github diegosouzapw/OmniRoute v3.8.4
on GitHub

latest release: v3.8.5
5 hours ago

πŸ”’ Security

  • authz: redirect /home and /home/:path* to /login when unauthenticated β€” Next.js middleware matcher omitted /home, so any visit reached the page directly on REQUIRE_LOGIN deployments (#2712 β€” thanks @diegosouzapw)
  • review: resolve v3.8.4 important + minor findings from consolidated review including SSRF guards (#2749 β€” thanks @diegosouzapw)

✨ New Features

  • feat(credential-health): fail-fast credential health check with TTL cache and background scheduler β€” validates API key + OAuth connections before combo dispatch, skips failed targets in <1ms instead of 10-30s timeout
  • feat(middleware): pre-request middleware pipeline with global, combo-specific, and per-request scopes β€” hooks can mutate body/headers/model, short-circuit, or skip remaining hooks
  • feat(websocket): live dashboard WebSocket server on port 20129 with EventBus integration β€” real-time request started/combo target attempt/succeeded/failed and credential health events
  • feat(circuit-breaker): three-state circuit breaker (CLOSEDβ†’DEGRADEDβ†’OPEN) with adaptive backoff per failure kind (rate-limit/auth/timeout), escalation count, and historical state tracking
  • feat(key-groups): API key groups with migration 066 β€” key_groups, group_model_permissions, key_group_members tables and CRUD, REST endpoints, group auth integration
  • feat(copilot): OmniRoute Copilot with CodeGraph knowledge base and CLI harness β€” LLM-guided configurator at POST /api/copilot/chat
  • feat(combo-playground): combo routing simulation API and dashboard UI under /dashboard/combos/playground/
  • feat(pwa): improved PWA manifest with icons, categories, and service worker with push notification support
  • feat(relay): serverless relay proxies with migration 067 β€” relay_tokens, relay_rate_limits, relay_logs, public endpoint at /api/v1/relay/chat/completions, management API, dashboard UI
  • feat(cost): cost optimization engine with alerts (budget/spike/trend thresholds), 6 REST endpoints, dashboard alerts UI
  • feat(backup): backup and restore system with export/import API and dashboard UI
  • feat(config-templates): config templates with migration 070, seed data, CRUD + apply API, dashboard UI
  • feat(custom-models): custom model registry with migration 069, CRUD API, dashboard UI
  • feat(webhooks-cicd): webhook CI/CD actions with migration 071 β€” ActionEngine supporting deploy/restart/sync actions, REST API
  • feat(multitenant): multi-tenant dashboard with per-API-key usage aggregation and provider/model breakdown
  • feat(sla): SLA dashboard with uptime/latency/error rate queries, summary/trend APIs, uptime badges and sparklines
  • feat(routing-analytics): AI-powered usage pattern analysis and routing recommendations β€” combo_metrics queries, hourly failure heatmap, provider breakdown, cost-vs-latency scatter chart
  • feat(teams): fixed team execution with 13 git worktrees and project-level team configs
  • feat(providers): add Inner.ai provider support with native executor, translation support, and model catalog definitions (#2704 β€” thanks @df4p)
  • feat(proxy): unified free proxy pool, Vercel Relay serverless endpoints, and a redesigned 4-tab proxy dashboard interface (#2705 β€” thanks @diegosouzapw)
  • feat(webhooks): 3-step configuration wizard for Slack, Telegram, Discord, and Custom webhook destinations, with reorganized React components (#2703 β€” thanks @diegosouzapw)
  • feat(openapi): comprehensive API endpoints content audit with 100% schema coverage, authz security tiers, and full i18n localization support (#2701 β€” thanks @diegosouzapw)
  • feat(providers): add BluesMinds, FreeModel.dev, and FreeAIAPIKey to the provider catalog (#2709 β€” thanks @oyi77)
  • feat(routing/providers): broaden routing, provider capabilities, and dashboard views β€” adds AWS Bedrock provider executor, combo scoring inspector, route explainability, reset-aware combo routing, and improves UI views for quota and resilience (#2750 β€” thanks @JxnLexn)
  • feat(batch-fixes): clean batch UI, Docker compose base profile, and support for parallel testing execution (#2761 β€” thanks @diegosouzapw)
  • chore(deps): added ws + @types/ws for WebSocket support, recharts ^3.8.1 for analytics charts

