feat(openai): OpenAI Fast/Flex Policy 完整实现（HTTP + WebSocket + Admin）

对称参照 Claude BetaPolicy 的 fast-mode 过滤实现，新增针对 OpenAI 上游 service_tier 字段（priority / flex，含客户端 "fast" → "priority" 归一化）的 pass / filter / block 三态策略，覆盖全部 OpenAI 入口 + admin 配置入口。后端核心 - 新增 SettingKeyOpenAIFastPolicySettings、OpenAIFastPolicyRule、 OpenAIFastPolicySettings 配置模型，含规则的 service_tier × action × scope × 模型白名单 × fallback action 维度。 - SettingService.Get/SetOpenAIFastPolicySettings；缺失时返回内置默认策略（所有模型的 priority 走 filter，whitelist 为空，fallback=pass）。设计依据：service_tier=fast 是用户级开关，与 model 字段正交，默认锁定特定 model slug 会留下"用 gpt-4 + fast 透传 priority 上游"的绕过路径。JSON 解析失败不再静默 fallback，slog.Warn 记录脏数据，便于运维定位。 - service_tier 归一化（trim + ToLower + fast→priority + 白名单 priority/flex）与策略评估（evaluateOpenAIFastPolicy）作为唯一真实来源，HTTP / WS 共用。抽出纯函数 evaluateOpenAIFastPolicyWithSettings，配合 ctx-bound settings 快照（withOpenAIFastPolicyContext / openAIFastPolicySettingsFromContext）， WS 长会话入口预取一次后所有帧复用，避免每帧打到 settingService。 HTTP 入口（4 个） - Chat Completions、Anthropic 兼容（Messages，含 BetaFastMode→priority 二次命中）、原生 Responses、Passthrough Responses 全部接入 applyOpenAIFastPolicyToBody，filter 走 sjson 顶层删除 service_tier，block 返回 403 forbidden_error JSON。 - 4 入口统一使用 upstream 视角的 model（GetMappedModel + normalizeOpenAIModelForUpstream + Codex OAuth normalize 后的 slug），避免 chat/messages/native /responses/passthrough 因为 model 维度不同造成 whitelist 命中差异。 - 在 pass 路径也把客户端 "fast" 别名归一化为 "priority" 写回 body，否则 native /responses 与 passthrough 入口会把 "fast" 原样透传给上游导致 400/拒绝（chat-completions 入口的 normalizeResponsesBodyServiceTier 此前已具备同等行为）。 WebSocket 入口 - 新增 applyOpenAIFastPolicyToWSResponseCreate：严格匹配 type="response.create"，仅处理顶层 service_tier；filter 用 sjson 删字段， block 返回 typed *OpenAIFastBlockedError。 - ingress 路径在 parseClientPayload 内调用，block 命中先 Write Realtime 风格 error event 再返回 OpenAIWSClientCloseError(StatusPolicyViolation =1008)，依赖底层 WebSocket Conn.Write 的同步 flush 保证 error 先于 close。 - passthrough 路径在 RunEntry 前对 firstClientMessage 应用策略，并通过 openAIWSPolicyEnforcingFrameConn 包装 ReadFrame 对每个 client→upstream 帧执行策略；后续帧无 model 字段时回退到 capturedSessionModel。 filter 闭包内同时侦测 session.update / session.created 帧的 session.model 字段刷新 capturedSessionModel，封堵"首帧 model=gpt-4o（pass）→ session.update 改为 gpt-5.5 → 不带 model 的 response.create fallback 到 gpt-4o"的 mid-session 绕过路径。 - passthrough billing：requestServiceTier 在策略 filter 之后再从 firstClientMessage 提取，filter 命中时 OpenAIForwardResult.ServiceTier 上报 nil（default tier），与 HTTP 入口（reqBody 来自 post-filter map） / WS ingress（payload 来自 post-filter bytes）的语义一致。 - 错误事件 schema：{event_id: "evt_<32hex>", type: "error", error: {type: "forbidden_error", code: "policy_violation", message}}，与 OpenAI codex 客户端 error event 解析兼容。 Admin / Frontend - dto.SystemSettings / UpdateSettingsRequest 新增 openai_fast_policy_settings 字段（omitempty），bulk GET/PUT 接入。 - Settings 页 Gateway 页签新增 Fast/Flex Policy 表单卡片： service_tier × action × scope × 模型白名单 × fallback action 全字段配置。 - 前端守门：openaiFastPolicyLoaded 标志仅在 GET 真带回字段时才允许回写，避免 rollout/错误把默认规则覆盖成空；saveSettings 回写循环 skip 该字段，由专用刷新逻辑处理；仅 action=block 时发送 error_message，匹配后端 omitempty 行为。测试 - HTTP 路径：openai_fast_policy_test.go 覆盖默认配置（whitelist=[]，所有模型 priority filter）/ block 自定义错误 / scope 区分 / filter 删字段 / block 不改 body / block 短路上游 / Anthropic BetaFastMode 触发 OpenAI fast policy 等场景。 - WebSocket 路径：openai_fast_policy_ws_test.go 覆盖 helper 单元（filter / fast→priority 归一化 / flex 透传 / block typed error / 无 service_tier 字节不变 / 非 response.create 帧不动 / 空 type 帧不动 / event_id+code 字段断言 / 非字符串 service_tier 容错）+ pass 路径 fast 别名归一化回归 + ingress 端到端（filter 后上游不含 service_tier / block 后客户端先收 error event 再收 close 1008 且上游 0 写）+ passthrough capturedSessionModel fallback 用例（whitelist 策略下首帧建立、缺 model 命中 fallback、缺少 fallback 时的 leak 文档化）+ passthrough session.update / session.created 旋转 capturedSessionModel 的 mid-session 绕过回归 + passthrough billing post-filter ServiceTier 与 idempotent filter 回归。 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

