diegosouzapw/OmniRoute v2.2.1 on GitHub

Bug Fixes

Gemini image routing (#273) — gemini-3.1-flash-image-preview added to antigravity image provider registry; was falling through to chat handler instead of Gemini image handler.
Ollama Cloud model listing (#276) — ollama-cloud added to PROVIDER_MODELS_CONFIG; listing models from api.ollama.com was returning 400.
Missing apiKey error clarity (#277) — Models route now returns 400 with a clear message when no API key is configured, instead of a generic 401 Unauthorized.

TLS validation re-enabled — mitm/server.ts: rejectUnauthorized now defaults to true. Opt-out via MITM_DISABLE_TLS_VERIFY=1.
Path traversal hardening — safePath() / safeProfilePath() / safeLogPath() helpers added across backupService.ts, db/backup.ts, codex-profiles/route.ts, mitm/server.ts.
Prototype pollution fix — usageHistory.ts maps use Object.create(null) + hasOwnProperty guards.
dompurify ^3.3.2 — Resolves CVE-2026-0540 (XSS).
GitHub Actions: permissions: contents: read added globally to ci.yml.

Lock file sync — @swc/helpers: "^0.5.19" override added; package-lock.json regenerated. Fixes npm ci failures in CI and Docker builds.
npm-publish: skip if version exists — Exits cleanly with warning on E403 (duplicate publish).
npm-publish: npm install instead of npm ci — Prevents failure on tag lock file drift.
Lint: cursor.ts any-budget — isToolBoundaryAbort param: any → unknown.