chore: sync VERSION file with release v1.1.246 [skip ci]

fix: 修复PR #814 遗留bug
chore: sync VERSION file with release v1.1.245 [skip ci]
2026-01-22 16:43:35 +00:00 · 2025-12-26 07:48:03 +00:00 · 2025-12-26 15:47:45 +08:00 · 2025-12-26 06:57:35 +00:00 · 2025-12-26 14:57:14 +08:00 · 2025-12-26 06:39:48 +00:00
70 changed files with 10148 additions and 395 deletions
--- a/.env.example
+++ b/.env.example
@@ -33,6 +33,41 @@ CLAUDE_API_URL=https://api.anthropic.com/v1/messages
 CLAUDE_API_VERSION=2023-06-01
 CLAUDE_BETA_HEADER=claude-code-20250219,oauth-2025-04-20,interleaved-thinking-2025-05-14,fine-grained-tool-streaming-2025-05-14

+# 🤖 Gemini OAuth / Antigravity 配置（可选）
+# 不配置时使用内置默认值；如需自定义或避免在代码中出现 client secret，可在此覆盖
+# GEMINI_OAUTH_CLIENT_ID=
+# GEMINI_OAUTH_CLIENT_SECRET=
+# Gemini CLI OAuth redirect_uri（可选，默认 https://codeassist.google.com/authcode）
+# GEMINI_OAUTH_REDIRECT_URI=
+# ANTIGRAVITY_OAUTH_CLIENT_ID=
+# ANTIGRAVITY_OAUTH_CLIENT_SECRET=
+# Antigravity OAuth redirect_uri（可选，默认 http://localhost:45462；用于避免 redirect_uri_mismatch）
+# ANTIGRAVITY_OAUTH_REDIRECT_URI=http://localhost:45462
+# Antigravity 上游地址（可选，默认 sandbox）
+# ANTIGRAVITY_API_URL=https://daily-cloudcode-pa.sandbox.googleapis.com
+# Antigravity User-Agent（可选）
+# ANTIGRAVITY_USER_AGENT=antigravity/1.11.3 windows/amd64
+
+# Claude Code（Anthropic Messages API）路由分流（无需额外环境变量）：
+# - /api             -> Claude 账号池（默认）
+# - /antigravity/api  -> Antigravity OAuth
+# - /gemini-cli/api   -> Gemini CLI OAuth
+
+# （可选）Claude Code 调试 Dump：会在项目根目录写入 jsonl 文件，便于排查 tools/schema/回包问题
+# - anthropic-requests-dump.jsonl
+# - anthropic-responses-dump.jsonl
+# - anthropic-tools-dump.jsonl
+# ANTHROPIC_DEBUG_REQUEST_DUMP=true
+# ANTHROPIC_DEBUG_REQUEST_DUMP_MAX_BYTES=2097152
+# ANTHROPIC_DEBUG_RESPONSE_DUMP=true
+# ANTHROPIC_DEBUG_RESPONSE_DUMP_MAX_BYTES=2097152
+# ANTHROPIC_DEBUG_TOOLS_DUMP=true
+#
+# （可选）Antigravity 上游请求 Dump：会在项目根目录写入 jsonl 文件，便于核对最终发往上游的 payload（含 tools/schema 清洗后的结果）
+# - antigravity-upstream-requests-dump.jsonl
+# ANTIGRAVITY_DEBUG_UPSTREAM_REQUEST_DUMP=true
+# ANTIGRAVITY_DEBUG_UPSTREAM_REQUEST_DUMP_MAX_BYTES=2097152
+
 # 🚫 529错误处理配置
 # 启用529错误处理，0表示禁用，>0表示过载状态持续时间（分钟）
 CLAUDE_OVERLOAD_HANDLING_MINUTES=0
@@ -131,3 +166,7 @@ DEFAULT_USER_ROLE=user
 USER_SESSION_TIMEOUT=86400000
 MAX_API_KEYS_PER_USER=1
 ALLOW_USER_DELETE_API_KEYS=false
+
+# Pass through incoming OpenAI-format system prompts to Claude.
+# Enable this when using generic OpenAI-compatible clients (e.g. MineContext) that rely on system prompts.
+# CRS_PASSTHROUGH_SYSTEM_PROMPT=true
--- a/README.md
+++ b/README.md
@@ -1,5 +1,10 @@
 # Claude Relay Service

+> [!CAUTION]
+> **安全更新通知**：v1.1.240 及以下版本存在严重的管理员认证绕过漏洞，攻击者可未授权访问管理面板。
+>
+> **请立即更新到 v1.1.241+ 版本**，或迁移到新一代项目 **[CRS 2.0 (sub2api)](https://github.com/Wei-Shaw/sub2api)**
+
 <div align="center">

 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
@@ -389,13 +394,31 @@ docker-compose.yml 已包含：

 **Claude Code 设置环境变量：**

-默认使用标准 Claude 账号池：
+默认使用标准 Claude 账号池（Claude/Console/Bedrock/CCR）：

 ```bash
 export ANTHROPIC_BASE_URL="http://127.0.0.1:3000/api/" # 根据实际填写你服务器的ip地址或者域名
 export ANTHROPIC_AUTH_TOKEN="后台创建的API密钥"
 ```

+如果希望 Claude Code 通过 Anthropic 协议直接使用 Gemini OAuth 账号池（路径分流，不需要在模型名里加前缀）：
+
+Antigravity OAuth（支持 `claude-opus-4-5` 等 Antigravity 模型）：
+
+```bash
+export ANTHROPIC_BASE_URL="http://127.0.0.1:3000/antigravity/api/"
+export ANTHROPIC_AUTH_TOKEN="后台创建的API密钥（permissions 需要是 all 或 gemini）"
+export ANTHROPIC_MODEL="claude-opus-4-5"
+```
+
+Gemini CLI OAuth（使用 Gemini 模型）：
+
+```bash
+export ANTHROPIC_BASE_URL="http://127.0.0.1:3000/gemini-cli/api/"
+export ANTHROPIC_AUTH_TOKEN="后台创建的API密钥（permissions 需要是 all 或 gemini）"
+export ANTHROPIC_MODEL="gemini-2.5-pro"
+```
+
 **VSCode Claude 插件配置：**

 如果使用 VSCode 的 Claude 插件，需要在 `~/.claude/config.json` 文件中配置：
--- a/README_EN.md
+++ b/README_EN.md
@@ -1,5 +1,10 @@
 # Claude Relay Service

+> [!CAUTION]
+> **Security Update**: v1.1.240 and below contain a critical admin authentication bypass vulnerability allowing unauthorized access to the admin panel.
+>
+> **Please update to v1.1.241+ immediately**, or migrate to the next-generation project **[CRS 2.0 (sub2api)](https://github.com/Wei-Shaw/sub2api)**
+
 <div align="center">

 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
@@ -238,13 +243,31 @@ Now you can replace the official API with your own service:

 **Claude Code Set Environment Variables:**

-Default uses standard Claude account pool:
+Default uses standard Claude account pool (Claude/Console/Bedrock/CCR):

 ```bash
 export ANTHROPIC_BASE_URL="http://127.0.0.1:3000/api/" # Fill in your server's IP address or domain
 export ANTHROPIC_AUTH_TOKEN="API key created in the backend"
 ```

+If you want Claude Code to use Gemini OAuth accounts via the Anthropic protocol (path-based routing, no vendor prefix in `model`):
+
+Antigravity OAuth (supports `claude-opus-4-5` and other Antigravity models):
+
+```bash
+export ANTHROPIC_BASE_URL="http://127.0.0.1:3000/antigravity/api/"
+export ANTHROPIC_AUTH_TOKEN="API key created in the backend (permissions must be all or gemini)"
+export ANTHROPIC_MODEL="claude-opus-4-5"
+```
+
+Gemini CLI OAuth (Gemini models):
+
+```bash
+export ANTHROPIC_BASE_URL="http://127.0.0.1:3000/gemini-cli/api/"
+export ANTHROPIC_AUTH_TOKEN="API key created in the backend (permissions must be all or gemini)"
+export ANTHROPIC_MODEL="gemini-2.5-pro"
+```
+
 **VSCode Claude Plugin Configuration:**

 If using VSCode Claude plugin, configure in `~/.claude/config.json`:
@@ -604,4 +627,4 @@ This project uses the [MIT License](LICENSE).

 **🤝 Feel free to submit Issues for problems, welcome PRs for improvement suggestions**

-</div>
+</div>
--- a/2
+++ b/2
@@ -1 +1 @@
-1.1.239
+1.1.246
--- a/config/config.example.js
+++ b/config/config.example.js
@@ -205,6 +205,14 @@ const config = {
    hotReload: process.env.HOT_RELOAD === 'true'
  },

+  // 💰 账户余额相关配置
+  accountBalance: {
+    // 是否允许执行自定义余额脚本（安全开关）
+    // 说明：脚本能力可发起任意 HTTP 请求并在服务端执行 extractor 逻辑，建议仅在受控环境开启
+    // 默认保持开启；如需禁用请显式设置：BALANCE_SCRIPT_ENABLED=false
+    enableBalanceScript: process.env.BALANCE_SCRIPT_ENABLED !== 'false'
+  },
+
  // 📬 用户消息队列配置
  // 优化说明：锁在请求发送成功后立即释放（而非请求完成后），因为 Claude API 限流基于请求发送时刻计算
  userMessageQueue: {
--- a/src/app.js
+++ b/src/app.js
@@ -52,6 +52,16 @@ class Application {
      await redis.connect()
      logger.success('✅ Redis connected successfully')

+      // 💳 初始化账户余额查询服务（Provider 注册）
+      try {
+        const accountBalanceService = require('./services/accountBalanceService')
+        const { registerAllProviders } = require('./services/balanceProviders')
+        registerAllProviders(accountBalanceService)
+        logger.info('✅ 账户余额查询服务已初始化')
+      } catch (error) {
+        logger.warn('⚠️ 账户余额查询服务初始化失败:', error.message)
+      }
+
      // 💰 初始化价格服务
      logger.info('🔄 Initializing pricing service...')
      await pricingService.initialize()
@@ -68,6 +78,10 @@ class Application {
      logger.info('🔄 Initializing admin credentials...')
      await this.initializeAdmin()

+      // 🔒 安全启动：清理无效/伪造的管理员会话
+      logger.info('🔒 Cleaning up invalid admin sessions...')
+      await this.cleanupInvalidSessions()
+
      // 💰 初始化费用数据
      logger.info('💰 Checking cost data initialization...')
      const costInitService = require('./services/costInitService')
@@ -264,6 +278,25 @@ class Application {
      this.app.use('/api', apiRoutes)
      this.app.use('/api', unifiedRoutes) // 统一智能路由（支持 /v1/chat/completions 等）
      this.app.use('/claude', apiRoutes) // /claude 路由别名，与 /api 功能相同
+      // Anthropic (Claude Code) 路由：按路径强制分流到 Gemini OAuth 账户
+      // - /antigravity/api/v1/messages -> Antigravity OAuth
+      // - /gemini-cli/api/v1/messages -> Gemini CLI OAuth
+      this.app.use(
+        '/antigravity/api',
+        (req, res, next) => {
+          req._anthropicVendor = 'antigravity'
+          next()
+        },
+        apiRoutes
+      )
+      this.app.use(
+        '/gemini-cli/api',
+        (req, res, next) => {
+          req._anthropicVendor = 'gemini-cli'
+          next()
+        },
+        apiRoutes
+      )
      this.app.use('/admin', adminRoutes)
      this.app.use('/users', userRoutes)
      // 使用 web 路由（包含 auth 和页面重定向）
@@ -426,6 +459,54 @@ class Application {
    }
  }

+  // 🔒 清理无效/伪造的管理员会话（安全启动检查）
+  async cleanupInvalidSessions() {
+    try {
+      const client = redis.getClient()
+
+      // 获取所有 session:* 键
+      const sessionKeys = await client.keys('session:*')
+
+      let validCount = 0
+      let invalidCount = 0
+
+      for (const key of sessionKeys) {
+        // 跳过 admin_credentials（系统凭据）
+        if (key === 'session:admin_credentials') {
+          continue
+        }
+
+        const sessionData = await client.hgetall(key)
+
+        // 检查会话完整性：必须有 username 和 loginTime
+        const hasUsername = !!sessionData.username
+        const hasLoginTime = !!sessionData.loginTime
+
+        if (!hasUsername || !hasLoginTime) {
+          // 无效会话 - 可能是漏洞利用创建的伪造会话
+          invalidCount++
+          logger.security(
+            `🔒 Removing invalid session: ${key} (username: ${hasUsername}, loginTime: ${hasLoginTime})`
+          )
+          await client.del(key)
+        } else {
+          validCount++
+        }
+      }
+
+      if (invalidCount > 0) {
+        logger.security(`🔒 Startup security check: Removed ${invalidCount} invalid sessions`)
+      }
+
+      logger.success(
+        `✅ Session cleanup completed: ${validCount} valid, ${invalidCount} invalid removed`
+      )
+    } catch (error) {
+      // 清理失败不应阻止服务启动
+      logger.error('❌ Failed to cleanup invalid sessions:', error.message)
+    }
+  }
+
  // 🔍 Redis健康检查
  async checkRedisHealth() {
    try {
--- a/src/handlers/geminiHandlers.js
+++ b/src/handlers/geminiHandlers.js
@@ -9,6 +9,7 @@ const logger = require('../utils/logger')
 const geminiAccountService = require('../services/geminiAccountService')
 const geminiApiAccountService = require('../services/geminiApiAccountService')
 const { sendGeminiRequest, getAvailableModels } = require('../services/geminiRelayService')
+const { sendAntigravityRequest } = require('../services/antigravityRelayService')
 const crypto = require('crypto')
 const sessionHelper = require('../utils/sessionHelper')
 const unifiedGeminiScheduler = require('../services/unifiedGeminiScheduler')
@@ -86,8 +87,7 @@ function generateSessionHash(req) {
 * 检查 API Key 权限
 */
 function checkPermissions(apiKeyData, requiredPermission = 'gemini') {
-  const permissions = apiKeyData?.permissions || 'all'
-  return permissions === 'all' || permissions === requiredPermission
+  return apiKeyService.hasPermission(apiKeyData?.permissions, requiredPermission)
 }

 /**
@@ -508,20 +508,37 @@ async function handleMessages(req, res) {
      // OAuth 账户：使用现有的 sendGeminiRequest
      // 智能处理项目ID：优先使用配置的 projectId，降级到临时 tempProjectId
      const effectiveProjectId = account.projectId || account.tempProjectId || null
+      const oauthProvider = account.oauthProvider || 'gemini-cli'

-      geminiResponse = await sendGeminiRequest({
-        messages,
-        model,
-        temperature,
-        maxTokens: max_tokens,
-        stream,
-        accessToken: account.accessToken,
-        proxy: account.proxy,
-        apiKeyId: apiKeyData.id,
-        signal: abortController.signal,
-        projectId: effectiveProjectId,
-        accountId: account.id
-      })
+      if (oauthProvider === 'antigravity') {
+        geminiResponse = await sendAntigravityRequest({
+          messages,
+          model,
+          temperature,
+          maxTokens: max_tokens,
+          stream,
+          accessToken: account.accessToken,
+          proxy: account.proxy,
+          apiKeyId: apiKeyData.id,
+          signal: abortController.signal,
+          projectId: effectiveProjectId,
+          accountId: account.id
+        })
+      } else {
+        geminiResponse = await sendGeminiRequest({
+          messages,
+          model,
+          temperature,
+          maxTokens: max_tokens,
+          stream,
+          accessToken: account.accessToken,
+          proxy: account.proxy,
+          apiKeyId: apiKeyData.id,
+          signal: abortController.signal,
+          projectId: effectiveProjectId,
+          accountId: account.id
+        })
+      }
    }

    if (stream) {
@@ -754,8 +771,16 @@ async function handleModels(req, res) {
        ]
      }
    } else {
-      // OAuth 账户：使用 OAuth token 获取模型列表
-      models = await getAvailableModels(account.accessToken, account.proxy)
+      // OAuth 账户：根据 OAuth provider 选择上游
+      const oauthProvider = account.oauthProvider || 'gemini-cli'
+      models =
+        oauthProvider === 'antigravity'
+          ? await geminiAccountService.fetchAvailableModelsAntigravity(
+              account.accessToken,
+              account.proxy,
+              account.refreshToken
+            )
+          : await getAvailableModels(account.accessToken, account.proxy)
    }

    res.json({
@@ -927,7 +952,8 @@ function handleSimpleEndpoint(apiMethod) {
      const client = await geminiAccountService.getOauthClient(
        accessToken,
        refreshToken,
-        proxyConfig
+        proxyConfig,
+        account.oauthProvider
      )

      // 直接转发请求体，不做特殊处理
@@ -1006,7 +1032,12 @@ async function handleLoadCodeAssist(req, res) {
    // 解析账户的代理配置
    const proxyConfig = parseProxyConfig(account)

-    const client = await geminiAccountService.getOauthClient(accessToken, refreshToken, proxyConfig)
+    const client = await geminiAccountService.getOauthClient(
+      accessToken,
+      refreshToken,
+      proxyConfig,
+      account.oauthProvider
+    )

    // 智能处理项目ID
    const effectiveProjectId = projectId || cloudaicompanionProject || null
@@ -1104,7 +1135,12 @@ async function handleOnboardUser(req, res) {
    // 解析账户的代理配置
    const proxyConfig = parseProxyConfig(account)

-    const client = await geminiAccountService.getOauthClient(accessToken, refreshToken, proxyConfig)
+    const client = await geminiAccountService.getOauthClient(
+      accessToken,
+      refreshToken,
+      proxyConfig,
+      account.oauthProvider
+    )

    // 智能处理项目ID
    const effectiveProjectId = projectId || cloudaicompanionProject || null
@@ -1256,7 +1292,8 @@ async function handleCountTokens(req, res) {
      const client = await geminiAccountService.getOauthClient(
        accessToken,
        refreshToken,
-        proxyConfig
+        proxyConfig,
+        account.oauthProvider
      )
      response = await geminiAccountService.countTokens(client, contents, model, proxyConfig)
    }
@@ -1366,13 +1403,20 @@ async function handleGenerateContent(req, res) {
    // 解析账户的代理配置
    const proxyConfig = parseProxyConfig(account)

-    const client = await geminiAccountService.getOauthClient(accessToken, refreshToken, proxyConfig)
+    const client = await geminiAccountService.getOauthClient(
+      accessToken,
+      refreshToken,
+      proxyConfig,
+      account.oauthProvider
+    )

    // 智能处理项目ID：优先使用配置的 projectId，降级到临时 tempProjectId
    let effectiveProjectId = account.projectId || account.tempProjectId || null

+    const oauthProvider = account.oauthProvider || 'gemini-cli'
+
    // 如果没有任何项目ID，尝试调用 loadCodeAssist 获取
-    if (!effectiveProjectId) {
+    if (!effectiveProjectId && oauthProvider !== 'antigravity') {
      try {
        logger.info('📋 No projectId available, attempting to fetch from loadCodeAssist...')
        const loadResponse = await geminiAccountService.loadCodeAssist(client, null, proxyConfig)
@@ -1388,6 +1432,12 @@ async function handleGenerateContent(req, res) {
      }
    }

+    if (!effectiveProjectId && oauthProvider === 'antigravity') {
+      // Antigravity 账号允许没有 projectId：生成一个稳定的临时 projectId 并缓存
+      effectiveProjectId = `ag-${crypto.randomUUID().replace(/-/g, '').slice(0, 16)}`
+      await geminiAccountService.updateTempProjectId(accountId, effectiveProjectId)
+    }
+
    // 如果还是没有项目ID，返回错误
    if (!effectiveProjectId) {
      return res.status(403).json({
@@ -1410,14 +1460,24 @@ async function handleGenerateContent(req, res) {
          : '从loadCodeAssist获取'
    })

-    const response = await geminiAccountService.generateContent(
-      client,
-      { model, request: actualRequestData },
-      user_prompt_id,
-      effectiveProjectId,
-      req.apiKey?.id,
-      proxyConfig
-    )
+    const response =
+      oauthProvider === 'antigravity'
+        ? await geminiAccountService.generateContentAntigravity(
+            client,
+            { model, request: actualRequestData },
+            user_prompt_id,
+            effectiveProjectId,
+            req.apiKey?.id,
+            proxyConfig
+          )
+        : await geminiAccountService.generateContent(
+            client,
+            { model, request: actualRequestData },
+            user_prompt_id,
+            effectiveProjectId,
+            req.apiKey?.id,
+            proxyConfig
+          )

    // 记录使用统计
    if (response?.response?.usageMetadata) {
@@ -1578,13 +1638,20 @@ async function handleStreamGenerateContent(req, res) {
    // 解析账户的代理配置
    const proxyConfig = parseProxyConfig(account)

-    const client = await geminiAccountService.getOauthClient(accessToken, refreshToken, proxyConfig)
+    const client = await geminiAccountService.getOauthClient(
+      accessToken,
+      refreshToken,
+      proxyConfig,
+      account.oauthProvider
+    )

    // 智能处理项目ID：优先使用配置的 projectId，降级到临时 tempProjectId
    let effectiveProjectId = account.projectId || account.tempProjectId || null

+    const oauthProvider = account.oauthProvider || 'gemini-cli'
+
    // 如果没有任何项目ID，尝试调用 loadCodeAssist 获取
-    if (!effectiveProjectId) {
+    if (!effectiveProjectId && oauthProvider !== 'antigravity') {
      try {
        logger.info('📋 No projectId available, attempting to fetch from loadCodeAssist...')
        const loadResponse = await geminiAccountService.loadCodeAssist(client, null, proxyConfig)
@@ -1600,6 +1667,11 @@ async function handleStreamGenerateContent(req, res) {
      }
    }

+    if (!effectiveProjectId && oauthProvider === 'antigravity') {
+      effectiveProjectId = `ag-${crypto.randomUUID().replace(/-/g, '').slice(0, 16)}`
+      await geminiAccountService.updateTempProjectId(accountId, effectiveProjectId)
+    }
+
    // 如果还是没有项目ID，返回错误
    if (!effectiveProjectId) {
      return res.status(403).json({
@@ -1622,15 +1694,26 @@ async function handleStreamGenerateContent(req, res) {
          : '从loadCodeAssist获取'
    })

-    const streamResponse = await geminiAccountService.generateContentStream(
-      client,
-      { model, request: actualRequestData },
-      user_prompt_id,
-      effectiveProjectId,
-      req.apiKey?.id,
-      abortController.signal,
-      proxyConfig
-    )
+    const streamResponse =
+      oauthProvider === 'antigravity'
+        ? await geminiAccountService.generateContentStreamAntigravity(
+            client,
+            { model, request: actualRequestData },
+            user_prompt_id,
+            effectiveProjectId,
+            req.apiKey?.id,
+            abortController.signal,
+            proxyConfig
+          )
+        : await geminiAccountService.generateContentStream(
+            client,
+            { model, request: actualRequestData },
+            user_prompt_id,
+            effectiveProjectId,
+            req.apiKey?.id,
+            abortController.signal,
+            proxyConfig
+          )

    // 设置 SSE 响应头
    res.setHeader('Content-Type', 'text/event-stream')
@@ -1978,15 +2061,23 @@ async function handleStandardGenerateContent(req, res) {
    } else {
      // OAuth 账户
      const { accessToken, refreshToken } = account
+      const oauthProvider = account.oauthProvider || 'gemini-cli'
      const client = await geminiAccountService.getOauthClient(
        accessToken,
        refreshToken,
-        proxyConfig
+        proxyConfig,
+        oauthProvider
      )

      let effectiveProjectId = account.projectId || account.tempProjectId || null

-      if (!effectiveProjectId) {
+      if (oauthProvider === 'antigravity') {
+        if (!effectiveProjectId) {
+          // Antigravity 账号允许没有 projectId：生成一个稳定的临时 projectId 并缓存
+          effectiveProjectId = `ag-${crypto.randomUUID().replace(/-/g, '').slice(0, 16)}`
+          await geminiAccountService.updateTempProjectId(actualAccountId, effectiveProjectId)
+        }
+      } else if (!effectiveProjectId) {
        try {
          logger.info('📋 No projectId available, attempting to fetch from loadCodeAssist...')
          const loadResponse = await geminiAccountService.loadCodeAssist(client, null, proxyConfig)
@@ -2024,14 +2115,25 @@ async function handleStandardGenerateContent(req, res) {

      const userPromptId = `${crypto.randomUUID()}########0`

-      response = await geminiAccountService.generateContent(
-        client,
-        { model, request: actualRequestData },
-        userPromptId,
-        effectiveProjectId,
-        req.apiKey?.id,
-        proxyConfig
-      )
+      if (oauthProvider === 'antigravity') {
+        response = await geminiAccountService.generateContentAntigravity(
+          client,
+          { model, request: actualRequestData },
+          userPromptId,
+          effectiveProjectId,
+          req.apiKey?.id,
+          proxyConfig
+        )
+      } else {
+        response = await geminiAccountService.generateContent(
+          client,
+          { model, request: actualRequestData },
+          userPromptId,
+          effectiveProjectId,
+          req.apiKey?.id,
+          proxyConfig
+        )
+      }
    }

    // 记录使用统计
@@ -2263,12 +2365,20 @@ async function handleStandardStreamGenerateContent(req, res) {
      const client = await geminiAccountService.getOauthClient(
        accessToken,
        refreshToken,
-        proxyConfig
+        proxyConfig,
+        account.oauthProvider
      )

      let effectiveProjectId = account.projectId || account.tempProjectId || null

-      if (!effectiveProjectId) {
+      const oauthProvider = account.oauthProvider || 'gemini-cli'
+
+      if (oauthProvider === 'antigravity') {
+        if (!effectiveProjectId) {
+          effectiveProjectId = `ag-${crypto.randomUUID().replace(/-/g, '').slice(0, 16)}`
+          await geminiAccountService.updateTempProjectId(actualAccountId, effectiveProjectId)
+        }
+      } else if (!effectiveProjectId) {
        try {
          logger.info('📋 No projectId available, attempting to fetch from loadCodeAssist...')
          const loadResponse = await geminiAccountService.loadCodeAssist(client, null, proxyConfig)
@@ -2306,15 +2416,27 @@ async function handleStandardStreamGenerateContent(req, res) {

      const userPromptId = `${crypto.randomUUID()}########0`

-      streamResponse = await geminiAccountService.generateContentStream(
-        client,
-        { model, request: actualRequestData },
-        userPromptId,
-        effectiveProjectId,
-        req.apiKey?.id,
-        abortController.signal,
-        proxyConfig
-      )
+      if (oauthProvider === 'antigravity') {
+        streamResponse = await geminiAccountService.generateContentStreamAntigravity(
+          client,
+          { model, request: actualRequestData },
+          userPromptId,
+          effectiveProjectId,
+          req.apiKey?.id,
+          abortController.signal,
+          proxyConfig
+        )
+      } else {
+        streamResponse = await geminiAccountService.generateContentStream(
+          client,
+          { model, request: actualRequestData },
+          userPromptId,
+          effectiveProjectId,
+          req.apiKey?.id,
+          abortController.signal,
+          proxyConfig
+        )
+      }
    }

    // 设置 SSE 响应头
--- a/src/middleware/auth.js
+++ b/src/middleware/auth.js
@@ -1389,6 +1389,18 @@ const authenticateAdmin = async (req, res, next) => {
      })
    }

+    // 🔒 安全修复：验证会话必须字段（防止伪造会话绕过认证）
+    if (!adminSession.username || !adminSession.loginTime) {
+      logger.security(
+        `🔒 Corrupted admin session from ${req.ip || 'unknown'} - missing required fields (username: ${!!adminSession.username}, loginTime: ${!!adminSession.loginTime})`
+      )
+      await redis.deleteSession(token) // 清理无效/伪造的会话
+      return res.status(401).json({
+        error: 'Invalid session',
+        message: 'Session data corrupted or incomplete'
+      })
+    }
+
    // 检查会话活跃性（可选：检查最后活动时间）
    const now = new Date()
    const lastActivity = new Date(adminSession.lastActivity || adminSession.loginTime)
--- a/src/models/redis.js
+++ b/src/models/redis.js
@@ -1521,6 +1521,123 @@ class RedisClient {
    return await this.client.del(key)
  }

+  // 💰 账户余额缓存（API 查询结果）
+  async setAccountBalance(platform, accountId, balanceData, ttl = 3600) {
+    const key = `account_balance:${platform}:${accountId}`
+
+    const payload = {
+      balance:
+        balanceData && balanceData.balance !== null && balanceData.balance !== undefined
+          ? String(balanceData.balance)
+          : '',
+      currency: balanceData?.currency || 'USD',
+      lastRefreshAt: balanceData?.lastRefreshAt || new Date().toISOString(),
+      queryMethod: balanceData?.queryMethod || 'api',
+      status: balanceData?.status || 'success',
+      errorMessage: balanceData?.errorMessage || balanceData?.error || '',
+      rawData: balanceData?.rawData ? JSON.stringify(balanceData.rawData) : '',
+      quota: balanceData?.quota ? JSON.stringify(balanceData.quota) : ''
+    }
+
+    await this.client.hset(key, payload)
+    await this.client.expire(key, ttl)
+  }
+
+  async getAccountBalance(platform, accountId) {
+    const key = `account_balance:${platform}:${accountId}`
+    const [data, ttlSeconds] = await Promise.all([this.client.hgetall(key), this.client.ttl(key)])
+
+    if (!data || Object.keys(data).length === 0) {
+      return null
+    }
+
+    let rawData = null
+    if (data.rawData) {
+      try {
+        rawData = JSON.parse(data.rawData)
+      } catch (error) {
+        rawData = null
+      }
+    }
+
+    let quota = null
+    if (data.quota) {
+      try {
+        quota = JSON.parse(data.quota)
+      } catch (error) {
+        quota = null
+      }
+    }
+
+    return {
+      balance: data.balance ? parseFloat(data.balance) : null,
+      currency: data.currency || 'USD',
+      lastRefreshAt: data.lastRefreshAt || null,
+      queryMethod: data.queryMethod || null,
+      status: data.status || null,
+      errorMessage: data.errorMessage || '',
+      rawData,
+      quota,
+      ttlSeconds: Number.isFinite(ttlSeconds) ? ttlSeconds : null
+    }
+  }
+
+  // 📊 账户余额缓存（本地统计）
+  async setLocalBalance(platform, accountId, statisticsData, ttl = 300) {
+    const key = `account_balance_local:${platform}:${accountId}`
+
+    await this.client.hset(key, {
+      estimatedBalance: JSON.stringify(statisticsData || {}),
+      lastCalculated: new Date().toISOString()
+    })
+    await this.client.expire(key, ttl)
+  }
+
+  async getLocalBalance(platform, accountId) {
+    const key = `account_balance_local:${platform}:${accountId}`
+    const data = await this.client.hgetall(key)
+
+    if (!data || !data.estimatedBalance) {
+      return null
+    }
+
+    try {
+      return JSON.parse(data.estimatedBalance)
+    } catch (error) {
+      return null
+    }
+  }
+
+  async deleteAccountBalance(platform, accountId) {
+    const key = `account_balance:${platform}:${accountId}`
+    const localKey = `account_balance_local:${platform}:${accountId}`
+    await this.client.del(key, localKey)
+  }
+
+  // 🧩 账户余额脚本配置
+  async setBalanceScriptConfig(platform, accountId, scriptConfig) {
+    const key = `account_balance_script:${platform}:${accountId}`
+    await this.client.set(key, JSON.stringify(scriptConfig || {}))
+  }
+
+  async getBalanceScriptConfig(platform, accountId) {
+    const key = `account_balance_script:${platform}:${accountId}`
+    const raw = await this.client.get(key)
+    if (!raw) {
+      return null
+    }
+    try {
+      return JSON.parse(raw)
+    } catch (error) {
+      return null
+    }
+  }
+
+  async deleteBalanceScriptConfig(platform, accountId) {
+    const key = `account_balance_script:${platform}:${accountId}`
+    return await this.client.del(key)
+  }
+
  // 📈 系统统计
  async getSystemStats() {
    const keys = await Promise.all([
--- a/src/routes/admin/accountBalance.js
+++ b/src/routes/admin/accountBalance.js
@@ -0,0 +1,214 @@
+const express = require('express')
+const { authenticateAdmin } = require('../../middleware/auth')
+const logger = require('../../utils/logger')
+const accountBalanceService = require('../../services/accountBalanceService')
+const balanceScriptService = require('../../services/balanceScriptService')
+const { isBalanceScriptEnabled } = require('../../utils/featureFlags')
+
+const router = express.Router()
+
+const ensureValidPlatform = (rawPlatform) => {
+  const normalized = accountBalanceService.normalizePlatform(rawPlatform)
+  if (!normalized) {
+    return { ok: false, status: 400, error: '缺少 platform 参数' }
+  }
+
+  const supported = accountBalanceService.getSupportedPlatforms()
+  if (!supported.includes(normalized)) {
+    return { ok: false, status: 400, error: `不支持的平台: ${normalized}` }
+  }
+
+  return { ok: true, platform: normalized }
+}
+
+// 1) 获取账户余额（默认本地统计优先，可选触发 Provider）
+// GET /admin/accounts/:accountId/balance?platform=xxx&queryApi=false
+router.get('/accounts/:accountId/balance', authenticateAdmin, async (req, res) => {
+  try {
+    const { accountId } = req.params
+    const { platform, queryApi } = req.query
+
+    const valid = ensureValidPlatform(platform)
+    if (!valid.ok) {
+      return res.status(valid.status).json({ success: false, error: valid.error })
+    }
+
+    const balance = await accountBalanceService.getAccountBalance(accountId, valid.platform, {
+      queryApi
+    })
+
+    if (!balance) {
+      return res.status(404).json({ success: false, error: 'Account not found' })
+    }
+
+    return res.json(balance)
+  } catch (error) {
+    logger.error('获取账户余额失败', error)
+    return res.status(500).json({ success: false, error: error.message })
+  }
+})
+
+// 2) 强制刷新账户余额（强制触发查询：优先脚本；Provider 仅为降级）
+// POST /admin/accounts/:accountId/balance/refresh
+// Body: { platform: 'xxx' }
+router.post('/accounts/:accountId/balance/refresh', authenticateAdmin, async (req, res) => {
+  try {
+    const { accountId } = req.params
+    const { platform } = req.body || {}
+
+    const valid = ensureValidPlatform(platform)
+    if (!valid.ok) {
+      return res.status(valid.status).json({ success: false, error: valid.error })
+    }
+
+    logger.info(`手动刷新余额: ${valid.platform}:${accountId}`)
+
+    const balance = await accountBalanceService.refreshAccountBalance(accountId, valid.platform)
+    if (!balance) {
+      return res.status(404).json({ success: false, error: 'Account not found' })
+    }
+
+    return res.json(balance)
+  } catch (error) {
+    logger.error('刷新账户余额失败', error)
+    return res.status(500).json({ success: false, error: error.message })
+  }
+})
+
+// 3) 批量获取平台所有账户余额
+// GET /admin/accounts/balance/platform/:platform?queryApi=false
+router.get('/accounts/balance/platform/:platform', authenticateAdmin, async (req, res) => {
+  try {
+    const { platform } = req.params
+    const { queryApi } = req.query
+
+    const valid = ensureValidPlatform(platform)
+    if (!valid.ok) {
+      return res.status(valid.status).json({ success: false, error: valid.error })
+    }
+
+    const balances = await accountBalanceService.getAllAccountsBalance(valid.platform, { queryApi })
+
+    return res.json({ success: true, data: balances })
+  } catch (error) {
+    logger.error('批量获取余额失败', error)
+    return res.status(500).json({ success: false, error: error.message })
+  }
+})
+
+// 4) 获取余额汇总（Dashboard 用）
+// GET /admin/accounts/balance/summary
+router.get('/accounts/balance/summary', authenticateAdmin, async (req, res) => {
+  try {
+    const summary = await accountBalanceService.getBalanceSummary()
+    return res.json({ success: true, data: summary })
+  } catch (error) {
+    logger.error('获取余额汇总失败', error)
+    return res.status(500).json({ success: false, error: error.message })
+  }
+})
+
+// 5) 清除缓存
+// DELETE /admin/accounts/:accountId/balance/cache?platform=xxx
+router.delete('/accounts/:accountId/balance/cache', authenticateAdmin, async (req, res) => {
+  try {
+    const { accountId } = req.params
+    const { platform } = req.query
+
+    const valid = ensureValidPlatform(platform)
+    if (!valid.ok) {
+      return res.status(valid.status).json({ success: false, error: valid.error })
+    }
+
+    await accountBalanceService.clearCache(accountId, valid.platform)
+
+    return res.json({ success: true, message: '缓存已清除' })
+  } catch (error) {
+    logger.error('清除缓存失败', error)
+    return res.status(500).json({ success: false, error: error.message })
+  }
+})
+
+// 6) 获取/保存/测试余额脚本配置（单账户）
+router.get('/accounts/:accountId/balance/script', authenticateAdmin, async (req, res) => {
+  try {
+    const { accountId } = req.params
+    const { platform } = req.query
+
+    const valid = ensureValidPlatform(platform)
+    if (!valid.ok) {
+      return res.status(valid.status).json({ success: false, error: valid.error })
+    }
+
+    const config = await accountBalanceService.redis.getBalanceScriptConfig(
+      valid.platform,
+      accountId
+    )
+    return res.json({ success: true, data: config || null })
+  } catch (error) {
+    logger.error('获取余额脚本配置失败', error)
+    return res.status(500).json({ success: false, error: error.message })
+  }
+})
+
+router.put('/accounts/:accountId/balance/script', authenticateAdmin, async (req, res) => {
+  try {
+    const { accountId } = req.params
+    const { platform } = req.query
+    const valid = ensureValidPlatform(platform)
+    if (!valid.ok) {
+      return res.status(valid.status).json({ success: false, error: valid.error })
+    }
+
+    const payload = req.body || {}
+    await accountBalanceService.redis.setBalanceScriptConfig(valid.platform, accountId, payload)
+    return res.json({ success: true, data: payload })
+  } catch (error) {
+    logger.error('保存余额脚本配置失败', error)
+    return res.status(500).json({ success: false, error: error.message })
+  }
+})
+
+router.post('/accounts/:accountId/balance/script/test', authenticateAdmin, async (req, res) => {
+  try {
+    const { accountId } = req.params
+    const { platform } = req.query
+    const valid = ensureValidPlatform(platform)
+    if (!valid.ok) {
+      return res.status(valid.status).json({ success: false, error: valid.error })
+    }
+
+    if (!isBalanceScriptEnabled()) {
+      return res.status(403).json({
+        success: false,
+        error: '余额脚本功能已禁用（可通过 BALANCE_SCRIPT_ENABLED=true 启用）'
+      })
+    }
+
+    const payload = req.body || {}
+    const { scriptBody } = payload
+    if (!scriptBody) {
+      return res.status(400).json({ success: false, error: '脚本内容不能为空' })
+    }
+
+    const result = await balanceScriptService.execute({
+      scriptBody,
+      timeoutSeconds: payload.timeoutSeconds || 10,
+      variables: {
+        baseUrl: payload.baseUrl || '',
+        apiKey: payload.apiKey || '',
+        token: payload.token || '',
+        accountId,
+        platform: valid.platform,
+        extra: payload.extra || ''
+      }
+    })
+
+    return res.json({ success: true, data: result })
+  } catch (error) {
+    logger.error('测试余额脚本失败', error)
+    return res.status(400).json({ success: false, error: error.message })
+  }
+})
+
+module.exports = router
--- a/src/routes/admin/apiKeys.js
+++ b/src/routes/admin/apiKeys.js
@@ -8,6 +8,60 @@ const config = require('../../../config/config')

 const router = express.Router()

+// 有效的权限值列表
+const VALID_PERMISSIONS = ['claude', 'gemini', 'openai', 'droid']
+
+/**
+ * 验证权限数组格式
+ * @param {any} permissions - 权限值（可以是数组或其他）
+ * @returns {string|null} - 返回错误消息，null 表示验证通过
+ */
+function validatePermissions(permissions) {
+  // 空值或未定义表示全部服务
+  if (permissions === undefined || permissions === null || permissions === '') {
+    return null
+  }
+  // 兼容字符串格式
+  if (typeof permissions === 'string') {
+    // 旧格式 'all' 表示全部服务
+    if (permissions === 'all') {
+      return null
+    }
+    // 单个有效权限
+    if (VALID_PERMISSIONS.includes(permissions)) {
+      return null
+    }
+    // 尝试解析 JSON 数组字符串（如 "[]" 或 '["claude","gemini"]'）
+    if (permissions.startsWith('[')) {
+      try {
+        const parsed = JSON.parse(permissions)
+        if (Array.isArray(parsed)) {
+          // 递归验证解析后的数组
+          return validatePermissions(parsed)
+        }
+      } catch (e) {
+        // 解析失败，返回错误
+      }
+    }
+    return `Invalid permissions value. Must be an array of: ${VALID_PERMISSIONS.join(', ')}`
+  }
+  // 新格式数组
+  if (Array.isArray(permissions)) {
+    // 空数组表示全部服务
+    if (permissions.length === 0) {
+      return null
+    }
+    // 验证数组中的每个值
+    for (const perm of permissions) {
+      if (!VALID_PERMISSIONS.includes(perm)) {
+        return `Invalid permission value "${perm}". Valid values are: ${VALID_PERMISSIONS.join(', ')}`
+      }
+    }
+    return null
+  }
+  return `Permissions must be an array. Valid values are: ${VALID_PERMISSIONS.join(', ')}`
+}
+
 // 👥 用户管理 (用于API Key分配)

 // 获取所有用户列表（用于API Key分配）
@@ -1382,16 +1436,10 @@ router.post('/api-keys', authenticateAdmin, async (req, res) => {
      }
    }

-    // 验证服务权限字段
-    if (
-      permissions !== undefined &&
-      permissions !== null &&
-      permissions !== '' &&
-      !['claude', 'gemini', 'openai', 'droid', 'all'].includes(permissions)
-    ) {
-      return res.status(400).json({
-        error: 'Invalid permissions value. Must be claude, gemini, openai, droid, or all'
-      })
+    // 验证服务权限字段（支持数组格式）
+    const permissionsError = validatePermissions(permissions)
+    if (permissionsError) {
+      return res.status(400).json({ error: permissionsError })
    }

    const newKey = await apiKeyService.generateApiKey({
@@ -1481,15 +1529,10 @@ router.post('/api-keys/batch', authenticateAdmin, async (req, res) => {
        .json({ error: 'Base name must be less than 90 characters to allow for numbering' })
    }

-    if (
-      permissions !== undefined &&
-      permissions !== null &&
-      permissions !== '' &&
-      !['claude', 'gemini', 'openai', 'droid', 'all'].includes(permissions)
-    ) {
-      return res.status(400).json({
-        error: 'Invalid permissions value. Must be claude, gemini, openai, droid, or all'
-      })
+    // 验证服务权限字段（支持数组格式）
+    const batchPermissionsError = validatePermissions(permissions)
+    if (batchPermissionsError) {
+      return res.status(400).json({ error: batchPermissionsError })
    }

    // 生成批量API Keys
@@ -1592,13 +1635,12 @@ router.put('/api-keys/batch', authenticateAdmin, async (req, res) => {
      })
    }

-    if (
-      updates.permissions !== undefined &&
-      !['claude', 'gemini', 'openai', 'droid', 'all'].includes(updates.permissions)
-    ) {
-      return res.status(400).json({
-        error: 'Invalid permissions value. Must be claude, gemini, openai, droid, or all'
-      })
+    // 验证服务权限字段（支持数组格式）
+    if (updates.permissions !== undefined) {
+      const updatePermissionsError = validatePermissions(updates.permissions)
+      if (updatePermissionsError) {
+        return res.status(400).json({ error: updatePermissionsError })
+      }
    }

    logger.info(
@@ -1873,11 +1915,10 @@ router.put('/api-keys/:keyId', authenticateAdmin, async (req, res) => {
    }

    if (permissions !== undefined) {
-      // 验证权限值
-      if (!['claude', 'gemini', 'openai', 'droid', 'all'].includes(permissions)) {
-        return res.status(400).json({
-          error: 'Invalid permissions value. Must be claude, gemini, openai, droid, or all'
-        })
+      // 验证服务权限字段（支持数组格式）
+      const singlePermissionsError = validatePermissions(permissions)
+      if (singlePermissionsError) {
+        return res.status(400).json({ error: singlePermissionsError })
      }
      updates.permissions = permissions
    }
--- a/src/routes/admin/balanceScripts.js
+++ b/src/routes/admin/balanceScripts.js
@@ -0,0 +1,41 @@
+const express = require('express')
+const { authenticateAdmin } = require('../../middleware/auth')
+const balanceScriptService = require('../../services/balanceScriptService')
+const router = express.Router()
+
+// 获取全部脚本配置列表
+router.get('/balance-scripts', authenticateAdmin, (req, res) => {
+  const items = balanceScriptService.listConfigs()
+  return res.json({ success: true, data: items })
+})
+
+// 获取单个脚本配置
+router.get('/balance-scripts/:name', authenticateAdmin, (req, res) => {
+  const { name } = req.params
+  const config = balanceScriptService.getConfig(name || 'default')
+  return res.json({ success: true, data: config })
+})
+
+// 保存脚本配置
+router.put('/balance-scripts/:name', authenticateAdmin, (req, res) => {
+  try {
+    const { name } = req.params
+    const saved = balanceScriptService.saveConfig(name || 'default', req.body || {})
+    return res.json({ success: true, data: saved })
+  } catch (error) {
+    return res.status(400).json({ success: false, error: error.message })
+  }
+})
+
+// 测试脚本（不落库）
+router.post('/balance-scripts/:name/test', authenticateAdmin, async (req, res) => {
+  try {
+    const { name } = req.params
+    const result = await balanceScriptService.testScript(name || 'default', req.body || {})
+    return res.json({ success: true, data: result })
+  } catch (error) {
+    return res.status(400).json({ success: false, error: error.message })
+  }
+})
+
+module.exports = router
--- a/src/routes/admin/dashboard.js
+++ b/src/routes/admin/dashboard.js
@@ -6,13 +6,11 @@ const bedrockAccountService = require('../../services/bedrockAccountService')
 const ccrAccountService = require('../../services/ccrAccountService')
 const geminiAccountService = require('../../services/geminiAccountService')
 const droidAccountService = require('../../services/droidAccountService')
-const openaiAccountService = require('../../services/openaiAccountService')
 const openaiResponsesAccountService = require('../../services/openaiResponsesAccountService')
 const redis = require('../../models/redis')
 const { authenticateAdmin } = require('../../middleware/auth')
 const logger = require('../../utils/logger')
 const CostCalculator = require('../../utils/costCalculator')
-const pricingService = require('../../services/pricingService')
 const config = require('../../../config/config')

 const router = express.Router()
--- a/src/routes/admin/geminiAccounts.js
+++ b/src/routes/admin/geminiAccounts.js
@@ -11,14 +11,19 @@ const { formatAccountExpiry, mapExpiryField } = require('./utils')
 const router = express.Router()

 // 🤖 Gemini OAuth 账户管理
+function getDefaultRedirectUri(oauthProvider) {
+  if (oauthProvider === 'antigravity') {
+    return process.env.ANTIGRAVITY_OAUTH_REDIRECT_URI || 'http://localhost:45462'
+  }
+  return process.env.GEMINI_OAUTH_REDIRECT_URI || 'https://codeassist.google.com/authcode'
+}

 // 生成 Gemini OAuth 授权 URL
 router.post('/generate-auth-url', authenticateAdmin, async (req, res) => {
  try {
-    const { state, proxy } = req.body // 接收代理配置
+    const { state, proxy, oauthProvider } = req.body // 接收代理配置与OAuth Provider

-    // 使用新的 codeassist.google.com 回调地址
-    const redirectUri = 'https://codeassist.google.com/authcode'
+    const redirectUri = getDefaultRedirectUri(oauthProvider)

    logger.info(`Generating Gemini OAuth URL with redirect_uri: ${redirectUri}`)

@@ -26,8 +31,9 @@ router.post('/generate-auth-url', authenticateAdmin, async (req, res) => {
      authUrl,
      state: authState,
      codeVerifier,
-      redirectUri: finalRedirectUri
-    } = await geminiAccountService.generateAuthUrl(state, redirectUri, proxy)
+      redirectUri: finalRedirectUri,
+      oauthProvider: resolvedOauthProvider
+    } = await geminiAccountService.generateAuthUrl(state, redirectUri, proxy, oauthProvider)

    // 创建 OAuth 会话，包含 codeVerifier 和代理配置
    const sessionId = authState
@@ -37,6 +43,7 @@ router.post('/generate-auth-url', authenticateAdmin, async (req, res) => {
      redirectUri: finalRedirectUri,
      codeVerifier, // 保存 PKCE code verifier
      proxy: proxy || null, // 保存代理配置
+      oauthProvider: resolvedOauthProvider,
      createdAt: new Date().toISOString()
    })

