Use ComSpec-aware shell selection for escaped wrapper launches.
Apply it to the remaining Windows Claude launch paths.
Rewrite the Codex exec regression test to use scoped spies so the full suite stays isolated.
- skip managed Claude browser attach when the default CCS browser profile
directory has not been created yet
- keep explicit env override flows failing fast so real misconfiguration still
surfaces clearly
- add regression coverage for default and settings-profile launches
- skip CLIProxy auto-update checks on runtime bootstrap paths
- fail fast when local startup needs a missing binary instead of attempting installs
- add regression coverage for dashboard limited mode and startup test isolation
- keep headless paste routing aligned with the selected Kiro auth method
- validate local callback replay targets and add prompt cancellation safeguards
- wire IDC params through the dashboard start route and support equals-form CLI flags
- auto-select Builder ID for the default Kiro AWS auth flow
- support IDC auth flags and callback-based Kiro paste replay
- update regression coverage for Kiro auth routing
- keep Codex team and personal auth files as separate identities
- resolve quota and live monitor stats by token file-backed account id
- surface duplicate-aware account labels across the dashboard and variant UI
- add safer error responses for settings/auth routes to avoid leaking internals
- guard sensitive AGY settings endpoints to localhost when dashboard auth is off
- validate start-route bodies and reject OAuth start in remote mode for consistency
- preserve cliproxy.kiro_no_incognito and token_refresh during config merges
- enforce AGY acknowledgement in remote auth-token run/auth command paths
- P2: Edit dialog no longer seeds empty model string
Changed `variant.model || ''` to `variant.model ?? undefined`
Added payload filtering to exclude undefined/empty values before API call
Prevents unintended model overwrites when user only changes other fields
- P3: Composite --config guidance now uses variant name
Added profileName to ExecutorConfig interface
Error message now shows correct variant name instead of default tier provider
e.g., "ccs cliproxy edit my-mix" instead of "ccs cliproxy edit gemini"
- P1: Remove premature variant deletion in --force mode
Fix destructive overwrite path - old variant preserved if user
cancels auth or creation fails (createVariant handles overwrite)
- P2: Validate all composite tier providers at runtime
Backend gating now checks all providers in composite, not just
default tier. Prevents kiro/ghcp on non-default tiers bypassing
Plus backend requirement.
- P2: Preserve tier thinking when default tier is off
Early return skipped tier processing when default thinking was
"off". Now uses flag-based approach - only main model skipped,
tier loop continues with per-tier thinking config.
- Continue to remaining providers on auth failure instead of throwing
- Aggregate failures and show summary of succeeded/failed providers
- Improves UX when one provider fails in composite variant
- Add getCompositeEnvVars() for root URL + per-tier model env vars
- Extend ProxyChainConfig with composite fields
- Route composite variants through root URL in buildClaudeEnvironment()
- Multi-provider auth check for composite (all tiers must pass)
- Multi-provider token refresh for composite
- Per-tier broken model check
- Block --config for composite variants
- Pass composite config through to env resolver
Refs #506
* fix(cliproxy): migrate deprecated gemini-claude-* model names to upstream claude-* names (#515)
* fix(cliproxy): migrate deprecated gemini-claude-* model names to upstream claude-* names
CLIProxyAPI registry no longer recognizes the gemini-claude-* prefix convention.
Model names in catalog, base config, and user settings are migrated to upstream
claude-* names. Auto-migration in env-builder rewrites existing user settings on
load and persists the change.
Closes#513
* fix: address code review feedback — sync UI layer and add migration tests
- Sync UI isNativeGeminiModel() with backend (remove gemini-claude- exclusion)
- Update UI model catalog agy entries from gemini-claude-* to claude-*
- Update CI/CD workflow and code-reviewer default model names
- Add unit tests for migrateDeprecatedModelNames() logic
* fix(hooks): isolate image type check before error-prone processing (#514)
* fix(hooks): isolate image type check before error-prone processing
Restructure processHook() into two phases so non-image Read calls
never see hook error messages. Phase 1 defensively checks tool name
and file extension, exiting 0 silently on any failure. Phase 2 only
runs for confirmed image/PDF files where errors are relevant.
Closes#511
* fix(hooks): sync image analyzer hook file on every profile launch
Add installImageAnalyzerHook() call to cliproxy executor, matching
the existing installWebSearchHook() pattern. This ensures the .cjs
file in ~/.ccs/hooks/ gets refreshed from the npm package on every
launch, so users receive hook updates after npm update.
