github diegosouzapw/OmniRoute v3.8.6

[3.8.6] — 2026-05-29

✨ New Features

  • providers (Unlimited LLM Access): add 7 new web-cookie providers plus a research catalog and discovery tool, expanding free/session-based model access (#2887 — thanks @oyi77)
  • combo (Zero-Latency Combos): add Hedging, Proactive Compression, and Predictive TTFT strategies for lower tail latency on combo routing (#2868 — thanks @herjarsa)
  • api,oauth (agy): add the agy (Antigravity CLI) standalone provider with CLI token import (#2899 — thanks @diegosouzapw)
  • usage: per-API-key token limits scoped to model / provider / global, backed by migration 073_per_model_token_limits (#2888 — thanks @mugnimaestra)
  • providers (web-cookie audit): fix 4 missing registry entries and add DuckDuckGo (#2862 — thanks @oyi77)
  • logs: add clean log history action button to Logs page dashboard (#2799 — thanks @apoapostolov)
  • settings: restore settings-driven home page layout toggles and auto-refresh limits widget (#2800 — thanks @apoapostolov)
  • modelSpecs: register explicit model specifications and context/output caps for Moonshot, Qwen, Hunyuan, DeepSeek, MiniMax, GLM on the opencode-go provider (#2802 — thanks @jeferssonlemes)
  • claude: default xhigh reasoning-effort support for newer Opus models (#2874 — thanks @rdself)
  • compression (RTK): add RTK command filters for kubectl, docker-build, composer, and gh (#2824 — thanks @leninejunior)
  • compression: expand the pt-BR "troglodita" compression pack from 15 to 49 rules (#2818 — thanks @leninejunior)
  • opencode-go: register 4 missing models from the upstream catalog (#2790 — thanks @jeferssonlemes)
  • build: nix multi-OS package-manager install (flake.nix / flake.lock) (#2806 — thanks @levonk)

🛡️ Security

  • mitm: refactor runElevatedPowerShell to write the elevated payload to a per-call temp .ps1 file (mode 0o600) and reference it via -File instead of -EncodedCommand <base64utf16le>, removing the textbook fingerprint flagged by Socket.dev (#2863 — thanks @a-dmx)
  • cloud-sync: require HMAC verification of the Cloud response (X-Cloud-Sig) when OMNIROUTE_CLOUD_SYNC_SECRET is set; the default-off, opt-in OMNIROUTE_CLOUD_SYNC_SECRETS flag is now required to overwrite accessToken / refreshToken / providerSpecificData from the Cloud payload. Closes the silent credential-swap surface (#2863)
  • providers/zed-import: split into 2-step discover + import flow. /import now requires confirmedAccounts: [{ service, account, fingerprint }] and re-reads the keychain server-side to filter by fingerprint, so a tampered discover response cannot trick the endpoint into saving an unrelated token. OMNIROUTE_ZED_IMPORT_LEGACY_ONE_STEP=true preserves v3.8.5 behaviour (deprecated, removed in v3.9) (#2863)
  • build: add OMNIROUTE_BUILD_PROFILE=minimal (npm run build:secure) that physically removes the four sensitive modules (MITM cert install, Zed keychain reader, Cloud Sync, 9router installer) from the standalone bundle via webpack NormalModuleReplacementPlugin aliases. Stubs return HTTP 503 feature-disabled at runtime. Intended for the omniroute-secure artifact (#2863)
  • docs: add docs/security/SOCKET_DEV_FINDINGS.md per-finding maintainer attestation + socket.yml v2 config + in-source SECURITY-AUDITOR-NOTE: blocks at every flagged call site (#2863)
  • windsurf: redact the public Firebase Web key from the Windsurf provider spec (secret-scanning #7) and document the SHA-256 cache-key rationale (code-scanning #261) (#2894, #2896 — thanks @diegosouzapw)

