Remove collapsible "More Presets" toggle. All alternative providers are
now always visible in a labeled section below Featured Providers,
improving discoverability for users like Minimax, GLM, DeepSeek.
Closes#892
- route dashboard WebSocket traffic through /ws to avoid Vite HMR collisions
- run the dev entrypoint with node so bun run dev stays stable in this repo
- restore the Image settings scroll container contract and add regression coverage
Move reverse proxy under /api/cliproxy-local so it sits behind auth
middleware. Enforce localhost-only access when dashboard auth is disabled.
Resolve the target port from unified config instead of hardcoding 8317.
Re-serialize parsed JSON bodies before forwarding so writes still work
behind express.json(). Clean up proxy connections on client abort.
On the frontend, point the iframe and health check at the new same-origin
API path, probe the proxy directly, and tighten iframe origin/path
validation before sending the auto-login secret.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- keep Codex team and personal auth files as separate identities
- resolve quota and live monitor stats by token file-backed account id
- surface duplicate-aware account labels across the dashboard and variant UI
In Docker, the browser cannot directly reach the container-internal CLIProxy
port (8317). This adds a reverse proxy at /cliproxy-local/* that forwards
requests through the dashboard Express server to 127.0.0.1:8317 internally.
The control panel embed now uses same-origin API endpoints for health checks
and the proxy path for the management iframe.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Covers the shared-base-time fix to prevent one account from
dominating the timeline. 9 test cases: multi-account interleaving,
sort order, empty inputs, missing lastUsedAt, future-timestamp guard.
Connection Timeline sidebar showed only one account because
generateConnectionEvents() used per-account lastUsedAt as the base
timestamp. Accounts with more recent lastUsedAt dominated the
recency-sorted 100-event cap.
Use the maximum lastUsedAt across all accounts so events interleave
proportionally.
Closes#856
- add guided editors for top-level settings, trust, profiles, providers, MCP, and features
- refresh raw snapshots after patch saves to avoid stale mtime conflicts
- block structured saves while raw TOML is dirty and add route plus hook coverage
- update CLI, API, route, and dashboard surfaces to recognize the Codex runtime target
- normalize persisted codex targets back to claude so runtime-only behavior stays truthful
- add regression coverage for help text, route parsing, and profile storage normalization
Refs #773
The auth check endpoint always returned authRequired=false when auth
was disabled, even for remote clients. This caused the UI to render
the dashboard directly, where all data API calls return 403 silently.
Now detects remote access via isLoopbackRemoteAddress and sets
effectiveAuthRequired=true, so the UI properly redirects to the login
page. Also fixes misleading catch handler comment in auth-context.
When the auth check API call fails (e.g., 403 from the localhost
security middleware), the catch block assumed no auth was needed and
marked the user as authenticated. This caused a silently broken
dashboard with no providers and no error feedback.
Now treats auth check failure as auth-required, redirecting to the
login page where users get a clear prompt to configure credentials.
HeroSection defaulted to '5.0.0' when version prop was undefined,
causing a misleading version badge when the overview API fails (e.g.,
403 from remote access without auth). Now hides the badge entirely
until a real version is loaded.
- add masked dashboard-managed API key state for Exa, Tavily, and Brave
- persist WebSearch keys through global_env while keeping WebSearch as the UX surface
- treat dashboard-managed keys as ready in status checks and cover the flow with route/UI tests