feat(openai): OpenAI Fast/Flex Policy 完整实现（HTTP + WebSocket + Admin）
对称参照 Claude BetaPolicy 的 fast-mode 过滤实现，新增针对 OpenAI 上游 service_tier 字段（priority / flex，含客户端 "fast" → "priority" 归一化）的 pass / filter / block 三态策略，覆盖全部 OpenAI 入口 + admin 配置入口。后端核心 - 新增 SettingKeyOpenAIFastPolicySettings、OpenAIFastPolicyRule、 OpenAIFastPolicySettings 配置模型，含规则的 service_tier × action × scope × 模型白名单 × fallback action 维度。 - SettingService.Get/SetOpenAIFastPolicySettings；缺失时返回内置默认策略（所有模型的 priority 走 filter，whitelist 为空，fallback=pass）。设计依据：service_tier=fast 是用户级开关，与 model 字段正交，默认锁定特定 model slug 会留下"用 gpt-4 + fast 透传 priority 上游"的绕过路径。JSON 解析失败不再静默 fallback，slog.Warn 记录脏数据，便于运维定位。 - service_tier 归一化（trim + ToLower + fast→priority + 白名单 priority/flex）与策略评估（evaluateOpenAIFastPolicy）作为唯一真实来源，HTTP / WS 共用。抽出纯函数 evaluateOpenAIFastPolicyWithSettings，配合 ctx-bound settings 快照（withOpenAIFastPolicyContext / openAIFastPolicySettingsFromContext）， WS 长会话入口预取一次后所有帧复用，避免每帧打到 settingService。 HTTP 入口（4 个） - Chat Completions、Anthropic 兼容（Messages，含 BetaFastMode→priority 二次命中）、原生 Responses、Passthrough Responses 全部接入 applyOpenAIFastPolicyToBody，filter 走 sjson 顶层删除 service_tier，block 返回 403 forbidden_error JSON。 - 4 入口统一使用 upstream 视角的 model（GetMappedModel + normalizeOpenAIModelForUpstream + Codex OAuth normalize 后的 slug），避免 chat/messages/native /responses/passthrough 因为 model 维度不同造成 whitelist 命中差异。 - 在 pass 路径也把客户端 "fast" 别名归一化为 "priority" 写回 body，否则 native /responses 与 passthrough 入口会把 "fast" 原样透传给上游导致 400/拒绝（chat-completions 入口的 normalizeResponsesBodyServiceTier 此前已具备同等行为）。 WebSocket 入口 - 新增 applyOpenAIFastPolicyToWSResponseCreate：严格匹配 type="response.create"，仅处理顶层 service_tier；filter 用 sjson 删字段， block 返回 typed *OpenAIFastBlockedError。 - ingress 路径在 parseClientPayload 内调用，block 命中先 Write Realtime 风格 error event 再返回 OpenAIWSClientCloseError(StatusPolicyViolation =1008)，依赖底层 WebSocket Conn.Write 的同步 flush 保证 error 先于 close。 - passthrough 路径在 RunEntry 前对 firstClientMessage 应用策略，并通过 openAIWSPolicyEnforcingFrameConn 包装 ReadFrame 对每个 client→upstream 帧执行策略；后续帧无 model 字段时回退到 capturedSessionModel。 filter 闭包内同时侦测 session.update / session.created 帧的 session.model 字段刷新 capturedSessionModel，封堵"首帧 model=gpt-4o（pass）→ session.update 改为 gpt-5.5 → 不带 model 的 response.create fallback 到 gpt-4o"的 mid-session 绕过路径。 - passthrough billing：requestServiceTier 在策略 filter 之后再从 firstClientMessage 提取，filter 命中时 OpenAIForwardResult.ServiceTier 上报 nil（default tier），与 HTTP 入口（reqBody 来自 post-filter map） / WS ingress（payload 来自 post-filter bytes）的语义一致。 - 错误事件 schema：{event_id: "evt_<32hex>", type: "error", error: {type: "forbidden_error", code: "policy_violation", message}}，与 OpenAI codex 客户端 error event 解析兼容。 Admin / Frontend - dto.SystemSettings / UpdateSettingsRequest 新增 openai_fast_policy_settings 字段（omitempty），bulk GET/PUT 接入。 - Settings 页 Gateway 页签新增 Fast/Flex Policy 表单卡片： service_tier × action × scope × 模型白名单 × fallback action 全字段配置。 - 前端守门：openaiFastPolicyLoaded 标志仅在 GET 真带回字段时才允许回写，避免 rollout/错误把默认规则覆盖成空；saveSettings 回写循环 skip 该字段，由专用刷新逻辑处理；仅 action=block 时发送 error_message，匹配后端 omitempty 行为。测试 - HTTP 路径：openai_fast_policy_test.go 覆盖默认配置（whitelist=[]，所有模型 priority filter）/ block 自定义错误 / scope 区分 / filter 删字段 / block 不改 body / block 短路上游 / Anthropic BetaFastMode 触发 OpenAI fast policy 等场景。 - WebSocket 路径：openai_fast_policy_ws_test.go 覆盖 helper 单元（filter / fast→priority 归一化 / flex 透传 / block typed error / 无 service_tier 字节不变 / 非 response.create 帧不动 / 空 type 帧不动 / event_id+code 字段断言 / 非字符串 service_tier 容错）+ pass 路径 fast 别名归一化回归 + ingress 端到端（filter 后上游不含 service_tier / block 后客户端先收 error event 再收 close 1008 且上游 0 写）+ passthrough capturedSessionModel fallback 用例（whitelist 策略下首帧建立、缺 model 命中 fallback、缺少 fallback 时的 leak 文档化）+ passthrough session.update / session.created 旋转 capturedSessionModel 的 mid-session 绕过回归 + passthrough billing post-filter ServiceTier 与 idempotent filter 回归。 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
30f55a1f · DaydreamCoding · c92b88e3 · 30f55a1f · 30f55a1f · 30f55a1f
Commit 30f55a1f authored Apr 28, 2026 by DaydreamCoding
--- a/frontend/src/i18n/locales/en.ts
+++ b/frontend/src/i18n/locales/en.ts
@@ -5535,6 +5535,38 @@ export default {
        presetOpusOnlyDesc: 'Pass for Opus, filter others',
        commonPatterns: 'Common patterns'
      },
+      openaiFastPolicy: {
+        title: 'OpenAI Fast/Flex Policy',
+        description: 'Intercept, filter, or pass OpenAI fast(priority) / flex requests based on the request body service_tier field. Applies to the OpenAI gateway only.',
+        empty: 'No rules configured. Click the button below to add one.',
+        ruleHeader: 'Rule #{index}',
+        removeRule: 'Remove rule',
+        addRule: 'Add rule',
+        saveHint: 'Saved together with system settings (click the global Save button at the bottom of the page).',
+        serviceTier: 'service_tier match',
+        tierAll: 'All tiers',
+        tierPriority: 'priority (fast)',
+        tierFlex: 'flex',
+        action: 'Action',
+        actionPass: 'Pass (keep service_tier)',
+        actionFilter: 'Filter (remove service_tier)',
+        actionBlock: 'Block (reject request)',
+        scope: 'Scope',
+        scopeAll: 'All accounts',
+        scopeOAuth: 'OAuth only',
+        scopeAPIKey: 'API Key only',
+        scopeBedrock: 'Bedrock only',
+        errorMessage: 'Error message',
+        errorMessagePlaceholder: 'Custom error message when blocked',
+        errorMessageHint: 'Leave empty for the default message.',
+        modelWhitelist: 'Model whitelist',
+        modelWhitelistHint: 'Leave empty to apply to all models. Supports exact match and wildcard prefix (e.g., gpt-5.5*).',
+        modelPatternPlaceholder: 'e.g., gpt-5.5 or gpt-5.5*',
+        addModelPattern: 'Add model pattern',
+        fallbackAction: 'Fallback action',
+        fallbackActionHint: 'Action for models not matching the whitelist.',
+        fallbackErrorMessagePlaceholder: 'Custom error message when non-whitelisted models are blocked'
+      },
      wechatConnect: {
        title: 'WeChat Connect',
        description: 'Third-party login configuration for WeChat Open Platform or Official Account / Mini Program.',

--- a/frontend/src/i18n/locales/zh.ts
+++ b/frontend/src/i18n/locales/zh.ts
@@ -5695,6 +5695,38 @@ export default {
        presetOpusOnlyDesc: 'Opus 透传，其他模型过滤',
        commonPatterns: '常用模式'
      },
+      openaiFastPolicy: {
+        title: 'OpenAI Fast/Flex 策略',
+        description: '基于请求体 service_tier 字段拦截/过滤/透传 OpenAI fast(priority) 与 flex 请求；仅作用于 OpenAI 网关。',
+        empty: '尚未配置任何规则。点击下方按钮新增。',
+        ruleHeader: '规则 #{index}',
+        removeRule: '删除规则',
+        addRule: '新增规则',
+        saveHint: '保存时随系统设置一起提交（点击页面底部「保存」按钮）。',
+        serviceTier: 'service_tier 匹配',
+        tierAll: '全部 tier',
+        tierPriority: 'priority（fast）',
+        tierFlex: 'flex',
+        action: '处理方式',
+        actionPass: '透传（保留 service_tier）',
+        actionFilter: '过滤（移除 service_tier）',
