- Replaced hardcoded LINUX_CERT_DIR with dynamic filesystem probing to support Debian, Arch, Fedora, and openSUSE system trust stores.
- Added updateNssDatabases helper to seamlessly inject root certificates directly into browser NSS databases (e.g., ~/.pki/nssdb, ~/.mozilla/firefox).
- Supported standard and snap-based Chrome/Chromium and Firefox installations.
- Made browser cert injection resilient, executing under the current user to prevent file ownership issues, and safely falling back if certutil is absent.
Deepseek API (and likely other providers) reject messages with
role: 'developer' — only accept system, user, assistant, tool.
filterToOpenAIFormat() normalizes content blocks but never touched
message roles, so developer passed through unmodified and caused
400 errors (issue #773).
Fix: add one-line developer → system mapping in filterToOpenAIFormat()
before role-specific logic. This is the common normalization point
called for all targetFormat=openai providers (Deepseek, Groq, Mistral,
Perplexity, Together, Fireworks, Cerebras, xAI, NVIDIA, etc.)
Closes#773
Internal model test routes fetched 127.0.0.1:UPDATER_CONFIG.appPort
(hardcoded 20128). When PORT env is set to a different value, the app
listens on PORT but the internal fetch still targets 20128, causing
"fetch failed" on /api/models/test and /api/providers/[id]/test-models.
Fall back to UPDATER_CONFIG.appPort only when process.env.PORT is unset.
## Features
- Add Cline & Kilo Code tool cards
- Tailscale TUN mode for stable Funnel TLS
- Sort APIKEY providers by usage, collapse to top 20
## Improvements
- Local Material Symbols font (no Google Fonts)
- Docker base: Bun → Node 22-alpine
- MITM reads aliases from JSON cache (no native sqlite)
- Stream stall timeout (2 min) in open-sse
## Fixes
- Fal.ai key test: use stable models endpoint
Two findings, neither blocked by anything else:
1. src/app/callback/page.js — the OAuth callback page posted the
{ code, state } payload to window.opener with targetOrigin "*", so any
page that opened the popup against the well-known redirect_uri received
the live OAuth code. The expectedOrigins list was already computed but
never used. Iterate over it and pass the origin per send.
2. open-sse/utils/proxyFetch.js — createBypassRequest() set
rejectUnauthorized: false on the HTTPS request that runs after the
Google-DNS-resolved real-IP fallback (used for cloudcode-pa.googleapis,
GitHub Copilot, Cursor, AWS LLM endpoints). Combined with servername:
parsedUrl.hostname this gave SNI-correct connections that nonetheless
ignored cert validation, so an on-path attacker could swap in their
own cert and read the user's API tokens / prompts. Drop the flag.
Detected by Aeon + semgrep (javascript.browser.security.wildcard-postmessage-configuration
+ problem-based-packs.insecure-transport.js-node.bypass-tls-verification).
Severity: HIGH (#1) / MEDIUM (#2).
CWEs: CWE-1385 (#1), CWE-295 (#2).
Co-authored-by: aeonframework <aeon@aeonframework.dev>
- Add global CSS rules for select elements in dark mode
- Use color-scheme property to signal dark mode to browser
- Explicitly style option elements with dark theme colors
- Fix UsageStats dropdown to use correct CSS variables (bg-surface, text-text-main)
Fixes dropdown text being unreadable in dark theme on usage page:
- Provider filter dropdown
- Table view selector (Model/Account/API Key/Endpoint)
- Pagination page size selector
Tested in Chrome and Firefox with both light and dark themes.
## Features
- Add bun:sqlite adapter with automatic runtime detection (Bun/Node)
- Add bulk API key import (format: `name|sk-key`, one per line)
## Fixes
- Fix add API key for custom providers
Update all DeepSeek model prices to match current V4 Flash pricing
($0.14/$0.28 per 1M input/output tokens), and add V4 Pro model with
its own pricing ($0.435/$0.87). Also add deepseek-v4-pro to the
provider model list.
Co-authored-by: smarthomeblack <truongbber@gmail.com>
With this single file, it becomes very easy to deploy this service on a caprover instance
All that needs to be done to do so on the caprover dashboard is:
- Create a new app with persistance
- Set these envs:
PORT=20128
HOSTNAME=0.0.0.0
NEXT_PUBLIC_BASE_URL=https://your-domain-here.com
DATA_DIR=/app/data
- Add a persistent directory with /app/data
- Set CONTAINER HTTP PORT to 20128, enable HTTPS and websockets
- Go in deployment -> Method 3 -> Set the git url to this repo on branch main and add your github email and a PAT
- Save and force build
- Introduced OllamaLocalExecutor to handle requests for the "ollama-local" provider.
- Removed the direct URL construction for "ollama-local" from BaseExecutor.
- Updated index.js to include the new OllamaLocalExecutor in the executors mapping.
- Enhanced the ProvidersPage component to support dynamic addition of OpenAI/Anthropic compatible providers.
The totalRequests on dashboard/usage overview always showed lifetime total
instead of respecting the selected period (24h/7d/30d/60d). Now calculated
from period-filtered data like other stats.
Co-authored-by: Tuan-TC <tuan-tc@users.noreply.github.com>
- Implemented handleDeselectModel function to allow users to deselect models in both ComboFormModal and ComboDetailPage.
- Updated ModelSelectModal to handle deselection and visually indicate selected models.
- Enhanced user experience by allowing models to be removed from the selection without closing the modal.
