KooshaPari · KooshaPari · Mar 25, 2026 · Feb 26, 2026 · Feb 23, 2026 · Feb 23, 2026
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,16 @@
+name: Bug Report
+description: File a report to help us improve Phenotype
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: textarea
+    id: bug-description
+    attributes:
+      label: Bug Description
+      description: A clear and concise description of what the bug is.
+      placeholder: What happened?
+    validations:
+      required: true
diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -0,0 +1,11 @@
+name: Feature Request
+description: Suggest an idea for Phenotype
+labels: ["enhancement"]
+body:
+  - type: textarea
+    id: feature-description
+    attributes:
+      label: Feature Description
+      description: A clear and concise description of what you want to happen.
+    validations:
+      required: true
diff --git a/.github/workflows/pages-deploy.yml b/.github/workflows/pages-deploy.yml
@@ -0,0 +1,22 @@
+name: pages-deploy
+on:
+  push:
+    branches: [main]
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+jobs:
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/configure-pages@v4
+      - uses: actions/upload-pages-artifact@v3
+        with:
+          path: '.'
+      - id: deployment
+        uses: actions/deploy-pages@v4
diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml
@@ -0,0 +1,9 @@
+name: quality-gate
+on: [pull_request]
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run quality checks
+        run: ./scripts/quality-gate.sh verify
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -0,0 +1,12 @@
+name: Release Drafter
+on:
+  push:
+    branches:
+      - main
+jobs:
+  update_release_draft:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: release-drafter/release-drafter@v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/self-merge-gate.yml b/.github/workflows/self-merge-gate.yml
@@ -0,0 +1,9 @@
+name: self-merge-gate
+on: [pull_request_review]
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    if: github.event.review.state == 'approved'
+    steps:
+      - name: Check self-merge eligibility
+        run: ./scripts/self-merge-gate.sh
diff --git a/.github/workflows/tag-automation.yml b/.github/workflows/tag-automation.yml
@@ -0,0 +1,12 @@
+name: Tag Automation
+on:
+  push:
+    tags:
+      - 'v*'
+jobs:
+  tag:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Create release tag
+        run: echo "Creating release for ${{ github.ref_name }}"
diff --git a/.worktrees/config/m/config-build/active/.dockerignore b/.worktrees/config/m/config-build/active/.dockerignore
@@ -0,0 +1,36 @@
+# Git and GitHub folders
+.git/*
+.github/*
+
+# Docker and CI/CD related files
+docker-compose.yml
+.dockerignore
+.gitignore
+.goreleaser.yml
+Dockerfile
+
+# Documentation and license
+docs/*
+README.md
+README_CN.md
+LICENSE
+
+# Runtime data folders (should be mounted as volumes)
+auths/*
+logs/*
+conv/*
+config.yaml
+
+# Development/editor
+bin/*
+.vscode/*
+.claude/*
+.codex/*
+.gemini/*
+.serena/*
+.agent/*
+.agents/*
+.opencode/*
+.bmad/*
+_bmad/*
+_bmad-output/*
diff --git a/.worktrees/config/m/config-build/active/.env.example b/.worktrees/config/m/config-build/active/.env.example
@@ -0,0 +1,34 @@
+# Example environment configuration for CLIProxyAPI.
+# Copy this file to `.env` and uncomment the variables you need.
+#
+# NOTE: Environment variables are only required when using remote storage options.
+# For local file-based storage (default), no environment variables need to be set.
+
+# ------------------------------------------------------------------------------
+# Management Web UI
+# ------------------------------------------------------------------------------
+# MANAGEMENT_PASSWORD=change-me-to-a-strong-password
+
+# ------------------------------------------------------------------------------
+# Postgres Token Store (optional)
+# ------------------------------------------------------------------------------
+# PGSTORE_DSN=postgresql://user:pass@localhost:5432/cliproxy
+# PGSTORE_SCHEMA=public
+# PGSTORE_LOCAL_PATH=/var/lib/cliproxy
+
+# ------------------------------------------------------------------------------
+# Git-Backed Config Store (optional)
+# ------------------------------------------------------------------------------
+# GITSTORE_GIT_URL=https://github.com/your-org/cli-proxy-config.git
+# GITSTORE_GIT_USERNAME=git-user
+# GITSTORE_GIT_TOKEN=ghp_your_personal_access_token
+# GITSTORE_LOCAL_PATH=/data/cliproxy/gitstore
+
+# ------------------------------------------------------------------------------
+# Object Store Token Store (optional)
+# ------------------------------------------------------------------------------
+# OBJECTSTORE_ENDPOINT=https://s3.your-cloud.example.com
+# OBJECTSTORE_BUCKET=cli-proxy-config
+# OBJECTSTORE_ACCESS_KEY=your_access_key
+# OBJECTSTORE_SECRET_KEY=your_secret_key
+# OBJECTSTORE_LOCAL_PATH=/data/cliproxy/objectstore
diff --git a/.worktrees/config/m/config-build/active/.github/FUNDING.yml b/.worktrees/config/m/config-build/active/.github/FUNDING.yml
@@ -0,0 +1 @@
+github: [router-for-me]
diff --git a/.worktrees/config/m/config-build/active/.github/ISSUE_TEMPLATE/bug_report.md b/.worktrees/config/m/config-build/active/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,44 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is it a request payload issue?**
+[  ] Yes, this is a request payload issue. I am using a client/cURL to send a request payload, but I received an unexpected error.
