github diegosouzapw/OmniRoute v3.7.0
on GitHub

3 hours ago

✨ New Features

  • feat(providers): Implement Image Generation and Editing capabilities for ChatGPT Web, including in-band chat image generation and caching (#1606).

  • feat(ui): Integrate OpenCode Zen/Go API tool logo SVG and polish API key copy-to-clipboard interactions (#1607).

  • feat(providers): Add CrofAI as a built-in API-key provider with quota/usage monitoring wired into the dashboard Limits page (#1604, #1606).

  • feat(skills): Add workspace-scoped built-in skills (file_read, file_write, http_request, eval_code, execute_command) with real sandbox execution via Docker, replacing stub responses. Browser skills now fail explicitly when runtime is not configured.

  • feat(providers): Integrate AgentRouter as a new OpenAI-compatible passthrough provider with $200 free credits via sign-up (Issue #1572).

  • feat(ui): Implement on-demand per-model testing in the provider dashboard, allowing single-token diagnostic checks without triggering rate-limits (Issue #1532).

  • feat(provider): add ChatGPT Web (Plus/Pro) session provider (#1593)

  • feat(provider): add Baidu Qianfan chat provider (#1582)

  • feat(codex): support GPT-5.5 responses websocket (#1573)

  • feat(sse): Codex CLI image_generation + DALL-E-style image route (#1544)

  • feat(dashboard): Complete the reconciled v3.7.0 dashboard task set: MCP cache tools and count, video endpoint visibility, provider taxonomy, upstream proxy visibility, provider count badges, costs overview, eval suite management, Custom CLI builder, ACP-focused Agents copy, Translator stream transformer, logs convergence, learned rate-limit health cards, docs expansion, and active request payload inspection.

  • feat(mcp): Register omniroute_cache_stats and omniroute_cache_flush across MCP schemas, server registration, handlers, docs, and tests.

  • feat(providers): Complete the v3.7.0 provider onboarding wave with self-hosted/local providers (lm-studio, vllm, lemonade, llamafile, triton, docker-model-runner, xinference, oobabooga), OpenAI-compatible gateways (glhf, cablyai, thebai, fenayai, empower, poe), enterprise providers (datarobot, azure-openai, azure-ai, bedrock, watsonx, oci, sap), specialty providers (clarifai, modal, reka, nous-research, nlpcloud, petals, vertex-partner), amazon-q, GitLab/GitLab Duo, and Chutes.ai.

  • feat(providers): Add Cloudflare Workers AI integration and UI support for robust backend execution.

  • feat(telemetry): Implement proactive public IP capture from client headers (x-forwarded-for, x-real-ip, etc.) within safeLogEvents for accurate database observability.

  • feat(audio): Add AWS Polly as an audio speech provider with SigV4 request signing, static engine catalog, provider validation, managed-provider UI coverage, and sanitization for AWS secret/session fields.

  • feat(search): Add You.com search provider support with dashboard discovery, validation, livecrawl option handling, and search handler normalization.

  • feat(video): Add RunwayML task-based video generation support, task polling, provider catalog metadata, validation, and dashboard/model-list coverage.

  • feat(providers): Add search functionality to the providers dashboard with i18n support. (#1511 — thanks @th-ch)

  • feat(providers): Register 6 new models in the opencode-go provider catalog. (#1510 — thanks @kang-heewon)

  • feat(providers): Add ModelScope provider (Chinese AI marketplace) with Kimi K2.5, GLM-5, and Step-3.5-Flash integration. (#1430 — thanks @clousky2020)

  • feat(providers): Add LM Studio as an OpenAI-compatible local provider for self-hosted model inference.

  • feat(providers): Add Grok 4.3 thinking model support for xAI web executor requests.

  • feat(core): Implement provider-level Circuit Breaker to prevent cascading failures across connections, enforcing a 10-minute cooldown after 5 consecutive transient failures. (#1430)

  • feat(core): Add daily quota exhaustion lock to detect "quota exceeded" signals and lock the specific model until midnight. (#1430)

  • feat(core): Auto-inject stream_options.include_usage = true for OpenAI format streams to guarantee token usage is reported correctly during streaming. (#1423)

  • feat(core): Add OpenAI Batch Processing API support — submit, monitor, and manage batch jobs through the proxy with full lifecycle tracking.

