Changelog

[3.0.0] — 2026-03-24

🎉 OmniRoute v3.0.0 — The Free AI Gateway, Now with 67+ Providers

The biggest release ever. From 36 providers in v2.9.5 to 67+ providers in v3.0.0 — with MCP Server, A2A Protocol, auto-combo engine, Provider Icons, Registered Keys API, 926 tests, and contributions from 12 community members across 10 merged PRs.

Consolidated from v3.0.0-rc.1 through rc.17 (17 release candidates over 3 days of intense development).

🆕 New Providers (+31 since v2.9.5)

Total: 67+ providers (4 Free, 8 OAuth, 55 API Key) + unlimited OpenAI/Anthropic-Compatible custom providers.

✨ Major Features

🔑 Registered Keys Provisioning API (#464)

Auto-generate and issue OmniRoute API keys programmatically with per-provider and per-account quota enforcement.

Security: Keys stored as SHA-256 hashes. Raw key shown once on creation, never retrievable again.

🎨 Provider Icons via @lobehub/icons (#529)

130+ provider logos using @lobehub/icons React components (SVG). Fallback chain: Lobehub SVG → existing PNG → generic icon. Applied across Dashboard, Providers, and Agents pages with standardized ProviderIcon component.

🔄 Model Auto-Sync Scheduler (#488)

Auto-refreshes model lists for connected providers every 24 hours. Runs on server startup. Configurable via MODEL_SYNC_INTERVAL_HOURS.

🔀 Per-Model Combo Routing (#563)

Map model name patterns (glob) to specific combos for automatic routing:

• claude-sonnet* → code-combo, gpt-4o* → openai-combo, gemini-* → google-combo
• New model_combo_mappings table with glob-to-regex matching
• Dashboard UI section: "Model Routing Rules" with inline add/edit/toggle/delete

🧭 API Endpoints Dashboard

Interactive catalog, webhooks management, OpenAPI viewer — all in one tabbed page at /dashboard/endpoint.

🔍 Web Search Providers

5 new search provider integrations: Perplexity Search, Serper, Brave Search, Exa, Tavily — enabling grounded AI responses with real-time web data.

📊 Search Analytics

New tab in /dashboard/analytics — provider breakdown, cache hit rate, cost tracking. API: GET /api/v1/search/analytics.

🛡️ Per-API-Key Rate Limits (#452)

max_requests_per_day and max_requests_per_minute columns with in-memory sliding-window enforcement returning HTTP 429.

🎵 Media Playground

Full media generation playground at /dashboard/media: Image Generation, Video, Music, Audio Transcription (2GB upload limit), and Text-to-Speech.

🔒 Security & CI/CD

• CodeQL remediation — Fixed 10+ alerts: 6 polynomial-redos, 1 insecure-randomness (Math.random() → crypto.randomUUID()), 1 shell-command-injection
• Route validation — Zod schemas + validateBody() on 176/176 API routes — CI enforced
• CVE fix — dompurify XSS vulnerability (GHSA-v2wj-7wpq-c8vv) resolved via npm overrides
• Flatted — Bumped 3.3.3 → 3.4.2 (CWE-1321 prototype pollution)
• Docker — Upgraded docker/setup-buildx-action v3 → v4

🐛 Bug Fixes (40+)

OAuth & Auth

• #537 — Gemini CLI OAuth: clear actionable error when GEMINI_OAUTH_CLIENT_SECRET missing in Docker
• #549 — CLI settings routes now resolve real API key from keyId (not masked strings)
• #574 — Login no longer freezes after skipping wizard password setup
• #506 — Cross-platform machineId rewritten (Windows REG.exe → macOS ioreg → Linux → hostname fallback)

Providers & Routing

• #536 — LongCat AI: fixed baseUrl and authHeader
• #535 — Pinned model override: body.model correctly set to pinnedModel
• #570 — Unprefixed Claude models now resolve to Anthropic provider
• #585 — <omniModel> internal tags no longer leak to clients in SSE streaming
• #493 — Custom provider model naming no longer mangled by prefix stripping
• #490 — Streaming + context cache protection via TransformStream injection
• #511 — <omniModel> tag injected into first content chunk (not after [DONE])

CLI & Tools

• #527 — Claude Code + Codex loop: tool_result blocks now converted to text
• #524 — OpenCode config saved correctly (XDG_CONFIG_HOME, TOML format)
• #522 — API Manager: removed misleading "Copy masked key" button
• #546 — --version returning unknown on Windows (PR by @k0valik)
• #544 — Secure CLI tool detection via known installation paths (PR by @k0valik)
• #510 — Windows MSYS2/Git-Bash paths normalized automatically
• #492 — CLI detects mise/nvm-managed Node when app/server.js missing