@@ -45,7 +52,8 @@ router.post('/generate-auth-url', authenticateAdmin, async (req, res) => {
      success: true,
      data: {
        authUrl,
-        sessionId
+        sessionId,
+        oauthProvider: resolvedOauthProvider
      }
    })
  } catch (error) {
@@ -80,13 +88,14 @@ router.post('/poll-auth-status', authenticateAdmin, async (req, res) => {
 // 交换 Gemini 授权码
 router.post('/exchange-code', authenticateAdmin, async (req, res) => {
  try {
-    const { code, sessionId, proxy: requestProxy } = req.body
+    const { code, sessionId, proxy: requestProxy, oauthProvider } = req.body
+    let resolvedOauthProvider = oauthProvider

    if (!code) {
      return res.status(400).json({ error: 'Authorization code is required' })
    }

-    let redirectUri = 'https://codeassist.google.com/authcode'
+    let redirectUri = getDefaultRedirectUri(resolvedOauthProvider)
    let codeVerifier = null
    let proxyConfig = null

@@ -97,11 +106,16 @@ router.post('/exchange-code', authenticateAdmin, async (req, res) => {
        const {
          redirectUri: sessionRedirectUri,
          codeVerifier: sessionCodeVerifier,
-          proxy
+          proxy,
+          oauthProvider: sessionOauthProvider
        } = sessionData
        redirectUri = sessionRedirectUri || redirectUri
        codeVerifier = sessionCodeVerifier
        proxyConfig = proxy // 获取代理配置
+        if (!resolvedOauthProvider && sessionOauthProvider) {
+          // 会话里保存的 provider 仅作为兜底
+          resolvedOauthProvider = sessionOauthProvider
+        }
        logger.info(
          `Using session redirect_uri: ${redirectUri}, has codeVerifier: ${!!codeVerifier}, has proxy from session: ${!!proxyConfig}`
        )
@@ -120,7 +134,8 @@ router.post('/exchange-code', authenticateAdmin, async (req, res) => {
      code,
      redirectUri,
      codeVerifier,
-      proxyConfig // 传递代理配置
+      proxyConfig, // 传递代理配置
+      resolvedOauthProvider
    )

    // 清理 OAuth 会话
@@ -129,7 +144,7 @@ router.post('/exchange-code', authenticateAdmin, async (req, res) => {
    }

    logger.success('✅ Successfully exchanged Gemini authorization code')
-    return res.json({ success: true, data: { tokens } })
+    return res.json({ success: true, data: { tokens, oauthProvider: resolvedOauthProvider } })
  } catch (error) {
    logger.error('❌ Failed to exchange Gemini authorization code:', error)
    return res.status(500).json({ error: 'Failed to exchange code', message: error.message })
--- a/src/routes/admin/index.js
+++ b/src/routes/admin/index.js
@@ -21,9 +21,11 @@ const openaiResponsesAccountsRoutes = require('./openaiResponsesAccounts')
 const droidAccountsRoutes = require('./droidAccounts')
 const dashboardRoutes = require('./dashboard')
 const usageStatsRoutes = require('./usageStats')
+const accountBalanceRoutes = require('./accountBalance')
 const systemRoutes = require('./system')
 const concurrencyRoutes = require('./concurrency')
 const claudeRelayConfigRoutes = require('./claudeRelayConfig')
+const syncRoutes = require('./sync')

 // 挂载所有子路由
 // 使用完整路径的模块（直接挂载到根路径）
@@ -36,9 +38,11 @@ router.use('/', openaiResponsesAccountsRoutes)
 router.use('/', droidAccountsRoutes)
 router.use('/', dashboardRoutes)
 router.use('/', usageStatsRoutes)
+router.use('/', accountBalanceRoutes)
 router.use('/', systemRoutes)
 router.use('/', concurrencyRoutes)
 router.use('/', claudeRelayConfigRoutes)
+router.use('/', syncRoutes)

 // 使用相对路径的模块（需要指定基础路径前缀）
 router.use('/account-groups', accountGroupsRoutes)
--- a/src/routes/admin/sync.js
+++ b/src/routes/admin/sync.js
@@ -0,0 +1,460 @@
+/**
+ * Admin Routes - Sync / Export (for migration)
+ * Exports account data (including secrets) for safe server-to-server syncing.
+ */
+
+const express = require('express')
+const router = express.Router()
+
+const { authenticateAdmin } = require('../../middleware/auth')
+const redis = require('../../models/redis')
+const claudeAccountService = require('../../services/claudeAccountService')
+const claudeConsoleAccountService = require('../../services/claudeConsoleAccountService')
+const openaiAccountService = require('../../services/openaiAccountService')
+const openaiResponsesAccountService = require('../../services/openaiResponsesAccountService')
+const logger = require('../../utils/logger')
+
+function toBool(value, defaultValue = false) {
+  if (value === undefined || value === null || value === '') {
+    return defaultValue
+  }
+  if (value === true || value === 'true') {
+    return true
+  }
+  if (value === false || value === 'false') {
+    return false
+  }
+  return defaultValue
+}
+
+function normalizeProxy(proxy) {
+  if (!proxy || typeof proxy !== 'object') {
+    return null
+  }
+
+  const protocol = proxy.protocol || proxy.type || proxy.scheme || ''
+  const host = proxy.host || ''
+  const port = Number(proxy.port || 0)
+
+  if (!protocol || !host || !Number.isFinite(port) || port <= 0) {
+    return null
+  }
+
+  return {
+    protocol: String(protocol),
+    host: String(host),
+    port,
+    username: proxy.username ? String(proxy.username) : '',
+    password: proxy.password ? String(proxy.password) : ''
+  }
+}
+
+function buildModelMappingFromSupportedModels(supportedModels) {
+  if (!supportedModels) {
+    return null
+  }
+
+  if (Array.isArray(supportedModels)) {
+    const mapping = {}
+    for (const model of supportedModels) {
+      if (typeof model === 'string' && model.trim()) {
+        mapping[model.trim()] = model.trim()
+      }
+    }
+    return Object.keys(mapping).length ? mapping : null
+  }
+
+  if (typeof supportedModels === 'object') {
+    const mapping = {}
+    for (const [from, to] of Object.entries(supportedModels)) {
+      if (typeof from === 'string' && typeof to === 'string' && from.trim() && to.trim()) {
+        mapping[from.trim()] = to.trim()
+      }
+    }
+    return Object.keys(mapping).length ? mapping : null
+  }
+
+  return null
+}
+
+function safeParseJson(raw, fallback = null) {
+  if (!raw || typeof raw !== 'string') {
+    return fallback
+  }
+  try {
+    return JSON.parse(raw)
+  } catch (_) {
+    return fallback
+  }
+}
+
+// Export accounts for migration (includes secrets).
+// GET /admin/sync/export-accounts?include_secrets=true
+router.get('/sync/export-accounts', authenticateAdmin, async (req, res) => {
+  try {
+    const includeSecrets = toBool(req.query.include_secrets, false)
+    if (!includeSecrets) {
+      return res.status(400).json({
+        success: false,
+        error: 'include_secrets_required',
+        message: 'Set include_secrets=true to export secrets'
+      })
+    }
+
+    // ===== Claude official OAuth / Setup Token accounts =====
+    const rawClaudeAccounts = await redis.getAllClaudeAccounts()
+    const claudeAccounts = rawClaudeAccounts.map((account) => {
+      // Backward compatible extraction: prefer individual fields, fallback to claudeAiOauth JSON blob.
+      let decryptedClaudeAiOauth = null
+      if (account.claudeAiOauth) {
+        try {
+          const raw = claudeAccountService._decryptSensitiveData(account.claudeAiOauth)
+          decryptedClaudeAiOauth = raw ? JSON.parse(raw) : null
+        } catch (_) {
+          decryptedClaudeAiOauth = null
+        }
+      }
+
+      const rawScopes =
+        account.scopes && account.scopes.trim()
+          ? account.scopes
+          : decryptedClaudeAiOauth?.scopes
+            ? decryptedClaudeAiOauth.scopes.join(' ')
+            : ''
+
+      const scopes = rawScopes && rawScopes.trim() ? rawScopes.trim().split(' ') : []
+      const isOAuth = scopes.includes('user:profile') && scopes.includes('user:inference')
+      const authType = isOAuth ? 'oauth' : 'setup-token'
+
+      const accessToken =
+        account.accessToken && String(account.accessToken).trim()
+          ? claudeAccountService._decryptSensitiveData(account.accessToken)
+          : decryptedClaudeAiOauth?.accessToken || ''
+
+      const refreshToken =
+        account.refreshToken && String(account.refreshToken).trim()
+          ? claudeAccountService._decryptSensitiveData(account.refreshToken)
+          : decryptedClaudeAiOauth?.refreshToken || ''
+
+      let expiresAt = null
+      const expiresAtMs = Number.parseInt(account.expiresAt, 10)
+      if (Number.isFinite(expiresAtMs) && expiresAtMs > 0) {
+        expiresAt = new Date(expiresAtMs).toISOString()
+      } else if (decryptedClaudeAiOauth?.expiresAt) {
+        try {
+          expiresAt = new Date(Number(decryptedClaudeAiOauth.expiresAt)).toISOString()
+        } catch (_) {
+          expiresAt = null
+        }
+      }
+
+      const proxy = account.proxy ? normalizeProxy(safeParseJson(account.proxy)) : null
+
+      // 🔧 Parse subscriptionInfo to extract org_uuid and account_uuid
+      let orgUuid = null
+      let accountUuid = null
+      if (account.subscriptionInfo) {
+        try {
+          const subscriptionInfo = JSON.parse(account.subscriptionInfo)
+          orgUuid = subscriptionInfo.organizationUuid || null
+          accountUuid = subscriptionInfo.accountUuid || null
+        } catch (_) {
+          // Ignore parse errors
+        }
+      }
+
+      // 🔧 Calculate expires_in from expires_at
+      let expiresIn = null
+      if (expiresAt) {
+        try {
+          const expiresAtTime = new Date(expiresAt).getTime()
+          const nowTime = Date.now()
+          const diffSeconds = Math.floor((expiresAtTime - nowTime) / 1000)
+          if (diffSeconds > 0) {
+            expiresIn = diffSeconds
+          }
+        } catch (_) {
+          // Ignore calculation errors
+        }
+      }
+      // 🔧 Use default expires_in if calculation failed (Anthropic OAuth: 8 hours)
+      if (!expiresIn && isOAuth) {
+        expiresIn = 28800 // 8 hours
+      }
+
+      const credentials = {
+        access_token: accessToken,
+        refresh_token: refreshToken || undefined,
+        expires_at: expiresAt || undefined,
+        expires_in: expiresIn || undefined,
+        scope: scopes.join(' ') || undefined,
+        token_type: 'Bearer'
+      }
+      // 🔧 Add auth info as top-level credentials fields
+      if (orgUuid) {
+        credentials.org_uuid = orgUuid
+      }
+      if (accountUuid) {
+        credentials.account_uuid = accountUuid
+      }
+
+      // 🔧 Store complete original CRS data in extra
+      const extra = {
+        crs_account_id: account.id,
+        crs_kind: 'claude-account',
+        crs_id: account.id,
+        crs_name: account.name,
+        crs_description: account.description || '',
+        crs_platform: account.platform || 'claude',
+        crs_auth_type: authType,
+        crs_is_active: account.isActive === 'true',
+        crs_schedulable: account.schedulable !== 'false',
+        crs_priority: Number.parseInt(account.priority, 10) || 50,
+        crs_status: account.status || 'active',
+        crs_scopes: scopes,
+        crs_subscription_info: account.subscriptionInfo || undefined
+      }
+
+      return {
+        kind: 'claude-account',
+        id: account.id,
+        name: account.name,
+        description: account.description || '',
+        platform: account.platform || 'claude',
+        authType,
+        isActive: account.isActive === 'true',
+        schedulable: account.schedulable !== 'false',
+        priority: Number.parseInt(account.priority, 10) || 50,
+        status: account.status || 'active',
+        proxy,
+        credentials,
+        extra
+      }
+    })
+
+    // ===== Claude Console API Key accounts =====
+    const claudeConsoleSummaries = await claudeConsoleAccountService.getAllAccounts()
+    const claudeConsoleAccounts = []
+    for (const summary of claudeConsoleSummaries) {
+      const full = await claudeConsoleAccountService.getAccount(summary.id)
+      if (!full) {
+        continue
+      }
+
+      const proxy = normalizeProxy(full.proxy)
+      const modelMapping = buildModelMappingFromSupportedModels(full.supportedModels)
+
+      const credentials = {
+        api_key: full.apiKey,
+        base_url: full.apiUrl
+      }
+
+      if (modelMapping) {
+        credentials.model_mapping = modelMapping
+      }
+
+      if (full.userAgent) {
+        credentials.user_agent = full.userAgent
+      }
+
+      claudeConsoleAccounts.push({
+        kind: 'claude-console-account',
+        id: full.id,
+        name: full.name,
+        description: full.description || '',
+        platform: full.platform || 'claude-console',
+        isActive: full.isActive === true,
+        schedulable: full.schedulable !== false,
+        priority: Number.parseInt(full.priority, 10) || 50,
+        status: full.status || 'active',
+        proxy,
+        maxConcurrentTasks: Number.parseInt(full.maxConcurrentTasks, 10) || 0,
+        credentials,
+        extra: {
+          crs_account_id: full.id,
+          crs_kind: 'claude-console-account',
+          crs_id: full.id,
+          crs_name: full.name,
+          crs_description: full.description || '',
+          crs_platform: full.platform || 'claude-console',
+          crs_is_active: full.isActive === true,
+          crs_schedulable: full.schedulable !== false,
+          crs_priority: Number.parseInt(full.priority, 10) || 50,
+          crs_status: full.status || 'active'
+        }
+      })
+    }
+
+    // ===== OpenAI OAuth accounts =====
+    const openaiOAuthAccounts = []
+    {
+      const client = redis.getClientSafe()
+      const openaiKeys = await client.keys('openai:account:*')
+      for (const key of openaiKeys) {
+        const id = key.split(':').slice(2).join(':')
+        const account = await openaiAccountService.getAccount(id)
+        if (!account) {
+          continue
+        }
+
+        const accessToken = account.accessToken
+          ? openaiAccountService.decrypt(account.accessToken)
+          : ''
+        if (!accessToken) {
+          // Skip broken/legacy records without decryptable token
+          continue
+        }
+
+        const scopes =
+          account.scopes && typeof account.scopes === 'string' && account.scopes.trim()
+            ? account.scopes.trim().split(' ')
+            : []
+
+        const proxy = normalizeProxy(account.proxy)
+
+        // 🔧 Calculate expires_in from expires_at
+        let expiresIn = null
+        if (account.expiresAt) {
+          try {
+            const expiresAtTime = new Date(account.expiresAt).getTime()
+            const nowTime = Date.now()
+            const diffSeconds = Math.floor((expiresAtTime - nowTime) / 1000)
+            if (diffSeconds > 0) {
+              expiresIn = diffSeconds
+            }
+          } catch (_) {
+            // Ignore calculation errors
+          }
+        }
+        // 🔧 Use default expires_in if calculation failed (OpenAI OAuth: 10 days)
+        if (!expiresIn) {
+          expiresIn = 864000 // 10 days
+        }
+
+        const credentials = {
+          access_token: accessToken,
+          refresh_token: account.refreshToken || undefined,
+          id_token: account.idToken || undefined,
+          expires_at: account.expiresAt || undefined,
+          expires_in: expiresIn || undefined,
+          scope: scopes.join(' ') || undefined,
+          token_type: 'Bearer'
+        }
+        // 🔧 Add auth info as top-level credentials fields
+        if (account.accountId) {
+          credentials.chatgpt_account_id = account.accountId
+        }
+        if (account.chatgptUserId) {
+          credentials.chatgpt_user_id = account.chatgptUserId
+        }
+        if (account.organizationId) {
+          credentials.organization_id = account.organizationId
+        }
+
+        // 🔧 Store complete original CRS data in extra
+        const extra = {
+          crs_account_id: account.id,
+          crs_kind: 'openai-oauth-account',
+          crs_id: account.id,
+          crs_name: account.name,
+          crs_description: account.description || '',
+          crs_platform: account.platform || 'openai',
+          crs_is_active: account.isActive === 'true',
+          crs_schedulable: account.schedulable !== 'false',
+          crs_priority: Number.parseInt(account.priority, 10) || 50,
+          crs_status: account.status || 'active',
+          crs_scopes: scopes,
+          crs_email: account.email || undefined,
+          crs_chatgpt_account_id: account.accountId || undefined,
+          crs_chatgpt_user_id: account.chatgptUserId || undefined,
+          crs_organization_id: account.organizationId || undefined
+        }
+
+        openaiOAuthAccounts.push({
+          kind: 'openai-oauth-account',
+          id: account.id,
+          name: account.name,
+          description: account.description || '',
+          platform: account.platform || 'openai',
+          authType: 'oauth',
+          isActive: account.isActive === 'true',
+          schedulable: account.schedulable !== 'false',
+          priority: Number.parseInt(account.priority, 10) || 50,
+          status: account.status || 'active',
+          proxy,
+          credentials,
+          extra
+        })
+      }
+    }
+
+    // ===== OpenAI Responses API Key accounts =====
+    const openaiResponsesAccounts = []
+    const client = redis.getClientSafe()
+    const openaiResponseKeys = await client.keys('openai_responses_account:*')
+    for (const key of openaiResponseKeys) {
+      const id = key.split(':').slice(1).join(':')
+      const full = await openaiResponsesAccountService.getAccount(id)
+      if (!full) {
+        continue
+      }
+
+      const proxy = normalizeProxy(full.proxy)
+
+      const credentials = {
+        api_key: full.apiKey,
+        base_url: full.baseApi
+      }
+
+      if (full.userAgent) {
+        credentials.user_agent = full.userAgent
+      }
+
+      openaiResponsesAccounts.push({
+        kind: 'openai-responses-account',
+        id: full.id,
+        name: full.name,
+        description: full.description || '',
+        platform: full.platform || 'openai-responses',
+        isActive: full.isActive === 'true',
+        schedulable: full.schedulable !== 'false',
+        priority: Number.parseInt(full.priority, 10) || 50,
+        status: full.status || 'active',
+        proxy,
+        credentials,
+        extra: {
+          crs_account_id: full.id,
+          crs_kind: 'openai-responses-account',
+          crs_id: full.id,
+          crs_name: full.name,
+          crs_description: full.description || '',
+          crs_platform: full.platform || 'openai-responses',
+          crs_is_active: full.isActive === 'true',
+          crs_schedulable: full.schedulable !== 'false',
+          crs_priority: Number.parseInt(full.priority, 10) || 50,
+          crs_status: full.status || 'active'
+        }
+      })
+    }
+
+    return res.json({
+      success: true,
+      data: {
+        exportedAt: new Date().toISOString(),
+        claudeAccounts,
+        claudeConsoleAccounts,
+        openaiOAuthAccounts,
+        openaiResponsesAccounts
+      }
+    })
+  } catch (error) {
+    logger.error('❌ Failed to export accounts for sync:', error)
+    return res.status(500).json({
+      success: false,
+      error: 'export_failed',
+      message: error.message
+    })
+  }
+})
+
+module.exports = router
--- a/src/routes/admin/system.js
+++ b/src/routes/admin/system.js
@@ -4,6 +4,10 @@ const path = require('path')
 const axios = require('axios')
 const claudeCodeHeadersService = require('../../services/claudeCodeHeadersService')
 const claudeAccountService = require('../../services/claudeAccountService')
+const claudeConsoleAccountService = require('../../services/claudeConsoleAccountService')
+const geminiAccountService = require('../../services/geminiAccountService')
+const bedrockAccountService = require('../../services/bedrockAccountService')
+const droidAccountService = require('../../services/droidAccountService')
 const redis = require('../../models/redis')
 const { authenticateAdmin } = require('../../middleware/auth')
 const logger = require('../../utils/logger')
@@ -254,30 +258,43 @@ router.get('/check-updates', authenticateAdmin, async (req, res) => {

 // ==================== OEM 设置管理 ====================

+// 默认OEM设置
+const defaultOemSettings = {
+  siteName: 'Claude Relay Service',
+  siteIcon: '',
+  siteIconData: '', // Base64编码的图标数据
+  showAdminButton: true, // 是否显示管理后台按钮
+  publicStatsEnabled: false, // 是否在首页显示公开统计概览
+  // 公开统计显示选项
+  publicStatsShowModelDistribution: true, // 显示模型使用分布
+  publicStatsModelDistributionPeriod: 'today', // 模型使用分布时间范围: today, 24h, 7d, 30d, all
+  publicStatsShowTokenTrends: false, // 显示Token使用趋势
+  publicStatsShowApiKeysTrends: false, // 显示API Keys使用趋势
+  publicStatsShowAccountTrends: false, // 显示账号使用趋势
+  updatedAt: new Date().toISOString()
+}
+
+// 获取OEM设置的辅助函数
+async function getOemSettings() {
+  const client = redis.getClient()
+  const oemSettings = await client.get('oem:settings')
+
+  let settings = { ...defaultOemSettings }
+  if (oemSettings) {
+    try {
+      settings = { ...defaultOemSettings, ...JSON.parse(oemSettings) }
+    } catch (err) {
+      logger.warn('⚠️ Failed to parse OEM settings, using defaults:', err.message)
+    }
+  }
+  return settings
+}
+
 // 获取OEM设置（公开接口，用于显示）
 // 注意：这个端点没有 authenticateAdmin 中间件，因为前端登录页也需要访问
 router.get('/oem-settings', async (req, res) => {
  try {
-    const client = redis.getClient()
-    const oemSettings = await client.get('oem:settings')
-
-    // 默认设置
-    const defaultSettings = {
-      siteName: 'Claude Relay Service',
-      siteIcon: '',
-      siteIconData: '', // Base64编码的图标数据
-      showAdminButton: true, // 是否显示管理后台按钮
-      updatedAt: new Date().toISOString()
-    }
-
-    let settings = defaultSettings
-    if (oemSettings) {
-      try {
-        settings = { ...defaultSettings, ...JSON.parse(oemSettings) }
-      } catch (err) {
-        logger.warn('⚠️ Failed to parse OEM settings, using defaults:', err.message)
-      }
-    }
+    const settings = await getOemSettings()

    // 添加 LDAP 启用状态到响应中
    return res.json({
@@ -296,7 +313,18 @@ router.get('/oem-settings', async (req, res) => {
 // 更新OEM设置
 router.put('/oem-settings', authenticateAdmin, async (req, res) => {
  try {
-    const { siteName, siteIcon, siteIconData, showAdminButton } = req.body
+    const {
+      siteName,
+      siteIcon,
+      siteIconData,
+      showAdminButton,
+      publicStatsEnabled,
+      publicStatsShowModelDistribution,
+      publicStatsModelDistributionPeriod,
+      publicStatsShowTokenTrends,
+      publicStatsShowApiKeysTrends,
+      publicStatsShowAccountTrends
+    } = req.body

    // 验证输入
    if (!siteName || typeof siteName !== 'string' || siteName.trim().length === 0) {
@@ -323,11 +351,24 @@ router.put('/oem-settings', authenticateAdmin, async (req, res) => {
      }
    }

+    // 验证时间范围值
+    const validPeriods = ['today', '24h', '7d', '30d', 'all']
+    const periodValue = validPeriods.includes(publicStatsModelDistributionPeriod)
+      ? publicStatsModelDistributionPeriod
+      : 'today'
+
    const settings = {
      siteName: siteName.trim(),
      siteIcon: (siteIcon || '').trim(),
      siteIconData: (siteIconData || '').trim(), // Base64数据
      showAdminButton: showAdminButton !== false, // 默认为true
+      publicStatsEnabled: publicStatsEnabled === true, // 默认为false
+      // 公开统计显示选项
+      publicStatsShowModelDistribution: publicStatsShowModelDistribution !== false, // 默认为true
+      publicStatsModelDistributionPeriod: periodValue, // 时间范围
+      publicStatsShowTokenTrends: publicStatsShowTokenTrends === true, // 默认为false
+      publicStatsShowApiKeysTrends: publicStatsShowApiKeysTrends === true, // 默认为false
+      publicStatsShowAccountTrends: publicStatsShowAccountTrends === true, // 默认为false
      updatedAt: new Date().toISOString()
    }

@@ -398,4 +439,420 @@ router.post('/claude-code-version/clear', authenticateAdmin, async (req, res) =>
  }
 })

+// ==================== 公开统计概览 ====================
+
+// 获取公开统计数据（无需认证，用于首页展示）
+// 只在 publicStatsEnabled 开启时返回数据
+router.get('/public-stats', async (req, res) => {
+  try {
+    // 检查是否启用了公开统计
+    const settings = await getOemSettings()
+    if (!settings.publicStatsEnabled) {
+      return res.json({
+        success: true,
+        enabled: false,
+        data: null
+      })
+    }
+
+    // 辅助函数：规范化布尔值
+    const normalizeBoolean = (value) => value === true || value === 'true'
+    const isRateLimitedFlag = (status) => {
+      if (!status) {
+        return false
+      }
+      if (typeof status === 'string') {
+        return status === 'limited'
+      }
+      if (typeof status === 'object') {
+        return status.isRateLimited === true
+      }
+      return false
+    }
+
+    // 并行获取统计数据
+    const [
+      claudeAccounts,
+      claudeConsoleAccounts,
+      geminiAccounts,
+      bedrockAccountsResult,
+      droidAccounts,
+      todayStats,
+      modelStats
+    ] = await Promise.all([
+      claudeAccountService.getAllAccounts(),
+      claudeConsoleAccountService.getAllAccounts(),
+      geminiAccountService.getAllAccounts(),
+      bedrockAccountService.getAllAccounts(),
+      droidAccountService.getAllAccounts(),
+      redis.getTodayStats(),
+      getPublicModelStats(settings.publicStatsModelDistributionPeriod || 'today')
+    ])
+
+    const bedrockAccounts = bedrockAccountsResult.success ? bedrockAccountsResult.data : []
+
+    // 计算各平台正常账户数
+    const normalClaudeAccounts = claudeAccounts.filter(
+      (acc) =>
+        acc.isActive &&
+        acc.status !== 'blocked' &&
+        acc.status !== 'unauthorized' &&
+        acc.schedulable !== false &&
+        !(acc.rateLimitStatus && acc.rateLimitStatus.isRateLimited)
+    ).length
+    const normalClaudeConsoleAccounts = claudeConsoleAccounts.filter(
+      (acc) =>
+        acc.isActive &&
+        acc.status !== 'blocked' &&
+        acc.status !== 'unauthorized' &&
+        acc.schedulable !== false &&
+        !(acc.rateLimitStatus && acc.rateLimitStatus.isRateLimited)
+    ).length
+    const normalGeminiAccounts = geminiAccounts.filter(
+      (acc) =>
+        acc.isActive &&
+        acc.status !== 'blocked' &&
+        acc.status !== 'unauthorized' &&
+        acc.schedulable !== false &&
+        !(
+          acc.rateLimitStatus === 'limited' ||
+          (acc.rateLimitStatus && acc.rateLimitStatus.isRateLimited)
+        )
+    ).length
+    const normalBedrockAccounts = bedrockAccounts.filter(
+      (acc) =>
+        acc.isActive &&
+        acc.status !== 'blocked' &&
+        acc.status !== 'unauthorized' &&
+        acc.schedulable !== false &&
+        !(acc.rateLimitStatus && acc.rateLimitStatus.isRateLimited)
+    ).length
+    const normalDroidAccounts = droidAccounts.filter(
+      (acc) =>
+        normalizeBoolean(acc.isActive) &&
+        acc.status !== 'blocked' &&
+        acc.status !== 'unauthorized' &&
+        normalizeBoolean(acc.schedulable) &&
+        !isRateLimitedFlag(acc.rateLimitStatus)
+    ).length
+
+    // 计算总正常账户数
+    const totalNormalAccounts =
+      normalClaudeAccounts +
+      normalClaudeConsoleAccounts +
+      normalGeminiAccounts +
+      normalBedrockAccounts +
+      normalDroidAccounts
+
+    // 判断服务状态
+    const isHealthy = redis.isConnected && totalNormalAccounts > 0
+
+    // 构建公开统计数据（脱敏后的数据）
+    const publicStats = {
+      // 服务状态
+      serviceStatus: isHealthy ? 'healthy' : 'degraded',
+      uptime: process.uptime(),
+
+      // 平台可用性（只显示是否有可用账户，不显示具体数量）
+      platforms: {
+        claude: normalClaudeAccounts + normalClaudeConsoleAccounts > 0,
+        gemini: normalGeminiAccounts > 0,
+        bedrock: normalBedrockAccounts > 0,
+        droid: normalDroidAccounts > 0
+      },
+
+      // 今日统计
+      todayStats: {
+        requests: todayStats.requestsToday || 0,
+        tokens: todayStats.tokensToday || 0,
+        inputTokens: todayStats.inputTokensToday || 0,
+        outputTokens: todayStats.outputTokensToday || 0
+      },
+
+      // 系统时区
+      systemTimezone: config.system.timezoneOffset || 8,
+
+      // 显示选项
+      showOptions: {
+        modelDistribution: settings.publicStatsShowModelDistribution !== false,
+        tokenTrends: settings.publicStatsShowTokenTrends === true,
+        apiKeysTrends: settings.publicStatsShowApiKeysTrends === true,
+        accountTrends: settings.publicStatsShowAccountTrends === true
+      }
+    }
+
+    // 根据设置添加可选数据
+    if (settings.publicStatsShowModelDistribution !== false) {
+      // modelStats 现在返回 { stats: [], period }
+      publicStats.modelDistribution = modelStats.stats
+      publicStats.modelDistributionPeriod = modelStats.period
+    }
+
+    // 获取趋势数据（最近7天）
+    if (
+      settings.publicStatsShowTokenTrends ||
+      settings.publicStatsShowApiKeysTrends ||
+      settings.publicStatsShowAccountTrends
+    ) {
+      const trendData = await getPublicTrendData(settings)
+      if (settings.publicStatsShowTokenTrends && trendData.tokenTrends) {
+        publicStats.tokenTrends = trendData.tokenTrends
+      }
+      if (settings.publicStatsShowApiKeysTrends && trendData.apiKeysTrends) {
+        publicStats.apiKeysTrends = trendData.apiKeysTrends
+      }
+      if (settings.publicStatsShowAccountTrends && trendData.accountTrends) {
+        publicStats.accountTrends = trendData.accountTrends
+      }
+    }
+
+    return res.json({
+      success: true,
+      enabled: true,
+      data: publicStats
+    })
+  } catch (error) {
+    logger.error('❌ Failed to get public stats:', error)
+    return res.status(500).json({
+      success: false,
+      error: 'Failed to get public stats',
+      message: error.message
+    })
+  }
+})
+
+// 获取公开模型统计的辅助函数
+// period: 'today' | '24h' | '7d' | '30d' | 'all'
+async function getPublicModelStats(period = 'today') {
+  try {
+    const client = redis.getClientSafe()
+    const today = redis.getDateStringInTimezone()
+    const tzDate = redis.getDateInTimezone()
+
+    // 根据period生成日期范围
+    const getDatePatterns = () => {
+      const patterns = []
+
+      if (period === 'today') {
+        patterns.push(`usage:model:daily:*:${today}`)
+      } else if (period === '24h') {
+        // 过去24小时 = 今天 + 昨天
+        patterns.push(`usage:model:daily:*:${today}`)
+        const yesterday = new Date(tzDate)
+        yesterday.setDate(yesterday.getDate() - 1)
+        patterns.push(`usage:model:daily:*:${redis.getDateStringInTimezone(yesterday)}`)
+      } else if (period === '7d') {
+        // 过去7天
+        for (let i = 0; i < 7; i++) {
+          const date = new Date(tzDate)
+          date.setDate(date.getDate() - i)
+          patterns.push(`usage:model:daily:*:${redis.getDateStringInTimezone(date)}`)
+        }
+      } else if (period === '30d') {
+        // 过去30天
+        for (let i = 0; i < 30; i++) {
+          const date = new Date(tzDate)
+          date.setDate(date.getDate() - i)
+          patterns.push(`usage:model:daily:*:${redis.getDateStringInTimezone(date)}`)
+        }
+      } else if (period === 'all') {
+        // 所有数据
+        patterns.push('usage:model:daily:*')
+      } else {
+        // 默认今天
+        patterns.push(`usage:model:daily:*:${today}`)
+      }
+
+      return patterns
+    }
+
+    const patterns = getDatePatterns()
+    let allKeys = []
+
+    for (const pattern of patterns) {
+      const keys = await client.keys(pattern)
+      allKeys.push(...keys)
+    }
+
+    // 去重
+    allKeys = [...new Set(allKeys)]
+
+    if (allKeys.length === 0) {
+      return { stats: [], period }
+    }
+
+    // 模型名标准化
+    const normalizeModelName = (model) => {
+      if (!model || model === 'unknown') {
+        return model
+      }
+      if (model.includes('.anthropic.') || model.includes('.claude')) {
+        let normalized = model.replace(/^[a-z0-9-]+\./, '')
+        normalized = normalized.replace('anthropic.', '')
+        normalized = normalized.replace(/-v\d+:\d+$/, '')
+        return normalized
+      }
+      return model.replace(/-v\d+:\d+|:latest$/, '')
+    }
+
+    // 聚合模型数据
+    const modelStatsMap = new Map()
+    let totalRequests = 0
+
+    for (const key of allKeys) {
+      const match = key.match(/usage:model:daily:(.+):\d{4}-\d{2}-\d{2}$/)
+      if (!match) {
+        continue
+      }
+
+      const rawModel = match[1]
+      const normalizedModel = normalizeModelName(rawModel)
+      const data = await client.hgetall(key)
+
+      if (data && Object.keys(data).length > 0) {
+        const requests = parseInt(data.requests) || 0
+        totalRequests += requests
+
+        const stats = modelStatsMap.get(normalizedModel) || { requests: 0 }
+        stats.requests += requests
+        modelStatsMap.set(normalizedModel, stats)
+      }
+    }
+
+    // 转换为数组并计算占比
+    const modelStats = []
+    for (const [model, stats] of modelStatsMap) {
+      modelStats.push({
+        model,
+        percentage: totalRequests > 0 ? Math.round((stats.requests / totalRequests) * 100) : 0
+      })
+    }
+
+    // 按占比排序，取前5个
+    modelStats.sort((a, b) => b.percentage - a.percentage)
+    return { stats: modelStats.slice(0, 5), period }
+  } catch (error) {
+    logger.warn('⚠️ Failed to get public model stats:', error.message)
+    return { stats: [], period }
+  }
+}
+
+// 获取公开趋势数据的辅助函数（最近7天）
+async function getPublicTrendData(settings) {
+  const result = {
+    tokenTrends: null,
+    apiKeysTrends: null,
+    accountTrends: null
+  }
+
+  try {
+    const client = redis.getClientSafe()
+    const days = 7
+
+    // 生成最近7天的日期列表
+    const dates = []
+    for (let i = days - 1; i >= 0; i--) {
+      const date = new Date()
+      date.setDate(date.getDate() - i)
+      dates.push(redis.getDateStringInTimezone(date))
+    }
+
+    // Token使用趋势
+    if (settings.publicStatsShowTokenTrends) {
+      const tokenTrends = []
+      for (const dateStr of dates) {
+        const pattern = `usage:model:daily:*:${dateStr}`
+        const keys = await client.keys(pattern)
+
+        let dayTokens = 0
+        let dayRequests = 0
+        for (const key of keys) {
+          const data = await client.hgetall(key)
+          if (data) {
+            dayTokens += (parseInt(data.inputTokens) || 0) + (parseInt(data.outputTokens) || 0)
+            dayRequests += parseInt(data.requests) || 0
+          }
+        }
+
+        tokenTrends.push({
+          date: dateStr,
+          tokens: dayTokens,
+          requests: dayRequests
+        })
+      }
+      result.tokenTrends = tokenTrends
+    }
+
+    // API Keys使用趋势（脱敏：只显示总数，不显示具体Key）
+    if (settings.publicStatsShowApiKeysTrends) {
+      const apiKeysTrends = []
+      for (const dateStr of dates) {
+        const pattern = `usage:apikey:daily:*:${dateStr}`
+        const keys = await client.keys(pattern)
+
+        let dayRequests = 0
+        let dayTokens = 0
+        let activeKeys = 0
+
+        for (const key of keys) {
+          const data = await client.hgetall(key)
+          if (data) {
+            const requests = parseInt(data.requests) || 0
+            if (requests > 0) {
+              activeKeys++
+              dayRequests += requests
+              dayTokens += (parseInt(data.inputTokens) || 0) + (parseInt(data.outputTokens) || 0)
+            }
+          }
+        }
+
+        apiKeysTrends.push({
+          date: dateStr,
+          activeKeys,
+          requests: dayRequests,
+          tokens: dayTokens
+        })
+      }
+      result.apiKeysTrends = apiKeysTrends
+    }
+
+    // 账号使用趋势（脱敏：只显示总数，不显示具体账号）
+    if (settings.publicStatsShowAccountTrends) {
+      const accountTrends = []
+      for (const dateStr of dates) {
+        const pattern = `usage:account:daily:*:${dateStr}`
+        const keys = await client.keys(pattern)
+
+        let dayRequests = 0
+        let dayTokens = 0
+        let activeAccounts = 0
+
+        for (const key of keys) {
+          const data = await client.hgetall(key)
+          if (data) {
+            const requests = parseInt(data.requests) || 0
+            if (requests > 0) {
+              activeAccounts++
+              dayRequests += requests
+              dayTokens += (parseInt(data.inputTokens) || 0) + (parseInt(data.outputTokens) || 0)
+            }
+          }
+        }
+
+        accountTrends.push({
+          date: dateStr,
+          activeAccounts,
+          requests: dayRequests,
+          tokens: dayTokens
+        })
+      }
+      result.accountTrends = accountTrends
+    }
+  } catch (error) {
+    logger.warn('⚠️ Failed to get public trend data:', error.message)
+  }
+
+  return result
+}
+
 module.exports = router
--- a/src/routes/api.js
+++ b/src/routes/api.js
@@ -20,6 +20,11 @@ const {
  sendMockWarmupStream
 } = require('../utils/warmupInterceptor')
 const { sanitizeUpstreamError } = require('../utils/errorSanitizer')
+const { dumpAnthropicMessagesRequest } = require('../utils/anthropicRequestDump')
+const {
+  handleAnthropicMessagesToGemini,
+  handleAnthropicCountTokensToGemini
+} = require('../services/anthropicGeminiBridgeService')
 const router = express.Router()

 function queueRateLimitUpdate(rateLimitInfo, usageSummary, model, context = '') {
@@ -117,20 +122,6 @@ async function handleMessagesRequest(req, res) {
  try {
    const startTime = Date.now()

-    // Claude 服务权限校验，阻止未授权的 Key
-    if (
-      req.apiKey.permissions &&
-      req.apiKey.permissions !== 'all' &&
-      req.apiKey.permissions !== 'claude'
-    ) {
-      return res.status(403).json({
-        error: {
-          type: 'permission_error',
-          message: '此 API Key 无权访问 Claude 服务'
-        }
-      })
-    }
-
    // 🔄 并发满额重试标志：最多重试一次（使用req对象存储状态）
    if (req._concurrencyRetryAttempted === undefined) {
      req._concurrencyRetryAttempted = false
@@ -175,6 +166,45 @@ async function handleMessagesRequest(req, res) {
      }
    }

+    const forcedVendor = req._anthropicVendor || null
+    logger.api('📥 /v1/messages request received', {
+      model: req.body.model || null,
+      forcedVendor,
+      stream: req.body.stream === true
+    })
+
+    dumpAnthropicMessagesRequest(req, {
+      route: '/v1/messages',
+      forcedVendor,
+      model: req.body?.model || null,
+      stream: req.body?.stream === true
+    })
+
+    // /v1/messages 的扩展：按路径强制分流到 Gemini OAuth 账户（避免 model 前缀混乱）
+    if (forcedVendor === 'gemini-cli' || forcedVendor === 'antigravity') {
+      if (!apiKeyService.hasPermission(req.apiKey?.permissions, 'gemini')) {
+        return res.status(403).json({
+          error: {
+            type: 'permission_error',
+            message: '此 API Key 无权访问 Gemini 服务'
+          }
+        })
+      }
+
+      const baseModel = (req.body.model || '').trim()
+      return await handleAnthropicMessagesToGemini(req, res, { vendor: forcedVendor, baseModel })
+    }
+
+    // Claude 服务权限校验，阻止未授权的 Key（默认路径保持不变）
+    if (!apiKeyService.hasPermission(req.apiKey.permissions, 'claude')) {
+      return res.status(403).json({
+        error: {
+          type: 'permission_error',
+          message: '此 API Key 无权访问 Claude 服务'
+        }
+      })
+    }
+
    // 检查是否为流式请求
    const isStream = req.body.stream === true

@@ -1024,8 +1054,8 @@ async function handleMessagesRequest(req, res) {
          const cacheReadTokens = jsonData.usage.cache_read_input_tokens || 0
          // Parse the model to remove vendor prefix if present (e.g., "ccr,gemini-2.5-pro" -> "gemini-2.5-pro")
          const rawModel = jsonData.model || req.body.model || 'unknown'
-          const { baseModel } = parseVendorPrefixedModel(rawModel)
-          const model = baseModel || rawModel
+          const { baseModel: usageBaseModel } = parseVendorPrefixedModel(rawModel)
+          const model = usageBaseModel || rawModel

          // 记录真实的token使用量（包含模型信息和所有4种token以及账户ID）
          const { accountId: responseAccountId } = response
@@ -1201,6 +1231,65 @@ router.post('/claude/v1/messages', authenticateApiKey, handleMessagesRequest)
 // 📋 模型列表端点 - 支持 Claude, OpenAI, Gemini
 router.get('/v1/models', authenticateApiKey, async (req, res) => {
  try {
+    // Claude Code / Anthropic baseUrl 的分流：/antigravity/api/v1/models 返回 Antigravity 实时模型列表
+    //（通过 v1internal:fetchAvailableModels），避免依赖静态 modelService 列表。
+    const forcedVendor = req._anthropicVendor || null
+    if (forcedVendor === 'antigravity') {
+      if (!apiKeyService.hasPermission(req.apiKey?.permissions, 'gemini')) {
+        return res.status(403).json({
+          error: {
+            type: 'permission_error',
+            message: '此 API Key 无权访问 Gemini 服务'
+          }
+        })
+      }
+
+      const unifiedGeminiScheduler = require('../services/unifiedGeminiScheduler')
+      const geminiAccountService = require('../services/geminiAccountService')
+
+      let accountSelection
+      try {
+        accountSelection = await unifiedGeminiScheduler.selectAccountForApiKey(
+          req.apiKey,
+          null,
+          null,
+          { oauthProvider: 'antigravity' }
+        )
+      } catch (error) {
+        logger.error('Failed to select Gemini OAuth account (antigravity models):', error)
+        return res.status(503).json({ error: 'No available Gemini OAuth accounts' })
+      }
+
+      const account = await geminiAccountService.getAccount(accountSelection.accountId)
+      if (!account) {
+        return res.status(503).json({ error: 'Gemini OAuth account not found' })
+      }
+
+      let proxyConfig = null
+      if (account.proxy) {
+        try {
+          proxyConfig =
+            typeof account.proxy === 'string' ? JSON.parse(account.proxy) : account.proxy
+        } catch (e) {
+          logger.warn('Failed to parse proxy configuration:', e)
+        }
+      }
+
+      const models = await geminiAccountService.fetchAvailableModelsAntigravity(
+        account.accessToken,
+        proxyConfig,
+        account.refreshToken
+      )
+
+      // 可选：根据 API Key 的模型限制过滤（黑名单语义）
+      let filteredModels = models
+      if (req.apiKey.enableModelRestriction && req.apiKey.restrictedModels?.length > 0) {
+        filteredModels = models.filter((model) => !req.apiKey.restrictedModels.includes(model.id))
+      }
+
+      return res.json({ object: 'list', data: filteredModels })
+    }
+
    const modelService = require('../services/modelService')

    // 从 modelService 获取所有支持的模型
@@ -1337,12 +1426,23 @@ router.get('/v1/organizations/:org_id/usage', authenticateApiKey, async (req, re

 // 🔢 Token计数端点 - count_tokens beta API
 router.post('/v1/messages/count_tokens', authenticateApiKey, async (req, res) => {
+  // 按路径强制分流到 Gemini OAuth 账户（避免 model 前缀混乱）
+  const forcedVendor = req._anthropicVendor || null
+  if (forcedVendor === 'gemini-cli' || forcedVendor === 'antigravity') {
+    if (!apiKeyService.hasPermission(req.apiKey?.permissions, 'gemini')) {
+      return res.status(403).json({
+        error: {
+          type: 'permission_error',
+          message: 'This API key does not have permission to access Gemini'
+        }
+      })
+    }
+
+    return await handleAnthropicCountTokensToGemini(req, res, { vendor: forcedVendor })
+  }
+
  // 检查权限
-  if (
-    req.apiKey.permissions &&
-    req.apiKey.permissions !== 'all' &&
-    req.apiKey.permissions !== 'claude'
-  ) {
+  if (!apiKeyService.hasPermission(req.apiKey.permissions, 'claude')) {
    return res.status(403).json({
      error: {
        type: 'permission_error',
--- a/src/routes/droidRoutes.js
+++ b/src/routes/droidRoutes.js
@@ -4,12 +4,12 @@ const { authenticateApiKey } = require('../middleware/auth')
 const droidRelayService = require('../services/droidRelayService')
 const sessionHelper = require('../utils/sessionHelper')
 const logger = require('../utils/logger')
+const apiKeyService = require('../services/apiKeyService')

 const router = express.Router()

 function hasDroidPermission(apiKeyData) {
-  const permissions = apiKeyData?.permissions || 'all'
-  return permissions === 'all' || permissions === 'droid'
+  return apiKeyService.hasPermission(apiKeyData?.permissions, 'droid')
 }

 /**
--- a/src/routes/openaiClaudeRoutes.js
+++ b/src/routes/openaiClaudeRoutes.js
@@ -19,8 +19,7 @@ const { getEffectiveModel } = require('../utils/modelHelper')

 // 🔧 辅助函数：检查 API Key 权限
 function checkPermissions(apiKeyData, requiredPermission = 'claude') {
-  const permissions = apiKeyData.permissions || 'all'
-  return permissions === 'all' || permissions === requiredPermission
+  return apiKeyService.hasPermission(apiKeyData?.permissions, requiredPermission)
 }

 function queueRateLimitUpdate(rateLimitInfo, usageSummary, model, context = '') {
--- a/src/routes/openaiGeminiRoutes.js
+++ b/src/routes/openaiGeminiRoutes.js
@@ -6,6 +6,7 @@ const geminiAccountService = require('../services/geminiAccountService')
 const unifiedGeminiScheduler = require('../services/unifiedGeminiScheduler')
 const { getAvailableModels } = require('../services/geminiRelayService')
 const crypto = require('crypto')
+const apiKeyService = require('../services/apiKeyService')

 // 生成会话哈希
 function generateSessionHash(req) {
@@ -19,10 +20,19 @@ function generateSessionHash(req) {
  return crypto.createHash('sha256').update(sessionData).digest('hex')
 }

+function ensureAntigravityProjectId(account) {
+  if (account.projectId) {
+    return account.projectId
+  }
+  if (account.tempProjectId) {
+    return account.tempProjectId
+  }
+  return `ag-${crypto.randomBytes(8).toString('hex')}`
+}
+
 // 检查 API Key 权限
 function checkPermissions(apiKeyData, requiredPermission = 'gemini') {
-  const permissions = apiKeyData.permissions || 'all'
-  return permissions === 'all' || permissions === requiredPermission
+  return apiKeyService.hasPermission(apiKeyData?.permissions, requiredPermission)
 }

 // 转换 OpenAI 消息格式到 Gemini 格式
@@ -335,25 +345,48 @@ router.post('/v1/chat/completions', authenticateApiKey, async (req, res) => {
    const client = await geminiAccountService.getOauthClient(
      account.accessToken,
      account.refreshToken,
-      proxyConfig
+      proxyConfig,
+      account.oauthProvider
    )
    if (actualStream) {
      // 流式响应
+      const oauthProvider = account.oauthProvider || 'gemini-cli'
+      let { projectId } = account
+
+      if (oauthProvider === 'antigravity') {
+        projectId = ensureAntigravityProjectId(account)
+        if (!account.projectId && account.tempProjectId !== projectId) {
+          await geminiAccountService.updateTempProjectId(account.id, projectId)
+          account.tempProjectId = projectId
+        }
+      }
+
      logger.info('StreamGenerateContent request', {
        model,
-        projectId: account.projectId,
+        projectId,
        apiKeyId: apiKeyData.id
      })

