Merge pull request #83 from router-for-me/oaifix

fix(cliproxy): Use model name as fallback for ID if alias is empty

cmd/server/main.go

@@ -4,7 +4,6 @@
 package main
 
 import (
-	"context"
 	"flag"
 	"fmt"
 	"os"
@@ -14,7 +13,6 @@ import (
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/cmd"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/logging"
-	"github.com/router-for-me/CLIProxyAPI/v6/internal/managementasset"
 	_ "github.com/router-for-me/CLIProxyAPI/v6/internal/translator"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/usage"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
@@ -116,13 +114,6 @@ func main() {
 	}
 	usage.SetStatisticsEnabled(cfg.UsageStatisticsEnabled)
 
-	staticDir := managementasset.StaticDir(configFilePath)
-	if !cfg.RemoteManagement.DisableControlPanel {
-		go managementasset.EnsureLatestManagementHTML(context.Background(), staticDir)
-	} else {
-		log.Debug("management control panel disabled; skip asset sync")
-	}
-
 	if err = logging.ConfigureLogOutput(cfg.LoggingToFile); err != nil {
 		log.Fatalf("failed to configure log output: %v", err)
 	}

config.example.yaml

@@ -12,6 +12,9 @@ remote-management:
   # Leave empty to disable the Management API entirely (404 for all /v0/management routes).
   secret-key: ""
 
+  # Disable the bundled management control panel asset download and HTTP route when true.
+  disable-control-panel: false
+
 # Authentication directory (supports ~ for home directory)
 auth-dir: "~/.cli-proxy-api"
 

internal/api/server.go

@@ -13,6 +13,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync/atomic"
 	"time"
 
 	"github.com/gin-gonic/gin"
@@ -126,6 +127,11 @@ type Server struct {
 	// management handler
 	mgmt *managementHandlers.Handler
 
+	// managementRoutesRegistered tracks whether the management routes have been attached to the engine.
+	managementRoutesRegistered atomic.Bool
+	// managementRoutesEnabled controls whether management endpoints serve real handlers.
+	managementRoutesEnabled atomic.Bool
+
 	localPassword string
 
 	keepAliveEnabled   bool
@@ -210,6 +216,12 @@ func NewServer(cfg *config.Config, authManager *auth.Manager, accessManager *sdk
 		optionState.routerConfigurator(engine, s.handlers, cfg)
 	}
 
+	// Register management routes only when a secret is present at startup.
+	s.managementRoutesEnabled.Store(cfg.RemoteManagement.SecretKey != "")
+	if cfg.RemoteManagement.SecretKey != "" {
+		s.registerManagementRoutes()
+	}
+
 	if optionState.keepAliveEnabled {
 		s.enableKeepAlive(optionState.keepAliveTimeout, optionState.keepAliveOnTimeout)
 	}
@@ -308,85 +320,104 @@ func (s *Server) setupRoutes() {
 		c.String(http.StatusOK, "<html><body><h1>Authentication successful!</h1><p>You can close this window.</p></body></html>")
 	})
 
-	// Management API routes (delegated to management handlers)
-	// New logic: if remote-management-key is empty, do not expose any management endpoint (404).
-	if s.cfg.RemoteManagement.SecretKey != "" {
-		mgmt := s.engine.Group("/v0/management")
-		mgmt.Use(s.mgmt.Middleware())
-		{
-			mgmt.GET("/usage", s.mgmt.GetUsageStatistics)
-			mgmt.GET("/config", s.mgmt.GetConfig)
+	// Management routes are registered lazily by registerManagementRoutes when a secret is configured.
+}
 
-			mgmt.GET("/debug", s.mgmt.GetDebug)
-			mgmt.PUT("/debug", s.mgmt.PutDebug)
-			mgmt.PATCH("/debug", s.mgmt.PutDebug)
+func (s *Server) registerManagementRoutes() {
+	if s == nil || s.engine == nil || s.mgmt == nil {
+		return
+	}
+	if !s.managementRoutesRegistered.CompareAndSwap(false, true) {
+		return
+	}
 
-			mgmt.GET("/logging-to-file", s.mgmt.GetLoggingToFile)
-			mgmt.PUT("/logging-to-file", s.mgmt.PutLoggingToFile)
-			mgmt.PATCH("/logging-to-file", s.mgmt.PutLoggingToFile)
+	log.Info("management routes registered after secret key configuration")
 
