Merge remote-tracking branch 'upstream/main'

backend/internal/service/email_service.go

@@ -140,6 +140,8 @@ func (s *EmailService) SendEmailWithConfig(config *SMTPConfig, to, subject, body
 func (s *EmailService) sendMailTLS(addr string, auth smtp.Auth, from, to string, msg []byte, host string) error {
 	tlsConfig := &tls.Config{
 		ServerName: host,
+		// 强制 TLS 1.2+，避免协议降级导致的弱加密风险。
+		MinVersion: tls.VersionTLS12,
 	}
 
 	conn, err := tls.Dial("tcp", addr, tlsConfig)
@@ -311,7 +313,11 @@ func (s *EmailService) TestSMTPConnectionWithConfig(config *SMTPConfig) error {
 	addr := fmt.Sprintf("%s:%d", config.Host, config.Port)
 
 	if config.UseTLS {
-		tlsConfig := &tls.Config{ServerName: config.Host}
+		tlsConfig := &tls.Config{
+			ServerName: config.Host,
+			// 与发送逻辑一致，显式要求 TLS 1.2+。
+			MinVersion: tls.VersionTLS12,
+		}
 		conn, err := tls.Dial("tcp", addr, tlsConfig)
 		if err != nil {
 			return fmt.Errorf("tls connection failed: %w", err)

backend/internal/service/gateway_multiplatform_test.go

@@ -105,6 +105,9 @@ func (m *mockAccountRepoForPlatform) SetError(ctx context.Context, id int64, err
 func (m *mockAccountRepoForPlatform) SetSchedulable(ctx context.Context, id int64, schedulable bool) error {
 	return nil
 }
+func (m *mockAccountRepoForPlatform) AutoPauseExpiredAccounts(ctx context.Context, now time.Time) (int64, error) {
+	return 0, nil
+}
 func (m *mockAccountRepoForPlatform) BindGroups(ctx context.Context, accountID int64, groupIDs []int64) error {
 	return nil
 }

backend/internal/service/gateway_service.go

@@ -35,6 +35,7 @@ const (
 	stickySessionTTL        = time.Hour // 粘性会话TTL
 	defaultMaxLineSize      = 10 * 1024 * 1024
 	claudeCodeSystemPrompt  = "You are Claude Code, Anthropic's official CLI for Claude."
+	maxCacheControlBlocks   = 4 // Anthropic API 允许的最大 cache_control 块数量
 )
 
 // sseDataRe matches SSE data lines with optional whitespace after colon.
@@ -43,6 +44,16 @@ var (
 	sseDataRe            = regexp.MustCompile(`^data:\s*`)
 	sessionIDRegex       = regexp.MustCompile(`session_([a-f0-9-]{36})`)
 	claudeCliUserAgentRe = regexp.MustCompile(`^claude-cli/\d+\.\d+\.\d+`)
+
+	// claudeCodePromptPrefixes 用于检测 Claude Code 系统提示词的前缀列表
+	// 支持多种变体：标准版、Agent SDK 版、Explore Agent 版、Compact 版等
+	// 注意：前缀之间不应存在包含关系，否则会导致冗余匹配
+	claudeCodePromptPrefixes = []string{
+		"You are Claude Code, Anthropic's official CLI for Claude",             // 标准版 & Agent SDK 版（含 running within...）
+		"You are a Claude agent, built on Anthropic's Claude Agent SDK",        // Agent SDK 变体
+		"You are a file search specialist for Claude Code",                     // Explore Agent 版
+		"You are a helpful AI assistant tasked with summarizing conversations", // Compact 版
+	}
 )
 
 // allowedHeaders 白名单headers（参考CRS项目）
@@ -104,6 +115,7 @@ type ForwardResult struct {
 	Stream           bool
 	Duration         time.Duration
 	FirstTokenMs     *int // 首字时间（流式请求）
+	ClientDisconnect bool // 客户端是否在流式传输过程中断开
 
 	// 图片生成计费字段（仅 gemini-3-pro-image 使用）
 	ImageCount int    // 生成的图片数量
@@ -355,17 +367,8 @@ func (s *GatewayService) SelectAccountForModelWithExclusions(ctx context.Context
 		return s.selectAccountWithMixedScheduling(ctx, groupID, sessionHash, requestedModel, excludedIDs, platform)
 	}
 
-	// 强制平台模式：优先按分组查找，找不到再查全部该平台账户
-	if hasForcePlatform && groupID != nil {
-		account, err := s.selectAccountForModelWithPlatform(ctx, groupID, sessionHash, requestedModel, excludedIDs, platform)
-		if err == nil {
-			return account, nil
-		}
-		// 分组中找不到，回退查询全部该平台账户
-		groupID = nil
-	}
-
 	// antigravity 分组、强制平台模式或无分组使用单平台选择
+	// 注意：强制平台模式也必须遵守分组限制，不再回退到全平台查询
 	return s.selectAccountForModelWithPlatform(ctx, groupID, sessionHash, requestedModel, excludedIDs, platform)
 }
 
@@ -443,7 +446,8 @@ func (s *GatewayService) SelectAccountWithLoadAwareness(ctx context.Context, gro
 		accountID, err := s.cache.GetSessionAccountID(ctx, sessionHash)
 		if err == nil && accountID > 0 && !isExcluded(accountID) {
 			account, err := s.accountRepo.GetByID(ctx, accountID)
-			if err == nil && s.isAccountAllowedForPlatform(account, platform, useMixed) &&
+			if err == nil && s.isAccountInGroup(account, groupID) &&
+				s.isAccountAllowedForPlatform(account, platform, useMixed) &&
 				account.IsSchedulable() &&
 				(requestedModel == "" || s.isModelSupportedByAccount(account, requestedModel)) {
 				result, err := s.tryAcquireAccountSlot(ctx, accountID, account.Concurrency)
@@ -660,9 +664,7 @@ func (s *GatewayService) listSchedulableAccounts(ctx context.Context, groupID *i
 		accounts, err = s.accountRepo.ListSchedulableByPlatform(ctx, platform)
 	} else if groupID != nil {
 		accounts, err = s.accountRepo.ListSchedulableByGroupIDAndPlatform(ctx, *groupID, platform)
-		if err == nil && len(accounts) == 0 && hasForcePlatform {
-			accounts, err = s.accountRepo.ListSchedulableByPlatform(ctx, platform)
-		}
+		// 分组内无账号则返回空列表，由上层处理错误，不再回退到全平台查询
 	} else {
 		accounts, err = s.accountRepo.ListSchedulableByPlatform(ctx, platform)
 	}
@@ -685,6 +687,23 @@ func (s *GatewayService) isAccountAllowedForPlatform(account *Account, platform
 	return account.Platform == platform
 }
 
+// isAccountInGroup checks if the account belongs to the specified group.
+// Returns true if groupID is nil (no group restriction) or account belongs to the group.
+func (s *GatewayService) isAccountInGroup(account *Account, groupID *int64) bool {
+	if groupID == nil {
+		return true // 无分组限制
+	}
+	if account == nil {
+		return false
+	}
+	for _, ag := range account.AccountGroups {
+		if ag.GroupID == *groupID {
+			return true
+		}
+	}
+	return false
+}
+
 func (s *GatewayService) tryAcquireAccountSlot(ctx context.Context, accountID int64, maxConcurrency int) (*AcquireResult, error) {
 	if s.concurrencyService == nil {
 		return &AcquireResult{Acquired: true, ReleaseFunc: func() {}}, nil
@@ -723,8 +742,8 @@ func (s *GatewayService) selectAccountForModelWithPlatform(ctx context.Context,
 		if err == nil && accountID > 0 {
 			if _, excluded := excludedIDs[accountID]; !excluded {
 				account, err := s.accountRepo.GetByID(ctx, accountID)
-				// 检查账号平台是否匹配（确保粘性会话不会跨平台）
-				if err == nil && account.Platform == platform && account.IsSchedulable() && (requestedModel == "" || s.isModelSupportedByAccount(account, requestedModel)) {
+				// 检查账号分组归属和平台匹配（确保粘性会话不会跨分组或跨平台）
+				if err == nil && s.isAccountInGroup(account, groupID) && account.Platform == platform && account.IsSchedulable() && (requestedModel == "" || s.isModelSupportedByAccount(account, requestedModel)) {
 					if err := s.cache.RefreshSessionTTL(ctx, sessionHash, stickySessionTTL); err != nil {
 						log.Printf("refresh session ttl failed: session=%s err=%v", sessionHash, err)
 					}
@@ -812,8 +831,8 @@ func (s *GatewayService) selectAccountWithMixedScheduling(ctx context.Context, g
 		if err == nil && accountID > 0 {
 			if _, excluded := excludedIDs[accountID]; !excluded {
 				account, err := s.accountRepo.GetByID(ctx, accountID)
-				// 检查账号是否有效：原生平台直接匹配，antigravity 需要启用混合调度
-				if err == nil && account.IsSchedulable() && (requestedModel == "" || s.isModelSupportedByAccount(account, requestedModel)) {
+				// 检查账号分组归属和有效性：原生平台直接匹配，antigravity 需要启用混合调度
+				if err == nil && s.isAccountInGroup(account, groupID) && account.IsSchedulable() && (requestedModel == "" || s.isModelSupportedByAccount(account, requestedModel)) {
 					if account.Platform == nativePlatform || (account.Platform == PlatformAntigravity && account.IsMixedSchedulingEnabled()) {
 						if err := s.cache.RefreshSessionTTL(ctx, sessionHash, stickySessionTTL); err != nil {
 							log.Printf("refresh session ttl failed: session=%s err=%v", sessionHash, err)
@@ -1013,15 +1032,15 @@ func isClaudeCodeClient(userAgent string, metadataUserID string) bool {
 }
 