+[  ] No, it's another issue.
+
+**If it's a request payload issue, you MUST know**
+Our team doesn't have any GODs or ORACLEs or MIND READERs. Please make sure to attach the request log or curl payload.
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**CLI Type**
+What type of CLI account do you use?  (gemini-cli, gemini, codex, claude code or openai-compatibility)
+
+**Model Name**
+What model are you using? (example: gemini-2.5-pro, claude-sonnet-4-20250514, gpt-5, etc.)
+
+**LLM Client**
+What LLM Client are you using? (example: roo-code, cline, claude code, etc.)
+
+**Request Information**
+The best way is to paste the cURL command of the HTTP request here.
+Alternatively, you can set `request-log: true` in the `config.yaml` file and then upload the detailed log file.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**OS Type**
+ - OS: [e.g. macOS]
+ - Version [e.g. 15.6.0]
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.worktrees/config/m/config-build/active/.github/dependabot.yml b/.worktrees/config/m/config-build/active/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "" # See documentation for possible values haha
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
diff --git a/.worktrees/config/m/config-build/active/.github/policies/approved-external-endpoints.txt b/.worktrees/config/m/config-build/active/.github/policies/approved-external-endpoints.txt
@@ -0,0 +1,42 @@
+# Approved external endpoint hosts.
+# Matching is exact host or subdomain of an entry.
+
+accounts.google.com
+aiplatform.googleapis.com
+ampcode.com
+api.anthropic.com
+api.api.githubcopilot.com
+api.deepseek.com
+api.fireworks.ai
+api.github.com
+api.groq.com
+api.kilo.ai
+api.kimi.com
+api.minimax.chat
+api.minimax.io
+api.mistral.ai
+api.novita.ai
+api.openai.com
+api.roocode.com
+api.siliconflow.cn
+api.together.xyz
+apis.iflow.cn
+auth.openai.com
+chat.qwen.ai
+chatgpt.com
+claude.ai
+cloudcode-pa.googleapis.com
+cloudresourcemanager.googleapis.com
+generativelanguage.googleapis.com
+github.com
+golang.org
+iflow.cn
+integrate.api.nvidia.com
+oauth2.googleapis.com
+openrouter.ai
+platform.iflow.cn
+platform.openai.com
+portal.qwen.ai
+raw.githubusercontent.com
+serviceusage.googleapis.com
+www.googleapis.com
diff --git a/.worktrees/config/m/config-build/active/.github/release-required-checks.txt b/.worktrees/config/m/config-build/active/.github/release-required-checks.txt
@@ -0,0 +1,13 @@
+# workflow_file|job_name
+pr-test-build.yml|go-ci
+pr-test-build.yml|quality-ci
+pr-test-build.yml|quality-staged-check
+pr-test-build.yml|fmt-check
+pr-test-build.yml|golangci-lint
+pr-test-build.yml|route-lifecycle
+pr-test-build.yml|test-smoke
+pr-test-build.yml|pre-release-config-compat-smoke
+pr-test-build.yml|distributed-critical-paths
+pr-test-build.yml|changelog-scope-classifier
+pr-test-build.yml|docs-build
+pr-test-build.yml|ci-summary
diff --git a/.worktrees/config/m/config-build/active/.github/required-checks.txt b/.worktrees/config/m/config-build/active/.github/required-checks.txt
@@ -0,0 +1,16 @@
+# workflow_file|job_name
+pr-test-build.yml|go-ci
+pr-test-build.yml|quality-ci
+pr-test-build.yml|quality-staged-check
+pr-test-build.yml|fmt-check
+pr-test-build.yml|golangci-lint
+pr-test-build.yml|route-lifecycle
+pr-test-build.yml|provider-smoke-matrix
+pr-test-build.yml|provider-smoke-matrix-cheapest
+pr-test-build.yml|test-smoke
+pr-test-build.yml|pre-release-config-compat-smoke
+pr-test-build.yml|distributed-critical-paths
+pr-test-build.yml|changelog-scope-classifier
+pr-test-build.yml|docs-build
+pr-test-build.yml|ci-summary