-			mgmt.GET("/usage-statistics-enabled", s.mgmt.GetUsageStatisticsEnabled)
-			mgmt.PUT("/usage-statistics-enabled", s.mgmt.PutUsageStatisticsEnabled)
-			mgmt.PATCH("/usage-statistics-enabled", s.mgmt.PutUsageStatisticsEnabled)
+	mgmt := s.engine.Group("/v0/management")
+	mgmt.Use(s.managementAvailabilityMiddleware(), s.mgmt.Middleware())
+	{
+		mgmt.GET("/usage", s.mgmt.GetUsageStatistics)
+		mgmt.GET("/config", s.mgmt.GetConfig)
 
-			mgmt.GET("/proxy-url", s.mgmt.GetProxyURL)
-			mgmt.PUT("/proxy-url", s.mgmt.PutProxyURL)
-			mgmt.PATCH("/proxy-url", s.mgmt.PutProxyURL)
-			mgmt.DELETE("/proxy-url", s.mgmt.DeleteProxyURL)
+		mgmt.GET("/debug", s.mgmt.GetDebug)
+		mgmt.PUT("/debug", s.mgmt.PutDebug)
+		mgmt.PATCH("/debug", s.mgmt.PutDebug)
 
-			mgmt.GET("/quota-exceeded/switch-project", s.mgmt.GetSwitchProject)
-			mgmt.PUT("/quota-exceeded/switch-project", s.mgmt.PutSwitchProject)
-			mgmt.PATCH("/quota-exceeded/switch-project", s.mgmt.PutSwitchProject)
+		mgmt.GET("/logging-to-file", s.mgmt.GetLoggingToFile)
+		mgmt.PUT("/logging-to-file", s.mgmt.PutLoggingToFile)
+		mgmt.PATCH("/logging-to-file", s.mgmt.PutLoggingToFile)
 
-			mgmt.GET("/quota-exceeded/switch-preview-model", s.mgmt.GetSwitchPreviewModel)
-			mgmt.PUT("/quota-exceeded/switch-preview-model", s.mgmt.PutSwitchPreviewModel)
-			mgmt.PATCH("/quota-exceeded/switch-preview-model", s.mgmt.PutSwitchPreviewModel)
+		mgmt.GET("/usage-statistics-enabled", s.mgmt.GetUsageStatisticsEnabled)
+		mgmt.PUT("/usage-statistics-enabled", s.mgmt.PutUsageStatisticsEnabled)
+		mgmt.PATCH("/usage-statistics-enabled", s.mgmt.PutUsageStatisticsEnabled)
 
-			mgmt.GET("/api-keys", s.mgmt.GetAPIKeys)
-			mgmt.PUT("/api-keys", s.mgmt.PutAPIKeys)
-			mgmt.PATCH("/api-keys", s.mgmt.PatchAPIKeys)
-			mgmt.DELETE("/api-keys", s.mgmt.DeleteAPIKeys)
+		mgmt.GET("/proxy-url", s.mgmt.GetProxyURL)
+		mgmt.PUT("/proxy-url", s.mgmt.PutProxyURL)
+		mgmt.PATCH("/proxy-url", s.mgmt.PutProxyURL)
+		mgmt.DELETE("/proxy-url", s.mgmt.DeleteProxyURL)
 
-			mgmt.GET("/generative-language-api-key", s.mgmt.GetGlKeys)
-			mgmt.PUT("/generative-language-api-key", s.mgmt.PutGlKeys)
-			mgmt.PATCH("/generative-language-api-key", s.mgmt.PatchGlKeys)
-			mgmt.DELETE("/generative-language-api-key", s.mgmt.DeleteGlKeys)
+		mgmt.GET("/quota-exceeded/switch-project", s.mgmt.GetSwitchProject)
+		mgmt.PUT("/quota-exceeded/switch-project", s.mgmt.PutSwitchProject)
+		mgmt.PATCH("/quota-exceeded/switch-project", s.mgmt.PutSwitchProject)
 
-			mgmt.GET("/request-log", s.mgmt.GetRequestLog)
-			mgmt.PUT("/request-log", s.mgmt.PutRequestLog)
-			mgmt.PATCH("/request-log", s.mgmt.PutRequestLog)
+		mgmt.GET("/quota-exceeded/switch-preview-model", s.mgmt.GetSwitchPreviewModel)
+		mgmt.PUT("/quota-exceeded/switch-preview-model", s.mgmt.PutSwitchPreviewModel)
+		mgmt.PATCH("/quota-exceeded/switch-preview-model", s.mgmt.PutSwitchPreviewModel)
 
