Merge branch 'router-for-me:main' into main

feat(antigravity): add FetchAntigravityProjectID function and integrate project ID retrieval
2026-03-11 08:15:14 +00:00 · 2025-12-06 01:33:34 +08:00 · 2025-12-06 01:32:12 +08:00 · 2025-12-06 01:12:43 +08:00 · 2025-12-06 01:11:37 +08:00 · 2025-12-06 00:43:02 +08:00
29 changed files with 1367 additions and 550 deletions
--- a/config.example.yaml
+++ b/config.example.yaml
@@ -55,141 +55,130 @@ quota-exceeded:
 # When true, enable authentication for the WebSocket API (/v1/ws).
 ws-auth: false

-# Amp CLI Integration
-# Configure upstream URL for Amp CLI OAuth and management features
-#amp-upstream-url: "https://ampcode.com"
-
-# Optional: Override API key for Amp upstream (otherwise uses env or file)
-#amp-upstream-api-key: ""
-
-# Restrict Amp management routes (/api/auth, /api/user, etc.) to localhost only (recommended)
-#amp-restrict-management-to-localhost: true
-
-# Amp Model Mappings
-# Route unavailable Amp models to alternative models available in your local proxy.
-# Useful when Amp CLI requests models you don't have access to (e.g., Claude Opus 4.5)
-# but you have a similar model available (e.g., Claude Sonnet 4).
-#amp-model-mappings:
-#  - from: "claude-opus-4.5"       # Model requested by Amp CLI
-#    to: "claude-sonnet-4"         # Route to this available model instead
-#  - from: "gpt-5"
-#    to: "gemini-2.5-pro"
-#  - from: "claude-3-opus-20240229"
-#    to: "claude-3-5-sonnet-20241022"
-
-# Gemini API keys (preferred)
-#gemini-api-key:
-#  - api-key: "AIzaSy...01"
-#    base-url: "https://generativelanguage.googleapis.com"
-#    headers:
-#      X-Custom-Header: "custom-value"
-#    proxy-url: "socks5://proxy.example.com:1080"
-#    excluded-models:
-#      - "gemini-2.5-pro"     # exclude specific models from this provider (exact match)
-#      - "gemini-2.5-*"       # wildcard matching prefix (e.g. gemini-2.5-flash, gemini-2.5-pro)
-#      - "*-preview"          # wildcard matching suffix (e.g. gemini-3-pro-preview)
-#      - "*flash*"            # wildcard matching substring (e.g. gemini-2.5-flash-lite)
-#  - api-key: "AIzaSy...02"
-
-# API keys for official Generative Language API (legacy compatibility)
-#generative-language-api-key:
-#  - "AIzaSy...01"
-#  - "AIzaSy...02"
+# Gemini API keys
+# gemini-api-key:
+#   - api-key: "AIzaSy...01"
+#     base-url: "https://generativelanguage.googleapis.com"
+#     headers:
+#       X-Custom-Header: "custom-value"
+#     proxy-url: "socks5://proxy.example.com:1080"
+#     excluded-models:
+#       - "gemini-2.5-pro"     # exclude specific models from this provider (exact match)
+#       - "gemini-2.5-*"       # wildcard matching prefix (e.g. gemini-2.5-flash, gemini-2.5-pro)
+#       - "*-preview"          # wildcard matching suffix (e.g. gemini-3-pro-preview)
+#       - "*flash*"            # wildcard matching substring (e.g. gemini-2.5-flash-lite)
+#   - api-key: "AIzaSy...02"

 # Codex API keys
-#codex-api-key:
-#  - api-key: "sk-atSM..."
-#    base-url: "https://www.example.com" # use the custom codex API endpoint
-#    headers:
-#      X-Custom-Header: "custom-value"
-#    proxy-url: "socks5://proxy.example.com:1080" # optional: per-key proxy override
-#    excluded-models:
-#      - "gpt-5.1"         # exclude specific models (exact match)
-#      - "gpt-5-*"         # wildcard matching prefix (e.g. gpt-5-medium, gpt-5-codex)
-#      - "*-mini"          # wildcard matching suffix (e.g. gpt-5-codex-mini)
-#      - "*codex*"         # wildcard matching substring (e.g. gpt-5-codex-low)
+# codex-api-key:
+#   - api-key: "sk-atSM..."
+#     base-url: "https://www.example.com" # use the custom codex API endpoint
+#     headers:
+#       X-Custom-Header: "custom-value"
+#     proxy-url: "socks5://proxy.example.com:1080" # optional: per-key proxy override
+#     excluded-models:
+#       - "gpt-5.1"         # exclude specific models (exact match)
+#       - "gpt-5-*"         # wildcard matching prefix (e.g. gpt-5-medium, gpt-5-codex)
+#       - "*-mini"          # wildcard matching suffix (e.g. gpt-5-codex-mini)
+#       - "*codex*"         # wildcard matching substring (e.g. gpt-5-codex-low)

 # Claude API keys
-#claude-api-key:
-#  - api-key: "sk-atSM..." # use the official claude API key, no need to set the base url
-#  - api-key: "sk-atSM..."
-#    base-url: "https://www.example.com" # use the custom claude API endpoint
-#    headers:
-#      X-Custom-Header: "custom-value"
-#    proxy-url: "socks5://proxy.example.com:1080" # optional: per-key proxy override
-#    models:
-#      - name: "claude-3-5-sonnet-20241022" # upstream model name
-#        alias: "claude-sonnet-latest" # client alias mapped to the upstream model
-#    excluded-models:
-#      - "claude-opus-4-5-20251101" # exclude specific models (exact match)
-#      - "claude-3-*"               # wildcard matching prefix (e.g. claude-3-7-sonnet-20250219)
-#      - "*-think"                  # wildcard matching suffix (e.g. claude-opus-4-5-thinking)
-#      - "*haiku*"                  # wildcard matching substring (e.g. claude-3-5-haiku-20241022)
+# claude-api-key:
+#   - api-key: "sk-atSM..." # use the official claude API key, no need to set the base url
+#   - api-key: "sk-atSM..."
+#     base-url: "https://www.example.com" # use the custom claude API endpoint
+#     headers:
+#       X-Custom-Header: "custom-value"
+#     proxy-url: "socks5://proxy.example.com:1080" # optional: per-key proxy override
+#     models:
+#       - name: "claude-3-5-sonnet-20241022" # upstream model name
+#         alias: "claude-sonnet-latest" # client alias mapped to the upstream model
+#     excluded-models:
+#       - "claude-opus-4-5-20251101" # exclude specific models (exact match)
+#       - "claude-3-*"               # wildcard matching prefix (e.g. claude-3-7-sonnet-20250219)
+#       - "*-think"                  # wildcard matching suffix (e.g. claude-opus-4-5-thinking)
+#       - "*haiku*"                  # wildcard matching substring (e.g. claude-3-5-haiku-20241022)

 # OpenAI compatibility providers
-#openai-compatibility:
-#  - name: "openrouter" # The name of the provider; it will be used in the user agent and other places.
-#    base-url: "https://openrouter.ai/api/v1" # The base URL of the provider.
-#    headers:
-#      X-Custom-Header: "custom-value"
-#    # New format with per-key proxy support (recommended):
-#    api-key-entries:
-#      - api-key: "sk-or-v1-...b780"
-#        proxy-url: "socks5://proxy.example.com:1080" # optional: per-key proxy override
-#      - api-key: "sk-or-v1-...b781" # without proxy-url
-#    # Legacy format (still supported, but cannot specify proxy per key):
-#    # api-keys:
-#    #   - "sk-or-v1-...b780"
-#    #   - "sk-or-v1-...b781"
-#    models: # The models supported by the provider.
-#      - name: "moonshotai/kimi-k2:free" # The actual model name.
-#        alias: "kimi-k2" # The alias used in the API.
+# openai-compatibility:
+#   - name: "openrouter" # The name of the provider; it will be used in the user agent and other places.
+#     base-url: "https://openrouter.ai/api/v1" # The base URL of the provider.
+#     headers:
+#       X-Custom-Header: "custom-value"
+#     api-key-entries:
+#       - api-key: "sk-or-v1-...b780"
+#         proxy-url: "socks5://proxy.example.com:1080" # optional: per-key proxy override
+#       - api-key: "sk-or-v1-...b781" # without proxy-url
+#     models: # The models supported by the provider.
+#       - name: "moonshotai/kimi-k2:free" # The actual model name.
+#         alias: "kimi-k2" # The alias used in the API.

 # Vertex API keys (Vertex-compatible endpoints, use API key + base URL)
-#vertex-api-key:
-#  - api-key: "vk-123..."                        # x-goog-api-key header
-#    base-url: "https://example.com/api"         # e.g. https://zenmux.ai/api
-#    proxy-url: "socks5://proxy.example.com:1080" # optional per-key proxy override
-#    headers:
-#      X-Custom-Header: "custom-value"
-#    models:                                     # optional: map aliases to upstream model names
-#      - name: "gemini-2.0-flash"                # upstream model name
-#        alias: "vertex-flash"                   # client-visible alias
-#      - name: "gemini-1.5-pro"
-#        alias: "vertex-pro"
+# vertex-api-key:
+#   - api-key: "vk-123..."                        # x-goog-api-key header
+#     base-url: "https://example.com/api"         # e.g. https://zenmux.ai/api
+#     proxy-url: "socks5://proxy.example.com:1080" # optional per-key proxy override
+#     headers:
+#       X-Custom-Header: "custom-value"
+#     models:                                     # optional: map aliases to upstream model names
+#       - name: "gemini-2.0-flash"                # upstream model name
+#         alias: "vertex-flash"                   # client-visible alias
+#       - name: "gemini-1.5-pro"
+#         alias: "vertex-pro"

-#payload: # Optional payload configuration
-#  default: # Default rules only set parameters when they are missing in the payload.
-#    - models:
-#        - name: "gemini-2.5-pro" # Supports wildcards (e.g., "gemini-*")
-#          protocol: "gemini" # restricts the rule to a specific protocol, options: openai, gemini, claude, codex
-#      params: # JSON path (gjson/sjson syntax) -> value
-#        "generationConfig.thinkingConfig.thinkingBudget": 32768
-#  override: # Override rules always set parameters, overwriting any existing values.
-#    - models:
-#        - name: "gpt-*" # Supports wildcards (e.g., "gpt-*")
-#          protocol: "codex" # restricts the rule to a specific protocol, options: openai, gemini, claude, codex
-#      params: # JSON path (gjson/sjson syntax) -> value
-#        "reasoning.effort": "high"
+# Amp Integration
+# ampcode:
+#   # Configure upstream URL for Amp CLI OAuth and management features
+#   upstream-url: "https://ampcode.com"
+#   # Optional: Override API key for Amp upstream (otherwise uses env or file)
+#   upstream-api-key: ""
+#   # Restrict Amp management routes (/api/auth, /api/user, etc.) to localhost only (recommended)
+#   restrict-management-to-localhost: true
+#   # Amp Model Mappings
+#   # Route unavailable Amp models to alternative models available in your local proxy.
+#   # Useful when Amp CLI requests models you don't have access to (e.g., Claude Opus 4.5)
+#   # but you have a similar model available (e.g., Claude Sonnet 4).
+#   model-mappings:
+#     - from: "claude-opus-4.5"       # Model requested by Amp CLI
+#       to: "claude-sonnet-4"         # Route to this available model instead
+#     - from: "gpt-5"
+#       to: "gemini-2.5-pro"
+#     - from: "claude-3-opus-20240229"
+#       to: "claude-3-5-sonnet-20241022"

 # OAuth provider excluded models
-#oauth-excluded-models:
-#  gemini-cli:
-#    - "gemini-2.5-pro"     # exclude specific models (exact match)
-#    - "gemini-2.5-*"       # wildcard matching prefix (e.g. gemini-2.5-flash, gemini-2.5-pro)
-#    - "*-preview"          # wildcard matching suffix (e.g. gemini-3-pro-preview)
-#    - "*flash*"            # wildcard matching substring (e.g. gemini-2.5-flash-lite)
-#  vertex:
-#    - "gemini-3-pro-preview"
-#  aistudio:
-#    - "gemini-3-pro-preview"
-#  antigravity:
-#    - "gemini-3-pro-preview"
-#  claude:
-#    - "claude-3-5-haiku-20241022"
-#  codex:
-#    - "gpt-5-codex-mini"
-#  qwen:
-#    - "vision-model"
-#  iflow:
-#    - "tstars2.0"
+# oauth-excluded-models:
+#   gemini-cli:
+#     - "gemini-2.5-pro"     # exclude specific models (exact match)
+#     - "gemini-2.5-*"       # wildcard matching prefix (e.g. gemini-2.5-flash, gemini-2.5-pro)
+#     - "*-preview"          # wildcard matching suffix (e.g. gemini-3-pro-preview)
+#     - "*flash*"            # wildcard matching substring (e.g. gemini-2.5-flash-lite)
+#   vertex:
+#     - "gemini-3-pro-preview"
+#   aistudio:
+#     - "gemini-3-pro-preview"
+#   antigravity:
+#     - "gemini-3-pro-preview"
+#   claude:
+#     - "claude-3-5-haiku-20241022"
+#   codex:
+#     - "gpt-5-codex-mini"
+#   qwen:
+#     - "vision-model"
+#   iflow:
+#     - "tstars2.0"
+
+# Optional payload configuration
+# payload:
+#   default: # Default rules only set parameters when they are missing in the payload.
+#     - models:
+#         - name: "gemini-2.5-pro" # Supports wildcards (e.g., "gemini-*")
+#           protocol: "gemini" # restricts the rule to a specific protocol, options: openai, gemini, claude, codex
+#       params: # JSON path (gjson/sjson syntax) -> value
+#         "generationConfig.thinkingConfig.thinkingBudget": 32768
+#   override: # Override rules always set parameters, overwriting any existing values.
+#     - models:
+#         - name: "gpt-*" # Supports wildcards (e.g., "gpt-*")
+#           protocol: "codex" # restricts the rule to a specific protocol, options: openai, gemini, claude, codex
+#       params: # JSON path (gjson/sjson syntax) -> value
+#         "reasoning.effort": "high"
--- a/internal/api/handlers/management/auth_files.go
+++ b/internal/api/handlers/management/auth_files.go
@@ -1472,6 +1472,17 @@ func (h *Handler) RequestAntigravityToken(c *gin.Context) {
 			}
 		}

+		projectID := ""
+		if strings.TrimSpace(tokenResp.AccessToken) != "" {
+			fetchedProjectID, errProject := sdkAuth.FetchAntigravityProjectID(ctx, tokenResp.AccessToken, httpClient)
+			if errProject != nil {
+				log.Warnf("antigravity: failed to fetch project ID: %v", errProject)
+			} else {
+				projectID = fetchedProjectID
+				log.Infof("antigravity: obtained project ID %s", projectID)
+			}
+		}
+
 		now := time.Now()
 		metadata := map[string]any{
 			"type":          "antigravity",
@@ -1484,6 +1495,9 @@ func (h *Handler) RequestAntigravityToken(c *gin.Context) {
 		if email != "" {
 			metadata["email"] = email
 		}
+		if projectID != "" {
+			metadata["project_id"] = projectID
+		}

 		fileName := sanitizeAntigravityFileName(email)
 		label := strings.TrimSpace(email)
@@ -1507,6 +1521,9 @@ func (h *Handler) RequestAntigravityToken(c *gin.Context) {

 		delete(oauthStatus, state)
 		fmt.Printf("Authentication successful! Token saved to %s\n", savedPath)
+		if projectID != "" {
+			fmt.Printf("Using GCP project: %s\n", projectID)
+		}
 		fmt.Println("You can now use Antigravity services through this CLI")
 	}()

--- a/internal/api/handlers/management/config_basic.go
+++ b/internal/api/handlers/management/config_basic.go
@@ -1,43 +1,95 @@
 package management

 import (
+	"encoding/json"
+	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"path/filepath"
+	"strings"
+	"time"

 	"github.com/gin-gonic/gin"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	sdkconfig "github.com/router-for-me/CLIProxyAPI/v6/sdk/config"
+	log "github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v3"
 )

+const (
+	latestReleaseURL       = "https://api.github.com/repos/router-for-me/CLIProxyAPIPlus/releases/latest"
+	latestReleaseUserAgent = "CLIProxyAPIPlus"
+)
+
 func (h *Handler) GetConfig(c *gin.Context) {
 	if h == nil || h.cfg == nil {
 		c.JSON(200, gin.H{})
 		return
 	}
 	cfgCopy := *h.cfg
-	cfgCopy.GlAPIKey = geminiKeyStringsFromConfig(h.cfg)
 	c.JSON(200, &cfgCopy)
 }

