manifest 5.38.1 → 5.38.4

package/dist/backend/common/utils/hash.util.js

@@ -20,8 +20,11 @@ function verifyKey(input, storedHash) {
         const actual = (0, crypto_1.scryptSync)(input, salt, KEY_LENGTH);
         return expected.length === KEY_LENGTH && (0, crypto_1.timingSafeEqual)(actual, expected);
     }
-    const legacyHash = (0, crypto_1.scryptSync)(input, LEGACY_SALT, KEY_LENGTH).toString('hex');
-    return legacyHash === storedHash;
+    if (!/^[0-9a-fA-F]{64}$/.test(storedHash))
+        return false;
+    const legacyHashBuf = (0, crypto_1.scryptSync)(input, LEGACY_SALT, KEY_LENGTH);
+    const storedBuf = Buffer.from(storedHash, 'hex');
+    return (0, crypto_1.timingSafeEqual)(legacyHashBuf, storedBuf);
 }
 function keyPrefix(key) {
     return key.substring(0, 12);

package/dist/backend/common/utils/url-validation.js

@@ -54,7 +54,7 @@ function isCloudMetadataIp(ip) {
     return CLOUD_METADATA_RANGES.some((range) => (addr & range.mask) === range.addr);
 }
 async function validatePublicUrl(url) {
-    if (process.env['NODE_ENV'] === 'test')
+    if (process.env['NODE_ENV'] === 'test' && process.env['SKIP_SSRF_VALIDATION'] !== 'false')
         return;
     let parsed;
     try {

package/dist/backend/database/database-seeder.service.js

@@ -61,6 +61,7 @@ let DatabaseSeederService = DatabaseSeederService_1 = class DatabaseSeederServic
             await this.seedTenantAndAgent();
             await this.seedAgentMessages();
             this.logger.log('Seeded demo data (dev/test only, SEED_DATA=true)');
+            this.logger.warn('SECURITY: Default seed credentials are active (admin@manifest.build). Do NOT use in production.');
         }
     }
     async runBetterAuthMigrations() {

package/dist/backend/database/models-dev-sync.service.js

@@ -43,6 +43,10 @@ const SHORT_DATE_SUFFIX_RE = /-\d{4}$/;
 const LATEST_SUFFIX = '-latest';
 const GOOGLE_VARIANT_RE = /-(?:preview(?:-\d{2,4}){1,3}|exp-\d{4}|latest)$/;
 const REASONING_SUFFIX_RE = /-(reasoning|non-reasoning)$/;
+const LEGACY_NAME_ALIASES = new Map([
+    ['open-mistral-nemo', 'mistral-nemo'],
+    ['mistral-tiny', 'open-mistral-7b'],
+]);
 let ModelsDevSyncService = ModelsDevSyncService_1 = class ModelsDevSyncService {
     logger = new common_1.Logger(ModelsDevSyncService_1.name);
     cache = new Map();
@@ -90,6 +94,18 @@ let ModelsDevSyncService = ModelsDevSyncService_1 = class ModelsDevSyncService {
         const exact = providerModels.get(modelId);
         if (exact)
             return exact;
+        const aliasBase = modelId
+            .replace(DATE_SUFFIX_RE, '')
+            .replace(SHORT_DATE_SUFFIX_RE, '')
+            .replace(/-latest$/, '');
+        const aliasTarget = LEGACY_NAME_ALIASES.get(aliasBase) ??
+            LEGACY_NAME_ALIASES.get(modelId) ??
+            LEGACY_NAME_ALIASES.get(modelId.replace(/-latest$/, ''));
+        if (aliasTarget) {
+            const found = providerModels.get(aliasTarget);
+            if (found)
+                return found;
+        }
         const noVersion = modelId.replace(VERSION_SUFFIX_RE, '');
         if (noVersion !== modelId) {
             const found = providerModels.get(noVersion);
@@ -135,6 +151,17 @@ let ModelsDevSyncService = ModelsDevSyncService_1 = class ModelsDevSyncService {
                     return withLatest;
             }
         }
+        if (modelId.endsWith(LATEST_SUFFIX)) {
+            const base = modelId.slice(0, -LATEST_SUFFIX.length);
+            const prefix = `${base}-`;
+            for (const [key, entry] of providerModels) {
+                if (key.startsWith(prefix) && key !== modelId)
+                    return entry;
+            }
+            const baseMatch = providerModels.get(base);
+            if (baseMatch)
+                return baseMatch;
+        }
         return null;
     }
     getModelsForProvider(providerId) {

