refactor(antigravity): optimize response handling in Claude model with JSON manipulation

Refactor-watcher-phase3

config.example.yaml

@@ -48,6 +48,9 @@ usage-statistics-enabled: false
 # Proxy URL. Supports socks5/http/https protocols. Example: socks5://user:pass@192.168.1.1:1080/
 proxy-url: ""
 
+# When true, unprefixed model requests only use credentials without a prefix (except when prefix == model name).
+force-model-prefix: false
+
 # Number of times to retry a request. Retries will occur if the HTTP response code is 403, 408, 500, 502, 503, or 504.
 request-retry: 3
 
@@ -65,6 +68,7 @@ ws-auth: false
 # Gemini API keys
 # gemini-api-key:
 #   - api-key: "AIzaSy...01"
+#     prefix: "test" # optional: require calls like "test/gemini-3-pro-preview" to target this credential
 #     base-url: "https://generativelanguage.googleapis.com"
 #     headers:
 #       X-Custom-Header: "custom-value"
@@ -79,6 +83,7 @@ ws-auth: false
 # Codex API keys
 # codex-api-key:
 #   - api-key: "sk-atSM..."
+#     prefix: "test" # optional: require calls like "test/gpt-5-codex" to target this credential
 #     base-url: "https://www.example.com" # use the custom codex API endpoint
 #     headers:
 #       X-Custom-Header: "custom-value"
@@ -93,6 +98,7 @@ ws-auth: false
 # claude-api-key:
 #   - api-key: "sk-atSM..." # use the official claude API key, no need to set the base url
 #   - api-key: "sk-atSM..."
+#     prefix: "test" # optional: require calls like "test/claude-sonnet-latest" to target this credential
 #     base-url: "https://www.example.com" # use the custom claude API endpoint
 #     headers:
 #       X-Custom-Header: "custom-value"
@@ -109,6 +115,7 @@ ws-auth: false
 # OpenAI compatibility providers
 # openai-compatibility:
 #   - name: "openrouter" # The name of the provider; it will be used in the user agent and other places.
+#     prefix: "test" # optional: require calls like "test/kimi-k2" to target this provider's credentials
 #     base-url: "https://openrouter.ai/api/v1" # The base URL of the provider.
 #     headers:
 #       X-Custom-Header: "custom-value"
@@ -123,6 +130,7 @@ ws-auth: false
 # Vertex API keys (Vertex-compatible endpoints, use API key + base URL)
 # vertex-api-key:
 #   - api-key: "vk-123..."                        # x-goog-api-key header
+#     prefix: "test"                              # optional: require calls like "test/vertex-pro" to target this credential
 #     base-url: "https://example.com/api"         # e.g. https://zenmux.ai/api
 #     proxy-url: "socks5://proxy.example.com:1080" # optional per-key proxy override
 #     headers:

internal/api/modules/amp/amp_test.go

@@ -146,6 +146,9 @@ func TestAmpModule_OnConfigUpdated_CacheInvalidation(t *testing.T) {
 	m := &AmpModule{enabled: true}
 	ms := NewMultiSourceSecretWithPath("", p, time.Minute)
 	m.secretSource = ms
+	m.lastConfig = &config.AmpCode{
+		UpstreamAPIKey: "old-key",
+	}
 
 	// Warm the cache
 	if _, err := ms.Get(context.Background()); err != nil {
@@ -157,7 +160,7 @@ func TestAmpModule_OnConfigUpdated_CacheInvalidation(t *testing.T) {
 	}
 
 	// Update config - should invalidate cache
-	if err := m.OnConfigUpdated(&config.Config{AmpCode: config.AmpCode{UpstreamURL: "http://x"}}); err != nil {
+	if err := m.OnConfigUpdated(&config.Config{AmpCode: config.AmpCode{UpstreamURL: "http://x", UpstreamAPIKey: "new-key"}}); err != nil {
 		t.Fatal(err)
 	}
 

internal/api/modules/amp/routes.go

@@ -267,7 +267,7 @@ func (m *AmpModule) registerProviderAliases(engine *gin.Engine, baseHandler *han
 	v1betaAmp := provider.Group("/v1beta")
 	{
 		v1betaAmp.GET("/models", geminiHandlers.GeminiModels)
-		v1betaAmp.POST("/models/:action", fallbackHandler.WrapHandler(geminiHandlers.GeminiHandler))
-		v1betaAmp.GET("/models/:action", geminiHandlers.GeminiGetHandler)
+		v1betaAmp.POST("/models/*action", fallbackHandler.WrapHandler(geminiHandlers.GeminiHandler))
+		v1betaAmp.GET("/models/*action", geminiHandlers.GeminiGetHandler)
 	}
 }

internal/api/modules/amp/routes_test.go

@@ -32,7 +32,9 @@ func TestRegisterManagementRoutes(t *testing.T) {
 	m.setProxy(proxy)
 
 	base := &handlers.BaseAPIHandler{}
-	m.registerManagementRoutes(r, base)
+	m.registerManagementRoutes(r, base, nil)
+	srv := httptest.NewServer(r)
+	defer srv.Close()
 
 	managementPaths := []struct {
 		path   string
@@ -63,11 +65,17 @@ func TestRegisterManagementRoutes(t *testing.T) {
 	for _, path := range managementPaths {
 		t.Run(path.path, func(t *testing.T) {
 			proxyCalled = false
-			req := httptest.NewRequest(path.method, path.path, nil)
-			w := httptest.NewRecorder()
-			r.ServeHTTP(w, req)
+			req, err := http.NewRequest(path.method, srv.URL+path.path, nil)
+			if err != nil {
+				t.Fatalf("failed to build request: %v", err)
+			}
+			resp, err := http.DefaultClient.Do(req)
+			if err != nil {
+				t.Fatalf("request failed: %v", err)
+			}
+			defer resp.Body.Close()
 
-			if w.Code == http.StatusNotFound {
+			if resp.StatusCode == http.StatusNotFound {
 				t.Fatalf("route %s not registered", path.path)
 			}
 			if !proxyCalled {

internal/api/server.go

@@ -230,13 +230,9 @@ func NewServer(cfg *config.Config, authManager *auth.Manager, accessManager *sdk
 	envManagementSecret := envAdminPasswordSet && envAdminPassword != ""
 
 	// Create server instance
-	providerNames := make([]string, 0, len(cfg.OpenAICompatibility))
-	for _, p := range cfg.OpenAICompatibility {
-		providerNames = append(providerNames, p.Name)
-	}
 	s := &Server{
 		engine:              engine,
-		handlers:            handlers.NewBaseAPIHandlers(&cfg.SDKConfig, authManager, providerNames),
+		handlers:            handlers.NewBaseAPIHandlers(&cfg.SDKConfig, authManager),
 		cfg:                 cfg,
 		accessManager:       accessManager,
 		requestLogger:       requestLogger,
@@ -334,8 +330,8 @@ func (s *Server) setupRoutes() {
 	v1beta.Use(AuthMiddleware(s.accessManager))
 	{
 		v1beta.GET("/models", geminiHandlers.GeminiModels)
-		v1beta.POST("/models/:action", geminiHandlers.GeminiHandler)
-		v1beta.GET("/models/:action", geminiHandlers.GeminiGetHandler)
+		v1beta.POST("/models/*action", geminiHandlers.GeminiHandler)
+		v1beta.GET("/models/*action", geminiHandlers.GeminiGetHandler)
 	}
 
 	// Root endpoint
@@ -919,12 +915,6 @@ func (s *Server) UpdateClients(cfg *config.Config) {
 	// Save YAML snapshot for next comparison
 	s.oldConfigYaml, _ = yaml.Marshal(cfg)
 
-	providerNames := make([]string, 0, len(cfg.OpenAICompatibility))
-	for _, p := range cfg.OpenAICompatibility {
-		providerNames = append(providerNames, p.Name)
-	}
-	s.handlers.OpenAICompatProviders = providerNames
-
 	s.handlers.UpdateClients(&cfg.SDKConfig)
 
 	if !cfg.RemoteManagement.DisableControlPanel {

internal/config/config.go

@@ -187,6 +187,9 @@ type ClaudeKey struct {
 	// APIKey is the authentication key for accessing Claude API services.
 	APIKey string `yaml:"api-key" json:"api-key"`
 
+	// Prefix optionally namespaces models for this credential (e.g., "teamA/claude-sonnet-4").
+	Prefix string `yaml:"prefix,omitempty" json:"prefix,omitempty"`
+
 	// BaseURL is the base URL for the Claude API endpoint.
 	// If empty, the default Claude API URL will be used.
 	BaseURL string `yaml:"base-url" json:"base-url"`
@@ -219,6 +222,9 @@ type CodexKey struct {
 	// APIKey is the authentication key for accessing Codex API services.
 	APIKey string `yaml:"api-key" json:"api-key"`
 
+	// Prefix optionally namespaces models for this credential (e.g., "teamA/gpt-5-codex").
+	Prefix string `yaml:"prefix,omitempty" json:"prefix,omitempty"`
+
 	// BaseURL is the base URL for the Codex API endpoint.
 	// If empty, the default Codex API URL will be used.
 	BaseURL string `yaml:"base-url" json:"base-url"`
@@ -239,6 +245,9 @@ type GeminiKey struct {
 	// APIKey is the authentication key for accessing Gemini API services.
 	APIKey string `yaml:"api-key" json:"api-key"`
 
+	// Prefix optionally namespaces models for this credential (e.g., "teamA/gemini-3-pro-preview").
+	Prefix string `yaml:"prefix,omitempty" json:"prefix,omitempty"`
+
 	// BaseURL optionally overrides the Gemini API endpoint.
 	BaseURL string `yaml:"base-url,omitempty" json:"base-url,omitempty"`
 
@@ -258,6 +267,9 @@ type OpenAICompatibility struct {
 	// Name is the identifier for this OpenAI compatibility configuration.
 	Name string `yaml:"name" json:"name"`
 
+	// Prefix optionally namespaces model aliases for this provider (e.g., "teamA/kimi-k2").
+	Prefix string `yaml:"prefix,omitempty" json:"prefix,omitempty"`
+
 	// BaseURL is the base URL for the external OpenAI-compatible API endpoint.
 	BaseURL string `yaml:"base-url" json:"base-url"`
 
@@ -422,6 +434,7 @@ func (cfg *Config) SanitizeOpenAICompatibility() {
 	for i := range cfg.OpenAICompatibility {
 		e := cfg.OpenAICompatibility[i]
 		e.Name = strings.TrimSpace(e.Name)
+		e.Prefix = normalizeModelPrefix(e.Prefix)
 		e.BaseURL = strings.TrimSpace(e.BaseURL)
 		e.Headers = NormalizeHeaders(e.Headers)
 		if e.BaseURL == "" {
@@ -442,6 +455,7 @@ func (cfg *Config) SanitizeCodexKeys() {
 	out := make([]CodexKey, 0, len(cfg.CodexKey))
 	for i := range cfg.CodexKey {
 		e := cfg.CodexKey[i]
+		e.Prefix = normalizeModelPrefix(e.Prefix)
 		e.BaseURL = strings.TrimSpace(e.BaseURL)
 		e.Headers = NormalizeHeaders(e.Headers)
 		e.ExcludedModels = NormalizeExcludedModels(e.ExcludedModels)
@@ -460,6 +474,7 @@ func (cfg *Config) SanitizeClaudeKeys() {
 	}
 	for i := range cfg.ClaudeKey {
 		entry := &cfg.ClaudeKey[i]
+		entry.Prefix = normalizeModelPrefix(entry.Prefix)
 		entry.Headers = NormalizeHeaders(entry.Headers)
 		entry.ExcludedModels = NormalizeExcludedModels(entry.ExcludedModels)
 	}
@@ -479,6 +494,7 @@ func (cfg *Config) SanitizeGeminiKeys() {
 		if entry.APIKey == "" {
 			continue
 		}
+		entry.Prefix = normalizeModelPrefix(entry.Prefix)
 		entry.BaseURL = strings.TrimSpace(entry.BaseURL)
 		entry.ProxyURL = strings.TrimSpace(entry.ProxyURL)
 		entry.Headers = NormalizeHeaders(entry.Headers)
@@ -492,6 +508,18 @@ func (cfg *Config) SanitizeGeminiKeys() {
 	cfg.GeminiKey = out
 }
 
+func normalizeModelPrefix(prefix string) string {
+	trimmed := strings.TrimSpace(prefix)
+	trimmed = strings.Trim(trimmed, "/")
+	if trimmed == "" {
+		return ""
+	}
+	if strings.Contains(trimmed, "/") {
+		return ""
+	}
+	return trimmed
+}
+
 func syncInlineAccessProvider(cfg *Config) {
 	if cfg == nil {
 		return

internal/config/vertex_compat.go

@@ -13,6 +13,9 @@ type VertexCompatKey struct {
 	// Maps to the x-goog-api-key header.
 	APIKey string `yaml:"api-key" json:"api-key"`
 
+	// Prefix optionally namespaces model aliases for this credential (e.g., "teamA/vertex-pro").
+	Prefix string `yaml:"prefix,omitempty" json:"prefix,omitempty"`
+
 	// BaseURL is the base URL for the Vertex-compatible API endpoint.
 	// The executor will append "/v1/publishers/google/models/{model}:action" to this.
 	// Example: "https://zenmux.ai/api" becomes "https://zenmux.ai/api/v1/publishers/google/models/..."
@@ -53,6 +56,7 @@ func (cfg *Config) SanitizeVertexCompatKeys() {
 		if entry.APIKey == "" {
 			continue
 		}
+		entry.Prefix = normalizeModelPrefix(entry.Prefix)
 		entry.BaseURL = strings.TrimSpace(entry.BaseURL)
 		if entry.BaseURL == "" {
 			// BaseURL is required for Vertex API key entries

internal/registry/model_definitions.go

@@ -630,6 +630,13 @@ func GetQwenModels() []*ModelInfo {
 	}
 }
 
+// iFlowThinkingSupport is a shared ThinkingSupport configuration for iFlow models
+// that support thinking mode via chat_template_kwargs.enable_thinking (boolean toggle).
+// Uses level-based configuration so standard normalization flows apply before conversion.
+var iFlowThinkingSupport = &ThinkingSupport{
+	Levels: []string{"none", "auto", "minimal", "low", "medium", "high", "xhigh"},
+}
+
 // GetIFlowModels returns supported models for iFlow OAuth accounts.
 func GetIFlowModels() []*ModelInfo {
 	entries := []struct {
@@ -645,9 +652,9 @@ func GetIFlowModels() []*ModelInfo {
 		{ID: "qwen3-vl-plus", DisplayName: "Qwen3-VL-Plus", Description: "Qwen3 multimodal vision-language", Created: 1758672000},
 		{ID: "qwen3-max-preview", DisplayName: "Qwen3-Max-Preview", Description: "Qwen3 Max preview build", Created: 1757030400},
 		{ID: "kimi-k2-0905", DisplayName: "Kimi-K2-Instruct-0905", Description: "Moonshot Kimi K2 instruct 0905", Created: 1757030400},
-		{ID: "glm-4.6", DisplayName: "GLM-4.6", Description: "Zhipu GLM 4.6 general model", Created: 1759190400},
+		{ID: "glm-4.6", DisplayName: "GLM-4.6", Description: "Zhipu GLM 4.6 general model", Created: 1759190400, Thinking: iFlowThinkingSupport},
 		{ID: "kimi-k2", DisplayName: "Kimi-K2", Description: "Moonshot Kimi K2 general model", Created: 1752192000},
-		{ID: "kimi-k2-thinking", DisplayName: "Kimi-K2-Thinking", Description: "Moonshot Kimi K2 thinking model", Created: 1762387200, Thinking: &ThinkingSupport{Levels: []string{"low", "medium", "high"}}},
+		{ID: "kimi-k2-thinking", DisplayName: "Kimi-K2-Thinking", Description: "Moonshot Kimi K2 thinking model", Created: 1762387200},
 		{ID: "deepseek-v3.2-chat", DisplayName: "DeepSeek-V3.2", Description: "DeepSeek V3.2 Chat", Created: 1764576000},
 		{ID: "deepseek-v3.2-reasoner", DisplayName: "DeepSeek-V3.2", Description: "DeepSeek V3.2 Reasoner", Created: 1764576000},
 		{ID: "deepseek-v3.2", DisplayName: "DeepSeek-V3.2-Exp", Description: "DeepSeek V3.2 experimental", Created: 1759104000},
@@ -655,10 +662,10 @@ func GetIFlowModels() []*ModelInfo {
 		{ID: "deepseek-r1", DisplayName: "DeepSeek-R1", Description: "DeepSeek reasoning model R1", Created: 1737331200},
 		{ID: "deepseek-v3", DisplayName: "DeepSeek-V3-671B", Description: "DeepSeek V3 671B", Created: 1734307200},
 		{ID: "qwen3-32b", DisplayName: "Qwen3-32B", Description: "Qwen3 32B", Created: 1747094400},
-		{ID: "qwen3-235b-a22b-thinking-2507", DisplayName: "Qwen3-235B-A22B-Thinking", Description: "Qwen3 235B A22B Thinking (2507)", Created: 1753401600, Thinking: &ThinkingSupport{Levels: []string{"low", "medium", "high"}}},
+		{ID: "qwen3-235b-a22b-thinking-2507", DisplayName: "Qwen3-235B-A22B-Thinking", Description: "Qwen3 235B A22B Thinking (2507)", Created: 1753401600},
 		{ID: "qwen3-235b-a22b-instruct", DisplayName: "Qwen3-235B-A22B-Instruct", Description: "Qwen3 235B A22B Instruct", Created: 1753401600},
 		{ID: "qwen3-235b", DisplayName: "Qwen3-235B-A22B", Description: "Qwen3 235B A22B", Created: 1753401600},
-		{ID: "minimax-m2", DisplayName: "MiniMax-M2", Description: "MiniMax M2", Created: 1758672000, Thinking: &ThinkingSupport{Levels: []string{"low", "medium", "high"}}},
+		{ID: "minimax-m2", DisplayName: "MiniMax-M2", Description: "MiniMax M2", Created: 1758672000},
 	}
 	models := make([]*ModelInfo, 0, len(entries))
 	for _, entry := range entries {

internal/runtime/executor/antigravity_executor.go

@@ -69,6 +69,10 @@ func (e *AntigravityExecutor) PrepareRequest(_ *http.Request, _ *cliproxyauth.Au
 
 // Execute performs a non-streaming request to the Antigravity API.
 func (e *AntigravityExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (resp cliproxyexecutor.Response, err error) {
+	if strings.Contains(req.Model, "claude") {
+		return e.executeClaudeNonStream(ctx, auth, req, opts)
+	}
+
 	token, updatedAuth, errToken := e.ensureAccessToken(ctx, auth)
 	if errToken != nil {
 		return resp, errToken
@@ -160,6 +164,336 @@ func (e *AntigravityExecutor) Execute(ctx context.Context, auth *cliproxyauth.Au
 	return resp, err
 }
 
+// executeClaudeNonStream performs a claude non-streaming request to the Antigravity API.
+func (e *AntigravityExecutor) executeClaudeNonStream(ctx context.Context, auth *cliproxyauth.Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (resp cliproxyexecutor.Response, err error) {
+	token, updatedAuth, errToken := e.ensureAccessToken(ctx, auth)
+	if errToken != nil {
+		return resp, errToken
+	}
+	if updatedAuth != nil {
+		auth = updatedAuth
+	}
+
+	reporter := newUsageReporter(ctx, e.Identifier(), req.Model, auth)
+	defer reporter.trackFailure(ctx, &err)
+
+	from := opts.SourceFormat
+	to := sdktranslator.FromString("antigravity")
+	translated := sdktranslator.TranslateRequest(from, to, req.Model, bytes.Clone(req.Payload), true)
+
+	translated = applyThinkingMetadataCLI(translated, req.Metadata, req.Model)
+	translated = util.ApplyDefaultThinkingIfNeededCLI(req.Model, translated)
+	translated = normalizeAntigravityThinking(req.Model, translated)
+
+	baseURLs := antigravityBaseURLFallbackOrder(auth)
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
+
+	var lastStatus int
+	var lastBody []byte
+	var lastErr error
+
+	for idx, baseURL := range baseURLs {
+		httpReq, errReq := e.buildRequest(ctx, auth, token, req.Model, translated, true, opts.Alt, baseURL)
+		if errReq != nil {
+			err = errReq
+			return resp, err
+		}
+
+		httpResp, errDo := httpClient.Do(httpReq)
+		if errDo != nil {
+			recordAPIResponseError(ctx, e.cfg, errDo)
+			lastStatus = 0
+			lastBody = nil
+			lastErr = errDo
+			if idx+1 < len(baseURLs) {
+				log.Debugf("antigravity executor: request error on base url %s, retrying with fallback base url: %s", baseURL, baseURLs[idx+1])
+				continue
+			}
+			err = errDo
+			return resp, err
+		}
+		recordAPIResponseMetadata(ctx, e.cfg, httpResp.StatusCode, httpResp.Header.Clone())
+		if httpResp.StatusCode < http.StatusOK || httpResp.StatusCode >= http.StatusMultipleChoices {
+			bodyBytes, errRead := io.ReadAll(httpResp.Body)
+			if errClose := httpResp.Body.Close(); errClose != nil {
+				log.Errorf("antigravity executor: close response body error: %v", errClose)
+			}
+			if errRead != nil {
+				recordAPIResponseError(ctx, e.cfg, errRead)
+				lastStatus = 0
+				lastBody = nil
+				lastErr = errRead
+				if idx+1 < len(baseURLs) {
+					log.Debugf("antigravity executor: read error on base url %s, retrying with fallback base url: %s", baseURL, baseURLs[idx+1])
+					continue
+				}
+				err = errRead
+				return resp, err
+			}
+			appendAPIResponseChunk(ctx, e.cfg, bodyBytes)
+			lastStatus = httpResp.StatusCode
+			lastBody = append([]byte(nil), bodyBytes...)
+			lastErr = nil
+			if httpResp.StatusCode == http.StatusTooManyRequests && idx+1 < len(baseURLs) {
+				log.Debugf("antigravity executor: rate limited on base url %s, retrying with fallback base url: %s", baseURL, baseURLs[idx+1])
+				continue
+			}
+			err = statusErr{code: httpResp.StatusCode, msg: string(bodyBytes)}
+			return resp, err
+		}
+
+		out := make(chan cliproxyexecutor.StreamChunk)
+		go func(resp *http.Response) {
+			defer close(out)
+			defer func() {
+				if errClose := resp.Body.Close(); errClose != nil {
+					log.Errorf("antigravity executor: close response body error: %v", errClose)
+				}
+			}()
+			scanner := bufio.NewScanner(resp.Body)
+			scanner.Buffer(nil, streamScannerBuffer)
+			for scanner.Scan() {
+				line := scanner.Bytes()
+				appendAPIResponseChunk(ctx, e.cfg, line)
+
+				// Filter usage metadata for all models
+				// Only retain usage statistics in the terminal chunk
+				line = FilterSSEUsageMetadata(line)
+
+				payload := jsonPayload(line)
+				if payload == nil {
+					continue
+				}
+
+				if detail, ok := parseAntigravityStreamUsage(payload); ok {
+					reporter.publish(ctx, detail)
+				}
+
+				out <- cliproxyexecutor.StreamChunk{Payload: payload}
+			}
+			if errScan := scanner.Err(); errScan != nil {
+				recordAPIResponseError(ctx, e.cfg, errScan)
+				reporter.publishFailure(ctx)
+				out <- cliproxyexecutor.StreamChunk{Err: errScan}
+			} else {
+				reporter.ensurePublished(ctx)
+			}
+		}(httpResp)
+
+		var buffer bytes.Buffer
+		for chunk := range out {
+			if chunk.Err != nil {
+				return resp, chunk.Err
+			}
+			if len(chunk.Payload) > 0 {
+				_, _ = buffer.Write(chunk.Payload)
+				_, _ = buffer.Write([]byte("\n"))
+			}
+		}
+		resp = cliproxyexecutor.Response{Payload: e.convertStreamToNonStream(buffer.Bytes())}
+
+		reporter.publish(ctx, parseAntigravityUsage(resp.Payload))
+		var param any
+		converted := sdktranslator.TranslateNonStream(ctx, to, from, req.Model, bytes.Clone(opts.OriginalRequest), translated, resp.Payload, &param)
+		resp = cliproxyexecutor.Response{Payload: []byte(converted)}
+		reporter.ensurePublished(ctx)
+
+		return resp, nil
+	}
+
+	switch {
+	case lastStatus != 0:
+		err = statusErr{code: lastStatus, msg: string(lastBody)}
+	case lastErr != nil:
+		err = lastErr
+	default:
+		err = statusErr{code: http.StatusServiceUnavailable, msg: "antigravity executor: no base url available"}
+	}
+	return resp, err
+}
+
+func (e *AntigravityExecutor) convertStreamToNonStream(stream []byte) []byte {
+	responseTemplate := ""
+	var traceID string
+	var finishReason string
+	var modelVersion string
+	var responseID string
+	var role string
+	var usageRaw string
+	parts := make([]map[string]interface{}, 0)
+	var pendingKind string
+	var pendingText strings.Builder
+	var pendingThoughtSig string
+
+	flushPending := func() {
+		if pendingKind == "" {
+			return
+		}
+		text := pendingText.String()
+		switch pendingKind {
+		case "text":
+			if strings.TrimSpace(text) == "" {
+				pendingKind = ""
+				pendingText.Reset()
+				pendingThoughtSig = ""
+				return
+			}
+			parts = append(parts, map[string]interface{}{"text": text})
+		case "thought":
+			if strings.TrimSpace(text) == "" && pendingThoughtSig == "" {
+				pendingKind = ""
+				pendingText.Reset()
+				pendingThoughtSig = ""
+				return
+			}
+			part := map[string]interface{}{"thought": true}
+			part["text"] = text
+			if pendingThoughtSig != "" {
+				part["thoughtSignature"] = pendingThoughtSig
+			}
+			parts = append(parts, part)
+		}
+		pendingKind = ""
+		pendingText.Reset()
+		pendingThoughtSig = ""
+	}
+
+	normalizePart := func(partResult gjson.Result) map[string]interface{} {
+		var m map[string]interface{}
+		_ = json.Unmarshal([]byte(partResult.Raw), &m)
+		if m == nil {
+			m = map[string]interface{}{}
+		}
+		sig := partResult.Get("thoughtSignature").String()
+		if sig == "" {
+			sig = partResult.Get("thought_signature").String()
+		}
+		if sig != "" {
+			m["thoughtSignature"] = sig
+			delete(m, "thought_signature")
+		}
+		if inlineData, ok := m["inline_data"]; ok {
+			m["inlineData"] = inlineData
+			delete(m, "inline_data")
+		}
+		return m
+	}
+
+	for _, line := range bytes.Split(stream, []byte("\n")) {
+		trimmed := bytes.TrimSpace(line)
+		if len(trimmed) == 0 || !gjson.ValidBytes(trimmed) {
+			continue
+		}
+
+		root := gjson.ParseBytes(trimmed)
+		responseNode := root.Get("response")
+		if !responseNode.Exists() {
+			if root.Get("candidates").Exists() {
+				responseNode = root
+			} else {
+				continue
+			}
+		}
+		responseTemplate = responseNode.Raw
+
+		if traceResult := root.Get("traceId"); traceResult.Exists() && traceResult.String() != "" {
+			traceID = traceResult.String()
+		}
+
+		if roleResult := responseNode.Get("candidates.0.content.role"); roleResult.Exists() {
+			role = roleResult.String()
+		}
+
+		if finishResult := responseNode.Get("candidates.0.finishReason"); finishResult.Exists() && finishResult.String() != "" {
+			finishReason = finishResult.String()
+		}
+
+		if modelResult := responseNode.Get("modelVersion"); modelResult.Exists() && modelResult.String() != "" {
+			modelVersion = modelResult.String()
+		}
+		if responseIDResult := responseNode.Get("responseId"); responseIDResult.Exists() && responseIDResult.String() != "" {
+			responseID = responseIDResult.String()
+		}
+		if usageResult := responseNode.Get("usageMetadata"); usageResult.Exists() {
+			usageRaw = usageResult.Raw
+		} else if usageResult := root.Get("usageMetadata"); usageResult.Exists() {
+			usageRaw = usageResult.Raw
+		}
+
+		if partsResult := responseNode.Get("candidates.0.content.parts"); partsResult.IsArray() {
+			for _, part := range partsResult.Array() {
+				hasFunctionCall := part.Get("functionCall").Exists()
+				hasInlineData := part.Get("inlineData").Exists() || part.Get("inline_data").Exists()
+				sig := part.Get("thoughtSignature").String()
+				if sig == "" {
+					sig = part.Get("thought_signature").String()
+				}
+				text := part.Get("text").String()
+				thought := part.Get("thought").Bool()
+
+				if hasFunctionCall || hasInlineData {
+					flushPending()
+					parts = append(parts, normalizePart(part))
+					continue
+				}
+
+				if thought || part.Get("text").Exists() {
+					kind := "text"
+					if thought {
+						kind = "thought"
+					}
+					if pendingKind != "" && pendingKind != kind {
+						flushPending()
+					}
+					pendingKind = kind
+					pendingText.WriteString(text)
+					if kind == "thought" && sig != "" {
+						pendingThoughtSig = sig
+					}
+					continue
+				}
+
+				flushPending()
+				parts = append(parts, normalizePart(part))
+			}
+		}
+	}
+	flushPending()
+
+	if responseTemplate == "" {
+		responseTemplate = `{"candidates":[{"content":{"role":"model","parts":[]}}]}`
+	}
+
+	partsJSON, _ := json.Marshal(parts)
+	responseTemplate, _ = sjson.SetRaw(responseTemplate, "candidates.0.content.parts", string(partsJSON))
+	if role != "" {
+		responseTemplate, _ = sjson.Set(responseTemplate, "candidates.0.content.role", role)
+	}
+	if finishReason != "" {
+		responseTemplate, _ = sjson.Set(responseTemplate, "candidates.0.finishReason", finishReason)
+	}
+	if modelVersion != "" {
+		responseTemplate, _ = sjson.Set(responseTemplate, "modelVersion", modelVersion)
+	}
+	if responseID != "" {
+		responseTemplate, _ = sjson.Set(responseTemplate, "responseId", responseID)
+	}
+	if usageRaw != "" {
+		responseTemplate, _ = sjson.SetRaw(responseTemplate, "usageMetadata", usageRaw)
+	} else if !gjson.Get(responseTemplate, "usageMetadata").Exists() {
+		responseTemplate, _ = sjson.Set(responseTemplate, "usageMetadata.promptTokenCount", 0)
+		responseTemplate, _ = sjson.Set(responseTemplate, "usageMetadata.candidatesTokenCount", 0)
+		responseTemplate, _ = sjson.Set(responseTemplate, "usageMetadata.totalTokenCount", 0)
+	}
+
+	output := `{"response":{},"traceId":""}`
+	output, _ = sjson.SetRaw(output, "response", responseTemplate)
+	if traceID != "" {
+		output, _ = sjson.Set(output, "traceId", traceID)
+	}
+	return []byte(output)
+}
+
 // ExecuteStream performs a streaming request to the Antigravity API.
 func (e *AntigravityExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (stream <-chan cliproxyexecutor.StreamChunk, err error) {
 	ctx = context.WithValue(ctx, "alt", "")
@@ -545,27 +879,9 @@ func (e *AntigravityExecutor) buildRequest(ctx context.Context, auth *cliproxyau
 			strJSON, _ = util.RenameKey(strJSON, p, p[:len(p)-len("parametersJsonSchema")]+"parameters")
 		}
 
-		strJSON = util.DeleteKey(strJSON, "$schema")
-		strJSON = util.DeleteKey(strJSON, "maxItems")
-		strJSON = util.DeleteKey(strJSON, "minItems")
-		strJSON = util.DeleteKey(strJSON, "minLength")
-		strJSON = util.DeleteKey(strJSON, "maxLength")
-		strJSON = util.DeleteKey(strJSON, "exclusiveMinimum")
-		strJSON = util.DeleteKey(strJSON, "exclusiveMaximum")
-		strJSON = util.DeleteKey(strJSON, "$ref")
-		strJSON = util.DeleteKey(strJSON, "$defs")
-
-		paths = make([]string, 0)
-		util.Walk(gjson.Parse(strJSON), "", "anyOf", &paths)
-		for _, p := range paths {
-			anyOf := gjson.Get(strJSON, p)
-			if anyOf.IsArray() {
-				anyOfItems := anyOf.Array()
-				if len(anyOfItems) > 0 {
-					strJSON, _ = sjson.SetRaw(strJSON, p[:len(p)-len(".anyOf")], anyOfItems[0].Raw)
-				}
-			}
-		}
+		// Use the centralized schema cleaner to handle unsupported keywords,
+		// const->enum conversion, and flattening of types/anyOf.
+		strJSON = util.CleanJSONSchemaForGemini(strJSON)
 
 		payload = []byte(strJSON)
 	}

internal/runtime/executor/iflow_executor.go

@@ -66,6 +66,7 @@ func (e *IFlowExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, re
 	if errValidate := ValidateThinkingConfig(body, upstreamModel); errValidate != nil {
 		return resp, errValidate
 	}
+	body = applyIFlowThinkingConfig(body)
 	body = applyPayloadConfig(e.cfg, req.Model, body)
 
 	endpoint := strings.TrimSuffix(baseURL, "/") + iflowDefaultEndpoint
@@ -157,6 +158,7 @@ func (e *IFlowExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Au
 	if errValidate := ValidateThinkingConfig(body, upstreamModel); errValidate != nil {
 		return nil, errValidate
 	}
+	body = applyIFlowThinkingConfig(body)
 	// Ensure tools array exists to avoid provider quirks similar to Qwen's behaviour.
 	toolsResult := gjson.GetBytes(body, "tools")
 	if toolsResult.Exists() && toolsResult.IsArray() && len(toolsResult.Array()) == 0 {
@@ -442,3 +444,21 @@ func ensureToolsArray(body []byte) []byte {
 	}
 	return updated
 }
+
+// applyIFlowThinkingConfig converts normalized reasoning_effort to iFlow chat_template_kwargs.enable_thinking.
+// This should be called after NormalizeThinkingConfig has processed the payload.
+// iFlow only supports boolean enable_thinking, so any non-"none" effort enables thinking.
+func applyIFlowThinkingConfig(body []byte) []byte {
+	effort := gjson.GetBytes(body, "reasoning_effort")
+	if !effort.Exists() {
+		return body
+	}
+
+	val := strings.ToLower(strings.TrimSpace(effort.String()))
+	enableThinking := val != "none" && val != ""
+
+	body, _ = sjson.DeleteBytes(body, "reasoning_effort")
+	body, _ = sjson.SetBytes(body, "chat_template_kwargs.enable_thinking", enableThinking)
+
+	return body
+}

internal/runtime/executor/payload_helpers.go

@@ -72,13 +72,7 @@ func ApplyReasoningEffortMetadata(payload []byte, metadata map[string]any, model
 	// Fallback: numeric thinking_budget suffix for level-based (OpenAI-style) models.
 	if util.ModelUsesThinkingLevels(baseModel) || allowCompat {
 		if budget, _, _, matched := util.ThinkingFromMetadata(metadata); matched && budget != nil {
-			if effort, ok := util.OpenAIThinkingBudgetToEffort(baseModel, *budget); ok && effort != "" {
-				if *budget == 0 && effort == "none" && util.ModelUsesThinkingLevels(baseModel) {
-					if _, supported := util.NormalizeReasoningEffortLevel(baseModel, effort); !supported {
-						return StripThinkingFields(payload, false)
-					}
-				}
-
+			if effort, ok := util.ThinkingBudgetToEffort(baseModel, *budget); ok && effort != "" {
 				if updated, err := sjson.SetBytes(payload, field, effort); err == nil {
 					return updated
 				}
@@ -273,7 +267,7 @@ func StripThinkingFields(payload []byte, effortOnly bool) []byte {
 		"reasoning.effort",
 	}
 	if !effortOnly {
-		fieldsToRemove = append([]string{"reasoning"}, fieldsToRemove...)
+		fieldsToRemove = append([]string{"reasoning", "thinking"}, fieldsToRemove...)
 	}
 	out := payload
 	for _, field := range fieldsToRemove {

internal/translator/antigravity/claude/antigravity_claude_request.go

@@ -7,10 +7,8 @@ package claude
 
 import (
 	"bytes"
-	"encoding/json"
 	"strings"
 
-	client "github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/translator/gemini/common"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	"github.com/tidwall/gjson"
@@ -42,27 +40,30 @@ func ConvertClaudeRequestToAntigravity(modelName string, inputRawJSON []byte, _
 	rawJSON = bytes.Replace(rawJSON, []byte(`"url":{"type":"string","format":"uri",`), []byte(`"url":{"type":"string",`), -1)
 
 	// system instruction
-	var systemInstruction *client.Content
+	systemInstructionJSON := ""
+	hasSystemInstruction := false
 	systemResult := gjson.GetBytes(rawJSON, "system")
 	if systemResult.IsArray() {
 		systemResults := systemResult.Array()
-		systemInstruction = &client.Content{Role: "user", Parts: []client.Part{}}
+		systemInstructionJSON = `{"role":"user","parts":[]}`
 		for i := 0; i < len(systemResults); i++ {
 			systemPromptResult := systemResults[i]
 			systemTypePromptResult := systemPromptResult.Get("type")
 			if systemTypePromptResult.Type == gjson.String && systemTypePromptResult.String() == "text" {
 				systemPrompt := systemPromptResult.Get("text").String()
-				systemPart := client.Part{Text: systemPrompt}
-				systemInstruction.Parts = append(systemInstruction.Parts, systemPart)
+				partJSON := `{}`
+				if systemPrompt != "" {
+					partJSON, _ = sjson.Set(partJSON, "text", systemPrompt)
+				}
+				systemInstructionJSON, _ = sjson.SetRaw(systemInstructionJSON, "parts.-1", partJSON)
+				hasSystemInstruction = true
 			}
 		}
-		if len(systemInstruction.Parts) == 0 {
-			systemInstruction = nil
-		}
 	}
 