  • feat(vision-bridge): Add automatic image description fallback for non-vision models via VisionBridgeGuardrail (priority 5). Intercepts image-bearing requests to non-vision models, extracts descriptions via a configurable vision model (default: gpt-4o-mini), and replaces images with text before forwarding. Fails open on any error. (#1476)

  • feat(dashboard): Introduce real-time model status badges with countdown timers in the provider detail and combo panel interfaces. (#1430)

  • feat(dashboard): Add Batch/File management data grid with full i18n translations for batch processing workflows. (#1479)

  • feat(usage): MiniMax + MiniMax-CN quota tracking in provider limits dashboard. (#1516)

  • feat(providers): Fix OpenRouter remote discovery and unify managed model sync. (#1521)

  • feat(providers): Implement provider and account-level concurrency cap enforcement (maxConcurrent) using robust semaphore mechanisms. (#1524)

  • feat(core): Implement Hermes CLI config generation and message content stripping. (#1475)

  • feat(combos): Add expert combo configuration mode for advanced routing controls. (#1547)

  • feat(providers): Register Codex auto review and expand icon coverage.

  • feat(tunnels): Add Tailscale tunnel management routes and runtime helpers for install, login, daemon start, enable/disable, and health checks.

🐛 Bug Fixes

  • fix(mitm): Compile MITM utilities as NodeNext ESM during prepublish, copy the CommonJS MITM server into the standalone artifact, and resolve MITM data paths without relying on Next.js aliases in packaged runtime.

  • fix(build): Move the local .tmp/wine32 Wine prefix out of the isolated Next.js build path so Windows Electron packaging artifacts cannot trigger EACCES scans during Node 24 builds.

  • fix(build): Copy the wreq-js native runtime directory into the isolated Next.js standalone output so packaged Playwright/E2E starts can load the instrumentation hook on Linux.

  • fix(api): Validate the Codex Responses websocket bridge and /v1/batches JSON payloads with Zod before use, keeping request.json() route validation green and returning explicit 400 responses for invalid bodies.

  • fix(providers): Add explicit typing to provider alias and category helpers so the strict typecheck:noimplicit:core CI gate passes.

  • fix(ui): Keep the upstream proxy provider detail page labeled with a fallback "Managed via Upstream Proxy Settings" management surface when translations are unavailable.

  • fix(electron): Harden the production desktop CSP by removing unsafe-eval outside development and adding object, base URI, form action, frame ancestor, and worker restrictions.

  • fix(cli): Replace shell-interpolated setup and privileged command execution paths with argument-based spawn/execFile helpers for database setup, Tailscale sudo commands, MITM DNS edits, and certificate install/uninstall flows.

  • fix(ui): Keep provider icons resilient by using direct @lobehub/icons components first, then local PNG/SVG fallbacks, avoiding the @lobehub/ui peer runtime in the dashboard.

  • fix(chatgpt-web): Fix empty-file race in tlsFetchStreaming where waitForFile accepted zero-byte files, silently degrading streaming requests to buffered mode. Replaced with waitForContent requiring file.size > 0 with early exit on request settlement. (#1597 — thanks @trader-payne)

  • fix(chatgpt-web): Fix stale NextAuth session-token cookies surviving rotation shape changes (unchunked↔chunked). mergeRefreshedCookie now drops all session-token family members via SESSION_TOKEN_FAMILY_RE before appending the refreshed set, preventing auth failures from dual cookie submission. (#1597 — thanks @trader-payne)

  • fix(codex): WebSocket memory retention and weekly limit handling (#1581)

  • fix(providers): Default models list logic (#1577)

  • fix(ui): Dashboard endpoint URL hydration respects NEXT_PUBLIC_BASE_URL when behind a reverse proxy (#1579)

  • fix(providers): Restore strict PascalCase header masquerading for Claude Code to resolve HTTP 429 upstream errors (#1556)

  • fix(sse): make Responses passthrough robust for size-sensitive clients (#1580)

  • fix(codex): update client version for gpt-5.5 (#1578)

  • fix(vision-bridge): force GPT-family image fallback (#1571)

  • fix(claude): skip adaptive thinking defaults for unsupported models (#1563)

  • fix(claude): preserve tool_result adjacency in native and CC-compatible paths (#1555)

  • fix(reasoning): Preserve OpenAI Chat Completions reasoning_effort through assistant-prefill requests and label OpenAI request protocols explicitly as OpenAI-Chat or OpenAI-Responses. (#1550)

  • fix(codex): Fix Codex auto-review model routing so review traffic resolves to the intended configured model. (#1551)

  • fix(resilience): Route HTTP 429 cooldowns through runtime settings so cooldown behavior follows the configured resilience profile. (#1548)

  • fix(providers): Normalize Anthropic header keys to lowercase in the provider registry to avoid duplicate or case-variant upstream headers. (#1527)

  • fix(providers): Preserve audio, embedding, rerank, image, video, and OpenAI-compatible alias metadata when /v1/models merges static and discovered catalogs.

