token Parsing:** Switched Antigravity limits to use `retrieveUserQuota` natively and correctly mapped Claude token refresh payloads to URL-encoded forms (#862)
+- **Rate-Limiting Stability:** Universalized the 429 Retry-After parsing architecture to cap provider-induced cooldowns at 24 hours max (#862)
+- **Dashboard Limit Rendering:** Re-architected `/dashboard/limits` quota mapping to render immediately inside chunks, fixing a major UI freezing delay on accounts exceeding 70 active connections (#784)
+- **QWEN OAuth Authorization:** Mapped the OIDC `id_token` as the primary API Bearer token for Dashscope requests, fixing immediate 401 Unauthorized errors after connecting accounts or refreshing tokens (#864)
+- **ZAI API Stability:** Hardened Server-Sent Events compiler to gracefully fallback to empty strings when DeepSeek providers stream mathematically null content during reasoning phases (#871)
+- **Claude Code/Codex Translations:** Protected non-streaming payload conversions against empty responses from upstream Codex tools, avoiding catastrophic TypeErrors (#866)
+- **NVIDIA NIM Rendering:** Conditionally stripped identical provider prefixes dynamically pushed by audio models, eliminating duplicate `nim/nim` tag structures throwing 404 on the Media Playground (#872)
+
+### ⚠️ Breaking Changes
+
+- **Request Log Layout:** Removed the old multi-file `DATA_DIR/logs/` request log sessions and the `DATA_DIR/log.txt` summary file. New requests are written as single JSON artifacts in `DATA_DIR/call_logs/YYYY-MM-DD/`.
+- **Logging Environment Variables:** Replaced `LOG_*`, `ENABLE_REQUEST_LOGS`, `CALL_LOGS_MAX`, `CALL_LOG_PAYLOAD_MODE`, and `PROXY_LOG_MAX_ENTRIES` with the new `APP_LOG_*` and `CALL_LOG_RETENTION_DAYS` configuration model.
+- **Pipeline Toggle Setting:** Replaced the legacy `detailed_logs_enabled` setting with `call_log_pipeline_enabled`. New pipeline details are embedded inside the request artifact instead of being stored as separate `request_detail_logs` records.
+
+### 🛠️ Maintenance
+
+- **Legacy Request Log Upgrade Backup:** Upgrades now archive old `data/logs/`, legacy `data/call_logs/`, and `data/log.txt` layouts into `DATA_DIR/log_archives/*.zip` before removing the deprecated structure.
+- **Streaming Usage Persistence:** Streaming requests now write a single `usage_history` row on completion instead of emitting a duplicate in-progress usage row with empty status metadata.
+- **Logging Follow-up Cleanup:** Pipeline logs no longer capture `SOURCE REQUEST`, request artifact entries now honor `CALL_LOG_MAX_ENTRIES`, and application log archives now honor `APP_LOG_MAX_FILES`.
+
+---
+
+## [3.4.0] - 2026-03-31
+
+### 🚀 Features
+
+- **Subscription Utilization Analytics:** Added quota snapshot time-series tracking, Provider Utilization and Combo Health tabs with recharts visualizations, and corresponding API endpoints (#847)
+- **SQLite Backup Control:** New `OMNIROUTE_DISABLE_AUTO_BACKUP` env flag to disable automatic SQLite backups (#846)
+- **Model Registry Update:** Injected `gpt-5.4-mini` into the Codex provider's array of models (#756)
+- **Provider Limit Tracking:** Track and display when provider rate limits were last refreshed per account (#843)
+
+### 🐛 Bug Fixes
+
+- **Qwen Auth Routing:** Re-routed Qwen OAuth completions from the DashScope API to the Web Inference API (`chat.qwen.ai`), resolving authorization failures (#844, #807, #832)
+- **Qwen Auto-Retry Loop:** Added targeted 429 Quota Exceeded backoff handling inside `chatCore` protecting burst requests
+- **Codex OAuth Fallback:** Modern browser popup blocking no longer traps the user; it automatically falls back to manual URL entry (#808)
+- **Claude Token Refresh:** Anthropic's strict `application/json` boundaries are now respected during token generation instead of encoded URLs (#836)
+- **Codex Messages Schema:** Stripped purist `messages` injects from native passthrough requests to avoid structural rejections from the ChatGPT upstream (#806)
+- **CLI Detection Size Limit:** Safely bumped the Node binary scanning upper bound from 100MB to 350MB, allowing heavy standalone tools like Claude Code (229MB) and OpenCode (153MB) to be correctly detected by the VPS runtime (#809)
+- **CLI Runtime Environment:** Restored ability for CLI configurations to respect user override paths (`CLI_{PROVIDER}_BIN`) bypassing strict path-bound discovery rules
+- **Nvidia Header Conflicts:** Removed `prompt_cache_key` properties from upstream headers when calling non-Anthropic providers (#848)
+- **Codex Fast Tier Toggle:** Restored Codex service tier toggle contrast in light mode (#842)
+- **Test Infrastructure:** Updated `t28-model-catalog-updates` test that incorrectly expected the outdated DashScope endpoint for the Qwen native registry
+
+---
+
+## [3.3.9] - 2026-03-31
+
+### 🐛 Bug Fixes
+
+- **Custom Provider Rotation:** Integrated `getRotatingApiKey` internally inside DefaultExecutor, ensuring `extraApiKeys` rotation triggers correctly for custom and compatible upstream providers (#815)
+
+---
+
 ## [3.3.8] - 2026-03-30

 ### 🚀 Features
@@ -1116,7 +1429,7 @@ OmniRoute now automatically refreshes model lists for connected providers every
 #### Developer Experience

 - **#489 — Antigravity:** Missing `googleProjectId` returns a structured 422 error with reconnect guidance instead of a cryptic crash.
- **#510 — Windows paths:** MSYS2/Git-Bash paths (`/c/Program Files/...`) are now normalized to `C:\\Program Files\\...` automatically.
+- **#510 — Windows paths:** MSYS2/Git-Bash paths (`/c/Program Files/...`) are now normalized to `C:\Program Files\...` automatically.
 - **#492 — CLI startup:** `omniroute` CLI now detects `mise`/`nvm`-managed Node when `app/server.js` is missing and shows targeted fix instructions.

 ---
@@ -1238,7 +1551,7 @@ OmniRoute now automatically refreshes model lists for connected providers every
 - **#527** — Claude Code + Codex superpowers loop: `tool_result` blocks now converted to text instead of dropped
 - **#532** — OpenCode GO API key validation now uses the correct `zen/v1` endpoint (`testKeyBaseUrl`)
 - **#489** — Antigravity: missing `googleProjectId` returns structured 422 error with reconnect guidance
- **#510** — Windows: MSYS2/Git-Bash paths (`/c/Program Files/...`) are now normalized to `C:\\Program Files\\...`
+- **#510** — Windows: MSYS2/Git-Bash paths (`/c/Program Files/...`) are now normalized to `C:\Program Files\...`
 - **#492** — `omniroute` CLI now detects `mise`/`nvm` when `app/server.js` is missing and shows targeted fix

 ### 📖 Documentation
@@ -1260,7 +1573,9 @@ OmniRoute now automatically refreshes model lists for connected providers every

 - **CLI tools save masked API key to config files** — `claude-settings`, `cline-settings`, and `openclaw-settings` POST routes now accept a `keyId` param and resolve the real API key from DB before writing to disk. `ClaudeToolCard` updated to send `keyId` instead of the masked display string. Fixes #523, #526.
 - **Custom embedding providers: `No credentials` error** — `/v1/embeddings` now tracks `credentialsProviderId` separately from the routing prefix, so credentials are fetched from the matching provider node ID rather than the public prefix string. Fixes a regression where `google/gemini-embedding-001` and similar custom-provider models would always fail with a credentials error. Fixes #532-related. (PR #528 by @jacob2826)
- **Context cache protection regex misses `\n` prefix** — `CACHE_TAG_PATTERN` in `comboAgentMiddleware.ts` updated to match both literal `\n` (backslash-n) and actual newline U+000A that `combo.ts` streaming injects around the `<omniModel>` tag after fix #515. Fixes #531.
+- **Context cache protection regex misses `
+` prefix** — `CACHE_TAG_PATTERN` in `comboAgentMiddleware.ts` updated to match both literal `
+` (backslash-n) and actual newline U+000A that `combo.ts` streaming injects around the `<omniModel>` tag after fix #515. Fixes #531.

 ### ✨ New Providers

@@ -1280,9 +1595,10 @@ OmniRoute now automatically refreshes model lists for connected providers every
  — The field is a cache-affinity signal used by Codex; stripping it was preventing prompt cache hits.
  Fixed in `openai-responses.ts` and `responsesApiHelper.ts`.

- **fix(combo)**: Escape `\n` in `tagContent` so injected JSON string is valid (#515)
+- **fix(combo)**: Escape `
+` in `tagContent` so injected JSON string is valid (#515)
  — Template literal newlines (U+000A) are not allowed unescaped inside JSON string values.
-  Replaced with `\\n` literal sequences in `open-sse/services/combo.ts`.
+  Replaced with `\n` literal sequences in `open-sse/services/combo.ts`.

 - **fix(usage)**: Sync expired token status back to DB on live auth failure (#491)
  — When the Limits & Quotas live check returns 401/403, the connection `testStatus` is now updated
@@ -1831,7 +2147,7 @@ OmniRoute now automatically refreshes model lists for connected providers every

 ### 🐛 Bug Fixes

- **fix(ci)**: Remove word "any" from comments in `openai-responses.ts` and `chatCore.ts` that were failing the t11 `\bany\b` budget check (false positive from regex counting comments)
+- **fix(ci)**: Remove word "any" from comments in `openai-responses.ts` and `chatCore.ts` that were failing the t11 `any` budget check (false positive from regex counting comments)
 - **fix(chatCore)**: Normalize unsupported content part types before forwarding to providers (#409 — Cursor sends `{type:"file"}` when `.md` files are attached; Copilot and other OpenAI-compat providers reject with "type has to be either 'image_url' or 'text'"; fix converts `file`/`document` blocks to `text` and drops unknown types)

 ### 🔧 Workflow
@@ -8,7 +8,7 @@ Thank you for your interest in contributing! This guide covers everything you ne

 ### Prerequisites

- **Node.js** 20+ (recommended: 22 LTS)
+- **Node.js** >= 18 < 24 (recommended: 22 LTS)
 - **npm** 10+
 - **Git**

@@ -33,13 +33,24 @@ echo "API_KEY_SECRET=$(openssl rand -hex 32)" >> .env

 Key variables for development:

-| Variable               | Development Default     | Description               |
-| ---------------------- | ----------------------- | ------------------------- |
-| `PORT`                 | `3000`                  | Server port               |
-| `NEXT_PUBLIC_BASE_URL` | `http://localhost:3000` | Base URL for frontend     |
-| `JWT_SECRET`           | (generate above)        | JWT signing secret        |
-| `INITIAL_PASSWORD`     | `123456`                | First login password      |
-| `ENABLE_REQUEST_LOGS`  | `false`                 | Enable debug request logs |
+| Variable               | Development Default      | Description           |
+| ---------------------- | ------------------------ | --------------------- |
+| `PORT`                 | `20128`                  | Server port           |
+| `NEXT_PUBLIC_BASE_URL` | `http://localhost:20128` | Base URL for frontend |
+| `JWT_SECRET`           | (generate above)         | JWT signing secret    |
+| `INITIAL_PASSWORD`     | `CHANGEME`               | First login password  |
+| `APP_LOG_LEVEL`        | `info`                   | Log verbosity level   |
+
+### Dashboard Settings
+
+The dashboard provides UI toggles for features that can also be configured via environment variables:
+
+| Setting Location    | Toggle             | Description                    |
+| ------------------- | ------------------ | ------------------------------ |
+| Settings → Advanced | Debug Mode         | Enable debug request logs (UI) |
+| Settings → General  | Sidebar Visibility | Show/hide sidebar sections     |
+
+These settings are stored in the database and persist across restarts, overriding env var defaults when set.

 ### Running Locally

@@ -57,8 +68,8 @@ PORT=20128 NEXT_PUBLIC_BASE_URL=http://localhost:20128 npm run dev

 Default URLs:

- **Dashboard**: `http://localhost:3000/dashboard`
- **API**: `http://localhost:3000/v1`
+- **Dashboard**: `http://localhost:20128/dashboard`
+- **API**: `http://localhost:20128/v1`

 ---

@@ -97,28 +108,35 @@ test: add observability unit tests
 refactor(db): consolidate rate limit tables
 ```

-Scopes: `db`, `sse`, `oauth`, `dashboard`, `api`, `cli`, `docker`, `ci`.
+Scopes: `db`, `sse`, `oauth`, `dashboard`, `api`, `cli`, `docker`, `ci`, `mcp`, `a2a`, `memory`, `skills`.

 ---

 ## Running Tests

 ```bash
-# All unit tests
-npm test
-npm run test:unit
+# All tests (unit + vitest + ecosystem + e2e)
+npm run test:all

-# Specific test suites
-npm run test:security     # Security tests
-npm run test:fixes        # Fix verification tests
+# Single test file (Node.js native test runner — most tests use this)
+node --import tsx/esm --test tests/unit/your-file.test.mjs

-# With coverage
-npm run test:coverage
-npm run coverage:report
+# Vitest (MCP server, autoCombo, cache)
+npm run test:vitest

 # E2E tests (requires Playwright)
 npm run test:e2e

+# Protocol clients E2E (MCP transports, A2A)
+npm run test:protocols:e2e
+
+# Ecosystem compatibility tests
+npm run test:ecosystem
+
+# Coverage (60% min statements/lines/functions/branches)
+npm run test:coverage
+npm run coverage:report
+
 # Lint + format check
 npm run lint
 npm run check
@@ -127,27 +145,43 @@ npm run check
 Coverage notes:

 - `npm run test:coverage` measures source coverage for the main unit test suite, excludes `tests/**`, and includes `open-sse/**`
+- Pull requests must keep the overall coverage gate at **60% or higher** for statements, lines, functions, and branches
+- If a PR changes production code in `src/`, `open-sse/`, `electron/`, or `bin/`, it must add or update automated tests in the same PR
 - `npm run coverage:report` prints the detailed file-by-file report from the latest coverage run
 - `npm run test:coverage:legacy` preserves the older metric for historical comparison
+- See `docs/COVERAGE_PLAN.md` for the phased coverage improvement roadmap

-Current test status: **968+ unit tests** covering:
+### Pull Request Requirements
+
+Before opening or merging a PR:
+
+- Run `npm run test:unit`
+- Run `npm run test:coverage`
+- Ensure the coverage gate stays at **60%+** for all metrics
+- Include the changed or added test files in the PR description when production code changed
+- Check the SonarQube result on the PR when the project secrets are configured in CI
+
+Current test status: **122 unit test files** covering:

 - Provider translators and format conversion
 - Rate limiting, circuit breaker, and resilience
 - Semantic cache, idempotency, progress tracking
- Database operations and schema
+- Database operations and schema (21 DB modules)
 - OAuth flows and authentication
- API endpoint validation
+- API endpoint validation (Zod v4)
+- MCP server tools and scope enforcement
+- Memory and Skills systems

 ---

 ## Code Style

 - **ESLint** — Run `npm run lint` before committing
- **Prettier** — Auto-formatted via `lint-staged` on commit
- **TypeScript** — All `src/` code uses `.ts`/`.tsx`; document with TSDoc (`@param`, `@returns`, `@throws`)
+- **Prettier** — Auto-formatted via `lint-staged` on commit (2 spaces, semicolons, double quotes, 100 char width, es5 trailing commas)
+- **TypeScript** — All `src/` code uses `.ts`/`.tsx`; `open-sse/` uses `.ts`/`.js`; document with TSDoc (`@param`, `@returns`, `@throws`)
 - **No `eval()`** — ESLint enforces `no-eval`, `no-implied-eval`, `no-new-func`
- **Zod validation** — Use Zod schemas for API input validation
+- **Zod validation** — Use Zod v4 schemas for all API input validation
+- **Naming**: Files = camelCase/kebab-case, components = PascalCase, constants = UPPER_SNAKE

 ---

@@ -155,40 +189,60 @@ Current test status: **968+ unit tests** covering:

 ```
 src/                        # TypeScript (.ts / .tsx)
-├── app/                    # Next.js App Router
-│   ├── (dashboard)/        # Dashboard pages (.tsx)
-│   ├── api/                # API routes (.ts)
+├── app/                    # Next.js 16 App Router
+│   ├── (dashboard)/        # Dashboard pages (23 sections)
+│   ├── api/                # API routes (51 directories)
 │   └── login/              # Auth pages (.tsx)
-├── domain/                 # Domain types and response helpers (.ts)
+├── domain/                 # Policy engine (policyEngine, comboResolver, costRules, etc.)
 ├── lib/                    # Core business logic (.ts)
-│   ├── db/                 # SQLite database layer
-│   ├── oauth/              # OAuth services per provider
-│   ├── cacheLayer.ts       # LRU cache
-│   ├── semanticCache.ts    # Semantic response cache
-│   ├── idempotencyLayer.ts # Request deduplication
-│   └── localDb.ts          # Settings facade (LowDB for config, SQLite for domain data)
+│   ├── a2a/                # Agent-to-Agent v0.3 protocol server
+│   ├── acp/                # Agent Communication Protocol registry
+│   ├── compliance/         # Compliance policy engine
+│   ├── db/                 # SQLite database layer (21 modules + 16 migrations)
+│   ├── memory/             # Persistent conversational memory
+│   ├── oauth/              # OAuth providers, services, and utilities
+│   ├── skills/             # Extensible skill framework
+│   ├── usage/              # Usage tracking and cost calculation
+│   └── localDb.ts          # Re-export layer only — never add logic here
+├── middleware/              # Request middleware (promptInjectionGuard)
+├── mitm/                   # MITM proxy (cert, DNS, target routing)
 ├── shared/
 │   ├── components/         # React components (.tsx)
-│   ├── middleware/          # Correlation IDs, etc.
-│   ├── utils/              # Circuit breaker, sanitizer, etc.
-│   └── validation/         # Zod schemas
-└── sse/                    # SSE chat handlers (.ts)
+│   ├── constants/          # Provider definitions (60+), MCP scopes, routing strategies
+│   ├── utils/              # Circuit breaker, sanitizer, auth helpers
+│   └── validation/         # Zod v4 schemas
+└── sse/                    # SSE proxy pipeline

-open-sse/                   # @omniroute/open-sse workspace (JavaScript)
-├── handlers/               # chatCore.js — main request handler
-├── services/               # Rate limit, fallback
-├── translators/            # Format converters (OpenAI ↔ Claude ↔ Gemini)
-└── utils/                  # Progress tracker, stream helpers
+open-sse/                   # @omniroute/open-sse workspace
+├── executors/              # 14 provider-specific request executors
+├── handlers/               # 11 request handlers (chat, responses, embeddings, images, etc.)
+├── mcp-server/             # MCP server (25 tools, 3 transports, 10 scopes)
+├── services/               # 36+ services (combo, autoCombo, rateLimitManager, etc.)
+├── translator/             # Format translators (OpenAI ↔ Claude ↔ Gemini ↔ Responses ↔ Ollama)
+├── transformer/            # Responses API transformer
+└── utils/                  # 22 utility modules (stream, TLS, proxy, logging)
+
+electron/                   # Electron desktop app (cross-platform)

 tests/
-├── unit/                   # Node.js test runner (.test.mjs)
-└── e2e/                    # Playwright tests
+├── unit/                   # Node.js test runner (122 test files)
+├── integration/            # Integration tests
+├── e2e/                    # Playwright tests
+├── security/               # Security tests
+├── translator/             # Translator-specific tests
+└── load/                   # Load tests

 docs/                       # Documentation
-├── USER_GUIDE.md           # Provider setup, CLI integration
-├── API_REFERENCE.md        # All endpoints
-├── TROUBLESHOOTING.md      # Common issues
 ├── ARCHITECTURE.md         # System architecture
+├── API_REFERENCE.md        # All endpoints
+├── USER_GUIDE.md           # Provider setup, CLI integration
+├── TROUBLESHOOTING.md      # Common issues
+├── MCP-SERVER.md           # MCP server (25 tools)
+├── A2A-SERVER.md           # A2A agent protocol
+├── AUTO-COMBO.md           # Auto-combo engine
+├── CLI-TOOLS.md            # CLI tools integration
+├── COVERAGE_PLAN.md        # Test coverage improvement plan
+├── openapi.yaml            # OpenAPI specification
 └── adr/                    # Architecture Decision Records
 ```

@@ -196,50 +250,25 @@ docs/                       # Documentation

 ## Adding a New Provider

-### Step 1: OAuth Service (if using OAuth)
+### Step 1: Register Provider Constants

-Create `src/lib/oauth/services/your-provider.ts` extending `OAuthService`:
+Add to `src/shared/constants/providers.ts` — Zod-validated at module load.

-```typescript
-import { OAuthService } from "../OAuthService";
+### Step 2: Add Executor (if custom logic needed)

-export class YourProviderService extends OAuthService {
-  constructor() {
-    super({
-      name: "your-provider",
-      authUrl: "https://provider.com/oauth/authorize",
-      tokenUrl: "https://provider.com/oauth/token",
-      clientId: "...",
-      scopes: ["..."],
-    });
-  }
-}
-```
+Create executor in `open-sse/executors/your-provider.ts` extending the base executor.

-### Step 2: Register Provider
+### Step 3: Add Translator (if non-OpenAI format)

-Add to `src/lib/oauth/providers.ts`:
+Create request/response translators in `open-sse/translator/`.

-```typescript
-import { YourProviderService } from "./services/your-provider";
-// Add to the providers map
-```
+### Step 4: Add OAuth Config (if OAuth-based)

-### Step 3: Add Constants
+Add OAuth credentials in `src/lib/oauth/constants/oauth.ts` and service in `src/lib/oauth/services/`.

-Add provider constants in `src/lib/providerConstants.ts`:
+### Step 5: Register Models

- Provider prefix (e.g., `yp/`)
- Default models
- Pricing info
-
-### Step 4: Add Translator (if non-OpenAI format)
-
-Create translator in `open-sse/translators/` if the provider uses a custom API format.
-
-### Step 5: Add Timeout
-
-Add request timeout configuration in `src/shared/utils/requestTimeout.ts`.
+Add model definitions in `open-sse/config/providerRegistry.ts`.

 ### Step 6: Add Tests

@@ -258,6 +287,7 @@ Write unit tests in `tests/unit/` covering at minimum:
 - [ ] Build succeeds (`npm run build`)
 - [ ] TypeScript types added for new public functions and interfaces
 - [ ] No hardcoded secrets or fallback values
+- [ ] All inputs validated with Zod schemas
 - [ ] CHANGELOG updated (if user-facing change)
 - [ ] Documentation updated (if applicable)

@@ -265,16 +295,13 @@ Write unit tests in `tests/unit/` covering at minimum:

 ## Releasing

-When a new GitHub Release is created (e.g. `v0.4.0`), the package is **automatically published to npm** via GitHub Actions:
-
-```bash
-gh release create v0.4.0 --title "v0.4.0" --generate-notes
-```
+Releases are managed via the `/generate-release` workflow. When a new GitHub Release is created, the package is **automatically published to npm** via GitHub Actions.

 ---

 ## Getting Help

 - **Architecture**: See [`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md)
+- **API Reference**: See [`docs/API_REFERENCE.md`](docs/API_REFERENCE.md)
 - **Issues**: [github.com/diegosouzapw/OmniRoute/issues](https://github.com/diegosouzapw/OmniRoute/issues)
 - **ADRs**: See `docs/adr/` for architectural decision records
@@ -2,7 +2,7 @@

 ### Never stop coding. Smart routing to **FREE & low-cost AI models** with automatic fallback.

-_Your universal API proxy — one endpoint, 67+ providers, zero downtime. Now with **MCP & A2A** agent orchestration._
+_Your universal API proxy — one endpoint, 60+ providers, zero downtime. Now with **MCP Server (25 tools)**, **A2A Protocol**, **Memory/Skills Systems** & **Electron Desktop App**._

 **Chat Completions • Embeddings • Image Generation • Video • Music • Audio • Reranking • **Web Search** • MCP Server • A2A Protocol • 100% TypeScript**

@@ -11,9 +11,28 @@ _Your universal API proxy — one endpoint, 67+ providers, zero downtime. Now wi
 <div align="center">

 [![npm version](https://img.shields.io/npm/v/omniroute?color=cb3837&logo=npm)](https://www.npmjs.com/package/omniroute)
-[![npm downloads](https://img.shields.io/npm/dm/omniroute?color=cb3837&logo=npm&label=npm%20downloads)](https://www.npmjs.com/package/omniroute)
 [![Docker Hub](https://img.shields.io/docker/v/diegosouzapw/omniroute?label=Docker%20Hub&logo=docker&color=2496ED)](https://hub.docker.com/r/diegosouzapw/omniroute)
-[![Docker Pulls](https://img.shields.io/docker/pulls/diegosouzapw/omniroute?logo=docker&color=2496ED&label=docker%20pulls)](https://hub.docker.com/r/diegosouzapw/omniroute)
+
+![NPM Downloads](https://img.shields.io/npm/dw/omniroute?label=npm%20down%20week&color=red)
+![NPM Downloads](https://img.shields.io/npm/dm/omniroute?label=npm%20down%20month&color=red)
+
+![NPM Downloads](https://img.shields.io/npm/d18m/omniroute?label=npm%20down%20year&color=red)
+![Docker Pulls](https://img.shields.io/docker/pulls/diegosouzapw/omniroute)
+![GitHub Downloads (all assets, all releases)](https://img.shields.io/github/downloads/diegosouzapw/omniroute/total?style=flat&label=eletron%20donwloads&color=blue)
+
+[![stars](https://custom-icon-badges.demolab.com/github/stars/diegosouzapw/OmniRoute?logo=star&style=flat)](https://github.com/diegosouzapw/OmniRoute/stargazers)
+[![open issues](https://custom-icon-badges.demolab.com/github/issues-raw/diegosouzapw/OmniRoute?logo=issue)](https://github.com/diegosouzapw/OmniRoute/issues)
+[![license](https://custom-icon-badges.demolab.com/github/license/diegosouzapw/OmniRoute?logo=law)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
+[![last commit](https://custom-icon-badges.demolab.com/github/last-commit/diegosouzapw/OmniRoute?logo=history&logoColor=white)](https://github.com/diegosouzapw/OmniRoute/commits/main)
+[![total contributions](https://custom-icon-badges.demolab.com/badge/dynamic/json?logo=graph&logoColor=fff&color=blue&label=total%20contributions&query=%24.totalContributions&url=https%3A%2F%2Fstreak-stats.demolab.com%2F%3Fuser%3Ddiegosouzapw%26type%3Djson)](https://github.com/diegosouzapw)
+[![code size](https://custom-icon-badges.demolab.com/github/languages/code-size/diegosouzapw/OmniRoute?logo=file-code&logoColor=white)](https://github.com/diegosouzapw/OmniRoute)
+[![pr closed](https://custom-icon-badges.demolab.com/github/issues-pr-closed/diegosouzapw/OmniRoute?color=purple&logo=git-pull-request&logoColor=white)](https://github.com/diegosouzapw/OmniRoute/pulls?q=is%3Apr+is%3Aclosed)
+[![tag](https://custom-icon-badges.demolab.com/github/v/tag/diegosouzapw/OmniRoute?logo=tag&logoColor=white)](https://github.com/diegosouzapw/OmniRoute/tags)
+[![github streak](https://custom-icon-badges.demolab.com/badge/dynamic/json?logo=fire&logoColor=fff&color=orange&label=github%20streak&query=%24.currentStreak.length&suffix=%20days&url=https%3A%2F%2Fstreak-stats.demolab.com%2F%3Fuser%3Ddiegosouzapw%26type%3Djson)](https://github.com/diegosouzapw)
+[![followers](https://custom-icon-badges.demolab.com/github/followers/diegosouzapw?logo=person-add)](https://github.com/diegosouzapw?tab=followers)
+[![fork](https://custom-icon-badges.demolab.com/github/forks/diegosouzapw/OmniRoute?logo=fork)](https://github.com/diegosouzapw/OmniRoute/network/members)
+[![watch](https://custom-icon-badges.demolab.com/github/watchers/diegosouzapw/OmniRoute?logo=eye)](https://github.com/diegosouzapw/OmniRoute/watchers)
+
 [![License](https://img.shields.io/github/license/diegosouzapw/OmniRoute)](https://github.com/diegosouzapw/OmniRoute/blob/main/LICENSE)
 [![Website](https://img.shields.io/badge/Website-omniroute.online-blue?logo=google-chrome&logoColor=white)](https://omniroute.online)
 [![WhatsApp](https://img.shields.io/badge/WhatsApp-Community-25D366?logo=whatsapp&logoColor=white)](https://chat.whatsapp.com/JI7cDQ1GyaiDHhVBpLxf8b?mode=gi_t)
@@ -26,28 +45,6 @@ _Your universal API proxy — one endpoint, 67+ providers, zero downtime. Now wi

 ---

-## 🆕 What's New in v3.0.0
-
-> **Upgrading from v2.9.5?** — See the [full CHANGELOG](CHANGELOG.md#300--2026-03-22-release-candidate--not-yet-merged-to-main) for all changes.
-
-| Area                         | Change                                                                                                                                                                    |
-| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| 🔒 **CodeQL Security**       | Fixed 10+ CodeQL alerts: polynomial-redos, insecure-randomness, shell-injection remediation                                                                               |
-| ✅ **Route Validation**      | All 176 API routes now validated with Zod schemas + `validateBody()` — CI `check:route-validation:t06` passes                                                             |
-| 🐛 **omniModel Tag Leak**    | Internal `<omniModel>` tags no longer leak to clients in SSE streaming responses (#585)                                                                                   |
-| 🔑 **Registered Keys API**   | Auto-provision API keys via `POST /api/v1/registered-keys` with per-provider/account quota enforcement, idempotency, SHA-256 storage, and optional GitHub issue reporting |
-| 🎨 **Provider Icons**        | 130+ provider logos via `@lobehub/icons` (SVG) with PNG → generic fallback chain                                                                                          |
-| 🔄 **Model Auto-Sync**       | 24h scheduler and manual UI toggle to sync model lists for built-in and custom OpenAI-compatible providers                                                                |
-| 🌐 **OpenCode Zen/Go**       | Two new providers from @kang-heewon via PR #530: free tier + subscription tier via `OpencodeExecutor`                                                                     |
-| 🐛 **Gemini CLI OAuth**      | Actionable error when `GEMINI_OAUTH_CLIENT_SECRET` is missing in Docker (was cryptic Google error)                                                                        |
-| 🐛 **OpenCode config**       | `saveOpenCodeConfig()` now correctly writes TOML to `XDG_CONFIG_HOME`                                                                                                     |
-| 🐛 **Pinned model override** | `body.model` correctly set to `pinnedModel` on context-cache protection                                                                                                   |
-| 🐛 **Codex/Claude loop**     | `tool_result` blocks now converted to text to stop infinite loops                                                                                                         |
-| 🐛 **Login redirect**        | Login no longer freezes after skipping password setup                                                                                                                     |
-| 🐛 **Windows paths**         | MSYS2/Git-Bash paths (`/c/...`) normalized to `C:\...` automatically                                                                                                      |
-
---
-
 ## 🖼️ Main Dashboard

 <div align="center">
@@ -244,9 +241,9 @@ Developers pay $20–200/month for Claude Pro, Codex Pro, or GitHub Copilot. Eve
 **How OmniRoute solves it:**

 - **Smart 4-Tier Fallback** — If subscription quota runs out, automatically redirects to API Key → Cheap → Free with zero manual intervention
- **Real-Time Quota Tracking** — Shows token consumption in real-time with reset countdown (5h, daily, weekly)
+- **Provider Limits Tracking** — Cached quota snapshots refresh on a server-side schedule (default `PROVIDER_LIMITS_SYNC_INTERVAL_MINUTES=70`) with manual refresh available in the UI
 - **Multi-Account Support** — Multiple accounts per provider with auto round-robin — when one runs out, switches to the next
- **Custom Combos** — Customizable fallback chains with 6 balancing strategies (fill-first, round-robin, P2C, random, least-used, cost-optimized)
+- **Custom Combos** — Customizable fallback chains with 9 balancing strategies (priority, weighted, fill-first, round-robin, P2C, random, least-used, cost-optimized, strict-random)
 - **Codex Business Quotas** — Business/Team workspace quota monitoring directly in the dashboard

 </details>
@@ -258,7 +255,7 @@ OpenAI uses one format, Claude (Anthropic) uses another, Gemini yet another. If

 **How OmniRoute solves it:**

- **Unified Endpoint** — A single `http://localhost:20128/v1` serves as proxy for all 67+ providers
+- **Unified Endpoint** — A single `http://localhost:20128/v1` serves as proxy for all 60+ providers
 - **Format Translation** — Automatic and transparent: OpenAI ↔ Claude ↔ Gemini ↔ Responses API
 - **Response Sanitization** — Strips non-standard fields (`x_groq`, `usage_breakdown`, `service_tier`) that break OpenAI SDK v1.83+
 - **Role Normalization** — Converts `developer` → `system` for non-OpenAI providers; `system` → `user` for GLM/ERNIE
@@ -344,7 +341,7 @@ Developers use Cursor, Claude Code, Codex CLI, OpenClaw, Gemini CLI, Kilo Code..
 - **CLI Tools Dashboard** — Dedicated page with one-click setup for Claude Code, Codex CLI, OpenClaw, Kilo Code, Antigravity, Cline
 - **GitHub Copilot Config Generator** — Generates `chatLanguageModels.json` for VS Code with bulk model selection
 - **Onboarding Wizard** — Guided 4-step setup for first-time users
- **One endpoint, all models** — Configure `http://localhost:20128/v1` once, access 67+ providers
+- **One endpoint, all models** — Configure `http://localhost:20128/v1` once, access 60+ providers

 </details>

@@ -391,7 +388,7 @@ When a call fails, the dev doesn't know if it was a rate limit, expired token, w
 - **SQLite Proxy Logs** — Persistent logs that survive server restarts
 - **Translator Playground** — 4 debugging modes: Playground (format translation), Chat Tester (round-trip), Test Bench (batch), Live Monitor (real-time)
 - **Request Telemetry** — p50/p95/p99 latency + X-Request-Id tracing
- **File-Based Logging with Rotation** — Console interceptor captures everything to JSON log with size-based rotation
+- **File-Based Logging with Rotation** — App logs rotate by size, retention days, and archive count; call log artifacts rotate by retention days and file count
 - **System Info Report** — `npm run system-info` generates `system-info.txt` with your full environment (Node version, OmniRoute version, OS, CLI tools, Docker/PM2 status). Attach it when reporting issues for instant triage.

 </details>
@@ -409,7 +406,7 @@ Installing, configuring, and maintaining an AI proxy across different environmen
 - **Electron Desktop App** — Native app for Windows/macOS/Linux with system tray, auto-start, offline mode
 - **Split-Port Mode** — API and Dashboard on separate ports for advanced scenarios (reverse proxy, container networking)
 - **Cloud Sync** — Config synchronization across devices via Cloudflare Workers
- **DB Backups** — Automatic backup, restore, export and import of all settings
+- **DB Backups** — Automatic backup, restore, export and import of all settings, with `DISABLE_SQLITE_AUTO_BACKUP` for externally managed backups

 </details>

@@ -486,7 +483,7 @@ Developers who want all responses in a specific language, with a specific tone,

 - **System Prompt Injection** — Global prompt applied to all requests
 - **Thinking Budget Validation** — Reasoning token allocation control per request (passthrough, auto, custom, adaptive)
- **6 Routing Strategies** — Global strategies that determine how requests are distributed
+- **9 Routing Strategies** — Global strategies that determine how requests are distributed
 - **Wildcard Router** — `provider/*` patterns route dynamically to any provider
 - **Combo Enable/Disable Toggle** — Toggle combos directly from the dashboard
 - **Provider Toggle** — Enable/disable all connections for a provider with one click
@@ -553,7 +550,7 @@ Different clients should have least-privilege access to tool categories.

 **How OmniRoute solves it:**

- 9 granular MCP scopes for controlled tool access
+- 10 granular MCP scopes for controlled tool access
 - Scope enforcement and visibility in MCP management UI
 - Safe default posture for operational tooling

@@ -777,6 +774,36 @@ PORT=20128 DASHBOARD_PORT=20129 omniroute
 # Dashboard: http://localhost:20129
 ```

+### Long-Running Streaming Timeouts
+
+For most deployments, you only need:
+
+| Variable                 | Default                       | Purpose                                                                                                                     |
+| ------------------------ | ----------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
+| `REQUEST_TIMEOUT_MS`     | `600000`                      | Shared baseline for upstream fetch, hidden Undici timeouts, TLS fingerprint requests, and API bridge request/proxy timeouts |
+| `STREAM_IDLE_TIMEOUT_MS` | inherits `REQUEST_TIMEOUT_MS` | Maximum gap between streaming chunks before OmniRoute aborts the SSE stream                                                 |
+
+Backward compatibility is preserved: existing `FETCH_TIMEOUT_MS`, `API_BRIDGE_PROXY_TIMEOUT_MS`, and other per-layer timeout vars still work and override the shared baseline.
+
+Advanced overrides are available if you need finer control:
+
+| Variable                                 | Default                                    | Purpose                                                              |
+| ---------------------------------------- | ------------------------------------------ | -------------------------------------------------------------------- |
+| `FETCH_TIMEOUT_MS`                       | inherits `REQUEST_TIMEOUT_MS`              | Total upstream request timeout used by the main fetch abort signal   |
+| `FETCH_HEADERS_TIMEOUT_MS`               | inherits `FETCH_TIMEOUT_MS`                | Undici time limit for receiving upstream response headers            |
+| `FETCH_BODY_TIMEOUT_MS`                  | inherits `FETCH_TIMEOUT_MS`                | Undici time limit between upstream body chunks (`0` disables it)     |
+| `FETCH_CONNECT_TIMEOUT_MS`               | `30000`                                    | Undici TCP connect timeout                                           |
+| `FETCH_KEEPALIVE_TIMEOUT_MS`             | `4000`                                     | Undici idle keep-alive socket timeout                                |
+| `TLS_CLIENT_TIMEOUT_MS`                  | inherits `FETCH_TIMEOUT_MS`                | Timeout for TLS fingerprint requests made through `wreq-js`          |
+| `API_BRIDGE_PROXY_TIMEOUT_MS`            | inherits `REQUEST_TIMEOUT_MS` or `30000`   | Timeout for `/v1` proxy forwarding from API port to dashboard port   |
+| `API_BRIDGE_SERVER_REQUEST_TIMEOUT_MS`   | `max(API_BRIDGE_PROXY_TIMEOUT_MS, 300000)` | Incoming request timeout on the API bridge server                    |
+| `API_BRIDGE_SERVER_HEADERS_TIMEOUT_MS`   | `60000`                                    | Incoming header timeout on the API bridge server                     |
+| `API_BRIDGE_SERVER_KEEPALIVE_TIMEOUT_MS` | `5000`                                     | Keep-alive timeout on the API bridge server                          |
+| `API_BRIDGE_SERVER_SOCKET_TIMEOUT_MS`    | `0`                                        | Socket inactivity timeout on the API bridge server (`0` disables it) |
+
+If you run OmniRoute behind Nginx, Caddy, Cloudflare, or another reverse proxy, make sure the proxy
+timeouts are also higher than your OmniRoute stream/fetch timeouts.
+
 ### 2) Connect providers and create your API key

 1. Open Dashboard → `Providers` and connect at least one provider (OAuth or API key).
@@ -834,6 +861,113 @@ npm install
 PORT=20128 DASHBOARD_PORT=20129 NEXT_PUBLIC_BASE_URL=http://localhost:20129 npm run dev
 ```

+<details>
+<summary><b>Void Linux (`xbps-src` template)</b></summary>
+
+For Void Linux users, you can build a native package using `xbps-src`. Save this block as `srcpkgs/omniroute/template`:
+
+```bash
+# Template file for 'omniroute'
+pkgname=omniroute
+version=3.4.1
+revision=1
+hostmakedepends="nodejs python3 make"
+depends="openssl"
+short_desc="Universal AI gateway with smart routing for multiple LLM providers"
+maintainer="zenobit <zenobit@disroot.org>"
+license="MIT"
+homepage="https://github.com/diegosouzapw/OmniRoute"
+distfiles="https://github.com/diegosouzapw/OmniRoute/archive/refs/tags/v${version}.tar.gz"
+checksum=009400afee90a9f32599d8fe734145cfd84098140b7287990183dde45ae2245b
+system_accounts="_omniroute"
+omniroute_homedir="/var/lib/omniroute"
+export NODE_ENV=production
+export npm_config_engine_strict=false
+export npm_config_loglevel=error
+export npm_config_fund=false
+export npm_config_audit=false
+
+do_build() {
+	# Determine target CPU arch for node-gyp
+	local _gyp_arch
+	case "$XBPS_TARGET_MACHINE" in
+		aarch64*) _gyp_arch=arm64 ;;
+		armv7*|armv6*) _gyp_arch=arm ;;
+		i686*) _gyp_arch=ia32 ;;
+		*) _gyp_arch=x64 ;;
+	esac
+
+	# 1) Install all deps – skip scripts (no network in do_build, native modules
+	#    compiled separately below; better-sqlite3 is serverExternalPackage so
+	#    Next.js does not execute it during next build)
+	NODE_ENV=development npm ci --ignore-scripts
+
+	# 2) Build the Next.js standalone bundle
+	npm run build
+
+	# 3) Copy static assets into standalone
+	cp -r .next/static .next/standalone/.next/static
+	[ -d public ] && cp -r public .next/standalone/public || true
+
+	# 4) Compile better-sqlite3 native binding for the target architecture.
+	#    Use node-gyp directly so CC/CXX from xbps-src cross-toolchain are used
+	#    without npm altering them.
+	local _node_gyp=/usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js
+	(cd node_modules/better-sqlite3 && node "$_node_gyp" rebuild --arch="$_gyp_arch")
+
+	# 5) Place the compiled binding into the standalone bundle
+	local _bs3_release=.next/standalone/node_modules/better-sqlite3/build/Release
+	mkdir -p "$_bs3_release"
+	cp node_modules/better-sqlite3/build/Release/better_sqlite3.node "$_bs3_release/"
+
+	# 6) Remove arch-specific sharp bundles – upstream sets images.unoptimized=true
+	#    so sharp is not used at runtime; x64 .so files would break aarch64 strip
+	rm -rf .next/standalone/node_modules/@img
+
+	# 7) Copy pino runtime deps omitted by Next.js static analysis:
+	#    pino-abstract-transport – required by pino's worker thread
+	#    split2 – dep of pino-abstract-transport
+	#    process-warning – dep of pino itself
+	for _mod in pino-abstract-transport split2 process-warning; do
+		cp -r "node_modules/$_mod" .next/standalone/node_modules/
+	done
+}
+
+do_check() {
+	npm run test:unit
+}
+
+do_install() {
+	vmkdir usr/lib/omniroute/.next
+
+	vcopy .next/standalone/. usr/lib/omniroute/.next/standalone
+
+	# Prevent removal of empty Next.js app router dirs by the post-install hook
+	for _d in \
+		.next/standalone/.next/server/app/dashboard \
+		.next/standalone/.next/server/app/dashboard/settings \
+		.next/standalone/.next/server/app/dashboard/providers; do
+		touch "${DESTDIR}/usr/lib/omniroute/${_d}/.keep"
+	done
+
+	cat > "${WRKDIR}/omniroute" <<'EOF'
+#!/bin/sh
+export PORT="${PORT:-20128}"
+export DATA_DIR="${DATA_DIR:-${XDG_DATA_HOME:-${HOME}/.local/share}/omniroute}"
+export LOG_TO_FILE="${LOG_TO_FILE:-false}"
+mkdir -p "${DATA_DIR}"
+exec node /usr/lib/omniroute/.next/standalone/server.js "$@"
+EOF
+	vbin "${WRKDIR}/omniroute"
+}
+
+post_install() {
+	vlicense LICENSE
+}
+```
+
+</details>
+
 ---

 ## 🐳 Docker
@@ -846,6 +980,7 @@ OmniRoute is available as a public Docker image on [Docker Hub](https://hub.dock
 docker run -d \
  --name omniroute \
  --restart unless-stopped \
+  --stop-timeout 40 \
  -p 20128:20128 \
  -v omniroute-data:/app/data \
  diegosouzapw/omniroute:latest
@@ -860,6 +995,7 @@ cp .env.example .env
 docker run -d \
  --name omniroute \
  --restart unless-stopped \
+  --stop-timeout 40 \
  --env-file .env \
  -p 20128:20128 \
  -v omniroute-data:/app/data \
@@ -881,8 +1017,12 @@ Dashboard support for Docker deployments now includes a one-click **Cloudflare Q
 Notes:

 - Quick Tunnel URLs are temporary and change after every restart.
+- Quick Tunnels are not auto-restored after an OmniRoute or container restart. Re-enable them from the dashboard when needed.
 - Managed install currently supports Linux, macOS, and Windows on `x64` / `arm64`.
+- Managed Quick Tunnels default to HTTP/2 transport to avoid noisy QUIC UDP buffer warnings in constrained container environments. Set `CLOUDFLARED_PROTOCOL=quic` or `auto` if you want a different transport.
 - Docker images bundle system CA roots and pass them to managed `cloudflared`, which avoids TLS trust failures when the tunnel bootstraps inside the container.
+- SQLite runs in WAL mode. `docker stop` should be allowed to finish so OmniRoute can checkpoint the latest changes back into `storage.sqlite`.
+- The bundled Compose files already set a 40s stop grace period. If you run the image directly, keep `--stop-timeout 40` (or similar) so manual stops do not cut off shutdown cleanup.
 - Set `CLOUDFLARED_BIN=/absolute/path/to/cloudflared` if you want OmniRoute to use an existing binary instead of downloading one.

 **Using Docker Compose with Caddy (HTTPS Auto-TLS):**
@@ -1025,7 +1165,7 @@ Cerebras (cerebras/)   → Llama/Qwen world-fastest — 1M tok/day
 | `claude-haiku-4.5`  | `kr/`  | **Unlimited** | No reported daily cap |
 | `claude-opus-4.6`   | `kr/`  | **Unlimited** | Latest Opus via Kiro  |

-### 🟢 QODER MODELS (Free OAuth — No Credit Card)
+### 🟢 QODER MODELS (Free PAT via qodercli)

 | Model              | Prefix | Limit         | Rate Limit      |
 | ------------------ | ------ | ------------- | --------------- |
@@ -1035,6 +1175,9 @@ Cerebras (cerebras/)   → Llama/Qwen world-fastest — 1M tok/day
 | `minimax-m2.1`     | `if/`  | **Unlimited** | No reported cap |
 | `kimi-k2`          | `if/`  | **Unlimited** | No reported cap |

+> Recommended connection method: **Personal Access Token + `qodercli`**. Browser OAuth is
+> experimental and disabled by default unless `QODER_OAUTH_*` environment variables are configured.
+
 ### 🟡 QWEN MODELS (Device Code Auth)

 | Model               | Prefix | Limit         | Rate Limit          |
@@ -1190,19 +1333,19 @@ OmniRoute v2.0 is built as an operational platform, not just a relay proxy.

 ### 🤖 Agent & Protocol Operations (v2.0)

-| Feature                               | What It Does                                                                                       |
-| ------------------------------------- | -------------------------------------------------------------------------------------------------- |
-| 🔧 **MCP Server (16 tools)**          | IDE/agent tools via 3 transports: stdio, SSE (`/api/mcp/sse`), Streamable HTTP (`/api/mcp/stream`) |
-| 🤝 **A2A Server (JSON-RPC + SSE)**    | Agent-to-agent task execution with sync and streaming flows                                        |
-| 🧭 **Consolidated Endpoints Page**    | Tabbed management page with Endpoint Proxy, MCP, A2A, and API Endpoints tabs                       |
-| 🎚️ **Service Enable/Disable Toggles** | ON/OFF switches for MCP and A2A with settings persistence (default: OFF)                           |
-| 🛰️ **MCP Runtime Heartbeat**          | Real process status (pid, uptime, heartbeat age, transport, scope mode)                            |
-| 📋 **MCP Audit Trail**                | Filterable audit logs with success/failure and key attribution                                     |
-| 🔐 **MCP Scope Enforcement**          | 9 granular scope permissions for controlled tool access                                            |
-| 📡 **A2A Task Lifecycle Management**  | List/filter tasks, inspect events/artifacts, cancel running tasks                                  |
-| 📋 **Agent Card Discovery**           | `/.well-known/agent.json` for client auto-discovery                                                |
-| 🧪 **Protocol E2E Test Harness**      | Real MCP SDK + A2A client flows in `test:protocols:e2e`                                            |
-| ⚙️ **Operational Controls**           | Switch combo, apply resilience profiles, reset breakers from one control surface                   |
+| Feature                               | What It Does                                                                                                                           |
+| ------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
+| 🔧 **MCP Server (25 tools)**          | IDE/agent tools via 3 transports: stdio, SSE (`/api/mcp/sse`), Streamable HTTP (`/api/mcp/stream`). 18 core + 3 memory + 4 skill tools |
+| 🤝 **A2A Server (JSON-RPC + SSE)**    | Agent-to-agent task execution with sync and streaming flows                                                                            |
+| 🧭 **Consolidated Endpoints Page**    | Tabbed management page with Endpoint Proxy, MCP, A2A, and API Endpoints tabs                                                           |
+| 🎚️ **Service Enable/Disable Toggles** | ON/OFF switches for MCP and A2A with settings persistence (default: OFF)                                                               |
+| 🛰️ **MCP Runtime Heartbeat**          | Real process status (pid, uptime, heartbeat age, transport, scope mode)                                                                |
+| 📋 **MCP Audit Trail**                | Filterable audit logs with success/failure and key attribution                                                                         |
+| 🔐 **MCP Scope Enforcement**          | 10 granular scope permissions for controlled tool access                                                                               |
+| 📡 **A2A Task Lifecycle Management**  | List/filter tasks, inspect events/artifacts, cancel running tasks                                                                      |
+| 📋 **Agent Card Discovery**           | `/.well-known/agent.json` for client auto-discovery                                                                                    |
+| 🧪 **Protocol E2E Test Harness**      | Real MCP SDK + A2A client flows in `test:protocols:e2e`                                                                                |
+| ⚙️ **Operational Controls**           | Switch combo, apply resilience profiles, reset breakers from one control surface                                                       |

 ### 🧠 Routing & Intelligence

@@ -1213,7 +1356,7 @@ OmniRoute v2.0 is built as an operational platform, not just a relay proxy.
 | 🔄 **Format Translation**          | OpenAI ↔ Claude ↔ Gemini ↔ Responses with schema-safe conversions        |
 | 👥 **Multi-Account Support**       | Multiple accounts per provider with intelligent selection                |
 | 🔄 **Auto Token Refresh**          | OAuth tokens refresh automatically with retry                            |
-| 🎨 **Custom Combos**               | 6 balancing strategies + fallback chain control                          |
+| 🎨 **Custom Combos**               | 9 balancing strategies + fallback chain control                          |
 | 🌐 **Wildcard Router**             | `provider/*` dynamic routing                                             |
 | 🧠 **Thinking Budget Controls**    | Passthrough, auto, custom, and adaptive reasoning limits                 |
 | 🔀 **Model Aliases**               | Built-in + custom model aliasing and migration safety                    |
@@ -1276,21 +1419,22 @@ OmniRoute v2.0 is built as an operational platform, not just a relay proxy.