 	// contents
-	contents := make([]client.Content, 0)
+	contentsJSON := "[]"
+	hasContents := false
 	messagesResult := gjson.GetBytes(rawJSON, "messages")
 	if messagesResult.IsArray() {
 		messageResults := messagesResult.Array()
@@ -76,7 +77,8 @@ func ConvertClaudeRequestToAntigravity(modelName string, inputRawJSON []byte, _
 			if role == "assistant" {
 				role = "model"
 			}
-			clientContent := client.Content{Role: role, Parts: []client.Part{}}
+			clientContentJSON := `{"role":"","parts":[]}`
+			clientContentJSON, _ = sjson.Set(clientContentJSON, "role", role)
 			contentsResult := messageResult.Get("content")
 			if contentsResult.IsArray() {
 				contentResults := contentsResult.Array()
@@ -90,25 +92,39 @@ func ConvertClaudeRequestToAntigravity(modelName string, inputRawJSON []byte, _
 						if signatureResult.Exists() {
 							signature = signatureResult.String()
 						}
-						clientContent.Parts = append(clientContent.Parts, client.Part{Text: prompt, Thought: true, ThoughtSignature: signature})
+						partJSON := `{}`
+						partJSON, _ = sjson.Set(partJSON, "thought", true)
+						if prompt != "" {
+							partJSON, _ = sjson.Set(partJSON, "text", prompt)
+						}
+						if signature != "" {
+							partJSON, _ = sjson.Set(partJSON, "thoughtSignature", signature)
+						}
+						clientContentJSON, _ = sjson.SetRaw(clientContentJSON, "parts.-1", partJSON)
 					} else if contentTypeResult.Type == gjson.String && contentTypeResult.String() == "text" {
 						prompt := contentResult.Get("text").String()
-						clientContent.Parts = append(clientContent.Parts, client.Part{Text: prompt})
+						partJSON := `{}`
+						if prompt != "" {
+							partJSON, _ = sjson.Set(partJSON, "text", prompt)
+						}
+						clientContentJSON, _ = sjson.SetRaw(clientContentJSON, "parts.-1", partJSON)
 					} else if contentTypeResult.Type == gjson.String && contentTypeResult.String() == "tool_use" {
 						functionName := contentResult.Get("name").String()
 						functionArgs := contentResult.Get("input").String()
 						functionID := contentResult.Get("id").String()
-						var args map[string]any
-						if err := json.Unmarshal([]byte(functionArgs), &args); err == nil {
-							if strings.Contains(modelName, "claude") {
-								clientContent.Parts = append(clientContent.Parts, client.Part{
-									FunctionCall: &client.FunctionCall{ID: functionID, Name: functionName, Args: args},
-								})
-							} else {
-								clientContent.Parts = append(clientContent.Parts, client.Part{
-									FunctionCall:     &client.FunctionCall{ID: functionID, Name: functionName, Args: args},
-									ThoughtSignature: geminiCLIClaudeThoughtSignature,
-								})
+						if gjson.Valid(functionArgs) {
+							argsResult := gjson.Parse(functionArgs)
+							if argsResult.IsObject() {
+								partJSON := `{}`
+								if !strings.Contains(modelName, "claude") {
+									partJSON, _ = sjson.Set(partJSON, "thoughtSignature", geminiCLIClaudeThoughtSignature)
+								}
+								if functionID != "" {
+									partJSON, _ = sjson.Set(partJSON, "functionCall.id", functionID)
+								}
+								partJSON, _ = sjson.Set(partJSON, "functionCall.name", functionName)
+								partJSON, _ = sjson.SetRaw(partJSON, "functionCall.args", argsResult.Raw)
+								clientContentJSON, _ = sjson.SetRaw(clientContentJSON, "parts.-1", partJSON)
 							}
 						}
 					} else if contentTypeResult.Type == gjson.String && contentTypeResult.String() == "tool_result" {
@@ -117,37 +133,74 @@ func ConvertClaudeRequestToAntigravity(modelName string, inputRawJSON []byte, _
 							funcName := toolCallID
 							toolCallIDs := strings.Split(toolCallID, "-")
 							if len(toolCallIDs) > 1 {
-								funcName = strings.Join(toolCallIDs[0:len(toolCallIDs)-1], "-")
+								funcName = strings.Join(toolCallIDs[0:len(toolCallIDs)-2], "-")
 							}
-							responseData := contentResult.Get("content").Raw
-							functionResponse := client.FunctionResponse{ID: toolCallID, Name: funcName, Response: map[string]interface{}{"result": responseData}}
-							clientContent.Parts = append(clientContent.Parts, client.Part{FunctionResponse: &functionResponse})
+							functionResponseResult := contentResult.Get("content")
+
+							functionResponseJSON := `{}`
+							functionResponseJSON, _ = sjson.Set(functionResponseJSON, "id", toolCallID)
+							functionResponseJSON, _ = sjson.Set(functionResponseJSON, "name", funcName)
+
+							responseData := ""
+							if functionResponseResult.Type == gjson.String {
+								responseData = functionResponseResult.String()
+								functionResponseJSON, _ = sjson.Set(functionResponseJSON, "response.result", responseData)
+							} else if functionResponseResult.IsArray() {
+								frResults := functionResponseResult.Array()
+								if len(frResults) == 1 {
+									functionResponseJSON, _ = sjson.SetRaw(functionResponseJSON, "response.result", frResults[0].Raw)
+								} else {
+									functionResponseJSON, _ = sjson.SetRaw(functionResponseJSON, "response.result", functionResponseResult.Raw)
+								}
+
+							} else if functionResponseResult.IsObject() {
+								functionResponseJSON, _ = sjson.SetRaw(functionResponseJSON, "response.result", functionResponseResult.Raw)
+							} else {
+								functionResponseJSON, _ = sjson.SetRaw(functionResponseJSON, "response.result", functionResponseResult.Raw)
+							}
+
+							partJSON := `{}`
+							partJSON, _ = sjson.SetRaw(partJSON, "functionResponse", functionResponseJSON)
+							clientContentJSON, _ = sjson.SetRaw(clientContentJSON, "parts.-1", partJSON)
 						}
 					} else if contentTypeResult.Type == gjson.String && contentTypeResult.String() == "image" {
 						sourceResult := contentResult.Get("source")
 						if sourceResult.Get("type").String() == "base64" {
-							inlineData := &client.InlineData{
-								MimeType: sourceResult.Get("media_type").String(),
-								Data:     sourceResult.Get("data").String(),
+							inlineDataJSON := `{}`
+							if mimeType := sourceResult.Get("media_type").String(); mimeType != "" {
+								inlineDataJSON, _ = sjson.Set(inlineDataJSON, "mime_type", mimeType)
 							}
-							clientContent.Parts = append(clientContent.Parts, client.Part{InlineData: inlineData})
+							if data := sourceResult.Get("data").String(); data != "" {
+								inlineDataJSON, _ = sjson.Set(inlineDataJSON, "data", data)
+							}
+
+							partJSON := `{}`
+							partJSON, _ = sjson.SetRaw(partJSON, "inlineData", inlineDataJSON)
+							clientContentJSON, _ = sjson.SetRaw(clientContentJSON, "parts.-1", partJSON)
 						}
 					}
 				}
-				contents = append(contents, clientContent)
+				contentsJSON, _ = sjson.SetRaw(contentsJSON, "-1", clientContentJSON)
+				hasContents = true
 			} else if contentsResult.Type == gjson.String {
 				prompt := contentsResult.String()
-				contents = append(contents, client.Content{Role: role, Parts: []client.Part{{Text: prompt}}})
+				partJSON := `{}`
+				if prompt != "" {
+					partJSON, _ = sjson.Set(partJSON, "text", prompt)
+				}
+				clientContentJSON, _ = sjson.SetRaw(clientContentJSON, "parts.-1", partJSON)
+				contentsJSON, _ = sjson.SetRaw(contentsJSON, "-1", clientContentJSON)
+				hasContents = true
 			}
 		}
 	}
 
 	// tools
-	var tools []client.ToolDeclaration
+	toolsJSON := ""
+	toolDeclCount := 0
 	toolsResult := gjson.GetBytes(rawJSON, "tools")
 	if toolsResult.IsArray() {
-		tools = make([]client.ToolDeclaration, 1)
-		tools[0].FunctionDeclarations = make([]any, 0)
+		toolsJSON = `[{"functionDeclarations":[]}]`
 		toolsResults := toolsResult.Array()
 		for i := 0; i < len(toolsResults); i++ {
 			toolResult := toolsResults[i]
@@ -158,30 +211,23 @@ func ConvertClaudeRequestToAntigravity(modelName string, inputRawJSON []byte, _
 				tool, _ = sjson.SetRaw(tool, "parametersJsonSchema", inputSchema)
 				tool, _ = sjson.Delete(tool, "strict")
 				tool, _ = sjson.Delete(tool, "input_examples")
-				var toolDeclaration any
-				if err := json.Unmarshal([]byte(tool), &toolDeclaration); err == nil {
-					tools[0].FunctionDeclarations = append(tools[0].FunctionDeclarations, toolDeclaration)
-				}
+				toolsJSON, _ = sjson.SetRaw(toolsJSON, "0.functionDeclarations.-1", tool)
+				toolDeclCount++
 			}
 		}
-	} else {
-		tools = make([]client.ToolDeclaration, 0)
 	}
 
 	// Build output Gemini CLI request JSON
 	out := `{"model":"","request":{"contents":[]}}`
 	out, _ = sjson.Set(out, "model", modelName)
-	if systemInstruction != nil {
-		b, _ := json.Marshal(systemInstruction)
-		out, _ = sjson.SetRaw(out, "request.systemInstruction", string(b))
+	if hasSystemInstruction {
+		out, _ = sjson.SetRaw(out, "request.systemInstruction", systemInstructionJSON)
 	}
-	if len(contents) > 0 {
-		b, _ := json.Marshal(contents)
-		out, _ = sjson.SetRaw(out, "request.contents", string(b))
+	if hasContents {
+		out, _ = sjson.SetRaw(out, "request.contents", contentsJSON)
 	}
-	if len(tools) > 0 && len(tools[0].FunctionDeclarations) > 0 {
-		b, _ := json.Marshal(tools)
-		out, _ = sjson.SetRaw(out, "request.tools", string(b))
+	if toolDeclCount > 0 {
+		out, _ = sjson.SetRaw(out, "request.tools", toolsJSON)
 	}
 
 	// Map Anthropic thinking -> Gemini thinkingBudget/include_thoughts when type==enabled

internal/translator/antigravity/claude/antigravity_claude_response.go

@@ -9,7 +9,6 @@ package claude
 import (
 	"bytes"
 	"context"
-	"encoding/json"
 	"fmt"
 	"strings"
 	"sync/atomic"
@@ -350,24 +349,25 @@ func ConvertAntigravityResponseToClaudeNonStream(_ context.Context, _ string, or
 		}
 	}
 
-	response := map[string]interface{}{
-		"id":            root.Get("response.responseId").String(),
-		"type":          "message",
-		"role":          "assistant",
-		"model":         root.Get("response.modelVersion").String(),
-		"content":       []interface{}{},
-		"stop_reason":   nil,
-		"stop_sequence": nil,
-		"usage": map[string]interface{}{
-			"input_tokens":  promptTokens,
-			"output_tokens": outputTokens,
-		},
+	responseJSON := `{"id":"","type":"message","role":"assistant","model":"","content":null,"stop_reason":null,"stop_sequence":null,"usage":{"input_tokens":0,"output_tokens":0}}`
+	responseJSON, _ = sjson.Set(responseJSON, "id", root.Get("response.responseId").String())
+	responseJSON, _ = sjson.Set(responseJSON, "model", root.Get("response.modelVersion").String())
+	responseJSON, _ = sjson.Set(responseJSON, "usage.input_tokens", promptTokens)
+	responseJSON, _ = sjson.Set(responseJSON, "usage.output_tokens", outputTokens)
+
+	contentArrayInitialized := false
+	ensureContentArray := func() {
+		if contentArrayInitialized {
+			return
+		}
+		responseJSON, _ = sjson.SetRaw(responseJSON, "content", "[]")
+		contentArrayInitialized = true
 	}
 
 	parts := root.Get("response.candidates.0.content.parts")
-	var contentBlocks []interface{}
 	textBuilder := strings.Builder{}
 	thinkingBuilder := strings.Builder{}
+	thinkingSignature := ""
 	toolIDCounter := 0
 	hasToolCall := false
 
@@ -375,28 +375,43 @@ func ConvertAntigravityResponseToClaudeNonStream(_ context.Context, _ string, or
 		if textBuilder.Len() == 0 {
 			return
 		}
-		contentBlocks = append(contentBlocks, map[string]interface{}{
-			"type": "text",
-			"text": textBuilder.String(),
-		})
+		ensureContentArray()
+		block := `{"type":"text","text":""}`
+		block, _ = sjson.Set(block, "text", textBuilder.String())
+		responseJSON, _ = sjson.SetRaw(responseJSON, "content.-1", block)
 		textBuilder.Reset()
 	}
 
 	flushThinking := func() {
-		if thinkingBuilder.Len() == 0 {
+		if thinkingBuilder.Len() == 0 && thinkingSignature == "" {
 			return
 		}
-		contentBlocks = append(contentBlocks, map[string]interface{}{
-			"type":     "thinking",
-			"thinking": thinkingBuilder.String(),
-		})
+		ensureContentArray()
+		block := `{"type":"thinking","thinking":""}`
+		block, _ = sjson.Set(block, "thinking", thinkingBuilder.String())
+		if thinkingSignature != "" {
+			block, _ = sjson.Set(block, "signature", thinkingSignature)
+		}
+		responseJSON, _ = sjson.SetRaw(responseJSON, "content.-1", block)
 		thinkingBuilder.Reset()
+		thinkingSignature = ""
 	}
 
 	if parts.IsArray() {
 		for _, part := range parts.Array() {
+			isThought := part.Get("thought").Bool()
+			if isThought {
+				sig := part.Get("thoughtSignature")
+				if !sig.Exists() {
+					sig = part.Get("thought_signature")
+				}
+				if sig.Exists() && sig.String() != "" {
+					thinkingSignature = sig.String()
+				}
+			}
+
 			if text := part.Get("text"); text.Exists() && text.String() != "" {
-				if part.Get("thought").Bool() {
+				if isThought {
 					flushText()
 					thinkingBuilder.WriteString(text.String())
 					continue
@@ -413,21 +428,16 @@ func ConvertAntigravityResponseToClaudeNonStream(_ context.Context, _ string, or
 
 				name := functionCall.Get("name").String()
 				toolIDCounter++
-				toolBlock := map[string]interface{}{
-					"type":  "tool_use",
-					"id":    fmt.Sprintf("tool_%d", toolIDCounter),
-					"name":  name,
-					"input": map[string]interface{}{},
+				toolBlock := `{"type":"tool_use","id":"","name":"","input":{}}`
+				toolBlock, _ = sjson.Set(toolBlock, "id", fmt.Sprintf("tool_%d", toolIDCounter))
+				toolBlock, _ = sjson.Set(toolBlock, "name", name)
+
+				if args := functionCall.Get("args"); args.Exists() && args.Raw != "" && gjson.Valid(args.Raw) {
+					toolBlock, _ = sjson.SetRaw(toolBlock, "input", args.Raw)
 				}
 
-				if args := functionCall.Get("args"); args.Exists() {
-					var parsed interface{}
-					if err := json.Unmarshal([]byte(args.Raw), &parsed); err == nil {
-						toolBlock["input"] = parsed
-					}
-				}
-
-				contentBlocks = append(contentBlocks, toolBlock)
+				ensureContentArray()
+				responseJSON, _ = sjson.SetRaw(responseJSON, "content.-1", toolBlock)
 				continue
 			}
 		}
@@ -436,8 +446,6 @@ func ConvertAntigravityResponseToClaudeNonStream(_ context.Context, _ string, or
 	flushThinking()
 	flushText()
 
-	response["content"] = contentBlocks
-
 	stopReason := "end_turn"
 	if hasToolCall {
 		stopReason = "tool_use"
@@ -453,19 +461,15 @@ func ConvertAntigravityResponseToClaudeNonStream(_ context.Context, _ string, or
 			}
 		}
 	}
-	response["stop_reason"] = stopReason
+	responseJSON, _ = sjson.Set(responseJSON, "stop_reason", stopReason)
 
-	if usage := response["usage"].(map[string]interface{}); usage["input_tokens"] == int64(0) && usage["output_tokens"] == int64(0) {
+	if promptTokens == 0 && outputTokens == 0 {
 		if usageMeta := root.Get("response.usageMetadata"); !usageMeta.Exists() {
-			delete(response, "usage")
+			responseJSON, _ = sjson.Delete(responseJSON, "usage")
 		}
 	}
 
-	encoded, err := json.Marshal(response)
-	if err != nil {
-		return ""
-	}
-	return string(encoded)
+	return responseJSON
 }
 
 func ClaudeTokenCount(ctx context.Context, count int64) string {

internal/translator/antigravity/openai/chat-completions/antigravity_openai_request.go

@@ -222,62 +222,61 @@ func ConvertOpenAIRequestToAntigravity(modelName string, inputRawJSON []byte, _
 				}
 				out, _ = sjson.SetRawBytes(out, "request.contents.-1", node)
 			} else if role == "assistant" {
+				node := []byte(`{"role":"model","parts":[]}`)
+				p := 0
 				if content.Type == gjson.String {
-					// Assistant text -> single model content
-					node := []byte(`{"role":"model","parts":[{"text":""}]}`)
-					node, _ = sjson.SetBytes(node, "parts.0.text", content.String())
+					node, _ = sjson.SetBytes(node, "parts.-1.text", content.String())
 					out, _ = sjson.SetRawBytes(out, "request.contents.-1", node)
-				} else if !content.Exists() || content.Type == gjson.Null {
-					// Tool calls -> single model content with functionCall parts
-					tcs := m.Get("tool_calls")
-					if tcs.IsArray() {
-						node := []byte(`{"role":"model","parts":[]}`)
-						p := 0
-						fIDs := make([]string, 0)
-						for _, tc := range tcs.Array() {
-							if tc.Get("type").String() != "function" {
-								continue
-							}
-							fid := tc.Get("id").String()
-							fname := tc.Get("function.name").String()
-							fargs := tc.Get("function.arguments").String()
-							node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".functionCall.id", fid)
-							node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".functionCall.name", fname)
-							node, _ = sjson.SetRawBytes(node, "parts."+itoa(p)+".functionCall.args", []byte(fargs))
-							node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".thoughtSignature", geminiCLIFunctionThoughtSignature)
-							p++
-							if fid != "" {
-								fIDs = append(fIDs, fid)
-							}
-						}
-						out, _ = sjson.SetRawBytes(out, "request.contents.-1", node)
+					p++
+				}
 
-						// Append a single tool content combining name + response per function
-						toolNode := []byte(`{"role":"user","parts":[]}`)
-						pp := 0
-						for _, fid := range fIDs {
-							if name, ok := tcID2Name[fid]; ok {
-								toolNode, _ = sjson.SetBytes(toolNode, "parts."+itoa(pp)+".functionResponse.id", fid)
-								toolNode, _ = sjson.SetBytes(toolNode, "parts."+itoa(pp)+".functionResponse.name", name)
-								resp := toolResponses[fid]
-								if resp == "" {
-									resp = "{}"
-								}
-								// Handle non-JSON output gracefully (matches dev branch approach)
-								if resp != "null" {
-									parsed := gjson.Parse(resp)
-									if parsed.Type == gjson.JSON {
-										toolNode, _ = sjson.SetRawBytes(toolNode, "parts."+itoa(pp)+".functionResponse.response.result", []byte(parsed.Raw))
-									} else {
-										toolNode, _ = sjson.SetBytes(toolNode, "parts."+itoa(pp)+".functionResponse.response.result", resp)
-									}
-								}
-								pp++
+				// Tool calls -> single model content with functionCall parts
+				tcs := m.Get("tool_calls")
+				if tcs.IsArray() {
+					fIDs := make([]string, 0)
+					for _, tc := range tcs.Array() {
+						if tc.Get("type").String() != "function" {
+							continue
+						}
+						fid := tc.Get("id").String()
+						fname := tc.Get("function.name").String()
+						fargs := tc.Get("function.arguments").String()
+						node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".functionCall.id", fid)
+						node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".functionCall.name", fname)
+						node, _ = sjson.SetRawBytes(node, "parts."+itoa(p)+".functionCall.args", []byte(fargs))
+						node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".thoughtSignature", geminiCLIFunctionThoughtSignature)
+						p++
+						if fid != "" {
+							fIDs = append(fIDs, fid)
+						}
+					}
+					out, _ = sjson.SetRawBytes(out, "request.contents.-1", node)
+
+					// Append a single tool content combining name + response per function
+					toolNode := []byte(`{"role":"user","parts":[]}`)
+					pp := 0
+					for _, fid := range fIDs {
+						if name, ok := tcID2Name[fid]; ok {
+							toolNode, _ = sjson.SetBytes(toolNode, "parts."+itoa(pp)+".functionResponse.id", fid)
+							toolNode, _ = sjson.SetBytes(toolNode, "parts."+itoa(pp)+".functionResponse.name", name)
+							resp := toolResponses[fid]
+							if resp == "" {
+								resp = "{}"
 							}
+							// Handle non-JSON output gracefully (matches dev branch approach)
+							if resp != "null" {
+								parsed := gjson.Parse(resp)
+								if parsed.Type == gjson.JSON {
+									toolNode, _ = sjson.SetRawBytes(toolNode, "parts."+itoa(pp)+".functionResponse.response.result", []byte(parsed.Raw))
+								} else {
+									toolNode, _ = sjson.SetBytes(toolNode, "parts."+itoa(pp)+".functionResponse.response.result", resp)
+								}
+							}
+							pp++
 						}
-						if pp > 0 {
-							out, _ = sjson.SetRawBytes(out, "request.contents.-1", toolNode)
-						}
+					}
+					if pp > 0 {
+						out, _ = sjson.SetRawBytes(out, "request.contents.-1", toolNode)
 					}
 				}
 			}
@@ -361,18 +360,3 @@ func ConvertOpenAIRequestToAntigravity(modelName string, inputRawJSON []byte, _
 
 // itoa converts int to string without strconv import for few usages.
 func itoa(i int) string { return fmt.Sprintf("%d", i) }
-
-// quoteIfNeeded ensures a string is valid JSON value (quotes plain text), pass-through for JSON objects/arrays.
-func quoteIfNeeded(s string) string {
-	s = strings.TrimSpace(s)
-	if s == "" {
-		return "\"\""
-	}
-	if len(s) > 0 && (s[0] == '{' || s[0] == '[') {
-		return s
-	}
-	// escape quotes minimally
-	s = strings.ReplaceAll(s, "\\", "\\\\")
-	s = strings.ReplaceAll(s, "\"", "\\\"")
-	return "\"" + s + "\""
-}

internal/translator/codex/claude/codex_claude_request.go

@@ -219,15 +219,20 @@ func ConvertClaudeRequestToCodex(modelName string, inputRawJSON []byte, _ bool)
 	// Convert thinking.budget_tokens to reasoning.effort for level-based models
 	reasoningEffort := "medium" // default
 	if thinking := rootResult.Get("thinking"); thinking.Exists() && thinking.IsObject() {
-		if thinking.Get("type").String() == "enabled" {
+		switch thinking.Get("type").String() {
+		case "enabled":
 			if util.ModelUsesThinkingLevels(modelName) {
 				if budgetTokens := thinking.Get("budget_tokens"); budgetTokens.Exists() {
 					budget := int(budgetTokens.Int())
-					if effort, ok := util.OpenAIThinkingBudgetToEffort(modelName, budget); ok && effort != "" {
+					if effort, ok := util.ThinkingBudgetToEffort(modelName, budget); ok && effort != "" {
 						reasoningEffort = effort
 					}
 				}
 			}
+		case "disabled":
+			if effort, ok := util.ThinkingBudgetToEffort(modelName, 0); ok && effort != "" {
+				reasoningEffort = effort
+			}
 		}
 	}
 	template, _ = sjson.Set(template, "reasoning.effort", reasoningEffort)

internal/translator/codex/gemini/codex_gemini_request.go

@@ -253,7 +253,7 @@ func ConvertGeminiRequestToCodex(modelName string, inputRawJSON []byte, _ bool)
 			if util.ModelUsesThinkingLevels(modelName) {
 				if thinkingBudget := thinkingConfig.Get("thinkingBudget"); thinkingBudget.Exists() {
 					budget := int(thinkingBudget.Int())
-					if effort, ok := util.OpenAIThinkingBudgetToEffort(modelName, budget); ok && effort != "" {
+					if effort, ok := util.ThinkingBudgetToEffort(modelName, budget); ok && effort != "" {
 						reasoningEffort = effort
 					}
 				}

internal/translator/gemini-cli/openai/chat-completions/gemini-cli_openai_request.go

@@ -205,52 +205,52 @@ func ConvertOpenAIRequestToGeminiCLI(modelName string, inputRawJSON []byte, _ bo
 				}
 				out, _ = sjson.SetRawBytes(out, "request.contents.-1", node)
 			} else if role == "assistant" {
+				p := 0
+				node := []byte(`{"role":"model","parts":[]}`)
 				if content.Type == gjson.String {
 					// Assistant text -> single model content
-					node := []byte(`{"role":"model","parts":[{"text":""}]}`)
-					node, _ = sjson.SetBytes(node, "parts.0.text", content.String())
+					node, _ = sjson.SetBytes(node, "parts.-1.text", content.String())
 					out, _ = sjson.SetRawBytes(out, "request.contents.-1", node)
-				} else if !content.Exists() || content.Type == gjson.Null {
-					// Tool calls -> single model content with functionCall parts
-					tcs := m.Get("tool_calls")
-					if tcs.IsArray() {
-						node := []byte(`{"role":"model","parts":[]}`)
-						p := 0
-						fIDs := make([]string, 0)
-						for _, tc := range tcs.Array() {
-							if tc.Get("type").String() != "function" {
-								continue
-							}
-							fid := tc.Get("id").String()
-							fname := tc.Get("function.name").String()
-							fargs := tc.Get("function.arguments").String()
-							node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".functionCall.name", fname)
-							node, _ = sjson.SetRawBytes(node, "parts."+itoa(p)+".functionCall.args", []byte(fargs))
-							node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".thoughtSignature", geminiCLIFunctionThoughtSignature)
-							p++
-							if fid != "" {
-								fIDs = append(fIDs, fid)
-							}
-						}
-						out, _ = sjson.SetRawBytes(out, "request.contents.-1", node)
+					p++
+				}
 
-						// Append a single tool content combining name + response per function
-						toolNode := []byte(`{"role":"tool","parts":[]}`)
-						pp := 0
-						for _, fid := range fIDs {
-							if name, ok := tcID2Name[fid]; ok {
-								toolNode, _ = sjson.SetBytes(toolNode, "parts."+itoa(pp)+".functionResponse.name", name)
-								resp := toolResponses[fid]
-								if resp == "" {
-									resp = "{}"
-								}
-								toolNode, _ = sjson.SetBytes(toolNode, "parts."+itoa(pp)+".functionResponse.response.result", []byte(resp))
-								pp++
+				// Tool calls -> single model content with functionCall parts
+				tcs := m.Get("tool_calls")
+				if tcs.IsArray() {
+					fIDs := make([]string, 0)
+					for _, tc := range tcs.Array() {
+						if tc.Get("type").String() != "function" {
+							continue
+						}
+						fid := tc.Get("id").String()
+						fname := tc.Get("function.name").String()
+						fargs := tc.Get("function.arguments").String()
+						node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".functionCall.name", fname)
+						node, _ = sjson.SetRawBytes(node, "parts."+itoa(p)+".functionCall.args", []byte(fargs))
+						node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".thoughtSignature", geminiCLIFunctionThoughtSignature)
+						p++
+						if fid != "" {
+							fIDs = append(fIDs, fid)
+						}
+					}
+					out, _ = sjson.SetRawBytes(out, "request.contents.-1", node)
+
+					// Append a single tool content combining name + response per function
+					toolNode := []byte(`{"role":"tool","parts":[]}`)
+					pp := 0
+					for _, fid := range fIDs {
+						if name, ok := tcID2Name[fid]; ok {
+							toolNode, _ = sjson.SetBytes(toolNode, "parts."+itoa(pp)+".functionResponse.name", name)
+							resp := toolResponses[fid]
+							if resp == "" {
+								resp = "{}"
 							}
+							toolNode, _ = sjson.SetBytes(toolNode, "parts."+itoa(pp)+".functionResponse.response.result", []byte(resp))
+							pp++
 						}
-						if pp > 0 {
-							out, _ = sjson.SetRawBytes(out, "request.contents.-1", toolNode)
-						}
+					}
+					if pp > 0 {
+						out, _ = sjson.SetRawBytes(out, "request.contents.-1", toolNode)
 					}
 				}
 			}
@@ -334,18 +334,3 @@ func ConvertOpenAIRequestToGeminiCLI(modelName string, inputRawJSON []byte, _ bo
 
 // itoa converts int to string without strconv import for few usages.
 func itoa(i int) string { return fmt.Sprintf("%d", i) }
-
-// quoteIfNeeded ensures a string is valid JSON value (quotes plain text), pass-through for JSON objects/arrays.
-func quoteIfNeeded(s string) string {
-	s = strings.TrimSpace(s)
-	if s == "" {
-		return "\"\""
-	}
-	if len(s) > 0 && (s[0] == '{' || s[0] == '[') {
-		return s
-	}
-	// escape quotes minimally
-	s = strings.ReplaceAll(s, "\\", "\\\\")
-	s = strings.ReplaceAll(s, "\"", "\\\"")
-	return "\"" + s + "\""
-}

internal/translator/gemini/claude/gemini_claude_response.go

@@ -25,7 +25,7 @@ type Params struct {
 	HasFirstResponse bool
 	ResponseType     int
 	ResponseIndex    int
-	HasContent       bool // Tracks whether any content (text, thinking, or tool use) has been output
+	HasContent bool // Tracks whether any content (text, thinking, or tool use) has been output
 }
 
 // toolUseIDCounter provides a process-wide unique counter for tool use identifiers.
@@ -179,6 +179,18 @@ func ConvertGeminiResponseToClaude(_ context.Context, _ string, originalRequestR
 				usedTool = true
 				fcName := functionCallResult.Get("name").String()
 
+				// FIX: Handle streaming split/delta where name might be empty in subsequent chunks.
+				// If we are already in tool use mode and name is empty, treat as continuation (delta).
+				if (*param).(*Params).ResponseType == 3 && fcName == "" {
+					if fcArgsResult := functionCallResult.Get("args"); fcArgsResult.Exists() {
+						output = output + "event: content_block_delta\n"
+						data, _ := sjson.Set(fmt.Sprintf(`{"type":"content_block_delta","index":%d,"delta":{"type":"input_json_delta","partial_json":""}}`, (*param).(*Params).ResponseIndex), "delta.partial_json", fcArgsResult.Raw)
+						output = output + fmt.Sprintf("data: %s\n\n\n", data)
+					}
+					// Continue to next part without closing/opening logic
+					continue
+				}
+
 				// Handle state transitions when switching to function calls
 				// Close any existing function call block first
 				if (*param).(*Params).ResponseType == 3 {

internal/translator/gemini/openai/chat-completions/gemini_openai_request.go

@@ -207,15 +207,16 @@ func ConvertOpenAIRequestToGemini(modelName string, inputRawJSON []byte, _ bool)
 				}
 				out, _ = sjson.SetRawBytes(out, "contents.-1", node)
 			} else if role == "assistant" {
+				node := []byte(`{"role":"model","parts":[]}`)
+				p := 0
+
 				if content.Type == gjson.String {
 					// Assistant text -> single model content
-					node := []byte(`{"role":"model","parts":[{"text":""}]}`)
-					node, _ = sjson.SetBytes(node, "parts.0.text", content.String())
+					node, _ = sjson.SetBytes(node, "parts.-1.text", content.String())
 					out, _ = sjson.SetRawBytes(out, "contents.-1", node)
+					p++
 				} else if content.IsArray() {
 					// Assistant multimodal content (e.g. text + image) -> single model content with parts
-					node := []byte(`{"role":"model","parts":[]}`)
-					p := 0
 					for _, item := range content.Array() {
 						switch item.Get("type").String() {
 						case "text":
@@ -237,47 +238,45 @@ func ConvertOpenAIRequestToGemini(modelName string, inputRawJSON []byte, _ bool)
 						}
 					}
 					out, _ = sjson.SetRawBytes(out, "contents.-1", node)
-				} else if !content.Exists() || content.Type == gjson.Null {
-					// Tool calls -> single model content with functionCall parts
-					tcs := m.Get("tool_calls")
-					if tcs.IsArray() {
-						node := []byte(`{"role":"model","parts":[]}`)
-						p := 0
-						fIDs := make([]string, 0)
-						for _, tc := range tcs.Array() {
-							if tc.Get("type").String() != "function" {
-								continue
-							}
-							fid := tc.Get("id").String()
-							fname := tc.Get("function.name").String()
-							fargs := tc.Get("function.arguments").String()
-							node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".functionCall.name", fname)
-							node, _ = sjson.SetRawBytes(node, "parts."+itoa(p)+".functionCall.args", []byte(fargs))
-							node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".thoughtSignature", geminiFunctionThoughtSignature)
-							p++
-							if fid != "" {
-								fIDs = append(fIDs, fid)
-							}
-						}
-						out, _ = sjson.SetRawBytes(out, "contents.-1", node)
+				}
 
-						// Append a single tool content combining name + response per function
-						toolNode := []byte(`{"role":"tool","parts":[]}`)
-						pp := 0
-						for _, fid := range fIDs {
-							if name, ok := tcID2Name[fid]; ok {
-								toolNode, _ = sjson.SetBytes(toolNode, "parts."+itoa(pp)+".functionResponse.name", name)
-								resp := toolResponses[fid]
-								if resp == "" {
-									resp = "{}"
-								}
-								toolNode, _ = sjson.SetBytes(toolNode, "parts."+itoa(pp)+".functionResponse.response.result", []byte(resp))
-								pp++
+				// Tool calls -> single model content with functionCall parts
+				tcs := m.Get("tool_calls")
+				if tcs.IsArray() {
+					fIDs := make([]string, 0)
+					for _, tc := range tcs.Array() {
+						if tc.Get("type").String() != "function" {
+							continue
+						}
+						fid := tc.Get("id").String()
+						fname := tc.Get("function.name").String()
+						fargs := tc.Get("function.arguments").String()
+						node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".functionCall.name", fname)
+						node, _ = sjson.SetRawBytes(node, "parts."+itoa(p)+".functionCall.args", []byte(fargs))
+						node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".thoughtSignature", geminiFunctionThoughtSignature)
+						p++
+						if fid != "" {
+							fIDs = append(fIDs, fid)
+						}
+					}
+					out, _ = sjson.SetRawBytes(out, "contents.-1", node)
+
+					// Append a single tool content combining name + response per function
+					toolNode := []byte(`{"role":"tool","parts":[]}`)
+					pp := 0
+					for _, fid := range fIDs {
+						if name, ok := tcID2Name[fid]; ok {
+							toolNode, _ = sjson.SetBytes(toolNode, "parts."+itoa(pp)+".functionResponse.name", name)
+							resp := toolResponses[fid]
+							if resp == "" {
+								resp = "{}"
 							}
+							toolNode, _ = sjson.SetBytes(toolNode, "parts."+itoa(pp)+".functionResponse.response.result", []byte(resp))
+							pp++
 						}
-						if pp > 0 {
-							out, _ = sjson.SetRawBytes(out, "contents.-1", toolNode)
-						}
+					}
+					if pp > 0 {
+						out, _ = sjson.SetRawBytes(out, "contents.-1", toolNode)
 					}
 				}
 			}
@@ -363,18 +362,3 @@ func ConvertOpenAIRequestToGemini(modelName string, inputRawJSON []byte, _ bool)
 
 // itoa converts int to string without strconv import for few usages.
 func itoa(i int) string { return fmt.Sprintf("%d", i) }
-
-// quoteIfNeeded ensures a string is valid JSON value (quotes plain text), pass-through for JSON objects/arrays.
-func quoteIfNeeded(s string) string {
-	s = strings.TrimSpace(s)
-	if s == "" {
-		return "\"\""
-	}
-	if len(s) > 0 && (s[0] == '{' || s[0] == '[') {
-		return s
-	}
-	// escape quotes minimally
-	s = strings.ReplaceAll(s, "\\", "\\\\")
-	s = strings.ReplaceAll(s, "\"", "\\\"")
-	return "\"" + s + "\""
-}

internal/translator/openai/claude/openai_claude_request.go

@@ -63,10 +63,22 @@ func ConvertClaudeRequestToOpenAI(modelName string, inputRawJSON []byte, stream
 
 	// Thinking: Convert Claude thinking.budget_tokens to OpenAI reasoning_effort
 	if thinking := root.Get("thinking"); thinking.Exists() && thinking.IsObject() {
-		if thinkingType := thinking.Get("type"); thinkingType.Exists() && thinkingType.String() == "enabled" {
-			if budgetTokens := thinking.Get("budget_tokens"); budgetTokens.Exists() {
-				budget := int(budgetTokens.Int())
-				if effort, ok := util.OpenAIThinkingBudgetToEffort(modelName, budget); ok && effort != "" {
+		if thinkingType := thinking.Get("type"); thinkingType.Exists() {
+			switch thinkingType.String() {
+			case "enabled":
+				if budgetTokens := thinking.Get("budget_tokens"); budgetTokens.Exists() {
+					budget := int(budgetTokens.Int())
+					if effort, ok := util.ThinkingBudgetToEffort(modelName, budget); ok && effort != "" {
+						out, _ = sjson.Set(out, "reasoning_effort", effort)
+					}
+				} else {
+					// No budget_tokens specified, default to "auto" for enabled thinking
+					if effort, ok := util.ThinkingBudgetToEffort(modelName, -1); ok && effort != "" {
+						out, _ = sjson.Set(out, "reasoning_effort", effort)
+					}
+				}
+			case "disabled":
+				if effort, ok := util.ThinkingBudgetToEffort(modelName, 0); ok && effort != "" {
 					out, _ = sjson.Set(out, "reasoning_effort", effort)
 				}
 			}

internal/translator/openai/claude/openai_claude_response.go

@@ -128,9 +128,10 @@ func convertOpenAIStreamingChunkToAnthropic(rawJSON []byte, param *ConvertOpenAI
 		param.CreatedAt = root.Get("created").Int()
 	}
 
