The shutdown API calls `process.exit(0)` on POST without any authentication or authorization checks. Any party that can reach this endpoint can terminate the server process, causing immediate service disruption.
Affected files: route.js
Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
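The unauthenticated shutdown route described in the commit message above, next to a guarded form, as an added example that is not the project's code. `makeShutdownHandler`, the bearer-token scheme and the injected `exit` callback are assumptions made for illustration; the page does not say how the project authenticates callers.

```javascript
// Added example. makeShutdownHandler, the token argument and the injected
// exit callback are hypothetical names, not taken from the project.

// "Before", as the commit message describes it: any POST stops the process.
function unguardedPOST(_request, exit) {
  exit(0);
  return new Response("shutting down", { status: 200 });
}

// Compare secrets without returning early on the first differing byte.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

// "After": the caller must present the operator-configured bearer token.
function makeShutdownHandler({ token, exit }) {
  return function POST(request) {
    // Fail closed: with no token configured the endpoint stays disabled.
    if (!token) return new Response("shutdown disabled", { status: 403 });
    const auth = request.headers.get("authorization") || "";
    const presented = auth.startsWith("Bearer ") ? auth.slice(7) : "";
    if (!presented || !safeEqual(presented, token)) {
      return new Response("unauthorized", { status: 401 });
    }
    exit(0); // in production: a callback that defers process.exit(0)
    return new Response("shutting down", { status: 200 });
  };
}
```

Passing `exit` in keeps the handler testable without stopping the test process; a deployment would pass a callback that lets the response flush before calling `process.exit(0)`.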
Cursor's API now rejects requests with outdated client versions,
returning [400]: Update Required for Composer 2. Bump
x-cursor-client-version from 2.3.41 to 3.1.0 across all three
locations where it is set.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fix /v1/models only being able to get models from the static list or from providerSpecificData.enabledModels. With API Key Compatible Providers, the test endpoint /api/providers/<id>/models could still get dynamic models from upstream, but /v1/models did not fall back to that dynamic list. In addition, the returned alias was using the internal providerId instead of the prefix in the configuration.
Fixed so that OpenAI/Anthropic Compatible uses the correct prefix as the public alias, and if there is no enabledModels yet, /v1/models fetches models dynamically from upstream /models
checkAndRefreshToken() updated providerSpecificData.copilotToken but
not the top-level creds.copilotToken. GithubExecutor.buildHeaders()
reads the top-level key, so every request after a proactive refresh
still sent the expired token, causing 401 "IDE token expired".
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
- Add /api/providers/kilo/free-models endpoint with 1hr cache
- Fetch and merge Kilo free models with hardcoded models for kilocode provider
- Display 'Free' badge on models fetched from Kilo API
- Fix Windows build: add cross-env, remove --webpack flag, add turbopack config
- Add outputFileTracingExcludes for Windows system directories
- Encode thoughtSignature into tool_call.id using _TSIG_ delimiter and base64url
- Decode _TSIG_ on request to restore thoughtSignature for Gemini multi-turn thinking
- Track pendingThoughtSignature across parts for deferred signature attachment
- Add LocalMutex (2-layer locking) to prevent ELOCKED on concurrent DB access
- Increase lockfile retries from 5 to 15 for multi-process robustness
- Restore db.json seed on first run to prevent ENOENT on lockfile.lock
- Use process.env.BASE_URL fallback in models test route
- Remove gemini-3-flash-lite-preview from provider models
Co-authored-by: kwanLeeFrmVi <quanle96@outlook.com>
Closes #450
Made-with: Cursor
- Add claudeHeaderCache.js to intercept and cache live Claude Code client headers
- Forward cached headers dynamically to api.anthropic.com via default.js
- Strip first-party identity headers (x-app, claude-code-* beta) for non-Anthropic upstreams
- Validate and sanitize tool call IDs to match Anthropic pattern (^[a-zA-Z0-9_-]+$)
- Skip thinking blocks when applying cache_control; fix max_tokens buffer (+1024)
- Strip cache_control from thinking blocks in openai-to-claude translator
- Comment out thoughtSignature in Gemini translator (kept for reference)
- Expand .gitignore to match all deploy*.sh variants
Co-authored-by: kwanLeeFrmVi <quanle96@outlook.com>
Closes #433
Made-with: Cursor
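A round trip for the `_TSIG_` scheme from the earlier commit message, checked against the tool call ID pattern quoted in the one just above, as an added example that is not the project's code. The layout `<id>_TSIG_<base64url(signature)>` and both function names are assumptions; the page names only the delimiter and the encoding.

```javascript
// Added example; the id layout and function names are assumptions.
const TSIG = "_TSIG_";
const ID_PATTERN = /^[a-zA-Z0-9_-]+$/; // pattern quoted in the commit message

function encodeToolCallId(id, thoughtSignature) {
  // Refuse base ids that would make the packed form ambiguous or invalid.
  if (!ID_PATTERN.test(id) || id.includes(TSIG)) {
    throw new Error("base id is not safe to pack");
  }
  if (!thoughtSignature) return id;
  // base64url uses only [A-Za-z0-9_-], so the packed id still matches.
  const b64 = Buffer.from(thoughtSignature, "utf8").toString("base64url");
  return id + TSIG + b64;
}

function decodeToolCallId(packed) {
  // The id returns from the client, so it is untrusted input.
  if (typeof packed !== "string" || !ID_PATTERN.test(packed)) {
    return { id: null, thoughtSignature: null };
  }
  // First occurrence: the encoder guarantees the base id has no delimiter,
  // while the base64url payload may contain anything from its alphabet.
  const at = packed.indexOf(TSIG);
  if (at === -1) return { id: packed, thoughtSignature: null };
  const b64 = packed.slice(at + TSIG.length);
  const sig = Buffer.from(b64, "base64url").toString("utf8");
  // Node decodes leniently; accept only payloads that re-encode identically.
  if (!b64 || Buffer.from(sig, "utf8").toString("base64url") !== b64) {
    return { id: packed, thoughtSignature: null };
  }
  return { id: packed.slice(0, at), thoughtSignature: sig };
}
```

A payload that fails the re-encode check is passed through as a plain id with no signature instead of being partially decoded.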
Adds OpenCode (https://github.com/opencode-ai/opencode) as a supported
provider. OpenCode is an open-source terminal AI coding assistant with
an OpenAI-compatible API running locally.
Changes:
- open-sse/config/providers.js: add opencode baseUrl (localhost:4096)
with openai format (fully compatible, no custom headers needed)
- open-sse/services/model.js: add 'oc' alias → opencode
- src/shared/constants/providers.js: add opencode to subscription
providers with alias 'oc', icon 'terminal', color #E87040
Usage after setup: use model prefix 'oc/<model>' to route through
a running OpenCode instance (e.g. oc/claude-sonnet-4-5).
Closes #378
On Linux, verify that Cursor IDE is actually installed before importing
tokens. Previously, leftover config files from a removed Cursor installation
would trigger a false positive, creating a phantom Cursor provider connection.
The check uses `which cursor` and falls back to checking for a .desktop file
in ~/.local/share/applications/
Fixes #313
Co-authored-by: Ibrahim Ryan <ryan@nuevanext.com>
Made-with: Cursor
Change Codex test from token-expiry-only check to probing the real
Codex API endpoint. Sends a minimal request body that triggers a fast
400 without consuming quota. A 400 confirms auth works; only 401/403
indicates a bad token.
Also adds generic acceptStatuses support to the OAuth test framework
so other providers can define non-200 success statuses.
When a provider has credentials but all are disabled, return 404 (NOT_FOUND)
instead of 400 (BAD_REQUEST). The combo handler already treats 404 as a
fallbackable error, so it will skip to the next model in the chain.
Previously, the 400 status caused the combo to stop with a hard error,
killing the client (e.g., Claude Code) even though other models in the
combo chain were available.
Also changed log level from error to warn since disabled credentials
are an expected configuration state, not an error.
Fixes #334
Add ability to configure round-robin strategy for individual combos,
similar to per-provider strategy overrides.
Changes:
- Add comboStrategies setting to store per-combo strategy overrides
- Add Round Robin toggle to each combo card in combos page
- Update chat handler to check combo-specific strategy before global
- Combo-specific strategy takes precedence over global comboStrategy
When enabled, each request to that combo will cycle through providers
instead of always starting with the first one.
Made-with: Cursor
- Add comboRotationState Map to track rotation per combo
- Add getRotatedModels() to rotate model order based on strategy
- Pass comboName and comboStrategy to handleComboChat()
- Add comboStrategy setting (default: fallback)
- Add UI toggle for Combo Round Robin in profile settings
When enabled, each request to a combo starts with a different provider
instead of always starting with the first one, distributing load evenly.
Co-authored-by: Antigravity Agent <antigravity@example.com>
Add a simple chat UI to the dashboard for quickly testing AI models from
connected providers. Features include:
- Model picker from all connected providers
- Streaming chat responses
- Image attachment support
- Session history with localStorage persistence
- Responsive design with dark theme
Note: Removed build.sh from original PR as it contained syntax errors and
was unrelated to the chat UI feature.
Co-authored-by: Nguyễn Trung Hiếu <140531897+bonelag@users.noreply.github.com>
Made-with: Cursor
* fix(usage): track lifetime request total beyond history cap
* fix(ui): restore provider assets and model availability endpoint
* fix(cursor): remove sql.js dependency from auto-import route
- Replaced message state with modalError in both components for better error management.
- Removed unused message display logic and adjusted action handling to improve clarity.
- Enhanced error handling in doAction and doDnsAction functions to ignore errors gracefully.
- Updated API call responses to streamline user feedback on actions.
Add MiniMax-M2.7 to provider models and pricing config alongside
existing M2.5. M2.7 is the latest reasoning model with 204K context.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>