diegosouzapw/OmniRoute v3.8.8

on GitHub

[3.8.8] — 2026-06-03

Added

• Plugins framework (src/lib/plugins/, /api/plugins/*, /dashboard/plugins) — hooks + registry unification, plugin SDK (definePlugin), worker-thread sandbox, per-plugin hook rate limiting, SHA-256 integrity verification, semver-gated upgrade, and execution analytics. Plugin routes are loopback-only (isLocalOnlyPath) and child_process exec is opt-in via OMNIROUTE_PLUGINS_ALLOW_EXEC. (#2913 / #3041 — thanks @oyi77)
• Plugin system: response-hook wiring + startup load + example plugin — wires the plugin onResponse hook into the chat success path, loads active plugins on server startup so they survive restarts (pluginManager.loadAll() in server-init), and ships a welcome-banner example plugin (examples/plugins/) plus a comprehensive plugin test suite. (#3045 — thanks @oyi77)
• API key option: disable non-published models — a per-key flag restricting the key to discovered, public models (combos / auto/* / qtSd/* routing still allowed). (#3017 — thanks @androw)
• SessionPool — modular & provider-agnostic (open-sse/services/sessionPool/) — pooled
  cookie/session manager with round-robin fingerprint rotation (distinct fingerprint per pooled
  session), per-session cooldown/backoff, and a provider-agnostic webExecutorWrapper. Adds pool
  support for DuckDuckGo Web and LLM7 providers and an MCP poolTools toolset. (#2954 / #2978 — thanks @oyi77)
• AgentBridge (/dashboard/tools/agent-bridge) — MITM proxy consolidating 9 IDE agents
  (Antigravity, Kiro, GitHub Copilot, OpenAI Codex, Cursor IDE, Zed Industries, Claude Code,
  Open Code, Trae stub) with server card, per-agent setup wizard, model mapping table,
  bypass list, upstream CA cert support, and redirect from legacy /dashboard/system/mitm-proxy.
  See docs/frameworks/AGENTBRIDGE.md. (#2858 — thanks @diegosouzapw)
• Traffic Inspector (/dashboard/tools/traffic-inspector) — LLM-aware HTTPS debugger with
  4 capture modes (AgentBridge hook, Custom Hosts DNS, HTTP_PROXY :8080, System-wide proxy),
  DevTools split UI, 7 detail tabs (Conversation, Headers, Request, Response, Timing, LLM Details,
  Stats), resizable panels, session recording (.har/.jsonl export), SSE stream merger,
  conversation normalizer (multi-provider), system-prompt fingerprint colorization, and annotations.
  See docs/frameworks/TRAFFIC_INSPECTOR.md.
• MITM handler base + 9 agent handlers (src/mitm/handlers/) — MitmHandlerBase abstract
  class with hookBufferStart/hookBufferUpdate for Traffic Inspector integration; concrete
  handlers for all 9 agents.
• MITM targets registry (src/mitm/targets/) — declarative MitmTarget shape per agent;
  emits DATA_DIR/mitm/targets.json for dynamic server.cjs resolution.
• Traffic Inspector core (src/mitm/inspector/) — TrafficBuffer in-memory ring,
  kindDetector, sseMerger (MIT port from chouzz/llm-interceptor), conversationNormalizer
  (MIT port), contextKey fingerprinting, httpProxyServer, systemProxyConfig.
• AgentBridge passthrough + bypass (src/mitm/passthrough.ts) — TCP tunnel for
  non-mapped hosts; bypass list with default sensitive-host patterns + user-defined patterns.
• Upstream CA cert (src/mitm/upstreamTrust.ts) — AGENTBRIDGE_UPSTREAM_CA_CERT for
  corporate TLS environments.
• Secret masking (src/mitm/maskSecrets.ts) — sk-/Bearer/generic token masking before
  any log or Traffic Inspector broadcast.
• DB migrations 073–075 — agent_bridge_state, agent_bridge_mappings,