 // systemIncludesClaudeCodePrompt 检查 system 中是否已包含 Claude Code 提示词
-// 支持 string 和 []any 两种格式
+// 使用前缀匹配支持多种变体（标准版、Agent SDK 版等）
 func systemIncludesClaudeCodePrompt(system any) bool {
 	switch v := system.(type) {
 	case string:
-		return v == claudeCodeSystemPrompt
+		return hasClaudeCodePrefix(v)
 	case []any:
 		for _, item := range v {
 			if m, ok := item.(map[string]any); ok {
-				if text, ok := m["text"].(string); ok && text == claudeCodeSystemPrompt {
+				if text, ok := m["text"].(string); ok && hasClaudeCodePrefix(text) {
 					return true
 				}
 			}
@@ -1030,6 +1049,16 @@ func systemIncludesClaudeCodePrompt(system any) bool {
 	return false
 }
 
+// hasClaudeCodePrefix 检查文本是否以 Claude Code 提示词的特征前缀开头
+func hasClaudeCodePrefix(text string) bool {
+	for _, prefix := range claudeCodePromptPrefixes {
+		if strings.HasPrefix(text, prefix) {
+			return true
+		}
+	}
+	return false
+}
+
 // injectClaudeCodePrompt 在 system 开头注入 Claude Code 提示词
 // 处理 null、字符串、数组三种格式
 func injectClaudeCodePrompt(body []byte, system any) []byte {
@@ -1073,6 +1102,124 @@ func injectClaudeCodePrompt(body []byte, system any) []byte {
 	return result
 }
 
+// enforceCacheControlLimit 强制执行 cache_control 块数量限制（最多 4 个）
+// 超限时优先从 messages 中移除 cache_control，保护 system 中的缓存控制
+func enforceCacheControlLimit(body []byte) []byte {
+	var data map[string]any
+	if err := json.Unmarshal(body, &data); err != nil {
+		return body
+	}
+
+	// 计算当前 cache_control 块数量
+	count := countCacheControlBlocks(data)
+	if count <= maxCacheControlBlocks {
+		return body
+	}
+
+	// 超限：优先从 messages 中移除，再从 system 中移除
+	for count > maxCacheControlBlocks {
+		if removeCacheControlFromMessages(data) {
+			count--
+			continue
+		}
+		if removeCacheControlFromSystem(data) {
+			count--
+			continue
+		}
+		break
+	}
+
+	result, err := json.Marshal(data)
+	if err != nil {
+		return body
+	}
+	return result
+}
+
+// countCacheControlBlocks 统计 system 和 messages 中的 cache_control 块数量
+func countCacheControlBlocks(data map[string]any) int {
+	count := 0
+
+	// 统计 system 中的块
+	if system, ok := data["system"].([]any); ok {
+		for _, item := range system {
+			if m, ok := item.(map[string]any); ok {
+				if _, has := m["cache_control"]; has {
+					count++
+				}
+			}
+		}
+	}
+
+	// 统计 messages 中的块
+	if messages, ok := data["messages"].([]any); ok {
+		for _, msg := range messages {
+			if msgMap, ok := msg.(map[string]any); ok {
+				if content, ok := msgMap["content"].([]any); ok {
+					for _, item := range content {
+						if m, ok := item.(map[string]any); ok {
+							if _, has := m["cache_control"]; has {
+								count++
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+
+	return count
+}
+
+// removeCacheControlFromMessages 从 messages 中移除一个 cache_control（从头开始）
+// 返回 true 表示成功移除，false 表示没有可移除的
+func removeCacheControlFromMessages(data map[string]any) bool {
+	messages, ok := data["messages"].([]any)
+	if !ok {
+		return false
+	}
+
+	for _, msg := range messages {
+		msgMap, ok := msg.(map[string]any)
+		if !ok {
+			continue
+		}
+		content, ok := msgMap["content"].([]any)
+		if !ok {
+			continue
+		}
+		for _, item := range content {
+			if m, ok := item.(map[string]any); ok {
+				if _, has := m["cache_control"]; has {
+					delete(m, "cache_control")
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
+// removeCacheControlFromSystem 从 system 中移除一个 cache_control（从尾部开始，保护注入的 prompt）
+// 返回 true 表示成功移除，false 表示没有可移除的
+func removeCacheControlFromSystem(data map[string]any) bool {
+	system, ok := data["system"].([]any)
+	if !ok {
+		return false
+	}
+
+	// 从尾部开始移除，保护开头注入的 Claude Code prompt
+	for i := len(system) - 1; i >= 0; i-- {
+		if m, ok := system[i].(map[string]any); ok {
+			if _, has := m["cache_control"]; has {
+				delete(m, "cache_control")
+				return true
+			}
+		}
+	}
+	return false
+}
+
 // Forward 转发请求到Claude API
 func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *Account, parsed *ParsedRequest) (*ForwardResult, error) {
 	startTime := time.Now()
@@ -1093,6 +1240,9 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *A
 		body = injectClaudeCodePrompt(body, parsed.System)
 	}
 
+	// 强制执行 cache_control 块数量限制（最多 4 个）
+	body = enforceCacheControlLimit(body)
+
 	// 应用模型映射（仅对apikey类型账号）
 	originalModel := reqModel
 	if account.Type == AccountTypeAPIKey {
@@ -1316,6 +1466,7 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *A
 	// 处理正常响应
 	var usage *ClaudeUsage
 	var firstTokenMs *int
+	var clientDisconnect bool
 	if reqStream {
 		streamResult, err := s.handleStreamingResponse(ctx, resp, c, account, startTime, originalModel, reqModel)
 		if err != nil {
@@ -1328,6 +1479,7 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *A
 		}
 		usage = streamResult.usage
 		firstTokenMs = streamResult.firstTokenMs
+		clientDisconnect = streamResult.clientDisconnect
 	} else {
 		usage, err = s.handleNonStreamingResponse(ctx, resp, c, account, originalModel, reqModel)
 		if err != nil {
@@ -1342,6 +1494,7 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *A
 		Stream:           reqStream,
 		Duration:         time.Since(startTime),
 		FirstTokenMs:     firstTokenMs,
+		ClientDisconnect: clientDisconnect,
 	}, nil
 }
 
@@ -1698,6 +1851,7 @@ func (s *GatewayService) handleRetryExhaustedError(ctx context.Context, resp *ht
 type streamingResult struct {
 	usage            *ClaudeUsage
 	firstTokenMs     *int
+	clientDisconnect bool // 客户端是否在流式传输过程中断开
 }
 
 func (s *GatewayService) handleStreamingResponse(ctx context.Context, resp *http.Response, c *gin.Context, account *Account, startTime time.Time, originalModel, mappedModel string) (*streamingResult, error) {
@@ -1793,14 +1947,27 @@ func (s *GatewayService) handleStreamingResponse(ctx context.Context, resp *http
 	}
 
 	needModelReplace := originalModel != mappedModel
+	clientDisconnected := false // 客户端断开标志，断开后继续读取上游以获取完整usage
 
 	for {
 		select {
 		case ev, ok := <-events:
 			if !ok {
-				return &streamingResult{usage: usage, firstTokenMs: firstTokenMs}, nil
+				// 上游完成，返回结果
+				return &streamingResult{usage: usage, firstTokenMs: firstTokenMs, clientDisconnect: clientDisconnected}, nil
 			}
 			if ev.err != nil {
+				// 检测 context 取消（客户端断开会导致 context 取消，进而影响上游读取）
+				if errors.Is(ev.err, context.Canceled) || errors.Is(ev.err, context.DeadlineExceeded) {
+					log.Printf("Context canceled during streaming, returning collected usage")
+					return &streamingResult{usage: usage, firstTokenMs: firstTokenMs, clientDisconnect: true}, nil
+				}
+				// 客户端已通过写入失败检测到断开，上游也出错了，返回已收集的 usage
+				if clientDisconnected {
+					log.Printf("Upstream read error after client disconnect: %v, returning collected usage", ev.err)
+					return &streamingResult{usage: usage, firstTokenMs: firstTokenMs, clientDisconnect: true}, nil
+				}
+				// 客户端未断开，正常的错误处理
 				if errors.Is(ev.err, bufio.ErrTooLong) {
 					log.Printf("SSE line too long: account=%d max_size=%d error=%v", account.ID, maxLineSize, ev.err)
 					sendErrorEvent("response_too_large")
@@ -1811,38 +1978,40 @@ func (s *GatewayService) handleStreamingResponse(ctx context.Context, resp *http
 			}
 			line := ev.line
 			if line == "event: error" {
+				// 上游返回错误事件，如果客户端已断开仍返回已收集的 usage
+				if clientDisconnected {
+					return &streamingResult{usage: usage, firstTokenMs: firstTokenMs, clientDisconnect: true}, nil
+				}
 				return nil, errors.New("have error in stream")
 			}
 