-func (h *Handler) GetConfigYAML(c *gin.Context) {
-	data, err := os.ReadFile(h.configFilePath)
+type releaseInfo struct {
+	TagName string `json:"tag_name"`
+	Name    string `json:"name"`
+}
+
+// GetLatestVersion returns the latest release version from GitHub without downloading assets.
+func (h *Handler) GetLatestVersion(c *gin.Context) {
+	client := &http.Client{Timeout: 10 * time.Second}
+	proxyURL := ""
+	if h != nil && h.cfg != nil {
+		proxyURL = strings.TrimSpace(h.cfg.ProxyURL)
+	}
+	if proxyURL != "" {
+		sdkCfg := &sdkconfig.SDKConfig{ProxyURL: proxyURL}
+		util.SetProxy(sdkCfg, client)
+	}
+
+	req, err := http.NewRequestWithContext(c.Request.Context(), http.MethodGet, latestReleaseURL, nil)
 	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "read_failed", "message": err.Error()})
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "request_create_failed", "message": err.Error()})
 		return
 	}
-	var node yaml.Node
-	if err = yaml.Unmarshal(data, &node); err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "parse_failed", "message": err.Error()})
+	req.Header.Set("Accept", "application/vnd.github+json")
+	req.Header.Set("User-Agent", latestReleaseUserAgent)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		c.JSON(http.StatusBadGateway, gin.H{"error": "request_failed", "message": err.Error()})
 		return
 	}
-	c.Header("Content-Type", "application/yaml; charset=utf-8")
-	c.Header("Vary", "format, Accept")
-	enc := yaml.NewEncoder(c.Writer)
-	enc.SetIndent(2)
-	_ = enc.Encode(&node)
-	_ = enc.Close()
+	defer func() {
+		if errClose := resp.Body.Close(); errClose != nil {
+			log.WithError(errClose).Debug("failed to close latest version response body")
+		}
+	}()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(io.LimitReader(resp.Body, 1024))
+		c.JSON(http.StatusBadGateway, gin.H{"error": "unexpected_status", "message": fmt.Sprintf("status %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))})
+		return
+	}
+
+	var info releaseInfo
+	if errDecode := json.NewDecoder(resp.Body).Decode(&info); errDecode != nil {
+		c.JSON(http.StatusBadGateway, gin.H{"error": "decode_failed", "message": errDecode.Error()})
+		return
+	}
+
+	version := strings.TrimSpace(info.TagName)
+	if version == "" {
+		version = strings.TrimSpace(info.Name)
+	}
+	if version == "" {
+		c.JSON(http.StatusBadGateway, gin.H{"error": "invalid_response", "message": "missing release version"})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"latest-version": version})
 }

 func WriteConfig(path string, data []byte) error {
@@ -111,9 +163,9 @@ func (h *Handler) PutConfigYAML(c *gin.Context) {
 	c.JSON(http.StatusOK, gin.H{"ok": true, "changed": []string{"config"}})
 }

-// GetConfigFile returns the raw config.yaml file bytes without re-encoding.
+// GetConfigYAML returns the raw config.yaml file bytes without re-encoding.
 // It preserves comments and original formatting/styles.
-func (h *Handler) GetConfigFile(c *gin.Context) {
+func (h *Handler) GetConfigYAML(c *gin.Context) {
 	data, err := os.ReadFile(h.configFilePath)
 	if err != nil {
 		if os.IsNotExist(err) {
--- a/internal/api/handlers/management/config_lists.go
+++ b/internal/api/handlers/management/config_lists.go
@@ -104,53 +104,6 @@ func (h *Handler) deleteFromStringList(c *gin.Context, target *[]string, after f
 	c.JSON(400, gin.H{"error": "missing index or value"})
 }

-func sanitizeStringSlice(in []string) []string {
-	out := make([]string, 0, len(in))
-	for i := range in {
-		if trimmed := strings.TrimSpace(in[i]); trimmed != "" {
-			out = append(out, trimmed)
-		}
-	}
-	return out
-}
-
-func geminiKeyStringsFromConfig(cfg *config.Config) []string {
-	if cfg == nil || len(cfg.GeminiKey) == 0 {
-		return nil
-	}
-	out := make([]string, 0, len(cfg.GeminiKey))
-	for i := range cfg.GeminiKey {
-		if key := strings.TrimSpace(cfg.GeminiKey[i].APIKey); key != "" {
-			out = append(out, key)
-		}
-	}
-	return out
-}
-
-func (h *Handler) applyLegacyKeys(keys []string) {
-	if h == nil || h.cfg == nil {
-		return
-	}
-	sanitized := sanitizeStringSlice(keys)
-	existing := make(map[string]config.GeminiKey, len(h.cfg.GeminiKey))
-	for _, entry := range h.cfg.GeminiKey {
-		if key := strings.TrimSpace(entry.APIKey); key != "" {
-			existing[key] = entry
-		}
-	}
-	newList := make([]config.GeminiKey, 0, len(sanitized))
-	for _, key := range sanitized {
-		if entry, ok := existing[key]; ok {
-			newList = append(newList, entry)
-		} else {
-			newList = append(newList, config.GeminiKey{APIKey: key})
-		}
-	}
-	h.cfg.GeminiKey = newList
-	h.cfg.GlAPIKey = sanitized
-	h.cfg.SanitizeGeminiKeys()
-}
-
 // api-keys
 func (h *Handler) GetAPIKeys(c *gin.Context) { c.JSON(200, gin.H{"api-keys": h.cfg.APIKeys}) }
 func (h *Handler) PutAPIKeys(c *gin.Context) {
@@ -166,24 +119,6 @@ func (h *Handler) DeleteAPIKeys(c *gin.Context) {
 	h.deleteFromStringList(c, &h.cfg.APIKeys, func() { h.cfg.Access.Providers = nil })
 }

-// generative-language-api-key
-func (h *Handler) GetGlKeys(c *gin.Context) {
-	c.JSON(200, gin.H{"generative-language-api-key": geminiKeyStringsFromConfig(h.cfg)})
-}
-func (h *Handler) PutGlKeys(c *gin.Context) {
-	h.putStringList(c, func(v []string) {
-		h.applyLegacyKeys(v)
-	}, nil)
-}
-func (h *Handler) PatchGlKeys(c *gin.Context) {
-	target := append([]string(nil), geminiKeyStringsFromConfig(h.cfg)...)
-	h.patchStringList(c, &target, func() { h.applyLegacyKeys(target) })
-}
-func (h *Handler) DeleteGlKeys(c *gin.Context) {
-	target := append([]string(nil), geminiKeyStringsFromConfig(h.cfg)...)
-	h.deleteFromStringList(c, &target, func() { h.applyLegacyKeys(target) })
-}
-
 // gemini-api-key: []GeminiKey
 func (h *Handler) GetGeminiKeys(c *gin.Context) {
 	c.JSON(200, gin.H{"gemini-api-key": h.cfg.GeminiKey})
@@ -409,15 +344,14 @@ func (h *Handler) PutOpenAICompat(c *gin.Context) {
 		}
 		arr = obj.Items
 	}
-	arr = migrateLegacyOpenAICompatibilityKeys(arr)
-	// Filter out providers with empty base-url -> remove provider entirely
 	filtered := make([]config.OpenAICompatibility, 0, len(arr))
 	for i := range arr {
+		normalizeOpenAICompatibilityEntry(&arr[i])
 		if strings.TrimSpace(arr[i].BaseURL) != "" {
 			filtered = append(filtered, arr[i])
 		}
 	}
-	h.cfg.OpenAICompatibility = migrateLegacyOpenAICompatibilityKeys(filtered)
+	h.cfg.OpenAICompatibility = filtered
 	h.cfg.SanitizeOpenAICompatibility()
 	h.persist(c)
 }
@@ -431,7 +365,6 @@ func (h *Handler) PatchOpenAICompat(c *gin.Context) {
 		c.JSON(400, gin.H{"error": "invalid body"})
 		return
 	}
-	h.cfg.OpenAICompatibility = migrateLegacyOpenAICompatibilityKeys(h.cfg.OpenAICompatibility)
 	normalizeOpenAICompatibilityEntry(body.Value)
 	// If base-url becomes empty, delete the provider instead of updating
 	if strings.TrimSpace(body.Value.BaseURL) == "" {
@@ -731,28 +664,6 @@ func normalizeOpenAICompatibilityEntry(entry *config.OpenAICompatibility) {
 			existing[trimmed] = struct{}{}
 		}
 	}
-	if len(entry.APIKeys) == 0 {
-		return
-	}
-	for _, legacyKey := range entry.APIKeys {
-		trimmed := strings.TrimSpace(legacyKey)
-		if trimmed == "" {
-			continue
-		}
-		if _, ok := existing[trimmed]; ok {
-			continue
-		}
-		entry.APIKeyEntries = append(entry.APIKeyEntries, config.OpenAICompatibilityAPIKey{APIKey: trimmed})
-		existing[trimmed] = struct{}{}
-	}
-	entry.APIKeys = nil
-}
-
-func migrateLegacyOpenAICompatibilityKeys(entries []config.OpenAICompatibility) []config.OpenAICompatibility {
-	for i := range entries {
-		normalizeOpenAICompatibilityEntry(&entries[i])
-	}
-	return entries
 }

 func normalizedOpenAICompatibilityEntries(entries []config.OpenAICompatibility) []config.OpenAICompatibility {
@@ -765,9 +676,6 @@ func normalizedOpenAICompatibilityEntries(entries []config.OpenAICompatibility)
 		if len(copyEntry.APIKeyEntries) > 0 {
 			copyEntry.APIKeyEntries = append([]config.OpenAICompatibilityAPIKey(nil), copyEntry.APIKeyEntries...)
 		}
-		if len(copyEntry.APIKeys) > 0 {
-			copyEntry.APIKeys = append([]string(nil), copyEntry.APIKeys...)
-		}
 		normalizeOpenAICompatibilityEntry(&copyEntry)
 		out[i] = copyEntry
 	}
--- a/internal/api/middleware/request_logging.go
+++ b/internal/api/middleware/request_logging.go
@@ -112,5 +112,10 @@ func shouldLogRequest(path string) bool {
 	if strings.HasPrefix(path, "/v0/management") || strings.HasPrefix(path, "/management") {
 		return false
 	}
+
+	if strings.HasPrefix(path, "/api") {
+		return strings.HasPrefix(path, "/api/provider")
+	}
+
 	return true
 }
--- a/internal/api/modules/amp/amp.go
+++ b/internal/api/modules/amp/amp.go
@@ -27,11 +27,20 @@ type Option func(*AmpModule)
 type AmpModule struct {
 	secretSource    SecretSource
 	proxy           *httputil.ReverseProxy
+	proxyMu         sync.RWMutex // protects proxy for hot-reload
 	accessManager   *sdkaccess.Manager
 	authMiddleware_ gin.HandlerFunc
 	modelMapper     *DefaultModelMapper
 	enabled         bool
 	registerOnce    sync.Once
+
+	// restrictToLocalhost controls localhost-only access for management routes (hot-reloadable)
+	restrictToLocalhost bool
+	restrictMu          sync.RWMutex
+
+	// configMu protects lastConfig for partial reload comparison
+	configMu   sync.RWMutex
+	lastConfig *config.AmpCode
 }

 // New creates a new Amp routing module with the given options.
@@ -95,7 +104,8 @@ func (m *AmpModule) Name() string {
 // This implements the RouteModuleV2 interface with Context.
 // Routes are registered only once via sync.Once for idempotent behavior.
 func (m *AmpModule) Register(ctx modules.Context) error {
-	upstreamURL := strings.TrimSpace(ctx.Config.AmpUpstreamURL)
+	settings := ctx.Config.AmpCode
+	upstreamURL := strings.TrimSpace(settings.UpstreamURL)

 	// Determine auth middleware (from module or context)
 	auth := m.getAuthMiddleware(ctx)
@@ -104,42 +114,35 @@ func (m *AmpModule) Register(ctx modules.Context) error {
 	var regErr error
 	m.registerOnce.Do(func() {
 		// Initialize model mapper from config (for routing unavailable models to alternatives)
-		m.modelMapper = NewModelMapper(ctx.Config.AmpModelMappings)
+		m.modelMapper = NewModelMapper(settings.ModelMappings)
+
+		// Store initial config for partial reload comparison
+		settingsCopy := settings
+		m.lastConfig = &settingsCopy
+
+		// Initialize localhost restriction setting (hot-reloadable)
+		m.setRestrictToLocalhost(settings.RestrictManagementToLocalhost)

 		// Always register provider aliases - these work without an upstream
 		m.registerProviderAliases(ctx.Engine, ctx.BaseHandler, auth)

+		// Register management proxy routes once; middleware will gate access when upstream is unavailable.
+		m.registerManagementRoutes(ctx.Engine, ctx.BaseHandler)
+
 		// If no upstream URL, skip proxy routes but provider aliases are still available
 		if upstreamURL == "" {
-			log.Debug("Amp upstream proxy disabled (no upstream URL configured)")
-			log.Debug("Amp provider alias routes registered")
+			log.Debug("amp upstream proxy disabled (no upstream URL configured)")
+			log.Debug("amp provider alias routes registered")
 			m.enabled = false
 			return
 		}

-		// Create secret source with precedence: config > env > file
-		// Cache secrets for 5 minutes to reduce file I/O
-		if m.secretSource == nil {
-			m.secretSource = NewMultiSourceSecret(ctx.Config.AmpUpstreamAPIKey, 0 /* default 5min */)
-		}
-
-		// Create reverse proxy with gzip handling via ModifyResponse
-		proxy, err := createReverseProxy(upstreamURL, m.secretSource)
-		if err != nil {
+		if err := m.enableUpstreamProxy(upstreamURL, &settings); err != nil {
 			regErr = fmt.Errorf("failed to create amp proxy: %w", err)
 			return
 		}

-		m.proxy = proxy
-		m.enabled = true
-
-		// Register management proxy routes (requires upstream)
-		// Restrict to localhost by default for security (prevents drive-by browser attacks)
-		handler := proxyHandler(proxy)
-		m.registerManagementRoutes(ctx.Engine, ctx.BaseHandler, handler, ctx.Config.AmpRestrictManagementToLocalhost)
-
-		log.Infof("Amp upstream proxy enabled for: %s", upstreamURL)
-		log.Debug("Amp provider alias routes registered")
+		log.Debug("amp provider alias routes registered")
 	})

 	return regErr
@@ -155,47 +158,175 @@ func (m *AmpModule) getAuthMiddleware(ctx modules.Context) gin.HandlerFunc {
 		return ctx.AuthMiddleware
 	}
 	// Fallback: no authentication (should not happen in production)
-	log.Warn("Amp module: no auth middleware provided, allowing all requests")
+	log.Warn("amp module: no auth middleware provided, allowing all requests")
 	return func(c *gin.Context) {
 		c.Next()
 	}
 }

-// OnConfigUpdated handles configuration updates.
-// Currently requires restart for URL changes (could be enhanced for dynamic updates).
+// OnConfigUpdated handles configuration updates with partial reload support.
+// Only updates components that have actually changed to avoid unnecessary work.
+// Supports hot-reload for: model-mappings, upstream-api-key, upstream-url, restrict-management-to-localhost.
 func (m *AmpModule) OnConfigUpdated(cfg *config.Config) error {
-	// Update model mappings (hot-reload supported)
-	if m.modelMapper != nil {
-		log.Infof("amp config updated: reloading %d model mapping(s)", len(cfg.AmpModelMappings))
-		m.modelMapper.UpdateMappings(cfg.AmpModelMappings)
-	} else {
-		log.Warnf("amp model mapper not initialized, skipping model mapping update")
-	}
+	newSettings := cfg.AmpCode

-	if !m.enabled {
-		log.Debug("Amp routing not enabled, skipping other config updates")
-		return nil
-	}
+	// Get previous config for comparison
+	m.configMu.RLock()
+	oldSettings := m.lastConfig
+	m.configMu.RUnlock()

-	upstreamURL := strings.TrimSpace(cfg.AmpUpstreamURL)
-	if upstreamURL == "" {
-		log.Warn("Amp upstream URL removed from config, restart required to disable")
-		return nil
-	}
-
-	// If API key changed, invalidate the cache
-	if m.secretSource != nil {
-		if ms, ok := m.secretSource.(*MultiSourceSecret); ok {
-			ms.InvalidateCache()
-			log.Debug("Amp secret cache invalidated due to config update")
+	if oldSettings != nil && oldSettings.RestrictManagementToLocalhost != newSettings.RestrictManagementToLocalhost {
+		m.setRestrictToLocalhost(newSettings.RestrictManagementToLocalhost)
+		if !newSettings.RestrictManagementToLocalhost {
+			log.Warnf("amp management routes now accessible from any IP - this is insecure!")
 		}
 	}