  agent_bridge_bypass, inspector_custom_hosts, inspector_sessions,
  inspector_session_requests.
• ~28 API routes under /api/tools/agent-bridge/ (12 routes) and
  /api/tools/traffic-inspector/ (16+ routes). All LOCAL_ONLY + SPAWN_CAPABLE.
• i18n PT-BR + EN for all new keys in agentBridge.* and trafficInspector.* namespaces;
  all other locales fall back to EN automatically.
• E2E smoke tests — tests/e2e/agent-bridge.spec.ts,
  tests/e2e/traffic-inspector.spec.ts, tests/e2e/agent-bridge-traffic-cross.spec.ts
  (skip-gated on CI by RUN_AGENT_BRIDGE_E2E / RUN_TRAFFIC_INSPECTOR_E2E / RUN_CROSS_E2E).
• Documentation — docs/frameworks/AGENTBRIDGE.md and docs/frameworks/TRAFFIC_INSPECTOR.md;
  docs/architecture/REPOSITORY_MAP.md updated; docs/reference/openapi.yaml updated with
  ~28 new routes and 20+ new schemas.
• i18n: translate Ukrainian (uk-UA) menu and UI strings, plus complete uk-UA UI coverage (#2981 / #2988 — thanks @Lion-killer)
• providers: add SiliconFlow endpoint selector (#2975 — thanks @xz-dev)
• oauth: add Trae SOLO provider (work/code modes) (#2964 — thanks @S0yora)
• providers: add Qwen Web (chat.qwen.ai) web-cookie provider (#2947 — thanks @oyi77)
• Quota Share Engine — multi-provider quota pools — Monitoring/Costs reorg plus a Quota Share Engine: group selector, grouped pool cards, exclusive-quota API keys (allowedQuotas), quotaShared-* routing models via combos, a 3-step pool wizard (legacy Plans page retired), endpoint + key preview, and full pool editing. Adds quota-pool DB migrations. (#2859 / #3022 / #3032 — thanks @diegosouzapw)
• Dashboard page redesigns (Nav Restructure) — agent-skills + omni-skills with a dynamic 42-skill catalog and MCP/A2A discovery (#2827); CLI Code's + CLI Agents + ACP Agents pages (#2839); translator friendly redesign, 5 tabs → 2 (#2847); functional /batch + /batch/files redesign (#2849); Playground Studio + Search Tools Studio (#2869); memory engine redesign — sqlite-vec + hybrid RRF + Studio UI (#2873). (thanks @diegosouzapw)
• notion: add Notion as an MCP context source — 6 tools (notion_search, notion_list_databases, notion_get_database, notion_query_database, notion_read, notion_append_blocks) scoped under read:notion / write:notion, with dashboard "Context Sources" tab, settings API, and token persistence in key_value table (#2959 — thanks @branben)
• Per-API-key stream default mode — a per-key setting that forces JSON or SSE as the default response shape (migration 077_api_key_stream_default_mode), so integrations that expect non-streaming JSON work without client changes. (thanks @JxnLexn)
• Codex Responses-over-WebSocket — opt-out flag OMNIROUTE_CODEX_WS_ENABLED (default ON) upgrading Codex Responses traffic to a WebSocket bridge with a clean handshake and bridge-secret auth; the Quota Share endpoints card now surfaces the Responses + codex-WS endpoints. (thanks @diegosouzapw)
• Xiaomi MiMo usage tracking — self-reported usage accounting for Xiaomi MiMo plus a monthly cap preset; DeepSeek USD preset and a Claude plan preset (percent 5h + weekly) seeded into the plan registry. (thanks @diegosouzapw)
• API Manager: Normal vs Quota key sections — the API keys screen now splits keys into Normal and Quota sections in a compact 2-table layout, and the Quota Share screen gains a beta banner, live per-account upstream quota, and a real-time Codex quota view backed by the cascade-safe serialized refresh. (thanks @diegosouzapw)