* chore(release): 7.41.0-dev.1 [skip ci]
* fix(cliproxy): add fork:true for Claude model aliases in config generator (#523)
Config generator now outputs fork:true for Claude model alias entries,
ensuring both upstream (claude-*) and aliased (gemini-claude-*) model
names appear in /v1/models listings. Also preserves fork flag when
parsing user-added aliases during config regeneration.
Bumps config version to v7 to trigger regeneration on next ccs doctor.
Closes#522
* chore(release): 7.41.0-dev.2 [skip ci]
* feat(cliproxy): add account safety guards to prevent Google account bans (#516)
* feat(cliproxy): add account safety guards to prevent Google account bans
Implements cross-provider isolation to prevent Google from flagging
concurrent OAuth usage across different client IDs (ref: #509, #512).
Three pillars:
1. Auto-pause enforcement at session launch — conflicting accounts in
other Google OAuth providers are paused so CLIProxyAPI can't use them,
restored on session exit with crash recovery via auto-paused.json
2. Ban/disable detection — error responses matching Google ban patterns
auto-pause the affected account to prevent further damage
3. Cross-provider conflict warnings during OAuth registration
Key design decisions:
- PID-based session tracking for crash recovery (dead PID = restore)
- Timestamp comparison prevents restoring ban-paused accounts on exit
- Schema validation on auto-paused.json prevents corrupted state
- Falls back to warn-only when another session is managing isolation
* fix(cliproxy): address code review feedback (attempt 1/5)
- Re-read auto-paused.json before write in enforceProviderIsolation to
reduce concurrent write race window
- Use actual email from registry for display instead of raw accountId
- Export maskEmail for testability
- Add 27 unit tests covering ban detection, email masking,
cross-provider duplicate detection, enforcement lifecycle,
crash recovery, and timestamp-guarded restore
* fix(cliproxy): address remaining review feedback (attempt 2/5)
- Add handleBanDetection test verifying account pause on ban error
- Add warnCrossProviderDuplicates tests (true/false/non-Google)
- Document PID reuse limitation in isPidAlive JSDoc comment
* chore(release): 7.41.0-dev.3 [skip ci]
* feat(cliproxy): runtime quota monitoring during active sessions (#529)
* feat(cliproxy): add runtime quota monitoring during active sessions
Adds adaptive background quota polling to detect and respond to quota
exhaustion during active CLIProxy sessions. Prevents rate-limit-driven
account bans by auto-cooling exhausted accounts and switching defaults.
- Adaptive polling: 300s normal, 60s at 20% threshold, stops at 0%
- Stderr warnings at 20%, boxed exhaustion alerts at 0%
- Cooldown + default switch on exhaustion (existing patterns)
- Configurable via quota_management.runtime_monitor in config.yaml
- Timer.unref() prevents blocking process exit
- monitorStopped guard for in-flight poll safety
Closes#524
* fix: address code review feedback (attempt 1/5)
- M1: Round quotaPercent display with Math.round() to avoid ugly floats
- M2: Rename exhaust_threshold -> exhaustion_threshold for consistency
with existing auto.exhaustion_threshold config field
- M3: Replace async not.toThrow() with direct await assertion pattern
* fix: address code review feedback (attempt 2/5)
- Remove .claude/agent-memory/ from tracking and add to .gitignore
- Unify cooldown_minutes default to 5 (was 10 in runtime_monitor, 5 in auto)
- Add threshold validation in startQuotaMonitor (warn > exhaustion)
- Document intentional post-switch monitoring gap in code comment
* chore(release): 7.41.0-dev.4 [skip ci]
* fix(cliproxy): mask email in ban detection and fix JSDoc default
- Use maskEmail() in handleBanDetection output for consistency
- Fix cooldown_minutes JSDoc: default is 5, not 10
* chore(release): 7.41.0-dev.5 [skip ci]
* fix(cliproxy): address all review feedback (Low + informational)
- Add sync constraint comment on process.exit handler (executor)
- Add TOCTOU race acceptability comment (account-safety)
- Mask email in handleQuotaExhaustion reason string
- Use realistic exhaustion_threshold (5) in test configs
* chore(release): 7.41.0-dev.6 [skip ci]
---------
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>