-	// Check if this is the first chunk (has role)
+	// Emit message_start on the very first chunk, regardless of whether it has a role field.
+	// Some providers (like Copilot) may send tool_calls in the first chunk without a role field.
 	if delta := root.Get("choices.0.delta"); delta.Exists() {
-		if role := delta.Get("role"); role.Exists() && role.String() == "assistant" && !param.MessageStarted {
+		if !param.MessageStarted {
 			// Send message_start event
 			messageStart := map[string]interface{}{
 				"type": "message_start",

internal/translator/openai/gemini/openai_gemini_request.go

@@ -83,7 +83,7 @@ func ConvertGeminiRequestToOpenAI(modelName string, inputRawJSON []byte, stream
 		if thinkingConfig := genConfig.Get("thinkingConfig"); thinkingConfig.Exists() && thinkingConfig.IsObject() {
 			if thinkingBudget := thinkingConfig.Get("thinkingBudget"); thinkingBudget.Exists() {
 				budget := int(thinkingBudget.Int())
-				if effort, ok := util.OpenAIThinkingBudgetToEffort(modelName, budget); ok && effort != "" {
+				if effort, ok := util.ThinkingBudgetToEffort(modelName, budget); ok && effort != "" {
 					out, _ = sjson.Set(out, "reasoning_effort", effort)
 				}
 			}

internal/util/gemini_schema.go

@@ -0,0 +1,496 @@
+// Package util provides utility functions for the CLI Proxy API server.
+package util
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/tidwall/gjson"
+	"github.com/tidwall/sjson"
+)
+
+var gjsonPathKeyReplacer = strings.NewReplacer(".", "\\.", "*", "\\*", "?", "\\?")
+
+// CleanJSONSchemaForGemini transforms a JSON schema to be compatible with Gemini/Antigravity API.
+// It handles unsupported keywords, type flattening, and schema simplification while preserving
+// semantic information as description hints.
+func CleanJSONSchemaForGemini(jsonStr string) string {
+	// Phase 1: Convert and add hints
+	jsonStr = convertRefsToHints(jsonStr)
+	jsonStr = convertConstToEnum(jsonStr)
+	jsonStr = addEnumHints(jsonStr)
+	jsonStr = addAdditionalPropertiesHints(jsonStr)
+	jsonStr = moveConstraintsToDescription(jsonStr)
+
+	// Phase 2: Flatten complex structures
+	jsonStr = mergeAllOf(jsonStr)
+	jsonStr = flattenAnyOfOneOf(jsonStr)
+	jsonStr = flattenTypeArrays(jsonStr)
+
+	// Phase 3: Cleanup
+	jsonStr = removeUnsupportedKeywords(jsonStr)
+	jsonStr = cleanupRequiredFields(jsonStr)
+
+	return jsonStr
+}
+
+// convertRefsToHints converts $ref to description hints (Lazy Hint strategy).
+func convertRefsToHints(jsonStr string) string {
+	paths := findPaths(jsonStr, "$ref")
+	sortByDepth(paths)
+
+	for _, p := range paths {
+		refVal := gjson.Get(jsonStr, p).String()
+		defName := refVal
+		if idx := strings.LastIndex(refVal, "/"); idx >= 0 {
+			defName = refVal[idx+1:]
+		}
+
+		parentPath := trimSuffix(p, ".$ref")
+		hint := fmt.Sprintf("See: %s", defName)
+		if existing := gjson.Get(jsonStr, descriptionPath(parentPath)).String(); existing != "" {
+			hint = fmt.Sprintf("%s (%s)", existing, hint)
+		}
+
+		replacement := `{"type":"object","description":""}`
+		replacement, _ = sjson.Set(replacement, "description", hint)
+		jsonStr = setRawAt(jsonStr, parentPath, replacement)
+	}
+	return jsonStr
+}
+
+func convertConstToEnum(jsonStr string) string {
+	for _, p := range findPaths(jsonStr, "const") {
+		val := gjson.Get(jsonStr, p)
+		if !val.Exists() {
+			continue
+		}
+		enumPath := trimSuffix(p, ".const") + ".enum"
+		if !gjson.Get(jsonStr, enumPath).Exists() {
+			jsonStr, _ = sjson.Set(jsonStr, enumPath, []interface{}{val.Value()})
+		}
+	}
+	return jsonStr
+}
+
+func addEnumHints(jsonStr string) string {
+	for _, p := range findPaths(jsonStr, "enum") {
+		arr := gjson.Get(jsonStr, p)
+		if !arr.IsArray() {
+			continue
+		}
+		items := arr.Array()
+		if len(items) <= 1 || len(items) > 10 {
+			continue
+		}
+
+		var vals []string
+		for _, item := range items {
+			vals = append(vals, item.String())
+		}
+		jsonStr = appendHint(jsonStr, trimSuffix(p, ".enum"), "Allowed: "+strings.Join(vals, ", "))
+	}
+	return jsonStr
+}
+
+func addAdditionalPropertiesHints(jsonStr string) string {
+	for _, p := range findPaths(jsonStr, "additionalProperties") {
+		if gjson.Get(jsonStr, p).Type == gjson.False {
+			jsonStr = appendHint(jsonStr, trimSuffix(p, ".additionalProperties"), "No extra properties allowed")
+		}
+	}
+	return jsonStr
+}
+
+var unsupportedConstraints = []string{
+	"minLength", "maxLength", "exclusiveMinimum", "exclusiveMaximum",
+	"pattern", "minItems", "maxItems",
+}
+
+func moveConstraintsToDescription(jsonStr string) string {
+	for _, key := range unsupportedConstraints {
+		for _, p := range findPaths(jsonStr, key) {
+			val := gjson.Get(jsonStr, p)
+			if !val.Exists() || val.IsObject() || val.IsArray() {
+				continue
+			}
+			parentPath := trimSuffix(p, "."+key)
+			if isPropertyDefinition(parentPath) {
+				continue
+			}
+			jsonStr = appendHint(jsonStr, parentPath, fmt.Sprintf("%s: %s", key, val.String()))
+		}
+	}
+	return jsonStr
+}
+
+func mergeAllOf(jsonStr string) string {
+	paths := findPaths(jsonStr, "allOf")
+	sortByDepth(paths)
+
+	for _, p := range paths {
+		allOf := gjson.Get(jsonStr, p)
+		if !allOf.IsArray() {
+			continue
+		}
+		parentPath := trimSuffix(p, ".allOf")
+
+		for _, item := range allOf.Array() {
+			if props := item.Get("properties"); props.IsObject() {
+				props.ForEach(func(key, value gjson.Result) bool {
+					destPath := joinPath(parentPath, "properties."+escapeGJSONPathKey(key.String()))
+					jsonStr, _ = sjson.SetRaw(jsonStr, destPath, value.Raw)
+					return true
+				})
+			}
+			if req := item.Get("required"); req.IsArray() {
+				reqPath := joinPath(parentPath, "required")
+				current := getStrings(jsonStr, reqPath)
+				for _, r := range req.Array() {
+					if s := r.String(); !contains(current, s) {
+						current = append(current, s)
+					}
+				}
+				jsonStr, _ = sjson.Set(jsonStr, reqPath, current)
+			}
+		}
+		jsonStr, _ = sjson.Delete(jsonStr, p)
+	}
+	return jsonStr
+}
+
+func flattenAnyOfOneOf(jsonStr string) string {
+	for _, key := range []string{"anyOf", "oneOf"} {
+		paths := findPaths(jsonStr, key)
+		sortByDepth(paths)
+
+		for _, p := range paths {
+			arr := gjson.Get(jsonStr, p)
+			if !arr.IsArray() || len(arr.Array()) == 0 {
+				continue
+			}
+
+			parentPath := trimSuffix(p, "."+key)
+			parentDesc := gjson.Get(jsonStr, descriptionPath(parentPath)).String()
+
+			items := arr.Array()
+			bestIdx, allTypes := selectBest(items)
+			selected := items[bestIdx].Raw
+
+			if parentDesc != "" {
+				selected = mergeDescriptionRaw(selected, parentDesc)
+			}
+
+			if len(allTypes) > 1 {
+				hint := "Accepts: " + strings.Join(allTypes, " | ")
+				selected = appendHintRaw(selected, hint)
+			}
+
+			jsonStr = setRawAt(jsonStr, parentPath, selected)
+		}
+	}
+	return jsonStr
+}
+
+func selectBest(items []gjson.Result) (bestIdx int, types []string) {
+	bestScore := -1
+	for i, item := range items {
+		t := item.Get("type").String()
+		score := 0
+
+		switch {
+		case t == "object" || item.Get("properties").Exists():
+			score, t = 3, orDefault(t, "object")
+		case t == "array" || item.Get("items").Exists():
+			score, t = 2, orDefault(t, "array")
+		case t != "" && t != "null":
+			score = 1
+		default:
+			t = orDefault(t, "null")
+		}
+
+		if t != "" {
+			types = append(types, t)
+		}
+		if score > bestScore {
+			bestScore, bestIdx = score, i
+		}
+	}
+	return
+}
+
+func flattenTypeArrays(jsonStr string) string {
+	paths := findPaths(jsonStr, "type")
+	sortByDepth(paths)
+
+	nullableFields := make(map[string][]string)
+
+	for _, p := range paths {
+		res := gjson.Get(jsonStr, p)
+		if !res.IsArray() || len(res.Array()) == 0 {
+			continue
+		}
+
+		hasNull := false
+		var nonNullTypes []string
+		for _, item := range res.Array() {
+			s := item.String()
+			if s == "null" {
+				hasNull = true
+			} else if s != "" {
+				nonNullTypes = append(nonNullTypes, s)
+			}
+		}
+
+		firstType := "string"
+		if len(nonNullTypes) > 0 {
+			firstType = nonNullTypes[0]
+		}
+
+		jsonStr, _ = sjson.Set(jsonStr, p, firstType)
+
+		parentPath := trimSuffix(p, ".type")
+		if len(nonNullTypes) > 1 {
+			hint := "Accepts: " + strings.Join(nonNullTypes, " | ")
+			jsonStr = appendHint(jsonStr, parentPath, hint)
+		}
+
+		if hasNull {
+			parts := splitGJSONPath(p)
+			if len(parts) >= 3 && parts[len(parts)-3] == "properties" {
+				fieldNameEscaped := parts[len(parts)-2]
+				fieldName := unescapeGJSONPathKey(fieldNameEscaped)
+				objectPath := strings.Join(parts[:len(parts)-3], ".")
+				nullableFields[objectPath] = append(nullableFields[objectPath], fieldName)
+
+				propPath := joinPath(objectPath, "properties."+fieldNameEscaped)
+				jsonStr = appendHint(jsonStr, propPath, "(nullable)")
+			}
+		}
+	}
+
+	for objectPath, fields := range nullableFields {
+		reqPath := joinPath(objectPath, "required")
+		req := gjson.Get(jsonStr, reqPath)
+		if !req.IsArray() {
+			continue
+		}
+
+		var filtered []string
+		for _, r := range req.Array() {
+			if !contains(fields, r.String()) {
+				filtered = append(filtered, r.String())
+			}
+		}
+
+		if len(filtered) == 0 {
+			jsonStr, _ = sjson.Delete(jsonStr, reqPath)
+		} else {
+			jsonStr, _ = sjson.Set(jsonStr, reqPath, filtered)
+		}
+	}
+	return jsonStr
+}
+
+func removeUnsupportedKeywords(jsonStr string) string {
+	keywords := append(unsupportedConstraints,
+		"$schema", "$defs", "definitions", "const", "$ref", "additionalProperties",
+	)
+	for _, key := range keywords {
+		for _, p := range findPaths(jsonStr, key) {
+			if isPropertyDefinition(trimSuffix(p, "."+key)) {
+				continue
+			}
+			jsonStr, _ = sjson.Delete(jsonStr, p)
+		}
+	}
+	return jsonStr
+}
+
+func cleanupRequiredFields(jsonStr string) string {
+	for _, p := range findPaths(jsonStr, "required") {
+		parentPath := trimSuffix(p, ".required")
+		propsPath := joinPath(parentPath, "properties")
+
+		req := gjson.Get(jsonStr, p)
+		props := gjson.Get(jsonStr, propsPath)
+		if !req.IsArray() || !props.IsObject() {
+			continue
+		}
+
+		var valid []string
+		for _, r := range req.Array() {
+			key := r.String()
+			if props.Get(escapeGJSONPathKey(key)).Exists() {
+				valid = append(valid, key)
+			}
+		}
+
+		if len(valid) != len(req.Array()) {
+			if len(valid) == 0 {
+				jsonStr, _ = sjson.Delete(jsonStr, p)
+			} else {
+				jsonStr, _ = sjson.Set(jsonStr, p, valid)
+			}
+		}
+	}
+	return jsonStr
+}
+
+// --- Helpers ---
+
+func findPaths(jsonStr, field string) []string {
+	var paths []string
+	Walk(gjson.Parse(jsonStr), "", field, &paths)
+	return paths
+}
+
+func sortByDepth(paths []string) {
+	sort.Slice(paths, func(i, j int) bool { return len(paths[i]) > len(paths[j]) })
+}
+
+func trimSuffix(path, suffix string) string {
+	if path == strings.TrimPrefix(suffix, ".") {
+		return ""
+	}
+	return strings.TrimSuffix(path, suffix)
+}
+
+func joinPath(base, suffix string) string {
+	if base == "" {
+		return suffix
+	}
+	return base + "." + suffix
+}
+
+func setRawAt(jsonStr, path, value string) string {
+	if path == "" {
+		return value
+	}
+	result, _ := sjson.SetRaw(jsonStr, path, value)
+	return result
+}
+
+func isPropertyDefinition(path string) bool {
+	return path == "properties" || strings.HasSuffix(path, ".properties")
+}
+
+func descriptionPath(parentPath string) string {
+	if parentPath == "" || parentPath == "@this" {
+		return "description"
+	}
+	return parentPath + ".description"
+}
+
+func appendHint(jsonStr, parentPath, hint string) string {
+	descPath := parentPath + ".description"
+	if parentPath == "" || parentPath == "@this" {
+		descPath = "description"
+	}
+	existing := gjson.Get(jsonStr, descPath).String()
+	if existing != "" {
+		hint = fmt.Sprintf("%s (%s)", existing, hint)
+	}
+	jsonStr, _ = sjson.Set(jsonStr, descPath, hint)
+	return jsonStr
+}
+
+func appendHintRaw(jsonRaw, hint string) string {
+	existing := gjson.Get(jsonRaw, "description").String()
+	if existing != "" {
+		hint = fmt.Sprintf("%s (%s)", existing, hint)
+	}
+	jsonRaw, _ = sjson.Set(jsonRaw, "description", hint)
+	return jsonRaw
+}
+
+func getStrings(jsonStr, path string) []string {
+	var result []string
+	if arr := gjson.Get(jsonStr, path); arr.IsArray() {
+		for _, r := range arr.Array() {
+			result = append(result, r.String())
+		}
+	}
+	return result
+}
+
+func contains(slice []string, item string) bool {
+	for _, s := range slice {
+		if s == item {
+			return true
+		}
+	}
+	return false
+}
+
+func orDefault(val, def string) string {
+	if val == "" {
+		return def
+	}
+	return val
+}
+
+func escapeGJSONPathKey(key string) string {
+	return gjsonPathKeyReplacer.Replace(key)
+}
+
+func unescapeGJSONPathKey(key string) string {
+	if !strings.Contains(key, "\\") {
+		return key
+	}
+	var b strings.Builder
+	b.Grow(len(key))
+	for i := 0; i < len(key); i++ {
+		if key[i] == '\\' && i+1 < len(key) {
+			i++
+			b.WriteByte(key[i])
+			continue
+		}
+		b.WriteByte(key[i])
+	}
+	return b.String()
+}
+
+func splitGJSONPath(path string) []string {
+	if path == "" {
+		return nil
+	}
+
+	parts := make([]string, 0, strings.Count(path, ".")+1)
+	var b strings.Builder
+	b.Grow(len(path))
+
+	for i := 0; i < len(path); i++ {
+		c := path[i]
+		if c == '\\' && i+1 < len(path) {
+			b.WriteByte('\\')
+			i++
+			b.WriteByte(path[i])
+			continue
+		}
+		if c == '.' {
+			parts = append(parts, b.String())
+			b.Reset()
+			continue
+		}
+		b.WriteByte(c)
+	}
+	parts = append(parts, b.String())
+	return parts
+}
+
+func mergeDescriptionRaw(schemaRaw, parentDesc string) string {
+	childDesc := gjson.Get(schemaRaw, "description").String()
+	switch {
+	case childDesc == "":
+		schemaRaw, _ = sjson.Set(schemaRaw, "description", parentDesc)
+		return schemaRaw
+	case childDesc == parentDesc:
+		return schemaRaw
+	default:
+		combined := fmt.Sprintf("%s (%s)", parentDesc, childDesc)
+		schemaRaw, _ = sjson.Set(schemaRaw, "description", combined)
+		return schemaRaw
+	}
+}

internal/util/gemini_schema_test.go

@@ -0,0 +1,613 @@
+package util
+
+import (
+	"encoding/json"
+	"reflect"
+	"strings"
+	"testing"
+)
+
+func TestCleanJSONSchemaForGemini_ConstToEnum(t *testing.T) {
+	input := `{
+		"type": "object",
+		"properties": {
+			"kind": {
+				"type": "string",
+				"const": "InsightVizNode"
+			}
+		}
+	}`
+
+	expected := `{
+		"type": "object",
+		"properties": {
+			"kind": {
+				"type": "string",
+				"enum": ["InsightVizNode"]
+			}
+		}
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+	compareJSON(t, expected, result)
+}
+
+func TestCleanJSONSchemaForGemini_TypeFlattening_Nullable(t *testing.T) {
+	input := `{
+		"type": "object",
+		"properties": {
+			"name": {
+				"type": ["string", "null"]
+			},
+			"other": {
+				"type": "string"
+			}
+		},
+		"required": ["name", "other"]
+	}`
+
+	expected := `{
+		"type": "object",
+		"properties": {
+			"name": {
+				"type": "string",
+				"description": "(nullable)"
+			},
+			"other": {
+				"type": "string"
+			}
+		},
+		"required": ["other"]
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+	compareJSON(t, expected, result)
+}
+
+func TestCleanJSONSchemaForGemini_ConstraintsToDescription(t *testing.T) {
+	input := `{
+		"type": "object",
+		"properties": {
+			"tags": {
+				"type": "array",
+				"description": "List of tags",
+				"minItems": 1
+			},
+			"name": {
+				"type": "string",
+				"description": "User name",
+				"minLength": 3
+			}
+		}
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+
+	// minItems should be REMOVED and moved to description
+	if strings.Contains(result, `"minItems"`) {
+		t.Errorf("minItems keyword should be removed")
+	}
+	if !strings.Contains(result, "minItems: 1") {
+		t.Errorf("minItems hint missing in description")
+	}
+
+	// minLength should be moved to description
+	if !strings.Contains(result, "minLength: 3") {
+		t.Errorf("minLength hint missing in description")
+	}
+	if strings.Contains(result, `"minLength":`) || strings.Contains(result, `"minLength" :`) {
+		t.Errorf("minLength keyword should be removed")
+	}
+}
+
+func TestCleanJSONSchemaForGemini_AnyOfFlattening_SmartSelection(t *testing.T) {
+	input := `{
+		"type": "object",
+		"properties": {
+			"query": {
+				"anyOf": [
+					{ "type": "null" },
+					{
+						"type": "object",
+						"properties": {
+							"kind": { "type": "string" }
+						}
+					}
+				]
+			}
+		}
+	}`
+
+	expected := `{
+		"type": "object",
+		"properties": {
+			"query": {
+				"type": "object",
+				"description": "Accepts: null | object",
+				"properties": {
+					"kind": { "type": "string" }
+				}
+			}
+		}
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+	compareJSON(t, expected, result)
+}
+
+func TestCleanJSONSchemaForGemini_OneOfFlattening(t *testing.T) {
+	input := `{
+		"type": "object",
+		"properties": {
+			"config": {
+				"oneOf": [
+					{ "type": "string" },
+					{ "type": "integer" }
+				]
+			}
+		}
+	}`
+
+	expected := `{
+		"type": "object",
+		"properties": {
+			"config": {
+				"type": "string",
+				"description": "Accepts: string | integer"
+			}
+		}
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+	compareJSON(t, expected, result)
+}
+
+func TestCleanJSONSchemaForGemini_AllOfMerging(t *testing.T) {
+	input := `{
+		"type": "object",
+		"allOf": [
+			{
+				"properties": {
+					"a": { "type": "string" }
+				},
+				"required": ["a"]
+			},
+			{
+				"properties": {
+					"b": { "type": "integer" }
+				},
+				"required": ["b"]
+			}
+		]
+	}`
+
+	expected := `{
+		"type": "object",
+		"properties": {
+			"a": { "type": "string" },
+			"b": { "type": "integer" }
+		},
+		"required": ["a", "b"]
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+	compareJSON(t, expected, result)
+}
+
+func TestCleanJSONSchemaForGemini_RefHandling(t *testing.T) {
+	input := `{
+		"definitions": {
+			"User": {
+				"type": "object",
+				"properties": {
+					"name": { "type": "string" }
+				}
+			}
+		},
+		"type": "object",
+		"properties": {
+			"customer": { "$ref": "#/definitions/User" }
+		}
+	}`
+
+	expected := `{
+		"type": "object",
+		"properties": {
+			"customer": {
+				"type": "object",
+				"description": "See: User"
+			}
+		}
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+	compareJSON(t, expected, result)
+}
+
+func TestCleanJSONSchemaForGemini_RefHandling_DescriptionEscaping(t *testing.T) {
+	input := `{
+		"definitions": {
+			"User": {
+				"type": "object",
+				"properties": {
+					"name": { "type": "string" }
+				}
+			}
+		},
+		"type": "object",
+		"properties": {
+			"customer": {
+				"description": "He said \"hi\"\\nsecond line",
+				"$ref": "#/definitions/User"
+			}
+		}
+	}`
+
+	expected := `{
+		"type": "object",
+		"properties": {
+			"customer": {
+				"type": "object",
+				"description": "He said \"hi\"\\nsecond line (See: User)"
+			}
+		}
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+	compareJSON(t, expected, result)
+}
+
+func TestCleanJSONSchemaForGemini_CyclicRefDefaults(t *testing.T) {
+	input := `{
+		"definitions": {
+			"Node": {
+				"type": "object",
+				"properties": {
+					"child": { "$ref": "#/definitions/Node" }
+				}
+			}
+		},
+		"$ref": "#/definitions/Node"
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+
+	var resMap map[string]interface{}
+	json.Unmarshal([]byte(result), &resMap)
+
+	if resMap["type"] != "object" {
+		t.Errorf("Expected type: object, got: %v", resMap["type"])
+	}
+
+	desc, ok := resMap["description"].(string)
+	if !ok || !strings.Contains(desc, "Node") {
+		t.Errorf("Expected description hint containing 'Node', got: %v", resMap["description"])
+	}
+}
+
+func TestCleanJSONSchemaForGemini_RequiredCleanup(t *testing.T) {
+	input := `{
+		"type": "object",
+		"properties": {
+			"a": {"type": "string"},
+			"b": {"type": "string"}
+		},
+		"required": ["a", "b", "c"]
+	}`
+
+	expected := `{
+		"type": "object",
+		"properties": {
+			"a": {"type": "string"},
+			"b": {"type": "string"}
+		},
+		"required": ["a", "b"]
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+	compareJSON(t, expected, result)
+}
+
+func TestCleanJSONSchemaForGemini_AllOfMerging_DotKeys(t *testing.T) {
+	input := `{
+		"type": "object",
+		"allOf": [
+			{
+				"properties": {
+					"my.param": { "type": "string" }
+				},
+				"required": ["my.param"]
+			},
+			{
+				"properties": {
+					"b": { "type": "integer" }
+				},
+				"required": ["b"]
+			}
+		]
+	}`
+
+	expected := `{
+		"type": "object",
+		"properties": {
+			"my.param": { "type": "string" },
+			"b": { "type": "integer" }
+		},
+		"required": ["my.param", "b"]
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+	compareJSON(t, expected, result)
+}
+
+func TestCleanJSONSchemaForGemini_PropertyNameCollision(t *testing.T) {
+	// A tool has an argument named "pattern" - should NOT be treated as a constraint
+	input := `{
+		"type": "object",
+		"properties": {
+			"pattern": {
+				"type": "string",
+				"description": "The regex pattern"
+			}
+		},
+		"required": ["pattern"]
+	}`
+
+	expected := `{
+		"type": "object",
+		"properties": {
+			"pattern": {
+				"type": "string",
+				"description": "The regex pattern"
+			}
+		},
+		"required": ["pattern"]
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+	compareJSON(t, expected, result)
+
+	var resMap map[string]interface{}
+	json.Unmarshal([]byte(result), &resMap)
+	props, _ := resMap["properties"].(map[string]interface{})
+	if _, ok := props["description"]; ok {
+		t.Errorf("Invalid 'description' property injected into properties map")
+	}
+}
+
+func TestCleanJSONSchemaForGemini_DotKeys(t *testing.T) {
+	input := `{
+		"type": "object",
+		"properties": {
+			"my.param": {
+				"type": "string",
+				"$ref": "#/definitions/MyType"
+			}
+		},
+		"definitions": {
+			"MyType": { "type": "string" }
+		}
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+
+	var resMap map[string]interface{}
+	if err := json.Unmarshal([]byte(result), &resMap); err != nil {
+		t.Fatalf("Failed to unmarshal result: %v", err)
+	}
+
+	props, ok := resMap["properties"].(map[string]interface{})
+	if !ok {
+		t.Fatalf("properties missing")
+	}
+
+	if val, ok := props["my.param"]; !ok {
+		t.Fatalf("Key 'my.param' is missing. Result: %s", result)
+	} else {
+		valMap, _ := val.(map[string]interface{})
+		if _, hasRef := valMap["$ref"]; hasRef {
+			t.Errorf("Key 'my.param' still contains $ref")
+		}
+		if _, ok := props["my"]; ok {
+			t.Errorf("Artifact key 'my' created by sjson splitting")
+		}
+	}
+}
+
+func TestCleanJSONSchemaForGemini_AnyOfAlternativeHints(t *testing.T) {
+	input := `{
+		"type": "object",
+		"properties": {
+			"value": {
+				"anyOf": [
+					{ "type": "string" },
+					{ "type": "integer" },
+					{ "type": "null" }
+				]
+			}
+		}
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+
+	if !strings.Contains(result, "Accepts:") {
+		t.Errorf("Expected alternative types hint, got: %s", result)
+	}
+	if !strings.Contains(result, "string") || !strings.Contains(result, "integer") {
+		t.Errorf("Expected all alternative types in hint, got: %s", result)
+	}
+}
+
+func TestCleanJSONSchemaForGemini_NullableHint(t *testing.T) {
+	input := `{
+		"type": "object",
+		"properties": {
+			"name": {
+				"type": ["string", "null"],
+				"description": "User name"
+			}
+		},
+		"required": ["name"]
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+
+	if !strings.Contains(result, "(nullable)") {
+		t.Errorf("Expected nullable hint, got: %s", result)
+	}
+	if !strings.Contains(result, "User name") {
+		t.Errorf("Expected original description to be preserved, got: %s", result)
+	}
+}
+
+func TestCleanJSONSchemaForGemini_TypeFlattening_Nullable_DotKey(t *testing.T) {
+	input := `{
+		"type": "object",
+		"properties": {
+			"my.param": {
+				"type": ["string", "null"]
+			},
+			"other": {
+				"type": "string"
+			}
+		},
+		"required": ["my.param", "other"]
+	}`
+
+	expected := `{
+		"type": "object",
+		"properties": {
+			"my.param": {
+				"type": "string",
+				"description": "(nullable)"
+			},
+			"other": {
+				"type": "string"
+			}
+		},
+		"required": ["other"]
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+	compareJSON(t, expected, result)
+}
+
+func TestCleanJSONSchemaForGemini_EnumHint(t *testing.T) {
+	input := `{
+		"type": "object",
+		"properties": {
+			"status": {
+				"type": "string",
+				"enum": ["active", "inactive", "pending"],
+				"description": "Current status"
+			}
+		}
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+
+	if !strings.Contains(result, "Allowed:") {
+		t.Errorf("Expected enum values hint, got: %s", result)
+	}
+	if !strings.Contains(result, "active") || !strings.Contains(result, "inactive") {
+		t.Errorf("Expected enum values in hint, got: %s", result)
+	}
+}
+
+func TestCleanJSONSchemaForGemini_AdditionalPropertiesHint(t *testing.T) {
+	input := `{
+		"type": "object",
+		"properties": {
+			"name": { "type": "string" }
+		},
+		"additionalProperties": false
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+
+	if !strings.Contains(result, "No extra properties allowed") {
+		t.Errorf("Expected additionalProperties hint, got: %s", result)
+	}
+}
+
+func TestCleanJSONSchemaForGemini_AnyOfFlattening_PreservesDescription(t *testing.T) {
+	input := `{
+		"type": "object",
+		"properties": {
+			"config": {
+				"description": "Parent desc",
+				"anyOf": [
+					{ "type": "string", "description": "Child desc" },
+					{ "type": "integer" }
+				]
+			}
+		}
+	}`
+
+	expected := `{
+		"type": "object",
+		"properties": {
+			"config": {
+				"type": "string",
+				"description": "Parent desc (Child desc) (Accepts: string | integer)"
+			}
+		}
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+	compareJSON(t, expected, result)
+}
+
+func TestCleanJSONSchemaForGemini_SingleEnumNoHint(t *testing.T) {
+	input := `{
+		"type": "object",
+		"properties": {
+			"kind": {
+				"type": "string",
+				"enum": ["fixed"]
+			}
+		}
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+
+	if strings.Contains(result, "Allowed:") {
+		t.Errorf("Single value enum should not add Allowed hint, got: %s", result)
+	}
+}
+
+func TestCleanJSONSchemaForGemini_MultipleNonNullTypes(t *testing.T) {
+	input := `{
+		"type": "object",
+		"properties": {
+			"value": {
+				"type": ["string", "integer", "boolean"]
+			}
+		}
+	}`
+
+	result := CleanJSONSchemaForGemini(input)
+
+	if !strings.Contains(result, "Accepts:") {
+		t.Errorf("Expected multiple types hint, got: %s", result)
+	}
+	if !strings.Contains(result, "string") || !strings.Contains(result, "integer") || !strings.Contains(result, "boolean") {
+		t.Errorf("Expected all types in hint, got: %s", result)
+	}
+}
+
+func compareJSON(t *testing.T, expectedJSON, actualJSON string) {
+	var expMap, actMap map[string]interface{}
+	errExp := json.Unmarshal([]byte(expectedJSON), &expMap)
+	errAct := json.Unmarshal([]byte(actualJSON), &actMap)
+
+	if errExp != nil || errAct != nil {
+		t.Fatalf("JSON Unmarshal error. Exp: %v, Act: %v", errExp, errAct)
+	}
+
+	if !reflect.DeepEqual(expMap, actMap) {
+		expBytes, _ := json.MarshalIndent(expMap, "", "  ")
+		actBytes, _ := json.MarshalIndent(actMap, "", "  ")
+		t.Errorf("JSON mismatch:\nExpected:\n%s\n\nActual:\n%s", string(expBytes), string(actBytes))
+	}
+}

internal/util/openai_thinking.go

@@ -1,37 +0,0 @@
-package util
-
-// OpenAIThinkingBudgetToEffort maps a numeric thinking budget (tokens)
-// into an OpenAI-style reasoning effort level for level-based models.
-//
-// Ranges:
-//   - 0            -> "none"
-//   - -1           -> "auto"
-//   - 1..1024      -> "low"
-//   - 1025..8192   -> "medium"
-//   - 8193..24576  -> "high"
-//   - 24577..      -> highest supported level for the model (defaults to "xhigh")
-//
-// Negative values other than -1 are treated as unsupported.
-func OpenAIThinkingBudgetToEffort(model string, budget int) (string, bool) {
-	switch {
-	case budget == -1:
-		return "auto", true
-	case budget < -1:
-		return "", false
-	case budget == 0:
-		return "none", true
-	case budget > 0 && budget <= 1024:
-		return "low", true
-	case budget <= 8192:
-		return "medium", true
-	case budget <= 24576:
-		return "high", true
-	case budget > 24576:
-		if levels := GetModelThinkingLevels(model); len(levels) > 0 {
-			return levels[len(levels)-1], true
-		}
-		return "xhigh", true
-	default:
-		return "", false
-	}
-}

internal/util/thinking.go

@@ -118,3 +118,83 @@ func IsOpenAICompatibilityModel(model string) bool {
 	}
 	return strings.EqualFold(strings.TrimSpace(info.Type), "openai-compatibility")
 }
+
+// ThinkingEffortToBudget maps a reasoning effort level to a numeric thinking budget (tokens),
+// clamping the result to the model's supported range.
+//
+// Mappings (values are normalized to model's supported range):
+//   - "none"    -> 0
+//   - "auto"    -> -1
+//   - "minimal" -> 512
+//   - "low"     -> 1024
+//   - "medium"  -> 8192
+//   - "high"    -> 24576
+//   - "xhigh"   -> 32768
+//
+// Returns false when the effort level is empty or unsupported.
+func ThinkingEffortToBudget(model, effort string) (int, bool) {
+	if effort == "" {
+		return 0, false
+	}
+	normalized, ok := NormalizeReasoningEffortLevel(model, effort)
+	if !ok {
+		normalized = strings.ToLower(strings.TrimSpace(effort))
+	}
+	switch normalized {
+	case "none":
+		return 0, true
+	case "auto":
+		return NormalizeThinkingBudget(model, -1), true
+	case "minimal":
+		return NormalizeThinkingBudget(model, 512), true
+	case "low":
+		return NormalizeThinkingBudget(model, 1024), true
+	case "medium":
+		return NormalizeThinkingBudget(model, 8192), true
+	case "high":
+		return NormalizeThinkingBudget(model, 24576), true
+	case "xhigh":
+		return NormalizeThinkingBudget(model, 32768), true
+	default:
+		return 0, false
+	}
+}
+
+// ThinkingBudgetToEffort maps a numeric thinking budget (tokens)
+// to a reasoning effort level for level-based models.
+//
+// Mappings:
+//   - 0            -> "none" (or lowest supported level if model doesn't support "none")
+//   - -1           -> "auto"
+//   - 1..1024      -> "low"
+//   - 1025..8192   -> "medium"
+//   - 8193..24576  -> "high"
+//   - 24577..      -> highest supported level for the model (defaults to "xhigh")
+//
+// Returns false when the budget is unsupported (negative values other than -1).
+func ThinkingBudgetToEffort(model string, budget int) (string, bool) {
+	switch {
+	case budget == -1:
+		return "auto", true
+	case budget < -1:
+		return "", false
+	case budget == 0:
+		if levels := GetModelThinkingLevels(model); len(levels) > 0 {
+			return levels[0], true
+		}
+		return "none", true
+	case budget > 0 && budget <= 1024:
+		return "low", true
+	case budget <= 8192:
+		return "medium", true
+	case budget <= 24576:
+		return "high", true
+	case budget > 24576:
+		if levels := GetModelThinkingLevels(model); len(levels) > 0 {
+			return levels[len(levels)-1], true
+		}
+		return "xhigh", true
+	default:
+		return "", false
+	}
+}

internal/util/thinking_suffix.go

@@ -201,36 +201,6 @@ func ReasoningEffortFromMetadata(metadata map[string]any) (string, bool) {
 	return "", true
 }
 
-// ThinkingEffortToBudget maps reasoning effort levels to approximate budgets,
-// clamping the result to the model's supported range.
-func ThinkingEffortToBudget(model, effort string) (int, bool) {
-	if effort == "" {
-		return 0, false
-	}
-	normalized, ok := NormalizeReasoningEffortLevel(model, effort)
-	if !ok {
-		normalized = strings.ToLower(strings.TrimSpace(effort))
-	}
-	switch normalized {
-	case "none":
-		return 0, true
-	case "auto":
-		return NormalizeThinkingBudget(model, -1), true
-	case "minimal":
-		return NormalizeThinkingBudget(model, 512), true
-	case "low":
-		return NormalizeThinkingBudget(model, 1024), true
-	case "medium":
-		return NormalizeThinkingBudget(model, 8192), true
-	case "high":
-		return NormalizeThinkingBudget(model, 24576), true
-	case "xhigh":
-		return NormalizeThinkingBudget(model, 32768), true
-	default:
-		return 0, false
-	}
-}
-
 // ResolveOriginalModel returns the original model name stored in metadata (if present),
 // otherwise falls back to the provided model.
 func ResolveOriginalModel(model string, metadata map[string]any) string {

internal/util/translator.go

@@ -6,6 +6,7 @@ package util
 import (
 	"bytes"
 	"fmt"
+	"strings"
 
