The latest release is now the source of truth for plugin versions, so
the registry version only serves as a display fallback. Validate its
format only when present.
List entries now show each plugin's latest release version and compute
update availability against it, falling back to the registry version
when the lookup fails. Lookups run concurrently and are cached per
repository with a short failure TTL to respect API rate limits.
Replace the tag-pinned release lookup with the repository latest
release endpoint. Derive the plugin version from the release tag,
validate it, and attach an optional token to API requests to raise
the rate limit.
- Removed the entire `jshandler` plugin implementation, including `abi.go`, `engine.go`, `config.go`, and associated test files.
- Deleted the `scripts` directory containing JavaScript examples.
- Cleaned up the `go.mod` and `go.sum` dependencies related to `jshandler`.
- Ensured redundant code and files associated with the removed plugin are purged from the repository.
- Introduced `htmlsanitize` package for escaping HTML and handling JSON body sanitization to prevent XSS vulnerabilities.
- Integrated sanitization functions into plugin store, plugin host, and API management handlers to ensure all user-facing content is escaped.
- Added unit tests to verify proper escaping of HTML strings, JSON bodies, and nested data structures.
- Updated existing management and plugin-related tests to validate sanitization implementations.
- Introduced logic to handle plugin unloading during updates to prevent conflicts with loaded plugins.
- Preserved existing plugin configurations during updates, ensuring seamless transitions and maintaining custom fields.
- Added support for reloading the configuration after management saves changes.
- Enhanced unit tests to validate unloading, configuration preservation, and reloading behaviors.
- Introduced `SupportPluginHeaderValue` to indicate CGO build status (`1` for enabled, `0` for disabled).
- Updated API response headers in `handler.go` to include "X-CPA-SUPPORT-PLUGIN".
- Added unit tests to verify proper header behavior under varying conditions.
- Replaced Chinese test strings in `claude_openai-responses_response_test.go` with English equivalents (e.g., "**对比竞品**" -> "**Compare competitors**").
- Updated comments in `config.example.yaml` to English to align with project language standards.
- Introduced `claudeResponsesUsageTokens` to manage detailed token statistics, including input, output, cache read, and cache creation tokens.
- Updated aggregation logic to include cached tokens in total usage calculations.
- Refactored usage processing to simplify token merging and ensure consistent handling across streaming and non-streaming responses.
- Added unit tests (`TestConvertClaudeResponseToOpenAIResponses_ReportsCacheTokens`) to verify correct cache token inclusion in usage metrics.
Closes: #3807
- Introduced test scenarios to validate `previous_response_id` injection during incremental and non-incremental requests.
- Verified behavior for pending tool calls, including proper inclusion or exclusion in websocket requests.
- Updated websocket handling logic to track `lastResponseID` and `pendingToolCallIDs`.
- Added utility functions for pending tool call validation and cleanup.
- Updated host model callback logic to skip originating plugin's interceptors during nested model executions.
- Added `SkipInterceptorPluginID` field to plugin API structs for controlling interceptor bypass behavior.
- Introduced supporting logic in host API handlers, plugin host registry, and callback contexts to identify and skip specific plugins.
- Enhanced unit tests across plugin host, API handlers, and execution paths to verify interceptor skipping behavior and plugin isolation.
- Revised documentation to clarify non-recursive behavior of host model callbacks and the use of `SkipInterceptorPluginID`.
- Added an example plugin `host-model-callback` in Go to summarize host model callbacks.
- Implemented `cliproxy_plugin_init`, `cliproxyPluginCall`, and other plugin functions for callback handling.
- Introduced API handlers for `ModelExecution` and `ModelExecutionStream` with support for both streaming and non-streaming requests.
- Included unit tests (`model_execution_test.go`) to validate execution logic and streaming responses.
- Implemented logic to aggregate text blocks until `message_stop` for improved consistency.
- Introduced support for message annotations like `citations_delta` in content responses.
- Added methods (`finalizeAssistantMessage`, `appendMessageAnnotation`) to handle message grouping and annotation appending cleanly.
- Updated unit tests to verify message aggregation, annotation handling, and suppression of unwanted native events.
Closes: #3801
- Added tests (`TestCliFinishReasonOnlyOnFinalChunk`, `TestGeminiFinishReasonOnlyOnFinalChunk`) to validate correct `finish_reason` and `native_finish_reason` assignment.
- Refactored Gemini and CLI translators to track `SawToolCall` and `UpstreamFinishReason` for accurate final-chunk determination.
