GitLab

- Fix 7 stale comments still mentioning "限制检查" in handlers/services
- Make billingModelForRestriction explicitly list channel_mapped case
- Add slog.Warn for error swallowing in ResolveChannelMapping and
  needsUpstreamChannelRestrictionCheck
- Document sticky session upstream check exemption

Move the model pricing restriction check from 8 handler entry points
to the account scheduling phase (SelectAccountForModelWithExclusions /
SelectAccountWithLoadAwareness), aligning restriction with billing:

- requested: check original request model against pricing list
- channel_mapped: check channel-mapped model against pricing list
- upstream: per-account check using account-mapped model

Handler layer now only resolves channel mapping (no restriction).
Scheduling layer performs pre-check for requested/channel_mapped,
and per-account filtering for upstream billing source.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

b2e379cf 引入的 BufferedResponseAccumulator 已修复了 chat_completions
非流式路径和 responses OAuth 非流式路径，但遗漏了 Anthropic /v1/messages
非流式路径 (handleAnthropicBufferedStreamingResponse)。

当客户端请求 stream=false 且模型开启思考时，上游 response.completed
终态事件的 output 字段可能为空，实际 message 内容通过
response.output_text.delta 增量事件下发。旧代码只读终态事件的 Response，
导致客户端收到的 content 字段为空 ([{"type":"text"}])。

本 commit 将 b2e379cf 的相同修复模式镜像到 Anthropic 路径：在 SSE 扫描
过程中用 BufferedResponseAccumulator 累积 delta 内容，终态 output 为空
时通过 SupplementResponseOutput 补充重建。

同时修复 handleAnthropicBufferedStreamingResponse 遗漏 response.done
事件类型的问题，与 chat completions 路径保持一致，避免上游发送
response.done 时 handler 认不出终态事件、最终返回 502 的潜在问题。

BufferedResponseAccumulator 已在 chatcompletions_responses_test.go 有
完整单元测试覆盖（TextOnly/ToolCalls/Reasoning/Mixed/SupplementEmpty/
NoSupplementWhenOutputExists/EmptyDeltas/IgnoresNonFunctionCallItems），
本次复用相同累加器无需新增测试。

fix(payment): fix Alipay/Wxpay direct provider type mapping and enable cross-provider load balancing

Two issues fixed:

1. Alipay.SupportedTypes() returned ["alipay_direct"] and Wxpay returned
   ["wxpay_direct"], but the frontend sends payment_type="alipay"/"wxpay".
   The registry lookup failed with "payment method (alipay) is not
   configured". Fix: return the base types ["alipay"]/["wxpay"].

2. When multiple providers support the same payment type (e.g. EasyPay
   and Alipay direct both handle "alipay"), only the last-registered
   provider's instances were reachable — the registry mapped one type to
   one provider key, and SelectInstance queried by that single key.

   Fix: bypass the registry in invokeProvider and let SelectInstance
   query across all providers when providerKey is empty. The selected
   instance's own ProviderKey (now included in InstanceSelection) is
   used to create the correct provider, enabling true cross-provider
   load balancing.

Closes #1592

When an Anthropic API key's credit balance is depleted, the upstream
returns HTTP 400 with message containing "credit balance". Previously,
the 400 handler only checked for "organization has been disabled",
so credit-exhausted accounts kept being scheduled — every request
returned the same error.

Treat this case identically to 402 (Payment Required): call
handleAuthError → SetError to stop scheduling the account until
an admin manually recovers it after topping up credits.

Closes #1586

在前一个 commit 的 isResponsesShape 短路路径基础上,补充对 Cursor 云端
带过来的、Codex 上游统一不支持的顶层 Responses API 参数的剥离:

  - prompt_cache_retention
  - safety_identifier
  - metadata
  - stream_options

根因补充:这条 raw-body 透传路径为了保留 Cursor 的 input 数组整体结构,
不再经过 ChatCompletionsRequest 的反序列化过滤,所以这些 Go 结构体里
没有对应字段的参数会被原样发到上游,上游返回:
    Unsupported parameter: <field>
常规 Chat Completions 转换路径天然通过 ChatCompletionsRequest 丢弃未知字段,
不受影响;此处仅在 isResponsesShape 分支内用 sjson.DeleteBytes 显式过滤,
作用域最小。剥离列表与 openai_gateway_service.go:2034 的
unsupportedFields 语义对齐。

另外在 applyCodexOAuthTransform 的 OAuth 兜底 strip 列表里同步追加
prompt_cache_retention,作为对该函数所有其他 OAuth 调用点的 defense
in depth(当前只有 Cursor 路径的短路已在前面剥过,但保留这一层更稳)。

测试:
- TestCursorMixedShape_StripsUnsupportedFields — 验证所有 4 个字段都被剥
- TestApplyCodexOAuthTransform_StripsPromptCacheRetention — OAuth 兜底路径
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Cursor 云端 (User-Agent: Go-http-client/2.0) 发往 /v1/chat/completions 的
body 使用 Responses API 格式:
    {"model":"gpt-5.4","input":[{"role":"system","content":"..."}],"stream":true}

原代码用 ChatCompletionsRequest 反序列化,该结构体没有 Input 字段,
Cursor 的 input 数组被静默丢弃,ChatCompletionsToResponses 转换后产出
input: null,Codex 上游以 "Invalid type for 'input': expected a string,
but got an object" 拒绝请求(上游 typeof null === 'object')。