-	log.Debug("Amp config updated (restart required for URL changes)")
+	newUpstreamURL := strings.TrimSpace(newSettings.UpstreamURL)
+	oldUpstreamURL := ""
+	if oldSettings != nil {
+		oldUpstreamURL = strings.TrimSpace(oldSettings.UpstreamURL)
+	}
+
+	if !m.enabled && newUpstreamURL != "" {
+		if err := m.enableUpstreamProxy(newUpstreamURL, &newSettings); err != nil {
+			log.Errorf("amp config: failed to enable upstream proxy for %s: %v", newUpstreamURL, err)
+		}
+	}
+
+	// Check model mappings change
+	modelMappingsChanged := m.hasModelMappingsChanged(oldSettings, &newSettings)
+	if modelMappingsChanged {
+		if m.modelMapper != nil {
+			m.modelMapper.UpdateMappings(newSettings.ModelMappings)
+		} else if m.enabled {
+			log.Warnf("amp model mapper not initialized, skipping model mapping update")
+		}
+	}
+
+	if m.enabled {
+		// Check upstream URL change - now supports hot-reload
+		if newUpstreamURL == "" && oldUpstreamURL != "" {
+			m.setProxy(nil)
+			m.enabled = false
+		} else if oldUpstreamURL != "" && newUpstreamURL != oldUpstreamURL && newUpstreamURL != "" {
+			// Recreate proxy with new URL
+			proxy, err := createReverseProxy(newUpstreamURL, m.secretSource)
+			if err != nil {
+				log.Errorf("amp config: failed to create proxy for new upstream URL %s: %v", newUpstreamURL, err)
+			} else {
+				m.setProxy(proxy)
+			}
+		}
+
+		// Check API key change
+		apiKeyChanged := m.hasAPIKeyChanged(oldSettings, &newSettings)
+		if apiKeyChanged {
+			if m.secretSource != nil {
+				if ms, ok := m.secretSource.(*MultiSourceSecret); ok {
+					ms.UpdateExplicitKey(newSettings.UpstreamAPIKey)
+					ms.InvalidateCache()
+				}
+			}
+		}
+
+	}
+
+	// Store current config for next comparison
+	m.configMu.Lock()
+	settingsCopy := newSettings // copy struct
+	m.lastConfig = &settingsCopy
+	m.configMu.Unlock()
+
 	return nil
 }

+func (m *AmpModule) enableUpstreamProxy(upstreamURL string, settings *config.AmpCode) error {
+	if m.secretSource == nil {
+		m.secretSource = NewMultiSourceSecret(settings.UpstreamAPIKey, 0 /* default 5min */)
+	} else if ms, ok := m.secretSource.(*MultiSourceSecret); ok {
+		ms.UpdateExplicitKey(settings.UpstreamAPIKey)
+		ms.InvalidateCache()
+	}
+
+	proxy, err := createReverseProxy(upstreamURL, m.secretSource)
+	if err != nil {
+		return err
+	}
+
+	m.setProxy(proxy)
+	m.enabled = true
+
+	log.Infof("amp upstream proxy enabled for: %s", upstreamURL)
+	return nil
+}
+
+// hasModelMappingsChanged compares old and new model mappings.
+func (m *AmpModule) hasModelMappingsChanged(old *config.AmpCode, new *config.AmpCode) bool {
+	if old == nil {
+		return len(new.ModelMappings) > 0
+	}
+
+	if len(old.ModelMappings) != len(new.ModelMappings) {
+		return true
+	}
+
+	// Build map for efficient comparison
+	oldMap := make(map[string]string, len(old.ModelMappings))
+	for _, mapping := range old.ModelMappings {
+		oldMap[strings.TrimSpace(mapping.From)] = strings.TrimSpace(mapping.To)
+	}
+
+	for _, mapping := range new.ModelMappings {
+		from := strings.TrimSpace(mapping.From)
+		to := strings.TrimSpace(mapping.To)
+		if oldTo, exists := oldMap[from]; !exists || oldTo != to {
+			return true
+		}
+	}
+
+	return false
+}
+
+// hasAPIKeyChanged compares old and new API keys.
+func (m *AmpModule) hasAPIKeyChanged(old *config.AmpCode, new *config.AmpCode) bool {
+	oldKey := ""
+	if old != nil {
+		oldKey = strings.TrimSpace(old.UpstreamAPIKey)
+	}
+	newKey := strings.TrimSpace(new.UpstreamAPIKey)
+	return oldKey != newKey
+}
+
 // GetModelMapper returns the model mapper instance (for testing/debugging).
 func (m *AmpModule) GetModelMapper() *DefaultModelMapper {
 	return m.modelMapper
 }
+
+// getProxy returns the current proxy instance (thread-safe for hot-reload).
+func (m *AmpModule) getProxy() *httputil.ReverseProxy {
+	m.proxyMu.RLock()
+	defer m.proxyMu.RUnlock()
+	return m.proxy
+}
+
+// setProxy updates the proxy instance (thread-safe for hot-reload).
+func (m *AmpModule) setProxy(proxy *httputil.ReverseProxy) {
+	m.proxyMu.Lock()
+	defer m.proxyMu.Unlock()
+	m.proxy = proxy
+}
+
+// IsRestrictedToLocalhost returns whether management routes are restricted to localhost.
+func (m *AmpModule) IsRestrictedToLocalhost() bool {
+	m.restrictMu.RLock()
+	defer m.restrictMu.RUnlock()
+	return m.restrictToLocalhost
+}
+
+// setRestrictToLocalhost updates the localhost restriction setting.
+func (m *AmpModule) setRestrictToLocalhost(restrict bool) {
+	m.restrictMu.Lock()
+	defer m.restrictMu.Unlock()
+	m.restrictToLocalhost = restrict
+}
--- a/internal/api/modules/amp/amp_test.go
+++ b/internal/api/modules/amp/amp_test.go
@@ -56,8 +56,10 @@ func TestAmpModule_Register_WithUpstream(t *testing.T) {
 	m := NewLegacy(accessManager, func(c *gin.Context) { c.Next() })

 	cfg := &config.Config{
-		AmpUpstreamURL:    upstream.URL,
-		AmpUpstreamAPIKey: "test-key",
+		AmpCode: config.AmpCode{
+			UpstreamURL:    upstream.URL,
+			UpstreamAPIKey: "test-key",
+		},
 	}

 	ctx := modules.Context{Engine: r, BaseHandler: base, Config: cfg, AuthMiddleware: func(c *gin.Context) { c.Next() }}
@@ -86,7 +88,9 @@ func TestAmpModule_Register_WithoutUpstream(t *testing.T) {
 	m := NewLegacy(accessManager, func(c *gin.Context) { c.Next() })

 	cfg := &config.Config{
-		AmpUpstreamURL: "", // No upstream
+		AmpCode: config.AmpCode{
+			UpstreamURL: "", // No upstream
+		},
 	}

 	ctx := modules.Context{Engine: r, BaseHandler: base, Config: cfg, AuthMiddleware: func(c *gin.Context) { c.Next() }}
@@ -121,7 +125,9 @@ func TestAmpModule_Register_InvalidUpstream(t *testing.T) {
 	m := NewLegacy(accessManager, func(c *gin.Context) { c.Next() })

 	cfg := &config.Config{
-		AmpUpstreamURL: "://invalid-url",
+		AmpCode: config.AmpCode{
+			UpstreamURL: "://invalid-url",
+		},
 	}

 	ctx := modules.Context{Engine: r, BaseHandler: base, Config: cfg, AuthMiddleware: func(c *gin.Context) { c.Next() }}
@@ -151,7 +157,7 @@ func TestAmpModule_OnConfigUpdated_CacheInvalidation(t *testing.T) {
 	}

 	// Update config - should invalidate cache
-	if err := m.OnConfigUpdated(&config.Config{AmpUpstreamURL: "http://x"}); err != nil {
+	if err := m.OnConfigUpdated(&config.Config{AmpCode: config.AmpCode{UpstreamURL: "http://x"}}); err != nil {
 		t.Fatal(err)
 	}

@@ -175,7 +181,7 @@ func TestAmpModule_OnConfigUpdated_URLRemoved(t *testing.T) {
 	m.secretSource = ms

 	// Config update with empty URL - should log warning but not error
-	cfg := &config.Config{AmpUpstreamURL: ""}
+	cfg := &config.Config{AmpCode: config.AmpCode{UpstreamURL: ""}}

 	if err := m.OnConfigUpdated(cfg); err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -187,7 +193,7 @@ func TestAmpModule_OnConfigUpdated_NonMultiSourceSecret(t *testing.T) {
 	m := &AmpModule{enabled: true}
 	m.secretSource = NewStaticSecretSource("static-key")

-	cfg := &config.Config{AmpUpstreamURL: "http://example.com"}
+	cfg := &config.Config{AmpCode: config.AmpCode{UpstreamURL: "http://example.com"}}

 	// Should not error or panic
 	if err := m.OnConfigUpdated(cfg); err != nil {
@@ -240,8 +246,10 @@ func TestAmpModule_SecretSource_FromConfig(t *testing.T) {

 	// Config with explicit API key
 	cfg := &config.Config{
-		AmpUpstreamURL:    upstream.URL,
-		AmpUpstreamAPIKey: "config-key",
+		AmpCode: config.AmpCode{
+			UpstreamURL:    upstream.URL,
+			UpstreamAPIKey: "config-key",
+		},
 	}

 	ctx := modules.Context{Engine: r, BaseHandler: base, Config: cfg, AuthMiddleware: func(c *gin.Context) { c.Next() }}
@@ -283,7 +291,7 @@ func TestAmpModule_ProviderAliasesAlwaysRegistered(t *testing.T) {

 			m := NewLegacy(accessManager, func(c *gin.Context) { c.Next() })

-			cfg := &config.Config{AmpUpstreamURL: scenario.configURL}
+			cfg := &config.Config{AmpCode: config.AmpCode{UpstreamURL: scenario.configURL}}

 			ctx := modules.Context{Engine: r, BaseHandler: base, Config: cfg, AuthMiddleware: func(c *gin.Context) { c.Next() }}
 			if err := m.Register(ctx); err != nil && scenario.configURL != "" {
--- a/internal/api/modules/amp/fallback_handlers.go
+++ b/internal/api/modules/amp/fallback_handlers.go
@@ -48,25 +48,25 @@ func logAmpRouting(routeType AmpRouteType, requestedModel, resolvedModel, provid
 	case RouteTypeLocalProvider:
 		fields["cost"] = "free"
 		fields["source"] = "local_oauth"
-		log.WithFields(fields).Infof("[AMP] Using local provider for model: %s", requestedModel)
+		log.WithFields(fields).Debugf("amp using local provider for model: %s", requestedModel)

 	case RouteTypeModelMapping:
 		fields["cost"] = "free"
 		fields["source"] = "local_oauth"
 		fields["mapping"] = requestedModel + " -> " + resolvedModel
-		log.WithFields(fields).Infof("[AMP] Model mapped: %s -> %s", requestedModel, resolvedModel)
+		// model mapping already logged in mapper; avoid duplicate here

 	case RouteTypeAmpCredits:
 		fields["cost"] = "amp_credits"
 		fields["source"] = "ampcode.com"
 		fields["model_id"] = requestedModel // Explicit model_id for easy config reference
-		log.WithFields(fields).Warnf("[AMP] Forwarding to ampcode.com (uses Amp credits) - model_id: %s | To use local proxy, add to config: amp-model-mappings: [{from: \"%s\", to: \"<your-local-model>\"}]", requestedModel, requestedModel)
+		log.WithFields(fields).Warnf("forwarding to ampcode.com (uses amp credits) - model_id: %s | To use local proxy, add to config: amp-model-mappings: [{from: \"%s\", to: \"<your-local-model>\"}]", requestedModel, requestedModel)

 	case RouteTypeNoProvider:
 		fields["cost"] = "none"
 		fields["source"] = "error"
 		fields["model_id"] = requestedModel // Explicit model_id for easy config reference
-		log.WithFields(fields).Warnf("[AMP] No provider available for model_id: %s", requestedModel)
+		log.WithFields(fields).Warnf("no provider available for model_id: %s", requestedModel)
 	}
 }

--- a/internal/api/modules/amp/model_mapping_test.go
+++ b/internal/api/modules/amp/model_mapping_test.go
@@ -152,9 +152,9 @@ func TestModelMapper_UpdateMappings_SkipsInvalid(t *testing.T) {
 	mapper := NewModelMapper(nil)

 	mapper.UpdateMappings([]config.AmpModelMapping{
-		{From: "", To: "model-b"},      // Invalid: empty from
-		{From: "model-a", To: ""},      // Invalid: empty to
-		{From: "  ", To: "model-b"},    // Invalid: whitespace from
+		{From: "", To: "model-b"},        // Invalid: empty from
+		{From: "model-a", To: ""},        // Invalid: empty to
+		{From: "  ", To: "model-b"},      // Invalid: whitespace from
 		{From: "model-c", To: "model-d"}, // Valid
 	})

--- a/internal/api/modules/amp/routes.go
+++ b/internal/api/modules/amp/routes.go
@@ -1,11 +1,14 @@
 package amp

 import (
+	"errors"
 	"net"
+	"net/http"
 	"net/http/httputil"
 	"strings"

 	"github.com/gin-gonic/gin"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/logging"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers"
 	"github.com/router-for-me/CLIProxyAPI/v6/sdk/api/handlers/claude"
@@ -14,15 +17,16 @@ import (
 	log "github.com/sirupsen/logrus"
 )

-// localhostOnlyMiddleware restricts access to localhost (127.0.0.1, ::1) only.
-// Returns 403 Forbidden for non-localhost clients.
-//
-// Security: Uses RemoteAddr (actual TCP connection) instead of ClientIP() to prevent
-// header spoofing attacks via X-Forwarded-For or similar headers. This means the
-// middleware will not work correctly behind reverse proxies - users deploying behind
-// nginx/Cloudflare should disable this feature and use firewall rules instead.
-func localhostOnlyMiddleware() gin.HandlerFunc {
+// localhostOnlyMiddleware returns a middleware that dynamically checks the module's
+// localhost restriction setting. This allows hot-reload of the restriction without restarting.
+func (m *AmpModule) localhostOnlyMiddleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
+		// Check current setting (hot-reloadable)
+		if !m.IsRestrictedToLocalhost() {
+			c.Next()
+			return
+		}
+
 		// Use actual TCP connection address (RemoteAddr) to prevent header spoofing
 		// This cannot be forged by X-Forwarded-For or other client-controlled headers
 		remoteAddr := c.Request.RemoteAddr
@@ -37,7 +41,7 @@ func localhostOnlyMiddleware() gin.HandlerFunc {
 		// Parse the IP to handle both IPv4 and IPv6
 		ip := net.ParseIP(host)
 		if ip == nil {
-			log.Warnf("Amp management: invalid RemoteAddr %s, denying access", remoteAddr)
+			log.Warnf("amp management: invalid RemoteAddr %s, denying access", remoteAddr)
 			c.AbortWithStatusJSON(403, gin.H{
 				"error": "Access denied: management routes restricted to localhost",
 			})
@@ -46,7 +50,7 @@ func localhostOnlyMiddleware() gin.HandlerFunc {

 		// Check if IP is loopback (127.0.0.1 or ::1)
 		if !ip.IsLoopback() {
-			log.Warnf("Amp management: non-localhost connection from %s attempted access, denying", remoteAddr)
+			log.Warnf("amp management: non-localhost connection from %s attempted access, denying", remoteAddr)
 			c.AbortWithStatusJSON(403, gin.H{
 				"error": "Access denied: management routes restricted to localhost",
 			})
@@ -77,21 +81,56 @@ func noCORSMiddleware() gin.HandlerFunc {
 	}
 }