 ### ☁️ Deployment & Platform

-| Feature                       | What It Does                                              |
-| ----------------------------- | --------------------------------------------------------- |
-| 🌐 **Deploy Anywhere**        | Localhost, VPS, Docker, Cloud environments                |
-| 🚇 **Cloudflare Tunnel** 🆕   | One-click Quick Tunnel integration from the dashboard     |
-| 💾 **Cloud Sync**             | Configuration sync via cloud worker                       |
-| 🔄 **Backup/Restore**         | Export/import and disaster recovery flows                 |
-| 🧙 **Onboarding Wizard**      | First-run guided setup                                    |
-| 🔧 **CLI Tools Dashboard**    | One-click setup for popular coding tools                  |
-| 🎮 **Model Playground**       | Test any provider/model/endpoint from the dashboard       |
-| 🔏 **CLI Fingerprint Toggle** | Per-provider fingerprint matching in Settings > Security  |
-| 🌐 **i18n (30 languages)**    | Full dashboard + docs language support with RTL coverage  |
-| 🧹 **Clear All Models**       | One-click model list clearing in provider details         |
-| 👁️ **Sidebar Controls** 🆕    | Hide components and integrations from Appearance Settings |
-| 📋 **Issue Templates**        | Standardized GitHub templates for bugs and features       |
-| 📂 **Custom Data Directory**  | `DATA_DIR` override for storage location                  |
+| Feature                        | What It Does                                                          |
+| ------------------------------ | --------------------------------------------------------------------- |
+| 🌐 **Deploy Anywhere**         | Localhost, VPS, Docker, Cloud environments                            |
+| 🚇 **Cloudflare Tunnel** 🆕    | One-click Quick Tunnel integration from the dashboard                 |
+| 🔑 **API Key Model Filtering** | Native /v1/models response filtered via assigned Bearer context roles |
+| ⚡ **Smart Cache Bypass**      | Configurable TTL heuristics and forced refetch controls               |
+| 🔄 **Backup/Restore**          | Export/import and disaster recovery flows                             |
+| 🧙 **Onboarding Wizard**       | First-run guided setup                                                |
+| 🔧 **CLI Tools Dashboard**     | One-click setup for popular coding tools                              |
+| 🎮 **Model Playground**        | Test any provider/model/endpoint from the dashboard                   |
+| 🔏 **CLI Fingerprint Toggle**  | Per-provider fingerprint matching in Settings > Security              |
+| 🌐 **i18n (30 languages)**     | Full dashboard + docs language support with RTL coverage              |
+| 🧹 **Clear All Models**        | One-click model list clearing in provider details                     |
+| 👁️ **Sidebar Controls** 🆕     | Hide components and integrations from Appearance Settings             |
+| 📋 **Issue Templates**         | Standardized GitHub templates for bugs and features                   |
+| 📂 **Custom Data Directory**   | `DATA_DIR` override for storage location                              |

 ### Feature Deep Dive

@@ -1497,7 +1641,7 @@ Dashboard → Providers → Connect GitHub
 Models:
  gh/gpt-5
  gh/claude-4.5-sonnet
-  gh/gemini-3-pro
+  gh/gemini-3.1-pro-preview
 ```

 </details>
@@ -1810,7 +1954,10 @@ opencode

 **No request logs**

- Set `ENABLE_REQUEST_LOGS=true` in `.env`
+- Request artifacts are written to `DATA_DIR/call_logs/` as one JSON file per request
+- Enable pipeline capture from Dashboard → Logs → Request Logs if you need detailed per-stage payloads
+- Set `APP_LOG_TO_FILE=true` if you also want application console logs in `logs/application/app.log`
+- Adjust `APP_LOG_MAX_FILE_SIZE`, `APP_LOG_RETENTION_DAYS`, `APP_LOG_MAX_FILES`, and `CALL_LOG_MAX_ENTRIES` as needed

 **Connection test shows "Invalid" for OpenAI-compatible providers**

@@ -20,9 +20,9 @@ If you discover a security vulnerability in OmniRoute, please report it responsi

 | Version | Support Status |
 | ------- | -------------- |
-| 1.0.x   | ✅ Active      |
-| 0.8.x   | ✅ Security    |
-| < 0.8.0 | ❌ Unsupported |
+| 3.4.x   | ✅ Active      |
+| 3.0.x   | ✅ Security    |
+| < 3.0.0 | ❌ Unsupported |

 ---

@@ -43,6 +43,7 @@ Request → CORS → API Key Auth → Prompt Injection Guard → Input Sanitizer
 | **OAuth 2.0 + PKCE** | Secure provider auth (Claude, Codex, Gemini, Cursor, etc.) |
 | **Token Refresh**    | Automatic OAuth token refresh before expiry                |
 | **Secure Cookies**   | `AUTH_COOKIE_SECURE=true` for HTTPS environments           |
+| **MCP Scopes**       | 10 granular scopes for MCP tool access control             |

 ### 🛡️ Encryption at Rest

@@ -98,9 +99,11 @@ PII_REDACTION_ENABLED=true
 | Feature                  | Description                                                      |
 | ------------------------ | ---------------------------------------------------------------- |
 | **CORS**                 | Configurable origin control (`CORS_ORIGIN` env var, default `*`) |
-| **IP Filtering**         | Whitelist/blacklist IP ranges in dashboard                       |
+| **IP Filtering**         | Allowlist/blocklist IP ranges in dashboard                       |
 | **Rate Limiting**        | Per-provider rate limits with automatic backoff                  |
 | **Anti-Thundering Herd** | Mutex + per-connection locking prevents cascading 502s           |
+| **TLS Fingerprint**      | Browser-like TLS fingerprint spoofing to reduce bot detection    |
+| **CLI Fingerprint**      | Per-provider header/body ordering to match native CLI signatures |

 ### 🔌 Resilience & Availability

@@ -113,11 +116,13 @@ PII_REDACTION_ENABLED=true

 ### 📋 Compliance

-| Feature            | Description                                         |
-| ------------------ | --------------------------------------------------- |
-| **Log Retention**  | Automatic cleanup after `LOG_RETENTION_DAYS`        |
-| **No-Log Opt-out** | Per API key `noLog` flag disables request logging   |
-| **Audit Log**      | Administrative actions tracked in `audit_log` table |
+| Feature            | Description                                                 |
+| ------------------ | ----------------------------------------------------------- |
+| **Log Retention**  | Automatic cleanup after `CALL_LOG_RETENTION_DAYS`           |
+| **No-Log Opt-out** | Per API key `noLog` flag disables request logging           |
+| **Audit Log**      | Administrative actions tracked in `audit_log` table         |
+| **MCP Audit**      | SQLite-backed audit logging for all MCP tool calls          |
+| **Zod Validation** | All API inputs validated with Zod v4 schemas at module load |

 ---

@@ -167,3 +172,4 @@ docker run -d \
 - Keep dependencies updated
 - The project uses `husky` + `lint-staged` for pre-commit checks
 - CI pipeline runs ESLint security rules on every push
+- Provider constants validated at module load via Zod (`src/shared/validation/providerSchema.ts`)
@@ -0,0 +1,203 @@
+{
+  "auditReportVersion": 2,
+  "vulnerabilities": {
+    "next": {
+      "name": "next",
+      "severity": "high",
+      "isDirect": true,
+      "via": [
+        {
+          "source": 1112592,
+          "name": "next",
+          "dependency": "next",
+          "title": "Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration",
+          "url": "https://github.com/advisories/GHSA-9g9p-9gw9-jx7f",
+          "severity": "moderate",
+          "cwe": ["CWE-400", "CWE-770"],
+          "cvss": {
+            "score": 5.9,
+            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+          },
+          "range": ">=15.6.0-canary.0 <16.1.5"
+        },
+        {
+          "source": 1112646,
+          "name": "next",
+          "dependency": "next",
+          "title": "Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components",
+          "url": "https://github.com/advisories/GHSA-h25m-26qc-wcjf",
+          "severity": "high",
+          "cwe": ["CWE-400", "CWE-502"],
+          "cvss": {
+            "score": 7.5,
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+          },
+          "range": ">=16.0.0-beta.0 <16.0.11"
+        },
+        {
+          "source": 1112990,
+          "name": "next",
+          "dependency": "next",
+          "title": "Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",
+          "url": "https://github.com/advisories/GHSA-5f7q-jpqc-wp7h",
+          "severity": "moderate",
+          "cwe": ["CWE-400", "CWE-409", "CWE-770"],
+          "cvss": {
+            "score": 5.9,
+            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+          },
+          "range": ">=16.0.0-beta.0 <16.1.5"
+        },
+        {
+          "source": 1114898,
+          "name": "next",
+          "dependency": "next",
+          "title": "Next.js: HTTP request smuggling in rewrites",
+          "url": "https://github.com/advisories/GHSA-ggv3-7p47-pfv8",
+          "severity": "moderate",
+          "cwe": ["CWE-444"],
+          "cvss": {
+            "score": 0,
+            "vectorString": null
+          },
+          "range": ">=16.0.0-beta.0 <16.1.7"
+        },
+        {
+          "source": 1114941,
+          "name": "next",
+          "dependency": "next",
+          "title": "Next.js: Unbounded next/image disk cache growth can exhaust storage",
+          "url": "https://github.com/advisories/GHSA-3x4c-7xq6-9pq8",
+          "severity": "moderate",
+          "cwe": ["CWE-400"],
+          "cvss": {
+            "score": 0,
+            "vectorString": null
+          },
+          "range": ">=16.0.0-beta.0 <16.1.7"
+        },
+        {
+          "source": 1114942,
+          "name": "next",
+          "dependency": "next",
+          "title": "Next.js: Unbounded postponed resume buffering can lead to DoS",
+          "url": "https://github.com/advisories/GHSA-h27x-g6w4-24gq",
+          "severity": "moderate",
+          "cwe": ["CWE-770"],
+          "cvss": {
+            "score": 0,
+            "vectorString": null
+          },
+          "range": ">=16.0.1 <16.1.7"
+        },
+        {
+          "source": 1114943,
+          "name": "next",
+          "dependency": "next",
+          "title": "Next.js: null origin can bypass Server Actions CSRF checks",
+          "url": "https://github.com/advisories/GHSA-mq59-m269-xvcx",
+          "severity": "moderate",
+          "cwe": ["CWE-352"],
+          "cvss": {
+            "score": 0,
+            "vectorString": null
+          },
+          "range": ">=16.0.1 <16.1.7"
+        },
+        {
+          "source": 1115360,
+          "name": "next",
+          "dependency": "next",
+          "title": "Next.js: null origin can bypass dev HMR websocket CSRF checks",
+          "url": "https://github.com/advisories/GHSA-jcc7-9wpm-mj36",
+          "severity": "low",
+          "cwe": ["CWE-1385"],
+          "cvss": {
+            "score": 0,
+            "vectorString": null
+          },
+          "range": ">=16.0.1 <16.1.7"
+        }
+      ],
+      "effects": [],
+      "range": "15.6.0-canary.0 - 16.1.6",
+      "nodes": ["node_modules/next"],
+      "fixAvailable": {
+        "name": "next",
+        "version": "16.2.2",
+        "isSemVerMajor": false
+      }
+    },
+    "vite": {
+      "name": "vite",
+      "severity": "high",
+      "isDirect": false,
+      "via": [
+        {
+          "source": 1116007,
+          "name": "vite",
+          "dependency": "vite",
+          "title": "Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
+          "url": "https://github.com/advisories/GHSA-4w7w-66w2-5vf9",
+          "severity": "moderate",
+          "cwe": ["CWE-22", "CWE-200"],
+          "cvss": {
+            "score": 0,
+            "vectorString": null
+          },
+          "range": ">=8.0.0 <=8.0.4"
+        },
+        {
+          "source": 1116009,
+          "name": "vite",
+          "dependency": "vite",
+          "title": "Vite: `server.fs.deny` bypassed with queries",
+          "url": "https://github.com/advisories/GHSA-v2wj-q39q-566r",
+          "severity": "high",
+          "cwe": ["CWE-180", "CWE-284"],
+          "cvss": {
+            "score": 0,
+            "vectorString": null
+          },
+          "range": ">=8.0.0 <=8.0.4"
+        },
+        {
+          "source": 1116012,
+          "name": "vite",
+          "dependency": "vite",
+          "title": "Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket",
+          "url": "https://github.com/advisories/GHSA-p9ff-h696-f583",
+          "severity": "high",
+          "cwe": ["CWE-200", "CWE-306"],
+          "cvss": {
+            "score": 0,
+            "vectorString": null
+          },
+          "range": ">=8.0.0 <=8.0.4"
+        }
+      ],
+      "effects": [],
+      "range": "8.0.0 - 8.0.4",
+      "nodes": ["node_modules/vite"],
+      "fixAvailable": true
+    }
+  },
+  "metadata": {
+    "vulnerabilities": {
+      "info": 0,
+      "low": 0,
+      "moderate": 0,
+      "high": 2,
+      "critical": 0,
+      "total": 2
+    },
+    "dependencies": {
+      "prod": 407,
+      "dev": 485,
+      "optional": 154,
+      "peer": 480,
+      "peerOptional": 0,
+      "total": 1455
+    }
+  }
+}
@@ -17,7 +17,7 @@ import { createInterface } from "node:readline";
 import { resolve, dirname } from "node:path";
 import { fileURLToPath } from "node:url";
 import { existsSync } from "node:fs";
-import { createHash } from "node:crypto";
+import bcrypt from "bcryptjs";

 const __dirname = dirname(fileURLToPath(import.meta.url));

@@ -34,8 +34,10 @@ function ask(question) {
  return new Promise((resolve) => rl.question(question, resolve));
 }

-function hashPassword(password) {
-  return createHash("sha256").update(password).digest("hex");
+function generateSecretDigest(input) {
+  // Use bcrypt with a salt round of 10 to match login/route.ts expectations
+  // and resolve CodeQL js/insufficient-password-hash warning.
+  return bcrypt.hashSync(input, 10);
 }

 console.log("\n🔑 OmniRoute — Password Reset\n");
@@ -86,7 +88,7 @@ async function main() {
    process.exit(1);
  }

-  const hashed = hashPassword(password);
+  const hashed = generateSecretDigest(password);

  // Upsert the password
  const stmt = db.prepare(`
@@ -0,0 +1,23 @@
+#!/usr/bin/env node
+
+import { spawn } from 'node:child_process'
+
+const env = { ...process.env }
+
+await exec('npx next build --experimental-build-mode generate')
+
+// launch application
+await exec(process.argv.slice(2).join(' '))
+
+function exec(command) {
+  const child = spawn(command, { shell: true, stdio: 'inherit', env })
+  return new Promise((resolve, reject) => {
+    child.on('exit', code => {
+      if (code === 0) {
+        resolve()
+      } else {
+        reject(new Error(`${command} failed rc=${code}`))
+      }
+    })
+  })
+}
@@ -0,0 +1,17 @@
+import process from "node:process";
+import fs from "node:fs";
+
+setTimeout(() => {
+  const activeHandles = process._getActiveHandles();
+  console.log("ACTIVE HANDLES: " + activeHandles.length);
+  activeHandles.forEach((handle, i) => {
+    console.log(`Handle ${i}:`, handle?.constructor?.name);
+    // if it's a timer or socket, let's see more
+    if (handle?.constructor?.name === "Timeout") {
+      console.log("  Timer wrapper:", handle?._onTimeout?.toString().slice(0, 50));
+    }
+  });
+  process.exit(1);
+}, 2000);
+
+await import("./tests/integration/chat-pipeline.test.mjs");
@@ -0,0 +1,14 @@
+import process from "node:process";
+import("./tests/integration/chat-pipeline.test.mjs").then((mod) => {
+  setTimeout(() => {
+    const activeHandles = process._getActiveHandles();
+    console.log("ACTIVE HANDLES: " + activeHandles.length);
+    activeHandles.forEach((handle, i) => {
+      console.log(`Handle ${i}:`, handle?.constructor?.name);
+      if (handle?.constructor?.name === "Socket") {
+        console.log("Socket ports:", handle?.localPort, handle?.remotePort);
+      }
+    });
+    process.exit(1);
+  }, 15000);
+});
@@ -0,0 +1,339 @@
+TAP version 13
+# Subtest: Chat Pipeline — handleSingleModelChat decomposition
+    # Subtest: should define resolveModelOrError helper
+    ok 1 - should define resolveModelOrError helper
+      ---
+      duration_ms: 2.870676
+      type: 'test'
+      ...
+    # Subtest: should define checkPipelineGates helper
+    ok 2 - should define checkPipelineGates helper
+      ---
+      duration_ms: 0.539959
+      type: 'test'
+      ...
+    # Subtest: should define executeChatWithBreaker helper
+    ok 3 - should define executeChatWithBreaker helper
+      ---
+      duration_ms: 0.540611
+      type: 'test'
+      ...
+    # Subtest: should keep cost accounting in the core chat pipeline
+    ok 4 - should keep cost accounting in the core chat pipeline
+      ---
+      duration_ms: 0.583888
+      type: 'test'
+      ...
+    # Subtest: handleSingleModelChat should use resolveModelOrError
+    ok 5 - handleSingleModelChat should use resolveModelOrError
+      ---
+      duration_ms: 0.395358
+      type: 'test'
+      ...
+    # Subtest: handleSingleModelChat should use checkPipelineGates
+    ok 6 - handleSingleModelChat should use checkPipelineGates
+      ---
+      duration_ms: 0.725771
+      type: 'test'
+      ...
+    # Subtest: handleSingleModelChat should use executeChatWithBreaker
+    ok 7 - handleSingleModelChat should use executeChatWithBreaker
+      ---
+      duration_ms: 0.384009
+      type: 'test'
+      ...
+    # Subtest: chatCore should record cost for both non-streaming and streaming responses
+    ok 8 - chatCore should record cost for both non-streaming and streaming responses
+      ---
+      duration_ms: 0.717301
+      type: 'test'
+      ...
+    1..8
+ok 1 - Chat Pipeline — handleSingleModelChat decomposition
+  ---
+  duration_ms: 12.510313
+  type: 'suite'
+  ...
+# Subtest: Chat Pipeline — combo fallback support
+    # Subtest: should import handleComboChat
+    ok 1 - should import handleComboChat
+      ---
+      duration_ms: 0.683569
+      type: 'test'
+      ...
+    # Subtest: should delegate to handleSingleModelChat for each combo model
+    ok 2 - should delegate to handleSingleModelChat for each combo model
+      ---
+      duration_ms: 0.903143
+      type: 'test'
+      ...
+    # Subtest: should check model availability before attempting combo models
+    ok 3 - should check model availability before attempting combo models
+      ---
+      duration_ms: 0.37494
+      type: 'test'
+      ...
+    1..3
+ok 2 - Chat Pipeline — combo fallback support
+  ---
+  duration_ms: 2.526966
+  type: 'suite'
+  ...
+# Subtest: Chat Pipeline — circuit breaker integration
+    # Subtest: should import CircuitBreakerOpenError
+    ok 1 - should import CircuitBreakerOpenError
+      ---
+      duration_ms: 0.500942
+      type: 'test'
+      ...
+    # Subtest: should handle CircuitBreakerOpenError with retry-after
+    ok 2 - should handle CircuitBreakerOpenError with retry-after
+      ---
+      duration_ms: 0.262275
+      type: 'test'
+      ...
+    # Subtest: should reject requests when circuit is open
+    ok 3 - should reject requests when circuit is open
+      ---
+      duration_ms: 0.399071
+      type: 'test'
+      ...
+    1..3
+ok 3 - Chat Pipeline — circuit breaker integration
+  ---
+  duration_ms: 1.532005
+  type: 'suite'
+  ...
+# Subtest: DI Container — container.ts
+    # Subtest: should export a container singleton
+    ok 1 - should export a container singleton
+      ---
+      duration_ms: 293.16418
+      type: 'test'
+      ...
+    # Subtest: should register and resolve a custom service
+    ok 2 - should register and resolve a custom service
+      ---
+      duration_ms: 9.047061
+      type: 'test'
+      ...
+    # Subtest: should return cached singleton on repeated resolve
+    ok 3 - should return cached singleton on repeated resolve
+      ---
+      duration_ms: 2.700355
+      type: 'test'
+      ...
+    # Subtest: should throw on resolving unregistered service
+    ok 4 - should throw on resolving unregistered service
+      ---
+      duration_ms: 3.280776
+      type: 'test'
+      ...
+    # Subtest: should have default registrations
+    ok 5 - should have default registrations
+      ---
+      duration_ms: 2.960963
+      type: 'test'
+      ...
+    # Subtest: should support re-registration (overwrite)
+    ok 6 - should support re-registration (overwrite)
+      ---
+      duration_ms: 2.683065
+      type: 'test'
+      ...
+    1..6
+ok 4 - DI Container — container.ts
+  ---
+  duration_ms: 314.82733
+  type: 'suite'
+  ...
+# [Plugins] Registered "test-logger" (priority: 10, enabled: true)
+# Subtest: Plugin Architecture — plugins/index.ts
+    # Subtest: should register and list plugins
+    ok 1 - should register and list plugins
+      ---
+      duration_ms: 7.470741
+      type: 'test'
+      ...
+# [Plugins] Registered "low" (priority: 200, enabled: true)
+# [Plugins] Registered "high" (priority: 1, enabled: true)
+# [Plugins] Registered "mid" (priority: 50, enabled: true)
+    # Subtest: should sort plugins by priority
+    ok 2 - should sort plugins by priority
+      ---
+      duration_ms: 3.51882
+      type: 'test'
+      ...
+# [Plugins] Registered "first" (priority: 1, enabled: true)
+# [Plugins] Registered "second" (priority: 2, enabled: true)
+    # Subtest: should run onRequest hooks in order
+    ok 3 - should run onRequest hooks in order
+      ---
+      duration_ms: 2.940782
+      type: 'test'
+      ...
+# [Plugins] Registered "blocker" (priority: 1, enabled: true)
+# [Plugins] Registered "never-runs" (priority: 2, enabled: true)
+# [Plugins] Request blocked by "blocker"
+    # Subtest: should support request blocking
+    ok 4 - should support request blocking
+      ---
+      duration_ms: 3.293988
+      type: 'test'
+      ...
+# [Plugins] Registered "toggle-me" (priority: 100, enabled: true)
+    # Subtest: should enable/disable plugins at runtime
+    ok 5 - should enable/disable plugins at runtime
+      ---
+      duration_ms: 2.784824
+      type: 'test'
+      ...
+# [Plugins] Registered "removable" (priority: 100, enabled: true)
+    # Subtest: should unregister plugins
+    ok 6 - should unregister plugins
+      ---
+      duration_ms: 2.608295
+      type: 'test'
+      ...
+# [Plugins] Registered "response-modifier" (priority: 100, enabled: true)
+    # Subtest: should run onResponse hooks
+    ok 7 - should run onResponse hooks
+      ---
+      duration_ms: 2.746361
+      type: 'test'
+      ...
+# [Plugins] Registered "error-handler" (priority: 100, enabled: true)
+# [Plugins] Error recovered by "error-handler"
+    # Subtest: should run onError hooks and allow recovery
+    ok 8 - should run onError hooks and allow recovery
+      ---
+      duration_ms: 2.899465
+      type: 'test'
+      ...
+    # Subtest: should return null from onError if no recovery
+    ok 9 - should return null from onError if no recovery
+      ---
+      duration_ms: 2.313171
+      type: 'test'
+      ...
+    1..9
+ok 5 - Plugin Architecture — plugins/index.ts
+  ---
+  duration_ms: 31.770504
+  type: 'suite'
+  ...
+# Subtest: Prompt Template Versioning — prompts.ts module existence
+    # Subtest: prompts.ts should exist
+    ok 1 - prompts.ts should exist
+      ---
+      duration_ms: 0.369635
+      type: 'test'
+      ...
+    # Subtest: should export CRUD functions
+    ok 2 - should export CRUD functions
+      ---
+      duration_ms: 0.391134
+      type: 'test'
+      ...
+    # Subtest: should define PromptTemplate interface
+    ok 3 - should define PromptTemplate interface
+      ---
+      duration_ms: 0.333598
+      type: 'test'
+      ...
+    # Subtest: should use content hashing for deduplication
+    ok 4 - should use content hashing for deduplication
+      ---
+      duration_ms: 0.31716
+      type: 'test'
+      ...
+    1..4
+ok 6 - Prompt Template Versioning — prompts.ts module existence
+  ---
+  duration_ms: 1.752975
+  type: 'suite'
+  ...
+# Subtest: Eval Scheduler — scheduler.ts module existence
+    # Subtest: scheduler.ts should exist
+    ok 1 - scheduler.ts should exist
+      ---
+      duration_ms: 0.347059
+      type: 'test'
+      ...
+    # Subtest: should export scheduling functions
+    ok 2 - should export scheduling functions
+      ---
+      duration_ms: 0.582836
+      type: 'test'
+      ...
+    # Subtest: should define ScheduledEval and EvalRunResult types
+    ok 3 - should define ScheduledEval and EvalRunResult types
+      ---
+      duration_ms: 0.459196
+      type: 'test'
+      ...
+    # Subtest: should have pluggable output provider
+    ok 4 - should have pluggable output provider
+      ---
+      duration_ms: 0.310267
+      type: 'test'
+      ...
+    1..4
+ok 7 - Eval Scheduler — scheduler.ts module existence
+  ---
+  duration_ms: 1.961338
+  type: 'suite'
+  ...
+# Subtest: Migration System — files exist
+    # Subtest: migrationRunner.ts should exist
+    ok 1 - migrationRunner.ts should exist
+      ---
+      duration_ms: 0.381312
+      type: 'test'
+      ...
+    # Subtest: 001_initial_schema.sql should exist
+    ok 2 - 001_initial_schema.sql should exist
+      ---
+      duration_ms: 0.248336
+      type: 'test'
+      ...
+    # Subtest: core.ts should reference migration runner
+    ok 3 - core.ts should reference migration runner
+      ---
+      duration_ms: 0.542947
+      type: 'test'
+      ...
+    1..3
+ok 8 - Migration System — files exist
+  ---
+  duration_ms: 1.448447
+  type: 'suite'
+  ...
+# Subtest: CORS — centralized configuration
+    # Subtest: shared/utils/cors.ts should exist
+    ok 1 - shared/utils/cors.ts should exist
+      ---
+      duration_ms: 0.374376
+      type: 'test'
+      ...
+    # Subtest: should export CORS_HEADERS and CORS_ORIGIN
+    ok 2 - should export CORS_HEADERS and CORS_ORIGIN
+      ---
+      duration_ms: 0.390035
+      type: 'test'
+      ...
+    1..2
+ok 9 - CORS — centralized configuration
+  ---
+  duration_ms: 0.962465
+  type: 'suite'
+  ...
+1..9
+# tests 42
+# suites 9
+# pass 42
+# fail 0
+# cancelled 0
+# skipped 0
+# todo 0
+# duration_ms 869.387894
@@ -19,6 +19,7 @@ services:
      target: runner-cli
    image: omniroute:prod
    restart: unless-stopped
+    stop_grace_period: 40s
    env_file: .env
    environment:
      - NODE_ENV=production
@@ -6,11 +6,14 @@
 #    base  → minimal image, no CLI tools
 #    cli   → CLIs installed inside the container (portable)
 #    host  → runner-base + host-mounted CLI binaries (Linux-first)
+#    cliproxyapi → CLIProxyAPI sidecar on port 8317
 #
 #  Usage:
 #    docker compose --profile base up -d
 #    docker compose --profile cli up -d
 #    docker compose --profile host up -d
+#    docker compose --profile cliproxyapi up -d
+#    docker compose --profile cli --profile cliproxyapi up -d
 #
 #  Before first run, copy .env.example → .env and edit your secrets.
 # ──────────────────────────────────────────────────────────────────────
@@ -109,6 +112,30 @@ services:
    profiles:
      - host

+  # ── Profile: cliproxyapi (CLIProxyAPI as sidecar) ─────────────────
+  cliproxyapi:
+    container_name: cliproxyapi
+    image: ghcr.io/router-for-me/cliproxyapi:v6.9.7
+    restart: unless-stopped
+    ports:
+      - "${CLIPROXYAPI_PORT:-8317}:${CLIPROXYAPI_PORT:-8317}"
+    volumes:
+      - cliproxyapi-data:/root/.cli-proxy-api
+    environment:
+      - PORT=${CLIPROXYAPI_PORT:-8317}
+      - HOST=0.0.0.0
+    healthcheck:
+      test:
+        ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:${CLIPROXYAPI_PORT:-8317}/v1/models"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+    profiles:
+      - cliproxyapi
+
 volumes:
  omniroute-data:
    name: omniroute-data
+  cliproxyapi-data:
+    name: cliproxyapi-data
@@ -0,0 +1,451 @@
+# OmniRoute Fly.io 部署指南
+
+本文档记录 OmniRoute 在 Fly.io 上的实际部署方法，适用于两类场景：
+
+- 首次把当前项目部署到 Fly.io
+- 后续代码更新后继续发布
+- 新项目参考同样流程部署
+
+本文基于当前项目已经验证通过的配置整理，应用名为 `omniroute`。
+
+---
+
+## 1. 部署目标
+
+- 平台：Fly.io
+- 部署方式：本地 `flyctl` 直接发布
+- 运行方式：使用仓库内现有 `Dockerfile` 和 `fly.toml`
+- 数据持久化：Fly Volume 挂载到 `/data`
+- 访问地址：`https://omniroute.fly.dev/`
+
+---
+
+## 2. 当前项目关键配置
+
+当前仓库中的 `fly.toml` 已确认包含以下关键项：
+
+```toml
+app = 'omniroute'
+primary_region = 'sin'
+
+[[mounts]]
+  source = 'data'
+  destination = '/data'
+
+[processes]
+  app = 'node run-standalone.mjs'
+
+[http_service]
+  internal_port = 20128
+
+[env]
+  TZ = "Asia/Shanghai"
+  HOST = "0.0.0.0"
+  HOSTNAME = "0.0.0.0"
+  BIND = "0.0.0.0"
+```
+
+说明：
+
+- `app = 'omniroute'` 决定实际部署到哪个 Fly 应用
+- `destination = '/data'` 决定持久卷挂载目录
+- 本项目必须让 `DATA_DIR=/data`，否则数据库和密钥会写到容器临时目录
+
+---
+
+## 3. 必备工具
+
+### 3.1 安装 Fly CLI
+
+Windows PowerShell：
+
+```powershell
+pwsh -Command "iwr https://fly.io/install.ps1 -useb | iex"
+```
+
+如果安装脚本在当前环境失败，也可以手动下载 `flyctl` 二进制并放到 `PATH` 中。
+
+### 3.2 登录 Fly 账号
+
+```powershell
+flyctl auth login
+```
+
+### 3.3 检查登录状态
+
+```powershell
+flyctl auth whoami
+flyctl version
+```
+
+---
+
+## 4. 首次部署当前项目
+
+### 4.1 获取代码并进入目录
+
+```powershell
+git clone https://github.com/xiaoge1688/OmniRoute.git
+cd OmniRoute
+```
+
+### 4.2 确认应用名
+
+打开 `fly.toml`，重点看这一行：
+
+```toml
+app = 'omniroute'
+```
+
+如果你准备部署到自己的新应用，可改成全局唯一名称，例如：
+
+```toml
+app = 'omniroute-yourname'
+```
+
+注意：
+
+- 控制台里要看的是与 `fly.toml` 里 `app` 一致的应用
+- 以前如果用过别的名字，例如 `oroute`，不要和 `omniroute` 混淆
+
+### 4.3 创建应用
+
+如果该应用尚不存在：
+
+```powershell
+flyctl apps create omniroute
+```
+
+如果你已经改成别的应用名，把 `omniroute` 替换成你的名字。
+
+### 4.4 首次部署
+
+```powershell
+flyctl deploy
+```
+
+---
+
+## 5. 必配参数
+
+本项目在 Fly.io 上建议至少配置以下参数。
+
+### 5.1 已验证使用的参数
+
+这些参数已经在当前 `omniroute` 应用上实际部署：
+
+- `API_KEY_SECRET`
+- `DATA_DIR`
+- `JWT_SECRET`
+- `MACHINE_ID_SALT`
+- `NEXT_PUBLIC_BASE_URL`
+- `STORAGE_ENCRYPTION_KEY`
+
+### 5.2 关于 `INITIAL_PASSWORD`
+
+当前项目没有设置 `INITIAL_PASSWORD`，因为本次部署按需求不使用它。
+
+如果不设置：
+
+- 启动日志会提示默认密码是 `CHANGEME`
+- 部署后应尽快在系统设置中修改登录密码
+
+如果你希望无人值守初始化后台密码，也可以后续补：
+
+- `INITIAL_PASSWORD`
+
+---
+
+## 6. 推荐参数说明
+
+### 6.1 Secrets 中设置
+
+建议放入 Fly Secrets：
+
+| 变量名 | 是否推荐 | 说明 |
+| --- | --- | --- |
+| `API_KEY_SECRET` | 必需 | API Key 生成与校验使用 |
+| `JWT_SECRET` | 必需 | 登录态和 JWT 签名使用 |
+| `STORAGE_ENCRYPTION_KEY` | 强烈推荐 | 加密存储敏感连接信息 |
+| `MACHINE_ID_SALT` | 推荐 | 生成稳定机器标识 |
+| `INITIAL_PASSWORD` | 可选 | 首次部署时直接指定后台初始密码 |
+| OAuth/API 私密凭证 | 按需 | 各类外部平台鉴权配置 |
+
+### 6.2 当前项目推荐值
+
+| 变量名 | 推荐值 |
+| --- | --- |
+| `DATA_DIR` | `/data` |
+| `NEXT_PUBLIC_BASE_URL` | `https://omniroute.fly.dev` |
+
+说明：
+
+- `DATA_DIR=/data` 非常关键，必须与 Fly Volume 挂载点一致
+- `NEXT_PUBLIC_BASE_URL` 用于调度器和前端回调等场景
+
+---
+
+## 7. 一键设置参数
+
+下面命令会生成安全随机值，并把当前项目需要的参数一次性写入 Fly Secrets。
+
+说明：
+
+- 不包含 `INITIAL_PASSWORD`
+- 适用于当前项目 `omniroute`
+
+```powershell
+$apiKeySecret = [Convert]::ToHexString((1..32 | ForEach-Object { Get-Random -Minimum 0 -Maximum 256 })).ToLower()
+$jwtSecret = [Convert]::ToHexString((1..64 | ForEach-Object { Get-Random -Minimum 0 -Maximum 256 })).ToLower()
+$machineIdSalt = [Convert]::ToHexString((1..32 | ForEach-Object { Get-Random -Minimum 0 -Maximum 256 })).ToLower()
+$storageKey = [Convert]::ToHexString((1..32 | ForEach-Object { Get-Random -Minimum 0 -Maximum 256 })).ToLower()
+
+flyctl secrets set `
+  API_KEY_SECRET=$apiKeySecret `
+  JWT_SECRET=$jwtSecret `
+  MACHINE_ID_SALT=$machineIdSalt `
+  STORAGE_ENCRYPTION_KEY=$storageKey `
+  DATA_DIR=/data `
+  NEXT_PUBLIC_BASE_URL=https://omniroute.fly.dev `
+  -a omniroute
+```
+
+如果你还要加初始密码：
+
+```powershell
+flyctl secrets set INITIAL_PASSWORD=你的强密码 -a omniroute
+```
+
+---
+
+## 8. 查看当前参数
+
+```powershell
+flyctl secrets list -a omniroute
+```
+
+如果控制台 `Secrets` 页面没有显示你期待的变量，先检查：
+
+- 看的应用是不是 `omniroute`
+- `fly.toml` 的 `app` 是否和控制台应用一致
+
+---
+
+## 9. 后续更新发布
+
+代码有更新后，发布步骤很简单：
+
+```powershell
+git pull
+flyctl deploy
+```
+
+如果只更新参数，不改代码：
+
+```powershell
+flyctl secrets set KEY=value -a omniroute
+```
+
+Fly 会自动滚动更新机器。
+
+### 9.1 跟踪原仓库更新并保留 fork 的 `fly.toml`
+
+如果当前仓库是 fork，并且你要同步上游 `https://github.com/diegosouzapw/OmniRoute` 的更新，推荐按下面流程执行。
+
+先确认远程：
+
+```powershell
+git remote -v
+```
+
+应至少包含：
+
+- `origin` 指向你自己的 fork
+- `upstream` 指向原仓库
+
+如果没有 `upstream`，先添加：
+
+```powershell
+git remote add upstream https://github.com/diegosouzapw/OmniRoute.git
+```
+
+同步上游前，先抓取最新提交和标签：
+
+```powershell
+git fetch upstream --tags
+```
+
+查看当前版本和上游标签：
+
+```powershell
+git describe --tags --always
+git show --no-patch --oneline v3.4.7
+```
+
+如果你想合并上游最新 `main`，并强制保留 fork 当前的 `fly.toml`，可按下面流程执行：
+
+```powershell
+git merge upstream/main
+git checkout HEAD~1 -- fly.toml
+git add -- fly.toml
+git commit -m "chore(deploy): keep fork fly.toml"
+git push origin main
+```
+
+说明：
+
+- `git merge upstream/main` 用于同步原仓库最新代码
+- `git checkout HEAD~1 -- fly.toml` 用于恢复合并前你 fork 自己的 `fly.toml`
+- 如果上游没有改 `fly.toml`，这一步不会带来额外差异
+- 如果上游改了 `fly.toml`，这一步能确保 Fly 应用名、挂载卷、区域等 fork 自定义部署配置不被覆盖
+
+如果你明确只想对齐某个发布标签，例如 `v3.4.7`，也可以先确认标签是否已经包含在 `upstream/main`：
+
+```powershell
+git merge-base --is-ancestor v3.4.7 upstream/main
+```
+
+返回成功表示 `upstream/main` 已经包含该版本，直接合并 `upstream/main` 即可。
+
+### 9.2 同步上游后的标准发布顺序
+
+同步原仓库完成后，推荐按下面顺序发布：
+
+1. `git fetch upstream --tags`
+2. `git merge upstream/main`
+3. 恢复 fork 的 `fly.toml`
+4. `git push origin main`
+5. `flyctl deploy`
+6. `flyctl status -a omniroute`
+7. `flyctl logs --no-tail -a omniroute`
+
+这就是当前项目升级到 `v3.4.7` 时使用的实际流程。
+
+---
+
+## 10. 发布后检查
+
+### 10.1 查看应用状态
+
+```powershell
+flyctl status -a omniroute
+```
+
+### 10.2 查看启动日志
+
+```powershell
+flyctl logs --no-tail -a omniroute
+```
+
+### 10.3 检查网站可访问
+
+```powershell
+try {
+  (Invoke-WebRequest -Uri "https://omniroute.fly.dev" -MaximumRedirection 5 -UseBasicParsing).StatusCode
+} catch {
+  if ($_.Exception.Response) {
+    $_.Exception.Response.StatusCode.value__
+  } else {
+    throw
+  }
+}
+```
+
+返回 `200` 说明站点已正常响应。
+
+---
+
+## 11. 成功标志
+
+部署成功后，日志里应看到类似内容：
+
+```text
+[bootstrap] Secrets persisted to: /data/server.env
+[DB] SQLite database ready: /data/storage.sqlite
+```
+
+这两个点很关键：
+
+- `/data/server.env` 说明运行时密钥落到了持久卷
+- `/data/storage.sqlite` 说明数据库写入持久卷
+
+如果你看到的是 `/app/data/...`，说明 `DATA_DIR` 没配对，需要立即修正。
+
+---
+
+## 12. 常见问题
+
+### 12.1 `Secrets` 页面是空的
+
+通常有两种原因：
+
+- 你还没执行 `flyctl secrets set`
+- 你打开的是另一个应用，例如 `oroute`，不是 `omniroute`
+
+### 12.2 `flyctl deploy` 报 `app not found`
+
+先创建应用：
+
+```powershell
+flyctl apps create omniroute
+```
+
+### 12.3 `fly.toml` 解析失败
+
+重点检查：
+
+- 注释里是否有乱码字符
+- TOML 引号和缩进是否正确
+
+### 12.4 数据没有持久化
+
+检查以下两点：
+
+- `fly.toml` 中是否存在 `destination = '/data'`
+- `DATA_DIR` 是否设置为 `/data`
+
+### 12.5 不设置 `INITIAL_PASSWORD` 是否能跑
+
+可以运行，但会回退到默认 `CHANGEME`。生产环境建议尽快修改后台密码。
+
+---
+
+## 13. 新项目复用建议
+
+如果以后是新项目照着这份文档部署，最少改这几项：
+
+1. 修改 `fly.toml` 里的 `app`
+2. 修改 `NEXT_PUBLIC_BASE_URL`
+3. 保持 `DATA_DIR=/data`
+4. 重新生成 `API_KEY_SECRET`、`JWT_SECRET`、`MACHINE_ID_SALT`、`STORAGE_ENCRYPTION_KEY`
+5. 首次部署后检查日志是否写入 `/data`
+
+不要直接复用旧项目的密钥。
+
+---
+
+## 14. 当前项目的最小发布清单
+
+当前项目后续最常用的命令如下：
+
+```powershell
+flyctl auth whoami
+flyctl status -a omniroute
+flyctl secrets list -a omniroute
+flyctl deploy
+flyctl logs --no-tail -a omniroute
+```
+
+如果只是正常发版，核心就是：
+
+```powershell
+flyctl deploy
+```
+
+如果是新环境首次部署，核心就是：
+
+1. `flyctl auth login`
+2. `flyctl apps create omniroute`
+3. `flyctl secrets set ... -a omniroute`
+4. `flyctl deploy`
+5. `flyctl logs --no-tail -a omniroute`
@@ -0,0 +1,409 @@
+# i18n — Internationalization Guide
+
+OmniRoute supports **30 languages** with full dashboard UI translation, translated documentation, and RTL support for Arabic and Hebrew.
+
+🌐 **Languages:** 🇺🇸 [English](../I18N.md) | 🇧🇷 [Português (Brasil)](./pt-BR/I18N.md) | 🇪🇸 [Español](./es/I18N.md) | 🇫🇷 [Français](./fr/I18N.md) | 🇩🇪 [Deutsch](./de/I18N.md) | 🇮🇹 [Italiano](./it/I18N.md) | 🇷🇺 [Русский](./ru/I18N.md) | 🇨🇳 [中文 (简体)](./zh-CN/I18N.md) | 🇯🇵 [日本語](./ja/I18N.md) | 🇰🇷 [한국어](./ko/I18N.md) | 🇸🇦 [العربية](./ar/I18N.md) | 🇮🇳 [हिन्दी](./hi/I18N.md) | 🇹🇭 [ไทย](./th/I18N.md) | 🇹🇷 [Türkçe](./tr/I18N.md) | 🇺🇦 [Українська](./uk-UA/I18N.md) | 🇻🇳 [Tiếng Việt](./vi/I18N.md) | 🇧🇬 [Български](./bg/I18N.md) | 🇩🇰 [Dansk](./da/I18N.md) | 🇫🇮 [Suomi](./fi/I18N.md) | 🇮🇱 [עברית](./he/I18N.md) | 🇭🇺 [Magyar](./hu/I18N.md) | 🇮🇩 [Bahasa Indonesia](./id/I18N.md) | 🇲🇾 [Bahasa Melayu](./ms/I18N.md) | 🇳🇱 [Nederlands](./nl/I18N.md) | 🇳🇴 [Norsk](./no/I18N.md) | 🇵🇹 [Português (Portugal)](./pt/I18N.md) | 🇷🇴 [Română](./ro/I18N.md) | 🇵🇱 [Polski](./pl/I18N.md) | 🇸🇰 [Slovenčina](./sk/I18N.md) | 🇸🇪 [Svenska](./sv/I18N.md) | 🇵🇭 [Filipino](./phi/I18N.md) | 🇨🇿 [Čeština](./cs/I18N.md)
+
+## Quick Reference
+
+| Task | Command |
+|------|---------|
+| Generate translations | `node scripts/i18n/generate-multilang.mjs messages` |
+| Translate docs (LLM) | `python3 scripts/i18n_autotranslate.py --api-url <url> --api-key <key> --model <model>` |
+| Validate a locale | `python3 scripts/validate_translation.py quick -l cs` |
+| Check code keys | `python3 scripts/check_translations.py` |
+| Generate QA report | `node scripts/i18n/generate-qa-checklist.mjs` |
+| Visual QA (Playwright) | `node scripts/i18n/run-visual-qa.mjs` |
+
+## Architecture
+
+### Source of Truth
+- **UI strings**: `src/i18n/messages/en.json` (English source, ~2800 keys)
+- **Locale files**: `src/i18n/messages/{locale}.json` (30 translations)
+- **Framework**: `next-intl` with cookie-based locale resolution
+- **Config**: `src/i18n/config.ts` — defines all 30 locales, language names, flags
+
+### Runtime Flow
+1. User selects language → `NEXT_LOCALE` cookie set
+2. `src/i18n/request.ts` resolves locale: cookie → `Accept-Language` header → fallback `en`
+3. Dynamic import loads `messages/{locale}.json`
+4. Components use `useTranslations("namespace")` and `t("key")`
+
+### Supported Locales
+
+| Code | Language | RTL | Google Translate Code |
+|------|----------|-----|----------------------|
+| `ar` | العربية | Yes | `ar` |
+| `bg` | Български | No | `bg` |
+| `cs` | Čeština | No | `cs` |
+| `da` | Dansk | No | `da` |
+| `de` | Deutsch | No | `de` |
+| `es` | Español | No | `es` |
+| `fi` | Suomi | No | `fi` |
+| `fr` | Français | No | `fr` |
+| `he` | עברית | Yes | `iw` |
+| `hi` | हिन्दी | No | `hi` |
+| `hu` | Magyar | No | `hu` |
+| `id` | Bahasa Indonesia | No | `id` |
+| `it` | Italiano | No | `it` |
+| `ja` | 日本語 | No | `ja` |
+| `ko` | 한국어 | No | `ko` |
+| `ms` | Bahasa Melayu | No | `ms` |
+| `nl` | Nederlands | No | `nl` |
+| `no` | Norsk | No | `no` |
+| `phi` | Filipino | No | `tl` |
+| `pl` | Polski | No | `pl` |
+| `pt` | Português (Portugal) | No | `pt` |
+| `pt-BR` | Português (Brasil) | No | `pt` |
+| `ro` | Română | No | `ro` |
+| `ru` | Русский | No | `ru` |
+| `sk` | Slovenčina | No | `sk` |
+| `sv` | Svenska | No | `sv` |
+| `th` | ไทย | No | `th` |
+| `tr` | Türkçe | No | `tr` |
+| `uk-UA` | Українська | No | `uk` |
+| `vi` | Tiếng Việt | No | `vi` |
+| `zh-CN` | 中文 (简体) | No | `zh-CN` |
+
+## Adding a New Language
+
+### 1. Register the Locale
+Edit `src/i18n/config.ts`:
+```ts
+// Add to LOCALES array
+"xx",
+// Add to LANGUAGES array
+{ code: "xx", label: "XX", name: "Language Name", flag: "🏳️" },
+```
+
+### 2. Add to Generator
+Edit `scripts/i18n/generate-multilang.mjs` — add entry to `LOCALE_SPECS`:
+```js
+{
+  code: "xx",
+  googleTl: "xx",
+  label: "XX",
+  flag: "🏳️",
+  languageName: "Language Name",
+  readmeName: "Language Name",
+  docsName: "Language Name",
+},
+```
+
+### 3. Generate Initial Translation
+```bash
+node scripts/i18n/generate-multilang.mjs messages
+```
+This creates `src/i18n/messages/xx.json` auto-translated from `en.json` via Google Translate.
+
+### 4. Review & Fix Auto-Translations
+Auto-translations are a starting point. Review manually for:
+- Technical accuracy
+- Context-appropriate terminology
+- Proper handling of placeholders (`{count}`, `{value}`, etc.)
+
+### 5. Validate
+```bash
+python3 scripts/validate_translation.py quick -l xx
+python3 scripts/validate_translation.py diff common -l xx
+```
+
+### 6. Generate Translated Documentation
+```bash
+node scripts/i18n/generate-multilang.mjs docs
+```
+
+## Auto-Translation Pipeline
+
+### generate-multilang.mjs (Google Translate)
+
+**Primary auto-translation engine** — uses Google Translate free API to generate translations for UI strings, READMEs, and documentation.
+
+```bash
+node scripts/i18n/generate-multilang.mjs [messages|readme|docs|all]
+```
+
+| Mode | What it does |
+|------|-------------|
+| `messages` | Translates missing keys in `src/i18n/messages/{locale}.json` from `en.json` |
+| `readme` | Translates `README.md` into all locales as `README.{code}.md` in project root |
+| `docs` | Translates `DOC_SOURCE_FILES` into `docs/i18n/{locale}/{docName}` |
+| `all` | Runs all three modes |
+
+**Features:**
+- **Text protection**: Masks code blocks (```` ``` ````), inline code (`` ` ``), markdown links/images (`[text](url)`), HTML tags, tables, and ICU placeholders (`{count}`, `{value}`, `{total}`, etc.) before translation, then restores them
+- **Chunked batching**: Joins multiple strings with `__OMNIROUTE_I18N_SEPARATOR__` delimiters to minimize API calls (max 1800 chars per request)
+- **In-memory cache**: Avoids redundant API calls for repeated strings within a session
+- **Retry logic**: Exponential backoff (up to 5 attempts with 300ms × attempt delay) for 429/5xx errors
+- **Timeout**: 20 seconds per request
+- **Skip existing**: If target file already exists, it is NOT overwritten
+
+**Important behaviors:**
+- `docs/i18n/README.md` is **regenerated** each run — it's an auto-generated index of all docs
+- Root `README.{code}.md` files are only created if they don't exist (skips locales in `EXISTING_README_CODES`)
+- Language bars (`🌐 **Languages:** ...`) are automatically inserted/updated in all translated docs
+
+### i18n_autotranslate.py (LLM-based)
+
+**Secondary translator** — uses any OpenAI-compatible LLM API (including OmniRoute itself) to translate existing `docs/i18n/` markdown files. Best for polishing or re-translating docs with better quality than Google Translate.
+
+```bash
+python3 scripts/i18n_autotranslate.py \
+  --api-url http://localhost:20128/v1 \
+  --api-key sk-your-key \
+  --model gpt-4o
+```
+
+**Features:**
+- Scans `docs/i18n/` markdown files for English paragraphs
+- Skips code blocks, tables, and already-translated content
+- Sends paragraphs to LLM with technical translation system prompt
+- Supports all 30 languages
+
+## Validation & QA
+
+### validate_translation.py
+
+**Translation validator** — compares any locale JSON against `en.json` and reports issues.
+
+```bash
+# Quick check (counts only)
+python3 scripts/validate_translation.py quick -l cs
+# Output:
+# Missing: 0
+# Untranslated: 0
+# Ignored (UNTRANSLATABLE_KEYS): 236
+
+# Detailed diff by category
+python3 scripts/validate_translation.py diff common -l cs
+python3 scripts/validate_translation.py diff settings -l cs
+
+# Export to CSV
+python3 scripts/validate_translation.py csv -l cs > report.csv
+
+# Export to Markdown
+python3 scripts/validate_translation.py md -l cs > report.md
+
+# Full report (default)
+python3 scripts/validate_translation.py -l cs
+```
+
+**Detects:**
+- **Missing keys** — keys in `en.json` but not in locale file
+- **Extra keys** — keys in locale file but not in `en.json`
+- **Untranslated keys** — keys where locale value equals English source (excluding allowlist)
+- **Placeholder mismatches** — ICU placeholders that don't match between source and translation
+
+**Exit codes:**
+| Code | Meaning |
+|------|---------|
+| 0 | OK |
+| 1 | Generic error |
+| 2 | Missing strings (hard error) |
+| 3 | Untranslated warning (soft) |
+
+**Environment:** Set `TRANSLATION_LANG=cs` or use `-l cs` flag.
+
+### check_translations.py
+
+**Code-to-JSON key checker** — scans `src/**/*.tsx` and `src/**/*.ts` for `useTranslations()` calls and verifies all referenced keys exist in `en.json`.
+
+```bash
+# Basic check
+python3 scripts/check_translations.py
+
+# Verbose output
+python3 scripts/check_translations.py --verbose
+
+# Auto-fix (adds missing keys to en.json)
+python3 scripts/check_translations.py --fix
+```
+
+### generate-qa-checklist.mjs
+
+**Static analysis QA** — scans Next.js page files for i18n risk metrics and generates a Markdown report.
+
+```bash
+node scripts/i18n/generate-qa-checklist.mjs
+```
+
+**Checks:**
+- Fixed-width class usage (overflow risk)
+- Directional left/right classes (RTL risk)
+- Clipping-prone patterns
+- Locale parity (missing/extra keys vs `en.json`)
+- README language selector bars in priority locales (`es`, `fr`, `de`, `ja`, `ar`)
+
+**Output:** `docs/reports/i18n-qa-checklist-{date}.md`
+
+### run-visual-qa.mjs
+
+**Visual QA via Playwright** — takes screenshots of all dashboard routes in multiple locales and viewports, then evaluates page health.
+
+```bash
+# Default: es, fr, de, ja, ar on localhost:20128
+node scripts/i18n/run-visual-qa.mjs
+
+# Custom base URL and locales
+QA_BASE_URL=http://staging.example.com QA_LOCALES=de,fr node scripts/i18n/run-visual-qa.mjs
+
+# Custom routes
+QA_ROUTES=/dashboard/settings,/dashboard/providers node scripts/i18n/run-visual-qa.mjs
+```
+
+**Detects:**
+- Text overflow
+- Element clipping
+- RTL layout mismatches
+
+**Output:** `docs/reports/i18n-visual-qa-{date}.md` + JSON report
+
+## Managing Untranslatable Keys
+
+### untranslatable-keys.json
+
+**File:** `scripts/i18n/untranslatable-keys.json`
+
+Allowlist of keys that should remain identical to English source. Used by `validate_translation.py` to avoid false-positive "untranslated" warnings.
+
+```json
+{
+  "description": "Keys that should remain untranslated...",
+  "keys": [
+    "common.model",
+    "common.oauth",
+    "health.cpu",
+    ...
+  ]
+}
+```
+
+**What belongs here:**
+- Brand/product names: `landing.brandName`, `common.social-github`
+- Technical terms/acronyms: `health.cpu`, `mcpDashboard.pid`, `settings.ai`
+- ICU/format strings: `apiManager.modelsCount`, `health.millisecondsShort`
+- Placeholder values: `providers.openaiBaseUrlPlaceholder`, `cliTools.baseUrlPlaceholder`
+- Protocol names: `common.http`, `common.oauth`, `providers.oauth2Label`
+- Navigation sections: `sidebar.primarySection`, `sidebar.cliSection`
+
+**To add a key:** Edit the `keys` array in `scripts/i18n/untranslatable-keys.json` and re-run validation.
+
+## CI Integration
+
+### GitHub Actions (`.github/workflows/ci.yml`)
+
+The CI pipeline validates all locales on every push and PR:
+
+1. **`i18n-matrix` job** — dynamically discovers all locale files (excluding `en.json`)
+2. **`i18n` job** — runs `validate_translation.py quick -l '<lang>'` for each locale in parallel
+3. **`ci-summary` job** — aggregates results into a dashboard summary
+
+```yaml
+# i18n-matrix: discovers languages
+LANGS=$(ls src/i18n/messages/*.json | xargs -n1 basename | sed 's/.json$//' | grep -v '^en$')
+
+# i18n: validates each language
+python3 scripts/validate_translation.py quick -l '${{ matrix.lang }}'
+```
+
+**Dashboard output:**
+```
+## 🌍 Translations
+| Metric | Value |
+|--------|------|
+| Languages checked | 30 |
+| Total untranslated | 0 |
+
+✅ All translations complete
+```
+
+## File Structure
+
+```
+src/i18n/
+├── config.ts                    # Locale definitions (30 locales, RTL config)
+├── request.ts                   # Runtime locale resolution
+└── messages/
+    ├── en.json                  # Source of truth (~2800 keys)
+    ├── cs.json                  # Czech translation
+    ├── de.json                  # German translation
+    └── ...                      # 30 locale files total
+
+scripts/
+├── i18n/
+│   ├── generate-multilang.mjs   # Auto-translation engine (Google Translate, 888 lines)
+│   ├── generate-qa-checklist.mjs # Static analysis QA
+│   ├── run-visual-qa.mjs        # Playwright visual QA
+│   └── untranslatable-keys.json # Allowlist for validation (236 keys)
+├── validate_translation.py      # Translation validator
+├── check_translations.py        # Code-to-JSON key checker
+└── i18n_autotranslate.py        # LLM-based doc translator
+
+.github/workflows/
+└── ci.yml                       # i18n validation in CI matrix
+
+docs/
+├── I18N.md                      # This file — i18n toolchain documentation
+├── i18n/
+│   ├── README.md                # Auto-generated language index
+│   ├── cs/                      # Czech docs
+│   │   └── docs/
+│   │       ├── I18N.md          # Czech translation of this file
+│   │       └── ...
+│   ├── de/                      # German docs
+│   └── ...                      # 30 locale directories
+└── reports/
+    ├── i18n-qa-checklist-*.md   # Static analysis reports
+    └── i18n-visual-qa-*.md      # Visual QA reports
+```
+
+## Best Practices
+
+### When Editing Translations
+1. **Always edit `en.json` first** — it's the source of truth
+2. **Run `generate-multilang.mjs messages`** to propagate new keys to all locales
+3. **Review auto-translations** — Google Translate is a starting point, not final
+4. **Validate before committing** — `python3 scripts/validate_translation.py quick -l <lang>`
+5. **Update `untranslatable-keys.json`** if a key should remain in English
+
+### Placeholder Safety
+- ICU placeholders (`{count}`, `{value}`, `{total}`, `{seconds}`) must be preserved exactly
+- Plural formats (`{count, plural, one {# model} other {# models}}`) must maintain structure
+- The validator detects placeholder mismatches automatically
+
+### Adding New Translation Keys in Code
+```tsx
+// Use namespaced keys
+const t = useTranslations("settings");
+t("cacheSettings"); // maps to settings.cacheSettings in JSON
+
+// Run check_translations.py to verify keys exist
+python3 scripts/check_translations.py --verbose
+```
+
+### RTL Considerations
+- Arabic (`ar`) and Hebrew (`he`) are RTL locales
+- Avoid hardcoded `left`/`right` CSS — use `start`/`end` logical properties
+- Visual QA catches RTL layout mismatches via `run-visual-qa.mjs`
+
+## Known Issues & History
+
+### `in.json` → `hi.json` Fix
+The generator originally used `code: "in"` (deprecated Google Translate code) for Hindi instead of the correct ISO 639-1 `hi`. This created an orphaned `in.json` duplicate of `hi.json`. Fixed by changing `code: "in"` to `code: "hi"` in `generate-multilang.mjs` and removing the orphaned file.
+
+### `docs/i18n/README.md` Is Auto-Generated
+The `docs/i18n/README.md` file is completely regenerated by `generate-multilang.mjs docs`. Any manual edits will be lost. Use `docs/I18N.md` (this file) for hand-written documentation that should persist.
+
+### External Untranslatable Keys List
+The `untranslatable-keys.json` allowlist was moved from an inline Python set in `validate_translation.py` to an external JSON file for easier maintenance. The validator loads it at runtime.
+
+### `generate-multilang.mjs` Hindi Code Fix
+The generator originally used `code: "in"` (deprecated Google Translate code) for Hindi instead of the correct ISO 639-1 `hi`. This was introduced in upstream commit `952b0b22c` by `diegosouzapw`. Fixed by changing `code: "in"` to `code: "hi"` in the `LOCALE_SPECS` array and removing the orphaned `in.json` file.
+
+### `validate_translation.py` Ignored Count Output
+The `quick` check now displays the count of ignored keys from `untranslatable-keys.json`:
+```
+Missing: 0
+Untranslated: 0
+Ignored (UNTRANSLATABLE_KEYS): 236
+```
@@ -164,7 +164,7 @@ Dashboard → Providers → Connect GitHub
 Models:
  gh/gpt-5
  gh/claude-4.5-sonnet
-  gh/gemini-3-pro
+  gh/gemini-3.1-pro-preview
 ```