-      const streamResponse = await geminiAccountService.generateContentStream(
-        client,
-        { model, request: geminiRequestBody },
-        null, // user_prompt_id
-        account.projectId, // 使用有权限的项目ID
-        apiKeyData.id, // 使用 API Key ID 作为 session ID
-        abortController.signal, // 传递中止信号
-        proxyConfig // 传递代理配置
-      )
+      const streamResponse =
+        oauthProvider === 'antigravity'
+          ? await geminiAccountService.generateContentStreamAntigravity(
+              client,
+              { model, request: geminiRequestBody },
+              null, // user_prompt_id
+              projectId,
+              apiKeyData.id, // 使用 API Key ID 作为 session ID
+              abortController.signal, // 传递中止信号
+              proxyConfig // 传递代理配置
+            )
+          : await geminiAccountService.generateContentStream(
+              client,
+              { model, request: geminiRequestBody },
+              null, // user_prompt_id
+              projectId, // 使用有权限的项目ID
+              apiKeyData.id, // 使用 API Key ID 作为 session ID
+              abortController.signal, // 传递中止信号
+              proxyConfig // 传递代理配置
+            )

      // 设置流式响应头
      res.setHeader('Content-Type', 'text/event-stream')
@@ -499,7 +532,6 @@ router.post('/v1/chat/completions', authenticateApiKey, async (req, res) => {
        // 记录使用统计
        if (!usageReported && totalUsage.totalTokenCount > 0) {
          try {
-            const apiKeyService = require('../services/apiKeyService')
            await apiKeyService.recordUsage(
              apiKeyData.id,
              totalUsage.promptTokenCount || 0,
@@ -559,20 +591,41 @@ router.post('/v1/chat/completions', authenticateApiKey, async (req, res) => {
      })
    } else {
      // 非流式响应
+      const oauthProvider = account.oauthProvider || 'gemini-cli'
+      let { projectId } = account
+
+      if (oauthProvider === 'antigravity') {
+        projectId = ensureAntigravityProjectId(account)
+        if (!account.projectId && account.tempProjectId !== projectId) {
+          await geminiAccountService.updateTempProjectId(account.id, projectId)
+          account.tempProjectId = projectId
+        }
+      }
+
      logger.info('GenerateContent request', {
        model,
-        projectId: account.projectId,
+        projectId,
        apiKeyId: apiKeyData.id
      })

-      const response = await geminiAccountService.generateContent(
-        client,
-        { model, request: geminiRequestBody },
-        null, // user_prompt_id
-        account.projectId, // 使用有权限的项目ID
-        apiKeyData.id, // 使用 API Key ID 作为 session ID
-        proxyConfig // 传递代理配置
-      )
+      const response =
+        oauthProvider === 'antigravity'
+          ? await geminiAccountService.generateContentAntigravity(
+              client,
+              { model, request: geminiRequestBody },
+              null, // user_prompt_id
+              projectId,
+              apiKeyData.id, // 使用 API Key ID 作为 session ID
+              proxyConfig // 传递代理配置
+            )
+          : await geminiAccountService.generateContent(
+              client,
+              { model, request: geminiRequestBody },
+              null, // user_prompt_id
+              projectId, // 使用有权限的项目ID
+              apiKeyData.id, // 使用 API Key ID 作为 session ID
+              proxyConfig // 传递代理配置
+            )

      // 转换为 OpenAI 格式并返回
      const openaiResponse = convertGeminiResponseToOpenAI(response, model, false)
@@ -580,7 +633,6 @@ router.post('/v1/chat/completions', authenticateApiKey, async (req, res) => {
      // 记录使用统计
      if (openaiResponse.usage) {
        try {
-          const apiKeyService = require('../services/apiKeyService')
          await apiKeyService.recordUsage(
            apiKeyData.id,
            openaiResponse.usage.prompt_tokens || 0,
@@ -604,7 +656,15 @@ router.post('/v1/chat/completions', authenticateApiKey, async (req, res) => {
    const duration = Date.now() - startTime
    logger.info(`OpenAI-Gemini request completed in ${duration}ms`)
  } catch (error) {
-    logger.error('OpenAI-Gemini request error:', error)
+    const statusForLog = error?.status || error?.response?.status
+    logger.error('OpenAI-Gemini request error', {
+      message: error?.message,
+      status: statusForLog,
+      code: error?.code,
+      requestUrl: error?.config?.url,
+      requestMethod: error?.config?.method,
+      upstreamTraceId: error?.response?.headers?.['x-cloudaicompanion-trace-id']
+    })

    // 处理速率限制
    if (error.status === 429) {
@@ -665,8 +725,21 @@ router.get('/v1/models', authenticateApiKey, async (req, res) => {
    let models = []

    if (account) {
-      // 获取实际的模型列表
-      models = await getAvailableModels(account.accessToken, account.proxy)
+      // 获取实际的模型列表（失败时回退到默认列表，避免影响 /v1/models 可用性）
+      try {
+        const oauthProvider = account.oauthProvider || 'gemini-cli'
+        models =
+          oauthProvider === 'antigravity'
+            ? await geminiAccountService.fetchAvailableModelsAntigravity(
+                account.accessToken,
+                account.proxy,
+                account.refreshToken
+              )
+            : await getAvailableModels(account.accessToken, account.proxy)
+      } catch (error) {
+        logger.warn('Failed to get Gemini models list from upstream, fallback to default:', error)
+        models = []
+      }
    } else {
      // 返回默认模型列表
      models = [
@@ -679,6 +752,17 @@ router.get('/v1/models', authenticateApiKey, async (req, res) => {
      ]
    }

+    if (!models || models.length === 0) {
+      models = [
+        {
+          id: 'gemini-2.0-flash-exp',
+          object: 'model',
+          created: Math.floor(Date.now() / 1000),
+          owned_by: 'google'
+        }
+      ]
+    }
+
    // 如果启用了模型限制，过滤模型列表
    if (apiKeyData.enableModelRestriction && apiKeyData.restrictedModels.length > 0) {
      models = models.filter((model) => apiKeyData.restrictedModels.includes(model.id))
--- a/src/routes/openaiRoutes.js
+++ b/src/routes/openaiRoutes.js
@@ -20,8 +20,7 @@ function createProxyAgent(proxy) {

 // 检查 API Key 是否具备 OpenAI 权限
 function checkOpenAIPermissions(apiKeyData) {
-  const permissions = apiKeyData?.permissions || 'all'
-  return permissions === 'all' || permissions === 'openai'
+  return apiKeyService.hasPermission(apiKeyData?.permissions, 'openai')
 }

 function normalizeHeaders(headers = {}) {
--- a/src/routes/unified.js
+++ b/src/routes/unified.js
@@ -8,6 +8,7 @@ const {
  handleStreamGenerateContent: geminiHandleStreamGenerateContent
 } = require('../handlers/geminiHandlers')
 const openaiRoutes = require('./openaiRoutes')
+const apiKeyService = require('../services/apiKeyService')

 const router = express.Router()

@@ -45,11 +46,11 @@ async function routeToBackend(req, res, requestedModel) {
  logger.info(`🔀 Routing request - Model: ${requestedModel}, Backend: ${backend}`)

  // 检查权限
-  const permissions = req.apiKey.permissions || 'all'
+  const { permissions } = req.apiKey

  if (backend === 'claude') {
    // Claude 后端：通过 OpenAI 兼容层
-    if (permissions !== 'all' && permissions !== 'claude') {
+    if (!apiKeyService.hasPermission(permissions, 'claude')) {
      return res.status(403).json({
        error: {
          message: 'This API key does not have permission to access Claude',
@@ -61,7 +62,7 @@ async function routeToBackend(req, res, requestedModel) {
    await handleChatCompletion(req, res, req.apiKey)
  } else if (backend === 'openai') {
    // OpenAI 后端
-    if (permissions !== 'all' && permissions !== 'openai') {
+    if (!apiKeyService.hasPermission(permissions, 'openai')) {
      return res.status(403).json({
        error: {
          message: 'This API key does not have permission to access OpenAI',
@@ -73,7 +74,7 @@ async function routeToBackend(req, res, requestedModel) {
    return await openaiRoutes.handleResponses(req, res)
  } else if (backend === 'gemini') {
    // Gemini 后端
-    if (permissions !== 'all' && permissions !== 'gemini') {
+    if (!apiKeyService.hasPermission(permissions, 'gemini')) {
      return res.status(403).json({
        error: {
          message: 'This API key does not have permission to access Gemini',
--- a/src/routes/web.js
+++ b/src/routes/web.js
@@ -164,13 +164,27 @@ router.post('/auth/change-password', async (req, res) => {

    // 获取当前会话
    const sessionData = await redis.getSession(token)
-    if (!sessionData) {
+
+    // 🔒 安全修复：检查空对象
+    if (!sessionData || Object.keys(sessionData).length === 0) {
      return res.status(401).json({
        error: 'Invalid token',
        message: 'Session expired or invalid'
      })
    }

+    // 🔒 安全修复：验证会话完整性
+    if (!sessionData.username || !sessionData.loginTime) {
+      logger.security(
+        `🔒 Invalid session structure in /auth/change-password from ${req.ip || 'unknown'}`
+      )
+      await redis.deleteSession(token)
+      return res.status(401).json({
+        error: 'Invalid session',
+        message: 'Session data corrupted or incomplete'
+      })
+    }
+
    // 获取当前管理员信息
    const adminData = await redis.getSession('admin_credentials')
    if (!adminData) {
@@ -269,13 +283,25 @@ router.get('/auth/user', async (req, res) => {

    // 获取当前会话
    const sessionData = await redis.getSession(token)
-    if (!sessionData) {
+
+    // 🔒 安全修复：检查空对象
+    if (!sessionData || Object.keys(sessionData).length === 0) {
      return res.status(401).json({
        error: 'Invalid token',
        message: 'Session expired or invalid'
      })
    }

+    // 🔒 安全修复：验证会话完整性
+    if (!sessionData.username || !sessionData.loginTime) {
+      logger.security(`🔒 Invalid session structure in /auth/user from ${req.ip || 'unknown'}`)
+      await redis.deleteSession(token)
+      return res.status(401).json({
+        error: 'Invalid session',
+        message: 'Session data corrupted or incomplete'
+      })
+    }
+
    // 获取管理员信息
    const adminData = await redis.getSession('admin_credentials')
    if (!adminData) {
@@ -316,13 +342,24 @@ router.post('/auth/refresh', async (req, res) => {

    const sessionData = await redis.getSession(token)

-    if (!sessionData) {
+    // 🔒 安全修复：检查空对象（hgetall 对不存在的 key 返回 {}）
+    if (!sessionData || Object.keys(sessionData).length === 0) {
      return res.status(401).json({
        error: 'Invalid token',
        message: 'Session expired or invalid'
      })
    }

+    // 🔒 安全修复：验证会话完整性（必须有 username 和 loginTime）
+    if (!sessionData.username || !sessionData.loginTime) {
+      logger.security(`🔒 Invalid session structure detected from ${req.ip || 'unknown'}`)
+      await redis.deleteSession(token) // 清理无效/伪造的会话
+      return res.status(401).json({
+        error: 'Invalid session',
+        message: 'Session data corrupted or incomplete'
+      })
+    }
+
    // 更新最后活动时间
    sessionData.lastActivity = new Date().toISOString()
    await redis.setSession(token, sessionData, config.security.adminSessionTimeout)
--- a/src/services/accountBalanceService.js
+++ b/src/services/accountBalanceService.js
@@ -0,0 +1,748 @@
+const redis = require('../models/redis')
+const balanceScriptService = require('./balanceScriptService')
+const logger = require('../utils/logger')
+const CostCalculator = require('../utils/costCalculator')
+const { isBalanceScriptEnabled } = require('../utils/featureFlags')
+
+class AccountBalanceService {
+  constructor(options = {}) {
+    this.redis = options.redis || redis
+    this.logger = options.logger || logger
+
+    this.providers = new Map()
+
+    this.CACHE_TTL_SECONDS = 3600
+    this.LOCAL_TTL_SECONDS = 300
+
+    this.LOW_BALANCE_THRESHOLD = 10
+    this.HIGH_USAGE_THRESHOLD_PERCENT = 90
+    this.DEFAULT_CONCURRENCY = 10
+  }
+
+  getSupportedPlatforms() {
+    return [
+      'claude',
+      'claude-console',
+      'gemini',
+      'gemini-api',
+      'openai',
+      'openai-responses',
+      'azure_openai',
+      'bedrock',
+      'droid',
+      'ccr'
+    ]
+  }
+
+  normalizePlatform(platform) {
+    if (!platform) {
+      return null
+    }
+
+    const value = String(platform).trim().toLowerCase()
+
+    // 兼容实施文档与历史命名
+    if (value === 'claude-official') {
+      return 'claude'
+    }
+    if (value === 'azure-openai') {
+      return 'azure_openai'
+    }
+
+    // 保持前端平台键一致
+    return value
+  }
+
+  registerProvider(platform, provider) {
+    const normalized = this.normalizePlatform(platform)
+    if (!normalized) {
+      throw new Error('registerProvider: 缺少 platform')
+    }
+    if (!provider || typeof provider.queryBalance !== 'function') {
+      throw new Error(`registerProvider: Provider 无效 (${normalized})`)
+    }
+    this.providers.set(normalized, provider)
+  }
+
+  async getAccountBalance(accountId, platform, options = {}) {
+    const normalizedPlatform = this.normalizePlatform(platform)
+    const account = await this.getAccount(accountId, normalizedPlatform)
+    if (!account) {
+      return null
+    }
+    return await this._getAccountBalanceForAccount(account, normalizedPlatform, options)
+  }
+
+  async refreshAccountBalance(accountId, platform) {
+    const normalizedPlatform = this.normalizePlatform(platform)
+    const account = await this.getAccount(accountId, normalizedPlatform)
+    if (!account) {
+      return null
+    }
+
+    return await this._getAccountBalanceForAccount(account, normalizedPlatform, {
+      queryApi: true,
+      useCache: false
+    })
+  }
+
+  async getAllAccountsBalance(platform, options = {}) {
+    const normalizedPlatform = this.normalizePlatform(platform)
+    const accounts = await this.getAllAccountsByPlatform(normalizedPlatform)
+    const queryApi = this._parseBoolean(options.queryApi) || false
+    const useCache = options.useCache !== false
+
+    const results = await this._mapWithConcurrency(
+      accounts,
+      this.DEFAULT_CONCURRENCY,
+      async (acc) => {
+        try {
+          const balance = await this._getAccountBalanceForAccount(acc, normalizedPlatform, {
+            queryApi,
+            useCache
+          })
+          return { ...balance, name: acc.name || '' }
+        } catch (error) {
+          this.logger.error(`批量获取余额失败: ${normalizedPlatform}:${acc?.id}`, error)
+          return {
+            success: true,
+            data: {
+              accountId: acc?.id,
+              platform: normalizedPlatform,
+              balance: null,
+              quota: null,
+              statistics: {},
+              source: 'local',
+              lastRefreshAt: new Date().toISOString(),
+              cacheExpiresAt: null,
+              status: 'error',
+              error: error.message || '批量查询失败'
+            },
+            name: acc?.name || ''
+          }
+        }
+      }
+    )
+
+    return results
+  }
+
+  async getBalanceSummary() {
+    const platforms = this.getSupportedPlatforms()
+
+    const summary = {
+      totalBalance: 0,
+      totalCost: 0,
+      lowBalanceCount: 0,
+      platforms: {}
+    }
+
+    for (const platform of platforms) {
+      const accounts = await this.getAllAccountsByPlatform(platform)
+      const platformData = {
+        count: accounts.length,
+        totalBalance: 0,
+        totalCost: 0,
+        lowBalanceCount: 0,
+        accounts: []
+      }
+
+      const balances = await this._mapWithConcurrency(
+        accounts,
+        this.DEFAULT_CONCURRENCY,
+        async (acc) => {
+          const balance = await this._getAccountBalanceForAccount(acc, platform, {
+            queryApi: false,
+            useCache: true
+          })
+          return { ...balance, name: acc.name || '' }
+        }
+      )
+
+      for (const item of balances) {
+        platformData.accounts.push(item)
+
+        const amount = item?.data?.balance?.amount
+        const percentage = item?.data?.quota?.percentage
+        const totalCost = Number(item?.data?.statistics?.totalCost || 0)
+
+        const hasAmount = typeof amount === 'number' && Number.isFinite(amount)
+        const isLowBalance = hasAmount && amount < this.LOW_BALANCE_THRESHOLD
+        const isHighUsage =
+          typeof percentage === 'number' &&
+          Number.isFinite(percentage) &&
+          percentage > this.HIGH_USAGE_THRESHOLD_PERCENT
+
+        if (hasAmount) {
+          platformData.totalBalance += amount
+        }
+
+        if (isLowBalance || isHighUsage) {
+          platformData.lowBalanceCount += 1
+          summary.lowBalanceCount += 1
+        }
+
+        platformData.totalCost += totalCost
+      }
+
+      summary.platforms[platform] = platformData
+      summary.totalBalance += platformData.totalBalance
+      summary.totalCost += platformData.totalCost
+    }
+
+    return summary
+  }
+
+  async clearCache(accountId, platform) {
+    const normalizedPlatform = this.normalizePlatform(platform)
+    if (!normalizedPlatform) {
+      throw new Error('缺少 platform 参数')
+    }
+
+    await this.redis.deleteAccountBalance(normalizedPlatform, accountId)
+    this.logger.info(`余额缓存已清除: ${normalizedPlatform}:${accountId}`)
+  }
+
+  async getAccount(accountId, platform) {
+    if (!accountId || !platform) {
+      return null
+    }
+
+    const serviceMap = {
+      claude: require('./claudeAccountService'),
+      'claude-console': require('./claudeConsoleAccountService'),
+      gemini: require('./geminiAccountService'),
+      'gemini-api': require('./geminiApiAccountService'),
+      openai: require('./openaiAccountService'),
+      'openai-responses': require('./openaiResponsesAccountService'),
+      azure_openai: require('./azureOpenaiAccountService'),
+      bedrock: require('./bedrockAccountService'),
+      droid: require('./droidAccountService'),
+      ccr: require('./ccrAccountService')
+    }
+
+    const service = serviceMap[platform]
+    if (!service || typeof service.getAccount !== 'function') {
+      return null
+    }
+
+    return await service.getAccount(accountId)
+  }
+
+  async getAllAccountsByPlatform(platform) {
+    if (!platform) {
+      return []
+    }
+
+    const serviceMap = {
+      claude: require('./claudeAccountService'),
+      'claude-console': require('./claudeConsoleAccountService'),
+      gemini: require('./geminiAccountService'),
+      'gemini-api': require('./geminiApiAccountService'),
+      openai: require('./openaiAccountService'),
+      'openai-responses': require('./openaiResponsesAccountService'),
+      azure_openai: require('./azureOpenaiAccountService'),
+      bedrock: require('./bedrockAccountService'),
+      droid: require('./droidAccountService'),
+      ccr: require('./ccrAccountService')
+    }
+
+    const service = serviceMap[platform]
+    if (!service) {
+      return []
+    }
+
+    // Bedrock 特殊：返回 { success, data }
+    if (platform === 'bedrock' && typeof service.getAllAccounts === 'function') {
+      const result = await service.getAllAccounts()
+      return result?.success ? result.data || [] : []
+    }
+
+    if (platform === 'openai-responses') {
+      return await service.getAllAccounts(true)
+    }
+
+    if (typeof service.getAllAccounts !== 'function') {
+      return []
+    }
+
+    return await service.getAllAccounts()
+  }
+
+  async _getAccountBalanceForAccount(account, platform, options = {}) {
+    const queryApi = this._parseBoolean(options.queryApi) || false
+    const useCache = options.useCache !== false
+
+    const accountId = account?.id
+    if (!accountId) {
+      throw new Error('账户缺少 id')
+    }
+
+    // 余额脚本配置状态（用于前端控制“刷新余额”按钮）
+    let scriptConfig = null
+    let scriptConfigured = false
+    if (typeof this.redis?.getBalanceScriptConfig === 'function') {
+      scriptConfig = await this.redis.getBalanceScriptConfig(platform, accountId)
+      scriptConfigured = !!(
+        scriptConfig &&
+        scriptConfig.scriptBody &&
+        String(scriptConfig.scriptBody).trim().length > 0
+      )
+    }
+    const scriptEnabled = isBalanceScriptEnabled()
+    const scriptMeta = { scriptEnabled, scriptConfigured }
+
+    const localBalance = await this._getBalanceFromLocal(accountId, platform)
+    const localStatistics = localBalance.statistics || {}
+
+    const quotaFromLocal = this._buildQuotaFromLocal(account, localStatistics)
+
+    // 非强制查询：优先读缓存
+    if (!queryApi) {
+      if (useCache) {
+        const cached = await this.redis.getAccountBalance(platform, accountId)
+        if (cached && cached.status === 'success') {
+          return this._buildResponse(
+            {
+              status: cached.status,
+              errorMessage: cached.errorMessage,
+              balance: quotaFromLocal.balance ?? cached.balance,
+              currency: quotaFromLocal.currency || cached.currency || 'USD',
+              quota: quotaFromLocal.quota || cached.quota || null,
+              statistics: localStatistics,
+              lastRefreshAt: cached.lastRefreshAt
+            },
+            accountId,
+            platform,
+            'cache',
+            cached.ttlSeconds,
+            scriptMeta
+          )
+        }
+      }
+
+      return this._buildResponse(
+        {
+          status: 'success',
+          errorMessage: null,
+          balance: quotaFromLocal.balance,
+          currency: quotaFromLocal.currency || 'USD',
+          quota: quotaFromLocal.quota,
+          statistics: localStatistics,
+          lastRefreshAt: localBalance.lastCalculated
+        },
+        accountId,
+        platform,
+        'local',
+        null,
+        scriptMeta
+      )
+    }
+
+    // 强制查询：优先脚本（如启用且已配置），否则调用 Provider；失败自动降级到本地统计
+    let providerResult
+
+    if (scriptEnabled && scriptConfigured) {
+      providerResult = await this._getBalanceFromScript(scriptConfig, accountId, platform)
+    } else {
+      const provider = this.providers.get(platform)
+      if (!provider) {
+        return this._buildResponse(
+          {
+            status: 'error',
+            errorMessage: `不支持的平台: ${platform}`,
+            balance: quotaFromLocal.balance,
+            currency: quotaFromLocal.currency || 'USD',
+            quota: quotaFromLocal.quota,
+            statistics: localStatistics,
+            lastRefreshAt: new Date().toISOString()
+          },
+          accountId,
+          platform,
+          'local',
+          null,
+          scriptMeta
+        )
+      }
+      providerResult = await this._getBalanceFromProvider(provider, account)
+    }
+
+    const isRemoteSuccess =
+      providerResult.status === 'success' && ['api', 'script'].includes(providerResult.queryMethod)
+
+    // 仅缓存“真实远程查询成功”的结果，避免把字段/本地降级结果当作 API 结果缓存 1h
+    if (isRemoteSuccess) {
+      await this.redis.setAccountBalance(
+        platform,
+        accountId,
+        providerResult,
+        this.CACHE_TTL_SECONDS
+      )
+    }
+
+    const source = isRemoteSuccess ? 'api' : 'local'
+
+    return this._buildResponse(
+      {
+        status: providerResult.status,
+        errorMessage: providerResult.errorMessage,
+        balance: quotaFromLocal.balance ?? providerResult.balance,
+        currency: quotaFromLocal.currency || providerResult.currency || 'USD',
+        quota: quotaFromLocal.quota || providerResult.quota || null,
+        statistics: localStatistics,
+        lastRefreshAt: providerResult.lastRefreshAt
+      },
+      accountId,
+      platform,
+      source,
+      null,
+      scriptMeta
+    )
+  }
+
+  async _getBalanceFromScript(scriptConfig, accountId, platform) {
+    try {
+      const result = await balanceScriptService.execute({
+        scriptBody: scriptConfig.scriptBody,
+        timeoutSeconds: scriptConfig.timeoutSeconds || 10,
+        variables: {
+          baseUrl: scriptConfig.baseUrl || '',
+          apiKey: scriptConfig.apiKey || '',
+          token: scriptConfig.token || '',
+          accountId,
+          platform,
+          extra: scriptConfig.extra || ''
+        }
+      })
+
+      const mapped = result?.mapped || {}
+      return {
+        status: mapped.status || 'error',
+        balance: typeof mapped.balance === 'number' ? mapped.balance : null,
+        currency: mapped.currency || 'USD',
+        quota: mapped.quota || null,
+        queryMethod: 'api',
+        rawData: mapped.rawData || result?.response?.data || null,
+        lastRefreshAt: new Date().toISOString(),
+        errorMessage: mapped.errorMessage || ''
+      }
+    } catch (error) {
+      return {
+        status: 'error',
+        balance: null,
+        currency: 'USD',
+        quota: null,
+        queryMethod: 'api',
+        rawData: null,
+        lastRefreshAt: new Date().toISOString(),
+        errorMessage: error.message || '脚本执行失败'
+      }
+    }
+  }
+
+  async _getBalanceFromProvider(provider, account) {
+    try {
+      const result = await provider.queryBalance(account)
+      return {
+        status: 'success',
+        balance: typeof result?.balance === 'number' ? result.balance : null,
+        currency: result?.currency || 'USD',
+        quota: result?.quota || null,
+        queryMethod: result?.queryMethod || 'api',
+        rawData: result?.rawData || null,
+        lastRefreshAt: new Date().toISOString(),
+        errorMessage: ''
+      }
+    } catch (error) {
+      return {
+        status: 'error',
+        balance: null,
+        currency: 'USD',
+        quota: null,
+        queryMethod: 'api',
+        rawData: null,
+        lastRefreshAt: new Date().toISOString(),
+        errorMessage: error.message || '查询失败'
+      }
+    }
+  }
+
+  async _getBalanceFromLocal(accountId, platform) {
+    const cached = await this.redis.getLocalBalance(platform, accountId)
+    if (cached && cached.statistics) {
+      return cached
+    }
+
+    const statistics = await this._computeLocalStatistics(accountId)
+    const localBalance = {
+      status: 'success',
+      balance: null,
+      currency: 'USD',
+      statistics,
+      queryMethod: 'local',
+      lastCalculated: new Date().toISOString()
+    }
+
+    await this.redis.setLocalBalance(platform, accountId, localBalance, this.LOCAL_TTL_SECONDS)
+    return localBalance
+  }
+
+  async _computeLocalStatistics(accountId) {
+    const safeNumber = (value) => {
+      const num = Number(value)
+      return Number.isFinite(num) ? num : 0
+    }
+
+    try {
+      const usageStats = await this.redis.getAccountUsageStats(accountId)
+      const dailyCost = safeNumber(usageStats?.daily?.cost || 0)
+      const monthlyCost = await this._computeMonthlyCost(accountId)
+      const totalCost = await this._computeTotalCost(accountId)
+
+      return {
+        totalCost,
+        dailyCost,
+        monthlyCost,
+        totalRequests: safeNumber(usageStats?.total?.requests || 0),
+        dailyRequests: safeNumber(usageStats?.daily?.requests || 0),
+        monthlyRequests: safeNumber(usageStats?.monthly?.requests || 0)
+      }
+    } catch (error) {
+      this.logger.debug(`本地统计计算失败: ${accountId}`, error)
+      return {
+        totalCost: 0,
+        dailyCost: 0,
+        monthlyCost: 0,
+        totalRequests: 0,
+        dailyRequests: 0,
+        monthlyRequests: 0
+      }
+    }
+  }
+
+  async _computeMonthlyCost(accountId) {
+    const tzDate = this.redis.getDateInTimezone(new Date())
+    const currentMonth = `${tzDate.getUTCFullYear()}-${String(tzDate.getUTCMonth() + 1).padStart(
+      2,
+      '0'
+    )}`
+
+    const pattern = `account_usage:model:monthly:${accountId}:*:${currentMonth}`
+    return await this._sumModelCostsByKeysPattern(pattern)
+  }
+
+  async _computeTotalCost(accountId) {
+    const pattern = `account_usage:model:monthly:${accountId}:*:*`
+    return await this._sumModelCostsByKeysPattern(pattern)
+  }
+
+  async _sumModelCostsByKeysPattern(pattern) {
+    try {
+      const client = this.redis.getClientSafe()
+      let totalCost = 0
+      let cursor = '0'
+      const scanCount = 200
+      let iterations = 0
+      const maxIterations = 2000
+
+      do {
+        const [nextCursor, keys] = await client.scan(cursor, 'MATCH', pattern, 'COUNT', scanCount)
+        cursor = nextCursor
+        iterations += 1
+
+        if (!keys || keys.length === 0) {
+          continue
+        }
+
+        const pipeline = client.pipeline()
+        keys.forEach((key) => pipeline.hgetall(key))
+        const results = await pipeline.exec()
+
+        for (let i = 0; i < results.length; i += 1) {
+          const [, data] = results[i] || []
+          if (!data || Object.keys(data).length === 0) {
+            continue
+          }
+
+          const parts = String(keys[i]).split(':')
+          const model = parts[4] || 'unknown'
+
+          const usage = {
+            input_tokens: parseInt(data.inputTokens || 0),
+            output_tokens: parseInt(data.outputTokens || 0),
+            cache_creation_input_tokens: parseInt(data.cacheCreateTokens || 0),
+            cache_read_input_tokens: parseInt(data.cacheReadTokens || 0)
+          }
+
+          const costResult = CostCalculator.calculateCost(usage, model)
+          totalCost += costResult.costs.total || 0
+        }
+
+        if (iterations >= maxIterations) {
+          this.logger.warn(`SCAN 次数超过上限，停止汇总：${pattern}`)
+          break
+        }
+      } while (cursor !== '0')
+
+      return totalCost
+    } catch (error) {
+      this.logger.debug(`汇总模型费用失败: ${pattern}`, error)
+      return 0
+    }
+  }
+
+  _buildQuotaFromLocal(account, statistics) {
+    if (!account || !Object.prototype.hasOwnProperty.call(account, 'dailyQuota')) {
+      return { balance: null, currency: null, quota: null }
+    }
+
+    const dailyQuota = Number(account.dailyQuota || 0)
+    const used = Number(statistics?.dailyCost || 0)
+
+    const resetAt = this._computeNextResetAt(account.quotaResetTime || '00:00')
+
+    // 不限制
+    if (!Number.isFinite(dailyQuota) || dailyQuota <= 0) {
+      return {
+        balance: null,
+        currency: 'USD',
+        quota: {
+          daily: Infinity,
+          used,
+          remaining: Infinity,
+          percentage: 0,
+          unlimited: true,
+          resetAt
+        }
+      }
+    }
+
+    const remaining = Math.max(0, dailyQuota - used)
+    const percentage = dailyQuota > 0 ? (used / dailyQuota) * 100 : 0
+
+    return {
+      balance: remaining,
+      currency: 'USD',
+      quota: {
+        daily: dailyQuota,
+        used,
+        remaining,
+        resetAt,
+        percentage: Math.round(percentage * 100) / 100
+      }
+    }
+  }
+
+  _computeNextResetAt(resetTime) {
+    const now = new Date()
+    const tzNow = this.redis.getDateInTimezone(now)
+    const offsetMs = tzNow.getTime() - now.getTime()
+
+    const [h, m] = String(resetTime || '00:00')
+      .split(':')
+      .map((n) => parseInt(n, 10))
+
+    const resetHour = Number.isFinite(h) ? h : 0
+    const resetMinute = Number.isFinite(m) ? m : 0
+
+    const year = tzNow.getUTCFullYear()
+    const month = tzNow.getUTCMonth()
+    const day = tzNow.getUTCDate()
+
+    let resetAtMs = Date.UTC(year, month, day, resetHour, resetMinute, 0, 0) - offsetMs
+    if (resetAtMs <= now.getTime()) {
+      resetAtMs += 24 * 60 * 60 * 1000
+    }
+
+    return new Date(resetAtMs).toISOString()
+  }
+
+  _buildResponse(balanceData, accountId, platform, source, ttlSeconds = null, extraData = {}) {
+    const now = new Date()
+
+    const amount = typeof balanceData.balance === 'number' ? balanceData.balance : null
+    const currency = balanceData.currency || 'USD'
+
+    let cacheExpiresAt = null
+    if (source === 'cache') {
+      const ttl =
+        typeof ttlSeconds === 'number' && ttlSeconds > 0 ? ttlSeconds : this.CACHE_TTL_SECONDS
+      cacheExpiresAt = new Date(Date.now() + ttl * 1000).toISOString()
+    }
+
+    return {
+      success: true,
+      data: {
+        accountId,
+        platform,
+        balance:
+          typeof amount === 'number'
+            ? {
+                amount,
+                currency,
+                formattedAmount: this._formatCurrency(amount, currency)
+              }
+            : null,
+        quota: balanceData.quota || null,
+        statistics: balanceData.statistics || {},
+        source,
+        lastRefreshAt: balanceData.lastRefreshAt || now.toISOString(),
+        cacheExpiresAt,
+        status: balanceData.status || 'success',
+        error: balanceData.errorMessage || null,
+        ...(extraData && typeof extraData === 'object' ? extraData : {})
+      }
+    }
+  }
+
+  _formatCurrency(amount, currency = 'USD') {
+    try {
+      if (typeof amount !== 'number' || !Number.isFinite(amount)) {
+        return 'N/A'
+      }
+      return new Intl.NumberFormat('en-US', { style: 'currency', currency }).format(amount)
+    } catch (error) {
+      return `$${amount.toFixed(2)}`
+    }
+  }
+
+  _parseBoolean(value) {
+    if (typeof value === 'boolean') {
+      return value
+    }
+    if (typeof value !== 'string') {
+      return null
+    }
+    const normalized = value.trim().toLowerCase()
+    if (normalized === 'true' || normalized === '1' || normalized === 'yes') {
+      return true
+    }
+    if (normalized === 'false' || normalized === '0' || normalized === 'no') {
+      return false
+    }
+    return null
+  }
+
+  async _mapWithConcurrency(items, limit, mapper) {
+    const concurrency = Math.max(1, Number(limit) || 1)
+    const list = Array.isArray(items) ? items : []
+
+    const results = new Array(list.length)
+    let nextIndex = 0
+
+    const workers = new Array(Math.min(concurrency, list.length)).fill(null).map(async () => {
+      while (nextIndex < list.length) {
+        const currentIndex = nextIndex
+        nextIndex += 1
+        results[currentIndex] = await mapper(list[currentIndex], currentIndex)
+      }
+    })
+
+    await Promise.all(workers)
+    return results
+  }
+}
+
+const accountBalanceService = new AccountBalanceService()
+module.exports = accountBalanceService
+module.exports.AccountBalanceService = AccountBalanceService
--- a/src/services/anthropicGeminiBridgeService.js
+++ b/src/services/anthropicGeminiBridgeService.js
--- a/src/services/antigravityClient.js
+++ b/src/services/antigravityClient.js
@@ -0,0 +1,559 @@
+const axios = require('axios')
+const https = require('https')
+const { v4: uuidv4 } = require('uuid')
+
+const ProxyHelper = require('../utils/proxyHelper')
+const logger = require('../utils/logger')
+const {
+  mapAntigravityUpstreamModel,
+  normalizeAntigravityModelInput,
+  getAntigravityModelMetadata
+} = require('../utils/antigravityModel')
+const { cleanJsonSchemaForGemini } = require('../utils/geminiSchemaCleaner')
+const { dumpAntigravityUpstreamRequest } = require('../utils/antigravityUpstreamDump')
+
+const keepAliveAgent = new https.Agent({
+  keepAlive: true,
+  keepAliveMsecs: 30000,
+  timeout: 120000,
+  maxSockets: 100,
+  maxFreeSockets: 10
+})
+
+function getAntigravityApiUrl() {
+  return process.env.ANTIGRAVITY_API_URL || 'https://daily-cloudcode-pa.sandbox.googleapis.com'
+}
+
+function normalizeBaseUrl(url) {
+  const str = String(url || '').trim()
+  return str.endsWith('/') ? str.slice(0, -1) : str
+}
+
+function getAntigravityApiUrlCandidates() {
+  const configured = normalizeBaseUrl(getAntigravityApiUrl())
+  const daily = 'https://daily-cloudcode-pa.sandbox.googleapis.com'
+  const prod = 'https://cloudcode-pa.googleapis.com'
+
+  // 若显式配置了自定义 base url，则只使用该地址（不做 fallback，避免意外路由到别的环境）。
+  if (process.env.ANTIGRAVITY_API_URL) {
+    return [configured]
+  }
+
+  // 默认行为：优先 daily（与旧逻辑一致），失败时再尝试 prod（对齐 CLIProxyAPI）。
+  if (configured === normalizeBaseUrl(daily)) {
+    return [configured, prod]
+  }
+  if (configured === normalizeBaseUrl(prod)) {
+    return [configured, daily]
+  }
+
+  return [configured, prod, daily].filter(Boolean)
+}
+
+function getAntigravityHeaders(accessToken, baseUrl) {
+  const resolvedBaseUrl = baseUrl || getAntigravityApiUrl()
+  let host = 'daily-cloudcode-pa.sandbox.googleapis.com'
+  try {
+    host = new URL(resolvedBaseUrl).host || host
+  } catch (e) {
+    // ignore
+  }
+
+  return {
+    Host: host,
+    'User-Agent': process.env.ANTIGRAVITY_USER_AGENT || 'antigravity/1.11.3 windows/amd64',
+    Authorization: `Bearer ${accessToken}`,
+    'Content-Type': 'application/json',
+    'Accept-Encoding': 'gzip'
+  }
+}
+
+function generateAntigravityProjectId() {
+  return `ag-${uuidv4().replace(/-/g, '').slice(0, 16)}`
+}
+
+function generateAntigravitySessionId() {
+  return `sess-${uuidv4()}`
+}
+
+function resolveAntigravityProjectId(projectId, requestData) {
+  const candidate = projectId || requestData?.project || requestData?.projectId || null
+  return candidate || generateAntigravityProjectId()
+}
+
+function resolveAntigravitySessionId(sessionId, requestData) {
+  const candidate =
+    sessionId || requestData?.request?.sessionId || requestData?.request?.session_id || null
+  return candidate || generateAntigravitySessionId()
+}
+
+function buildAntigravityEnvelope({ requestData, projectId, sessionId, userPromptId }) {
+  const model = mapAntigravityUpstreamModel(requestData?.model)
+  const resolvedProjectId = resolveAntigravityProjectId(projectId, requestData)
+  const resolvedSessionId = resolveAntigravitySessionId(sessionId, requestData)
+  const requestPayload = {
+    ...(requestData?.request || {})
+  }
+
+  if (requestPayload.session_id !== undefined) {
+    delete requestPayload.session_id
+  }
+  requestPayload.sessionId = resolvedSessionId
+
+  const envelope = {
+    project: resolvedProjectId,
+    requestId: `req-${uuidv4()}`,
+    model,
+    userAgent: 'antigravity',
+    request: {
+      ...requestPayload
+    }
+  }
+
+  if (userPromptId) {
+    envelope.user_prompt_id = userPromptId
+    envelope.userPromptId = userPromptId
+  }
+
+  normalizeAntigravityEnvelope(envelope)
+  return { model, envelope }
+}
+
+function normalizeAntigravityThinking(model, requestPayload) {
+  if (!requestPayload || typeof requestPayload !== 'object') {
+    return
+  }
+
+  const { generationConfig } = requestPayload
+  if (!generationConfig || typeof generationConfig !== 'object') {
+    return
+  }
+  const { thinkingConfig } = generationConfig
+  if (!thinkingConfig || typeof thinkingConfig !== 'object') {
+    return
+  }
+
+  const normalizedModel = normalizeAntigravityModelInput(model)
+  if (thinkingConfig.thinkingLevel && !normalizedModel.startsWith('gemini-3-')) {
+    delete thinkingConfig.thinkingLevel
+  }
+
+  const metadata = getAntigravityModelMetadata(normalizedModel)
+  if (metadata && !metadata.thinking) {
+    delete generationConfig.thinkingConfig
+    return
+  }
+  if (!metadata || !metadata.thinking) {
+    return
+  }
+
+  const budgetRaw = Number(thinkingConfig.thinkingBudget)
+  if (!Number.isFinite(budgetRaw)) {
+    return
+  }
+  let budget = Math.trunc(budgetRaw)
+
+  const minBudget = Number.isFinite(metadata.thinking.min) ? metadata.thinking.min : null
+  const maxBudget = Number.isFinite(metadata.thinking.max) ? metadata.thinking.max : null
+
+  if (maxBudget !== null && budget > maxBudget) {
+    budget = maxBudget
+  }
+
+  let effectiveMax = Number.isFinite(generationConfig.maxOutputTokens)
+    ? generationConfig.maxOutputTokens
+    : null
+  let setDefaultMax = false
+  if (!effectiveMax && metadata.maxCompletionTokens) {
+    effectiveMax = metadata.maxCompletionTokens
+    setDefaultMax = true
+  }
+
+  if (effectiveMax && budget >= effectiveMax) {
+    budget = Math.max(0, effectiveMax - 1)
+  }
+
+  if (minBudget !== null && budget >= 0 && budget < minBudget) {
+    delete generationConfig.thinkingConfig
+    return
+  }
+
+  thinkingConfig.thinkingBudget = budget
+  if (setDefaultMax) {
+    generationConfig.maxOutputTokens = effectiveMax
+  }
+}
+
+function normalizeAntigravityEnvelope(envelope) {
+  if (!envelope || typeof envelope !== 'object') {
+    return
+  }
+  const model = String(envelope.model || '')
+  const requestPayload = envelope.request
+  if (!requestPayload || typeof requestPayload !== 'object') {
+    return
+  }
+
+  if (requestPayload.safetySettings !== undefined) {
+    delete requestPayload.safetySettings
+  }
+
+  // 对齐 CLIProxyAPI：有 tools 时默认启用 VALIDATED（除非显式 NONE）
+  if (Array.isArray(requestPayload.tools) && requestPayload.tools.length > 0) {
+    const existing = requestPayload?.toolConfig?.functionCallingConfig || null
+    if (existing?.mode !== 'NONE') {
+      const nextCfg = { ...(existing || {}), mode: 'VALIDATED' }
+      requestPayload.toolConfig = { functionCallingConfig: nextCfg }
+    }
+  }
+
+  // 对齐 CLIProxyAPI：非 Claude 模型移除 maxOutputTokens（Antigravity 环境不稳定）
+  normalizeAntigravityThinking(model, requestPayload)
+  if (!model.includes('claude')) {
+    if (requestPayload.generationConfig && typeof requestPayload.generationConfig === 'object') {
+      delete requestPayload.generationConfig.maxOutputTokens
+    }
+    return
+  }
+
+  // Claude 模型：parametersJsonSchema -> parameters + schema 清洗（避免 $schema / additionalProperties 等触发 400）
+  if (!Array.isArray(requestPayload.tools)) {
+    return
+  }
+
+  for (const tool of requestPayload.tools) {
+    if (!tool || typeof tool !== 'object') {
+      continue
+    }
+    const decls = Array.isArray(tool.functionDeclarations)
+      ? tool.functionDeclarations
+      : Array.isArray(tool.function_declarations)
+        ? tool.function_declarations
+        : null
+
+    if (!decls) {
+      continue
+    }
+
+    for (const decl of decls) {
+      if (!decl || typeof decl !== 'object') {
+        continue
+      }
+      let schema =
+        decl.parametersJsonSchema !== undefined ? decl.parametersJsonSchema : decl.parameters
+      if (typeof schema === 'string' && schema) {
+        try {
+          schema = JSON.parse(schema)
+        } catch (_) {
+          schema = null
+        }
+      }
+
+      decl.parameters = cleanJsonSchemaForGemini(schema)
+      delete decl.parametersJsonSchema
+    }
+  }
+}
+
+async function request({
+  accessToken,
+  proxyConfig = null,
+  requestData,
+  projectId = null,
+  sessionId = null,
+  userPromptId = null,
+  stream = false,
+  signal = null,
+  params = null,
+  timeoutMs = null
+}) {
+  const { model, envelope } = buildAntigravityEnvelope({
+    requestData,
+    projectId,
+    sessionId,
+    userPromptId
+  })
+
+  const proxyAgent = ProxyHelper.createProxyAgent(proxyConfig)
+  let endpoints = getAntigravityApiUrlCandidates()
+
+  // Claude 模型在 sandbox(daily) 环境下对 tool_use/tool_result 的兼容性不稳定，优先走 prod。
+  // 保持可配置优先：若用户显式设置了 ANTIGRAVITY_API_URL，则不改变顺序。
+  if (!process.env.ANTIGRAVITY_API_URL && String(model).includes('claude')) {
+    const prodHost = 'cloudcode-pa.googleapis.com'
+    const dailyHost = 'daily-cloudcode-pa.sandbox.googleapis.com'
+    const ordered = []
+    for (const u of endpoints) {
+      if (String(u).includes(prodHost)) {
+        ordered.push(u)
+      }
+    }
+    for (const u of endpoints) {
+      if (!String(u).includes(prodHost)) {
+        ordered.push(u)
+      }
+    }
+    // 去重并保持 prod -> daily 的稳定顺序
+    endpoints = Array.from(new Set(ordered)).sort((a, b) => {
+      const av = String(a)
+      const bv = String(b)
+      const aScore = av.includes(prodHost) ? 0 : av.includes(dailyHost) ? 1 : 2
+      const bScore = bv.includes(prodHost) ? 0 : bv.includes(dailyHost) ? 1 : 2
+      return aScore - bScore
+    })
+  }
+
+  const isRetryable = (error) => {
+    const status = error?.response?.status
+    if (status === 429) {
+      return true
+    }
+
+    // 400/404 的 “model unavailable / not found” 在不同环境间可能表现不同，允许 fallback。
+    if (status === 400 || status === 404) {
+      const data = error?.response?.data
+      const safeToString = (value) => {
+        if (typeof value === 'string') {
+          return value
+        }
+        if (value === null || value === undefined) {
+          return ''
+        }
+        // axios responseType=stream 时，data 可能是 stream（存在循环引用），不能 JSON.stringify
+        if (typeof value === 'object' && typeof value.pipe === 'function') {
+          return ''
+        }
+        if (Buffer.isBuffer(value)) {
+          try {
+            return value.toString('utf8')
+          } catch (_) {
+            return ''
+          }
+        }
+        if (typeof value === 'object') {
+          try {
+            return JSON.stringify(value)
+          } catch (_) {
+            return ''
+          }
+        }
+        return String(value)
+      }
+
+      const text = safeToString(data)
+      const msg = (text || '').toLowerCase()
+      return (
+        msg.includes('requested model is currently unavailable') ||
+        msg.includes('tool_use') ||
+        msg.includes('tool_result') ||
+        msg.includes('requested entity was not found') ||
+        msg.includes('not found')
+      )
+    }
+
+    return false
+  }
+
+  let lastError = null
+  let retriedAfterDelay = false
+
+  const attemptRequest = async () => {
+    for (let index = 0; index < endpoints.length; index += 1) {
+      const baseUrl = endpoints[index]
+      const url = `${baseUrl}/v1internal:${stream ? 'streamGenerateContent' : 'generateContent'}`
+
+      const axiosConfig = {
+        url,
+        method: 'POST',
+        ...(params ? { params } : {}),
+        headers: getAntigravityHeaders(accessToken, baseUrl),
+        data: envelope,
+        timeout: stream ? 0 : timeoutMs || 600000,
+        ...(stream ? { responseType: 'stream' } : {})
+      }
+
+      if (proxyAgent) {
+        axiosConfig.httpsAgent = proxyAgent
+        axiosConfig.proxy = false
+        if (index === 0) {
+          logger.info(
+            `🌐 Using proxy for Antigravity ${stream ? 'streamGenerateContent' : 'generateContent'}: ${ProxyHelper.getProxyDescription(proxyConfig)}`
+          )
+        }
+      } else {
+        axiosConfig.httpsAgent = keepAliveAgent
+      }
+
+      if (signal) {
+        axiosConfig.signal = signal
+      }
+
+      try {
+        dumpAntigravityUpstreamRequest({
+          requestId: envelope.requestId,
+          model,
+          stream,
+          url,
+          baseUrl,
+          params: axiosConfig.params || null,
+          headers: axiosConfig.headers,
+          envelope
+        }).catch(() => {})
+        const response = await axios(axiosConfig)
+        return { model, response }
+      } catch (error) {
+        lastError = error
+        const status = error?.response?.status || null
+
+        const hasNext = index + 1 < endpoints.length
+        if (hasNext && isRetryable(error)) {
+          logger.warn('⚠️ Antigravity upstream error, retrying with fallback baseUrl', {
+            status,
+            from: baseUrl,
+            to: endpoints[index + 1],
+            model
+          })
+          continue
+        }
+        throw error
+      }
+    }
+
+    throw lastError || new Error('Antigravity request failed')
+  }
+
+  try {
+    return await attemptRequest()
+  } catch (error) {
+    // 如果是 429 RESOURCE_EXHAUSTED 且尚未重试过，等待 2 秒后重试一次
+    const status = error?.response?.status
+    if (status === 429 && !retriedAfterDelay && !signal?.aborted) {
+      const data = error?.response?.data
+      const msg = typeof data === 'string' ? data : JSON.stringify(data || '')
+      if (
+        msg.toLowerCase().includes('resource_exhausted') ||
+        msg.toLowerCase().includes('no capacity')
+      ) {
+        retriedAfterDelay = true
+        logger.warn('⏳ Antigravity 429 RESOURCE_EXHAUSTED, waiting 2s before retry', { model })
+        await new Promise((resolve) => setTimeout(resolve, 2000))
+        return await attemptRequest()
+      }
+    }
+    throw error
+  }
+}
+
+async function fetchAvailableModels({ accessToken, proxyConfig = null, timeoutMs = 30000 }) {
+  const proxyAgent = ProxyHelper.createProxyAgent(proxyConfig)
+  const endpoints = getAntigravityApiUrlCandidates()
+
+  let lastError = null
+  for (let index = 0; index < endpoints.length; index += 1) {
+    const baseUrl = endpoints[index]
+    const url = `${baseUrl}/v1internal:fetchAvailableModels`
+
+    const axiosConfig = {
+      url,
+      method: 'POST',
+      headers: getAntigravityHeaders(accessToken, baseUrl),
+      data: {},
+      timeout: timeoutMs
+    }
+
+    if (proxyAgent) {
+      axiosConfig.httpsAgent = proxyAgent
+      axiosConfig.proxy = false
+      if (index === 0) {
+        logger.info(
+          `🌐 Using proxy for Antigravity fetchAvailableModels: ${ProxyHelper.getProxyDescription(proxyConfig)}`
+        )
+      }
+    } else {
+      axiosConfig.httpsAgent = keepAliveAgent
+    }
+
+    try {
+      const response = await axios(axiosConfig)
+      return response.data
+    } catch (error) {
+      lastError = error
+      const status = error?.response?.status
+      const hasNext = index + 1 < endpoints.length
+      if (hasNext && (status === 429 || status === 404)) {
+        continue
+      }
+      throw error
+    }
+  }
+
+  throw lastError || new Error('Antigravity fetchAvailableModels failed')
+}
+
+async function countTokens({
+  accessToken,
+  proxyConfig = null,
+  contents,
+  model,
+  timeoutMs = 30000
+}) {
+  const upstreamModel = mapAntigravityUpstreamModel(model)
+
+  const proxyAgent = ProxyHelper.createProxyAgent(proxyConfig)
+  const endpoints = getAntigravityApiUrlCandidates()
+
+  let lastError = null
+  for (let index = 0; index < endpoints.length; index += 1) {
+    const baseUrl = endpoints[index]
+    const url = `${baseUrl}/v1internal:countTokens`
+    const axiosConfig = {
+      url,
+      method: 'POST',
+      headers: getAntigravityHeaders(accessToken, baseUrl),
+      data: {
+        request: {
+          model: `models/${upstreamModel}`,
+          contents
+        }
+      },
+      timeout: timeoutMs
+    }
+
+    if (proxyAgent) {
+      axiosConfig.httpsAgent = proxyAgent
+      axiosConfig.proxy = false
+      if (index === 0) {
+        logger.info(
+          `🌐 Using proxy for Antigravity countTokens: ${ProxyHelper.getProxyDescription(proxyConfig)}`
+        )
+      }
+    } else {
+      axiosConfig.httpsAgent = keepAliveAgent
+    }
+
+    try {
+      const response = await axios(axiosConfig)
+      return response.data
+    } catch (error) {
+      lastError = error
+      const status = error?.response?.status
+      const hasNext = index + 1 < endpoints.length
+      if (hasNext && (status === 429 || status === 404)) {
+        continue
+      }
+      throw error
+    }
+  }
+
+  throw lastError || new Error('Antigravity countTokens failed')
+}
+
+module.exports = {
+  getAntigravityApiUrl,
+  getAntigravityApiUrlCandidates,
+  getAntigravityHeaders,
+  buildAntigravityEnvelope,
+  request,
+  fetchAvailableModels,
+  countTokens
+}
--- a/src/services/antigravityRelayService.js
+++ b/src/services/antigravityRelayService.js
@@ -0,0 +1,170 @@
+const apiKeyService = require('./apiKeyService')
+const { convertMessagesToGemini, convertGeminiResponse } = require('./geminiRelayService')
+const { normalizeAntigravityModelInput } = require('../utils/antigravityModel')
+const antigravityClient = require('./antigravityClient')
+
+function buildRequestData({ messages, model, temperature, maxTokens, sessionId }) {
+  const requestedModel = normalizeAntigravityModelInput(model)
+  const { contents, systemInstruction } = convertMessagesToGemini(messages)
+
+  const requestData = {
+    model: requestedModel,
+    request: {
+      contents,
+      generationConfig: {
+        temperature,
+        maxOutputTokens: maxTokens,
+        candidateCount: 1,
+        topP: 0.95,
+        topK: 40
+      },
+      ...(sessionId ? { sessionId } : {})
+    }
+  }
+
+  if (systemInstruction) {
+    requestData.request.systemInstruction = { parts: [{ text: systemInstruction }] }
+  }
+
+  return requestData
+}
+
+async function* handleStreamResponse(response, model, apiKeyId, accountId) {
+  let buffer = ''
+  let totalUsage = {
+    promptTokenCount: 0,
+    candidatesTokenCount: 0,
+    totalTokenCount: 0
+  }
+  let usageRecorded = false
+
+  try {
+    for await (const chunk of response.data) {
+      buffer += chunk.toString()
+
+      const lines = buffer.split('\n')
+      buffer = lines.pop() || ''
+
+      for (const line of lines) {
+        if (!line.trim()) {
+          continue
+        }
+
+        let jsonData = line
+        if (line.startsWith('data: ')) {
+          jsonData = line.substring(6).trim()
+        }
+
+        if (!jsonData || jsonData === '[DONE]') {
+          continue
+        }
+
+        try {
+          const data = JSON.parse(jsonData)
+          const payload = data?.response || data
+
+          if (payload?.usageMetadata) {
+            totalUsage = payload.usageMetadata
+          }
+
+          const openaiChunk = convertGeminiResponse(payload, model, true)
+          if (openaiChunk) {
+            yield `data: ${JSON.stringify(openaiChunk)}\n\n`
+            const finishReason = openaiChunk.choices?.[0]?.finish_reason
+            if (finishReason === 'stop') {
+              yield 'data: [DONE]\n\n'
+
+              if (apiKeyId && totalUsage.totalTokenCount > 0) {
+                await apiKeyService.recordUsage(
+                  apiKeyId,
+                  totalUsage.promptTokenCount || 0,
+                  totalUsage.candidatesTokenCount || 0,
+                  0,
+                  0,
+                  model,
+                  accountId
+                )
+                usageRecorded = true
+              }
+              return
+            }
+          }
+        } catch (e) {
+          // ignore chunk parse errors
+        }
+      }
+    }
+  } finally {
+    if (!usageRecorded && apiKeyId && totalUsage.totalTokenCount > 0) {
+      await apiKeyService.recordUsage(
+        apiKeyId,
+        totalUsage.promptTokenCount || 0,
+        totalUsage.candidatesTokenCount || 0,
+        0,
+        0,
+        model,
+        accountId
+      )
+    }
+  }
+}
+
+async function sendAntigravityRequest({
+  messages,
+  model,
+  temperature = 0.7,
+  maxTokens = 4096,
+  stream = false,
+  accessToken,
+  proxy,
+  apiKeyId,
+  signal,
+  projectId,
+  accountId = null
+}) {
+  const requestedModel = normalizeAntigravityModelInput(model)
+
+  const requestData = buildRequestData({
+    messages,
+    model: requestedModel,
+    temperature,
+    maxTokens,
+    sessionId: apiKeyId
+  })
+
+  const { response } = await antigravityClient.request({
+    accessToken,
+    proxyConfig: proxy,
+    requestData,
+    projectId,
+    sessionId: apiKeyId,
+    stream,
+    signal,
+    params: { alt: 'sse' }
+  })
+
+  if (stream) {
+    return handleStreamResponse(response, requestedModel, apiKeyId, accountId)
+  }
+
+  const payload = response.data?.response || response.data
+  const openaiResponse = convertGeminiResponse(payload, requestedModel, false)
+
+  if (apiKeyId && openaiResponse?.usage) {
+    await apiKeyService.recordUsage(
+      apiKeyId,
+      openaiResponse.usage.prompt_tokens || 0,
+      openaiResponse.usage.completion_tokens || 0,
+      0,
+      0,
+      requestedModel,
+      accountId
+    )
+  }
+
+  return openaiResponse
+}
+
+module.exports = {
+  sendAntigravityRequest
+}
--- a/src/services/apiKeyService.js
+++ b/src/services/apiKeyService.js
@@ -37,6 +37,51 @@ const ACCOUNT_CATEGORY_MAP = {
  droid: 'droid'
 }