+pr-path-guard.yml|ensure-no-translator-changes
diff --git a/.worktrees/config/m/config-build/active/.github/scripts/check-approved-external-endpoints.sh b/.worktrees/config/m/config-build/active/.github/scripts/check-approved-external-endpoints.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+policy_file=".github/policies/approved-external-endpoints.txt"
+if [[ ! -f "${policy_file}" ]]; then
+  echo "Missing policy file: ${policy_file}"
+  exit 1
+fi
+
+mapfile -t approved_hosts < <(grep -Ev '^\s*#|^\s*$' "${policy_file}" | tr '[:upper:]' '[:lower:]')
+if [[ "${#approved_hosts[@]}" -eq 0 ]]; then
+  echo "No approved hosts in policy file"
+  exit 1
+fi
+
+matches_policy() {
+  local host="$1"
+  local approved
+  for approved in "${approved_hosts[@]}"; do
+    if [[ "${host}" == "${approved}" || "${host}" == *."${approved}" ]]; then
+      return 0
+    fi
+  done
+  return 1
+}
+
+mapfile -t discovered_hosts < <(
+  rg -No --hidden \
+    --glob '!docs/**' \
+    --glob '!**/*_test.go' \
+    --glob '!**/node_modules/**' \
+    --glob '!**/*.png' \
+    --glob '!**/*.jpg' \
+    --glob '!**/*.jpeg' \
+    --glob '!**/*.gif' \
+    --glob '!**/*.svg' \
+    --glob '!**/*.webp' \
+    'https?://[^"\047 )\]]+' \
+    cmd pkg sdk scripts .github/workflows config.example.yaml README.md README_CN.md 2>/dev/null \
+    | awk -F'://' '{print $2}' \
+    | cut -d/ -f1 \
+    | cut -d: -f1 \
+    | tr '[:upper:]' '[:lower:]' \
+    | sort -u
+)
+
+unknown=()
+for host in "${discovered_hosts[@]}"; do
+  [[ -z "${host}" ]] && continue
+  [[ "${host}" == *"%"* ]] && continue
+  [[ "${host}" == *"{"* ]] && continue
+  [[ "${host}" == "localhost" || "${host}" == "127.0.0.1" || "${host}" == "0.0.0.0" ]] && continue
+  [[ "${host}" == "example.com" || "${host}" == "www.example.com" ]] && continue
+  [[ "${host}" == "proxy.com" || "${host}" == "proxy.local" ]] && continue
+  [[ "${host}" == "api.example.com" ]] && continue
+  if ! matches_policy "${host}"; then
+    unknown+=("${host}")
+  fi
+done
+
+if [[ "${#unknown[@]}" -ne 0 ]]; then
+  echo "Found external hosts not in ${policy_file}:"
+  printf '  - %s\n' "${unknown[@]}"
+  exit 1
+fi
+
+echo "external endpoint policy check passed"
diff --git a/.worktrees/config/m/config-build/active/.github/scripts/check-distributed-critical-paths.sh b/.worktrees/config/m/config-build/active/.github/scripts/check-distributed-critical-paths.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "[distributed-critical-paths] validating filesystem-sensitive paths"
+go test -count=1 -run '^(TestMultiSourceSecret_FileHandling|TestMultiSourceSecret_CacheBehavior|TestMultiSourceSecret_Concurrency|TestAmpModule_OnConfigUpdated_CacheInvalidation)$' ./pkg/llmproxy/api/modules/amp
+
+echo "[distributed-critical-paths] validating ops endpoint route registration"
+go test -count=1 -run '^TestRegisterManagementRoutes$' ./pkg/llmproxy/api/modules/amp
+
+echo "[distributed-critical-paths] validating compute/cache-sensitive paths"
+go test -count=1 -run '^(TestEnsureCacheControl|TestCacheControlOrder|TestCountOpenAIChatTokens|TestCountClaudeChatTokens)$' ./pkg/llmproxy/runtime/executor
+
+echo "[distributed-critical-paths] validating queue telemetry to provider metrics path"
+go test -count=1 -run '^TestBuildProviderMetricsFromSnapshot_FailoverAndQueueTelemetry$' ./pkg/llmproxy/usage
+
+echo "[distributed-critical-paths] validating signature cache primitives"
+go test -count=1 -run '^(TestCacheSignature_BasicStorageAndRetrieval|TestCacheSignature_ExpirationLogic)$' ./pkg/llmproxy/cache
+
+echo "[distributed-critical-paths] all targeted checks passed"