package/dist/backend/model-discovery/known-model-prices.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.lookupKnownPrice = lookupKnownPrice;
+const PER_MILLION = 1_000_000;
+const KNOWN_PRICES = [
+    { prefix: 'moonshot-v1-', price: { input: 1.66 / PER_MILLION, output: 1.66 / PER_MILLION } },
+    { prefix: 'gemma-3-1b-it', price: { input: 0, output: 0 } },
+    { prefix: 'gemini-pro-latest', price: { input: 1.25 / PER_MILLION, output: 10.0 / PER_MILLION } },
+];
+function lookupKnownPrice(modelId) {
+    for (const entry of KNOWN_PRICES) {
+        if (modelId.startsWith(entry.prefix) || modelId === entry.prefix) {
+            return entry.price;
+        }
+    }
+    return null;
+}
+//# sourceMappingURL=known-model-prices.js.map

package/dist/backend/model-discovery/model-discovery.service.js

@@ -30,6 +30,7 @@ const qwen_region_1 = require("../routing/qwen-region");
 const copilot_token_service_1 = require("../routing/proxy/copilot-token.service");
 const anthropic_subscription_probe_1 = require("./anthropic-subscription-probe");
 const model_fallback_1 = require("./model-fallback");
+const known_model_prices_1 = require("./known-model-prices");
 const customProviderKey = (id) => `custom:${id}`;
 const customModelKey = (id, modelName) => `custom:${id}/${modelName}`;
 function isQwenProvider(providerId) {
@@ -209,7 +210,10 @@ let ModelDiscoveryService = ModelDiscoveryService_1 = class ModelDiscoveryServic
         return all.find((m) => m.id === modelName);
     }
     enrichModel(model, providerId) {
-        if (model.inputPricePerToken !== null && model.inputPricePerToken >= 0) {
+        if (model.inputPricePerToken !== null &&
+            model.inputPricePerToken >= 0 &&
+            model.outputPricePerToken !== null &&
+            model.outputPricePerToken >= 0) {
             return this.computeScore(this.applyCapabilities(model, providerId));
         }
         if (this.modelsDevSync) {
@@ -251,6 +255,14 @@ let ModelDiscoveryService = ModelDiscoveryService_1 = class ModelDiscoveryServic
                 });
             }
         }
+        const known = (0, known_model_prices_1.lookupKnownPrice)(model.id);
+        if (known) {
+            return this.computeScore({
+                ...model,
+                inputPricePerToken: known.input,
+                outputPricePerToken: known.output,
+            });
+        }
         return this.computeScore(model);
     }
     applyCapabilities(model, providerId) {

package/dist/backend/model-discovery/model-fallback.js

@@ -32,10 +32,23 @@ function findOpenRouterPrefix(providerId) {
     }
     return null;
 }
+const OPENROUTER_NAME_ALIASES = new Map([
+    ['voxtral-small', 'voxtral-small-24b'],
+    ['open-mistral-nemo', 'mistral-nemo'],
+    ['mistral-tiny', 'open-mistral-7b'],
+]);
 function lookupWithVariants(pricingSync, prefix, modelId) {
     const exact = pricingSync.lookupPricing(`${prefix}/${modelId}`);
     if (exact)
         return exact;
+    for (const [from, to] of OPENROUTER_NAME_ALIASES) {
+        if (modelId.includes(from)) {
+            const aliased = modelId.replace(from, to);
+            const aliasResult = pricingSync.lookupPricing(`${prefix}/${aliased}`);
+            if (aliasResult)
+                return aliasResult;
+        }
+    }
     const dotVariant = modelId.replace(/-(\d+)-(\d)/g, '-$1.$2');
     if (dotVariant !== modelId) {
         const dotResult = pricingSync.lookupPricing(`${prefix}/${dotVariant}`);
@@ -69,6 +82,17 @@ function lookupWithVariants(pricingSync, prefix, modelId) {
         if (result)
             return result;
     }
+    if (modelId.endsWith('-latest')) {
+        const base = modelId.slice(0, -'-latest'.length);
+        const scanPrefix = `${prefix}/${base}-`;
+        for (const [key] of pricingSync.getAll()) {
+            if (key.startsWith(scanPrefix)) {
+                const found = pricingSync.lookupPricing(key);
+                if (found)
+                    return found;
+            }
+        }
+    }
     return null;
 }
 function buildModelsDevFallback(modelsDevSync, providerId) {