 ### 💰 Cheap Providers
@@ -507,25 +507,28 @@ post_install() {

 ### Environment Variables

-| Variable                  | Default                              | Description                                                      |
-| ------------------------- | ------------------------------------ | ---------------------------------------------------------------- |
-| `JWT_SECRET`              | `omniroute-default-secret-change-me` | JWT signing secret (**change in production**)                    |
-| `INITIAL_PASSWORD`        | `123456`                             | First login password                                             |
-| `DATA_DIR`                | `~/.omniroute`                       | Data directory (db, usage, logs)                                 |
-| `PORT`                    | framework default                    | Service port (`20128` in examples)                               |
-| `HOSTNAME`                | framework default                    | Bind host (Docker defaults to `0.0.0.0`)                         |
-| `NODE_ENV`                | runtime default                      | Set `production` for deploy                                      |
-| `BASE_URL`                | `http://localhost:20128`             | Server-side internal base URL                                    |
-| `CLOUD_URL`               | `https://omniroute.dev`              | Cloud sync endpoint base URL                                     |
-| `API_KEY_SECRET`          | `endpoint-proxy-api-key-secret`      | HMAC secret for generated API keys                               |
-| `REQUIRE_API_KEY`         | `false`                              | Enforce Bearer API key on `/v1/*`                                |
-| `ALLOW_API_KEY_REVEAL`    | `false`                              | Allow Api Manager to copy full API keys on demand                |
-| `ENABLE_REQUEST_LOGS`     | `false`                              | Enables request/response logs                                    |
-| `AUTH_COOKIE_SECURE`      | `false`                              | Force `Secure` auth cookie (behind HTTPS reverse proxy)          |
-| `CLOUDFLARED_BIN`         | unset                                | Use an existing `cloudflared` binary instead of managed download |
-| `OMNIROUTE_MEMORY_MB`     | `512`                                | Node.js heap limit in MB                                         |
-| `PROMPT_CACHE_MAX_SIZE`   | `50`                                 | Max prompt cache entries                                         |
-| `SEMANTIC_CACHE_MAX_SIZE` | `100`                                | Max semantic cache entries                                       |
+| Variable                                | Default                              | Description                                                                                               |
+| --------------------------------------- | ------------------------------------ | --------------------------------------------------------------------------------------------------------- |
+| `JWT_SECRET`                            | `omniroute-default-secret-change-me` | JWT signing secret (**change in production**)                                                             |
+| `INITIAL_PASSWORD`                      | `123456`                             | First login password                                                                                      |
+| `DATA_DIR`                              | `~/.omniroute`                       | Data directory (db, usage, logs)                                                                          |
+| `PORT`                                  | framework default                    | Service port (`20128` in examples)                                                                        |
+| `HOSTNAME`                              | framework default                    | Bind host (Docker defaults to `0.0.0.0`)                                                                  |
+| `NODE_ENV`                              | runtime default                      | Set `production` for deploy                                                                               |
+| `BASE_URL`                              | `http://localhost:20128`             | Server-side internal base URL                                                                             |
+| `CLOUD_URL`                             | `https://omniroute.dev`              | Cloud sync endpoint base URL                                                                              |
+| `API_KEY_SECRET`                        | `endpoint-proxy-api-key-secret`      | HMAC secret for generated API keys                                                                        |
+| `REQUIRE_API_KEY`                       | `false`                              | Enforce Bearer API key on `/v1/*`                                                                         |
+| `ALLOW_API_KEY_REVEAL`                  | `false`                              | Allow Api Manager to copy full API keys on demand                                                         |
+| `PROVIDER_LIMITS_SYNC_INTERVAL_MINUTES` | `70`                                 | Server-side refresh cadence for cached Provider Limits data; UI refresh buttons still trigger manual sync |
+| `DISABLE_SQLITE_AUTO_BACKUP`            | `false`                              | Disable automatic SQLite snapshots before writes/import/restore; manual backups still work                |
+| `ENABLE_REQUEST_LOGS`                   | `false`                              | Enables request/response logs                                                                             |
+| `AUTH_COOKIE_SECURE`                    | `false`                              | Force `Secure` auth cookie (behind HTTPS reverse proxy)                                                   |
+| `CLOUDFLARED_BIN`                       | unset                                | Use an existing `cloudflared` binary instead of managed download                                          |
+| `CLOUDFLARED_PROTOCOL`                  | `http2`                              | Transport for managed Quick Tunnels (`http2`, `quic`, or `auto`)                                          |
+| `OMNIROUTE_MEMORY_MB`                   | `512`                                | Node.js heap limit in MB                                                                                  |
+| `PROMPT_CACHE_MAX_SIZE`                 | `50`                                 | Max prompt cache entries                                                                                  |
+| `SEMANTIC_CACHE_MAX_SIZE`               | `100`                                | Max semantic cache entries                                                                                |

 For the full environment variable reference, see the [README](../README.md).

@@ -650,7 +653,10 @@ Returns models grouped by provider with types (`chat`, `embedding`, `image`).
 - Available in **Dashboard → Endpoints** for Docker and other self-hosted deployments
 - Creates a temporary `https://*.trycloudflare.com` URL that forwards to your current OpenAI-compatible `/v1` endpoint
 - First enable installs `cloudflared` only when needed; later restarts reuse the same managed binary
+- Quick Tunnels are not auto-restored after an OmniRoute or container restart; re-enable them from the dashboard when needed
 - Tunnel URLs are ephemeral and change every time you stop/start the tunnel
+- Managed Quick Tunnels default to HTTP/2 transport to avoid noisy QUIC UDP buffer warnings in constrained containers
+- Set `CLOUDFLARED_PROTOCOL=quic` or `auto` if you want to override the managed transport choice
 - Set `CLOUDFLARED_BIN` if you prefer using a preinstalled `cloudflared` binary instead of the managed download

 ### LLM Gateway Intelligence (Phase 9)
@@ -768,11 +774,11 @@ OmniRoute implements provider-level resilience with four components:

 Manage database backups in **Dashboard → Settings → System & Storage**.

-| Action                   | Description                                                                                                                    |
-| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------ |
-| **Export Database**      | Downloads the current SQLite database as a `.sqlite` file                                                                      |
-| **Export All (.tar.gz)** | Downloads a full backup archive including: database, settings, combos, provider connections (no credentials), API key metadata |
-| **Import Database**      | Upload a `.sqlite` file to replace the current database. A pre-import backup is automatically created                          |
+| Action                   | Description                                                                                                                                    |
+| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Export Database**      | Downloads the current SQLite database as a `.sqlite` file                                                                                      |
+| **Export All (.tar.gz)** | Downloads a full backup archive including: database, settings, combos, provider connections (no credentials), API key metadata                 |
+| **Import Database**      | Upload a `.sqlite` file to replace the current database. A pre-import backup is automatically created unless `DISABLE_SQLITE_AUTO_BACKUP=true` |

 ```bash
 # API: Export database
@@ -213,8 +213,8 @@ server {
        # SSE (Server-Sent Events) — streaming AI responses
        proxy_buffering off;
        proxy_cache off;
-        proxy_read_timeout 300s;
-        proxy_send_timeout 300s;
+        proxy_read_timeout 600s;
+        proxy_send_timeout 600s;
    }
 }

@@ -228,6 +228,10 @@ server {
 NGINX
 ```