πŸ”§ Bug Fixes

  • validation: add Poolside specialty validator (direct /chat/completions probe β€” Poolside has no /v1/models endpoint and returns 401 for unknown routes, which the generic /models flow misread as "invalid API key") (#2723)
  • validation: add NVIDIA NIM specialty validator and harden normalizeBaseUrl against non-string providerSpecificData.baseUrl β€” fixes the e.startsWith is not a function TypeError that surfaced after minification (#2463)
  • cli: omniroute compression * falls back to direct REST endpoints (/api/settings/compression, /api/context/combos, /api/context/analytics) when /api/mcp/tools/call returns 404; normalize none β†’ off / hybrid β†’ stacked engine aliases (#2688)
  • cli: import cli-helper/tool-detector and cli-helper/doctor/checks with the explicit .ts extension that tsx resolves directly, so the published npm package (which ships only the .ts source) no longer crashes with Cannot find module '…tool-detector.js' (#2509)
  • authz: make the DB feature-flag override authoritative over process.env for OMNIROUTE_ALLOW_PRIVATE_PROVIDER_URLS, so toggling "Allow Private Provider URLs" in the Electron dashboard takes effect without restarting the spawned server (#2575)
  • fix(antigravity): stabilize model detection, OAuth handling, and token refresh logic (#2757 β€” thanks @oyi77)
  • fix(batch): recover and resume stale batch jobs on server restart instead of failing them, and add configurable concurrency limit (#2755 β€” thanks @hartmark)
  • fix(harness): resolve Headers private slot errors and type check compiler issues, and stabilize cooldown retry test flakiness (#2763 β€” thanks @diegosouzapw)
  • Fix combo cascade skipping on credential check timeout
  • Fix team sessions going idle (worktree initialization)
  • feat(providers): enhance Google Gemini, CLI, and Antigravity resilience and features β€” introduces explicit TypeScript typing to translation layers, adds new Gemini 2.0 models, implements backoff and retry logic in the Gemini CLI executor, extracts Google Search grounding metadata into standard citations, and adds backend definitions for the vertex-partner provider. (#2676 β€” thanks @alltomatos)
  • fix(proxy): atomically save and assign custom dashboard proxies in a single SQLite transaction, preventing orphan configuration rows (#2697 β€” thanks @terence71-glitch)
  • fix(reasoning): inject thinking blocks into Claude-format messages for Kimi K2 to prevent infinite tool-calling loops (#2699 β€” thanks @herjarsa)
  • fix(antigravity): default exhausted quota status display to 0% instead of 100% (#2700 β€” thanks @ahmet-cetinkaya)
  • fix(electron): add Caps Lock indicator, custom reset warnings, and suppress shell window spawning on startup (#2714 β€” thanks @benzntech)
  • fix(combos): resolve context handoff tags ordering issue and enforce a 60-second request timeout limit per combo target to prevent capacity leaks (#2717 β€” thanks @herjarsa)
  • fix(oauth): resolve parallel token refresh race conditions in Codex and implement comprehensive error checking across OAuth providers (#2718 β€” thanks @diegosouzapw)
  • fix(docker): install python3, make, and g++ in the Docker builder stage to support native Node.js addon compilation (#2713 β€” thanks @mrmm)
  • fix(i18n): restore real hint and placeholder translation strings for web-cookie providers in en.json (#2694 β€” thanks @diegosouzapw)
  • fix(db): resolve migration version prefix collision between services and webhook metadata tables (#2727 β€” thanks @diegosouzapw)
  • fix(vision-bridge): ensure images are processed when a vision-capable model is matched through a combo routing mapping (#2706 β€” thanks @herjarsa)
  • mcp: break callLogs ↔ compliance ESM cycle that deadlocks the bundled MCP server on Node.js 24 β€” extract no-log state to compliance/noLog.ts, switch callers to the leaf module, keep compliance/index.ts re-exports for backwards compat (#2650 β€” thanks @disonjer)
  • deepseek: guard PoW solver Web Worker handler so require() no longer throws ReferenceError: onmessage is not defined under Node strict mode (#2724 β€” thanks @thanet-s)
  • combos: include no-auth providers (FreeAIAPIKey, BluesMinds, FreeModel.dev, opencode, …) in the combo builder picker β€” they were invisible because they never get rows in provider_connections (#2737 β€” thanks @herjarsa)
  • translator: allow the web_search server-tool family (web_search_20250305, web_search_20250101, plain web_search) in the Responses API translator and preserve the original versioned name on output (#2695 β€” thanks @diegosouzapw)
  • oauth: register the missing trae provider with import_token flow so the Trae IDE no longer 500s during token import (#2658 β€” thanks @diegosouzapw)
  • model: merge settings-based aliases with the legacy DB alias namespace so aliases set via the Settings UI (e.g. gpt-5.4 β†’ cx/gpt-5.4) are honored instead of being overridden by provider inference (#2618, #2208 β€” thanks @diegosouzapw)
  • kiro: fall back to document.execCommand("copy") when the Clipboard API is unavailable (HTTP/non-secure contexts), so the "Copy authorization link" button works on LAN deployments (#2689 β€” thanks @disonjer)
  • cli: raise omniroute serve ready timeout from 20s to 60s and add a TCP-listening fallback so Windows users no longer get phantom timeouts during slow Next.js cold start (#2460 β€” thanks @benzntech)
  • mcp: break circular await deadlock in complianceβ†’callLogs + Kiro refresh resilience (#2747 β€” thanks @disonjer)
  • ui: claude-web provider shows 'API Key' label instead of 'Session Cookie' (#2744 β€” thanks @oyi77)
  • deepseek-web: lazy start session refresh (#2742 β€” thanks @thanet-s)
  • docker: keep fumadocs doc assets in Docker build context (#2741 β€” thanks @janeza2)
  • vision-bridge: force bridge for opencode-go/zen models that overstate vision support (#2740 β€” thanks @herjarsa)
  • combos: enable universal handoff by default to preserve cross-model conversation context (#2736 β€” thanks @herjarsa)