package/dist/backend/model-discovery/provider-model-fetcher.service.js

@@ -63,10 +63,10 @@ function parseOpenAIDeduped(body, provider) {
 }
 exports.UNIVERSAL_NON_CHAT_RE = /(?:embed|tts|whisper|dall-e|imagen|cogview|wanx|sambert|paraformer|text-embedding|speech-to|voice-|audio-turbo)/i;
 exports.PROVIDER_NON_CHAT = {
-    openai: /(?:moderation|davinci|babbage|^text-|realtime|-transcribe|^sora|^gpt-3\.5-turbo-instruct|audio|^chatgpt-image)/i,
+    openai: /(?:moderation|davinci|babbage|^text-|realtime|-transcribe|^sora|^gpt-3\.5-turbo-instruct|audio|^chatgpt-image|search-api)/i,
     'openai-subscription': /(?:moderation|davinci|babbage|^text-|realtime|-transcribe|^sora|audio|^chatgpt-image)/i,
-    gemini: /(?:^aqs-|nano-banana|^deep-research|computer-use|^lyria|^gemini-2\.0-flash-lite$|flash-lite-preview)/i,
-    mistral: /(?:^mistral-ocr|moderation|voxtral-.*-(?:transcribe|realtime)|^labs-)/i,
+    gemini: /(?:^aqs-|nano-banana|^deep-research|computer-use|^lyria|^gemini-2\.0-flash-lite$|flash-lite-preview|robotics)/i,
+    mistral: /(?:^mistral-ocr|moderation|voxtral-.*-(?:transcribe|realtime)|^labs-|^mistral-vibe-cli)/i,
     xai: /(?:imagine|multi-agent)/i,
 };
 exports.PROVIDER_BLOCKLIST = {
@@ -174,8 +174,8 @@ function parseOpenRouter(body, provider) {
             displayName: entry.name || entry.id,
             provider,
             contextWindow: entry.context_length ?? 128000,
-            inputPricePerToken: prompt !== null && Number.isFinite(prompt) ? prompt : null,
-            outputPricePerToken: completion !== null && Number.isFinite(completion) ? completion : null,
+            inputPricePerToken: prompt !== null && Number.isFinite(prompt) && prompt >= 0 ? prompt : null,
+            outputPricePerToken: completion !== null && Number.isFinite(completion) && completion >= 0 ? completion : null,
             capabilityReasoning: false,
             capabilityCode: false,
             qualityScore: 3,

package/dist/backend/notifications/dto/set-notification-email.dto.js

@@ -0,0 +1,24 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SetNotificationEmailDto = void 0;
+const class_validator_1 = require("class-validator");
+const class_transformer_1 = require("class-transformer");
+class SetNotificationEmailDto {
+    email;
+}
+exports.SetNotificationEmailDto = SetNotificationEmailDto;
+__decorate([
+    (0, class_validator_1.IsEmail)(),
+    (0, class_transformer_1.Transform)(({ value }) => (typeof value === 'string' ? value.trim().toLowerCase() : value)),
+    __metadata("design:type", String)
+], SetNotificationEmailDto.prototype, "email", void 0);
+//# sourceMappingURL=set-notification-email.dto.js.map

package/dist/backend/notifications/notifications.controller.js

@@ -23,6 +23,7 @@ const notification_cron_service_1 = require("./services/notification-cron.servic
 const limit_check_service_1 = require("./services/limit-check.service");
 const notification_rule_dto_1 = require("./dto/notification-rule.dto");
 const set_email_provider_dto_1 = require("./dto/set-email-provider.dto");
+const set_notification_email_dto_1 = require("./dto/set-notification-email.dto");
 let NotificationsController = NotificationsController_1 = class NotificationsController {
     rulesService;
     notificationLog;
@@ -145,7 +146,7 @@ __decorate([
     __param(0, (0, current_user_decorator_1.CurrentUser)()),
     __param(1, (0, common_1.Body)()),
     __metadata("design:type", Function),
-    __metadata("design:paramtypes", [Object, Object]),
+    __metadata("design:paramtypes", [Object, set_notification_email_dto_1.SetNotificationEmailDto]),
     __metadata("design:returntype", Promise)
 ], NotificationsController.prototype, "setNotificationEmail", null);
 __decorate([