Changed

• Sidebar Tools group: added agent-bridge and traffic-inspector items after cloud-agents.
• /api/tools/agent-bridge/ and /api/tools/traffic-inspector/ added to LOCAL_ONLY_API_PREFIXES
  and SPAWN_CAPABLE_PREFIXES in src/server/authz/routeGuard.ts.
• .env.example: documented 9 new env vars (AGENTBRIDGE_UPSTREAM_CA_CERT,
  INSPECTOR_BUFFER_SIZE, INSPECTOR_HTTP_PROXY_PORT, INSPECTOR_HTTP_PROXY_AUTOSTART,
  INSPECTOR_TLS_INTERCEPT, INSPECTOR_SYSTEM_PROXY_GUARD_MINUTES, INSPECTOR_MAX_BODY_KB,
  INSPECTOR_MASK_SECRETS, INSPECTOR_LLM_HOSTS_EXTRA, INSPECTOR_INTERNAL_INGEST_TOKEN).

Fixed

• memory: the recent retrieval strategy no longer drops recent memories whose
  text doesn't overlap the current prompt. It was internally mapped to the exact
  path, which relevance-filtered by the forwarded prompt (score > 0), so
  recency-based injection silently returned nothing for unrelated prompts. The
  prompt is no longer forwarded for recent (semantic/hybrid still use it for
  vector search).
• combo: custom-provider credential lookup now expands provider_nodes prefixes
  (e.g. 78code/gpt-5.4) to the generated internal connection ids during account
  selection, so combos targeting compatible/custom providers resolve their live
  credentials instead of failing to find a connection. (#3058)
• build: Docker image build (docker compose --profile cli build, which runs
  next build with Turbopack) no longer errors. Two Turbopack-only failures were
  fixed: sqlite-vec is now externalized so Turbopack stops trying to bundle its
  native vec0.so ("Unknown module type"), and manager.stub.ts now exports
  getAllAgentsStatus (statically imported by /api/tools/agent-bridge/state — the
  missing export aborted the build). The webpack-based VM build was unaffected, which
  is why the deploy validated while the Docker build errored. The sqlite-vec native
  binary is also now bundled into the standalone output, so vector/semantic memory keeps
  working in the container instead of silently degrading to FTS5 keyword search.
  (#3066 — thanks @freefrank)
• codex/providers: POST /api/providers/[id]/refresh (the manual/auto "refresh
  token" endpoint) no longer rotates rotating-refresh providers (Codex/OpenAI share
  one Auth0 client_id). This was the last unguarded proactive-refresh entry point:
  when the dashboard auto-refreshed every expiring connection on a page load (or an
  old cached frontend bulk-called it), each Codex account's single-use refresh_token
  was rotated, and Auth0 revoked the whole token family (openai/codex#9648) — every
  account but the last died with [403] <!DOCTYPE. The endpoint now skips proactive
  rotation for rotating providers and defers to the reactive, serialized 401 path
  (same guard as refreshAndUpdateCredentials and the connection-test route).
• codex/quota: opening the Quota / Providers dashboard no longer disconnects
  Codex multi-account setups. The quota-sync path
  (refreshAndUpdateCredentials) proactively refreshed every connection — for
  rotating-refresh providers (Codex/OpenAI share one Auth0 client_id) it
  refreshed siblings concurrently, so Auth0 revoked the whole token family
  (openai/codex#9648) and every account but the last died with
  [403] <!DOCTYPE html>. The quota path now skips proactive refresh for
  rotating providers (rotationGroupFor) and reuses the current access_token,
  deferring genuine expiry to the reactive, serialized 401 path. Defense in
  depth: serializeRefresh now leaves a settle gap between two queued sibling
  refreshes (default 2000 ms, tunable via CODEX_REFRESH_SPACING_MS, "0" to
  opt out) while releasing a lone refresh immediately, so the reactive path adds
  no latency.
• payload-rules: saved payload rules now survive a server restart. When no
  in-memory override is set (fresh process before the boot hook ran, or a
  separate module instance in the standalone build), getPayloadRulesConfig