+/**
+ * 规范化权限数据，兼容旧格式（字符串）和新格式（数组）
+ * @param {string|array} permissions - 权限数据
+ * @returns {array} - 权限数组，空数组表示全部服务
+ */
+function normalizePermissions(permissions) {
+  if (!permissions) {
+    return [] // 空 = 全部服务
+  }
+  if (Array.isArray(permissions)) {
+    return permissions
+  }
+  // 尝试解析 JSON 字符串（新格式存储）
+  if (typeof permissions === 'string') {
+    if (permissions.startsWith('[')) {
+      try {
+        const parsed = JSON.parse(permissions)
+        if (Array.isArray(parsed)) {
+          return parsed
+        }
+      } catch (e) {
+        // 解析失败，继续处理为普通字符串
+      }
+    }
+    // 旧格式 'all' 转为空数组
+    if (permissions === 'all') {
+      return []
+    }
+    // 旧单个字符串转为数组
+    return [permissions]
+  }
+  return []
+}
+
+/**
+ * 检查是否有访问特定服务的权限
+ * @param {string|array} permissions - 权限数据
+ * @param {string} service - 服务名称（claude/gemini/openai/droid）
+ * @returns {boolean} - 是否有权限
+ */
+function hasPermission(permissions, service) {
+  const perms = normalizePermissions(permissions)
+  return perms.length === 0 || perms.includes(service) // 空数组 = 全部服务
+}
+
 function normalizeAccountTypeKey(type) {
  if (!type) {
    return null
@@ -89,7 +134,7 @@ class ApiKeyService {
      azureOpenaiAccountId = null,
      bedrockAccountId = null, // 添加 Bedrock 账号ID支持
      droidAccountId = null,
-      permissions = 'all', // 可选值：'claude'、'gemini'、'openai'、'droid' 或 'all'
+      permissions = [], // 数组格式，空数组表示全部服务，如 ['claude', 'gemini']
      isActive = true,
      concurrencyLimit = 0,
      rateLimitWindow = null,
@@ -132,7 +177,7 @@ class ApiKeyService {
      azureOpenaiAccountId: azureOpenaiAccountId || '',
      bedrockAccountId: bedrockAccountId || '', // 添加 Bedrock 账号ID
      droidAccountId: droidAccountId || '',
-      permissions: permissions || 'all',
+      permissions: JSON.stringify(normalizePermissions(permissions)),
      enableModelRestriction: String(enableModelRestriction),
      restrictedModels: JSON.stringify(restrictedModels || []),
      enableClientRestriction: String(enableClientRestriction || false),
@@ -186,7 +231,7 @@ class ApiKeyService {
      azureOpenaiAccountId: keyData.azureOpenaiAccountId,
      bedrockAccountId: keyData.bedrockAccountId, // 添加 Bedrock 账号ID
      droidAccountId: keyData.droidAccountId,
-      permissions: keyData.permissions,
+      permissions: normalizePermissions(keyData.permissions),
      enableModelRestriction: keyData.enableModelRestriction === 'true',
      restrictedModels: JSON.parse(keyData.restrictedModels),
      enableClientRestriction: keyData.enableClientRestriction === 'true',
@@ -338,7 +383,7 @@ class ApiKeyService {
          azureOpenaiAccountId: keyData.azureOpenaiAccountId,
          bedrockAccountId: keyData.bedrockAccountId, // 添加 Bedrock 账号ID
          droidAccountId: keyData.droidAccountId,
-          permissions: keyData.permissions || 'all',
+          permissions: normalizePermissions(keyData.permissions),
          tokenLimit: parseInt(keyData.tokenLimit),
          concurrencyLimit: parseInt(keyData.concurrencyLimit || 0),
          rateLimitWindow: parseInt(keyData.rateLimitWindow || 0),
@@ -467,7 +512,7 @@ class ApiKeyService {
          azureOpenaiAccountId: keyData.azureOpenaiAccountId,
          bedrockAccountId: keyData.bedrockAccountId,
          droidAccountId: keyData.droidAccountId,
-          permissions: keyData.permissions || 'all',
+          permissions: normalizePermissions(keyData.permissions),
          tokenLimit: parseInt(keyData.tokenLimit),
          concurrencyLimit: parseInt(keyData.concurrencyLimit || 0),
          rateLimitWindow: parseInt(keyData.rateLimitWindow || 0),
@@ -525,7 +570,7 @@ class ApiKeyService {
        key.isActive = key.isActive === 'true'
        key.enableModelRestriction = key.enableModelRestriction === 'true'
        key.enableClientRestriction = key.enableClientRestriction === 'true'
-        key.permissions = key.permissions || 'all' // 兼容旧数据
+        key.permissions = normalizePermissions(key.permissions)
        key.dailyCostLimit = parseFloat(key.dailyCostLimit || 0)
        key.totalCostLimit = parseFloat(key.totalCostLimit || 0)
        key.weeklyOpusCostLimit = parseFloat(key.weeklyOpusCostLimit || 0)
@@ -705,8 +750,13 @@ class ApiKeyService {

      for (const [field, value] of Object.entries(updates)) {
        if (allowedUpdates.includes(field)) {
-          if (field === 'restrictedModels' || field === 'allowedClients' || field === 'tags') {
-            // 特殊处理数组字段
+          if (
+            field === 'restrictedModels' ||
+            field === 'allowedClients' ||
+            field === 'tags' ||
+            field === 'permissions'
+          ) {
+            // 特殊处理数组字段，使用 JSON.stringify
            updatedData[field] = JSON.stringify(value || [])
          } else if (
            field === 'enableModelRestriction' ||
@@ -1568,7 +1618,7 @@ class ApiKeyService {
        userId: keyData.userId,
        userUsername: keyData.userUsername,
        createdBy: keyData.createdBy,
-        permissions: keyData.permissions,
+        permissions: normalizePermissions(keyData.permissions),
        dailyCostLimit: parseFloat(keyData.dailyCostLimit || 0),
        totalCostLimit: parseFloat(keyData.totalCostLimit || 0),
        // 所有平台账户绑定字段
@@ -1820,4 +1870,8 @@ const apiKeyService = new ApiKeyService()
 // 为了方便其他服务调用，导出 recordUsage 方法
 apiKeyService.recordUsageMetrics = apiKeyService.recordUsage.bind(apiKeyService)

+// 导出权限辅助函数供路由使用
+apiKeyService.hasPermission = hasPermission
+apiKeyService.normalizePermissions = normalizePermissions
+
 module.exports = apiKeyService
--- a/src/services/balanceProviders/baseBalanceProvider.js
+++ b/src/services/balanceProviders/baseBalanceProvider.js
@@ -0,0 +1,133 @@
+const axios = require('axios')
+const logger = require('../../utils/logger')
+const ProxyHelper = require('../../utils/proxyHelper')
+
+/**
+ * Provider 抽象基类
+ * 各平台 Provider 需继承并实现 queryBalance(account)
+ */
+class BaseBalanceProvider {
+  constructor(platform) {
+    this.platform = platform
+    this.logger = logger
+  }
+
+  /**
+   * 查询余额（抽象方法）
+   * @param {object} account - 账户对象
+   * @returns {Promise<object>}
+   * 形如：
+   * {
+   *   balance: number|null,
+   *   currency?: string,
+   *   quota?: { daily, used, remaining, resetAt, percentage, unlimited? },
+   *   queryMethod?: 'api'|'field'|'local',
+   *   rawData?: any
+   * }
+   */
+  async queryBalance(_account) {
+    throw new Error('queryBalance 方法必须由子类实现')
+  }
+
+  /**
+   * 通用 HTTP 请求方法（支持代理）
+   * @param {string} url
+   * @param {object} options
+   * @param {object} account
+   */
+  async makeRequest(url, options = {}, account = {}) {
+    const config = {
+      url,
+      method: options.method || 'GET',
+      headers: options.headers || {},
+      timeout: options.timeout || 15000,
+      data: options.data,
+      params: options.params,
+      responseType: options.responseType
+    }
+
+    const proxyConfig = account.proxyConfig || account.proxy
+    if (proxyConfig) {
+      const agent = ProxyHelper.createProxyAgent(proxyConfig)
+      if (agent) {
+        config.httpAgent = agent
+        config.httpsAgent = agent
+        config.proxy = false
+      }
+    }
+
+    try {
+      const response = await axios(config)
+      return {
+        success: true,
+        data: response.data,
+        status: response.status,
+        headers: response.headers
+      }
+    } catch (error) {
+      const status = error.response?.status
+      const message = error.response?.data?.message || error.message || '请求失败'
+      this.logger.debug(`余额 Provider HTTP 请求失败: ${url} (${this.platform})`, {
+        status,
+        message
+      })
+      return { success: false, status, error: message }
+    }
+  }
+
+  /**
+   * 从账户字段读取 dailyQuota / dailyUsage（通用降级方案）
+   * 注意：部分平台 dailyUsage 字段可能不是实时值，最终以 AccountBalanceService 的本地统计为准
+   */
+  readQuotaFromFields(account) {
+    const dailyQuota = Number(account?.dailyQuota || 0)
+    const dailyUsage = Number(account?.dailyUsage || 0)
+
+    // 无限制
+    if (!Number.isFinite(dailyQuota) || dailyQuota <= 0) {
+      return {
+        balance: null,
+        currency: 'USD',
+        quota: {
+          daily: Infinity,
+          used: Number.isFinite(dailyUsage) ? dailyUsage : 0,
+          remaining: Infinity,
+          percentage: 0,
+          unlimited: true
+        },
+        queryMethod: 'field'
+      }
+    }
+
+    const used = Number.isFinite(dailyUsage) ? dailyUsage : 0
+    const remaining = Math.max(0, dailyQuota - used)
+    const percentage = dailyQuota > 0 ? (used / dailyQuota) * 100 : 0
+
+    return {
+      balance: remaining,
+      currency: 'USD',
+      quota: {
+        daily: dailyQuota,
+        used,
+        remaining,
+        percentage: Math.round(percentage * 100) / 100
+      },
+      queryMethod: 'field'
+    }
+  }
+
+  parseCurrency(data) {
+    return data?.currency || data?.Currency || 'USD'
+  }
+
+  async safeExecute(fn, fallbackValue = null) {
+    try {
+      return await fn()
+    } catch (error) {
+      this.logger.error(`余额 Provider 执行失败: ${this.platform}`, error)
+      return fallbackValue
+    }
+  }
+}
+
+module.exports = BaseBalanceProvider
--- a/src/services/balanceProviders/claudeBalanceProvider.js
+++ b/src/services/balanceProviders/claudeBalanceProvider.js
@@ -0,0 +1,30 @@
+const BaseBalanceProvider = require('./baseBalanceProvider')
+const claudeAccountService = require('../claudeAccountService')
+
+class ClaudeBalanceProvider extends BaseBalanceProvider {
+  constructor() {
+    super('claude')
+  }
+
+  /**
+   * Claude（OAuth）：优先尝试获取 OAuth usage（用于配额/使用信息），不强行提供余额金额
+   */
+  async queryBalance(account) {
+    this.logger.debug(`查询 Claude 余额（OAuth usage）: ${account?.id}`)
+
+    // 仅 OAuth 账户可用；失败时降级
+    const usageData = await claudeAccountService.fetchOAuthUsage(account.id).catch(() => null)
+    if (!usageData) {
+      return { balance: null, currency: 'USD', queryMethod: 'local' }
+    }
+
+    return {
+      balance: null,
+      currency: 'USD',
+      queryMethod: 'api',
+      rawData: usageData
+    }
+  }
+}
+
+module.exports = ClaudeBalanceProvider
--- a/src/services/balanceProviders/claudeConsoleBalanceProvider.js
+++ b/src/services/balanceProviders/claudeConsoleBalanceProvider.js
@@ -0,0 +1,14 @@
+const BaseBalanceProvider = require('./baseBalanceProvider')
+
+class ClaudeConsoleBalanceProvider extends BaseBalanceProvider {
+  constructor() {
+    super('claude-console')
+  }
+
+  async queryBalance(account) {
+    this.logger.debug(`查询 Claude Console 余额（字段）: ${account?.id}`)
+    return this.readQuotaFromFields(account)
+  }
+}
+
+module.exports = ClaudeConsoleBalanceProvider
--- a/src/services/balanceProviders/genericBalanceProvider.js
+++ b/src/services/balanceProviders/genericBalanceProvider.js
@@ -0,0 +1,23 @@
+const BaseBalanceProvider = require('./baseBalanceProvider')
+
+class GenericBalanceProvider extends BaseBalanceProvider {
+  constructor(platform) {
+    super(platform)
+  }
+
+  async queryBalance(account) {
+    this.logger.debug(`${this.platform} 暂无专用余额 API，实现降级策略`)
+
+    if (account && Object.prototype.hasOwnProperty.call(account, 'dailyQuota')) {
+      return this.readQuotaFromFields(account)
+    }
+
+    return {
+      balance: null,
+      currency: 'USD',
+      queryMethod: 'local'
+    }
+  }
+}
+
+module.exports = GenericBalanceProvider
--- a/src/services/balanceProviders/index.js
+++ b/src/services/balanceProviders/index.js
@@ -0,0 +1,24 @@
+const ClaudeBalanceProvider = require('./claudeBalanceProvider')
+const ClaudeConsoleBalanceProvider = require('./claudeConsoleBalanceProvider')
+const OpenAIResponsesBalanceProvider = require('./openaiResponsesBalanceProvider')
+const GenericBalanceProvider = require('./genericBalanceProvider')
+
+function registerAllProviders(balanceService) {
+  // Claude
+  balanceService.registerProvider('claude', new ClaudeBalanceProvider())
+  balanceService.registerProvider('claude-console', new ClaudeConsoleBalanceProvider())
+
+  // OpenAI / Codex
+  balanceService.registerProvider('openai-responses', new OpenAIResponsesBalanceProvider())
+  balanceService.registerProvider('openai', new GenericBalanceProvider('openai'))
+  balanceService.registerProvider('azure_openai', new GenericBalanceProvider('azure_openai'))
+
+  // 其他平台（降级）
+  balanceService.registerProvider('gemini', new GenericBalanceProvider('gemini'))
+  balanceService.registerProvider('gemini-api', new GenericBalanceProvider('gemini-api'))
+  balanceService.registerProvider('bedrock', new GenericBalanceProvider('bedrock'))
+  balanceService.registerProvider('droid', new GenericBalanceProvider('droid'))
+  balanceService.registerProvider('ccr', new GenericBalanceProvider('ccr'))
+}
+
+module.exports = { registerAllProviders }
--- a/src/services/balanceProviders/openaiResponsesBalanceProvider.js
+++ b/src/services/balanceProviders/openaiResponsesBalanceProvider.js
@@ -0,0 +1,54 @@
+const BaseBalanceProvider = require('./baseBalanceProvider')
+
+class OpenAIResponsesBalanceProvider extends BaseBalanceProvider {
+  constructor() {
+    super('openai-responses')
+  }
+
+  /**
+   * OpenAI-Responses：
+   * - 优先使用 dailyQuota 字段（如果配置了额度）
+   * - 可选：尝试调用兼容 API（不同服务商实现不一，失败自动降级）
+   */
+  async queryBalance(account) {
+    this.logger.debug(`查询 OpenAI Responses 余额: ${account?.id}`)
+
+    // 配置了额度时直接返回（字段法）
+    if (account?.dailyQuota && Number(account.dailyQuota) > 0) {
+      return this.readQuotaFromFields(account)
+    }
+
+    // 尝试调用 usage 接口（兼容性不保证）
+    if (account?.apiKey && account?.baseApi) {
+      const baseApi = String(account.baseApi).replace(/\/$/, '')
+      const response = await this.makeRequest(
+        `${baseApi}/v1/usage`,
+        {
+          method: 'GET',
+          headers: {
+            Authorization: `Bearer ${account.apiKey}`,
+            'Content-Type': 'application/json'
+          }
+        },
+        account
+      )
+
+      if (response.success) {
+        return {
+          balance: null,
+          currency: this.parseCurrency(response.data),
+          queryMethod: 'api',
+          rawData: response.data
+        }
+      }
+    }
+
+    return {
+      balance: null,
+      currency: 'USD',
+      queryMethod: 'local'
+    }
+  }
+}
+
+module.exports = OpenAIResponsesBalanceProvider
--- a/src/services/balanceScriptService.js
+++ b/src/services/balanceScriptService.js
@@ -0,0 +1,161 @@
+const vm = require('vm')
+const axios = require('axios')
+const { isBalanceScriptEnabled } = require('../utils/featureFlags')
+
+/**
+ * 可配置脚本余额查询执行器
+ * - 脚本格式：({ request: {...}, extractor: function(response){...} })
+ * - 模板变量：{{baseUrl}}, {{apiKey}}, {{token}}, {{accountId}}, {{platform}}, {{extra}}
+ */
+class BalanceScriptService {
+  /**
+   * 执行脚本：返回标准余额结构 + 原始响应
+   * @param {object} options
+   *  - scriptBody: string
+   *  - variables: Record<string,string>
+   *  - timeoutSeconds: number
+   */
+  async execute(options = {}) {
+    if (!isBalanceScriptEnabled()) {
+      const error = new Error('余额脚本功能已禁用（可通过 BALANCE_SCRIPT_ENABLED=true 启用）')
+      error.code = 'BALANCE_SCRIPT_DISABLED'
+      throw error
+    }
+
+    const scriptBody = options.scriptBody?.trim()
+    if (!scriptBody) {
+      throw new Error('脚本内容为空')
+    }
+
+    const timeoutMs = Math.max(1, (options.timeoutSeconds || 10) * 1000)
+    const sandbox = {
+      console,
+      Math,
+      Date
+    }
+
+    let scriptResult
+    try {
+      const wrapped = scriptBody.startsWith('(') ? scriptBody : `(${scriptBody})`
+      const script = new vm.Script(wrapped)
+      scriptResult = script.runInNewContext(sandbox, { timeout: timeoutMs })
+    } catch (error) {
+      throw new Error(`脚本解析失败: ${error.message}`)
+    }
+
+    if (!scriptResult || typeof scriptResult !== 'object') {
+      throw new Error('脚本返回格式无效（需返回 { request, extractor }）')
+    }
+
+    const variables = options.variables || {}
+    const request = this.applyTemplates(scriptResult.request || {}, variables)
+    const { extractor } = scriptResult
+
+    if (!request?.url || typeof request.url !== 'string') {
+      throw new Error('脚本 request.url 不能为空')
+    }
+
+    if (typeof extractor !== 'function') {
+      throw new Error('脚本 extractor 必须是函数')
+    }
+
+    const axiosConfig = {
+      url: request.url,
+      method: (request.method || 'GET').toUpperCase(),
+      headers: request.headers || {},
+      timeout: timeoutMs
+    }
+
+    if (request.params) {
+      axiosConfig.params = request.params
+    }
+    if (request.body || request.data) {
+      axiosConfig.data = request.body || request.data
+    }
+
+    let httpResponse
+    try {
+      httpResponse = await axios(axiosConfig)
+    } catch (error) {
+      const { response } = error || {}
+      const { status, data } = response || {}
+      throw new Error(
+        `请求失败: ${status || ''} ${error.message}${data ? ` | ${JSON.stringify(data)}` : ''}`
+      )
+    }
+
+    const responseData = httpResponse?.data
+
+    let extracted = {}
+    try {
+      extracted = extractor(responseData) || {}
+    } catch (error) {
+      throw new Error(`extractor 执行失败: ${error.message}`)
+    }
+
+    const mapped = this.mapExtractorResult(extracted, responseData)
+    return {
+      mapped,
+      extracted,
+      response: {
+        status: httpResponse?.status,
+        headers: httpResponse?.headers,
+        data: responseData
+      }
+    }
+  }
+
+  applyTemplates(value, variables) {
+    if (typeof value === 'string') {
+      return value.replace(/{{(\w+)}}/g, (_, key) => {
+        const trimmed = key.trim()
+        return variables[trimmed] !== undefined ? String(variables[trimmed]) : ''
+      })
+    }
+    if (Array.isArray(value)) {
+      return value.map((item) => this.applyTemplates(item, variables))
+    }
+    if (value && typeof value === 'object') {
+      const result = {}
+      Object.keys(value).forEach((k) => {
+        result[k] = this.applyTemplates(value[k], variables)
+      })
+      return result
+    }
+    return value
+  }
+
+  mapExtractorResult(result = {}, responseData) {
+    const isValid = result.isValid !== false
+    const remaining = Number(result.remaining)
+    const total = Number(result.total)
+    const used = Number(result.used)
+    const currency = result.unit || 'USD'
+
+    const quota =
+      Number.isFinite(total) || Number.isFinite(used)
+        ? {
+            total: Number.isFinite(total) ? total : null,
+            used: Number.isFinite(used) ? used : null,
+            remaining: Number.isFinite(remaining) ? remaining : null,
+            percentage:
+              Number.isFinite(total) && total > 0 && Number.isFinite(used)
+                ? (used / total) * 100
+                : null
+          }
+        : null
+
+    return {
+      status: isValid ? 'success' : 'error',
+      errorMessage: isValid ? '' : result.invalidMessage || '套餐无效',
+      balance: Number.isFinite(remaining) ? remaining : null,
+      currency,
+      quota,
+      planName: result.planName || null,
+      extra: result.extra || null,
+      rawData: responseData || result.raw
+    }
+  }
+}
+
+module.exports = new BalanceScriptService()
--- a/src/services/geminiAccountService.js
+++ b/src/services/geminiAccountService.js
@@ -16,11 +16,62 @@ const {
 } = require('../utils/tokenRefreshLogger')
 const tokenRefreshService = require('./tokenRefreshService')
 const LRUCache = require('../utils/lruCache')
+const antigravityClient = require('./antigravityClient')

-// Gemini CLI OAuth 配置 - 这些是公开的 Gemini CLI 凭据
-const OAUTH_CLIENT_ID = '681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com'
-const OAUTH_CLIENT_SECRET = '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'
-const OAUTH_SCOPES = ['https://www.googleapis.com/auth/cloud-platform']
+// Gemini OAuth 配置 - 支持 Gemini CLI 与 Antigravity 两种 OAuth 应用
+const OAUTH_PROVIDER_GEMINI_CLI = 'gemini-cli'
+const OAUTH_PROVIDER_ANTIGRAVITY = 'antigravity'
+
+const OAUTH_PROVIDERS = {
+  [OAUTH_PROVIDER_GEMINI_CLI]: {
+    // Gemini CLI OAuth 配置（公开）
+    clientId:
+      process.env.GEMINI_OAUTH_CLIENT_ID ||
+      '681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com',
+    clientSecret: process.env.GEMINI_OAUTH_CLIENT_SECRET || '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',
+    scopes: ['https://www.googleapis.com/auth/cloud-platform']
+  },
+  [OAUTH_PROVIDER_ANTIGRAVITY]: {
+    // Antigravity OAuth 配置（参考 gcli2api）
+    clientId:
+      process.env.ANTIGRAVITY_OAUTH_CLIENT_ID ||
+      '1071006060591-tmhssin2h21lcre235vtolojh4g403ep.apps.googleusercontent.com',
+    clientSecret:
+      process.env.ANTIGRAVITY_OAUTH_CLIENT_SECRET || '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',
+    scopes: [
+      'https://www.googleapis.com/auth/cloud-platform',
+      'https://www.googleapis.com/auth/userinfo.email',
+      'https://www.googleapis.com/auth/userinfo.profile',
+      'https://www.googleapis.com/auth/cclog',
+      'https://www.googleapis.com/auth/experimentsandconfigs'
+    ]
+  }
+}
+
+if (!process.env.GEMINI_OAUTH_CLIENT_SECRET) {
+  logger.warn(
+    '⚠️ GEMINI_OAUTH_CLIENT_SECRET 未设置，使用内置默认值（建议在生产环境通过环境变量覆盖）'
+  )
+}
+if (!process.env.ANTIGRAVITY_OAUTH_CLIENT_SECRET) {
+  logger.warn(
+    '⚠️ ANTIGRAVITY_OAUTH_CLIENT_SECRET 未设置，使用内置默认值（建议在生产环境通过环境变量覆盖）'
+  )
+}
+
+function normalizeOauthProvider(oauthProvider) {
+  if (!oauthProvider) {
+    return OAUTH_PROVIDER_GEMINI_CLI
+  }
+  return oauthProvider === OAUTH_PROVIDER_ANTIGRAVITY
+    ? OAUTH_PROVIDER_ANTIGRAVITY
+    : OAUTH_PROVIDER_GEMINI_CLI
+}
+
+function getOauthProviderConfig(oauthProvider) {
+  const normalized = normalizeOauthProvider(oauthProvider)
+  return OAUTH_PROVIDERS[normalized] || OAUTH_PROVIDERS[OAUTH_PROVIDER_GEMINI_CLI]
+}

 // 🌐 TCP Keep-Alive Agent 配置
 // 解决长时间流式请求中 NAT/防火墙空闲超时导致的连接中断问题
@@ -34,6 +85,117 @@ const keepAliveAgent = new https.Agent({

 logger.info('🌐 Gemini HTTPS Agent initialized with TCP Keep-Alive support')

+async function fetchAvailableModelsAntigravity(
+  accessToken,
+  proxyConfig = null,
+  refreshToken = null
+) {
+  try {
+    let effectiveToken = accessToken
+    if (refreshToken) {
+      try {
+        const client = await getOauthClient(
+          accessToken,
+          refreshToken,
+          proxyConfig,
+          OAUTH_PROVIDER_ANTIGRAVITY
+        )
+        if (client && client.getAccessToken) {
+          const latest = await client.getAccessToken()
+          if (latest?.token) {
+            effectiveToken = latest.token
+          }
+        }
+      } catch (error) {
+        logger.warn('Failed to refresh Antigravity access token for models list:', {
+          message: error.message
+        })
+      }
+    }
+
+    const data = await antigravityClient.fetchAvailableModels({
+      accessToken: effectiveToken,
+      proxyConfig
+    })
+    const modelsDict = data?.models
+    const created = Math.floor(Date.now() / 1000)
+
+    const models = []
+    const seen = new Set()
+    const {
+      getAntigravityModelAlias,
+      getAntigravityModelMetadata,
+      normalizeAntigravityModelInput
+    } = require('../utils/antigravityModel')
+
+    const pushModel = (modelId) => {
+      if (!modelId || seen.has(modelId)) {
+        return
+      }
+      seen.add(modelId)
+      const metadata = getAntigravityModelMetadata(modelId)
+      const entry = {
+        id: modelId,
+        object: 'model',
+        created,
+        owned_by: 'antigravity'
+      }
+      if (metadata?.name) {
+        entry.name = metadata.name
+      }
+      if (metadata?.maxCompletionTokens) {
+        entry.max_completion_tokens = metadata.maxCompletionTokens
+      }
+      if (metadata?.thinking) {
+        entry.thinking = metadata.thinking
+      }
+      models.push(entry)
+    }
+
+    if (modelsDict && typeof modelsDict === 'object') {
+      for (const modelId of Object.keys(modelsDict)) {
+        const normalized = normalizeAntigravityModelInput(modelId)
+        const alias = getAntigravityModelAlias(normalized)
+        if (!alias) {
+          continue
+        }
+        pushModel(alias)
+
+        if (alias.endsWith('-thinking')) {
+          pushModel(alias.replace(/-thinking$/, ''))
+        }
+
+        if (alias.startsWith('gemini-claude-')) {
+          pushModel(alias.replace(/^gemini-/, ''))
+        }
+      }
+    }
+
+    return models
+  } catch (error) {
+    logger.error('Failed to fetch Antigravity models:', error.response?.data || error.message)
+    return [
+      {
+        id: 'gemini-2.5-flash',
+        object: 'model',
+        created: Math.floor(Date.now() / 1000),
+        owned_by: 'antigravity'
+      }
+    ]
+  }
+}
+
+async function countTokensAntigravity(client, contents, model, proxyConfig = null) {
+  const { token } = await client.getAccessToken()
+  const response = await antigravityClient.countTokens({
+    accessToken: token,
+    proxyConfig,
+    contents,
+    model
+  })
+  return response
+}
+
 // 加密相关常量
 const ALGORITHM = 'aes-256-cbc'
 const ENCRYPTION_SALT = 'gemini-account-salt'
@@ -124,14 +286,15 @@ setInterval(
 )

 // 创建 OAuth2 客户端（支持代理配置）
-function createOAuth2Client(redirectUri = null, proxyConfig = null) {
+function createOAuth2Client(redirectUri = null, proxyConfig = null, oauthProvider = null) {
  // 如果没有提供 redirectUri，使用默认值
  const uri = redirectUri || 'http://localhost:45462'
+  const oauthConfig = getOauthProviderConfig(oauthProvider)

  // 准备客户端选项
  const clientOptions = {
-    clientId: OAUTH_CLIENT_ID,
-    clientSecret: OAUTH_CLIENT_SECRET,
+    clientId: oauthConfig.clientId,
+    clientSecret: oauthConfig.clientSecret,
    redirectUri: uri
  }

@@ -152,10 +315,17 @@ function createOAuth2Client(redirectUri = null, proxyConfig = null) {
 }

 // 生成授权 URL (支持 PKCE 和代理)
-async function generateAuthUrl(state = null, redirectUri = null, proxyConfig = null) {
+async function generateAuthUrl(
+  state = null,
+  redirectUri = null,
+  proxyConfig = null,
+  oauthProvider = null
+) {
  // 使用新的 redirect URI
  const finalRedirectUri = redirectUri || 'https://codeassist.google.com/authcode'
-  const oAuth2Client = createOAuth2Client(finalRedirectUri, proxyConfig)
+  const normalizedProvider = normalizeOauthProvider(oauthProvider)
+  const oauthConfig = getOauthProviderConfig(normalizedProvider)
+  const oAuth2Client = createOAuth2Client(finalRedirectUri, proxyConfig, normalizedProvider)

  if (proxyConfig) {
    logger.info(
@@ -172,7 +342,7 @@ async function generateAuthUrl(state = null, redirectUri = null, proxyConfig = n
  const authUrl = oAuth2Client.generateAuthUrl({
    redirect_uri: finalRedirectUri,
    access_type: 'offline',
-    scope: OAUTH_SCOPES,
+    scope: oauthConfig.scopes,
    code_challenge_method: 'S256',
    code_challenge: codeVerifier.codeChallenge,
    state: stateValue,
@@ -183,7 +353,8 @@ async function generateAuthUrl(state = null, redirectUri = null, proxyConfig = n
    authUrl,
    state: stateValue,
    codeVerifier: codeVerifier.codeVerifier,
-    redirectUri: finalRedirectUri
+    redirectUri: finalRedirectUri,
+    oauthProvider: normalizedProvider
  }
 }

@@ -244,11 +415,14 @@ async function exchangeCodeForTokens(
  code,
  redirectUri = null,
  codeVerifier = null,
-  proxyConfig = null
+  proxyConfig = null,
+  oauthProvider = null
 ) {
  try {
+    const normalizedProvider = normalizeOauthProvider(oauthProvider)
+    const oauthConfig = getOauthProviderConfig(normalizedProvider)
    // 创建带代理配置的 OAuth2Client
-    const oAuth2Client = createOAuth2Client(redirectUri, proxyConfig)
+    const oAuth2Client = createOAuth2Client(redirectUri, proxyConfig, normalizedProvider)

    if (proxyConfig) {
      logger.info(
@@ -274,7 +448,7 @@ async function exchangeCodeForTokens(
    return {
      access_token: tokens.access_token,
      refresh_token: tokens.refresh_token,
-      scope: tokens.scope || OAUTH_SCOPES.join(' '),
+      scope: tokens.scope || oauthConfig.scopes.join(' '),
      token_type: tokens.token_type || 'Bearer',
      expiry_date: tokens.expiry_date || Date.now() + tokens.expires_in * 1000
    }
@@ -285,9 +459,11 @@ async function exchangeCodeForTokens(
 }

 // 刷新访问令牌
-async function refreshAccessToken(refreshToken, proxyConfig = null) {
+async function refreshAccessToken(refreshToken, proxyConfig = null, oauthProvider = null) {
+  const normalizedProvider = normalizeOauthProvider(oauthProvider)
+  const oauthConfig = getOauthProviderConfig(normalizedProvider)
  // 创建带代理配置的 OAuth2Client
-  const oAuth2Client = createOAuth2Client(null, proxyConfig)
+  const oAuth2Client = createOAuth2Client(null, proxyConfig, normalizedProvider)

  try {
    // 设置 refresh_token
@@ -319,7 +495,7 @@ async function refreshAccessToken(refreshToken, proxyConfig = null) {
    return {
      access_token: credentials.access_token,
      refresh_token: credentials.refresh_token || refreshToken, // 保留原 refresh_token 如果没有返回新的
-      scope: credentials.scope || OAUTH_SCOPES.join(' '),
+      scope: credentials.scope || oauthConfig.scopes.join(' '),
      token_type: credentials.token_type || 'Bearer',
      expiry_date: credentials.expiry_date || Date.now() + 3600000 // 默认1小时过期
    }
@@ -339,6 +515,8 @@ async function refreshAccessToken(refreshToken, proxyConfig = null) {
 async function createAccount(accountData) {
  const id = uuidv4()
  const now = new Date().toISOString()
+  const oauthProvider = normalizeOauthProvider(accountData.oauthProvider)
+  const oauthConfig = getOauthProviderConfig(oauthProvider)

  // 处理凭证数据
  let geminiOauth = null
@@ -371,7 +549,7 @@ async function createAccount(accountData) {
      geminiOauth = JSON.stringify({
        access_token: accessToken,
        refresh_token: refreshToken,
-        scope: accountData.scope || OAUTH_SCOPES.join(' '),
+        scope: accountData.scope || oauthConfig.scopes.join(' '),
        token_type: accountData.tokenType || 'Bearer',
        expiry_date: accountData.expiryDate || Date.now() + 3600000 // 默认1小时
      })
@@ -399,7 +577,8 @@ async function createAccount(accountData) {
    refreshToken: refreshToken ? encrypt(refreshToken) : '',
    expiresAt, // OAuth Token 过期时间（技术字段，自动刷新）
    // 只有OAuth方式才有scopes，手动添加的没有
-    scopes: accountData.geminiOauth ? accountData.scopes || OAUTH_SCOPES.join(' ') : '',
+    scopes: accountData.geminiOauth ? accountData.scopes || oauthConfig.scopes.join(' ') : '',
+    oauthProvider,

    // ✅ 新增：账户订阅到期时间（业务字段，手动管理）
    subscriptionExpiresAt: accountData.subscriptionExpiresAt || null,
@@ -508,6 +687,10 @@ async function updateAccount(accountId, updates) {
    updates.schedulable = updates.schedulable.toString()
  }

+  if (updates.oauthProvider !== undefined) {
+    updates.oauthProvider = normalizeOauthProvider(updates.oauthProvider)
+  }
+
  // 加密敏感字段
  if (updates.geminiOauth) {
    updates.geminiOauth = encrypt(
@@ -885,12 +1068,13 @@ async function refreshAccountToken(accountId) {
      // 重新获取账户数据（可能已被其他进程刷新）
      const updatedAccount = await getAccount(accountId)
      if (updatedAccount && updatedAccount.accessToken) {
+        const oauthConfig = getOauthProviderConfig(updatedAccount.oauthProvider)
        const accessToken = decrypt(updatedAccount.accessToken)
        return {
          access_token: accessToken,
          refresh_token: updatedAccount.refreshToken ? decrypt(updatedAccount.refreshToken) : '',
          expiry_date: updatedAccount.expiresAt ? new Date(updatedAccount.expiresAt).getTime() : 0,
-          scope: updatedAccount.scope || OAUTH_SCOPES.join(' '),
+          scope: updatedAccount.scopes || oauthConfig.scopes.join(' '),
          token_type: 'Bearer'
        }
      }
@@ -904,7 +1088,11 @@ async function refreshAccountToken(accountId) {

    // account.refreshToken 已经是解密后的值（从 getAccount 返回）
    // 传入账户的代理配置
-    const newTokens = await refreshAccessToken(account.refreshToken, account.proxy)
+    const newTokens = await refreshAccessToken(
+      account.refreshToken,
+      account.proxy,
+      account.oauthProvider
+    )

    // 更新账户信息
    const updates = {
@@ -1036,14 +1224,15 @@ async function getAccountRateLimitInfo(accountId) {
 }

 // 获取配置的OAuth客户端 - 参考GeminiCliSimulator的getOauthClient方法（支持代理）
-async function getOauthClient(accessToken, refreshToken, proxyConfig = null) {
-  const client = createOAuth2Client(null, proxyConfig)
+async function getOauthClient(accessToken, refreshToken, proxyConfig = null, oauthProvider = null) {
+  const normalizedProvider = normalizeOauthProvider(oauthProvider)
+  const oauthConfig = getOauthProviderConfig(normalizedProvider)
+  const client = createOAuth2Client(null, proxyConfig, normalizedProvider)

  const creds = {
    access_token: accessToken,
    refresh_token: refreshToken,
-    scope:
-      'https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.profile openid https://www.googleapis.com/auth/userinfo.email',
+    scope: oauthConfig.scopes.join(' '),
    token_type: 'Bearer',
    expiry_date: 1754269905646
  }
@@ -1509,6 +1698,43 @@ async function generateContent(
  return response.data
 }

+// 调用 Antigravity 上游生成内容（非流式）
+async function generateContentAntigravity(
+  client,
+  requestData,
+  userPromptId,
+  projectId = null,
+  sessionId = null,
+  proxyConfig = null
+) {
+  const { token } = await client.getAccessToken()
+  const { model } = antigravityClient.buildAntigravityEnvelope({
+    requestData,
+    projectId,
+    sessionId,
+    userPromptId
+  })
+
+  logger.info('🪐 Antigravity generateContent API调用开始', {
+    model,
+    userPromptId,
+    projectId,
+    sessionId
+  })
+
+  const { response } = await antigravityClient.request({
+    accessToken: token,
+    proxyConfig,
+    requestData,
+    projectId,
+    sessionId,
+    userPromptId,
+    stream: false
+  })
+  logger.info('✅ Antigravity generateContent API调用成功')
+  return response.data
+}
+
 // 调用 Code Assist API 生成内容（流式）
 async function generateContentStream(
  client,
@@ -1593,6 +1819,46 @@ async function generateContentStream(
  return response.data // 返回流对象
 }

+// 调用 Antigravity 上游生成内容（流式）
+async function generateContentStreamAntigravity(
+  client,
+  requestData,
+  userPromptId,
+  projectId = null,
+  sessionId = null,
+  signal = null,
+  proxyConfig = null
+) {
+  const { token } = await client.getAccessToken()
+  const { model } = antigravityClient.buildAntigravityEnvelope({
+    requestData,
+    projectId,
+    sessionId,
+    userPromptId
+  })
+
+  logger.info('🌊 Antigravity streamGenerateContent API调用开始', {
+    model,
+    userPromptId,
+    projectId,
+    sessionId
+  })
+
+  const { response } = await antigravityClient.request({
+    accessToken: token,
+    proxyConfig,
+    requestData,
+    projectId,
+    sessionId,
+    userPromptId,
+    stream: true,
+    signal,
+    params: { alt: 'sse' }
+  })
+  logger.info('✅ Antigravity streamGenerateContent API调用成功，开始流式传输')
+  return response.data
+}
+
 // 更新账户的临时项目 ID
 async function updateTempProjectId(accountId, tempProjectId) {
  if (!tempProjectId) {
@@ -1687,10 +1953,12 @@ module.exports = {
  generateEncryptionKey,
  decryptCache, // 暴露缓存对象以便测试和监控
  countTokens,
+  countTokensAntigravity,
  generateContent,
  generateContentStream,
+  generateContentAntigravity,
+  generateContentStreamAntigravity,
+  fetchAvailableModelsAntigravity,
  updateTempProjectId,
-  resetAccountStatus,
-  OAUTH_CLIENT_ID,
-  OAUTH_SCOPES
+  resetAccountStatus
 }
--- a/src/services/openaiToClaude.js
+++ b/src/services/openaiToClaude.js
@@ -36,15 +36,28 @@ class OpenAIToClaudeConverter {