 			// Extract data from SSE line (supports both "data: " and "data:" formats)
+			var data string
 			if sseDataRe.MatchString(line) {
-				data := sseDataRe.ReplaceAllString(line, "")
-
+				data = sseDataRe.ReplaceAllString(line, "")
 				// 如果有模型映射，替换响应中的model字段
 				if needModelReplace {
 					line = s.replaceModelInSSELine(line, mappedModel, originalModel)
 				}
+			}
 
-				// 转发行
+			// 写入客户端（统一处理 data 行和非 data 行）
+			if !clientDisconnected {
 				if _, err := fmt.Fprintf(w, "%s\n", line); err != nil {
-					sendErrorEvent("write_failed")
-					return &streamingResult{usage: usage, firstTokenMs: firstTokenMs}, err
-				}
+					clientDisconnected = true
+					log.Printf("Client disconnected during streaming, continuing to drain upstream for billing")
+				} else {
 					flusher.Flush()
+				}
+			}
 
-				// 记录首字时间：第一个有效的 content_block_delta 或 message_start
-				if firstTokenMs == nil && data != "" && data != "[DONE]" {
+			// 无论客户端是否断开，都解析 usage（仅对 data 行）
+			if data != "" {
+				if firstTokenMs == nil && data != "[DONE]" {
 					ms := int(time.Since(startTime).Milliseconds())
 					firstTokenMs = &ms
 				}
 				s.parseSSEUsage(data, usage)
-			} else {
-				// 非 data 行直接转发
-				if _, err := fmt.Fprintf(w, "%s\n", line); err != nil {
-					sendErrorEvent("write_failed")
-					return &streamingResult{usage: usage, firstTokenMs: firstTokenMs}, err
-				}
-				flusher.Flush()
 			}
 
 		case <-intervalCh:
@@ -1850,6 +2019,11 @@ func (s *GatewayService) handleStreamingResponse(ctx context.Context, resp *http
 			if time.Since(lastRead) < streamInterval {
 				continue
 			}
+			if clientDisconnected {
+				// 客户端已断开，上游也超时了，返回已收集的 usage
+				log.Printf("Upstream timeout after client disconnect, returning collected usage")
+				return &streamingResult{usage: usage, firstTokenMs: firstTokenMs, clientDisconnect: true}, nil
+			}
 			log.Printf("Stream data interval timeout: account=%d model=%s interval=%s", account.ID, originalModel, streamInterval)
 			sendErrorEvent("stream_timeout")
 			return &streamingResult{usage: usage, firstTokenMs: firstTokenMs}, fmt.Errorf("stream data interval timeout")
@@ -2003,6 +2177,7 @@ type RecordUsageInput struct {
 	User         *User
 	Account      *Account
 	Subscription *UserSubscription // 可选：订阅信息
+	UserAgent    string            // 请求的 User-Agent
 }
 
 // RecordUsage 记录使用量并扣费（或更新订阅用量）
@@ -2088,6 +2263,11 @@ func (s *GatewayService) RecordUsage(ctx context.Context, input *RecordUsageInpu
 		CreatedAt:           time.Now(),
 	}
 
+	// 添加 UserAgent
+	if input.UserAgent != "" {
+		usageLog.UserAgent = &input.UserAgent
+	}
+
 	// 添加分组和订阅关联
 	if apiKey.GroupID != nil {
 		usageLog.GroupID = apiKey.GroupID

backend/internal/service/gemini_multiplatform_test.go

@@ -90,6 +90,9 @@ func (m *mockAccountRepoForGemini) SetError(ctx context.Context, id int64, error
 func (m *mockAccountRepoForGemini) SetSchedulable(ctx context.Context, id int64, schedulable bool) error {
 	return nil
 }
+func (m *mockAccountRepoForGemini) AutoPauseExpiredAccounts(ctx context.Context, now time.Time) (int64, error) {
+	return 0, nil
+}
 func (m *mockAccountRepoForGemini) BindGroups(ctx context.Context, accountID int64, groupIDs []int64) error {
 	return nil
 }

backend/internal/service/openai_gateway_service.go

@@ -1092,6 +1092,7 @@ type OpenAIRecordUsageInput struct {
 	User         *User
 	Account      *Account
 	Subscription *UserSubscription
+	UserAgent    string // 请求的 User-Agent
 }
 
 // RecordUsage records usage and deducts balance
@@ -1161,6 +1162,11 @@ func (s *OpenAIGatewayService) RecordUsage(ctx context.Context, input *OpenAIRec
 		CreatedAt:           time.Now(),
 	}
 
+	// 添加 UserAgent
+	if input.UserAgent != "" {
+		usageLog.UserAgent = &input.UserAgent
+	}
+
 	if apiKey.GroupID != nil {
 		usageLog.GroupID = apiKey.GroupID
 	}

backend/internal/service/usage_log.go

@@ -38,6 +38,7 @@ type UsageLog struct {
 	Stream       bool
 	DurationMs   *int
 	FirstTokenMs *int
+	UserAgent    *string
 
 	// 图片生成字段
 	ImageCount int

backend/internal/service/usage_service.go

@@ -319,3 +319,12 @@ func (s *UsageService) GetGlobalStats(ctx context.Context, startTime, endTime ti
 	}
 	return stats, nil
 }
+
+// GetStatsWithFilters returns usage stats with optional filters.
+func (s *UsageService) GetStatsWithFilters(ctx context.Context, filters usagestats.UsageLogFilters) (*usagestats.UsageStats, error) {
+	stats, err := s.usageRepo.GetStatsWithFilters(ctx, filters)
+	if err != nil {
+		return nil, fmt.Errorf("get usage stats with filters: %w", err)
+	}
+	return stats, nil
+}

backend/internal/service/wire.go

@@ -47,6 +47,13 @@ func ProvideTokenRefreshService(
 	return svc
 }
 
+// ProvideAccountExpiryService creates and starts AccountExpiryService.
+func ProvideAccountExpiryService(accountRepo AccountRepository) *AccountExpiryService {
+	svc := NewAccountExpiryService(accountRepo, time.Minute)
+	svc.Start()
+	return svc
+}
+
 // ProvideTimingWheelService creates and starts TimingWheelService
 func ProvideTimingWheelService() *TimingWheelService {
 	svc := NewTimingWheelService()
@@ -110,6 +117,7 @@ var ProviderSet = wire.NewSet(
 	NewCRSSyncService,
 	ProvideUpdateService,
 	ProvideTokenRefreshService,
+	ProvideAccountExpiryService,
 	ProvideTimingWheelService,
 	ProvideDeferredService,
 	NewAntigravityQuotaFetcher,

backend/migrations/028_add_usage_logs_user_agent.sql

+-- Add user_agent column to usage_logs table
+-- Records the User-Agent header from API requests for analytics and debugging
+
+ALTER TABLE usage_logs
+    ADD COLUMN IF NOT EXISTS user_agent VARCHAR(512);
+
+-- Optional: Add index for user_agent queries (uncomment if needed for analytics)
+-- CREATE INDEX IF NOT EXISTS idx_usage_logs_user_agent ON usage_logs(user_agent);
+
+COMMENT ON COLUMN usage_logs.user_agent IS 'User-Agent header from the API request';