+        actionBlock: '拦截（拒绝请求）',
+        scope: '生效范围',
+        scopeAll: '全部账号',
+        scopeOAuth: '仅 OAuth 账号',
+        scopeAPIKey: '仅 API Key 账号',
+        scopeBedrock: '仅 Bedrock 账号',
+        errorMessage: '错误消息',
+        errorMessagePlaceholder: '拦截时返回的自定义错误消息',
+        errorMessageHint: '留空则使用默认错误消息。',
+        modelWhitelist: '模型白名单',
+        modelWhitelistHint: '留空表示对所有模型生效；支持精确匹配与通配符（如 gpt-5.5*）。',
+        modelPatternPlaceholder: '例如: gpt-5.5 或 gpt-5.5*',
+        addModelPattern: '添加模型规则',
+        fallbackAction: '未匹配模型处理方式',
+        fallbackActionHint: '当请求模型不在白名单中时的处理方式。',
+        fallbackErrorMessagePlaceholder: '未匹配模型被拦截时返回的自定义错误消息'
+      },
      wechatConnect: {
        title: '微信登录',
        description: '用于微信开放平台或公众号/小程序的第三方登录配置。',

--- a/frontend/src/views/admin/SettingsView.vue
+++ b/frontend/src/views/admin/SettingsView.vue
@@ -949,6 +949,285 @@
              </template>
            </div>
          </div>
+          <!-- OpenAI Fast/Flex Policy Settings -->
+          <div class="card">
+            <div
+              class="border-b border-gray-100 px-6 py-4 dark:border-dark-700"
+            >
+              <h2 class="text-lg font-semibold text-gray-900 dark:text-white">
+                {{ t("admin.settings.openaiFastPolicy.title") }}
+              </h2>
+              <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
+                {{ t("admin.settings.openaiFastPolicy.description") }}
+              </p>
+            </div>
+            <div class="space-y-5 p-6">
+              <!-- Empty state -->
+              <div
+                v-if="openaiFastPolicyForm.rules.length === 0"
+                class="rounded-lg border border-dashed border-gray-200 p-6 text-center text-sm text-gray-500 dark:border-dark-600 dark:text-gray-400"
+              >
+                {{ t("admin.settings.openaiFastPolicy.empty") }}
+              </div>
+              <!-- Rule Cards -->
+              <div
+                v-for="(rule, ruleIndex) in openaiFastPolicyForm.rules"
+                :key="ruleIndex"
+                class="rounded-lg border border-gray-200 p-4 dark:border-dark-600"
+              >
+                <div class="mb-3 flex items-center justify-between">
+                  <span
+                    class="text-sm font-medium text-gray-900 dark:text-white"
+                  >
+                    {{
+                      t("admin.settings.openaiFastPolicy.ruleHeader", {
+                        index: ruleIndex + 1,
+                      })
+                    }}
+                  </span>
+                  <button
+                    type="button"
+                    @click="removeOpenAIFastPolicyRule(ruleIndex)"
+                    class="rounded p-1 text-red-400 transition-colors hover:bg-red-50 hover:text-red-600 dark:hover:bg-red-900/20"
+                    :title="t('admin.settings.openaiFastPolicy.removeRule')"
+                  >
+                    <svg
+                      class="h-4 w-4"
+                      fill="none"
+                      viewBox="0 0 24 24"
+                      stroke="currentColor"
+                      stroke-width="2"
+                    >
+                      <path
+                        stroke-linecap="round"
+                        stroke-linejoin="round"
+                        d="M6 18L18 6M6 6l12 12"
+                      />
+                    </svg>
+                  </button>
+                </div>
+                <div class="grid grid-cols-1 gap-4 md:grid-cols-3">
+                  <!-- Service Tier -->
+                  <div>
