All notable changes to OmniRoute are documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
## 1.1.0 — 2026-02-21
Fixes missing remote-server OAuth configurations and adds ChatGPT Business account quota monitoring.
- OAuth Client Secret — Omitted explicitly empty `client_secret` parameters to resolve token-exchange rejections on remote servers missing environment variables for Antigravity, Gemini, and iFlow (#103)
- Codex Business Quotas — Automatically fetches the appropriate ChatGPT workspace to unlock the 5-hour Business usage limits directly inside the Quota tab, and correctly maps the `BIZ` string variant (#101)
Solves the issue where adding a second Qwen account would overwrite the first one.
- OAuth Accounts — Extracted the user email from the `id_token` via JWT decoding for Qwen and similar providers, allowing multiple accounts of the same provider to be authenticated simultaneously instead of triggering the fallback overwrite logic (#99)
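A minimal sketch of the id_token email extraction described above (the function name and error handling are illustrative, not OmniRoute's actual code; the payload is read without signature verification, since the token was just issued to us over TLS):

```typescript
// Hypothetical sketch: pull the email claim out of an OAuth id_token.
// A JWT in compact serialization is three base64url segments joined by
// dots; the middle segment is the JSON claims payload.
function emailFromIdToken(idToken: string): string | null {
  const parts = idToken.split(".");
  if (parts.length !== 3) return null; // not a compact-serialized JWT
  try {
    const payloadJson = Buffer.from(parts[1], "base64url").toString("utf8");
    const claims = JSON.parse(payloadJson) as { email?: string };
    return claims.email ?? null;
  } catch {
    return null; // malformed base64 or JSON
  }
}
```

With the email available, accounts can be keyed per user (e.g. provider plus email) instead of per provider alone, which is what prevents the second account from overwriting the first.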
Fixes blocked providers and API auth toggle not being saved after page reload.
- Settings Persistence — Added `requireAuthForModels` (boolean) and `blockedProviders` (string array) to the Zod validation schema; the schema was silently stripping these unknown fields during PATCH requests, preventing them from being saved to the database
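For context on why the fields vanished: a strip-mode validator drops any key it does not declare. The sketch below mimics Zod's default unknown-key stripping with a plain allowlist (the parser itself is illustrative; only the two field names come from the entry above):

```typescript
// Illustrative strip-mode parser: keys absent from the allowlist are
// silently discarded, which is how the two settings were lost before
// they were added to the schema.
type SettingsPatch = { requireAuthForModels?: boolean; blockedProviders?: string[] };

const allowedKeys = new Set(["requireAuthForModels", "blockedProviders"]);

function parsePatch(body: Record<string, unknown>): SettingsPatch {
  const out: Record<string, unknown> = {};
  for (const key of Object.keys(body)) {
    if (allowedKeys.has(key)) out[key] = body[key]; // unknown keys dropped here
  }
  return out as SettingsPatch;
}
```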
Adds API Endpoint Protection for `/models`, Windows server startup fixes, and UI improvements.
- API Endpoint Protection (`/models`) — New Security tab settings to optionally require an API key for the `/v1/models` endpoint (returns 404 when unauthorized) and to selectively block specific providers from appearing in the models list (#100, #96)
- Interactive Provider UI — The Blocked Providers setting features an interactive chip selector with visual badges for all available AI providers
- Windows Server Startup — Fixed the `ERR_INVALID_FILE_URL_PATH` crash on Windows by safely wrapping `import.meta.url` resolution with a fallback to `process.cwd()` for globally installed npm packages (#98)
- Combo buttons visibility — Fixed layout overlap and tight spacing for the Quick Action buttons (Clone / Delete / Test) on the Combos page on narrower screens (#95)
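The Windows startup fix follows a common resolve-with-fallback pattern. A hedged sketch (the function name and exact fallback behavior are assumed, not taken from the actual source):

```typescript
import { fileURLToPath } from "node:url";
import path from "node:path";

// Hypothetical sketch: resolve the app directory from a module URL,
// falling back to process.cwd() when the URL cannot be converted --
// e.g. the ERR_INVALID_FILE_URL_PATH crash seen with globally
// installed npm packages on Windows.
function resolveAppDir(metaUrl: string | undefined): string {
  try {
    if (!metaUrl) throw new Error("no module URL available");
    return path.dirname(fileURLToPath(metaUrl)); // throws on invalid file: URLs
  } catch {
    return process.cwd(); // safe fallback for global installs
  }
}
```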
## 1.0.7 — 2026-02-20
Fixes three community-reported issues: the `stream` default now follows the OpenAI spec, custom OpenAI-compatible providers appear in `/v1/models`, and Google OAuth shows a clear error plus a tutorial for remote deployments.
- `stream` defaults to `false` — Aligns with the OpenAI specification, which explicitly states that `stream` defaults to `false`. Previously OmniRoute defaulted to `true`, causing SSE data to be returned instead of a JSON object, breaking clients like Spacebot, OpenCode, and standard Python/Rust/Go OpenAI SDKs that don't explicitly set `stream: true` (#89)
- Custom AI providers now appear in `/v1/models` — OpenAI-compatible custom providers (e.g. FriendLI) whose provider ID wasn't in the built-in alias map were silently excluded from the models list even when active. Fixed by also checking the raw provider ID from the database against active connections (#90)
- OAuth `redirect_uri_mismatch` — Improved UX for remote deployments: Google OAuth providers (Antigravity, Gemini CLI) now always use `localhost` as the redirect URI, matching the registered credentials. Remote-access users see a targeted amber warning with a link to the new setup guide, and the token-exchange error message explains the root cause and guides users to configure their own credentials (#91)
- OAuth em Servidor Remoto tutorial — New README section with a step-by-step guide to configuring custom Google Cloud OAuth 2.0 credentials for remote/VPS/Docker deployments
- `.env.example` Google OAuth block — Added a prominent warning block explaining remote credential requirements, with direct links to the Google Cloud Console
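The `stream` default fix boils down to one predicate. A minimal sketch (request shape follows the OpenAI chat-completions format; the function name is illustrative):

```typescript
// Per the OpenAI spec, `stream` defaults to false when omitted, so
// only an explicit `stream: true` should select SSE output.
interface ChatRequest {
  model: string;
  stream?: boolean;
}

function isStreaming(req: ChatRequest): boolean {
  return req.stream === true; // omitted or false -> plain JSON response
}
```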
| File | Change |
|---|---|
| `open-sse/handlers/chatCore.ts` | `stream` defaults to `false` (was `true`) per OpenAI spec |
| `src/app/api/v1/models/route.ts` | Added raw `providerId` check for the custom-models active-provider filter |
| `src/shared/components/OAuthModal.tsx` | Force `localhost` redirect for Google OAuth; improved `redirect_uri_mismatch` error message |
| `.env.example` | Added |
| `README.md` | New "🔐 OAuth em Servidor Remoto" tutorial section |
## 1.0.6 — 2026-02-20
`/v1/models` now shows only models from providers with active connections. Combos and providers can be toggled on/off directly from the dashboard.
- Provider toggle on Providers page — Enable or disable all connections for a provider directly from the main Providers list. The toggle is always visible; no hover needed
- Combo enable/disable toggle — Each combo on the Combos page now has a toggle; disabled combos are excluded from `/v1/models`
- OAuth private IP support — Expanded localhost detection to include private/LAN IPs (`192.168.x.x`, `10.x.x.x`, `172.16-31.x.x`) for correct OAuth redirect URIs
- `/v1/models` strict filtering — Models are now shown only from providers with active, enabled connections. Previously, if no connections existed or all were disabled, all 378+ models were shown as a fallback
- Disabled provider models hidden — Toggling off a provider immediately removes its models from `/v1/models`
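The expanded localhost detection can be sketched as a hostname predicate covering the RFC 1918 private ranges listed above (function name and exact rules are illustrative):

```typescript
// Treat localhost plus private/LAN addresses as "local" for the
// purpose of choosing OAuth redirect URIs.
function isLocalHost(hostname: string): boolean {
  if (hostname === "localhost" || hostname === "127.0.0.1") return true;
  if (/^192\.168\.\d{1,3}\.\d{1,3}$/.test(hostname)) return true;
  if (/^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) return true;
  // 172.16.0.0/12 spans 172.16.x.x through 172.31.x.x
  if (/^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/.test(hostname)) return true;
  return false;
}
```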
## 1.0.5 — 2026-02-20
Filters all model types in `/v1/models` by active providers and fixes a Docker data-directory mismatch.
- `/v1/models` full filtering — Embedding, image, rerank, audio, and moderation models are now filtered by active provider connections, matching chat-model behavior. Providers like Together AI no longer appear without a configured API key (#88)
- Docker `DATA_DIR` — Added `ENV DATA_DIR=/app/data` to the Dockerfile and `docker-compose.yml`, ensuring the volume mount always matches the app data directory and preventing an empty database on container recreation
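The active-provider filter applied to all model types amounts to a set intersection. A sketch with illustrative shapes (the real connection and model records have more fields):

```typescript
// A model is listed only if its provider has at least one enabled
// connection; everything else is hidden from /v1/models.
interface Connection { providerId: string; enabled: boolean }
interface Model { id: string; providerId: string }

function listModels(models: Model[], connections: Connection[]): Model[] {
  const active = new Set(
    connections.filter((c) => c.enabled).map((c) => c.providerId),
  );
  return models.filter((m) => active.has(m.providerId));
}
```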
## 1.0.4 — 2026-02-19
Dashboard model filtering by active providers, provider enable/disable visual indicators, OAuth login fix for nginx reverse proxy, and LLM onboarding documentation.
- API Models filtering — `GET /api/models` now returns only models from active providers; use `?all=true` for all models (#85)
- Provider disabled indicator — Provider cards show a ⏸ "Disabled" badge with reduced opacity when all connections are inactive (#85)
- `llm.txt` — Comprehensive LLM onboarding file with project overview, architecture, flows, and conventions (#84)
- WhatsApp Community — Added a WhatsApp group link to the README badges and Support section
- OAuth behind nginx — Fixed OAuth login failing behind a reverse proxy by using `window.location.origin` for the redirect URI instead of a hardcoded `localhost` (#86)
- `NEXT_PUBLIC_BASE_URL` for OAuth — Documented this env var as a redirect-URI override for proxy deployments (#86)
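The proxy-aware redirect logic can be sketched as: prefer the explicit `NEXT_PUBLIC_BASE_URL` override, otherwise use the origin the browser actually sees. The `/oauth/callback` path and function name here are hypothetical:

```typescript
// Resolve the OAuth redirect URI behind a reverse proxy. The env
// override wins; otherwise fall back to the page's own origin
// (window.location.origin) rather than a hardcoded localhost.
function oauthRedirectUri(baseUrlEnv: string | undefined, origin: string): string {
  const base = baseUrlEnv && baseUrlEnv.length > 0 ? baseUrlEnv : origin;
  return `${base.replace(/\/$/, "")}/oauth/callback`; // hypothetical callback path
}
```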
| File | Purpose |
|---|---|
| `llm.txt` | LLM and contributor onboarding (llms.txt standard) |

| File | Change |
|---|---|
| `src/app/api/models/route.ts` | Filter by active providers, `?all=true` param, `available` field |
| `src/app/(dashboard)/dashboard/providers/page.tsx` | `allDisabled` detection + ⏸ badge + `opacity-50` on provider cards |
| `src/shared/components/OAuthModal.tsx` | Proxy-aware redirect URI using `window.location.origin` |
| `.env.example` | Documented `NEXT_PUBLIC_BASE_URL` for OAuth behind proxy |
## 1.0.3 — 2026-02-19
Unified logs interface with real-time console log viewer, file-based logging via console interception, and server initialization improvements.
- Logs Dashboard — Consolidated 4-tab page at `/dashboard/logs` with Request Logs, Proxy Logs, Audit Logs, and Console tabs
- Console Log Viewer — Terminal-style real-time log viewer with color-coded log levels, auto-scroll, search/filtering, a level filter, and 5-second polling
- Console Interceptor — Monkey-patches `console.log/info/warn/error/debug` at server start to capture all application output as JSON lines to `logs/application/app.log`
- Log Rotation — Size-based rotation and retention-based cleanup for log files
- Instrumentation consolidation — Moved `initAuditLog()`, `cleanupExpiredLogs()`, and console interceptor initialization to Next.js `instrumentation.ts` (runs on both dev and prod server start)
- Structured Logger file output — `structuredLogger.ts` now also appends JSON log entries to the log file
- Pino Logger fix — Fixed a broken mix of pino `transport` targets and a manual `createWriteStream`; now uses `pino/file` transport targets exclusively, with absolute paths
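A minimal sketch of the console-interception technique: wrap the console methods so every call is also emitted as a JSON line to a sink, while preserving normal terminal output. The sink callback and the line shape are illustrative (the real interceptor writes to `logs/application/app.log`):

```typescript
type Level = "log" | "warn" | "error";

// Monkey-patch console.log/warn/error so every call is mirrored as a
// JSON line through `sink`, then forwarded to the original method.
function interceptConsole(sink: (line: string) => void): void {
  for (const level of ["log", "warn", "error"] as Level[]) {
    const original = console[level].bind(console);
    console[level] = (...args: unknown[]) => {
      sink(JSON.stringify({ level, time: Date.now(), msg: args.map(String).join(" ") }));
      original(...args); // keep normal terminal output
    };
  }
}
```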
| File | Purpose |
|---|---|
| `src/app/(dashboard)/dashboard/logs/page.tsx` | Tabbed Logs Dashboard page |
| `src/app/(dashboard)/dashboard/logs/AuditLogTab.tsx` | Audit log tab component extracted from the standalone page |
| `src/shared/components/ConsoleLogViewer.tsx` | Terminal-style real-time log viewer |
| `src/app/api/logs/console/route.ts` | API endpoint to read the log file (filters: last 1 h, level, component) |
| `src/lib/consoleInterceptor.ts` | Console method monkey-patching for file capture |
| `src/lib/logRotation.ts` | Log rotation by size and cleanup by retention days |
| File | Change |
|---|---|
| `src/shared/components/Sidebar.tsx` | Nav: "Request Logs" → "Logs" with description icon |
| `src/shared/components/Breadcrumbs.tsx` | Added breadcrumb labels for logs, audit-log, console |
| `src/instrumentation.ts` | Added console interceptor + audit log init + expired log cleanup |
| `src/server-init.ts` | Added console interceptor import (backup init) |
| `src/shared/utils/logger.ts` | Fixed pino file transport using `pino/file` targets |
| `src/shared/utils/structuredLogger.ts` | Added `appendFileSync` file writing + log file config |
| `.env.example` | Added `LOG_TO_FILE`, `LOG_FILE_PATH`, `LOG_MAX_FILE_SIZE`, `LOG_RETENTION_DAYS` |
New environment variables:

| Variable | Default | Description |
|---|---|---|
| `LOG_TO_FILE` | `true` | Enable/disable file logging |
| `LOG_FILE_PATH` | `logs/application/app.log` | Log file path |
| `LOG_MAX_FILE_SIZE` | `50M` | Max file size before rotation |
| `LOG_RETENTION_DAYS` | `7` | Days to retain old log files |
## 1.0.2 — 2026-02-18
Comprehensive audit-driven improvements across security, architecture, testing, and user experience.
- Auth guard — API route protection via `withAuth` middleware for all dashboard routes
- CSRF protection — Token-based CSRF guard for all state-changing API routes
- Request payload validation — Zod schemas for provider, combo, key, and settings endpoints
- Prompt injection guard — Input sanitization against malicious prompt patterns
- Body size guard — Route-specific body size limits with dedicated audio upload threshold
- Rate limiter — Per-IP rate limiting with configurable windows and thresholds
- DI container — Simple dependency injection container for service registration
- Policy engine — Consolidated `PolicyEngine` for routing, security, and rate limiting
- SQLite migration — Database migration system with a versioned migration runner
- Graceful shutdown — Clean server shutdown with connection draining
- TypeScript fixes — Resolved all `tsc` errors; removed redundant `@ts-check` directives
- Pipeline decomposition — `handleSingleModelChat` decomposed into composable pipeline stages
- Prompt template versioning — Version-tracked prompt templates with rollback support
- Eval scheduling — Automated evaluation suite scheduling with cron-based runner
- Plugin architecture — Extensible plugin system for custom middleware and handlers
- Coverage thresholds — Jest coverage thresholds enforced in CI (368 tests passing)
- Proxy pipeline integration tests — End-to-end tests for the proxy request pipeline
- CI audit workflow — npm audit and security scanning in GitHub Actions
- k6 load tests — Performance testing with ramping VUs and custom metrics
- Session management — Session info card with login time, age, user agent, and logout
- Focus indicators — Global `:focus-visible` styles and a `--focus-ring` CSS utility
- Audit log viewer — Security event audit log with structured data display
- Dashboard cleanup — Removed unused files, fixed Quick Start links to Endpoint page
- Documentation — Troubleshooting guide, deployment improvements
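The `withAuth` middleware named above is a standard higher-order-handler pattern. A hedged sketch (the handler shape and token check are assumptions, not OmniRoute's actual signature):

```typescript
// Hypothetical shapes: a handler takes a request and returns a status.
type Req = { headers: Map<string, string> };
type Res = { status: number; body?: string };
type Handler = (req: Req) => Res;

// withAuth wraps a route handler so unauthenticated requests are
// rejected before the route logic ever runs.
function withAuth(handler: Handler, isValid: (token: string) => boolean): Handler {
  return (req) => {
    const token = req.headers.get("authorization") ?? "";
    if (!isValid(token)) return { status: 401, body: "Unauthorized" };
    return handler(req);
  };
}
```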
## 1.0.1 — 2026-02-18
Response sanitization, role normalization, and structured output improvements for strict OpenAI SDK compatibility and cross-provider robustness.
- Response sanitizer module — New `responseSanitizer.ts` strips non-standard fields (`x_groq`, `usage_breakdown`, `service_tier`, etc.) from all OpenAI-format provider responses, fixing OpenAI Python SDK v1.83+ Pydantic validation failures that returned raw strings instead of parsed `ChatCompletion` objects
- Streaming chunk sanitization — Passthrough streaming mode now sanitizes each SSE chunk in real time via `sanitizeStreamingChunk()`, ensuring strict `chat.completion.chunk` schema compliance
- ID/Object/Usage normalization — Ensures the `id`, `object`, `created`, `model`, `choices`, and `usage` fields always exist with correct types
- Usage field cleanup — Strips non-standard usage sub-fields, keeping only `prompt_tokens`, `completion_tokens`, `total_tokens`, and the OpenAI detail fields
- `<think>` tag extraction — Automatically extracts `<think>...</think>` blocks from thinking-model responses (DeepSeek R1, Kimi K2 Thinking, etc.) into OpenAI's standard `reasoning_content` field
- Streaming think-tag stripping — Real-time `<think>` extraction in the passthrough SSE stream, preventing JSON parsing errors in downstream tools
- Preserves native reasoning — Providers that already send `reasoning_content` natively (e.g., OpenAI o1) are not overwritten
- `developer` → `system` conversion — OpenAI's new `developer` role is automatically converted to `system` for all non-OpenAI providers (Claude, Gemini, Kiro, etc.)
- `system` → `user` merging — For models that reject the `system` role (GLM, ERNIE), system messages are intelligently merged into the first user message with clear delimiters
- Model-aware normalization — Uses model-name prefix matching (`glm-*`, `ernie-*`) for compatibility decisions, avoiding hardcoded provider-level flags
- `response_format` → Gemini conversion — OpenAI's `json_schema` structured output is now translated to Gemini's `responseMimeType` + `responseSchema` in the translator pipeline
- `json_object` support — `response_format: { type: "json_object" }` maps to Gemini's `application/json` MIME type
- Schema cleanup — Automatically removes unsupported JSON Schema keywords (`$schema`, `additionalProperties`) for Gemini compatibility
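The think-tag extraction above can be sketched in a few lines. This is a simplified non-streaming version (the function name is illustrative; the real implementation also handles tags split across SSE chunks):

```typescript
// Move a thinking model's <think>...</think> block out of the visible
// content and into an OpenAI-style reasoning_content field.
function extractThink(content: string): { content: string; reasoning_content?: string } {
  const match = content.match(/<think>([\s\S]*?)<\/think>/);
  if (!match) return { content }; // no tag: leave the response untouched
  return {
    content: content.replace(match[0], "").trim(),
    reasoning_content: match[1].trim(),
  };
}
```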
| File | Purpose |
|---|---|
| `open-sse/handlers/responseSanitizer.ts` | Response field stripping, think-tag extraction, ID/usage normalization |
| `open-sse/services/roleNormalizer.ts` | Developer→system, system→user role conversion pipeline |

| File | Change |
|---|---|
| `open-sse/handlers/chatCore.ts` | Integrated the response sanitizer for non-streaming OpenAI responses |
| `open-sse/utils/stream.ts` | Integrated streaming chunk sanitizer + think-tag extraction in passthrough mode |
| `open-sse/translator/index.ts` | Integrated the role normalizer into the request translation pipeline |
| `open-sse/translator/request/openai-to-gemini.ts` | Added `response_format` → `responseMimeType`/`responseSchema` conversion |
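The usage-field cleanup described in this release is allowlist-based. A minimal sketch (the allowlist here covers only the three core counters; the real module also preserves OpenAI detail fields):

```typescript
// Keep only OpenAI-standard usage counters; drop vendor extras such
// as x_groq or usage_breakdown that break strict SDK validation.
const USAGE_KEYS = new Set(["prompt_tokens", "completion_tokens", "total_tokens"]);

function sanitizeUsage(usage: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const key of Object.keys(usage)) {
    if (USAGE_KEYS.has(key)) out[key] = usage[key];
  }
  return out;
}
```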
## 1.0.0 — 2026-02-18
OmniRoute is an intelligent API gateway that unifies 20+ AI providers behind a single OpenAI-compatible endpoint. This release represents the culmination of the entire development effort — from initial prototype to production-ready platform.
- Smart 4-tier fallback — Auto-routing: Subscription → Cheap → Free → Emergency
- 6 routing strategies — Fill First, Round Robin, Power-of-Two-Choices, Random, Least Used, Cost Optimized
- Semantic caching — Auto-cache responses for deduplication with configurable TTL
- Request idempotency — Prevent duplicate processing of identical requests
- Thinking budget validation — Control reasoning token allocation per request
- System prompt injection — Configurable global system prompts for all requests
- 20+ AI providers — OpenAI, Claude (Anthropic), Gemini, GitHub Copilot, DeepSeek, Groq, xAI, Mistral, Qwen, iFlow, Kiro, OpenRouter, GLM, MiniMax, Kimi, NVIDIA NIM, and more
- Multi-account support — Multiple accounts per provider with automatic rotation
- OAuth 2.0 (PKCE) — Automatic token management and refresh for Claude Code, Codex, Gemini CLI, Copilot, Kiro
- Auto token refresh — Background refresh with expiry detection and unrecoverable error handling
- Model import — Import models from API-compatible passthrough providers
- OpenAI-compatible validation — Fallback validation via chat completions for providers without a `/models` endpoint
- TLS fingerprint spoofing — Browser-like TLS fingerprinting via `wreq-js` to bypass bot detection
- Multi-format translation — Seamless OpenAI ↔ Claude ↔ Gemini ↔ OpenAI Responses API conversion
- Translator Playground — 4 interactive modes:
- Playground — Test format translations between any provider formats
- Chat Tester — Send real requests through the proxy with visual response rendering
- Test Bench — Automated batch testing across multiple providers
- Live Monitor — Real-time stream of active proxy requests and translations
- Custom combos — Create model combinations with multi-provider fallback chains
- 6 combo balancing strategies — Fill First, Round Robin, Random, Least Used, P2C, Cost Optimized
- Combo circuit breaker — Auto-disable failing providers within a combo chain
- Circuit breakers — Auto-recovery with configurable thresholds and cooldown periods
- Exponential backoff — Progressive retry delays for failed requests
- Anti-thundering herd — Mutex-based protection against concurrent retry storms
- Rate limit detection — Per-provider RPM, min gap, and max concurrent request tracking
- Editable rate limits — Configurable defaults via Settings → Resilience with persistence
- Prompt injection guard — Input sanitization for malicious prompt patterns
- PII redaction — Automatic detection and masking of personally identifiable information
- AES-256-GCM encryption — Credential encryption at rest
- IP access control — Whitelist/blacklist IP filtering
- SOCKS5 proxy support — Outbound proxy for upstream provider calls
- Analytics dashboard — Recharts-based SVG charts: stat cards, model usage bar chart, provider breakdown table with success rates and latency
- Real-time health monitoring — Provider health, rate limits, latency telemetry
- Request logs — Dedicated page with SQLite-persisted proxy request/response logs
- Limits & Quotas — Separate dashboard for quota monitoring with reset countdowns
- Cost analytics — Token cost tracking and budget management per provider
- Request telemetry — Correlation IDs, structured logging, request timing
- Dual database — LowDB (JSON) for config + SQLite for domain state and proxy logs
- Export database — `GET /api/db-backups/export` — Download the SQLite database file
- Export all — `GET /api/db-backups/exportAll` — Full backup as a `.tar.gz` archive (DB + settings + combos + providers + masked API keys)
- Import database — `POST /api/db-backups/import` — Upload and restore with validation, integrity check, and pre-import backup
- Automatic backups — Configurable backup schedule with retention
- Storage health — Dashboard widget with database size, path, and backup status
- Full dashboard — Provider management, analytics, health monitoring, settings, CLI tools
- 9 dashboard sections — Providers, Combos, Analytics, Health, Translator, Settings, CLI Tools, Usage, Endpoint
- Settings restructure — 6 tabs: Security, Routing, Resilience, AI, System/Storage, Advanced
- Shared UI component library — Reusable components (Avatar, Badge, Button, Card, DataTable, Modal, etc.)
- Dark/Light/System theme — Persistent theme selection with system preference detection
- Agent showcase grid — Visual grid of 10 AI coding agents in README header
- Provider logos — Logo assets for all supported agents and providers
- Red shield badges — Styled badge icons across all documentation
- Docker support — Multi-stage Dockerfile with `base` and `cli` profiles
- Docker Hub — `diegosouzapw/omniroute` with `latest` and versioned tags
- Docker CI/CD — GitHub Actions auto-build and push on release
- npm CLI package — `npx omniroute` with auto-launch
- npm CI/CD — GitHub Actions auto-publish to npm on release
- Akamai VM deployment — Production deployment on Nanode 1GB with nginx reverse proxy
- Cloud sync — Sync configuration across devices via Cloudflare Worker
- Edge compatibility — Native `crypto.randomUUID()` for Cloudflare Workers
- 100% TypeScript — Full migration of `src/` (200+ files) and `open-sse/` (94 files), with zero `@ts-ignore` and zero TypeScript errors
- CI/CD pipeline — GitHub Actions for lint, build, test, npm publish, Docker publish
- Unit tests — 20+ test suites covering domain logic, security, caching, routing
- E2E tests — Playwright specs for API, navigation, and responsive behavior
- LLM evaluations — Golden-set testing framework with 4 match strategies (`exact`, `contains`, `regex`, `custom`)
- Security tests — CLI runtime, Docker hardening, cloud sync, and OpenAI compatibility
- 8 language READMEs — English, Portuguese (pt-BR), Spanish, Russian, Chinese (zh-CN), German, French, Italian
- VM Deployment Guide — Complete guide (VM + Docker + nginx + Cloudflare + security)
- Features Gallery — 9 dashboard screenshots with descriptions
- API Reference — Full endpoint documentation including backup/export/import
- User Guide — Step-by-step setup, configuration, and usage instructions
- Architecture docs — System design, component decomposition, ADRs
- OpenAPI specification — Machine-readable API documentation
- Troubleshooting guide — Common issues and solutions
- Security policy — `SECURITY.md` with vulnerability reporting via GitHub Security Advisories
- Roadmap — 150+ planned features across 6 categories
- `/v1/chat/completions` — OpenAI-compatible chat endpoint with format translation
- `/v1/embeddings` — Embedding generation
- `/v1/images/generations` — Image generation
- `/v1/models` — Model listing with provider filtering
- `/v1/rerank` — Re-ranking endpoint
- `/v1/audio/*` — Audio transcription and translation
- `/v1/moderations` — Content moderation
- `/api/db-backups/export` — Database export
- `/api/db-backups/exportAll` — Full archive export
- `/api/db-backups/import` — Database import with validation
- 30+ dashboard API routes for providers, combos, settings, analytics, health, CLI tools
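As an illustration of one of the six routing strategies listed in this release, Power-of-Two-Choices can be sketched as: sample two candidates at random and route to the one with the lower in-flight load. The shapes and injectable random source below are illustrative, not OmniRoute's actual implementation:

```typescript
interface Provider {
  id: string;
  inFlight: number; // current number of in-flight requests
}

// Power-of-Two-Choices: pick two providers uniformly at random and
// choose the less loaded of the pair. This avoids the herd behavior
// of always picking the global minimum while staying O(1).
function pickP2C(providers: Provider[], rand: () => number = Math.random): Provider {
  if (providers.length === 1) return providers[0];
  const a = providers[Math.floor(rand() * providers.length)];
  const b = providers[Math.floor(rand() * providers.length)];
  return a.inFlight <= b.inFlight ? a : b;
}
```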