backend/migrations/030_add_account_expires_at.sql

+-- Add expires_at for account expiration configuration
+ALTER TABLE accounts ADD COLUMN IF NOT EXISTS expires_at timestamptz;
+-- Document expires_at meaning
+COMMENT ON COLUMN accounts.expires_at IS 'Account expiration time (NULL means no expiration).';
+-- Add auto_pause_on_expired for account expiration scheduling control
+ALTER TABLE accounts ADD COLUMN IF NOT EXISTS auto_pause_on_expired boolean NOT NULL DEFAULT true;
+-- Document auto_pause_on_expired meaning
+COMMENT ON COLUMN accounts.auto_pause_on_expired IS 'Auto pause scheduling when account expires.';
+-- Ensure existing accounts are enabled by default
+UPDATE accounts SET auto_pause_on_expired = true;

config.yaml

+# Sub2API Configuration File
+# Sub2API 配置文件
+#
+# Copy this file to /etc/sub2api/config.yaml and modify as needed
+# 复制此文件到 /etc/sub2api/config.yaml 并根据需要修改
+#
+# Documentation / 文档: https://github.com/Wei-Shaw/sub2api
+
+# =============================================================================
+# Server Configuration
+# 服务器配置
+# =============================================================================
+server:
+  # Bind address (0.0.0.0 for all interfaces)
+  # 绑定地址（0.0.0.0 表示监听所有网络接口）
+  host: "0.0.0.0"
+  # Port to listen on
+  # 监听端口
+  port: 8080
+  # Mode: "debug" for development, "release" for production
+  # 运行模式："debug" 用于开发，"release" 用于生产环境
+  mode: "release"
+  # Trusted proxies for X-Forwarded-For parsing (CIDR/IP). Empty disables trusted proxies.
+  # 信任的代理地址（CIDR/IP 格式），用于解析 X-Forwarded-For 头。留空则禁用代理信任。
+  trusted_proxies: []
+
+# =============================================================================
+# Run Mode Configuration
+# 运行模式配置
+# =============================================================================
+# Run mode: "standard" (default) or "simple" (for internal use)
+# 运行模式："standard"（默认）或 "simple"（内部使用）
+# - standard: Full SaaS features with billing/balance checks
+# - standard: 完整 SaaS 功能，包含计费和余额校验
+# - simple: Hides SaaS features and skips billing/balance checks
+# - simple: 隐藏 SaaS 功能，跳过计费和余额校验
+run_mode: "standard"
+
+# =============================================================================
+# CORS Configuration
+# 跨域资源共享 (CORS) 配置
+# =============================================================================
+cors:
+  # Allowed origins list. Leave empty to disable cross-origin requests.
+  # 允许的来源列表。留空则禁用跨域请求。
+  allowed_origins: []
+  # Allow credentials (cookies/authorization headers). Cannot be used with "*".
+  # 允许携带凭证（cookies/授权头）。不能与 "*" 通配符同时使用。
+  allow_credentials: true
+
+# =============================================================================
+# Security Configuration
+# 安全配置
+# =============================================================================
+security:
+  url_allowlist:
+    # Enable URL allowlist validation (disable to skip all URL checks)
+    # 启用 URL 白名单验证（禁用则跳过所有 URL 检查）
+    enabled: false
+    # Allowed upstream hosts for API proxying
+    # 允许代理的上游 API 主机列表
+    upstream_hosts:
+      - "api.openai.com"
+      - "api.anthropic.com"
+      - "api.kimi.com"
+      - "open.bigmodel.cn"
+      - "api.minimaxi.com"
+      - "generativelanguage.googleapis.com"
+      - "cloudcode-pa.googleapis.com"
+      - "*.openai.azure.com"
+    # Allowed hosts for pricing data download
+    # 允许下载定价数据的主机列表
+    pricing_hosts:
+      - "raw.githubusercontent.com"
+    # Allowed hosts for CRS sync (required when using CRS sync)
+    # 允许 CRS 同步的主机列表（使用 CRS 同步功能时必须配置）
+    crs_hosts: []
+    # Allow localhost/private IPs for upstream/pricing/CRS (use only in trusted networks)
+    # 允许本地/私有 IP 地址用于上游/定价/CRS（仅在可信网络中使用）
+    allow_private_hosts: true
+    # Allow http:// URLs when allowlist is disabled (default: false, require https)
+    # 白名单禁用时是否允许 http:// URL（默认: false，要求 https）
+    allow_insecure_http: true
+  response_headers:
+    # Enable configurable response header filtering (disable to use default allowlist)
+    # 启用可配置的响应头过滤（禁用则使用默认白名单）
+    enabled: false
+    # Extra allowed response headers from upstream
+    # 额外允许的上游响应头
+    additional_allowed: []
+    # Force-remove response headers from upstream
+    # 强制移除的上游响应头
+    force_remove: []
+  csp:
+    # Enable Content-Security-Policy header
+    # 启用内容安全策略 (CSP) 响应头
+    enabled: true
+    # Default CSP policy (override if you host assets on other domains)
+    # 默认 CSP 策略（如果静态资源托管在其他域名，请自行覆盖）
+    policy: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
+  proxy_probe:
+    # Allow skipping TLS verification for proxy probe (debug only)
+    # 允许代理探测时跳过 TLS 证书验证（仅用于调试）
+    insecure_skip_verify: false
+
+# =============================================================================
+# Gateway Configuration
+# 网关配置
+# =============================================================================
+gateway:
+  # Timeout for waiting upstream response headers (seconds)
+  # 等待上游响应头超时时间（秒）
+  response_header_timeout: 600
+  # Max request body size in bytes (default: 100MB)
+  # 请求体最大字节数（默认 100MB）
+  max_body_size: 104857600
+  # Connection pool isolation strategy:
+  # 连接池隔离策略：
+  # - proxy: Isolate by proxy, same proxy shares connection pool (suitable for few proxies, many accounts)
+  # - proxy: 按代理隔离，同一代理共享连接池（适合代理少、账户多）
+  # - account: Isolate by account, same account shares connection pool (suitable for few accounts, strict isolation)
+  # - account: 按账户隔离，同一账户共享连接池（适合账户少、需严格隔离）
+  # - account_proxy: Isolate by account+proxy combination (default, finest granularity)
+  # - account_proxy: 按账户+代理组合隔离（默认，最细粒度）
+  connection_pool_isolation: "account_proxy"
+  # HTTP upstream connection pool settings (HTTP/2 + multi-proxy scenario defaults)
+  # HTTP 上游连接池配置（HTTP/2 + 多代理场景默认值）
+  # Max idle connections across all hosts
+  # 所有主机的最大空闲连接数
+  max_idle_conns: 240
+  # Max idle connections per host
+  # 每个主机的最大空闲连接数
+  max_idle_conns_per_host: 120
+  # Max connections per host
+  # 每个主机的最大连接数
+  max_conns_per_host: 240
+  # Idle connection timeout (seconds)
+  # 空闲连接超时时间（秒）
+  idle_conn_timeout_seconds: 90
+  # Upstream client cache settings
+  # 上游连接池客户端缓存配置
+  # max_upstream_clients: Max cached clients, evicts least recently used when exceeded
+  # max_upstream_clients: 最大缓存客户端数量，超出后淘汰最久未使用的
+  max_upstream_clients: 5000
+  # client_idle_ttl_seconds: Client idle reclaim threshold (seconds), reclaimed when idle and no active requests
+  # client_idle_ttl_seconds: 客户端空闲回收阈值（秒），超时且无活跃请求时回收
+  client_idle_ttl_seconds: 900
+  # Concurrency slot expiration time (minutes)
+  # 并发槽位过期时间（分钟）
+  concurrency_slot_ttl_minutes: 30
+  # Stream data interval timeout (seconds), 0=disable
+  # 流数据间隔超时（秒），0=禁用
+  stream_data_interval_timeout: 180
+  # Stream keepalive interval (seconds), 0=disable
+  # 流式 keepalive 间隔（秒），0=禁用
+  stream_keepalive_interval: 10
+  # SSE max line size in bytes (default: 10MB)
+  # SSE 单行最大字节数（默认 10MB）
+  max_line_size: 10485760
+  # Log upstream error response body summary (safe/truncated; does not log request content)
+  # 记录上游错误响应体摘要（安全/截断；不记录请求内容）
+  log_upstream_error_body: false
+  # Max bytes to log from upstream error body
+  # 记录上游错误响应体的最大字节数
+  log_upstream_error_body_max_bytes: 2048
+  # Auto inject anthropic-beta header for API-key accounts when needed (default: off)
+  # 需要时自动为 API-key 账户注入 anthropic-beta 头（默认：关闭）
+  inject_beta_for_apikey: false
+  # Allow failover on selected 400 errors (default: off)
+  # 允许在特定 400 错误时进行故障转移（默认：关闭）
