chore(MOC-65): v2.1.17 版本号 bump + release notes + 回填 16 个缺失版本

- bump 2.1.16→2.1.17: Cargo.toml / tauri.conf.json / Cargo.lock / codex_plugin_unlocker.rs / README 中英 footer
- 新增 release-notes/v2.1.17.md(单主题:tool_search 全链路 + MCP 可移植保险箱 + Usage 命中率 + Code Graph + 稳定性修复)
- 回填 16 个远端缺失的 release-notes/*.md(v2.0.1 / v2.0.9-11 / v2.1.0-6 / v2.1.9-12 / v2.1.16,照各自发布版式 verbatim)
- CHANGELOG 补 v2.1.16 + v2.1.17 两条

Refs MOC-65

Author: Cmochance

CHANGELOG.md

@@ -2,6 +2,27 @@
 
 逐版本要点。详细变更见 [GitHub Releases](https://github.com/Cmochance/codex-app-transfer/releases) 与 `release-notes/v*.md`。
 
+## v2.1.17 — 2026-05-29
+
+**tool_search 工具链打通 + MCP 授权可移植保险箱 + Usage 命中率 + Code Graph + 稳定性修复**:自 v2.1.16 起合入 16 个 PR。
+
+- **`tool_search` 工具链全链路**(#289 / #290 / #291 / #293 / MOC-48 #296):Codex 0.130+ 把 server-side MCP 工具 defer 到 `tool_search`、不再直接进 `tools[]`,代理此前会 silently drop;现 chat 路径打通(`tool_search_output` 发现工具 → 注入 chat `tools[]` → 按 `namespace` 路由回上游),新增 dropped-tools 计数器 dashboard + observability,README 兼容矩阵补说明
+- **MCP 授权可移植保险箱**(MOC-62 #307,默认开):Codex MCP OAuth 凭据改存可移植文件 `~/.codex/.credentials.json`(0o600)+ 在 `~/.codex` 之外维护镜像;整个凭据文件被切账号 / 误删 / 换机清掉时,下次启动弹确认从备份恢复,单个 server 的主动登出不复活;不解决 OAuth 自然过期,token 明文落盘(0o600)
+- **Usage 缓存命中率**(#305):按对话视图显示缓存命中率 + 逐轮命中率直方图;proxy 本地记录 `session → 真实上游模型`,模型列显示真实上游模型而非 `gpt-5.x` 占位
+- **Code Graph 自动生成 + Pages 部署**(MOC-52 #298 / #300 / #297):`cargo metadata` 生成交互式 crate 依赖图,GitHub Actions 直接部署 Pages(无 gh-pages 分支、不提交 main)
+- **稳定性修复**:`apply_patch` chat 长文档信封修复(#303)、启动防白屏 try-catch(#257)、`model_catalog.json` 自动同步(#266 / #287)、桌面宠物开关真正关闭(MOC-34 #286)、残留扫描启动竞态 + 致谢长度 CI 门禁 + 活跃度图单点态(MOC-54 #306)、fetch 失败修复(#285)
+
+完整改动:[v2.1.16...v2.1.17](https://github.com/Cmochance/codex-app-transfer/compare/v2.1.16...v2.1.17)。
+
+## v2.1.16 — 2026-05-26
+
+**Token 用量统计 + 启用按钮重启解耦**:新增 Usage tab 展示对话 token 用量,并把启用按钮跟重启 Codex Desktop 解耦。
+
+- **Usage tab**(MOC-15 / PR #280):sidebar 第 4 个入口,4 张顶部 KPI 卡 + 三视图(按日 / 按模型 / 按对话),ccusage 同款表格形态;用量解析层 vendor 自 [ryoppippi/ccusage](https://github.com/ryoppippi/ccusage)(MIT)
+- **解耦启用与重启 Codex**(MOC-20 / PR #282):Apply 现在只写配置 + toast,不再强制弹重启 modal,避免误点重启杀 Codex 进程丢对话上下文 / 草稿 / 思考
+
+完整改动:[v2.1.15...v2.1.16](https://github.com/Cmochance/codex-app-transfer/compare/v2.1.15...v2.1.16)。
+
 ## v2.1.15 — 2026-05-26
 
 **Codex Desktop UX 集成 + 通用 provider 修复综合更新**:本版主要把 transfer 跟 Codex Desktop 的集成面继续做深(主题 / context 圆环 / system prompts i18n / plugin-unlock 强化),同时收掉一批 per-provider reasoning / autocompact 真机暴露的 bug。

Cargo.lock

@@ -28,7 +28,7 @@ Codex App Transfer is a lightweight desktop config + forwarding tool for the **O
 
 After starting forwarding, Codex App talks to this tool at `127.0.0.1:18080`. Closing the window minimizes the app to the system tray; right-click the tray icon and choose "Exit" to fully quit.
 