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
@@ -28,10 +29,17 @@ func Walk(value gjson.Result, path, field string, paths *[]string) {
 		// For JSON objects and arrays, iterate through each child
 		value.ForEach(func(key, val gjson.Result) bool {
 			var childPath string
+			// Escape special characters for gjson/sjson path syntax
+			// . -> \.
+			// * -> \*
+			// ? -> \?
+			var keyReplacer = strings.NewReplacer(".", "\\.", "*", "\\*", "?", "\\?")
+			safeKey := keyReplacer.Replace(key.String())
+
 			if path == "" {
-				childPath = key.String()
+				childPath = safeKey
 			} else {
-				childPath = path + "." + key.String()
+				childPath = path + "." + safeKey
 			}
 			if key.String() == field {
 				*paths = append(*paths, childPath)

internal/watcher/clients.go

@@ -0,0 +1,270 @@
+// clients.go implements watcher client lifecycle logic and persistence helpers.
+// It reloads clients, handles incremental auth file changes, and persists updates when supported.
+package watcher
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+	log "github.com/sirupsen/logrus"
+)
+
+func (w *Watcher) reloadClients(rescanAuth bool, affectedOAuthProviders []string, forceAuthRefresh bool) {
+	log.Debugf("starting full client load process")
+
+	w.clientsMutex.RLock()
+	cfg := w.config
+	w.clientsMutex.RUnlock()
+
+	if cfg == nil {
+		log.Error("config is nil, cannot reload clients")
+		return
+	}
+
+	if len(affectedOAuthProviders) > 0 {
+		w.clientsMutex.Lock()
+		if w.currentAuths != nil {
+			filtered := make(map[string]*coreauth.Auth, len(w.currentAuths))
+			for id, auth := range w.currentAuths {
+				if auth == nil {
+					continue
+				}
+				provider := strings.ToLower(strings.TrimSpace(auth.Provider))
+				if _, match := matchProvider(provider, affectedOAuthProviders); match {
+					continue
+				}
+				filtered[id] = auth
+			}
+			w.currentAuths = filtered
+			log.Debugf("applying oauth-excluded-models to providers %v", affectedOAuthProviders)
+		} else {
+			w.currentAuths = nil
+		}
+		w.clientsMutex.Unlock()
+	}
+
+	geminiAPIKeyCount, vertexCompatAPIKeyCount, claudeAPIKeyCount, codexAPIKeyCount, openAICompatCount := BuildAPIKeyClients(cfg)
+	totalAPIKeyClients := geminiAPIKeyCount + vertexCompatAPIKeyCount + claudeAPIKeyCount + codexAPIKeyCount + openAICompatCount
+	log.Debugf("loaded %d API key clients", totalAPIKeyClients)
+
+	var authFileCount int
+	if rescanAuth {
+		authFileCount = w.loadFileClients(cfg)
+		log.Debugf("loaded %d file-based clients", authFileCount)
+	} else {
+		w.clientsMutex.RLock()
+		authFileCount = len(w.lastAuthHashes)
+		w.clientsMutex.RUnlock()
+		log.Debugf("skipping auth directory rescan; retaining %d existing auth files", authFileCount)
+	}
+
+	if rescanAuth {
+		w.clientsMutex.Lock()
+
+		w.lastAuthHashes = make(map[string]string)
+		if resolvedAuthDir, errResolveAuthDir := util.ResolveAuthDir(cfg.AuthDir); errResolveAuthDir != nil {
+			log.Errorf("failed to resolve auth directory for hash cache: %v", errResolveAuthDir)
+		} else if resolvedAuthDir != "" {
+			_ = filepath.Walk(resolvedAuthDir, func(path string, info fs.FileInfo, err error) error {
+				if err != nil {
+					return nil
+				}
+				if !info.IsDir() && strings.HasSuffix(strings.ToLower(info.Name()), ".json") {
+					if data, errReadFile := os.ReadFile(path); errReadFile == nil && len(data) > 0 {
+						sum := sha256.Sum256(data)
+						normalizedPath := w.normalizeAuthPath(path)
+						w.lastAuthHashes[normalizedPath] = hex.EncodeToString(sum[:])
+					}
+				}
+				return nil
+			})
+		}
+		w.clientsMutex.Unlock()
+	}
+
+	totalNewClients := authFileCount + geminiAPIKeyCount + vertexCompatAPIKeyCount + claudeAPIKeyCount + codexAPIKeyCount + openAICompatCount
+
+	if w.reloadCallback != nil {
+		log.Debugf("triggering server update callback before auth refresh")
+		w.reloadCallback(cfg)
+	}
+
+	w.refreshAuthState(forceAuthRefresh)
+
+	log.Infof("full client load complete - %d clients (%d auth files + %d Gemini API keys + %d Vertex API keys + %d Claude API keys + %d Codex keys + %d OpenAI-compat)",
+		totalNewClients,
+		authFileCount,
+		geminiAPIKeyCount,
+		vertexCompatAPIKeyCount,
+		claudeAPIKeyCount,
+		codexAPIKeyCount,
+		openAICompatCount,
+	)
+}
+
+func (w *Watcher) addOrUpdateClient(path string) {
+	data, errRead := os.ReadFile(path)
+	if errRead != nil {
+		log.Errorf("failed to read auth file %s: %v", filepath.Base(path), errRead)
+		return
+	}
+	if len(data) == 0 {
+		log.Debugf("ignoring empty auth file: %s", filepath.Base(path))
+		return
+	}
+
+	sum := sha256.Sum256(data)
+	curHash := hex.EncodeToString(sum[:])
+	normalized := w.normalizeAuthPath(path)
+
+	w.clientsMutex.Lock()
+
+	cfg := w.config
+	if cfg == nil {
+		log.Error("config is nil, cannot add or update client")
+		w.clientsMutex.Unlock()
+		return
+	}
+	if prev, ok := w.lastAuthHashes[normalized]; ok && prev == curHash {
+		log.Debugf("auth file unchanged (hash match), skipping reload: %s", filepath.Base(path))
+		w.clientsMutex.Unlock()
+		return
+	}
+
+	w.lastAuthHashes[normalized] = curHash
+
+	w.clientsMutex.Unlock() // Unlock before the callback
+
+	w.refreshAuthState(false)
+
+	if w.reloadCallback != nil {
+		log.Debugf("triggering server update callback after add/update")
+		w.reloadCallback(cfg)
+	}
+	w.persistAuthAsync(fmt.Sprintf("Sync auth %s", filepath.Base(path)), path)
+}
+
+func (w *Watcher) removeClient(path string) {
+	normalized := w.normalizeAuthPath(path)
+	w.clientsMutex.Lock()
+
+	cfg := w.config
+	delete(w.lastAuthHashes, normalized)
+
+	w.clientsMutex.Unlock() // Release the lock before the callback
+
+	w.refreshAuthState(false)
+
+	if w.reloadCallback != nil {
+		log.Debugf("triggering server update callback after removal")
+		w.reloadCallback(cfg)
+	}
+	w.persistAuthAsync(fmt.Sprintf("Remove auth %s", filepath.Base(path)), path)
+}
+
+func (w *Watcher) loadFileClients(cfg *config.Config) int {
+	authFileCount := 0
+	successfulAuthCount := 0
+
+	authDir, errResolveAuthDir := util.ResolveAuthDir(cfg.AuthDir)
+	if errResolveAuthDir != nil {
+		log.Errorf("failed to resolve auth directory: %v", errResolveAuthDir)
+		return 0
+	}
+	if authDir == "" {
+		return 0
+	}
+
+	errWalk := filepath.Walk(authDir, func(path string, info fs.FileInfo, err error) error {
+		if err != nil {
+			log.Debugf("error accessing path %s: %v", path, err)
+			return err
+		}
+		if !info.IsDir() && strings.HasSuffix(strings.ToLower(info.Name()), ".json") {
+			authFileCount++
+			log.Debugf("processing auth file %d: %s", authFileCount, filepath.Base(path))
+			if data, errCreate := os.ReadFile(path); errCreate == nil && len(data) > 0 {
+				successfulAuthCount++
+			}
+		}
+		return nil
+	})
+
+	if errWalk != nil {
+		log.Errorf("error walking auth directory: %v", errWalk)
+	}
+	log.Debugf("auth directory scan complete - found %d .json files, %d readable", authFileCount, successfulAuthCount)
+	return authFileCount
+}
+
+func BuildAPIKeyClients(cfg *config.Config) (int, int, int, int, int) {
+	geminiAPIKeyCount := 0
+	vertexCompatAPIKeyCount := 0
+	claudeAPIKeyCount := 0
+	codexAPIKeyCount := 0
+	openAICompatCount := 0
+
+	if len(cfg.GeminiKey) > 0 {
+		geminiAPIKeyCount += len(cfg.GeminiKey)
+	}
+	if len(cfg.VertexCompatAPIKey) > 0 {
+		vertexCompatAPIKeyCount += len(cfg.VertexCompatAPIKey)
+	}
+	if len(cfg.ClaudeKey) > 0 {
+		claudeAPIKeyCount += len(cfg.ClaudeKey)
+	}
+	if len(cfg.CodexKey) > 0 {
+		codexAPIKeyCount += len(cfg.CodexKey)
+	}
+	if len(cfg.OpenAICompatibility) > 0 {
+		for _, compatConfig := range cfg.OpenAICompatibility {
+			openAICompatCount += len(compatConfig.APIKeyEntries)
+		}
+	}
+	return geminiAPIKeyCount, vertexCompatAPIKeyCount, claudeAPIKeyCount, codexAPIKeyCount, openAICompatCount
+}
+
+func (w *Watcher) persistConfigAsync() {
+	if w == nil || w.storePersister == nil {
+		return
+	}
+	go func() {
+		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer cancel()
+		if err := w.storePersister.PersistConfig(ctx); err != nil {
+			log.Errorf("failed to persist config change: %v", err)
+		}
+	}()
+}
+
+func (w *Watcher) persistAuthAsync(message string, paths ...string) {
+	if w == nil || w.storePersister == nil {
+		return
+	}
+	filtered := make([]string, 0, len(paths))
+	for _, p := range paths {
+		if trimmed := strings.TrimSpace(p); trimmed != "" {
+			filtered = append(filtered, trimmed)
+		}
+	}
+	if len(filtered) == 0 {
+		return
+	}
+	go func() {
+		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer cancel()
+		if err := w.storePersister.PersistAuthFiles(ctx, message, filtered...); err != nil {
+			log.Errorf("failed to persist auth changes: %v", err)
+		}
+	}()
+}

internal/watcher/config_reload.go

@@ -0,0 +1,134 @@
+// config_reload.go implements debounced configuration hot reload.
+// It detects material changes and reloads clients when the config changes.
+package watcher
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"os"
+	"time"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/watcher/diff"
+	"gopkg.in/yaml.v3"
+
+	log "github.com/sirupsen/logrus"
+)
+
+func (w *Watcher) stopConfigReloadTimer() {
+	w.configReloadMu.Lock()
+	if w.configReloadTimer != nil {
+		w.configReloadTimer.Stop()
+		w.configReloadTimer = nil
+	}
+	w.configReloadMu.Unlock()
+}
+
+func (w *Watcher) scheduleConfigReload() {
+	w.configReloadMu.Lock()
+	defer w.configReloadMu.Unlock()
+	if w.configReloadTimer != nil {
+		w.configReloadTimer.Stop()
+	}
+	w.configReloadTimer = time.AfterFunc(configReloadDebounce, func() {
+		w.configReloadMu.Lock()
+		w.configReloadTimer = nil
+		w.configReloadMu.Unlock()
+		w.reloadConfigIfChanged()
+	})
+}
+
+func (w *Watcher) reloadConfigIfChanged() {
+	data, err := os.ReadFile(w.configPath)
+	if err != nil {
+		log.Errorf("failed to read config file for hash check: %v", err)
+		return
+	}
+	if len(data) == 0 {
+		log.Debugf("ignoring empty config file write event")
+		return
+	}
+	sum := sha256.Sum256(data)
+	newHash := hex.EncodeToString(sum[:])
+
+	w.clientsMutex.RLock()
+	currentHash := w.lastConfigHash
+	w.clientsMutex.RUnlock()
+
+	if currentHash != "" && currentHash == newHash {
+		log.Debugf("config file content unchanged (hash match), skipping reload")
+		return
+	}
+	log.Infof("config file changed, reloading: %s", w.configPath)
+	if w.reloadConfig() {
+		finalHash := newHash
+		if updatedData, errRead := os.ReadFile(w.configPath); errRead == nil && len(updatedData) > 0 {
+			sumUpdated := sha256.Sum256(updatedData)
+			finalHash = hex.EncodeToString(sumUpdated[:])
+		} else if errRead != nil {
+			log.WithError(errRead).Debug("failed to compute updated config hash after reload")
+		}
+		w.clientsMutex.Lock()
+		w.lastConfigHash = finalHash
+		w.clientsMutex.Unlock()
+		w.persistConfigAsync()
+	}
+}
+
+func (w *Watcher) reloadConfig() bool {
+	log.Debug("=========================== CONFIG RELOAD ============================")
+	log.Debugf("starting config reload from: %s", w.configPath)
+
+	newConfig, errLoadConfig := config.LoadConfig(w.configPath)
+	if errLoadConfig != nil {
+		log.Errorf("failed to reload config: %v", errLoadConfig)
+		return false
+	}
+
+	if w.mirroredAuthDir != "" {
+		newConfig.AuthDir = w.mirroredAuthDir
+	} else {
+		if resolvedAuthDir, errResolveAuthDir := util.ResolveAuthDir(newConfig.AuthDir); errResolveAuthDir != nil {
+			log.Errorf("failed to resolve auth directory from config: %v", errResolveAuthDir)
+		} else {
+			newConfig.AuthDir = resolvedAuthDir
+		}
+	}
+
+	w.clientsMutex.Lock()
+	var oldConfig *config.Config
+	_ = yaml.Unmarshal(w.oldConfigYaml, &oldConfig)
+	w.oldConfigYaml, _ = yaml.Marshal(newConfig)
+	w.config = newConfig
+	w.clientsMutex.Unlock()
+
+	var affectedOAuthProviders []string
+	if oldConfig != nil {
+		_, affectedOAuthProviders = diff.DiffOAuthExcludedModelChanges(oldConfig.OAuthExcludedModels, newConfig.OAuthExcludedModels)
+	}
+
+	util.SetLogLevel(newConfig)
+	if oldConfig != nil && oldConfig.Debug != newConfig.Debug {
+		log.Debugf("log level updated - debug mode changed from %t to %t", oldConfig.Debug, newConfig.Debug)
+	}
+
+	if oldConfig != nil {
+		details := diff.BuildConfigChangeDetails(oldConfig, newConfig)
+		if len(details) > 0 {
+			log.Debugf("config changes detected:")
+			for _, d := range details {
+				log.Debugf("  %s", d)
+			}
+		} else {
+			log.Debugf("no material config field changes detected")
+		}
+	}
+
+	authDirChanged := oldConfig == nil || oldConfig.AuthDir != newConfig.AuthDir
+	forceAuthRefresh := oldConfig != nil && oldConfig.ForceModelPrefix != newConfig.ForceModelPrefix
+
+	log.Infof("config successfully reloaded, triggering client reload")
+	w.reloadClients(authDirChanged, affectedOAuthProviders, forceAuthRefresh)
+	return true
+}

internal/watcher/diff/config_diff.go

@@ -0,0 +1,303 @@
+package diff
+
+import (
+	"fmt"
+	"net/url"
+	"reflect"
+	"strings"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+)
+
+// BuildConfigChangeDetails computes a redacted, human-readable list of config changes.
+// Secrets are never printed; only structural or non-sensitive fields are surfaced.
+func BuildConfigChangeDetails(oldCfg, newCfg *config.Config) []string {
+	changes := make([]string, 0, 16)
+	if oldCfg == nil || newCfg == nil {
+		return changes
+	}
+
+	// Simple scalars
+	if oldCfg.Port != newCfg.Port {
+		changes = append(changes, fmt.Sprintf("port: %d -> %d", oldCfg.Port, newCfg.Port))
+	}
+	if oldCfg.AuthDir != newCfg.AuthDir {
+		changes = append(changes, fmt.Sprintf("auth-dir: %s -> %s", oldCfg.AuthDir, newCfg.AuthDir))
+	}
+	if oldCfg.Debug != newCfg.Debug {
+		changes = append(changes, fmt.Sprintf("debug: %t -> %t", oldCfg.Debug, newCfg.Debug))
+	}
+	if oldCfg.LoggingToFile != newCfg.LoggingToFile {
+		changes = append(changes, fmt.Sprintf("logging-to-file: %t -> %t", oldCfg.LoggingToFile, newCfg.LoggingToFile))
+	}
+	if oldCfg.UsageStatisticsEnabled != newCfg.UsageStatisticsEnabled {
+		changes = append(changes, fmt.Sprintf("usage-statistics-enabled: %t -> %t", oldCfg.UsageStatisticsEnabled, newCfg.UsageStatisticsEnabled))
+	}
+	if oldCfg.DisableCooling != newCfg.DisableCooling {
+		changes = append(changes, fmt.Sprintf("disable-cooling: %t -> %t", oldCfg.DisableCooling, newCfg.DisableCooling))
+	}
+	if oldCfg.RequestLog != newCfg.RequestLog {
+		changes = append(changes, fmt.Sprintf("request-log: %t -> %t", oldCfg.RequestLog, newCfg.RequestLog))
+	}
+	if oldCfg.RequestRetry != newCfg.RequestRetry {
+		changes = append(changes, fmt.Sprintf("request-retry: %d -> %d", oldCfg.RequestRetry, newCfg.RequestRetry))
+	}
+	if oldCfg.MaxRetryInterval != newCfg.MaxRetryInterval {
+		changes = append(changes, fmt.Sprintf("max-retry-interval: %d -> %d", oldCfg.MaxRetryInterval, newCfg.MaxRetryInterval))
+	}
+	if oldCfg.ProxyURL != newCfg.ProxyURL {
+		changes = append(changes, fmt.Sprintf("proxy-url: %s -> %s", formatProxyURL(oldCfg.ProxyURL), formatProxyURL(newCfg.ProxyURL)))
+	}
+	if oldCfg.WebsocketAuth != newCfg.WebsocketAuth {
+		changes = append(changes, fmt.Sprintf("ws-auth: %t -> %t", oldCfg.WebsocketAuth, newCfg.WebsocketAuth))
+	}
+	if oldCfg.ForceModelPrefix != newCfg.ForceModelPrefix {
+		changes = append(changes, fmt.Sprintf("force-model-prefix: %t -> %t", oldCfg.ForceModelPrefix, newCfg.ForceModelPrefix))
+	}
+
+	// Quota-exceeded behavior
+	if oldCfg.QuotaExceeded.SwitchProject != newCfg.QuotaExceeded.SwitchProject {
+		changes = append(changes, fmt.Sprintf("quota-exceeded.switch-project: %t -> %t", oldCfg.QuotaExceeded.SwitchProject, newCfg.QuotaExceeded.SwitchProject))
+	}
+	if oldCfg.QuotaExceeded.SwitchPreviewModel != newCfg.QuotaExceeded.SwitchPreviewModel {
+		changes = append(changes, fmt.Sprintf("quota-exceeded.switch-preview-model: %t -> %t", oldCfg.QuotaExceeded.SwitchPreviewModel, newCfg.QuotaExceeded.SwitchPreviewModel))
+	}
+
+	// API keys (redacted) and counts
+	if len(oldCfg.APIKeys) != len(newCfg.APIKeys) {
+		changes = append(changes, fmt.Sprintf("api-keys count: %d -> %d", len(oldCfg.APIKeys), len(newCfg.APIKeys)))
+	} else if !reflect.DeepEqual(trimStrings(oldCfg.APIKeys), trimStrings(newCfg.APIKeys)) {
+		changes = append(changes, "api-keys: values updated (count unchanged, redacted)")
+	}
+	if len(oldCfg.GeminiKey) != len(newCfg.GeminiKey) {
+		changes = append(changes, fmt.Sprintf("gemini-api-key count: %d -> %d", len(oldCfg.GeminiKey), len(newCfg.GeminiKey)))
+	} else {
+		for i := range oldCfg.GeminiKey {
+			o := oldCfg.GeminiKey[i]
+			n := newCfg.GeminiKey[i]
+			if strings.TrimSpace(o.BaseURL) != strings.TrimSpace(n.BaseURL) {
+				changes = append(changes, fmt.Sprintf("gemini[%d].base-url: %s -> %s", i, strings.TrimSpace(o.BaseURL), strings.TrimSpace(n.BaseURL)))
+			}
+			if strings.TrimSpace(o.ProxyURL) != strings.TrimSpace(n.ProxyURL) {
+				changes = append(changes, fmt.Sprintf("gemini[%d].proxy-url: %s -> %s", i, formatProxyURL(o.ProxyURL), formatProxyURL(n.ProxyURL)))
+			}
+			if strings.TrimSpace(o.Prefix) != strings.TrimSpace(n.Prefix) {
+				changes = append(changes, fmt.Sprintf("gemini[%d].prefix: %s -> %s", i, strings.TrimSpace(o.Prefix), strings.TrimSpace(n.Prefix)))
+			}
+			if strings.TrimSpace(o.APIKey) != strings.TrimSpace(n.APIKey) {
+				changes = append(changes, fmt.Sprintf("gemini[%d].api-key: updated", i))
+			}
+			if !equalStringMap(o.Headers, n.Headers) {
+				changes = append(changes, fmt.Sprintf("gemini[%d].headers: updated", i))
+			}
+			oldExcluded := SummarizeExcludedModels(o.ExcludedModels)
+			newExcluded := SummarizeExcludedModels(n.ExcludedModels)
+			if oldExcluded.hash != newExcluded.hash {
+				changes = append(changes, fmt.Sprintf("gemini[%d].excluded-models: updated (%d -> %d entries)", i, oldExcluded.count, newExcluded.count))
+			}
+		}
+	}
+
+	// Claude keys (do not print key material)
+	if len(oldCfg.ClaudeKey) != len(newCfg.ClaudeKey) {
+		changes = append(changes, fmt.Sprintf("claude-api-key count: %d -> %d", len(oldCfg.ClaudeKey), len(newCfg.ClaudeKey)))
+	} else {
+		for i := range oldCfg.ClaudeKey {
+			o := oldCfg.ClaudeKey[i]
+			n := newCfg.ClaudeKey[i]
+			if strings.TrimSpace(o.BaseURL) != strings.TrimSpace(n.BaseURL) {
+				changes = append(changes, fmt.Sprintf("claude[%d].base-url: %s -> %s", i, strings.TrimSpace(o.BaseURL), strings.TrimSpace(n.BaseURL)))
+			}
+			if strings.TrimSpace(o.ProxyURL) != strings.TrimSpace(n.ProxyURL) {
+				changes = append(changes, fmt.Sprintf("claude[%d].proxy-url: %s -> %s", i, formatProxyURL(o.ProxyURL), formatProxyURL(n.ProxyURL)))
+			}
+			if strings.TrimSpace(o.Prefix) != strings.TrimSpace(n.Prefix) {
+				changes = append(changes, fmt.Sprintf("claude[%d].prefix: %s -> %s", i, strings.TrimSpace(o.Prefix), strings.TrimSpace(n.Prefix)))
+			}
+			if strings.TrimSpace(o.APIKey) != strings.TrimSpace(n.APIKey) {
+				changes = append(changes, fmt.Sprintf("claude[%d].api-key: updated", i))
+			}
+			if !equalStringMap(o.Headers, n.Headers) {
+				changes = append(changes, fmt.Sprintf("claude[%d].headers: updated", i))
+			}
+			oldExcluded := SummarizeExcludedModels(o.ExcludedModels)
+			newExcluded := SummarizeExcludedModels(n.ExcludedModels)
+			if oldExcluded.hash != newExcluded.hash {
+				changes = append(changes, fmt.Sprintf("claude[%d].excluded-models: updated (%d -> %d entries)", i, oldExcluded.count, newExcluded.count))
+			}
+		}
+	}
+
+	// Codex keys (do not print key material)
+	if len(oldCfg.CodexKey) != len(newCfg.CodexKey) {
+		changes = append(changes, fmt.Sprintf("codex-api-key count: %d -> %d", len(oldCfg.CodexKey), len(newCfg.CodexKey)))
+	} else {
+		for i := range oldCfg.CodexKey {
+			o := oldCfg.CodexKey[i]
+			n := newCfg.CodexKey[i]
+			if strings.TrimSpace(o.BaseURL) != strings.TrimSpace(n.BaseURL) {
+				changes = append(changes, fmt.Sprintf("codex[%d].base-url: %s -> %s", i, strings.TrimSpace(o.BaseURL), strings.TrimSpace(n.BaseURL)))
+			}
+			if strings.TrimSpace(o.ProxyURL) != strings.TrimSpace(n.ProxyURL) {
+				changes = append(changes, fmt.Sprintf("codex[%d].proxy-url: %s -> %s", i, formatProxyURL(o.ProxyURL), formatProxyURL(n.ProxyURL)))
+			}
+			if strings.TrimSpace(o.Prefix) != strings.TrimSpace(n.Prefix) {
+				changes = append(changes, fmt.Sprintf("codex[%d].prefix: %s -> %s", i, strings.TrimSpace(o.Prefix), strings.TrimSpace(n.Prefix)))
+			}
+			if strings.TrimSpace(o.APIKey) != strings.TrimSpace(n.APIKey) {
+				changes = append(changes, fmt.Sprintf("codex[%d].api-key: updated", i))
+			}
+			if !equalStringMap(o.Headers, n.Headers) {
+				changes = append(changes, fmt.Sprintf("codex[%d].headers: updated", i))
+			}
+			oldExcluded := SummarizeExcludedModels(o.ExcludedModels)
+			newExcluded := SummarizeExcludedModels(n.ExcludedModels)
+			if oldExcluded.hash != newExcluded.hash {
+				changes = append(changes, fmt.Sprintf("codex[%d].excluded-models: updated (%d -> %d entries)", i, oldExcluded.count, newExcluded.count))
+			}
+		}
+	}
+
+	// AmpCode settings (redacted where needed)
+	oldAmpURL := strings.TrimSpace(oldCfg.AmpCode.UpstreamURL)
+	newAmpURL := strings.TrimSpace(newCfg.AmpCode.UpstreamURL)
+	if oldAmpURL != newAmpURL {
+		changes = append(changes, fmt.Sprintf("ampcode.upstream-url: %s -> %s", oldAmpURL, newAmpURL))
+	}
+	oldAmpKey := strings.TrimSpace(oldCfg.AmpCode.UpstreamAPIKey)
+	newAmpKey := strings.TrimSpace(newCfg.AmpCode.UpstreamAPIKey)
+	switch {
+	case oldAmpKey == "" && newAmpKey != "":
+		changes = append(changes, "ampcode.upstream-api-key: added")
+	case oldAmpKey != "" && newAmpKey == "":
+		changes = append(changes, "ampcode.upstream-api-key: removed")
+	case oldAmpKey != newAmpKey:
+		changes = append(changes, "ampcode.upstream-api-key: updated")
+	}
+	if oldCfg.AmpCode.RestrictManagementToLocalhost != newCfg.AmpCode.RestrictManagementToLocalhost {
+		changes = append(changes, fmt.Sprintf("ampcode.restrict-management-to-localhost: %t -> %t", oldCfg.AmpCode.RestrictManagementToLocalhost, newCfg.AmpCode.RestrictManagementToLocalhost))
+	}
+	oldMappings := SummarizeAmpModelMappings(oldCfg.AmpCode.ModelMappings)
+	newMappings := SummarizeAmpModelMappings(newCfg.AmpCode.ModelMappings)
+	if oldMappings.hash != newMappings.hash {
+		changes = append(changes, fmt.Sprintf("ampcode.model-mappings: updated (%d -> %d entries)", oldMappings.count, newMappings.count))
+	}
+	if oldCfg.AmpCode.ForceModelMappings != newCfg.AmpCode.ForceModelMappings {
+		changes = append(changes, fmt.Sprintf("ampcode.force-model-mappings: %t -> %t", oldCfg.AmpCode.ForceModelMappings, newCfg.AmpCode.ForceModelMappings))
+	}
+
+	if entries, _ := DiffOAuthExcludedModelChanges(oldCfg.OAuthExcludedModels, newCfg.OAuthExcludedModels); len(entries) > 0 {
+		changes = append(changes, entries...)
+	}
+
+	// Remote management (never print the key)
+	if oldCfg.RemoteManagement.AllowRemote != newCfg.RemoteManagement.AllowRemote {
+		changes = append(changes, fmt.Sprintf("remote-management.allow-remote: %t -> %t", oldCfg.RemoteManagement.AllowRemote, newCfg.RemoteManagement.AllowRemote))
+	}
+	if oldCfg.RemoteManagement.DisableControlPanel != newCfg.RemoteManagement.DisableControlPanel {
+		changes = append(changes, fmt.Sprintf("remote-management.disable-control-panel: %t -> %t", oldCfg.RemoteManagement.DisableControlPanel, newCfg.RemoteManagement.DisableControlPanel))
+	}
+	oldPanelRepo := strings.TrimSpace(oldCfg.RemoteManagement.PanelGitHubRepository)
+	newPanelRepo := strings.TrimSpace(newCfg.RemoteManagement.PanelGitHubRepository)
+	if oldPanelRepo != newPanelRepo {
+		changes = append(changes, fmt.Sprintf("remote-management.panel-github-repository: %s -> %s", oldPanelRepo, newPanelRepo))
+	}
+	if oldCfg.RemoteManagement.SecretKey != newCfg.RemoteManagement.SecretKey {
+		switch {
+		case oldCfg.RemoteManagement.SecretKey == "" && newCfg.RemoteManagement.SecretKey != "":
+			changes = append(changes, "remote-management.secret-key: created")
+		case oldCfg.RemoteManagement.SecretKey != "" && newCfg.RemoteManagement.SecretKey == "":
+			changes = append(changes, "remote-management.secret-key: deleted")
+		default:
+			changes = append(changes, "remote-management.secret-key: updated")
+		}
+	}
+
+	// OpenAI compatibility providers (summarized)
+	if compat := DiffOpenAICompatibility(oldCfg.OpenAICompatibility, newCfg.OpenAICompatibility); len(compat) > 0 {
+		changes = append(changes, "openai-compatibility:")
+		for _, c := range compat {
+			changes = append(changes, "  "+c)
+		}
+	}
+
+	// Vertex-compatible API keys
+	if len(oldCfg.VertexCompatAPIKey) != len(newCfg.VertexCompatAPIKey) {
+		changes = append(changes, fmt.Sprintf("vertex-api-key count: %d -> %d", len(oldCfg.VertexCompatAPIKey), len(newCfg.VertexCompatAPIKey)))
+	} else {
+		for i := range oldCfg.VertexCompatAPIKey {
+			o := oldCfg.VertexCompatAPIKey[i]
+			n := newCfg.VertexCompatAPIKey[i]
+			if strings.TrimSpace(o.BaseURL) != strings.TrimSpace(n.BaseURL) {
+				changes = append(changes, fmt.Sprintf("vertex[%d].base-url: %s -> %s", i, strings.TrimSpace(o.BaseURL), strings.TrimSpace(n.BaseURL)))
+			}
+			if strings.TrimSpace(o.ProxyURL) != strings.TrimSpace(n.ProxyURL) {
+				changes = append(changes, fmt.Sprintf("vertex[%d].proxy-url: %s -> %s", i, formatProxyURL(o.ProxyURL), formatProxyURL(n.ProxyURL)))
+			}
+			if strings.TrimSpace(o.Prefix) != strings.TrimSpace(n.Prefix) {
+				changes = append(changes, fmt.Sprintf("vertex[%d].prefix: %s -> %s", i, strings.TrimSpace(o.Prefix), strings.TrimSpace(n.Prefix)))
+			}
+			if strings.TrimSpace(o.APIKey) != strings.TrimSpace(n.APIKey) {
+				changes = append(changes, fmt.Sprintf("vertex[%d].api-key: updated", i))
+			}
+			oldModels := SummarizeVertexModels(o.Models)
+			newModels := SummarizeVertexModels(n.Models)
+			if oldModels.hash != newModels.hash {
+				changes = append(changes, fmt.Sprintf("vertex[%d].models: updated (%d -> %d entries)", i, oldModels.count, newModels.count))
+			}
+			if !equalStringMap(o.Headers, n.Headers) {
+				changes = append(changes, fmt.Sprintf("vertex[%d].headers: updated", i))
+			}
+		}
+	}
+
+	return changes
+}
+
+func trimStrings(in []string) []string {
+	out := make([]string, len(in))
+	for i := range in {
+		out[i] = strings.TrimSpace(in[i])
+	}
+	return out
+}
+
+func equalStringMap(a, b map[string]string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for k, v := range a {
+		if b[k] != v {
+			return false
+		}
+	}
+	return true
+}
+
+func formatProxyURL(raw string) string {
+	trimmed := strings.TrimSpace(raw)
+	if trimmed == "" {
+		return "<none>"
+	}
+	parsed, err := url.Parse(trimmed)
+	if err != nil {
+		return "<redacted>"
+	}
+	host := strings.TrimSpace(parsed.Host)
+	scheme := strings.TrimSpace(parsed.Scheme)
+	if host == "" {
+		// Allow host:port style without scheme.
+		parsed2, err2 := url.Parse("http://" + trimmed)
+		if err2 == nil {
+			host = strings.TrimSpace(parsed2.Host)
+		}
+		scheme = ""
+	}
+	if host == "" {
+		return "<redacted>"
+	}
+	if scheme == "" {
+		return host
+	}
+	return scheme + "://" + host
+}