+  failover_on_400: false
+
+# =============================================================================
+# Concurrency Wait Configuration
+# 并发等待配置
+# =============================================================================
+concurrency:
+  # SSE ping interval during concurrency wait (seconds)
+  # 并发等待期间的 SSE ping 间隔（秒）
+  ping_interval: 10
+
+# =============================================================================
+# Database Configuration (PostgreSQL)
+# 数据库配置 (PostgreSQL)
+# =============================================================================
+database:
+  # Database host address
+  # 数据库主机地址
+  host: "localhost"
+  # Database port
+  # 数据库端口
+  port: 5432
+  # Database username
+  # 数据库用户名
+  user: "postgres"
+  # Database password
+  # 数据库密码
+  password: "your_secure_password_here"
+  # Database name
+  # 数据库名称
+  dbname: "sub2api"
+  # SSL mode: disable, require, verify-ca, verify-full
+  # SSL 模式：disable（禁用）, require（要求）, verify-ca（验证CA）, verify-full（完全验证）
+  sslmode: "disable"
+
+# =============================================================================
+# Redis Configuration
+# Redis 配置
+# =============================================================================
+redis:
+  # Redis host address
+  # Redis 主机地址
+  host: "localhost"
+  # Redis port
+  # Redis 端口
+  port: 6379
+  # Redis password (leave empty if no password is set)
+  # Redis 密码（如果未设置密码则留空）
+  password: ""
+  # Database number (0-15)
+  # 数据库编号（0-15）
+  db: 0
+
+# =============================================================================
+# JWT Configuration
+# JWT 配置
+# =============================================================================
+jwt:
+  # IMPORTANT: Change this to a random string in production!
+  # 重要：生产环境中请更改为随机字符串！
+  # Generate with / 生成命令: openssl rand -hex 32
+  secret: "change-this-to-a-secure-random-string"
+  # Token expiration time in hours (max 24)
+  # 令牌过期时间（小时，最大 24）
+  expire_hour: 24
+
+# =============================================================================
+# Default Settings
+# 默认设置
+# =============================================================================
+default:
+  # Initial admin account (created on first run)
+  # 初始管理员账户（首次运行时创建）
+  admin_email: "admin@example.com"
+  admin_password: "admin123"
+
+  # Default settings for new users
+  # 新用户默认设置
+  # Max concurrent requests per user
+  # 每用户最大并发请求数
+  user_concurrency: 5
+  # Initial balance for new users
+  # 新用户初始余额
+  user_balance: 0
+
+  # API key settings
+  # API 密钥设置
+  # Prefix for generated API keys
+  # 生成的 API 密钥前缀
+  api_key_prefix: "sk-"
+
+  # Rate multiplier (affects billing calculation)
+  # 费率倍数（影响计费计算）
+  rate_multiplier: 1.0
+
+# =============================================================================
+# Rate Limiting
+# 速率限制
+# =============================================================================
+rate_limit:
+  # Cooldown time (in minutes) when upstream returns 529 (overloaded)
+  # 上游返回 529（过载）时的冷却时间（分钟）
+  overload_cooldown_minutes: 10
+
+# =============================================================================
+# Pricing Data Source (Optional)
+# 定价数据源（可选）
+# =============================================================================
+pricing:
+  # URL to fetch model pricing data (default: LiteLLM)
+  # 获取模型定价数据的 URL（默认：LiteLLM）
+  remote_url: "https://raw.githubusercontent.com/BerriAI/litellm/main/model_prices_and_context_window.json"
+  # Hash verification URL (optional)
+  # 哈希校验 URL（可选）
+  hash_url: ""
+  # Local data directory for caching
+  # 本地数据缓存目录
+  data_dir: "./data"
+  # Fallback pricing file
+  # 备用定价文件
+  fallback_file: "./resources/model-pricing/model_prices_and_context_window.json"
+  # Update interval in hours
+  # 更新间隔（小时）
+  update_interval_hours: 24
+  # Hash check interval in minutes
+  # 哈希检查间隔（分钟）
+  hash_check_interval_minutes: 10
+
+# =============================================================================
+# Billing Configuration
+# 计费配置
+# =============================================================================
+billing:
+  circuit_breaker:
+    # Enable circuit breaker for billing service
+    # 启用计费服务熔断器
+    enabled: true
+    # Number of failures before opening circuit
+    # 触发熔断的失败次数阈值
+    failure_threshold: 5
+    # Time to wait before attempting reset (seconds)
+    # 熔断后重试等待时间（秒）
+    reset_timeout_seconds: 30
+    # Number of requests to allow in half-open state
+    # 半开状态允许通过的请求数
+    half_open_requests: 3
+
+# =============================================================================
+# Turnstile Configuration
+# Turnstile 人机验证配置
+# =============================================================================
+turnstile:
+  # Require Turnstile in release mode (when enabled, login/register will fail if not configured)
+  # 在 release 模式下要求 Turnstile 验证（启用后，若未配置则登录/注册会失败）
+  required: false
+
+# =============================================================================
+# Gemini OAuth (Required for Gemini accounts)
+# Gemini OAuth 配置（Gemini 账户必需）
+# =============================================================================
+# Sub2API supports TWO Gemini OAuth modes:
+# Sub2API 支持两种 Gemini OAuth 模式：
+#
+# 1. Code Assist OAuth (requires GCP project_id)
+# 1. Code Assist OAuth（需要 GCP project_id）
+#    - Uses: cloudcode-pa.googleapis.com (Code Assist API)
+#    - 使用：cloudcode-pa.googleapis.com（Code Assist API）
+#
+# 2. AI Studio OAuth (no project_id needed)
+# 2. AI Studio OAuth（不需要 project_id）
+#    - Uses: generativelanguage.googleapis.com (AI Studio API)
+#    - 使用：generativelanguage.googleapis.com（AI Studio API）
+#
+# Default: Uses Gemini CLI's public OAuth credentials (same as Google's official CLI tool)
+# 默认：使用 Gemini CLI 的公开 OAuth 凭证（与 Google 官方 CLI 工具相同）
+gemini:
+  oauth:
+    # Gemini CLI public OAuth credentials (works for both Code Assist and AI Studio)
+    # Gemini CLI 公开 OAuth 凭证（适用于 Code Assist 和 AI Studio）
+    client_id: "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com"
+    client_secret: "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"
+    # Optional scopes (space-separated). Leave empty to auto-select based on oauth_type.
+    # 可选的权限范围（空格分隔）。留空则根据 oauth_type 自动选择。
+    scopes: ""
+  quota:
+    # Optional: local quota simulation for Gemini Code Assist (local billing).
+    # 可选：Gemini Code Assist 本地配额模拟（本地计费）。
+    # These values are used for UI progress + precheck scheduling, not official Google quotas.
+    # 这些值用于 UI 进度显示和预检调度，并非 Google 官方配额。
+    tiers:
+      LEGACY:
+        # Pro model requests per day
+        # Pro 模型每日请求数
+        pro_rpd: 50
+        # Flash model requests per day
+        # Flash 模型每日请求数
+        flash_rpd: 1500
+        # Cooldown time (minutes) after hitting quota
+        # 达到配额后的冷却时间（分钟）
+        cooldown_minutes: 30
+      PRO:
+        # Pro model requests per day
+        # Pro 模型每日请求数
+        pro_rpd: 1500
+        # Flash model requests per day
+        # Flash 模型每日请求数
+        flash_rpd: 4000
+        # Cooldown time (minutes) after hitting quota
+        # 达到配额后的冷却时间（分钟）
+        cooldown_minutes: 5
+      ULTRA:
+        # Pro model requests per day
+        # Pro 模型每日请求数
+        pro_rpd: 2000
+        # Flash model requests per day (0 = unlimited)
+        # Flash 模型每日请求数（0 = 无限制）
+        flash_rpd: 0
+        # Cooldown time (minutes) after hitting quota
+        # 达到配额后的冷却时间（分钟）
+        cooldown_minutes: 5