    // 如果 OpenAI 请求中包含系统消息,提取并检查
    const systemMessage = this._extractSystemMessage(openaiRequest.messages)
-    if (systemMessage && systemMessage.includes('You are currently in Xcode')) {
-      // Xcode 系统提示词
+
+    const passThroughSystemPrompt =
+      String(process.env.CRS_PASSTHROUGH_SYSTEM_PROMPT || '').toLowerCase() === 'true'
+
+    if (
+      systemMessage &&
+      (passThroughSystemPrompt || systemMessage.includes('You are currently in Xcode'))
+    ) {
      claudeRequest.system = systemMessage
-      logger.info(
-        `🔍 Xcode request detected, using Xcode system prompt (${systemMessage.length} chars)`
-      )
+
+      if (systemMessage.includes('You are currently in Xcode')) {
+        logger.info(
+          `🔍 Xcode request detected, using Xcode system prompt (${systemMessage.length} chars)`
+        )
+      } else {
+        logger.info(
+          `🧩 Using caller-provided system prompt (${systemMessage.length} chars) because CRS_PASSTHROUGH_SYSTEM_PROMPT=true`
+        )
+      }
      logger.debug(`📋 System prompt preview: ${systemMessage.substring(0, 150)}...`)
    } else {
-      // 使用 Claude Code 默认系统提示词
+      // 默认行为：兼容 Claude Code（忽略外部 system）
      claudeRequest.system = claudeCodeSystemMessage
      logger.debug(
        `📋 Using Claude Code default system prompt${systemMessage ? ' (ignored custom prompt)' : ''}`
--- a/src/services/unifiedGeminiScheduler.js
+++ b/src/services/unifiedGeminiScheduler.js
@@ -4,11 +4,35 @@ const accountGroupService = require('./accountGroupService')
 const redis = require('../models/redis')
 const logger = require('../utils/logger')

+const OAUTH_PROVIDER_GEMINI_CLI = 'gemini-cli'
+const OAUTH_PROVIDER_ANTIGRAVITY = 'antigravity'
+const KNOWN_OAUTH_PROVIDERS = [OAUTH_PROVIDER_GEMINI_CLI, OAUTH_PROVIDER_ANTIGRAVITY]
+
+function normalizeOauthProvider(oauthProvider) {
+  if (!oauthProvider) {
+    return OAUTH_PROVIDER_GEMINI_CLI
+  }
+  return oauthProvider === OAUTH_PROVIDER_ANTIGRAVITY
+    ? OAUTH_PROVIDER_ANTIGRAVITY
+    : OAUTH_PROVIDER_GEMINI_CLI
+}
+
 class UnifiedGeminiScheduler {
  constructor() {
    this.SESSION_MAPPING_PREFIX = 'unified_gemini_session_mapping:'
  }

+  _getSessionMappingKey(sessionHash, oauthProvider = null) {
+    if (!sessionHash) {
+      return null
+    }
+    if (!oauthProvider) {
+      return `${this.SESSION_MAPPING_PREFIX}${sessionHash}`
+    }
+    const normalized = normalizeOauthProvider(oauthProvider)
+    return `${this.SESSION_MAPPING_PREFIX}${normalized}:${sessionHash}`
+  }
+
  // 🔧 辅助方法：检查账户是否可调度（兼容字符串和布尔值）
  _isSchedulable(schedulable) {
    // 如果是 undefined 或 null，默认为可调度
@@ -32,7 +56,8 @@ class UnifiedGeminiScheduler {
    requestedModel = null,
    options = {}
  ) {
-    const { allowApiAccounts = false } = options
+    const { allowApiAccounts = false, oauthProvider = null } = options
+    const normalizedOauthProvider = oauthProvider ? normalizeOauthProvider(oauthProvider) : null

    try {
      // 如果API Key绑定了专属账户或分组，优先使用
@@ -83,14 +108,23 @@ class UnifiedGeminiScheduler {
            this._isActive(boundAccount.isActive) &&
            boundAccount.status !== 'error'
          ) {
-            logger.info(
-              `🎯 Using bound dedicated Gemini account: ${boundAccount.name} (${apiKeyData.geminiAccountId}) for API key ${apiKeyData.name}`
-            )
-            // 更新账户的最后使用时间
-            await geminiAccountService.markAccountUsed(apiKeyData.geminiAccountId)
-            return {
-              accountId: apiKeyData.geminiAccountId,
-              accountType: 'gemini'
+            if (
+              normalizedOauthProvider &&
+              normalizeOauthProvider(boundAccount.oauthProvider) !== normalizedOauthProvider
+            ) {
+              logger.warn(
+                `⚠️ Bound Gemini OAuth account ${boundAccount.name} oauthProvider=${normalizeOauthProvider(boundAccount.oauthProvider)} does not match requested oauthProvider=${normalizedOauthProvider}, falling back to pool`
+              )
+            } else {
+              logger.info(
+                `🎯 Using bound dedicated Gemini account: ${boundAccount.name} (${apiKeyData.geminiAccountId}) for API key ${apiKeyData.name}`
+              )
+              // 更新账户的最后使用时间
+              await geminiAccountService.markAccountUsed(apiKeyData.geminiAccountId)
+              return {
+                accountId: apiKeyData.geminiAccountId,
+                accountType: 'gemini'
+              }
            }
          } else {
            logger.warn(
@@ -102,7 +136,7 @@ class UnifiedGeminiScheduler {

      // 如果有会话哈希，检查是否有已映射的账户
      if (sessionHash) {
-        const mappedAccount = await this._getSessionMapping(sessionHash)
+        const mappedAccount = await this._getSessionMapping(sessionHash, normalizedOauthProvider)
        if (mappedAccount) {
          // 验证映射的账户是否仍然可用
          const isAvailable = await this._isAccountAvailable(
@@ -111,7 +145,7 @@ class UnifiedGeminiScheduler {
          )
          if (isAvailable) {
            // 🚀 智能会话续期（续期 unified 映射键，按配置）
-            await this._extendSessionMappingTTL(sessionHash)
+            await this._extendSessionMappingTTL(sessionHash, normalizedOauthProvider)
            logger.info(
              `🎯 Using sticky session account: ${mappedAccount.accountId} (${mappedAccount.accountType}) for session ${sessionHash}`
            )
@@ -132,11 +166,10 @@ class UnifiedGeminiScheduler {
      }

      // 获取所有可用账户
-      const availableAccounts = await this._getAllAvailableAccounts(
-        apiKeyData,
-        requestedModel,
-        allowApiAccounts
-      )
+      const availableAccounts = await this._getAllAvailableAccounts(apiKeyData, requestedModel, {
+        allowApiAccounts,
+        oauthProvider: normalizedOauthProvider
+      })

      if (availableAccounts.length === 0) {
        // 提供更详细的错误信息
@@ -160,7 +193,8 @@ class UnifiedGeminiScheduler {
        await this._setSessionMapping(
          sessionHash,
          selectedAccount.accountId,
-          selectedAccount.accountType
+          selectedAccount.accountType,
+          normalizedOauthProvider
        )
        logger.info(
          `🎯 Created new sticky session mapping: ${selectedAccount.name} (${selectedAccount.accountId}, ${selectedAccount.accountType}) for session ${sessionHash}`
@@ -189,7 +223,18 @@ class UnifiedGeminiScheduler {
  }

  // 📋 获取所有可用账户
-  async _getAllAvailableAccounts(apiKeyData, requestedModel = null, allowApiAccounts = false) {
+  async _getAllAvailableAccounts(
+    apiKeyData,
+    requestedModel = null,
+    allowApiAccountsOrOptions = false
+  ) {
+    const options =
+      allowApiAccountsOrOptions && typeof allowApiAccountsOrOptions === 'object'
+        ? allowApiAccountsOrOptions
+        : { allowApiAccounts: allowApiAccountsOrOptions }
+    const { allowApiAccounts = false, oauthProvider = null } = options
+    const normalizedOauthProvider = oauthProvider ? normalizeOauthProvider(oauthProvider) : null
+
    const availableAccounts = []

    // 如果API Key绑定了专属账户，优先返回
@@ -254,6 +299,12 @@ class UnifiedGeminiScheduler {
          this._isActive(boundAccount.isActive) &&
          boundAccount.status !== 'error'
        ) {
+          if (
+            normalizedOauthProvider &&
+            normalizeOauthProvider(boundAccount.oauthProvider) !== normalizedOauthProvider
+          ) {
+            return availableAccounts
+          }
          const isRateLimited = await this.isAccountRateLimited(boundAccount.id)
          if (!isRateLimited) {
            // 检查模型支持
@@ -303,6 +354,12 @@ class UnifiedGeminiScheduler {
        (account.accountType === 'shared' || !account.accountType) && // 兼容旧数据
        this._isSchedulable(account.schedulable)
      ) {
+        if (
+          normalizedOauthProvider &&
+          normalizeOauthProvider(account.oauthProvider) !== normalizedOauthProvider
+        ) {
+          continue
+        }
        // 检查是否可调度

        // 检查token是否过期
@@ -437,9 +494,10 @@ class UnifiedGeminiScheduler {
  }

  // 🔗 获取会话映射
-  async _getSessionMapping(sessionHash) {
+  async _getSessionMapping(sessionHash, oauthProvider = null) {
    const client = redis.getClientSafe()
-    const mappingData = await client.get(`${this.SESSION_MAPPING_PREFIX}${sessionHash}`)
+    const key = this._getSessionMappingKey(sessionHash, oauthProvider)
+    const mappingData = key ? await client.get(key) : null

    if (mappingData) {
      try {
@@ -454,27 +512,42 @@ class UnifiedGeminiScheduler {
  }

  // 💾 设置会话映射
-  async _setSessionMapping(sessionHash, accountId, accountType) {
+  async _setSessionMapping(sessionHash, accountId, accountType, oauthProvider = null) {
    const client = redis.getClientSafe()
    const mappingData = JSON.stringify({ accountId, accountType })
    // 依据配置设置TTL（小时）
    const appConfig = require('../../config/config')
    const ttlHours = appConfig.session?.stickyTtlHours || 1
    const ttlSeconds = Math.max(1, Math.floor(ttlHours * 60 * 60))
-    await client.setex(`${this.SESSION_MAPPING_PREFIX}${sessionHash}`, ttlSeconds, mappingData)
+    const key = this._getSessionMappingKey(sessionHash, oauthProvider)
+    if (!key) {
+      return
+    }
+    await client.setex(key, ttlSeconds, mappingData)
  }

  // 🗑️ 删除会话映射
  async _deleteSessionMapping(sessionHash) {
    const client = redis.getClientSafe()
-    await client.del(`${this.SESSION_MAPPING_PREFIX}${sessionHash}`)
+    if (!sessionHash) {
+      return
+    }
+
+    const keys = [this._getSessionMappingKey(sessionHash)]
+    for (const provider of KNOWN_OAUTH_PROVIDERS) {
+      keys.push(this._getSessionMappingKey(sessionHash, provider))
+    }
+    await client.del(keys.filter(Boolean))
  }

  // 🔁 续期统一调度会话映射TTL（针对 unified_gemini_session_mapping:* 键），遵循会话配置
-  async _extendSessionMappingTTL(sessionHash) {
+  async _extendSessionMappingTTL(sessionHash, oauthProvider = null) {
    try {
      const client = redis.getClientSafe()
-      const key = `${this.SESSION_MAPPING_PREFIX}${sessionHash}`
+      const key = this._getSessionMappingKey(sessionHash, oauthProvider)
+      if (!key) {
+        return false
+      }
      const remainingTTL = await client.ttl(key)

      if (remainingTTL === -2) {
--- a/src/utils/anthropicRequestDump.js
+++ b/src/utils/anthropicRequestDump.js
@@ -0,0 +1,126 @@
+const fs = require('fs/promises')
+const path = require('path')
+const logger = require('./logger')
+const { getProjectRoot } = require('./projectPaths')
+
+const REQUEST_DUMP_ENV = 'ANTHROPIC_DEBUG_REQUEST_DUMP'
+const REQUEST_DUMP_MAX_BYTES_ENV = 'ANTHROPIC_DEBUG_REQUEST_DUMP_MAX_BYTES'
+const REQUEST_DUMP_FILENAME = 'anthropic-requests-dump.jsonl'
+
+function isEnabled() {
+  const raw = process.env[REQUEST_DUMP_ENV]
+  if (!raw) {
+    return false
+  }
+  return raw === '1' || raw.toLowerCase() === 'true'
+}
+
+function getMaxBytes() {
+  const raw = process.env[REQUEST_DUMP_MAX_BYTES_ENV]
+  if (!raw) {
+    return 2 * 1024 * 1024
+  }
+  const parsed = Number.parseInt(raw, 10)
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return 2 * 1024 * 1024
+  }
+  return parsed
+}
+
+function maskSecret(value) {
+  if (value === null || value === undefined) {
+    return value
+  }
+  const str = String(value)
+  if (str.length <= 8) {
+    return '***'
+  }
+  return `${str.slice(0, 4)}...${str.slice(-4)}`
+}
+
+function sanitizeHeaders(headers) {
+  const sensitive = new Set([
+    'authorization',
+    'proxy-authorization',
+    'x-api-key',
+    'cookie',
+    'set-cookie',
+    'x-forwarded-for',
+    'x-real-ip'
+  ])
+
+  const out = {}
+  for (const [k, v] of Object.entries(headers || {})) {
+    const key = k.toLowerCase()
+    if (sensitive.has(key)) {
+      out[key] = maskSecret(v)
+      continue
+    }
+    out[key] = v
+  }
+  return out
+}
+
+function safeJsonStringify(payload, maxBytes) {
+  let json = ''
+  try {
+    json = JSON.stringify(payload)
+  } catch (e) {
+    return JSON.stringify({
+      type: 'anthropic_request_dump_error',
+      error: 'JSON.stringify_failed',
+      message: e?.message || String(e)
+    })
+  }
+
+  if (Buffer.byteLength(json, 'utf8') <= maxBytes) {
+    return json
+  }
+
+  const truncated = Buffer.from(json, 'utf8').subarray(0, maxBytes).toString('utf8')
+  return JSON.stringify({
+    type: 'anthropic_request_dump_truncated',
+    maxBytes,
+    originalBytes: Buffer.byteLength(json, 'utf8'),
+    partialJson: truncated
+  })
+}
+
+async function dumpAnthropicMessagesRequest(req, meta = {}) {
+  if (!isEnabled()) {
+    return
+  }
+
+  const maxBytes = getMaxBytes()
+  const filename = path.join(getProjectRoot(), REQUEST_DUMP_FILENAME)
+
+  const record = {
+    ts: new Date().toISOString(),
+    requestId: req?.requestId || null,
+    method: req?.method || null,
+    url: req?.originalUrl || req?.url || null,
+    ip: req?.ip || null,
+    meta,
+    headers: sanitizeHeaders(req?.headers || {}),
+    body: req?.body || null
+  }
+
+  const line = `${safeJsonStringify(record, maxBytes)}\n`
+
+  try {
+    await fs.appendFile(filename, line, { encoding: 'utf8' })
+  } catch (e) {
+    logger.warn('Failed to dump Anthropic request', {
+      filename,
+      requestId: req?.requestId || null,
+      error: e?.message || String(e)
+    })
+  }
+}
+
+module.exports = {
+  dumpAnthropicMessagesRequest,
+  REQUEST_DUMP_ENV,
+  REQUEST_DUMP_MAX_BYTES_ENV,
+  REQUEST_DUMP_FILENAME
+}
--- a/src/utils/anthropicResponseDump.js
+++ b/src/utils/anthropicResponseDump.js
@@ -0,0 +1,125 @@
+const fs = require('fs/promises')
+const path = require('path')
+const logger = require('./logger')
+const { getProjectRoot } = require('./projectPaths')
+
+const RESPONSE_DUMP_ENV = 'ANTHROPIC_DEBUG_RESPONSE_DUMP'
+const RESPONSE_DUMP_MAX_BYTES_ENV = 'ANTHROPIC_DEBUG_RESPONSE_DUMP_MAX_BYTES'
+const RESPONSE_DUMP_FILENAME = 'anthropic-responses-dump.jsonl'
+
+function isEnabled() {
+  const raw = process.env[RESPONSE_DUMP_ENV]
+  if (!raw) {
+    return false
+  }
+  return raw === '1' || raw.toLowerCase() === 'true'
+}
+
+function getMaxBytes() {
+  const raw = process.env[RESPONSE_DUMP_MAX_BYTES_ENV]
+  if (!raw) {
+    return 2 * 1024 * 1024
+  }
+  const parsed = Number.parseInt(raw, 10)
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return 2 * 1024 * 1024
+  }
+  return parsed
+}
+
+function safeJsonStringify(payload, maxBytes) {
+  let json = ''
+  try {
+    json = JSON.stringify(payload)
+  } catch (e) {
+    return JSON.stringify({
+      type: 'anthropic_response_dump_error',
+      error: 'JSON.stringify_failed',
+      message: e?.message || String(e)
+    })
+  }
+
+  if (Buffer.byteLength(json, 'utf8') <= maxBytes) {
+    return json
+  }
+
+  const truncated = Buffer.from(json, 'utf8').subarray(0, maxBytes).toString('utf8')
+  return JSON.stringify({
+    type: 'anthropic_response_dump_truncated',
+    maxBytes,
+    originalBytes: Buffer.byteLength(json, 'utf8'),
+    partialJson: truncated
+  })
+}
+
+function summarizeAnthropicResponseBody(body) {
+  const content = Array.isArray(body?.content) ? body.content : []
+  const toolUses = content.filter((b) => b && b.type === 'tool_use')
+  const texts = content
+    .filter((b) => b && b.type === 'text' && typeof b.text === 'string')
+    .map((b) => b.text)
+    .join('')
+
+  return {
+    id: body?.id || null,
+    model: body?.model || null,
+    stop_reason: body?.stop_reason || null,
+    usage: body?.usage || null,
+    content_blocks: content.map((b) => (b ? b.type : null)).filter(Boolean),
+    tool_use_names: toolUses.map((b) => b.name).filter(Boolean),
+    text_preview: texts ? texts.slice(0, 800) : ''
+  }
+}
+
+async function dumpAnthropicResponse(req, responseInfo, meta = {}) {
+  if (!isEnabled()) {
+    return
+  }
+
+  const maxBytes = getMaxBytes()
+  const filename = path.join(getProjectRoot(), RESPONSE_DUMP_FILENAME)
+
+  const record = {
+    ts: new Date().toISOString(),
+    requestId: req?.requestId || null,
+    url: req?.originalUrl || req?.url || null,
+    meta,
+    response: responseInfo
+  }
+
+  const line = `${safeJsonStringify(record, maxBytes)}\n`
+  try {
+    await fs.appendFile(filename, line, { encoding: 'utf8' })
+  } catch (e) {
+    logger.warn('Failed to dump Anthropic response', {
+      filename,
+      requestId: req?.requestId || null,
+      error: e?.message || String(e)
+    })
+  }
+}
+
+async function dumpAnthropicNonStreamResponse(req, statusCode, body, meta = {}) {
+  return dumpAnthropicResponse(
+    req,
+    { kind: 'non-stream', statusCode, summary: summarizeAnthropicResponseBody(body), body },
+    meta
+  )
+}
+
+async function dumpAnthropicStreamSummary(req, summary, meta = {}) {
+  return dumpAnthropicResponse(req, { kind: 'stream', summary }, meta)
+}
+
+async function dumpAnthropicStreamError(req, error, meta = {}) {
+  return dumpAnthropicResponse(req, { kind: 'stream-error', error }, meta)
+}
+
+module.exports = {
+  dumpAnthropicNonStreamResponse,
+  dumpAnthropicStreamSummary,
+  dumpAnthropicStreamError,
+  RESPONSE_DUMP_ENV,
+  RESPONSE_DUMP_MAX_BYTES_ENV,
+  RESPONSE_DUMP_FILENAME
+}
--- a/src/utils/antigravityModel.js
+++ b/src/utils/antigravityModel.js
@@ -0,0 +1,138 @@
+const DEFAULT_ANTIGRAVITY_MODEL = 'gemini-2.5-flash'
+
+const UPSTREAM_TO_ALIAS = {
+  'rev19-uic3-1p': 'gemini-2.5-computer-use-preview-10-2025',
+  'gemini-3-pro-image': 'gemini-3-pro-image-preview',
+  'gemini-3-pro-high': 'gemini-3-pro-preview',
+  'gemini-3-flash': 'gemini-3-flash-preview',
+  'claude-sonnet-4-5': 'gemini-claude-sonnet-4-5',
+  'claude-sonnet-4-5-thinking': 'gemini-claude-sonnet-4-5-thinking',
+  'claude-opus-4-5-thinking': 'gemini-claude-opus-4-5-thinking',
+  chat_20706: '',
+  chat_23310: '',
+  'gemini-2.5-flash-thinking': '',
+  'gemini-3-pro-low': '',
+  'gemini-2.5-pro': ''
+}
+
+const ALIAS_TO_UPSTREAM = {
+  'gemini-2.5-computer-use-preview-10-2025': 'rev19-uic3-1p',
+  'gemini-3-pro-image-preview': 'gemini-3-pro-image',
+  'gemini-3-pro-preview': 'gemini-3-pro-high',
+  'gemini-3-flash-preview': 'gemini-3-flash',
+  'gemini-claude-sonnet-4-5': 'claude-sonnet-4-5',
+  'gemini-claude-sonnet-4-5-thinking': 'claude-sonnet-4-5-thinking',
+  'gemini-claude-opus-4-5-thinking': 'claude-opus-4-5-thinking'
+}
+
+const ANTIGRAVITY_MODEL_METADATA = {
+  'gemini-2.5-flash': {
+    thinking: { min: 0, max: 24576, zeroAllowed: true, dynamicAllowed: true },
+    name: 'models/gemini-2.5-flash'
+  },
+  'gemini-2.5-flash-lite': {
+    thinking: { min: 0, max: 24576, zeroAllowed: true, dynamicAllowed: true },
+    name: 'models/gemini-2.5-flash-lite'
+  },
+  'gemini-2.5-computer-use-preview-10-2025': {
+    name: 'models/gemini-2.5-computer-use-preview-10-2025'
+  },
+  'gemini-3-pro-preview': {
+    thinking: {
+      min: 128,
+      max: 32768,
+      zeroAllowed: false,
+      dynamicAllowed: true,
+      levels: ['low', 'high']
+    },
+    name: 'models/gemini-3-pro-preview'
+  },
+  'gemini-3-pro-image-preview': {
+    thinking: {
+      min: 128,
+      max: 32768,
+      zeroAllowed: false,
+      dynamicAllowed: true,
+      levels: ['low', 'high']
+    },
+    name: 'models/gemini-3-pro-image-preview'
+  },
+  'gemini-3-flash-preview': {
+    thinking: {
+      min: 128,
+      max: 32768,
+      zeroAllowed: false,
+      dynamicAllowed: true,
+      levels: ['minimal', 'low', 'medium', 'high']
+    },
+    name: 'models/gemini-3-flash-preview'
+  },
+  'gemini-claude-sonnet-4-5-thinking': {
+    thinking: { min: 1024, max: 200000, zeroAllowed: false, dynamicAllowed: true },
+    maxCompletionTokens: 64000
+  },
+  'gemini-claude-opus-4-5-thinking': {
+    thinking: { min: 1024, max: 200000, zeroAllowed: false, dynamicAllowed: true },
+    maxCompletionTokens: 64000
+  }
+}
+
+function normalizeAntigravityModelInput(model, defaultModel = DEFAULT_ANTIGRAVITY_MODEL) {
+  if (!model) {
+    return defaultModel
+  }
+  return model.startsWith('models/') ? model.slice('models/'.length) : model
+}
+
+function getAntigravityModelAlias(modelName) {
+  const normalized = normalizeAntigravityModelInput(modelName)
+  if (Object.prototype.hasOwnProperty.call(UPSTREAM_TO_ALIAS, normalized)) {
+    return UPSTREAM_TO_ALIAS[normalized]
+  }
+  return normalized
+}
+
+function getAntigravityModelMetadata(modelName) {
+  const normalized = normalizeAntigravityModelInput(modelName)
+  if (Object.prototype.hasOwnProperty.call(ANTIGRAVITY_MODEL_METADATA, normalized)) {
+    return ANTIGRAVITY_MODEL_METADATA[normalized]
+  }
+  if (normalized.startsWith('claude-')) {
+    const prefixed = `gemini-${normalized}`
+    if (Object.prototype.hasOwnProperty.call(ANTIGRAVITY_MODEL_METADATA, prefixed)) {
+      return ANTIGRAVITY_MODEL_METADATA[prefixed]
+    }
+    const thinkingAlias = `${prefixed}-thinking`
+    if (Object.prototype.hasOwnProperty.call(ANTIGRAVITY_MODEL_METADATA, thinkingAlias)) {
+      return ANTIGRAVITY_MODEL_METADATA[thinkingAlias]
+    }
+  }
+  return null
+}
+
+function mapAntigravityUpstreamModel(model) {
+  const normalized = normalizeAntigravityModelInput(model)
+  let upstream = Object.prototype.hasOwnProperty.call(ALIAS_TO_UPSTREAM, normalized)
+    ? ALIAS_TO_UPSTREAM[normalized]
+    : normalized
+
+  if (upstream.startsWith('gemini-claude-')) {
+    upstream = upstream.replace(/^gemini-/, '')
+  }
+
+  const mapping = {
+    // Opus：上游更常见的是 thinking 变体（CLIProxyAPI 也按此处理）
+    'claude-opus-4-5': 'claude-opus-4-5-thinking',
+    // Gemini thinking 变体回退
+    'gemini-2.5-flash-thinking': 'gemini-2.5-flash'
+  }
+
+  return mapping[upstream] || upstream
+}
+
+module.exports = {
+  normalizeAntigravityModelInput,
+  getAntigravityModelAlias,
+  getAntigravityModelMetadata,
+  mapAntigravityUpstreamModel
+}
--- a/src/utils/antigravityUpstreamDump.js
+++ b/src/utils/antigravityUpstreamDump.js
@@ -0,0 +1,121 @@
+const fs = require('fs/promises')
+const path = require('path')
+const logger = require('./logger')
+const { getProjectRoot } = require('./projectPaths')
+
+const UPSTREAM_REQUEST_DUMP_ENV = 'ANTIGRAVITY_DEBUG_UPSTREAM_REQUEST_DUMP'
+const UPSTREAM_REQUEST_DUMP_MAX_BYTES_ENV = 'ANTIGRAVITY_DEBUG_UPSTREAM_REQUEST_DUMP_MAX_BYTES'
+const UPSTREAM_REQUEST_DUMP_FILENAME = 'antigravity-upstream-requests-dump.jsonl'
+
+function isEnabled() {
+  const raw = process.env[UPSTREAM_REQUEST_DUMP_ENV]
+  if (!raw) {
+    return false
+  }
+  const normalized = String(raw).trim().toLowerCase()
+  return normalized === '1' || normalized === 'true'
+}
+
+function getMaxBytes() {
+  const raw = process.env[UPSTREAM_REQUEST_DUMP_MAX_BYTES_ENV]
+  if (!raw) {
+    return 2 * 1024 * 1024
+  }
+  const parsed = Number.parseInt(raw, 10)
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return 2 * 1024 * 1024
+  }
+  return parsed
+}
+
+function redact(value) {
+  if (!value) {
+    return value
+  }
+  const s = String(value)
+  if (s.length <= 10) {
+    return '***'
+  }
+  return `${s.slice(0, 3)}...${s.slice(-4)}`
+}
+
+function safeJsonStringify(payload, maxBytes) {
+  let json = ''
+  try {
+    json = JSON.stringify(payload)
+  } catch (e) {
+    return JSON.stringify({
+      type: 'antigravity_upstream_dump_error',
+      error: 'JSON.stringify_failed',
+      message: e?.message || String(e)
+    })
+  }
+
+  if (Buffer.byteLength(json, 'utf8') <= maxBytes) {
+    return json
+  }
+
+  const truncated = Buffer.from(json, 'utf8').subarray(0, maxBytes).toString('utf8')
+  return JSON.stringify({
+    type: 'antigravity_upstream_dump_truncated',
+    maxBytes,
+    originalBytes: Buffer.byteLength(json, 'utf8'),
+    partialJson: truncated
+  })
+}
+
+async function dumpAntigravityUpstreamRequest(requestInfo) {
+  if (!isEnabled()) {
+    return
+  }
+
+  const maxBytes = getMaxBytes()
+  const filename = path.join(getProjectRoot(), UPSTREAM_REQUEST_DUMP_FILENAME)
+
+  const record = {
+    ts: new Date().toISOString(),
+    type: 'antigravity_upstream_request',
+    requestId: requestInfo?.requestId || null,
+    model: requestInfo?.model || null,
+    stream: Boolean(requestInfo?.stream),
+    url: requestInfo?.url || null,
+    baseUrl: requestInfo?.baseUrl || null,
+    params: requestInfo?.params || null,
+    headers: requestInfo?.headers
+      ? {
+          Host: requestInfo.headers.Host || requestInfo.headers.host || null,
+          'User-Agent':
+            requestInfo.headers['User-Agent'] || requestInfo.headers['user-agent'] || null,
+          Authorization: (() => {
+            const raw = requestInfo.headers.Authorization || requestInfo.headers.authorization
+            if (!raw) {
+              return null
+            }
+            const value = String(raw)
+            const m = value.match(/^Bearer\\s+(.+)$/i)
+            const token = m ? m[1] : value
+            return `Bearer ${redact(token)}`
+          })()
+        }
+      : null,
+    envelope: requestInfo?.envelope || null
+  }
+
+  const line = `${safeJsonStringify(record, maxBytes)}\n`
+  try {
+    await fs.appendFile(filename, line, { encoding: 'utf8' })
+  } catch (e) {
+    logger.warn('Failed to dump Antigravity upstream request', {
+      filename,
+      requestId: requestInfo?.requestId || null,
+      error: e?.message || String(e)
+    })
+  }
+}
+
+module.exports = {
+  dumpAntigravityUpstreamRequest,
+  UPSTREAM_REQUEST_DUMP_ENV,
+  UPSTREAM_REQUEST_DUMP_MAX_BYTES_ENV,
+  UPSTREAM_REQUEST_DUMP_FILENAME
+}
--- a/src/utils/errorSanitizer.js
+++ b/src/utils/errorSanitizer.js
@@ -55,16 +55,69 @@ function sanitizeUpstreamError(errorData) {
    return errorData
  }

-  // 深拷贝避免修改原始对象
-  const sanitized = JSON.parse(JSON.stringify(errorData))
+  // AxiosError / Error：返回摘要，避免泄露请求体/headers/token 等敏感信息
+  const looksLikeAxiosError =
+    errorData.isAxiosError ||
+    (errorData.name === 'AxiosError' && (errorData.config || errorData.response))
+  const looksLikeError = errorData instanceof Error || typeof errorData.message === 'string'
+
+  if (looksLikeAxiosError || looksLikeError) {
+    const statusCode = errorData.response?.status
+    const upstreamBody = errorData.response?.data
+    const upstreamMessage = sanitizeErrorMessage(extractErrorMessage(upstreamBody) || '')
+
+    return {
+      name: errorData.name || 'Error',
+      code: errorData.code,
+      statusCode,
+      message: sanitizeErrorMessage(errorData.message || ''),
+      upstreamMessage: upstreamMessage || undefined,
+      upstreamType: upstreamBody?.error?.type || upstreamBody?.error?.status || undefined
+    }
+  }

  // 递归清理嵌套的错误对象
+  const visited = new WeakSet()
+
+  const shouldRedactKey = (key) => {
+    if (!key) {
+      return false
+    }
+    const lowerKey = String(key).toLowerCase()
+    return (
+      lowerKey === 'authorization' ||
+      lowerKey === 'cookie' ||
+      lowerKey.includes('api_key') ||
+      lowerKey.includes('apikey') ||
+      lowerKey.includes('access_token') ||
+      lowerKey.includes('refresh_token') ||
+      lowerKey.endsWith('token') ||
+      lowerKey.includes('secret') ||
+      lowerKey.includes('password')
+    )
+  }
+
  const sanitizeObject = (obj) => {
    if (!obj || typeof obj !== 'object') {
      return obj
    }

+    if (visited.has(obj)) {
+      return '[Circular]'
+    }
+    visited.add(obj)
+
+    // 主动剔除常见“超大且敏感”的字段
+    if (obj.config || obj.request || obj.response) {
+      return '[Redacted]'
+    }
+
    for (const key in obj) {
+      if (shouldRedactKey(key)) {
+        obj[key] = '[REDACTED]'
+        continue
+      }
+
      // 清理所有字符串字段，不仅仅是 message
      if (typeof obj[key] === 'string') {
        obj[key] = sanitizeErrorMessage(obj[key])
@@ -76,7 +129,9 @@ function sanitizeUpstreamError(errorData) {
    return obj
  }

-  return sanitizeObject(sanitized)
+  // 尽量不修改原对象：浅拷贝后递归清理
+  const clone = Array.isArray(errorData) ? [...errorData] : { ...errorData }
+  return sanitizeObject(clone)
 }

 /**
--- a/src/utils/featureFlags.js
+++ b/src/utils/featureFlags.js
@@ -0,0 +1,44 @@
+let config = {}
+try {
+  // config/config.js 可能在某些环境不存在（例如仅拷贝了 config.example.js）
+  // 为保证可运行，这里做容错处理
+  // eslint-disable-next-line global-require
+  config = require('../../config/config')
+} catch (error) {
+  config = {}
+}
+
+const parseBooleanEnv = (value) => {
+  if (typeof value === 'boolean') {
+    return value
+  }
+  if (typeof value !== 'string') {
+    return false
+  }
+  const normalized = value.trim().toLowerCase()
+  return normalized === 'true' || normalized === '1' || normalized === 'yes' || normalized === 'on'
+}
+
+/**
+ * 是否允许执行“余额脚本”（安全开关）
+ * 默认开启，便于保持现有行为；如需禁用请显式设置 BALANCE_SCRIPT_ENABLED=false（环境变量优先）
+ */
+const isBalanceScriptEnabled = () => {
+  if (
+    process.env.BALANCE_SCRIPT_ENABLED !== undefined &&
+    process.env.BALANCE_SCRIPT_ENABLED !== ''
+  ) {
+    return parseBooleanEnv(process.env.BALANCE_SCRIPT_ENABLED)
+  }
+
+  const fromConfig =
+    config?.accountBalance?.enableBalanceScript ??
+    config?.features?.balanceScriptEnabled ??
+    config?.security?.enableBalanceScript
+
+  return typeof fromConfig === 'boolean' ? fromConfig : true
+}
+
+module.exports = {
+  isBalanceScriptEnabled
+}
--- a/src/utils/geminiSchemaCleaner.js
+++ b/src/utils/geminiSchemaCleaner.js
@@ -0,0 +1,265 @@
+function appendHint(description, hint) {
+  if (!hint) {
+    return description || ''
+  }
+  if (!description) {
+    return hint
+  }
+  return `${description} (${hint})`
+}
+
+function getRefHint(refValue) {
+  const ref = String(refValue || '')
+  if (!ref) {
+    return ''
+  }
+  const idx = ref.lastIndexOf('/')
+  const name = idx >= 0 ? ref.slice(idx + 1) : ref
+  return name ? `See: ${name}` : ''
+}
+
+function normalizeType(typeValue) {
+  if (typeof typeValue === 'string' && typeValue) {
+    return { type: typeValue, hint: '' }
+  }
+  if (!Array.isArray(typeValue) || typeValue.length === 0) {
+    return { type: '', hint: '' }
+  }
+  const raw = typeValue.map((t) => (t === null || t === undefined ? '' : String(t))).filter(Boolean)
+  const hasNull = raw.includes('null')
+  const nonNull = raw.filter((t) => t !== 'null')
+  const primary = nonNull[0] || 'string'
+  const hintParts = []
+  if (nonNull.length > 1) {
+    hintParts.push(`Accepts: ${nonNull.join(' | ')}`)
+  }
+  if (hasNull) {
+    hintParts.push('nullable')
+  }
+  return { type: primary, hint: hintParts.join('; ') }
+}
+
+const CONSTRAINT_KEYS = [
+  'minLength',
+  'maxLength',
+  'exclusiveMinimum',
+  'exclusiveMaximum',
+  'pattern',
+  'minItems',
+  'maxItems'
+]
+
+function scoreSchema(schema) {
+  if (!schema || typeof schema !== 'object') {
+    return { score: 0, type: '' }
+  }
+  const t = typeof schema.type === 'string' ? schema.type : ''
+  if (t === 'object' || (schema.properties && typeof schema.properties === 'object')) {
+    return { score: 3, type: t || 'object' }
+  }
+  if (t === 'array' || schema.items) {
+    return { score: 2, type: t || 'array' }
+  }
+  if (t && t !== 'null') {
+    return { score: 1, type: t }
+  }
+  return { score: 0, type: t || 'null' }
+}
+
+function pickBestFromAlternatives(alternatives) {
+  let bestIndex = 0
+  let bestScore = -1
+  const types = []
+  for (let i = 0; i < alternatives.length; i += 1) {
+    const alt = alternatives[i]
+    const { score, type } = scoreSchema(alt)
+    if (type) {
+      types.push(type)
+    }
+    if (score > bestScore) {
+      bestScore = score
+      bestIndex = i
+    }
+  }
+  return { best: alternatives[bestIndex], types: Array.from(new Set(types)).filter(Boolean) }
+}
+
+function cleanJsonSchemaForGemini(schema) {
+  if (schema === null || schema === undefined) {
+    return { type: 'object', properties: {} }
+  }
+  if (typeof schema !== 'object') {
+    return { type: 'object', properties: {} }
+  }
+  if (Array.isArray(schema)) {
+    return { type: 'object', properties: {} }
+  }
+
+  // $ref：Gemini/Antigravity 不支持，转换为 hint
+  if (typeof schema.$ref === 'string' && schema.$ref) {
+    return {
+      type: 'object',
+      description: appendHint(schema.description || '', getRefHint(schema.$ref)),
+      properties: {}
+    }
+  }
+
+  // anyOf / oneOf：选择最可能的 schema，保留类型提示
+  const anyOf = Array.isArray(schema.anyOf) ? schema.anyOf : null
+  const oneOf = Array.isArray(schema.oneOf) ? schema.oneOf : null
+  const alts = anyOf && anyOf.length ? anyOf : oneOf && oneOf.length ? oneOf : null
+  if (alts) {
+    const { best, types } = pickBestFromAlternatives(alts)
+    const cleaned = cleanJsonSchemaForGemini(best)
+    const mergedDescription = appendHint(cleaned.description || '', schema.description || '')
+    const typeHint = types.length > 1 ? `Accepts: ${types.join(' || ')}` : ''
+    return {
+      ...cleaned,
+      description: appendHint(mergedDescription, typeHint)
+    }
+  }
+
+  // allOf：合并 properties/required
+  if (Array.isArray(schema.allOf) && schema.allOf.length) {
+    const merged = {}
+    let mergedDesc = schema.description || ''
+    const mergedReq = new Set()
+    const mergedProps = {}
+    for (const item of schema.allOf) {
+      const cleaned = cleanJsonSchemaForGemini(item)
+      if (cleaned.description) {
+        mergedDesc = appendHint(mergedDesc, cleaned.description)
+      }
+      if (Array.isArray(cleaned.required)) {
+        for (const r of cleaned.required) {
+          if (typeof r === 'string' && r) {
+            mergedReq.add(r)
+          }
+        }
+      }
+      if (cleaned.properties && typeof cleaned.properties === 'object') {
+        Object.assign(mergedProps, cleaned.properties)
+      }
+      if (cleaned.type && !merged.type) {
+        merged.type = cleaned.type
+      }
+      if (cleaned.items && !merged.items) {
+        merged.items = cleaned.items
+      }
+      if (Array.isArray(cleaned.enum) && !merged.enum) {
+        merged.enum = cleaned.enum
+      }
+    }
+    if (Object.keys(mergedProps).length) {
+      merged.type = merged.type || 'object'
+      merged.properties = mergedProps
+      const req = Array.from(mergedReq).filter((r) => mergedProps[r])
+      if (req.length) {
+        merged.required = req
+      }
+    }
+    if (mergedDesc) {
+      merged.description = mergedDesc
+    }
+    return cleanJsonSchemaForGemini(merged)
+  }
+
+  const result = {}
+  const constraintHints = []
+
+  // description
+  if (typeof schema.description === 'string') {
+    result.description = schema.description
+  }
+
+  for (const key of CONSTRAINT_KEYS) {
+    const value = schema[key]
+    if (value === undefined || value === null || typeof value === 'object') {
+      continue
+    }
+    constraintHints.push(`${key}: ${value}`)
+  }
+
+  // const -> enum
+  if (schema.const !== undefined && !Array.isArray(schema.enum)) {
+    result.enum = [schema.const]
+  }
+
+  // enum
+  if (Array.isArray(schema.enum)) {
+    const en = schema.enum.filter(
+      (v) => typeof v === 'string' || typeof v === 'number' || typeof v === 'boolean'
+    )
+    if (en.length) {
+      result.enum = en
+    }
+  }
+
+  // type（flatten 数组 type）
+  const { type: normalizedType, hint: typeHint } = normalizeType(schema.type)
+  if (normalizedType) {
+    result.type = normalizedType
+  }
+  if (typeHint) {
+    result.description = appendHint(result.description || '', typeHint)
+  }
+
+  if (result.enum && result.enum.length > 1 && result.enum.length <= 10) {
+    const list = result.enum.map((item) => String(item)).join(', ')
+    result.description = appendHint(result.description || '', `Allowed: ${list}`)
+  }
+
+  if (constraintHints.length) {
+    result.description = appendHint(result.description || '', constraintHints.join(', '))
+  }
+
+  // additionalProperties：Gemini/Antigravity 不接受布尔值，直接删除并用 hint 记录
+  if (schema.additionalProperties === false) {
+    result.description = appendHint(result.description || '', 'No extra properties allowed')
+  }
+
+  // properties
+  if (
+    schema.properties &&
+    typeof schema.properties === 'object' &&
+    !Array.isArray(schema.properties)
+  ) {
+    const props = {}
+    for (const [name, propSchema] of Object.entries(schema.properties)) {
+      props[name] = cleanJsonSchemaForGemini(propSchema)
+    }
+    result.type = result.type || 'object'
+    result.properties = props
+  }
+
+  // items
+  if (schema.items !== undefined) {
+    result.type = result.type || 'array'
+    result.items = cleanJsonSchemaForGemini(schema.items)
+  }
+
+  // required（最后再清理无效字段）
+  if (Array.isArray(schema.required) && result.properties) {
+    const req = schema.required.filter(
+      (r) =>
+        typeof r === 'string' && r && Object.prototype.hasOwnProperty.call(result.properties, r)
+    )
+    if (req.length) {
+      result.required = req
+    }
+  }
+
+  // 只保留 Gemini 兼容字段：其他（$schema/$id/$defs/definitions/format/constraints/pattern...）一律丢弃
+
+  if (!result.type) {
+    result.type = result.properties ? 'object' : result.items ? 'array' : 'object'
+  }
+  if (result.type === 'object' && !result.properties) {
+    result.properties = {}
+  }
+  return result
+}
+
+module.exports = {
+  cleanJsonSchemaForGemini
+}
--- a/src/utils/modelHelper.js
+++ b/src/utils/modelHelper.js
@@ -5,6 +5,10 @@
 * Supports parsing model strings like "ccr,model_name" to extract vendor type and base model.
 */

+// 仅保留原仓库既有的模型前缀：CCR 路由
+// Gemini/Antigravity 采用“路径分流”，避免在 model 字段里混入 vendor 前缀造成混乱
+const SUPPORTED_VENDOR_PREFIXES = ['ccr']
+
 /**
 * Parse vendor-prefixed model string
 * @param {string} modelStr - Model string, potentially with vendor prefix (e.g., "ccr,gemini-2.5-pro")
@@ -19,16 +23,21 @@ function parseVendorPrefixedModel(modelStr) {
  const trimmed = modelStr.trim()
  const lowerTrimmed = trimmed.toLowerCase()

-  // Check for ccr prefix (case insensitive)
-  if (lowerTrimmed.startsWith('ccr,')) {
+  for (const vendorPrefix of SUPPORTED_VENDOR_PREFIXES) {
+    if (!lowerTrimmed.startsWith(`${vendorPrefix},`)) {
+      continue
+    }
+
    const parts = trimmed.split(',')
-    if (parts.length >= 2) {
-      // Extract base model (everything after the first comma, rejoined in case model name contains commas)
-      const baseModel = parts.slice(1).join(',').trim()
-      return {
-        vendor: 'ccr',
-        baseModel
-      }
+    if (parts.length < 2) {
+      break
+    }
+
+    // Extract base model (everything after the first comma, rejoined in case model name contains commas)
+    const baseModel = parts.slice(1).join(',').trim()
+    return {
+      vendor: vendorPrefix,
+      baseModel
    }
  }

--- a/src/utils/projectPaths.js
+++ b/src/utils/projectPaths.js
@@ -0,0 +1,10 @@
+const path = require('path')
+
+// 该文件位于 src/utils 下，向上两级即项目根目录。
+function getProjectRoot() {
+  return path.resolve(__dirname, '..', '..')
+}
+
+module.exports = {
+  getProjectRoot
+}
--- a/src/validators/clients/claudeCodeValidator.js
+++ b/src/validators/clients/claudeCodeValidator.js
@@ -62,12 +62,17 @@ class ClaudeCodeValidator {

    for (const entry of systemEntries) {
      const rawText = typeof entry?.text === 'string' ? entry.text : ''
-      const { bestScore } = bestSimilarityByTemplates(rawText)
+      const { bestScore, templateId, maskedRaw } = bestSimilarityByTemplates(rawText)
      if (bestScore < threshold) {
        logger.error(
          `Claude system prompt similarity below threshold: score=${bestScore.toFixed(4)}, threshold=${threshold}`
        )
-        logger.warn(`Claude system prompt detail: ${rawText}`)
+        const preview = typeof maskedRaw === 'string' ? maskedRaw.slice(0, 200) : ''
+        logger.warn(
+          `Claude system prompt detail: templateId=${templateId || 'unknown'}, preview=${preview}${
+            maskedRaw && maskedRaw.length > 200 ? '…' : ''
+          }`
+        )
        return false
      }
    }
--- a/src/validators/clients/codexCliValidator.js
+++ b/src/validators/clients/codexCliValidator.js
@@ -125,8 +125,12 @@ class CodexCliValidator {
      const part1 = parts1[i] || 0
      const part2 = parts2[i] || 0

-      if (part1 < part2) return -1
-      if (part1 > part2) return 1
+      if (part1 < part2) {
+        return -1
+      }
+      if (part1 > part2) {
+        return 1
+      }
    }

    return 0
--- a/src/validators/clients/geminiCliValidator.js
+++ b/src/validators/clients/geminiCliValidator.js
@@ -53,7 +53,7 @@ class GeminiCliValidator {
      // 2. 对于 /gemini 路径，检查是否包含 generateContent
      if (path.includes('generateContent')) {
        // 包含 generateContent 的路径需要验证 User-Agent
-        const geminiCliPattern = /^GeminiCLI\/v?[\d\.]+/i
+        const geminiCliPattern = /^GeminiCLI\/v?[\d.]+/i
        if (!geminiCliPattern.test(userAgent)) {
          logger.debug(
            `Gemini CLI validation failed - UA mismatch for generateContent: ${userAgent}`
@@ -84,8 +84,12 @@ class GeminiCliValidator {
      const part1 = parts1[i] || 0
      const part2 = parts2[i] || 0