-Current version **v2.1.16** (see [Changelog](CHANGELOG.md) and [Releases](https://github.com/Cmochance/codex-app-transfer/releases)).
+Current version **v2.1.17** (see [Changelog](CHANGELOG.md) and [Releases](https://github.com/Cmochance/codex-app-transfer/releases)).
 
 ## Preview
 

README.en.md

@@ -28,7 +28,7 @@ Codex App Transfer 是一个面向 **OpenAI Codex APP** 的轻量桌面配置 +
 
 启动转发后,Codex APP 通过本机 `127.0.0.1:18080` 与本工具通信。关闭窗口会缩到系统托盘继续运行,右键托盘"退出"才完全退出。
 
-当前版本 **v2.1.16**(详见 [Changelog](CHANGELOG.md) 与 [Releases](https://github.com/Cmochance/codex-app-transfer/releases))。
+当前版本 **v2.1.17**(详见 [Changelog](CHANGELOG.md) 与 [Releases](https://github.com/Cmochance/codex-app-transfer/releases))。
 
 ## 界面预览
 

README.md

@@ -0,0 +1,32 @@
+> ⚠️ **中间版本归档:v2.0.0 ~ v2.0.5 是从 Python 迁移到 Rust/Tauri 过程中的迭代版本,存在已知不稳定问题。**
+>
+> **不建议下载使用**。生产请用 [v2.0.6](https://github.com/Cmochance/codex-app-transfer/releases/tag/v2.0.6) 或退回 [v1.0.3](https://github.com/Cmochance/codex-app-transfer/releases/tag/v1.0.3) 稳定版。
+>
+> 本归档仅保留源代码和 release notes 用于历史回溯,不提供平台二进制(.dmg / .exe / .msi / .deb / .AppImage)。
+
+---
+
+# Codex App Transfer v2.0.1
+
+> 中间版本归档。详细 release notes 当时未单独维护,主要内容是 v2.0.0 → v2.0.1 的 release pipeline 修复(详见 PR / commits)。
+
+## 概要
+
+- 修复 v2.0.0 release pipeline 的 macOS ad-hoc 签名问题
+- 三平台 release pipeline(macOS / Windows / Linux)就绪
+
+详见 commits:`git log v2.0.0..v2.0.1` 或 GitHub commit 历史。
+
+
+## What's Changed
+* chore: Phase 2 — 切换 release pipeline 到 Tauri bundler + GH Actions by @Cmochance in https://github.com/Cmochance/codex-app-transfer/pull/3
+* fix(release): 修 PR #3 dispatch test 暴露的 3 个 release pipeline 问题 by @Cmochance in https://github.com/Cmochance/codex-app-transfer/pull/6
+* chore: Phase 3 — xtask 重写跨语言契约工具 by @Cmochance in https://github.com/Cmochance/codex-app-transfer/pull/4
+* chore: Phase 4 — README/migration-plan 收尾 + cleanup 归档 by @Cmochance in https://github.com/Cmochance/codex-app-transfer/pull/5
+* docs(readme): 邀请用户提 PR 协助完善 by @Cmochance in https://github.com/Cmochance/codex-app-transfer/pull/8
+* fix: align Responses reasoning schema and history repair by @cw881014 in https://github.com/Cmochance/codex-app-transfer/pull/7
+* ci: 拆 fast-check + 条件 tauri-check, 终结每 PR 都跑 7min apt by @Cmochance in https://github.com/Cmochance/codex-app-transfer/pull/9
+* chore(release): bump 2.0.0 → 2.0.1 准备 v2.0.1 release by @Cmochance in https://github.com/Cmochance/codex-app-transfer/pull/10
+
+
+**Full Changelog**: https://github.com/Cmochance/codex-app-transfer/compare/v2.0.0...v2.0.1