deploy/.env.example

@@ -69,6 +69,24 @@ JWT_EXPIRE_HOUR=24
 # Leave unset to use default ./config.yaml
 #CONFIG_FILE=./config.yaml
 
+# -----------------------------------------------------------------------------
+# Security Configuration
+# -----------------------------------------------------------------------------
+# URL Allowlist Configuration
+# 启用 URL 白名单验证（false 则跳过白名单检查，仅做基本格式校验）
+SECURITY_URL_ALLOWLIST_ENABLED=false
+
+# 关闭白名单时，是否允许 http:// URL（默认 false，只允许 https://）
+# ⚠️ 警告：允许 HTTP 存在安全风险（明文传输），仅建议在开发/测试环境或可信内网中使用
+# Allow insecure HTTP URLs when allowlist is disabled (default: false, requires https)
+# ⚠️ WARNING: Allowing HTTP has security risks (plaintext transmission)
+#             Only recommended for dev/test environments or trusted networks
+SECURITY_URL_ALLOWLIST_ALLOW_INSECURE_HTTP=true
+
+# 是否允许本地/私有 IP 地址用于上游/定价/CRS（仅在可信网络中使用）
+# Allow localhost/private IPs for upstream/pricing/CRS (use only in trusted networks)
+SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS=true
+
 # -----------------------------------------------------------------------------
 # Gemini OAuth (OPTIONAL, required only for Gemini OAuth accounts)
 # -----------------------------------------------------------------------------
@@ -105,3 +123,17 @@ GEMINI_OAUTH_SCOPES=
 # Example:
 # GEMINI_QUOTA_POLICY={"tiers":{"LEGACY":{"pro_rpd":50,"flash_rpd":1500,"cooldown_minutes":30},"PRO":{"pro_rpd":1500,"flash_rpd":4000,"cooldown_minutes":5},"ULTRA":{"pro_rpd":2000,"flash_rpd":0,"cooldown_minutes":5}}}
 GEMINI_QUOTA_POLICY=
+
+# -----------------------------------------------------------------------------
+# Update Configuration (在线更新配置)
+# -----------------------------------------------------------------------------
+# Proxy URL for accessing GitHub (used for online updates and pricing data)
+# 用于访问 GitHub 的代理地址（用于在线更新和定价数据获取）
+# Supports: http, https, socks5, socks5h
+# Examples:
+#   HTTP proxy: http://127.0.0.1:7890
+#   SOCKS5 proxy: socks5://127.0.0.1:1080
+#   With authentication: http://user:pass@proxy.example.com:8080
+# Leave empty for direct connection (recommended for overseas servers)
+# 留空表示直连（适用于海外服务器）
+UPDATE_PROXY_URL=

deploy/config.example.yaml

@@ -388,3 +388,18 @@ gemini:
         # Cooldown time (minutes) after hitting quota
         # 达到配额后的冷却时间（分钟）
         cooldown_minutes: 5
+
+# =============================================================================
+# Update Configuration (在线更新配置)
+# =============================================================================
+update:
+  # Proxy URL for accessing GitHub (used for online updates and pricing data)
+  # 用于访问 GitHub 的代理地址（用于在线更新和定价数据获取）
+  # Supports: http, https, socks5, socks5h
+  # Examples:
+  #   - HTTP proxy: "http://127.0.0.1:7890"
+  #   - SOCKS5 proxy: "socks5://127.0.0.1:1080"
+  #   - With authentication: "http://user:pass@proxy.example.com:8080"
+  # Leave empty for direct connection (recommended for overseas servers)
+  # 留空表示直连（适用于海外服务器）
+  proxy_url: ""

deploy/docker-compose.yml

@@ -101,9 +101,21 @@ services:
       # =======================================================================
       # Security Configuration (URL Allowlist)
       # =======================================================================
-      - SECURITY_URL_ALLOWLIST_UPSTREAM_HOSTS=${SECURITY_URL_ALLOWLIST_UPSTREAM_HOSTS:-}
-      # Allow private IP addresses for CRS sync (for internal deployments)
+      # Enable URL allowlist validation (false to skip allowlist checks)
+      - SECURITY_URL_ALLOWLIST_ENABLED=${SECURITY_URL_ALLOWLIST_ENABLED:-false}
+      # Allow insecure HTTP URLs when allowlist is disabled (default: false, requires https)
+      - SECURITY_URL_ALLOWLIST_ALLOW_INSECURE_HTTP=${SECURITY_URL_ALLOWLIST_ALLOW_INSECURE_HTTP:-false}
+      # Allow private IP addresses for upstream/pricing/CRS (for internal deployments)
       - SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS=${SECURITY_URL_ALLOWLIST_ALLOW_PRIVATE_HOSTS:-false}
+      # Upstream hosts whitelist (comma-separated, only used when enabled=true)
+      - SECURITY_URL_ALLOWLIST_UPSTREAM_HOSTS=${SECURITY_URL_ALLOWLIST_UPSTREAM_HOSTS:-}
+
+      # =======================================================================
+      # Update Configuration (在线更新配置)
+      # =======================================================================
+      # Proxy for accessing GitHub (online updates + pricing data)
+      # Examples: http://host:port, socks5://host:port
+      - UPDATE_PROXY_URL=${UPDATE_PROXY_URL:-}
     depends_on:
       postgres:
         condition: service_healthy

frontend/audit.json

+{
+  "actions": [
+    {
+      "action": "review",
+      "module": "xlsx",
+      "resolves": [
+        {
+          "id": 1108110,
+          "path": ".>xlsx",
+          "dev": false,
+          "bundled": false,
+          "optional": false
+        },
+        {
+          "id": 1108111,
+          "path": ".>xlsx",
+          "dev": false,
+          "bundled": false,
+          "optional": false
+        }
+      ]
+    }
+  ],
+  "advisories": {
+    "1108110": {
+      "findings": [
+        {
+          "version": "0.18.5",
+          "paths": [
+            ".>xlsx"
+          ]
+        }
+      ],
+      "found_by": null,
+      "deleted": null,
+      "references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2986\n- https://cdn.sheetjs.com\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6",
+      "created": "2023-04-24T09:30:19.000Z",
+      "id": 1108110,
+      "npm_advisory_id": null,
+      "overview": "All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained. Version 0.19.3 can be downloaded via https://cdn.sheetjs.com/.",
+      "reported_by": null,
+      "title": "Prototype Pollution in sheetJS",
+      "metadata": null,
+      "cves": [
+        "CVE-2023-30533"
+      ],
+      "access": "public",
+      "severity": "high",
+      "module_name": "xlsx",
+      "vulnerable_versions": "<0.19.3",
+      "github_advisory_id": "GHSA-4r6h-8v6p-xvw6",
+      "recommendation": "None",
+      "patched_versions": "<0.0.0",
+      "updated": "2025-09-19T15:23:41.000Z",
+      "cvss": {
+        "score": 7.8,
+        "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+      },
+      "cwe": [
+        "CWE-1321"
+      ],
+      "url": "https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"
+    },
+    "1108111": {
+      "findings": [
+        {
+          "version": "0.18.5",
+          "paths": [
+            ".>xlsx"
+          ]
+        }
+      ],
+      "found_by": null,
+      "deleted": null,
+      "references": "- https://nvd.nist.gov/vuln/detail/CVE-2024-22363\n- https://cdn.sheetjs.com/advisories/CVE-2024-22363\n- https://cwe.mitre.org/data/definitions/1333.html\n- https://git.sheetjs.com/sheetjs/sheetjs/src/tag/v0.20.2\n- https://cdn.sheetjs.com\n- https://github.com/advisories/GHSA-5pgg-2g8v-p4x9",
+      "created": "2024-04-05T06:30:46.000Z",
+      "id": 1108111,
+      "npm_advisory_id": null,
+      "overview": "SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of Service (ReDoS).\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained. Version 0.20.2 can be downloaded via https://cdn.sheetjs.com/.",
+      "reported_by": null,
+      "title": "SheetJS Regular Expression Denial of Service (ReDoS)",
+      "metadata": null,
+      "cves": [
+        "CVE-2024-22363"
+      ],
+      "access": "public",
+      "severity": "high",
+      "module_name": "xlsx",
+      "vulnerable_versions": "<0.20.2",
+      "github_advisory_id": "GHSA-5pgg-2g8v-p4x9",
+      "recommendation": "None",
+      "patched_versions": "<0.0.0",
+      "updated": "2025-09-19T15:23:26.000Z",
+      "cvss": {
+        "score": 7.5,
+        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+      },
+      "cwe": [
+        "CWE-1333"
+      ],
+      "url": "https://github.com/advisories/GHSA-5pgg-2g8v-p4x9"
+    }
+  },
+  "muted": [],
+  "metadata": {
+    "vulnerabilities": {
+      "info": 0,
+      "low": 0,
+      "moderate": 0,
+      "high": 2,
+      "critical": 0
+    },
+    "dependencies": 639,
+    "devDependencies": 0,
+    "optionalDependencies": 0,
+    "totalDependencies": 639
+  }
+}

frontend/src/api/admin/usage.ts

@@ -54,15 +54,21 @@ export async function list(
 
 /**
  * Get usage statistics with optional filters (admin only)
- * @param params - Query parameters (user_id, api_key_id, period/date range)
+ * @param params - Query parameters for filtering
  * @returns Usage statistics
  */
 export async function getStats(params: {
   user_id?: number
   api_key_id?: number
+  account_id?: number
+  group_id?: number
+  model?: string
+  stream?: boolean
+  billing_type?: number
   period?: string
   start_date?: string
   end_date?: string
+  timezone?: string
 }): Promise<AdminUsageStatsResponse> {
   const { data } = await apiClient.get<AdminUsageStatsResponse>('/admin/usage/stats', {
     params

frontend/src/api/client.ts

@@ -21,6 +21,15 @@ export const apiClient: AxiosInstance = axios.create({
 
 // ==================== Request Interceptor ====================
 
+// Get user's timezone
+const getUserTimezone = (): string => {
+  try {
+    return Intl.DateTimeFormat().resolvedOptions().timeZone
+  } catch {
+    return 'UTC'
+  }
+}
+
 apiClient.interceptors.request.use(
   (config: InternalAxiosRequestConfig) => {
     // Attach token from localStorage
@@ -34,6 +43,14 @@ apiClient.interceptors.request.use(
       config.headers['Accept-Language'] = getLocale()
     }
 