+Keep reverse-proxy stream timeouts aligned with your OmniRoute timeout env vars. If you raise
+`FETCH_TIMEOUT_MS` / `STREAM_IDLE_TIMEOUT_MS`, raise `proxy_read_timeout` / `proxy_send_timeout`
+above the same threshold.
+
 ### 3.3 Enable and Test

 ```bash
@@ -1,46 +0,0 @@
-# ADR-0001: Proxy Registry + Usage Control Generalization
-
-Date: 2026-03-17
-Status: Accepted
-
-## Context
-
-OmniRoute sudah punya:
-
- Proxy assignment berbasis config-map (`global`, `providers`, `combos`, `keys`).
- Quota-aware selection khusus provider tertentu (notably `codex`).
-
-Gap utama:
-
- Proxy belum menjadi aset reusable yang bisa di-manage sebagai entitas (metadata, where-used, safe delete).
- Usage policy belum konsisten lintas provider.
- Error contract API belum seragam untuk endpoint manajemen.
-
-## Decision
-
-1. Tambah **Proxy Registry** sebagai domain baru di DB (`proxy_registry`, `proxy_assignments`).
-2. Pertahankan kompatibilitas assignment lama (fallback ke `proxyConfig` lama).
-3. Resolver runtime pakai prioritas:
-   - account -> provider -> global (registry)
-   - fallback ke legacy resolver jika registry belum ada assignment
-4. Wajib redaction kredensial di output list registry default.
-5. Standarkan error JSON untuk endpoint manajemen proxy agar konsisten dan punya `requestId`.
-
-## Consequences
-
-Positif:
-
- Proxy reusable dan bisa dilacak pemakaiannya.
- Safe delete bisa ditegakkan (409 saat masih dipakai).
- Migrasi bertahap tanpa breaking change runtime.
-
-Negatif:
-
- Ada dual-source sementara (registry + legacy config) sampai migrasi selesai.
- Butuh endpoint assignment tambahan dan pemetaan scope yang konsisten.
-
-## Follow-up
-
- Migrasi UI provider/account dari input raw proxy ke selector registry.
- Tambah health telemetry per proxy dan alerting.
- Generalisasi usage control ke provider lain melalui interface policy yang sama.
@@ -1,32 +0,0 @@
-# ADR-0002: Error Contract for Management Endpoints
-
-Date: 2026-03-17
-Status: Accepted
-
-## Decision
-
-Management endpoints (proxy config, proxy registry, and proxy assignments) return a uniform error body:
-
-```json
-{
-  "error": {
-    "message": "Human-readable summary",
-    "type": "invalid_request | not_found | conflict | server_error",
-    "details": {}
-  },
-  "requestId": "uuid"
-}
-```
-
-## Status Mapping
-
- 400: invalid request / validation failure
- 404: resource not found
- 409: resource conflict (for example, proxy still assigned)
- 500: unexpected server error
-
-## Notes
-
- `requestId` is mandatory for log correlation.
- `details` is optional and only used for safe validation details.
- Sensitive secrets (proxy credentials, tokens) must never appear in `message` or `details`.
@@ -1,16 +0,0 @@
-# ADR-0003: Security Checklist for Proxy Registry and Usage Controls
-
-Date: 2026-03-17
-Status: Accepted
-
-## Checklist
-
- Validate all management payloads with Zod.
- Reject malformed scope assignment updates with status 400.
- Reject deleting an in-use proxy with status 409 unless forced.
- Never expose proxy username/password in list responses by default.
- Never log raw credentials or token values.
- Keep error responses free from internal stack traces.
- Protect management endpoints with existing auth middleware policy.
- Audit mutating operations: create/update/delete/assign/migrate.
- Ensure resolver fallback to legacy config while migration is in transition.
@@ -1,6 +1,6 @@
 # 🌐 Multilingual Documentation — 9router

-Translations of documentation into 30 languages. Code blocks remain in English.
+Translations of documentation into 32 languages. Code blocks remain in English.

 ---

@@ -13,7 +13,8 @@ Translations of documentation into 30 languages. Code blocks remain in English.
 - 🇯🇵 **日本語** (`ja`): [Docs Root](./ja/README.md)
 - 🇰🇷 **한국어** (`ko`): [Docs Root](./ko/README.md)
 - 🇸🇦 **العربية** (`ar`): [Docs Root](./ar/README.md)
- 🇮🇳 **हिन्दी** (`in`): [Docs Root](./in/README.md)
+- 🇮🇳 **हिन्दी** (`hi`): [Docs Root](./hi/README.md)
+- 🇮🇳 **हिन्दी (IN)** (`in`): [Docs Root](./in/README.md)
 - 🇹🇭 **ไทย** (`th`): [Docs Root](./th/README.md)
 - 🇻🇳 **Tiếng Việt** (`vi`): [Docs Root](./vi/README.md)
 - 🇮🇩 **Bahasa Indonesia** (`id`): [Docs Root](./id/README.md)
@@ -33,3 +34,5 @@ Translations of documentation into 30 languages. Code blocks remain in English.
 - 🇮🇱 **עברית** (`he`): [Docs Root](./he/README.md)
 - 🇵🇭 **Filipino** (`phi`): [Docs Root](./phi/README.md)
 - 🇧🇷 **Português (Brasil)** (`pt-BR`): [Docs Root](./pt-BR/README.md)
+- 🇨🇿 **Čeština** (`cs`): [Docs Root](./cs/README.md)
+- 🇹🇷 **Türkçe** (`tr`): [Docs Root](./tr/README.md)
@@ -1,67 +0,0 @@
-🌐 **Languages:** 🇺🇸 [English](../../README.md) · 🇧🇷 [pt-BR](../pt-BR/AUTO-COMBO.md) · 🇪🇸 [es](../es/AUTO-COMBO.md) · 🇫🇷 [fr](../fr/AUTO-COMBO.md) · 🇩🇪 [de](../de/AUTO-COMBO.md) · 🇮🇹 [it](../it/AUTO-COMBO.md) · 🇷🇺 [ru](../ru/AUTO-COMBO.md) · 🇨🇳 [zh-CN](../zh-CN/AUTO-COMBO.md) · 🇯🇵 [ja](../ja/AUTO-COMBO.md) · 🇰🇷 [ko](../ko/AUTO-COMBO.md) · 🇸🇦 [ar](../ar/AUTO-COMBO.md) · 🇮🇳 [in](../in/AUTO-COMBO.md) · 🇹🇭 [th](../th/AUTO-COMBO.md) · 🇻🇳 [vi](../vi/AUTO-COMBO.md) · 🇮🇩 [id](../id/AUTO-COMBO.md) · 🇲🇾 [ms](../ms/AUTO-COMBO.md) · 🇳🇱 [nl](../nl/AUTO-COMBO.md) · 🇵🇱 [pl](../pl/AUTO-COMBO.md) · 🇸🇪 [sv](../sv/AUTO-COMBO.md) · 🇳🇴 [no](../no/AUTO-COMBO.md) · 🇩🇰 [da](../da/AUTO-COMBO.md) · 🇫🇮 [fi](../fi/AUTO-COMBO.md) · 🇵🇹 [pt](../pt/AUTO-COMBO.md) · 🇷🇴 [ro](../ro/AUTO-COMBO.md) · 🇭🇺 [hu](../hu/AUTO-COMBO.md) · 🇧🇬 [bg](../bg/AUTO-COMBO.md) · 🇸🇰 [sk](../sk/AUTO-COMBO.md) · 🇺🇦 [uk-UA](../uk-UA/AUTO-COMBO.md) · 🇮🇱 [he](../he/AUTO-COMBO.md) · 🇵🇭 [phi](../phi/AUTO-COMBO.md)
-
---
-
-# OmniRoute Auto-Combo Engine
-
-> Self-managing model chains with adaptive scoring
-
-## How It Works
-
-The Auto-Combo Engine dynamically selects the best provider/model for each request using a **6-factor scoring function**:
-
-| Factor     | Weight | Description                                     |
-| :--------- | :----- | :---------------------------------------------- |
-| Quota      | 0.20   | Remaining capacity [0..1]                       |
-| Health     | 0.25   | Circuit breaker: CLOSED=1.0, HALF=0.5, OPEN=0.0 |
-| CostInv    | 0.20   | Inverse cost (cheaper = higher score)           |
-| LatencyInv | 0.15   | Inverse p95 latency (faster = higher)           |
-| TaskFit    | 0.10   | Model × task type fitness score                 |
-| Stability  | 0.10   | Low variance in latency/errors                  |
-
-## Mode Packs
-
-| Pack                    | Focus        | Key Weight       |
-| :---------------------- | :----------- | :--------------- |
-| 🚀 **Ship Fast**        | Speed        | latencyInv: 0.35 |
-| 💰 **Cost Saver**       | Economy      | costInv: 0.40    |
-| 🎯 **Quality First**    | Best model   | taskFit: 0.40    |
-| 📡 **Offline Friendly** | Availability | quota: 0.40      |
-
-## Self-Healing
-
- **Temporary exclusion**: Score < 0.2 → excluded for 5 min (progressive backoff, max 30 min)
- **Circuit breaker awareness**: OPEN → auto-excluded; HALF_OPEN → probe requests
- **Incident mode**: >50% OPEN → disable exploration, maximize stability
- **Cooldown recovery**: After exclusion, first request is a "probe" with reduced timeout
-
-## Bandit Exploration
-
-5% of requests (configurable) are routed to random providers for exploration. Disabled in incident mode.
-
-## API
-
-```bash
-# Create auto-combo
-curl -X POST http://localhost:20128/api/combos/auto \
-  -H "Content-Type: application/json" \
-  -d '{"id":"my-auto","name":"Auto Coder","candidatePool":["anthropic","google","openai"],"modePack":"ship-fast"}'
-
-# List auto-combos
-curl http://localhost:20128/api/combos/auto
-```
-
-## Task Fitness
-
-30+ models scored across 6 task types (`coding`, `review`, `planning`, `analysis`, `debugging`, `documentation`). Supports wildcard patterns (e.g., `*-coder` → high coding score).
-
-## Files
-
-| File                                         | Purpose                               |
-| :------------------------------------------- | :------------------------------------ |
-| `open-sse/services/autoCombo/scoring.ts`     | Scoring function & pool normalization |
-| `open-sse/services/autoCombo/taskFitness.ts` | Model × task fitness lookup           |
-| `open-sse/services/autoCombo/engine.ts`      | Selection logic, bandit, budget cap   |
-| `open-sse/services/autoCombo/selfHealing.ts` | Exclusion, probes, incident mode      |
-| `open-sse/services/autoCombo/modePacks.ts`   | 4 weight profiles                     |
-| `src/app/api/combos/auto/route.ts`           | REST API                              |
@@ -1,351 +0,0 @@
-🌐 **Languages:** 🇺🇸 [English](../../CLI-TOOLS.md) · 🇧🇷 [pt-BR](../pt-BR/CLI-TOOLS.md) · 🇪🇸 [es](../es/CLI-TOOLS.md) · 🇫🇷 [fr](../fr/CLI-TOOLS.md) · 🇩🇪 [de](../de/CLI-TOOLS.md) · 🇮🇹 [it](../it/CLI-TOOLS.md) · 🇷🇺 [ru](../ru/CLI-TOOLS.md) · 🇨🇳 [zh-CN](../zh-CN/CLI-TOOLS.md) · 🇯🇵 [ja](../ja/CLI-TOOLS.md) · 🇰🇷 [ko](../ko/CLI-TOOLS.md) · 🇸🇦 [ar](../ar/CLI-TOOLS.md)
-
-# دليل إعداد أدوات CLI — OmniRoute
-
-يشرح هذا الدليل كيفية تثبيت وتهيئة جميع أدوات CLI المدعومة لاستخدام **OmniRoute** كخلفية موحدة.
-
-This guide explains how to install and configure all supported AI coding CLI tools
-to use **OmniRoute** as the unified backend, giving you centralized key management,
-cost tracking, model switching, and request logging across every tool.
-
---
-
-## How It Works
-
-```
-Claude / Codex / Gemini CLI / OpenCode / Cline / KiloCode / Continue / Kiro CLI
-           │
-           ▼  (all point to OmniRoute)
-    http://YOUR_SERVER:20128/v1
-           │
-           ▼  (OmniRoute routes to the right provider)
-    Anthropic / OpenAI / Gemini / DeepSeek / Groq / Mistral / ...
-```
-
-**Benefits:**
-
- One API key to manage all tools
- Cost tracking across all CLIs in the dashboard
- Model switching without reconfiguring every tool
- Works locally and on remote servers (VPS)
-
---
-
-## Supported Tools
-
-| Tool             | Command             | Type              | Install Method |
-| ---------------- | ------------------- | ----------------- | -------------- |
-| **Claude Code**  | `claude`            | CLI               | npm            |
-| **OpenAI Codex** | `codex`             | CLI               | npm            |
-| **Gemini CLI**   | `gemini`            | CLI               | npm            |
-| **OpenCode**     | `opencode`          | CLI               | npm            |
-| **Cline**        | `cline`             | CLI + VS Code ext | npm            |
-| **KiloCode**     | `kilocode` / `kilo` | CLI + VS Code ext | npm            |
-| **Continue**     | guide-based         | VS Code ext       | VS Code        |
-| **Kiro CLI**     | `kiro-cli`          | CLI               | curl installer |
-| **Cursor**       | `cursor`            | Desktop app       | Download       |
-| **Droid**        | web-based           | Built-in agent    | OmniRoute      |
-| **OpenClaw**     | web-based           | Built-in agent    | OmniRoute      |
-
---
-
-## Step 1 — Get an OmniRoute API Key
-
-1. Open the OmniRoute dashboard → **API Manager** (`/dashboard/api-manager`)
-2. Click **Create API Key**
-3. Give it a name (e.g. `cli-tools`) and select all permissions
-4. Copy the key — you'll need it for every CLI below
-
-> Your key looks like: `sk-xxxxxxxxxxxxxxxx-xxxxxxxxx`
-
---
-
-## Step 2 — Install CLI Tools
-
-All npm-based tools require Node.js 18+:
-
-```bash
-# Claude Code (Anthropic)
-npm install -g @anthropic-ai/claude-code
-
-# OpenAI Codex
-npm install -g @openai/codex
-
-# Gemini CLI (Google)
-npm install -g @google/gemini-cli
-
-# OpenCode
-npm install -g opencode-ai
-
-# Cline
-npm install -g cline
-
-# KiloCode
-npm install -g kilecode
-
-# Kiro CLI (Amazon — requires curl + unzip)
-apt-get install -y unzip   # on Debian/Ubuntu
-curl -fsSL https://cli.kiro.dev/install | bash
-export PATH="$HOME/.local/bin:$PATH"   # add to ~/.bashrc
-```
-
-**Verify:**
-
-```bash
-claude --version     # 2.x.x
-codex --version      # 0.x.x
-gemini --version     # 0.x.x
-opencode --version   # x.x.x
-cline --version      # 2.x.x
-kilocode --version   # x.x.x (or: kilo --version)
-kiro-cli --version   # 1.x.x
-```
-
---
-
-## Step 3 — Set Global Environment Variables
-
-Add to `~/.bashrc` (or `~/.zshrc`), then run `source ~/.bashrc`:
-
-```bash
-# OmniRoute Universal Endpoint
-export OPENAI_BASE_URL="http://localhost:20128/v1"
-export OPENAI_API_KEY="sk-your-omniroute-key"
-export ANTHROPIC_BASE_URL="http://localhost:20128/v1"
-export ANTHROPIC_API_KEY="sk-your-omniroute-key"
-export GEMINI_BASE_URL="http://localhost:20128/v1"
-export GEMINI_API_KEY="sk-your-omniroute-key"
-```
-
-> For a **remote server** replace `localhost:20128` with the server IP or domain,
-> e.g. `http://192.168.0.15:20128`.
-
---
-
-## Step 4 — Configure Each Tool
-
-### Claude Code
-
-```bash
-# Via CLI:
-claude config set --global api-base-url http://localhost:20128/v1
-
-# Or create ~/.claude/settings.json:
-mkdir -p ~/.claude && cat > ~/.claude/settings.json << EOF
-{
-  "apiBaseUrl": "http://localhost:20128/v1",
-  "apiKey": "sk-your-omniroute-key"
-}
-EOF
-```
-
-**Test:** `claude "say hello"`
-
---
-
-### OpenAI Codex
-
-```bash
-mkdir -p ~/.codex && cat > ~/.codex/config.yaml << EOF
-model: auto
-apiKey: sk-your-omniroute-key
-apiBaseUrl: http://localhost:20128/v1
-EOF
-```
-
-**Test:** `codex "what is 2+2?"`
-
---
-
-### Gemini CLI
-
-```bash
-mkdir -p ~/.gemini && cat > ~/.gemini/settings.json << EOF
-{
-  "apiKey": "sk-your-omniroute-key",
-  "baseUrl": "http://localhost:20128/v1"
-}
-EOF
-```
-
-**Test:** `gemini "hello"`
-
---
-
-### OpenCode
-
-```bash
-mkdir -p ~/.config/opencode && cat > ~/.config/opencode/config.toml << EOF
-[provider.openai]
-base_url = "http://localhost:20128/v1"
-api_key = "sk-your-omniroute-key"
-EOF
-```
-
-**Test:** `opencode`
-
---
-
-### Cline (CLI or VS Code)
-
-**CLI mode:**
-
-```bash
-mkdir -p ~/.cline/data && cat > ~/.cline/data/globalState.json << EOF
-{
-  "apiProvider": "openai",
-  "openAiBaseUrl": "http://localhost:20128/v1",
-  "openAiApiKey": "sk-your-omniroute-key"
-}
-EOF
-```
-
-**VS Code mode:**
-Cline extension settings → API Provider: `OpenAI Compatible` → Base URL: `http://localhost:20128/v1`
-
-Or use the OmniRoute dashboard → **CLI Tools → Cline → Apply Config**.
-
---
-
-### KiloCode (CLI or VS Code)
-
-**CLI mode:**
-
-```bash
-kilocode --api-base http://localhost:20128/v1 --api-key sk-your-omniroute-key
-```
-
-**VS Code settings:**
-
-```json
-{
-  "kilo-code.openAiBaseUrl": "http://localhost:20128/v1",
-  "kilo-code.apiKey": "sk-your-omniroute-key"
-}
-```
-
-Or use the OmniRoute dashboard → **CLI Tools → KiloCode → Apply Config**.
-
---
-
-### Continue (VS Code Extension)
-
-Edit `~/.continue/config.yaml`:
-
-```yaml
-models:
-  - name: OmniRoute
-    provider: openai
-    model: auto
-    apiBase: http://localhost:20128/v1
-    apiKey: sk-your-omniroute-key
-    default: true
-```
-
-Restart VS Code after editing.
-
---
-
-### Kiro CLI (Amazon)
-
-```bash
-# Login to your AWS/Kiro account:
-kiro-cli login
-
-# The CLI uses its own auth — OmniRoute is not needed as backend for Kiro CLI itself.
-# Use kiro-cli alongside OmniRoute for other tools.
-kiro-cli status
-```
-
---
-
-### Cursor (Desktop App)
-
-> **Note:** Cursor routes requests through its cloud. For OmniRoute integration,
-> enable **Cloud Endpoint** in OmniRoute Settings and use your public domain URL.
-
-Via GUI: **Settings → Models → OpenAI API Key**
-
- Base URL: `https://your-domain.com/v1`
- API Key: your OmniRoute key
-
---
-
-## Dashboard Auto-Configuration
-
-The OmniRoute dashboard automates configuration for most tools:
-
-1. Go to `http://localhost:20128/dashboard/cli-tools`
-2. Expand any tool card
-3. Select your API key from the dropdown
-4. Click **Apply Config** (if tool is detected as installed)
-5. Or copy the generated config snippet manually
-
---
-
-## Built-in Agents: Droid & OpenClaw
-
-**Droid** and **OpenClaw** are AI agents built directly into OmniRoute — no installation needed.
-They run as internal routes and use OmniRoute's model routing automatically.
-
- Access: `http://localhost:20128/dashboard/agents`
- Configure: same combos and providers as all other tools
- No API key or CLI install required
-
---
-
-## Available API Endpoints
-
-| Endpoint                   | Description                   | Use For                     |
-| -------------------------- | ----------------------------- | --------------------------- |
-| `/v1/chat/completions`     | Standard chat (all providers) | All modern tools            |
-| `/v1/responses`            | Responses API (OpenAI format) | Codex, agentic workflows    |
-| `/v1/completions`          | Legacy text completions       | Older tools using `prompt:` |
-| `/v1/embeddings`           | Text embeddings               | RAG, search                 |
-| `/v1/images/generations`   | Image generation              | DALL-E, Flux, etc.          |
-| `/v1/audio/speech`         | Text-to-speech                | ElevenLabs, OpenAI TTS      |
-| `/v1/audio/transcriptions` | Speech-to-text                | Deepgram, AssemblyAI        |
-
---
-
-## Troubleshooting
-
-| Error                     | Cause                   | Fix                                        |
-| ------------------------- | ----------------------- | ------------------------------------------ |
-| `Connection refused`      | OmniRoute not running   | `pm2 start omniroute`                      |
-| `401 Unauthorized`        | Wrong API key           | Check in `/dashboard/api-manager`          |
-| `No combo configured`     | No active routing combo | Set up in `/dashboard/combos`              |
-| `invalid model`           | Model not in catalog    | Use `auto` or check `/dashboard/providers` |
-| CLI shows "not installed" | Binary not in PATH      | Check `which <command>`                    |
-| `kiro-cli: not found`     | Not in PATH             | `export PATH="$HOME/.local/bin:$PATH"`     |
-
---
-
-## Quick Setup Script (One Command)
-
-```bash
-# Install all CLIs and configure for OmniRoute (replace with your key and server URL)
-OMNIROUTE_URL="http://localhost:20128/v1"
-OMNIROUTE_KEY="sk-your-omniroute-key"
-
-npm install -g @anthropic-ai/claude-code @openai/codex @google/gemini-cli opencode-ai cline kilecode
-
-# Kiro CLI
-apt-get install -y unzip 2>/dev/null; curl -fsSL https://cli.kiro.dev/install | bash
-
-# Write configs
-mkdir -p ~/.claude ~/.codex ~/.gemini ~/.config/opencode ~/.continue
-
-cat > ~/.claude/settings.json   <<< "{\"apiBaseUrl\":\"$OMNIROUTE_URL\",\"apiKey\":\"$OMNIROUTE_KEY\"}"
-cat > ~/.codex/config.yaml      <<< "model: auto\napiKey: $OMNIROUTE_KEY\napiBaseUrl: $OMNIROUTE_URL"
-cat > ~/.gemini/settings.json   <<< "{\"apiKey\":\"$OMNIROUTE_KEY\",\"baseUrl\":\"$OMNIROUTE_URL\"}"
-cat >> ~/.bashrc << EOF
-export OPENAI_BASE_URL="$OMNIROUTE_URL"
-export OPENAI_API_KEY="$OMNIROUTE_KEY"
-export ANTHROPIC_BASE_URL="$OMNIROUTE_URL"
-export ANTHROPIC_API_KEY="$OMNIROUTE_KEY"
-EOF
-
-source ~/.bashrc
-echo "✅ All CLIs installed and configured for OmniRoute"
-```
@@ -0,0 +1,235 @@
+# Contributing to OmniRoute (العربية)
+
+🌐 **Languages:** 🇺🇸 [English](../../../CONTRIBUTING.md) · 🇪🇸 [es](../es/CONTRIBUTING.md) · 🇫🇷 [fr](../fr/CONTRIBUTING.md) · 🇩🇪 [de](../de/CONTRIBUTING.md) · 🇮🇹 [it](../it/CONTRIBUTING.md) · 🇷🇺 [ru](../ru/CONTRIBUTING.md) · 🇨🇳 [zh-CN](../zh-CN/CONTRIBUTING.md) · 🇯🇵 [ja](../ja/CONTRIBUTING.md) · 🇰🇷 [ko](../ko/CONTRIBUTING.md) · 🇸🇦 [ar](../ar/CONTRIBUTING.md) · 🇮🇳 [hi](../hi/CONTRIBUTING.md) · 🇮🇳 [in](../in/CONTRIBUTING.md) · 🇹🇭 [th](../th/CONTRIBUTING.md) · 🇻🇳 [vi](../vi/CONTRIBUTING.md) · 🇮🇩 [id](../id/CONTRIBUTING.md) · 🇲🇾 [ms](../ms/CONTRIBUTING.md) · 🇳🇱 [nl](../nl/CONTRIBUTING.md) · 🇵🇱 [pl](../pl/CONTRIBUTING.md) · 🇸🇪 [sv](../sv/CONTRIBUTING.md) · 🇳🇴 [no](../no/CONTRIBUTING.md) · 🇩🇰 [da](../da/CONTRIBUTING.md) · 🇫🇮 [fi](../fi/CONTRIBUTING.md) · 🇵🇹 [pt](../pt/CONTRIBUTING.md) · 🇷🇴 [ro](../ro/CONTRIBUTING.md) · 🇭🇺 [hu](../hu/CONTRIBUTING.md) · 🇧🇬 [bg](../bg/CONTRIBUTING.md) · 🇸🇰 [sk](../sk/CONTRIBUTING.md) · 🇺🇦 [uk-UA](../uk-UA/CONTRIBUTING.md) · 🇮🇱 [he](../he/CONTRIBUTING.md) · 🇵🇭 [phi](../phi/CONTRIBUTING.md) · 🇧🇷 [pt-BR](../pt-BR/CONTRIBUTING.md) · 🇨🇿 [cs](../cs/CONTRIBUTING.md) · 🇹🇷 [tr](../tr/CONTRIBUTING.md)
+
+---
+
+شكرا لاهتمامك بالمساهمة! يغطي هذا الدليل كل ما تحتاجه للبدء.---##إعداد التطوير### Prerequisites
+
+-**Node.js**>= 18 < 24 (موصى به: 22 LTS) -**npm**10+ -**جيت**### النسخ والتثبيت`bash
+استنساخ بوابة https://github.com/diegosouzapw/OmniRoute.git
+قرص مضغوط OmniRoute
+تثبيت npm`
+
+### Environment Variables
+
+````bash
+# قم بإنشاء .env الخاص بك من القالب
+cp .env.example .env
+
+# توليد الأسرار المطلوبة
+صدى "JWT_SECRET=$(openssl rand -base64 48)" >> .env
+صدى "API_KEY_SECRET=$(openssl rand -hex 32)" >> .env```
+
+المساهمة في التنمية الرئيسية:
+
+| فنية | التطوير الافتراضي | الوصف |
+| ---------------------- | ------------------------ | --------------------- |
+| "ميناء" | `20128` | منفذ الخادم |
+| `NEXT_PUBLIC_BASE_URL` | `http://localhost:20128` | عنوان URL الأساسي للواجهة |
+| `JWT_SECRET` | (أنشئ أعلاه) | سر توقيع JWT |
+| `INITIAL_PASSWORD` | "التغيير" | كلمة المرور الأولى لتسجيل الدخول |
+| `APP_LOG_LEVEL` | `معلومات` | تسجيل مستوى الإسهاب |### إعدادات لوحة التحكم
+
+توفر أدوات تعديل لوحة المعلومات للمستخدم للميزات التي يمكن تهيئتها أيضًا عبر البيئات المتنوعة:
+
+| تحديد الموقع | تغيير | الوصف |
+| ------------------- | ------------------ | ------------------------------ |
+| الإعدادات → متقدمة | وضع الرقعة | أرشيف الطلبات التصحيح (UI) |
+| الإعدادات → عام | رؤية الشريط الجانبي | إخفاء/ إخفاء أقسام الفصل الجانبي |
+
+يتم تخزين هذه الإعدادات في قاعدة البيانات وتستمر من خلال عمليات إعادة تشغيل التشغيل، مما يؤدي إلى تجاوز إعدادات env var الافتراضية عند ضبطها.### التشغيل محليًا```bash
+# Development mode (hot reload)
+npm run dev
+
+# Production build
+npm run build
+npm run start
+
+# Common port configuration
+PORT=20128 NEXT_PUBLIC_BASE_URL=http://localhost:20128 npm run dev
+````
+
+عناوين URL الافتراضية:
+
+-**لوحة المعلومات**: `http://localhost:20128/dashboard` -**واجهة برمجة التطبيقات**: `http://localhost:20128/v1`---## Git Workflow
+
+> ⚠️**لا تلتزم مطلقًا بـ "الرئيسي".**استخدم ميزات الميزات دائمًا.```bash
+> git checkout -b feat/your-feature-name
+> #...إجراءات جديدة...
+> git الالتزام -m "الفذ: وصف التغيير الخاص بك"
+> git Push -u Origin feat/your-feature-name
+
+# قم بتسجيل الطلب على GitHub```### Branch Naming
+
+| المبادئ         | الحصاد                    |
+| --------------- | ------------------------- | ------------------ |
+| `الفذ/`         | مميزات جديدة              |
+| `/`             | إصلاحات الشويب            |
+| `إعادة البناء/` | إعادة هيكلة الكود         |
+| `المستندات/`    | تأثيرات التوثيق           |
+| `اختبار/`       | الإضافات/إصلاحات الاختبار |
+| `العمل الرتيب/` | الأدوات، CI، التبعيات     | ### رسائل الالتزام |
+
+اتبع [الالتزامات التقليدية](https://www.conventionalcommits.org/):`
+الفذ: إضافة قاطع الدائرة لمكالمات المزود
+الإصلاح: حل حالة حافة التحقق السري من JWT
+المستندات: قم بتحديث SECURITY.md مع حماية معلومات تحديد الهوية الشخصية (PII).
+الاختبار: إضافة اختبارات وحدة الملاحظة
+refactor(db): توحيد جداول حدود المعدل`
+
+النطاقات: `db`، `sse`، `oauth`، `dashboard`، `api`، `cli`، `docker`، `ci`، `mcp`، `a2a`، `memory`، `skills`.---## Running Tests
+
+````bash
+# جميع الاختبارات (الوحدة + فيتيست + النظام البيئي + e2e)
+اختبار تشغيل npm: الكل
+
+# ملف اختبار فردي (مشغل الاختبار الأصلي لـ Node.js — تستخدمه معظم الاختبارات)
+العقدة - استيراد tsx/esm - اختبارات الاختبار/الوحدة/your-file.test.mjs
+
+# Vitest (خادم MCP، autoCombo، ذاكرة التخزين المؤقت)
+اختبار تشغيل npm: vitest
+
+# اختبارات E2E (يتطلب الكاتب المسرحي)
+اختبار تشغيل npm: e2e
+
+# عملاء البروتوكول E2E (نقل MCP، A2A)
+اختبار تشغيل npm: البروتوكولات: e2e
+
+# اختبارات توافق النظام البيئي
+اختبار تشغيل npm: النظام البيئي
+
+# التغطية (60% الحد الأدنى من البيانات/السطور/الوظائف/الفروع)
+اختبار تشغيل npm: التغطية
+تغطية تشغيل npm: تقرير
+
+# فحص الوبر + التنسيق
+npm تشغيل الوبر
+فحص تشغيل npm```
+
+تغطية التعليقات:
+
+- `npm run test:coverage` يقيس المصدر لمجموعة اختبار الوحدة الرئيسية، ويستبعد `tests/**`، بما في ذلك `open-sse/**`
+- يجب أن تحافظ على طلبات التنظيف على بوابة التغطية الشاملة عند**60% أو أعلى**للكشوفات والخطوط والوظائف والأروع
+- إذا قام ممثل العلاقات العامة تغيير رمز الإنتاج في `src/` أو `open-sse/` أو `electron/` أو `bin/`، فيجب عليه إضافة أو تحديث النقاشة التلقائية في نفس العلاقات العامة
+- `تغطية تشغيل npm: التقرير' يطبع التقرير التفصيلي لكل ملف على المدى الطويل من أحدث طرق التغطية
+- `اختبار تشغيل npm:التغطية:التراث` يحافظ على قياس الأقدم للمقارنة التاريخية
+- راجع`docs/COVERAGE_PLAN.md` للحصول على خارطة طريق تحسين التغطية العامة### سحب متطلبات الطلب
+
+قبل فتح أو دمج العلاقات العامة:
+
+- اختبار تشغيل npm: الوحدة
+- اختبار تشغيل npm: التغطية
+- تأكد من بقاء بوابة التغطية عند**60%+**لجميع المعايير
+- تتضمن ملفات الاختبار التي تم تغييرها أو الهاتفا في وصف العلاقات العامة عند تغيير رمز الإنتاج
+- التحقق من نتيجة SonarQube على PR عندما يتم التأكد من أسرار المشروع في CI
+
+الاختبار الحالي:**ملفات اختبار 122 وحدة**تغطي:
+
+- تحويل المترجمين باستمرار
+- الحد من المعدل، وقواطع الضوء، والمرونة
+- ذاكرة تخزين مؤقتة الدلالية، والعجز، وتتبع التقدم
+- عمليات قاعدة البيانات والمخطط (21 وحدة قاعدة بيانات)
+- تدفقات OAuth والمصادقة
+- التحقق من صحة نقطة نهاية واجهة برمجة التطبيقات (Zod v4)
+- أدوات خادمة MCP وكارثة النطاق
+- لأنظمة الذاكرة والمهارات---## Code Style
+
+-**ESLint**— يسمح npm run lint قبل الالتزام
+-**Prettier**— يتم بشكل متزايد من خلال ``التجهيز المرحلي`` عند الالتزام (مسافتان، فواصل منقوطة، علامات رسل مزدوجة، عرض 100 حرف، فاصلة زائدة es5)
+-**TypeScript**— يستخدم جميع أكواد `src/` `.ts`/`.tsx`؛ `open-sse/` يستخدم `.ts`/`.js`؛ مستند باستخدام TSDoc (`@param`، `@returns`، `@throws`)
+-**لا يوجد `eval()`**- يفرض ESLint `no-eval`، `no-implied-eval`، `no-new-func`.
+-**التحقق من صحة Zod**— استخدم مخطط Zod v4 للتأكد من صحة واجهة برمجة التطبيقات (API).
+-**التسميه**: الملفات = الجمله/علبة الكباب، المكونات = PascalCase، الثوابت = UPPER_SNAKE---## Project Structure
+
+````
+
+src/ # تايب سكريبت (.ts / .tsx)
+├── التطبيق/ # Next.js 16 App Router
+│ ├── (لوحة المعلومات)/ # صفحات لوحة المعلومات (23 قسم)
+│ ├── واجهة برمجة التطبيقات/ # مسارات واجهة برمجة التطبيقات (51 دليلاً)
+│ └── تسجيل الدخول/ # صفحات المصادقة (.tsx)
+├── المجال/ # محرك السياسة (policyEngine، comboResolver، costRules، إلخ.)
+├── lib/ # منطق العمل الأساسي (.ts)
+│ ├── a2a/ # خادم بروتوكول وكيل إلى وكيل v0.3
+│ ├── acp/ # تسجيل بروتوكول اتصال الوكيل
+│ ├── الامتثال/ # محرك سياسة الامتثال
+│ ├── db/ # طبقة قاعدة بيانات SQLite (21 وحدة + 16 عملية ترحيل)
+│ ├── الذاكرة/ # ذاكرة المحادثة المستمرة
+│ ├── oauth/ # موفرو OAuth والخدمات والأدوات المساعدة
+│ ├── المهارات/ # إطار المهارات الموسعة
+│ ├── الاستخدام/ # تتبع الاستخدام وحساب التكلفة
+│ └── localDb.ts # طبقة إعادة التصدير فقط - لا تقم أبدًا بإضافة المنطق هنا
+├── البرامج الوسيطة/ # طلب البرامج الوسيطة (promptInjectionGuard)
+├── mitm/ # وكيل MITM (الشهادة، DNS، التوجيه المستهدف)
+├── مشترك/
+│ ├── المكونات/ # مكونات التفاعل (.tsx)
+│ ├── الثوابت/ # تعريفات الموفر (60+)، نطاقات MCP، استراتيجيات التوجيه
+│ ├── utils/ # قاطع الدائرة، المطهر، مساعدي المصادقة
+│ └── التحقق من الصحة/ # مخططات Zod v4
+└── sse/ # خط أنابيب الوكيل SSE
+
+open-sse/ # @omniroute/open-sse Workspace
+├── المنفذون/ # 14 منفذو الطلبات الخاصة بموفر الخدمة
+├── المعالجات/ # 11 معالجات الطلب (الدردشة والردود والتضمين والصور وما إلى ذلك)
+├── mcp-server/ # خادم MCP (25 أداة، 3 عمليات نقل، 10 نطاقات)
+├── الخدمات/ # 36+ خدمة (combo، autoCombo، RateLimitManager، إلخ.)
+├── مترجم/ # مترجمو التنسيق (OpenAI ↔ كلود ↔ الجوزاء ↔ الردود ↔ أولاما)
+├── محول/ # محول API الردود
+└── utils/ # 22 وحدة مساعدة (الدفق، TLS، الوكيل، التسجيل)
+
+إلكترون/ # تطبيق إلكترون لسطح المكتب (متعدد المنصات)
+
+الاختبارات/
+├── الوحدة/ # مشغل اختبار Node.js (122 ملف اختبار)
+├── التكامل/ # اختبارات التكامل
+├── e2e/ # اختبارات الكاتب المسرحي
+├── الأمان/ # اختبارات الأمان
+├── المترجم/ # اختبارات خاصة بالمترجم
+└── تحميل/ # اختبارات التحميلمستندات/ # التوثيق
+├── ARCHITECTURE.md # بنية النظام
+├── API_REFERENCE.md # جميع نقاط النهاية
+├── USER_GUIDE.md # إعداد الموفر، تكامل CLI
+├── استكشاف الأخطاء وإصلاحها.md # المشكلات الشائعة
+├── MCP-SERVER.md # خادم MCP (25 أداة)
+├── A2A-SERVER.md # بروتوكول الوكيل A2A
+├── AUTO-COMBO.md # محرك التحرير والسرد التلقائي
+├── تكامل أدوات CLI-TOOLS.md # تكامل أدوات CLI
+├── COVERAGE_PLAN.md # اختبار خطة تحسين التغطية
+├── openapi.yaml # مواصفات OpenAPI
+└── adr/ # سجلات قرارات الهندسة المعمارية```
+
+---
+
+## Adding a New Provider
+
+### Step 1: Register Provider Constants
+
+أضف إلى `src/shared/constants/providers.ts` - تم التحقق من صحة Zod عند تحميل الوحدة.### الخطوة 2: إضافة Executor (إذا كانت هناك حاجة إلى منطق مخصص)
+
+موجود بالفعل منفذ تنفيذي في open-sse/executors/your-provider.ts لتوسيع المنفذ الأساسي.### الخطوة 3: إضافة مترجم (إذا كان تنسيق غير OpenAI)
+
+يجب أن تكون موجودة في الطلب المترجم/الاستجابة في `open-sse/translator/`.### الخطوة 4: إضافة تكوين OAuth (إذا كان يعتمد على OAuth)
+
+إضافة بيانات موثوقة OAuth في `src/lib/oauth/constants/oauth.ts` وتطبيقات في `src/lib/oauth/services/`.### الخطوة 5: تسجيل النماذج
+
+أضف تعريفات الارتباطات في "open-sse/config/providerRegistry.ts".### الخطوة 6: إضافة الاختبارات
+
+اكتب السيولة الوحدة في `الاختبارات/الوحدة/` التي تغطي الحد الأدنى:
+
+- تسجيل المزود
+- ترجمة الطلب/الرد
+  -تسبب سبب---## Pull Request Checklist
+
+- [ ] اجتياز الاختبار (`اختبار npm`)
+- [ ] طباعات القلم (`npm run lint`)
+- [ ] نجاح البناء (`npm run build`)
+- [ ] تمت إضافة أنواع TypeScript للوظائف والواجهات العامة الجديدة
+- [ ] لا توجد أسرار ضمنية أو قيم بيعة
+- [ ] تم التحقق من صحة جميع المدخلات باستخدام مخططات Zod
+- [ ] تم تحديث سجل التغيير (في حالة التغيير الذي يواجهه المستخدم)
+- [ ] تم تحديث الوثائق (إن وجدت)---## Releasing
+
+تم إدارة الاختلاف عبر سير العمل `/generate-release`. عند إنشاء إصدار GitHub جديد، يتم**نشر المنتج اليدوي إلى npm**عبر إجراءات GitHub.---## Getting Help
+
+-**الهندسة المعمارية**: تجدد [`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md) -**مرجع واجهة برمجة التطبيقات**: راجع [`docs/API_REFERENCE.md`](docs/API_REFERENCE.md) -**المشاكل**: [github.com/diegosouzapw/OmniRoute/issues](https://github.com/diegosouzapw/OmniRoute/issues) -**ADRs**: راجع `docs/adr/`
@@ -1,147 +0,0 @@
-# OmniRoute — Dashboard Features Gallery (العربية)
-
-🌐 **Languages:** 🇺🇸 [English](../../../README.md) · 🇧🇷 [pt-BR](../pt-BR/README.md) · 🇪🇸 [es](../es/README.md) · 🇫🇷 [fr](../fr/README.md) · 🇩🇪 [de](../de/README.md) · 🇮🇹 [it](../it/README.md) · 🇷🇺 [ru](../ru/README.md) · 🇨🇳 [zh-CN](../zh-CN/README.md) · 🇯🇵 [ja](../ja/README.md) · 🇰🇷 [ko](../ko/README.md) · 🇸🇦 [ar](../ar/README.md) · 🇮🇳 [in](../in/README.md) · 🇹🇭 [th](../th/README.md) · 🇻🇳 [vi](../vi/README.md) · 🇮🇩 [id](../id/README.md) · 🇲🇾 [ms](../ms/README.md) · 🇳🇱 [nl](../nl/README.md) · 🇵🇱 [pl](../pl/README.md) · 🇸🇪 [sv](../sv/README.md) · 🇳🇴 [no](../no/README.md) · 🇩🇰 [da](../da/README.md) · 🇫🇮 [fi](../fi/README.md) · 🇵🇹 [pt](../pt/README.md) · 🇷🇴 [ro](../ro/README.md) · 🇭🇺 [hu](../hu/README.md) · 🇧🇬 [bg](../bg/README.md) · 🇸🇰 [sk](../sk/README.md) · 🇺🇦 [uk-UA](../uk-UA/README.md) · 🇮🇱 [he](../he/README.md) · 🇵🇭 [phi](../phi/README.md)
-
-> 🇺🇸 [English](../../../docs/FEATURES.md)
-
---
-
-Visual guide to every section of the OmniRoute dashboard.
-
---
-
-## 🔌 Providers
-
-Manage AI provider connections: OAuth providers (Claude Code, Codex, Gemini CLI), API key providers (Groq, DeepSeek, OpenRouter), and free providers (Qoder, Qwen, Kiro). Kiro accounts include credit balance tracking — remaining credits, total allowance, and renewal date visible in Dashboard → Usage.
-
-![Providers Dashboard](screenshots/01-providers.png)
-
---
-
-## 🎨 Combos
-
-Create model routing combos with 6 strategies: priority, weighted, round-robin, random, least-used, and cost-optimized. Each combo chains multiple models with automatic fallback and includes quick templates and readiness checks.
-
-![Combos Dashboard](screenshots/02-combos.png)
-
---
-
-## 📊 Analytics
-
-Comprehensive usage analytics with token consumption, cost estimates, activity heatmaps, weekly distribution charts, and per-provider breakdowns.
-
-![Analytics Dashboard](screenshots/03-analytics.png)
-
---
-
-## 🏥 System Health
-
-Real-time monitoring: uptime, memory, version, latency percentiles (p50/p95/p99), cache statistics, and provider circuit breaker states.
-
-![Health Dashboard](screenshots/04-health.png)
-
---
-
-## 🔧 Translator Playground
-
-Four modes for debugging API translations: **Playground** (format converter), **Chat Tester** (live requests), **Test Bench** (batch tests), and **Live Monitor** (real-time stream).
-
-![Translator Playground](screenshots/05-translator.png)
-
---
-
-## 🎮 Model Playground _(v2.0.9+)_
-
-Test any model directly from the dashboard. Select provider, model, and endpoint, write prompts with Monaco Editor, stream responses in real-time, abort mid-stream, and view timing metrics.
-
---
-
-## 🎨 Themes _(v2.0.5+)_
-
-Customizable color themes for the entire dashboard. Choose from 7 preset colors (Coral, Blue, Red, Green, Violet, Orange, Cyan) or create a custom theme by picking any hex color. Supports light, dark, and system mode.
-
---
-
-## ⚙️ Settings
-
-Comprehensive settings panel with tabs:
-
- **General** — System storage, backup management (export/import database)
- **Appearance** — Theme selector (dark/light/system), color theme presets and custom colors, health log visibility, sidebar item visibility controls
- **Security** — API endpoint protection, custom provider blocking, IP filtering, session info
- **Routing** — Model aliases, background task degradation
- **Resilience** — Rate limit persistence, circuit breaker tuning
- **Advanced** — Configuration overrides
-
-![Settings Dashboard](screenshots/06-settings.png)
-
---
-
-## 🔧 CLI Tools
-
-One-click configuration for AI coding tools: Claude Code, Codex CLI, Gemini CLI, OpenClaw, Kilo Code, Antigravity, Cline, Continue, Cursor, and Factory Droid. Features automated config apply/reset, connection profiles, and model mapping.
-
-![CLI Tools Dashboard](screenshots/07-cli-tools.png)
-
---
-
-## 🤖 CLI Agents _(v2.0.11+)_
-
-Dashboard for discovering and managing CLI agents. Shows a grid of 14 built-in agents (Codex, Claude, Goose, Gemini CLI, OpenClaw, Aider, OpenCode, Cline, Qwen Code, ForgeCode, Amazon Q, Open Interpreter, Cursor CLI, Warp) with:
-
- **Installation status** — Installed / Not Found with version detection
- **Protocol badges** — stdio, HTTP, etc.
- **Custom agents** — Register any CLI tool via form (name, binary, version command, spawn args)
- **CLI Fingerprint Matching** — Per-provider toggle to match native CLI request signatures, reducing ban risk while preserving proxy IP
-
---
-
-## 🖼️ Media _(v2.0.3+)_
-
-Generate images, videos, and music from the dashboard. Supports OpenAI, xAI, Together, Hyperbolic, SD WebUI, ComfyUI, AnimateDiff, Stable Audio Open, and MusicGen.
-
---
-
-## 📝 Request Logs
-
-Real-time request logging with filtering by provider, model, account, and API key. Shows status codes, token usage, latency, and response details.
-
-![Usage Logs](screenshots/08-usage.png)
-
---
-
-## 🌐 API Endpoint
-
-Your unified API endpoint with capability breakdown: Chat Completions, Responses API, Embeddings, Image Generation, Reranking, Audio Transcription, Text-to-Speech, Moderations, and registered API keys. Cloud proxy support for remote access.
-
-![Endpoint Dashboard](screenshots/09-endpoint.png)
-
---
-
-## 🔑 API Key Management
-
-Create, scope, and revoke API keys. Each key can be restricted to specific models/providers with full access or read-only permissions. Visual key management with usage tracking.
-
---
-
-## 📋 Audit Log
-
-Administrative action tracking with filtering by action type, actor, target, IP address, and timestamp. Full security event history.
-
---
-
-## 🖥️ Desktop Application
-
-Native Electron desktop app for Windows, macOS, and Linux. Run OmniRoute as a standalone application with system tray integration, offline support, auto-update, and one-click install.
-
-Key features:
-
- Server readiness polling (no blank screen on cold start)
- System tray with port management
- Content Security Policy
- Single-instance lock
- Auto-update on restart
- Platform-conditional UI (macOS traffic lights, Windows/Linux default titlebar)
- Hardened Electron build packaging — symlinked `node_modules` in the standalone bundle is detected and rejected before packaging, preventing runtime dependency on the build machine (v2.5.5+)
-
-📖 See [`electron/README.md`](../electron/README.md) for full documentation.
@@ -1,37 +0,0 @@
-🌐 **Languages:** 🇺🇸 [English](../../README.md) · 🇧🇷 [pt-BR](../pt-BR/RELEASE_CHECKLIST.md) · 🇪🇸 [es](../es/RELEASE_CHECKLIST.md) · 🇫🇷 [fr](../fr/RELEASE_CHECKLIST.md) · 🇩🇪 [de](../de/RELEASE_CHECKLIST.md) · 🇮🇹 [it](../it/RELEASE_CHECKLIST.md) · 🇷🇺 [ru](../ru/RELEASE_CHECKLIST.md) · 🇨🇳 [zh-CN](../zh-CN/RELEASE_CHECKLIST.md) · 🇯🇵 [ja](../ja/RELEASE_CHECKLIST.md) · 🇰🇷 [ko](../ko/RELEASE_CHECKLIST.md) · 🇸🇦 [ar](../ar/RELEASE_CHECKLIST.md) · 🇮🇳 [in](../in/RELEASE_CHECKLIST.md) · 🇹🇭 [th](../th/RELEASE_CHECKLIST.md) · 🇻🇳 [vi](../vi/RELEASE_CHECKLIST.md) · 🇮🇩 [id](../id/RELEASE_CHECKLIST.md) · 🇲🇾 [ms](../ms/RELEASE_CHECKLIST.md) · 🇳🇱 [nl](../nl/RELEASE_CHECKLIST.md) · 🇵🇱 [pl](../pl/RELEASE_CHECKLIST.md) · 🇸🇪 [sv](../sv/RELEASE_CHECKLIST.md) · 🇳🇴 [no](../no/RELEASE_CHECKLIST.md) · 🇩🇰 [da](../da/RELEASE_CHECKLIST.md) · 🇫🇮 [fi](../fi/RELEASE_CHECKLIST.md) · 🇵🇹 [pt](../pt/RELEASE_CHECKLIST.md) · 🇷🇴 [ro](../ro/RELEASE_CHECKLIST.md) · 🇭🇺 [hu](../hu/RELEASE_CHECKLIST.md) · 🇧🇬 [bg](../bg/RELEASE_CHECKLIST.md) · 🇸🇰 [sk](../sk/RELEASE_CHECKLIST.md) · 🇺🇦 [uk-UA](../uk-UA/RELEASE_CHECKLIST.md) · 🇮🇱 [he](../he/RELEASE_CHECKLIST.md) · 🇵🇭 [phi](../phi/RELEASE_CHECKLIST.md)
-
---
-
-# Release Checklist
-
-Use this checklist before tagging or publishing a new OmniRoute release.
-
-## Version and Changelog
-
-1. Bump `package.json` version (`x.y.z`) in the release branch.
-2. Move release notes from `## [Unreleased]` in `CHANGELOG.md` to a dated section:
-   - `## [x.y.z] — YYYY-MM-DD`
-3. Keep `## [Unreleased]` as the first changelog section for upcoming work.
-4. Ensure the latest semver section in `CHANGELOG.md` equals `package.json` version.
-
-## API Docs
-
-1. Update `docs/openapi.yaml`:
-   - `info.version` must equal `package.json` version.
-2. Validate endpoint examples if API contracts changed.
-
-## Runtime Docs
-
-1. Review `docs/ARCHITECTURE.md` for storage/runtime drift.
-2. Review `docs/TROUBLESHOOTING.md` for env var and operational drift.
-3. Update localized docs if source docs changed significantly.
-
-## Automated Check
-
-Run the sync guard locally before opening PR:
-
-```bash
-npm run check:docs-sync
-```
-
-CI also runs this check in `.github/workflows/ci.yml` (lint job).
@@ -0,0 +1,141 @@
+# Security Policy (العربية)
+
+🌐 **Languages:** 🇺🇸 [English](../../../SECURITY.md) · 🇪🇸 [es](../es/SECURITY.md) · 🇫🇷 [fr](../fr/SECURITY.md) · 🇩🇪 [de](../de/SECURITY.md) · 🇮🇹 [it](../it/SECURITY.md) · 🇷🇺 [ru](../ru/SECURITY.md) · 🇨🇳 [zh-CN](../zh-CN/SECURITY.md) · 🇯🇵 [ja](../ja/SECURITY.md) · 🇰🇷 [ko](../ko/SECURITY.md) · 🇸🇦 [ar](../ar/SECURITY.md) · 🇮🇳 [hi](../hi/SECURITY.md) · 🇮🇳 [in](../in/SECURITY.md) · 🇹🇭 [th](../th/SECURITY.md) · 🇻🇳 [vi](../vi/SECURITY.md) · 🇮🇩 [id](../id/SECURITY.md) · 🇲🇾 [ms](../ms/SECURITY.md) · 🇳🇱 [nl](../nl/SECURITY.md) · 🇵🇱 [pl](../pl/SECURITY.md) · 🇸🇪 [sv](../sv/SECURITY.md) · 🇳🇴 [no](../no/SECURITY.md) · 🇩🇰 [da](../da/SECURITY.md) · 🇫🇮 [fi](../fi/SECURITY.md) · 🇵🇹 [pt](../pt/SECURITY.md) · 🇷🇴 [ro](../ro/SECURITY.md) · 🇭🇺 [hu](../hu/SECURITY.md) · 🇧🇬 [bg](../bg/SECURITY.md) · 🇸🇰 [sk](../sk/SECURITY.md) · 🇺🇦 [uk-UA](../uk-UA/SECURITY.md) · 🇮🇱 [he](../he/SECURITY.md) · 🇵🇭 [phi](../phi/SECURITY.md) · 🇧🇷 [pt-BR](../pt-BR/SECURITY.md) · 🇨🇿 [cs](../cs/SECURITY.md) · 🇹🇷 [tr](../tr/SECURITY.md)
+
+---
+
+## Reporting Vulnerabilities
+
+إذا وجدت ثغرة أمنية في OmniRoute، فيرجى إمدادها بطريقة مختلفة:
+
+1.**لا**تفتح مشكلة عامة على GitHub 2. استخدم [GitHub Security Advisories](https://github.com/diegosouzapw/OmniRoute/security/advisories/new) 3. تشمل: الوصف، وخطوات الاستنساخ، والأثر للمناسب## Response Timeline
+
+| المرحلة        | الهدف                    |
+| -------------- | ------------------------ | --------- |
+| شكر وتقدير     | 48 ساعة                  |
+| الفرز والتقييم | 5 أيام عمل               |
+| الإصدار        | التعديل 14 يوم عمل (حرج) | # التغيير |
+
+| النسخة  | حالة الدعم   |
+| ------- | ------------ | -------------------- |
+| 3.4.x   | ✅ المشتريات |
+| 3.0.x   | ✅ الأمان    |
+| < 3.0.0 | ❌ غير مدعوم | ---## البنية الأمنية |
+
+تم تطبيق نموذج OmniRoute متعدد الأمان: `
+طلب ← CORS ← مصادقة مفتاح API ← منع الاشتراك الرسمي ← معقم الإدخال ← محدد المعدل ← قاطع ← الموفر`### 🔐 Authentication & Authorization
+
+| غرض                                    | التنفيذ                                                                        |
+| -------------------------------------- | ------------------------------------------------------------------------------ | ------------------------- |
+| **تسجيل الدخول إلى لوحة التحكم**       | اعتماد تعتمد على كلمة المرور باستخدام رموز JWT (ملفات تعريف الارتباط HttpOnly) |
+| **مصادقة مفتاح واجهة برمجة التطبيقات** | مفاتيح موقعة من HMAC مع التحقق من صحة CRC                                      |
+| **OAuth 2.0 + PKCE**                   | مصادقة الموفر المنشط (Claude، Codex، Gemini، Cursor، إلخ)                      |
+| **تحديث الرمز المميز**                 | التحديث التلقائي لرمز OAuth قبل انتهاء الصلاحية                                |
+| **ملفات تعريف الارتباط التنسيقة**      | `AUTH_COOKIE_SECURE=true` لبيئات HTTPS                                         |
+| **نطاقات MCP**                         | 10 نطاقات تفصيلية للتحكم في الوصول إلى أداة MCP                                | ### 🛡️ التشفير عند الراحة |
+
+يتم قراءة كافة التفاصيل المخزنة في SQLite باستخدام**AES-256-GCM**مع اشتقاق مفتاح التشفير:
+
+- لوحة مفاتيح برمجة التطبيقات، ورموز الوصول، ورموز التحديث، والرموز المعروفة
+- النسخة البرتغالية: `enc:v1:<iv>:<ciphertext>:<authTag>`
+- وضع العبور (نص عادي) عندما لا يتم تعيين `STORAGE_ENCRYPTION_KEY````bash
+
+# إنشاء مفتاح التشفير:
+
+STORAGE_ENCRYPTION_KEY=$(openssl rand -hex 32)```
+
+### 🧠 Prompt Injection Guard
+
+بسبب الوسيطة التي تكتشف وتمنع الهجمات الرابعة في طلبات LLM:
+
+| نوع النمط           | دان   | مثال                             |
+| ------------------- | ----- | -------------------------------- |
+| تجاوز النظام        | عالية | " تجاهل كافة التعليمات السابقة"  |
+| اختطاف الدور        | عالية | "أنت الآن دان، يمكنك فعل أي شيء" |
+| لغرض الشفاء         | مي    | فواصل مشفرة لكسر نطاق السياقة    |
+| دان/الهروب من السجن | عالية | أسباب مطالبة الهروب من السجن     |
+| تسرب التعليمات      | مي    | "أرني متشوق النظام الخاص بك"     |
+
+قم بالتكوين عبر معلومات اللوحة (الإعدادات → الأمان) أو `.env`:`env
+INPUT_SANITIZER_ENABLED=صحيح
+INPUT_SANITIZER_MODE=block # تحذير | كتلة | تنقيح`
+
+### 🔒 PII Redaction
+
+الكشف التلقائي والتنقيح الاختياري لمعلومات التعريف الشخصية:
+
+| نوع معلومات تحديد الهوية الشخصية    | نمط                   | الاستبدال          |
+| ----------------------------------- | --------------------- | ------------------ | ------ |
+| البريد الإلكتروني                   | `user@domain.com`     | `[EMAIL_REDACTED]` |
+| CPF (البرازيل)                      | `123.456.789-00`      | `[CPF_REDACTED]`   |
+| CNPJ (البرازيل)                     | `12.345.678/0001-00`  | `[CNPJ_REDACTED]`  |
+| بطاقة الائتمان                      | `4111-1111-1111-1111` | `[CC_REDACTED]`    |
+| هاتف                                | `+55 11 99999-9999`   | `[PHONE_REDACTED]` |
+| الضمان الاجتماعي (الولايات المتحدة) | `123-45-6789`         | `[SSN_REDACTED]`   | ```env |
+
+PII_REDACTION_ENABLED=true
+
+````
+
+### 🌐 Network Security
+
+| | الوصف |
+| ------------------------ | ---------------------------------------------------------------- |
+|**كورس**| أصلية قابلة للتكوين (`CORS_ORIGIN` env var، افتراضية `*`) |
+|**تصفية IP**| نطاقات IP المخصصة لها/القائمة المحظورة في لوحة المعلومات |
+|**تحديد المعدل**| حدود الحدود لكل الحدود بدقة تلقائية |
+|**القطيع الغذائي الرعد**| يمنع Mutex + القفل لكل اتصال 502s المتتالية |
+|**بصمة TLS**| انتحال بصمة TLS الشبيهة بالمتصفح الرئيسي لاكتشاف الروبوتات |
+|**بصمة سطر مود**| التنسيق/النص لكل موفر لمطابقة التوقيعات CLI الأصلية |### 🔌 متوافقة والتوافر
+
+| | الوصف |
+| ----------------------- | ------------------------------------------------------------------ |
+|**قاطع القراءات**| 3 حالات (مغلق → → مفتوح مفتوح) لكل، بسبب SQLite |
+|**طلب العجز**| نافذة dedup لمدة 5 ثواني للتحميلات المكررة |
+|**التراجع الأسي**| إعادة المحاولة الجديدة مع زيادة |
+|**لوحة المعلومات الصحية**| صحة لرعاية خدمة الوقت الحقيقي |### 📋 مراقبة كاملة
+
+| | الوصف |
+| ------------------ | ----------------------------------------------------------- |
+|**الاحتفاظ بالسجل**| التنظيف التلقائي بعد `CALL_LOG_RETENTION_DAYS` |
+|**إلغاء الاشتراك في عدم التسجيل**| تعمل علامة noLog لكل مفتاح API على تسجيل الطلبات |
+|**سجل التدقيق**| الإجراءات الإدارية التي تم تتبعها في جدول `audit_log` |
+|**تدقيق MCP**| تسجيل التدقيق التجاري من SQLite لجميع أدوات الاتصال MCP |
+|**التحقق من صحة زود**| تم التحقق من صحة جميع مدخلات واجهة برمجة التطبيقات (API) باستخدام مخططات Zod v4 عند تحميل الوحدة النموذجية |---## متغيرات البيئة المطلوبة
+
+يجب ضبط جميع الاستخدامات قبل إنشاء الضيوف. سوف يفشل العميل بسرعة**إذا كان مفقودًا أو ضعيف.```bash
+#مطلوب — لن يبدأ بدون ما يلي:
+JWT_SECRET=$(openssl rand -base64 48) # دقيقة 32 حرفًا
+API_KEY_SECRET=$(openssl rand -hex 32) # دقيقة 16 حرفًا
+
+#موصى به — يتيح التشفير في حالة عدم النشاط:
+STORAGE_ENCRYPTION_KEY=$(openssl rand -hex 32)```
+
+يرفض المعلم تعلمياً القيم والضعيفة مثل `changeme` أو `secret` أو `password`.---## Docker Security
+
+- استخدم المستخدم غير جيجا في الإنتاج
+- منزل جبلار كمجلدات للقراءة فقط
+- لا تنسى أبدًا بنسخ ملفات `.env` إلى صور Docker
+- استخدام `.dockerignore` لاستبعاد الملفات الحساسة
+- اضبط `AUTH_COOKIE_SECURE=true` عندما يكون خلف HTTPS```bash