Streaming & SSE

• PR #587 — Revert resolveDataDir import in responsesTransformer for Cloudflare Workers compat (@k0valik)
• PR #495 — Bottleneck 429 infinite wait: drop waiting jobs on rate limit (@xandr0s)
• #483 — Stop trailing data: null after [DONE] signal
• #473 — Zombie SSE streams: timeout reduced 300s → 120s for faster fallback

Media & Transcription

• Transcription — Deepgram video/mp4 → audio/mp4 MIME mapping, auto language detection, punctuation
• TTS — [object Object] error display fixed for ElevenLabs-style nested errors
• Upload limits — Media transcription increased to 2GB (nginx client_max_body_size 2g + maxDuration=300)

🔧 Infrastructure & Improvements

Sub2api Gap Analysis (T01–T15 + T23–T42)

• T01 — requested_model column in call logs (migration 009)
• T02 — Strip empty text blocks from nested tool_result.content
• T03 — Parse x-codex-5h-* / x-codex-7d-* quota headers
• T04 — X-Session-Id header for external sticky routing
• T05 — Rate-limit DB persistence with dedicated API
• T06 — Account deactivated → permanent block (1-year cooldown)
• T07 — X-Forwarded-For IP validation (extractClientIp())
• T08 — Per-API-key session limits with sliding-window enforcement
• T09 — Codex vs Spark rate-limit scopes (separate pools)
• T10 — Credits exhausted → distinct 1h cooldown fallback
• T11 — max reasoning effort → 131072 budget tokens
• T12 — MiniMax M2.7 pricing entries
• T13 — Stale quota display fix (reset window awareness)
• T14 — Proxy fast-fail TCP check (≤2s, cached 30s)
• T15 — Array content normalization for Anthropic
• T23 — Intelligent quota reset fallback (header extraction)
• T24 — 503 cooldown + 406 mapping
• T25 — Provider validation fallback
• T29 — Vertex AI Service Account JWT auth
• T33 — Thinking level to budget conversion
• T36 — 403 vs 429 error classification
• T38 — Centralized model specifications (modelSpecs.ts)
• T39 — Endpoint fallback for fetchAvailableModels
• T41 — Background task auto-redirect to flash models
• T42 — Image generation aspect ratio mapping

Other Improvements

• Per-model upstream custom headers — via configuration UI (PR #575 by @zhangqiang8vip)
• Model context length — configurable in model metadata (PR #578 by @hijak)
• Model prefix stripping — option to remove provider prefix from model names (PR #582 by @jay77721)
• Gemini CLI deprecation — marked deprecated with Google OAuth restriction warning
• YAML parser — replaced custom parser with js-yaml for correct OpenAPI spec parsing
• ZWS v5 — HMR leak fix (485 DB connections → 1, memory 2.4GB → 195MB)
• Log export — New JSON export button on dashboard with time range dropdown
• Update notification banner — dashboard homepage shows when new versions are available

🌐 i18n & Documentation

• 30 languages at 100% parity — 2,788 missing keys synced
• Czech — Full translation: 22 docs, 2,606 UI strings (PR by @zen0bit)
• Chinese (zh-CN) — Complete retranslation (PR by @only4copilot)
• VM Deployment Guide — Translated to English as source document
• API Reference — Added /v1/embeddings and /v1/audio/speech endpoints
• Provider count — Updated from 36+/40+/44+ to 67+ across README and all 30 i18n READMEs

🔀 Community PRs Merged (10)

Thank you to all contributors! 🙏

📋 Issues Resolved (50+)

#452 #458 #462 #464 #466 #473 #474 #481 #483 #487 #488 #489 #490 #491 #492 #493 #506 #508 #509 #510 #511 #513 #520 #521 #522 #524 #525 #527 #529 #531 #532 #535 #536 #537 #541 #546 #549 #563 #570 #574 #585

🧪 Tests

• 926 tests, 0 failures (up from 821 in v2.9.5)
• +105 new tests covering: model-combo mappings, registered keys, OpencodeExecutor, Bailian provider, route validation, error classification, aspect ratio mapping, and more

📦 Database Migrations

⬆️ Upgrading from v2.9.5

# npm
npm install -g omniroute@3.0.0

# Docker
docker pull diegosouzapw/omniroute:3.0.0

# Migrations run automatically on first startup

Breaking changes: None. All existing configurations, combos, and API keys are preserved.
Database migrations 008-010 run automatically on startup.