  now reads the DB-persisted rules (the source of truth) before the file config,
  instead of silently returning the empty file default. (#2986)
• models/custom: custom models can now carry a per-model targetFormat
  override (e.g. an opencode-go custom model that must use the Anthropic Messages
  shape). Previously custom models always routed as OpenAI-compatible because
  targetFormat was neither persisted nor consulted at routing time. Threaded
  through addCustomModel/replaceCustomModels/updateCustomModel, the API
  schema/route, getModelInfo, and chatCore's targetFormat resolution. (#2905)
• providers/pollinations: route to gen.pollinations.ai/v1 instead of the
  retired text.pollinations.ai host, which now returns 404 "legacy API" for
  all models. The gen gateway is the current OpenAI-compatible endpoint. (#2987)
• executors/codex: drop the CLI-injected image_generation hosted tool for
  free-plan Codex accounts (workspacePlanType === "free"), which can't run it
  server-side and would otherwise get an upstream 400. Paid plans keep it.
  (mirrors CLIProxyAPI's free-plan guard; spun off from the #2980 analysis)
• dashboard: custom providers (openai-compatible-* / anthropic-compatible-*)
  now show their user-given node name instead of the raw UUID id across the
  active-requests panel, proxy logger, and home-page provider topology. The
  display-label resolver was extracted into a shared util reused by all surfaces
  (previously only the request-log viewer resolved it). (#2968)
• docker: the standalone launcher (Docker CMD) now honors
  OMNIROUTE_MEMORY_MB (default 512, clamped [64, 16384]) and overrides the
  image NODE_OPTIONS fallback, fixing random OOM crashes under load / with
  large SQLite DBs. Previously only omniroute serve honored the knob. (#2939)
• docker: add a web compose profile (omniroute-web, target runner-web,
  image omniroute:web) so web-cookie providers (gemini-web, claude-web,
  claude-turnstile) work out of the box — the default base image ships without
  Chromium/Playwright, which made those providers fail with
  "Executable doesn't exist at .../ms-playwright/chromium...". (#2832)
• routing/codex: fix two gpt-5.5 Codex defects (#2877). (A) For a Codex-only
  account, a bare gpt-5.5 Responses request was rerouted to codex with the
  model hardcoded to gpt-5.5-medium (chatHelpers.ts); the executor read that
  -medium suffix as an explicit modelEffort that (per #2331) overrode a
  client reasoning.effort=xhigh, silently demoting it — now it keeps the bare
  gpt-5.5 id so the client effort wins. (B) gpt-5.5-xhigh/-high/-low
  misrouted to openai (→ "No credentials" for codex-only users); the suffixed
  variants are now in CODEX_PREFERRED_UNPREFIXED_MODELS so they infer codex.
• sse/chatCore: remove a duplicate const settings declaration in
  handleChatCore (introduced alongside the per-key stream-default-mode
  feature). The same-scope redeclaration made esbuild/tsx fail with
  "The symbol 'settings' has already been declared", which turned every unit
  test that imports chatCore red and broke the production build. The earlier
  consolidated settings const is now reused.
• db/migrations: resolve a 077 migration version collision
  (077_api_key_stream_default_mode.sql vs 077_quota_pools.sql) that made
  getMigrationFiles() throw and blocked getDbInstance() at startup (app would
  not boot; every DB-touching test was red). Renumbered the dependency-free,
  idempotent quota_pools migration to 085, kept the non-idempotent
  api_key_stream_default_mode ALTER at 077, added a retroactive
  isSchemaAlreadyApplied guard (case 085), and a regression test enforcing
  unique migration prefixes.
• routing/reasoning-replay: OpenCode big-pickle (provider opencode/oc
  and opencode-zen) now declares the interleaved reasoning_content contract
  via a new RegistryModel.interleavedField field, so follow-up/tool-use turns
  replay reasoning_content. Previously big-pickle matched no replay pattern and
