The /tmp directory often doesn't allow web servers to create subdirectories. Now uses:
- Config admin: ~/.aisbf/temp_uploads/
- Database users: ~/.aisbf/user_auth_files/{user_id}/temp_uploads/

This ensures uploads work in all environments including restrictive web server configurations.

5MB chunks were still hitting reverse proxy limits for some configurations. 1MB is universally supported and will work with nginx, Cloudflare, and all other reverse proxies with default configurations.

Fixed mismatch between config object names and status element IDs:
- kiro_config → kiro
- kilo_config → kilo
- claude_config → claude
- qwen_config → qwen
- codex_config → codex

- Auto-expands the provider details panel when selecting a file to upload
- Prevents TypeError: Cannot set properties of null (setting 'innerHTML')
- Upload status is always visible after you select a file

- Added generic chunked upload handler (5MB chunks)
- All 5 provider upload functions now use chunked upload endpoint
- Progress percentage displayed during upload
- No more 413 Request Entity Too Large errors
- Supports very large files including multi-GB SQLite databases
- Uses existing chunked upload backend endpoint

The following functions were missing from providers.html:
- uploadKiroFile()
- uploadKiloFile()
- uploadClaudeFile()
- uploadQwenFile()
- uploadCodexFile()

All credential file uploads now work correctly with proper status handling and configuration updates.

The bug was that the upload handler was checking request.session.get('user_id') directly instead of using the proper authenticated user_id from request.state. When API authentication was also active, the middleware would set request.state.user_id which was being ignored.

Now correctly uses:
current_user_id = getattr(request.state, 'user_id', request.session.get('user_id'))

This respects both session authentication and API authentication state while properly identifying the config admin from aisbf.json who has no user_id.

- Replaced all is_config_admin checks to properly check role == 'admin'
- Fixed 19 occurrences throughout the codebase
- Config admin file uploads now save to filesystem instead of database
- This fixes credential file uploads for aisbf.json defined admin users

- Added md5 filter to Jinja2 templates for Gravatar
- Added popup=1 parameter to OAuth2 URLs
- Added persistent oauth2_popup_mode session flag
- Both Google and GitHub OAuth flows now properly detect popup mode
- Callback now correctly sends postMessage to opener window
- Popup closes automatically and main window redirects to dashboard

OAuth2 signup/login endpoints (/auth/oauth2/google, /auth/oauth2/github) now work correctly when API authentication is enabled. API authentication should only apply to LLM proxy endpoints, not authentication/signup routes.

Fix: Model performance Type column now shows provider type (kilo, claude, qwen, etc) instead of generic 'Provider Model'

- Added fallback logic to get provider/model combinations from token_usage table
- Added context dimension recording in request success path
- Model performance now displays data even if context_dimensions table is empty
- Skip providers with zero requests in selected time range

- Simplified get_cost_overview to use tokens from provider stats (which already respect date range)
- Removed redundant get_token_usage_by_date_range call
- Cost overview now properly reflects selected time period filter

- Added from_datetime and to_datetime parameters to get_model_performance()
- Added from_datetime and to_datetime parameters to get_optimization_recommendations()
- Model performance now uses date-filtered provider stats instead of all-time stats
- All analytics sections now respect the selected time range filter
- Added optimization_savings placeholder to template context

- Fixed analytics token counting for Kilo/Kilocode ChatCompletion objects
- Fixed database migrations to add missing columns (success, latency_ms, error_type, token_id)
- Restored model retrieval with proper handle_model_list method
- Fixed response cache serialization for ChatCompletion objects
- Fixed MySQL timezone issues in all analytics queries using _format_timestamp()
- Added comprehensive cost calculation debug logging at INFO level
- Added kilo providers to DEFAULT_PRICING with $0.00 (subscription/free)
- Enhanced database tracking with full parameter trace logging
- Added 'Yesterday' time range filter to analytics page
- Improved custom date range handling
- All changes maintain 100% backwards compatibility
- Version bumped to 0.99.33

- Fixed duplicate authentication area in providers dashboard
- Restored full OAuth authentication with popup windows for all providers
- Added missing JavaScript authentication functions (authenticateClaude, authenticateQwen, authenticateCodex, authenticateKilo)
- Added missing backend endpoint /dashboard/providers/{provider_name}/auth/check
- Fixed import errors and attribute access for OAuth provider configs
- Fixed credential structure access for each OAuth provider type
- Fixed polling status responses (approved -> completed)
- Added human-readable expiration time formatting (days, hours, minutes, seconds)
- All OAuth flows now work with proper popup windows, polling, and status updates

- Restore Rate Limits and Response Cache links in analytics page for admin users
- Add detailed Optimization Savings section with token and cost breakdown
- Fix JavaScript syntax error in rate limits page
- Add response cache dashboard page with statistics and management
- Update setup.py to include new response cache template

- Add Estimated Savings card showing money saved from cache hits
- Fetch cache statistics via AJAX and calculate savings
- Display savings prominently in Cost Overview section
- Assumes average cost of $0.002 per cached request

- Add quick links navigation to Analytics, Response Cache, and Rate Limits pages
- Create response_cache.html template with cache statistics and management
- Add /dashboard/response-cache route to display cache page (not just JSON)
- Fix rate_limits URL in navigation (use /dashboard/rate-limits)
- All three pages now have consistent navigation between them

- Move updateUsers and getUrlParams functions outside DOMContentLoaded
- Add attachEventListeners function to reattach event handlers after AJAX updates
- Fixes 'updateUsers is not defined' error when performing bulk operations

- Add status_filter and role_filter query parameters with validation
- Pass filter parameters to database method
- Include filter values in template context for UI persistence

- Add back search controls with filter dropdowns (status/role) that were accidentally removed
- Add missing bulk action helper functions: updateBulkActionsVisibility, updateSelectAllState, clearSelection, performBulkAction
- Ensure bulk selection and bulk operations work correctly

- Implement POST /dashboard/users/bulk route for bulk operations
- Support enable, disable, delete, and tier change actions
- Add input validation for action and user_ids parameters
- Include error handling and appropriate JSON responses
- Log errors for debugging purposes

- Add status filter (active/inactive) and role filter (admin/user) dropdowns
- Add select all checkbox and individual user checkboxes
- Add bulk action bar with tier change, enable/disable, delete buttons
- Include selection counter and clear selection button

- Add status_filter parameter (active/inactive)
- Add role_filter parameter (admin/user)
- Combine filters with existing search functionality
- Update both main query and count query

- Advanced filtering by user status (active/inactive) and role (admin/user)
- Bulk selection with checkboxes and select all functionality
- Bulk operations: enable, disable, delete, change tier
- Confirmation dialogs for destructive actions
- Selection counter and clear selection
- Combined filtering with existing search/sorting/pagination