[3.0.0-rc.17] — 2026-03-24

🔒 Security & CI/CD

• CodeQL remediation — Fixed 10+ alerts:
  • 6 polynomial-redos in provider.ts / chatCore.ts (replaced (?:^|/) alternation patterns with segment-based matching)
  • 1 insecure-randomness in acp/manager.ts (Math.random() → crypto.randomUUID())
  • 1 shell-command-injection in prepublish.mjs (JSON.stringify() path escaping)
• Route validation — Added Zod schemas + validateBody() to 5 routes missing validation:
  • model-combo-mappings (POST, PUT), webhooks (POST, PUT), openapi/try (POST)
  • CI check:route-validation:t06 now passes: 176/176 routes validated

🐛 Bug Fixes

• #585 — <omniModel> internal tags no longer leak to clients in SSE responses. Added outbound sanitization TransformStream in combo.ts

⚙️ Infrastructure

• Docker — Upgraded docker/setup-buildx-action from v3 → v4 (Node.js 20 deprecation fix)
• CI cleanup — Deleted 150+ failed/cancelled workflow runs

🧪 Tests

• Test suite: 926 tests, 0 failures (+3 new)

[3.0.0-rc.16] — 2026-03-24

✨ New Features

• Increased media transcription limits
• Added Model Context Length to registry metadata
• Added per-model upstream custom headers via configuration UI
• Fixed multiple bugs, Zod valiadation for patches, and resolved various community issues.

[3.0.0-rc.15] — 2026-03-24

✨ New Features

• #563 — Per-model Combo Routing: map model name patterns (glob) to specific combos for automatic routing
  • New model_combo_mappings table (migration 010) with pattern, combo_id, priority, enabled
  • resolveComboForModel() DB function with glob-to-regex matching (case-insensitive, * and ? wildcards)
  • getComboForModel() in model.ts: augments getCombo() with model-pattern fallback
  • chat.ts: routing decision now checks model-combo mappings before single-model handling
  • API: GET/POST /api/model-combo-mappings, GET/PUT/DELETE /api/model-combo-mappings/:id
  • Dashboard: "Model Routing Rules" section added to Combos page with inline add/edit/toggle/delete
  • Examples: claude-sonnet* → code-combo, gpt-4o* → openai-combo, gemini-* → google-combo

🌐 i18n

• Full i18n Sync: 2,788 missing keys added across 30 language files — all languages now at 100% parity with en.json
• Agents page i18n: OpenCode Integration section fully internationalized (title, description, scanning, download labels)
• 6 new keys added to agents namespace for OpenCode section

🎨 UI/UX

• Provider Icons: 16 missing provider icons added (3 copied, 2 downloaded, 11 SVG created)
• SVG fallback: ProviderIcon component updated with 4-tier strategy: Lobehub → PNG → SVG → Generic icon
• Agents fingerprinting: Synced with CLI tools — added droid, openclaw, copilot, opencode to fingerprint list (14 total)

🔒 Security

• CVE fix: Resolved dompurify XSS vulnerability (GHSA-v2wj-7wpq-c8vv) via npm overrides forcing dompurify@^3.3.2
• npm audit now reports 0 vulnerabilities

🧪 Tests

• Test suite: 923 tests, 0 failures (+15 new model-combo mapping tests)

[3.0.0-rc.14] — 2026-03-23

🔀 Community PRs Merged

🧪 Tests

• Test suite: 908 tests, 0 failures

[3.0.0-rc.13] — 2026-03-23

🔧 Bug Fixes

• config: resolve real API key from keyId in CLI settings routes (codex-settings, droid-settings, kilo-settings) to prevent writing masked strings (#549)

[3.0.0-rc.12] — 2026-03-23

🔀 Community PRs Merged

🔧 Bug Fixes

• TDZ fix in cliRuntime.ts — validateEnvPath was used before initialization at module startup by getExpectedParentPaths(). Reordered declarations to fix ReferenceError.
• Build fixes — Added pino and pino-pretty to serverExternalPackages to prevent Turbopack from breaking Pino's internal worker loading.