πŸš€ Embedded Services

  • feat(services): embedded service manager for 9Router and CLIProxyAPI β€” introduces a full lifecycle management system for locally-run AI proxy daemons accessible on loopback only:
  • ServiceSupervisor (src/lib/services/supervisor.ts) β€” EventEmitter-based child process manager with state machine (not_installed β†’ stopped β†’ starting β†’ running β†’ stopping β†’ error), ring-buffer log capture (5 MB/service), health polling, and configurable stop timeout.
  • ServiceRegistry (src/lib/services/registry.ts) β€” process-scoped map of active ServiceSupervisor instances; integrates with bootstrap.ts for auto-start on app launch.
  • 9Router lifecycle β€” npm-installer (src/lib/services/installers/ninerouter.ts), 8 REST endpoints under /api/services/9router/ (install, start, stop, restart, update, status, auto-start, rotate-key), NineRouterExecutor at open-sse/executors/ninerouter.ts, model-sync job, and provider registration.
  • CLIProxyAPI lifecycle β€” GitHub-release installer (src/lib/services/installers/cliproxy.ts), 7 REST endpoints under /api/services/cliproxy/ (install, start, stop, restart, update, status, auto-start), health probe at /v1/models (CPA 6.x has no /health endpoint).
  • SSE log streaming β€” /api/services/{name}/logs with tail and filter query params, snapshot + log SSE events, 30-second heartbeat.
  • WebSocket proxy β€” /api/services/{name}/ws reverse-proxies WebSocket connections to the embedded service UI port (port 20131); isLocalOnlyPath() guard in routeGuard.ts (Hard Rule #17).
  • HTTP UI proxy β€” /api/services/9router/proxy/[...path] for iframe asset loading.
  • Dashboard page /dashboard/providers/services β€” URL-based tab navigation (?tab=cliproxy default / ?tab=9router), shared components (ServiceStatusCard, ServiceLifecycleButtons, ServiceLogsPanel), sidebar item under Omni Proxy (hideable, material-symbols-outlined: deployed_code).
  • CliproxyServiceTab β€” auto-start toggle, fallback routing card (enable/disable, URL, status codes); fallback settings remain mirrored in Settings β†’ CLIProxyAPI for backward compatibility.
  • NinerouterServiceTab β€” auto-start toggle, API key display + rotation, collapsible embedded Web UI iframe (sandbox="allow-scripts allow-same-origin allow-forms", loopback-only).
  • DB migration 071 (originally 068, renumbered post-merge to avoid collision with 068_free_proxies and 068_webhooks_kind_metadata) β€” extends version_manager table with autoStart, autoUpdate, providerExpose, apiKey, and port columns. migrationRunner.ts now throws at boot if two .sql files share the same numeric prefix.
  • All service routes classified as LOCAL_ONLY in routeGuard.ts; loopback enforcement is unconditional before any auth check (leaked JWT via tunnel cannot trigger process spawning).

πŸ† Hall de Contribuidores

Um agradecimento especial a todos que contribuΓ­ram com cΓ³digo, revisΓ΅es e testes para este release:
@ahmet-cetinkaya, @alltomatos, @benzntech, @Chewji9875, @df4p, @diegosouzapw, @disonjer, @hartmark, @herjarsa, @janeza2, @JxnLexn, @mrmm, @oyi77, @thanet-s, @terence71-glitch

What's Changed

Full Changelog: v2.6.4...v3.8.4

Check out latest releases or
releases around diegosouzapw/OmniRoute v3.8.4

Don't miss a new OmniRoute release

NewReleases is sending notifications on new releases.

Get notifications