🔧 Bug Fixes

  • antigravity: harden signature-less tool history handling to prevent malformed tool-call replays (#2878 — thanks @dhaern)
  • providers: provider model-sync pruning and dynamic Antigravity MITM proxy mappings (#2886 — thanks @herjarsa)
  • audio: build the multipart body manually to preserve Content-Type on transcription requests (#2842 — thanks @soyelmismo)
  • opencode-go: add a provider-limits quota fetcher so quota state is reported correctly (#2861 — thanks @RajvardhanPatil07)
  • validation: add specialty validators for connection test, bypassing the /models probe for providers that don't expose it (#2837 — thanks @oyi77)
  • cli: restore omniroute logs command — create missing /api/cli-tools/logs route that log-streamer.ts was calling, returning filtered pino log entries with follow and filter query-param support (#2756)
  • cli: replace cli-table3 dependency with a ~50-line hand-rolled ASCII formatter to resolve Node 24 / ESM interop breakage and remove tourniquet package.json overrides pinning ansi-regex@^5, strip-ansi@^6, string-width@^4 (#2752)
  • fix(opencode-go,opencode-zen): mark qwen3.7-max / 3.6-plus / 3.5-plus as supportsVision:false to stop forwarding image blocks to vision-incapable upstream models (#2822)
  • nous-research: append /chat/completions to provider baseUrl so DefaultExecutor's default URL builder hits the correct endpoint instead of returning 404 (#2826)
  • fix(quota): honor explicit per-connection quotaPreflightEnabled: false even when the provider has global window defaults — adds early-return guard before the AND-of-negations gate in auth.ts (#2831)
  • api: include noAuth providers (opencode, etc.) in /v1/models active aliases so their models surface without a DB connection row (#2798)
  • opencode-go: route Qwen3.x via Claude messages format and repair fixMissingToolResponses helper for Claude-shape upstreams (#2791 — thanks @jeferssonlemes)
  • validation: register missing validation helper checks for web-cookie providers (claude-web, gemini-web, copilot-web, t3-web) (#2793 — thanks @oyi77)
  • docker: check and warn if /app/data is not writable in the Docker entrypoint script to fail fast with helpful host instructions (#2795 — thanks @hartmark)
  • oauth: repair native Google loopback callback flow and support remote callbacks via state matching on 127.0.0.1 (#2796 — thanks @akarray)
  • combo: resolve custom openai-compatible-responses-* provider targets correctly when called via combo name — combo steps storing the internal UUID-prefixed provider id now match the provider node by id as well as by prefix, fixing 503 errors for users with custom providers used inside combos (#2778)
  • combos: fix combo handling so transient 429 rate limit errors do not poison or persist the rate limited state for the same-provider connection (#2800 — thanks @apoapostolov)
  • gemini: translate signature-less Gemini thinking model tool calls to text parts to prevent 400 "missing thought_signature" errors (#2801 — thanks @herjarsa)
  • translator: strip safety_identifier from /v1/responses body before forwarding to Chat Completions upstream; fixes LobeHub-originated 400 errors (#2770)
  • warning-cleanup: relax node engine constraint to >=22.0.0 and clean dependencies (keeping marked-terminal to prevent TUI REPL crash) (#2792 — thanks @oyi77)
  • combo: normalize upstream Headers into a plain object before classification to avoid Node 24 / undici cross-instance Cannot read private member #headers crash on combo failover (#2751)
  • translator: silently drop tool_search built-in tool type instead of returning 400 — newer Codex clients send tool_search as a Responses API built-in with no Chat Completions equivalent (#2766)
  • usage: un-invert GitHub Copilot Free / limited plan quota — limited_user_quotas is the remaining count, not used, so the dashboard now shows 100% when the quota is untouched and 0% when fully exhausted (#2876 — thanks @androw)
  • fix(cli): register openclaw in the CLI tool-detector so it appears in omniroute status alongside its existing API and config support (#2833)
  • oauth (windsurf): hotfix Windsurf login — drop the dead PKCE flow and promote the import-token flow as the default (#2884 — thanks @yunaamelia)
  • antigravity: normalize textual SSE tool calls and classify Gemini Antigravity resource exhaustion as a model lockout instead of a connection failure (#2828 — thanks @Ardem2025)
  • reasoning: gate reasoning replay by the interleaved capability field and guard the interleaved capability lookup (#2843 — thanks @nickwizard)
  • gemini-cli: prefer real project IDs over default-project during discovery (#2841 — thanks @nickwizard)
  • geminiHelper: support the rec.image content shape and warn on dropped remote image URLs (#2855 — thanks @Tushar49)
  • deepseek-web: return 400 when the client sends tools[] (chat.deepseek.com has no tool support) (#2854 — thanks @Tushar49)
  • claude: preserve max reasoning effort for supported models (#2875 — thanks @rdself)
  • github: route claude-opus-4.6 via the chat-completions path (#2821 — thanks @marchlhw)
  • logs: rename proxy-log "Public IP" to "Client IP" (#2880 — thanks @rdself)
  • qoder: reject invalid/expired PATs that surface as a Cosy 500 error (#2860 — thanks @herjarsa)
  • combo: preserve system messages during context-handoff summary generation (#2865 — thanks @herjarsa)
  • cli: allow nullable/optional apiKey in cliMitmStartSchema (#2857 — thanks @herjarsa)
  • chatCore: wire CLIProxyAPI fallback settings into the chatCore routing engine (#2866 — thanks @oyi77)
  • skills: skip interception for unregistered client-native tools (#2817 — thanks @jeferssonlemes)
  • mcp: redirect console.log/console.warn to stderr in --mcp stdio mode so they don't corrupt the JSON-RPC stream (#2840 — thanks @disonjer)
  • cli: respect the PORT env var in the serve command (#2845 — thanks @gogones)
  • sse (RTK): repair RTK engine defaults so dedup and direct calls work (#2825 — thanks @leninejunior)
  • i18n: translate 144 new __MISSING__ pt-BR strings (#2816 — thanks @leninejunior); complete and sync remaining pt-BR strings with en.json (#2870 — thanks @alltomatos); translate 162 missing zh-CN UI strings (#2789 — thanks @InkshadeWoods)