  failed with [400] The reasoning_content in the thinking mode must be passed back to the API (its DeepSeek-thinking upstream is not detectable from the
  model id, and requiresReasoningReplay does not consume supportsReasoning).
  getResolvedModelCapabilities now surfaces the registry interleavedField. (#2900)
• providers/github-copilot: built-in GitHub Copilot Claude Opus and Gemini
  models (claude-opus-4.7, claude-opus-4-5-20251101, gemini-3.1-pro-preview,
  gemini-3-flash-preview) no longer carry targetFormat: "openai-responses", so
  they route through chat/completions (the provider default, like the working
  claude-opus-4.6) instead of the Responses API, which Copilot does not serve for
  non-OpenAI models (returned [400]). Native OpenAI gpt-* models keep the
  Responses API. (#2911)
• translator/responses: Codex Desktop injects an image_generation hosted
  tool into every Responses API request (even text-only ones), which OmniRoute
  rejected with [400] image_generation tool type is not supported. It is now
  treated like tool_search: allowed past the tool-type validator and dropped
  silently from the tools array before forwarding to Chat Completions. (#2950)
• combo/builder: no-auth OpenCode Free combo entries now use the oc/ routing
  alias instead of the opencode/ prefix. parseModel("opencode/<model>")
  resolves to the opencode-zen api-key tier (via a manual ALIAS_TO_PROVIDER_ID
  override), so combos built with the bare provider id misrouted away from the
  no-auth opencode provider; oc/<model> resolves correctly. (#2901)
• resilience/providers: a route-restriction 403 (e.g. Fireworks Fire Pass
  fpk_* keys returning "…not authorized for this route." on /models, while
  chat still works) no longer marks the connection unavailable. Provider
  validation falls through to the chat probe for such 403s instead of returning
  "Invalid API key", and checkFallbackError short-circuits them to no cooldown.
  Genuine auth failures (401 / generic 403) still fail fast. (#2929)
• auth/opencode-zen: the OpenCode Zen free model now works in the Playground
  and combos without an API key. opencode-zen serves the public, signup-free
  endpoint (https://opencode.ai/zen/v1); when no api-key connection is
  configured, credential resolution now falls back to anonymous (no-auth) access
  instead of failing with "No credentials for provider: opencode-zen". A
  configured, active key is still used when present. (#2962)
• translator/responses: fixed an upstream [400] Messages with role 'tool' must be a response to a preceding message with 'tool_calls' when a Codex
  client sent a function_call with an empty/missing call_id. The orphaned
  function_call_output previously slipped past the orphan filter. Now
  empty-call_id function calls are skipped (no dangling assistant tool_call)
  and any tool result without a matching tool_call id is dropped. (#2893)
• deps: remove the proxifly npm dependency (#3000 — thanks @terence71-glitch)
• proxy: use connection proxy for OAuth refresh (#3012 — thanks @terence71-glitch)
• usage: export pure helper functions for unit testing (#3015 — thanks @oyi77)
• docs/docker: align memory default docs to 1024MB (#3006 — thanks @terence71-glitch)
• providers: fix DuckDuckGo missing API key & update OpenCode free model list (#3008 — thanks @NekoMonci12)
• claude: bump Claude Code identity to 2.1.158 and sync beta flags (#3010 — thanks @Tentoxa)
• test: increase DB and usage utils coverage to >60% (#3018 — thanks @oyi77)
• oom: resolve memory leak in Bottleneck limiter caches and provider registry (#2965 — thanks @soyelmismo)
• proxy: show registry provider proxies in dashboard after Custom proxy flow moved them into the proxy registry (#2963 — thanks @terence71-glitch)
• routing: add agy to executor map so it uses AntigravityExecutor (#2957 — thanks @ReqX)
• skills: avoid Claude assistant tool_result blocks (#2956 — thanks @terence71-glitch)