+تشغيل عامل الميناء -d \
+  --اسم الطريق الشامل \
+  --إعادة التشغيل ما لم تتوقف \
+  --للقراءة فقط \
+  -ص20128:20128\
+  -v بيانات المسار الشامل:/app/data \
+  -e JWT_SECRET="$(openssl rand -base64 48)" \
+  -e API_KEY_SECRET = "$ (openssl rand -hex 32)" \
+  -e STORAGE_ENCRYPTION_KEY = "$(openssl rand -hex 32)" \
+  diegosouzapw/omniroute:latest```
+
+---
+
+## Dependencies
+
+- يسمح له بدقيق npm
+- حافظ على تحديثات التبعيات
+- يستخدم المشروع "husky" + "lint-staged" لفحوصات ما قبل التنفيذ
+- يقوم بخط أنابيب CI يسمح بمتطلبات أمان ESLint في كل خطوة
+- تم التحقق من صحة ثوابت الموفر عند تحميل الوحدة عبر Zod (`src/shared/validation/providerSchema.ts`)
+````
@@ -1,258 +0,0 @@
-🌐 **Languages:** 🇺🇸 [English](../../README.md) · 🇧🇷 [pt-BR](../pt-BR/TROUBLESHOOTING.md) · 🇪🇸 [es](../es/TROUBLESHOOTING.md) · 🇫🇷 [fr](../fr/TROUBLESHOOTING.md) · 🇩🇪 [de](../de/TROUBLESHOOTING.md) · 🇮🇹 [it](../it/TROUBLESHOOTING.md) · 🇷🇺 [ru](../ru/TROUBLESHOOTING.md) · 🇨🇳 [zh-CN](../zh-CN/TROUBLESHOOTING.md) · 🇯🇵 [ja](../ja/TROUBLESHOOTING.md) · 🇰🇷 [ko](../ko/TROUBLESHOOTING.md) · 🇸🇦 [ar](../ar/TROUBLESHOOTING.md) · 🇮🇳 [in](../in/TROUBLESHOOTING.md) · 🇹🇭 [th](../th/TROUBLESHOOTING.md) · 🇻🇳 [vi](../vi/TROUBLESHOOTING.md) · 🇮🇩 [id](../id/TROUBLESHOOTING.md) · 🇲🇾 [ms](../ms/TROUBLESHOOTING.md) · 🇳🇱 [nl](../nl/TROUBLESHOOTING.md) · 🇵🇱 [pl](../pl/TROUBLESHOOTING.md) · 🇸🇪 [sv](../sv/TROUBLESHOOTING.md) · 🇳🇴 [no](../no/TROUBLESHOOTING.md) · 🇩🇰 [da](../da/TROUBLESHOOTING.md) · 🇫🇮 [fi](../fi/TROUBLESHOOTING.md) · 🇵🇹 [pt](../pt/TROUBLESHOOTING.md) · 🇷🇴 [ro](../ro/TROUBLESHOOTING.md) · 🇭🇺 [hu](../hu/TROUBLESHOOTING.md) · 🇧🇬 [bg](../bg/TROUBLESHOOTING.md) · 🇸🇰 [sk](../sk/TROUBLESHOOTING.md) · 🇺🇦 [uk-UA](../uk-UA/TROUBLESHOOTING.md) · 🇮🇱 [he](../he/TROUBLESHOOTING.md) · 🇵🇭 [phi](../phi/TROUBLESHOOTING.md)
-
---
-
-# Troubleshooting
-
-🌐 **Languages:** 🇺🇸 [English](TROUBLESHOOTING.md) | 🇧🇷 [Português (Brasil)](i18n/pt-BR/TROUBLESHOOTING.md) | 🇪🇸 [Español](i18n/es/TROUBLESHOOTING.md) | 🇫🇷 [Français](i18n/fr/TROUBLESHOOTING.md) | 🇮🇹 [Italiano](i18n/it/TROUBLESHOOTING.md) | 🇷🇺 [Русский](i18n/ru/TROUBLESHOOTING.md) | 🇨🇳 [中文 (简体)](i18n/zh-CN/TROUBLESHOOTING.md) | 🇩🇪 [Deutsch](i18n/de/TROUBLESHOOTING.md) | 🇮🇳 [हिन्दी](i18n/in/TROUBLESHOOTING.md) | 🇹🇭 [ไทย](i18n/th/TROUBLESHOOTING.md) | 🇺🇦 [Українська](i18n/uk-UA/TROUBLESHOOTING.md) | 🇸🇦 [العربية](i18n/ar/TROUBLESHOOTING.md) | 🇯🇵 [日本語](i18n/ja/TROUBLESHOOTING.md) | 🇻🇳 [Tiếng Việt](i18n/vi/TROUBLESHOOTING.md) | 🇧🇬 [Български](i18n/bg/TROUBLESHOOTING.md) | 🇩🇰 [Dansk](i18n/da/TROUBLESHOOTING.md) | 🇫🇮 [Suomi](i18n/fi/TROUBLESHOOTING.md) | 🇮🇱 [עברית](i18n/he/TROUBLESHOOTING.md) | 🇭🇺 [Magyar](i18n/hu/TROUBLESHOOTING.md) | 🇮🇩 [Bahasa Indonesia](i18n/id/TROUBLESHOOTING.md) | 🇰🇷 [한국어](i18n/ko/TROUBLESHOOTING.md) | 🇲🇾 [Bahasa Melayu](i18n/ms/TROUBLESHOOTING.md) | 🇳🇱 [Nederlands](i18n/nl/TROUBLESHOOTING.md) | 🇳🇴 [Norsk](i18n/no/TROUBLESHOOTING.md) | 🇵🇹 [Português (Portugal)](i18n/pt/TROUBLESHOOTING.md) | 🇷🇴 [Română](i18n/ro/TROUBLESHOOTING.md) | 🇵🇱 [Polski](i18n/pl/TROUBLESHOOTING.md) | 🇸🇰 [Slovenčina](i18n/sk/TROUBLESHOOTING.md) | 🇸🇪 [Svenska](i18n/sv/TROUBLESHOOTING.md) | 🇵🇭 [Filipino](i18n/phi/TROUBLESHOOTING.md)
-
-Common problems and solutions for OmniRoute.
-
---
-
-## Quick Fixes
-
-| Problem                       | Solution                                                           |
-| ----------------------------- | ------------------------------------------------------------------ |
-| First login not working       | Set `INITIAL_PASSWORD` in `.env` (no hardcoded default)            |
-| Dashboard opens on wrong port | Set `PORT=20128` and `NEXT_PUBLIC_BASE_URL=http://localhost:20128` |
-| No request logs under `logs/` | Set `ENABLE_REQUEST_LOGS=true`                                     |
-| EACCES: permission denied     | Set `DATA_DIR=/path/to/writable/dir` to override `~/.omniroute`    |
-| Routing strategy not saving   | Update to v1.4.11+ (Zod schema fix for settings persistence)       |
-
---
-
-## Provider Issues
-
-### "Language model did not provide messages"
-
-**Cause:** Provider quota exhausted.
-
-**Fix:**
-
-1. Check dashboard quota tracker
-2. Use a combo with fallback tiers
-3. Switch to cheaper/free tier
-
-### Rate Limiting
-
-**Cause:** Subscription quota exhausted.
-
-**Fix:**
-
- Add fallback: `cc/claude-opus-4-6 → glm/glm-4.7 → if/kimi-k2-thinking`
- Use GLM/MiniMax as cheap backup
-
-### OAuth Token Expired
-
-OmniRoute auto-refreshes tokens. If issues persist:
-
-1. Dashboard → Provider → Reconnect
-2. Delete and re-add the provider connection
-
---
-
-## Cloud Issues
-
-### Cloud Sync Errors
-
-1. Verify `BASE_URL` points to your running instance (e.g., `http://localhost:20128`)
-2. Verify `CLOUD_URL` points to your cloud endpoint (e.g., `https://omniroute.dev`)
-3. Keep `NEXT_PUBLIC_*` values aligned with server-side values
-
-### Cloud `stream=false` Returns 500
-
-**Symptom:** `Unexpected token 'd'...` on cloud endpoint for non-streaming calls.
-
-**Cause:** Upstream returns SSE payload while client expects JSON.
-
-**Workaround:** Use `stream=true` for cloud direct calls. Local runtime includes SSE→JSON fallback.
-
-### Cloud Says Connected but "Invalid API key"
-
-1. Create a fresh key from local dashboard (`/api/keys`)
-2. Run cloud sync: Enable Cloud → Sync Now
-3. Old/non-synced keys can still return `401` on cloud
-
---
-
-## Docker Issues
-
-### CLI Tool Shows Not Installed
-
-1. Check runtime fields: `curl http://localhost:20128/api/cli-tools/runtime/codex | jq`
-2. For portable mode: use image target `runner-cli` (bundled CLIs)
-3. For host mount mode: set `CLI_EXTRA_PATHS` and mount host bin directory as read-only
-4. If `installed=true` and `runnable=false`: binary was found but failed healthcheck
-
-### Quick Runtime Validation
-
-```bash
-curl -s http://localhost:20128/api/cli-tools/codex-settings | jq '{installed,runnable,commandPath,runtimeMode,reason}'
-curl -s http://localhost:20128/api/cli-tools/claude-settings | jq '{installed,runnable,commandPath,runtimeMode,reason}'
-curl -s http://localhost:20128/api/cli-tools/openclaw-settings | jq '{installed,runnable,commandPath,runtimeMode,reason}'
-```
-
---
-
-## Cost Issues
-
-### High Costs
-
-1. Check usage stats in Dashboard → Usage
-2. Switch primary model to GLM/MiniMax
-3. Use free tier (Gemini CLI, Qoder) for non-critical tasks
-4. Set cost budgets per API key: Dashboard → API Keys → Budget
-
---
-
-## Debugging
-
-### Enable Request Logs
-
-Set `ENABLE_REQUEST_LOGS=true` in your `.env` file. Logs appear under `logs/` directory.
-
-### Check Provider Health
-
-```bash
-# Health dashboard
-http://localhost:20128/dashboard/health
-
-# API health check
-curl http://localhost:20128/api/monitoring/health
-```
-
-### Runtime Storage
-
- Main state: `${DATA_DIR}/storage.sqlite` (providers, combos, aliases, keys, settings)
- Usage: SQLite tables in `storage.sqlite` (`usage_history`, `call_logs`, `proxy_logs`) + optional `${DATA_DIR}/log.txt` and `${DATA_DIR}/call_logs/`
- Request logs: `<repo>/logs/...` (when `ENABLE_REQUEST_LOGS=true`)
-
---
-
-## Circuit Breaker Issues
-
-### Provider stuck in OPEN state
-
-When a provider's circuit breaker is OPEN, requests are blocked until the cooldown expires.
-
-**Fix:**
-
-1. Go to **Dashboard → Settings → Resilience**
-2. Check the circuit breaker card for the affected provider
-3. Click **Reset All** to clear all breakers, or wait for the cooldown to expire
-4. Verify the provider is actually available before resetting
-
-### Provider keeps tripping the circuit breaker
-
-If a provider repeatedly enters OPEN state:
-
-1. Check **Dashboard → Health → Provider Health** for the failure pattern
-2. Go to **Settings → Resilience → Provider Profiles** and increase the failure threshold
-3. Check if the provider has changed API limits or requires re-authentication
-4. Review latency telemetry — high latency may cause timeout-based failures
-
---
-
-## Audio Transcription Issues
-
-### "Unsupported model" error
-
- Ensure you're using the correct prefix: `deepgram/nova-3` or `assemblyai/best`
- Verify the provider is connected in **Dashboard → Providers**
-
-### Transcription returns empty or fails
-
- Check supported audio formats: `mp3`, `wav`, `m4a`, `flac`, `ogg`, `webm`
- Verify file size is within provider limits (typically < 25MB)
- Check provider API key validity in the provider card
-
---
-
-## Translator Debugging
-
-Use **Dashboard → Translator** to debug format translation issues:
-
-| Mode             | When to Use                                                                                  |
-| ---------------- | -------------------------------------------------------------------------------------------- |
-| **Playground**   | Compare input/output formats side by side — paste a failing request to see how it translates |
-| **Chat Tester**  | Send live messages and inspect the full request/response payload including headers           |
-| **Test Bench**   | Run batch tests across format combinations to find which translations are broken             |
-| **Live Monitor** | Watch real-time request flow to catch intermittent translation issues                        |
-
-### Common format issues
-
- **Thinking tags not appearing** — Check if the target provider supports thinking and the thinking budget setting
- **Tool calls dropping** — Some format translations may strip unsupported fields; verify in Playground mode
- **System prompt missing** — Claude and Gemini handle system prompts differently; check translation output
- **SDK returns raw string instead of object** — Fixed in v1.1.0: response sanitizer now strips non-standard fields (`x_groq`, `usage_breakdown`, etc.) that cause OpenAI SDK Pydantic validation failures
- **GLM/ERNIE rejects `system` role** — Fixed in v1.1.0: role normalizer automatically merges system messages into user messages for incompatible models
- **`developer` role not recognized** — Fixed in v1.1.0: automatically converted to `system` for non-OpenAI providers
- **`json_schema` not working with Gemini** — Fixed in v1.1.0: `response_format` is now converted to Gemini's `responseMimeType` + `responseSchema`
-
---
-
-## Resilience Settings
-
-### Auto rate-limit not triggering
-
- Auto rate-limit only applies to API key providers (not OAuth/subscription)
- Verify **Settings → Resilience → Provider Profiles** has auto-rate-limit enabled
- Check if the provider returns `429` status codes or `Retry-After` headers
-
-### Tuning exponential backoff
-
-Provider profiles support these settings:
-
- **Base delay** — Initial wait time after first failure (default: 1s)
- **Max delay** — Maximum wait time cap (default: 30s)
- **Multiplier** — How much to increase delay per consecutive failure (default: 2x)
-
-### Anti-thundering herd
-
-When many concurrent requests hit a rate-limited provider, OmniRoute uses mutex + auto rate-limiting to serialize requests and prevent cascading failures. This is automatic for API key providers.
-
---
-
-## Optional RAG / LLM failure taxonomy (16 problems)
-
-Some OmniRoute users place the gateway in front of RAG or agent stacks. In those setups it is common to see a strange pattern: OmniRoute looks healthy (providers up, routing profiles ok, no rate limit alerts) but the final answer is still wrong.
-
-In practice these incidents usually come from the downstream RAG pipeline, not from the gateway itself.
-
-If you want a shared vocabulary to describe those failures you can use the WFGY ProblemMap, an external MIT license text resource that defines sixteen recurring RAG / LLM failure patterns. At a high level it covers:
-
- retrieval drift and broken context boundaries
- empty or stale indexes and vector stores
- embedding versus semantic mismatch
- prompt assembly and context window issues
- logic collapse and overconfident answers
- long chain and agent coordination failures
- multi agent memory and role drift
- deployment and bootstrap ordering problems
-
-The idea is simple:
-
-1. When you investigate a bad response, capture:
-   - user task and request
-   - route or provider combo in OmniRoute
-   - any RAG context used downstream (retrieved documents, tool calls, etc)
-2. Map the incident to one or two WFGY ProblemMap numbers (`No.1` … `No.16`).
-3. Store the number in your own dashboard, runbook, or incident tracker next to the OmniRoute logs.
-4. Use the corresponding WFGY page to decide whether you need to change your RAG stack, retriever, or routing strategy.
-
-Full text and concrete recipes live here (MIT license, text only):
-
-[WFGY ProblemMap README](https://github.com/onestardao/WFGY/blob/main/ProblemMap/README.md)
-
-You can ignore this section if you do not run RAG or agent pipelines behind OmniRoute.
-
---
-
-## Still Stuck?
-
- **GitHub Issues**: [github.com/diegosouzapw/OmniRoute/issues](https://github.com/diegosouzapw/OmniRoute/issues)
- **Architecture**: See [`docs/ARCHITECTURE.md`](ARCHITECTURE.md) for internal details
- **API Reference**: See [`docs/API_REFERENCE.md`](API_REFERENCE.md) for all endpoints
- **Health Dashboard**: Check **Dashboard → Health** for real-time system status
- **Translator**: Use **Dashboard → Translator** to debug format issues
@@ -1,929 +0,0 @@
-# User Guide (العربية)
-
-🌐 **Languages:** 🇺🇸 [English](../../USER_GUIDE.md) · 🇧🇷 [pt-BR](../pt-BR/USER_GUIDE.md) · 🇪🇸 [es](../es/USER_GUIDE.md) · 🇫🇷 [fr](../fr/USER_GUIDE.md) · 🇩🇪 [de](../de/USER_GUIDE.md) · 🇮🇹 [it](../it/USER_GUIDE.md) · 🇷🇺 [ru](../ru/USER_GUIDE.md) · 🇨🇳 [zh-CN](../zh-CN/USER_GUIDE.md) · 🇯🇵 [ja](../ja/USER_GUIDE.md) · 🇰🇷 [ko](../ko/USER_GUIDE.md) · 🇸🇦 [ar](../ar/USER_GUIDE.md) · 🇮🇳 [in](../in/USER_GUIDE.md) · 🇹🇭 [th](../th/USER_GUIDE.md) · 🇻🇳 [vi](../vi/USER_GUIDE.md) · 🇮🇩 [id](../id/USER_GUIDE.md) · 🇲🇾 [ms](../ms/USER_GUIDE.md) · 🇳🇱 [nl](../nl/USER_GUIDE.md) · 🇵🇱 [pl](../pl/USER_GUIDE.md) · 🇸🇪 [sv](../sv/USER_GUIDE.md) · 🇳🇴 [no](../no/USER_GUIDE.md) · 🇩🇰 [da](../da/USER_GUIDE.md) · 🇫🇮 [fi](../fi/USER_GUIDE.md) · 🇵🇹 [pt](../pt/USER_GUIDE.md) · 🇷🇴 [ro](../ro/USER_GUIDE.md) · 🇭🇺 [hu](../hu/USER_GUIDE.md) · 🇧🇬 [bg](../bg/USER_GUIDE.md) · 🇸🇰 [sk](../sk/USER_GUIDE.md) · 🇺🇦 [uk-UA](../uk-UA/USER_GUIDE.md) · 🇮🇱 [he](../he/USER_GUIDE.md) · 🇵🇭 [phi](../phi/USER_GUIDE.md)
-
-> 🇺🇸 [English](../../USER_GUIDE.md)
-
---
-
-Complete guide for configuring providers, creating combos, integrating CLI tools, and deploying OmniRoute.
-
---
-
-## Table of Contents
-
- [Pricing at a Glance](#-pricing-at-a-glance)
- [Use Cases](#-use-cases)
- [Provider Setup](#-provider-setup)
- [CLI Integration](#-cli-integration)
- [Deployment](#-deployment)
- [Available Models](#-available-models)
- [Advanced Features](#-advanced-features)
-
---
-
-## 💰 Pricing at a Glance
-
-| Tier                | Provider          | Cost        | Quota Reset      | Best For             |
-| ------------------- | ----------------- | ----------- | ---------------- | -------------------- |
-| **💳 SUBSCRIPTION** | Claude Code (Pro) | $20/mo      | 5h + weekly      | Already subscribed   |
-|                     | Codex (Plus/Pro)  | $20-200/mo  | 5h + weekly      | OpenAI users         |
-|                     | Gemini CLI        | **FREE**    | 180K/mo + 1K/day | Everyone!            |
-|                     | GitHub Copilot    | $10-19/mo   | Monthly          | GitHub users         |
-| **🔑 API KEY**      | DeepSeek          | Pay per use | None             | Cheap reasoning      |
-|                     | Groq              | Pay per use | None             | Ultra-fast inference |
-|                     | xAI (Grok)        | Pay per use | None             | Grok 4 reasoning     |
-|                     | Mistral           | Pay per use | None             | EU-hosted models     |
-|                     | Perplexity        | Pay per use | None             | Search-augmented     |
-|                     | Together AI       | Pay per use | None             | Open-source models   |
-|                     | Fireworks AI      | Pay per use | None             | Fast FLUX images     |
-|                     | Cerebras          | Pay per use | None             | Wafer-scale speed    |
-|                     | Cohere            | Pay per use | None             | Command R+ RAG       |
-|                     | NVIDIA NIM        | Pay per use | None             | Enterprise models    |
-| **💰 CHEAP**        | GLM-4.7           | $0.6/1M     | Daily 10AM       | Budget backup        |
-|                     | MiniMax M2.1      | $0.2/1M     | 5-hour rolling   | Cheapest option      |
-|                     | Kimi K2           | $9/mo flat  | 10M tokens/mo    | Predictable cost     |
-| **🆓 FREE**         | Qoder             | $0          | Unlimited        | 8 models free        |
-|                     | Qwen              | $0          | Unlimited        | 3 models free        |
-|                     | Kiro              | $0          | Unlimited        | Claude free          |
-
-**💡 Pro Tip:** Start with Gemini CLI (180K free/month) + Qoder (unlimited free) combo = $0 cost!
-
---
-
-## 🎯 Use Cases
-
-### Case 1: "I have Claude Pro subscription"
-
-**Problem:** Quota expires unused, rate limits during heavy coding
-
-```
-Combo: "maximize-claude"
-  1. cc/claude-opus-4-6        (use subscription fully)
-  2. glm/glm-4.7               (cheap backup when quota out)
-  3. if/kimi-k2-thinking       (free emergency fallback)
-
-Monthly cost: $20 (subscription) + ~$5 (backup) = $25 total
-vs. $20 + hitting limits = frustration
-```
-
-### Case 2: "I want zero cost"
-
-**Problem:** Can't afford subscriptions, need reliable AI coding
-
-```
-Combo: "free-forever"
-  1. gc/gemini-3-flash         (180K free/month)
-  2. if/kimi-k2-thinking       (unlimited free)
-  3. qw/qwen3-coder-plus       (unlimited free)
-
-Monthly cost: $0
-Quality: Production-ready models
-```
-
-### Case 3: "I need 24/7 coding, no interruptions"
-
-**Problem:** Deadlines, can't afford downtime
-
-```
-Combo: "always-on"
-  1. cc/claude-opus-4-6        (best quality)
-  2. cx/gpt-5.2-codex          (second subscription)
-  3. glm/glm-4.7               (cheap, resets daily)
-  4. minimax/MiniMax-M2.1      (cheapest, 5h reset)
-  5. if/kimi-k2-thinking       (free unlimited)
-
-Result: 5 layers of fallback = zero downtime
-Monthly cost: $20-200 (subscriptions) + $10-20 (backup)
-```
-
-### Case 4: "I want FREE AI in OpenClaw"
-
-**Problem:** Need AI assistant in messaging apps, completely free
-
-```
-Combo: "openclaw-free"
-  1. if/glm-4.7                (unlimited free)
-  2. if/minimax-m2.1           (unlimited free)
-  3. if/kimi-k2-thinking       (unlimited free)
-
-Monthly cost: $0
-Access via: WhatsApp, Telegram, Slack, Discord, iMessage, Signal...
-```
-
---
-
-## 📖 Provider Setup
-
-### 🔐 Subscription Providers
-
-#### Claude Code (Pro/Max)
-
-```bash
-Dashboard → Providers → Connect Claude Code
-→ OAuth login → Auto token refresh
-→ 5-hour + weekly quota tracking
-
-Models:
-  cc/claude-opus-4-6
-  cc/claude-sonnet-4-5-20250929
-  cc/claude-haiku-4-5-20251001
-```
-
-**Pro Tip:** Use Opus for complex tasks, Sonnet for speed. OmniRoute tracks quota per model!
-
-#### OpenAI Codex (Plus/Pro)
-
-```bash
-Dashboard → Providers → Connect Codex
-→ OAuth login (port 1455)
-→ 5-hour + weekly reset
-
-Models:
-  cx/gpt-5.2-codex
-  cx/gpt-5.1-codex-max
-```
-
-#### Gemini CLI (FREE 180K/month!)
-
-```bash
-Dashboard → Providers → Connect Gemini CLI
-→ Google OAuth
-→ 180K completions/month + 1K/day
-
-Models:
-  gc/gemini-3-flash-preview
-  gc/gemini-2.5-pro
-```
-
-**Best Value:** Huge free tier! Use this before paid tiers.
-
-#### GitHub Copilot
-
-```bash
-Dashboard → Providers → Connect GitHub
-→ OAuth via GitHub
-→ Monthly reset (1st of month)
-
-Models:
-  gh/gpt-5
-  gh/claude-4.5-sonnet
-  gh/gemini-3-pro
-```
-
-### 💰 Cheap Providers
-
-#### GLM-4.7 (Daily reset, $0.6/1M)
-
-1. Sign up: [Zhipu AI](https://open.bigmodel.cn/)
-2. Get API key from Coding Plan
-3. Dashboard → Add API Key: Provider: `glm`, API Key: `your-key`
-
-**Use:** `glm/glm-4.7` — **Pro Tip:** Coding Plan offers 3× quota at 1/7 cost! Reset daily 10:00 AM.
-
-#### MiniMax M2.1 (5h reset, $0.20/1M)
-
-1. Sign up: [MiniMax](https://www.minimax.io/)
-2. Get API key → Dashboard → Add API Key
-
-**Use:** `minimax/MiniMax-M2.1` — **Pro Tip:** Cheapest option for long context (1M tokens)!
-
-#### Kimi K2 ($9/month flat)
-
-1. Subscribe: [Moonshot AI](https://platform.moonshot.ai/)
-2. Get API key → Dashboard → Add API Key
-
-**Use:** `kimi/kimi-latest` — **Pro Tip:** Fixed $9/month for 10M tokens = $0.90/1M effective cost!
-
-### 🆓 FREE Providers
-
-#### Qoder (8 FREE models)
-
-```bash
-Dashboard → Connect Qoder → OAuth login → Unlimited usage
-
-Models: if/kimi-k2-thinking, if/qwen3-coder-plus, if/glm-4.7, if/minimax-m2, if/deepseek-r1
-```
-
-#### Qwen (3 FREE models)
-
-```bash
-Dashboard → Connect Qwen → Device code auth → Unlimited usage
-
-Models: qw/qwen3-coder-plus, qw/qwen3-coder-flash
-```
-
-#### Kiro (Claude FREE)
-
-```bash
-Dashboard → Connect Kiro → AWS Builder ID or Google/GitHub → Unlimited
-
-Models: kr/claude-sonnet-4.5, kr/claude-haiku-4.5
-```
-
---
-
-## 🎨 Combos
-
-### Example 1: Maximize Subscription → Cheap Backup
-
-```
-Dashboard → Combos → Create New
-
-Name: premium-coding
-Models:
-  1. cc/claude-opus-4-6 (Subscription primary)
-  2. glm/glm-4.7 (Cheap backup, $0.6/1M)
-  3. minimax/MiniMax-M2.1 (Cheapest fallback, $0.20/1M)
-
-Use in CLI: premium-coding
-```
-
-### Example 2: Free-Only (Zero Cost)
-
-```
-Name: free-combo
-Models:
-  1. gc/gemini-3-flash-preview (180K free/month)
-  2. if/kimi-k2-thinking (unlimited)
-  3. qw/qwen3-coder-plus (unlimited)
-
-Cost: $0 forever!
-```
-
---
-
-## 🔧 CLI Integration
-
-### Cursor IDE
-
-```
-Settings → Models → Advanced:
-  OpenAI API Base URL: http://localhost:20128/v1
-  OpenAI API Key: [from omniroute dashboard]
-  Model: cc/claude-opus-4-6
-```
-
-### Claude Code
-
-Edit `~/.claude/config.json`:
-
-```json
-{
-  "anthropic_api_base": "http://localhost:20128/v1",
-  "anthropic_api_key": "your-omniroute-api-key"
-}
-```
-
-### Codex CLI
-
-```bash
-export OPENAI_BASE_URL="http://localhost:20128"
-export OPENAI_API_KEY="your-omniroute-api-key"
-codex "your prompt"
-```
-
-### OpenClaw
-
-Edit `~/.openclaw/openclaw.json`:
-
-```json
-{
-  "agents": {
-    "defaults": {
-      "model": { "primary": "omniroute/if/glm-4.7" }
-    }
-  },
-  "models": {
-    "providers": {
-      "omniroute": {
-        "baseUrl": "http://localhost:20128/v1",
-        "apiKey": "your-omniroute-api-key",
-        "api": "openai-completions",
-        "models": [{ "id": "if/glm-4.7", "name": "glm-4.7" }]
-      }
-    }
-  }
-}
-```
-
-**Or use Dashboard:** CLI Tools → OpenClaw → Auto-config
-
-### Cline / Continue / RooCode
-
-```
-Provider: OpenAI Compatible
-Base URL: http://localhost:20128/v1
-API Key: [from dashboard]
-Model: cc/claude-opus-4-6
-```
-
---
-
-## 🚀 Deployment
-
-### Global npm install (Recommended)
-
-```bash
-npm install -g omniroute
-
-# Create config directory
-mkdir -p ~/.omniroute
-
-# Create .env file (see .env.example)
-cp .env.example ~/.omniroute/.env
-
-# Start server
-omniroute
-# Or with custom port:
-omniroute --port 3000
-```
-
-The CLI automatically loads `.env` from `~/.omniroute/.env` or `./.env`.
-
-### VPS Deployment
-
-```bash
-git clone https://github.com/diegosouzapw/OmniRoute.git
-cd OmniRoute && npm install && npm run build
-
-export JWT_SECRET="your-secure-secret-change-this"
-export INITIAL_PASSWORD="your-password"
-export DATA_DIR="/var/lib/omniroute"
-export PORT="20128"
-export HOSTNAME="0.0.0.0"
-export NODE_ENV="production"
-export NEXT_PUBLIC_BASE_URL="http://localhost:20128"
-export API_KEY_SECRET="endpoint-proxy-api-key-secret"
-
-npm run start
-# Or: pm2 start npm --name omniroute -- start
-```
-
-### PM2 Deployment (Low Memory)
-
-For servers with limited RAM, use the memory limit option:
-
-```bash
-# With 512MB limit (default)
-pm2 start npm --name omniroute -- start
-
-# Or with custom memory limit
-OMNIROUTE_MEMORY_MB=512 pm2 start npm --name omniroute -- start
-
-# Or using ecosystem.config.js
-pm2 start ecosystem.config.js
-```
-
-Create `ecosystem.config.js`:
-
-```javascript
-module.exports = {
-  apps: [
-    {
-      name: "omniroute",
-      script: "npm",
-      args: "start",
-      env: {
-        NODE_ENV: "production",
-        OMNIROUTE_MEMORY_MB: "512",
-        JWT_SECRET: "your-secret",
-        INITIAL_PASSWORD: "your-password",
-      },
-      node_args: "--max-old-space-size=512",
-      max_memory_restart: "300M",
-    },
-  ],
-};
-```
-
-### Docker
-
-```bash
-# Build image (default = runner-cli with codex/claude/droid preinstalled)
-docker build -t omniroute:cli .
-
-# Portable mode (recommended)
-docker run -d --name omniroute -p 20128:20128 --env-file ./.env -v omniroute-data:/app/data omniroute:cli
-```
-
-For host-integrated mode with CLI binaries, see the Docker section in the main docs.
-
-### Void Linux (xbps-src)
-
-Void Linux users can package and install OmniRoute natively using the `xbps-src` cross-compilation framework. This automates the Node.js standalone build along with the required `better-sqlite3` native bindings.
-
-<details>
-<summary><b>View xbps-src template</b></summary>
-
-```bash
-# Template file for 'omniroute'
-pkgname=omniroute
-version=3.2.4
-revision=1
-hostmakedepends="nodejs python3 make"
-depends="openssl"
-short_desc="Universal AI gateway with smart routing for multiple LLM providers"
-maintainer="zenobit <zenobit@disroot.org>"
-license="MIT"
-homepage="https://github.com/diegosouzapw/OmniRoute"
-distfiles="https://github.com/diegosouzapw/OmniRoute/archive/refs/tags/v${version}.tar.gz"
-checksum=009400afee90a9f32599d8fe734145cfd84098140b7287990183dde45ae2245b
-system_accounts="_omniroute"
-omniroute_homedir="/var/lib/omniroute"
-export NODE_ENV=production
-export npm_config_engine_strict=false
-export npm_config_loglevel=error
-export npm_config_fund=false
-export npm_config_audit=false
-
-do_build() {
-	# Determine target CPU arch for node-gyp
-	local _gyp_arch
-	case "$XBPS_TARGET_MACHINE" in
-		aarch64*) _gyp_arch=arm64 ;;
-		armv7*|armv6*) _gyp_arch=arm ;;
-		i686*) _gyp_arch=ia32 ;;
-		*) _gyp_arch=x64 ;;
-	esac
-
-	# 1) Install all deps – skip scripts
-	NODE_ENV=development npm ci --ignore-scripts
-
-	# 2) Build the Next.js standalone bundle
-	npm run build
-
-	# 3) Copy static assets into standalone
-	cp -r .next/static .next/standalone/.next/static
-	[ -d public ] && cp -r public .next/standalone/public || true
-
-	# 4) Compile better-sqlite3 native binding
-	local _node_gyp=/usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js
-	(cd node_modules/better-sqlite3 && node "$_node_gyp" rebuild --arch="$_gyp_arch")
-
-	# 5) Place the compiled binding into the standalone bundle
-	local _bs3_release=.next/standalone/node_modules/better-sqlite3/build/Release
-	mkdir -p "$_bs3_release"
-	cp node_modules/better-sqlite3/build/Release/better_sqlite3.node "$_bs3_release/"
-
-	# 6) Remove arch-specific sharp bundles
-	rm -rf .next/standalone/node_modules/@img
-
-	# 7) Copy pino runtime deps omitted by Next.js static analysis:
-	for _mod in pino-abstract-transport split2 process-warning; do
-		cp -r "node_modules/$_mod" .next/standalone/node_modules/
-	done
-}
-
-do_check() {
-	npm run test:unit
-}
-
-do_install() {
-	vmkdir usr/lib/omniroute/.next
-	vcopy .next/standalone/. usr/lib/omniroute/.next/standalone
-
-	# Prevent removal of empty Next.js app router dirs by the post-install hook
-	for _d in \
-		.next/standalone/.next/server/app/dashboard \
-		.next/standalone/.next/server/app/dashboard/settings \
-		.next/standalone/.next/server/app/dashboard/providers; do
-		touch "${DESTDIR}/usr/lib/omniroute/${_d}/.keep"
-	done
-
-	cat > "${WRKDIR}/omniroute" <<'EOF'
-#!/bin/sh
-export PORT="${PORT:-20128}"
-export DATA_DIR="${DATA_DIR:-${XDG_DATA_HOME:-${HOME}/.local/share}/omniroute}"
-export LOG_TO_FILE="${LOG_TO_FILE:-false}"
-mkdir -p "${DATA_DIR}"
-exec node /usr/lib/omniroute/.next/standalone/server.js "$@"
-EOF
-	vbin "${WRKDIR}/omniroute"
-}
-
-post_install() {
-	vlicense LICENSE
-}
-```
-
-</details>
-
-### Environment Variables
-
-| Variable                  | Default                              | Description                                             |
-| ------------------------- | ------------------------------------ | ------------------------------------------------------- |
-| `JWT_SECRET`              | `omniroute-default-secret-change-me` | JWT signing secret (**change in production**)           |
-| `INITIAL_PASSWORD`        | `123456`                             | First login password                                    |
-| `DATA_DIR`                | `~/.omniroute`                       | Data directory (db, usage, logs)                        |
-| `PORT`                    | framework default                    | Service port (`20128` in examples)                      |
-| `HOSTNAME`                | framework default                    | Bind host (Docker defaults to `0.0.0.0`)                |
-| `NODE_ENV`                | runtime default                      | Set `production` for deploy                             |
-| `BASE_URL`                | `http://localhost:20128`             | Server-side internal base URL                           |
-| `CLOUD_URL`               | `https://omniroute.dev`              | Cloud sync endpoint base URL                            |
-| `API_KEY_SECRET`          | `endpoint-proxy-api-key-secret`      | HMAC secret for generated API keys                      |
-| `REQUIRE_API_KEY`         | `false`                              | Enforce Bearer API key on `/v1/*`                       |
-| `ENABLE_REQUEST_LOGS`     | `false`                              | Enables request/response logs                           |
-| `AUTH_COOKIE_SECURE`      | `false`                              | Force `Secure` auth cookie (behind HTTPS reverse proxy) |
-| `OMNIROUTE_MEMORY_MB`     | `512`                                | Node.js heap limit in MB                                |
-| `PROMPT_CACHE_MAX_SIZE`   | `50`                                 | Max prompt cache entries                                |
-| `SEMANTIC_CACHE_MAX_SIZE` | `100`                                | Max semantic cache entries                              |
-
-For the full environment variable reference, see the [README](../README.md).
-
---
-
-## 📊 Available Models
-
-<details>
-<summary><b>View all available models</b></summary>
-
-**Claude Code (`cc/`)** — Pro/Max: `cc/claude-opus-4-6`, `cc/claude-sonnet-4-5-20250929`, `cc/claude-haiku-4-5-20251001`
-
-**Codex (`cx/`)** — Plus/Pro: `cx/gpt-5.2-codex`, `cx/gpt-5.1-codex-max`
-
-**Gemini CLI (`gc/`)** — FREE: `gc/gemini-3-flash-preview`, `gc/gemini-2.5-pro`
-
-**GitHub Copilot (`gh/`)**: `gh/gpt-5`, `gh/claude-4.5-sonnet`
-
-**GLM (`glm/`)** — $0.6/1M: `glm/glm-4.7`
-
-**MiniMax (`minimax/`)** — $0.2/1M: `minimax/MiniMax-M2.1`
-
-**Qoder (`if/`)** — FREE: `if/kimi-k2-thinking`, `if/qwen3-coder-plus`, `if/deepseek-r1`
-
-**Qwen (`qw/`)** — FREE: `qw/qwen3-coder-plus`, `qw/qwen3-coder-flash`
-
-**Kiro (`kr/`)** — FREE: `kr/claude-sonnet-4.5`, `kr/claude-haiku-4.5`
-
-**DeepSeek (`ds/`)**: `ds/deepseek-chat`, `ds/deepseek-reasoner`
-
-**Groq (`groq/`)**: `groq/llama-3.3-70b-versatile`, `groq/llama-4-maverick-17b-128e-instruct`
-
-**xAI (`xai/`)**: `xai/grok-4`, `xai/grok-4-0709-fast-reasoning`, `xai/grok-code-mini`
-
-**Mistral (`mistral/`)**: `mistral/mistral-large-2501`, `mistral/codestral-2501`
-
-**Perplexity (`pplx/`)**: `pplx/sonar-pro`, `pplx/sonar`
-
-**Together AI (`together/`)**: `together/meta-llama/Llama-3.3-70B-Instruct-Turbo`
-
-**Fireworks AI (`fireworks/`)**: `fireworks/accounts/fireworks/models/deepseek-v3p1`
-
-**Cerebras (`cerebras/`)**: `cerebras/llama-3.3-70b`
-
-**Cohere (`cohere/`)**: `cohere/command-r-plus-08-2024`
-
-**NVIDIA NIM (`nvidia/`)**: `nvidia/nvidia/llama-3.3-70b-instruct`
-
-</details>
-
---
-
-## 🧩 Advanced Features
-
-### Custom Models
-
-Add any model ID to any provider without waiting for an app update:
-
-```bash
-# Via API
-curl -X POST http://localhost:20128/api/provider-models \
-  -H "Content-Type: application/json" \
-  -d '{"provider": "openai", "modelId": "gpt-4.5-preview", "modelName": "GPT-4.5 Preview"}'
-
-# List: curl http://localhost:20128/api/provider-models?provider=openai
-# Remove: curl -X DELETE "http://localhost:20128/api/provider-models?provider=openai&model=gpt-4.5-preview"
-```
-
-Or use Dashboard: **Providers → [Provider] → Custom Models**.
-
-### Dedicated Provider Routes
-
-Route requests directly to a specific provider with model validation:
-
-```bash
-POST http://localhost:20128/v1/providers/openai/chat/completions
-POST http://localhost:20128/v1/providers/openai/embeddings
-POST http://localhost:20128/v1/providers/fireworks/images/generations
-```
-
-The provider prefix is auto-added if missing. Mismatched models return `400`.
-
-### Network Proxy Configuration
-
-```bash
-# Set global proxy
-curl -X PUT http://localhost:20128/api/settings/proxy \
-  -d '{"global": {"type":"http","host":"proxy.example.com","port":"8080"}}'
-
-# Per-provider proxy
-curl -X PUT http://localhost:20128/api/settings/proxy \
-  -d '{"providers": {"openai": {"type":"socks5","host":"proxy.example.com","port":"1080"}}}'
-
-# Test proxy
-curl -X POST http://localhost:20128/api/settings/proxy/test \
-  -d '{"proxy":{"type":"socks5","host":"proxy.example.com","port":"1080"}}'
-```
-
-**Precedence:** Key-specific → Combo-specific → Provider-specific → Global → Environment.
-
-### Model Catalog API
-
-```bash
-curl http://localhost:20128/api/models/catalog
-```
-
-Returns models grouped by provider with types (`chat`, `embedding`, `image`).
-
-### Cloud Sync
-
- Sync providers, combos, and settings across devices
- Automatic background sync with timeout + fail-fast
- Prefer server-side `BASE_URL`/`CLOUD_URL` in production
-
-### LLM Gateway Intelligence (Phase 9)
-
- **Semantic Cache** — Auto-caches non-streaming, temperature=0 responses (bypass with `X-OmniRoute-No-Cache: true`)
- **Request Idempotency** — Deduplicates requests within 5s via `Idempotency-Key` or `X-Request-Id` header
- **Progress Tracking** — Opt-in SSE `event: progress` events via `X-OmniRoute-Progress: true` header
-
---
-
-### Translator Playground
-
-Access via **Dashboard → Translator**. Debug and visualize how OmniRoute translates API requests between providers.
-
-| Mode             | Purpose                                                                                |
-| ---------------- | -------------------------------------------------------------------------------------- |
-| **Playground**   | Select source/target formats, paste a request, and see the translated output instantly |
-| **Chat Tester**  | Send live chat messages through the proxy and inspect the full request/response cycle  |
-| **Test Bench**   | Run batch tests across multiple format combinations to verify translation correctness  |
-| **Live Monitor** | Watch real-time translations as requests flow through the proxy                        |
-
-**Use cases:**
-
- Debug why a specific client/provider combination fails
- Verify that thinking tags, tool calls, and system prompts translate correctly
- Compare format differences between OpenAI, Claude, Gemini, and Responses API formats
-
---
-
-### Routing Strategies
-
-Configure via **Dashboard → Settings → Routing**.
-
-| Strategy                       | Description                                                                                      |
-| ------------------------------ | ------------------------------------------------------------------------------------------------ |
-| **Fill First**                 | Uses accounts in priority order — primary account handles all requests until unavailable         |
-| **Round Robin**                | Cycles through all accounts with a configurable sticky limit (default: 3 calls per account)      |
-| **P2C (Power of Two Choices)** | Picks 2 random accounts and routes to the healthier one — balances load with awareness of health |
-| **Random**                     | Randomly selects an account for each request using Fisher-Yates shuffle                          |
-| **Least Used**                 | Routes to the account with the oldest `lastUsedAt` timestamp, distributing traffic evenly        |
-| **Cost Optimized**             | Routes to the account with the lowest priority value, optimizing for lowest-cost providers       |
-
-#### External Sticky Session Header
-
-For external session affinity (for example, Claude Code/Codex agents behind reverse proxies), send:
-
-```http
-X-Session-Id: your-session-key
-```
-
-OmniRoute also accepts `x_session_id` and returns the effective session key in `X-OmniRoute-Session-Id`.
-
-If you use Nginx and send underscore-form headers, enable:
-
-```nginx
-underscores_in_headers on;
-```
-
-#### Wildcard Model Aliases
-
-Create wildcard patterns to remap model names:
-
-```
-Pattern: claude-sonnet-*     →  Target: cc/claude-sonnet-4-5-20250929
-Pattern: gpt-*               →  Target: gh/gpt-5.1-codex
-```
-
-Wildcards support `*` (any characters) and `?` (single character).
-
-#### Fallback Chains
-
-Define global fallback chains that apply across all requests:
-
-```
-Chain: production-fallback
-  1. cc/claude-opus-4-6
-  2. gh/gpt-5.1-codex
-  3. glm/glm-4.7
-```
-
---
-
-### Resilience & Circuit Breakers
-
-Configure via **Dashboard → Settings → Resilience**.
-
-OmniRoute implements provider-level resilience with four components:
-
-1. **Provider Profiles** — Per-provider configuration for:
-   - Failure threshold (how many failures before opening)
-   - Cooldown duration
-   - Rate limit detection sensitivity
-   - Exponential backoff parameters
-
-2. **Editable Rate Limits** — System-level defaults configurable in the dashboard:
-   - **Requests Per Minute (RPM)** — Maximum requests per minute per account
-   - **Min Time Between Requests** — Minimum gap in milliseconds between requests
-   - **Max Concurrent Requests** — Maximum simultaneous requests per account
-   - Click **Edit** to modify, then **Save** or **Cancel**. Values persist via the resilience API.
-
-3. **Circuit Breaker** — Tracks failures per provider and automatically opens the circuit when a threshold is reached:
-   - **CLOSED** (Healthy) — Requests flow normally
-   - **OPEN** — Provider is temporarily blocked after repeated failures
-   - **HALF_OPEN** — Testing if provider has recovered
-
-4. **Policies & Locked Identifiers** — Shows circuit breaker status and locked identifiers with force-unlock capability.
-
-5. **Rate Limit Auto-Detection** — Monitors `429` and `Retry-After` headers to proactively avoid hitting provider rate limits.
-
-**Pro Tip:** Use **Reset All** button to clear all circuit breakers and cooldowns when a provider recovers from an outage.
-
---
-
-### Database Export / Import
-
-Manage database backups in **Dashboard → Settings → System & Storage**.
-
-| Action                   | Description                                                                                                                    |
-| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------ |
-| **Export Database**      | Downloads the current SQLite database as a `.sqlite` file                                                                      |
-| **Export All (.tar.gz)** | Downloads a full backup archive including: database, settings, combos, provider connections (no credentials), API key metadata |
-| **Import Database**      | Upload a `.sqlite` file to replace the current database. A pre-import backup is automatically created                          |
-
-```bash
-# API: Export database
-curl -o backup.sqlite http://localhost:20128/api/db-backups/export
-
-# API: Export all (full archive)
-curl -o backup.tar.gz http://localhost:20128/api/db-backups/exportAll
-
-# API: Import database
-curl -X POST http://localhost:20128/api/db-backups/import \
-  -F "file=@backup.sqlite"
-```
-
-**Import Validation:** The imported file is validated for integrity (SQLite pragma check), required tables (`provider_connections`, `provider_nodes`, `combos`, `api_keys`), and size (max 100MB).
-
-**Use Cases:**
-
- Migrate OmniRoute between machines
- Create external backups for disaster recovery
- Share configurations between team members (export all → share archive)
-
---
-
-### Settings Dashboard
-
-The settings page is organized into 5 tabs for easy navigation:
-
-| Tab            | Contents                                                                                       |
-| -------------- | ---------------------------------------------------------------------------------------------- |
-| **Security**   | Login/Password settings, IP Access Control, API auth for `/models`, and Provider Blocking      |
-| **Routing**    | Global routing strategy (6 options), wildcard model aliases, fallback chains, combo defaults   |
-| **Resilience** | Provider profiles, editable rate limits, circuit breaker status, policies & locked identifiers |
-| **AI**         | Thinking budget configuration, global system prompt injection, prompt cache stats              |
-| **Advanced**   | Global proxy configuration (HTTP/SOCKS5)                                                       |
-
---
-
-### Costs & Budget Management
-
-Access via **Dashboard → Costs**.
-
-| Tab         | Purpose                                                                                  |
-| ----------- | ---------------------------------------------------------------------------------------- |
-| **Budget**  | Set spending limits per API key with daily/weekly/monthly budgets and real-time tracking |
-| **Pricing** | View and edit model pricing entries — cost per 1K input/output tokens per provider       |
-
-```bash
-# API: Set a budget
-curl -X POST http://localhost:20128/api/usage/budget \
-  -H "Content-Type: application/json" \
-  -d '{"keyId": "key-123", "limit": 50.00, "period": "monthly"}'
-
-# API: Get current budget status
-curl http://localhost:20128/api/usage/budget
-```
-
-**Cost Tracking:** Every request logs token usage and calculates cost using the pricing table. View breakdowns in **Dashboard → Usage** by provider, model, and API key.
-
---
-
-### Audio Transcription
-
-OmniRoute supports audio transcription via the OpenAI-compatible endpoint:
-
-```bash
-POST /v1/audio/transcriptions
-Authorization: Bearer your-api-key
-Content-Type: multipart/form-data
-
-# Example with curl
-curl -X POST http://localhost:20128/v1/audio/transcriptions \
-  -H "Authorization: Bearer your-api-key" \
-  -F "file=@audio.mp3" \
-  -F "model=deepgram/nova-3"
-```
-
-Available providers: **Deepgram** (`deepgram/`), **AssemblyAI** (`assemblyai/`).
-
-Supported audio formats: `mp3`, `wav`, `m4a`, `flac`, `ogg`, `webm`.
-
---
-
-### Combo Balancing Strategies
-
-Configure per-combo balancing in **Dashboard → Combos → Create/Edit → Strategy**.
-
-| Strategy           | Description                                                              |
-| ------------------ | ------------------------------------------------------------------------ |
-| **Round-Robin**    | Rotates through models sequentially                                      |
-| **Priority**       | Always tries the first model; falls back only on error                   |
-| **Random**         | Picks a random model from the combo for each request                     |
-| **Weighted**       | Routes proportionally based on assigned weights per model                |
-| **Least-Used**     | Routes to the model with the fewest recent requests (uses combo metrics) |
-| **Cost-Optimized** | Routes to the cheapest available model (uses pricing table)              |
-
-Global combo defaults can be set in **Dashboard → Settings → Routing → Combo Defaults**.
-
---
-
-### Health Dashboard
-
-Access via **Dashboard → Health**. Real-time system health overview with 6 cards:
-
-| Card                  | What It Shows                                               |
-| --------------------- | ----------------------------------------------------------- |
-| **System Status**     | Uptime, version, memory usage, data directory               |
-| **Provider Health**   | Per-provider circuit breaker state (Closed/Open/Half-Open)  |
-| **Rate Limits**       | Active rate limit cooldowns per account with remaining time |
-| **Active Lockouts**   | Providers temporarily blocked by the lockout policy         |
-| **Signature Cache**   | Deduplication cache stats (active keys, hit rate)           |
-| **Latency Telemetry** | p50/p95/p99 latency aggregation per provider                |
-
-**Pro Tip:** The Health page auto-refreshes every 10 seconds. Use the circuit breaker card to identify which providers are experiencing issues.
-
---
-
-## 🖥️ Desktop Application (Electron)
-
-OmniRoute is available as a native desktop application for Windows, macOS, and Linux.
-
-### تثبيت
-
-```bash
-# From the electron directory:
-cd electron
-npm install
-
-# Development mode (connect to running Next.js dev server):
-npm run dev
-
-# Production mode (uses standalone build):
-npm start
-```
-
-### Building Installers
-
-```bash
-cd electron
-npm run build          # Current platform
-npm run build:win      # Windows (.exe NSIS)
-npm run build:mac      # macOS (.dmg universal)
-npm run build:linux    # Linux (.AppImage)
-```
-
-Output → `electron/dist-electron/`
-
-### Key Features
-
-| Feature                     | Description                                          |
-| --------------------------- | ---------------------------------------------------- |
-| **Server Readiness**        | Polls server before showing window (no blank screen) |
-| **System Tray**             | Minimize to tray, change port, quit from tray menu   |
-| **Port Management**         | Change server port from tray (auto-restarts server)  |