+    // Attach timezone for all GET requests (backend may use it for default date ranges)
+    if (config.method === 'get') {
+      if (!config.params) {
+        config.params = {}
+      }
+      config.params.timezone = getUserTimezone()
+    }
+
     return config
   },
   (error) => {

frontend/src/components/account/CreateAccountModal.vue

@@ -1012,7 +1012,7 @@
       </div>
 
       <!-- Temp Unschedulable Rules -->
-      <div class="border-t border-gray-200 pt-4 dark:border-dark-600">
+      <div class="border-t border-gray-200 pt-4 dark:border-dark-600 space-y-4">
         <div class="mb-3 flex items-center justify-between">
           <div>
             <label class="input-label mb-0">{{ t('admin.accounts.tempUnschedulable.title') }}</label>
@@ -1213,7 +1213,41 @@
           <p class="input-hint">{{ t('admin.accounts.priorityHint') }}</p>
         </div>
       </div>
+      <div class="border-t border-gray-200 pt-4 dark:border-dark-600">
+        <label class="input-label">{{ t('admin.accounts.expiresAt') }}</label>
+        <input v-model="expiresAtInput" type="datetime-local" class="input" />
+        <p class="input-hint">{{ t('admin.accounts.expiresAtHint') }}</p>
+      </div>
+
+      <div>
+        <div class="flex items-center justify-between">
+          <div>
+            <label class="input-label mb-0">{{
+              t('admin.accounts.autoPauseOnExpired')
+            }}</label>
+            <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
+              {{ t('admin.accounts.autoPauseOnExpiredDesc') }}
+            </p>
+          </div>
+          <button
+            type="button"
+            @click="autoPauseOnExpired = !autoPauseOnExpired"
+            :class="[
+              'relative inline-flex h-6 w-11 flex-shrink-0 cursor-pointer rounded-full border-2 border-transparent transition-colors duration-200 ease-in-out focus:outline-none focus:ring-2 focus:ring-primary-500 focus:ring-offset-2',
+              autoPauseOnExpired ? 'bg-primary-600' : 'bg-gray-200 dark:bg-dark-600'
+            ]"
+          >
+            <span
+              :class="[
+                'pointer-events-none inline-block h-5 w-5 transform rounded-full bg-white shadow ring-0 transition duration-200 ease-in-out',
+                autoPauseOnExpired ? 'translate-x-5' : 'translate-x-0'
+              ]"
+            />
+          </button>
+        </div>
+      </div>
 
+      <div class="border-t border-gray-200 pt-4 dark:border-dark-600">
         <!-- Mixed Scheduling (only for antigravity accounts) -->
         <div v-if="form.platform === 'antigravity'" class="flex items-center gap-2">
           <label class="flex cursor-pointer items-center gap-2">
@@ -1253,6 +1287,7 @@
           :mixed-scheduling="mixedScheduling"
           data-tour="account-form-groups"
         />
+      </div>
 
     </form>
 
@@ -1598,6 +1633,7 @@ import Icon from '@/components/icons/Icon.vue'
 import ProxySelector from '@/components/common/ProxySelector.vue'
 import GroupSelector from '@/components/common/GroupSelector.vue'
 import ModelWhitelistSelector from '@/components/account/ModelWhitelistSelector.vue'
+import { formatDateTimeLocalInput, parseDateTimeLocalInput } from '@/utils/format'
 import OAuthAuthorizationFlow from './OAuthAuthorizationFlow.vue'
 
 // Type for exposed OAuthAuthorizationFlow component
@@ -1713,6 +1749,7 @@ const customErrorCodesEnabled = ref(false)
 const selectedErrorCodes = ref<number[]>([])
 const customErrorCodeInput = ref<number | null>(null)
 const interceptWarmupRequests = ref(false)
+const autoPauseOnExpired = ref(true)
 const mixedScheduling = ref(false) // For antigravity accounts: enable mixed scheduling
 const tempUnschedEnabled = ref(false)
 const tempUnschedRules = ref<TempUnschedRuleForm[]>([])
@@ -1795,7 +1832,8 @@ const form = reactive({
   proxy_id: null as number | null,
   concurrency: 10,
   priority: 1,
-  group_ids: [] as number[]
+  group_ids: [] as number[],
+  expires_at: null as number | null
 })
 
 // Helper to check if current type needs OAuth flow
@@ -1805,6 +1843,13 @@ const isManualInputMethod = computed(() => {
   return oauthFlowRef.value?.inputMethod === 'manual'
 })
 
+const expiresAtInput = computed({
+  get: () => formatDateTimeLocal(form.expires_at),
+  set: (value: string) => {
+    form.expires_at = parseDateTimeLocal(value)
+  }
+})
+
 const canExchangeCode = computed(() => {
   const authCode = oauthFlowRef.value?.authCode || ''
   if (form.platform === 'openai') {
@@ -2055,6 +2100,7 @@ const resetForm = () => {
   form.concurrency = 10
   form.priority = 1
   form.group_ids = []
+  form.expires_at = null
   accountCategory.value = 'oauth-based'
   addMethod.value = 'oauth'
   apiKeyBaseUrl.value = 'https://api.anthropic.com'
@@ -2066,6 +2112,7 @@ const resetForm = () => {
   selectedErrorCodes.value = []
   customErrorCodeInput.value = null
   interceptWarmupRequests.value = false
+  autoPauseOnExpired.value = true
   tempUnschedEnabled.value = false
   tempUnschedRules.value = []
   geminiOAuthType.value = 'code_assist'
@@ -2133,7 +2180,6 @@ const handleSubmit = async () => {
   if (interceptWarmupRequests.value) {
     credentials.intercept_warmup_requests = true
   }
-
   if (!applyTempUnschedConfig(credentials)) {
     return
   }
@@ -2144,7 +2190,8 @@ const handleSubmit = async () => {
   try {
     await adminAPI.accounts.create({
       ...form,
-      group_ids: form.group_ids
+      group_ids: form.group_ids,
+      auto_pause_on_expired: autoPauseOnExpired.value
     })
     appStore.showSuccess(t('admin.accounts.accountCreated'))
     emit('created')
@@ -2182,6 +2229,9 @@ const handleGenerateUrl = async () => {
   }
 }
 
+const formatDateTimeLocal = formatDateTimeLocalInput
+const parseDateTimeLocal = parseDateTimeLocalInput
+
 // Create account and handle success/failure
 const createAccountAndFinish = async (
   platform: AccountPlatform,
@@ -2202,7 +2252,9 @@ const createAccountAndFinish = async (
     proxy_id: form.proxy_id,
     concurrency: form.concurrency,
     priority: form.priority,
-    group_ids: form.group_ids
+    group_ids: form.group_ids,
+    expires_at: form.expires_at,
+    auto_pause_on_expired: autoPauseOnExpired.value
   })
   appStore.showSuccess(t('admin.accounts.accountCreated'))
   emit('created')
@@ -2416,7 +2468,8 @@ const handleCookieAuth = async (sessionKey: string) => {
           extra,
           proxy_id: form.proxy_id,
           concurrency: form.concurrency,
-          priority: form.priority
+          priority: form.priority,
+          auto_pause_on_expired: autoPauseOnExpired.value
         })
 
         successCount++

frontend/src/components/account/EditAccountModal.vue

@@ -365,7 +365,7 @@
       </div>
 
       <!-- Temp Unschedulable Rules -->
-      <div class="border-t border-gray-200 pt-4 dark:border-dark-600">
+      <div class="border-t border-gray-200 pt-4 dark:border-dark-600 space-y-4">
         <div class="mb-3 flex items-center justify-between">
           <div>
             <label class="input-label mb-0">{{ t('admin.accounts.tempUnschedulable.title') }}</label>
@@ -565,7 +565,41 @@
           />
         </div>
       </div>
+      <div class="border-t border-gray-200 pt-4 dark:border-dark-600">
+        <label class="input-label">{{ t('admin.accounts.expiresAt') }}</label>
+        <input v-model="expiresAtInput" type="datetime-local" class="input" />
+        <p class="input-hint">{{ t('admin.accounts.expiresAtHint') }}</p>
+      </div>
 