• perf: CPU leak from Bottleneck limiter accumulation + per-request optimizations (#2951 — thanks @soyelmismo)
• combo: combo credential resolution ignores target.providerId — prefer combo target's providerId over model-inferred provider (#2946 — thanks @oyi77)
• dashboard: v3.8.8 screen fixes — agent-bridge SSR + audit/logs/memory/playground (#2944)
• claude: sanitize tool schemas + cloak third-party tool names on native Claude OAuth (#2943 — thanks @NomenAK)
• auth: prevent Codex multi-account refresh_token family revocation (#2941)
• combo: fix combo vision passthrough and Codex tool history repair (#2940 — thanks @charithharshana)
• claude: map WebSearch to Responses web_search (#2938 — thanks @makcimbx)
• claude: strip empty Read pages tool input (#2937 — thanks @makcimbx)
• dashboard: improve self-service provider quota visibility (#2931 — thanks @guanbear)
• antigravity: avoid visible signatureless tool history (#2927 — thanks @dhaern)
• sse/web-search: bypass the web-search fallback on a Claude → Claude passthrough so native Claude requests aren't rewritten (#2960 — thanks @terence71-glitch)
• oom: prevent per-request memory accumulation (~256MB heap growth) (#2973 — thanks @soyelmismo)
• perf/proxy: parallelize provider proxy overlay lookups (#2984 — thanks @terence71-glitch)
• privacy/PII: resolve the PII feature flag correctly and fix PII response sanitization in streaming SSE requests (#3021 — thanks @dangeReis)
• electron: improve macOS window chrome (#3029 — thanks @bobbyunknown)
• i18n: fix missing API key scope translations (#3031 — thanks @guanbear)
• stream/responses: drop a leaked chat bootstrap chunk for Responses-API clients (#3035 — thanks @CitrusIce)
• docker: warn-only on the /app/data permission check instead of exit 1, so a non-writable bind mount no longer kills the container at boot (#3036 — thanks @wussh)
• mcp: resolve streamable-HTTP transport readiness reporting an offline status (#3037 — thanks @Chewji9875)
• dashboard: use a lightweight ping endpoint for the MaintenanceBanner (fixes #3040) (#3043 — thanks @herjarsa)
• test: resolve pre-existing test failures — env sync, PII, quota, sidebar (#3039 — thanks @oyi77)
• docs/mcp: regenerate the mcp-tools diagram for 43 tools and fix the tool count (#3028 — thanks @diegosouzapw)
• mcp: move enforceScopes guard before MCP_TOOL_MAP lookup, add inline scopes parameter to withScopeEnforcement(), and declare scopes on all 24 dynamic tool definitions (memory, skills, plugins, gamification, compression) to fix scope enforcement for dynamic MCP tool groups (#2958 — thanks @branben)
• sse/chatCore: the heap-pressure guard now auto-calibrates its threshold to 85%
  of the live V8 heap ceiling (floor 400 MB) instead of a fixed 200 MB that sat below
  the app's ~260 MB baseline and returned 503 Service temporarily unavailable due to resource pressure for every request once the heap warmed up. It now tracks
  --max-old-space-size across 1 GB / 2 GB / large VPS; HEAP_PRESSURE_THRESHOLD_MB
  still overrides. (#3052)
• proxy: fail closed for OAuth usage-account proxies (#3051 — thanks @terence71-glitch)
• proxy: resolve registry proxy assignments for combo and key levels (#3048 — thanks @terence71-glitch)
• providers/web: wire the session pool for fingerprint rotation on Pollinations / DuckDuckGo (#3049 — thanks @oyi77)
• providers/claude-web: add cf_clearance cookie support and session-pool fingerprint rotation for Pollinations / DuckDuckGo (#3046 — thanks @oyi77)
• usage: handle MiniMax coding-plan percent quotas (general/percent dimension) so MiniMax coding plans report remaining quota correctly. (thanks @diegosouzapw)
• home: pass providerId to the quota widget icons so provider brand icons resolve on the home dashboard (#3064 — thanks @xz-dev)
• quota: block qtSd/* models for keys with no quota-pool allocation (enforcement Check 2.9), and never flag rotating-refresh providers (Codex/OpenAI) as expired during the quota sync (#3030). (thanks @diegosouzapw)