Add input_audio and audio_url content type handlers to
convertOpenAIContentToParts() in geminiHelper.js, converting
OpenAI audio format to Gemini inlineData format.
Also add audio types to VALID_OPENAI_CONTENT_TYPES in
openaiHelper.js so they are not stripped by filterToOpenAIFormat().
Fixes#912
- Introduced DEFAULT_QUICK_TUNNEL_PROTOCOL and QUICK_TUNNEL_PROTOCOLS to allow users to specify the transport protocol for quick tunnels.
- Updated spawnQuickTunnel function to utilize the specified protocol from environment variables, defaulting to HTTP/2 if not provided.
- Enhanced the child process environment to include the selected tunnel transport protocol.
- Request translation: add codeWhispererToMessages() to convert CodeWhisperer conversationState to OpenAI messages array
- Response format: replace pipeSSE() with pipeOpenAIasEventStream() to return AWS EventStream binary frames instead of SSE text
- Protocol headers: add required Smithy system headers (:message-type, :event-type, :content-type) to every EventStream frame
- Tool support: add extractTools() to convert CodeWhisperer toolSpecification to OpenAI tool format
- Tool arguments: add safeArgsString() to prevent '[object Object]' corruption during SSE accumulation
- Multi-turn context: add convertAssistantResponseMessage() and convertUserInputMessage() to preserve toolUses and toolResults in history
- Tool dispatch: send toolUseEvent.input as raw JSON string instead of parsed object to match Kiro's internal JSON.parse() expectation
- BaseUrlSelect: add cloud endpoint option, custom URL local state, always
default to first option; new cliEndpointMatch helper; CLI tool cards refactor
- API: new /v1/audio/voices and /v1/models/info; /v1/models filters disabled
models, drop unused timestamp
- initializeApp: guard tunnel/tailscale auto-resume to once-per-process
- geminiHelper: ensureObjectType for schemas with properties but no type
- skills: minor SKILL.md tweaks (chat/embeddings/image/stt/tts/web-*)
- Introduced a caching mechanism for in-flight token refresh requests to prevent race conditions and reduce unnecessary API calls.
- Added error handling for unrecoverable refresh errors, ensuring that the application can gracefully handle token reuse and invalidation scenarios.
- Updated the MITM server management to handle port 443 conflicts, allowing users to kill processes occupying the port before starting the server.
- Improved user feedback in the MitmServerCard component regarding port conflicts and admin privileges.
- Refactored the ComboList component to streamline the display of media provider combos.
This update aims to enhance the reliability and user experience of the token management and MITM functionalities.
- Updated global CSS to implement a new brand color palette and improve light/dark theme consistency.
- Enhanced the MitmServerCard component to provide clearer user feedback regarding admin privileges.
- Filtered LLM combos in the CombosPage to ensure only relevant data is displayed.
- Improved APIPageClient layout for better usability and visual consistency.
- Added functionality to save and load DNS tool states in the MITM manager.
- Updated OAuth configuration URLs for Qwen to reflect the new endpoint structure.
- Refined tunnel management logic to improve reliability and user experience.
commit 8b2ab7c9e05689c1bf55002cc79db8d22a398c75
Author: kundeng <kundeng@live.com>
Date: Mon Apr 20 11:26:58 2026 -0400
fix: send providerSpecificData in Edit modal validate calls
The Check button in the Edit modal was sending only apiKey without the
Azure endpoint/deployment/org, causing validation to fail.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
commit c894fa838d035ecd9a160339342371042697c327
Author: kundeng <kundeng@live.com>
Date: Mon Apr 20 01:45:13 2026 -0400
fix: persist Azure providerSpecificData and add connection test
- Read body.providerSpecificData in POST /api/providers so Azure fields
(endpoint, deployment, apiVersion, organization) are actually stored
- Add azure case to testApiKeyConnection so the Test button works
correctly instead of falling through to "not supported"
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
commit 00bd1a4151f4e73616969e25d1786c87d1ec0d5e
Author: kundeng <kundeng@live.com>
Date: Mon Apr 20 01:24:39 2026 -0400
fix: add Azure validation and make Organization required
- Add Azure case to /api/providers/validate that sends a test chat
completion with api-key header and organization
- Pass Azure-specific data (endpoint, deployment, apiVersion, org) from
Add modal to validate endpoint
- Make Organization field required (needed for billing)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
commit a66a04daab69b07baa4cc6b28772249e4b25ea19
Author: kundeng <kundeng@live.com>
Date: Mon Apr 20 01:15:53 2026 -0400
fix: add Azure config fields to Add API Key modal
The Add modal was missing the Azure-specific fields (endpoint, deployment,
API version, organization) — only the Edit modal had them.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
commit 6ac3f4a97af8468d210594495ce754f5d7a7978a
Author: kundeng <kundeng@live.com>
Date: Mon Apr 20 01:06:45 2026 -0400
feat: add Azure OpenAI as a dedicated provider
Azure OpenAI uses a different URL scheme (deployments-based) and api-key
header auth instead of Bearer tokens. This adds a dedicated AzureExecutor
that constructs the correct URL and headers, plus dashboard UI fields for
endpoint, deployment, API version, and organization.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add reusable EndpointPresetControl for CLI tool Base URL/API key
presets, stored in browser localStorage. Wire into Claude, Codex,
OpenCode, Droid, OpenClaw, Hermes, and Copilot cards. Allow
selecting preset API keys not in dashboard keys list.
Thanks @dmdfami for the contribution!
Co-authored-by: dmdfami <dmdfami@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