- Improved response parsing logic to align with upstream metadata and provide consistent reasoning on chunk outputs.
- Introduced `applyRequestAfterAuthInterceptor` to modify requests after credential selection and before executor translation.
- Added `InterceptRequestAfterAuth` method across plugin adapters with corresponding tests for context validation.
- Enhanced format resolution logic (`requestToFormat`) to support additional providers and formats.
- Updated JavaScript handler to include a new `on_after_auth_request` hook for post-auth request handling.
- Refactored interceptor methods for clarity and better encapsulation of request/response lifecycles.
- Updated `README.md`, `README_JA.md`, and `README_CN.md` to include Unity2.ai sponsorship information.
- Highlighted features, benefits, and registration perks offered by Unity2.ai.
- Added Unity2.ai logo (`unity2.jpg`) to the project assets.
- Added new model `Claude Fable 5` to `models.json` with enhanced reasoning and long-horizon capabilities.
- Included detailed parameters such as context length, max completion tokens, and thinking level configurations.
- Added `resources` field in `management.register` for defining browser-accessible resources.
- Updated examples and documentation to reflect resource-based paths under `/v0/resource/plugins/<pluginID>/...`.
- Replaced legacy `GET` menu routes with resource-based implementations for consistent plugin behavior.
- Enhanced request handling for resource paths, including proper response headers and streamlined test coverage.
- Added `HostCallbackID` to request, response, and stream chunk interceptors for enhanced context tracking.
- Updated JavaScript engine to support custom console logging with `HostCallbackID` forwarding.
- Introduced tests verifying proper integration of `HostCallbackID` in all interceptor flows and engine logging.
- Enhanced logging and error handling for consistent callback-related logic implementation.
- Removed `pluginDelegateRoundRobin` and related logic to streamline plugin scheduler management.
- Consolidated scheduler strategies under `builtinSchedulerStrategy` with `pickViaBuiltinScheduler`.
- Introduced new methods `pickSingleWithStrategy` and `pickMixedWithStrategy` for strategy-specific behavior.
- Updated tests to reflect changes, including added coverage for round-robin and mixed-provider scenarios.
- Improved maintainability by unifying scheduling logic and reducing redundant structures.
- Added `opts.OriginalRequest` handling to `applyResponseInterceptors` for improved context passing.
- Introduced new test `TestApplyJSBeforeRequestUsesReturnedCtxBody` to validate JavaScript interceptor behavior.
- Updated JavaScript-based handler to safely rewrite sensitive content and headers in requests.
- Refined interceptor logic to ensure consistent state retention across request processing.
- Added `pluginSchedulerState` interface with `HasScheduler` method for improved plugin scheduler state checks.
- Updated `Manager.hasPluginScheduler` to handle `HasScheduler` logic.
- Implemented and tested fast-path handling for inactive plugin schedulers, including mixed provider scenarios.
- Expanded unit test coverage to ensure correct behavior in various scheduler states.
- Added a Go scheduler plugin demonstrating CLIProxyAPI capabilities, such as `plugin.register`, `plugin.reconfigure`, and `scheduler.pick`.
- Implemented methods for plugin configuration, built-in scheduler delegation (`fill-first`, `round-robin`), dynamic candidate selection, and error handling.
- Extended `pluginhost` with scheduler handling, candidate normalization, and fallback mechanisms.
- Included examples, tests, and detailed documentation for scheduler usage and implementation.
- Introduced `FrontendAuthProviderExclusive` capability to restrict authentication to a single selected provider.
- Added `SetExclusiveProvider` and `ClearExclusiveProvider` methods for managing exclusive providers in the access registry.
- Updated `pluginhost` to prioritize and enforce exclusive providers based on plugin priority and ID.
- Enhanced RPC capabilities schema to include `FrontendAuthProviderExclusive` field.
- Added example plugin and tests for exclusive frontend auth behavior.
- Implemented `RequestInterceptor`, `ResponseInterceptor`, and `StreamChunkInterceptor` using embedded JavaScript.
- Added support for configuring script paths, built-in script resolution, and safe execution.
- Introduced ABI lifecycle management, plugin registration, and execution monitoring.
- Enhanced with extensive test coverage for both plugin behavior and configuration logic.
- Implemented `RequestInterceptor`, `ResponseInterceptor`, and `StreamChunkInterceptor` capabilities.
- Added `sanitizePluginMetadata` to clean metadata for RPC compatibility.
- Enhanced interceptor chaining, error handling, and test coverage.
- Updated plugin configuration to register and dispatch interceptor methods.