+                    <label
+                      class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400"
+                    >
+                      {{ t("admin.settings.openaiFastPolicy.serviceTier") }}
+                    </label>
+                    <Select
+                      :modelValue="rule.service_tier"
+                      @update:modelValue="
+                        rule.service_tier = $event as
+                          | 'all'
+                          | 'priority'
+                          | 'flex'
+                      "
+                      :options="openaiFastPolicyTierOptions"
+                    />
+                  </div>
+                  <!-- Action -->
+                  <div>
+                    <label
+                      class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400"
+                    >
+                      {{ t("admin.settings.openaiFastPolicy.action") }}
+                    </label>
+                    <Select
+                      :modelValue="rule.action"
+                      @update:modelValue="
+                        rule.action = $event as 'pass' | 'filter' | 'block'
+                      "
+                      :options="openaiFastPolicyActionOptions"
+                    />
+                  </div>
+                  <!-- Scope -->
+                  <div>
+                    <label
+                      class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400"
+                    >
+                      {{ t("admin.settings.openaiFastPolicy.scope") }}
+                    </label>
+                    <Select
+                      :modelValue="rule.scope"
+                      @update:modelValue="
+                        rule.scope = $event as
+                          | 'all'
+                          | 'oauth'
+                          | 'apikey'
+                          | 'bedrock'
+                      "
+                      :options="openaiFastPolicyScopeOptions"
+                    />
+                  </div>
+                </div>
+                <!-- Error Message (only when action=block) -->
+                <div v-if="rule.action === 'block'" class="mt-3">
+                  <label
+                    class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400"
+                  >
+                    {{ t("admin.settings.openaiFastPolicy.errorMessage") }}
+                  </label>
+                  <input
+                    v-model="rule.error_message"
+                    type="text"
+                    class="input"
+                    :placeholder="
+                      t(
+                        'admin.settings.openaiFastPolicy.errorMessagePlaceholder',
+                      )
+                    "
+                  />
+                  <p class="mt-1 text-xs text-gray-400 dark:text-gray-500">
+                    {{ t("admin.settings.openaiFastPolicy.errorMessageHint") }}
+                  </p>
+                </div>
+                <!-- Model Whitelist -->
+                <div class="mt-3">
+                  <label
+                    class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400"
+                  >
+                    {{ t("admin.settings.openaiFastPolicy.modelWhitelist") }}
+                  </label>
+                  <p class="mb-2 text-xs text-gray-400 dark:text-gray-500">
+                    {{
+                      t("admin.settings.openaiFastPolicy.modelWhitelistHint")
+                    }}
+                  </p>
+                  <div
+                    v-for="(_, patternIdx) in rule.model_whitelist || []"