🧪 Tests

• Test suite: 905 tests, 0 failures

[3.0.0-rc.10] — 2026-03-23

🔧 Bug Fixes

• #509 / #508 — Electron build regression: downgraded Next.js from 16.1.x to 16.0.10 to eliminate Turbopack module-hashing instability that caused blank screens in the Electron desktop bundle.
• Unit test fixes — Corrected two stale test assertions (nanobanana-image-handler aspect ratio/resolution, thinking-budget Gemini thinkingConfig field mapping) that had drifted after recent implementation changes.
• #541 — Responded to user feedback about installation complexity; no code changes required.

[3.0.0-rc.9] — 2026-03-23

✨ New Features

• T29 — Vertex AI SA JSON Executor: implemented using the jose library to handle JWT/Service Account auth, along with configurable regions in the UI and automatic partner model URL building.
• T42 — Image generation aspect ratio mapping: created sizeMapper logic for generic OpenAI formats (size), added native imagen3 handling, and updated NanoBanana endpoints to utilize mapped aspect ratios automatically.
• T38 — Centralized model specifications: modelSpecs.ts created for limits and parameters per model.

🔧 Improvements

• T40 — OpenCode CLI tools integration: native opencode-zen and opencode-go integration completed in earlier PR.

[3.0.0-rc.8] — 2026-03-23

🔧 Bug Fixes & Improvements (Fallback, Quota & Budget)

• T24 — 503 cooldown await fix + 406 mapping: mapped 406 Not Acceptable to 503 Service Unavailable with proper cooldown intervals.
• T25 — Provider validation fallback: graceful fallback to standard validation models when a specific validationModelId is not present.
• T36 — 403 vs 429 provider handling refinement: extracted into errorClassifier.ts to properly segregate hard permissions failures (403) from rate limits (429).
• T39 — Endpoint Fallback for fetchAvailableModels: implemented a tri-tier mechanism (/models -> /v1/models -> local generic catalog) + list_models_catalog MCP tool updates to reflect source and warning.
• T33 — Thinking level to budget conversion: translates qualitative thinking levels into precise budget allocations.
• T41 — Background task auto redirect: routes heavy background evaluation tasks to flash/efficient models automatically.
• T23 — Intelligent quota reset fallback: accurately extracts x-ratelimit-reset / retry-after header values or maps static cooldowns.

[3.0.0-rc.7] — 2026-03-23 (What's New vs v2.9.5 — will be released as v3.0.0)

Upgrade from v2.9.5: 16 issues resolved · 2 community PRs merged · 2 new providers · 7 new API endpoints · 3 new features · DB migration 008+009 · 832 tests passing · 15 sub2api gap improvements (T01–T15 complete).

🆕 New Providers

Both providers use the new OpencodeExecutor with multi-format routing (/chat/completions, /messages, /responses, /models/{model}:generateContent).

✨ New Features

🔑 Registered Keys Provisioning API (#464)

Auto-generate and issue OmniRoute API keys programmatically with per-provider and per-account quota enforcement.

DB — Migration 008: Three new tables: registered_keys, provider_key_limits, account_key_limits.
Security: Keys stored as SHA-256 hashes. Raw key shown once on creation, never retrievable again.
Quota types: maxActiveKeys, dailyIssueLimit, hourlyIssueLimit per provider and per account.
Idempotency: idempotency_key field prevents duplicate issuance. Returns 409 IDEMPOTENCY_CONFLICT if key was already used.
Budget per key: dailyBudget / hourlyBudget — limits how many requests a key can route per window.
GitHub reporting: Optional. Set GITHUB_ISSUES_REPO + GITHUB_ISSUES_TOKEN to auto-create GitHub issues on quota exceeded or issuance failures.

🎨 Provider Icons — @lobehub/icons (#529)

All provider icons in the dashboard now use @lobehub/icons React components (130+ providers with SVG).
Fallback chain: Lobehub SVG → existing /providers/{id}.png → generic icon. Uses a proper React ErrorBoundary pattern.

🔄 Model Auto-Sync Scheduler (#488)

OmniRoute now automatically refreshes model lists for connected providers every 24 hours.

• Runs on server startup via the existing /api/sync/initialize hook
• Configurable via MODEL_SYNC_INTERVAL_HOURS environment variable
• Covers 16 major providers
• Records last sync time in the settings database

🔧 Bug Fixes

OAuth & Auth

• #537 — Gemini CLI OAuth: Clear actionable error when GEMINI_OAUTH_CLIENT_SECRET is missing in Docker/self-hosted deployments. Previously showed cryptic client_secret is missing from Google. Now provides specific docker-compose.yml and ~/.omniroute/.env instructions.