package/dist/backend/public-stats/public-stats.controller.js

@@ -15,91 +15,91 @@ const common_1 = require("@nestjs/common");
 const public_decorator_1 = require("../common/decorators/public.decorator");
 const cache_constants_1 = require("../common/constants/cache.constants");
 const public_stats_service_1 = require("./public-stats.service");
-let cachedStats = null;
-let statsTimestamp = 0;
-let statsInflight = null;
-let cachedCatalog = null;
-let catalogTimestamp = 0;
-let catalogInflight = null;
+let cachedUsage = null;
+let usageTimestamp = 0;
+let usageInflight = null;
+let cachedFree = null;
+let freeTimestamp = 0;
+let freeInflight = null;
 let PublicStatsController = PublicStatsController_1 = class PublicStatsController {
     service;
     logger = new common_1.Logger(PublicStatsController_1.name);
     constructor(service) {
         this.service = service;
     }
-    async getStats() {
-        if (cachedStats && Date.now() - statsTimestamp < cache_constants_1.PUBLIC_STATS_CACHE_TTL_MS) {
-            return cachedStats;
+    async getUsage() {
+        if (cachedUsage && Date.now() - usageTimestamp < cache_constants_1.PUBLIC_STATS_CACHE_TTL_MS) {
+            return cachedUsage;
         }
-        if (!statsInflight) {
-            statsInflight = this.refreshStats().finally(() => {
-                statsInflight = null;
+        if (!usageInflight) {
+            usageInflight = this.refreshUsage().finally(() => {
+                usageInflight = null;
             });
         }
-        return statsInflight;
+        return usageInflight;
     }
-    async getModelCatalog() {
-        if (cachedCatalog && Date.now() - catalogTimestamp < cache_constants_1.PUBLIC_STATS_CACHE_TTL_MS) {
-            return cachedCatalog;
+    async getFreeModels() {
+        if (cachedFree && Date.now() - freeTimestamp < cache_constants_1.PUBLIC_STATS_CACHE_TTL_MS) {
+            return cachedFree;
         }
-        if (!catalogInflight) {
-            catalogInflight = this.refreshCatalog().finally(() => {
-                catalogInflight = null;
+        if (!freeInflight) {
+            freeInflight = this.refreshFreeModels().finally(() => {
+                freeInflight = null;
             });
         }
-        return catalogInflight;
+        return freeInflight;
     }
-    async refreshStats() {
+    async refreshUsage() {
         try {
             const stats = await this.service.getUsageStats();
-            cachedStats = {
+            cachedUsage = {
                 total_messages: stats.total_messages,
                 top_models: stats.top_models,
                 cached_at: new Date().toISOString(),
             };
-            statsTimestamp = Date.now();
+            usageTimestamp = Date.now();
         }
         catch (err) {
             const msg = err instanceof Error ? err.message : String(err);
             this.logger.error(`Failed to fetch usage stats: ${msg}`);
         }
-        return (cachedStats ?? { total_messages: 0, top_models: [], cached_at: new Date().toISOString() });
+        return (cachedUsage ?? { total_messages: 0, top_models: [], cached_at: new Date().toISOString() });
     }
-    async refreshCatalog() {
+    async refreshFreeModels() {
         try {
             const stats = await this.service.getUsageStats();
             const models = this.service.getFreeModels(stats.token_map);
-            cachedCatalog = {
+            cachedFree = {
                 models,
                 total_models: models.length,
                 cached_at: new Date().toISOString(),
             };
-            catalogTimestamp = Date.now();
+            freeTimestamp = Date.now();
         }
         catch (err) {
             const msg = err instanceof Error ? err.message : String(err);
-            this.logger.error(`Failed to fetch model catalog: ${msg}`);
+            this.logger.error(`Failed to fetch free models: ${msg}`);
         }
-        return cachedCatalog ?? { models: [], total_models: 0, cached_at: new Date().toISOString() };
+        return cachedFree ?? { models: [], total_models: 0, cached_at: new Date().toISOString() };
     }
 };
 exports.PublicStatsController = PublicStatsController;
 __decorate([
     (0, public_decorator_1.Public)(),
-    (0, common_1.Get)('public-stats'),
+    (0, common_1.Get)('usage'),
     __metadata("design:type", Function),
     __metadata("design:paramtypes", []),
     __metadata("design:returntype", Promise)
-], PublicStatsController.prototype, "getStats", null);
+], PublicStatsController.prototype, "getUsage", null);
 __decorate([
     (0, public_decorator_1.Public)(),
-    (0, common_1.Get)('public-stats/models'),
+    (0, common_1.Get)('free-models'),
     __metadata("design:type", Function),
     __metadata("design:paramtypes", []),
     __metadata("design:returntype", Promise)
-], PublicStatsController.prototype, "getModelCatalog", null);
+], PublicStatsController.prototype, "getFreeModels", null);
 exports.PublicStatsController = PublicStatsController = PublicStatsController_1 = __decorate([
-    (0, common_1.Controller)('api/v1'),
+    (0, common_1.Controller)('api/v1/public'),
     __metadata("design:paramtypes", [public_stats_service_1.PublicStatsService])
 ], PublicStatsController);
 //# sourceMappingURL=public-stats.controller.js.map

