GitLab

Cherry-picked from release/custom-0.1.106: a9117600

Allow redeem codes with negative values to enable refund scenarios:
- Balance: negative value deducts balance (clamped to 0, never negative)
- Concurrency: negative value reduces concurrency (clamped to 0)
- Subscription: negative validity_days reduces remaining days; if
  remaining days <= 0, the subscription is canceled (set to expired)

All deductions generate standard redeem code records for audit trail.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

从 /backend-api/accounts/check 的 entitlement.expires_at 提取订阅
到期日期，每次 token 刷新时更新并存入 credentials，前端账号列表
的订阅类型和隐私下方以灰色小字显示（仅非 Free 账号）。
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

1. CreateAccount 补齐 OpenAI OAuth 隐私入口（与 BatchCreate 对齐）
2. disableOpenAITraining 请求头修正：覆盖 ImpersonateChrome() 的
   浏览器导航默认头（accept: text/html, sec-fetch-mode: navigate），
   改为 API 请求语义（Accept: application/json, sec-fetch-mode: cors），
   避免 Cloudflare 将 PATCH API 请求误判为异常导航流量而拦截
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Prevents token silent expiry during 7-day rate limit periods.

Made-with: Cursor

- ratelimit_service: detect non-standard OpenAI 401 format and permanently disable account
- account_test_service: mark account error on 401 during connection test

Made-with: Cursor

账号订阅类型可能每月变化，id_token 中的 plan_type 是签发时的快照，
不一定反映当前状态。移除 plan_type == "" 前置条件，确保每次刷新都
调用 ChatGPT backend-api 获取实时订阅类型并覆盖旧值。
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- refreshSingleAccount ProjectIDMissing 提前返回前补上 EnsureAntigravityPrivacy 调用
- EnsureAntigravityPrivacy 跳过条件从"有任何值"改为"仅 privacy_set 成功时跳过"，
  privacy_set_failed 允许重试，对齐 OpenAI shouldSkipOpenAIPrivacyEnsure 的行为
- 后台 TokenRefreshService.ensureAntigravityPrivacy 同步修改
- ExchangeCode/ValidateRefreshToken 获得令牌后立即调用 setAntigravityPrivacy，
  不依赖后续账号创建流程

Made-with: Cursor

- buffer 公式从 baseRPM/5 改为 concurrency + maxSessions
  保留 baseRPM/5 作为 floor 向后兼容
- 粘性路径 fallback 新增 [StickyCacheMiss] 结构化日志
  reason: rpm_red / gate_check / session_limit / wait_queue_full / account_cleared
- session_limit 路径跳过 wait queue 重试（RegisterSession 拒绝无副作用）
- 典型配置 buffer 从 3 提升至 13，大幅减少高峰期 Prompt Cache Miss
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

为 OpenAI/Antigravity/Anthropic/Gemini 分组新增两个布尔控制字段：
- require_oauth_only: 创建/更新账号绑定分组时拒绝 apikey 类型加入
- require_privacy_set: 调度选号时跳过 privacy 未成功设置的账号并标记 error

后端：Ent schema 新增字段 + 迁移、Group CRUD 全链路透传、
      gateway_service 与 openai_account_scheduler 两套调度路径过滤
前端：创建/编辑表单 toggle 开关（OpenAI/Antigravity/Anthropic/Gemini 平台可见）
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- token_refresh: 不可重试错误和重试耗尽两条路径添加 ensureAntigravityPrivacy
- admin_service: CreateAccount 为 Antigravity OAuth 账号异步设置隐私
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Anthropic compat requests normalize reasoning suffixes before forwarding, but the account mapping step was still using the raw request model. Resolve billing and upstream models from the normalized compat model so explicit account mappings win over fallback defaults.

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent

)
Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>

使用 sync.Once 包裹 close(stopCh)，避免多次调用 Stop() 时
触发 panic: close of closed channel。

当账号配置了模型映射（如 claude-sonnet-4-6 → glm-5.0）时，系统错误地
使用映射后的上游模型名计算费用。由于上游模型（如 glm-5.0）在定价系统中
没有价格配置，导致计费失败后被静默置为 0，用户不被扣费。

修改 forwardResultBillingModel 优先返回请求模型名，并移除 OpenAI 路径
中 BillingModel 字段对计费模型的覆盖逻辑。

Replace charset→base64url double-encoding with standard random
bytes→base64url approach to match official client behavior and avoid
risk control detection.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Align OAuth scopes with upstream Claude Code client which now includes
the user:file_upload scope for file upload support.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Cover isAntigravityInternalServerError body matching,
applyInternal500Penalty tier escalation, handleInternal500RetryExhausted
nil-safety and error handling, and resetInternal500Counter paths.

Move constants, detection, and penalty functions from
antigravity_gateway_service.go to antigravity_internal500_penalty.go.
Fix gofmt alignment and replace hardcoded duration strings with
constant references.

Move the reset logic after urlFallbackLoop so it covers both direct
success and smart retry (429/503) success paths.

When an antigravity account returns 500 "Internal error encountered."
on all 3 retry attempts, increment a Redis counter and apply escalating
penalties:
- 1st round: temp unschedulable 10 minutes
- 2nd round: temp unschedulable 10 hours
- 3rd round: permanently mark as error

Counter resets on any successful response (< 400).

injectClaudeCodePrompt 和 systemIncludesClaudeCodePrompt 的 type switch
无法匹配 json.RawMessage 类型（Go typed nil 陷阱），导致 ForwardAsResponses
和 ForwardAsChatCompletions 路径中用户 system prompt 被替换为仅 Claude Code
banner。新增 normalizeSystemParam 将 json.RawMessage 转为标准 Go 类型。
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

参照 Antigravity 的模式，单个创建时同步调用 ForceOpenAIPrivacy，
批量创建时收集 OpenAI OAuth 账号后异步 goroutine 设置，避免阻塞请求。
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

刷新失败不代表 access_token 无效，在后台定时刷新（不可重试错误 +
重试耗尽）和前端批量/单次刷新的失败路径中，均利用可能仍有效的
access_token 调用隐私设置。
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>