Providers & Routing

• #536 — LongCat AI: Fixed baseUrl (api.longcat.chat/openai) and authHeader (Authorization: Bearer).
• #535 — Pinned model override: body.model is now correctly set to pinnedModel when context-cache protection is active.
• #532 — OpenCode Go key validation: Now uses the zen/v1 test endpoint (testKeyBaseUrl) — same key works for both tiers.

CLI & Tools

• #527 — Claude Code + Codex loop: tool_result blocks are now converted to text instead of dropped, stopping infinite tool-result loops.
• #524 — OpenCode config save: Added saveOpenCodeConfig() handler (XDG_CONFIG_HOME aware, writes TOML).
• #521 — Login stuck: Login no longer freezes after skipping password setup — redirects correctly to onboarding.
• #522 — API Manager: Removed misleading "Copy masked key" button (replaced with a lock icon tooltip).
• #532 — OpenCode Go config: Guide settings handler now handles opencode toolId.

Developer Experience

• #489 — Antigravity: Missing googleProjectId returns a structured 422 error with reconnect guidance instead of a cryptic crash.
• #510 — Windows paths: MSYS2/Git-Bash paths (/c/Program Files/...) are now normalized to C:\\Program Files\\... automatically.
• #492 — CLI startup: omniroute CLI now detects mise/nvm-managed Node when app/server.js is missing and shows targeted fix instructions.

📖 Documentation Updates

• #513 — Docker password reset: INITIAL_PASSWORD env var workaround documented
• #520 — pnpm: pnpm approve-builds better-sqlite3 step documented

✅ Issues Resolved in v3.0.0

#464 #488 #489 #492 #510 #513 #520 #521 #522 #524 #527 #529 #532 #535 #536 #537

🔀 Community PRs Merged

[3.0.0-rc.7] - 2026-03-23

🔧 Improvements (sub2api Gap Analysis — T05, T08, T09, T13, T14)

• T05 — Rate-limit DB persistence: setConnectionRateLimitUntil(), isConnectionRateLimited(), getRateLimitedConnections() in providers.ts. The existing rate_limited_until column is now exposed as a dedicated API — OAuth token refresh must NOT touch this field to prevent rate-limit loops.
• T08 — Per-API-key session limit: max_sessions INTEGER DEFAULT 0 added to api_keys via auto-migration. sessionManager.ts gains registerKeySession(), unregisterKeySession(), checkSessionLimit(), and getActiveSessionCountForKey(). Callers in chatCore.js can enforce the limit and decrement on req.close.
• T09 — Codex vs Spark rate-limit scopes: getCodexModelScope() and getCodexRateLimitKey() in codex.ts. Standard models (gpt-5.x-codex, codex-mini) get scope "codex"; spark models (codex-spark*) get scope "spark". Rate-limit keys should be ${accountId}:${scope} so exhausting one pool doesn't block the other.
• T13 — Stale quota display fix: getEffectiveQuotaUsage(used, resetAt) returns 0 when the reset window has passed; formatResetCountdown(resetAt) returns a human-readable countdown string (e.g. "2h 35m"). Both exported from providers.ts + localDb.ts for dashboard consumption.
• T14 — Proxy fast-fail: new src/lib/proxyHealth.ts with isProxyReachable(proxyUrl, timeoutMs=2000) (TCP check, ≤2s instead of 30s timeout), getCachedProxyHealth(), invalidateProxyHealth(), and getAllProxyHealthStatuses(). Results cached 30s by default; configurable via PROXY_FAST_FAIL_TIMEOUT_MS / PROXY_HEALTH_CACHE_TTL_MS.

🧪 Tests

• Test suite: 832 tests, 0 failures

[3.0.0-rc.6] - 2026-03-23

🔧 Bug Fixes & Improvements (sub2api Gap Analysis — T01–T15)