+// managementAvailabilityMiddleware short-circuits management routes when the upstream
+// proxy is disabled, preventing noisy localhost warnings and accidental exposure.
+func (m *AmpModule) managementAvailabilityMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		if m.getProxy() == nil {
+			logging.SkipGinRequestLogging(c)
+			c.AbortWithStatusJSON(http.StatusServiceUnavailable, gin.H{
+				"error": "amp upstream proxy not available",
+			})
+			return
+		}
+		c.Next()
+	}
+}
+
 // registerManagementRoutes registers Amp management proxy routes
 // These routes proxy through to the Amp control plane for OAuth, user management, etc.
-// If restrictToLocalhost is true, routes will only accept connections from 127.0.0.1/::1.
-func (m *AmpModule) registerManagementRoutes(engine *gin.Engine, baseHandler *handlers.BaseAPIHandler, proxyHandler gin.HandlerFunc, restrictToLocalhost bool) {
+// Uses dynamic middleware and proxy getter for hot-reload support.
+func (m *AmpModule) registerManagementRoutes(engine *gin.Engine, baseHandler *handlers.BaseAPIHandler) {
 	ampAPI := engine.Group("/api")

 	// Always disable CORS for management routes to prevent browser-based attacks
-	ampAPI.Use(noCORSMiddleware())
+	ampAPI.Use(m.managementAvailabilityMiddleware(), noCORSMiddleware())

-	// Apply localhost-only restriction if configured
-	if restrictToLocalhost {
-		ampAPI.Use(localhostOnlyMiddleware())
-		log.Info("Amp management routes restricted to localhost only (CORS disabled)")
-	} else {
-		log.Warn("⚠️  Amp management routes are NOT restricted to localhost - this is insecure!")
+	// Apply dynamic localhost-only restriction (hot-reloadable via m.IsRestrictedToLocalhost())
+	ampAPI.Use(m.localhostOnlyMiddleware())
+
+	if !m.IsRestrictedToLocalhost() {
+		log.Warn("amp management routes are NOT restricted to localhost - this is insecure!")
+	}
+
+	// Dynamic proxy handler that uses m.getProxy() for hot-reload support
+	proxyHandler := func(c *gin.Context) {
+		// Swallow ErrAbortHandler panics from ReverseProxy copyResponse to avoid noisy stack traces
+		defer func() {
+			if rec := recover(); rec != nil {
+				if err, ok := rec.(error); ok && errors.Is(err, http.ErrAbortHandler) {
+					// Upstream already wrote the status (often 404) before the client/stream ended.
+					return
+				}
+				panic(rec)
+			}
+		}()
+
+		proxy := m.getProxy()
+		if proxy == nil {
+			c.JSON(503, gin.H{"error": "amp upstream proxy not available"})
+			return
+		}
+		proxy.ServeHTTP(c.Writer, c.Request)
 	}

 	// Management routes - these are proxied directly to Amp upstream
@@ -110,15 +149,21 @@ func (m *AmpModule) registerManagementRoutes(engine *gin.Engine, baseHandler *ha
 	ampAPI.Any("/threads/*path", proxyHandler)
 	ampAPI.Any("/otel", proxyHandler)
 	ampAPI.Any("/otel/*path", proxyHandler)
+	ampAPI.Any("/tab", proxyHandler)
+	ampAPI.Any("/tab/*path", proxyHandler)

 	// Root-level routes that AMP CLI expects without /api prefix
-	// These need the same security middleware as the /api/* routes
-	rootMiddleware := []gin.HandlerFunc{noCORSMiddleware()}
-	if restrictToLocalhost {
-		rootMiddleware = append(rootMiddleware, localhostOnlyMiddleware())
-	}
+	// These need the same security middleware as the /api/* routes (dynamic for hot-reload)
+	rootMiddleware := []gin.HandlerFunc{m.managementAvailabilityMiddleware(), noCORSMiddleware(), m.localhostOnlyMiddleware()}
+	engine.GET("/threads/*path", append(rootMiddleware, proxyHandler)...)
 	engine.GET("/threads.rss", append(rootMiddleware, proxyHandler)...)

+	// Root-level auth routes for CLI login flow
+	// Amp uses multiple auth routes: /auth/cli-login, /auth/callback, /auth/sign-in, /auth/logout
+	// We proxy all /auth/* to support the complete OAuth flow
+	engine.Any("/auth", append(rootMiddleware, proxyHandler)...)
+	engine.Any("/auth/*path", append(rootMiddleware, proxyHandler)...)
+
 	// Google v1beta1 passthrough with OAuth fallback
 	// AMP CLI uses non-standard paths like /publishers/google/models/...
 	// We bridge these to our standard Gemini handler to enable local OAuth.
@@ -126,7 +171,7 @@ func (m *AmpModule) registerManagementRoutes(engine *gin.Engine, baseHandler *ha
 	geminiHandlers := gemini.NewGeminiAPIHandler(baseHandler)
 	geminiBridge := createGeminiBridgeHandler(geminiHandlers)
 	geminiV1Beta1Fallback := NewFallbackHandler(func() *httputil.ReverseProxy {
-		return m.proxy
+		return m.getProxy()
 	})
 	geminiV1Beta1Handler := geminiV1Beta1Fallback.WrapHandler(geminiBridge)

@@ -169,10 +214,10 @@ func (m *AmpModule) registerProviderAliases(engine *gin.Engine, baseHandler *han
 	openaiResponsesHandlers := openai.NewOpenAIResponsesAPIHandler(baseHandler)

 	// Create fallback handler wrapper that forwards to ampcode.com when provider not found
-	// Uses lazy evaluation to access proxy (which is created after routes are registered)
+	// Uses m.getProxy() for hot-reload support (proxy can be updated at runtime)
 	// Also includes model mapping support for routing unavailable models to alternatives
 	fallbackHandler := NewFallbackHandlerWithMapper(func() *httputil.ReverseProxy {
-		return m.proxy
+		return m.getProxy()
 	}, m.modelMapper)

 	// Provider-specific routes under /api/provider/:provider
--- a/internal/api/modules/amp/routes_test.go
+++ b/internal/api/modules/amp/routes_test.go
@@ -13,16 +13,26 @@ func TestRegisterManagementRoutes(t *testing.T) {
 	gin.SetMode(gin.TestMode)
 	r := gin.New()

-	// Spy to track if proxy handler was called
-	proxyCalled := false
-	proxyHandler := func(c *gin.Context) {
-		proxyCalled = true
-		c.String(200, "proxied")
+	// Create module with proxy for testing
+	m := &AmpModule{
+		restrictToLocalhost: false, // disable localhost restriction for tests
 	}

-	m := &AmpModule{}
+	// Create a mock proxy that tracks calls
+	proxyCalled := false
+	mockProxy := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		proxyCalled = true
+		w.WriteHeader(200)
+		w.Write([]byte("proxied"))
+	}))
+	defer mockProxy.Close()
+
+	// Create real proxy to mock server
+	proxy, _ := createReverseProxy(mockProxy.URL, NewStaticSecretSource(""))
+	m.setProxy(proxy)
+
 	base := &handlers.BaseAPIHandler{}
-	m.registerManagementRoutes(r, base, proxyHandler, false) // false = don't restrict to localhost in tests
+	m.registerManagementRoutes(r, base)

 	managementPaths := []struct {
 		path   string
@@ -37,8 +47,14 @@ func TestRegisterManagementRoutes(t *testing.T) {
 		{"/api/meta", http.MethodGet},
 		{"/api/telemetry", http.MethodGet},
 		{"/api/threads", http.MethodGet},
+		{"/threads/", http.MethodGet},
 		{"/threads.rss", http.MethodGet}, // Root-level route (no /api prefix)
 		{"/api/otel", http.MethodGet},
+		{"/api/tab", http.MethodGet},
+		{"/api/tab/some/path", http.MethodGet},
+		{"/auth", http.MethodGet},           // Root-level auth route
+		{"/auth/cli-login", http.MethodGet}, // CLI login flow
+		{"/auth/callback", http.MethodGet},  // OAuth callback
 		// Google v1beta1 bridge should still proxy non-model requests (GET) and allow POST
 		{"/api/provider/google/v1beta1/models", http.MethodGet},
 		{"/api/provider/google/v1beta1/models", http.MethodPost},
@@ -226,8 +242,13 @@ func TestLocalhostOnlyMiddleware_PreventsSpoofing(t *testing.T) {
 	gin.SetMode(gin.TestMode)
 	r := gin.New()

-	// Apply localhost-only middleware
-	r.Use(localhostOnlyMiddleware())
+	// Create module with localhost restriction enabled
+	m := &AmpModule{
+		restrictToLocalhost: true,
+	}
+
+	// Apply dynamic localhost-only middleware
+	r.Use(m.localhostOnlyMiddleware())
 	r.GET("/test", func(c *gin.Context) {
 		c.String(http.StatusOK, "ok")
 	})
@@ -300,3 +321,53 @@ func TestLocalhostOnlyMiddleware_PreventsSpoofing(t *testing.T) {
 		})
 	}
 }
+
+func TestLocalhostOnlyMiddleware_HotReload(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	r := gin.New()
+
+	// Create module with localhost restriction initially enabled
+	m := &AmpModule{
+		restrictToLocalhost: true,
+	}
+
+	// Apply dynamic localhost-only middleware
+	r.Use(m.localhostOnlyMiddleware())
+	r.GET("/test", func(c *gin.Context) {
+		c.String(http.StatusOK, "ok")
+	})
+
+	// Test 1: Remote IP should be blocked when restriction is enabled
+	req := httptest.NewRequest(http.MethodGet, "/test", nil)
+	req.RemoteAddr = "192.168.1.100:12345"
+	w := httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("Expected 403 when restriction enabled, got %d", w.Code)
+	}
+
+	// Test 2: Hot-reload - disable restriction
+	m.setRestrictToLocalhost(false)
+
+	req = httptest.NewRequest(http.MethodGet, "/test", nil)
+	req.RemoteAddr = "192.168.1.100:12345"
+	w = httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("Expected 200 after disabling restriction, got %d", w.Code)
+	}
+
+	// Test 3: Hot-reload - re-enable restriction
+	m.setRestrictToLocalhost(true)
+
+	req = httptest.NewRequest(http.MethodGet, "/test", nil)
+	req.RemoteAddr = "192.168.1.100:12345"
+	w = httptest.NewRecorder()
+	r.ServeHTTP(w, req)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("Expected 403 after re-enabling restriction, got %d", w.Code)
+	}
+}
--- a/internal/api/modules/amp/secret.go
+++ b/internal/api/modules/amp/secret.go
@@ -139,6 +139,17 @@ func (s *MultiSourceSecret) InvalidateCache() {
 	s.cache = nil
 }

+// UpdateExplicitKey refreshes the config-provided key and clears cache.
+func (s *MultiSourceSecret) UpdateExplicitKey(key string) {
+	if s == nil {
+		return
+	}
+	s.mu.Lock()
+	s.explicitKey = strings.TrimSpace(key)
+	s.cache = nil
+	s.mu.Unlock()
+}
+
 // StaticSecretSource returns a fixed API key (for testing)
 type StaticSecretSource struct {
 	key string
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -470,8 +470,9 @@ func (s *Server) registerManagementRoutes() {
 	{
 		mgmt.GET("/usage", s.mgmt.GetUsageStatistics)
 		mgmt.GET("/config", s.mgmt.GetConfig)
+		mgmt.GET("/config.yaml", s.mgmt.GetConfigYAML)
 		mgmt.PUT("/config.yaml", s.mgmt.PutConfigYAML)
-		mgmt.GET("/config.yaml", s.mgmt.GetConfigFile)
+		mgmt.GET("/latest-version", s.mgmt.GetLatestVersion)

 		mgmt.GET("/debug", s.mgmt.GetDebug)
 		mgmt.PUT("/debug", s.mgmt.PutDebug)
@@ -503,11 +504,6 @@ func (s *Server) registerManagementRoutes() {
 		mgmt.PATCH("/api-keys", s.mgmt.PatchAPIKeys)
 		mgmt.DELETE("/api-keys", s.mgmt.DeleteAPIKeys)

-		mgmt.GET("/generative-language-api-key", s.mgmt.GetGlKeys)
-		mgmt.PUT("/generative-language-api-key", s.mgmt.PutGlKeys)
-		mgmt.PATCH("/generative-language-api-key", s.mgmt.PatchGlKeys)
-		mgmt.DELETE("/generative-language-api-key", s.mgmt.DeleteGlKeys)
-
 		mgmt.GET("/gemini-api-key", s.mgmt.GetGeminiKeys)
 		mgmt.PUT("/gemini-api-key", s.mgmt.PutGeminiKeys)
 		mgmt.PATCH("/gemini-api-key", s.mgmt.PatchGeminiKey)
@@ -938,11 +934,7 @@ func (s *Server) UpdateClients(cfg *config.Config) {
 	openAICompatCount := 0
 	for i := range cfg.OpenAICompatibility {
 		entry := cfg.OpenAICompatibility[i]
-		if len(entry.APIKeyEntries) > 0 {
-			openAICompatCount += len(entry.APIKeyEntries)
-			continue
-		}
-		openAICompatCount += len(entry.APIKeys)
+		openAICompatCount += len(entry.APIKeyEntries)
 	}

 	total := authFiles + geminiAPIKeyCount + claudeAPIKeyCount + codexAPIKeyCount + vertexAICompatCount + openAICompatCount
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -26,22 +26,8 @@ type Config struct {
 	// TLS config controls HTTPS server settings.
 	TLS TLSConfig `yaml:"tls" json:"tls"`

-	// AmpUpstreamURL defines the upstream Amp control plane used for non-provider calls.
-	AmpUpstreamURL string `yaml:"amp-upstream-url" json:"amp-upstream-url"`
-
-	// AmpUpstreamAPIKey optionally overrides the Authorization header when proxying Amp upstream calls.
-	AmpUpstreamAPIKey string `yaml:"amp-upstream-api-key" json:"amp-upstream-api-key"`
-
-	// AmpRestrictManagementToLocalhost restricts Amp management routes (/api/user, /api/threads, etc.)
-	// to only accept connections from localhost (127.0.0.1, ::1). When true, prevents drive-by
-	// browser attacks and remote access to management endpoints. Default: true (recommended).
-	AmpRestrictManagementToLocalhost bool `yaml:"amp-restrict-management-to-localhost" json:"amp-restrict-management-to-localhost"`
-
-	// AmpModelMappings defines model name mappings for Amp CLI requests.
-	// When Amp requests a model that isn't available locally, these mappings
-	// allow routing to an alternative model that IS available.
-	// Example: Map "claude-opus-4.5" -> "claude-sonnet-4" when opus isn't available.
-	AmpModelMappings []AmpModelMapping `yaml:"amp-model-mappings" json:"amp-model-mappings"`
+	// RemoteManagement nests management-related options under 'remote-management'.
+	RemoteManagement RemoteManagement `yaml:"remote-management" json:"-"`

 	// AuthDir is the directory where authentication token files are stored.
 	AuthDir string `yaml:"auth-dir" json:"-"`
@@ -58,44 +44,43 @@ type Config struct {
 	// DisableCooling disables quota cooldown scheduling when true.
 	DisableCooling bool `yaml:"disable-cooling" json:"disable-cooling"`

+	// RequestRetry defines the retry times when the request failed.
+	RequestRetry int `yaml:"request-retry" json:"request-retry"`
+	// MaxRetryInterval defines the maximum wait time in seconds before retrying a cooled-down credential.
+	MaxRetryInterval int `yaml:"max-retry-interval" json:"max-retry-interval"`
+
 	// QuotaExceeded defines the behavior when a quota is exceeded.
 	QuotaExceeded QuotaExceeded `yaml:"quota-exceeded" json:"quota-exceeded"`

 	// WebsocketAuth enables or disables authentication for the WebSocket API.
 	WebsocketAuth bool `yaml:"ws-auth" json:"ws-auth"`

-	// GlAPIKey exposes the legacy generative language API key list for backward compatibility.
-	GlAPIKey []string `yaml:"generative-language-api-key" json:"generative-language-api-key"`
-
 	// GeminiKey defines Gemini API key configurations with optional routing overrides.
 	GeminiKey []GeminiKey `yaml:"gemini-api-key" json:"gemini-api-key"`

+	// Codex defines a list of Codex API key configurations as specified in the YAML configuration file.
+	CodexKey []CodexKey `yaml:"codex-api-key" json:"codex-api-key"`
+
+	// ClaudeKey defines a list of Claude API key configurations as specified in the YAML configuration file.
+	ClaudeKey []ClaudeKey `yaml:"claude-api-key" json:"claude-api-key"`
+
+	// OpenAICompatibility defines OpenAI API compatibility configurations for external providers.
+	OpenAICompatibility []OpenAICompatibility `yaml:"openai-compatibility" json:"openai-compatibility"`
+
 	// VertexCompatAPIKey defines Vertex AI-compatible API key configurations for third-party providers.
 	// Used for services that use Vertex AI-style paths but with simple API key authentication.
 	VertexCompatAPIKey []VertexCompatKey `yaml:"vertex-api-key" json:"vertex-api-key"`

