From 870ed274359a4546e93fcf116e2af549aef9f00a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 21 May 2026 17:40:55 +0800 Subject: [PATCH] Add release notes (#3854) Co-authored-by: EndlessSeeker <153817598+EndlessSeeker@users.noreply.github.com> --- release-notes/2.2.2/README.md | 349 ++++++++++++++++++++++++++++++ release-notes/2.2.2/README_ZH.md | 351 +++++++++++++++++++++++++++++++ 2 files changed, 700 insertions(+) create mode 100644 release-notes/2.2.2/README.md create mode 100644 release-notes/2.2.2/README_ZH.md diff --git a/release-notes/2.2.2/README.md b/release-notes/2.2.2/README.md new file mode 100644 index 00000000..f2d67464 --- /dev/null +++ b/release-notes/2.2.2/README.md 
@@ -0,0 +1,349 @@ +# Higress + + +## 📋 Overview of This Release + +This release includes **37** updates, covering feature enhancements, bug fixes, performance optimizations, and more. + +### Distribution of Updates + +- **New Features**: 13 items +- **Bug Fixes**: 18 items +- **Documentation Updates**: 5 items +- **Testing Improvements**: 1 item + +--- + +## 📝 Full Change Log + +### 🚀 New Features (Features) + +- **Related PR**: [#3827](https://github.com/higress-group/higress/pull/3827) \ + **Contributor**: @rinfx \ + **Change Log**: Added the `modelToHeader` configuration option, with default value `x-higress-llm-model-final`; synchronously updates this header after parsing the `newModel` from the request body to ensure downstream logic such as rate limiting and metering aligns with the model mapping result; calls `DisableReroute` when reading the body to prevent routing conflicts. \ + **Feature Value**: Enhances model routing consistency and reliability, enabling fallback, model-based rate limiting, and metering features to accurately reflect the actual matched model; users gain more stable and precise model dispatching capabilities without modifying business logic, reducing the risk of policy deviation caused by header synchronization issues. + +- **Related PR**: [#3823](https://github.com/higress-group/higress/pull/3823) \ + **Contributor**: @johnlanni \ + **Change Log**: Introduced an nginx-rewrite-compatible WASM plugin that implements compatible parsing of Nginx `rewrite` + `set` semantics, securely executes rewriting logic within a WASM sandbox to avoid the CVE-2026-42945 heap overflow vulnerability, and supports path matching, variable capture, and substitution. \ + **Feature Value**: Enables Higress users to smoothly migrate existing Nginx rewrite rules while ensuring compatibility and eliminating critical security risks, lowering the refactoring cost and operational risk for legacy services transitioning from Nginx to Higress. 
+ +- **Related PR**: [#3820](https://github.com/higress-group/higress/pull/3820) \ + **Contributor**: @wydream \ + **Change Log**: Refactored the `/v1/messages` request handling for the Bedrock Provider: replaced the original two-layer protocol conversion chain (OpenAI → Converse) with direct connectivity to the native Bedrock Mantle Anthropic Messages API; added support for the Mantle endpoint, restructured request routing logic, and extended capability declarations. \ + **Feature Value**: Delivers lower latency, higher compatibility, and native Anthropic feature support (e.g., tool use, beta headers) for `/v1/messages` calls; avoids semantic loss and performance overhead associated with protocol translation, significantly improving the Bedrock integration experience and stability. + +- **Related PR**: [#3766](https://github.com/higress-group/higress/pull/3766) \ + **Contributor**: @rinfx \ + **Change Log**: Added support for cached token usage (`CacheReadInputTokens`) in the streaming response transformation logic from OpenAI to Claude; modified core transformer code and added corresponding unit test cases to ensure the Claude compatibility layer accurately conveys cached token count information. \ + **Feature Value**: Enables AI agents to correctly report input token savings resulting from cache hits when invoking Claude models, helping users precisely monitor and optimize API costs; simultaneously improves transparency and billing consistency across multi-model metering, enhancing enterprise-grade usage analytics capabilities. 
+ +- **Related PR**: [#3748](https://github.com/higress-group/higress/pull/3748) \ + **Contributor**: @zat366 \ + **Change Log**: Added the `enable_path_suffixes` configuration option to the `QuotaConfig` struct to support custom path suffix matching; updated configuration parsing logic to handle default values; modified the `getOperationMode` function to accommodate the new path suffix logic; enhanced test coverage for the new configuration and its impact on operation modes. \ + **Feature Value**: Allows users to flexibly define API path suffix matching rules per business requirements, increasing quota control precision and adaptability; administrators can manage quota policies for different AI service paths with finer granularity, enhancing plugin applicability and maintainability across diverse scenarios. + +- **Related PR**: [#3742](https://github.com/higress-group/higress/pull/3742) \ + **Contributor**: @wydream \ + **Change Log**: Added KlingAI provider support, featuring official AK/SK JWT authentication and third-party gateway static Bearer token authentication modes, covering both OpenAI-compatible and native Kling protocols, and enabling full interface capabilities including text-to-video and image-to-video generation. \ + **Feature Value**: Users can directly invoke KlingAI video generation capabilities via the AI proxy service without implementing JWT signing or adapting to various gateways—significantly lowering the integration barrier and expanding platform support for AIGC video-generation models. + +- **Related PR**: [#3739](https://github.com/higress-group/higress/pull/3739) \ + **Contributor**: @johnlanni \ + **Change Log**: Added the `replace` configuration option to the `ai-prompt-decorator` plugin, supporting ordered, role-conditioned text replacement in the `content` field of the final assembled `messages`, using either literal strings or RE2 regular expressions, enhancing dynamic request content rewriting capabilities. 
\ + **Feature Value**: Enables users to flexibly implement text processing needs—including sensitive word filtering, brand term normalization, and placeholder desensitization—without modifying business logic, improving the AI gateway’s adaptability in compliance, security, and multi-tenant scenarios. + +- **Related PR**: [#3738](https://github.com/higress-group/higress/pull/3738) \ + **Contributor**: @JianweiWang \ + **Change Log**: Added configurable fallback JSON paths for response content extraction (`responseContentFallbackJsonPaths` and `responseStreamContentFallbackJsonPaths`) to the `ai-security-guard` plugin, supporting non-OpenAI formats such as Anthropic Claude; when the primary path yields an empty result, fallback paths are attempted sequentially, automatically skipping any fallback path identical to the primary one. \ + **Feature Value**: Enhances plugin compatibility and robustness, allowing users to perform content safety checks against diverse LLMs (e.g., Claude) without code changes—reducing multi-model adaptation effort and ensuring stable, accurate response content extraction. + +- **Related PR**: [#3734](https://github.com/higress-group/higress/pull/3734) \ + **Contributor**: @CH3CHO \ + **Change Log**: Added existence check for the `patch` command in the `build-envoy.sh` script; triggers early failure if missing; also optimized error handling during `build-envoy.patch` application to prevent silent Bazel dependency errors caused by unexecuted patches. \ + **Feature Value**: Significantly improves observability and robustness of the Envoy build process; users receive immediate, clear error messages if the `patch` command is absent, drastically lowering debugging effort and environment configuration troubleshooting costs. 
+ +- **Related PR**: [#3724](https://github.com/higress-group/higress/pull/3724) \ + **Contributor**: @wydream \ + **Change Log**: Added Qwen rerank and conversations API path support to the AI Proxy plugin, extending path mapping rules, API name constants, and Qwen-specific routing logic; supplemented comprehensive regression test cases covering path recognition and provider routing functionality. \ + **Feature Value**: Users can invoke Qwen’s reranking and conversational capabilities via standard-compatibility interfaces, improving unified multi-model service access experiences; broadens AI Proxy support for domestic large language models (Qwen), lowering business integration barriers and boosting routing accuracy. + +- **Related PR**: [#3700](https://github.com/higress-group/higress/pull/3700) \ + **Contributor**: @wydream \ + **Change Log**: Added the `cooldownDuration` configuration option to the `ai-proxy` failover mechanism, enabling automatically restored API keys after a specified millisecond cooldown period—eliminating dependency on real requests for health checking and reducing token consumption and configuration complexity. \ + **Feature Value**: Empowers users to manage API key availability more flexibly, mitigating long-term unavailability risks due to rate limiting, saving invocation costs, and simplifying failover configuration to enhance system stability and operational efficiency. + +- **Related PR**: [#3694](https://github.com/higress-group/higress/pull/3694) \ + **Contributor**: @CH3CHO \ + **Change Log**: Added configurable forwarding capability for attributes in external authorization requests, supporting transparent transmission of key contextual fields such as `route_name` and `cluster_name`; implemented via extension of the `AuthorizationRequest` struct with an `AllowedProperties` field, alongside updates to configuration parsing logic and SDK dependencies. 
\ + **Feature Value**: Enables users to access richer Envoy gateway context information in external authorization services, improving the precision and flexibility of authorization policies and facilitating fine-grained access control based on dimensions like route and cluster—lowering customization development costs. + +- **Related PR**: [#3690](https://github.com/higress-group/higress/pull/3690) \ + **Contributor**: @JianweiWang \ + **Change Log**: Added support for sensitive data masking, enabling desensitization and replacement of sensitive fields in API responses via the `riskAction` configuration (`block`/`mask`); introduced new dimension types—`customLabel`, `maliciousFile`, and `waterMark`—and added dimension-level action configuration to improve risk mitigation flexibility. \ + **Feature Value**: Allows dynamic desensitization of sensitive information without service interruption, strengthening AI application compliance capabilities; multi-dimensional, fine-grained risk control strategies enable more precise content security governance—reducing false positives and satisfying regulatory requirements across diverse business scenarios. + +### 🐛 Bug Fixes (Bug Fixes) + +- **Related PR**: [#3829](https://github.com/higress-group/higress/pull/3829) \ + **Contributor**: @CH3CHO \ + **Change Log**: Fixed a typo in the JSON/YAML tag for the `apiTokens` field in the `ProviderConfig` struct within the `ai-proxy` plugin, correcting it to the proper format to ensure correct configuration parsing and serialization. \ + **Feature Value**: Prevents configuration parsing failures or incorrect loading of API tokens caused by erroneous field tags, enhancing the stability and reliability of the AI proxy service and enabling users to seamlessly configure and utilize authentication credentials for various AI providers. 
+ +- **Related PR**: [#3801](https://github.com/higress-group/higress/pull/3801) \ + **Contributor**: @CH3CHO \ + **Change Log**: Fixed logging issues during `EnvoyFilter` construction regarding unsupported upstream protocols, by adding missing formatting parameters to ensure warning logs correctly display the protocol type and context. \ + **Feature Value**: Improves debugging and operational observability, enabling users to accurately identify unsupported protocols and their locations upon misconfiguration—reducing troubleshooting time and enhancing Ingress gateway configuration robustness and maintainability. + +- **Related PR**: [#3799](https://github.com/higress-group/higress/pull/3799) \ + **Contributor**: @Betula-L \ + **Change Log**: Fixed an issue where empty input objects (`input:{}`) in Claude tool calls were unexpectedly omitted during internal bridge conversion to Bedrock Converse format; addressed via adjustments to struct field JSON tags and expanded test coverage to ensure empty maps are preserved correctly. \ + **Feature Value**: Ensures Claude messages using parameterless tools are accurately relayed to the underlying Bedrock service, preventing tool call failures or abnormal behavior caused by missing inputs—improving AI proxy compatibility and reliability in multi-model adaptation scenarios. + +- **Related PR**: [#3788](https://github.com/higress-group/higress/pull/3788) \ + **Contributor**: @Betula-L \ + **Change Log**: Fixed structural data loss in Bedrock Claude inference blocks during `ai-proxy` protocol bridging by refactoring the `convertEventFromBedrockToOpenAI` logic and introducing `redactedBlockIndexes` state management—ensuring `reasoningContent` remains within native Anthropic message blocks rather than being merged into plain text. 
\ + **Feature Value**: Users invoking Bedrock Claude models will correctly receive structured reasoning blocks (e.g., `...`), avoiding accidental exposure of reasoning processes to end users—enhancing response semantic integrity and compatibility, and guaranteeing Anthropic Messages API specification–compliant interactions. + +- **Related PR**: [#3786](https://github.com/higress-group/higress/pull/3786) \ + **Contributor**: @Betula-L \ + **Change Log**: Fixed incorrect mapping between `contentBlockIndex` in Bedrock Claude streaming responses and `tool_calls[].index` in OpenAI format, properly handling index misalignment for parallel tool calls and refining `tool_choice` parameter conversion logic to preserve semantic consistency and ordering fidelity in streaming tool calls within `ai-proxy`. \ + **Feature Value**: Users performing parallel multi-tool calls with Bedrock Claude models will receive accurate, predictable streaming `tool_calls` indices and correctly triggered `tool_choice` behaviors—preventing tool execution disorder or loss and significantly enhancing production-environment compatibility and reliability. + +- **Related PR**: [#3779](https://github.com/higress-group/higress/pull/3779) \ + **Contributor**: @CH3CHO \ + **Change Log**: Fixed an issue where certain controller logs continued outputting as plaintext despite enabling the `--log_as_json` flag; resolved by uniformly replacing log package imports with `istio.io/istio/pkg/log`, ensuring all components use the same JSON logging implementation. \ + **Feature Value**: Improves log format consistency and observability, facilitating centralized collection, parsing, and analysis of Higress controller logs in environments like Kubernetes—reducing operational troubleshooting cost and strengthening production log standardization. 
+ +- **Related PR**: [#3777](https://github.com/higress-group/higress/pull/3777) \ + **Contributor**: @wydream \ + **Change Log**: Fixed API key injection issues for Vertex AI Express Mode’s raw REST endpoints in the `ai-proxy` plugin, expanding regex patterns to match Express Mode URLs lacking `/projects/{project}/locations/{location}` path segments and adding test cases validating request header processing logic. \ + **Feature Value**: Enables users to correctly invoke simplified Vertex AI Express Mode REST interfaces (e.g., `streamGenerateContent`) without manually constructing complex paths, enhancing proxy compatibility and usability—and avoiding 401 authentication failures caused by missing key injection. + +- **Related PR**: [#3770](https://github.com/higress-group/higress/pull/3770) \ + **Contributor**: @CH3CHO \ + **Change Log**: Fixed inability to skip TLS certificate verification for HTTPS upstream connections by adding configuration support for certificate verification bypass in `upstreamtls.go`, and supplementing protobuf and `google.golang.org` dependencies in test files to support unit testing of the new capability. \ + **Feature Value**: Enables Higress to support HTTPS upstream services using self-signed certificates, resolving connection failures arising from untrusted certificates in enterprise internal or testing environments—improving deployment flexibility and compatibility. + +- **Related PR**: [#3765](https://github.com/higress-group/higress/pull/3765) \ + **Contributor**: @wydream \ + **Change Log**: Fixed `ai-proxy` support for Azure OpenAI v1 service URLs by adding recognition and routing logic for `/openai/v1` and subpaths, accommodating the new URL format without `api-version` parameters, while retaining `api-version` validation logic for legacy deployment URLs. 
\ + **Feature Value**: Enables users to seamlessly integrate with Azure OpenAI’s latest v1 REST API standard without manually appending `api-version`, enhancing configuration flexibility and service compatibility—reducing request failure rates due to URL format changes and strengthening proxy stability and usability. + +- **Related PR**: [#3757](https://github.com/higress-group/higress/pull/3757) \ + **Contributor**: @srpatcha \ + **Change Log**: Added nil checks, safe type assertions, and panic protection mechanisms to fix multiple potential nil pointer dereferences and type assertion failures; additionally optimized regex compilation logic in WASM plugins to prevent runtime panics. \ + **Feature Value**: Significantly improves gateway stability and robustness, preventing service crashes due to anomalous inputs or misconfigurations; users benefit from a more reliable API gateway experience, lowering online failure rates and operational overhead. + +- **Related PR**: [#3756](https://github.com/higress-group/higress/pull/3756) \ + **Contributor**: @wydream \ + **Change Log**: Fixed loss of `thinking`/`redacted_thinking` content blocks during `/v1/messages` to OpenAI `chat/completions` request transformation for Claude, enhanced transmission of tool-call reasoning context, and introduced `preserve_thinking` and `promote_thinking_on_empty` configuration options for provider-level compatibility control. \ + **Feature Value**: Ensures AI proxies backed by Claude correctly convey complete chain-of-thought information to models supporting `reasoning_content` (e.g., Qwen), while avoiding compatibility breakage for strict-standard providers like OpenAI/Azure—improving functional consistency and reliability in multi-model routing scenarios. 
+ +- **Related PR**: [#3733](https://github.com/higress-group/higress/pull/3733) \ + **Contributor**: @wydream \ + **Change Log**: Fixed compatibility issues with non-standard upstream responses in Claude streaming transformations: correctly handles empty-string `finish_reason`, prevents duplicate triggering of `message_stop` due to `usage`, and avoids processing redundant chunks after `message_stop` to prevent event reordering. \ + **Feature Value**: Enhances AI proxy stability and reliability in multi-vendor compatibility scenarios, preventing streaming response interruptions or disorder—ensuring users receive complete, chronologically ordered Claude-style SSE streams and improving the overall LLM invocation experience. + +- **Related PR**: [#3731](https://github.com/higress-group/higress/pull/3731) \ + **Contributor**: @JianweiWang \ + **Change Log**: Removed the mandatory fallback interception logic for `Suggestion=block` in the AI Security Guard, replacing it with unified risk-dimension–based threshold evaluation; modified core assessment logic in `config.go` and updated multiple test cases to accurately cover threshold-driven `RiskBlock` decision paths. \ + **Feature Value**: Improves risk interception accuracy and configurability, preventing unintended blocking caused by misconfigured `Suggestion=block`; users now exert precise control over interception behavior via thresholds—enhancing policy transparency, debuggability, and reducing false positive rates. + +- **Related PR**: [#3722](https://github.com/higress-group/higress/pull/3722) \ + **Contributor**: @wydream \ + **Change Log**: Migrated Qwen-compatible response endpoint path from the deprecated legacy URL `/api/v2/apps/protocols/compatible-mode/v1/responses` to the new official path `/compatible-mode/v1/responses`, updating path constants and assertions in `provider/qwen.go` and test files to ensure continued valid interface invocation by the AI proxy. 
\ + **Feature Value**: Prevents service disruption caused by Qwen (DashScope) deprecation of the legacy API path, safeguarding stability and continuity of Qwen model invocation via `ai-proxy`—enabling seamless transition to the new interface without client-side code changes. + +- **Related PR**: [#3695](https://github.com/higress-group/higress/pull/3695) \ + **Contributor**: @wydream \ + **Change Log**: Fixed missing API Key authentication in Vertex Raw Express Mode by appending the API Key to the URL query string in `OnRequestBody` and cleaning the `Authorization` header; also resolved global authentication header leakage and URL construction logic defects in Express Mode. \ + **Feature Value**: Enables Vertex Raw Express Mode to authenticate correctly against Google Vertex AI services via API Key—preventing 401 errors; improves proxy stability and compatibility, ensuring users can reliably invoke large language model APIs in this mode. + +- **Related PR**: [#3682](https://github.com/higress-group/higress/pull/3682) \ + **Contributor**: @CH3CHO \ + **Change Log**: Fixed absence of `TARGET_ARCH` validity checking in the `golang-filter` during `build-gateway-local`, by introducing a `VALID_ARCHS` whitelist and error-checking logic in `Makefile.core.mk`—supporting only `amd64` and `arm64`, preventing build failures or erroneous binaries from invalid architecture parameters. \ + **Feature Value**: Enhances robustness and maintainability of multi-architecture builds, preventing silent build errors or runtime anomalies due to invalid `TARGET_ARCH` values (e.g., `x86`, `ppc64le`); guarantees correct compilation and deployment of the Higress gateway across diverse CPU architectures. 
+ +- **Related PR**: [#3576](https://github.com/higress-group/higress/pull/3576) \ + **Contributor**: @Jing-ze \ + **Change Log**: Fixed stale `ROUTE_NAME` attribute returning outdated route names post-reroute in WASM contexts, by correcting the `StreamInfoImpl::getRouteName()` invocation logic in Envoy 1.36 to ensure fresh route names are retrieved after `clearRouteCache`. \ + **Feature Value**: Ensures WASM plugins correctly match rules following rerouting, preventing `matchRule` failures due to stale route names—improving routing policy execution accuracy and stability, which is critical for user features relying on dynamic route matching. + +- **Related PR**: [#3425](https://github.com/higress-group/higress/pull/3425) \ + **Contributor**: @CH3CHO \ + **Change Log**: Added a default value (`higress-registry.cn-hangzhou.cr.aliyuncs.com/higress`) to the `HUB` argument in `Dockerfile.higress`, eliminating build-time warnings when `HUB` is not explicitly provided, while preserving backward compatibility: explicitly passed values retain precedence. \ + **Feature Value**: Removes redundant warnings during Docker builds, improving CI/CD pipeline readability and stability; users can complete local builds without specifying the `HUB` parameter—lowering entry barriers and maintenance costs. + +### 📚 Documentation Updates (Documentation) + +- **Related PR**: [#3830](https://github.com/higress-group/higress/pull/3830) \ + **Contributor**: @EndlessSeeker \ + **Change Log**: Added OpenSSF Best Practices badges to README files in English, Chinese, and Japanese versions, embedded via Markdown image links pointing to the project’s assessment page on the OpenSSF Best Practices platform—enhancing project compliance and credibility visibility. 
\ + **Feature Value**: Strengthens project transparency and trustworthiness, enabling users to quickly assess Higress’ adherence to open-source best practices in security and maintainability—boosting community and enterprise user confidence and adoption willingness. + +- **Related PR**: [#3764](https://github.com/higress-group/higress/pull/3764) \ + **Contributor**: @EndlessSeeker \ + **Change Log**: Updated `SECURITY.md`, `CONTRIBUTING` series documentation, and added `GOVERNANCE.md`, formalizing vulnerability reporting procedures, defining security response SLAs and teams, and clarifying CNCF governance models—meeting CNCF Sandbox and OpenSSF Best Practices certification requirements. \ + **Feature Value**: Elevates project security compliance and transparency, providing users with standardized channels and response commitments for security issues—strengthening enterprise user trust; simultaneously enhances multilingual contribution guidelines, lowering global developer participation barriers and promoting healthy, sustainable community growth. + +- **Related PR**: [#3754](https://github.com/higress-group/higress/pull/3754) \ + **Contributor**: @johnlanni \ + **Change Log**: Added a top-level `MAINTAINERS.md` file listing current Higress project maintainers, including maintainer responsibility descriptions and CNCF Sandbox compliance statements—providing essential governance documentation required for CNCF sandbox onboarding. \ + **Feature Value**: Enhances project transparency and community governance standardization, assisting external contributors in identifying core maintenance teams, accelerating CNCF sandbox certification, and laying foundations for future maintainer transitions and permission management—bolstering user confidence in the project’s long-term stability. 
+ +- **Related PR**: [#3730](https://github.com/higress-group/higress/pull/3730) \ + **Contributor**: @CH3CHO \ + **Change Log**: Updated English and Chinese README files to align with the latest configuration parsing logic, correcting contradictory defaults, inaccurate path descriptions, and unclear string concatenation formats, and removing outdated build instructions (e.g., `tinygo` requirements). \ + **Feature Value**: Improves documentation accuracy and consistency, preventing plugin activation failures stemming from obsolete or erroneous configuration examples; synchronized bilingual documentation lowers comprehension barriers for multilingual users—enhancing AI caching plugin usability and reliability. + +- **Related PR**: [#3696](https://github.com/higress-group/higress/pull/3696) \ + **Contributor**: @github-actions[bot] \ + **Change Log**: Added bilingual release notes files for version 2.2.1 (`README.md` and `README_ZH.md`), automatically summarizing 65 updates spanning new features, bug fixes, refactorings, optimizations, and documentation improvements—with categorical statistics. \ + **Feature Value**: Provides users with a well-structured, multilingual overview of version changes, accelerating understanding of upgrade benefits and impact scope—enhancing transparency and maintainability and lowering upgrade decision-making costs. + +### 🧪 Testing Improvements (Testing) + +- **Related PR**: [#3790](https://github.com/higress-group/higress/pull/3790) \ + **Contributor**: @Jing-ze \ + **Change Log**: Expanded integration test coverage for the AI Proxy WASM plugin, including boundary cases for configuration parsing, streaming response body handling, failover verification, and utility function testing; added `export_test.go` to expose internal functions for testing purposes—significantly improving WASM environment test completeness. 
\ + **Feature Value**: Strengthens stability and compatibility assurance for the AI Proxy plugin across diverse WASM runtimes and AI service providers, lowering risks of service interruption arising from configuration anomalies or network failures—enhancing reliability and maintainability for production deployments. + +--- + +## 📊 Release Statistics + +- 🚀 New Features: 13 items +- 🐛 Bug Fixes: 18 items +- 📚 Documentation Updates: 5 items +- 🧪 Testing Improvements: 1 item + +**Total**: 37 changes + +Thank you to all contributors for your hard work! 🎉 + +# Higress Console + + +## 📋 Overview of This Release + +This release includes **18** updates, covering feature enhancements, bug fixes, performance optimizations, and more. + +### Distribution of Updates + +- **New Features**: 7 items +- **Bug Fixes**: 9 items +- **Documentation Updates**: 2 items + +--- + +## 📝 Full Change Log + +### 🚀 New Features (Features) + +- **Related PR**: [#621](https://github.com/higress-group/higress-console/pull/621) \ + **Contributor**: @Thomas-Eliot \ + **Change Log**: Enhanced MCP Server interaction capabilities: added support for automatic `Host` header rewriting for DNS backends; improved transport protocol selection and full-path configuration in direct routing scenarios; enhanced parsing of special characters (e.g., `@`) in DSNs for DB-to-MCP Server scenarios. \ + **Feature Value**: Improves flexibility and compatibility of MCP Server integration, enabling users to connect more easily to backend services deployed in diverse environments, reducing configuration complexity, and preventing connectivity issues caused by path prefix misinterpretation or DSN parsing failures. 
+ +- **Related PR**: [#608](https://github.com/higress-group/higress-console/pull/608) \ + **Contributor**: @Libres-coder \ + **Change Log**: Added plugin visibility functionality to the AI Route Management page: supports expanding rows to view enabled plugins and displays an `'Enabled'` badge on the configuration page; extended `PluginList` component logic to support `AI_ROUTE`-type queries, and enhanced cleanup of i18n language-change listeners in `route.tsx`. \ + **Feature Value**: Users can now intuitively view plugins enabled for AI routes, aligning the experience with that of conventional route management—improving maintainability and observability of AI route configurations; unified UI interactions reduce learning overhead and enhance completeness of platform support for AI use cases. + +- **Related PR**: [#604](https://github.com/higress-group/higress-console/pull/604) \ + **Contributor**: @CH3CHO \ + **Change Log**: Introduced support for regex-based path rewriting via the `higress.io/rewrite-target` annotation, extended Kubernetes annotation constants, route transformation logic, and front-end/back-end internationalized copy, thereby increasing routing match flexibility. \ + **Feature Value**: Enables precise control over path rewriting behavior using regular expressions, meeting complex routing requirements such as dynamic path parameter extraction and mapping—significantly enhancing the expressiveness of gateway configuration and its adaptability to business needs. + +- **Related PR**: [#603](https://github.com/higress-group/higress-console/pull/603) \ + **Contributor**: @CH3CHO \ + **Change Log**: Added the constant `STATIC_SERVICE_PORT = 80` to the static service source form component and explicitly displays this fixed port in the UI, making users clearly aware that static services default to port 80—improving configuration transparency and predictability. 
\ + **Feature Value**: Users configuring static service sources can immediately see that the default port is 80, avoiding configuration errors or debugging difficulties caused by port misconceptions—lowering entry barriers and improving deployment efficiency and consistency of user experience. + +- **Related PR**: [#602](https://github.com/higress-group/higress-console/pull/602) \ + **Contributor**: @CH3CHO \ + **Change Log**: Added a search function to the upstream service selection component in AI route configuration; extended the `Select` component logic in `index.tsx` to enable real-time searching and filtering across large numbers of upstream services—improving configuration efficiency and accuracy. \ + **Feature Value**: Users can quickly locate target upstream services when configuring AI routes instead of manually scrolling through long lists—significantly reducing configuration error rates, especially in complex AI gateway scenarios with dozens or more services—enhancing both operational and development efficiency. + +- **Related PR**: [#566](https://github.com/higress-group/higress-console/pull/566) \ + **Contributor**: @OuterCyrex \ + **Change Log**: Added support for Tongyi Qwen large language model (LLM) services, including custom service endpoint configuration, Internet search toggle, and file ID upload; implemented `QwenLlmProviderHandler` on the backend and added multilingual support and provider form adaptation on the frontend. \ + **Feature Value**: Enables flexible integration with self-hosted or cloud-based Qwen services, supporting search augmentation and file context injection—improving compatibility and extensibility of the AI gateway for domestic LLMs and lowering enterprise private-deployment barriers. 
+ +- **Related PR**: [#552](https://github.com/higress-group/higress-console/pull/552) \ + **Contributor**: @lcfang \ + **Change Log**: Introduced the `VPort` virtual port attribute, extending MCP Bridge registry configuration capabilities; added the `vport` field and corresponding CRD model to `ServiceSource`, enabling uniform specification of default backend ports for service instances—resolving routing failures caused by inconsistent actual port numbers across instances registered in Eureka/Nacos registries. \ + **Feature Value**: Allows users to explicitly declare a virtual port during service discovery configuration, ensuring routing rules remain resilient to backend port changes—preventing traffic disruptions due to dynamic instance port changes, thus improving microservice governance stability and operational predictability. + +### 🐛 Bug Fixes (Bug Fixes) + +- **Related PR**: [#620](https://github.com/higress-group/higress-console/pull/620) \ + **Contributor**: @CH3CHO \ + **Change Log**: Fixed a spelling error in the `sortWasmPluginMatchRules` logic—corrected variable names or logical typos causing potential behavioral anomalies during matching rule sorting—ensuring WASM plugin matching rules are sorted by priority as intended. \ + **Feature Value**: Prevents incorrect rule ordering caused by typographical errors, guaranteeing that WASM plugins take effect in Kubernetes strictly according to user-specified priorities—enhancing reliability and consistency of plugin routing and policy enforcement. + +- **Related PR**: [#619](https://github.com/higress-group/higress-console/pull/619) \ + **Contributor**: @CH3CHO \ + **Change Log**: Fixed duplicate version information storage when converting `AiRoute` to `ConfigMap`: removed the `version` field from the `data` JSON payload, retaining it exclusively in the `ConfigMap` metadata—to eliminate data redundancy and potential inconsistency. 
\ + **Feature Value**: Improves accuracy and consistency of configuration management, preventing parsing errors or deployment anomalies caused by duplicated version fields—enhancing system stability and maintainability, delivering direct benefits to users managing route configurations via Kubernetes `ConfigMap`. + +- **Related PR**: [#618](https://github.com/higress-group/higress-console/pull/618) \ + **Contributor**: @CH3CHO \ + **Change Log**: Refactored API authentication logic in `SystemController`, introducing an `AllowAnonymous` annotation mechanism to uniformly handle unauthenticated endpoints—replacing hard-coded whitelisting checks—thereby improving maintainability and security of authentication logic. \ + **Feature Value**: Resolves potential security vulnerabilities in the system controller that could allow unauthorized access to sensitive API endpoints—enhancing overall platform security, safeguarding user data and system resources from illicit calls, and strengthening compliance and trustworthiness in enterprise production environments. + +- **Related PR**: [#617](https://github.com/higress-group/higress-console/pull/617) \ + **Contributor**: @CH3CHO \ + **Change Log**: Fixed missing unique `key` props in front-end list rendering (triggering React warnings), resolved Content Security Policy (CSP) blocking of external image loading, and corrected a type definition error for the `Consumer.name` field (erroneously typed as `boolean` instead of `string`)—improving component robustness and type safety. \ + **Feature Value**: Eliminates console warnings and image-loading failures, improving developer experience and debugging efficiency; corrects interface type definitions to prevent runtime type errors—enhancing application stability and developer collaboration reliability, delivering smoother, warning-free UI interactions for end users. 
+ +- **Related PR**: [#614](https://github.com/higress-group/higress-console/pull/614) \ + **Contributor**: @lc0138 \ + **Change Log**: Fixed a type definition error for the `type` field (indicating service source) in the `ServiceSource` class and added validation logic for dictionary values—ensuring incoming registry types belong exclusively to a predefined valid set—to prevent illegal values from triggering runtime exceptions. \ + **Feature Value**: Enhances robustness and security of service source configuration, preventing service registration failure or system exceptions due to invalid `type` field values—ensuring stable, predictable behavior when configuring various service registries. + +- **Related PR**: [#613](https://github.com/higress-group/higress-console/pull/613) \ + **Contributor**: @lc0138 \ + **Change Log**: Fixed missing Content Security Policy (CSP) configuration on the front end—added a meta tag in `document.tsx` to declare the security policy—mitigating risks such as XSS attacks and strengthening security controls over page resource loading and script execution. \ + **Feature Value**: Enhances front-end application security posture, effectively mitigating common web threats like cross-site scripting (XSS)—safeguarding user data and interactions, fulfilling enterprise-level security compliance requirements, and reinforcing end-user trust. + +- **Related PR**: [#612](https://github.com/higress-group/higress-console/pull/612) \ + **Contributor**: @zhwaaaaaa \ + **Change Log**: Added logic in `DashboardServiceImpl` to ignore hop-to-hop HTTP headers (e.g., `Transfer-Encoding: chunked`) per RFC 2616 Section 13.5.1—preventing reverse proxy forwarding anomalies caused by illegal pass-through of hop-to-hop headers, which previously broke Grafana dashboard rendering. 
\ + **Feature Value**: Resolves Grafana console page loading failures caused by reverse proxies forwarding hop-to-hop headers like `Transfer-Encoding: chunked`—improving console stability and user experience and ensuring reliable availability of monitoring integration features. + +- **Related PR**: [#609](https://github.com/higress-group/higress-console/pull/609) \ + **Contributor**: @CH3CHO \ + **Change Log**: Fixed a type error in the `Consumer` interface where the `name` field was incorrectly declared as `boolean`; corrected it to `string` to ensure alignment between front-end data structures and actual back-end response payloads—avoiding runtime errors or TypeScript compilation warnings caused by type mismatches. \ + **Feature Value**: Enhances type safety and front-end/back-end data consistency—preventing UI rendering anomalies or flawed logic decisions due to field-type mismatches—boosting application stability, reducing developer debugging effort, and improving overall development experience. + +- **Related PR**: [#605](https://github.com/higress-group/higress-console/pull/605) \ + **Contributor**: @SaladDay \ + **Change Log**: Corrected the front-end form validation regex for AI route names to support periods (`.`) while restricting characters to lowercase letters only; synchronized English and Chinese error message texts to ensure UI prompts precisely reflect actual validation logic. \ + **Feature Value**: Resolves issues where users’ AI routes were erroneously rejected or inaccurately warned about names containing periods—improving form usability and user experience; strict alignment between validation rules and UI guidance reduces user cognitive load and operation failure rates. 
+ +### 📚 Documentation Updates (Documentation) + +- **Related PR**: [#611](https://github.com/higress-group/higress-console/pull/611) \ + **Contributor**: @qshuai \ + **Change Log**: Corrected API endpoint annotations in `LlmProvidersController` for newly added LLM provider methods—replaced inaccurate summary `'Add a new route'` with a title accurately reflecting functionality—ensuring generated API documentation (e.g., Swagger) correctly describes actual behavior. \ + **Feature Value**: Improves API documentation accuracy and developer experience—preventing misunderstandings by front-end or client developers caused by misleading summaries; enhances professionalism and maintainability of console API docs for users, reducing integration and debugging costs. + +- **Related PR**: [#610](https://github.com/higress-group/higress-console/pull/610) \ + **Contributor**: @heimanba \ + **Change Log**: Updated `frontend-gray` plugin documentation to mark `rewrite`, `backendVersion`, and `enabled` fields as optional; updated the `rules.name` association path to `grayDeployments[].name`; and synchronized field descriptions and terminology in both English and Chinese `README`s and `spec.yaml`—ensuring configuration guidance accurately reflects the latest design for enhanced flexibility. \ + **Feature Value**: Improves compatibility and usability of gray-scale configurations—lowering user configuration barriers; precise field descriptions and consistent terminology reduce misunderstandings and configuration errors—helping developers adopt front-end gray-scale features more efficiently and accurately. + +--- + +## 📊 Release Statistics + +- 🚀 New Features: 7 items +- 🐛 Bug Fixes: 9 items +- 📚 Documentation Updates: 2 items + +**Total**: 18 changes + +Thanks to all contributors for their hard work! 🎉 + diff --git a/release-notes/2.2.2/README_ZH.md b/release-notes/2.2.2/README_ZH.md new file mode 100644 index 00000000..7361ac44 --- /dev/null +++ b/release-notes/2.2.2/README_ZH.md 
@@ -0,0 +1,351 @@ +# Higress + + +## 📋 本次发布概览 + +本次发布包含 **37** 项更新,涵盖了功能增强、Bug修复、性能优化等多个方面。 + +### 更新内容分布 + +- **新功能**: 13项 +- **Bug修复**: 18项 +- **文档更新**: 5项 +- **测试改进**: 1项 + +--- + +## 📝 完整变更日志 + +### 🚀 新功能 (Features) + +- **Related PR**: [#3827](https://github.com/higress-group/higress/pull/3827) \ + **Contributor**: @rinfx \ + **Change Log**: 新增modelToHeader配置项,默认值为x-higress-llm-model-final;在请求体解析出newModel后同步更新该header,确保限流/计量等下游逻辑与模型映射结果一致;读取body时调用DisableReroute避免路由冲突。 \ + **Feature Value**: 提升模型路由一致性与可靠性,使fallback、按模型限流和计量等功能准确反映实际匹配模型;用户无需修改业务逻辑即可获得更稳定精准的模型分发能力,降低因header不同步导致的策略偏差风险。 + +- **Related PR**: [#3823](https://github.com/higress-group/higress/pull/3823) \ + **Contributor**: @johnlanni \ + **Change Log**: 新增nginx-rewrite-compatible WASM插件,实现Nginx rewrite + set语义的兼容解析,通过WASM沙箱安全执行重写逻辑,避免CVE-2026-42945堆溢出漏洞,支持路径匹配、变量捕获与替换。 \ + **Feature Value**: 为Higress用户提供平滑迁移Nginx rewrite规则的能力,保障兼容性的同时消除严重安全风险,降低存量业务从Nginx迁移到Higress的改造成本和运维风险。 + +- **Related PR**: [#3820](https://github.com/higress-group/higress/pull/3820) \ + **Contributor**: @wydream \ + **Change Log**: 将 Bedrock Provider 的 /v1/messages 请求从原有 OpenAI→Converse 两层协议转换链路,改为直连 Bedrock Mantle Anthropic Messages 原生接口,新增 Mantle endpoint 支持、请求路由逻辑重构及能力声明扩展。 \ + **Feature Value**: 用户调用 /v1/messages 时获得更低延迟、更高兼容性与原生 Anthropic 功能支持(如 tool use、beta headers),避免协议转换导致的语义丢失和性能损耗,提升 Bedrock 接入体验与稳定性。 + +- **Related PR**: [#3766](https://github.com/higress-group/higress/pull/3766) \ + **Contributor**: @rinfx \ + **Change Log**: 在OpenAI转Claude的流式响应转换逻辑中新增了对缓存Token使用量(CacheReadInputTokens)的支持,修改了转换器核心代码并补充了对应单元测试用例,确保Claude兼容层能准确传递缓存token计数信息。 \ + **Feature Value**: 使AI代理在调用Claude模型时能正确上报缓存命中带来的输入token节省,帮助用户精准监控和优化API成本;同时提升多模型统一计量的透明度与计费一致性,增强企业级用量分析能力。 + +- **Related PR**: [#3748](https://github.com/higress-group/higress/pull/3748) \ + **Contributor**: @zat366 \ + **Change Log**: 新增enable_path_suffixes配置项到QuotaConfig结构体,支持自定义路径后缀;更新配置解析逻辑以处理默认值;修改getOperationMode函数以适配新路径后缀逻辑;增强测试覆盖新配置及其对操作模式的影响。 \ + **Feature 
Value**: 用户可根据业务需求灵活配置API路径后缀匹配规则,提升配额控制的精确性和适应性;管理员能更细粒度地管理不同AI服务路径的配额策略,增强插件在多场景下的适用性和可维护性。 + +- **Related PR**: [#3742](https://github.com/higress-group/higress/pull/3742) \ + **Contributor**: @wydream \ + **Change Log**: 新增KlingAI provider,支持官方AK/SK JWT鉴权和第三方网关静态Bearer token两种模式,覆盖OpenAI兼容协议与Kling原始协议,实现文生视频、图生视频等全接口能力。 \ + **Feature Value**: 用户可直接通过AI代理服务调用KlingAI视频生成能力,无需自行处理JWT签名或适配不同网关,显著降低接入门槛,扩展平台对AIGC视频类模型的支持范围。 + +- **Related PR**: [#3739](https://github.com/higress-group/higress/pull/3739) \ + **Contributor**: @johnlanni \ + **Change Log**: 为ai-prompt-decorator插件新增replace配置项,支持基于literal或RE2正则对最终组装的messages中content字段进行顺序化、角色条件限制的文本替换,增强请求内容动态改写能力。 \ + **Feature Value**: 用户可在不修改业务逻辑前提下,灵活实现敏感词过滤、品牌词归一、占位符脱敏等文本处理需求,提升AI网关在合规性、安全性和多租户场景下的适应能力。 + +- **Related PR**: [#3738](https://github.com/higress-group/higress/pull/3738) \ + **Contributor**: @JianweiWang \ + **Change Log**: 为ai-security-guard插件新增可配置的响应内容提取备用JSON路径(responseContentFallbackJsonPaths和responseStreamContentFallbackJsonPaths),支持Anthropic Claude等非OpenAI格式,当主路径提取为空时按序尝试fallback路径,自动跳过与主路径相同的备选路径。 \ + **Feature Value**: 提升插件兼容性与鲁棒性,使用户在接入不同大模型(如Claude)时无需修改代码即可完成内容安全检测,降低多模型适配成本,保障响应内容提取的稳定性与准确性。 + +- **Related PR**: [#3734](https://github.com/higress-group/higress/pull/3734) \ + **Contributor**: @CH3CHO \ + **Change Log**: 在build-envoy.sh脚本中新增patch命令存在性检查,若缺失则提前报错;同时优化build-envoy.patch应用时的错误处理逻辑,避免因patch未执行导致隐蔽的Bazel依赖错误。 \ + **Feature Value**: 显著提升Envoy构建过程的可观测性与健壮性,用户在缺少patch命令时能立即获得明确错误提示,大幅降低调试门槛和环境配置失败排查成本。 + +- **Related PR**: [#3724](https://github.com/higress-group/higress/pull/3724) \ + **Contributor**: @wydream \ + **Change Log**: 为AI代理插件新增Qwen rerank和conversations API路径支持,扩展了路径映射规则、API名称常量及Qwen专属路由逻辑,并补充了完整的回归测试用例,覆盖路径识别与提供商路由功能。 \ + **Feature Value**: 用户可通过标准兼容接口调用Qwen的rerank和对话能力,提升多模型服务统一接入体验;增强了AI代理对国产大模型Qwen的支持广度,降低业务集成门槛并提高路由准确性。 + +- **Related PR**: [#3700](https://github.com/higress-group/higress/pull/3700) \ + **Contributor**: @wydream \ + **Change Log**: 为ai-proxy 
failover机制新增cooldownDuration配置,使被摘除的API Key可在指定毫秒冷却期后自动恢复,避免依赖真实请求的健康检查,减少token消耗和配置复杂度。 \ + **Feature Value**: 用户可更灵活地管理API Key可用性,降低因限流导致的长期不可用风险,节省调用成本,并简化failover配置,提升系统稳定性和运维效率。 + +- **Related PR**: [#3694](https://github.com/higress-group/higress/pull/3694) \ + **Contributor**: @CH3CHO \ + **Change Log**: 新增外部授权请求中允许转发的属性配置能力,支持route_name、cluster_name等关键上下文字段透传,通过扩展AuthorizationRequest结构体并增加AllowedProperties字段实现,同时更新了配置解析逻辑和SDK依赖。 \ + **Feature Value**: 使用户能在外部授权服务中获取更丰富的Envoy网关上下文信息,提升鉴权策略的精准性和灵活性,便于实现基于路由、集群等维度的细粒度访问控制,降低定制化开发成本。 + +- **Related PR**: [#3690](https://github.com/higress-group/higress/pull/3690) \ + **Contributor**: @JianweiWang \ + **Change Log**: 新增敏感数据掩码支持,通过riskAction配置(block/mask)实现API响应中敏感字段的脱敏替换;新增customLabel、maliciousFile、waterMark维度类型及dimension级动作配置,提升风险处置灵活性。 \ + **Feature Value**: 用户可在不阻断服务前提下对敏感信息进行动态脱敏,增强AI应用合规能力;多维度细粒度风险控制策略支持更精准的内容安全治理,降低误拦率并满足不同业务场景的监管要求。 + +### 🐛 Bug修复 (Bug Fixes) + +- **Related PR**: [#3829](https://github.com/higress-group/higress/pull/3829) \ + **Contributor**: @CH3CHO \ + **Change Log**: 修复了ai-proxy插件中ProviderConfig结构体的apiTokens字段的标签拼写错误,将错误的JSON/YAML标签更正为正确形式,确保配置解析和序列化功能正常工作。 \ + **Feature Value**: 避免因字段标签错误导致的配置解析失败或API Token无法正确加载,提升AI代理服务的稳定性与可靠性,使用户能顺利配置和使用不同AI服务提供商的认证凭证。 + +- **Related PR**: [#3801](https://github.com/higress-group/higress/pull/3801) \ + **Contributor**: @CH3CHO \ + **Change Log**: 修复EnvoyFilter构建过程中对不支持上游协议的日志打印问题,补充缺失的格式化参数,避免日志输出异常或信息不全,确保警告日志能正确显示协议类型和上下文。 \ + **Feature Value**: 提升调试与运维可观测性,使用户在配置错误协议时能准确获知具体不支持的协议及发生位置,减少排查时间,增强Ingress网关配置的健壮性和可维护性。 + +- **Related PR**: [#3799](https://github.com/higress-group/higress/pull/3799) \ + **Contributor**: @Betula-L \ + **Change Log**: 修复了Claude工具调用中空输入对象(input:{})在通过内部bridge转换为Bedrock Converse格式时被JSON序列化意外省略的问题,通过调整结构体字段的JSON标签和测试覆盖确保空map正确保留。 \ + **Feature Value**: 确保使用无参数工具的Claude消息能被准确透传至底层Bedrock服务,避免因输入丢失导致工具调用失败或行为异常,提升AI代理在多模型适配场景下的兼容性与可靠性。 + +- **Related PR**: [#3788](https://github.com/higress-group/higress/pull/3788) \ + 
**Contributor**: @Betula-L \ + **Change Log**: 修复Bedrock Claude推理块在ai-proxy协议桥接中的结构丢失问题,通过重构convertEventFromBedrockToOpenAI逻辑和新增redactedBlockIndexes状态管理,确保reasoningContent保留在原生Anthropic消息块中而非混入普通文本。 \ + **Feature Value**: 用户调用Bedrock Claude模型时将正确获得结构化推理块(如...),避免推理过程意外暴露给终端用户,提升响应语义完整性与兼容性,保障符合Anthropic Messages API规范的交互体验。 + +- **Related PR**: [#3786](https://github.com/higress-group/higress/pull/3786) \ + **Contributor**: @Betula-L \ + **Change Log**: 修复了Bedrock Claude工具调用流式响应中contentBlockIndex到OpenAI tool_calls[].index的映射错误,正确处理并行工具调用的索引错位和tool_choice参数转换逻辑,确保流式工具调用在ai-proxy中保持语义一致性和顺序正确性。 \ + **Feature Value**: 用户在使用Bedrock Claude模型进行多工具并行调用时,将获得准确、可预测的流式tool_calls索引和正确触发的tool_choice行为,避免工具执行错乱或丢失,显著提升生产环境下的兼容性与可靠性。 + +- **Related PR**: [#3779](https://github.com/higress-group/higress/pull/3779) \ + **Contributor**: @CH3CHO \ + **Change Log**: 修复了启用--log_as_json参数后控制器部分日志仍以纯文本输出的问题,通过统一替换日志包导入路径为istio.io/istio/pkg/log,确保所有组件使用一致的JSON日志实现。 \ + **Feature Value**: 提升日志格式一致性与可观察性,便于用户在K8s等环境中集中采集、解析和分析Higress控制器日志,降低运维排查成本,增强生产环境日志标准化能力。 + +- **Related PR**: [#3777](https://github.com/higress-group/higress/pull/3777) \ + **Contributor**: @wydream \ + **Change Log**: 修复了ai-proxy插件中Vertex AI Express Mode原始REST端点的API密钥注入问题,扩展正则表达式以匹配不包含/projects/{project}/locations/{location}路径段的Express模式URL,并新增对应测试用例验证请求头处理逻辑。 \ + **Feature Value**: 使用户能够正确调用Vertex AI Express Mode的简化REST接口(如streamGenerateContent),无需构造复杂路径,提升代理兼容性与易用性,避免因密钥未注入导致的401认证失败。 + +- **Related PR**: [#3770](https://github.com/higress-group/higress/pull/3770) \ + **Contributor**: @CH3CHO \ + **Change Log**: 该PR修复了HTTPS上游连接中TLS证书验证无法跳过的问题,通过在upstreamtls.go中新增配置支持跳过TLS证书验证,并在测试文件中补充了相关protobuf和google.golang依赖以支持新功能的单元测试。 \ + **Feature Value**: 使Higress能够支持使用自签名证书的HTTPS上游服务,解决了企业内部或测试环境中因证书不被信任而导致的连接失败问题,提升了部署灵活性和兼容性。 + +- **Related PR**: [#3765](https://github.com/higress-group/higress/pull/3765) \ + **Contributor**: @wydream \ + **Change Log**: 修复AI代理对Azure OpenAI 
v1服务URL的支持,新增对/openai/v1及子路径的识别与路由处理,兼容无api-version参数的新URL格式,同时保留对旧版部署URL的api-version校验逻辑。 \ + **Feature Value**: 使用户能无缝对接Azure OpenAI最新v1 REST API标准,无需手动拼接api-version,提升配置灵活性与服务兼容性;降低因URL格式变更导致的请求失败率,增强代理稳定性与易用性。 + +- **Related PR**: [#3757](https://github.com/higress-group/higress/pull/3757) \ + **Contributor**: @srpatcha \ + **Change Log**: 添加了nil检查、安全类型断言和panic防护机制,修复多处潜在空指针解引用和类型断言失败风险;同时优化了WASM插件中正则编译逻辑,避免运行时panic。 \ + **Feature Value**: 显著提升网关稳定性与健壮性,防止因异常输入或配置错误导致服务崩溃;用户将获得更可靠的API网关运行体验,降低线上故障率和运维负担。 + +- **Related PR**: [#3756](https://github.com/higress-group/higress/pull/3756) \ + **Contributor**: @wydream \ + **Change Log**: 修复Claude /v1/messages 到 OpenAI chat/completions 请求转换时对 thinking/redacted_thinking 内容块的丢失问题,增强 tool-call 推理上下文透传能力,并引入 preserve_thinking 和 promote_thinking_on_empty 配置项实现 provider 级兼容性控制。 \ + **Feature Value**: 确保使用 Claude 后端的 AI 代理能正确向支持 reasoning_content 的模型(如 Qwen)传递完整思维链信息,同时避免对 OpenAI/Azure 等严格标准 provider 造成兼容性破坏,提升多模型路由场景下的功能一致性与可靠性。 + +- **Related PR**: [#3733](https://github.com/higress-group/higress/pull/3733) \ + **Contributor**: @wydream \ + **Change Log**: 修复Claude流式转换中对非标准上游响应的兼容性问题:正确处理空字符串finish_reason、避免usage重复触发message_stop、防止message_stop后继续处理重复chunk导致事件乱序。 \ + **Feature Value**: 提升AI代理在多厂商兼容场景下的稳定性与可靠性,避免流式响应中断或错乱,确保用户获得完整、有序的Claude风格SSE流,改善LLM调用体验。 + +- **Related PR**: [#3731](https://github.com/higress-group/higress/pull/3731) \ + **Contributor**: @JianweiWang \ + **Change Log**: 移除了AI安全守卫中Suggestion=block的强制兜底拦截逻辑,改为统一基于风险维度阈值进行判断;修改了config.go核心评估逻辑,并同步更新了多处测试用例以准确覆盖阈值驱动的RiskBlock判定路径。 \ + **Feature Value**: 提升了风险拦截策略的准确性和可配置性,避免因误设Suggestion=block导致的非预期拦截;用户现在能更精确地通过阈值控制拦截行为,增强策略透明度与调试能力,降低误报率。 + +- **Related PR**: [#3722](https://github.com/higress-group/higress/pull/3722) \ + **Contributor**: @wydream \ + **Change Log**: 该PR将Qwen兼容响应端点路径从已弃用的旧URL /api/v2/apps/protocols/compatible-mode/v1/responses 迁移至新官方路径 /compatible-mode/v1/responses,涉及 provider/qwen.go 和测试文件中的路径常量及断言更新,确保AI代理持续调用有效接口。 \ + **Feature Value**: 
避免因Qwen(DashScope)停用旧API路径导致服务中断,保障用户通过ai-proxy调用Qwen模型的稳定性与连续性,无需修改客户端代码即可平滑过渡到新接口。 + +- **Related PR**: [#3695](https://github.com/higress-group/higress/pull/3695) \ + **Contributor**: @wydream \ + **Change Log**: 修复 Vertex Raw Express Mode 下 API Key 认证缺失问题,通过在 OnRequestBody 中追加 API Key 到 URL query 并清理 Authorization header;同时修复 Express Mode 全局的认证头残留和 URL 构造逻辑缺陷。 \ + **Feature Value**: 使 Vertex Raw Express Mode 能正确通过 API Key 认证访问 Google Vertex AI 服务,避免 401 错误;提升代理稳定性与兼容性,确保用户在该模式下可正常调用大模型 API。 + +- **Related PR**: [#3682](https://github.com/higress-group/higress/pull/3682) \ + **Contributor**: @CH3CHO \ + **Change Log**: 修复了golang-filter在build-gateway-local过程中未校验TARGET_ARCH有效性的问题,通过在Makefile.core.mk中引入VALID_ARCHS白名单及错误检查逻辑,确保仅支持amd64和arm64架构,避免因非法架构参数导致构建失败或生成错误二进制。 \ + **Feature Value**: 提升了多架构构建的健壮性和可维护性,防止用户因误设TARGET_ARCH(如错填x86、ppc64le等)引发静默构建错误或运行时异常,保障Higress网关在不同CPU架构环境下的正确编译与部署。 + +- **Related PR**: [#3576](https://github.com/higress-group/higress/pull/3576) \ + **Contributor**: @Jing-ze \ + **Change Log**: 修复WASM上下文中reroute后ROUTE_NAME属性返回陈旧路由名的问题,通过修正Envoy 1.36中StreamInfoImpl::getRouteName()的调用逻辑,确保clearRouteCache后能获取最新路由名称。 \ + **Feature Value**: 保障WASM插件在重路由后能正确匹配规则,避免因路由名未更新导致matchRule失效,提升路由策略执行的准确性和稳定性,对依赖动态路由匹配的用户功能至关重要。 + +- **Related PR**: [#3425](https://github.com/higress-group/higress/pull/3425) \ + **Contributor**: @CH3CHO \ + **Change Log**: 为Dockerfile.higress中的ARG HUB参数添加默认值(higress-registry.cn-hangzhou.cr.aliyuncs.com/higress),避免因未传入HUB参数导致构建时产生警告,同时保持向后兼容:显式传参时仍优先使用传入值。 \ + **Feature Value**: 消除Docker构建过程中的冗余警告,提升CI/CD流水线的可读性与稳定性;用户无需额外指定HUB参数即可顺利完成本地构建,降低入门门槛和维护成本。 + +### 📚 文档更新 (Documentation) + +- **Related PR**: [#3830](https://github.com/higress-group/higress/pull/3830) \ + **Contributor**: @EndlessSeeker \ + **Change Log**: 在英文、中文和日文三个语言版本的README文件中添加OpenSSF最佳实践徽章,通过Markdown图片链接形式嵌入,并指向项目在OpenSSF Best Practices平台的评估页面,提升项目合规性与可信度展示。 \ + **Feature Value**: 增强项目透明度和可信度,帮助用户快速了解Higress在安全性、维护性等开源实践方面的达标情况,提升社区和企业用户对项目的信任感与采用意愿。 + +- 
**Related PR**: [#3764](https://github.com/higress-group/higress/pull/3764) \ + **Contributor**: @EndlessSeeker \ + **Change Log**: 更新SECURITY.md、CONTRIBUTING系列文档及新增GOVERNANCE.md,正式化漏洞报告流程、定义安全响应SLA与团队、明确CNCF治理模型,满足CNCF Sandbox和OpenSSF最佳实践认证要求。 \ + **Feature Value**: 提升项目安全合规性与透明度,为用户提供标准化的安全问题上报渠道和响应承诺,增强企业用户信任;同时完善多语言贡献指南,降低全球开发者参与门槛,促进社区健康可持续发展。 + +- **Related PR**: [#3754](https://github.com/higress-group/higress/pull/3754) \ + **Contributor**: @johnlanni \ + **Change Log**: 新增顶层MAINTAINERS.md文件,列出Higress项目当前维护者名单,包含维护者职责说明及CNCF Sandbox合规性声明,为CNCF沙箱入驻提供必需的治理文档支持。 \ + **Feature Value**: 提升项目透明度与社区治理规范性,便于外部贡献者识别核心维护团队,加速CNCF沙箱认证流程,并为后续维护者交接和权限管理奠定基础,增强用户对项目长期稳定性的信心。 + +- **Related PR**: [#3730](https://github.com/higress-group/higress/pull/3730) \ + **Contributor**: @CH3CHO \ + **Change Log**: 更新中英文README文件,使其与最新的配置解析逻辑保持一致,修正默认值矛盾、路径描述错误、字符串拼接格式不清晰等问题,并同步删除过时的构建说明(如tinygo相关要求)。 \ + **Feature Value**: 提升文档准确性和一致性,避免用户因过时或错误的配置示例导致插件启用失败;中英文文档同步优化降低了多语言用户的理解门槛,增强AI缓存插件的易用性与可靠性。 + +- **Related PR**: [#3696](https://github.com/higress-group/higress/pull/3696) \ + **Contributor**: @github-actions[bot] \ + **Change Log**: PR新增了2.2.1版本的中英文发布说明文件(README.md和README_ZH.md),自动汇总65项更新,涵盖新功能、Bug修复、重构优化和文档更新,并按类别统计分布。 \ + **Feature Value**: 为用户提供了结构清晰、多语言支持的版本变更概览,帮助快速掌握升级价值与影响范围,提升透明度和可维护性,降低升级决策成本。 + +### 🧪 测试改进 (Testing) + +- **Related PR**: [#3790](https://github.com/higress-group/higress/pull/3790) \ + **Contributor**: @Jing-ze \ + **Change Log**: 新增了AI代理WASM插件的集成测试覆盖,包括配置解析边界场景、流式响应体处理、故障转移验证及工具函数测试,并添加export_test.go导出内部函数供测试使用,显著提升WASM环境下的测试完备性。 \ + **Feature Value**: 增强AI代理插件在各类WASM运行时和AI服务提供商下的稳定性与兼容性保障,降低因配置异常或网络故障导致服务中断的风险,提升用户生产环境部署的可靠性和可维护性。 + +--- + +## 📊 发布统计 + +- 🚀 新功能: 13项 +- 🐛 Bug修复: 18项 +- 📚 文档更新: 5项 +- 🧪 测试改进: 1项 + +**总计**: 37项更改 + +感谢所有贡献者的辛勤付出!🎉 + + +# Higress Console + + +## 📋 本次发布概览 + +本次发布包含 **18** 项更新,涵盖了功能增强、Bug修复、性能优化等多个方面。 + +### 更新内容分布 + +- **新功能**: 7项 +- **Bug修复**: 9项 +- **文档更新**: 2项 + +--- + +## 📝 完整变更日志 + +### 🚀 新功能 (Features) + +- **Related 
PR**: [#621](https://github.com/higress-group/higress-console/pull/621) \ + **Contributor**: @Thomas-Eliot \ + **Change Log**: 优化MCP Server交互能力:支持DNS后端自动重写Host头;增强直接路由场景的传输协议选择与完整路径配置;改进DB到MCP Server场景的DSN特殊字符(如@)解析能力。 \ + **Feature Value**: 提升MCP Server集成灵活性与兼容性,使用户能更便捷地对接不同部署方式的后端服务,降低配置复杂度,避免因路径前缀误解或DSN解析失败导致的接入问题。 + +- **Related PR**: [#608](https://github.com/higress-group/higress-console/pull/608) \ + **Contributor**: @Libres-coder \ + **Change Log**: 在AI路由管理页面新增插件显示功能,支持展开行查看已启用插件,并在配置页展示'Enabled'标签;通过扩展PluginList组件逻辑支持AI_ROUTE类型查询,同时增强route.tsx中i18n语言变更监听的清理机制。 \ + **Feature Value**: 用户 now 可直观查看AI路由关联的已启用插件,与常规路由管理体验保持一致,提升AI路由配置的可维护性与可观测性;统一UI交互降低学习成本,增强平台对AI场景的功能覆盖完整性。 + +- **Related PR**: [#604](https://github.com/higress-group/higress-console/pull/604) \ + **Contributor**: @CH3CHO \ + **Change Log**: 新增支持通过higress.io/rewrite-target注解实现基于正则表达式的路径重写功能,扩展了Kubernetes注解常量、路由转换逻辑及前后端国际化文案,增强路由匹配灵活性。 \ + **Feature Value**: 用户可通过正则表达式精准控制路径重写行为,满足复杂路由场景需求,如动态路径参数提取与映射,显著提升网关配置的表达能力和业务适配性。 + +- **Related PR**: [#603](https://github.com/higress-group/higress-console/pull/603) \ + **Contributor**: @CH3CHO \ + **Change Log**: 在静态服务源表单组件中新增常量STATIC_SERVICE_PORT = 80,并在UI中显式展示该固定端口,使用户明确知晓静态服务默认使用80端口,提升配置透明度和可预期性。 \ + **Feature Value**: 用户在配置静态服务源时能直观看到默认端口为80,避免因端口认知偏差导致的配置错误或调试困难,降低使用门槛,提升部署效率与体验一致性。 + +- **Related PR**: [#602](https://github.com/higress-group/higress-console/pull/602) \ + **Contributor**: @CH3CHO \ + **Change Log**: 在AI路由配置的上游服务选择组件中新增搜索功能,通过在index.tsx中扩展Select组件逻辑,支持用户实时搜索和过滤大量上游服务,提升配置效率与准确性。 \ + **Feature Value**: 用户在配置AI路由时可快速定位目标上游服务,避免手动滚动查找,显著降低配置错误率,尤其适用于拥有数十个以上服务的复杂AI网关场景,提升运维与开发效率。 + +- **Related PR**: [#566](https://github.com/higress-group/higress-console/pull/566) \ + **Contributor**: @OuterCyrex \ + **Change Log**: 新增通义千问(Qwen)大模型服务支持,包括自定义服务地址、互联网搜索开关、文件ID上传等配置能力;后端新增QwenLlmProviderHandler实现,前端增加多语言支持及Provider表单适配。 \ + **Feature Value**: 用户可灵活对接自建或云上Qwen服务,支持搜索增强和文件上下文注入,提升AI网关在国产大模型场景下的兼容性与扩展性,降低企业私有化部署门槛。 + +- **Related PR**: 
[#552](https://github.com/higress-group/higress-console/pull/552) \ + **Contributor**: @lcfang \ + **Change Log**: 新增VPort虚拟端口属性,扩展MCP Bridge注册中心配置能力,在ServiceSource中增加vport字段及对应CRD模型,支持为服务实例统一指定默认后端端口,解决Eureka/Nacos等注册中心中实例真实端口不一致导致的路由失效问题。 \ + **Feature Value**: 用户可在配置服务发现时显式声明虚拟端口,确保路由规则对后端端口变更具备弹性兼容性,避免因实例端口动态变化引发的流量中断,提升微服务治理稳定性和运维可预测性。 + +### 🐛 Bug修复 (Bug Fixes) + +- **Related PR**: [#620](https://github.com/higress-group/higress-console/pull/620) \ + **Contributor**: @CH3CHO \ + **Change Log**: 修复了sortWasmPluginMatchRules逻辑中的拼写错误,修正了匹配规则排序时因变量名或逻辑误写导致的潜在行为异常,确保WASM插件匹配规则按预期优先级正确排序。 \ + **Feature Value**: 避免因拼写错误引发的规则排序错误,保障WASM插件在Kubernetes中按用户配置的优先级准确生效,提升插件路由和策略执行的可靠性与一致性。 + +- **Related PR**: [#619](https://github.com/higress-group/higress-console/pull/619) \ + **Contributor**: @CH3CHO \ + **Change Log**: 修复了AiRoute转换为ConfigMap时重复存储版本信息的问题,从data JSON中移除version字段,仅保留在ConfigMap metadata中,避免数据冗余和潜在不一致。 \ + **Feature Value**: 提升了配置管理的准确性和一致性,防止因版本信息重复导致的解析错误或部署异常,增强系统稳定性与可维护性,对使用Kubernetes ConfigMap管理路由配置的用户有直接收益。 + +- **Related PR**: [#618](https://github.com/higress-group/higress-console/pull/618) \ + **Contributor**: @CH3CHO \ + **Change Log**: 重构SystemController中的API认证逻辑,引入AllowAnonymous注解机制,统一处理无需认证的接口路径,移除硬编码的免认证判断,增强认证逻辑的可维护性与安全性。 \ + **Feature Value**: 修复了系统控制器中潜在的安全漏洞,防止未授权访问敏感API接口,提升了平台整体安全性,保障用户数据和系统资源不被非法调用,增强企业级生产环境的合规性与可信度。 + +- **Related PR**: [#617](https://github.com/higress-group/higress-console/pull/617) \ + **Contributor**: @CH3CHO \ + **Change Log**: 修复了前端列表渲染缺少唯一key导致的React警告、Content Security Policy阻止外部图片加载的问题,以及Consumer.name字段类型定义错误(由boolean误写为string),提升了组件健壮性和类型安全性。 \ + **Feature Value**: 消除了控制台警告和图片加载失败问题,改善开发体验与调试效率;修正接口类型定义,避免运行时类型错误,提升应用稳定性与开发者协作可靠性,用户将获得更流畅、无异常提示的界面交互体验。 + +- **Related PR**: [#614](https://github.com/higress-group/higress-console/pull/614) \ + **Contributor**: @lc0138 \ + **Change Log**: 修复了ServiceSource类中服务来源type字段的类型定义错误,增加了对字典值的校验逻辑,确保传入的注册中心类型必须属于预定义的合法集合,防止非法值引发运行时异常。 \ + **Feature Value**: 
提升了服务来源配置的健壮性和安全性,避免因type字段值非法导致的服务注册失败或系统异常,保障用户在配置不同注册中心时的稳定性和可预期性。 + +- **Related PR**: [#613](https://github.com/higress-group/higress-console/pull/613) \ + **Contributor**: @lc0138 \ + **Change Log**: 修复前端Content Security Policy(CSP)配置缺失问题,在document.tsx中新增meta标签以声明安全策略,防止XSS等攻击,增强页面资源加载和脚本执行的安全控制。 \ + **Feature Value**: 提升前端应用的安全防护能力,有效缓解跨站脚本(XSS)等常见Web安全风险,保障用户数据与交互安全,符合企业级安全合规要求,增强终端用户信任感。 + +- **Related PR**: [#612](https://github.com/higress-group/higress-console/pull/612) \ + **Contributor**: @zhwaaaaaa \ + **Change Log**: 在DashboardServiceImpl中新增对hop-to-hop HTTP头部(如Transfer-Encoding: chunked)的忽略逻辑,依据RFC 2616第13.5.1节规范,避免反向代理转发时因非法透传逐跳头部导致Grafana页面异常。 \ + **Feature Value**: 修复了因反向代理透传Transfer-Encoding: chunked等hop-to-hop头部导致Grafana控制台页面无法正常加载的问题,提升控制台稳定性与用户体验,确保监控集成功能可靠可用。 + +- **Related PR**: [#609](https://github.com/higress-group/higress-console/pull/609) \ + **Contributor**: @CH3CHO \ + **Change Log**: 修复了Consumer接口中name字段的类型错误,将原本错误声明为boolean的类型更正为string,确保前端数据结构与后端实际返回值一致,避免类型不匹配导致的运行时错误或TypeScript编译警告。 \ + **Feature Value**: 提升了代码类型安全性与前后端数据一致性,防止因字段类型错误引发的UI渲染异常、逻辑判断失误等问题,增强应用稳定性,降低开发者调试成本,改善整体开发体验。 + +- **Related PR**: [#605](https://github.com/higress-group/higress-console/pull/605) \ + **Contributor**: @SaladDay \ + **Change Log**: 修正AI路由名称的前端表单验证正则表达式,使其支持点号(.)并限制仅小写字母;同步更新中英文错误提示文案,确保界面提示与实际校验逻辑一致。 \ + **Feature Value**: 解决了用户创建AI路由时因名称含点号被误拒或提示不准确的问题,提升表单体验和可用性;使验证规则与UI说明严格一致,降低用户理解成本和操作失败率。 + +### 📚 文档更新 (Documentation) + +- **Related PR**: [#611](https://github.com/higress-group/higress-console/pull/611) \ + **Contributor**: @qshuai \ + **Change Log**: 修正了LlmProvidersController中新增LLM提供者的API接口注解描述,将错误的'Add a new route'更新为准确反映功能的标题,确保Swagger文档等生成的API说明与实际功能一致。 \ + **Feature Value**: 提升API文档准确性与开发者体验,避免前端或调用方因错误摘要产生误解;对用户而言,增强了控制台API文档的专业性和可维护性,降低集成和调试成本。 + +- **Related PR**: [#610](https://github.com/higress-group/higress-console/pull/610) \ + **Contributor**: @heimanba \ + **Change Log**: 修改 frontend-gray 插件文档中 
rewrite、backendVersion、enabled 字段为非必填,更新 rules.name 关联路径为 grayDeployments[].name,并同步中英文 README 和 spec.yaml 的字段描述与术语,确保配置说明准确反映最新灵活性设计。 \ + **Feature Value**: 提升灰度配置的兼容性与易用性,降低用户配置门槛;通过精确的字段说明和术语统一,减少误解和配置错误,帮助开发者更高效、准确地使用前端灰度功能。 + +--- + +## 📊 发布统计 + +- 🚀 新功能: 7项 +- 🐛 Bug修复: 9项 +- 📚 文档更新: 2项 + +**总计**: 18项更改 + +感谢所有贡献者的辛勤付出!🎉 + +
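Review bot: In release-notes/2.2.2/README.md, the Higress Console bug-fix entry for #618 claims more than its own Change Log supports. The Feature Value says the change "Resolves potential security vulnerabilities in the system controller that could allow unauthorized access to sensitive API endpoints", while the Change Log only describes a refactor that replaces hard-coded whitelisting checks with an `AllowAnonymous` annotation. If an endpoint really was reachable without authentication, the entry should state which versions are affected and link an advisory so operators can judge upgrade urgency; if not, reword the Feature Value as hardening. Separately, the #612 entry writes "hop-to-hop" several times; the term used in RFC 2616 Section 13.5.1 is "hop-by-hop".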
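Review bot: In release-notes/2.2.2/README_ZH.md, the Higress Console bug-fix entry for #617 states the `Consumer.name` fix backwards. It reads "由boolean误写为string", which contradicts the #609 entry in the same file ("将原本错误声明为boolean的类型更正为string") and the English README ("erroneously typed as `boolean` instead of `string`"). Suggest wording such as "误声明为boolean,应为string". Also, the #608 entry has a stray English word in "用户 now 可直观查看"; drop "now" or replace it with "现在".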