-			mgmt.GET("/request-retry", s.mgmt.GetRequestRetry)
-			mgmt.PUT("/request-retry", s.mgmt.PutRequestRetry)
-			mgmt.PATCH("/request-retry", s.mgmt.PutRequestRetry)
+		mgmt.GET("/api-keys", s.mgmt.GetAPIKeys)
+		mgmt.PUT("/api-keys", s.mgmt.PutAPIKeys)
+		mgmt.PATCH("/api-keys", s.mgmt.PatchAPIKeys)
+		mgmt.DELETE("/api-keys", s.mgmt.DeleteAPIKeys)
 
-			mgmt.GET("/claude-api-key", s.mgmt.GetClaudeKeys)
-			mgmt.PUT("/claude-api-key", s.mgmt.PutClaudeKeys)
-			mgmt.PATCH("/claude-api-key", s.mgmt.PatchClaudeKey)
-			mgmt.DELETE("/claude-api-key", s.mgmt.DeleteClaudeKey)
+		mgmt.GET("/generative-language-api-key", s.mgmt.GetGlKeys)
+		mgmt.PUT("/generative-language-api-key", s.mgmt.PutGlKeys)
+		mgmt.PATCH("/generative-language-api-key", s.mgmt.PatchGlKeys)
+		mgmt.DELETE("/generative-language-api-key", s.mgmt.DeleteGlKeys)
 
-			mgmt.GET("/codex-api-key", s.mgmt.GetCodexKeys)
-			mgmt.PUT("/codex-api-key", s.mgmt.PutCodexKeys)
-			mgmt.PATCH("/codex-api-key", s.mgmt.PatchCodexKey)
-			mgmt.DELETE("/codex-api-key", s.mgmt.DeleteCodexKey)
+		mgmt.GET("/request-log", s.mgmt.GetRequestLog)
+		mgmt.PUT("/request-log", s.mgmt.PutRequestLog)
+		mgmt.PATCH("/request-log", s.mgmt.PutRequestLog)
 
-			mgmt.GET("/openai-compatibility", s.mgmt.GetOpenAICompat)
-			mgmt.PUT("/openai-compatibility", s.mgmt.PutOpenAICompat)
-			mgmt.PATCH("/openai-compatibility", s.mgmt.PatchOpenAICompat)
-			mgmt.DELETE("/openai-compatibility", s.mgmt.DeleteOpenAICompat)
+		mgmt.GET("/request-retry", s.mgmt.GetRequestRetry)
+		mgmt.PUT("/request-retry", s.mgmt.PutRequestRetry)
+		mgmt.PATCH("/request-retry", s.mgmt.PutRequestRetry)
 
-			mgmt.GET("/auth-files", s.mgmt.ListAuthFiles)
-			mgmt.GET("/auth-files/download", s.mgmt.DownloadAuthFile)
-			mgmt.POST("/auth-files", s.mgmt.UploadAuthFile)
-			mgmt.DELETE("/auth-files", s.mgmt.DeleteAuthFile)
+		mgmt.GET("/claude-api-key", s.mgmt.GetClaudeKeys)
+		mgmt.PUT("/claude-api-key", s.mgmt.PutClaudeKeys)
+		mgmt.PATCH("/claude-api-key", s.mgmt.PatchClaudeKey)
+		mgmt.DELETE("/claude-api-key", s.mgmt.DeleteClaudeKey)
 