-	// RequestRetry defines the retry times when the request failed.
-	RequestRetry int `yaml:"request-retry" json:"request-retry"`
-	// MaxRetryInterval defines the maximum wait time in seconds before retrying a cooled-down credential.
-	MaxRetryInterval int `yaml:"max-retry-interval" json:"max-retry-interval"`
+	// AmpCode contains Amp CLI upstream configuration, management restrictions, and model mappings.
+	AmpCode AmpCode `yaml:"ampcode" json:"ampcode"`

-	// ClaudeKey defines a list of Claude API key configurations as specified in the YAML configuration file.
-	ClaudeKey []ClaudeKey `yaml:"claude-api-key" json:"claude-api-key"`
-
-	// Codex defines a list of Codex API key configurations as specified in the YAML configuration file.
-	CodexKey []CodexKey `yaml:"codex-api-key" json:"codex-api-key"`
-
-	// OpenAICompatibility defines OpenAI API compatibility configurations for external providers.
-	OpenAICompatibility []OpenAICompatibility `yaml:"openai-compatibility" json:"openai-compatibility"`
-
-	// RemoteManagement nests management-related options under 'remote-management'.
-	RemoteManagement RemoteManagement `yaml:"remote-management" json:"-"`
+	// OAuthExcludedModels defines per-provider global model exclusions applied to OAuth/file-backed auth entries.
+	OAuthExcludedModels map[string][]string `yaml:"oauth-excluded-models,omitempty" json:"oauth-excluded-models,omitempty"`

 	// Payload defines default and override rules for provider payload parameters.
 	Payload PayloadConfig `yaml:"payload" json:"payload"`

-	// OAuthExcludedModels defines per-provider global model exclusions applied to OAuth/file-backed auth entries.
-	OAuthExcludedModels map[string][]string `yaml:"oauth-excluded-models,omitempty" json:"oauth-excluded-models,omitempty"`
+	legacyMigrationPending bool `yaml:"-" json:"-"`
 }

 // TLSConfig holds HTTPS server settings.
@@ -140,6 +125,26 @@ type AmpModelMapping struct {
 	To string `yaml:"to" json:"to"`
 }

+// AmpCode groups Amp CLI integration settings including upstream routing,
+// optional overrides, management route restrictions, and model fallback mappings.
+type AmpCode struct {
+	// UpstreamURL defines the upstream Amp control plane used for non-provider calls.
+	UpstreamURL string `yaml:"upstream-url" json:"upstream-url"`
+
+	// UpstreamAPIKey optionally overrides the Authorization header when proxying Amp upstream calls.
+	UpstreamAPIKey string `yaml:"upstream-api-key" json:"upstream-api-key"`
+
+	// RestrictManagementToLocalhost restricts Amp management routes (/api/user, /api/threads, etc.)
+	// to only accept connections from localhost (127.0.0.1, ::1). When true, prevents drive-by
+	// browser attacks and remote access to management endpoints. Default: true (recommended).
+	RestrictManagementToLocalhost bool `yaml:"restrict-management-to-localhost" json:"restrict-management-to-localhost"`
+
+	// ModelMappings defines model name mappings for Amp CLI requests.
+	// When Amp requests a model that isn't available locally, these mappings
+	// allow routing to an alternative model that IS available.
+	ModelMappings []AmpModelMapping `yaml:"model-mappings" json:"model-mappings"`
+}
+
 // PayloadConfig defines default and override parameter rules applied to provider payloads.
 type PayloadConfig struct {
 	// Default defines rules that only set parameters when they are missing in the payload.
@@ -244,10 +249,6 @@ type OpenAICompatibility struct {
 	// BaseURL is the base URL for the external OpenAI-compatible API endpoint.
 	BaseURL string `yaml:"base-url" json:"base-url"`

-	// APIKeys are the authentication keys for accessing the external API services.
-	// Deprecated: Use APIKeyEntries instead to support per-key proxy configuration.
-	APIKeys []string `yaml:"api-keys,omitempty" json:"api-keys,omitempty"`
-
 	// APIKeyEntries defines API keys with optional per-key proxy configuration.
 	APIKeyEntries []OpenAICompatibilityAPIKey `yaml:"api-key-entries,omitempty" json:"api-key-entries,omitempty"`

@@ -318,7 +319,7 @@ func LoadConfigOptional(configFile string, optional bool) (*Config, error) {
 	cfg.LoggingToFile = false
 	cfg.UsageStatisticsEnabled = false
 	cfg.DisableCooling = false
-	cfg.AmpRestrictManagementToLocalhost = true // Default to secure: only localhost access
+	cfg.AmpCode.RestrictManagementToLocalhost = true // Default to secure: only localhost access
 	if err = yaml.Unmarshal(data, &cfg); err != nil {
 		if optional {
 			// In cloud deploy mode, if YAML parsing fails, return empty config instead of error.
@@ -327,6 +328,19 @@ func LoadConfigOptional(configFile string, optional bool) (*Config, error) {
 		return nil, fmt.Errorf("failed to parse config file: %w", err)
 	}

+	var legacy legacyConfigData
+	if errLegacy := yaml.Unmarshal(data, &legacy); errLegacy == nil {
+		if cfg.migrateLegacyGeminiKeys(legacy.LegacyGeminiKeys) {
+			cfg.legacyMigrationPending = true
+		}
+		if cfg.migrateLegacyOpenAICompatibilityKeys(legacy.OpenAICompat) {
+			cfg.legacyMigrationPending = true
+		}
+		if cfg.migrateLegacyAmpConfig(&legacy) {
+			cfg.legacyMigrationPending = true
+		}
+	}
+
 	// Hash remote management key if plaintext is detected (nested)
 	// We consider a value to be already hashed if it looks like a bcrypt hash ($2a$, $2b$, or $2y$ prefix).
 	if cfg.RemoteManagement.SecretKey != "" && !looksLikeBcrypt(cfg.RemoteManagement.SecretKey) {
@@ -362,6 +376,18 @@ func LoadConfigOptional(configFile string, optional bool) (*Config, error) {
 	// Normalize OAuth provider model exclusion map.
 	cfg.OAuthExcludedModels = NormalizeOAuthExcludedModels(cfg.OAuthExcludedModels)

+	if cfg.legacyMigrationPending {
+		fmt.Println("Detected legacy configuration keys, attempting to persist the normalized config...")
+		if !optional && configFile != "" {
+			if err := SaveConfigPreserveComments(configFile, &cfg); err != nil {
+				return nil, fmt.Errorf("failed to persist migrated legacy config: %w", err)
+			}
+			fmt.Println("Legacy configuration normalized and persisted.")
+		} else {
+			fmt.Println("Legacy configuration normalized in memory; persistence skipped.")
+		}
+	}
+
 	// Return the populated configuration struct.
 	return &cfg, nil
 }
@@ -445,22 +471,6 @@ func (cfg *Config) SanitizeGeminiKeys() {
 		out = append(out, entry)
 	}
 	cfg.GeminiKey = out
-
-	if len(cfg.GlAPIKey) > 0 {
-		for _, raw := range cfg.GlAPIKey {
-			key := strings.TrimSpace(raw)
-			if key == "" {
-				continue
-			}
-			if _, exists := seen[key]; exists {
-				continue
-			}
-			cfg.GeminiKey = append(cfg.GeminiKey, GeminiKey{APIKey: key})
-			seen[key] = struct{}{}
-		}
-	}
-
-	cfg.GlAPIKey = nil
 }

 func syncInlineAccessProvider(cfg *Config) {
@@ -596,9 +606,12 @@ func SaveConfigPreserveComments(configFile string, cfg *Config) error {
 		return fmt.Errorf("expected generated root mapping node")
 	}

-	// Remove deprecated auth block before merging to avoid persisting it again.
-	removeMapKey(original.Content[0], "auth")
+	// Remove deprecated sections before merging back the sanitized config.
+	removeLegacyAuthBlock(original.Content[0])
 	removeLegacyOpenAICompatAPIKeys(original.Content[0])
+	removeLegacyAmpKeys(original.Content[0])
+	removeLegacyGenerativeLanguageKeys(original.Content[0])
+
 	pruneMappingToGeneratedKeys(original.Content[0], generated.Content[0], "oauth-excluded-models")

 	// Merge generated into original in-place, preserving comments/order of existing nodes.
@@ -1061,25 +1074,6 @@ func removeMapKey(mapNode *yaml.Node, key string) {
 	}
 }

-func removeLegacyOpenAICompatAPIKeys(root *yaml.Node) {
-	if root == nil || root.Kind != yaml.MappingNode {
-		return
-	}
-	idx := findMapKeyIndex(root, "openai-compatibility")
-	if idx < 0 || idx+1 >= len(root.Content) {
-		return
-	}
-	seq := root.Content[idx+1]
-	if seq == nil || seq.Kind != yaml.SequenceNode {
-		return
-	}
-	for i := range seq.Content {
-		if seq.Content[i] != nil && seq.Content[i].Kind == yaml.MappingNode {
-			removeMapKey(seq.Content[i], "api-keys")
-		}
-	}
-}
-
 func pruneMappingToGeneratedKeys(dstRoot, srcRoot *yaml.Node, key string) {
 	if key == "" || dstRoot == nil || srcRoot == nil {
 		return
@@ -1173,3 +1167,194 @@ func normalizeCollectionNodeStyles(node *yaml.Node) {
 		// Scalars keep their existing style to preserve quoting
 	}
 }
+
+// Legacy migration helpers (move deprecated config keys into structured fields).
+type legacyConfigData struct {
+	LegacyGeminiKeys      []string                    `yaml:"generative-language-api-key"`
+	OpenAICompat          []legacyOpenAICompatibility `yaml:"openai-compatibility"`
+	AmpUpstreamURL        string                      `yaml:"amp-upstream-url"`
+	AmpUpstreamAPIKey     string                      `yaml:"amp-upstream-api-key"`
+	AmpRestrictManagement *bool                       `yaml:"amp-restrict-management-to-localhost"`
+	AmpModelMappings      []AmpModelMapping           `yaml:"amp-model-mappings"`
+}
+
+type legacyOpenAICompatibility struct {
+	Name    string   `yaml:"name"`
+	BaseURL string   `yaml:"base-url"`
+	APIKeys []string `yaml:"api-keys"`
+}
+
+func (cfg *Config) migrateLegacyGeminiKeys(legacy []string) bool {
+	if cfg == nil || len(legacy) == 0 {
+		return false
+	}
+	changed := false
+	seen := make(map[string]struct{}, len(cfg.GeminiKey))
+	for i := range cfg.GeminiKey {
+		key := strings.TrimSpace(cfg.GeminiKey[i].APIKey)
+		if key == "" {
+			continue
+		}
+		seen[key] = struct{}{}
+	}
+	for _, raw := range legacy {
+		key := strings.TrimSpace(raw)
+		if key == "" {
+			continue
+		}
+		if _, exists := seen[key]; exists {
+			continue
+		}
+		cfg.GeminiKey = append(cfg.GeminiKey, GeminiKey{APIKey: key})
+		seen[key] = struct{}{}
+		changed = true
+	}
+	return changed
+}
+
+func (cfg *Config) migrateLegacyOpenAICompatibilityKeys(legacy []legacyOpenAICompatibility) bool {
+	if cfg == nil || len(cfg.OpenAICompatibility) == 0 || len(legacy) == 0 {
+		return false
+	}
+	changed := false
+	for _, legacyEntry := range legacy {
+		if len(legacyEntry.APIKeys) == 0 {
+			continue
+		}
+		target := findOpenAICompatTarget(cfg.OpenAICompatibility, legacyEntry.Name, legacyEntry.BaseURL)
+		if target == nil {
+			continue
+		}
+		if mergeLegacyOpenAICompatAPIKeys(target, legacyEntry.APIKeys) {
+			changed = true
+		}
+	}
+	return changed
+}
+
+func mergeLegacyOpenAICompatAPIKeys(entry *OpenAICompatibility, keys []string) bool {
+	if entry == nil || len(keys) == 0 {
+		return false
+	}
+	changed := false
+	existing := make(map[string]struct{}, len(entry.APIKeyEntries))
+	for i := range entry.APIKeyEntries {
+		key := strings.TrimSpace(entry.APIKeyEntries[i].APIKey)
+		if key == "" {
+			continue
+		}
+		existing[key] = struct{}{}
+	}
+	for _, raw := range keys {
+		key := strings.TrimSpace(raw)
+		if key == "" {
+			continue
+		}
+		if _, ok := existing[key]; ok {
+			continue
+		}
+		entry.APIKeyEntries = append(entry.APIKeyEntries, OpenAICompatibilityAPIKey{APIKey: key})
+		existing[key] = struct{}{}
+		changed = true
+	}
+	return changed
+}
+
+func findOpenAICompatTarget(entries []OpenAICompatibility, legacyName, legacyBase string) *OpenAICompatibility {
+	nameKey := strings.ToLower(strings.TrimSpace(legacyName))
+	baseKey := strings.ToLower(strings.TrimSpace(legacyBase))
+	if nameKey != "" && baseKey != "" {
+		for i := range entries {
+			if strings.ToLower(strings.TrimSpace(entries[i].Name)) == nameKey &&
+				strings.ToLower(strings.TrimSpace(entries[i].BaseURL)) == baseKey {
+				return &entries[i]
+			}
+		}
+	}
+	if baseKey != "" {
+		for i := range entries {
+			if strings.ToLower(strings.TrimSpace(entries[i].BaseURL)) == baseKey {
+				return &entries[i]
+			}
+		}
+	}
+	if nameKey != "" {
+		for i := range entries {
+			if strings.ToLower(strings.TrimSpace(entries[i].Name)) == nameKey {
+				return &entries[i]
+			}
+		}
+	}
+	return nil
+}
+
+func (cfg *Config) migrateLegacyAmpConfig(legacy *legacyConfigData) bool {
+	if cfg == nil || legacy == nil {
+		return false
+	}
+	changed := false
+	if cfg.AmpCode.UpstreamURL == "" {
+		if val := strings.TrimSpace(legacy.AmpUpstreamURL); val != "" {
+			cfg.AmpCode.UpstreamURL = val
+			changed = true
+		}
+	}
+	if cfg.AmpCode.UpstreamAPIKey == "" {
+		if val := strings.TrimSpace(legacy.AmpUpstreamAPIKey); val != "" {
+			cfg.AmpCode.UpstreamAPIKey = val
+			changed = true
+		}
+	}
+	if legacy.AmpRestrictManagement != nil {
+		cfg.AmpCode.RestrictManagementToLocalhost = *legacy.AmpRestrictManagement
+		changed = true
+	}
+	if len(cfg.AmpCode.ModelMappings) == 0 && len(legacy.AmpModelMappings) > 0 {
+		cfg.AmpCode.ModelMappings = append([]AmpModelMapping(nil), legacy.AmpModelMappings...)
+		changed = true
+	}
+	return changed
+}
+
+func removeLegacyOpenAICompatAPIKeys(root *yaml.Node) {
+	if root == nil || root.Kind != yaml.MappingNode {
+		return
+	}
+	idx := findMapKeyIndex(root, "openai-compatibility")
+	if idx < 0 || idx+1 >= len(root.Content) {
+		return
+	}
+	seq := root.Content[idx+1]
+	if seq == nil || seq.Kind != yaml.SequenceNode {
+		return
+	}
+	for i := range seq.Content {
+		if seq.Content[i] != nil && seq.Content[i].Kind == yaml.MappingNode {
+			removeMapKey(seq.Content[i], "api-keys")
+		}
+	}
+}
+
+func removeLegacyAmpKeys(root *yaml.Node) {
+	if root == nil || root.Kind != yaml.MappingNode {
+		return
+	}
+	removeMapKey(root, "amp-upstream-url")
+	removeMapKey(root, "amp-upstream-api-key")
+	removeMapKey(root, "amp-restrict-management-to-localhost")
+	removeMapKey(root, "amp-model-mappings")
+}
+
+func removeLegacyGenerativeLanguageKeys(root *yaml.Node) {
+	if root == nil || root.Kind != yaml.MappingNode {
+		return
+	}
+	removeMapKey(root, "generative-language-api-key")
+}
+
+func removeLegacyAuthBlock(root *yaml.Node) {
+	if root == nil || root.Kind != yaml.MappingNode {
+		return
+	}
+	removeMapKey(root, "auth")
+}
--- a/internal/interfaces/client_models.go
+++ b/internal/interfaces/client_models.go
@@ -85,6 +85,9 @@ type InlineData struct {
 // FunctionCall represents a tool call requested by the model.
 // It includes the function name and its arguments that the model wants to execute.
 type FunctionCall struct {
+	// ID is the identifier of the function to be called.
+	ID string `json:"id,omitempty"`
+
 	// Name is the identifier of the function to be called.
 	Name string `json:"name"`