修复:在 ForwardAsChatCompletions 里用 gjson 检测 body shape,当 input
存在且 messages 缺失时,跳过 Chat→Responses 转换,用 sjson 仅改写 model
字段后原样透传 body。billing 所需的 ServiceTier 和 Reasoning.Effort 通过
gjson 从 raw body 提取,下游 codex OAuth transform 路径保持不变。

测试:新增 openai_cursor_warmup_pipeline_test.go,覆盖 5 个 shape 检测
用例(正向/标准请求不误伤/两字段共存/空 body/JSON 回读)。
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Backend:
- Parse EasyPay `payurl2` field, prefer H5 link on mobile
- Add `device=mobile` to EasyPay submit.php (popup) mode
- Expand isMobile detection keywords (add ipad/ipod)

Frontend:
- Add `isMobileDevice()` utility (userAgentData + UA regex)
- Mobile + pay_url: direct redirect instead of QR/popup
- Popup blocked fallback: auto-redirect when window.open fails
- Stripe WeChat Pay: dynamic client param (mobile_web vs web)

Backend:
- Split payment_order.go (546→314 lines) into payment_order_lifecycle.go
- Replace magic strings with constants in factory, easypay, webhook handler
- Add rate limit/validity unit constants in payment_order_lifecycle, payment_service
- Fix critical regression: add PaymentEnabled to GetPublicSettings response
- Add missing migration 099_fix_migrated_purchase_menu_label_icon.sql

Frontend:
- Fix StripePopupView.vue: replace `as any` with typed interface, use extractApiErrorMessage
- Fix AdminOrderTable.vue: replace hardcoded column labels with i18n t() calls
- Fix SubscriptionsView.vue: replace hardcoded Today/Tomorrow with i18n
- Extract duplicate statusBadgeClass/canRefund/formatOrderDateTime to orderUtils.ts
- Add missing i18n keys: common.today, common.tomorrow, payment.orders.orderType/actions
- Remove dead PurchaseSubscriptionView.vue (replaced by PaymentView)

Add a full payment and subscription system supporting EasyPay (Alipay/WeChat),
Stripe, and direct Alipay/WeChat Pay providers with multi-instance load balancing.

LoadFactor 字段在构建调度快照缓存时缺失，导致调度算法
EffectiveLoadFactor() 无法使用配置的负载因子，回退到 Concurrency。
这会影响账号的负载率计算，进而影响调度优先级。

修复：在 buildSchedulerMetadataAccount 中添加 LoadFactor 字段。

10KB is too aggressive for modern LLM API requests where conversation
context routinely exceeds 1MB. This causes error logs to contain only
a minimal placeholder, making it impossible to debug upstream failures.

256KB retains enough context for effective debugging while the existing
multi-pass trimming logic handles larger payloads gracefully.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Suppress errcheck for xxhash Digest.Write (never returns error)
- Add enable_cch_signing field to settings API contract test

- Sync cc_version in x-anthropic-billing-header with the fingerprint
  User-Agent version, preserving the message-derived suffix
- Implement xxHash64-based CCH signing to replace the cch=00000
  placeholder with a computed hash
- Add admin toggle (enable_cch_signing) under gateway forwarding settings,
  disabled by default

commit f3aa54b7 的 rewriteSystemForNonClaudeCode 未能通过 Anthropic 第三方检测，
根因是两个关键信号与真实 Claude Code 不一致：

1. anthropic-beta 头缺少 claude-code-20250219：伪装路径主动将该 beta
   加入 drop set 并移除，但 Anthropic 依赖此 beta 识别 Claude Code 请求。
   修复：非 haiku 模型的伪装请求强制包含 claude-code beta。

2. system 字段使用 string 格式而非 array+cache_control：真实 Claude Code
   始终以 [{type,text,cache_control:{type:"ephemeral"}}] 发送 system，
   string 格式成为第三方检测信号。
   修复：rewriteSystemForNonClaudeCode 改为注入 array 格式。

附带调整：stripSystemCacheControl 按 system 是否被重写动态决定，
重写时保留 CC prompt 的 cache_control，未重写时（haiku/已含CC前缀）
保持原有剥离行为。

当上游返回SSE格式响应(如sub2api链路)时，API Key账号的非流式路径
未检测SSE，导致终态事件中空output直接透传给客户端。

- 将Content-Type SSE检测从仅OAuth扩展至所有账号类型
- 重命名handleOAuthSSEToJSON为handleSSEToJSON（无OAuth专属逻辑）
- 为透传路径新增handlePassthroughSSEToJSON，支持SSE转JSON及空output重建
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

上游API近期更新后，response.completed终态SSE事件的output字段可能为空，
实际内容仅通过response.output_text.delta等增量事件下发。流式路径不受影响，
但chat_completions非流式路径和responses OAuth非流式路径只依赖终态事件的
output，导致返回空响应。

新增BufferedResponseAccumulator累积器，在SSE扫描过程中收集delta事件内容
（文本、function_call、reasoning），当终态output为空时补充重建。

同时修复handleChatBufferedStreamingResponse遗漏response.done事件类型的问题。

Anthropic近期引入基于system参数内容的第三方应用检测机制，原有的前置追加
Claude Code提示词策略无法通过检测（后续内容仍为非Claude Code格式触发429）。

新策略：对非Claude Code客户端的OAuth/SetupToken账号请求，将system字段
完整替换为Claude Code标识提示词，原始system内容作为user/assistant消息对
注入messages开头，模型仍接收完整指令。

仅影响/v1/messages路径，chat_completions和responses路径保持原有逻辑不变。
真正的Claude Code客户端请求完全不受影响（原样透传）。