-			mgmt.GET("/anthropic-auth-url", s.mgmt.RequestAnthropicToken)
-			mgmt.GET("/codex-auth-url", s.mgmt.RequestCodexToken)
-			mgmt.GET("/gemini-cli-auth-url", s.mgmt.RequestGeminiCLIToken)
-			mgmt.POST("/gemini-web-token", s.mgmt.CreateGeminiWebToken)
-			mgmt.GET("/qwen-auth-url", s.mgmt.RequestQwenToken)
-			mgmt.GET("/get-auth-status", s.mgmt.GetAuthStatus)
+		mgmt.GET("/codex-api-key", s.mgmt.GetCodexKeys)
+		mgmt.PUT("/codex-api-key", s.mgmt.PutCodexKeys)
+		mgmt.PATCH("/codex-api-key", s.mgmt.PatchCodexKey)
+		mgmt.DELETE("/codex-api-key", s.mgmt.DeleteCodexKey)
+
+		mgmt.GET("/openai-compatibility", s.mgmt.GetOpenAICompat)
+		mgmt.PUT("/openai-compatibility", s.mgmt.PutOpenAICompat)
+		mgmt.PATCH("/openai-compatibility", s.mgmt.PatchOpenAICompat)
+		mgmt.DELETE("/openai-compatibility", s.mgmt.DeleteOpenAICompat)
+
+		mgmt.GET("/auth-files", s.mgmt.ListAuthFiles)
+		mgmt.GET("/auth-files/download", s.mgmt.DownloadAuthFile)
+		mgmt.POST("/auth-files", s.mgmt.UploadAuthFile)
+		mgmt.DELETE("/auth-files", s.mgmt.DeleteAuthFile)
+
+		mgmt.GET("/anthropic-auth-url", s.mgmt.RequestAnthropicToken)
+		mgmt.GET("/codex-auth-url", s.mgmt.RequestCodexToken)
+		mgmt.GET("/gemini-cli-auth-url", s.mgmt.RequestGeminiCLIToken)
+		mgmt.POST("/gemini-web-token", s.mgmt.CreateGeminiWebToken)
+		mgmt.GET("/qwen-auth-url", s.mgmt.RequestQwenToken)
+		mgmt.GET("/get-auth-status", s.mgmt.GetAuthStatus)
+	}
+}
+
+func (s *Server) managementAvailabilityMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		if !s.managementRoutesEnabled.Load() {
+			c.AbortWithStatus(http.StatusNotFound)
+			return
 		}
+		c.Next()
 	}
 }
 
@@ -405,7 +436,7 @@ func (s *Server) serveManagementControlPanel(c *gin.Context) {
 
 	if _, err := os.Stat(filePath); err != nil {
 		if os.IsNotExist(err) {
-			go managementasset.EnsureLatestManagementHTML(context.Background(), managementasset.StaticDir(s.configFilePath))
+			go managementasset.EnsureLatestManagementHTML(context.Background(), managementasset.StaticDir(s.configFilePath), cfg.ProxyURL)
 			c.AbortWithStatus(http.StatusNotFound)
 			return
 		}
@@ -641,13 +672,36 @@ func (s *Server) UpdateClients(cfg *config.Config) {
 		}
 	}
 
+	prevSecretEmpty := true
+	if oldCfg != nil {
+		prevSecretEmpty = oldCfg.RemoteManagement.SecretKey == ""
+	}
+	newSecretEmpty := cfg.RemoteManagement.SecretKey == ""
+	switch {
+	case prevSecretEmpty && !newSecretEmpty:
+		s.registerManagementRoutes()
+		if s.managementRoutesEnabled.CompareAndSwap(false, true) {
+			log.Info("management routes enabled after secret key update")
+		} else {
+			s.managementRoutesEnabled.Store(true)
+		}
+	case !prevSecretEmpty && newSecretEmpty:
+		if s.managementRoutesEnabled.CompareAndSwap(true, false) {
+			log.Info("management routes disabled after secret key removal")
+		} else {
+			s.managementRoutesEnabled.Store(false)
+		}
+	default:
+		s.managementRoutesEnabled.Store(!newSecretEmpty)
+	}
+
 	s.applyAccessConfig(oldCfg, cfg)
 	s.cfg = cfg
 	s.handlers.UpdateClients(&cfg.SDKConfig)
 
 	if !cfg.RemoteManagement.DisableControlPanel {
 		staticDir := managementasset.StaticDir(s.configFilePath)
-		go managementasset.EnsureLatestManagementHTML(context.Background(), staticDir)
+		go managementasset.EnsureLatestManagementHTML(context.Background(), staticDir, cfg.ProxyURL)
 	}
 	if s.mgmt != nil {
 		s.mgmt.SetConfig(cfg)

internal/cmd/login.go

@@ -154,11 +154,14 @@ func performGeminiCLISetup(ctx context.Context, httpClient *http.Client, storage
 		"pluginType": "GEMINI",
 	}
 
+	trimmedRequest := strings.TrimSpace(requestedProject)
+	explicitProject := trimmedRequest != ""
+
 	loadReqBody := map[string]any{
 		"metadata": metadata,
 	}
-	if requestedProject != "" {
-		loadReqBody["cloudaicompanionProject"] = requestedProject
+	if explicitProject {
+		loadReqBody["cloudaicompanionProject"] = trimmedRequest
 	}
 
 	var loadResp map[string]any
@@ -182,11 +185,18 @@ func performGeminiCLISetup(ctx context.Context, httpClient *http.Client, storage
 		}
 	}
 