-| **Content Security Policy** | Restrictive CSP via session headers                  |
-| **Single Instance**         | Only one app instance can run at a time              |
-| **Offline Mode**            | Bundled Next.js server works without internet        |
-
-### Environment Variables
-
-| Variable              | Default | Description                      |
-| --------------------- | ------- | -------------------------------- |
-| `OMNIROUTE_PORT`      | `20128` | Server port                      |
-| `OMNIROUTE_MEMORY_MB` | `512`   | Node.js heap limit (64–16384 MB) |
-
-📖 Full documentation: [`electron/README.md`](../electron/README.md)
@@ -1,401 +0,0 @@
-# OmniRoute — دليل النشر على VM باستخدام Cloudflare
-
-🌐 **Languages:** 🇺🇸 [English](../../VM_DEPLOYMENT_GUIDE.md) | 🇧🇷 [Português (Brasil)](../pt-BR/VM_DEPLOYMENT_GUIDE.md) | 🇪🇸 [Español](../es/VM_DEPLOYMENT_GUIDE.md) | 🇫🇷 [Français](../fr/VM_DEPLOYMENT_GUIDE.md) | 🇮🇹 [Italiano](../it/VM_DEPLOYMENT_GUIDE.md) | 🇷🇺 [Русский](../ru/VM_DEPLOYMENT_GUIDE.md) | 🇨🇳 [中文 (简体)](../zh-CN/VM_DEPLOYMENT_GUIDE.md) | 🇩🇪 [Deutsch](../de/VM_DEPLOYMENT_GUIDE.md) | 🇮🇳 [हिन्दी](../in/VM_DEPLOYMENT_GUIDE.md) | 🇹🇭 [ไทย](../th/VM_DEPLOYMENT_GUIDE.md) | 🇺🇦 [Українська](../uk-UA/VM_DEPLOYMENT_GUIDE.md) | 🇸🇦 [العربية](../ar/VM_DEPLOYMENT_GUIDE.md) | 🇯🇵 [日本語](../ja/VM_DEPLOYMENT_GUIDE.md) | 🇻🇳 [Tiếng Việt](../vi/VM_DEPLOYMENT_GUIDE.md) | 🇧🇬 [Български](../bg/VM_DEPLOYMENT_GUIDE.md) | 🇩🇰 [Dansk](../da/VM_DEPLOYMENT_GUIDE.md) | 🇫🇮 [Suomi](../fi/VM_DEPLOYMENT_GUIDE.md) | 🇮🇱 [עברית](../he/VM_DEPLOYMENT_GUIDE.md) | 🇭🇺 [Magyar](../hu/VM_DEPLOYMENT_GUIDE.md) | 🇮🇩 [Bahasa Indonesia](../id/VM_DEPLOYMENT_GUIDE.md) | 🇰🇷 [한국어](../ko/VM_DEPLOYMENT_GUIDE.md) | 🇲🇾 [Bahasa Melayu](../ms/VM_DEPLOYMENT_GUIDE.md) | 🇳🇱 [Nederlands](../nl/VM_DEPLOYMENT_GUIDE.md) | 🇳🇴 [Norsk](../no/VM_DEPLOYMENT_GUIDE.md) | 🇵🇹 [Português (Portugal)](../pt/VM_DEPLOYMENT_GUIDE.md) | 🇷🇴 [Română](../ro/VM_DEPLOYMENT_GUIDE.md) | 🇵🇱 [Polski](../pl/VM_DEPLOYMENT_GUIDE.md) | 🇸🇰 [Slovenčina](../sk/VM_DEPLOYMENT_GUIDE.md) | 🇸🇪 [Svenska](../sv/VM_DEPLOYMENT_GUIDE.md) | 🇵🇭 [Filipino](../phi/VM_DEPLOYMENT_GUIDE.md) | 🇨🇿 [Čeština](../cs/VM_DEPLOYMENT_GUIDE.md)
-
-الدليل الكامل لتثبيت OmniRoute وتكوينه على VM (VPS) مع المجال المُدار عبر Cloudflare.
-
---
-
-## المتطلبات الأساسية
-
-| العنصر                       | الحد الأدنى                         | موصى به                             |
-| ---------------------------- | ----------------------------------- | ----------------------------------- |
-| ** وحدة المعالجة المركزية ** | 1 وحدة المعالجة المركزية الافتراضية | 2 وحدة المعالجة المركزية الافتراضية |
-| **ذاكرة الوصول العشوائي**    | 1 جيجا                              | 2 جيجا                              |
-| **القرص**                    | 10 جيجا اس اس دي                    | 25 جيجا اس اس دي                    |
-| **نظام التشغيل**             | أوبونتو 22.04 LTS                   | أوبونتو 24.04 LTS                   |
-| **المجال**                   | مسجل في Cloudflare                  | —                                   |
-| ** عامل الميناء **           | محرك دوكر 24+                       | عامل الميناء 27+                    |
-
-**المزودون الذين تم اختبارهم**: Akamai (Linode)، DigitalOcean، Vultr، Hetzner، AWS Lightsail.
-
---
-
-## 1. قم بتكوين الجهاز الافتراضي
-
-### 1.1 إنشاء المثيل
-
-على موفر VPS المفضل لديك:
-
- اختر Ubuntu 24.04 LTS
- حدد الحد الأدنى للخطة (1 vCPU / 1 جيجابايت من ذاكرة الوصول العشوائي)
- قم بتعيين كلمة مرور جذر قوية أو قم بتكوين مفتاح SSH
- لاحظ **عنوان IP العام** (على سبيل المثال، `203.0.113.10`)
-
-### 1.2 الاتصال عبر SSH
-
-```bash
-ssh root@203.0.113.10
-```
-
-### 1.3 تحديث النظام
-
-```bash
-apt update && apt upgrade -y
-```
-
-### 1.4 تثبيت عامل الميناء
-
-```bash
-# Install dependencies
-apt install -y ca-certificates curl gnupg
-
-# Add official Docker repository
-install -m 0755 -d /etc/apt/keyrings
-curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
-chmod a+r /etc/apt/keyrings/docker.gpg
-echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $ (. /etc/os-release && echo “$VERSION_CODENAME”) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
-apt update
-apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
-```
-
-### 1.5 تثبيت nginx
-
-```bash
-apt install -y nginx
-```
-
-### 1.6 تكوين جدار الحماية (UFW)
-
-```bash
-ufw default deny incoming
-ufw default allow outgoing
-ufw allow 22/tcp    # SSH
-ufw allow 80/tcp    # HTTP (redirect)
-ufw allow 443/tcp   # HTTPS
-ufw enable
-```
-
-> **نصيحة**: للحصول على الحد الأقصى من الأمان، قم بتقييد المنفذين 80 و443 بعناوين Cloudflare IP فقط. راجع قسم [Advanced Security](#advanced-security).
-
---
-
-## 2. قم بتثبيت OmniRoute
-
-### 2.1 إنشاء دليل التكوين
-
-```bash
-mkdir -p /opt/omniroute
-```
-
-### 2.2 إنشاء ملف متغيرات البيئة
-
-```bash
-cat > /opt/omniroute/.env << ‘EOF’
-# === Security ===
-JWT_SECRET=CHANGE-TO-A-UNIQUE-64-CHAR-SECRET-KEY
-INITIAL_PASSWORD=YourSecurePassword123!
-API_KEY_SECRET=REPLACE-WITH-ANOTHER-SECRET-KEY
-STORAGE_ENCRYPTION_KEY=REPLACE-WITH-THIRD-SECRET-KEY
-STORAGE_ENCRYPTION_KEY_VERSION=v1
-MACHINE_ID_SALT=CHANGE-TO-A-UNIQUE-SALT
-
-# === App ===
-PORT=20128
-NODE_ENV=production
-HOSTNAME=0.0.0.0
-DATA_DIR=/app/data
-STORAGE_DRIVER=sqlite
-ENABLE_REQUEST_LOGS=true
-AUTH_COOKIE_SECURE=false
-REQUIRE_API_KEY=false
-
-# === Domain (change to your domain) ===
-BASE_URL=https://llms.seudominio.com
-NEXT_PUBLIC_BASE_URL=https://llms.seudominio.com
-
-# === Cloud Sync (optional) ===
-# CLOUD_URL=https://cloud.omniroute.online
-# NEXT_PUBLIC_CLOUD_URL=https://cloud.omniroute.online
-EOF
-```
-
-> ⚠️ **هام**: أنشئ مفاتيح سرية فريدة! استخدم `openssl rand -hex 32` لكل مفتاح.
-
-### 2.3 ابدأ الحاوية
-
-```bash
-docker pull diegosouzapw/omniroute:latest
-
-docker run -d \
-  --name omniroute \
-  --restart unless-stopped \
-  --env-file /opt/omniroute/.env \
-  -p 20128:20128 \
-  -v omniroute-data:/app/data \
-  diegosouzapw/omniroute:latest
-```
-
-### 2.4 التحقق من أنه قيد التشغيل
-
-```bash
-docker ps | grep omniroute
-docker logs omniroute --tail 20
-```
-
-يجب أن يعرض: `[DB] SQLite database ready` و`listening on port 20128`.
-
---
-
-## 3. تكوين nginx (الوكيل العكسي)
-
-### 3.1 إنشاء شهادة SSL (أصل Cloudflare)
-
-في لوحة معلومات Cloudflare:
-
-1. انتقل إلى **SSL/TLS → خادم الأصل**
-2. انقر **إنشاء شهادة**
-3. احتفظ بالإعدادات الافتراضية (15 عامًا، \*.yourdomain.com)
-4. انسخ **شهادة المنشأ** و**المفتاح الخاص**
-
-```bash
-mkdir -p /etc/nginx/ssl
-
-# Paste the certificate
-nano /etc/nginx/ssl/origin.crt
-
-# Paste the private key
-nano /etc/nginx/ssl/origin.key
-
-chmod 600 /etc/nginx/ssl/origin.key
-```
-
-### 3.2 تكوين إنجينكس
-
-```bash
-cat > /etc/nginx/sites-available/omniroute << ‘NGINX’
-# Default server — blocks direct access via IP
-server {
-    listen 80 default_server;
-    listen [::]:80 default_server;
-    listen 443 ssl default_server;
-    listen [::]:443 ssl default_server;
-    ssl_certificate     /etc/nginx/ssl/origin.crt;
-    ssl_certificate_key /etc/nginx/ssl/origin.key;
-    server_name _;
-    return 444;
-}
-
-# OmniRoute — HTTPS
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    server_name llms.yourdomain.com;  # Change to your domain
-
-    ssl_certificate     /etc/nginx/ssl/origin.crt;
-    ssl_certificate_key /etc/nginx/ssl/origin.key;
-    ssl_protocols TLSv1.2 TLSv1.3;
-
-    client_max_body_size 100M;
-
-    location / {
-        proxy_pass http://127.0.0.1:20128;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-
-        # WebSocket support
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection “upgrade”;
-
-        # SSE (Server-Sent Events) — streaming AI responses
-        proxy_buffering off;
-        proxy_cache off;
-        proxy_read_timeout 300s;
-        proxy_send_timeout 300s;
-    }
-}
-
-# HTTP → HTTPS redirect
-server {
-    listen 80;
-    listen [::]:80;
-    server_name llms.yourdomain.com;
-    return 301 https://$server_name$request_uri;
-}
-NGINX
-```
-
-### 3.3 تمكين واختبار
-
-```bash
-# Remove default configuration
-rm -f /etc/nginx/sites-enabled/default
-
-# Enable OmniRoute
-ln -sf /etc/nginx/sites-available/omniroute /etc/nginx/sites-enabled/omniroute
-
-# Test and reload
-nginx -t && systemctl reload nginx
-```
-
---
-
-## 4. تكوين Cloudflare DNS
-
-### 4.1 إضافة سجل DNS
-
-في لوحة معلومات Cloudflare → DNS:
-
-| اكتب | الاسم  | المحتوى                | الوكيل   |
-| ---- | ------ | ---------------------- | -------- |
-| أ    | `llms` | `203.0.113.10` (VM IP) | ✅ توكيل |
-
-### 4.2 تكوين SSL
-
-ضمن **SSL/TLS → نظرة عامة**:
-
- الوضع: **كامل (صارم)**
-
-ضمن **SSL/TLS → شهادات الحافة**:
-
- استخدم HTTPS دائمًا: ✅ قيد التشغيل
- الحد الأدنى لإصدار TLS: TLS 1.2
- إعادة كتابة HTTPS تلقائيًا: ✅ تشغيل
-
-### 4.3 الاختبار
-
-```bash
-curl -sI https://llms.seudominio.com/health
-# Should return HTTP/2 200
-```
-
---
-
-## 5. العمليات والصيانة
-
-### الترقية إلى الإصدار الجديد
-
-```bash
-docker pull diegosouzapw/omniroute:latest
-docker stop omniroute && docker rm omniroute
-docker run -d --name omniroute --restart unless-stopped \
-  --env-file /opt/omniroute/.env \
-  -p 20128:20128 \
-  -v omniroute-data:/app/data \
-  diegosouzapw/omniroute:latest
-```
-
-### عرض السجلات
-
-```bash
-docker logs -f omniroute          # Real-time stream
-docker logs omniroute --tail 50   # Last 50 lines
-```
-
-### النسخ الاحتياطي لقاعدة البيانات يدويا
-
-```bash
-# Copy data from the volume to the host
-docker cp omniroute:/app/data ./backup-$(date +%F)
-
-# Or compress the entire volume
-docker run --rm -v omniroute-data:/data -v $(pwd):/backup \
-  alpine tar czf /backup/omniroute-data-$(date +%F).tar.gz /data
-```
-
-### الاستعادة من النسخة الاحتياطية
-
-```bash
-docker stop omniroute
-docker run --rm -v omniroute-data:/data -v $(pwd):/backup \
-  alpine sh -c “rm -rf /data/* && tar xzf /backup/omniroute-data-YYYY-MM-DD.tar.gz -C /”
-docker start omniroute
-```
-
---
-
-## 6. الأمان المتقدم
-
-### تقييد nginx على عناوين IP الخاصة بـ Cloudflare
-
-```bash
-cat > /etc/nginx/cloudflare-ips.conf << ‘CF’
-# Cloudflare IPv4 ranges — update periodically
-# https://www.cloudflare.com/ips-v4/
-set_real_ip_from 173.245.48.0/20;
-set_real_ip_from 103.21.244.0/22;
-set_real_ip_from 103.22.200.0/22;
-set_real_ip_from 103.31.4.0/22;
-set_real_ip_from 141.101.64.0/18;
-set_real_ip_from 108.162.192.0/18;
-set_real_ip_from 190.93.240.0/20;
-set_real_ip_from 188.114.96.0/20;
-set_real_ip_from 197.234.240.0/22;
-set_real_ip_from 198.41.128.0/17;
-set_real_ip_from 162.158.0.0/15;
-set_real_ip_from 104.16.0.0/13;
-set_real_ip_from 104.24.0.0/14;
-set_real_ip_from 172.64.0.0/13;
-set_real_ip_from 131.0.72.0/22;
-real_ip_header CF-Connecting-IP;
-CF
-```
-
-أضف ما يلي إلى `nginx.conf` داخل الكتلة `http {}`:
-
-```nginx
-include /etc/nginx/cloudflare-ips.conf;
-```
-
-### تثبيت Fail2ban
-
-```bash
-apt install -y fail2ban
-systemctl enable fail2ban
-systemctl start fail2ban
-
-# Check status
-fail2ban-client status sshd
-```
-
-### منع الوصول المباشر إلى منفذ Docker
-
-```bash
-# Prevent direct external access to port 20128
-iptables -I DOCKER-USER -p tcp --dport 20128 -j DROP
-iptables -I DOCKER-USER -i lo -p tcp --dport 20128 -j ACCEPT
-
-# Persist the rules
-apt install -y iptables-persistent
-netfilter-persistent save
-```
-
---
-
-## 7. النشر إلى عمال Cloudflare (اختياري)
-
-للوصول عن بعد عبر Cloudflare Workers (دون الكشف عن الجهاز الافتراضي مباشرة):
-
-```bash
-# In the local repository
-cd omnirouteCloud
-npm install
-npx wrangler login
-npx wrangler deploy
-```
-
-راجع الوثائق الكاملة على [omnirouteCloud/README.md](../omnirouteCloud/README.md).
-
---
-
-## ملخص المنفذ
-
-| ميناء | الخدمة        | الوصول                        |
-| ----- | ------------- | ----------------------------- |
-| 22    | سش            | عام (مع Fail2ban)             |
-| 80    | إنجينكس HTTP  | إعادة التوجيه → HTTPS         |
-| 443   | إنجينكس HTTPS | عبر وكيل Cloudflare           |
-| 20128 | أومنيروتي     | المضيف المحلي فقط (عبر nginx) |
@@ -0,0 +1,170 @@
+# OmniRoute A2A Server Documentation (العربية)
+
+🌐 **Languages:** 🇺🇸 [English](../../../../docs/A2A-SERVER.md) · 🇪🇸 [es](../../es/docs/A2A-SERVER.md) · 🇫🇷 [fr](../../fr/docs/A2A-SERVER.md) · 🇩🇪 [de](../../de/docs/A2A-SERVER.md) · 🇮🇹 [it](../../it/docs/A2A-SERVER.md) · 🇷🇺 [ru](../../ru/docs/A2A-SERVER.md) · 🇨🇳 [zh-CN](../../zh-CN/docs/A2A-SERVER.md) · 🇯🇵 [ja](../../ja/docs/A2A-SERVER.md) · 🇰🇷 [ko](../../ko/docs/A2A-SERVER.md) · 🇸🇦 [ar](../../ar/docs/A2A-SERVER.md) · 🇮🇳 [hi](../../hi/docs/A2A-SERVER.md) · 🇮🇳 [in](../../in/docs/A2A-SERVER.md) · 🇹🇭 [th](../../th/docs/A2A-SERVER.md) · 🇻🇳 [vi](../../vi/docs/A2A-SERVER.md) · 🇮🇩 [id](../../id/docs/A2A-SERVER.md) · 🇲🇾 [ms](../../ms/docs/A2A-SERVER.md) · 🇳🇱 [nl](../../nl/docs/A2A-SERVER.md) · 🇵🇱 [pl](../../pl/docs/A2A-SERVER.md) · 🇸🇪 [sv](../../sv/docs/A2A-SERVER.md) · 🇳🇴 [no](../../no/docs/A2A-SERVER.md) · 🇩🇰 [da](../../da/docs/A2A-SERVER.md) · 🇫🇮 [fi](../../fi/docs/A2A-SERVER.md) · 🇵🇹 [pt](../../pt/docs/A2A-SERVER.md) · 🇷🇴 [ro](../../ro/docs/A2A-SERVER.md) · 🇭🇺 [hu](../../hu/docs/A2A-SERVER.md) · 🇧🇬 [bg](../../bg/docs/A2A-SERVER.md) · 🇸🇰 [sk](../../sk/docs/A2A-SERVER.md) · 🇺🇦 [uk-UA](../../uk-UA/docs/A2A-SERVER.md) · 🇮🇱 [he](../../he/docs/A2A-SERVER.md) · 🇵🇭 [phi](../../phi/docs/A2A-SERVER.md) · 🇧🇷 [pt-BR](../../pt-BR/docs/A2A-SERVER.md) · 🇨🇿 [cs](../../cs/docs/A2A-SERVER.md) · 🇹🇷 [tr](../../tr/docs/A2A-SERVER.md)
+
+---
+
+> بروتوكول وكيل إلى وكيل v0.3 — OmniRoute كوكيل توجيه ذكي## Agent Discovery```bash
+> curl http://localhost:20128/.well-known/agent.json
+
+````
+
+إرجاع بطاقة الوكيل التي تصف قدرات OmniRoute ومهاراتها ومتطلبات المصادقة.---## Authentication
+
+تتطلب جميع الطلبات `/a2a` مفتاح برمجة التطبيقات عبر رأس `الإعلان`:```
+التفويض: الحامل YOUR_OMNIROUTE_API_KEY```
+
+إذا لم يتم تكوين أي مفتاح API على الخادم، فسيتم تجاوز المصادقة.---
+
+## JSON-RPC 2.0 Methods
+
+### `message/send` — Synchronous Execution
+
+يرسل رسالة إلى المهارة وينتظر الرد الكامل.```bash
+curl -X POST http://localhost:20128/a2a \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer YOUR_KEY" \
+  -d '{
+    "jsonrpc": "2.0",
+    "id": "1",
+    "method": "message/send",
+    "params": {
+      "skill": "smart-routing",
+      "messages": [{"role": "user", "content": "Write a hello world in Python"}],
+      "metadata": {"model": "auto", "combo": "fast-coding"}
+    }
+  }'
+````
+
+**إجابة:**`json
+{
+  "jsonrpc": "2.0",
+  "المعرف": "1"،
+  "النتيجة": {
+    "المهمة": { "المعرف": "uuid"، "الحالة": "مكتمل" }،
+    "المصنوعات": [{ "النوع": "نص"، "محتوى": "..." }]،
+    "البيانات الوصفية": {
+      "routing_explanation": "سونيتة claude مختارة عبر الموفر \"anthropic\" (زمن الوصول: 1200 مللي ثانية، التكلفة: 0.003 USD)"،
+      "cost_envelope": { "المقدرة": 0.005، "الفعلي": 0.003، "العملة": "USD" }،
+      ""resilience_trace": [
+        { "الحدث": "primary_selected"، "provider": "anthropic"، "timestamp": "..." }
+      ]،
+      "policy_verdict": { "مسموح": صحيح، "السبب": "ضمن حدود الميزانية والحصة" }
+    }
+  }
+}`
+
+### `message/stream` — SSE Streaming
+
+نفس `الرسالة/الإرسال` ولكنها تُرجع الأحداث المرسلة من الخادم للبث في الوقت الفعلي.```bash
+curl -N -X POST http://localhost:20128/a2a \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer YOUR_KEY" \
+ -d '{
+"jsonrpc": "2.0",
+"id": "1",
+"method": "message/stream",
+"params": {
+"skill": "smart-routing",
+"messages": [{"role": "user", "content": "Explain quantum computing"}]
+}
+}'
+
+````
+
+**أحداث SSE:**```
+البيانات: {"jsonrpc": "2.0"، "method": "message/stream"، "params": {"task": {"id": "..."، "state": "working"}، "chunk": {"type": "text"، "content": "..."}}}
+
+: نبضات القلب 2026-03-03T17:00:00Z
+
+البيانات: {"jsonrpc": "2.0"، "method": "message/stream"، "params": {"task": {"id": "..."، "state": "Completed"}، "بيانات التعريف": {...}}}```
+
+### `tasks/get` — Query Task Status
+
+```bash
+حليقة -X POST http://localhost:20128/a2a \
+  -H "نوع المحتوى: application/json" \
+  -H "التفويض: حامل YOUR_KEY" \
+  -d '{"jsonrpc": "2.0"، "id": "2"، "method": "tasks/get"، "params": {"taskId": "TASK_UUID"}}'```
+
+### `tasks/cancel` — Cancel a Task
+
+```bash
+حليقة -X POST http://localhost:20128/a2a \
+  -H "نوع المحتوى: application/json" \
+  -H "التفويض: حامل YOUR_KEY" \
+  -d '{"jsonrpc": "2.0"، "id": "3"، "method": "tasks/cancel"، "params": {"taskId": "TASK_UUID"}}'```
+
+---
+
+## Available Skills
+
+| مهارة | الوصف |
+| :----------------- | :------------------------------------------------------------------------------------------------------------------------------- |
+| `التوجيه الذكي` | تطالب الطرق عبر خط أنابيب OmniRoute الذكي. إرجاع الاستجابة مع شرح التوجيه والتكلفة وتتبع المرونة. |
+| `إدارة الحصص` | يجيب على استفسارات اللغة الطبيعية حول حصص الموفرين، ويقترح مجموعات مجانية، ويوفر تصنيفات الحصص.                      |---
+
+## Task Lifecycle
+
+````
+
+تم الإرسال ← العمل ← مكتمل
+→ فشل
+→ ألغيت```
+
+- تنتهي المهام بعد 5 دقائق (قابلة للتكوين)
+- حالات الوحدة الطرفية: "مكتمل"، "فشل"، "تم الإلغاء".
+- سجل الأحداث يتتبع كل انتقال للحالة---
+
+## Error Codes
+
+| الكود  | معنى                                 |
+| :----- | :----------------------------------- | --- |
+| -32700 | خطأ في التحليل (JSON غير صالح)       |
+| -32600 | طلب غير صالح / غير مصرح به           |
+| -32601 | لم يتم العثور على الطريقة أو المهارة |
+| -32602 | معلمات غير صالحة                     |
+| -32603 | خطأ داخلي                            | --- |
+
+## Integration Examples
+
+### Python (requests)
+
+````python
+طلبات الاستيراد
+
+resp = request.post("http://localhost:20128/a2a", json={
+    "jsonrpc": "2.0"، "id": "1"،
+    "الطريقة": "رسالة/إرسال"،
+    "المعلمات": {
+        "المهارة": "التوجيه الذكي"،
+        "messages": [{"role": "user", "content": "Hello"}]
+    }
+}, headers={"Authorization": "Bearer YOUR_KEY"})
+
+النتيجة = resp.json () ["النتيجة"]
+طباعة (نتيجة ["المصنوعات"] [0] ["المحتوى"])
+طباعة (نتيجة ["بيانات التعريف"] ["routing_explanation"])```
+
+### TypeScript (fetch)
+
+```typescript
+const resp = انتظار الجلب("http://localhost:20128/a2a", {
+  الطريقة: "POST"،
+  رؤوس: {
+    "نوع المحتوى": "application/json"،
+    التفويض: "الحامل YOUR_KEY"،
+  },
+  الجسم: JSON.stringify({
+    جسونربك: "2.0"،
+    المعرف: "1"،
+    الطريقة: "رسالة/إرسال"،
+    المعلمات: {
+      المهارة: "التوجيه الذكي"،
+      الرسائل: [{ الدور: "المستخدم"، المحتوى: "مرحبًا" }]،
+    },
+  }),
+});
+const { result } = انتظار resp.json();
+console.log(result.metadata.routing_explanation);```
+````
@@ -0,0 +1,388 @@
+# API Reference (العربية)
+
+🌐 **Languages:** 🇺🇸 [English](../../../../docs/API_REFERENCE.md) · 🇪🇸 [es](../../es/docs/API_REFERENCE.md) · 🇫🇷 [fr](../../fr/docs/API_REFERENCE.md) · 🇩🇪 [de](../../de/docs/API_REFERENCE.md) · 🇮🇹 [it](../../it/docs/API_REFERENCE.md) · 🇷🇺 [ru](../../ru/docs/API_REFERENCE.md) · 🇨🇳 [zh-CN](../../zh-CN/docs/API_REFERENCE.md) · 🇯🇵 [ja](../../ja/docs/API_REFERENCE.md) · 🇰🇷 [ko](../../ko/docs/API_REFERENCE.md) · 🇸🇦 [ar](../../ar/docs/API_REFERENCE.md) · 🇮🇳 [hi](../../hi/docs/API_REFERENCE.md) · 🇮🇳 [in](../../in/docs/API_REFERENCE.md) · 🇹🇭 [th](../../th/docs/API_REFERENCE.md) · 🇻🇳 [vi](../../vi/docs/API_REFERENCE.md) · 🇮🇩 [id](../../id/docs/API_REFERENCE.md) · 🇲🇾 [ms](../../ms/docs/API_REFERENCE.md) · 🇳🇱 [nl](../../nl/docs/API_REFERENCE.md) · 🇵🇱 [pl](../../pl/docs/API_REFERENCE.md) · 🇸🇪 [sv](../../sv/docs/API_REFERENCE.md) · 🇳🇴 [no](../../no/docs/API_REFERENCE.md) · 🇩🇰 [da](../../da/docs/API_REFERENCE.md) · 🇫🇮 [fi](../../fi/docs/API_REFERENCE.md) · 🇵🇹 [pt](../../pt/docs/API_REFERENCE.md) · 🇷🇴 [ro](../../ro/docs/API_REFERENCE.md) · 🇭🇺 [hu](../../hu/docs/API_REFERENCE.md) · 🇧🇬 [bg](../../bg/docs/API_REFERENCE.md) · 🇸🇰 [sk](../../sk/docs/API_REFERENCE.md) · 🇺🇦 [uk-UA](../../uk-UA/docs/API_REFERENCE.md) · 🇮🇱 [he](../../he/docs/API_REFERENCE.md) · 🇵🇭 [phi](../../phi/docs/API_REFERENCE.md) · 🇧🇷 [pt-BR](../../pt-BR/docs/API_REFERENCE.md) · 🇨🇿 [cs](../../cs/docs/API_REFERENCE.md) · 🇹🇷 [tr](../../tr/docs/API_REFERENCE.md)
+
+---
+
+مرجع كامل لجميع نهاية نقاط OmniRoute API.---## Table of Contents
+
+- [إكمالات الدردشة](#إكمالات الدردشة)
+- [التضمينات](#التضمينات)
+- [ إنشاء الصور ](#image-generation)
+- [قائمة التطورات](#list-models)
+- [نقاط نهاية التوافق](#نقاط نهاية التوافق)
+- [ذاكرة التخزين المؤقتة الدلالية](#ذاكرة التخزين المؤقتة الدلالية)
+- [لوحة التحكم والإدارة](#dashboard--management)
+- [معالجة الطلب](#request-processing)
+- [المصادقة](#المصادقة)---## Chat Completions
+
+```bash
+POST /v1/chat/completions
+Authorization: Bearer your-api-key
+Content-Type: application/json
+
+{
+  "model": "cc/claude-opus-4-6",
+  "messages": [
+    {"role": "user", "content": "Write a function to..."}
+  ],
+  "stream": true
+}
+```
+
+### Custom Headers
+
+| رأس                      |      | الوصف                                        |
+| ------------------------ | ---- | -------------------------------------------- |
+| `X-OmniRoute-No-Cache`   | طلب  | اضبط على "صحيح" لتجاوز ذاكرة التخزين المؤقتة |
+| `X-OmniRoute-Progress`   | طلب  | اضبط على "صحيح" لأحداث التقدم                |
+| `معرف الاستماع X`        | طلب  | مفتاح جلسة لوجه الفعل                        |
+| `x_session_id`           | طلب  | يتم أيضًا قبول التكيف البيئي (HTTP)          |
+| `مفتاح العجز`            | طلب  | مفتاح Dedup (نافذة 5 ثواني)                  |
+| `معرف الطلب X`           | طلب  | مفتاح إلغاء الحذف الحذف                      |
+| `X-OmniRoute-Cache`      | الرد | `HIT` أو `MISS` (غير متدفق)                  |
+| `X-OmniRoute-Idempotent` | الرد | `صحيح` إذا تم إلغاء التكرار                  |
+| `X-OmniRoute-Progress`   | الرد | `ممكن تشغيل` في حالة تتبع التقدم             |
+| `معرف جلسة X-OmniRoute`  | الرد | الرقم التعريفي الفعال الذي يستخدمه OmniRoute |
+
+> لاحظ Nginx: إذا كنت تعتمد على التكييف الهوائي (على سبيل المثال `x_session_id`)، إلا بتمكين `الشرطات الكهربائية_in_headers on;`.---## Embeddings
+
+```bash
+POST /v1/embeddings
+Authorization: Bearer your-api-key
+Content-Type: application/json
+
+{
+  "model": "nebius/Qwen/Qwen3-Embedding-8B",
+  "input": "The food was delicious"
+}
+```
+
+مقدمو خدمة متاحون: Nebius، وOpenAI، وMistral، وTogether AI، وFireworks، وNVIDIA.```bash
+
+# قائمة بجميع نماذج التضمين
+
+الحصول على /v1/embeddings```
+
+---
+
+## Image Generation
+
+````bash
+ما بعد /v1/صور/أجيال
+التفويض: حامل مفتاح API الخاص بك
+نوع المحتوى: application/json
+
+{
+  "نموذج": "openai/dall-e-3"،
+  "prompt": "غروب الشمس الجميل فوق الجبال"،
+  "الحجم": "1024x1024"
+}```
+
+الموفرون المتاحون: OpenAI (DALL-E)، xAI (Grok Image)، Together AI (FLUX)، Fireworks AI.```bash
+# List all image models
+GET /v1/images/generations
+````
+
+---
+
+## List Models
+
+```bash
+GET /v1/models
+Authorization: Bearer your-api-key
+
+→ Returns all chat, embedding, and image models + combos in OpenAI format
+```
+
+---
+
+## Compatibility Endpoints
+
+| الطريقة  | المسار                      | التنسيق               |
+| -------- | --------------------------- | --------------------- | -------------------------------- |
+| مشاركة   | `/v1/chat/completions`      | أوبن آي               |
+| مشاركة   | `/v1/messages`              | انثروبى               |
+| مشاركة   | `/v1/الردود`                | ردود OpenAI           |
+| مشاركة   | `/v1/embeddings`            | أوبن آي               |
+| مشاركة   | `/v1/images/أجيال`          | أوبن آي               |
+| احصل على | `/v1/ النماذج`              | أوبن آي               |
+| مشاركة   | `/v1/messages/count_tokens` | انثروبى               |
+| احصل على | `/v1beta/models`            | الجوزاء               |
+| مشاركة   | `/v1beta/models/{...path}`  | الجوزاء توليد المحتوى |
+| مشاركة   | `/v1/api/chat`              | أولاما                | ### مسارات الموفر المخصصة```bash |
+
+POST /v1/providers/{provider}/chat/completions
+POST /v1/providers/{provider}/embeddings
+POST /v1/providers/{provider}/images/generations
+
+````
+
+تتم إضافة المبادئ الأصلية للمنتج الأصلي في حالة اشتعالها. الاستعلام عن الارتباطات غير المتطابقة "400".---## Semantic Cache
+
+```bash
+# Get cache stats
+GET /api/cache/stats
+
+# Clear all caches
+DELETE /api/cache/stats
+````
+
+المثال النموذجي:`json
+{
+  "ذاكرة التخزين المؤقت الدلالية": {
+    "حجم الذاكرة": 42،
+    "memoryMaxSize": 500،
+    "حجم ديسيبل": 128،
+    "معدل الإصابة": 0.65
+  },
+  "العجز": {
+    "المفاتيح النشطة": 3،
+    "windows": 5000
+  }
+}`
+
+---
+
+## Dashboard & Management
+
+### Authentication
+
+| نقطة النهاية                  | الطريقة        | الوصف                    |
+| ----------------------------- | -------------- | ------------------------ | ----------------------- |
+| `/api/auth/login`             | مشاركة         | تسجيل الدخول             |
+| `/api/auth/logout`            | مشاركة         | تسجيل الخروج             |
+| `/api/settings/require-login` | الحصول على/وضع | تبديل تسجيل الدخول مطلوب | ### Provider Management |
+
+| نقطة النهاية                 | الطريقة            | الوصف                       |
+| ---------------------------- | ------------------ | --------------------------- | --------------- |
+| `/api/providers`             | الحصول على/النشر   | قائمة / إنشاء مقدمي الخدمات |
+| `/api/providers/[id]`        | الحصول على/وضع/حذف | إدارة مزود                  |
+| `/api/providers/[id]/test`   | مشاركة             | اختبار اتصال الموفر         |
+| `/api/providers/[id]/models` | احصل على           | قائمة نماذج المزود          |
+| `/api/providers/validate`    | مشاركة             | التحقق من صحة تكوين الموفر  |
+| `/api/provider-nodes*`       | منوعه              | إدارة عقدة الموفر           |
+| `/api/provider-models`       | الحصول على/نشر/حذف | نماذج مخصصة                 | ### OAuth Flows |
+
+| نقطة النهاية                     | الطريقة | الوصف                    |
+| -------------------------------- | ------- | ------------------------ | -------------------- |
+| `/api/oauth/[provider]/[action]` | متنوع   | OAuth الخاص بموفر الخدمة | ### Routing & Config |
+
+| نقطة النهاية          | الطريقة          | الوصف                             |
+| --------------------- | ---------------- | --------------------------------- | --------------------- |
+| `/api/models/alias`   | الحصول على/النشر | الأسماء المستعارة للنموذج         |
+| `/api/models/catalog` | احصل على         | جميع الموديلات حسب المزود + النوع |
+| `/api/combos*`        | متنوع            | إدارة التحرير والسرد              |
+| `/api/keys*`          | متنوع            | إدارة مفاتيح API                  |
+| `/api/pricing`        | احصل على         | التسعير النموذجي                  | ### Usage & Analytics |
+
+| نقطة النهاية                | الطريقة  | الوصف                 |
+| --------------------------- | -------- | --------------------- | ------------ |
+| `/api/usage/history`        | احصل على | تاريخ الاستخدام       |
+| `/api/usage/logs`           | احصل على | سجلات الاستخدام       |
+| `/api/usage/request-logs`   | احصل على | سجلات على مستوى الطلب |
+| `/api/usage/[connectionId]` | احصل على | الاستخدام لكل اتصال   | ### Settings |
+
+| نقطة النهاية                    | الطريقة                | الوصف                                           |
+| ------------------------------- | ---------------------- | ----------------------------------------------- | -------------- |
+| `/api/settings`                 | الحصول على/وضع/التصحيح | الإعدادات العامة                                |
+| `/api/settings/proxy`           | الحصول على/وضع         | تكوين وكيل الشبكة                               |
+| `/api/settings/proxy/test`      | مشاركة                 | اختبار اتصال الوكيل                             |
+| `/api/settings/ip-filter`       | الحصول على/وضع         | القائمة المسموح بها/القائمة المحظورة لعناوين IP |
+| `/api/settings/thinking-budget` | الحصول على/وضع         | الميزانية الرمزية المنطقية                      |
+| `/api/settings/system-prompt`   | الحصول على/وضع         | موجه النظام العالمي                             | ### Monitoring |
+
+| نقطة النهاية             | الطريقة        | الوصف                                                                                              |
+| ------------------------ | -------------- | -------------------------------------------------------------------------------------------------- | -------------------------- |
+| `/api/sessions`          | احصل على       | تتبع الجلسة النشطة                                                                                 |
+| `/api/rate-limits`       | احصل على       | حدود المعدل لكل حساب                                                                               |
+| `/api/monitoring/health` | احصل على       | التحقق من الصحة + ملخص الموفر (`catalogCount`، `configuredCount`، `activeCount`، `monitoredCount`) |
+| `/api/cache/stats`       | الحصول على/حذف | إحصائيات ذاكرة التخزين المؤقت / مسح                                                                | ### Backup & Export/Import |
+
+| نقطة النهاية                | الطريقة  | الوصف                                              |
+| --------------------------- | -------- | -------------------------------------------------- | -------------- |
+| `/api/db-backups`           | احصل على | قائمة النسخ الاحتياطية المتاحة                     |
+| `/api/db-backups`           | ضع       | إنشاء نسخة احتياطية يدوية                          |
+| `/api/db-backups`           | مشاركة   | استعادة من نسخة احتياطية محددة                     |
+| `/api/db-backups/export`    | احصل على | تنزيل قاعدة البيانات كملف .sqlite                  |
+| `/api/db-backups/import`    | مشاركة   | قم بتحميل ملف .sqlite لاستبدال قاعدة البيانات      |
+| `/api/db-backups/exportAll` | احصل على | قم بتنزيل النسخة الاحتياطية الكاملة كأرشيف .tar.gz | ### Cloud Sync |
+
+| نقطة النهاية           | الطريقة | الوصف                    |
+| ---------------------- | ------- | ------------------------ | ----------- |
+| `/api/sync/cloud`      | متنوع   | عمليات المزامنة السحابية |
+| `/api/sync/initialize` | مشاركة  | تهيئة المزامنة           |
+| `/api/cloud/*`         | متنوع   | إدارة السحابة            | ### Tunnels |
+
+| نقطة النهاية               | الطريقة  | الوصف                                                         |
+| -------------------------- | -------- | ------------------------------------------------------------- | ------------- |
+| `/api/tunnels/cloudflared` | احصل على | اقرأ حالة تثبيت/تشغيل Cloudflare Quick Tunnel للوحة المعلومات |
+| `/api/tunnels/cloudflared` | مشاركة   | تمكين أو تعطيل نفق Cloudflare السريع (`الإجراء=تمكين/تعطيل`)  | ### CLI Tools |
+
+| نقطة النهاية                       | الطريقة  | الوصف               |
+| ---------------------------------- | -------- | ------------------- |
+| `/api/cli-tools/claude-settings`   | احصل على | حالة كلود CLI       |
+| `/api/cli-tools/codex-settings`    | احصل على | حالة Codex CLI      |
+| `/api/cli-tools/droid-settings`    | احصل على | حالة Droid CLI      |
+| `/api/cli-tools/openclaw-settings` | احصل على | حالة OpenClaw CLI   |
+| `/api/cli-tools/runtime/[toolId]`  | احصل على | وقت تشغيل CLI العام |
+
+تتضمن استجابات واجهة سطر الأوامر: `تم التثبيت`، و`القابل للتشغيل`، و`الأمر`، و`commandPath`، و`runtimeMode`، و`السبب`.### ACP Agents
+
+| نقطة النهاية      | الطريقة  | الوصف                                                          |
+| ----------------- | -------- | -------------------------------------------------------------- |
+| `/api/acp/agents` | احصل على | قم بإدراج جميع الوكلاء المكتشفين (المضمنين + المخصصين) بالحالة |
+| `/api/acp/agents` | مشاركة   | إضافة وكيل مخصص أو تحديث ذاكرة التخزين المؤقت للكشف            |
+| `/api/acp/agents` | حذف      | قم بإزالة وكيل مخصص بواسطة معلمة الاستعلام `id`                |
+
+تتضمن استجابة GET `الوكلاء []` (المعرف، الاسم، الثنائي، الإصدار، المثبت، البروتوكول، isCustom) و`الملخص` (الإجمالي، المثبت، غير موجود، مدمج، مخصص).### Resilience & Rate Limits
+
+| نقطة النهاية            | الطريقة            | الوصف                                |
+| ----------------------- | ------------------ | ------------------------------------ | --------- |
+| `/api/المرونة`          | الحصول على/التصحيح | الحصول على/تحديث ملفات تعريف المرونة |
+| `/api/resilience/reset` | مشاركة             | إعادة ضبط قواطع الدائرة              |
+| `/api/rate-limits`      | احصل على           | حالة حد المعدل لكل حساب              |
+| `/api/rate-limit`       | احصل على           | تكوين حد المعدل العالمي              | ### Evals |
+
+| نقطة النهاية | الطريقة          | الوصف                                 |
+| ------------ | ---------------- | ------------------------------------- | ------------ |
+| `/api/evals` | الحصول على/النشر | قائمة مجموعات التقييم / تشغيل التقييم | ### Policies |
+
+| نقطة النهاية    | الطريقة            | الوصف                |
+| --------------- | ------------------ | -------------------- | -------------- |
+| `/api/policies` | الحصول على/نشر/حذف | إدارة سياسات التوجيه | ### Compliance |
+
+| نقطة النهاية                | الطريقة  | الوصف                        |
+| --------------------------- | -------- | ---------------------------- | ------------------------------ |
+| `/api/compliance/audit-log` | احصل على | سجل تدقيق الامتثال (آخر رقم) | ### v1beta (Gemini-Compatible) |
+
+| نقطة النهاية               | الطريقة  | الوصف                                |
+| -------------------------- | -------- | ------------------------------------ |
+| `/v1beta/models`           | احصل على | قائمة النماذج بصيغة الجوزاء          |
+| `/v1beta/models/{...path}` | مشاركة   | الجوزاء `توليد المحتوى` نقطة النهاية |
+
+تعكس نقاط النهاية هذه تنسيق Gemini API للعملاء الذين يتوقعون توافق Gemini SDK الأصلي.### Internal / System APIs
+
+| نقطة النهاية    | الطريقة  | الوصف                                              |
+| --------------- | -------- | -------------------------------------------------- |
+| `/api/init`     | احصل على | فحص تهيئة التطبيق (يستخدم عند التشغيل لأول مرة)    |
+| `/api/tags`     | احصل على | علامات النماذج المتوافقة مع Ollama (لعملاء Ollama) |
+| `/api/restart`  | مشاركة   | تشغيل إعادة تشغيل الخادم الرشيقة                   |
+| `/api/shutdown` | مشاركة   | تشغيل إيقاف تشغيل الخادم بشكل رشيق                 |
+
+> **ملاحظة:**يتم استخدام نقاط النهاية هذه داخليًا بواسطة النظام أو للتوافق مع عميل Ollama. ولا يتم استدعاؤها عادة من قبل المستخدمين النهائيين.---
+
+## Audio Transcription
+
+````bash
+POST /v1/audio/transcriptions
+التفويض: حامل مفتاح API الخاص بك
+نوع المحتوى: بيانات متعددة الأجزاء/النموذج```
+
+قم بنسخ الملفات الصوتية باستخدام Deepgram أو AssemblyAI.
+
+**طلب:**```bash
+curl -X POST http://localhost:20128/v1/audio/transcriptions \
+  -H "Authorization: Bearer your-api-key" \
+  -F "file=@recording.mp3" \
+  -F "model=deepgram/nova-3"
+````
+
+**إجابة:**`json
+{
+  "text": "مرحبًا، هذا هو المحتوى الصوتي المكتوب.",
+  "مهمة": "نسخ"،
+  "اللغة": "ar"،
+  "المدة": 12.5
+}`
+
+**مقدمو الخدمة المدعومين:**`deepgram/nova-3`، `assemblyai/best`.
+
+**الصيغ المدعومة:**`mp3`، `wav`، `m4a`، `flac`، `ogg`، `webm`.---
+
+## Ollama Compatibility
+
+للعملاء الذين يستخدمون تنسيق واجهة برمجة تطبيقات Olma:```bash
+
+# Chat endpoint (Ollama format)
+
+POST /v1/api/chat
+
+# Model listing (Ollama format)
+
+GET /api/tags
+
+````
+
+ترجمة الطلبات الأصلية بين التنسيقات التنسيقات الداخلية.---## Telemetry
+
+```bash
+# Get latency telemetry summary (p50/p95/p99 per provider)
+GET /api/telemetry/summary
+````
+
+**إجابة:**`json
+{
+  "مقدمو الخدمات": {
+    "claudeCode": { "p50": 245, "p95": 890, "p99": 1200, "count": 150 },
+    "github": { "p50": 180، "p95": 620، "p99": 950، "count": 320 }
+  }
+}`
+
+---
+
+## Budget
+
+````bash
+# احصل على حالة الميزانية لجميع مفاتيح API
+الحصول على /api/usage/budget
+
+# تعيين أو تحديث الميزانية
+POST /api/usage/budget
+نوع المحتوى: application/json
+
+{
+  "معرف المفتاح": "مفتاح-123"،
+  "الحد": 50.00،
+  "الفترة": "الشهرية"
+}```
+
+---
+
+## Model Availability
+
+```bash
+# احصل على توفر النموذج في الوقت الفعلي عبر جميع مقدمي الخدمة
+الحصول على /api/models/availability
+
+# التحقق من توفر طراز معين
+POST /api/models/availability
+نوع المحتوى: application/json
+
+{
+  "نموذج": "كلود السوناتة-4-5-20250929"
+}```
+
+---
+
+## Request Processing
+
+1. يرسل العميل طلبًا إلى `/v1/*`
+2. يستدعي معالج المسار "handleChat"، أو "handleEmbedding"، أو "handleAudioTranscription"، أو "handleImageGeneration".
+3. تم حل النموذج (المزود/النموذج المباشر أو الاسم المستعار/السرد)
+4. تم تحديد بيانات الاعتماد من قاعدة البيانات المحلية مع تصفية توفر الحساب
+5. للدردشة: `handleChatCore` - اكتشاف التنسيق، والترجمة، والتحقق من ذاكرة التخزين المؤقت، والتحقق من الكفاءة
+6. يقوم منفذ الموفر بإرسال طلب المنبع
+7. تتم ترجمة الاستجابة مرة أخرى إلى تنسيق العميل (الدردشة) أو إعادتها كما هي (التضمينات/الصور/الصوت)
+8. تم تسجيل الاستخدام/التسجيل
+9. يتم تطبيق الإجراء الاحتياطي على الأخطاء وفقًا لقواعد التحرير والسرد
+
+مرجع البنية الكاملة: [`ARCHITECTURE.md`](ARCHITECTURE.md)---
+
+## Authentication
+
+- تستخدم مسارات لوحة المعلومات (`/dashboard/*`) ملف تعريف الارتباط `auth_token`
+- يستخدم تسجيل الدخول تجزئة كلمة المرور المحفوظة؛ الرجوع إلى `INITIAL_PASSWORD`
+- `requireLogin` قابل للتبديل عبر `/api/settings/require-login`
+- تتطلب المسارات `/v1/*` بشكل اختياري مفتاح Bearer API عندما يكون `REQUIRE_API_KEY=true`
+````
@@ -0,0 +1,719 @@
+# OmniRoute Architecture (العربية)
+
+🌐 **Languages:** 🇺🇸 [English](../../../../docs/ARCHITECTURE.md) · 🇪🇸 [es](../../es/docs/ARCHITECTURE.md) · 🇫🇷 [fr](../../fr/docs/ARCHITECTURE.md) · 🇩🇪 [de](../../de/docs/ARCHITECTURE.md) · 🇮🇹 [it](../../it/docs/ARCHITECTURE.md) · 🇷🇺 [ru](../../ru/docs/ARCHITECTURE.md) · 🇨🇳 [zh-CN](../../zh-CN/docs/ARCHITECTURE.md) · 🇯🇵 [ja](../../ja/docs/ARCHITECTURE.md) · 🇰🇷 [ko](../../ko/docs/ARCHITECTURE.md) · 🇸🇦 [ar](../../ar/docs/ARCHITECTURE.md) · 🇮🇳 [hi](../../hi/docs/ARCHITECTURE.md) · 🇮🇳 [in](../../in/docs/ARCHITECTURE.md) · 🇹🇭 [th](../../th/docs/ARCHITECTURE.md) · 🇻🇳 [vi](../../vi/docs/ARCHITECTURE.md) · 🇮🇩 [id](../../id/docs/ARCHITECTURE.md) · 🇲🇾 [ms](../../ms/docs/ARCHITECTURE.md) · 🇳🇱 [nl](../../nl/docs/ARCHITECTURE.md) · 🇵🇱 [pl](../../pl/docs/ARCHITECTURE.md) · 🇸🇪 [sv](../../sv/docs/ARCHITECTURE.md) · 🇳🇴 [no](../../no/docs/ARCHITECTURE.md) · 🇩🇰 [da](../../da/docs/ARCHITECTURE.md) · 🇫🇮 [fi](../../fi/docs/ARCHITECTURE.md) · 🇵🇹 [pt](../../pt/docs/ARCHITECTURE.md) · 🇷🇴 [ro](../../ro/docs/ARCHITECTURE.md) · 🇭🇺 [hu](../../hu/docs/ARCHITECTURE.md) · 🇧🇬 [bg](../../bg/docs/ARCHITECTURE.md) · 🇸🇰 [sk](../../sk/docs/ARCHITECTURE.md) · 🇺🇦 [uk-UA](../../uk-UA/docs/ARCHITECTURE.md) · 🇮🇱 [he](../../he/docs/ARCHITECTURE.md) · 🇵🇭 [phi](../../phi/docs/ARCHITECTURE.md) · 🇧🇷 [pt-BR](../../pt-BR/docs/ARCHITECTURE.md) · 🇨🇿 [cs](../../cs/docs/ARCHITECTURE.md) · 🇹🇷 [tr](../../tr/docs/ARCHITECTURE.md)
+
+---
+
+_آخر تحديث: 2026-03-28_## الملخص التنفيذي
+
+OmniRoute عبارة عن بوابة توجيه نقطة تعمل بالذكاء الاصطناعي ولوحة معلومات مبنية على Next.js.
+وهو يوفر نقطة نهاية واحدة متوافقة مع OpenAI (`/v1/*`) ويوجه حركة المرور عبر العديد من الخدمات الموفري الأولية مع الترجمة والاحتياط وتحديث الرمز المميز وتتبع الاستخدام.
+
+التان الأساسية:
+
+- سطح API متوافق مع OpenAI لـ CLI/الأدوات (28 منتجًا)
+- ترجمة الطلب/الاستجابة عبر التنسيقات الموفر
+- نموذج بناء التحرير والسرد (سلسلة الارتباطات المتعددة)
+- موازنة حساب الحساب (حسابات متعددة لكل شخص)
+- إدارة اتصال موفر OAuth + API-key
+- إنشاء التضمين عبر `/v1/embeddings` (6 مقدمي خدمات، 9 نماذج)
+- إنشاء الصور عبر `/v1/images/Generation` (4 مقدمي خدمات، 9 نماذج)
+- فكر في تحليل العلامات (`<think>...</think>`) لنماذج الاستدلال
+- تحديد القيمة للتوافق مع OpenAI SDK
+- تطبيع الدور (المطور → النظام، النظام → المستخدم) للتوافق بين الموفرين
+- تحويل المنتج منظم (json_schema → Gemini ResponseSchema)
+- الثبات المحلي لمقدمي الخدمات والمفاتيح والأسماء المستعارة والمجموعات والإعدادات والتسعير
+- تتبع تكلفة/التكلفة وتسجيل الطلب
+- نوبات سحابية اختيارية للأجهزة/الحالة الثابتة
+- القائمة الخاصة بها/القائمة المحظورة لـ IP للتحكم في الوصول إلى واجهة برمجة التطبيقات
+- التفكير في إدارة الميزانية (العبور / التلقائي / المقصود / التكيفي)
+- هيكل البناء العالمي
+- تتبع البصمات
+- تحديد المحسن لكل حساب مع الملفات الشخصية الخاصة بالمزود
+- تقطع فاصل لمرونة المورد
+- حماية القطيع ضد الرعد مع موتكس
+- ذاكرة التخزين المؤقتة لإلغاء البيانات المكررة للطلبة المستندية للتوقيع
+- المجال: توفر النموذج، وقواعد التكلفة، والسياسة الاحتياطية، وسياسة فك الضغط
+- فرانسيسكوية المجال المجال (ذاكرة التخزين المؤقتة للكتاب في SQLite للاحتياطيات والميزانيات وفتح قواطع الضوء)
+- السياسة التي تحدد الطلب المركزي (التأمين → الميزانية → الاحتياطي)
+- طلب القياس عن بعد مع تجميع الكمون ص50/ص95/ص99
+- معرف الارتباط (X-Request-Id) للتتبع الشامل
+- تسجيل تدقيق كامل مع إلغاء الاشتراك لمفتاح API
+- إطار تقييمي وجودة LLM
+- لوحة تحكم واجهة المستخدم المرنة مع فاصل زمني في العمل
+- مفري OAuth المطاطيون (12 وحدة ضمن `src/lib/oauth/providers/`)
+
+وقت نموذج التشغيل الأساسي:
+
+- تقوم مسارات تطبيق Next.js ضمن `src/app/api/*` ولتتمكن كل من واجهات تطبيقات برمجة لوحة المعلومات وواجهات برمجة تطبيقات التوافق
+- نواة توجيه/SSE اشترك في `src/sse/*` + `open-sse/*` تمويل مع تنفيذ الموفر والترجمة والتدفق والرجوع والاستخدام## النطاق والحدود### In Scope
+
+- وقت تشغيل البوابة المحلية
+- واجهات برمجة التطبيقات المبتكرة للوحة المعلومات
+- مصادقة الموفر وتحديث الرمز المميز
+- طلب الترجمة و التدفق SSE
+- الحالة المحلية + استمرارية الاستخدام
+- نوبات سحابية اختيارية### خارج النطاق
+
+- تنفيذ خدمة السحابية خلف `NEXT_PUBLIC_CLOUD_URL`
+- مستوى تحرير السودان/مستوى التحكم خارج نطاق العمل
+- ثنائيات CLI الخارجية نفسها (Claude CLI، Codex CLI، وما إلى ذلك) ## سطح لوحة القيادة (الحالي)
+
+الصفحة الرئيسية ضمن `src/app/(dashboard)/dashboard/`:
+
+- `/dashboard` - بداية سريعة + نظرة عامة على الموفر
+- `/dashboard/endpoint` - وكيل نقطة النهاية + علامات نهاية نقطة النهاية MCP + A2A + API
+- `/dashboard/providers` - اتصالات الموفر وبيانات الاعتماد
+- `/dashboard/combos` - إستراتيجيات التحرير والسرد والقوالب وقواعد توجيه التطورات
+- `/dashboard/costs` - تجميع الأسعار ورؤية الأسعار
+- `/dashboard/analytics` - تحليلات تعاطيات البناء
+- `/dashboard/limits` - ضوابط الحصص/المعدلات
+- `/dashboard/cli-tools` - إعداد واجهة سطر مودم، والكشف عن وقت التشغيل، ويشمل ذلك
+- `/dashboard/agents` — تم ابتكار عملاء ACP + تسجيل عميل مخصص
+- `/dashboard/media` — ساحة لعب الصور/الفيديو/الموسيقى
+- `/dashboard/search-tools` - اختبار خريطة البحث
+- `/dashboard/health` - وقت التشغيل، قواطع الدائرة، حدود المعدل
+- `/dashboard/logs` - سجلات الطلب/الوكيل/التدقيق/وحدة التحكم
+- `/dashboard/settings` - علامات إعدادات النظام (عامة، توجيه، إعدادات التحرير والإعدادات البرمجية، إلخ.)
+- `/dashboard/api-manager` - دورة حياة مفتاح برمجة برمجة التطبيقات والأذونات النموذجية## سياق النظام عالي المستوى```mermaid
+  flowchart LR
+  subgraph Clients[Developer Clients]
+  C1[Claude Code]
+  C2[Codex CLI]
+  C3[OpenClaw / Droid / Cline / Continue / Roo]
+  C4[Custom OpenAI-compatible clients]
+  BROWSER[Browser Dashboard]
+  end
+
+      subgraph Router[OmniRoute Local Process]
+          API[V1 Compatibility API\n/v1/*]
+          DASH[Dashboard + Management API\n/api/*]
+          CORE[SSE + Translation Core\nopen-sse + src/sse]
+          DB[(storage.sqlite)]
+          UDB[(usage tables + log artifacts)]
+      end
+
+      subgraph Upstreams[Upstream Providers]
+          P1[OAuth Providers\nClaude/Codex/Gemini/Qwen/Qoder/GitHub/Kiro/Cursor/Antigravity]
+          P2[API Key Providers\nOpenAI/Anthropic/OpenRouter/GLM/Kimi/MiniMax\nDeepSeek/Groq/xAI/Mistral/Perplexity\nTogether/Fireworks/Cerebras/Cohere/NVIDIA]
+          P3[Compatible Nodes\nOpenAI-compatible / Anthropic-compatible]
+      end
+
+      subgraph Cloud[Optional Cloud Sync]
+          CLOUD[Cloud Sync Endpoint\nNEXT_PUBLIC_CLOUD_URL]
+      end
+
+      C1 --> API
+      C2 --> API
+      C3 --> API
+      C4 --> API
+      BROWSER --> DASH
+
+      API --> CORE
+      DASH --> DB
+      CORE --> DB
+      CORE --> UDB
+
+      CORE --> P1
+      CORE --> P2
+      CORE --> P3
+
+      DASH --> CLOUD
+
+````
+
+## Core Runtime Components
+
+## 1) API and Routing Layer (Next.js App Routes)
+
+الدلائل الرئيسية:
+
+- `src/app/api/v1/*` و `src/app/api/v1beta/*` لواجهات برمجة التطبيقات المتوافقة
+- `src/app/api/*` لواجهات برمجة تطبيقات للإدارة/التكوين
+- إعادة الكتابة التالية في الخريطة `next.config.mjs` `/v1/*` إلى `/api/v1/*`
+
+طرق التوافق:
+
+- `src/app/api/v1/chat/completions/route.ts`
+- `src/app/api/v1/messages/route.ts`
+- `src/app/api/v1/responses/route.ts`
+- `src/app/api/v1/models/route.ts` - تشمل نماذج مخصصة ذات `مخصصة: صحيح`
+- `src/app/api/v1/embeddings/route.ts` - إنشاء التضمين (6 مفري)
+- `src/app/api/v1/images/ Generations/route.ts` - إنشاء الصور (4+ موفري خدمات بما في ذلك Antigravity/Nebius)
+- `src/app/api/v1/messages/count_tokens/route.ts`
+- `src/app/api/v1/providers/[provider]/chat/completions/route.ts` - دردشة مخصصة لكل المرشحين
+- `src/app/api/v1/providers/[provider]/embeddings/route.ts` - عمليات التضمين المخصصة لكل المجالات
+- `src/app/api/v1/providers/[provider]/images/ Generations/route.ts` - صور مخصصة لكل إطار
+- `src/app/api/v1beta/models/route.ts`
+- `src/app/api/v1beta/models/[...path]/route.ts`
+
+الفترات الإدارية:
+
+- المصادقة/الإعدادات: `src/app/api/auth/*`، `src/app/api/settings/*`
+- مقدمو الخدمة/الاتصالات: `src/app/api/providers*`
+- عقد الموفر: `src/app/api/provider-nodes*`
+- الروابط ذات الصلة: `src/app/api/provider-models` (GET/POST/DELETE)
+- كتالوج الارتباطات: `src/app/api/models/route.ts` (GET)
+- الوكيل التنفيذي: `src/app/api/settings/proxy` (GET/PUT/DELETE) + `src/app/api/settings/proxy/test` (POST)
+- OAuth: `src/app/api/oauth/*`
+-لوحة المفاتيح/الأسماء المستعارة/المجموعات/التسعير: `src/app/api/keys*`، `src/app/api/models/alias`، `src/app/api/combos*`، `src/app/api/pricing`
+-استخدام: `src/app/api/usage/*`
+- الناقلات/السحابة: `src/app/api/sync/*`، `src/app/api/cloud/*`
+- مساعدي أدوات CLI: `src/app/api/cli-tools/*`
+- مرشح IP: `src/app/api/settings/ip-filter` (GET/PUT)
+- تكلفة التفكير: `src/app/api/settings/thinking-budget` (GET/PUT)
+- متشوق النظام: `src/app/api/settings/system-prompt` (GET/PUT)
+- الجلسات: `src/app/api/sessions` (GET)
+- النطاق المعدل: `src/app/api/rate-limits` (GET)
+- معطف: `src/app/api/resilience` (GET/PATCH) - ملفات تعريف الموفر، التفاضل والتكامل، حالة لا يمكن تعديلها
+- إعادة ضبط ضبط: `src/app/api/resilience/reset` (POST) - إعادة ضبط القواطع + تخفيف التهدئة