internal/watcher/diff/config_diff_test.go

@@ -0,0 +1,529 @@
+package diff
+
+import (
+	"testing"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	sdkconfig "github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
+)
+
+func TestBuildConfigChangeDetails(t *testing.T) {
+	oldCfg := &config.Config{
+		Port:    8080,
+		AuthDir: "/tmp/auth-old",
+		GeminiKey: []config.GeminiKey{
+			{APIKey: "old", BaseURL: "http://old", ExcludedModels: []string{"old-model"}},
+		},
+		AmpCode: config.AmpCode{
+			UpstreamURL:                   "http://old-upstream",
+			ModelMappings:                 []config.AmpModelMapping{{From: "from-old", To: "to-old"}},
+			RestrictManagementToLocalhost: false,
+		},
+		RemoteManagement: config.RemoteManagement{
+			AllowRemote:           false,
+			SecretKey:             "old",
+			DisableControlPanel:   false,
+			PanelGitHubRepository: "repo-old",
+		},
+		OAuthExcludedModels: map[string][]string{
+			"providerA": {"m1"},
+		},
+		OpenAICompatibility: []config.OpenAICompatibility{
+			{
+				Name: "compat-a",
+				APIKeyEntries: []config.OpenAICompatibilityAPIKey{
+					{APIKey: "k1"},
+				},
+				Models: []config.OpenAICompatibilityModel{{Name: "m1"}},
+			},
+		},
+	}
+
+	newCfg := &config.Config{
+		Port:    9090,
+		AuthDir: "/tmp/auth-new",
+		GeminiKey: []config.GeminiKey{
+			{APIKey: "old", BaseURL: "http://old", ExcludedModels: []string{"old-model", "extra"}},
+		},
+		AmpCode: config.AmpCode{
+			UpstreamURL:                   "http://new-upstream",
+			RestrictManagementToLocalhost: true,
+			ModelMappings: []config.AmpModelMapping{
+				{From: "from-old", To: "to-old"},
+				{From: "from-new", To: "to-new"},
+			},
+		},
+		RemoteManagement: config.RemoteManagement{
+			AllowRemote:           true,
+			SecretKey:             "new",
+			DisableControlPanel:   true,
+			PanelGitHubRepository: "repo-new",
+		},
+		OAuthExcludedModels: map[string][]string{
+			"providerA": {"m1", "m2"},
+			"providerB": {"x"},
+		},
+		OpenAICompatibility: []config.OpenAICompatibility{
+			{
+				Name: "compat-a",
+				APIKeyEntries: []config.OpenAICompatibilityAPIKey{
+					{APIKey: "k1"},
+				},
+				Models: []config.OpenAICompatibilityModel{{Name: "m1"}, {Name: "m2"}},
+			},
+			{
+				Name: "compat-b",
+				APIKeyEntries: []config.OpenAICompatibilityAPIKey{
+					{APIKey: "k2"},
+				},
+			},
+		},
+	}
+
+	details := BuildConfigChangeDetails(oldCfg, newCfg)
+
+	expectContains(t, details, "port: 8080 -> 9090")
+	expectContains(t, details, "auth-dir: /tmp/auth-old -> /tmp/auth-new")
+	expectContains(t, details, "gemini[0].excluded-models: updated (1 -> 2 entries)")
+	expectContains(t, details, "ampcode.upstream-url: http://old-upstream -> http://new-upstream")
+	expectContains(t, details, "ampcode.model-mappings: updated (1 -> 2 entries)")
+	expectContains(t, details, "remote-management.allow-remote: false -> true")
+	expectContains(t, details, "remote-management.secret-key: updated")
+	expectContains(t, details, "oauth-excluded-models[providera]: updated (1 -> 2 entries)")
+	expectContains(t, details, "oauth-excluded-models[providerb]: added (1 entries)")
+	expectContains(t, details, "openai-compatibility:")
+	expectContains(t, details, "  provider added: compat-b (api-keys=1, models=0)")
+	expectContains(t, details, "  provider updated: compat-a (models 1 -> 2)")
+}
+
+func TestBuildConfigChangeDetails_NoChanges(t *testing.T) {
+	cfg := &config.Config{
+		Port: 8080,
+	}
+	if details := BuildConfigChangeDetails(cfg, cfg); len(details) != 0 {
+		t.Fatalf("expected no change entries, got %v", details)
+	}
+}
+
+func TestBuildConfigChangeDetails_GeminiVertexHeadersAndForceMappings(t *testing.T) {
+	oldCfg := &config.Config{
+		GeminiKey: []config.GeminiKey{
+			{APIKey: "g1", Headers: map[string]string{"H": "1"}, ExcludedModels: []string{"a"}},
+		},
+		VertexCompatAPIKey: []config.VertexCompatKey{
+			{APIKey: "v1", BaseURL: "http://v-old", Models: []config.VertexCompatModel{{Name: "m1"}}},
+		},
+		AmpCode: config.AmpCode{
+			ModelMappings:      []config.AmpModelMapping{{From: "a", To: "b"}},
+			ForceModelMappings: false,
+		},
+	}
+	newCfg := &config.Config{
+		GeminiKey: []config.GeminiKey{
+			{APIKey: "g1", Headers: map[string]string{"H": "2"}, ExcludedModels: []string{"a", "b"}},
+		},
+		VertexCompatAPIKey: []config.VertexCompatKey{
+			{APIKey: "v1", BaseURL: "http://v-new", Models: []config.VertexCompatModel{{Name: "m1"}, {Name: "m2"}}},
+		},
+		AmpCode: config.AmpCode{
+			ModelMappings:      []config.AmpModelMapping{{From: "a", To: "c"}},
+			ForceModelMappings: true,
+		},
+	}
+
+	details := BuildConfigChangeDetails(oldCfg, newCfg)
+	expectContains(t, details, "gemini[0].headers: updated")
+	expectContains(t, details, "gemini[0].excluded-models: updated (1 -> 2 entries)")
+	expectContains(t, details, "ampcode.model-mappings: updated (1 -> 1 entries)")
+	expectContains(t, details, "ampcode.force-model-mappings: false -> true")
+}
+
+func TestBuildConfigChangeDetails_ModelPrefixes(t *testing.T) {
+	oldCfg := &config.Config{
+		GeminiKey: []config.GeminiKey{
+			{APIKey: "g1", Prefix: "old-g", BaseURL: "http://g", ProxyURL: "http://gp"},
+		},
+		ClaudeKey: []config.ClaudeKey{
+			{APIKey: "c1", Prefix: "old-c", BaseURL: "http://c", ProxyURL: "http://cp"},
+		},
+		CodexKey: []config.CodexKey{
+			{APIKey: "x1", Prefix: "old-x", BaseURL: "http://x", ProxyURL: "http://xp"},
+		},
+		VertexCompatAPIKey: []config.VertexCompatKey{
+			{APIKey: "v1", Prefix: "old-v", BaseURL: "http://v", ProxyURL: "http://vp"},
+		},
+	}
+	newCfg := &config.Config{
+		GeminiKey: []config.GeminiKey{
+			{APIKey: "g1", Prefix: "new-g", BaseURL: "http://g", ProxyURL: "http://gp"},
+		},
+		ClaudeKey: []config.ClaudeKey{
+			{APIKey: "c1", Prefix: "new-c", BaseURL: "http://c", ProxyURL: "http://cp"},
+		},
+		CodexKey: []config.CodexKey{
+			{APIKey: "x1", Prefix: "new-x", BaseURL: "http://x", ProxyURL: "http://xp"},
+		},
+		VertexCompatAPIKey: []config.VertexCompatKey{
+			{APIKey: "v1", Prefix: "new-v", BaseURL: "http://v", ProxyURL: "http://vp"},
+		},
+	}
+
+	changes := BuildConfigChangeDetails(oldCfg, newCfg)
+	expectContains(t, changes, "gemini[0].prefix: old-g -> new-g")
+	expectContains(t, changes, "claude[0].prefix: old-c -> new-c")
+	expectContains(t, changes, "codex[0].prefix: old-x -> new-x")
+	expectContains(t, changes, "vertex[0].prefix: old-v -> new-v")
+}
+
+func TestBuildConfigChangeDetails_NilSafe(t *testing.T) {
+	if details := BuildConfigChangeDetails(nil, &config.Config{}); len(details) != 0 {
+		t.Fatalf("expected empty change list when old nil, got %v", details)
+	}
+	if details := BuildConfigChangeDetails(&config.Config{}, nil); len(details) != 0 {
+		t.Fatalf("expected empty change list when new nil, got %v", details)
+	}
+}
+
+func TestBuildConfigChangeDetails_SecretsAndCounts(t *testing.T) {
+	oldCfg := &config.Config{
+		SDKConfig: sdkconfig.SDKConfig{
+			APIKeys: []string{"a"},
+		},
+		AmpCode: config.AmpCode{
+			UpstreamAPIKey: "",
+		},
+		RemoteManagement: config.RemoteManagement{
+			SecretKey: "",
+		},
+	}
+	newCfg := &config.Config{
+		SDKConfig: sdkconfig.SDKConfig{
+			APIKeys: []string{"a", "b", "c"},
+		},
+		AmpCode: config.AmpCode{
+			UpstreamAPIKey: "new-key",
+		},
+		RemoteManagement: config.RemoteManagement{
+			SecretKey: "new-secret",
+		},
+	}
+
+	details := BuildConfigChangeDetails(oldCfg, newCfg)
+	expectContains(t, details, "api-keys count: 1 -> 3")
+	expectContains(t, details, "ampcode.upstream-api-key: added")
+	expectContains(t, details, "remote-management.secret-key: created")
+}
+
+func TestBuildConfigChangeDetails_FlagsAndKeys(t *testing.T) {
+	oldCfg := &config.Config{
+		Port:                   1000,
+		AuthDir:                "/old",
+		Debug:                  false,
+		LoggingToFile:          false,
+		UsageStatisticsEnabled: false,
+		DisableCooling:         false,
+		RequestRetry:           1,
+		MaxRetryInterval:       1,
+		WebsocketAuth:          false,
+		QuotaExceeded:          config.QuotaExceeded{SwitchProject: false, SwitchPreviewModel: false},
+		ClaudeKey:              []config.ClaudeKey{{APIKey: "c1"}},
+		CodexKey:               []config.CodexKey{{APIKey: "x1"}},
+		AmpCode:                config.AmpCode{UpstreamAPIKey: "keep", RestrictManagementToLocalhost: false},
+		RemoteManagement:       config.RemoteManagement{DisableControlPanel: false, PanelGitHubRepository: "old/repo", SecretKey: "keep"},
+		SDKConfig: sdkconfig.SDKConfig{
+			RequestLog:       false,
+			ProxyURL:         "http://old-proxy",
+			APIKeys:          []string{"key-1"},
+			ForceModelPrefix: false,
+		},
+	}
+	newCfg := &config.Config{
+		Port:                   2000,
+		AuthDir:                "/new",
+		Debug:                  true,
+		LoggingToFile:          true,
+		UsageStatisticsEnabled: true,
+		DisableCooling:         true,
+		RequestRetry:           2,
+		MaxRetryInterval:       3,
+		WebsocketAuth:          true,
+		QuotaExceeded:          config.QuotaExceeded{SwitchProject: true, SwitchPreviewModel: true},
+		ClaudeKey: []config.ClaudeKey{
+			{APIKey: "c1", BaseURL: "http://new", ProxyURL: "http://p", Headers: map[string]string{"H": "1"}, ExcludedModels: []string{"a"}},
+			{APIKey: "c2"},
+		},
+		CodexKey: []config.CodexKey{
+			{APIKey: "x1", BaseURL: "http://x", ProxyURL: "http://px", Headers: map[string]string{"H": "2"}, ExcludedModels: []string{"b"}},
+			{APIKey: "x2"},
+		},
+		AmpCode: config.AmpCode{
+			UpstreamAPIKey:                "",
+			RestrictManagementToLocalhost: true,
+			ModelMappings:                 []config.AmpModelMapping{{From: "a", To: "b"}},
+		},
+		RemoteManagement: config.RemoteManagement{
+			DisableControlPanel:   true,
+			PanelGitHubRepository: "new/repo",
+			SecretKey:             "",
+		},
+		SDKConfig: sdkconfig.SDKConfig{
+			RequestLog:       true,
+			ProxyURL:         "http://new-proxy",
+			APIKeys:          []string{" key-1 ", "key-2"},
+			ForceModelPrefix: true,
+		},
+	}
+
+	details := BuildConfigChangeDetails(oldCfg, newCfg)
+	expectContains(t, details, "debug: false -> true")
+	expectContains(t, details, "logging-to-file: false -> true")
+	expectContains(t, details, "usage-statistics-enabled: false -> true")
+	expectContains(t, details, "disable-cooling: false -> true")
+	expectContains(t, details, "request-log: false -> true")
+	expectContains(t, details, "request-retry: 1 -> 2")
+	expectContains(t, details, "max-retry-interval: 1 -> 3")
+	expectContains(t, details, "proxy-url: http://old-proxy -> http://new-proxy")
+	expectContains(t, details, "ws-auth: false -> true")
+	expectContains(t, details, "force-model-prefix: false -> true")
+	expectContains(t, details, "quota-exceeded.switch-project: false -> true")
+	expectContains(t, details, "quota-exceeded.switch-preview-model: false -> true")
+	expectContains(t, details, "api-keys count: 1 -> 2")
+	expectContains(t, details, "claude-api-key count: 1 -> 2")
+	expectContains(t, details, "codex-api-key count: 1 -> 2")
+	expectContains(t, details, "ampcode.restrict-management-to-localhost: false -> true")
+	expectContains(t, details, "ampcode.upstream-api-key: removed")
+	expectContains(t, details, "remote-management.disable-control-panel: false -> true")
+	expectContains(t, details, "remote-management.panel-github-repository: old/repo -> new/repo")
+	expectContains(t, details, "remote-management.secret-key: deleted")
+}
+
+func TestBuildConfigChangeDetails_AllBranches(t *testing.T) {
+	oldCfg := &config.Config{
+		Port:                   1,
+		AuthDir:                "/a",
+		Debug:                  false,
+		LoggingToFile:          false,
+		UsageStatisticsEnabled: false,
+		DisableCooling:         false,
+		RequestRetry:           1,
+		MaxRetryInterval:       1,
+		WebsocketAuth:          false,
+		QuotaExceeded:          config.QuotaExceeded{SwitchProject: false, SwitchPreviewModel: false},
+		GeminiKey: []config.GeminiKey{
+			{APIKey: "g-old", BaseURL: "http://g-old", ProxyURL: "http://gp-old", Headers: map[string]string{"A": "1"}},
+		},
+		ClaudeKey: []config.ClaudeKey{
+			{APIKey: "c-old", BaseURL: "http://c-old", ProxyURL: "http://cp-old", Headers: map[string]string{"H": "1"}, ExcludedModels: []string{"x"}},
+		},
+		CodexKey: []config.CodexKey{
+			{APIKey: "x-old", BaseURL: "http://x-old", ProxyURL: "http://xp-old", Headers: map[string]string{"H": "1"}, ExcludedModels: []string{"x"}},
+		},
+		VertexCompatAPIKey: []config.VertexCompatKey{
+			{APIKey: "v-old", BaseURL: "http://v-old", ProxyURL: "http://vp-old", Headers: map[string]string{"H": "1"}, Models: []config.VertexCompatModel{{Name: "m1"}}},
+		},
+		AmpCode: config.AmpCode{
+			UpstreamURL:                   "http://amp-old",
+			UpstreamAPIKey:                "old-key",
+			RestrictManagementToLocalhost: false,
+			ModelMappings:                 []config.AmpModelMapping{{From: "a", To: "b"}},
+			ForceModelMappings:            false,
+		},
+		RemoteManagement: config.RemoteManagement{
+			AllowRemote:           false,
+			DisableControlPanel:   false,
+			PanelGitHubRepository: "old/repo",
+			SecretKey:             "old",
+		},
+		SDKConfig: sdkconfig.SDKConfig{
+			RequestLog: false,
+			ProxyURL:   "http://old-proxy",
+			APIKeys:    []string{" keyA "},
+		},
+		OAuthExcludedModels: map[string][]string{"p1": {"a"}},
+		OpenAICompatibility: []config.OpenAICompatibility{
+			{
+				Name: "prov-old",
+				APIKeyEntries: []config.OpenAICompatibilityAPIKey{
+					{APIKey: "k1"},
+				},
+				Models: []config.OpenAICompatibilityModel{{Name: "m1"}},
+			},
+		},
+	}
+	newCfg := &config.Config{
+		Port:                   2,
+		AuthDir:                "/b",
+		Debug:                  true,
+		LoggingToFile:          true,
+		UsageStatisticsEnabled: true,
+		DisableCooling:         true,
+		RequestRetry:           2,
+		MaxRetryInterval:       3,
+		WebsocketAuth:          true,
+		QuotaExceeded:          config.QuotaExceeded{SwitchProject: true, SwitchPreviewModel: true},
+		GeminiKey: []config.GeminiKey{
+			{APIKey: "g-new", BaseURL: "http://g-new", ProxyURL: "http://gp-new", Headers: map[string]string{"A": "2"}, ExcludedModels: []string{"x", "y"}},
+		},
+		ClaudeKey: []config.ClaudeKey{
+			{APIKey: "c-new", BaseURL: "http://c-new", ProxyURL: "http://cp-new", Headers: map[string]string{"H": "2"}, ExcludedModels: []string{"x", "y"}},
+		},
+		CodexKey: []config.CodexKey{
+			{APIKey: "x-new", BaseURL: "http://x-new", ProxyURL: "http://xp-new", Headers: map[string]string{"H": "2"}, ExcludedModels: []string{"x", "y"}},
+		},
+		VertexCompatAPIKey: []config.VertexCompatKey{
+			{APIKey: "v-new", BaseURL: "http://v-new", ProxyURL: "http://vp-new", Headers: map[string]string{"H": "2"}, Models: []config.VertexCompatModel{{Name: "m1"}, {Name: "m2"}}},
+		},
+		AmpCode: config.AmpCode{
+			UpstreamURL:                   "http://amp-new",
+			UpstreamAPIKey:                "",
+			RestrictManagementToLocalhost: true,
+			ModelMappings:                 []config.AmpModelMapping{{From: "a", To: "c"}},
+			ForceModelMappings:            true,
+		},
+		RemoteManagement: config.RemoteManagement{
+			AllowRemote:           true,
+			DisableControlPanel:   true,
+			PanelGitHubRepository: "new/repo",
+			SecretKey:             "",
+		},
+		SDKConfig: sdkconfig.SDKConfig{
+			RequestLog: true,
+			ProxyURL:   "http://new-proxy",
+			APIKeys:    []string{"keyB"},
+		},
+		OAuthExcludedModels: map[string][]string{"p1": {"b", "c"}, "p2": {"d"}},
+		OpenAICompatibility: []config.OpenAICompatibility{
+			{
+				Name: "prov-old",
+				APIKeyEntries: []config.OpenAICompatibilityAPIKey{
+					{APIKey: "k1"},
+					{APIKey: "k2"},
+				},
+				Models: []config.OpenAICompatibilityModel{{Name: "m1"}, {Name: "m2"}},
+			},
+			{
+				Name:          "prov-new",
+				APIKeyEntries: []config.OpenAICompatibilityAPIKey{{APIKey: "k3"}},
+			},
+		},
+	}
+
+	changes := BuildConfigChangeDetails(oldCfg, newCfg)
+	expectContains(t, changes, "port: 1 -> 2")
+	expectContains(t, changes, "auth-dir: /a -> /b")
+	expectContains(t, changes, "debug: false -> true")
+	expectContains(t, changes, "logging-to-file: false -> true")
+	expectContains(t, changes, "usage-statistics-enabled: false -> true")
+	expectContains(t, changes, "disable-cooling: false -> true")
+	expectContains(t, changes, "request-retry: 1 -> 2")
+	expectContains(t, changes, "max-retry-interval: 1 -> 3")
+	expectContains(t, changes, "proxy-url: http://old-proxy -> http://new-proxy")
+	expectContains(t, changes, "ws-auth: false -> true")
+	expectContains(t, changes, "quota-exceeded.switch-project: false -> true")
+	expectContains(t, changes, "quota-exceeded.switch-preview-model: false -> true")
+	expectContains(t, changes, "api-keys: values updated (count unchanged, redacted)")
+	expectContains(t, changes, "gemini[0].base-url: http://g-old -> http://g-new")
+	expectContains(t, changes, "gemini[0].proxy-url: http://gp-old -> http://gp-new")
+	expectContains(t, changes, "gemini[0].api-key: updated")
+	expectContains(t, changes, "gemini[0].headers: updated")
+	expectContains(t, changes, "gemini[0].excluded-models: updated (0 -> 2 entries)")
+	expectContains(t, changes, "claude[0].base-url: http://c-old -> http://c-new")
+	expectContains(t, changes, "claude[0].proxy-url: http://cp-old -> http://cp-new")
+	expectContains(t, changes, "claude[0].api-key: updated")
+	expectContains(t, changes, "claude[0].headers: updated")
+	expectContains(t, changes, "claude[0].excluded-models: updated (1 -> 2 entries)")
+	expectContains(t, changes, "codex[0].base-url: http://x-old -> http://x-new")
+	expectContains(t, changes, "codex[0].proxy-url: http://xp-old -> http://xp-new")
+	expectContains(t, changes, "codex[0].api-key: updated")
+	expectContains(t, changes, "codex[0].headers: updated")
+	expectContains(t, changes, "codex[0].excluded-models: updated (1 -> 2 entries)")
+	expectContains(t, changes, "vertex[0].base-url: http://v-old -> http://v-new")
+	expectContains(t, changes, "vertex[0].proxy-url: http://vp-old -> http://vp-new")
+	expectContains(t, changes, "vertex[0].api-key: updated")
+	expectContains(t, changes, "vertex[0].models: updated (1 -> 2 entries)")
+	expectContains(t, changes, "vertex[0].headers: updated")
+	expectContains(t, changes, "ampcode.upstream-url: http://amp-old -> http://amp-new")
+	expectContains(t, changes, "ampcode.upstream-api-key: removed")
+	expectContains(t, changes, "ampcode.restrict-management-to-localhost: false -> true")
+	expectContains(t, changes, "ampcode.model-mappings: updated (1 -> 1 entries)")
+	expectContains(t, changes, "ampcode.force-model-mappings: false -> true")
+	expectContains(t, changes, "oauth-excluded-models[p1]: updated (1 -> 2 entries)")
+	expectContains(t, changes, "oauth-excluded-models[p2]: added (1 entries)")
+	expectContains(t, changes, "remote-management.allow-remote: false -> true")
+	expectContains(t, changes, "remote-management.disable-control-panel: false -> true")
+	expectContains(t, changes, "remote-management.panel-github-repository: old/repo -> new/repo")
+	expectContains(t, changes, "remote-management.secret-key: deleted")
+	expectContains(t, changes, "openai-compatibility:")
+}
+
+func TestFormatProxyURL(t *testing.T) {
+	tests := []struct {
+		name string
+		in   string
+		want string
+	}{
+		{name: "empty", in: "", want: "<none>"},
+		{name: "invalid", in: "http://[::1", want: "<redacted>"},
+		{name: "fullURLRedactsUserinfoAndPath", in: "http://user:pass@example.com:8080/path?x=1#frag", want: "http://example.com:8080"},
+		{name: "socks5RedactsUserinfoAndPath", in: "socks5://user:pass@192.168.1.1:1080/path?x=1", want: "socks5://192.168.1.1:1080"},
+		{name: "socks5HostPort", in: "socks5://proxy.example.com:1080/", want: "socks5://proxy.example.com:1080"},
+		{name: "hostPortNoScheme", in: "example.com:1234/path?x=1", want: "example.com:1234"},
+		{name: "relativePathRedacted", in: "/just/path", want: "<redacted>"},
+		{name: "schemeAndHost", in: "https://example.com", want: "https://example.com"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := formatProxyURL(tt.in); got != tt.want {
+				t.Fatalf("expected %q, got %q", tt.want, got)
+			}
+		})
+	}
+}
+
+func TestBuildConfigChangeDetails_SecretAndUpstreamUpdates(t *testing.T) {
+	oldCfg := &config.Config{
+		AmpCode: config.AmpCode{
+			UpstreamAPIKey: "old",
+		},
+		RemoteManagement: config.RemoteManagement{
+			SecretKey: "old",
+		},
+	}
+	newCfg := &config.Config{
+		AmpCode: config.AmpCode{
+			UpstreamAPIKey: "new",
+		},
+		RemoteManagement: config.RemoteManagement{
+			SecretKey: "new",
+		},
+	}
+
+	changes := BuildConfigChangeDetails(oldCfg, newCfg)
+	expectContains(t, changes, "ampcode.upstream-api-key: updated")
+	expectContains(t, changes, "remote-management.secret-key: updated")
+}
+
+func TestBuildConfigChangeDetails_CountBranches(t *testing.T) {
+	oldCfg := &config.Config{}
+	newCfg := &config.Config{
+		GeminiKey: []config.GeminiKey{{APIKey: "g"}},
+		ClaudeKey: []config.ClaudeKey{{APIKey: "c"}},
+		CodexKey:  []config.CodexKey{{APIKey: "x"}},
+		VertexCompatAPIKey: []config.VertexCompatKey{
+			{APIKey: "v", BaseURL: "http://v"},
+		},
+	}
+
+	changes := BuildConfigChangeDetails(oldCfg, newCfg)
+	expectContains(t, changes, "gemini-api-key count: 0 -> 1")
+	expectContains(t, changes, "claude-api-key count: 0 -> 1")
+	expectContains(t, changes, "codex-api-key count: 0 -> 1")
+	expectContains(t, changes, "vertex-api-key count: 0 -> 1")
+}
+
+func TestTrimStrings(t *testing.T) {
+	out := trimStrings([]string{" a ", "b", "  c"})
+	if len(out) != 3 || out[0] != "a" || out[1] != "b" || out[2] != "c" {
+		t.Fatalf("unexpected trimmed strings: %v", out)
+	}
+}

internal/watcher/diff/model_hash.go

@@ -0,0 +1,102 @@
+package diff
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"sort"
+	"strings"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+)
+
+// ComputeOpenAICompatModelsHash returns a stable hash for OpenAI-compat models.
+// Used to detect model list changes during hot reload.
+func ComputeOpenAICompatModelsHash(models []config.OpenAICompatibilityModel) string {
+	keys := normalizeModelPairs(func(out func(key string)) {
+		for _, model := range models {
+			name := strings.TrimSpace(model.Name)
+			alias := strings.TrimSpace(model.Alias)
+			if name == "" && alias == "" {
+				continue
+			}
+			out(strings.ToLower(name) + "|" + strings.ToLower(alias))
+		}
+	})
+	return hashJoined(keys)
+}
+
+// ComputeVertexCompatModelsHash returns a stable hash for Vertex-compatible models.
+func ComputeVertexCompatModelsHash(models []config.VertexCompatModel) string {
+	keys := normalizeModelPairs(func(out func(key string)) {
+		for _, model := range models {
+			name := strings.TrimSpace(model.Name)
+			alias := strings.TrimSpace(model.Alias)
+			if name == "" && alias == "" {
+				continue
+			}
+			out(strings.ToLower(name) + "|" + strings.ToLower(alias))
+		}
+	})
+	return hashJoined(keys)
+}
+
+// ComputeClaudeModelsHash returns a stable hash for Claude model aliases.
+func ComputeClaudeModelsHash(models []config.ClaudeModel) string {
+	keys := normalizeModelPairs(func(out func(key string)) {
+		for _, model := range models {
+			name := strings.TrimSpace(model.Name)
+			alias := strings.TrimSpace(model.Alias)
+			if name == "" && alias == "" {
+				continue
+			}
+			out(strings.ToLower(name) + "|" + strings.ToLower(alias))
+		}
+	})
+	return hashJoined(keys)
+}
+
+// ComputeExcludedModelsHash returns a normalized hash for excluded model lists.
+func ComputeExcludedModelsHash(excluded []string) string {
+	if len(excluded) == 0 {
+		return ""
+	}
+	normalized := make([]string, 0, len(excluded))
+	for _, entry := range excluded {
+		if trimmed := strings.TrimSpace(entry); trimmed != "" {
+			normalized = append(normalized, strings.ToLower(trimmed))
+		}
+	}
+	if len(normalized) == 0 {
+		return ""
+	}
+	sort.Strings(normalized)
+	data, _ := json.Marshal(normalized)
+	sum := sha256.Sum256(data)
+	return hex.EncodeToString(sum[:])
+}
+
+func normalizeModelPairs(collect func(out func(key string))) []string {
+	seen := make(map[string]struct{})
+	keys := make([]string, 0)
+	collect(func(key string) {
+		if _, exists := seen[key]; exists {
+			return
+		}
+		seen[key] = struct{}{}
+		keys = append(keys, key)
+	})
+	if len(keys) == 0 {
+		return nil
+	}
+	sort.Strings(keys)
+	return keys
+}
+
+func hashJoined(keys []string) string {
+	if len(keys) == 0 {
+		return ""
+	}
+	sum := sha256.Sum256([]byte(strings.Join(keys, "\n")))
+	return hex.EncodeToString(sum[:])
+}

internal/watcher/diff/model_hash_test.go

@@ -0,0 +1,159 @@
+package diff
+
+import (
+	"testing"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+)
+
+func TestComputeOpenAICompatModelsHash_Deterministic(t *testing.T) {
+	models := []config.OpenAICompatibilityModel{
+		{Name: "gpt-4", Alias: "gpt4"},
+		{Name: "gpt-3.5-turbo"},
+	}
+	hash1 := ComputeOpenAICompatModelsHash(models)
+	hash2 := ComputeOpenAICompatModelsHash(models)
+	if hash1 == "" {
+		t.Fatal("hash should not be empty")
+	}
+	if hash1 != hash2 {
+		t.Fatalf("hash should be deterministic, got %s vs %s", hash1, hash2)
+	}
+	changed := ComputeOpenAICompatModelsHash([]config.OpenAICompatibilityModel{{Name: "gpt-4"}, {Name: "gpt-4.1"}})
+	if hash1 == changed {
+		t.Fatal("hash should change when model list changes")
+	}
+}
+
+func TestComputeOpenAICompatModelsHash_NormalizesAndDedups(t *testing.T) {
+	a := []config.OpenAICompatibilityModel{
+		{Name: "gpt-4", Alias: "gpt4"},
+		{Name: " "},
+		{Name: "GPT-4", Alias: "GPT4"},
+		{Alias: "a1"},
+	}
+	b := []config.OpenAICompatibilityModel{
+		{Alias: "A1"},
+		{Name: "gpt-4", Alias: "gpt4"},
+	}
+	h1 := ComputeOpenAICompatModelsHash(a)
+	h2 := ComputeOpenAICompatModelsHash(b)
+	if h1 == "" || h2 == "" {
+		t.Fatal("expected non-empty hashes for non-empty model sets")
+	}
+	if h1 != h2 {
+		t.Fatalf("expected normalized hashes to match, got %s / %s", h1, h2)
+	}
+}
+
+func TestComputeVertexCompatModelsHash_DifferentInputs(t *testing.T) {
+	models := []config.VertexCompatModel{{Name: "gemini-pro", Alias: "pro"}}
+	hash1 := ComputeVertexCompatModelsHash(models)
+	hash2 := ComputeVertexCompatModelsHash([]config.VertexCompatModel{{Name: "gemini-1.5-pro", Alias: "pro"}})
+	if hash1 == "" || hash2 == "" {
+		t.Fatal("hashes should not be empty for non-empty models")
+	}
+	if hash1 == hash2 {
+		t.Fatal("hash should differ when model content differs")
+	}
+}
+
+func TestComputeVertexCompatModelsHash_IgnoresBlankAndOrder(t *testing.T) {
+	a := []config.VertexCompatModel{
+		{Name: "m1", Alias: "a1"},
+		{Name: " "},
+		{Name: "M1", Alias: "A1"},
+	}
+	b := []config.VertexCompatModel{
+		{Name: "m1", Alias: "a1"},
+	}
+	if h1, h2 := ComputeVertexCompatModelsHash(a), ComputeVertexCompatModelsHash(b); h1 == "" || h1 != h2 {
+		t.Fatalf("expected same hash ignoring blanks/dupes, got %q / %q", h1, h2)
+	}
+}
+
+func TestComputeClaudeModelsHash_Empty(t *testing.T) {
+	if got := ComputeClaudeModelsHash(nil); got != "" {
+		t.Fatalf("expected empty hash for nil models, got %q", got)
+	}
+	if got := ComputeClaudeModelsHash([]config.ClaudeModel{}); got != "" {
+		t.Fatalf("expected empty hash for empty slice, got %q", got)
+	}
+}
+
+func TestComputeClaudeModelsHash_IgnoresBlankAndDedup(t *testing.T) {
+	a := []config.ClaudeModel{
+		{Name: "m1", Alias: "a1"},
+		{Name: " "},
+		{Name: "M1", Alias: "A1"},
+	}
+	b := []config.ClaudeModel{
+		{Name: "m1", Alias: "a1"},
+	}
+	if h1, h2 := ComputeClaudeModelsHash(a), ComputeClaudeModelsHash(b); h1 == "" || h1 != h2 {
+		t.Fatalf("expected same hash ignoring blanks/dupes, got %q / %q", h1, h2)
+	}
+}
+
+func TestComputeExcludedModelsHash_Normalizes(t *testing.T) {
+	hash1 := ComputeExcludedModelsHash([]string{" A ", "b", "a"})
+	hash2 := ComputeExcludedModelsHash([]string{"a", " b", "A"})
+	if hash1 == "" || hash2 == "" {
+		t.Fatal("hash should not be empty for non-empty input")
+	}
+	if hash1 != hash2 {
+		t.Fatalf("hash should be order/space insensitive for same multiset, got %s vs %s", hash1, hash2)
+	}
+	hash3 := ComputeExcludedModelsHash([]string{"c"})
+	if hash1 == hash3 {
+		t.Fatal("hash should differ for different normalized sets")
+	}
+}
+
+func TestComputeOpenAICompatModelsHash_Empty(t *testing.T) {
+	if got := ComputeOpenAICompatModelsHash(nil); got != "" {
+		t.Fatalf("expected empty hash for nil input, got %q", got)
+	}
+	if got := ComputeOpenAICompatModelsHash([]config.OpenAICompatibilityModel{}); got != "" {
+		t.Fatalf("expected empty hash for empty slice, got %q", got)
+	}
+	if got := ComputeOpenAICompatModelsHash([]config.OpenAICompatibilityModel{{Name: " "}, {Alias: ""}}); got != "" {
+		t.Fatalf("expected empty hash for blank models, got %q", got)
+	}
+}
+
+func TestComputeVertexCompatModelsHash_Empty(t *testing.T) {
+	if got := ComputeVertexCompatModelsHash(nil); got != "" {
+		t.Fatalf("expected empty hash for nil input, got %q", got)
+	}
+	if got := ComputeVertexCompatModelsHash([]config.VertexCompatModel{}); got != "" {
+		t.Fatalf("expected empty hash for empty slice, got %q", got)
+	}
+	if got := ComputeVertexCompatModelsHash([]config.VertexCompatModel{{Name: " "}}); got != "" {
+		t.Fatalf("expected empty hash for blank models, got %q", got)
+	}
+}
+
+func TestComputeExcludedModelsHash_Empty(t *testing.T) {
+	if got := ComputeExcludedModelsHash(nil); got != "" {
+		t.Fatalf("expected empty hash for nil input, got %q", got)
+	}
+	if got := ComputeExcludedModelsHash([]string{}); got != "" {
+		t.Fatalf("expected empty hash for empty slice, got %q", got)
+	}
+	if got := ComputeExcludedModelsHash([]string{"  ", ""}); got != "" {
+		t.Fatalf("expected empty hash for whitespace-only entries, got %q", got)
+	}
+}
+
+func TestComputeClaudeModelsHash_Deterministic(t *testing.T) {
+	models := []config.ClaudeModel{{Name: "a", Alias: "A"}, {Name: "b"}}
+	h1 := ComputeClaudeModelsHash(models)
+	h2 := ComputeClaudeModelsHash(models)
+	if h1 == "" || h1 != h2 {
+		t.Fatalf("expected deterministic hash, got %s / %s", h1, h2)
+	}
+	if h3 := ComputeClaudeModelsHash([]config.ClaudeModel{{Name: "a"}}); h3 == h1 {
+		t.Fatalf("expected different hash when models change, got %s", h3)
+	}
+}

internal/watcher/diff/oauth_excluded.go

@@ -0,0 +1,151 @@
+package diff
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+)
+
+type ExcludedModelsSummary struct {
+	hash  string
+	count int
+}
+
+// SummarizeExcludedModels normalizes and hashes an excluded-model list.
+func SummarizeExcludedModels(list []string) ExcludedModelsSummary {
+	if len(list) == 0 {
+		return ExcludedModelsSummary{}
+	}
+	seen := make(map[string]struct{}, len(list))
+	normalized := make([]string, 0, len(list))
+	for _, entry := range list {
+		if trimmed := strings.ToLower(strings.TrimSpace(entry)); trimmed != "" {
+			if _, exists := seen[trimmed]; exists {
+				continue
+			}
+			seen[trimmed] = struct{}{}
+			normalized = append(normalized, trimmed)
+		}
+	}
+	sort.Strings(normalized)
+	return ExcludedModelsSummary{
+		hash:  ComputeExcludedModelsHash(normalized),
+		count: len(normalized),
+	}
+}
+
+// SummarizeOAuthExcludedModels summarizes OAuth excluded models per provider.
+func SummarizeOAuthExcludedModels(entries map[string][]string) map[string]ExcludedModelsSummary {
+	if len(entries) == 0 {
+		return nil
+	}
+	out := make(map[string]ExcludedModelsSummary, len(entries))
+	for k, v := range entries {
+		key := strings.ToLower(strings.TrimSpace(k))
+		if key == "" {
+			continue
+		}
+		out[key] = SummarizeExcludedModels(v)
+	}
+	return out
+}
+
+// DiffOAuthExcludedModelChanges compares OAuth excluded models maps.
+func DiffOAuthExcludedModelChanges(oldMap, newMap map[string][]string) ([]string, []string) {
+	oldSummary := SummarizeOAuthExcludedModels(oldMap)
+	newSummary := SummarizeOAuthExcludedModels(newMap)
+	keys := make(map[string]struct{}, len(oldSummary)+len(newSummary))
+	for k := range oldSummary {
+		keys[k] = struct{}{}
+	}
+	for k := range newSummary {
+		keys[k] = struct{}{}
+	}
+	changes := make([]string, 0, len(keys))
+	affected := make([]string, 0, len(keys))
+	for key := range keys {
+		oldInfo, okOld := oldSummary[key]
+		newInfo, okNew := newSummary[key]
+		switch {
+		case okOld && !okNew:
+			changes = append(changes, fmt.Sprintf("oauth-excluded-models[%s]: removed", key))
+			affected = append(affected, key)
+		case !okOld && okNew:
+			changes = append(changes, fmt.Sprintf("oauth-excluded-models[%s]: added (%d entries)", key, newInfo.count))
+			affected = append(affected, key)
+		case okOld && okNew && oldInfo.hash != newInfo.hash:
+			changes = append(changes, fmt.Sprintf("oauth-excluded-models[%s]: updated (%d -> %d entries)", key, oldInfo.count, newInfo.count))
+			affected = append(affected, key)
+		}
+	}
+	sort.Strings(changes)
+	sort.Strings(affected)
+	return changes, affected
+}
+
+type AmpModelMappingsSummary struct {
+	hash  string
+	count int
+}
+
+// SummarizeAmpModelMappings hashes Amp model mappings for change detection.
+func SummarizeAmpModelMappings(mappings []config.AmpModelMapping) AmpModelMappingsSummary {
+	if len(mappings) == 0 {
+		return AmpModelMappingsSummary{}
+	}
+	entries := make([]string, 0, len(mappings))
+	for _, mapping := range mappings {
+		from := strings.TrimSpace(mapping.From)
+		to := strings.TrimSpace(mapping.To)
+		if from == "" && to == "" {
+			continue
+		}
+		entries = append(entries, from+"->"+to)
+	}
+	if len(entries) == 0 {
+		return AmpModelMappingsSummary{}
+	}
+	sort.Strings(entries)
+	sum := sha256.Sum256([]byte(strings.Join(entries, "|")))
+	return AmpModelMappingsSummary{
+		hash:  hex.EncodeToString(sum[:]),
+		count: len(entries),
+	}
+}
+
+type VertexModelsSummary struct {
+	hash  string
+	count int
+}
+
+// SummarizeVertexModels hashes vertex-compatible models for change detection.
+func SummarizeVertexModels(models []config.VertexCompatModel) VertexModelsSummary {
+	if len(models) == 0 {
+		return VertexModelsSummary{}
+	}
+	names := make([]string, 0, len(models))
+	for _, m := range models {
+		name := strings.TrimSpace(m.Name)
+		alias := strings.TrimSpace(m.Alias)
+		if name == "" && alias == "" {
+			continue
+		}
+		if alias != "" {
+			name = alias
+		}
+		names = append(names, name)
+	}
+	if len(names) == 0 {
+		return VertexModelsSummary{}
+	}
+	sort.Strings(names)
+	sum := sha256.Sum256([]byte(strings.Join(names, "|")))
+	return VertexModelsSummary{
+		hash:  hex.EncodeToString(sum[:]),
+		count: len(names),
+	}
+}

internal/watcher/diff/oauth_excluded_test.go

@@ -0,0 +1,109 @@
+package diff
+
+import (
+	"testing"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+)
+
+func TestSummarizeExcludedModels_NormalizesAndDedupes(t *testing.T) {
+	summary := SummarizeExcludedModels([]string{"A", " a ", "B", "b"})
+	if summary.count != 2 {
+		t.Fatalf("expected 2 unique entries, got %d", summary.count)
+	}
+	if summary.hash == "" {
+		t.Fatal("expected non-empty hash")
+	}
+	if empty := SummarizeExcludedModels(nil); empty.count != 0 || empty.hash != "" {
+		t.Fatalf("expected empty summary for nil input, got %+v", empty)
+	}
+}
+
+func TestDiffOAuthExcludedModelChanges(t *testing.T) {
+	oldMap := map[string][]string{
+		"ProviderA": {"model-1", "model-2"},
+		"providerB": {"x"},
+	}
+	newMap := map[string][]string{
+		"providerA": {"model-1", "model-3"},
+		"providerC": {"y"},
+	}
+
+	changes, affected := DiffOAuthExcludedModelChanges(oldMap, newMap)
+	expectContains(t, changes, "oauth-excluded-models[providera]: updated (2 -> 2 entries)")
+	expectContains(t, changes, "oauth-excluded-models[providerb]: removed")
+	expectContains(t, changes, "oauth-excluded-models[providerc]: added (1 entries)")
+
+	if len(affected) != 3 {
+		t.Fatalf("expected 3 affected providers, got %d", len(affected))
+	}
+}
+
+func TestSummarizeAmpModelMappings(t *testing.T) {
+	summary := SummarizeAmpModelMappings([]config.AmpModelMapping{
+		{From: "a", To: "A"},
+		{From: "b", To: "B"},
+		{From: " ", To: " "}, // ignored
+	})
+	if summary.count != 2 {
+		t.Fatalf("expected 2 entries, got %d", summary.count)
+	}
+	if summary.hash == "" {
+		t.Fatal("expected non-empty hash")
+	}
+	if empty := SummarizeAmpModelMappings(nil); empty.count != 0 || empty.hash != "" {
+		t.Fatalf("expected empty summary for nil input, got %+v", empty)
+	}
+	if blank := SummarizeAmpModelMappings([]config.AmpModelMapping{{From: " ", To: " "}}); blank.count != 0 || blank.hash != "" {
+		t.Fatalf("expected blank mappings ignored, got %+v", blank)
+	}
+}
+
+func TestSummarizeOAuthExcludedModels_NormalizesKeys(t *testing.T) {
+	out := SummarizeOAuthExcludedModels(map[string][]string{
+		"ProvA": {"X"},
+		"":      {"ignored"},
+	})
+	if len(out) != 1 {
+		t.Fatalf("expected only non-empty key summary, got %d", len(out))
+	}
+	if _, ok := out["prova"]; !ok {
+		t.Fatalf("expected normalized key 'prova', got keys %v", out)
+	}
+	if out["prova"].count != 1 || out["prova"].hash == "" {
+		t.Fatalf("unexpected summary %+v", out["prova"])
+	}
+	if outEmpty := SummarizeOAuthExcludedModels(nil); outEmpty != nil {
+		t.Fatalf("expected nil map for nil input, got %v", outEmpty)
+	}
+}
+
+func TestSummarizeVertexModels(t *testing.T) {
+	summary := SummarizeVertexModels([]config.VertexCompatModel{
+		{Name: "m1"},
+		{Name: " ", Alias: "alias"},
+		{}, // ignored
+	})
+	if summary.count != 2 {
+		t.Fatalf("expected 2 vertex models, got %d", summary.count)
+	}
+	if summary.hash == "" {
+		t.Fatal("expected non-empty hash")
+	}
+	if empty := SummarizeVertexModels(nil); empty.count != 0 || empty.hash != "" {
+		t.Fatalf("expected empty summary for nil input, got %+v", empty)
+	}
+	if blank := SummarizeVertexModels([]config.VertexCompatModel{{Name: " "}}); blank.count != 0 || blank.hash != "" {
+		t.Fatalf("expected blank model ignored, got %+v", blank)
+	}
+}
+
+func expectContains(t *testing.T, list []string, target string) {
+	t.Helper()
+	for _, entry := range list {
+		if entry == target {
+			return
+		}
+	}
+	t.Fatalf("expected list to contain %q, got %#v", target, list)
+}

internal/watcher/diff/openai_compat.go

@@ -0,0 +1,183 @@
+package diff
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+)
+
+// DiffOpenAICompatibility produces human-readable change descriptions.
+func DiffOpenAICompatibility(oldList, newList []config.OpenAICompatibility) []string {
+	changes := make([]string, 0)
+	oldMap := make(map[string]config.OpenAICompatibility, len(oldList))
+	oldLabels := make(map[string]string, len(oldList))
+	for idx, entry := range oldList {
+		key, label := openAICompatKey(entry, idx)
+		oldMap[key] = entry
+		oldLabels[key] = label
+	}
+	newMap := make(map[string]config.OpenAICompatibility, len(newList))
+	newLabels := make(map[string]string, len(newList))
+	for idx, entry := range newList {
+		key, label := openAICompatKey(entry, idx)
+		newMap[key] = entry
+		newLabels[key] = label
+	}
+	keySet := make(map[string]struct{}, len(oldMap)+len(newMap))
+	for key := range oldMap {
+		keySet[key] = struct{}{}
+	}
+	for key := range newMap {
+		keySet[key] = struct{}{}
+	}
+	orderedKeys := make([]string, 0, len(keySet))
+	for key := range keySet {
+		orderedKeys = append(orderedKeys, key)
+	}
+	sort.Strings(orderedKeys)
+	for _, key := range orderedKeys {
+		oldEntry, oldOk := oldMap[key]
+		newEntry, newOk := newMap[key]
+		label := oldLabels[key]
+		if label == "" {
+			label = newLabels[key]
+		}
+		switch {
+		case !oldOk:
+			changes = append(changes, fmt.Sprintf("provider added: %s (api-keys=%d, models=%d)", label, countAPIKeys(newEntry), countOpenAIModels(newEntry.Models)))
+		case !newOk:
+			changes = append(changes, fmt.Sprintf("provider removed: %s (api-keys=%d, models=%d)", label, countAPIKeys(oldEntry), countOpenAIModels(oldEntry.Models)))
+		default:
+			if detail := describeOpenAICompatibilityUpdate(oldEntry, newEntry); detail != "" {
+				changes = append(changes, fmt.Sprintf("provider updated: %s %s", label, detail))
+			}
+		}
+	}
+	return changes
+}
+
+func describeOpenAICompatibilityUpdate(oldEntry, newEntry config.OpenAICompatibility) string {
+	oldKeyCount := countAPIKeys(oldEntry)
+	newKeyCount := countAPIKeys(newEntry)
+	oldModelCount := countOpenAIModels(oldEntry.Models)
+	newModelCount := countOpenAIModels(newEntry.Models)
+	details := make([]string, 0, 3)
+	if oldKeyCount != newKeyCount {
+		details = append(details, fmt.Sprintf("api-keys %d -> %d", oldKeyCount, newKeyCount))
+	}
+	if oldModelCount != newModelCount {
+		details = append(details, fmt.Sprintf("models %d -> %d", oldModelCount, newModelCount))
+	}
+	if !equalStringMap(oldEntry.Headers, newEntry.Headers) {
+		details = append(details, "headers updated")
+	}
+	if len(details) == 0 {
+		return ""
+	}
+	return "(" + strings.Join(details, ", ") + ")"
+}
+
+func countAPIKeys(entry config.OpenAICompatibility) int {
+	count := 0
+	for _, keyEntry := range entry.APIKeyEntries {
+		if strings.TrimSpace(keyEntry.APIKey) != "" {
+			count++
+		}
+	}
+	return count
+}
+
+func countOpenAIModels(models []config.OpenAICompatibilityModel) int {
+	count := 0
+	for _, model := range models {
+		name := strings.TrimSpace(model.Name)
+		alias := strings.TrimSpace(model.Alias)
+		if name == "" && alias == "" {
+			continue
+		}
+		count++
+	}
+	return count
+}
+
+func openAICompatKey(entry config.OpenAICompatibility, index int) (string, string) {
+	name := strings.TrimSpace(entry.Name)
+	if name != "" {
+		return "name:" + name, name
+	}
+	base := strings.TrimSpace(entry.BaseURL)
+	if base != "" {
+		return "base:" + base, base
+	}
+	for _, model := range entry.Models {
+		alias := strings.TrimSpace(model.Alias)
+		if alias == "" {
+			alias = strings.TrimSpace(model.Name)
+		}
+		if alias != "" {
+			return "alias:" + alias, alias
+		}
+	}
+	sig := openAICompatSignature(entry)
+	if sig == "" {
+		return fmt.Sprintf("index:%d", index), fmt.Sprintf("entry-%d", index+1)
+	}
+	short := sig
+	if len(short) > 8 {
+		short = short[:8]
+	}
+	return "sig:" + sig, "compat-" + short
+}
+
+func openAICompatSignature(entry config.OpenAICompatibility) string {
+	var parts []string
+
+	if v := strings.TrimSpace(entry.Name); v != "" {
+		parts = append(parts, "name="+strings.ToLower(v))
+	}
+	if v := strings.TrimSpace(entry.BaseURL); v != "" {
+		parts = append(parts, "base="+v)
+	}
+
+	models := make([]string, 0, len(entry.Models))
+	for _, model := range entry.Models {
+		name := strings.TrimSpace(model.Name)
+		alias := strings.TrimSpace(model.Alias)
+		if name == "" && alias == "" {
+			continue
+		}
+		models = append(models, strings.ToLower(name)+"|"+strings.ToLower(alias))
+	}
+	if len(models) > 0 {
+		sort.Strings(models)
+		parts = append(parts, "models="+strings.Join(models, ","))
+	}
+
+	if len(entry.Headers) > 0 {
+		keys := make([]string, 0, len(entry.Headers))
+		for k := range entry.Headers {
+			if trimmed := strings.TrimSpace(k); trimmed != "" {
+				keys = append(keys, strings.ToLower(trimmed))
+			}
+		}
+		if len(keys) > 0 {
+			sort.Strings(keys)
+			parts = append(parts, "headers="+strings.Join(keys, ","))
+		}
+	}
+
+	// Intentionally exclude API key material; only count non-empty entries.
+	if count := countAPIKeys(entry); count > 0 {
+		parts = append(parts, fmt.Sprintf("api_keys=%d", count))
+	}
+
+	if len(parts) == 0 {
+		return ""
+	}
+	sum := sha256.Sum256([]byte(strings.Join(parts, "|")))
+	return hex.EncodeToString(sum[:])
+}