@@ -95,6 +98,9 @@ type FunctionCall struct {
 // FunctionResponse represents the result of a tool execution.
 // This is sent back to the model after a tool call has been processed.
 type FunctionResponse struct {
+	// ID is the identifier of the function to be called.
+	ID string `json:"id,omitempty"`
+
 	// Name is the identifier of the function that was called.
 	Name string `json:"name"`

--- a/internal/logging/gin_logger.go
+++ b/internal/logging/gin_logger.go
@@ -14,6 +14,8 @@ import (
 	log "github.com/sirupsen/logrus"
 )

+const skipGinLogKey = "__gin_skip_request_logging__"
+
 // GinLogrusLogger returns a Gin middleware handler that logs HTTP requests and responses
 // using logrus. It captures request details including method, path, status code, latency,
 // client IP, and any error messages, formatting them in a Gin-style log format.
@@ -28,6 +30,10 @@ func GinLogrusLogger() gin.HandlerFunc {

 		c.Next()

+		if shouldSkipGinRequestLogging(c) {
+			return
+		}
+
 		if raw != "" {
 			path = path + "?" + raw
 		}
@@ -77,3 +83,24 @@ func GinLogrusRecovery() gin.HandlerFunc {
 		c.AbortWithStatus(http.StatusInternalServerError)
 	})
 }
+
+// SkipGinRequestLogging marks the provided Gin context so that GinLogrusLogger
+// will skip emitting a log line for the associated request.
+func SkipGinRequestLogging(c *gin.Context) {
+	if c == nil {
+		return
+	}
+	c.Set(skipGinLogKey, true)
+}
+
+func shouldSkipGinRequestLogging(c *gin.Context) bool {
+	if c == nil {
+		return false
+	}
+	val, exists := c.Get(skipGinLogKey)
+	if !exists {
+		return false
+	}
+	flag, ok := val.(bool)
+	return ok && flag
+}
--- a/internal/logging/global_logger.go
+++ b/internal/logging/global_logger.go
@@ -38,7 +38,13 @@ func (m *LogFormatter) Format(entry *log.Entry) ([]byte, error) {

 	timestamp := entry.Time.Format("2006-01-02 15:04:05")
 	message := strings.TrimRight(entry.Message, "\r\n")
-	formatted := fmt.Sprintf("[%s] [%s] [%s:%d] %s\n", timestamp, entry.Level, filepath.Base(entry.Caller.File), entry.Caller.Line, message)
+
+	var formatted string
+	if entry.Caller != nil {
+		formatted = fmt.Sprintf("[%s] [%s] [%s:%d] %s\n", timestamp, entry.Level, filepath.Base(entry.Caller.File), entry.Caller.Line, message)
+	} else {
+		formatted = fmt.Sprintf("[%s] [%s] %s\n", timestamp, entry.Level, message)
+	}
 	buffer.WriteString(formatted)

 	return buffer.Bytes(), nil
--- a/internal/registry/model_definitions.go
+++ b/internal/registry/model_definitions.go
@@ -961,6 +961,7 @@ func GetIFlowModels() []*ModelInfo {
 		{ID: "glm-4.6", DisplayName: "GLM-4.6", Description: "Zhipu GLM 4.6 general model", Created: 1759190400},
 		{ID: "kimi-k2", DisplayName: "Kimi-K2", Description: "Moonshot Kimi K2 general model", Created: 1752192000},
 		{ID: "kimi-k2-thinking", DisplayName: "Kimi-K2-Thinking", Description: "Moonshot Kimi K2 general model", Created: 1762387200},
+		{ID: "deepseek-v3.2-chat", DisplayName: "DeepSeek-V3.2", Description: "DeepSeek V3.2", Created: 1764576000},
 		{ID: "deepseek-v3.2", DisplayName: "DeepSeek-V3.2-Exp", Description: "DeepSeek V3.2 experimental", Created: 1759104000},
 		{ID: "deepseek-v3.1", DisplayName: "DeepSeek-V3.1-Terminus", Description: "DeepSeek V3.1 Terminus", Created: 1756339200},
 		{ID: "deepseek-r1", DisplayName: "DeepSeek-R1", Description: "DeepSeek reasoning model R1", Created: 1737331200},
--- a/internal/runtime/executor/antigravity_executor.go
+++ b/internal/runtime/executor/antigravity_executor.go
@@ -17,6 +17,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/registry"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	cliproxyauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
 	cliproxyexecutor "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/executor"
 	sdktranslator "github.com/router-for-me/CLIProxyAPI/v6/sdk/translator"
@@ -508,8 +509,46 @@ func (e *AntigravityExecutor) buildRequest(ctx context.Context, auth *cliproxyau
 		requestURL.WriteString(url.QueryEscape(alt))
 	}

-	payload = geminiToAntigravity(modelName, payload)
+	// Extract project_id from auth metadata if available
+	projectID := ""
+	if auth != nil && auth.Metadata != nil {
+		if pid, ok := auth.Metadata["project_id"].(string); ok {
+			projectID = strings.TrimSpace(pid)
+		}
+	}
+	payload = geminiToAntigravity(modelName, payload, projectID)
 	payload, _ = sjson.SetBytes(payload, "model", alias2ModelName(modelName))
+
+	if strings.Contains(modelName, "claude") {
+		strJSON := string(payload)
+		paths := make([]string, 0)
+		util.Walk(gjson.ParseBytes(payload), "", "parametersJsonSchema", &paths)
+		for _, p := range paths {
+			strJSON, _ = util.RenameKey(strJSON, p, p[:len(p)-len("parametersJsonSchema")]+"parameters")
+		}
+
+		strJSON = util.DeleteKey(strJSON, "$schema")
+		strJSON = util.DeleteKey(strJSON, "maxItems")
+		strJSON = util.DeleteKey(strJSON, "minItems")
+		strJSON = util.DeleteKey(strJSON, "minLength")
+		strJSON = util.DeleteKey(strJSON, "maxLength")
+		strJSON = util.DeleteKey(strJSON, "exclusiveMinimum")
+
+		paths = make([]string, 0)
+		util.Walk(gjson.Parse(strJSON), "", "anyOf", &paths)
+		for _, p := range paths {
+			anyOf := gjson.Get(strJSON, p)
+			if anyOf.IsArray() {
+				anyOfItems := anyOf.Array()
+				if len(anyOfItems) > 0 {
+					strJSON, _ = sjson.SetRaw(strJSON, p[:len(p)-len(".anyOf")], anyOfItems[0].Raw)
+				}
+			}
+		}
+
+		payload = []byte(strJSON)
+	}
+
 	httpReq, errReq := http.NewRequestWithContext(ctx, http.MethodPost, requestURL.String(), bytes.NewReader(payload))
 	if errReq != nil {
 		return nil, errReq
@@ -670,10 +709,16 @@ func resolveCustomAntigravityBaseURL(auth *cliproxyauth.Auth) string {
 	return ""
 }

-func geminiToAntigravity(modelName string, payload []byte) []byte {
+func geminiToAntigravity(modelName string, payload []byte, projectID string) []byte {
 	template, _ := sjson.Set(string(payload), "model", modelName)
 	template, _ = sjson.Set(template, "userAgent", "antigravity")
-	template, _ = sjson.Set(template, "project", generateProjectID())
+
+	// Use real project ID from auth if available, otherwise generate random (legacy fallback)
+	if projectID != "" {
+		template, _ = sjson.Set(template, "project", projectID)
+	} else {
+		template, _ = sjson.Set(template, "project", generateProjectID())
+	}
 	template, _ = sjson.Set(template, "requestId", generateRequestID())
 	template, _ = sjson.Set(template, "request.sessionId", generateSessionID())

@@ -734,6 +779,8 @@ func modelName2Alias(modelName string) string {
 		return "gemini-claude-sonnet-4-5"
 	case "claude-sonnet-4-5-thinking":
 		return "gemini-claude-sonnet-4-5-thinking"
+	case "claude-opus-4-5-thinking":
+		return "gemini-claude-opus-4-5-thinking"
 	case "chat_20706", "chat_23310", "gemini-2.5-flash-thinking", "gemini-3-pro-low", "gemini-2.5-pro":
 		return ""
 	default:
@@ -753,6 +800,8 @@ func alias2ModelName(modelName string) string {
 		return "claude-sonnet-4-5"
 	case "gemini-claude-sonnet-4-5-thinking":
 		return "claude-sonnet-4-5-thinking"
+	case "gemini-claude-opus-4-5-thinking":
+		return "claude-opus-4-5-thinking"
 	default:
 		return modelName
 	}
--- a/internal/runtime/executor/gemini_cli_executor.go
+++ b/internal/runtime/executor/gemini_cli_executor.go
@@ -667,7 +667,7 @@ func cliPreviewFallbackOrder(model string) []string {
 	case "gemini-2.5-pro":
 		return []string{
 			// "gemini-2.5-pro-preview-05-06",
-			"gemini-2.5-pro-preview-06-05",
+			// "gemini-2.5-pro-preview-06-05",
 		}
 	case "gemini-2.5-flash":
 		return []string{
--- a/internal/translator/antigravity/claude/antigravity_claude_request.go
+++ b/internal/translator/antigravity/claude/antigravity_claude_request.go
@@ -89,10 +89,11 @@ func ConvertClaudeRequestToAntigravity(modelName string, inputRawJSON []byte, _
 					} else if contentTypeResult.Type == gjson.String && contentTypeResult.String() == "tool_use" {
 						functionName := contentResult.Get("name").String()
 						functionArgs := contentResult.Get("input").String()
+						functionID := contentResult.Get("id").String()
 						var args map[string]any
 						if err := json.Unmarshal([]byte(functionArgs), &args); err == nil {
 							clientContent.Parts = append(clientContent.Parts, client.Part{
-								FunctionCall:     &client.FunctionCall{Name: functionName, Args: args},
+								FunctionCall:     &client.FunctionCall{ID: functionID, Name: functionName, Args: args},
 								ThoughtSignature: geminiCLIClaudeThoughtSignature,
 							})
 						}
@@ -105,7 +106,7 @@ func ConvertClaudeRequestToAntigravity(modelName string, inputRawJSON []byte, _
 								funcName = strings.Join(toolCallIDs[0:len(toolCallIDs)-1], "-")
 							}
 							responseData := contentResult.Get("content").Raw
-							functionResponse := client.FunctionResponse{Name: funcName, Response: map[string]interface{}{"result": responseData}}
+							functionResponse := client.FunctionResponse{ID: toolCallID, Name: funcName, Response: map[string]interface{}{"result": responseData}}
 							clientContent.Parts = append(clientContent.Parts, client.Part{FunctionResponse: &functionResponse})
 						}
 					}
--- a/internal/translator/antigravity/claude/antigravity_claude_response.go
+++ b/internal/translator/antigravity/claude/antigravity_claude_response.go
@@ -141,35 +141,38 @@ func ConvertAntigravityResponseToClaude(_ context.Context, _ string, originalReq
 						params.ResponseType = 2 // Set state to thinking
 					}
 				} else {
-					// Process regular text content (user-visible output)
-					// Continue existing text block if already in content state
-					if params.ResponseType == 1 {
-						output = output + "event: content_block_delta\n"
-						data, _ := sjson.Set(fmt.Sprintf(`{"type":"content_block_delta","index":%d,"delta":{"type":"text_delta","text":""}}`, params.ResponseIndex), "delta.text", partTextResult.String())
-						output = output + fmt.Sprintf("data: %s\n\n\n", data)
-					} else {
-						// Transition from another state to text content
-						// First, close any existing content block
-						if params.ResponseType != 0 {
-							if params.ResponseType == 2 {
-								// output = output + "event: content_block_delta\n"
-								// output = output + fmt.Sprintf(`data: {"type":"content_block_delta","index":%d,"delta":{"type":"signature_delta","signature":null}}`, params.ResponseIndex)
-								// output = output + "\n\n\n"
+					finishReasonResult := gjson.GetBytes(rawJSON, "response.candidates.0.finishReason")
+					if partTextResult.String() != "" || !finishReasonResult.Exists() {
+						// Process regular text content (user-visible output)
+						// Continue existing text block if already in content state
+						if params.ResponseType == 1 {
+							output = output + "event: content_block_delta\n"
+							data, _ := sjson.Set(fmt.Sprintf(`{"type":"content_block_delta","index":%d,"delta":{"type":"text_delta","text":""}}`, params.ResponseIndex), "delta.text", partTextResult.String())
+							output = output + fmt.Sprintf("data: %s\n\n\n", data)
+						} else {
+							// Transition from another state to text content
+							// First, close any existing content block
+							if params.ResponseType != 0 {
+								if params.ResponseType == 2 {
+									// output = output + "event: content_block_delta\n"
+									// output = output + fmt.Sprintf(`data: {"type":"content_block_delta","index":%d,"delta":{"type":"signature_delta","signature":null}}`, params.ResponseIndex)
+									// output = output + "\n\n\n"
+								}
+								output = output + "event: content_block_stop\n"
+								output = output + fmt.Sprintf(`data: {"type":"content_block_stop","index":%d}`, params.ResponseIndex)
+								output = output + "\n\n\n"
+								params.ResponseIndex++
 							}
-							output = output + "event: content_block_stop\n"
-							output = output + fmt.Sprintf(`data: {"type":"content_block_stop","index":%d}`, params.ResponseIndex)
-							output = output + "\n\n\n"
-							params.ResponseIndex++
-						}

-						// Start a new text content block
-						output = output + "event: content_block_start\n"
-						output = output + fmt.Sprintf(`data: {"type":"content_block_start","index":%d,"content_block":{"type":"text","text":""}}`, params.ResponseIndex)
-						output = output + "\n\n\n"
-						output = output + "event: content_block_delta\n"
-						data, _ := sjson.Set(fmt.Sprintf(`{"type":"content_block_delta","index":%d,"delta":{"type":"text_delta","text":""}}`, params.ResponseIndex), "delta.text", partTextResult.String())
-						output = output + fmt.Sprintf("data: %s\n\n\n", data)
-						params.ResponseType = 1 // Set state to content
+							// Start a new text content block
+							output = output + "event: content_block_start\n"
+							output = output + fmt.Sprintf(`data: {"type":"content_block_start","index":%d,"content_block":{"type":"text","text":""}}`, params.ResponseIndex)
+							output = output + "\n\n\n"
+							output = output + "event: content_block_delta\n"
+							data, _ := sjson.Set(fmt.Sprintf(`{"type":"content_block_delta","index":%d,"delta":{"type":"text_delta","text":""}}`, params.ResponseIndex), "delta.text", partTextResult.String())
+							output = output + fmt.Sprintf("data: %s\n\n\n", data)
+							params.ResponseType = 1 // Set state to content
+						}
 					}
 				}
 			} else if functionCallResult.Exists() {
--- a/internal/translator/antigravity/openai/chat-completions/antigravity_openai_request.go
+++ b/internal/translator/antigravity/openai/chat-completions/antigravity_openai_request.go
@@ -251,6 +251,7 @@ func ConvertOpenAIRequestToAntigravity(modelName string, inputRawJSON []byte, _
 							fid := tc.Get("id").String()
 							fname := tc.Get("function.name").String()
 							fargs := tc.Get("function.arguments").String()
+							node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".functionCall.id", fid)
 							node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".functionCall.name", fname)
 							node, _ = sjson.SetRawBytes(node, "parts."+itoa(p)+".functionCall.args", []byte(fargs))
 							node, _ = sjson.SetBytes(node, "parts."+itoa(p)+".thoughtSignature", geminiCLIFunctionThoughtSignature)
@@ -266,6 +267,7 @@ func ConvertOpenAIRequestToAntigravity(modelName string, inputRawJSON []byte, _
 						pp := 0
 						for _, fid := range fIDs {
 							if name, ok := tcID2Name[fid]; ok {
+								toolNode, _ = sjson.SetBytes(toolNode, "parts."+itoa(pp)+".functionResponse.id", fid)
 								toolNode, _ = sjson.SetBytes(toolNode, "parts."+itoa(pp)+".functionResponse.name", name)
 								resp := toolResponses[fid]
 								if resp == "" {
--- a/internal/translator/codex/gemini/codex_gemini_response.go
+++ b/internal/translator/codex/gemini/codex_gemini_response.go
@@ -327,7 +327,7 @@ func buildReverseMapFromGeminiOriginal(original []byte) map[string]string {
 func mustMarshalJSON(v interface{}) string {
 	data, err := json.Marshal(v)
 	if err != nil {
-		panic(err)
+		return ""
 	}
 	return string(data)
 }
--- a/internal/translator/gemini/openai/responses/gemini_openai-responses_request.go
+++ b/internal/translator/gemini/openai/responses/gemini_openai-responses_request.go
@@ -249,6 +249,7 @@ func ConvertOpenAIResponsesRequestToGemini(modelName string, inputRawJSON []byte
 				functionCall := `{"functionCall":{"name":"","args":{}}}`
 				functionCall, _ = sjson.Set(functionCall, "functionCall.name", name)
 				functionCall, _ = sjson.Set(functionCall, "thoughtSignature", geminiResponsesThoughtSignature)
+				functionCall, _ = sjson.Set(functionCall, "functionCall.id", item.Get("call_id").String())

