Add a 4096-character cap before persisting official channel tokens, map that validation failure to HTTP 400 in the dashboard route, and cover both paths with regression tests.
- add dependency injection to export-command, binary-manager,
codex-plan-compatibility, config-command, and usage-syncer
- override process.exit in api-export test to prevent silent
termination in Bun's parallel test runner
- harden test-environment bootstrap with process.env isolation
- fix auth middleware to avoid config upgrade during checks
- replace the Discord-only config with multi-channel official channels selection
- add Telegram token handling and iMessage platform-aware runtime gating
- expand CLI, dashboard, and tests for Telegram, Discord, and iMessage
Refs #783
- add runtime injection for official Discord Channels on eligible native Claude sessions
- add CLI and dashboard configuration plus secure token handling
- add tests for launch planning, token sync, and config routing
Refs #783
- serialize deleteInstance with the same profile and plugin-layout locks as ensure
- lock non-account marketplace normalization paths and ignore .locks as an instance source
Support native Anthropic API keys (sk-ant-...) via `ccs api create --preset anthropic`.
Profiles use ANTHROPIC_API_KEY env var without BASE_URL, letting Claude CLI
authenticate natively with x-api-key header instead of proxy Bearer token.
- Add anthropic preset to provider catalog
- Branch profile-writer env structure (native vs proxy)
- Add validateAnthropicKey() preflight with x-api-key header
- Auto-detect api.anthropic.com URL in interactive flow
- Fix hasApiKey/isConfigured to recognize ANTHROPIC_API_KEY
- Update delegation-validator for native mode profiles
- Add Droid target API key fallback (ANTHROPIC_API_KEY)
Closes#688
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Extract generic shouldCacheQuotaResult replacing 4 identical functions
- Move parseTarget to route-helpers.ts (was duplicated in profile/variant routes)
- Add createRouteErrorHelpers factory (was duplicated in auth/settings routes)
- Fix config read-then-write race in proxy-routes.ts and misc-routes.ts
using mutateUnifiedConfig for atomic read-modify-write
- Replace raw error messages in 500 responses with generic messages +
server-side logging across all cliproxy-stats-routes handlers
- Convert extractErrorLogMetadata from sync fs to async fs.promises
- Fix X-Forwarded-For header spoofing in requireSensitiveLocalAccess (use socket-level address only)
- Add model ID length validation (max 256 chars) in PUT /models/:provider
- Add provider name validation (alphanumeric, max 64 chars) to prevent path traversal
- Add stale entry eviction for unbounded quotaRateLimits Map (>1000 entries)
- Fix concurrent refresh race in usage aggregator (wait for in-flight before forced refresh)
- Sanitize internal URLs/paths from OAuth failure diagnostics
- Add ValidationError class for denylist violations (distinct from system errors)
- Make CLIProxy sync interval configurable via CCS_CLIPROXY_SYNC_INTERVAL env var
- Improve legacy continuity config error logging (unconditional warn)
- Add CACHE_VERSION history comments