internal/watcher/diff/openai_compat_test.go

@@ -0,0 +1,187 @@
+package diff
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+)
+
+func TestDiffOpenAICompatibility(t *testing.T) {
+	oldList := []config.OpenAICompatibility{
+		{
+			Name: "provider-a",
+			APIKeyEntries: []config.OpenAICompatibilityAPIKey{
+				{APIKey: "key-a"},
+			},
+			Models: []config.OpenAICompatibilityModel{
+				{Name: "m1"},
+			},
+		},
+	}
+	newList := []config.OpenAICompatibility{
+		{
+			Name: "provider-a",
+			APIKeyEntries: []config.OpenAICompatibilityAPIKey{
+				{APIKey: "key-a"},
+				{APIKey: "key-b"},
+			},
+			Models: []config.OpenAICompatibilityModel{
+				{Name: "m1"},
+				{Name: "m2"},
+			},
+			Headers: map[string]string{"X-Test": "1"},
+		},
+		{
+			Name:          "provider-b",
+			APIKeyEntries: []config.OpenAICompatibilityAPIKey{{APIKey: "key-b"}},
+		},
+	}
+
+	changes := DiffOpenAICompatibility(oldList, newList)
+	expectContains(t, changes, "provider added: provider-b (api-keys=1, models=0)")
+	expectContains(t, changes, "provider updated: provider-a (api-keys 1 -> 2, models 1 -> 2, headers updated)")
+}
+
+func TestDiffOpenAICompatibility_RemovedAndUnchanged(t *testing.T) {
+	oldList := []config.OpenAICompatibility{
+		{
+			Name:          "provider-a",
+			APIKeyEntries: []config.OpenAICompatibilityAPIKey{{APIKey: "key-a"}},
+			Models:        []config.OpenAICompatibilityModel{{Name: "m1"}},
+		},
+	}
+	newList := []config.OpenAICompatibility{
+		{
+			Name:          "provider-a",
+			APIKeyEntries: []config.OpenAICompatibilityAPIKey{{APIKey: "key-a"}},
+			Models:        []config.OpenAICompatibilityModel{{Name: "m1"}},
+		},
+	}
+	if changes := DiffOpenAICompatibility(oldList, newList); len(changes) != 0 {
+		t.Fatalf("expected no changes, got %v", changes)
+	}
+
+	newList = nil
+	changes := DiffOpenAICompatibility(oldList, newList)
+	expectContains(t, changes, "provider removed: provider-a (api-keys=1, models=1)")
+}
+
+func TestOpenAICompatKeyFallbacks(t *testing.T) {
+	entry := config.OpenAICompatibility{
+		BaseURL: "http://base",
+		Models:  []config.OpenAICompatibilityModel{{Alias: "alias-only"}},
+	}
+	key, label := openAICompatKey(entry, 0)
+	if key != "base:http://base" || label != "http://base" {
+		t.Fatalf("expected base key, got %s/%s", key, label)
+	}
+
+	entry.BaseURL = ""
+	key, label = openAICompatKey(entry, 1)
+	if key != "alias:alias-only" || label != "alias-only" {
+		t.Fatalf("expected alias fallback, got %s/%s", key, label)
+	}
+
+	entry.Models = nil
+	key, label = openAICompatKey(entry, 2)
+	if key != "index:2" || label != "entry-3" {
+		t.Fatalf("expected index fallback, got %s/%s", key, label)
+	}
+}
+
+func TestOpenAICompatKey_UsesName(t *testing.T) {
+	entry := config.OpenAICompatibility{Name: "My-Provider"}
+	key, label := openAICompatKey(entry, 0)
+	if key != "name:My-Provider" || label != "My-Provider" {
+		t.Fatalf("expected name key, got %s/%s", key, label)
+	}
+}
+
+func TestOpenAICompatKey_SignatureFallbackWhenOnlyAPIKeys(t *testing.T) {
+	entry := config.OpenAICompatibility{
+		APIKeyEntries: []config.OpenAICompatibilityAPIKey{{APIKey: "k1"}, {APIKey: "k2"}},
+	}
+	key, label := openAICompatKey(entry, 0)
+	if !strings.HasPrefix(key, "sig:") || !strings.HasPrefix(label, "compat-") {
+		t.Fatalf("expected signature key, got %s/%s", key, label)
+	}
+}
+
+func TestOpenAICompatSignature_EmptyReturnsEmpty(t *testing.T) {
+	if got := openAICompatSignature(config.OpenAICompatibility{}); got != "" {
+		t.Fatalf("expected empty signature, got %q", got)
+	}
+}
+
+func TestOpenAICompatSignature_StableAndNormalized(t *testing.T) {
+	a := config.OpenAICompatibility{
+		Name:    "  Provider  ",
+		BaseURL: "http://base",
+		Models: []config.OpenAICompatibilityModel{
+			{Name: "m1"},
+			{Name: "  "},
+			{Alias: "A1"},
+		},
+		Headers: map[string]string{
+			"X-Test": "1",
+			"  ":     "ignored",
+		},
+		APIKeyEntries: []config.OpenAICompatibilityAPIKey{
+			{APIKey: "k1"},
+			{APIKey: " "},
+		},
+	}
+	b := config.OpenAICompatibility{
+		Name:    "provider",
+		BaseURL: "http://base",
+		Models: []config.OpenAICompatibilityModel{
+			{Alias: "a1"},
+			{Name: "m1"},
+		},
+		Headers: map[string]string{
+			"x-test": "2",
+		},
+		APIKeyEntries: []config.OpenAICompatibilityAPIKey{
+			{APIKey: "k2"},
+		},
+	}
+
+	sigA := openAICompatSignature(a)
+	sigB := openAICompatSignature(b)
+	if sigA == "" || sigB == "" {
+		t.Fatalf("expected non-empty signatures, got %q / %q", sigA, sigB)
+	}
+	if sigA != sigB {
+		t.Fatalf("expected normalized signatures to match, got %s / %s", sigA, sigB)
+	}
+
+	c := b
+	c.Models = append(c.Models, config.OpenAICompatibilityModel{Name: "m2"})
+	if sigC := openAICompatSignature(c); sigC == sigB {
+		t.Fatalf("expected signature to change when models change, got %s", sigC)
+	}
+}
+
+func TestCountOpenAIModelsSkipsBlanks(t *testing.T) {
+	models := []config.OpenAICompatibilityModel{
+		{Name: "m1"},
+		{Name: ""},
+		{Alias: ""},
+		{Name: " "},
+		{Alias: "a1"},
+	}
+	if got := countOpenAIModels(models); got != 2 {
+		t.Fatalf("expected 2 counted models, got %d", got)
+	}
+}
+
+func TestOpenAICompatKeyUsesModelNameWhenAliasEmpty(t *testing.T) {
+	entry := config.OpenAICompatibility{
+		Models: []config.OpenAICompatibilityModel{{Name: "model-name"}},
+	}
+	key, label := openAICompatKey(entry, 5)
+	if key != "alias:model-name" || label != "model-name" {
+		t.Fatalf("expected model-name fallback, got %s/%s", key, label)
+	}
+}

internal/watcher/dispatcher.go

@@ -0,0 +1,273 @@
+// dispatcher.go implements auth update dispatching and queue management.
+// It batches, deduplicates, and delivers auth updates to registered consumers.
+package watcher
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+	"sync"
+	"time"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/watcher/synthesizer"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+)
+
+func (w *Watcher) setAuthUpdateQueue(queue chan<- AuthUpdate) {
+	w.clientsMutex.Lock()
+	defer w.clientsMutex.Unlock()
+	w.authQueue = queue
+	if w.dispatchCond == nil {
+		w.dispatchCond = sync.NewCond(&w.dispatchMu)
+	}
+	if w.dispatchCancel != nil {
+		w.dispatchCancel()
+		if w.dispatchCond != nil {
+			w.dispatchMu.Lock()
+			w.dispatchCond.Broadcast()
+			w.dispatchMu.Unlock()
+		}
+		w.dispatchCancel = nil
+	}
+	if queue != nil {
+		ctx, cancel := context.WithCancel(context.Background())
+		w.dispatchCancel = cancel
+		go w.dispatchLoop(ctx)
+	}
+}
+
+func (w *Watcher) dispatchRuntimeAuthUpdate(update AuthUpdate) bool {
+	if w == nil {
+		return false
+	}
+	w.clientsMutex.Lock()
+	if w.runtimeAuths == nil {
+		w.runtimeAuths = make(map[string]*coreauth.Auth)
+	}
+	switch update.Action {
+	case AuthUpdateActionAdd, AuthUpdateActionModify:
+		if update.Auth != nil && update.Auth.ID != "" {
+			clone := update.Auth.Clone()
+			w.runtimeAuths[clone.ID] = clone
+			if w.currentAuths == nil {
+				w.currentAuths = make(map[string]*coreauth.Auth)
+			}
+			w.currentAuths[clone.ID] = clone.Clone()
+		}
+	case AuthUpdateActionDelete:
+		id := update.ID
+		if id == "" && update.Auth != nil {
+			id = update.Auth.ID
+		}
+		if id != "" {
+			delete(w.runtimeAuths, id)
+			if w.currentAuths != nil {
+				delete(w.currentAuths, id)
+			}
+		}
+	}
+	w.clientsMutex.Unlock()
+	if w.getAuthQueue() == nil {
+		return false
+	}
+	w.dispatchAuthUpdates([]AuthUpdate{update})
+	return true
+}
+
+func (w *Watcher) refreshAuthState(force bool) {
+	auths := w.SnapshotCoreAuths()
+	w.clientsMutex.Lock()
+	if len(w.runtimeAuths) > 0 {
+		for _, a := range w.runtimeAuths {
+			if a != nil {
+				auths = append(auths, a.Clone())
+			}
+		}
+	}
+	updates := w.prepareAuthUpdatesLocked(auths, force)
+	w.clientsMutex.Unlock()
+	w.dispatchAuthUpdates(updates)
+}
+
+func (w *Watcher) prepareAuthUpdatesLocked(auths []*coreauth.Auth, force bool) []AuthUpdate {
+	newState := make(map[string]*coreauth.Auth, len(auths))
+	for _, auth := range auths {
+		if auth == nil || auth.ID == "" {
+			continue
+		}
+		newState[auth.ID] = auth.Clone()
+	}
+	if w.currentAuths == nil {
+		w.currentAuths = newState
+		if w.authQueue == nil {
+			return nil
+		}
+		updates := make([]AuthUpdate, 0, len(newState))
+		for id, auth := range newState {
+			updates = append(updates, AuthUpdate{Action: AuthUpdateActionAdd, ID: id, Auth: auth.Clone()})
+		}
+		return updates
+	}
+	if w.authQueue == nil {
+		w.currentAuths = newState
+		return nil
+	}
+	updates := make([]AuthUpdate, 0, len(newState)+len(w.currentAuths))
+	for id, auth := range newState {
+		if existing, ok := w.currentAuths[id]; !ok {
+			updates = append(updates, AuthUpdate{Action: AuthUpdateActionAdd, ID: id, Auth: auth.Clone()})
+		} else if force || !authEqual(existing, auth) {
+			updates = append(updates, AuthUpdate{Action: AuthUpdateActionModify, ID: id, Auth: auth.Clone()})
+		}
+	}
+	for id := range w.currentAuths {
+		if _, ok := newState[id]; !ok {
+			updates = append(updates, AuthUpdate{Action: AuthUpdateActionDelete, ID: id})
+		}
+	}
+	w.currentAuths = newState
+	return updates
+}
+
+func (w *Watcher) dispatchAuthUpdates(updates []AuthUpdate) {
+	if len(updates) == 0 {
+		return
+	}
+	queue := w.getAuthQueue()
+	if queue == nil {
+		return
+	}
+	baseTS := time.Now().UnixNano()
+	w.dispatchMu.Lock()
+	if w.pendingUpdates == nil {
+		w.pendingUpdates = make(map[string]AuthUpdate)
+	}
+	for idx, update := range updates {
+		key := w.authUpdateKey(update, baseTS+int64(idx))
+		if _, exists := w.pendingUpdates[key]; !exists {
+			w.pendingOrder = append(w.pendingOrder, key)
+		}
+		w.pendingUpdates[key] = update
+	}
+	if w.dispatchCond != nil {
+		w.dispatchCond.Signal()
+	}
+	w.dispatchMu.Unlock()
+}
+
+func (w *Watcher) authUpdateKey(update AuthUpdate, ts int64) string {
+	if update.ID != "" {
+		return update.ID
+	}
+	return fmt.Sprintf("%s:%d", update.Action, ts)
+}
+
+func (w *Watcher) dispatchLoop(ctx context.Context) {
+	for {
+		batch, ok := w.nextPendingBatch(ctx)
+		if !ok {
+			return
+		}
+		queue := w.getAuthQueue()
+		if queue == nil {
+			if ctx.Err() != nil {
+				return
+			}
+			time.Sleep(10 * time.Millisecond)
+			continue
+		}
+		for _, update := range batch {
+			select {
+			case queue <- update:
+			case <-ctx.Done():
+				return
+			}
+		}
+	}
+}
+
+func (w *Watcher) nextPendingBatch(ctx context.Context) ([]AuthUpdate, bool) {
+	w.dispatchMu.Lock()
+	defer w.dispatchMu.Unlock()
+	for len(w.pendingOrder) == 0 {
+		if ctx.Err() != nil {
+			return nil, false
+		}
+		w.dispatchCond.Wait()
+		if ctx.Err() != nil {
+			return nil, false
+		}
+	}
+	batch := make([]AuthUpdate, 0, len(w.pendingOrder))
+	for _, key := range w.pendingOrder {
+		batch = append(batch, w.pendingUpdates[key])
+		delete(w.pendingUpdates, key)
+	}
+	w.pendingOrder = w.pendingOrder[:0]
+	return batch, true
+}
+
+func (w *Watcher) getAuthQueue() chan<- AuthUpdate {
+	w.clientsMutex.RLock()
+	defer w.clientsMutex.RUnlock()
+	return w.authQueue
+}
+
+func (w *Watcher) stopDispatch() {
+	if w.dispatchCancel != nil {
+		w.dispatchCancel()
+		w.dispatchCancel = nil
+	}
+	w.dispatchMu.Lock()
+	w.pendingOrder = nil
+	w.pendingUpdates = nil
+	if w.dispatchCond != nil {
+		w.dispatchCond.Broadcast()
+	}
+	w.dispatchMu.Unlock()
+	w.clientsMutex.Lock()
+	w.authQueue = nil
+	w.clientsMutex.Unlock()
+}
+
+func authEqual(a, b *coreauth.Auth) bool {
+	return reflect.DeepEqual(normalizeAuth(a), normalizeAuth(b))
+}
+
+func normalizeAuth(a *coreauth.Auth) *coreauth.Auth {
+	if a == nil {
+		return nil
+	}
+	clone := a.Clone()
+	clone.CreatedAt = time.Time{}
+	clone.UpdatedAt = time.Time{}
+	clone.LastRefreshedAt = time.Time{}
+	clone.NextRefreshAfter = time.Time{}
+	clone.Runtime = nil
+	clone.Quota.NextRecoverAt = time.Time{}
+	return clone
+}
+
+func snapshotCoreAuths(cfg *config.Config, authDir string) []*coreauth.Auth {
+	ctx := &synthesizer.SynthesisContext{
+		Config:      cfg,
+		AuthDir:     authDir,
+		Now:         time.Now(),
+		IDGenerator: synthesizer.NewStableIDGenerator(),
+	}
+
+	var out []*coreauth.Auth
+
+	configSynth := synthesizer.NewConfigSynthesizer()
+	if auths, err := configSynth.Synthesize(ctx); err == nil {
+		out = append(out, auths...)
+	}
+
+	fileSynth := synthesizer.NewFileSynthesizer()
+	if auths, err := fileSynth.Synthesize(ctx); err == nil {
+		out = append(out, auths...)
+	}
+
+	return out
+}

internal/watcher/events.go

@@ -0,0 +1,194 @@
+// events.go implements fsnotify event handling for config and auth file changes.
+// It normalizes paths, debounces noisy events, and triggers reload/update logic.
+package watcher
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"time"
+
+	"github.com/fsnotify/fsnotify"
+	log "github.com/sirupsen/logrus"
+)
+
+func matchProvider(provider string, targets []string) (string, bool) {
+	p := strings.ToLower(strings.TrimSpace(provider))
+	for _, t := range targets {
+		if strings.EqualFold(p, strings.TrimSpace(t)) {
+			return p, true
+		}
+	}
+	return p, false
+}
+
+func (w *Watcher) start(ctx context.Context) error {
+	if errAddConfig := w.watcher.Add(w.configPath); errAddConfig != nil {
+		log.Errorf("failed to watch config file %s: %v", w.configPath, errAddConfig)
+		return errAddConfig
+	}
+	log.Debugf("watching config file: %s", w.configPath)
+
+	if errAddAuthDir := w.watcher.Add(w.authDir); errAddAuthDir != nil {
+		log.Errorf("failed to watch auth directory %s: %v", w.authDir, errAddAuthDir)
+		return errAddAuthDir
+	}
+	log.Debugf("watching auth directory: %s", w.authDir)
+
+	go w.processEvents(ctx)
+
+	w.reloadClients(true, nil, false)
+	return nil
+}
+
+func (w *Watcher) processEvents(ctx context.Context) {
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case event, ok := <-w.watcher.Events:
+			if !ok {
+				return
+			}
+			w.handleEvent(event)
+		case errWatch, ok := <-w.watcher.Errors:
+			if !ok {
+				return
+			}
+			log.Errorf("file watcher error: %v", errWatch)
+		}
+	}
+}
+
+func (w *Watcher) handleEvent(event fsnotify.Event) {
+	// Filter only relevant events: config file or auth-dir JSON files.
+	configOps := fsnotify.Write | fsnotify.Create | fsnotify.Rename
+	normalizedName := w.normalizeAuthPath(event.Name)
+	normalizedConfigPath := w.normalizeAuthPath(w.configPath)
+	normalizedAuthDir := w.normalizeAuthPath(w.authDir)
+	isConfigEvent := normalizedName == normalizedConfigPath && event.Op&configOps != 0
+	authOps := fsnotify.Create | fsnotify.Write | fsnotify.Remove | fsnotify.Rename
+	isAuthJSON := strings.HasPrefix(normalizedName, normalizedAuthDir) && strings.HasSuffix(normalizedName, ".json") && event.Op&authOps != 0
+	if !isConfigEvent && !isAuthJSON {
+		// Ignore unrelated files (e.g., cookie snapshots *.cookie) and other noise.
+		return
+	}
+
+	now := time.Now()
+	log.Debugf("file system event detected: %s %s", event.Op.String(), event.Name)
+
+	// Handle config file changes
+	if isConfigEvent {
+		log.Debugf("config file change details - operation: %s, timestamp: %s", event.Op.String(), now.Format("2006-01-02 15:04:05.000"))
+		w.scheduleConfigReload()
+		return
+	}
+
+	// Handle auth directory changes incrementally (.json only)
+	if event.Op&(fsnotify.Remove|fsnotify.Rename) != 0 {
+		if w.shouldDebounceRemove(normalizedName, now) {
+			log.Debugf("debouncing remove event for %s", filepath.Base(event.Name))
+			return
+		}
+		// Atomic replace on some platforms may surface as Rename (or Remove) before the new file is ready.
+		// Wait briefly; if the path exists again, treat as an update instead of removal.
+		time.Sleep(replaceCheckDelay)
+		if _, statErr := os.Stat(event.Name); statErr == nil {
+			if unchanged, errSame := w.authFileUnchanged(event.Name); errSame == nil && unchanged {
+				log.Debugf("auth file unchanged (hash match), skipping reload: %s", filepath.Base(event.Name))
+				return
+			}
+			log.Infof("auth file changed (%s): %s, processing incrementally", event.Op.String(), filepath.Base(event.Name))
+			w.addOrUpdateClient(event.Name)
+			return
+		}
+		if !w.isKnownAuthFile(event.Name) {
+			log.Debugf("ignoring remove for unknown auth file: %s", filepath.Base(event.Name))
+			return
+		}
+		log.Infof("auth file changed (%s): %s, processing incrementally", event.Op.String(), filepath.Base(event.Name))
+		w.removeClient(event.Name)
+		return
+	}
+	if event.Op&(fsnotify.Create|fsnotify.Write) != 0 {
+		if unchanged, errSame := w.authFileUnchanged(event.Name); errSame == nil && unchanged {
+			log.Debugf("auth file unchanged (hash match), skipping reload: %s", filepath.Base(event.Name))
+			return
+		}
+		log.Infof("auth file changed (%s): %s, processing incrementally", event.Op.String(), filepath.Base(event.Name))
+		w.addOrUpdateClient(event.Name)
+	}
+}
+
+func (w *Watcher) authFileUnchanged(path string) (bool, error) {
+	data, errRead := os.ReadFile(path)
+	if errRead != nil {
+		return false, errRead
+	}
+	if len(data) == 0 {
+		return false, nil
+	}
+	sum := sha256.Sum256(data)
+	curHash := hex.EncodeToString(sum[:])
+
+	normalized := w.normalizeAuthPath(path)
+	w.clientsMutex.RLock()
+	prevHash, ok := w.lastAuthHashes[normalized]
+	w.clientsMutex.RUnlock()
+	if ok && prevHash == curHash {
+		return true, nil
+	}
+	return false, nil
+}
+
+func (w *Watcher) isKnownAuthFile(path string) bool {
+	normalized := w.normalizeAuthPath(path)
+	w.clientsMutex.RLock()
+	defer w.clientsMutex.RUnlock()
+	_, ok := w.lastAuthHashes[normalized]
+	return ok
+}
+
+func (w *Watcher) normalizeAuthPath(path string) string {
+	trimmed := strings.TrimSpace(path)
+	if trimmed == "" {
+		return ""
+	}
+	cleaned := filepath.Clean(trimmed)
+	if runtime.GOOS == "windows" {
+		cleaned = strings.TrimPrefix(cleaned, `\\?\`)
+		cleaned = strings.ToLower(cleaned)
+	}
+	return cleaned
+}
+
+func (w *Watcher) shouldDebounceRemove(normalizedPath string, now time.Time) bool {
+	if normalizedPath == "" {
+		return false
+	}
+	w.clientsMutex.Lock()
+	if w.lastRemoveTimes == nil {
+		w.lastRemoveTimes = make(map[string]time.Time)
+	}
+	if last, ok := w.lastRemoveTimes[normalizedPath]; ok {
+		if now.Sub(last) < authRemoveDebounceWindow {
+			w.clientsMutex.Unlock()
+			return true
+		}
+	}
+	w.lastRemoveTimes[normalizedPath] = now
+	if len(w.lastRemoveTimes) > 128 {
+		cutoff := now.Add(-2 * authRemoveDebounceWindow)
+		for p, t := range w.lastRemoveTimes {
+			if t.Before(cutoff) {
+				delete(w.lastRemoveTimes, p)
+			}
+		}
+	}
+	w.clientsMutex.Unlock()
+	return false
+}

internal/watcher/synthesizer/config.go

@@ -0,0 +1,294 @@
+package synthesizer
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/watcher/diff"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+)
+
+// ConfigSynthesizer generates Auth entries from configuration API keys.
+// It handles Gemini, Claude, Codex, OpenAI-compat, and Vertex-compat providers.
+type ConfigSynthesizer struct{}
+
+// NewConfigSynthesizer creates a new ConfigSynthesizer instance.
+func NewConfigSynthesizer() *ConfigSynthesizer {
+	return &ConfigSynthesizer{}
+}
+
+// Synthesize generates Auth entries from config API keys.
+func (s *ConfigSynthesizer) Synthesize(ctx *SynthesisContext) ([]*coreauth.Auth, error) {
+	out := make([]*coreauth.Auth, 0, 32)
+	if ctx == nil || ctx.Config == nil {
+		return out, nil
+	}
+
+	// Gemini API Keys
+	out = append(out, s.synthesizeGeminiKeys(ctx)...)
+	// Claude API Keys
+	out = append(out, s.synthesizeClaudeKeys(ctx)...)
+	// Codex API Keys
+	out = append(out, s.synthesizeCodexKeys(ctx)...)
+	// OpenAI-compat
+	out = append(out, s.synthesizeOpenAICompat(ctx)...)
+	// Vertex-compat
+	out = append(out, s.synthesizeVertexCompat(ctx)...)
+
+	return out, nil
+}
+
+// synthesizeGeminiKeys creates Auth entries for Gemini API keys.
+func (s *ConfigSynthesizer) synthesizeGeminiKeys(ctx *SynthesisContext) []*coreauth.Auth {
+	cfg := ctx.Config
+	now := ctx.Now
+	idGen := ctx.IDGenerator
+
+	out := make([]*coreauth.Auth, 0, len(cfg.GeminiKey))
+	for i := range cfg.GeminiKey {
+		entry := cfg.GeminiKey[i]
+		key := strings.TrimSpace(entry.APIKey)
+		if key == "" {
+			continue
+		}
+		prefix := strings.TrimSpace(entry.Prefix)
+		base := strings.TrimSpace(entry.BaseURL)
+		proxyURL := strings.TrimSpace(entry.ProxyURL)
+		id, token := idGen.Next("gemini:apikey", key, base)
+		attrs := map[string]string{
+			"source":  fmt.Sprintf("config:gemini[%s]", token),
+			"api_key": key,
+		}
+		if base != "" {
+			attrs["base_url"] = base
+		}
+		addConfigHeadersToAttrs(entry.Headers, attrs)
+		a := &coreauth.Auth{
+			ID:         id,
+			Provider:   "gemini",
+			Label:      "gemini-apikey",
+			Prefix:     prefix,
+			Status:     coreauth.StatusActive,
+			ProxyURL:   proxyURL,
+			Attributes: attrs,
+			CreatedAt:  now,
+			UpdatedAt:  now,
+		}
+		ApplyAuthExcludedModelsMeta(a, cfg, entry.ExcludedModels, "apikey")
+		out = append(out, a)
+	}
+	return out
+}
+
+// synthesizeClaudeKeys creates Auth entries for Claude API keys.
+func (s *ConfigSynthesizer) synthesizeClaudeKeys(ctx *SynthesisContext) []*coreauth.Auth {
+	cfg := ctx.Config
+	now := ctx.Now
+	idGen := ctx.IDGenerator
+
+	out := make([]*coreauth.Auth, 0, len(cfg.ClaudeKey))
+	for i := range cfg.ClaudeKey {
+		ck := cfg.ClaudeKey[i]
+		key := strings.TrimSpace(ck.APIKey)
+		if key == "" {
+			continue
+		}
+		prefix := strings.TrimSpace(ck.Prefix)
+		base := strings.TrimSpace(ck.BaseURL)
+		id, token := idGen.Next("claude:apikey", key, base)
+		attrs := map[string]string{
+			"source":  fmt.Sprintf("config:claude[%s]", token),
+			"api_key": key,
+		}
+		if base != "" {
+			attrs["base_url"] = base
+		}
+		if hash := diff.ComputeClaudeModelsHash(ck.Models); hash != "" {
+			attrs["models_hash"] = hash
+		}
+		addConfigHeadersToAttrs(ck.Headers, attrs)
+		proxyURL := strings.TrimSpace(ck.ProxyURL)
+		a := &coreauth.Auth{
+			ID:         id,
+			Provider:   "claude",
+			Label:      "claude-apikey",
+			Prefix:     prefix,
+			Status:     coreauth.StatusActive,
+			ProxyURL:   proxyURL,
+			Attributes: attrs,
+			CreatedAt:  now,
+			UpdatedAt:  now,
+		}
+		ApplyAuthExcludedModelsMeta(a, cfg, ck.ExcludedModels, "apikey")
+		out = append(out, a)
+	}
+	return out
+}
+
+// synthesizeCodexKeys creates Auth entries for Codex API keys.
+func (s *ConfigSynthesizer) synthesizeCodexKeys(ctx *SynthesisContext) []*coreauth.Auth {
+	cfg := ctx.Config
+	now := ctx.Now
+	idGen := ctx.IDGenerator
+
+	out := make([]*coreauth.Auth, 0, len(cfg.CodexKey))
+	for i := range cfg.CodexKey {
+		ck := cfg.CodexKey[i]
+		key := strings.TrimSpace(ck.APIKey)
+		if key == "" {
+			continue
+		}
+		prefix := strings.TrimSpace(ck.Prefix)
+		id, token := idGen.Next("codex:apikey", key, ck.BaseURL)
+		attrs := map[string]string{
+			"source":  fmt.Sprintf("config:codex[%s]", token),
+			"api_key": key,
+		}
+		if ck.BaseURL != "" {
+			attrs["base_url"] = ck.BaseURL
+		}
+		addConfigHeadersToAttrs(ck.Headers, attrs)
+		proxyURL := strings.TrimSpace(ck.ProxyURL)
+		a := &coreauth.Auth{
+			ID:         id,
+			Provider:   "codex",
+			Label:      "codex-apikey",
+			Prefix:     prefix,
+			Status:     coreauth.StatusActive,
+			ProxyURL:   proxyURL,
+			Attributes: attrs,
+			CreatedAt:  now,
+			UpdatedAt:  now,
+		}
+		ApplyAuthExcludedModelsMeta(a, cfg, ck.ExcludedModels, "apikey")
+		out = append(out, a)
+	}
+	return out
+}
+
+// synthesizeOpenAICompat creates Auth entries for OpenAI-compatible providers.
+func (s *ConfigSynthesizer) synthesizeOpenAICompat(ctx *SynthesisContext) []*coreauth.Auth {
+	cfg := ctx.Config
+	now := ctx.Now
+	idGen := ctx.IDGenerator
+
+	out := make([]*coreauth.Auth, 0)
+	for i := range cfg.OpenAICompatibility {
+		compat := &cfg.OpenAICompatibility[i]
+		prefix := strings.TrimSpace(compat.Prefix)
+		providerName := strings.ToLower(strings.TrimSpace(compat.Name))
+		if providerName == "" {
+			providerName = "openai-compatibility"
+		}
+		base := strings.TrimSpace(compat.BaseURL)
+
+		// Handle new APIKeyEntries format (preferred)
+		createdEntries := 0
+		for j := range compat.APIKeyEntries {
+			entry := &compat.APIKeyEntries[j]
+			key := strings.TrimSpace(entry.APIKey)
+			proxyURL := strings.TrimSpace(entry.ProxyURL)
+			idKind := fmt.Sprintf("openai-compatibility:%s", providerName)
+			id, token := idGen.Next(idKind, key, base, proxyURL)
+			attrs := map[string]string{
+				"source":       fmt.Sprintf("config:%s[%s]", providerName, token),
+				"base_url":     base,
+				"compat_name":  compat.Name,
+				"provider_key": providerName,
+			}
+			if key != "" {
+				attrs["api_key"] = key
+			}
+			if hash := diff.ComputeOpenAICompatModelsHash(compat.Models); hash != "" {
+				attrs["models_hash"] = hash
+			}
+			addConfigHeadersToAttrs(compat.Headers, attrs)
+			a := &coreauth.Auth{
+				ID:         id,
+				Provider:   providerName,
+				Label:      compat.Name,
+				Prefix:     prefix,
+				Status:     coreauth.StatusActive,
+				ProxyURL:   proxyURL,
+				Attributes: attrs,
+				CreatedAt:  now,
+				UpdatedAt:  now,
+			}
+			out = append(out, a)
+			createdEntries++
+		}
+		// Fallback: create entry without API key if no APIKeyEntries
+		if createdEntries == 0 {
+			idKind := fmt.Sprintf("openai-compatibility:%s", providerName)
+			id, token := idGen.Next(idKind, base)
+			attrs := map[string]string{
+				"source":       fmt.Sprintf("config:%s[%s]", providerName, token),
+				"base_url":     base,
+				"compat_name":  compat.Name,
+				"provider_key": providerName,
+			}
+			if hash := diff.ComputeOpenAICompatModelsHash(compat.Models); hash != "" {
+				attrs["models_hash"] = hash
+			}
+			addConfigHeadersToAttrs(compat.Headers, attrs)
+			a := &coreauth.Auth{
+				ID:         id,
+				Provider:   providerName,
+				Label:      compat.Name,
+				Prefix:     prefix,
+				Status:     coreauth.StatusActive,
+				Attributes: attrs,
+				CreatedAt:  now,
+				UpdatedAt:  now,
+			}
+			out = append(out, a)
+		}
+	}
+	return out
+}
+
+// synthesizeVertexCompat creates Auth entries for Vertex-compatible providers.
+func (s *ConfigSynthesizer) synthesizeVertexCompat(ctx *SynthesisContext) []*coreauth.Auth {
+	cfg := ctx.Config
+	now := ctx.Now
+	idGen := ctx.IDGenerator
+
+	out := make([]*coreauth.Auth, 0, len(cfg.VertexCompatAPIKey))
+	for i := range cfg.VertexCompatAPIKey {
+		compat := &cfg.VertexCompatAPIKey[i]
+		providerName := "vertex"
+		base := strings.TrimSpace(compat.BaseURL)
+
+		key := strings.TrimSpace(compat.APIKey)
+		prefix := strings.TrimSpace(compat.Prefix)
+		proxyURL := strings.TrimSpace(compat.ProxyURL)
+		idKind := "vertex:apikey"
+		id, token := idGen.Next(idKind, key, base, proxyURL)
+		attrs := map[string]string{
+			"source":       fmt.Sprintf("config:vertex-apikey[%s]", token),
+			"base_url":     base,
+			"provider_key": providerName,
+		}
+		if key != "" {
+			attrs["api_key"] = key
+		}
+		if hash := diff.ComputeVertexCompatModelsHash(compat.Models); hash != "" {
+			attrs["models_hash"] = hash
+		}
+		addConfigHeadersToAttrs(compat.Headers, attrs)
+		a := &coreauth.Auth{
+			ID:         id,
+			Provider:   providerName,
+			Label:      "vertex-apikey",
+			Prefix:     prefix,
+			Status:     coreauth.StatusActive,
+			ProxyURL:   proxyURL,
+			Attributes: attrs,
+			CreatedAt:  now,
+			UpdatedAt:  now,
+		}
+		ApplyAuthExcludedModelsMeta(a, cfg, nil, "apikey")
+		out = append(out, a)
+	}
+	return out
+}