🏆 Contributors

A special thanks to everyone who contributed to this release — 746 commits since v3.8.7:

A special thanks to everyone who contributed code, reviews, and tests for this release:
@androw, @bobbyunknown, @branben, @charithharshana, @Chewji9875, @CitrusIce, @dangeReis, @dhaern, @diegosouzapw, @freefrank, @guanbear, @herjarsa, @JxnLexn, @Lion-killer, @makcimbx, @NekoMonci12, @NomenAK, @oyi77, @ReqX, @S0yora, @soyelmismo, @Tentoxa, @terence71-glitch, @wussh, @xz-dev

What's Changed

• feat(monitoring,costs,quota): Monitoring reorg + Costs section + Quota Share Engine (planos 16+22) by @diegosouzapw in #2859
• feat(mitm,inspector): AgentBridge + Traffic Inspector (planos 11+12 / Group A) by @diegosouzapw in #2858
• feat(translator): friendly redesign (5 tabs → 2) by @diegosouzapw in #2847
• feat(dashboard,cli): redesign CLI pages — CLI Code's + CLI Agents + ACP Agents (Plan 14) by @diegosouzapw in #2839
• feat(skills): redesign agent-skills + omni-skills with dynamic 42-skill catalog + MCP/A2A discovery by @diegosouzapw in #2827
• feat(batch): functional & explanatory redesign for /batch + /batch/files by @diegosouzapw in #2849
• feat(memory): memory engine redesign — sqlite-vec + hybrid RRF + Studio UI (plan 21) by @diegosouzapw in #2873
• feat(playground,search-tools): Playground Studio + Search Tools Studio (planos 17+18) by @diegosouzapw in #2869
• fix(sse): bypass web-search fallback on Claude passthrough by @terence71-glitch in #2960
• feat(notion): add Notion MCP context source with 6 tools, dashboard tab, and 20 tests by @branben in #2959
• fix(mcp): reorder enforceScopes guard before MCP_TOOL_MAP lookup, add scopes to all dynamic tool definitions by @branben in #2958
• fix(routing): add agy to executor map so it uses AntigravityExecutor by @ReqX in #2957
• fix(skills): avoid Claude assistant tool_result blocks by @terence71-glitch in #2956
• fix: CPU leak from Bottleneck limiter accumulation + per-request optimizations by @soyelmismo in #2951
• feat: add Qwen Web (chat.qwen.ai) web-cookie provider by @oyi77 in #2947
• fix: combo credential resolution ignores target.providerId by @oyi77 in #2946
• fix(dashboard): v3.8.8 screen fixes — agent-bridge SSR + audit/logs/memory/playground by @diegosouzapw in #2944
• fix(claude): sanitize tool schemas + cloak third-party tool names on native Claude OAuth by @NomenAK in #2943
• fix(auth): prevent Codex multi-account refresh_token family revocation (openai/codex#9648) by @diegosouzapw in #2941
• Fix combo vision passthrough and Codex tool history repair by @charithharshana in #2940
• fix(claude): map WebSearch to Responses web_search by @makcimbx in #2938
• fix(claude): strip empty Read pages tool input by @makcimbx in #2937
• Improve self-service provider quota visibility by @guanbear in #2931
• fix(proxy): show registry provider proxies in dashboard by @terence71-glitch in #2963
• fix(db): resolve 077 migration version collision blocking getDbInstance by @diegosouzapw in #2966
• fix(routing): replay reasoning_content for OpenCode big-pickle (#2900) by @diegosouzapw in #2967
• fix(providers): route Copilot Claude/Gemini via chat/completions (#2911) by @diegosouzapw in #2969
• fix(translator): drop Codex image_generation tool in Responses→Chat (#2950) by @diegosouzapw in #2970
• fix(combo): no-auth OpenCode combos use oc/ prefix, not opencode/ (#2901) by @diegosouzapw in #2971
• fix(resilience): route-restriction 403 must not mark a connection unavailable (#2929) by @diegosouzapw in #2972
• fix(auth): opencode-zen falls back to anonymous no-auth when no key (#2962) by @diegosouzapw in #2974
• fix(translator): drop orphan tool results from empty call_id (#2893) by @diegosouzapw in #2976
• perf(proxy): parallelize provider proxy overlay lookups by @terence71-glitch in #2984
• fix(i18n): translate Ukrainian (uk-UA) menu and UI strings by @Lion-killer in #2981
• feat(providers): add SiliconFlow endpoint selector by @xz-dev in #2975
• fix(sse): remove duplicate const settings in handleChatCore (release-blocker) by @diegosouzapw in #2989
• fix(routing): honor client reasoning.effort for gpt-5.5 + route suffixed variants to codex (#2877) by @diegosouzapw in #2990
• fix(docker): add 'web' compose profile for web-cookie providers (#2832) by @diegosouzapw in #2991
• fix(docker): honor OMNIROUTE_MEMORY_MB heap limit in standalone launcher (#2939) by @diegosouzapw in #2993
• fix(dashboard): resolve custom provider display name across surfaces (#2968) by @diegosouzapw in #2994