-      if (part1 < part2) return -1
-      if (part1 > part2) return 1
+      if (part1 < part2) {
+        return -1
+      }
+      if (part1 > part2) {
+        return 1
+      }
    }

    return 0
--- a/tests/accountBalanceService.test.js
+++ b/tests/accountBalanceService.test.js
@@ -0,0 +1,218 @@
+// Mock logger，避免测试输出污染控制台
+jest.mock('../src/utils/logger', () => ({
+  debug: jest.fn(),
+  info: jest.fn(),
+  warn: jest.fn(),
+  error: jest.fn()
+}))
+
+const accountBalanceServiceModule = require('../src/services/accountBalanceService')
+
+const { AccountBalanceService } = accountBalanceServiceModule
+
+describe('AccountBalanceService', () => {
+  const originalBalanceScriptEnabled = process.env.BALANCE_SCRIPT_ENABLED
+
+  afterEach(() => {
+    if (originalBalanceScriptEnabled === undefined) {
+      delete process.env.BALANCE_SCRIPT_ENABLED
+    } else {
+      process.env.BALANCE_SCRIPT_ENABLED = originalBalanceScriptEnabled
+    }
+  })
+
+  const mockLogger = {
+    debug: jest.fn(),
+    info: jest.fn(),
+    warn: jest.fn(),
+    error: jest.fn()
+  }
+
+  const buildMockRedis = () => ({
+    getLocalBalance: jest.fn().mockResolvedValue(null),
+    setLocalBalance: jest.fn().mockResolvedValue(undefined),
+    getAccountBalance: jest.fn().mockResolvedValue(null),
+    setAccountBalance: jest.fn().mockResolvedValue(undefined),
+    deleteAccountBalance: jest.fn().mockResolvedValue(undefined),
+    getBalanceScriptConfig: jest.fn().mockResolvedValue(null),
+    getAccountUsageStats: jest.fn().mockResolvedValue({
+      total: { requests: 10 },
+      daily: { requests: 2, cost: 20 },
+      monthly: { requests: 5 }
+    }),
+    getDateInTimezone: (date) => new Date(date.getTime() + 8 * 3600 * 1000)
+  })
+
+  it('should normalize platform aliases', () => {
+    const service = new AccountBalanceService({ redis: buildMockRedis(), logger: mockLogger })
+    expect(service.normalizePlatform('claude-official')).toBe('claude')
+    expect(service.normalizePlatform('azure-openai')).toBe('azure_openai')
+    expect(service.normalizePlatform('gemini-api')).toBe('gemini-api')
+  })
+
+  it('should build local quota/balance from dailyQuota and local dailyCost', async () => {
+    const mockRedis = buildMockRedis()
+    const service = new AccountBalanceService({ redis: mockRedis, logger: mockLogger })
+
+    service._computeMonthlyCost = jest.fn().mockResolvedValue(30)
+    service._computeTotalCost = jest.fn().mockResolvedValue(123.45)
+
+    const account = { id: 'acct-1', name: 'A', dailyQuota: '100', quotaResetTime: '00:00' }
+    const result = await service._getAccountBalanceForAccount(account, 'claude-console', {
+      queryApi: false,
+      useCache: true
+    })
+
+    expect(result.success).toBe(true)
+    expect(result.data.source).toBe('local')
+    expect(result.data.balance.amount).toBeCloseTo(80, 6)
+    expect(result.data.quota.percentage).toBeCloseTo(20, 6)
+    expect(result.data.statistics.totalCost).toBeCloseTo(123.45, 6)
+    expect(mockRedis.setLocalBalance).toHaveBeenCalled()
+  })
+
+  it('should use cached balance when account has no dailyQuota', async () => {
+    const mockRedis = buildMockRedis()
+    mockRedis.getAccountBalance.mockResolvedValue({
+      status: 'success',
+      balance: 12.34,
+      currency: 'USD',
+      quota: null,
+      errorMessage: '',
+      lastRefreshAt: '2025-01-01T00:00:00Z',
+      ttlSeconds: 120
+    })
+
+    const service = new AccountBalanceService({ redis: mockRedis, logger: mockLogger })
+    service._computeMonthlyCost = jest.fn().mockResolvedValue(0)
+    service._computeTotalCost = jest.fn().mockResolvedValue(0)
+
+    const account = { id: 'acct-2', name: 'B' }
+    const result = await service._getAccountBalanceForAccount(account, 'openai', {
+      queryApi: false,
+      useCache: true
+    })
+
+    expect(result.data.source).toBe('cache')
+    expect(result.data.balance.amount).toBeCloseTo(12.34, 6)
+    expect(result.data.lastRefreshAt).toBe('2025-01-01T00:00:00Z')
+  })
+
+  it('should not cache provider errors and fallback to local when queryApi=true', async () => {
+    const mockRedis = buildMockRedis()
+    const service = new AccountBalanceService({ redis: mockRedis, logger: mockLogger })
+
+    service._computeMonthlyCost = jest.fn().mockResolvedValue(0)
+    service._computeTotalCost = jest.fn().mockResolvedValue(0)
+
+    service.registerProvider('openai', {
+      queryBalance: () => {
+        throw new Error('boom')
+      }
+    })
+
+    const account = { id: 'acct-3', name: 'C' }
+    const result = await service._getAccountBalanceForAccount(account, 'openai', {
+      queryApi: true,
+      useCache: false
+    })
+
+    expect(mockRedis.setAccountBalance).not.toHaveBeenCalled()
+    expect(result.data.source).toBe('local')
+    expect(result.data.status).toBe('error')
+    expect(result.data.error).toBe('boom')
+  })
+
+  it('should ignore script config when balance script is disabled', async () => {
+    process.env.BALANCE_SCRIPT_ENABLED = 'false'
+
+    const mockRedis = buildMockRedis()
+    mockRedis.getBalanceScriptConfig.mockResolvedValue({
+      scriptBody: '({ request: { url: "http://example.com" }, extractor: function(){ return {} } })'
+    })
+
+    const service = new AccountBalanceService({ redis: mockRedis, logger: mockLogger })
+    service._computeMonthlyCost = jest.fn().mockResolvedValue(0)
+    service._computeTotalCost = jest.fn().mockResolvedValue(0)
+
+    const provider = { queryBalance: jest.fn().mockResolvedValue({ balance: 1, currency: 'USD' }) }
+    service.registerProvider('openai', provider)
+
+    const scriptSpy = jest.spyOn(service, '_getBalanceFromScript')
+
+    const account = { id: 'acct-script-off', name: 'S' }
+    const result = await service._getAccountBalanceForAccount(account, 'openai', {
+      queryApi: true,
+      useCache: false
+    })
+
+    expect(provider.queryBalance).toHaveBeenCalled()
+    expect(scriptSpy).not.toHaveBeenCalled()
+    expect(result.data.source).toBe('api')
+  })
+
+  it('should prefer script when configured and enabled', async () => {
+    process.env.BALANCE_SCRIPT_ENABLED = 'true'
+
+    const mockRedis = buildMockRedis()
+    mockRedis.getBalanceScriptConfig.mockResolvedValue({
+      scriptBody: '({ request: { url: "http://example.com" }, extractor: function(){ return {} } })'
+    })
+
+    const service = new AccountBalanceService({ redis: mockRedis, logger: mockLogger })
+    service._computeMonthlyCost = jest.fn().mockResolvedValue(0)
+    service._computeTotalCost = jest.fn().mockResolvedValue(0)
+
+    const provider = { queryBalance: jest.fn().mockResolvedValue({ balance: 2, currency: 'USD' }) }
+    service.registerProvider('openai', provider)
+
+    jest.spyOn(service, '_getBalanceFromScript').mockResolvedValue({
+      status: 'success',
+      balance: 3,
+      currency: 'USD',
+      quota: null,
+      queryMethod: 'script',
+      rawData: { ok: true },
+      lastRefreshAt: '2025-01-01T00:00:00Z',
+      errorMessage: ''
+    })
+
+    const account = { id: 'acct-script-on', name: 'T' }
+    const result = await service._getAccountBalanceForAccount(account, 'openai', {
+      queryApi: true,
+      useCache: false
+    })
+
+    expect(provider.queryBalance).not.toHaveBeenCalled()
+    expect(result.data.source).toBe('api')
+    expect(result.data.balance.amount).toBeCloseTo(3, 6)
+    expect(result.data.lastRefreshAt).toBe('2025-01-01T00:00:00Z')
+  })
+
+  it('should count low balance once per account in summary', async () => {
+    const mockRedis = buildMockRedis()
+    const service = new AccountBalanceService({ redis: mockRedis, logger: mockLogger })
+
+    service.getSupportedPlatforms = () => ['claude-console']
+    service.getAllAccountsByPlatform = async () => [{ id: 'acct-4', name: 'D' }]
+    service._getAccountBalanceForAccount = async () => ({
+      success: true,
+      data: {
+        accountId: 'acct-4',
+        platform: 'claude-console',
+        balance: { amount: 5, currency: 'USD', formattedAmount: '$5.00' },
+        quota: { percentage: 95 },
+        statistics: { totalCost: 1 },
+        source: 'local',
+        lastRefreshAt: '2025-01-01T00:00:00Z',
+        cacheExpiresAt: null,
+        status: 'success',
+        error: null
+      }
+    })
+
+    const summary = await service.getBalanceSummary()
+    expect(summary.lowBalanceCount).toBe(1)
+    expect(summary.platforms['claude-console'].lowBalanceCount).toBe(1)
+  })
+})
--- a/web/admin-spa/package-lock.json
+++ b/web/admin-spa/package-lock.json
@@ -15,6 +15,7 @@
        "element-plus": "^2.4.4",
        "pinia": "^2.1.7",
        "vue": "^3.3.4",
+        "vue-chartjs": "^5.3.3",
        "vue-router": "^4.2.5",
        "xlsx": "^0.18.5",
        "xlsx-js-style": "^1.2.0"
@@ -5131,6 +5132,16 @@
        }
      }
    },
+    "node_modules/vue-chartjs": {
+      "version": "5.3.3",
+      "resolved": "https://registry.npmjs.org/vue-chartjs/-/vue-chartjs-5.3.3.tgz",
+      "integrity": "sha512-jqxtL8KZ6YJ5NTv6XzrzLS7osyegOi28UGNZW0h9OkDL7Sh1396ht4Dorh04aKrl2LiSalQ84WtqiG0RIJb0tA==",
+      "license": "MIT",
+      "peerDependencies": {
+        "chart.js": "^4.1.1",
+        "vue": "^3.0.0-0 || ^2.7.0"
+      }
+    },
    "node_modules/vue-demi": {
      "version": "0.14.10",
      "resolved": "https://registry.npmmirror.com/vue-demi/-/vue-demi-0.14.10.tgz",
--- a/web/admin-spa/package.json
+++ b/web/admin-spa/package.json
@@ -18,6 +18,7 @@
    "element-plus": "^2.4.4",
    "pinia": "^2.1.7",
    "vue": "^3.3.4",
+    "vue-chartjs": "^5.3.3",
    "vue-router": "^4.2.5",
    "xlsx": "^0.18.5",
    "xlsx-js-style": "^1.2.0"
--- a/web/admin-spa/src/components/accounts/AccountBalanceScriptModal.vue
+++ b/web/admin-spa/src/components/accounts/AccountBalanceScriptModal.vue
@@ -0,0 +1,302 @@
+<template>
+  <el-dialog
+    :append-to-body="true"
+    class="balance-script-dialog"
+    :close-on-click-modal="false"
+    :destroy-on-close="true"
+    :model-value="show"
+    :title="`配置余额脚本 - ${account?.name || ''}`"
+    top="5vh"
+    width="720px"
+    @close="emitClose"
+  >
+    <div class="space-y-4">
+      <div class="grid gap-3 md:grid-cols-2">
+        <div class="space-y-2">
+          <label class="text-sm font-medium text-gray-700 dark:text-gray-200">API Key</label>
+          <input v-model="form.apiKey" class="input-text" placeholder="access token / key" />
+        </div>
+        <div class="space-y-2">
+          <label class="text-sm font-medium text-gray-700 dark:text-gray-200"
+            >请求地址（baseUrl）</label
+          >
+          <input v-model="form.baseUrl" class="input-text" placeholder="https://api.example.com" />
+        </div>
+        <div class="space-y-2">
+          <label class="text-sm font-medium text-gray-700 dark:text-gray-200">Token（可选）</label>
+          <input v-model="form.token" class="input-text" placeholder="Bearer token" />
+        </div>
+        <div class="space-y-2">
+          <label class="text-sm font-medium text-gray-700 dark:text-gray-200"
+            >额外参数 (extra / userId)</label
+          >
+          <input v-model="form.extra" class="input-text" placeholder="用户ID等" />
+        </div>
+        <div class="space-y-2">
+          <label class="text-sm font-medium text-gray-700 dark:text-gray-200">超时时间(秒)</label>
+          <input v-model.number="form.timeoutSeconds" class="input-text" min="1" type="number" />
+        </div>
+        <div class="space-y-2">
+          <label class="text-sm font-medium text-gray-700 dark:text-gray-200"
+            >自动查询间隔(分钟)</label
+          >
+          <input
+            v-model.number="form.autoIntervalMinutes"
+            class="input-text"
+            min="0"
+            type="number"
+          />
+          <p class="text-xs text-gray-500 dark:text-gray-400">0 表示仅手动刷新</p>
+        </div>
+        <div class="text-xs text-gray-500 dark:text-gray-400 md:col-span-2">
+          可用变量：{{ '{' }}{{ '{' }}baseUrl{{ '}' }}{{ '}' }}、{{ '{' }}{{ '{' }}apiKey{{ '}'
+          }}{{ '}' }}、{{ '{' }}{{ '{' }}token{{ '}' }}{{ '}' }}、{{ '{' }}{{ '{' }}accountId{{ '}'
+          }}{{ '}' }}、{{ '{' }}{{ '{' }}platform{{ '}' }}{{ '}' }}、{{ '{' }}{{ '{' }}extra{{ '}'
+          }}{{ '}' }}
+        </div>
+      </div>
+
+      <div>
+        <div class="mb-2 flex items-center justify-between">
+          <div class="text-sm font-semibold text-gray-800 dark:text-gray-100">提取器代码</div>
+          <button
+            class="rounded bg-gray-200 px-2 py-1 text-xs dark:bg-gray-700"
+            @click="applyPreset"
+          >
+            使用示例
+          </button>
+        </div>
+        <textarea
+          v-model="form.scriptBody"
+          class="min-h-[260px] w-full rounded-xl bg-gray-900 font-mono text-sm text-gray-100 shadow-inner focus:outline-none focus:ring-2 focus:ring-indigo-500"
+          spellcheck="false"
+        ></textarea>
+        <div class="mt-1 text-xs text-gray-500 dark:text-gray-400">
+          extractor 可返回：isValid、invalidMessage、remaining、unit、planName、total、used、extra
+        </div>
+      </div>
+
+      <div v-if="testResult" class="rounded-lg bg-gray-50 p-3 text-sm dark:bg-gray-800/60">
+        <div class="flex items-center justify-between">
+          <span class="font-semibold">测试结果</span>
+          <span
+            :class="[
+              'rounded px-2 py-0.5 text-xs',
+              testResult.mapped?.status === 'success'
+                ? 'bg-emerald-100 text-emerald-700 dark:bg-emerald-900/40 dark:text-emerald-200'
+                : 'bg-red-100 text-red-700 dark:bg-red-900/40 dark:text-red-200'
+            ]"
+          >
+            {{ testResult.mapped?.status || 'unknown' }}
+          </span>
+        </div>
+        <div class="mt-2 text-xs text-gray-600 dark:text-gray-300">
+          <div>余额: {{ displayAmount(testResult.mapped?.balance) }}</div>
+          <div>单位: {{ testResult.mapped?.currency || '—' }}</div>
+          <div v-if="testResult.mapped?.planName">套餐: {{ testResult.mapped.planName }}</div>
+          <div v-if="testResult.mapped?.errorMessage" class="text-red-500">
+            错误: {{ testResult.mapped.errorMessage }}
+          </div>
+        </div>
+        <details class="text-xs text-gray-500 dark:text-gray-400">
+          <summary class="cursor-pointer">查看 extractor 输出</summary>
+          <pre class="mt-1 whitespace-pre-wrap break-all">{{
+            formatJson(testResult.extracted)
+          }}</pre>
+        </details>
+        <details class="text-xs text-gray-500 dark:text-gray-400">
+          <summary class="cursor-pointer">查看原始响应</summary>
+          <pre class="mt-1 whitespace-pre-wrap break-all">{{
+            formatJson(testResult.response)
+          }}</pre>
+        </details>
+      </div>
+    </div>
+
+    <template #footer>
+      <div class="flex items-center gap-2">
+        <el-button :loading="testing" @click="testScript">测试脚本</el-button>
+        <el-button :loading="saving" type="primary" @click="saveConfig">保存配置</el-button>
+        <el-button @click="emitClose">取消</el-button>
+      </div>
+    </template>
+  </el-dialog>
+</template>
+
+<script setup>
+import { reactive, ref, watch } from 'vue'
+import { apiClient } from '@/config/api'
+import { showToast } from '@/utils/toast'
+
+const props = defineProps({
+  show: { type: Boolean, default: false },
+  account: { type: Object, default: () => ({}) }
+})
+
+const emit = defineEmits(['close', 'saved'])
+
+const saving = ref(false)
+const testing = ref(false)
+const testResult = ref(null)
+
+const presetScript = `({
+  request: {
+    url: "{{baseUrl}}/api/user/self",
+    method: "GET",
+    headers: {
+      "Content-Type": "application/json",
+      "Authorization": "Bearer {{apiKey}}",
+      "New-Api-User": "{{extra}}"
+    }
+  },
+  extractor: function (response) {
+    if (response && response.success && response.data) {
+      const quota = response.data.quota || 0;
+      const used = response.data.used_quota || 0;
+      return {
+        planName: response.data.group || "默认套餐",
+        remaining: quota / 500000,
+        used: used / 500000,
+        total: (quota + used) / 500000,
+        unit: "USD"
+      };
+    }
+    return {
+      isValid: false,
+      invalidMessage: (response && response.message) || "查询失败"
+    };
+  }
+})`
+
+const form = reactive({
+  baseUrl: '',
+  apiKey: '',
+  token: '',
+  extra: '',
+  timeoutSeconds: 10,
+  autoIntervalMinutes: 0,
+  scriptBody: ''
+})
+
+const buildDefaultForm = () => ({
+  baseUrl: '',
+  apiKey: '',
+  token: '',
+  extra: '',
+  timeoutSeconds: 10,
+  autoIntervalMinutes: 0,
+  // 默认给出示例脚本，字段保持清空，避免“上一个账户的配置污染当前账户”
+  scriptBody: presetScript
+})
+
+const emitClose = () => emit('close')
+
+const resetForm = () => {
+  Object.assign(form, buildDefaultForm())
+  testResult.value = null
+  saving.value = false
+  testing.value = false
+}
+
+const loadConfig = async () => {
+  if (!props.account?.id || !props.account?.platform) return
+  try {
+    const res = await apiClient.get(
+      `/admin/accounts/${props.account.id}/balance/script?platform=${props.account.platform}`
+    )
+    if (res?.success && res.data) {
+      Object.assign(form, res.data)
+    }
+  } catch (error) {
+    showToast('加载脚本配置失败', 'error')
+  }
+}
+
+const saveConfig = async () => {
+  if (!props.account?.id || !props.account?.platform) return
+  saving.value = true
+  try {
+    await apiClient.put(
+      `/admin/accounts/${props.account.id}/balance/script?platform=${props.account.platform}`,
+      { ...form }
+    )
+    showToast('已保存', 'success')
+    emit('saved')
+  } catch (error) {
+    showToast(error.message || '保存失败', 'error')
+  } finally {
+    saving.value = false
+  }
+}
+
+const testScript = async () => {
+  if (!props.account?.id || !props.account?.platform) return
+  testing.value = true
+  testResult.value = null
+  try {
+    const res = await apiClient.post(
+      `/admin/accounts/${props.account.id}/balance/script/test?platform=${props.account.platform}`,
+      { ...form }
+    )
+    if (res?.success) {
+      testResult.value = res.data
+      showToast('测试完成', 'success')
+    } else {
+      showToast(res?.error || '测试失败', 'error')
+    }
+  } catch (error) {
+    showToast(error.message || '测试失败', 'error')
+  } finally {
+    testing.value = false
+  }
+}
+
+const applyPreset = () => {
+  form.scriptBody = presetScript
+}
+
+const displayAmount = (val) => {
+  if (val === null || val === undefined || Number.isNaN(Number(val))) return '—'
+  return Number(val).toFixed(2)
+}
+
+const formatJson = (data) => {
+  try {
+    return JSON.stringify(data, null, 2)
+  } catch (error) {
+    return String(data)
+  }
+}
+
+watch(
+  () => props.show,
+  (val) => {
+    if (val) {
+      resetForm()
+      loadConfig()
+    }
+  }
+)
+</script>
+
+<style scoped>
+:deep(.balance-script-dialog) {
+  max-height: 90vh;
+  display: flex;
+  flex-direction: column;
+}
+
+:deep(.balance-script-dialog .el-dialog__body) {
+  flex: 1 1 auto;
+  min-height: 0;
+  overflow: auto;
+}
+
+:deep(.balance-script-dialog .el-dialog__footer) {
+  border-top: 1px solid rgba(229, 231, 235, 0.7);
+}
+
+.input-text {
+  @apply w-full rounded-lg border border-gray-200 bg-white px-3 py-2 text-sm text-gray-800 shadow-sm transition focus:border-indigo-400 focus:outline-none focus:ring-2 focus:ring-indigo-200 dark:border-gray-700 dark:bg-gray-800 dark:text-gray-100 dark:focus:border-indigo-500 dark:focus:ring-indigo-600;
+}
+</style>
--- a/web/admin-spa/src/components/accounts/AccountForm.vue
+++ b/web/admin-spa/src/components/accounts/AccountForm.vue
@@ -477,6 +477,36 @@
                          <i class="fas fa-check text-xs text-white"></i>
                        </div>
                      </label>
+                      <label
+                        class="group relative flex cursor-pointer items-center rounded-md border p-2 transition-all"
+                        :class="[
+                          form.platform === 'gemini-antigravity'
+                            ? 'border-purple-500 bg-purple-50 dark:border-purple-400 dark:bg-purple-900/30'
+                            : 'border-gray-300 bg-white hover:border-purple-400 hover:bg-purple-50/50 dark:border-gray-600 dark:bg-gray-700 dark:hover:border-purple-500 dark:hover:bg-purple-900/20'
+                        ]"
+                      >
+                        <input
+                          v-model="form.platform"
+                          class="sr-only"
+                          type="radio"
+                          value="gemini-antigravity"
+                        />
+                        <div class="flex items-center gap-2">
+                          <i class="fas fa-rocket text-sm text-purple-600 dark:text-purple-400"></i>
+                          <div>
+                            <span class="block text-xs font-medium text-gray-900 dark:text-gray-100"
+                              >Antigravity</span
+                            >
+                            <span class="text-xs text-gray-500 dark:text-gray-400">OAuth</span>
+                          </div>
+                        </div>
+                        <div
+                          v-if="form.platform === 'gemini-antigravity'"
+                          class="absolute right-1 top-1 flex h-4 w-4 items-center justify-center rounded-full bg-purple-500"
+                        >
+                          <i class="fas fa-check text-xs text-white"></i>
+                        </div>
+                      </label>

                      <label
                        class="group relative flex cursor-pointer items-center rounded-md border p-2 transition-all"
@@ -772,7 +802,7 @@
            </div>

            <!-- Gemini 项目 ID 字段 -->
-            <div v-if="form.platform === 'gemini'">
+            <div v-if="form.platform === 'gemini' || form.platform === 'gemini-antigravity'">
              <label class="mb-3 block text-sm font-semibold text-gray-700 dark:text-gray-300"
                >项目 ID (可选)</label
              >
@@ -1824,7 +1854,7 @@
                    Token，建议也一并填写以支持自动刷新。
                  </p>
                  <p
-                    v-else-if="form.platform === 'gemini'"
+                    v-else-if="form.platform === 'gemini' || form.platform === 'gemini-antigravity'"
                    class="mb-2 text-sm text-blue-800 dark:text-blue-300"
                  >
                    请输入有效的 Gemini Access Token。如果您有 Refresh
@@ -1861,7 +1891,9 @@
                      文件中的凭证， 请勿使用 Claude 官网 API Keys 页面的密钥。
                    </p>
                    <p
-                      v-else-if="form.platform === 'gemini'"
+                      v-else-if="
+                        form.platform === 'gemini' || form.platform === 'gemini-antigravity'
+                      "
                      class="text-xs text-blue-800 dark:text-blue-300"
                    >
                      请从已登录 Gemini CLI 的机器上获取
@@ -2591,7 +2623,7 @@
          </div>

          <!-- Gemini 项目 ID 字段 -->
-          <div v-if="form.platform === 'gemini'">
+          <div v-if="form.platform === 'gemini' || form.platform === 'gemini-antigravity'">
            <label class="mb-3 block text-sm font-semibold text-gray-700 dark:text-gray-300"
              >项目 ID (可选)</label
            >
@@ -3880,7 +3912,7 @@ const determinePlatformGroup = (platform) => {
    return 'claude'
  } else if (['openai', 'openai-responses', 'azure_openai'].includes(platform)) {
    return 'openai'
-  } else if (['gemini', 'gemini-api'].includes(platform)) {
+  } else if (['gemini', 'gemini-antigravity', 'gemini-api'].includes(platform)) {
    return 'gemini'
  } else if (platform === 'droid') {
    return 'droid'
@@ -4015,7 +4047,8 @@ const form = ref({
  platform: props.account?.platform || 'claude',
  addType: (() => {
    const platform = props.account?.platform || 'claude'
-    if (platform === 'gemini' || platform === 'openai') return 'oauth'
+    if (platform === 'gemini' || platform === 'gemini-antigravity' || platform === 'openai')
+      return 'oauth'
    if (platform === 'claude') return 'oauth'
    return 'manual'
  })(),
@@ -4357,7 +4390,7 @@ const selectPlatformGroup = (group) => {
  } else if (group === 'openai') {
    form.value.platform = 'openai'
  } else if (group === 'gemini') {
-    form.value.platform = 'gemini'
+    form.value.platform = 'gemini' // Default to Gemini CLI, user can select Antigravity
  } else if (group === 'droid') {
    form.value.platform = 'droid'
  }
@@ -4394,7 +4427,11 @@ const nextStep = async () => {
  }

  // 对于Gemini账户，检查项目 ID
-  if (form.value.platform === 'gemini' && oauthStep.value === 1 && form.value.addType === 'oauth') {
+  if (
+    (form.value.platform === 'gemini' || form.value.platform === 'gemini-antigravity') &&
+    oauthStep.value === 1 &&
+    form.value.addType === 'oauth'
+  ) {
    if (!form.value.projectId || form.value.projectId.trim() === '') {
      // 使用自定义确认弹窗
      const confirmed = await showConfirm(
@@ -4767,9 +4804,14 @@ const handleOAuthSuccess = async (tokenInfoOrList) => {
        hasClaudePro: form.value.subscriptionType === 'claude_pro',
        manuallySet: true // 标记为手动设置
      }
-    } else if (currentPlatform === 'gemini') {
-      // Gemini使用geminiOauth字段
+    } else if (currentPlatform === 'gemini' || currentPlatform === 'gemini-antigravity') {
+      // Gemini/Antigravity使用geminiOauth字段
      data.geminiOauth = tokenInfo.tokens || tokenInfo
+      // 根据 platform 设置 oauthProvider
+      data.oauthProvider =
+        currentPlatform === 'gemini-antigravity'
+          ? 'antigravity'
+          : tokenInfo.oauthProvider || 'gemini-cli'
      if (form.value.projectId) {
        data.projectId = form.value.projectId
      }
@@ -5191,6 +5233,10 @@ const createAccount = async () => {
      data.rateLimitDuration = 60 // 默认值60，不从用户输入获取
      data.dailyQuota = form.value.dailyQuota || 0
      data.quotaResetTime = form.value.quotaResetTime || '00:00'
+    } else if (form.value.platform === 'gemini-antigravity') {
+      // Antigravity OAuth - set oauthProvider, submission happens below
+      data.oauthProvider = 'antigravity'
+      data.priority = form.value.priority || 50
    } else if (form.value.platform === 'gemini-api') {
      // Gemini API 账户特定数据
      data.baseUrl = form.value.baseUrl || 'https://generativelanguage.googleapis.com'
@@ -5242,7 +5288,7 @@ const createAccount = async () => {
      result = await accountsStore.createOpenAIAccount(data)
    } else if (form.value.platform === 'azure_openai') {
      result = await accountsStore.createAzureOpenAIAccount(data)
-    } else if (form.value.platform === 'gemini') {
+    } else if (form.value.platform === 'gemini' || form.value.platform === 'gemini-antigravity') {
      result = await accountsStore.createGeminiAccount(data)
    } else if (form.value.platform === 'gemini-api') {
      result = await accountsStore.createGeminiApiAccount(data)
--- a/web/admin-spa/src/components/accounts/BalanceDisplay.vue
+++ b/web/admin-spa/src/components/accounts/BalanceDisplay.vue
@@ -0,0 +1,281 @@
+<template>
+  <div class="min-w-[200px] space-y-1">
+    <div v-if="loading" class="flex items-center gap-2">
+      <i class="fas fa-spinner fa-spin text-gray-400 dark:text-gray-500"></i>
+      <span class="text-xs text-gray-500 dark:text-gray-400">加载中...</span>
+    </div>
+
+    <div v-else-if="requestError" class="flex items-center gap-2">
+      <i class="fas fa-exclamation-circle text-red-500"></i>
+      <span class="text-xs text-red-600 dark:text-red-400">{{ requestError }}</span>
+      <button
+        class="text-xs text-blue-500 hover:text-blue-600 dark:text-blue-400"
+        :disabled="refreshing"
+        @click="reload"
+      >
+        重试
+      </button>
+    </div>
+
+    <div v-else-if="balanceData" class="space-y-1">
+      <div v-if="balanceData.status === 'error' && balanceData.error" class="text-xs text-red-500">
+        {{ balanceData.error }}
+      </div>
+
+      <div class="flex items-center justify-between gap-2">
+        <div class="flex items-center gap-2">
+          <i
+            class="fas"
+            :class="
+              balanceData.balance
+                ? 'fa-wallet text-green-600 dark:text-green-400'
+                : 'fa-chart-line text-gray-500 dark:text-gray-400'
+            "
+          ></i>
+          <span class="text-sm font-semibold text-gray-900 dark:text-gray-100">
+            {{ primaryText }}
+          </span>
+          <span class="rounded px-1.5 py-0.5 text-xs" :class="sourceClass">
+            {{ sourceLabel }}
+          </span>
+        </div>
+
+        <button
+          v-if="!hideRefresh"
+          class="text-xs text-gray-500 hover:text-blue-600 disabled:cursor-not-allowed disabled:opacity-40 dark:text-gray-400 dark:hover:text-blue-400"
+          :disabled="refreshing || !canRefresh"
+          :title="refreshTitle"
+          @click="refresh"
+        >
+          <i class="fas fa-sync-alt" :class="{ 'fa-spin': refreshing }"></i>
+        </button>
+      </div>
+
+      <!-- 配额（如适用） -->
+      <div v-if="quotaInfo" class="space-y-1">
+        <div class="flex items-center justify-between text-xs text-gray-600 dark:text-gray-400">
+          <span>已用: {{ formatNumber(quotaInfo.used) }}</span>
+          <span>剩余: {{ formatNumber(quotaInfo.remaining) }}</span>
+        </div>
+        <div class="h-1.5 w-full rounded-full bg-gray-200 dark:bg-gray-700">
+          <div
+            class="h-1.5 rounded-full transition-all"
+            :class="quotaBarClass"
+            :style="{ width: `${Math.min(100, quotaInfo.percentage)}%` }"
+          ></div>
+        </div>
+        <div class="flex items-center justify-between text-xs">
+          <span class="text-gray-500 dark:text-gray-400">
+            {{ quotaInfo.percentage.toFixed(1) }}% 已使用
+          </span>
+          <span v-if="quotaInfo.resetAt" class="text-gray-400 dark:text-gray-500">
+            重置: {{ formatResetTime(quotaInfo.resetAt) }}
+          </span>
+        </div>
+      </div>
+
+      <div v-else-if="balanceData.quota?.unlimited" class="flex items-center gap-2">
+        <i class="fas fa-infinity text-blue-500 dark:text-blue-400"></i>
+        <span class="text-xs text-gray-600 dark:text-gray-400">无限制</span>
+      </div>
+
+      <div
+        v-if="balanceData.cacheExpiresAt && balanceData.source === 'cache'"
+        class="text-xs text-gray-400 dark:text-gray-500"
+      >
+        缓存至: {{ formatCacheExpiry(balanceData.cacheExpiresAt) }}
+      </div>
+    </div>
+
+    <div v-else class="text-xs text-gray-400 dark:text-gray-500">暂无余额数据</div>
+  </div>
+</template>
+
+<script setup>
+import { ref, computed, onMounted, watch } from 'vue'
+import { apiClient } from '@/config/api'
+
+const props = defineProps({
+  accountId: { type: String, required: true },
+  platform: { type: String, required: true },
+  initialBalance: { type: Object, default: null },
+  hideRefresh: { type: Boolean, default: false },
+  autoLoad: { type: Boolean, default: true }
+})
+
+const emit = defineEmits(['refreshed', 'error'])
+
+const balanceData = ref(props.initialBalance)
+const loading = ref(false)
+const refreshing = ref(false)
+const requestError = ref(null)
+
+const sourceClass = computed(() => {
+  const source = balanceData.value?.source
+  return {
+    'bg-blue-100 text-blue-700 dark:bg-blue-900/40 dark:text-blue-300': source === 'api',
+    'bg-gray-100 text-gray-600 dark:bg-gray-700/60 dark:text-gray-300': source === 'cache',
+    'bg-yellow-100 text-yellow-700 dark:bg-yellow-900/40 dark:text-yellow-300': source === 'local'
+  }
+})
+
+const sourceLabel = computed(() => {
+  const source = balanceData.value?.source
+  return { api: 'API', cache: '缓存', local: '本地' }[source] || '未知'
+})
+
+const quotaInfo = computed(() => {
+  const quota = balanceData.value?.quota
+  if (!quota || quota.unlimited) return null
+  if (typeof quota.percentage !== 'number' || !Number.isFinite(quota.percentage)) return null
+  return {
+    used: quota.used ?? 0,
+    remaining: quota.remaining ?? 0,
+    percentage: quota.percentage,
+    resetAt: quota.resetAt || null
+  }
+})
+
+const quotaBarClass = computed(() => {
+  const percentage = quotaInfo.value?.percentage || 0
+  if (percentage >= 90) return 'bg-red-500 dark:bg-red-600'
+  if (percentage >= 70) return 'bg-yellow-500 dark:bg-yellow-600'
+  return 'bg-green-500 dark:bg-green-600'
+})
+
+const canRefresh = computed(() => {
+  // 仅在“已启用脚本且该账户配置了脚本”时允许刷新，避免误导（非脚本 Provider 多为降级策略）
+  const data = balanceData.value
+  if (!data) return false
+  if (data.scriptEnabled === false) return false
+  return !!data.scriptConfigured
+})
+
+const refreshTitle = computed(() => {
+  if (refreshing.value) return '刷新中...'
+  if (!canRefresh.value) {
+    if (balanceData.value?.scriptEnabled === false) {
+      return '余额脚本功能已禁用'
+    }
+    return '请先配置余额脚本'
+  }
+  return '刷新余额（调用脚本配置的余额 API）'
+})
+
+const primaryText = computed(() => {
+  if (balanceData.value?.balance?.formattedAmount) {
+    return balanceData.value.balance.formattedAmount
+  }
+  const dailyCost = Number(balanceData.value?.statistics?.dailyCost || 0)
+  return `今日成本 ${formatCurrency(dailyCost)}`
+})
+
+const load = async () => {
+  if (!props.autoLoad) return
+  if (!props.accountId || !props.platform) return
+
+  loading.value = true
+  requestError.value = null
+
+  try {
+    const response = await apiClient.get(`/admin/accounts/${props.accountId}/balance`, {
+      params: { platform: props.platform, queryApi: false }
+    })
+    if (response?.success) {
+      balanceData.value = response.data
+    } else {
+      requestError.value = response?.error || '加载失败'
+    }
+  } catch (error) {
+    requestError.value = error.message || '网络错误'
+    emit('error', error)
+  } finally {
+    loading.value = false
+  }
+}
+
+const refresh = async () => {
+  if (!props.accountId || !props.platform) return
+  if (refreshing.value) return
+  if (!canRefresh.value) return
+
+  refreshing.value = true
+  requestError.value = null
+
+  try {
+    const response = await apiClient.post(`/admin/accounts/${props.accountId}/balance/refresh`, {
+      platform: props.platform
+    })
+    if (response?.success) {
+      balanceData.value = response.data
+      emit('refreshed', response.data)
+    } else {
+      requestError.value = response?.error || '刷新失败'
+    }
+  } catch (error) {
+    requestError.value = error.message || '网络错误'
+    emit('error', error)
+  } finally {
+    refreshing.value = false
+  }
+}
+
+const reload = async () => {
+  await load()
+}
+
+const formatNumber = (num) => {
+  if (num === Infinity) return '∞'
+  const value = Number(num)
+  if (!Number.isFinite(value)) return 'N/A'
+  return value.toLocaleString('zh-CN', { maximumFractionDigits: 2 })
+}
+
+const formatCurrency = (amount) => {
+  const value = Number(amount)
+  if (!Number.isFinite(value)) return '$0.00'
+  if (value >= 1) return `$${value.toFixed(2)}`
+  if (value >= 0.01) return `$${value.toFixed(3)}`
+  return `$${value.toFixed(6)}`
+}
+
+const formatResetTime = (isoString) => {
+  const date = new Date(isoString)
+  const now = new Date()
+  const diff = date.getTime() - now.getTime()
+  if (!Number.isFinite(diff)) return '未知'
+  if (diff < 0) return '已过期'
+
+  const minutes = Math.floor(diff / (1000 * 60))
+  const hours = Math.floor(minutes / 60)
+  const remainMinutes = minutes % 60
+  if (hours >= 24) {
+    const days = Math.floor(hours / 24)
+    return `${days}天后`
+  }
+  return `${hours}小时${remainMinutes}分钟`
+}
+
+const formatCacheExpiry = (isoString) => {
+  const date = new Date(isoString)
+  if (Number.isNaN(date.getTime())) return '未知'
+  return date.toLocaleTimeString('zh-CN', { hour: '2-digit', minute: '2-digit' })
+}
+
+watch(
+  () => props.initialBalance,
+  (newVal) => {
+    if (newVal) {
+      balanceData.value = newVal
+    }
+  }
+)
+
+onMounted(() => {
+  if (!props.initialBalance) {
+    load()
+  }
+})
+
+defineExpose({ refresh, reload })
+</script>
--- a/web/admin-spa/src/components/accounts/OAuthFlow.vue
+++ b/web/admin-spa/src/components/accounts/OAuthFlow.vue
@@ -303,6 +303,16 @@
              请按照以下步骤完成 Gemini 账户的授权：
            </p>

+            <!-- 授权来源显示（由平台类型决定） -->
+            <div class="mb-4">
+              <p class="text-sm text-green-800 dark:text-green-300">
+                <i class="fas fa-info-circle mr-1"></i>
+                授权类型：<span class="font-semibold">{{
+                  platform === 'gemini-antigravity' ? 'Antigravity OAuth' : 'Gemini CLI OAuth'
+                }}</span>
+              </p>
+            </div>
+
            <div class="space-y-4">
              <!-- 步骤1: 生成授权链接 -->
              <div
@@ -818,6 +828,13 @@ const exchanging = ref(false)
 const authUrl = ref('')
 const authCode = ref('')
 const copied = ref(false)
+// oauthProvider is now derived from platform prop
+const geminiOauthProvider = computed(() => {
+  if (props.platform === 'gemini-antigravity') {
+    return 'antigravity'
+  }
+  return 'gemini-cli'
+})
 const sessionId = ref('') // 保存sessionId用于后续交换
 const userCode = ref('')
 const verificationUri = ref('')
@@ -921,7 +938,11 @@ watch(authCode, (newValue) => {
        console.error('Failed to parse URL:', error)
        showToast('链接格式错误，请检查是否为完整的 URL', 'error')
      }
-    } else if (props.platform === 'gemini' || props.platform === 'openai') {
+    } else if (
+      props.platform === 'gemini' ||
+      props.platform === 'gemini-antigravity' ||
+      props.platform === 'openai'
+    ) {
      // Gemini 和 OpenAI 平台可能使用不同的回调URL
      // 尝试从任何URL中提取code参数
      try {
@@ -972,8 +993,11 @@ const generateAuthUrl = async () => {
      const result = await accountsStore.generateClaudeAuthUrl(proxyConfig)
      authUrl.value = result.authUrl
      sessionId.value = result.sessionId
-    } else if (props.platform === 'gemini') {
-      const result = await accountsStore.generateGeminiAuthUrl(proxyConfig)
+    } else if (props.platform === 'gemini' || props.platform === 'gemini-antigravity') {
+      const result = await accountsStore.generateGeminiAuthUrl({
+        ...proxyConfig,
+        oauthProvider: geminiOauthProvider.value
+      })
      authUrl.value = result.authUrl
      sessionId.value = result.sessionId
    } else if (props.platform === 'openai') {
@@ -996,6 +1020,8 @@ const generateAuthUrl = async () => {
  }
 }

+// onGeminiOauthProviderChange removed - oauthProvider is now computed from platform
+
 // 重新生成授权URL
 const regenerateAuthUrl = () => {
  stopCountdown()
@@ -1079,11 +1105,12 @@ const exchangeCode = async () => {
        sessionId: sessionId.value,
        callbackUrl: authCode.value.trim()
      }
-    } else if (props.platform === 'gemini') {
-      // Gemini使用code和sessionId
+    } else if (props.platform === 'gemini' || props.platform === 'gemini-antigravity') {
+      // Gemini/Antigravity使用code和sessionId
      data = {
        code: authCode.value.trim(),
-        sessionId: sessionId.value
+        sessionId: sessionId.value,
+        oauthProvider: geminiOauthProvider.value
      }
    } else if (props.platform === 'openai') {
      // OpenAI使用code和sessionId
@@ -1111,8 +1138,12 @@ const exchangeCode = async () => {
    let tokenInfo
    if (props.platform === 'claude') {
      tokenInfo = await accountsStore.exchangeClaudeCode(data)
-    } else if (props.platform === 'gemini') {
+    } else if (props.platform === 'gemini' || props.platform === 'gemini-antigravity') {
      tokenInfo = await accountsStore.exchangeGeminiCode(data)
+      // 附加 oauthProvider 信息到 tokenInfo
+      if (tokenInfo) {
+        tokenInfo.oauthProvider = geminiOauthProvider.value
+      }
    } else if (props.platform === 'openai') {
      tokenInfo = await accountsStore.exchangeOpenAICode(data)
    } else if (props.platform === 'droid') {
--- a/web/admin-spa/src/components/apikeys/BatchEditApiKeyModal.vue
+++ b/web/admin-spa/src/components/apikeys/BatchEditApiKeyModal.vue
@@ -290,31 +290,79 @@
            <label class="mb-3 block text-sm font-semibold text-gray-700 dark:text-gray-300"
              >服务权限</label
            >
-            <div class="flex flex-wrap gap-4">
-              <label class="flex cursor-pointer items-center">
-                <input v-model="form.permissions" class="mr-2" type="radio" value="" />
-                <span class="text-sm text-gray-700">不修改</span>
-              </label>
-              <label class="flex cursor-pointer items-center">
-                <input v-model="form.permissions" class="mr-2" type="radio" value="all" />
-                <span class="text-sm text-gray-700">全部服务</span>
-              </label>
-              <label class="flex cursor-pointer items-center">
-                <input v-model="form.permissions" class="mr-2" type="radio" value="claude" />
-                <span class="text-sm text-gray-700">仅 Claude</span>
-              </label>
-              <label class="flex cursor-pointer items-center">
-                <input v-model="form.permissions" class="mr-2" type="radio" value="gemini" />
-                <span class="text-sm text-gray-700">仅 Gemini</span>
-              </label>
-              <label class="flex cursor-pointer items-center">
-                <input v-model="form.permissions" class="mr-2" type="radio" value="openai" />
-                <span class="text-sm text-gray-700">仅 OpenAI</span>
-              </label>
-              <label class="flex cursor-pointer items-center">
-                <input v-model="form.permissions" class="mr-2" type="radio" value="droid" />
-                <span class="text-sm text-gray-700">仅 Droid</span>
-              </label>
+            <div class="space-y-3">
+              <!-- 权限操作模式选择 -->
+              <div class="flex flex-wrap gap-4">
+                <label class="flex cursor-pointer items-center">
+                  <input
+                    v-model="permissionsOperation"
+                    class="mr-2 text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
+                    type="radio"
+                    value="none"
+                  />
+                  <span class="text-sm text-gray-700 dark:text-gray-300">不修改</span>
+                </label>
+                <label class="flex cursor-pointer items-center">
+                  <input
+                    v-model="permissionsOperation"
+                    class="mr-2 text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
+                    type="radio"
+                    value="all"
+                  />
+                  <span class="text-sm text-gray-700 dark:text-gray-300">全部服务</span>
+                </label>
+                <label class="flex cursor-pointer items-center">
+                  <input
+                    v-model="permissionsOperation"
+                    class="mr-2 text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
+                    type="radio"
+                    value="custom"
+                  />
+                  <span class="text-sm text-gray-700 dark:text-gray-300">自定义选择</span>
+                </label>
+              </div>
+              <!-- 自定义选择时显示复选框 -->
+              <div v-if="permissionsOperation === 'custom'" class="flex flex-wrap gap-4 pl-6">
+                <label class="flex cursor-pointer items-center">
+                  <input
+                    v-model="form.permissions"
+                    class="mr-2 rounded text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
+                    type="checkbox"
+                    value="claude"
+                  />
+                  <span class="text-sm text-gray-700 dark:text-gray-300">Claude</span>
+                </label>
+                <label class="flex cursor-pointer items-center">
+                  <input
+                    v-model="form.permissions"
+                    class="mr-2 rounded text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
+                    type="checkbox"
+                    value="gemini"
+                  />
+                  <span class="text-sm text-gray-700 dark:text-gray-300">Gemini</span>
+                </label>
+                <label class="flex cursor-pointer items-center">
+                  <input
+                    v-model="form.permissions"
+                    class="mr-2 rounded text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
+                    type="checkbox"
+                    value="openai"
+                  />
+                  <span class="text-sm text-gray-700 dark:text-gray-300">OpenAI</span>
+                </label>
+                <label class="flex cursor-pointer items-center">
+                  <input
+                    v-model="form.permissions"
+                    class="mr-2 rounded text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
+                    type="checkbox"
+                    value="droid"
+                  />
+                  <span class="text-sm text-gray-700 dark:text-gray-300">Droid</span>
+                </label>
+              </div>
+              <p class="text-xs text-gray-500 dark:text-gray-400">
+                选择"全部服务"表示允许访问所有服务，"自定义选择"可以选择多个特定服务
+              </p>
            </div>
          </div>

@@ -494,6 +542,7 @@ const localAccounts = ref({
 const newTag = ref('')
 const availableTags = ref([])
 const tagOperation = ref('none') // 'replace', 'add', 'remove', 'none'
+const permissionsOperation = ref('none') // 'none', 'all', 'custom'

 const selectedCount = computed(() => props.selectedKeys.length)

@@ -511,7 +560,7 @@ const form = reactive({
  dailyCostLimit: '',
  totalCostLimit: '',
  weeklyOpusCostLimit: '', // 新增Opus周费用限制
-  permissions: '', // 空字符串表示不修改
+  permissions: [], // 数组格式，用于多选
  claudeAccountId: '',
  geminiAccountId: '',
  openaiAccountId: '',
@@ -547,9 +596,15 @@ const bedrockAccountSelectorValue = createAccountSelectorModel('bedrockAccountId
 const droidAccountSelectorValue = createAccountSelectorModel('droidAccountId')

 const isServiceSelectable = (service) => {
-  if (!form.permissions) return true
-  if (form.permissions === 'all') return true
-  return form.permissions === service
+  // 不修改权限时，所有服务都可选
+  if (permissionsOperation.value === 'none') return true
+  // 全部服务时，所有服务都可选
+  if (permissionsOperation.value === 'all') return true
+  // 自定义选择时，根据选择的权限判断
+  if (permissionsOperation.value === 'custom') {
+    return form.permissions.length === 0 || form.permissions.includes(service)
+  }
+  return true
 }

 // 标签管理方法
@@ -737,8 +792,14 @@ const batchUpdateApiKeys = async () => {
    }

    // 权限设置
-    if (form.permissions !== '') {
-      updates.permissions = form.permissions
+    if (permissionsOperation.value !== 'none') {
+      if (permissionsOperation.value === 'all') {
+        // 全部服务：发送空数组
+        updates.permissions = []
+      } else if (permissionsOperation.value === 'custom') {
+        // 自定义选择：发送选中的权限数组
+        updates.permissions = form.permissions
+      }
    }