-	projectID := strings.TrimSpace(requestedProject)
+	projectID := trimmedRequest
 	if projectID == "" {
 		if id, okProject := loadResp["cloudaicompanionProject"].(string); okProject {
 			projectID = strings.TrimSpace(id)
 		}
+		if projectID == "" {
+			if projectMap, okProject := loadResp["cloudaicompanionProject"].(map[string]any); okProject {
+				if id, okID := projectMap["id"].(string); okID {
+					projectID = strings.TrimSpace(id)
+				}
+			}
+		}
 	}
 	if projectID == "" {
 		return &projectSelectionRequiredError{}
@@ -208,16 +218,30 @@ func performGeminiCLISetup(ctx context.Context, httpClient *http.Client, storage
 		}
 
 		if done, okDone := onboardResp["done"].(bool); okDone && done {
+			responseProjectID := ""
 			if resp, okResp := onboardResp["response"].(map[string]any); okResp {
-				if project, okProject := resp["cloudaicompanionProject"].(map[string]any); okProject {
-					if id, okID := project["id"].(string); okID && strings.TrimSpace(id) != "" {
-						storage.ProjectID = strings.TrimSpace(id)
+				switch projectValue := resp["cloudaicompanionProject"].(type) {
+				case map[string]any:
+					if id, okID := projectValue["id"].(string); okID {
+						responseProjectID = strings.TrimSpace(id)
 					}
+				case string:
+					responseProjectID = strings.TrimSpace(projectValue)
 				}
 			}
-			storage.ProjectID = strings.TrimSpace(storage.ProjectID)
+
+			finalProjectID := projectID
+			if responseProjectID != "" {
+				if explicitProject && !strings.EqualFold(responseProjectID, projectID) {
+					log.Warnf("Gemini onboarding returned project %s instead of requested %s; keeping requested project ID.", responseProjectID, projectID)
+				} else {
+					finalProjectID = responseProjectID
+				}
+			}
+
+			storage.ProjectID = strings.TrimSpace(finalProjectID)
 			if storage.ProjectID == "" {
-				storage.ProjectID = projectID
+				storage.ProjectID = strings.TrimSpace(projectID)
 			}
 			if storage.ProjectID == "" {
 				return fmt.Errorf("onboard user completed without project id")
@@ -409,8 +433,8 @@ func showProjectSelectionHelp(email string, projects []interfaces.GCPProjectProj
 func checkCloudAPIIsEnabled(ctx context.Context, httpClient *http.Client, projectID string) (bool, error) {
 	serviceUsageURL := "https://serviceusage.googleapis.com"
 	requiredServices := []string{
-		"geminicloudassist.googleapis.com", // Gemini Cloud Assist API
-		"cloudaicompanion.googleapis.com",  // Gemini for Google Cloud API
+		// "geminicloudassist.googleapis.com", // Gemini Cloud Assist API
+		"cloudaicompanion.googleapis.com", // Gemini for Google Cloud API
 	}
 	for _, service := range requiredServices {
 		checkUrl := fmt.Sprintf("%s/v1/projects/%s/services/%s", serviceUsageURL, projectID, service)

internal/managementasset/updater.go

@@ -14,6 +14,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	sdkconfig "github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
 	log "github.com/sirupsen/logrus"
 )
 
@@ -26,7 +28,14 @@ const (
 // ManagementFileName exposes the control panel asset filename.
 const ManagementFileName = managementAssetName
 
-var httpClient = &http.Client{Timeout: 15 * time.Second}
+func newHTTPClient(proxyURL string) *http.Client {
+	client := &http.Client{Timeout: 15 * time.Second}
+
+	sdkCfg := &sdkconfig.SDKConfig{ProxyURL: strings.TrimSpace(proxyURL)}
+	util.SetProxy(sdkCfg, client)
+
+	return client
+}
 
 type releaseAsset struct {
 	Name               string `json:"name"`
@@ -59,7 +68,7 @@ func FilePath(configFilePath string) string {
 