• fix(codex): drop image_generation for free-plan accounts (#2980 spin-off) by @diegosouzapw in #2999
• feat(oauth): add Trae SOLO provider by @S0yora in #2964
• fix(oom): prevent unbounded memory growth causing heap OOM crashes by @soyelmismo in #2965
• fix(providers): route Pollinations to gen.pollinations.ai/v1 (#2987) by @diegosouzapw in #3002
• fix(models): honor per-model targetFormat for custom models (#2905) by @diegosouzapw in #3004
• fix(payload-rules): read DB-persisted rules when no in-memory override (#2986) by @diegosouzapw in #3005
• fix(deps): remove the proxifly npm dependency by @terence71-glitch in #3000
• fix(proxy): use connection proxy for OAuth refresh by @terence71-glitch in #3012
• fix(usage): export pure helper functions for unit testing by @oyi77 in #3015
• fix(sse): stop Codex multi-account family-revocation cascade on quota-sync by @diegosouzapw in #3019
• feat(quota): Pool Groups + correções de enforcement → v3.8.8 (+ authz peer-IP, screen fixes) by @diegosouzapw in #3022
• docs(mcp): regenerate mcp-tools diagram for 43 tools + fix count by @diegosouzapw in #3028
• fix(api): guard rotating providers in manual token-refresh route (Codex family-revocation) by @diegosouzapw in #3030
• feat(quota): Quota Share v2 — nav move, 3-col grouped layout, endpoints+key preview, full pool edit by @diegosouzapw in #3032
• test: increase coverage to >60% — 353 new test cases by @oyi77 in #3018
• refactor: Make SessionPool modular & provider-agnostic by @oyi77 in #2978
• Fix missing API key scope translations by @guanbear in #3031
• fix(i18n): complete Ukrainian (uk-UA) UI translation coverage by @Lion-killer in #2988
• fix(stream): drop leaked chat bootstrap chunk for responses clients by @CitrusIce in #3035
• chore: bump Claude Code identity to 2.1.158 + sync anthropic-beta flags from live captures by @Tentoxa in #3010
• fix(oom): prevent per-request memory accumulation (256MB heap) by @soyelmismo in #2973
• fix: improve macOS Electron window chrome by @bobbyunknown in #3029
• Fix DuckDuckGo Missing Api Key & Update OpenCode Free Model List by @NekoMonci12 in #3008
• fix(docker): warn-only on /app/data permission check, remove exit 1 by @wussh in #3036
• fix(privacy): resolve PII feature flag correctly and fix PII response sanitization in streaming SSE requests by @dangeReis in #3021
• fix(mcp): resolve streamable http transport readiness offline status by @Chewji9875 in #3037
• fix(dashboard): use lightweight ping endpoint for MaintenanceBanner (fixes #3040) by @herjarsa in #3043
• fix: resolve pre-existing test failures (env sync, PII, quota, sidebar) by @oyi77 in #3039
• feat: plugins framework (#2913) + disable-non-public-models (#3017) — integrated + security-hardened by @diegosouzapw in #3041
• feat(plugins): comprehensive test suite + welcome banner PoC by @oyi77 in #3045
• fix(claude-web): cf_clearance + fix(pollinations/duckduckgo): wire session pool by @oyi77 in #3046
• fix(pollinations/duckduckgo): wire session pool for fingerprint rotation by @oyi77 in #3049
• fix(proxy): fail closed for OAuth usage account proxies by @terence71-glitch in #3051
• fix(proxy): resolve registry assignments for combo and key levels by @terence71-glitch in #3048
• fix(sse): auto-calibrate heap-pressure threshold to the V8 heap ceiling by @diegosouzapw in #3052
• chore: remove 9 dead/unreachable free providers by @oyi77 in #3054
• fix(pii): preserve custom event names and insert SSE separators on flush by @dangeReis in #3056
• fix(pii): preserve custom event names and apply stream PII sanitization fixes by @dangeReis in #3059
• fix(combo): align custom provider ids across creation and auth lookup by @CitrusIce in #3058
• fix(sse): stop infinite account-fallback loop on no-auth providers (#3061) by @diegosouzapw in #3062
• fix(home): pass providerId to quota widget icons by @xz-dev in #3064
• Release/v3.8.8 by @diegosouzapw in #2930
• Default Nextcloud OpenAI integration to JSON streaming by @JxnLexn in #2945

New Contributors

• @branben made their first contribution in #2959
• @ReqX made their first contribution in #2957
• @charithharshana made their first contribution in #2940
• @makcimbx made their first contribution in #2938
• @Lion-killer made their first contribution in #2981
• @xz-dev made their first contribution in #2975
• @S0yora made their first contribution in #2964
• @CitrusIce made their first contribution in #3035
• @bobbyunknown made their first contribution in #3029
• @wussh made their first contribution in #3036
• @dangeReis made their first contribution in #3021

Full Changelog: v3.8.7...v3.8.8