  • fix(providers): Discover Azure OpenAI deployments from resource endpoints using api-key auth and configurable API versions.

  • fix(providers): Keep local OpenAI-style providers authless when no API key is configured, including the Lemonade Server default endpoint.

  • fix(translator): Preserve Antigravity default system instructions and caller-provided system prompts as separate Gemini systemInstruction parts instead of concatenating them.

  • fix(security): Sanitize provider-specific AWS secrets and session tokens from provider management API responses.

  • fix(release): Resolve combo prefixing, Electron packaging, CLI auth, and release-branch integration regressions. (#1471, #1492, #1496, #1497, #1486)

  • fix(providers): Resolve 400 errors for GLM and Antigravity Claude adapter during request translation by scoping prompt caching to compatible Anthropic endpoints and flattening system instructions. (#1514, #1520, #1522)

  • fix(core): Strip reasoning_content from OpenAI format messages for non-reasoning models to prevent upstream HTTP 400 validation errors. (#1505)

  • fix(sse): Map Claude output_config/thinking to OpenAI reasoning_effort for proper Antigravity tool translation. (#1528)

  • fix(combo): Fallback to next model on all-accounts-rate-limited (HTTP 503/429) to maintain high availability. (#1523)

  • fix(api): Harden batch and file endpoints for auth and recovery to prevent schema state collisions.

  • fix(ui): Add missing UI wiring for "Add Memory" and "Import" buttons on the /dashboard/memory page. (#1506)

  • fix(ui): Prevent Dark Mode FOUC (Flash of Unstyled Content) by injecting a synchronous theme initialization script into the root layout.tsx.

  • fix(ui): Fix mobile layout text overflow in provider and combo cards, and enable touch-friendly reordering arrows across all combo strategies.

  • fix(core): Add periodic runtime log rotation checks to prevent disk exhaustion in long-running instances. (#1504 — thanks @ether-btc)

  • fix(build): Resolve missing process module in webpack client build for pino-abstract-transport. (#1509 — thanks @hartmark)

  • fix(ui): Add dark mode support for native dropdown <option> elements on Linux/Windows, resolving invisible text in settings and combo builders (#1488)

  • fix(batch): Add batch item dispatching to specific handlers based on URL to support embeddings and other modalities (#1495 — thanks @hartmark)

  • fix(dashboard): Correct TOML round-trip corruption in Codex config serializer by dequoting keys and preserving array/boolean structures properly. (#1438 — thanks @benzntech)

  • fix(security): Resolve CodeQL alert 164 (ReDoS in extraction) and 163 (incomplete URL sanitization). (#163, #164)

  • fix(providers): Add optional chaining to connection object before accessing providerSpecificData, preventing runtime errors when the connection is null/undefined.

  • fix(codex): Preserve namespace MCP tools forwarded to Codex Responses API, preventing tool name stripping during translation. (#1483)

  • fix(codex): Deduplicate case-variant anthropic-version header in Claude Code patch to prevent duplicate header injection. (#1481)

  • fix(fallback): Use shared CircuitBreaker instead of undefined constants, fixing runtime errors in provider failure handling. (#1485)

  • fix(fallback): Merge new provider failure threshold fields (providerFailureThreshold, providerFailureWindowMs, providerCooldownMs) into resilience profiles.

  • fix(fallback): Remove 429 from PROVIDER_FAILURE_ERROR_CODES — rate limits are already handled by model-level and account-level locks; including them in the provider-wide circuit breaker caused premature cooldown.

  • fix(sse): Enable tool calling for GPT OSS and DeepSeek Reasoner models. (#1455)

  • fix(encryption): Return null on decryption failure to prevent sending encrypted tokens to providers. (#1462)

  • fix(combo): Resolve cross-provider thinking 400 errors and HTTP clipboard issues during combo routing. (#1444)

  • fix(core): Resolve skills, memory, and encryption system issues affecting startup and runtime stability. (#1456)

  • fix(core): Fix model ID parsing for providers with slashes in model names — use indexOf/substring instead of split to handle models like modelscope/moonshotai/Kimi-K2.5.

  • fix(core): Fix reference counting in ModelStatusContext — changed registeredModels from Set to Map<string, number> to prevent polling stop when one component unmounts while others still track the same model.

  • fix(security): Prompt injection guard failures now return an explicit 500 response instead of silently passing through (fail-closed policy).

  • fix(security): Encryption now derives new keys from a secret-based salt while falling back to the legacy static-salt key during decryption, preserving existing stored credentials.