internal/watcher/synthesizer/config_test.go

@@ -0,0 +1,613 @@
+package synthesizer
+
+import (
+	"testing"
+	"time"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+)
+
+func TestNewConfigSynthesizer(t *testing.T) {
+	synth := NewConfigSynthesizer()
+	if synth == nil {
+		t.Fatal("expected non-nil synthesizer")
+	}
+}
+
+func TestConfigSynthesizer_Synthesize_NilContext(t *testing.T) {
+	synth := NewConfigSynthesizer()
+	auths, err := synth.Synthesize(nil)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 0 {
+		t.Fatalf("expected empty auths, got %d", len(auths))
+	}
+}
+
+func TestConfigSynthesizer_Synthesize_NilConfig(t *testing.T) {
+	synth := NewConfigSynthesizer()
+	ctx := &SynthesisContext{
+		Config:      nil,
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 0 {
+		t.Fatalf("expected empty auths, got %d", len(auths))
+	}
+}
+
+func TestConfigSynthesizer_GeminiKeys(t *testing.T) {
+	tests := []struct {
+		name       string
+		geminiKeys []config.GeminiKey
+		wantLen    int
+		validate   func(*testing.T, []*coreauth.Auth)
+	}{
+		{
+			name: "single gemini key",
+			geminiKeys: []config.GeminiKey{
+				{APIKey: "test-key-123", Prefix: "team-a"},
+			},
+			wantLen: 1,
+			validate: func(t *testing.T, auths []*coreauth.Auth) {
+				if auths[0].Provider != "gemini" {
+					t.Errorf("expected provider gemini, got %s", auths[0].Provider)
+				}
+				if auths[0].Prefix != "team-a" {
+					t.Errorf("expected prefix team-a, got %s", auths[0].Prefix)
+				}
+				if auths[0].Label != "gemini-apikey" {
+					t.Errorf("expected label gemini-apikey, got %s", auths[0].Label)
+				}
+				if auths[0].Attributes["api_key"] != "test-key-123" {
+					t.Errorf("expected api_key test-key-123, got %s", auths[0].Attributes["api_key"])
+				}
+				if auths[0].Status != coreauth.StatusActive {
+					t.Errorf("expected status active, got %s", auths[0].Status)
+				}
+			},
+		},
+		{
+			name: "gemini key with base url and proxy",
+			geminiKeys: []config.GeminiKey{
+				{
+					APIKey:   "api-key",
+					BaseURL:  "https://custom.api.com",
+					ProxyURL: "http://proxy.local:8080",
+					Prefix:   "custom",
+				},
+			},
+			wantLen: 1,
+			validate: func(t *testing.T, auths []*coreauth.Auth) {
+				if auths[0].Attributes["base_url"] != "https://custom.api.com" {
+					t.Errorf("expected base_url https://custom.api.com, got %s", auths[0].Attributes["base_url"])
+				}
+				if auths[0].ProxyURL != "http://proxy.local:8080" {
+					t.Errorf("expected proxy_url http://proxy.local:8080, got %s", auths[0].ProxyURL)
+				}
+			},
+		},
+		{
+			name: "gemini key with headers",
+			geminiKeys: []config.GeminiKey{
+				{
+					APIKey:  "api-key",
+					Headers: map[string]string{"X-Custom": "value"},
+				},
+			},
+			wantLen: 1,
+			validate: func(t *testing.T, auths []*coreauth.Auth) {
+				if auths[0].Attributes["header:X-Custom"] != "value" {
+					t.Errorf("expected header:X-Custom=value, got %s", auths[0].Attributes["header:X-Custom"])
+				}
+			},
+		},
+		{
+			name: "empty api key skipped",
+			geminiKeys: []config.GeminiKey{
+				{APIKey: ""},
+				{APIKey: "  "},
+				{APIKey: "valid-key"},
+			},
+			wantLen: 1,
+		},
+		{
+			name: "multiple gemini keys",
+			geminiKeys: []config.GeminiKey{
+				{APIKey: "key-1", Prefix: "a"},
+				{APIKey: "key-2", Prefix: "b"},
+				{APIKey: "key-3", Prefix: "c"},
+			},
+			wantLen: 3,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			synth := NewConfigSynthesizer()
+			ctx := &SynthesisContext{
+				Config: &config.Config{
+					GeminiKey: tt.geminiKeys,
+				},
+				Now:         time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
+				IDGenerator: NewStableIDGenerator(),
+			}
+
+			auths, err := synth.Synthesize(ctx)
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if len(auths) != tt.wantLen {
+				t.Fatalf("expected %d auths, got %d", tt.wantLen, len(auths))
+			}
+
+			if tt.validate != nil && len(auths) > 0 {
+				tt.validate(t, auths)
+			}
+		})
+	}
+}
+
+func TestConfigSynthesizer_ClaudeKeys(t *testing.T) {
+	synth := NewConfigSynthesizer()
+	ctx := &SynthesisContext{
+		Config: &config.Config{
+			ClaudeKey: []config.ClaudeKey{
+				{
+					APIKey:  "sk-ant-api-xxx",
+					Prefix:  "main",
+					BaseURL: "https://api.anthropic.com",
+					Models: []config.ClaudeModel{
+						{Name: "claude-3-opus"},
+						{Name: "claude-3-sonnet"},
+					},
+				},
+			},
+		},
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 1 {
+		t.Fatalf("expected 1 auth, got %d", len(auths))
+	}
+
+	if auths[0].Provider != "claude" {
+		t.Errorf("expected provider claude, got %s", auths[0].Provider)
+	}
+	if auths[0].Label != "claude-apikey" {
+		t.Errorf("expected label claude-apikey, got %s", auths[0].Label)
+	}
+	if auths[0].Prefix != "main" {
+		t.Errorf("expected prefix main, got %s", auths[0].Prefix)
+	}
+	if auths[0].Attributes["api_key"] != "sk-ant-api-xxx" {
+		t.Errorf("expected api_key sk-ant-api-xxx, got %s", auths[0].Attributes["api_key"])
+	}
+	if _, ok := auths[0].Attributes["models_hash"]; !ok {
+		t.Error("expected models_hash in attributes")
+	}
+}
+
+func TestConfigSynthesizer_ClaudeKeys_SkipsEmptyAndHeaders(t *testing.T) {
+	synth := NewConfigSynthesizer()
+	ctx := &SynthesisContext{
+		Config: &config.Config{
+			ClaudeKey: []config.ClaudeKey{
+				{APIKey: ""},    // empty, should be skipped
+				{APIKey: "   "}, // whitespace, should be skipped
+				{APIKey: "valid-key", Headers: map[string]string{"X-Custom": "value"}},
+			},
+		},
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 1 {
+		t.Fatalf("expected 1 auth (empty keys skipped), got %d", len(auths))
+	}
+	if auths[0].Attributes["header:X-Custom"] != "value" {
+		t.Errorf("expected header:X-Custom=value, got %s", auths[0].Attributes["header:X-Custom"])
+	}
+}
+
+func TestConfigSynthesizer_CodexKeys(t *testing.T) {
+	synth := NewConfigSynthesizer()
+	ctx := &SynthesisContext{
+		Config: &config.Config{
+			CodexKey: []config.CodexKey{
+				{
+					APIKey:   "codex-key-123",
+					Prefix:   "dev",
+					BaseURL:  "https://api.openai.com",
+					ProxyURL: "http://proxy.local",
+				},
+			},
+		},
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 1 {
+		t.Fatalf("expected 1 auth, got %d", len(auths))
+	}
+
+	if auths[0].Provider != "codex" {
+		t.Errorf("expected provider codex, got %s", auths[0].Provider)
+	}
+	if auths[0].Label != "codex-apikey" {
+		t.Errorf("expected label codex-apikey, got %s", auths[0].Label)
+	}
+	if auths[0].ProxyURL != "http://proxy.local" {
+		t.Errorf("expected proxy_url http://proxy.local, got %s", auths[0].ProxyURL)
+	}
+}
+
+func TestConfigSynthesizer_CodexKeys_SkipsEmptyAndHeaders(t *testing.T) {
+	synth := NewConfigSynthesizer()
+	ctx := &SynthesisContext{
+		Config: &config.Config{
+			CodexKey: []config.CodexKey{
+				{APIKey: ""},   // empty, should be skipped
+				{APIKey: "  "}, // whitespace, should be skipped
+				{APIKey: "valid-key", Headers: map[string]string{"Authorization": "Bearer xyz"}},
+			},
+		},
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 1 {
+		t.Fatalf("expected 1 auth (empty keys skipped), got %d", len(auths))
+	}
+	if auths[0].Attributes["header:Authorization"] != "Bearer xyz" {
+		t.Errorf("expected header:Authorization=Bearer xyz, got %s", auths[0].Attributes["header:Authorization"])
+	}
+}
+
+func TestConfigSynthesizer_OpenAICompat(t *testing.T) {
+	tests := []struct {
+		name    string
+		compat  []config.OpenAICompatibility
+		wantLen int
+	}{
+		{
+			name: "with APIKeyEntries",
+			compat: []config.OpenAICompatibility{
+				{
+					Name:    "CustomProvider",
+					BaseURL: "https://custom.api.com",
+					APIKeyEntries: []config.OpenAICompatibilityAPIKey{
+						{APIKey: "key-1"},
+						{APIKey: "key-2"},
+					},
+				},
+			},
+			wantLen: 2,
+		},
+		{
+			name: "empty APIKeyEntries included (legacy)",
+			compat: []config.OpenAICompatibility{
+				{
+					Name:    "EmptyKeys",
+					BaseURL: "https://empty.api.com",
+					APIKeyEntries: []config.OpenAICompatibilityAPIKey{
+						{APIKey: ""},
+						{APIKey: "   "},
+					},
+				},
+			},
+			wantLen: 2,
+		},
+		{
+			name: "without APIKeyEntries (fallback)",
+			compat: []config.OpenAICompatibility{
+				{
+					Name:    "NoKeyProvider",
+					BaseURL: "https://no-key.api.com",
+				},
+			},
+			wantLen: 1,
+		},
+		{
+			name: "empty name defaults",
+			compat: []config.OpenAICompatibility{
+				{
+					Name:    "",
+					BaseURL: "https://default.api.com",
+				},
+			},
+			wantLen: 1,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			synth := NewConfigSynthesizer()
+			ctx := &SynthesisContext{
+				Config: &config.Config{
+					OpenAICompatibility: tt.compat,
+				},
+				Now:         time.Now(),
+				IDGenerator: NewStableIDGenerator(),
+			}
+
+			auths, err := synth.Synthesize(ctx)
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if len(auths) != tt.wantLen {
+				t.Fatalf("expected %d auths, got %d", tt.wantLen, len(auths))
+			}
+		})
+	}
+}
+
+func TestConfigSynthesizer_VertexCompat(t *testing.T) {
+	synth := NewConfigSynthesizer()
+	ctx := &SynthesisContext{
+		Config: &config.Config{
+			VertexCompatAPIKey: []config.VertexCompatKey{
+				{
+					APIKey:  "vertex-key-123",
+					BaseURL: "https://vertex.googleapis.com",
+					Prefix:  "vertex-prod",
+				},
+			},
+		},
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 1 {
+		t.Fatalf("expected 1 auth, got %d", len(auths))
+	}
+
+	if auths[0].Provider != "vertex" {
+		t.Errorf("expected provider vertex, got %s", auths[0].Provider)
+	}
+	if auths[0].Label != "vertex-apikey" {
+		t.Errorf("expected label vertex-apikey, got %s", auths[0].Label)
+	}
+	if auths[0].Prefix != "vertex-prod" {
+		t.Errorf("expected prefix vertex-prod, got %s", auths[0].Prefix)
+	}
+}
+
+func TestConfigSynthesizer_VertexCompat_SkipsEmptyAndHeaders(t *testing.T) {
+	synth := NewConfigSynthesizer()
+	ctx := &SynthesisContext{
+		Config: &config.Config{
+			VertexCompatAPIKey: []config.VertexCompatKey{
+				{APIKey: "", BaseURL: "https://vertex.api"},   // empty key creates auth without api_key attr
+				{APIKey: "  ", BaseURL: "https://vertex.api"}, // whitespace key creates auth without api_key attr
+				{APIKey: "valid-key", BaseURL: "https://vertex.api", Headers: map[string]string{"X-Vertex": "test"}},
+			},
+		},
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	// Vertex compat doesn't skip empty keys - it creates auths without api_key attribute
+	if len(auths) != 3 {
+		t.Fatalf("expected 3 auths, got %d", len(auths))
+	}
+	// First two should not have api_key attribute
+	if _, ok := auths[0].Attributes["api_key"]; ok {
+		t.Error("expected first auth to not have api_key attribute")
+	}
+	if _, ok := auths[1].Attributes["api_key"]; ok {
+		t.Error("expected second auth to not have api_key attribute")
+	}
+	// Third should have headers
+	if auths[2].Attributes["header:X-Vertex"] != "test" {
+		t.Errorf("expected header:X-Vertex=test, got %s", auths[2].Attributes["header:X-Vertex"])
+	}
+}
+
+func TestConfigSynthesizer_OpenAICompat_WithModelsHash(t *testing.T) {
+	synth := NewConfigSynthesizer()
+	ctx := &SynthesisContext{
+		Config: &config.Config{
+			OpenAICompatibility: []config.OpenAICompatibility{
+				{
+					Name:    "TestProvider",
+					BaseURL: "https://test.api.com",
+					Models: []config.OpenAICompatibilityModel{
+						{Name: "model-a"},
+						{Name: "model-b"},
+					},
+					APIKeyEntries: []config.OpenAICompatibilityAPIKey{
+						{APIKey: "key-with-models"},
+					},
+				},
+			},
+		},
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 1 {
+		t.Fatalf("expected 1 auth, got %d", len(auths))
+	}
+	if _, ok := auths[0].Attributes["models_hash"]; !ok {
+		t.Error("expected models_hash in attributes")
+	}
+	if auths[0].Attributes["api_key"] != "key-with-models" {
+		t.Errorf("expected api_key key-with-models, got %s", auths[0].Attributes["api_key"])
+	}
+}
+
+func TestConfigSynthesizer_OpenAICompat_FallbackWithModels(t *testing.T) {
+	synth := NewConfigSynthesizer()
+	ctx := &SynthesisContext{
+		Config: &config.Config{
+			OpenAICompatibility: []config.OpenAICompatibility{
+				{
+					Name:    "NoKeyWithModels",
+					BaseURL: "https://nokey.api.com",
+					Models: []config.OpenAICompatibilityModel{
+						{Name: "model-x"},
+					},
+					Headers: map[string]string{"X-API": "header-value"},
+					// No APIKeyEntries - should use fallback path
+				},
+			},
+		},
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 1 {
+		t.Fatalf("expected 1 auth, got %d", len(auths))
+	}
+	if _, ok := auths[0].Attributes["models_hash"]; !ok {
+		t.Error("expected models_hash in fallback path")
+	}
+	if auths[0].Attributes["header:X-API"] != "header-value" {
+		t.Errorf("expected header:X-API=header-value, got %s", auths[0].Attributes["header:X-API"])
+	}
+}
+
+func TestConfigSynthesizer_VertexCompat_WithModels(t *testing.T) {
+	synth := NewConfigSynthesizer()
+	ctx := &SynthesisContext{
+		Config: &config.Config{
+			VertexCompatAPIKey: []config.VertexCompatKey{
+				{
+					APIKey:  "vertex-key",
+					BaseURL: "https://vertex.api",
+					Models: []config.VertexCompatModel{
+						{Name: "gemini-pro", Alias: "pro"},
+						{Name: "gemini-ultra", Alias: "ultra"},
+					},
+				},
+			},
+		},
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 1 {
+		t.Fatalf("expected 1 auth, got %d", len(auths))
+	}
+	if _, ok := auths[0].Attributes["models_hash"]; !ok {
+		t.Error("expected models_hash in vertex auth with models")
+	}
+}
+
+func TestConfigSynthesizer_IDStability(t *testing.T) {
+	cfg := &config.Config{
+		GeminiKey: []config.GeminiKey{
+			{APIKey: "stable-key", Prefix: "test"},
+		},
+	}
+
+	// Generate IDs twice with fresh generators
+	synth1 := NewConfigSynthesizer()
+	ctx1 := &SynthesisContext{
+		Config:      cfg,
+		Now:         time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
+		IDGenerator: NewStableIDGenerator(),
+	}
+	auths1, _ := synth1.Synthesize(ctx1)
+
+	synth2 := NewConfigSynthesizer()
+	ctx2 := &SynthesisContext{
+		Config:      cfg,
+		Now:         time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
+		IDGenerator: NewStableIDGenerator(),
+	}
+	auths2, _ := synth2.Synthesize(ctx2)
+
+	if auths1[0].ID != auths2[0].ID {
+		t.Errorf("same config should produce same ID: got %q and %q", auths1[0].ID, auths2[0].ID)
+	}
+}
+
+func TestConfigSynthesizer_AllProviders(t *testing.T) {
+	synth := NewConfigSynthesizer()
+	ctx := &SynthesisContext{
+		Config: &config.Config{
+			GeminiKey: []config.GeminiKey{
+				{APIKey: "gemini-key"},
+			},
+			ClaudeKey: []config.ClaudeKey{
+				{APIKey: "claude-key"},
+			},
+			CodexKey: []config.CodexKey{
+				{APIKey: "codex-key"},
+			},
+			OpenAICompatibility: []config.OpenAICompatibility{
+				{Name: "compat", BaseURL: "https://compat.api"},
+			},
+			VertexCompatAPIKey: []config.VertexCompatKey{
+				{APIKey: "vertex-key", BaseURL: "https://vertex.api"},
+			},
+		},
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 5 {
+		t.Fatalf("expected 5 auths, got %d", len(auths))
+	}
+
+	providers := make(map[string]bool)
+	for _, a := range auths {
+		providers[a.Provider] = true
+	}
+
+	expected := []string{"gemini", "claude", "codex", "compat", "vertex"}
+	for _, p := range expected {
+		if !providers[p] {
+			t.Errorf("expected provider %s not found", p)
+		}
+	}
+}

internal/watcher/synthesizer/context.go

@@ -0,0 +1,19 @@
+package synthesizer
+
+import (
+	"time"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+)
+
+// SynthesisContext provides the context needed for auth synthesis.
+type SynthesisContext struct {
+	// Config is the current configuration
+	Config *config.Config
+	// AuthDir is the directory containing auth files
+	AuthDir string
+	// Now is the current time for timestamps
+	Now time.Time
+	// IDGenerator generates stable IDs for auth entries
+	IDGenerator *StableIDGenerator
+}

internal/watcher/synthesizer/file.go

@@ -0,0 +1,224 @@
+package synthesizer
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/runtime/geminicli"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+)
+
+// FileSynthesizer generates Auth entries from OAuth JSON files.
+// It handles file-based authentication and Gemini virtual auth generation.
+type FileSynthesizer struct{}
+
+// NewFileSynthesizer creates a new FileSynthesizer instance.
+func NewFileSynthesizer() *FileSynthesizer {
+	return &FileSynthesizer{}
+}
+
+// Synthesize generates Auth entries from auth files in the auth directory.
+func (s *FileSynthesizer) Synthesize(ctx *SynthesisContext) ([]*coreauth.Auth, error) {
+	out := make([]*coreauth.Auth, 0, 16)
+	if ctx == nil || ctx.AuthDir == "" {
+		return out, nil
+	}
+
+	entries, err := os.ReadDir(ctx.AuthDir)
+	if err != nil {
+		// Not an error if directory doesn't exist
+		return out, nil
+	}
+
+	now := ctx.Now
+	cfg := ctx.Config
+
+	for _, e := range entries {
+		if e.IsDir() {
+			continue
+		}
+		name := e.Name()
+		if !strings.HasSuffix(strings.ToLower(name), ".json") {
+			continue
+		}
+		full := filepath.Join(ctx.AuthDir, name)
+		data, errRead := os.ReadFile(full)
+		if errRead != nil || len(data) == 0 {
+			continue
+		}
+		var metadata map[string]any
+		if errUnmarshal := json.Unmarshal(data, &metadata); errUnmarshal != nil {
+			continue
+		}
+		t, _ := metadata["type"].(string)
+		if t == "" {
+			continue
+		}
+		provider := strings.ToLower(t)
+		if provider == "gemini" {
+			provider = "gemini-cli"
+		}
+		label := provider
+		if email, _ := metadata["email"].(string); email != "" {
+			label = email
+		}
+		// Use relative path under authDir as ID to stay consistent with the file-based token store
+		id := full
+		if rel, errRel := filepath.Rel(ctx.AuthDir, full); errRel == nil && rel != "" {
+			id = rel
+		}
+
+		proxyURL := ""
+		if p, ok := metadata["proxy_url"].(string); ok {
+			proxyURL = p
+		}
+
+		prefix := ""
+		if rawPrefix, ok := metadata["prefix"].(string); ok {
+			trimmed := strings.TrimSpace(rawPrefix)
+			trimmed = strings.Trim(trimmed, "/")
+			if trimmed != "" && !strings.Contains(trimmed, "/") {
+				prefix = trimmed
+			}
+		}
+
+		a := &coreauth.Auth{
+			ID:       id,
+			Provider: provider,
+			Label:    label,
+			Prefix:   prefix,
+			Status:   coreauth.StatusActive,
+			Attributes: map[string]string{
+				"source": full,
+				"path":   full,
+			},
+			ProxyURL:  proxyURL,
+			Metadata:  metadata,
+			CreatedAt: now,
+			UpdatedAt: now,
+		}
+		ApplyAuthExcludedModelsMeta(a, cfg, nil, "oauth")
+		if provider == "gemini-cli" {
+			if virtuals := SynthesizeGeminiVirtualAuths(a, metadata, now); len(virtuals) > 0 {
+				for _, v := range virtuals {
+					ApplyAuthExcludedModelsMeta(v, cfg, nil, "oauth")
+				}
+				out = append(out, a)
+				out = append(out, virtuals...)
+				continue
+			}
+		}
+		out = append(out, a)
+	}
+	return out, nil
+}
+
+// SynthesizeGeminiVirtualAuths creates virtual Auth entries for multi-project Gemini credentials.
+// It disables the primary auth and creates one virtual auth per project.
+func SynthesizeGeminiVirtualAuths(primary *coreauth.Auth, metadata map[string]any, now time.Time) []*coreauth.Auth {
+	if primary == nil || metadata == nil {
+		return nil
+	}
+	projects := splitGeminiProjectIDs(metadata)
+	if len(projects) <= 1 {
+		return nil
+	}
+	email, _ := metadata["email"].(string)
+	shared := geminicli.NewSharedCredential(primary.ID, email, metadata, projects)
+	primary.Disabled = true
+	primary.Status = coreauth.StatusDisabled
+	primary.Runtime = shared
+	if primary.Attributes == nil {
+		primary.Attributes = make(map[string]string)
+	}
+	primary.Attributes["gemini_virtual_primary"] = "true"
+	primary.Attributes["virtual_children"] = strings.Join(projects, ",")
+	source := primary.Attributes["source"]
+	authPath := primary.Attributes["path"]
+	originalProvider := primary.Provider
+	if originalProvider == "" {
+		originalProvider = "gemini-cli"
+	}
+	label := primary.Label
+	if label == "" {
+		label = originalProvider
+	}
+	virtuals := make([]*coreauth.Auth, 0, len(projects))
+	for _, projectID := range projects {
+		attrs := map[string]string{
+			"runtime_only":           "true",
+			"gemini_virtual_parent":  primary.ID,
+			"gemini_virtual_project": projectID,
+		}
+		if source != "" {
+			attrs["source"] = source
+		}
+		if authPath != "" {
+			attrs["path"] = authPath
+		}
+		metadataCopy := map[string]any{
+			"email":             email,
+			"project_id":        projectID,
+			"virtual":           true,
+			"virtual_parent_id": primary.ID,
+			"type":              metadata["type"],
+		}
+		proxy := strings.TrimSpace(primary.ProxyURL)
+		if proxy != "" {
+			metadataCopy["proxy_url"] = proxy
+		}
+		virtual := &coreauth.Auth{
+			ID:         buildGeminiVirtualID(primary.ID, projectID),
+			Provider:   originalProvider,
+			Label:      fmt.Sprintf("%s [%s]", label, projectID),
+			Status:     coreauth.StatusActive,
+			Attributes: attrs,
+			Metadata:   metadataCopy,
+			ProxyURL:   primary.ProxyURL,
+			Prefix:     primary.Prefix,
+			CreatedAt:  primary.CreatedAt,
+			UpdatedAt:  primary.UpdatedAt,
+			Runtime:    geminicli.NewVirtualCredential(projectID, shared),
+		}
+		virtuals = append(virtuals, virtual)
+	}
+	return virtuals
+}
+
+// splitGeminiProjectIDs extracts and deduplicates project IDs from metadata.
+func splitGeminiProjectIDs(metadata map[string]any) []string {
+	raw, _ := metadata["project_id"].(string)
+	trimmed := strings.TrimSpace(raw)
+	if trimmed == "" {
+		return nil
+	}
+	parts := strings.Split(trimmed, ",")
+	result := make([]string, 0, len(parts))
+	seen := make(map[string]struct{}, len(parts))
+	for _, part := range parts {
+		id := strings.TrimSpace(part)
+		if id == "" {
+			continue
+		}
+		if _, ok := seen[id]; ok {
+			continue
+		}
+		seen[id] = struct{}{}
+		result = append(result, id)
+	}
+	return result
+}
+
+// buildGeminiVirtualID constructs a virtual auth ID from base ID and project ID.
+func buildGeminiVirtualID(baseID, projectID string) string {
+	project := strings.TrimSpace(projectID)
+	if project == "" {
+		project = "project"
+	}
+	replacer := strings.NewReplacer("/", "_", "\\", "_", " ", "_")
+	return fmt.Sprintf("%s::%s", baseID, replacer.Replace(project))
+}

internal/watcher/synthesizer/file_test.go

@@ -0,0 +1,612 @@
+package synthesizer
+
+import (
+	"encoding/json"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+)
+
+func TestNewFileSynthesizer(t *testing.T) {
+	synth := NewFileSynthesizer()
+	if synth == nil {
+		t.Fatal("expected non-nil synthesizer")
+	}
+}
+
+func TestFileSynthesizer_Synthesize_NilContext(t *testing.T) {
+	synth := NewFileSynthesizer()
+	auths, err := synth.Synthesize(nil)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 0 {
+		t.Fatalf("expected empty auths, got %d", len(auths))
+	}
+}
+
+func TestFileSynthesizer_Synthesize_EmptyAuthDir(t *testing.T) {
+	synth := NewFileSynthesizer()
+	ctx := &SynthesisContext{
+		Config:      &config.Config{},
+		AuthDir:     "",
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 0 {
+		t.Fatalf("expected empty auths, got %d", len(auths))
+	}
+}
+
+func TestFileSynthesizer_Synthesize_NonExistentDir(t *testing.T) {
+	synth := NewFileSynthesizer()
+	ctx := &SynthesisContext{
+		Config:      &config.Config{},
+		AuthDir:     "/non/existent/path",
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 0 {
+		t.Fatalf("expected empty auths, got %d", len(auths))
+	}
+}
+
+func TestFileSynthesizer_Synthesize_ValidAuthFile(t *testing.T) {
+	tempDir := t.TempDir()
+
+	// Create a valid auth file
+	authData := map[string]any{
+		"type":      "claude",
+		"email":     "test@example.com",
+		"proxy_url": "http://proxy.local",
+		"prefix":    "test-prefix",
+	}
+	data, _ := json.Marshal(authData)
+	err := os.WriteFile(filepath.Join(tempDir, "claude-auth.json"), data, 0644)
+	if err != nil {
+		t.Fatalf("failed to write auth file: %v", err)
+	}
+
+	synth := NewFileSynthesizer()
+	ctx := &SynthesisContext{
+		Config:      &config.Config{},
+		AuthDir:     tempDir,
+		Now:         time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
+		IDGenerator: NewStableIDGenerator(),
+	}
+
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 1 {
+		t.Fatalf("expected 1 auth, got %d", len(auths))
+	}
+
+	if auths[0].Provider != "claude" {
+		t.Errorf("expected provider claude, got %s", auths[0].Provider)
+	}
+	if auths[0].Label != "test@example.com" {
+		t.Errorf("expected label test@example.com, got %s", auths[0].Label)
+	}
+	if auths[0].Prefix != "test-prefix" {
+		t.Errorf("expected prefix test-prefix, got %s", auths[0].Prefix)
+	}
+	if auths[0].ProxyURL != "http://proxy.local" {
+		t.Errorf("expected proxy_url http://proxy.local, got %s", auths[0].ProxyURL)
+	}
+	if auths[0].Status != coreauth.StatusActive {
+		t.Errorf("expected status active, got %s", auths[0].Status)
+	}
+}
+
+func TestFileSynthesizer_Synthesize_GeminiProviderMapping(t *testing.T) {
+	tempDir := t.TempDir()
+
+	// Gemini type should be mapped to gemini-cli
+	authData := map[string]any{
+		"type":  "gemini",
+		"email": "gemini@example.com",
+	}
+	data, _ := json.Marshal(authData)
+	err := os.WriteFile(filepath.Join(tempDir, "gemini-auth.json"), data, 0644)
+	if err != nil {
+		t.Fatalf("failed to write auth file: %v", err)
+	}
+
+	synth := NewFileSynthesizer()
+	ctx := &SynthesisContext{
+		Config:      &config.Config{},
+		AuthDir:     tempDir,
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 1 {
+		t.Fatalf("expected 1 auth, got %d", len(auths))
+	}
+
+	if auths[0].Provider != "gemini-cli" {
+		t.Errorf("gemini should be mapped to gemini-cli, got %s", auths[0].Provider)
+	}
+}
+
+func TestFileSynthesizer_Synthesize_SkipsInvalidFiles(t *testing.T) {
+	tempDir := t.TempDir()
+
+	// Create various invalid files
+	_ = os.WriteFile(filepath.Join(tempDir, "not-json.txt"), []byte("text content"), 0644)
+	_ = os.WriteFile(filepath.Join(tempDir, "invalid.json"), []byte("not valid json"), 0644)
+	_ = os.WriteFile(filepath.Join(tempDir, "empty.json"), []byte(""), 0644)
+	_ = os.WriteFile(filepath.Join(tempDir, "no-type.json"), []byte(`{"email": "test@example.com"}`), 0644)
+
+	// Create one valid file
+	validData, _ := json.Marshal(map[string]any{"type": "claude", "email": "valid@example.com"})
+	_ = os.WriteFile(filepath.Join(tempDir, "valid.json"), validData, 0644)
+
+	synth := NewFileSynthesizer()
+	ctx := &SynthesisContext{
+		Config:      &config.Config{},
+		AuthDir:     tempDir,
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 1 {
+		t.Fatalf("only valid auth file should be processed, got %d", len(auths))
+	}
+	if auths[0].Label != "valid@example.com" {
+		t.Errorf("expected label valid@example.com, got %s", auths[0].Label)
+	}
+}
+
+func TestFileSynthesizer_Synthesize_SkipsDirectories(t *testing.T) {
+	tempDir := t.TempDir()
+
+	// Create a subdirectory with a json file inside
+	subDir := filepath.Join(tempDir, "subdir.json")
+	err := os.Mkdir(subDir, 0755)
+	if err != nil {
+		t.Fatalf("failed to create subdir: %v", err)
+	}
+
+	// Create a valid file in root
+	validData, _ := json.Marshal(map[string]any{"type": "claude"})
+	_ = os.WriteFile(filepath.Join(tempDir, "valid.json"), validData, 0644)
+
+	synth := NewFileSynthesizer()
+	ctx := &SynthesisContext{
+		Config:      &config.Config{},
+		AuthDir:     tempDir,
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 1 {
+		t.Fatalf("expected 1 auth, got %d", len(auths))
+	}
+}
+
+func TestFileSynthesizer_Synthesize_RelativeID(t *testing.T) {
+	tempDir := t.TempDir()
+
+	authData := map[string]any{"type": "claude"}
+	data, _ := json.Marshal(authData)
+	err := os.WriteFile(filepath.Join(tempDir, "my-auth.json"), data, 0644)
+	if err != nil {
+		t.Fatalf("failed to write auth file: %v", err)
+	}
+
+	synth := NewFileSynthesizer()
+	ctx := &SynthesisContext{
+		Config:      &config.Config{},
+		AuthDir:     tempDir,
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(auths) != 1 {
+		t.Fatalf("expected 1 auth, got %d", len(auths))
+	}
+
+	// ID should be relative path
+	if auths[0].ID != "my-auth.json" {
+		t.Errorf("expected ID my-auth.json, got %s", auths[0].ID)
+	}
+}
+
+func TestFileSynthesizer_Synthesize_PrefixValidation(t *testing.T) {
+	tests := []struct {
+		name       string
+		prefix     string
+		wantPrefix string
+	}{
+		{"valid prefix", "myprefix", "myprefix"},
+		{"prefix with slashes trimmed", "/myprefix/", "myprefix"},
+		{"prefix with spaces trimmed", "  myprefix  ", "myprefix"},
+		{"prefix with internal slash rejected", "my/prefix", ""},
+		{"empty prefix", "", ""},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tempDir := t.TempDir()
+			authData := map[string]any{
+				"type":   "claude",
+				"prefix": tt.prefix,
+			}
+			data, _ := json.Marshal(authData)
+			_ = os.WriteFile(filepath.Join(tempDir, "auth.json"), data, 0644)
+
+			synth := NewFileSynthesizer()
+			ctx := &SynthesisContext{
+				Config:      &config.Config{},
+				AuthDir:     tempDir,
+				Now:         time.Now(),
+				IDGenerator: NewStableIDGenerator(),
+			}
+
+			auths, err := synth.Synthesize(ctx)
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if len(auths) != 1 {
+				t.Fatalf("expected 1 auth, got %d", len(auths))
+			}
+			if auths[0].Prefix != tt.wantPrefix {
+				t.Errorf("expected prefix %q, got %q", tt.wantPrefix, auths[0].Prefix)
+			}
+		})
+	}
+}
+
+func TestSynthesizeGeminiVirtualAuths_NilInputs(t *testing.T) {
+	now := time.Now()
+
+	if SynthesizeGeminiVirtualAuths(nil, nil, now) != nil {
+		t.Error("expected nil for nil primary")
+	}
+	if SynthesizeGeminiVirtualAuths(&coreauth.Auth{}, nil, now) != nil {
+		t.Error("expected nil for nil metadata")
+	}
+	if SynthesizeGeminiVirtualAuths(nil, map[string]any{}, now) != nil {
+		t.Error("expected nil for nil primary with metadata")
+	}
+}
+
+func TestSynthesizeGeminiVirtualAuths_SingleProject(t *testing.T) {
+	now := time.Now()
+	primary := &coreauth.Auth{
+		ID:       "test-id",
+		Provider: "gemini-cli",
+		Label:    "test@example.com",
+	}
+	metadata := map[string]any{
+		"project_id": "single-project",
+		"email":      "test@example.com",
+		"type":       "gemini",
+	}
+
+	virtuals := SynthesizeGeminiVirtualAuths(primary, metadata, now)
+	if virtuals != nil {
+		t.Error("single project should not create virtuals")
+	}
+}
+
+func TestSynthesizeGeminiVirtualAuths_MultiProject(t *testing.T) {
+	now := time.Now()
+	primary := &coreauth.Auth{
+		ID:       "primary-id",
+		Provider: "gemini-cli",
+		Label:    "test@example.com",
+		Prefix:   "test-prefix",
+		ProxyURL: "http://proxy.local",
+		Attributes: map[string]string{
+			"source": "test-source",
+			"path":   "/path/to/auth",
+		},
+	}
+	metadata := map[string]any{
+		"project_id": "project-a, project-b, project-c",
+		"email":      "test@example.com",
+		"type":       "gemini",
+	}
+
+	virtuals := SynthesizeGeminiVirtualAuths(primary, metadata, now)
+
+	if len(virtuals) != 3 {
+		t.Fatalf("expected 3 virtuals, got %d", len(virtuals))
+	}
+
+	// Check primary is disabled
+	if !primary.Disabled {
+		t.Error("expected primary to be disabled")
+	}
+	if primary.Status != coreauth.StatusDisabled {
+		t.Errorf("expected primary status disabled, got %s", primary.Status)
+	}
+	if primary.Attributes["gemini_virtual_primary"] != "true" {
+		t.Error("expected gemini_virtual_primary=true")
+	}
+	if !strings.Contains(primary.Attributes["virtual_children"], "project-a") {
+		t.Error("expected virtual_children to contain project-a")
+	}
+
+	// Check virtuals
+	projectIDs := []string{"project-a", "project-b", "project-c"}
+	for i, v := range virtuals {
+		if v.Provider != "gemini-cli" {
+			t.Errorf("expected provider gemini-cli, got %s", v.Provider)
+		}
+		if v.Status != coreauth.StatusActive {
+			t.Errorf("expected status active, got %s", v.Status)
+		}
+		if v.Prefix != "test-prefix" {
+			t.Errorf("expected prefix test-prefix, got %s", v.Prefix)
+		}
+		if v.ProxyURL != "http://proxy.local" {
+			t.Errorf("expected proxy_url http://proxy.local, got %s", v.ProxyURL)
+		}
+		if v.Attributes["runtime_only"] != "true" {
+			t.Error("expected runtime_only=true")
+		}
+		if v.Attributes["gemini_virtual_parent"] != "primary-id" {
+			t.Errorf("expected gemini_virtual_parent=primary-id, got %s", v.Attributes["gemini_virtual_parent"])
+		}
+		if v.Attributes["gemini_virtual_project"] != projectIDs[i] {
+			t.Errorf("expected gemini_virtual_project=%s, got %s", projectIDs[i], v.Attributes["gemini_virtual_project"])
+		}
+		if !strings.Contains(v.Label, "["+projectIDs[i]+"]") {
+			t.Errorf("expected label to contain [%s], got %s", projectIDs[i], v.Label)
+		}
+	}
+}
+
+func TestSynthesizeGeminiVirtualAuths_EmptyProviderAndLabel(t *testing.T) {
+	now := time.Now()
+	// Test with empty Provider and Label to cover fallback branches
+	primary := &coreauth.Auth{
+		ID:         "primary-id",
+		Provider:   "", // empty provider - should default to gemini-cli
+		Label:      "", // empty label - should default to provider
+		Attributes: map[string]string{},
+	}
+	metadata := map[string]any{
+		"project_id": "proj-a, proj-b",
+		"email":      "user@example.com",
+		"type":       "gemini",
+	}
+
+	virtuals := SynthesizeGeminiVirtualAuths(primary, metadata, now)
+
+	if len(virtuals) != 2 {
+		t.Fatalf("expected 2 virtuals, got %d", len(virtuals))
+	}
+
+	// Check that empty provider defaults to gemini-cli
+	if virtuals[0].Provider != "gemini-cli" {
+		t.Errorf("expected provider gemini-cli (default), got %s", virtuals[0].Provider)
+	}
+	// Check that empty label defaults to provider
+	if !strings.Contains(virtuals[0].Label, "gemini-cli") {
+		t.Errorf("expected label to contain gemini-cli, got %s", virtuals[0].Label)
+	}
+}
+
+func TestSynthesizeGeminiVirtualAuths_NilPrimaryAttributes(t *testing.T) {
+	now := time.Now()
+	primary := &coreauth.Auth{
+		ID:         "primary-id",
+		Provider:   "gemini-cli",
+		Label:      "test@example.com",
+		Attributes: nil, // nil attributes
+	}
+	metadata := map[string]any{
+		"project_id": "proj-a, proj-b",
+		"email":      "test@example.com",
+		"type":       "gemini",
+	}
+
+	virtuals := SynthesizeGeminiVirtualAuths(primary, metadata, now)
+
+	if len(virtuals) != 2 {
+		t.Fatalf("expected 2 virtuals, got %d", len(virtuals))
+	}
+	// Nil attributes should be initialized
+	if primary.Attributes == nil {
+		t.Error("expected primary.Attributes to be initialized")
+	}
+	if primary.Attributes["gemini_virtual_primary"] != "true" {
+		t.Error("expected gemini_virtual_primary=true")
+	}
+}
+
+func TestSplitGeminiProjectIDs(t *testing.T) {
+	tests := []struct {
+		name     string
+		metadata map[string]any
+		want     []string
+	}{
+		{
+			name:     "single project",
+			metadata: map[string]any{"project_id": "proj-a"},
+			want:     []string{"proj-a"},
+		},
+		{
+			name:     "multiple projects",
+			metadata: map[string]any{"project_id": "proj-a, proj-b, proj-c"},
+			want:     []string{"proj-a", "proj-b", "proj-c"},
+		},
+		{
+			name:     "with duplicates",
+			metadata: map[string]any{"project_id": "proj-a, proj-b, proj-a"},
+			want:     []string{"proj-a", "proj-b"},
+		},
+		{
+			name:     "with empty parts",
+			metadata: map[string]any{"project_id": "proj-a, , proj-b, "},
+			want:     []string{"proj-a", "proj-b"},
+		},
+		{
+			name:     "empty project_id",
+			metadata: map[string]any{"project_id": ""},
+			want:     nil,
+		},
+		{
+			name:     "no project_id",
+			metadata: map[string]any{},
+			want:     nil,
+		},
+		{
+			name:     "whitespace only",
+			metadata: map[string]any{"project_id": "   "},
+			want:     nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := splitGeminiProjectIDs(tt.metadata)
+			if len(got) != len(tt.want) {
+				t.Fatalf("expected %v, got %v", tt.want, got)
+			}
+			for i := range got {
+				if got[i] != tt.want[i] {
+					t.Errorf("expected %v, got %v", tt.want, got)
+					break
+				}
+			}
+		})
+	}
+}
+
+func TestFileSynthesizer_Synthesize_MultiProjectGemini(t *testing.T) {
+	tempDir := t.TempDir()
+
+	// Create a gemini auth file with multiple projects
+	authData := map[string]any{
+		"type":       "gemini",
+		"email":      "multi@example.com",
+		"project_id": "project-a, project-b, project-c",
+	}
+	data, _ := json.Marshal(authData)
+	err := os.WriteFile(filepath.Join(tempDir, "gemini-multi.json"), data, 0644)
+	if err != nil {
+		t.Fatalf("failed to write auth file: %v", err)
+	}
+
+	synth := NewFileSynthesizer()
+	ctx := &SynthesisContext{
+		Config:      &config.Config{},
+		AuthDir:     tempDir,
+		Now:         time.Now(),
+		IDGenerator: NewStableIDGenerator(),
+	}
+
+	auths, err := synth.Synthesize(ctx)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	// Should have 4 auths: 1 primary (disabled) + 3 virtuals
+	if len(auths) != 4 {
+		t.Fatalf("expected 4 auths (1 primary + 3 virtuals), got %d", len(auths))
+	}
+
+	// First auth should be the primary (disabled)
+	primary := auths[0]
+	if !primary.Disabled {
+		t.Error("expected primary to be disabled")
+	}
+	if primary.Status != coreauth.StatusDisabled {
+		t.Errorf("expected primary status disabled, got %s", primary.Status)
+	}
+
+	// Remaining auths should be virtuals
+	for i := 1; i < 4; i++ {
+		v := auths[i]
+		if v.Status != coreauth.StatusActive {
+			t.Errorf("expected virtual %d to be active, got %s", i, v.Status)
+		}
+		if v.Attributes["gemini_virtual_parent"] != primary.ID {
+			t.Errorf("expected virtual %d parent to be %s, got %s", i, primary.ID, v.Attributes["gemini_virtual_parent"])
+		}
+	}
+}
+
+func TestBuildGeminiVirtualID(t *testing.T) {
+	tests := []struct {
+		name      string
+		baseID    string
+		projectID string
+		want      string
+	}{
+		{
+			name:      "basic",
+			baseID:    "auth.json",
+			projectID: "my-project",
+			want:      "auth.json::my-project",
+		},
+		{
+			name:      "with slashes",
+			baseID:    "path/to/auth.json",
+			projectID: "project/with/slashes",
+			want:      "path/to/auth.json::project_with_slashes",
+		},
+		{
+			name:      "with spaces",
+			baseID:    "auth.json",
+			projectID: "my project",
+			want:      "auth.json::my_project",
+		},
+		{
+			name:      "empty project",
+			baseID:    "auth.json",
+			projectID: "",
+			want:      "auth.json::project",
+		},
+		{
+			name:      "whitespace project",
+			baseID:    "auth.json",
+			projectID: "   ",
+			want:      "auth.json::project",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := buildGeminiVirtualID(tt.baseID, tt.projectID)
+			if got != tt.want {
+				t.Errorf("expected %q, got %q", tt.want, got)
+			}
+		})
+	}
+}