release-notes/v2.0.1.md

@@ -0,0 +1,82 @@
+## 🔥 关键修复:第三方 provider 协议路由 + 反爬 UA 注入
+
+**症状 (Kimi For Coding · Windows)**:`403 access_terminated_error`,而 macOS 同账号同 key 正常。
+
+**症状 (MiMo Token Plan · 全平台)**:404,请求直接打到 `https://token-plan-cn.xiaomimimo.com/responses`,**dashboard 显示 0 请求**(我们的代理也零日志)。
+
+**根因(三层叠加)**:
+
+(1) **`apiFormat == "responses"` 被误读为"上游原生 Responses 透传"**:历史代码据此把 `desktop_config_target_for_provider` 路由到 `direct_provider` 模式,直接把 Codex CLI 的 `openai_base_url` 写成第三方上游 → CLI 走 `/responses` 直连 → MiMo 等只懂 chat completions 的上游必 404,且**整条请求绕过代理零观测**。但 `ResponsesAdapter` 本质是 chat ↔ responses **协议转换器**,不是透传 —— 第三方原生 Responses 在 v2.x 不存在。
+
+(2) **fallback 全栈不一致**:8 处后端 / 前端 fallback 写 "responses",与 schema serde default + `AdapterRegistry::lookup` 的 "未知 → openai_chat" 矛盾,造成 v1.x 老配置升级 / 表单未填字段 → 落 responses → 触发 (1)。
+
+(3) **healing 识别条件覆盖不到真机配置**:旧 `heal_builtin_provider_fields` 仅对 `isBuiltin=true && id == preset.id` 生效,但实测真机配置全部 `isBuiltin=false`、id 是随机 hex(`b405e7b0` 等),完全跳过 healing → KimiCLI UA / authScheme / apiFormat 都没被注入 → Windows 端 Codex CLI 透传 `codex_cli_rs/...` UA → Kimi 反爬 403。
+
+**修法(三段)**:
+
+(1) **删 direct_provider 分支,所有 provider 永远走 local_proxy**;Responses↔Chat 协议转换由代理在本地完成。
+
+(2) **fallback 全栈统一为 `openai_chat`**:后端 (add+update+import) + 前端 (mapProvider/providerBody/getPresets/选预设/编辑) 共 8 处全改,与 schema default 对齐。
+
+(3) **healing 按 baseUrl 命中 preset**:`normalize_base_url` 做宽松匹配(去 scheme / 末尾 `/` / `/v\d+` / 大小写),preset 的 `baseUrl` + `baseUrlOptions[*].value` 统一索引;命中即视作该 preset,**强制覆盖** `apiFormat / authScheme / extraHeaders` + 把 `isBuiltin=true`,**不动** id / name / baseUrl / apiKey / models。admin 路径 heal 后**写回磁盘**根治旧残留。
+
+| Provider 场景 | v2.0.9 | v2.0.10 |
+|---|---|---|
+| MiMo Token Plan(任何集群) | ❌ 404 + 零观测 | ✓ 走代理 + 协议转换 |
+| Kimi For Coding · Windows | ❌ 403 反爬 | ✓ KimiCLI UA 强制注入 |
+| 老配置 / 用户手改坏 apiFormat | ❌ 散播错值 | ✓ 启动即根治 + 写盘 |
+| 用户自建反代(baseUrl 不命中) | ✓ 不动 | ✓ 不动 |
+
+---
+
+## 主线改动
+
+**(1) admin/handlers.rs 5229 行 → 13 模块拆分**(PR #54+#55):按职责切到 `common / desktop / providers/{crud,test,models,balance} / proxy / settings / feedback / update / mod`,_legacy 整体删除。无运行时行为变化,纯结构性 refactor,后续小改 / review 不再卡在巨型文件。
+
+**(2) Codex CLI 身份头出站剔除 + 默认 UA neutral 化**(PR #57):反向适配 Kimi / 通用反爬上游对客户端身份的检测;`originator / x-codex-* / x-openai-*` 等强制 strip,无 provider extras 指定时默认 UA 不再透传 `codex_cli_rs/...`。配合 healing 的 baseUrl 命中,Kimi For Coding 的 KimiCLI UA 现在能稳定注入。
+
+**(3) extra_headers 提交时校验 + 仓库 docs 结构整理**(PR #58+#56):前者把"运行时静默丢 header"(如 UA 字符串带换行 → resolver `HeaderValue::from_str` 失败)前移到保存时硬错;后者把 docs 按 setup / refactor / litellm / archive 分类。
+
+---
+
+## English
+
+## 🔥 Critical fixes: third-party provider protocol routing + anti-scraper UA injection
+
+**Symptom (Kimi For Coding · Windows)**: `403 access_terminated_error`; same account + key works on macOS.
+
+**Symptom (MiMo Token Plan · all platforms)**: 404, request hitting `https://token-plan-cn.xiaomimimo.com/responses` directly, **zero requests on the upstream dashboard** (and zero logs in our proxy).
+
+**Root cause (three layers)**:
+