+      <div>
+        <div class="flex items-center justify-between">
+          <div>
+            <label class="input-label mb-0">{{
+              t('admin.accounts.autoPauseOnExpired')
+            }}</label>
+            <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
+              {{ t('admin.accounts.autoPauseOnExpiredDesc') }}
+            </p>
+          </div>
+          <button
+            type="button"
+            @click="autoPauseOnExpired = !autoPauseOnExpired"
+            :class="[
+              'relative inline-flex h-6 w-11 flex-shrink-0 cursor-pointer rounded-full border-2 border-transparent transition-colors duration-200 ease-in-out focus:outline-none focus:ring-2 focus:ring-primary-500 focus:ring-offset-2',
+              autoPauseOnExpired ? 'bg-primary-600' : 'bg-gray-200 dark:bg-dark-600'
+            ]"
+          >
+            <span
+              :class="[
+                'pointer-events-none inline-block h-5 w-5 transform rounded-full bg-white shadow ring-0 transition duration-200 ease-in-out',
+                autoPauseOnExpired ? 'translate-x-5' : 'translate-x-0'
+              ]"
+            />
+          </button>
+        </div>
+      </div>
+
+      <div class="border-t border-gray-200 pt-4 dark:border-dark-600">
         <div>
           <label class="input-label">{{ t('common.status') }}</label>
           <Select v-model="form.status" :options="statusOptions" />
@@ -601,6 +635,7 @@
             </div>
           </div>
         </div>
+      </div>
 
       <!-- Group Selection - 仅标准模式显示 -->
       <GroupSelector
@@ -666,6 +701,7 @@ import Icon from '@/components/icons/Icon.vue'
 import ProxySelector from '@/components/common/ProxySelector.vue'
 import GroupSelector from '@/components/common/GroupSelector.vue'
 import ModelWhitelistSelector from '@/components/account/ModelWhitelistSelector.vue'
+import { formatDateTimeLocalInput, parseDateTimeLocalInput } from '@/utils/format'
 import {
   getPresetMappingsByPlatform,
   commonErrorCodes,
@@ -721,6 +757,7 @@ const customErrorCodesEnabled = ref(false)
 const selectedErrorCodes = ref<number[]>([])
 const customErrorCodeInput = ref<number | null>(null)
 const interceptWarmupRequests = ref(false)
+const autoPauseOnExpired = ref(false)
 const mixedScheduling = ref(false) // For antigravity accounts: enable mixed scheduling
 const tempUnschedEnabled = ref(false)
 const tempUnschedRules = ref<TempUnschedRuleForm[]>([])
@@ -771,7 +808,8 @@ const form = reactive({
   concurrency: 1,
   priority: 1,
   status: 'active' as 'active' | 'inactive',
-  group_ids: [] as number[]
+  group_ids: [] as number[],
+  expires_at: null as number | null
 })
 
 const statusOptions = computed(() => [
@@ -779,6 +817,13 @@ const statusOptions = computed(() => [
   { value: 'inactive', label: t('common.inactive') }
 ])
 
+const expiresAtInput = computed({
+  get: () => formatDateTimeLocal(form.expires_at),
+  set: (value: string) => {
+    form.expires_at = parseDateTimeLocal(value)
+  }
+})
+
 // Watchers
 watch(
   () => props.account,
@@ -791,10 +836,12 @@ watch(
       form.priority = newAccount.priority
       form.status = newAccount.status as 'active' | 'inactive'
       form.group_ids = newAccount.group_ids || []
+      form.expires_at = newAccount.expires_at ?? null
 
       // Load intercept warmup requests setting (applies to all account types)
       const credentials = newAccount.credentials as Record<string, unknown> | undefined
       interceptWarmupRequests.value = credentials?.intercept_warmup_requests === true
+      autoPauseOnExpired.value = newAccount.auto_pause_on_expired === true
 
       // Load mixed scheduling setting (only for antigravity accounts)
       const extra = newAccount.extra as Record<string, unknown> | undefined
@@ -1042,6 +1089,9 @@ function toPositiveNumber(value: unknown) {
   return Math.trunc(num)
 }
 
+const formatDateTimeLocal = formatDateTimeLocalInput
+const parseDateTimeLocal = parseDateTimeLocalInput
+
 // Methods
 const handleClose = () => {
   emit('close')
@@ -1057,6 +1107,10 @@ const handleSubmit = async () => {
     if (updatePayload.proxy_id === null) {
       updatePayload.proxy_id = 0
     }
+    if (form.expires_at === null) {
+      updatePayload.expires_at = 0
+    }
+    updatePayload.auto_pause_on_expired = autoPauseOnExpired.value
 
     // For apikey type, handle credentials update
     if (props.account.type === 'apikey') {
@@ -1097,7 +1151,6 @@ const handleSubmit = async () => {
       if (interceptWarmupRequests.value) {
         newCredentials.intercept_warmup_requests = true
       }
-
       if (!applyTempUnschedConfig(newCredentials)) {
         submitting.value = false
         return
@@ -1114,7 +1167,6 @@ const handleSubmit = async () => {
       } else {
         delete newCredentials.intercept_warmup_requests
       }
-
       if (!applyTempUnschedConfig(newCredentials)) {
         submitting.value = false
         return
@@ -1140,7 +1192,7 @@ const handleSubmit = async () => {
     emit('updated')
     handleClose()
   } catch (error: any) {
-    appStore.showError(error.response?.data?.detail || t('admin.accounts.failedToUpdate'))
+    appStore.showError(error.response?.data?.message || error.response?.data?.detail || t('admin.accounts.failedToUpdate'))
   } finally {
     submitting.value = false
   }

frontend/src/components/admin/account/AccountTableFilters.vue

@@ -7,15 +7,18 @@
       @update:model-value="$emit('update:searchQuery', $event)"
       @search="$emit('change')"
     />
-    <Select v-model="filters.platform" class="w-40" :options="pOpts" @change="$emit('change')" />
-    <Select v-model="filters.type" class="w-40" :options="tOpts" @change="$emit('change')" />
-    <Select v-model="filters.status" class="w-40" :options="sOpts" @change="$emit('change')" />
+    <Select :model-value="filters.platform" class="w-40" :options="pOpts" @update:model-value="updatePlatform" @change="$emit('change')" />
+    <Select :model-value="filters.type" class="w-40" :options="tOpts" @update:model-value="updateType" @change="$emit('change')" />
+    <Select :model-value="filters.status" class="w-40" :options="sOpts" @update:model-value="updateStatus" @change="$emit('change')" />
   </div>
 </template>
 
 <script setup lang="ts">
 import { computed } from 'vue'; import { useI18n } from 'vue-i18n'; import Select from '@/components/common/Select.vue'; import SearchInput from '@/components/common/SearchInput.vue'
-defineProps(['searchQuery', 'filters']); defineEmits(['update:searchQuery', 'change']); const { t } = useI18n()
+const props = defineProps(['searchQuery', 'filters']); const emit = defineEmits(['update:searchQuery', 'update:filters', 'change']); const { t } = useI18n()
+const updatePlatform = (value: string | number | boolean | null) => { emit('update:filters', { ...props.filters, platform: value }) }
+const updateType = (value: string | number | boolean | null) => { emit('update:filters', { ...props.filters, type: value }) }
+const updateStatus = (value: string | number | boolean | null) => { emit('update:filters', { ...props.filters, status: value }) }
 const pOpts = computed(() => [{ value: '', label: t('admin.accounts.allPlatforms') }, { value: 'anthropic', label: 'Anthropic' }, { value: 'openai', label: 'OpenAI' }, { value: 'gemini', label: 'Gemini' }, { value: 'antigravity', label: 'Antigravity' }])
 const tOpts = computed(() => [{ value: '', label: t('admin.accounts.allTypes') }, { value: 'oauth', label: t('admin.accounts.oauthType') }, { value: 'setup-token', label: t('admin.accounts.setupToken') }, { value: 'apikey', label: t('admin.accounts.apiKey') }])
 const sOpts = computed(() => [{ value: '', label: t('admin.accounts.allStatus') }, { value: 'active', label: t('admin.accounts.status.active') }, { value: 'inactive', label: t('admin.accounts.status.inactive') }, { value: 'error', label: t('admin.accounts.status.error') }])