 // EnsureLatestManagementHTML checks the latest management.html asset and updates the local copy when needed.
 // The function is designed to run in a background goroutine and will never panic.
-func EnsureLatestManagementHTML(ctx context.Context, staticDir string) {
+func EnsureLatestManagementHTML(ctx context.Context, staticDir string, proxyURL string) {
 	if ctx == nil {
 		ctx = context.Background()
 	}
@@ -75,6 +84,8 @@ func EnsureLatestManagementHTML(ctx context.Context, staticDir string) {
 		return
 	}
 
+	client := newHTTPClient(proxyURL)
+
 	localPath := filepath.Join(staticDir, managementAssetName)
 	localHash, err := fileSHA256(localPath)
 	if err != nil {
@@ -84,7 +95,7 @@ func EnsureLatestManagementHTML(ctx context.Context, staticDir string) {
 		localHash = ""
 	}
 
-	asset, remoteHash, err := fetchLatestAsset(ctx)
+	asset, remoteHash, err := fetchLatestAsset(ctx, client)
 	if err != nil {
 		log.WithError(err).Warn("failed to fetch latest management release information")
 		return
@@ -95,7 +106,7 @@ func EnsureLatestManagementHTML(ctx context.Context, staticDir string) {
 		return
 	}
 
-	data, downloadedHash, err := downloadAsset(ctx, asset.BrowserDownloadURL)
+	data, downloadedHash, err := downloadAsset(ctx, client, asset.BrowserDownloadURL)
 	if err != nil {
 		log.WithError(err).Warn("failed to download management asset")
 		return
@@ -113,7 +124,7 @@ func EnsureLatestManagementHTML(ctx context.Context, staticDir string) {
 	log.Infof("management asset updated successfully (hash=%s)", downloadedHash)
 }
 
-func fetchLatestAsset(ctx context.Context) (*releaseAsset, string, error) {
+func fetchLatestAsset(ctx context.Context, client *http.Client) (*releaseAsset, string, error) {
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, managementReleaseURL, nil)
 	if err != nil {
 		return nil, "", fmt.Errorf("create release request: %w", err)
@@ -121,7 +132,7 @@ func fetchLatestAsset(ctx context.Context) (*releaseAsset, string, error) {
 	req.Header.Set("Accept", "application/vnd.github+json")
 	req.Header.Set("User-Agent", httpUserAgent)
 
-	resp, err := httpClient.Do(req)
+	resp, err := client.Do(req)
 	if err != nil {
 		return nil, "", fmt.Errorf("execute release request: %w", err)
 	}
@@ -150,7 +161,7 @@ func fetchLatestAsset(ctx context.Context) (*releaseAsset, string, error) {
 	return nil, "", fmt.Errorf("management asset %s not found in latest release", managementAssetName)
 }
 
-func downloadAsset(ctx context.Context, downloadURL string) ([]byte, string, error) {
+func downloadAsset(ctx context.Context, client *http.Client, downloadURL string) ([]byte, string, error) {
 	if strings.TrimSpace(downloadURL) == "" {
 		return nil, "", fmt.Errorf("empty download url")
 	}
@@ -161,7 +172,7 @@ func downloadAsset(ctx context.Context, downloadURL string) ([]byte, string, err
 	}
 	req.Header.Set("User-Agent", httpUserAgent)
 
-	resp, err := httpClient.Do(req)
+	resp, err := client.Do(req)
 	if err != nil {
 		return nil, "", fmt.Errorf("execute download request: %w", err)
 	}

internal/runtime/executor/codex_executor.go

@@ -76,6 +76,7 @@ func (e *CodexExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, re
 	}
 
 	body, _ = sjson.SetBytes(body, "stream", true)
+	body, _ = sjson.DeleteBytes(body, "previous_response_id")
 
 	url := strings.TrimSuffix(baseURL, "/") + "/responses"
 	recordAPIRequest(ctx, e.cfg, body)
@@ -161,6 +162,8 @@ func (e *CodexExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Au
 		}
 	}
 
+	body, _ = sjson.DeleteBytes(body, "previous_response_id")
+
 	url := strings.TrimSuffix(baseURL, "/") + "/responses"
 	recordAPIRequest(ctx, e.cfg, body)
 	httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))

internal/runtime/executor/openai_compat_executor.go

@@ -40,8 +40,8 @@ func (e *OpenAICompatExecutor) PrepareRequest(_ *http.Request, _ *cliproxyauth.A
 
 func (e *OpenAICompatExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (cliproxyexecutor.Response, error) {
 	baseURL, apiKey := e.resolveCredentials(auth)
-	if baseURL == "" || apiKey == "" {
-		return cliproxyexecutor.Response{}, statusErr{code: http.StatusUnauthorized, msg: "missing provider baseURL or apiKey"}
+	if baseURL == "" {
+		return cliproxyexecutor.Response{}, statusErr{code: http.StatusUnauthorized, msg: "missing provider baseURL"}
 	}
 	reporter := newUsageReporter(ctx, e.Identifier(), req.Model, auth)
 