    // 账户绑定
--- a/web/admin-spa/src/components/apikeys/CreateApiKeyModal.vue
+++ b/web/admin-spa/src/components/apikeys/CreateApiKeyModal.vue
@@ -579,55 +579,46 @@
            <label class="mb-2 block text-sm font-semibold text-gray-700 dark:text-gray-300"
              >服务权限</label
            >
-            <div class="flex gap-4">
+            <div class="flex flex-wrap gap-4">
              <label class="flex cursor-pointer items-center">
                <input
                  v-model="form.permissions"
-                  class="mr-2 text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
-                  type="radio"
-                  value="all"
-                />
-                <span class="text-sm text-gray-700 dark:text-gray-300">全部服务</span>
-              </label>
-              <label class="flex cursor-pointer items-center">
-                <input
-                  v-model="form.permissions"
-                  class="mr-2 text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
-                  type="radio"
+                  class="mr-2 rounded text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
+                  type="checkbox"
                  value="claude"
                />
-                <span class="text-sm text-gray-700 dark:text-gray-300">仅 Claude</span>
+                <span class="text-sm text-gray-700 dark:text-gray-300">Claude</span>
              </label>
              <label class="flex cursor-pointer items-center">
                <input
                  v-model="form.permissions"
-                  class="mr-2 text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
-                  type="radio"
+                  class="mr-2 rounded text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
+                  type="checkbox"
                  value="gemini"
                />
-                <span class="text-sm text-gray-700 dark:text-gray-300">仅 Gemini</span>
+                <span class="text-sm text-gray-700 dark:text-gray-300">Gemini</span>
              </label>
              <label class="flex cursor-pointer items-center">
                <input
                  v-model="form.permissions"
-                  class="mr-2 text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
-                  type="radio"
+                  class="mr-2 rounded text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
+                  type="checkbox"
                  value="openai"
                />
-                <span class="text-sm text-gray-700 dark:text-gray-300">仅 OpenAI</span>
+                <span class="text-sm text-gray-700 dark:text-gray-300">OpenAI</span>
              </label>
              <label class="flex cursor-pointer items-center">
                <input
                  v-model="form.permissions"
-                  class="mr-2 text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
-                  type="radio"
+                  class="mr-2 rounded text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
+                  type="checkbox"
                  value="droid"
                />
-                <span class="text-sm text-gray-700 dark:text-gray-300">仅 Droid</span>
+                <span class="text-sm text-gray-700 dark:text-gray-300">Droid</span>
              </label>
            </div>
            <p class="mt-2 text-xs text-gray-500 dark:text-gray-400">
-              控制此 API Key 可以访问哪些服务
+              不选择任何服务表示允许访问全部服务
            </p>
          </div>

@@ -662,7 +653,7 @@
                  v-model="form.claudeAccountId"
                  :accounts="localAccounts.claude"
                  default-option-text="使用共享账号池"
-                  :disabled="form.permissions !== 'all' && form.permissions !== 'claude'"
+                  :disabled="form.permissions.length > 0 && !form.permissions.includes('claude')"
                  :groups="localAccounts.claudeGroups"
                  placeholder="请选择Claude账号"
                  platform="claude"
@@ -676,7 +667,7 @@
                  v-model="form.geminiAccountId"
                  :accounts="localAccounts.gemini"
                  default-option-text="使用共享账号池"
-                  :disabled="form.permissions !== 'all' && form.permissions !== 'gemini'"
+                  :disabled="form.permissions.length > 0 && !form.permissions.includes('gemini')"
                  :groups="localAccounts.geminiGroups"
                  placeholder="请选择Gemini账号"
                  platform="gemini"
@@ -690,7 +681,7 @@
                  v-model="form.openaiAccountId"
                  :accounts="localAccounts.openai"
                  default-option-text="使用共享账号池"
-                  :disabled="form.permissions !== 'all' && form.permissions !== 'openai'"
+                  :disabled="form.permissions.length > 0 && !form.permissions.includes('openai')"
                  :groups="localAccounts.openaiGroups"
                  placeholder="请选择OpenAI账号"
                  platform="openai"
@@ -704,7 +695,7 @@
                  v-model="form.bedrockAccountId"
                  :accounts="localAccounts.bedrock"
                  default-option-text="使用共享账号池"
-                  :disabled="form.permissions !== 'all' && form.permissions !== 'openai'"
+                  :disabled="form.permissions.length > 0 && !form.permissions.includes('claude')"
                  :groups="[]"
                  placeholder="请选择Bedrock账号"
                  platform="bedrock"
@@ -718,7 +709,7 @@
                  v-model="form.droidAccountId"
                  :accounts="localAccounts.droid"
                  default-option-text="使用共享账号池"
-                  :disabled="form.permissions !== 'all' && form.permissions !== 'droid'"
+                  :disabled="form.permissions.length > 0 && !form.permissions.includes('droid')"
                  :groups="localAccounts.droidGroups"
                  placeholder="请选择Droid账号"
                  platform="droid"
@@ -966,7 +957,7 @@ const form = reactive({
  expirationMode: 'fixed', // 过期模式：fixed(固定) 或 activation(激活)
  activationDays: 30, // 激活后有效天数
  activationUnit: 'days', // 激活时间单位：hours 或 days
-  permissions: 'all',
+  permissions: [], // 数组格式，空数组表示全部服务
  claudeAccountId: '',
  geminiAccountId: '',
  openaiAccountId: '',
--- a/web/admin-spa/src/components/apikeys/EditApiKeyModal.vue
+++ b/web/admin-spa/src/components/apikeys/EditApiKeyModal.vue
@@ -412,55 +412,46 @@
            <label class="mb-3 block text-sm font-semibold text-gray-700 dark:text-gray-300"
              >服务权限</label
            >
-            <div class="flex gap-4">
+            <div class="flex flex-wrap gap-4">
              <label class="flex cursor-pointer items-center">
                <input
                  v-model="form.permissions"
-                  class="mr-2 text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
-                  type="radio"
-                  value="all"
-                />
-                <span class="text-sm text-gray-700 dark:text-gray-300">全部服务</span>
-              </label>
-              <label class="flex cursor-pointer items-center">
-                <input
-                  v-model="form.permissions"
-                  class="mr-2 text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
-                  type="radio"
+                  class="mr-2 rounded text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
+                  type="checkbox"
                  value="claude"
                />
-                <span class="text-sm text-gray-700 dark:text-gray-300">仅 Claude</span>
+                <span class="text-sm text-gray-700 dark:text-gray-300">Claude</span>
              </label>
              <label class="flex cursor-pointer items-center">
                <input
                  v-model="form.permissions"
-                  class="mr-2 text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
-                  type="radio"
+                  class="mr-2 rounded text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
+                  type="checkbox"
                  value="gemini"
                />
-                <span class="text-sm text-gray-700 dark:text-gray-300">仅 Gemini</span>
+                <span class="text-sm text-gray-700 dark:text-gray-300">Gemini</span>
              </label>
              <label class="flex cursor-pointer items-center">
                <input
                  v-model="form.permissions"
-                  class="mr-2 text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
-                  type="radio"
+                  class="mr-2 rounded text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
+                  type="checkbox"
                  value="openai"
                />
-                <span class="text-sm text-gray-700 dark:text-gray-300">仅 OpenAI</span>
+                <span class="text-sm text-gray-700 dark:text-gray-300">OpenAI</span>
              </label>
              <label class="flex cursor-pointer items-center">
                <input
                  v-model="form.permissions"
-                  class="mr-2 text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
-                  type="radio"
+                  class="mr-2 rounded text-blue-600 focus:ring-blue-500 dark:border-gray-600 dark:bg-gray-700"
+                  type="checkbox"
                  value="droid"
                />
-                <span class="text-sm text-gray-700 dark:text-gray-300">仅 Droid</span>
+                <span class="text-sm text-gray-700 dark:text-gray-300">Droid</span>
              </label>
            </div>
            <p class="mt-2 text-xs text-gray-500 dark:text-gray-400">
-              控制此 API Key 可以访问哪些服务
+              不选择任何服务表示允许访问全部服务
            </p>
          </div>

@@ -495,7 +486,7 @@
                  v-model="form.claudeAccountId"
                  :accounts="localAccounts.claude"
                  default-option-text="使用共享账号池"
-                  :disabled="form.permissions !== 'all' && form.permissions !== 'claude'"
+                  :disabled="form.permissions.length > 0 && !form.permissions.includes('claude')"
                  :groups="localAccounts.claudeGroups"
                  placeholder="请选择Claude账号"
                  platform="claude"
@@ -509,7 +500,7 @@
                  v-model="form.geminiAccountId"
                  :accounts="localAccounts.gemini"
                  default-option-text="使用共享账号池"
-                  :disabled="form.permissions !== 'all' && form.permissions !== 'gemini'"
+                  :disabled="form.permissions.length > 0 && !form.permissions.includes('gemini')"
                  :groups="localAccounts.geminiGroups"
                  placeholder="请选择Gemini账号"
                  platform="gemini"
@@ -523,7 +514,7 @@
                  v-model="form.openaiAccountId"
                  :accounts="localAccounts.openai"
                  default-option-text="使用共享账号池"
-                  :disabled="form.permissions !== 'all' && form.permissions !== 'openai'"
+                  :disabled="form.permissions.length > 0 && !form.permissions.includes('openai')"
                  :groups="localAccounts.openaiGroups"
                  placeholder="请选择OpenAI账号"
                  platform="openai"
@@ -537,7 +528,7 @@
                  v-model="form.bedrockAccountId"
                  :accounts="localAccounts.bedrock"
                  default-option-text="使用共享账号池"
-                  :disabled="form.permissions !== 'all' && form.permissions !== 'openai'"
+                  :disabled="form.permissions.length > 0 && !form.permissions.includes('claude')"
                  :groups="[]"
                  placeholder="请选择Bedrock账号"
                  platform="bedrock"
@@ -551,7 +542,7 @@
                  v-model="form.droidAccountId"
                  :accounts="localAccounts.droid"
                  default-option-text="使用共享账号池"
-                  :disabled="form.permissions !== 'all' && form.permissions !== 'droid'"
+                  :disabled="form.permissions.length > 0 && !form.permissions.includes('droid')"
                  :groups="localAccounts.droidGroups"
                  placeholder="请选择Droid账号"
                  platform="droid"
@@ -800,7 +791,7 @@ const form = reactive({
  dailyCostLimit: '',
  totalCostLimit: '',
  weeklyOpusCostLimit: '',
-  permissions: 'all',
+  permissions: [], // 数组格式，空数组表示全部服务
  claudeAccountId: '',
  geminiAccountId: '',
  openaiAccountId: '',
@@ -1241,7 +1232,71 @@ onMounted(async () => {
  form.dailyCostLimit = props.apiKey.dailyCostLimit || ''
  form.totalCostLimit = props.apiKey.totalCostLimit || ''
  form.weeklyOpusCostLimit = props.apiKey.weeklyOpusCostLimit || ''
-  form.permissions = props.apiKey.permissions || 'all'
+  // 处理权限数据，兼容旧格式（字符串）和新格式（数组）
+  const perms = props.apiKey.permissions
+  if (Array.isArray(perms)) {
+    // 过滤掉损坏的数据（如 "claude,droid" 这种逗号分隔的字符串）
+    const validPerms = ['claude', 'gemini', 'openai', 'droid']
+    const cleaned = []
+    for (const p of perms) {
+      if (validPerms.includes(p)) {
+        cleaned.push(p)
+      } else if (typeof p === 'string' && p.includes(',')) {
+        // 处理逗号分隔的旧格式
+        const parts = p.split(',').map((s) => s.trim())
+        for (const part of parts) {
+          if (validPerms.includes(part) && !cleaned.includes(part)) {
+            cleaned.push(part)
+          }
+        }
+      }
+    }
+    form.permissions = cleaned
+  } else if (perms === 'all' || !perms) {
+    form.permissions = []
+  } else if (typeof perms === 'string') {
+    // 尝试解析 JSON 数组字符串（如 "[]" 或 '["claude","gemini"]'）
+    if (perms.startsWith('[')) {
+      try {
+        const parsed = JSON.parse(perms)
+        if (Array.isArray(parsed)) {
+          // 递归处理解析后的数组
+          const validPerms = ['claude', 'gemini', 'openai', 'droid']
+          const cleaned = []
+          for (const p of parsed) {
+            if (validPerms.includes(p)) {
+              cleaned.push(p)
+            } else if (typeof p === 'string' && p.includes(',')) {
+              const parts = p.split(',').map((s) => s.trim())
+              for (const part of parts) {
+                if (validPerms.includes(part) && !cleaned.includes(part)) {
+                  cleaned.push(part)
+                }
+              }
+            }
+          }
+          form.permissions = cleaned
+        } else {
+          form.permissions = []
+        }
+      } catch (e) {
+        // 解析失败，尝试按逗号分隔处理
+        const validPerms = ['claude', 'gemini', 'openai', 'droid']
+        const parts = perms.split(',').map((s) => s.trim())
+        form.permissions = parts.filter((p) => validPerms.includes(p))
+      }
+    } else if (perms.includes(',')) {
+      // 逗号分隔的旧格式
+      const validPerms = ['claude', 'gemini', 'openai', 'droid']
+      const parts = perms.split(',').map((s) => s.trim())
+      form.permissions = parts.filter((p) => validPerms.includes(p))
+    } else {
+      const validPerms = ['claude', 'gemini', 'openai', 'droid']
+      form.permissions = validPerms.includes(perms) ? [perms] : []
+    }
+  } else {
+    form.permissions = []
+  }
  // 处理 Claude 账号（区分 OAuth 和 Console）
  if (props.apiKey.claudeConsoleAccountId) {
    form.claudeAccountId = `console:${props.apiKey.claudeConsoleAccountId}`
--- a/web/admin-spa/src/components/common/PublicStatsOverview.vue
+++ b/web/admin-spa/src/components/common/PublicStatsOverview.vue
@@ -0,0 +1,750 @@
+<template>
+  <div v-if="authStore.publicStats" class="public-stats-overview">
+    <!-- 顶部状态栏：服务状态 + 平台可用性 -->
+    <div class="header-section">
+      <div class="flex items-center gap-2">
+        <div
+          class="status-badge"
+          :class="{
+            'status-healthy': authStore.publicStats.serviceStatus === 'healthy',
+            'status-degraded': authStore.publicStats.serviceStatus === 'degraded'
+          }"
+        >
+          <span class="status-dot"></span>
+          <span class="status-text">{{
+            authStore.publicStats.serviceStatus === 'healthy' ? '服务正常' : '服务降级'
+          }}</span>
+        </div>
+        <span class="text-xs text-gray-500 dark:text-gray-400">
+          运行 {{ formatUptime(authStore.publicStats.uptime) }}
+        </span>
+      </div>
+      <div class="flex flex-wrap justify-center gap-2 md:justify-end">
+        <div
+          v-for="(available, platform) in authStore.publicStats.platforms"
+          :key="platform"
+          class="platform-badge"
+          :class="{ available: available, unavailable: !available }"
+        >
+          <i class="mr-1" :class="getPlatformIcon(platform)"></i>
+          <span>{{ getPlatformName(platform) }}</span>
+        </div>
+      </div>
+    </div>
+
+    <!-- 主内容区：今日统计 + 模型分布 -->
+    <div class="main-content">
+      <!-- 左侧：今日统计 -->
+      <div class="stats-section">
+        <div class="section-title-left">今日统计</div>
+        <div class="stats-grid">
+          <div class="stat-item">
+            <div class="stat-value">
+              {{ formatNumber(authStore.publicStats.todayStats.requests) }}
+            </div>
+            <div class="stat-label">请求数</div>
+          </div>
+          <div class="stat-item">
+            <div class="stat-value">
+              {{ formatTokens(authStore.publicStats.todayStats.tokens) }}
+            </div>
+            <div class="stat-label">Tokens</div>
+          </div>
+          <div class="stat-item">
+            <div class="stat-value">
+              {{ formatTokens(authStore.publicStats.todayStats.inputTokens) }}
+            </div>
+            <div class="stat-label">输入</div>
+          </div>
+          <div class="stat-item">
+            <div class="stat-value">
+              {{ formatTokens(authStore.publicStats.todayStats.outputTokens) }}
+            </div>
+            <div class="stat-label">输出</div>
+          </div>
+        </div>
+      </div>
+
+      <!-- 右侧：模型使用分布 -->
+      <div
+        v-if="
+          authStore.publicStats.showOptions?.modelDistribution &&
+          authStore.publicStats.modelDistribution?.length > 0
+        "
+        class="model-section"
+      >
+        <div class="section-title-left">
+          模型使用分布
+          <span class="period-label">{{
+            formatPeriodLabel(authStore.publicStats.modelDistributionPeriod)
+          }}</span>
+        </div>
+        <div class="model-chart-container">
+          <Doughnut :data="modelChartData" :options="modelChartOptions" />
+        </div>
+      </div>
+    </div>
+
+    <!-- 趋势图表（三合一双Y轴折线图） -->
+    <div v-if="hasAnyTrendData" class="chart-section">
+      <div class="section-title-left">使用趋势（近7天）</div>
+      <div class="chart-container">
+        <Line :data="chartData" :options="chartOptions" />
+      </div>
+      <!-- 图例 -->
+      <div class="chart-legend">
+        <div v-if="authStore.publicStats.showOptions?.tokenTrends" class="legend-item">
+          <span class="legend-dot legend-tokens"></span>
+          <span class="legend-text">Tokens</span>
+        </div>
+        <div v-if="authStore.publicStats.showOptions?.apiKeysTrends" class="legend-item">
+          <span class="legend-dot legend-keys"></span>
+          <span class="legend-text">活跃 Keys</span>
+        </div>
+        <div v-if="authStore.publicStats.showOptions?.accountTrends" class="legend-item">
+          <span class="legend-dot legend-accounts"></span>
+          <span class="legend-text">活跃账号</span>
+        </div>
+      </div>
+    </div>
+
+    <!-- 暂无趋势数据 -->
+    <div v-else-if="hasTrendOptionsEnabled" class="empty-state">
+      <i class="fas fa-chart-line empty-icon"></i>
+      <p class="empty-text">暂无趋势数据</p>
+      <p class="empty-hint">数据将在有请求后自动更新</p>
+    </div>
+  </div>
+
+  <!-- 加载状态 -->
+  <div v-else-if="authStore.publicStatsLoading" class="public-stats-loading">
+    <div class="loading-spinner"></div>
+  </div>
+
+  <!-- 无数据状态 -->
+  <div v-else class="public-stats-empty">
+    <i class="fas fa-chart-pie empty-icon"></i>
+    <p class="empty-text">暂无统计数据</p>
+  </div>
+</template>
+
+<script setup>
+import { computed } from 'vue'
+import { useAuthStore } from '@/stores/auth'
+import { Line, Doughnut } from 'vue-chartjs'
+import {
+  Chart as ChartJS,
+  CategoryScale,
+  LinearScale,
+  PointElement,
+  LineElement,
+  ArcElement,
+  Title,
+  Tooltip,
+  Legend,
+  Filler
+} from 'chart.js'
+
+// 注册 Chart.js 组件
+ChartJS.register(
+  CategoryScale,
+  LinearScale,
+  PointElement,
+  LineElement,
+  ArcElement,
+  Title,
+  Tooltip,
+  Legend,
+  Filler
+)
+
+const authStore = useAuthStore()
+
+// 检查是否有任何趋势选项启用
+const hasTrendOptionsEnabled = computed(() => {
+  const opts = authStore.publicStats?.showOptions
+  return opts?.tokenTrends || opts?.apiKeysTrends || opts?.accountTrends
+})
+
+// 检查是否有实际趋势数据
+const hasAnyTrendData = computed(() => {
+  const stats = authStore.publicStats
+  if (!stats) return false
+
+  const opts = stats.showOptions || {}
+  const hasTokens = opts.tokenTrends && stats.tokenTrends?.length > 0
+  const hasKeys = opts.apiKeysTrends && stats.apiKeysTrends?.length > 0
+  const hasAccounts = opts.accountTrends && stats.accountTrends?.length > 0
+
+  return hasTokens || hasKeys || hasAccounts
+})
+
+// 模型分布颜色
+const modelColors = [
+  'rgb(99, 102, 241)', // indigo
+  'rgb(59, 130, 246)', // blue
+  'rgb(16, 185, 129)', // emerald
+  'rgb(245, 158, 11)', // amber
+  'rgb(239, 68, 68)', // red
+  'rgb(139, 92, 246)', // violet
+  'rgb(236, 72, 153)', // pink
+  'rgb(20, 184, 166)' // teal
+]
+
+// 模型分布环形图数据
+const modelChartData = computed(() => {
+  const stats = authStore.publicStats
+  if (!stats?.modelDistribution?.length) {
+    return { labels: [], datasets: [] }
+  }
+
+  const models = stats.modelDistribution
+  return {
+    labels: models.map((m) => formatModelName(m.model)),
+    datasets: [
+      {
+        data: models.map((m) => m.percentage),
+        backgroundColor: models.map((_, i) => modelColors[i % modelColors.length]),
+        borderColor: 'transparent',
+        borderWidth: 0,
+        hoverOffset: 4
+      }
+    ]
+  }
+})
+
+// 模型分布环形图选项
+const modelChartOptions = computed(() => {
+  const isDark = document.documentElement.classList.contains('dark')
+  const textColor = isDark ? 'rgb(156, 163, 175)' : 'rgb(107, 114, 128)'
+
+  return {
+    responsive: true,
+    maintainAspectRatio: false,
+    cutout: '60%',
+    plugins: {
+      legend: {
+        position: 'right',
+        labels: {
+          color: textColor,
+          padding: 12,
+          usePointStyle: true,
+          pointStyle: 'circle',
+          font: {
+            size: 11
+          },
+          generateLabels: (chart) => {
+            const data = chart.data
+            if (data.labels.length && data.datasets.length) {
+              return data.labels.map((label, i) => ({
+                text: `${label} ${data.datasets[0].data[i]}%`,
+                fillStyle: data.datasets[0].backgroundColor[i],
+                strokeStyle: 'transparent',
+                lineWidth: 0,
+                pointStyle: 'circle',
+                hidden: false,
+                index: i
+              }))
+            }
+            return []
+          }
+        }
+      },
+      tooltip: {
+        backgroundColor: isDark ? 'rgba(31, 41, 55, 0.95)' : 'rgba(255, 255, 255, 0.95)',
+        titleColor: isDark ? 'rgb(243, 244, 246)' : 'rgb(17, 24, 39)',
+        bodyColor: isDark ? 'rgb(209, 213, 219)' : 'rgb(75, 85, 99)',
+        borderColor: isDark ? 'rgba(75, 85, 99, 0.3)' : 'rgba(209, 213, 219, 0.5)',
+        borderWidth: 1,
+        padding: 10,
+        cornerRadius: 8,
+        callbacks: {
+          label: (context) => {
+            return ` ${context.label}: ${context.parsed}%`
+          }
+        }
+      }
+    }
+  }
+})
+
+// 趋势图表数据
+const chartData = computed(() => {
+  const stats = authStore.publicStats
+  if (!stats) return { labels: [], datasets: [] }
+
+  const opts = stats.showOptions || {}
+
+  // 获取日期标签（优先使用 tokenTrends）
+  const labels =
+    stats.tokenTrends?.map((t) => formatDateShort(t.date)) ||
+    stats.apiKeysTrends?.map((t) => formatDateShort(t.date)) ||
+    stats.accountTrends?.map((t) => formatDateShort(t.date)) ||
+    []
+
+  const datasets = []
+
+  // Token 趋势（左Y轴）
+  if (opts.tokenTrends && stats.tokenTrends?.length > 0) {
+    datasets.push({
+      label: 'Tokens',
+      data: stats.tokenTrends.map((t) => t.tokens),
+      borderColor: 'rgb(59, 130, 246)',
+      backgroundColor: 'rgba(59, 130, 246, 0.1)',
+      yAxisID: 'y',
+      tension: 0.3,
+      fill: true,
+      pointRadius: 3,
+      pointHoverRadius: 5
+    })
+  }
+
+  // API Keys 趋势（右Y轴）
+  if (opts.apiKeysTrends && stats.apiKeysTrends?.length > 0) {
+    datasets.push({
+      label: '活跃 Keys',
+      data: stats.apiKeysTrends.map((t) => t.activeKeys),
+      borderColor: 'rgb(34, 197, 94)',
+      backgroundColor: 'rgba(34, 197, 94, 0.1)',
+      yAxisID: 'y1',
+      tension: 0.3,
+      fill: false,
+      pointRadius: 3,
+      pointHoverRadius: 5
+    })
+  }
+
+  // 账号趋势（右Y轴）
+  if (opts.accountTrends && stats.accountTrends?.length > 0) {
+    datasets.push({
+      label: '活跃账号',
+      data: stats.accountTrends.map((t) => t.activeAccounts),
+      borderColor: 'rgb(168, 85, 247)',
+      backgroundColor: 'rgba(168, 85, 247, 0.1)',
+      yAxisID: 'y1',
+      tension: 0.3,
+      fill: false,
+      pointRadius: 3,
+      pointHoverRadius: 5
+    })
+  }
+
+  return { labels, datasets }
+})
+
+// 图表配置
+const chartOptions = computed(() => {
+  const isDark = document.documentElement.classList.contains('dark')
+  const textColor = isDark ? 'rgba(156, 163, 175, 1)' : 'rgba(107, 114, 128, 1)'
+  const gridColor = isDark ? 'rgba(75, 85, 99, 0.3)' : 'rgba(229, 231, 235, 0.8)'
+
+  return {
+    responsive: true,
+    maintainAspectRatio: false,
+    interaction: {
+      mode: 'index',
+      intersect: false
+    },
+    plugins: {
+      legend: {
+        display: false
+      },
+      tooltip: {
+        backgroundColor: isDark ? 'rgba(31, 41, 55, 0.9)' : 'rgba(255, 255, 255, 0.9)',
+        titleColor: isDark ? '#e5e7eb' : '#1f2937',
+        bodyColor: isDark ? '#d1d5db' : '#4b5563',
+        borderColor: isDark ? 'rgba(75, 85, 99, 0.5)' : 'rgba(229, 231, 235, 1)',
+        borderWidth: 1,
+        padding: 10,
+        displayColors: true,
+        callbacks: {
+          label: function (context) {
+            let label = context.dataset.label || ''
+            if (label) {
+              label += ': '
+            }
+            if (context.dataset.yAxisID === 'y') {
+              label += formatTokens(context.parsed.y)
+            } else {
+              label += context.parsed.y
+            }
+            return label
+          }
+        }
+      }
+    },
+    scales: {
+      x: {
+        grid: {
+          color: gridColor,
+          drawBorder: false
+        },
+        ticks: {
+          color: textColor,
+          font: {
+            size: 10
+          }
+        }
+      },
+      y: {
+        type: 'linear',
+        display: true,
+        position: 'left',
+        min: 0,
+        beginAtZero: true,
+        title: {
+          display: true,
+          text: 'Tokens',
+          color: 'rgb(59, 130, 246)',
+          font: {
+            size: 10
+          }
+        },
+        grid: {
+          color: gridColor,
+          drawBorder: false
+        },
+        ticks: {
+          color: textColor,
+          font: {
+            size: 10
+          },
+          callback: function (value) {
+            return formatTokensShort(value)
+          }
+        }
+      },
+      y1: {
+        type: 'linear',
+        display: true,
+        position: 'right',
+        min: 0,
+        beginAtZero: true,
+        title: {
+          display: true,
+          text: '数量',
+          color: 'rgb(34, 197, 94)',
+          font: {
+            size: 10
+          }
+        },
+        grid: {
+          drawOnChartArea: false
+        },
+        ticks: {
+          color: textColor,
+          font: {
+            size: 10
+          },
+          stepSize: 1
+        }
+      }
+    }
+  }
+})
+
+// 格式化运行时间
+function formatUptime(seconds) {
+  const days = Math.floor(seconds / 86400)
+  const hours = Math.floor((seconds % 86400) / 3600)
+  const minutes = Math.floor((seconds % 3600) / 60)
+
+  if (days > 0) {
+    return `${days}天 ${hours}小时`
+  } else if (hours > 0) {
+    return `${hours}小时 ${minutes}分钟`
+  } else {
+    return `${minutes}分钟`
+  }
+}
+
+// 格式化数字
+function formatNumber(num) {
+  if (num >= 1000000) {
+    return (num / 1000000).toFixed(1) + 'M'
+  } else if (num >= 1000) {
+    return (num / 1000).toFixed(1) + 'K'
+  }
+  return num.toString()
+}
+
+// 格式化 tokens
+function formatTokens(tokens) {
+  if (tokens >= 1000000000) {
+    return (tokens / 1000000000).toFixed(2) + 'B'
+  } else if (tokens >= 1000000) {
+    return (tokens / 1000000).toFixed(2) + 'M'
+  } else if (tokens >= 1000) {
+    return (tokens / 1000).toFixed(1) + 'K'
+  }
+  return tokens.toString()
+}
+
+// 格式化 tokens（简短版，用于Y轴）
+function formatTokensShort(tokens) {
+  if (tokens >= 1000000000) {
+    return (tokens / 1000000000).toFixed(0) + 'B'
+  } else if (tokens >= 1000000) {
+    return (tokens / 1000000).toFixed(0) + 'M'
+  } else if (tokens >= 1000) {
+    return (tokens / 1000).toFixed(0) + 'K'
+  }
+  return tokens.toString()
+}
+
+// 格式化时间范围标签
+function formatPeriodLabel(period) {
+  const labels = {
+    today: '今天',
+    '24h': '过去24小时',
+    '7d': '过去7天',
+    '30d': '过去30天',
+    all: '全部'
+  }
+  return labels[period] || labels['today']
+}
+
+// 获取平台图标
+function getPlatformIcon(platform) {
+  const icons = {
+    claude: 'fas fa-robot',
+    gemini: 'fas fa-gem',
+    bedrock: 'fab fa-aws',
+    droid: 'fas fa-microchip'
+  }
+  return icons[platform] || 'fas fa-server'
+}
+
+// 获取平台名称
+function getPlatformName(platform) {
+  const names = {
+    claude: 'Claude',
+    gemini: 'Gemini',
+    bedrock: 'Bedrock',
+    droid: 'Droid'
+  }
+  return names[platform] || platform
+}
+
+// 格式化模型名称
+function formatModelName(model) {
+  if (!model) return 'Unknown'
+  // 简化长模型名称
+  const parts = model.split('-')
+  if (parts.length > 2) {
+    return parts.slice(0, 2).join('-')
+  }
+  return model
+}
+
+// 格式化日期（短格式）
+function formatDateShort(dateStr) {
+  if (!dateStr) return ''
+  const parts = dateStr.split('-')
+  if (parts.length === 3) {
+    return `${parts[1]}/${parts[2]}`
+  }
+  return dateStr
+}
+</script>
+
+<style scoped>
+.public-stats-overview {
+  @apply rounded-xl border border-gray-200/50 bg-white/80 p-4 backdrop-blur-sm dark:border-gray-700/50 dark:bg-gray-800/80 md:p-6;
+  animation: fadeIn 0.3s ease-out;
+}
+
+@keyframes fadeIn {
+  from {
+    opacity: 0;
+    transform: translateY(10px);
+  }
+  to {
+    opacity: 1;
+    transform: translateY(0);
+  }
+}
+
+/* 顶部状态栏 */
+.header-section {
+  @apply mb-4 flex flex-col items-center justify-between gap-3 border-b border-gray-200 pb-4 dark:border-gray-700 md:mb-6 md:flex-row md:pb-6;
+}
+
+/* 主内容区 */
+.main-content {
+  @apply grid gap-4 md:grid-cols-2 md:gap-6;
+}
+
+/* 统计区块 */
+.stats-section {
+  @apply rounded-lg bg-gray-50/50 p-4 dark:bg-gray-700/30;
+}
+
+/* 模型区块 */
+.model-section {
+  @apply rounded-lg bg-gray-50/50 p-4 dark:bg-gray-700/30;
+}
+
+/* 图表区块 */
+.chart-section {
+  @apply mt-4 rounded-lg bg-gray-50/50 p-4 dark:bg-gray-700/30 md:mt-6;
+}
+
+/* 章节标题（居中） */
+.section-title {
+  @apply mb-2 text-center text-xs text-gray-600 dark:text-gray-400;
+}
+
+/* 章节标题（左对齐） */
+.section-title-left {
+  @apply mb-3 text-sm font-medium text-gray-700 dark:text-gray-300;
+}
+
+/* 时间范围标签 */
+.period-label {
+  @apply ml-1 rounded bg-gray-200 px-1.5 py-0.5 text-[10px] font-normal text-gray-500 dark:bg-gray-600 dark:text-gray-400;
+}
+
+/* 状态徽章 */
+.status-badge {
+  @apply inline-flex items-center gap-1.5 rounded-full px-3 py-1 text-xs font-medium;
+}
+
+.status-healthy {
+  @apply bg-green-100 text-green-700 dark:bg-green-900/30 dark:text-green-400;
+}
+
+.status-degraded {
+  @apply bg-yellow-100 text-yellow-700 dark:bg-yellow-900/30 dark:text-yellow-400;
+}
+
+.status-dot {
+  @apply inline-block h-2 w-2 rounded-full;
+}
+
+.status-healthy .status-dot {
+  @apply bg-green-500;
+  animation: pulse 2s infinite;
+}
+
+.status-degraded .status-dot {
+  @apply bg-yellow-500;
+  animation: pulse 1s infinite;
+}
+
+@keyframes pulse {
+  0%,
+  100% {
+    opacity: 1;
+  }
+  50% {
+    opacity: 0.5;
+  }
+}
+
+/* 平台徽章 */
+.platform-badge {
+  @apply inline-flex items-center rounded-full px-2.5 py-1 text-xs font-medium transition-all;
+}
+
+.platform-badge.available {
+  @apply bg-blue-100 text-blue-700 dark:bg-blue-900/30 dark:text-blue-400;
+}
+
+.platform-badge.unavailable {
+  @apply bg-gray-100 text-gray-400 line-through dark:bg-gray-800 dark:text-gray-600;
+}
+
+/* 统计网格 */
+.stats-grid {
+  @apply grid grid-cols-2 gap-3;
+}
+
+.stat-item {
+  @apply rounded-lg bg-white p-3 text-center shadow-sm dark:bg-gray-800/50;
+}
+
+.stat-value {
+  @apply text-lg font-bold text-gray-900 dark:text-gray-100 md:text-xl;
+}
+
+.stat-label {
+  @apply text-xs text-gray-500 dark:text-gray-400;
+}
+
+/* 模型分布环形图容器 */
+.model-chart-container {
+  height: 160px;
+}
+
+@media (min-width: 768px) {
+  .model-chart-container {
+    height: 180px;
+  }
+}
+
+/* 趋势图表容器 */
+.chart-container {
+  @apply rounded-lg bg-gray-50 p-3 dark:bg-gray-700/50;
+  height: 180px;
+}
+
+/* 图例 */
+.chart-legend {
+  @apply mt-2 flex flex-wrap items-center justify-center gap-4;
+}
+
+.legend-item {
+  @apply flex items-center gap-1.5;
+}
+
+.legend-dot {
+  @apply inline-block h-2.5 w-2.5 rounded-full;
+}
+
+.legend-tokens {
+  @apply bg-blue-500;
+}
+
+.legend-keys {
+  @apply bg-green-500;
+}
+
+.legend-accounts {
+  @apply bg-purple-500;
+}
+
+.legend-text {
+  @apply text-xs text-gray-600 dark:text-gray-400;
+}
+
+/* 空状态 */
+.empty-state {
+  @apply flex flex-col items-center justify-center rounded-lg bg-gray-50 py-6 dark:bg-gray-700/50;
+}
+
+.empty-icon {
+  @apply mb-2 text-2xl text-gray-400 dark:text-gray-500;
+}
+
+.empty-text {
+  @apply text-sm text-gray-500 dark:text-gray-400;
+}
+
+.empty-hint {
+  @apply mt-1 text-xs text-gray-400 dark:text-gray-500;
+}
+
+/* 加载状态 */
+.public-stats-loading {
+  @apply flex items-center justify-center py-8;
+}
+
+.public-stats-empty {
+  @apply flex flex-col items-center justify-center rounded-xl border border-gray-200/50 bg-white/80 py-8 backdrop-blur-sm dark:border-gray-700/50 dark:bg-gray-800/80;
+}
+
+.loading-spinner {
+  @apply h-6 w-6 animate-spin rounded-full border-2 border-blue-500 border-t-transparent;
+}
+</style>
--- a/web/admin-spa/src/stores/auth.js
+++ b/web/admin-spa/src/stores/auth.js
@@ -14,10 +14,15 @@ export const useAuthStore = defineStore('auth', () => {
    siteName: 'Claude Relay Service',
    siteIcon: '',
    siteIconData: '',
-    faviconData: ''
+    faviconData: '',
+    publicStatsEnabled: false
  })
  const oemLoading = ref(true)

+  // 公开统计数据
+  const publicStats = ref(null)
+  const publicStatsLoading = ref(false)
+
  // 计算属性
  const isAuthenticated = computed(() => !!authToken.value && isLoggedIn.value)
  const token = computed(() => authToken.value)
@@ -104,6 +109,11 @@ export const useAuthStore = defineStore('auth', () => {
        if (result.data.siteName) {
          document.title = `${result.data.siteName} - 管理后台`
        }
+
+        // 如果公开统计已启用，加载统计数据
+        if (result.data.publicStatsEnabled) {
+          loadPublicStats()
+        }
      }
    } catch (error) {
      console.error('加载OEM设置失败:', error)
@@ -112,6 +122,23 @@ export const useAuthStore = defineStore('auth', () => {
    }
  }

+  async function loadPublicStats() {
+    publicStatsLoading.value = true
+    try {
+      const result = await apiClient.get('/admin/public-stats')
+      if (result.success && result.enabled && result.data) {
+        publicStats.value = result.data
+      } else {
+        publicStats.value = null
+      }
+    } catch (error) {
+      console.error('加载公开统计失败:', error)
+      publicStats.value = null
+    } finally {
+      publicStatsLoading.value = false
+    }
+  }
+
  return {
    // 状态
    isLoggedIn,
@@ -121,6 +148,8 @@ export const useAuthStore = defineStore('auth', () => {
    loginLoading,
    oemSettings,
    oemLoading,
+    publicStats,
+    publicStatsLoading,

    // 计算属性
    isAuthenticated,
@@ -131,6 +160,7 @@ export const useAuthStore = defineStore('auth', () => {
    login,
    logout,
    checkAuth,
-    loadOemSettings
+    loadOemSettings,
+    loadPublicStats
  }
 })
--- a/web/admin-spa/src/stores/settings.js
+++ b/web/admin-spa/src/stores/settings.js
@@ -9,6 +9,12 @@ export const useSettingsStore = defineStore('settings', () => {
    siteIcon: '',
    siteIconData: '',
    showAdminButton: true, // 控制管理后台按钮的显示
+    publicStatsEnabled: false, // 是否在首页显示公开统计概览
+    publicStatsShowModelDistribution: true,
+    publicStatsModelDistributionPeriod: 'today', // 时间范围: today, 24h, 7d, 30d, all
+    publicStatsShowTokenTrends: false,
+    publicStatsShowApiKeysTrends: false,
+    publicStatsShowAccountTrends: false,
    updatedAt: null
  })

@@ -66,6 +72,7 @@ export const useSettingsStore = defineStore('settings', () => {
      siteIcon: '',
      siteIconData: '',
      showAdminButton: true,
+      publicStatsEnabled: false,
      updatedAt: null
    }

--- a/web/admin-spa/src/views/AccountsView.vue
+++ b/web/admin-spa/src/views/AccountsView.vue
@@ -141,6 +141,28 @@
              </el-tooltip>
            </div>

+            <!-- 刷新余额按钮 -->
+            <div class="relative">
+              <el-tooltip :content="refreshBalanceTooltip" effect="dark" placement="bottom">
+                <button
+                  class="group relative flex items-center justify-center gap-2 rounded-lg border border-gray-200 bg-white px-4 py-2 text-sm font-medium text-gray-700 shadow-sm transition-all duration-200 hover:border-gray-300 hover:shadow-md disabled:cursor-not-allowed disabled:opacity-50 dark:border-gray-600 dark:bg-gray-800 dark:text-gray-300 dark:hover:border-gray-500 sm:w-auto"
+                  :disabled="accountsLoading || refreshingBalances || !canRefreshVisibleBalances"
+                  @click="refreshVisibleBalances"
+                >
+                  <div
+                    class="absolute -inset-0.5 rounded-lg bg-gradient-to-r from-blue-500 to-indigo-500 opacity-0 blur transition duration-300 group-hover:opacity-20"
+                  ></div>
+                  <i
+                    :class="[
+                      'fas relative text-blue-500',
+                      refreshingBalances ? 'fa-spinner fa-spin' : 'fa-wallet'
+                    ]"
+                  />
+                  <span class="relative">刷新余额</span>
+                </button>
+              </el-tooltip>
+            </div>
+
            <!-- 选择/取消选择按钮 -->
            <button
              class="flex items-center gap-2 rounded-lg border border-gray-200 bg-white px-4 py-2 text-sm font-medium text-gray-700 shadow-sm transition-all duration-200 hover:border-gray-300 hover:bg-gray-50 hover:shadow-md dark:border-gray-600 dark:bg-gray-800 dark:text-gray-300 dark:hover:bg-gray-700"
@@ -263,6 +285,11 @@
                >
                  今日使用
                </th>
+                <th
+                  class="min-w-[220px] px-3 py-4 text-left text-xs font-bold uppercase tracking-wider text-gray-700 dark:text-gray-300"
+                >
+                  余额/配额
+                </th>
                <th
                  class="min-w-[210px] px-3 py-4 text-left text-xs font-bold uppercase tracking-wider text-gray-700 dark:text-gray-300"
                >
@@ -765,6 +792,23 @@
                  </div>
                  <div v-else class="text-xs text-gray-400">暂无数据</div>
                </td>
+                <td class="whitespace-nowrap px-3 py-4">
+                  <BalanceDisplay
+                    :account-id="account.id"
+                    :initial-balance="account.balanceInfo"
+                    :platform="account.platform"
+                    @error="(error) => handleBalanceError(account.id, error)"
+                    @refreshed="(data) => handleBalanceRefreshed(account.id, data)"
+                  />
+                  <div class="mt-1 text-xs">
+                    <button
+                      class="text-blue-500 hover:underline dark:text-blue-300"
+                      @click="openBalanceScriptModal(account)"
+                    >
+                      配置余额脚本
+                    </button>
+                  </div>
+                </td>
                <td class="whitespace-nowrap px-3 py-4">
                  <div v-if="account.platform === 'claude'" class="space-y-2">
                    <!-- OAuth 账户：显示三窗口 OAuth usage -->
@@ -1425,6 +1469,26 @@
            </div>
          </div>

+          <!-- 余额/配额 -->
+          <div class="mb-3">
+            <p class="mb-1 text-xs text-gray-500 dark:text-gray-400">余额/配额</p>
+            <BalanceDisplay
+              :account-id="account.id"
+              :initial-balance="account.balanceInfo"
+              :platform="account.platform"
+              @error="(error) => handleBalanceError(account.id, error)"
+              @refreshed="(data) => handleBalanceRefreshed(account.id, data)"
+            />
+            <div class="mt-1 text-xs">
+              <button
+                class="text-blue-500 hover:underline dark:text-blue-300"
+                @click="openBalanceScriptModal(account)"
+              >
+                配置余额脚本
+              </button>
+            </div>
+          </div>
+
          <!-- 状态信息 -->
          <div class="mb-3 space-y-2">
            <!-- 会话窗口 -->
@@ -1906,6 +1970,13 @@
      @saved="handleScheduledTestSaved"
    />

+    <AccountBalanceScriptModal
+      :account="selectedAccountForScript"
+      :show="showBalanceScriptModal"
+      @close="closeBalanceScriptModal"
+      @saved="handleBalanceScriptSaved"
+    />
+
    <!-- 账户统计弹窗 -->
    <el-dialog
      v-model="showAccountStatsModal"
@@ -2062,6 +2133,8 @@ import AccountScheduledTestModal from '@/components/accounts/AccountScheduledTes
 import ConfirmModal from '@/components/common/ConfirmModal.vue'
 import CustomDropdown from '@/components/common/CustomDropdown.vue'
 import ActionDropdown from '@/components/common/ActionDropdown.vue'
+import BalanceDisplay from '@/components/accounts/BalanceDisplay.vue'
+import AccountBalanceScriptModal from '@/components/accounts/AccountBalanceScriptModal.vue'

 // 使用确认弹窗
 const { showConfirmModal, confirmOptions, showConfirm, handleConfirm, handleCancel } = useConfirm()
@@ -2069,6 +2142,7 @@ const { showConfirmModal, confirmOptions, showConfirm, handleConfirm, handleCanc
 // 数据状态
 const accounts = ref([])
 const accountsLoading = ref(false)
+const refreshingBalances = ref(false)
 const accountsSortBy = ref('name')
 const accountsSortOrder = ref('asc')
 const apiKeys = ref([]) // 保留用于其他功能（如删除账户时显示绑定信息）
@@ -2498,6 +2572,42 @@ const handleScheduledTestSaved = () => {
  showToast('定时测试配置已保存', 'success')
 }

+// 余额脚本配置
+const showBalanceScriptModal = ref(false)
+const selectedAccountForScript = ref(null)
+
+const openBalanceScriptModal = (account) => {
+  selectedAccountForScript.value = account
+  showBalanceScriptModal.value = true
+}
+
+const closeBalanceScriptModal = () => {
+  showBalanceScriptModal.value = false
+  selectedAccountForScript.value = null
+}
+
+const handleBalanceScriptSaved = async () => {
+  showToast('余额脚本已保存', 'success')
+  const account = selectedAccountForScript.value
+  closeBalanceScriptModal()
+
+  if (!account?.id || !account?.platform) {
+    return
+  }
+
+  // 重新拉取一次余额信息，用于刷新 scriptConfigured 状态（启用“刷新余额”按钮）
+  try {
+    const res = await apiClient.get(`/admin/accounts/${account.id}/balance`, {
+      params: { platform: account.platform, queryApi: false }
+    })
+    if (res?.success && res.data) {
+      handleBalanceRefreshed(account.id, res.data)
+    }
+  } catch (error) {
+    console.debug('Failed to reload balance after saving script:', error)
+  }
+}
+
 // 计算排序后的账户列表
 const sortedAccounts = computed(() => {
  let sourceAccounts = accounts.value
@@ -2768,6 +2878,104 @@ const paginatedAccounts = computed(() => {
  return sortedAccounts.value.slice(start, end)
 })

+const canRefreshVisibleBalances = computed(() => {
+  const targets = paginatedAccounts.value
+  if (!Array.isArray(targets) || targets.length === 0) {
+    return false
+  }
+
+  return targets.some((account) => {
+    const info = account?.balanceInfo
+    return info?.scriptEnabled !== false && !!info?.scriptConfigured
+  })
+})
+
+const refreshBalanceTooltip = computed(() => {
+  if (accountsLoading.value) return '正在加载账户...'
+  if (refreshingBalances.value) return '刷新中...'
+  if (!canRefreshVisibleBalances.value) return '当前页未配置余额脚本，无法刷新'
+  return '刷新当前页余额（仅对已配置余额脚本的账户生效）'
+})
+
+// 余额刷新成功回调
+const handleBalanceRefreshed = (accountId, balanceInfo) => {
+  accounts.value = accounts.value.map((account) => {
+    if (account.id !== accountId) return account
+    return { ...account, balanceInfo }
+  })
+}
+
+// 余额请求错误回调（仅提示，不中断页面）
+const handleBalanceError = (_accountId, error) => {
+  const message = error?.message || '余额查询失败'
+  showToast(message, 'error')
+}
+
+// 批量刷新当前页余额（触发查询）
+const refreshVisibleBalances = async () => {
+  if (refreshingBalances.value) return
+
+  const targets = paginatedAccounts.value
+  if (!targets || targets.length === 0) {
+    return
+  }
+
+  const eligibleTargets = targets.filter((account) => {
+    const info = account?.balanceInfo
+    return info?.scriptEnabled !== false && !!info?.scriptConfigured
+  })
+
+  if (eligibleTargets.length === 0) {
+    showToast('当前页没有配置余额脚本的账户', 'warning')
+    return
+  }
+
+  const skippedCount = targets.length - eligibleTargets.length
+
+  refreshingBalances.value = true
+  try {
+    const results = await Promise.all(
+      eligibleTargets.map(async (account) => {
+        try {
+          const response = await apiClient.post(`/admin/accounts/${account.id}/balance/refresh`, {
+            platform: account.platform
+          })
+          return { id: account.id, success: !!response?.success, data: response?.data || null }
+        } catch (error) {
+          return { id: account.id, success: false, error: error?.message || '刷新失败' }
+        }
+      })
+    )
+
+    const updatedMap = results.reduce((map, item) => {
+      if (item.success && item.data) {
+        map[item.id] = item.data
+      }
+      return map
+    }, {})
+
+    const successCount = results.filter((r) => r.success).length
+    const failCount = results.length - successCount
+
+    const skippedText = skippedCount > 0 ? `，跳过 ${skippedCount} 个未配置脚本` : ''
+    if (Object.keys(updatedMap).length > 0) {
+      accounts.value = accounts.value.map((account) => {
+        const balanceInfo = updatedMap[account.id]
+        if (!balanceInfo) return account
+        return { ...account, balanceInfo }
+      })
+    }
+
+    if (failCount === 0) {
+      showToast(`成功刷新 ${successCount} 个账户余额${skippedText}`, 'success')
+    } else {
+      showToast(`刷新完成：${successCount} 成功，${failCount} 失败${skippedText}`, 'warning')
+    }
+  } finally {
+    refreshingBalances.value = false
+  }
+}
+
 const updateSelectAllState = () => {
  const currentIds = paginatedAccounts.value.map((account) => account.id)
  const selectedInCurrentPage = currentIds.filter((id) =>
@@ -2818,6 +3026,54 @@ const cleanupSelectedAccounts = () => {
  updateSelectAllState()
 }