🧹 Chores

  • ci: resolve release/v3.8.6 gate failures — docs-sync, any-budget, and pack-artifact (#2895 — thanks @diegosouzapw)
  • security (re-land): re-integrate the Socket.dev supply-chain mitigations, secrets opt-in, and minimal build profile onto the release branch (#2871 — thanks @diegosouzapw)
  • skills: implement automated skill workflows and update system configuration + validation schemas (thanks @diegosouzapw)
  • tests: stabilize unit suites (blackbox-web, schema-coercion, translator-helper-branches, usage-service-hardening, audio-transcription) and isolate services-branch-hardening DB directory to avoid concurrency flakes (thanks @diegosouzapw)
  • chore: remove stale agent skill documentation files and streamline maintenance workflows (thanks @diegosouzapw)
  • gitignore: ignore .claude/settings.local.json so per-user Claude Code permissions never get committed by accident
  • release: version bump and metadata sync (package.json, package-lock.json, electron, open-sse, openapi.yaml)

🏆 Hall of Contributors

A special thanks to everyone who contributed code, reviews, and tests for this release:
@akarray, @alltomatos, @androw, @apoapostolov, @Ardem2025, @dhaern, @disonjer, @gogones, @hartmark, @herjarsa, @InkshadeWoods, @jeferssonlemes, @leninejunior, @levonk, @marchlhw, @mugnimaestra, @nickwizard, @oyi77, @RajvardhanPatil07, @rdself, @soyelmismo, @Tushar49, @yunaamelia


What's Changed

  • fix(docker): rebuild better-sqlite3 after hardened install by @thanet-s in #2772
  • ci: build Docker platforms on native runners by @thanet-s in #2774
  • fix(combos): make target timeout configurable by @rdself in #2775
  • feat: fix so restart of server restarts batch jobs instead of failing them by @hartmark in #2755
  • feat(api): add endpoint restrictions for client API keys by @hijak in #2777
  • fix: use public callbacks for remote Google OAuth with custom creds by @akarray in #2787
  • Allow rate-limited provider connections after transient 429s by @JxnLexn in #2786
  • fix: keep database log settings in sync with the pipeline toggle by @JxnLexn in #2785
  • fix: speedup docker creation by reducing steps and bunch up copy operations by @hartmark in #2784
  • fix(codex): apply global service tiers to combo request bodies by @JxnLexn in #2783
  • docs: fix broken documentation links in README after Fumadocs migration by @kjhq in #2782
  • fix(i18n): translate 162 missing zh-CN UI strings by @InkshadeWoods in #2789
  • feat(opencode-go): register 4 missing models from upstream catalog by @jeferssonlemes in #2790
  • Release v3.8.6 by @diegosouzapw in #2804

Full Changelog: v3.8.5...v3.8.6
