- Add protocol validation (http/https only) to prevent SSRF via file:/ftp: URLs
- Hash both apiBase+apiKey together in cache key to prevent collision attacks
- Simplify frontend error detection (use TypeError instanceof instead of fragile string check)
- Make smoke test error code assertion more precise with regex
Co-authored-by: qinfendebingshuo <207279273+qinfendebingshuo@users.noreply.github.com>
- Add 🧠 Persona Studio navigation tab in docs/index.html sidebar
- Update smoke tests to target api-proxy.js (port 3721) instead of persona-studio backend (3002)
- Update error code assertion to match improved error specificity
- Add test for INVALID_API_BASE validation
- Replace auth/login tests with /api/health check (auth is on separate service)
Co-authored-by: qinfendebingshuo <207279273+qinfendebingshuo@users.noreply.github.com>
- Use const/let instead of var for block-scoped variables in frontend
- Add header injection validation for API Key (reject newline chars)
- Include original error message in fetchModels error callback
- Use more reliable hostname for unreachable API base test
Co-authored-by: qinfendebingshuo <207279273+qinfendebingshuo@users.noreply.github.com>
- Add backend route POST /api/ps/apikey/detect-models for model auto-detection with 1-hour caching
- Add backend route POST /api/ps/apikey/chat for proxying chat through user's own API credentials
- Update login page with API Key login section (API Base URL + API Key + model detection + model list)
- Update chat.js to support API Key mode with dynamic model usage (selected_model)
- Update styles for API Key login UI (detect status, model list, etc.)
- Add smoke tests for new endpoints and dev_id login backward compatibility
- Security: API Key stored only in sessionStorage, never persisted on backend
Co-authored-by: qinfendebingshuo <207279273+qinfendebingshuo@users.noreply.github.com>