• T01 — requested_model column in call_logs (migration 009): track which model the client originally requested vs the actual routed model. Enables fallback rate analytics.
• T02 — Strip empty text blocks from nested tool_result.content: prevents Anthropic 400 errors (text content blocks must be non-empty) when Claude Code chains tool results.
• T03 — Parse x-codex-5h-* / x-codex-7d-* headers: parseCodexQuotaHeaders() + getCodexResetTime() extract Codex quota windows for precise cooldown scheduling instead of generic 5-min fallback.
• T04 — X-Session-Id header for external sticky routing: extractExternalSessionId() in sessionManager.ts reads x-session-id / x-omniroute-session headers with ext: prefix to avoid collision with internal SHA-256 session IDs. Nginx-compatible (hyphenated header).
• T06 — Account deactivated → permanent block: isAccountDeactivated() in accountFallback.ts detects 401 deactivation signals and applies a 1-year cooldown to prevent retrying permanently dead accounts.
• T07 — X-Forwarded-For IP validation: new src/lib/ipUtils.ts with extractClientIp() and getClientIpFromRequest() — skips unknown/non-IP entries in X-Forwarded-For chains (Nginx/proxy-forwarded requests).
• T10 — Credits exhausted → distinct fallback: isCreditsExhausted() in accountFallback.ts returns 1h cooldown with creditsExhausted flag, distinct from generic 429 rate limiting.
• T11 — max reasoning effort → 131072 budget tokens: EFFORT_BUDGETS and THINKING_LEVEL_MAP updated; reverse mapping now returns "max" for full-budget responses. Unit test updated.
• T12 — MiniMax M2.7 pricing entries added: minimax-m2.7, MiniMax-M2.7, minimax-m2.7-highspeed added to pricing table (sub2api PR #1120). M2.5/GLM-4.7/GLM-5/Kimi pricing already existed.
• T15 — Array content normalization: normalizeContentToString() helper in openai-to-claude.ts correctly collapses array-formatted system/tool messages to string before sending to Anthropic.

🧪 Tests

• Test suite: 832 tests, 0 failures (unchanged from rc.5)

[3.0.0-rc.5] - 2026-03-22

✨ New Features

• #464 — Registered Keys Provisioning API: auto-issue API keys with per-provider & per-account quota enforcement
  • POST /api/v1/registered-keys — issue keys with idempotency support
  • GET /api/v1/registered-keys — list (masked) registered keys
  • GET /api/v1/registered-keys/{id} — get key metadata
  • DELETE /api/v1/registered-keys/{id} / POST ../{id}/revoke — revoke keys
  • GET /api/v1/quotas/check — pre-validate before issuing
  • PUT /api/v1/providers/{id}/limits — set provider issuance limits
  • PUT /api/v1/accounts/{id}/limits — set account issuance limits
  • POST /api/v1/issues/report — optional GitHub issue reporting
  • DB migration 008: registered_keys, provider_key_limits, account_key_limits tables

[3.0.0-rc.4] - 2026-03-22

✨ New Features

• #530 (PR) — OpenCode Zen and OpenCode Go providers added (by @kang-heewon)
  • New OpencodeExecutor with multi-format routing (/chat/completions, /messages, /responses)
  • 7 models across both tiers

[3.0.0-rc.3] - 2026-03-22

✨ New Features

• #529 — Provider icons now use @lobehub/icons with graceful PNG fallback and a ProviderIcon component (130+ providers supported)
• #488 — Auto-update model lists every 24h via modelSyncScheduler (configurable via MODEL_SYNC_INTERVAL_HOURS)

🔧 Bug Fixes

• #537 — Gemini CLI OAuth: now shows clear actionable error when GEMINI_OAUTH_CLIENT_SECRET is missing in Docker/self-hosted deployments

[3.0.0-rc.2] - 2026-03-22

🔧 Bug Fixes

• #536 — LongCat AI key validation: fixed baseUrl (api.longcat.chat/openai) and authHeader (Authorization: Bearer)
• #535 — Pinned model override: body.model is now set to pinnedModel when context-cache protection detects a pinned model
• #524 — OpenCode config now saved correctly: added saveOpenCodeConfig() handler (XDG_CONFIG_HOME aware, writes TOML)

[3.0.0-rc.1] - 2026-03-22

🔧 Bug Fixes

• #521 — Login no longer gets stuck after skipping password setup (redirects to onboarding)
• #522 — API Manager: Removed misleading "Copy masked key" button (replaced with lock icon tooltip)
• #527 — Claude Code + Codex superpowers loop: tool_result blocks now converted to text instead of dropped
• #532 — OpenCode GO API key validation now uses the correct zen/v1 endpoint (testKeyBaseUrl)
• #489 — Antigravity: missing googleProjectId returns structured 422 error with reconnect guidance
• #510 — Windows: MSYS2/Git-Bash paths (/c/Program Files/...) are now normalized to C:\\Program Files\\...
• #492 — omniroute CLI now detects mise/nvm when app/server.js is missing and shows targeted fix

📖 Documentation

• #513 — Docker password reset: INITIAL_PASSWORD env var workaround documented
• #520 — pnpm: pnpm approve-builds better-sqlite3 documented

✅ Closed Issues

#489, #492, #510, #513, #520, #521, #522, #525, #527, #532