github diegosouzapw/OmniRoute v3.6.6

9 hours ago

✨ New Features

  • feat(storage): Add database backup cleanup controls, UI management, and customizable retention period env vars (#1304)
  • feat(providers): Add Freepik Pikaso image generation provider with support for cookie/subscription-based auth modes (#1277)
  • feat(providers): Add Perplexity Web (Session) Provider — Routes through Perplexity's internal SSE API using a session cookie, giving native proxy access without separate API costs to GPT-5.4, Claude Opus, Gemini 3.1 Pro, and Nemotron via preferences mapping (#1289)
  • feat(api): Sync Tokens & V1 WebSocket Bridge — Dedicated sync token storage, issuance, revocation, and bundle download routes backed by stable config bundle versioning with ETag support. Exposes /v1/ws WebSocket upgrade route and a custom Next.js server bridge (scripts/v1-ws-bridge.mjs) so OpenAI-compatible WebSocket traffic can be proxied through the gateway. Compliance auditing expanded with structured metadata, pagination, request context, auth/provider credential events, and SSRF-blocked validation logging. New migrations: 024_create_sync_tokens.sql. New modules: syncTokens.ts, src/lib/sync/bundle.ts, src/lib/sync/tokens.ts, src/lib/ws/handshake.ts, src/lib/apiBridgeServer.ts, src/lib/compliance/providerAudit.ts.
  • feat(models): GLM Thinking Preset & Hybrid Token Counting — GLM Thinking (glmt) registered as a first-class provider preset with shared GLM model metadata, pricing, per-connection usage sync, dashboard support, and maxTokens: 65536 / thinkingBudgetTokens: 24576 request defaults with 900s extended timeout. Provider-side /messages/count_tokens endpoint used when a Claude-compatible upstream supports it; gracefully falls back to estimation on missing models, missing credentials, or upstream failures. Startup seeding of default model aliases (src/lib/modelAliasSeed.ts) normalizes common cross-proxy model dialects so canonical slash-based model IDs are not misrouted. New file open-sse/config/glmProvider.ts.
  • feat(core): Hardened Outbound Provider Calls & Cooldown Retries — Guarded outbound fetch helpers (src/shared/network/safeOutboundFetch.ts, src/shared/network/outboundUrlGuard.ts) blocking private/local URLs with configurable retry, timeout normalisation, and route-level status propagation for provider validation and model discovery. Cooldown-aware chat retries (src/sse/services/cooldownAwareRetry.ts) with configurable requestRetry and maxRetryIntervalSec settings and model-scoped cooldown responses. Improved rate-limit learning from headers and error bodies so short upstream lockouts can recover automatically. Runtime environment validation (src/lib/env/runtimeEnv.ts) checks env at startup. Pollinations now requires an API key. Antigravity and Codex header handling aligned via open-sse/config/antigravityUpstream.ts and open-sse/config/codexClient.ts. Gemini tool names restored in translated responses; synthetic Claude text block injected when upstream SSE completes empty.
  • feat(logs): Add TPS (Tokens Per Second) metric to log details modal metadata grid (#1182)
  • feat(memory+skills): Full-featured Memory & Skills systems with FTS5 SQLite search, dynamic UI pagination, backend observability, and extensive test coverage (#1228)
  • feat(bailian-quota): Add Alibaba Coding Plan quota monitoring, multi-window quota extraction, and UI credential validation (#1235)
  • feat(storage): Call Log Storage Refactor — Extracted heavy request/response JSON payloads from the core SQLite database (storage.sqlite) into filesystem artifacts stored within DATA_DIR/call_logs. This massively reduces WAL bloat and eliminates SQLITE_FULL crashes on high-traffic nodes (#1307).
  • feat(providers): Add Grok Web (Subscription) Provider — Routes through the xAI web interface for subscription users via cookie session mapping (#1295).
  • feat(api): Advanced Media Support — Extends OpenAI generic proxy layer to natively support image, embeddings, audio-transcriptions, and audio-speech workflows (#1297).
  • feat(cli-tools): Qwen Code CLI Integration — Full integration for Qwen Code local execution mapping, model resolution, and dynamic API key fetching (#1266, #1263).
  • feat(oauth): Supports cursor-agent CLI as a native Cursor credential source alongside the standard configuration (#1258).
  • feat(models): Custom and imported models now merge correctly into filter lists for all available global providers (#1191).
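
The outbound URL guard described in the Hardened Outbound Provider Calls item above, sketched as an added example in plain JavaScript (not OmniRoute's own safeOutboundFetch.ts or outboundUrlGuard.ts code): it rejects provider URLs whose literal host is loopback, private or link-local. The function names, reason strings and blocked-range list are assumptions.

```javascript
// Added example, not OmniRoute code. Names and the range list are assumptions.
// Blocks provider URLs whose literal host is loopback, private or link-local.
const BLOCKED_V4 = [ // [network, prefix length]
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

const v4ToInt = (ip) => ip.split(".").reduce((acc, p) => acc * 256 + Number(p), 0);

function isBlockedV4(ip) {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits); // addresses per block of this prefix length
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

// `host` is the bracket-free IPv6 text as serialized by the WHATWG URL parser
// (lower-case, compressed, IPv4-mapped addresses rendered as two hex groups).
function isBlockedV6(host) {
  if (host === "::" || host === "::1") return true;
  const mapped = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (mapped) {
    const hi = parseInt(mapped[1], 16);
    const lo = parseInt(mapped[2], 16);
    return isBlockedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join("."));
  }
  // fc00::/7 (unique local) and fe80::/10 (link-local)
  return /^f[cd][0-9a-f]{2}:/.test(host) || /^fe[89ab][0-9a-f]:/.test(host);
}

function checkOutboundUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { allowed: false, reason: "invalid-url" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: "scheme" };
  }
  // The parser has already normalized forms such as 2130706433 or 0x7f.1 to dotted quads.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) {
    return { allowed: false, reason: "localhost" };
  }
  const blocked = host.startsWith("[")
    ? isBlockedV6(host.slice(1, -1))
    : /^\d+\.\d+\.\d+\.\d+$/.test(host) && isBlockedV4(host);
  return blocked ? { allowed: false, reason: "private-address" } : { allowed: true, reason: "ok" };
}
```

A literal-host check does not cover hostnames that resolve to private addresses; a complete guard also validates the resolved IP at connect time.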

🐛 Bug Fixes

  • fix(providers): match correct endpoint api.xiaomimimo.com for Xiaomi MiMo (#1303)

  • fix(core): strip provider alias routing prefix from payload for custom endpoints to fix Azure OpenAI 400 errors (#1261)

  • fix(core): ProxyFetch Undici dispatcher automatically bypasses LAN/local addresses, preventing fetch failures on internal OpenRouter requests (#1254)

  • fix(core): Gemini thought stream signature detection upgraded to use native part.thought boolean, preventing reasoning text leaks (#1298)

  • deps: bump hono from 4.12.12 to 4.12.14 to resolve an SSR HTML injection CVE (#1306, #59)

  • deps: update dompurify to 3.4.0 in frontend overrides mitigating XSS HTML Injection (CVE-XYZ / Dependabot #60)

  • test: Disable SQLite automatic backups during continuous integration (CI) tests to resolve E2E timeout issues limiting runner scaling (#24481475058)

  • feat(core): Proactive Context Compression: chatCore now proactively compresses oversized message contexts before hitting upstream providers to dramatically reduce context_length_exceeded errors. Employs binary-search message pruning with structural integrity guarantees: explicit tool_use boundaries are tracked so that truncated tool inputs drop their paired outputs (#1292, #1293)

  • fix(cli): Fix codex routing config parsing by strictly quoting the section keys array, enforcing the responses wire_api with fallback, and standardizing select-model button positioning to mirror the Claude UI

  • fix(providers): Correct Lobehub provider icon rendering by removing unsupported local references, so that the local SVG/PNG fallback mechanism is invoked natively

  • fix(db): Add safety-abort safeguards to database migration tracking (pre-migration backups via VACUUM INTO and mass renumbering warnings) to protect existing database structures on startup upgrades (#1281)

  • fix(dashboard): Cleaned up target codex config.toml structure preventing recursive section rendering by enforcing quotes on section dot paths and mapping correct UI OMNIROUTE_API_KEY names.

  • fix(mcp): Add dedicated explicit timeout constraint overrides for search handlers (#1280)

  • fix(crypto): Add validation guard to encryption layer to surface clear UI errors when cryptographic environment variables are missing, replacing raw Node.js TypeErrors. Legacy env vars OMNIROUTE_CRYPT_KEY and OMNIROUTE_API_KEY_BASE64 now also accepted as fallbacks (#1165)

  • fix(providers): Update Pollinations provider definition to require API keys and specify their new limited pollen/hour free tier (#1177)

  • Streaming \n\n Artifact Fix (#1211): Changed <omniModel> tag-stripping regex from ? to * quantifier across combo.ts, comboAgentMiddleware.ts, and contextHandoff.ts to greedily strip all accumulated JSON-escaped newline sequences surrounding the tag. This prevents literal \n\n prefix artifacts from appearing in consumer streaming responses

  • E2E Combo Test Locator: Fixed Playwright strict-mode violation in combo-unification.spec.ts by replacing ambiguous getByRole locator with a compound filter locator for the "All" strategy tab

  • fix(cc-compatible): Trim beta flags and preserve cache passthrough for third-party HTTP proxy compatibility (#1230)

  • fix(providers): Update Xiaomi MiMo endpoints to the live token-plan, migrating away from dead API URLs (#1238)

  • fix: Forward client x-initiator header to GitHub Copilot upstream to accurately distinguish agent vs user turns (#1227)

  • fix: Resolve backlog bugs including streaming edge cases, unhandled rejections, and quota parse failures (#1206, #1220, #1231, #1175, #1187, #1218, #1202)

  • fix(tests): Resolve memory migration and skills route pagination bugs arising from PR overlaps

  • fix(i18n): Add missing Chinese i18n support to dashboard components (DataTable, EmptyState, etc), update en.json/zh-CN.json routing keys, and natively resolve JSX defaults via next-intl (#1274)

🔧 Internal Improvements

  • Compliance Audit Expansion: src/lib/compliance/index.ts expanded with structured metadata, pagination support, request context enrichment, and new providerAudit.ts module logging auth and provider credential events, SSRF-blocked validation attempts, and provider CRUD operations
  • Config Sync Bundle: src/lib/sync/bundle.ts exports buildConfigBundle() generating a versioned JSON snapshot of settings, provider connections, nodes, model aliases, combos, and API keys (passwords redacted) with ETag support for bandwidth-efficient polling
  • Codex Client Constants: Centralized CODEX_CLIENT_VERSION, CODEX_USER_AGENT_PLATFORM, and pattern-validated env overrides (CODEX_CLIENT_VERSION, CODEX_USER_AGENT) in open-sse/config/codexClient.ts
  • Antigravity Upstream Constants: open-sse/config/antigravityUpstream.ts consolidates all Antigravity base URLs and model/fetchAvailableModels discovery path builders
  • Model Alias Seed: src/lib/modelAliasSeed.ts seeds 30+ cross-proxy model dialect aliases (e.g. openai/gpt-5 → gpt-5, anthropic/claude-opus-4-6 → cc/claude-opus-4-6) at startup via idempotent upsert
  • Test Coverage: 15+ new unit test suites covering sync routes, WebSocket bridge, compliance index, GLM provider config, cooldown-aware retry, safe outbound fetch, stream utilities, Codex executor, provider validation branches, model cross-proxy compatibility, and model alias seeding
  • TypeScript Migration: Finalized migration of remaining JS tests (proxy-load and testFromFile) to TypeScript ES modules, ensuring a fully synchronized TS stack.
  • Reliability & Resilience: Added exponential backoff to models.dev auto-sync to combat transient network failures, raised interval floor to 1 hour, and added LKGP debug logging for enhanced observability during routing. (#1286)