+                    :key="patternIdx"
+                    class="mb-1.5 flex items-center gap-2"
+                  >
+                    <input
+                      v-model="rule.model_whitelist![patternIdx]"
+                      type="text"
+                      class="input input-sm flex-1"
+                      :placeholder="
+                        t(
+                          'admin.settings.openaiFastPolicy.modelPatternPlaceholder',
+                        )
+                      "
+                    />
+                    <button
+                      type="button"
+                      @click="
+                        removeOpenAIFastPolicyModelPattern(rule, patternIdx)
+                      "
+                      class="shrink-0 rounded p-1 text-red-400 transition-colors hover:bg-red-50 hover:text-red-600 dark:hover:bg-red-900/20"
+                    >
+                      <svg
+                        class="h-4 w-4"
+                        fill="none"
+                        viewBox="0 0 24 24"
+                        stroke="currentColor"
+                        stroke-width="2"
+                      >
+                        <path
+                          stroke-linecap="round"
+                          stroke-linejoin="round"
+                          d="M6 18L18 6M6 6l12 12"
+                        />
+                      </svg>
+                    </button>
+                  </div>
+                  <button
+                    type="button"
+                    @click="addOpenAIFastPolicyModelPattern(rule)"
+                    class="mb-2 inline-flex items-center gap-1 text-xs text-primary-600 transition-colors hover:text-primary-700 dark:text-primary-400 dark:hover:text-primary-300"
+                  >
+                    <svg
+                      class="h-3.5 w-3.5"
+                      fill="none"
+                      viewBox="0 0 24 24"
+                      stroke="currentColor"
+                      stroke-width="2"
+                    >
+                      <path
+                        stroke-linecap="round"
+                        stroke-linejoin="round"
+                        d="M12 4v16m8-8H4"
+                      />
+                    </svg>
+                    {{ t("admin.settings.openaiFastPolicy.addModelPattern") }}
+                  </button>
+                </div>
+                <!-- Fallback Action (only when model_whitelist is non-empty) -->
+                <div
+                  v-if="
+                    rule.model_whitelist && rule.model_whitelist.length > 0
+                  "
+                  class="mt-3"
+                >
+                  <label
+                    class="mb-1 block text-xs font-medium text-gray-600 dark:text-gray-400"
+                  >
+                    {{ t("admin.settings.openaiFastPolicy.fallbackAction") }}
+                  </label>
+                  <Select
+                    :modelValue="rule.fallback_action || 'pass'"
+                    @update:modelValue="
+                      rule.fallback_action = $event as
+                        | 'pass'
+                        | 'filter'
+                        | 'block'
+                    "
+                    :options="openaiFastPolicyActionOptions"
+                  />
+                  <p class="mt-1 text-xs text-gray-400 dark:text-gray-500">
+                    {{
+                      t("admin.settings.openaiFastPolicy.fallbackActionHint")
+                    }}
+                  </p>
+                  <div v-if="rule.fallback_action === 'block'" class="mt-2">