package/dist/backend/public-stats/public-stats.service.js

@@ -19,6 +19,11 @@ const typeorm_2 = require("typeorm");
 const agent_message_entity_1 = require("../entities/agent-message.entity");
 const model_pricing_cache_service_1 = require("../model-prices/model-pricing-cache.service");
 const sql_dialect_1 = require("../common/utils/sql-dialect");
+const MAX_RESULTS = 10;
+const EXCLUDED_PROVIDERS = new Set(['Unknown']);
+function isCustomModel(model) {
+    return model.startsWith('custom:');
+}
 let PublicStatsService = class PublicStatsService {
     messageRepo;
     pricingCache;
@@ -37,7 +42,6 @@ let PublicStatsService = class PublicStatsService {
                 .where('at.model IS NOT NULL')
                 .groupBy('at.model')
                 .orderBy('usage_count', 'DESC')
-                .limit(20)
                 .getRawMany(),
             this.messageRepo
                 .createQueryBuilder('at')
@@ -52,12 +56,18 @@ let PublicStatsService = class PublicStatsService {
         for (const r of tokenRows) {
             tokenMap.set(r.model, Number(r.tokens ?? 0));
         }
-        const topModels = topRows.map((r, i) => {
+        const eligible = [];
+        for (const r of topRows) {
             const modelName = r.model;
+            if (isCustomModel(modelName))
+                continue;
             const pricing = this.pricingCache.getByModel(modelName);
-            return {
+            const provider = pricing?.provider || 'Unknown';
+            if (EXCLUDED_PROVIDERS.has(provider))
+                continue;
+            eligible.push({
                 model: modelName,
-                provider: pricing?.provider || 'Unknown',
+                provider,
                 tokens_7d: tokenMap.get(modelName) ?? 0,
                 input_price_per_million: pricing?.input_price_per_token != null
                     ? Number(pricing.input_price_per_token) * 1_000_000
@@ -65,9 +75,12 @@ let PublicStatsService = class PublicStatsService {
                 output_price_per_million: pricing?.output_price_per_token != null
                     ? Number(pricing.output_price_per_token) * 1_000_000
                     : null,
-                usage_rank: i + 1,
-            };
-        });
+                usage_rank: 0,
+            });
+        }
+        eligible.sort((a, b) => b.tokens_7d - a.tokens_7d);
+        const topModels = eligible.slice(0, MAX_RESULTS);
+        topModels.forEach((m, i) => (m.usage_rank = i + 1));
         return {
             total_messages: Number(countRow?.total ?? 0),
             top_models: topModels,
@@ -77,12 +90,23 @@ let PublicStatsService = class PublicStatsService {
     getFreeModels(tokenMap) {
         return this.pricingCache
             .getAll()
-            .filter((e) => (e.input_price_per_token ?? 0) === 0 && (e.output_price_per_token ?? 0) === 0)
+            .filter((e) => {
+            if ((e.input_price_per_token ?? 0) !== 0 || (e.output_price_per_token ?? 0) !== 0)
+                return false;
+            if (isCustomModel(e.model_name))
+                return false;
+            const provider = e.provider || 'Unknown';
+            if (EXCLUDED_PROVIDERS.has(provider))
+                return false;
+            return (tokenMap.get(e.model_name) ?? 0) > 0;
+        })
             .map((e) => ({
             model_name: e.model_name,
             provider: e.provider || 'Unknown',
             tokens_7d: tokenMap.get(e.model_name) ?? 0,
-        }));
+        }))
+            .sort((a, b) => b.tokens_7d - a.tokens_7d)
+            .slice(0, MAX_RESULTS);
     }
 };
 exports.PublicStatsService = PublicStatsService;