internal/watcher/synthesizer/helpers.go

@@ -0,0 +1,110 @@
+package synthesizer
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/watcher/diff"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+)
+
+// StableIDGenerator generates stable, deterministic IDs for auth entries.
+// It uses SHA256 hashing with collision handling via counters.
+// It is not safe for concurrent use.
+type StableIDGenerator struct {
+	counters map[string]int
+}
+
+// NewStableIDGenerator creates a new StableIDGenerator instance.
+func NewStableIDGenerator() *StableIDGenerator {
+	return &StableIDGenerator{counters: make(map[string]int)}
+}
+
+// Next generates a stable ID based on the kind and parts.
+// Returns the full ID (kind:hash) and the short hash portion.
+func (g *StableIDGenerator) Next(kind string, parts ...string) (string, string) {
+	if g == nil {
+		return kind + ":000000000000", "000000000000"
+	}
+	hasher := sha256.New()
+	hasher.Write([]byte(kind))
+	for _, part := range parts {
+		trimmed := strings.TrimSpace(part)
+		hasher.Write([]byte{0})
+		hasher.Write([]byte(trimmed))
+	}
+	digest := hex.EncodeToString(hasher.Sum(nil))
+	if len(digest) < 12 {
+		digest = fmt.Sprintf("%012s", digest)
+	}
+	short := digest[:12]
+	key := kind + ":" + short
+	index := g.counters[key]
+	g.counters[key] = index + 1
+	if index > 0 {
+		short = fmt.Sprintf("%s-%d", short, index)
+	}
+	return fmt.Sprintf("%s:%s", kind, short), short
+}
+
+// ApplyAuthExcludedModelsMeta applies excluded models metadata to an auth entry.
+// It computes a hash of excluded models and sets the auth_kind attribute.
+func ApplyAuthExcludedModelsMeta(auth *coreauth.Auth, cfg *config.Config, perKey []string, authKind string) {
+	if auth == nil || cfg == nil {
+		return
+	}
+	authKindKey := strings.ToLower(strings.TrimSpace(authKind))
+	seen := make(map[string]struct{})
+	add := func(list []string) {
+		for _, entry := range list {
+			if trimmed := strings.TrimSpace(entry); trimmed != "" {
+				key := strings.ToLower(trimmed)
+				if _, exists := seen[key]; exists {
+					continue
+				}
+				seen[key] = struct{}{}
+			}
+		}
+	}
+	if authKindKey == "apikey" {
+		add(perKey)
+	} else if cfg.OAuthExcludedModels != nil {
+		providerKey := strings.ToLower(strings.TrimSpace(auth.Provider))
+		add(cfg.OAuthExcludedModels[providerKey])
+	}
+	combined := make([]string, 0, len(seen))
+	for k := range seen {
+		combined = append(combined, k)
+	}
+	sort.Strings(combined)
+	hash := diff.ComputeExcludedModelsHash(combined)
+	if auth.Attributes == nil {
+		auth.Attributes = make(map[string]string)
+	}
+	if hash != "" {
+		auth.Attributes["excluded_models_hash"] = hash
+	}
+	if authKind != "" {
+		auth.Attributes["auth_kind"] = authKind
+	}
+}
+
+// addConfigHeadersToAttrs adds header configuration to auth attributes.
+// Headers are prefixed with "header:" in the attributes map.
+func addConfigHeadersToAttrs(headers map[string]string, attrs map[string]string) {
+	if len(headers) == 0 || attrs == nil {
+		return
+	}
+	for hk, hv := range headers {
+		key := strings.TrimSpace(hk)
+		val := strings.TrimSpace(hv)
+		if key == "" || val == "" {
+			continue
+		}
+		attrs["header:"+key] = val
+	}
+}

internal/watcher/synthesizer/helpers_test.go

@@ -0,0 +1,264 @@
+package synthesizer
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+)
+
+func TestNewStableIDGenerator(t *testing.T) {
+	gen := NewStableIDGenerator()
+	if gen == nil {
+		t.Fatal("expected non-nil generator")
+	}
+	if gen.counters == nil {
+		t.Fatal("expected non-nil counters map")
+	}
+}
+
+func TestStableIDGenerator_Next(t *testing.T) {
+	tests := []struct {
+		name       string
+		kind       string
+		parts      []string
+		wantPrefix string
+	}{
+		{
+			name:       "basic gemini apikey",
+			kind:       "gemini:apikey",
+			parts:      []string{"test-key", ""},
+			wantPrefix: "gemini:apikey:",
+		},
+		{
+			name:       "claude with base url",
+			kind:       "claude:apikey",
+			parts:      []string{"sk-ant-xxx", "https://api.anthropic.com"},
+			wantPrefix: "claude:apikey:",
+		},
+		{
+			name:       "empty parts",
+			kind:       "codex:apikey",
+			parts:      []string{},
+			wantPrefix: "codex:apikey:",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gen := NewStableIDGenerator()
+			id, short := gen.Next(tt.kind, tt.parts...)
+
+			if !strings.Contains(id, tt.wantPrefix) {
+				t.Errorf("expected id to contain %q, got %q", tt.wantPrefix, id)
+			}
+			if short == "" {
+				t.Error("expected non-empty short id")
+			}
+			if len(short) != 12 {
+				t.Errorf("expected short id length 12, got %d", len(short))
+			}
+		})
+	}
+}
+
+func TestStableIDGenerator_Stability(t *testing.T) {
+	gen1 := NewStableIDGenerator()
+	gen2 := NewStableIDGenerator()
+
+	id1, _ := gen1.Next("gemini:apikey", "test-key", "https://api.example.com")
+	id2, _ := gen2.Next("gemini:apikey", "test-key", "https://api.example.com")
+
+	if id1 != id2 {
+		t.Errorf("same inputs should produce same ID: got %q and %q", id1, id2)
+	}
+}
+
+func TestStableIDGenerator_CollisionHandling(t *testing.T) {
+	gen := NewStableIDGenerator()
+
+	id1, short1 := gen.Next("gemini:apikey", "same-key")
+	id2, short2 := gen.Next("gemini:apikey", "same-key")
+
+	if id1 == id2 {
+		t.Error("collision should be handled with suffix")
+	}
+	if short1 == short2 {
+		t.Error("short ids should differ")
+	}
+	if !strings.Contains(short2, "-1") {
+		t.Errorf("second short id should contain -1 suffix, got %q", short2)
+	}
+}
+
+func TestStableIDGenerator_NilReceiver(t *testing.T) {
+	var gen *StableIDGenerator = nil
+	id, short := gen.Next("test:kind", "part")
+
+	if id != "test:kind:000000000000" {
+		t.Errorf("expected test:kind:000000000000, got %q", id)
+	}
+	if short != "000000000000" {
+		t.Errorf("expected 000000000000, got %q", short)
+	}
+}
+
+func TestApplyAuthExcludedModelsMeta(t *testing.T) {
+	tests := []struct {
+		name     string
+		auth     *coreauth.Auth
+		cfg      *config.Config
+		perKey   []string
+		authKind string
+		wantHash bool
+		wantKind string
+	}{
+		{
+			name: "apikey with excluded models",
+			auth: &coreauth.Auth{
+				Provider:   "gemini",
+				Attributes: make(map[string]string),
+			},
+			cfg:      &config.Config{},
+			perKey:   []string{"model-a", "model-b"},
+			authKind: "apikey",
+			wantHash: true,
+			wantKind: "apikey",
+		},
+		{
+			name: "oauth with provider excluded models",
+			auth: &coreauth.Auth{
+				Provider:   "claude",
+				Attributes: make(map[string]string),
+			},
+			cfg: &config.Config{
+				OAuthExcludedModels: map[string][]string{
+					"claude": {"claude-2.0"},
+				},
+			},
+			perKey:   nil,
+			authKind: "oauth",
+			wantHash: true,
+			wantKind: "oauth",
+		},
+		{
+			name: "nil auth",
+			auth: nil,
+			cfg:  &config.Config{},
+		},
+		{
+			name:     "nil config",
+			auth:     &coreauth.Auth{Provider: "test"},
+			cfg:      nil,
+			authKind: "apikey",
+		},
+		{
+			name: "nil attributes initialized",
+			auth: &coreauth.Auth{
+				Provider:   "gemini",
+				Attributes: nil,
+			},
+			cfg:      &config.Config{},
+			perKey:   []string{"model-x"},
+			authKind: "apikey",
+			wantHash: true,
+			wantKind: "apikey",
+		},
+		{
+			name: "apikey with duplicate excluded models",
+			auth: &coreauth.Auth{
+				Provider:   "gemini",
+				Attributes: make(map[string]string),
+			},
+			cfg:      &config.Config{},
+			perKey:   []string{"model-a", "MODEL-A", "model-b", "model-a"},
+			authKind: "apikey",
+			wantHash: true,
+			wantKind: "apikey",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ApplyAuthExcludedModelsMeta(tt.auth, tt.cfg, tt.perKey, tt.authKind)
+
+			if tt.auth != nil && tt.cfg != nil {
+				if tt.wantHash {
+					if _, ok := tt.auth.Attributes["excluded_models_hash"]; !ok {
+						t.Error("expected excluded_models_hash in attributes")
+					}
+				}
+				if tt.wantKind != "" {
+					if got := tt.auth.Attributes["auth_kind"]; got != tt.wantKind {
+						t.Errorf("expected auth_kind=%s, got %s", tt.wantKind, got)
+					}
+				}
+			}
+		})
+	}
+}
+
+func TestAddConfigHeadersToAttrs(t *testing.T) {
+	tests := []struct {
+		name    string
+		headers map[string]string
+		attrs   map[string]string
+		want    map[string]string
+	}{
+		{
+			name: "basic headers",
+			headers: map[string]string{
+				"Authorization": "Bearer token",
+				"X-Custom":      "value",
+			},
+			attrs: map[string]string{"existing": "key"},
+			want: map[string]string{
+				"existing":             "key",
+				"header:Authorization": "Bearer token",
+				"header:X-Custom":      "value",
+			},
+		},
+		{
+			name:    "empty headers",
+			headers: map[string]string{},
+			attrs:   map[string]string{"existing": "key"},
+			want:    map[string]string{"existing": "key"},
+		},
+		{
+			name:    "nil headers",
+			headers: nil,
+			attrs:   map[string]string{"existing": "key"},
+			want:    map[string]string{"existing": "key"},
+		},
+		{
+			name:    "nil attrs",
+			headers: map[string]string{"key": "value"},
+			attrs:   nil,
+			want:    nil,
+		},
+		{
+			name: "skip empty keys and values",
+			headers: map[string]string{
+				"":      "value",
+				"key":   "",
+				"  ":    "value",
+				"valid": "valid-value",
+			},
+			attrs: make(map[string]string),
+			want: map[string]string{
+				"header:valid": "valid-value",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			addConfigHeadersToAttrs(tt.headers, tt.attrs)
+			if !reflect.DeepEqual(tt.attrs, tt.want) {
+				t.Errorf("expected %v, got %v", tt.want, tt.attrs)
+			}
+		})
+	}
+}

internal/watcher/synthesizer/interface.go

@@ -0,0 +1,16 @@
+// Package synthesizer provides auth synthesis strategies for the watcher package.
+// It implements the Strategy pattern to support multiple auth sources:
+// - ConfigSynthesizer: generates Auth entries from config API keys
+// - FileSynthesizer: generates Auth entries from OAuth JSON files
+package synthesizer
+
+import (
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+)
+
+// AuthSynthesizer defines the interface for generating Auth entries from various sources.
+type AuthSynthesizer interface {
+	// Synthesize generates Auth entries from the given context.
+	// Returns a slice of Auth pointers and any error encountered.
+	Synthesize(ctx *SynthesisContext) ([]*coreauth.Auth, error)
+}

sdk/api/handlers/gemini/gemini_handlers.go

@@ -84,7 +84,8 @@ func (h *GeminiAPIHandler) GeminiGetHandler(c *gin.Context) {
 		})
 		return
 	}
-	switch request.Action {
+	action := strings.TrimPrefix(request.Action, "/")
+	switch action {
 	case "gemini-3-pro-preview":
 		c.JSON(http.StatusOK, gin.H{
 			"name":             "models/gemini-3-pro-preview",
@@ -189,7 +190,7 @@ func (h *GeminiAPIHandler) GeminiHandler(c *gin.Context) {
 		})
 		return
 	}
-	action := strings.Split(request.Action, ":")
+	action := strings.Split(strings.TrimPrefix(request.Action, "/"), ":")
 	if len(action) != 2 {
 		c.JSON(http.StatusNotFound, handlers.ErrorResponse{
 			Error: handlers.ErrorDetail{

sdk/api/handlers/handlers.go

@@ -49,9 +49,6 @@ type BaseAPIHandler struct {
 
 	// Cfg holds the current application configuration.
 	Cfg *config.SDKConfig
-
-	// OpenAICompatProviders is a list of provider names for OpenAI compatibility.
-	OpenAICompatProviders []string
 }
 
 // NewBaseAPIHandlers creates a new API handlers instance.
@@ -63,11 +60,10 @@ type BaseAPIHandler struct {
 //
 // Returns:
 //   - *BaseAPIHandler: A new API handlers instance
-func NewBaseAPIHandlers(cfg *config.SDKConfig, authManager *coreauth.Manager, openAICompatProviders []string) *BaseAPIHandler {
+func NewBaseAPIHandlers(cfg *config.SDKConfig, authManager *coreauth.Manager) *BaseAPIHandler {
 	return &BaseAPIHandler{
-		Cfg:                   cfg,
-		AuthManager:           authManager,
-		OpenAICompatProviders: openAICompatProviders,
+		Cfg:         cfg,
+		AuthManager: authManager,
 	}
 }
 
@@ -342,30 +338,19 @@ func (h *BaseAPIHandler) getRequestDetails(modelName string) (providers []string
 	// Resolve "auto" model to an actual available model first
 	resolvedModelName := util.ResolveAutoModel(modelName)
 
-	providerName, extractedModelName, isDynamic := h.parseDynamicModel(resolvedModelName)
-
-	targetModelName := resolvedModelName
-	if isDynamic {
-		targetModelName = extractedModelName
-	}
-
 	// Normalize the model name to handle dynamic thinking suffixes before determining the provider.
-	normalizedModel, metadata = normalizeModelMetadata(targetModelName)
+	normalizedModel, metadata = normalizeModelMetadata(resolvedModelName)
 
-	if isDynamic {
-		providers = []string{providerName}
-	} else {
-		// For non-dynamic models, use the normalizedModel to get the provider name.
-		providers = util.GetProviderName(normalizedModel)
-		if len(providers) == 0 && metadata != nil {
-			if originalRaw, ok := metadata[util.ThinkingOriginalModelMetadataKey]; ok {
-				if originalModel, okStr := originalRaw.(string); okStr {
-					originalModel = strings.TrimSpace(originalModel)
-					if originalModel != "" && !strings.EqualFold(originalModel, normalizedModel) {
-						if altProviders := util.GetProviderName(originalModel); len(altProviders) > 0 {
-							providers = altProviders
-							normalizedModel = originalModel
-						}
+	// Use the normalizedModel to get the provider name.
+	providers = util.GetProviderName(normalizedModel)
+	if len(providers) == 0 && metadata != nil {
+		if originalRaw, ok := metadata[util.ThinkingOriginalModelMetadataKey]; ok {
+			if originalModel, okStr := originalRaw.(string); okStr {
+				originalModel = strings.TrimSpace(originalModel)
+				if originalModel != "" && !strings.EqualFold(originalModel, normalizedModel) {
+					if altProviders := util.GetProviderName(originalModel); len(altProviders) > 0 {
+						providers = altProviders
+						normalizedModel = originalModel
 					}
 				}
 			}
@@ -383,30 +368,6 @@ func (h *BaseAPIHandler) getRequestDetails(modelName string) (providers []string
 	return providers, normalizedModel, metadata, nil
 }
 
-func (h *BaseAPIHandler) parseDynamicModel(modelName string) (providerName, model string, isDynamic bool) {
-	var providerPart, modelPart string
-	for _, sep := range []string{"://"} {
-		if parts := strings.SplitN(modelName, sep, 2); len(parts) == 2 {
-			providerPart = parts[0]
-			modelPart = parts[1]
-			break
-		}
-	}
-
-	if providerPart == "" {
-		return "", modelName, false
-	}
-
-	// Check if the provider is a configured openai-compatibility provider
-	for _, pName := range h.OpenAICompatProviders {
-		if pName == providerPart {
-			return providerPart, modelPart, true
-		}
-	}
-
-	return "", modelName, false
-}
-
 func cloneBytes(src []byte) []byte {
 	if len(src) == 0 {
 		return nil

sdk/cliproxy/auth/manager.go

@@ -363,10 +363,11 @@ func (m *Manager) executeWithProvider(ctx context.Context, provider string, req
 	if provider == "" {
 		return cliproxyexecutor.Response{}, &Error{Code: "provider_not_found", Message: "provider identifier is empty"}
 	}
+	routeModel := req.Model
 	tried := make(map[string]struct{})
 	var lastErr error
 	for {
-		auth, executor, errPick := m.pickNext(ctx, provider, req.Model, opts, tried)
+		auth, executor, errPick := m.pickNext(ctx, provider, routeModel, opts, tried)
 		if errPick != nil {
 			if lastErr != nil {
 				return cliproxyexecutor.Response{}, lastErr
@@ -396,8 +397,10 @@ func (m *Manager) executeWithProvider(ctx context.Context, provider string, req
 			execCtx = context.WithValue(execCtx, roundTripperContextKey{}, rt)
 			execCtx = context.WithValue(execCtx, "cliproxy.roundtripper", rt)
 		}
-		resp, errExec := executor.Execute(execCtx, auth, req, opts)
-		result := Result{AuthID: auth.ID, Provider: provider, Model: req.Model, Success: errExec == nil}
+		execReq := req
+		execReq.Model, execReq.Metadata = rewriteModelForAuth(routeModel, req.Metadata, auth)
+		resp, errExec := executor.Execute(execCtx, auth, execReq, opts)
+		result := Result{AuthID: auth.ID, Provider: provider, Model: routeModel, Success: errExec == nil}
 		if errExec != nil {
 			result.Error = &Error{Message: errExec.Error()}
 			var se cliproxyexecutor.StatusError
@@ -420,10 +423,11 @@ func (m *Manager) executeCountWithProvider(ctx context.Context, provider string,
 	if provider == "" {
 		return cliproxyexecutor.Response{}, &Error{Code: "provider_not_found", Message: "provider identifier is empty"}
 	}
+	routeModel := req.Model
 	tried := make(map[string]struct{})
 	var lastErr error
 	for {
-		auth, executor, errPick := m.pickNext(ctx, provider, req.Model, opts, tried)
+		auth, executor, errPick := m.pickNext(ctx, provider, routeModel, opts, tried)
 		if errPick != nil {
 			if lastErr != nil {
 				return cliproxyexecutor.Response{}, lastErr
@@ -453,8 +457,10 @@ func (m *Manager) executeCountWithProvider(ctx context.Context, provider string,
 			execCtx = context.WithValue(execCtx, roundTripperContextKey{}, rt)
 			execCtx = context.WithValue(execCtx, "cliproxy.roundtripper", rt)
 		}
-		resp, errExec := executor.CountTokens(execCtx, auth, req, opts)
-		result := Result{AuthID: auth.ID, Provider: provider, Model: req.Model, Success: errExec == nil}
+		execReq := req
+		execReq.Model, execReq.Metadata = rewriteModelForAuth(routeModel, req.Metadata, auth)
+		resp, errExec := executor.CountTokens(execCtx, auth, execReq, opts)
+		result := Result{AuthID: auth.ID, Provider: provider, Model: routeModel, Success: errExec == nil}
 		if errExec != nil {
 			result.Error = &Error{Message: errExec.Error()}
 			var se cliproxyexecutor.StatusError
@@ -477,10 +483,11 @@ func (m *Manager) executeStreamWithProvider(ctx context.Context, provider string
 	if provider == "" {
 		return nil, &Error{Code: "provider_not_found", Message: "provider identifier is empty"}
 	}
+	routeModel := req.Model
 	tried := make(map[string]struct{})
 	var lastErr error
 	for {
-		auth, executor, errPick := m.pickNext(ctx, provider, req.Model, opts, tried)
+		auth, executor, errPick := m.pickNext(ctx, provider, routeModel, opts, tried)
 		if errPick != nil {
 			if lastErr != nil {
 				return nil, lastErr
@@ -510,14 +517,16 @@ func (m *Manager) executeStreamWithProvider(ctx context.Context, provider string
 			execCtx = context.WithValue(execCtx, roundTripperContextKey{}, rt)
 			execCtx = context.WithValue(execCtx, "cliproxy.roundtripper", rt)
 		}
-		chunks, errStream := executor.ExecuteStream(execCtx, auth, req, opts)
+		execReq := req
+		execReq.Model, execReq.Metadata = rewriteModelForAuth(routeModel, req.Metadata, auth)
+		chunks, errStream := executor.ExecuteStream(execCtx, auth, execReq, opts)
 		if errStream != nil {
 			rerr := &Error{Message: errStream.Error()}
 			var se cliproxyexecutor.StatusError
 			if errors.As(errStream, &se) && se != nil {
 				rerr.HTTPStatus = se.StatusCode()
 			}
-			result := Result{AuthID: auth.ID, Provider: provider, Model: req.Model, Success: false, Error: rerr}
+			result := Result{AuthID: auth.ID, Provider: provider, Model: routeModel, Success: false, Error: rerr}
 			result.RetryAfter = retryAfterFromError(errStream)
 			m.MarkResult(execCtx, result)
 			lastErr = errStream
@@ -535,18 +544,66 @@ func (m *Manager) executeStreamWithProvider(ctx context.Context, provider string
 					if errors.As(chunk.Err, &se) && se != nil {
 						rerr.HTTPStatus = se.StatusCode()
 					}
-					m.MarkResult(streamCtx, Result{AuthID: streamAuth.ID, Provider: streamProvider, Model: req.Model, Success: false, Error: rerr})
+					m.MarkResult(streamCtx, Result{AuthID: streamAuth.ID, Provider: streamProvider, Model: routeModel, Success: false, Error: rerr})
 				}
 				out <- chunk
 			}
 			if !failed {
-				m.MarkResult(streamCtx, Result{AuthID: streamAuth.ID, Provider: streamProvider, Model: req.Model, Success: true})
+				m.MarkResult(streamCtx, Result{AuthID: streamAuth.ID, Provider: streamProvider, Model: routeModel, Success: true})
 			}
 		}(execCtx, auth.Clone(), provider, chunks)
 		return out, nil
 	}
 }
 
+func rewriteModelForAuth(model string, metadata map[string]any, auth *Auth) (string, map[string]any) {
+	if auth == nil || model == "" {
+		return model, metadata
+	}
+	prefix := strings.TrimSpace(auth.Prefix)
+	if prefix == "" {
+		return model, metadata
+	}
+	needle := prefix + "/"
+	if !strings.HasPrefix(model, needle) {
+		return model, metadata
+	}
+	rewritten := strings.TrimPrefix(model, needle)
+	return rewritten, stripPrefixFromMetadata(metadata, needle)
+}
+
+func stripPrefixFromMetadata(metadata map[string]any, needle string) map[string]any {
+	if len(metadata) == 0 || needle == "" {
+		return metadata
+	}
+	keys := []string{
+		util.ThinkingOriginalModelMetadataKey,
+		util.GeminiOriginalModelMetadataKey,
+	}
+	var out map[string]any
+	for _, key := range keys {
+		raw, ok := metadata[key]
+		if !ok {
+			continue
+		}
+		value, okStr := raw.(string)
+		if !okStr || !strings.HasPrefix(value, needle) {
+			continue
+		}
+		if out == nil {
+			out = make(map[string]any, len(metadata))
+			for k, v := range metadata {
+				out[k] = v
+			}
+		}
+		out[key] = strings.TrimPrefix(value, needle)
+	}
+	if out == nil {
+		return metadata
+	}
+	return out
+}
+
 func (m *Manager) normalizeProviders(providers []string) []string {
 	if len(providers) == 0 {
 		return nil

sdk/cliproxy/auth/types.go

@@ -19,6 +19,8 @@ type Auth struct {
 	Index uint64 `json:"-"`
 	// Provider is the upstream provider key (e.g. "gemini", "claude").
 	Provider string `json:"provider"`
+	// Prefix optionally namespaces models for routing (e.g., "teamA/gemini-3-pro-preview").
+	Prefix string `json:"prefix,omitempty"`
 	// FileName stores the relative or absolute path of the backing auth file.
 	FileName string `json:"-"`
 	// Storage holds the token persistence implementation used during login flows.

sdk/cliproxy/service.go

@@ -787,7 +787,7 @@ func (s *Service) registerModelsForAuth(a *coreauth.Auth) {
 						if providerKey == "" {
 							providerKey = "openai-compatibility"
 						}
-						GlobalModelRegistry().RegisterClient(a.ID, providerKey, ms)
+						GlobalModelRegistry().RegisterClient(a.ID, providerKey, applyModelPrefixes(ms, a.Prefix, s.cfg.ForceModelPrefix))
 					} else {
 						// Ensure stale registrations are cleared when model list becomes empty.
 						GlobalModelRegistry().UnregisterClient(a.ID)
@@ -807,7 +807,7 @@ func (s *Service) registerModelsForAuth(a *coreauth.Auth) {
 		if key == "" {
 			key = strings.ToLower(strings.TrimSpace(a.Provider))
 		}
-		GlobalModelRegistry().RegisterClient(a.ID, key, models)
+		GlobalModelRegistry().RegisterClient(a.ID, key, applyModelPrefixes(models, a.Prefix, s.cfg != nil && s.cfg.ForceModelPrefix))
 		return
 	}
 
@@ -987,6 +987,48 @@ func applyExcludedModels(models []*ModelInfo, excluded []string) []*ModelInfo {
 	return filtered
 }
 
+func applyModelPrefixes(models []*ModelInfo, prefix string, forceModelPrefix bool) []*ModelInfo {
+	trimmedPrefix := strings.TrimSpace(prefix)
+	if trimmedPrefix == "" || len(models) == 0 {
+		return models
+	}
+
+	out := make([]*ModelInfo, 0, len(models)*2)
+	seen := make(map[string]struct{}, len(models)*2)
+
+	addModel := func(model *ModelInfo) {
+		if model == nil {
+			return
+		}
+		id := strings.TrimSpace(model.ID)
+		if id == "" {
+			return
+		}
+		if _, exists := seen[id]; exists {
+			return
+		}
+		seen[id] = struct{}{}
+		out = append(out, model)
+	}
+
+	for _, model := range models {
+		if model == nil {
+			continue
+		}
+		baseID := strings.TrimSpace(model.ID)
+		if baseID == "" {
+			continue
+		}
+		if !forceModelPrefix || trimmedPrefix == baseID {
+			addModel(model)
+		}
+		clone := *model
+		clone.ID = trimmedPrefix + "/" + baseID
+		addModel(&clone)
+	}
+	return out
+}
+
 // matchWildcard performs case-insensitive wildcard matching where '*' matches any substring.
 func matchWildcard(pattern, value string) bool {
 	if pattern == "" {

sdk/config/config.go

@@ -9,6 +9,11 @@ type SDKConfig struct {
 	// ProxyURL is the URL of an optional proxy server to use for outbound requests.
 	ProxyURL string `yaml:"proxy-url" json:"proxy-url"`
 
+	// ForceModelPrefix requires explicit model prefixes (e.g., "teamA/gemini-3-pro-preview")
+	// to target prefixed credentials. When false, unprefixed model requests may use prefixed
+	// credentials as well.
+	ForceModelPrefix bool `yaml:"force-model-prefix" json:"force-model-prefix"`
+
 	// RequestLog enables or disables detailed request logging functionality.
 	RequestLog bool `yaml:"request-log" json:"request-log"`
 

test/thinking_conversion_test.go

@@ -295,7 +295,7 @@ func TestThinkingConversionsAcrossProtocolsAndModels(t *testing.T) {
 									}
 									// Check numeric budget fallback for allowCompat
 									if budget, _, _, matched := util.ThinkingFromMetadata(metadata); matched && budget != nil {
-										if mapped, okMap := util.OpenAIThinkingBudgetToEffort(normalizedModel, *budget); okMap && mapped != "" {
+										if mapped, okMap := util.ThinkingBudgetToEffort(normalizedModel, *budget); okMap && mapped != "" {
 											return true, mapped, false
 										}
 									}
@@ -308,7 +308,7 @@ func TestThinkingConversionsAcrossProtocolsAndModels(t *testing.T) {
 								effort, ok := util.ReasoningEffortFromMetadata(metadata)
 								if !ok || strings.TrimSpace(effort) == "" {
 									if budget, _, _, matched := util.ThinkingFromMetadata(metadata); matched && budget != nil {
-										if mapped, okMap := util.OpenAIThinkingBudgetToEffort(normalizedModel, *budget); okMap {
+										if mapped, okMap := util.ThinkingBudgetToEffort(normalizedModel, *budget); okMap {
 											effort = mapped
 											ok = true
 										}
@@ -336,7 +336,7 @@ func TestThinkingConversionsAcrossProtocolsAndModels(t *testing.T) {
 									return false, "", true
 								}
 								if budget, _, _, matched := util.ThinkingFromMetadata(metadata); matched && budget != nil {
-									if mapped, okMap := util.OpenAIThinkingBudgetToEffort(normalizedModel, *budget); okMap && mapped != "" {
+									if mapped, okMap := util.ThinkingBudgetToEffort(normalizedModel, *budget); okMap && mapped != "" {
 										mapped = strings.ToLower(strings.TrimSpace(mapped))
 										if normalized, okLevel := util.NormalizeReasoningEffortLevel(normalizedModel, mapped); okLevel {
 											return true, normalized, false
@@ -609,7 +609,7 @@ func TestRawPayloadThinkingConversions(t *testing.T) {
 										return true, normalized, false
 									}
 									if budget, ok := cs.thinkingParam.(int); ok {
-										if mapped, okM := util.OpenAIThinkingBudgetToEffort(model, budget); okM && mapped != "" {
+										if mapped, okM := util.ThinkingBudgetToEffort(model, budget); okM && mapped != "" {
 											return true, mapped, false
 										}
 									}
@@ -625,7 +625,7 @@ func TestRawPayloadThinkingConversions(t *testing.T) {
 									return false, "", true // invalid level
 								}
 								if budget, ok := cs.thinkingParam.(int); ok {
-									if mapped, okM := util.OpenAIThinkingBudgetToEffort(model, budget); okM && mapped != "" {
+									if mapped, okM := util.ThinkingBudgetToEffort(model, budget); okM && mapped != "" {
 										// Check if the mapped effort is valid for this model
 										if _, validLevel := util.NormalizeReasoningEffortLevel(model, mapped); !validLevel {
 											return true, mapped, true // expect validation error
@@ -646,7 +646,7 @@ func TestRawPayloadThinkingConversions(t *testing.T) {
 									return false, "", true
 								}
 								if budget, ok := cs.thinkingParam.(int); ok {
-									if mapped, okM := util.OpenAIThinkingBudgetToEffort(model, budget); okM && mapped != "" {
+									if mapped, okM := util.ThinkingBudgetToEffort(model, budget); okM && mapped != "" {
 										// Check if the mapped effort is valid for this model
 										if _, validLevel := util.NormalizeReasoningEffortLevel(model, mapped); !validLevel {
 											return true, mapped, true // expect validation error
@@ -721,7 +721,7 @@ func TestRawPayloadThinkingConversions(t *testing.T) {
 	}
 }
 
-func TestOpenAIThinkingBudgetToEffortRanges(t *testing.T) {
+func TestThinkingBudgetToEffort(t *testing.T) {
 	cleanup := registerCoreModels(t)
 	defer cleanup()
 
@@ -733,7 +733,7 @@ func TestOpenAIThinkingBudgetToEffortRanges(t *testing.T) {
 		ok     bool
 	}{
 		{name: "dynamic-auto", model: "gpt-5", budget: -1, want: "auto", ok: true},
-		{name: "zero-none", model: "gpt-5", budget: 0, want: "none", ok: true},
+		{name: "zero-none", model: "gpt-5", budget: 0, want: "minimal", ok: true},
 		{name: "low-min", model: "gpt-5", budget: 1, want: "low", ok: true},
 		{name: "low-max", model: "gpt-5", budget: 1024, want: "low", ok: true},
 		{name: "medium-min", model: "gpt-5", budget: 1025, want: "medium", ok: true},
@@ -741,14 +741,14 @@ func TestOpenAIThinkingBudgetToEffortRanges(t *testing.T) {
 		{name: "high-min", model: "gpt-5", budget: 8193, want: "high", ok: true},
 		{name: "high-max", model: "gpt-5", budget: 24576, want: "high", ok: true},
 		{name: "over-max-clamps-to-highest", model: "gpt-5", budget: 64000, want: "high", ok: true},
-		{name: "over-max-xhigh-model", model: "gpt-5.2", budget: 50000, want: "xhigh", ok: true},
+		{name: "over-max-xhigh-model", model: "gpt-5.2", budget: 64000, want: "xhigh", ok: true},
 		{name: "negative-unsupported", model: "gpt-5", budget: -5, want: "", ok: false},
 	}
 
 	for _, cs := range cases {
 		cs := cs
 		t.Run(cs.name, func(t *testing.T) {
-			got, ok := util.OpenAIThinkingBudgetToEffort(cs.model, cs.budget)
+			got, ok := util.ThinkingBudgetToEffort(cs.model, cs.budget)
 			if ok != cs.ok {
 				t.Fatalf("ok mismatch for model=%s budget=%d: expect %v got %v", cs.model, cs.budget, cs.ok, ok)
 			}
@@ -758,3 +758,41 @@ func TestOpenAIThinkingBudgetToEffortRanges(t *testing.T) {
 		})
 	}
 }
+
+func TestThinkingEffortToBudget(t *testing.T) {
+	cleanup := registerCoreModels(t)
+	defer cleanup()
+
+	cases := []struct {
+		name   string
+		model  string
+		effort string
+		want   int
+		ok     bool
+	}{
+		{name: "none", model: "gemini-2.5-pro", effort: "none", want: 0, ok: true},
+		{name: "auto", model: "gemini-2.5-pro", effort: "auto", want: -1, ok: true},
+		{name: "minimal", model: "gemini-2.5-pro", effort: "minimal", want: 512, ok: true},
+		{name: "low", model: "gemini-2.5-pro", effort: "low", want: 1024, ok: true},
+		{name: "medium", model: "gemini-2.5-pro", effort: "medium", want: 8192, ok: true},
+		{name: "high", model: "gemini-2.5-pro", effort: "high", want: 24576, ok: true},
+		{name: "xhigh", model: "gemini-2.5-pro", effort: "xhigh", want: 32768, ok: true},
+		{name: "empty-unsupported", model: "gemini-2.5-pro", effort: "", want: 0, ok: false},
+		{name: "invalid-unsupported", model: "gemini-2.5-pro", effort: "ultra", want: 0, ok: false},
+		{name: "case-insensitive", model: "gemini-2.5-pro", effort: "LOW", want: 1024, ok: true},
+		{name: "case-insensitive-medium", model: "gemini-2.5-pro", effort: "MEDIUM", want: 8192, ok: true},
+	}
+
+	for _, cs := range cases {
+		cs := cs
+		t.Run(cs.name, func(t *testing.T) {
+			got, ok := util.ThinkingEffortToBudget(cs.model, cs.effort)
+			if ok != cs.ok {
+				t.Fatalf("ok mismatch for model=%s effort=%s: expect %v got %v", cs.model, cs.effort, cs.ok, ok)
+			}
+			if got != cs.want {
+				t.Fatalf("value mismatch for model=%s effort=%s: expect %d got %d", cs.model, cs.effort, cs.want, got)
+			}
+		})
+	}
+}