+                    <input
+                      v-model="rule.fallback_error_message"
+                      type="text"
+                      class="input"
+                      :placeholder="
+                        t(
+                          'admin.settings.openaiFastPolicy.fallbackErrorMessagePlaceholder',
+                        )
+                      "
+                    />
+                  </div>
+                </div>
+              </div>
+              <!-- Add Rule Button -->
+              <div>
+                <button
+                  type="button"
+                  @click="addOpenAIFastPolicyRule"
+                  class="btn btn-secondary btn-sm inline-flex items-center gap-1"
+                >
+                  <svg
+                    class="h-4 w-4"
+                    fill="none"
+                    viewBox="0 0 24 24"
+                    stroke="currentColor"
+                    stroke-width="2"
+                  >
+                    <path
+                      stroke-linecap="round"
+                      stroke-linejoin="round"
+                      d="M12 4v16m8-8H4"
+                    />
+                  </svg>
+                  {{ t("admin.settings.openaiFastPolicy.addRule") }}
+                </button>
+                <p class="mt-2 text-xs text-gray-400 dark:text-gray-500">
+                  {{ t("admin.settings.openaiFastPolicy.saveHint") }}
+                </p>
+              </div>
+            </div>
+          </div>
        </div>
        <!-- /Tab: Gateway -->
@@ -5199,6 +5478,7 @@ import type {
  SystemSettings,
  UpdateSettingsRequest,
  DefaultSubscriptionSetting,
+  OpenAIFastPolicyRule,
  WeChatConnectMode,
  WebSearchEmulationConfig,
  WebSearchProviderConfig,
@@ -5337,6 +5617,14 @@ const betaPolicyForm = reactive({
  }>,
 });
+// OpenAI Fast/Flex Policy 状态
+const openaiFastPolicyForm = reactive({
+  rules: [] as OpenAIFastPolicyRule[],
+});
+// 标记 openai_fast_policy_settings 是否已成功从后端加载，
+// 避免后端 GET 出错或字段缺失时，保存把默认规则覆盖成空数组。
+const openaiFastPolicyLoaded = ref(false);
 const tablePageSizeMin = 5;
 const tablePageSizeMax = 1000;
 const tablePageSizeDefault = 20;
@@ -6116,6 +6404,23 @@ async function loadSettings() {
    );
    form.oidc_connect_client_secret = "";
+    // Load OpenAI fast/flex policy rules from bulk settings.
+    // 仅当 payload 真的包含该字段时填充并标记为已加载；否则保持表单空值，
+    // 让 saveSettings 在未加载时跳过该字段，防止覆盖后端默认规则。
+    if (
+      settings.openai_fast_policy_settings &&
+      Array.isArray(settings.openai_fast_policy_settings.rules)
+    ) {
+      openaiFastPolicyForm.rules =
+        settings.openai_fast_policy_settings.rules.map((rule) => ({
+          ...rule,
+          model_whitelist: rule.model_whitelist
+            ? [...rule.model_whitelist]
+            : [],
+        }));
+      openaiFastPolicyLoaded.value = true;
+    }
    // Load web search emulation config separately
    await loadWebSearchConfig();
  } catch (error: unknown) {
@@ -6460,10 +6765,39 @@ async function saveSettings() {
      affiliate_enabled: form.affiliate_enabled,
    };
+    // 仅当 openai_fast_policy_settings 已成功从后端加载时才回写，
+    // 否则省略整个字段，让后端保留既有规则（含默认值）。
+    if (openaiFastPolicyLoaded.value) {
+      payload.openai_fast_policy_settings = {
+        rules: openaiFastPolicyForm.rules.map((rule) => {
+          const whitelist = (rule.model_whitelist || [])
+            .map((p) => p.trim())
+            .filter((p) => p !== "");
+          const hasWhitelist = whitelist.length > 0;
+          return {
+            service_tier: rule.service_tier,
+            action: rule.action,