+- إحصائيات ذاكرة تخزين مؤقتة: `src/app/api/cache/stats` (GET/DELETE)
+- توفر النموذج: `src/app/api/models/availability` (GET/POST)
+- القياس عن بعد: `src/app/api/telemetry/summary` (GET)
+- الميزانية: `src/app/api/usage/budget` (GET/POST)
+- السلاسل الاحتياطية: `src/app/api/fallback/chains` (GET/POST/DELETE)
+- تدقيق تماما: `src/app/api/compliance/audit-log` (GET)
+- التقييمات: `src/app/api/evals` (GET/POST)، `src/app/api/evals/[suiteId]` (GET)
+- للمزيد: `src/app/api/policies` (GET/POST)## 2) SSE + Translation Core
+
+وحدات السرعة الرئيسية:- الإدخال: `src/sse/handlers/chat.ts`
+- أريد الأساسي: `open-sse/handlers/chatCore.ts`
+- محولات تنفيذ الموفر: `open-sse/executors/*`
+- الاكتشاف الجديد/تكوين الموفر: `open-sse/services/provider.ts`
+- تحليل/حل النموذج: `src/sse/services/model.ts`، `open-sse/services/model.ts`
+- الحساب الاحتياطي للحساب: `open-sse/services/accountFallback.ts`
+- سجل الترجمة: `open-sse/translator/index.ts`
+- تحويلات الدفق: `open-sse/utils/stream.ts`، `open-sse/utils/streamHandler.ts`
+-الطلب/تطبيع الاستخدام: `open-sse/utils/usageTracking.ts`
+- فكر في محلل العناوين: `open-sse/utils/thinkTagParser.ts`
+-معالج التضمين: `open-sse/handlers/embeddings.ts`
+- سجل موفر التضمين: open-sse/config/embeddingRegistry.ts
+-معالج إنشاء الصور: `open-sse/handlers/imageGeneration.ts`
+- سجل موفر الصور: `open-sse/config/imageRegistry.ts`
+- تعريف القيمة: `open-sse/handlers/responseSanitizer.ts`
+- تطبيع الدور: `open-sse/services/roleNormalizer.ts`
+
+الخدمات (منطقة الأعمال):
+
+- اختيار الحساب/تسجيل النقاط: `open-sse/services/accountSelector.ts`
+- إدارة دورة حياة السياق: `open-sse/services/contextManager.ts`
+- فرض مرشح IP: `open-sse/services/ipFilter.ts`
+- تعقيب النظر: `open-sse/services/sessionManager.ts`
+-طلب إلغاء البيانات المكررة: `open-sse/services/signatureCache.ts`
+- البناء الكامل: `open-sse/services/systemPrompt.ts`
+- التفكير في إدارة الميزانية: `open-sse/services/thinkingBudget.ts`
+- توجيه نموذج حرف البدل: `open-sse/services/wildcardRouter.ts`
+- إدارة إلى حد التعديل: `open-sse/services/rateLimitManager.ts`
+- قاطع الدائرة: `open-sse/services/circuitBreaker.ts`
+
+وحدات المجال:
+
+- توفر النموذج: `src/lib/domain/modelAvailability.ts`
+- متطلبات/ميزانيات التكلفة: `src/lib/domain/costRules.ts`
+- السياسة الافتراضية: `src/lib/domain/fallbackPolicy.ts`
+- محلل التحرير والسرد: `src/lib/domain/comboResolver.ts`
+- تأمين التأمين: `src/lib/domain/lockoutPolicy.ts`
+- محرك السياسة: `src/domain/policyEngine.ts` - القفل المركزي ← الميزانية ← التقييم الاحتياطي
+- كتالوج الرموز لسبب: `src/lib/domain/errorCodes.ts`
+- معرف الطلب: `src/lib/domain/requestId.ts`
+- مهلة الجلب: `src/lib/domain/fetchTimeout.ts`
+-طلب القياس عن بعد: `src/lib/domain/requestTelemetry.ts`
+- شامل/الدقيق: `src/lib/domain/compliance/index.ts`
+- عداء التقييم: `src/lib/domain/evalRunner.ts`
+- دونية المجال المجال: `src/lib/db/domainState.ts` - SQLite CRUD للسلاسل الاحتياطية، والميزانيات، خسر التكلفة، وحالة القفل، وقواطع الضوء
+
+وحدات موفر OAuth (12 ملفًا فرديًا ضمن `src/lib/oauth/providers/`):
+
+- فهرس التسجيل: `src/lib/oauth/providers/index.ts`
+- مقدمو الخدمات الأشخاص: `claude.ts`، `codex.ts`، `gemini.ts`، `antigravity.ts`، `qode.ts`، `qwen.ts`، `kimi-coding.ts`، `github.ts`، `kiro.ts`، `cursor.ts`، `kilocode.ts`، `cline.ts`
+- طعام السباحة: `src/lib/oauth/providers.ts` - يُعاد تصديره من العناصر العناصر## 3) طبقة الثبات
+
+قاعدة بيانات الحالة الأساسية (SQLite):- المعرفة البشرية الأساسية: `src/lib/db/core.ts` (better-sqlite3، migrations، WAL)
+- واجهة إعادة التصدير: `src/lib/localDb.ts` (طبقة توافق مختلفة للمتصلين)
+- الملف: `${DATA_DIR}/storage.sqlite` (أو `$XDG_CONFIG_HOME/omniroute/storage.sqlite` عند الضرورة، وإلا `~/.omniroute/storage.sqlite`)
+- كيانات (الجداول + أسماء KV): ProvideConnections، وproviderNodes، وmodelAliases، والمجموعات، WapiKeys، والإعدادات، والتسعير،**customModels**،**proxyConfig**،**ipFilter**،**thinkingBudget**،**systemPrompt**
+
+بمرور الوقت الاستخدام:
+
+- الواجهة: `src/lib/usageDb.ts` (وحدات متحللة في `src/lib/usage/*`)
+- جداول SQLite في `storage.sqlite`: `usage_history`، `call_logs`، `proxy_logs`
+- تبرز عناصر الملف الاختياري للتوافق/تصحيح سبب (`${DATA_DIR}/log.txt`, `${DATA_DIR}/call_logs/`, `<repo>/logs/...`)
+- يتم رحيل ملفات JSON القديمة إلى SQLite عن طريق عمليات رحيل بدء التشغيل عند وجودها
+
+قاعدة بيانات المجال (SQLite):
+
+- `src/lib/db/domainState.ts` - عمليات إنتاج CRUD لحالة المجال
+- الجداول (التي تم تحديدها في `src/lib/db/core.ts`): `domain_fallback_chains`، `domain_budgets`، `domain_cost_history`، `domain_lockout_state`، `domain_circuit_breakers`.
+- نمط ذاكرة التخزين المؤقت للكتابة: قرص الاتصال موجود في الذاكرة الموثوقة في وقت التشغيل؛ تتم كتابة الطفرات بشكل متزامن إلى SQLite؛ يتم استعادة حالة قاعدة البيانات عند البداية الباردة ## 4) المصادقة + الأسطح الأمنية
+
+- مصادقة ملف تعريف الارتباط في لوحة المعلومات: `src/proxy.ts`، `src/app/api/auth/login/route.ts`
+- إنشاء/التحقق من مفتاح واجهة برمجة التطبيقات: `src/shared/utils/apiKey.ts`
+-أسرار الموفر في الخطوط "providerConnections".
+- دعم خارجي تمامًا عبر `open-sse/utils/proxyFetch.ts` (env vars) و`open-sse/utils/networkProxy.ts` (قابل للتكوين لكل المرشحين أو عالمي)## 5) Cloud Sync
+
+- جدولة init: `src/lib/initCloudSync.ts`، `src/shared/services/initializeCloudSync.ts`، `src/shared/services/modelSyncScheduler.ts`
+- أهم الأحداث: `src/shared/services/cloudSyncScheduler.ts`
+- أهم الأحداث: `src/shared/services/modelSyncScheduler.ts`
+- التحكم في المسار: `src/app/api/sync/cloud/route.ts`## دورة حياة الطلب (`/v1/chat/completions`)```mermaid
+sequenceDiagram
+    autonumber
+    participant Client as CLI/SDK Client
+    participant Route as /api/v1/chat/completions
+    participant Chat as src/sse/handlers/chat
+    participant Core as open-sse/handlers/chatCore
+    participant Model as Model Resolver
+    participant Auth as Credential Selector
+    participant Exec as Provider Executor
+    participant Prov as Upstream Provider
+    participant Stream as Stream Translator
+    participant Usage as usageDb
+
+    Client->>Route: POST /v1/chat/completions
+    Route->>Chat: handleChat(request)
+    Chat->>Model: parse/resolve model or combo
+
+    alt Combo model
+        Chat->>Chat: iterate combo models (handleComboChat)
+    end
+
+    Chat->>Auth: getProviderCredentials(provider)
+    Auth-->>Chat: active account + tokens/api key
+
+    Chat->>Core: handleChatCore(body, modelInfo, credentials)
+    Core->>Core: detect source format
+    Core->>Core: translate request to target format
+    Core->>Exec: execute(provider, transformedBody)
+    Exec->>Prov: upstream API call
+    Prov-->>Exec: SSE/JSON response
+    Exec-->>Core: response + metadata
+
+    alt 401/403
+        Core->>Exec: refreshCredentials()
+        Exec-->>Core: updated tokens
+        Core->>Exec: retry request
+    end
+
+    Core->>Stream: translate/normalize stream to client format
+    Stream-->>Client: SSE chunks / JSON response
+
+    Stream->>Usage: extract usage + persist history/log
+````
+
+## Combo + Account Fallback Flow
+
+```mermaid
+flowchart TD
+    A[Incoming model string] --> B{Is combo name?}
+    B -- Yes --> C[Load combo models sequence]
+    B -- No --> D[Single model path]
+
+    C --> E[Try model N]
+    E --> F[Resolve provider/model]
+    D --> F
+
+    F --> G[Select account credentials]
+    G --> H{Credentials available?}
+    H -- No --> I[Return provider unavailable]
+    H -- Yes --> J[Execute request]
+
+    J --> K{Success?}
+    K -- Yes --> L[Return response]
+    K -- No --> M{Fallback-eligible error?}
+
+    M -- No --> N[Return error]
+    M -- Yes --> O[Mark account unavailable cooldown]
+    O --> P{Another account for provider?}
+    P -- Yes --> G
+    P -- No --> Q{In combo with next model?}
+    Q -- Yes --> E
+    Q -- No --> R[Return all unavailable]
+```
+
+يتم اتخاذ القرار الاحتياطي بواسطة `open-sse/services/accountFallback.ts` باستخدام رموز الحالة للاستدلال على رسائل الخطأ. تسهيل توجيه التشغيل والتنسيق بين الطرفين طوعًا للمساعدة في تقديم الطلبات: يتم التعامل مع 400s على نطاق الموفر مثل كتلة المحتوى الأول وفشل التحقق من صحة الدور على أنها فشل رئيسي للنموذج، لذا لا يزال لا يزال مطلوبًا التحرير والسرد التالي.## OAuth Onboarding and Token Refresh Lifecycle```mermaid
+sequenceDiagram
+autonumber
+participant UI as Dashboard UI
+participant OAuth as /api/oauth/[provider]/[action]
+participant ProvAuth as Provider Auth Server
+participant DB as localDb
+participant Test as /api/providers/[id]/test
+participant Exec as Provider Executor
+
+    UI->>OAuth: GET authorize or device-code
+    OAuth->>ProvAuth: create auth/device flow
+    ProvAuth-->>OAuth: auth URL or device code payload
+    OAuth-->>UI: flow data
+
+    UI->>OAuth: POST exchange or poll
+    OAuth->>ProvAuth: token exchange/poll
+    ProvAuth-->>OAuth: access/refresh tokens
+    OAuth->>DB: createProviderConnection(oauth data)
+    OAuth-->>UI: success + connection id
+
+    UI->>Test: POST /api/providers/[id]/test
+    Test->>Exec: validate credentials / optional refresh
+    Exec-->>Test: valid or refreshed token info
+    Test->>DB: update status/tokens/errors
+    Test-->>UI: validation result
+
+````
+
+يتم تنفيذ التحديث أثناء حركة التحرير المباشر داخل `open-sse/handlers/chatCore.ts` عبر المنفذ `refreshCredentials()`.## دورة حياة المزامنة السحابية (تمكين / مزامنة / تعطيل)```mermaid
+sequenceDiagram
+    autonumber
+    participant UI as Endpoint Page UI
+    participant Sync as /api/sync/cloud
+    participant DB as localDb
+    participant Cloud as External Cloud Sync
+    participant Claude as ~/.claude/settings.json
+
+    UI->>Sync: POST action=enable
+    Sync->>DB: set cloudEnabled=true
+    Sync->>DB: ensure API key exists
+    Sync->>Cloud: POST /sync/{machineId} (providers/aliases/combos/keys)
+    Cloud-->>Sync: sync result
+    Sync->>Cloud: GET /{machineId}/v1/verify
+    Sync-->>UI: enabled + verification status
+
+    UI->>Sync: POST action=sync
+    Sync->>Cloud: POST /sync/{machineId}
+    Cloud-->>Sync: remote data
+    Sync->>DB: update newer local tokens/status
+    Sync-->>UI: synced
+
+    UI->>Sync: POST action=disable
+    Sync->>DB: set cloudEnabled=false
+    Sync->>Cloud: DELETE /sync/{machineId}
+    Sync->>Claude: switch ANTHROPIC_BASE_URL back to local (if needed)
+    Sync-->>UI: disabled
+````
+
+يتم تشغيل الدورية بواسطة "CloudSyncScheduler" عند السحابة.## نموذج البيانات وخريطة التخزين```mermaid
+erDiagram
+SETTINGS ||--o{ PROVIDER_CONNECTION : controls
+PROVIDER_NODE ||--o{ PROVIDER_CONNECTION : backs_compatible_provider
+PROVIDER_CONNECTION ||--o{ USAGE_ENTRY : emits_usage
+
+    SETTINGS {
+      boolean cloudEnabled
+      number stickyRoundRobinLimit
+      boolean requireLogin
+      string password_hash
+      string fallbackStrategy
+      json rateLimitDefaults
+      json providerProfiles
+    }
+
+    PROVIDER_CONNECTION {
+      string id
+      string provider
+      string authType
+      string name
+      number priority
+      boolean isActive
+      string apiKey
+      string accessToken
+      string refreshToken
+      string expiresAt
+      string testStatus
+      string lastError
+      string rateLimitedUntil
+      json providerSpecificData
+    }
+
+    PROVIDER_NODE {
+      string id
+      string type
+      string name
+      string prefix
+      string apiType
+      string baseUrl
+    }
+
+    MODEL_ALIAS {
+      string alias
+      string targetModel
+    }
+
+    COMBO {
+      string id
+      string name
+      string[] models
+    }
+
+    API_KEY {
+      string id
+      string name
+      string key
+      string machineId
+    }
+
+    USAGE_ENTRY {
+      string provider
+      string model
+      number prompt_tokens
+      number completion_tokens
+      string connectionId
+      string timestamp
+    }
+
+    CUSTOM_MODEL {
+      string id
+      string name
+      string providerId
+    }
+
+    PROXY_CONFIG {
+      string global
+      json providers
+    }
+
+    IP_FILTER {
+      string mode
+      string[] allowlist
+      string[] blocklist
+    }
+
+    THINKING_BUDGET {
+      string mode
+      number customBudget
+      string effortLevel
+    }
+
+    SYSTEM_PROMPT {
+      boolean enabled
+      string prompt
+      string position
+    }
+
+````
+
+ملفات الوضع المالي:
+
+- قاعدة بيانات وقت التشغيل الأساسي: `${DATA_DIR}/storage.sqlite`
+- أسطر سجل الطلب: `${DATA_DIR}/log.txt` (أداة متوافقة/تصحيح سبب)
+- أرشيفات استضافة المؤتمرات التنظيمية: `${DATA_DIR}/call_logs/`
+- مجموعات تصحيح الأخطاء المترجم/الطلب الاختيارية: `<repo>/logs/...`## Deployment Topology```mermaid
+flowchart LR
+    subgraph LocalHost[Developer Host]
+        CLI[CLI Tools]
+        Browser[Dashboard Browser]
+    end
+
+    subgraph ContainerOrProcess[OmniRoute Runtime]
+        Next[Next.js Server\nPORT=20128]
+        Core[SSE Core + Executors]
+        MainDB[(storage.sqlite)]
+        UsageDB[(usage tables + log artifacts)]
+    end
+
+    subgraph External[External Services]
+        Providers[AI Providers]
+        SyncCloud[Cloud Sync Service]
+    end
+
+    CLI --> Next
+    Browser --> Next
+    Next --> Core
+    Next --> MainDB
+    Core --> MainDB
+    Core --> UsageDB
+    Core --> Providers
+    Next --> SyncCloud
+````
+
+## Module Mapping (Decision-Critical)
+
+### Route and API Modules
+
+- `src/app/api/v1/*`، `src/app/api/v1beta/*`: واجهات برمجة التطبيقات المتوافقة
+- `src/app/api/v1/providers/[provider]/*`: مسارات مخصصة لكل دليل (الدردشة والتضمينات والصور)
+- `src/app/api/providers*`: موفر CRUD، التحقق من الصحة، الاختبار
+- `src/app/api/provider-nodes*`: إدارة العقد المتوافقة المخصصة
+- `src/app/api/provider-models`: إدارة الارتباطات المخصصة (CRUD)
+- `src/app/api/models/route.ts`: برمجة تطبيقات كتالوج الارتباطات (الأسماء المستعارة + الارتباطات البديلة)
+- `src/app/api/oauth/*`: تدفقات رمز OAuth/الجهاز
+- `src/app/api/keys*`: دورة حياة مفتاح برمجة التطبيقات المحلية
+- `src/app/api/models/alias`: إدارة الأسماء المستعارة
+- `src/app/api/combos*`: إدارة التحرير والسرد الاحتياطي
+- `src/app/api/pricing`: تجاوزات التسعير لحساب التكلفة
+- `src/app/api/settings/proxy`: الصارم المعتمد (GET/PUT/DELETE)
+- `src/app/api/settings/proxy/test`: اختبار تشغيل الوكيل (POST)
+- `src/app/api/usage/*`: واجهات برمجة تطبيقات الاستخدام والسجلات
+- `src/app/api/sync/*` + `src/app/api/cloud/*`: نوبات السحابية والمساعدون الذين يتحملون السحابة
+- `src/app/api/cli-tools/*`: كاتب/أداة الدما لتكوين CLI المحلي
+- `src/app/api/settings/ip-filter`: قائمة IP مخصصة لها/القائمة المبتكرة (GET/PUT)
+- `src/app/api/settings/thinking-budget`: الاختيار المناسب رمز التفكير (GET/PUT)
+- `src/app/api/settings/system-prompt`: موجه النظام العام (GET/PUT)
+- `src/app/api/sessions`: قائمة العناصر العضوية (GET)
+- `src/app/api/rate-limits`: حالة لا يمكن تعديلها لكل حساب (GET)### التوجيه والتنفيذ الأساسي
+
+- `src/sse/handlers/chat.ts`: تحليل الطلب، ومعالجة التحرير والسرد، حلقة الحساب
+- `open-sse/handlers/chatCore.ts`: الترجمة، المنفذ، إعادة المحاولة/التحديث، إعداد الدفق
+- `open-sse/executors/*`: التحكم الشبكة والتنسيق الخاص بالموفر### سجل الترجمة ومحولات التنسيق
+
+- `open-sse/translator/index.ts`: تسجيل المترجم وتنسيقه
+  -طلب المترجمين: `open-sse/translator/request/*`
+- مترجمو المصدر: `open-sse/translator/response/*`
+- ثوابت عادة: `open-sse/translator/formats.ts`### Persistence
+
+- `src/lib/db/*`: تفعيل/الحالة الفعالة واستمرارية المجال على SQLite
+- `src/lib/localDb.ts`: إعادة تصدير التوافق لوحدات قاعدة البيانات
+- `src/lib/usageDb.ts`: واجهة سجل/سجلات استخدامات المكالمات أعلى جداول SQLite## Provider Executor Coverage (Strategy Pattern)
+
+| يحتوي على كل موفر على منفذ تنفيذي متخصص لعدة `BaseExecutor` (في `open-sse/executors/base.ts`)، والذي يوفر بيانات إنشاء عنوان URL، ولكنه، جاهز المحاولة مع الأسيي، ومآثر تحديث الاعتماد، وطريقة استمرار `execute()`. | المنفذ                                                                                                                                                                  | المزود (المقدمون)                                                       | التعامل الخاص |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------- | ------------- |
+| `المنفذ الافتراضي`                                                                                                                                                                                                  | أوبن إيه آي، كلود، جيميني، كوين، كيودر، أوبن روتر، جي إل إم، كيمي، ميني ماكس، ديب سيك، جروك، إكس آي آي، ميسترال، بيربليكسيتي، توغا، فاير ووركس، سيريبراس، كوهير، نفيديا | الاختيارية عنوان URL/الرأس الكيميائي لكل                                |
+| `منفذ مضاد للجغرافيا`                                                                                                                                                                                               | جوجل مكافحة الجاذبية                                                                                                                                                    | معرفات المشروع/الجلسة المخصصة، إعادة المحاولة بعد التحليل               |
+| `منفذ الكودكس`                                                                                                                                                                                                      | OpenAI Codex                                                                                                                                                            | يحقن تعليمات النظام، ويفرض جهدًا منطقيًا                                |
+| `منفذ مفصل`                                                                                                                                                                                                         | بيئة تطوير متكاملة للمؤشر                                                                                                                                               | البروتوكول ConnectRPC، ترجمة Protobuf، طلب التوقيع عبر الفصول الاختباري |
+| `GithubExecutor`                                                                                                                                                                                                    | جيثب مساعد الطيار                                                                                                                                                       | تحديث الرمز المميز لـ Copilot، ورؤوس محاكاة VSCode                      |
+| `KiroExecutor`                                                                                                                                                                                                      | AWS CodeWhisperer/كيرو                                                                                                                                                  | يتغير الثنائي لـ AWS EventStream → تحويل SSE                            |
+| `الجوزاءCLIEExecutor`                                                                                                                                                                                               | الجوزاء CLI                                                                                                                                                             | دورة تحديث رمز OAuth المميز لـ Google                                   |
+
+| يستخدم جميع الموفرين الآخرين (بما في ذلك العقد المتوافق المخصص) "DefaultExecutor".## مصفوفة توافق الموفرين | مقدم             | التنسيق                                | مصادقة          | تيار مستمر | غير دفق | تحديث الرمز المميز      | برمجة تطبيقات الاستخدام |
+| ---------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------------- | --------------- | ---------- | ------- | ----------------------- | ----------------------- |
+| كلود                                                                                                       | كلود             | واجهة برمجة التطبيقات الرئيسية / OAuth | ✅              | ✅         | ✅      | ⚠️ المشرف فقط           |
+| الجوزاء                                                                                                    | الجوزاء          | واجهة برمجة التطبيقات الرئيسية / OAuth | ✅              | ✅         | ✅      | ⚠️ وحدة التحكم السحابية |
+| الجوزاء CLI                                                                                                | الجوزاء-cli      | أووث                                   | ✅              | ✅         | ✅      | ⚠️ وحدة التحكم السحابية |
+| مكافحة الجاذبية                                                                                            | ضد الجاذبية      | أووث                                   | ✅              | ✅         | ✅      | ✅ الحصة الكاملة API    |
+| أوبن آي                                                                                                    | أوبيناي          | مفتاح واجهة برمجة التطبيقات            | ✅              | ✅         | ❌      | ❌                      |
+| الدستور الغذائي                                                                                            | openai-responses | أووث                                   | ✅ مجبور        | ❌         | ✅      | ✅الحدود المعدلة        |
+| جيثب مساعد الطيار                                                                                          | أوبيناي          | OAuth + رمز مساعد الطيار               | ✅              | ✅         | ✅      | ✅ لقطات الحصص          |
+|                                                                                                            | مؤثر             | مؤثر الاستطلاع المفضل                  | ✅              | ✅         | ❌      | ❌                      |
+| كيرو                                                                                                       | كيرو             | AWS SSO OIDC                           | ✅(ايفنت ستريم) | ❌         | ✅      | ✅ حدود الاستخدام       |
+| كوين                                                                                                       | أوبيناي          | أووث                                   | ✅              | ✅         | ✅      | ⚠️ طلب حسب الطلب        |
+| قدير                                                                                                       | أوبيناي          | OAuth (أساسي)                          | ✅              | ✅         | ✅      | ⚠️ طلب حسب الطلب        |
+| اوبن راوتر                                                                                                 | أوبيناي          | مفتاح واجهة برمجة التطبيقات            | ✅              | ✅         | ❌      | ❌                      |
+| جي إل إم/كيمي/ميني ماكس                                                                                    | كلود             | مفتاح واجهة برمجة التطبيقات            | ✅              | ✅         | ❌      | ❌                      |
+| ديب سيك                                                                                                    | أوبيناي          | مفتاح واجهة برمجة التطبيقات            | ✅              | ✅         | ❌      | ❌                      |
+| جروك                                                                                                       | أوبيناي          | مفتاح واجهة برمجة التطبيقات            | ✅              | ✅         | ❌      | ❌                      |
+| xAI (جروك)                                                                                                 | أوبيناي          | مفتاح واجهة برمجة التطبيقات            | ✅              | ✅         | ❌      | ❌                      |
+| ميسترال                                                                                                    | أوبيناي          | مفتاح واجهة برمجة التطبيقات            | ✅              | ✅         | ❌      | ❌                      |
+| الحيرة                                                                                                     | أوبيناي          | مفتاح واجهة برمجة التطبيقات            | ✅              | ✅         | ❌      | ❌                      |
+| منظمة العفو الدولية                                                                                        | أوبيناي          | مفتاح واجهة برمجة التطبيقات            | ✅              | ✅         | ❌      | ❌                      |
+| منظمة العفو الدولية للعبة                                                                                  | أوبيناي          | مفتاح واجهة برمجة التطبيقات            | ✅              | ✅         | ❌      | ❌                      |
+| الشيخ                                                                                                      | أوبيناي          | مفتاح واجهة برمجة التطبيقات            | ✅              | ✅         | ❌      | ❌                      |
+| كوهير                                                                                                      | أوبيناي          | مفتاح واجهة برمجة التطبيقات            | ✅              | ✅         | ❌      | ❌                      |
+| نفيديا نيم                                                                                                 | أوبيناي          | مفتاح واجهة برمجة التطبيقات            | ✅              | ✅         | ❌      | ❌                      | ## تنسيق تغطية الترجمة  |
+
+تتضمن التنسيقات المصدر المكتشفة ما يلي:
+
+- `أوبيني`
+- `الردود المفتوحة`
+- "كلود".
+- "الجوزاء".
+
+تتضمن الواردات التفصيلية ما يلي:
+
+- دردشة/ردود OpenAI
+- كلود
+  -الجوزاء/الجوزاء-CLI/الظرف للجاذبية
+- كيرو
+- مرض
+
+استخدم الترجمات**OpenAI كتنسيق مركزي**— جرب جميع التحويلات عبر OpenAI كتنسيق وسيط:`
+تنسيق المصدر → OpenAI (المحور) → التنسيق المستهدف`
+
+يتم تحديد الترجمات ديناميكيًا استنادًا إلى شكل حمولة المصدر والتنسيق المستهدف للموفر.
+
+طبقات معالجة إضافية في مسار الترجمة:
+
+-**تطهير الاستجابة**— يزيل الحقول غير القياسية من استجابات تنسيق OpenAI (سواء المتدفقة أو غير المتدفقة) لضمان الامتثال الصارم لـ SDK -**تطبيع الدور**— تحويل `المطور` ← `النظام` للأهداف غير التابعة لـ OpenAI؛ يدمج "النظام" → "المستخدم" للنماذج التي ترفض دور النظام (GLM، ERNIE) -**استخراج علامة التفكير**— يوزع كتل `<think>...</think>` من المحتوى إلى حقل `reasoning_content` -**الإخراج المنظم**— يحول OpenAI `response_format.json_schema` إلى `responseMimeType` + `responseSchema` الخاص بـ Gemini## Supported API Endpoints
+
+| نقطة النهاية                                       | تنسيق              | معالج                                                                     |
+| -------------------------------------------------- | ------------------ | ------------------------------------------------------------------------- | ----------------- |
+| `POST /v1/chat/completions`                        | دردشة OpenAI       | `src/sse/handlers/chat.ts`                                                |
+| `POST /v1/messages`                                | رسائل كلود         | نفس المعالج (تم اكتشافه تلقائيًا)                                         |
+| `POST /v1/responses`                               | ردود OpenAI        | `open-sse/handlers/responsesHandler.ts`                                   |
+| `POST /v1/embeddings`                              | تضمينات OpenAI     | `open-sse/handlers/embeddings.ts`                                         |
+| `الحصول على /v1/embeddings`                        | قائمة النماذج      | طريق API                                                                  |
+| `POST /v1/images/أجيال`                            | صور OpenAI         | `open-sse/handlers/imageGeneration.ts`                                    |
+| `الحصول على /v1/images/أجيال`                      | قائمة النماذج      | طريق API                                                                  |
+| `POST /v1/providers/{provider}/chat/completions`   | دردشة OpenAI       | مخصص لكل مزود مع التحقق من صحة النموذج                                    |
+| `POST /v1/providers/{provider}/embeddings`         | تضمينات OpenAI     | مخصص لكل مزود مع التحقق من صحة النموذج                                    |
+| `POST /v1/providers/{provider}/images/generations` | صور OpenAI         | مخصص لكل مزود مع التحقق من صحة النموذج                                    |
+| `POST /v1/messages/count_tokens`                   | عدد كلود توكن      | طريق API                                                                  |
+| `الحصول على /v1/models`                            | قائمة نماذج OpenAI | مسار واجهة برمجة التطبيقات (الدردشة + التضمين + الصورة + النماذج المخصصة) |
+| `الحصول على /api/models/catalog`                   | كتالوج             | جميع النماذج مجمعة حسب الموفر + النوع                                     |
+| `POST /v1beta/models/*:streamGenerateContent`      | مولود برج الجوزاء  | طريق API                                                                  |
+| `الحصول على/PUT/DELETE /api/settings/proxy`        | تكوين الوكيل       | تكوين وكيل الشبكة                                                         |
+| `POST /api/settings/proxy/test`                    | اتصال الوكيل       | نقطة نهاية اختبار صحة الوكيل/الاتصال                                      |
+| `الحصول على/النشر/الحذف /api/provider-models`      | نماذج المزود       | البيانات الوصفية لنموذج الموفر تدعم النماذج المتاحة المخصصة والمدارة      | ## Bypass Handler |
+
+يعترض معالج التجاوز (`open-sse/utils/bypassHandler.ts`) طلبات "رمية سريعة" معروفة من Claude CLI - أصوات التمهيد، واستخراج العناوين، وعدد الرموز المميزة - ويعيد**استجابة زائفة**دون استهلاك الرموز المميزة للموفر الرئيسي. يتم تشغيل هذا فقط عندما يحتوي "User-Agent" على "clude-cli".## Request Logger Pipeline
+
+يوفر مسجل الطلب (`open-sse/utils/requestLogger.ts`) مسارًا لتسجيل تصحيح الأخطاء مكون من 7 مراحل، معطل افتراضيًا، وممكن عبر `ENABLE_REQUEST_LOGS=true`:```
+1_req_client.json → 2_req_source.json → 3_req_openai.json → 4_req_target.json
+→ 5_res_provider.txt → 6_res_openai.txt → 7_res_client.txt
+
+```
+
+تتم كتابة الملفات إلى `<repo>/logs/<session>/` لكل جلسة طلب.## أوضاع الفشل والمرونة## 1) Account/Provider Availability
+
+- عبارة عن حساب الموفر عند أخطاء/معدل/مصادقة
+- إرجاع الحساب قبل فشل الطلب
+- نموذج التحرير والسرد الاحتياطي عند استنفاد مسار النموذج/المزود الحالي## 2) Token Expiry
+
+- ملفات التقدم والتحديث مع إعادة محاولة توفير خدمة موثوقة للتحديث
+- 401/403 إعادة المحاولة بعد محاولة التحديث في المسار الأساسي## 3) Stream Safety
+
+- وحدة تحكم قطع الاتصال بالتيار المستمر
+- دفق الترجمة تدفق مع نهاية الدفق و `[تم]`
+- ترخيص للاستخدام عندما تكون البيانات الوصفية للاستخدام الموفر المفقود## 4) تدهور المزامنة السحابية
+
+- أخطاء الأخطاء ولكن استمر تشغيلها محليًا
+- يحتوي على المجدول على منطقه قادر على إعادة المحاولة، ولكن التنفيذ الدوري يستدعي حاليا متزامنة التفعيل بشكل افتراضي## 5) Data Integrity
+
+- عمليات ترحيل مخطط SQLite وفواتير الترقية التلقائية عند بدء التشغيل
+- JSON القديم → مسار التوافق ترحيل SQLite## إمكانية المراقبة والإشارات التشغيلية
+
+مصادر معرفة وقت التشغيل:
+
+- أرشيف وحدة التحكم من `src/sse/utils/logger.ts`
+- مجاميع الاستخدام لكل طلب في SQLite (`usage_history`، `call_logs`، `proxy_logs`)
+- التقاط التفاصيل الصافية الصافية على أربع مراحل في SQLite (`request_detail_logs`) عندما تكون `settings.detailed_logs_enabled=true`
+- سجل حالة الطلب النصي في "log.txt" (اختياري/متوافق)
+- سجلات الطلب/الترجمة المتخصصة الاختيارية ضمن `السجلات/` عندما يكون `ENABLE_REQUEST_LOGS=true`
+- نقاط نهاية استخدام معلومات اللوحة (`/api/usage/*`) لاستهلاك واجهة المستخدم
+
+يقوم بالتقاط تكتيكات متعددة بتخزين ما يصل إلى أربع مراحل من نشاطات JSON لكل ما يستقبل بصرية:
+
+- الطلب الوارد من العميل
+- تم إرسال الطلب المترجم إلى المنبع
+- إعادة بناء الرابط الموفر JSON؛ يتم ضغط الاستجابات المتدفقة إلى الملخص النهائي بالإضافة إلى بيانات تعريف الدفق
+-الرد النهائي الذي تم إرجاعه بواسطة OmniRoute؛ يتم تخزين الاستجابات المتدفقة في نفس النموذج الملخص المكون## الحدود الحساسة للأمان
+
+- يعمل سر JWT (`JWT_SECRET`) على تأمين المصادقة/التوقيع على ملف تعريف الارتباط لجلسة لوحة المعلومات
+- يجب الالتزام بالبراءة الأولية لكلمة المرور (`INITIAL_PASSWORD`) ووافق على الاعتراف بها لأول مرة
+- يعمل سر HMAC لمفتاح API (`API_KEY_SECRET`) على تنسيق تنسيق مفتاح API المحلي الذي تم التعاقد معه
+- تظلل أسرار الموفر (مفاتيح/رموز برمجة التطبيقات) موجودة في قاعدة البيانات الأصلية وحماتها على مستوى نظام الملفات
+- تعتمد نقاط نهاية الهجمات السحابية على مصادقة مفتاح API + دلالات معرف الجهاز## مصفوفة البيئة ووقت التشغيل
+
+تحريرات البيئة المستخدمة بشكل نشط بواسطة تعليمات الحظر:- التطبيق/المصادقة: `JWT_SECRET`، `INITIAL_PASSWORD`
+- التخزين: `DATA_DIR`
+- العقدة المتوافقة: `ALLOW_MULTI_CONNECTIONS_PER_COMPAT_NODE`
+- تجاوز قاعدة الاختيار الاختيارية (Linux/macOS عند إلغاء تعيين `DATA_DIR`): `XDG_CONFIG_HOME`
+- التجزئة الأمنية: `API_KEY_SECRET`، `MACHINE_ID_SALT`
+- التسجيل: `ENABLE_REQUEST_LOGS`
+- عناوين URL للاستقبال/السحابة: `NEXT_PUBLIC_BASE_URL`، `NEXT_PUBLIC_CLOUD_URL`
+- الوكيل الشامل: `HTTP_PROXY`، `HTTPS_PROXY`، `ALL_PROXY`، `NO_PROXY` ومتغيرات الصغيرة الصغيرة
+- علامات ميزات SOCKS5: `ENABLE_SOCKS5_PROXY`، `NEXT_PUBLIC_ENABLE_SOCKS5_PROXY`
+- مساعدو النظام الأساسي/وقت التشغيل (وليس تفعيل الخاص بالتطبيق): `APPDATA`، `NODE_ENV`، `PORT`، `HOSTNAME`## الملاحظات المعمارية المعروفة
+
+1. تشارك `usageDb` و`localDb` في نفس الدليل الأساسي (`DATA_DIR` -> `XDG_CONFIG_HOME/omniroute` -> ``~/.omniroute`) مع ترحيل الملفات القديمة.
+2. يفوض `/api/v1/route.ts` إلى نفس منشئ الكتالوج الموحد الذي يستخدمه `/api/v1/models` (`src/app/api/v1/models/catalog.ts`) العلم الانحراف الدلالي.
+3. يقوم بطلب تسجيل بكتابة الرؤوس/النص الكامل عند جاكسونه؛ التعامل مع سجل الدليل على أنه حساسية.
+4. يعتمد حماية السحابة على `NEXT_PUBLIC_BASE_URL` صحيح وإمكانية الوصول إلى نقطة نهاية السحابة.
+5. تم نشر الدليل `open-sse/` باسم `@omniroute/open-sse`**حزمة مساحة العمل npm**. يقوم بكود المصدر باستيراده عبر `@omniroute/open-sse/...` (تم حله بواسطة Next.js `transpilePackages`). لا تسلك الطرق المستمرة في هذا المستند استخدم اسم الدليل `open-sse/` للاتساق.
+6. نستخدم الكائنات الموجودة في لوحة المعلومات**Recharts**(المستندة إلى SVG) لتصورات التحليلات التفاعلية التي يمكن الوصول إليها (المخططات الشريطية للاستخدام للنموذج، والجرافيك المستخدمة للمخرجين مع النجاح).
+7.استخدام السيولة E2E**Playwright**(`tests/e2e/`)، ويمكنها عبر `npm run test:e2e`. المستخدمة في الوحدة**Node.js test runner**(`tests/unit/`)، ويمكن تشغيلها عبر `npm run test:unit`. كود المصدر ضمن `src/` هو**TypeScript**(`.ts`/`.tsx`)؛ تختلف مساحة العمل `open-sse/` JavaScript (`.js`).
+8. تم ضبط صفحة الإعدادات في 5 علامات: الأمان، التوجيه (6 إستراتيجيات عالمية: التعبئة العامة، جولة روبن، p2c، تنظيم غير محدد لاستخدامًا، تحسين التكلفة)، اشتراك (حدود الرسوم المتحركة للتحرير، قطع الدقة، إبداع)، الذكاء الاصطناعي (ميزانية التفكير، متشوق للنظام، ذاكرة التخزين المؤقت السريع)، المتقدمة (الوكيل).## قائمة التحقق من التشغيل
+
+- البناء من المصدر: ``npm run build``
+- إنشاء صورة Docker: `docker build -t omniroute .`
+- بدء الخدمة والتحقق:
+- `الحصول على /api/settings`
+- `الحصول على /api/v1/models`
+- يجب أن يكون عنوان URL الأساسي لهدف واجهة سطر اللاسلكي هو `http://<host>:20128/v1` عندما يكون `PORT=20128`
+```
@@ -0,0 +1,55 @@
+# OmniRoute Auto-Combo Engine (العربية)
+
+🌐 **Languages:** 🇺🇸 [English](../../../../docs/AUTO-COMBO.md) · 🇪🇸 [es](../../es/docs/AUTO-COMBO.md) · 🇫🇷 [fr](../../fr/docs/AUTO-COMBO.md) · 🇩🇪 [de](../../de/docs/AUTO-COMBO.md) · 🇮🇹 [it](../../it/docs/AUTO-COMBO.md) · 🇷🇺 [ru](../../ru/docs/AUTO-COMBO.md) · 🇨🇳 [zh-CN](../../zh-CN/docs/AUTO-COMBO.md) · 🇯🇵 [ja](../../ja/docs/AUTO-COMBO.md) · 🇰🇷 [ko](../../ko/docs/AUTO-COMBO.md) · 🇸🇦 [ar](../../ar/docs/AUTO-COMBO.md) · 🇮🇳 [hi](../../hi/docs/AUTO-COMBO.md) · 🇮🇳 [in](../../in/docs/AUTO-COMBO.md) · 🇹🇭 [th](../../th/docs/AUTO-COMBO.md) · 🇻🇳 [vi](../../vi/docs/AUTO-COMBO.md) · 🇮🇩 [id](../../id/docs/AUTO-COMBO.md) · 🇲🇾 [ms](../../ms/docs/AUTO-COMBO.md) · 🇳🇱 [nl](../../nl/docs/AUTO-COMBO.md) · 🇵🇱 [pl](../../pl/docs/AUTO-COMBO.md) · 🇸🇪 [sv](../../sv/docs/AUTO-COMBO.md) · 🇳🇴 [no](../../no/docs/AUTO-COMBO.md) · 🇩🇰 [da](../../da/docs/AUTO-COMBO.md) · 🇫🇮 [fi](../../fi/docs/AUTO-COMBO.md) · 🇵🇹 [pt](../../pt/docs/AUTO-COMBO.md) · 🇷🇴 [ro](../../ro/docs/AUTO-COMBO.md) · 🇭🇺 [hu](../../hu/docs/AUTO-COMBO.md) · 🇧🇬 [bg](../../bg/docs/AUTO-COMBO.md) · 🇸🇰 [sk](../../sk/docs/AUTO-COMBO.md) · 🇺🇦 [uk-UA](../../uk-UA/docs/AUTO-COMBO.md) · 🇮🇱 [he](../../he/docs/AUTO-COMBO.md) · 🇵🇭 [phi](../../phi/docs/AUTO-COMBO.md) · 🇧🇷 [pt-BR](../../pt-BR/docs/AUTO-COMBO.md) · 🇨🇿 [cs](../../cs/docs/AUTO-COMBO.md) · 🇹🇷 [tr](../../tr/docs/AUTO-COMBO.md)
+
+---
+
+> نماذج النماذج الذاتية الإدارة مع تسجيل التعديلات التكيفية## How It Works
+
+يقوم محرك التحرير والسرد التلقائي باختيار أفضل/نموذج ديناميكي لكل طلب باستخدام**وظيفة تسجيل مكونة من 6 اختيارات**:
+
+| عامل            | الوزن | الوصف                                  |
+| :-------------- | :---- | :------------------------------------- | ------------- |
+| الحصة           | 0.20  | القدرة المتبقية [0..1]                 |
+| الصحة           | 0.25  | الفاصل: مغلق=1.0، نصف=0.5، مفتوح=0.0   |
+| تكلفة الاستثمار | 0.20  | التكلفة العكسية (أرخص = الدرجة الأعلى) |
+| الكمون          | 0.15  | الكمون العكسي p95 (أسرع = الأعلى)      |
+| تاسكفيت         | 0.10  | نموذج × درجة اللياقة البدنية لنوع مهم  |
+|                 | 0.10  | متباينة في الوصول إلى زمن/الأخطاء      | ## Mode Packs |
+
+| حزمة                     | التركيز    | الوزن الرئيسي       |
+| :----------------------- | :--------- | :------------------ | ---------------- |
+| 🚀**الشحن السريع**       | السرعة     | الكمون: 0.35        |
+| 💰**توفير التكلفة**      | اقتصاد     | تكلفة التكلفة: 0.40 |
+| 🎯**الجودة الجديدة**     | أفضل نموذج | المهمة فيت: 0.40    |
+| 📡**غير متصل بالإنترنت** | التوفر     | الحصة: 0.40         | ## الشفاء الذاتي |
+
+-**الاستبعاد المؤقت**: النتيجة < 0.2 ← تم الاستبعاد لمدة 5 صباحا ( التراجع المتقدم، الأقصى 30 دقيقة) -**التوعية بقاطع الدورة**: مفتوح → مدمر التدمير؛ HALF_OPEN → طلبات التحقيق -**وضع الحادث**: >50% متوقع → ثم الاستكشاف المتوقع -**استرداد فترة التهدئة**: بعد الاختفاء، يكون الطلب الأول من "تحقيق" مع مهلة الأقل## Bandit Exploration
+
+يتم توجيه 5% من الطلبات (القابلة للتكوين) إلى موفر خدمات غير آمنة للاستكشاف. معطل في الحادث.## API```bash
+
+# Create auto-combo
+
+curl -X POST http://localhost:20128/api/combos/auto \
+ -H "Content-Type: application/json" \
+ -d '{"id":"my-auto","name":"Auto Coder","candidatePool":["anthropic","google","openai"],"modePack":"ship-fast"}'
+
+# List auto-combos
+
+curl http://localhost:20128/api/combos/auto
+
+```
+
+## Task Fitness
+
+تم تسجيل أكثر من 30 نموذجًا عبر 6 أنواع من المهام (`الترميز`، و`المراجعة`، و`التخطيط`، و`التحليل`، و`تصحيح سبب`، و`التوثيق`). محترف أحرف البدل (على سبيل المثال، `*-coder` → درجة ترميز عالية).## Files
+
+| ملف | الحصاد |
+| :------------------------------------------- | :------------------------------------ |
+| `open-sse/services/autoCombo/scoring.ts` | وظيفة الهديف وتطبيع التكيف |
+| `open-sse/services/autoCombo/taskFitness.ts` | نموذج × مهمة بحث اللياقة البدنية |
+| `open-sse/services/autoCombo/engine.ts` | الاختيار المنطقي، قطاع الطرق، ميزانية الإنفاق |
+| `open-sse/services/autoCombo/selfHealing.ts` | الابعاد، التفاصيل، حالة الحادث |
+| `open-sse/services/autoCombo/modePacks.ts` | 4 ملفات تعريف للوزن |
+| `src/app/api/combos/auto/route.ts` | ريست API |
+```
@@ -0,0 +1,289 @@
+# CLI Tools Setup Guide — OmniRoute (العربية)
+
+🌐 **Languages:** 🇺🇸 [English](../../../../docs/CLI-TOOLS.md) · 🇪🇸 [es](../../es/docs/CLI-TOOLS.md) · 🇫🇷 [fr](../../fr/docs/CLI-TOOLS.md) · 🇩🇪 [de](../../de/docs/CLI-TOOLS.md) · 🇮🇹 [it](../../it/docs/CLI-TOOLS.md) · 🇷🇺 [ru](../../ru/docs/CLI-TOOLS.md) · 🇨🇳 [zh-CN](../../zh-CN/docs/CLI-TOOLS.md) · 🇯🇵 [ja](../../ja/docs/CLI-TOOLS.md) · 🇰🇷 [ko](../../ko/docs/CLI-TOOLS.md) · 🇸🇦 [ar](../../ar/docs/CLI-TOOLS.md) · 🇮🇳 [hi](../../hi/docs/CLI-TOOLS.md) · 🇮🇳 [in](../../in/docs/CLI-TOOLS.md) · 🇹🇭 [th](../../th/docs/CLI-TOOLS.md) · 🇻🇳 [vi](../../vi/docs/CLI-TOOLS.md) · 🇮🇩 [id](../../id/docs/CLI-TOOLS.md) · 🇲🇾 [ms](../../ms/docs/CLI-TOOLS.md) · 🇳🇱 [nl](../../nl/docs/CLI-TOOLS.md) · 🇵🇱 [pl](../../pl/docs/CLI-TOOLS.md) · 🇸🇪 [sv](../../sv/docs/CLI-TOOLS.md) · 🇳🇴 [no](../../no/docs/CLI-TOOLS.md) · 🇩🇰 [da](../../da/docs/CLI-TOOLS.md) · 🇫🇮 [fi](../../fi/docs/CLI-TOOLS.md) · 🇵🇹 [pt](../../pt/docs/CLI-TOOLS.md) · 🇷🇴 [ro](../../ro/docs/CLI-TOOLS.md) · 🇭🇺 [hu](../../hu/docs/CLI-TOOLS.md) · 🇧🇬 [bg](../../bg/docs/CLI-TOOLS.md) · 🇸🇰 [sk](../../sk/docs/CLI-TOOLS.md) · 🇺🇦 [uk-UA](../../uk-UA/docs/CLI-TOOLS.md) · 🇮🇱 [he](../../he/docs/CLI-TOOLS.md) · 🇵🇭 [phi](../../phi/docs/CLI-TOOLS.md) · 🇧🇷 [pt-BR](../../pt-BR/docs/CLI-TOOLS.md) · 🇨🇿 [cs](../../cs/docs/CLI-TOOLS.md) · 🇹🇷 [tr](../../tr/docs/CLI-TOOLS.md)
+
+---
+
+يشرح هذا الدليل كيفية تثبيت وتكوين جميع أدوات CLI البسيطة للذكاء الاصطناعي والمدعم
+استخدام**OmniRoute**ك واجهة خلفية موحدة، مما يتيح لك إدارة المفاتيح التركية،
+تتبع التكلفة، وتبديل الارتباطات، والتسجيل عبر كل أداة.---## How It Works
+
+```
+Claude / Codex / OpenCode / Cline / KiloCode / Continue / Kiro / Cursor / Copilot
+           │
+           ▼  (all point to OmniRoute)
+    http://YOUR_SERVER:20128/v1
+           │
+           ▼  (OmniRoute routes to the right provider)
+    Anthropic / OpenAI / Gemini / DeepSeek / Groq / Mistral / ...
+```
+
+**الفوائد:**
+
+- مفتاح API واحد لإبتكار جميع الأدوات
+- تتبع التكلفة عبر جميع CLIs في لوحة المعلومات
+- النموذج النموذجي دون إعادة كل أداة
+- يعمل محليا وعلى الموقع البعيد (VPS)---## Supported Tools (Dashboard Source of Truth)
+
+يتم إنشاء بطاقة معلومات اللوحة في `/dashboard/cli-tools` من `src/shared/constants/cliTools.ts`.
+القائمة الحالية (v3.0.0-rc.16):
+
+| أداة                  | معرف             | الأمر         | وضع الإعداد | طريقة التثبيت      |
+| --------------------- | ---------------- | ------------- | ----------- | ------------------ | ----------------------------------------- |
+| **كود كلود**          | "كلود"           | "كلود"        | ببيئة       | نم                 |
+| **مخطوطة OpenAI**     | `المخطوطة`       | `المخطوطة`    | مخصص        | نم                 |
+| **مصنع الروبوت**      | "الروبوت"        | "الروبوت"     | مخصص        | المجمعة/CLI        |
+| **أوبنكلاو**          | `مخلب مفتوح`     | `مخلب مفتوح`  | مخصص        | المجمعة/CLI        |
+| **المؤشر**            | `المؤشر`         | التطبيق       | دليل        | تطبيق سطح المكتب   |
+| **كلاين**             | `كلاين`          | `كلاين`       | مخصص        | نم                 |
+| **كيلو كود**          | `كيلو`           | `الكيلو كود`  | مخصص        | نم                 |
+| **تابع**              | `متابعة`         | امتداد        | دليل        | كود مقابل          |
+| **مضادة الجاذبية**    | `مضادة الجاذبية` |               | ميتوم       | أومنيروتي          |
+| **جيثب مساعد الطيار** | `مساعد الطيار`   | امتداد        | مخصص        | كود مقابل          |
+| **الكود مفتوح**       | `الرمز مفتوح`    | `الرمز مفتوح` | دليل        | نم                 |
+| **كيرو آي**           | `كيرو`           | التطبيق/كلي   | ميتوم       | سطح المكتب/سطر مود | ### مزامنة بصمة CLI (الوكلاء + الإعدادات) |
+
+استخدم `/dashboard/agents` و`Settings > CLI Fingerprint` src/shared/constants/cliCompatProviders.ts.
+يؤدي ذلك إلى تفاصيل البطاقات الموفر المعتمدة ببطاقات CLI والمعارف القديمة.
+
+| معرف واجهة سطر مود                                                                                    | معرف بصمة الإصبع |
+| ----------------------------------------------------------------------------------------------------- | ---------------- |
+| `كيلو`                                                                                                | `الكيلو كود`     |
+| `مساعد الطيار`                                                                                        | `جيثب`           |
+| `كلود` / `كوديكس` / `مضاد الجاذبية` / `كيرو` / `المؤشر` / `كلاين` / `opencode` / `droid` / `openclaw` | نفس المعرف       |
+
+لا تزال المعرفات القديمة مقبولة للتوافق: `مساعد الطيار`، `كيمي كودينج`، `كوين`.---## Step 1 — Get an OmniRoute API Key
+
+1. تسجيل الدخول إلى لوحة التحكم OmniRoute →**API Manager**(`/dashboard/api-manager`)
+2. انقر**إنشاء مفتاح واجهة برمجة التطبيقات**
+3. أعطته اسمًا (على سبيل المثال، "أدوات cli") وتحديد جميع الأذونات
+4. انسخ المفتاح — ستحتاج إليه لكل واجهة سطر الأوامر (CLI) أدناه
+
+> يبدو مفتاحك كما يلي: `sk-xxxxxxxxxxxxxxxxxx-xxxxxxxxx`---## Step 2 — Install CLI Tools
+
+تتطلب جميع المستندات المستندة إلى npm Node.js 18+:```bash
+
+# كلود كود (أنثروبي)
+
+تثبيت npm -g @anthropic-ai/claude-code
+
+# مخطوطة OpenAI
+
+تثبيت npm -g @openai/codex
+
+# الكود المفتوح
+
+تثبيت npm -g opencode-ai
+
+# كلاين
+
+تثبيت npm -g cline
+
+# كيلو كود
+
+تثبيت npm -g كيلوكود
+
+# Kiro CLI (أمازون - يتطلب تجعيد + فك الضغط)
+
+apt-get install -y unzip # على Debian/Ubuntu
+حليقة -fsSL https://cli.kiro.dev/install | باش
+تصدير PATH = "$HOME/.local/bin:$PATH" # إضافة إلى ~/.bashrc```
+
+**يؤكد:**```bash
+claude --version # 2.x.x
+codex --version # 0.x.x
+opencode --version # x.x.x
+cline --version # 2.x.x
+kilocode --version # x.x.x (or: kilo --version)
+kiro-cli --version # 1.x.x
+
+````
+
+---
+
+## Step 3 — Set Global Environment Variables
+
+إضافة إلى `~/.bashrc` (أو `~/.zshrc`)، ثم قم ويسمح `المصدر ~/.bashrc`:```bash
+# نقطة النهاية العالمية OmniRoute
+تصدير OPENAI_BASE_URL = "http://localhost:20128/v1"
+تصدير OPENAI_API_KEY = "sk-your-omniroute-key"
+تصدير ANTHROPIC_BASE_URL = "http://localhost:20128/v1"
+تصدير ANTHROPIC_API_KEY = "sk-your-omniroute-key"
+تصدير GEMINI_BASE_URL = "http://localhost:20128/v1"
+تصدير GEMINI_API_KEY = "sk-your-omniroute-key"```
+
+> بالنسبة إلى**الخادم البعيد**، استبدل `localhost:20128` بعنوان IP للخادم أو المجال،
+> على سبيل المثال `http://192.168.0.15:20128`.---
+
+## Step 4 — Configure Each Tool
+
+### Claude Code
+
+```bash
+# عبر سطر الأوامر:
+مجموعة تكوين كلود - عنوان URL لواجهة برمجة التطبيقات العالمية http://localhost:20128/v1
+
+# أو قم بإنشاء ~/.claude/settings.json:
+mkdir -p ~/.claude && cat > ~/.claude/settings.json << EOF
+{
+  "apiBaseUrl": "http://localhost:20128/v1",
+  "apiKey": "مفتاح sk-your-omniroute-"
+}
+EOF```
+
+**اختبار:**`كلود "قل مرحبا"`---
+
+### OpenAI Codex
+
+```bash
+mkdir -p ~/.codex && cat > ~/.codex/config.yaml << EOF
+نموذج: السيارات
+apiKey: sk-your-omniroute-key
+رابط واجهة برمجة التطبيقات: http://localhost:20128/v1
+EOF```
+
+**اختبار:**`مخطوطة "ما هو 2+2؟"'---
+
+### OpenCode
+
+```bash
