V3.8.0

🌍 View in other languages

OmniRoute v3.8.0 — Release Notes

Release date: 2026-05-15 Highlights: 7 new features + tier UX overhaul + 10 public AI agent skills.

New features

MCP smart text filter (Task 1)

Compression engine specifically for verbose MCP outputs (browser snapshots, accessibility trees). Collapses ≥30 repeated sibling lines into head + summary

• tail, preserves [ref=eXX] anchors required by Playwright/computer-use, hard-truncates oversized text with a navigation hint.

• New engine: open-sse/services/compression/engines/mcpAccessibility/
• Settings: compression.mcpAccessibility (migration 056)
• Expected savings: 60-80% on browser snapshot tool results

Public AI agent skills (Task 2)

Ten SKILL.md manifests under skills/omniroute*/ published for external AI agents (Claude Desktop, ChatGPT, Cursor, Cline) to consume via raw GitHub URL. Zero-friction onboarding: tell your agent to fetch one URL and start routing.

Standalone system tray (Task 3)

CLI users now get a system tray icon without needing Electron. Windows uses PowerShell NotifyIcon (zero new binaries, AV-friendly). macOS/Linux use the systray2 fork installed lazily into ~/.omniroute/runtime/. Includes cross-platform autostart (LaunchAgent / .desktop / registry).

• New flag: omniroute --tray
• New command: omniroute config tray <enable|disable>
• New modules: bin/cli/tray/

CLI machine-ID token (Task 4)

HMAC-SHA256(machine-id, salt) → constant-time-compared token sent via x-omniroute-cli-token header. Lets CLI commands authenticate locally without JWT/password.

• Accepted only on loopback host + whitelisted read-only routes
• Salt rotation via OMNIROUTE_CLI_SALT env var
• Falls back to ~/.omniroute/machine-id (0600) if node-machine-id fails
• Docs: docs/security/CLI_TOKEN.md

Route protection tiers (Task 5)

All API routes classified into 5 tiers (public, read-only, protected, always, local-only). Spawn-capable routes (MCP, CLI tools, OAuth callbacks, MITM, skills) enforce loopback host+origin even with valid JWT — leaked JWT via tunnel can no longer trigger child process spawn.

• New module: src/lib/auth/routeGuard.ts
• New Hard Rule #15 in CLAUDE.md
• Docs: docs/security/ROUTE_GUARD_TIERS.md

Caveman SHARED_BOUNDARIES (Task 6)

Caveman prompts (LITE/FULL/ULTRA) now embed a shared boundary clause instructing the LLM to keep code blocks, file paths, commands, errors, and URLs exact, and to write security warnings and irreversible-action confirmations in normal prose.

• New constant: SHARED_BOUNDARIES in open-sse/services/compression/outputMode.ts
• All 6 languages × 3 intensities updated
• alreadyApplied check order fixed (must precede shouldBypassCavemanOutputMode)

Dynamic SQLite runtime installer (Task 7)

Five-step driver resolution chain: bundled better-sqlite3 → runtime-installed better-sqlite3 → lazy install → node:sqlite (Node ≥22.5) → bundled sql.js (WASM). Each native binary is validated against expected platform magic bytes (ELF / Mach-O / PE) before load. Solves Windows EBUSY error on global updates while OmniRoute is running.

• New scripts: scripts/postinstall.mjs, bin/cli/runtime/
• Runtime dir: ~/.omniroute/runtime/
• New helper: src/lib/db/core.ts::ensureDbInitialized()
• Docs: docs/ops/SQLITE_RUNTIME.md

Tier 1/2/3 marketing & onboarding (Task 8)

README "Why OmniRoute?" section enhanced with ASCII tier diagram and comparison table. New /dashboard/onboarding/steps/TierTour.tsx step shows tier flow on first run with light/dark SVG assets. Home dashboard gains "Tier coverage" widget with empty-state CTA.

• New assets: images/tier-flow-light.svg, images/tier-flow-dark.svg
• New docs: docs/marketing/TIERS.md

Improvements

• New i18n strings for tier UI (en first; translations in v3.8.2)
• Compression analytics dashboard now reports per-engine savings
• 47 RTK filters documented in provider reference

Security

• Route protection tiers (Task 5) — spawn-capable routes blocked off loopback
• Hard Rule #15 in CLAUDE.md — assertRouteAllowed(req) mandatory for spawn routes
• CLI machine-ID token does NOT bypass always-protected routes (shutdown, db export)

Documentation

• docs/security/CLI_TOKEN.md
• docs/security/ROUTE_GUARD_TIERS.md
• docs/ops/SQLITE_RUNTIME.md
• docs/marketing/TIERS.md
• docs/comparison/OMNIROUTE_VS_ALTERNATIVES.md

Breaking changes

getDbInstance() now requires ensureDbInitialized() to have run first. The server startup orchestrator awaits it automatically. In tests or custom embeddings, call await ensureDbInitialized() before any src/lib/db/* import that triggers instance access.

Migration guide

For existing installations:

npm install -g omniroute@3.8.0
omniroute setup   # optional — re-runs onboarding to show new tier tour

CLI tokens are derived automatically; no migration needed. To enable tray: omniroute --tray or omniroute config tray enable.

For developers embedding OmniRoute:

• Replace getDbInstance() direct calls with await ensureDbInitialized(); getDbInstance()