package/dist/backend/routing/oauth/openai-oauth.controller.js

@@ -15,6 +15,7 @@ var OpenaiOauthController_1;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.OpenaiOauthController = void 0;
 const common_1 = require("@nestjs/common");
+const crypto_1 = require("crypto");
 const public_decorator_1 = require("../../common/decorators/public.decorator");
 const current_user_decorator_1 = require("../../auth/current-user.decorator");
 const openai_oauth_service_1 = require("./openai-oauth.service");
@@ -85,9 +86,10 @@ let OpenaiOauthController = OpenaiOauthController_1 = class OpenaiOauthControlle
     }
     done(ok, res) {
         const success = ok === '1';
+        const nonce = (0, crypto_1.randomBytes)(16).toString('base64');
         res.setHeader('Content-Type', 'text/html');
-        res.setHeader('Content-Security-Policy', "default-src 'none'; script-src 'unsafe-inline'");
-        res.send((0, openai_oauth_service_1.oauthDoneHtml)(success));
+        res.setHeader('Content-Security-Policy', `default-src 'none'; script-src 'nonce-${nonce}'`);
+        res.send((0, openai_oauth_service_1.oauthDoneHtml)(success, nonce));
     }
 };
 exports.OpenaiOauthController = OpenaiOauthController;

package/dist/backend/routing/oauth/openai-oauth.types.js

@@ -22,18 +22,19 @@ function parseOAuthTokenBlob(rawValue) {
         return null;
     }
 }
-function oauthDoneHtml(success) {
+function oauthDoneHtml(success, nonce) {
     const message = success ? 'manifest-oauth-success' : 'manifest-oauth-error';
     const text = success
         ? 'Login successful!'
         : 'Login failed. Please close this window and try again.';
+    const nonceAttr = nonce ? ` nonce="${nonce}"` : '';
     return `<!DOCTYPE html>
 <html>
 <head><title>Manifest — OpenAI Login</title></head>
 <body style="font-family:system-ui;display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;margin:0;background:#111;color:#eee;">
 <p>${text}</p>
 <p id="hint" style="font-size:13px;color:#888;display:none;">You can close this window.</p>
-<script>
+<script${nonceAttr}>
 try{var bc=new BroadcastChannel('manifest-oauth');bc.postMessage({type:'${message}'});bc.close();}catch(e){}
 if(window.opener){window.opener.postMessage({type:'${message}'},window.location.origin);}
 setTimeout(function(){window.close();document.getElementById('hint').style.display='block';},1500);

package/dist/backend/routing/proxy/proxy-error-sanitizer.js

@@ -14,6 +14,13 @@ const KNOWN_ERROR_MESSAGES = {
     503: 'Upstream provider temporarily unavailable',
     504: 'Upstream provider gateway timeout',
 };
+function sanitizeSensitivePatterns(msg) {
+    return msg
+        .replace(/sk-ant-[a-zA-Z0-9_-]{20,}/g, 'sk-ant-***')
+        .replace(/sk-[a-zA-Z0-9_-]{20,}/g, 'sk-***')
+        .replace(/key=[^&\s"]+/g, 'key=***')
+        .replace(/Bearer\s+[^\s"]+/gi, 'Bearer ***');
+}
 function sanitizeProviderError(status, rawBody, nodeEnv) {
     const generic = KNOWN_ERROR_MESSAGES[status] ?? `Upstream provider returned HTTP ${status}`;
     if ((nodeEnv ?? 'production') === 'production')
@@ -23,7 +30,7 @@ function sanitizeProviderError(status, rawBody, nodeEnv) {
         const error = parsed.error;
         const message = error?.message ?? parsed.message;
         if (typeof message === 'string' && message.length > 0) {
-            return message.slice(0, 500);
+            return sanitizeSensitivePatterns(message).slice(0, 500);
         }
     }
     catch {