 				// Parse arguments JSON string and set as args object
 				if arguments != "" {
@@ -285,6 +286,7 @@ func ConvertOpenAIResponsesRequestToGemini(modelName string, inputRawJSON []byte
 				}

 				functionResponse, _ = sjson.Set(functionResponse, "functionResponse.name", functionName)
+				functionResponse, _ = sjson.Set(functionResponse, "functionResponse.id", callID)

 				// Set the raw JSON output directly (preserves string encoding)
 				if outputRaw != "" && outputRaw != "null" {
--- a/internal/util/translator.go
+++ b/internal/util/translator.go
@@ -79,6 +79,15 @@ func RenameKey(jsonStr, oldKeyPath, newKeyPath string) (string, error) {
 	return finalJson, nil
 }

+func DeleteKey(jsonStr, keyName string) string {
+	paths := make([]string, 0)
+	Walk(gjson.Parse(jsonStr), "", keyName, &paths)
+	for _, p := range paths {
+		jsonStr, _ = sjson.Delete(jsonStr, p)
+	}
+	return jsonStr
+}
+
 // FixJSON converts non-standard JSON that uses single quotes for strings into
 // RFC 8259-compliant JSON by converting those single-quoted strings to
 // double-quoted strings with proper escaping.
--- a/internal/watcher/watcher.go
+++ b/internal/watcher/watcher.go
@@ -570,6 +570,35 @@ func summarizeExcludedModels(list []string) excludedModelsSummary {
 	}
 }

+type ampModelMappingsSummary struct {
+	hash  string
+	count int
+}
+
+func summarizeAmpModelMappings(mappings []config.AmpModelMapping) ampModelMappingsSummary {
+	if len(mappings) == 0 {
+		return ampModelMappingsSummary{}
+	}
+	entries := make([]string, 0, len(mappings))
+	for _, mapping := range mappings {
+		from := strings.TrimSpace(mapping.From)
+		to := strings.TrimSpace(mapping.To)
+		if from == "" && to == "" {
+			continue
+		}
+		entries = append(entries, from+"->"+to)
+	}
+	if len(entries) == 0 {
+		return ampModelMappingsSummary{}
+	}
+	sort.Strings(entries)
+	sum := sha256.Sum256([]byte(strings.Join(entries, "|")))
+	return ampModelMappingsSummary{
+		hash:  hex.EncodeToString(sum[:]),
+		count: len(entries),
+	}
+}
+
 func summarizeOAuthExcludedModels(entries map[string][]string) map[string]excludedModelsSummary {
 	if len(entries) == 0 {
 		return nil
@@ -1162,71 +1191,37 @@ func (w *Watcher) SnapshotCoreAuths() []*coreauth.Auth {

 			// Handle new APIKeyEntries format (preferred)
 			createdEntries := 0
-			if len(compat.APIKeyEntries) > 0 {
-				for j := range compat.APIKeyEntries {
-					entry := &compat.APIKeyEntries[j]
-					key := strings.TrimSpace(entry.APIKey)
-					proxyURL := strings.TrimSpace(entry.ProxyURL)
-					idKind := fmt.Sprintf("openai-compatibility:%s", providerName)
-					id, token := idGen.next(idKind, key, base, proxyURL)
-					attrs := map[string]string{
-						"source":       fmt.Sprintf("config:%s[%s]", providerName, token),
-						"base_url":     base,
-						"compat_name":  compat.Name,
-						"provider_key": providerName,
-					}
-					if key != "" {
-						attrs["api_key"] = key
-					}
-					if hash := computeOpenAICompatModelsHash(compat.Models); hash != "" {
-						attrs["models_hash"] = hash
-					}
-					addConfigHeadersToAttrs(compat.Headers, attrs)
-					a := &coreauth.Auth{
-						ID:         id,
-						Provider:   providerName,
-						Label:      compat.Name,
-						Status:     coreauth.StatusActive,
-						ProxyURL:   proxyURL,
-						Attributes: attrs,
-						CreatedAt:  now,
-						UpdatedAt:  now,
-					}
-					out = append(out, a)
-					createdEntries++
+			for j := range compat.APIKeyEntries {
+				entry := &compat.APIKeyEntries[j]
+				key := strings.TrimSpace(entry.APIKey)
+				proxyURL := strings.TrimSpace(entry.ProxyURL)
+				idKind := fmt.Sprintf("openai-compatibility:%s", providerName)
+				id, token := idGen.next(idKind, key, base, proxyURL)
+				attrs := map[string]string{
+					"source":       fmt.Sprintf("config:%s[%s]", providerName, token),
+					"base_url":     base,
+					"compat_name":  compat.Name,
+					"provider_key": providerName,
 				}
-			} else {
-				// Handle legacy APIKeys format for backward compatibility
-				for j := range compat.APIKeys {
-					key := strings.TrimSpace(compat.APIKeys[j])
-					if key == "" {
-						continue
-					}
-					idKind := fmt.Sprintf("openai-compatibility:%s", providerName)
-					id, token := idGen.next(idKind, key, base)
-					attrs := map[string]string{
-						"source":       fmt.Sprintf("config:%s[%s]", providerName, token),
-						"base_url":     base,
-						"compat_name":  compat.Name,
-						"provider_key": providerName,
-					}
+				if key != "" {
 					attrs["api_key"] = key
-					if hash := computeOpenAICompatModelsHash(compat.Models); hash != "" {
-						attrs["models_hash"] = hash
-					}
-					addConfigHeadersToAttrs(compat.Headers, attrs)
-					a := &coreauth.Auth{
-						ID:         id,
-						Provider:   providerName,
-						Label:      compat.Name,
-						Status:     coreauth.StatusActive,
-						Attributes: attrs,
-						CreatedAt:  now,
-						UpdatedAt:  now,
-					}
-					out = append(out, a)
-					createdEntries++
 				}
+				if hash := computeOpenAICompatModelsHash(compat.Models); hash != "" {
+					attrs["models_hash"] = hash
+				}
+				addConfigHeadersToAttrs(compat.Headers, attrs)
+				a := &coreauth.Auth{
+					ID:         id,
+					Provider:   providerName,
+					Label:      compat.Name,
+					Status:     coreauth.StatusActive,
+					ProxyURL:   proxyURL,
+					Attributes: attrs,
+					CreatedAt:  now,
+					UpdatedAt:  now,
+				}
+				out = append(out, a)
+				createdEntries++
 			}
 			if createdEntries == 0 {
 				idKind := fmt.Sprintf("openai-compatibility:%s", providerName)
@@ -1530,12 +1525,7 @@ func BuildAPIKeyClients(cfg *config.Config) (int, int, int, int, int) {
 	if len(cfg.OpenAICompatibility) > 0 {
 		// Do not construct legacy clients for OpenAI-compat providers; these are handled by the stateless executor.
 		for _, compatConfig := range cfg.OpenAICompatibility {
-			// Count from new APIKeyEntries format if present, otherwise fall back to legacy APIKeys
-			if len(compatConfig.APIKeyEntries) > 0 {
-				openAICompatCount += len(compatConfig.APIKeyEntries)
-			} else {
-				openAICompatCount += len(compatConfig.APIKeys)
-			}
+			openAICompatCount += len(compatConfig.APIKeyEntries)
 		}
 	}
 	return geminiAPIKeyCount, vertexCompatAPIKeyCount, claudeAPIKeyCount, codexAPIKeyCount, openAICompatCount
@@ -1612,24 +1602,9 @@ func describeOpenAICompatibilityUpdate(oldEntry, newEntry config.OpenAICompatibi
 }

 func countAPIKeys(entry config.OpenAICompatibility) int {
-	// Prefer new APIKeyEntries format
-	if len(entry.APIKeyEntries) > 0 {
-		count := 0
-		for _, keyEntry := range entry.APIKeyEntries {
-			if strings.TrimSpace(keyEntry.APIKey) != "" {
-				count++
-			}
-		}
-		return count
-	}
-	// Fall back to legacy APIKeys format
-	return countNonEmptyStrings(entry.APIKeys)
-}
-
-func countNonEmptyStrings(values []string) int {
 	count := 0
-	for _, value := range values {
-		if strings.TrimSpace(value) != "" {
+	for _, keyEntry := range entry.APIKeyEntries {
+		if strings.TrimSpace(keyEntry.APIKey) != "" {
 			count++
 		}
 	}
@@ -1754,9 +1729,6 @@ func buildConfigChangeDetails(oldCfg, newCfg *config.Config) []string {
 				changes = append(changes, fmt.Sprintf("gemini[%d].excluded-models: updated (%d -> %d entries)", i, oldExcluded.count, newExcluded.count))
 			}
 		}
-		if !reflect.DeepEqual(trimStrings(oldCfg.GlAPIKey), trimStrings(newCfg.GlAPIKey)) {
-			changes = append(changes, "generative-language-api-key: values updated (legacy view, redacted)")
-		}
 	}

 	// Claude keys (do not print key material)
@@ -1819,6 +1791,31 @@ func buildConfigChangeDetails(oldCfg, newCfg *config.Config) []string {
 		}
 	}

+	// AmpCode settings (redacted where needed)
+	oldAmpURL := strings.TrimSpace(oldCfg.AmpCode.UpstreamURL)
+	newAmpURL := strings.TrimSpace(newCfg.AmpCode.UpstreamURL)
+	if oldAmpURL != newAmpURL {
+		changes = append(changes, fmt.Sprintf("ampcode.upstream-url: %s -> %s", oldAmpURL, newAmpURL))
+	}
+	oldAmpKey := strings.TrimSpace(oldCfg.AmpCode.UpstreamAPIKey)
+	newAmpKey := strings.TrimSpace(newCfg.AmpCode.UpstreamAPIKey)
+	switch {
+	case oldAmpKey == "" && newAmpKey != "":
+		changes = append(changes, "ampcode.upstream-api-key: added")
+	case oldAmpKey != "" && newAmpKey == "":
+		changes = append(changes, "ampcode.upstream-api-key: removed")
+	case oldAmpKey != newAmpKey:
+		changes = append(changes, "ampcode.upstream-api-key: updated")
+	}
+	if oldCfg.AmpCode.RestrictManagementToLocalhost != newCfg.AmpCode.RestrictManagementToLocalhost {
+		changes = append(changes, fmt.Sprintf("ampcode.restrict-management-to-localhost: %t -> %t", oldCfg.AmpCode.RestrictManagementToLocalhost, newCfg.AmpCode.RestrictManagementToLocalhost))
+	}
+	oldMappings := summarizeAmpModelMappings(oldCfg.AmpCode.ModelMappings)
+	newMappings := summarizeAmpModelMappings(newCfg.AmpCode.ModelMappings)
+	if oldMappings.hash != newMappings.hash {
+		changes = append(changes, fmt.Sprintf("ampcode.model-mappings: updated (%d -> %d entries)", oldMappings.count, newMappings.count))
+	}
+
 	if entries, _ := diffOAuthExcludedModelChanges(oldCfg.OAuthExcludedModels, newCfg.OAuthExcludedModels); len(entries) > 0 {
 		changes = append(changes, entries...)
 	}
--- a/sdk/auth/antigravity.go
+++ b/sdk/auth/antigravity.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net"
 	"net/http"
 	"net/url"
@@ -127,6 +128,18 @@ func (AntigravityAuthenticator) Login(ctx context.Context, cfg *config.Config, o
 		}
 	}

+	// Fetch project ID via loadCodeAssist (same approach as Gemini CLI)
+	projectID := ""
+	if tokenResp.AccessToken != "" {
+		fetchedProjectID, errProject := fetchAntigravityProjectID(ctx, tokenResp.AccessToken, httpClient)
+		if errProject != nil {
+			log.Warnf("antigravity: failed to fetch project ID: %v", errProject)
+		} else {
+			projectID = fetchedProjectID
+			log.Infof("antigravity: obtained project ID %s", projectID)
+		}
+	}
+
 	now := time.Now()
 	metadata := map[string]any{
 		"type":          "antigravity",
@@ -139,6 +152,9 @@ func (AntigravityAuthenticator) Login(ctx context.Context, cfg *config.Config, o
 	if email != "" {
 		metadata["email"] = email
 	}
+	if projectID != "" {
+		metadata["project_id"] = projectID
+	}

 	fileName := sanitizeAntigravityFileName(email)
 	label := email
@@ -147,6 +163,9 @@ func (AntigravityAuthenticator) Login(ctx context.Context, cfg *config.Config, o
 	}