  • fix(combo): Resolve context truncation bug in combo routing to prevent incomplete execution states. (#1517)

  • fix(compression): Implement bidirectional tool_pair cleaning for anthropic inputs (fixes #1592).

  • fix: Resolve v3.7.0 stabilization issues including dashboard navigation routing, ProxyRegistryManager component layout, and models API response merging (#1566, #1560, #1559).

  • fix(cli): Preserve TOML integer/boolean types in Codex config round-trip to prevent tui.model_availability_nux validation errors.

  • fix(tailscale): Support sudo auth prompts and live daemon socket detection for non-root tunnel management.

  • fix(dashboard): Stabilize usage tab loading and refresh behavior to prevent empty state flashes.

  • fix(i18n): Translate 519 untranslated pt-BR keys and add missing Windsurf/Cline/Kimi docs keys.

  • fix(i18n): Add missing dashboard message keys across all 30 locales.

  • fix(cli): Align OpenCode config preview and add multi-model selection (#1602).

  • fix(security): Harden management API auth and OpenAPI try-proxy endpoint.

  • fix(security): Resolve vulnerability scan findings for auth-guarded routes.

♻️ Refactoring

  • refactor(fallback): Make provider failure thresholds configurable via PROVIDER_PROFILES instead of hardcoded constants, supporting different failure tolerance per provider type. (#1449)
  • refactor(resilience): Unify resilience controls across the codebase for consistent circuit breaker and fallback behavior. (#1449)
  • refactor(core): Implement shared path utilities, add custom date formatting, improve type safety, and unify database imports across modules.
  • refactor(security): Harden backup archive creation by switching to execFileSync, validate ACP agent IDs, expand shared CORS handling.
  • refactor(release): Remove obsolete agent workflow playbooks and the stale compiled src/lib/dataPaths.js artifact. (#1541)

🧪 Tests

  • test(providers): Add targeted coverage for AWS Polly SigV4 speech/validation, Azure OpenAI deployment discovery, Lemonade local discovery, provider dashboard taxonomy, managed provider catalog behavior, and merged /v1/models alias metadata.
  • test(catalog): Add v3.7.0 catalog coverage for Pollinations text models, Perplexity Sonar via Puter, and NVIDIA free-model alias resolution.
  • test(vision-bridge): Add 51 unit tests covering all VisionBridge spec scenarios (VB-S01 through VB-S10), including helper functions for callVisionModel, extractImageParts, replaceImageParts, and resolveImageAsDataUri.
  • test(batch-api): Isolate batch API unit tests with temp DATA_DIR to prevent schema state collisions.
  • test(settings-api): Add test harness with createSettingsApiHarness function for proper temp directory setup and storage reset between tests.
  • test(security): Update prompt injection test for fail-closed policy alignment.
  • test(core): Restore local test fixes for encryption and resilience modules.
  • test(next): Align transpile package expectations for the Next.js standalone build.
  • test(ci): Fix CI-only test failures from environment differences — clear INITIAL_PASSWORD and JWT_SECRET in integration tests, handle XDG_CONFIG_HOME for guide-settings tests.

📚 Documentation

  • docs: Update the root changelog with all release-branch changes through 2026-04-24, including PRs #1544, #1555, #1551, #1550, #1548, #1547, #1541, #1538, #1536, and #1527.
  • docs: Fix broken README and localized documentation links. (#1536)
  • docs: Add dashboard docs coverage for current API endpoints, management APIs, ACP, MCP tools, provider onboarding, and v3.7.0 task reconciliation.
  • docs: Add Arch Linux AUR install notes for community package support. (#1478)
  • docs(i18n): Improve Ukrainian (uk-UA) translation quality — full Ukrainian translation for README, SECURITY, A2A-SERVER, API_REFERENCE, AUTO-COMBO, and USER_GUIDE documents. Fix mixed Latin/Cyrillic typos, translate model table entries, and standardize section headers.

🛠️ Maintenance

  • chore: Add .tmp/ to .gitignore to keep local build/test artifacts out of release diffs. (#1538)
  • chore(release): Clarify release version parity and changelog segregation rules for generated release workflows.

📦 Dependencies

  • deps: Bump the development group with 4 updates. (#1464)
  • deps: Bump the production group with 4 updates. (#1463)
  • deps: Update @lobehub/icons to 5.5.4, add explicit react-is@19.2.5 for Recharts, pin npm installs to skip unused peer auto-installs, and override Electron's transitive @xmldom/xmldom to 0.9.10 so audit findings stay closed.
Check out latest releases or
releases around diegosouzapw/OmniRoute v3.7.0

Don't miss a new OmniRoute release

NewReleases is sending notifications on new releases.

Get notifications