+(1) **`apiFormat == "responses"` misread as "upstream-native Responses passthrough"**: legacy code routed `desktop_config_target_for_provider` to `direct_provider` mode, writing the third-party upstream straight into Codex CLI's `openai_base_url` → CLI calls `/responses` directly → MiMo and other chat-completions-only upstreams 404, with the **entire request bypassing our proxy and producing zero observability**. But `ResponsesAdapter` is really a chat ↔ responses **protocol converter** — third-party native Responses doesn't exist in v2.x.
+
+(2) **Inconsistent fallbacks across the stack**: 8 backend/frontend fallback sites wrote `"responses"`, contradicting the schema serde default + `AdapterRegistry::lookup` "unknown → openai_chat" rule.
+
+(3) **Healing didn't match real-world configs**: old `heal_builtin_provider_fields` only matched `isBuiltin=true && id == preset.id`, but real machine configs all had `isBuiltin=false` and random hex ids — healing was completely skipped → KimiCLI UA / authScheme / apiFormat were never injected → Codex CLI on Windows leaked its native `codex_cli_rs/...` UA → Kimi 403.
+
+**Fix (three parts)**:
+
+(1) **Drop the `direct_provider` branch — every provider always goes through `local_proxy`**; Responses ↔ Chat conversion happens locally in the proxy.
+
+(2) **Stack-wide fallback unified to `openai_chat`**: backend (add+update+import) + frontend (mapProvider / providerBody / getPresets / preset-pick / edit), 8 sites total.
+
+(3) **Healing matches presets via baseUrl**: `normalize_base_url` does loose matching (strip scheme / trailing `/` / trailing `/v\d+` / lowercase); `baseUrl` + `baseUrlOptions[*].value` indexed together; on hit, **force-overwrite** `apiFormat / authScheme / extraHeaders` + set `isBuiltin=true`, while **leaving** id / name / baseUrl / apiKey / models alone. Admin path **persists to disk** so legacy residue heals on first launch.
+
+| Provider scenario | v2.0.9 | v2.0.10 |
+|---|---|---|
+| MiMo Token Plan (any cluster) | ❌ 404 + zero observability | ✓ proxied + converted |
+| Kimi For Coding · Windows | ❌ 403 anti-scraper | ✓ KimiCLI UA force-injected |
+| Old config / hand-edited bad apiFormat | ❌ propagated bad value | ✓ healed at launch + persisted |
+| Self-built reverse proxy (baseUrl miss) | ✓ untouched | ✓ untouched |
+
+---
+
+## Mainline changes
+
+**(1) admin/handlers.rs 5229-line split → 13 modules** (PR #54 + #55): Sliced by responsibility into `common / desktop / providers/{crud,test,models,balance} / proxy / settings / feedback / update / mod`; `_legacy` entirely removed. No runtime behavior change.
+
+**(2) Codex-CLI identity headers stripped on outbound + neutral default UA** (PR #57): Adapts to Kimi / generic anti-scraper fingerprinting. `originator / x-codex-* / x-openai-*` etc. are force-stripped; when no UA in extras, the proxy no longer leaks `codex_cli_rs/...`. Combined with the healing baseUrl match, Kimi For Coding's KimiCLI UA injection is now stable.
+
+**(3) extra_headers validated at submit + docs cleanup** (PR #58 + #56): Moves "header silently dropped at runtime" (e.g. UA string with newline → `HeaderValue::from_str` fails) into hard error at save time; sorts docs into setup / refactor / litellm / archive subfolders.
+