package/dist/backend/routing/routing-core/tier-auto-assign.service.js

@@ -31,8 +31,10 @@ function filterSubModels(models) {
     }
     const result = [];
     for (const providerModels of byProvider.values()) {
-        const zeroCost = providerModels.filter((m) => (m.inputPricePerToken == null || m.inputPricePerToken === 0) &&
-            (m.outputPricePerToken == null || m.outputPricePerToken === 0));
+        const zeroCost = providerModels.filter((m) => m.inputPricePerToken != null &&
+            m.outputPricePerToken != null &&
+            m.inputPricePerToken === 0 &&
+            m.outputPricePerToken === 0);
         result.push(...(zeroCost.length > 0 ? zeroCost : providerModels));
     }
     return result;
@@ -82,11 +84,14 @@ let TierAutoAssignService = TierAutoAssignService_1 = class TierAutoAssignServic
     pickBest(models, tier) {
         if (models.length === 0)
             return null;
-        const totalPrice = (m) => (m.inputPricePerToken != null ? Number(m.inputPricePerToken) : 0) +
-            (m.outputPricePerToken != null ? Number(m.outputPricePerToken) : 0);
+        const totalPrice = (m) => {
+            if (m.inputPricePerToken == null || m.outputPricePerToken == null)
+                return Infinity;
+            return Number(m.inputPricePerToken) + Number(m.outputPricePerToken);
+        };
         const quality = (m) => m.qualityScore ?? 3;
         const byPrice = [...models].sort((a, b) => totalPrice(a) - totalPrice(b));
-        let picked;
+        let picked = byPrice[0];
         switch (tier) {
             case 'simple': {
                 picked = byPrice[0];

package/dist/backend/scoring/index.js

@@ -119,18 +119,10 @@ function scoreRequest(input, configOverride, momentum) {
     const hasTools = tools && tools.length > 0;
     const hasMomentum = momentum?.recentTiers && momentum.recentTiers.length > 0;
     if (lastUserText.length > 0 && lastUserText.length < 50 && !hasTools) {
-        if (!hasMomentum) {
-            return {
-                tier: 'simple',
-                score: -0.3,
-                confidence: 0.9,
-                reason: 'short_message',
-                dimensions: emptyDimensions(config),
-                momentum: null,
-            };
-        }
         const lastMatches = trie.scan(lastUserText);
-        if (lastMatches.some((m) => m.dimension === 'simpleIndicators')) {
+        const hasSimpleIndicator = lastMatches.some((m) => m.dimension === 'simpleIndicators');
+        const hasComplexSignal = lastMatches.some((m) => m.dimension !== 'simpleIndicators' && m.dimension !== 'relay');
+        if (!hasComplexSignal && (!hasMomentum || hasSimpleIndicator)) {
             return {
                 tier: 'simple',
                 score: -0.3,

package/dist/openclaw.plugin.json

@@ -1,7 +1,7 @@
 {
   "id": "manifest",
   "name": "Manifest Self-Hosted LLM Router",
-  "version": "5.38.1",
+  "version": "5.38.4",
   "description": "Run the Manifest LLM router locally with SQLite. Zero-config dashboard included.",
   "author": "MNFST Inc.",
   "homepage": "https://manifest.build",

package/openclaw.plugin.json

@@ -1,7 +1,7 @@
 {
   "id": "manifest",
   "name": "Manifest Self-Hosted LLM Router",
-  "version": "5.38.1",
+  "version": "5.38.4",
   "description": "Run the Manifest LLM router locally with SQLite. Zero-config dashboard included.",
   "author": "MNFST Inc.",
   "homepage": "https://manifest.build",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "manifest",
-  "version": "5.38.1",
+  "version": "5.38.4",
   "description": "Self-hosted Manifest LLM router with embedded server, SQLite database, and dashboard",
   "main": "dist/index.js",
   "license": "MIT",