+mkdir -p ~/.config/opencode && cat > ~/.config/opencode/config.toml << EOF
+[provider.openai]
+base_url = "http://localhost:20128/v1"
+api_key = "مفتاح sk-omniroute"
+EOF```
+
+**اختبار:**`الرمز المفتوح`---
+
+### Cline (CLI or VS Code)
+
+**وضع سطر الأوامر:**```bash
+mkdir -p ~/.cline/data && cat > ~/.cline/data/globalState.json << EOF
+{
+  "apiProvider": "openai",
+  "openAiBaseUrl": "http://localhost:20128/v1",
+  "openAiApiKey": "sk-your-omniroute-key"
+}
+EOF
+````
+
+**وضع رمز VS:**
+إعدادات امتداد Cline ← موفر واجهة برمجة التطبيقات: `متوافق مع OpenAI` ← عنوان URL الأساسي: `http://localhost:20128/v1`
+
+استخدام لوحة معلومات OmniRoute →**أدوات CLI → Cline → تطبيق المتاح**.---### KiloCode (CLI or VS Code)
+
+**وضع سطر مود:**`bash
+كيلو كود --api-base http://localhost:20128/v1 --api-key sk-your-omniroute-key`
+
+**إعدادات رمز VS:**```json
+{
+"kilo-code.openAiBaseUrl": "http://localhost:20128/v1",
+"kilo-code.apiKey": "sk-your-omniroute-key"
+}
+
+````
+
+استخدام لوحة معلومات OmniRoute →**CLI → KiloCode → تطبيق تفعيل**.---### Continue (VS Code Extension)
+
+تحرير `~/.continue/config.yaml`:```yaml
+النماذج:
+  - الاسم: OmniRoute
+    المزود: openai
+    نموذج: السيارات
+    واجهة برمجة التطبيقات: http://localhost:20128/v1
+    apiKey: sk-your-omniroute-key
+    الافتراضي: صحيح```
+
+أعد تشغيل VS Code بعد التحرير.---
+
+### Kiro CLI (Amazon)
+
+```bash
+# قم بتسجيل الدخول إلى حساب AWS/Kiro الخاص بك:
+كيرو كلي تسجيل الدخول
+
+# تستخدم واجهة سطر الأوامر (CLI) مصادقة خاصة بها — ليست هناك حاجة إلى OmniRoute كواجهة خلفية لـ Kiro CLI نفسها.
+# استخدم kiro-cli بجانب OmniRoute لأدوات أخرى.
+حالة كيرو كلي```
+
+---
+
+### Cursor (Desktop App)
+
+>**ملاحظة:**يقوم المؤشر بتوجيه الطلبات عبر السحابة الخاصة به. لتكامل OmniRoute،
+> قم بتمكين**Cloud Endpoint**في إعدادات OmniRoute واستخدم عنوان URL للنطاق العام الخاص بك.
+
+عبر واجهة المستخدم الرسومية:**الإعدادات → النماذج → مفتاح OpenAI API**
+
+- عنوان URL الأساسي: `https://your-domain.com/v1`
+- مفتاح API: مفتاح OmniRoute الخاص بك---
+
+## Dashboard Auto-Configuration
+
+تقوم لوحة معلومات OmniRoute بأتمتة التكوين لمعظم الأدوات:
+
+1. انتقل إلى `http://localhost:20128/dashboard/cli-tools`
+2. قم بتوسيع أي بطاقة أداة
+3. حدد مفتاح API الخاص بك من القائمة المنسدلة
+4. انقر فوق**تطبيق التكوين**(إذا تم اكتشاف الأداة على أنها مثبتة)
+5. أو انسخ مقتطف التكوين الذي تم إنشاؤه يدويًا---
+
+## Built-in Agents: Droid & OpenClaw
+
+**Droid**و**OpenClaw**هما وكيلان للذكاء الاصطناعي مدمجان مباشرة في OmniRoute — لا حاجة للتثبيت.
+يتم تشغيلها كمسارات داخلية وتستخدم توجيه نموذج OmniRoute تلقائيًا.
+
+- الوصول: `http://localhost:20128/dashboard/agents`
+- التكوين: نفس المجموعات ومقدمي الخدمات مثل جميع الأدوات الأخرى
+- لا يلزم تثبيت مفتاح API أو CLI---
+
+## Available API Endpoints
+
+| نقطة النهاية | الوصف | استخدم لـ |
+| -------------------------- | ----------------------------- | --------------------------- |
+| `/v1/chat/completions` | الدردشة القياسية (جميع مقدمي الخدمة) | جميع الأدوات الحديثة |
+| `/v1/الردود` | واجهة برمجة تطبيقات الردود (تنسيق OpenAI) | الدستور الغذائي، سير العمل الوكيل |
+| `/v1/الإكمال` | إكمال النص القديم | الأدوات القديمة التي تستخدم `المطالبة:` |
+| `/v1/embeddings` | تضمينات النص | راج، بحث |
+| `/v1/images/أجيال` | توليد الصور | DALL-E، الجريان، وما إلى ذلك |
+| `/v1/audio/speech` | تحويل النص إلى كلام | أحد عشر مختبرًا، OpenAI TTS |
+| `/v1/audio/transcriptions` | تحويل الكلام إلى نص | ديبجرام، الجمعية AI |---
+
+## استكشاف الأخطاء
+
+| خطأ | السبب | إصلاح |
+| ------------------------- | ----------------------- | ------------------------------------------ |
+| `تم رفض الاتصال` | OmniRoute لا يعمل | `pm2 ابدأ في كل الاتجاهات` |
+| `401 غير مصرح به' | مفتاح API خاطئ | قم بتسجيل الدخول `/dashboard/api-manager` |
+| `لم يتم تكوين التحرير والسرد` | لا يوجد مجموعة توجيه نشطة | تم الإعداد في `/dashboard/combos` |
+| `نموذج غير صالح` | الموديل غير موجود في الكتالوج | استخدم "تلقائي" أو حدد "/dashboard/providers" |
+| يظهر سطر الأوامر "غير مثبت" | ثنائي ليس في PATH | حدد `أي <command>` |
+| `كيرو كلي: غير موجود` | ليس في المسار | `تصدير المسار = "$HOME/.local/bin:$PATH"` |---
+
+## Quick Setup Script (One Command)
+
+```bash
+# تثبيت جميع واجهات سطر الأوامر (CLI) وتكوين OmniRoute (استبدلها بمفتاحك وعنوان URL الخاص بالخادم)
+OMNIROUTE_URL="http://localhost:20128/v1"
+OMNIROUTE_KEY="sk-your-omniroute-key"
+
+تثبيت npm -g @anthropic-ai/clude-code @openai/codex opencode-ai cline Kilocode
+
+# كيرو كلي
+apt-get install -y unzip 2>/dev/null; حليقة -fsSL https://cli.kiro.dev/install | باش
+
+# كتابة التكوينات
+mkdir -p ~/.claude ~/.codex ~/.config/opencode ~/.continue
+
+cat > ~/.claude/settings.json <<< "{\"apiBaseUrl\":\"$OMNIROUTE_URL\",\"apiKey\":\"$OMNIROUTE_KEY\"}"
+cat > ~/.codex/config.yaml <<< "model: auto\napiKey: $OMNIROUTE_KEY\napiBaseUrl: $OMNIROUTE_URL"
+القط >> ~/.bashrc << EOF
+تصدير OPENAI_BASE_URL="$OMNIROUTE_URL"
+تصدير OPENAI_API_KEY = "$OMNIROUTE_KEY"
+تصدير ANTHROPIC_BASE_URL="$OMNIROUTE_URL"
+تصدير ANTHROPIC_API_KEY = "$OMNIROUTE_KEY"
+EOF
+
+المصدر ~/.bashrc
+صدى " ✅ تم تثبيت جميع واجهات سطر الأوامر (CLI) وتكوينها لـ OmniRoute"```
+````
@@ -0,0 +1,527 @@
+# omniroute — Codebase Documentation (العربية)
+
+🌐 **Languages:** 🇺🇸 [English](../../../../docs/CODEBASE_DOCUMENTATION.md) · 🇪🇸 [es](../../es/docs/CODEBASE_DOCUMENTATION.md) · 🇫🇷 [fr](../../fr/docs/CODEBASE_DOCUMENTATION.md) · 🇩🇪 [de](../../de/docs/CODEBASE_DOCUMENTATION.md) · 🇮🇹 [it](../../it/docs/CODEBASE_DOCUMENTATION.md) · 🇷🇺 [ru](../../ru/docs/CODEBASE_DOCUMENTATION.md) · 🇨🇳 [zh-CN](../../zh-CN/docs/CODEBASE_DOCUMENTATION.md) · 🇯🇵 [ja](../../ja/docs/CODEBASE_DOCUMENTATION.md) · 🇰🇷 [ko](../../ko/docs/CODEBASE_DOCUMENTATION.md) · 🇸🇦 [ar](../../ar/docs/CODEBASE_DOCUMENTATION.md) · 🇮🇳 [hi](../../hi/docs/CODEBASE_DOCUMENTATION.md) · 🇮🇳 [in](../../in/docs/CODEBASE_DOCUMENTATION.md) · 🇹🇭 [th](../../th/docs/CODEBASE_DOCUMENTATION.md) · 🇻🇳 [vi](../../vi/docs/CODEBASE_DOCUMENTATION.md) · 🇮🇩 [id](../../id/docs/CODEBASE_DOCUMENTATION.md) · 🇲🇾 [ms](../../ms/docs/CODEBASE_DOCUMENTATION.md) · 🇳🇱 [nl](../../nl/docs/CODEBASE_DOCUMENTATION.md) · 🇵🇱 [pl](../../pl/docs/CODEBASE_DOCUMENTATION.md) · 🇸🇪 [sv](../../sv/docs/CODEBASE_DOCUMENTATION.md) · 🇳🇴 [no](../../no/docs/CODEBASE_DOCUMENTATION.md) · 🇩🇰 [da](../../da/docs/CODEBASE_DOCUMENTATION.md) · 🇫🇮 [fi](../../fi/docs/CODEBASE_DOCUMENTATION.md) · 🇵🇹 [pt](../../pt/docs/CODEBASE_DOCUMENTATION.md) · 🇷🇴 [ro](../../ro/docs/CODEBASE_DOCUMENTATION.md) · 🇭🇺 [hu](../../hu/docs/CODEBASE_DOCUMENTATION.md) · 🇧🇬 [bg](../../bg/docs/CODEBASE_DOCUMENTATION.md) · 🇸🇰 [sk](../../sk/docs/CODEBASE_DOCUMENTATION.md) · 🇺🇦 [uk-UA](../../uk-UA/docs/CODEBASE_DOCUMENTATION.md) · 🇮🇱 [he](../../he/docs/CODEBASE_DOCUMENTATION.md) · 🇵🇭 [phi](../../phi/docs/CODEBASE_DOCUMENTATION.md) · 🇧🇷 [pt-BR](../../pt-BR/docs/CODEBASE_DOCUMENTATION.md) · 🇨🇿 [cs](../../cs/docs/CODEBASE_DOCUMENTATION.md) · 🇹🇷 [tr](../../tr/docs/CODEBASE_DOCUMENTATION.md)
+
+---
+
+> دليل شامل ومناسب للمبتدئين إلى مدير المدير AI**omniroute**متعدد الموفرين.---## 1. What Is omniroute?
+
+omniroute هو**جهاز وكيل التوجيه**يقع بين عملاء الذكاء الاصطناعي (Claude CLI، وCodex، وCursor IDE، وما إلى ذلك) وموفري الذكاء الاصطناعي (Anthropic، وGoogle، وOpenAI، وAWS، وGitHub، وما إلى ذلك). يحل مشكلة واحدة كبيرة:
+
+> **يتحدث عملاء الذكاء الاصطناعي المختلفون "لغات" مختلفة (تنسيقات واجهة برمجة التطبيقات)، ويتوقع مقدمو خدمات الذكاء الاصطناعي المختلفون "لغات مختلفة" أيضاً.**يترجم المسار الشامل بما فيه الكفاية.
+
+فكر في الأمر التالي مترجم عالمي في الأمم المتحدة - يمكن لأي مندوبات أي لغة، والمترجم هل يمكن أن يترجمها لأي مندوب آخر.---## 2. Architecture Overview
+
+```mermaid
+graph LR
+    subgraph Clients
+        A[Claude CLI]
+        B[Codex]
+        C[Cursor IDE]
+        D[OpenAI-compatible]
+    end
+
+    subgraph omniroute
+        E[Handler Layer]
+        F[Translator Layer]
+        G[Executor Layer]
+        H[Services Layer]
+    end
+
+    subgraph Providers
+        I[Anthropic Claude]
+        J[Google Gemini]
+        K[OpenAI / Codex]
+        L[GitHub Copilot]
+        M[AWS Kiro]
+        N[Antigravity]
+        O[Cursor API]
+    end
+
+    A --> E
+    B --> E
+    C --> E
+    D --> E
+    E --> F
+    F --> G
+    G --> I
+    G --> J
+    G --> K
+    G --> L
+    G --> M
+    G --> N
+    G --> O
+    H -.-> E
+    H -.-> G
+```
+
+### Core Principle: Hub-and-Spoke Translation
+
+تمر جميع ترجمةات عبر**تنسيق OpenAI كمركز**:`
+تنسيق العميل → [OpenAI Hub] → تنسيق الموفر (طلب)
+تنسيق الموفر → [OpenAI Hub] → تنسيق العميل (الاستجابة)`
+
+هذا يعني أنك تحتاج فقط إلى مترجمين**N**(واحد لكل تنسيق) بدلاً من**N²**(كل زوج).---
+
+## 3. Project Structure
+
+````
+الطريق الشامل/
+├── open-sse/ ← مكتبة الوكيل الأساسية (محمول، لا إطاري)
+│ ├── Index.js ← نقطة الدخول الرئيسية، تصدر كل شيء
+│ ├── التكوين/ ← التكوين والثوابت
+│ ├── المنفذون/ ← تنفيذ الطلب الخاص بالمزود
+│ ├── معالجات/ ← طلب تنسيق التعامل
+│ ├── الخدمات/ ← منطق الأعمال (المصادقة، النماذج، الاحتياطي، الاستخدام)
+│ ├── مترجم/ ← تنسيق محرك الترجمة
+│ │ ├── طلب/ ← طلب مترجمين (8 ملفات)
+│ │ ├── استجابة/ ← مترجمو الاستجابة (7 ملفات)
+│ │ └── مساعدون/ ← أدوات الترجمة المشتركة (6 ملفات)
+│ └── المرافق/ ← وظائف المرافق
+├── src/ ← طبقة التطبيق (وقت تشغيل Express/Worker)
+│ ├── التطبيق/ ← واجهة مستخدم الويب، مسارات واجهة برمجة التطبيقات، البرامج الوسيطة
+│ ├── lib/ ← قاعدة البيانات والمصادقة وكود المكتبة المشتركة
+│ ├── mitm/ ← أدوات الوكيل الوسيطة
+│ ├── النماذج/ ← نماذج قواعد البيانات
+│ ├── مشترك/ ← أدوات مساعدة مشتركة (مغلفات حول open-sse)
+│ ├── sse/ ← معالجات نقطة النهاية SSE
+│ └── المتجر/ ← إدارة الدولة
+├── البيانات/ ← بيانات وقت التشغيل (بيانات الاعتماد والسجلات)
+│ └── Provider-credentials.json (تجاوز بيانات الاعتماد الخارجية، gitignored)
+└── اختبار/ ← اختبار المرافق```
+
+---
+
+## 4. Module-by-Module Breakdown
+
+### 4.1 Config (`open-sse/config/`)
+
+**المصدر الوحيد للحقيقة**لجميع إعدادات الموفر.
+
+| ملف | الغرض |
+| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `الثوابت.ts` | كائن `PROVIDERS` يحتوي على عناوين URL الأساسية وبيانات اعتماد OAuth (الافتراضية) والرؤوس ومطالبات النظام الافتراضية لكل موفر. يحدد أيضًا `HTTP_STATUS` و`ERROR_TYPES` و`COOLDOWN_MS` و`BACKOFF_CONFIG` و`SKIP_PATTERNS`. |
+| "credentialLoader.ts" | يقوم بتحميل بيانات الاعتماد الخارجية من "data/provider-credentials.json" ويدمجها في الإعدادات الافتراضية المضمنة في "PROVIDERS". يحافظ على الأسرار خارج نطاق التحكم بالمصدر مع الحفاظ على التوافق مع الإصدارات السابقة.               |
+| `providerModels.ts` | سجل النموذج المركزي: الأسماء المستعارة لموفر الخرائط → معرفات النموذج. وظائف مثل `getModels()` و`getProviderByAlias()`.                                                                                                          |
+| `codexInstructions.ts` | تعليمات النظام التي تم إدخالها في طلبات الدستور الغذائي (قيود التحرير، قواعد الاختبار، سياسات الموافقة).                                                                                                                 |
+| `defaultThinkingSignature.ts` | توقيعات "التفكير" الافتراضية لنماذج كلود وجيميني.                                                                                                                                                               |
+| `olmaModels.ts` | تعريف المخطط لنماذج أولاما المحلية (الاسم، الحجم، العائلة، التكميم).                                                                                                                                             |#### Credential Loading Flow
+
+```mermaid
+مخطط انسيابي TD
+    A["يبدأ التطبيق"] --> B["constants.ts يحدد مقدمي الخدمة\nبإعدادات افتراضية مضمنة"]
+    B --> C{"data/provider-credentials.json\nexists؟"}
+    ج -->|نعم| D["credentialLoader يقرأ JSON"]
+    ج -->|لا| E["استخدام الإعدادات الافتراضية المشفرة"]
+    D --> F{"لكل موفر في JSON"}
+    F --> G{"الموفر موجود\nفي الموفرين؟"}
+    ز -->|لا| H["تحذير السجل، تخطي"]
+    ز -->|نعم| أنا{"القيمة هي كائن؟"}
+    أنا -->|لا| J["تحذير السجل، تخطي"]
+    أنا -->|نعم| K["دمج معرف العميل، ClientSecret،\ntokenUrl، authUrl، RefreshUrl"]
+    ك --> ف
+    ح --> ف
+    ي --> ف
+    F -->|تم| L["الموفرون جاهزون\nببيانات اعتماد مدمجة"]
+    ه --> ل```
+
+---
+
+### 4.2 Executors (`open-sse/executors/`)
+
+يقوم المنفذون بتغليف**المنطق الخاص بالمزود**باستخدام**نمط الإستراتيجية**. يتجاوز كل منفذ الأساليب الأساسية حسب الحاجة.```mermaid
+classDiagram
+    class BaseExecutor {
+        +buildUrl(model, stream, options)
+        +buildHeaders(credentials, stream, body)
+        +transformRequest(body, model, stream, credentials)
+        +execute(url, options)
+        +shouldRetry(status, error)
+        +refreshCredentials(credentials, log)
+    }
+
+    class DefaultExecutor {
+        +refreshCredentials()
+    }
+
+    class AntigravityExecutor {
+        +buildUrl()
+        +buildHeaders()
+        +transformRequest()
+        +shouldRetry()
+        +refreshCredentials()
+    }
+
+    class CursorExecutor {
+        +buildUrl()
+        +buildHeaders()
+        +transformRequest()
+        +parseResponse()
+        +generateChecksum()
+    }
+
+    class KiroExecutor {
+        +buildUrl()
+        +buildHeaders()
+        +transformRequest()
+        +parseEventStream()
+        +refreshCredentials()
+    }
+
+    BaseExecutor <|-- DefaultExecutor
+    BaseExecutor <|-- AntigravityExecutor
+    BaseExecutor <|-- CursorExecutor
+    BaseExecutor <|-- KiroExecutor
+    BaseExecutor <|-- CodexExecutor
+    BaseExecutor <|-- GeminiCLIExecutor
+    BaseExecutor <|-- GithubExecutor
+````
+
+| المنفذ               | مقدم                                                | التخصص الرئيسي                                                                                                                    |
+| -------------------- | --------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ |
+| `base.ts`            | —                                                   | قاعدة الملخصات: إنشاء عنوان URL، والرؤوس، ومنطقة إعادة المحاولة، وتحديث بيانات الاعتماد                                           |
+| `default.ts`         | كلود، جيميني، أوبن آي آي، جي إل إم، كيمي، ميني ماكس | تحديث رمز OAuth العام للموفرين الكلاسيكيين                                                                                        |
+| `مكافحة الجاذبية.ts` | جوجل كلود كود                                       | إنشاء معرف المشروع/الجلسة، وإرجاع عناوين URL الإعلامية، بعد محاولة تحديد موقع رسائل الخطأ ("إعادة بعد 2 ساعة و7 دقائق و23 ثانية") |
+| `cursor.ts`          | منطقة تطوير متعددة للمؤشر                           | **الأكثر مخاطرًا**: مصادقة التسجيل الاختباري SHA-256، وترميز طلب Protobuf، وEventStream ثنائي → تحليل اتصال SSE                   |
+| `codex.ts`           | OpenAI Codex                                        | حجم تعليمات النظام، وإدارة مستويات التفكير، تجديد المعلمات غير المدعومة                                                           |
+| `الجوزاء-cli.ts`     | جوجل الجوزاء CLI                                    | إنشاء عنوان URL مخصص (`streamGenerateContent`)، وتحديث رمز OAuth المميز لـ Google                                                 |
+| `جيثب.ts`            | جيثب مساعد الطيار                                   | نظام رمزي ثنائي (GitHub OAuth + Copilot token)، محاكاة رأس VSCode                                                                 |
+| `kiro.ts`            | AWS CodeWhisperer                                   | التحليل الثنائي لـ AWS EventStream، وإطارات أحداث AMZN، والتقدير المميز                                                           |
+| `index.ts`           | —                                                   | المصنع: اسم موفر ← فئة المنفذ، مع خيار بديل افتراضي                                                                               | ---### 4.3 Handlers (`open-sse/handlers/`) |
+
+**طبقة تأتي**— تترتب على الترجمة والتنفيذ والتدفق ويسبب سبب.
+
+| ملف                   | الحصاد                                                                                                                                                            |
+| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------- |
+| `chatCore.ts`         | **المنسق المركزي**(~ 600 سطر). لاحظ مع دورة حياة الطلب الكامل: اكتشاف ← الترجمة ← رحلة مميزة ← عزيزي القارئ/غير المتدفق ← تحديث ← أسباب ← تسجيل الاستخدام.        |
+| `responsesHandler.ts` | محول برمجة تطبيقات الخاصة بـ OpenAI: تحويل تنسيق الردود ← إرسال ملفات الدردشة ← إرسال إلى `chatCore` ← تحويل SSE مرة أخرى إلى تنسيق الردود.                       |
+| `embeddings.ts`       | محرك إنشاء التضمين: يحل نموذج التضمين → الموفر، ويرسل إلى واجهة برمجة تطبيقات الموفر، ويعيد الاتصال بالتضمين المتوافق مع OpenAI. يدعم 6+ مقدمي الخدمات.           |
+| `imageGeneration.ts`  | معالج إنشاء الصور: يحل نموذج الصورة → الموفر، ويدعم الأوضاع المتوافقة مع OpenAI، وGemini-image (Antigravity)، والوضع الاحتياطي (Nebius). إرجاع صور base64 أو URL. | #### دورة حياة الطلب (chatCore.ts)```mermaid |
+
+sequenceDiagram
+participant Client
+participant chatCore
+participant Translator
+participant Executor
+participant Provider
+
+    Client->>chatCore: Request (any format)
+    chatCore->>chatCore: Detect source format
+    chatCore->>chatCore: Check bypass patterns
+    chatCore->>chatCore: Resolve model & provider
+    chatCore->>Translator: Translate request (source → OpenAI → target)
+    chatCore->>Executor: Get executor for provider
+    Executor->>Executor: Build URL, headers, transform request
+    Executor->>Executor: Refresh credentials if needed
+    Executor->>Provider: HTTP fetch (streaming or non-streaming)
+
+    alt Streaming
+        Provider-->>chatCore: SSE stream
+        chatCore->>chatCore: Pipe through SSE transform stream
+        Note over chatCore: Transform stream translates<br/>each chunk: target → OpenAI → source
+        chatCore-->>Client: Translated SSE stream
+    else Non-streaming
+        Provider-->>chatCore: JSON response
+        chatCore->>Translator: Translate response
+        chatCore-->>Client: Translated JSON
+    end
+
+    alt Error (401, 429, 500...)
+        chatCore->>Executor: Retry with credential refresh
+        chatCore->>chatCore: Account fallback logic
+    end
+
+````
+
+---
+
+### 4.4 Services (`open-sse/services/`)
+
+منطق الأعمال الذي يدعم المعالجات والمنفذين.| File                 | Purpose                                                                                                                                                                                                                                                                                                                                |
+| -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `provider.ts`        | **Format detection** (`detectFormat`): analyzes request body structure to identify Claude/OpenAI/Gemini/Antigravity/Responses formats (includes `max_tokens` heuristic for Claude). Also: URL building, header building, thinking config normalization. Supports `openai-compatible-*` and `anthropic-compatible-*` dynamic providers. |
+| `model.ts`           | Model string parsing (`claude/model-name` → `{provider: "claude", model: "model-name"}`), alias resolution with collision detection, input sanitization (rejects path traversal/control chars), and model info resolution with async alias getter support.                                                                             |
+| `accountFallback.ts` | Rate-limit handling: exponential backoff (1s → 2s → 4s → max 2min), account cooldown management, error classification (which errors trigger fallback vs. not).                                                                                                                                                                         |
+| `tokenRefresh.ts`    | OAuth token refresh for **every provider**: Google (Gemini, Antigravity), Claude, Codex, Qwen, Qoder, GitHub (OAuth + Copilot dual-token), Kiro (AWS SSO OIDC + Social Auth). Includes in-flight promise deduplication cache and retry with exponential backoff.                                                                       |
+| `combo.ts`           | **Combo models**: chains of fallback models. If model A fails with a fallback-eligible error, try model B, then C, etc. Returns actual upstream status codes.                                                                                                                                                                          |
+| `usage.ts`           | Fetches quota/usage data from provider APIs (GitHub Copilot quotas, Antigravity model quotas, Codex rate limits, Kiro usage breakdowns, Claude settings).                                                                                                                                                                              |
+| `accountSelector.ts` | Smart account selection with scoring algorithm: considers priority, health status, round-robin position, and cooldown state to pick the optimal account for each request.                                                                                                                                                              |
+| `contextManager.ts`  | Request context lifecycle management: creates and tracks per-request context objects with metadata (request ID, timestamps, provider info) for debugging and logging.                                                                                                                                                                  |
+| `ipFilter.ts`        | IP-based access control: supports allowlist and blocklist modes. Validates client IP against configured rules before processing API requests.                                                                                                                                                                                          |
+| `sessionManager.ts`  | Session tracking with client fingerprinting: tracks active sessions using hashed client identifiers, monitors request counts, and provides session metrics.                                                                                                                                                                            |
+| `signatureCache.ts`  | Request signature-based deduplication cache: prevents duplicate requests by caching recent request signatures and returning cached responses for identical requests within a time window.                                                                                                                                              |
+| `systemPrompt.ts`    | Global system prompt injection: prepends or appends a configurable system prompt to all requests, with per-provider compatibility handling.                                                                                                                                                                                            |
+| `thinkingBudget.ts`  | Reasoning token budget management: supports passthrough, auto (strip thinking config), custom (fixed budget), and adaptive (complexity-scaled) modes for controlling thinking/reasoning tokens.                                                                                                                                        |
+| `wildcardRouter.ts`  | Wildcard model pattern routing: resolves wildcard patterns (e.g., `*/claude-*`) to concrete provider/model pairs based on availability and priority.                                                                                                                                                                                   |
+
+#### Token Refresh Deduplication
+
+```mermaid
+sequenceDiagram
+    participant R1 as Request 1
+    participant R2 as Request 2
+    participant Cache as refreshPromiseCache
+    participant OAuth as OAuth Provider
+
+    R1->>Cache: getAccessToken("gemini", token)
+    Cache->>Cache: No in-flight promise
+    Cache->>OAuth: Start refresh
+    R2->>Cache: getAccessToken("gemini", token)
+    Cache->>Cache: Found in-flight promise
+    Cache-->>R2: Return existing promise
+    OAuth-->>Cache: New access token
+    Cache-->>R1: New access token
+    Cache-->>R2: Same access token (shared)
+    Cache->>Cache: Delete cache entry
+````
+
+#### Account Fallback State Machine
+
+```mermaid
+stateDiagram-v2
+    [*] --> Active
+    Active --> Error: Request fails (401/429/500)
+    Error --> Cooldown: Apply backoff
+    Cooldown --> Active: Cooldown expires
+    Active --> Active: Request succeeds (reset backoff)
+
+    state Error {
+        [*] --> ClassifyError
+        ClassifyError --> ShouldFallback: Rate limit / Auth / Transient
+        ClassifyError --> NoFallback: 400 Bad Request
+    }
+
+    state Cooldown {
+        [*] --> ExponentialBackoff
+        ExponentialBackoff: Level 0 = 1s
+        ExponentialBackoff: Level 1 = 2s
+        ExponentialBackoff: Level 2 = 4s
+        ExponentialBackoff: Max = 2min
+    }
+```
+
+#### Combo Model Chain
+
+```mermaid
+flowchart LR
+    A["Request with\ncombo model"] --> B["Model A"]
+    B -->|"2xx Success"| C["Return response"]
+    B -->|"429/401/500"| D{"Fallback\neligible?"}
+    D -->|Yes| E["Model B"]
+    D -->|No| F["Return error"]
+    E -->|"2xx Success"| C
+    E -->|"429/401/500"| G{"Fallback\neligible?"}
+    G -->|Yes| H["Model C"]
+    G -->|No| F
+    H -->|"2xx Success"| C
+    H -->|"Fail"| I["All failed →\nReturn last status"]
+```
+
+---
+
+### 4.5 Translator (`open-sse/translator/`)
+
+**محرك استعداد**باستخدام نظام التوقيع الذاتي.#### الكائنات```mermaid
+graph TD
+subgraph "Request Translation"
+A["Claude → OpenAI"]
+B["Gemini → OpenAI"]
+C["Antigravity → OpenAI"]
+D["OpenAI Responses → OpenAI"]
+E["OpenAI → Claude"]
+F["OpenAI → Gemini"]
+G["OpenAI → Kiro"]
+H["OpenAI → Cursor"]
+end
+
+    subgraph "Response Translation"
+        I["Claude → OpenAI"]
+        J["Gemini → OpenAI"]
+        K["Kiro → OpenAI"]
+        L["Cursor → OpenAI"]
+        M["OpenAI → Claude"]
+        N["OpenAI → Antigravity"]
+        O["OpenAI → Responses"]
+    end
+
+````
+
+| الدليل | ملفات | الوصف |
+| ------------ | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `طلب/` | 8 مترجمين | تحويل أجسام بين الصيغ. يتم تسجيل كل ملف ذاتيًا عبر "التسجيل (من، إلى، fn)" عند الاستيراد.                                                                                                                                                         |
+| `الاستجابة/` | 7 مترجمين | تحويل قطع المضخّم بين الصيغة. للتعرف على أنواع أحداث SSE وكتل التفكير وأدوات الأدوات.                                                                                                                                                         |
+| `المساعدين/` | 6 مساعدين | الأداة المساعدة المشتركة: `cludeHelper` (استخراج النظام، البحث المطلوب البحث)، `geminiHelper` (تخطيط الأجزاء/المحتويات)، `openaiHelper` (خيار مناسب)، `toolCallHelper` (إنشاء المعرف، البحث المطلوب المطلوبة)، `maxTokensHelper`، `responsesApiHelper`. |
+| `index.ts` | — | ترجمة المحرك: `translateRequest()`، `translateResponse()`، إدارة الحالة، التسجيل.                                                                                                                                                                     |
+| `formats.ts` | — | ثوابت عادة: `OPENAI`، `CLAUDE`، `GEMINI`، `ANTIGRAVITY`، `KIRO`، `CURSOR`، `OPENAI_RESPONSES`.                                                                                                                                                             |#### التصميم الرئيسي: المكونات الإضافية ذاتية التسجيل```javascript
+// Each translator file calls register() on import:
+import { register } from "../index.js";
+register("claude", "openai", translateClaudeToOpenAI);
+
+// The index.js imports all translator files, triggering registration:
+import "./request/claude-to-openai.js"; // ← self-registers
+````
+
+---
+
+### 4.6 Utils (`open-sse/utils/`)
+
+| ملف                | الحصاد                                                                                                                                                                                                                                                             |
+| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------- |
+| "خطأ.ts"           | إنشاء كلمات للأخطاء (تنسيق متوافق مع OpenAI)، وسبب المشكلة، واستخراجها، وحاول إعادة محاولة Antigravity من رسائل الخطأ، وأخطاء SSE.                                                                                                                                 |
+| "stream.ts"        | **SSE Transform Stream**— خط أنابيب البث الأساسي. وضعان: "الترجمة" (ترجمة كاملة) و"العبور" (التطبيع + الطلب المستخدم). وأخذ بعين الاعتبار التخزين المؤقت للقطعة وتقدير استخدامها وتتبع طول الفيديو. تجنب مثيلات وحدة التشفير/وحدة فك التشفير لكل حالة DC المشتركة. |
+| `streamHelpers.ts` | SSE ذات المستوى المنخفض: `parseSSELine` (متسامح مع المسافات البيضاء)، `hasValuableContent` ( تصفية أدوات الفارغة لـ OpenAI/Claude/Gemini)، `fixInvalidId`، `formatSSE` (تسلسل SSE مدرك للتنسيق مع `perf_metrics`).                                                 |
+| `usageTracking.ts` | استخدام النسخة المميزة من أي تنسيق (Claude/OpenAI/Gemini/Responses)، والاستعانة بـ DNS لكل رمز مميز للأداة/الرسالة، والمخزن المؤقت (هامش أمان 2000 رمز مميز)، وتصفية الخاصيات بالتنسيق، وتسجيل وحدة التحكم مع ANSI.                                                |
+| `requestLogger.ts` | تسجيل الطلب إلى الملف (قم بالاشتراك عبر `ENABLE_REQUEST_LOGS=true`). ينشئ مجلدات الجلسة بملفات مرقمة: `1_req_client.json` → `7_res_client.txt`. كل عمليات الإدخال/الإخراج غير متزامنة (أطلق النار وانسى). داخل المسام.                                             |
+| `bypassHandler.ts` | ويمثل خيارًا محددًا لـ Claude CLI (عنوان الإنتاج، والحماية، والعد) ويعيد ميزة دون الاتصال بأي مكان. يدعم كل من الدف وغير الدف. لذلك عمدا على نطاق كلود CLI.                                                                                                        |
+| `networkProxy.ts`  | يحل عنوان URL للوكلاء لموفر معين مع الأسبقية: تفعيل الخاص بالموفر → تفعيل العام → متغيرات البيئة (`HTTPS_PROXY`/`HTTP_PROXY`/`ALL_PROXY`). يدعم استثناءات `NO_PROXY`. اختيارية ذاكرة تخزين مؤقتة لمدة 30 ثانية.                                                    | #### خط أنابيب تدفق SSE```mermaid |
+
+flowchart TD
+A["Provider SSE stream"] --> B["TextDecoder\n(per-stream instance)"]
+B --> C["Buffer lines\n(split on newline)"]
+C --> D["parseSSELine()\n(trim whitespace, parse JSON)"]
+D --> E{"Mode?"}
+E -->|TRANSLATE| F["translateResponse()\ntarget → OpenAI → source"]
+E -->|PASSTHROUGH| G["fixInvalidId()\nnormalize chunk"]
+F --> H["hasValuableContent()\nfilter empty chunks"]
+G --> H
+H -->|"Has content"| I["extractUsage()\ntrack token counts"]
+H -->|"Empty"| J["Skip chunk"]
+I --> K["formatSSE()\nserialize + clean perf_metrics"]
+K --> L["TextEncoder\n(per-stream instance)"]
+L --> M["Enqueue to\nclient stream"]
+
+    style A fill:#f9f,stroke:#333
+    style M fill:#9f9,stroke:#333
+
+```
+
+#### Request Logger Session Structure
+
+```
+
+logs/
+└── claude_gemini_claude-sonnet_20260208_143045/
+├── 1_req_client.json ← Raw client request
+├── 2_req_source.json ← After initial conversion
+├── 3_req_openai.json ← OpenAI intermediate format
+├── 4_req_target.json ← Final target format
+├── 5_res_provider.txt ← Provider SSE chunks (streaming)
+├── 5_res_provider.json ← Provider response (non-streaming)
+├── 6_res_openai.txt ← OpenAI intermediate chunks
+├── 7_res_client.txt ← Client-facing SSE chunks
+└── 6_error.json ← Error details (if any)
+
+````
+
+---
+
+### 4.7 Application Layer (`src/`)
+
+| الدليل | الحصاد |
+| ------------- | ---------------------------------------------------------------------- |
+| `src/app/` | واجهة مستخدم الويب، مسارات واجهة برمجة التطبيقات (API)، البرامج الأساسية السريعة، معالجات رد اتصال OAuth |
+| `src/lib/` | إلى قاعدة الوصول إلى البيانات (`localDb.ts`، `usageDb.ts`)، المصادقة، البرمجة |
+| `src/mitm/` | أداة مساعدة للوسيط لاعتراض حركة المرور |
+| `src/models/` | تعريفات قواعد البيانات |
+| `src/shared/` | أغلفة حول وظائف open-sse (المزود، الدفق، الخطأ، إلخ) |
+| `src/sse/` | معالجات نقطة نهاية SSE التي تتوفر في مكتبة open-sse بمسارات Express |
+| `src/store/` | إدارة التطبيق |#### مسارات API البارزة
+
+| الطريق | طرق | الحصاد |
+| --------------------------------------------- | --------------- | ------------------------------------------------------------------------------------- |
+| `/api/provider-models` | الحصول على/نشر/حذف | CRUD للنماذج المتخصصة لكل |
+| `/api/models/catalog` | احصل على | مجمع كتالوج لجميع الارتباطات (الدردشة، التضمين، الصورة، تخصيص) مجمعة حسب الموفر |
+| `/api/settings/proxy` | الحصول على/وضع/حذف | الجاهزة التفصيلي (`العالمي/الموفرون/المجموعات/المفاتيح`) |
+| `/api/settings/proxy/test` | مشاركة | التحقق من صحة الاتصال الوكيل وإرجاع IP/زمن الوصول العام |
+| `/v1/providers/[provider]/chat/completions` | مشاركة | عمليات البحث عن الاختيار المناسب لكل شخص مع التحقق من صحة النموذج |
+| `/v1/providers/[provider]/embeddings` | مشاركة | عمليات تضمين التخصص حسب الاختيار مع نموذج التحقق من الصحة |
+| `/v1/providers/[provider]/images/ Generations` | مشاركة | إنشاء صور مخصصة لكل وثيقة معتمدة من نموذج صحة |
+| `/api/settings/ip-filter` | الحصول على/وضع | قائمة IP الخاصة بها/إدارة القائمة المحظورة |
+| `/api/settings/thinking-budget` | الحصول على/وضع | المحددة المحددة الرمز (العبور/التلقائي/المخصص/التكيفي) |
+| `/api/settings/system-prompt` | الحصول على/وضع | القطع المؤقتة لأدوات البناء العالمية |
+| `/api/sessions` | احصل على | تحديد العضوية ومعاييرها |
+| `/api/rate-limits` | احصل على | الحالة لا يمكن تعديلها لكل حساب |---## 5. Key Design Patterns
+
+### 5.1 Hub-and-Spoke Translation
+
+تتم ترجمة جميع الاحتمالات من خلال**تنسيق OpenAI كمحور**. لا تتطلب إضافة موفر جديد سوى كتابة**زوج واحد**من المترجمين (من/ إلى OpenAI)، وليس عدد N من المترجمين.### 5.2 Executor Strategy Pattern
+
+كل ما لديها فئة تنفيذية مخصصة ترث من "BaseExecutor". تم تصنيع المصنع الموجود في "executors/index.ts" وبالتالي أصبح المصنع جاهزًا في وقت التشغيل.### 5.3 نظام البرنامج الإضافي للتسجيل الذاتي
+
+وحدات المترجمة نفسها عند الاستيراد عبر ``تسجيل ()'. إن إضافة مترجم جديد يعني مجرد إنشاء ملف واستيراده.### 5.4 Account Fallback with Exponential Backoff
+
+عندما يقوم بتقديم خدمة بإرجاع 429/401/500، يمكن أن يتكامل مع الحساب التالي، مع تطبيق أحدث الحداثات الأسية (1ث → 2ث → 4ث → 2 دقيقة الضرر التام).### 5.5 Combo Model Chains
+
+يقوم "التحرير والسرد" بتجميع سلاسل "المزود/النموذج" حاسوبياً. في حالة الفشل الأول، يتم الرجوع إلى المنتج الأصلي.### 5.6 الترجمة المتدفقة ذات الحالة
+
+الحفاظ على ترجمة الأجزاء ذات الحالة عبر SSE (تتبع كتلة التفكير، وتراكم الاتصال بالجهة، وفهرسة كتلة المحتوى) عبر تقنية `initState()`.### 5.7 المخزن المؤقت لسلامة الاستخدام
+
+تم إضافة مخزن مؤقت مكون من 2000 رمز مميز إلى الحد الأقصى من الاستخدام لمساعدة العملاء على الوصول إلى حدود النافذة بسبب الحمل الزائد من مطالبات النظام وترجمة السائقين.---## 6. Supported Formats
+
+| التنسيق | | المعرف |
+| ----------------------- | --------------- | ------------------ |
+| استكمالات الدردشة OpenAI | المصدر + الهدف | `أوبيني` |
+| برمجة تطبيقات استجابات OpenAI | المصدر + الهدف | `الردود المفتوحة` |
+| أنثروب كلود | المصدر + الهدف | "كلود" |
+| جوجل الجوزاء | المصدر + الهدف | `الجوزاء` |
+| جوجل الجوزاء CLI | الهدف فقط | `الجوزاء-كلي` |
+| مكافحة الجاذبية | المصدر + الهدف | `مضادة الجاذبية` |
+| أوس كيرو | الهدف فقط | `كيرو` |
+| |مؤثر الهدف فقط | `المؤشر` |---## 7. Supported Providers
+
+| مقدم | طريقة المصادقة | المنفذ | المذكرة الرئيسية |
+| ------------------------ | ---------------------- | ----------- | --------------------------------------------- |
+| أنثروب كلود | واجهة برمجة التطبيقات الرئيسية أو OAuth | افتراضي | يستخدم رأس `x-api-key` |
+| جوجل الجوزاء | واجهة برمجة التطبيقات الرئيسية أو OAuth | افتراضي | يستخدم رأس `x-goog-api-key` |
+| جوجل الجوزاء CLI | أووث | الجوزاء كلي | يستخدم نقطة نهاية "streamGenerateContent" |
+| مكافحة الجاذبية | أووث | مكافحة الجاذبية | شراء عناوين URL الخاصة بها، إعادة محاولة البحث عن المواقع |
+| أوبن آي | واجهة برمجة التطبيقات الرئيسية | افتراضي | مصادقة الحامل |
+| الدستور الغذائي | أووث | الدستور الغذائي | يدخل تعليمات النظام ويدير التفكير |
+| جيثب مساعد الطيار | OAuth + رمز مساعد الطيار | جيثب | رمز مزدوج، محاكاة رأس VSCode |
+| كيرو (AWS) | AWS SSO OIDC أو اجتماعي | كيرو | تحليل دفق الأحداث الثنائية |
+| بيئة تطوير متكاملة للمؤشر | تصويت الاختياري | |مؤثر ترميز Protobuf، الجلسات الاختباري SHA-256 |
+| كوين | أووث | افتراضي | المصادقة القياسية |
+| قدير | OAuth (أساسي + حامل) | افتراضي | رأس المصادقة |
+| اوبن راوتر | واجهة برمجة التطبيقات الرئيسية | افتراضي | مصادقة الحامل |
+| جي إل إم، كيمي، ميني ماكس | واجهة برمجة التطبيقات الرئيسية | افتراضي | متوافق مع كلود، استخدم `x-api-key` |
+| `متوافق مع openai-*` | واجهة برمجة التطبيقات الرئيسية | افتراضي | برمجة: أي نقطة نهاية متوافقة مع OpenAI |
+| `متوافق مع البشر-*` | واجهة برمجة التطبيقات الرئيسية | افتراضي | برمجة: أي نقطة نهاية متوافقة مع كلود |---## 8. Data Flow Summary
+
+### Streaming Request
+
+```mermaid
+flowchart LR
+    A["Client"] --> B["detectFormat()"]
+    B --> C["translateRequest()\nsource → OpenAI → target"]
+    C --> D["Executor\nbuildUrl + buildHeaders"]
+    D --> E["fetch(providerURL)"]
+    E --> F["createSSEStream()\nTRANSLATE mode"]
+    F --> G["parseSSELine()"]
+    G --> H["translateResponse()\ntarget → OpenAI → source"]
+    H --> I["extractUsage()\n+ addBuffer"]
+    I --> J["formatSSE()"]
+    J --> K["Client receives\ntranslated SSE"]
+    K --> L["logUsage()\nsaveRequestUsage()"]
+````
+
+### Non-Streaming Request
+
+```mermaid
+flowchart LR
+    A["Client"] --> B["detectFormat()"]
+    B --> C["translateRequest()\nsource → OpenAI → target"]
+    C --> D["Executor.execute()"]
+    D --> E["translateResponse()\ntarget → OpenAI → source"]
+    E --> F["Return JSON\nresponse"]
+```
+
+### Bypass Flow (Claude CLI)
+
+```mermaid
+flowchart LR
+    A["Claude CLI request"] --> B{"Match bypass\npattern?"}
+    B -->|"Title/Warmup/Count"| C["Generate fake\nOpenAI response"]
+    B -->|"No match"| D["Normal flow"]
+    C --> E["Translate to\nsource format"]
+    E --> F["Return without\ncalling provider"]
+```
@@ -0,0 +1,137 @@
+# Test Coverage Plan (العربية)
+
+🌐 **Languages:** 🇺🇸 [English](../../../../docs/COVERAGE_PLAN.md) · 🇪🇸 [es](../../es/docs/COVERAGE_PLAN.md) · 🇫🇷 [fr](../../fr/docs/COVERAGE_PLAN.md) · 🇩🇪 [de](../../de/docs/COVERAGE_PLAN.md) · 🇮🇹 [it](../../it/docs/COVERAGE_PLAN.md) · 🇷🇺 [ru](../../ru/docs/COVERAGE_PLAN.md) · 🇨🇳 [zh-CN](../../zh-CN/docs/COVERAGE_PLAN.md) · 🇯🇵 [ja](../../ja/docs/COVERAGE_PLAN.md) · 🇰🇷 [ko](../../ko/docs/COVERAGE_PLAN.md) · 🇸🇦 [ar](../../ar/docs/COVERAGE_PLAN.md) · 🇮🇳 [hi](../../hi/docs/COVERAGE_PLAN.md) · 🇮🇳 [in](../../in/docs/COVERAGE_PLAN.md) · 🇹🇭 [th](../../th/docs/COVERAGE_PLAN.md) · 🇻🇳 [vi](../../vi/docs/COVERAGE_PLAN.md) · 🇮🇩 [id](../../id/docs/COVERAGE_PLAN.md) · 🇲🇾 [ms](../../ms/docs/COVERAGE_PLAN.md) · 🇳🇱 [nl](../../nl/docs/COVERAGE_PLAN.md) · 🇵🇱 [pl](../../pl/docs/COVERAGE_PLAN.md) · 🇸🇪 [sv](../../sv/docs/COVERAGE_PLAN.md) · 🇳🇴 [no](../../no/docs/COVERAGE_PLAN.md) · 🇩🇰 [da](../../da/docs/COVERAGE_PLAN.md) · 🇫🇮 [fi](../../fi/docs/COVERAGE_PLAN.md) · 🇵🇹 [pt](../../pt/docs/COVERAGE_PLAN.md) · 🇷🇴 [ro](../../ro/docs/COVERAGE_PLAN.md) · 🇭🇺 [hu](../../hu/docs/COVERAGE_PLAN.md) · 🇧🇬 [bg](../../bg/docs/COVERAGE_PLAN.md) · 🇸🇰 [sk](../../sk/docs/COVERAGE_PLAN.md) · 🇺🇦 [uk-UA](../../uk-UA/docs/COVERAGE_PLAN.md) · 🇮🇱 [he](../../he/docs/COVERAGE_PLAN.md) · 🇵🇭 [phi](../../phi/docs/COVERAGE_PLAN.md) · 🇧🇷 [pt-BR](../../pt-BR/docs/COVERAGE_PLAN.md) · 🇨🇿 [cs](../../cs/docs/COVERAGE_PLAN.md) · 🇹🇷 [tr](../../tr/docs/COVERAGE_PLAN.md)
+
+---
+
+آخر تحديث: 2026-03-28##
+
+هناك تفاصيل تفصيلية متعددة حول كيفية حساب التقرير. للتخطيط، واحد منهم فقط مفيد.
+
+| متري         | النطاق                                 | بقدر / سطور |    فرع | الوظائف | تعليقات                                         |
+| ------------ | -------------------------------------- | ----------: | -----: | ------: | ----------------------------------------------- |
+| تراث         | اختبار تشغيل npm القديم: غلاف          |      79.42% | 75.15% |  67.94% | مضخم: يحصي اختبارات الاختبار ويستبعد `open-sse` |
+| التشخيص      | المصدر فقط، التمييز و السبب `open-sse` |      68.16% | 63.55% |  64.06% | مفيد فقط لعزل `src/**`                          |
+| خط الأساس له | المصدر فقط، لغرض القسم `open-sse`      |      56.95% | 66.05% |  57.80% | هذا هو خط الأساس لتحسين المشروع                 |
+
+خط الأساس به هو الرقم المطلوب وتحسينه.## Rules
+
+- تستهدف تحديد الملفات المصدر، وليس على "الاختبارات/\*\*".
+- `open-sse/**` هو جزء من المنتج ويجب أن يختفي في نطاقه.
+- يجب ألا تحدد الكود الجديد من المناطق التي تم لمسها.
+- تفضيل الاختبار ونتائج الجهة على تفاصيل التنفيذ.
+- تفضيلات متطلبات بيانات SQLite المطر والتركيبات الصغيرة على الارتباطات المتخصصة لـ src/lib/db/\*\*`.## مجموعة الأوامر الحالية
+
+- `اختبار تشغيل npm: التغطية`
+  - بوابة المصدر الرئيسي لمجموعة اختبار الوحدة
+  - إنشاء ملخص النص، وhtml، وملخص json، ولكوف
+- `تغطية تشغيل npm: تقرير`
+  - تقرير مفصل لملف الآخر من العملية الأخيرة
+- `اختبار تشغيل npm:التغطية:تراث`
+  - لتحدث التاريخية فقط## المعالم
+
+| المرحلة         |         الهدف | التركيز                                           |
+| --------------- | ------------: | ------------------------------------------------- |
+| المرحلة 1       | 60% لذلك/سطور | مكاسب سريعة وتغطية شاملة لمختلف الفئات            |
+| المرحلة الثانية | 65% لذلك/سطور | أسس قاعدة البيانات والطريق                        |
+| المرحلة 3       | 70% لذلك/سطور | التحقق من صحة الموفر وتحليلات الاستخدام           |
+| الخطوة الرابعة  | 75% لذلك/سطور | مترجمون ومساعدون `open-sse'                       |
+| المرحلة الخامسة | 80% لذلك/سطور | رامات وروعة الزجاجة `open-sse`                    |
+| المرحلة السادسة | 85% لذلك/سطور | الحالات القصوى، الديون الدينية، وأجنحة الانحدار   |
+| المرحلة السابعة | 90% لذلك/سطور | الاجتياح النهائي، الإغلاق الشامل، السقاطة الساكنة |
+
+يجب أن ترتكز الجذور والوظائف مع كل مرحلة، ولكن الهدف الأساسي الثابت هو البيانات/السطور.## النقاط الساخنة ذات الأولوية
+
+توفر هذه الملفات أو المناطق أفضل عائد للمراحل التالية:1. "فتح sse/معالجات".
+
+- `chatCore.ts` بنسبة 7.57%
+- الدليل الشامل بنسبة 29.07% 2.`open-sse/translator/request`
+- الرد المرسل إليه 36.39%
+- لا يزال العديد من المترجمين على مقربة من تغطية ما يكفي من رقم واحد
+
+3. "open-sse/translator/response".
+   - الرد المرسل إليه 8.07%
+4. "open-sse/المنفذين".
+   - البريد المرسل إليه 36.62% 5.`src/lib/db`
+   - `models.ts` بنسبة 20.66%
+   - "المفاتيح الجديدة" بنسبة 34.46%
+   - `modelComboMappings.ts` بنسبة 36.25%
+   - `settings.ts` عند 46.40%
+   - `webhooks.ts' بنسبة 33.33%
+6.`src/lib/usage`
+   - `usageHistory.ts` بنسبة 21.12%
+   - `usageStats.ts` بنسبة 9.56%
+   - `costCalculator.ts` بنسبة 30.00% 7.`src/lib/providers`
+   - `validation.ts` بنسبة 41.16%
+5. ملفات المساعدة وواجهة برمجة التطبيقات (API) ذات القدرة الضعيفة على فقدان القليل
+   - `src/shared/utils/upstreamError.ts`
+   - `src/shared/utils/apiAuth.ts`
+   - `src/lib/api/errorResponse.ts`
+   - `src/app/api/settings/require-login/route.ts`
+   - `src/app/api/providers/[id]/models/route.ts`## قائمة التحقق من التنفيذ### Phase 1: 56.95% -> 60%
+
+- [x] مقياس التغطية بحيث يعكس اللون الأفضل من ملفات الاختبار
+- [x] تستخدم بنص التغطية القديم للمقارنة
+- [x] قام بعدم وجود خط الأساس ونقاط الاتصال في الريبو
+- [ ] إضافة السيولة المركزية للمرافق المتعددة:
+  - `src/shared/utils/upstreamError.ts`
+  - `src/shared/utils/fetchTimeout.ts`
+  - `src/lib/api/errorResponse.ts`
+  - `src/shared/utils/apiAuth.ts`
+  - `src/lib/display/names.ts`
+- [ ] إضافة السيولة لـ:
+  - `src/app/api/settings/require-login/route.ts`
+  - `src/app/api/providers/[id]/models/route.ts`### المرحلة الثانية: 60% -> 65%
+
+- [ ] إضافة السيولة المدعومة بقاعدة البيانات لـ:
+  - `src/lib/db/modelComboMappings.ts`
+  - `src/lib/db/settings.ts`
+  - `src/lib/db/registeredKeys.ts`
+- [ ] اشتباكات الفرع في:
+  - `src/lib/providers/validation.ts`
+  - `src/app/api/v1/embeddings/route.ts`
+  - `src/app/api/v1/moderations/route.ts`### المرحلة الثالثة: 65% -> 70%
+
+- [ ] إضافة السيولة تحليلات الاستخدام لـ:
+  - `src/lib/usage/usageHistory.ts`
+  - `src/lib/usage/usageStats.ts`
+  - `src/lib/usage/costCalculator.ts`
+- [ ] التغطية المكثفة للمحتوى الإبداعي متنوع ### المرحلة 4: 70% -> 75%
+
+- [ ] تغطية مساعدي المترجم ومسارات الترجمة المركزية:
+  - `open-sse/translator/index.ts`
+  - `open-sse/translator/helpers/*`
+  - `open-sse/translator/request/*`
+  - `open-sse/translator/response/*`### المرحلة الخامسة: 75% -> 80%
+
+- [ ] إضافة السيولة على مستوى رام لـ:
+  - `open-sse/handlers/chatCore.ts`
+  - `open-sse/handlers/responsesHandler.js`
+  - `open-sse/handlers/imageGeneration.js`
+  - `open-sse/handlers/embeddings.js`
+- [ ] إضافة المنفذ الفرعي للمصادقة الخاصة بالموفر، لتقديم المحاولة، وتجاوزات نقطة النهاية### المرحلة 6: 80% -> 85%
+
+- [ ] دمج المزيد من مجموعات الأحداث المتقدمة في مسار التغطية الرئيسية
+- [ ] الزيادة الوظيفية للوحدات قاعدة البيانات ذات التغطية الضعيفة للمنشئ/المساعد
+- [ ] إغلاق فجوات الفروع في "settings.ts"، و"registeredKeys.ts"، و"validation.ts"، ومساعدي المترجم### المرحلة السابعة: 85% -> 90%
+
+- [ ] بعض القضايا ذات الميزانية المحدودة المتبقية على أدوات الحظر
+- [ ] إضافة نسبة الانحدار لكل خطأ إنتاجي تم اكتشافه وإصلاحه أثناء الدفع إلى 90%
+- [ ] رفع بوابة التغطية في CI فقط بعد أن يكون الخط المحلي الأساسي قائمًا لتشغيلتين متتاليتين على الأقل## Ratchet Policy
+
+قم بالتأكيد بعتبات تشغيل npm: التغطية فقط بعد التجاوز الفعلي فعليًا، المرحلة الرئيسية التالية في مخزن الراحة.
+
+سلسلة السقاطة لسبب:
+
+1. 55/60/55
+2. 60/62/58
+3. 65/64/62
+4. 70/66/66
+5. 75/70/72
+6. 80/75/78
+7. 85/80/84
+8. 90/85/88
+
+الترتيب هو "أسطر البيانات / الفروع / الوظائف".## الثغرة المعروفة
+
+يقيس أمر التغطية الحالية لمجموعة العقد الرئيسية بمشاركة المصدر الذي يتم الوصول إليه منه، بما في ذلك `open-sse`. لم أدمج بعد تغطية Vitest في التقرير الموحد الواحد. وقد تم إنجاز هذا لاحقًا، ولكن لا تزيد سرعة زيادة الذاكرة بنسبة 60% -> 80%.
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`[ 32698ms] [ERROR] Failed to load resource: the server responded with a status of 404 (Not Found) @ http://localhost:20130/dashboard/usage?_rsc=18t7j:0`