+            scope: rule.scope,
+            error_message:
+              rule.action === "block" ? rule.error_message : undefined,
+            model_whitelist: hasWhitelist ? whitelist : undefined,
+            fallback_action: hasWhitelist
+              ? rule.fallback_action || "pass"
+              : undefined,
+            fallback_error_message:
+              hasWhitelist && rule.fallback_action === "block"
+                ? rule.fallback_error_message
+                : undefined,
+          };
+        }),
+      };
+    }
    appendAuthSourceDefaultsToUpdateRequest(payload, authSourceDefaults);
    const updated = await adminAPI.settings.updateSettings(payload);
    for (const [key, value] of Object.entries(updated)) {
+      if (key === "openai_fast_policy_settings") continue;
      if (value !== null && value !== undefined) {
        (form as Record<string, unknown>)[key] = value;
      }
@@ -6507,6 +6841,20 @@ async function saveSettings() {
      form.wechat_connect_mode,
    );
    form.oidc_connect_client_secret = "";
+    // Refresh OpenAI fast/flex policy from server response
+    if (
+      updated.openai_fast_policy_settings &&
+      Array.isArray(updated.openai_fast_policy_settings.rules)
+    ) {
+      openaiFastPolicyForm.rules =
+        updated.openai_fast_policy_settings.rules.map((rule) => ({
+          ...rule,
+          model_whitelist: rule.model_whitelist
+            ? [...rule.model_whitelist]
+            : [],
+        }));
+      openaiFastPolicyLoaded.value = true;
+    }
    // Save web search emulation config separately (errors handled internally)
    const wsOk = await saveWebSearchConfig();
    // Refresh cached settings so sidebar/header update immediately
@@ -6846,6 +7194,61 @@ async function loadBetaPolicySettings() {
  }
 }
+// ==================== OpenAI Fast/Flex Policy ====================
+const openaiFastPolicyTierOptions = computed(() => [
+  { value: "all", label: t("admin.settings.openaiFastPolicy.tierAll") },
+  {
+    value: "priority",
+    label: t("admin.settings.openaiFastPolicy.tierPriority"),
+  },
+  { value: "flex", label: t("admin.settings.openaiFastPolicy.tierFlex") },
+]);
+const openaiFastPolicyActionOptions = computed(() => [
+  { value: "pass", label: t("admin.settings.openaiFastPolicy.actionPass") },
+  { value: "filter", label: t("admin.settings.openaiFastPolicy.actionFilter") },
+  { value: "block", label: t("admin.settings.openaiFastPolicy.actionBlock") },
+]);
+const openaiFastPolicyScopeOptions = computed(() => [
+  { value: "all", label: t("admin.settings.openaiFastPolicy.scopeAll") },
+  { value: "oauth", label: t("admin.settings.openaiFastPolicy.scopeOAuth") },
+  { value: "apikey", label: t("admin.settings.openaiFastPolicy.scopeAPIKey") },
+  {
+    value: "bedrock",
+    label: t("admin.settings.openaiFastPolicy.scopeBedrock"),
+  },
+]);
+function addOpenAIFastPolicyRule() {
+  openaiFastPolicyForm.rules.push({
+    service_tier: "priority",
+    action: "filter",
+    scope: "all",
+    error_message: "",
+    model_whitelist: [],
+    fallback_action: "pass",
+    fallback_error_message: "",
+  });
+}
+function removeOpenAIFastPolicyRule(index: number) {
+  openaiFastPolicyForm.rules.splice(index, 1);
+}
+function addOpenAIFastPolicyModelPattern(rule: OpenAIFastPolicyRule) {
+  if (!rule.model_whitelist) rule.model_whitelist = [];
+  rule.model_whitelist.push("");
+}
+function removeOpenAIFastPolicyModelPattern(
+  rule: OpenAIFastPolicyRule,
+  idx: number,
+) {
+  rule.model_whitelist?.splice(idx, 1);
+}
 async function saveBetaPolicySettings() {
  betaPolicySaving.value = true;
  try {