 	fmt.Println("Antigravity authentication successful")
+	if projectID != "" {
+		fmt.Printf("Using GCP project: %s\n", projectID)
+	}
 	return &coreauth.Auth{
 		ID:       fileName,
 		Provider: "antigravity",
@@ -291,3 +310,89 @@ func sanitizeAntigravityFileName(email string) string {
 	replacer := strings.NewReplacer("@", "_", ".", "_")
 	return fmt.Sprintf("antigravity-%s.json", replacer.Replace(email))
 }
+
+// Antigravity API constants for project discovery
+const (
+	antigravityAPIEndpoint    = "https://cloudcode-pa.googleapis.com"
+	antigravityAPIVersion     = "v1internal"
+	antigravityAPIUserAgent   = "google-api-nodejs-client/9.15.1"
+	antigravityAPIClient      = "google-cloud-sdk vscode_cloudshelleditor/0.1"
+	antigravityClientMetadata = `{"ideType":"IDE_UNSPECIFIED","platform":"PLATFORM_UNSPECIFIED","pluginType":"GEMINI"}`
+)
+
+// FetchAntigravityProjectID exposes project discovery for external callers.
+func FetchAntigravityProjectID(ctx context.Context, accessToken string, httpClient *http.Client) (string, error) {
+	return fetchAntigravityProjectID(ctx, accessToken, httpClient)
+}
+
+// fetchAntigravityProjectID retrieves the project ID for the authenticated user via loadCodeAssist.
+// This uses the same approach as Gemini CLI to get the cloudaicompanionProject.
+func fetchAntigravityProjectID(ctx context.Context, accessToken string, httpClient *http.Client) (string, error) {
+	// Call loadCodeAssist to get the project
+	loadReqBody := map[string]any{
+		"metadata": map[string]string{
+			"ideType":    "IDE_UNSPECIFIED",
+			"platform":   "PLATFORM_UNSPECIFIED",
+			"pluginType": "GEMINI",
+		},
+	}
+
+	rawBody, errMarshal := json.Marshal(loadReqBody)
+	if errMarshal != nil {
+		return "", fmt.Errorf("marshal request body: %w", errMarshal)
+	}
+
+	endpointURL := fmt.Sprintf("%s/%s:loadCodeAssist", antigravityAPIEndpoint, antigravityAPIVersion)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpointURL, strings.NewReader(string(rawBody)))
+	if err != nil {
+		return "", fmt.Errorf("create request: %w", err)
+	}
+	req.Header.Set("Authorization", "Bearer "+accessToken)
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("User-Agent", antigravityAPIUserAgent)
+	req.Header.Set("X-Goog-Api-Client", antigravityAPIClient)
+	req.Header.Set("Client-Metadata", antigravityClientMetadata)
+
+	resp, errDo := httpClient.Do(req)
+	if errDo != nil {
+		return "", fmt.Errorf("execute request: %w", errDo)
+	}
+	defer func() {
+		if errClose := resp.Body.Close(); errClose != nil {
+			log.Errorf("antigravity loadCodeAssist: close body error: %v", errClose)
+		}
+	}()
+
+	bodyBytes, errRead := io.ReadAll(resp.Body)
+	if errRead != nil {
+		return "", fmt.Errorf("read response: %w", errRead)
+	}
+
+	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
+		return "", fmt.Errorf("request failed with status %d: %s", resp.StatusCode, strings.TrimSpace(string(bodyBytes)))
+	}
+
+	var loadResp map[string]any
+	if errDecode := json.Unmarshal(bodyBytes, &loadResp); errDecode != nil {
+		return "", fmt.Errorf("decode response: %w", errDecode)
+	}
+
+	// Extract projectID from response
+	projectID := ""
+	if id, ok := loadResp["cloudaicompanionProject"].(string); ok {
+		projectID = strings.TrimSpace(id)
+	}
+	if projectID == "" {
+		if projectMap, ok := loadResp["cloudaicompanionProject"].(map[string]any); ok {
+			if id, okID := projectMap["id"].(string); okID {
+				projectID = strings.TrimSpace(id)
+			}
+		}
+	}
+
+	if projectID == "" {
+		return "", fmt.Errorf("no cloudaicompanionProject in response")
+	}
+
+	return projectID, nil
+}
--- a/test/config_migration_test.go
+++ b/test/config_migration_test.go
@@ -0,0 +1,195 @@
+package test
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+)
+
+func TestLegacyConfigMigration(t *testing.T) {
+	t.Run("onlyLegacyFields", func(t *testing.T) {
+		path := writeConfig(t, `
+port: 8080
+generative-language-api-key:
+  - "legacy-gemini-1"
+openai-compatibility:
+  - name: "legacy-provider"
+    base-url: "https://example.com"
+    api-keys:
+      - "legacy-openai-1"
+amp-upstream-url: "https://amp.example.com"
+amp-upstream-api-key: "amp-legacy-key"
+amp-restrict-management-to-localhost: false
+amp-model-mappings:
+  - from: "old-model"
+    to: "new-model"
+`)
+		cfg, err := config.LoadConfig(path)
+		if err != nil {
+			t.Fatalf("load legacy config: %v", err)
+		}
+		if got := len(cfg.GeminiKey); got != 1 || cfg.GeminiKey[0].APIKey != "legacy-gemini-1" {
+			t.Fatalf("gemini migration mismatch: %+v", cfg.GeminiKey)
+		}
+		if got := len(cfg.OpenAICompatibility); got != 1 {
+			t.Fatalf("expected 1 openai-compat provider, got %d", got)
+		}
+		if entries := cfg.OpenAICompatibility[0].APIKeyEntries; len(entries) != 1 || entries[0].APIKey != "legacy-openai-1" {
+			t.Fatalf("openai-compat migration mismatch: %+v", entries)
+		}
+		if cfg.AmpCode.UpstreamURL != "https://amp.example.com" || cfg.AmpCode.UpstreamAPIKey != "amp-legacy-key" {
+			t.Fatalf("amp migration failed: %+v", cfg.AmpCode)
+		}
+		if cfg.AmpCode.RestrictManagementToLocalhost {
+			t.Fatalf("expected amp restriction to be false after migration")
+		}
+		if got := len(cfg.AmpCode.ModelMappings); got != 1 || cfg.AmpCode.ModelMappings[0].From != "old-model" {
+			t.Fatalf("amp mappings migration mismatch: %+v", cfg.AmpCode.ModelMappings)
+		}
+		updated := readFile(t, path)
+		if strings.Contains(updated, "generative-language-api-key") {
+			t.Fatalf("legacy gemini key still present:\n%s", updated)
+		}
+		if strings.Contains(updated, "amp-upstream-url") || strings.Contains(updated, "amp-restrict-management-to-localhost") {
+			t.Fatalf("legacy amp keys still present:\n%s", updated)
+		}
+		if strings.Contains(updated, "\n    api-keys:") {
+			t.Fatalf("legacy openai compat keys still present:\n%s", updated)
+		}
+	})
+
+	t.Run("mixedLegacyAndNewFields", func(t *testing.T) {
+		path := writeConfig(t, `
+gemini-api-key:
+  - api-key: "new-gemini"
+generative-language-api-key:
+  - "new-gemini"
+  - "legacy-gemini-only"
+openai-compatibility:
+  - name: "mixed-provider"
+    base-url: "https://mixed.example.com"
+    api-key-entries:
+      - api-key: "new-entry"
+    api-keys:
+      - "legacy-entry"
+      - "new-entry"
+`)
+		cfg, err := config.LoadConfig(path)
+		if err != nil {
+			t.Fatalf("load mixed config: %v", err)
+		}
+		if got := len(cfg.GeminiKey); got != 2 {
+			t.Fatalf("expected 2 gemini entries, got %d: %+v", got, cfg.GeminiKey)
+		}
+		seen := make(map[string]struct{}, len(cfg.GeminiKey))
+		for _, entry := range cfg.GeminiKey {
+			if _, exists := seen[entry.APIKey]; exists {
+				t.Fatalf("duplicate gemini key %q after migration", entry.APIKey)
+			}
+			seen[entry.APIKey] = struct{}{}
+		}
+		provider := cfg.OpenAICompatibility[0]
+		if got := len(provider.APIKeyEntries); got != 2 {
+			t.Fatalf("expected 2 openai entries, got %d: %+v", got, provider.APIKeyEntries)
+		}
+		entrySeen := make(map[string]struct{}, len(provider.APIKeyEntries))
+		for _, entry := range provider.APIKeyEntries {
+			if _, ok := entrySeen[entry.APIKey]; ok {
+				t.Fatalf("duplicate openai key %q after migration", entry.APIKey)
+			}
+			entrySeen[entry.APIKey] = struct{}{}
+		}
+	})
+
+	t.Run("onlyNewFields", func(t *testing.T) {
+		path := writeConfig(t, `
+gemini-api-key:
+  - api-key: "new-only"
+openai-compatibility:
+  - name: "new-only-provider"
+    base-url: "https://new-only.example.com"
+    api-key-entries:
+      - api-key: "new-only-entry"
+ampcode:
+  upstream-url: "https://amp.new"
+  upstream-api-key: "new-amp-key"
+  restrict-management-to-localhost: true
+  model-mappings:
+    - from: "a"
+      to: "b"
+`)
+		cfg, err := config.LoadConfig(path)
+		if err != nil {
+			t.Fatalf("load new config: %v", err)
+		}
+		if len(cfg.GeminiKey) != 1 || cfg.GeminiKey[0].APIKey != "new-only" {
+			t.Fatalf("unexpected gemini entries: %+v", cfg.GeminiKey)
+		}
+		if len(cfg.OpenAICompatibility) != 1 || len(cfg.OpenAICompatibility[0].APIKeyEntries) != 1 {
+			t.Fatalf("unexpected openai compat entries: %+v", cfg.OpenAICompatibility)
+		}
+		if cfg.AmpCode.UpstreamURL != "https://amp.new" || cfg.AmpCode.UpstreamAPIKey != "new-amp-key" {
+			t.Fatalf("unexpected amp config: %+v", cfg.AmpCode)
+		}
+	})
+
+	t.Run("duplicateNamesDifferentBase", func(t *testing.T) {
+		path := writeConfig(t, `
+openai-compatibility:
+  - name: "dup-provider"
+    base-url: "https://provider-a"
+    api-keys:
+      - "key-a"
+  - name: "dup-provider"
+    base-url: "https://provider-b"
+    api-keys:
+      - "key-b"
+`)
+		cfg, err := config.LoadConfig(path)
+		if err != nil {
+			t.Fatalf("load duplicate config: %v", err)
+		}
+		if len(cfg.OpenAICompatibility) != 2 {
+			t.Fatalf("expected 2 providers, got %d", len(cfg.OpenAICompatibility))
+		}
+		for _, entry := range cfg.OpenAICompatibility {
+			if len(entry.APIKeyEntries) != 1 {
+				t.Fatalf("expected 1 key entry per provider: %+v", entry)
+			}
+			switch entry.BaseURL {
+			case "https://provider-a":
+				if entry.APIKeyEntries[0].APIKey != "key-a" {
+					t.Fatalf("provider-a key mismatch: %+v", entry.APIKeyEntries)
+				}
+			case "https://provider-b":
+				if entry.APIKeyEntries[0].APIKey != "key-b" {
+					t.Fatalf("provider-b key mismatch: %+v", entry.APIKeyEntries)
+				}
+			default:
+				t.Fatalf("unexpected provider base url: %s", entry.BaseURL)
+			}
+		}
+	})
+}
+
+func writeConfig(t *testing.T, content string) string {
+	t.Helper()
+	dir := t.TempDir()
+	path := filepath.Join(dir, "config.yaml")
+	if err := os.WriteFile(path, []byte(strings.TrimSpace(content)+"\n"), 0o644); err != nil {
+		t.Fatalf("write temp config: %v", err)
+	}
+	return path
+}
+
+func readFile(t *testing.T, path string) string {
+	t.Helper()
+	data, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatalf("read temp config: %v", err)
+	}
+	return string(data)
+}
Author	SHA1	Message	Date
Luis Pater	92f033dec0	Merge branch 'router-for-me:main' into main	2025-12-06 01:33:34 +08:00
Luis Pater	0ebabf5152	feat(antigravity): add FetchAntigravityProjectID function and integrate project ID retrieval	2025-12-06 01:32:12 +08:00
Luis Pater	4b01ecba2e	Merge branch 'router-for-me:main' into main	2025-12-06 01:12:43 +08:00
Luis Pater	d7564173dd	fix(antigravity): restore production base URL in the executor	2025-12-06 01:11:37 +08:00
Luis Pater	f241124599	Merge branch 'router-for-me:main' into main	2025-12-06 00:43:02 +08:00
Luis Pater	c44c46dd80	Fixed: #421 feat(antigravity): implement project ID retrieval and integration in payload processing	2025-12-06 00:40:55 +08:00
Luis Pater	aa810ee719	Merge branch 'router-for-me:main' into main	2025-12-05 23:06:46 +08:00
Luis Pater	412148af0e	feat(antigravity): add function ID to FunctionCall and FunctionResponse models	2025-12-05 23:05:35 +08:00
Luis Pater	5d2baf6058	Merge branch 'router-for-me:main' into main	2025-12-05 21:37:55 +08:00
Luis Pater	d28258501a	Merge pull request #423 from router-for-me/amp fix(amp): suppress ErrAbortHandler panics in reverse proxy handler	2025-12-05 21:36:01 +08:00
hkfires	55cd31fb96	fix(amp): suppress ErrAbortHandler panics in reverse proxy handler	2025-12-05 21:28:58 +08:00
Luis Pater	d138df07bf	Merge branch 'router-for-me:main' into main	2025-12-05 21:28:32 +08:00
Luis Pater	c5df8e7897	Merge pull request #422 from router-for-me/amp Amp	2025-12-05 21:25:43 +08:00
Luis Pater	d4d529833d	refactor(antigravity): handle `anyOf` property, remove `exclusiveMinimum`, and comment unused prod URL	2025-12-05 21:24:12 +08:00
hkfires	caa48e7c6f	fix(amp): improve proxy state management and request logging behavior	2025-12-05 21:09:53 +08:00
hkfires	acdfb3bceb	feat(amp): add root-level /threads routes for CLI compatibility	2025-12-05 18:14:10 +08:00
hkfires	89d68962b1	fix(amp): filter amp request logging to only provider endpoint	2025-12-05 18:14:09 +08:00
Luis Pater	691cdb6bdf	fix(api): update GitHub release URL and user agent for CLIProxyAPIPlus	2025-12-05 10:32:28 +08:00
Luis Pater	8064cba288	Merge branch 'router-for-me:main' into main	2025-12-05 10:31:30 +08:00
Luis Pater	361443db10	feat(api): add GetLatestVersion endpoint to fetch latest release version from GitHub	2025-12-05 10:29:12 +08:00
Luis Pater	d6352dd4d4	feat(util): add DeleteKey function and update antigravity executor for Claude model compatibility	2025-12-05 01:55:45 +08:00
Luis Pater	f8aba62860	Merge branch 'router-for-me:main' into main	2025-12-05 00:45:51 +08:00
Luis Pater	a7eeb06f3d	Merge pull request #418 from router-for-me/amp Amp	2025-12-05 00:43:15 +08:00
hkfires	9426be7a5c	fix(amp): update log message wording for disabled proxy state	2025-12-04 21:36:16 +08:00
hkfires	4a135f1986	feat(amp): add hot-reload support for upstream URL and localhost restriction	2025-12-04 21:30:59 +08:00
hkfires	c4c02f4ad0	feat(amp): add partial reload support with config change detection	2025-12-04 21:30:59 +08:00
Luis Pater	b87b9b455f	Merge pull request #416 from router-for-me/amp Amp	2025-12-04 20:52:33 +08:00
hkfires	db03ae9663	feat(watcher): add AmpCode config change detection	2025-12-04 19:50:54 +08:00
hkfires	969ff6bb68	fix(amp): update explicit API key on config change	2025-12-04 19:32:44 +08:00
Luis Pater	e24af6e545	Merge branch 'router-for-me:main' into main	2025-12-04 18:03:42 +08:00
Luis Pater	bceecfb2e3	Fixed: #414 refactor(gemini): comment out unused CLI preview entry	2025-12-04 17:55:13 +08:00
Luis Pater	48dd987867	Merge branch 'router-for-me:main' into main	2025-12-04 16:14:52 +08:00
Luis Pater	6a2906e3e5	feat(antigravity): add support for Claude-Opus-4-5-Thinking model	2025-12-04 16:13:13 +08:00
Luis Pater	d72886c801	Merge pull request #405 from thurstonsand/fix/amp-missing-proxy-routes fix(amp): add missing /auth/* and /api/tab/* proxy routes for AMP CLI	2025-12-03 22:23:41 +08:00
Luis Pater	6efba3d829	Merge pull request #406 from router-for-me/api refactor(api): remove legacy generative-language-api-key endpoints and duplicate GetConfigYAML	2025-12-03 22:21:15 +08:00
Luis Pater	6b60bdd139	Merge branch 'router-for-me:main' into main	2025-12-03 21:55:29 +08:00
Luis Pater	897c40bed8	feat(registry): add DeepSeek-V3.2-Chat model definition Add new DeepSeek-V3.2-Chat model to the registry with standard chat configuration, positioned before the experimental variant for better organization.	2025-12-03 21:34:50 +08:00
Thurston Sandberg	373ea8d7e4	fix(logging): handle nil caller in LogFormatter to prevent panic	2025-12-03 05:54:38 -05:00
hkfires	b5de004c01	refactor(api): remove legacy generative-language-api-key endpoints and duplicate GetConfigYAML	2025-12-03 18:35:08 +08:00
Thurston Sandberg	94ec772521	test(amp): add tests for /auth/* and /api/tab/* routes	2025-12-03 05:03:25 -05:00
Thurston Sandberg	e216d26731	fix(amp): add missing /auth/* and /api/tab/* proxy routes	2025-12-03 04:40:32 -05:00
Luis Pater	8a98506a15	Merge branch 'router-for-me:main' into main	2025-12-03 16:20:02 +08:00
Luis Pater	6eb94dac33	Merge pull request #404 from router-for-me/config Legacy Config Migration and Amp Consolidation	2025-12-03 16:11:06 +08:00
hkfires	c4a5be6edf	style(amp): standardize log message capitalization	2025-12-03 13:53:18 +08:00
hkfires	651179a642	refactor(config): add detailed logging for legacy configuration migration	2025-12-03 13:39:10 +08:00
hkfires	8c42b21e66	refactor(config): improve OpenAI compatibility target matching logic	2025-12-03 12:41:17 +08:00
hkfires	b693d632d2	docs(config): comment out example API key configurations	2025-12-03 12:31:41 +08:00
hkfires	b5033c22d8	refactor(config): auto-persist migrated legacy configuration fields	2025-12-03 12:26:04 +08:00
hkfires	df0fd1add1	refactor(config): remove deprecated AMP configuration keys during save	2025-12-03 11:42:15 +08:00
hkfires	b6bdbe78ef	refactor(config): relocate legacy migration helpers to end of file	2025-12-03 11:23:11 +08:00
hkfires	06c0d2bab2	refactor(config): remove deprecated legacy API key fields	2025-12-03 11:01:56 +08:00
hkfires	bd1678457b	refactor(config): consolidate Amp settings into AmpCode struct	2025-12-03 10:42:28 +08:00
hkfires	559b7df404	refactor(config): restructure and uncomment example configuration	2025-12-03 10:29:36 +08:00