@@ -60,7 +60,9 @@ func (e *OpenAICompatExecutor) Execute(ctx context.Context, auth *cliproxyauth.A
 		return cliproxyexecutor.Response{}, err
 	}
 	httpReq.Header.Set("Content-Type", "application/json")
-	httpReq.Header.Set("Authorization", "Bearer "+apiKey)
+	if apiKey != "" {
+		httpReq.Header.Set("Authorization", "Bearer "+apiKey)
+	}
 	httpReq.Header.Set("User-Agent", "cli-proxy-openai-compat")
 
 	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
@@ -89,8 +91,8 @@ func (e *OpenAICompatExecutor) Execute(ctx context.Context, auth *cliproxyauth.A
 
 func (e *OpenAICompatExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (<-chan cliproxyexecutor.StreamChunk, error) {
 	baseURL, apiKey := e.resolveCredentials(auth)
-	if baseURL == "" || apiKey == "" {
-		return nil, statusErr{code: http.StatusUnauthorized, msg: "missing provider baseURL or apiKey"}
+	if baseURL == "" {
+		return nil, statusErr{code: http.StatusUnauthorized, msg: "missing provider baseURL"}
 	}
 	reporter := newUsageReporter(ctx, e.Identifier(), req.Model, auth)
 	from := opts.SourceFormat
@@ -107,7 +109,9 @@ func (e *OpenAICompatExecutor) ExecuteStream(ctx context.Context, auth *cliproxy
 		return nil, err
 	}
 	httpReq.Header.Set("Content-Type", "application/json")
-	httpReq.Header.Set("Authorization", "Bearer "+apiKey)
+	if apiKey != "" {
+		httpReq.Header.Set("Authorization", "Bearer "+apiKey)
+	}
 	httpReq.Header.Set("User-Agent", "cli-proxy-openai-compat")
 	httpReq.Header.Set("Accept", "text/event-stream")
 	httpReq.Header.Set("Cache-Control", "no-cache")
@@ -171,8 +175,8 @@ func (e *OpenAICompatExecutor) resolveCredentials(auth *cliproxyauth.Auth) (base
 		return "", ""
 	}
 	if auth.Attributes != nil {
-		baseURL = auth.Attributes["base_url"]
-		apiKey = auth.Attributes["api_key"]
+		baseURL = strings.TrimSpace(auth.Attributes["base_url"])
+		apiKey = strings.TrimSpace(auth.Attributes["api_key"])
 	}
 	return
 }

internal/watcher/watcher.go

@@ -430,8 +430,15 @@ func (w *Watcher) handleEvent(event fsnotify.Event) {
 		}
 		fmt.Printf("config file changed, reloading: %s\n", w.configPath)
 		if w.reloadConfig() {
+			finalHash := newHash
+			if updatedData, errRead := os.ReadFile(w.configPath); errRead == nil && len(updatedData) > 0 {
+				sumUpdated := sha256.Sum256(updatedData)
+				finalHash = hex.EncodeToString(sumUpdated[:])
+			} else if errRead != nil {
+				log.WithError(errRead).Debug("failed to compute updated config hash after reload")
+			}
 			w.clientsMutex.Lock()
-			w.lastConfigHash = newHash
+			w.lastConfigHash = finalHash
 			w.clientsMutex.Unlock()
 		}
 		return
@@ -532,6 +539,21 @@ func (w *Watcher) reloadConfig() bool {
 		if oldConfig.RemoteManagement.AllowRemote != newConfig.RemoteManagement.AllowRemote {
 			log.Debugf("  remote-management.allow-remote: %t -> %t", oldConfig.RemoteManagement.AllowRemote, newConfig.RemoteManagement.AllowRemote)
 		}
+		if oldConfig.RemoteManagement.SecretKey != newConfig.RemoteManagement.SecretKey {
+			switch {
+			case oldConfig.RemoteManagement.SecretKey == "" && newConfig.RemoteManagement.SecretKey != "":
+				log.Debug("  remote-management.secret-key: created")
+			case oldConfig.RemoteManagement.SecretKey != "" && newConfig.RemoteManagement.SecretKey == "":
+				log.Debug("  remote-management.secret-key: deleted")
+			default:
+				log.Debug("  remote-management.secret-key: updated")
+			}
+			if newConfig.RemoteManagement.SecretKey == "" {
+				log.Info("management routes will be disabled after secret key removal")
+			} else {
+				log.Info("management routes will be enabled after secret key update")
+			}
+		}
 		if oldConfig.RemoteManagement.DisableControlPanel != newConfig.RemoteManagement.DisableControlPanel {
 			log.Debugf("  remote-management.disable-control-panel: %t -> %t", oldConfig.RemoteManagement.DisableControlPanel, newConfig.RemoteManagement.DisableControlPanel)
 		}
@@ -799,23 +821,23 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 			base := strings.TrimSpace(compat.BaseURL)
 