+// 异步加载余额缓存（按平台批量拉取，避免逐行请求）
+const loadBalanceCacheForAccounts = async () => {
+  const current = accounts.value
+  if (!Array.isArray(current) || current.length === 0) {
+    return
+  }
+
+  const platforms = Array.from(new Set(current.map((acc) => acc.platform).filter(Boolean)))
+  if (platforms.length === 0) {
+    return
+  }
+
+  const responses = await Promise.all(
+    platforms.map(async (platform) => {
+      try {
+        const res = await apiClient.get(`/admin/accounts/balance/platform/${platform}`, {
+          params: { queryApi: false }
+        })
+        return { platform, success: !!res?.success, data: res?.data || [] }
+      } catch (error) {
+        console.debug(`Failed to load balance cache for ${platform}:`, error)
+        return { platform, success: false, data: [] }
+      }
+    })
+  )
+
+  const balanceMap = responses.reduce((map, item) => {
+    if (!item.success) return map
+    const list = Array.isArray(item.data) ? item.data : []
+    list.forEach((entry) => {
+      const accountId = entry?.data?.accountId
+      if (accountId) {
+        map[accountId] = entry.data
+      }
+    })
+    return map
+  }, {})
+
+  if (Object.keys(balanceMap).length === 0) {
+    return
+  }
+
+  accounts.value = accounts.value.map((account) => ({
+    ...account,
+    balanceInfo: balanceMap[account.id] || account.balanceInfo || null
+  }))
+}
+
 // 加载账户列表
 const loadAccounts = async (forceReload = false) => {
  accountsLoading.value = true
@@ -3010,6 +3266,11 @@ const loadAccounts = async (forceReload = false) => {
        console.debug('Claude usage loading failed:', err)
      })
    }
+
+    // 异步加载余额缓存（按平台批量）
+    loadBalanceCacheForAccounts().catch((err) => {
+      console.debug('Balance cache loading failed:', err)
+    })
  } catch (error) {
    showToast('加载账户失败', 'error')
  } finally {
--- a/web/admin-spa/src/views/ApiStatsView.vue
+++ b/web/admin-spa/src/views/ApiStatsView.vue
@@ -6,7 +6,13 @@
        <LogoTitle
          :loading="oemLoading"
          :logo-src="oemSettings.siteIconData || oemSettings.siteIcon"
-          :subtitle="currentTab === 'stats' ? 'API Key 使用统计' : '使用教程'"
+          :subtitle="
+            currentTab === 'stats'
+              ? 'API Key 使用统计'
+              : currentTab === 'overview'
+                ? '服务状态概览'
+                : '使用教程'
+          "
          :title="oemSettings.siteName"
        />
        <div class="flex items-center gap-2 md:gap-4">
@@ -49,6 +55,13 @@
        <div
          class="inline-flex w-full max-w-md rounded-full border border-white/20 bg-white/10 p-1 shadow-lg backdrop-blur-xl md:w-auto"
        >
+          <button
+            :class="['tab-pill-button', currentTab === 'overview' ? 'active' : '']"
+            @click="switchToOverview"
+          >
+            <i class="fas fa-tachometer-alt mr-1 md:mr-2" />
+            <span class="text-sm md:text-base">状态概览</span>
+          </button>
          <button
            :class="['tab-pill-button', currentTab === 'stats' ? 'active' : '']"
            @click="currentTab = 'stats'"
@@ -67,6 +80,11 @@
      </div>
    </div>

+    <!-- 状态概览内容 -->
+    <div v-if="currentTab === 'overview'" class="tab-content">
+      <PublicStatsOverview />
+    </div>
+
    <!-- 统计内容 -->
    <div v-if="currentTab === 'stats'" class="tab-content">
      <!-- API Key 输入区域 -->
@@ -174,6 +192,7 @@ import { useRoute } from 'vue-router'
 import { storeToRefs } from 'pinia'
 import { useApiStatsStore } from '@/stores/apistats'
 import { useThemeStore } from '@/stores/theme'
+import { useAuthStore } from '@/stores/auth'
 import LogoTitle from '@/components/common/LogoTitle.vue'
 import ThemeToggle from '@/components/common/ThemeToggle.vue'
 import ApiKeyInput from '@/components/apistats/ApiKeyInput.vue'
@@ -184,13 +203,15 @@ import AggregatedStatsCard from '@/components/apistats/AggregatedStatsCard.vue'
 import ModelUsageStats from '@/components/apistats/ModelUsageStats.vue'
 import TutorialView from './TutorialView.vue'
 import ApiKeyTestModal from '@/components/apikeys/ApiKeyTestModal.vue'
+import PublicStatsOverview from '@/components/common/PublicStatsOverview.vue'

 const route = useRoute()
 const apiStatsStore = useApiStatsStore()
 const themeStore = useThemeStore()
+const authStore = useAuthStore()

-// 当前标签页
-const currentTab = ref('stats')
+// 当前标签页 - 默认显示状态概览
+const currentTab = ref('overview')

 // 主题相关
 const isDarkMode = computed(() => themeStore.isDarkMode)
@@ -223,6 +244,12 @@ const closeTestModal = () => {
  showTestModal.value = false
 }

+// 切换到状态概览并加载数据
+const switchToOverview = () => {
+  currentTab.value = 'overview'
+  authStore.loadPublicStats()
+}
+
 // 处理键盘快捷键
 const handleKeyDown = (event) => {
  // Ctrl/Cmd + Enter 查询
@@ -249,6 +276,9 @@ onMounted(() => {
  // 加载 OEM 设置
  loadOemSettings()

+  // 默认加载公开统计数据
+  authStore.loadPublicStats()
+
  // 检查 URL 参数
  const urlApiId = route.query.apiId
  const urlApiKey = route.query.apiKey
--- a/web/admin-spa/src/views/BalanceScriptsView.vue
+++ b/web/admin-spa/src/views/BalanceScriptsView.vue
@@ -0,0 +1,312 @@
+<template>
+  <div class="space-y-6">
+    <div class="flex flex-col gap-4 lg:flex-row">
+      <div class="glass-strong flex-1 rounded-2xl p-4 shadow-lg">
+        <div class="mb-3 flex items-center justify-between">
+          <div>
+            <div class="text-lg font-semibold text-gray-900 dark:text-gray-100">脚本余额配置</div>
+            <div class="text-xs text-gray-500 dark:text-gray-400">
+              使用自定义脚本 + 模板变量适配任意余额接口
+            </div>
+          </div>
+          <div class="flex gap-2">
+            <button
+              class="rounded-lg bg-gray-100 px-3 py-2 text-sm font-medium text-gray-700 transition hover:bg-gray-200 dark:bg-gray-700 dark:text-gray-200 dark:hover:bg-gray-600"
+              @click="loadConfig"
+            >
+              重新加载
+            </button>
+            <button
+              class="rounded-lg bg-indigo-600 px-4 py-2 text-sm font-semibold text-white transition hover:bg-indigo-700"
+              :disabled="saving"
+              @click="saveConfig"
+            >
+              <span v-if="saving">保存中...</span>
+              <span v-else>保存配置</span>
+            </button>
+          </div>
+        </div>
+
+        <div class="grid gap-4 md:grid-cols-2">
+          <div class="space-y-2">
+            <label class="text-sm font-medium text-gray-700 dark:text-gray-200">API Key</label>
+            <input v-model="form.apiKey" class="input-text" placeholder="sk-xxxx" type="text" />
+          </div>
+          <div class="space-y-2">
+            <label class="text-sm font-medium text-gray-700 dark:text-gray-200">
+              请求地址（baseUrl）
+            </label>
+            <input
+              v-model="form.baseUrl"
+              class="input-text"
+              placeholder="https://api.example.com"
+              type="text"
+            />
+          </div>
+          <div class="space-y-2">
+            <label class="text-sm font-medium text-gray-700 dark:text-gray-200"
+              >Token（可选）</label
+            >
+            <input v-model="form.token" class="input-text" placeholder="Bearer token" type="text" />
+          </div>
+          <div class="grid grid-cols-2 gap-3">
+            <div class="space-y-2">
+              <label class="text-sm font-medium text-gray-700 dark:text-gray-200"
+                >超时时间(秒)</label
+              >
+              <input
+                v-model.number="form.timeoutSeconds"
+                class="input-text"
+                min="1"
+                type="number"
+              />
+            </div>
+            <div class="space-y-2">
+              <label class="text-sm font-medium text-gray-700 dark:text-gray-200">
+                自动查询间隔(分钟)
+              </label>
+              <input
+                v-model.number="form.autoIntervalMinutes"
+                class="input-text"
+                min="0"
+                type="number"
+              />
+            </div>
+          </div>
+          <div class="md:col-span-2">
+            <label class="text-sm font-medium text-gray-700 dark:text-gray-200">模板变量</label>
+            <p class="text-xs text-gray-500 dark:text-gray-400">
+              可用变量：{{ '{' }}{{ '{' }}baseUrl{{ '}' }}{{ '}' }}、{{ '{' }}{{ '{' }}apiKey{{ '}'
+              }}{{ '}' }}、{{ '{' }}{{ '{' }}token{{ '}' }}{{ '}' }}、{{ '{' }}{{ '{' }}accountId{{
+                '}'
+              }}{{ '}' }}、{{ '{' }}{{ '{' }}platform{{ '}' }}{{ '}' }}、{{ '{' }}{{ '{' }}extra{{
+                '}'
+              }}{{ '}' }}
+            </p>
+          </div>
+        </div>
+      </div>
+
+      <div class="glass-strong w-full max-w-xl rounded-2xl p-4 shadow-lg">
+        <div class="mb-3 flex items-center justify-between">
+          <div>
+            <div class="text-lg font-semibold text-gray-900 dark:text-gray-100">测试脚本</div>
+            <div class="text-xs text-gray-500 dark:text-gray-400">
+              填入账号上下文（可选），调试 extractor 输出
+            </div>
+          </div>
+          <button
+            class="rounded-lg bg-blue-600 px-4 py-2 text-sm font-semibold text-white transition hover:bg-blue-700"
+            :disabled="testing"
+            @click="testScript"
+          >
+            <span v-if="testing">测试中...</span>
+            <span v-else>测试脚本</span>
+          </button>
+        </div>
+        <div class="grid gap-3">
+          <div class="space-y-1">
+            <label class="text-sm font-medium text-gray-700 dark:text-gray-200">平台</label>
+            <input v-model="testForm.platform" class="input-text" placeholder="例如 claude" />
+          </div>
+          <div class="space-y-1">
+            <label class="text-sm font-medium text-gray-700 dark:text-gray-200">账号ID</label>
+            <input v-model="testForm.accountId" class="input-text" placeholder="账号标识，可选" />
+          </div>
+          <div class="space-y-1">
+            <label class="text-sm font-medium text-gray-700 dark:text-gray-200"
+              >额外参数 (extra)</label
+            >
+            <input v-model="testForm.extra" class="input-text" placeholder="可选" />
+          </div>
+        </div>
+
+        <div v-if="testResult" class="mt-4 space-y-2 rounded-xl bg-gray-50 p-3 dark:bg-gray-800/60">
+          <div class="flex items-center justify-between text-sm">
+            <span class="font-semibold text-gray-800 dark:text-gray-100">测试结果</span>
+            <span
+              :class="[
+                'rounded px-2 py-0.5 text-xs',
+                testResult.mapped?.status === 'success'
+                  ? 'bg-emerald-100 text-emerald-700 dark:bg-emerald-900/40 dark:text-emerald-200'
+                  : 'bg-red-100 text-red-700 dark:bg-red-900/40 dark:text-red-200'
+              ]"
+            >
+              {{ testResult.mapped?.status || 'unknown' }}
+            </span>
+          </div>
+          <div class="text-xs text-gray-600 dark:text-gray-300">
+            <div>余额: {{ displayAmount(testResult.mapped?.balance) }}</div>
+            <div>单位: {{ testResult.mapped?.currency || '—' }}</div>
+            <div v-if="testResult.mapped?.planName">套餐: {{ testResult.mapped.planName }}</div>
+            <div v-if="testResult.mapped?.errorMessage" class="text-red-500">
+              错误: {{ testResult.mapped.errorMessage }}
+            </div>
+            <div v-if="testResult.mapped?.quota">
+              配额: {{ JSON.stringify(testResult.mapped.quota) }}
+            </div>
+          </div>
+          <details class="text-xs text-gray-500 dark:text-gray-400">
+            <summary class="cursor-pointer">查看 extractor 输出</summary>
+            <pre class="mt-2 overflow-auto rounded bg-black/70 p-2 text-[11px] text-gray-100"
+              >{{ formatJson(testResult.extracted) }}
+</pre
+            >
+          </details>
+          <details class="text-xs text-gray-500 dark:text-gray-400">
+            <summary class="cursor-pointer">查看原始响应</summary>
+            <pre class="mt-2 overflow-auto rounded bg-black/70 p-2 text-[11px] text-gray-100"
+              >{{ formatJson(testResult.response) }}
+</pre
+            >
+          </details>
+        </div>
+      </div>
+    </div>
+
+    <div class="glass-strong rounded-2xl p-4 shadow-lg">
+      <div class="mb-2 flex items-center justify-between">
+        <div>
+          <div class="text-lg font-semibold text-gray-900 dark:text-gray-100">提取器代码</div>
+          <div class="text-xs text-gray-500 dark:text-gray-400">
+            返回对象需包含 request、extractor；支持模板变量替换
+          </div>
+        </div>
+        <button
+          class="rounded-lg bg-gray-100 px-3 py-2 text-sm font-medium text-gray-700 transition hover:bg-gray-200 dark:bg-gray-700 dark:text-gray-200 dark:hover:bg-gray-600"
+          @click="applyPreset"
+        >
+          使用示例模板
+        </button>
+      </div>
+      <textarea
+        v-model="form.scriptBody"
+        class="min-h-[320px] w-full rounded-xl bg-gray-900 font-mono text-sm text-gray-100 shadow-inner focus:outline-none focus:ring-2 focus:ring-indigo-500"
+        spellcheck="false"
+      ></textarea>
+      <div class="mt-2 text-xs text-gray-500 dark:text-gray-400">
+        extractor
+        返回字段（可选）：isValid、invalidMessage、remaining、unit、planName、total、used、extra
+      </div>
+    </div>
+  </div>
+</template>
+
+<script setup>
+import { onMounted, reactive, ref } from 'vue'
+import { apiClient } from '@/config/api'
+import { showToast } from '@/utils/toast'
+
+const form = reactive({
+  baseUrl: '',
+  apiKey: '',
+  token: '',
+  timeoutSeconds: 10,
+  autoIntervalMinutes: 0,
+  scriptBody: ''
+})
+
+const testForm = reactive({
+  platform: '',
+  accountId: '',
+  extra: ''
+})
+
+const saving = ref(false)
+const testing = ref(false)
+const testResult = ref(null)
+
+const presetScript = `({
+  request: {
+    url: "{{baseUrl}}/user/balance",
+    method: "GET",
+    headers: {
+      "Authorization": "Bearer {{apiKey}}",
+      "User-Agent": "cc-switch/1.0"
+    }
+  },
+  extractor: function(response) {
+    return {
+      isValid: response.is_active || true,
+      remaining: response.balance,
+      unit: "USD",
+      planName: response.plan || "默认套餐"
+    };
+  }
+})`
+
+const loadConfig = async () => {
+  try {
+    const res = await apiClient.get('/admin/balance-scripts/default')
+    if (res?.success && res.data) {
+      Object.assign(form, res.data)
+    }
+  } catch (error) {
+    showToast('加载配置失败', 'error')
+  }
+}
+
+const saveConfig = async () => {
+  saving.value = true
+  try {
+    const payload = { ...form }
+    await apiClient.put('/admin/balance-scripts/default', payload)
+    showToast('配置已保存', 'success')
+  } catch (error) {
+    showToast(error.message || '保存失败', 'error')
+  } finally {
+    saving.value = false
+  }
+}
+
+const testScript = async () => {
+  testing.value = true
+  testResult.value = null
+  try {
+    const payload = {
+      ...form,
+      ...testForm,
+      scriptBody: form.scriptBody
+    }
+    const res = await apiClient.post('/admin/balance-scripts/default/test', payload)
+    if (res?.success) {
+      testResult.value = res.data
+      showToast('测试完成', 'success')
+    } else {
+      showToast(res?.error || '测试失败', 'error')
+    }
+  } catch (error) {
+    showToast(error.message || '测试失败', 'error')
+  } finally {
+    testing.value = false
+  }
+}
+
+const applyPreset = () => {
+  form.scriptBody = presetScript
+}
+
+const displayAmount = (val) => {
+  if (val === null || val === undefined || Number.isNaN(Number(val))) return '—'
+  return Number(val).toFixed(2)
+}
+
+const formatJson = (data) => {
+  try {
+    return JSON.stringify(data, null, 2)
+  } catch (error) {
+    return String(data)
+  }
+}
+
+onMounted(() => {
+  applyPreset()
+  loadConfig()
+})
+</script>
+
+<style scoped>
+.input-text {
+  @apply w-full rounded-lg border border-gray-200 bg-white px-3 py-2 text-sm text-gray-800 shadow-sm transition focus:border-indigo-400 focus:outline-none focus:ring-2 focus:ring-indigo-200 dark:border-gray-700 dark:bg-gray-800 dark:text-gray-100 dark:focus:border-indigo-500 dark:focus:ring-indigo-600;
+}
+</style>
--- a/web/admin-spa/src/views/DashboardView.vue
+++ b/web/admin-spa/src/views/DashboardView.vue
@@ -196,6 +196,105 @@
      </div>
    </div>

+    <!-- 账户余额/配额汇总 -->
+    <div class="mb-4 grid grid-cols-1 gap-3 sm:mb-6 sm:grid-cols-2 sm:gap-4 md:mb-8 md:gap-6">
+      <div class="stat-card">
+        <div class="flex items-center justify-between">
+          <div>
+            <p class="mb-1 text-xs font-semibold text-gray-600 dark:text-gray-400 sm:text-sm">
+              账户余额/配额
+            </p>
+            <p class="text-2xl font-bold text-gray-900 dark:text-gray-100 sm:text-3xl">
+              {{ formatCurrencyUsd(balanceSummary.totalBalance || 0) }}
+            </p>
+            <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
+              低余额: {{ balanceSummary.lowBalanceCount || 0 }} | 总成本:
+              {{ formatCurrencyUsd(balanceSummary.totalCost || 0) }}
+            </p>
+          </div>
+          <div class="stat-icon flex-shrink-0 bg-gradient-to-br from-emerald-500 to-green-600">
+            <i class="fas fa-wallet" />
+          </div>
+        </div>
+
+        <div class="mt-3 flex items-center justify-between gap-3">
+          <p class="text-xs text-gray-500 dark:text-gray-400">
+            更新时间: {{ formatLastUpdate(balanceSummaryUpdatedAt) }}
+          </p>
+          <button
+            class="flex items-center gap-2 rounded-lg border border-gray-200 bg-white px-3 py-1.5 text-xs font-medium text-gray-700 shadow-sm transition-all duration-200 hover:border-gray-300 hover:shadow-md disabled:cursor-not-allowed disabled:opacity-50 dark:border-gray-600 dark:bg-gray-800 dark:text-gray-300 dark:hover:border-gray-500"
+            :disabled="loadingBalanceSummary"
+            @click="loadBalanceSummary"
+          >
+            <i :class="['fas', loadingBalanceSummary ? 'fa-spinner fa-spin' : 'fa-sync-alt']" />
+            刷新
+          </button>
+        </div>
+      </div>
+
+      <div class="card p-4 sm:p-6">
+        <div class="mb-3 flex items-center justify-between">
+          <h3 class="text-sm font-semibold text-gray-900 dark:text-gray-100">低余额账户</h3>
+          <span class="text-xs text-gray-500 dark:text-gray-400">
+            {{ lowBalanceAccounts.length }} 个
+          </span>
+        </div>
+
+        <div
+          v-if="loadingBalanceSummary"
+          class="py-6 text-center text-sm text-gray-500 dark:text-gray-400"
+        >
+          正在加载...
+        </div>
+        <div
+          v-else-if="lowBalanceAccounts.length === 0"
+          class="py-6 text-center text-sm text-green-600 dark:text-green-400"
+        >
+          全部正常
+        </div>
+        <div v-else class="max-h-64 space-y-2 overflow-y-auto">
+          <div
+            v-for="account in lowBalanceAccounts"
+            :key="account.accountId"
+            class="rounded-lg border border-red-200 bg-red-50 p-3 dark:border-red-900/60 dark:bg-red-900/20"
+          >
+            <div class="flex items-center justify-between gap-2">
+              <div class="truncate text-sm font-medium text-gray-900 dark:text-gray-100">
+                {{ account.name || account.accountId }}
+              </div>
+              <span
+                class="rounded bg-gray-100 px-2 py-0.5 text-xs text-gray-600 dark:bg-gray-700 dark:text-gray-300"
+              >
+                {{ getBalancePlatformLabel(account.platform) }}
+              </span>
+            </div>
+            <div class="mt-1 text-xs text-gray-600 dark:text-gray-400">
+              <span v-if="account.balance">余额: {{ account.balance.formattedAmount }}</span>
+              <span v-else
+                >今日成本: {{ formatCurrencyUsd(account.statistics?.dailyCost || 0) }}</span
+              >
+            </div>
+            <div v-if="account.quota && typeof account.quota.percentage === 'number'" class="mt-2">
+              <div
+                class="mb-1 flex items-center justify-between text-xs text-gray-600 dark:text-gray-400"
+              >
+                <span>配额使用</span>
+                <span class="text-red-600 dark:text-red-400">
+                  {{ account.quota.percentage.toFixed(1) }}%
+                </span>
+              </div>
+              <div class="h-2 w-full rounded-full bg-gray-200 dark:bg-gray-700">
+                <div
+                  class="h-2 rounded-full bg-red-500"
+                  :style="{ width: `${Math.min(100, account.quota.percentage)}%` }"
+                ></div>
+              </div>
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+
    <!-- Token统计和性能指标 -->
    <div
      class="mb-4 grid grid-cols-1 gap-3 sm:mb-6 sm:grid-cols-2 sm:gap-4 md:mb-8 md:gap-6 lg:grid-cols-4"
@@ -681,6 +780,8 @@ import { ref, onMounted, onUnmounted, watch, nextTick, computed } from 'vue'
 import { storeToRefs } from 'pinia'
 import { useDashboardStore } from '@/stores/dashboard'
 import { useThemeStore } from '@/stores/theme'
+import { apiClient } from '@/config/api'
+import { showToast } from '@/utils/toast'
 import Chart from 'chart.js/auto'

 const dashboardStore = useDashboardStore()
@@ -732,6 +833,97 @@ const accountGroupOptions = [

 const accountTrendUpdating = ref(false)

+// 余额/配额汇总
+const balanceSummary = ref({
+  totalBalance: 0,
+  totalCost: 0,
+  lowBalanceCount: 0,
+  platforms: {}
+})
+const loadingBalanceSummary = ref(false)
+const balanceSummaryUpdatedAt = ref(null)
+
+const getBalancePlatformLabel = (platform) => {
+  const map = {
+    claude: 'Claude',
+    'claude-console': 'Claude Console',
+    gemini: 'Gemini',
+    'gemini-api': 'Gemini API',
+    openai: 'OpenAI',
+    'openai-responses': 'OpenAI Responses',
+    azure_openai: 'Azure OpenAI',
+    bedrock: 'Bedrock',
+    droid: 'Droid',
+    ccr: 'CCR'
+  }
+  return map[platform] || platform
+}
+
+const lowBalanceAccounts = computed(() => {
+  const result = []
+  const platforms = balanceSummary.value?.platforms || {}
+
+  Object.entries(platforms).forEach(([platform, data]) => {
+    const list = Array.isArray(data?.accounts) ? data.accounts : []
+    list.forEach((entry) => {
+      const accountData = entry?.data
+      if (!accountData) return
+
+      const amount = accountData.balance?.amount
+      const percentage = accountData.quota?.percentage
+
+      const isLowBalance = typeof amount === 'number' && amount < 10
+      const isHighUsage = typeof percentage === 'number' && percentage > 90
+
+      if (isLowBalance || isHighUsage) {
+        result.push({
+          ...accountData,
+          name: entry?.name || accountData.accountId,
+          platform: accountData.platform || platform
+        })
+      }
+    })
+  })
+
+  return result
+})
+
+const formatCurrencyUsd = (amount) => {
+  const value = Number(amount)
+  if (!Number.isFinite(value)) return '$0.00'
+  if (value >= 1) return `$${value.toFixed(2)}`
+  if (value >= 0.01) return `$${value.toFixed(3)}`
+  return `$${value.toFixed(6)}`
+}
+
+const formatLastUpdate = (isoString) => {
+  if (!isoString) return '未知'
+  const date = new Date(isoString)
+  if (Number.isNaN(date.getTime())) return '未知'
+  return date.toLocaleTimeString('zh-CN', { hour: '2-digit', minute: '2-digit' })
+}
+
+const loadBalanceSummary = async () => {
+  loadingBalanceSummary.value = true
+  try {
+    const response = await apiClient.get('/admin/accounts/balance/summary')
+    if (response?.success) {
+      balanceSummary.value = response.data || {
+        totalBalance: 0,
+        totalCost: 0,
+        lowBalanceCount: 0,
+        platforms: {}
+      }
+      balanceSummaryUpdatedAt.value = new Date().toISOString()
+    }
+  } catch (error) {
+    console.debug('加载余额汇总失败:', error)
+    showToast('加载余额汇总失败', 'error')
+  } finally {
+    loadingBalanceSummary.value = false
+  }
+}
+
 // 自动刷新相关
 const autoRefreshEnabled = ref(false)
 const autoRefreshInterval = ref(30) // 秒
@@ -1488,7 +1680,7 @@ async function refreshAllData() {

  isRefreshing.value = true
  try {
-    await Promise.all([loadDashboardData(), refreshChartsData()])
+    await Promise.all([loadDashboardData(), refreshChartsData(), loadBalanceSummary()])
  } finally {
    isRefreshing.value = false
  }
--- a/web/admin-spa/src/views/LoginView.vue
+++ b/web/admin-spa/src/views/LoginView.vue
@@ -5,6 +5,7 @@
      <ThemeToggle mode="dropdown" />
    </div>

+    <!-- 登录卡片 -->
    <div
      class="glass-strong w-full max-w-md rounded-xl p-6 shadow-2xl sm:rounded-2xl sm:p-8 md:rounded-3xl md:p-10"
    >
--- a/web/admin-spa/src/views/SettingsView.vue
+++ b/web/admin-spa/src/views/SettingsView.vue
@@ -48,6 +48,18 @@
            <i class="fas fa-robot mr-2"></i>
            Claude 转发
          </button>
+          <button
+            :class="[
+              'border-b-2 pb-2 text-sm font-medium transition-colors',
+              activeSection === 'publicStats'
+                ? 'border-blue-500 text-blue-600 dark:border-blue-400 dark:text-blue-400'
+                : 'border-transparent text-gray-500 hover:border-gray-300 hover:text-gray-700 dark:text-gray-400 dark:hover:text-gray-300'
+            ]"
+            @click="activeSection = 'publicStats'"
+          >
+            <i class="fas fa-chart-line mr-2"></i>
+            公开统计
+          </button>
        </nav>
      </div>

@@ -1025,6 +1037,158 @@
            </div>
          </div>
        </div>
+
+        <!-- 公开统计设置部分 -->
+        <div v-show="activeSection === 'publicStats'">
+          <div class="rounded-lg bg-white/80 p-6 shadow-lg backdrop-blur-sm dark:bg-gray-800/80">
+            <div class="mb-6 flex items-center justify-between">
+              <div class="flex items-center gap-3">
+                <div
+                  class="flex h-10 w-10 items-center justify-center rounded-xl bg-gradient-to-br from-green-500 to-emerald-600 text-white shadow-md"
+                >
+                  <i class="fas fa-chart-line"></i>
+                </div>
+                <div>
+                  <h2 class="text-lg font-semibold text-gray-800 dark:text-gray-200">
+                    公开统计概览
+                  </h2>
+                  <p class="text-sm text-gray-600 dark:text-gray-400">
+                    配置未登录用户可见的统计数据
+                  </p>
+                </div>
+              </div>
+              <label class="inline-flex cursor-pointer items-center">
+                <input
+                  v-model="oemSettings.publicStatsEnabled"
+                  class="peer sr-only"
+                  type="checkbox"
+                />
+                <div
+                  class="peer relative h-6 w-11 rounded-full bg-gray-200 after:absolute after:left-[2px] after:top-[2px] after:h-5 after:w-5 after:rounded-full after:border after:border-gray-300 after:bg-white after:transition-all after:content-[''] peer-checked:bg-green-600 peer-checked:after:translate-x-full peer-checked:after:border-white peer-focus:outline-none peer-focus:ring-4 peer-focus:ring-green-300 dark:border-gray-600 dark:bg-gray-700 dark:peer-focus:ring-green-800"
+                ></div>
+                <span class="ml-3 text-sm font-medium text-gray-900 dark:text-gray-300">{{
+                  oemSettings.publicStatsEnabled ? '已启用' : '已禁用'
+                }}</span>
+              </label>
+            </div>
+
+            <!-- 数据显示选项 -->
+            <div
+              v-if="oemSettings.publicStatsEnabled"
+              class="space-y-4 rounded-lg border border-gray-200 bg-gray-50 p-4 dark:border-gray-600 dark:bg-gray-700/50"
+            >
+              <p class="text-sm font-medium text-gray-700 dark:text-gray-300">
+                <i class="fas fa-eye mr-2 text-gray-400"></i>
+                选择要公开显示的数据：
+              </p>
+              <div class="grid gap-3 sm:grid-cols-2">
+                <div
+                  class="rounded-lg border border-gray-200 bg-white p-3 transition-colors dark:border-gray-600 dark:bg-gray-800"
+                >
+                  <label class="flex cursor-pointer items-center gap-3">
+                    <input
+                      v-model="oemSettings.publicStatsShowModelDistribution"
+                      class="h-4 w-4 rounded border-gray-300 text-green-600 focus:ring-green-500 dark:border-gray-600 dark:bg-gray-700"
+                      type="checkbox"
+                    />
+                    <div>
+                      <span class="text-sm font-medium text-gray-700 dark:text-gray-300"
+                        >模型使用分布</span
+                      >
+                      <p class="text-xs text-gray-500 dark:text-gray-400">显示各模型的使用占比</p>
+                    </div>
+                  </label>
+                  <div v-if="oemSettings.publicStatsShowModelDistribution" class="mt-3 pl-7">
+                    <div class="mb-1.5 text-xs text-gray-500 dark:text-gray-400">时间范围</div>
+                    <div class="inline-flex rounded-lg bg-gray-100 p-0.5 dark:bg-gray-700/50">
+                      <button
+                        v-for="option in modelDistributionPeriodOptions"
+                        :key="option.value"
+                        class="rounded-md px-2.5 py-1 text-xs font-medium transition-all"
+                        :class="
+                          oemSettings.publicStatsModelDistributionPeriod === option.value
+                            ? 'bg-white text-green-600 shadow-sm dark:bg-gray-600 dark:text-green-400'
+                            : 'text-gray-600 hover:text-gray-900 dark:text-gray-400 dark:hover:text-gray-200'
+                        "
+                        type="button"
+                        @click="oemSettings.publicStatsModelDistributionPeriod = option.value"
+                      >
+                        {{ option.label }}
+                      </button>
+                    </div>
+                  </div>
+                </div>
+                <label
+                  class="flex cursor-pointer items-center gap-3 rounded-lg border border-gray-200 bg-white p-3 transition-colors hover:bg-gray-50 dark:border-gray-600 dark:bg-gray-800 dark:hover:bg-gray-700"
+                >
+                  <input
+                    v-model="oemSettings.publicStatsShowTokenTrends"
+                    class="h-4 w-4 rounded border-gray-300 text-green-600 focus:ring-green-500 dark:border-gray-600 dark:bg-gray-700"
+                    type="checkbox"
+                  />
+                  <div>
+                    <span class="text-sm font-medium text-gray-700 dark:text-gray-300"
+                      >Token 使用趋势</span
+                    >
+                    <p class="text-xs text-gray-500 dark:text-gray-400">显示近7天的Token使用量</p>
+                  </div>
+                </label>
+                <label
+                  class="flex cursor-pointer items-center gap-3 rounded-lg border border-gray-200 bg-white p-3 transition-colors hover:bg-gray-50 dark:border-gray-600 dark:bg-gray-800 dark:hover:bg-gray-700"
+                >
+                  <input
+                    v-model="oemSettings.publicStatsShowApiKeysTrends"
+                    class="h-4 w-4 rounded border-gray-300 text-green-600 focus:ring-green-500 dark:border-gray-600 dark:bg-gray-700"
+                    type="checkbox"
+                  />
+                  <div>
+                    <span class="text-sm font-medium text-gray-700 dark:text-gray-300"
+                      >API Keys 活跃趋势</span
+                    >
+                    <p class="text-xs text-gray-500 dark:text-gray-400">
+                      显示近7天的活跃API Key数量
+                    </p>
+                  </div>
+                </label>
+                <label
+                  class="flex cursor-pointer items-center gap-3 rounded-lg border border-gray-200 bg-white p-3 transition-colors hover:bg-gray-50 dark:border-gray-600 dark:bg-gray-800 dark:hover:bg-gray-700"
+                >
+                  <input
+                    v-model="oemSettings.publicStatsShowAccountTrends"
+                    class="h-4 w-4 rounded border-gray-300 text-green-600 focus:ring-green-500 dark:border-gray-600 dark:bg-gray-700"
+                    type="checkbox"
+                  />
+                  <div>
+                    <span class="text-sm font-medium text-gray-700 dark:text-gray-300"
+                      >账号活跃趋势</span
+                    >
+                    <p class="text-xs text-gray-500 dark:text-gray-400">显示近7天的活跃账号数量</p>
+                  </div>
+                </label>
+              </div>
+            </div>
+
+            <!-- 操作按钮 -->
+            <div class="mt-6 flex items-center justify-between">
+              <div class="flex gap-3">
+                <button
+                  class="btn btn-primary px-6 py-3"
+                  :class="{ 'cursor-not-allowed opacity-50': saving }"
+                  :disabled="saving"
+                  @click="saveOemSettings"
+                >
+                  <div v-if="saving" class="loading-spinner mr-2"></div>
+                  <i v-else class="fas fa-save mr-2" />
+                  {{ saving ? '保存中...' : '保存设置' }}
+                </button>
+              </div>
+              <div v-if="oemSettings.updatedAt" class="text-sm text-gray-500 dark:text-gray-400">
+                <i class="fas fa-clock mr-1" />
+                最后更新：{{ formatDateTime(oemSettings.updatedAt) }}
+              </div>
+            </div>
+          </div>
+        </div>
      </div>
    </div>
  </div>
@@ -1622,6 +1786,15 @@ defineOptions({
 const settingsStore = useSettingsStore()
 const { loading, saving, oemSettings } = storeToRefs(settingsStore)

+// 模型使用分布时间范围选项
+const modelDistributionPeriodOptions = [
+  { value: 'today', label: '今天' },
+  { value: '24h', label: '24小时' },
+  { value: '7d', label: '7天' },
+  { value: '30d', label: '30天' },
+  { value: 'all', label: '全部' }
+]
+
 // 组件refs
 const iconFileInput = ref()

@@ -2467,7 +2640,14 @@ const saveOemSettings = async () => {
      siteName: oemSettings.value.siteName,
      siteIcon: oemSettings.value.siteIcon,
      siteIconData: oemSettings.value.siteIconData,
-      showAdminButton: oemSettings.value.showAdminButton
+      showAdminButton: oemSettings.value.showAdminButton,
+      publicStatsEnabled: oemSettings.value.publicStatsEnabled,
+      publicStatsShowModelDistribution: oemSettings.value.publicStatsShowModelDistribution,
+      publicStatsModelDistributionPeriod:
+        oemSettings.value.publicStatsModelDistributionPeriod || 'today',
+      publicStatsShowTokenTrends: oemSettings.value.publicStatsShowTokenTrends,
+      publicStatsShowApiKeysTrends: oemSettings.value.publicStatsShowApiKeysTrends,
+      publicStatsShowAccountTrends: oemSettings.value.publicStatsShowAccountTrends
    }
    const result = await settingsStore.saveOemSettings(settings)
    if (result && result.success) {
Author	SHA1	Message	Date
github-actions[bot]	c3b536a8e9	chore: sync VERSION file with release v1.1.246 [skip ci]	2025-12-26 07:48:03 +00:00
shaw	85dd3a2cc6	fix: 修复PR #814 遗留bug	2025-12-26 15:47:45 +08:00
github-actions[bot]	bbaa850809	chore: sync VERSION file with release v1.1.245 [skip ci]	2025-12-26 06:57:35 +00:00
shaw	0731ac0449	fix: 修复无权访问 Claude 服务的问题2	2025-12-26 14:57:14 +08:00
github-actions[bot]	2c5a74eb5d	chore: sync VERSION file with release v1.1.244 [skip ci]	2025-12-26 06:39:48 +00:00
shaw	09c9b88c27	fix: 修复无权访问 Claude 服务的问题	2025-12-26 14:39:29 +08:00
github-actions[bot]	dd417e780c	chore: sync VERSION file with release v1.1.243 [skip ci]	2025-12-26 06:35:54 +00:00
Wesley Liddick	822466fc6e	Merge pull request #837 from Chapoly1305/guestPreview Feat：登陆前服务状态概览	2025-12-26 01:35:38 -05:00
github-actions[bot]	b892ac30a0	chore: sync VERSION file with release v1.1.242 [skip ci]	2025-12-26 05:59:55 +00:00
Wesley Liddick	b8f34b4630	Merge pull request #844 from dadongwo/antigravity feat: 实现 Antigravity OAuth 账户支持与路径分流	2025-12-26 00:59:42 -05:00
Wesley Liddick	c9621e9efb	Merge pull request #846 from bgColorGray/feat/passthrough-system-prompt [skip ci] feat: allow passing system prompt to Claude	2025-12-26 00:59:29 -05:00
Wesley Liddick	3f98267738	Merge branch 'main' into antigravity	2025-12-26 00:56:27 -05:00
Wesley Liddick	e187b8946a	Merge pull request #825 from atoz03/feat/account-quota [skip ci] Feat：account quota	2025-12-26 00:53:33 -05:00
Wesley Liddick	8917019a78	Merge pull request #814 from Guccbai/feature/multi-select-permissions [skip ci] feat(permissions): 服务权限从单选改为多选	2025-12-26 00:52:42 -05:00
pengyujie	e57a7bd614	feat: allow passing system prompt to Claude Add CRS_PASSTHROUGH_SYSTEM_PROMPT to optionally forward OpenAI-format system messages to Claude, improving compatibility with clients that rely on strict system instructions (e.g. MineContext).	2025-12-25 20:02:26 +08:00
52227	9960f237b8	feat: 实现 Antigravity OAuth 账户支持与路径分流	2025-12-25 14:33:24 +08:00
shaw	b6da77cabe	docs: update readme	2025-12-25 14:27:23 +08:00
github-actions[bot]	e561387e81	chore: sync VERSION file with release v1.1.241 [skip ci]	2025-12-25 06:23:55 +00:00
shaw	982cca1020	fix: 修复鉴权检测的重大安全漏洞	2025-12-25 14:23:35 +08:00
github-actions[bot]	792ba51290	chore: sync VERSION file with release v1.1.240 [skip ci]	2025-12-25 02:46:09 +00:00
Wesley Liddick	74d138a2fb	Merge pull request #842 from IanShaw027/feat/account-export-api feat(admin): 添加账户导出同步 API	2025-12-24 21:45:55 -05:00
IanShaw027	b88698191e	style(admin): fix ESLint curly rule violations in sync.js 为单行 if 语句添加花括号以符合 ESLint curly 规则要求	2025-12-24 17:57:30 -08:00
IanShaw027	11c38b23d1	style(admin): format sync.js with prettier 修复 CI 格式化检查失败问题	2025-12-24 17:52:51 -08:00
IanShaw027	b2dfc2eb25	feat(admin): 添加账户导出同步 API - 新增 /api/accounts 端点，支持导出所有账户数据 - 新增 /api/proxies 端点，支持导出所有代理配置 - 支持 Sub2API 从 CRS 批量同步账户 - 包含完整的 credentials 和 extra 字段 - 提供账户类型标识 (oauth/setup_token/api_key) 相关 PR: Sub2API 端实现账户同步功能	2025-12-24 17:35:11 -08:00
Chapoly1305	b16968c3e5	feat: 模型使用分布改用环形图展示 - 将条形图改为 Doughnut 环形图，更直观展示占比 - 右侧图例显示模型名称和百分比 - 支持8种渐变配色，明暗主题自适应 - 移除旧的条形图相关样式 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2025-12-23 21:59:02 -05:00
Chapoly1305	e754589ad5	style: 优化公开统计概览的宽屏布局 - 移除状态概览的最大宽度限制，与其他标签页保持一致 - 重构 PublicStatsOverview 组件布局为响应式两列设计 - 顶部状态栏：服务状态左侧，平台可用性右侧 - 主内容区：今日统计（4项）与模型分布并排显示 - 图表区域独立占满宽度 - 各区块添加独立圆角背景，视觉层次更清晰 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2025-12-23 21:48:59 -05:00
Chapoly1305	cfeb4658ad	feat: 模型使用分布支持自定义时间范围 - 后端：getPublicModelStats 支持 today/24h/7d/30d/all 五种时间范围 - 后端：新增 publicStatsModelDistributionPeriod 设置项 - 前端：设置页面添加横向选项卡式时间范围选择器 - 前端：公开统计组件显示当前数据时间范围标签 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2025-12-23 21:43:26 -05:00
Chapoly1305	0d94d3b449	feat: 公开统计功能增强 - 独立设置栏目和双Y轴折线图 - 将公开统计设置从品牌设置移至独立栏目 - 用三合一双Y轴折线图替代条形图（Chart.js + vue-chartjs） - 左Y轴显示Tokens，右Y轴显示活跃数量 - 添加暂无数据状态的友好提示 - 修复Y轴可能显示负数的问题（设置min:0） 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2025-12-23 18:58:20 +00:00
Chapoly1305	0c1bdf53d6	feat: 丰富公开统计概览数据并添加可选显示项 - 后端：添加 OEM 设置选项控制公开统计显示内容 - publicStatsShowModelDistribution: 模型使用分布 - publicStatsShowTokenTrends: Token 使用趋势（近7天） - publicStatsShowApiKeysTrends: API Keys 活跃趋势（近7天） - publicStatsShowAccountTrends: 账号活跃趋势（近7天） - 后端：扩展 /admin/public-stats API 返回趋势数据 - 前端：PublicStatsOverview 组件支持显示趋势柱状图 - 前端：设置页面添加公开统计选项复选框 - 前端：从登录页移除公开统计概览（已移至首页） 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2025-12-23 17:42:14 +00:00
Chapoly1305	ab474c3322	feat: 将公开统计概览移至首页状态概览标签 - 在首页添加"状态概览"标签，作为默认显示页面 - 修复 PublicStatsOverview.vue 属性顺序 lint 错误 - 修复 LoginView.vue prettier 格式问题 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2025-12-23 17:30:00 +00:00
Guccbai	534fbf6ac2	fix(eslint): 修复 ESLint 检查错误 - 修复 apiKeyService.js 中 if 语句缺少大括号的 curly 错误 - 移除 openaiGeminiRoutes.js 中重复声明 apiKeyService 导致的 no-shadow 错误 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2025-12-23 20:26:18 +08:00
Claude	82d1489a55	feat: 添加公开统计概览功能 - 新增 GET /admin/public-stats 公开端点，返回脱敏的服务统计数据 - 在 OEM 设置中添加 publicStatsEnabled 开关 - 创建 PublicStatsOverview 组件，展示服务状态、平台可用性、今日统计和模型使用分布 - 在登录页集成公开统计展示（当 publicStatsEnabled 开启时） - 在设置页品牌设置中添加公开统计开关	2025-12-23 01:48:55 +00:00
atoz03	b6f3459522	修复 eslint	2025-12-20 01:40:41 +08:00
atoz03	e56d797d87	修复 tests/accountBalanceService.test.js 的 Prettier 格式问题	2025-12-20 01:35:30 +08:00
atoz03	4c6879a9c2	Prettier 格式化	2025-12-20 01:24:08 +08:00
atoz03	1c8084a3b1	fix(admin): 打开余额脚本弹窗时重置表单，避免跨账户残留配置 - 打开弹窗先重置表单字段（baseUrl/apiKey/extra 等），仅保留示例脚本\n- 若后端存在已保存配置，则加载后覆盖\n- 同步清理测试结果与 loading 状态，避免残留误导	2025-12-20 01:18:49 +08:00
atoz03	f6f4b5cfec	feat(admin): 余额脚本驱动的余额/配额刷新与管理端体验修复 - 明确刷新语义：仅脚本启用且已配置时触发远程查询；未配置时前端禁用并提示\n- 新增余额脚本安全开关 BALANCE_SCRIPT_ENABLED（默认开启），脚本测试接口受控\n- Redis 增加单账户脚本配置存取，响应透出 scriptEnabled/scriptConfigured 供 UI 判定\n- accountBalanceService：本地统计汇总改用 SCAN+pipeline，避免 KEYS；仅缓存远程成功结果，避免失败/降级覆盖有效缓存\n- 管理端体验：刷新按钮按配置状态灰置；脚本弹窗内容可滚动、底部操作栏固定，并 append-to-body 使弹窗跟随当前视窗	2025-12-20 01:18:49 +08:00
atoz03	26ca696b91	fix:修复了重复声明 redis 导致的启动报错，并保留余额脚本功能接入账户	2025-12-20 01:18:49 +08:00
atoz03	ce496ed9e6	feat：单账户配置余额脚本 + 刷新按钮即用脚本”，并去掉独立页面/标签。具体改动 - 后端 - src/models/redis.js：新增脚本配置存取 account_balance_script:{platform}:{accountId}。 - src/services/accountBalanceService.js：支持脚本查询。若账户有脚本配置且 queryApi=true，调用 balanceScriptService.execute 获取余额/配额，缓存后返回。 - src/routes/admin/accountBalance.js：新增接口 - GET /admin/accounts/:id/balance/script?platform=... - PUT /admin/accounts/:id/balance/script?platform=... - POST /admin/accounts/:id/balance/script/test?platform=... - 前端 - 新增弹窗 AccountBalanceScriptModal，在账户管理页每个账户“余额/配额”下方有“配置余额脚本”按钮，支持填写 baseUrl/apiKey/token/extra/超时/自动间隔、编写脚本、测试、保存。 - 将余额脚本独立路由/标签移除。 - 格式/ lint 已通过（新组件及 AccountsView）。	2025-12-20 01:18:49 +08:00
atoz03	f6ed420401	feat(admin): 新增账户余额/配额查询与展示 - 新增 accountBalanceService 与多 Provider 适配（Claude/Claude Console/OpenAI Responses/通用） - Redis 增加余额查询结果与本地统计缓存读写 - 管理端新增 /admin/accounts/balance 相关接口与汇总接口，并在应用启动时注册 Provider - 后台前端新增余额组件与 Dashboard 余额/配额汇总、低余额/高使用提示 - 补充 accountBalanceService 单元测试	2025-12-20 01:15:33 +08:00
Guccbai	33ea26f2ac	feat(permissions): 服务权限从单选改为多选 - 将 API Key 的服务权限从单选改为多选，支持同时选择多个服务 - 移除"全部服务"选项，空数组表示允许访问全部服务 - 后端自动兼容旧格式（'all' -> [], 'claude' -> ['claude']） - 前端 radio 改为 checkbox，更新账户选择器联动逻辑修改文件： - apiKeyService.js: 添加 normalizePermissions/hasPermission 函数 - api.js, droidRoutes.js, openaiRoutes.js, unified.js, openaiGeminiRoutes.js, geminiHandlers.js: 使用新权限验证函数 - admin/apiKeys.js: 支持数组格式权限验证 - CreateApiKeyModal.vue, EditApiKeyModal.vue: UI 改为 checkbox 多选 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2025-12-17 11:35:11 +08:00
@@ -1 +1 @@
 .1.239
 .1.246