 			// Handle new APIKeyEntries format (preferred)
+			createdEntries := 0
 			if len(compat.APIKeyEntries) > 0 {
 				for j := range compat.APIKeyEntries {
 					entry := &compat.APIKeyEntries[j]
 					key := strings.TrimSpace(entry.APIKey)
-					if key == "" {
-						continue
-					}
 					proxyURL := strings.TrimSpace(entry.ProxyURL)
 					idKind := fmt.Sprintf("openai-compatibility:%s", providerName)
 					id, token := idGen.next(idKind, key, base, proxyURL)
 					attrs := map[string]string{
 						"source":       fmt.Sprintf("config:%s[%s]", providerName, token),
 						"base_url":     base,
-						"api_key":      key,
 						"compat_name":  compat.Name,
 						"provider_key": providerName,
 					}
+					if key != "" {
+						attrs["api_key"] = key
+					}
 					if hash := computeOpenAICompatModelsHash(compat.Models); hash != "" {
 						attrs["models_hash"] = hash
 					}
@@ -830,6 +852,7 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 						UpdatedAt:  now,
 					}
 					out = append(out, a)
+					createdEntries++
 				}
 			} else {
 				// Handle legacy APIKeys format for backward compatibility
@@ -843,10 +866,10 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 					attrs := map[string]string{
 						"source":       fmt.Sprintf("config:%s[%s]", providerName, token),
 						"base_url":     base,
-						"api_key":      key,
 						"compat_name":  compat.Name,
 						"provider_key": providerName,
 					}
+					attrs["api_key"] = key
 					if hash := computeOpenAICompatModelsHash(compat.Models); hash != "" {
 						attrs["models_hash"] = hash
 					}
@@ -860,8 +883,32 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {
 						UpdatedAt:  now,
 					}
 					out = append(out, a)
+					createdEntries++
 				}
 			}
+			if createdEntries == 0 {
+				idKind := fmt.Sprintf("openai-compatibility:%s", providerName)
+				id, token := idGen.next(idKind, base)
+				attrs := map[string]string{
+					"source":       fmt.Sprintf("config:%s[%s]", providerName, token),
+					"base_url":     base,
+					"compat_name":  compat.Name,
+					"provider_key": providerName,
+				}
+				if hash := computeOpenAICompatModelsHash(compat.Models); hash != "" {
+					attrs["models_hash"] = hash
+				}
+				a := &coreauth.Auth{
+					ID:         id,
+					Provider:   providerName,
+					Label:      compat.Name,
+					Status:     coreauth.StatusActive,
+					Attributes: attrs,
+					CreatedAt:  now,
+					UpdatedAt:  now,
+				}
+				out = append(out, a)
+			}
 		}
 	}
 	// Also synthesize auth entries directly from auth files (for OAuth/file-backed providers)

sdk/cliproxy/service.go

@@ -534,8 +534,13 @@ func (s *Service) registerModelsForAuth(a *coreauth.Auth) {
 					ms := make([]*ModelInfo, 0, len(compat.Models))
 					for j := range compat.Models {
 						m := compat.Models[j]
+						// Use alias as model ID, fallback to name if alias is empty
+						modelID := m.Alias
+						if modelID == "" {
+							modelID = m.Name
+						}
 						ms = append(ms, &ModelInfo{
-							ID:          m.Alias,
+							ID:          modelID,
 							Object:      "model",
 							Created:     time.Now().Unix(),
 							OwnedBy:     compat.Name,